Set up a secure home server with Cent OS – Part 1

Set up a secure home server with Cent OS – Part 1

Hey all,
In this post I want to take a look at setting up a secure home server with Cent OS. Why Cent OS and not the more common distros such as Debian? Well, I like the stability and leanness of Cent and the applications such as the packet manager are neat as well. Pretty much everything runs on this thing as easy as it does under Debian, but the added security and stability are a great plus. Besides, such I prefer separating/containerizing everything anyway, the underlying host better be as stable as possible.

In Part 1 we’ll look at doing a post-installation setup of Cent OS. In later parts, we’ll take a look at Docker and setting up containers.

This page was edited on Janaury 16th 2018 to add some hyper-v related commands

First of, I’ve got everything installed in a virtual machine under Hyper-V. Hyper-V is freely available via the Microsoft website┬áby applying for the unlimited Hyper-V 2016 evaluation. Be aware that this is the core-version only with no way to upgrade to a GUI for free. This requires some Powershell knowledge and can be a pain with non-server hardware to get VLAN support working as most consumer networking cards don’t support this out of the box. Alternatively, you can also install Cent OS directly on the metal through installation with a USB stick. Several good programs are available for both Windows and MacOS.

Set up

Okay, initial Cent OS setup is pretty straight forward and requires barely any user interaction apart from setting the user and root password. Please choose carefully! Then, onto the set up process itself. This tutorial used Cent OS release 7.3.1611. If you’re on Cent OS 7, the commands will most likely be the same, but it’s always wise to check for updates and run them. To check your version:

cat /etc/centos-release

To check whether there are updates:

sudo yum check-update

Let the operating system update itself:

sudo yum update

Let’s start with the timezone setup, because time is an often overlooked component, but can be every important in logging and troubleshooting. To check the current time settings:

sudo timedatectl

Check whether ntp is installed in this section, if not, follow up with these commands to install time synchronisation:

sudo yum install ntp

Then enable the application to autostart:

sudo systemctl start ntp
sudo systemctl enable ntp

To check the available timezones for this system:

sudo timedatectl list-timezones

Pick the timezone applicable to you and your server, such as Amsterdam in my case:

sudo timedatectl set-timezone Europe/Amsterdam

Then, you can check your settings again with the timedatectl command.

By default the firewall is already enable, but it won’t hurt to check:

sudo systemctl status firewalld

If the firewall is not running, then enable it with the following command:

sudo systemctl start firewalld
sudo systemctl enable firewalld

It’s worth checking what services are enabled to pass through the firewall. Also to allow for later remote sessions with ssh for example:

sudo firewall-cmd --permanent --list-all

The permanent flag allows you to check the permanent rules only, by removing that flag all rules become visible. If properly set up, these two scenarios shouldn’t differ in most setups.
Typical output for this command looks something like this:

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

This indicates that in my case the firewall is set to public (default) and allows only the DHCP ipv6 client and ssh. If SSH is not yet in the list, you can add it by using the following line:

sudo firewall-cmd --permanent --add-service=ssh

To find other services to enable:

sudo firewall-cmd --get-services

Adjusting Sudo password time-out

To adjust the time-out period for the server in which in asks again for the sudo password, it’s possible to alter the sudoers file. However, be careful in the altering the commands, since it can seriously damage your installation. It’s strongly recommended to do this through the visudo option (sudo visudo) as this check grammar as well, however, the following commands have been tested and also work.
Backup the file beforehand with the following command!

sudo cp /etc/sudoers /etc/sudoers.backup

Then the time-out period can be adjusted. In this case, it’s adjusted to 30 minutes:

sudo sh -c 'echo "Defaults timestamp_timeout=30">>/etc/sudoers'

Alternatively, to always require the password, the timestamp_timeout should be set to 0. To completely disable it, set it to -1.

Setlocale warning

My installations usually show a warning on the setlocale settings, which looks something like this:

-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory

This can easily be fixed by adding a few lines to /etc/environment:

sudo vi /etc/environment

Insert by pressing i.

