Index: openacs-4/packages/acs-core-docs/www/install-redhat.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/install-redhat.html,v diff -u -r1.44 -r1.45 --- openacs-4/packages/acs-core-docs/www/install-redhat.html 25 Apr 2018 08:38:27 -0000 1.44 +++ openacs-4/packages/acs-core-docs/www/install-redhat.html 3 Sep 2024 15:37:32 -0000 1.45 @@ -1,31 +1,17 @@ -
This section takes a blank PC and sets up some supporting +
This section takes a blank PC and sets up some supporting software. You should do this section as-is if you have a machine you can reformat and you want to be sure that your installation works and is secure; it should take about an hour. (In my experience, it's almost always a net time savings of several hours to install a new machine from scratch compared to installing each - of these packages installed independently.)
- -The installation guide assumes you have:
-A PC with hard drive you can reinstall
-Red Hat 8.0 or 9.0 install discs
-A CD with the current Security - Patches for your version of Red Hat.
-The installation guide assumes that you can do the following on + of these packages installed independently.)
The installation guide assumes you have:
A PC with hard drive you can reinstall
Red Hat 8.0 or 9.0 install discs
A CD with the current Security + Patches for your version of Red Hat.
The installation guide assumes that you can do the following on your platform: -
- -+
Adding users, groups, setting passwords
(For Oracle) Starting an X server and running an X program remotely
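Review bot: the 2024 revision still tells the reader to obtain "Red Hat 8.0 or 9.0 install discs" and "A CD with the current Security Patches for your version of Red Hat"; both releases have been out of support for two decades, so this hunk should add a prominent note that the procedure targets an unsupported OS (or a pointer to the current install page) rather than only reflowing the markup. Minor: the retained sentence "compared to installing each of these packages installed independently" still has the doubled "installing ... installed"; drop the second "installed".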
@@ -34,83 +20,65 @@
mv, and cd
Compiling a program using ./config and make. -
+
You can complete this install without the above knowledge, but if anything goes wrong it may take extra time to understand and correct the problem. Some useful UNIX resources. -
- -Unplug the network cable from your +
Unplug the network cable from your computer. We don't want to connect to the network until we're sure the computer is secure. - + (Wherever you see the word secure, you should always read it as, "secure enough for our purposes, given the amount of work we're willing to exert and the estimated risk and - consequences.")
-Insert Red Hat 8.0 or 9.0 Disk 1 into the + consequences.")
Insert Red Hat 8.0 or 9.0 Disk 1 into the CD-ROM and reboot the computer
At the
- boot:
+ boot:
prompt, press Enter for a
graphical install. The text install is fairly different, so
if you need to do that instead proceed with caution, because
the guide won't match the steps.
Checking the media is probably a waste of time, so when it asks press Tab and - then Enter to skip it.
After the graphical introduction page loads, click
Choose the language you want to use and then click
-
-
Select the keyboard layout you will use and Click
Choose your mouse type and Click
Red Hat has several templates for new + then Enter to skip it.
After the graphical introduction page loads, click
Choose the language you want to use and then click
+
+
Select the keyboard layout you will use and Click
Choose your mouse type and Click
Red Hat has several templates for new
computers. We'll start with the "Server" template and then
fine-tune it during the rest of the install. Choose
- Server
+ Server
and click
- .
Reformat the hard drive. If you know what you're doing,
+ .
Reformat the hard drive. If you know what you're doing, do this step on your own. Otherwise: we're going to let the installer wipe out the everything on the main hard drive and then arrange things to - its liking.
-Choose Automatically Partition
- and click
Uncheck
-Review (and modify if needed) the partitions created
and click
On the pop-up window asking "Are you sure + its liking.
Choose Automatically Partition
+ and click
Uncheck
+Review (and modify if needed) the partitions created
and click
On the pop-up window asking "Are you sure
you want to do this?" click
-
- IF YOU ARE WIPING YOUR HARD DRIVE.
Click on the boot loader screen
Configure Networking.
+
+ IF YOU ARE WIPING YOUR HARD DRIVE.
Click on the boot loader screen
Configure Networking. Again, if you know what you're doing, do this step yourself, being sure to note the firewall holes. Otherwise, - follow the instructions in this step to set up a computer directly connected to the internet with a dedicated IP address.
-DHCP is a system by which a computer that + follow the instructions in this step to set up a computer directly connected to the internet with a dedicated IP address.
DHCP is a system by which a computer that
joins a network (such as on boot) can request a temporary IP address
and other network information. Assuming the machine has a dedicated
IP address (if it doesn't, it will be tricky to access the OpenACS
service from the outside world), we're going to set up that address.
If you don't know your netmask, 255.255.255.0 is usually a pretty safe
-guess. Click , uncheck
Configure using DHCP
-and type in your IP and netmask. Click .
Type in your host
-name, gateway, and DNS server(s). Then click .
We're going to use the firewall template for high
+guess. Click , uncheck
Configure using DHCP
+and type in your IP and netmask. Click .
Type in your hostname, gateway, and DNS server(s). Then click .
We're going to use the firewall template for high
security, meaning that we'll block almost all incoming traffic. Then
we'll add a few holes to the firewall for services which we need and
-know are secure. Choose High
+know are secure. Choose High
security level. Check
-WWW
,
-SSH
, and
-Mail (SMTP)
. In the Other ports
+WWW
,
+SSH
, and
+Mail (SMTP)
. In the Other ports
box, enter 443, 8000, 8443
. Click
-.
-Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.
Select any additional languages you want the
+.
+Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.
Select any additional languages you want the
computer to support and then click
-
Choose your time zone and click .
Type in a root -password, twice.
-On the Package selection page, we're going to
+
Choose your timezone and click .
Type in a root +password, twice.
On the Package selection page, we're going to uncheck a lot of packages that install software we don't need, and add packages that have stuff we do need. You should install everything we're installing here or the guide may not work for you; you can @@ -119,79 +87,54 @@ risk that's still screened by the firewall, or a resource hog. Just don't install a database or web server, because that would conflict with the database and web server we'll install later. -
At the bottom, check Select Individual Packages
and click
We need to fine-tune the exact list of packages. +
At the bottom, check Select Individual Packages
and click
We need to fine-tune the exact list of packages.
The same rules apply as in the last step - you can add more stuff, but
you shouldn't remove anything the guide adds. We're going to go
through all the packages in one big list, so select
-Flat
-View
and wait. In a minute, a
-list of packages will appear.
Red Hat isn't completely happy with the combination
+Flat
+View
and wait. In a minute, a
+list of packages will appear.
Red Hat isn't completely happy with the combination
of packages we've selected, and wants to satisfy some dependencies.
Don't let it. On the next screen, choose
-Ignore Package
-Dependencies
and click
-.
-
Click
-
+
Ignore Package
+Dependencies
and click
+.
+
Click
+
to start the copying of files.
Wait. Insert Disk 2 when asked.
Wait. Insert Disk 3 when asked.
If you know how to use it, create a boot
disk. Since you can also boot into recovery mode with the
Install CDs, this is less useful than it used to be, and we
- won't bother. Select No,I do not want to create a boot disk
and click .
Click Exit
, remove the CD, and watch the
+ won't bother. Select No,I do not want to create a boot disk
and click .
Click Exit
, remove the CD, and watch the
computer reboot.
-
After it finishes rebooting and shows the login - prompt, log in:
-yourserver login: root
+
After it finishes rebooting and shows the login + prompt, log in:
yourserver login: root
Password:
-[root root]#
- Install any security patches. For example, insert your CD with +[root root]#
Install any security patches. For example, insert your CD with
patches, mount it with mount
/dev/cdrom
, then cd
/mnt/cdrom
, then rpm -UVH
*rpm
. Both Red Hat 8.0 and 9.0 have had both
kernel and openssl/openssh root exploits, so you should be
upgrading all of that. Since you are upgrading the kernel,
reboot after this step.
-
Lock down SSH
-Lock down SSH
+ SSH is the protocol we use to connect securely to the computer (replacing telnet, which is insecure). sshd is the daemon that listens for incoming ssh connections. As a security precaution, we are now going to tell ssh not to allow anyone to connect directly to this computer as root. Type this into the shell: -
-emacs /etc/ssh/sshd_config
- Search for the word "root" by typing C-s
(that's emacs-speak for control-s) and then root
.
Make the following changes:
-#Protocol 2,1 to
+
Search for the word "root" by typing Make the following changes:
Restart sshd so that the change takes effect.
-
+ (this blocks passwordless accounts) and save and exit by typing |
Restart sshd so that the change takes effect.
service sshd restart
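Review bot: the rewritten "Lock down SSH" step no longer names the file to edit or the settings to change. The removed lines carried `emacs /etc/ssh/sshd_config`, the `C-s` / `root` search keystrokes and the start of the directive list (`#Protocol 2,1 to`), while the added lines read "Search for the word "root" by typing Make the following changes:" and "save and exit by typing |" with nothing in between, and "Restart sshd so that the change takes effect." now appears twice. Restore the path, the search keys, and the full list of directives (the text promises to deny direct root login and to block passwordless accounts, so the reader needs the exact `sshd_config` lines for both), and delete the duplicate restart sentence.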
Red Hat still installed a few services we don't need, and which can be security holes. Use the service command to turn them off, and then use chkconfig to automatically edit the @@ -202,29 +145,22 @@ which services should be up and down at any given service level. We'll use this system for PostgreSQL, but we'll use daemontools to perform a similar function for AOLserver. - (The reason for these discrepencies is that, while daemontools + (The reason for these discrepancies is that, while daemontools is better, it's a pain in the ass to deal with and nobody's had any trouble leaving PostgreSQL the way it is.) -
-[root root]#service pcmcia stop
+[root root]#-service pcmcia stop
[root root]#service netfs stop
[root root]#chkconfig --del pcmcia
[root root]#chkconfig --del netfs
[root root]# -service pcmcia stop +service pcmcia stop service netfs stop chkconfig --del pcmcia -chkconfig --del netfsIf you installed PostgreSQL, do also -
-service postgresql start
andchkconfig --add postgresql
.
Plug in the network cable.
-Verify that you have connectivity by going to another +chkconfig --del netfs
If you installed PostgreSQL, do also
+service postgresql start
and chkconfig --add postgresql
.
Plug in the network cable.
Verify that you have connectivity by going to another
computer and ssh'ing to
- yourserver
, logging in as
- remadmin, and promoting yourself to root:
[joeuser@someotherserver]$ssh
+ yourserver, logging in as + remadmin, and promoting yourself to root:remadmin@yourserver.test
[joeuser@someotherserver]$-ssh remadmin@yourserver.test
The authenticity of host 'yourserver.test (1.2.3.4)' can't be established. DSA key fingerprint is 10:b9:b6:10:79:46:14:c8:2d:65:ae:c1:61:4b:a5:a5. Are you sure you want to continue connecting (yes/no)?yes
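Review bot: the connectivity test shows the reader answering `yes` to "The authenticity of host 'yourserver.test (1.2.3.4)' can't be established ... Are you sure you want to continue connecting" without checking the fingerprint; for a guide whose premise is "we don't want to connect to the network until we're sure the computer is secure", add a sentence telling the reader to compare that fingerprint against the one read from the server console before accepting it, and note that the sample still shows a DSA host key. Minor: the `+` line that moves `remadmin@yourserver.test` ahead of the `[joeuser@someotherserver]$` prompt makes the transcript read as if the argument precedes the command; check the rendered output.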
@@ -233,16 +169,12 @@ Last login: Mon Mar 3 21:15:27 2003 from host-12-01.dsl-sea.seanet.com [remadmin remadmin]$su -
Password: -[root root]#
If you didn't burn a CD of patches and use it, can still +[root root]#
If you didn't burn a CD of patches and use it, can still download and install the necessary patches. Here's how to do it for the kernel; you should also check for other - critical packages.
-Upgrade the kernel to fix a security hole. The default + critical packages.
Upgrade the kernel to fix a security hole. The default
Red Hat 8.0 system kernel (2.4.18-14, which you can check
- with uname -a
) has several security problems. Download the new kernel, install it, and reboot.
[root root]#cd /var/tmp
+ withuname -a
) has several security problems. Download the new kernel, install it, and reboot.[root root]#-cd /var/tmp
[root tmp]#wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
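Review bot: the added line "If you didn't burn a CD of patches and use it, can still download" is missing its subject ("you can still download"). More importantly, the kernel update it introduces fetches the RPM over plain http from a `7.1/` path on a system the text identifies as Red Hat 8.0 (kernel 2.4.18-14) and installs it with `rpm -Uvh` and no signature check; add `rpm -K` (or `--checksig`) on the downloaded file before installing, and use `rpm -ivh` rather than `-Uvh` for a kernel so the previous kernel remains bootable if the new one fails.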
--20:39:00-- http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm => `kernel-2.4.18-27.7.x.i686.rpm' @@ -265,10 +197,7 @@ The system is going down for reboot NOW! [root tmp]# -cd /var/tmp +cd /var/tmp wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm rpm -Uvh kernel-2.4.18-27.7.x.i686.rpm -reboot
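Review bot: the copy-and-paste summary at the end of this hunk drops `reboot` (the `-reboot` line has no `+` counterpart) while the prose above still says "install it, and reboot" and the transcript ends with "The system is going down for reboot NOW!"; either restore `reboot` to the summary or state explicitly that the reboot is left to the reader.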