The C Shore

Configuring an OVH VPS with CentOS 7

A guide to configuring an OVH VPS (Virtual Private Server) with CentOS 7


Configuring an OVH OpenStack VPS with CentOS 7

Version 1.0.0

Preliminaries

  1. Configure your DNS with a hostname pointing to the IP that has been assigned to your instance. As doing so depends on who your DNS provider is, documenting this is beyond the scope of this document.

  2. Locally create an SSH keypair (or keypairs) if you don't already have one. See one of the many guides on the internet if you need more information, for example:

  *    [GitHub's Guide for SSH](https://help.github.com/articles/connecting-to-github-with-ssh/)
  *    [Oracle's Guide for SSH](https://docs.oracle.com/en/cloud/paas/database-dbaas-cloud/csdbi/generate-ssh-key-pair.html#GUID-4285B8CF-A228-4B89-9552-FE6446B5A673)
  *    [Scaleway's Guide for SSH Key Generation](https://www.scaleway.com/docs/configure-new-ssh-key/)
  *    [OVH's Guide for SSH Key Generation](https://docs.ovh.com/gb/en/public-cloud/configuring_additional_ssh_keys/#legacy:1769)
  3. In your OVH Web Control Panel (https://xx.ovh.com/manager, where xx is the ISO two-letter country code used for your OVH billing/admin), open your account information (the menu that appears when you click on your name at the top right, then select ‘My Account’), select ‘My SSH Keys’, then ‘Add an SSH key’; for a more complete guide see OVH's guide to configuring SSH keys. It is recommended to use a separate SSH key here rather than the key you will use during regular operation.

  4. Change your server's hostname for OVH purposes:

  1.    Select Cloud|Servers|[your new server]

  2.    Under the 'Configuration' section click on the circle
        with `...` to the right of the current hostname (in the
        row titled 'Name')

  3.    Click on 'Modify'

  4.    Enter your new hostname (the DNS you configured above).

  5.    In the 'IP' section, for the row 'Reverse DNS', select '...'
        and configure your IP(s) to point to your hostname
        (only one hostname per address family, ipv4/ipv6).

  6.    Reinstall your VPS with CentOS 7 -- you will be
        prompted for the SSH keys to include in the image;
        they will be used to allow public key root login; also
        deselect 'email me my authentication/credentials'.
        It is recommended to use a separate SSH key for this
        initial deployment rather than the one you use regularly.

After OS Install Completes

  1. ssh root@[your-vps-ip-or-hostname]

  2. Change root password (execute passwd root)

  3. Edit /etc/cloud/cloud.cfg:

  *    Edit `hostname: <default-hostname>` to be your desired hostname.
  *    Set `ssh_pwauth: 0` (after setting up the public/private keypair, below).

  4. Set hostname for instance: hostnamectl set-hostname new-hostname

  5. Make sure /etc/hosts has your IP (v4 and/or v6) to hostname mapping:

  ```
  127.0.0.1           localhost
  xxx.xxx.xxx.xxx     exhost.example.com exhost

  # If you wish to support ipv6
  ::1 localhost
  abcd:0124:ef56:789a::aaaa exhost.example.com exhost
  ```

  6. Add a regular user who is a member of ‘adm’, ‘systemd-journal’ and ‘wheel’, and allow only public/private key login for that user.
  1.    ``adduser -U -G adm,systemd-journal,wheel username``

  2.    Set the password for that user: ``passwd username``

  3.    Switch to that user: ``su - username``

  4.    ``mkdir ~/.ssh``

  5.    From your local host copy your regular operating SSH public
        key to the user you just created:
        ``scp ssh-key.pub username@your-host.example.com:.ssh/authorized_keys``

  6.    Back on the VPS as the regular user you created:
        ``chmod 600 ~/.ssh/authorized_keys``

  7.    From your local host login to the VPS using the private
        key associated with the public key you just copied to the
        VPS: ``ssh -i ssh-key username@your-host.example.com``.
        You should get to a shell prompt without having to enter a
        password for the user (you may have to enter the SSH
        key's passphrase, however).  If not, troubleshoot and fix
        what is wrong before going on to the next step.

  8.    Disable password authentication by editing
        ``/etc/ssh/sshd_config`` so that
        ``PasswordAuthentication no`` is set and *not*
        ``PasswordAuthentication yes``.  Use the user you created
        to do this via sudoedit.  This verifies that you can
        obtain root through this user.
  7. Disable root logins via SSH: edit /etc/ssh/sshd_config to set `PermitRootLogin no`.

  8. To avoid log spam from failed SSH brute force attempts, change the SSH port (NB: this isn't a real security measure, it just avoids having your journal filled with ‘script kiddy’ level failures — you are using SSH public keys, not passwords, of course).

  1.    Tell SELinux to allow SSH on your new port (we use 28332
        for this example; ports 10000-65535 are mostly safe, although
        some may already be in use; use `ss -lut` to check
        which ports are in use). `semanage` is provided by the
        policycoreutils-python package on CentOS 7.
        ``semanage port -a -t ssh_port_t -p tcp 28332``

  2.    Update SSH config to use the new port by changing the
        `Port 22` directive in `/etc/ssh/sshd_config` to
        `Port 28332`

  3.    Configure firewall logging by running
        `firewall-cmd --set-log-denied=unicast`

  4.    Allow the new port through your firewall:
  ```sh
  firewall-cmd --permanent --new-service=altssh
  firewall-cmd --permanent --service=altssh --add-port=28332/tcp
  firewall-cmd --permanent --add-service altssh
  firewall-cmd --complete-reload
  ```

  5.    Restart SSH (`systemctl restart sshd`)

  6.    Log in again (in a second session) using the new
        port (e.g. `ssh -p 28332 your-user@your-dns-address-or-ip-address`).
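As an added check (example code written for this guide, not part of the original page) that the PasswordAuthentication, PermitRootLogin and Port changes above actually took effect, the following POSIX shell script reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins, keywords are case-insensitive, and lines after a Match block are not global) and reports any of the three that is not set. The function names and the two sample configs are constructed for the example; 28332 is the port used throughout this guide.

```sh
#!/bin/sh
# Added example, not from the original guide: audit an sshd_config for
# PasswordAuthentication no, PermitRootLogin no and the expected Port.
# sshd uses the FIRST uncommented occurrence of a keyword (case-insensitive),
# so a 'PasswordAuthentication no' appended below a stock 'yes' does nothing.

# effective_setting FILE KEYWORD DEFAULT -> prints the value sshd would use
effective_setting() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _val=$(awk -v key="$_key" '
        /^[[:space:]]*#/ || NF < 2 { next }    # skip comments and blank lines
        tolower($1) == "match" { exit }        # settings below Match are conditional
        tolower($1) == key { print $2; exit }  # first occurrence wins
    ' "$1")
    printf '%s\n' "${_val:-$3}"
}

# check_sshd_config FILE PORT -> 0 if all three settings are effective, else 1.
# A missing directive counts as not hardened, except Port, which defaults to 22.
check_sshd_config() {
    _rc=0
    [ "$(effective_setting "$1" PasswordAuthentication unset)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not 'no'"; _rc=1; }
    [ "$(effective_setting "$1" PermitRootLogin unset)" = "no" ] \
        || { echo "FAIL: PermitRootLogin is not 'no'"; _rc=1; }
    [ "$(effective_setting "$1" Port 22)" = "$2" ] \
        || { echo "FAIL: Port is not $2"; _rc=1; }
    [ "$_rc" -eq 0 ] && echo "OK: $1 is hardened"
    return $_rc
}

# Demo on two constructed configs: one where the stock 'PasswordAuthentication yes'
# still precedes the admin's 'no' (and Port is only a comment), one done properly.
# Returns 0 when the audit rejects the first and accepts the second.
demo_sshd_audit() {
    _weak=$(mktemp); _hard=$(mktemp)
    printf '%s\n' '#Port 22' 'PermitRootLogin no' \
        'PasswordAuthentication yes' 'PasswordAuthentication no' > "$_weak"
    printf '%s\n' 'Port 28332' 'PermitRootLogin no' 'PasswordAuthentication no' > "$_hard"
    if check_sshd_config "$_weak" 28332; then _w=0; else _w=1; fi   # expect 1
    if check_sshd_config "$_hard" 28332; then _h=0; else _h=1; fi   # expect 0
    rm -f "$_weak" "$_hard"
    [ "$_w" -eq 1 ] && [ "$_h" -eq 0 ]
}

demo_sshd_audit
```

To audit the live file, source the script and run `check_sshd_config /etc/ssh/sshd_config 28332` with sudo, since the file is normally readable only by root.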
  9. Permanently enable the firewall in the VPS: `systemctl enable --now firewalld`.

  10. Exit all SSH sessions except the last one you started.

  11. Enable the OVH Firewall (see the OVH docs for this; it reduces the load on your VPS/VM by letting OVH handle the majority of firewall traffic): see OVH Firewall Network (anti-DDOS).

  12. Install useful admin tools:

   *     byobu (pre-installed on Ubuntu / Docker on Ubuntu
         images)
       +    `byobu-config` (run as each user who wishes
            to use byobu)
       +    `byobu-enable` (for each user for whom you
            wish byobu to launch on logon; it is not
            recommended to do this for root as there is a
            potential for getting locked out of the root
            account in certain error scenarios)
       +    `touch ~/.byobu/.always-select` (if you want to
            be prompted to resume an old session, if
            present, and otherwise start a new session
            when byobu launches)
   *    logwatch
   *    psmisc
   *    rsync
   *    mutt
   *    vim-enhanced
      +     Recommend having a `$HOME/.vimrc` with things like
            `syntax on`
  13. Enable SELinux if it's not enabled:

  *    Edit /etc/sysconfig/selinux so that it has the line `SELINUX=enforcing` and not `SELINUX=permissive` or `SELINUX=disabled`.

  14. Edit /etc/sysconfig/network-scripts/ifcfg-eth0 (only needed if you wish to support ipv6):

  ```
  BOOTPROTO=dhcp
  DEVICE=eth0
  HWADDR=<macaddr>
  ONBOOT=yes
  TYPE=Ethernet
  USERCTL=no
  IPV6INIT=yes
  IPV6_AUTOCONF=no
  IPV6_DEFROUTE=yes
  IPV6_FAILURE_FATAL=no
  IPV6ADDR=<ipv6-addr/cidr>
  IPV6_DEFAULTGW=<ipv6-gateway-addr>
  ZONE=<firewall-zone>
  ```

  15. Enable ipv6 (if wanted) by adding `NETWORKING_IPV6=yes` to /etc/sysconfig/network (obviously only if you're supporting ipv6).

  16. Add /etc/cloud/cloud.cfg.d/00_disable_cloud_init_networking.cfg, but only if you've done the manual network configuration above:

  ```
  network:
      config: disabled
  ```

  17. Allow SLA monitoring from OVH:

  1.    In your control panel find the SLA address ranges to allow,
        and issue a command similar to the following for each range:
        ``firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 1 -s <range> -j ACCEPT``

  2.    Then `firewall-cmd --complete-reload`

  18. Install epel-release to get the EPEL repository (`yum install epel-release`).

  19. Install yum-cron:

  *    Edit /etc/yum/yum-cron.conf and /etc/yum/yum-cron-hourly.conf to suit your preferences.