System Administration – Post Installation Tasks

Status: RC – Ready for publication

Author: Peter Boy (pboy) | Creation Date: 2021-04-20 | Last update: 2021-04-26 | Related Fedora Version(s): 33,34

These post-install tasks are all optional. The system administrator has to decide whether each individual task makes sense in the specific use case or not.

1. Set up root login via key file

According to the default installation, SSH login is only possible using an SSH key file. However, the setup cannot be done as part of the installation. If this step is omitted, logging in as root via SSH is not possible.

Prepare a pair of private / public keys

This step is to be performed only if a pair of keys does not already exist. It is best to create the key in the .ssh directory of the desktop user. It should not be secured by password to enable automatic processing. The naming with leading 'id_' und trailing types abbreviation, e.g. '_rsa' is just a common convention, yet helpful.

  1. Execute on the local desktop

    […]# mkdir ~/.ssh
    […]# cd ~/.ssh
    […]# ssh-keygen -t rsa -b 4096  -C "root@example.com" -f <outputkeyfile>

Although the type rsa is widely used, you may adjust your key type accordingly.

Transfer and Install the Public Key onto the Server

You normally use ssh-copy-id to install the public key on the server. However, this requires a password login, which was disabled for root during installation. Therefore, a detour is now required.

  1. Log in to your server via sftp using the unprivileged administration account and transfer the public key file

    […]# sftp hostmin@example.com
    sftp> put ~/.ssh/<outputkeyfile>.pub
    sftp> quit
  2. Log in to your server via ssh using the unprivileged administration account again

    […]$ ssh  hostmin@example.com
  3. On the server acquire root permissions, move the key file and adjust permissions

    […]$ sudo su -
    […]# mkdir /root/.ssh
    […]# cd  /root/.ssh
    […]# mv /home/hostmin/<outputkeyfile>.pub /root/.ssh/authorized_keys
    […]# chown  -R  root.root  /root/.ssh
    […]# chmod 700 /root/.ssh
    […]# chmod 600 ~/.ssh/*
    […]# /sbin/restorecon  -R  -vF  /root/.ssh

Test and Simplify Access

  1. On your local workstation test key file based access:

    […]# ssh -i ~/.ssh/<outputkeyfile>  root@example.com

    adjust file, file type, and domain name as appropriate.

  2. To simplify access create a configuration file on your desktop and define a short name for the connection:

    […]# vi ~/.ssh/config
    #  ###########################################################
    #  my rented remote server, root account
    #  ###########################################################
    Host myhost
            Hostname myhost.example.com
            User root
            ProxyCommand none
            ForwardAgent no
            ForwardX11 no
            Port 22
            KeepAlive yes
            IdentityFile ~/.ssh/<outputkeyfile>

    again, replace names accordingly.

  3. Check if everything works:

    […]# ssh myhost

2. Update System and Install Additional Software

Now that secure administrative access is in place, it’s time to update the system and install some useful software. Of course, 'useful software' concretizes itself differently depending on the user and application context. Anyway, a good choice might be vim. With vimdiff e.g. a comparison of updates of configuration files (*.rpmnew) is very comfortable and straightforward.

[…]# dnf update
[…]# dnf install vim

Add to the software list as needed.

3. Double Check Hostname and Time Synchronisation

Both are important for trouble-free server operation. Just in case you missed its configuration during installation or it is incorrect, now is the opportunity to fix it.

  1. Check for correct hostname

    […]# hostnamectl
    • Set hostname if required:

      […]# hostnamectl  set-hostname  <YourFQDN>
  2. Control of time zone, time synchronisation, time

    […]# timedatectl
    • Correct time zone if necessary:

      […]# timedatectl set-timezone  <ZONE>
    • If necessary, activate time synchronisation:

      timedatectl set-ntp true
    • Correct time if necessary:

      […]# timedatectl set-time  <TIME>

4. Consolidation of Network Configuration

Depending on installation efforts, network configuration consolidation may be required.

  1. Check IP addresses, interface and which protocol stack is used

    […]# ip a
    1:  lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc n
             ...
    2:  enp3s0: <BROADCAST,MULTICAST,UP,LOWER
             ...
    
    […]# nmcli con
    NAME    UUID                                  TYPE      DEVICE
    enp3s0  dabaa33b-25b0-3bfd-8a74-b6b40847a7a4  ethernet  enp3s0
    
    […]# who am i
    root     pts/5        2021-04-09 21:07 (2003:ca:7f05:xx00:yyyy:zzzz:479a:b36e)
    
    […]# nmcli -p -f ipv4.method,ipv6.method con show 'enp3s0'
    =====================================================================
                        Connection details (enp3s0)
    =====================================================================
    ipv4.method:              manual
    ---------------------------------------------------------------------
    ipv6.method:              manual
    ---------------------------------------------------------------------
    Adjust interface names to your custom config
  2. Just in case IPv6 is configured as local only (fe80::…​.) or not static, you may set up a fixed IPv6

    […]# nmcli con mod 'enp3s0' ipv6.method manual \
      ipv6.addresses <YOUR_IPv6_PREFIX>::2/64 \
      ipv6.gateway fe80::1 \
      ipv6.dns "2a01:4f8:xx:yy::zzz:8888 2a01:4f8:xx:yy::zzz:9999"
    […]# nmcli con up 'enp3s0'
    […]# nmcli con reload

    Again, don’t forget to adjust names, prefix, and DNS IP addresses. Pay special attention to the gateway. Using a local address of 1 (fe80::1) is a widely used convention.Another is the IPV6 prefix with the address 1. But each provider may have an even different approach.

