This tutorial explains how to set up and use an SFTP server on
CentOS. Before I start, let me explain what SFTP actually is and
what it is used for. Most people know that plain FTP can be used to
transfer, download or upload data from a server to a client or from a
client to a server. But plain FTP sends the login credentials and the
file contents in cleartext (unless FTPS, i.e. FTP over TLS, is used), so
anyone who can observe the traffic can capture them, and its separate
data connections make it awkward to firewall. SFTP was therefore
introduced as an alternative that strengthens the security level.
SFTP stands for SSH File Transfer Protocol (often also called Secure File
Transfer Protocol). It is not FTP tunnelled through SSH but a separate
file-transfer protocol that runs as a subsystem inside an SSH connection,
so it inherits SSH's authentication and encryption and needs only the
SSH port (22 by default) to be reachable.
1. Preliminary Note
For this tutorial, I am using CentOS 7 in the 64-bit version.
The same steps will work on CentOS 6 as well. The result of the tutorial
is a client that can access the SFTP server but cannot log in to the
server itself with an interactive SSH shell.
2. SFTP Installation
Unlike normal FTP, there is no need to install additional
packages in order to use SFTP. We only need the openssh-server package
(sshd), which is normally installed by default during the CentOS
installation. Therefore, just check that the required SSH package is
already present. Below are the steps:
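The following is an added example of the SFTP-only setup this tutorial aims at; it is not the tutorial's own steps. It assumes a group named sftponly, a chroot base directory /srv/sftp and an sshd_config path passed as an argument (so the functions can be tried on a copy of the file first). The user and directory layout in create_sftp_user are illustrative choices.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): give users in one
# group SFTP-only access inside a chroot, with no interactive SSH shell.
# Assumed names: group "sftponly", chroot base /srv/sftp.

# Print the sshd_config Match block for the SFTP-only group.
# ForceCommand internal-sftp replaces the user's shell with the in-process
# SFTP server, so the login shell is never started.
render_sftp_match_block() {
    group="$1"; chroot_base="$2"
    cat <<EOF
Match Group $group
    ChrootDirectory $chroot_base/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Append the Match block to the given sshd_config once (idempotent).
# Match blocks must come last: every directive after "Match" belongs to
# that block until the next "Match" line.
apply_sftp_only() {
    conf="$1"; group="$2"; chroot_base="$3"
    if grep -q "^Match Group $group\$" "$conf"; then
        return 0
    fi
    # Use the in-process SFTP implementation; it works inside a chroot
    # that contains no binaries at all.
    if grep -q '^Subsystem[[:space:]][[:space:]]*sftp' "$conf"; then
        sed -i 's|^Subsystem[[:space:]][[:space:]]*sftp.*|Subsystem sftp internal-sftp|' "$conf"
    else
        echo 'Subsystem sftp internal-sftp' >> "$conf"
    fi
    render_sftp_match_block "$group" "$chroot_base" >> "$conf"
}

# sshd refuses a chroot login unless every component of ChrootDirectory is
# owned by root and is neither group- nor world-writable. Return 0 if the
# given directory's mode has no group/other write bit.
chroot_mode_ok() {
    dir="$1"
    mode=$(stat -c '%a' "$dir")
    len=${#mode}
    group_digit=$(printf '%s' "$mode" | cut -c"$((len - 1))")
    other_digit=$(printf '%s' "$mode" | cut -c"$len")
    [ $((group_digit & 2)) -eq 0 ] && [ $((other_digit & 2)) -eq 0 ]
}

# Create the group, a shell-less user and the chroot layout (root only).
# The chroot itself stays root-owned; the user gets a writable "upload"
# directory below it.
create_sftp_user() {
    user="$1"; group="$2"; chroot_base="$3"
    getent group "$group" >/dev/null || groupadd "$group"
    id "$user" >/dev/null 2>&1 || \
        useradd -g "$group" -s /sbin/nologin -d "$chroot_base/$user" "$user"
    mkdir -p "$chroot_base/$user/upload"
    chown root:root "$chroot_base" "$chroot_base/$user"
    chmod 755 "$chroot_base" "$chroot_base/$user"
    chown "$user:$group" "$chroot_base/$user/upload"
    chroot_mode_ok "$chroot_base/$user"
}

# Usage on the server, as root:
#   create_sftp_user alice sftponly /srv/sftp
#   apply_sftp_only /etc/ssh/sshd_config sftponly /srv/sftp
#   sshd -t && systemctl restart sshd
```

Run `sshd -t` before restarting: a malformed Match block makes sshd refuse to start, and on a remote server that locks you out. Keep an existing SSH session open until the new configuration has been tested with an SFTP login and a (rejected) interactive login.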
This guide shows you how to set custom DNS entries for CentOS 7 / RedHat 7 and ensure that the settings are persistent even after a reboot.
What you need
A CentOS 7 or a Red Hat Enterprise Linux (RHEL) 7 server
A couple of minutes
In CentOS and Red Hat Enterprise Linux (RHEL) 7, the resolver reads its nameservers from the file /etc/resolv.conf. However, if we simply add our nameservers to this file, we will notice that after a reboot or a restart of network.service the file is overwritten by NetworkManager, which regenerates it from the DNS settings of the active connections.
In this guide, we will first configure NetworkManager to leave this file alone. Then we will add our custom nameservers to /etc/resolv.conf.
The NetworkManager configuration is located here: /etc/NetworkManager/NetworkManager.conf Open this file using vim or your favorite text editor.
Search for the [main] section in this file. It should look something like this:
Add dns=none just after the [main] tag, like this (dns=none tells NetworkManager not to touch /etc/resolv.conf at all; any DNS servers configured on individual connections are then no longer applied):
Go ahead and save the file.
Let’s restart the NetworkManager.service service so that it picks up the changes we made to the configuration.
sudo systemctl restart NetworkManager.service
Note that the service name NetworkManager.service is case-sensitive.
Now, let’s add our nameservers to /etc/resolv.conf
Open this file in your favorite text editor and specify the name servers as follows:
# Generated by NetworkManager
That's it! You're done. The nameservers added to /etc/resolv.conf will now persist even after a reboot. NetworkManager will no longer overwrite this file.
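The procedure above as an added, scripted example; this is not code from the original guide. The two file paths are parameters so the functions can be exercised on copies; on a real system they are /etc/NetworkManager/NetworkManager.conf and /etc/resolv.conf. The nameserver addresses in the usage comment are placeholders from the documentation range.

```shell
#!/bin/sh
# Added example (not from the original guide): stop NetworkManager from
# rewriting resolv.conf, then write the nameservers by hand and verify.

# Insert "dns=none" directly under the [main] section header, idempotently.
# An existing dns= line (e.g. dns=default) is replaced, because
# NetworkManager honours a single dns= setting.
set_nm_dns_none() {
    conf="$1"
    if grep -q '^\[main\]' "$conf"; then
        if grep -q '^dns=' "$conf"; then
            sed -i 's/^dns=.*/dns=none/' "$conf"
        else
            sed -i '/^\[main\]/a\
dns=none' "$conf"
        fi
    else
        printf '[main]\ndns=none\n' >> "$conf"
    fi
}

# Overwrite resolv.conf with the given nameservers. The resolver library
# only uses the first three, so warn if more are passed.
write_resolv_conf() {
    resolv="$1"; shift
    [ $# -gt 3 ] && echo "warning: only the first 3 nameservers are used" >&2
    {
        echo "# Managed by hand; NetworkManager has dns=none"
        for ns in "$@"; do echo "nameserver $ns"; done
    } > "$resolv"
}

# Post-change check: return 0 only if dns=none is set inside the [main]
# section (a dns=none line under another section does nothing).
nm_leaves_resolv_alone() {
    awk '
        /^\[/ { in_main = ($0 == "[main]") }
        in_main && /^dns=none$/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Usage on a real system, as root (addresses are placeholders):
#   set_nm_dns_none /etc/NetworkManager/NetworkManager.conf
#   systemctl restart NetworkManager.service
#   write_resolv_conf /etc/resolv.conf 192.0.2.53 192.0.2.54
#   nm_leaves_resolv_alone /etc/NetworkManager/NetworkManager.conf
```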
Security and Hardening of CentOS 7
This tutorial only covers general security tips for CentOS 7 which can be used to harden the system. The checklist tips are intended mostly for bare-metal servers or for machines (physical or virtual) that provide network services.
However, some of the tips can be applied to general-purpose machines too, such as desktops, laptops and card-sized single-board computers (Raspberry Pi).
In this guide, we are going to learn how to enforce a password complexity policy on CentOS 7/RHEL based derivatives. Our previous guide covered the enforcement of password complexity on Ubuntu 18.04. You can check it by following the link below;
As in our previous guide, we are going to use the PAM pwquality module to enforce the password complexity policy on CentOS 7/RHEL based derivatives.
In Ubuntu or Debian based derivatives, we modified the /etc/pam.d/common-password configuration file. For CentOS 7 or similar derivatives, the policy values live in /etc/security/pwquality.conf, and the pam_pwquality.so line that applies them is in /etc/pam.d/system-auth (and, for password changes made through services such as sshd, in /etc/pam.d/password-auth).
As usual, make a backup of the configuration file before making changes, just in case things go south.
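An added example of the backup-then-edit step described above, not code from the guide: it rewrites the policy keys in a pwquality.conf (the path is a parameter so it can be tried on a copy; the real file is /etc/security/pwquality.conf) and reads back the effective policy. The policy values used are an illustrative assumption, not values from the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): set a pwquality policy in
# a pwquality.conf file and read the effective values back.

# Set "key = value", replacing an active or commented line for the same
# key (the shipped file has every key present but commented out), or
# appending the key if it is absent.
set_pwquality() {
    conf="$1"; key="$2"; value="$3"
    if grep -Eq "^#? *$key *=" "$conf"; then
        sed -i -E "s/^#? *$key *=.*/$key = $value/" "$conf"
    else
        echo "$key = $value" >> "$conf"
    fi
}

# Back the file up, then apply the policy. Negative credits mean the
# character class is mandatory; positive credits only shorten minlen.
apply_policy() {
    conf="$1"
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    set_pwquality "$conf" minlen 12      # at least 12 characters
    set_pwquality "$conf" dcredit -1     # at least one digit
    set_pwquality "$conf" ucredit -1     # at least one upper-case letter
    set_pwquality "$conf" lcredit -1     # at least one lower-case letter
    set_pwquality "$conf" ocredit -1     # at least one other character
    set_pwquality "$conf" maxrepeat 3    # at most 3 identical characters in a row
}

# Print the active (uncommented) value of a key, or the given default.
pwquality_get() {
    conf="$1"; key="$2"; default="$3"
    v=$(sed -n -E "s/^ *$key *= *([^ #]*).*/\1/p" "$conf" | tail -n 1)
    [ -n "$v" ] && echo "$v" || echo "$default"
}

# Count how many character classes are mandatory (negative credit).
required_classes() {
    conf="$1"; n=0
    for k in dcredit ucredit lcredit ocredit; do
        v=$(pwquality_get "$conf" "$k" 0)
        [ "$v" -lt 0 ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage on a real system, as root:
#   apply_policy /etc/security/pwquality.conf
#   pwquality_get /etc/security/pwquality.conf minlen 8
#   required_classes /etc/security/pwquality.conf
```

pwquality.conf only holds the values; the policy is enforced because the pam_pwquality.so line in system-auth (and password-auth) is marked requisite. Note that root is exempt from the checks unless enforce_for_root is also set in pwquality.conf.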
How to Install and Configure ‘Cache Only DNS Server’ with ‘Unbound’ in RHEL/CentOS 7
Unbound is a validating, recursive and caching DNS server. Back in RHEL/CentOS 6.x (where x is the minor version number) we used the bind software to configure DNS servers.
Here in this article, we are going to use the 'unbound' caching software to install and configure a DNS server on RHEL/CentOS 7 systems.
Setup Caching DNS Server in RHEL/CentOS 7
A DNS cache server resolves every DNS query it receives and keeps the answer in its cache for as long as the record's TTL allows. When any client later asks for the same name, the answer is served from the 'unbound' cache in milliseconds or less, rather than the hundreds of milliseconds the first resolution can take.
In the setup shown here, unbound does not walk the DNS tree itself; it acts as an agent that forwards each cache miss to one of the configured forwarders and caches the reply. Keeping this cache database on the unbound server cuts the time clients wait for name resolution, which reduces the loading time of web pages.
My Server and Client Setup
For demonstration purpose, I will be using two systems. The first system will act as a Master(Primary) DNS server and the second system will act as a local DNS client.
Master DNS Server
Operating System : CentOS Linux release 7.0.1406 (Core)
IP Address : 192.168.0.50
Host-name : ns.tecmintlocal.com
Local DNS Client
Operating System : CentOS 6
IP Address : 192.168.0.100
Host-name : client.tecmintlocal.com
Step 1: Check System Hostname and IP
1. Before setting up a caching DNS server, make sure that you have set the correct hostname and configured a static IP address for your system; if not, set a static IP address first. Clients will point at this address, so it must not change.
2. After setting the correct hostname and static IP address, you can verify them with the help of the following commands.
# ip addr show | grep inet
Step 2: Installing and Configuring Unbound
3. Before installing the 'Unbound' package, update the system to the latest package versions; after that we can install the unbound package.
# yum update -y
# yum install unbound -y
4. After the package has been installed, make a copy of the unbound configuration file (/etc/unbound/unbound.conf) before making any changes to the original file.
8. Now it's time to check our DNS cache by doing a 'drill' (query) for one domain, 'india.com'. The first 'drill' for 'india.com' will take some milliseconds; then run a second drill and compare the Query time reported by both.
# drill india.com @192.168.0.50
Did you see in the above output that the first query took almost 262 msec to resolve, while the second query took 0 msec to resolve the domain (india.com)?
That means the answer to the first query was stored in our DNS cache, so when we ran 'drill' the second time the query was served from our local DNS cache. This is how a caching server improves the loading speed of websites.
Step 4: Flush Iptables and Add Firewalld Rules
9. On CentOS 7, firewalld is the default firewall front-end and it programs the iptables rules itself, so the legacy iptables service must not be used on the same machine at the same time: the two would overwrite each other's rules. Flush any rules left over from iptables with the following command. Note that this only clears the rules currently loaded in the kernel; if the iptables service is installed, also stop and disable it, or its saved rules come back at the next boot.
# iptables -F
10. With the old iptables rules gone, add the DNS service to firewalld's permanent rule set and reload firewalld so the rule takes effect.
11. After adding DNS service rules, list the rules and confirm.
# firewall-cmd --list-all
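The server-side configuration that Steps 2 to 4 describe, collected into one added example; this is not the article's own configuration. It renders a minimal unbound.conf for the caching-forwarder role, refuses to deploy a configuration that would make the server an open resolver, and opens the DNS service in firewalld. The listen address 192.168.0.50 and the 192.168.0.0/24 LAN are the article's lab values; the two forwarder addresses are placeholders from the documentation range, not a recommendation.

```shell
#!/bin/sh
# Added example (not from the article): render, check and deploy an
# unbound caching forwarder on CentOS 7.

# Print an unbound.conf that listens on loopback and one LAN address,
# answers only the LAN, and forwards every cache miss to the given
# forwarders. remote-control is enabled for unbound-control (Step 5);
# its keys are created with unbound-control-setup.
render_unbound_conf() {
    listen_ip="$1"; lan_cidr="$2"; shift 2
    cat <<EOF
server:
    interface: 127.0.0.1
    interface: $listen_ip
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: $lan_cidr allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
forward-zone:
    name: "."
EOF
    for fwd in "$@"; do echo "    forward-addr: $fwd"; done
}

# Return 0 (true) if the config answers recursive queries for anyone, i.e.
# an access-control line allows 0.0.0.0/0 or ::/0. An open resolver on a
# routable address is abused for DNS amplification and cache snooping.
is_open_resolver() {
    grep -Eq '^[[:space:]]*access-control:[[:space:]]*(0\.0\.0\.0/0|::/0)[[:space:]]+allow' "$1"
}

# Write the config, validate it, start unbound and open the firewall.
# Run as root on the server; forwarder addresses are placeholders.
deploy_unbound() {
    conf=/etc/unbound/unbound.conf
    cp -p "$conf" "$conf.orig"
    render_unbound_conf 192.168.0.50 192.168.0.0/24 192.0.2.1 192.0.2.2 > "$conf"
    if is_open_resolver "$conf"; then
        echo "refusing to deploy an open resolver" >&2
        return 1
    fi
    unbound-checkconf "$conf" || return 1
    systemctl enable unbound
    systemctl restart unbound
    firewall-cmd --permanent --add-service=dns
    firewall-cmd --reload
    firewall-cmd --list-all
}

# Usage on the server, as root:
#   deploy_unbound
#   unbound-control status
```

unbound-checkconf catches syntax errors before the restart, so a typo does not leave the LAN without DNS. The explicit `0.0.0.0/0 refuse` line is redundant with unbound's default, but it documents the intent and makes a later careless "allow" edit visible in a diff.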
Step 5: Managing and Troubleshooting Unbound
12. To get the current server status, use the following command.
# unbound-control status
Dumping DNS Cache
13. If you would like to keep a dump of the DNS cache in a text file, you can redirect it to a file with the command below, for example to reload it after a restart.
# unbound-control dump_cache > /tmp/DNS_cache.txt
14. To restore or import the cache from the dumped file, use load_cache (dump_cache only prints the cache; it does not read one back).
# unbound-control load_cache < /tmp/DNS_cache.txt
Since load_cache accepts whatever the file contains, a tampered dump poisons the cache. Keep the dump in a directory only root can write rather than in world-writable /tmp, and treat it as trusted input. The dump also reveals which names your clients have looked up, so do not share it casually.
Flushing DNS Records
15. To see which name servers unbound would use to resolve a specific name (in this setup, our forwarders), use the lookup command.
# unbound-control lookup google.com
16. Sometimes our DNS cache server keeps returning a stale or wrong answer for a name. In that case we can flush it from the cache: flush removes the cached records for one name (A, AAAA, NS, SOA, CNAME, MX, PTR, etc.), and flush_zone removes all information for a zone name and everything below it.
17. To check which forwarders are currently used to resolve queries.
# unbound-control list_forwards
Step 6: Client Side DNS Configuration
18. Here I have used a CentOS 6 server as my client machine; its IP is 192.168.0.100, and I am going to use my unbound DNS server's IP (i.e. as the primary DNS) in its interface configuration.
Log in to the client machine and set the primary DNS server IP to our unbound server's IP.
Run the setup command and choose Network configuration in the TUI.
Then choose DNS configuration and enter the unbound DNS server's IP as the primary DNS. Here I have used the same address for both primary and secondary because I do not have any other DNS server; a second caching server would normally go in the secondary slot.
Primary DNS : 192.168.0.50
Secondary DNS : 192.168.0.50
Click OK –> Save&Quit –> Quit.
19. After adding the primary and secondary DNS IP addresses, restart the network with the following command (on CentOS 6 this rewrites /etc/resolv.conf from the interface's DNS settings).
# /etc/init.d/network restart
20. Now access any website from the client machine and check the cache on the unbound DNS server. Once a name is cached, the Query time that dig reports drops to (almost) 0 msec.
# elinks aol.com
# dig aol.com
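The timing comparison used in Step 3 (drill) and here with dig, as an added example that is not part of the article: it reads the ";; Query time: N msec" line that both dig and drill print and decides whether the second answer came from the cache. The thresholds are assumptions for a LAN; probe_cache assumes dig is installed on the client.

```shell
#!/bin/sh
# Added example (not from the article): detect a cache hit from the query
# time reported by dig or drill.

# Extract the query time in milliseconds from dig/drill output on stdin.
query_time_ms() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | head -n 1
}

# Return 0 if the second answer looks like it was served from the cache:
# it is nearly instant (2 msec or less is an assumed LAN threshold) and
# faster than the first, which had to go to the forwarders. If both are
# near zero the name was already cached before the probe started.
looks_cached() {
    first="$1"; second="$2"
    [ "$second" -le 2 ] && [ "$first" -gt "$second" ]
}

# Query the same name twice against the caching server and report.
# Usage: probe_cache 192.168.0.50 aol.com
probe_cache() {
    server="$1"; name="$2"
    t1=$(dig @"$server" "$name" | query_time_ms)
    t2=$(dig @"$server" "$name" | query_time_ms)
    echo "first=${t1}ms second=${t2}ms"
    looks_cached "$t1" "$t2"
}
```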
Earlier we used to set up a DNS cache server with the bind package on RHEL and CentOS systems. Now we have seen how to set up a DNS cache server using the unbound package. I hope it resolves your query requests quicker than the bind package did.