CentOS7 VPS Installing Required Packages

CentOS7 VPS Installing Required Packages for basic and advanced configuration. Such packages and will be needed through the rest of the configuration steps. Initially, you will install and configure MTA eMail services in order to receive emails and alerts notification while you are configuring your system. The required packages will include Development Tools and packages to prepare the VM or VPS for advanced HowTo configuration Articles.

Besides, I will install updates, upgrades, NTP time server, Utilities, and Development Tools, which will prepare the VM/VPS for Linux Security Measures and Hardening Tools. As you probably noticed, the VM or the VPS must go through few layers of staging before start loading and running specific services such Web Hosting Solution services.

Objectives:

1. Installing Required Packages

2. Installing MTA eMail Services

3. Disabling Firewalld and SELinux

4. Setting Basic Configuration

5. Setting Daily System Update Notifier

Prerequisites:

A. Basic Debian or Ubuntu System Knowledge

B. Login to your DigitalOcean or Vultr Account

C. Follow the Courses and Sections by Order

Recommendations:

For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.

Installing Required Packages

Run the following steps (1 to 13)

1. Import Gnu Privacy Guard keys

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

2. Enable Additional Repositories

First, I will make sure wget and nano editor are installed:

yum install wget nano -y

a. Enable EPEL Repo

Note: Repos update their release, for instance, EPEL repo keeps updating the epel-release, meaning, as of this writing, the EPEL is epel-release-7-6.noarch.rpm, so if you face error “404 not found” while downloading the rpm, increase the version number from 7-6 to 7-7 and try again.

If you still can’t spot the right version, go to the Repo link itself at this link http://dl.fedoraproject.org/pub/epel/7/x86_64/e/ and search for epel-release-7, write it down and update your wget command below accordingly.

TIP: Copy all lines in each Repo as one command and make sure all copied lines got executed. You may need to Press Enter to make sure the last line get executed. Besides, I noticed sometimes that importing (the first line) takes longer than expected, skip the first line if it takes so long.

rpm --import https://fedoraproject.org/static/0608B895.txt
wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-9.noarch.rpm
rpm -Uvh epel-release-7*.rpm

b. Enable Remi RPM Repo

rpm --import http://rpms.famillecollet.com/RPM-GPG-KEY-remi
wget http://rpms.famillecollet.com/enterprise/remi-release-7.rpm 
rpm -Uvh remi-release-7*.rpm

c. Enable Psychotic Ninja RPM Repo

wget http://packages.psychotic.ninja/7/base/x86_64/RPMS/psychotic-release-1.0.0-1.el7.psychotic.noarch.rpm 
rpm -Uvh psychotic-release*rpm

2. Set EPEL Repo priority at 10

nano /etc/yum.repos.d/epel.repo

Make sure priority is there and set at 10, enabled=1 as shown below:

[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
[...]

Save: Ctrl-X, Hit Y Key, and Enter.

4. Set Remi Repo at priority 10

nano /etc/yum.repos.d/remi.repo

Make sure priority is there and set at 10, enabled=1 as shown below:

[remi]
name=Les RPM de remi pour Enterprise Linux $releasever - $basearch
#baseurl=http://rpms.famillecollet.com/enterprise/$releasever/remi/$basearch/
mirrorlist=http://rpms.famillecollet.com/enterprise/$releasever/remi/mirror
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
failovermethod=priority
[...]

Save: Ctrl-X, Hit Y Key, and Enter.

5. Set Psychotic Ninja Repo at priority 10

nano /etc/yum.repos.d/psychotic.repo

Make sure priority is there and set at 10, enabled=1 as shown below:

[psychotic]
name=Psychotic Ninja Enterprise Linux Repository
baseurl=http://packages.psychotic.ninja/$releasever/base/$basearch/RPMS/
enabled=1
priority=10
protect=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-psychotic
gpgcheck=1
[...]

Save: Ctrl-X, Hit Y Key, and Enter.

List the New Repos

You will notice that some are disabled which is fine, but make sure that the following Repos are enabled as shown below:

yum repolist all | grep -i enabled

You should have around 6 Repos enabled.

[...]
base/7/x86_64                    CentOS-7 - Base              enabled: 8,863+144
epel/x86_64                      Extra Packages for Enterpris enabled:    10,421
extras/7/x86_64                  CentOS-7 - Extras            enabled:    314+61
psychotic/7/x86_64               Psychotic Ninja Enterprise L enabled:        94
remi                             Remi's RPM repository for En enabled:     3,288
remi-safe                        Safe Remi's RPM repository f enabled:   0+1,044
updates/7/x86_64                 CentOS-7 - Updates           enabled:  2,227+50

6. Install Tools and Utilities

Note: the following Required Packages such Dependencies, Utilities, and Development Tools are required across all the Web Hosting Solution.

