10 Essential Post-Installation Steps for CentOS Stream 9: A Production “Survival” Checklist

CentOS tutorial - IT technology blog

CentOS Stream 9 is up, now what?

A black screen with a command prompt appears. Installing the OS is only 10% of the journey. If you immediately deploy your application, your server will sooner or later face security breaches or crawl like a snail. Trust me, just by leaving the default port 22 open for 15 minutes, you’ll see system logs flooded with brute-force attacks from botnets.

Our team once stayed up all night cleaning up the mess while migrating from CentOS 7 to CentOS Stream 9. Those painful lessons are distilled into the checklist below. It will transform a raw installation into a fortress ready for a true production environment.

Which path to take: Minimalist or Full-stack?

System administrators are usually divided into two distinct camps:

  • The Minimalists: Install only what is necessary. Pros: lightweight, small attack surface. Cons: when the server crashes, you’ll struggle without debugging tools.
  • The Full-stackers: Configure everything from security to kernel optimization. This is the path I choose to sleep soundly at night.

Balancing Needs and Risks

By default, CentOS Stream 9 is quite “clean.” It lacks critical repositories like EPEL, making it frustrating to find and install familiar tools. However, hoarding unnecessary items makes the server heavy. The most sensible strategy is to focus on three pillars: Package Management – Security – Performance.

Implementing the Detailed Checklist

1. Update the System and Set the Hostname

Never skip this step. Security patches are often released right after the ISO file is packaged. Update everything to the latest version immediately.

# Update the entire system
sudo dnf update -y

# Set a clear hostname (Example: srv-web-prod-01)
sudo hostnamectl set-hostname srv-web-prod-01

2. Enable EPEL and CRB Repositories

Trying to install htop, git, or supporting libraries without EPEL is a nightmare. On CentOS 9, you also need to enable the CRB (CodeReady Builder) repository for everything to run smoothly.

sudo dnf install epel-release epel-next-release -y
sudo dnf config-manager --set-enabled crb
sudo dnf update -y

3. Create an Admin User (Never use Root)

Logging in directly as root is like leaving a master key right outside your front door. Create a separate user and grant it sudo privileges.

# Create new user
useradd itfromzero
passwd itfromzero

# Grant sudo privileges via the wheel group
usermod -aG wheel itfromzero

4. Tightening SSH Security

Using passwords is outdated. Switch to SSH Keys. Changing the default port 22 to a non-standard port (like 2222) can reduce up to 90% of junk logs from automated scanning scripts.

Open the /etc/ssh/sshd_config file and edit the following lines:

  • PasswordAuthentication no: Disable password login.
  • PermitRootLogin no: Prohibit remote root login.
  • Port 2222: Change the connection port.

sudo systemctl restart sshd
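
A check for the three settings above, as an added example that is not part of the original post: sshd uses the first value it reads for each keyword, and drop-in files included from /etc/ssh/sshd_config.d/ can set a keyword before the line you edited, so the script inspects the effective configuration printed by `sshd -T` instead of the file. The function name and the sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check the settings sshd will
# actually apply. Input is `sshd -T` output: one lowercase "keyword value"
# pair per line. On the server:
#   sudo sshd -t && sudo sshd -T | check_sshd_effective 2222

check_sshd_effective() {
    # $1 = the only port sshd should listen on (2222 in the checklist)
    awk -v want_port="$1" '
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "permitrootlogin"        { root = $2 }
        $1 == "port" { nports++; if ($2 != want_port) extra = extra " " $2 }
        END {
            if (pw != "no")   { print "FAIL passwordauthentication=" pw; fails++ }
            if (root != "no") { print "FAIL permitrootlogin=" root;      fails++ }
            if (nports == 0)  { print "FAIL no port line in input";      fails++ }
            if (extra != "")  { print "FAIL unexpected port(s):" extra;  fails++ }
            if (fails == 0) print "OK: passwords off, root login off, port " want_port
            exit fails + 0   # exit status = number of failed checks
        }'
}

# Constructed sample inputs (excerpts in `sshd -T` format, not real captures).
sample_hardened() {
    printf '%s\n' 'port 2222' 'permitrootlogin no' 'passwordauthentication no'
}
sample_unhardened() {
    printf '%s\n' 'port 22' 'permitrootlogin yes' 'passwordauthentication yes'
}

# Demo: the first input passes, the second reports three failed checks.
sample_hardened   | check_sshd_effective 2222
sample_unhardened | check_sshd_effective 2222 || echo "failed checks: $?"
```

With SELinux enforcing, sshd can only bind port 2222 after `sudo semanage port -a -t ssh_port_t -p tcp 2222` (the semanage tool is in the policycoreutils-python-utils package). Open the port in firewalld (step 8) before restarting sshd, and keep the current session open until a key-based login as the new user on port 2222 works.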

5. Synchronize Timezone

System logs with the wrong time will make incident investigation a disaster. Set it to the correct timezone (e.g., ICT/GMT+7).

sudo timedatectl set-timezone Asia/Ho_Chi_Minh

# Verify the results
timedatectl status

6. Low RAM Salvation with SWAP

If you’re using a VPS with only 1GB or 2GB of RAM, processes like MySQL 8 or PHP-FPM are prone to OOM (Out Of Memory) crashes. Creating a 2GB Swap file is the cheapest way to keep the server stable during traffic spikes.

# Create a 2GB swap file
sudo dd if=/dev/zero of=/swapfile bs=1024 count=2097152
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

# Automatically enable on reboot
echo '/swapfile swap swap defaults 0 0' | sudo tee -a /etc/fstab

7. Optimize Performance with Tuned

CentOS 9 has a “secret weapon” called tuned. This tool automatically tunes kernel parameters to suit specific use cases.

sudo dnf install tuned -y
sudo systemctl enable --now tuned

# If running Web/DB, use the throughput-performance profile
sudo tuned-adm profile throughput-performance

8. Never Disable the Firewall

Instead of systemctl stop firewalld (a fatal mistake), learn how to open ports correctly. This is the dividing line between an amateur and a true system engineer.

# Open the new SSH port and basic web services
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

9. Equip Monitoring “Tools of the Trade”

When issues arise, you need tools to see what’s consuming resources. I always pre-install this basic toolkit on every server.

sudo dnf install htop nmap-ncat bmon vim traceroute -y

In particular, don’t forget Cockpit. This is a powerful built-in web-based management interface that lets you monitor resource graphs without typing commands.

sudo systemctl enable --now cockpit.socket

10. Configure Automatic Security Updates

You can’t afford to check your server every day. Let dnf-automatic download and install critical security updates automatically while you sleep.

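sudo dnf install dnf-automatic -y
# dnf-automatic.timer follows /etc/dnf/automatic.conf, where apply_updates
# defaults to "no" (download only); the -install timer also applies the updates
sudo systemctl enable --now dnf-automatic-install.timer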

Conclusion from Real-World Experience

These steps might seem simple, but they are a rock-solid foundation. The biggest mistake I’ve seen is beginners jumping straight into installing Docker or Nginx while forgetting SSH security or Swap configuration. The result? Within a week, the server gets infected with crypto-mining malware, or logs show the wrong time, turning debugging into a nightmare.

I hope this checklist saves you a few hours of trial and error. If you have any better tips, don’t hesitate to share!
