Configuring laptop after Cent-OS re-installation

From Notes_Wiki
Revision as of 02:50, 10 November 2012 by Saurabh

Configure laptop after Cent-OS re-installation

This page is intended to describe settings to be done, files to be copied, and packages to be installed via yum or from source after the OS has been re-installed on the laptop. It was last updated during Cent-OS 6.2 installation on 15 April, 2012.


Installing OS

Install OS with following partitioning:

  • 25 GB for root(/) partition
  • swap partition of size 1.5 or 2 times RAM
  • 25 GB for /documents_raw partition
  • Rest for /mnt/data1 partition


GUI configuration

  • Remove user switch option from panel from top right corner of screen
  • Add system monitor panel extension for monitoring CPU, hard-disk and network usage.
  • Remove all folders (Documents, Downloads, Music, Pictures, etc.) from home folder except Desktop
  • Configure nautilus properly
    • Show hidden and backup files
    • Always open in browser window
    • View executable text files when they are opened
    • Preview for files smaller than 500KB
  • Set preferred email application to thunderbird


Configure firefox

  • Edit preferences for file download
  • Configure proper proxy and 'No proxy for' values
  • Install following firefox plugins and configure them properly:
    1. NoScript
      • Whitelist xmarks.com (can also be done by restoring noscript preferences backup)
    2. WOT (Web of trust)
    3. Xmarks
    4. Ghostery
    5. BetterPrivacy
    6. Adblock Plus


Configure terminal

Do following changes immediately after OS install to configure terminals

  1. Create file /etc/profile.d/history.sh as mentioned at Storing date / time along with commands in history
  2. Configure Ctrl+Alt+t to be shortcut for running terminal
  3. Configure sudo to allow user saurabh to run all commands as root as mentioned at Allowing user to run all commands as root without specifying password
  4. Create shortcut for root terminal in gnome-panel with command 'sudo su -' to be run in terminal with '/usr/share/pixmaps/keyring.png' as image file.


Configure start-up applications

Go to System -> Preferences -> Start-up applications and disable following start-up applications:

  • Automatic bug reporting tool
  • Bluetooth
  • File context maintainer
  • Network authentication
  • Network manager
  • PackageKit update
  • Personal file sharing
  • Policykit authentication agent
  • Remote desktop
  • SELinux troubleshooter
  • Smart card manager
  • Spice vdagents
  • Terminal server client autostart
  • User folder update
  • Visual assistance


Disable SELinux

Edit file '/etc/sysconfig/selinux' and set value for SELINUX parameter to 'disabled'


Disabling services

Disable following services after OS is installed from automatically starting in run-levels 3 to 5: (List is alphabetic)

  1. NetworkManager
  2. abrt-ccpp
  3. abrt-oops
  4. abrtd
  5. avahi-daemon
  6. bluetooth
  7. cachefilesd
  8. cgconfig
  9. edac
  10. fcoe
  11. fcoe-target
  12. iscsi
  13. iscsid
  14. isdn
  15. lldpad
  16. nfslock
  17. pcscd
  18. pppoe-server
  19. qpidd
  20. rpcbind
  21. rpcgssd
  22. rpcidmapd
  23. sandbox
  24. stap-server
  25. tog-pegasus
  26. trace-cmd
  27. xinetd


One can use following shell script to disable all above mentioned services:

#!/bin/bash

SERVICES="NetworkManager
abrt-ccpp
abrt-oops
abrtd
avahi-daemon
bluetooth
cachefilesd
cgconfig
edac
fcoe
fcoe-target
iscsi
iscsid
isdn
lldpad
nfslock
pcscd
pppoe-server
qpidd
rpcbind
rpcgssd
rpcidmapd
sandbox
stap-server
tog-pegasus
trace-cmd
xinetd"

# Without --level, 'chkconfig <name> off' affects run-levels 2, 3, 4 and 5
for SERVICE1 in $SERVICES; do
	echo "Going to run: chkconfig $SERVICE1 off"
	chkconfig "$SERVICE1" off
done

exit 0


In case LVM, Virtualization, Auditing, Software raid etc. are not going to be used then following services can also be stopped:

  1. auditd (Auditing)
  2. libvirt-guests, libvirt-qmf, libvirtd (Virtualization)
  3. lvm2-monitor (LVM)
  4. mdmonitor (Software raid)
  5. ksm, ksmtuned (Kernel same page merging)


Following script can be used to stop above mentioned additional services:

#!/bin/bash

SERVICES="auditd
libvirt-guests
libvirt-qmf
libvirtd
lvm2-monitor
mdmonitor
ksm
ksmtuned"

# Without --level, 'chkconfig <name> off' affects run-levels 2, 3, 4 and 5
for SERVICE1 in $SERVICES; do
	echo "Going to run: chkconfig $SERVICE1 off"
	chkconfig "$SERVICE1" off
done

exit 0


In case of configuring a VM and not a laptop, following services can also be stopped (this list needs to be updated for CentOS-6.2):

  1. acpid
  2. cpuspeed
  3. cups
  4. hddtemp
  5. irqbalance
  6. lm_sensors
  7. microcode_ctl
  8. smartd


Note:

  • Do not worry if some command gives a 'service not found' error. It is possible that the default installation of Cent-OS does not contain a few of the above mentioned services.
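A check to run after the disable scripts, added here as an example and not part of the original page: it reads `chkconfig --list` output and reports any service from the disable list that is still on in run-level 3, 4 or 5. The names `still_enabled`, `sample_chkconfig_list` and `WANT_OFF` are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): list services that should be
# off but are still enabled in run-level 3, 4 or 5.

# Subset of the list above, enough for the constructed sample below.
WANT_OFF="NetworkManager abrtd avahi-daemon bluetooth rpcbind xinetd"

# still_enabled "<names>" < output of `chkconfig --list`
# Prints "name levels" for every listed service that is on in 3, 4 or 5.
still_enabled() {
    # Unquoted $1 collapses newlines, so a multi-line SERVICES value works too.
    awk -v want="$(echo $1)" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) off[w[i]] = 1 }
        # SysV lines: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off  (8 fields)
        NF == 8 && ($1 in off) {
            levels = ""
            for (f = 5; f <= 7; f++) {      # fields 5..7 are run-levels 3..5
                split($f, kv, ":")
                if (kv[2] == "on") levels = levels kv[1]
            }
            if (levels != "") print $1, levels
        }'
}

# Constructed sample of `chkconfig --list` output (rpcbind and xinetd are
# deliberately absent, as on a system where they are not installed).
sample_chkconfig_list() {
    cat <<'EOF'
NetworkManager  0:off   1:off   2:on    3:on    4:on    5:on    6:off
abrtd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:off   4:off   5:off   6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
EOF
}

sample_chkconfig_list | still_enabled "$WANT_OFF"
```

On a real system the input would come from `chkconfig --list` and the first argument would be the SERVICES value from the scripts above; an empty result means nothing on the list is still enabled.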


Configure yum

Configure yum with following repositories

  • rpmfusion

To configure RPM Fusion:

  1. Visit http://www.rpmfusion.org/ and choose link 'Enable RPM Fusion on your system'.
  2. Then download both RPM Fusion free and RPM Fusion nonfree setup rpms
  3. Install epel using 'rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm'
  4. Visit http://repoforge.org/use/ and download rpmfile for configuring repoforge (rpmforge) repository.
  5. Install downloaded rpms using 'rpm -ivh rpmfusion*'
  6. Disable 'rpmfusion-free-updates-testing' and 'rpmfusion-nonfree-updates-testing' repositories
  7. Edit '/etc/yum.conf', configure proper proxy and set 'keepcache=1'


Installing packages from yum

Install following packages using yum (List is alphabetic)

  1. atop
  2. denyhosts
  3. dia
  4. dvdisaster
  5. encfs
  6. flash-plugin
  7. geany
  8. htop
  9. hunt
  10. iptraf
  11. john
  12. kile
  13. mplayer
  14. openvpn
  15. phpMyAdmin
  16. tcptrack
  17. wireshark
  18. wireshark-gnome


Following script can be used to install above packages:

#!/bin/bash

PACKAGES="atop
denyhosts
dia
dvdisaster
encfs
flash-plugin
geany
htop
hunt
iptraf
john
kile
mplayer
openvpn
phpMyAdmin
tcptrack
wireshark
wireshark-gnome"

yum -y install $PACKAGES

exit 0

Install vlc and mp3 codecs

To install vlc

  1. Remove all conflicting packages (libdvdread etc.)
  2. yum -y --disablerepo='epel' install vlc
  3. yum -y install gstreamer-plugins-{bad,ugly}

If problems are faced during installation of mplayer or gstreamer-plugins-{bad,ugly} then disable testing repositories and try again.

Mount all filesystems

  1. Install ntfs-3g using 'yum -y install ntfs-3g'
  2. Create /mnt/cdrive folder if it does not exist
  3. Try to mount NTFS partition on /mnt/cdrive
  4. Get block IDs of all partitions using blkid
  5. Do proper entries in /etc/fstab for interesting partitions. Use 'umask=0000' option wherever required, like vfat partitions
  6. Create following script to mount encrypted /documents folder.
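#!/bin/bash

# mount_encfs <encrypted-dir> <mount-point>
# Runs encfs repeatedly until the user answers 'n' (e.g. to retry after a wrong password).
function mount_encfs()
{
	while :
	do
		echo "Enter encfs password for $2 : "
		# --public lets other users access the mount and requires root, hence sudo
		sudo encfs --public "$1" "$2"
		echo -n "Rerun encfs for $2 (y/n) : "
		read -r VAL1
		if [[ "$VAL1" = "n" || "$VAL1" = "N" ]] ; then
			break
		fi
		echo
	done
}
mount_encfs /documents_raw /documents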

exit 0

Mount /documents with above script and create proper short-cuts for /mnt/ddrive, /mnt/cdrive, /documents and /mnt/data1 in nautilus

Configure rhythmbox

  1. Disable all plugins except status icon
  2. Configure library location
  3. Enable watch my library for new files


Configure SSH

  1. Enable connection multiplexing as explained at Sharing multiple ssh connections
  2. Disable GSSAPI authentication using 'GSSAPIAuthentication no'


Disable guest account

  1. Use 'userdel -r xguest' to disable guest account


Install packages from source

Install following packages from source: (List is alphabetic)

  1. emacs (as mentioned at Emacs installation from source then configure it using Configure .emacs file)
  2. erlang (as mentioned at Erlang and yaws installation)



Configure firewall

Configure iptables firewall with proper port knocking rules. Following configuration can be used as basic '/etc/sysconfig/iptables' file on new installations:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INTO-PHASE1 - [0:0]
:INTO-PHASE2 - [0:0]
:INTO-PHASE3 - [0:0]
:INTO-PHASE4 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -s 10.3.1.183 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -s 10.3.3.230 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 100 -j INTO-PHASE1 
-A INPUT -p tcp -m tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2 
-A INPUT -p tcp -m tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3 
-A INPUT -p tcp -m tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4 
-A INPUT -p tcp -m tcp --dport 22 -m recent --rcheck --seconds 60 --name PHASE4 -j ACCEPT 
-A INPUT -p udp -j DROP
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "denied_connection_attempt_"
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#
-A INTO-PHASE1 -m recent --remove --name PHASE2 
-A INTO-PHASE1 -m recent --remove --name PHASE3  
-A INTO-PHASE1 -m recent --remove --name PHASE4 
-A INTO-PHASE1 -m recent --set --name PHASE1 
-A INTO-PHASE1 -j LOG --log-prefix "INTO PHASE1: " 
#
-A INTO-PHASE2 -m recent --remove --name PHASE1
-A INTO-PHASE2 -m recent --set --name PHASE2
-A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: " 
#
-A INTO-PHASE3 -m recent --remove --name PHASE2
-A INTO-PHASE3 -m recent --set --name PHASE3
-A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: " 
#
-A INTO-PHASE4 -m recent --remove --name PHASE3
-A INTO-PHASE4 -m recent --set --name PHASE4 
-A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: " 
#
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
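A model of the four `recent` lists in the ruleset above, added here as an example and not part of the original page: it replays connection attempts and shows which port-22 attempts the rules would accept, including an out-of-order knock and an expired PHASE4 entry. It assumes one input line per NEW connection attempt with whole-second timestamps; `knock_sim`, `sample_events` and the addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): a model of the knock chains.
# Input lines: "<epoch-seconds> <source-ip> <tcp-dport>", one NEW connection
# attempt per line, in time order. Output: a verdict for each port-22 attempt.
knock_sim() {
    awk '
    function mark(list, ip, t) { seen[list, ip] = t }          # --set
    function has(list, ip)     { return ((list, ip) in seen) }  # --rcheck
    function forget(list, ip)  { delete seen[list, ip] }       # --remove
    {
        t = $1; ip = $2; port = $3
        if (port == 100) {                          # INTO-PHASE1: start over
            forget("P2", ip); forget("P3", ip); forget("P4", ip)
            mark("P1", ip, t)
        } else if (port == 200 && has("P1", ip)) {  # INTO-PHASE2
            forget("P1", ip); mark("P2", ip, t)
        } else if (port == 300 && has("P2", ip)) {  # INTO-PHASE3
            forget("P2", ip); mark("P3", ip, t)
        } else if (port == 400 && has("P3", ip)) {  # INTO-PHASE4
            forget("P3", ip); mark("P4", ip, t)
        }
        if (port == 22) {
            # --rcheck --seconds 60 --name PHASE4, otherwise the final REJECT
            ok = has("P4", ip) && (t - seen["P4", ip] < 60)
            print t, ip, (ok ? "ACCEPT" : "REJECT")
        }
    }'
}

# Constructed events: full knock, late retry, no knock, out-of-order knock.
sample_events() {
    cat <<'EOF'
1000 192.0.2.10 100
1002 192.0.2.10 200
1004 192.0.2.10 300
1006 192.0.2.10 400
1010 192.0.2.10 22
1100 192.0.2.10 22
2000 198.51.100.7 22
3000 192.0.2.20 100
3001 192.0.2.20 300
3002 192.0.2.20 200
3003 192.0.2.20 400
3004 192.0.2.20 22
EOF
}

sample_events | knock_sim
```

Only the intermediate phases are consumed as the knock advances; the PHASE4 entry stays valid for every new port-22 connection from that source address until the 60 seconds run out or port 100 is hit again.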



Configure thunderbird

Configure thunderbird using backup of .thunderbird configuration from backups.


Configure logging

  1. Edit '/etc/logwatch/conf/logwatch.conf' and write 'Detail = High' in the file.
  2. Edit '/etc/mail/sendmail.mc' and configure it such that it can send emails
  3. Edit '/etc/aliases' file and enter email address as alias for root.
  4. Run 'newaliases', 'make', 'service sendmail restart' etc. appropriately.
  5. Test by sending email to root@localhost whether email configuration is working properly or not.