Networking & NTP

Make sure you can reach your ISP's DNS as well as NTP servers,

ping -c1 DNS1
ping -c1 DNS2
yum -y install nmap
nmap -Pn -p 53 DNS1
nmap -Pn -p 53 DNS2
nmap -sU -Pn -p 53 DNS1
nmap -sU -Pn -p 53 DNS2
nmap -sU -Pn -p 123 NTPSRV

Set up the hostname,

vi /etc/hostname # short is fine
vi /etc/hosts # fqdn + short

Note: it's OK to use the short name in /etc/hostname as long as you put the FQDN in /etc/hosts in first position (before the short name). In that case, hostname --short and hostname --long both work. domainname, however, would not, since hostname or uname -n alone prints the short hostname (domainname evaluates the domain part of it).

Check the network conf & time sync,

#vi /etc/sysconfig/network
vi /etc/sysconfig/network-scripts/ifcfg-eth0
#vi /etc/resolv.conf
# ntpd comes from the ntp package (not installed by default on CentOS 7)
cp -pi /etc/ntp.conf /etc/ntp.conf.dist
vi /etc/ntp.conf
systemctl restart ntpd
systemctl enable ntpd
ntpq -p
hwclock --systohc

Note. don't forget to check the timezone setting,

ls -lhF /etc/localtime

Make sure SELinux is at least in permissive mode,

getenforce
vi /etc/sysconfig/selinux

SELINUX=permissive

setenforce 0
getenforce

Eventually switch SELinux to "enforcing" (no reboot is needed when going from permissive to enforcing).

Common finish-up

Make sure the system is up-to-date,

yum -y upgrade

Install a few handy packages (on a Docker host as well as in CentOS containers),

yum -y install \
    bc \
    bind-utils \
    curl \
    dos2unix \
    elinks \
    git \
    lftp \
    mlocate \
    nmap \
    nmap-ncat \
    telnet \
    wget \
    whois

If you want mail on the host or container,

yum -y install \
    rsyslog postfix \
    mailx

For a real host only,

yum -y install \
    ksh \
    hdparm \
    mc \
    pciutils \
    rsync \
    screen \
    sudo

Update the file index,

updatedb

Install EPEL and a few more packages,

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum -y install pwgen

Wheeled accounts & SSH

Make sure the wheel group exists (default),

grep ^wheel /etc/group

Set up wheeled accounts for the sysadmins,

usermod -a -G wheel root

user=WHEELED
grep ^$user /etc/passwd
grep ^$user /etc/group
useradd -m -g users -G wheel $user
#usermod -a -G wheel $user
passwd $user

su - $user
ssh-keygen -t ecdsa
ssh-keygen -t ed25519
#mkdir -p .ssh/
#chmod 700 .ssh/
vi ~/.ssh/authorized_keys

YOUR REMOTE PUBLIC KEY HERE

chmod 600 ~/.ssh/authorized_keys
^D

Eventually, authorize those wheeled users to become root with their own password (the commented-out line) or even directly without any password,

cp -pi /etc/sudoers /etc/sudoers.dist
vi /etc/sudoers
#/wheel

#%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL

Secure your logs a little bit and allow %wheel to read them,

#default is root.root -rw-------
chown root:wheel /var/log/messages
chmod g+r /var/log/messages

#default is root.root -rw-------
chown root:wheel /var/log/maillog
chmod g+r /var/log/maillog

Secure SSH a little bit (and eventually enable a failover),

grep ^wheel /etc/group
cd /etc/ssh/
cp -pi sshd_config sshd_config.dist
vi sshd_config

Port 2222
AllowGroups wheel
PermitRootLogin without-password
PasswordAuthentication no

systemctl restart sshd
tail -F /var/log/secure &

Keep your session open until you have validated that you can log in again. Remember that a non-default port has to be allowed in the firewall and, once SELinux is enforcing, labelled as an SSH port (ssh_port_t), otherwise sshd will fail to bind to it.
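The sudoers and sshd_config edits above are easy to get subtly wrong: sshd honours the first occurrence of a global keyword (and anything after a Match line is conditional), while sudoers honours the last matching entry. The audit script below is an added example, not part of the original notes; it checks both files against the values set above, and the sample config it feeds itself is constructed.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit an sshd_config and a sudoers
# file for the hardening set above. sshd takes the FIRST occurrence of a global keyword
# and everything after a "Match" line is conditional; sudoers takes the LAST match.

# sshd_get FILE KEYWORD: print the effective global value of KEYWORD (case-insensitive).
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }             # conditional block starts: stop
        /^[ \t]*#/ || NF < 2    { next }            # comment or blank line
        tolower($1) == key      { print $2; exit }  # first occurrence wins
    ' "$1"
}

# sshd_audit FILE: print "KEYWORD: got X, want Y" per deviation from the values in
# these notes and return 1 if any. An unset keyword is a deviation too, because the
# sshd default (Port 22, PasswordAuthentication yes, ...) then applies.
sshd_audit() {
    rc=0
    for pair in Port=2222 AllowGroups=wheel PermitRootLogin=without-password PasswordAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_get "$1" "$key")
        # newer OpenSSH spells without-password as prohibit-password; treat as equal
        case "$key:$got" in PermitRootLogin:prohibit-password) got=without-password ;; esac
        if [ "$got" != "$want" ]; then
            echo "$key: got '${got:-<unset>}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# sudoers_wheel FILE: how %wheel may become root: "nopasswd", "passwd" or "none".
sudoers_wheel() {
    awk '/^[ \t]*%wheel[ \t]/ { m = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "passwd" }
         END { print (m == "" ? "none" : m) }' "$1"
}

# Constructed sample: Port is commented out and PasswordAuthentication only set inside
# a Match block, so the audit must flag both (and accept prohibit-password).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 2222
AllowGroups wheel
PermitRootLogin prohibit-password
Match User backup
    PasswordAuthentication no
EOF
sshd_audit "$sample" && echo "sshd_config OK"; rm -f "$sample"
```

On a real box, run sshd_audit /etc/ssh/sshd_config and sudoers_wheel /etc/sudoers after the edits and before closing your session.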