TIP: Copy the whole line as one command and past it inside Putty window. Just hit right click inside Putty window after you copied the whole line below, and it should get pasted right way, then hit enter to execute.

yum install autoconf bison flex git libtool lzop pax unzip zip yum-plugin-priorities perl bzip2 binutils bind-utils gcc make patch libgomp glibc-headers glibc-devel kernel-headers

7. Install Development Tools

yum groupinstall 'Development Tools'

8. Install Performance Tools

yum groupinstall "Performance Tools"

9. Install Network Configuration Tools

yum install iptables-services net-tools system-config-firewall

10. Install Dynamic Kernel Module Support

yum install dkms -y

11. Check for kernel Updates

yum install kernel* -y

12. Check if System Reboot Required

a. Create system-status.sh file

nano /root/system-status.sh

Open the following file, copy its content to system-status.sh window.

Save: Ctrl-X, Hit Y Key, and Enter.

b. Set Execute Permission

chmod +rwx /root/system-status.sh

c. Run system-status.sh file

/root/system-status.sh

If system reboot required, you will see the following message:

***System Reboot Required***

Reboot and come back to check for updates.

reboot

13. Check for Update

yum update -y

Check System Status Again if Reboot Required

/root/system-status.sh

Installing MTA eMail Services

Run the following steps (1 to 6)

I need MTA (SMTP) service such Postfix for email notification, however, Red Hat Base systems might have Sendmail package installed, meaning, I have to disable Sendmail before installing Postfix. It’s your choice, but I highly recommend using Postfix since it’s going to be used as standard Mail Server if you decide to build Web Hosting Solution.

1. Stop Sendmail Service

systemctl stop sendmail.service

If you read the following output: That means the service is not installed, go to the next step. However, if the service stopped, then execute the next command to turn sendmail off.

“Failed to stop sendmail.service: Unit sendmail.service not loaded.”

2. Disable Sendmail Startup

systemctl disable sendmail.service

3. Install Postfix or Double check if it’s Installed

Note: If postfix already installed, then make sure it’s started and enabled on the startup.

yum install postfix

4. Enable and Start Postfix at Startup

systemctl enable postfix.service

systemctl start postfix.service

5. Forward Root Emails

nano /etc/aliases

Add your email to the end of aliases file. Notice the last line.

#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     root
[...]
# Person who should get root's mail
root:           [email protected]

Save: Ctrl-X, Hit Y Key, and Enter.

Refresh Aliases for changes to take effect

newaliases

6. Finally, restart Postfix

systemctl restart postfix.service

Disabling Firewalld and SELinux

SELinux is a Mandatory Access Control (MAC), and due it’s complex security implementation into the kernel, I found out that it conflicts with most Web Hosting Services and Web Hosting Control Panels. For more information https://wiki.centos.org/HowTos/SELinux

Note: Later on using Security Measures Course, I will show you how to build a crafted IPtables Script as Stateful Firewall and use other Security hardening tools.

Run the following steps (1 to 8)

1. Stop the Firewalld Services

systemctl stop firewalld.service

2. Disable and Mask Firewalld

systemctl disable firewalld.service

3. Check Firewalld Status

firewall-cmd --state

[[email protected] ~]# firewall-cmd --state
not running

4. Remove Firewalld

yum remove firewalld -y

5. Enable IPtables Firewall

systemctl enable iptables

It should show you the following statement:

Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.

systemctl enable ip6tables

It should show you the following statement:

Created symlink from /etc/systemd/system/basic.target.wants/ip6tables.service to /usr/lib/systemd/system/ip6tables.service.

6. Check IPtables 4 and 6 Rules

iptables -L

Make sure are empty, should look as follows:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

And IPv6 Firewall

ip6tables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

7. Edit SELinux Config File

nano /etc/selinux/config

Disable it as shown below:

Note: You might see it disabled already, however, verify. Besides, you might see blank file, that means is not installed; in either case hit Ctrl-x to exit and continue.

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled 
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Save: Ctrl-X, Hit Y Key, and Enter.

Note: no need to reboot if SELinux already disabled.

8. Check if System Reboot Required

/root/system-status.sh

If SELinux was enabled and you disabled it, then you must reboot for changes to take effect.

Setting Basic Configuration

Run the following steps (1 to 6)

1. Display Nano Editor Cursor in the Status Bar

nano /etc/nanorc

Scroll down little bit using the arrow key, and comment out # set const in order to show Cursor Movements Line Number.

