Centos6
From Rivalug Wiki
Placeholder for Centos 6 notes
Centos 6.2 x86_64 Desktop
Documentation
- http://wiki.centos.org/Manuals/ReleaseNotes/CentOS6.2
- http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/index.html
Repositories
The following packages are recommended:
yum-plugin-fastestmirror yum-plugin-priorities yum-plugin-security yum-presto
possibly:
yum-utils yum-plugin-downloadonly
At install:
CR
yum install centos-release-cr
Epel
Import key from master mirror site
rpm --import http://download.fedora.redhat.com/pub/epel/RPM-GPG-KEY-EPEL-6
Confirm package from local mirror site with key
rpm -K http://mirror.vcu.edu/pub/gnu+linux/epel/6/x86_64/epel-release-6-5.noarch.rpm
You should get the following verification (the pgp entry shows the signature was checked against the imported key; a line with only digests, such as "sha1 md5 OK", means the package is unsigned, not that it was verified):
rsa sha1 (md5) pgp md5 OK
Install package from local mirror site
rpm -Uvh http://mirror.vcu.edu/pub/gnu+linux/epel/6/x86_64/epel-release-6-5.noarch.rpm
Since these packages were installed using rpm, the next time you use yum you will get:
Warning: RPMDB altered outside of yum
To summarize the commands for easy cut and paste:
rpm --import http://download.fedora.redhat.com/pub/epel/RPM-GPG-KEY-EPEL-6
rpm -K http://mirror.vcu.edu/pub/gnu+linux/epel/6/x86_64/epel-release-6-5.noarch.rpm
rpm -Uvh http://mirror.vcu.edu/pub/gnu+linux/epel/6/x86_64/epel-release-6-5.noarch.rpm
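A small wrapper for the import, verify, install sequence above, added here as an example (it is not from the wiki page). The point it guards against: rpm -K prints OK for an unsigned package as well, because then only the digests are checked, so a script has to insist that a pgp/gpg signature entry is present and that the line does not say NOT OK. The rpm -K output lines used in the test are constructed; the exact wording of that output differs between rpm versions, which is why the match is deliberately loose.

```shell
#!/bin/sh
# Added example, not from the wiki: gate "rpm -Uvh" on a real signature check.
# "rpm -K" prints "... OK" for an unsigned package too (digests alone are checked),
# so a script must insist on a pgp/gpg entry and the absence of "NOT OK".

# rpm_sig_ok LINE: return 0 only if LINE (one line of rpm -K output) shows a
# signature that verified OK against an imported key.
rpm_sig_ok() {
    case $1 in
        *"NOT OK"*) return 1 ;;           # bad signature, bad digest or missing key
    esac
    case $1 in
        *" OK"*) ;;                       # verification line ends in OK
        *) return 1 ;;
    esac
    # digests-only output ("sha1 md5 OK") has no signature entry; require one.
    # rpm versions differ in casing ("pgp", "PGP", "(GPG)"), so compare lower-cased.
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        *pgp*|*gpg*) return 0 ;;
    esac
    return 1
}

# verify_and_install FILE_OR_URL [KEY_URL]: import KEY_URL if given, check the
# package with rpm -K and install it only when rpm_sig_ok accepts the result.
verify_and_install() {
    pkg=$1
    key=$2
    if [ -n "$key" ]; then
        rpm --import "$key" || return 1
    fi
    out=$(rpm -K "$pkg" 2>&1)          # exit status is ignored; the text is judged
    if rpm_sig_ok "$out"; then
        echo "signature verified: $out"
        rpm -Uvh "$pkg"
    else
        echo "REFUSING to install: $out" >&2
        return 1
    fi
}

# Usage (runs only when arguments are given, so the functions can be sourced):
#   sh verify_rpm.sh http://mirror.vcu.edu/pub/gnu+linux/epel/6/x86_64/epel-release-6-5.noarch.rpm \
#                    http://download.fedora.redhat.com/pub/epel/RPM-GPG-KEY-EPEL-6
if [ $# -gt 0 ]; then
    verify_and_install "$@"
fi
```

The same wrapper works for the ElRepo and RepoForge packages below; pass the repository's key URL as the second argument.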
Rpmfusion
ElRepo
rpm --import http://elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -K http://elrepo.org/elrepo-release-6-4.el6.elrepo.noarch.rpm
rpm -Uvh http://elrepo.org/elrepo-release-6-4.el6.elrepo.noarch.rpm
Note: make sure you pick the correct package; I discovered the RHEL5 package will install under 6 without complaint.
RepoForge
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
rpm -K http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Solid State Disks
hdparm -I /dev/sda
Chrome
The download page gives you the choice of the x86_64 rpm for Fedora/. Installing Google Chrome adds the Google repository, so the system keeps Chrome up to date automatically. If you do not want Google's repository, run "sudo touch /etc/default/google-chrome" before installing the package.
- Chrome and Centos 5 http://www.cs.bham.ac.uk/~cxs548/chrome
- Flash and Chrome https://fedoraproject.org/wiki/Flash#Installing_the_plugin_on_Chrome
mkdir /opt/google/chrome/plugins
ln -s /usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so /opt/google/chrome/plugins/nswrapper_32_64.libflashplayer.so
Nvidia Proprietary drivers
http://elrepo.org/tiki/kmod-nvidia
DNS Problems
Slow connections and slow SSH logins caused by a DNS lookup problem involving IPv6 and the firewall:
- http://www.cyberciti.biz/faq/rhel-redhat-centos-slow-dns-on-linux-with-ipv6-configured-firewall/
- https://stomp.colorado.edu/blog/blog/2011/06/29/on-rhel-6-ssh-dns-firewalls-and-slow-logins/
Security
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/
Force password change on first login
chage -d 0 <account>
Even better, also set an inactivity period: -I 10 locks the account 10 days after its password has expired, that is 10 days after the last change plus the maximum age (-M), not 10 days after the last login. Check the result with chage -l and try it on a throwaway account before relying on it.
chage -d 0 -I 10 <account>
To see a user's current account expiry information:
chage -l <account>
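To audit an existing system for accounts in each of these states without running chage -l per user, the following shell function (an added example, not from the wiki) reads /etc/shadow fields and applies the same checks login does, in the order pam_unix applies them: account expiry date, then last-change day 0 (the chage -d 0 case), then the inactivity lock (chage -I), then plain password expiry (chage -M). The shadow lines and the "today" day number used in the test are constructed. One consequence of that order is worth knowing: while the last-change day is 0, "must change password" is reported before the inactivity check is reached, so the -I window only starts counting once the user has actually set a password and a maximum age is in force.

```shell
#!/bin/sh
# Added example, not from the wiki: report the login-time state of accounts from
# /etc/shadow fields, applying the checks in the order pam_unix applies them:
# account expiry, then last-change day 0 (chage -d 0), then the inactivity lock
# (chage -I), then plain password expiry (chage -M).
# shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# today_days: current date as days since 1970-01-01, the unit /etc/shadow uses.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_state LINE TODAY: print "<name>: <state>" for one shadow line.
shadow_state() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '{
        name = $1; last = $3; max = $5; inact = $7; expire = $8
        if (expire != "" && expire + 0 != -1 && today >= expire + 0) {
            print name ": account expired"; next              # chage -E date passed
        }
        if (last != "" && last + 0 == 0) {
            print name ": must change password at next login"; next   # chage -d 0
        }
        if (last != "" && max != "" && inact != "" && max + 0 != -1 && inact + 0 != -1 &&
            today - last > max + inact) {
            print name ": locked, password expired and inactivity period passed"; next
        }
        if (last != "" && max != "" && max + 0 != -1 && today - last > max) {
            print name ": password expired, change required"; next
        }
        print name ": ok"
    }'
}

# shadow_audit [FILE] [TODAY]: run shadow_state over every line of FILE
# (default /etc/shadow, which needs root to read).
shadow_audit() {
    file=${1:-/etc/shadow}
    today=${2:-$(today_days)}
    while IFS= read -r line; do
        shadow_state "$line" "$today"
    done < "$file"
}
```

Run shadow_audit as root on the live file, or point it at a copy with a fixed "today" value to see how accounts will look on a given date.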
FIPS mode
- http://en.wikipedia.org/wiki/FIPS_140-2
- https://stomp.colorado.edu/blog/blog/2010/06/28/on-rhel-5-and-fips-mode/
- http://people.redhat.com/sgrubb/files/RHEL6-Security-Overview-2010.pdf
psad
Install the following perl rpm packages:
yum install perl-Bit-Vector perl-Date-Calc perl-IPTables-Parse perl-Net-IPv4Addr perl-Unix-Syslog
Install the build tools needed to compile the remaining perl modules, which are not available as rpm packages, from CPAN into /usr/local/:
yum install perl-ExtUtils-MakeMaker perl-Test-Simple
Download and unarchive:
wget http://search.cpan.org/CPAN/authors/id/M/MR/MRASH/IPTables-ChainMgr-0.9.tar.gz
wget http://search.cpan.org/CPAN/authors/id/A/AM/AMS/Storable-2.30.tar.gz
In each of the source directories do:
perl Makefile.PL PREFIX=/usr/local/
make
make test
sudo make install
To verify each module is installed (and found on perl's include path) do:
perl -MIPTables::ChainMgr -e 'print "$IPTables::ChainMgr::VERSION\n"'
perl -MStorable -e 'print "$Storable::VERSION\n"'
Install psad in /usr/local/
./install.pl --help
Or, installing from rpm:
Download and unarchive, cd to the psad-2.1.7 directory
rpm -Uvh psad-2.1.7-1.x86_64.rpm
cd /etc/psad/
ln -s ./psad.conf ./psadwatchd.conf
edit /etc/psad/psad.conf (email address and/or hostname) and point it at the iptables log file:
IPT_SYSLOG_FILE /var/log/iptables;
service psad start
iptables
/etc/sysconfig/iptables (once you hand-edit this file, do not run system-config-firewall again: it rewrites the file and discards your changes, which is what the header comment is warning about):
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# persistent blacklist
# packets dropped here are not logged
# common network broadcasts which can be ignored
#-A INPUT -p udp -m udp -s <non-authoritative ntp> --dport 123 -j DROP
# windows file sharing
#-A INPUT -p udp -m udp -s <windoze machine> --dport 137:138 -j DROP
-A INPUT -p udp -m udp --dport 137:138 -j DROP
# ipv4 dhcp server
-A INPUT -p udp -m udp -d 255.255.255.255 --dport 67 -j DROP
#
# Microsoft Office OS X antipiracy broadcasts
#-A INPUT -p udp -m udp -d 255.255.255.255 --dport 2222 -j DROP
#-A INPUT -p udp -m udp -d 255.255.255.255 --dport 2223 -j DROP
# dropbox lansync
-A INPUT -p udp -m udp --sport 17500 --dport 17500 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# disable ICMP timestamp requests and responses
#-A INPUT -p ICMP --icmp-type timestamp-request -j DROP
#-A INPUT -p ICMP --icmp-type timestamp-reply -j DROP
# accept other pings
-A INPUT -p icmp -j ACCEPT
# loopback - never block
-A INPUT -i lo -j ACCEPT
# trusted interface
#-A INPUT -i eth1 -j ACCEPT
# accept ssh
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#web
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#ntp
-A INPUT -m udp -p udp -s <NTP_SERVER> --sport 123 -d 0/0 --dport 123 -j ACCEPT
#-A INPUT -m udp -p udp -s <NTP_SERVER> --sport 123 -d 224.0.1.1/32 --dport 123 -j ACCEPT
# log all packets that are about to be rejected (rate limited)
-A INPUT -m limit --limit 5/m --limit-burst 20 -j LOG --log-prefix " IPv4 INPUT " --log-level debug
-A FORWARD -m limit --limit 5/m --limit-burst 20 -j LOG --log-prefix " IPv4 FORWARD " --log-level debug
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
ip6tables
/etc/sysconfig/ip6tables:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
## ipv6 dhcp broadcast (needs fixing)
##-A RH-Firewall-1-INPUT -p udp -m udp -d ff02:0000:0000:0000:0000:0000:0001:0002 --dport 547 -j DROP
#-A INPUT -p udp --dport 547 -d ff02::1:2 -j DROP
## ipv6 LLMNR - Link Local Multicast Name Resolution - a Microsoft thing
#-A INPUT -p udp --dport 5355 -d ff02::1:3 -j DROP
# ipv6 mDNS broadcasts
# http://forums.fedoraforum.org/archive/index.php/t-148198.html
#-A INPUT -p udp --dport 5353 -d ff02::fb -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/m --limit-burst 20 -j LOG --log-prefix " IPv6 INPUT " --log-level debug
-A FORWARD -m limit --limit 5/m --limit-burst 20 -j LOG --log-prefix " IPv6 FORWARD " --log-level debug
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
handling firewall logging
- Enable logging in iptables and ip6tables (see above)
edit /etc/sysconfig/iptables and /etc/sysconfig/ip6tables
- Send logging to different log file
touch /var/log/iptables
chown root:root /var/log/iptables
chmod 600 /var/log/iptables
edit /etc/rsyslog.conf
Option 1:
# Log dropped packets from iptables
kern.=debug /var/log/iptables
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
The above matches every kernel message at debug level, so unrelated kernel debug messages may still end up in the iptables log. If so, try
Option 2: match on the log prefix instead. Make sure this is before all other rules, because the "& ~" line discards the matched message so it does not also reach /var/log/messages - http://unix.stackexchange.com/questions/16053/how-to-redirect-kernel-messages-having-the-unique-id-substring-into-separate-log
# direct these messages to iptables log
:msg, startswith, " IPv" -/var/log/iptables
& ~
touch /var/log/iptables
chown root:root /var/log/iptables
chmod 600 /var/log/iptables
service rsyslog restart
- Enable log rotation on new file
create /etc/logrotate.d/iptables
/var/log/iptables {
missingok
notifempty
create 0600 root root
}
- Logwatch
add: /etc/logwatch/conf/logfiles/iptables.conf
LogFile = iptables
- Ossec
edit ossec.conf add to "Files to monitor" section
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/iptables</location>
</localfile>
service ossec restart
- Psad
edit /etc/psad/psad.conf (email address and/or hostname) and point it at the iptables log file:
IPT_SYSLOG_FILE /var/log/iptables;
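Once the LOG lines land in /var/log/iptables, a quick summary of what is being rejected is usually what you want before turning to the psad or logwatch reports. The following awk-based shell function is an added example (not from the wiki) that parses the kernel LOG format written by the rules above, keyed on the " IPv4 INPUT " / " IPv6 INPUT " / " ... FORWARD " prefixes, and counts rejected packets per source address, protocol and destination port. The lines in sample_log are constructed, using RFC 5737 and RFC 3849 documentation addresses, and include one unrelated kernel message to show that it is skipped.

```shell
#!/bin/sh
# Added example, not from the wiki: summarise the kernel LOG lines that the
# " IPv4 INPUT " / " IPv6 INPUT " / " ... FORWARD " rules above write to
# /var/log/iptables, counting rejected packets per source, protocol and
# destination port.

# iptables_log_summary [FILE...]: read LOG lines from FILEs or stdin and print
# "<count> <src> <proto> <dport>" lines, most frequent first. Lines without the
# firewall prefix (other kernel messages that leaked into the file) are ignored.
iptables_log_summary() {
    awk '
    / IPv[46] (INPUT|FORWARD) / {
        src = ""; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# sample_log: constructed log lines in the format rsyslog writes for the LOG
# rules above (RFC 5737 / RFC 3849 documentation addresses, no real hosts).
sample_log() {
    cat <<'EOF'
Jun 12 10:01:02 host kernel:  IPv4 INPUT IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1001 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:01:03 host kernel:  IPv4 INPUT IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1002 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:01:04 host kernel:  IPv4 INPUT IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1003 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 12 10:01:05 host kernel:  IPv4 INPUT IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=203.0.113.5 DST=224.0.0.251 LEN=120 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=100
Jun 12 10:01:06 host kernel:  IPv6 INPUT IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:04:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51000 DPT=22 WINDOW=28800 RES=0x00 SYN URGP=0
Jun 12 10:02:00 host kernel: usb 1-1: new high speed USB device number 2 using ehci_hcd
EOF
}

# demo: run the summary over the constructed sample.
demo() {
    sample_log | iptables_log_summary
}
```

On a live system run iptables_log_summary /var/log/iptables (or pipe a rotated file into it); three SYNs to port 22 from one source in a few seconds, as in the sample, is the kind of pattern psad's scan detection is built to alert on.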
References:
- http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
- http://www.linuxtopia.org/Linux_Firewall_iptables/x4238.html
- http://blog.shadypixel.com/log-iptables-messages-to-a-separate-file-with-rsyslog/
Flash
Adobe
For adobe flash plugin
- Go to: http://get.adobe.com/flashplayer/otherversions/
- Select Operating System: Linux 64-bit
- Select version: Flash Player 11 for other Linux (YUM) 64-bit
- Press download
yum install flash-plugin
rpmforge
yum install flash-plugin.x86_64
