This blog post is primarily for my own benefit, so I have a list of the standard tasks, utilities, servers, scripts, and/or programs I like to install on vanilla Fedora / RedHat / CentOS Linux systems when I first set them up. But if you have suggestions for improving this list, please feel free to comment!

• If it’s a Fedora 14-15 box, turn on SSH with chkconfig sshd on (not needed on Fedora 15+)
• If it’s a box with NetworkManager installed, disable it with chkconfig NetworkManager off, and shut it off with service NetworkManager stop
• Edit the firewall settings to my liking.
• Install alpine (my fav shell-based mail client), which also installs the pico text editor.
• Change the default run level in /etc/inittab to 3.
• Disable SELinux in /etc/selinux/config.
• Set up aliases in my user home directory.
• Configure and enable NTP (automatic on Fedora 15+).
• Edit /etc/sudoers file to allow users in the wheel group to use sudo.
• Edit /etc/group to add my primary username to the wheel group (can be done at install with Fedora 15+)
• Run a yum update to bring everything up to date.
• yum groupinstall ‘Development Tools’
• Install lshw to have access to hardware info.
• If it’s a Dell server (most of mine are), I do a yum compat-libstdc++-33.i686 libstdc++.i686 libxml2.i686 to install all the libraries required to do firmware updates, then I update firmware as needed.
• Turn off unneeded services.
• Install DenyHosts via yum (an excellent script to help block hack attempts via ssh). I put explicitly allowed hosts in /var/lib/denyhosts/allowed-hosts, edit /etc/denyhosts.conf to turn on synchronization, do a checkconfig denyhosts on and then start the service. You can verify proper startup in /var/log/denyhosts
• Set ServerSignature Off in httpd.conf. Why give the hax0rs any more info than I have to?
• Install Fail2Ban to protect attacks against other ports. I turn off the SSH checks, since I prefer how they are handled by DenyHosts.
• Install lrzsz with yum
• Update to latest version of LogWatch (using install instructions from Cyber Sprocket Labs) using the official Logwatch RPM from SourceForge and then install postfix-logwatch
• Secure SSH connections following various suggestions from FedoraUnity
• If it’s a CentOS server, I install the epel repository and leave it enabled, and I install DAG’s repository and set it to disabled (I enable it for specific packages only).
• If it’s an incoming mail server, I install Amavis-new, ClamAV, and SpamAssassin
• If it’s an outgoing mail server, I compile and install the latest version of Postfix, then set up my main.cf and master.cf to lock it down tight.
• If it’s part of my main network, I install Nagios NRPE.
• If it’s a Dell server, I install Dell OMSA from the Dell repository.

Virtual Machine Guests

If it’s a VM guest system, which I’m usually setting up for RPM building and testing, I’ll also do:

yum install gcc kernel-devel kernel-headers rpm-build redhat-rpm-config rpmdevtools rpmlint ccache sendmail-devel openssl-devel git

and:

• Install Guest Additions
• As the RPM building user, do rpmdev-setuptree