From:

# set const

To:

set const

Save: Ctrl-X, Hit Y Key, and Enter.

2. Install Network Time Protocol

yum install ntp

Enable ntp Service

systemctl enable ntpd

Start NTP Service

systemctl start ntpd

NTP Status

systemctl status ntpd

ntpd.service - Network Time Service
 Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
 Active: active (running) since Thu 2015-10-01 22:23:13 EDT; 8s ago
 Process: 28083 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 28084 (ntpd)
 CGroup: /system.slice/ntpd.service
 └─28084 /usr/sbin/ntpd -u ntp:ntp -g
[...]

3. Set Time Zone

There are 2 choices to change the Time Zone, either using a Menu Driven way, or Manually Change/Set the Time Zone.

Time Zone Menu Driven

tzselect

Finally, you will be prompted to confirm your time:

Therefore TZ='America/New_York' will be used.
Local time is now: Thu Jun 2 16:08:05 EDT 2016.
Universal Time is now: Thu Jun 2 20:08:05 UTC 2016.
Is the above information OK?
1) Yes
2) No

Then Check the Date

date

The date command output should show you Local time

Thu Jun 2 16:12:51 EDT 2016

Note: If the date command showing you Universal Time instead of Local Time, then set your time manually using the below steps.

Set your VPS time Manually

a. Pick your time zone from

https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

b. Backup the current time zone

cp /etc/localtime /root/old.timezone

c. Remove the current time and confirm

rm /etc/localtime

rm: remove regular file `/etc/localtime’? yes

d. Set the New time zone based on the upper wikipedia link

ln -s /usr/share/zoneinfo/America/New_York /etc/localtime

e. Check your time

date

You should see the Local time.

4. (Optional) For more local time accuracy, edit /etc/ntp.conf

nano /etc/ntp.conf

Scroll down to pool.ntp.org section

For Example, USA users, change ntp servers

From:

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

To:

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
server 2.us.pool.ntp.org iburst
server 3.us.pool.ntp.org iburst

Save: Ctrl-X, Hit Y Key, and Enter.

I have changed the upper pool NTP servers based on this link http://www.pool.ntp.org/zone/us just pick based on your country or area.

Restart NTP service

service ntpd restart

Force Time Zone Update Using Specific NTP Server

Copy and paste all 4 lines one shot.

service ntpd stop
ntpdate -s us.pool.ntp.org
service ntpd start
date

Or use the new systemd commands

systemctl stop ntpd
ntpdate -s us.pool.ntp.org
systemctl start ntpd
date

5. Add Warning Messages and MOTD

Very important to set Warning Messages at Web Console, SSH prompt, and Message of the Day. If an intruder penetrated your server and you are trying to get the authority involved because of data lose, first thing they would ask you “Have you set a Warning Messages and MOTD at Login Prompt?”, if not, your case will be dropped.

a. Add Web Console Message

nano /etc/issue

Copy and paste the following warning message at the end of issue file

******************************************************************
*                                                                *
*                           - WARNING -                          *
*                                                                *
*               THIS SYSTEM IS PRIVATE PROPERTY FOR              *
*                THE USE OF AUTHORIZED USERS ONLY                *
*                                                                *
******************************************************************

Save: Ctrl-X, Hit Y Key, and Enter.

b. Edit MOTD file

nano /etc/motd

Copy and paste the following MOTD at the end. Before you save, edit the current MOTD message to suite your company needs. I believe, all you need to change is the company name.

******************************************************************
***                                                            ***
***                   W A R N I N G ! ! !                      ***
***                                                            ***
***  THIS SYSTEM IS PRIVATE PROPERTY FOR THE USE OF YOUR       ***
***  COMPANY NAME INC. ADMIN STAFF AUTHORIZED USERS ONLY!      ***
***  ANY USE OF THIS COMPUTER NETWORK SYSTEM SHALL BE DEEMED   ***
***  TO BE EXPRESS CONSENT TO MONITORING OF SUCH USE AND TO    ***
***  SUCH ADDITIONAL MONITORING AS MAY BE NECESSARY TO         ***
***  IDENTIFY ANY UNAUTHORIZED USER. THE SYSTEM ADMINISTRATOR  ***
***  OR OTHER REPRESENTATIVES OF THE SYSTEM OWNER MAY MONITOR  ***
***  SYSTEM USE AT ANY TIME WITHOUT FURTHER NOTICE OR CONSENT. ***
***  UNAUTHORIZED USE OF THIS SYSTEM AND ANY OTHER CRIMINAL    ***
***  CONDUCT REVEALED BY SUCH USE IS SUBJECT TO DISCLOSURE TO  ***
***  LAW ENFORCEMENT OFFICIALS AND PROSECUTION TO THE FULL     ***
***  EXTENT OF THE LAW.                                        ***
***                                                            ***
***  UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL,  ***
***  CIVIL AND CRIMINAL LAWS.                                  ***
***                                                            ***
******************************************************************

