The Perfect Setup - CentOS 4.4 (32-bit) - Page 3

2 Adjust /etc/hosts

Next we edit /etc/hosts. Make it look like this:

vi /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
192.168.0.100           server1.example.com server1


3 Configure Additional IP Addresses

(This section is totally optional. It just shows how to add additional IP addresses to your network interface eth0 if you need more than one IP address. If you're fine with one IP address, you can skip this section.)

Let's assume our network interface is eth0. Then there is a file /etc/sysconfig/network-scripts/ifcfg-eth0 which looks like this:

vi /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.0.255
HWADDR=00:0C:29:C8:AA:7C
IPADDR=192.168.0.100
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
TYPE=Ethernet

Now we want to create the virtual interface eth0:0 with the IP address 192.168.0.101. All we have to do is to create the file /etc/sysconfig/network-scripts/ifcfg-eth0:0 which looks like this (we can leave out the HWADDR line as it is the same physical network card):

vi /etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0
BOOTPROTO=static
BROADCAST=192.168.0.255
IPADDR=192.168.0.101
NETMASK=255.255.255.0
NETWORK=192.168.0.0
ONBOOT=yes
TYPE=Ethernet

Afterwards we have to restart the network:

/etc/init.d/network restart

Note that this takes eth0 down and up again, so an SSH session will stall for a moment; if you only want to activate the new alias, ifup eth0:0 brings it up without touching the primary address. Either way, check with ifconfig eth0:0 (or ip addr show eth0) that 192.168.0.101 is now configured, and make sure the alias address is really free on your network before you use it, since a duplicate IP will disrupt whichever host already has it.

You might also want to adjust /etc/hosts after you have added new IP addresses, although this is not necessary.
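The ifcfg-eth0:0 file above hardcodes BROADCAST and NETWORK, and a typo in either silently breaks the alias. The following shell script is an added example (not part of the original tutorial) that derives both values from IPADDR and NETMASK, refuses an alias address outside the primary interface's subnet, and prints a ready-to-use ifcfg body. The device name, the address 192.168.0.101 and the path under /etc/sysconfig/network-scripts are the tutorial's values; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: generate an
# ifcfg-DEV:INDEX alias file whose NETWORK/BROADCAST are computed from
# IPADDR/NETMASK, so they cannot disagree with the primary interface.
# Addresses below are the tutorial's sample network (192.168.0.0/24).

# ip2int 192.168.0.101 -> 3232235621
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# int2ip 3232235621 -> 192.168.0.101
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of IP NETMASK -> network address (IP AND mask)
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# broadcast_of IP NETMASK -> directed broadcast (network OR inverted mask)
broadcast_of() {
    int2ip $(( ( $(ip2int "$1") & $(ip2int "$2") ) | ( ~$(ip2int "$2") & 4294967295 ) ))
}

# same_subnet IP1 IP2 NETMASK -> succeeds if both lie in the same subnet
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# alias_cfg DEV INDEX IP NETMASK PRIMARY_IP -> prints the ifcfg-DEV:INDEX body,
# or fails without output if IP is not in PRIMARY_IP's subnet.
alias_cfg() {
    dev=$1; idx=$2; ip=$3; mask=$4; primary=$5
    if ! same_subnet "$ip" "$primary" "$mask"; then
        echo "refusing $ip: not in the subnet of $primary/$mask" >&2
        return 1
    fi
    printf 'DEVICE=%s:%s\nBOOTPROTO=static\nBROADCAST=%s\nIPADDR=%s\nNETMASK=%s\nNETWORK=%s\nONBOOT=yes\nTYPE=Ethernet\n' \
        "$dev" "$idx" "$(broadcast_of "$ip" "$mask")" "$ip" "$mask" "$(network_of "$ip" "$mask")"
}

# Usage (as root), matching the tutorial's alias:
#   alias_cfg eth0 0 192.168.0.101 255.255.255.0 192.168.0.100 \
#       > /etc/sysconfig/network-scripts/ifcfg-eth0:0 && ifup eth0:0
```

Run the script with sh -x to watch the arithmetic; the same functions also work for a /25 or /26 netmask, where hand-computing BROADCAST is where mistakes usually happen.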


4 Configure The Firewall

(You can skip this chapter if you have already disabled the firewall during the basic system installation.)

I want to install ISPConfig at the end of this tutorial, and it comes with its own firewall. That's why I disable the default CentOS firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn't use any other firewall later on, as two rule sets managed by different tools will most probably interfere with each other). Be aware of what disabling it means: until ISPConfig's firewall is installed and configured, every service listening on the network is reachable from anywhere the machine is reachable, so keep that window short and don't start services you haven't configured yet.

Run

system-config-securitylevel

Select Disabled and press OK.

To check that the firewall has really been disabled, you can run

iptables -L -n

afterwards (-n skips reverse DNS lookups, which otherwise make the listing slow). The output should look like this, with all three policies set to ACCEPT and no rules under any chain:

[root@server1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Note that iptables -L shows only the filter table. To be sure nothing is left in the nat or mangle tables either, run iptables -t nat -L -n and iptables -t mangle -L -n as well, or dump all tables at once with iptables-save. Finally, confirm that the rule set doesn't come back at the next boot: chkconfig --list iptables should show every runlevel as off.
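As an added example (not from the original tutorial), the shell script below checks iptables-save output rather than a single iptables -L listing, so a leftover rule in the nat or mangle table is caught as well. The three rule sets embedded in it are constructed samples in iptables-save format: an emptied filter table, the shape of the stock CentOS 4 rule set, and a clean filter table with one stray nat rule. The function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: confirm that packet
# filtering is really off in every table. A bare "iptables -L" shows only
# the filter table, so a rule left in nat or mangle would go unnoticed.
# The rule sets below are constructed samples in iptables-save format.

# fw_is_open: read iptables-save output on stdin. Succeed (exit 0) only if
# every built-in chain has policy ACCEPT and no table contains a rule;
# otherwise print the first offending line and fail (exit 1).
fw_is_open() {
    awk '
        # chain header ":NAME POLICY [pkts:bytes]"; user-defined chains carry "-"
        /^:/ { if ($2 != "ACCEPT" && $2 != "-") { print "policy: " $0; exit 1 }; next }
        # any rule line means filtering is still active in this table
        /^-A/ { print "rule: " $0; exit 1 }
    '
}

# check_live_firewall: the same test against the running kernel, plus the
# boot-time setting. Needs root; not exercised by the samples below.
check_live_firewall() {
    iptables-save | fw_is_open || return 1
    if chkconfig --list iptables 2>/dev/null | grep -q ':on'; then
        echo "iptables service still starts at boot" >&2
        return 1
    fi
    return 0
}

# Constructed sample 1: what iptables-save prints after the firewall is disabled
FW_DISABLED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample 2: the shape of the stock CentOS 4 rule set
FW_CENTOS_DEFAULT='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample 3: filter table clean, but a leftover nat rule that
# "iptables -L" would never show
FW_NAT_LEFTOVER='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Usage:
#   printf '%s\n' "$FW_DISABLED" | fw_is_open && echo "firewall is off"
#   check_live_firewall || echo "filtering or the iptables service is still active"
```

The awk filter relies on the iptables-save format, in which every chain header starts with ":" and every rule with "-A", so it works unchanged for any table the kernel has loaded.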


5 Disable SELinux

(You can skip this chapter if you have already disabled SELinux during the basic system installation.)

SELinux is a mandatory access control layer in CentOS: with the targeted policy it confines network daemons such as httpd, named and postfix to the files, ports and operations the policy allows, independently of the ordinary Unix permissions. You can configure a secure server without it, but it is genuine defence in depth for a machine that will run several network services. Its drawback is that a service blocked by the policy fails in ways that look like an ordinary misconfiguration unless you know to look for denial messages in /var/log/messages (or /var/log/audit/audit.log if auditd is running), and the ISPConfig installer and the applications it compiles are not SELinux-aware. Therefore I disable it (this is a must if you want to install ISPConfig later on). If you would rather keep the denial logging without the enforcement, set SELINUX=permissive instead of disabled.

Edit /etc/selinux/config and set SELINUX=disabled:

vi /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Afterwards we must reboot the system, because switching SELinux off entirely only takes effect at boot (setenforce 0 switches a running system to permissive, but cannot disable it):

shutdown -r now

After the reboot, getenforce should print Disabled. Should you later want to turn SELinux back on, create the file /.autorelabel (touch /.autorelabel) before rebooting with SELINUX=enforcing, because files created while SELinux was disabled carry no security labels and the file system has to be relabelled first.


6 Install Some Software

First we import the GPG keys for software packages. They are what yum uses (gpgcheck=1 in /etc/yum.repos.d/CentOS-Base.repo) to verify the signature of every package it downloads before installing it:

rpm --import /usr/share/rhn/RPM-GPG-KEY*

rpm -q gpg-pubkey lists the keys that are now imported. Then we update our existing packages on the system, which pulls in all errata (security fixes included) published since the 4.4 installation media were built:

yum update

Now we install some software packages that are needed later on:

yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++
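The imported keys only protect you if every enabled repository actually has signature checking turned on; a repository with gpgcheck=0 (or none at all, which inherits the [main] default) lets yum install unsigned packages from it, and several comments below suggest adding third-party repositories. The shell script that follows is an added example, not part of the original tutorial: it scans a directory of .repo files and lists every enabled repository that does not verify signatures. The two repository files it writes are constructed samples (the third-party host is a placeholder), and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: the imported keys only
# help if every enabled repository has gpgcheck=1; otherwise yum will install
# unsigned packages from it. audit_repos scans a directory of .repo files and
# lists enabled repositories that do not verify signatures. The repository
# files written by make_sample_repodir are constructed samples.

# audit_repos DIR: print "FILE:REPO" for each enabled section whose gpgcheck
# is not 1 (a missing gpgcheck inherits the [main] default, which is 0 on
# CentOS 4, so it is reported too). Exit 1 if anything was reported.
audit_repos() {
    awk '
        function flush() {
            if (name != "" && enabled != "0" && gpgcheck != "1") {
                print fname ":" name; bad = 1
            }
            name = ""
        }
        FNR == 1 { flush() }                     # new file: close previous section
        /^\[/ {                                  # "[repoid]" starts a section
            flush(); fname = FILENAME; name = $0
            sub(/^\[/, "", name); sub(/\].*$/, "", name)
            enabled = "1"; gpgcheck = ""          # yum default: enabled unless told otherwise
            next
        }
        /^enabled[ \t]*=/  { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); enabled = v }
        /^gpgcheck[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); gpgcheck = v }
        END { flush(); exit bad }
    ' "$1"/*.repo
}

# make_sample_repodir: write two constructed .repo files into a temporary
# directory and print its path. Hosts and paths are placeholders.
make_sample_repodir() {
    d=$(mktemp -d)
    cat > "$d/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-4 - Base (constructed sample)
mirrorlist=http://mirrorlist.centos.org/?release=4&arch=i386&repo=os
gpgcheck=1
gpgkey=file:///usr/share/rhn/RPM-GPG-KEY-centos4

[centosplus]
name=CentOS-4 - Plus (constructed sample)
mirrorlist=http://mirrorlist.centos.org/?release=4&arch=i386&repo=centosplus
gpgcheck=1
enabled=1
EOF
    cat > "$d/third-party.repo" <<'EOF'
[thirdparty]
name=Third-party repository (constructed sample)
baseurl=http://repo.example.invalid/el4/
enabled=1
gpgcheck=0
EOF
    echo "$d"
}

# Usage on a real system:
#   audit_repos /etc/yum.repos.d || echo "fix the repositories listed above"
#   rpm -K some-package.rpm    # verify a hand-downloaded package before rpm -Uvh
```

The same idea applies to packages fetched by hand with wget, as one of the comments below does: rpm -K (or rpm --checksig) reports whether the package carries a valid signature from an imported key, and a package that is merely "md5 OK" but not "gpg OK" has not been verified at all.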

Comments

From: hoihtah at: 2006-10-11 23:53:44

Thank you guys for putting up this well written guide.

Just one question, how do I do this setup with mysql version 5 instead of 4?

From: orentocy at: 2006-10-12 16:09:59

Enable CentOS plus yum repository in your /etc/yum.repos.d/CentOS-Base.repo, then you will be able to upgrade both your mysql and php to version 5.

From: at: 2006-11-04 07:57:58

Hi, I enabled the centosplus section using enabled=1. Now my system is updated with php 5 and mysql 5 with the command

yum update -y 

Enabling the centosplus section: 

vi /etc/yum.repos.d/CentOS-Base.repo
[centosplus]
gpgcheck=1
enabled=1

From: at: 2006-11-07 20:14:43

there is one more thing you need to do.  update php.conf file

 cp /etc/httpd/conf.d/php.conf.rpmnew /etc/httpd/conf.d/php.conf

Otherwise, httpd will error out when trying to start.  Or at least it does on mine.  :) 

From: at: 2007-02-13 23:14:51

Hi all,

I found some bugs if the yum CentOS Plus is enabled before starting the ISPconfig OS preparation.

If it happens to you, go back to mysql4 and php4, make your ISPconfig prep THEN enable the CentOS plus repo to install Mysql5 and php5.

Now you are ready for ISPconfig install.

Thanks for this perfect howto. Saves a lot of hours. 

From: jperrin at: 2006-10-13 00:28:30

Very good tutorial, and very detailed, however one part concerns me. Your rebuild of zlib at the end does not address removing the currently installed zlib, or address the problem of future rpms which may rely on zlib failing because of the one built from source (rpms are rather ignorant about source built software). I would also posit that you cannot rely on the version of zlib to identify that it's vulnerable. Security fixes are backported in centos (and it's parent distro, RHEL), so version numbers may be inaccurate. The changelog for the zlib rpm lists several CAN- advisory fixes, so I wonder if the bug you claim is one of these. If it is not, has this been reported to the centos folks, or to the upstream RedHat bugzilla?

 If this bug is not fixed in the RPM as one of the listed CAN changes in the changelog and the rpm does indeed contain vulnerable code, I'd like to see it fixed in the distro, rather than being bolted onto a(n excellent) tutorial.

From: till at: 2006-10-13 14:29:25

I don't think that there is really a bug in the zlib that ships with CentOS; the problem is that the version number doesn't get updated when the fixes are applied.

For example, if you want to compile ClamAV, which is necessary for ISPConfig, ClamAV complains about a bug in zlib and stops compiling. So either the ClamAV team has to add a better zlib detection routine or the CentOS team has to set a higher version number in the zlib library when they apply fixes.

From: jperrin at: 2006-10-13 15:02:42

This is addressed a bit more thoroughly in the post by Johnny Hughes, who is one of the CentOS Project leads, http://www.howtoforge.com/perfect_setup_centos_4.4_p6#comment-3055 What it comes down to is an upstream versioning decision by redhat, which centos inherits as a clone/rebuild product. I would consider this to be a flaw in ClamAV/ISPConfig packaging, and that it should not be advertised as a CentOS vulnerability unless such a problem actually exists.

From: at: 2007-04-18 02:25:10

First, thanks for an excellent tutorial!

I had serious problems with ntp running the Perfect setup on a Windows host using VMWare GSX server. My clock was constantly running behind and I would use rdate to set the clock but very soon the clock was running behind again.

Googling I found a workaround that worked out well (if running SMP on single core processor):

1. Edit /etc/grub.conf
Add 'noapic nosmp nolapic clock=pit acpi=no' so your grub.conf looks like this:

title CentOS (2.6.9-42.0.10.ELsmp)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-42.0.10.ELsmp ro root=/dev/VolGroup00/LogVol00 noapic nosmp nolapic clock=pit acpi=no
        initrd /initrd-2.6.9-42.0.10.ELsmp.img


2. Edit /etc/ntp.conf
Add 'burst iburst' after your server:

# --- OUR TIMESERVERS -----
server 0.pool.ntp.org burst iburst
server 1.pool.ntp.org burst iburst
server 2.pool.ntp.org burst iburst

This solved all my problems with a slow clock and my time is now on the spot 24/7.

My Windows system:
P4 3 GHz
3.5 GB RAM
VMWare GSX server

From: hughesjr at: 2006-10-13 12:16:39

This is an excellent article ... the only thing I am not sure about is the zlib comment.

The upstream provider uses a process called Backporting

Backporting takes security issues and rolls them into older packages to prevent breaking abi's that people have based custom programing on.

I have looked at the zlib that you mention at the end of the article and it fixes these security issues:

CAN-2004-0797

CAN-2005-2096

(see the zlib website for more details)

Both of these security issues are fixed in the zlib that is included in CentOS via backporting and I do not recommend that people compile their own zlib unless someone can point out a different issue that is fixed in zlib-1.2.3.

I would even say that installing your own zlib is BAD, as it will put different libraries than the ones used to build the other CentOS executables ... which can cause issues with how these applications function.  We are talking about very system critical applications like openssh, openssl, etc.

Thanks,

Johnny Hughes, CentOS-4 Lead Developer. 

From: at: 2006-11-02 11:07:15

The ISPConfig setup routine includes compiling ClamAV which is the culprit. It checks for a specific zlib version. This check can be skipped by modifying

install_ispconfig/compile_aps/compile

and adding

--disable-zlib-vcheck

to the ClamAV configure script. 

From: Anonymous at: 2009-02-16 07:44:14

yum -y remove ftp vsftpd webmin usermin xinetd php* httpd* proftpd mysql* bind* post*
yum update -y
cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
rpm --import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
yum -y install proftpd
chkconfig --levels 235 proftpd on
/etc/init.d/proftpd start
wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/device-mapper-1.02.21-1.el4.i386.rpm
wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/hotplug-2004_04_01-7.8.i386.rpm
wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/lvm2-2.02.27-2.el4.i386.rpm
wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/hwdata-0.146.33.EL-1.noarch.rpm
wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/usbutils-0.11-7.RHEL4.1.i386.rpm
rpm -Uvh *.rpm
rm -r -f *.rpm
wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/udev-039-10.19.el4.i386.rpm
rpm -ivh udev*rpm --justdb
yum -y install up2date nano
wget http://download.lxlabs.com/download/lxadmin/production/lxadmin-install-master.sh
yum update -y
nano /etc/pam.d/ftp

From: Matthew at: 2011-09-25 16:22:06

yum install webalizer

 once you run that... then what? how do you configure it?