CentOS 7 – Minimal server install. I will document my build process in sections.
The minimal instalation. This is a very basic install with just the minimal selected. At this point I’m assuming you have some knowledge of installing Linux systems. I have plans to create a detailed install guide for CentOS in the near future.
Firewall configuration. I use custom firewall scripts using iptables, so all my firewall files I scp over to the new build. I realize that firewalld is the “new” firewall however until I’m comfortable with that I use the old iptables.
Server config. This section deals with installing services (if necessary) and configuration of those services. Remember this is a basic install so only the basic services are set up.
Post install. The finishing touches, This is stuff I like to do at the end of a base install.
Note: This guide assumes you have some knowledge of Linux systems. Whilst I do intend to document a detailed install guide for CentOS, at this point in time I am assuming you know how to do the install.
Actual commands are shown like so blue
Ok, this is pretty straight forward. As I mentioned earlier I am assuming you have knowledge of installing linux systems. Just configure the options for the install( eg: network, partitioning etc) to suit your needs but for software just select ‘minimal install’ Once the install is done and we have rebooted we can so some prelim config as shown below. You will need to su – as root to perform the following
The basic install will only install vi. If you are happy just with vi then skip this bit. I prefer vim so we need to get that like so: yum install vim
We need to get some tools to help us manage SELINUX as we will be modifying ports later on. So we need to do: yum install setroubleshoot setools
Ok, that’s the install section done, on with the firewall section
CentOS 7 is a major update and has some “new” systems such as systemd and firewalld just to name two.
At the moment I am not that familiar with firewalld, so I will use my old “iptables” scripts for my firewall. Once I am comfortable with firewalld I will switch to that. The first thing I do is SCP all my firewall scripts across to this new build. Once they have been correctly adjusted with the details of the new build we can do the following:
yum install net-tools
systemctl stop firewalld
systemctl disable firewalld
service <firewallscript> start
chkconfig <firewallscript> on
At this point I run tail -f /var/log/messages and watch the entries for a few m inutes, adjust the firewall script as necessary based on this. You should now have a running custom firewall.
Time to configure the services. This section is very open to your personal preferences. I have listed what I like to do, simply adjust to suit your requirements if necessary.
Edit SSH. I dont run ssh on the standard port and I disable root login so I make those adjustments in /etc/ssh/sshd_config , Now remember we are running SELINUX and it will prevent SSH from running on the non-standard port. So we need to adjust SELINUX to suit like so: semanage port -a -t ssh_port_t -p tcp <port> Then we can start SSH again.
As this is a base build for a 24/7 server I like to use ntp instead of chrony for time keeping. So we do the following:
yum install ntp
edit /etc/ntp.conf and adjust to suit
systemctl stop chrony
systemctl disable chrony
systemctl enable ntpd
systemctl start ntpd
Setting the time zone in CentOS 7 is very easy, much better than previous versions. Simply do the following:
Find the time zone you want by doingtimedatectl list-timezones Then set the zone by doing: timedatectl set-timezone <required zone> For example timedatectl set-timezone Australia/Sydney. That’s all there is to it!
As I have my own IP4 class C, I don’t need IPV6, so I disable it. Be aware that the upstream Redhat maintainer reccomends NOT removing the IPV6 module as this will upset SELINUX and maybe other services. I do it this way, create the file disableipv6.conf in /etc/sysctl.d/ and insert the following in it:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
IPV6 will still be running so we need to disable it by the following:
If you are tailing the messages log as you do this you will see IPV6 being disabled. You can also do an ifconfig to verify ther eis no IPV6 address attached to the network interface.
I also like to remove all references to IPV6 in services such as SSH, postfix, ntpd etc. If you tail the messages log and restart the services in another terminal it will tell you if a particular service is complaing about nonexitant IPV6.
Ok now we have some tasks I like to do at the end, just to “tidy” things up.
Edit /etc/aliases so you get root’s mail. Don’t forget to run newaliases after you’re done.
yum install logwatch
yum install yum-priorities I like to use yum-priorities. Whilst you have only the base repo’s it makes no difference, but eventually you will install other repos and it can help then.
Finally do a complete yum update – yum update
That’s it! We now have a complete minimal install with custom firewall, IPV6 disabled and SSH configured securely. If you are using virtualization you can clone this build and use it as a base to build other systems such as a mail or web server.