red letting are command that you need to issue as root

1. click on Computer > More Applications > YaST

2. Put in root password for YaST

3. Scroll down until you see Software Management and single click on it

4. Check for the following software. If you don’t have it installed, install it

   1. kernel-source

   2. gcc

   3. gcc-c++

   4. make (This is most likely already installed, but just to double check)

5. Once you have installed that software, lets head over to the command line. Right click on the desktop and select “open terminal”

6. Once you get into the terminal, you want to log in as a super user or root. You can do this by using the su command

   clmowers@linux-box:~> SUPassword:linux-box:/home/clmowers #

7. Next you want to run the following command. This will check for the needed software and it will also show you the kernel modules that are installed. You MUST have the same kernel numbers though out, or you will have issues later down the road

   rpm -qa kernel* gcc* make

   It will look like this when the command is run

   linux-box:/home/clmowers # rpm -qa kernel* gcc* make gcc-c++-4.2-24make-3.81-66kernel-source-2.6.22.17-0.1 gcc42-c++-4.2.1_20070724-17 kernel-default-2.6.22.17-0.1 gcc-4.2-24 gcc42-4.2.1_20070724-17

   Notice that both of the kernels are the same. If these numbers are diffent then you need to run the online updates to get the lastest ones and to make sure everything matches. ***Just remember that these numbers change, This was the latest kernel when I wrote this, yours might be different from mine.

8. OK, lets move on. Next we want to change the directory to /usr/scr/linux. We can do that by this command

   linux-box:/home/clmowers # cd /usr/src/linux

9. next we want to issue these commands. Don’t worry, we are almost done in the command line for the time being.

   linux-box:/home/clmowers # make mrproper; make cloneconfig; make modules_prepareYou will notice that it is done when you get back to this linelinux-box:/home/clmowers #

10. YEA!!! The moment we all have been waiting for, installing vmware server. But we are not done yet. Once vmware server is installed we will need to configure it. Then you can start adding all the VM that your heart desires.

11. Next you want to go to where you have downloaded the file and right click and select install software

12. Once the windows closes we are ready to configure it. I know I know, but we are almost done. Just 2 more minutes.

13. open up a new terminal window (or open the one you already had) and issue this command

    linux-box:/home/clmowers # cd /usr/binlinux-box:/usr/bin #

14. This will bring you to the /usr/bin directory. Next we want to run the pl script the vmware was so kind of to provide us. This will let us configure the server

    linux-box:/usr/bin # vmware-config.pl

15. We will start out by reading the EULA. Hit space or enter to go through the agreement. Once you are done reading hit Q and then type yes. Now what I did was just accept all the defaults. This will give you a very good install of vmware. My only suggestion would be to create a folder under your /home/username/ directory called vms. When you get to the question asking you where you want to have your virutual machine saved, type in that location.

16. You will be ask for your license key, so make sure that you have one. Type it in and press eneter.

Introduction

Are you using SSH in the best way possible? Have you configured it to be as limited and secure as possible? The goal of this document is to kick in the new year with some best practices for SSH: why you should use them, how to set them up, and how to verify that they are in place.

All of the examples below assume that you are using EnGarde Secure Linux but any modern Linux distribution will do just fine since, as far as I know, everybody ships OpenSSH.

SSHv2 vs. SSHv1

There are numerous benefits to using the latest version of the SSH protocol, version 2, over it’s older counterpart, version 1 and I’m not going into a lot of details on those benefits here – if you’re interested, see the URL in the reference below or Google around. That being said if you don’t have an explicit reason to use the older version 1, you should always be using version 2.

To use SSHv2 by default but permit SSHv1, locate the “Protocol” line in your sshd_config file and change it to:

Protocol 2,1

When doing 2,1 please note that the protocol selection is left up to the client. Most clients will default to v2 and “fall back” to v1, while legacy clients may continue to use v1. To force everybody to use SSHv2, change it to:

Protocol 2

When you make this change don’t forget to generate the appropriate HostKey’s as well! SSHv2 requires the following keys:

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

While SSHv1 requires:

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key

Once your changes are made, restart the SSH daemon:

# /etc/init.d/sshd restart

[ SUCCESSFUL ] Secure Shell Daemon
[ SUCCESSFUL ] Secure Shell Daemon

From another machine, try SSH’ing in. You can use the -v option to see which protocol is being used, and the ‘-oProtocol=’ option to force one or the other – for example, “ssh -v -oProtocol=2 ” would force protocol version 2.

Binding to a Specific Address or Non-Standard Port

If you’re running SSH on an internal, firewalled, workstation then you can probably skip this section, but if you’re running SSH on a firewall or on a machine with two network interfaces, this section is for you.

