Installing Base & Updates
We will now want to install the nice complementary things that CentOS can give us through yum. Yum is how we install applications and services.
Let's update what we have; this downloads the packages from the internet and then installs them automatically:
[root@backup01 ~]# yum -y update
Now we install the extras and tools that will help us along the way when configuring CentOS for whatever we want:
[root@backup01 ~]# yum -y groupinstall base
That should Complete!
Hostname
Ensure that your hostname is set correctly.
Type hostname followed by the desired FQDN, for example:
[root@backup01 ~]# hostname backup01.technical.network
Use vim to edit the network file and ensure the hostname inside it matches:
[root@backup01 ~]# vim /etc/sysconfig/network
To enter insert mode in vim, press the letter "i" on your keyboard.
To write and quit, press ESC, then type :wq at the bottom of the vim screen.
Disabling SELinux
SELinux is good for security, but most of the time it causes issues with letting things run properly, especially when configuring web servers. I prefer to disable it. Note that the sed command below sets SELINUX=permissive, which stops enforcement but keeps logging denials; setenforce 0 applies the same mode immediately without a reboot:
[root@backup01 ~]# sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
[root@backup01 ~]# setenforce 0
Forwarding emails for Root User
If any emails are sent to the root user in CentOS, they should go to a proper email account so we can read them. The emails that get sent to root can be of great use when problems occur, for example when a cron job or script runs without proper access.
Don't forget the "\t" (a tab) before the email address, and replace ENTERACCOUNT with your own address:
[root@backup01 ~]# printf "root:\tENTERACCOUNT@technical.network\n" >> /etc/aliases
[root@backup01 ~]# newaliases
DNS Configuration
DNS is always very important.
[root@backup01 ~]# vim /etc/resolv.conf
Use the search domain if you are running a domain; if so you will understand this. If you don't have a domain, or don't use a domain name for other servers, you can leave this line out.
Insert something like:
search technical.network
nameserver 10.0.0.1
nameserver 10.0.0.2
options single-request-reopen
ESC, :wq to save the file.
Edit the following file:
[root@backup01 ~]# vim /etc/hosts
Enter on the third line (or an empty line):
192.168.0.11 HOSTNAME_OF_SERVER.technical.network
Edit the IP and hostname to match the server (the FQDN you set above, e.g. backup01.technical.network).
IPTABLES Firewall configuration
iptables is the firewall service. We will configure it quite tightly so we can achieve better security.
[root@backup01 ~]# vim /etc/sysconfig/iptables
Remember, if you get this bit wrong you will not be able to connect to the server until you restart or undo the changes, because we will be restricting port 22, which is used for SSH access, to specific source addresses.
Moving on ..
These are the default settings:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
With your cursor on the top line, type 20 then dd to delete 20 lines so we can start fresh.
Then press the colon key on your keyboard and type in set paste:
:set paste
Then press the i key and paste the following:
#
# Technical Network firewall example 24/06/2018
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#
## Accept Localhost Connections ##
-A INPUT -i lo -j ACCEPT
#
## Accept & Rate Limit Ping ##
-A INPUT -s 192.168.1.0/24 -p icmp -m limit --limit 10/sec -j ACCEPT
#
## Allow Established TCP/UDP Connections ##
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
## Allow Systems SSH Connections ##
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
#
COMMIT
Any line in the file that begins with # is a comment, and you can write what you want there.
Edit the IP and netmask in the -s (source) sections as desired. This can be your private IP, a public IP, or even both. Put a comma after the first address to add more, depending on where you will be remoting into this server from (123.456.78.9 below is only a placeholder, not a valid address; replace it with your real one):
-A INPUT -s 192.168.1.0/24,123.456.78.9/32 -p tcp -m tcp --dport 22 -j ACCEPT
ESC, :wq
Now let's load this firewall. iptables-restore checks the configuration format as it goes: if a line is malformed it reports the error and the running rules are left unchanged, otherwise the new rules take effect immediately (the iptables service also reads this file at boot):
[root@backup01 ~]# iptables-restore < /etc/sysconfig/iptables
Before you close this SSH session, open a new one and ensure that you can still get in. If you can, great; if not, fix the source addresses in the file from the session you still have open.
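A pre-flight check for the lockout risk described above, added here as an example and not part of the original page: it parses the iptables-save format, walks the INPUT chain for a single new SSH connection from the address you administer from, and also flags any -s entry that is not a valid network (such as a placeholder left in). The sample ruleset is the page's hardened file with comments removed; the eth0 interface name is an assumption.

```python
import ipaddress

# Constructed sample: the hardened /etc/sysconfig/iptables this page installs, comments trimmed.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p icmp -m limit --limit 10/sec -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, [(chain, {flag: value})]); assumes one value per flag, as here."""
    policies, rules = {}, []
    for line in text.splitlines():
        toks = line.split()
        if line.startswith(":"):
            policies[toks[0][1:]] = toks[1]
        elif line.startswith("-A "):
            rules.append((toks[1], dict(zip(toks[2::2], toks[3::2]))))
    return policies, rules

def invalid_sources(text):
    """Every -s entry that is not a valid network, e.g. a placeholder address left in by mistake."""
    bad = []
    for _, opts in parse_filter(text)[1]:
        for net in filter(None, opts.get("-s", "").split(",")):
            try:
                ipaddress.ip_network(net, strict=False)
            except ValueError:
                bad.append(net)
    return bad

def would_accept(text, src, proto="tcp", dport=22, state="NEW", iface="eth0"):
    """Walk the INPUT chain for one packet (default: a new SSH connection) and say if it is accepted.
    -m limit is treated as always matching, i.e. the first packets get through."""
    policies, rules = parse_filter(text)
    for chain, o in rules:
        hit = (chain == "INPUT" and o.get("-i", iface) == iface and o.get("-p", proto) == proto
               and int(o.get("--dport", dport)) == dport and state in o.get("--state", state).split(",")
               and any(ipaddress.ip_address(src) in ipaddress.ip_network(n, strict=False)
                       for n in o.get("-s", "0.0.0.0/0").split(",")))
        if hit and o.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return o["-j"] == "ACCEPT"  # first terminating rule decides
    return policies.get("INPUT", "ACCEPT") == "ACCEPT"  # nothing matched: chain policy applies
```

Run would_accept(RULESET, "<your admin IP>") before iptables-restore; a False means the new file would lock you out.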