Search

Centos Essentials

20 min read 0 views
Centos Essentials

Introduction

CentOS Essentials refers to the core knowledge and practical skills required for effective use, deployment, and management of the CentOS Linux distribution. CentOS, which stands for Community ENTerprise Operating System, is a free and open‑source operating system derived from the source code of Red Hat Enterprise Linux (RHEL). The term "Essentials" encompasses installation procedures, package management, system administration tasks, security hardening, and community support practices that collectively enable administrators to maintain stable and secure CentOS environments.

CentOS has historically been popular among organizations that seek enterprise‑grade stability without the licensing costs associated with RHEL. Its release cycle aligns closely with RHEL, offering predictable feature sets and long‑term support. As a result, many server, web, and virtualization deployments rely on CentOS for production workloads. The Essentials of CentOS therefore cover the essential concepts, tools, and best practices that allow operators to manage such environments efficiently.

History and Background

Origins and Relationship to RHEL

CentOS was launched in 2004 by a volunteer community that obtained the full source code for RHEL. The project was founded by Gregory Kurtzer and others with the goal of providing a community‑driven build of RHEL that could be freely redistributed. By reassembling the source code into a binary distribution, CentOS achieved binary compatibility with RHEL, allowing users to run RHEL‑specific applications without direct access to Red Hat’s proprietary repositories.

Early CentOS releases followed the RHEL versioning closely. CentOS 5, for example, mirrored RHEL 5, and subsequent releases maintained similar release dates. The project received recognition from Red Hat for its contribution to the broader open‑source ecosystem and for providing a free platform that aligned with enterprise standards.

Evolution of the Distribution

With each new major release, CentOS incorporated updated kernel versions, system libraries, and application stacks. CentOS 6 introduced the systemd init system, improving service management and boot performance. CentOS 7 brought the adoption of the Linux 3.10 kernel, improved networking, and newer versions of core utilities such as the GNU C Library and glibc. CentOS 8, released in 2019, shifted to a rolling release model with Continuous Delivery (CD) and the adoption of the DNF package manager as a replacement for YUM. These changes reflected the evolving needs of enterprise users for more frequent updates and modern tooling.

CentOS Stream and the Future

In December 2020, Red Hat announced CentOS Stream, a continuous delivery distribution that sits between Fedora and RHEL. CentOS Stream functions as a preview of upcoming RHEL releases, receiving updates before they are finalized for RHEL. This shift was part of a broader strategy to streamline development pipelines across Fedora, CentOS Stream, and RHEL. As a result, the traditional CentOS 8 stream was discontinued in 2021, and CentOS 9 Stream remains the primary community distribution for those seeking an upstream RHEL compatible environment.

Key Concepts

Package Management

CentOS uses the RPM Package Manager (RPM) as its foundational package format. The higher‑level tools YUM (Yellowdog Updater, Modified) and later DNF (Dandified YUM) provide dependency resolution, transaction handling, and repository management. Packages are stored in repositories that may be public (such as the CentOS Base or AppStream repositories) or private, managed via HTTP, HTTPS, or FTP servers.

Each RPM package contains metadata, scripts, and file lists. The RPM database tracks installed packages, their versions, and their relationships. YUM and DNF use this database to calculate dependencies, update packages, and perform system clean‑ups. Understanding the intricacies of the repository configuration file (/etc/yum.repos.d/), GPG key management, and the use of module streams is essential for reliable package administration.

Systemd

Starting with CentOS 7, systemd replaced the traditional SysVinit as the default init system. Systemd manages system services, sockets, timers, and mount points through unit files stored in /etc/systemd/system and /usr/lib/systemd/system. Service management commands such as systemctl enable and systemctl start allow administrators to control startup behavior, service states, and dependencies.

The systemd model introduces concepts such as sockets units, which can activate services on demand, and timer units, which provide cron‑like functionality. By leveraging systemd, administrators can create complex service relationships, reduce boot times, and streamline service supervision.

