System Prep



Step 1: Now we will remove all software groups to get CentOS down to a minimum
Step 1.1: Run grouplist to see which software groups are installed:

yum grouplist



Step 1.2: Remove all groups that are installed EXCEPT “Yum Utilities”

yum groupremove "GroupName"



Step 2: Let's disable unneeded services:

chkconfig anacron off
chkconfig atd off
chkconfig auditd off
chkconfig cpuspeed off
chkconfig kudzu off
chkconfig netfs off
chkconfig ip6tables off
chkconfig smartd off
chkconfig pcscd off
chkconfig cups off
chkconfig mcstrans off
chkconfig nfslock off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig portmap off
chkconfig nfs off



Step 3.1: Use this command to check which services are set up to run:

chkconfig --list | grep :on



Step 3.2: You should have these services running:
anacron, crond, iptables, irqbalance, kudzu, mcstrans, network, readahead_early, restorecond, sshd, syslog, sysstat, yum-updatesd
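
An added example (not part of the original guide) that automates the Step 3.1/3.2 comparison: it reads `chkconfig --list` output and reports services that are on at one runlevel but not in an allowlist, and allowlisted services that are off. The allowlist is Step 3.2's list verbatim; the function names, the choice of runlevel 3 (multi-user, text mode) and the sample output are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original page. Allowlist copied from Step 3.2.
EXPECTED="anacron crond iptables irqbalance kudzu mcstrans network \
readahead_early restorecond sshd syslog sysstat yum-updatesd"

# audit_services RUNLEVEL "ALLOWLIST"  (reads `chkconfig --list` text on stdin)
# Prints "UNEXPECTED svc" for a service on at RUNLEVEL but not allowlisted,
# and "MISSING svc" for an allowlisted service that is not on at RUNLEVEL.
audit_services() {
    awk -v rl="$1" -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        # SysV lines look like: name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        # Skip blank lines and the xinetd section, which has no runlevel fields.
        NF != 8 || $2 !~ /^0:/ { next }
        {
            for (f = 2; f <= NF; f++)
                if ($f == (rl ":on")) {
                    if ($1 in want) seen[$1] = 1; else print "UNEXPECTED " $1
                }
        }
        END { for (i = 1; i <= n; i++) if (!(a[i] in seen)) print "MISSING " a[i] }
    '
}

# Constructed sample of `chkconfig --list` output (not captured from a real host).
sample_chkconfig() {
    cat <<'EOF'
anacron         0:off 1:off 2:off 3:off 4:off 5:off 6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups            0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
irqbalance      0:off 1:off 2:on  3:on  4:on  5:on  6:off
kudzu           0:off 1:off 2:off 3:off 4:off 5:off 6:off
mcstrans        0:off 1:off 2:off 3:off 4:off 5:off 6:off
network         0:off 1:off 2:on  3:on  4:on  5:on  6:off
portmap         0:off 1:off 2:off 3:off 4:off 5:off 6:off
readahead_early 0:off 1:off 2:on  3:on  4:on  5:on  6:off
restorecond     0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
syslog          0:off 1:off 2:on  3:on  4:on  5:on  6:off
sysstat         0:off 1:off 2:on  3:on  4:on  5:on  6:off
yum-updatesd    0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd based services:
        rsync:  off
EOF
}

sample_chkconfig | audit_services 3 "$EXPECTED"
```

On a real host, pipe `chkconfig --list` into `audit_services` instead of the sample. With Step 3.2's list used verbatim, anacron, kudzu and mcstrans are reported as MISSING once Step 2 has been applied, because Step 2 switches them off.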


Step 4: Let's upgrade CentOS to the newest version and install some tools:

yum -y upgrade
yum -y install wget bzip2 unzip zip fileutils gcc gcc-c++ ncurses-devel pam-devel libxml2-devel libxslt-devel
yum -y install binutils autoconf automake libtool zlib lsof man man-pages mlocate quota yum-utils
yum -y install sendmail rsync sysstat vixie-cron bzip2-devel m4 flex byacc wget which mailx


Step 5: Install and sync the NTP time service:

yum -y install ntp
chkconfig --levels 235 ntpd on
ntpdate 0.pool.ntp.org
/etc/init.d/ntpd start



Step 6: Install the EPEL repo, giving access to more software that's not in the CentOS base.

(32Bit) rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
(64Bit) rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm



Step 7: Install the RPMForge repo, giving access to more software that's not in the CentOS base.

(32Bit)
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
rpm -Uhv rpmforge-release-0.5.1-1.el5.rf.i386.rpm
(64Bit)
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm
rpm -Uhv rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm



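Step 8: This will change the minimum password length to 8. If you want a higher minimum length, change the number. The pattern is anchored to the start of the line so that only the setting is rewritten, not the comment line in the file that also mentions PASS_MIN_LEN.

sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 8/' /etc/login.defs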



Step 9.1: Changing server hostname:

nano -w /etc/sysconfig/network

Step 9.2: Find HOSTNAME= and change it to e.g. srv01.maxisecure.com or something else of your choice:

HOSTNAME=s01.yourdomain.com



Step 9.3: Now a reboot:

shutdown -r now
  • Austin

    Great stuff here. But would like to see a summary of what services we are shutting off above. I don’t know what half those things are, and am taking your word on it that I don’t need them!

    Great work on the site

  • Scott

    Cheers for making this info available.
    Some extra info about each step would make it less confusing to a novice linux user.

    For example, these look conflicting to me:
    Step 2: Disable unneeded services: chkconfig anacron off…
    Step 3.2: You should have these services running: anacron…

    Also, chkconfig --list | grep :on lists the runlevels. It's not obvious what to look for here, from your description. Which levels should something be on, or off at?

    Thanks for your time in setting up this site and making this info available.

  • neq

    Hello Austin, you can check what every package does with rpm -qi `rpm -qf /etc/init.d/portmap` ;)
    or
    for _P in anacron atd auditd cpuspeed kudzu netfs ip6tables smartd pcscd cups mcstrans nfslock rpcgssd rpcidmapd portmap nfs; do rpm -qi `rpm -qf /etc/init.d/${_P}`; done

    And if you just blindly follow instructions found on any website – this site is not for you ;(

  • http://www.froward.org Mike

    With all due respect, if you can’t identify at least 75% of what those things are that are being disabled, you shouldn’t be using a quick step guide, you should be reading a book :P

  • Arie

    In Step 2 kudzu, mcstrans are disabled, but you list them in Step 3.2

  • Nnyan

    I would add to install nano and then run updatedb

  • Ranjit

    Excellent information, really appreciate the publish. A little detailed explanation about the services would be great.

  • anatolijd

    Step4 – wget is mentioned twice

  • Nick

    Good evening to everyone (at least here is evening) :)

    I recently started using Linux, and more specifically CentOS.

    I want to build a server (I'm using the 5.4 ver) which has only the required services/packages.

    Is there any way (or advice) to find out which services my server needs?

    Thanks in advance
    Nick

  • alex

    Need one for debian! :)

  • oussama larhmich

    thinks SecureCentos Stuff

    Your are a Good Stuff

    Regards

  • http://ciprianpantea.blogspot.com/ Ciprian Pantea

    Hey,

    great stuff, keep more coming!

    What about atomic repo?

  • Sander Ouwejan

    Can I perform this howto on a live server?

  • http://twitter.com/belsemtech مؤسسة البلسم

    Sorry it’s Thanks not thinks :)

  • nequ

    I think there is an error in step 6. For 64 bit you must use this epel release:
    http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm