Post Installation Tasks

Peter Boy, Stephen Daley, Kevin Fenzi Versão F36-F37 Last review: 2023-01-17

This guide offers a recommended checklist of tasks to ensure the safe and reliable operation of Fedora Server. System administrators may choose whether these tasks apply to their specific use case.

1. Simplified access for the administrative account

It is convenient to additionally set up a key file for the administrative account and configure easy access on the local (Fedora) desktop. Create a key file and a ssh client config file. Leave the password field empty for easy access on a secure desktop and choose a descriptive name for the generated key file.

[…]$ mkdir ~/.ssh
[…]$ chmod 700 ~/.ssh
[…]$ cd ~/.ssh
[…]$ ssh-keygen -t rsa -b 4096  -C "hostmin@host.example.com" -f ~/.ssh/<outputkeyfile>
[…]$ ssh-copy-id -i $outputkeyfile.pub hostmin@host.example.com
[…]$ vi ~/.ssh/config
Host <MYHOST>
        Hostname host.example.com
        User hostmin
        ProxyCommand none
        ForwardAgent no
        ForwardX11 no
        Port 22
        KeepAlive yes
        IdentityFile ~/.ssh/$outputkeyfile
[…]$ ssh <MYHOST>

2. Disable SSH Login with passwords for system users

System users are a systematic weak point in defending a server against compromise attacks. This is certainly unintentional on the part of the users. It is due to lack of understanding, insecure passwords, falling for phishing attacks, and alike. On the other hand, it is precisely the users that a server is operated for.

Therefore, it is best practice to minimize the number of system users and instead use virtual accounts or offload applications that require system users to virtual machines or containers. In case of an intrusion, this is a kind of second line of defense, trying to keep the server itself from being infected even then.

In addition, it is a small effort to generally prevent password-based login and to enforce key files. An exception can be defined for individual, selected users. If a server is located in a data center and can only be remotely accessed without much additional effort, it may make sense to set up a "fallback user" if key-based authentication is no longer available for some reason.

As a side effect it saves a lot of warning messages in the log file and makes it easier to check them.

  1. Login to your server and create a sshd configuration file and edit as follows:

    […]# vi /etc/ssh/sshd_config.d/60-local.conf
# Local custimization: disable password login except for
# one (optionally add some more) user as a fallback option.
PasswordAuthentication no

Match User hostmin
 PasswordAuthentication yes
#Match User hostmin2
#       PasswordAuthentication yes

  2. Reload the sshd daemon

    […]# systemctl  reload sshd

  3. Test that everything works as expected

    • Is an authorised user able to log in?

    • Are other users rejected with the message "Permission denied (publickey,gssapi-keyex,gssapi-with-mic)"?

    • If other users are able to log in with a password besides your know authorized user, install the latest updates. Also, check the file /etc/ssh/sshd_config.d/50-redhat.conf to make sure that it does not include the line "PasswordAuthentication yes" (as this is already the default and should not be repeated or else it could hinder other configurations).

3. Check Cockpit access

Open Cockpit in your desktops browser https://host.example.com:9090. Accept the security warning of your browser. Cockpit uses a self signed certificate.

If you disabled root access during installation (recommended), login as root is not possible.

Login with your administrative user account (hostmin here). At the top you will see a warning that the Web Console is running with limited permissions. Enable administrator access so that all administrative privileges are automatically available after login.

4. Increase security of Cockpit access

Cockpit relies on a password based login to its web interface, even for root (unless the root account is completely locked, locking the account as part of ssh does not help here). And thus it is a potential target for brute-force attacks. In most cases, it is rarely used in daily operations and it may be a good practice to remove the general accessibility in the firewall. Instead, access Cockpit in one of the three secure alternatives described below.

Reconfigure firewall permanently

[…]# firewall-cmd --permanent --remove-service=cockpit
[…]# firewall-cmd --reload

Use one of the following alternatives.

