2. Django 1.8 Server Build - CentOS 7 hosted on VPS SSH login & firewall

In the previous chapter (1. Django 1.8 Server Build - CentOS 7 hosted on VPS):
- We installed CentOS 7 and booted up the machine.
- Then, we set up DNS for the newly purchased domain name.
In this chapter, we'll log in to the server via SSH and put a basic firewall in place.
Open a terminal window, type the following command, and then press Enter. Be sure to replace the example IP address with our Linode's IP address:
$ ssh root@45.79.90.218
The authenticity of host '45.79.90.218 (45.79.90.218)' can't be established.
RSA key fingerprint is 38:df:75:b6:1f:5c:64:06:84:db:e1:b6:66:ce:4c:2f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '45.79.90.218' (RSA) to the list of known hosts.
root@45.79.90.218's password:
Last failed login: Mon Jun 15 00:38:09 UTC 2015 from 182.100.67.112 on ssh:notty
There were 228 failed login attempts since the last successful login.
[root@li1189-218 ~]#
We'll need to set our system's hostname and fully qualified domain name (FQDN). Our hostname should be something unique. Some people name their servers after planets, philosophers, or animals. Note that the system's hostname has no relationship to websites or email services hosted on it, aside from providing a name for the system itself. Our hostname should not be "www" or anything too generic.
Let's set the hostname:
[root@li1189-218 ~]# cat /etc/hostname
localhost.localdomain
[root@li1189-218 ~]# hostnamectl set-hostname sf
Let's set the timezone:
[root@li1189-218 ~]# timedatectl list-timezones
...
America/Tijuana
...
[root@li1189-218 ~]# timedatectl set-timezone America/Tijuana
[root@li1189-218 ~]# date
Sun Jun 14 18:00:23 PDT 2015
Then bring the installed packages up to date:
[root@sf ~]# yum update
Loaded plugins: fastestmirror
base                                 | 3.6 kB  00:00
extras                               | 3.4 kB  00:00
updates                              | 3.4 kB  00:00
(1/4): base/7/x86_64/group_gz        | 154 kB  00:00
(2/4): extras/7/x86_64/primary_db    |  54 kB  00:00
(3/4): updates/7/x86_64/primary_db   | 1.7 MB  00:00
(4/4): base/7/x86_64/primary_db      | 5.1 MB  00:00:16
...
Complete!
Now we want to stop using the root account for day-to-day work.
So, let's create a new account:
[root@sf ~]# adduser sfvue
[root@sf ~]# passwd sfvue
Changing password for user sfvue.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Give the new user sudo rights by editing the sudoers file with visudo and adding a line for sfvue next to root's:
[root@sf ~]# visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
sfvue   ALL=(ALL)       ALL
This allows the user sfvue to do anything that root can do.
Let's exit and log back in with the new user sfvue:
[root@sf ~]# exit
logout
Connection to 45.79.90.218 closed.
Ki-Hongs-MacBook-Pro:~ kihyuckhong$ ssh sfvue@45.79.90.218
sfvue@45.79.90.218's password:
Next thing to do is to disable the root account from being able to login over SSH:
[sfvue@sf ~]$ sudo vim /etc/ssh/sshd_config
Find the PermitRootLogin line and set it to:
PermitRootLogin no
Now, we want to restart the ssh daemon so the change takes effect:
[sfvue@sf ~]$ sudo systemctl restart sshd
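Editing sshd_config by hand works for one directive, but the same change is easy to script and verify. The shell functions below are an added example, not code from the original page: they set a directive idempotently (replacing a commented-out default such as #PermitRootLogin yes, or appending the line if the keyword is absent) and read back the value sshd will actually use; they assume a config file without Match blocks and are demonstrated on a constructed copy rather than /etc/ssh/sshd_config.

```shell
# set_sshd_option FILE KEY VALUE: rewrite the first line for KEY, commented
# out ("#PermitRootLogin yes") or not, as "KEY VALUE"; append it if KEY never
# appears. sshd takes the first occurrence of a directive, so placing ours at
# the first occurrence makes it win over any later duplicate.
# Assumption: the file has no Match blocks (directives inside one only apply
# to matching connections and are not handled here).
set_sshd_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    !seen && tolower($0) ~ ("^[# \t]*" tolower(k) "[ \t]") {
      print k " " v; seen = 1; next
    }
    { print }
    END { if (!seen) print k " " v }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # overwrite in place so mode and owner are kept
  rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the effective value, i.e. the first
# uncommented occurrence (keywords are case-insensitive, values are not).
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Demo on a constructed copy so it runs anywhere; on the server the target is
# /etc/ssh/sshd_config, checked with "sshd -t" before "systemctl restart sshd".
CFG=$(mktemp)
printf '#PermitRootLogin yes\nPort 22\n' > "$CFG"
set_sshd_option "$CFG" PermitRootLogin no
set_sshd_option "$CFG" PermitRootLogin no   # a second run changes nothing
cat "$CFG"
echo "PermitRootLogin = $(get_sshd_option "$CFG" PermitRootLogin)"
```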
Next, install the iptables service, enable it at boot, start it, and list the rules it comes with:
[sfvue@sf ~]$ sudo yum install iptables-services
[sfvue@sf ~]$ sudo systemctl enable iptables
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'
[sfvue@sf ~]$ sudo systemctl start iptables
[sfvue@sf ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now it's time to create some firewall rules. The Securing Your Server guide provides a basic rule set to get us started. Copy and paste the rules shown below into the /etc/iptables.firewall.rules file:
*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
By default, the rules will allow traffic to the following services and ports: HTTP (80), HTTPS (443), SSH (22), and ping. All other ports will be blocked.
Activate the firewall rules by entering the following command:
[sfvue@sf ~]$ sudo iptables-restore < /etc/iptables.firewall.rules
To save our current rule set, use the following command:
[sfvue@sf ~]$ sudo /usr/libexec/iptables/iptables.init save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
Recheck our Linode's firewall rules by entering the following command:
[sfvue@sf ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8           reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
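A rule set that ends in DROP should be checked before it is restored, since a typo in the SSH rule would cut off the very session we are working from. The functions below are an added example, not code from the original page or the Securing Your Server guide: they list the ports the INPUT chain accepts, confirm the chain ends in an unconditional DROP, and check that the port sshd listens on (its Port directive, default 22) is among the accepted tcp ports. The rules file and sshd_config they read are constructed samples; on the server they would be /etc/iptables.firewall.rules and /etc/ssh/sshd_config.

```shell
# list_open_ports RULES: print "proto/port" for each INPUT rule that ACCEPTs
# a specific destination port, i.e. the services the rule set exposes.
list_open_ports() {
  awk '/^-A INPUT / && /-j ACCEPT/ {
         proto = "any"; port = ""
         for (i = 1; i <= NF; i++) {
           if ($i == "-p") proto = $(i + 1)
           if ($i == "--dport") port = $(i + 1)
         }
         if (port != "") print proto "/" port
       }' "$1"
}

# input_default_drop RULES: succeed only if the last INPUT rule is an
# unconditional DROP, so anything not explicitly accepted above is dropped.
input_default_drop() {
  last=$(awk '/^-A INPUT / { l = $0 } END { print l }' "$1")
  [ "$last" = "-A INPUT -j DROP" ]
}

# ssh_port_allowed RULES SSHD_CONFIG: succeed if the port sshd listens on
# (Port directive, default 22) is accepted for tcp, so restoring the rules
# cannot lock us out of our own SSH session.
ssh_port_allowed() {
  port=$(awk 'tolower($1) == "port" { print $2; exit }' "$2")
  list_open_ports "$1" | grep -qx "tcp/${port:-22}"
}

# Constructed sample inputs (a shortened copy of the rule set above) so the
# checks run offline.
RULES=$(mktemp); SSHD=$(mktemp)
cat > "$RULES" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
printf 'Port 22\nPermitRootLogin no\n' > "$SSHD"
list_open_ports "$RULES"                                  # tcp/80 tcp/443 tcp/22
input_default_drop "$RULES" && echo "INPUT chain ends in DROP"
ssh_port_allowed "$RULES" "$SSHD" && echo "sshd port is reachable"
```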
3. Django 1.8 Server Build - CentOS 7 hosted (VPS) on Linode - Apache Install