The Perfect Server - Fedora 10 - Page 3

4 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
192.168.0.100           server1.example.com server1
::1             localhost6.localdomain6 localhost6

It is important that you add a line for server1.example.com and remove server1.example.com and server1 from the 127.0.0.1 line.
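
The check below is an added example, not part of the original tutorial: it confirms that the host name is mapped to the LAN address and no longer appears on a loopback line. The function names check_hosts and check_hosts_text and the sample strings are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): check the /etc/hosts layout from step 4.
# check_hosts FILE FQDN IP
#   exit 0: FQDN is mapped to IP and appears on no loopback line
#   exit 1: FQDN is listed on a 127.x.x.x or ::1 line
#   exit 2: FQDN is not mapped to IP at all
check_hosts() {
    awk -v fqdn="$2" -v ip="$3" '
        { sub(/#.*/, "") }                 # drop comments
        NF < 2 { next }                    # need an address and a name
        {
            for (i = 2; i <= NF; i++) {
                if ($i != fqdn) continue
                if ($1 ~ /^127\./ || $1 == "::1") loop = 1
                else if ($1 == ip) good = 1
            }
        }
        END {
            if (loop)  { print "FAIL: " fqdn " is on a loopback line"; exit 1 }
            if (!good) { print "FAIL: " fqdn " is not mapped to " ip; exit 2 }
            print "OK: " fqdn " -> " ip
        }
    ' "$1"
}

# Constructed samples: the layout from the tutorial, and a layout with the
# host name still on the 127.0.0.1 line (the state the tutorial removes).
HOSTS_GOOD='127.0.0.1               localhost.localdomain localhost
192.168.0.100           server1.example.com server1
::1             localhost6.localdomain6 localhost6'
HOSTS_BAD='127.0.0.1   server1.example.com server1 localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6'

check_hosts_text() {   # same check on a string instead of a file
    printf '%s\n' "$1" | check_hosts - "$2" "$3"
}

check_hosts_text "$HOSTS_GOOD" server1.example.com 192.168.0.100
check_hosts_text "$HOSTS_BAD"  server1.example.com 192.168.0.100 || true
```

On the server itself, run check_hosts /etc/hosts server1.example.com 192.168.0.100.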

 

5 Configure The Firewall

(You can skip this chapter if you have already disabled the firewall at the end of the basic system installation.)

I want to install ISPConfig at the end of this tutorial, which comes with its own firewall. That's why I disable the default Fedora firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the Fedora firewall).

Run

system-config-firewall

and disable the firewall.

To check that the firewall has really been disabled, you can run

iptables -L

afterwards. The output should look like this:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@server1 ~]#
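
Instead of comparing the listing by eye, the output can be summarised by a script. This is an added example, not part of the original tutorial; the function name fw_state and the second sample listing are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial): summarise `iptables -L` output.
# fw_state reads the listing on stdin, prints "<chain> <policy> <rules>" per
# chain, and returns 0 only when every chain is "policy ACCEPT" with no rules
# (the disabled state shown above). A user-defined chain has no policy field
# and is therefore reported as filtering.
fw_state() {
    awk '
        /^Chain / {
            chain = $2; pol = $4; sub(/\)$/, "", pol)
            if ($3 != "(policy") pol = "user-defined"
            policy[chain] = pol; rules[chain] = 0; order[++n] = chain
            next
        }
        /^target[ \t]/ || NF == 0 { next }    # column header or blank line
        chain != "" { rules[chain]++ }        # anything else is a rule
        END {
            bad = (n == 0)                    # no chains parsed: not a listing
            for (i = 1; i <= n; i++) {
                c = order[i]
                print c, policy[c], rules[c]
                if (policy[c] != "ACCEPT" || rules[c] > 0) bad = 1
            }
            exit bad
        }
    '
}

# Constructed samples: the empty listing from the tutorial, and a listing
# with a default-drop policy and one SSH rule.
FW_DISABLED='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
FW_ENABLED='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

printf '%s\n' "$FW_DISABLED" | fw_state
printf '%s\n' "$FW_ENABLED"  | fw_state || true
```

On the server, run iptables -L -n | fw_state; a non-zero exit status means packet filtering is still active in at least one chain.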

 

6 Disable SELinux

SELinux is a security extension of Fedora that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of troubleshooting because some service wasn't working as expected, and then you find out that everything was OK, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

 

7 Install Some Software

Next we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++

 

8 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):

vi /etc/fstab

#
# /etc/fstab
# Created by anaconda on Wed Nov 26 16:56:06 2008
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or vol_id(8) for more info
#
/dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota        1 1
UUID=41be1fc5-8b1a-456d-9fb9-cd0f5d764f36 /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0

Then run

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

to enable quota.

 

9 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot

Next, we change a few permissions and start BIND:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
chkconfig --levels 235 named on
/etc/init.d/named start

BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).
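
The chmod 777 above leaves /var/named/chroot/var/run/named/ writable by every local account, so it is worth listing the resulting modes. The audit below is an added example, not part of the original tutorial; the function names audit_dirs and make_sample_tree are made up here, and the sample tree is a constructed stand-in for /var/named.

```shell
#!/bin/sh
# Added example (not from the tutorial): list the directory modes that result
# from the chmod commands above and flag world-writable ones.
# audit_dirs ROOT prints "<flag> <octal-mode> <path>" for each directory under
# ROOT; flag is WARN for world-writable without the sticky bit, else "ok".
# Returns 1 if any WARN line was printed. Assumes `stat -c` (Linux).
audit_dirs() {
    find "$1" -type d -exec stat -c '%a %n' {} + | sort -k2 | awk '
        {
            mode = $1; path = substr($0, length($1) + 2)
            ww     = int(substr(mode, length(mode), 1) / 2) % 2   # o+w bit
            sticky = length(mode) == 4 && substr(mode, 1, 1) % 2  # t bit
            flag = (ww && !sticky) ? "WARN" : "ok"
            if (flag == "WARN") bad = 1
            print flag, mode, path
        }
        END { exit bad + 0 }
    '
}

# Constructed stand-in for /var/named: same layout and modes as the
# commands above, built in a temporary directory so no root is needed.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/chroot/var/named" "$t/chroot/var/run/named"
    chmod 755 "$t"
    chmod 775 "$t/chroot" "$t/chroot/var" "$t/chroot/var/named" "$t/chroot/var/run"
    chmod 777 "$t/chroot/var/run/named"
    # The tutorial's symlink; find does not follow it, so there is no loop.
    ln -s ../../ "$t/chroot/var/named/chroot"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
audit_dirs "$tree" || true
rm -rf "$tree"
```

On the server, run audit_dirs /var/named and review every WARN line once BIND is running.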


Comments

From: at: 2009-06-05 05:42:04

I admire your work, but I would not use a HOWTO that recommends making the operating system far less secure by disabling SELinux.

From: at: 2009-07-24 01:45:49

SELinux is a terrible feature that has absolutely no place in a dedicated server. In my opinion it was meant for the increased number of home users using linux nowadays, but I spent 4 days trying to figure out why a forum on my new Fedora 9 server couldn't upload images, even though I had properly chown'd the upload directory and everything. After I found out it was SELinux, I promptly disabled it.

 Servers running UNIX were fine for decades with an absence of SELinux. As long as you know how to do crap right, you don't need it.

From: at: 2009-07-24 16:26:27

I do not agree, just because you do not know how to use it does not make it crap. SELinux is quite useful and has been known to secure servers that would otherwise have been compromised due to software vulnerabilities.


From: Anonymous at: 2009-05-08 22:44:16

I think you forgot flex

From: Anonymous at: 2009-05-06 11:30:25

After following the procedure... After quitting the configuration with firewall, network, and others (blue screen with lists of configuration) and then rebooting, it came up with a black screen with logon which I didn't input any of my username yet??

From: Léonce at: 2009-11-01 06:59:59

Hi!

I have the same problem. I've finished the install steps and decided to reboot my computer.

And was really surprised that I can't log in. Nothing. I've tried to enter command mode (Ctrl+Alt+F2) successfully.

But I'd rather know how to log in with the GUI, because I want to configure the ISPConfig.

So I hope that you finally found a solution.

I'd be pleased if you could help.

From: Anonymous at: 2009-03-23 18:11:03

Hi,

I just finished all the steps from the 'fedora the perfect server' guide (except ispconfig), and I got the message '[warn] NameVirtualHost *:80 has no VirtualHosts'.

I cannot start apache through the service HTTP restart or stop/start, and I don't really know what I should do.

Any advice? Thanks

From: Terry Jennings at: 2008-12-03 15:47:28

Warning: Most servers would likely be using SCSI disks or RAID arrays.  Fedora 10 currently has bugs that make these configurations either difficult or impossible to use.  See these two threads:

From: Anonymous at: 2008-12-04 03:21:04

Wrong path to mysql daemon start stop script! Should be /etc/rc.d/init.d/mysqld instead of /etc/init.d/mysqld/ which is where you will find this on Debian based systems.

From: admin at: 2008-12-07 00:43:44

/etc/init.d is a symlink to /etc/rc.d/init.d so both are working.

From: Anonymous at: 2008-12-06 23:54:00

Disabling iptables and selinux is downright stupid and negligent.  The rest of the guide is mostly nonsense.

From: admin at: 2008-12-07 00:44:50

Can you give me some reasons, or are you just having a bad day?

From: at: 2009-01-06 11:36:26

Hi

How can I run or use the run command? I am in the Fedora desktop?

From: at: 2009-01-12 18:50:07

########## MAIL SERVER ##########

Checking for MTA...
./setup2: line 439: which: ??????? ?? ???????
./setup2: line 439: which: ??????? ?? ???????
ERROR: Your system configuration is not compatible with ISPConfig! The installation routine stops here!

 

=(

From: papalozarou at: 2009-03-07 21:01:01

You need to install which - yum install which. After that everything should run okay, but you need to delete the install_ispconfig folder (rm -Rf install_ispconfig) first and untar it again.

From: at: 2009-01-13 12:48:21

Hello! I've successfully installed Fedora10 server, ISPConfig2 and some extensions: php-ffmpeg, memcached, locale. It's working in terminal but not the Web. The CMS cannot find the ffmpeg dir, memcached cannot be configured (not available). The same problem in Ubuntu 8.10 too. What should I do?

From: at: 2009-02-10 14:24:06

I have done the perfect setup for Core 10 a couple of times lately over a basic install of Fedora Core 8 upgraded to 9 and then to 10 with yum. 

In both cases, mod_ssl was not installed along the way.  Simple fix: 

yum install mod_ssl

Anyway, was wondering at first why no https...  and that was the problem.

 

From: DTR at: 2009-06-21 12:47:17

If you want ssl to work you must have mod_ssl

yum install mod_ssl