LinuxWebLog.com

1. Backup files:
   
      /etc/mail/sendmail.mc
   /etc/mail/sendmail.cf
   /etc/mail/access
   /etc/mail/access.db
   /etc/aliases
2. These changes go in the /etc/mail/sendmail.mc file:

   Security enhancements:

   • Require a HELO or EHLO greeting from the sending SMTP server.
     
   • Put limits on Sendmail forks and other settings to stop a DOS attack from overwhelming server.
     
   • Munge the Sendmail server identification.
     
   • Recipient throttle to identify when an envelope arrives with more than 4 invalid users, presuming that this is a dictionary attack.
     
   • Limit the number of recipients in a single message.
   dnl #
dnl #start security mods
define(`confPRIVACY_FLAGS�39;, `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl
define(`confMAX_DAEMON_CHILDREN',20)dnl
define(`confSMTP_LOGIN_MSG',$j Sendmail; $b)dnl
define(`confMIN_FREE_BLOCKS', `4000')dnl
define(`confMAX_HEADERS_LENGTH', `32000')dnl
define(`confMAX_MIME_HEADER_LENGTH', `1024')dnl
define(`confBAD_RCPT_THROTTLE',`4')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `10')
dnl #end security mods
dnl #

   Enable DNS BlockLists:

   dnl #
dnl # Begin Spam Block Enhancement mod
dnl # Start BlockList
FEATURE(`dnsbl', `bl.spamcop.net', `"554 Spam blocked - see http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`dnsbl', `zen.spamhaus.org', `"554 Rejected - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
dnl # sorbs dynamic user list ( not dial up )
FEATURE(`dnsbl', `dul.dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}"; - see http://dnsbl.sorbs.net"')dnl
dnl # End BlockList
dnl # Start dont bounce errors back to me
define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')dnl
dnl # End dont bounce
dnl # Start delay checks, so we see the intended recipient
dnl # Added friend so we can exempt specified local user via access file
FEATURE(`delay_checks',`friend')dnl
dnl # End delay checks
dnl # End Spam Block Enhancement mod
dnl #

   All of the above should go before the line:

   FEATURE(`blacklist_recipients')dnl

   Notes:

   The above Double Bounce Address throws the double bounces into the bit bucket.

   The delay_checks feature causes it to log the sender from address and other info, when it rejects spam.

3. Create an alias in "/etc/aliases" called dev-null and point it to "/dev/null":
   dev-null: /dev/null

4. In file "/etc/mail/access", enter:
   Connect:xxx.xxx.xxx.xxx OK

   where xxx.xxx.xxx.xxx is the server IP. This keeps you from blocking yourself, if you happen to get listed in one of the blocklists used!

5. To apply the configurations, run:
   # newaliases
# makemap hash /etc/mail/access.db < /etc/mail/access
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /sbin/service sendmail restart

Recently I've had to provide a developer with the makedep tool. It is available via imake rpm. However, it is deprecated and when installing automake and autoconf, it should automatically get installed as it is a required package by autoconf.

If getting the error "Metadata file does not match checksum", try running `

`yum clean all` should also resolve the issue if the metadata fails.

Lists out the files in a directory including hidden files in a single-column format and pipes it through a line count via wc.

Gallery Remote install kept erroing out with:

The way around the error was to comment out the assumed kernel.

Once installed Gallery Remote would not run and I had run the same hack for the Gallery_Remote launcher script as well.

These are some services I would normally turn off on web servers.
NOTE: usage may vary.

1. gpm -- mouse
2. mdmonitor -- monitor raid devices
3. netfs -- nfs, samba etc...
4. autofs -- automount, nfs, cd etc...
5. kudzu -- detect new hardware
6. restorecond -- monitor selinux file context
7. mcstrans -- mandatory access control selinux translation
8. messagebus -- routes messages between applications
9. haldaemon -- maintains database of devices connected

There may be more, but if you've cleaned up your rpm packages, it would probably not exist.

Below is a list of rpm packages that are not necessary on a web server. Use it as a reference starting point for cleaning up servers. You may also want to make sure not to run services not required by the server.
NOTE: usage may vary and removal should be in the order listed:

1. redhat-lsb cups system-config-printer-libs system-config-printer paps -- printer support
   
   
2. system-config-soundcard  -- gui for sound setup
   
   
3. system-config-securitylevel-tui -- gui for setting up security
   
   
4. nfs-utils system-config-nfs nfs-utils-lib -- nfs server
   
   
5. portmap -- manage RPC connections
6. ypbind yp-tools -- NIS client binding
7. htmlview  -- view webpages via gui
   
   
8. system-config-services system-config-samba pinfo system-config-users system-config-date -- gui configs
   
   
9. samba samba-client samba-common -- samba support
   
   
10. oprofile oprofile-devel oprofile-gui qt
11. vnc
12. libglade2 libgnomecanvas usermode-gtk libbonoboui libgnomeui libglade-java pygtk2-libglade system-config-httpd system-config-network gnome-mount libgnome-java gnome-python2-bonobo gnome-python2-canvas gnome-python2 authconfig-gtk system-config-lvm authconfig-gtk pirut gnome-vfs2 gnome-python2-gnomevfs gnome-python2-gconf libgnome libgsf librsvg2 librsvg2
    ImageMagick
13. gnome-mime-data gnome-keyring  notify-python
    
    
14. GConf2 notification-daemon bluez-gnome libgconf-java libnotify bluez-utils
15. libgtk-java libvte-java
16. pygtk2 system-config-language system-config-rootpassword
17. vte
18. libwnck
19. glib-java cairo-java frysk
20. libwmf
21. gtk2
22. cups-libs
    
    
23. ghostscript ghostscript-fonts
    
    
24. avahi avahi-glib
25. wpa_supplicant NetworkManager
26. system-config-rootpassword
27. system-config-language
    
    
28. system-config-keyboard
29. system-config-network-tui firstboot-tui
30. system-config-securitylevel-tui
31. dhcpv6_client dhcdbd dhclient -- dhcp support
    
    
32. irda-utils -- Infra Red communications
33. isdn4k-utils -- ISDN
34. apmd -- laptop power management
35. cpuspeed -- dynamically changing cpu speed
36. bluez-libs -- bluetooth
37. irqbalance -- irq load balancing on multi-cpus (remove only in single cpu situation)
38. rsh -- unsecure remote access
39. talk -- internet talk protocol
40. foomatic -- printer driver database
41. finger -- finger client
42. eject -- eject removable media
43. cvs -- concurrent version control
    
    
44. rcs -- revision control system
45. dosfstools mkbootdisk -- bootdisk
46. redhat-menus desktop-file-utils startup-notification -- desktop
47. ppp rp-pppoe wvdial -- dialup
48. esound -- sound daemon
49. pcmciautils -- PCMCIA Cardbus
50. pcsc-lite coolkey ifd-egate ccid
51. OpenIPMI net-snmp-libs
52. ImageMagick-devel -- ImageMagick development package
53. xorg-x11-devel -- X server development package
54. acpid -- power management (remove if you don't shutdown using power button)

lftp ftp client support tls/ssl so why not use a secure connection for ftp.

Insist on your host to serve up ftp with tls/ssl support so all data is secured.

If using proftpd server, tls/ssl can be configured via "/etc/proftpd.conf":

The certificate can be generated to be used on the ftp server via:

Reference:

• ProFTPD mini HOWTO TLS