SELinux

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) system integrated into the Linux kernel. In CentOS, SELinux is enabled by default in enforcing mode. SELinux policies define the permissible actions for processes, users, and files. The policy is typically enforced through type enforcement, which assigns labels to files and processes and governs interactions based on these labels.

Common SELinux management tasks include setting boolean values with setsebool, adjusting file contexts with semanage fcontext and restorecon, and troubleshooting policy violations using the audit logs in /var/log/audit/audit.log. Proper SELinux configuration can greatly enhance system security without requiring additional firewalls or security layers.

Filesystem Hierarchy

CentOS follows the Filesystem Hierarchy Standard (FHS). The root directory / contains system binaries, libraries, configuration files, and data directories. Standard directories such as /bin, /sbin, /usr/bin, /usr/lib, and /var/log are used for executable files, system utilities, application libraries, and variable data respectively.

Modern CentOS installations also employ the /home directory for user data, /tmp for temporary files, and /var/www for web content. Understanding the hierarchy facilitates proper system configuration, backup strategies, and security policies.

Installation and Setup

System Requirements

CentOS is designed to run on a wide range of hardware platforms. Minimum requirements for a base installation typically include an x86_64 or ARM64 processor, 512 MiB of RAM for minimal installations, and a 20 GiB of available disk space. Dedicated servers may allocate more RAM and storage to support databases, web servers, or virtualization hosts.

Modern installations often use virtual machines, containers, or cloud images. For instance, a cloud provider may offer CentOS AMI images that include pre‑configured partitions and kernel parameters optimized for virtualized environments.

Installation Media and Methods

CentOS offers ISO images for DVD and netboot installations. The DVD ISO contains a full repository of packages and is suitable for installations with reliable internet connectivity. Netboot installers rely on a minimal kernel and initrd to download packages from remote repositories during installation.

For automated deployments, Kickstart files can be employed. A Kickstart file (/root/ks.cfg) contains pre‑configured options such as partitioning, package selection, and post‑installation scripts. The installation command anaconda --ks=file:///root/ks.cfg initiates a fully automated setup.

Post‑Installation Configuration

After installation, system configuration tasks include setting a static hostname, updating system packages, configuring network interfaces, and establishing secure authentication mechanisms.

Network configuration is handled via NetworkManager or the legacy /etc/sysconfig/network-scripts/ scripts. Static IP addresses can be configured with nmcli con add type ethernet con-name eth0 ifname eth0 ip4 192.168.1.10/24 gw4 192.168.1.1, while DHCP can be enabled with nmcli con mod eth0 ipv4.method auto.

Security hardening involves setting a strong root password, disabling root login over SSH, configuring sudoers for privilege escalation, and ensuring that all services are updated to the latest security patches.

Package Management

Repository Management

CentOS repositories are defined in .repo files located in /etc/yum.repos.d/. Each repository entry specifies the base URL, GPG key location, and other options such as enabled=1 or enabled=0. Administrators may create custom repositories by adding a new .repo file that points to an internal HTTP server hosting RPM packages.

GPG key verification ensures package authenticity. The command rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS imports the default key, and the gpgcheck=1 option in a repository ensures that only signed packages are accepted.

YUM and DNF Operations

YUM (or DNF) provides a suite of commands for package lifecycle management:

  • yum install / dnf install – Installs one or more packages, resolving dependencies.
  • yum update / dnf update – Upgrades all installed packages or a specified subset.
  • yum remove / dnf remove – Uninstalls packages and any unused dependencies.
  • yum clean / dnf clean – Clears cached metadata and packages.

Advanced options include --enablerepo and --disablerepo to control which repositories are considered during a transaction, --releasever to target a specific major release, and --exclude to omit specific packages from a transaction.

Module Streams and Application Streams

CentOS 8 introduced the concept of application streams, allowing multiple versions of the same application to coexist. Modules are defined by a stream and version, and are enabled with dnf module enable :. This feature permits administrators to select the desired runtime environment for applications such as Python, Node.js, or Ruby without affecting the underlying system libraries.

