Index: openacs-4/packages/acs-core-docs/www/install-redhat.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/install-redhat.html,v diff -u -r1.10 -r1.11 --- openacs-4/packages/acs-core-docs/www/install-redhat.html 31 Oct 2003 15:57:34 -0000 1.10 +++ openacs-4/packages/acs-core-docs/www/install-redhat.html 5 Nov 2003 11:48:10 -0000 1.11 @@ -1,4 +1,4 @@ -Appendix�A.�Install Red Hat 8.0

Appendix�A.�Install Red Hat 8.0

+Appendix�A.�Install Red Hat 8/9

Appendix�A.�Install Red Hat 8/9

by Joel Aufrecht
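Review bot: the new title "Install Red Hat 8/9" uses a different version form from the steps changed in this same revision, which say "Red Hat 8.0 or 9.0"; pick one form for both, e.g. "Install Red Hat 8.0/9.0", so the appendix title and the step text agree.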
OpenACS docs are written by the named authors, and may be edited by OpenACS documentation staff. @@ -8,7 +8,8 @@ works and is secure; it should take about an hour. (In my experience, it's almost always a net time savings of several hours to install a new machine from scratch compared to installing each - of these packages installed independently.)

The installation guide assumes you can do the following on + of these packages installed independently.)

The installation guide assumes you have:

  • A PC with hard drive you can reinstall

  • Red Hat 8.0 or 9.0 install discs

  • A CD with the current Security + Patches for your version of Red Hat.

The installation guide assumes that you can do the following on your platform:

  • Adding users, groups, setting passwords @@ -26,12 +27,12 @@

    1. Unplug the network cable from your computer. We don't want to connect to the network until we're sure the computer is secure. - + (Wherever you see the word secure, you should always read it as, "secure enough for our purposes, given the amount of work we're willing to exert and the estimated risk and - consequences.")

    2. Insert Red Hat 8.0 Disk 1 into the + consequences.")

    3. Insert Red Hat 8.0 or 9.0 Disk 1 into the CD-ROM and reboot the computer

    4. At the boot: prompt, press Enter for a @@ -54,7 +55,7 @@ Review (and modify if needed) the partitions created and click Next

    5. On the pop-up window asking "Are you sure you want to do this?" click Yes - IF YOU ARE WIPING YOUR HARD DRIVE.

    6. Click Next on the boot loader screen

  • Configure Networking. + IF YOU ARE WIPING YOUR HARD DRIVE.

  • Click Next on the boot loader screen

  • Configure Networking. Again, if you know what you're doing, do this step yourself, being sure to note the firewall holes. Otherwise, follow the instructions in this step to set up a computer directly connected to the internet with a dedicated IP address.

    1. DHCP is a system by which a computer that @@ -75,19 +76,10 @@ Mail (SMTP). In the Other ports box, enter 443, 8000, 8443. Click Next. -Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.

  • Select any additional languages you want the +Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.

  • Select any additional languages you want the computer to support and then click Next

  • Choose your time zone and click Next.

  • Type in a root -password, twice. To - improve security, we're going to prevent anyone from - connecting to the computer directly as root. Instead, - we'll create a different user, called - remadmin, used solely to - connect to the computer for administration. Click -Add -and enter username remadmin and a password, -twice, then click OK. Then click -Next.

  • On the Package selection page, we're going to +password, twice.
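Review bot: dropping the "Click Add and enter username remadmin" text from the root-password step leaves no step in the guide that creates the remadmin account, yet the SSH hunk in this same patch tells the reader to "create a remote access account, such as "remadmin"", and the connectivity check still logs in as remadmin and runs "su -". With PermitRootLogin no and no remadmin account, the reader has no remote login path at all. Either keep the installer instruction here or add an explicit useradd/passwd step for remadmin before sshd is locked down.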

  • On the Package selection page, we're going to uncheck a lot of packages that install software we don't need, and add packages that have stuff we do need. You should install everything we're installing here or the guide may not work for you; you can @@ -96,12 +88,14 @@ risk that's still screened by the firewall, or a resource hog. Just don't install a database or web server, because that would conflict with the database and web server we'll install later. -

    check�Editors�(this�installs�emacs),
    +

    check�Editors�(this�installs�emacs),
    click�Details�next�to�Text-based�Internet,�check�lynx,�and�click�OK;
    -check�Authoring�and�Publishing�(this�installs�docbook),
    +check�Authoring�and�Publishing�(this�installs�docbook),
    uncheck�Server�Configuration�Tools,
    uncheck�Web�Server,
    uncheck�Windows�File�Server,
    +check�SQL�Database
    +Server
    �(this�installs�PostGreSQL,
    check�Development�Tools�(this�installs�gmake�and�other�build�tools),
    uncheck�Administration�Tools,�and
    uncheck�Printing�Support.�

    At the bottom, check Select Individual Packages and click Next
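Review bot: the added item "check SQL Database Server (this installs PostGreSQL," contradicts the unchanged sentence just above it, "Just don't install a database or web server, because that would conflict with the database and web server we'll install later"; either qualify that sentence or make the PostgreSQL item explicitly optional, matching the later hunk's "If you installed PostGreSQL". The new item is also missing its closing parenthesis and splits "SQL Database" and "Server" across two lines.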

  • We need to fine-tune the exact list of packages. @@ -111,13 +105,15 @@ Flat View and wait. In a minute, a list of packages will appear.

    uncheck�apmd�(monitors�power,�not�very�useful�for�servers),�
    -check�ImageMagick�(required�for�the�photo-album�packages,�
    +check�ImageMagick�(required�for�the�photo-album�packages,�
    uncheckisdn4k-utils�(unless�you�are�using�isdn,�this�installs�a�useless�daemon),�
    check�mutt�(a�mail�program�that�reads�Maildir),
    uncheck�nfs-utils�(nfs�is�a�major�security�risk),�
    uncheck�pam-devel�(I�don't�remember�why,�but�we�don't�want�this),�
    uncheck�portmap,�
    uncheck�postfix�(this�is�an�MTA,�but�we're�going�to�install�qmail�later),�
    +check
    +postgresql-devel,
    uncheck�rsh�(rsh�is�a�security�hole),�
    uncheck�sendmail�(sendmail�is�an�insecure�MTA;�we're�going�to�install�qmail�instead�later),
    check�tcl�(we�need�tcl),�and�
    @@ -139,7 +135,15 @@

  • After it finishes rebooting and shows the login prompt, log in:

    yourserver login: root
     Password:
    -[root@yourserver root]#
  • Lock down SSH

    1. +[root@yourserver root]#

    2. Install any security patches. For example, insert your CD with + patches, mount it with mount + /dev/cdrom, then cd + /mnt/cdrom, then rpm -UVH + *rpm. Both Red Hat 8.0 and 9.0 have had both + kernel and openssl/openssh root exploits, so you should be + upgrading all of that. Since you are upgrading the kernel, + reboot after this step. +

    3. Lock down SSH
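Review bot: the rpm invocation in the new "Install any security patches" step should be "rpm -Uvh *.rpm": rpm's upgrade mode is -U with lowercase -v (verbose) and -h (hash marks), whereas uppercase -V is rpm's verify mode, so "-UVH" is not the upgrade command the text intends. "mount /dev/cdrom" also depends on an fstab entry for the drive; stating the full mount command would make the step self-contained. Since this step already upgrades the kernel and reboots, it would help to say here that the later "Upgrade the kernel" step is the alternative for readers without a patch CD, so the two are not both run.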

      1. SSH is the protocol we use to connect securely to the computer (replacing telnet, which is insecure). sshd is the daemon that listens for incoming @@ -148,8 +152,15 @@ computer as root. Type this into the shell:

        emacs /etc/ssh/sshd_config
      2. Search�for�the�word�"root"�by�typing�C-s�(that's�emacs-speak�for�control-s)�and�then�root.���
        Make�the�following�changes:
        -

        #Protocol�2,1
        �to�
        Protocol�2
        �(this�prevents�any�connections�via�SSH�1,�which�is�insecure)
        -
        #PermitRootLogin�yes
        �to�
        PermitRootLogin�no
        �(this�prevents�the�root�use�from�logging�in�via�ssh)
        +
        #Protocol�2,1
        �to
        +������������
        Protocol�2

        +������������(this�prevents�any�connections�via�SSH�1,�which�is�insecure)
        +
        #PermitRootLogin�yes
        �to
        +������������
        PermitRootLogin�no

        +������������(this�prevents�the�root�user�from�logging�in�remotely�via
        +������������ssh.��If�you�do�this,�be�sure�to�create�a�remote�access
        +������������account,�such�as�"remadmin",�which�you�can�use�to�get�ssh
        +������������before�using�"su"�to�become�root.)
        #PermitEmptyPasswords�no
        �to�
        PermitEmptyPasswords�no
        �(this�blocks�passwordless�accounts)

        �and�save�and�exit�by�typing�C-x�C-s�C-x�C-c

      3. Restart sshd so that the change takes effect.
        service sshd restart
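Review bot: the replacement text for PermitRootLogin tells the reader to "be sure to create a remote access account, such as "remadmin"", but this revision removes the installer step that created that account, and the edit gives no command for creating it. Add the account creation as a concrete step before "service sshd restart", e.g. "useradd remadmin" followed by "passwd remadmin", so the advice is actionable and the reader is not locked out when root login is disabled. The typo fix "root use" to "root user" in the same lines is good.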
    4. Red Hat still installed a few services we @@ -161,7 +172,8 @@

      service pcmcia stop
       service netfs stop
       chkconfig --del pcmcia
      -chkconfig --del netfs
    5. Plug in the network cable.

    6. Verify that you have connectivity by going to another +chkconfig --del netfs

      If you installed PostGreSQL, do also +service postgresql start and chkconfig --add postgresql.

    7. Plug in the network cable.

    8. Verify that you have connectivity by going to another computer and ssh'ing to yourserver, logging in as remadmin, and promoting yourself to root:

      [joeuser@someotherserver]$  ssh remadmin@yourserver.test
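Review bot: the new "chkconfig --add postgresql" only registers the init script; whether the service starts at boot depends on the script's own chkconfig defaults, so follow it with "chkconfig postgresql on" (and verify with "chkconfig --list postgresql") if the database is expected to come up after the reboot the earlier patch step calls for. Also, "PostGreSQL" should be spelled "PostgreSQL", consistent with the service name used in the command.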
      @@ -173,7 +185,10 @@
       Last login: Mon Mar  3 21:15:27 2003 from host-12-01.dsl-sea.seanet.com
       [remadmin@yourserver remadmin]$ su -
       Password: 
      -[root@yourserver root]#
    9. Upgrade the kernel to fix a security hole. The default +[root@yourserver root]#

    10. If you didn't burn a CD of patches and use it, can still + download and install the necessary patches. Here's how to + do it for the kernel; you should also check for other + critical packages.

      Upgrade the kernel to fix a security hole. The default Red Hat 8.0 system kernel (2.4.18-14, which you can check with uname -a) has several security problems. Download the new kernel, install it, and reboot.

      [root@yourserver root]# cd /tmp
       [root@yourserver tmp]# wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
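Review bot: the new sentence is missing a word: "If you didn't burn a CD of patches and use it, can still download" should read "you can still download". The retained text beneath it still names only the Red Hat 8.0 kernel (2.4.18-14) and fetches the rpm from the 7.1 updates tree, while this revision now covers 9.0 as well; at minimum say that the version and URL shown are 8.0-specific and that 9.0 readers should fetch the current kernel for their release.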