Server Setup

CentOS 7 Server Setup

by , , revisited on


We have by far the largest RPM repository with dynamic stable NGINX modules and VMODs for Varnish 4.1 and 6.0 LTS. If you want to install NGINX, Varnish, and lots of useful modules for them, this is your one-stop repository to get all performance-related software.
You have to maintain an active subscription in order to be able to use the repository!

Note for beginners

This guide is easy to follow by copy pasting commands and hitting Enter. If you are unsure on how to edit configuration files, install nano command line editor first by SSH command: yum -y install nano. You can edit files by issuing command nano followed by configuration file name. Navigate text by arrow keys and hit Ctrl + X followed by Y and Enter to save.

Prerequisites

You need to have a VPS, or virtual machine, or a dedicated server with CentOS 7 minimal image installed. Have a look at the list of our recommended VPS hosts, in case you’re still looking for a good VPS plan with CentOS 7.

Hostname

First things first. Setting the hostname is the very first thing that needs to be done on a Linux server.

Select meaningful hostname

  • Contains keyword specifying main server function, i.e. db, or web
  • Hostname is a FQDN, i.e. web.example.com
  • It is not a FQDN where you host any website of yours. It should not equal to www.example.com or example.com

Assuming we have decided on web.example.com as the hostname, set the hostname with:

hostnamectl set-hostname web.example.com

Basic security

Create a sudo user

It is a good practice to have a user other from root. So we are going to create centos user who will able to run administrative commands by prepending sudo keyword in front of them:

useradd centos && passwd centos
usermod -aG wheel centos 

After this, attempt to establish SSH connection under the centos user. Once connected, verify that you are capable of gaining root privileges via su (“turns” you into a root), or sudo whoami (prepend sudo prior to running any command to run it under root user).

Following this, you can harden your SSH configuration by disallowing direct root SSH login.

In /etc/ssh/sshd_config set PermitRootLogin no, then run systemctl restart sshd.

Virus scanner?

For those super crazy about viruses, even on Linux, here is an excellent tutorial for you.

Enable The Firewall

CentOS 7 comes with different firewall software than CentOS 6.5 – firewalld. Iptables can still be used, but let’s follow up with what is provided by default (which is always better when it comes to security related software alternatives).

For easier storage of firewall rules related to many IP addresses, we need ipset command line tool. It will interact with IP Sets functionality of Linux kernel.

yum -y install ipset

Usually, we have a single IP address on a server. It is the IP address which hosts our websites. Firewalld comes with the concept of zones. Let’s enable the firewall to start automatically, run it immediately and configure our IP address to be part of public zone.

systemctl enable firewalld
systemctl start firewalld
firewall-cmd --zone=public --change-interface=eth0
firewall-cmd --permanent --zone=public --add-service=http # Enable access to HTTP
firewall-cmd --reload # Applies changes immediately

To check firewall run status, issue systemctl status firewalld command.

Install the convenience Linux tools

The file editor

The default file viewer and editor of choice in Linux is vim. However, it is quite complex to master. And since you’re reading this tutorial, you likely want something easy, like the nano editor.

The downloader

You will often want to download stuff to your Linux machine, whether it’s some software packages or data files. You can get around with curl which is pre-installed by default, but wget will be somewhat easier to work with:

So to install these tools, run:

yum -y install wget nano

We can tell the operating system, what is our file editor of choice:

cat <>/etc/profile.d/nano.sh
export VISUAL="nano"
export EDITOR="nano"
EOF

Fail2ban

Fail2ban protects your server by blocking malicious users who try to brute-force it.

sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
sudo yum -y install fail2ban 

Make a copy of configuration template. Fail2ban expects you to always use jail.local and not jail.conf:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Add SSH-related configuration to our jail.local file (at the end of the file):

[ssh]

enabled  = true
filter   = sshd
action   = firewallcmd-ipset
logpath  = /var/log/secure
maxretry = 3
bantime = 7200

Next, add custom settings to ban action. This will make sure that it matches ban time in jail definition:

cat << _EOF_ > /etc/fail2ban/action.d/firewallcmd-ipset.local
[Init]
bantime = 7200
_EOF_

Copy source supplied system unit file so that we can manage fail2ban service using systemctl:

cp /usr/local/src/fail2ban-0.8.14/files/fail2ban.service /usr/lib/systemd/system/

Next, we need to configure directory /var/run/fail2ban to be automatically created each time server boots. This is done by making use of tmpfiles.d configuration. Simply add special config file for it, and the directory is always recreated.

Even if we use non-packaged software, which is compiled into /usr/local, we should not be using /var/local/var/run for state files, because the system takes care of state files only under /var/run. This is something to always account for when configuring compiled software.

echo '# fail2ban runtime directory' > /etc/tmpfiles.d/fail2ban.conf
echo 'd /run/fail2ban 0755 root root -' >> /etc/tmpfiles.d/fail2ban.conf
systemctl start fail2ban
systemctl enable fail2ban

TODO, describe app-specific fail2ban rules:

http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection/25592

Add client IP to trusted zone (all connections are allowed from your IP):

firewall-cmd --permanent --zone="trusted" --add-source="82.209.102.7"

Adjust root mail alias to your own email address. This will allow you to receive system related emails that your server generates:

sed s/^root.*/root:\ someuser@gmail.com/ -i /etc/aliases && newaliases

Install development tools for compiling software (Risky!)

Proceed with this step if you know what you’re doing. Only a few programs are not available via RPM packages and only if you require that particular program that is not available via packaged version, you would want to compile it from the sources.

For compilation, you will need a group of utility software. You can install it via:

yum -y groupinstall "Development tools"

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.