Every CentOS 7 server is set up with a minimal installation.
On internal servers, SELinux is switched from enforcing to disabled. A reboot is required.
[root@server]# vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@virtserv]# useradd -u 1010 -m backuppc
[root@virtserv]# su - backuppc
[backuppc@virtserv ~]$ ssh scheffe@backuppc4
The authenticity of host 'backuppc4 (192.168.13.41)' can't be established.
ECDSA key fingerprint is SHA256:kbl36qOtGqCKzFTf9shprve4bw3LemJCfGTfY9Iy/R4.
ECDSA key fingerprint is MD5:a5:32:de:b1:72:4c:c2:c6:f3:68:15:95:ce:0f:57:1d.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
[backuppc@virtserv ~]$ cd .ssh/
[backuppc@virtserv .ssh]$ vi authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArYzOt9RYxEvLeZ2s1pr94f1AaS6ebhol3fi+oZasUBIJezVK29dX6t+i+U0cejxr+mR8wCHfQHB02iOyxQ6fk0jn119UuViqFwSVpTIpQRl61MoZFnpThbwHihPsmggHATnuGn7V0F5ZN/9szh2OZDuqnP3rS7e7kr/wqgwNqcoBTSZSCv88WPR8k4sdNdqWS9WruEUVIwtMbwz/NH0OVpOYvDWi4LzLVhc9rTLTU1ShfpEQDbrv5Lhfcl273eHpXdF1eH3SlqhJbciRuFR9sL6pUsSXFUncuGQOK8xBx9nt4D5qEuPX2Lhf/3MXcgld1CeafaXJK5N47cTLc7BFgw== backuppc@backup.lan.klotzbuecher.biz

[backuppc@virtserv .ssh]$ chmod 600 authorized_keys
In /etc/ssh/sshd_config, change
# no default banner path
#Banner none
to the following:
# no default banner path
Banner /etc/issue.net
In /etc/issue.net we put a notice text that is displayed on login via SSH.
[root@server ~]# cat /etc/issue.net
##############################################################################
#                                                                            #
# This is a private home server.                                             #
#                                                                            #
# Unauthorized access to this system is prohibited !                         #
#                                                                            #
# This system is actively monitored and all connections may be logged.       #
# By accessing this system, you consent to this monitoring.                  #
#                                                                            #
##############################################################################
Append the following to the end of /etc/postfix/main.cf. This allows the server to submit mail to the mail server, but not to receive any.
mydomain = lan.klotzbuecher.biz
myhostname = server.lan.klotzbuecher.biz
myorigin = $mydomain
mynetworks = 127.0.0.0/8
smtp_generic_maps = hash:/etc/postfix/generic
smtp_tls_security_level = may
relayhost = mailserv.lan.klotzbuecher.biz
[root@server ~]# visudo -f /etc/sudoers.d/backuppc

# Allows backuppc to do backups and restores
# BackupPC 3
#backuppc ALL=NOPASSWD: /usr/bin/rsync --server *
# BackupPC 4
backuppc ALL=NOPASSWD: /usr/bin/rsync *
Global settings for vim can be made in /etc/vim/vimrc.
Adjusts the colors for a dark background.
set background=dark
A local mirror exists for the CentOS 7 repos Base, Updates and Extras as well as for the EPEL repo. To use the local mirror, the repo files must be adjusted.
[root@server ~]# more /etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base (local)
baseurl=http://repo.lan.klotzbuecher.biz/repos/CentOS/7/os/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#released updates
[updates]
name=CentOS-$releasever - Updates (local)
baseurl=http://repo.lan.klotzbuecher.biz/repos/CentOS/7/updates/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras (local)
baseurl=http://repo.lan.klotzbuecher.biz/repos/CentOS/7/extras/x86_64/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
[root@server ~]# more /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://repo.lan.klotzbuecher.biz/repos/epel/7/
enabled=1
gpgcheck=1
gpgkey=http://repo.lan.klotzbuecher.biz/repos/epel/RPM-GPG-KEY-EPEL-$releasever
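The local mirror is reached over plain HTTP, so gpgcheck=1 together with a trustworthy gpgkey is what authenticates the packages. The following shell function is an added example, not part of the original page: it reports enabled repo sections that lack gpgcheck=1 or whose key is fetched over http. The function names and the sample file (including the hypothetical localtest section) are constructed, and a missing gpgcheck line is treated as a finding rather than resolved against /etc/yum.conf.

```shell
# Added example: flag enabled yum repo sections whose packages or signing key
# are not authenticated. Usage: repo_gpg_audit /etc/yum.repos.d/*.repo
repo_gpg_audit() {                          # returns 1 when there are findings
    awk '
    function report(msg) { printf "%s:[%s] %s\n", file, sec, msg; bad = 1 }
    function check() {                      # evaluate the section just finished
        if (sec != "" && enabled != "0") {
            if (gpgcheck != "1")     report("enabled without gpgcheck=1")
            else if (key == "")      report("gpgcheck=1 but no gpgkey set")
            else if (key ~ /^http:/) report("gpgkey fetched over plain http")
        }
        sec = ""
    }
    FNR == 1        { check(); file = FILENAME }
    /^[ \t]*[#;]/   { next }                # comment line
    /^[ \t]*\[.*\]/ { check(); sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec)
                      enabled = "1"; gpgcheck = ""; key = ""; next }
    sec != "" && /=/ {
        k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        if (k == "enabled") enabled = v
        else if (k == "gpgcheck") gpgcheck = v
        else if (k == "gpgkey") key = v
    }
    END { check(); exit bad }
    ' "$@"
}

# Constructed sample: [epel] and [base] keys as on this page, a hypothetical
# unsigned [localtest] section, and a disabled section that must be ignored.
write_sample_repo() {
    cat > "$1" <<'EOF'
[epel]
enabled=1
gpgcheck=1
gpgkey=http://repo.lan.klotzbuecher.biz/repos/epel/RPM-GPG-KEY-EPEL-$releasever
[base]
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
[localtest]
gpgcheck=0
[centosplus]
enabled=0
EOF
}
tmp=$(mktemp) && write_sample_repo "$tmp"
repo_gpg_audit "$tmp" || echo "findings listed above"
rm -f "$tmp"
```

A key referenced as file:///etc/pki/rpm-gpg/... comes from a locally installed file, whereas an http:// gpgkey is downloaded over the same unauthenticated channel as the packages it is meant to verify.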
Port 6556 for monitoring
[root@virtserv]# firewall-cmd --add-port=6556/tcp
[root@virtserv]# firewall-cmd --permanent --add-port=6556/tcp
Restrict access from check_mk