Things I Do First on a Vanilla Linux System 1


This blog post is primarily for my own benefit, so I have a list of the standard tasks, utilities, servers, scripts, and/or programs I like to install on vanilla Fedora / RedHat / CentOS Linux systems when I first set them up. But if you have suggestions for improving this list, please feel free to comment!

  • If it’s a Fedora 14-15 box, turn on SSH with chkconfig sshd on (not needed on Fedora 15+)
  • If it’s a box with NetworkManager installed, disable it with chkconfig NetworkManager off, and shut it off with service NetworkManager stop
  • Edit the firewall settings to my liking.
  • Install alpine (my fav shell-based mail client), which also installs the pico text editor.
  • Change the default run level in /etc/inittab to 3.
  • Disable SELinux in /etc/selinux/config.
  • Set up aliases in my user home directory.
  • Configure and enable NTP (automatic on Fedora 15+).
  • Edit /etc/sudoers file to allow users in the wheel group to use sudo.
  • Edit /etc/group to add my primary username to the wheel group (can be done at install with Fedora 15+)
  • Run a yum update to bring everything up to date.
  • yum groupinstall ‘Development Tools’
  • Install lshw to have access to hardware info.
  • If it’s a Dell server (most of mine are), I do a yum compat-libstdc++-33.i686 libstdc++.i686 libxml2.i686 to install all the libraries required to do firmware updates, then I update firmware as needed.
  • Turn off unneeded services.
  • Install DenyHosts via yum (an excellent script to help block hack attempts via ssh). I put explicitly allowed hosts in /var/lib/denyhosts/allowed-hosts, edit /etc/denyhosts.conf to turn on synchronization, do a checkconfig denyhosts on and then start the service. You can verify proper startup in /var/log/denyhosts
  • Set ServerSignature Off in httpd.conf. Why give the hax0rs any more info than I have to?
  • Install Fail2Ban to protect attacks against other ports. I turn off the SSH checks, since I prefer how they are handled by DenyHosts.
  • Install lrzsz with yum
  • Update to latest version of LogWatch (using install instructions from Cyber Sprocket Labs) using the official Logwatch RPM from SourceForge and then install postfix-logwatch
  • Secure SSH connections following various suggestions from FedoraUnity
  • If it’s a CentOS server, I install the epel repository and leave it enabled, and I install DAG’s repository and set it to disabled (I enable it for specific packages only).
  • If it’s an incoming mail server, I install Amavis-new, ClamAV, and SpamAssassin
  • If it’s an outgoing mail server, I compile and install the latest version of Postfix, then set up my main.cf and master.cf to lock it down tight.
  • If it’s part of my main network, I install Nagios NRPE.
  • If it’s a Dell server, I install Dell OMSA from the Dell repository.

Virtual Machine Guests

If it’s a VM guest system, which I’m usually setting up for RPM building and testing, I’ll also do:

yum install gcc kernel-devel kernel-headers rpm-build redhat-rpm-config rpmdevtools rpmlint ccache sendmail-devel openssl-devel git

and:

  • Install Guest Additions
  • As the RPM building user, do rpmdev-setuptree