CentOS 8 Basic Set up
YUM
NAT
SSHD
VISUDO
FIREWALL
Remote Centos8
NetInstall Centos8
LAMP
ClamAv
Samba
GUI & Gnome


YUM update /* check for latest version */

$ yum -y install epel-release

/* time server install chrony https://www.tecmint.com/install-ntp-in-rhel-8 */
$ dnf install chrony
$ systemctl enable chronyd


$ systemctl start chronyd

$ firewall-cmd --permanent --add-service=ntp
$ firewall-cmd --reload
$ dnf -y install wget unzip openssh-clients rsync net-tools lsof curl telnet mailx
$ dnf -y install epel-release yum-utils unzip curl wget bash-completion policycoreutils-python-utils mlocate bzip2

/* Set Hostname and update /etc/hosts file */
$ hostnamectl set-hostname <domain / sub-domain>
$ exec bash
$ vim /etc/hosts

$ yum install -y fuse ntfs-3g
# mount ntfs windows partition
** mount exfat partition
$ yum -y install http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
$ yum -y install exfat-utils fuse-exfat

$ yum install -y ibus-table-quick* ibus-table-cangjie ibus-table-sci
go to "System" --> "Reference" --> "Input Method" --> enable "input method" & select "Use Ibus .... " --> "input method Reference" --> select "Input Method" --> add method
$ dnf -y update; reboot
$ yum --enablerepo=epel -y install filezilla /* install FileZilla */

Set selinux disabled

Note# 1
if the error message "Error: Failed to download metadata for repo 'appstream':" is displayed,
edit all CentOS-* repo files in /etc/yum.repos.d/

$ cd /etc/yum.repos.d/
$ sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
$ sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*


edit /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=8.8.8.8
DNS2=8.8.4.4
PEERDNS=no

edit /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
nameserver 8.8.8.8
nameserver 8.8.4.4
search localdomain

Note# 2
if this error message is displayed :

Problem: conflicting requests
- nothing provides redhat-release >= 8.6 needed by remi-release-8.6-1.el8.remi.noarch

$ dnf -y install centos-release-stream
$ dnf -y swap centos-{linux,stream}-repos
$ dnf -y distro-sync



NAT

/etc/sysconfig/network-scripts/ifcfg-enp2s0 , ifcfg-enp2s0 CentOS 7

# DHCP NAT setting
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp1s0
UUID=6d08c8ee-d2e3-4594-a489-65683a3066a0
DEVICE=enp1s0
ONBOOT=yes



# STATIC IP setting 192.168.1.161
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp2s0
UUID=709cfebb-bed8-40e5-b90d-73bcf38d5889
DEVICE=enp2s0
ONBOOT=yes
IPADDR=192.168.1.161
PREFIX=24
GATEWAY=192.168.1.1
DNS1=203.185.0.35
DNS2=203.185.0.36
IPV6_PRIVACY=no


SSHD
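/etc/ssh/sshd_config

# change port number
Port <port#>
# do not allow root login
PermitRootLogin no
# allow only these users to log in (space-separated list), not root
AllowUsers <username1> <username2>

$ systemctl restart sshd
$ systemctl enable sshd
$ sudo firewall-cmd --add-service=ssh --permanent
/* the firewalld service is named ssh and covers 22/tcp only ; a changed Port has to be opened with --add-port, as in the Firewall section */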

Authorized Keys
Generate the key pair on the remote PC
# ssh-keygen -t rsa -b 4096 /* generate keys */
:) id_rsa and id_rsa.pub are created and saved in <user_home path>/.ssh/ e.g. /home/jame/.ssh/,
:) rename id_rsa.pub to authorized_keys
:) transfer authorized_keys to the SSH server (the private key id_rsa stays on the remote PC)

/****** NOT OK *******************/
SSH server
copy authorized_keys to <user_home path>/.ssh/ e.g. /home/jame/.ssh/authorized_keys
If your SSH folder does not yet exist, create it manually:

$ mkdir ~/.ssh
$ chmod 0700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 0644 ~/.ssh/authorized_keys

edit the sshd_config file ( # vim /etc/ssh/sshd_config ) , change

PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no

systemctl restart sshd

Generate a public key with puttygen for PuTTY

1) "number of bits in a generated key" : 2048 or 4096 , mark the "RSA" option , click "Generate"

2) save the private key on the local PC

3) at the top of puttygen, under "Public key for pasting into OpenSSH authorized_keys file", the box below shows the "ssh-rsa …" text ; copy and paste it directly into a text file

4) edit this text file and remove the newline characters so that the whole key is on one line.
5) move this text file to the SSH server /home/~/.ssh/ , cat id_dsa >> authorized_keys

putty setting :

  • In the Host Name field, enter the IP address of your VPS or its fully qualified domain name

  • Enter the port number in the Port field (for added security, consider changing your server's SSH port to a non-standard port.)

  • Select SSH under Protocol;

  • Along the left-hand side of the window, select the Data sub-category, under Connection;

  • Specify the username that you plan on using, when logging in to the SSH server, and whose profile you're saving, in the Auto-login username field;

  • Expand the SSH sub-category, under Connection;

  • Highlight the Auth sub-category and click the Browse button, on the right-hand side of the PuTTY window;

  • Browse your file system and select your previously-created private key;

  • Return to the Session Category and enter a name for this profile in the Saved Sessions field, e.g. user@123.456.78.9 or user@host.yourdomain.tld;

    /****** NOT OK *******************/
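
sshd uses the first occurrence of each keyword, so a "PermitRootLogin no" added below an existing "PermitRootLogin yes" changes nothing. The check below is an added example, not part of the original notes; the sample file is constructed and the function names sshd_effective and sshd_audit are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
# sshd_effective FILE KEYWORD: print the value sshd would use for KEYWORD.
# sshd keeps the first occurrence of a keyword, ignores keyword case and
# accepts "Keyword value" or "Keyword=value". Parsing stops at the first
# Match block, so only global settings are reported.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            match(line, /^[A-Za-z0-9]+/)
            key = tolower(substr(line, 1, RLENGTH))
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+(#.*)?$/, "", val)
            if (key == "match") exit
            if (key == want) { print val; exit }
        }' "$1"
}

# sshd_audit FILE: one line per setting that differs from what the SSHD
# section sets. Each spec is keyword:wanted:default-when-unset.
sshd_audit() {
    for spec in PermitRootLogin:no:prohibit-password \
                PasswordAuthentication:no:yes PubkeyAuthentication:yes:yes; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(sshd_effective "$1" "$key")
        got=$(printf '%s' "${got:-$def}" | tr 'A-Z' 'a-z')
        [ "$got" = "$want" ] || echo "$key: effective '$got', wanted '$want'"
    done
    [ -n "$(sshd_effective "$1" AllowUsers)" ] || echo "AllowUsers: not set"
}

# Constructed sample: the "no" appended after an earlier "yes" has no effect.
sample_sshd_config() {
    cat <<'EOF'
Port=2222
PermitRootLogin yes
PasswordAuthentication no
# hardening appended later
PermitRootLogin no
EOF
}

tmp=$(mktemp) && sample_sshd_config > "$tmp"
sshd_audit "$tmp"
rm -f "$tmp"
```

On the server, sshd -t checks the file for syntax errors before the restart and sshd -T prints the effective configuration.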


VISUDO
#cd /etc/
#visudo

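/*** find User Aliases ***/ , add line
User_Alias ADMINS = <login_user_name1> , <login_user_name2>, ....

/*** find "Allow root to run any commands anywhere" ***/ , add line (members of ADMINS can then run any command as any user without entering a password)
ADMINS ALL=(ALL) NOPASSWD:ALL

/*** find "Allows people in group wheel to run all commands" ***/ , add line (the leading % makes this rule match a Unix group named ADMINS, not the User_Alias above)
%ADMINS ALL=(ALL) NOPASSWD:ALL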


Firewall ( firewall-cmd )

Firewalld
/etc/firewalld /* path */
/usr/bin/firewall-cmd /* command */

$ firewall-cmd --list-all /*list all port , service , .... setting */

/* temporary (runtime only) DNS port 53 ; no --reload here, because a reload discards runtime-only changes */

$ sudo systemctl start named
$ sudo systemctl enable named
$ sudo firewall-cmd --add-service=dns
$ firewall-cmd --list-all

/* permanent DNS port 53 */

$ sudo firewall-cmd --add-service=dns --permanent
$ sudo firewall-cmd --reload

/*add other port# */
$ sudo firewall-cmd --add-port=8080/tcp --permanent
success
$ sudo firewall-cmd --remove-port=8080/tcp --permanent
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --list-all
public (default, active)
interfaces: ens160
sources:
services: dhcpv6-client dns ssh
ports: 8080/tcp
masquerade: no

recommended services : http https imap ntp pop3 samba smtp ssh


refer link
https://blog.gtwang.org/linux/centos-7-firewalld-command-setup-tutorial/
http://note.drx.tw/2017/09/the-firewalld-on-centos-7.html


Remote CentOS 8 Desktop

if Linux servers don’t have a desktop environment installed
$ dnf groupinstall "Server with GUI"
$ dnf -y install epel-release
$ dnf -y install xrdp
$ systemctl enable xrdp --now
$ systemctl status xrdp
$ systemctl restart xrdp

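Configuring Firewall
/* dedicated zone : RDP is allowed only from 192.168.1.0/24 */
$ firewall-cmd --new-zone=xrdp --permanent
$ firewall-cmd --zone=xrdp --add-port=3389/tcp --permanent
$ firewall-cmd --zone=xrdp --add-source=192.168.1.0/24 --permanent
$ firewall-cmd --reload
/* the next rule opens 3389/tcp in the default zone for every source, which makes the 192.168.1.0/24 restriction of the xrdp zone ineffective ; skip it to keep RDP limited to that subnet */
$ firewall-cmd --add-port=3389/tcp --permanent
$ firewall-cmd --reload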

refer link
https://linuxize.com/post/how-to-install-xrdp-on-centos-8/

Linux client remote access centos 8 desktop - Remmina
https://draculaservers.com/tutorials/install-xrdp-centos/






Network Install CentOS 8

1) Download CentOS 8 Net Install (NetInstall) image
Select mirror here: CentOS 8 x86_64 version

2) Burn CentOS 8 Image to CD and Boot Computer or Create Bootable USB Stick
select iso : CentOS-8-x86_64-1905-boot.iso

3) insert the bootable USB thumb drive in your computer and boot from it , enable LAN adaptor

4) CentOS 8 NetInstall URL (Installation Source)
https://linuxhint.com/install_centos8_netboot_iso/

note : select "http://" and select the URL type as "repository URL" ,
enter the network mirror site : mirror.centos.org/centos/8/BaseOS/x86_64/os/


LAMP Apache MariaDB PHP 8

Apache

$ dnf install httpd httpd-tools mod_ssl
$ systemctl enable httpd
$ systemctl start httpd
$ systemctl status httpd
$ firewall-cmd --permanent --zone=public --add-service=http
$ firewall-cmd --permanent --zone=public --add-service=https
$ firewall-cmd --reload
$ httpd -v
$ rpm -q

Maria DB

$ dnf -y install mariadb-server mariadb
$ systemctl enable mariadb
$ systemctl start mariadb //MariaDB database is running

$ mysql_secure_installation //Start the interactive script by running:
/* Then the prompt will ask you if you want to set a root password. Go ahead and enter Y, and follow the instructions: */
Enter current password for root (enter for none):  
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorization.
New password: password
Re-enter new password: password
Password updated successfully!
Reloading privilege tables.. ... Success!

$ systemctl enable mariadb.service

PHP 8.2

$ dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
$ dnf install epel-release
$ dnf module list php
$ dnf -y install yum-utils
$ dnf module reset php
$ dnf module install php:remi-8.2

$ dnf -y install php php-cli php-common php-mysql php-mysqlnd php-fpm php-gd
$ php -v

/* if necessary, install some common PHP modules that are required by CMS systems like WordPress, Joomla and Drupal */
$ dnf -y install php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel php-zip php-intl

config file /etc/php.ini
$ systemctl restart php-fpm.service
$ systemctl restart httpd

Firewall setting port 80 443 http & https , port 3306 mysql

$ firewall-cmd --permanent --zone=public --add-service=http
$ firewall-cmd --permanent --zone=public --add-service=https
$ firewall-cmd --reload
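/* this opens 3306 to every source in the public zone ; to limit MySQL to one address or range, use only the rich rule further down */
$ firewall-cmd --permanent --zone=public --add-service=mysql
/* Note** check existing services */
$ firewall-cmd --get-services
/* allow a specific source IP or range for a specific port / service */
$ firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="$your_IP_or_class" service name="mysql" accept'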

refer URL
https://www.tecmint.com/install-lamp-on-centos-8/

ClamAV

$ dnf --enablerepo=extras install epel-release
$ dnf -y install clamav clamav-update clamd
/* if this fails or libjson-c.so.4(JSONC_0.14)(64bit) is needed, install e.g. json-c-0.13.1-3.el8.x86_64.rpm FIRST */
download link :
$ wget https://rpmfind.net/linux/centos/8-stream/BaseOS/x86_64/os/Packages/json-c-0.13.1-3.el8.x86_64.rpm
/* end of need JSONC lib */
$ setsebool -P antivirus_can_scan_system 1 /* for selinux */
$ freshclam

configure clamd
locate the ‘LocalSocket’ parameter in /etc/clamd.d/scan.conf file and enable it.
$ sed -i 's/#LocalSocket \/run/LocalSocket \/run/g' /etc/clamd.d/scan.conf
$ sed -i 's/scanner (%i) daemon/scanner daemon/g' /usr/lib/systemd/system/clamd@.service
$ sed -i 's/\/etc\/clamd.d\/%i.conf/\/etc\/clamd.d\/scan.conf/g' /usr/lib/systemd/system/clamd@.service

$ systemctl start clamd@scan
$ systemctl status clamd@scan
$ systemctl enable clamd@scan

$ systemctl start freshclam.service
$ systemctl status freshclam.service
$ systemctl enable freshclam.service


$ clamscan --remove filename
$ clamscan -r directoryname
$ clamscan -r --remove directoryname --log=/path/to/the/log

Samba

installation
$ dnf install samba samba-common samba-client -y

edit config file : vim /etc/samba/smb.conf

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = comfects
security = user

passdb backend = tdbsam

printing = cups
printcap name = cups
load printers = yes
cups options = raw
map to guest = bad user

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[runtime]
comment = Manhing runttime
path = /samba_hdd/runtime
writeable = yes
read only = no
browseable = yes
create mask = 0775
directory mask = 0775
guest ok = yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775


$ testparm /* test the Samba configuration */

create suitable folder for samba
$ systemctl start smb
$ systemctl start nmb
$ systemctl enable smb
$ systemctl enable nmb

SELinux setting
$ setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
$ semanage fcontext -a -t samba_share_t "/samba/share/public(/.*)?"
$ restorecon /samba/share/public

Firewall
$ firewall-cmd --add-service=samba --permanent
$ firewall-cmd --reload
refer URL
https://www.howtoforge.com/how-to-install-samba-server-on-centos-8/
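
The [runtime] share in the smb.conf above combines "guest ok = yes" with "writeable = yes", so unauthenticated clients can write to /samba_hdd/runtime ("map to guest = bad user" turns unknown user names into guest sessions). The script below is an added example, not part of the original notes, that lists such shares in any smb.conf; it goes beyond the page by also handling Samba's synonym parameters, and the function name and the [docs] / [scratch] shares are made up for the sample.

```sh
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
# smb_guest_writable FILE: print "share path" for every share that accepts
# guest connections and allows writes. Handles the synonyms public
# (= guest ok) and writeable / writable / write ok (= inverse of read only);
# the last assignment in a section wins. Assumption: [global] defaults are
# not inherited, the parameters are set per share as on this page.
smb_guest_writable() {
    awk '
        function on(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "on" || v == "1") }
        function report() { if (sect != "" && sect != "global" && guest && !ro) print sect, path }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            report(); sect = tolower($0)
            sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
            guest = 0; ro = 1; path = "-"; next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k == "guestok" || k == "public") guest = on(v)
            else if (k == "readonly") ro = on(v)
            else if (k == "writeable" || k == "writable" || k == "writeok") ro = !on(v)
            else if (k == "path") path = v
        }
        END { report() }' "$1"
}

# Constructed sample: [runtime] as on this page, [docs] and [scratch] invented.
sample_smb_conf() {
    cat <<'EOF'
[global]
map to guest = bad user
[runtime]
path = /samba_hdd/runtime
writeable = yes
guest ok = yes
[docs]
guest ok = yes
[scratch]
path = /srv/scratch
public = yes
read only = yes
writable = yes
EOF
}

tmp=$(mktemp) && sample_smb_conf > "$tmp"
smb_guest_writable "$tmp"
rm -f "$tmp"
```

Each path it prints is worth checking on disk as well, since the Unix permissions of that directory decide what a guest session can actually change.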


Install GUI & Gnome

$ dnf group list
$ dnf -y groupinstall "Server with GUI"
$ systemctl set-default graphical
$ reboot




Copyright© 2025 Xibase Company