Rocky Linux https://rockylinux.org/ (from Community Enterprise Operating System) Rocky Linux is an open-source enterprise operating system designed to be 100% bug-for-bug compatible with Red Hat Enterprise Linux®. It is under intensive development by the community.
Reasoning: it is recommended to disable the root account for security reasons, so that
ssh root@IP_OF_THE_SERVER_HERE
should not be reachable.
Add a new user and grant it sudo privileges (by adding it to the wheel group):
useradd spokane
passwd spokane
su -
usermod -aG wheel spokane
su - spokane
sudo nano /etc/ssh/sshd_config
Inside, set PasswordAuthentication no (or yes)
sudo systemctl reload sshd
If you don't have a root password, generate one:
passwd
STEP 1: Generate keys with ssh-keygen.
Note: run ssh-keygen on the local PC, not on the server:
ssh-keygen -t rsa -b 4096
Copy the public key to the server into ~/.ssh/authorized_keys.
Keep the public and private keys locally.
Log out of the new user spokane's session, then from the local PC run:
ssh-copy-id developer@IP_OF_YOUR_SERVER
Now login into server.
ssh spokane@IP_OF_THE_SERVER_HERE
cd ~/.ssh
vi authorized_keys
Paste the key, save and change the permissions.
chmod 600 authorized_keys
Test the key
ssh spokane@IP_OF_YOUR_SERVER -i path/to/your/PRIVATE/key/file
sudo nano /etc/ssh/sshd_config
PermitRootLogin yes | no
PasswordAuthentication yes | no
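As an added example (not part of the original notes), a small POSIX shell helper that applies the two sshd_config settings above idempotently and reports the value sshd will actually use; the file path and the sample config fragment are constructed for the demo. Because sshd honours only the first occurrence of a directive, the helper removes every earlier definition before appending the new one.

```shell
# set_sshd_option FILE KEY VALUE
# Drop every existing definition of KEY (active or commented out) and append
# "KEY VALUE". sshd uses the FIRST matching directive it reads, so a stale
# earlier "PasswordAuthentication yes" would otherwise silently win.
set_sshd_option() {
  tmp=$(mktemp) || return 1
  awk -v k="$2" '
    { line = $0; sub(/^[[:space:]]*#?[[:space:]]*/, "", line) }
    tolower(line) ~ ("^" tolower(k) "[[:space:]=]") { next }  # old definition: drop
    { print }
  ' "$1" > "$tmp" && printf '%s %s\n' "$2" "$3" >> "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# effective_sshd_option FILE KEY
# Print the value sshd would apply (first active "KEY VALUE" line), or "unset".
effective_sshd_option() {
  awk -v k="$2" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(k) { print $2; found = 1; exit }
    END { if (!found) print "unset" }
  ' "$1"
}

# harden_sshd_config FILE: the two settings this page toggles in sshd_config
harden_sshd_config() {
  set_sshd_option "$1" PermitRootLogin no &&
  set_sshd_option "$1" PasswordAuthentication no
}

# Demo on a constructed copy; on a real host you would pass /etc/ssh/sshd_config
# (after backing it up), then run `sshd -t` before `systemctl reload sshd`.
demo() {
  cfg=$(mktemp)
  cat > "$cfg" <<'EOF'
# constructed sshd_config fragment for the demo
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
Port 22
EOF
  harden_sshd_config "$cfg"
  printf 'PermitRootLogin=%s PasswordAuthentication=%s Port=%s\n' \
    "$(effective_sshd_option "$cfg" PermitRootLogin)" \
    "$(effective_sshd_option "$cfg" PasswordAuthentication)" \
    "$(effective_sshd_option "$cfg" Port)"
  rm -f "$cfg"
}
demo
```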
timedatectl
timedatectl list-timezones | grep Europe
timedatectl set-timezone Europe/Brussels
Check the OS version: cat /etc/os-release
and hostname: hostname
What is my external IP?: hostname -I
Check system resources: inxi
Check system kernel: uname -r
Check available space: df -h
top and htop:
top
htop
Supervise processes/daemons
systemctl list-units
systemctl | grep httpd
systemctl | grep sshd
Security checks: last login table: last
sudo systemctl enable --now cockpit.socket
https://SERVER_IP:9090
I highly recommend you not log in as the root user.
Midnight commander, for file management. Ctrl+O to toggle to terminal: mc
You can edit the hostname in /etc/hostname.
You can set an alias for this server in /etc/hosts.
If Apache is installed, also set the hostname in its main configuration file httpd.conf.
There, add:
ServerName localhost
sudo service hostname start
WARNING: You have been warned!
sudo dnf check-update
Clean the package manager cache
sudo dnf clean all
Update kernel
sudo dnf update
Note: CentOS made yum obsolete by introducing the dnf package manager.
Check for kernel updates, then import the ELRepo GPG key so that packages from the repository can be signature-verified on install.
dnf check-update
su
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
Add the repository (by installing an RPM package).
dnf install https://www.elrepo.org/elrepo-release-8.0-2.el8.elrepo.noarch.rpm
Check the repository was successfully added:
dnf repolist
Current kernel?
uname -r
4.18
Now, install the new kernel, then check:
dnf --enablerepo=elrepo-kernel install kernel-ml
reboot
uname -msr
5.5.5-1.el8.elrepo.x86_64
List groups for current user
groups
groups WHATEVER_USERS
Add a new group
sudo groupadd NEW_GROUP
Add a user to the new group
sudo usermod -aG NEW_GROUP spokane
Delete a group. Note that you need to remove all users from GROUP_TO_DELETE before deleting it, or set a new primary group for them if groupdel complains:
sudo groupdel GROUP_TO_DELETE
groupdel: cannot remove the primary group of user 'spokane'
sudo usermod -g PRIMARY_GROUP spokane
dnf list <package-name>
See available packages and versions
dnf list php*
Available packages with description
dnf search php*
dnf list --installed <package-name>
dnf repolist
sudo dnf install <package1-name> <package2-name> <package3-name>
sudo dnf upgrade <package-name>
sudo dnf remove <package-name>
Uninstall all dependency packages which are no longer required
sudo dnf autoremove
Clean all temporary files
sudo dnf clean all
Install the firewall daemon
sudo dnf install firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-service=smtp
List all
sudo firewall-cmd --permanent --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client http https smtp ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
sudo firewall-cmd --get-services
sudo firewall-cmd --reload
Make it permanent (start at boot)
sudo systemctl enable firewalld
sudo netstat -tunlp
SELinux implements what's known as MAC (Mandatory Access Control). This is implemented on top of what's already present in every Linux distribution, the DAC (Discretionary Access Control). Read:
https://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/
https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts
Make sure you have semanage:
yum install -y policycoreutils-python
Get status
sestatus
getenforce
Enforcing | Permissive (warnings) | Disabled
Alternatively, SELinux can be configured in /etc/selinux/config; after changes you need to reboot.
cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Now, in relation to httpd: SELinux has evolved. In CentOS 7 the httpd policy was unified, which is simpler but less secure:
sudo setsebool -P httpd_unified 1
In CentOS 8, httpd_unified is set to 0 by default, allowing more granular control:
sudo setsebool -P httpd_unified 0
Now you need to set labels on folders depending on the access required:
ls -Z /var/www/html
Adjust /var/www to be read/write:
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www(/.*)?"
Set the correct context for log files in case you defined a log folder inside the site:
sudo semanage fcontext -a -t httpd_log_t "/var/www/example.com/log(/.*)?"
Next, use the restorecon command to apply these changes and have them persist across reboots:
sudo restorecon -R -v /var/www/example.com/log
The -R flag runs this command recursively, meaning it will update any existing files to use the new context. The -v flag will print the context changes the command made.
Apache Context Types
Before we can start creating our own policies for applying Apache's context types, we need to understand which are available to us out of the box. The following table shows the ones we are primarily interested in; however, there are several others available.
httpd_sys_content_t     - Read-only directories and files used by Apache.
httpd_sys_rw_content_t  - Readable and writable directories and files used by Apache. Assign this to directories where files can be created or modified by your application, or assign it to files directly to allow your application to modify them.
httpd_log_t             - Used by Apache to generate and append to web application log files.
httpd_cache_t           - Assign to a directory used by Apache for caching, if you are using mod_cache.
List all file context mappings:
semanage fcontext -l
Restart the httpd service using the following command:
sudo systemctl restart httpd
curl -sS https://getcomposer.org/installer | php
sudo mv composer.phar /usr/local/bin/composer
sudo chmod +x /usr/local/bin/composer
source ~/.bashrc
sudo dnf install make gcc curl-devel expat-devel gettext-devel openssl-devel perl-CPAN perl-devel zlib-devel
Install latest git from https://www.kernel.org/pub/software/scm/git/
sudo dnf remove git
cd /usr/src
wget https://www.kernel.org/pub/software/scm/git/git-2.9.5.tar.gz
tar xzf git-2.9.5.tar.gz
cd git-2.9.5
make prefix=/usr/local/git all
make prefix=/usr/local/git install
If necessary, switch to root:
echo 'export PATH=$PATH:/usr/local/git/bin' >> /etc/bashrc
source /etc/bashrc
git --version
git config --global user.name "Jazz"
git config --global user.email "Your mail"
git config --global core.editor vim
git config --global merge.tool vimdiff
On the local machine:
sudo apt-get install sshfs
sudo mkdir /mnt/droplet
sudo chown -R myuser:myuser /mnt/droplet
sshfs [-o allow_other,defer_permissions] [email protected]:/ /mnt/droplet
sshfs [-o allow_other,defer_permissions,IdentityFile=~/.ssh/id_rsa] [email protected]:/ /mnt/droplet
sudo umount /mnt/droplet
Permanent mounting of the remote filesystem:
sudo nano /etc/fstab
sshfs##[email protected]:/ /mnt/droplet
Save the changes to /etc/fstab and reboot if necessary.
dnf install epel-release
dnf install fail2ban
Copy the configuration to a local override file to avoid problems on the next update:
cp -pf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the configuration file jail.local
vi /etc/fail2ban/jail.local
where you paste the following lines:
[DEFAULT]
# List of addresses that will never be banned
ignoreip = 127.0.0.1/8 ::1 103.1.2.3
# If maxretry failures occur within findtime (300 seconds), ban the IP for bantime (3600 seconds, i.e. 1 h)
bantime = 3600
findtime = 300
maxretry = 3
banaction = iptables-multiport
backend = systemd
[sshd]
enabled = true
Enable and start firewalld
systemctl enable firewalld
systemctl start firewalld
systemctl start fail2ban
systemctl enable fail2ban
systemctl status fail2ban
To list the IP addresses that have been banned, run:
iptables -L -n
or find the status of failed and banned IP addresses:
sudo fail2ban-client status
sudo fail2ban-client status sshd
To remove an IP address from the banned list, run the command below. The name "sshd" is the name of the jail, in this case the "sshd" jail that we configured above:
fail2ban-client set sshd unbanip IPADDRESS
Inspect /var/log/secure with grep/egrep, cat, tail, less or more:
tail -f /var/log/secure
grep 'sshd.*Failed password for' /var/log/secure
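As an added example (not from the original notes), the jail logic configured above (maxretry failed attempts within findtime seconds, ignoreip exempt) reproduced as a POSIX shell/awk filter over constructed /var/log/secure lines, so you can see which addresses the [sshd] jail would ban and check a real log the same way. Timestamps are reduced to seconds since midnight, so the sample is assumed to span a single day, and ignoreip is exact-match only (fail2ban also accepts CIDR ranges).

```shell
# Constructed sample of /var/log/secure lines (documentation-range IPs).
sample_log() {
  cat <<'EOF'
Mar 10 10:00:01 rocky sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 10 10:00:45 rocky sshd[1203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar 10 10:01:10 rocky sshd[1205]: Accepted publickey for spokane from 198.51.100.7 port 51022 ssh2
Mar 10 10:02:30 rocky sshd[1207]: Failed password for spokane from 198.51.100.7 port 51040 ssh2
Mar 10 10:03:59 rocky sshd[1209]: Failed password for root from 203.0.113.5 port 40150 ssh2
Mar 10 11:30:00 rocky sshd[1301]: Failed password for root from 198.51.100.7 port 51100 ssh2
Mar 10 11:31:00 rocky sshd[1303]: Failed password for root from 198.51.100.7 port 51101 ssh2
EOF
}

# detect_bruteforce FINDTIME MAXRETRY [IGNOREIP...]   (log lines on stdin)
# Prints each source IP once, at the moment it reaches MAXRETRY failed
# password attempts inside a sliding FINDTIME-second window; addresses given
# as IGNOREIP are never reported (exact match, standing in for ignoreip).
detect_bruteforce() {
  findtime=$1 maxretry=$2; shift 2
  awk -v findtime="$findtime" -v maxretry="$maxretry" -v ignore=" $* " '
    /sshd\[[0-9]+\]: Failed password for/ {
      split($3, t, ":"); now = t[1]*3600 + t[2]*60 + t[3]   # single-day assumption
      for (i = 5; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      if (index(ignore, " " ip " ") || (ip in banned)) next
      n[ip]++; ts[ip, n[ip]] = now
      hits = 0
      for (j = 1; j <= n[ip]; j++) if (ts[ip, j] > now - findtime) hits++
      if (hits >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# With this page's jail settings only 203.0.113.5 crosses the threshold;
# 198.51.100.7 also fails three times, but spread over more than findtime.
sample_log | detect_bruteforce 300 3 127.0.0.1 ::1
```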
wget --recursive --no-clobber --page-requisites --html-extension --convert-links --restrict-file-names=windows --domains website.org --no-parent https://www.bible.ca/archeology/