
🛠 Post-Installation Checklist for Minimal Rocky Linux Setup (Production-Ready)

Category: Technology | Tags: Linux, Linux Server, Linux Setup, Production Linux, SELinux, Rocky Linux | Posted on: May 17, 2025


🔧 1. Set Hostname and Create Admin User

Begin by assigning a proper hostname and creating a non-root admin user.

hostnamectl set-hostname your-hostname

Update /etc/hosts if necessary to reflect the new hostname.

Create an administrative user:

useradd -m adminuser

passwd adminuser

usermod -aG wheel adminuser


🔄 2. Update the System and Install Essentials

Update all packages and install commonly used tools:

dnf update -y

dnf install epel-release -y

dnf install vim wget curl bash-completion net-tools git htop -y


🔐 3. Enable and Secure Essential Services

Enable critical services:

systemctl enable --now sshd

systemctl enable --now chronyd

systemctl enable --now firewalld

Harden SSH access:

Edit /etc/ssh/sshd_config:

PermitRootLogin no

PasswordAuthentication no

Set PasswordAuthentication to no only after key-based login for the admin user has been configured and tested from a second session; otherwise the next SSH login will be locked out.

Restart the SSH daemon:

systemctl restart sshd
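Two helpers for this step, added here as an example and not taken from the original post. set_sshd_option edits a directive whether it is commented out, already active or absent (a sed on "^#PermitRootLogin" alone leaves an already active "PermitRootLogin yes" untouched). effective_sshd_option resolves the value sshd will really apply: sshd keeps the first value it reads for a keyword, and Rocky 9 starts /etc/ssh/sshd_config with "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in in that directory silently wins over an edit further down in the main file. File paths are parameters so the functions can be tried on a scratch copy; the tree built by make_sample_tree is constructed for the demo, and the drop-in name 01-permitrootlogin.conf is only an illustration of the kind of file an installer can leave behind.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): edit an sshd_config directive
# safely and find out which value sshd will actually use once the
# "Include" drop-ins of Rocky 9 are taken into account.

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# set_sshd_option FILE KEYWORD VALUE
# Rewrites the line whether it reads "#Keyword ..." or "Keyword ...";
# appends the directive when the file does not mention it at all.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]]+.*)?\$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_sshd_option CONFIG_FILE KEYWORD
# Prints the first value found, descending into Include globs in the order
# sshd reads them; exit status 1 when the keyword is set nowhere.
effective_sshd_option() {
    local file="$1" key="$2" line kw val inc found
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"      # strip leading blanks
        case "$line" in ''|'#'*) continue ;; esac    # comments and empty lines
        kw="${line%%[[:space:]]*}"
        val="${line#"$kw"}"
        val="${val#"${val%%[![:space:]]*}"}"
        val="${val%"${val##*[![:space:]]}"}"         # strip trailing blanks
        if [ "$(lc "$kw")" = include ]; then
            for inc in $val; do                      # unquoted on purpose: expand the glob
                [ -f "$inc" ] || continue
                if found=$(effective_sshd_option "$inc" "$key"); then
                    printf '%s\n' "$found"; return 0
                fi
            done
        elif [ "$(lc "$kw")" = "$(lc "$key")" ]; then
            printf '%s\n' "$val"; return 0
        fi
    done < "$file"
    return 1
}

# make_sample_tree - constructed Rocky 9-style layout under a temp dir;
# prints its path. The drop-in stands in for one left behind at install time.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir "$root/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n#PermitRootLogin prohibit-password\n#PasswordAuthentication yes\n' \
        "$root" > "$root/sshd_config"
    printf 'PermitRootLogin yes\n' > "$root/sshd_config.d/01-permitrootlogin.conf"
    printf '%s\n' "$root"
}

# Demo: edit only the main file, as the checklist does, then compare what the
# file says with what sshd would apply.
demo() {
    local root
    root=$(make_sample_tree)
    set_sshd_option "$root/sshd_config" PermitRootLogin no
    set_sshd_option "$root/sshd_config" PasswordAuthentication no
    printf 'main file: PermitRootLogin %s\n' "$(sed -n 's/^PermitRootLogin //p' "$root/sshd_config")"
    printf 'effective: PermitRootLogin %s (the drop-in is read first)\n' \
        "$(effective_sshd_option "$root/sshd_config" PermitRootLogin)"
    rm -rf "$root"
}
demo
```

On a real host the equivalent check is `sshd -T | grep -iE '^(permitrootlogin|passwordauthentication)'`, which prints the effective configuration after all includes, and `sshd -t` validates the files before the restart; if a drop-in under /etc/ssh/sshd_config.d/ still says PermitRootLogin yes, fix or remove that file rather than the main config.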


🛡️ 4. Configure SELinux and Firewalld

Ensure SELinux is in enforcing mode:

getenforce

setenforce 1

sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config

Configure the firewall to allow SSH:

firewall-cmd --permanent --add-service=ssh

firewall-cmd --reload

Add additional services like HTTP/HTTPS as needed:

firewall-cmd --permanent --add-service=http

firewall-cmd --permanent --add-service=https

firewall-cmd --reload


🚨 5. Install and Configure Fail2Ban

Fail2Ban watches the SSH authentication log (the systemd journal on Rocky) and temporarily bans source addresses that exceed a configurable number of failed logins within a time window.

Install (the package comes from EPEL, enabled in step 2) and enable:

dnf install fail2ban -y

systemctl enable --now fail2ban

Create a simple jail configuration for SSH:

cat <<EOF > /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = systemd
EOF

Restart the service:

systemctl restart fail2ban
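The jail above inherits its thresholds from jail.conf (maxretry = 5 failures within findtime = 10m by default). The following is an added example, not code from the original post or from Fail2Ban: it reduces the sshd jail to its core rule so those two knobs can be reasoned about, using constructed journal-style sshd lines in place of `journalctl -u sshd`. A source is reported once it produces maxretry failures inside a sliding window of findtime seconds; nothing here reads the real log or touches the firewall.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): a minimal model of the sshd
# jail's maxretry/findtime logic over constructed log lines.

# Constructed sample, in time order. Addresses are documentation ranges.
SAMPLE_LOG='May 17 10:00:01 rocky-prod sshd[1201]: Failed password for root from 203.0.113.10 port 50110 ssh2
May 17 10:00:03 rocky-prod sshd[1203]: Failed password for invalid user admin from 203.0.113.10 port 50112 ssh2
May 17 10:00:05 rocky-prod sshd[1205]: Failed password for invalid user test from 203.0.113.10 port 50114 ssh2
May 17 10:00:07 rocky-prod sshd[1207]: Invalid user oracle from 203.0.113.10 port 50116
May 17 10:00:09 rocky-prod sshd[1209]: Failed password for invalid user oracle from 203.0.113.10 port 50116 ssh2
May 17 10:00:11 rocky-prod sshd[1211]: Failed password for adminuser from 198.51.100.7 port 41000 ssh2
May 17 10:00:20 rocky-prod sshd[1213]: Accepted publickey for adminuser from 198.51.100.7 port 41002 ssh2: ED25519 SHA256:constructed
May 17 10:30:00 rocky-prod sshd[1300]: Failed password for root from 192.0.2.44 port 60000 ssh2'

# failed_auth_counts - stdin: sshd log lines; stdout: "count ip", highest first
failed_auth_counts() {
    awk '/sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# ban_candidates MAXRETRY FINDTIME_SECONDS
# stdin: sshd log lines in time order; stdout: "ip time" for every source that
# crossed the threshold, with the timestamp of the failure that triggered it.
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
        function hms(s,  a) { split(s, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            if (ip == "") next
            t = hms($3)
            n = ++tail[ip]; ts[ip, n] = t
            # slide the window: forget failures older than findtime seconds
            while (head[ip] < n && ts[ip, head[ip]+1] <= t - findtime) head[ip]++
            if (n - head[ip] >= maxretry && !(ip in banned)) banned[ip] = $3
        }
        END { for (ip in banned) print ip, banned[ip] }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_auth_counts
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 5 600
```

With the defaults (5 within 600 s) only 203.0.113.10 is reported; the same five failures spread over more than findtime never accumulate, which is why a slow, patient guesser needs a larger findtime or a smaller maxretry to be caught. The real filter in Fail2Ban matches more message variants than the two used here, and on a production host the numbers to watch are `fail2ban-client status sshd` and the journal.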


🌐 6. Set Timezone and Enable Time Sync

Configure the correct timezone and enable NTP:

timedatectl set-timezone Asia/Kolkata

timedatectl set-ntp true


💾 7. Check Storage and Mount Disks

List partitions and disk usage:

lsblk

df -hT

If additional disks are added, mount them and update /etc/fstab for persistence.


🧹 8. Enable Housekeeping Timers

Activate useful system maintenance timers:

systemctl enable --now dnf-makecache.timer

systemctl enable --now logrotate.timer

Optional but recommended monitoring tools:

dnf install sysstat -y

systemctl enable --now sysstat


🔍 9. Review System Health

Check for failed services and boot-time issues:

systemctl --failed

journalctl -p 3 -xb

These help catch misconfigurations or service errors early.


🧾 10. Optional Enhancements Based on Server Role

Role          Recommended Packages
Web Server    nginx, httpd, certbot
Database      mariadb-server, postgresql-server
VM Guest      open-vm-tools, qemu-guest-agent
Monitoring    iotop, nmon, glances, logwatch

📝 Bonus: Add a Login Banner

Set a warning message for unauthorized access. Note that /etc/motd is shown only after a successful login; to display the notice before authentication, point the sshd Banner directive at a file such as /etc/issue.net.

echo "Authorized access only. System activity is monitored." > /etc/motd

 

Script:

#!/bin/bash
# Rocky Linux Minimal Post-Install Automation Script

set -e

# Configurable Variables
ADMIN_USER="adminuser"
HOSTNAME="rocky-prod"
TIMEZONE="Asia/Kolkata"

echo "➡️ Setting hostname to $HOSTNAME"
hostnamectl set-hostname "$HOSTNAME"

echo "➡️ Updating /etc/hosts"
echo "127.0.0.1   $HOSTNAME" >> /etc/hosts

echo "➡️ Creating admin user: $ADMIN_USER"
useradd -m "$ADMIN_USER"
echo "Set password for $ADMIN_USER:"
passwd "$ADMIN_USER"
usermod -aG wheel "$ADMIN_USER"

echo "➡️ Updating system and installing base packages"
dnf update -y
dnf install -y epel-release
dnf install -y vim wget curl bash-completion net-tools git htop

echo "➡️ Enabling essential services"
systemctl enable --now sshd
systemctl enable --now chronyd
systemctl enable --now firewalld

echo "➡️ Hardening SSH"
# '#?' also matches a directive that is already active, not only the commented-out default
sed -i -E 's/^#?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
# Disable password logins only once the admin user has a key, or a remote session locks itself out
[ -s "/home/$ADMIN_USER/.ssh/authorized_keys" ] && \
    sed -i -E 's/^#?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sshd -t    # abort (set -e) instead of restarting sshd with a broken config
systemctl restart sshd

echo "➡️ Configuring SELinux"
setenforce 1
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config

echo "➡️ Configuring firewalld"
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

echo "➡️ Installing and configuring Fail2Ban"
dnf install -y fail2ban
systemctl enable --now fail2ban

cat <<EOF > /etc/fail2ban/jail.d/sshd.local
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = systemd
EOF

systemctl restart fail2ban

echo "➡️ Setting timezone to $TIMEZONE"
timedatectl set-timezone "$TIMEZONE"
timedatectl set-ntp true

echo "➡️ Enabling system maintenance timers"
systemctl enable --now dnf-makecache.timer
systemctl enable --now logrotate.timer

echo "➡️ Installing optional system monitoring tools"
dnf install -y sysstat
systemctl enable --now sysstat

echo "➡️ Creating login banner"
echo "Authorized access only. System activity is monitored." > /etc/motd

echo "✅ Base configuration complete. Recommended next steps:"
