Mar 08 2008

Post-Installation

Published by blake

2.3 Post-Installation

Now, if you're installing from CD and you want to get away from the console so you can go sit on the couch and work from your laptop, you might want to configure the firewall, add some users and groups, set up sudoers, and then set up SSH at this point, so you can do everything else from the comfort of your couch. Come back here when you're done; otherwise, continue reading and we'll get there soon.

Note that up until you've completed the sections up to Sudoers, you'll need to be logged in as root. After that, sudo will be the best way to go.

2.3.1 Modify Installed Software Packages

2.3.1.1 Clean up packages

Time to delete some crap! Now, if you installed via CD, you shouldn't have a ton of extra stuff on there if you only selected the package groups I mentioned earlier. However, if you ordered your server from somewhere, it might be piled high with junk. A log of installed packages can be found in /root/install.log; you may want to give it a browse. You can always use yum info [package name] to help figure out what something does.

Tip: If you are not familiar with the yum command, it might behoove you to take a moment and read the man page. It's your primary tool for installing, removing and updating software on your system.

That being said, take a look below for a huge list of things to uninstall. I probably didn't even manage to write all of them down by the time I was finished with my last production server. The base install put so much on there I was sort of glazing over as I ran endless 'yum remove' commands. Anyway, here's a list of things you're either not going to need on your remotely-administered Linux server, or that we'll install later. I formatted it as a single yum remove command in a giant block of text for easy copy-and-paste; you can do the whole thing at once.

  • yum remove gpm apmd irda-utils bluez-utils bluez-libs bluez-hcidump bluez-bluefw wireless-tools NetworkManager minicom libwstreams wvdial libogg libvorbis sox system-config-soundcard system-config-mouse acpid samba-client system-config-samba samba-common samba finger ypbind yp-tools squid nfs-utils system-config-nfs nfs-utils-lib tux pcmcia-cs portmap netdump fbset talk krb5-workstation nano cups cups-libs redhat-lsb pinfo at htmlview redhat-menus system-config-date system-config-services system-config-users system-logviewer jpackage-utils ipsec-tools isdn4k-utils elinks mysql dovecot postgresql-libs xorg-x11-xauth system-config-network system-config-lvm system-config-network-tui system-config-packages libgnome gnome-python2 gnome-python2-bonobo gnome-python-canvas libbonoboui libgnomeui esound alsa-utils indexhtml audiofile libbonobo gnome-vfs2 libart_lgpl libgnomecanvas libwvstreams cadaver neon lrzsz ppp rp-pppoe telnet spamassassin shared-mime-info gnome-mime-data desktop-file-utils redhat-menus pyorbit alsa-lib ash system-config-mouse comps-extras pdksh

yum remove them all! If you remove something accidentally that it turns out you need later, then you can just do a yum install and get it back. Mmm, yum. You may have noted that I'm removing some core LAMP packages such as MySQL. I mentioned this earlier. If you're concerned about a particular LAMP package, take a look at the installation section of this guide and see what I've done with it.

2.3.1.2 Update Everything

With some of the extras gone, we need to update the rest. Run yum update to update everything else on the system. That's it! Depending on how recent your install is, you might have to wait a few minutes for all the updates to download. You might get some kernel upgrades here as well, which is fine, now is the best time to be installing those. You may also get asked to import some GPG keys for package verification. This is generally ok to do.

2.3.1.3 Add some important stuff

I compile a lot of stuff from source, so I generally install the following packages. Note that some of them are devel libraries.

  • yum install gcc autoconf rpm-build ttmkfdir freetype-devel openssl-devel libxml2-devel

Confirm any dependencies they need and install those as well.

Noob tip: If you are unfamiliar with devel libraries, here's the short version: they are libraries of code that other programs can integrate into themselves to gain some sort of functionality. Example: if you build your PHP module from source, and you want to be able to use the PHP functions related to SSL in your PHP scripts, you need to compile PHP with a reference to the OpenSSL devel libraries so that it includes the latest OpenSSL code. This is easier than it sounds, and all it requires is that you have installed the '-devel' package of whatever you're working with when you go to compile PHP, i.e. openssl-devel.

If you ever get errors when compiling something from source, one of the first things to check is whether you have installed the proper devel libraries for your configuration options.

We're all done with packages (for now)!

2.3.2 Delete Unused User Accounts

If any of the following default users exist, you should get rid of them for security. Use userdel [username]:

  • userdel wnn
  • userdel canna
  • userdel webalizer
  • userdel squid
  • userdel games
  • userdel gopher
  • userdel ftp
  • userdel halt
  • userdel news
  • userdel shutdown
  • userdel uucp
  • userdel operator
  • userdel lp
  • userdel sync

2.3.3 Configure The Firewall

This is an optional step depending on your setup. If you're building a production box, you might already have a decent firewall setup going. If you're putting a new box on an unprotected home network, you might want to have the firewall running. Which ports you open depends on what you plan to run.

Run:

  • system-config-securitylevel

Configure the following options once you're in the super hi-tech interface:

  1. Select "Enabled" for Security Level, then move to 'Customize' and hit Enter.
  2. Select the 'WWW' option.
  3. For other services, enter the port information into the "Other ports" box. Only do this if you plan to run a particular service. For example:
     • SSH custom port: 2002:udp 2002:tcp
     • Samba: 137:udp,137:tcp,138:udp,138:tcp,139:udp,139:tcp
     • Svnserve: 3690:tcp,3690:udp
  4. Once you're done, hit 'OK', then 'OK' again.

2.3.4 Automatic Updates

You can configure your system to automatically download and install updates from various sources using up2date. If you choose to do this, you can download and install up2date using yum install up2date, then configure it by running up2date --configure.

If you don't want your system updating automatically, you can periodically run yum update and review what needs updating first. This is my preferred option, as I like to keep informed as to what the latest updates are and what they fix, and sometimes automatic package updates will overwrite an important configuration file and I end up spending an hour trying to figure out why a service that worked perfectly yesterday isn't working today. Your mileage may vary.

If you do utilize up2date, it's a common option to leave out any kernel packages from the automatic updates.

2.3.5 Add Users And Groups

Now to get off the root account if you haven't done so already. Create your own user and whatever groups you like. I generally create a 'webdev' group and put apache in it (later), which allows my web developers to create areas in their web trees that apache can write to if necessary.

  • useradd blake
  • passwd blake
  • groupadd webdev
  • gpasswd -a blake webdev

2.3.6 Sudoers

Sudo is the way to go when you're doing stuff that requires root privileges. You shouldn't run around the system logged in as root, as that can be dangerous. Sudo helps keep you out of that habit by allowing you to run single commands as root as required.

The easiest way to work with sudo is to configure it to allow everyone in the 'wheel' group to have sudo access. This is a historical group, traditionally used for this sort of purpose. Run:

  • visudo

to edit the sudoers file. Activate the wheel group by uncommenting the following line (delete the '#' at the front of the line):

%wheel ALL=(ALL) ALL

Use :wq to save and exit vi. Your wheel group is all set for sudo access, so just add yourself to it:

  • gpasswd -a blake wheel

See http://fedorasolved.org/post-install-solutions/sudo for more on sudo.

Now, if you're on a remote server, open a new session and log in with your new personal account. If you're on a local box, just log out (CTRL-D) and log back in. Check that you can become root using sudo:

  • sudo su -

The '-' option sets your environment to the root account (as if you logged in normally using root); without it you'll still have your own environment (paths, etc). Once you confirm sudo is working, close down any other root sessions you might have open and continue working from your personal user id. This is the way you should log in from now on.

2.3.7 Change Your Timezone

This is an easy one. Check that the timezone is correct by running date. If it's not, look at the timezone files in /usr/share/zoneinfo. Find your timezone, then copy it to /etc/localtime:

  • sudo cp /usr/share/zoneinfo/Canada/Pacific /etc/localtime

It's a good idea to set the ZONE in /etc/sysconfig/clock as well, as I've noticed some yum upgrades have a nasty habit of defaulting back to the timezone listed there and changing your system time when you least expect it.

Run date again to make sure things are ok. Some services won't pick up any system time changes automatically, and you may want to reboot the machine or restart these services. The cron daemon for certain will require a restart (sudo /sbin/service crond restart).

Make sure you sync any changes to the hardware clock as well, or the system time might be off the next time you reboot:

  • sudo hwclock --systohc

2.3.8 Change Host Name

If you've changed your mind on the host name, or weren't there for the base installation, you can change the hostname with the following steps:

  • sudo vi /etc/sysconfig/network and change the HOSTNAME variable to your new hostname
  • sudo hostname [new hostname]
  • sudo vi /etc/hosts and change any instance of your old hostname to the new one
  • sudo /sbin/service network restart

2.3.9 Sync Time

I used to use cron jobs and ntpdate to sync the system time, but all that has been replaced with a nifty service called ntpd. It's way more complicated than setting your time needs to be, but it is rather interesting, so if you want to know more about it, Google for ntpd and read up. In the meantime, to keep your clock synced, all you need to do is start the service. We'll also use chkconfig to make sure it starts at boot time.

Set your clock manually, close to the current time, with the following command:

  • sudo date --set="Thu Feb 14 11:10:42 PST 2008"

Now turn on ntpd:

  • chkconfig ntpd on
  • service ntpd start

ntpd may take a while at first to establish appropriate readings before syncing your time exactly. You can see ntpd notifications in /var/log/messages.

2.3.10 Configure Services

Speaking of chkconfig, there's a whole list of services installed on your machine that you don't necessarily need. We un-installed some of them back in our post-installation package removal frenzy, which is good (take off, gpm mouse server, eh hoser?). Others we can turn off. You'll need to be root, or sudo these commands.

  • sudo su -
  • service haldaemon stop
  • chkconfig haldaemon off
  • service netfs stop
  • chkconfig netfs off
  • service autofs stop
  • chkconfig autofs off

2.3.11 Configure SSH Server

A good reference for configuring your SSH server is here: http://fedorasolved.org/post-install-solutions/securing-ssh/

I got annoyed with seeing all the random log-in attempts from bots and script kiddies on port 22, so I ended up moving my SSH port to somewhere else. The options below will help tighten up your SSH a little bit without doing anything too crazy. Using key authentication instead of password authentication can be a good idea for the security-conscious, but I generally set up password auth for ease of use, as I never know when or where I might need to log in from.

I edit the following options in the SSH daemon config file at /etc/ssh/sshd_config.

Port 2002
Protocol 2
LoginGraceTime 30s
PermitRootLogin no
PermitEmptyPasswords no
MaxStartups 4:50:10

The MaxStartups option is in the format start:rate:full. Once there are more than start unauthenticated connections, sshd will begin to refuse new connections randomly with probability rate/100 (i.e. 50% here). This refusal probability increases linearly until the full number of connections is reached, at which point all new connections are refused until some open connections clear up (time out or finish).

Be careful with your SSH config! Any screwups in the config file might cost you your running SSH server, and if it's remotely hosted, you might have to make an embarrassing call to tech support to ask them to fix your config so you can log in. If in doubt, read some docs or leave it alone.

Now, do a sudo /sbin/service sshd reload (NOT restart), and open a new session to the server on the new port BEFORE closing your old connection. Make sure it works!
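Before you reload, it's worth checking the file against the settings above, so here is an added shell example (not from the original post) that reads each option the way sshd does (first non-comment match wins) and works out the MaxStartups refusal percentage described above. The sshd_config it creates is a constructed sample; on a real host point audit_sshd at /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings recommended above before running 'service sshd reload'.

# Effective value of an sshd option. sshd uses the first match and ignores
# comment lines, so a commented-out '#PermitRootLogin yes' does not count.
sshd_opt() {
    # $1 = option name (case-insensitive), $2 = config file
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Compare a config file against the settings from the text above.
# Prints one line per mismatch; returns 0 only if all of them match.
audit_sshd() {
    cfg=$1; rc=0
    for pair in Port=2002 Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no; do
        key=${pair%=*}; want=${pair#*=}; got=$(sshd_opt "$key" "$cfg")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    return $rc
}

# Percentage of new connections sshd refuses when N connections are still
# unauthenticated, under MaxStartups start:rate:full. sshd applies the rate
# once the count reaches start and ramps linearly to 100% at full.
maxstartups_refusal() {
    # $1 = start:rate:full, $2 = current unauthenticated connections
    awk -v spec="$1" -v n="$2" 'BEGIN {
        split(spec, f, ":"); start = f[1]; rate = f[2]; full = f[3]
        if (n < start) { print 0; exit }
        if (n >= full) { print 100; exit }
        printf "%d\n", rate + (100 - rate) * (n - start) / (full - start)
    }'
}

# Constructed sample config for the demonstration only.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 2002
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
MaxStartups 4:50:10
EOF
audit_sshd "$SAMPLE" && echo "OK: config matches the recommended settings"
echo "Refusal at 7 unauthenticated connections: $(maxstartups_refusal 4:50:10 7)%"
```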
