Tencent Cloud Server Initialization

This article was last updated on: May 17, 2026 am

Reinstall the OS

📓 Note:

│ When I purchased the server, the latest CentOS version available was only 7.3, but I wanted to use CentOS 7.5. I found it in the image repository (why wasn’t it offered at purchase time?), so I decided to reinstall the OS.

  1. Select the instance, click More, then choose Reinstall OS:

Reinstall OS

  1. Select Public Image -> CentOS -> CentOS 7.5 64-bit -> enter the root password. Click Start Reinstallation. As shown below:

Reinstall OS options

  1. Wait for the reinstallation to complete.

Configure Monitoring and Alerting

  1. Click the Monitoring icon:

Click Monitoring

  1. The following metrics are available, as shown below. Click Set Alert:

    1. CPU
    2. Memory
    3. Bandwidth (internal/external)
    4. Disk IO
    5. Partition usage

Set Alert

  1. Customize the alert policy based on your needs. Example below:

Alert policy

  1. To configure alert notification channels, you need to create a user group first. As shown below (I share the server with others, so creating a user group is necessary):

Create user group

  1. To create a user group, simply use the preset policy — Administrator — for now.

Create user group

  1. Next, associate it with the specific user group.

Associate recipient group

  1. Click Done. The configuration result is shown below (you can disable the default policy):

Alert policy

Create SSH Key and Bind to Instance

  1. In the SSH Key menu, click Create Key:

Create key

  1. Create the key (keep the private key safe and do not share it).

Create key

  1. After creation, shut down the instance first (only a stopped instance can be bound to a key — nice, the shutdown also triggered an alert 👌), then select Bind/Unbind Instance, as shown below:

Bind instance

Security Group Configuration

📓 Note:

│ Similar to firewall rules.

  1. Click Security Group -> Create. As shown below:

Create security group

  1. Select Set Rules Now. Reasons shown below:

Set rules

  1. Associate it with your cloud server instance. As shown below:

Associate with instance

  1. Then configure inbound/outbound rules. Start with inbound rules and select Quick Allow. This opens the following ports:

    1. Linux SSH login: port 22
    2. Windows login: port 3389
    3. Ping: ICMP protocol
    4. HTTP: port 80
    5. HTTPS: port 443
    6. FTP: ports 20 and 21

Quick allow inbound

  1. Add custom rules as needed. For example, allow TCP port 8000:

Custom rule

  1. Finally, configure outbound rules and select Quick Allow. You can refine them later. As shown below:

Quick allow outbound
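
Quick Allow opens RDP (3389) and FTP (20, 21) even on a Linux host that serves neither. The following added example (not part of the original article) reads `ss -tln` output on the server and lists which of the TCP ports opened above have no externally reachable listener, so the matching inbound rules can be removed. The sample output is constructed.

```sh
# Added example, not from the original article.
# On the server:  ss -tln | unused_allowed_ports

# TCP ports opened by Quick Allow plus the custom rule, as listed on this page.
ALLOWED_TCP='22 3389 80 443 20 21 8000'

# Reads `ss -tln` output on stdin and prints every allowed port that has
# no listener bound to a non-loopback address.
unused_allowed_ports() {
    awk -v allowed="$ALLOWED_TCP" '
        $1 == "LISTEN" {
            addr = $4                                   # e.g. *:22, :::22, 127.0.0.1:25
            port = addr; sub(/^.*:/, "", port)          # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # A loopback-only listener is not reachable through the security group.
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") next
            listening[port] = 1
        }
        END {
            n = split(allowed, p, " ")
            for (i = 1; i <= n; i++) if (!(p[i] in listening)) print p[i]
        }'
}

# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128            *:22                 *:*
LISTEN     0      100    127.0.0.1:25                 *:*
LISTEN     0      128            *:8000               *:*
LISTEN     0      128           :::22                :::*'

printf '%s\n' "$SAMPLE_SS" | unused_allowed_ports
```

Port 20 will normally appear in the result: in active-mode FTP the server connects out from it and never listens on it.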

At this point, the console configuration is mostly done. Next, log in to the server for further configuration.

CentOS 7.5 Optimization

User / Login Optimization

Create a Regular User with Public Key Authentication

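  1. Create a regular user: useradd -m casey, then set the password interactively with passwd casey (the -p option of useradd expects an already-hashed password, so a plaintext value does not work and is left in the shell history)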

  2. Set up public key authentication for the regular user (since we already created and bound the SSH key earlier, the public key already exists on the server — just copy it):

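    # useradd -m does not create ~/.ssh, so create it (mode 700) before copying
    mkdir -p -m 700 /home/casey/.ssh && cp /root/.ssh/authorized_keys /home/casey/.ssh/ && chown -R casey:casey /home/casey/.ssh/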
  3. Verify that SSH public key authentication works.

📓 Note:

│ The complete steps for public key authentication are as follows (assuming the account can initially log in with username and password):

│ 1. Create a regular user on the cloud server: useradd -m hellowordomain, then set its password with passwd hellowordomain (useradd -p expects an already-hashed password, not a plaintext one)
│ 2. Generate a key pair on the cloud server using ssh-keygen: ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_tencent_$(date +%Y-%m-%d) -C "tencent key for hellowordomain"
│ 3. Install the public key using ssh-copy-id: ssh-copy-id -i /path/to/public-key-file user@host
│ 4. Verify that SSH public key authentication works.

Configure sudo Privileges for the Regular User

How to add a user to the sudo group on CentOS/RHEL

On CentOS/RHEL and Fedora, users in the wheel group are allowed to execute all commands. Use the usermod command to add user vivek to the wheel group:

$ sudo usermod -aG wheel vivek
$ id vivek

Enable passwordless sudo

# As root user
visudo

# Modify the following content, then save and exit
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

## Same thing without a password
%wheel ALL=(ALL) NOPASSWD: ALL

Test and verify that user vivek can execute commands as root:

sudo -i  # Switch to root user
sudo systemctl status sshd # Check sshd status

sshd_config Hardening

# Disable root login
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
# Note: the stock CentOS/RHEL sshd_config warns that 'UsePAM no' is not supported there
UsePAM no
# Disable password authentication, only allow public key authentication
AuthenticationMethods publickey
PubkeyAuthentication yes
# Disable empty passwords
PermitEmptyPasswords no

Finally, test the sshd_config file and restart/reload the SSH service:

sudo sshd -t
sudo systemctl restart sshd.service
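
`sshd -t` only checks syntax; `sshd -T` prints the settings the daemon will actually apply. The following added example (not part of the original article) compares that output with the values set in the sshd_config block above; the two sample inputs are constructed.

```sh
# Added example, not from the original article: check sshd's effective settings
# against the values set in the sshd_config block above.
# On the server:  sudo sshd -T | audit_sshd

# Expected keyword=value pairs (sshd -T prints keywords in lower case).
EXPECTED='permitrootlogin=no passwordauthentication=no pubkeyauthentication=yes'
EXPECTED="$EXPECTED challengeresponseauthentication=no permitemptypasswords=no"
EXPECTED="$EXPECTED authenticationmethods=publickey"

# Reads `sshd -T` output on stdin, prints one line per deviation,
# and returns 0 only if every expected keyword has the expected value.
audit_sshd() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pair, " ")
            for (i = 1; i <= n; i++) { split(pair[i], kv, "="); want[kv[1]] = kv[2] }
        }
        ($1 in want) { val = $0; sub(/^[^ ]+ +/, "", val); got[$1] = val }
        END {
            bad = 0
            for (k in want) {
                if (!(k in got)) { print "MISSING  " k " (want " want[k] ")"; bad = 1 }
                else if (got[k] != want[k]) { print "MISMATCH " k " = " got[k] " (want " want[k] ")"; bad = 1 }
            }
            exit bad
        }'
}

# Constructed samples in `sshd -T` format (not captured from a real host).
SAMPLE_STOCK='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
challengeresponseauthentication no
permitemptypasswords no
authenticationmethods any
usepam yes'

SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
permitemptypasswords no
authenticationmethods publickey'

printf '%s\n' "$SAMPLE_STOCK" | audit_sshd || echo "stock sample: not hardened"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd && echo "hardened sample: OK"
```

Run the check from a second SSH session and keep the current one open until a fresh key-based login succeeds, so a configuration mistake cannot lock you out.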

Update System and Software

sudo yum upgrade -y  # Upgrade all packages
sudo yum clean all -y # Clean cache

Install and Configure Git

  1. Install Git

    sudo yum install -y --setopt=tsflags=nodocs git
  2. Configure Git

    git config --global user.name "east4ming"
    git config --global user.email "cuikaidong@foxmail.com"
    ssh-keygen -t rsa -b 4096 -C "cuikaidong@foxmail.com" # You can also reuse an existing private key
  3. cat .ssh/id_rsa.pub and copy the output (id_rsa.pub contains the public key).

  4. Open GitHub in your browser, log in, go to account Settings, find SSH on the left sidebar, clean up any unused SSH keys, then create a new one — name it anything you like, paste in all the characters output by cat, and save.

  5. Cache HTTPS credentials:

    $ git config --global credential.helper 'cache --timeout=3600'
    # Set the cache to timeout after 1 hour (setting is in seconds)

Optimize Shell Configuration

Install zsh

sudo yum install -y --setopt=tsflags=nodocs zsh
zsh --version
sudo chsh -s "$(which zsh)" "$USER"  # name the user; a bare "sudo chsh" changes root's shell
# Log out

Install Powerline

pip install powerline-status --user

Install oh-my-zsh

sh -c "$(wget https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh -O -)"
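
The command above executes whatever the `master` branch serves at that moment, with no chance to read it first. As an added example (not part of the original article or of the oh-my-zsh project), the helper below runs a downloaded installer only if it still matches the SHA-256 of the copy you reviewed; the function name and the hash placeholder are assumptions.

```sh
# Added example, not from the original article.
# Workflow on the server (URL is the one used above; the hash is whatever you
# recorded for the copy you reviewed, shown here as a placeholder):
#   wget -O install.sh https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh
#   less install.sh && sha256sum install.sh
#   verify_then_run install.sh <sha256-of-reviewed-copy>

# verify_then_run FILE SHA256
# Runs FILE with sh only when its SHA-256 equals the pinned value.
# Returns 2 if FILE is unreadable, 1 on a hash mismatch, otherwise the
# exit status of the script itself.
verify_then_run() {
    file=$1
    pinned=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$pinned" ]; then
        echo "refusing to run $file: sha256 $actual does not match the pinned value" >&2
        return 1
    fi
    sh "$file"
}
```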

Using Oh My Zsh

│ The following content is from the oh-my-zsh GitHub repository.

Plugins

Oh My Zsh comes with a shitload of plugins to take advantage of. You can take a look in the plugins directory and/or the wiki to see what’s currently available.

Enabling Plugins

Once you spot a plugin (or several) that you’d like to use with Oh My Zsh, you’ll need to enable them in the .zshrc file. You’ll find the zshrc file in your $HOME directory. Open it with your favorite text editor and you’ll see a spot to list all the plugins you want to load.

vi ~/.zshrc

For example, this might begin to look like this:

plugins=(
git
bundler
dotenv
osx
rake
rbenv
ruby
)

Using Plugins

Most plugins (should! we’re working on this) include a README, which documents how to use them.

Themes

We’ll admit it. Early in the Oh My Zsh world, we may have gotten a bit too theme happy. We have over one hundred themes now bundled. Most of them have screenshots on the wiki. Check them out!

Selecting a Theme

Robby’s theme is the default one. It’s not the fanciest one. It’s not the simplest one. It’s just the right one (for him).

Once you find a theme that you’d like to use, you will need to edit the ~/.zshrc file. You’ll see an environment variable (all caps) in there that looks like:

ZSH_THEME="robbyrussell"

To use a different theme, simply change the value to match the name of your desired theme. For example:

ZSH_THEME="agnoster" # (this is one of the fancy ones)
# see https://github.com/robbyrussell/oh-my-zsh/wiki/Themes#agnoster

Note: many themes require installing the Powerline Fonts in order to render properly.

Open up a new terminal window and your prompt should look something like this:

Agnoster theme

In case you did not find a suitable theme for your needs, please have a look at the wiki for more of them.

If you’re feeling feisty, you can let the computer select one randomly for you each time you open a new terminal window.

ZSH_THEME="random" # (...please let it be pie... please be some pie..)

And if you want to pick a random theme from a list of your favorite themes:

ZSH_THEME_RANDOM_CANDIDATES=(
"robbyrussell"
"agnoster"
)