Index: openacs-4/packages/acs-core-docs/www/install-redhat.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/install-redhat.html,v diff -u -r1.13.2.3 -r1.13.2.4 --- openacs-4/packages/acs-core-docs/www/install-redhat.html 8 Dec 2003 15:41:17 -0000 1.13.2.3 +++ openacs-4/packages/acs-core-docs/www/install-redhat.html 15 Dec 2003 15:03:47 -0000 1.13.2.4 @@ -26,7 +26,7 @@

  1. Unplug the network cable from your computer. We don't want to connect to the network until we're sure the computer is secure. - + (Wherever you see the word secure, you should always read it as, "secure enough for our purposes, given the amount of work we're @@ -54,7 +54,7 @@ Review (and modify if needed) the partitions created and click Next

  2. On the pop-up window asking "Are you sure you want to do this?" click Yes - IF YOU ARE WIPING YOUR HARD DRIVE.

  3. Click Next on the boot loader screen

  • Configure Networking. + IF YOU ARE WIPING YOUR HARD DRIVE.

  • Click Next on the boot loader screen

  • Configure Networking. Again, if you know what you're doing, do this step yourself, being sure to note the firewall holes. Otherwise, follow the instructions in this step to set up a computer directly connected to the internet with a dedicated IP address.

    1. DHCP is a system by which a computer that @@ -75,7 +75,7 @@ Mail (SMTP). In the Other ports box, enter 443, 8000, 8443. Click Next. -Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.

  • Select any additional languages you want the +Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.

  • Select any additional languages you want the computer to support and then click Next

  • Choose your time zone and click Next.

  • Type in a root password, twice.

  • On the Package selection page, we're going to @@ -87,13 +87,13 @@ risk that's still screened by the firewall, or a resource hog. Just don't install a database or web server, because that would conflict with the database and web server we'll install later. -

    check Editors (this installs emacs),
    click Details next to Text-based Internet, check lynx, and click OK;
    check Authoring and Publishing (this installs docbook),
    uncheck Server Configuration Tools,
    uncheck Web Server,
    uncheck Windows File Server,
    check SQL Database Server (this installs PostgreSQL),
    check Development Tools (this installs gmake and other build tools),
    uncheck Administration Tools, and
    uncheck Printing Support.

    At the bottom, check Select Individual Packages and click Next

  • We need to fine-tune the exact list of packages. +

    check Editors (this installs emacs),
    click Details next to Text-based Internet, check lynx, and click OK;
    check Authoring and Publishing (this installs docbook),
    uncheck Server Configuration Tools,
    uncheck Web Server,
    uncheck Windows File Server,
    check SQL Database Server (this installs PostgreSQL),
    check Development Tools (this installs gmake and other build tools),
    uncheck Administration Tools, and
    uncheck Printing Support.

    At the bottom, check Select Individual Packages and click Next

  • We need to fine-tune the exact list of packages. The same rules apply as in the last step - you can add more stuff, but you shouldn't remove anything the guide adds. We're going to go through all the packages in one big list, so select Flat View and wait. In a minute, a -list of packages will appear.

    uncheck apmd (monitors power, not very useful for servers),
    check ImageMagick (required for the photo-album packages,
    uncheckisdn4k-utils (unless you are using isdn, this installs a useless daemon),
    check mutt (a mail program that reads Maildir),
    uncheck nfs-utils (nfs is a major security risk),
    uncheck pam-devel (I don't remember why, but we don't want this),
    uncheck portmap,
    uncheck postfix (this is an MTA, but we're going to install qmail later),
    check postgresql-devel,
    uncheck rsh (rsh is a security hole),
    uncheck sendmail (sendmail is an insecure MTA; we're going to install qmail instead later),
    check tcl (we need tcl), and
    uncheck xinetd (xinetd handles incoming tcp connections. We'll install a different, more secure program, ucspi-tcp).
    Click Next
  • Red Hat isn't completely happy with the combination +list of packages will appear.

    uncheck apmd (monitors power, not very useful for servers),
    check ImageMagick (required for the photo-album packages,
    uncheckisdn4k-utils (unless you are using isdn, this installs a useless daemon),
    check mutt (a mail program that reads Maildir),
    uncheck nfs-utils (nfs is a major security risk),
    uncheck pam-devel (I don't remember why, but we don't want this),
    uncheck portmap,
    uncheck postfix (this is an MTA, but we're going to install qmail later),
    check postgresql-devel,
    uncheck rsh (rsh is a security hole),
    uncheck sendmail (sendmail is an insecure MTA; we're going to install qmail instead later),
    check tcl (we need tcl), and
    uncheck xinetd (xinetd handles incoming tcp connections. We'll install a different, more secure program, ucspi-tcp).
    Click Next
  • Red Hat isn't completely happy with the combination of packages we've selected, and wants to satisfy some dependencies. Don't let it. On the next screen, choose Ignore Package @@ -110,7 +110,7 @@

  • After it finishes rebooting and shows the login prompt, log in:

    yourserver login: root
     Password:
    -[root@yourserver root]#
  • Install any security patches. For example, insert your CD with +[root root]#

  • Install any security patches. For example, insert your CD with patches, mount it with mount /dev/cdrom, then cd /mnt/cdrom, then rpm -UVH @@ -119,7 +119,7 @@ upgrading all of that. Since you are upgrading the kernel, reboot after this step.

  • Lock down SSH

    1. - + SSH is the protocol we use to connect securely to the computer (replacing telnet, which is insecure). sshd is the daemon that listens for incoming @@ -148,15 +148,15 @@ (The reason for this discrepencies is that, while daemontools is better, it's a pain in the ass to deal with and nobody's had any trouble leaving PostgreSQL the way it is.) -

      [root@yourserver root]# service pcmcia stop
      -[root@yourserver root]# service netfs stop
      -[root@yourserver root]# chkconfig --del pcmcia
      -[root@yourserver root]# chkconfig --del netfs
      -[root@yourserver root]#
      -
      service pcmcia stop
      +       

      [root root]# service pcmcia stop
      +[root root]# service netfs stop
      +[root root]# chkconfig --del pcmcia
      +[root root]# chkconfig --del netfs
      +[root root]#
      +service pcmcia stop
       service netfs stop
       chkconfig --del pcmcia
      -chkconfig --del netfs

      If you installed PostgreSQL, do also +chkconfig --del netfs

      If you installed PostgreSQL, do also service postgresql start and chkconfig --add postgresql.

    2. Plug in the network cable.

    3. Verify that you have connectivity by going to another computer and ssh'ing to yourserver, logging in as @@ -167,15 +167,15 @@ Warning: Permanently added 'yourserver.test (1.2.3.4)' (DSA) to the list of known hosts. Password: Last login: Mon Mar 3 21:15:27 2003 from host-12-01.dsl-sea.seanet.com -[remadmin@yourserver remadmin]$ su - +[remadmin remadmin]$ su - Password: -[root@yourserver root]#

    4. If you didn't burn a CD of patches and use it, can still +[root root]#

    5. If you didn't burn a CD of patches and use it, can still download and install the necessary patches. Here's how to do it for the kernel; you should also check for other critical packages.

      Upgrade the kernel to fix a security hole. The default Red Hat 8.0 system kernel (2.4.18-14, which you can check - with uname -a) has several security problems. Download the new kernel, install it, and reboot.

      [root@yourserver root]# cd /tmp
      -[root@yourserver tmp]# wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
      +          with uname -a) has several security problems.  Download the new kernel, install it, and reboot.

      [root root]# cd /tmp
      +[root tmp]# wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
       --20:39:00--  http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
                  => `kernel-2.4.18-27.7.x.i686.rpm'
       Resolving updates.redhat.com... done.
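Review bot: The wget line in this hunk (@@ -167,15) fetches kernel-2.4.18-27.7.x.i686.rpm from the /7.1/ tree of updates.redhat.com, while the paragraph just above it says the system is Red Hat 8.0 with kernel 2.4.18-14. The path and the package name both point at the 7.x series, so either the text or the URL should be corrected to match the release the guide actually installs. The download is also over plain http, and since this revision rewrites these lines anyway, this is the place to add a step that checks the package before it is installed. Separately, "can still download" is missing its subject ("you can still download").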
      @@ -191,13 +191,13 @@
       warning: kernel-2.4.18-27.7.x.i686.rpm: V3 DSA signature: NOKEY, key ID db42a60e
       Preparing...                ########################################### [100%]
          1:kernel                 ########################################### [100%]
      -[root@yourserver tmp]# reboot
      +[root tmp]# reboot
       
       Broadcast message from root (pts/0) (Sat May  3 20:46:39 2003):
       
       The system is going down for reboot NOW!
      -[root@yourserver tmp]#
      -
      cd /tmp
      +[root tmp]#
      +cd /tmp
       wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
       rpm -Uvh kernel-2.4.18-27.7.x.i686.rpm
      -reboot
    View comments on this page at openacs.org
    +reboot
  • View comments on this page at openacs.org
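Review bot: In the @@ -87,13 hunk the two package lists are removed and re-added with their typos intact: "uncheckisdn4k-utils" is missing a space, and "(required for the photo-album packages," never closes its parenthesis. Since every line of the list is touched by this revision, fix both in the source the HTML is generated from. The entry "uncheck pam-devel (I don't remember why, but we don't want this)" should either state a reason or be dropped; a hardening guide should not ask readers to remove a package on an unexplained basis.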
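Review bot: The context of the @@ -110,7 hunk tells the reader to install patches with "rpm -UVH", but rpm options are case-sensitive and the kernel step later in the same file uses "rpm -Uvh". Make the earlier instruction match the later one so that a reader typing it literally gets an upgrade with verbose and hash-mark output and not an error.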
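Review bot: In the @@ -148,15 hunk, and again in @@ -110,7, @@ -167,15 and @@ -191,13, every changed prompt goes from "[root@yourserver root]#" to "[root root]#" (and "[remadmin@yourserver remadmin]$" to "[remadmin remadmin]$"), dropping the "@yourserver" part. The surrounding text still refers to yourserver ("yourserver login: root", "ssh'ing to yourserver"), and "[root root]#" is not a prompt a reader will ever see, so this looks like a side effect of regenerating the HTML, for instance a filter treating user@host as an address, and not an intended edit. Suggest fixing the generation step and restoring the original prompts; the remaining changed lines in these hunks appear to differ only in whitespace or markup.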
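Review bot: The transcript kept as context in the last hunk (@@ -191,13) shows "warning: kernel-2.4.18-27.7.x.i686.rpm: V3 DSA signature: NOKEY, key ID db42a60e", so the documented procedure installs a kernel whose signature was never checked because the signing key was not in the rpm keyring. For a step whose whole purpose is closing a security hole, the guide should have the reader import Red Hat's package signing key and run "rpm --checksig" on the downloaded file before "rpm -Uvh", and the sample output should show a successful verification and not the NOKEY warning.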