Kevin Ashcraft

CentOS 7.4 Basic Configuration

After installing CentOS there are a few basic configurations to make to ensure you've got basic security and easy access. The first thing we'll do is add an add an admin user and update the system, and then lockdown ssh access with a few settings and a firewall, next we'll check on SELinux, check on the network, set the hostname and dns, and then add a login message of the day. There will also be some useful keyboard shortcuts and commands.

Add an Admin User

useradd $username -G $username wheel

You can add an admin user (a user with sudo access) by adding a user to the wheel group. To add a new user and add them to the wheel group, include the -G flag when you run adduser.

To add an existing user to the wheel group run usermod -a -G wheel $username.

The name of the privileged group can be set with thevisudo command, which saves the configuration (after it checks to make sure nothing is broken) to /etc/sudoers. Do not edit this file manually as it can break sudo and lock you out. The line you're looking for is %wheel ALL=(ALL:ALL) ALL, which grants the wheel group access to ALL.

Adding an admin user is an important security point to ensure your permissions are set from the beginning and you're not just going around and rooting into everything.

Update the System

yum update && yum install vim wget rsync

You can update the system by running yum update and you can install software packages with the yum install $packages command. Above we added the && between the two commands so one is ran after the other. You could also add the -y flag to automatically accept the questions and do everything at once.

Lockdown SSH Access

# space-separated list of user allowes to login
AllowUsers $usernames

# disable password authentication
PasswordAuthentication no
    

Two of the most important steps in securing SSH access are restricting which users are allowed to login and requiring those with access to use keyfiles. To only allow specific users to have SSH access add/edit the AllowUsers line with a list of users (separated by spaces). Requiring a keyfile to login is done by disabling PasswordAuthentication.

Add Firewall Rules

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  ## listen to only your ip address for ssh access
  <rule family="ipv4">
    <source address="$your_current_ip_address"/>
    <service name="ssh"/>
    <accept />
  </rule>

  ## add a port for a service
  # <service name="$service"/>
  ## add a port and protocol
  # <port port="$port" protocol="$protocol"/>
</zone>
    

The firewall (iptables) is configured with the firewalld service. It can be updated with the firewall-cmd command or via the zone files (like above).

systemctl start firewalld
systemctl enable firewalld
systemctl status firewalld
    

# temporarily add a port
firewall-cmd --add-port=80/tcp
# permanently add a port
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
    

FirewallD is just one of the many ways to configure iptables which controls the traffic rules. You can see all of the rules in effect by running iptables -L.

Check SELinux Status

getenforce
    

setenforce 1
## 0 to disable
# setenforce 0
    

## set to enforcing or permissive
SELINUX=enforcing
SELINUXTYPE=targeted
    

SELinux stands for Security Enhanced Linux and further locks down a system, restricting file and network access based on specific policies in addition to the standard filesystem permissions. You can check if SELinux is currently enforicing policies by running the getenforce command, and to temporarily enable/disable SELinux run setenforce 1/0. To make permanent changes edit the /etc/sysconfig/selinux file, setting SELINUX to enforcing or permissive.

SELinux is enabled by default on CentOS and is a good idea/challenge to keep it on, however just remember if you're encountering a permission problem, there's a good chance that SELinux is to blame.

Check Network Status

ip a

## turn onboot to yes to start the card on system boot
ONBOOT="yes"
## set bootproto to dhcp/static/none (for bridge)
BOOTPROTO=static
## set ip addresses if static
IPADDR=10.0.0.2
PREFIX=24
GATEWAY=10.0.0.1
DNS1=8.8.8.8
DNS2=8.8.4.4
## Assigns the device to a bridge
# BRIDGE=br0
    

DEVICE="br0"
TYPE=Bridge
DELAY=0
    

The network addresses can be found with the ip a command and the device settings can be edited in the /etc/sysconfig/network-scripts/ifcfg-$eth_device file.

Changing the BOOTPROTO to dhcp/static will control the address assignment.

Creating a ifcfg-br0 file with the above lines changed will create a bridge device (useful for kvm).

Set Hostname and DNS

hostname $hostname

$hostname

nameserver 8.8.8.8
nameserver 8.8.4.4
    

The system's hostname can be temporarily changed with the hostname command and permanently changed by editing the /etc/hostname file with the new name.

You can set the nameservers in the /etc/resolv.conf file.

Add a Message of the Day

  ____           _    ___  ____    _____
 / ___|___ _ __ | |_ / _ \/ ___|  |___  |
| |   / _ \ '_ \| __| | | \___ \     / /
| |__|  __/ | | | |_| |_| |___) |   / /
 \____\___|_| |_|\__|\___/|____/   /_/
    

If you want to see a message whenever you login add it to the /etc/motd file. This is a good place to add that timeless ascii art you've been saving.

Keyboard Shortcuts

ctrl+r

ctrl+shift+c and ctrl+shift+v

ctrl-l

ctrl-d

Useful Commands

w

wall

find . -iname '*$filename'

ps aux | grep $query

netstat -tulpn

cat $filename

head -n 50 $filename

tail -n 40 $filename