Make sure you can reach your ISP's DNS as well as NTP servers (the UDP scans need root),
    ping -c1 DNS1
    ping -c1 DNS2
    yum -y install nmap
    nmap -Pn -p 53 DNS1
    nmap -Pn -p 53 DNS2
    nmap -sU -Pn -p 53 DNS1
    nmap -sU -Pn -p 53 DNS2
    nmap -sU -Pn -p 123 NTPSRV
Set up the hostname,
    vi /etc/hostname    # short is fine
    vi /etc/hosts       # fqdn + short
Note. It's ok to use the short name in /etc/hostname as long as you define the FQDN in /etc/hosts in first position (e.g. "192.0.2.10 host.example.org host", an illustrative entry). In that case both hostname --short and hostname --long (alias --fqdn) work, because the FQDN is resolved through /etc/hosts. hostname or uname -n alone print whatever /etc/hostname holds, i.e. the short name. domainname does not help either: it reports the NIS/YP domain, not the DNS one; hostname -d (or dnsdomainname) is what evaluates the DNS domain part.
Check the network conf & time sync,
    #vi /etc/sysconfig/network
    vi /etc/sysconfig/network-scripts/ifcfg-eth0
    #vi /etc/resolv.conf
    cp -pi /etc/ntp.conf /etc/ntp.conf.dist
    vi /etc/ntp.conf
    systemctl restart ntpd
    systemctl enable ntpd
    ntpq -p
    hwclock --systohc
Note. CentOS 7 ships chronyd, not ntpd, so ntpd has to be installed (ntp package) and chronyd stopped and disabled first; two daemons adjusting the clock is a classic source of drift. Only run hwclock --systohc once ntpq -p shows a peer marked with * (synchronised), otherwise you write an unsynced time into the RTC.
Note. Don't forget to check the timezone setting (timedatectl shows the same, plus whether the clock is NTP-synchronised),
    ls -lhF /etc/localtime
Make sure SELinux is at least in permissive mode,
    getenforce
    vi /etc/sysconfig/selinux    # symlink to /etc/selinux/config
        SELINUX=permissive
    setenforce 0
    getenforce
Switch to enforcing (SELINUX=enforcing in the file, setenforce 1 for the running system) once the setup is validated. Going from permissive to enforcing needs no reboot; only going from disabled does, because the filesystem must be relabeled. Permissive mode still records every denial in /var/log/audit/audit.log, so review it before flipping the switch.
Make sure the system is up-to-date,
    yum -y upgrade
Install a few more packages – host and container
    yum -y install \
        bc \
        bind-utils \
        bzip2 \
        cronie \
        cronie-noanacron \
        crontabs \
        curl \
        dos2unix \
        git \
        glibc-langpack-en \
        htop \
        iftop \
        iotop \
        lftp \
        man-db \
        man-db-cron \
        man-pages \
        mlocate \
        mtr \
        net-tools \
        ngrep \
        nmap \
        nmap-ncat \
        tar \
        telnet \
        wget \
        whois
        # elinks \
        # ksh \
        # mc \
        # motd \
        # rsync \
        # screen \
        # sudo
If you want mail – host and container
    yum -y install \
        rsyslog \
        postfix \
        mailx
Bare-metal only
    yum -y install \
        hdparm \
        pciutils
Update the file index (mlocate),
    updatedb
Install EPEL and a few more packages
    wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    rpm -ivh epel-release-latest-7.noarch.rpm
    yum -y install \
        colordiff \
        pwgen
Note. rpm -ivh only warns (NOKEY) when the package's signing key is not imported yet, it does not refuse the install; on CentOS the same epel-release package is available from the extras repo (yum -y install epel-release) and is GPG-checked like everything else, which is the safer route.
Make sure the wheel group exists (default),
grep ^wheel /etc/group
Set up a wheel account for each sysadmin,
    usermod -a -G wheel root
    user=WHEELED
    grep ^$user /etc/passwd
    grep ^$user /etc/group
    useradd -m -g users -G wheel $user
    #usermod -a -G wheel $user
    passwd $user
    su - $user
    ssh-keygen -t ecdsa
    ssh-keygen -t ed25519
    #mkdir -p .ssh/
    #chmod 700 .ssh/
    vi ~/.ssh/authorized_keys
        YOUR REMOTE PUBLIC KEY HERE
    chmod 600 ~/.ssh/authorized_keys
    ^D
Note. Adding root to wheel is what keeps key-based root login working once sshd is restricted to AllowGroups wheel below. The two greps check that the name is free before useradd. The ssh-keygen calls create ~/.ssh with mode 700 as a side effect (hence the commented mkdir/chmod) and are only needed if this user will ssh out from the host; the user password is for sudo, not for SSH, which becomes key-only below. sshd (StrictModes, the default) ignores authorized_keys if the home, ~/.ssh or the file itself is group- or world-writable, so the chmod is not optional.
Optionally authorize the wheel users to become root with their own password (the commented-out line) or with no password at all,
    cp -pi /etc/sudoers /etc/sudoers.dist
    vi /etc/sudoers
        #/wheel
        #%wheel ALL=(ALL) ALL
        %wheel ALL=(ALL) NOPASSWD: ALL
Use visudo rather than vi: it locks the file and refuses to save a syntactically broken sudoers, which would otherwise lock everyone out of sudo. Keep in mind that NOPASSWD: ALL combined with key-only SSH means whoever holds a wheel user's private key is root on this host with no further factor; the password-prompting variant at least keeps the two secrets separate.
Let %wheel read the main logs (the default is root-only),
    #default is root.root -rw-------
    chown root:wheel /var/log/messages
    chmod g+r /var/log/messages
    #default is root.root -rw-------
    chown root:wheel /var/log/maillog
    chmod g+r /var/log/maillog
Note. These permissions only hold until logrotate replaces the files; to keep them across rotation add a matching create directive (create 0640 root wheel) for those files in /etc/logrotate.d/syslog. /var/log/secure, where the sshd failures below land, stays root-only.
Secure SSH a little bit (and keep a way back in, see below),
    grep ^wheel /etc/group
    cd /etc/ssh/
    cp -pi sshd_config sshd_config.dist
    vi sshd_config
        Port 2222
        AllowGroups wheel
        PermitRootLogin without-password
        PasswordAuthentication no
    systemctl restart sshd
    tail -F /var/log/secure &
Keep your session up until you have validated, from a second terminal, that you can log in again with a key on port 2222. Before the restart, sshd -t reports config errors without touching the running daemon. without-password is the pre-7.0 spelling of PermitRootLogin prohibit-password; the OpenSSH shipped with CentOS 7 accepts both. AllowGroups applies to root as well, so root key login only keeps working because root was added to wheel above. Moving the port also has to be declared to firewalld (firewall-cmd --permanent --add-port=2222/tcp, then --reload) and, before SELinux goes enforcing, to the policy (semanage port -a -t ssh_port_t -p tcp 2222, semanage being in policycoreutils-python); otherwise sshd fails to bind port 2222 in enforcing mode.
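The sshd_config edit above is easy to get subtly wrong by hand: a leftover "#Port 22" default, a duplicate directive (sshd honours the first one), or a line that accidentally lands after a Match block and therefore only applies inside it. The following is an added example, not part of the original notes, that applies the same four settings idempotently to a config file and verifies them; it works on a file path so it can be dry-run against a copy before touching /etc/ssh/sshd_config. Function names (sshd_set, sshd_get, sshd_harden, sshd_verify) and the sample config are mine, and the sample is constructed, not a real host's file.

```shell
#!/bin/sh
# Added example (not the original notes' code): idempotently set sshd_config
# directives and verify them before restarting sshd. POSIX sh + awk only.

# sshd_set FILE KEY VALUE
# Drops any existing "KEY ..." or "#KEY ..." line in the global section and
# writes "KEY VALUE" before the first Match block (or at end of file):
# sshd uses the first occurrence of a directive, and anything after a Match
# line only applies inside that block. Directive names are case-insensitive.
sshd_set() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$value" '
        tolower($1) == "match" && !done { print key " " val; done = 1 }
        tolower($1) == "match" { inmatch = 1 }
        !inmatch && (tolower($1) == tolower(key) || tolower($1) == ("#" tolower(key))) { next }
        { print }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat into the original keeps its owner, mode and SELinux label (mv would not)
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# sshd_get FILE KEY: the value sshd would apply globally (first active match
# before any Match block); prints nothing when the compiled-in default applies.
sshd_get() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_harden FILE: the four settings from the notes, with the OpenSSH 7.x
# spelling of the root-login option (without-password is still accepted).
sshd_harden() {
    sshd_set "$1" Port 2222 &&
    sshd_set "$1" AllowGroups wheel &&
    sshd_set "$1" PermitRootLogin prohibit-password &&
    sshd_set "$1" PasswordAuthentication no
}

# sshd_verify FILE: returns 0 only if every hardening directive is active.
sshd_verify() {
    [ "$(sshd_get "$1" Port)" = 2222 ] &&
    [ "$(sshd_get "$1" AllowGroups)" = wheel ] &&
    [ "$(sshd_get "$1" PermitRootLogin)" = prohibit-password ] &&
    [ "$(sshd_get "$1" PasswordAuthentication)" = no ]
}

# Demo on a constructed copy of a stock-looking sshd_config (not a real one):
# note the commented default, the active "yes" and the Match block that must
# keep its own PasswordAuthentication line untouched.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication no
EOF
sshd_harden "$demo" && sshd_verify "$demo" && echo "hardened: $demo"
# On the real host, validate before "systemctl restart sshd":
if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$demo" || echo "sshd -t rejected the config, do not restart" >&2
fi
rm -f "$demo"
```

Run it as root against /etc/ssh/sshd_config (after the cp -pi backup) with sshd_harden and sshd_verify, then sshd -t, and only then restart; the verify step is what you repeat from the second terminal before closing the original session.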
Set a global MAKEFLAGS so make uses every core,
    cp -pi /etc/bashrc /etc/bashrc.dist
    vi /etc/bashrc
        # last "processor : N" line in /proc/cpuinfo is N = cores - 1, hence the + 1; nproc gives the same count
        MAKEFLAGS=-j$((`grep ^processor /proc/cpuinfo | tail -1 | awk '{print $NF}'` + 1))
        export MAKEFLAGS    # without the export, make never sees it
    source /etc/bashrc
And optionally set up GNU Screen.
Setting up Docker on various systems
https://serverfault.com/questions/255969/prevent-the-console-from-clearing-the-screen