How to configure CentOS 6 after installation

Installing Base & Updates

We will now install the useful extras that CentOS offers through yum. Yum is the package manager we use to install applications and services.

First update what is already installed; yum downloads the updated packages from the configured repositories and installs them automatically:
[root@backup01 ~]# yum -y update

Next install the extras and tools that will help us along the way, whatever we end up configuring CentOS for:
[root@backup01 ~]# yum -y groupinstall base

That should complete without errors.

Hostname

Ensure that your hostname is set correctly.

Set the running hostname by typing hostname followed by the desired FQDN, for example:
[root@backup01 ~]# hostname backup01.technical.network

That change is lost at reboot, so also use vim to edit the network file and make sure the HOSTNAME= line carries the same FQDN (HOSTNAME=backup01.technical.network in this example):
[root@backup01 ~]# vim /etc/sysconfig/network

To enter insert mode in vim, press the letter "i" on your keyboard.

To write the file and quit, press ESC, then type :wq at the bottom of the vim window and press Enter.

Disabling SELinux

SELinux is good for security, but it often gets in the way of getting services to run properly, especially when configuring web servers. I prefer to turn enforcement off:
[root@backup01 ~]# sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
[root@backup01 ~]# setenforce 0

Note that this puts SELinux into permissive mode rather than disabling it outright: the policy stays loaded and every access that would have been blocked is still logged to /var/log/audit/audit.log, which is exactly the evidence you need if you later want to fix the policy and go back to enforcing with setenforce 1. The sed edit makes the change survive a reboot; setenforce 0 applies it immediately. Check the result with getenforce, which should print Permissive. The quotes in the sed command must be plain straight quotes; curly quotes copied from a web page will not work.

Forwarding emails for Root User

Any mail sent to the root user on CentOS should end up in a real mailbox so that someone actually reads it. Cron job output and error reports go to root, and they are of great use when something breaks or a script runs without the access it needs.

The \t in the printf below is a tab separating the alias name from the address; do not leave it out. newaliases then rebuilds the aliases database so the mail server picks up the change:
[root@backup01 ~]# printf "root:\tENTERACCOUNT@technical.network\n" >> /etc/aliases
[root@backup01 ~]# newaliases

This only helps if the local mail server (Postfix on a default CentOS 6 install) can deliver to that domain, so send root a test message and confirm it arrives in the mailbox you chose.

DNS Configuration

DNS is always important, so set the resolvers explicitly:
[root@backup01 ~]# vim /etc/resolv.conf

The search line sets the domain that is appended to short names; use it if this server is part of a domain (you will know if it is). If you do not run a domain, or only use a domain name for other servers, leave that line out.

Insert something like:

search technical.network
nameserver 10.0.0.1
nameserver 10.0.0.2
options single-request-reopen

ESC, :wq to save the file.

On CentOS 6 this file is rewritten by dhclient (and by NetworkManager, if it is running) every time a DHCP lease is renewed. If the interface gets its address from DHCP, add PEERDNS=no to its /etc/sysconfig/network-scripts/ifcfg-* file, or put the same servers there as DNS1 and DNS2, otherwise your edit will not last.

Edit the following file:
[root@backup01 ~]# vim /etc/hosts

Add a line after the existing localhost entries (leave those as they are) with the server's own IP address, its FQDN and its short name:

192.168.0.11     backup01.technical.network     backup01

Edit the IP and hostname to match your server.
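The steps from the hostname section down to here, as an added example that is not part of the original post: the same edits written as idempotent shell functions, so running them twice leaves the files unchanged. The ROOT variable and the function names are assumptions introduced for this example (ROOT lets you rehearse the edits against a scratch directory before touching a live box); the hostnames, addresses and the ENTERACCOUNT placeholder are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post: the hostname, SELinux, root
# alias, resolv.conf and /etc/hosts steps as idempotent functions. ROOT is an
# assumption introduced here: point it at a scratch directory (ROOT=/tmp/stage)
# to rehearse the edits, or leave it at / to change a live CentOS 6 box.
# Runtime-only commands (hostname, setenforce, newaliases) run only when ROOT=/.
ROOT="${ROOT:-/}"

# set_kv FILE KEY VALUE: make FILE contain exactly one "KEY=VALUE" line.
set_kv() {
    file="$ROOT$1"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -q "^$2=" "$file"; then
        sed -i "s|^$2=.*|$2=$3|" "$file"        # already present: replace
    else
        printf '%s=%s\n' "$2" "$3" >> "$file"    # first time: append
    fi
}

# set_hostname FQDN: insist on a dotted name, persist it, then apply it live.
set_hostname() {
    case "$1" in
        *.*) ;;
        *) echo "refusing '$1': the hostname should be the FQDN" >&2; return 1 ;;
    esac
    set_kv /etc/sysconfig/network HOSTNAME "$1"
    if [ "$ROOT" = / ]; then hostname "$1"; fi
}

# set_selinux_mode enforcing|permissive|disabled: edit /etc/selinux/config and
# switch the running mode. Permissive keeps the policy loaded and logs every
# would-be denial to /var/log/audit/audit.log, which is why it is preferred
# over "disabled" while a service is being debugged.
set_selinux_mode() {
    case "$1" in
        enforcing|permissive|disabled) ;;
        *) echo "unknown SELinux mode '$1'" >&2; return 1 ;;
    esac
    set_kv /etc/selinux/config SELINUX "$1"
    if [ "$ROOT" = / ] && command -v setenforce >/dev/null 2>&1; then
        if [ "$1" = enforcing ]; then setenforce 1; else setenforce 0; fi
    fi
}

# set_root_alias ADDRESS: route root's mail to ADDRESS (tab-separated, as in
# the post's printf) without duplicating the entry, then rebuild aliases.db.
set_root_alias() {
    file="$ROOT/etc/aliases"
    tab="$(printf '\t')"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -q '^root:' "$file"; then
        sed -i "s|^root:.*|root:$tab$1|" "$file"
    else
        printf 'root:\t%s\n' "$1" >> "$file"
    fi
    if [ "$ROOT" = / ]; then newaliases; fi
}

# write_resolv SEARCHDOMAIN NS1 [NS2 ...]: rewrite resolv.conf. Pass "" as the
# search domain to omit the search line.
write_resolv() {
    file="$ROOT/etc/resolv.conf"
    search="$1"; shift
    mkdir -p "$(dirname "$file")"
    {
        if [ -n "$search" ]; then printf 'search %s\n' "$search"; fi
        for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done
        printf 'options single-request-reopen\n'
    } > "$file"
}

# add_host_entry IP FQDN SHORT: add the box's own line to /etc/hosts once.
add_host_entry() {
    file="$ROOT/etc/hosts"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -qE "[[:space:]]$2([[:space:]]|\$)" "$file"; then return 0; fi
    printf '%s\t%s %s\n' "$1" "$2" "$3" >> "$file"
}

# The post's values; ENTERACCOUNT is the placeholder the post uses.
configure_base() {
    set_hostname backup01.technical.network
    set_selinux_mode permissive
    set_root_alias ENTERACCOUNT@technical.network
    write_resolv technical.network 10.0.0.1 10.0.0.2
    add_host_entry 192.168.0.11 backup01.technical.network backup01
}

# Only act when invoked as "sh configure-base.sh apply"; sourcing is a no-op.
case "${1:-}" in apply) configure_base ;; esac
```

Rehearse with ROOT=/tmp/stage sh configure-base.sh apply and inspect the files under /tmp/stage/etc; once they look right, run the same command as root with ROOT unset to change the live system.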

IPTABLES Firewall configuration

iptables is the firewall service. We will configure it fairly tightly so that only what we actually need is reachable:
[root@backup01 ~]# vim /etc/sysconfig/iptables

Remember, if you get this bit wrong you will not be able to connect to the server until you restart or undo the changes, because we will be restricting port 22, which is what allows SSH access. Keep your current session open while you work and have console access (KVM or the hypervisor console) ready in case you lock yourself out.

Moving on ..

These are the default settings, as written by system-config-firewall:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

With the cursor anywhere in the file, type ggdG to delete every line so we can start fresh (gg jumps to the top, dG deletes to the end, so it works whatever the length of the file).

Then type :set paste so vim does not auto-indent or auto-comment what you paste:

:set paste

Then press the i key to enter insert mode and paste the following:

#
# Technical Network firewall example 24/06/2018
#
*filter
:INPUT DROP     [0:0]
:FORWARD DROP   [0:0]
:OUTPUT ACCEPT  [0:0]
#
## Accept Localhost Connections          ##
-A INPUT -i lo -j ACCEPT
#
## Accept & Rate Limit Ping              ##
-A INPUT -s 192.168.1.0/24 -p icmp -m limit --limit 10/sec -j ACCEPT
#
## Allow Established TCP/UDP Connections ##
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
## Allow Systems SSH Connections             ##
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
#
COMMIT

Anything in the file that begins with a # is a comment, so you can write what you want on those lines.

Edit the IP and netmask in the two -s sections (the ping rule and the SSH rule) as desired. This can be your private network, a public IP, or both. To allow more than one source, separate them with commas and add one for each place you will be remoting in from; iptables expands the list into one rule per address when it loads the file. Use real addresses: something like 123.456.78.9 is not a valid IPv4 address (an octet cannot be above 255) and iptables-restore will reject the whole file. For example, with a LAN and one public address (203.0.113.9 is from a documentation range, substitute your own):

-A INPUT -s 192.168.1.0/24,203.0.113.9/32 -p tcp -m tcp --dport 22 -j ACCEPT

ESC, :wq

Now load the firewall from the file. iptables-restore applies the whole ruleset in one go, and if there is a mistake in the format it rejects the entire file and leaves the running rules untouched, so this doubles as a syntax check:
[root@backup01 ~]# iptables-restore < /etc/sysconfig/iptables

Confirm what is actually loaded with iptables -L -n -v, and run chkconfig iptables on so the iptables service starts at boot and applies the saved file after a reboot.

Before you close this SSH session, open a new one and make sure you can still get in. If you can, the firewall is doing what we intended; if you cannot, use the session you still have open (or the console) to fix the file and load it again.
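The firewall steps above, as an added example that is not the post's own code: a script that generates the ruleset from a list of management networks, validates each address first (a malformed one such as 123.456.78.9 would make iptables-restore reject the whole file), and loads it with an automatic roll-back timer so that a mistake cannot lock you out. The function names, the GUARD window and the /root/iptables.rollback path are assumptions made for this example; the rules themselves are the ones shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: builds the ruleset above from
# a list of management networks, rejects malformed addresses, and loads it
# with an automatic roll-back. Function names, the GUARD window and the
# /root/iptables.rollback path are assumptions made for this example.

# valid_cidr A.B.C.D[/N]: four octets of 0-255 and an optional prefix of 0-32.
valid_cidr() {
    addr="${1%%/*}"
    prefix="${1#*/}"
    if [ "$prefix" = "$1" ]; then prefix=32; fi      # no "/N" part given
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in .*|*.|*..*) return 1 ;; esac     # empty octet somewhere
    oldifs="$IFS"; IFS=.; set -- $addr; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rules "NET1 NET2 ...": print the iptables-restore file. Default DROP on
# INPUT and FORWARD, loopback open, rate-limited ping and SSH only from the
# listed networks; everything else falls through to the DROP policy.
gen_rules() {
    [ -n "$1" ] || { echo "gen_rules: no management networks given, refusing to lock you out" >&2; return 1; }
    for net in $1; do
        valid_cidr "$net" || { echo "gen_rules: bad network '$net'" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for net in $1; do
        printf '%s\n' "-A INPUT -s $net -p icmp -m limit --limit 10/sec -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for net in $1; do
        printf '%s\n' "-A INPUT -s $net -p tcp -m tcp --dport 22 -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# apply_guarded FILE: iptables-restore loads FILE atomically and refuses the
# whole file on a syntax error, leaving the running rules untouched. After a
# successful load a background timer puts the previous rules back unless the
# operator, having confirmed that a NEW ssh session works, kills it in time.
GUARD="${GUARD:-120}"                               # seconds before roll-back
apply_guarded() {
    iptables-save > /root/iptables.rollback || return 1
    if ! iptables-restore < "$1"; then
        echo "ruleset rejected; running rules unchanged" >&2
        return 1
    fi
    ( sleep "$GUARD" && iptables-restore < /root/iptables.rollback ) &
    echo "$!" > /root/iptables.guard.pid
    echo "loaded $1; open a NEW ssh session, then run: kill \$(cat /root/iptables.guard.pid)"
    echo "otherwise the previous rules come back in $GUARD seconds"
}

# Usage: sh firewall.sh apply "192.168.1.0/24 203.0.113.9/32"
case "${1:-}" in
    apply)
        gen_rules "$2" > /etc/sysconfig/iptables.new &&
        mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables &&
        apply_guarded /etc/sysconfig/iptables &&
        chkconfig iptables on        # make the saved file load at boot
        ;;
esac
```

Run it as root from the session you already have, open a second SSH session, and only then kill the guard. If the second session cannot connect, do nothing: the old rules return by themselves when the timer expires.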