1. Disable SELinux
First, disable SELinux. SELinux is a feature that improves auditing and security on Linux, but when it is enabled it can considerably restrict how services behave and how they can be configured.
For that reason it is disabled in many cases.
You can disable it as follows:
    # grubby --update-kernel ALL --args selinux=0
    # reboot
Confirm the state after the reboot:
    # getenforce
    Disabled
2. System Update & Services Stopped as a Security Measure
2.1 System update
    # dnf -y upgrade
2.2 Stop services that are not needed, as a security measure
    # systemctl stop atd.service
    # systemctl disable atd.service
    # systemctl stop kdump.service
    # systemctl disable kdump.service
    # systemctl stop lvm2-monitor.service
    # systemctl disable lvm2-monitor.service
    # systemctl stop mdmonitor.service
    # systemctl disable mdmonitor.service
    # systemctl stop smartd.service
    # systemctl disable smartd.service
    # systemctl stop dm-event.socket
    # systemctl disable dm-event.socket
3. Network Settings
3.1 Set the host name
Set the host name if it was not set during OS installation.
To set it to "Lepard":
    # hostnamectl set-hostname Lepard
Log in again after the change and the new hostname will be reflected in the prompt.
    # cat /etc/hostname
    Lepard
3.2 Change the network settings to a static IP address
(Replace the network interface name [ens160] with the name used in your environment, since it varies from system to system.)
Check the network devices:
    # nmcli device
    DEVICE  TYPE      STATE      CONNECTION
    ens160  ethernet  connected  ens160
    lo      loopback  unmanaged  --
Change the IP address of network interface [ens160] to "192.168.11.83":
    # Fixed IPv4 address setting
    # nmcli connection modify ens160 ipv4.addresses 192.168.11.83/24
    # Gateway configuration
    # nmcli connection modify ens160 ipv4.gateway 192.168.11.1
    # DNS server to use
    # nmcli connection modify ens160 ipv4.dns 192.168.11.1
    # DNS search base setting (own domain name)
    # nmcli connection modify ens160 ipv4.dns-search <own domain name>
    # Set to fixed IP address assignment
    # nmcli connection modify ens160 ipv4.method manual
    # Restart the interface to apply the settings
    # nmcli connection down ens160; nmcli connection up ens160
Confirmation of the settings:
    # nmcli device show ens160
    GENERAL.DEVICE:                         ens160
    GENERAL.TYPE:                           ethernet
    GENERAL.HWADDR:                         00:0C:29:0C:EA:13
    GENERAL.MTU:                            1500
    GENERAL.STATE:                          100 (connected)
    GENERAL.CONNECTION:                     ens160
    GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveC>
    WIRED-PROPERTIES.CARRIER:               on
    IP4.ADDRESS[1]:                         192.168.11.83/24
    IP4.GATEWAY:                            192.168.11.1
    IP4.ROUTE[1]:                           dst = 192.168.11.0/24, nh = 0.0.0.0, mt>
    IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 192.168.11.1, mt >
    IP4.DNS[1]:                             192.168.11.1
    IP4.SEARCHES[1]:                        <own domain name>
    IP6.ADDRESS[1]:                         fe80::20c:29ff:fe0c:ea13/64
    IP6.GATEWAY:                            --
    IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024

    # ip address
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:0c:29:0c:ea:13 brd ff:ff:ff:ff:ff:ff
        altname enp3s0
        inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:fe0c:ea13/64 scope link noprefixroute
           valid_lft forever preferred_lft forever
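A check worth running before the "nmcli connection down ens160; nmcli connection up ens160" step, because a mistyped address or gateway leaves the machine reachable only from the console: the POSIX shell script below is an added example, not part of the original article, and its function names (ip_to_int, same_subnet, nmcli_static_plan) are its own. It validates the address/prefix, gateway and DNS values and prints the nmcli commands from this section as a reviewable dry run instead of executing them.

```sh
#!/bin/sh
# Added example (not from the original article): validate a static IPv4
# configuration before handing it to nmcli, then print the nmcli commands from
# section 3.2 for review instead of running them. Function names are this
# example's own; the nmcli options printed are the ones used in the article.

# ip_to_int ADDRESS -> prints the dotted-quad address as a 32-bit integer,
# exit 1 if ADDRESS is not four octets in the range 0-255.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDRESS/PREFIX GATEWAY -> exit 0 when GATEWAY lies inside the
# network that ADDRESS/PREFIX describes, 1 on a mismatch or malformed input.
same_subnet() {
    addr=${1%/*}
    prefix=${1#*/}
    case $prefix in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    a=$(ip_to_int "$addr") || return 1
    g=$(ip_to_int "$2") || return 1
    # Netmask as an integer: all ones minus the host bits (relies on 64-bit
    # shell arithmetic, which dash and bash provide on 64-bit systems).
    mask=$(( 0xFFFFFFFF ^ ((1 << (32 - prefix)) - 1) ))
    [ "$a" -ne "$g" ] || return 1   # the gateway must not be our own address
    [ $(( a & mask )) -eq $(( g & mask )) ]
}

# nmcli_static_plan IFACE ADDRESS/PREFIX GATEWAY DNS [SEARCH-DOMAIN]
# Prints the nmcli commands (one per line) after validation; prints nothing
# and exits 1 if the values are inconsistent.
nmcli_static_plan() {
    iface=$1 cidr=$2 gw=$3 dns=$4 search=$5
    same_subnet "$cidr" "$gw" || { echo "gateway $gw is not inside $cidr" >&2; return 1; }
    ip_to_int "$dns" >/dev/null || { echo "invalid DNS address: $dns" >&2; return 1; }
    printf 'nmcli connection modify %s ipv4.addresses %s\n' "$iface" "$cidr"
    printf 'nmcli connection modify %s ipv4.gateway %s\n' "$iface" "$gw"
    printf 'nmcli connection modify %s ipv4.dns %s\n' "$iface" "$dns"
    [ -z "$search" ] || printf 'nmcli connection modify %s ipv4.dns-search %s\n' "$iface" "$search"
    printf 'nmcli connection modify %s ipv4.method manual\n' "$iface"
    printf 'nmcli connection down %s; nmcli connection up %s\n' "$iface" "$iface"
}

# Values from the article, then a deliberately wrong gateway that is rejected.
nmcli_static_plan ens160 192.168.11.83/24 192.168.11.1 192.168.11.1
nmcli_static_plan ens160 192.168.11.83/24 192.168.12.1 192.168.11.1 || echo "plan rejected (expected)"
```

Once the printed plan looks right it can be piped into sh on the host. The validation only catches values that are inconsistent with each other, not a gateway that is in the right subnet but simply wrong, so the nmcli device show confirmation above is still worth doing afterwards.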
3.3 Disable IPv6 if not needed
    # grubby --update-kernel ALL --args ipv6.disable=1
    # reboot

    # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:0c:29:0c:ea:13 brd ff:ff:ff:ff:ff:ff
        altname enp3s0
        inet 192.168.11.83/24 brd 192.168.11.255 scope global noprefixroute ens160
           valid_lft forever preferred_lft forever
4. Install an NTP Server and Set Up Time Synchronization
4.1 Install chrony
    # dnf -y install chrony
4.2 Change the configuration file as follows
    # vi /etc/chrony.conf
    # Line 2: change the NTP server used for time synchronization
    # pool 2.fedora.pool.ntp.org iburst
    pool ntp.nict.jp iburst
    # Line 27: add the network from which time synchronization requests from NTP clients are accepted
    # (specify your local network, etc.)
    allow 192.168.11.0/24
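Editing /etc/chrony.conf by hand as shown is fine for one machine; for a repeatable setup the same two changes can be applied with sed and grep. The script below is an added example and is not part of the original article: write_sample_conf creates a constructed stand-in for /etc/chrony.conf so the example can run anywhere, and configure_chrony_conf applies the change to whatever file it is given (pass /etc/chrony.conf on the real host). Unlike the manual edit it appends the pool and allow lines at the end of the file rather than at lines 2 and 27 (chronyd does not care about the position), and it can be run repeatedly without duplicating lines.

```sh
#!/bin/sh
# Added example (not from the original article): apply the two chrony.conf
# changes from section 4.2 non-interactively and idempotently, so the edit can
# be repeated or run from a provisioning script without duplicating lines.

# write_sample_conf FILE -- constructed excerpt of a stock chrony.conf, used
# here only so the example can run without a real /etc/chrony.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Use public servers from the pool.ntp.org project.
pool 2.fedora.pool.ntp.org iburst

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Allow NTP client access from local network.
#allow 192.168.0.0/16
EOF
}

# configure_chrony_conf FILE POOL NETWORK
#   1. comments out every active "pool"/"server" line except the desired one
#   2. appends "pool POOL iburst" if it is not already present
#   3. appends "allow NETWORK" if it is not already present
configure_chrony_conf() {
    conf=$1
    pool=$2
    net=$3
    tmp="$conf.tmp"
    # sed -i is not portable between GNU and BSD sed, so write a copy and move it.
    sed -e "/^pool $pool iburst\$/!s/^pool /# pool /" \
        -e 's/^server /# server /' "$conf" > "$tmp" && mv "$tmp" "$conf" || return 1
    grep -qxF "pool $pool iburst" "$conf" || echo "pool $pool iburst" >> "$conf"
    grep -qxF "allow $net" "$conf" || echo "allow $net" >> "$conf"
}

# count_active FILE DIRECTIVE -- number of uncommented lines starting with DIRECTIVE.
count_active() {
    grep -c "^$2 " "$1"
}

# Demonstration on the constructed sample (writes only under $TMPDIR or /tmp).
demo=${TMPDIR:-/tmp}/chrony_example_$$.conf
write_sample_conf "$demo"
configure_chrony_conf "$demo" ntp.nict.jp 192.168.11.0/24
cat "$demo"
rm -f "$demo"
```

After configure_chrony_conf the file has exactly one active pool line and one active allow line, and running it a second time changes nothing, which is what a configuration-management run expects.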
4.3 Restart chronyd and enable it so that it starts at boot
    # systemctl enable chronyd.service
4.4 Allow the NTP service through firewalld if it is enabled
Note that NTP uses [123/UDP].
firewalld is explained in detail in the next section, so here we only open the NTP port with the following commands:
    # firewall-cmd --add-service=ntp --permanent
    success
    # firewall-cmd --reload
    success
4.5 Check the chronyd status (operation)
    # chronyc sources
The output is displayed as follows:
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^+ ntp-a2.nict.go.jp             1   6   377    56    -15us[  -71us] +/- 5282us
    ^+ ntp-b3.nict.go.jp             1   6   377    54    -94us[  -94us] +/- 5357us
    ^* ntp-k1.nict.jp                1   6   377    54   -232us[ -288us] +/- 3333us
    ^+ ntp-b2.nict.go.jp             1   6   377    55    -98us[ -154us] +/- 5465us
The source marked with * is the one currently being synchronized to. (It takes about 10 minutes after startup for synchronization to complete.)
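To turn the chronyc sources table into something a post-install check or a monitoring script can act on, the following added example (not from the original article) parses it with awk. It is fed a constructed copy of the output above and decodes the MS column according to the legend in chronyc(1); the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the original article): parse the "chronyc sources"
# table from section 4.5 and report whether a source has been selected. The
# state letters follow the chronyc(1) legend: * selected, + candidate,
# - excluded, x falseticker, ? unreachable. Function names are this example's.

# Constructed sample: the same columns and values as the article's output.
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ ntp-a2.nict.go.jp             1   6   377    56    -15us[  -71us] +/- 5282us
^+ ntp-b3.nict.go.jp             1   6   377    54    -94us[  -94us] +/- 5357us
^* ntp-k1.nict.jp                1   6   377    54   -232us[ -288us] +/- 3333us
^+ ntp-b2.nict.go.jp             1   6   377    55    -98us[ -154us] +/- 5465us'

# selected_source TABLE -> prints the name of the "^*" source; exit 1 if none
# (which is the normal state during the first ~10 minutes after chronyd starts).
selected_source() {
    printf '%s\n' "$1" | awk '$1 == "^*" { print $2; found = 1 } END { exit !found }'
}

# source_states TABLE -> one "name state" pair per source line, decoding the
# second character of the MS column. Source lines start with ^ (server),
# = (peer) or # (reference clock); the header and ==== rule are skipped.
source_states() {
    printf '%s\n' "$1" | awk '
        length($1) == 2 && index("^=#", substr($1, 1, 1)) > 0 {
            s = substr($1, 2, 1)
            state = "unknown"
            if (s == "*") state = "selected"
            else if (s == "+") state = "candidate"
            else if (s == "-") state = "excluded"
            else if (s == "x") state = "falseticker"
            else if (s == "?") state = "unreachable"
            print $2, state
        }'
}

# stale_sources TABLE -> names whose Reach column is not 377 (at least one of
# the last eight polls went unanswered); prints nothing when all are healthy.
stale_sources() {
    printf '%s\n' "$1" | awk 'length($1) == 2 && index("^=#", substr($1, 1, 1)) > 0 && $5 != "377" { print $2 }'
}

# Run on the sample, then on the live system if chronyc is installed.
if src=$(selected_source "$SAMPLE_SOURCES"); then
    echo "sample: synchronized to $src"
else
    echo "sample: not yet synchronized"
fi
if command -v chronyc >/dev/null 2>&1; then
    selected_source "$(chronyc sources)" || echo "live system: no source selected yet"
fi
```

The exit status of selected_source is the useful part: a provisioning step can wait on it instead of sleeping a fixed ten minutes, and stale_sources flags a server that has started dropping polls before it is dropped from the selection.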
5. Set the Server Time Zone
Set the time zone to Japan (Tokyo):
    # timedatectl set-timezone Asia/Tokyo
Confirmation:
    # timedatectl
                   Local time: Sun 2022-10-16 17:15:04 JST
               Universal time: Sun 2022-10-16 08:15:04 UTC
                     RTC time: Sun 2022-10-16 08:15:05
                    Time zone: Asia/Tokyo (JST, +0900)
    System clock synchronized: yes
                  NTP service: active
              RTC in local TZ: no