Centos Installation.

Discussion in 'Tips/Tricks/Mods' started by fraginhell, Mar 5, 2006.

  1. fraginhell

    fraginhell New Member

    Hi Guys.

    I’ve completed a few Installs now with CENTOs and thought I would share my experience with you.

    I used Cent OS 4.1 and the Fedora Core Setup Guide.
    However There are some minor changes to include Software Raid and I've made and a few security additions too that you may be interested in.

    My First change is with the filesystem layout.
    I Recommend some thing like.
    100mb Boot
    2GB root
    2GB home
    1GB tmp
    3GB var
    the rest as /var/www
    Boot will hardly ever fill up but a 100mb will always ensure you have enough space incase you update a lot of kernels.
    Root can be fairly small here, because ideally this box is not going to change very often, apart from upgrades.
    I keep /home separate since this system is going to used for ISPconfig and apart from 1 or 2 system accounts it will not need alot of space.
    /tmp an important one to keep separate from root as this will help prevent against denial of service attacks.
    /var again separate from /var/www where we are going to store our web sites and user files also suexec is complied to use this it.
    swap is whatever you need in my case 512mb is enough.

    During the installation I also used Software Raid – Here’s my Raid configuration.
    Primary Master = hda
    Secondary Master = hdc
    CD-Rom = hdd.

    Create the RAID devices during the installation, once installation is completed you will need to do some safe guards to protect against disk failure.

    You need to do this for both disks.

    Firstly need to backup the disk's MBR, and basic partition table.
    dd if=/dev/hda of=hda.mbr bs=512 count=1
    dd if=/dev/hdc of=hdc.mbr bs=512 count=1
    Second - backup the disks partition table (including the extended information).
    sfdisk -d /dev/hda > hda.sfd
    sfdisk -d /dev/hdc > hdc.sfd
    If you have a failed disk and it has been replaced, lets assume it was hda.

    Restore the MBR.
    dd if=hda.mbr of=/dev/hda bs=512 count=1
    Restore the Extended Partition information as well.
    sfdisk -O change.log /dev/hda <hda.sfd

    Check that the partition table is loaded
    fdisk -l /dev/hda

    Restart the Mirror sync process.
    raidhotadd /dev/md? /dev/hda

    to see the progress of the mirroring - watch -n1 cat /proc/mdstat

    Also to note that I'm using LILO - this seams to be installed on both disks, but grub only gets install on the primary disk. If you loose the primary disk - you cannot boot, but you can still boot if you loose the secondary disk. With lilo either disk can be lost and the system boots without problem.

    Follow the Guide but on page 3 you need to use yum instead of apt. I also use Dag Wieers as well, see (http://dag.wieers.com/home-made/apt/) you will need to add his Redhat Enterprise Repository. You will also need to import his GPG key.
    Make sure you do a complete system update to ensure you have the latest versions and plug any security holes.

    Ok Now when you edit the /etc/fstab also add these :
    Add nosuid,noexec to your /tmp entry for example mine looks like this. I also added quota’s to /home as well.
    The nosuid and noexec stop any program from being executable in tmp and prevent suid.
    /dev/md3 /home ext3 defaults,usrquota,grpquota 1 2
    /dev/md4 /tmp ext3 defaults,nosuid,noexec 1 2

    Follow the reaming steps in the Fedora Guide.

    Also centos ships with dovecot, this seams to work fine out of the box, however if you want to provide imap services you will need to edit its config file.

    Theses also quite a lot we can remove as well to help make the server more secure. The less there is on the system that we need the better, by removing everything we don’t need we hopefully remove any security problems that might come up in the future or take away tools a hacker might use. If you find you might need some thing you can always install it later.
    Remove power manager and its agents – we don’t want the system sleeping on us. (also disable it in the bios too)
    Yum remove apmd acpid
    Remove Samba
    yum remove samba-client system-config-samba samba-common samba
    remove finger
    yum remove finger
    remove cups printing service
    yum remove cups
    remove isdn tools.
    yum remove isdn4k-utils
    stop netplugd if you don’t need it. (chkconfig –level 12345 netplugd off)
    remove ypbind (nis client/server)
    yum remove ypbind
    Remove Squid proxy server.
    yum remove squid
    Remove automounter
    yum remove autofs
    Remove Network File System.
    yum remove nfs-utils system-config-nfs
    Remove tux
    yum remove tux
    If you not using RAID remove these.
    yum remove mdadm
    Remove Infra Red Tools.
    yum remove irda-utils
    Remove PCMCIA.
    yum remove pcmcia-cs
    Remove RPC services.
    Yum remove portmap
    Remove Kernel Netdump
    Yum remove netdump

