The Perfect Setup - CentOS 4.3 (64-bit) - Page 3

2 Configure Additional IP Addresses

(This section is totally optional. It just shows how to add additional IP addresses to your network interface eth0 if you need more than one IP address. If you're fine with one IP address, you can skip this section.)

Let's assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:

vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
HWADDR=00:0C:29:C8:AA:7C
IPADDR=192.168.0.180
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
TYPE=Ethernet

Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this (we can leave out the HWADDR line as it is the same physical network card):

vi /etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
TYPE=Ethernet

Afterwards we have to restart the network:

/etc/init.d/network restart
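As an added example (not part of the original tutorial), a small POSIX shell helper that builds the ifcfg-eth0:0 alias file from the parent ifcfg-eth0 and first checks that the new address really lies inside the parent's NETWORK/NETMASK, which is the mistake that silently breaks alias setups. The function names and the sample parent config are constructed here.

```shell
#!/bin/sh
# Generate an ifcfg-<dev>:<n> alias file from the parent ifcfg file,
# after checking that the new address lies inside the parent's
# NETWORK/NETMASK. Added example, not part of the original tutorial;
# paths are parameters so it can be tried in a scratch directory.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Read the value of KEY (argument 2) from an ifcfg file (argument 1).
cfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Constructed sample parent config, mirroring the tutorial's ifcfg-eth0.
sample_parent() {
    printf '%s\n' DEVICE=eth0 BOOTPROTO=static BROADCAST=192.168.0.255 \
        HWADDR=00:0C:29:C8:AA:7C IPADDR=192.168.0.180 NETMASK=255.255.255.0 \
        NETWORK=192.168.0.0 ONBOOT=yes TYPE=Ethernet
}

# make_alias_cfg <parent ifcfg> <alias device> <new ip> <output file>
# Writes the alias file and returns 0, or returns 1 without writing
# anything if the address is outside the parent's subnet.
make_alias_cfg() {
    parent=$1; dev=$2; ip=$3; out=$4
    netmask=$(cfg_get "$parent" NETMASK)
    network=$(cfg_get "$parent" NETWORK)
    bcast=$(cfg_get "$parent" BROADCAST)
    if [ $(( $(ip2int "$ip") & $(ip2int "$netmask") )) -ne $(ip2int "$network") ]; then
        echo "$ip is not inside $network/$netmask" >&2
        return 1
    fi
    # HWADDR is deliberately left out: same physical card as the parent.
    cat > "$out" <<EOF
DEVICE=$dev
BOOTPROTO=static
BROADCAST=$bcast
IPADDR=$ip
NETMASK=$netmask
NETWORK=$network
ONBOOT=yes
TYPE=Ethernet
EOF
}
```

Run it as `make_alias_cfg /etc/sysconfig/network-scripts/ifcfg-eth0 eth0:0 192.168.0.101 /etc/sysconfig/network-scripts/ifcfg-eth0:0` and restart the network as above.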


3 Configure The Firewall

(You can skip this chapter if you have already disabled the firewall during the basic system installation.)

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That's why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on as it will most probably interfere with the CentOS firewall).

Run

system-config-securitylevel

Select Disabled and press OK.

To check that the firewall has really been disabled, you can run

iptables -L

afterwards. The output should look like this:

[root@server1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


4 Disable SELinux

(You can skip this chapter if you have already disabled SELinux during the basic system installation.)

SELinux is a security extension of CentOS that is meant to provide additional protection. In my opinion you don't need it to configure a secure system, and it usually causes more problems than it solves (think of spending a week troubleshooting a service that wasn't working as expected, only to find out that everything was fine and SELinux alone was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

Edit /etc/selinux/config and set SELINUX=disabled:

vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system:

shutdown -r now
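An added example, not from the original tutorial, covering the checks in sections 3 and 4: it parses the output of iptables -L to confirm that every chain has policy ACCEPT and contains no rules, and reads the effective SELINUX= value from /etc/selinux/config. The function names and the sample outputs are constructed here; feed the live command output or the config file on stdin.

```shell
#!/bin/sh
# Sanity checks for the state the tutorial expects after sections 3 and 4:
# an empty iptables ruleset with ACCEPT policies, and SELINUX=disabled in
# /etc/selinux/config. Added example, not part of the original tutorial.
# Both checks read stdin, so they accept either the live output
# ("iptables -L | iptables_is_open") or the constructed samples below.

# iptables_is_open: exit 0 only if every chain has policy ACCEPT and no
# rule lines are present (what "iptables -L" prints after disabling).
iptables_is_open() {
    awk '
        /^Chain /        { if ($0 !~ /\(policy ACCEPT\)/) bad++; next }
        /^target +prot/  { next }     # column header after each Chain line
        /^[[:space:]]*$/ { next }
        /^\[root@/       { next }     # shell prompt copied along with the output
        { bad++ }                     # anything else is an actual rule
        END { exit (bad > 0) }'
}

# selinux_mode: print the effective SELINUX= value from the config on
# stdin (last uncommented assignment wins; SELINUXTYPE= is not matched).
selinux_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# Constructed sample matching the tutorial's expected "iptables -L" output.
sample_iptables_open() {
    printf '%s\n' '[root@server1 ~]# iptables -L' \
        'Chain INPUT (policy ACCEPT)' 'target     prot opt source               destination' '' \
        'Chain FORWARD (policy ACCEPT)' 'target     prot opt source               destination' '' \
        'Chain OUTPUT (policy ACCEPT)' 'target     prot opt source               destination'
}

# Constructed sample with a DROP policy and one leftover rule, for contrast.
sample_iptables_rules() {
    printf '%s\n' 'Chain INPUT (policy DROP)' 'target     prot opt source               destination' \
        'ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh'
}

# Constructed sample of the /etc/selinux/config shown in section 4.
sample_selinux_config() {
    printf '%s\n' '# SELINUX= can take one of these three values:' \
        '# disabled - SELinux is fully disabled.' 'SELINUX=disabled' \
        '# SELINUXTYPE= type of policy in use. Possible values are:' 'SELINUXTYPE=targeted'
}
```

Note that the config file only takes effect after the reboot; until then `getenforce` still reports the running mode.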


5 Install Some Software

First we import the GPG keys for software packages:

rpm --import /usr/share/rhn/RPM-GPG-KEY*

Then we update our existing packages on the system:

yum update

Now we must uninstall the OpenSSL package, because otherwise you will get errors similar to this:

Transaction Check Error: file /usr/share/man/man1/asn1parse.1ssl.gz from install of openssl-0.9.7a-43.8 conflicts with file from package openssl-0.9.7a-43.8

when you try to install software with yum later on. To do this, we run

rpm -e --nodeps openssl

Now we install some software packages that are needed later on:

yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++

This will also install a new OpenSSL package that does not cause problems anymore.


Comments

From: andalucia at: 2006-09-07 13:37:18

Free SSH (ssh/sftp) Client for windows users from ssh.com 

ftp://ftp.ssh.com/pub/ssh/SSHSecureShellClient-3.2.9.exe

not for commercial or corporate use.
Thank You


From: putra koreng at: 2009-01-01 07:28:10

thanks, this is so helpful for me

From: Anonymous at: 2006-06-26 09:40:28

Everything worked fine for me on Centos 4.3 (32bit) but I had to add the lines:

ssl_cert_file = /etc/postfix/ssl/smtpd.crt
ssl_key_file = /etc/postfix/ssl/smtpd.key

to /etc/dovecot.conf to stop the warning

fetchmail: Server CommonName mismatch: localhost.localdomain != xxxxx.com

when fetching POP mail using fetchmail

Thanks for the excellent howto!

Steve 


From: Anonymous at: 2006-04-12 04:20:18

Excellent.... I've been waiting for a guide like this for a while. Whenever I install a new system, almost never does a person give me all the steps in one guide... until now ;). Believe me it sucks to have to download the linux offline system command webpages (all 300 of em) via bittorent. This is an eye opener indeed.

From: Anonymous at: 2006-08-22 07:20:29

very nice! I was trying to do something just like this with a plain centos server build (did the text install, not GUI) and this worked out great. I was struggling trying to get my ssl working on apache when I stumbled into this... great work! ( I did not see it install the php-xml package though, and my ssl is acting screwy, saying I have an identical certificate already on file... but I will figure it out...)

From: Anonymous at: 2006-06-21 22:15:48

Just wanted to mention, for some of the last steps,

yum install gcc

is required to rebuild zlib

and that if you are planning on installing ispconfig,

yum install flex

will be required to avoid the PHP errors.

From: so_ at: 2006-09-11 22:14:16

Rebuilding zlib is not required.  The author has failed to understand the Redhat/Centos versioning and how security fixes to packages such as zlib are backported.

http://www.redhat.com/advice/speaks_backport.html 


The security problems that the zlib upgrade are designed to solve, were already patched long ago and continue to be patched as security requires.

  • REDHAT:RHSA-2006:0101 - http://www.redhat.com/support/errata/RHSA-2006-0101.html
  • REDHAT:RHSA-2006:0144 - http://www.redhat.com/support/errata/RHSA-2006-0144.html
  • REDHAT:RHSA-2006:0190 - http://www.redhat.com/support/errata/RHSA-2006-0190.html
  • REDHAT:RHSA-2006:0191 - http://www.redhat.com/support/errata/RHSA-2006-0191.html

From: so_ at: 2006-09-11 22:18:56

Those previous URLs are the kernel fixes due to zlib problems. Here is the advisory for the zlib package itself.

http://www.redhat.com/support/errata/RHSA-2005-569.html
http://rhn.redhat.com/errata/RHSA-2005-584.html

From: at: 2006-11-05 10:11:38

Edit the compile file and add --disable-zlib-vcheck

vi install_ispconfig/compile_aps/compile

Such as:

cd ${CLAMAV}
./configure --prefix=/home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav --sysconfdir=/home/adm${APPLICATION_NAME}/${APPLICATION_NAME}/tools/clamav/etc --with-user=adm${APPLICATION_NAME} --with-group=adm${APPLICATION_NAME} --disable-clamav --disable-zlib-vcheck --disable-bzip2 || error "Could not configure ClamAV"