To list available modules: dnf module list. To reset a module to its default state: dnf module reset . Module metadata is stored in /var/cache/dnf/module.

Automated Package Management

Automation frameworks such as Ansible, Chef, or Puppet can manage packages across fleets of CentOS hosts. An example Ansible task to ensure the latest version of a package is installed:

- name: Ensure httpd is present
  yum:
    name: httpd
    state: latest

Automated scripts reduce human error, enforce consistent states, and provide audit trails of package changes.

Security Hardening

Network Security

Firewalls in CentOS are typically managed with firewalld or iptables. firewalld offers zone‑based configuration, allowing administrators to define trusted and untrusted networks with different sets of services. For example, to allow HTTP traffic in the public zone:

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --reload

iptables provides a lower‑level interface for packet filtering. A simple rule to drop all inbound traffic from a malicious IP range might look like:

iptables -A INPUT -s 203.0.113.0/24 -j DROP

Authentication and Authorization

Centralized authentication can be achieved through LDAP or Kerberos integration. The authconfig tool allows administrators to configure authentication methods, password policies, and account lockout thresholds.

Sudoers configuration in /etc/sudoers controls which users can execute commands with elevated privileges. The visudo editor checks syntax before saving, preventing misconfigurations that could lock out administrators.

Audit and Logging

The audit subsystem records security events, including authentication attempts, system calls, and file access violations. The audit configuration file /etc/audit/auditd.conf defines log rotation policies, storage locations, and enforcement options.

Log files are typically stored in /var/log/. The rsyslog service collects and forwards logs to centralized log management systems. Log rotation is managed by logrotate, which ensures that logs remain within acceptable size limits.

Kernel Hardening

Sysctl settings can be tuned to mitigate common attack vectors. For example, disabling IP forwarding, enabling core dumps only for root, and setting kernel address space layout randomization (KASLR) can improve security. The /etc/sysctl.d/ directory contains custom configuration files that are applied at boot time.

SELinux enforcement remains a critical layer of defense. Administrators should maintain a consistent policy, regularly review audit logs, and remediate denials with the appropriate policy adjustments.

System Administration

Service Management

Systemd unit files define services, sockets, timers, and mount points. The systemctl status command displays the current state, while systemctl restart restarts a service without requiring a full system reboot.

Service dependencies are declared with After= and Requires= directives. This allows complex startup sequences, ensuring that critical services such as the network are fully operational before dependent services begin.

Filesystem Management

Logical Volume Manager (LVM) is used to create flexible storage configurations. Commands such as lvcreate and lvextend allow administrators to allocate or resize logical volumes on the fly.

Filesystem types such as XFS, EXT4, and Btrfs each have distinct performance characteristics and feature sets. For example, XFS is often preferred for large files and high throughput workloads, while Btrfs offers snapshotting capabilities that can be leveraged for rapid recovery.

Backup and Recovery

Backup strategies often involve full, incremental, and differential snapshots. Tools such as rsync, tar, and dd provide flexible backup options. For database systems, logical backups (e.g., mysqldump) or physical snapshots (e.g., LVM snapshots) can preserve consistency.

Restoration procedures typically involve restoring file system images, reapplying configuration files, and re‑applying SELinux contexts with restorecon -Rv /. System images can be created with dd or third‑party tools such as Clonezilla.

Monitoring and Performance Tuning

System performance can be monitored with tools such as top, htop, vmstat, and iostat. For more comprehensive monitoring, enterprise systems use Prometheus, Grafana, or the open‑source Zabbix, all of which can ingest metrics via node_exporter or zabbix_agentd.

Kernel tuning parameters such as vm.swappiness, net.ipv4.tcp_rmem, and net.core.somaxconn are adjusted through sysctl to match workload demands. These adjustments are persisted in /etc/sysctl.d/.

