Setting up a new server running a RHEL-based distribution (e.g., Rocky Linux, AlmaLinux, or CentOS Stream) is the foundation for building a secure, efficient, and reliable system. This guide covers the critical steps I use in my own setups to ensure everything is properly configured and ready for future tasks.
A well-configured server at the outset helps to:
Most RHEL-based systems allow direct root login immediately after installation. Log in with:
ssh root@<your-server-ip>
For cloud servers, log in with the default user (e.g., rocky, ec2-user) and switch to root:
sudo -i
Start by updating the system to ensure you have the latest security patches and software:
dnf update -y
If root access is enabled, secure it with a strong password:
passwd
Using the root account for daily operations is risky. Create a new user for routine tasks:
adduser username
Set a password for the new user:
passwd username
Add the new user to the wheel group, which grants sudo privileges:
usermod -aG wheel username
Test the new user's privileges:
su - username
sudo dnf update
SSH keys provide a secure alternative to passwords. Generate an SSH key pair on your local machine:
ssh-keygen
Copy the public key to the server:
ssh-copy-id username@<your-server-ip>
Or manually upload the public key:
cat ~/.ssh/id_rsa.pub | ssh username@<your-server-ip> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Edit the SSH configuration file to improve security:
sudo nano /etc/ssh/sshd_config
Update the following settings:
PermitRootLogin no
PasswordAuthentication no
AllowUsers username
Restart the SSH service:
sudo systemctl restart sshd
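The check below is an added example, not part of the original guide: it audits the effective sshd settings (the `sshd -T` output format) against the three values set above. It is useful because sshd keeps the first value it reads for each keyword, and on RHEL 9-family systems the stock sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top, so a drop-in file can override edits made lower down. The helper name `check_sshd_effective` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the *effective* sshd settings against this guide's values.
# Input on stdin is text in `sshd -T` format (lowercase "keyword value" lines).
# check_sshd_effective is a hypothetical helper name, not part of OpenSSH.

check_sshd_effective() {
    # $1 = account that must be listed in AllowUsers (exact match only;
    #      patterns such as user@host are not interpreted here)
    awk -v user="$1" '
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "allowusers" {
            seen_allow = 1
            for (i = 2; i <= NF; i++) if ($i == user) allowed = 1
        }
        END {
            bad = 0
            if (root != "no") { print "FAIL permitrootlogin=" root; bad = 1 }
            if (pw != "no")   { print "FAIL passwordauthentication=" pw; bad = 1 }
            if (!seen_allow)       { print "FAIL allowusers is not set"; bad = 1 }
            else if (!allowed)     { print "FAIL " user " missing from allowusers"; bad = 1 }
            if (!bad) print "OK"
            exit bad
        }'
}

# Constructed sample: a drop-in re-enabled password logins, so the edit in the
# main sshd_config never took effect.
sample_overridden() {
    printf '%s\n' 'port 22' 'permitrootlogin no' \
        'passwordauthentication yes' 'allowusers username'
}

# Constructed sample: all three settings from this guide are in effect.
sample_hardened() {
    printf '%s\n' 'port 22' 'permitrootlogin no' \
        'passwordauthentication no' 'allowusers username'
}

# Demo on the constructed samples.
sample_hardened   | check_sshd_effective username
sample_overridden | check_sshd_effective username || echo "effective config is not hardened"

# On a real server (as root), validate syntax and audit before restarting:
#   sshd -t && sshd -T | check_sshd_effective username
```

Keep the current session open until a fresh login as the new user succeeds, so a mistake in sshd_config cannot lock you out.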
Ensure the firewall is active:
sudo systemctl start firewalld
sudo systemctl enable firewalld
To avoid locking yourself out, allow SSH through the firewall:
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
Allow traffic for common services like HTTP and HTTPS:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
List all active rules:
sudo firewall-cmd --list-all
SELinux (Security-Enhanced Linux) provides an additional layer of security. Verify that it is enabled and set to enforcing mode:
sestatus
If it is not in enforcing mode, switch it now and make the setting persistent in /etc/selinux/config:
sudo setenforce 1
sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
Set up automatic updates for critical security patches:
sudo dnf install dnf-automatic -y
sudo systemctl enable --now dnf-automatic.timer
Install tools to monitor server performance:
sudo dnf install htop -y
htop
sudo dnf install nmap -y
Ensure sufficient storage space is available:
df -h
Log out of the root account:
exit
Log back in as the new user:
ssh username@<your-server-ip>
Verify:
Install Fail2Ban: Protect against brute-force attacks:
sudo dnf install epel-release -y
sudo dnf install fail2ban -y
sudo systemctl enable --now fail2ban
Backup Configuration: Automate backups using tools like rsync or borg.
Monitoring Tools: Deploy tools like Zabbix or Prometheus for advanced monitoring.
By following these steps, you’ll have a secure, stable, and efficient RHEL-based server ready for applications and services. This setup reflects the practices I rely on in my home lab and production environments, ensuring reliability and scalability.
Next Steps:
Happy configuring! 🚀