CentOS 7 Minimal Installation


1. CentOS 7 Minimal Installation

Introduction

This is the first lesson of the series CentOS 7 Minimal Web Server Fundamentals. In this lesson I will be downloading and installing the CentOS 7 operating system using the Minimal option. I have chosen CentOS as the operating system because of its popularity among web hosting platforms. I recommend that you follow along with this series by either installing the web server on a physical server or by using a virtual platform to install it on your PC. I will be using a software application called Virtualbox so that I can run it straight from my PC. Both Virtualbox and CentOS are free, trusted, and open source software.

The CentOS 7 Operating System

CentOS is a very popular Linux distribution used to run web servers. In fact, at the time of this writing the hosting provider I am using (Hostgator.com) is using CentOS. The operating system is derived from the source code of the very popular Red Hat Enterprise Linux (RHEL) distribution. I have chosen to use the minimal installation option as this will install the basic operating system without any extra software. Throughout this course I will be adding the necessary packages to turn this operating system into a web server.

You will need to download the operating system from the CentOS web site, https://www.centos.org/download/. I have chosen the minimal download option (CentOS-7-x86_64-Minimal-1511.iso), currently located on the bottom of the page. This link will display a list of locations to download the ISO image. If you plan to install the operating system to a physical computer then you will need to burn the ISO to a disk. If you are using it in a virtual machine then all you will need is the downloaded file.

2. Setting a Static IP in a CentOS 7 Minimal Installation

In order to get CentOS to communicate on the network, the Ethernet adapter will need to be configured. In this lesson I will set a static IP address for the network adapter. To view a list of your network adapters use the command: ip addr

The configuration file for the network adapter should be located at /etc/sysconfig/network-scripts/ifcfg-enp0s3 (running with Virtualbox). With the minimal installation of CentOS there are not many options available to configure the network adapter. One option is to use the vi editor or nano to configure ifcfg-enp0s3. Another option is to use the nmtui utility to edit the network adapter.

Modify ifcfg-enp0s3 using nmtui

If you plan on configuring the network adapter using the nmtui utility, open a terminal and enter the command: nmtui

A utility application opens within the terminal that will allow you to configure the network adapters. With Edit a Connection selected, press Enter. Your network adapter should be listed; for example, enp0s3 is what is listed on my computer. Using the arrow keys, select Edit and press Enter. To allow the adapter to start at boot, use the spacebar to place an "x" in the Automatically connect option. If you wish to set a static IP address you can do so by selecting the IP version and editing it.

Modify ifcfg-enp0s3 using vi or nano

If you are familiar with using the vi editor you can also modify the ifcfg-enp0s3 file using vi. To use this option, type the following command in the prompt: vi /etc/sysconfig/network-scripts/ifcfg-enp0s3

You can also use nano as a text editor. If you are newer to Linux this editor has less of a learning curve than vi. Nano will need to be installed using the command: yum install nano

Once installed, to use nano to edit the file type: nano /etc/sysconfig/network-scripts/ifcfg-enp0s3

Here is an example of the file using 192.168.1.2 as the static IP address.

TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp0s3
UUID="WHATEVER IS YOUR COMPUTER'S UUID"
ONBOOT=yes
HWADDR="WHATEVER IS YOUR COMPUTER'S MAC ADDRESS"
IPADDR=192.168.1.2
PREFIX=24
GATEWAY=192.168.1.1
DNS1=192.168.1.1
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes

Restarting the networking service

You may have to restart the network adapter or the machine. To restart the network adapter use the following command: service network restart

Using ifconfig

If you wish to install the common networking tools you can now install the net-tools package using the following command: yum install net-tools

This will allow you to view your network adapters using the terminal command: ifconfig

3. Changing the Hostname of a CentOS 7 Minimal Server

The default hostname on a fresh install of CentOS 7 Minimal is localhost. If you want to change the name of your computer you will want to do this in a few spots on your computer to have it take effect across the whole system. At the end of this lesson you will need to reboot your CentOS server for the changes to fully apply.

Setting the Hostname using nmtui

The nmtui command is helpful in setting a static IP address on your CentOS server. It can also be used to set the hostname of the computer. Once you run the command you can choose the Set system hostname option and make the change. To use nmtui, simply type: nmtui

If you reboot the system at this point most everything will work with the new hostname. In addition to this however, I will change the hostname in a few other locations for compatibility reasons.

Setting the Hostname in the /etc/hosts File

Before we make the change to the /etc/hosts file you will need to know the static IP address of the server. This will be used to add a new entry in the hosts file. To check the IP address use either: ifconfig or ip addr

I will use the IP address 192.168.1.2. To edit the hosts file use the command: nano /etc/hosts

Now add the entry to the hosts file with your IP address followed by the domain name. For example I will use the domain name srv-centos. The loopback information will already be in the file. My file looks like this when I am done:

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.2 srv-centos

Setting the Hostname in the /etc/sysconfig/network File

In addition to the /etc/hosts file another file that may be used for hostname information can be found at /etc/sysconfig/network. This file on my CentOS server currently does not have an entry. To add one run the command: nano /etc/sysconfig/network

Append the following information to the file: HOSTNAME=srv-centos

Checking the Hostname Status

At this point you will need to reboot your server for all changes to take effect. To reboot the OS use the command: reboot

After CentOS reboots and you log in you should see that the terminal prompt has changed, using the new hostname.

To check the hostname on your server you can use two commands:

hostname

or

hostnamectl status

4. Adding Sudo Users to CentOS 7 Minimal

It is not the best security practice to log in to your system as the root user all the time. Also, if you plan on having other people manage your server, it is not a good idea to have everyone share the root user account. It is very simple to add new users to the CentOS server. Since this is a command line operating system we don't typically need a home folder loaded with all the common Desktop, Downloads, Documents, etc. folders. In this lesson we will just create a user account, set a password so they can log in, and then if we want them to have sudo (administrative) privileges we will add them to the wheel group.

Adding a New User Account

To add a new standard user to the CentOS server we will use the adduser command. I will create a user account for this example named matt. It is common/best practice to use all lowercase, single word usernames. To add this user simply use the following command in the terminal: adduser matt

Creating/Resetting a User Password

The user account will not be able to log into the system unless they have a password set. To set a password for the new user account (matt, in this example) issue the passwd command followed by the username. You will be prompted to enter the password twice. For example: passwd matt

Promoting a User to Use Root Privileges

The new user account is just a standard user account. If you wish to give the user root privileges you will need to add them to the wheel group in CentOS. Once in this group, the user can prefix any command with the sudo command and it will be executed as the root user. To add the user matt to the wheel group enter: gpasswd -a matt wheel

5. Setting up SSH Server in CentOS 7 Minimal Install

In this lesson I will turn on the SSH daemon to allow a user to connect to the CentOS operating system. There are several programs available to use to connect to the server remotely. If you are on a Microsoft Windows computer you can download and use the application putty.exe, located at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.

SSH Service in CentOS

If you simply wish to turn on the SSH service in CentOS, issue the following command: service sshd start (or systemctl restart sshd.service)

This will turn on the SSH service and allow users to connect to the computer using SSH on port 22. Now to turn off this service you could issue the command: service sshd stop

Automatically Running the SSH Service

If you wish to have the SSH daemon run automatically as the computer boots up, issue the command: chkconfig sshd on

This will allow the SSH service to run every time you start up your computer.

SSH Configuration File

To make edits to the configuration of SSH edit the file located at /etc/ssh/sshd_config. One configuration you may want to change in the /etc/ssh/sshd_config file is to restrict the root user from accessing the server via SSH. Since the root user is the default administrative user account, this user would be the most likely to be used in login attacks against your computer. So it is a good idea to create another account on your system that has sudo privileges and log in using that account.

To restrict the root user from logging in via SSH open the SSH config file by entering the terminal command: nano /etc/ssh/sshd_config

Locate the line that reads #PermitRootLogin yes. Remove the # and change yes to no. Save the file and restart the SSH service by issuing the following command: service sshd restart
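
A way to confirm the edit above took effect, written as an added example that is not part of the original lesson. The function name and the three sample files are constructed for illustration; it reads only the global section of the file and assumes keyword and value are separated by whitespace.

```bash
# Added example; the sample files below are constructed, not from a real server.
# sshd uses the FIRST value it reads for a keyword, keywords are
# case-insensitive, and a line starting with '#' is only a comment.

effective_permit_root_login() {
    # $1: path to an sshd_config-style file
    awk '
        /^[ \t]*#/ { next }                    # commented lines have no effect
        tolower($1) == "match" { exit }        # only the global section is checked
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }      # unset: sshd uses its built-in default
    ' "$1"
}

root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

demo_dir=$(mktemp -d)

# Constructed sample 1: yes was changed to no but the '#' was left in place.
printf '%s\n' 'Port 22' '#PermitRootLogin no' > "$demo_dir/still_commented"

# Constructed sample 2: edited as the lesson describes.
printf '%s\n' 'Port 22' 'PermitRootLogin no' > "$demo_dir/edited"

# Constructed sample 3: an earlier "yes" wins over a "no" appended further down.
printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no' > "$demo_dir/shadowed"

for f in still_commented edited shadowed; do
    printf '%-16s PermitRootLogin=%s\n' "$f" \
        "$(effective_permit_root_login "$demo_dir/$f")"
done
```

On the server, point the function at /etc/ssh/sshd_config after restarting the service. Running sshd -T as root prints the settings sshd itself resolves.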

6. Monitoring Login Attempts in CentOS 7 Minimal

It is a very good idea to have a look at the various logs on your web server to determine who has logged in successfully and who has had failed attempts at logging in. This is especially important with a computer that has a network connection with a public IP address. There are several ways to look at this information and I will share a few below.

Using Aureport

The aureport utility is already installed on CentOS minimal and it is an audit tool that can show you several reports based on the options you provide. Just running the aureport command without any options will produce a report indicating the number of times events occurred. There is a log that can be found at /var/log/audit/audit.log

To get a report about user authentication activities use the command: aureport -au

This will provide a list of results. The columns read left to right: #, date, time, acct, host, term, exe, success, and event. Successful authentications will read yes for the success column and a no indicates a failed attempt.

If the list is long, you can narrow the results to just successful authentications using the command with the --success option. For example: aureport -au --success

Now to filter the list down to failed authentication attempts, change the --success option to --failed. For example: aureport -au --failed

You can also view the logins, successful and failed, using the following commands:

aureport -l --success
aureport -l --failed

Showing a list of Last Logged in Users with Last and Lastb

The last and lastb commands are another way to look at logins to the CentOS server. The last command searches the /var/log/wtmp file and lists all users who have logged in and out. Simply running the command last will provide a listing of the logged events. You can narrow your results to a specific user too. For example: last root

Now to show the failed attempts on the root user, run the following command: lastb root

Viewing the /var/log/secure File

You can also view the log file at /var/log/secure using either cat, less, head, or tail to get a look at what is going on with logins on your server. Below are a few examples of items you may be looking for. I am passing the log to the grep command to filter out records.

To view a list of failed attempts using the ssh protocol use: cat /var/log/secure | grep 'sshd.*Failed'

To view a list of successful logins using the ssh protocol use: cat /var/log/secure | grep 'sshd.*opened'

To view a list of logins using the login terminal use: cat /var/log/secure | grep 'login.*tty'
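
The grep for failed SSH attempts above returns raw lines. The following added example, which is not part of the original lesson, counts them per source address and account instead. The log lines are constructed (documentation IP ranges) and the function names are made up for this example.

```bash
# Added example; the log lines are constructed, using documentation addresses.
sample_secure_log() {
cat <<'EOF'
Mar  3 10:15:01 srv-centos sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:04 srv-centos sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:07 srv-centos sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:16:30 srv-centos sshd[1250]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:20:00 srv-centos sshd[1300]: Accepted password for matt from 192.168.1.10 port 50022 ssh2
Mar  3 10:20:00 srv-centos sshd[1300]: pam_unix(sshd:session): session opened for user matt by (uid=0)
Mar  3 10:21:12 srv-centos sshd[1310]: Failed password for root from 203.0.113.5 port 51250 ssh2
EOF
}

failed_ssh_by_source() {
    # stdin: /var/log/secure content
    # stdout: "count source-ip account", most attempts first
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            # Search for "from" starting at the END of the line: the account
            # name is chosen by the remote side, and "invalid user" lines have
            # two extra words, so fixed field numbers are not reliable.
            for (i = NF; i > 1; i--) if ($i == "from") break
            if (i == 1) next                   # no "from" token, skip the line
            n[$(i + 1) " " $(i - 1)]++         # key: "ip account"
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Prints:
#   3 203.0.113.5 root
#   1 198.51.100.7 root
#   1 203.0.113.5 admin
sample_secure_log | failed_ssh_by_source
```

On the server, run it as root with: failed_ssh_by_source < /var/log/secure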

7. Disabling SELinux in CentOS 7 Minimal

Before we can install Sentora we will need to disable SELinux in CentOS. SELinux is enabled by default in CentOS and can be modified by editing the configuration file located at /etc/selinux/config.

 

setenforce 0
sed -i 's/SELINUX.*=.*enforcing/SELINUX=disabled/g' /etc/selinux/config

I prefer using nano as my text editor. An alternative editor is vim, but if you are not familiar with it, it has a bit of a learning curve. So let's get started and install nano: yum install nano

To edit the config file run the following command in the terminal: nano /etc/selinux/config

The file will look something like the code below. You will notice the text highlighted in red, SELINUX=permissive; this is the configuration we need to change. There are three options we can use: enforcing, permissive, and disabled. We want to use disabled. Replace the word permissive with disabled. To save your changes press Ctrl + x, then y, then enter.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted process are protected,
# minimum - Modification of targeted policy. Only selected processes are protected
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

 

After you change the configuration file, you will need to reboot your server for the changes to take effect. Reboot the server by issuing the command: reboot

After you have rebooted and logged back in you can check the status of SELinux. It should be disabled at this point.

Checking SELinux Modes and Status

We can run the getenforce command to check the current SELinux mode.

getenforce

SELinux should currently be disabled, so the output will look like this:

Disabled

We can also run the sestatus command:

sestatus

When SELinux is disabled the output will show:

SELinux status:        disabled