    Ok now for harding the system. I would recommend the following

    Tripwire – Install Tripwire and configure for your system
    Chkrootkit – Install and configure to run In cron make sure you get a copy of the report from the cronjob (ensure you get the system mail)
    rkhunter - does the same job as chkrootkit (looks for root kits)
    Process accounting – Ensure your watching how much each users using CPU time, - good indicator if the cpu is too high that either there’s a run away process or something more of a problem like a password cracker. Also It can check for missing time entires in the wtmp files.
    Log rotation – Keep lots of logs and email yourself your old log files.

    Missing Zlib – Zlib is missing from the centos build, you can install it yourself as an rpm (from dag) or compile from source.

    Install ISP config.
    Remove Compiler Tools - remove gcc gcc-++ after installation, this will stop any body trying to compile their own tools etc.
    Complete Tripwire install – create custom policy once your have installed Ispconfig.
    I would be really Interested in hearing about anything any one else has done to help secure their system or know of any more packages that can be removed to keep the system as basic as possible.

    Last edited: Mar 5, 2006
  2. itgroup

    itgroup New Member


    Hi Keith,
    since no one else has said it - I will, excellent article. Thanks. I was wondering though, do you have some more information about your tripwire setup? I have not used this before, but it does seem a good product.

    Also, I could never quite get the RAID working in linux. Being a MCSE, I have only being 'playing' with linux for a couple of years and are very happy with it, however - I have only tried to setup RAID a couple of times, and messed it up both times, so did not bother. At the moment, I have hardware RAID on my web box - which I have two of. They have two SATA 160GB HDD. The first is a Windows .Net one, which - on install, reconises that the is only one drive (as it should at 160GB), but the Linux box when I built it, says there are two drives (which of course there is, but I wanted the OS to see it as ONE drive). Would your setup resolve this issue, as I am really paranoid that one HDD will 'crash' one day and it will be a full rebuild. Obviously, under Windows, I just down the system, replace the HDD and regenerate. I guess, it SHOULD be this easy under linux?

    Thanks for your time.
  3. fraginhell

    fraginhell New Member

    Hi Steve,

    I found a really good document on tripwire from one of the original redhat 9 manuals, which are still there, it has a section on tripwire, which is what I use, its great and takes you step by step on getting tripwire going.I have boxes with both software and hardware raid.
    For Hardware RAID where the BIOS takes care of the mirroring the problem is the os will see the same disk twice, for example /dev/hda and /dev/hdc, well its seeing the two individual disks, but they look the same. The way round this is to build the system first on a single disk, add noprobe=/dev/hdc (this might need checking now its been a long time since I did it this way) to the boot looder kernel paramater to exclude the second disk and then add the second disk to the system. The O/S will totally ignore it. The problem is if you loose a disk you will need to move the second disk to the master location and reboot for the system to work, I've not found away round this problem, so I mainly use software raid, which seams to work fine and on my limited systems has no performance problems, and will handle a drive failure without crashing etc.
    As for the RAID I think it mainly depends on your BIOS. For software RAID. I have for example each disk as the master on each controller (to stripe accross the controllers as well for performance and redundancy) so the os see's /dev/hda (-first disk first controller) and /dev/hdc (first disk on the second controller) if you have SATA disks then I would expect them to be /dev/sda etc etc, the O/S then seans /dev/md0 which is a logical reference to both disks, so for example /dev/hda1 (partition1 for example here) and /dev/hdc1 = /dev/md0

    Disk Failure is fairly easy, you first replace the disk of course, and then replace the disk partitioning infomation so that your new disk contains the same partitions as the old one, finally re-sync the disks.
    The only think I've not played with much is logical volumes and RAID, its possible and I've kinda managed once, but was difficult to setup.
    I have played with RAID stuff quite a bit, pulling disks out on the fly and trying to replace them etc etc and it seams to work well.
    Hope this all makes sense :) let me know how you get on.


Share This Page