Purpose

This page provides a step-by-step guide to configuring a newly installed CentOS 7 server: the initial setup steps, and hardening the system for general enterprise server use.


Plan

  1. Server update
  2. Configure the host name
  3. Configure Server time sync
  4. Configure a password policy
  5. Configure Automatic security updates

References


Step 1: Server update

1.1: Install repos

The repos you install on your server give you access to the desired application and daemon package libraries. Extra Packages for Enterprise Linux (EPEL) is a special interest group (SIG) from the Fedora Project that provides a set of additional packages for RHEL (and CentOS, and others) from the Fedora sources.

Input:
sudo yum -y install epel-release

1.2: update current system packages

Before you install any new packages it’s a good idea to update the applications and daemons already on your server to their current versions.

Input:
sudo yum -y update

Step 2: Configure Hostname

Developing an easy-to-remember naming convention for your private network helps when it comes to network documentation and configuration. Below is an example of how to make such a change on your new server.

Input:
sudo hostnamectl set-hostname <service or main app>.lnxark.org

Step 3: Configure Server time sync

Keeping your servers' clocks in sync is very important; clock skew can cause many issues. Device time is an important factor in network security: many authentication protocols will fail if the devices in your network are configured with different system times.

3.1: Install chrony.

Input:
sudo yum -y install chrony

Output:
Installed:
  chrony-3.5-8.fc32.x86_64

Complete!

3.2: Enable chrony

Input:
sudo systemctl enable chronyd

3.3: Make a backup of the Chrony client’s configuration file /etc/chrony.conf:

Input:
sudo cp --archive /etc/chrony.conf /etc/chrony.conf.bck-$(date +'%F@%T')

Validate:

Input:
sudo ls -l /etc/chrony.*

Output:
-rw-r--r--. 1 root root 1085 May 10 2019 /etc/chrony.conf
-rw-r--r--. 1 root root 1085 May 10 2019 /etc/chrony.conf.bck-2020-08-19@05:57:31
-rw-r-----. 1 root chrony 540 May 10 2019 /etc/chrony.keys

3.4: Configure the chrony time servers

The next step is to configure your new server to use a network time server (which will commonly be your Domain Controller) for network time sync.

Input:
sudo sed -i -r -e "s/^((server|pool).*)/# \1   # commented by $(whoami) on $(date +"%F @ %T")/" /etc/chrony.conf

echo -e "\n# server added by $(whoami) on $(date +"%F @ %T") \nserver time.lnxark.org iburst" | sudo tee -a /etc/chrony.conf

Validate:

Input:
egrep --color 'server|pool' /etc/chrony.conf

Output:
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
# pool 2.fedora.pool.ntp.org iburst # commented by sysop on 2020-08-19 @ 06:04:12
# server added by sysop on 2020-08-19 @ 08:28:03
server time.lnxark.org iburst 

3.5: Restart chronyd

Remember to restart the daemon after making changes to the configuration file.

Input:
sudo systemctl restart chronyd

Validate:

Input:
sudo systemctl status chronyd.service

Output:
● chronyd.service - NTP client/server
Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-08-19 10:35:17 EDT; 15s ago
Docs: man:chronyd(8)
man:chrony.conf(5)

3.6: Check the status of the configured server pool.

Input:
sudo chronyc sources

Output:
210 Number of sources = 4
MS Name/IP address           Stratum Poll Reach LastRx Last sample
================================================================================
^- nu.binary.net                   2   6   37    65   +73us[+2517us] +/- 62ms
^* ntp1.torix.ca                   1   6   77     0   +1338us[+3772us] +/- 30ms
^+ ec2-34-194-39-113.comput>       2   6   77     1   -1692us[ +742us] +/- 52ms
^- tick.chi1.ntfo.org              3   6  153    62   -8448us[-6004us] +/- 146ms
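The one-liners in step 3.4 are not repeatable: run them twice and the server line you just added is commented out and appended again. The following shell functions are an added example, not part of the original guide; they perform the same edit idempotently against a configuration path you pass in (so you can rehearse on a scratch copy before touching /etc/chrony.conf), list the active sources for the validation in step 3.4, and check the chronyc output from step 3.6 for a selected (^*) source. time.lnxark.org is the guide's own time server; the sample chrony.conf content is constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the original guide): repeatable version of the
# step 3.4 chrony edit plus a check for the step 3.6 output. CONF and the
# server name are parameters; nothing here touches /etc/chrony.conf unless
# you pass that path.
set -eu

# Comment out every active "server"/"pool" line in CONF (except one that
# already points at NEW_SERVER) and append NEW_SERVER exactly once.
# Safe to re-run: a second invocation leaves the file unchanged.
set_chrony_server() {
    conf="$1"; new_server="$2"
    stamp="$(whoami) on $(date +'%F @ %T')"
    # Escape dots so the hostname is matched literally in the regex.
    esc="$(printf '%s' "$new_server" | sed 's/[.]/\\./g')"
    keep="^server[[:space:]]+${esc}([[:space:]]|\$)"
    sed -i -r -e "/${keep}/! s/^((server|pool)[[:space:]].*)/# \1   # commented by ${stamp}/" "$conf"
    if ! grep -Eq "$keep" "$conf"; then
        printf '\n# server added by %s\nserver %s iburst\n' "$stamp" "$new_server" >> "$conf"
    fi
}

# Print the hostnames of the active (uncommented) source lines in CONF.
active_sources() {
    grep -E '^[[:space:]]*(server|pool)[[:space:]]' "$1" | awk '{print $2}'
}

# Read "chronyc sources" output on stdin; succeed only if chrony has
# selected a source to synchronise to (that line starts with "^*").
has_selected_source() {
    grep -Eq '^\^\*'
}

# Demonstration on a constructed scratch file (not a real chrony.conf).
demo="$(mktemp)"
cat > "$demo" <<'EOF'
# Use public servers from the pool.ntp.org project.
pool 2.centos.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
EOF
set_chrony_server "$demo" time.lnxark.org
set_chrony_server "$demo" time.lnxark.org   # second run is a no-op
echo "Active sources: $(active_sources "$demo")"
rm -f "$demo"
```

On the real server, run `set_chrony_server /etc/chrony.conf time.lnxark.org` as root after taking the backup from step 3.3, then `sudo chronyc sources | has_selected_source && echo "synced"` once chronyd has been restarted. A `^?` in the first column for every source means chrony has not yet been able to reach or trust any of them, which is usually a firewall (UDP 123) or hostname resolution problem.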

Step 4: Configure a password policy

4.1: Setting max password login attempts per session

Linux-PAM (short for Pluggable Authentication Modules which evolved from the Unix-PAM architecture) is a powerful suite of shared libraries used to dynamically authenticate a user to applications (or services) in a Linux system.

Change to the pam.d directory

Input:
cd /etc/pam.d

Back up the system-auth file

Input:
sudo cp --archive system-auth system-auth.orig

Edit the system-auth file

Input:
sudo vim system-auth

Edit the pam_pwquality.so statement and change retry to 5 to limit the number of times a user can attempt a login.

Edit File:
password  requisite pam_pwquality.so try_first_pass local_users_only retry=5
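Editing the line by hand in vim works, but it is easy to end up with two retry= options or to change the wrong module's line. The functions below are an added example, not part of the original guide: they set retry=N on the pam_pwquality.so line only (updating the value if one exists, appending it otherwise) and read the value back so the change can be verified. The file path is a parameter so you can try it on a copy first; the sample lines are constructed from the stock CentOS 7 system-auth layout. Note that retry= on this line is the number of attempts pam_pwquality grants for choosing an acceptable new password during a password change.

```shell
#!/usr/bin/env bash
# Added example (not part of the original guide): set retry=N on the
# pam_pwquality.so "password" line of a PAM stack file and read it back.
# FILE is a parameter; try it on a copy before editing /etc/pam.d/system-auth.
set -eu

# Regex for the "password" line that loads pam_pwquality.so.
PWQ='^password[[:space:]]+[^[:space:]]+[[:space:]]+pam_pwquality\.so'

# Update an existing retry=... value, or append retry=N if the option is
# absent. Only the pam_pwquality.so line is touched; other modules keep
# their options untouched.
set_pwquality_retry() {
    file="$1"; n="$2"
    if grep -Eq "${PWQ}.*[[:space:]]retry=[0-9]+" "$file"; then
        sed -i -r -e "/${PWQ}/ s/([[:space:]])retry=[0-9]+/\1retry=${n}/" "$file"
    else
        sed -i -r -e "/${PWQ}/ s/\$/ retry=${n}/" "$file"
    fi
}

# Print the retry value currently set for pam_pwquality.so (nothing if unset).
pwquality_retry() {
    sed -n -r -e "/${PWQ}/ s/.*[[:space:]]retry=([0-9]+).*/\1/p" "$1"
}

# Demonstration on a constructed copy of the relevant lines, not the live file.
demo="$(mktemp)"
printf '%s\n' \
  'password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=' \
  'password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok' > "$demo"
set_pwquality_retry "$demo" 5
echo "pam_pwquality retry is now: $(pwquality_retry "$demo")"
rm -f "$demo"
```

Two CentOS 7 caveats when applying this to the real file: /etc/pam.d/system-auth is a symlink to system-auth-ac, and GNU `sed -i` replaces a symlink with a regular file unless you pass `--follow-symlinks`; and running `authconfig` later regenerates system-auth-ac, discarding manual edits, so re-check the value with `pwquality_retry /etc/pam.d/system-auth` after any authconfig run.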

Step 5: Configure Automatic security updates

5.1: Install yum-cron

Input:
sudo yum install -y yum-cron

Output:
Running transaction
  Installing : yum-cron-3.4.3-167.el7.centos.noarch 1/1
  Verifying : yum-cron-3.4.3-167.el7.centos.noarch 1/1

Installed:
  yum-cron.noarch 0:3.4.3-167.el7.centos

Complete!

5.2: Daemon Configuration

First, always back up the original yum-cron configuration file.

Input:
cd /etc/yum
sudo cp --archive yum-cron.conf yum-cron.conf.orig

Configure yum-cron for auto-update, depending on how you want to update your servers. For the Lnxark server configuration we are going to go with automatic installation of security updates.

Input:
sudo vim yum-cron.conf

Edit File:
[commands]
#  What kind of update to use:
# default                              = yum upgrade
# security                             = yum --security upgrade
# security-severity:Critical           = yum --sec-severity=Critical upgrade
# minimal                              = yum --bugfix update-minimal
# minimal-security                     = yum --security update-minimal
# minimal-security-severity:Critical   = --sec-severity=Critical update-minimal
update_cmd = security

#Whether a message should be emitted when updates are available,
#were downloaded, or applied.
update_messages = yes

#Whether updates should be downloaded when they are available.
download_updates = yes

#Whether updates should be applied when they are available. Note
#that download_updates must also be yes for the update to be applied.
apply_updates = yes

To stay in the know, let’s set the yum-cron daemon to send an email notifying the relevant stakeholders of the updates:

Input:
sudo vim /etc/yum/yum-cron.conf

Edit File:
# How to send messages. Valid options are stdio and email. If
# emit_via includes stdio, messages will be sent to stdout; this is useful
# to have cron send the messages. If emit_via includes email, this
# program will send email itself according to the configured options.
# If emit_via is None or left blank, no messages will be sent.
emit_via = email

# The width, in characters, that messages that are emitted should be
# formatted to.
output_width = 80

[email]
# The address to send email messages from.
# NOTE: 'localhost' will be replaced with the value of system_name.
email_from = root@localhost

# List of addresses to send messages to.
email_to = sysadm@lnxark.org

# Name of the host to connect to to send email messages.
email_host = localhost

5.3: Restart the daemon

Restart the daemon so that the new configuration takes effect.

Input:
sudo systemctl restart yum-cron
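Once several servers have been set up this way, it is worth being able to confirm from a script that yum-cron is still configured as intended (a later package upgrade or a hand edit can quietly flip apply_updates back to no). The audit below is an added example, not part of the original guide or of yum-cron itself: a small ini reader plus a check of the values this guide sets. It assumes the stock yum-cron.conf layout, in which emit_via sits in the [emitters] section (the excerpt above omits that header), and the sample configs are constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the original guide): audit a yum-cron.conf for
# the settings this guide expects. Point it at /etc/yum/yum-cron.conf or at
# any copy; the expected values mirror steps 5.2 above.
set -eu

# Print the value of KEY inside [SECTION] of an ini-style file (empty if
# unset). Lines starting with '#' or ';' are comments and ignored; the first
# '=' separates key from value; surrounding spaces are trimmed.
ini_get() {
    file="$1"; section="$2"; key="$3"
    awk -v s="$section" -v k="$key" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { cur = $0; gsub(/[][ \t]/, "", cur); next }
        cur == s {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == k) {
                val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$file"
}

# Succeed if [SECTION] KEY in FILE equals WANT; otherwise report and fail.
expect() {
    file="$1"; section="$2"; key="$3"; want="$4"
    got="$(ini_get "$file" "$section" "$key")"
    [ "$got" = "$want" ] && return 0
    echo "FAIL: [$section] $key = '$got' (want '$want')"
    return 1
}

# Return 0 only if FILE applies security updates automatically and emails
# a named recipient; every failed expectation is printed.
audit_yum_cron() {
    f="$1"; rc=0
    expect "$f" commands update_cmd security    || rc=1
    expect "$f" commands download_updates yes   || rc=1
    expect "$f" commands apply_updates yes      || rc=1
    expect "$f" emitters emit_via email         || rc=1
    to="$(ini_get "$f" email email_to)"
    if [ -z "$to" ]; then
        echo "FAIL: [email] email_to is empty; nobody will receive the update reports"
        rc=1
    fi
    return "$rc"
}

# Demonstration on a constructed sample matching the guide's configuration.
demo="$(mktemp)"
cat > "$demo" <<'EOF'
[commands]
update_cmd = security
update_messages = yes
download_updates = yes
apply_updates = yes

[emitters]
system_name = None
emit_via = email
output_width = 80

[email]
email_from = root@localhost
email_to = sysadm@lnxark.org
email_host = localhost
EOF
if audit_yum_cron "$demo"; then echo "yum-cron configuration OK"; fi
rm -f "$demo"
```

Run `audit_yum_cron /etc/yum/yum-cron.conf` from a cron job or a configuration check; a non-zero exit with the FAIL lines tells you exactly which setting drifted. Remember that apply_updates only takes effect when download_updates is also yes, which is why both are checked.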

Your basic initial configuration of your new server is completed.
