Post-Installation Steps for Minimal Rocky Linux in Production

Category: Technology

Tags: Linux, Linux Server, Linux Setup, Production Linux, SELinux, Rocky Linux

Posted on 2025-05-17T16:44:06.720458

Setting up a minimal Rocky Linux installation for production requires a thoughtful approach to system configuration, security hardening, and service readiness. This article provides a practical, structured SOP (Standard Operating Procedure) to follow immediately after installing Rocky Linux (minimal ISO).

 

1. Set Hostname and Create Admin User

Start by giving your machine a proper identity and setting up a non-root admin user.

hostnamectl set-hostname your-hostname

Update /etc/hosts accordingly if needed.

Create an admin user:

useradd -m adminuser
passwd adminuser
usermod -aG wheel adminuser

2. Update the System and Install Essentials

Bring the system up to date and install basic tools:

dnf update -y
dnf install epel-release -y
dnf install vim wget curl bash-completion net-tools git htop -y

๐Ÿ” 3. Enable and Secure Critical Services

Start and enable important system services:

systemctl enable --now sshd
systemctl enable --now chronyd
systemctl enable --now firewalld

Harden SSH:

Edit /etc/ssh/sshd_config:

PermitRootLogin no
# Only if you're using SSH keys
PasswordAuthentication no

Then restart the SSH service:

systemctl restart sshd
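
sshd keeps the first value it reads for each keyword, so the two lines above have no effect if an earlier line or an included drop-in file already sets them. The following check is an added example, not part of the original article; the function names and the sample files are constructed for illustration, and the config files are assumed to be passed in the order sshd reads them.

```bash
#!/usr/bin/env bash
# Added example, not from the original article.
# sshd keeps the FIRST value it reads for a keyword, so an edit near the end of
# sshd_config can be shadowed by an earlier line or by an included drop-in.

# effective_sshd_option KEYWORD FILE...
# Print the first global (non-Match) value of KEYWORD, reading FILEs in the
# order given; return 1 if it is never set.
effective_sshd_option() {
    local key=$1; shift
    awk -F'[ \t=]+' -v key="$key" '
        FNR == 1 { in_match = 0 }   # assumption: a Match block ends with its file
        { sub(/^[ \t]+/, "") }      # drop leading whitespace (re-splits fields)
        /^#/ || /^$/ { next }       # comments and blank lines
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { exit !found }
    ' "$@"
}

# audit_ssh_hardening FILE...
# Report the two settings from this step; non-zero exit if either is not "no".
audit_ssh_hardening() {
    local rc=0 key val
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(effective_sshd_option "$key" "$@") || val="unset (sshd default applies)"
        if [ "$val" = "no" ]; then echo "OK   $key = $val"
        else echo "FAIL $key = $val"; rc=1; fi
    done
    return "$rc"
}

# Constructed sample: a drop-in read first re-enables passwords, and the main
# file sets the hardened values afterwards.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed drop-in' 'PasswordAuthentication yes' \
    > "$demo_dir/50-dropin.conf"
printf '%s\n' '# constructed main file' 'PermitRootLogin no' \
    'PasswordAuthentication no' > "$demo_dir/sshd_config"

# Files are passed in the order sshd would read them (drop-in first here).
audit_ssh_hardening "$demo_dir/50-dropin.conf" "$demo_dir/sshd_config" || true
rm -rf "$demo_dir"
```

On a live host, `sshd -t` validates the configuration before the restart and `sshd -T` prints the effective values sshd will use.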

๐Ÿ›ก๏ธ 4. Configure SELinux and Firewalld

Ensure SELinux is enforcing:

getenforce
setenforce 1
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config

Open required firewall ports:

firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

Add other services as needed (HTTP, HTTPS, etc.).

 

5. Install and Configure Fail2Ban

fail2ban helps block brute-force attacks:

dnf install fail2ban -y
systemctl enable --now fail2ban

Create a configuration for SSH:

cat <<EOF > /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = systemd
EOF

systemctl restart fail2ban

๐ŸŒ 6. Configure Timezone and Time Sync

Set your local timezone:

timedatectl set-timezone Asia/Kolkata
timedatectl set-ntp true

7. Check Storage and Mount Additional Disks

Verify partitions:

lsblk
df -hT

Mount additional storage as needed and configure /etc/fstab for persistence.

 

8. Enable Housekeeping Timers

Enable system timers to handle routine tasks:

systemctl enable --now dnf-makecache.timer
systemctl enable --now logrotate.timer

Optional but recommended:

dnf install sysstat -y
systemctl enable --now sysstat

๐Ÿ” 9. Check for Issues

Inspect system for any startup errors:

systemctl --failed
journalctl -p 3 -xb

These commands list any failed units and any log messages of priority err or higher from the current boot.

 

10. Optional Enhancements

Based on the role of the server, you can install additional packages:

Role          Suggested Packages
Web server    nginx, httpd, certbot
Database      mariadb-server, postgresql-server
VM Guest      open-vm-tools or qemu-guest-agent
Monitoring    iotop, nmon, glances, logwatch

 

๐Ÿ“ Bonus: Set Custom Login Banner

echo "Authorized access only. System activity is monitored." > /etc/motd

Conclusion

With these steps, your minimal Rocky Linux installation is well-prepared for production. You've hardened access, enabled key services, ensured logs and time sync, and made the system easier to maintain. Depending on your server's purpose, you can further build on this baseline.

For automation, consider converting this checklist into an Ansible playbook or bash script.
