Standard Redhat RHEL 4 AS Server Build

The Standard Linux Server build was designed around the RHEL 4 release to document all processes related to installing Linux AS4 server software, securing the system, setting up monitoring, setting up backups and verifying that all required services are operational in accordance with best practices.

Installation 3

Remove Unneeded Pacakges 5

Disable Services 5

Network Configuration 6

Install Package Management and Patch the System 6

Install xinetd 7

Install Other Packages 7

Install and Configure NTP 8

Install VMWare Tools 9

Security and Configuration Standards 9

Security Banners 9

IPTables Configuration 10

Kernel Parameters 11

Process and File Handle Limits 11

Inittab Setting 12

Default Password Expiration 12

Restrict Root Access 12

Create User Account(s) 12

Configure Sendmail 13

Limit Failed Logins 13

Register System with Redhat 14

Create Standard Mountpoints 14

Reboot the System 14

Install Netbackup 14

Configure Big Brother 15


  • Boot the system from Redhat Enterprise Linux 4 disc 1.
  • When prompted, press enter to start the install in graphical mode.
  • Skip the media check (unless you want to spend an hour having it scan the disc for errors.)
  • Welcome Screen: Click “Next”
  • Language Selection: English should be selected. Click “Next”.
  • Keyboard Configuration: U.S. English should be selected. Click “Next”.
  • Disk Partitioning: Select “Manually partition with Disk Druid” and click “Next”.

If it says that the partition table was unreadable and asks if you want to destroy all data on the drive, click “Yes”. Using the interface, set up the following partitions with at least as much disk space as is listed:

To Create LVM Volumes:

Chose your structure based upon server type while keeping in mind that it's always good to separate out your /var /tmp and any logging filesystems so you don't fill up / and bring your system to a halt..... Also, if it's a file server with /home directories for users you will definately want a separate mount point for /home, preferably an LVM so you can grow the filesystem when necessary.

o Make a new, ext3 for “/boot” of at least 150MB – Click on New. In the Add Partition dialog box, change the file system type to ext3. Set size to 150MB and select Fixed size as well as option to force to be a primary partition.

o Make a new, LVM PV – Click on New. In the Add Partition dialog box, change the file system type to physical volume (LVM). Make the size such that you have a substantial amount of space to accommodate “swap”, “/” and “/var” plus 64MB for partition overhead. The size will be a minimum of 18496MB in our case. Be sure not to check the option force to be a primary partition and Fixed Size.

o Now click on LVM. In the Make LVM Volume Group dialog box, we’re going to add three logical volumes. First add the swap space (file system type = swap) of size 2048, and then add mount point “/” (type ext3) and give it 18000MB, and finally add mount point “/var” (type ext3) and give it 4096MB.

o If the partitioning gets confused in some way, just click back, and then click “Next” to start the partitioning over again.

Mount Point

Filesystem Type

Size (MB)




18000 +

8192 for smaller systems









4096 +




Dependent on available disk




All space left




This is optional (you don't want this on some database servers, i.e. use 14MB on Oracle server)

Click “Next” when you are done with partitioning.

  • Boot Loader Configuration: Accept the defaults, and click “Next”.
  • Network Configuration: Configure the settings as needed, and click “Next”.
  • Firewall Configuration: Enable the firewall, and select to only allow SSH and FTP access. Change 'Enable SELinux?' to 'Warn'. Click “Next”.
  • Additional Language Support: Click “Next”.
  • Time Zone Select: Enable 'System clock uses UTC'. Select 'America/Chicago' for the location. Click “Next”.
  • Set Root Password: Enter the current root password twice, and click “Next”.
  • Package Installation Defaults: Select 'Customize software packages to be installed' and click “Next”.
  • Package Group Selection (Also review Appendix A kickstart file): Select Minimal Install
  • About to Install: Click “Next”, and then click Continue at the popup window.

The system will now partition the hard disk, format the file systems, and install the software. It will ask to switch discs: do so and click OK. When the install is finished, remove the CD from the drive and click the Reboot button.

