nadnerB's CloudatCost Project Journal
-
My project, so far is to set up, configure and secure CentOS 7 (minimal install) with very little Linux experience.
It might be a little ambitious but I can read and follow instructions.
Ā
I'm doing this all by command line as that's the only way given the fact that I am using the minimal install
So far I've:- changed the root password
- Created a new user and set a password
Now for a firewall and that Fail2Ban thing.
Ā
EDIT: oops, better update it before I do anything else (not sure where I read the below code but it was somewhere on ML)yum -y update -
My main goal is to set up a VPN as I've never done that before and I want to use that on free WiFi locations as I am paranoid (only a little)
-
What do you use on free WiFi that's important and not using SSL anyway?
-
Fyi the yum -y just pre accepts the install. Otherwise it will fetch the package information tell you what it is and the size and ask you if you'd like to install or not.
-
@thecreativeone91 said:
Fyi the yum -y just pre accepts the install. Otherwise it will fetch the package information tell you what it is and the size and ask you if you'd like to install or not.
Thanks
-
CentOS is secure by default. Firewall is already locked down.
-
@scottalanmiller not 100% sure what you mean by
Firewall is already locked down.
After Googling I discovered that it's called firewalld.
I ran the following to check the statussystemctl status firewalldWhich resulted in:
Does that mean that the firewall is off or on? -
Looks like the last one is stopping. You can also start it by
systemctl start firewalldand enable it at system start withsystemctl enable firewalld -
Thanks
that got it -
Following the instructions kindly provided by @JaredBusch on installing Fail2Ban
http://mangolassi.it/topic/4108/how-to-fail2ban-on-centos-7 -
Righto, so the firewall (enabled and on but no custom configs yet) and fail2ban are done.
-
So, today I'd like to set up SSH but I'll check on the fail2ban that I did yesterday.
Ā
Logged in as my non-root user account
fail2ban-client status sshd... looks like it requires use of sudo to check
Apparently my non-root account requires listing in a 'sudoers file'... righto.
Ā
One goes the lab coat as I step into the research mode... -
I think I'll do this by group permissions instead of individual permissions.
New group createdgroupadd <group name>
User addedusermod <user> -G <groupname>
Check members of the groupgrep ^<group name> /etc/group- success
- success
-
Righto, so it looks like the Sudoers file, that I need to edit, is read only.
However, I have found what looks like a good set of instructions here: https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos
EDIT: This initial setup guide has a slightly different (I think) way of doing it (step 4) https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-12-04 -
Hmmm, perhaps editing the Sudoers file is not a good idea...
Should I edit the file and add my username or just usesu?
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now. -
@nadnerB said:
Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.I log in as root directly to all my servers.
-
@nadnerB said:
Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.You don't edit the file You'd
gpasswd -a nadnerb wheelwhere nadnerb is the username you wish to give sudo privileges too. -
@thanksajdotcom said:
@nadnerB said:
Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.I log in as root directly to all my servers.
I personally would disable root access over SSH after the initial setup.
-
@thanksajdotcom said:
@nadnerB said:
Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.I log in as root directly to all my servers.
Thanks for your input but I won't be doing this
-
@thecreativeone91 said:
@nadnerB said:
Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.You don't edit the file You'd
gpasswd -a nadnerb wheelwhere nadnerb is the username you wish to give sudo privileges too.Fantastic! Thanks!
