1. SELinux Disable
First, disable SELinux. SELinux is a mandatory access control layer that confines services and improves auditing on Linux, but while it is enforcing it can considerably restrict what services may do and how they can be configured.
For that reason it is simply switched off in many setups, and this guide does the same. Be clear about what is given up: with SELinux disabled a compromised service is no longer confined, so only do this on a host where that trade-off is acceptable. If the goal is just to get past a denial while configuring a service, "setenforce 0" puts SELinux into permissive mode without a reboot (denials are logged but not enforced), and "ausearch -m AVC" shows what would have been blocked.
To disable it at boot, add selinux=0 to the kernel command line with grubby:
# grubby --update-kernel ALL --args selinux=0
Reboot the system:
# reboot
Confirm the change after the reboot:
# getenforce
Disabled
2. System update & services stopped as a security measure
2.1 System update
Bring every installed package up to date before changing anything else:
# dnf -y upgrade
Upgraded:
  ModemManager-1.18.8-1.fc36.x86_64
  ModemManager-glib-1.18.8-1.fc36.x86_64
  NetworkManager-1:1.38.4-1.fc36.x86_64
  NetworkManager-bluetooth-1:1.38.4-1.fc36.x86_64
  NetworkManager-libnm-1:1.38.4-1.fc36.x86_64
  NetworkManager-team-1:1.38.4-1.fc36.x86_64
  NetworkManager-wifi-1:1.38.4-1.fc36.x86_64
  NetworkManager-wwan-1:1.38.4-1.fc36.x86_64
  alsa-sof-firmware-2.2.2-1.fc36.noarch
  alternatives-1.21-1.fc36.x86_64
  ......omission......
Installed:
  amd-gpu-firmware-20220913-140.fc36.noarch
  cronie-1.5.7-5.fc36.x86_64
  cronie-anacron-1.5.7-5.fc36.x86_64
  freetype-2.12.1-2.fc36.x86_64
  fuse3-3.10.5-2.fc36.x86_64
  fuse3-libs-3.10.5-2.fc36.x86_64
  google-noto-sans-mono-vf-fonts-20201206-10.fc36.noarch
  google-noto-serif-vf-fonts-20201206-10.fc36.noarch
  graphite2-1.3.14-9.fc36.x86_64
  grub2-tools-efi-1:2.06-54.fc36.x86_64
  grub2-tools-extra-1:2.06-54.fc36.x86_64
  harfbuzz-4.0.0-2.fc36.x86_64
  intel-gpu-firmware-20220913-140.fc36.noarch
  kernel-5.19.15-201.fc36.x86_64
  kernel-core-5.19.15-201.fc36.x86_64
  kernel-modules-5.19.15-201.fc36.x86_64
  libxcrypt-compat-4.4.28-1.fc36.x86_64
  mtools-4.0.41-1.fc36.x86_64
  nvidia-gpu-firmware-20220913-140.fc36.noarch
  python3-gobject-base-noarch-3.42.1-1.fc36.noarch
  reportd-0.7.4-8.fc36.x86_64
  rpm-plugin-systemd-inhibit-4.17.1-3.fc36.x86_64
  tpm2-tools-5.2-2.fc36.x86_64
Complete!
A new kernel was installed here, so the host has to be rebooted before it runs it; the reboots in the following steps take care of that.
2.2 Services stopped as a security measure
Every running service is code that can be attacked, so stop and disable what this host does not need. The list below is what was removed on this server. "systemctl disable --now" stops and disables a unit in one step; the stop/disable pairs are shown as they were run.
Check the list before copying it: lvm2-monitor.service and dm-event.socket are required if the host uses LVM (snapshots, thin pools and mirrored volumes are monitored through them), mdmonitor.service reports failures in software RAID (md) arrays, and smartd.service warns about failing disks. Keep those on a host that uses the corresponding storage. kdump.service and atd.service can go if you do not need kernel crash dumps or one-off scheduled jobs.
# systemctl stop atd.service
# systemctl disable atd.service
# systemctl stop kdump.service
# systemctl disable kdump.service
# systemctl stop lvm2-monitor.service
# systemctl disable lvm2-monitor.service
# systemctl stop mdmonitor.service
# systemctl disable mdmonitor.service
# systemctl stop smartd.service
# systemctl disable smartd.service
# systemctl stop dm-event.socket
# systemctl disable dm-event.socket
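To avoid disabling a unit the host still needs, the following bash script (an added example, not part of the original page) audits the unit list above against a snapshot of "systemctl list-unit-files", prints the disable commands for the units that are actually enabled, and refuses to drop the storage monitors when the host uses md RAID or LVM. The unit listing, the /proc/mdstat contents and the lvs output are constructed samples; on a real host substitute the real command output.

```bash
#!/bin/bash
# Added example (not from the original page): audit a list of units against a
# snapshot of `systemctl list-unit-files` before disabling anything, and refuse
# to drop the storage monitors when the host actually uses LVM or md RAID.
# Runs offline on constructed data; on a real host replace the samples with
#   systemctl list-unit-files --type=service,socket
#   cat /proc/mdstat
#   lvs --noheadings

# Units this guide stops (names taken from the page).
DENY_LIST="atd.service kdump.service lvm2-monitor.service mdmonitor.service smartd.service dm-event.socket"

# Constructed sample of `systemctl list-unit-files` output, not captured from a host.
SAMPLE_LISTING='UNIT FILE                  STATE    PRESET
atd.service                enabled  enabled
chronyd.service            enabled  enabled
kdump.service              enabled  enabled
lvm2-monitor.service       enabled  enabled
mdmonitor.service          disabled enabled
smartd.service             enabled  enabled
dm-event.socket            enabled  enabled
sshd.service               enabled  enabled

8 unit files listed.'

# Constructed /proc/mdstat contents: one with an active array, one without.
MDSTAT_RAID='Personalities : [raid1]
md0 : active raid1 sdb1[1] sda1[0]
      488254464 blocks super 1.2 [2/2] [UU]

unused devices: <none>'
MDSTAT_NONE='Personalities :
unused devices: <none>'

# Print deny-listed units whose STATE column is "enabled", in listing order.
# Reads the unit-file listing on stdin; the header and trailer never match.
units_to_disable() {
    awk -v deny="$DENY_LIST" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        $2 == "enabled" && ($1 in want) { print $1 }'
}

# Emit one `systemctl disable --now` per unit still enabled. Nothing is
# executed here; pipe the output into sh once you have reviewed it.
plan_disable() {
    units_to_disable | awk '{ print "systemctl disable --now " $1 }'
}

# Return 0 if the storage monitors can go, 1 (with a reason) if the host uses
# md RAID or LVM. $1 is /proc/mdstat content, $2 is `lvs --noheadings` output.
monitors_safe_to_disable() {
    mdstat=$1 lvs_out=$2 safe=yes
    if printf '%s\n' "$mdstat" | grep -Eq '^md[0-9]+ *: *active'; then
        echo "keep mdmonitor.service: active md array present"
        safe=no
    fi
    if [ -n "$(printf '%s' "$lvs_out" | tr -d '[:space:]')" ]; then
        echo "keep lvm2-monitor.service and dm-event.socket: LVM volumes present"
        safe=no
    fi
    [ "$safe" = yes ]
}

# Demo on the constructed data.
printf '%s\n' "$SAMPLE_LISTING" | plan_disable
if monitors_safe_to_disable "$MDSTAT_RAID" ""; then
    echo "storage monitors can be disabled"
else
    echo "keeping storage monitors"
fi
```

On the sample listing the plan skips mdmonitor.service because it is already disabled, and the RAID check vetoes removing the monitors; run the same two checks with real output before applying the list above.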
3. Network Settings
3.1 Set host name
Set the hostname to "Lepard", since no hostname was set during OS installation.
# hostnamectl set-hostname Lepard
Log in again after the change and the new hostname appears in the prompt.
# cat /etc/hostname
Lepard
3.2 Change network settings to a static IP address
(Replace the network interface name [ens160] with the name in your environment; it varies from machine to machine.)
Network device confirmation
# nmcli device
DEVICE  TYPE      STATE      CONNECTION
ens160  ethernet  connected  ens160
lo      loopback  unmanaged  --
Change the IP address of network interface [ens160] to "192.168.11.83". Run these from the console rather than over SSH: the final "nmcli connection down" cuts an SSH session that runs over this interface before the "up" completes.
Fixed IPv4 address
# nmcli connection modify ens160 ipv4.addresses 192.168.11.83/24
Gateway
# nmcli connection modify ens160 ipv4.gateway 192.168.11.1
DNS server
# nmcli connection modify ens160 ipv4.dns 192.168.11.1
DNS search domain (your own domain name)
# nmcli connection modify ens160 ipv4.dns-search <your domain name>
Switch from DHCP to fixed address assignment (this must come after the address is set; NetworkManager rejects method manual while the address list is empty)
# nmcli connection modify ens160 ipv4.method manual
Restart the interface to apply the settings
# nmcli connection down ens160; nmcli connection up ens160
Confirmation of settings
# nmcli device show ens160
GENERAL.DEVICE:                         ens160
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         00:0C:29:0C:EA:13
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     ens160
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveC>
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         192.168.11.83/24
IP4.GATEWAY:                            192.168.11.1
IP4.ROUTE[1]:                           dst = 192.168.11.0/24, nh = 0.0.0.0, mt>
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 192.168.11.1, mt >
IP4.DNS[1]:                             192.168.11.1
IP4.SEARCHES[1]:                        fedora.korodes.com
IP6.ADDRESS[1]:                         fe80::20c:29ff:fe0c:ea13/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:0c:ea:13 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe0c:ea13/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
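The sequence above is easy to get wrong by hand (a typo in the address, method manual before an address exists, the wrong interface name). The following bash script is an added example, not from the original page: it picks the wired interface out of terse nmcli output, validates the addresses, and prints the nmcli commands in the order NetworkManager requires, with a single "nmcli connection up" to re-apply the profile. The device listing is a constructed sample and the search domain "example.test" is an assumed placeholder; on a real host feed it "nmcli -t -f DEVICE,TYPE,STATE device" and pipe the printed commands into sh from a local console.

```bash
#!/bin/bash
# Added example (not from the original page): discover the wired interface
# from `nmcli -t` output, validate the addresses, and print the nmcli commands
# in the order NetworkManager requires. Runs offline on constructed data.

# Constructed terse output of `nmcli -t -f DEVICE,TYPE,STATE device`.
SAMPLE_DEVICES='ens160:ethernet:connected
lo:loopback:unmanaged'

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 if $1 is an IPv4 address in CIDR form with a prefix length 0..32.
valid_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    prefix=${1#*/}
    valid_ipv4 "${1%/*}" || return 1
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ]
}

# Read terse `nmcli -t -f DEVICE,TYPE,STATE device` output on stdin and print
# the first ethernet device name (prints nothing if there is none).
first_ethernet_device() {
    awk -F: '$2 == "ethernet" { print $1; exit }'
}

# Print the nmcli commands for a static IPv4 configuration.
# Arguments: device address/prefix gateway dns [search-domain]
static_ip_commands() {
    dev=$1 cidr=$2 gw=$3 dns=$4 search=$5
    valid_cidr "$cidr" || { echo "invalid address: $cidr" >&2; return 1; }
    valid_ipv4 "$gw"   || { echo "invalid gateway: $gw" >&2; return 1; }
    valid_ipv4 "$dns"  || { echo "invalid DNS server: $dns" >&2; return 1; }
    # Addresses go first: NetworkManager rejects ipv4.method manual while the
    # address list is still empty.
    printf 'nmcli connection modify %s ipv4.addresses %s\n' "$dev" "$cidr"
    printf 'nmcli connection modify %s ipv4.gateway %s\n' "$dev" "$gw"
    printf 'nmcli connection modify %s ipv4.dns %s\n' "$dev" "$dns"
    if [ -n "$search" ]; then
        printf 'nmcli connection modify %s ipv4.dns-search %s\n' "$dev" "$search"
    fi
    printf 'nmcli connection modify %s ipv4.method manual\n' "$dev"
    # Re-activating the profile applies the change. Do this from a local
    # console: the link goes down briefly, which ends an SSH session on it.
    printf 'nmcli connection up %s\n' "$dev"
}

# Demo with the values from this section; "example.test" is an assumed placeholder.
dev=$(printf '%s\n' "$SAMPLE_DEVICES" | first_ethernet_device)
static_ip_commands "$dev" 192.168.11.83/24 192.168.11.1 192.168.11.1 example.test
```

Because the script only prints commands, you can review them before running anything; a bad gateway or DNS address makes it exit non-zero with a message on stderr instead of emitting a half-applied configuration.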
3.3 Disable IPv6 if not needed
If IPv6 is not used on your network, disabling it removes an address family that services would otherwise listen on and that is easy to forget in firewall rules and monitoring. Note that ipv6.disable=1 removes IPv6 from the kernel entirely, including ::1, which some daemons expect to be able to bind to; if something breaks, the per-interface alternative is "nmcli connection modify ens160 ipv6.method disabled", which leaves the loopback address alone.
# grubby --update-kernel ALL --args ipv6.disable=1
# reboot
After the reboot no inet6 lines remain:
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:0c:ea:13 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
       valid_lft forever preferred_lft forever
4. Install NTP server and set up time synchronization service
Accurate time is more than a convenience: log timestamps you will later correlate, certificate validity checks and Kerberos all depend on it.
4.1 Chrony Install
chrony is installed by default on Fedora, so this usually just confirms that it is present:
# dnf -y install chrony
4.2 Editing Configuration Files
# vi /etc/chrony.conf
# Around line 3: change the NTP server used for time synchronization.
# The server itself synchronizes with upstream NTP servers as an NTP client.
#pool 2.fedora.pool.ntp.org iburst
pool ntp.nict.jp iburst
# Around line 26: add the network from which NTP client requests are accepted.
# Specify your own local network.
allow 192.168.11.0/24
The "allow" line is what turns chronyd into a server: without it, chronyd answers no client requests at all. Keep it as narrow as your network allows rather than opening it to everything.
4.3 Restart chrony so the new configuration is read, and enable it so it starts after a reboot
# systemctl restart chronyd.service
# systemctl enable chronyd.service
4.4 NTP service permission required if Firewalld is enabled
This is only needed if other hosts will use this server as their NTP source; as a client chronyd needs no inbound rule. Note that NTP uses [123/UDP], which is what the firewalld "ntp" service opens.
Firewalld is explained in detail in a later section, so here we just open the NTP port with the following commands.
# firewall-cmd --add-service=ntp --permanent
success
# firewall-cmd --reload
success
4.5 Check chronyd status (behavior)
# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp-a2.nict.go.jp             1   6   377    39    +12us[  +12us] +/- 5805us
^+ ntp-b3.nict.go.jp             1   6   377    37   -195us[ -195us] +/- 5353us
^* ntp-b2.nict.go.jp             1   6   377    40   +127us[ +128us] +/- 5545us
^+ ntp-a3.nict.go.jp             1   6   377    40   -308us[ -308us] +/- 5538us
The source marked "*" is the one chronyd is currently synchronized to; "+" marks the other sources it considers good and combines with it. A Reach value of 377 (octal) means the last eight polls all succeeded. Source selection can take a few minutes after startup; until then no line carries "*".
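The two hand steps in 4.2 and 4.5 (editing chrony.conf and reading the "*" out of chronyc sources) are done below by a bash script that is an added example, not part of the original page. It rewrites a copy of chrony.conf so that the pool line points at the chosen server and an allow line for the LAN exists exactly once, and it extracts the selected source from "chronyc sources" output, failing when no source is selected yet. The configuration excerpt and the chronyc output are constructed samples (the chronyc lines copy the shape of the output above); on a real host point CONF at /etc/chrony.conf and pipe in "chronyc sources".

```bash
#!/bin/bash
# Added example (not from the original page): apply the chrony.conf changes
# from this section to a file and verify synchronisation from `chronyc sources`
# output. Runs on constructed data; on a real host use /etc/chrony.conf and
# `chronyc sources | synced_source`.

# Constructed excerpt of a Fedora default chrony.conf (not copied from a host).
DEFAULT_CONF='# Use public servers from the pool.ntp.org project.
pool 2.fedora.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
#allow 192.168.0.0/16
logdir /var/log/chrony'

# Constructed `chronyc sources` output with one selected ("*") source.
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp-a2.nict.go.jp             1   6   377    39    +12us[  +12us] +/- 5805us
^* ntp-b2.nict.go.jp             1   6   377    40   +127us[ +128us] +/- 5545us'

# Rewrite the file $1 in place: the first active pool/server line becomes
# "pool $2 iburst", any further pool/server lines are dropped, and
# "allow $3" is appended unless it is already present. Commented-out lines
# and every other directive are kept, so running it twice changes nothing.
configure_chrony() {
    conf=$1 pool=$2 lan=$3
    tmp=$(mktemp)
    awk -v pool="$pool" -v lan="$lan" '
        /^(pool|server)[ \t]/ { if (!done) { print "pool " pool " iburst"; done = 1 }; next }
        /^allow[ \t]/ && $2 == lan { have = 1 }
        { print }
        END { if (!have) print "allow " lan }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the selected (synchronised) source from `chronyc sources` output on
# stdin; return 1 if chronyd has not selected a source yet.
synced_source() {
    awk '$1 == "^*" { print $2; found = 1 } END { exit !found }'
}

# Demo on the constructed data: the pool from this section and the LAN range.
demo=$(mktemp)
printf '%s\n' "$DEFAULT_CONF" > "$demo"
configure_chrony "$demo" ntp.nict.jp 192.168.11.0/24
cat "$demo"
rm -f "$demo"
printf '%s\n' "$SAMPLE_SOURCES" | synced_source && echo "chronyd is synchronised"
```

The idempotent rewrite matters when the step is scripted for several hosts: a plain "echo allow ... >> /etc/chrony.conf" adds a duplicate line on every run. The exit status of synced_source makes it usable as a check after the restart in 4.3, for example in a loop that waits until a source is selected.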
5. Set server time zone
Set the time zone to Japan (Tokyo):
# timedatectl set-timezone Asia/Tokyo
# timedatectl
               Local time: Sun 2022-10-16 17:15:04 JST
           Universal time: Sun 2022-10-16 08:15:04 UTC
                 RTC time: Sun 2022-10-16 08:15:05
                Time zone: Asia/Tokyo (JST, +0900)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no
The "System clock synchronized: yes" line confirms that chrony from the previous section has adjusted the clock.