Things to do in the initial configuration of CentOS 7

What do you need to do the initial configuration of CentOS 7? In this tutorial, Step by step I think need the initial configuration for Centos 7.

Time synchronization.

Setting Command history

The command in example ( date, history,w, top, df) does not remain in the command history.

# cat << "_EOF" > /etc/profile.d/history.sh && source /etc/profile.d/history.sh

# The content command history
 HISTTIMEFORMAT='%F %T '
 HISTSIZE=100000
 HISTFILESIZE=100000
 HISTIGNORE='date,history:w:top:df'
 HISTCONTROL=ignoreboth
 PROMPT_COMMAND='history -a; history -c; history -r'
 _EOF

Enable i-search

Ctrl + r switches to the command history search mode, but by default, it cannot be re-searched in the reverse direction.

# echo '[ -t 0 ] && stty -ixon' > /etc/profile.d/stty.sh && source /etc/profile.d/stty.sh

Writing outputs to log file and console

cat << "_EOF_" > /etc/profile.d/script.sh && source /etc/profile.d/script.sh
# output operation log 
P_PROC=`ps aux | grep $PPID | grep sshd | awk '{ print $11 }'`
if [ "$P_PROC" = sshd: ]; then
  script -q /var/log/script/`whoami`_`date '+%F_%H%M%S'`.log
  exit
fi
_EOF_

# chmod 777 /etc/profile.d/script.sh

Monitor User Activity with psacct

You can use the lastcomm command to check which user executed which command when.

# yum -y install psacct && systemctl start $_ && systemctl enable $_

Detection with OSSEC HIDS

# yum install -y epel-release wget && curl -s http://www.atomicorp.com/installers/atomic | sh && yum install -y ossec-hids-server /var/ossec/bin/ossec-configure
# sed -i.org '/directories check_all/s/"yes"/"yes" realtime="yes"/' /var/ossec/etc/ossec.conf
# systemctl start ossec-hids && systemctl enable $_

Install and enable AIDE

Update Your System

# yum clean all && yum -y update

Prohibit login without password

# sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth

su and sudo settings

# sed -i.org '/NOPASSWD/ s/^# //' /etc/sudoers
# sed -i.org '/use_uid/ s/^#//' /etc/pam.d/su

sudo without password

Modify /etc/sudoers file

%wheel ALL=(ALL)       NOPASSWD: ALL

Passwordless root switch

Modify /etc/pam.d/su file

auth           sufficient      pam_wheel.so trust use_uid

su authorized user limit

modify /etc/pam.d/su file

auth           required        pam_wheel.so use_uid

Adding administrative users

# useradd huupv && passwd $_ && usermod -G wheel $_ && getent group wheel
# sudo -u huupv echo 'huupv@devopsroles.com' > ~/.forward
# sed -i /etc/aliases -e '/root:/ s/^#//' -e '/root:/ s/marc/huupv/' && newaliases
# echo "Test mail" | sendmail root

Changing the hostname

# hostnamectl set-hostname server1.devopsroles.com

The setting of less command.

cat << '_EOF_' >> ~/.bashrc
export VISUAL=vim
export LESS="-M"
_EOF_

The -M option always displays the file name, number of lines, and progress.

vim command

cat << '_EOF_' >> ~/.vimrc && mkdir -p ~/.vim/tmp
set encoding=utf-8
set directory=~/.vim/tmp
set backupdir=~/.vim/tmp
set undodir=~/.vim/tmp
_EOF_

Change the location of temporary files such as .swp.

Yum plugin

# yum -y install epel-release && yum -y yum-axelget yum-changelog yum-cron yum-plugin-ps yum-plugin-remove-with-leaves yum-plugin-rpm-warm-cache yum-plugin-show-leaves yum-utils

utility

There are many commands that are not installed in minimal.

# yum -y install bind-utils net-tools policycoreutils-python psmisc rlwrap traceroute tree vim-enhanced wget

Compression and decompression

# yum -y install epel-release && yum -y install unzip bzip2 lbzip2 pbzip2 pigz pxz

Installing the monitoring tool

Disabling GSSAPIAuthentication

Speed up SSH login by disabling GSSAPIAuthentication.

# sed -i '/GSSAPIAuthentication / s/yes/no/' /etc/ssh/sshd_config

limit of the number of old kernel packages

# sed -e '/installonly_limit/ s/5/2/' -i /etc/yum.conf

Interactive option

cat << "_EOF_" > /etc/profile.d/alias.sh
alias crontab='crontab -i'
alias cp='cp -i'
alias mv='mv -i'
alias rm='rm -i'
_EOF_

File rewrite prohibition by redirection

Edit .bashrc file

set -o noclobber

Yum Disable Excludes

# echo "exclude=kernel* centos*" >> /etc/yum.conf
# echo "alias yum='yum --disableexcludes=all'" >> /etc/profile.d/yum.sh

security settings

sed -i.org /etc/login.defs -e '/PASS_MIN_DAYS/ s/0/1/' -e '/PASS_MAX_DAYS/ s/99999/3650/'
sed -i /etc/profile -e  's/umask 002/umask 027/' -e 's/umask 022/umask 027/'

cat << "_EOF_" > /etc/modprobe.d/blacklist.conf
blacklist usb-storage
blacklist firewire_core
blacklist firewire_ohci
_EOF_

for i in $(find /lib/modules/`uname -r`/kernel/drivers/net/wireless -name "*.ko" -type f) ; do echo blacklist $i >> /etc/modprobe.d/blacklist-wireless ; done
sed -i.org 's/#AllowTcpForwarding yes/AllowTcpForwarding no/' /etc/ssh/sshd_config
sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 2/' /etc/ssh/sshd_config
sed -i 's/#Compression delayed/Compression no/' /etc/ssh/sshd_config
sed -i 's/#LogLevel INFO/LogLevel VERBOSE/' /etc/ssh/sshd_config
sed -i 's/#MaxAuthTries 6/MaxAuthTries 2/' /etc/ssh/sshd_config
sed -i 's/#MaxSessions 10/MaxSessions 2/' /etc/ssh/sshd_config
##sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
##sed -i 's/#Port 22/Port 10022/' /etc/ssh/sshd_config
sed -i 's/#TCPKeepAlive yes/TCPKeepAlive no/' /etc/ssh/sshd_config
sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
sed -i 's/X11Forwarding yes/X11Forwarding no/' /etc/ssh/sshd_config
sed -i 's/#AllowAgentForwarding yes/AllowAgentForwarding no/' /etc/ssh/sshd_config

cat << "_EOF_" >> /etc/sysctl.conf
kernel.kptr_restrict=2
kernel.sysrq=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
_EOF_

# sysctl -p
# chmod 700 /usr/bin/as

Fail2ban

# yum -y install epel-release && yum -y install fail2ban{,-systemd}

cat << "_EOF_" > /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.0.0/24
[sshd]
enabled  = true
_EOF_

# fail2ban-client -d
# systemctl start fail2ban && systemctl enable $_
# fail2ban-client status
# fail2ban-client status sshd

Have a good nice!

,

About HuuPV

My name is Huu. I love technology and especially Devops Skill such as Docker, vagrant, git so forth. I likes open-sources. so I created DevopsRoles.com site to share the knowledge that I have learned. My Job: IT system administrator. Hobbies: summoners war game, gossip.
View all posts by HuuPV →

Leave a Reply

Your email address will not be published. Required fields are marked *

Comment moderation is enabled. Your comment may take some time to appear.

This site uses Akismet to reduce spam. Learn how your comment data is processed.