The Perfect Server - Fedora 11 x86_64 [ISPConfig 2] - Page 3

4 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.0.100           server1.example.com server1

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

It is important that you add a line for server1.example.com and remove server1.example.com and server1 from the 127.0.0.1 line.

 

5 Disable SELinux

SELinux is a security extension of Fedora that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only SELinux was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted - Targeted processes are protected,
#       mls - Multi Level Security protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system:

reboot

 

6 Install Some Software

Next we update our existing packages on the system:

yum update

Now we install some software packages that are needed later on:

yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++

 

7 Quota

(If you have chosen a different partitioning scheme than I did, you must adjust this chapter so that quota applies to the partitions where you need it.)

To install quota, we run this command:

yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/mapper/vg_server1-lv_root):

vi /etc/fstab

#
# /etc/fstab
# Created by anaconda on Wed Jun 10 16:05:26 2009
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or vol_id(8) for more info
#
UUID=8a6c1f40-1948-429d-873e-c1bead3ccbea /boot                   ext3    defaults        1 2
/dev/mapper/vg_server1-lv_root /                       ext4    defaults,usrquota,grpquota        1 1
/dev/mapper/vg_server1-lv_swap swap                    swap    defaults        0 0
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  defaults        0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0

Then run

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

to enable quota.

 

8 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot

Next, we change a few permissions:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot

Then we open /etc/sysconfig/named and add the following line to tell BIND that it's running chrooted in /var/named/chroot:

vi /etc/sysconfig/named

[...]
ROOTDIR="/var/named/chroot"

Then we create the system startup links for BIND:

chkconfig --levels 235 named on

We don't start BIND now because it will fail because of a missing /var/named/chroot/etc/named.conf. This will be created later on by ISPConfig (if you use ISPConfig's DNS Manager, that is).

Share this page:

5 Comment(s)

Add comment

Comments

From: stroem at: 2009-06-18 10:31:59

"but should apply to the 32-bit version with very little modifications as well"

Falko , please ,  which are modifications?

I am new in linux world!

 

From: at: 2009-09-19 19:33:03

Are we supposed to install a desktop environment like KDE or Gnome?

I am very new to linux and i am trying to learn as much as i can.

From: Anonymous at: 2009-08-09 16:24:21

You might want to explain where and why you are using that nameserver ip.

 

From: Thierry at: 2009-06-15 07:00:29

Hi,

 Reading through this tutorial I find extremely worrying from a security standpoint the following lines:

 chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/

The last one especially. This is creating a wide hole in your system

From: DudeOfX at: 2009-11-29 14:01:08

 I'd like some elaboration on the issue Thierry brought up. I am following instructions like a drone cause I don't know much of the dynamics of how the DNS server works, but I don't understand why does the public need to go into those directories and specially why do they need write access to /var/named/chroot/var/run/named/