Here is a list of things to do after you install a new CentOS 7 server:

0. Make sure the machine has the right hostname/ip/network setup:

   # edit /etc/hosts to make it look like this:
   $ cat /etc/hosts
   127.0.0.1    localhost localhost.localdomain localhost4 localhost4.localdomain4
   ::1          localhost localhost.localdomain localhost6 localhost6.localdomain6
   204.85.28.88 monitor.shodor.org monitor

   # edit the /etc/hostname file to look like this:
   $ cat /etc/hostname
   monitor.shodor.org

   # for networking and setting up routing gateway
   $ cat /etc/sysconfig/network
   # Created by anaconda
   NETWORKING=yes
   HOSTNAME=monitor.shodor.org
   ## for routing internet in case you have vms installed
   #GATEWAYDEV=br0

   # Change the default network interface name to "eth0"
   $ vim /etc/default/grub
   # find the GRUB_CMDLINE_LINUX line and append the following
   net.ifnames=0 biosdevname=0

   ## Then create a new configuration based on the currently running system using the grub2-mkconfig command:
   $ grub2-mkconfig -o /boot/grub2/grub.cfg

   ## Then rename the interface files by renaming the file "/etc/sysconfig/network-scripts/ifcfg-en01…
   $ mv /etc/sysconfig/network-scripts/ifcfg-eno16777736 \
        /etc/sysconfig/network-scripts/ifcfg-eth0

   HelpfulLink:
      http://rbgeek.wordpress.com/2014/07/15/initial-settings-after-installing-the-centos-7/
      http://www.server-world.info/en/note?os=CentOS_7&p=install
      http://www.tecmint.com/centos-7-installation/

   # More on networking setup: see KVM config docs

1. Create new users

   # you want to make sure you are not sshing as root.
   $ useradd jcoldren -c "Joel Coldren" -m
   # This creates a new user with username: jcoldren, full name: Joel Coldren; -m creates a home directory for the user too

   # Make sure you change the password for the new user(s)
   $ passwd jcoldren
   Changing password for user jcoldren.
   New password:
   Retype new password:
   passwd: all authentication tokens updated successfully.

2. Securing OpenSSH

   # System-wide SSH configuration information is stored in the /etc/ssh directory and user-specific in ~/.ssh
   # Here are some system-wide config files:
   a. /etc/ssh/ssh_config    # the default ssh client config. This file is usually overridden by the ~/.ssh/config file
   b. /etc/ssh/sshd_config   # The config file for the sshd daemon. This is where most configs are set.
   c. /etc/sysconfig/sshd    # config file for sshd services

   # In order to stop root ssh login do the following:
   a. Search for this line, uncomment it and change yes to no
      PermitRootLogin no

   # Disable insecure Protocol 1; allowing only Protocol 2
   a. Edit sshd_config to include only Protocol 2, and not both:
      Protocol 2

   # For some servers you may only want sysadmins to be able to log in.
   # Therefore, you can put some limits on who can ssh to the system
   a. Add an AllowUsers line followed by a space-separated list of usernames to /etc/ssh/sshd_config
      AllowUsers mludin jcoldren

   # After changing anything in the config files you must reload sshd
   $ systemctl reload sshd.service

   # check sshd daemon status:
   $ systemctl status sshd.service

   # Start sshd on reboot/boot
   $ systemctl enable sshd.service

   # Helpful commands to monitor ssh attacks
   a. # top 5 most recently attacked accounts
      $ lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -5
   b. # top 5 most attacked accounts
      $ awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $1}' /var/log/secure* | sort | uniq -c | sort -rn | head -5
   c. # top 5 attacker IP addresses (obscured for privacy)
      $ awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $3}' /var/log/secure* | sort | uniq -c | sort -rn | head -5

   # More options for securing SSH are
   a. Change the default port
   b. Limit access to only a few systems (only specific IPs)
      HelpLink:
         http://centoshelp.org/security/securing-sshd/
         http://wiki.centos.org/HowTos/Network/SecuringSSH
         http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
   c. Install fail2ban:
      # To install fail2ban you must first add the EPEL repo:
      $ curl -O http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
      $ rpm -ivh epel-release-7-2.noarch.rpm

      # Update system
      $ yum -y update    # the first update might take a few minutes, so go make coffee.

      # install fail2ban with yum
      $ yum install fail2ban -y

      # Now HOW TO CONFIGURE FAIL2BAN
      a. First copy the default configuration file:
         # This is necessary so you can edit the configuration locally (your own settings) without messing with the default one.
         $ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
      b. Now edit the jail.local file you copied, or copy jail.conf from old servers
         $ vim /etc/fail2ban/jail.local
         # A few lines act as the basic setup; edit them as necessary to suit your needs: ignoreip, bantime, findtime, and maxretry.
      c. Restart the fail2ban service and enable it on boot
         $ systemctl restart fail2ban.service
         $ systemctl enable fail2ban.service

3. Installing KVM
   See its documentation and scripts

4. Installing OpenLDAP:
   Links:
      http://www.openldap.org/doc/admin24/quickstart.html
      http://www.tldp.org/HOWTO/LDAP-HOWTO/index.html
      http://www.unixmen.com/install-ldap-server-in-centos-step-by-step/
      https://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-ldap-quickstart.html
      http://www.server-world.info/en/note?os=CentOS_7&p=openldap
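
Added example for step 2 (Securing OpenSSH), not part of the original notes: a shell check that reads an sshd_config and reports whether PermitRootLogin, Protocol and AllowUsers are set as described there. The function names and the sample config are constructed for illustration; it assumes whitespace-separated keywords and reads only the global section (before any Match block).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the three settings used in these notes.

# Print the value sshd would use for keyword $2 in file $1: keywords are
# case-insensitive, "#" lines are comments, and the first occurrence wins.
# Assumption: only the global section is read (parsing stops at "Match").
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Report each setting that differs from the notes; return the number of failures.
audit_sshd() {
    cfg=$1; fails=0
    root=$(sshd_value "$cfg" PermitRootLogin)
    proto=$(sshd_value "$cfg" Protocol)
    users=$(sshd_value "$cfg" AllowUsers)
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin is '${root:-unset}', expected 'no'"; fails=$((fails+1))
    fi
    if [ "$proto" != "2" ]; then
        echo "FAIL Protocol is '${proto:-unset}', expected '2'"; fails=$((fails+1))
    fi
    if [ -z "$users" ]; then
        echo "FAIL AllowUsers is unset, no login allow-list"; fails=$((fails+1))
    fi
    return "$fails"
}

# Constructed sample: the active PermitRootLogin line is "yes" (the later
# lowercase "no" is ignored), and Protocol still lists both versions.
sample_config() {
cat <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
permitrootlogin no
Protocol 2,1
AllowUsers mludin jcoldren
EOF
}

tmp=$(mktemp); sample_config > "$tmp"
audit_sshd "$tmp" || echo "$? setting(s) need attention"
rm -f "$tmp"
```

On a live server, point audit_sshd at /etc/ssh/sshd_config before running systemctl reload sshd.service.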
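
Added example for the fail2ban step (2.c), not part of the original notes and not fail2ban's own code: a simplified awk model of how findtime, maxretry and ignoreip decide which addresses get banned, run over constructed /var/log/secure lines. The function names and log lines are hypothetical; it assumes a single ignoreip address and log lines from the same month, and bantime is not modelled.

```shell
#!/bin/sh
# Simplified model of fail2ban's findtime/maxretry/ignoreip (not fail2ban code).
# Usage: would_ban FINDTIME_SECONDS MAXRETRY IGNOREIP < /var/log/secure
# Assumptions: one ignoreip address, all lines from the same month, and a
# ban never expires (bantime is not modelled).
would_ban() {
    awk -v findtime="$1" -v maxretry="$2" -v ignoreip="$3" '
        /sshd.*Failed password for/ {
            # Use the last "from" so a user name containing "from" is not
            # mistaken for the source address.
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "" || ip == ignoreip || (ip in banned)) next
            split($3, hms, ":")
            now = $2 * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
            # Keep only this address failures that are still inside the window.
            n = 1; kept = now " "
            cnt = split(seen[ip], old, " ")
            for (j = 1; j <= cnt; j++)
                if (now - old[j] < findtime) { kept = kept old[j] " "; n++ }
            seen[ip] = kept
            if (n >= maxretry) { banned[ip] = 1; print ip }
        }'
}

# Constructed sample of /var/log/secure: one fast guesser, one slow one.
sample_log() {
cat <<'EOF'
Mar  3 10:00:01 monitor sshd[2101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:00:05 monitor sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar  3 10:00:09 monitor sshd[2105]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar  3 10:01:00 monitor sshd[2110]: Failed password for mludin from 198.51.100.20 port 40100 ssh2
Mar  3 10:20:00 monitor sshd[2120]: Failed password for mludin from 198.51.100.20 port 40101 ssh2
Mar  3 10:40:00 monitor sshd[2130]: Failed password for mludin from 198.51.100.20 port 40102 ssh2
Mar  3 10:41:00 monitor sshd[2140]: Accepted password for jcoldren from 192.0.2.10 port 40200 ssh2
EOF
}

sample_log | would_ban 600 3 192.0.2.10
```

With findtime 600 the slow guesser at 198.51.100.20 is never banned; raising findtime to 3600 catches it as well.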