[TOP TIP] CentOS 7 - easy setup guide
CentOS is built around RPM packages, which tend not to change much over the years. That makes it one of the most stable and secure platforms, but you lose some newer features. There are alternative repositories for the latest and greatest, but that is not something we want on an internet-facing server.
Below is a quick setup guide to get you started with a new and clean CentOS 7 server:
By default, you get a custom Linode kernel, which is sufficient for most people. If you want to use SELinux then you need to boot the original CentOS kernel, since the Linode kernel does not provide it:
* Install the kernel and grub2 with: yum install kernel.x86_64 grub2
* Auto-configure grub2 with: grub2-mkconfig -o /boot/grub2/grub.cfg
* In the Linode Manager, edit the configuration profile, set "GRUB 2" as the boot kernel and reboot.
limit to 2 kernels only
Limit kernel installation to 2 kernel versions, so no space is wasted keeping very old kernels installed. Edit the file /etc/yum.conf and set the following parameter:
installonly_limit=2
Keep it at two rather than one: the previous kernel stays available as a fallback if a freshly installed one fails to boot.
Disable kdump, which is unnecessary for almost everyone (it reserves memory for a crash-dump kernel you will never use):
systemctl stop kdump
systemctl disable kdump
systemctl mask kdump
Set the FQDN (fully qualified domain name) of the server with the following command:
hostnamectl set-hostname beautiful.server.tld
By default, system emails are sent to the root user. Most of the time, we prefer to have them sent to a real email address. Edit the /etc/aliases file; at the bottom of the file you should see something like:
# Person who should get root's mail
#root: marc
Change "marc" to an email address and uncomment the line:
# Person who should get root's mail
root: firstname.lastname@example.org
Then run newaliases to rebuild the aliases database; the change has no effect until you do. Delivery to an external address also needs a working local MTA (postfix is the CentOS 7 default).
It is very important to set the timezone and keep the clock accurate: TLS certificate validation depends on the correct time (the checks are done in UTC, so a wrong clock matters even more than a wrong zone), and a wrong zone makes log timestamps misleading when you correlate events. Set the timezone with:
timedatectl set-timezone 'Europe/London'
If you REALLY know what you are doing, install the SELinux policy and tools with:
yum install selinux-policy selinux-policy-targeted policycoreutils-python
After installing, set SELINUX=enforcing (or permissive first, to collect denials) in /etc/selinux/config, touch /.autorelabel and reboot so the file system gets labelled.
You need to disable the network auto-configuration (Network Helper) feature in the Linode Manager, because it rewrites files such as /etc/resolv.conf with the wrong labels and causes AVC denials under SELinux. Run restorecon on the files it has modified. But as I mentioned, if you use SELinux then you know what you are doing.
The default settings of the ssh daemon are not secure enough. Modify the /etc/ssh/sshd_config file and make the following changes:
* Port XYZ (set to a high port number; the default 22 is hammered with brute-force attempts. This only cuts the log noise from automated scanners, key-only authentication below is what actually stops them)
* Protocol 2 (force the v2 protocol; already the default on CentOS 7's OpenSSH, so this is belt and braces)
* PermitRootLogin without-password (root may log in with a key only; newer OpenSSH spells this prohibit-password and still accepts without-password)
* MaxSessions 5 (limit sessions to 5 or whatever you prefer based on your needs)
* PermitEmptyPasswords no (obviously…)
* PasswordAuthentication no (disable passwords, only allow keys. Make sure your public key is in ~/.ssh/authorized_keys before restarting sshd, or you lock yourself out)
* ChallengeResponseAuthentication no (obviously…)
* X11Forwarding no (most servers don't use X11 anyway, it should never be enabled)
* UseDNS no (don't reverse-resolve the connecting client's address and match it against its forward record; it adds nothing to security and only slows down logins)
Check the syntax with sshd -t before restarting sshd, and keep your current session open until a fresh login on the new port works. You need to allow the new port through whatever firewall you are using. If you are using SELinux then you also need to allow sshd to bind the new port via semanage (the ssh_port_t port type), otherwise sshd refuses to start.
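The sshd changes above, as an added example script (not part of the original guide): it rewrites the settings in a config file idempotently, lets you read the effective value back, and only touches the live system, SELinux port label and firewalld when invoked with --apply as root. The port 2222 and the backup file name are choices made here, not from the guide.

```shell
#!/bin/sh
# Added example: apply the guide's sshd_config hardening in a repeatable way.
# Assumes CentOS 7 (GNU sed, /etc/ssh/sshd_config, firewalld, semanage).
set -eu

# set_sshd_option FILE KEY VALUE
# sshd_config uses "Key value" lines. Replace every active or commented-out
# occurrence of KEY (so no stale "PasswordAuthentication yes" survives), or
# append the line if the key is absent. Keys are matched case-insensitively,
# as sshd itself does.
set_sshd_option() {
    _f=$1; _k=$2; _v=$3
    if grep -Eqi "^[[:space:]]*#?[[:space:]]*${_k}([[:space:]]|$)" "$_f"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${_k}([[:space:]].*)?$|${_k} ${_v}|I" "$_f"
    else
        printf '%s %s\n' "$_k" "$_v" >> "$_f"
    fi
}

# get_sshd_option FILE KEY : print the value sshd would use (first active match)
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE PORT : the settings listed in the guide
harden_sshd() {
    _file=$1; _port=$2
    set_sshd_option "$_file" Port "$_port"
    set_sshd_option "$_file" Protocol 2
    set_sshd_option "$_file" PermitRootLogin without-password
    set_sshd_option "$_file" MaxSessions 5
    set_sshd_option "$_file" PermitEmptyPasswords no
    set_sshd_option "$_file" PasswordAuthentication no
    set_sshd_option "$_file" ChallengeResponseAuthentication no
    set_sshd_option "$_file" X11Forwarding no
    set_sshd_option "$_file" UseDNS no
}

# apply_live PORT : edit the real config, validate, label the port, open the
# firewall, restart. Keep your current SSH session open while you test.
apply_live() {
    _p=$1
    cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
    harden_sshd /etc/ssh/sshd_config "$_p"
    sshd -t                                   # syntax check; set -e aborts on failure
    if command -v semanage >/dev/null 2>&1; then
        # -a fails if the port already has a label; -m then changes it
        semanage port -a -t ssh_port_t -p tcp "$_p" || semanage port -m -t ssh_port_t -p tcp "$_p"
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="${_p}/tcp" && firewall-cmd --reload
    fi
    systemctl restart sshd
}

case "${1:-}" in
    --apply) apply_live "${2:-2222}" ;;   # e.g.  sh harden-sshd.sh --apply 2222
esac
```

Note that the replacement is global over the file: if your sshd_config has Match blocks that deliberately override one of these keys for a specific user or address, review them after running the script.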
Various garbage like avahi has no place on a server; disable and remove it if it is installed:
systemctl stop avahi-daemon.socket avahi-daemon.service
systemctl disable avahi-daemon.socket avahi-daemon.service
rpm -e avahi
disable vulnerable kernel modules
DCCP and SCTP are rarely used network protocols whose kernel modules have had a history of security issues, and an unprivileged process can get the kernel to load them simply by opening a socket of that type. Disable them with:
echo "install dccp /bin/true" > /etc/modprobe.d/dccp.conf
echo "install sctp /bin/true" > /etc/modprobe.d/sctp.conf
An "install <module> /bin/true" line makes modprobe run /bin/true instead of loading the module, so load attempts fail silently. It does not unload a module that is already loaded; check lsmod and reboot or rmmod if needed.
disable unused file systems
In most cases, you don't need uncommon or remote file systems, nor the Bluetooth, AppleTalk, RDS and TIPC protocol modules, so disable them. If you need one or more, leave those lines out. Note that vfat is required on UEFI machines to mount the EFI system partition (/boot/efi), so keep fat/vfat on such hosts. Edit the file /etc/modprobe.d/fs.conf and add the following:
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install fat /bin/true
install vfat /bin/true
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install gfs2 /bin/true
install bnep /bin/true
install bluetooth /bin/true
install btusb /bin/true
install net-pf-31 /bin/true
install appletalk /bin/true
install rds /bin/true
install tipc /bin/true
disable USB mass storage
Chances are, you don't want someone to be able to plug a USB stick into your server, so we disable this kind of storage by default. It's mostly useful for physical servers rather than VMs, but it doesn't hurt to apply it everywhere. Edit the file /etc/modprobe.d/usb.conf and add the following (blacklist only stops automatic loading via device aliases; the install line is what also blocks an explicit modprobe):
blacklist usb-storage
blacklist firewire-core
install usb-storage /bin/true
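The three modprobe.d sections above (the DCCP/SCTP modules, the file system and protocol list, and USB storage) all rely on the same mechanism, so here is one added example script (not from the original guide) that writes the overrides idempotently, checks whether a module is blocked by any file under the modprobe.d directory, and warns when a module is already loaded (an install override does not unload it). MODPROBE_D defaults to /etc/modprobe.d; overriding it with a scratch directory, and the --apply switch and file names, are choices made here.

```shell
#!/bin/sh
# Added example: manage "install <module> /bin/true" overrides and verify them.
set -eu

MODPROBE_D=${MODPROBE_D:-/etc/modprobe.d}   # override for testing against a scratch dir

# module_disabled MODULE : true if any *.conf under MODPROBE_D routes the load to /bin/true or /bin/false
module_disabled() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/bin/(true|false)[[:space:]]*$" "$MODPROBE_D"/*.conf
}

# module_loaded MODULE : true if the module is currently in the kernel.
# /proc/modules spells names with underscores, so normalise "usb-storage" first.
module_loaded() {
    _m=$(printf '%s' "$1" | sed 's/-/_/g')
    [ -r /proc/modules ] && awk -v m="$_m" '$1 == m { found = 1 } END { exit !found }' /proc/modules
}

# disable_modules CONF_NAME MODULE... : append one install line per module to
# MODPROBE_D/CONF_NAME, skipping modules some file already disables.
disable_modules() {
    _conf="$MODPROBE_D/$1"; shift
    for _mod in "$@"; do
        if module_disabled "$_mod"; then
            continue
        fi
        printf 'install %s /bin/true\n' "$_mod" >> "$_conf"
    done
}

# apply_guide : the lists from the guide. Drop fat/vfat on UEFI hosts (needed for /boot/efi).
apply_guide() {
    disable_modules dccp.conf dccp
    disable_modules sctp.conf sctp
    disable_modules fs.conf cramfs freevxfs jffs2 hfs hfsplus squashfs udf fat vfat \
                            cifs nfs nfsv3 nfsv4 gfs2
    disable_modules fs.conf bnep bluetooth btusb net-pf-31 appletalk rds tipc
    disable_modules usb.conf usb-storage
    for _mod in dccp sctp usb-storage; do
        if module_loaded "$_mod"; then
            echo "warning: $_mod is already loaded; run 'modprobe -r $_mod' or reboot" >&2
        fi
    done
}

case "${1:-}" in
    --apply) apply_guide ;;        # e.g.  sh disable-modules.sh --apply   (as root)
esac
```

After applying, modprobe -n -v dccp (dry run) should print "install /bin/true" rather than an insmod line, which is the quickest way to confirm the override is picked up.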
By default, NetworkManager is used by CentOS 7. If you want to save some resources, you can disable and remove it and fall back to the classic network service. Make sure the ifcfg file for your interface under /etc/sysconfig/network-scripts/ exists and is correct first, or you lose connectivity on the next reboot:
systemctl stop NetworkManager wpa_supplicant
systemctl disable NetworkManager wpa_supplicant
yum remove NetworkManager wpa_supplicant
systemctl enable network
If you remove NetworkManager, then set the following sysctl options so services can bind to their addresses (ip_nonlocal_bind allows a bind to an address that is not yet configured on an interface). Create the file /etc/sysctl.d/80-network.conf with the following content and load it with sysctl --system:
net.ipv4.ip_nonlocal_bind = 1
net.ipv6.ip_nonlocal_bind = 1
The old and deprecated ntp has been replaced by the improved chrony; install and enable it with:
yum install -y chrony
systemctl enable chronyd
systemctl start chronyd
remove unused packages
If for some reason you have ended up with 32-bit packages on a 64-bit system, you can remove them with:
yum remove '*.i686'
You may also want to remove these packages; they are mostly unused on plain web servers. Read each package name and make sure it is not something you need (tcpdump and traceroute, for instance, are handy when troubleshooting or investigating an incident), and check the transaction summary yum prints before confirming, because removing a package also removes everything that depends on it. The firmware files are useful on hardware servers that actually have the related hardware, but on Linode VMs they are useless.
yum remove alsa-lib iwl1000-firmware iwl100-firmware iwl105-firmware iwl135-firmware iwl2000-firmware iwl2030-firmware iwl3160-firmware iwl3945-firmware iwl4965-firmware iwl5000-firmware iwl5150-firmware iwl6000-firmware iwl6000g2a-firmware iwl6000g2b-firmware iwl6050-firmware iwl7260-firmware iwl7265-firmware pciutils tcpdump traceroute dnsmasq gnutls trousers ntpdate rdma-core alsa-firmware alsa-tools-firmware aic94xx-firmware btrfs-progs ivtv-firmware ModemManager-glib python-backports ppp glib-networking libsoup
yum update and automatic updates
Make sure everything is updated by manually running:
yum -y update
Alternatively, you may install the yum-cron package, which checks for updates every day. Install it with:
yum install yum-cron
Edit the file /etc/yum/yum-cron.conf and change the following line (by default yum-cron only downloads updates and sends a notification, it does not apply them):
apply_updates = yes
Then enable and start the service (systemctl enable yum-cron, systemctl start yum-cron); the daily cron job only runs while the service is marked as started.
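An added example (not from the original guide) that makes the yum-cron change repeatable and verifiable: it rewrites "key = value" lines in the config, reads the effective values back, and on --apply installs and enables the service. Setting update_cmd to security (install only updates that carry a security advisory) is a choice made here; the guide's default of applying all updates corresponds to update_cmd = default.

```shell
#!/bin/sh
# Added example: configure yum-cron so updates are applied, not only downloaded.
# Assumes CentOS 7's yum-cron and its /etc/yum/yum-cron.conf format.
set -eu

# set_yum_cron_option FILE KEY VALUE : rewrite an existing "key = value" line or append one
set_yum_cron_option() {
    if grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i -E "s|^[[:space:]]*$2[[:space:]]*=.*$|$2 = $3|" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# get_yum_cron_option FILE KEY : print the configured value (first match, trimmed)
get_yum_cron_option() {
    sed -n -E "/^[[:space:]]*$2[[:space:]]*=/{s|^[^=]*=[[:space:]]*||;s|[[:space:]]+$||;p;q;}" "$1"
}

# configure_yum_cron FILE : the weak default (apply_updates = no) becomes the hardened one
configure_yum_cron() {
    set_yum_cron_option "$1" update_cmd security      # choice: security advisories only
    set_yum_cron_option "$1" download_updates yes
    set_yum_cron_option "$1" apply_updates yes
}

case "${1:-}" in
    --apply)                                           # e.g.  sh yum-cron.sh --apply   (as root)
        yum install -y yum-cron
        configure_yum_cron /etc/yum/yum-cron.conf
        systemctl enable yum-cron
        systemctl start yum-cron
        ;;
esac
```

After the first daily run, /var/log/yum.log shows what was installed, which is worth a glance if a service misbehaves after an unattended update.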
The above steps will prepare your server for production use. There are some steps missing, like the firewalld configuration, but that requires a post of its own.
According to the CentOS forum, while you can remove the various unnecessary firmware packages, they'll be reinstalled when you update the kernel-firmware package.