[TOP TIP] CentOS 7 - easy setup guide

There are many many many Linux distributions available and Linode supports most major ones. While everyone is free to choose whatever he or she likes, I think I can offer some suggestions. Mainly: choose CentOS for your internet server. It is a highly controlled distribution that gives long term support, backed by RedHat's RHEL, and it tends to be the "boring, secure & stable" distro in the Linux world. When you run an internet server, boring, secure and stable is exactly what you should be looking for.

CentOS is built around RPM packages, which tend to not change very much over the years, making it one of the most stable and secure platforms, but at the same time you lose some new features. There are alternative repositories to install the latest and greatest, but that is not something we want on an internet server.

Below is a quick setup guide to get you started with a new and clean CentOS 7 server:

kernel

By default, you will get a custom Linode kernel which should be sufficient for most people. If you want to use SELinux security extensions and features then you need to install the original CentOS kernel.

* Install the kernel and grub2 with: yum install kernel.x86_64 grub2
* Auto-configure grub2 with: grub2-mkconfig -o /boot/grub2/grub.cfg
* In the Linode Manager, edit the dashboard profile and set "GRUB 2" as the boot kernel.
* Reboot

limit to 2 kernels only

Limit kernel installation to 2 kernel versions only, so there is no wasted space keeping very old kernels installed. Edit the file /etc/yum.conf and set the following parameter:

installonly_limit=2

kdump

Disable kdump, which is unnecessary for almost everyone.

systemctl stop kdump
systemctl disable kdump
systemctl mask kdump

hostname

Set the FQDN (fully qualified domain name) of the server via the following command:

hostnamectl set-hostname beautiful.server.tld

system emails

By default, system emails are sent to the root user. Most of the time, we prefer to have them sent to a real email address. Edit the /etc/aliases file; at the bottom of the file you should see something like:

# Person who should get root's mail
#root:        marc

Change "marc" to an email address and uncomment the whole line:

# Person who should get root's mail
root:        admin@example.tld

timezone

It is very important to set the timezone, a lot of security features depend on the correct date/time/zone (like TLS certificates). Set the timezone with:

timedatectl set-timezone 'Europe/London'

SELinux

If you REALLY know what you are doing, install and enable SELinux with:

yum install selinux-policy selinux-policy-targeted policycoreutils-python

You need to disable the network auto-configuration feature from the Linode Manager, because that will cause avc errors with SELinux. You will also need to restorecon files like /etc/resolv.conf which have been modified by the Linode Manager. But as I mentioned, if you use SELinux then you know what you are doing.

sshd

The default settings of the ssh daemon are not secure enough. You should modify the /etc/sshd_config file and make the following changes:

* Port XYZ (set to a high port number, the default 22 is getting hammered with brute force attacks)
* Protocol 2 (force v2 protocol)
* PermitRootLogin without-password (permit root to login via a secure key only)
* MaxSessions 5 (limit sessions to 5 or whatever you prefer based on your needs)
* PermitEmptyPasswords no (obviously…)
* PasswordAuthentication no (disable passwords, only allow secure keys)
* ChallengeResponseAuthentication no (obviously…)
* X11Forwarding no (most servers don't use X11 anyway, it should never be enabled)
* UseDNS no (looks up the connecting client and matches the IP with a hostname; now disabled!)

You need to allow the new Port number via whatever firewall you are using. If you are using SELinux then you also need to allow sshd to bind and use the new port via semanage.

avahi

Various garbage like avahi needs to stay out of the server; disable and remove it if it has been reinstalled.

systemctl stop avahi-daemon.socket avahi-daemon.service
systemctl disable avahi-daemon.socket avahi-daemon.service
rpm -e avahi

disable vulnerable kernel modules

These two modules have (had?) various security issues, so disable them with:

echo "install dccp /bin/true" > /etc/modprobe.d/dccp.conf
echo "install sctp /bin/true" > /etc/modprobe.d/sctp.conf

disable unused file systems

In most cases, you don't need to mount remote file systems, so disable them. If you need one or more then just comment them out. Edit the file /etc/modprobe.d/fs.conf and add the following:

install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install fat /bin/true
install vfat /bin/true
install cifs /bin/true
install nfs /bin/true
install nfsv3 /bin/true
install nfsv4 /bin/true
install gfs2 /bin/true
install bnep /bin/true
install bluetooth /bin/true
install btusb /bin/true
install net-pf-31 /bin/true
install appletalk /bin/true
install rds /bin/true
install tipc /bin/true

disable USB mass storage

Chances are, you don't want someone to be able to plug a USB stick into your server, so we disable this kind of storage by default. It's mostly useful for real servers and not VMs, but it doesn't hurt to use it by default on everything. Edit the file /etc/modprobe.d/usb.conf and add the following:

blacklist usb-storage
blacklist firewire-core
install usb-storage /bin/true

network manager

By default, Network Manager is used by CentOS 7. If you want to save some resources, then you can disable and remove it with:

systemctl stop NetworkManager wpa_supplicant
systemctl disable NetworkManager wpa_supplicant
yum remove NetworkManager wpa_supplicant
systemctl enable network

If you remove Network Manager, then you need to set the following sysctl options for services to bind to their sockets. Create the file /etc/sysctl.d/80-network.conf with the following content:

net.ipv4.ip_nonlocal_bind = 1
net.ipv6.ip_nonlocal_bind = 1

chrony

The old and deprecated ntp has been replaced by the improved chrony; install and enable it with:

yum install -y chrony
systemctl enable chronyd
systemctl start chronyd

remove unused packages

If for some reason you managed to install 32-bit packages on a 64-bit system by accident, then you may remove them with:

yum remove '*.i686'

You may also want to remove these packages; they are mostly unused on plain web servers. Read each package and make sure it is not something that you need. The firmware files are useful on hardware servers that actually have related hardware that needs a firmware to work, but for Linode VMs they are useless.

yum remove alsa-lib iwl1000-firmware iwl100-firmware iwl105-firmware iwl135-firmware iwl2000-firmware iwl2030-firmware iwl3160-firmware iwl3945-firmware iwl4965-firmware iwl5000-firmware iwl5150-firmware iwl6000-firmware iwl6000g2a-firmware iwl6000g2b-firmware iwl6050-firmware iwl7260-firmware iwl7265-firmware pciutils tcpdump traceroute dnsmasq gnutls trousers ntpdate rdma-core alsa-firmware alsa-tools-firmware aic94xx-firmware btrfs-progs ivtv-firmware ModemManager-glib python-backports ppp glib-networking libsoup

yum update and automatic updates

Make sure everything is updated by manually running:

yum -y update

Alternatively, you may install the yum-cron package, which updates the system automatically every day. Install with:

yum install yum-cron

Edit the file /etc/yum/yum-cron.conf and change the following line:

apply_updates = yes

The above steps will prepare your server for production use. There are some steps missing, like the firewalld configuration, but that requires a post of its own.

Enjoy!
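To check a server against the sshd settings listed in the post, here is an added example (not from the original post or from Linode): a POSIX shell audit that reads an sshd_config text and reports each directive that is unset or differs from the recommended value. It assumes a plain keyword/value file without Match blocks and treats any Port other than 22 as acceptable.

```shell
# Added example, not part of the original post: audit sshd_config text
# against the hardening values listed above. Assumes a plain "Keyword
# value" file; the scan stops at the first Match block, since sshd uses
# the first occurrence of a keyword as the effective value.

# Keyword/value pairs the post recommends (Port is checked separately).
SSHD_EXPECTED='Protocol 2
PermitRootLogin without-password
MaxSessions 5
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
X11Forwarding no
UseDNS no'

# sshd_effective CONFIG_TEXT KEYWORD -> first uncommented value, or empty.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2  { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }'
}
# audit_sshd_config CONFIG_TEXT -> prints one line per deviation and
# returns 1 if any were found, 0 if the text matches the list.
audit_sshd_config() {
    cfg=$1
    bad=0
    port=$(sshd_effective "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port: still on the default 22, move it to a high port"
        bad=1
    fi
    while read -r key want; do
        have=$(sshd_effective "$cfg" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key: have '${have:-<unset>}', want '$want'"
            bad=1
        fi
    done <<EOF
$SSHD_EXPECTED
EOF
    return $bad
}

# Constructed samples: a stock-looking file, and one with the changes applied.
SAMPLE_DEFAULT='#Port 22
PermitRootLogin yes
PasswordAuthentication yes'
SAMPLE_HARDENED="Port 2222
$SSHD_EXPECTED"
```

On a real box run it as audit_sshd_config "$(cat /etc/ssh/sshd_config)" and fix every line it prints.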

1 Reply

According to the CentOS forum, while you can remove the various unnecessary firmware packages, they'll be reinstalled when you update the kernel-firmware package.

https://www.centos.org/forums/viewtopic.php?t=1208