Out of the box OpenSSH will bind to every available network address; while convenient and suitable for most installations, this is far from optimal. If your machine has two or more interfaces then the odds are that one is “trusted” and the other is “untrusted.” If this is the case, and you don’t need nor want SSH access coming in on the untrusted interface, then you should configure OpenSSH to listen on a specific interface.

To have OpenSSH only bind to your internal interface, 192.168.0.1 in the example below, locate the following line in your sshd_config file:

ListenAddress 0.0.0.0

and change the 0.0.0.0 to 192.168.0.1:

ListenAddress 192.168.0.1

To verify that this change took, restart OpenSSH and look at netstat:

# /etc/init.d/sshd restart

[ SUCCESSFUL ] Secure Shell Daemon
[ SUCCESSFUL ] Secure Shell Daemon

# netstat -anp | grep sshd

tcp 0 0 192.168.0.1:22 0.0.0.0:* LISTEN 7868/sshd

As you can see, the sshd daemon is now only listening on 192.168.0.1. SSH requests coming in any other interface will be ignored.

Similarly, you may want to change the port that the SSH daemon binds to. Sometimes there is a functional need for this (ie, your employer blocks outbound 22/tcp) but there is also security-through-obscurity value in this as well. While not providing any real security benefit against a determined attacker, moving the SSH daemon off of port 22 protects you against automated attacks which assume that the daemon is running on port 22.

To have OpenSSH bind to a port other than port 22, 31337 in the example below, locate the following line in your sshd_config file:

Port 22

and change the 22 to 31337:

Port 31337

To verify that this change took, restart OpenSSH and, again, look at netstat:

# netstat -anp | grep sshd

tcp 0 0 192.168.0.1:31337 0.0.0.0:* LISTEN 330/sshd

Finally, to SSH into a host whose SSH daemon is listening on a non-standard port, use the -p option:

ssh -p 31337 user@192.168.0.1

Using TCP Wrappers

TCP Wrappers are used to limit access to TCP services on your machine. If you haven’t heard of TCP Wrappers you’ve probably heard of /etc/hosts.allow and /etc/hosts.deny: these are the two configuration files for TCP Wrappers. In the context of SSH, TCP Wrappers allow you to decide what specific addresses or networks have access to the SSH service.

To use TCP Wrappers with SSH you need to make sure that OpenSSH was built with the -with-tcp-wrappers. This is the case on any modern distribution.

As I indicated earlier, TCP Wrappers are configured by editing the /etc/hosts.deny and /etc/hosts.allow files. Typically you tell hosts.deny to deny everything, then add entries to hosts.allow to permit specific hosts access to specific services.

An example:

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
ALL: ALL
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: 207.46.236. 198.133.219.25

In the example above, access to SSH is limited to the network 207.46.236.0/24 and the address 198.133.219.25. Requests to any other service from any other address are denied by the “ALL: ALL” in hosts.deny. If you try to SSH into a machine and TCP Wrappers denies your access, you’ll see something like this:

ssh_exchange_identification: Connection closed by remote host

This simple configuration change significantly hardens your installation since, with it in place, packets from hostile clients are dropped very early in the TCP session — and before they can do any real damage to a potentially vulnerable daemon.

Public Key Authentication

The last item I will cover is public key authentication. One of the best things you can do to tighten the security of your SSH installation is to disable password authentication and to use public key authentication instead. Password authentication is suboptimal for many reasons, but mostly because people choose bad passwords and attackers routinely try to brute-force passwords. If the systems administrator has chosen a bad password and he’s permitting root logins… game over.

Public key authentication is no silver bullet – similarly, people generate passphrase-less keys or leave ssh-agents running when they shouldn’t – but, in my opinion, it’s a much better bet.

Just about every distribution ships with public key authentication enabled, but begin by making sure it is:

RSAAuthentication yes
PubkeyAuthentication yes

Both of these options default to “yes” and the “RSAAuthentication” option is for SSHv1 and the “PubkeyAuthentication” option is for SSHv2. If you plan on using this authentication method exclusively, while you’re there, you may want to disable password authentication:

PasswordAuthentication no

Before you proceed, make sure you have a terminal open on your target machine. Once you restart the SSH daemon you will no longer be able to log in without a key… which we haven’t generated yet!

Once you’re sure, restart the SSH daemon:

# /etc/init.d/sshd restart

[ SUCCESSFUL ] Secure Shell Daemon
[ SUCCESSFUL ] Secure Shell Daemon

Now, from your desktop, try to SSH in to your target machine:

$ ssh rwm@brainy

Permission denied (publickey,keyboard-interactive).

