1. SELinux Disable
First, disable SELinux. SELinux is a feature that improves auditing and security on Linux, but when it is enabled it can considerably restrict the behavior and configuration of services.
For that reason it is disabled in many setups.
You can disable it as follows:

    # grubby --update-kernel ALL --args selinux=0

Reboot the system:

    # reboot

Confirmation after the change:

    # getenforce
    Disabled
2. System update and stopping services as a security measure
2.1 System update

    # dnf -y upgrade

2.2 Stopping services as a security measure

    # systemctl stop atd.service
    # systemctl disable atd.service
    # systemctl stop kdump.service
    # systemctl disable kdump.service
    # systemctl stop lvm2-monitor.service
    # systemctl disable lvm2-monitor.service
    # systemctl stop mdmonitor.service
    # systemctl disable mdmonitor.service
    # systemctl stop smartd.service
    # systemctl disable smartd.service
    # systemctl stop dm-event.socket
    # systemctl disable dm-event.socket
3. Network Settings
3.1 Set the host name
Set the hostname to "Lepard", since no hostname was set during OS installation.

    # hostnamectl set-hostname Lepard

Log in again after the change; the new hostname is then shown in the prompt.

    # cat /etc/hostname
    Lepard
3.2 Change network settings to a static IP address
(Replace the network interface name [ens160] with the name used in your environment, since it differs from system to system.)
Network device confirmation

    # nmcli device
    DEVICE  TYPE      STATE      CONNECTION
    ens160  ethernet  connected  ens160
    lo      loopback  unmanaged  --
Change the IP address of network interface [ens160] to "192.168.11.83"

    * Fixed IPv4 address setting
    # nmcli connection modify ens160 ipv4.addresses 192.168.11.83/24
    * Gateway configuration
    # nmcli connection modify ens160 ipv4.gateway 192.168.11.1
    * DNS server setting
    # nmcli connection modify ens160 ipv4.dns 192.168.11.1
    * DNS search domain setting (your own domain name)
    # nmcli connection modify ens160 ipv4.dns-search <your domain name>
    * Switch to static IP address assignment
    # nmcli connection modify ens160 ipv4.method manual
    * Restart the interface to apply the settings
    # nmcli connection down ens160; nmcli connection up ens160
Confirmation of settings

    # nmcli device show ens160
    GENERAL.DEVICE:                         ens160
    GENERAL.TYPE:                           ethernet
    GENERAL.HWADDR:                         00:0C:29:94:75:13
    GENERAL.MTU:                            1500
    GENERAL.STATE:                          100 (connected)
    GENERAL.CONNECTION:                     ens160
    GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveC>
    WIRED-PROPERTIES.CARRIER:               on
    IP4.ADDRESS[1]:                         192.168.11.83/24
    IP4.GATEWAY:                            192.168.11.1
    IP4.ROUTE[1]:                           dst = 192.168.11.0/24, nh = 0.0.0.0, mt>
    IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 192.168.11.1, mt >
    IP4.DNS[1]:                             192.168.11.1
    IP4.SEARCHES[1]:                        fedora.korodes.com
    IP6.ADDRESS[1]:                         fe80::20c:29ff:fe94:7513/64
    IP6.GATEWAY:                            fe80::9296:f3ff:fe21:9900
    IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
    IP6.ROUTE[2]:                           dst = ::/0, nh = fe80::9296:f3ff:fe21:9

    # ip address
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:0c:29:94:75:13 brd ff:ff:ff:ff:ff:ff
        altname enp3s0
        inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:fe94:7513/64 scope link noprefixroute
           valid_lft forever preferred_lft forever
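The nmcli sequence above is normally typed by hand. The following script is an added example (not from the original article) that composes the same commands but validates the inputs first: a mistyped address, an out-of-range prefix, or a gateway outside the subnet is rejected before the interface is taken down, which matters when the only access to the machine is over that interface. The interface name and addresses are the article's sample values; the search domain "example.test" is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original article: compose the nmcli commands
# from section 3.2 for a static IPv4 address after validating every input.
# Interface name and addresses are the article's values; "example.test" is a
# placeholder search domain.

# valid_ipv4 ADDRESS: succeed if ADDRESS is a dotted quad with octets 0-255
# (leading zeros are rejected because some tools read them as octal).
valid_ipv4() {
    local ip=$1 o1 o2 o3 o4 rest octet
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$ip
EOF
    [ -n "$o4" ] && [ -z "$rest" ] || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case $octet in 0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_cidr ADDRESS/PREFIX: succeed if both halves are well formed.
valid_cidr() {
    local addr=${1%/*} prefix=${1##*/}
    [ "$addr" != "$1" ] || return 1            # no "/" in the argument
    valid_ipv4 "$addr" || return 1
    case $prefix in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$prefix" -le 32 ]
}

# ipv4_to_int ADDRESS: print the address as a 32-bit integer.
ipv4_to_int() {
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_same_subnet ADDRESS/PREFIX HOST: succeed if HOST lies in that subnet.
in_same_subnet() {
    local prefix=${1##*/} mask
    mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( $(ipv4_to_int "${1%/*}") & mask )) -eq $(( $(ipv4_to_int "$2") & mask )) ]
}

# build_static_ip_commands IFACE ADDRESS/PREFIX GATEWAY DNS [SEARCH_DOMAIN]
# Print the nmcli commands on stdout; on a rejected input print the reason on
# stderr and fail without printing any command.
build_static_ip_commands() {
    local iface=$1 cidr=$2 gateway=$3 dns=$4 search=$5
    valid_cidr "$cidr"    || { echo "invalid address/prefix: $cidr" >&2; return 1; }
    valid_ipv4 "$gateway" || { echo "invalid gateway: $gateway" >&2; return 1; }
    valid_ipv4 "$dns"     || { echo "invalid DNS server: $dns" >&2; return 1; }
    in_same_subnet "$cidr" "$gateway" \
        || { echo "gateway $gateway is not inside $cidr" >&2; return 1; }
    printf 'nmcli connection modify %s ipv4.addresses %s\n' "$iface" "$cidr"
    printf 'nmcli connection modify %s ipv4.gateway %s\n'   "$iface" "$gateway"
    printf 'nmcli connection modify %s ipv4.dns %s\n'       "$iface" "$dns"
    if [ -n "$search" ]; then
        printf 'nmcli connection modify %s ipv4.dns-search %s\n' "$iface" "$search"
    fi
    printf 'nmcli connection modify %s ipv4.method manual\n' "$iface"
    # Bounce the connection last so that all modifications take effect together.
    printf 'nmcli connection down %s; nmcli connection up %s\n' "$iface" "$iface"
}

# Demonstration with the article's values. Review the printed commands, then
# run them as root by piping the same call into sh.
build_static_ip_commands ens160 192.168.11.83/24 192.168.11.1 192.168.11.1 example.test
```

Because the commands are only printed, the script can be reviewed (or diffed against a previous run) before anything is applied; `build_static_ip_commands ... | sh` applies them.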
3.3 Disable IPv6 if not needed

    # grubby --update-kernel ALL --args ipv6.disable=1
    # reboot
4. Install an NTP server and set up the time synchronization service
4.1 Install chrony

    # dnf -y install chrony
4.2 Editing the configuration file

    # vi /etc/chrony.conf
    # Line 3: change the NTP server used for time synchronization
    # (the NTP server itself synchronizes with other NTP servers as an NTP client)
    # pool 2.fedora.pool.ntp.org iburst
    pool ntp.nict.jp iburst

    # Around line 26: add the network from which time synchronization requests from NTP clients are accepted
    # (specify your local network, etc.)
    allow 192.168.11.0/24
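The two edits above are what make this host an NTP server for the local network: the `pool` line chooses where it gets its own time, and the `allow` line decides which clients may query it (chronyd answers no clients at all until an `allow` directive exists, and a bare `allow` with no network answers everyone). The script below is an added example, not part of the article or of chrony, that applies both edits so they can be re-run without duplicating lines, and flags an unrestricted `allow`. The file path, pool and network are parameters; the demonstration uses the article's values on a constructed stand-in file, not the real /etc/chrony.conf.

```shell
#!/bin/sh
# Added example, not from the original article: apply the chrony.conf changes
# of section 4.2 idempotently and check that the "allow" list is restricted.

# configure_chrony CONF_FILE POOL ALLOW_NETWORK
#   - comments out every other active "pool"/"server" line
#   - ensures exactly one "pool POOL iburst" line
#   - ensures exactly one "allow ALLOW_NETWORK" line
configure_chrony() {
    local conf=$1 pool=$2 allow=$3 tmp
    tmp=$(mktemp) || return 1
    awk -v pool="$pool" -v allow="$allow" '
        /^[ \t]*(pool|server)[ \t]/ {
            if ($2 == pool) { seen_pool = 1; print; next }
            print "# " $0; next             # keep the old source for reference
        }
        /^[ \t]*allow([ \t]|$)/ && $2 == allow { seen_allow = 1 }
        { print }
        END {
            if (!seen_pool)  print "pool " pool " iburst"
            if (!seen_allow) print "allow " allow
        }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy the content back rather than mv, so the file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# chrony_allows_everyone CONF_FILE: succeed if the server would answer NTP
# queries from any address (bare "allow", "allow all", or a 0.0.0.0/0 network).
chrony_allows_everyone() {
    awk '
        /^[ \t]*allow([ \t]|$)/ {
            if (NF == 1 || $2 == "0.0.0.0/0" || $2 == "::/0" || (NF == 2 && $2 == "all")) open = 1
        }
        END { exit (open ? 0 : 1) }
    ' "$1"
}

# Demonstration on a constructed stand-in for the stock file (not the real
# /etc/chrony.conf); point it at the real file as root once satisfied.
demo=$(mktemp)
printf '%s\n' \
    '# Use public servers from the pool.ntp.org project.' \
    'pool 2.fedora.pool.ntp.org iburst' \
    'driftfile /var/lib/chrony/drift' \
    '#allow 192.168.0.0/16' > "$demo"
configure_chrony "$demo" ntp.nict.jp 192.168.11.0/24
cat "$demo"
if chrony_allows_everyone "$demo"; then
    echo "WARNING: this configuration serves time to any client"
else
    echo "allow list is restricted"
fi
rm -f "$demo"
```

Running `configure_chrony` a second time leaves the file unchanged, so it is safe to include in a provisioning script. After editing the real file, restart chronyd as in the next step.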
4.3 Restart chrony and enable it so that it starts after a reboot

    # systemctl enable chronyd.service
4.4 The NTP service must be allowed through Firewalld if it is enabled
Note that NTP uses [123/UDP].
Firewalld is explained in detail in the next section, so here we only open the NTP port with the following commands.

    # firewall-cmd --add-service=ntp --permanent
    success
    # firewall-cmd --reload
    success
4.5 Check the chronyd status (behavior)

    # chronyc sources
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^* ntp-a2.nict.go.jp             1   6    17     0   -356us[ +332us] +/- 6653us
    ^+ v160-16-113-133.ntp.tky2>     3   6    17     1   +666us[+1354us] +/- 7073us
    ^+ ipv4.ntp3.rbauman.com         2   6    17     1   +356us[+1044us] +/- 9545us
    ^- time.cloudflare.com           3   6    17     0  -3011us[-2323us] +/- 72ms

The source marked with * is the one the clock is currently synchronized to. (It takes about 10 minutes after startup to synchronize.)
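Reading the * by eye works once; on a server that other hosts depend on for time, the same check is worth automating. The script below is an added example (not from the article or from chrony) that parses `chronyc sources` output and turns the state column into an exit status: 0 when synchronized, 1 when not, 2 when any source is a falseticker (marked x, meaning its time disagrees with the majority). The sample block is constructed from the article's output above.

```shell
#!/bin/sh
# Added example, not from the original article: turn "chronyc sources" output
# into a health check that can run from cron or a monitoring agent.
# The second character of the first column is the source state: "*" the source
# the clock is synchronized to, "+" a source combined with it, "-" excluded,
# "?" unreachable, "x" a falseticker.

# chrony_sync_status: read "chronyc sources" output on stdin, print a summary.
# Exit 0 when synchronized, 1 when not, 2 when any falseticker is present.
chrony_sync_status() {
    awk '
        /^=+$/ { body = 1; next }           # the header ends at the ===== rule
        !body  { next }
        NF < 2 { next }
        {
            state = substr($1, 2, 1)        # $1 is the two-character "MS" field
            if (state == "*") selected = $2
            else if (state == "+") combined++
            else if (state == "x") falsetickers++
            else if (state == "?") unreachable++
        }
        END {
            if (selected != "")
                printf "synchronized to %s (%d combined, %d unreachable)\n", selected, combined, unreachable
            else
                printf "not synchronized (%d unreachable)\n", unreachable
            if (falsetickers) {
                printf "WARNING: %d falseticker(s)\n", falsetickers
                exit 2
            }
            exit (selected == "" ? 1 : 0)
        }
    '
}

# Constructed sample: the sources shown in the article, without the prompt line.
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp-a2.nict.go.jp             1   6    17     0   -356us[ +332us] +/- 6653us
^+ v160-16-113-133.ntp.tky2>     3   6    17     1   +666us[+1354us] +/- 7073us
^+ ipv4.ntp3.rbauman.com         2   6    17     1   +356us[+1044us] +/- 9545us
^- time.cloudflare.com           3   6    17     0  -3011us[-2323us] +/- 72ms'

printf '%s\n' "$SAMPLE_SOURCES" | chrony_sync_status
# On a live host:  chronyc sources | chrony_sync_status
```

On a live system the check is `chronyc sources | chrony_sync_status`; a non-zero exit status maps directly onto a monitoring alert, and exit status 2 is the one to look at first, since a falseticker usually means a misbehaving or spoofed upstream.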
5. Set the server time zone
Set the time zone to Japan (Asia/Tokyo).

    # timedatectl set-timezone Asia/Tokyo

Setup confirmation

    # timedatectl
                   Local time: Tue 2023-02-28 09:56:30 JST
               Universal time: Tue 2023-02-28 00:56:30 UTC
                     RTC time: Tue 2023-02-28 00:56:30
                    Time zone: Asia/Tokyo (JST, +0900)
    System clock synchronized: yes
                  NTP service: active
              RTC in local TZ: no
6. Install and configure the vim editor
① Installing the vim package

    # dnf -y install vim-enhanced

② Change the editor used by default

    # vi ~/.bashrc
    # Alias appended to the last line
    alias vi='vim'

    # source ~/.bashrc

③ Change the vim settings

    # vi ~/.vimrc

    " Use vim's own extensions (not compatible with vi)
    set nocompatible
    " Character encoding used inside vim
    set encoding=utf-8
    " File encodings to try when opening a file
    set fileencodings=utf-8,iso-2022-jp,sjis,euc-jp
    " Line ending formats to recognize automatically
    set fileformats=unix,dos
    " Keep a backup copy of edited files
    set backup
    " Directory in which backups are kept (create it first: mkdir ~/backup)
    set backupdir=~/backup
    " Number of command and search history entries to keep
    set history=50
    " Ignore case when searching
    set ignorecase
    " ... but make the search case-sensitive when the pattern contains capital letters
    set smartcase
    " Highlight words matching the search term
    set hlsearch
    " Use incremental search
    set incsearch
    " Display line numbers
    set number
    " Visualize line breaks ( $ ) and tabs ( ^I )
    set list
    " Highlight the matching parenthesis when one is entered
    set showmatch
    " No newline at the end of files
    set binary noeol
    " Enable automatic indentation
    set autoindent
    " Color-coded display by syntax
    syntax on
    " Change the color of comment text when [syntax on] is set
    highlight Comment ctermfg=LightCyan
    " Wrap lines at the window width
    set wrap