Create a New User Grant Root Privileges and Disabl SSH Root Login on CentOS

Question

Recently, we encountered the problem that Alibaba Cloud ECS server was attacked by DDoS, indicating that our server security needs to be improved. From the perspective of ssh login, you can set sub-users for the linux system and prohibit root login, which can improve certain security.

In this article you will learn

• How to create a new user and set a password for linux system and CentOS system
• How to grant permission control to new CentOS users
• How to prohibit root login to improve server ssh remote connection security
• How to restart sshd service
• How to view file permissions and modify file permissions

User Management

1. Create a user and set a password

   First create a user, give a name, such as lwebapp

   adduser lwebapp
   

   Set a password for the user lwebapp, it will trigger interaction, just enter the password

   passwd lwebapp # Trigger interaction, enter password lwebappwd
   

2. Grant root privileges Modify sudoers to give root privileges to the newly created user, so that every time you only need to log in with the new user lwebapp, all server operations can be completed.

   The sudoers file is in the /etc directory, first modify the permission of this file to allow modification

   chmod 777 /etc/sudoers
   

   Then open with vim

   Hit i to enter edit mode

   vim /etc/sudoers
   

   Then after the root ALL=(ALL) ALL line break, enter

   lwebapp ALL=(ALL) ALL # Give all permissions to lwebapp, same as root above
   

   Hit Esc, enter colon : to enter vim command mode, then enter wq, hit Enter to save and exit

   After saving the file, set the file permissions back

   chmod 444 /etc/sudoers
   

3. Disable root login Because of the new user, the root user's login authority is prohibited, so that hackers cannot operate the server by cracking the root login. At least our new user name has changed, which adds a layer of difficulty to hacker attacks.

   Locate and edit the sshd_config file

   vim /etc/ssh/sshd_config
   

   Find PermitRootLogin yes, change yes to no, which means that the root account is not allowed to log in

   PermitRootLogin no
   

4. Restart sshd Finally restart sshd to take effect

   systemctl restart sshd.service
   

Extended Learning

File Permissions

1. Check file permissions

   stat -c '%A %a %n' *
   

2. Make all files in a folder have 777 permissions

   chmod 777 -R ./webapps

vim basic operations

1. Open a file

   vim file.txt
   

2. Enter edit mode
   Hit i, the bottom of the terminal interface displays -- INSERT -- is the edit mode

3. Enter command mode
   Enter :, the bottom of the terminal interface displays : and the cursor

4. Exit edit mode or command mode
   Hit Esc

5. Save and exit
   In command mode, enter wq, hit Enter to save and exit

6. Force Quit
   In command mode, enter q! and hit Enter to complete the forced exit

sshd service

1. View sshd service status

   systemctl status sshd.service
   

   A series of service statuses will be displayed, such as running, which means that the startup is successful.

2. Start the sshd service

   systemctl start sshd.service
   

3. Restart the sshd service

   systemctl restart sshd.service
   

4. Set to start at boot

   systemctl enable sshd.service

Reference

• centos7.5 creates a new account with root privileges
• How to restart the sshd service under centos7