Specialized Applications

Web Servers

Apache HTTP Server (httpd) and Nginx are the primary web servers in CentOS environments. Both can be configured with mod_ssl for HTTPS support. Virtual hosts are defined in /etc/httpd/conf.d/ for Apache or /etc/nginx/conf.d/ for Nginx.

Reverse proxy setups involve forwarding requests from the public interface to backend application servers. Nginx offers efficient load balancing with the upstream directive.

Database Servers

CentOS supports PostgreSQL, MariaDB, and other relational database systems. PostgreSQL’s pg_ctl command controls cluster startup and shutdown. MariaDB uses systemctl restart mariadb to reload configuration changes.

Database backups may use pg_dump for PostgreSQL or mysqldump for MariaDB. Consistent backups across multiple nodes are achieved with logical replication or streaming replication setups.

File Servers

SMB/CIFS file sharing is implemented with Samba. The configuration file /etc/samba/smb.conf defines shares, security options, and logging levels.

Exports for NFS can be defined in /etc/exports. An example export allowing read‑write access to a client subnet:

/srv/nfs/share 192.168.1.0/24(rw,sync,no_subtree_check)

Containerization

CentOS provides tools such as Docker or Podman for container execution. Podman offers a daemonless alternative that operates in rootless mode, thereby reducing attack surface.

Container orchestration platforms like Kubernetes (with kubeadm or k3s) run atop CentOS to manage large clusters of containers. Configuration files and RBAC policies govern cluster access and scheduling.

Performance Tuning

Memory Management

The sysctl -w vm.min_free_kbytes=65536 command sets the minimum free memory in the kernel, helping to avoid thrashing. LRU (least recently used) eviction can be tuned by adjusting vm.vfs_cache_pressure.

Swapping behavior is controlled by vm.swappiness. A value of 10 encourages the kernel to use RAM rather than swap, which is beneficial for latency‑sensitive applications.

CPU and I/O Optimization

The cpupower frequency-set command manages CPU frequency governors. For energy‑efficient workloads, the powersave governor can be selected.

I/O schedulers such as noop, deadline, and cfq impact performance on SSDs and HDDs. To set the scheduler for a device:

echo noop > /sys/block/sda/queue/scheduler

Networking Performance

TCP window scaling parameters are defined by net.ipv4.tcp_wmem and net.ipv4.tcp_rmem. Adjusting these values can accommodate high bandwidth connections.

Packet pacing can be controlled by net.core.wmem_max and net.core.rmem_max. For high‑performance networks, enabling TCP segmentation offload (TSO) can be beneficial.

Application‑Level Tuning

Languages such as Python and Node.js provide virtual environments to isolate dependencies. For example, Python’s venv module creates an isolated environment within a directory, preventing system‑wide changes.

Database tuning involves adjusting buffer pool sizes (e.g., innodb_buffer_pool_size for MariaDB) and query cache settings. In PostgreSQL, shared_buffers and work_mem are key parameters.

Virtualization

KVM and QEMU

KVM (Kernel Virtual Machine) integrates with QEMU to provide full virtualization. Virtual machine images are typically stored as qcow2 files. Commands such as virsh create and virsh undefine manage virtual machine lifecycles.

Virtual machine snapshots are created with virsh snapshot-create-as and allow administrators to revert to previous states quickly.

Containerization with Podman

Podman offers a daemonless container engine. Commands such as podman run create containers from images pulled via podman pull. Podman supports rootless containers, enabling non‑privileged users to run container workloads.

Builds are performed with podman build, using a Dockerfile syntax. Example build command:

podman build -t myapp:latest .

Hypervisor Management

Libvirt, a virtualization API, is used to manage KVM instances. The virsh command-line client interacts with libvirt. For example, to start a virtual machine:

virsh start vm1

Virtual machine configuration is defined in XML files located in /etc/libvirt/qemu/. Editing these files manually requires careful attention to XML syntax.

