The Perfect Server - Fedora 10 - Page 3

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Submitted by falko (Contact Author) (Forums) on Wed, 2008-11-26 20:19. ::

4 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
192.168.0.100           server1.example.com server1
::1             localhost6.localdomain6 localhost6

It is important that you add a line for server1.example.com and remove server1.example.com and server1 from the 127.0.0.1 line.

 

5 Configure The Firewall

(You can skip this chapter if you have already disabled the firewall at the end of the basic system installation.)

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable the default Fedora firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the Fedora firewall).

Run

system-config-firewall

and disable the firewall.

To check that the firewall has really been disabled, you can run

iptables -L

afterwards. The output should look like this:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server1 ~]#

 

6 Disable SELinux

SELinux is a security extension of Fedora that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

 

7 Install Some Software

Next we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++

 

8 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):

vi /etc/fstab

#
# /etc/fstab
# Created by anaconda on Wed Nov 26 16:56:06 2008
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or vol_id(8) for more info
#
/dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota        1 1
UUID=41be1fc5-8b1a-456d-9fb9-cd0f5d764f36 /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

Then run

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

to enable quota.

 

9 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot

Next, we change a few permissions and start BIND:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
chkconfig --levels 235 named on
/etc/init.d/named start

BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

up

Copyright © 2008 Falko Timme
All Rights Reserved.
add comment | view as pdf view as pdf | print: this | all page(s) |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
SELinux
Submitted by burschik (registered user) on Fri, 2009-06-05 06:42.
I admire your work, but I would not use a HOWTO that recommends making the operating system far less secure by disabling SELinux.
reply | view as pdf view as pdf
Re: SELinux
Submitted by leimeisei (registered user) on Fri, 2009-07-24 02:45.

SELinux is a terrible feature that has absolutely no place in a dedicated server. In my opinion it was meant for the increased number of home users using linux nowadays, but I spent 4 days trying to figure out why a forum on my new Fedora 9 server couldn't upload images, even though I had properly chown'd the upload directory and everything. After I found out it was SELinux, I promptly disabled it.

 Servers running UNIX were fine for decades with an absence of SELinux. As long as you know how to do crap right, you don't need it.

reply | view as pdf view as pdf
Re: Re: SELinux
Submitted by topdog (registered user) on Fri, 2009-07-24 17:26.

I do not agree, just because you do not know how to use it does not make it crap. Selinux is quite useful and has been know to secure servers that would otherwise have been compromised due to software vulnerabilities.


reply | view as pdf view as pdf
Sponsored Links: Unified Communications: Thoughts, Strategies and Predictions
Join the discussion.
www.seamlessenterprise.com

IP Convergence
Integrate your wireless and wireline networks.
Learn how from the experts at Sprint.
www.seamlessenterprise.com

Wireless & Wireline Integration
Thoughts, strategies and solutions: join the discussion
www.seamlessenterprise.com

Unified Communications 2009
Join the Discussion. Now.
www.seamlessenterprise.com