Configuring laptop after Cent-OS re-installation

From Notes_Wiki

Home > CentOS > CentOS 6.x > New machine configuration > Configuring laptop after Cent-OS re-installation

This page describes the settings to make, the files to copy and the packages to install (via yum or from source) after the OS has been re-installed on the laptop. It was last updated during the Cent-OS 6.3 installation on 8 January, 2013.


Installing OS

Install the OS with the following partitioning:

  • 30 GB for the root (/) partition
  • swap partition of 1.5 or 2 times the RAM size
  • Rest for the /mnt/das1 partition (where das stands for directly attached storage)


GUI configuration

  • Remove the user-switch option from the panel in the top right corner of the screen
  • Add the system monitor panel extension for monitoring CPU, hard-disk and network usage
  • Remove all folders (Documents, Downloads, Music, Pictures, etc.) from the home folder except Desktop
  • Configure nautilus properly:
    • Show hidden and backup files
    • Always open in browser window
    • View executable text files when they are opened
    • Preview files smaller than 500KB
  • Set the preferred email application to kmail
  • Add a lock icon to the panel for locking the screen


Configure firefox

  • Edit the preferences for file downloads
  • Configure the proxy and the 'No proxy for' values
  • Install the following firefox plugins and configure them properly:
    1. NoScript
      • Whitelist xmarks.com (can also be done by restoring the noscript preferences backup)
    2. WOT (Web of trust)
    3. Xmarks
    4. Ghostery
    5. Better privacy
    6. Ad-block plus

Use:

rm -rf ~/.mozilla
ln -s /documents/room-documents/documents/general/configuration_files/mozilla ~/.mozilla


Configure pidgin

ln -s /documents/room-documents/documents/general/configuration_files/purple ~/.purple


Configure ssh keys

ln -s /documents/room-documents/documents/general/configuration_files/ssh ~/.ssh
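
Because ~/.ssh becomes a symlink into the /documents tree, OpenSSH applies its usual checks to the target directory rather than the link: ssh ignores a private key that is readable by group or others, and sshd with StrictModes rejects authorized_keys when the directory or the file is writable by group or others. The script below is an added example, not from the wiki, that tightens the modes on whatever directory ~/.ssh points at. It demonstrates on a constructed temporary directory; the real configuration_files/ssh path is what you would pass instead.

```shell
#!/bin/sh
# Added example, not from the wiki: tighten the modes of the directory that
# ~/.ssh points at after it has been symlinked into /documents. OpenSSH
# follows the symlink, so the real directory and files must satisfy its
# checks: ssh ignores a private key readable by group/others, and sshd with
# StrictModes rejects authorized_keys if the directory or file is writable by
# group/others. The demo runs on a constructed temporary directory.

# fix_ssh_perms DIR : make DIR 700, public keys and known_hosts 644, everything
# else 600; prints each path whose mode it changed (nothing on a clean dir).
fix_ssh_perms() {
    dir=$(cd "$1" && pwd -P)            # resolve the symlink to the real directory
    [ "$(stat -c %a "$dir")" = "700" ] || { chmod 700 "$dir"; echo "$dir"; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub|*/known_hosts) want=644 ;;     # safe to be world-readable
            *) want=600 ;;                       # private keys, config, authorized_keys
        esac
        [ "$(stat -c %a "$f")" = "$want" ] || { chmod "$want" "$f"; echo "$f"; }
    done
}

# Constructed stand-in for /documents/.../configuration_files/ssh with modes
# that are too open, plus a symlink playing the role of ~/.ssh.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -m 755 "$DEMO/ssh"
printf 'constructed placeholder, not a real key\n' > "$DEMO/ssh/id_rsa"
chmod 644 "$DEMO/ssh/id_rsa"
printf 'ssh-rsa AAAA constructed placeholder\n' > "$DEMO/ssh/id_rsa.pub"
chmod 644 "$DEMO/ssh/id_rsa.pub"
ln -s "$DEMO/ssh" "$DEMO/dot-ssh"

echo "Fixed:"
fix_ssh_perms "$DEMO/dot-ssh"        # prints the directory and id_rsa
```

Run it as `fix_ssh_perms ~/.ssh` after creating the symlink; a second run prints nothing, which is a quick way to confirm the directory is in the state sshd and ssh expect.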


Configure bazaar

ln -s /documents/room-documents/documents/general/configuration_files/bazaar ~/.bazaar


Configure aws

ln -s /documents/room-documents/documents/general/configuration_files/aws ~/.aws


Configure terminal

Make the following changes immediately after the OS install to configure terminals:

  1. Create the file /etc/profile.d/history.sh as mentioned at Storing date / time along with commands in history
  2. Configure Ctrl+Alt+T as the shortcut for running a terminal
  3. Configure sudo to allow user saurabh to run all commands as root, as mentioned at Allowing user to run all commands as root without specifying password
  4. Create a shortcut for a root terminal in gnome-panel with command 'sudo su -' to be run in a terminal, with '/usr/share/pixmaps/keyring.png' as the image file.
  5. Remove all temporary files created in /root by anaconda
  6. Add 'alias mplayer="mplayer -idx -zoom -softvol -softvol-max 400"' to .bashrc


Configure start-up applications

Go to System -> Preferences -> Start-up applications and disable the following start-up applications:

  • AT SPI Registry Wrapper
  • Automatic bug reporting tool
  • Bluetooth
  • File context maintainer
  • Network manager
  • PackageKit update
  • Personal file sharing
  • Policykit authentication agent
  • Remote desktop
  • SELinux troubleshooter
  • Smart card manager
  • Spice vdagents
  • Terminal server client autostart
  • User folder update
  • Visual assistance


Disable SELinux

Edit the file '/etc/sysconfig/selinux' and set the value of the SELINUX parameter to 'disabled'.


Disabling services

Disable the following services (listed alphabetically) from starting automatically in run-levels 3 to 5 once the OS is installed:

  1. abrt-ccpp
  2. abrt-oops
  3. abrtd
  4. avahi-daemon
  5. bluetooth
  6. cachefilesd
  7. cgconfig
  8. edac
  9. fcoe
  10. fcoe-target
  11. ibacm
  12. iscsi
  13. iscsid
  14. isdn
  15. lldpad
  16. nfslock
  17. pcscd
  18. pppoe-server
  19. qpidd
  20. rpcbind
  21. rpcgssd
  22. rpcidmapd
  23. sandbox
  24. spice-vdagentd
  25. stap-server
  26. tog-pegasus
  27. trace-cmd
  28. xinetd


The following shell script can be used to disable all of the above services:

#!/bin/bash
# Turn off every service in the list for all run-levels. Services that the
# default installation does not contain are skipped instead of producing
# "service not found" errors.

SERVICES="abrt-ccpp
abrt-oops
abrtd
avahi-daemon
bluetooth
cachefilesd
cgconfig
edac
fcoe
fcoe-target
ibacm
iscsi
iscsid
isdn
lldpad
nfslock
pcscd
pppoe-server
qpidd
rpcbind
rpcgssd
rpcidmapd
sandbox
spice-vdagentd
stap-server
tog-pegasus
trace-cmd
xinetd"

for SERVICE1 in $SERVICES; do
	if chkconfig --list "$SERVICE1" > /dev/null 2>&1; then
		echo "Going to run: chkconfig $SERVICE1 off"
		chkconfig "$SERVICE1" off
	else
		echo "Skipping $SERVICE1: not installed"
	fi
done

exit 0


If LVM, virtualization, auditing, software RAID, etc. are not going to be used, then the following services can also be stopped:

  1. auditd (Auditing)
  2. libvirt-guests, libvirt-qmf, libvirtd (Virtualization)
  3. lvm2-monitor (LVM)
  4. mdmonitor (Software raid)
  5. ksm, ksmtuned (Kernel same page merging)


The following script can be used to stop the additional services listed above:

#!/bin/bash
# Turn off the optional services (auditing, virtualization, LVM monitoring,
# software RAID monitoring, KSM); skip any that are not installed.

SERVICES="auditd
libvirt-guests
libvirt-qmf
libvirtd
lvm2-monitor
mdmonitor
ksm
ksmtuned"

for SERVICE1 in $SERVICES; do
	if chkconfig --list "$SERVICE1" > /dev/null 2>&1; then
		echo "Going to run: chkconfig $SERVICE1 off"
		chkconfig "$SERVICE1" off
	else
		echo "Skipping $SERVICE1: not installed"
	fi
done

exit 0


When configuring a VM rather than a laptop, the following services can also be stopped (this list still needs to be updated for CentOS 6.2):

  1. acpid
  2. cpuspeed
  3. cups
  4. hddtemp
  5. irqbalance
  6. lm_sensors
  7. microcode_ctl
  8. smartd


Note:

  • Do not worry if some command gives a "service not found" error. It is possible that the default installation of Cent-OS does not contain a few of the services listed above.
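
To verify the result of the scripts above (and to account for the missing services mentioned in the note), the following added example, not from the wiki, reads 'chkconfig --list' output and prints every service that is still on in run-level 3, 4 or 5 and is not in an allowlist. The sample output embedded in it is constructed; on a real host pipe the actual 'chkconfig --list' into the function.

```shell
#!/bin/sh
# Added example, not from the wiki: audit what is still enabled after the
# disable scripts have run. Reads 'chkconfig --list' output on stdin and
# prints every service that is on in run-level 3, 4 or 5 and is not in the
# allowlist. The sample output below is constructed; on a real host use
#   chkconfig --list | still_enabled "sshd crond network"

# still_enabled ALLOWLIST  (space-separated names) < chkconfig_output
still_enabled() {
    allow=" $1 "
    # fields: name 0:x 1:x 2:x 3:x 4:x 5:x 6:x ; xinetd sub-service lines and
    # blank lines have no run-level fields and fall through the first case
    while read -r name l0 l1 l2 l3 l4 l5 l6; do
        [ -n "$name" ] || continue
        case "$l3$l4$l5" in
            *on*) ;;                 # on in at least one of 3, 4, 5
            *) continue ;;
        esac
        case "$allow" in
            *" $name "*) ;;          # expected to be on
            *) echo "$name" ;;
        esac
    done
}

# Constructed sample of 'chkconfig --list' output.
SAMPLE_CHKCONFIG='abrtd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:off   4:off   5:off   6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
        rsync:          off'

printf '%s\n' "$SAMPLE_CHKCONFIG" | still_enabled "sshd crond"   # prints abrtd and xinetd
```

Anything the function prints is either a service the disable lists missed or one that belongs in the allowlist; an empty result means the run-level configuration matches the intended state.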


Configure yum

Configure yum with the following repositories:

  • rpmfusion
  • rpmforge
  • epel

To configure them, use the following steps:

  1. Visit http://www.rpmfusion.org/ and choose the link 'Enable RPM Fusion on your system'.
  2. Then download both the RPM Fusion free and RPM Fusion nonfree setup rpms
  3. Install epel from http://ftp.cuhk.edu.hk/pub/linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
  4. Install the downloaded rpms using 'rpm -ivh rpmfusion*'
  5. Disable the 'rpmfusion-free-updates-testing' and 'rpmfusion-nonfree-updates-testing' repositories
  6. Visit http://repoforge.org/use/ and download the rpm file for configuring the repoforge (rpmforge) repository.
  7. Configure the repoforge repository using the downloaded rpm file: 'rpm -ivh repo*.rpm'
  8. Edit '/etc/yum.conf', configure the proper proxy and set 'keepcache=1'
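
Steps 5 and 8 both amount to editing one key inside one section of an ini-style file: enabled=0 under the '*-updates-testing' sections of the repo files, and proxy= plus keepcache=1 under [main] in /etc/yum.conf. The following is an added example, not from the wiki, of doing that idempotently with awk so the key is replaced when present and appended to the right section when absent. The repo file and yum.conf it edits are constructed copies in a temporary directory, and the proxy URL is a placeholder.

```shell
#!/bin/sh
# Added example, not from the wiki: set KEY=VALUE inside one [SECTION] of an
# ini-style file such as /etc/yum.conf or a /etc/yum.repos.d/*.repo file.
# Used here for step 5 (enabled=0 on the *-updates-testing repos) and step 8
# (proxy= and keepcache=1 under [main]). The files edited below are constructed
# copies in a temporary directory; the proxy URL is a placeholder.

# set_ini_key FILE SECTION KEY VALUE
# Replaces an existing KEY line inside [SECTION], or appends KEY=VALUE at the
# end of that section if it is missing. Other sections are left untouched and
# the file's ownership and mode are preserved (content is copied back, not mv'ed).
set_ini_key() {
    file="$1" section="$2" key="$3" value="$4"
    tmp=$(mktemp)
    awk -v s="$section" -v k="$key" -v v="$value" '
        function emit() { if (insec && !seen) { print k "=" v; seen = 1 } }
        /^\[.*\]$/ { emit(); insec = ($0 == "[" s "]"); print; next }
        insec && $0 ~ "^" k "[ \t]*=" { print k "=" v; seen = 1; next }
        { print }
        END { emit() }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_ini_key FILE SECTION KEY : print the value of KEY in [SECTION]
get_ini_key() {
    awk -v s="$2" -v k="$3" '
        /^\[.*\]$/ { insec = ($0 == "[" s "]"); next }
        insec && $0 ~ "^" k "[ \t]*=" { sub("^" k "[ \t]*=[ \t]*", ""); print; exit }
    ' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of a testing repo file (two sections, like the real ones).
cat > "$WORK/rpmfusion-free-updates-testing.repo" <<'EOF'
[rpmfusion-free-updates-testing]
name=RPM Fusion for EL 6 - Free - Test Updates
enabled=1
gpgcheck=1

[rpmfusion-free-updates-testing-debuginfo]
name=RPM Fusion for EL 6 - Free - Test Updates Debug
enabled=0
gpgcheck=1
EOF

# Constructed sample of /etc/yum.conf with no proxy line yet.
cat > "$WORK/yum.conf" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2

[extra]
foo=bar
EOF

# Step 5: disable the testing repo (only its own section is changed).
set_ini_key "$WORK/rpmfusion-free-updates-testing.repo" rpmfusion-free-updates-testing enabled 0
# Step 8: proxy and keepcache=1 in [main]; the proxy line is appended, keepcache replaced.
set_ini_key "$WORK/yum.conf" main keepcache 1
set_ini_key "$WORK/yum.conf" main proxy http://proxy.example.invalid:3128

cat "$WORK/yum.conf"
```

On the real system point the function at /etc/yum.conf and at each repo file under /etc/yum.repos.d, running it as root; because it only touches the named section, the debuginfo and source sections of the same repo file keep their own enabled= values.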


Installing packages from yum

Install the following packages using yum (list is alphabetical):

  1. atop
  2. denyhosts
  3. dia
  4. dot
  5. dvdisaster
  6. encfs
  7. emacs
  8. flash-plugin
  9. geany
  10. htop
  11. hunt
  12. iptraf
  13. john
  14. kile
  15. libotf-devel
  16. mplayer
  17. openvpn
  18. phpMyAdmin
  19. tcptrack
  20. wireshark
  21. wireshark-gnome


The following script can be used to install the above packages:

#!/bin/bash

PACKAGES="atop
denyhosts
dia
dot
dvdisaster
encfs
emacs
flash-plugin
geany
htop
hunt
iptraf
john
kile
libotf-devel
mplayer
openvpn
phpMyAdmin
tcptrack
wireshark
wireshark-gnome"

yum -y install $PACKAGES

exit 0


Install vlc and mp3 codecs

To install vlc:

  1. Remove all conflicting packages (libdvdread etc.)
  2. yum -y --disablerepo='epel' install vlc
  3. yum -y install gstreamer-plugins-{bad,ugly}

If problems are faced during installation of mplayer or gstreamer-plugins-{bad,ugly}, then disable the testing repositories and try again.


Mount all filesystems

  1. Install ntfs-3g using 'yum -y install ntfs-3g'
  2. Create the /mnt/cdrive folder if it does not exist
  3. Try to mount the NTFS partition on /mnt/cdrive
  4. Get the block IDs of all partitions using blkid
  5. Make proper entries in /etc/fstab for the interesting partitions. Use the 'umask=0000' option wherever required, e.g. for vfat partitions
  6. Create the following script to mount the encrypted /documents folder:
#!/bin/bash
# Mounts the encfs folders and starts the services whose data lives on them.
# The password is asked for once and passed to every encfs call through
# sshpass, which answers the password prompt of the sudo-started encfs.

# mount_enc RAW_DIR MOUNT_POINT : mount one encfs folder with the saved password
mount_enc() {
	sshpass -p "$PASSWORD" sudo encfs --public "$1" "$2"
}

# Ask for the password until the first mount is confirmed to have worked.
while :
do
	read -s -p "Password: " PASSWORD
	mount_enc /mnt/data1/raw_folders/backup_raw /mnt/data1/backup_snapshots
	echo
	echo -n "Was password incorrect (y/n) : "
	read VAL1
	if [[ "$VAL1" = "n" || "$VAL1" = "N" ]] ; then
		break
	fi
	echo
done

# The remaining mounts use the confirmed password; stop if any of them fails.
mount_enc /mnt/data1/raw_folders/documents_raw /documents || exit 1
sudo /sbin/service httpd start
/documents/room-documents/documents/programs/erlang/web_application/start_yaws.sh
mount_enc /mnt/data1/raw_folders/personal_raw /mnt/personal || exit 1
mount_enc /var/lib/mysql_raw /var/lib/mysql || exit 1
sudo /sbin/service mysqld start
mount_enc /var/lib/pgsql_raw /var/lib/pgsql || exit 1
sudo /sbin/service postgresql start
mount_enc /mnt/data1/raw_folders/virtual_labs_raw /mnt/data1/virtual_labs || exit 1

# Do not keep the password in the environment once everything is mounted.
unset PASSWORD
echo "Mounting of encrypted folders complete."

exit 0


Configure rhythmbox

  1. Disable all plugins except status icon
  2. Configure library location
  3. Enable watch my library for new files


Configure SSH

  1. Enable connection multiplexing as explained at Sharing multiple ssh connections
  2. Disable GSSAPI authentication using 'GSSAPIAuthentication no'


Disable guest account

  1. Use 'userdel -r xguest' to disable guest account


Install packages from source

Install the following packages from source:

  1. Emacs installation from source
  2. Installing emacs package manager
  3. Installing Erlang by source
  4. Installing yaws by source
  5. Installing latest org mode
  6. Configure .emacs file
  7. Install corkscrew
  8. Installing Android SDK


Configure firewall

Configure the iptables firewall with proper port-knocking rules. The following configuration can be used as a basic '/etc/sysconfig/iptables' file on new installations:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INTO-PHASE1 - [0:0]
:INTO-PHASE2 - [0:0]
:INTO-PHASE3 - [0:0]
:INTO-PHASE4 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -s 10.3.1.183 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -s 10.3.3.230 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 100 -j INTO-PHASE1
-A INPUT -p tcp -m tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2
-A INPUT -p tcp -m tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3
-A INPUT -p tcp -m tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 60 --name PHASE4 -j ACCEPT
-A INPUT -p udp -j DROP
# To disable denied_connection_attempt logs for multicast packets
-A INPUT -d 224.0.0.1 -j DROP
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "denied_connection_attempt_"
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#
-A INTO-PHASE1 -m recent --remove --name PHASE2
-A INTO-PHASE1 -m recent --remove --name PHASE3
-A INTO-PHASE1 -m recent --remove --name PHASE4
-A INTO-PHASE1 -m recent --set --name PHASE1
-A INTO-PHASE1 -j LOG --log-prefix "INTO PHASE1: "
#
-A INTO-PHASE2 -m recent --remove --name PHASE1
-A INTO-PHASE2 -m recent --set --name PHASE2
-A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: "
#
-A INTO-PHASE3 -m recent --remove --name PHASE2
-A INTO-PHASE3 -m recent --set --name PHASE3
-A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: "
#
-A INTO-PHASE4 -m recent --remove --name PHASE3
-A INTO-PHASE4 -m recent --set --name PHASE4
-A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: "
#
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
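
The chains above are one instance of a general pattern: N knock ports, one 'recent' list per stage, and a protected port that opens only for a source address that reached the last stage within a time window. The following added example (not the wiki's own script) generates rules in the same style for any knock sequence. It deliberately goes beyond the file above in two ways: every stage's --rcheck carries --seconds, so a half-completed sequence expires rather than staying valid until it is explicitly removed, and every INTO-PHASE chain removes all other stage entries, so a knock out of order restarts the sequence. The 100/200/300/400/22 values and the 60 second window are the ones from this page.

```shell
#!/bin/sh
# Added example, not the wiki's own script: generate the port-knocking part
# of /etc/sysconfig/iptables for any knock sequence, generalising the fixed
# 100 -> 200 -> 300 -> 400 -> 22 configuration on this page. A stage only
# advances if the previous stage's 'recent' entry is younger than WINDOW
# seconds, and each INTO-PHASE chain clears all other stage lists, so a
# knock out of order restarts the sequence.
#
# gen_knock_rules "100 200 300 400" 22 60 > knock.rules
gen_knock_rules() {
    protected="$2"; window="$3"
    set -- $1                       # positional parameters = knock ports, in order
    n=$#
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    i=1
    while [ "$i" -le "$n" ]; do
        echo ":INTO-PHASE$i - [0:0]"
        i=$((i + 1))
    done
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type any -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # the first knock has no precondition
    echo "-A INPUT -p tcp -m tcp --dport $1 -j INTO-PHASE1"
    shift
    i=2
    for port in "$@"; do
        echo "-A INPUT -p tcp -m tcp --dport $port -m recent --rcheck --seconds $window --name PHASE$((i - 1)) -j INTO-PHASE$i"
        i=$((i + 1))
    done
    # the protected port opens only for a source that completed the last stage recently
    echo "-A INPUT -p tcp -m tcp --dport $protected -m recent --rcheck --seconds $window --name PHASE$n -j ACCEPT"
    echo '-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "denied_connection_attempt_"'
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    # each INTO-PHASE chain clears every other stage list, records its own and logs
    i=1
    while [ "$i" -le "$n" ]; do
        j=1
        while [ "$j" -le "$n" ]; do
            [ "$j" -eq "$i" ] || echo "-A INTO-PHASE$i -m recent --remove --name PHASE$j"
            j=$((j + 1))
        done
        echo "-A INTO-PHASE$i -m recent --set --name PHASE$i"
        echo "-A INTO-PHASE$i -j LOG --log-prefix \"INTO PHASE$i: \""
        i=$((i + 1))
    done
    echo '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Print the rules for the sequence used on this page.
gen_knock_rules "100 200 300 400" 22 60
```

Review the output before loading it with iptables-restore; the UDP drop, the multicast drop and the commented host-specific rules from the file above are intentionally left out so that the generated part is only the knocking logic.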



Configure kmail

Use the following to configure kmail:

ln -s /documents/room-documents/documents/general/configuration_files/kmail ~/.kde/share/apps/kmail

Refer to Kmail for detailed information.


Configure logging

  1. Edit '/etc/logwatch/conf/logwatch.conf' and set 'Detail = High' in the file.
  2. Edit '/usr/share/logwatch/scripts/services/kernel' and set Detail to 0 statically using 'my $Detail = 0;'
  3. Edit '/etc/mail/sendmail.mc' and configure it such that it can send emails
  4. Edit the '/etc/aliases' file and enter an email address as the alias for root.
  5. Run 'newaliases', 'make', 'service sendmail restart' etc. as appropriate.
  6. Test by sending an email to root@localhost to check whether the email configuration is working properly.


Configure openvpn

  1. Use 'yum -y install openvpn'
  2. Create a connect_to_vpn.sh file with the following contents:
    #!/bin/bash
    # Start openvpn, wait for the tunnel address to appear, switch the
    # nameserver to the VPN one, and undo both when enter is pressed.
    sudo /sbin/service openvpn start
    echo "Waiting for connection establishment to complete"
    TRIES=0
    # Poll for the tunnel address, but give up after 60 seconds instead of waiting forever
    while ! ifconfig | grep -q '10\.7\.1\.1'; do
        echo -n "."
        sleep 1
        TRIES=$((TRIES + 1))
        if [ "$TRIES" -ge 60 ]; then
            echo "Connection failed, stopping openvpn"
            sudo /sbin/service openvpn stop
            exit 1
        fi
    done
    echo "Connection successful"
    echo "Going to replace nameserver"
    sudo mv /etc/resolv.conf /etc/resolv.conf.backup
    # Write the file directly with tee instead of going through a predictable name in /tmp
    echo "nameserver 10.4.3.222" | sudo tee /etc/resolv.conf > /dev/null
    echo "Nameserver replaced"
    echo "Press enter to disconnect..."
    read A
    sudo /sbin/service openvpn stop
    echo "Going to restore nameserver"
    sudo mv /etc/resolv.conf.backup /etc/resolv.conf
    echo "Nameserver restored"
    exit 0
  3. Use the following to use the openvpn folder from /documents:
    sudo rm -rf /etc/openvpn
    sudo ln -s /documents/room-documents/documents/general/configuration_files/openvpn /etc/openvpn


Configure apache, MySQL and various wikis

  1. Use the following to use the httpd.conf file kept in /documents:
    sudo rm -f /etc/httpd/conf/httpd.conf
    sudo ln -s /documents/room-documents/documents/general/configuration_files/httpd.conf /etc/httpd/conf/
  2. Ensure that the directory /var/lib/mysql is properly protected, possibly through encryption (encfs)
  3. Start the mysqld service using 'sudo /sbin/service mysqld start'
  4. Secure the mysql installation using '/usr/bin/mysql_secure_installation'
  5. Login into mysql as root using 'mysql -u root -p'
  6. Create the required MySQL users and databases using:
    create database wikidb_notes;
    grant all on wikidb_notes.* to wikidb_notes@localhost identified by '<password>';
    create database wikidb_res;
    grant all on wikidb_res.* to wikidb_res@localhost identified by '<password>';
    create database wikidb_readme;
    grant all on wikidb_readme.* to wikidb_readme@localhost identified by '<password>';
    create database notes_wiki;
    grant all on notes_wiki.* to notes_wiki@localhost identified by '<password>';
    flush privileges;
  7. Restore the various database backups using the following (bzcat streams each dump straight into mysql, so no decompressed copy is left on disk):
    cd /documents/public_html/
    bzcat notes_wiki.sql.bz2 | mysql -u notes_wiki -p notes_wiki
    cd /documents/room-documents/documents/databases/mysql/notes_wiki/
    bzcat wikidb_notes.sql.bz2 | mysql -u wikidb_notes -p wikidb_notes
    cd /documents/room-documents/documents/databases/mysql/research_wiki
    bzcat wikidb_res.sql.bz2 | mysql -u wikidb_res -p wikidb_res
    cd /documents/room-documents/documents/databases/mysql/readme_wiki
    bzcat wikidb_readme.sql.bz2 | mysql -u wikidb_readme -p wikidb_readme


Configure PostgreSQL

  1. Ensure that the directory /var/lib/pgsql is properly protected, possibly through encryption (encfs)
  2. Initialize the PostgreSQL database using 'service postgresql initdb'
  3. Configure login through passwords using:
    sudo rm /var/lib/pgsql/data/pg_hba.conf
    sudo ln -s /documents/room-documents/documents/general/configuration_files/pg_hba.conf /var/lib/pgsql/data/
    sudo chown postgres:postgres /documents/room-documents/documents/general/configuration_files/pg_hba.conf
  4. Start the PostgreSQL database using 'service postgresql start'
  5. Create accounts and databases using:
    sudo su - postgres
    psql
    CREATE USER saurabh WITH NOSUPERUSER NOCREATEDB LOGIN ENCRYPTED PASSWORD '<password>';
    CREATE DATABASE saurabh WITH OWNER=saurabh;
    CREATE USER sen WITH NOSUPERUSER NOCREATEDB LOGIN ENCRYPTED PASSWORD '<password>';
    CREATE DATABASE sen WITH OWNER=sen;
    \q
    exit
  6. Restore the various database backups using the following (the dumps are piped into psql, so the decrypted or decompressed SQL is never written to disk):
    cd /documents/room-documents/documents/databases/pgsql/
    gpg -d account.sql.gpg | psql -U saurabh -d account
    bunzip2 -c sen.sql.bz2 | psql -U sen -d sen


Configure backups

Configure backups using tools such as Rsnapshot. Configure updatedb to exclude the backup folders and encrypted file-systems such as 'encfs'.
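
For the updatedb part of that advice: mlocate's /etc/updatedb.conf holds quoted, space-separated lists, PRUNEFS for filesystem types and PRUNEPATHS for directories, and without entries for the encfs mounts the locate database would index the plaintext file names of the encrypted folders. The following added example, not from the wiki, appends entries to those lists idempotently. It runs against a constructed copy of updatedb.conf in a temporary directory; 'fuse.encfs' is the filesystem type encfs mounts report, and /mnt/das1/backups as the rsnapshot root is an assumption.

```shell
#!/bin/sh
# Added example, not from the wiki: append entries to the quoted lists in
# /etc/updatedb.conf (mlocate format on CentOS 6) so that locate skips the
# rsnapshot tree and the encfs mounts. Entries are added only once, so the
# function can be re-run safely. It edits a constructed copy in a temp dir;
# /mnt/das1/backups as the rsnapshot root is an assumption.

# add_to_prune_list FILE VAR ENTRY
# Appends ENTRY to the VAR = "..." list in FILE if absent; creates the line
# if VAR does not exist. Other lines are left as they are.
add_to_prune_list() {
    file="$1" var="$2" entry="$3"
    tmp=$(mktemp)
    awk -v var="$var" -v entry="$entry" '
        $0 ~ "^" var "[ \t]*=" {
            found = 1
            line = $0
            sub(/"[ \t]*$/, "", line)                    # drop the closing quote
            n = split(substr(line, index(line, "\"") + 1), parts, " ")
            for (i = 1; i <= n; i++)
                if (parts[i] == entry) { print $0; next } # already listed
            sep = (n > 0) ? " " : ""
            print line sep entry "\""
            next
        }
        { print }
        END { if (!found) print var " = \"" entry "\"" }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# prune_list FILE VAR : print the contents of the VAR list (without quotes)
prune_list() {
    awk -v var="$2" '
        $0 ~ "^" var "[ \t]*=" { sub(/^[^"]*"/, ""); sub(/"[ \t]*$/, ""); print; exit }
    ' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed excerpt of a stock CentOS 6 updatedb.conf.
cat > "$WORK/updatedb.conf" <<'EOF'
PRUNE_BIND_MOUNTS = "yes"
PRUNEFS = "9p afs anon_inodefs auto autofs bdev binfmt_misc cgroup cifs"
PRUNEPATHS = "/afs /media /net /sfs /tmp /udev /var/cache/ccache /var/spool/cups"
EOF

add_to_prune_list "$WORK/updatedb.conf" PRUNEFS fuse.encfs        # encfs mounts report this type
add_to_prune_list "$WORK/updatedb.conf" PRUNEPATHS /mnt/das1/backups
add_to_prune_list "$WORK/updatedb.conf" PRUNEPATHS /documents
add_to_prune_list "$WORK/updatedb.conf" PRUNEPATHS /documents     # second call is a no-op

cat "$WORK/updatedb.conf"
```

On the real system run the function as root against /etc/updatedb.conf, then run updatedb once so that an existing database built before the change is replaced.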


Enable various services

Enable the required services at boot using the following (chkconfig takes one service name per invocation):

for SERVICE1 in httpd mysqld postgresql; do chkconfig $SERVICE1 on; done

