Red Hat & Linode QuickStart
OpenSSH keys
The Red Hat image that was loaded onto your linode came with precreated SSH keys. In order for SSH to be secure, these keys need to be secret; for this you need to create new keys. Enter the following on the command line.
/etc/init.d/sshd stop &&
rm -f /etc/ssh/*_key* &&
/etc/init.d/sshd start
OpenSSH should have restarted and created new keys in the process. Connect to your linode; your SSH client should warn you that the key has changed.
Cron Output
Unless you are hosting mail or planning on checking your mail on your linode, you will probably want the output of your cron jobs mailed to a different email address. You can change the address with the MAILTO environment variable inside a crontab. If you are working with a user's crontab, that can be done by simply adding a MAILTO=
MAILTO=you@example.com
Cron's Schedule
Red Hat comes with certain cron jobs scheduled to run hourly, daily, weekly, or monthly. These cron jobs are used for maintenance, rotating logs, etc. The problem is that your linode is sharing a physical machine with other linodes that probably run the same jobs at the same times. This will result in a heavy load on the machine when every linode runs its daily jobs at the same time. Since you don't want to overload the machine any more than you have to, plus you want your jobs to run faster
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
You should change the minutes and hours to something else, such as:
09 * * * * root run-parts /etc/cron.hourly
19 0 * * * root run-parts /etc/cron.daily
39 1 * * 0 root run-parts /etc/cron.weekly
49 2 1 * * root run-parts /etc/cron.monthly
Of course if everyone used the above, the problem would still exist. Make up your own times.
Disable ECN
ECN (Explicit Congestion Notification) is enabled by default on some kernels. As you probably won't be using your linode as a router, it is a good idea to disable it. Leaving the option enabled will mean that your linode will not be able to communicate with systems behind older routers that do not understand ECN. To disable it at boot, edit /etc/rc.d/rc.local and add the following line.
echo 0 > /proc/sys/net/ipv4/tcp_ecn
RedHat Updates
Keeping your server up to date is important. Let's do that.
#Download rhupdate
wget http://www.jjminer.org/rhupdate/rhupdate-1.10-beta-1.102.tar.gz
#Unpack it
tar -zxf rhupdate-1.10-beta-1.102.tar.gz &&
cd rhupdate-1.10-beta-1.102
#Configure and install it
./configure &&
make install
#Download available updates
mkdir /tmp/updates &&
rhupdate --download /tmp/updates
Unless the download failed (if it did, try again later), you should now have all of the available updates for your Red Hat server downloaded into /tmp/updates. As it is good practice to pay attention to what packages are being updated, it's up to you to install them.
Misc.
The Red Hat image came with Apache certificates prebuilt; however, I don't consider this that big of an issue. If you are planning on using Apache over HTTPS you'll need to get your own certificates anyways.
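The concern behind the OpenSSH keys step is that every linode deployed from the same image presents the same host key. As an added example (not part of the original post), the Python below groups lines in `ssh-keyscan` output format by SHA256 fingerprint and reports any key that more than one of your hosts presents; the host names and key bytes are constructed.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(key_type: str, b64_blob: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a public key blob."""
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob starts with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_lines):
    """Map fingerprint -> sorted hosts, for keys seen on more than one host."""
    hosts = defaultdict(set)
    for line in scan_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # blank, comment or truncated line
        host, key_type, blob = parts[:3]
        try:
            hosts[fingerprint(key_type, blob)].add(host)
        except (ValueError, struct.error):
            continue  # malformed base64 or blob: skip the line
    return {fp: sorted(h) for fp, h in hosts.items() if len(h) > 1}


def sample_line(host: str, seed: bytes) -> str:
    """Build a constructed (not real) ssh-ed25519 line for the demo."""
    name = b"ssh-ed25519"
    pub = hashlib.sha256(seed).digest()  # 32 stand-in bytes, not a real key
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub)) + pub
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample in ssh-keyscan output format: "host keytype base64-blob".
SAMPLE = [
    sample_line("node-a.example.com", b"image-key"),    # key left from the image
    sample_line("node-b.example.com", b"image-key"),    # same image, same key
    sample_line("node-c.example.com", b"regenerated"),  # keys were recreated
]

if __name__ == "__main__":
    print(shared_host_keys(SAMPLE))
```

Any host listed in the result still needs its host keys recreated as described in the OpenSSH keys section.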
2 Replies
I'd guess it is, but don't want to assume TOO much…
thanks
- j
@wazdog:
Anyone know if this info is still valid (and recommended) for Fedora?
I'd guess it is, but don't want to assume TOO much…
thanks
- j
Although I haven't used Fedora, I know that Chris changed the images for RedHat and Debian (thus I'd assume Fedora too) so that you no longer have to recreate your SSH keys, change the schedule for cron, or disable ECN (I think), which only leaves changing your cron output if you want and updating (check up2date).
short answer: it's done for you
Kenny