After CentOS is installed, its default security settings and hardware configuration may not fully match our actual situation. The initial environment setup for a freshly installed CentOS system described here follows these principles:
1. To ensure security, restrict access as far as possible;
2. To save memory and CPU (and for security), stop unnecessary services as far as possible;
3. To limit the damage a mistaken operation can cause, log on for day-to-day administration as an ordinary user who belongs to the wheel group, not as root;
4. To make the system lighter and faster, unload unnecessary kernel modules;
............
Initial environment setting after CentOS 4.4 is installed
After the system restarts, the following login screen appears:

CentOS release 4.4 (Final)
Kernel 2.6.9-42.EL on an i686

sample login:

The host name "sample" comes from the network settings entered during installation.
[1] System logon and exit

sample login: root          ← log on as root: enter the user name root
Password:                   ← enter the root password set during installation
[root@sample ~]#            ← logged on as root; the prompt is "#" (an ordinary user's prompt is "$")
[root@sample ~]# exit       ← log out of the system
sample login:               ← logged out successfully
[2] Ordinary user creation and deletion

[root@sample ~]# useradd centospub       ← create the ordinary user centospub
[root@sample ~]# passwd centospub        ← set a password for centospub
Changing password for user centospub.
New UNIX password:                       ← enter the password (it is not displayed)
Retype new UNIX password:                ← enter the password again to confirm both match
passwd: all authentication tokens updated successfully.   ← password set successfully
[root@sample ~]# userdel -r centospub    ← delete the ordinary user centospub (-r also removes the home directory)
[3] Switching from an ordinary user to root

Because the root user has unrestricted rights over the system, we recommend logging on as an ordinary user to avoid mistakes. When root rights are actually needed, run the "su -" command to become the root user.

[centospub@sample ~]$            ← the prompt is "$": the ordinary user centospub is logged on
[centospub@sample ~]$ su -       ← command to become the root user
Password:                        ← enter the root password (not displayed) and press Enter
[root@sample ~]#                 ← now logged on as root; the prompt changed to "#"
[root@sample ~]# exit            ← return to the ordinary user session
[centospub@sample ~]$            ← the prompt is "$" again: back to the ordinary user centospub
[4] Creating an ordinary user in the administrator group

Normally any user who runs "su -" and enters the correct root password becomes root and can administer the system. To tighten security further, we set up an administrator group so that only its members may use "su -" to become root; users outside the group cannot become root even if they run "su -" and enter the correct root password. In UNIX this group is conventionally called "wheel".

[root@sample ~]# usermod -G wheel centospub                 ← add the ordinary user centospub to the administrator group wheel
[root@sample ~]# vi /etc/pam.d/su                           ← open this configuration file
#auth  required  /lib/security/$ISA/pam_wheel.so use_uid    ← locate this line (around line 6) and remove the "#"
auth   required  /lib/security/$ISA/pam_wheel.so use_uid    ← the line now looks like this
[root@sample ~]# echo "SU_WHEEL_ONLY yes" >> /etc/login.defs   ← append this statement to the end of the file

After completing these steps, create another new user for testing. A user who has not been added to the wheel group cannot become root with "su -", even when the correct root password is entered.
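The test described above can be scripted. The following audit is an added example, not part of the original tutorial: it checks a copy of /etc/pam.d/su for an active pam_wheel.so line, /etc/login.defs for SU_WHEEL_ONLY, and /etc/group for wheel membership. The file paths are parameters and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the su-to-root
# restriction set up in step [4]. Paths are passed as arguments so the checks
# can run on copies; the sample files written below are constructed.

# 0 if the pam.d/su file ($1) has an active (uncommented) pam_wheel.so line
# with use_uid, i.e. only wheel members may "su -" to root.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_wheel\.so[[:space:]].*use_uid' "$1"
}

# 0 if the login.defs file ($1) carries an active "SU_WHEEL_ONLY yes" entry.
su_wheel_only_set() {
    grep -Eiq '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+yes' "$1"
}

# 0 if the user ($1) is listed as a member of wheel in the group file ($2).
user_in_wheel() {
    awk -F: -v u="$1" '$1 == "wheel" { n = split($4, m, ",");
        for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 } END { exit !ok }' "$2"
}

# Run all three checks; prints the reason and returns 1 on the first failure.
audit_su() {  # audit_su PAM_SU LOGIN_DEFS GROUP_FILE USER
    pam_wheel_enforced "$1" || { echo "FAIL: pam_wheel.so still commented out in $1"; return 1; }
    su_wheel_only_set "$2" || { echo "FAIL: SU_WHEEL_ONLY yes missing from $2"; return 1; }
    user_in_wheel "$4" "$3" || { echo "FAIL: $4 is not in the wheel group"; return 1; }
    echo "OK: su to root is restricted to wheel and $4 is a member"
}

# Constructed sample files: "before" mirrors a fresh install, "after" the
# state reached at the end of step [4].
write_samples() {  # write_samples DIR
    printf '#%%PAM-1.0\nauth  sufficient  /lib/security/$ISA/pam_rootok.so\n#auth  required  /lib/security/$ISA/pam_wheel.so use_uid\n' > "$1/su.before"
    printf '#%%PAM-1.0\nauth  sufficient  /lib/security/$ISA/pam_rootok.so\nauth  required  /lib/security/$ISA/pam_wheel.so use_uid\n' > "$1/su.after"
    printf 'PASS_MAX_DAYS 99999\n' > "$1/login.defs.before"
    printf 'PASS_MAX_DAYS 99999\nSU_WHEEL_ONLY yes\n' > "$1/login.defs.after"
    printf 'root:x:0:root\nwheel:x:10:root\n' > "$1/group.before"
    printf 'root:x:0:root\nwheel:x:10:root,centospub\n' > "$1/group.after"
}

d=$(mktemp -d)
write_samples "$d"
audit_su "$d/su.before" "$d/login.defs.before" "$d/group.before" centospub   # reports FAIL
audit_su "$d/su.after" "$d/login.defs.after" "$d/group.after" centospub      # reports OK
rm -rf "$d"
```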
[5] Establishing a PPPoE connection (users without xDSL access can skip this step)

[root@sample ~]# adsl-setup          ← start the PPPoE client setup tool
Welcome to the ADSL client setup.  First, I will run some checks on
your system to make sure the PPPoE client is installed properly...

LOGIN NAME

Enter your Login Name (default root):      ← enter the login name of your ADSL account

INTERFACE

Enter the Ethernet interface connected to the ADSL modem
For Solaris, this is likely to be something like /dev/hme0.
For Linux, it will be ethX, where 'X' is a number.
(default eth0):                            ← the network interface connected to the modem; the default is eth0

Do you want the link to come up on demand, or stay up continuously?
If you want it to come up on demand, enter the idle time in seconds
after which the link should be dropped.  If you want the link to
stay up permanently, enter 'no' (two letters, lower-case.)
NOTE: Demand-activated links do not interact well with dynamic IP
addresses.  You may have some problems with demand-activated links.
Enter the demand value (default no):       ← press Enter to accept the default

DNS

Please enter the IP address of your ISP's primary DNS server.
If your ISP claims that 'the server will provide dynamic DNS addresses',
enter 'server' (all lower-case) here.
If you just press enter, I will assume you know what you are
doing and not modify your DNS setup.
Enter the DNS information here:            ← enter your ISP's DNS server here; if you do not know it, press Enter to skip

PASSWORD

Please enter your Password:                ← enter the ADSL account password
Please re-enter your Password:             ← enter it again to confirm

USERCTRL

Please enter 'yes' (two letters, lower-case.) if you want to allow
normal user to start or stop DSL connection (default yes): no   ← enter "no": ordinary users may not start or stop the PPPoE connection

FIREWALLING

Please choose the firewall rules to use.  Note that these rules are
very basic.  You are strongly encouraged to use a more sophisticated
firewall setup; however, these will provide basic security.  If you
are running any servers on your machine, you must choose 'NONE' and
set up firewalling yourself.  Otherwise, the firewall rules will deny
access to all standard servers like Web, e-mail, ftp, etc.  If you
are using SSH, the rules will block outgoing SSH connections which
allocate a privileged source port.

The firewall choices are:
0 - NONE: This script will not set any firewall rules.  You are responsible
          for ensuring the security of your machine.  You are STRONGLY
          recommended to use some kind of firewall rules.
1 - STANDALONE: Appropriate for a basic stand-alone web-surfing workstation
2 - MASQUERADE: Appropriate for a machine acting as an Internet gateway
                for a LAN
Choose a type of firewall (0-2): 0         ← enter 0: no firewall rules are set here

Start this connection at boot time

Do you want to start this connection at boot time?
Please enter no or yes (default no): yes   ← enter "yes": connect to ADSL automatically at system startup

** Summary of what you entered **

Ethernet Interface: eth0
User name:          caun870293@ca.dti.ne.jp
Activate-on-demand: No
DNS:                Do not adjust
Firewalling:        NONE
User Control:       no
Accept these settings and adjust configuration files (y/n)? y   ← after checking that the settings are correct, enter "y"
Adjusting /etc/sysconfig/network-scripts/ifcfg-ppp0
Adjusting /etc/ppp/chap-secrets and /etc/ppp/pap-secrets
  (But first backing it up to /etc/ppp/chap-secrets.bak)
  (But first backing it up to /etc/ppp/pap-secrets.bak)

Congratulations, it should be all set up!
Type '/sbin/ifup ppp0' to bring up your xDSL link and '/sbin/ifdown ppp0'
to bring it down.
Type '/sbin/adsl-status /etc/sysconfig/network-scripts/ifcfg-ppp0'
to see the link status.
Then start the ADSL connection.

[root@sample ~]# adsl-start          ← start the ADSL connection
[root@sample ~]#                     ← after a moment the prompt returns; if no error message is shown, the connection succeeded

You can now use the "ifconfig" command to view the information (IP address, etc.) of each network interface.
[6] Forwarding root's mail

When the system reports an error or sends an important notification to the root user, have it forward the mail automatically to the mailbox we normally use, so that the relevant reports and logs are easy to check.

[root@sample ~]# vi /etc/aliases          ← edit aliases and add the following line at the end of the file
root: yourname@yourserver.com             ← your own e-mail address
[root@sample ~]# newaliases               ← rebuild the aliases database
/etc/aliases: 79 aliases, longest 19 bytes, 825 bytes total
[root@sample ~]# echo test | mail root    ← send a test mail to root

If it worked, the test mail arrives in the mailbox yourname@yourserver.com that you just entered.
[7] Updating the database of the locate command and enabling automatic updates

The locate command is a Linux tool for finding files by name. It works on a principle similar to Google Desktop Search on Windows: a database of file names is built in advance, so that the target file can be found quickly.

[root@sample ~]# vi /etc/updatedb.conf    ← edit the locate database update configuration file
DAILY_UPDATE=no                           ← find this line and change "no" to "yes"
DAILY_UPDATE=yes                          ← after the change; save and exit
[root@sample ~]# updatedb                 ← run the locate database update command; wait a moment
[root@sample ~]#                          ← the prompt returns when the update has finished
[8] Defining an unofficial yum repository

Some of the tools we will use while building the server do not exist in the official CentOS yum repository. Therefore we define an unofficial yum repository file so that the necessary tools can be installed through yum.

[root@sample ~]# vi /etc/yum.repos.d/dag.repo    ← create dag.repo, which defines the unofficial repository
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
gpgcheck=1
enabled=1
[root@sample ~]# rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt    ← import the GPG key of the unofficial repository
[9] Stopping the printing service

If you do not intend to provide a printing service, stop the printing service, which is set to start automatically by default.

[root@sample ~]# /etc/rc.d/init.d/cups stop     ← stop the printing service
Stopping cups:                                             [  OK  ]    ← "OK" means the service stopped successfully
[root@sample ~]# chkconfig cups off             ← disable automatic start of the printing service
[root@sample ~]# chkconfig --list cups          ← confirm the auto-start setting of the service
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off    ← run levels 0-6 are all "off": the printing service no longer starts at boot
[10] Stopping IPv6

In its default state CentOS has IPv6 enabled. Because we do not use IPv6, stop it for the sake of security and speed.

First, check whether IPv6 is currently enabled.

[root@sample ~]# ifconfig -a          ← list all network interfaces
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B6:16:A3
          inet addr:192.168.0.13  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feb6:16a3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10288 (10.0 KiB)  TX bytes:9337 (9.1 KiB)
          Interrupt:185 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:952 (952.0 B)  TX bytes:952 (952.0 B)

sit0      Link encap:IPv6-in-IPv4      ← the IPv6-in-IPv4 tunnel interface confirms that IPv6 is active
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Modify the configuration file to stop IPv6.

[root@sample ~]# vi /etc/modprobe.conf    ← edit the configuration file and add the following two lines at the end of the file
alias net-pf-10 off
alias ipv6 off
[root@sample ~]# shutdown -r now          ← restart the system so that the setting takes effect

Finally, verify that IPv6 is disabled.

[root@sample ~]# ifconfig -a          ← list all network interfaces
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B6:16:A3
          inet addr:192.168.0.13  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:84 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10288 (10.0 KiB)  TX bytes:9337 (9.1 KiB)
          Interrupt:185 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:952 (952.0 B)  TX bytes:952 (952.0 B)

(No IPv6 information ("inet6 addr" lines or the sit0 interface) is listed any more, which shows that IPv6 is disabled.)
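The verification above can also be done by script. The following is an added example, not part of the original tutorial: it checks a copy of /etc/modprobe.conf for the two alias lines and scans a saved "ifconfig -a" dump for remaining inet6 addresses and the sit0 tunnel. The dump and modprobe.conf contents it writes are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify the IPv6 settings
# from step [10] using a modprobe.conf copy and a saved "ifconfig -a" dump.
# The sample files written below are constructed.

# 0 if the modprobe.conf file ($1) contains both lines added in step [10].
ipv6_aliases_off() {
    grep -Eq '^[[:space:]]*alias[[:space:]]+net-pf-10[[:space:]]+off' "$1" &&
    grep -Eq '^[[:space:]]*alias[[:space:]]+ipv6[[:space:]]+off' "$1"
}

# Print, one per line, each interface in an ifconfig dump (stdin) that still
# shows an "inet6 addr:" line. Interface names start in column 1.
ifaces_with_inet6() {
    awk '/^[^ \t]/ { iface = $1 } /inet6 addr:/ { print iface }'
}

# 0 if the dump ($1) lists neither an inet6 address nor the sit0 tunnel.
ipv6_inactive() {
    [ -z "$(ifaces_with_inet6 < "$1")" ] && ! grep -q '^sit0' "$1"
}

# Constructed samples: a dump with IPv6 still up, and the state expected
# after the modprobe.conf change and reboot.
write_samples() {  # write_samples DIR
    cat > "$1/ifconfig.before" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B6:16:A3
          inet addr:192.168.0.13  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feb6:16a3/64 Scope:Link
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
EOF
    cat > "$1/ifconfig.after" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B6:16:A3
          inet addr:192.168.0.13  Bcast:192.168.0.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
EOF
    printf 'alias eth0 pcnet32\n' > "$1/modprobe.before"
    printf 'alias eth0 pcnet32\nalias net-pf-10 off\nalias ipv6 off\n' > "$1/modprobe.after"
}

d=$(mktemp -d)
write_samples "$d"
echo "interfaces with IPv6 before the change: $(ifaces_with_inet6 < "$d/ifconfig.before" | tr '\n' ' ')"
ipv6_aliases_off "$d/modprobe.after" && ipv6_inactive "$d/ifconfig.after" && echo "OK: IPv6 disabled"
rm -rf "$d"
```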