
Note:

• During the overall process of configuring the Linux client, you should be logged in as the root user.
• The Linux configuration process is very involved; make sure that you follow it exactly and do not jump ahead or skip any step.
• Linux configuration is very sensitive; be careful with every component of the syntax and commands, such as spaces, signs, paragraphs, etc.
• If you are not sure about the use of any command, you can type: man command_name; EX: man rm
• This academic tutorial is intended for demonstration only; you may use simple passwords here, but in real practice you should use strong passwords.
• You can skip the yellow highlighted parts.

1. Configure Time Zone


The first thing that we need to do after installing the client OS is to configure time zone.

♦ List all available time zones in CentOS; press q to exit.


[root@centos ~] # timedatectl list-timezones

♦ Set time zone to Asia/Phnom_Penh


[root@centos ~] # timedatectl set-timezone Asia/Phnom_Penh

♦ View current time zone and make sure that Asia/Phnom_Penh is there
[root@centos ~] # ls -l /etc/localtime

2. Configure Date and Time


After configuring time zone, we have to set a correct date and time.

♦ Set a correct date and time on the client according to your current time
[root@centos ~] # date --set "2020-10-25 13:45:30.999"

♦ To view current date and time


[root@centos ~] # date

3. Configure Network Cards


In this case there are 2 network cards:
• ens160 is used for receiving services from the server.
• ens192 is used for accessing the Internet.
The numbers 160 and 192 may differ from one computer to another.

♦ Check the device number and state


[root@centos ~] # nmcli device
♦ Edit the Service network card configuration
[root@centos ~] # vi /etc/sysconfig/network-scripts/ifcfg-ens160
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_FAILURE_FATAL=no
NAME=Service
UUID=(do not change it)
DEVICE=ens160
ONBOOT=yes
IPADDR=192.168.11.12
PREFIX=24
GATEWAY=192.168.11.10
DNS1=192.168.11.10
DOMAIN=vanndy.edu
IPV6_DISABLED=yes

♦ Edit the Internet network card configuration


[root@centos ~] # vi /etc/sysconfig/network-scripts/ifcfg-ens192
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=no
IPV4_FAILURE_FATAL=no
IPV6INIT=no
IPV6_FAILURE_FATAL=no
NAME=Internet
UUID=(do not change it)
DEVICE=ens192
ONBOOT=yes
IPADDR=192.168.88.12
PREFIX=24
IPV6_DISABLED=yes

♦ Restart network service


[root@centos ~] # systemctl restart NetworkManager

♦ Show the devices information


[root@centos ~] # nmcli device show ens160
[root@centos ~] # nmcli device show ens192

♦ Test ICMP by pinging the server's IP addresses and make sure the client can reach the server. Press Ctrl + c to stop.
[root@centos ~] # ping 192.168.11.10
[root@centos ~] # ping 192.168.88.10
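With two cards, a common mistake is giving both of them DEFROUTE=yes, or setting BOOTPROTO=none without a static IPADDR and PREFIX. The helper below is an added example (not part of the original tutorial) that reads ifcfg files and reports those problems before NetworkManager is restarted; write_sample_ifcfg writes constructed sample files modelled on the Service and Internet cards above so it can be tried without touching /etc.

```shell
# ifcfg_get FILE KEY -> value of the last KEY= line in FILE, quotes stripped
ifcfg_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# check_ifcfg FILE... -> prints one problem per line, returns 1 if any found
check_ifcfg() {
    defroutes=0
    problems=0
    for f in "$@"; do
        dev=$(ifcfg_get "$f" DEVICE)
        if [ "$(ifcfg_get "$f" DEFROUTE)" = yes ]; then
            defroutes=$((defroutes + 1))
        fi
        # a static card needs both an address and a prefix length
        if [ "$(ifcfg_get "$f" BOOTPROTO)" = none ]; then
            for k in IPADDR PREFIX; do
                if [ -z "$(ifcfg_get "$f" "$k")" ]; then
                    echo "$dev: BOOTPROTO=none but $k is not set"
                    problems=$((problems + 1))
                fi
            done
        fi
        if [ "$(ifcfg_get "$f" ONBOOT)" != yes ]; then
            echo "$dev: ONBOOT is not yes, the card stays down after reboot"
            problems=$((problems + 1))
        fi
    done
    # exactly one card may own the default route (the Service card here)
    if [ "$defroutes" -ne 1 ]; then
        echo "expected exactly one DEFROUTE=yes across the cards, found $defroutes"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# write_sample_ifcfg DIR -> constructed ifcfg-ens160 / ifcfg-ens192 files
# (sample data modelled on the tutorial, not copied from a real system)
write_sample_ifcfg() {
    printf '%s\n' TYPE=Ethernet BOOTPROTO=none DEFROUTE=yes NAME=Service \
        DEVICE=ens160 ONBOOT=yes IPADDR=192.168.11.12 PREFIX=24 \
        GATEWAY=192.168.11.10 DNS1=192.168.11.10 > "$1/ifcfg-ens160"
    printf '%s\n' TYPE=Ethernet BOOTPROTO=none DEFROUTE=no NAME=Internet \
        DEVICE=ens192 ONBOOT=yes IPADDR=192.168.88.12 PREFIX=24 > "$1/ifcfg-ens192"
}

# On the client itself:
# check_ifcfg /etc/sysconfig/network-scripts/ifcfg-ens160 \
#             /etc/sysconfig/network-scripts/ifcfg-ens192
```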

4. Configure SSH Password Authentication


The SSH service allows a client to log in remotely to a server. It can authenticate clients using a variety of different
methods. SSH password authentication allows us to log in remotely to the SSH server with a username and password.

♦ Edit SSH configuration file


[root@centos ~] # vi /etc/ssh/sshd_config

Note: to go to any line, press line number + gg


♣ Line 43: make sure it is uncommented (remove the #, //, or ; from the beginning of the line) and change the value to yes
PermitRootLogin yes

♣ Line 69: uncomment


PermitEmptyPasswords no

♦ Restart SSH service


[root@centos ~] # systemctl restart sshd

♦ Check the IP addresses of the client


[root@centos ~] # ifconfig
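sshd reads its configuration "first match wins": the first uncommented occurrence of a keyword is the one in effect, and keywords after a Match line apply only to matching sessions, so editing by line number can leave a second, ignored copy behind. The helper below is an added example (not part of the original tutorial) that prints the value sshd will actually use for a keyword; write_sample_sshd writes a constructed fragment with the two settings edited above.

```shell
# sshd_effective FILE KEYWORD -> value in effect, or "default" if not set
sshd_effective() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                   # drop leading whitespace
        /^#/ || /^$/ { next }                    # skip comments and blanks
        { split($0, f, /[ \t=]+/) }              # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }        # conditional block starts: stop
        tolower(f[1]) == tolower(key) { print f[2]; found = 1; exit }  # first wins
        END { if (!found) print "default" }
    ' "$1"
}

# write_sample_sshd FILE -> constructed fragment (not a real sshd_config)
# with the two settings the tutorial edits plus a duplicate sshd ignores
write_sample_sshd() {
    cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
#PermitEmptyPasswords no
PermitEmptyPasswords no
# this second copy is ignored by sshd: the first one above wins
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF
}

# report_sshd FILE -> one line with the two values that matter in section 4
report_sshd() {
    printf 'PermitRootLogin=%s PermitEmptyPasswords=%s\n' \
        "$(sshd_effective "$1" PermitRootLogin)" \
        "$(sshd_effective "$1" PermitEmptyPasswords)"
}

# On the client itself: report_sshd /etc/ssh/sshd_config
```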

5. Remote Login with Password Authentication via PuTTY (Windows OS)


PuTTY is an SSH and telnet client. From Windows, we use it to log in remotely to the Linux client.

♦ Download and install PuTTY from link below


https://drive.google.com/drive/folders/1Yx01RRFZKvQHEUy9WUQ1Dxj4DPEd_amp?usp=sharing
♦ Enter the client's IP address, either 192.168.11.12 or 192.168.88.12, and use port number 22
♦ Accept the connection and enter user root’s password

6. Remote Login with Password Authentication via Terminal (Mac OS and Linux OS)
From Mac OS or Linux OS, we use Terminal to log in remotely to the Linux client.

♦ On Mac, go to System Preferences => Sharing and enable Remote Login

♦ Open Terminal and enter command


ssh root@192.168.11.12

♦ Accept the connection and enter user root’s password


7. Set Hostname
A hostname is a label that is assigned to a device connected to a computer network and is used to identify that
device. In this case:
centosclient is the hostname
vanndy is the domain name
edu is the top-level domain (TLD)

♦ Edit hostname configuration file


[root@centos ~] # vi /etc/hostname

♣ Line 1: enter the host name and domain name


centosclient.vanndy.edu

♦ To view the hostname and some server’s information


[root@centos ~] # hostnamectl

8. Configure Default Offline Repository


Normally, the default repository that the system searches for packages is "CentOS-Base Repo" on the
Internet. But for the CentOS distribution, some of the important packages are already built into the operating
system ISO file, so we do not need to install those packages from the Internet; we only have to point the repository
to the folders "BaseOS" and "AppStream" in the ISO file.
Packages in BaseOS are intended to provide the core set of underlying OS functionality that provides the
foundation for all types of installations.
Packages in Application Stream include user space applications, runtime languages, and databases in support
of varied workloads and use cases.

♦ Create a new folder for backing up current repository lists


[root@centos ~] # mkdir /tmp/Repo

♦ Move the current repository lists to backup folder


[root@centos ~] # mv /etc/yum.repos.d/CentOS-Linux-*.repo /tmp/Repo

♦ Connect the CentOS DVD ISO file to the VM CD ROM


♦ Make a new folder for mounting the CD
[root@centos ~] # mkdir /mnt/Linux

♦ Mount the OS ISO file to the folder /mnt/Linux


[root@centos ~] # mount /dev/cdrom /mnt/Linux

♦ Create a local CentOS repository configuration file


[root@centos ~] # touch /etc/yum.repos.d/CentOS-Local.repo

♦ Edit local CentOS repository configuration file


[root@centos ~] # vi /etc/yum.repos.d/CentOS-Local.repo
[InstallMedia]
name=CentOS Linux 8 - Local
metadata_expire=-1
gpgcheck=1
enabled=1
baseurl=file:///mnt/Linux/BaseOS
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[InstallMedia-AppStream]
name=CentOS Linux 8 - AppStream
metadata_expire=-1
gpgcheck=1
enabled=1
baseurl=file:///mnt/Linux/AppStream
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

♦ Change access permission of the CentOS repository configuration file


[root@centos ~] # chmod 644 /etc/yum.repos.d/CentOS-Local.repo

♦ Clean up YUM repository


[root@centos ~] # yum clean all

♦ Refresh YUM repository


[root@centos ~] # yum repolist

♦ Test by installing a simple package without the Internet connection; EX: Nginx
[root@centos ~] # yum -y install nginx

Note: from now on when we want to install any package, we do not need to connect to the Internet anymore, we
just connect the CentOS DVD ISO file to the VM CD ROM and mount the CD to the folder /mnt/Linux.

9. Install VMWare Tools


VMware Tools needs to be installed in VMs to make them run smoothly inside VMware products.

♦ Uninstall open-vm-tools package


[root@centos ~] # yum remove -y open-vm-tools open-vm-tools-desktop

♦ Install gcc package


[root@centos ~] # yum install -y gcc

♦ Install kernel-devel package


[root@centos ~] # yum install -y kernel-devel
♦ Unmount the OS ISO file from the folder /mnt/Linux
[root@centos ~] # umount /mnt/Linux

♦ For Windows host, go to C:\Program Files (x86)\VMware\VMware Workstation and copy file linux.iso
to the Desktop
♦ For MacOS host, go to /Applications/VMware Fusion.app/Contents/Library/isoimages/linux.iso and
copy file linux.iso to the Desktop
♦ In VMware Workstation or VMware Fusion, VM => Settings…, open CD/DVD menu then change the
ISO file of the CD/DVD and browse to the file linux.iso on the Desktop, then click Connect
♦ Mount the VMware Tools CD into /mnt/Linux
[root@centos ~] # mount /dev/cdrom /mnt/Linux

♦ Extract the file VMwareTools-10.3.23-16594550.tar.gz to the folder /root


Note: the file VMwareTools-10.3.23-16594550.tar.gz may have a different name depending on the version of the
VMware product, so change it accordingly.
[root@centos ~] # tar -zxvf /mnt/Linux/VMwareTools-10.3.23-16594550.tar.gz -C /root

♦ Change the directory to /root/vmware-tools-distrib


[root@centos ~] # cd /root/vmware-tools-distrib

♦ Start to install VMware tools


[root@centos vmware-tools-distrib] # ./vmware-install.pl
Do you still want to proceed with this installation? [no] yes

♦ Follow the instructions to install VMware Tools (just press Enter) until the installation is done
♦ Return to the home directory
[root@centos ~] # cd

♦ Remove the directory /root/vmware-tools-distrib


[root@centos ~] # rm -rf /root/vmware-tools-distrib

♦ Unmount the VMware Tools CD from /mnt/Linux


[root@centos ~] # umount /mnt/Linux

♦ Shutdown the Linux client VM


[root@centos ~] # init 0

♦ In VMware Workstation or VMware Fusion, VM => Settings…, open CD/DVD menu then change the
ISO file of the CD/DVD and browse to the file CentOS-8.4.2105-x86_64-dvd1.iso, then click Connect

10. Install and Configure Vi Improved (VIM)


VIM is an improved version of VI with more features such as GUI support, online help and syntax highlighting.

♦ Edit the CentOS system profile so that vi is an alias for vim


[root@centos ~] # vi /etc/profile

♣ Add to the end of file (EoF)


alias vi='vim'

♦ Load the alias into the current shell


[root@centos ~] # source /etc/profile

♦ Edit the root user's bashrc so that vi is an alias for vim


[root@centos ~] # vi ~/.bashrc

♣ Add to the end of file (EoF)


alias vi='vim'

♦ Load the alias into the current shell


[root@centos ~] # source ~/.bashrc

♦ Create VIM configuration file and set as below


[root@centos ~] # vi ~/.vimrc
set nocompatible
set fileformats=unix,dos
set history=50
set ignorecase
set smartcase
set hlsearch
set incsearch
set number
set list
set showmatch
set wrap
syntax on
highlight Comment ctermfg=LightCyan

♦ Test by editing any configuration file and make sure that VIM feature works
[root@centos ~] # vi /etc/yum.repos.d/CentOS-Local.repo

11. Disable Normal User Using Sudo Command


Limiting users from running the sudo command here means not allowing normal users to use the su command. We do this to
stop users from running sensitive Linux commands and to prevent users from hacking the root user account. Linux
Pluggable Authentication Modules (PAM) provide dynamic authentication support for applications and
services in Linux.

♦ Edit PAM configuration file


[root@centos ~] # vi /etc/pam.d/su

♣ Line 6: uncomment
auth required pam_wheel.so use_uid
♦ Restart the Linux client
[root@centos ~] # init 6

♦ Log in as a normal user; EX: user vanndy. Try using a sensitive Linux command and make sure that
permission is denied; EX: changing the user's password
[vanndy@centos ~] $ sudo passwd vanndy

12. Disable IPV6


IPv6 should be disabled because it is not in use right now; more importantly, it makes the configuration more
complicated and may affect server privacy.

♦ Edit CentOS boot grub configuration file


[root@centos ~] # vi /etc/default/grub

♣ Line 6: add ipv6.disable=1


GRUB_CMDLINE_LINUX="ipv6.disable=1 crashkernel=...

♦ Regenerate the GRUB boot configuration on BIOS firmware


[root@centos ~] # grub2-mkconfig -o /boot/grub2/grub.cfg

♦ Regenerate the GRUB boot configuration on UEFI firmware


[root@centos ~] # grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg

♦ Restart the Linux client, then test with the command below and make sure that no IPv6 module is loaded
[root@centos ~] # lsmod | grep -i ipv6

13. Disable Boot Menu


The boot menu should be disabled to prevent backdoor hacking (resetting user root's password).

♦ Edit CentOS boot grub configuration file


[root@centos ~] # vi /etc/default/grub

♣ Line 1: change from 5 to 0


GRUB_TIMEOUT=0

♦ Regenerate the GRUB boot configuration on BIOS firmware


[root@centos ~] # grub2-mkconfig -o /boot/grub2/grub.cfg

♦ Regenerate the GRUB boot configuration on UEFI firmware


[root@centos ~] # grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg

♦ Restart the Linux client and make sure that boot menu does not appear anymore
[root@centos ~] # init 6

14. Disable Firewall


The firewall should be configured on the gateway, so it is unnecessary to run it on the server. Moreover, the firewall
makes the server configuration more complicated since we need to set a firewall rule for every service.

♦ Check whether the firewall is installed on the Linux client


[root@centos ~] # rpm -qa | grep firewalld

♦ Stop Firewall service


[root@centos ~] # systemctl stop firewalld

♦ Disable Firewall service on boot


[root@centos ~] # systemctl disable firewalld

♦ Restart the Linux client and check whether the firewall service is running
[root@centos ~] # systemctl -t service

♦ Use the command below to see all services installed on server


[root@centos ~] # systemctl list-unit-files -t service

♦ Use the command below to check the status of the firewall service; make sure it is inactive
[root@centos ~] # systemctl status firewalld

15. Disable Security-Enhanced Linux


It is good to disable SELinux (Security-Enhanced Linux) since it sets security restrictions that block some
services from starting. SELinux has 3 modes:
enforcing = enabled
disabled = disabled
permissive = enabled but only logging, not denying access

♦ Show current SELinux (Security-Enhanced Linux) Status


[root@centos ~] # getenforce

♦ Edit SELinux configuration file


[root@centos ~] # vi /etc/selinux/config

♣ Line 7: change from enforcing to disabled


SELINUX=disabled

♦ Restart the Linux client then check the status of SELinux again, and make sure it is disabled
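Sections 12, 13 and 15 edit /etc/default/grub and /etc/selinux/config by line number, which differs between installs. The helpers below are an added example (not part of the original tutorial) that make the same three edits by key, so they can be re-run safely; write_samples writes constructed copies modelled on CentOS 8 defaults so the helpers can be tried without touching /etc. It assumes POSIX sh and awk.

```shell
# set_kv FILE KEY VALUE -> replace the first KEY= line, or append if absent
set_kv() {
    awk -v k="$2" -v v="$3" '
        index($0, k "=") == 1 && !done { print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"  # cat keeps mode/owner
}

# grub_add_param FILE PARAM -> add PARAM to GRUB_CMDLINE_LINUX="..." only once
grub_add_param() {
    cur=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1")
    case " $cur " in
        *" $2 "*) return 0 ;;               # already present: nothing to do
    esac
    if [ -n "$cur" ]; then
        set_kv "$1" GRUB_CMDLINE_LINUX "\"$2 $cur\""
    else
        set_kv "$1" GRUB_CMDLINE_LINUX "\"$2\""
    fi
}

# apply_tutorial_edits GRUB_FILE SELINUX_FILE -> the edits from sections 12, 13, 15
apply_tutorial_edits() {
    set_kv "$1" GRUB_TIMEOUT 0            # section 13: hide the boot menu
    grub_add_param "$1" ipv6.disable=1    # section 12: kernel parameter
    set_kv "$2" SELINUX disabled          # section 15: SELinux mode
    # grub2-mkconfig still has to be run afterwards, as in the text
}

# write_samples DIR -> constructed sample files (not copied from a real system)
write_samples() {
    printf '%s\n' 'GRUB_TIMEOUT=5' 'GRUB_DEFAULT=saved' \
        'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"' \
        'GRUB_ENABLE_BLSCFG=true' > "$1/grub"
    printf '%s\n' '# This file controls the state of SELinux on the system.' \
        'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$1/selinux"
}

# On the client itself: apply_tutorial_edits /etc/default/grub /etc/selinux/config
```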

16. Install and Configure Network Time Protocol (NTP)


NTP is a networking protocol for clock synchronization between computer systems over packet-switched,
variable-latency data networks. NTP is intended to synchronize all participating computers to within a few
milliseconds of Coordinated Universal Time (UTC). In this architecture, the server synchronizes time with the
Internet and all the clients synchronize time with the server.

♦ Install chrony package


[root@centos ~]# yum -y install chrony

♦ Edit chrony configuration file


[root@centos ~]# vi /etc/chrony.conf

♣ Line 3: comment
#pool 2.centos.pool.ntp.org iburst

♣ Add line 4
server www.vanndy.edu

♦ Restart chrony service and enable chrony service on boot


[root@centos ~]# systemctl enable --now chronyd

♦ Use the command below to check that the client synchronizes time with the server


[root@centos ~]# chronyc sources

17. Install and Configure Network File System (NFS) Client


An NFS client can mount a shared folder from the server and use it as local storage.

♦ Install nfs-utils package


[root@centos ~] # yum -y install nfs-utils

♦ Edit idmapd configuration file


[root@centos ~] # vi /etc/idmapd.conf

♣ Line 5: uncomment and change from local.domain.edu to primary.vanndy.edu


Domain = primary.vanndy.edu

♦ Restart rpcbind service


[root@centos ~] # systemctl restart rpcbind

♦ Enable rpcbind service on boot


[root@centos ~] # systemctl enable rpcbind

♦ Make a folder to mount the shared folder from the server


[root@centos ~] # mkdir /root/nfsClient

♦ Mount the /root/nfsServer folder from the server to the /root/nfsClient folder on client
[root@centos ~] # mount -t nfs primary.vanndy.edu:/root/nfsServer /root/nfsClient

♦ If it does not work, try the command below


[root@centos ~] # mount -t nfs 192.168.11.10:/root/nfsServer /root/nfsClient

♦ Check whether the mount succeeded; make sure all the sample folders and files inside the
nfsServer folder appear in the nfsClient folder
[root@centos ~] # ll /root/nfsClient

Note: for Mac OS users, you have to disable the Remote network card first, then log in directly to the server before
testing the commands above. This is a problem with VMware Fusion.
♦ Disable the Remote network card and test the commands above
[root@centos ~] # ifdown ens192

♦ To enable the Remote network card again


[root@centos ~] # ifup ens192

18. Configure LDAP Client


The LDAP client is configured to enable LDAP users to log in to the computers inside the domain controller.
♦ Install OpenLDAP packages
[root@centos ~] # yum -y install openldap-clients nss-pam-ldapd

♦ Enter the command below line by line (the trailing backslashes continue it onto the next line)


[root@centos ~]# authconfig --enableldap \
--enableldapauth \
--ldapserver=primary.vanndy.edu \
--ldapbasedn="dc=vanndy,dc=edu" \
--enablemkhomedir \
--update

♦ Edit Authentication Configuration


[root@centos ~]# authconfig-tui

♦ Test by logging into LDAP user account; EX: user ubuntu


[root@centos ~]# su ubuntu
♦ To log out from user ubuntu back to user root, just exit
[root@centos ~]# exit

19. Configure LDAP GUI Authentication


LDAP users can log in to the computers inside the domain controller with the GUI as well.
♦ Edit authentication method configuration file
[root@centos ~]# vi /etc/sysconfig/authconfig

♣ Line 3: change from no to yes


FORCELEGACY=yes

♦ Reboot the Linux client and configure Authentication Configuration again


[root@centos ~]# authconfig-tui

♦ Test by logging out of the root user (using the GUI), then logging in with any LDAP user on the welcome screen.

20. Configure LDAP Client to Connect over TLS


LDAP can be configured to connect over TLS to enable an encrypted connection.
♦ Change the access permissions of the TLS certificate directory
[root@centos ~]# chmod 644 /etc/openldap/cacerts/

♦ Edit LDAP configuration file to enable TLS


[root@centos ~]# echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf

♦ Edit name service to enable TLS


[root@centos ~]# echo "tls_reqcert allow" >> /etc/nslcd.conf

♦ Enable TLS on Authentication Configuration


[root@centos ~]# authconfig --enableldaptls --update

♦ Configure Authentication Configuration again


[root@centos ~]# authconfig-tui
♦ Try to log in with LDAP users again and make sure you can log in
Note: the difference between an LDAP user and a local user is that an LDAP user cannot use the sudo command.

21. Use Web Admin Console


Cockpit Admin Console is installed with the CentOS 8 Base Environment (Server with GUI) and others. Once it is
enabled, it is possible to manage CentOS from a web browser.
♦ Enable the socket of Cockpit Admin Console
[root@centos ~] # systemctl enable --now cockpit.socket

♦ Check the port number of Cockpit Admin Console; it listens on port 9090
[root@centos ~] # ss -napt

♦ From the Windows client, access https://192.168.11.12:9090


♦ You can configure various settings and also use Terminal
22. Configure VNC Server
Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the Remote Frame Buffer
protocol (RFB) to remotely control another computer. It transmits the keyboard and mouse events from one
computer to another, relaying the graphical screen updates back in the other direction, over a network.
♦ Install tigervnc-server package
[root@centos ~] # yum -y install tigervnc-server

♦ Set VNC password


[root@centos ~] # vncpasswd

♣ Set your own password for VNC server


♦ Enable the VNC service with resolution 800x600 pixels, color depth 24 bit, and port 5903
Note: the VNC ports are reserved from 5901 to 5909; you may use any port you want.
The command vncserver :3 means port 5903.
[root@centos ~] # vncserver :3 -geometry 800x600 -depth 24

♦ After you restart the operating system, you need to enter the command above again to reactivate the VNC service.
Go to the Windows client and configure section 9

23. Configure SSH Port Forwarding


Port forwarding is a way of making a computer on your home or business network accessible to computers
on the Internet, even though they are behind a router. It is commonly used in gaming, security camera setups,
VoIP, and downloading files. It is not secure at all to expose the VNC port 590X directly, so port forwarding must be used.
♦ Forward local port 8081 to port 5903 of localhost
[root@centos ~] # ssh -L 0.0.0.0:8081:localhost:5903 root@localhost
Are you sure you want to continue connecting (yes/no)? yes

♣ Enter user root’s password


♦ Check port 8081
[root@centos ~] # netstat -lnp | grep 8081

♦ Enable VNC service


Note: if you have entered the command below already, no need to enter it again.
[root@centos ~] # vncserver :3 -geometry 800x600 -depth 24

Go to the Windows client and configure sections 10 and 11

24. Configure X11 GUI Port Forwarding


One way to secure the traffic is to tunnel it over SSH using X11 forwarding.
X11 forwarding allows GUI applications of the server to run while their display appears on the client.
♦ Edit SSH configuration file
[root@centos ~] # vi /etc/ssh/sshd_config
♣ Line 109: make sure it is uncommented
X11Forwarding yes

♣ Line 110: uncomment


X11DisplayOffset 10

♦ Restart SSH service


[root@centos ~] # systemctl restart sshd

Go to the Windows client and configure section 12
