1. Overview
After a fresh installation of a RHEL/CentOS 7 server, a few basic configuration tasks should be completed before any further services or applications are installed and configured.
This tutorial covers those initial tasks for a newly installed RHEL/CentOS 7 Linux server.
2. Prerequisites
In this article, it is presumed that:
a. You already have a RHEL/CentOS 7 Linux server up and running. If you don't, you may want to read this first: Minimal RHEL/CentOS 7 Installation With Logical Volume Manager (LVM)
b. The server has an internet connection.
3. Configure Static IP Address
To configure a static IP address for the CentOS 7 server, edit the interface file /etc/sysconfig/network-scripts/ifcfg-eno16777728 (use the file whose name matches your interface as shown by ip link) as follows.
# vi /etc/sysconfig/network-scripts/ifcfg-eno16777728
BOOTPROTO="static"
ONBOOT="yes"
IPADDR="192.168.1.10"
NETMASK="255.255.255.0"
GATEWAY="192.168.1.1"
DNS1="192.168.1.1"
DNS2="8.8.8.8"
DOMAIN="techspacekh.com"
Then we need to restart the network service as the following.
#systemctl restart network
Check that the server now uses the new address and gateway. ip route shows the default route via the gateway (192.168.1.1) and the connected subnet with the new address (192.168.1.10) as its source.
# ip route
default via 192.168.1.1 dev eno16777728 proto static metric 100
192.168.1.0/24 dev eno16777728 proto kernel scope link src 192.168.1.10 metric 100
Check that /etc/resolv.conf has been regenerated with the DNS settings after the network restart.
# cat /etc/resolv.conf
# Generated by NetworkManager
search techspacekh.com
nameserver 192.168.1.1
nameserver 8.8.8.8
Normally, a minimal CentOS 7 installation enables NetworkManager to manage the network interfaces. The nmtui command (NetworkManager Text User Interface) opens its text interface in a terminal.
# nmtui
However, since we usually work directly with the ifcfg files when configuring the server's addresses, we can stop and disable NetworkManager and let the legacy network service, which stays enabled by default and reads the same ifcfg files at boot, manage the interfaces. Restart the network service afterwards.
# systemctl stop NetworkManager
# systemctl disable NetworkManager
# systemctl restart network
4. Enable EPEL Repository
Extra Packages for Enterprise Linux (EPEL) is an additional repository of high-quality add-on packages for RHEL (Red Hat Enterprise Linux), CentOS and Scientific Linux. It is maintained by the Fedora community and is free and open source.
Execute the following command to install the EPEL repository configuration. After installation, check that /etc/yum.repos.d/epel.repo has gpgcheck=1 and a gpgkey entry pointing to the EPEL key, so that every package pulled from it is signature-verified; a repository with gpgcheck=0 lets the mirror, or anyone between you and it, hand you arbitrary RPMs.
#yum -y install epel-release
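The signature-checking rule just described can be audited rather than eyeballed. The script below is an added example, not part of the original article or of the EPEL project: it parses yum .repo files (INI-style sections with key=value lines) and reports every enabled repository that lacks gpgcheck=1 or a gpgkey. The sample .repo file it writes is constructed for the demo; the epel section mirrors what epel-release installs, while vendor-tools is a hypothetical third-party repository with signature checking switched off.

```shell
#!/bin/bash
# Added example (not from the original article): audit yum .repo files so that
# every enabled repository verifies package signatures.

audit_repo_file() {
    # Usage: audit_repo_file /etc/yum.repos.d/epel.repo
    # Prints one finding per enabled repo section that lacks gpgcheck=1 or a
    # gpgkey; returns 1 if there was any finding, 0 if the file is clean.
    local findings
    findings=$(awk '
        function flush() {
            if (sect != "" && enabled != "0") {
                if (gpgcheck != "1")
                    printf "%s: gpgcheck is %s\n", sect, (gpgcheck == "" ? "unset" : gpgcheck)
                else if (gpgkey == "")
                    printf "%s: gpgcheck=1 but no gpgkey configured\n", sect
            }
        }
        /^[ \t]*\[[^]]+\][ \t]*$/ {              # [section] header starts a repo
            flush()
            sect = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sect)
            enabled = "1"; gpgcheck = ""; gpgkey = ""   # yum defaults to enabled=1
            next
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments and blank lines
        index($0, "=") {                          # key=value (value may itself contain "=")
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1);   gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled")       enabled  = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey")   gpgkey   = val
        }
        END { flush() }' "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

audit_repo_dir() {
    # Runs audit_repo_file over every *.repo in a directory (default /etc/yum.repos.d).
    local dir="${1:-/etc/yum.repos.d}" rc=0 f
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue
        audit_repo_file "$f" || rc=1
    done
    return $rc
}

make_sample_repo() {
    # Writes a constructed sample .repo file to a temp file and prints its path.
    # "vendor-tools" is hypothetical; the epel section matches epel-release's defaults.
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
enabled=0
gpgcheck=0

[vendor-tools]
name=Hypothetical vendor repository
baseurl=http://repo.example.com/el7/
enabled=1
gpgcheck=0
EOF
    printf '%s\n' "$f"
}

# Stand-alone run on the constructed sample; on a real host call audit_repo_dir.
sample=$(make_sample_repo)
audit_repo_file "$sample" || echo "  -> fix the repositories above before running yum"
rm -f "$sample"
```

Disabled sections (enabled=0) are skipped on purpose: a disabled repo cannot be used by yum unless someone enables it, at which point the audit catches it on the next run.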
5. Update OS
After the CentOS 7 installation it is important to update the operating system and all installed packages, and to keep them updated, so the server is stable and patched against known vulnerabilities.
To update the operating system and all installed packages, execute the following command.
#yum -y update
6. Install Basic Commands
The minimal CentOS 7 installation does not include some basic Linux commands that are needed to work with the system. So, before going any further with the new server, install the following packages. Note that telnet and nmap are diagnostic tools rather than server requirements; on a hardened production host you may prefer to leave them off, since anything installed is also available to an attacker after a compromise.
- net-tools for the ifconfig and netstat commands
- bind-utils for the nslookup and dig commands
- wget for the wget command
- telnet for the telnet client
- mailx for the mail command
- vim for the vim editor
- nmap to list open ports with the nmap command
- traceroute for the traceroute command
- w3m for the w3m text browser
- htop for the htop command
- iftop for the iftop command
- policycoreutils-python for the semanage command
# yum -y install net-tools bind-utils wget telnet mailx vim nmap traceroute w3m htop iftop policycoreutils-python
7. NTP, Date and Time Setting
7.1 Time Zone Setting
If we don't know the exact name of our time zone, we can list all available time zones with the following command.
# timedatectl list-timezones
[...]
Asia/Novokuznetsk
Asia/Novosibirsk
Asia/Omsk
Asia/Oral
Asia/Phnom_Penh
Asia/Pontianak
Asia/Pyongyang
Asia/Qatar
Asia/Qyzylorda
Asia/Riyadh
Asia/Sakhalin
[...]
To change the currently used time zone to our own time use the following command. The following will change the time zone to “Asia/Phnom_Penh”.
#timedatectl set-timezone Asia/Phnom_Penh
7.2 Date and Time Setting
The timedatectl command displays the current date and time along with the configuration of the system clock and the hardware clock (RTC).
# timedatectl
      Local time: Thu 2017-04-27 19:52:08 +07
  Universal time: Thu 2017-04-27 12:52:08 UTC
        RTC time: Thu 2017-04-27 12:52:08
       Time zone: Asia/Phnom_Penh (+07, +0700)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: n/a
To change the current time, execute timedatectl set-time HH:MM:SS as follows, where HH is the hour, MM the minute and SS the second. Note that timedatectl refuses to set the time while NTP synchronization is enabled (it reports that automatic time synchronization is enabled); manual setting is only for hosts without an NTP source.
# timedatectl set-time 13:30:00
To change the current date, we can execute command timedatectl set-time YYYY-MM-DD as the following. YYYY is for year, MM is for month, and DD is for day.
#timedatectl set-time 2017-04-27
We can also use the date command to display the current date and time.
# date
Thu Apr 27 20:02:50 +07 2017
7.3 NTP Client Setting
Chrony is the default NTP client/server in CentOS 7 and is normally installed even by the minimal installation. If it is missing, install it with the following command.
#yum -y install chrony
Once installed, start chronyd and enable it at boot so that it keeps the clock accurate.
# systemctl start chronyd
# systemctl enable chronyd
To enable automatic synchronization of the system clock with a remote NTP server, execute the following command.
#timedatectl set-ntp yes
To disable automatic synchronization of the system clock with a remote NTP server, execute the following command.
#timedatectl set-ntp no
To synchronize with a local NTP server, edit /etc/chrony.conf and add the line server 192.168.1.2 prefer as follows. The prefer option makes chrony favour that source over the others; adding iburst to it as well, as on the pool lines, speeds up the initial synchronization.
# vim /etc/chrony.conf
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
server 192.168.1.2 prefer
Then restart chronyd so that it re-reads the configuration.
# systemctl restart chronyd
The chronyc command shows detailed NTP information. The output below was captured right after the restart: the 7-second offset and the 10-second root dispersion mean chrony has not finished correcting the clock yet. Run it again a few minutes later and expect an offset in the millisecond range before relying on this server's timestamps.
# chronyc tracking
Reference ID    : 192.168.1.2 (ntp.techspacekh.com)
Stratum         : 4
Ref time (UTC)  : Thu Apr 27 10:20:09 2017
System time     : 7.206224442 seconds fast of NTP time
Last offset     : +10.208244324 seconds
RMS offset      : 3.228130341 seconds
Frequency       : 13.497 ppm fast
Residual freq   : +52.354 ppm
Skew            : 0.385 ppm
Root delay      : 0.015626 seconds
Root dispersion : 10.924638 seconds
Update interval : 60.4 seconds
Leap status     : Normal
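Reading chronyc tracking by eye is fine for one server; a check that can run from a provisioning script or a monitoring job is more useful, because wrong time breaks log correlation, certificate validation and Kerberos. The script below is an added example, not code from the original article or from the chrony project: it parses chronyc tracking output and fails when chrony has no reference source, the stratum is out of range, the leap status is not Normal, or the offset exceeds a tolerance. The three sample outputs are constructed; the "drifting" one reuses the figures shown above.

```shell
#!/bin/bash
# Added example (not from the original article): decide from `chronyc tracking`
# output whether the clock can be trusted.

ntp_health() {
    # Usage: chronyc tracking | ntp_health [max_offset_seconds]
    # Returns 0 when chrony is synchronised to a real source with a sane stratum,
    # a Normal leap status and an offset within the tolerance (default 1 s);
    # otherwise prints the reason and returns 1.
    local max="${1:-1}"
    awk -v max="$max" -F': *' '
        /^Reference ID/ { ref = $2 }
        /^Stratum/      { stratum = $2 + 0 }
        /^System time/  { split($2, a, " "); off = a[1] + 0; dir = a[3] }   # "7.2 seconds fast of NTP time"
        /^Leap status/  { leap = $2 }
        END {
            # chrony prints 0.0.0.0 (older) or 00000000 (newer) when it has no source
            if (ref == "" || ref ~ /^(0\.0\.0\.0|00000000)/) { print "not synchronised: reference ID " ref; exit 1 }
            if (stratum < 1 || stratum > 15)   { print "invalid stratum " stratum; exit 1 }
            if (leap != "Normal")              { print "leap status " leap; exit 1 }
            if (off > max)                     { printf "offset %.3f s %s of NTP time exceeds %s s\n", off, dir, max; exit 1 }
            printf "ok: stratum %d, offset %.6f s %s\n", stratum, off, dir
        }'
}

sample_tracking_healthy() {
    # Constructed output of a host that has settled (not captured from the article's server).
    cat <<'EOF'
Reference ID    : 192.168.1.2 (ntp.techspacekh.com)
Stratum         : 4
Ref time (UTC)  : Thu Apr 27 10:25:13 2017
System time     : 0.000312456 seconds slow of NTP time
Last offset     : -0.000102331 seconds
RMS offset      : 0.000410122 seconds
Frequency       : 13.497 ppm fast
Residual freq   : +0.012 ppm
Skew            : 0.385 ppm
Root delay      : 0.015626 seconds
Root dispersion : 0.001238 seconds
Update interval : 64.3 seconds
Leap status     : Normal
EOF
}

sample_tracking_drifting() {
    # The figures the article shows right after restarting chronyd: 7.2 s fast.
    cat <<'EOF'
Reference ID    : 192.168.1.2 (ntp.techspacekh.com)
Stratum         : 4
Ref time (UTC)  : Thu Apr 27 10:20:09 2017
System time     : 7.206224442 seconds fast of NTP time
Last offset     : +10.208244324 seconds
RMS offset      : 3.228130341 seconds
Frequency       : 13.497 ppm fast
Residual freq   : +52.354 ppm
Skew            : 0.385 ppm
Root delay      : 0.015626 seconds
Root dispersion : 10.924638 seconds
Update interval : 60.4 seconds
Leap status     : Normal
EOF
}

sample_tracking_unsynced() {
    # Constructed: what chrony reports before it has reached any server.
    cat <<'EOF'
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
EOF
}

# Stand-alone run over the three samples; on a real host: chronyc tracking | ntp_health 1
for s in sample_tracking_healthy sample_tracking_drifting sample_tracking_unsynced; do
    $s | ntp_health 1 || echo "  -> $s: clock not trustworthy"
done
```

The tolerance is an argument because what is acceptable depends on the consumer: Kerberos tolerates a few minutes, while correlating logs across hosts needs sub-second agreement.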
8. Set Host Name
To change the server's host name, edit /etc/hostname; the following sets it to "vkcent-web01".
# vim /etc/hostname
vkcent-web01
After that, reboot the server for the new name to be picked up everywhere. (On CentOS 7, hostnamectl set-hostname applies the same change immediately without a reboot.)
#reboot
9. Enable IPTables Instead of Firewalld
By default CentOS 7 uses firewalld (managed with firewall-cmd) as the front end to iptables, and the classic iptables service is not installed. If we prefer the classic iptables service, we need to stop, disable and mask firewalld so that it cannot be started again by accident, as follows.
# systemctl disable firewalld
# systemctl stop firewalld
# systemctl mask firewalld
Then, we need to install “iptables-services” package as the following.
#yum install iptables-services
Now enable and start the iptables service so that the saved rules are loaded automatically at boot.
# systemctl enable iptables
# systemctl start iptables
The following command lists the current iptables rules with packet counters and numeric addresses.
# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   36  2592 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    1   159 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 19 packets, 2072 bytes)
 pkts bytes target     prot opt in     out     source               destination
Rules can be added either from the command line with the iptables command or by editing /etc/sysconfig/iptables, which the iptables service loads at boot, so rules written there survive a restart. The default file, which opens only port 22 for SSH remote management, looks like the following (the file must end with COMMIT).
# vim /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Now let's open port 80 from the terminal with the iptables command. Rules added this way live only in the running kernel and are lost at reboot unless they are saved (see below). The new rule must also be placed before the chain's final REJECT rule: appending it with -A would put it after the REJECT, where it is never evaluated. The INPUT chain above has four ACCEPT rules followed by the REJECT (the --line-numbers option of iptables -L shows the positions), so insert the new rule at position 5.
# iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
List the rules again to confirm the new rule is there and sits above the REJECT.
# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  118  8624 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
   20  3250 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 5 packets, 776 bytes)
 pkts bytes target     prot opt in     out     source               destination
The running rules are not written to /etc/sysconfig/iptables automatically. To persist them so they are loaded again after a reboot, run the following command.
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
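The ordering mistake mentioned above (an ACCEPT appended after the chain's catch-all REJECT is never reached, yet shows up in the listing as if it worked) is easy to miss in a saved rules file and easy to audit for. The script below is an added example, not part of the original article: it parses an iptables-save style file such as /etc/sysconfig/iptables, reports every rule that sits after a catch-all REJECT or DROP in its chain, and rewrites the file so such rules are moved in front of the catch-all. The sample rules file is constructed to reproduce the shadowed port 80 rule. It assumes a single *filter table and treats identical rule lines as one rule.

```shell
#!/bin/bash
# Added example (not from the original article): find and fix rules that can
# never match because they follow a catch-all REJECT/DROP in the same chain.

find_shadowed_rules() {
    # Usage: find_shadowed_rules /etc/sysconfig/iptables
    # Prints each unreachable rule with the catch-all that shadows it; returns 1
    # if any were found, 0 otherwise.
    local findings
    findings=$(awk '
        $1 == "-A" {
            if ($2 in closed) { print "unreachable (after " closed[$2] " catch-all in " $2 "): " $0; next }
            # a catch-all has no match options: the -j flag comes right after the chain name
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) closed[$2] = $4
        }' "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

fix_shadowed_rules() {
    # Usage: fix_shadowed_rules /etc/sysconfig/iptables > /tmp/iptables.fixed
    # Rewrites the file so every shadowed rule is emitted just before its chain's
    # catch-all, keeping the order of everything else. Reads the file twice.
    awk '
        NR == FNR {                                        # pass 1: record shadowed rules per chain
            if ($1 == "-A") {
                if ($2 in closed) { held[$2] = held[$2] $0 "\n"; skip[$0] = 1 }
                else if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) closed[$2] = 1
            }
            next
        }
        FNR == 1 { for (k in closed) delete closed[k] }    # pass 2: reset chain state
        ($0 in skip) { next }                              # drop the rule from its old place
        $1 == "-A" && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") && !($2 in closed) {
            printf "%s", held[$2]                          # re-emit held rules before the catch-all
            closed[$2] = 1
        }
        { print }' "$1" "$1"
}

make_sample_rules() {
    # Constructed /etc/sysconfig/iptables reproducing the mistake: the port 80
    # ACCEPT was appended (iptables -A) after the INPUT chain's REJECT.
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: report the problem, then print the corrected file.
sample=$(make_sample_rules)
find_shadowed_rules "$sample" || echo "  -> corrected file follows"
fix_shadowed_rules "$sample"
rm -f "$sample"
```

Run find_shadowed_rules against /etc/sysconfig/iptables after every service iptables save; a non-zero exit is a sign that a rule was added with -A instead of -I and the service you thought you opened (or blocked) is not actually reachable the way the listing suggests.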
10. Change NIC Name
In CentOS 7 the names of network interfaces are derived automatically from firmware, topology and location information, which can produce long names such as eno16777728. Many administrators prefer the traditional short names, so this section shows how to rename the interface.
# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777728: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:7f:fd:78 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.114/24 brd 192.168.1.255 scope global eno16777728
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe7f:fd78/64 scope link
       valid_lft forever preferred_lft forever
10.1 Method 1
To permanently rename the interface to the traditional Linux name (eth0, eth1, ...), edit /etc/udev/rules.d/90-eno-fix.rules and comment out the line starting with SUBSYSTEM. Then copy that line just below the commented one and change NAME="eno16777728" to NAME="eth0" as follows. The MAC address in ATTR{address} must be the one your interface reports in ip link; the rule only applies to the device with that address.
# vim /etc/udev/rules.d/90-eno-fix.rules
#SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:b2:bc:95", NAME="eno16777728"
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:b2:bc:95", NAME="eth0"
Then, rename the interface file ifcfg-eno16777728 in directory /etc/sysconfig/network-scripts to ifcfg-eth0 as the following.
#mv /etc/sysconfig/network-scripts/ifcfg-eno16777728 /etc/sysconfig/network-scripts/ifcfg-eth0
Then edit /etc/sysconfig/network-scripts/ifcfg-eth0 and change NAME and DEVICE from "eno16777728" to "eth0" as follows.
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
NAME="eth0"
DEVICE="eth0"
Finally, reboot the server and verify the new interface name as below.
# reboot
# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b2:bc:95 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb2:bc95/64 scope link
       valid_lft forever preferred_lft forever
To rename the interface interactively, without udev rules or a reboot, we can do the following; the change is lost at the next restart, and the interface is briefly down while it is renamed, so do this from the console rather than over SSH on that interface.
# ifdown eno16777728
# ip link set eno16777728 name eth0
Then again, rename the interface file ifcfg-eno16777728 in directory /etc/sysconfig/network-scripts to ifcfg-eth0 as the following.
#mv /etc/sysconfig/network-scripts/ifcfg-eno16777728 /etc/sysconfig/network-scripts/ifcfg-eth0
Then edit /etc/sysconfig/network-scripts/ifcfg-eth0 and change NAME and DEVICE from "eno16777728" to "eth0" as follows.
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
NAME="eth0"
DEVICE="eth0"
Finally, execute the following command to bring up the interface.
#ifup eth0
Verify the new interface name as below.
# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b2:bc:95 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb2:bc95/64 scope link
       valid_lft forever preferred_lft forever
10.2 Method 2
If the udev method does not work, disable the predictable naming scheme on the kernel command line instead. Edit /etc/default/grub and append net.ifnames=0 biosdevname=0 to the end of the line starting with GRUB_CMDLINE_LINUX, as follows.
# vim /etc/default/grub
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=vg-systems/lv-root rd.lvm.lv=vg-systems/lv-swap rd.lvm.lv=vg-systems/lv-usr rhgb quiet net.ifnames=0 biosdevname=0"
Run grub2-mkconfig to regenerate the GRUB configuration from the current settings. On a BIOS system the file is /boot/grub2/grub.cfg; on a UEFI system write to /boot/efi/EFI/centos/grub.cfg instead.
#grub2-mkconfig -o /boot/grub2/grub.cfg
Then again, rename the interface file ifcfg-eno16777728 in directory /etc/sysconfig/network-scripts to ifcfg-eth0 as the following.
#mv /etc/sysconfig/network-scripts/ifcfg-eno16777728 /etc/sysconfig/network-scripts/ifcfg-eth0
Then edit /etc/sysconfig/network-scripts/ifcfg-eth0 and change NAME and DEVICE from "eno16777728" to "eth0" as follows.
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
NAME="eth0"
DEVICE="eth0"
Finally, reboot the server and verify the new interface name as below.
# reboot
# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b2:bc:95 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb2:bc95/64 scope link
       valid_lft forever preferred_lft forever
11. Disable IPv6
IPv6 is enabled by default unless it was disabled during the CentOS 7 installation. If the server does not need IPv6, disabling it removes a network path that would otherwise be left unfiltered: the iptables rules above apply to IPv4 only, so a reachable IPv6 address needs matching ip6tables rules. If you keep IPv6, enable and configure the ip6tables service from the same iptables-services package. One caveat of disabling it through sysctl: Postfix then fails to start unless inet_protocols is set to ipv4 in /etc/postfix/main.cf (Postfix is disabled in the next section anyway).
# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b2:bc:95 brd ff:ff:ff:ff:ff:ff
    inet 10.111.102.56/24 brd 10.111.102.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:feb2:bc95/64 scope link
       valid_lft forever preferred_lft forever
To disable IPv6, append the following lines to /etc/sysctl.conf.
# vim /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
After editing, execute the following command to make the settings effective.
#sysctl -p
Verify that IPv6 is now inactive: no inet6 lines appear.
# ip add
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:b2:bc:95 brd ff:ff:ff:ff:ff:ff
    inet 10.111.102.56/24 brd 10.111.102.255 scope global eth0
       valid_lft forever preferred_lft forever
12. Disable Postfix
A minimal CentOS 7 installation enables Postfix by default, listening on localhost. If the server will not provide an SMTP service, stop and disable the Postfix master daemon with the following commands; every service that is not running is one less thing to patch and monitor.
# systemctl stop postfix
# systemctl disable postfix
13. Enable SELinux
Security Enhanced Linux (SELinux) is an important part of the security baseline of any RHEL/CentOS server. It is strongly recommended to leave it enabled in enforcing mode wherever possible in production. Disabling SELinux because one service or application does not work properly removes a key layer of protection for the whole server; use the semanage command (installed above with policycoreutils-python) and the audit log to fix the individual denial instead.
After installing RHEL/CentOS, SELinux is enabled and running in enforcing mode by default. The sestatus command shows the current status.
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
If SELinux has been disabled, enable it again by editing /etc/selinux/config as follows; a reboot is required for the change to take effect, and the first boot after re-enabling relabels the file system.
# vim /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
# reboot
14. Login Banner
Following the publication of the Computer Misuse Act 1990, it is strongly recommended that computers display a banner before allowing users to log in. The Act stipulates that an offence of unauthorised access can only be committed if the offender knew at the time that the access was unauthorised. The Regulation of Investigatory Powers Act 2000 also requires that information be given to users who access the computer. Login banners are the simplest way to achieve this.
14.1 Banner Before Users Login
To display a banner to SSH users before they log in, create a file in /etc/ssh, for example loginbanner.txt, with content like the example below.
# cd /etc/ssh
# vim loginbanner.txt
UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED!
You must have explicit permission to access or configure this system.
All activities performed on this system may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement.
There is no right to privacy on this system. Use of this system shall constitute consent to monitoring.
Edit /etc/ssh/sshd_config and set the Banner directive to that file.
# vim /etc/ssh/sshd_config
Banner /etc/ssh/loginbanner.txt
Then we need to restart sshd service and test remote SSH to server for login.
#systemctl restart sshd
14.2 Banner After Users Login
To display a banner after login, edit /etc/motd and add content like the following example.
# vim /etc/motd
Authorized Access Only!
If you are not an authorized user, disconnect IMMEDIATELY!
All connections are monitored and recorded.
Now connect over SSH again: the banner is displayed after a successful login.
The same banner also appears after a successful login on a console session.
15. Delegation Root Privilege with Sudoers
It is security best practice not to log in as root, whether from the console or remotely. Log in as a normal user and use sudo for the tasks that require root privileges. For more detail about sudo, see Linux Privilege Delegation With Sudoers. Until a user has been granted sudo rights, the attempt is refused and logged:
[vannath@vkcent-web01 ~]$ sudo yum update

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for vannath:
vannath is not in the sudoers file.  This incident will be reported.
Now let's delegate to the user alias SYSADMIN, whose members are vannath and solida, the ability to run any command as root by editing /etc/sudoers with visudo (which checks the syntax before saving, so a typo cannot lock everyone out). NOPASSWD: ALL means these users are never asked for their password; leaving it out makes sudo prompt, which limits what someone at an unattended but unlocked session can do, at the cost of convenience.
# visudo
User_Alias SYSADMIN = vannath, solida
SYSADMIN ALL=(ALL:ALL) NOPASSWD: ALL
Now we should get a successful result when executing the following command again.
[vannath@vkcent-web01 ~]$ sudo yum update
16. Set Console Session Idle Timeout Interval
A console session with no idle timeout is a security risk: people walk away without locking their screen while their session on the server stays open, and anyone passing by can use it. Create /etc/profile.d/autologout.sh as follows. TMOUT is read by bash for interactive shells (including SSH sessions) and is in seconds, so 300 gives a 5-minute idle timeout; readonly stops users from unsetting it in their own shell.
$ sudo vim /etc/profile.d/autologout.sh
TMOUT=300
readonly TMOUT
export TMOUT
The file only needs to be readable, because /etc/profile sources every readable *.sh file in /etc/profile.d rather than executing it; setting the executable bit as below is harmless but not required.
$sudo chmod +x /etc/profile.d/autologout.sh
17. Conclusion
You have now completed the initial setup of the newly installed RHEL/CentOS 7 server, and it is ready for the installation and configuration of services or applications such as a web server. If you have any questions or suggestions, leave a comment below; I will do my best to review and reply to them.