This blog post is primarily for my own benefit, so I have a list of the standard tasks, utilities, servers, scripts, and/or programs I like to install on vanilla Fedora / RedHat / CentOS Linux systems when I first set them up. But if you have suggestions for improving this list, please feel free to comment!
- If it’s a Fedora 14-15 box, turn on SSH with chkconfig sshd on (not needed on Fedora 15+)
- If it’s a box with NetworkManager installed, disable it with chkconfig NetworkManager off, and shut it off with service NetworkManager stop
- Edit the firewall settings to my liking.
- Install alpine (my fav shell-based mail client), which also installs the pico text editor.
- Change the default run level in /etc/inittab to 3.
- Disable SELinux in /etc/selinux/config.
- Set up aliases in my user home directory.
- Configure and enable NTP (automatic on Fedora 15+).
- Edit /etc/sudoers file to allow users in the wheel group to use sudo.
- Edit /etc/group to add my primary username to the wheel group (can be done at install with Fedora 15+)
- Run a yum update to bring everything up to date.
- yum groupinstall 'Development Tools'
- Install lshw to have access to hardware info.
- If it’s a Dell server (most of mine are), I do a yum install compat-libstdc++-33.i686 libstdc++.i686 libxml2.i686 to install all the libraries required to do firmware updates, then I update firmware as needed.
- Turn off unneeded services.
- Install DenyHosts via yum (an excellent script to help block hack attempts via ssh). I put explicitly allowed hosts in /var/lib/denyhosts/allowed-hosts, edit /etc/denyhosts.conf to turn on synchronization, do a chkconfig denyhosts on and then start the service. You can verify proper startup in /var/log/denyhosts.
- Set ServerSignature Off in httpd.conf. Why give the hax0rs any more info than I have to?
- Install Fail2Ban to protect against attacks on other ports. I turn off the SSH checks, since I prefer how they are handled by DenyHosts.
- Install lrzsz with yum
- Update to latest version of LogWatch (using install instructions from Cyber Sprocket Labs) using the official Logwatch RPM from SourceForge, and then install postfix-logwatch
- Secure SSH connections following various suggestions from FedoraUnity
- If it’s a CentOS server, I install the epel repository and leave it enabled, and I install DAG’s repository and set it to disabled (I enable it for specific packages only).
- If it’s an incoming mail server, I install amavisd-new, ClamAV, and SpamAssassin
- If it’s an outgoing mail server, I compile and install the latest version of Postfix, then set up my main.cf and master.cf to lock it down tight.
- If it’s part of my main network, I install Nagios NRPE.
- If it’s a Dell server, I install Dell OMSA from the Dell repository.
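
A post-setup check for the file-based items in the list above (run level, SELinux mode, the wheel sudo rule, wheel membership, ServerSignature), as an added example that is not part of the original post. The function names, the /etc/httpd/conf/httpd.conf location, and the sample user alice are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify the file-based checklist
# items under a root prefix. An empty ROOT ("") means the live system.

check_runlevel() {          # default run level 3 in /etc/inittab
    grep -Eq '^id:3:initdefault:' "$1/etc/inittab" 2>/dev/null
}
check_selinux() {           # SELINUX=disabled, the state the checklist sets
    grep -Eq '^[[:space:]]*SELINUX=disabled[[:space:]]*$' "$1/etc/selinux/config" 2>/dev/null
}
check_wheel_sudo() {        # an uncommented %wheel rule in /etc/sudoers
    grep -Eq '^[[:space:]]*%wheel[[:space:]]+ALL[[:space:]]*=' "$1/etc/sudoers" 2>/dev/null
}
check_server_signature() {  # the last ServerSignature directive is Off
    awk 'tolower($1) == "serversignature" { v = tolower($2) }
         END { exit !(v == "off") }' "$1/etc/httpd/conf/httpd.conf" 2>/dev/null
}
check_user_in_wheel() {     # $2 is an exact member name on the wheel line
    awk -F: -v u="$2" '$1 == "wheel" { n = split($4, m, ",")
             for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
         END { exit !ok }' "$1/etc/group" 2>/dev/null
}

# make_sample ROOT: write a small constructed tree that passes every check.
make_sample() {
    mkdir -p "$1/etc/selinux" "$1/etc/httpd/conf"
    printf 'id:3:initdefault:\n' > "$1/etc/inittab"
    printf '# constructed\nSELINUX=disabled\n' > "$1/etc/selinux/config"
    printf 'root ALL=(ALL) ALL\n%%wheel ALL=(ALL) ALL\n' > "$1/etc/sudoers"
    printf 'ServerTokens OS\nServerSignature Off\n' > "$1/etc/httpd/conf/httpd.conf"
    printf 'root:x:0:\nwheel:x:10:root,alice\n' > "$1/etc/group"
}

# audit ROOT USER: print one line per item; return the number of failures.
audit() {
    fails=0
    for item in runlevel selinux wheel_sudo server_signature user_in_wheel; do
        if "check_$item" "$1" "$2"; then echo "ok    $item"
        else echo "FAIL  $item"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# With ROOT and USER arguments audit that tree; otherwise audit the sample.
if [ "$#" -ge 2 ]; then
    audit "$1" "$2"
else
    tmp=$(mktemp -d) && make_sample "$tmp" && audit "$tmp" alice; rm -rf "$tmp"
fi
```

The ServerSignature check reads only the main httpd.conf, so a value set in an included file or a virtual host is not seen by it.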
Virtual Machine Guests
If it’s a VM guest system, which I’m usually setting up for RPM building and testing, I’ll also do:
yum install gcc kernel-devel kernel-headers rpm-build redhat-rpm-config rpmdevtools rpmlint ccache sendmail-devel openssl-devel git
- Install Guest Additions
- As the RPM building user, do rpmdev-setuptree