Last updated 2018-03-02

VirtualBox guest machine setup §

• Name: “CentOS7”; Operating System: “Red Hat (64-bit)”
• Base Memory: 1024 MB
• Create a virtual hard disk now, VDI, fixed size
• Shared Clipboard: “Bidirectional”; Drag’n’Drop: “Bidirectional”
• Boot Order: Optical, Hard Disk (deselect Floppy)
• Enable extended features and all processor acceleration
• Enable 3D Acceleration
• Remove IDE storage device, add optical drive to SATA controller
• Disable audio and USB
• Change network card to preferred network and select Paravirtualized Interface
• Set up shared folders:
  • C:/Users/xxxxx/Downloads -> Win_Downloads, auto-mount, permanent
  • /home/xxxxx/Downloads -> Lin_Downloads, auto-mount, permanent

OS installation §

1. Install from minimal installation disk (1708)
2. Set disk partitioning to Standard Partitions and automatically create partitions, then change swap and /boot to 512 MB each and set / as large as possible
3. Set hostname , turn on networking
4. Set root password
5. Create user, with administrator privileges
6. Reboot, log in as “stick”, sudo yum update, reboot

Security §

Secure SSH §

sudo vim /etc/ssh/sshd_config

1. Optionally, set SSH to listen on IPv4 only.

...
AddressFamily inet
...

1. Use only secure ciphers and macs.

...
# Ciphers and keying
Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
Macs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512
#RekeyLimit default none
...

1. Disallow root login, and make it harder to brute force guesses.

...
LoginGraceTime 30
PermitRootLogin no
#StrictModes yes
MaxAuthTries 2
MaxSessions 2
...

1. Optinally, set SSH to use pubkey login only. Ensure you set up public key authentication for you user before you do this.

• From other machine: ssh-copy-id stick@centos7.stma
• sudo vim /etc/ssh/sshd_config

...
#PubkeyAuthentication yes
...
PasswordAuthentication no
...

Disable IPv6 and set other networking options §

1. sudo nmtui
   • Edit a connection -> eth0 -> Edit… -> IPv6 CONFIGURATION <Ignore> -> OK
2. sudo curl -L https://raw.githubusercontent.com/nstickney/dotfiles/master/aconfmgr/files/etc/sysctl.d/51-net.conf -o /etc/sysctl.d/51-net.conf
3. sudo reboot

You can use ip addr to check that IPv6 really is turned off.. The various options specified in 51-net.conf are mostly from the ArchWiki.

Optional: Remove unwanted network listeners: §

1. sudo yum remove chrony postfix

Set up firewall §

1. curl -o fw.sh https://raw.githubusercontent.com/nstickney/dotfiles/master/bin/fw.sh
2. sudo ./fw.sh
3. rm fw.sh

Disable root account §

1. sudo usermod -p '!' root
2. sudo passwd -l root.

Skip the grub timeout on boot §

1. sudo vim /etc/default/grub

• Change GRUB_TIMEOUT=5 to GRUB_TIMEOUT=0

1. sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Install additional software §

Install VirtualBox Guest Additions §

See CentOS wiki.

1. sudo yum install bzip2 dkms gcc kernel-devel make
2. “Devices -> Insert Guest Additions CD image”
3. sudo mount /dev/sr0 /mnt && sudo /mnt/VBoxLinuxAdditions.run
4. Reboot and remove the Guest Additions CD image (or remove optical device entirely)

Install Vim (version 8) §

Thanks to SysTutorials QA.

1. sudo curl -L https://copr.fedorainfracloud.org/coprs/mcepl/vim8/repo/epel-7/mcepl-vim8-epel-7.repo -o /etc/yum.repos.d/mcepl-vim8-epel-7.repo
2. sudo yum update
3. sudo yum install vim

Optional: Install the EPEL repo §

The EPEL repository contains a large number of extra packages for Enterprise Linux (and by extension CentOS).

• sudo yum install epel-release && sudo yum update

Install other useful packages §

The dig and nslookup commands on CentOS 7 are in the bind-utils package. You should know what git is. The mlocate package is a way to find files across your entire system.

• sudo yum install bind-utils git mlocate && sudo updatedb

If you installed the EPEL repo above, you can also install ag, the silver searcher.

• sudo yum install the_silver_searcher

Configure the system §

Optional: Install dotfiles §

1. cd ~ && git clone https://github.com/nstickney/dotfiles && ./dotfiles/install.sh
2. Refresh bash session (logout/login, etc)

Optional: Create a snapshot §

1. history -c
2. Close -> ACPI Shutdown
3. Snapshots -> Take