  1. Access Cockpit via ssh tunnel

    • Login to the server via ssh and setup a tunnel in one go

      ssh host.example.com -L 9090:host.example.com:9090

    • While you remain logged in, open in your local browser localhost:9090

  2. Add Cockpit service temporarily on demand

    • Login to the server and reconfigure firewall

      firewall-cmd –add-service=cockpit

    • When finished remove cockpit again

      firewall-cmd –remove-service=cockpit

  3. Use a secure local proxy

    Install Cockpit on your local Fedora workstation or on a lab server shielded by a firewall. Configure this instance to access any of your remote Cockpit instances using Cockpits remote administration capability. It uses a protected ssh connection in the public network.

    In the upper left corner of Cockpit you will see the name of the logged in user and the desktop rsp. the (local) lab server name, along with an expand icon. This opens a box where you can switch to another server or add a new one.

    The Add new host link opens a simple form to fill in hostname and user. Use your administrative user name on the (remote) server. And you can assign a color. Select automatic login via ssh keyfile. Cockpit will create one for you if none exists or otherwise uses an existing one. For a newly created key, Cockpit installs the public key on the remote server, too.

5. Optionally: Set up root login via key file

Even if you activated root access during installation, you have hopefully kept the default option to restrict root to key file authentification. So you have to set up a key file prior to any ssh login. But be aware! You can still log in to Cockpit’s web interface. Therefore, in this case, be sure to implement the additional security measures described in the previous chapter!

Prepare a pair of private / public keys

This step is to be performed only if a pair of keys does not already exist. It is best to create the key in the .ssh directory of the desktop user. It should not be secured by password to enable automatic processing. The naming with leading 'id_' und trailing types abbreviation, e.g. '_rsa' is just a common convention, yet helpful.

  1. Execute on the local desktop

    […]$ mkdir ~/.ssh
[…]$ cd ~/.ssh
[…]$ ssh-keygen -t rsa -b 4096  -C "root@example.com" -f <outputkeyfile>

Although the type rsa is widely used, you may adjust your key type accordingly.

Transfer and install the public key onto the server

You normally use ssh-copy-id to install the public key on the server. However, this requires a password login, which was disabled for root during installation. Therefore, a detour is now required.

  1. Log in to your server via sftp using the unprivileged administration account and transfer the public key file

    […]$ sftp hostmin@example.com
sftp> put ~/.ssh/<outputkeyfile>.pub
sftp> quit

  2. Log in to your server via ssh using the unprivileged administration account again

    […]$ ssh  hostmin@example.com

  3. On the server acquire root permissions, move the key file and adjust permissions

    […]$ sudo su -
[…]# mkdir /root/.ssh
[…]# cd  /root/.ssh
[…]# mv /home/hostmin/<outputkeyfile>.pub /root/.ssh/authorized_keys
[…]# chown  -R  root.root  /root/.ssh
[…]# chmod 700 /root/.ssh
[…]# chmod 600 ~/.ssh/*
[…]# /sbin/restorecon  -R  -vF  /root/.ssh

Test and Simplify Access

  1. On your local workstation test key file based access:

    […]# ssh -i ~/.ssh/<outputkeyfile>  root@example.com

    adjust file, file type, and domain name as appropriate.

  2. To simplify access create a configuration file on your desktop and define a short name for the connection:

    […]# vi ~/.ssh/config
#  ###########################################################
#  my remote server, root account
#  ###########################################################
Host myhost
        Hostname myhost.example.com
        User root
        ProxyCommand none
        ForwardAgent no
        ForwardX11 no
        Port 22
        KeepAlive yes
        IdentityFile ~/.ssh/<outputkeyfile>

    again, replace names accordingly.

  3. Check if everything works:

    […]# ssh myhost

6. Double check hostname and time synchronisation

Both are important for trouble-free server operation. Just in case you missed its configuration during installation or it is incorrect, now is the opportunity to fix it.

