1.Disable SELinux
First, disable SELinux. SELinux is a feature that improves auditing and security in Linux, but when enabled it places considerable restrictions on the behavior of services and on what can be configured, so in many cases it is simply disabled. If you build a server by following a website and it does not work as expected, the cause may be that SELinux is enabled. Therefore, do not forget to disable it after installation.
You can disable it as follows.

    # getenforce      ← Check the SELinux state
    Enforcing         ← SELinux is enforcing
    # setenforce 0    ← Switch SELinux to permissive mode
    # getenforce      ← Check the SELinux state again
    Permissive        ← SELinux no longer enforces its policy

As it stands, SELinux will be enabled again once the server is restarted, so to disable SELinux permanently, modify the /etc/sysconfig/selinux file.

    # vi /etc/sysconfig/selinux

Change "SELINUX=enforcing" to "SELINUX=disabled"

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=disabled
    # SELINUXTYPE= can take one of these three values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted

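As an added example (not part of the original page), the following shell functions read the SELINUX= line that will apply at the next boot and compare it with the running mode printed by getenforce, which makes the gap between the setenforce step and the config file edit visible. The function names and the sample config are constructed for illustration, and using the first active SELINUX= line is an assumption of this example.

```sh
# Added example: which SELinux mode applies at the next boot, and does it
# match the running mode? Reads the config from a file argument or stdin.
selinux_boot_mode() {
    awk '
        /^SELINUX=/ && mode == "" {    # exact key at line start; SELINUXTYPE= and comments do not match
            mode = tolower(substr($0, 9)); gsub(/[ \t\r]/, "", mode)
        }
        END { if (mode == "") exit 1; print mode }
    ' "$@"
}

# $1 = running mode as printed by getenforce, $2 = path of the config file
selinux_pending_change() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    boot=$(selinux_boot_mode "$2") || { echo "no active SELINUX= line"; return 2; }
    if [ "$runtime" = "$boot" ]; then
        echo "consistent: $boot"
    else
        echo "reboot changes mode: $runtime -> $boot"
        return 1
    fi
}

# Constructed sample: an excerpt of the edited file from the step above.
sample_selinux_config() {
    cat <<'EOF'
#     enforcing - SELinux security policy is enforced.
SELINUX=disabled
SELINUXTYPE=targeted
EOF
}

sample_selinux_config | selinux_boot_mode
```

On a live system the check is `selinux_pending_change "$(getenforce)" /etc/sysconfig/selinux`.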
2.System Update
Package updates are performed as soon as possible after OS installation.
However, a plain dnf update also updates the kernel.
A kernel update may require rebooting the system or stopping services, or worse, a kernel panic may occur and the system may fail to boot. It is wiser to exclude the kernel from the update.
Add "--exclude=kernel*" after "update" to exclude the kernel from updates. Kernel fixes, including security fixes, are then installed only when you later run the update without the exclusion.

    # dnf -y update --exclude=kernel*

3.Services to be stopped due to security measures
Stop the following services that you deem unnecessary.

    # systemctl stop atd.service
    # systemctl disable atd.service
    # systemctl stop kdump.service
    # systemctl disable kdump.service
    # systemctl stop lvm2-monitor.service
    # systemctl disable lvm2-monitor.service
    # systemctl stop mdmonitor.service
    # systemctl disable mdmonitor.service
    # systemctl stop smartd.service
    # systemctl disable smartd.service
    # systemctl stop tuned.service
    # systemctl disable tuned.service
    # systemctl stop dm-event.socket
    # systemctl disable dm-event.socket

4.Adding Repositories
4.1 Add EPEL repository

    # dnf -y install epel-release
    # vi /etc/yum.repos.d/epel.repo

    [epel]
    name=Extra Packages for Enterprise Linux $releasever - $basearch
    # It is much more secure to use the metalink, but if you wish to use a local mirror
    # place its address here.
    #baseurl=https://download.example/pub/epel/$releasever/Everything/$basearch
    metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir
    enabled=1      ← Repository enabled (0 : Repository disabled)
    priority=10    ← Specify priority in the range of 1~99
    gpgcheck=1
    countme=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8

4.2 Add Remi's RPM repository

    # dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm

    # vi /etc/yum.repos.d/remi-safe.repo

    # This repository is safe to use with RHEL/CentOS base repository
    # it only provides additional packages for the PHP stack
    # all dependencies are in base repository or in EPEL

    [remi-safe]
    name=Safe Remi's RPM repository for Enterprise Linux 8 - $basearch
    #baseurl=http://rpms.remirepo.net/enterprise/8/safe/$basearch/
    #mirrorlist=https://rpms.remirepo.net/enterprise/8/safe/$basearch/httpsmirror
    mirrorlist=http://cdn.remirepo.net/enterprise/8/safe/$basearch/mirror
    enabled=1      ← Repository enabled (0 : Repository disabled)
    priority=10    ← Specify priority in the range of 1~99
    gpgcheck=1
    repo_gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi.el8

    [remi-safe-debuginfo]
    name=Remi's RPM repository for Enterprise Linux 8 - $basearch - debuginfo
    baseurl=http://rpms.remirepo.net/enterprise/8/debug-remi/$basearch/

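As an added example (not from the original page or from the EPEL or Remi projects), this shell function summarises, for each section of a .repo file, the transport used to reach the repository and whether gpgcheck and repo_gpgcheck are set. The function names, the status labels and the [local-mirror] section are constructed for illustration; an unset gpgcheck is reported for review because it is then inherited from the [main] section of dnf.conf.

```sh
# Added example: per-section transport and signature settings of a dnf .repo file (file argument or stdin).
audit_repo_file() {
    awk '
    function bool(v) {                 # dnf booleans: 1/yes/true/on and 0/no/false/off
        v = tolower(v)
        return (v ~ /^(1|yes|true|on)$/) ? "1" : ((v ~ /^(0|no|false|off)$/) ? "0" : v)
    }
    function report(   st) {
        if (id == "") return
        if (en == "0") st = "disabled"
        else if (gpg == "") st = "REVIEW:gpgcheck-inherited"
        else if (gpg != "1") st = "WEAK:gpgcheck-off"
        else if (scheme == "http" && rgpg != "1") st = "REVIEW:http-metadata-unsigned"
        else st = "ok"
        printf "%s transport=%s gpgcheck=%s repo_gpgcheck=%s %s\n", id,
            (scheme == "" ? "none" : scheme), (gpg == "" ? "unset" : gpg), (rgpg == "" ? "unset" : rgpg), st
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                  # a new [section] starts
        report(); id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
        en = gpg = rgpg = scheme = ""; next
    }
    {
        eq = index($0, "="); if (eq == 0) next     # split at the first "=" only
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (key == "enabled") en = bool(val)
        else if (key == "gpgcheck") gpg = bool(val)
        else if (key == "repo_gpgcheck") rgpg = bool(val)
        else if (key ~ /^(baseurl|mirrorlist|metalink)$/ && scheme != "http") {
            scheme = tolower(val); sub(/:.*/, "", scheme)   # keep http once any source uses it
        }
    }
    END { report() }
    ' "$@"
}
# Constructed sample: [remi-safe] uses the values shown above; [local-mirror] is hypothetical.
sample_repo() {
    cat <<'EOF'
[remi-safe]
mirrorlist=http://cdn.remirepo.net/enterprise/8/safe/$basearch/mirror
gpgcheck=1
repo_gpgcheck=1
[local-mirror]
baseurl=http://mirror.example/el8/$basearch/
gpgcheck=0
EOF
}
sample_repo | audit_repo_file
```

To check the installed files, run `audit_repo_file /etc/yum.repos.d/*.repo`.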
5.Network Settings
5.1 Host Name Change
As a trial, change the host name to Lepard.

    # hostnamectl set-hostname Lepard
    # reboot
    [huong@Lepard:~]$

5.2 Static IP address setting
If the server was set to obtain its IP address via DHCP during OS installation, change the network settings to a static IP address if necessary.
This time, the static IPv4 address is 192.168.11.83 and the router address is 192.168.11.1.
First find out the name of your network interface with the following command.
In this case, it is "ens160".

    # nmcli device
    DEVICE  TYPE      STATE      CONNECTION
    ens160  ethernet  connected  ens160
    lo      loopback  unmanaged  --

①How to edit and change network configuration files

    # vi /etc/sysconfig/network-scripts/ifcfg-ens160

    TYPE=Ethernet
    PROXY_METHOD=none
    BROWSER_ONLY=no
    BOOTPROTO=dhcp
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    IPV6_ADDR_GEN_MODE=eui64
    NAME=ens160
    UUID=a2cb5a26-1cd7-4d13-b94c-c70fa17a6601
    DEVICE=ens160
    ONBOOT=yes

Change as follows

    TYPE=Ethernet
    PROXY_METHOD=none
    BROWSER_ONLY=no
    BOOTPROTO=static          ← Change
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    IPV6_ADDR_GEN_MODE=eui64
    NAME=ens160
    UUID=a2cb5a26-1cd7-4d13-b94c-c70fa17a6601
    DEVICE=ens160
    ONBOOT=yes
    IPADDR=192.168.11.83      ← Add
    NETMASK=255.255.255.0     ← Add
    GATEWAY=192.168.11.1      ← Add
    DNS1=192.168.11.1         ← Add

To apply the settings, restart NetworkManager.

    # systemctl restart NetworkManager

➁How to change with nmcli command

    # Fixed IPv4 address setting
    # nmcli connection modify ens160 ipv4.addresses 192.168.11.83/24

    # Gateway configuration
    # nmcli connection modify ens160 ipv4.gateway 192.168.11.1

    # DNS server to refer to
    # nmcli connection modify ens160 ipv4.dns 192.168.11.1

    # DNS search base settings (own domain name)
    # nmcli connection modify ens160 ipv4.dns-search [domain]

    # Set to fixed IP address assignment
    # nmcli connection modify ens160 ipv4.method manual

Restart the interface to apply the settings.

    # nmcli connection down ens160; nmcli connection up ens160

6.Vim Configuration
①Install Vim

    # dnf -y install vim-enhanced

②Apply the Vim alias

    # vi ~/.bashrc
    # Append the alias to the last line
    alias vi='vim'

    # Apply the configuration
    # source ~/.bashrc

③Configure Vim as a user-specific environment

    # vi ~/.vimrc

    " Use vim's own extensions (not compatible with vi)
    set nocompatible
    " Specify character code
    set encoding=utf-8
    " Specify file encodings (tried in order from the first until one succeeds)
    set fileencodings=utf-8,iso-2022-jp,sjis,euc-jp
    " Specify the line feed codes to be recognized automatically
    set fileformats=unix,dos
    " Create backups
    set backup
    " Specify the directory in which backups are stored
    set backupdir=~/backup
    " Number of generations of search history to keep
    set history=50
    " Do not distinguish between upper and lower case letters when searching
    set ignorecase
    " Mixing capital letters in search terms makes the search case sensitive
    set smartcase
    " Highlight words matching your search term
    set hlsearch
    " Use incremental search
    set incsearch
    " Display line numbers
    set number
    " Visualize line breaks ( $ ) and tabs ( ^I )
    set list
    " Highlight the matching parenthesis when entering parentheses
    set showmatch
    " No newlines at the end of files
    set binary noeol
    " Enable automatic indentation
    set autoindent
    " Color-coded display by syntax
    syntax on
    " Change color of comment text in case of syntax on
    highlight Comment ctermfg=LightCyan
    " Wrap lines by window width
    set wrap