Kevin Ashcraft
Linux & Radio Tutorials
CentOS 7.4 Basic Configuration
After installing CentOS there are a few basic configurations to make to ensure you've got basic security and easy access. The first thing we'll do is add an add an admin user and update the system, and then lockdown ssh access with a few settings and a firewall, next we'll check on SELinux, check on the network, set the hostname and dns, and then add a login message of the day. There will also be some useful keyboard shortcuts and commands.
Configuration Steps
Bonus Steps
Useful Notes
use sudo
to run commands as root
Add an Admin User
useradd $username -G $username wheel
You can add an admin user (a user with sudo access) by adding a user to the wheel group. To add a new user and add them to the wheel group, include the -G flag when you run adduser.
To add an existing user to the wheel group run usermod -a -G wheel $username.
The name of the privileged group can be set with thevisudo command, which saves the configuration (after it checks to make sure nothing is broken) to /etc/sudoers. Do not edit this file manually as it can break sudo and lock you out. The line you're looking for is %wheel ALL=(ALL:ALL) ALL, which grants the wheel group access to ALL.
Adding an admin user is an important security point to ensure your permissions are set from the beginning and you're not just going around and rooting into everything.
Update the System
yum update && yum install vim wget rsync
You can update the system by running yum update and you can install software packages with the yum install $packages command. Above we added the && between the two commands so one is ran after the other. You could also add the -y flag to automatically accept the questions and do everything at once.
Lockdown SSH Access
/etc/ssh/sshd_config
Find and update or add these lines
# space-separated list of user allowes to login AllowUsers $usernames # disable password authentication PasswordAuthentication no
Two of the most important steps in securing SSH access are restricting which users are allowed to login and requiring those with access to use keyfiles. To only allow specific users to have SSH access add/edit the AllowUsers line with a list of users (separated by spaces). Requiring a keyfile to login is done by disabling PasswordAuthentication.
Add Firewall Rules
/etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?> <zone> <short>Public</short> ## listen to only your ip address for ssh access <rule family="ipv4"> <source address="$your_current_ip_address"/> <service name="ssh"/> <accept /> </rule> ## add a port for a service # <service name="$service"/> ## add a port and protocol # <port port="$port" protocol="$protocol"/> </zone>
The firewall (iptables) is configured with the firewalld service. It can be updated with the firewall-cmd command or via the zone files (like above).
start, enable, and check the status of the firewall
systemctl start firewalld systemctl enable firewalld systemctl status firewalld
open a port in the firewall
# temporarily add a port firewall-cmd --add-port=80/tcp # permanently add a port firewall-cmd --add-service=http --permanent firewall-cmd --reload
FirewallD is just one of the many ways to configure iptables which controls the traffic rules. You can see all of the rules in effect by running iptables -L.
Check SELinux Status
check if SELinux is enforcing
getenforce
start/stop SELinux enforcement
setenforce 1 ## 0 to disable # setenforce 0
/etc/sysconfig/selinux
## set to enforcing or permissive
SELINUX=enforcing
SELINUXTYPE=targeted
SELinux stands for Security Enhanced Linux and further locks down a system, restricting file and network access based on specific policies in addition to the standard filesystem permissions. You can check if SELinux is currently enforicing policies by running the getenforce command, and to temporarily enable/disable SELinux run setenforce 1/0. To make permanent changes edit the /etc/sysconfig/selinux file, setting SELINUX to enforcing or permissive.
SELinux is enabled by default on CentOS and is a good idea/challenge to keep it on, however just remember if you're encountering a permission problem, there's a good chance that SELinux is to blame.
Check Network Status
display network addresses
ip a
/etc/sysconfig/network-scripts/ifcfg-$eth_device
## turn onboot to yes to start the card on system boot ONBOOT="yes" ## set bootproto to dhcp/static/none (for bridge) BOOTPROTO=static ## set ip addresses if static IPADDR=10.0.0.2 PREFIX=24 GATEWAY=10.0.0.1 DNS1=8.8.8.8 DNS2=8.8.4.4 ## Assigns the device to a bridge # BRIDGE=br0
for a bridge device
DEVICE="br0" TYPE=Bridge DELAY=0
The network addresses can be found with the ip a command and the device settings can be edited in the /etc/sysconfig/network-scripts/ifcfg-$eth_device
file.
Changing the BOOTPROTO to dhcp/static will control the address assignment.
Creating a ifcfg-br0 file with the above lines changed will create a bridge device (useful for kvm).
Set Hostname and DNS
set the hostname (until next boot)
hostname $hostname
/etc/hostname
$hostname
/etc/resolv.conf
nameserver 8.8.8.8 nameserver 8.8.4.4
The system's hostname can be temporarily changed with the hostname command and permanently changed by editing the /etc/hostname
file with the new name.
You can set the nameservers in the /etc/resolv.conf
file.
Add a Message of the Day
vim /etc/motd
____ _ ___ ____ _____ / ___|___ _ __ | |_ / _ \/ ___| |___ | | | / _ \ '_ \| __| | | \___ \ / / | |__| __/ | | | |_| |_| |___) | / / \____\___|_| |_|\__|\___/|____/ /_/
If you want to see a message whenever you login add it to the /etc/motd
file. This is a good place to add that timeless ascii art you've been saving.
Keyboard Shortcuts
search command history
ctrl+r
copy/paste in a gui terminal
ctrl+shift+c and ctrl+shift+v
clear the screen
ctrl-l
logout
ctrl-d
Useful Commands
show who all is logged in
w
send a command-line message to all logged-in users
wall
find a file
find . -iname '*$filename'
show all running processes and search output
ps aux | grep $query
list currently active service ports
netstat -tulpn
display the contents of a file
cat $filename
display the first 50 lines of a file
head -n 50 $filename
display the last 40 lines of a file
tail -n 40 $filename