We’re locked out! This is a good thing. The next step, on your desktop, is to generate a key:

$ ssh-keygen -t dsa -C “Ryan’s SSHv2 DSA Key (Jan 2008)”

Generating public/private dsa key pair.
Enter file in which to save the key (/home/rwm/.ssh/id_dsa):
Enter passphrase (empty for no passphrase): **********
Enter same passphrase again: **********
Your identification has been saved in /home/rwm/.ssh/id_dsa.
Your public key has been saved in /home/rwm/.ssh/id_dsa.pub.
The key fingerprint is:
98:4d:50:ba:ee:8b:79:be:b3:36:75:8a:c2:4a:44:4b Ryan’s SSHv2 DSA Key (Jan 2008)

A few notes on this:

• You can generate a DSA (-t dsa), RSA (-t rsa), or SSHv1 (-t rsa1) key. In the example above I’m using dsa.
• I like to put the date I generated the key in the comment (-C) field, that way I can change it out every so often.
• You’re entering a passphrase, not a password. Use a long string with spaces and punctuation. The longer and more complicated the better!

The command you just ran generated two files – id_dsa, your private key and id_dsa.pub, your public key. It is critical that you keep your private key private, but you can distribute your public key to any machines you would like to access.

Now that you have generated your keys we need to get the public key into the ~/.ssh/authorized_keys file on the target machine. The best way to do this is to copy-and-paste it – begin by concatenating the public key file:

$ cat .ssh/id_dsa.pub

ssh-dss AAAAB3NzaC1kc3MAAACBAL7p6bsg5kK4ES9BWLPCNABl20iQQB3R0ymaPMHK…
… ds= Ryan’s SSHv2 DSA Key (Jan 2008)

This is a very long string. Make sure you copy all of it and that you do NOT copy the newline character at the end. In other words, copy from the “ssh” to the “2008)”, but not past that.

The next step is to append this key to the end of the ~/.ssh/authorized_keys file on your target machine. Remember that terminal I told you to keep open a few steps ago? Type the following command into it, pasting the key you’ve just copied into the area noted KEY:

echo “KEY” >> ~/.ssh/authorized_keys

For example:

echo “ssh-dss AAAA5kS9BWLPCN…s= Ryan’s SSHv2 DSA Key (Jan 2008)” >> ~/.ssh/authorized_keys

Now, try to SSH in again. If you did this procedure correctly then instead of being denied access, you’ll be prompted for your passphrase:

$ ssh rwm@brainy

Enter passphrase for key ‘/home/rwm/.ssh/id_dsa’:
Last login: Thu Jan 10 14:37:14 2008 from papa.engardelinux.org
[rwm@brainy ~]$

Viola! You’re now logged in using public key authentication instead of password authentication.

In Summary…

SSH is a wonderful tool and is every systems administrators second best friend (Perl, of course, being the first . It allows you to read your email from anywhere, provided you still use a terminal-based mail reader. It allows you to tunnel an xterm or X11 application from your home server to your desktop at work. It provides you a far superior alternative to FTP in SFTP and SCP.

SSH is great but just like any tool, it’s only as good as you use it. I hope that you found value in some of my best practices and if you have any of your own, leave them in the comments!

Before I go, here are some additional resources on SSH:

• The OpenSSH Project
• SSH, The Secure Shell: The Definitive Guide
• Introduction to SSH Versions 1 and 2
• Knock, Knock, Knockin’ on EnGarde’s Door (with FWKNOP)

Setting up Subversion

For detailed information on this, including alternate setups, have a look at Version Control with Subversion.

1. Install the required packages.

   sudo aptitude install enscript libapache2-mod-python python-docutils trac db4.3-util libapache2-svn subversion-tools

2. Create a virtual host directory for SVN. We’ll use /var/local/svn instead of /var/www so that Subversion instances don’t clog up the directory of web root directories.

   sudo mkdir -p /var/local/svn/svn.example.com

3. Create a development group, and add the web user to it.

   sudo addgroup example; sudo adduser www-data example

4. Add users to the development group. These are persons that need access to the repository.

   1. sudo adduser username1 example
   2. sudo adduser username2 example
   3. sudo adduser username3 example

5. Set the proper permissions.

   sudo chmod 2770 /var/local/svn/svn.example.com

6. Set up the repository.

   sudo svnadmin create /var/local/svn/svn.example.com

7. Clear the current password file. By default it’s for the svnserve protocol, but we’ll be using HTTPS (or just HTTP). We’ll be adding users to this file later in the process.

   sudo rm /var/local/svn/svn.example.com/conf/passwd
   sudo touch /var/local/svn/svn.example.com/conf/passwd

8. Allow the group to write to the repository.

   sudo chmod -R g+w /var/local/svn/svn.example.com

9. Set proper file ownership.

   sudo chown -R www-data:example /var/local/svn/svn.example.com

10. Set the repository access permissions. Information on how to do this can be found in the Path-Based Authorization section of Version Control with Subversion.

    sudo vi /var/local/svn/svn.example.com/conf/authz

11. Create a directory for the log files.

    sudo mkdir /var/log/apache2/svn.example.com

12. Add the site to the log rotation list.

    sudo vi /etc/logrotate.d/apache2

13. Configure the virtual host…

    sudo vi /etc/apache2/sites-available/svn.example.com

    …with the following data. If you don’t care about SSL, you can ignore the SSL options and run this on port 80.

