Tutorial

Initial Setup of a Fedora 22 Server

Published on July 8, 2015
Initial Setup of a Fedora 22 Server

Introduction

When you first log into a fresh Fedora 22, it’s not ready for use as a production system. There are a number of recommended steps to take in order to customize and secure it, such as enabling a firewall.

This tutorial will show you how to give a fresh installation of a Fedora 22 server a better security profile and be ready for use.

Prerequisites

To follow this tutorial, you will need:

  • A Fedora 22 Droplet with root SSH keys.

You can follow this section of the SSH key tutorial to create keys if you don’t have them, and this section of the same tutorial to automatically embed your SSH key in your server’s root account when you create your Droplet.

Step 1 — Creating a Standard User Account

First, log into your server as root.

ssh root@your_server_ip

Operating as root is a security risk, so in this step, we’ll set up a sudo non-root user account to use for system and other computing tasks. The username used in this tutorial is sammy, but you can use any name you like.

To add the user, type:

adduser sammy

Specify a strong password for the user using the command below. You’ll be prompted to enter the password twice.

passwd sammy

Then add the user to the wheel group, which gives it sudo privileges.

gpasswd -a sammy wheel

Log out of your server and add your SSH key to the new user account by running the following on your local machine.

ssh-copy-id sammy@your_server_ip

For more information on how to copy your SSH keys from your local machine to your server, you can read this section of the SSH tutorial.

Finally, log back in as the new sudo non-root user. You won’t be prompted for a password because this account now has SSH keys.

ssh sammy@your_server_ip

Step 2 — Disallowing Root Login and Password Authentication

In this step, we’ll make SSH logins more secure by disabling root logins and password authentication.

To edit configuration files, you’ll need to install a text editor. We’ll use nano but you can use whichever is your favorite.

First, apply any available updates using:

sudo dnf update

Then, to install nano, type:

sudo dnf install -y nano

Now, open the the SSH daemon’s configuration file for editing.

sudo nano /etc/ssh/sshd_config

Inside that file, look for the PermitRootLogin directive. Uncomment it (that means remove the starting # character) and set it to no.

PermitRootLogin no

Similarly, look for the PasswordAuthentication directive and set it to no as well.

PasswordAuthentication no

Save and exit the file, then reload the configuration to put your changes into place.

sudo systemctl reload sshd

If anyone tries to log in as root now, the response should be Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Step 3 ­— Configuring the Time Zone

In this step, you’ll read how to change the system clock to your local time zone. The default clock is set to UTC.

All the known timezones are under the /usr/share/zoneinfo/ directory. Take a look at the files and directories in /usr/share/zoneinfo/.

ls /usr/share/zoneinfo/

To set the clock to use the local timezone, find your country or geographical area in that directory, locate the zone file under it, then create a symbolic soft link from it to the /etc/localtime directory. For example, if you’re in the central part of the United States, where the timezone is Central, or CST, the zone file will be /usr/share/zoneinfo/US/Central.

Create a symbolic soft link from your zone file to /etc/localtime.

sudo ln -sf /usr/share/zoneinfo/your_zone_file /etc/localtime

Verify that the clock is now set to local time by viewing the output of the date command.

date

The output will look something like:

Wed Mar 25 14:41:20 CST 2015

The CST in that output confirms that it’s Central time.

Step 4 — Enabling a Firewall

A new Fedora 22 server has no active firewall application. In this step, we’ll learn how to enable the IPTables firewall application and make sure that runtime rules persist after a reboot.

The IPTables package is already installed, but to be enable to enable it, you need to install the iptables-services package.

sudo dnf install -y iptables-services

You may then enable IPTables so that it automatically starts on boot.

sudo systemctl enable iptables

Next, start IPTables.

sudo systemctl start iptables

IPTables on Fedora 22 ships with a default set of rules. One of those rules permits SSH traffic. To view the default rules, type:

sudo iptables -L

The output should read:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Those rules are runtime rules and will be lost if the system is rebooted. To save the current runtime rules to a file so that they persist after a reboot, type:

sudo /usr/libexec/iptables/iptables.init save

The rules are now saved to a file called iptables in the /etc/sysconfig directory.

Step 5 (Optional) — Allowing HTTP and HTTPS Traffic

In this section, we’ll cover how to edit the firewall rules to allow services for ports 80 (HTTP) and 443 (HTTPS).

The default IPTables rules allow SSH traffic in by default, but HTTP and its relatively more secure cousin, HTTPS, are services that many applications use, so you may want to allow these to pass through the firewall as well.

To proceed, open the firewall rules file by typing:

sudo nano /etc/sysconfig/iptables

All you need to do is add two rules, one for port 80 and another for port 443, after the rule for SSH (port 22) traffic. The lines below in red are the ones you will add; the lines before and after are included for context to help you find where to add the new rules.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

To activate the new ruleset, restart IPTables.

sudo systemctl restart iptables

Step 6 (Optional) - Installing Mlocate

The locate command is a very useful utility for looking up the location of files in the system. For example, to find a file called example, you would type:

locate example

That will scan the file system and print the location or locations of the file on your screen. There are more advanced ways of using locate, too.

To make the command available on your server, first you need to install the mlocate package.

sudo dnf install -y mlocate

Then, run the updatedb command to update the search database.

sudo updatedb

After that, you should be able to use locate to find any file by name.

Conclusion

After completing the last step, your Fedora 22 server should be configured, reasonably secure, and ready for use!

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
4 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Thanks for this guide. Very helpful. Is there a guide written for Fedora 23? Basically everything works from this one. Just curious if there are any advanced topics discussed further.

I am having a bit of trouble copying my public key onto the new user. I think it may be partly because I am using MobaXterm in a Windows machine to connect to my remote machine. I try the ssh-copy-id from a git bash instance, and it almost works but complains when I can’t find the file?

Thanks for this. Fedora 33 now. I cannot access the network. I don’t want to use iptables – already use the Digital Ocean Firewall for our droplet. Port80 and 443 are enabled. Any ideas what to do? Why is the network not accessible?

I have install a Fedora 25 Droplet. For the step in which you install iptables

sudo dnf install -y iptables-services

Seems iptables is no longer installed by default. You will need to add it like this:

sudo dnf install -y iptables iptables-services

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more