You have to maintain an active subscription in order to be able to use the repository!
Note for beginners
This guide is easy to follow by copy pasting commands and hitting Enter. If you are unsure on how to edit configuration files, install nano command line editor first by SSH command:
yum -y install nano. You can edit files by issuing command
nano followed by configuration file name. Navigate text by arrow keys and hit Ctrl + X followed by Y and Enter to save.
You need to have a VPS, or virtual machine, or a dedicated server with CentOS 7 minimal image installed. Have a look at the list of our recommended VPS hosts, in case you’re still looking for a good VPS plan with CentOS 7.
First things first. Setting the hostname is the very first thing that needs to be done on a Linux server.
Select meaningful hostname
- Contains keyword specifying main server function, i.e. db, or web
- Hostname is a FQDN, i.e. web.example.com
- It is not a FQDN where you host any website of yours. It should not equal to www.example.com or example.com
Assuming we have decided on web.example.com as the hostname, set the hostname with:
hostnamectl set-hostname web.example.com
Create a sudo user
It is a good practice to have a user other from root. So we are going to create centos user who will able to run administrative commands by prepending
sudo keyword in front of them:
useradd centos && passwd centos usermod -aG wheel centos
After this, attempt to establish SSH connection under the
centos user. Once connected, verify that you are capable of gaining root privileges via
su (“turns” you into a
sudo whoami (prepend
sudo prior to running any command to run it under
Following this, you can harden your SSH configuration by disallowing direct
root SSH login.
PermitRootLogin no, then run
systemctl restart sshd.
For those super crazy about viruses, even on Linux, here is an excellent tutorial for you.
Enable The Firewall
CentOS 7 comes with different firewall software than CentOS 6.5 – firewalld. Iptables can still be used, but let’s follow up with what is provided by default (which is always better when it comes to security related software alternatives).
For easier storage of firewall rules related to many IP addresses, we need ipset command line tool. It will interact with IP Sets functionality of Linux kernel.
yum -y install ipset
Usually, we have a single IP address on a server. It is the IP address which hosts our websites. Firewalld comes with the concept of zones. Let’s enable the firewall to start automatically, run it immediately and configure our IP address to be part of public zone.
systemctl enable firewalld systemctl start firewalld firewall-cmd --zone=public --change-interface=eth0 firewall-cmd --permanent --zone=public --add-service=http # Enable access to HTTP firewall-cmd --reload # Applies changes immediately
To check firewall run status, issue
systemctl status firewalld command.
Install the convenience Linux tools
The file editor
The default file viewer and editor of choice in Linux is
vim. However, it is quite complex to master. And since you’re reading this tutorial, you likely want something easy, like the
You will often want to download stuff to your Linux machine, whether it’s some software packages or data files. You can get around with
curl which is pre-installed by default, but
wget will be somewhat easier to work with:
So to install these tools, run:
yum -y install wget nano
We can tell the operating system, what is our file editor of choice:
cat <>/etc/profile.d/nano.sh export VISUAL="nano" export EDITOR="nano" EOF
Fail2ban protects your server by blocking malicious users who try to brute-force it.
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm sudo yum -y install fail2ban
Make a copy of configuration template. Fail2ban expects you to always use jail.local and not jail.conf:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Add SSH-related configuration to our jail.local file (at the end of the file):
[ssh] enabled = true filter = sshd action = firewallcmd-ipset logpath = /var/log/secure maxretry = 3 bantime = 7200
Next, add custom settings to ban action. This will make sure that it matches ban time in jail definition:
cat << _EOF_ > /etc/fail2ban/action.d/firewallcmd-ipset.local [Init] bantime = 7200 _EOF_
Copy source supplied system unit file so that we can manage fail2ban service using systemctl:
cp /usr/local/src/fail2ban-0.8.14/files/fail2ban.service /usr/lib/systemd/system/
Next, we need to configure directory /var/run/fail2ban to be automatically created each time server boots. This is done by making use of tmpfiles.d configuration. Simply add special config file for it, and the directory is always recreated.
Even if we use non-packaged software, which is compiled into /usr/local, we should not be using /var/local/var/run for state files, because the system takes care of state files only under /var/run. This is something to always account for when configuring compiled software.
echo '# fail2ban runtime directory' > /etc/tmpfiles.d/fail2ban.conf echo 'd /run/fail2ban 0755 root root -' >> /etc/tmpfiles.d/fail2ban.conf systemctl start fail2ban systemctl enable fail2ban
TODO, describe app-specific fail2ban rules:
Add client IP to trusted zone (all connections are allowed from your IP):
firewall-cmd --permanent --zone="trusted" --add-source="184.108.40.206"
Adjust root mail alias to your own email address. This will allow you to receive system related emails that your server generates:
sed s/^root.*/root:\ firstname.lastname@example.org/ -i /etc/aliases && newaliases
Install development tools for compiling software (Risky!)
Proceed with this step if you know what you’re doing. Only a few programs are not available via RPM packages and only if you require that particular program that is not available via packaged version, you would want to compile it from the sources.
For compilation, you will need a group of utility software. You can install it via:
yum -y groupinstall "Development tools"