CentOS 5.5 in a flash

What’s all this, then?

Every once in a while I have to set up, in rather quick fashion, a new GUI-less CentOS server for hosting services, databases, web sites, what have you. Here’s a quick and dirty (and extremely basic) list of things you’ll want to do on a clean installation to get it situated. It’s also a great starting point if you’re creating an instance on any virtualized cloud service that allows you to create snapshots, which you can then deploy at a moment’s notice into a new instance. Since CentOS is essentially Red Hat Enterprise Linux, these steps also work wonderfully with RHEL.

Start with the überbasics

Set the time zone by linking the /etc/localtime to the zone file. In my case, most of my servers operate in the US Central time zone, so I’ve picked CST6CDT:

ln -fs /usr/share/zoneinfo/CST6CDT /etc/localtime

Make sure all packages on the server are totally updated, and install some basic packages for time synchronization, socket and route testing, DNS testing, and of course vim (my personal favorite; you no doubt have yours as well) to edit a few configuration files below:

yum update
yum install ntp traceroute telnet bind-utils vim-enhanced

Secure things a tad bit

Next, for a little bit of security, and so logwatch doesn’t email you a huge list of failed SSH attempts every morning (and so nobody gains access to your server by some rare chance), change sshd’s listening port number; I usually pick something obnoxious, far, far away from 22. (Obviously this doesn’t fully prevent someone from finding the port by scanning every possible port, but it helps a little bit.)

vim /etc/ssh/sshd_config

    Port NEWPORTNUMBER

Then reload sshd’s configuration immediately. This will not disconnect you, since your session is handled by an already-running sshd child process that is separate from the master daemon re-reading the configuration.

service sshd reload

Remember to update your iptables rules with the new port number you chose above. You might want to restrict SSH based on source IP address, but below, for simplicity’s sake, I simply open the off-the-wall port number to everyone.

vim /etc/sysconfig/iptables

    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]

    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    -A INPUT -m state --state NEW -m tcp -p tcp --dport NEWPORTNUMBER -j ACCEPT

    COMMIT
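A sanity check worth running before the iptables restart in the next step (and before the reboot further down): confirm that the Port in sshd_config is actually accepted by the rules file, so a stale rule still pointing at the old port doesn’t leave you unable to open new SSH sessions. This is an added example, not part of the original post; the file paths are passed in as arguments and the sample files (port 2222 standing in for NEWPORTNUMBER) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check that the Port set in
# sshd_config has a matching ACCEPT rule in the iptables rules file before
# running "service iptables restart". A stale rule referencing the old port
# means no new SSH session can be opened after the restart.

# Print the Port directive from an sshd_config file (sshd's default 22 if unset).
sshd_port() {
  port=$(awk '$1 == "Port" { print $2; exit }' "$1")
  echo "${port:-22}"
}

# Succeed if the rules file has an INPUT ACCEPT rule for tcp traffic to port $2.
iptables_allows_tcp_port() {
  grep -Eq -- "^[[:space:]]*-A INPUT .*-p tcp .*--dport $2( |$).*-j ACCEPT" "$1"
}

# $1 = sshd_config path, $2 = iptables rules file path. Returns 0 when consistent.
check_ssh_port_consistency() {
  port=$(sshd_port "$1")
  case "$port" in
    ''|*[!0-9]*) echo "ERROR: invalid Port '$port' in $1" >&2; return 2 ;;
  esac
  if iptables_allows_tcp_port "$2" "$port"; then
    echo "OK: sshd on port $port is accepted by $2"
  else
    echo "WARNING: sshd on port $port but $2 has no ACCEPT rule for it" >&2
    return 1
  fi
}

# Constructed sample files (2222 stands in for the post's NEWPORTNUMBER).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/sshd_config" <<'EOF'
#Port 22
Port 2222
EOF
cat > "$tmpdir/iptables.ok" <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
EOF
cat > "$tmpdir/iptables.stale" <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
EOF

check_ssh_port_consistency "$tmpdir/sshd_config" "$tmpdir/iptables.ok"
```

On a real box, call it as check_ssh_port_consistency /etc/ssh/sshd_config /etc/sysconfig/iptables and only restart iptables when it prints OK.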

Be sure to restart iptables so that the change goes into effect immediately. This will not disconnect you, either, as your current connection falls under the ESTABLISHED state and is therefore matched by the ESTABLISHED,RELATED ACCEPT rule above.

service iptables restart

Next, disable SELinux in its config file and, if it is currently enforcing, switch it to permissive mode for the running session with setenforce, as it tends to be a major pain in the ass for any server admin who knows how to manage things properly:

vim /etc/selinux/config
    SELINUX=disabled

setenforce 0

Stave off an identity crisis

Change the machine’s hostname and the DNS resolver’s default search domain. This is especially helpful if you deploy an army of servers whose names fall under the same domain:

vim /etc/sysconfig/network
    HOSTNAME=my.full.host.domainname.com

vim /etc/resolv.conf
    search domainname.com
    domain domainname.com

Cross your fingers

Reboot to make sure everything comes back up as intended. This is especially important if SELinux was previously enabled on your server, as it can have funky effects on the availability of running services until a reboot:

reboot

Once the server’s back up, make sure the time zone settings stuck by checking the date and time:

date

It will take the newly installed ntpd a while to work out how much your clock drifts, so if you’re impatient and want to synchronize immediately, use ntpdate with a reliable time source (I tend to use ntpdate time.apple.com when in a rush). Just be sure to stop ntpd while you do this, then fire it back up; otherwise ntpdate will complain that the NTP port is already in use.

Voila and so forth

Everything should be just peachy now, and ready to either create a snapshot for a barebones, baseline image, or begin installing packages specific to the duties of this machine.
