Linux Post-Install and Essential Commands

From T5C

After installing Linux and rebooting your machine for the first time, you'll need to perform some important steps in order to finalize your server installation and have a secure and efficient configuration. In this article we will cover these post-install steps and the essential commands you'll need to master in order to become a successful Linux Sys Admin.

Say Hello and Goodbye to Root

Given the sweeping power of the root account, using it for day-to-day tasks is highly discouraged: a human error or a malicious program running as root could have disastrous results. To avoid these perils, a secure alternative called sudo has been developed. With sudo, you can grant specific accounts the right to run commands as root, but only when they have to, and each such execution requires a password to be entered. In this way, sudo lets us delegate most administrative tasks to a normal user account without granting that account sweeping privileges, and lets us retire the root account for good.

So let's log in to our newly installed Linux server as root and take the necessary steps to configure sudo and never have to use the root account again. To log in, enter root as the username and hit Enter. When prompted for a password, enter the password you specified during the installation process and press Enter once again. You should be greeted with a prompt similar to this one:

 root@gandalf:~ #

In this example, gandalf is the name of my server, so this prompt has the format user@server:path prompt, meaning that just by looking at the prompt we can quickly see who we are logged in as, where we logged into, and where in the filesystem we are currently located. The final prompt character will always be # for root and usually $ for all other users. This is also a quick reminder of the type of power we currently have.


Creating Our Real User Account

The first step in setting up sudo and leaving root is to create a normal user account for ourselves. We do this with the useradd command:

 useradd -c "Full name" -G wheel username

Where Full name should be the human-readable name of our user (e.g. Jose Colon) and username is the short account name for the system to handle, such as jecolon. So using myself as an example, I would enter:

 useradd -c "Jose Colon" -G wheel jecolon

The wheel specification for -G tells useradd to add this account to the group called wheel. The wheel group is special in Linux and is meant for system administrator accounts. Please note that this doesn't give any special privileges to the account; it just prepares us for the next steps in configuring sudo.

Once we have created our account, we need to set its initial password. We do this with passwd:

 passwd jecolon
 ...
 [Enter password at both prompts]

With passwd, root can set or change its own or any other user's password. Normal users can change their own password with passwd, but they cannot change other users' passwords like root can. Remember to use a complex password consisting of at least 6 alphanumeric characters including special punctuation marks such as asterisk, underscore, and period.

Edit Sudoers File

To allow our sys admins in the wheel group to run commands as root using sudo, we must make a small edit to the sudo control file called sudoers. This file is specially protected and thus must be edited via the visudo command.

 visudo

Move down to the lines that say

 # Uncomment to allow people in group wheel to run all commands
 # %wheel        ALL=(ALL)       ALL

and delete the # sign at the beginning of the second of these two lines, leaving them as

 # Uncomment to allow people in group wheel to run all commands
 %wheel        ALL=(ALL)       ALL

To delete the pound sign, place the cursor over it and hit the x key on the keyboard. Then enter :wq to save and exit visudo. These strange commands are essential parts of the vi text editor in UNIX. This text editor is very important because you will surely find it installed in almost any type of UNIX based system available today. We'll cover vi in another article later on.
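A way to confirm the result of the edit above, as an added example that is not part of the original article: the functions below report whether a sudoers file has an active %wheel rule (and whether it skips the password prompt) and whether a user is listed in wheel. The function names, the sample sudoers text and the sample group line are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how the %wheel group is treated by a sudoers file.

# Constructed sudoers fragment (not copied from a real host).
sample_sudoers() {
cat <<'EOF'
root    ALL=(ALL)       ALL
# Uncomment to allow people in group wheel to run all commands
%wheel        ALL=(ALL)       ALL
# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
EOF
}

# Read sudoers text on stdin and print one of:
#   wheel:disabled  - no active %wheel rule
#   wheel:password  - active rule, password required
#   wheel:nopasswd  - active rule that skips the password prompt
wheel_rule_state() {
    awk '
        /^[ \t]*#/      { next }              # commented-out lines are inactive
        $1 == "%wheel"  { active = 1
                          if ($0 ~ /NOPASSWD:/) nopw = 1 }
        END {
            if (!active)   print "wheel:disabled"
            else if (nopw) print "wheel:nopasswd"
            else           print "wheel:password"
        }'
}

# Succeed if user $1 is a listed member of wheel in group-file text on stdin.
in_wheel() {
    awk -F: -v u="$1" '
        $1 == "wheel" { n = split($4, m, ",")
                        for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }'
}

sample_sudoers | wheel_rule_state
# On a live host, as root:
#   wheel_rule_state < /etc/sudoers
#   in_wheel jecolon < /etc/group && echo "jecolon is in wheel"
```

On a real server, visudo -c additionally checks the file's syntax, and sudo -l run as the new user lists what that user is allowed to run.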

Logout and Login

Well, we can now say goodbye to the root account. Once we have our normal user account which belongs to the wheel group, and this group in turn has sudo capabilities via the sudoers file, we no longer need to log in as root to accomplish system administration tasks. So let's log out with the exit command:

 exit

and then log back in with your normal account. Now we're ready to finish setting up the server. But first, we must learn how to sudo.

Sudo for Initial Updates

To use sudo, you just prefix it to the commands you want to run as root. The very first time you run sudo, you'll see a warning message about its use accompanied by a password prompt. This password is the one for the account you are currently logged into, and not the root password. Once you enter the password for your account and it matches correctly, your command executes as if it were run by root and you gain a grace period of around 5 minutes where you can run additional sudo commands without having to re-enter your password.

Let's see a useful example. After the initial install of CentOS, we need to bring the system up to date with all the fixes and patches that may have come out since the original release of the version we are using. To accomplish this, we use the Yellowdog Update Manager or yum to update the system. To use yum for system updates though, you have to have root privileges, so we'll rely on sudo to help us out:

 sudo yum -y update

You'll be prompted for the password and off goes yum updating the system. This will take quite a while and you must be connected to the Internet so the fixes and patches can be downloaded and installed. Once the process is finished, you should reboot the server to use the newest kernel update. This isn't obligatory but recommended.

Lockdown the Server

After initial updates and a reboot into the newest kernel, log in and install a simple little program called nmap.

 sudo yum -y install nmap

After nmap is installed, run it against the localhost:

 sudo nmap localhost

Nmap will tell you which ports are open on a machine. When we run it against the localhost, we should see the SSH port 22 and nothing more. If you have additional ports open, chances are they are related to unnecessary services such as printing and NFS file sharing. To turn these services off and prevent them from running again at the next reboot, we will use two commands native to CentOS and other Red Hat clones: chkconfig and service.

 sudo chkconfig nfs off
 sudo chkconfig portmap off
 sudo chkconfig cups off
 sudo service nfs stop
 sudo service portmap stop
 sudo service cups stop

These sets of commands disable the services and then stop them immediately. Using shell scripting capabilities, we can accomplish the same with a for loop:

 for i in nfs portmap cups; do sudo chkconfig $i off; sudo service $i stop; done

That was short, right! To make sure your system has all unnecessary ports closed you can repeat this process of running nmap and disabling and stopping services. You can get a list of all services (enabled or disabled) with:

 sudo chkconfig --list

This list will display off for all columns when a service has been disabled.
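To make the nmap-then-disable loop described above repeatable, here is an added example (not part of the original article) that reads chkconfig --list output and prints every service still switched on in some runlevel that is not on an allowlist. The sample output, the function names and the allowlist "network sshd" are constructed assumptions; adjust the allowlist to the services your server really needs.

```shell
#!/bin/sh
# Added example: find services that `chkconfig --list` still shows as "on"
# in any runlevel and that are not on an allowlist.

# Constructed sample of `chkconfig --list` output (not captured from a real host).
sample_chkconfig() {
cat <<'EOF'
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        chargen-dgram:  off
EOF
}

# Print the name of every SysV service enabled in at least one runlevel.
# Lines without runlevel columns (blank lines, the xinetd section) are skipped.
enabled_services() {
    awk '$2 ~ /^0:(on|off)$/ {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /:on$/) { print $1; break }
         }'
}

# Print enabled services missing from the space-separated allowlist in $1.
unexpected_services() {
    allow=" $1 "
    enabled_services | while read -r svc; do
        case "$allow" in
            *" $svc "*) ;;             # expected service, stay quiet
            *) echo "$svc" ;;          # candidate for chkconfig off / service stop
        esac
    done
}

# On a live host: sudo chkconfig --list | unexpected_services "network sshd"
sample_chkconfig | unexpected_services "network sshd"
```

A service such as portmap that is off in runlevel 2 but on in 3 to 5 is still reported, which is the case a quick glance at the list tends to miss.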

Essential Commands

apropos

This command is used to search for a term in the manual pages. For example:

 apropos disk

will display manual pages that have the word disk somewhere within their content. The format for a manual page reference is usually the command or keyword followed by a manual page section between parentheses:

 ls(5)

This would be used to look up the manual page with man as we'll see next.

man

After you know the command you want more information about, you look it up using the man command. For example, to see the manual page for ls we enter:

 man ls

This will bring up a manual page viewer that you can navigate with spacebar to move forward by one page or q to quit. If the command has multiple entries in different sections, it'll appear in many places with a number between parentheses appended at the end, as in ls(5) presented above. In this case you specify the section number between the man command and the command to look up:

 man 5 ls

ls

The ls command displays a list of files in the specified directory or the current directory if none is specified.

 ls /etc

The -a and -l parameters are very useful, displaying hidden files and a long listing respectively. They can be used in combination and joined together as is the case with most parameters in all UNIX commands.

 ls -al

cd

To change directories, we use the cd command:

 cd /etc

Typing cd without specifying a destination directory will take you to your home directory. Note that the home directory in UNIX is commonly aliased with the tilde character: ~.

 cd ~

or

 cd

pwd

To see where you are in the filesystem, use pwd (print working directory):

 pwd

df

Disk free, or df, will show you statistics about how much disk space is available on your system. The -h parameter makes the output human readable.

 df -h

free

The free command displays statistics regarding memory in your server.

 free

grep

To search a file or output from a command for a string of text, you can use grep:

 ls -l /etc | grep host

Here we see the | or pipe character joining two commands. A pipe such as this directs the output of the first command to become the input of the second command. So here grep will search for the word host in the directory listing returned by ls. Pipes are one of the most powerful command line techniques for UNIX sys admins.

ps

To see the processes running on your machine, you can run the ps command. This will display a series of columns and rows that depict each process and a wealth of information related to its execution. The ps command is very often used in conjunction with grep to isolate a single process from the rest. For example, if I'm looking for the httpd process on my system, I could run:

 ps aux | grep httpd

Note that the aux parameter combination is extremely useful as it provides very detailed information about the processes. Also note the exception in this case where the parameters are not preceded by a dash. This has caused a lot of confusion among novice and experienced Linux users alike.

top

To monitor the processes on an ongoing basis, you can use the top command. This command displays a columnar summary similar to that of ps but the program stays active, refreshing periodically to monitor the active processes. You also get a nice summary of memory and CPU utilization at the top of the display that also refreshes automatically. You can press ? to see a help screen or q to quit.

 top

cp

Use cp to copy files:

 cp /etc/hosts /etc/hosts.bak

mv

Use mv to move files:

 mv /etc/hosts.bak /var/backup/hosts.bak

rm

Use rm to delete files:

 rm /var/backup/hosts.old

The -rf parameters perform a recursive forced delete which will remove files and directories forever.

 rm -rf ~/temp_dir

For More Information