STMA: CentOS 7 VirtualBox Guest

Last updated 2018-03-02

VirtualBox guest machine setup

OS installation

  1. Install from minimal installation disk (1708)
  2. Set disk partitioning to Standard Partitions and automatically create partitions, then change swap and /boot to 512 MB each and set / as large as possible
  3. Set hostname, turn on networking
  4. Set root password
  5. Create user, with administrator privileges
  6. Reboot, log in as “stick”, sudo yum update, reboot

Security

Secure SSH

sudo vim /etc/ssh/sshd_config

  1. Optionally, set SSH to listen on IPv4 only.

    ...
    AddressFamily inet
    ...
    
  2. Use only secure ciphers and MACs. The lists below are valid for the OpenSSH 7.4 shipped with CentOS 7; ssh -Q cipher and ssh -Q mac print what a given build supports, and sshd refuses to start if a name is unknown to it.

    ...
    # Ciphers and keying
    Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
    #RekeyLimit default none
    ...
    
  3. Disallow root login and make password guessing harder. MaxAuthTries caps authentication attempts per connection (public keys the client offers count as attempts too) and LoginGraceTime drops connections that have not authenticated within 30 seconds. MaxSessions limits multiplexed sessions over one connection, which is about resource use rather than brute forcing.

    ...
    LoginGraceTime 30
    PermitRootLogin no
    #StrictModes yes
    MaxAuthTries 2
    MaxSessions 2
    ...
    
  4. Optionally, set SSH to accept public key login only. Set up public key authentication for your user before you do this, or you will lock yourself out of the guest over the network (the VirtualBox console still works).

  5. From another machine: ssh-copy-id stick@centos7.stma

  6. sudo vim /etc/ssh/sshd_config

    ...
    #PubkeyAuthentication yes
    ...
    PasswordAuthentication no
    ...

PubkeyAuthentication defaults to yes, so the commented line can stay as it is. After any change to sshd_config, check the file with sudo sshd -t, restart sshd, and confirm from a second terminal that a new login still works before closing the session you edited from: sshd keeps existing connections open, so a broken configuration only bites on reconnect. Note also that with MaxAuthTries 2 each key the client offers counts as an attempt, so a client with several keys loaded in its agent can be rejected before it reaches the right one; select the key explicitly with -i together with -o IdentitiesOnly=yes.
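As an added example (not a script from these notes), the following applies all of the sshd_config settings from steps 1 to 6 to a file in one pass. How it is done matters: sshd takes the first value it sees for each keyword, so appending to the end of the stock file changes nothing if the keyword already appears above, and the stock CentOS 7 file carries commented defaults such as #PermitRootLogin yes that are easy to uncomment by mistake later. The function names (hardened_directives, harden_sshd_config, effective_value, demo), the file-path argument, and the assumption that the file has no Match blocks are all mine; the sample file in demo is constructed and is not the real default file.

```shell
#!/bin/sh
# Added example; not a script from the original notes. It applies the sshd_config
# settings from the steps above to a config file in a way that survives sshd's
# rule that the FIRST value given for a keyword wins: every existing line for a
# managed keyword (active, or commented as "#Keyword value") is removed and the
# hardened settings are prepended. Assumed: OpenSSH 7.x as shipped with
# CentOS 7, no Match blocks in the file, file path given as the first argument.

# The settings to enforce, "Keyword value" per line. AddressFamily and
# PasswordAuthentication are the optional steps from the notes; delete a line
# here if you do not want it.
hardened_directives() {
    cat <<'EOF'
AddressFamily inet
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 2
MaxSessions 2
PubkeyAuthentication yes
PasswordAuthentication no
EOF
}

# harden_sshd_config FILE: rewrite FILE in place, keeping its owner and 0600 mode.
harden_sshd_config() {
    file="$1"
    tmp="${file}.tmp.$$"
    dirs="${file}.dirs.$$"
    hardened_directives > "$dirs"
    awk -v dirfile="$dirs" '
        BEGIN {
            # Emit the hardened lines first and remember their keywords.
            while ((getline line < dirfile) > 0) {
                split(line, parts, " ")
                managed[tolower(parts[1])] = 1
                print line
            }
            close(dirfile)
        }
        {
            # Strip leading blanks and a directly attached "#" so that
            # "#PermitRootLogin yes" is recognised while "# free text" is not
            # (its first token is empty after the split below).
            line = $0
            sub(/^[ \t]*#?/, "", line)
            split(line, parts, /[ \t=]+/)
            if (tolower(parts[1]) in managed) next
            print $0
        }
    ' "$file" > "$tmp" || { rm -f "$tmp" "$dirs"; return 1; }
    cat "$tmp" > "$file"   # overwrite rather than mv so mode and owner stay as they were
    rm -f "$tmp" "$dirs"
}

# effective_value FILE KEYWORD: the value sshd would actually use for KEYWORD
# (first uncommented match, keyword compared case-insensitively).
effective_value() {
    kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    awk -v kw="$kw" '
        /^[ \t]*#/ { next }
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# Demo on a constructed file that mimics the commented defaults of the stock
# CentOS 7 sshd_config (sample only, not the real file).
demo() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
# constructed sample, not the real default file
#PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
X11Forwarding yes
EOF
    harden_sshd_config "$f"
    printf 'PermitRootLogin=%s PasswordAuthentication=%s X11Forwarding=%s\n' \
        "$(effective_value "$f" PermitRootLogin)" \
        "$(effective_value "$f" PasswordAuthentication)" \
        "$(effective_value "$f" X11Forwarding)"
    rm -f "$f"
}

demo
```

On the guest, back the file up first (sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak), run harden_sshd_config /etc/ssh/sshd_config as root, then sudo sshd -t and sudo systemctl restart sshd, and test a fresh login from a second terminal before closing the one you are in. effective_value is also a quick way to audit any host: it answers "what does sshd really use for PasswordAuthentication" without reading the whole file by eye.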
    

Disable IPv6 and set other networking options

  1. sudo nmtui
    • Edit a connection -> eth0 -> Edit… -> IPv6 CONFIGURATION <Ignore> -> OK
  2. sudo curl -L https://raw.githubusercontent.com/nstickney/dotfiles/master/aconfmgr/files/etc/sysctl.d/51-net.conf -o /etc/sysctl.d/51-net.conf
  3. sudo reboot

You can use ip addr to check that IPv6 really is turned off. The various options specified in 51-net.conf are mostly from the ArchWiki; read the file before dropping it into /etc/sysctl.d, since it comes from a personal GitHub repository and is applied system-wide at every boot.

Optional: Remove unwanted network listeners:

  1. sudo yum remove chrony postfix

Check with ss -tulpn what is still listening afterwards. On a stock install postfix only binds 127.0.0.1:25 (inet_interfaces = localhost), so removing it is mostly about reducing installed code; removing chrony leaves the guest without an NTP client, which is acceptable in a VM only if the Guest Additions time synchronisation (installed below) is doing that job.

Set up firewall

  1. curl -o fw.sh https://raw.githubusercontent.com/nstickney/dotfiles/master/bin/fw.sh
  2. chmod +x fw.sh && sudo ./fw.sh
  3. rm fw.sh

Read the script before step 2: it comes from a personal GitHub repository and runs as root. curl does not set the execute bit on the file it writes, hence the chmod.
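The contents of fw.sh are not shown here, so as an added example of what a firewall for this guest needs to do (this is not the author's script), here is a minimal default-deny IPv4 ruleset in iptables-restore format, generated by a function so the policy can be reviewed and checked before it is loaded. It assumes the guest needs inbound SSH only, on port 22 unless SSH_PORT is set, and that iptables-services is used instead of firewalld; fw_rules, rule_count and check_rules are names chosen for this example. Because the notes disable IPv6 above, no ip6tables ruleset is given.

```shell
#!/bin/sh
# Added example; not the fw.sh from the author's dotfiles, whose contents are
# not shown in the notes. Builds a minimal default-deny IPv4 ruleset for a guest
# that only needs inbound SSH, in iptables-restore format, so it can be read and
# checked before loading. Assumptions: SSH on port 22 (override with SSH_PORT),
# iptables-services in place of firewalld (the CentOS 7 default), IPv6 disabled.

SSH_PORT="${SSH_PORT:-22}"

fw_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this guest opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# echo-request so the VirtualBox network can be diagnosed with ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# SSH: a source that opens more than 4 new connections in 60 s is dropped,
# which slows password guessing without touching established sessions
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# rule_count: number of -A rules in the generated set (sanity check).
rule_count() { fw_rules | grep -c '^-A '; }

# check_rules: verify the properties that matter before loading anything:
# INPUT and FORWARD default to DROP, and there is an explicit ACCEPT for SSH.
check_rules() {
    rules="$(fw_rules)"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- "--dport ${SSH_PORT} .*-j ACCEPT\$" || return 1
}

# Usage on the guest (as root), after reviewing the output of fw_rules:
#   yum install iptables-services
#   systemctl stop firewalld && systemctl disable firewalld
#   fw_rules | iptables-restore && service iptables save && systemctl enable iptables
# Loading over SSH is safe because ESTABLISHED traffic is accepted, but keep the
# VirtualBox console open the first time in case a rule is mistyped.
check_rules && fw_rules
```

service iptables save writes the live rules to /etc/sysconfig/iptables, which the iptables unit restores at boot. If you add another service later, add its rule above the SSH block and re-run check_rules so the default-deny chain policies are never lost by accident.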

Disable root account

  1. sudo usermod -p '!' root
  2. sudo passwd -l root

Either command alone locks the account (both put a "!" in front of the password hash in /etc/shadow); sudo passwd -S root should now report LK. Root can still be reached with sudo, but not by logging in directly or with su, and the rescue and emergency boot targets will prompt for a root password that can no longer be entered, so keep a snapshot (see below) or be ready to recover with rd.break on the kernel command line.

Skip the grub timeout on boot

  1. sudo vim /etc/default/grub
  2. Change GRUB_TIMEOUT=5 to GRUB_TIMEOUT=0
  3. sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Install additional software

Install VirtualBox Guest Additions

See the CentOS wiki.

  1. sudo yum install bzip2 dkms gcc kernel-devel make
  2. “Devices -> Insert Guest Additions CD image”
  3. sudo mount /dev/sr0 /mnt && sudo /mnt/VBoxLinuxAdditions.run
  4. Reboot and remove the Guest Additions CD image (or remove the optical device entirely)

Two things to check first: dkms is in EPEL, not in the base repositories, so either install epel-release (below) before step 1 or leave dkms out and re-run the installer after each kernel update; and kernel-devel must match the running kernel (compare uname -r with the installed kernel-devel version), which it will if you rebooted after the yum update in the installation steps.

Install Vim (version 8)

Thanks to SysTutorials QA.

  1. sudo curl -L https://copr.fedorainfracloud.org/coprs/mcepl/vim8/repo/epel-7/mcepl-vim8-epel-7.repo -o /etc/yum.repos.d/mcepl-vim8-epel-7.repo
  2. sudo yum update
  3. sudo yum install vim

This is a third-party COPR build rather than a CentOS package; check that the downloaded .repo file keeps gpgcheck=1 so the packages are verified against the project's key.

Optional: Install the EPEL repo

The EPEL repository contains a large number of extra packages for Enterprise Linux (and by extension CentOS).

  • sudo yum install epel-release && sudo yum update

Install other useful packages

The dig and nslookup commands on CentOS 7 are in the bind-utils package. You should know what git is. The mlocate package is a way to find files across your entire system.

  • sudo yum install bind-utils git mlocate && sudo updatedb

If you installed the EPEL repo above, you can also install ag, the silver searcher.

  • sudo yum install the_silver_searcher

Configure the system

Optional: Install dotfiles

  1. cd ~ && git clone https://github.com/nstickney/dotfiles && ./dotfiles/install.sh
  2. Refresh bash session (logout/login, etc)

Optional: Create a snapshot

  1. history -c
  2. Close -> ACPI Shutdown
  3. Snapshots -> Take

history -c only empties the running shell's history list; depending on the shell options in your dotfiles (histappend in particular), ~/.bash_history may still hold commands from earlier sessions, so delete that file as well if the snapshot should not carry them.