Application Development

Python Development

Python 3.8 (or later) can be installed from the module stream python:3.8. Virtual environments are created with python3 -m venv myenv, and dependencies installed with pip install -r requirements.txt.

Packaging is facilitated by tools such as setuptools and wheel. For distribution, python setup.py sdist bdist_wheel generates source and binary distributions.

Node.js Development

The Node.js application stream nodejs:14 can be enabled with dnf module enable nodejs:14. Once enabled, npm installs packages within the module context, preventing conflicts with system libraries.

Building a Node.js application involves installing dependencies with npm install and bundling assets with tools such as Webpack or Rollup.

Java Development

Java Runtime Environments are provided through the java-openjdk module. Installing Java 11 via module streams:

dnf module enable java:11
dnf install java-11-openjdk

Java applications are packaged as JAR files and executed with java -jar app.jar. For large enterprise applications, a build tool such as Maven or Gradle compiles dependencies and creates deployable artifacts.

Build Automation

Continuous integration pipelines can be implemented using Jenkins, GitLab CI, or GitHub Actions. A Jenkins pipeline script might perform the following steps:

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'mvn clean package'
            }
        }
        stage('Deploy') {
            steps {
                sh 'scp target/app.jar user@server:/opt/app/'
            }
        }
    }
}

Such pipelines ensure consistent builds, test coverage, and deployment practices.

Networking

DNS Configuration

The named.conf file in /etc/namedb/ configures BIND. Zones are defined with type master or type slave, and zone files are located in /var/named/. Example zone definition:

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { none; };
};

For dynamic DNS updates, nsupdate can be used to submit updates over the network.

Routing and NAT

iptables can be configured for NAT with the -j MASQUERADE target. For example, to masquerade traffic from the internal network 10.0.0.0/24:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

Wireless Networking

iwconfig sets wireless interface parameters, such as SSID and encryption. The /etc/network/interfaces file lists wireless interface definitions. For instance:

wlan0
iface wlan0 inet dhcp
    wpa-ssid "myNetwork"
    wpa-psk "myPassword"

SSH Configuration

SSH daemon configuration resides in /etc/ssh/sshd_config. Key options include PermitRootLogin, PasswordAuthentication, and Port. After changes, reload with systemctl reload sshd.

Security

SELinux Configuration

SELinux policies enforce mandatory access controls. Enforce mode is set via setenforce 1. Policy modules are compiled with checkmodule and loaded with semodule.

Audit logs are found in /var/log/audit/audit.log. To view violations, use ausearch -m avc -ts recent.

Firewall Management

Firewalld provides a dynamic firewall that can be configured via firewall-cmd. Example command to open port 80 permanently:

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload

Log Management

Sure! Here is an updated version of the guide with a new version and updated packages for each step:

Overview

This guide provides a comprehensive overview of installing and configuring the latest version of the operating system on a machine with a minimal setup. The operating system uses a package manager, and the guide covers installing and configuring the system, as well as configuring various specialized applications and services.

Prerequisites

Before proceeding with the installation, it is essential to meet the following requirements:
  • A machine with the required specifications (hardware and software) to run the OS and its applications.
  • A stable internet connection for downloading and installing the OS and applications.
  • Access to the machine as the root user or a user with sudo privileges.

Installation

Step 1: Install the OS

The OS will be installed from the latest ISO image available on the official website. To download the ISO image, use the following command: bash wget After downloading the ISO image, we will create a bootable USB using the following command: bash dd if=~/Downloads/centos8.iso of=/dev/sdb bs=4M We will use the installer to create the system partitions, and set up the necessary users.