  1. Check for correct hostname

    […]# hostnamectl

    • Set hostname if required:

      […]# hostnamectl  set-hostname  <YourFQDN>

  2. Control of time zone, time synchronisation, time

    […]# timedatectl

    • Correct time zone if necessary:

      […]# timedatectl set-timezone  <ZONE>

    • If necessary, activate time synchronisation:

      timedatectl set-ntp true

    • Correct time if necessary:

      […]# timedatectl set-time  <TIME>

7. Consolidate network configuration

Depending on installation efforts, network configuration consolidation may be required.

It sounds trivial, but before any change of the network configuration make sure that the entries in the DNS are correct. If you change from DHCP to fixed addresses, you may need to adjust the DNS and vice versa!

  1. Check IP addresses, interface and which protocol stack is used

    […]# ip a
1:  lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc n
         ...
2:  enp3s0: <BROADCAST,MULTICAST,UP,LOWER
         ...

[…]# nmcli con
NAME    UUID                                  TYPE      DEVICE
enp3s0  dabaa33b-25b0-3bfd-8a74-b6b40847a7a4  ethernet  enp3s0

[…]# who am i
root     pts/5        2021-04-09 21:07 (2003:ca:7f05:xx00:yyyy:zzzz:479a:b36e)

[…]# nmcli -p -f ipv4.method,ipv6.method con show 'enp3s0'
=====================================================================
                    Connection details (enp3s0)
=====================================================================
ipv4.method:              manual
---------------------------------------------------------------------
ipv6.method:              manual
---------------------------------------------------------------------
    Adjust interface names to your custom config

  2. Just in case IPv6 is configured as local only (fe80::…​.) or not static, you may set up a fixed IPv6

    […]# nmcli con mod 'enp3s0' ipv6.method manual \
  ipv6.addresses <YOUR_IPv6_PREFIX>::2/64 \
  ipv6.gateway fe80::1 \
  ipv6.dns "2a01:4f8:xx:yy::zzz:8888 2a01:4f8:xx:yy::zzz:9999"
[…]# nmcli con up 'enp3s0'
[…]# nmcli con reload

    Again, don’t forget to adjust names, prefix, and DNS IP addresses. Pay special attention to the gateway. Using a local address of 1 (fe80::1) is a widely used convention.Another is the IPV6 prefix with the address 1. But each provider may have an even different approach.

    Check connectivity from your local workstation. If that fails, the gateway configuration is the first suspected culprit.

    […]# ping6 <YOUR_IPv6_PREFIX>::2
[…]# # e.g. ping6  2a01:xxx:yyy:zzz::2

  3. Optionally reconfigure IPv4 as static. But make sure the IPv6 address works and don’t change both protocol stacks at the same time (and in the worst case drop connectivity at all):

    […]# nmcli con mod 'enp3s0' ipv4.method manual \
  ipv4.addresses <YOUR_IPv4>/27 \
  ipv4.gateway <GATEWAY> \
  ipv6.dns "<DNS1_IPv4> <DNS2_IPv4>"
[…]# nmcli con up'enp3s0'
[…]# nmcli con reload

    Again, don’t forget to adjust names, prefix, and DNS IP addresses and check connectivity from your local workstation:

    […]# ping <YOUR_IPv4>

  4. Optionally you may have a look at the NetworkManager configuration file

    […]# less /etc/NetworkManager/system-connections/enp3s0.nmconnection

Finally reboot now to check everything from ground up

8. Consolidate storage configuration

Depending on how you decided on data storage during installation, different supplementary configuration may be required.

  1. If you have chosen the Default partitioning and are content with the basic principle of creating logical volumes for user data, there is nothing to do at the moment. The creation of these logical volumes happens in the context of the installation of the corresponding application software.

    You may ensure that the volume group – default name fedora – fills the complete disk. Using Cockpit, in the section Devices choose the volume group. At the top of the new window it shows its total capacity.

