nadnerB's CloudatCost Project Journal
-
My project, so far, is to set up, configure and secure CentOS 7 (minimal install) with very little Linux experience.
It might be a little ambitious but I can read and follow instructions.
I'm doing this all by command line as that's the only way, given that I am using the minimal install.
So far I've:
- changed the root password
- Created a new user and set a password
Now for a firewall and that Fail2Ban thing.
EDIT: oops, better update it before I do anything else (not sure where I read the below code but it was somewhere on ML):
yum -y update
-
My main goal is to set up a VPN, as I've never done that before, and I want to use that at free WiFi locations as I am paranoid (only a little).
-
What do you use on free WiFi that's important and not using SSL anyway?
-
FYI, the yum -y just pre-accepts the install. Otherwise it will fetch the package information, tell you what it is and the size, and ask you whether you'd like to install or not.
-
@thecreativeone91 said:
FYI, the yum -y just pre-accepts the install. Otherwise it will fetch the package information, tell you what it is and the size, and ask you whether you'd like to install or not.
Thanks
-
CentOS is secure by default. Firewall is already locked down.
-
@scottalanmiller not 100% sure what you mean by
Firewall is already locked down.
After Googling I discovered that it's called firewalld.
I ran the following to check the status:
systemctl status firewalld
Which resulted in:
Does that mean that the firewall is off or on? -
Looks like the last one is stopping. You can also start it by
systemctl start firewalld
and enable it at system start with
systemctl enable firewalld
-
Thanks that got it
-
Following the instructions kindly provided by @JaredBusch on installing Fail2Ban
http://mangolassi.it/topic/4108/how-to-fail2ban-on-centos-7 -
Righto, so the firewall (enabled and on but no custom configs yet) and fail2ban are done.
-
So, today I'd like to set up SSH but I'll check on the fail2ban that I did yesterday.
Logged in as my non-root user account
fail2ban-client status sshd
... looks like it requires use of sudo to check
Apparently my non-root account requires listing in a 'sudoers file'... righto.
On goes the lab coat as I step into research mode... -
I think I'll do this by group permissions instead of individual permissions.
New group created:
groupadd <group name>
User added:
usermod -aG <groupname> <user>   # -a appends; without it, -G replaces the user's other secondary groups
Check members of the group:
grep '^<group name>:' /etc/group   # the trailing colon matches the group name exactly, not as a prefix
- success
-
Righto, so it looks like the sudoers file that I need to edit is read-only.
However, I have found what looks like a good set of instructions here: https://www.digitalocean.com/community/tutorials/how-to-edit-the-sudoers-file-on-ubuntu-and-centos
EDIT: This initial setup guide has a slightly different (I think) way of doing it (step 4) https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-12-04 -
Hmmm, perhaps editing the Sudoers file is not a good idea...
Should I edit the file and add my username or just use su?
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now. -
@nadnerB said:
Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.
I log in as root directly to all my servers.
-
@nadnerB said:
Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.
You don't edit the file. You'd
gpasswd -a nadnerb wheel
where nadnerb is the username you wish to give sudo privileges to. -
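An added example (not code posted in the thread) that ties the group-creation post and the `gpasswd -a nadnerb wheel` advice together: add the user to wheel, then verify membership with an exact match on the group name. The `grep ^<group name> /etc/group` check from earlier in the thread is a prefix match, so checking "wheel" would also report a group called "wheelhouse". The functions take the group file as an argument so the block runs against a constructed copy without root; the sample group file, the user names and the "wheelhouse" group are assumptions made up for the demonstration.

```bash
#!/bin/bash
# Added example, not code from the thread: verify wheel membership exactly.
# On the real box pass /etc/group as the file argument, or just use `id -nG <user>`.

# group_members <group> [groupfile]: print the member list of exactly that
# group (field 4 of the group(5) format); fail if the group does not exist.
group_members() {
    local group=$1 file=${2:-/etc/group}
    awk -F: -v g="$group" '$1 == g { print $4; found = 1 } END { exit found ? 0 : 1 }' "$file"
}

# user_in_group <user> <group> [groupfile]: succeed only if <user> is listed
# as a supplementary member of <group>.
user_in_group() {
    local user=$1 group=$2 file=${3:-/etc/group}
    local members
    members=$(group_members "$group" "$file") || return 1
    case ",$members," in
        *",$user,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# prefix_hits <group> <groupfile>: how many lines the thread's prefix grep
# matches, to show why it over-reports.
prefix_hits() {
    grep -c "^$1" "$2"
}

# Constructed sample in /etc/group format (the thread never shows its real
# file); "wheelhouse" exists only to demonstrate the prefix-match problem.
SAMPLE_GROUP_FILE=$(mktemp)
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:nadnerb
wheelhouse:x:1001:alice
users:x:100:
EOF

if [ "${1:-}" = "demo" ]; then
    printf 'wheel members: %s\n' "$(group_members wheel "$SAMPLE_GROUP_FILE")"
    printf 'prefix grep hits for wheel: %s\n' "$(prefix_hits wheel "$SAMPLE_GROUP_FILE")"
fi

# On the real server, as root, the same check end to end would be:
#   gpasswd -a nadnerb wheel        # or: usermod -aG wheel nadnerb (-a keeps existing groups)
#   id -nG nadnerb                  # new membership applies to new logins, so re-login first
#   grep '^%wheel' /etc/sudoers     # CentOS 7 ships "%wheel ALL=(ALL) ALL" already enabled
#   visudo -c                       # syntax-check sudoers instead of editing it by hand
#   su - nadnerb -c 'sudo -l'       # what sudo will let the user run
```

Run it as `bash script.sh demo` to see the sample output. The point of the exact match is that `user_in_group` is what you want in any later script that gates on wheel membership; a prefix grep passes for the wrong group the day someone creates one with a longer name.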
@thanksajdotcom said:
@nadnerB said:
Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.
I log in as root directly to all my servers.
I personally would disable root access over SSH after the initial setup.
-
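An added example (not code posted in the thread) of the "disable root access over SSH after the initial setup" advice above: set `PermitRootLogin no` in sshd_config idempotently and read the setting back. The functions work on any file you hand them, so the block runs against a constructed excerpt first; the sample config and the paths in the comments are assumptions, modelled on a stock CentOS 7 layout rather than taken from the thread.

```bash
#!/bin/bash
# Added example, not code from the thread: turn off root login over SSH.

# set_sshd_option <file> <key> <value>
# Replaces every active or commented-out "<key> ..." line in the global
# section with a single "<key> <value>", or appends one if none exists.
# Lines after an active "Match" keyword are conditional, so the global
# setting is placed before the first Match block and those lines are left alone.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            commented = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # drop leading blanks and one "#"
            split(line, f, /[ \t]+/)
            kw = tolower(f[1])                 # sshd keywords are case-insensitive
            if (!commented && kw == "match") {
                if (!done) { print key " " value; done = 1 }
                inmatch = 1
            }
            if (!inmatch && kw == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                           # drop duplicates and old commented copies
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option <file> <key>: print the first active global value, or fail
# if the key is only commented out (sshd then uses its built-in default).
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed excerpt modelled on the relevant lines of a stock CentOS 7
# sshd_config (root login commented out, i.e. it defaults to yes); this is
# not the thread's real file.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF

set_sshd_option "$SAMPLE_SSHD_CONFIG" PermitRootLogin no
set_sshd_option "$SAMPLE_SSHD_CONFIG" PermitRootLogin no   # a second run changes nothing

# On the real server, as root:
#   cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
#   sshd -t                  # syntax check; a bad config here would lock you out on restart
#   systemctl restart sshd   # then log in fresh in a second terminal before closing this one
```

Do this only after the wheel user can log in and `sudo -i` works, and keep the original session open until a fresh login has been confirmed. `PasswordAuthentication` is left alone here because the thread has not set up SSH keys yet; fail2ban on sshd, already installed earlier in the thread, is what limits password guessing in the meantime.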
@thanksajdotcom said:
@nadnerB said:
Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.
I log in as root directly to all my servers.
Thanks for your input but I won't be doing this
-
@thecreativeone91 said:
@nadnerB said:
Hmmm, perhaps this is not a good idea...
Comments @JaredBusch, @thecreativeone91, @scottalanmiller or @thanksajdotcom ?
EDIT: I'll hold off on deploying this for now.
You don't edit the file. You'd
gpasswd -a nadnerb wheel
where nadnerb is the username you wish to give sudo privileges to.
Fantastic! Thanks!