By separating the file system into several partitions you can fine-tune permissions and functionality per mount point. This gives you finer-grained permissions and adds a layer of security that any potential bad guy has to work through.
Steve Grubb suggests, and quite rightly so, that areas where users have write privileges be kept on their own partition. This lets you block hard-link privilege-escalation attempts, creative device-node additions, and other unsavoury behaviour.
Disk layout: OS disk with LVM (required) and data disk with LVM (required).

| disk | type | name | size | mount point |
|---|---|---|---|---|
| disk 1 (18GB) | static | /dev/sda1 | 512M | /boot |
| disk 1 | LVM | /dev/mapper/rootvg-root | 2G | / |
| disk 1 | LVM | /dev/mapper/rootvg-usr | 6G | /usr |
| disk 1 | LVM | /dev/mapper/rootvg-var | 2G | /var |
| disk 1 | LVM | /dev/mapper/rootvg-opt | 1G | /opt |
| disk 1 | LVM | /dev/mapper/rootvg-tmp | 2G | /tmp |
| disk 1 | LVM | /dev/mapper/rootvg-home | 2G | /home |
| disk 1 | LVM | /dev/mapper/rootvg-swap | 2G | swap |
| disk 2 | LVM | /dev/mapper/datavg-data | 10G | /data |
Once you have your partitions broken out and sized accordingly, you can restrict the various mount points as much as possible: add nodev, noexec and nosuid wherever possible.
An example of a decently restricted /etc/fstab is below:
```
/dev/mapper/rootvg-root          /              ext4  defaults                      1 1
/dev/sda1                        /boot          ext4  defaults,nosuid,noexec,nodev  1 2
/dev/mapper/rootvg-home          /home          ext4  defaults,nosuid,nodev         1 2
/dev/mapper/rootvg-opt           /opt           ext4  defaults                      1 2
/dev/mapper/rootvg-tmp           /tmp           ext4  defaults,nosuid,noexec,nodev  1 2
/dev/mapper/rootvg-usr           /usr           ext4  defaults                      1 2
/dev/mapper/rootvg-var           /var           ext4  defaults,nosuid               1 2
/dev/mapper/rootvg-swap          swap           swap  defaults                      0 0
/dev/mapper/reposvg-reposlv      /repos         ext4  defaults                      1 2
/dev/mapper/reposvg-repcentoslv  /repos/CentOS  ext4  defaults                      1 2
/dev/mapper/reposvg-weblv        /var/www       ext4  defaults,nosuid,nodev         1 2
```
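As an added example (not part of the original page), the following POSIX sh script audits an fstab against the mount-option policy illustrated above and reports every entry that lacks an expected option. The sample fstab, the policy in expected_opts and the helper names missing_opts and audit_fstab are all constructed for this example; on a real host run audit_fstab /etc/fstab.

```shell
#!/bin/sh
# Audit fstab entries against the nodev/nosuid/noexec policy shown above.
# The sample below is constructed for this example: /home and /tmp are deliberately weak.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real host's fstab
/dev/mapper/rootvg-root  /      ext4  defaults                      1 1
/dev/sda1                /boot  ext4  defaults,nosuid,noexec,nodev  1 2
/dev/mapper/rootvg-home  /home  ext4  defaults                      1 2
/dev/mapper/rootvg-tmp   /tmp   ext4  defaults,nosuid,nodev         1 2
/dev/mapper/rootvg-var   /var   ext4  defaults,nosuid               1 2
/dev/mapper/rootvg-swap  swap   swap  defaults                      0 0
EOF

# Hypothetical policy mirroring the example fstab: options each mount point should carry.
expected_opts() {
    case "$1" in
        /boot|/tmp)      echo "nodev nosuid noexec" ;;
        /home|/var/www)  echo "nodev nosuid" ;;
        /var)            echo "nosuid" ;;
        *)               echo "" ;;
    esac
}

# missing_opts FILE MOUNTPOINT: print the expected options absent from that entry
# (space separated; empty when the entry is compliant or no policy applies).
missing_opts() {
    opts=$(awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1")
    missing=""
    for want in $(expected_opts "$2"); do
        case ",$opts," in
            *",$want,"*) ;;                   # option present
            *) missing="$missing $want" ;;    # option absent
        esac
    done
    echo "${missing# }"
}

# audit_fstab FILE: report every non-comment entry that lacks an expected option.
audit_fstab() {
    f="$1"
    awk '$1 !~ /^#/ && NF >= 4 { print $2 }' "$f" | while read -r mp; do
        m=$(missing_opts "$f" "$mp")
        if [ -n "$m" ]; then echo "$mp is missing: $m"; fi
    done
}

audit_fstab "$SAMPLE"
```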
Add into /etc/profile (HISTTIMEFORMAT is what gives bash timestamped history; EXTENDED_HISTORY is a zsh option that bash ignores):
```
HISTSIZE=10000
EXTENDED_HISTORY=ON
HISTTIMEFORMAT="%F %T "
export HISTSIZE EXTENDED_HISTORY HISTTIMEFORMAT
```
Adapt the yum repositories in /etc/yum.repos.d/ so that the right repositories are reachable.
Add ntp and net-tools (for the ifconfig command), and other utilities:
```
yum -y install chrony
yum -y install gdisk
yum -y install psmisc                  # fuser, killall, pstree...
yum -y install yum-utils               # needs-restarting
yum -y install telnet                  # client only, to debug
yum -y install net-tools               # ifconfig, arp, netstat
yum -y install lsof
yum -y install mlocate                 # locate
yum -y install bind-utils              # host, nslookup
yum -y install open-vm-tools           # VMware Tools
yum -y install sg3_utils               # scsi-rescan, alias for rescan-scsi-bus.sh
yum -y install cpulimit                # limit CPU usage per process
yum -y install nmap-ncat               # nc command
yum -y install system-storage-manager  # ssm list
yum -y install dosfstools              # to mount USB keys in vfat, exfat
yum -y install gpm                     # copy/paste using the mouse (in a terminal)
yum -y install screen                  # start a terminal in the background
```
For NTFS USB keys you can also download and install the ntfs-3g package from EPEL:
http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/n/
On Red Hat and CentOS 7, some services are replaced by newer equivalents:
- NetworkManager.service (network service) instead of network.service
- chronyd.service (NTP service) instead of ntpd.service
- firewalld.service (firewall service) instead of iptables.service and ip6tables.service
```
[root@centos7 ~]# systemctl list-unit-files | egrep -i "firew|Network|chrony|postfix|tables|bluetooth"
chrony-wait.service                 disabled
chronyd.service                     enabled
firewalld.service                   disabled
NetworkManager-dispatcher.service   active
NetworkManager-wait-online.service  active
NetworkManager.service              running
postfix.service                     disabled
network-online.target               static
network.target                      static
iptables.service                    disabled
ip6tables.service                   disabled
bluetooth.service                   disabled
bluetooth.target                    static
```
If it is not required for security purposes, you can disable SELinux and then reboot. SELinux will prevent many actions, such as automatic login for users authenticating with SSH public keys (alternatively, keep it enabled and allow each part you require).
```
[root@centos7 ~]# vi /etc/selinux/config
SELINUX=disabled
```
Reboot now.
Example of disabling/enabling services:
```
[root@centos7 ~]# for i in postfix.service firewalld.service bluetooth.service
> do
>   systemctl disable $i
>   systemctl stop $i
> done
```
For information: postfix is required to forward e-mail.
chronyd.service:
```
[root@centos7 ~]# yum -y install ntp
[root@centos7 ~]# for i in chronyd.service
> do
>   systemctl enable $i
>   systemctl start $i
> done
```
Enable additional useful services if needed:
```
[root@centos7 scripts]# systemctl enable httpd.service
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
[root@centos7 scripts]# systemctl start httpd.service
```
In this example, you could disable rpcbind.service, which is the process listening on port 111:
```
[root@centos7 ~]# netstat -an | grep LIST
tcp        0      0 0.0.0.0:51579           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.22.136:80       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     14412    @ISCSIADM_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     10242    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     16930    @/tmp/dbus-wEGN6K01Pn
unix  2      [ ACC ]     STREAM     LISTENING     16307    /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     17599    /tmp/.ICE-unix/1146
unix  2      [ ACC ]     SEQPACKET  LISTENING     10256    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     15164    /var/run/lsm/ipc/sim
unix  2      [ ACC ]     STREAM     LISTENING     15166    /var/run/lsm/ipc/simc
unix  2      [ ACC ]     STREAM     LISTENING     14413    @ISCSID_UIP_ABSTRACT_NAMESPACE
unix  2      [ ACC ]     STREAM     LISTENING     14414    /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     14417    /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     16306    @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     8042     /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     18796    /run/user/42/pulse/native
unix  2      [ ACC ]     STREAM     LISTENING     1388     /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     17778    /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     14458    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     18556    /var/run/libvirt/libvirt-sock
unix  2      [ ACC ]     STREAM     LISTENING     18558    /var/run/libvirt/libvirt-sock-ro
unix  2      [ ACC ]     STREAM     LISTENING     17598    @/tmp/.ICE-unix/1146
unix  2      [ ACC ]     STREAM     LISTENING     16036    /var/run/abrt/abrt.socket
unix  2      [ ACC ]     STREAM     LISTENING     17418    @/tmp/dbus-0PYMRpYu
unix  2      [ ACC ]     STREAM     LISTENING     16892    @/tmp/dbus-bKDTQeVf
unix  2      [ ACC ]     STREAM     LISTENING     16893    @/tmp/dbus-Skwj1TBB
unix  2      [ ACC ]     STREAM     LISTENING     17543    @/tmp/dbus-qVKMoS2bff
unix  2      [ ACC ]     STREAM     LISTENING     18410    @/tmp/dbus-V9cHUqaM
unix  2      [ ACC ]     STREAM     LISTENING     17419    @/tmp/dbus-9XjDfCN8
[root@centos7 ~]# lsof -i :111
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1243  rpc    7u  IPv4  17780      0t0  UDP *:sunrpc
rpcbind 1243  rpc    9u  IPv4  17782      0t0  TCP *:sunrpc (LISTEN)
[root@lstor2rrd ~]# systemctl list-unit-files | egrep -i "rpc"
var-lib-nfs-rpc_pipefs.mount  static
rpcbind.service               enabled
rpcgssd.service               disabled
rpcidmapd.service             disabled
rpcsvcgssd.service            disabled
rpcbind.socket                enabled
rpcbind.target                static
[root@centos7 ~]# systemctl list-units | egrep -i "rpc"
proc-fs-nfsd.mount            loaded active mounted RPC Pipe File System
var-lib-nfs-rpc_pipefs.mount  loaded active mounted RPC Pipe File System
rpcbind.service               loaded active running RPC bind service
rpcbind.socket                loaded active running RPCbind Server Activation Socket
```
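As an added example (not from the original page), this POSIX sh snippet turns `netstat -an` output like the listing above into two short lists: TCP ports exposed on every address, which are the ones to match against systemd units and disable or firewall, and listeners bound to a single address. The sample lines and the helper names exposed_tcp_ports and local_only_tcp_ports are constructed for the example; on a real host pipe `netstat -an` into the functions.

```shell
#!/bin/sh
# Classify TCP listeners from netstat output: wildcard-bound (0.0.0.0, :: or *)
# versus bound to one address. The sample is constructed, not captured from the host above.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:51579           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.22.136:80       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     14417    /var/run/rpcbind.sock'

# exposed_tcp_ports: read netstat output on stdin, print each wildcard-bound
# TCP port once, numerically sorted (IPv4 and IPv6 listeners on one port merge).
exposed_tcp_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)                     # text after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1) # everything before it
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") print port
        }' | sort -n -u
}

# local_only_tcp_ports: listeners bound to a single address (loopback or one NIC),
# printed as addr:port and sorted.
local_only_tcp_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "::" && addr != "*") print addr ":" port
        }' | sort -u
}

echo "exposed on all interfaces:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_tcp_ports
echo "bound to one address:"
printf '%s\n' "$SAMPLE_NETSTAT" | local_only_tcp_ports
```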
Use the nmcli command to configure the network; install it if required, it is part of NetworkManager.
Check your IP configuration and routes:
```
[root@centos7 sysctl.d]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno16780032: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:50:56:83:33:1e brd ff:ff:ff:ff:ff:ff
    inet 192.168.21.194/24 brd 192.168.21.255 scope global eno16780032
       valid_lft forever preferred_lft forever
[root@lproxymail sysctl.d]# ip route
default via 192.168.21.250 dev eno16780032
169.254.0.0/16 dev eno16780032 scope link metric 1002
192.168.21.0/24 dev eno16780032 proto kernel scope link src 192.168.21.194
```
For information: because of the new network adapter naming convention, you will find interfaces called enp6s0 or enp4s2f0, which does not satisfy everybody.
Example:
```
[root@centos7 ~]# dmesg | grep NIC
[    2.318327] VMware vmxnet3 virtual NIC driver - version 1.1.30.0-k-NAPI
[    2.333886] vmxnet3 0000:0b:00.0 eth0: NIC Link is Up 10000 Mbps
[    3.373209] vmxnet3 0000:0b:00.0 eno16780032: NIC Link is Up 10000 Mbps
```
You can switch back to the old naming convention eth0, eth1, ... by changing the boot parameters (optional):
```
grubby --update-kernel=ALL --args="net.ifnames=0 biosdevname=0"
```
If you are not using the libvirtd service, you may stop and disable it:
```
[root@centos7 ~]# systemctl stop libvirtd.service
[root@centos7 ~]# systemctl disable libvirtd.service
```
On most current operating systems IPv6 is enabled by default. Completely unloading the kernel module is not good practice; it is better to disable IPv6 through sysctl for most applications. Be aware that some applications, such as SELinux, will load the IPv6 module if they need it.
Create the file /etc/sysctl.d/98-disable_ipv6.conf:
```
[root@centos7 ~]# cat /etc/sysctl.d/98-disable_ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
```
To disable it in the running system:
```
[root@centos7 ~]# echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
[root@lstor2rrd ~]# echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
```
or
```
[root@centos7 ~]# sysctl -w net.ipv6.conf.all.disable_ipv6=1
[root@lstor2rrd ~]# sysctl -w net.ipv6.conf.default.disable_ipv6=1
```
If problems with X forwarding are encountered on systems with IPv6 disabled, edit /etc/ssh/sshd_config and make either of the following changes:
(1) Change the line
```
#AddressFamily any
```
to
```
AddressFamily inet
```
(inet is IPv4 only; inet6 is IPv6 only)
or
(2) Remove the hash mark (#) in front of the line
```
#ListenAddress 0.0.0.0
```
Then restart sshd:
```
systemctl restart sshd.service
```
If problems with starting postfix are encountered on systems with IPv6 disabled, edit /etc/postfix/main.cf, comment out the localhost setting and use the IPv4 loopback address instead:
```
#inet_interfaces = localhost
inet_interfaces = 127.0.0.1
```
Edit the file /etc/ntp.conf and comment out the line related to IPv6:
```
# restrict ::1
```
To disable IPv6 for rpcbind (rpcbind, rpc.mountd, rpc.statd), comment out the udp6 and tcp6 lines in /etc/netconfig:
```
udp        tpi_clts      v     inet     udp     -       -
tcp        tpi_cots_ord  v     inet     tcp     -       -
#udp6      tpi_clts      v     inet6    udp     -       -
#tcp6      tpi_cots_ord  v     inet6    tcp     -       -
rawip      tpi_raw       -     inet     -       -       -
local      tpi_cots_ord  -     loopback -       -       -
unix       tpi_cots_ord  -     loopback -       -       -
```
If you prefer chrony to ntpd, create the file /etc/sysconfig/chronyd with the IPv4-only option and restart the related systemd daemon:
```
[root@fedora22 sysconfig]# cat /etc/sysconfig/chronyd
OPTIONS= -4
```
List the current time zone:
```
[root@fedora22 ~]# timedatectl
      Local time: mar. 2015-10-27 14:12:13 CET
  Universal time: mar. 2015-10-27 13:12:13 UTC
        RTC time: mar. 2015-10-27 13:12:14
       Time zone: Europe/Luxembourg (CET, +0100)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: no
 Last DST change: DST ended at
                  dim. 2015-10-25 02:59:59 CEST
                  dim. 2015-10-25 02:00:00 CET
 Next DST change: DST begins (the clock jumps one hour forward) at
                  dim. 2016-03-27 01:59:59 CET
                  dim. 2016-03-27 03:00:00 CEST
```
List the available time zones:
```
[root@dlp ~]# timedatectl list-timezones
...
Pacific/Rarotonga
Pacific/Saipan
Pacific/Tahiti
Pacific/Tarawa
Pacific/Tongatapu
Pacific/Wake
Pacific/Wallis
```
Change the current time zone:
```
[root@dlp ~]# timedatectl set-timezone Pacific/Wallis
```