RHEL/CentOS post-installation

Networking & NTP

Make sure you can reach your ISP’s DNS as well as NTP servers,

ping -c1 DNS1
ping -c1 DNS2
yum -y install nmap
nmap -Pn -p 53 DNS1
nmap -Pn -p 53 DNS2
nmap -sU -Pn -p 53 DNS1
nmap -sU -Pn -p 53 DNS2
nmap -sU -Pn -p 123 NTPSRV

Setup the hostname,

vi /etc/hostname # short is fine
vi /etc/hosts # fqdn + short

Note. it’s ok to use shortname in /etc/hostname as long as you define the fqdn in /etc/hosts in first position. In that case, hostname --short and hostname --long would be fine. domainname however, would not work since hostname or uname -n alone would print the short hostname (domainname evaluates the domain part).

Check the network conf & time sync,

#vi /etc/sysconfig/network
vi /etc/sysconfig/network/network-scripts/ifcfg-eth0
#vi /etc/resolv.conf
cp -pi /etc/ntp.conf /etc/ntp.conf
vi /etc/ntp.conf
systemctl restart ntpd
systemctl enable ntpd
ntpq -p
hwclock --systohc

Note. don’t forget to check the timezone setting,

ls -lhF /etc/localtime

Make sure SElinux is at least in permissive mode,

getenforce
vi /etc/sysconfig/selinux

SELINUX=permissive

setenforce 0
getenforce

Eventually enable SElinux “enforcing” at some point (no reboot needed if you’re in permissive mode).

Commmon finish-up

Make sure the system is up-do-date

yum -y upgrade

Install a few more packages – host and container

yum -y install \
    bc \
    bind-utils \
    bzip2 \
    cronie \
    cronie-noanacron \
    crontabs \
    curl \
    dos2unix \
    git \
    glibc-langpack-en \
    htop \
    iftop \
    iotop \
    lftp \
    man-db \
    man-db-cron \
    man-pages \
    mlocate \
    mtr \
    net-tools \
    ngrep \
    nmap \
    nmap-ncat \
    tar \
    telnet \
    wget \
    whois

    # elinks \
    # ksh \
    # mc \
    # motd \
    # rsync \
    # screen \
    # sudo

If you want mail – host and container

yum -y install \
    rsyslog \
    postfix \
    mailx

Bare-metal only

yum -y install \
    hdparm \
    pciutils

Update the file index

updatedb

Install EPEL and a few more packages

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum -y install \
    colordiff \
    pwgen

Wheeled accounts & SSH

Make sure the wheel group exists (default),

grep ^wheel /etc/group

Setup wheeled accounts for some sysadmin,

usermod -a -G wheel root

user=WHEELED
grep ^$user /etc/passwd
grep ^$user /etc/group
useradd -m -g users -G wheel $user
#usermod -a -G wheel $user
passwd $user

su - $user
ssh-keygen -t ecdsa
ssh-keygen -t ed25519
#mkdir -p .ssh/
#chmod 700 .ssh/
vi ~/.ssh/authorized_keys

YOU REMOTE PUBLIC KEY HERE

chmod 600 ~/.ssh/authorized_keys
^D

Eventually authorize those wheeled users to become root with their user password (commented out) or even directly without password,

cp -pi /etc/sudoers /etc/sudoers.dist
vi /etc/sudoers
#/wheel

#%wheel ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL

Secure your logs a little bit and allow %wheel to read it,

#default is root.root -rw-------
chown root:wheel /var/log/messages
chmod g+r /var/log/messages

#default is root.root -rw-------
chown root:wheel /var/log/maillog
chmod g+r /var/log/maillog

Secure SSH a little bit (and eventually enable a failover),

grep ^wheel /etc/group
cd /etc/ssh/
cp -pi sshd_config sshd_config.dist
vi sshd_config

Port 2222
AllowGroups wheel
PermitRootLogin without-password
PasswordAuthentication no

systemctl restart sshd
tail -F /var/log/secure &

Keep your session up until you validated that you could log in again.

Tweak your environment

cp -pi /etc/bashrc /etc/bashrc.dist
vi /etc/bashrc

MAKEFLAGS=-j$((`grep ^processor /proc/cpuinfo | tail -1 | awk '{print $NF}'` + 1))

source /etc/bashrc

And eventually setup GNU/Screen.

Docker

Setting up Docker on various systems


GUIDES | LECTURES | BENCHMARKS | SMTP HEALTH