Remove Unneeded Pacakges

The first thing we need to do is remove some packages that contain unnecessary software that carries serious security risks. Run the following command as root:

rpm --erase rsh rdate talk rdist tog-pegasus-devel tog-pegasus redhat-lsb-3.0-8.EL.i386 redhat-lsb-3.0-8.EL.x86_64 redhat-lsb

Next, we need to remove some packages that are generally only useful for desktop systems, and not used on our servers. Run the following command (if you encounter errors you must go back and run one command at a time and resolve errors as you proceed i.e. rpm –e wvdial by itself followed by the next package until all have been removed):

rpm --erase wvdial rp-pppoe ppp isdn4k-utils irda-utils anacron redhat-lsb at pcmcia-cs lftp bluez-utils bluez-bluefw bluez-hcidump bluez-libs NetworkManager-gnome NetworkManager wireless-tools vconfig lksctp-tools lksctp-tools-devel OpenIPMI OpenIPMI-libs lha

64 bit:

If you get error: "bluez-libs" specifies multiple packages

rpm -qa --queryformat "%{NAME}-%{VERSION}.%{ARCH} \n" | grep bluez-libs |sort




Then run:

rpm –e bluez-libs-2.10.i386 bluez-libs-2.10.x86_64

If you get error: Failed dependencies: is needed by (installed) bluez-pin 0.23-3.x86_64

Then remove the dependency with:

rpm –e bluez-pin

Then return to previous command to remove the primary package/s

Disable Services

To disable a service, use the command:

chkconfig --levels 123456 [servicename] off

Where [servicename] is the name of the service.

The following are the services that should be disabled:

Service name(s)



This is an older power-management system. Disable on VMWare hosts.


Only required if you are printing from this server.


This throttles CPU speed to save power. You MUST disable this on VMware clients, otherwise it plays havoc with the system's timekeeping.


Console mouse service. Marginally useful at best.


Disk monitoring for IDE. Disable on VMWare hosts and on servers that are using SCSI disks.


Mounts network filesystems (NFS, Samba, etc.) Not needed if you are not mounting network filesystems.


Only useful if you have applications that want to use raw disk space (like Oracle)

rpcidmapd portmap nfslock rpcgssd

These are only needed if you are using the system as an NFS server.

Network Configuration

Configure any additional network settings on the system that were not configured, or incorrectly configured, during the installation. The interface configuration files can be found in /etc/sysconfig/network-scripts

For example (ifcfg-eth0):



BROADCAST= ##### set to correct Broadcast

HWADDR= ##### leave as is



NETMASK= ##### set to correct SM

IPADDR= ##### set to correct IP

GATEWAY= ##### set correct GW

Make sure that /etc/hosts looks like the following: localhost localhost.localdomain server-new ##### set correct hostname and IP here

Make sure that /etc/resolv.conf looks like the following:

search pvalentino.lan



Make sure /etc/sysconfig/network has the hostname

Make sure you can access the network, and resolve any problems before continuing, as the following steps require network access.

Install Package Management and Patch the System

Refer to my other document regarding Centralized YUM setup to use these settings, otherwise just point your yum.conf to the appropriate internet based repository for your build.

Run the following as root to install YUM, the package management system:

mkdir /root/yum ; cd /root/yum

For 32 bit systems:


tar xzf yum-rhel4-i386.tar.gz

tar zxvf yum-rhel4-i386.tar.gz

rpm -ivh *.rpm

cd /root

rm -rf yum

For 64 bit systems:


tar xvf yum-rhel4-x86_64.tar

cd yum_install

rpm -ivh *.rpm

cd /root

rm -rf yum

Now, run the following to patch the system to the latest patch revisions:

32 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y update

64 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y update

After the patching is completed, reboot the system.

Install xinetd

This doesn't get installed in some cases. It is needed for having Netbackup installed. Run the following:

32 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf install xinetd

64 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf install xinetd

Then run:

service xinetd start

Install Other Packages

Run the following to ensure we didn’t miss any required packages:

On 32 bit systems:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y install openldap-clients emacs mkisofs net-snmp net-snmp-libs net-snmp-utils

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y install compat-libgcc-296 compat-glibc compat-libstdc++-33 compat-libstdc++-296 gcc-c++ dev86

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y install samba samba-client

Or for 64 bit systems:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install openldap-clients emacs mkisofs net-snmp net-snmp-libs net-snmp-utils

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install compat-libgcc-296 compat-glibc compat-libstdc++-33 compat-libstdc++-296 gcc-c++ dev86

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install samba samba-client

Install and Configure NTP

Run the following to install the NTP service:

32 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf install ntp

64 bit:

yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install ntp

Run the following to configure NTP:

cat <<EOF > /etc/ntp.conf

restrict mask


driftfile /var/lib/ntp/drift

broadcastdelay 0.008

authenticate yes

keys /etc/ntp/keys


echo "" > /etc/ntp/step-tickers

echo "" > /etc/ntp/ntpservers

For ESX…

Run the following command. This opens the appropriate ports and enables the NTP daemon to talk with the external server.

esxcfg-firewall --enableService ntpClient

Restart the NTP service…

service ntpd restart

To enable the NTP daemon to autostart when the server is rebooted, run:

chkconfig --level 345 ntpd on

Monitor the NTP service as desired:
To see the offset (in seconds) between the local clock and the source clock, run:

ntpdate -q

sync. the Hardware Clock with ESX system.
hwclock --systohc

If you are running a VMWare host, you will also want to edit /etc/grub.conf and add "clock=pit" to the end of the first entry's "kernel" line, like such:

kernel /vmlinuz-2.6.9-42.0.10.ELsmp ro root=LABEL=/ clock=pit

This will set the kernel to use a different method for counting clock ticks which is more compatible with running under the VMWare environment.

