Podstawowa konfiguracja po instalacji RHEL 8.5 (minimal). Zapisałem jako skrypt.sh, nadałem uprawnienia do wykonania chmod u+x skrypt.sh i uruchomiłem jako root ./skrypt.sh, chociaż wiem, że skrypty powinno się odpalać z sudo dla bezpieczeństwa. Tyle, że ja wiem, co robię i po co. Wszystko opisane komentarzami po angielsku. User został utworzony podczas instalacji systemu, stąd zmiana. Na codzień korzystam z usera i sudo. Tu na szybko rozwiązanie. Te komendy można wykonać równie dobrze z użyciem sudo.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

#!/bin/bash
# Create a group admins
groupadd admins
# Add user user to group admins
usermod -a -G admins user
# Check which groups user has assigned
id user
# Remove user from group wheel
gpasswd -d user wheel
# Check which groups user has assigned
id user
# Create directory .ssh
mkdir -p /home/user/.ssh
# Create a file authorized_keys
touch /home/user/.ssh/authorized_keys
# Change permissions for .ssh directory
chmod 700 /home/user/.ssh
# Generate RSA key and put it into authorized_keys
echo "ssh-rsa A....." >> /home/user/.ssh/authorized_keys
# Change permissions for authorized_keys
chmod 600 /home/user/.ssh/authorized_keys
# Change the owner to user for the whole /home/user directory
chown -R user:user /home/user
# Create hosts.allow and hosts.deny . Skip these steps if you are using a dynamic IP assigned by your ISO from DHCP
touch /etc/hosts.{allow,deny}
# Deny the ssh access for all
echo "sshd: ALL" >> /etc/hosts.deny
# Allow ssh access only from the specific IP address Replace XXX.XXX.XXX.XX with your public, static IP address 
echo "sshd: XXX.XXX.XXX.XX" >> /etc/hosts.allow
#Change default wheel group to admins
sed -i 's/%wheel/%admins/g' /etc/sudoers
# This enforces the use of key-based authentication instead of the use of passwords 
# for logging in as root and reduces risks by preventing brute-force attacks.
sed -i 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
# Disable password authentication
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
# Disable empty passwords
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
# Change default port 22 to higher for ssh 22222 is to obvious - it is an example
sed -i 's/#Port 22/Port 22222/g' /etc/ssh/sshd_config
# Enable SELinux rule for a defined port
semanage port -a -t ssh_port_t -p tcp 22222
# Add a firewalld rule to allow traffic on a defined port
firewall-cmd --add-port 22222/tcp
# remove ssh firewalld rule
firewall-cmd --permanent --remove-service=ssh
# remove cockpit firewalld rule
firewall-cmd --permanent --remove-service=cockpit
# set rules to be permanent
firewall-cmd --runtime-to-permanent
# reload firewalld rules - changes will take effect
firewall-cmd --reload
# list firewalld rules
firewall-cmd --list-all
# Restricting access to specific group
echo "AllowGroups admins" >> /etc/ssh/sshd_config
# restart ssh daemon
systemctl restart sshd
# Now we have a secured ssh on a very basic level that should be sufficient. 
# set timezone to Warsaw. Use timedatectl list-timezones to check the proper zone.
timedatectl set-timezone Europe/Warsaw
# remove cockpit from the system. Pardon, but web-based server management is not secure. No matter how it will be written. Pure CLI rulez.
systemctl stop cockpit
systemctl disable cockpit
dnf remove cockpit -y
rm -f /etc/issue.d/cockpit.issue
rpm -e subscription-manager-cockpit
rpm -e cockpit-storaged
rpm -e cockpit-system
rpm -e cockpit-podman
rpm -e cockpit-packagekit
rpm -e cockpit-bridge
rpm -e cockpit-ws
rm -R -f /run/cockpit
rm -R -f /etc/cockpit
rm -R -f /usr/share/cockpit
rm -R -f /var/lib/selinux/targeted/active/modules/100/cockpit
rm -R -f /usr/share/selinux/targeted/default/active/modules/100/cockpit
## ****** Additionall steps if needed ******
# adding insights from Red Hat https://red.ht/insights-dashboard Of course only if needed
insights-client --register
# install epel release to be able to install additional tools
dnf -y install https://dl.fedoraproject.org/.../epel-release-latest-8...
# install additional tools
# https://www.tecmint.com/view-multiple-files-in-linux/
dnf install multitail -y
# https://linuxize.com/post/how-to-use-linux-screen/
dnf install screen -y
# https://www.linux-magazine.com/.../2017/196/Tutorials-lnav
dnf install lnav -y 
# Disable splash screen during boot. Splash screen is not very informative to be honest. I prefer to see what is going on during the boot.
sed -i 's/rhgb quiet//g' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg