About Fedora.

The Fedora Linux distribution is sponsored by Red Hat and developed by a community-supported project. Its software is packaged under free and open-source licenses. Fedora is known for its focus on innovation and for shipping versions bundled with new technologies sooner than other Linux distributions.

It uses the RedHat Package Manager (RPM), with a program called DNF, similar to YUM, to manage RPM packages. The three main Fedora editions are Workstation, Server and Cloud. Fedora releases are supported for relatively brief periods: support for an old version ends with the release of the second version after it. With new versions released every six months, the lifecycle of any version is 13 months. Fedora version 22 is used for this tutorial.

Introduction

When you get a fresh Fedora install, you need to do some setup to reach the recommended build for a production environment, such as setting up a super user, customizing the firewall and securing remote user access by SSH.

To get started, you will need a Fedora 22 server installation with root access.

$ ssh root@your_server_ip  

SSH to your server as root, using your machine's public IP address, and supply the password. Accept any prompts the server presents. If it is a first-time login, you will have to change the root password.

After getting in as the root user, we will need a non-root user account with similar administrative rights. The username we will use is manager and we will give it sudo rights for basic administrative functions.

To add manager as a user, key in

 # adduser manager 

To assign a password to the new user, manager, fire the shell command

 # passwd manager 

Key in a good password and confirm it by typing it a second time when prompted.

Adding root privileges

After setting up the regular user account with user-level rights and privileges, the need for users who are also admins, such as "manager", will arise.

This requires adding super user privileges to the normal account, so that a regular account can run admin commands by prefixing each of them with "sudo".

The "manager" user has to be added to the "wheel" group for these privileges to apply, so that it can use the sudo command.

To do that, fire the following command:

 # gpasswd -a manager wheel

With this the user "manager" can now run commands with admin user privileges.

You can now log out of the server and SSH into it using the manager user account. The -p 1234 option applies once the SSH port has been changed to 1234 as described below; until then, omit it and connect on the default port.

 $ ssh -p 1234 manager@SERVER_IP_ADDRESS 

Configuring the secure shell directives

In order to increase server security, we can change the SSH configuration file. The SSH daemon allows remote access to the server as root or as a normal user, over the default port 22.

We will start by installing a text editor. You can install any text editor of your choice; we will install Vim. First run the update command to install any current updates.

 sudo dnf update 

Then install vim with the following command:

 sudo dnf install vim-enhanced 

Then open the configuration file for editing as a super user:

 # sudo vim /etc/ssh/sshd_config 

To disable root login over SSH, find the line shown below and change the directive to no.

 /etc/ssh/sshd_config  
 #PermitRootLogin yes

Also, to ensure no one has remote SSH access to our server via the default port 22, we can change the SSH port.

To do this, find the line shown below and change the port number.

 /etc/ssh/sshd_config  
 #Port 22

You will have to search through many lines of directives, so use the search utility within your favourite editor. For vi, press escape and type the following to find the PermitRootLogin directive.

 /PermitRoot 

Hit the enter key. Remove the '#' sign and change the "yes" to "no".

The new directive will look like this:

 /etc/ssh/sshd_config  
 PermitRootLogin no

For the port, press escape and type the following lines to find the Port directive.

 /Port 

Again, hit the enter key. Remove the '#' sign and change the "22" to "1234", or any other custom port number you choose.

The new directive will look like this:

 /etc/ssh/sshd_config  
 Port 1234

Ensuring remote access as root is disabled is very important on your server.

Ensuring the default port is no longer used for remote SSH access is equally important on your server.

Strike the escape key again and type the following commands to save and close the file.

 :wq 

Restarting SSH

For the server to use the new configuration, the SSH daemon must reload it.

 # sudo systemctl reload sshd 

Test the new configuration before logging off, to confirm it was applied correctly.

Launch a new terminal window using any terminal program you have and begin a new connection to your server on the new port. With this new connection, test logging in as the new user "manager" instead of root.
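The PermitRootLogin and Port edits above, done from a script with the checks an admin wants before reloading sshd, as an added example that is not part of the original tutorial. Function and variable names are this example's own; it assumes Fedora's default SELinux enforcing mode and the tutorial's port 1234.

```shell
#!/bin/sh
# Added example (not from the original tutorial): apply the sshd_config
# changes from the text and verify them before the daemon reloads.

# Set a directive to a value whether it is active ("Port 22"), commented out
# ("#Port 22") or absent. sshd honours the FIRST occurrence of a directive, so
# the first match is rewritten and any later active copies are dropped.
set_sshd_directive() {
  cfg="$1"; key="$2"; val="$3"; tmp="$cfg.tmp.$$"
  awk -v k="$key" -v v="$val" '
    !seen && $0 ~ ("^[# \t]*" k "[ \t]") { print k " " v; seen = 1; next }
     seen && $0 ~ ("^[ \t]*" k "[ \t]")  { next }
    { print }
    END { if (!seen) print k " " v }
  ' "$cfg" > "$tmp" || return 1
  # Copy over the original rather than mv: this keeps its mode (0600), owner
  # and SELinux label, which a freshly created temp file would not have.
  cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Verify the two settings the tutorial relies on are present exactly once and
# that no active line still permits root login.
check_sshd_config() {
  cfg="$1"
  [ "$(grep -Ec '^PermitRootLogin[[:space:]]+no$' "$cfg")" = 1 ] || return 1
  [ "$(grep -Ec '^Port[[:space:]]+[0-9]+$' "$cfg")" = 1 ] || return 1
  ! grep -Eq '^PermitRootLogin[[:space:]]+(yes|without-password|prohibit-password)' "$cfg"
}

# The whole procedure for a live server; run as root. Not executed here.
harden_sshd() {
  port="${1:-1234}"
  set_sshd_directive /etc/ssh/sshd_config PermitRootLogin no
  set_sshd_directive /etc/ssh/sshd_config Port "$port"
  check_sshd_config /etc/ssh/sshd_config || return 1
  # Fedora ships SELinux enforcing, and sshd may only bind ports labelled
  # ssh_port_t, so label the new port first (use -m instead of -a on a rerun).
  semanage port -a -t ssh_port_t -p tcp "$port" || return 1
  # sshd -t parses the config without starting a daemon; never reload on a
  # config it rejects, or the next login attempt may fail.
  sshd -t && systemctl reload sshd
}
```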

Time zones

By default, the system clock is set to UTC. You can adjust it to your local time zone.

The time zone files are stored in the /usr/share/zoneinfo/ directory. You can see them by firing the following command.

 # ls /usr/share/zoneinfo/ 

To make the system clock use your local time zone, find your country and its zone file in that directory, then create a symbolic link from it to /etc/localtime. For example, if you live in Sydney, Australia, the zone file is /usr/share/zoneinfo/Australia/Sydney, where the time zone is EST. Here is the command:

 sudo ln -sf /usr/share/zoneinfo/your_zone_file /etc/localtime  

To confirm that this went well, fire the date command and check the output.

 date 
Fri Nov 21 08:53:03 EST 2014

The printed output shows the time zone is now EST, the zone chosen for Australia.

Configuring the firewall

Start the IPTables service:

 sudo systemctl start iptables 

On Fedora 22 the IPTables service comes with a set of pre-configured rules. To see them, type:

 sudo iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

These are the default runtime rules. To ensure they survive your next reboot, fire the following command:

 sudo /usr/libexec/iptables/iptables.init save 

The IPTables rules are now saved to the file /etc/sysconfig/iptables.

Allowing services through the firewall

We will work with the custom port we configured for SSH, port 1234.

By default, IPTables allows access for SSH on port 22, but our custom SSH directive needs new access through the firewall.

To begin editing the firewall rules, type the following command:

 sudo nano /etc/sysconfig/iptables 

Add the new rule beneath the default SSH rule (port 22), as shown here:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

To activate these new rules, restart IPTables:

 sudo systemctl restart iptables 
