Configure high-end desktop as server for lab experiments

From Notes_Wiki

Home > CentOS > CentOS 6.x > New machine configuration > Configure high-end desktop as server for lab experiments

This page describes the settings to be made, files to be copied and packages to be installed (via yum or from source) after the OS has been installed on a high-end desktop that is to be used as a server for lab experiments. It was last updated during a CentOS 6.3 installation on 7 March, 2013.


Installing OS

Install the OS with the following partitioning:

  • Create a 30 GB RAID partition for root (/) on all disks, formatted ext3 or ext4
  • Create RAID device /dev/md0 from all the 30 GB partitions as RAID 1, with spares if possible
  • Create a 50 GB standard partition with vfat on all disks for other OS / dual booting
  • Create a RAID partition consuming all remaining space on all three drives
  • Create RAID device /dev/md1 as an LVM physical volume
  • Create a volume group on it with the following logical volumes
    • swap of 1.5 to 2 times RAM
    • the rest as /mnt/das1 with ext4 (das stands for directly attached storage)


GUI configuration

  • Remove user switch option from panel from top right corner of screen
  • Add system monitor panel extension for monitoring CPU, hard-disk and network usage.
  • Remove all folders (Documents, Downloads, Music, Pictures, etc.) from home folder except Desktop
  • Configure nautilus properly
    • Show hidden and backup files
    • Always open in browser window
    • View executable text files when they are opened
    • Preview for files smaller than 500KB
  • Add lock icon to panel for locking screen
  • Disable screensaver and locking
  • Configure the display to go to sleep after 10 minutes of inactivity


Configure firefox

  • Edit preferences for file downloads and set a blank page as the home page
  • Configure the proxy and the 'No proxy for' values


Configure terminal

Make the following changes immediately after the OS install to configure terminals:

  1. Create the file /etc/profile.d/history.sh as described at Storing date / time along with commands in history
  2. Configure Ctrl+Alt+T as the shortcut for opening a terminal
  3. Configure sudo to allow user saurabh to run all commands as root as described at Allowing user to run all commands as root without specifying password. This makes that account root-equivalent, so it needs the same protection as the root account itself.
  4. Create a shortcut for a root terminal in gnome-panel with the command 'sudo su -' run in a terminal, with '/usr/share/pixmaps/keyring.png' as the icon.
  5. Remove all temporary files created in /root by anaconda
  6. Add 'alias mplayer="mplayer -idx -zoom -softvol -softvol-max 400"' to .bashrc


Configure start-up applications

Go to System -> Preferences -> Start-up applications and disable following start-up applications:

  • AT SPI Registry Wrapper
  • Automatic bug reporting tool
  • Bluetooth
  • File context maintainer
  • Network manager
  • PackageKit update
  • Personal file sharing
  • Policykit authentication agent
  • Remote desktop
  • SELinux troubleshooter
  • Smart card manager
  • Spice vdagents
  • Terminal server client autostart
  • User folder update
  • Visual assistance


Disable SELinux

Edit the file '/etc/sysconfig/selinux' (a symlink to /etc/selinux/config) and set the SELINUX parameter to 'disabled'; the change takes effect after a reboot. Note that 'permissive' gives the same practical freedom while still logging denials, and going from 'disabled' back to 'enforcing' later requires a full filesystem relabel ('touch /.autorelabel' and reboot), which 'permissive' does not.


Disabling services

Disable the following services after the OS is installed, so that they do not start automatically in run-levels 3 to 5 (list is alphabetical):

  1. abrt-ccpp
  2. abrt-oops
  3. abrtd
  4. avahi-daemon
  5. bluetooth
  6. cachefilesd
  7. cgconfig
  8. edac
  9. fcoe
  10. fcoe-target
  11. ibacm
  12. iscsi
  13. iscsid
  14. isdn
  15. lldpad
  16. nfslock
  17. pcscd
  18. pppoe-server
  19. qpidd
  20. rpcbind
  21. rpcgssd
  22. rpcidmapd
  23. sandbox
  24. spice-vdagentd
  25. stap-server
  26. tog-pegasus
  27. trace-cmd
  28. xinetd


The following shell script turns off all of the above services at boot and stops them if they are running; service names that do not exist on the install are skipped instead of producing chkconfig errors:

#!/bin/bash
# Disable at boot (run-levels 3-5 via chkconfig) and stop now each
# service in the list; skip names that are not installed.

SERVICES="abrt-ccpp
abrt-oops
abrtd
avahi-daemon
bluetooth
cachefilesd
cgconfig
edac
fcoe
fcoe-target
ibacm
iscsi
iscsid
isdn
lldpad
nfslock
pcscd
pppoe-server
qpidd
rpcbind
rpcgssd
rpcidmapd
sandbox
spice-vdagentd
stap-server
tog-pegasus
trace-cmd
xinetd"

for SERVICE1 in $SERVICES; do
	if chkconfig --list "$SERVICE1" >/dev/null 2>&1; then
		echo "Disabling $SERVICE1"
		chkconfig "$SERVICE1" off
		service "$SERVICE1" stop >/dev/null 2>&1
	else
		echo "Skipping $SERVICE1 (not installed)"
	fi
done

exit 0


If LVM, virtualization, auditing, software RAID etc. are not going to be used, the following services can also be disabled and stopped. On the partitioning described above this is not the case: / lives on /dev/md0 and /mnt/das1 on LVM over /dev/md1, so keep mdmonitor and lvm2-monitor enabled there, otherwise a failed mirror member goes unreported.

  1. auditd (Auditing)
  2. libvirt-guests, libvirt-qmf, libvirtd (Virtualization)
  3. lvm2-monitor (LVM)
  4. mdmonitor (Software RAID)
  5. ksm, ksmtuned (Kernel same-page merging)


The following script disables and stops the additional services listed above (remove mdmonitor and lvm2-monitor from the list when the machine boots from software RAID and LVM):

#!/bin/bash
# Same loop as above for the optional services.

SERVICES="auditd
libvirt-guests
libvirt-qmf
libvirtd
lvm2-monitor
mdmonitor
ksm
ksmtuned"

for SERVICE1 in $SERVICES; do
	if chkconfig --list "$SERVICE1" >/dev/null 2>&1; then
		echo "Disabling $SERVICE1"
		chkconfig "$SERVICE1" off
		service "$SERVICE1" stop >/dev/null 2>&1
	else
		echo "Skipping $SERVICE1 (not installed)"
	fi
done

exit 0
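A check to run after either script, added here as an example and not part of the original page: it parses `chkconfig --list` output, reports which of the services the lists above want off are still enabled in run-levels 3 to 5, and can list whatever else is still on for review. The function names and the embedded `sample_chkconfig` output are constructed for this example; on a real box pipe `chkconfig --list` into `still_on` (the `--live` branch does that).

```shell
#!/bin/bash
# Added example (not from the original page): audit what is still
# enabled in run-levels 3-5 after running the disable scripts.

# Services the lists above say must be off at boot.
EXPECT_OFF="abrt-ccpp abrt-oops abrtd avahi-daemon bluetooth cachefilesd cgconfig
edac fcoe fcoe-target ibacm iscsi iscsid isdn lldpad nfslock pcscd pppoe-server
qpidd rpcbind rpcgssd rpcidmapd sandbox spice-vdagentd stap-server tog-pegasus
trace-cmd xinetd"

# Read `chkconfig --list` output on stdin and print the name of every
# SysV service that is "on" in level 3, 4 or 5. Lines of the xinetd
# section have fewer than seven fields and are skipped.
enabled_in_345() {
    awk 'NF >= 7 {
            on = 0
            for (i = 2; i <= NF; i++) {
                split($i, f, ":")
                if ((f[1] == "3" || f[1] == "4" || f[1] == "5") && f[2] == "on") on = 1
            }
            if (on) print $1
        }'
}

# Read `chkconfig --list` output on stdin; print every EXPECT_OFF
# service that is still enabled and return 1 if there were any.
still_on() {
    local enabled s rc=0
    enabled=$(enabled_in_345)
    for s in $EXPECT_OFF; do
        if printf '%s\n' "$enabled" | grep -qxF "$s"; then
            echo "$s"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `chkconfig --list` output for the self-check
# (avahi-daemon left on deliberately).
sample_chkconfig() {
    cat <<'EOF'
abrtd           0:off 1:off 2:off 3:off 4:off 5:off 6:off
avahi-daemon    0:off 1:off 2:off 3:on  4:on  5:on  6:off
mdmonitor       0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd          0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        chargen-dgram:  off
EOF
}

# Live use: ./audit-services.sh --live
if [ "${1:-}" = "--live" ]; then
    if chkconfig --list | still_on; then
        echo "all listed services are off in run-levels 3-5"
    else
        echo "the services above are still enabled in run-levels 3-5" >&2
        exit 1
    fi
    echo "everything else still on in 3-5 (review):"
    chkconfig --list | enabled_in_345
fi
```

On the sample, `still_on` prints `avahi-daemon` and exits 1; `enabled_in_345` additionally shows mdmonitor and sshd, which is what you want to see on this machine.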


Configure yum

Configure yum with the following repositories:

  • rpmfusion
  • rpmforge
  • epel

To configure them use the following steps:

  1. Visit http://www.rpmfusion.org/ and choose the link 'Enable RPM Fusion on your system'.
  2. Download both the RPM Fusion free and RPM Fusion nonfree setup rpms
  3. Install epel from http://ftp.cuhk.edu.hk/pub/linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
  4. Install the downloaded rpms using 'rpm -ivh rpmfusion*'
  5. Disable the 'rpmfusion-free-updates-testing' and 'rpmfusion-nonfree-updates-testing' repositories
  6. Visit http://repoforge.org/use/ and download the rpm file for configuring the repoforge (rpmforge) repository.
  7. Configure the repoforge repository using the downloaded rpm file: 'rpm -ivh repo*.rpm'
  8. Edit '/etc/yum.conf', configure the proxy and set 'keepcache=1'. Keep 'gpgcheck=1' in the .repo files the release packages install (they also drop the repository signing keys into /etc/pki/rpm-gpg).
  9. rsync the yum cache ('/var/cache/yum') from an already updated CentOS 6.3 machine that also has keepcache=1 to this machine


Installing packages from yum

Install the following packages using yum (list is alphabetical):

  1. atop
  2. denyhosts
  3. dia
  4. dot (provided by the graphviz package)
  5. dvdisaster
  6. encfs
  7. emacs
  8. flash-plugin
  9. geany
  10. htop
  11. hunt
  12. iptraf
  13. john
  14. kile
  15. libotf-devel
  16. mplayer
  17. openvpn
  18. phpMyAdmin
  19. tcptrack
  20. wireshark
  21. wireshark-gnome


Following script can be used to install above packages:

#!/bin/bash

PACKAGES="atop
denyhosts
dia
graphviz
dvdisaster
encfs
emacs
flash-plugin
geany
htop
hunt
iptraf
john
kile
libotf-devel
mplayer
openvpn
phpMyAdmin
tcptrack
wireshark
wireshark-gnome"

yum -y install $PACKAGES

exit 0


Install vlc and mp3 codecs

To install vlc:

  1. Remove all conflicting packages (libdvdread etc.)
  2. yum -y --disablerepo='epel' install vlc (plain 'yum -y install vlc' if epel does not conflict)
  3. yum -y install gstreamer-plugins-{bad,ugly} (gstreamer-plugins-ugly alone covers mp3)

If mplayer or gstreamer-plugins-{bad,ugly} fail to install, disable the testing repositories and try again.


Mount all filesystems

  1. Install ntfs-3g using 'yum -y install ntfs-3g'
  2. Create the /mnt/cdrive folder if it does not exist
  3. Try to mount the NTFS partition on /mnt/cdrive
  4. Get the block IDs (UUIDs) of all partitions using blkid
  5. Add proper entries in /etc/fstab for the partitions of interest, by UUID rather than device name. Use the 'umask=0000' option where required, e.g. for vfat partitions


Configure SSH

  1. Enable connection multiplexing as explained at Sharing multiple ssh connections
  2. Disable GSSAPI authentication with 'GSSAPIAuthentication no' (in both the ssh client and the sshd configuration)


Disable guest account

  1. Use 'userdel -r xguest' to remove the guest account together with its home directory


Install packages from source

Install the following packages from source:

  1. Emacs installation from source
  2. Installing emacs package manager
  3. Installing Erlang by source
  4. Installing yaws by source
  5. Installing latest org mode
  6. Configure .emacs file


Configure firewall

Configure the iptables firewall with port-knocking rules for SSH. In the ruleset below a client has to connect to TCP ports 100, 200, 300 and 400 in that order; each step is tracked per source address with the 'recent' match, a connection to port 100 restarts the sequence, and once phase 4 is reached port 22 is accepted from that address for 60 seconds. Everything else except loopback, ICMP and established connections is logged (rate-limited) and rejected. Keep in mind what this does and does not give you: the knock packets themselves are REJECTed, so the client must expect each knock connection to fail; a strictly increasing sequence such as 100-400 is walked in the right order by an ordered scan ('nmap -r'), which leaves the 60-second window open; and anyone on the path sees the knocks in clear. Knocking hides sshd from casual scans, it does not replace key-based authentication on sshd. The following configuration can be used as a basic '/etc/sysconfig/iptables' file on new installations:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INTO-PHASE1 - [0:0]
:INTO-PHASE2 - [0:0]
:INTO-PHASE3 - [0:0]
:INTO-PHASE4 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -s 10.3.1.183 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -s 10.3.3.230 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 100 -j INTO-PHASE1 
-A INPUT -p tcp -m tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2 
-A INPUT -p tcp -m tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3 
-A INPUT -p tcp -m tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4 
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 60 --name PHASE4 -j ACCEPT 
-A INPUT -p udp -j DROP
#To disable denied_connection_attempt logs for multicast packets
-A INPUT -d 224.0.0.1 -j DROP
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "denied_connection_attempt_"
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#
-A INTO-PHASE1 -m recent --remove --name PHASE2 
-A INTO-PHASE1 -m recent --remove --name PHASE3  
-A INTO-PHASE1 -m recent --remove --name PHASE4 
-A INTO-PHASE1 -m recent --set --name PHASE1 
-A INTO-PHASE1 -j LOG --log-prefix "INTO PHASE1: " 
#
-A INTO-PHASE2 -m recent --remove --name PHASE1
-A INTO-PHASE2 -m recent --set --name PHASE2
-A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: " 
#
-A INTO-PHASE3 -m recent --remove --name PHASE2
-A INTO-PHASE3 -m recent --set --name PHASE3
-A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: " 
#
-A INTO-PHASE4 -m recent --remove --name PHASE3
-A INTO-PHASE4 -m recent --set --name PHASE4 
-A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: " 
#
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
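As an added example that is not part of the original page: a knock client for the ruleset above, together with a parser that reads the knock sequence out of the rules file and a check for the strictly-increasing-sequence weakness. The function names, the command-line usage and the `sample_rules` excerpt (copied from the ruleset above) are this example's own; the 60-second PHASE4 window and the REJECT of the knock packets are the ruleset's behaviour. It assumes bash with /dev/tcp support and coreutils `timeout` on the client.

```shell
#!/bin/bash
# Added example, not part of the original page: knock client and
# sanity checks for the INTO-PHASE1..4 ruleset.

# Extract the knock sequence from an iptables-save style rules file
# (or stdin): the --dport of every INPUT rule that jumps to
# INTO-PHASEn, ordered by n.
knock_sequence() {
    awk '/^-A INPUT .*--dport [0-9]+ .*-j INTO-PHASE[0-9]+/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i ~ /^INTO-PHASE[0-9]+$/) phase = substr($i, 11) + 0
            }
            seq[phase] = port
            if (phase > max) max = phase
        }
        END {
            for (p = 1; p <= max; p++) printf "%s%s", seq[p], (p < max ? " " : "\n")
        }' "${1:-/dev/stdin}"
}

# True if every port is larger than the previous one. Such a sequence
# is reproduced by any ordered port scan ("nmap -r"), so warn on it.
sequence_is_monotonic() {
    local prev=0 p
    for p in "$@"; do
        [ "$p" -gt "$prev" ] || return 1
        prev=$p
    done
    return 0
}

# Send one connection attempt per port, in order. The ruleset REJECTs
# the knock packets themselves, so every attempt is expected to fail;
# "timeout" covers the case where something upstream DROPs instead.
knock() {
    local host=$1 p
    shift
    for p in "$@"; do
        timeout 2 bash -c "exec 3<>/dev/tcp/$host/$p" 2>/dev/null || true
        sleep 1
    done
}

# Excerpt of the ruleset above, embedded for the self-check and used as
# the default sequence when no rules file is given.
sample_rules() {
    cat <<'EOF'
-A INPUT -p tcp -m tcp --dport 100 -j INTO-PHASE1
-A INPUT -p tcp -m tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2
-A INPUT -p tcp -m tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3
-A INPUT -p tcp -m tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 60 --name PHASE4 -j ACCEPT
EOF
}

# Usage: ./knock.sh HOST [RULES_FILE]
if [ -n "${1:-}" ]; then
    host=$1
    if [ -n "${2:-}" ]; then
        seq=$(knock_sequence "$2")
    else
        seq=$(sample_rules | knock_sequence)
    fi
    if sequence_is_monotonic $seq; then
        echo "warning: knock sequence '$seq' is strictly increasing; an ordered scan reproduces it" >&2
    fi
    knock "$host" $seq
    exec ssh "$host"   # must happen within the 60 s PHASE4 window
fi
```

Run it as './knock.sh host /etc/sysconfig/iptables' (copy the rules file to the client, or rely on the embedded default); each knock fails immediately because the rules REJECT it, and ssh starts right after, inside the 60-second window. To change the sequence, edit the --dport values of the four INTO-PHASE rules and pick an order that is not strictly increasing, so that `sequence_is_monotonic` stops warning.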


Configure logging

  1. Edit '/etc/logwatch/conf/logwatch.conf' and set 'Detail = High'.
  2. Edit '/usr/share/logwatch/scripts/services/kernel' and set Detail to 0 statically with 'my $Detail = 0;'
  3. Edit '/etc/mail/sendmail.mc' so that the host can send outbound mail
  4. Edit '/etc/aliases' and enter a real mailbox as the alias for root.
  5. Run 'newaliases', 'make -C /etc/mail' and 'service sendmail restart' as appropriate.
  6. Send a test message to root@localhost and confirm it arrives at the alias address.

