Here is a guide for how I configure CentOS 7 server installations. I am making a set of new Virtual Machines and thought it would be a good time to document it. I will assume a hypervisor setup where you are provisioning this as a VM and have the ability to create multiple virtual hard drives.

This is really more for my own reference than anything. However, someone else may find it useful.

Install from media

- Create a VM of the desired specifications with a 40GB system drive -- other drives for other partitions can be created and mounted later
- Utilize the CentOS 7 DVD ISO installation media and boot to the installer
- System -> Installation Destination
  - Accept the automatic partitioning (Click 'Done')
- System -> Network and Host Name
  - Leave hostname as the default ("localhost.localdomain")
  - Click 'Configure...' under Ethernet (eth0)
  - Navigate to IPv4 settings
  - Method: Manual
  - Add an IPv4 address / netmask / gateway
  - Add DNS servers as comma separated values (I often use OpenDNS: '188.8.131.52,184.108.40.206')
  - Add the relevant search domain
  - Save
  - Click the 'On/Off' button next to Ethernet
  - Click 'Done'
- Localization -> Date & Time
  - Region: Etc
  - City: Coordinated Universal Time
  - Network time: On
  - Click the gear icon next to Network Time to ensure that NTP servers are configured and working
  - Click 'Done'
- Leave the rest of the defaults
  - Installation Source: Local media
  - Software Selection: Minimal Install
- Click 'Begin Installation'
- Click User Settings -> Root Password, and set the root user's password
  - Utilize a randomly generated 20 character password containing upper case, lower case, digits, and symbols
- If the server will be a standalone server (e.g. no LDAP / AD authentication), utilize User Settings -> User Creation, and add your local user
  - Select 'Make this user administrator' to allow sudo access

Post-install setup

After finishing with the installer, further steps will be necessary to bring the system to a usable state.
Some of these are basic patching and updating steps, and some are workarounds for the idiosyncrasies of a SystemD based distribution. Further thoughts on SystemD components are below.

Packages and services

- Log in as the root user
- Perform the following to update system base RPMs and install some core utilities:

Code:
    yum -y update
    yum -y install zsh.x86_64 rsyslog.x86_64 policycoreutils-python.x86_64 epel-release.noarch

- Disable avahi and the horrid NetworkManager (avahi-daemon may or may not be enabled by default depending on the release version, so ignore errors):

Code:
    systemctl disable NetworkManager
    systemctl disable avahi-daemon

- Turn on old style networking and syslog:

Code:
    systemctl enable network rsyslog

Networking

- Establish /etc/sysconfig/network:

Code:
    NETWORKING=yes
    HOSTNAME=[hostname]
    IPV6_DEFAULTDEV=eth0
    IPV6_DEFAULTGW=[v6 gateway]

- Set /etc/hostname, e.g.: echo [hostname] > /etc/hostname
- Establish /etc/sysconfig/network-scripts/ifcfg-eth0:

Code:
    DEVICE=eth0
    BOOTPROTO=none
    IPADDR=[IPv4 host address]
    NETMASK=[IPv4 netmask]
    NETWORK=[IPv4 network address]
    GATEWAY=[IPv4 gateway]
    IPV6ADDR=[IPv6 address]
    ONBOOT=yes
    NAME=uplink
    DEFROUTE=yes
    IPV6INIT=yes
    IPV6_AUTOCONF=no
    USERCTL=no

SSH

- Edit /etc/ssh/sshd_config to increase SSH security (vi /etc/ssh/sshd_config)
  - Select a non-standard SSH port and uncomment/change the Port line, e.g.: Port 4422
  - Uncomment/change the PermitRootLogin line to disable root logins, e.g.: PermitRootLogin no
  - Save the file and exit the editor
- Use semanage to allow SSHd (via SELinux) to bind to the non-standard port, e.g. semanage port -a -t ssh_port_t -p tcp 4422
- Add a FirewallD service for the new SSH port in /etc/firewalld/services/hissh.xml, e.g.:

Code:
    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>hissh</short>
      <port protocol="tcp" port="4422"/>
    </service>

Firewalling

- Set the default firewall zone: firewall-cmd --set-default-zone=public
- Place eth0 in the public zone: firewall-cmd --permanent --zone=public --change-interface=eth0
- Remove out of the box allowed services: firewall-cmd --permanent --remove-service=ssh --remove-service=dhcpv6-client
- Allow your management subnets (e.g. 220.127.116.11/24, 18.104.22.168/28) to contact SSH:

Code:
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="22.214.171.124/24" service name="hissh" accept'
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="126.96.36.199/28" service name="hissh" accept'

CentOS 7 changes

There are three major new components in CentOS 7: NetworkManager, firewalld, and systemd. There are also some miscellaneous changes such as in device naming for Ethernet ports and the removal of the deprecated ifconfig utility (replaced by ip).

NetworkManager

NetworkManager is almost completely useless. It doesn’t support much more than static addresses or DHCP on an Ethernet interface, and even these are kind of slow to come up sometimes and a pain to configure. No good support for even mildly off-the-path networking (link aggs, bridges, loopbacks). Despite being the out-of-the-box default way of doing networking in RHEL/CentOS 7 and part of the SystemD ecosystem, it seems that it was only built with desktops and laptops in mind. Thankfully the legacy networking method (/etc/sysconfig/network-scripts) is still available and can be re-enabled by disabling the NetworkManager service (systemctl disable NetworkManager) and enabling the network service (systemctl enable network).
Alternatively, it can be disabled/enabled completely on a per-interface basis by using the NM_CONTROLLED variable in the relevant ifcfg configuration file.

Verdict on NetworkManager: disable it completely.

FirewallD

FirewallD is a bit different and has some desktop-y features that it could do without (e.g. placing interfaces in zones). However, it is actually fairly easy to work with and simplifies the configuration of iptables if you don’t need complex rules (just want to enable/disable certain service ports). Past that you can also insert direct rules, although you have to play around a bit to order them, or use its native syntax, but it isn’t really lending you much over just using the old iptables file. However, it is part of the whole SystemD universe and it’s likely the old firewall scripts (while still available) will be deprecated soon.

Verdict on firewalld: live with it.

SystemD

The base SystemD is actually not too bad to deal with and does give some nice extra info on running processes. Creating new service entries is less work than creating old init scripts. There are a lot of general concerns about feature bloat and the direction of the project, but unfortunately there aren’t any serious alternative options if you want to use a modern stable/enterprise Linux distribution.

Notably besides replacing SysV Init functionality, the SystemD project also has tentacles into the system console, networking (networkd/networkmanager, firewalld, aspires to replace DHCPd), NTP (aspires to replace standalone NTP daemon), and logging (journald/no more syslog). It also comes with a slew of dependencies you wouldn’t otherwise normally need. To get system logs back into traditional text syslog format you need to run a local syslog daemon (e.g. rsyslog).

Verdict on SystemD: install rsyslog and live with it.
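
The SSH steps above put the same port number in three places: sshd_config, the SELinux ssh_port_t label, and the firewalld service file. The script below is an added example, not part of the original guide, that checks all three agree and that root login is disabled. The function names and the sample inputs are constructed for illustration, and the SELinux labels are assumed to be saved from `semanage port -l`.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that sshd_config, the
# SELinux ssh_port_t label and the firewalld service file agree on the SSH port.

# First uncommented Port value in an sshd_config; sshd defaults to 22.
sshd_port() {
  awk 'tolower($1) == "port" { print $2; f = 1; exit } END { if (!f) print 22 }' "$1"
}

# Succeeds only when an uncommented "PermitRootLogin no" is set.
root_login_disabled() {
  awk 'tolower($1) == "permitrootlogin" { v = tolower($2); exit }
       END { exit (v == "no" ? 0 : 1) }' "$1"
}

# Port number from the <port .../> element of a firewalld service file.
service_port() {
  sed -n 's/.*<port[^>]*port="\([0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Reads `semanage port -l` output on stdin; succeeds if ssh_port_t covers tcp/$1.
selinux_allows_ssh() {
  awk -v p="$1" '$1 == "ssh_port_t" && $2 == "tcp" {
         for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) ok = 1 } }
       END { exit (ok ? 0 : 1) }'
}

# Args: sshd_config, firewalld service XML, saved `semanage port -l` output.
check_ssh_hardening() {
  rc=0; port=$(sshd_port "$1")
  root_login_disabled "$1" || { echo "FAIL: root login not disabled"; rc=1; }
  [ "$(service_port "$2")" = "$port" ] || { echo "FAIL: firewalld service port is not $port"; rc=1; }
  selinux_allows_ssh "$port" < "$3" || { echo "FAIL: ssh_port_t lacks tcp/$port"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: sshd, SELinux and firewalld agree on tcp/$port"
  return "$rc"
}

# Constructed sample inputs mirroring the values used in this guide.
SAMPLE=$(mktemp -d)
printf '#Port 22\nPort 4422\nPermitRootLogin no\n' > "$SAMPLE/sshd_config"
printf '<service>\n<short>hissh</short>\n<port protocol="tcp" port="4422"/>\n</service>\n' > "$SAMPLE/hissh.xml"
printf 'ssh_port_t                     tcp      4422, 22\n' > "$SAMPLE/ports.txt"
check_ssh_hardening "$SAMPLE/sshd_config" "$SAMPLE/hissh.xml" "$SAMPLE/ports.txt"
```

On a real host, pass /etc/ssh/sshd_config, /etc/firewalld/services/hissh.xml and a file holding the output of `semanage port -l`. Run it before restarting sshd, since a missing SELinux label or firewalld service on the new port is what locks you out of a remote VM.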