CentOS 7 Post-Installation Best Practices


If you haven’t done so yet, complete the tasks explained in Using SSH Key Pairs on Windows. If you fail to do so, you’ll be locked out of your CentOS instance!

Fire up Pageant, load your private key, and log into your SSH host.

Almost all of the commands will require root privileges, so first of all, make sudo access less painful:

sudo visudo

Find the following line:

# %wheel        ALL=(ALL)       NOPASSWD: ALL

Remove the leading # character (deleting a single character in vi is done by pressing the x key). Then find this line:

%wheel        ALL=(ALL)       ALL

Comment this one out by adding a leading # symbol (enter INSERT mode with the i key, then type #, then press ESC to quit from INSERT mode, then save and exit by typing :wq).

Now you can become root with:

sudo -i

Now update the system:

yum update

Applying the updates will take a while, and will require a reboot, since you will almost certainly receive a kernel update after installation.

Once rebooted, there’s a good number of essential utilities that needs installation:

yum install mc bind-utils psmisc bash-completion chrony wget policycoreutils-python setools-console yum-cron git

Verify your timezone. Adjust, if needed:

timedatectl set-timezone Europe/Berlin

While at it, make sure that time synchronization is running:

systemctl enable chronyd.service

Verify your hostname, if needed, modify via /etc/hostname:

hostname -f

Enable automatic updates:

sed -i.orig 's/apply_updates = no/apply_updates = yes/g' /etc/yum/yum-cron.conf
systemctl enable yum-cron.service
systemctl restart yum-cron.service

Create a new alternative SSH port, e.g. 922, disable root access, and disable password authentication:

semanage port -a -t ssh_port_t -p tcp 922
firewall-cmd --permanent --new-service sshsec
firewall-cmd --permanent --service=sshsec --add-port=922/tcp
firewall-cmd --permanent --add-service=sshsec
firewall-cmd --reload
sed -i 's/^#Port 22/Port 922/' /etc/ssh/sshd_config
sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
systemctl restart sshd.service

Once all is fine on the new port, you might as well close the default SSH port:

firewall-cmd --permanent --remove-service=ssh
firewall-cmd --reload

If you’re on a VPS with Btrfs, you should probably enforce compression on the root volume. Find the corresponding line in /etc/fstab (your UUID will differ):

UUID=0041e29c-9f8e-4ee3-b9e2-eea391a34c69 / btrfs subvol=root 0 0

Then add the compress-force=zlib mount option, like so:

UUID=0041e29c-9f8e-4ee3-b9e2-eea391a34c69 / btrfs subvol=root,compress-force=zlib 0 0