| Prev | Part�II.�Administrator's Guide | Next |
|---|
- by Joel Aufrecht
+
This section takes a blank PC and sets up some supporting software. You should do this section as-is if you have a machine you can reformat and you want to be sure that your installation works and is secure; it should take about an hour. (In my @@ -27,7 +26,7 @@
Unplug the network cable from your computer. We don't want to connect to the network until we're sure the computer is secure. - + (Wherever you see the word secure, you should always read it as, "secure enough for our purposes, given the amount of work we're @@ -55,7 +54,7 @@ Review (and modify if needed) the partitions created and click
On the pop-up window asking "Are you sure you want to do this?" click - IF YOU ARE WIPING YOUR HARD DRIVE.
Click on the boot loader screen
Click on the boot loader screen
Configure Networking. Again, if you know what you're doing, do this step yourself, being sure to note the firewall holes. Otherwise, follow the instructions in this step to set up a computer directly connected to the internet with a dedicated IP address.
DHCP is a system by which a computer that @@ -76,7 +75,7 @@ Mail (SMTP). In the Other ports box, enter 443, 8000, 8443. Click . -Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.
Select any additional languages you want the +Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.
Select any additional languages you want the computer to support and then click
Choose your time zone and click .
Type in a root password, twice.
On the Package selection page, we're going to @@ -88,37 +87,13 @@ risk that's still screened by the firewall, or a resource hog. Just don't install a database or web server, because that would conflict with the database and web server we'll install later. -
check�Editors�(this�installs�emacs),
-click�Details�next�to�Text-based�Internet,�check�lynx,�and�click�;
-check�Authoring�and�Publishing�(this�installs�docbook),
-uncheck�Server�Configuration�Tools,
-uncheck�Web�Server,
-uncheck�Windows�File�Server,
-check�SQL�Database
-Server�(this�installs�PostGreSQL,
-check�Development�Tools�(this�installs�gmake�and�other�build�tools),
-uncheck�Administration�Tools,�and
-uncheck�Printing�Support.�
At the bottom, check Select Individual Packages and click
We need to fine-tune the exact list of packages. +
At the bottom, check Select Individual Packages and click
We need to fine-tune the exact list of packages. The same rules apply as in the last step - you can add more stuff, but you shouldn't remove anything the guide adds. We're going to go through all the packages in one big list, so select Flat View and wait. In a minute, a -list of packages will appear.
uncheck�apmd�(monitors�power,�not�very�useful�for�servers),�
-check�ImageMagick�(required�for�the�photo-album�packages,�
-uncheckisdn4k-utils�(unless�you�are�using�isdn,�this�installs�a�useless�daemon),�
-check�mutt�(a�mail�program�that�reads�Maildir),
-uncheck�nfs-utils�(nfs�is�a�major�security�risk),�
-uncheck�pam-devel�(I�don't�remember�why,�but�we�don't�want�this),�
-uncheck�portmap,�
-uncheck�postfix�(this�is�an�MTA,�but�we're�going�to�install�qmail�later),�
-check
-postgresql-devel,
-uncheck�rsh�(rsh�is�a�security�hole),�
-uncheck�sendmail�(sendmail�is�an�insecure�MTA;�we're�going�to�install�qmail�instead�later),
-check�tcl�(we�need�tcl),�and�
-uncheck�xinetd�(xinetd�handles�incoming�tcp�connections.��We'll�install�a�different,�more�secure�program,�ucspi-tcp).
-Click�
Red Hat isn't completely happy with the combination +list of packages will appear.
Red Hat isn't completely happy with the combination of packages we've selected, and wants to satisfy some dependencies. Don't let it. On the next screen, choose Ignore Package @@ -143,28 +118,37 @@ kernel and openssl/openssh root exploits, so you should be upgrading all of that. Since you are upgrading the kernel, reboot after this step. -
Lock down SSH
-SSH is the protocol we use to connect - securely to the computer (replacing telnet, which is - insecure). sshd is the daemon that listens for incoming - ssh connections. As a security precaution, we are now going - to tell ssh not to allow anyone to connect directly to this - computer as root. Type this into the shell: -
emacs /etc/ssh/sshd_config
Search�for�the�word�"root"�by�typing�C-s�(that's�emacs-speak�for�control-s)�and�then�root.���
-Make�the�following�changes:
-
#Protocol�2,1�to
Protocol�2�
#PermitRootLogin�yes�to
PermitRootLogin�no�
#PermitEmptyPasswords�no�to�
PermitEmptyPasswords�no�(this�blocks�passwordless�accounts)
service sshd restart
Red Hat still installed a few services we -don't need, and which can be security holes. Use the service command to turn them off, and then use chkconfig to automatically edit the System V init directories to permanently (The System V init directories are the ones in /etc/rc.d. They consist of a bunch of scripts for starting and stopping programs, and directories of symlinks for each system level indicating which services should be up and down at any given service level. We'll use this system for PostGreSQL, but we'll use daemontools to perform a similar function for AOLServer. (The reason for this discrepencies is that, while daemontools is better, it's a pain in the ass to deal with and nobody's had any trouble leaving PostGreSQL the way it is.)
[root@yourserver root]# service pcmcia stop +
Lock down SSH
+ + SSH is the protocol we use to connect + securely to the computer (replacing telnet, which is + insecure). sshd is the daemon that listens for incoming + ssh connections. As a security precaution, we are now going + to tell ssh not to allow anyone to connect directly to this + computer as root. Type this into the shell: +
emacs /etc/ssh/sshd_config
Search for the word "root" by typing C-s (that's emacs-speak for control-s) and then root.
Make the following changes:
| #Protocol 2,1 to + Protocol 2 + (this prevents any connections via SSH 1, which is insecure) |
| #PermitRootLogin yes to + PermitRootLogin no + (this prevents the root user from logging in remotely via + ssh. If you do this, be sure to create a remote access + account, such as "remadmin", which you can use to get ssh + before using "su" to become root) |
| #PermitEmptyPasswords no to PermitEmptyPasswords no + (this blocks passwordless accounts) and save and exit by typing C-x C-s C-x C-c |
Restart sshd so that the change takes effect.
service sshd restart
+ Red Hat still installed a few services we don't need, and + which can be security holes. Use the service command to turn + them off, and then use chkconfig to automatically edit the + System V init directories to permanently (The System V init + directories are the ones in /etc/rc.d. They consist of a + bunch of scripts for starting and stopping programs, and + directories of symlinks for each system level indicating + which services should be up and down at any given service + level. We'll use this system for PostGreSQL, but we'll use + daemontools to perform a similar function for AOLServer. + (The reason for this discrepencies is that, while daemontools + is better, it's a pain in the ass to deal with and nobody's + had any trouble leaving PostGreSQL the way it is.) +
[root@yourserver root]# service pcmcia stop [root@yourserver root]# service netfs stop [root@yourserver root]# chkconfig --del pcmcia [root@yourserver root]# chkconfig --del netfs