CentOS is a flexible operating system based on the commercial Red Hat Enterprise Linux distribution. The main advantages of CentOS for VPS are considered to be its simplicity, elegance, and convenience at all levels of interaction, from installation to setting up firewall filters. In addition, this operating system is regularly supplied with updates and innovations, especially in the field of security. In terms of security and safety, VPS with CentOS surpasses almost all similar free operating systems.
Updates are downloaded and installed on this operating system with the built-in yum program, which fetches the necessary data directly from the CentOS Mirror Network repositories. To get all the latest updates immediately after installation, open the server control panel, go to the "Console" tab, log in and run a single command:
Remember that yum is the package manager in all versions before CentOS 8, which switched to dnf. If you have CentOS 8 or newer, use dnf. The command is similar:
dnf has a simple and intuitive syntax with a standard structure:
# dnf [parameters] [command] packages_names-or-groups
You can also keep using the yum command if you wish: on CentOS 8 it is still available as a compatibility wrapper around dnf.
Updating the kernel and system utilities by hand is a thankless task, even if it takes little time. To ensure that your VPS with CentOS on HostZealot is always reliably protected and receives all the latest updates quickly, it is recommended to set up automatic system updates. In CentOS 7, for example, the yum-cron utility is used for this purpose. It can be installed from the standard repository:
yum install yum-cron
When the installation is complete, the utility creates jobs in /etc/cron.daily and /etc/cron.hourly. By default it only downloads the latest updates from the configured repositories; they still have to be installed by the administrator.
yum-cron is configured through the files /etc/yum/yum-cron.conf and /etc/yum/yum-cron-hourly.conf. There you can set the notification parameters, configure a third-party mail server, and so on.
For CentOS 8 the situation is a bit different: the dnf-automatic program automates updates, and it can be installed with a simple command:
yum install dnf-automatic
After installation, first check which systemd timers exist for the automatic update check:
systemctl list-timers '*dnf-*'
If the timer is not active, enable and start it manually:
systemctl enable --now dnf-automatic.timer
By default, the system will check for updates once a day, one hour after the VPS has booted. If necessary, you can change these values in the configuration file /etc/systemd/system/multi-user.target.wants/dnf-automatic.timer.
The dnf-automatic configuration file, /etc/dnf/automatic.conf, controls whether updates are only downloaded or also applied. By default they are only downloaded and you have to install them manually; the file can be changed so that the system does both without user intervention.
The first thing to do is to check the current date, time and time zone with the standard command:
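As an added example (not part of the original article), the following script switches a copy of automatic.conf from download-only to download-and-apply mode; the configuration path is passed as an argument, and the sample file contents are constructed to mirror the shipped defaults.

```bash
#!/bin/bash
# Added example, not from the article: switch /etc/dnf/automatic.conf from
# "download only" to "download and apply". The config path is an argument so
# the change can be tried on a copy first. Assumes the stock [commands] keys
# download_updates and apply_updates are present, as in the shipped file.
set -eu

# Rewrite the two keys inside [commands] only; other sections are untouched.
enable_auto_apply() {
    conf="$1"
    awk '
        /^\[/ { section = $0 }
        section == "[commands]" && /^[ \t]*download_updates[ \t]*=/ { print "download_updates = yes"; next }
        section == "[commands]" && /^[ \t]*apply_updates[ \t]*=/    { print "apply_updates = yes"; next }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the value of a key from the [commands] section (empty if absent).
commands_value() {
    awk -v key="$2" '
        /^\[/ { section = $0 }
        section == "[commands]" && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print
        }
    ' "$1"
}

# Constructed sample mirroring the shipped default: downloads, never applies.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[commands]
upgrade_type = default
random_sleep = 300
download_updates = yes
apply_updates = no

[emitters]
emit_via = stdio
EOF

echo "before: apply_updates = $(commands_value "$demo_conf" apply_updates)"
enable_auto_apply "$demo_conf"
echo "after:  apply_updates = $(commands_value "$demo_conf" apply_updates)"
```

dnf-automatic also ships a dnf-automatic-install.timer that always applies updates regardless of this setting, so enabling that timer instead of dnf-automatic.timer is the alternative to editing the file.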
If necessary, you can change the time zone using the utility included in the system:
timedatectl set-timezone America/New_York   # set the New York time zone (zone names are case-sensitive)
Next, we check the status of the time update services with the command:
On CentOS, time synchronization over the Internet is handled by the chrony service, which is installed by default. The exception is minimal CentOS installations, from which almost everything non-essential has been stripped; there, chrony can be installed from the repository:
yum install chrony
After that, start the service and add it to autostart. Enter the two commands in turn:
systemctl start chronyd
systemctl enable chronyd
You can check the status of the software with the command:
systemctl status chronyd
The lines of interest are System clock and NTP service: the first should say "yes" and the second "active". With chronyd running, your VPS keeps its time synchronized over the Internet automatically.
The VPS can be protected from most types of threats by controlling incoming and outgoing traffic. This is done with the iptables firewall, which is available in CentOS by default. You can see the rules currently in force with the command:
iptables -L -v -n
On CentOS 7 and 8, the firewall function is performed by firewalld, managed with the firewall-cmd utility, which is essentially a convenient front end to iptables. Rule groups are managed through elements called zones. Each zone is a set of rules defining what traffic is permitted for a given level of trust in the network. FirewallD has nine zones:
You can see which zone is selected now by using the command:
iptables works in a similar way, but to manage the rules with it directly you need to stop and disable the firewalld front end first:
systemctl stop firewalld
systemctl disable firewalld
Then install the package needed to run iptables as a service:
yum install iptables-services
And enable it to start at boot:
systemctl enable iptables
Now create the file /etc/iptables.sh and add the following rules to it:
#!/bin/bash
# Path to the iptables binary and the name of the public (WAN) interface.
# The interface name is an assumption: check yours with "ip link" and adjust.
IPT=/sbin/iptables
WAN=eth0
# Clear all existing rules and user-defined chains in every table, so the script can be re-run safely
$IPT -F
$IPT -X
$IPT -F -t nat
$IPT -F -t mangle
$IPT -t nat -X
$IPT -t mangle -X
# Default policies: drop everything that is not explicitly allowed below
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Allow loopback traffic and all outgoing traffic on the WAN interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o $WAN -j ACCEPT
# Allow packets that belong to already established connections
$IPT -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
# Clamp the TCP MSS of forwarded connections to the path MTU
$IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Drop malformed packets and new TCP connections that do not start with SYN
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# Allow the ICMP types needed for ping and path MTU discovery
$IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Open the SSH, HTTP and HTTPS ports on the WAN interface
$IPT -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $WAN -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $WAN -p tcp --dport 443 -j ACCEPT
# Everything else goes to chains that log the packet and then drop it
$IPT -N undef_in
$IPT -N undef_out
$IPT -N undef_fw
$IPT -A INPUT -j undef_in
$IPT -A OUTPUT -j undef_out
$IPT -A FORWARD -j undef_fw
$IPT -A undef_in -j LOG --log-level info --log-prefix "-- IN -- DROP "
$IPT -A undef_in -j DROP
$IPT -A undef_out -j LOG --log-level info --log-prefix "-- OUT -- DROP "
$IPT -A undef_out -j DROP
$IPT -A undef_fw -j LOG --log-level info --log-prefix "-- FW -- DROP "
$IPT -A undef_fw -j DROP
# Save the rules so the iptables service restores them at boot
/sbin/iptables-save > /etc/sysconfig/iptables
This self-written script can be modified and optimized for your needs. It can also be used as is; it makes the VPS more secure in any case.
Make the script file executable with the command:
chmod 0740 /etc/iptables.sh
Before finishing, check and make sure that the rules have been applied using the same command we mentioned at the beginning of this section.
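Once the script is in place, the LOG rules in its undef_in chain record every dropped inbound packet in the kernel log with the "-- IN -- DROP " prefix. The following added example (not from the article) summarizes those entries from a constructed log extract; the interface name and the addresses in it are made up.

```bash
#!/bin/bash
# Added example, not from the article: summarise what the iptables script's
# "-- IN -- DROP " LOG rule records, so the drops become a detection signal
# rather than noise. Reads rsyslog-style kernel lines (as CentOS writes them
# to /var/log/messages) from the file given as argument.
set -eu

# Print "count src dport" for every inbound dropped packet, busiest first.
summarize_in_drops() {
    grep -- '-- IN -- DROP ' "$1" | awk '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn -k1,1
}

# Sources that probed more than N distinct ports: a crude port-scan indicator.
scanners() {
    summarize_in_drops "$1" | awk -v limit="$2" '
        { ports[$2]++ }
        END { for (s in ports) if (ports[s] > limit) print s }
    ' | sort
}

# Constructed sample log, using documentation address ranges.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Mar  3 10:15:02 vps kernel: -- IN -- DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=40123 DPT=3389 SYN
Mar  3 10:15:03 vps kernel: -- IN -- DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=40124 DPT=8080 SYN
Mar  3 10:15:03 vps kernel: -- IN -- DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=40125 DPT=23 SYN
Mar  3 10:15:09 vps kernel: -- IN -- DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=40126 DPT=3389 SYN
Mar  3 10:16:40 vps kernel: -- IN -- DROP IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=51000 DPT=3389 SYN
Mar  3 10:17:01 vps kernel: -- OUT -- DROP IN= OUT=eth0 SRC=198.51.100.10 DST=203.0.113.9 LEN=60 PROTO=UDP SPT=5353 DPT=5353
EOF

summarize_in_drops "$sample_log"
scanners "$sample_log" 2
```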
Let's take CentOS 7 as an example of how to add a software repository to the system. Repository files are stored in the directory /etc/yum.repos.d/; you can list this directory with the command:
A separate file with this syntax is usually created for each repository:
So, to add a repository in CentOS, you only have to place a repository configuration file in that directory. For example, like this:
name=Extras packages for CentOS 7.4.1708 for x86_64
Many repository sites offer ready-made release packages and an install command, which makes things much easier. For example, to add the NUX Dextop repository on CentOS 7, all you have to do is type this command:
yum install -y http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm
The utility does everything automatically and downloads the necessary data. In the same way you can install the popular REMI, RPMfusion, Adobe and other repositories. For most tasks even one repository will be enough.
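A third-party repository is only as trustworthy as its signature checking, so after adding one it is worth confirming that gpgcheck=1 and a gpgkey are set for it. The following added example (not from the article) audits the .repo files in a directory for exactly that; the sample files and the hostnames in them are constructed.

```bash
#!/bin/bash
# Added example, not from the article: audit every .repo file in a directory
# and list the enabled repositories that do not verify package signatures,
# i.e. lack gpgcheck=1 or a gpgkey. The directory is an argument so it can be
# tried on a copy of /etc/yum.repos.d first.
set -eu
# Prints "file section" for each enabled section without full signature checking.
audit_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            # yum treats a missing "enabled" as enabled=1, so default to that.
            function report() {
                if (sec != "" && enabled != "0" && (gpgcheck != "1" || gpgkey == ""))
                    print file, sec
            }
            /^[ \t]*\[/ { report(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
                          enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
            /^[ \t]*#/ { next }
            /^[ \t]*enabled[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); enabled = $0 }
            /^[ \t]*gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); gpgcheck = $0 }
            /^[ \t]*gpgkey[ \t]*=/   { sub(/^[^=]*=[ \t]*/, ""); gpgkey = $0 }
            END { report() }
        ' "$f"
    done
}
# Constructed sample directory: one well-formed repo file, one third-party file.
repo_dir=$(mktemp -d)
cat > "$repo_dir/extras.repo" <<'EOF'
[extras]
name=Extras packages for CentOS 7.4.1708 for x86_64
baseurl=http://mirror.example.invalid/centos/7/extras/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
cat > "$repo_dir/third-party.repo" <<'EOF'
[vendor]
name=Constructed third-party repository, signatures not checked
baseurl=http://repo.example.invalid/el7/x86_64/
enabled=1
gpgcheck=0

[vendor-testing]
name=Disabled section, so not reported
baseurl=http://repo.example.invalid/el7-testing/x86_64/
enabled=0
gpgcheck=0
EOF
audit_repos "$repo_dir"
```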
The standard OS settings have several limitations that make the command history less convenient. First, only the last 1000 commands are logged. Second, the date and time at which each command was entered are not recorded. Third, some commands are not worth storing at all, but by default the system saves absolutely every command.
The history is kept in the file ~/.bash_history, which you can open in any editor. Or, even simpler, type a command into the console:
You will be presented with a list that you can filter with other commands. For example, you can select all runs of yum with:
history | grep yum
So, here are some useful tweaks to make the command history more convenient. You can increase the size of the stored history by adding the following lines to the ~/.bashrc file:
It is also useful to stop recording a command that was entered several times in a row. Add the line:
It is also recommended to exclude the ls, ps and history commands from the history, with additional options:
Finally, make the history output also show the date and time at which each command was executed. Add the line:
export HISTTIMEFORMAT='%d.%m.%Y %H:%M:%S: '
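As an added example (not from the article), the following script writes the history settings from this section into an rc file exactly once and checks them in a fresh shell; the HISTSIZE and HISTFILESIZE values and the HISTIGNORE patterns are assumptions, since the article gives only the HISTTIMEFORMAT line.

```bash
#!/bin/bash
# Added example, not from the article: write the history settings discussed
# above into a given rc file exactly once (re-running must not duplicate them),
# then verify they take effect in a fresh shell. The HISTSIZE/HISTFILESIZE
# values and the HISTIGNORE patterns are assumptions; the article gives only
# the HISTTIMEFORMAT line.
set -eu

marker='# history settings (managed block)'

add_history_settings() {
    rc="$1"
    # Idempotent: if the marker is already present, leave the file alone.
    grep -qF "$marker" "$rc" 2>/dev/null && return 0
    cat >> "$rc" <<'EOF'
# history settings (managed block)
export HISTSIZE=10000              # commands kept in memory (assumed value)
export HISTFILESIZE=20000          # commands kept in ~/.bash_history (assumed)
export HISTCONTROL=ignoredups      # collapse a command repeated back to back
export HISTIGNORE='ls*:ps*:history*'   # noise commands not worth recording (assumed patterns)
export HISTTIMEFORMAT='%d.%m.%Y %H:%M:%S: '   # timestamp every entry
EOF
}

# Source the rc file in a clean shell and print one variable, so the check
# sees what a new login shell would see.
effective_setting() {
    sh -c ". \"$1\"; printf '%s' \"\$$2\""
}

rc_file=$(mktemp)
add_history_settings "$rc_file"
add_history_settings "$rc_file"   # second run must be a no-op
echo "HISTTIMEFORMAT is now: $(effective_setting "$rc_file" HISTTIMEFORMAT)"
```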
Once all the necessary changes have been made to the file, apply them in the current session by entering source ~/.bashrc. That's all, thanks for your attention and see you soon!