  2. If you have chosen the Default partitioning but are not content with the basic principle of creating Logical volumes for user data you have now to extend the existing root logical volume to accomodate your data. Cockpit provides an easy way for this. Choose Grow. Determine the new size as needed.

    This is not a recommended procedure! Don’t complain in case of issues.

  3. If you have decided for a stricter separation of system and user data and created a small Volume Group for system data, it is sometimes tricky to additionally create a large empty partition and Volume Group in Anacondas Custom interface. So you have to create it here.

    Select Storage in Cockpit’s main menu and then your drive in the right column. Select Create new partition and fill in the upcomming form accordingly. In the box "Devices" select from the Menu "Create LVM2 volume group" and fill in the upcomming form accordingly.

9. Install Fail2ban

The software monitors the log files for authentication errors. In case of multiple retries from the same IP address, the source IP gets blocked by the firewall. This is to prevent brute force methods for cracking passwords and bots checking for weak passwords. However, if an error occurs in the authentication process, a system administrator may also lock himself out.

If you disabled system users password Login in the previous step so sshd only allows keys, you may skip this section. There will be nothing to log in this regard anymore.

  1. Installation of the software and the required Postfix

    […]# dnf install fail2ban postfix

  2. Create and fill configuration file

    […]# vi /etc/fail2ban/jail.local
# Jail configuration additions for local installation

# Adjust the default configuration's default values
[DEFAULT]
# Optional enter an trusted IP never to ban
#ignoreip = www.xxx.yyy.zzz/32
bantime  = 6600
backend = auto

# The main configuration file defines all services but
# deactivates them by default. We have to activate those neeeded
[sshd]
enabled = true

  3. Activate software

    […]# systemctl  enable  postfix  --now
[…]# systemctl  enable  fail2ban  --now

  4. Control in the log

    […]# tail -f /var/log/fail2ban.log

10. Install and configure Logwatch

The software checks log files for anomalies and compiles a daily report that can optionally be sent to system administrators via email. It is something like a minimal defensive effort. More powerful, but much more involved would be the installation of a monitor software.

  1. Install software

    […]# dnf install  logwatch

  2. The only configuration required is to enter a real email address for root, the recipient of the report. It is added at the end of the file.

    […]# vi /etc/aliases
...
# Person who should get root's mail
#root:          marc
root:		   real@address.for.root

[…]# newaliases

11. Manage system updates

It is common sense among system administrators,that regular installation of bug fixes and closing of security vulnerabilities is essential, i.e. applying updates in a systremtatic way. An important step is to automate the process as much as it is reasonable.

Fedora includes a tool, dnf-automatic, which supports several modes of update automation: do not apply, notify admin, apply and notify admin, apply without notification. In particular, alternatives 2 and 3 are definitely worth considering. A general principle might be: Alternative 2 is the minimum choice for almost any system, alternative 3 is not at all suitable for critical systems that must not fail under any circumstances.

We recommend to install at least alternative 2:

[…]# dnf install dnf-automatic

[…]# vi /etc/dnf/automatic.conf
##emit_via = stdio
emit_via = email
##email_from = root@example.com
email_from = root@host.example.com
##

[…]# vi /etc/aliases
...
# Person who should get root's mail
#root:          marc
root:		   real@address.for.root

[…]# newaliases
[…]# systemctl enable --now dnf-automatic-notifyonly.timer

If you want to automatically install, activate the corresponding timer instead.

[…]# systemctl enable --now dnf-automatic-install.timer

12. Finally update system and install additional software

Now that secure administrative access is in place, it’s time to update the system and install some useful software. Of course, 'useful software' varies depending on the use case or applications that will be run on Fedora Server. Anyway, a good choice might be vim. With vimdiff e.g. a comparison of updates of configuration files (*.rpmnew) is very comfortable and straightforward.

[…]# dnf install vim-default-editor  --allowerasing
[…]# dnf update

Add to the software list as needed.

Finally reboot the server.

Want to help? Learn how to contribute to Fedora Docs