    <VirtualHost [server's IP address]:443>
      ServerName svn.example.com
      <Location />
        DAV svn
        AuthType Basic
        AuthName "svn.example.com"
        AuthUserFile /var/local/svn/svn.example.com/conf/passwd
        AuthzSVNAccessFile /var/local/svn/svn.example.com/conf/authz
        SVNPath /var/local/svn/svn.example.com
        Require valid-user
      </Location>
      CustomLog /var/log/apache2/svn.example.com/access.log combined
      ErrorLog /var/log/apache2/svn.example.com/error.log
      SSLEngine on
      SSLCertificateFile /etc/apache2/ssl/apache.pem
    # Add this once there is a real (non self-signed) certificate.
    #  SSLCertificateKeyFile /etc/apache2/ssl/server.key
    </VirtualHost>
    <VirtualHost [server's IP address]:80>
      ServerName svn.example.com
      Redirect / https://svn.example.com/
    </VirtualHost>

    Reference:

    /etc/apache2/mods-enabled/dav_svn.conf

14. Enable the subversion virtual host.

    sudo a2ensite svn.example.com

15. Create user/password combinations.

    htpasswd /var/local/svn/svn.example.com/conf/passwd username

16. Restart the web server.

    sudo /etc/init.d/apache2 restart

17. If you’re going to have users working locally, set up svnwrap. (See the man page for details.)

    sudo ln -s /usr/bin/svnwrap /usr/local/bin/svn

Setting up Trac

1. Create the web directory. We’ll use /var/local/trac instead of /var/www so as not to clog up the directory of webroots.

   sudo mkdir /var/local/trac/trac.example.com

2. Set the proper permissions.

   sudo chmod 2770 /var/local/trac/trac.example.com

3. Create a Trac instance.

   sudo trac-admin /var/local/trac/trac.example.com initenv

4. Set proper ownership on the web directory.

   sudo chown -R www-data:example /var/local/trac/trac.example.com

5. Allow the group to write to the repository.

   sudo chmod -R g+w /var/local/trac/trac.example.com

6. Configure it.

   sudo vi /var/local/trac/trac.example.com/conf/trac.ini

7. Create a directory for the log files.

   sudo mkdir /var/log/apache2/trac.example.com

8. Add the site to the log rotation list.

   sudo vi /etc/logrotate.d/apache2

9. Configure the virtual host…

   sudo vi /etc/apache2/sites-available/trac.example.com

   …with the following data. If you don’t care about SSL, you can skip the SSL options and run this on port 80.

   # Trac Configuration
   <VirtualHost [server's IP address]:80>
     ServerName trac.example.com
     Redirect / https://trac.example.com/
   </VirtualHost>
   <VirtualHost [server's IP address]:443>
     ServerName trac.example.com
     DocumentRoot /var/local/trac/trac.example.com/
     Alias /trac/ /usr/share/trac/htdocs
     <Directory "/usr/share/trac/htdocs/">
         Options Indexes MultiViews
         AllowOverride None
         Order allow,deny
         Allow from all
     </Directory>
     <Location />
         SetHandler mod_python
         PythonHandler trac.web.modpython_frontend
         PythonInterpreter main_interpreter
         PythonOption TracEnv /var/local/trac/trac.example.com/
         PythonOption TracUriRoot /
         AuthType Basic
         AuthName "trac.example.com"
         # Use the SVN password file.
         AuthUserFile /var/local/svn/svn.example.com/conf/passwd
         Require valid-user
     </Location>
     CustomLog /var/log/apache2/trac.example.com/access.log combined
     ErrorLog /var/log/apache2/trac.example.com/error.log
     SSLEngine on
     SSLCertificateFile /etc/apache2/ssl/apache.pem
   # Add this once there is a real (non self-signed) certificate.
   #  SSLCertificateKeyFile /etc/apache2/ssl/server.key
   </VirtualHost>

   Reference:

   http://trac.edgewall.org/wiki/TracOnUbuntu

10. Enable the Trac virtual host.

    sudo a2ensite trac.example.com

11. Restart the web server.

    sudo /etc/init.d/apache2 restart

The last thing to do is add the subdomains “svn” and “trac” to the DNS configuration for your domain. Once this is done, Subversion and Trac will be integrated into your server environment, and will be accessible from the web.

