// Tutorial //

Additional Recommended Steps for New CentOS 7 Servers

Published on November 5, 2014 · Updated on February 20, 2019
Default avatar
By Justin Ellingwood
Developer and author at DigitalOcean.
English
Additional Recommended Steps for New CentOS 7 Servers

Introduction

After setting up the bare minimum configuration for a new server, there are some additional steps that are highly recommended in most cases. In this guide, we’ll continue the configuration of our servers by tackling some recommended, but optional procedures.

Prerequisites and Goals

Before you start this guide, you should run through the CentOS 7 initial server setup guide. This is necessary in order to set up your user accounts, configure privilege elevation with sudo, and lock down SSH for security.

Once you have completed the guide above, you can continue with this article. In this guide, we will be focusing on configuring some optional but recommended components. This will involve setting our system up with a firewall and a swap file, and configuring Network Time Protocol synchronization.

Configuring a Basic Firewall

Firewalls provide a basic level of security for your server. These applications are responsible for denying traffic to every port on your server with exceptions for ports/services you have approved. CentOS ships with a firewall called firewalld. A tool called firewall-cmd can be used to configure your firewall policies. Our basic strategy will be to lock down everything that we do not have a good reason to keep open. First install firewalld:

  1. sudo yum install firewalld

The firewalld service has the ability to make modifications without dropping current connections, so we can turn it on before creating our exceptions:

  1. sudo systemctl start firewalld

Now that the service is up and running, we can use the firewall-cmd utility to get and set policy information for the firewall. The firewalld application uses the concept of “zones” to label the trustworthiness of the other hosts on a network. This labelling gives us the ability to assign different rules depending on how much we trust a network.

In this guide, we will only be adjusting the policies for the default zone. When we reload our firewall, this will be the zone applied to our interfaces. We should start by adding exceptions to our firewall for approved services. The most essential of these is SSH, since we need to retain remote administrative access to the server.

If you have not modified the port that the SSH daemon is running on, you can enable the service by name by typing:

  1. sudo firewall-cmd --permanent --add-service=ssh

If you have changed the SSH port for your server, you will have to specify the new port explicitly. You will also need to include the protocol that the service utilizes. Only type the following if your SSH server has already been restarted to use the new port:

  1. sudo firewall-cmd --permanent --remove-service=ssh
  2. sudo firewall-cmd --permanent --add-port=4444/tcp

This is the bare minimum needed to retain administrative access to the server. If you plan on running additional services, you need to open the firewall for those as well.

If you plan on running a conventional HTTP web server, you will need to enable the http service:

  1. sudo firewall-cmd --permanent --add-service=http

If you plan to run a web server with SSL/TLS enabled, you should allow traffic for https as well:

  1. sudo firewall-cmd --permanent --add-service=https

If you need SMTP email enabled, you can type:

  1. sudo firewall-cmd --permanent --add-service=smtp

To see any additional services that you can enable by name, type:

  1. sudo firewall-cmd --get-services

When you are finished, you can see the list of the exceptions that will be implemented by typing:

  1. sudo firewall-cmd --permanent --list-all

When you are ready to implement the changes, reload the firewall:

  1. sudo firewall-cmd --reload

If, after testing, everything works as expected, you should make sure the firewall will be started at boot:

  1. sudo systemctl enable firewalld

Remember that you will have to explicitly open the firewall (with services or ports) for any additional services that you may configure later.

Configure Timezones and Network Time Protocol Synchronization

The next step is to adjust the localization settings for your server and configure the Network Time Protocol (NTP) synchronization.

The first step will ensure that your server is operating under the correct time zone. The second step will configure your system to synchronize its system clock to the standard time maintained by a global network of NTP servers. This will help prevent some inconsistent behavior that can arise from out-of-sync clocks.

Configure Timezones

Our first step is to set our server’s timezone. This is a very simple procedure that can be accomplished using the timedatectl command:

First, take a look at the available timezones by typing:

  1. sudo timedatectl list-timezones

This will give you a list of the timezones available for your server. When you find the region/timezone setting that is correct for your server, set it by typing:

  1. sudo timedatectl set-timezone region/timezone

For instance, to set it to United States eastern time, you can type:

  1. sudo timedatectl set-timezone America/New_York

Your system will be updated to use the selected timezone. You can confirm this by typing:

  1. sudo timedatectl

Configure NTP Synchronization

Now that you have your timezone set, we should configure NTP. This will allow your computer to stay in sync with other servers, leading to more predictability in operations that rely on having the correct time.

For NTP synchronization, we will use a service called ntp, which we can install from CentOS’s default repositories:

  1. sudo yum install ntp

Next, you need to start the service for this session. We will also enable the service so that it is automatically started each time the server boots:

  1. sudo systemctl start ntpd
  2. sudo systemctl enable ntpd

Your server will now automatically correct its system clock to align with the global servers.

Create a Swap File

Adding “swap” to a Linux server allows the system to move the less frequently accessed information of a running program from RAM to a location on disk. Accessing data stored on disk is much slower than accessing RAM, but having swap available can often be the difference between your application staying alive and crashing. This is especially useful if you plan to host any databases on your system.

