Minimal Installation and Securing the server

Step 1: Do a minimal install from the base Rocky Linux ISO for the hardware architecture you have. This build has been tested on a Dell PowerEdge with Intel® Xeon® processors under Hyper-V, and on an AMD Ryzen 9 5900 machine with VirtualBox 7.1 on Rocky Linux 8.7 with the KDE desktop.

Step 2: After the base install, run the following commands as root to remove the separate /home logical volume and give its space to the root filesystem ( / ) instead of leaving it locked up in /home. This destroys everything under /home, so do it right after installation, before any user data exists, and with no users logged in. The volume group name rl is the Rocky Linux installer default; confirm it with lvdisplay before you touch anything:

  • ~]# lvdisplay # shows the current logical volume setup; check that /dev/rl/home exists
  • ~]# umount /dev/rl/home # fails with "target is busy" if a process still has files open under /home
  • ~]# lvchange -an -v /dev/rl/home # deactivates the volume
  • ~]# lvremove -vf /dev/rl/home # deletes it; -f skips the confirmation prompt
  • ~]# lvextend -l +100%FREE -r /dev/mapper/rl-root # gives all free space to root; -r also grows the xfs filesystem online

Step 3: Now edit /etc/fstab so the system no longer tries to mount the volume you just removed. If you skip this, the next boot will fail to mount /home and drop you into emergency mode. Since this is just a base install, the editor you have is vi; if you are not familiar with vi, take a short tutorial on it first.

  • ~]# vi /etc/fstab

Once in the /etc/fstab file you should see:

# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/rl-root     /                       xfs     defaults        0 0
UUID=3f3d2d16-f9d8-4cd0-a3c1-94704e66a200 /boot                   xfs     defaults        0 0
UUID=8834-B693          /boot/efi               vfat    umask=0077,shortname=winnt 0 2
/dev/mapper/rl-home     /home                   xfs     defaults        0 0
/dev/mapper/rl-swap     none                    swap    defaults        0 0
UUID=3ff48da3-0f1f-4e99-bc52-f73ab8e8a344       /mnt/swift      ext4    defaults        0 0

You need to comment out the line containing /dev/mapper/rl-home (put a # at the start of it) so that it looks like the following:

#/dev/mapper/rl-home     /home                   xfs     defaults        0 0

Now you can reboot. Once the machine has come back up, run:
~]# df
to verify that all the disk space is now available to / (the actual root filesystem). lvdisplay should no longer list /dev/rl/home.
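The three steps above, as one added example script (not the page's own script or the author's secure_http.txt). It assumes the installer default volume group "rl" and the device names from the fstab shown above, refuses to unmount /home while something still uses it, and edits /etc/fstab in place so a typo there cannot leave the machine unbootable. The destructive part only runs when you pass --run:

```shell
#!/bin/sh
# Added example: reclaim the /home logical volume into / on the default Rocky Linux
# LVM layout. Assumes volume group "rl" (installer default) and the device names
# from the fstab above. Must run as root. It DESTROYS everything under /home.
set -eu

# comment_out_home FSTAB: comment out the still-active /dev/mapper/rl-home entry,
# keeping a .bak copy. Returns 1 and changes nothing if no active entry exists,
# so running it a second time is harmless.
comment_out_home() {
    fstab="$1"
    if ! grep -q '^/dev/mapper/rl-home[[:space:]]' "$fstab"; then
        return 1
    fi
    cp -p "$fstab" "$fstab.bak"
    tmp="$fstab.tmp"
    sed 's|^\(/dev/mapper/rl-home[[:space:]]\)|#\1|' "$fstab" > "$tmp"
    cat "$tmp" > "$fstab"    # write back in place so ownership and mode are kept
    rm -f "$tmp"
}

# reclaim_home: the destructive steps, in the same order as the page's commands.
reclaim_home() {
    vg=rl
    lvdisplay "/dev/$vg/home" > /dev/null     # stop here if the volume is not present
    if fuser -m /home > /dev/null 2>&1; then  # some process still has files open under /home
        echo "processes are still using /home; log them out and retry" >&2
        return 1
    fi
    umount /home
    lvchange -an "/dev/$vg/home"
    lvremove -f "/dev/$vg/home"
    lvextend -l +100%FREE -r "/dev/mapper/$vg-root"   # -r grows the xfs filesystem too
    comment_out_home /etc/fstab
    systemctl daemon-reload                   # what the fstab header asks for after an edit
    df -h /
}

# Only run the destructive steps when explicitly asked for.
if [ "${1:-}" = "--run" ]; then
    reclaim_home
fi
```

Keeping the fstab edit in its own function means it can be tested on a copy of the file before you ever run it against the real one; with the reboot that follows, a wrong fstab line is the failure you want to catch first.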

Step 6: Securing the server. This is always my next step when building a server, which should preferably sit on a private subnet behind a firewall. This part is fairly easy. I wrote a script that does the following:

  • Checks whether iptables is already running, so you can safely run the script again.
  • Checks whether firewalld is running; if it is, firewalld is disabled and iptables is set up instead.
  • Sets up iptables to allow:
    • HTTP/HTTPS (ports 80 and 443), FTP (port 21) and ports 7000-7500 for passive FTP data connections, from anywhere. Keep in mind that FTP sends usernames and passwords in clear text; if only administrators need file transfer, SFTP over SSH from your trusted addresses is the safer choice.
    • MySQL (port 3306) only from the authorized IP addresses you enter as the script runs.
    • Webmin (port 10000) only from the authorized IP addresses you enter as the script runs, in case you want to use Webmin.
    • Cockpit (port 9090) in case you want to use the Rocky Linux Cockpit console.
    • Dropping new connections on ports 80 and 443 from any single source IP that already holds more than 10 open connections (the iptables connlimit match). This blunts a simple DoS from one host; it does nothing against a distributed attack, where every source stays under the limit.
    • Connections initiated by the server itself (established and related traffic); everything else that does not match the rules above is blocked.
    • Note that the list above says nothing about SSH (port 22). If you administer the machine remotely, make sure the rule set allows SSH, at least from your trusted addresses, before the default policy becomes DROP, or you will lock yourself out.
  • setsebool -P ftpd_use_passive_mode=on so passive mode works with vsftpd. This and the next two booleans need to be set even if SELinux is not enforcing; setsebool -P requires a loaded SELinux policy (permissive or enforcing) and fails with "SELinux is disabled" if SELinux has been turned off completely.
  • setsebool -P ftpd_full_access=on so vsftpd can read and write users' files. This is a broad boolean that gives vsftpd full filesystem access under SELinux, so only enable it if you actually need FTP uploads.
  • setsebool -P httpd_can_network_connect=on so the WordPress dashboard can fetch plugins and themes. Be aware that this lets every httpd process open outbound connections to any host, which also widens what a compromised web application or plugin can reach from your server.
  • Installs /usr/local/bin/firewall.sh, which loads your iptables rules at boot, and creates /usr/local/bin/trusted.zones, which you can edit to add or remove whatever trusted IP blocks you need.
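The rule set the list above describes, as an added example (not the author's secure_http.txt or firewall.sh). It renders the whole policy as one iptables-restore file rather than a series of iptables calls, so the rules load atomically and a half-applied set cannot lock you out. Assumptions not taken from the page: trusted.zones holds one IPv4 address or CIDR per line with # comments, and SSH (22) and Cockpit (9090) are restricted to those trusted blocks alongside MySQL (3306) and Webmin (10000):

```shell
#!/bin/sh
# Added example (not the page's script): build the iptables filter table described
# above as an iptables-restore file. Assumed, not from the page: trusted.zones has one
# IPv4 address/CIDR per line ('#' comments allowed); SSH and Cockpit are limited to
# those trusted blocks together with MySQL and Webmin.
set -eu

TRUSTED_ZONES=/usr/local/bin/trusted.zones
ADMIN_PORTS=22,3306,9090,10000   # reachable only from trusted.zones entries (assumption)
PUBLIC_PORTS=80,443              # reachable from anywhere, with a per-source connection cap
PASV_RANGE=7000:7500             # must match pasv_min_port/pasv_max_port in vsftpd.conf
CONN_LIMIT=10                    # connections one source may hold to the public ports

# render_rules ZONEFILE: print an iptables-restore rule set for the filter table to stdout.
render_rules() {
    zones="$1"
    [ -r "$zones" ] || { echo "cannot read $zones" >&2; return 1; }
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # loopback, and anything belonging to a flow the server itself started
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # a source already holding more than CONN_LIMIT connections to 80/443 gets no new ones
    printf '%s\n' "-A INPUT -p tcp --syn -m multiport --dports $PUBLIC_PORTS -m connlimit --connlimit-above $CONN_LIMIT --connlimit-mask 32 -j DROP"
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports $PUBLIC_PORTS -j ACCEPT"
    # FTP control channel plus the fixed passive data range, open to everyone as on the page
    printf '%s\n' '-A INPUT -p tcp --dport 21 -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp --dport $PASV_RANGE -j ACCEPT"
    # admin ports only from trusted blocks; blank lines and comments in the zone file are skipped
    grep -v '^[[:space:]]*#' "$zones" | grep -v '^[[:space:]]*$' | while read -r cidr; do
        printf '%s\n' "-A INPUT -p tcp -s $cidr -m multiport --dports $ADMIN_PORTS -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Apply only when asked; once loaded, the INPUT policy drops everything not listed above.
if [ "${1:-}" = "--apply" ]; then
    render_rules "$TRUSTED_ZONES" | iptables-restore
fi
```

Run it without --apply first and read the output; iptables-restore rejects the whole file on a syntax error rather than loading half of it. These rules cover IPv4 only: if the server has a public IPv6 address, ip6tables needs an equivalent set or those ports stay open over IPv6 regardless of what iptables says.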

The bash script that automates almost all of this is at secure_http.txt. It runs as root and rewrites your firewall rules, so read it before you execute it. To run it and secure your server, perform the following steps:

  • ~]# dnf install wget -y
  • ~]# wget https://rocky.advalgo.com/secure_http.txt
  • ~]# chmod +x secure_http.txt
  • ~]# ./secure_http.txt

This script was tested again and verified on a Ryzen 9 5900 machine running Rocky Linux 8.7 under VirtualBox 7.1.