How to configure VPS server on CentOS
14:04, 17.01.2022
CentOS is a flexible operating system based on the commercial Red Hat Enterprise Linux distribution. The main advantages of CentOS for VPS are considered to be its simplicity, elegance, and convenience at all levels of interaction, from installation to setting up firewall filters. In addition, this operating system is regularly supplied with updates and innovations, especially in the field of security. In terms of security and safety, VPS with CentOS surpasses almost all similar free operating systems.
Updating CentOS
Downloading and installing updates on this operating system is done through the built-in yum program, which fetches the necessary data directly from the CentOS Mirror Network repositories. To get all the latest updates immediately after installation, open the server control panel, go to the "Console" tab, log in and run a single command:
yum update
Remember that yum is the package manager in releases up to CentOS 7; CentOS 8 switched to dnf. If you have CentOS 8 or newer, use dnf instead. The command is similar:
dnf update
This utility has a simple, intuitive syntax with a standard structure:
# dnf [parameters] [command] package_names-or-groups
You can also keep typing yum on CentOS 8 if you wish: the yum command is retained there as a compatibility alias for dnf.
Automatic Update on CentOS: Setting it Up Properly
Updating the kernel and system utilities in manual mode is a thankless task, even if it takes very little time. To ensure that your VPS with CentOS on HostZealot is always reliably protected and receives all the latest updates quickly, it is recommended to set up automatic system updates. For example, in CentOS 7, the yum-cron utility is used for this purpose. It can be installed from the standard repository:
yum install yum-cron
When the installation is complete, the utility creates jobs in /etc/cron.daily and /etc/cron.hourly. By default it only downloads the latest updates; they still have to be installed by the administrator.
You can configure yum-cron through the files /etc/yum/yum-cron.conf and /etc/yum/yum-cron-hourly.conf. There you can set the parameters for notification messages, configure the use of a third-party mail server, and so on.
For CentOS 8 the situation is slightly different. There, automatic updates are handled by the dnf-automatic program, which is installed with a single command:
yum install dnf-automatic
After installation, first check whether systemd already has a timer for the automatic update check (the pattern is quoted so the shell does not expand it):
systemctl list-timers '*dnf-*'
If tasks are not set automatically, they must be added manually:
systemctl enable --now dnf-automatic.timer
By default, the timer checks for updates once a day, starting one hour after the VPS has booted. If necessary, you can change these values in the timer unit linked from /etc/systemd/system/multi-user.target.wants/dnf-automatic.timer (that path is a symlink to the unit file shipped by the package, so an override created with systemctl edit dnf-automatic.timer is the variant that survives package updates).
With the dnf-automatic configuration file, which is located at /etc/dnf/automatic.conf, you can have updates automatically downloaded and applied. By default, they will only be downloaded, but you will have to install them manually. The file can be configured so that the system does these tasks without user intervention.
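Here is an added example, not part of the original article, that switches such a configuration from "download only" to "download and apply" by rewriting the apply_updates key inside the [commands] section with a section-aware awk edit, so other sections stay untouched; the file name and sample contents are constructed for the demonstration.

```shell
# Added example, not part of the original article: switch a dnf-automatic
# configuration from "download only" to "download and apply" by rewriting one key
# inside the [commands] section, leaving every other section untouched. The file
# name and the sample contents below are constructed for the demonstration.

# set_ini_key FILE SECTION KEY VALUE: replace KEY inside [SECTION], or add it if absent
set_ini_key() {
    tmp=$(mktemp)
    awk -v sec="$2" -v key="$3" -v val="$4" '
        function emit_key() { if (in_sec && !found) { print key " = " val; found = 1 } }
        /^[ \t]*\[/ { emit_key(); in_sec = ($0 == ("[" sec "]")) }   # section boundary
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") { emit_key(); next } # drop the old line
        { print }
        END { emit_key() }                                           # key never seen
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# get_ini_key FILE SECTION KEY: print the value of KEY inside [SECTION], if any
get_ini_key() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 == ("[" sec "]")) }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Constructed sample with the stock defaults: updates are downloaded but never applied
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
[commands]
upgrade_type = default
download_updates = yes
apply_updates = no

[emitters]
emit_via = stdio
EOF

set_ini_key "$CONF" commands apply_updates yes
echo "apply_updates is now: $(get_ini_key "$CONF" commands apply_updates)"
```

On a real server the same call against /etc/dnf/automatic.conf, followed by systemctl restart dnf-automatic.timer, is what makes the timer apply updates instead of only downloading them.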
Proper time setting
The first thing to do is to check the current time with the standard command:
date
If necessary, you can change the time zone using the utility included in the system:
timedatectl set-timezone America/New_York   # set the New York time zone (zone names are case-sensitive)
Next, we check the status of the time update services with the command:
timedatectl
On CentOS, time synchronization over the Internet is done through the chrony service, which is available immediately and does not need to be installed. The exception is the lightweight configurations of CentOS, in which almost everything unnecessary has been cut out. In this case, chrony can be installed through the repository:
yum install chrony
After that, start the service and enable it at boot. Enter the two commands in turn:
systemctl start chronyd
systemctl enable chronyd
You can check the status of the software with the command:
systemctl status chronyd
In the timedatectl output we are mainly interested in the "System clock synchronized" and "NTP service" lines: the first should say "yes" and the second "active". From now on, as long as chronyd is running, your VPS keeps its clock synchronized over the Internet.
Properly configuring the firewall
The VPS can be protected from most types of threats by controlling incoming and outgoing traffic. This is done with the iptables firewall, which is available in CentOS by default. You can check the rules currently in effect with the command:
iptables -L -v -n
On CentOS 7 and 8, the firewall is managed by the firewalld service through the firewall-cmd utility, which is essentially a front-end that manages the iptables rules for you. Rule groups are organized into elements called zones. Each zone is a set of rules defining what traffic is permitted, according to the level of trust placed in the network. FirewallD has nine zones:
- drop: the zone with the lowest trust level. Incoming connections are dropped by the VPS firewall without any response; outgoing connections are allowed.
- block: all incoming connections to this zone will be rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
- public: public networks with low levels of trust. Individual incoming connections can be allowed as an exception if necessary.
- external: external networks for when the firewall is used as a gateway.
- internal: for computers in the internal part of the gateway that are mostly trustworthy.
- dmz: a zone for isolated PCs in a DMZ segment without access to the rest of your network. Selected incoming connections are allowed.
- work: the optimal zone for hosting work computers. Permissions for some additional services are allowed.
- home: The home environment.
- trusted: For trusted computers only. This is the most open zone of all and should be used with care.
You can see which zone is currently the default with the command:
firewall-cmd --get-default-zone
iptables itself works in a similar way, but to manage it directly you first need to stop and disable the firewalld front-end:
systemctl stop firewalld
systemctl disable firewalld
And then install the necessary utilities for the firewall:
yum install iptables-services
And turn on the auto launch:
systemctl enable iptables
Now we just need to create the file /etc/iptables.sh and edit it by adding the following rules:
#!/bin/bash
export IPT="iptables"
export WAN=eth0
export WAN_IP=147.15.218.72   # the server's public address; not used by the rules below, replace it with your own

# Flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Default policy: deny everything that is not explicitly allowed below
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Loopback traffic and all outgoing traffic on the WAN interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o $WAN -j ACCEPT

# Packets belonging to connections that are already established
$IPT -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

# Clamp the TCP MSS to the path MTU for forwarded connections
$IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Drop malformed packets and new TCP connections that do not start with SYN
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# ICMP types needed for normal operation, including ping
$IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Services reachable from the Internet: SSH, HTTP and HTTPS
$IPT -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $WAN -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $WAN -p tcp --dport 443 -j ACCEPT

# Everything else is logged and then dropped
$IPT -N undef_in
$IPT -N undef_out
$IPT -N undef_fw
$IPT -A INPUT -j undef_in
$IPT -A OUTPUT -j undef_out
$IPT -A FORWARD -j undef_fw
$IPT -A undef_in -j LOG --log-level info --log-prefix "-- IN -- DROP "
$IPT -A undef_in -j DROP
$IPT -A undef_out -j LOG --log-level info --log-prefix "-- OUT -- DROP "
$IPT -A undef_out -j DROP
$IPT -A undef_fw -j LOG --log-level info --log-prefix "-- FW -- DROP "
$IPT -A undef_fw -j DROP

# Save the ruleset so the iptables service restores it at boot
/sbin/iptables-save > /etc/sysconfig/iptables
This self-written script can be modified and optimized for your needs if you wish. It can also be used as is; it makes the VPS more secure in any case.
To make the script executable and then run it, enter the two commands in turn:
chmod 0740 /etc/iptables.sh
/etc/iptables.sh
Before finishing, check that the rules have been applied using the iptables -L -v -n command mentioned at the beginning of this section.
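As an added example that is not part of the original article, the following script audits a saved ruleset in iptables-save format (what the script above writes to /etc/sysconfig/iptables) against the intended policy: default-deny on all three filter chains, only the listed TCP ports accepted on INPUT, and the undef_in log-and-drop chain still wired in; the sample rulesets are constructed.

```shell
# Added example, not part of the original article: audit a saved ruleset in
# iptables-save format (what the script above writes to /etc/sysconfig/iptables)
# against the intended policy. Sample rulesets below are constructed.

# audit_ruleset FILE "PORT PORT ...": print findings, return their count
audit_ruleset() {
    filter=$(sed -n '/^\*filter/,/^COMMIT/p' "$1")   # look at the filter table only
    allowed=" $2 " findings=0
    # 1. every built-in chain must default to DROP
    for chain in INPUT FORWARD OUTPUT; do
        policy=$(printf '%s\n' "$filter" | awk -v c=":$chain" '$1 == c { print $2 }')
        [ "$policy" = DROP ] && continue
        echo "policy: $chain is '${policy:-missing}', expected DROP"; findings=$((findings + 1))
    done
    # 2. INPUT may only accept TCP ports on the allow-list
    for port in $(printf '%s\n' "$filter" | sed -n 's/^-A INPUT .*--dport \([0-9]*\) -j ACCEPT.*/\1/p'); do
        case "$allowed" in *" $port "*) ;; *)
            echo "port: INPUT accepts --dport $port, not on the allow-list"; findings=$((findings + 1)) ;;
        esac
    done
    # 3. unmatched INPUT traffic must still reach the log-and-drop chain
    printf '%s\n' "$filter" | grep -q '^-A INPUT -j undef_in$' ||
        { echo "log: INPUT is not terminated by the undef_in chain"; findings=$((findings + 1)); }
    return "$findings"
}

# Constructed sample: the essential lines the script above would save
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j undef_in
-A undef_in -j LOG --log-prefix "-- IN -- DROP " --log-level 6
-A undef_in -j DROP
COMMIT
EOF
# Constructed drift: INPUT policy opened and a database port exposed instead of 443
sed -e 's/^:INPUT DROP/:INPUT ACCEPT/' -e 's/--dport 443 /--dport 3306 /' "$GOOD" > "$BAD"

audit_ruleset "$GOOD" "22 80 443" && echo "saved ruleset matches the policy"
audit_ruleset "$BAD" "22 80 443" || echo "$? finding(s): review the ruleset"
```

Running it from cron against /etc/sysconfig/iptables, or against the output of iptables-save, catches a ruleset that has drifted from what the script intended.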
Adding repositories to CentOS
Let's take CentOS 7 as an example to see how to add a repository from which the system can download software. Repository files are stored in the directory /etc/yum.repos.d/; you can list that directory with the command:
ls /etc/yum.repos.d/
A separate file with this syntax is usually created for each repository:
[repository_name]
name=repository_description
mirrorlist=mirror_link_list
baseurl=link_to_the_mirror_with_the_packages
enabled=1
gpgcheck=1
gpgkey=file_keysignature
So, to add a repository in CentOS, you have to place a repository configuration file in that directory, and that's it. For example, like this:
[extras741708]
name=Extras packages for CentOS 7.4.1708 for x86_64
baseurl=http://vault.centos.org/centos/7.4.1708/extras/x86_64/
enabled=1
Many repository sites offer ready-made packages and a command to install, which makes things much easier. For example, to install NUX on CentOS 7, all you have to do is type this command:
yum install -y http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm
The utility will do everything automatically and download the necessary data. In the same way, you can install the popular REMI, RPMfusion, Adobe, and other repositories. For most tasks, even one repository will be enough.
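As an added example that is not part of the original article, the following script audits every stanza of a .repo file for the settings that make installs from it verifiable (gpgcheck=1, a gpgkey, and metadata fetched over https rather than plain http); the file is constructed, and its second stanza mirrors the extras741708 example above, which sets no gpgkey and leaves gpgcheck to the global default.

```shell
# Added example, not part of the original article: audit every stanza of a
# .repo file for the settings that make package installs verifiable. It reports a
# stanza whose gpgcheck is not 1, which has no gpgkey, or whose baseurl/mirrorlist
# is plain http. The file below is constructed; its second stanza mirrors the
# extras741708 example above, which sets neither gpgcheck nor gpgkey.

# audit_repo FILE: print one line per finding, return the number of findings
audit_repo() {
    awk '
        function check() {
            if (sec == "") return
            if (gpgcheck != "1") { print sec ": gpgcheck is not set to 1 in this stanza"; n++ }
            if (gpgkey == "")    { print sec ": no gpgkey, package signatures cannot be verified"; n++ }
            if (url ~ /^http:\/\//) { print sec ": repository metadata fetched over plain http"; n++ }
        }
        /^[ \t]*\[/ { check(); sec = $0; gpgcheck = ""; gpgkey = ""; url = ""; next }
        /^[ \t]*gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gpgcheck = $0 }
        /^[ \t]*gpgkey[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); gpgkey = $0 }
        /^[ \t]*(baseurl|mirrorlist)[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); url = $0 }
        END { check(); exit n }
    ' "$1"
}

# Constructed sample: one stanza with verification enabled, one like the example above
REPO=$(mktemp)
cat > "$REPO" <<'EOF'
[base-sample]
name=Constructed stanza with verification enabled
baseurl=https://mirror.example.com/centos/7/os/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras741708]
name=Extras packages for CentOS 7.4.1708 for x86_64
baseurl=http://vault.centos.org/centos/7.4.1708/extras/x86_64/
enabled=1
EOF

audit_repo "$REPO" || echo "$? finding(s) in $REPO"
```

A stanza without gpgcheck inherits the value from the [main] section of /etc/yum.conf, so the audit deliberately insists on an explicit setting in each repository file.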
Setting history storage correctly
The standard OS settings have a number of limitations that make the stored command history less useful. First, only the last 1000 commands are kept. Second, the date and time when a command was entered are not recorded. Third, some commands are not worth storing at all, but by default the system saves every command.
The history is kept in the file ~/.bash_history, which you can view with any editor. Or, even simpler, type a command into the console:
history
You will be presented with a list, which you can filter through different commands. For example, you can select all runs of the yum command by using:
history | grep yum
So, here are some useful tweaks to make storing the command history more convenient. You can increase the size of the stored history in ~/.bashrc file by adding the following lines:
export HISTSIZE=10000
export HISTFILESIZE=10000
It is also useful to stop recording a command that is entered several times in a row, and to erase older duplicates of a command. Add the line:
export HISTCONTROL=ignoreboth:erasedups
It is also recommended to exclude the ls, ps and history commands from the stored history (the patterns match the whole line, so a bare ls is ignored while ls -la is still recorded, whereas history* covers history with any options):
export HISTIGNORE='ls:ps:history*'
Finally, we make the history output show the date and time at which each command was executed. Add the line:
export HISTTIMEFORMAT='%d.%m.%Y %H:%M:%S: '
To apply the settings on the fly, enter source ~/.bashrc. This can be done after all the necessary changes have been made to the file. That's all, thanks for your attention and see you soon!