Difference between revisions of "Configuring laptop after Cent-OS re-installation"
Revision as of 05:03, 26 January 2013
Configure laptop after Cent-OS re-installation
This page describes the settings to be made, files to be copied, and packages to be installed via yum or from source after the OS has been re-installed on the laptop. It was last updated during the Cent-OS 6.3 installation on 8 January, 2013.
Installing OS
Install the OS with the following partitioning:
- 25 GB for root (/) partition
- swap partition of size 1.5 or 2 times RAM
- 25 GB for /documents_raw partition
- Rest for /mnt/data1 partition
GUI configuration
- Remove the user-switch option from the panel in the top right corner of the screen
- Add the system monitor panel extension for monitoring CPU, hard-disk and network usage.
- Remove all folders (Documents, Downloads, Music, Pictures, etc.) from the home folder except Desktop
- Configure nautilus properly:
  - Show hidden and backup files
  - Always open in browser window
  - View executable text files when they are opened
  - Preview files smaller than 500KB
- Set the preferred email application to thunderbird
- Add lock icon to panel for locking screen
Configure firefox
- Edit preferences for file download
- Configure the proper proxy and "no proxy for" values
- Install the following firefox plugins and configure them properly:
  - NoScript
    - Whitelist xmarks.com (can also be done by restoring the NoScript preferences backup)
  - WOT (Web of Trust)
  - Xmarks
  - Ghostery
  - Better Privacy
  - Ad-block Plus
Configure terminal
Make the following changes immediately after the OS install to configure terminals:
- Create the file /etc/profile.d/history.sh as described at Storing date / time along with commands in history
- Configure Ctrl+Alt+t as the shortcut for running a terminal
- Configure sudo to allow user saurabh to run all commands as root, as described at Allowing user to run all commands as root without specifying password
- Create a shortcut for a root terminal in gnome-panel with the command 'sudo su -' (run in terminal) and '/usr/share/pixmaps/keyring.png' as the image file.
- Remove all temporary files created in /root by anaconda
- Add 'alias mplayer="mplayer -idx -zoom -softvol -softvol-max 400"' to .bashrc
Configure start-up applications
Go to System -> Preferences -> Start-up applications and disable the following start-up applications:
- AT SPI Registry Wrapper
- Automatic bug reporting tool
- Bluetooth
- File context maintainer
- Network manager
- Packetkit update
- Personal file sharing
- Policykit authentication agent
- Remote desktop
- SELinux troubleshooter
- Smart card manager
- Spice vdagents
- Terminal server client autostart
- User folder update
- Visual assistance
Disable SELinux
Edit the file '/etc/sysconfig/selinux' and set the value of the SELINUX parameter to 'disabled'
Disabling services
After the OS is installed, prevent the following services from starting automatically in run-levels 3 to 5 (list is alphabetical):
- abrt-ccpp
- abrt-oops
- abrtd
- avahi-daemon
- bluetooth
- cachefilesd
- cgconfig
- edac
- fcoe
- fcoe-target
- iscsi
- iscsid
- isdn
- lldpad
- nfslock
- pcscd
- pppoe-server
- qpidd
- rpcbind
- rpcgssd
- rpcidmapd
- sandbox
- stap-server
- tog-pegasus
- trace-cmd
- xinetd
The following shell script can be used to disable all of the services listed above:
    #!/bin/bash
    SERVICES="abrt-ccpp abrt-oops abrtd avahi-daemon bluetooth cachefilesd cgconfig edac fcoe fcoe-target iscsi iscsid isdn lldpad nfslock pcscd pppoe-server qpidd rpcbind rpcgssd rpcidmapd sandbox stap-server tog-pegasus trace-cmd xinetd "
    for SERVICE1 in $SERVICES; do
        # Print the command about to be run, then run it
        echo "Going to run " chkconfig $SERVICE1 off
        chkconfig $SERVICE1 off
    done
    exit 0
If LVM, virtualization, auditing, software RAID, etc. are not going to be used, the following services can also be stopped:
- auditd (Auditing)
- libvirt-guests, libvirt-qmf, libvirtd (Virtualization)
- lvm2-monitor (LVM)
- mdmonitor (Software raid)
- ksm, ksmtuned (Kernel same page merging)
The following script can be used to stop the additional services listed above:
    #!/bin/bash
    SERVICES="auditd libvirt-guests libvirt-qmf libvirtd lvm2-monitor mdmonitor ksm ksmtuned"
    for SERVICE1 in $SERVICES; do
        # Print the command about to be run, then run it
        echo "Going to run " chkconfig $SERVICE1 off
        chkconfig $SERVICE1 off
    done
    exit 0
When configuring a VM rather than a laptop, the following services can also be stopped (list still needs to be updated for CentOS-6.2):
- acpid
- cpuspeed
- cups
- hddtemp
- irqbalance
- lm_sensors
- microcode_ctl
- smartd
Note:
- Do not worry if some command gives the error "service not found". The default Cent-OS installation may not contain some of the services mentioned above.
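As an added check after running the disable loops above (this is an example script written for this page, not part of the original wiki text), the following reads 'chkconfig --list' output and reports which of the services listed above are still enabled in run-level 3, 4 or 5. The sample output embedded in it is constructed, and the names DISABLE_LIST, still_enabled and check_sample are this example's own:

```shell
#!/bin/bash
# Added example (not from the wiki page): audit which of the services that
# should be off in run-levels 3-5 are still enabled, according to the
# output of 'chkconfig --list'.

# Services the page says should be off in run-levels 3 to 5.
DISABLE_LIST="abrt-ccpp abrt-oops abrtd avahi-daemon bluetooth cachefilesd cgconfig edac fcoe fcoe-target iscsi iscsid isdn lldpad nfslock pcscd pppoe-server qpidd rpcbind rpcgssd rpcidmapd sandbox stap-server tog-pegasus trace-cmd xinetd"

# Constructed sample of 'chkconfig --list' output (one SysV line per service,
# followed by the xinetd section that the audit must ignore).
SAMPLE_CHKCONFIG='abrt-ccpp       0:off   1:off   2:off   3:off   4:off   5:off   6:off
abrtd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:off   4:off   5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:          off'

# Read 'chkconfig --list' style text on stdin and print, one per line, each
# service from DISABLE_LIST that is still "on" in run-level 3, 4 or 5.
still_enabled() {
    awk -v list="$DISABLE_LIST" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) wanted[want[i]] = 1 }
        # Only SysV lines have 8 fields: name followed by 0:off ... 6:off.
        NF == 8 && ($1 in wanted) {
            for (f = 2; f <= NF; f++) {
                split($f, kv, ":")
                if ((kv[1] == "3" || kv[1] == "4" || kv[1] == "5") && kv[2] == "on") {
                    print $1
                    break
                }
            }
        }'
}

# Runs the audit over the constructed sample; on a real system use
#   chkconfig --list | still_enabled
check_sample() {
    printf '%s\n' "$SAMPLE_CHKCONFIG" | still_enabled
}
```

Running check_sample on the sample prints abrtd and avahi-daemon, because each is still "on" in at least one of run-levels 3 to 5; sshd is ignored because it is not in the disable list.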
Configure yum
Configure yum with the following repositories:
- rpmfusion
To configure RPM Fusion:
- Visit http://www.rpmfusion.org/ and choose the link 'Enable RPM Fusion on your system'.
- Then download both the RPM Fusion free and RPM Fusion nonfree setup rpms
- Install EPEL from http://ftp.cuhk.edu.hk/pub/linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
- Visit http://repoforge.org/use/ and download the rpm file for configuring the repoforge (rpmforge) repository.
- Install the downloaded rpms using 'rpm -ivh rpmfusion*'
- Disable the 'rpmfusion-free-updates-testing' and 'rpmfusion-nonfree-updates-testing' repositories
- Edit '/etc/yum.conf', configure the proper proxy and set 'keepcache=1'
Installing packages from yum
Install the following packages using yum (list is alphabetical):
- atop
- denyhosts
- dia
- dot
- dvdisaster
- encfs
- emacs
- flash-plugin
- geany
- htop
- hunt
- iptraf
- john
- kile
- libotf-devel
- mplayer
- openvpn
- phpMyAdmin
- tcptrack
- wireshark
- wireshark-gnome
The following script can be used to install the above packages:
    #!/bin/bash
    PACKAGES="atop denyhosts dia dot dvdisaster encfs emacs flash-plugin geany htop hunt iptraf john kile libotf-devel mplayer openvpn phpMyAdmin tcptrack wireshark wireshark-gnome"
    yum -y install $PACKAGES
    exit 0
Install vlc and mp3 codecs
To install vlc:
- Remove all conflicting packages (libdvdread etc.)
- Run 'yum -y --disablerepo='epel' install vlc' and then 'yum -y install vlc'
- Run 'yum -y install gstreamer-plugins-{bad,ugly}' and then 'yum -y install gstreamer-plugins-ugly'
If problems are faced during installation of mplayer or gstreamer-plugins-{bad,ugly}, disable the testing repositories and try again.
Mount all filesystems
- Install ntfs-3g using 'yum -y install ntfs-3g'
- Create the /mnt/cdrive folder if it does not exist
- Try to mount the NTFS partition on /mnt/cdrive
- Get the block IDs of all partitions using blkid
- Add proper entries in /etc/fstab for the partitions of interest. Use the 'umask=0000' option wherever required, e.g. for vfat partitions
- Create the following script to mount the encrypted /documents folder:
    #!/bin/bash
    # Mount encfs folder $1 on $2, re-prompting until the user answers "n"
    function mount_encfs() {
        while :
        do
            echo "Enter encfs password for $2 : "
            sudo encfs --public $1 $2
            echo -n "Rerun encfs for $2 (y/n) : "
            read VAL1
            if [[ "$VAL1" = "n" || "$VAL1" = "N" ]] ; then
                break
            fi
            echo
        done
    }
    mount_encfs /documents_raw /documents
    exit 0
Mount /documents with above script and create proper short-cuts for /mnt/ddrive, /mnt/cdrive, /documents and /mnt/data1 in nautilus. Note that in case there are many different raw and plain-text folder pairs that use same password, then following script can be used instead:
    #!/bin/bash
    # Read the shared password once, then feed it to each encfs mount
    read -s -p "Password: " PASSWORD
    sshpass -p "$PASSWORD" sudo encfs --public /mnt/data1/raw_folders/documents_raw /documents
    sshpass -p "$PASSWORD" sudo encfs --public /mnt/data1/raw_folders/personal_raw /mnt/personal
    sshpass -p "$PASSWORD" sudo encfs --public /var/lib/mysql_raw /var/lib/mysql
    sudo /sbin/service mysqld start
    sshpass -p "$PASSWORD" sudo encfs --public /var/lib/pgsql_raw /var/lib/pgsql
    sudo /sbin/service postgresql start
    echo "Mounting of encrypted folders complete."
    exit 0
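For the fstab step above (get block IDs with blkid, then add entries using 'umask=0000' for vfat), the following added example (written for this page, not part of the original wiki text) turns one line of blkid output plus the chosen mount point into an /etc/fstab entry that mounts by UUID, selecting ntfs-3g for NTFS and adding umask=0000 for vfat. The device names and UUIDs in its usage are constructed, and fstab_line is this example's own function name:

```shell
#!/bin/bash
# Added example (not from the wiki page): build an /etc/fstab line from a
# 'blkid' output line and a mount point. Mounting by UUID keeps the entry
# valid if the device name (/dev/sdaN) changes between boots.

# fstab_line '<blkid output line>' <mountpoint>
# Prints the fstab entry on stdout; returns 1 if UUID or TYPE is missing.
fstab_line() {
    line=$1
    mountpoint=$2
    # blkid prints KEY="value" pairs; the leading space keeps PARTUUID= from
    # matching the UUID pattern.
    uuid=$(printf '%s\n' "$line" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    fstype=$(printf '%s\n' "$line" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] && [ -n "$fstype" ] || return 1
    case $fstype in
        vfat)  opts="defaults,umask=0000" ;;   # as the page recommends for vfat
        ntfs)  fstype="ntfs-3g"; opts="defaults" ;;   # use the ntfs-3g driver installed above
        *)     opts="defaults" ;;
    esac
    printf 'UUID=%s %s %s %s 0 0\n' "$uuid" "$mountpoint" "$fstype" "$opts"
}

# Constructed blkid lines (not real devices) showing the two cases discussed.
fstab_line '/dev/sda5: UUID="ABCD-1234" TYPE="vfat"' /mnt/ddrive
fstab_line '/dev/sda2: LABEL="Windows" UUID="1234567890ABCDEF" TYPE="ntfs"' /mnt/cdrive
```

On a real system run 'blkid /dev/sdaN' and pass its output line to fstab_line; append the result to /etc/fstab only after checking it with 'mount -a'.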
Configure rhythmbox
- Disable all plugins except status icon
- Configure library location
- Enable watch my library for new files
Configure SSH
- Enable connection multiplexing as explained at Sharing multiple ssh connections
- Disable GSSAPI authentication using 'GSSAPIAuthentication no'
Disable guest account
- Use 'userdel -r xguest' to disable guest account
Install packages from source
Install the following packages from source (list is alphabetical):
- Emacs installation from source
- Installing emacs package manager
- Installing Erlang by source
- Installing yaws by source
- Installing latest org mode
- Configure .emacs file
- Install corkscrew
Configure firewall
Configure the iptables firewall with proper port knocking rules. The following configuration can be used as a basic '/etc/sysconfig/iptables' file on new installations (TCP ports 100, 200, 300 and 400 must be hit in order; port 22 then accepts a new connection for 60 seconds, and a fresh knock on port 100 resets the sequence):
    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :INTO-PHASE1 - [0:0]
    :INTO-PHASE2 - [0:0]
    :INTO-PHASE3 - [0:0]
    :INTO-PHASE4 - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp --icmp-type any -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    #-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    #-A INPUT -p tcp -m tcp --dport 22 -s 10.3.1.183 -j ACCEPT
    #-A INPUT -p tcp -m tcp --dport 22 -s 10.3.3.230 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 100 -j INTO-PHASE1
    -A INPUT -p tcp -m tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2
    -A INPUT -p tcp -m tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3
    -A INPUT -p tcp -m tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4
    -A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 60 --name PHASE4 -j ACCEPT
    -A INPUT -p udp -j DROP
    -A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "denied_connection_attempt_"
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    #
    -A INTO-PHASE1 -m recent --remove --name PHASE2
    -A INTO-PHASE1 -m recent --remove --name PHASE3
    -A INTO-PHASE1 -m recent --remove --name PHASE4
    -A INTO-PHASE1 -m recent --set --name PHASE1
    -A INTO-PHASE1 -j LOG --log-prefix "INTO PHASE1: "
    #
    -A INTO-PHASE2 -m recent --remove --name PHASE1
    -A INTO-PHASE2 -m recent --set --name PHASE2
    -A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: "
    #
    -A INTO-PHASE3 -m recent --remove --name PHASE2
    -A INTO-PHASE3 -m recent --set --name PHASE3
    -A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: "
    #
    -A INTO-PHASE4 -m recent --remove --name PHASE3
    -A INTO-PHASE4 -m recent --set --name PHASE4
    -A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: "
    #
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    #
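Because a mistake in the phase rules (a wrong --name, a missing --seconds on the final rule) silently leaves port 22 either permanently closed or open without a knock, it helps to read the knock sequence back out of the file before loading it. The following added example (written for this page, not part of the original wiki text) parses iptables-save format text and prints the sequence the INPUT rules encode. SAMPLE_RULES is a constructed excerpt of the rules above, and knock_sequence and show_sample are this example's own function names:

```shell
#!/bin/bash
# Added example (not from the wiki page): read /etc/sysconfig/iptables
# (iptables-save format) and print the port knocking sequence it encodes,
# so the rules can be audited before they are loaded.

# Constructed excerpt of the page's rules; commented-out rules ("#-A ...")
# are ignored by the parser exactly as iptables-restore ignores them.
SAMPLE_RULES='*filter
#-A INPUT -p tcp -m tcp --dport 22 -s 10.3.1.183 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 100 -j INTO-PHASE1
-A INPUT -p tcp -m tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2
-A INPUT -p tcp -m tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3
-A INPUT -p tcp -m tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 60 --name PHASE4 -j ACCEPT
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "denied_connection_attempt_"
-A INTO-PHASE1 -m recent --set --name PHASE1
-A INTO-PHASE4 -m recent --set --name PHASE4
COMMIT'

# Reads rules on stdin and prints one line:
#   knock: <ports in phase order> -> open <port> within <seconds>s
# Each INPUT rule jumping to INTO-PHASEn contributes its --dport at position
# n; the INPUT rule that --rchecks the last PHASE list and ACCEPTs gives the
# opened port and its time window.
knock_sequence() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            dport = ""; name = ""; target = ""; secs = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport")   dport  = $(i+1)
                if ($i == "--name")    name   = $(i+1)
                if ($i == "--seconds") secs   = $(i+1)
                if ($i == "-j")        target = $(i+1)
            }
            if (target ~ /^INTO-PHASE[0-9]+$/) {
                phase = substr(target, 11) + 0      # "INTO-PHASE" is 10 chars
                knock[phase] = dport
                if (phase > maxphase) maxphase = phase
            } else if (target == "ACCEPT" && name ~ /^PHASE[0-9]+$/) {
                final = dport; window = secs
            }
        }
        END {
            seq = ""
            for (p = 1; p <= maxphase; p++) seq = seq (p > 1 ? " " : "") knock[p]
            printf "knock: %s -> open %s within %ss\n", seq, final, window
        }'
}

# Audit the constructed sample; on a real system use
#   knock_sequence < /etc/sysconfig/iptables
show_sample() {
    printf '%s\n' "$SAMPLE_RULES" | knock_sequence
}
```

For the rules on this page the output is "knock: 100 200 300 400 -> open 22 within 60s". Note that only the final rule carries --seconds: the intermediate PHASE lists have no time limit in the page's rules, so a partially completed sequence stays recorded until the next knock on port 100 removes it.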
Configure thunderbird
Configure thunderbird using backup of .thunderbird configuration from backups.
Configure logging
- Edit '/etc/logwatch/conf/logwatch.conf' and write 'Detail = High' in the file.
- Edit '/etc/mail/sendmail.mc' and configure it such that it can send emails
- Edit '/etc/aliases' file and enter email address as alias for root.
- Run 'newaliases', 'make', 'service sendmail restart' etc. appropriately.
- Test whether the email configuration is working by sending an email to root@localhost.
Configure openvpn
- Use 'yum -y install openvpn'
- Create a connect_to_vpn.sh file with the following contents:
    #!/bin/bash
    sudo /sbin/service openvpn start
    echo "Waiting for connection establishment to complete"
    # Poll until the VPN address 10.7.1.1 appears in ifconfig output
    STATUS=$(ifconfig | grep '10\.7\.1\.1')
    while [[ "$STATUS" = "" ]]; do
        echo -n ".";
        sleep 1
        STATUS=$(ifconfig | grep '10\.7\.1\.1')
    done
    echo "Connection successful"
    echo "Going to replace nameserver"
    sudo mv /etc/resolv.conf /etc/resolv.conf.backup
    echo "nameserver 10.4.3.222" > /tmp/resolv.conf
    sudo mv /tmp/resolv.conf /etc/resolv.conf
    echo "Nameserver replaced"
    echo "Press enter to disconnect..."
    read A
    sudo /sbin/service openvpn stop
    echo "Going to restore nameserver"
    sudo mv /etc/resolv.conf.backup /etc/resolv.conf
    echo "Nameserver restored"
    exit 0
- Copy the VPN client configuration, key, certificate and CA certificate files to the /etc/openvpn folder