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 12/17/2007

This tutorial shows how to set up a CentOS 4.6 based server that offers all services needed by ISPs and web hosters: Apache web server (SSL-capable), Postfix mail server with SMTP-AUTH and TLS, BIND DNS server, Proftpd FTP server, MySQL server, Dovecot POP3/IMAP, Quota, Firewall, etc. This tutorial is written for the 32-bit version of CentOS 4.6, but should apply to the 64-bit version with very little modifications as well.

I will use the following software:

• Web Server: Apache 2.0.x
• Database Server: MySQL 4.1
• Mail Server: Postfix
• DNS Server: BIND9 (chrooted!)
• FTP Server: proftpd
• POP3/IMAP server: dovecot
• Webalizer for web site statistics

In the end you should have a system that works reliably, and if you like you can install the free webhosting control panel ISPConfig (i.e., ISPConfig runs on it out of the box).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Requirements

To install such a system you will need the following:

• Download the CentOS 4.6 DVD or the four CD iso images from a mirror near you (the list of mirrors can be found here: http://www.centos.org/modules/tinycontent/index.php?id=13).
• a fast internet connection…

1 Install The Base System

Boot from your CentOS 4.6 DVD or CD (CD 1).

It can take a long time to test the installation media so we skip this test here:

The welcome screen of the CentOS installer appears. Click on Next:

Choose your language next:

Select your keyboard layout:

We want to install a server so we choose Server here:

Next we do the partitioning. Select Automatically partition. This will give you a smalll /boot partition and a large / partition which is fine for our purposes:

I’m installing CentOS 4.6 on a fresh system, so I answer Yes to the question Would you like to initialize this drive, erasing ALL DATA?

Select Remove all partitions on this system.

We want to remove all Linux partitions, so we answer Yes to the following question:

The installer presents you an overview of our new partitions. Click on Next:

Now the boot loader GRUB will be installed. You can leave the default settings unchanged and click on Next:

On to the network settings. The default setting here is to configure the network interfaces with DHCP, but we are installing a server, so static IP addresses are not a bad idea… Click on the Edit button at the top right. In the window that pops up uncheck Configure using DHCP and give your network card a static IP address (in this tutorial I’m using the IP address 192.168.0.100 for demonstration purposes):

Set the hostname manually, e.g. server1.example.com, and enter a gateway (e.g. 192.168.0.1) and up to three DNS servers (e.g. 213.191.92.86, 145.253.2.75, and 193.174.32.18):

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That’s why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn’t use any other firewall later on as it will most probably interfere with the CentOS firewall).

SELinux is a security extension of CentOS that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Click on Proceed:

Select the default language for the system and add further languages, if necessary:

Choose your time zone:

Give root a password:

Now we are to select the package groups we want to install. Select Editors, Text Based Internet, Server Configuration Tools, Web Server, Mail Server, DNS Name Server, FTP Server, MySQL Database, Development Tools, Administration Tools and System Tools and click on Next:

Click on Next to start the installation:

The hard drive is being partitioned:

The installation begins. This will take a few minutes:

Finally, the installation is complete, and you can remove your CD from the computer and reboot it:

Now, on to the configuration…

2 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

# Do not remove the following line, or various programs

# that require network functionality will fail.

127.0.0.1               localhost.localdomain localhost

192.168.0.100           server1.example.com server1

3 Configure Additional IP Addresses

(This section is totally optional. It just shows how to add additional IP addresses to your network interface eth0 if you need more than one IP address. If you’re fine with one IP address, you can skip this section.)

Let’s assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:

cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0

BOOTPROTO=static

BROADCAST=192.168.0.255

HWADDR=00:0C:29:CD:66:08

IPADDR=192.168.0.100

NETMASK=255.255.255.0

NETWORK=192.168.0.0

ONBOOT=yes

TYPE=Ethernet

Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this (we can leave out the HWADDR line as it is the same physical network card):

vi /etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0

BOOTPROTO=static

BROADCAST=192.168.0.255

IPADDR=192.168.0.101

NETMASK=255.255.255.0

NETWORK=192.168.0.0

ONBOOT=yes

TYPE=Ethernet

Afterwards we have to restart the network:

/etc/init.d/network restart

You might also want to adjust /etc/hosts after you have added new IP addresses, although this is not necessary.

