Performing Security Configurations

Modify SSH Configuration Items

You can configure permissions of users for logging in to a BMS based on the user type. Select the type of the account for logging in to the BMS.

  1. To improve the security of a BMS by disabling remote login to the BMS using a password, configure the following parameters:
    • Check whether the /etc/cloud/cloud.cfg file contains the ssh_pwauth parameter and whether its value is false. If not, add the parameter with the value false or change its value to false, so that a password cannot be used to log in to the BMS through Xshell.
    • Check whether the /etc/ssh/sshd_config file contains the ChallengeResponseAuthentication parameter and whether its value is no. If not, add the parameter with the value no or change its value to no, so that a password cannot be entered using the keyboard-interactive method to log in to the BMS through Xshell.
  2. To allow user root to log in remotely and enable SSH permissions of user root, perform the following operations:

    Allowing user root to log in to the BMS remotely has potential security risks. Exercise caution before performing the operations.

    1. Modify the Cloud-Init configuration file /etc/cloud/cloud.cfg.

      Take CentOS 6.7 for example. Modify the following parameters:

      users: 
        - name: root 
          lock_passwd: false 
        
      disable_root: 0 
      ssh_pwauth: 1
      • Set the value of lock_passwd to false, indicating that user passwords are not locked.
      • disable_root specifies whether remote login using SSH as user root is disabled. Set its value to 0, indicating that remote login is enabled. (In the Cloud-Init configuration in some OSs, true indicates that remote login is disabled and false indicates that remote login is enabled.)
      • ssh_pwauth specifies whether login using the SSH password is supported. Set its value to 1, indicating that login using the SSH password is supported.
    2. Run the following command to open /etc/ssh/sshd_config in the vi editor:

      vi /etc/ssh/sshd_config

      Change the value of PasswordAuthentication to yes, and change the value of UseDNS to no.

      • For SUSE and OpenSUSE, change the values of both PasswordAuthentication and ChallengeResponseAuthentication to yes.
      • For Ubuntu, change the value of PermitRootLogin to yes.
    3. Modify the shadow file and lock the initial password of user root in the image to prevent security risks:
      1. Run the following command to open the /etc/shadow file in the vim editor:

        vi /etc/shadow

        Add !! before the hash value of the user root password. The modified file content is as follows:

        # cat /etc/shadow | grep root 
         root:!!$6$SphQRPXu$Nvg6izXbhDPrcY3j1vRiHaQFVRpNiV3HD/bjDgnZrACOWPXwJahx78iaut1IigIUrwavVGSYQ1JOIw.rDlVh7.:17376:0:99999:7:::
      2. After the modification, press Esc and enter :wq to save and exit the file.

        For Ubuntu, you must delete the user created during the OS installation. For example, if the created user is ubuntu, run the userdel -rf ubuntu command.
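The following shell script is an added example and is not part of this guide or of the Cloud-Init or OpenSSH projects. It audits the two settings from step 1 (ssh_pwauth in cloud.cfg, ChallengeResponseAuthentication in sshd_config) and the root password lock from step 3, and repairs whatever deviates. The function names (check_setting, fix_setting, shadow_locked, lock_shadow_user, usable_password_users, audit, harden) are the example's own, every file path is passed as an argument, and the three sample files are constructed in a temporary directory so that nothing under /etc is modified when you run it as-is.

```shell
#!/bin/sh
# Added example, not from the original guide. Audits an image's SSH-related settings
# (step 1 above) and the root password lock (step 3) on copies of the files, passed as
# arguments, so that nothing under /etc is modified. The sample files are constructed.

# check_setting FILE KEY WANT: succeed only if FILE has at least one uncommented line
# setting KEY ("key: value" as in cloud.cfg or "Key value" as in sshd_config) and every
# such line sets it to WANT. Commented-out lines do not count.
check_setting() {
  file=$1; key=$2; want=$3
  found=$(grep -E "^[[:space:]]*${key}[[:space:]]*:?[[:space:]]+" "$file" \
          | sed -E "s/^[[:space:]]*${key}[[:space:]]*:?[[:space:]]+//; s/[[:space:]]+\$//")
  [ -n "$found" ] || return 1
  for v in $found; do [ "$v" = "$want" ] || return 1; done
  return 0
}

# fix_setting FILE KEY WANT SEP: rewrite every uncommented KEY line to WANT, or append
# "KEY<SEP>WANT" when there is none. SEP is ": " for cloud.cfg and " " for sshd_config.
fix_setting() {
  file=$1; key=$2; want=$3; sep=$4; tmp=$(mktemp)
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*:?[[:space:]]+" "$file"; then
    sed -E "s/^([[:space:]]*${key}[[:space:]]*:?)[[:space:]]+.*/\1 ${want}/" "$file" > "$tmp"
  else
    cat "$file" > "$tmp"; printf '%s%s%s\n' "$key" "$sep" "$want" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

# shadow_locked FILE USER: 0 if USER's password field starts with "!" (locked)
shadow_locked() {
  awk -F: -v u="$2" '$1 == u && $2 ~ /^!/ { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# lock_shadow_user FILE USER: prefix USER's hash with "!!" unless it is already locked
lock_shadow_user() {
  tmp=$(mktemp)
  awk -F: -v OFS=: -v u="$2" '$1 == u && $2 !~ /^!/ { $2 = "!!" $2 } { print }' "$1" > "$tmp"
  mv "$tmp" "$1"
}

# usable_password_users FILE: accounts whose password field is neither locked ("!...")
# nor disabled ("*"); an empty field means no password is required at all
usable_password_users() {
  awk -F: '$2 !~ /^[!*]/ { print $1 }' "$1"
}

# audit CLOUD_CFG SSHD_CONFIG SHADOW: report every deviation from the guide, 0 if none
audit() {
  rc=0
  check_setting "$1" ssh_pwauth false || { echo "$1: ssh_pwauth is not false"; rc=1; }
  check_setting "$2" ChallengeResponseAuthentication no \
    || { echo "$2: ChallengeResponseAuthentication is not no"; rc=1; }
  shadow_locked "$3" root || { echo "$3: root password is not locked"; rc=1; }
  return $rc
}

# harden CLOUD_CFG SSHD_CONFIG SHADOW: apply the guide's settings to the three files
harden() {
  fix_setting "$1" ssh_pwauth false ": "
  fix_setting "$2" ChallengeResponseAuthentication no " "
  lock_shadow_user "$3" root
}

# Constructed samples standing in for /etc/cloud/cloud.cfg, /etc/ssh/sshd_config and
# /etc/shadow of an image that still allows password login and has an unlocked root.
WORK=$(mktemp -d)
CLOUD_CFG=$WORK/cloud.cfg; SSHD_CONFIG=$WORK/sshd_config; SHADOW=$WORK/shadow
cat > "$CLOUD_CFG" <<'EOF'
users:
  - default
disable_root: 1
ssh_pwauth: 1
EOF
cat > "$SSHD_CONFIG" <<'EOF'
Port 22
#ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF
cat > "$SHADOW" <<'EOF'
root:$6$constructedsalt$constructedhash:17376:0:99999:7:::
daemon:*:17376:0:99999:7:::
ubuntu:$6$constructedsalt$anotherconstructedhash:17376:0:99999:7:::
EOF

audit "$CLOUD_CFG" "$SSHD_CONFIG" "$SHADOW" || harden "$CLOUD_CFG" "$SSHD_CONFIG" "$SHADOW"
audit "$CLOUD_CFG" "$SSHD_CONFIG" "$SHADOW" && echo "image files now match the guide"
echo "accounts that can still log in with a password (delete or lock before imaging):"
usable_password_users "$SHADOW"
```

To run it against a real image, pass the real paths to audit first and only call harden after backing the files up. The lock check treats any password field beginning with "!" as locked, which covers both the "!!" prefix the guide adds by hand and the single "!" that passwd -l writes. The final listing is the check that matches the Ubuntu note above: an account such as ubuntu that still carries a usable hash should be deleted or locked before the image is captured.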

Change Network Script Permissions

Change network script permissions to meet security requirements.

  1. Run the chmod 700 -R /opt/huawei/ command to change the permissions.
  2. Run the ls -l /opt/huawei/ and ls -l /opt/huawei/* commands to check the permissions.

(Optional) Modify Configuration Item /etc/motd

By modifying this configuration item, you can enable the system to remind users of changing the password when they log in to the BMS for the first time. This helps enhance the BMS security. To modify this configuration item, perform the following operations:

  1. Run the following command to open /etc/motd in the vi editor or create /etc/motd:

    vi /etc/motd

    /etc/motd is the file that stores the message displayed after login to Linux.

  2. Press i to enter editing mode and add the information to be displayed after you log in to the BMS to the end of the file.
  3. Press Esc and enter :wq to save the change and exit.

Modify the Historical Record Configuration Item

Modify the /etc/profile.d/history.sh configuration file. Add the date and time sequencing and set the number of historical records to 1000.

This is applicable to all OSs except EulerOS.

  1. Run the following command to open /etc/profile.d/history.sh in the vi editor:

    vi /etc/profile.d/history.sh

  2. Press i to enter editing mode and add the following content to the file:
    export HISTTIMEFORMAT="%F %T `whoami` "
    export HISTSIZE=1000
  3. Press Esc and enter :wq to save the change and exit.

Modify the NTP Configuration File

Uninstall the chrony package (use the rpm -e or dpkg -P command) and use the NTP package to synchronize time. The command to install the NTP package is yum install ntp.

  1. Run the following command to open /etc/ntp.conf in the vi editor:

    vi /etc/ntp.conf

  2. Press i to enter editing mode and add the following content to the file:
    server ntp.myhuaweicloud.com
  3. Press Esc and enter :wq to save the change and exit.

Optimize the udev Configuration

Delete the /etc/udev/rules.d/70-persistent-net.rules configuration file.

Optimize the SELinux Configuration

  1. Run the following command to open /etc/selinux/config in the vi editor:

    vi /etc/selinux/config

  2. Press i to enter editing mode and change the value of SELINUX to disabled.

  3. Press Esc and enter :wq to save the change and exit.

Uninstall denyhosts

Check whether denyhosts is installed. If yes, uninstall it because it causes some function issues, such as SSH login failures.

Run the following command to check whether denyhosts is installed (if it is listed, uninstall it with rpm -e):

rpm -qa | grep denyhosts

(Optional) Install hss and tel Plug-ins

hss is the server security plug-in and tel is the server monitoring plug-in.

  1. Run the following command to install the hss plug-in:

    bash HSSInstall config

  2. Run the following command to install the tel plug-in:

  3. Run the cd /etc/init.d/ command to check whether the plug-ins are installed successfully.

(Optional) Install Common O&M Tools

Common O&M tools include gcc, perl, python2-pip, strace, sysstat, tcpdump, vim-common, vim-enhanced, vim-filesystem, wget, and telnet. The tools are updated regularly.

CentOS and Red Hat can connect to the Internet for installing the tools using a yum source. Run the following commands to install the tools:

yum install gcc

yum install perl

yum install python2-pip

yum install strace

yum install sysstat

yum install tcpdump

yum install vim-common

yum install vim-enhanced

yum install vim-filesystem

yum install wget

yum install telnet

(Optional) Set the Password Validity Period

  1. Run the following command to query the password validity period:

    vi /etc/login.defs

    The value of parameter PASS_MAX_DAYS indicates the password validity period.

  2. Run the following command to change the value of parameter PASS_MAX_DAYS:

    chage -M 99999 user_name

    99999 is the validity period of the password, and user_name is a system user.

    You are advised to set the password validity period as needed and change it on a regular basis.

  3. Run vi /etc/login.defs to verify that the configuration has taken effect.
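The following shell script is an added example, not part of this guide. It reads PASS_MAX_DAYS from a login.defs-style file and lists the accounts in a shadow-format file whose own maximum password age (field 5, the value that chage -M sets) is longer than that policy or unset, which is the check a practitioner wants after step 2. The function names pass_max_days and expiry_exceeds are the example's own, both file paths are arguments, and the sample files are constructed copies rather than the live /etc/login.defs and /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original guide: compare the PASS_MAX_DAYS policy with the
# per-account maximum age stored in the shadow file. Paths are arguments; the samples
# created below are constructed and stand in for /etc/login.defs and /etc/shadow.

# pass_max_days FILE: print the PASS_MAX_DAYS value from a login.defs-style file.
# Commented lines are skipped because their first field starts with "#".
pass_max_days() {
  awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' "$1"
}

# expiry_exceeds SHADOW_FILE LIMIT: print accounts that have a usable password (field 2
# not locked with "!" or disabled with "*") and whose max-age field (5) is empty, meaning
# the password never expires, or greater than LIMIT.
expiry_exceeds() {
  awk -F: -v lim="$2" '$2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > lim + 0) { print $1 }' "$1"
}

# Constructed samples: a 90-day policy, and accounts created before it was set.
WORK=$(mktemp -d)
DEFS=$WORK/login.defs
SHADOW=$WORK/shadow
cat > "$DEFS" <<'EOF'
# constructed excerpt of /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
cat > "$SHADOW" <<'EOF'
root:!!$6$constructedsalt$constructedhash:17376:0:99999:7:::
alice:$6$constructedsalt$hashA:17376:0:99999:7:::
bob:$6$constructedsalt$hashB:17376:0:60:7:::
svc:*:17376:0:99999:7:::
carol:$6$constructedsalt$hashC:17376:0::7:::
EOF

LIMIT=$(pass_max_days "$DEFS")
echo "policy: PASS_MAX_DAYS=$LIMIT; accounts with a longer or unset validity period:"
expiry_exceeds "$SHADOW" "$LIMIT"
```

PASS_MAX_DAYS in /etc/login.defs only supplies the default for accounts created afterwards; existing accounts keep whatever is in their shadow entry, which is why the guide changes the value per user with chage -M. The listing above shows exactly those accounts, so run it against the real files after step 2 to confirm that no account was missed. Locked (root) and disabled (svc) entries are skipped because their password cannot be used regardless of its age.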