Save: Ctrl-X, Hit Y Key, and Enter.

c. Force sshd to display Pre-Login Message

nano /etc/ssh/sshd-banner

Copy and paste the following Warning Message inside sshd-banner

******************************************************************
*                                                                *
*                           - WARNING -                          *
*                                                                *
*               THIS SYSTEM IS PRIVATE PROPERTY FOR              *
*                THE USE OF AUTHORIZED USERS ONLY                *
*                                                                *
******************************************************************

Save: Ctrl-X, Hit Y Key, and Enter.

d. Edit sshd_config Configuration file

nano /etc/ssh/sshd_config

Enable Banner Message

Hit Ctrl-w and search for word banner, set as shown below. If you can’t find it, add it to the end of the file.

Banner /etc/ssh/sshd-banner

Save: Ctrl-X, Hit Y Key, and Enter.

e. Restart sshd Service

service sshd restart

6. Change Root Prompt Color

nano /root/.bashrc

Add either Red or yellow code to the end of .bashre file

Note: for some reason, wordpress is not showing the codes properly, however, I have them in a text file.

Pick the Red or Yellow, and paste it at the end of the file.

Save: Ctrl-X, Hit Y Key, and Enter.

Logout from root or Exit your Putty session; relogin to test it.

[root@node1 ~]#

For more styling and colors, check this link https://wiki.archlinux.org/index.php/Color_Bash_Prompt

Enable Green Color Prompt for other Users

Open the file again and add the Green color at the end of any user’s .bashrc file. For example, I am going to enable green color for my user imad.

TIP: if you haven’t created extra users yet, you can use adduser command to create extra user and passwd to set a password for that user. In case you don’t want to create extra users, you can skip this step.

nano /home/imad/.bashrc

Save: Ctrl-X, Hit Y Key, and Enter.

Login as regular user:

[root@node1 ~]# su -l imad
imad@node1:~$ exit
logout
[root@node1 ~]#

Setting Daily System Update Notifier

I would like to have the system email me everyday if updates available. There are 2 ways I know of to notify me about if System updates are available on CentOS7. Either install yum-cron or simply configure yum check-update result to be emailed daily as notifier. Using CentOS7, I am going to use yum-cron toward putting the system on auto pilot security update only without my intervention.

Run the following steps (1 to 4)

1. Install Yum Cron

yum install yum-cron

2. Configure Yum Cron

nano /etc/yum/yum-cron.conf

I’d like to apply critical security updates automatically. Look for the following settings and change them as follows:

update_cmd = yum --sec-severity=Critical upgrade
apply_updates = yes
emit_via = email
email_from = [email protected]

Save: Ctrl-X, Hit Y Key, and Enter.

3. Put yum-cron on Startup

systemctl enable yum-cron.service

4. Start yum-cron Service

systemctl start yum-cron.service

That’s it! You should be able to receive daily System updates.

Yum Update Email Notifications

If you would like to receive update Notification, it can be configured with yum check-update output as daily email.

Simple Yum Check Update Email Notification

nano /etc/cron.daily/yum-check-updates.cron

Add the following Daily Yum Update Check inside yum-check-updates.cron file

#!/bin/sh
/usr/bin/yum check-update 2>&1 | /bin/mail -s "yum check-update output" root

Change the File Permission

chmod +rwx /etc/cron.daily/yum-check-updates.cron

List cron.daily Directory, all files should be Green Color

ls -lah /etc/cron.daily/

total 28K
drwxr-xr-x.  2 root root   91 Oct  1 22:57 .
drwxr-xr-x. 82 root root 8.0K Oct  1 22:38 ..
-rwxr-xr-x   1 root root  332 Mar  9  2015 0yum-daily.cron
-rwx------.  1 root root  180 Jul 31  2013 logrotate
-rwxr-xr-x.  1 root root  618 Mar 17  2014 man-db.cron
-rwxr-xr-x   1 root root   87 Oct  1 22:57 yum-check-updates.cron

root at the end, indicates that the result will be sent to root, and since you configured aliases above, root emails will be sent to the email you specified. Keep in mind that you won’t receive any updates right now since the email server has not been configured yet.

Let’s Check Yum Updates Again

yum update -y

Check if System Reboot Required

/root/system-status.sh

Subject Related

By Godaddy Initial CentOS Setup | HowToForge CentOS Initial Setup