Now run

ifconfig

You should now see your new IP address in the output:

[root@server1 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:CD:66:08
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fecd:6608/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:373 errors:0 dropped:0 overruns:0 frame:0
TX packets:385 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:31529 (30.7 KiB) TX bytes:64449 (62.9 KiB)
Interrupt:177 Base address:0×1400

eth0:0 Link encap:Ethernet HWaddr 00:0C:29:CD:66:08
inet addr:192.168.0.101 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:177 Base address:0×1400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)

[root@server1 ~]#

4 Configure The Firewall

(You can skip this chapter if you have already disabled the firewall during the basic system installation.)

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That’s why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn’t use any other firewall later on as it will most probably interfere with the CentOS firewall).

Run

system-config-securitylevel

Select Disabled and press OK.

To check that the firewall has really been disabled, you can run

iptables -L

afterwards. The output should look like this:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@server1 ~]#

5 Disable SELinux

(You can skip this chapter if you have already disabled SELinux during the basic system installation.)

SELinux is a security extension of CentOS that should provide extended security. In my opinion you don’t need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn’t working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

vi /etc/selinux/config

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#       enforcing - SELinux security policy is enforced.

#       permissive - SELinux prints warnings instead of enforcing.

#       disabled - SELinux is fully disabled.

SELINUX=disabled

# SELINUXTYPE= type of policy in use. Possible values are:

#       targeted - Only targeted network daemons are protected.

#       strict - Full SELinux protection.

SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

6 Install Some Software

First we import the GPG keys for software packages:

rpm –import /usr/share/rhn/RPM-GPG-KEY*

Then we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils gcc gcc-c++

7 Quota

To install quota, we run this command:

yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):

vi /etc/fstab

# This file is edited by fstab-sync - see 'man fstab-sync' for details

/dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota        1 1

LABEL=/boot             /boot                   ext3    defaults        1 2

none                    /dev/pts                devpts  gid=5,mode=620  0 0

none                    /dev/shm                tmpfs   defaults        0 0

none                    /proc                   proc    defaults        0 0

none                    /sys                    sysfs   defaults        0 0

/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

/dev/hdc                /media/cdrecorder       auto    pamconsole,exec,noauto,managed 0 0

/dev/fd0                /media/floppy           auto    pamconsole,exec,noauto,managed 0 0

Then run

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

to enable quota.

8 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot

Then do this:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
chkconfig –levels 235 named on
/etc/init.d/named start

BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

9 MySQL (4.1)

To install MySQL, we do this:

yum install mysql mysql-devel mysql-server

The MySQL init script on CentOS might cause problems when you try to restart MySQL. In some cases it tries to start MySQL before the old MySQL process has stopped which leads to a failure. The solution is to edit the restart section of /etc/init.d/mysqld and add a few seconds delay between the stop and the start of MySQL.

Edit /etc/init.d/mysqld:

vi /etc/init.d/mysqld

and change this section:

[...]

restart(){

    stop

    start

}

[...]

so that it looks like this:

[...]

restart(){

    stop

    sleep 3

    start

}

[...]

This adds a three second delay between the stop and start of MySQL.

Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:

chkconfig –levels 235 mysqld on
/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap | grep mysql

It should show something like this:

[root@server1 ~]# netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 3590/mysqld
[root@server1 ~]#

If it does not, edit /etc/my.cnf and comment out the option skip-networking:

vi /etc/my.cnf

[...]

#skip-networking

[...]

and restart your MySQL server:

/etc/init.d/mysqld restart

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).

10 Postfix With SMTP-AUTH And TLS

Now we install Postfix and dovecot (dovecot will be our POP3/IMAP server):

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot

Next we configure SMTP-AUTH and TLS:

postconf -e ‘smtpd_sasl_local_domain =’
postconf -e ‘smtpd_sasl_auth_enable = yes’
postconf -e ‘smtpd_sasl_security_options = noanonymous’
postconf -e ‘broken_sasl_auth_clients = yes’
postconf -e ‘smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination’
postconf -e ‘inet_interfaces = all’
postconf -e ‘mynetworks = 127.0.0.0/8′

We must edit /usr/lib/sasl2/smtpd.conf so that Postfix allows PLAIN and LOGIN logins. On a 64Bit Centos 4.6 you must edit the file /usr/lib64/sasl2/smtpd.conf instead. It should look like this:

vi /usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd

mech_list: plain login

Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Next we configure Postfix for TLS:

postconf -e ‘smtpd_tls_auth_only = no’
postconf -e ‘smtp_use_tls = yes’
postconf -e ‘smtpd_use_tls = yes’
postconf -e ‘smtp_tls_note_starttls_offer = yes’
postconf -e ‘smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key’
postconf -e ‘smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt’
postconf -e ‘smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem’
postconf -e ‘smtpd_tls_loglevel = 1′
postconf -e ‘smtpd_tls_received_header = yes’
postconf -e ‘smtpd_tls_session_cache_timeout = 3600s’
postconf -e ‘tls_random_source = dev:/dev/urandom’