Install VMWare Tools

If the server is a VMWare host, you will need to install the VMWare tools package.

Open the console for the system, and log in as root. You MUST do this from the console, and not from a SSH session.

Select "Install VMWare Tools..." from the "VM" menu on the console window. On the system, do the following:

  • mount /media/cdrom
  • cd /root
  • tar xvzf /media/cdrom/VMwareTools*tar.gz
  • umount /media/cdrom
  • cd vmware-tools-distrib
  • ./
  • Accept all the defaults
  • Reboot the system after the install finishes.

Security and Configuration Standards

Security Banners

Run the following to set the standard pvalentino security banner:

cat <<EOF > /etc/issue


* pvalentino's systems must only be used for conducting pvalentino's *

* business or for purposes authorized by pvalentino. *

* *


* *

* Use is subject to audit at any time by pvalentino. *

* *



/bin/cp -f /etc/issue /etc/

/bin/cp -f /etc/issue /etc/motd

IPTables Configuration

Edit /etc/sysconfig/iptables to contain the following:

cp /etc/sysconfig/iptables iptables.bak

cat <<EOF > /etc/sysconfig/iptables





:RH-Firewall-1-INPUT - [0:0]

:NETBACKUP - [0:0]

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

-A RH-Firewall-1-INPUT -p 50 -j ACCEPT

-A RH-Firewall-1-INPUT -p 51 -j ACCEPT

-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT


#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT

#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT

#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT


# Netbackup ports get filtered to the NETBACKUP chain

-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13701 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13711 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13720:13724 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13782:13783 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13701 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13711 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13720:13724 -j NETBACKUP

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13782:13783 -j NETBACKUP

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

##### End of RH-Firewall-1-INPUT definitions #####

# Netbackup chain -- only allow netbackup ports to/from netbackup servers





-A NETBACKUP -j REJECT --reject-with icmp-port-unreachable



And then restart IPTables:

service iptables restart

Kernel Parameters

Run the following:

cat <<EOF >> /etc/sysctl.conf

kernel.shmmax = 2147483648

kernel.shmmni = 4096

kernel.shmall = 2097152

kernel.sem = 250 32000 100 128

fs.file-max = 104032

net.ipv4.ip_local_port_range = 1024 65000

net.core.rmem_default = 1048576

net.core.rmem_max = 1048576

net.core.wmem_default = 262144

net.core.wmem_max = 262144


then run sysctl -p

For Oracle:

# replace kernel.shmmax from above with the following parameters for ORACLE db server

kernel.shmmax = 4294967296

You will need to reboot the system to properly affect these changes -- the system will be rebooted in a later step of this document.

Process and File Handle Limits

Add the following lines to /etc/security/limits.conf:

* hard nproc 8192

* hard nofile 8192

Oracle specific:


file-max = 65536

/etc/sercurity/limits.conf modifications:
Open file descriptors - system wide <nofile> 65536Max procs for a single user - system wide <nproc> 16384
oracle soft nproc 15360
oracle hard nproc 16384
oracle soft nofile 64512
oracle hard nofile 65536

Add this line to /etc/pam.d/login if it doesn't already exist:
session required

Inittab Setting

/etc/inittab needs to be modified to ensure that the system boots to runlevel 3. Edit /etc/inittab and look for the line that has the word initdefault in the third colon-delimited field, like this:


If the number in the second field is not 3, change it.

Default Password Expiration

pvalentino standard is that passwords should expire after 90 days, and must be at least 7 characters in length. Edit /etc/login.defs and update the following lines:





Create User Account(s)

Since root access is limited to the console, you will need to add a personal account in order to ssh into the system and su to root. Run the following:

To create an oracle user (only required on an Oracle server):

groupadd -g 502 oinstall ; useradd –m -u 500 -g oinstall oracle ; passwd oracle

To create a standard user:

useradd -m -u 701 [username] ; passwd [username]

# replace [username] with the appropriate username

NOTE! Be sure to su – username to a standard user before changing the following settings

Restrict Root Access and Enable Public Key Authentication

Root access should only be done via the system console.

