Chapter 4. Machine Configuration

Table of Contents

Introduction to Machine Configuration
Update the Machine
Hostname
Set the Correct Time Zone
Adding a Regular User
Firewall Introduction
SELinux
Machine Configuration Check Point

Introduction to Machine Configuration

In this chapter, we'll do some additional configuration on the server. These steps customize the server and make it a little more secure; they're simple "move in and settle" type steps. The steps we'll take are:

  1. Update the machine.
  2. Set the hostname.
  3. Set the correct time zone.
  4. Add a regular user.
  5. Check out the firewall.
  6. Take a look at SELinux.
[Note] SSH Access Required

Completion of these tasks will require access to the machine via SSH as the root user. For questions about SSH Access see Chapter 5, SSH, particularly the section called "SSH Client".

Update the Machine

Figure 4.1. Machine Update Image #1

Updating the machine is one of the most important steps to take. It will install all the latest releases of software and security enhancements. As shown in the screenshot above, the command to issue is `yum update`.

Figure 4.2. Machine Update Image #2

Once the update command is issued, the system checks whether updated packages are available. If so, it asks for confirmation before installing them. Type "y" to proceed.

[Note] Update Command All-in-One

To install the updates all in one step, issue the command `yum -y update`.

Figure 4.3. Machine Update Image #3

The screenshot above shows the updates as they are being installed. Sit back, relax, and enjoy the show.

Figure 4.4. Machine Update Image #4

Finally, all the available updates have been installed. In most instances, a reboot will not be necessary.

[Important] Reboot Necessary When Kernel is Updated

Note in the screenshot above that the kernel was updated. This is the one instance that requires a reboot. Therefore, as shown at the bottom of the image, the command `shutdown -r now` is issued to reboot the machine.
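As an added example (not from the course), a small bash script that makes the kernel-reboot decision automatically: it compares the running kernel from `uname -r` with the newest kernel package from `rpm -q kernel`. The version strings used as sample input are constructed in the CentOS 7 style.

```bash
#!/bin/bash
# Added example, not from the course: decide whether the reboot the note
# describes is needed by comparing the running kernel (`uname -r`) with the
# newest installed kernel package (`rpm -q kernel`). Version strings in the
# test inputs are constructed samples in the CentOS 7 style.

# newest_kernel: read `rpm -q kernel` lines on stdin and print the highest
# version, without the "kernel-" prefix so it matches `uname -r`.
newest_kernel() {
    sed 's/^kernel-//' | sort -V | tail -n 1
}

# kernel_reboot_needed RUNNING INSTALLED: RUNNING is `uname -r`, INSTALLED is
# the newline-separated `rpm -q kernel` output. Returns 0 when the newest
# installed kernel is not the one running (reboot needed), 1 otherwise.
kernel_reboot_needed() {
    local running="$1" newest
    newest=$(printf '%s\n' "$2" | newest_kernel)
    if [ -n "$newest" ] && [ "$running" != "$newest" ]; then
        echo "reboot needed: running $running, newest installed $newest"
        return 0
    fi
    echo "no reboot needed: running $running"
    return 1
}

# On the server, as root, right after `yum -y update`:
#   if kernel_reboot_needed "$(uname -r)" "$(rpm -q kernel)"; then shutdown -r now; fi
```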

No Updates Available

[Note] When No Updates are Available

Sometimes no updates are available. In that case, it's time to move on.

Figure 4.5. No Updates Available

Hostname

The next step in machine configuration is to establish the correct hostname for the machine. It's best if the name of the machine, as established from within the operating system, is the same as the hostname given in the RackSpace interface.

Figure 4.6. Hostname Configuration

Issuing the command `hostname`, first in the image above, prints the current hostname. If it is not correct, we will need to set it.

The second command issued above is `hostnamectl`. This command returns much more information about the system. Finally, the command `hostnamectl set-hostname <name-of-machine>` will set or change the name of the machine as needed. That should get it.[10]

Set the Correct Time Zone

We need to configure our server to have the correct time. This involves two steps: a) set the correct time zone, and b) enable time synchronization. The sequence of commands below shows how this is done.

    bob@intrepid ~/
    --> mv /etc/localtime /etc/localtime.bak                       (1)
        ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime   (2)
        systemctl start ntpd.service                               (3)
        systemctl enable ntpd.service                              (4)

(1) Back up the current time zone file.

(2) Create a link to the time zone of choice. You can take a look inside the /usr/share/zoneinfo directory for a listing of time zones. Choose the one that the machine resides in.

(3) Start the time synchronization service. It's typically installed by default but not always running.

(4) Enable the time synchronization service to start at boot time. This will automatically keep your server on the correct time.[11]

If you now issue the command `date`, you should see that the time zone has been adjusted and the time is correct.
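An added bash version of the time zone steps above (not the course's own script) that refuses bad zone names, keeps the backup, and lets you confirm what /etc/localtime now points to. ZONEINFO_DIR and LOCALTIME are assumed variable names so the functions can be tried against a scratch directory before touching /etc; on the server they keep their defaults.

```bash
#!/bin/bash
# Added example (not from the course): the time-zone step with checks.
# ZONEINFO_DIR and LOCALTIME are assumed names, parameterised so the
# functions can be exercised against a scratch directory.
ZONEINFO_DIR="${ZONEINFO_DIR:-/usr/share/zoneinfo}"
LOCALTIME="${LOCALTIME:-/etc/localtime}"

# zone_path ZONE: print the zoneinfo file for ZONE (e.g. America/Chicago);
# fail if ZONE is empty, absolute, contains "..", or has no file.
zone_path() {
    case "$1" in ''|/*|*..*) return 1 ;; esac
    [ -f "$ZONEINFO_DIR/$1" ] || return 1
    printf '%s/%s\n' "$ZONEINFO_DIR" "$1"
}

# set_timezone ZONE: back up the current LOCALTIME and link it to ZONE,
# the same mv/ln pair the course types by hand, but rejecting bad names.
set_timezone() {
    local f
    f=$(zone_path "$1") || { echo "unknown zone: $1" >&2; return 1; }
    [ -e "$LOCALTIME" ] && mv "$LOCALTIME" "$LOCALTIME.bak"
    ln -s "$f" "$LOCALTIME"
}

# current_zone: print the zone LOCALTIME points to, e.g. America/Chicago.
current_zone() {
    local target
    target=$(readlink "$LOCALTIME") || return 1
    printf '%s\n' "${target#"$ZONEINFO_DIR"/}"
}

# ntp_status: report whether ntpd is running now and enabled at boot
# (server only; systemctl is not exercised offline).
ntp_status() {
    printf 'active=%s enabled=%s\n' "$(systemctl is-active ntpd.service)" \
        "$(systemctl is-enabled ntpd.service)"
}
```

On the server, as root: `set_timezone America/Chicago && current_zone && ntp_status` after the two systemctl commands from the text.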

Adding a Regular User

We need to add a regular user to the system. There are several reasons for this step, one of them being that the superuser, root, is not the best account to use for login. In the initial steps of machine configuration it's necessary, but under production use the machine login should be changed. At this point, all we're going to do is add a regular user.[12]

Figure 4.7. Adding a User Image #1

There are two steps to adding a regular user, both shown in the screenshot above. Name your user as you see fit. Both commands must be run as the root user. The following list gives both steps.

  1. Issue the command `useradd <user>`.
  2. Issue the command `passwd <user>`.

When prompted, set the password for the new user account.

Firewall Introduction

Linux uses a firewall called iptables. The iptables service is best managed through a front end called firewalld. Typically, and by default, both of these facilities are installed and enabled when the machine is launched. Among the many functions iptables provides, restricting access is the one we will deal with. Every service listens on a specific numbered port, and the screenshots below show how the iptables firewall works with these ports.

Figure 4.8. Firewall Configuration Image #1

Figure 4.9. Firewall Configuration Image #2

The command issued is `iptables -vnL`. If the output looks daunting, don't be led astray. All we're interested in at this point is the line that says "tcp dpt:22 ctstate NEW". This means that port 22 is open and waiting for an SSH connection. That's how we're able to log in to the server. By the time we're finished with the course, we'll open several more ports. Having this firewall in place is like having a moat and thick walls around our castle. In essence, for every port that's opened, there's a bridge or window that's available.

Figure 4.10. Firewall Configuration Image #3

This last screenshot shows the output of the command `systemctl status firewalld`. The output is a snapshot of the firewall process as it's currently running. This command is helpful for troubleshooting firewall problems.
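As an added example, not part of the course, here is a short awk-based check that reads `iptables -vnL` output and lists exactly the ports accepting new connections, so you can confirm that only port 22 is open before and after you add services. The listing embedded below is constructed to mirror the default shown in the screenshots plus one extra HTTP rule.

```bash
#!/bin/bash
# Added example: summarise which ports an `iptables -vnL` listing accepts
# new connections on. Not part of the course; SAMPLE_IPTABLES is constructed
# to mirror a CentOS 7 firewalld default (SSH only) plus one HTTP rule.

# open_ports: read `iptables -vnL` output on stdin, print "proto/port" for
# every ACCEPT rule matching new connections to a destination port.
# In the -v layout column 3 is the target and column 4 the protocol.
open_ports() {
    awk '$3 == "ACCEPT" && /ctstate NEW/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dpt:/) { split($i, p, ":"); print $4 "/" p[2] }
    }'
}

# port_is_open PROTO PORT: exit 0 if the listing on stdin opens PROTO/PORT.
port_is_open() {
    open_ports | grep -qx "$1/$2"
}

SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  512 40960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    3   180 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW'

# On the real server, as root:  iptables -vnL | open_ports
printf '%s\n' "$SAMPLE_IPTABLES" | open_ports
```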

SELinux

Configuration of SELinux is beyond the scope of this course. Indeed, SELinux is a study all to itself. For the purpose of this course we will run SELinux in Permissive or Disabled mode. First we need to verify the status of SELinux. See this footnote for more information about SELinux.[13]

Figure 4.11. SELinux Configuration Image #1

The image above shows the output of the command `getenforce`. The output should be as shown, Permissive or Disabled. If it is Enabled, it will need to be reset. Go through the following list.

  1. Issue the command `getenforce` - see image above.
  2. If the return output says either Permissive or Disabled, you are finished. You can skip the rest of this section.
  3. If the return output says Enabled, we need to set it to Permissive. Perform the next two steps.
  4. To disable SELinux, issue the command `vi /etc/sysconfig/selinux` and edit the file according to the instructions given within the file. When finished, the entry should look like either of the screenshots below.
  5. Reboot the machine: `shutdown -r now`

Figure 4.12. SELinux Configuration Image #2

Figure 4.13. SELinux Configuration Image #3
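An added example (not from the course) that turns the decision list above into a script. `getenforce` prints Enforcing, Permissive or Disabled; the config file sample is constructed from the standard layout of /etc/sysconfig/selinux, and the output mentions `setenforce 0`, a real command that switches a running system to Permissive immediately, which the course itself does not use.

```bash
#!/bin/bash
# Added example, not part of the course: decide what to do with SELinux
# given the runtime mode (output of `getenforce`: Enforcing, Permissive or
# Disabled) and the contents of /etc/sysconfig/selinux.

# config_mode: read the selinux config on stdin and print the SELINUX= value
# in lower case (comment lines ignored, last assignment wins).
config_mode() {
    awk -F= '/^[ \t]*SELINUX[ \t]*=/ { gsub(/[ \t]/, "", $2); v = tolower($2) }
             END { print v }'
}

# selinux_plan RUNTIME CONFIG_TEXT: print the next step toward the course's
# goal (Permissive or Disabled), following the section's decision list.
selinux_plan() {
    local runtime="$1" configured
    configured=$(printf '%s\n' "$2" | config_mode)
    case "$runtime" in
        Permissive|Disabled)
            echo "done: SELinux is $runtime" ;;
        Enforcing)
            if [ "$configured" = "enforcing" ] || [ -z "$configured" ]; then
                echo "edit: set SELINUX=permissive in /etc/sysconfig/selinux, then shutdown -r now"
            else
                echo "reboot: config already says $configured but runtime is Enforcing (setenforce 0 applies it now)"
            fi ;;
        *)
            echo "unknown getenforce output: $runtime"; return 2 ;;
    esac
}

# Constructed sample in the layout of /etc/sysconfig/selinux.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Live use, as root:  selinux_plan "$(getenforce)" "$(cat /etc/sysconfig/selinux)"
selinux_plan Enforcing "$SAMPLE_CONFIG"
```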

Machine Configuration Check Point

When you finish the steps above, send me an email with the name and password of your regular user. I will log in to the machine as that user to verify that we are on track.



[10] The command hostnamectl is new to RHEL/CentOS 7, and is part of the rich feature set that comes with systemd. For more info, including a look at the many options available, issue the command `man hostnamectl`.

[11] The command systemctl is new to RHEL/CentOS 7, similar to hostnamectl, above. Again, it's part of systemd, and it's a far-reaching command. For more info issue the command `man systemctl`.

[12] Public-facing servers, particularly web servers, are prone to a variety of attacks. For a brief outline of just one of the maladies one faces, see Script Kiddie on Wikipedia. One of the industry's most recommended practices is to not log in via the root account. In the interest of simplicity, we will not be stressing that practice at this time. If you would like to see how to implement this practice, see the section called "SSH Extras".

[13] What is SELinux? Simply put, it's fine-grained security tuning established by the NSA. See SELinux on Wikipedia and National Security Agency Security-Enhanced Linux for more information.