Then we set the hostname in our Postfix installation (make sure you replace server1.example.com with your own hostname):

postconf -e ‘myhostname = server1.example.com’

After these configuration steps you should now have a /etc/postfix/main.cf that looks like this (I have removed all comments from it):

cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/libexec/postfix

mail_owner = postfix

inet_interfaces = all

mydestination = $myhostname, localhost.$mydomain, localhost

unknown_local_recipient_reject_code = 550

alias_maps = hash:/etc/aliases

alias_database = hash:/etc/aliases

debug_peer_level = 2

debugger_command =

         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

         xxgdb $daemon_directory/$process_name $process_id & sleep 5sendmail_path = /usr/sbin/sendmail.postfix

newaliases_path = /usr/bin/newaliases.postfix

mailq_path = /usr/bin/mailq.postfix

setgid_group = postdrop

html_directory = no

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/postfix-2.2.10/samples

readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES

smtpd_sasl_local_domain =

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

mynetworks = 127.0.0.0/8

smtpd_tls_auth_only = no

smtp_use_tls = yes

smtpd_use_tls = yes

smtp_tls_note_starttls_offer = yes

smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key

smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt

smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

myhostname = server1.example.com

By default, CentOS’ dovecot daemon provides only IMAP and IMAPs services. Because we also want POP3 and POP3s we must configure dovecot to do so. We edit /etc/dovecot.conf and put the line protocols = imap imaps pop3 pop3s into it:

vi /etc/dovecot.conf

[...]

# Base directory where to store runtime data.

#base_dir = /var/run/dovecot/# Protocols we want to be serving:

#  imap imaps pop3 pop3s

protocols = imap imaps pop3 pop3s

[...]

Now start Postfix, saslauthd, and dovecot:

chkconfig –levels 235 sendmail off
chkconfig –levels 235 postfix on
chkconfig –levels 235 saslauthd on
chkconfig –levels 235 dovecot on
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start
/etc/init.d/dovecot start

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH LOGIN PLAIN

everything is fine.

[root@server1 ssl]# telnet localhost 25
Trying 127.0.0.1…
Connected to localhost.localdomain (127.0.0.1).
Escape character is ‘^]’.
220 server1.example.com ESMTP Postfix
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
[root@server1 ssl]#

Type

quit

to return to the system’s shell.

10.1 Maildir

dovecot uses Maildir format (not mbox), so if you install ISPConfig on the server, please make sure you enable Maildir under Management -> Server -> Settings -> Email. ISPConfig will then do the necessary configuration.

If you do not want to install ISPConfig, then you must configure Postfix to deliver emails to a user’s Maildir:

postconf -e ‘home_mailbox = Maildir/’
postconf -e ‘mailbox_command =’
/etc/init.d/postfix restart

11 Apache2 With PHP

Now we install Apache with PHP (this is PHP 4.3.9; CentOS does not provide PHP5 packages):

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel

Then edit /etc/httpd/conf/httpd.conf:

vi /etc/httpd/conf/httpd.conf

and change DirectoryIndex to

[...]

DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl

[...]

Now configure your system to start Apache at boot time:

chkconfig –levels 235 httpd on

Start Apache:

/etc/init.d/httpd start

11.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/httpd/conf.d/php.conf and comment out the AddType line:

vi /etc/httpd/conf.d/php.conf

#

# PHP is an HTML-embedded scripting language which attempts to make it

# easy for developers to write dynamically generated webpages.

#LoadModule php4_module modules/libphp4.so

#

# Cause the PHP interpreter to handle files with a .php extension.

#

#AddType application/x-httpd-php .php

# AddType application/x-httpd-php-source .phps

#

# Add index.php to the list of files that will be served as directory

# indexes.

#

DirectoryIndex index.php

Afterwards we restart Apache:

/etc/init.d/httpd restart

12 ProFTPd

ISPConfig has better support for proftpd than vsftpd, so let’s remove vsftpd:

yum remove vsftpd

Because CentOS has no proftpd package, we must use a third-party yum repository to install it:

cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
rpm –import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt

Now we can install proftpd:

yum install proftpd

Let’s create proftpd‘s system startup links and start it:

chkconfig –levels 235 proftpd on
/etc/init.d/proftpd start

Then create the file /etc/pam.d/ftp with the following content (otherwise you will not be able to log in with system users using FTP):

vi /etc/pam.d/ftp

#%PAM-1.0

auth    required        pam_unix.so     nullok

account required        pam_unix.so

session required        pam_unix.so

and restart proftpd:

/etc/init.d/proftpd restart

13 Webalizer

To install webalizer, just run

yum install webalizer

14 Synchronize The System Clock

If you want to have the system clock synchronized with an NTP server do the following:

yum install ntp

chkconfig –levels 235 ntpd on
ntpdate 0.pool.ntp.org
/etc/init.d/ntpd start

15 Install Some Perl Modules

ISPConfig comes with SpamAssassin which needs a few Perl modules to work. We install the required Perl modules with a single command:

yum install perl-DBI perl-Net-DNS perl-Digest-SHA1

We also need the module HTML::Parser. We could install the CentOS package perl-HTML-Parser, but this version is too old for the SpamAssassin version that comes with ISPConfig. It would result in the following error message during ISPConfig installation:

REQUIRED module out of date: HTML::Parser

Therefore we must install the latest HTML::Parser using the Perl shell.

Run the following command to start the Perl shell:

perl -MCPAN -e shell

If you run the Perl shell for the first time you will be asked some questions. In most cases the default answers are ok. Because there’s no ncftp package for CentOS, the Perl shell cannot find the programs ncftpget and ncftp, and you’ll see something like this:

Warning: ncftpget not found in PATH
Where is your ncftpget program? []
Warning: ncftp not found in PATH
Where is your ncftp program? []

It’s ok to hit ENTER in both cases.

Please note: If you run a firewall on your system you might have to turn it off while working on the Perl shell in order for the Perl shell to be able to fetch the needed modules without a big delay. You can switch it on afterwards.

Now type in the following command to install the Perl module HTML::Parser:

install HTML::Parser

If the installation is successful, you’ll see a line like this at the end:

/usr/bin/make install — OK

Type

q

afterwards to leave the Perl shell.

16 The End

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it.

16.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as CentOS’ suExec is compiled with /var/www as Doc_Root. Run

/usr/sbin/suexec -V

and the output should look like this:

[root@server1 ~]# /usr/sbin/suexec -V
-D AP_DOC_ROOT=”/var/www”
-D AP_GID_MIN=100
-D AP_HTTPD_USER=”apache”
-D AP_LOG_EXEC=”/var/log/httpd/suexec.log”
-D AP_SAFE_PATH=”/usr/local/bin:/usr/bin:/bin”
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX=”public_html”
[root@server1 ~]#

So if you want to use suExec with ISPconfig, don’t change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can’t change the web root anyway so you’ll be able to use suExec in any case).

17 Links

• CentOS: http://www.centos.org
• ISPConfig: http://www.ispconfig.org

other
click here
click here
clicky
other
other
other
friendly link
friendly link
read more
read more
friendly link
clicky
click here
friendly link

This how to uses Ubuntu 7.10 Server install. I am sure that this could be done with a much smaller install base, rather than server – I might have used the Alternative CD, or maybe even some other distribution like DSL, or Puppy Linux (if you needed GUI [graphical user interface] ). But for proof of concept this worked fine. I used an Old Dell GX100 Optiplex with 256 MB of RAM (I don’t think I need any more that 128 [maybe even 64MB], but this is what was in the box when I pulled it out of the pile). It has a small form factor, and runs pretty quiet. My steps are geared toward English & US, so you may want to change those if your using something else =).

Read more…

Install Debian. I used the basic barebones install option. I did
some things that were done because of preference, and not necessary. I
have marked them approriately. I encourage contributions from anyone
who would like to add or correct something in this HowTo to contact me
so I can fix it. I have installed this setup twice following these
instructions and used Avantfax 2.3.0. Thanks to all the resources who
helped me figure this out. Especially Razametal, who submitted a
fantastic Spanish language walkthrough on ecualug.org.

Read more…

There are already tons of written Snort rules, but there just might
be a time where you need to write one yourself. You can think of
writing Snort rules as writing a program. They can include variables,
keywords and functions. Why do we need to write rules? The reason is,
without rules Snort will never detect someone trying to hack your
machine. This HOWTO will give you confidence to write your own rules.

Read more…

It’s very simple to masquerade (internet connection sharing in
Windows language ) on Linux with a few lines of iptables and ip_forward
commands.

Read more…

This document describes how to set up Hyperic HQ on Fedora 8. The
resulting system provides an awesome, web-based “System
ManagementSoftware”. It’s the next stage of classical monitoring and
able to manage all kinds of operating systems, web servers, application
servers and database servers.

Read more…

DRBD is an abbreviation of Distributed Replicated Block Device.
DRBD is a block device which is designed to build high-availability
clusters. This is done by mirroring a whole block device via (a
dedicated) network. You could see it as a network RAID1.

Read more…