Edit /etc/ssh/sshd_config and look for the line that reads:

#PermitRootLogin yes

Change that to read:

PermitRootLogin no

Remove comment markers from beginning of the following two lines.

PubkeyAuthentication yes

AuthorizedKeysFile .ssh/authorized_keys

Save the file and exit the editor. Then run the following:

service sshd restart

Configure Sendmail

Sendmail must be configured to send out email. Edit /etc/mail/ and find the lines that read:

# "Smart" relay host (may be null)


Change it to read:

# "Smart" relay host (may be null)

Save and exit. Then run:

service sendmail restart

Limit Failed Logins

Through use of the Pluggable Authentication Modules (PAM), we can lock out multiple failed login attempts. To install, first run:

touch /var/log/faillog

Edit /etc/pam.d/system-auth and add to the top of the auth lines:

auth required /lib/security/$ISA/ onerr=fail no_magic_root

Add to the bottom of the account lines:

account required /lib/security/$ISA/ deny=3 reset no_magic_root

Save and quit.

To see who currently has failed login attempts, run the command:


To unlock an account, run:

/sbin/pam_tally --user username --reset

Lockdown SU and SUDO Access

Add users that require access to root to the wheel group:

usermod -G wheel <username>

Add following line to /etc/pam.d/su

auth required /lib/security/$ISA/ use_uid

cp /etc/pam.d/su /etc/pam.d/su.bak

cat <<EOF > /etc/pam.d/su


auth sufficient /lib/security/$ISA/

auth required /lib/security/$ISA/ use_uid

# Uncomment the following line to implicitly trust users in the "wheel" group.

#auth sufficient /lib/security/$ISA/ trust use_uid

# Uncomment the following line to require a user to be in the "wheel" group.

#auth required /lib/security/$ISA/ use_uid

auth required /lib/security/$ISA/ service=system-auth

account required /lib/security/$ISA/ service=system-auth

password required /lib/security/$ISA/ service=system-auth

session required /lib/security/$ISA/ service=system-auth

session optional /lib/security/$ISA/


using visudo command add entries as follows:

# for full admin
username ALL=(ALL) ALL

Register System with Redhat

The system should be registered with Redhat for monitoring and support purposes. First, import Redhat's GPG key into the RPM system with the following command:

rpm --import /usr/share/rhn/RPM-GPG-KEY

Then run the following to register the system:

up2date --register

Select '“Next”' until you get to 'Step 2: Register a User Account'. Enter the Educational Credit RHN username, enter the password in both password fields, and enter your email address. You will need to do this even if you already have an account. Select '“Next”'.

Use the system's name for the profile name, and make sure the 'Include the following information about hardware and network' checkbox is checked. Select '“Next”'.

Make sure the 'Include RPM packages installed on this system in my System Profile' checkbox is checked, and select '“Next”'. Select '“Next”' again to finish the registration process, and then click 'Finish' to leave the program.

If you run into an error when trying to register a system, we may not have any available licenses from Redhat. Licenses will either need to be reclaimed from dead systems, or more licenses will need to be purchased.

Create Standard Mountpoints

Run the following to create the standard mountpoints on the system:

for i in apps data log export auto; do mkdir /${i}; done

Reboot the System

After making all of the above changes, you must reboot the system to make sure all the configuration changes take effect. Run the following command on the system as root:

shutdown -r now or init 6

Install Netbackup

Submit a ticket to the Backup group to have the Netbackup client installed onto the system, and configured to back up the critical filesystems.

cd /tmp

wget http://patch/install/Netbackup5.1/linuxclient.tar

tar xvpf linuxclient.tar

/bin/sh /tmp/bp/bin/client_config

edit /usr/openv/netbackup/bp.conf with appropriate server and client settings

Configure Big Brother

Add bigbrother user and then add server public key to the authorized_keys file on this client:

useradd –m bigbrother; passwd bigbrother

su – bigbrother

mkdir .ssh; chmod 755 .ssh; cd .ssh; touch authorized_keys; chmod 644 auth*

vi auth*

paste the current keys for the bigbrother server into the file making sure not to add any whitespace or extra characters

Log into system ‘bigbrother’ as user 'bigbrother', and add a line like the following into the appropriate section of /home/bigbrother/bb/etc/bb-hosts

ip.address.y.z hostname.pvalentino.tld # svcs cpu disk msgs procs

Restart Big Brother with the following command:

Version 1.9:

cd /home/bigbrother/bb ; ./ restart

Version 3.2:

service bigbrother restart

No comments: