
Posts

Showing posts from September, 2020

Initial Settings : Sudo Settings

Configure sudo to separate duties when several people share administrative privileges. sudo does not need to be installed manually: it is present by default even in a Minimal installation.

[1]. Grant a user all root privileges.

[root@dlp ~]# visudo
# add to the end: user [cent] can use all root privileges
cent  ALL=(ALL)       ALL
# syntax ⇒ user  host=(runas user)  command

# verify as user [cent]
[cent@dlp ~]$ /usr/bin/cat /etc/shadow
/usr/bin/cat: /etc/shadow: Permission denied   # denied, as expected
[cent@dlp ~]$ sudo /usr/bin/cat /etc/shadow
Password:     # user's own password
.....
.....
chrony:!!:18163::::::
tcpdump:!!:18163::::::   # executed as root

[2]. In addition to the setting in [1], prohibit some commands. Keep in mind that sudoers(5) itself warns that subtracting commands from ALL is not a reliable restriction, because the user can copy the binary under another name or start it from a shell; an allowlist of only the commands the user needs is the dependable form.

[root@dlp ~]# visudo
# line 49: add
# for example, define an alias for the shutdown-type commands
Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
                      /usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl
# add ( prohibit co
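Step [2] is building a deny-list (commands subtracted from ALL). As an added example that is not part of the original post, the script below writes the inverse shape, an allowlist drop-in in /etc/sudoers.d style, and lints sudoers text for the three things that defeat the separation of duty this page is after: a command list that starts with ALL, an ALL-minus-X deny-list, and commands that open a shell or a pager (less, vi, journalctl and friends let the caller run !sh as root). The operator name cent, the alias SERVICES and the httpd unit are assumptions for the demo; nothing is written under /etc, and visudo -cf is only invoked where visudo exists.

```shell
#!/bin/sh
# Added example, not from the page: write an allowlist drop-in for sudo and
# lint sudoers text for the patterns that undermine separation of duty.
# Assumed names: operator "cent", alias SERVICES, service unit httpd.
set -e

# sudoers_allowlist USER FILE: USER may run exactly the aliased commands as root.
sudoers_allowlist() {
    user=$1
    out=$2
    cat >"$out" <<EOF
# $user may restart/reload httpd and nothing else: no ALL, no "ALL, !X".
Cmnd_Alias SERVICES = /usr/bin/systemctl restart httpd, \\
                      /usr/bin/systemctl reload httpd
Defaults:$user use_pty
$user ALL=(root) SERVICES
EOF
    chmod 0440 "$out"
    # visudo -cf parses the file without installing it; only where visudo exists.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$out" >/dev/null
    fi
}

# sudoers_lint FILE: one line per risky rule; prints nothing when the file is clean.
sudoers_lint() {
    body=$(grep -Ev '^[[:space:]]*(#|$)' "$1" || true)
    # 1. A user spec whose command list starts with ALL grants unrestricted root.
    printf '%s\n' "$body" \
        | grep -E '^[^[:space:]]+[[:space:]]+[^=[:space:]]+[[:space:]]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?(NOPASSWD:[[:space:]]*)?ALL([[:space:],]|$)' \
        | sed 's/^/unrestricted: /' || true
    # 2. "ALL, !X" deny-lists: sudoers(5) warns that subtracting commands from
    #    ALL is not effective, since the user can copy or rename the binary.
    printf '%s\n' "$body" | grep -Ev '^Defaults' \
        | grep -E ',[[:space:]]*![A-Za-z_/]' \
        | sed 's/^/deny-list: /' || true
    # 3. Shells, editors and pagers let the caller escape to a root shell (!sh).
    printf '%s\n' "$body" | grep -Ev '^Defaults' \
        | grep -E '/(sh|bash|dash|zsh|less|more|man|vi|vim|nano|journalctl)([[:space:]]|,|$)' \
        | sed 's/^/shell-escape: /' || true
}

# Demo: the deny-list shape step [2] builds toward (constructed here) next to
# the allowlist. Both go to a temporary directory, not to /etc/sudoers.d.
demo_dir=$(mktemp -d)
printf '%s\n' \
    'Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, /usr/sbin/reboot' \
    'cent ALL=(ALL) ALL, !SHUTDOWN' >"$demo_dir/deny-list"
sudoers_allowlist cent "$demo_dir/cent"
echo "== deny-list"; sudoers_lint "$demo_dir/deny-list"
echo "== allowlist"; sudoers_lint "$demo_dir/cent"
```

The lint is intentionally line-oriented and conservative: it only drops comments, so a rule split over several continuation lines is checked per line, which is enough to catch the ALL and !X shapes this page produces. Anything it prints deserves a second look before the file goes under /etc/sudoers.d.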

Initial Settings : Vim Settings

Text editors are used constantly on a CUI (terminal) system, so it is convenient to install an editor with advanced features such as Vim.

[1]. Install Vim.

[root@dlp ~]# dnf -y install vim-enhanced

[2]. Set a command alias for your own environment. For users with UID 201 or higher the alias is already set by [/etc/profile.d/vim.sh], which is included in the [vim-enhanced] package.

[root@dlp ~]# vi ~/.bashrc
# add the alias to the end
alias vi='vim'
# apply changes
[root@dlp ~]# source ~/.bashrc

[3]. Configure Vim for your own environment. (settings common to all users are in [/etc/vimrc])

[root@dlp ~]# vi ~/.vimrc
" use extended functions of vim (not compatible with vi)
set nocompatible
" specify encoding
set encoding=utf-8
" specify file encodings
set fileencodings=utf-8,iso-2022-jp,sjis,euc-jp
" specify file formats
set fileformats=unix,dos
" take backups
" if not, specify [ set nobackup ]
set backup
" specify backup directo

Initial Settings : Add Additional Repositories

Add some useful external repositories to install additional software.

[1]. Add EPEL, where the Fedora project provides packages built specially for RHEL.
⇒ https://fedoraproject.org/wiki/EPEL

[root@dlp ~]# dnf -y install epel-release
[root@dlp ~]# vi /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
#baseurl=https://download.fedoraproject.org/pub/epel/$releasever/Everything/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir
failovermethod=priority
# [enabled=1] = repository enabled, [enabled=0] = repository disabled
enabled=1
# adding [priority=*] sets the priority of the repository
# the value is [1-99]; [1] is the highest, and the default without the line is [99]
priority=10
# leave [gpgcheck=1]: packages must carry a signature made with the key below
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
.....
# if the repository is normally disabled with [enabled=0] but you want to enable it temporarily, run as follows
[root@dlp ~
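Every enabled repository is a source of packages that get installed as root, so the property to verify is gpgcheck=1 plus a gpgkey across all of /etc/yum.repos.d, not only in epel.repo. As an added example that is not part of the original post, the POSIX shell auditor below parses .repo files the way dnf does (INI sections, last assignment wins, an unset enabled means enabled) and reports enabled repositories that would accept unsigned packages. The vendor.repo file and its URLs are constructed for the demo; on a host, run repo_audit /etc/yum.repos.d.

```shell
#!/bin/sh
# Added example, not from the page: audit *.repo files so that no enabled
# repository can serve unsigned packages. The sample directory and vendor.repo
# are constructed for the demo; point repo_audit at /etc/yum.repos.d on a host.
set -e

# repo_audit DIR: print "FILE:[repo]: reason" for each enabled repository that
# does not have gpgcheck=1 plus a gpgkey. An unset gpgcheck is reported too,
# because its effective value then depends on /etc/dnf/dnf.conf.
repo_audit() {
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        awk -v file="$f" '
            function flush() {
                if (sec == "" || enabled == "0") return
                if (gpgcheck != "1") {
                    printf "%s:[%s]: gpgcheck is %s (need 1)\n", file, sec, (gpgcheck == "" ? "unset" : gpgcheck)
                } else if (gpgkey == "") {
                    printf "%s:[%s]: gpgcheck=1 but no gpgkey\n", file, sec
                }
            }
            /^[[:space:]]*[#;]/ { next }
            /^\[[^]]+\][[:space:]]*$/ {
                flush()
                sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
                enabled = ""; gpgcheck = ""; gpgkey = ""
                next
            }
            /^[[:space:]]*[A-Za-z_]+[[:space:]]*=/ {
                key = $0; sub(/[[:space:]]*=.*$/, "", key); sub(/^[[:space:]]*/, "", key)
                val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
                if (key == "enabled")  enabled  = val
                if (key == "gpgcheck") gpgcheck = val
                if (key == "gpgkey")   gpgkey   = val
            }
            END { flush() }
        ' "$f"
    done
}

# repo_sample DIR: epel.repo as the page configures it, plus a constructed
# third-party file with one enabled repo that accepts unsigned packages and
# one disabled repo (disabled repos are not a finding).
repo_sample() {
    cat >"$1/epel.repo" <<'EOF'
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-$releasever
EOF
    cat >"$1/vendor.repo" <<'EOF'
[vendor-tools]
name=Vendor tools (constructed example)
baseurl=https://repo.example.com/el8/$basearch
enabled=1
gpgcheck=0

[vendor-debug]
name=Vendor debuginfo (constructed example)
baseurl=https://repo.example.com/el8/debug
enabled=0
gpgcheck=0
EOF
}

demo=$(mktemp -d)
repo_sample "$demo"
repo_audit "$demo"
```

A repository that is kept at enabled=0 and only switched on with dnf --enablerepo=... for one transaction, as the page's last comment describes, never shows up in this report, which is the point of that pattern: the exposure exists only while you are deliberately using it.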

Initial Settings : Update System

The package management tool DNF (Dandified YUM) is the default on RHEL 8 / CentOS 8. The [yum] command is also present as a link to [dnf], so [yum] and [dnf] can be used with the same syntax. The official Red Hat documents give examples with the [yum] command for RHEL 8 (the documents on this site use the [dnf] command).

[1]. [yum] and [dnf] are linked to the [dnf-3] command.

[root@dlp ~]# which yum
/usr/bin/yum
[root@dlp ~]# ll /usr/bin/yum
lrwxrwxrwx. 1 root root 5 May 14 04:34 /usr/bin/yum -> dnf-3
[root@dlp ~]# which dnf
/usr/bin/dnf
[root@dlp ~]# ll /usr/bin/dnf
lrwxrwxrwx. 1 root root 5 May 14 04:34 /usr/bin/dnf -> dnf-3
[root@dlp ~]# ll /usr/bin/dnf-3
-rwxr-xr-x. 1 root root 1954 May 14 04:34 /usr/bin/dnf-3

# the installed [yum] package
[root@dlp ~]# rpm -q yum
yum-4.0.9.2-5.el8.noarch
[root@dlp ~]# rpm -ql yum
/etc/yum.conf
/etc/yum/pluginconf.d
/etc/yum/protected.d
/etc/yum/vars
/usr/bin/yum
/usr/share/man/man1/yum-aliases.1.gz
/usr/

Initial Settings : Services

[1]. Service status can be displayed as follows.

# the list of services that are active now
[root@dlp ~]# systemctl -t service
UNIT                            LOAD   ACTIVE SUB     DESCRIPTION
atd.service                     loaded active running Job spooling tools
auditd.service                  loaded active running Security Auditing Service
chronyd.service                 loaded active running NTP client/server
crond.service                   loaded active running Command Scheduler
dbus.service                    loaded active running D-Bus System Message Bus
.....
.....
user-runtime-dir@0.service      loaded active exited  /run/user/0 mount wrapper
user@0.service                  loaded active running User Manager for UID 0
vdo.service                     loaded active exited  VDO volume services

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level

Initial Settings : Network Settings

[1]. Set a static IP address on the server. (Replace the interface name [ens2] with your own; it is not the same on every system.)

# if you did not set the host name during installation, set it as follows
[root@localhost ~]# hostnamectl set-hostname dlp.srv.world
# display devices
[root@localhost ~]# nmcli device
DEVICE  TYPE      STATE      CONNECTION
ens2    ethernet  connected  ens2
lo      loopback  unmanaged  --
# set IPv4 address
[root@localhost ~]# nmcli connection modify ens2 ipv4.addresses 10.0.0.30/24
# set gateway
[root@localhost ~]# nmcli connection modify ens2 ipv4.gateway 10.0.0.1
# set DNS
[root@localhost ~]# nmcli connection modify ens2 ipv4.dns 10.0.0.1
# set [manual] for a static address (it is [auto] for DHCP)
[root@localhost ~]# nmcli connection modify ens2 ipv4.method manual
# restart the interface to reload the settings
[root@localhost ~]# nmcli connection down ens2; nmcli connection up ens2
Connection 'ens2' successfully deactivated (D-Bus active path

SELinux : Operating Mode

This is the basic usage and configuration of SELinux (Security-Enhanced Linux). SELinux provides MAC (Mandatory Access Control) over various resources on CentOS.

[1]. Confirm the current status of SELinux as follows. (the default mode is [Enforcing])

# display current mode
[root@dlp ~]# getenforce
Enforcing
# enforcing   ⇒  SELinux is enabled and the policy is enforced (default)
# permissive  ⇒  the policy is loaded but not enforced; denials are only recorded in the audit log
# disabled    ⇒  SELinux is disabled
# also possible to display with this command (the [Current mode] line)
[root@dlp ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy
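The two lines [Current mode] and [Mode from config file] in the sestatus output are the ones worth comparing: setenforce 0 changes the first until the next reboot, an edit of /etc/selinux/config changes the second, and a host can sit in permissive for months with nobody noticing. As an added example that is not part of the original post, the script below reads the boot mode from a config file passed as an argument (so the demo can use a constructed copy; on a host pass /etc/selinux/config), reads the running mode from /sys/fs/selinux/enforce, and reports both a non-enforcing configuration and drift between the two.

```shell
#!/bin/sh
# Added example, not from the page: compare the SELinux mode configured for
# boot with the mode the kernel enforces right now. The config file is an
# argument so the demo can use a constructed copy instead of /etc/selinux/config.
set -e

# selinux_config_mode FILE: mode applied at boot (enforcing|permissive|disabled);
# the last uncommented SELINUX= line wins, empty output if there is none.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# selinux_runtime_mode: what the running kernel does at this moment.
selinux_runtime_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo enforcing ;;
            *) echo permissive ;;
        esac
    else
        echo disabled    # selinuxfs absent or unreadable: SELinux is off here
    fi
}

# selinux_check FILE: returns 0 only when FILE says enforcing; also reports drift
# between the configured and the running mode. SELINUX=disabled is the costly
# case: files stop being labelled, so returning to enforcing later needs a full
# relabel (touch /.autorelabel) on the next boot.
selinux_check() {
    boot=$(selinux_config_mode "$1")
    now=$(selinux_runtime_mode)
    rc=0
    if [ "$boot" != enforcing ]; then
        echo "config: SELINUX=${boot:-unset} (expected enforcing)"
        rc=1
    fi
    if [ "$boot" != "$now" ]; then
        echo "drift: config says ${boot:-unset}, kernel is $now (behaviour changes at reboot)"
    fi
    return $rc
}

# selinux_sample FILE MODE: a minimal /etc/selinux/config, constructed for the demo.
selinux_sample() {
    printf '# constructed sample\nSELINUX=%s\nSELINUXTYPE=targeted\n' "$2" >"$1"
}

demo=$(mktemp)
selinux_sample "$demo" permissive
selinux_check "$demo" || echo "check failed: fix the config, then setenforce 1"
```

Run it from cron or a configuration-management check; a nonzero exit from selinux_check is the signal that the sestatus lines on this page no longer say what they did at install time.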

Firewalld : Basic Operation

This is the basic operation of Firewalld. On Firewalld, services are defined and assigned to zones; to enable the firewall, associate a zone with a NIC using the related commands.

[1]. To use Firewalld, start the service.

[root@dlp ~]# systemctl enable --now firewalld

[2]. By default, the [public] zone is applied to a NIC, and cockpit, dhcpv6-client and ssh are allowed. When operating with the [firewall-cmd] command, if you run it without a [--zone=***] specification, the configuration is applied to the default zone.

# display the default zone
[root@dlp ~]# firewall-cmd --get-default-zone
public
# display current settings
[root@dlp ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens2
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# display all zones defined by default
[root@dlp ~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%

Initial Settings : Firewall

[1]. Firewall service status can be shown as follows. (enabled by default)

[root@localhost ~]# systemctl status firewalld
*  firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor p>
   Active: active (running) since Wed 2019-09-24 23:16:35 JST; 18min ago
     Docs: man:firewalld(1)
 Main PID: 801 (firewalld)
    Tasks: 2 (limit: 25025)
   Memory: 30.9M
   CGroup: /system.slice/firewalld.service
           └─801 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork ->
Sep 24 23:16:34 localhost.localdomain systemd[1]: Starting firewalld - dynamic >
Sep 24 23:16:35 localhost.localdomain systemd[1]: Started firewalld - dynamic f>
# [Active: active (running) ***] means firewalld is running now

[2]. If you use the firewall service, you need to modify the firewall settings manually, because incoming requests for services are mostly not allowed by default. Refer to here for basic Firew
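The default [public] zone shown in the Firewalld : Basic Operation section above exposes cockpit (port 9090) as well as ssh, and a firewall that is merely "active", as this section checks, says nothing about what it lets in. As an added example that is not part of the original post, the script below reads firewall-cmd --list-all output from a file, compares the open services and ports against an allowlist, and prints the permanent firewall-cmd calls that would close everything else. The listing is constructed after the page's sample with one extra open port added; the allowlist "ssh dhcpv6-client" is an assumption for a host that does not use Cockpit. The remediation is printed rather than executed so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the page: decide what the active zone exposes by
# comparing "firewall-cmd --list-all" output against an allowlist, and print
# the firewall-cmd lines that would close the rest. The listing and the
# allowlist are constructed for the demo.
set -e

# fw_exposed LISTING ALLOWED: services/ports open in LISTING that are not in
# the space-separated ALLOWED list, one per line.
fw_exposed() {
    allowed=" $2 "
    awk '$1 == "services:" || $1 == "ports:" { for (i = 2; i <= NF; i++) print $i }' "$1" \
    | while read -r item; do
        case "$allowed" in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# fw_remediation LISTING ALLOWED: the permanent firewall-cmd calls that remove
# every exposed item, followed by the reload that applies them. Printed, not run.
fw_remediation() {
    n=0
    for item in $(fw_exposed "$1" "$2"); do
        case "$item" in
            */*) printf 'firewall-cmd --permanent --remove-port=%s\n' "$item" ;;
            *)   printf 'firewall-cmd --permanent --remove-service=%s\n' "$item" ;;
        esac
        n=$((n + 1))
    done
    [ "$n" -eq 0 ] || echo 'firewall-cmd --reload'
}

# fw_sample FILE: the page's public zone, plus a constructed 8080/tcp opening.
fw_sample() {
    cat >"$1" <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens2
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

demo=$(mktemp)
fw_sample "$demo"
echo "== exposed beyond the allowlist"
fw_exposed "$demo" "ssh dhcpv6-client"
echo "== to apply"
fw_remediation "$demo" "ssh dhcpv6-client"
```

On a live host the listing comes from firewall-cmd --list-all > /tmp/zone.txt; rich rules and forward-ports are not covered here, so a zone that uses them still needs a manual read.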

Initial Settings : Add Common Users

[1]. To add a common user account on a CentOS server, proceed as follows.

[root@localhost ~]# useradd centos
[root@localhost ~]# passwd centos
Changing password for user centos.
New UNIX password:              # input any password you'd like to set
Retype new UNIX password:       # confirm
passwd: all authentication tokens updated successfully.

[2]. To switch to the root account from a common user, use the [su] command.

localhost login: centos         # login username
password:                       # input user password
[centos@localhost ~]$ su -      # switch to root
Password:                       # input root password
[root@localhost ~]#             # just switched to root

[3]. To limit the users who can run the [su] command, set as follows. In the example below, only users in the [wheel] group can run [su].

# [-a] appends to the user's supplementary groups; [-G] on its own replaces them
[root@localhost ~]# usermod -aG wheel centos
[root@localhost ~]# vi /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.s
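Step [3] has two halves that both have to be right: the pam_wheel.so "required" line in /etc/pam.d/su must be the one uncommented (the neighbouring "sufficient ... trust use_uid" line would instead let wheel members become root without any password), and the intended user must actually be in wheel. As an added example that is not part of the original post, the script below checks both from files given as arguments, so the demo runs on constructed copies; on a host pass /etc/pam.d/su and /etc/group.

```shell
#!/bin/sh
# Added example, not from the page: verify that su is gated on wheel
# membership in a pam.d/su file and that a user is in wheel per a group file.
# The sample files are constructed; pass /etc/pam.d/su and /etc/group on a host.
set -e

# su_wheel_required PAMFILE: true when "auth required pam_wheel.so use_uid"
# is active (not commented out).
su_wheel_required() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so([[:space:]]+use_uid)?([[:space:]]|$)' "$1"
}

# su_wheel_trusted PAMFILE: true when the "auth sufficient pam_wheel.so trust"
# line is active, which lets wheel members become root WITHOUT a password.
# Uncommenting that line instead of the "required" one is the classic mistake.
su_wheel_trusted() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*[[:space:]]trust([[:space:]]|$)' "$1"
}

# user_in_group GROUPFILE GROUP USER: supplementary membership from an
# /etc/group-format file (a user's primary group is not listed there).
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# su_check PAMFILE GROUPFILE USER: 0 when su is restricted to wheel, the trust
# line is off and USER is in wheel; otherwise prints what is wrong and returns 1.
su_check() {
    rc=0
    su_wheel_required "$1" || { echo "pam_wheel.so 'required' line is not active"; rc=1; }
    ! su_wheel_trusted "$1" || { echo "pam_wheel.so 'trust' line is active: wheel gets root without a password"; rc=1; }
    user_in_group "$2" wheel "$3" || { echo "$3 is not in wheel (usermod -aG wheel $3)"; rc=1; }
    return $rc
}

# pam_sample FILE required|trust: a cut-down /etc/pam.d/su with one of the two
# pam_wheel lines uncommented, constructed for the demo.
pam_sample() {
    {
        echo '#%PAM-1.0'
        echo 'auth            sufficient      pam_rootok.so'
        if [ "$2" = trust ]; then echo 'auth            sufficient      pam_wheel.so trust use_uid'
        else echo '#auth           sufficient      pam_wheel.so trust use_uid'; fi
        if [ "$2" = required ]; then echo 'auth            required        pam_wheel.so use_uid'
        else echo '#auth           required        pam_wheel.so use_uid'; fi
        echo 'auth            substack        system-auth'
    } >"$1"
}

demo=$(mktemp -d)
printf 'root:x:0:\nwheel:x:10:centos\n' >"$demo/group"
pam_sample "$demo/su" required
su_check "$demo/su" "$demo/group" centos && echo "ok: su restricted to wheel, centos is a member"
pam_sample "$demo/su" trust
su_check "$demo/su" "$demo/group" centos || echo "not ok (as expected for the trust line)"
```

The check is deliberately strict about "required": pam_wheel.so with "sufficient" alone does not restrict anything, it only adds a way in.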

FTP Server : Pure-FTPd Over SSL/TLS

Enable SSL/TLS for Pure-FTPd to use secure FTP connections.

[1]. Create a self-signed certificate. If you use a valid certificate, for example from Let's Encrypt, you do not need to create this one. Note that this command writes the unencrypted private key into the same file as the certificate: check the file's permissions afterwards (ls -l) and make sure it is readable by root only, since with the default umask it is typically readable by every local user.

[root@www ~]# cd /etc/pki/tls/certs
[root@www certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/pure-ftpd.pem -out /etc/pki/tls/certs/pure-ftpd.pem
Generating a RSA private key
..+++++
........................................
writing new private key to '/etc/pki/tls/certs/pure-ftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [

FTP Server : Vsftpd Over SSL/TLS

Enable SSL/TLS for Vsftpd to use secure FTP connections.

[1]. Create a self-signed certificate. If you use a valid certificate, for example from Let's Encrypt, you do not need to create this one. As with Pure-FTPd, the unencrypted private key ends up in the same file as the certificate, so check the file's permissions afterwards and keep it readable by root only.

[root@www ~]# cd /etc/pki/tls/certs
[root@www certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/vsftpd.pem -out /etc/pki/tls/certs/vsftpd.pem
Generating a RSA private key
........................+++++
..................+++++
writing new private key to '/etc/pki/tls/certs/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP

FTP Server : FTP Client (CentOS)

This example shows how to connect to an FTP server from a client computer running CentOS. Unless the server requires TLS (see the Over SSL/TLS sections), the login below sends the password in clear text.

[1]. Install an FTP client.

[root@dlp ~]# dnf -y install lftp

[2]. Log in as a common user and use FTP.

# lftp [option] [hostname]
[redhat@dlp ~]$ lftp -u cent www.srv.world
Password:     # login user's password
lftp cent@www.srv.world:~>
# show the current directory on the FTP server
lftp cent@www.srv.world:~> pwd
ftp://cent@www.srv.world
# show the current directory on localhost
lftp cent@www.srv.world:~> !pwd
/home/redhat
# show files in the current directory on the FTP server
lftp cent@www.srv.world:~> ls
drwxrwxr-x    2 1000     1000            6 Nov 03 16:33 public_html
-rw-rw-r--    1 1000     1000            5 Nov 03 16:34 test.txt
-rw-rw-r--    1 1000     1000            5 Nov 03 16:34 test2.txt
# show files in the current directory on localhost
lftp cent@www.srv.world:~> !ls -l
total 4
drwxrwxr-x. 2 redhat redhat 6 Nov  3 16:35 testdir
-rw-rw-r--. 1 redhat redhat 9 Nov  3 16:35 testfi

FTP Server : Install Pure-FTPd

Install Pure-FTPd to configure an FTP server.

[1]. Install and configure Pure-FTPd.

# install from EPEL
[root@www ~]# dnf --enablerepo=epel -y install pure-ftpd
[root@www ~]# vi /etc/pure-ftpd/pure-ftpd.conf
# line 77: change (no anonymous)
NoAnonymous                  yes
# line 451: uncomment (if you use only IPv4)
IPV4Only                     yes
# line 460: uncomment (if you use only IPv6; uncomment at most one of the two)
IPV6Only                     yes
[root@www ~]# systemctl enable --now pure-ftpd

[2]. If SELinux is enabled, change the boolean setting.

# ftpd_full_access lets the FTP daemon read and write any file the user's DAC permissions allow;
# if users only need their home directories, the narrower [ftp_home_dir] boolean is enough
[root@www ~]# setsebool -P ftpd_full_access on

[3]. If Firewalld is running, allow the FTP service ports.

[root@www ~]# firewall-cmd --add-service=ftp --permanent
success
[root@www ~]# firewall-cmd --reload
success

FTP Server : Install Vsftpd

Install Vsftpd to configure an FTP server.

[1]. Install and configure Vsftpd.

[root@www ~]# dnf -y install vsftpd
[root@www ~]# vi /etc/vsftpd/vsftpd.conf
# line 12: make sure the value is [NO] (no anonymous)
anonymous_enable=NO
# line 83,84: uncomment ( allow ascii mode )
ascii_upload_enable=YES
ascii_download_enable=YES
# line 101,102: uncomment ( enable chroot )
chroot_local_user=YES
chroot_list_enable=YES
# line 104: uncomment ( chroot list file )
# note: with [chroot_local_user=YES], the users listed in this file are the ones NOT chrooted
chroot_list_file=/etc/vsftpd/chroot_list
# line 110: uncomment
ls_recurse_enable=YES
# line 115: change (if listening on IPv4 only)
# if listening on both IPv4 and IPv6, specify [NO]
listen=YES
# line 124: change (if listening on IPv6 only)
# if listening on both IPv4 and IPv6, specify [YES]
listen_ipv6=NO
# add to the end
# specify the root directory (if not specified, the user's home directory becomes the FTP home directory)
local_root=public_html
# use local time
use_localtime=YES
# turn off the seccomp filter (if you cannot log in, add this line)
seccomp_sand
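The settings in step [1] decide two security properties: whether users can leave their home directory (chroot_local_user, with the inverted meaning of chroot_list_file noted above) and, together with the TLS directives the Vsftpd Over SSL/TLS section leads to, whether passwords and data travel in clear text. As an added example that is not part of the original post, the script below audits a vsftpd.conf for exactly those settings, using the semantics from vsftpd.conf(5): the last assignment of a key wins, anonymous_enable defaults to YES when unset, and force_local_logins_ssl / force_local_data_ssl only matter once ssl_enable=YES. Both sample configurations are constructed for the demo; on a host run vsftpd_audit /etc/vsftpd/vsftpd.conf.

```shell
#!/bin/sh
# Added example, not from the page: audit a vsftpd.conf for the settings that
# decide whether credentials travel in the clear and whether users can leave
# their home directory. Both sample configs are constructed for the demo.
set -e

# vsftpd_get CONF KEY: the effective value (last assignment wins, '#' lines are
# comments). Empty when KEY is not set. Values containing '=' are not expected.
vsftpd_get() {
    awk -F= -v k="$2" '/^[[:space:]]*#/ { next } $1 == k { v = $2 } END { print v }' "$1"
}

# vsftpd_audit CONF: one finding per line, no output when the file is clean.
vsftpd_audit() {
    c=$1
    # vsftpd's built-in default is anonymous_enable=YES, so "unset" is a finding.
    if [ "$(vsftpd_get "$c" anonymous_enable)" != NO ]; then
        echo "anonymous_enable is not NO (vsftpd's built-in default is YES)"
    fi
    if [ "$(vsftpd_get "$c" chroot_local_user)" = YES ]; then
        # With chroot_local_user=YES the list file names users who are NOT chrooted.
        if [ "$(vsftpd_get "$c" chroot_list_enable)" = YES ]; then
            echo "chroot_list_file=$(vsftpd_get "$c" chroot_list_file) names users EXEMPT from chroot; review it"
        fi
    else
        echo "chroot_local_user is not YES: users can browse the whole filesystem"
    fi
    if [ "$(vsftpd_get "$c" ssl_enable)" = YES ]; then
        for k in force_local_logins_ssl force_local_data_ssl; do
            if [ "$(vsftpd_get "$c" "$k")" = NO ]; then
                echo "$k=NO allows plaintext logins or data transfers"
            fi
        done
        for k in ssl_sslv2 ssl_sslv3; do
            if [ "$(vsftpd_get "$c" "$k")" = YES ]; then
                echo "$k=YES enables a broken protocol version"
            fi
        done
    else
        echo "ssl_enable is not YES: passwords and data travel in clear text"
    fi
}

# vsftpd_sample_page FILE: the settings from step [1], as the page leaves them.
vsftpd_sample_page() {
    cat >"$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
ls_recurse_enable=YES
listen=YES
listen_ipv6=NO
local_root=public_html
use_localtime=YES
EOF
}

# vsftpd_sample_tls FILE: the same host with TLS required (directives per
# vsftpd.conf(5)) and no chroot exemptions; the cert path is the page's.
vsftpd_sample_tls() {
    cat >"$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=NO
listen=YES
listen_ipv6=NO
local_root=public_html
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/certs/vsftpd.pem
EOF
}

demo=$(mktemp -d)
vsftpd_sample_page "$demo/page.conf"; vsftpd_sample_tls "$demo/tls.conf"
echo "== as configured in step [1]"; vsftpd_audit "$demo/page.conf"
echo "== with TLS required";         vsftpd_audit "$demo/tls.conf"
```

The chroot finding is a prompt to read the list, not an error: an empty chroot_list is fine, an administrator account in it is a user who sees the whole filesystem over FTP.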

Get SSL Certificate (Let's Encrypt)

Get SSL certificates from Let's Encrypt, which provides free SSL certificates. Refer to the Let's Encrypt official site for details.
⇒ https://letsencrypt.org/
Note that a certificate expires after 90 days, so you must renew it within the next 90 days.

[1]. Install the Certbot client, the tool that obtains certificates from Let's Encrypt.

[root@dlp ~]# dnf module -y install python36
[root@dlp ~]# dnf -y install gcc mod_ssl python3-virtualenv redhat-rpm-config augeas-libs libffi-devel openssl-devel
[root@dlp ~]# curl -O https://dl.eff.org/certbot-auto
# the script runs as root: verify its GPG signature before executing it (the EFF published a detached signature alongside the script)
[root@dlp ~]# mv certbot-auto /usr/local/bin/
[root@dlp ~]# chmod 700 /usr/local/bin/certbot-auto

[2]. Get certificates. A web server such as Apache httpd or Nginx must be running on the server you work on. If no web server is running, skip this section and refer to section [3]. Furthermore, your server must be reachable from the Internet on port 80, because of the verification from Let
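Two things on this page are worth scripting around certificates: the self-signed key pairs the Pure-FTPd and Vsftpd Over SSL/TLS sections generate into a single world-readable file, and the 90-day lifetime this section warns about (certbot-auto itself is no longer maintained by the EFF, but whichever client issues the certificate, something has to notice when renewal is overdue). As an added example that is not part of the original post, the script below issues the same kind of self-signed certificate with the private key in its own 0600 file, and checks whether a certificate falls due within a threshold using openssl x509 -checkend, which avoids date parsing. The directory, the CN www.srv.world and the 30-day threshold (the margin certbot renews at) are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the page: self-signed key/cert with the key kept
# private, plus an expiry check suitable for 90-day certificates. Paths, the
# CN and the renewal threshold are assumptions for the demo.
set -e

# make_selfsigned DIR NAME DAYS CN: writes DIR/NAME.key (0600) and DIR/NAME.crt
# (0644). The page's single combined .pem, written with the default umask, is
# typically readable by every local user; a 077 umask during generation is not.
make_selfsigned() {
    dir=$1; name=$2; days=$3; cn=$4
    ( umask 077
      openssl req -x509 -nodes -newkey rsa:2048 -days "$days" -subj "/CN=$cn" \
          -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null )
    chmod 0644 "$dir/$name.crt"     # the certificate itself is public
}

# cert_renewal_due CERT DAYS: true when CERT expires within DAYS days.
# "openssl x509 -checkend N" exits 1 when the cert expires within N seconds.
cert_renewal_due() {
    ! openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null
}

# key_is_private KEYFILE: true when the key file is exactly mode 0600
# (find -perm with an octal mode tests the exact mode, portably).
key_is_private() {
    [ -n "$(find "$1" -prune -perm 0600)" ]
}

demo=$(mktemp -d)
make_selfsigned "$demo" vsftpd 90 www.srv.world
ls -l "$demo"
key_is_private "$demo/vsftpd.key" && echo "key is 0600"
if cert_renewal_due "$demo/vsftpd.crt" 30; then
    echo "renew now: fewer than 30 days left"
else
    echo "more than 30 days left"
fi
```

For a Let's Encrypt certificate the file to check is the fullchain or cert PEM under the client's live directory; run cert_renewal_due from cron against it and alert on a true result, which is the condition under which the 90-day warning on this page has been missed.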