Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Mastering CentOS 7 Linux Server
  • Table Of Contents Toc
Mastering CentOS 7 Linux Server

Mastering CentOS 7 Linux Server

By : Alibi, BHASKARJYOTI ROY
3.7 (16)
Buy this Book
close
close
Mastering CentOS 7 Linux Server

Mastering CentOS 7 Linux Server

3.7 (16)
By: Alibi, BHASKARJYOTI ROY
Buy this Book

Overview of this book

Most server infrastructures are equipped with at least one Linux server that provides many essential services, both for a user's demands and for the infrastructure itself. Setting up a sustainable Linux server is one of the most demanding tasks for a system administrator to perform. However, learning multiple, new technologies to meet all of their needs is time-consuming. CentOS 7 is the brand new version of the CentOS Linux system under the RPM (Red Hat) family. It is one of the most widely-used operating systems, being the choice of many organizations across the world. With the help of this book, you will explore the best practices and administration tools of CentOS 7 Linux server along with implementing some of the most common Linux services. We start by explaining the initial steps you need to carry out after installing CentOS 7 by briefly explaining the concepts related to users, groups, and right management, along with some basic system security measures. Next, you will be introduced to the most commonly used services and shown in detail how to implement and deploy them so they can be used by internal or external users. Soon enough, you will be shown how to monitor the server. We will then move on to master the virtualization and cloud computing techniques. Finally, the book wraps up by explaining configuration management and some security tweaks. All these topics and more are covered in this comprehensive guide, which briefly demonstrates the latest changes to all of the services and tools with the recent shift from CentOS 6 to CentOS 7.
Table of Contents (11 chapters)
close
close
close
Preface
Icon
Preface
Icon
What this book covers
Icon
What you need for this book
Icon
Who this book is for
Icon
Conventions
Icon
Reader feedback
Icon
Customer support
Lock Free Chapter
1
1. Advanced User Management
chevron up
Icon
1. Advanced User Management
Icon
Managing users and groups from GUI and the command line
Icon
Quotas
Icon
Password aging
Icon
Sudoers
Icon
Reference
Icon
Summary
2
2. Security
Icon
2. Security
Icon
Introducing SELinux
Icon
Domain transition
Icon
SELinux users
Icon
Restricting access to su or sudo
Icon
SELinux audit logs
Icon
SELinux troubleshooting
Icon
Summary
3
3. Linux for Different Purposes
Icon
3. Linux for Different Purposes
Icon
Configuring a gateway server
Icon
Setting up a VPN server
Icon
Implementing BIND as a DNS server
Icon
Setting up a web server using Apache-MySQL-PHP
Icon
Setting up an FTP server
Icon
Securing Apache and FTP with OpenSSL
Icon
References
Icon
Summary
4
4. Mail Server with Postfix
Icon
4. Mail Server with Postfix
Icon
Setting up and configuring of Postfix mail server
Icon
Setting up MariaDB for virtual domains and users
Icon
Setting up a mail tool (Dovecot) to retrieve mails
Icon
Configuring the OpenLDAP Active Directory with Postfix
Icon
Securing the mail server using SSL/TLS
Icon
References
Icon
Summary
5
5. Monitoring and Logging
Icon
5. Monitoring and Logging
Icon
Open source monitoring tools
Icon
Setting up Nagios as a monitoring server
Icon
Tools to set up a logging server
Icon
Setting up and configuring Syslog-ng
Icon
References
Icon
Summary
6
6. Virtualization
Icon
6. Virtualization
Icon
The basics of virtualization on Linux
Icon
Full virtualization
Icon
Paravirtualization
Icon
Setting up Xen on CentOS 7
Icon
Setting up KVM for full virtualization on CentOS 7
Icon
Setting up OpenVZ virtualization on CentOS 7
Icon
Setting up VirtualBox virtualization on CentOS 7
Icon
Setting up Docker on CentOS 7
Icon
Establishing services' high availability using HAProxy
Icon
References
Icon
Summary
7
7. Cloud Computing
Icon
7. Cloud Computing
Icon
An overview of cloud computing
Icon
Cloud computing services
Icon
Introducing OpenStack
Icon
Components of OpenStack
Icon
Installing and configuring OpenStack
Icon
References
Icon
Summary
8
8. Configuration Management
Icon
8. Configuration Management
Icon
Introducing configuration management
Icon
Open source configuration management tools
Icon
References
Icon
Summary
9
9. Some Additional Tricks and Tools
Icon
9. Some Additional Tricks and Tools
Icon
SSH for remote connection
Icon
Securing SSH and the root login configuration
Icon
SSH key-based authentication
Icon
Installing and configuring SpamAssassin
Icon
Setting up the Clamav antivirus
Icon
Configuring Mytop for a MySQL database
Icon
Setting up Samba and NFS for file sharing
Icon
Introducing the Linux system and network monitoring tools
Icon
References
Icon
Summary
10
Index
Icon
Index

Password aging

It is a good policy to have password aging so that the users are forced to change their passwords at a certain interval. This, in turn, helps to keep the security of the system as well.

We can use chage to configure the password to expire the first time the user logs in to the system.

Note

Note: This process will not work if the user logs in to the system using SSH.

This method of using chage will ensure that the user is forced to change the password right away.

Tip

If we use only chage <username>, it will display the current password aging value for the specified user and will allow them to be changed interactively.

