Setting up a new machine
This guide assumes you are on a fresh machine running AlmaLinux 9 or 10, SSH-ed in as root.
It shows how to install the required packages, configure the firewall, lock the server down to just SSH, and create an admin user.
Installing initial packages
First, update the system
dnf upgrade -y # "dnf update" is only a deprecated alias for "dnf upgrade", so one command is enough
Then install the necessary packages
dnf install -y epel-release firewalld bind-utils git fail2ban neovim
epel-release is necessary to get fail2ban and some later dependencies.
It stands for "Extra Packages for Enterprise Linux".
Closing the Firewall to anything but SSH
We are going to close the firewall to everything but SSH for now; we don't have anything running on the server yet anyway.
# Enable firewalld
systemctl enable --now firewalld
# This sets the default firewall zone to drop, which means incoming traffic is dropped by default.
# Later on you will want to change this to zone=public so you can serve traffic over http/https.
# Between --set-default-zone=drop and --reload, new SSH connections are dropped; the session you are
# in survives (established connections are still accepted), so keep it open until the reload succeeds.
firewall-cmd --set-default-zone=drop &&
firewall-cmd --add-service=ssh --permanent &&
firewall-cmd --reload
Unattended upgrades
dnf install -y dnf-automatic
systemctl enable --now dnf-automatic.timer
Note that /etc/dnf/automatic.conf ships with apply_updates = no, so dnf-automatic.timer only downloads updates; set apply_updates = yes there (or enable dnf-automatic-install.timer instead) if you want them actually applied.
Enabling fail2ban
This keeps the masses of bots from trying to SSH into / log into our server by banning their IPs if they keep hammering it.
Create a new jail file at /etc/fail2ban/jail.local with:
[sshd]
enabled = true
Start it
systemctl enable --now fail2ban
Creating the admin user
To avoid using the root user we are going to create a new user with sudo privileges and prevent logging into root via SSH.
The password for the admin user is in our Bitwarden.
adduser admin
passwd admin # Will prompt you for a new password
usermod -aG wheel admin # Give elevated (sudo) privileges to the user
Add your SSH key to the admin user's authorized keys so you can SSH in as admin.
Switch to the admin account (su has no -i option; "-" gives you a login shell)
su - admin
Create the files and paste your public key
cd ~ # in case you aren't in your $HOME dir
mkdir -m 700 .ssh
nvim .ssh/authorized_keys # paste the relevant SSH public keys in here
chmod 600 .ssh/authorized_keys # sshd (StrictModes) refuses keys from a file writable by others
Open a new terminal and try SSH-ing into the admin user on the server; it should work.
Be sure this is the case before you lock the root account out.
Locking the root account
Go back to the root account now; otherwise you will need to sudo the commands below.
The following commands lock root out of SSH (and disable password logins) by editing /etc/ssh/sshd_config.
sed -i 's/#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/#PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sshd -t # validate the config before restarting, so a typo cannot leave you without sshd
systemctl restart sshd
If done correctly, root can no longer log in over SSH. On AlmaLinux, sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf and sshd uses the first value it reads for a keyword, so a drop-in there (the installer or cloud-init may create one) overrides what the sed above set; sshd -T | grep -iE 'permitrootlogin|passwordauthentication' shows the values sshd actually uses, and that is the check to run.
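The override problem described above, as an added example that is not part of the guide: a small resolver that reads an sshd_config the way sshd does (Include expanded in place, first value wins), run against a constructed temp layout where an installer drop-in enables root login. Everything here is illustrative (the file names, the 01-permitrootlogin.conf drop-in, the simplifications listed in the comments); on a real host sshd -T is the authoritative check.

```shell
# Added example (not from the guide): resolve the effective value of a global
# sshd_config keyword the way sshd does. "Include" lines are expanded in place
# and the FIRST value obtained wins, so a drop-in in sshd_config.d can silently
# override a setting that sed changed in the main file.
# Assumed simplifications: one path per Include line, "Key=value" syntax is not
# parsed, and a "Match" line ends the global section of the file it appears in.
SSHD_ETC=${SSHD_ETC:-/etc/ssh}   # base for relative Include paths, as in sshd

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print every value found for keyword $2 in file $1 and its includes, in sshd's order.
sshd_values() {
    local file="$1" keyword key val pat inc
    keyword=$(lc "$2")
    [ -r "$file" ] || return 0
    while read -r key val || [ -n "$key" ]; do
        case "$key" in ''|'#'*) continue ;; esac
        case "$(lc "$key")" in
            match)   return 0 ;;
            include) pat=$val
                     case "$pat" in /*) ;; *) pat="$SSHD_ETC/$pat" ;; esac
                     for inc in $pat; do sshd_values "$inc" "$keyword"; done ;;
            "$keyword") printf '%s\n' "$val" ;;
        esac
    done < "$file"
}

# Effective value: the first one obtained, or "unset" when nothing sets it.
sshd_effective() {
    local v
    v=$(sshd_values "$1" "$2" | head -n 1)
    printf '%s\n' "${v:-unset}"
}

# Demo on a constructed layout mimicking an AlmaLinux install: the main file only
# carries the commented default, but an installer drop-in enables root login.
demo() {
    local d
    d=$(mktemp -d) && mkdir "$d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n#PermitRootLogin prohibit-password\n' "$d" > "$d/sshd_config"
    printf 'PermitRootLogin yes\n' > "$d/sshd_config.d/01-permitrootlogin.conf"
    sed -i 's/#PermitRootLogin.*/PermitRootLogin no/' "$d/sshd_config"   # the guide's edit
    echo "after sed on the main file: PermitRootLogin = $(sshd_effective "$d/sshd_config" PermitRootLogin)"
    rm "$d/sshd_config.d/01-permitrootlogin.conf"                        # remove the overriding drop-in
    echo "after removing the drop-in: PermitRootLogin = $(sshd_effective "$d/sshd_config" PermitRootLogin)"
    rm -r "$d"
}
demo
```

The first line of the demo prints "yes" even after the sed, the second prints "no" once the drop-in is gone; the same thing happens for PasswordAuthentication if a drop-in sets it.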
Accessing the root account locally through another account
Even though we went through the trouble of setting up a dedicated admin user, you can still switch into the root account from it by simply executing:
sudo -i
It will prompt you for the admin user's password and then give you a root shell.