When you first log into a fresh Fedora 22, it’s not ready for use as a production system. There are a number of recommended steps to take in order to customize and secure it, such as enabling a firewall.
This tutorial will show you how to give a fresh installation of a Fedora 22 server a better security profile and be ready for use.
To follow this tutorial, you will need:
You can follow this section of the SSH key tutorial to create keys if you don’t have them, and this section of the same tutorial to automatically embed your SSH key in your server’s root account when you create your Droplet.
First, log into your server as root.
Operating as root is a security risk, so in this step, we’ll set up a sudo non-root user account to use for system and other computing tasks. The username used in this tutorial is sammy, but you can use any name you like.
To add the user, type:
Specify a strong password for the user using the command below. You’ll be prompted to enter the password twice.
Then add the user to the wheel group, which gives it sudo privileges.
gpasswd -a sammy wheel
Log out of your server and add your SSH key to the new user account by running the following on your local machine.
For more information on how to copy your SSH keys from your local machine to your server, you can read this section of the SSH tutorial.
Finally, log back in as the new sudo non-root user. You won’t be prompted for a password because this account now has SSH keys.
In this step, we’ll make SSH logins more secure by disabling root logins and password authentication.
To edit configuration files, you’ll need to install a text editor. We’ll use
nano but you can use whichever is your favorite.
First, apply any available updates using:
sudo dnf update
Then, to install
sudo dnf install -y nano
Now, open the the SSH daemon’s configuration file for editing.
sudo nano /etc/ssh/sshd_config
Inside that file, look for the
PermitRootLogin directive. Uncomment it (that means remove the starting
# character) and set it to no.
Similarly, look for the
PasswordAuthentication directive and set it to no as well.
Save and exit the file, then reload the configuration to put your changes into place.
sudo systemctl reload sshd
If anyone tries to log in as root now, the response should be
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
In this step, you’ll read how to change the system clock to your local time zone. The default clock is set to UTC.
All the known timezones are under the
/usr/share/zoneinfo/ directory. Take a look at the files and directories in
To set the clock to use the local timezone, find your country or geographical area in that directory, locate the zone file under it, then create a symbolic soft link from it to the
/etc/localtime directory. For example, if you’re in the central part of the United States, where the timezone is Central, or CST, the zone file will be
Create a symbolic soft link from your zone file to
sudo ln -sf /usr/share/zoneinfo/your_zone_file /etc/localtime
Verify that the clock is now set to local time by viewing the output of the
The output will look something like:
Wed Mar 25 14:41:20 CST 2015
The CST in that output confirms that it’s Central time.
A new Fedora 22 server has no active firewall application. In this step, we’ll learn how to enable the IPTables firewall application and make sure that runtime rules persist after a reboot.
The IPTables package is already installed, but to be enable to enable it, you need to install the
sudo dnf install -y iptables-services
You may then enable IPTables so that it automatically starts on boot.
sudo systemctl enable iptables
Next, start IPTables.
sudo systemctl start iptables
IPTables on Fedora 22 ships with a default set of rules. One of those rules permits SSH traffic. To view the default rules, type:
sudo iptables -L
The output should read:
Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
Those rules are runtime rules and will be lost if the system is rebooted. To save the current runtime rules to a file so that they persist after a reboot, type:
sudo /usr/libexec/iptables/iptables.init save
The rules are now saved to a file called
iptables in the
In this section, we’ll cover how to edit the firewall rules to allow services for ports 80 (HTTP) and 443 (HTTPS).
The default IPTables rules allow SSH traffic in by default, but HTTP and its relatively more secure cousin, HTTPS, are services that many applications use, so you may want to allow these to pass through the firewall as well.
To proceed, open the firewall rules file by typing:
sudo nano /etc/sysconfig/iptables
All you need to do is add two rules, one for port 80 and another for port 443, after the rule for SSH (port 22) traffic. The lines below in red are the ones you will add; the lines before and after are included for context to help you find where to add the new rules.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
To activate the new ruleset, restart IPTables.
sudo systemctl restart iptables
locate command is a very useful utility for looking up the location of files in the system. For example, to find a file called example, you would type:
That will scan the file system and print the location or locations of the file on your screen. There are more advanced ways of using
To make the command available on your server, first you need to install the
sudo dnf install -y mlocate
Then, run the
updatedb command to update the search database.
After that, you should be able to use
locate to find any file by name.
After completing the last step, your Fedora 22 server should be configured, reasonably secure, and ready for use!
If you’ve enjoyed this tutorial and our broader community, consider checking out our DigitalOcean products which can also help you achieve your development goals.