The following steps need to be performed to accomplish password aging:

  1. Lock the user. If the user doesn't exist, we will use the useradd command to create the user. However, we will not assign any password to the user so that it remains locked. But, if the user already exists on the system, we will use the usermod command to lock the user:
    Usermod -L <username>
  2. Force immediate password change using the following command:
    chage -d 0 <username>
  3. Unlock the account. This can be achieved in two ways. One is to assign an initial password and the other is to assign a null password. We will take the first approach as the second one, though possible, is not good practice in terms of security. Therefore, here is what we do to assign an initial password:
    • Use the Python command to start the command-line Python interpreter:
      import crypt; print
crypt.crypt("Q!W@E#R$","Bing0000/")
    • Here, we have used the Q!W@E#R$ password with a salt combination of the alphanumeric character: Bing0000 followed by a / character. The output is the encrypted password, similar to BiagqBsi6gl1o.
    • Press Ctrl + D to exit the Python interpreter.
  4. At the shell, enter the following command with the encrypted output of the Python interpreter:
    usermod -p "<encrypted-password>" <username>

    So, here, in our case, if the username is testuser, and the encrypted output is " BiagqBsi6gl1o" we will do:

    usermod -p "BiagqBsi6gl1o" testuser

Now, upon initial login using the Q!W@E#R$ password, the user will be prompted for a new password.

Setting the password policy

This is a set of rules defined in some files, which have to be followed when a system user is setting up. It's an important factor in security because one of the many security breach histories was started with hacking user passwords. This is the reason why most organizations set a password policy for their users. All users and passwords must comply with this.

A password policy usually is defined by the following:

  • Password aging
  • Password length
  • Password complexity
  • Limit login failures
  • Limit prior password reuse

Configuring password aging and password length

Password aging and password length are defined in /etc/login.defs. Aging basically means the maximum number of days a password might be used, minimum number of days allowed between password changes, and number of warnings before the password expires. Length refers to the number of characters required for creating the password. To configure password aging and length, we should edit the /etc/login.defs file and set different PASS values according to the policy set by the organization.

Note

Note: The password aging controls defined here do not affect existing users; it only affects the newly created users. So, we must set these policies when setting up the system or the server at the beginning. The values we modify are:

  • PASS_MAX_DAYS: The maximum number of days a password can be used
  • PASS_MIN_DAYS: The minimum number of days allowed between password changes
  • PASS_MIN_LEN: The minimum acceptable password length
  • PASS_WARN_AGE: The number of days' warning to be given before a password expires

Let's take a look at a sample configuration of the login.defs file:

Configuring password aging and password length

Configuring password complexity and limiting reused password usage

By editing the /etc/pam.d/system-auth file, we can configure the password complexity and the number of reused passwords to be denied. Password complexity refers to the complexity of the characters used in the password, and the reused password deny refers to denying the desired number of passwords the user used in the past. By setting the complexity, we force the usage of the desired number of capital characters, lowercase characters, numbers, and symbols in a password. The password will be denied by the system until and unless the complexity set by the rules is met. We do this using the following terms:

  • Force capital characters in passwords: ucredit=-X, where X is the number of capital characters required in the password.
  • Force lower case characters in passwords: lcredit=-X, where X is the number of lowercase characters required in the password.
  • Force numbers in passwords: dcredit=-X, where X is the number of numbers required in the password.
  • Force the use of symbols in passwords: ocredit=-X, where X is the number of symbols required in the password. For example:
    password requisite pam_cracklib.so try_first_pass retry=3 type= ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2
  • Deny reused passwords: remember=X, where X is the number of past passwords to be denied. For example:
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Let's now take a look at a sample configuration of /etc/pam.d/system-auth:

Configuring password complexity and limiting reused password usage

Configuring login failures

We set the number of login failures allowed by a user in the /etc/pam.d/password-auth, /etc/pam.d/system-auth, and /etc/pam.d/login files. When a user's failed login attempts are higher than the number defined here, the account is locked and only a system administrator can unlock the account. To configure this, make the following additions to the files. The following deny=X parameter configures this, where X is the number of failed login attempts allowed.

Add these two lines to the /etc/pam.d/password-auth and /etc/pam.d/system-auth files and only the first line to the /etc/pam.d/login file:

auth        required    pam_tally2.so file=/var/log/tallylog deny=3 no_magic_root unlock_time=300
account     required    pam_tally2.so

The following screenshot is a sample /etc/pam.d/system-auth file:

Configuring login failures

The following is a sample /etc/pam.d/login file:

Configuring login failures

To see failures, use the following command:

pam_tally2 –user=<User Name>

To reset the failure attempts and to enable the user to log in again, use the following command:

pam_tally2 –user=<User Name> --reset
Visually different images
CONTINUE READING
83
Tech Concepts
36
Programming languages
73
Tech Tools
Icon Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.
Icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Icon 50+ new titles added per month and exclusive early access to books as they are being written.
Mastering CentOS 7 Linux Server
End of Section 1
Next Section
notes
bookmark Notes and Bookmarks search Search in title playlist Add to playlist download Download options
font-size Font size

Change the font size

margin-width Margin width

Change margin width

day-mode Day/Sepia/Night Modes

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY

Submit Your Feedback

Modal Close icon
Modal Close icon
Modal Close icon