Post-Installation & Maintenance for Linux


Security Modifications

After you have installed RedHat Linux on your machine, you should secure it. Linux boxes found to be a security risk will be removed from UVa's network. The following measures give an acceptable minimum of security:

  • TCP Wrappers - with TCP wrappers you can control which machines can connect to your system.
  • Install Secure Shell (ssh) on your machine. It will replace the openssh that is installed by default.
  • Iptables
    * For users upgrading to Red Hat 7.1:
    Make sure that you remove any ipchains scripts prior to setting up iptables.

    Beginning with RedHat 7.1, iptables should be used instead of ipchains*. iptables works better with kernel versions 2.4 and above. Similar to ipchains, iptables provides an ordered set of "rules" against which network packets are checked, and this can help secure your system.

    To install ITC's recommended iptables rules on your system, save the UVAiptables script into your /etc/rc.d/init.d area. Make the file executable, activate the service for runlevels 3, 4, and 5, and turn on iptables (or reboot your computer):

    chmod +x /etc/rc.d/init.d/UVAiptables
    /sbin/chkconfig --level 345 UVAiptables on
    /etc/rc.d/init.d/UVAiptables start

  • Sendmail Configuration
    Turn it OFF.
  • Using Pine in an IMAP configuration.
    Since the typical Linux box will have a DHCP (non-permanent) IP address, we recommend that you maintain your registered UVa email address elsewhere. The following document describes how to use the mailer pine to read mail on another server (see "Modify your .pinerc file"): http://www.itc.virginia.edu/desktop/unix/docs/modifyblue.html
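
The iptables and sendmail items above can be checked after the fact from `chkconfig --list` output. The script below is an added example, not ITC's own code: it reports whether UVAiptables is on for runlevels 3, 4 and 5, whether any ipchains script is still enabled, and whether sendmail is off. The sample listings are constructed, and reading "Turn it OFF" as "disabled in every runlevel" is an assumption.

```shell
#!/bin/sh
# Added example: audit the service state the steps above should produce.
# Input is the text printed by `chkconfig --list`; samples are constructed.

SAMPLE_GOOD='UVAiptables     0:off   1:off   2:off   3:on    4:on    5:on    6:off
ipchains        0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:off   3:off   4:off   5:off   6:off'
SAMPLE_BAD='UVAiptables     0:off   1:off   2:off   3:on    4:off   5:on    6:off
UVAipchains     0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# levels_on LINE: print the runlevels marked "on" in one listing line, e.g. 345
levels_on() {
    printf '%s\n' "$1" |
        awk '{ for (i = 2; i <= NF; i++) if ($i ~ /^[0-6]:on$/) printf "%s", substr($i, 1, 1) }'
}

# audit_firewall LISTING: print findings; return 0 only when nothing fails
audit_firewall() {
    listing=$1
    rc=0
    ipt_line=$(printf '%s\n' "$listing" | awk '$1 == "UVAiptables"')
    case $(levels_on "$ipt_line") in
        *3*4*5*) ;;
        *) echo "FAIL: UVAiptables is not on for runlevels 3, 4 and 5"; rc=1 ;;
    esac
    # Any init script with "ipchains" in its name that is on in some runlevel
    stale=$(printf '%s\n' "$listing" | awk 'tolower($1) ~ /ipchains/ && /:on/ { print $1 }')
    if [ -n "$stale" ]; then
        echo "FAIL: ipchains script(s) still enabled:" $stale; rc=1
    fi
    # Assumption: "Turn it OFF" means sendmail is off in every runlevel
    if printf '%s\n' "$listing" | awk '$1 == "sendmail" && /:on/ { f = 1 } END { exit !f }'; then
        echo "FAIL: sendmail is still enabled"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: UVAiptables on, ipchains and sendmail off"
    return "$rc"
}

# Audit the real machine only when asked: sh audit.sh live
if [ "${1:-}" = live ]; then
    [ -x /etc/rc.d/init.d/UVAiptables ] || echo "FAIL: UVAiptables missing or not executable"
    audit_firewall "$(/sbin/chkconfig --list 2>/dev/null)"
fi
```

Without the `live` argument the script only defines the functions and samples; `audit_firewall "$SAMPLE_BAD"` shows the failure messages.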

Administration Issues

  • Printing
    Use RedHat's printtool to configure a printer attached to your machine. For a listing of networked printers and their servers, log on to an ITC-maintained machine (for example blue.unix) and look at the contents of the /etc/printcap file.

    Alternatively, LPRng is part of the RedHat distributions after 7.0. LPRng has the advantage that it does not require the creation of a printcap file in order to access networked printers. If you are running a version below 7.0, you may want to obtain an LPRng RPM.
  • Creating User Accounts
    Use the linuxconf tool to create user accounts on your machine. Do NOT log in as root for your personal day-to-day use. We recommend that accounts on Linux boxes be given the same userid as used by the UVa computing systems. Please read this important note regarding assignment of UIDs.

System Maintenance

It is very important to periodically check for, and to install, OS and package patches. Patches (and security advisories) for RedHat Linux can be found at http://www.redhat.com/support/errata/. You may also mount the appropriate exports directory for the version of your installation from the same machine used for the NFS install. For instructions see Mounting File Systems.


* ipchains was used with versions of RedHat Linux preceding 7.1. ITC's recommended ipchains rules are in the UVAipchains script, which can be saved into your /etc/rc.d/init.d area. Make sure the script is executable.


© 2008 by the Rector and Visitors of the University of Virginia.
