Category: CentOS

Force Strong Password on CentOS
vim /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 type= difok=5 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

Explanation:
ucredit=-1
At least one upper case letter

lcredit=-1
At least one lower case letter

dcredit=-1
At least one digit

ocredit=-1
At least one symbol

minlen=8
Minimum 8 characters

difok=5
The minimum number of characters that must be different from the previous password

retry=3
Prompt user at most 3 times before returning with error

Reference:
https://www.cyberciti.biz/faq/securing-passwords-libpam-cracklib-on-debian-ubuntu-linux/

---

Set Password Expiration Period
sudo vim /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 7

Explanation:
Force users to change their password once every three months, and send out a warning message seven days before password expiration.

Reference:
http://xmodulo.com/set-password-policy-linux.html

---

Set Password Expiration Period
sudo vim /etc/pam.d/system-auth
password sufficient pam_unix.so use_authtok md5 shadow remember=5

Explanation:
Append remember=5 to prevent a user from re-using any of his or her last 5 passwords.

Reference:
https://www.cyberciti.biz/tips/how-to-linux-prevent-the-reuse-of-old-passwords.html

1. Check if the server has swap configured

swapon -s

If nothing is shown, that means no swap is enabled.

free -m

If swap is 0, that means no swap is enabled.

2. Create a swap file

sudo fallocate -l 4G /swapfile

3. Change file permission to make sure the swap file can only be accessed by root

sudo chmod 600 /swapfile

4. Setup swap

sudo mkswap /swapfile

5. Enable swap

sudo swapon /swapfile

6. Verify swap

swapon -s
free -m

7. Make the swap File Permanent

sudo vim /etc/fstab
#add this line to the bottom
/swapfile swap swap sw 0 0

Reference:
https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-centos-7

Start firewalld

systemctl start firewalld.service

Stop firewalld

systemctl stop firewalld.service

Restart firewalld

systemctl restart firewalld.service

Check opened ports

firewall-cmd –list-all

Open port 80

firewall-cmd –permanent –add-port=80/tcp

Open port range

firewall-cmd –permanent –add-port=10000-10010/tcp

Close port 80

firewall-cmd –permanent –remove-port=80/tcp

Reload settings

firewall-cmd –reload

Reference:
http://note.tc.edu.tw/932.html

CentOS 7 uses firewalld instead of iptables.

Transfer the folder /source from remote server 123.123.123.123 to local folder /dest over ssh using port 2345

rsync -av -e ssh --rsh='ssh -p2345' [email protected]:/source /dest/

DHCP:

vim /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=dhcp
ONBOOT=yes

/etc/init.d/network restart

Static IP:

vim /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.10
NETWORK=192.168.1.0
NETMASK=255.255.255.0
GATEWAY=192.168.1.1

/etc/init.d/network restart

#!/usr/bin/perl
unless(-e “/var/run/named.pid”)
{
`/etc/init.d/named start`;
}
exit;

1. Buy a Standard SSL Cert from GoDaddy

2. Make sure the whois record of the domain name is not private, and you have the access to the contact email

3. Login to Linux and enter this command:

openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr

Enter the following information:

Passphrase: (pick a passphrase yourself and remember to mark it down)
Country Name: HK
State or Province Name: HKSAR
Locality Name: Hong Kong
Organization Name: MyHelper
Organizational Unit Name: MyHelper
Common name: my-helper.com
Email Address: [email protected]
A challenge password: (empty)
An optional company name: (empty)

4. Copy the content of ca.csr to GoDaddy and follow this instruction to request the SSL Cert from GoDaddy:
https://products.secureserver.net/products/howtoapplyturbo.htm

5. Upload domain.com.crt and gd_bundle.crt to server

6. Open ssl.conf and enter:

DocumentRoot "/var/www/vhosts/myhelper/htdocs"
SSLCertificateFile /etc/pki/tls/certs/myhelper/myhelper.com.crt
SSLCertificateKeyFile /etc/pki/tls/certs/myhelper/ca.key
SSLCertificateChainFile /etc/pki/tls/certs/myhelper/gd_bundle.crt

<Directory "/var/www/vhosts/myhelper/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

7. Stop Apache prompt for passphrase on next restart

cp /etc/pki/tls/certs/myhelper/ca.key /etc/pki/tls/certs/myhelper/ca.key.bak
openssl rsa -in /etc/pki/tls/certs/myhelper/ca.key -out /etc/pki/tls/certs/myhelper/ca.key

Reference:
http://blog.yorkxin.org/2009/02/23/buying-a-turbo-ssl-cert/
http://www.mnxsolutions.com/apache/removing-a-passphrase-from-an-ssl-key.html

vim /etc/sysconfig/network-scripts/ifcfg-eth0
PEERDNS=no

Install ntpdate

yum install ntp

Sync with Hong Kong Observatory

ntpdate stdtime.gov.hk

Write the time to BIOS

hwclock -w

Set a cron job to sync the time automatically

10 4 * * * root (/usr/sbin/ntpdate stdtime.gov.hk && /sbin/hwclock -w) &> /dev/null

reference: http://linux.vbird.org/linux_server/0440ntp.php