
RHEL/CentOS post-installation

Networking & NTP

Make sure you can reach your ISP’s DNS as well as NTP servers,

ping -c1 DNS1
ping -c1 DNS2
yum -y install nmap
nmap -Pn -p 53 DNS1
nmap -Pn -p 53 DNS2
nmap -sU -Pn -p 53 DNS1
nmap -sU -Pn -p 53 DNS2
nmap -sU -Pn -p 123 NTPSRV

Check the network conf & time sync,

vi /etc/hostname
vi /etc/hosts
#vi /etc/sysconfig/network
vi /etc/sysconfig/network-scripts/ifcfg-eth0
#vi /etc/resolv.conf
vi /etc/ntp.conf
systemctl restart ntpd
systemctl enable ntpd
ntpq -p

Note. it’s ok to use a short name in /etc/hostname as long as you define the FQDN in /etc/hosts in first position, e.g.,

x.x.x.x host.example.com host

In that case, hostname --short and hostname --long would both work. domainname however would not, since hostname or uname -n alone would print the short hostname (domainname evaluates the domain part of it).

Note. don’t forget to check the timezone setting,

ls -lhF /etc/localtime

Make sure SElinux is at least in permissive mode,

getenforce
vi /etc/sysconfig/selinux

SELINUX=permissive

setenforce 0
getenforce

Eventually enable SElinux “enforcing” at some point (no reboot needed if you’re in permissive mode).

Common finish-up

Make sure the system is up-to-date,

yum -y upgrade

Install a few handy packages (Docker host as well as CentOS containers),

yum -y install \
    bc \
    bind-utils \
    curl \
    dos2unix \
    elinks \
    git \
    lftp \
    mlocate \
    nmap \
    nmap-ncat \
    telnet \
    wget \
    whois

If you want mail on the host or container,

yum -y install \
    rsyslog postfix \
    mailx

For a real host only,

yum -y install \
    ksh \
    hdparm \
    mc \
    pciutils \
    rsync \
    screen \
    sudo

Update the file index,

updatedb

Install EPEL and a few more packages,

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum -y install pwgen pdsh

Set up the hostname,

vi /etc/hostname # short is fine
vi /etc/hosts # fqdn + short

Wheeled accounts & SSH

Make sure the wheel group exists (default),

grep ^wheel /etc/group

Set up wheeled accounts for the sysadmins,

usermod -a -G wheel root

user=WHEELED
grep "^$user:" /etc/passwd
grep "^$user:" /etc/group
useradd -m -g users -G wheel $user
passwd $user

su - $user
mkdir -p .ssh/
chmod 700 .ssh/
cd .ssh/
cat >> authorized_keys <<-EOF
YOUR PUBLIC KEY HERE
EOF
chmod 600 authorized_keys

Optionally authorize those wheeled users to become root with their own password (the commented-out line) or even directly without a password,

vi /etc/sudoers

#%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL

Secure your logs a little bit and allow %wheel to read them,

chown root:wheel /var/log/messages
chown root:wheel /var/log/maillog
chown -R root:wheel /var/log/httpd/
chmod 640 /var/log/messages
chmod 640 /var/log/maillog
chmod 750 /var/log/httpd/
chmod 640 /var/log/httpd/*

Secure SSH a little bit (keeping a fallback session open while you do so),

grep ^wheel /etc/group
cd /etc/ssh/
cp -pi sshd_config sshd_config.dist
vi sshd_config

AllowGroups wheel
PermitRootLogin without-password

service sshd restart

Then check the logs while verifying that you can still open another session without a password,

tail -F /var/log/secure
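As an added example (not part of the original notes), a small POSIX sh audit that re-checks the sshd_config, sudoers and log-permission settings from the steps above; the function names, the 640 root:wheel expectation and the use of GNU stat are assumptions, and every function takes a path so it can be run against copies of the files.

```shell
#!/bin/sh
# Added audit example (not from the original notes): verify the sshd, sudoers
# and log-permission settings from the steps above. Paths are arguments so it
# can run against copies of the files; audit() uses the real locations.

# Effective value of an sshd_config keyword: sshd uses the first match.
sshd_value() {  # $1=config file, $2=keyword
    awk -v k="$2" 'tolower($1)==tolower(k) { print $2; exit }' "$1"
}

# Only wheel members may log in; root only with a key, never with a password.
check_sshd() {  # $1=sshd_config path
    [ "$(sshd_value "$1" AllowGroups)" = "wheel" ] ||
        { echo "AllowGroups is not restricted to wheel"; return 1; }
    case "$(sshd_value "$1" PermitRootLogin)" in
        without-password|prohibit-password|no) ;;
        *) echo "PermitRootLogin permits password logins for root"; return 1 ;;
    esac
    echo ok
}

# Which of the two %wheel lines is active: "password", "nopasswd" or "none".
# A commented "#%wheel" line has "#%wheel" as its first field and is skipped.
wheel_sudo_mode() {  # $1=sudoers path
    awk '$1 == "%wheel" { m = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "password";
                          print m; f = 1; exit }
         END { if (!f) print "none" }' "$1"
}

# Mode and owner:group of a file must match, e.g. "640 root:wheel" (GNU stat).
check_perm() {  # $1=path, $2=expected "mode owner:group"
    actual=$(stat -c '%a %U:%G' "$1")
    [ "$actual" = "$2" ] || { echo "$1 is $actual, expected $2"; return 1; }
    echo ok
}

# Run everything against the real files (needs root to read sudoers).
audit() {
    rc=0
    check_sshd /etc/ssh/sshd_config || rc=1
    echo "wheel sudo mode: $(wheel_sudo_mode /etc/sudoers)"
    for f in /var/log/messages /var/log/maillog; do
        [ -e "$f" ] && { check_perm "$f" "640 root:wheel" || rc=1; }
    done
    return $rc
}
```

Source the file and call audit from a root shell on the host; a non-zero return means one of the settings above drifted.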

Tweak your environment

Setup GNU/Screen

Docker

Setting up Docker on various systems

