Performing Security Configurations

Modify SSH Configuration Items

You can configure login permissions for a BMS according to the type of user account. Select the account type that will be used to log in to the BMS.

  1. To improve security of the BMS, disable remote login using the password and retain only the certificate login mode. Check whether the value of parameter ChallengeResponseAuthentication in the /etc/ssh/sshd_config file is no. If not, change it to no so that users cannot log in to a BMS through Xshell by entering the password using the keyboard-interactive method.
  2. To allow user root to log in remotely and enable SSH permissions of user root, perform the following operations:

    Allowing user root to log in to the BMS remotely has potential security risks. Exercise caution before performing the operations.

    1. Modify the Cloud-Init configuration file.

      Take CentOS 6.7 for example. Modify the following parameters:

      users:
        - name: root
          lock_passwd: false

      disable_root: 0
      ssh_pwauth: 1
      • Set the value of lock_passwd to false, indicating that user passwords are not locked.
      • disable_root specifies whether remote login using SSH as user root is disabled. Set its value to 0, indicating that remote login is enabled. (In the Cloud-Init configuration in some OSs, true indicates that remote login is disabled and false indicates that remote login is enabled.)
      • ssh_pwauth specifies whether login using the SSH password is supported. Set its value to 1, indicating that login using the SSH password is supported.
    2. Run the following command to open /etc/ssh/sshd_config in the vi editor:

      vi /etc/ssh/sshd_config

      Change the value of PasswordAuthentication to yes.

      NOTE:
      • For SUSE and OpenSUSE, change the values of both PasswordAuthentication and ChallengeResponseAuthentication to yes.
      • For Ubuntu, change the value of PermitRootLogin to yes.
    3. Modify the shadow file to lock the initial password of user root in the image, which prevents security risks:
      1. Run the following command to open the /etc/shadow file in the vim editor:

        vim /etc/shadow

        Add !! in front of the hash value of the user root password (a leading !! marks the password as locked). The modified file content is as follows:

        # cat /etc/shadow | grep root
        root:!!$6$SphQRPXu$Nvg6izXbhDPrcY3j1vRiHaQFVRpNiV3HD/bjDgnZrACOWPXwJahx78iaut1IigIUrwavVGSYQ1JOIw.rDlVh7.:17376:0:99999:7:::
      2. After the modification, press Esc and enter :wq to save and exit the file.
        NOTE:

        For Ubuntu, you must delete the user created during the OS installation. For example, if the created user is ubuntu, run the userdel -rf ubuntu command.
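The sshd_config and /etc/shadow edits in the steps above are easy to get wrong by hand: sshd uses the first uncommented value it finds for a keyword, so a stale entry further down the file is silently ignored, and a second "!!" prepended to an already locked hash leaves an unreadable field. The following POSIX shell helpers, added here as an example and not part of the original guide or of Cloud-Init, make the same edits idempotently. The function names, the temporary files and the placeholder hash are assumptions constructed for this example; the helpers run against copies so the script can be tried without touching the real files.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent helpers for the
# sshd_config and /etc/shadow edits described above, exercised on constructed
# temporary copies so it runs without root access or a real BMS.
set -eu

# get_sshd_option FILE KEY
# Prints the value sshd would use for KEY: the first uncommented occurrence,
# compared case-insensitively, because sshd takes the first value it reads.
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# set_sshd_option FILE KEY VALUE
# Rewrites the first uncommented KEY line to "KEY VALUE", drops any later
# duplicates (they would never take effect anyway) and appends the line if
# no uncommented occurrence existed. Commented defaults are left as they are.
set_sshd_option() {
    tmp=$(mktemp)
    awk -v key="$2" -v value="$3" '
        tolower($1) == tolower(key) { if (!seen) { print key " " value; seen = 1 }; next }
        { print }
        END { if (!seen) print key " " value }
    ' "$1" > "$tmp"
    cat "$tmp" > "$1"   # write through to keep the original owner and mode
    rm -f "$tmp"
}

# lock_shadow_hash FILE USER
# Prepends "!!" to USER's password field (field 2) unless the field already
# starts with "!", i.e. the manual edit shown in the guide, made repeatable.
lock_shadow_hash() {
    tmp=$(mktemp)
    awk -F: -v user="$2" 'BEGIN { OFS = ":" }
        $1 == user && $2 !~ /^!/ { $2 = "!!" $2 }
        { print }
    ' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# shadow_field FILE USER N -> prints field N of USER's shadow entry
shadow_field() {
    awk -F: -v user="$2" -v n="$3" '$1 == user { print $n; exit }' "$1"
}

demo() {
    cfg=$(mktemp); shadow=$(mktemp)
    # Constructed sshd_config fragment: a commented default plus a stale "no".
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication yes' 'UsePAM yes' > "$cfg"
    # Constructed shadow entries; the hash is a placeholder, not a credential.
    printf '%s\n' 'root:$6$SALT$PLACEHOLDERHASH:17376:0:99999:7:::' \
        'daemon:*:17376:0:99999:7:::' > "$shadow"

    set_sshd_option "$cfg" PasswordAuthentication yes
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    lock_shadow_hash "$shadow" root
    lock_shadow_hash "$shadow" root   # second call must not double-lock

    printf 'PasswordAuthentication=%s\n' "$(get_sshd_option "$cfg" PasswordAuthentication)"
    printf 'ChallengeResponseAuthentication=%s\n' "$(get_sshd_option "$cfg" ChallengeResponseAuthentication)"
    grep '^root:' "$shadow"
    rm -f "$cfg" "$shadow"
}
demo
```

On a live image, point the helpers at /etc/ssh/sshd_config and /etc/shadow as root, then run `sshd -t` before restarting the service so a typo cannot lock you out of the only login path.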

Modify Configuration Item /etc/motd

By modifying this configuration item, you can make the system remind users to change the password when they log in to the BMS for the first time. This helps enhance the BMS security. To modify this configuration item, perform the following operations:

  1. Run the following command to open /etc/motd in the vi editor or create /etc/motd:

    vi /etc/motd

    NOTE:

    /etc/motd is the file whose contents are displayed as a message after login to Linux.

  2. Press i to enter editing mode and add the following information to the end of the file:
    Please update the password for root regularly and ensure the complexity of the password.
  3. Press Esc and enter :wq to save the change and exit.

(Optional) Set the Password Validity Period

  1. Run the following command to query the password validity period:

    vi /etc/login.defs

    The value of parameter PASS_MAX_DAYS indicates the password validity period.

  2. Run the following command to change the value of parameter PASS_MAX_DAYS:

    chage -M 99999 user_name

    99999 is the validity period of the password in days, and user_name is a system user.

    You are advised to set the password validity period as needed and change it on a regular basis.

  3. Run vi /etc/login.defs to verify that the configuration has taken effect.
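Two values are involved in the procedure above: PASS_MAX_DAYS in /etc/login.defs, which is the default applied to accounts created later, and the per-account maximum age stored in field 5 of /etc/shadow, which is what chage -M actually changes (chage -l user_name shows it). The following POSIX shell helpers, added here as an example and not part of the original guide, read both values and list accounts whose password age limit exceeds a policy threshold, which is the check to run when verifying an image. The function names, the sample files and the placeholder hashes are constructed for this example; set_shadow_max_days is an offline stand-in for chage -M on a copy of the file and is not how chage is implemented.

```shell
#!/bin/sh
# Added example (not part of the original guide): helpers for the password
# ageing settings the section above refers to, run against constructed copies
# of /etc/login.defs and /etc/shadow so they work without root access.
set -eu

# login_defs_max_days FILE
# Prints PASS_MAX_DAYS from a login.defs-style file, or 99999 (the shadow-utils
# default) when it is not set. Applies only to accounts created afterwards.
login_defs_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print (v == "" ? 99999 : v) }' "$1"
}

# shadow_max_days FILE USER
# Prints the per-account maximum password age (shadow field 5), the value
# that "chage -M DAYS USER" changes. An empty field means no limit.
shadow_max_days() {
    awk -F: -v user="$2" '$1 == user { print $5; exit }' "$1"
}

# set_shadow_max_days FILE USER DAYS
# Offline stand-in for chage -M on a copy of the shadow file (constructed for
# this example; on a live system use chage itself).
set_shadow_max_days() {
    tmp=$(mktemp)
    awk -F: -v user="$2" -v days="$3" 'BEGIN { OFS = ":" }
        $1 == user { $5 = days }
        { print }
    ' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# accounts_over_limit FILE LIMIT
# Lists, one per line, accounts that still have a usable password (field 2 does
# not start with "!" or "*") and whose maximum age is unset or exceeds LIMIT.
accounts_over_limit() {
    awk -F: -v limit="$2" '
        $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > limit + 0) { print $1 }
    ' "$1"
}

demo() {
    defs=$(mktemp); shadow=$(mktemp)
    # Constructed login.defs fragment.
    printf '%s\n' '# constructed fragment' 'PASS_MAX_DAYS   99999' 'PASS_MIN_DAYS   0' > "$defs"
    # Constructed shadow entries; hashes are placeholders, not credentials.
    printf '%s\n' 'root:$6$SALT$HASH:17376:0:99999:7:::' \
        'ops:$6$SALT$HASH:17376:0:90:7:::' \
        'nobody:*:17376:0:99999:7:::' \
        'svc:$6$SALT$HASH:17376:0::::' > "$shadow"

    echo "login.defs PASS_MAX_DAYS: $(login_defs_max_days "$defs")"
    echo "accounts over 90 days before: $(accounts_over_limit "$shadow" 90 | tr '\n' ' ')"
    set_shadow_max_days "$shadow" root 90
    echo "root max days now: $(shadow_max_days "$shadow" root)"
    echo "accounts over 90 days after:  $(accounts_over_limit "$shadow" 90 | tr '\n' ' ')"
    rm -f "$defs" "$shadow"
}
demo
```

Note that changing PASS_MAX_DAYS in /etc/login.defs does not alter existing accounts, so an image check should read /etc/shadow (or chage -l) for every account that has a password hash rather than relying on login.defs alone.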