[TOP TIP] CentOS 7 - easy setup guide
CentOS is built around RPM packages that change little over the years. That makes it one of the most stable and secure platforms, at the cost of some newer features. Third-party repositories offer the latest and greatest, but that is not something you want on an internet-facing server.
Below is a quick setup guide to get you started with a new and clean CentOS 7 server:
kernel
By default you get a custom Linode kernel, which is sufficient for most people. If you want to use the SELinux security extensions, you need the stock CentOS kernel, so install it and boot from it:
* Install the kernel and grub2 with: yum install kernel.x86_64 grub2
* Auto-configure grub2 with: grub2-mkconfig -o /boot/grub2/grub.cfg
* In the Linode Manager, edit the Linode's configuration profile and set "GRUB 2" as the boot kernel.
* Reboot
limit to 2 kernels only
Limit yum to keeping 2 installed kernel versions (the CentOS default is 5), so very old kernels do not waste space in /boot. Edit the file /etc/yum.conf and set the following parameter:
installonly_limit=2
kdump
Disable kdump, the crash-dump capture service. Almost nobody needs it on a VM, and it reserves memory for the crash kernel that the rest of the system cannot use:
systemctl stop kdump
systemctl disable kdump
systemctl mask kdump
hostname
Set the FQDN (fully qualified domain name) of the server with the following command:
hostnamectl set-hostname beautiful.server.tld
system emails
By default, system emails (cron output, security notices and the like) are delivered to the local root mailbox, where nobody reads them. Most of the time, we prefer to have them sent to a real email address. Edit the /etc/aliases file; at the bottom of the file you should see something like:
# Person who should get root's mail
#root: marc
Change "marc" to a real email address and uncomment the whole line, then run newaliases so the aliases database is rebuilt (editing the text file alone changes nothing):
# Person who should get root's mail
root: admin@example.tld
timezone
It is important to set the timezone: log timestamps and cron schedules use it, and you cannot correlate events across systems if it is wrong. Note that what TLS certificate validation actually depends on is a correct clock, which the chrony section below takes care of; the system clock itself runs in UTC regardless of the zone. List the valid zone names with timedatectl list-timezones and set one with:
timedatectl set-timezone 'Europe/London'
SELinux
If you REALLY know what you are doing, install and enable SELinux with:
yum install selinux-policy selinux-policy-targeted policycoreutils-python
After installing the policy, set SELINUX=enforcing in /etc/selinux/config and relabel the filesystem on the next boot (touch /.autorelabel), otherwise SELinux stays off. You also need to disable the network auto-configuration feature in the Linode Manager, because the files it rewrites at boot trigger AVC denials under SELinux, and you need to run restorecon on files like /etc/resolv.conf that the Linode Manager has already modified, so they get the correct labels. But as mentioned, if you use SELinux then you know what you are doing.
sshd
The default settings of the ssh daemon are not secure enough. Keep a second session open while you work, modify /etc/ssh/sshd_config and make the following changes:
* Port XYZ (move off the default 22, which is constantly hammered by brute-force bots; this is obscurity, not security, but it cuts the log noise considerably)
* Protocol 2 (force protocol 2; current OpenSSH releases have removed protocol 1 server support entirely, so on an up-to-date CentOS 7 the line is harmless but redundant)
* PermitRootLogin without-password (root may log in with a key only; prohibit-password is the newer spelling of the same value in OpenSSH 7.0 and later, and without-password still works)
* MaxSessions 5 (limit multiplexed sessions per connection to 5, or whatever you prefer based on your needs)
* PermitEmptyPasswords no (obviously…)
* PasswordAuthentication no (disable passwords, only allow keys; make sure your public key is in ~/.ssh/authorized_keys and that a fresh login works before you close the session you are in)
* ChallengeResponseAuthentication no (obviously…; with both this and PasswordAuthentication off, PAM can no longer accept a password either)
* X11Forwarding no (most servers don't use X11 anyway; it should never be enabled)
* UseDNS no (sshd no longer does a reverse lookup of the connecting client's IP and checks that the name maps back; that check adds nothing to authentication and makes logins hang when DNS is slow or broken)
Validate the file with sshd -t before restarting sshd, so a typo does not lock you out. You need to allow the new port through whatever firewall you are using. If you use SELinux, you also need to label the new port as ssh_port_t with semanage port, or sshd will not be allowed to bind to it.
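As an added example (not code from the original post), here are the sshd changes above as a re-runnable script. It replaces an existing directive, active or commented out, and inserts a missing one before the first Match block so that it stays global; it then shows the resulting active settings. The port number 2222 and the abridged sample config are assumptions made for the demo, and the real-host commands are left as comments.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the sshd_config
# directives listed above idempotently: an existing line (active or
# "#Key ..." commented default) is replaced in place, a missing one is
# inserted before the first Match block so it stays global. The port
# 2222 and the sample config below are assumptions made for this demo.
set -u

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        # Keep the directive global: emit it before the first Match block
        # if it was not seen earlier in the file.
        /^[ \t]*Match[ \t]/ && !done { print key " " value; done = 1 }
        # First occurrence of the directive, even a commented-out default.
        $0 ~ ("^[# \t]*" key "([ \t]|$)") && !done {
            print key " " value; done = 1; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# sshd_option FILE KEY: the first active value of KEY (sshd uses first match)
sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT: the settings from the list above
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" PermitRootLogin without-password
    set_sshd_option "$1" MaxSessions 5
    set_sshd_option "$1" PermitEmptyPasswords no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" X11Forwarding no
    set_sshd_option "$1" UseDNS no
}

# Constructed, abridged stand-in for a stock /etc/ssh/sshd_config.
DEMO_CFG=$(mktemp)
trap 'rm -f "$DEMO_CFG"' EXIT
cat > "$DEMO_CFG" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
#UseDNS yes
Match User backup
    PasswordAuthentication yes
EOF

harden_sshd_config "$DEMO_CFG" 2222
echo "Active directives after hardening:"
grep -Ev '^[ \t]*(#|$)' "$DEMO_CFG"

# On the real host (not run here):
#   harden_sshd_config /etc/ssh/sshd_config 2222
#   sshd -t                                      # syntax check before restarting
#   semanage port -a -t ssh_port_t -p tcp 2222   # SELinux hosts only
#   firewall-cmd --permanent --add-port=2222/tcp && firewall-cmd --reload
#   systemctl restart sshd                       # then test a NEW session before logging out
```

The Match-scoped PasswordAuthentication yes for the backup user is deliberately left alone: sshd applies a Match block only to matching connections, and the script only manages the global section.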
avahi
Various garbage like avahi (mDNS/zeroconf service discovery) has no place on a server. Stop, disable and remove it, and repeat the removal if an update pulls it back in:
systemctl stop avahi-daemon.socket avahi-daemon.service
systemctl disable avahi-daemon.socket avahi-daemon.service
rpm -e avahi
disable vulnerable kernel modules
dccp and sctp are network protocols almost no server uses, and both have a history of kernel vulnerabilities, so take them out of the attack surface by preventing them from ever being loaded (an "install MOD /bin/true" rule makes modprobe run /bin/true instead of loading the module):
echo "install dccp /bin/true" > /etc/modprobe.d/dccp.conf
echo "install sctp /bin/true" > /etc/modprobe.d/sctp.conf
disable unused file systems
In most cases you do not need to mount these file systems (remote ones like NFS and CIFS, plus exotic and removable-media ones), so disable their modules; the list also covers some unneeded protocol families (Bluetooth, AppleTalk, RDS, TIPC). If you do need one, leave that line out. Edit the file /etc/modprobe.d/fs.conf and add the following:
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install fat /bin/true
install vfat /bin/true
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install gfs2 /bin/true
install bnep /bin/true
install bluetooth /bin/true
install btusb /bin/true
install net-pf-31 /bin/true
install appletalk /bin/true
install rds /bin/true
install tipc /bin/true
disable USB mass storage
Chances are you do not want someone to be able to plug a USB stick into your server, so disable USB mass storage by default. It mostly matters on physical servers rather than VMs, but it does no harm to use it everywhere. Note that a blacklist line only stops the module from being autoloaded; the install line is what also blocks an explicit modprobe or a load as a dependency, so firewire-core below is disabled less thoroughly than usb-storage. Edit the file /etc/modprobe.d/usb.conf and add the following:
blacklist usb-storage
blacklist firewire-core
install usb-storage /bin/true
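As an added example (not from the original post), a small script that writes the install rules from the three sections above into a modprobe.d directory and then audits which of the listed modules are actually neutralised. It uses a temporary directory so it runs anywhere; the module list is the one above, and usb.conf is written exactly as shown so the audit can show the difference between a bare blacklist and an install rule.

```shell
#!/bin/sh
# Added example, not from the original post. Writes "install MOD /bin/true"
# rules for the modules disabled above into a modprobe.d directory and then
# audits that directory: an "install ... /bin/true" rule makes modprobe run
# /bin/true instead of loading the module, even on an explicit modprobe or
# as a dependency; a bare "blacklist" only stops alias-based autoloading.
# Uses a temp directory so it runs anywhere; on the real host point it at
# /etc/modprobe.d. The module list is the one from the sections above.
set -u

FS_MODULES="cramfs freevxfs jffs2 hfs hfsplus squashfs udf fat vfat cifs nfs nfsv3 nfsv4 gfs2 bnep bluetooth btusb net-pf-31 appletalk rds tipc"

# write_install_rules DIR FILE MOD...: one "install MOD /bin/true" line per module
write_install_rules() {
    out="$1/$2"; shift 2
    : > "$out"
    for mod in "$@"; do
        printf 'install %s /bin/true\n' "$mod" >> "$out"
    done
}

# module_disabled DIR MOD: true if some DIR/*.conf neutralises MOD with an install rule
module_disabled() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/(true|false)([[:space:]]|$)" "$1"/*.conf
}

# module_blacklisted DIR MOD: true if MOD has a blacklist line in DIR/*.conf
module_blacklisted() {
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+$2([[:space:]]|$)" "$1"/*.conf
}

# audit_modules DIR MOD...: one line per module that is not fully disabled;
# prints nothing when everything on the list is covered by an install rule.
audit_modules() {
    dir=$1; shift
    for mod in "$@"; do
        if module_disabled "$dir" "$mod"; then
            :
        elif module_blacklisted "$dir" "$mod"; then
            echo "WARN $mod: blacklisted only, still loads on explicit modprobe or as a dependency"
        else
            echo "MISSING $mod: no modprobe.d rule at all"
        fi
    done
}

MODPROBE_D=$(mktemp -d)
trap 'rm -rf "$MODPROBE_D"' EXIT

# The files the sections above create.
write_install_rules "$MODPROBE_D" dccp.conf dccp
write_install_rules "$MODPROBE_D" sctp.conf sctp
write_install_rules "$MODPROBE_D" fs.conf $FS_MODULES
# usb.conf exactly as written above, so the audit shows the blacklist-only gap.
printf 'blacklist usb-storage\nblacklist firewire-core\ninstall usb-storage /bin/true\n' > "$MODPROBE_D/usb.conf"

audit_modules "$MODPROBE_D" dccp sctp $FS_MODULES usb-storage firewire-core
# Only the firewire-core warning is printed for the files above.

# On a real host, confirm the kernel side too (not run here):
#   modprobe -n -v dccp                        # dry run; prints "install /bin/true" when the rule applies
#   lsmod | grep -E 'dccp|sctp|usb_storage'    # nothing should already be loaded
```

Rules in /etc/modprobe.d only affect future loads, so a module that is already loaded when you add the rule stays loaded until a reboot or an explicit rmmod; the lsmod check covers that case.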
network manager
CentOS 7 uses NetworkManager by default. If you want to save some resources and manage the interface through the classic network service instead, disable and remove it with:
systemctl stop NetworkManager wpa_supplicant
systemctl disable NetworkManager wpa_supplicant
yum remove NetworkManager wpa_supplicant
systemctl enable network
If you remove NetworkManager, set the following sysctl options so that services which bind to a specific address do not fail when they start before that address has been configured on the interface (this lets a process bind to an address the host does not currently hold, so it is a convenience, not a hardening step). Create the file /etc/sysctl.d/80-network.conf with the following content:
net.ipv4.ip_nonlocal_bind = 1
net.ipv6.ip_nonlocal_bind = 1
chrony
The old ntp daemon has been replaced by chrony, the default NTP client in CentOS 7, which recovers faster when a VM's clock jumps. Install and enable it with:
yum install -y chrony
systemctl enable chronyd
systemctl start chronyd
remove unused packages
If for some reason you accidentally installed 32-bit packages on a 64-bit system, remove them with:
yum remove '*.i686'
You may also want to remove these packages; most of them are unused on a plain web server. Read each package name and make sure it is not something you need (tcpdump and traceroute are handy for debugging, for instance), and check the transaction summary yum shows before confirming, because it will also remove anything that depends on them. The firmware files are useful on hardware servers that actually have the matching hardware, but on Linode VMs they are useless.
yum remove alsa-lib iwl1000-firmware iwl100-firmware iwl105-firmware iwl135-firmware iwl2000-firmware iwl2030-firmware iwl3160-firmware iwl3945-firmware iwl4965-firmware iwl5000-firmware iwl5150-firmware iwl6000-firmware iwl6000g2a-firmware iwl6000g2b-firmware iwl6050-firmware iwl7260-firmware iwl7265-firmware pciutils tcpdump traceroute dnsmasq gnutls trousers ntpdate rdma-core alsa-firmware alsa-tools-firmware aic94xx-firmware btrfs-progs ivtv-firmware ModemManager-glib python-backports ppp glib-networking libsoup
yum update and automatic updates
Make sure everything is up to date by running:
yum -y update
Alternatively, install the yum-cron package, which checks for and applies updates every day. Install with:
yum install yum-cron
Edit the file /etc/yum/yum-cron.conf and change the following line (the default is apply_updates = no, which only downloads the updates), then enable and start the yum-cron service with systemctl, which the package installation does not do for you:
apply_updates = yes
The above steps will prepare your server for production use. There are some steps missing, like the firewalld configuration, but that requires a post of its own.
Enjoy!
1 Reply
According to the CentOS forum, while you can remove the various unnecessary firmware packages, they'll be reinstalled when you update the kernel-firmware package.