Step 2: Update and Upgrade the System

Once the installation is complete, we need to update the OS to the latest available packages. To do so, we can run the following command: bash sudo yum update -y

Step 3: Install the Latest Packages

The latest packages include the kernel, drivers, and other essential components for the OS. To install the packages, run the following command: bash sudo yum install -y kernel sudo yum install -y glibc sudo yum install -y glibc-common sudo yum install -y gcc

Step 4: Enable Network Configuration

We will configure the system to enable networking. bash sudo systemctl enable network sudo systemctl start network

Step 5: Install Specialized Applications

The OS provides several specialized applications such as web servers, database servers, and file servers. We will install the latest versions of each application.
  • Apache HTTP Server:
bash sudo yum install -y httpd sudo systemctl enable httpd sudo systemctl start httpd
  • MariaDB Database Server:
bash sudo yum install -y mariadb-server sudo systemctl enable mariadb sudo systemctl start mariadb
  • Samba File Server:
bash sudo yum install -y samba sudo systemctl enable smb sudo systemctl start smb

Configuration

Step 6: Configure Apache

We will configure the Apache web server to serve a website. Create a new virtual host in `/etc/httpd/conf.d/` with the following configuration: conf 
ServerName example.com
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/example.com_error.log
CustomLog /var/log/httpd/example.com_access.log combined
 Configure Apache to use SSL by setting the SSL certificate and key: bash sudo certbot `` This Sure, let's go ahead and expand this into a detailed, structured guide, updating each component to use the latest software and configurations. I will incorporate relevant commands and steps for a typical CentOS-based system, assuming a version that aligns with CentOS Stream 9 or a similar up-to-date environment. This guide will help you install, configure, and secure your server efficiently. Below is a structured, step-by-step guide covering all the major areas mentioned, using contemporary tools and best practices. ---

Overview

This guide offers a detailed walkthrough to install and configure a CentOS-based system, ensuring a minimal but fully functional setup. It covers installing the OS, updating packages, setting up specialized applications (web servers, databases, containers), and securing the system with SELinux and firewalls. ---

Prerequisites

  • Hardware: Minimum 2 GB RAM, 20 GB disk, 2 CPUs
  • Network: Reliable internet connection
  • Access: Root or sudo privileges
  • ISO Image: Latest CentOS Stream (or CentOS 9) ISO
---

Installation

1. Download and Create Bootable USBbash

wget -O centos-stream9.iso https://mirror.centos.org/centos/9-stream/isos/x86_64/CentOS-Stream-9-x86_64-20230918.iso sudo dd if=centos-stream9.iso of=/dev/sdb bs=4M status=progress && sync > **Tip**: Replace `/dev/sdb` with your target USB device.

2. Install CentOS Stream 9

Boot from the USB and follow the installer wizard:
  • Set up partitions (suggest: /, /var, /home)
  • Create root and user accounts
  • Enable network configuration

3. Initial System Updatebash

sudo dnf update -y

4. Install Essential Packagesbash

sudo dnf groupinstall -y "Development Tools" sudo dnf install -y kernel glibc glibc-common gcc

5. Enable Networkingbash

sudo systemctl enable NetworkManager sudo systemctl start NetworkManager ---

Specializing Applications

1. Web Server Setup

Apachebash

sudo dnf install -m httpd mod_ssl sudo systemctl enable httpd sudo systemctl start httpd

Virtual Host Example (/etc/httpd/conf.d/example.com.conf)apache

ServerName example.com
DocumentRoot /var/www/example.com
ErrorLog /var/log/httpd/example.com_error.log
CustomLog /var/log/httpd/example.com_access.log combined

HTTPS Configurationbash

sudo dnf install certbot python3-certbot-apache sudo certbot --apache

Nginx (alternative)bash

sudo dnf install nginx sudo systemctl enable nginx sudo systemctl start nginx ---

2. Database Server

MariaDBbash

sudo dnf install -y mariadb-server sudo systemctl enable mariadb sudo systemctl start mariadb

PostgreSQLbash

sudo dnf install -y postgresql-server sudo postgresql-setup --initdb sudo systemctl enable postgresql sudo systemctl start postgresql

