4 Change Name Of Your NIC To ethx

Now we must configure Fedora to not use BIOS device names for our network interface anymore. Instead of p3p1, we need our good, old eth0 back (because otherwise ISPConfig's firewall will go crazy and block everything because it expects eth0 instead of p3p1). Open /etc/grub.conf...

vi /etc/grub.conf

... and add biosdevname=0 to the kernel line:

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/mapper/vg_server1-lv_root
#          initrd /initrd-[generic-]version.img
#boot=/dev/sda
default=0
timeout=0
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.38.6-27.fc15.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.38.6-27.fc15.x86_64 ro root=/dev/mapper/vg_server1-lv_root rd_LVM_LV=vg_server1/lv_root rd_LVM_LV=vg_server1/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=de rhgb quiet biosdevname=0
        initrd /initramfs-2.6.38.6-27.fc15.x86_64.img

Then reboot the system:

reboot

After the reboot, your NIC should be named eth0. Run...

ifconfig

... to verify:

[root@server1 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:15:60:FA
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe15:60fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5226 (5.1 KiB)  TX bytes:9682 (9.4 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:100 (100.0 b)  TX bytes:100 (100.0 b)

[root@server1 ~]#

5 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.0.100   server1.example.com     server1

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

It is important that you add a line for server1.example.com and remove server1.example.com and server1 from the 127.0.0.1 line.

6 Configure The Firewall

(You can skip this chapter if you have already disabled the firewall at the end of the basic system installation.)

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable the default Fedora firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the Fedora firewall).

Run

system-config-firewall

and disable the firewall.

To check that the firewall has really been disabled, you can run

iptables -L

afterwards. The output should look like this:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server1 ~]#

7 Disable SELinux

SELinux is a security extension of Fedora that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

8 Install Some Software

First we import the GPG keys for software packages:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

Next we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++

9 Journaled Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

yum install quota

Edit /etc/fstab and add ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the / partition (/dev/mapper/vg_server1-lv_root):

vi /etc/fstab

#
# /etc/fstab
# Created by anaconda on Wed May 25 15:57:24 2011
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/vg_server1-lv_root /                       ext4    defaults,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0        1 1
UUID=366ba6a7-7e68-4ec9-9743-4b02dd105180 /boot                   ext4    defaults        1 2
/dev/mapper/vg_server1-lv_swap swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0

Then run

mount -o remount /

quotacheck -avugm
quotaon -avug

to enable quota.

10 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot

Next, we change a few permissions:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot

Then we open /etc/sysconfig/named and make sure that it has the following line to tell BIND that it's running chrooted in /var/named/chroot:

vi /etc/sysconfig/named

[...]
ROOTDIR=/var/named/chroot

Next open /etc/rsyslog.conf...

vi /etc/rsyslog.conf

... and add the line $AddUnixListenSocket /var/named/chroot/dev/log to it:

[...]
$AddUnixListenSocket /var/named/chroot/dev/log

Restart rsyslog:

/etc/init.d/rsyslog restart

Then we create the system startup links for BIND:

chkconfig --levels 235 named on

We don't start BIND now because it will fail because of a missing /var/named/chroot/etc/named.conf. This will be created later on by ISPConfig (if you use ISPConfig's DNS Manager, that is).