Advice about the best size for a swap space varies significantly depending on the source consulted. Generally, an amount equal to or double the amount of RAM on your system is a good starting point.

Allocate the space you want to use for your swap file using the fallocate utility. For example, if we need a 4 Gigabyte file, we can create a swap file located at /swapfile by typing:

  1. sudo fallocate -l 4G /swapfile

After creating the file, we need to restrict access to the file so that other users or processes cannot see what is written there:

  1. sudo chmod 600 /swapfile

We now have a file with the correct permissions. To tell our system to format the file for swap, we can type:

  1. sudo mkswap /swapfile

Now, tell the system it can use the swap file by typing:

  1. sudo swapon /swapfile

Our system is using the swap file for this session, but we need to modify a system file so that our server will do this automatically at boot. You can do this by typing:

  1. sudo sh -c 'echo "/swapfile none swap sw 0 0" >> /etc/fstab'

With this addition, your system should use your swap file automatically at each boot.

Where To Go from Here?

You now have a very decent beginning setup for your Linux server. From here, there are quite a few places you can go. First, you may wish to snapshot your server in its current configuration.

Take a Snapshot of your Current Configuration

If you are happy with your configuration and wish to use this as a base for future installations, you can take a snapshot of your server through the DigitalOcean control panel. Starting in October of 2016, snapshots cost $0.05 per gigabyte per month based on the amount of utilized space within the filesystem.

To do so, shutdown your server from the command line. While it is possible to snapshot a running system, powering down ensures that the files on disk are all in a consistent state:

  1. sudo poweroff

Now, in the DigitalOcean control panel, you can take a snapshot by visiting the “Snapshots” tab of your server:

DigitalOcean snapshot

After taking your snapshot, you will be able to use that image as a base for future installations by selecting the snapshot from the “My Snapshots” tab for images during the creation process:

DigitalOcean use snapshot

Additional Resources and Next Steps

From here, your path depends entirely on what you wish to do with your server. The list of guides below is in no way exhaustive, but represents some of the more common configurations that users turn to next:

Conclusion

By this point, you should know how to configure a solid foundation for your new servers. Hopefully, you also have a good idea for your next steps. Feel free to explore the site for more ideas that you can implement on your server.

If you’ve enjoyed this tutorial and our broader community, consider checking out our DigitalOcean products which can also help you achieve your development goals.

Learn more here


Tutorial Series: New CentOS 7 Server Checklist

When creating a new CentOS 7 server, there are some basic tasks that you should take to ensure that your server is secure and configured properly. This tutorial series will go over connecting to your server and general security best practices, and will also provide links to articles that will help you to start running your own web server or application.

About the authors
Default avatar
Developer and author at DigitalOcean.

Still looking for an answer?

Was this helpful?
10 Comments

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

In “Initial Server Setup with CentOS 7” you mention that you cover fail2ban in this tutorial. I see no mention of that here at all. Did you miss it or omit it for a reason?

I agree the following updates to the tutorial would be helpful:

  • specify a “sudo yum install firewalld” command before getting into the firewall stuff, because I was getting a “Unit not found” error when trying to start the firewall daemon.
  • add ntp to the list of allowed services on the firewall
  • create the swap file using dd instead of fallocate, because the swapon command was failing with an “invalid argument” error.

I ran into these issues with a fresh default droplet install of Centos7 in July 2018

Thanks for the tutorial!

Hi Justin,

Very nice tutorial indeed, super useful!

I have a question though, regarding the creation of a swap file part. It is recommended here, but i’ve just read that other DigitalOcean article that discourages enabling swap on DO:

“Although swap is generally recommended for systems utilizing traditional spinning hard drives, using swap with SSDs can cause issues with hardware degradation over time. Due to this consideration, we do not recommend enabling swap on DigitalOcean or any other provider that utilizes SSD storage. Doing so can impact the reliability of the underlying hardware for you and your neighbors.”

So is it or is it not a good idea to create the swap file on DO?

Thanks for your answer

after

sudo swapon /swapfile

catch error

swapon: /swapfile: swapon failed: Invalid argument

Nice tutorial, just one error/typo

sudo chown 600 /swapfile

should be

sudo chmod 600 /swapfile

hello, I want to know how can I put a static route, for example in a virtual-machine I make a route-eth0 .txt and add the following: ##remote source devise 10.26.4.0/24 via 192.168.2.201 dev eth0

but in the centos 7 digitalocean ,what is corrent way?

thank you

An easier to type method (instead of sudo sh -c) is: echo "/swapfile none swap sw 0 0" | sudo tee -a /etc/fstab

In-case anyone else had issues with doing the swapfile thing on CentOS 7. I used this post to help guide me.

https://unix.stackexchange.com/questions/294600/i-cant-enable-swap-space-on-centos-7

Thank you so much; this is very helpful!

Great tutorial! When running the command swapon /swapfile I had the error “swapfile has holes”. I created it as described in this guide:

$ dd if=/dev/zero of=/swapfile bs=2048
	count=2048
	2048+0 records in
	2048+0 records out
	$
$ mkswap /swapfile 2048
	Setting up swapspace, size = 2044 KiB 
	bytes
	$

Then I ran the swapon /swapfile again. Hope this helps someone with the same issue.