The Perfect Server - OpenSUSE 11.2 x86_64 [ISPConfig 3] - Page 3

4 Configure the Network settings

We use Yast, the OpenSuSE system management tool, to reconfigure the network card settings. After the first boot, the system is configured to get its IP address via DHCP. For a server, we will switch it to a static IP address.

Run

yast2

Select Network Devices > Network Settings:

Select your network card and then Edit:

Select Statically assigned IP Address and enter the IP address, subnet mask and hostname and save the changes by selecting Next:

Now select Hostname/DNS and enter the hostname (e.g. server1.example.com) and nameservers (e.g. 145.253.2.75 and 213.191.92.86):

Now select Routing and enter the default gateway and hit OK:

To configure the firewall (in case you didn't configure it during the basic installation), select Security and Users > Firewall in Yast:

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable the default OpenSUSE firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the OpenSUSE firewall).

Select Disable Firewall Automatic Starting and Stop Firewall Now, then hit Next:

Hit Finish and leave Yast:

5 Install updates

Now we install the latest updates from the openSUSE repositories. Run

zypper update

And then reboot the server as you most likely installed some kernel updates, too:

reboot

6 Journaled Quota

To install quota, run

yast2 -i quota

Edit /etc/fstab to look like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the mountpoints / and /srv):

vi /etc/fstab

/dev/sda1            swap                 swap       defaults              0 0
/dev/sda2            /                    ext4       acl,user_xattr,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0        1 1
/dev/sda3            /srv                 ext4       acl,user_xattr,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0        1 2
proc                 /proc                proc       defaults              0 0
sysfs                /sys                 sysfs      noauto                0 0
debugfs              /sys/kernel/debug    debugfs    noauto                0 0
devpts               /dev/pts             devpts     mode=0620,gid=5       0 0

Then run:

touch /aquota.user /aquota.group
chmod 600 /aquota.*
touch /srv/aquota.user /srv/aquota.group
chmod 600 /srv/aquota.*

mount -o remount /
mount -o remount /srv

quotacheck -avugm
quotaon -avug

Don't be worried if you see these error messages - they are normal when you run quotacheck for the first time:

server1:~ # quotacheck -avugm
quotacheck: WARNING - Quotafile //aquota.user was probably truncated. Cannot save quota settings...
quotacheck: WARNING - Quotafile //aquota.group was probably truncated. Cannot save quota settings...
quotacheck: Scanning /dev/sda2 [/] done
quotacheck: Checked 4670 directories and 51529 files
quotacheck: WARNING - Quotafile /srv/aquota.user was probably truncated. Cannot save quota settings...
quotacheck: WARNING - Quotafile /srv/aquota.group was probably truncated. Cannot save quota settings...
quotacheck: Scanning /dev/sda3 [/srv] done
quotacheck: Checked 6 directories and 2 files
server1:~ #
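
Hand-editing /etc/fstab is the step most likely to go wrong here, so the options can be added and checked on a copy first. The script below is an added example, not part of the original tutorial; the function names (has_jquota, add_jquota, quota_files_private) and the sample fstab are constructed for illustration.

```shell
# Added example (not from the tutorial): audit/patch fstab for section 6 quotas.
JQ_OPTS="usrjquota=aquota.user grpjquota=aquota.group jqfmt=vfsv0"

# has_jquota FSTAB MOUNTPOINT -> exit 0 if the entry carries all three options
has_jquota() {
    awk -v mp="$2" -v want="$JQ_OPTS" '
        BEGIN { n = split(want, w, " ") }
        $1 !~ /^#/ && $2 == mp {
            found = 1
            for (i = 1; i <= n; i++)
                if (index("," $4 ",", "," w[i] ",") == 0) missing = 1
        }
        END { exit !(found && !missing) }
    ' "$1"
}

# add_jquota FSTAB MOUNTPOINT... -> patched fstab on stdout; reruns are no-ops.
# Rewritten lines lose their column alignment (awk rejoins with one space).
add_jquota() {
    local fstab="$1"; shift
    awk -v mps="$*" -v want="$JQ_OPTS" '
        BEGIN { n = split(want, w, " "); k = split(mps, t, " ")
                for (i = 1; i <= k; i++) target[t[i]] = 1 }
        $1 !~ /^#/ && ($2 in target) {
            for (i = 1; i <= n; i++)
                if (index("," $4 ",", "," w[i] ",") == 0) $4 = $4 "," w[i]
        }
        { print }
    ' "$fstab"
}

# quota_files_private DIR -> exit 0 if both quota files exist with mode 600
quota_files_private() {
    local f
    for f in "$1/aquota.user" "$1/aquota.group"; do
        [ -f "$f" ] && [ -n "$(find "$f" -prune -perm 600)" ] || return 1
    done
}

# Constructed sample: the tutorial's layout before the quota options are added.
sample_fstab() {
    cat <<'EOF'
/dev/sda1 swap swap defaults 0 0
/dev/sda2 / ext4 acl,user_xattr 1 1
/dev/sda3 /srv ext4 acl,user_xattr 1 2
EOF
}

# Demo on a temporary copy: prints the patched fstab, never touches /etc/fstab.
tmp=$(mktemp); sample_fstab > "$tmp"; add_jquota "$tmp" / /srv; rm -f "$tmp"
```

On a real system, write the output of add_jquota to a scratch file, confirm it with has_jquota for / and /srv, and only then replace /etc/fstab and remount.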

 

7 Install some basic packages and the compilers that we need later

Run

yast2 -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico

Comments

From: z14mx at: 2010-01-29 08:09:41

7 Install some basic packages and the compilers that we need later

Run

yast2 -i findutils readline libgcc glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico

I first want to thank you for your great post, and to ask you, since I have problems: when I write that, the server says

follow packages haven't been found on the medium: db-deve1       glibc-dev1

and this is the same, thanks for your attention

yast2 -i postfix postfix-mysql mysql mysql-client courier-imap courier-authlib courier-authlib-mysql python cron cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd libmysqlclient-devel pwgen

From: Tom at: 2010-01-26 22:24:58

Hi,

at first thanks for this guideline!

I had to make the following changes in order to get things to work:

  Error (mail.log)
  ...temporary failure. Command output: /usr/bin/maildrop: Cannot set my user or group id

  Resolution
  Change user vmail via yast:
  Set home dir to /var/vmail incl. change owner option
  Lookup uid and guid of vmail in yast and set this in ispconfig accordingly
  ----
  Error
  Jan 26 14:40:02 tbonetom postfix/smtpd[26747]: warning: no entropy for TLS key generation: disabling TLS support
  Jan 26 14:45:03 tbonetom postfix/smtpd[27153]: warning: connect to private/tlsmgr: No such file or directory
  Jan 26 14:45:03 tbonetom postfix/smtpd[27153]: warning: problem talking to server private/tlsmgr: No such file or

  Resolution
  you have to uncomment
    tlsmgr unix - - n 1000? 1 tlsmgr
  in /etc/postfix/master.cf
  Restart postfix
  ----
  Error
  authentication failure (in mail.log from smtp session)
 
  Resolution
  Do not do this from the how-to:
  ..............................................................................
  Next I install the pam_mysql module from source. pam_mysql is not available
  from the main OpenSUSE repository and the package from the build service did
  not work for me.

  yast2 -i pam-devel pam-32bit pam-devel-32bit pam-modules-32bit

  cd /tmp
  wget http://heanet.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
  tar xvfz pam_mysql-0.7RC1.tar.gz
  cd pam_mysql-0.7RC1
  ./configure
  make
  make install
  rm -rf /tmp/pam_mysql-0.7RC1
  rm /tmp/pam_mysql-0.7RC1.tar.gz
  ..............................................................................
 
  BUT THIS:
  rpm -i http://download.opensuse.org/repositories/home:/buschmann23/openSUSE_11.2/x86_64/pam_mysql-0.7RC1-12.1.x86_64.rpm
  respective the most recent version. The link can be found here:
  http://software.opensuse.org/search
  Search for pam_mysql and select the x86_64 version for 64bit installations

From: Blazonj at: 2010-04-05 23:03:43

Now I install some rpm packages which are not available from the OpenSUSE main repositories.

cd /tmp
rpm -i http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/noarch/getmail-4.13.0-1.1.noarch.rpm
rpm --force -i http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/x86_64/maildrop-2.2.0-2.9.x86_64.rpm

Warnings like warning: /var/tmp/rpm-tmp.OW27Dr: Header V3 DSA signature: NOKEY, key ID 367fe7fc can be ignored.

Everything went really smoothly, with the exception of the link in the above referenced section, which is broken due to a newer version. The new link is: http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/noarch/getmail-4.16.0-1.1.noarch.rpm

Thanks for tutorial!

From: blathori at: 2010-07-14 13:39:48

Now only have this in the repositories:

http://download.opensuse.org/repositories/server:/mail/openSUSE_11.2/noarch/getmail-4.20.0-1.1.noarch.rpm

I suppose it is the same; however, it gives me a warning:

/var/tmp/rpm-tmp.qK8ilu: Header V3 DSA signature: NOKEY, key ID 367fe7fc

but that can be ignored   ;) (seek in tutorial)

From: Anonymous at: 2009-12-08 16:18:25

Hi, you state:

  * In my opinion you don't need it to configure a secure system

People are probably already looking for servers configured by you, for fun and profit, lol

  * think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem

Never heard of AppArmor complain mode? Using a technology implies being able to use that technology. AppArmor is great, and you won't spend a week troubleshooting if you know how to use it.

A "perfect" setup, in my book, includes security, especially if you're building a server which offers services to the Internet (but not only).

Your setup may be good, but quite far from perfect.

JMTC, Javier

From: Anonymous at: 2010-06-13 11:39:55

I find it very difficult to deal with AppArmor and the above configuration, because of lack of time. If AppArmor is important, could you please maybe extend this tutorial by adding an AppArmor configuration tutorial?

From: at: 2010-01-19 21:27:42

Hello all and pardon the noob, stupid questions. I need to know where one would drop this server in a 3 legged network. External Firewall, "dmz servers", internal Firewall and private network. Can someone provide a visio diagram on this complete with sample ip addresses? (ie 192.168.x.x or 10.10.x.x)

From: Anonymous at: 2010-03-09 13:58:35

To run Mydns after Mysql just add mydns to Runlevel 2.

Then you won't get any errors, like mydns can't connect to the database.

From: Anonymous at: 2010-06-13 11:42:05

This is not exactly so on OpenSUSE, but to start mydns after mysql change in mydns script this line:

From:

# Required-Start:    $syslog $remote_fs

To:

# Required-Start:    $syslog $remote_fs mysql

Then, if you have already added the service, use chkconfig --del mydns   and   chkconfig --add mydns  again. This will fix the dependency.