LANG=en_US.utf-8
LC_ALL=en_US.utf-8

Then hit Esc on the keyboard and save and close by typing:

:wq

Click here for more information on vi editor.

Hyper-V specifics:

To allow for automatic expandable memory, contrary to a pre-selected set amount, the machine needs to allow for this:

sudo vi /etc/udev/rules.d/100-balloon.rules

In this empty file, paste the following:

SUBSYSTEM=="memory", ACTION=="add", ATTR{state}="online"

Most Hyper-V related tools are already installed in Cent OS, however some features are not yet installed and enabled, such as:

  • VSS daemon (for backup of a live system)
  • KVP daemon
  • Powershell File copy daemon

If you want to enable this, then issue the following command:

sudo yum install -y hyperv-daemons

Lastly, you would want to disable the disk I/O optimiser, since Hyper-V is already doing this as well and having two optimisers is usually far from ideal. To do this, we have to be root first and then issue the appropriate command:

su root
echo noop > /sys/block/sda/queue/scheduler
exit

Installing Docker:

Now, we’re ready to install Docker Community Edition. The latest documentation can be found here, but I though it would be good to write a compact version here, also as my own documentation. Start by installing the pre-requistes:

 sudo yum install -y yum-utils device-mapper-persistent-data lvm2

Now, we should add the docker repository to our sources.list:

sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

By installing docker with the standard command set, we install the latest release. Alternatively, a release can be selected from the channel. The available releases are visible with the following command:

yum list docker-ce --showduplicates | sort -r

If you want to select a specific version, then replace docker by the name of the version from the list you just received. (sudo yum install ) Otherwise, proceed with the following command:

sudo yum install docker-ce

Since we’re downloading from a third party source, please check the fingerprint whether it matches:

Importing GPG key 0x621E9F35:
Userid     : "Docker Release (CE rpm) <[email protected]>"
Fingerprint: 060a 61c5 1b55 8a7f 742b 77aa c52f eb6b 621e 9f35
From       : https://download.docker.com/linux/centos/gpg

To start Docker:

sudo systemctl start docker

To autostart Docker after reboot:

sudo systemctl enable docker

Docker is now ready for usage. However, it’s strongly recommended to also complete the following steps as a security best-practice.

Since Docker binds to the socket, it runs with root privileges meaning that sudo’ing is constantly required to make changes. I mean, elevating yourself to root user is bad practice. Bad admin, bad admin!

So, create a group called Docker:

sudo groupadd Docker

Then add your local user to that group:

sudo usermod -aG Docker 

In my case, this would be:

sudo usermod -aG Docker linux

The new group assignment will be active after logging out and back into the machine, because of the revaluation of the user rights.

If for whatever reason you would want to point Docker to another set of DNS servers, then you can add this in the config file:

sudo vi /etc/docker/daemon.json

and add the following key in this file:

    {
        "dns": ["8.8.8.8", "8.8.4.4"]
    }

Then restart Docker:

sudo systemctl restart Docker 

For more linux configuration options, please review the official Docker documentation.

Optional – Docker compose

Docker compose allows for easier container management when using multiple containers at the same time. Since I’m planning on doing so, I’ll install docker-compose. However, in a later tutorial I will include the commands for both docker and docker-compose to get containers to work. Fore more information, please review the excellent documentation on the Docker website.

To start installing, first review the latest version on the Docker Github page. At the time of writing, version 1.18.0 is the latest. Before issuing the following command, please beware that a script is kicked off and this carries some security risk. Please review the contents of the script before kicking it of on the Github page. After code review, the following command can be used for installation:

sudo curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` -o /usr/local/bin/docker-compose

Then, adjust the rights to run docker-compose:

sudo chmod a+rx /usr/local/bin/docker-compose

You can check if the docker-compose commands can be found by

which docker-compose

This should return the path /usr/local/bin/docker-compose

To check the Docker-compose version:

docker-compose --version

Leave a Reply