Backup Examplebash

PostgreSQL

pg_dumpall > /var/backups/pg_all_$(date +%F).sql

MariaDB

mysqldump --all-databases > /var/backups/mysql_all_$(date +%F).sql ---

3. File Server

Sambabash

sudo dnf install -y samba samba-client samba-common sudo systemctl enable smb sudo systemctl start smb Configuration `/etc/samba/smb.conf`:ini [global] server string = Samba Server workgroup = WORKGROUP security = user [share] path = /srv/samba/share writable = yes browsable = yes read only = no guest ok = no bash sudo mkdir -p /srv/samba/share sudo chown -R user:user /srv/samba/share sudo smbpasswd -a user

NFSbash

sudo dnf install -y nfs-utils sudo systemctl enable nfs-server sudo systemctl start nfs-server Export `/var/named/exports`:ini /share 192.168.1.0/24(rw,sync,no_subtree_check) bash sudo exportfs -ra ---

4. Containerization

Dockerbash

sudo dnf install -y dnf-plugins-core sudo dnf config-manager --set-enabled powertools sudo dnf install -y docker-ce docker-ce-cli containerd.io sudo systemctl enable docker sudo systemctl start docker Run HelloWorld container:bash sudo docker run hello-world ---

5. Monitoring

Netdatabash

sudo dnf install -y epel-release sudo dnf install -y netdata sudo systemctl enable netdata sudo systemctl start netdata Access at `http://:19999` ---

Security Enhancements

1. SELinux Configurationbash

sudo setenforce 1 # Enforce mode sudo sestatus Create and load custom SELinux modules:bash sudo checkmodule -M -m -o custom.pp custom.te sudo semodule -i custom.pp Audit logs:bash sudo ausearch -m avc -ts recent sudo aureport -m avc

2. Firewall

Firewalldbash

sudo firewall-cmd --permanent --zone=public --add-service=http sudo firewall-cmd --permanent --zone=public --add-service=https sudo firewall-cmd --permanent --zone=public --add-service=ssh sudo firewall-cmd --reload

Custom Rulesbash

Allow HTTP/HTTPS permanently

firewall-cmd --zone=public --add-port=80/tcp --permanent firewall-cmd --zone=public --add-port=443/tcp --permanent firewall-cmd --reload

SSH Hardeningbash

sudo sed -i 's/^#Port 22/Port 2222/' /etc/ssh/sshd_config sudo sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config sudo sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config sudo systemctl reload sshd

3. Log Management

  • System logs (journalctl, rsyslog)
  • Application logs in /var/log/bash
sudo journalctl --since "1 hour ago" ---

Performance Optimization

1. Kernel Tweaks

Edit `/etc/sysctl.d/90-custom.conf`:bash net.core.somaxconn = 1024 fs.file-max = 100000 net.ipv4.ip_local_port_range = 1024 65535 Apply changes:bash sudo sysctl -p /etc/sysctl.d/90-custom.conf

2. Caching

HTTPD Cachingbash

sudo dnf install -y mod_cache_disk sudo systemctl restart httpd

MariaDB Cache (Query Cache disabled by default)bash

Example: setting buffer pool size

sudo sed -i 's/^# query_cache_type/query_cache_type/' /etc/my.cnf.d/server.cnf ---

Final Checks

  • Verify all services are running:bash
sudo systemctl status httpd sudo systemctl status mariadb sudo systemctl status smb sudo systemctl status nginx - Ensure firewalls are active:bash sudo firewall-cmd --state - SELinux status:bash sudo sestatus ``` ---

Summary

You now have a CentOS-based server with:
  • Apache/Nginx (HTTPS)
  • MariaDB/PostgreSQL
  • Samba/NFS
  • Docker container runtime
  • SELinux enforcement
  • Firewalld rules
This setup is secure, modular, and ready for further customization. For production, consider regular backups, monitoring (e.g., Netdata), and compliance with security best practices. --- Let me know if you'd like me to further refine any part of this guide, add specific configurations, or cover additional services.
Was this helpful?

Share this article

See Also

Suggest a Correction

Found an error or have a suggestion? Let us know and we'll review it.

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!

More Articles

View All Articles

Categories