Setting Up Your CentOS 10 Stream on VPS: First 10 Essential Steps

Hey there, fellow Linux enthusiast! So you’ve just got your hands on a fresh VPS and decided to go with CentOS 10 Stream. Great choice! Today, I’m going to walk you through the first 10 crucial steps you need to take to get your server up and running securely. I remember my first time setting up a CentOS server – it was both exciting and a bit overwhelming. But don’t worry, I’ll break everything down into easy-to-follow steps that will have your server running smoothly in no time. The best part? We’ll make sure your setup is optimized for search engines right from the start, so your web applications can get the visibility they deserve.

Step 1: Initial System Update and Package Management

Before we dive into any specific configurations, let’s make sure your system is up-to-date with all the latest security patches and updates. This is absolutely crucial for maintaining a secure server environment. Assuming that you have already created a new user with sudo privileges (wheel membership), when you first log into your VPS as a sudoer, you’ll want to update the package manager’s cache and upgrade all installed packages. CentOS 10 Stream uses DNF (Dandified Yum) as its package manager, which makes this process pretty straightforward. The process might take a few minutes, but it’s essential to start with a fully updated system. Think of it as giving your car a full service before a long journey – you want everything in top condition before you start adding customizations.

# Refresh the repository metadata and list the updates that are available
sudo dnf check-update

# Upgrade all installed packages
sudo dnf upgrade -y

# Install essential tools we'll need later (EPEL supplies extra packages such as fail2ban)
sudo dnf install -y epel-release
sudo dnf install -y wget curl nano vim htop screen

Step 2: Configuring a Secure SSH Setup

One of the most critical aspects of server security is properly configuring SSH access. By default, CentOS ships a basic SSH configuration, but we need to tighten it to prevent unauthorized access attempts. We’ll modify the SSH configuration to disable root login, change the default port (to reduce automated attacks), and set up key-based authentication. Two CentOS-specific caveats: the stock sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a drop-in file in that directory (some cloud images add one that turns PasswordAuthentication back on) silently wins over edits made lower down in sshd_config; and with SELinux enforcing, sshd cannot bind a non-default port until that port is labelled (sudo semanage port -a -t ssh_port_t -p tcp 2222, from the policycoreutils-python-utils package). Keep your current session open while you make these changes and confirm that a fresh connection on the new port works before you close it. Remember, your SSH configuration is like your front door – you want it to be as secure as possible while still being convenient for legitimate users.

# First, create a backup of the original SSH config
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

# Generate a new SSH key pair on your local machine (if you haven't already)
ssh-keygen -t ed25519 -C "your_email@example.com"

# Copy your public key to the server
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@your_server_ip

# Now edit the SSH configuration
sudo nano /etc/ssh/sshd_config

Key SSH Configuration Changes:

# Non-default port: cuts the automated scanning noise in your SSH logs and the
# brute-force attempts that come with it (not a security control on its own)
Port 2222
# Disable root login
PermitRootLogin no
# Disable password authentication; keys only
PasswordAuthentication no
# Enable key-based authentication
PubkeyAuthentication yes
# Historical: SSH protocol 1 had known weaknesses. OpenSSH removed it long ago
# and current sshd ignores this keyword, so the line is harmless but redundant
Protocol 2
# Give clients 30 seconds to finish authenticating
LoginGraceTime 30
# Limit authentication attempts per connection
MaxAuthTries 3

# Check the syntax of the edited file, then restart the SSH service to apply changes
sudo sshd -t && sudo systemctl restart sshd
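As an added check that is not part of the original guide, the script below compares what sshd actually runs with the settings above. It reads the output of sshd -T, the effective configuration after all Include drop-ins are resolved, so it catches the first-match problem described earlier; the embedded sample output is constructed, and the file name sshd_audit.py is an assumption.

```python
import sys

# The settings this guide asks for, keyed the way `sshd -T` prints them
# (lowercase keywords). Protocol is left out: current sshd ignores it.
EXPECTED = {
    "port": "2222",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "logingracetime": "30",
    "maxauthtries": "3",
}

# Constructed `sshd -T` output from a half-applied setup: a drop-in under
# /etc/ssh/sshd_config.d/ still wins for some keywords, and port 22 is
# still listed beside 2222.
SAMPLE_SSHD_T = """\
port 22
port 2222
permitrootlogin yes
passwordauthentication no
pubkeyauthentication yes
logingracetime 120
maxauthtries 6
"""

def parse_sshd_t(text):
    """Parse `sshd -T` output into {keyword: [values]}; repeated keywords
    such as several Port lines accumulate in the list."""
    effective = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return effective

def audit(effective, expected=EXPECTED):
    """Return [(keyword, wanted, actual)] for each keyword whose effective
    values are not exactly [wanted]; an empty list means the host complies."""
    return [(key, wanted, effective.get(key, []))
            for key, wanted in expected.items()
            if effective.get(key, []) != [wanted]]

if __name__ == "__main__":
    # Real use: sudo sshd -T | python3 sshd_audit.py ; run interactively, the sample is used
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SSHD_T
    findings = audit(parse_sshd_t(text))
    for key, wanted, actual in findings:
        print(f"{key}: wanted {wanted!r}, effective {actual}")
    sys.exit(1 if findings else 0)
```

The exit status is non-zero on any mismatch, so the script can run from cron or a deployment pipeline as a regression check after every SSH change.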

Step 3: Setting Up Your Firewall

A properly configured firewall is your server’s shield against unwanted traffic. CentOS 10 Stream comes with firewalld, which is a dynamic firewall manager. We’ll set up basic rules to allow only the services we need while blocking everything else. This creates a secure baseline that you can build upon as you add more services to your server. Think of your firewall as a bouncer at a club – it needs to know exactly who to let in and who to keep out.

# Ensure firewalld is installed and running
sudo dnf install -y firewalld
sudo systemctl enable firewalld
sudo systemctl start firewalld

# Configure basic firewall rules. The new SSH port is opened before the
# default ssh service is removed, so an open session is never cut off.
sudo firewall-cmd --permanent --add-port=2222/tcp  # New SSH port
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --remove-service=ssh  # Remove default SSH port (22)

# Reload firewall to apply changes, then review the active rule set
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Step 4: Implementing Fail2Ban for Enhanced Security

Fail2Ban is an intrusion prevention system that protects your server from brute-force attacks. It monitors log files and temporarily bans IPs that show malicious signs. Setting up Fail2Ban is like having an automated security guard that watches for suspicious activity and takes action before it becomes a problem. The tool is particularly effective at preventing automated attacks that might try to guess your SSH credentials.

# Install Fail2Ban
sudo dnf install -y fail2ban

# Create a local configuration file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# Edit the configuration
sudo nano /etc/fail2ban/jail.local

Basic Fail2Ban Configuration:

# Keep comments on their own lines: Fail2Ban only treats an inline ";" as a
# comment when whitespace precedes it, otherwise it becomes part of the value
[DEFAULT]
# Ban for 24 hours (adjust as needed); the stock default is 10 minutes
bantime = 86400
# Count failures within a 1 hour window (adjust as needed)
findtime = 3600
maxretry = 3

[sshd]
enabled = true
# Or the port you're using (port = ssh if you kept the default)
port = 2222
filter = sshd
# /var/log/auth.log on Debian/Ubuntu
logpath = /var/log/secure
# Example: whitelist your own address and trusted networks (replace these)
ignoreip = 192.168.1.0/24 10.0.0.0/8

# Start and enable Fail2Ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Confirm the jail is active and watching the right log
sudo fail2ban-client status sshd

Here’s what each setting does and why it is recommended:

  • enabled = true: Required. The stock jail.conf sets enabled = false in [DEFAULT], so a jail does nothing until you enable it in jail.local.
  • port = 2222: The port that Fail2Ban’s ban action blocks for an offending address (Fail2Ban reads the log, it does not listen on the port). Make sure this matches the actual SSH port you’re using. If you haven’t changed the port, use port = ssh or port = 22; port = ssh is generally preferred because it follows the service definition rather than a hard-coded number.
  • filter = sshd: The filter used to parse the log. The sshd filter is pre-defined and designed for OpenSSH log messages.
  • logpath = /var/log/secure: The usual path for SSH logs on CentOS/RHEL, where rsyslog writes the authpriv facility. On Debian/Ubuntu systems it’s typically /var/log/auth.log. Double-check the path for your system: the SyslogFacility directive in /etc/ssh/sshd_config (AUTHPRIV by default) together with your rsyslog rules determines where the messages land. On a system without rsyslog the file may not exist at all; in that case set backend = systemd in the jail and Fail2Ban reads the journal directly.
  • maxretry = 3: Three failed attempts within findtime are a good indicator of a brute-force attempt.
  • bantime = 86400 (24 hours): Much longer than the default of 10 minutes. A longer ban makes brute-force attacks far less effective. You can adjust this as needed, but 24 hours is a good starting point for SSH.
  • findtime = 3600 (1 hour): The window within which maxretry failures must occur to trigger a ban. A longer findtime catches attempts that are spread out over a longer period; 1 hour is a good value for SSH.
  • ignoreip = 192.168.1.0/24 10.0.0.0/8: Highly recommended. It whitelists addresses that must never be banned. Always whitelist your own IP address and any trusted networks so that you cannot lock yourself out of your server. Replace the example ranges with your actual trusted networks; individual addresses and CIDR blocks (like the examples) are both accepted.
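To make the interplay of maxretry, findtime, bantime and ignoreip concrete, here is an added simulation (not part of the original guide and not Fail2Ban’s own code) that applies the sshd jail’s rule to a constructed /var/log/secure excerpt; the file name f2b_sim.py and the log year are assumptions.

```python
import ipaddress
import re
import sys
from datetime import datetime, timedelta

# Jail settings from the jail.local above (findtime and bantime in seconds)
MAXRETRY, FINDTIME, BANTIME = 3, 3600, 86400
IGNOREIP = ["192.168.1.0/24", "10.0.0.0/8"]

# Constructed /var/log/secure excerpt in rsyslog format; the addresses are
# from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 12 03:00:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:01:00 vps sshd[2102]: Failed password for alice from 10.0.0.15 port 60000 ssh2
Jan 12 03:05:00 vps sshd[2103]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Jan 12 03:10:02 vps sshd[2104]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 12 03:20:03 vps sshd[2105]: Accepted publickey for deploy from 192.168.1.20 port 50000 ssh2
Jan 12 03:20:03 vps sshd[2106]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jan 12 05:30:00 vps sshd[2107]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2
Jan 12 05:40:00 vps sshd[2108]: Failed password for invalid user oracle from 198.51.100.7 port 40003 ssh2
"""
FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                       r"for (?:invalid user )?\S+ from (?P<ip>[0-9.]+) port \d+ ssh2$")

def parse_ts(stamp, year=2025):
    """syslog stamps carry no year, so a fixed one is assumed for the sample."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def simulate(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME, ignoreip=IGNOREIP):
    """Apply the jail's sliding-window rule; return {ip: ban_expiry} for each banned address."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    recent, bans = {}, {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                                    # not a failed-login event
        ip, ts = m["ip"], parse_ts(m["ts"])
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue                                    # whitelisted by ignoreip
        # keep only failures still inside the findtime window, then add this one
        window = [t for t in recent.get(ip, []) if (ts - t).total_seconds() <= findtime]
        recent[ip] = window + [ts]
        if len(recent[ip]) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)  # ban lasts bantime
            recent[ip] = []
    return bans

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, until in sorted(simulate(text).items()):
        print(f"{ip} banned until {until:%b %d %H:%M:%S}")
```

Run it as python3 f2b_sim.py /var/log/secure to replay a real log; with no argument it uses the sample, where 203.0.113.5 is banned on its third failure while 198.51.100.7 never is because its first failure has aged out of the 1 hour window.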

Step 5: Optimizing System Performance

Now that we have our basic security in place, let’s optimize the system for better performance. This includes adjusting the kernel parameters, configuring system resources, and setting up proper swap space. These optimizations will help your server handle load more efficiently and provide better response times for your applications. Think of this step as fine-tuning your server’s engine for optimal performance.

# Configure kernel parameters for better performance
sudo nano /etc/sysctl.conf

Add these performance optimizations:

# Increase system file descriptor limit. Check the current value first
# (sysctl fs.file-max): the kernel sizes it from RAM, and on most systems the
# default is already far higher, in which case this line would lower it
fs.file-max = 65535

# Optimize network settings (listen and SYN backlog sizes for a busy web server)
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.core.netdev_max_backlog = 65535

# Optimize virtual memory settings: prefer dropping page cache over swapping
# out processes, and keep directory and inode caches around longer
vm.swappiness = 10
vm.vfs_cache_pressure = 50

# Apply the changes
sudo sysctl -p

# Set up proper swap space (if not already configured)
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

# Make the swap file persist across reboots
echo '/swapfile none swap defaults 0 0' | sudo tee -a /etc/fstab

Step 6: Setting Up System Monitoring

Monitoring your server’s health is crucial for maintaining optimal performance and catching issues before they become problems. We’ll set up basic monitoring tools that will help you keep track of system resources, performance metrics, and potential issues. This is like having a dashboard in your car that shows you all the important metrics you need to know about your engine’s performance.

# Install monitoring tools
sudo dnf install -y nethogs iotop sysstat

# Configure system statistics collection
sudo systemctl enable sysstat
sudo systemctl start sysstat

# Edit the sysstat configuration
sudo nano /etc/sysconfig/sysstat

Basic Monitoring Configuration:

# On CentOS the collector is driven by the sysstat-collect.timer and
# sysstat-summary.timer units, which "systemctl enable sysstat" above enables
# as well; this ENABLED switch is only read by Debian-style packages and is
# ignored here, so it does no harm but is not what turns collection on
ENABLED="true"

# Set history data retention (in days)
HISTORY=28

# Compress data files older than this many days
COMPRESSAFTER=10

Step 7: Implementing Automatic Security Updates

Keeping your system updated is crucial for security, but manually updating can be time-consuming. We’ll set up automatic security updates to ensure your system stays protected against known vulnerabilities. This is like having an automatic immune system that keeps your server protected against new threats as they emerge.

# Install dnf-automatic
sudo dnf install -y dnf-automatic

# Configure automatic updates
sudo nano /etc/dnf/automatic.conf

Automatic Update Configuration:

[commands]
upgrade_type = security
download_updates = yes
apply_updates = yes

[emitters]
system_name = your-server-name
# email needs a local MTA listening on email_host; if none is installed,
# use emit_via = stdio so the report goes to the journal instead
emit_via = email

[email]
email_from = root@localhost
email_to = your-email@domain.com
email_host = localhost

# Enable and start the timer (it applies updates because apply_updates = yes)
sudo systemctl enable --now dnf-automatic.timer

Step 8: Setting Up Backup System

Regular backups are essential for any production server. We’ll configure an automated backup system that ensures your important data is safely stored and easily recoverable. Bear in mind that the script below copies the system into a directory on the same VPS: that protects you from mistakes and bad upgrades, not from disk failure, provider problems or an intruder who wipes the host, so put /backup on a separate volume or sync it off the server (duplicity, installed below, does encrypted remote backups). Think of this as your server’s insurance policy – you hope you never need it, but you’ll be grateful to have it if something goes wrong.

# Install backup tools
sudo dnf install -y rsync duplicity

# Create backup script
sudo nano /usr/local/bin/backup.sh

Basic Backup Script:

#!/bin/bash
# Runs as root from root's crontab, so no sudo is needed inside the script
set -u

# Set backup destination
BACKUP_DIR="/backup"
DATE=$(date +%Y-%m-%d)

# Create backup directory structure
mkdir -p "$BACKUP_DIR/$DATE"

# Ensure backup directory was created
if [ ! -d "$BACKUP_DIR/$DATE" ]; then
    echo "Error: Backup directory $BACKUP_DIR/$DATE was not created."
    exit 1
fi

# Backup important directories while excluding the backup folder itself
# and the pseudo-filesystems that must never be copied
rsync -aAXv \
    --exclude="$BACKUP_DIR" \
    --exclude="/dev/*" --exclude="/proc/*" --exclude="/sys/*" \
    --exclude="/tmp/*" --exclude="/run/*" --exclude="/mnt/*" \
    --exclude="/media/*" --exclude="/lost+found" \
    / "$BACKUP_DIR/$DATE"

# Keep the 7 newest daily backups, selected by the date in the directory name.
# Do not rotate on mtime: rsync -a preserves modification times, so a freshly
# written backup (and directories inside it) can carry mtimes older than 7
# days and would be deleted by "find -mtime +7" right after being created.
ls -1d "$BACKUP_DIR"/????-??-??/ | sort | head -n -7 | xargs -r rm -rf

# Make the script executable
sudo chmod +x /usr/local/bin/backup.sh

# Create a cron job for automated backups
sudo crontab -e

Add this line to run backup daily at 2 AM:

0 2 * * * /usr/local/bin/backup.sh

Step 9: Optimizing for SEO

Now that we have our server running securely and efficiently, let’s optimize it for search engines. This includes setting up proper server headers, enabling compression, and configuring caching. These optimizations will help search engines better index your content and improve your site’s loading speed, which is a crucial factor in SEO rankings.

# Install and configure Apache (if you're using it)
sudo dnf install -y httpd mod_ssl

# Enable and start Apache
sudo systemctl enable httpd
sudo systemctl start httpd

# Create optimization configuration
sudo nano /etc/httpd/conf.d/optimization.conf

SEO Optimization Configuration:

# Enable compression
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

# Set browser caching
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/pdf "access plus 1 month"
    ExpiresByType text/x-javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType application/x-javascript "access plus 1 month"
    ExpiresByType application/x-shockwave-flash "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresDefault "access plus 2 days"
</IfModule>

# Check the syntax, then load the new configuration
sudo apachectl configtest
sudo systemctl reload httpd

Step 10: Setting Up Monitoring and Analytics

Finally, let’s set up proper monitoring and analytics to track your server’s performance and visitor behavior. This will help you make data-driven decisions about optimizing your content and server configuration. It’s like having a detailed map of how visitors interact with your site and how your server handles the load.

# Install Matomo (open-source analytics)
sudo dnf install -y php php-mysqlnd php-gd php-xml mariadb-server

# Start and enable MariaDB
sudo systemctl enable mariadb
sudo systemctl start mariadb

# Secure MariaDB installation
sudo mysql_secure_installation

# Create database for Matomo
sudo mysql -u root -p

Database Setup Commands:

CREATE DATABASE matomo;
-- Replace your_password with a long, randomly generated password
CREATE USER 'matomo'@'localhost' IDENTIFIED BY 'your_password';
GRANT ALL PRIVILEGES ON matomo.* TO 'matomo'@'localhost';
FLUSH PRIVILEGES;
EXIT;


Disclaimer: This guide is provided “as is” without warranty of any kind, either expressed or implied. While we strive to provide accurate and up-to-date information, server configurations can vary based on specific requirements and use cases. Always test configurations in a development environment before applying them to production servers. If you notice any inaccuracies or have suggestions for improvements, please report them to our editorial team at info@felixrante.com.
