Index: openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml,v diff -u -r1.5 -r1.6 --- openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml 5 Nov 2003 11:48:12 -0000 1.5 +++ openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml 11 Dec 2003 21:39:49 -0000 1.6 @@ -8,7 +8,7 @@ Install Red Hat 8/9 - by Joel Aufrecht + by Joel Aufrecht This section takes a blank PC and sets up some supporting @@ -63,7 +63,7 @@ Unplug the network cable from your computer. We don't want to connect to the network until we're sure the computer is secure. - + security definition @@ -101,7 +101,6 @@ Next. - Reformat the hard drive. If you know what you're doing, do this step on your own. Otherwise: we're going to let the @@ -159,7 +158,7 @@ Select any additional languages you want the computer to support and then click Next - Choose your time zone and click Next.. + Choose your time zone and click Next. Type in a root password, twice. 
@@ -172,17 +171,18 @@ risk that's still screened by the firewall, or a resource hog. Just don't install a database or web server, because that would conflict with the database and web server we'll install later. -check Editors (this installs emacsemacsinstallation), -click Details next to Text-based Internet, check lynx, and click OK; -check Authoring and Publishing (docbookinstallationthis installs docbook), -uncheck Server Configuration Tools, -uncheck Web Server, -uncheck Windows File Server, -check SQL Database -Server (this installs PostGreSQL, -check Development Tools (this installs gmake and other build tools), -uncheck Administration Tools, and -uncheck Printing Support. + +check Editors (this installs emacsemacsinstallation), +click Details next to Text-based Internet, check lynx, and click OK; +check Authoring and Publishing (docbookinstallationthis installs docbook), +uncheck Server Configuration Tools, +uncheck Web Server, +uncheck Windows File Server, +check SQL Database Server (this installs PostgreSQL), +check Development Tools (this installs gmake and other build tools), +uncheck Administration Tools, and +uncheck Printing Support. + At the bottom, check Select Individual Packages and click Next 
@@ -193,21 +193,23 @@ Flat View and wait. In a minute, a list of packages will appear. -uncheck apmd (monitors power, not very useful for servers), -check ImageMagick (required for the photo-albuminstallationImageMagickphoto-album packages, -uncheckisdn4k-utils (unless you are using isdn, this installs a useless daemon), -check mutt (a mail program that reads Maildir), -uncheck nfs-utils (nfs is a major security risk), -uncheck pam-devel (I don't remember why, but we don't want this), -uncheck portmap, -uncheck postfix (this is an MTA, but we're going to install qmail later), -check -postgresql-devel, -uncheck rsh (rsh is a security hole), -uncheck sendmail (sendmail is an insecure MTA; we're going to install qmail instead later), -check tcl (we need tcl), and -uncheck xinetd (xinetd handles incoming tcp connections. We'll install a different, more secure program, ucspi-tcp). -Click Next + +uncheck apmd (monitors power, not very useful for servers), +check ImageMagick (required for the photo-albuminstallationImageMagickphoto-album packages, +uncheckisdn4k-utils (unless you are using isdn, this installs a useless daemon), +check mutt (a mail program that reads Maildir), +uncheck nfs-utils (nfs is a major security risk), +uncheck pam-devel (I don't remember why, but we don't want this), +uncheck portmap, +uncheck postfix (this is an MTA, but we're going to install qmail later), +check postgresql-devel, +uncheck rsh (rsh is a security hole), +uncheck sendmail (sendmail is an insecure MTA; we're going to install qmail instead later), +check tcl (we need tcl), and +uncheck xinetd (xinetd handles incoming tcp connections. We'll install a different, more secure program, ucspi-tcp). +Click Next + + Red Hat isn't completely happy with the combination of packages we've selected, and wants to satisfy some dependencies. 
@@ -252,36 +254,57 @@ Lock down SSH - - ssh - -SSH is the protocol we use to connect - securely to the computer (replacing telnet, which is - insecure). sshd is the daemon that listens for incoming - ssh connections. As a security precaution, we are now going - to tell ssh not to allow anyone to connect directly to this - computer as root. Type this into the shell: - emacs /etc/ssh/sshd_config - Search for the word "root" by typing C-s (that's emacs-speak for control-s) and then root. -Make the following changes: -#Protocol 2,1 to - Protocol 2 - (this prevents any connections via SSH 1, which is insecure) -#PermitRootLogin yes to - PermitRootLogin no - (this prevents the root user from logging in remotely via - ssh. If you do this, be sure to create a remote access - account, such as "remadmin", which you can use to get ssh - before using "su" to become root.) -#PermitEmptyPasswords no to PermitEmptyPasswords no (this blocks passwordless accounts) - - and save and exit by typing C-x C-s C-x C-c - Restart sshd so that the change takes effect.service sshd restart + + + ssh + SSH is the protocol we use to connect + securely to the computer (replacing telnet, which is + insecure). sshd is the daemon that listens for incoming + ssh connections. As a security precaution, we are now going + to tell ssh not to allow anyone to connect directly to this + computer as root. Type this into the shell: + + emacs /etc/ssh/sshd_config + + Search for the word "root" by typing C-s (that's emacs-speak for control-s) and then root. + + + Make the following changes: + + #Protocol 2,1 to + Protocol 2 + (this prevents any connections via SSH 1, which is insecure) + #PermitRootLogin yes to + PermitRootLogin no + (this prevents the root user from logging in remotely via + ssh. 
If you do this, be sure to create a remote access + account, such as "remadmin", which you can use to get ssh + before using "su" to become root) + #PermitEmptyPasswords no to PermitEmptyPasswords no + (this blocks passwordless accounts) and save and exit by typing C-x C-s C-x C-c + + + Restart sshd so that the change takes effect.service sshd restart + - Red Hat still installed a few services we -don't need, and which can be security holes. Use the service command to turn them off, and then use chkconfig to automatically edit the System V init directories to permanently (The System V init directories are the ones in /etc/rc.d. They consist of a bunch of scripts for starting and stopping programs, and directories of symlinks for each system level indicating which services should be up and down at any given service level. We'll use this system for PostGreSQL, but we'll use daemontools to perform a similar function for AOLServer. (The reason for this discrepencies is that, while daemontools is better, it's a pain in the ass to deal with and nobody's had any trouble leaving PostGreSQL the way it is.) + + + Red Hat still installed a few services we don't need, and + which can be security holes. Use the service command to turn + them off, and then use chkconfig to automatically edit the + System V init directories to permanently (The System V init + directories are the ones in /etc/rc.d. They consist of a + bunch of scripts for starting and stopping programs, and + directories of symlinks for each system level indicating + which services should be up and down at any given service + level. We'll use this system for PostgreSQL, but we'll use + daemontools to perform a similar function for AOLserver. + (The reason for this discrepencies is that, while daemontools + is better, it's a pain in the ass to deal with and nobody's + had any trouble leaving PostgreSQL the way it is.) 
+ [root@yourserver root]# service pcmcia stop [root@yourserver root]# service netfs stop [root@yourserver root]# chkconfig --del pcmcia @@ -291,7 +314,7 @@ service netfs stop chkconfig --del pcmcia chkconfig --del netfs - If you installed PostGreSQL, do also + If you installed PostgreSQL, do also service postgresql start and chkconfig --add postgresql.
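Review bot: the reflowed package list in the @@ -193,21 +193,23 @@ hunk leaves two defects in place that this rewrap was well placed to fix: the added line `+uncheckisdn4k-utils (unless you are using isdn, this installs a useless daemon),` is missing the space after "uncheck", and `+check ImageMagick (required for the photo-album... packages,` opens a parenthesis that is never closed. Suggest `uncheck isdn4k-utils` and `... photo-album packages),` while these lines are being touched, so the rendered checklist reads the same as the surrounding "uncheck nfs-utils (...)" items.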
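Review bot: in the "Lock down SSH" hunk the step ordering can lock an administrator out. The `PermitRootLogin no` note itself says "be sure to create a remote access account, such as "remadmin", which you can use to get ssh before using "su" to become root", yet the very next step is `Restart sshd so that the change takes effect.service sshd restart` with no such account created. Suggest moving the account-creation step ahead of `service sshd restart`, or stating that this part must be done on the console. Two smaller points in the same hunk: the edit `#PermitEmptyPasswords no to PermitEmptyPasswords no` has identical before and after values, so the text should say it makes the existing setting explicit rather than implying it blocks something that was previously allowed; and "takes effect.service sshd restart" needs the prose and the command separated (the old lines had the same run-together formatting, and the rewrap reproduces it).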
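Review bot: the rewrapped services paragraph (the hunk ending in `service pcmcia stop` / `chkconfig --del netfs`) still carries a truncated sentence and an unclosed parenthesis: `use chkconfig to automatically edit the System V init directories to permanently (The System V init` never says what is done permanently (presumably "disable them"), and the parenthetical that opens there is never closed, so the explanation of /etc/rc.d runs straight into the command listing. "discrepencies" on the `+` line is also still misspelled. Suggest "to permanently disable them (The System V init directories ... the way it is.)" and "discrepancy", since the hunk already rewrites exactly these lines and a follow-up fix would touch them again.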