    Check connectivity from your local workstation. If that fails, the gateway configuration is the first suspected culprit.

    […]# ping6 <YOUR_IPv6_PREFIX>::2
    […]# # e.g. ping6  2a01:xxx:yyy:zzz::2
  3. Optionally reconfigure IPv4 as static. But make sure the IPv6 address works and don’t change both protocol stacks at the same time (and in the worst case drop connectivity at all):

    […]# nmcli con mod 'enp3s0' ipv4.method manual \
      ipv4.addresses <YOUR_IPv4>/27 \
      ipv4.gateway <GATEWAY> \
      ipv6.dns "<DNS1_IPv4> <DNS2_IPv4>"
    […]# nmcli con up'enp3s0'
    […]# nmcli con reload

    Again, don’t forget to adjust names, prefix, and DNS IP addresses and check connectivity from your local workstation:

    […]# ping <YOUR_IPv4>
  4. Optionally you may have a look at the NetworkManager configuration file

    […]# less /etc/NetworkManager/system-connections/enp3s0.nmconnection

Finally reboot now to check everything from ground up

4. Disable System Users Password Login

System users are a systematic weak point in defending a server against compromise attacks. This is certainly unintentional on the part of the users. It is due to lack of understanding, insecure passwords, falling for phishing attacks, and alike. On the other hand, it is precisely the users that a server is operated for.

Therefore, it is best practice to minimize the number of system users and instead use virtual accounts or offload applications that require system users to virtual machines or containers. In case of an intrusion, this is a kind of second line of defense, trying to keep the server itself from being infected even then.

In addition, it is a small effort to generally prevent password-based login and to enforce key files. An exception can be defined for individual, selected users. If a server is located in a data center and can only be remotely accessed without much additional effort, it may make sense to set up a "fallback user" if key-based authentication is no longer available for some reason.

As a side effect it saves a lot of warning messages in the log file and makes it easier to check them.

  1. Create a sshd configuration file and edit as follows:

    […]# vi /etc/ssh/sshd_config.d/60-local.conf
    # Local custimization: disable password login except for
    # one (optionally add some more) user as a fallback option.
    PasswordAuthentication no
    
    Match User hostmin
     PasswordAuthentication yes
    #Match User hostmin2
    #       PasswordAuthentication yes
  2. Reload the sshd daemon

    […]# systemctl  reload sshd
  3. Test that everything works as expected

    • Is an authorised user able to log in?

    • Is anyone else is rejected with the message "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)"?

    • If this does not work: Check whether the latest update has been installed. The file /etc/ssh/sshd_config.d/50-redhat.conf there should not include a line „PasswordAuthentication yes“ (as this is already the default and should not be repeated in order not to hinder other configurations).

5. Install fail2ban

The software monitors the log files for authentication errors. In case of multiple retries from the same IP address, the source IP gets blocked by the firewall. This is to prevent brute force methods for cracking passwords and bots checking for weak passwords. However, if an error occurs in the authentication process, a system administrator may also lock himself out.

If you disabled system users password Login in the previous step so sshd only allows keys, you may skip this section. There will be nothing to log in this regard anymore.

  1. Installation of the software and the required Postfix

    […]# dnf install fail2ban postfix
  2. Create and fill configuration file

    […]# vi /etc/fail2ban/jail.local
    # Jail configuration additions for local installation
    
    # Adjust the default configuration's default values
    [DEFAULT]
    # Optional enter an trusted IP never to ban
    #ignoreip = www.xxx.yyy.zzz/32
    bantime  = 6600
    backend = auto
    
    # The main configuration file defines all services but
    # deactivates them by default. We have to activate those neeeded
    [sshd]
    enabled = true
  3. Activate software

    […]# systemctl  enable  postfix  --now
    […]# systemctl  enable  fail2ban  --now
  4. Control in the log

    […]# tail -f /var/log/fail2ban.log

6. Install and Configure Logwatch

The software checks log files for anomalies and compiles a daily report that can optionally be sent to system administrators via email. It is something like a minimal defensive effort. More powerful, but much more involved would be the installation of a monitor software.

  1. Install software

    […]# dnf install  logwatch
  2. The only configuration required is to enter a real email address for root, the recipient of the report. It is added at the end of the file.

    […]# vi /etc/aliases
    ...
    # Person who should get root's mail
    #root:          marc
    root:		   real@address.for.root
    
    […]# newaliases

7. Securing Cockpit Access

Cockpit enables a password-supported root login in its web interface as well as a corresponding terminal access, and thus it is a potential target for brute-force attacks. In most cases, it is rarely used in daily operations and it may be a good practice to remove the general accessibility in the firewall. Instead, access is allowed only via an ssh tunnel or accessibility in the firewall is activated on demand only.

  1. Reconfigure firewall permanently

    […]# firewall-cmd --permanent --remove-service=cockpit
    […]# firewall-cmd --reload
  2. To access Cockpit via ssh tunnel

    • Login to the server via ssh and setup a tunnel

      ssh host.example.com -L 9090:host.example.com:9090
    • On the desktop keep logged in and open your browser using the address localhost:9090

  3. To add Cockpit service temporarily on demand

    • Login to the server and reconfigure firewall

      firewall-cmd –add-service=cockpit
    • When finished remove cockpit again

      firewall-cmd –remove-service=cockpit

These nice people helped write this page:

Peter Boy, Jan Kuparinen

Want to help? Learn how to contribute to Fedora Docs.