I lost access to my GoDaddy VPS CentOS 6 server after fat-fingering an openssl update and clobbering sshd in the process. GoDaddy technical support was unable to reinstall openssl then restart the server. They might not have physical access or a means of simulating physical access to my VPS instance. (With physical access to a non-virtual server, one would boot into single-user mode, reinstall openssl, and reboot normally.) It is my fault that I lost a server that was operational for almost 10 years. I learned not to hot update system libraries, ordered a new VPS running CentOS 7, and I am rebuilding. I am so glad I established data backup procedures!
I want to now share my experience with the GoDaddy VPS CentOS 7 installation.
Iptables is incomplete.
I recommend disabling iptables (“systemctl disable iptables”) before experimenting with it. This allows the server to reboot without the risk of applying inadvertently saved bad iptables rules, especially when a rule unexpectedly makes SSH inaccessible.
I have used iptables for my GoDaddy VPS running CentOS 6, but upon a fresh provisioning of GoDaddy VPS running CentOS 7, the following status is returned for iptables:
# systemctl -l status iptables
iptables: Applying firewall rules: iptables-restore: line 14 failed
Iptables can be started (“systemctl start iptables”) after fixing the “line 14 failed” issue with the following command:
# /usr/libexec/iptables/iptables.init save
In particular, issuing the following command fails:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
iptables: No chain/target/match by that name.
The iptables extension module responsible for ‘state’ is installed but unloadable. Attempts to load the module are ignored.
SELinux also does not work.
The configuration file, /etc/selinux/config, suggests that it is enforcing, but getenforce shows that SELinux is disabled. Furthermore, setenforce apparently ignores the command and confirms SELinux is disabled:
# setenforce Enforcing
setenforce: SELinux is disabled
swapon also does not work.
Entering the following commands yields the following:
# fallocate -l 4G /.swapfile
# chmod 600 /.swapfile
# mkswap /.swapfile
Setting up swapspace version 1, size = 4194300 KiB
no label, UUID=722XXXXX-XXXX-XXXX-XXXX-000000004a36
# swapon /.swapfile
swapon: /.swapfile: swapon failed: Operation not permitted
The VPS I ordered only has 1GB of memory. I am prevented from enabling a swap file, but I accept the challenge of maximally utilizing constrained resources.
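The iptables and SELinux sections above both describe a platform that silently fails to deliver what its own configuration claims. The script below is an added example, not part of the original post, of a read-only pre-flight check for those two gaps: it pulls the line number out of the “iptables-restore: line N failed” message in systemctl status output so the offending rule in /etc/sysconfig/iptables can be displayed, and it compares the SELINUX= mode requested in /etc/selinux/config with what getenforce reports. The parsing lives in functions that take command output as text, so they can be exercised against the constructed samples embedded in the script without root; the --live flag feeds them real command output on the server. The sample texts, the --live flag and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: read-only checks for two of the
# gaps described above (iptables ruleset fails to restore; SELinux config and
# runtime disagree). Pure functions take command output as text so they can be
# tested offline; run with --live on the server to inspect the real system.

# Extract N from "iptables-restore: line N failed" in `systemctl -l status iptables`
# output. Prints nothing when no restore failure is reported.
iptables_failed_line() {
    printf '%s\n' "$1" |
        sed -n 's/.*iptables-restore: line \([0-9][0-9]*\) failed.*/\1/p' |
        head -n 1
}

# Return 0 (true) when /etc/selinux/config ($1) asks for a mode other than the
# one `getenforce` ($2) reports, e.g. SELINUX=enforcing on a VPS that answers
# "Disabled". An absent SELINUX= line counts as "no request", i.e. no mismatch.
selinux_mismatch() {
    want=$(printf '%s\n' "$1" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | head -n 1)
    have=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -n "$want" ] && [ "$want" != "$have" ]; then
        return 0
    fi
    return 1
}

# Constructed samples mirroring the messages quoted in the post.
STATUS_SAMPLE='iptables.service - IPv4 firewall with iptables
   Active: failed (Result: exit-code)
iptables: Applying firewall rules: iptables-restore: line 14 failed'
SELINUX_CONFIG_SAMPLE='SELINUX=enforcing
SELINUXTYPE=targeted'

run_live_checks() {
    line=$(iptables_failed_line "$(systemctl -l status iptables 2>&1 || true)")
    if [ -n "$line" ]; then
        echo "iptables: /etc/sysconfig/iptables line $line does not restore:"
        sed -n "${line}p" /etc/sysconfig/iptables
    else
        echo "iptables: no restore failure reported"
    fi
    if [ -r /etc/selinux/config ] && command -v getenforce >/dev/null 2>&1; then
        if selinux_mismatch "$(cat /etc/selinux/config)" "$(getenforce)"; then
            echo "selinux: config requests a mode the kernel is not running (getenforce: $(getenforce))"
        else
            echo "selinux: config and runtime agree ($(getenforce))"
        fi
    fi
    # Container-style virtualization (openvz, lxc) is a common reason a guest
    # cannot load kernel modules, enable SELinux or turn on swap.
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        echo "virtualization: $(systemd-detect-virt 2>/dev/null || echo unknown)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

When the iptables check names a line, fix or delete that rule in /etc/sysconfig/iptables and re-run the check before re-enabling the service at boot; when the SELinux check reports a mismatch, the config file is not worth editing further on this platform, since the kernel is not honouring it.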
Although GoDaddy’s VPS configuration prevents me from deploying iptables and SELinux, I successfully hardened my installation by configuring MariaDB, rh-php72-php-fpm, and rpcbind to bind to 127.0.0.1 or ::1. I also deployed httpd with a certificate from Let’s Encrypt. Port scanners identified as open only ports that I exposed. Qualys SSL Labs SSL Server Test gave my server an “A” overall rating. I am pleased with the results of my effort.
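As an added example, not code from the original post, here is a local check for the closing paragraph’s claim that only intentionally exposed ports are reachable, which does not depend on an external port scanner. It reads listening TCP sockets in the format printed by “ss -ltn”, ignores anything bound to loopback (127.x or ::1, as MariaDB and php-fpm are above), and reports whatever else is listening on a port that is not in the allow-list of ports meant to be public. The socket table embedded in the script is constructed, with rpcbind (port 111) deliberately left on the wildcard address to show what a finding looks like; the --live flag and PUBLIC_PORTS list are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: report listening TCP sockets that
# are reachable from outside and were not deliberately exposed. Bindings to
# loopback (127.x or ::1) are ignored; anything else must be on the allow-list.

# $1: text in the format of `ss -ltn` (header line optional)
# $2: space-separated list of ports that are meant to be public
# Prints one "address:port" per unexpected listener; prints nothing when clean.
exposed_listeners() {
    printf '%s\n' "$1" | awk -v allow=" $2 " '
        $1 == "State" { next }                # header line
        NF < 4 { next }                       # blank or malformed line
        {
            laddr = $4                        # e.g. 127.0.0.1:3306, *:80, :::22, [::1]:9000
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            gsub(/\[/, "", addr)              # newer ss versions bracket IPv6 addresses
            gsub(/\]/, "", addr)
            if (addr == "::1" || substr(addr, 1, 4) == "127.") next
            if (index(allow, " " port " ") > 0) next
            print laddr
        }'
}

# Constructed sample table: MariaDB (3306) and php-fpm (9000) are bound to
# loopback as the post describes, sshd/httpd are public on purpose, rpcbind
# (111) has been left on the wildcard address to produce a finding.
SS_SAMPLE='State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128          *:22                       *:*
LISTEN     0      128          *:80                       *:*
LISTEN     0      128          *:443                      *:*
LISTEN     0      128          *:111                      *:*
LISTEN     0      50     127.0.0.1:3306                   *:*
LISTEN     0      128    127.0.0.1:9000                   *:*
LISTEN     0      128         :::22                      :::*
LISTEN     0      128        ::1:9000                    :::*'

# Ports this server intentionally serves (sshd, http, https); adjust to taste.
PUBLIC_PORTS="22 80 443"

if [ "${1:-}" = "--live" ]; then
    findings=$(exposed_listeners "$(ss -ltn)" "$PUBLIC_PORTS")
else
    findings=$(exposed_listeners "$SS_SAMPLE" "$PUBLIC_PORTS")
fi
if [ -n "$findings" ]; then
    echo "unexpected listeners:"
    echo "$findings"
else
    echo "no unexpected listeners"
fi
```

Run without arguments it evaluates the constructed sample and reports “*:111”; with --live it evaluates the server’s real socket table, which is the check worth repeating after every package install, since a newly installed daemon that defaults to 0.0.0.0 shows up here before any external scan finds it.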