© Steve Searle 1999, 2006
Techie Stuff - GNU/Linux Server Setup (CentOS 5.0)

The following instructions cover the installation of CentOS 5.0 on my Compaq ProLiant DL380 dual 1GHz server.

As ever, if you use any of the information remember that I run a network securely protected by a firewall.

Contents
Install CentOS 5.0
Configure miscellaneous settings
Secure SSH
Update packages
Modify daemons that start automatically
Install anti-virus
Install Uptimed
NFS exports
Configure Sendmail
Configure fetchmail
Configure procmail
Configure miscellaneous mail settings
Configure virus checking (email)
Configure spam checking (email)
Configure greylisting (email)
Backups
Setup NTP
Update Perl
Install Webmin
Install Vim
Install Mutt
Configure BIND
Configure DHCP
Configure MySQL
Configure Apache
Configure Samba
Install phpMyAdmin
Install arpwatch
Install Remind
Install Fedora Core 4 Linux

Install CentOS 5.0

These instructions are for installing GNU/Linux as the only operating system on a PC. All existing data and operating systems will be overwritten and lost!

To install on a Compaq ProLiant DL380, the Compaq SmartStart v5.5 CD will be needed as well as the CentOS 5.0 installation CDs.

  1. Boot from the Compaq SmartStart CD.
  2. Select Run System Erase Utility and click OK. Click Yes to confirm this.
  3. Reboot from the Compaq SmartStart CD.
  4. Select Click here to use English during the SmartStart process.
  5. Select United Kingdom and set the date and time. Deselect Adjust for Daylight Savings Changes and click Next >.
  6. Click Continue.
  7. Agree to the licence and click OK.
  8. Select Manual Configuration and click Begin >.
  9. Click the + next to Linux and then select Linux OS. Click Next >.
  10. Click Continue.
  11. Press <ENTER> to save the configuration.
  12. Press <ENTER> to continue.
  13. Click Next to configure the Smart Array Controller.
  14. Select (RAID 0) No Fault Tolerance and click Next.
  15. Click Next and then Done to accept the configuration.
  16. Exit the Compaq Array Configuration Utility, clicking Yes when prompted to save the changes.
  17. Click Next > to continue.

Remove the SmartStart CD and insert the first CentOS CD, then click on Continue.

  1. Press <ENTER> to install in graphical mode.
  2. Skip the media test unless it has not been previously tested.
  3. Click Next to start the install.
  4. Leave the language set to English (English) and click Next.
  5. Select the United Kingdom keyboard and click Next.
  6. Select Server and click Next.
  7. Select Create custom layout. Then click Next.
  8. Create partitions as follows, then click Next. Note that the Compaq vfat partition /dev/ida/c0d0p3 should be left in place.
     hda1     200 MB   /boot
     hda2   4,000 MB   /home
     hda3   4,000 MB   /var
     hda5   2,000 MB   /tmp
     hda6   1,000 MB   (swap)
     hda7  23,500 MB   /
  9. Leave the GRUB settings unchanged and click Next.
  10. Set up networking as follows, then click Next.
                    eth0                eth1
     Hostname       magpie.stevesearle.com
     IP Address     192.168.126.2       192.168.126.7
     Netmask        255.255.255.0       255.255.255.0
     Gateway        192.168.126.254
     Primary DNS    127.0.0.1
     Secondary DNS  192.168.126.4
  11. Select Europe/London - Great Britain and select System clock uses UTC and click Next.
  12. Set and confirm the Root Password and click Next.
  13. Make the following changes to the default package selection, and then click Next.
    • Deselect Desktop - Gnome
    • Select Server
    • Select Packages from CentOS Extras
    • Select Customize now.
  14. Make the following changes to package selection, and then click Next.
    • Applications - Deselect Editors
    • Applications - Deselect mutt from Text-based Internet
    • Development - Select Development Libraries
    • Development - Select Development Tools
    • Servers - Deselect FTP Server
    • Servers - Select MySQL Server
    • Servers - Deselect News Server
    • Servers - Select Printing Support
    • Base System - Deselect Dialup Networking Support
  15. Click Next to continue the installation.

Change CDs as prompted, and click on Reboot when the installation is complete.

  1. Select Firewall configuration and Run Tool. Change SELinux to Disabled and select Customize. As well as SSH, which should already be selected, also select WWW (HTTP), Secure WWW (HTTPS), Samba, NFS4 and Mail (SMTP). Select OK, and select it again when you return to the previous screen.
  2. Select Exit.


Configure miscellaneous settings

Create a .forward file for root to ensure that you receive any mail sent to root.


Customise the shell prompt by adding the following lines to the end of /etc/bashrc.

 ColourFuscia="\[\033[0;36m\]"
 ColourGreen="\[\033[0;32m\]"
 ColourDefault="\[\033[0m\]"
 
 # Set green to red if root
 if [ "$UID" = "0" ]; then
        ColourGreen="\[\033[1;31m\]"
 fi
 
 PS1="$ColourGreen($ColourFuscia\u@\h$ColourGreen:$ColourFuscia\w$ColourGreen)$ColourFuscia\\$ $ColourDefault"


Edit /boot/grub/grub.conf to change the resolution of the virtual terminals (on Ctrl-Alt-F1 through Ctrl-Alt-F6). Add vga=790 to the end of the kernel line of the menu entry, e.g.

 kernel /vmlinuz-2.4.22-1.2115.nptlsmp ro root=LABEL=/ vga=790

790 produces a 1024x768 resolution with 32,768 colours. You could use any of the following values (if your video card supports them).

Bugzilla bug 236195 means that if you make this change in CentOS 5.0 you will get a blank screen. This bug is expected to be fixed in 5.1, so don't make this change for the time being.

Colours   640x480   800x600   1024x768   1280x1024   1600x1200
256       769       771       773        775         796
32,768    784       787       790        793         797
65,536    785       788       791        794         798
16.8M     786       789       792        795         799


Keep /tmp tidy. Create a script in /etc/cron.daily containing the following lines. It deletes files that are more than a week old, and then removes empty directories of the same age.

 #!/bin/bash
 # -mindepth 1 keeps /tmp itself out of the candidates; empty directories are removed with rmdir, deepest first.
 find /tmp -mindepth 1 -mtime +7 -type f -print -exec rm -f {} ";"
 find /tmp -mindepth 1 -depth -mtime +7 -type d -empty -print -exec rmdir {} ";"


Secure SSH

I don't allow ssh access to the root account, or any access with a password (key-based authentication only). The ClientAliveInterval and ClientAliveCountMax lines stop the terminal from locking up when using an ssh shell. Edit /etc/ssh/sshd_config as follows.

...
PermitRootLogin no
...
PasswordAuthentication no
...
ClientAliveInterval 30
ClientAliveCountMax 5
...

Restart the SSH daemon.

 # service sshd restart
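A check worth running after the edit, because sshd honours only the first occurrence of a keyword: if PermitRootLogin or PasswordAuthentication already appears earlier in the file, a hardening line added near the end is silently ignored. The script below is an added example, not part of the original page; it reads a config file, reports the effective value of each of the four keywords set above, and returns the number of mismatches. The sample config it audits is constructed to show exactly that failure.

```bash
#!/bin/bash
# Added example (not from the original page): report the effective value of the
# sshd_config keywords this section sets. sshd uses the FIRST occurrence of a
# keyword, so a hardening line appended at the end of the file is ignored if
# the keyword already appears above it. Keywords are case-insensitive.

# effective_value FILE KEYWORD -> prints the value sshd would use (empty if unset)
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }                  # skip blank lines and comments
        tolower($1) == tolower(key) { print $2; exit } # first match wins
    ' "$1"
}

# audit_sshd_config FILE: one line per check; returns the number of failed checks
audit_sshd_config() {
    local cfg="$1" fails=0 value pair key want
    for pair in PermitRootLogin:no PasswordAuthentication:no \
                ClientAliveInterval:30 ClientAliveCountMax:5; do
        key="${pair%%:*}"; want="${pair#*:}"
        value=$(effective_value "$cfg" "$key")
        if [ "$value" = "$want" ]; then
            echo "ok    $key $value"
        else
            echo "FAIL  $key is '${value:-unset}', expected '$want'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample: the hardening lines were appended, but an earlier
# "PasswordAuthentication yes" wins, so the audit flags it.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config for the example
Protocol 2
PasswordAuthentication yes
ClientAliveInterval 30
ClientAliveCountMax 5
PermitRootLogin no
PasswordAuthentication no
EOF

audit_sshd_config "$SAMPLE_CFG" || echo "failed checks: $?"
rm -f "$SAMPLE_CFG"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` before restarting the daemon; a non-zero return means at least one setting is not what the section intends.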


Update packages

By default, CentOS 5.0 uses the yum-updatesd daemon to tell the user when updates are available; the user can then download and install them manually. I prefer to stop this daemon and create a cron job to download and install any yum updates. Stop the daemon and prevent it restarting with:

# service yum-updatesd stop
# chkconfig yum-updatesd off

Create the following bash script in /etc/cron.daily

#!/bin/bash

yum -y update

exit 0

Run yum to update any RPM packages that are out of date.

# yum update

Clean the old yum headers occasionally with a monthly cron job that runs:

yum clean all

Install extra packages. For multitail, you will need Dag Wieers's RPM packages for CentOS. Ensure you have the latest version of his rpmforge-release, then install the packages required.

# rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
# yum install unarj             # used by trashscan
# yum install sendmail-devel
# yum install ntp
# yum install dhcp
# yum install php-mysql
# yum install php-mbstring      # used by phpMyAdmin
# yum install multitail
# yum install arpwatch


Modify daemons that start automatically

By default, CentOS installs with a number of daemons that I don't need. Turning these off saves system resources and reduces the attack surface. I also want arpwatch to run by default.

# chkconfig apmd off
# service apmd stop
# chkconfig arpwatch on
# service arpwatch start
# chkconfig bluetooth off
# service bluetooth stop
# chkconfig cpuspeed off
# service cpuspeed stop
# chkconfig hidd off
# service hidd stop
# chkconfig mdmonitor off
# service mdmonitor stop


Install anti-virus

These instructions have been derived from the excellent SpamAssassin-ClamAV-Procmail-Howto.

Download Clam AntiVirus to /tmp.

Create a user group and user.

# groupadd -r clamav
# useradd -r -m -g clamav -s /bin/false -c "Clam AntiVirus" clamav

Install.

$ cd /tmp
$ tar -xzf clamav-0.80.tar.gz
$ cd clamav-0.80
$ ./configure
$ make
$ su -c "make install"

Edit both /usr/local/etc/clamd.conf and /usr/local/etc/freshclam.conf and remove or comment out the Example directive.

...
# Comment or remove the line below.
# Example
...

Create /etc/init.d/clamd as follows.

#!/bin/bash
# Starts and stops clamd together with the freshclam update daemon.
# The socket path tested below must match LocalSocket in clamd.conf.

TMPDIR=/tmp
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin

FRESHCLAM=/usr/local/bin/freshclam
CLAMD=/usr/local/sbin/clamd
SOCKET=/tmp/clamd

# Terminate every process running the given executable: SIGTERM first so the
# daemon can shut down cleanly, SIGKILL only for anything still alive afterwards.
kill_by_path() {
        local pids
        pids=$(ps ax | grep -iw "$1" | grep -iv 'grep' | awk '{print $1}')
        [ -n "$pids" ] || return 0
        kill $pids 2>/dev/null
        sleep 2
        pids=$(ps ax | grep -iw "$1" | grep -iv 'grep' | awk '{print $1}')
        [ -n "$pids" ] && kill -9 $pids 2>/dev/null
        return 0
}

case "$1" in
        start)
                echo "Starting ClamAV..."
                if [ -S "$SOCKET" ]; then
                        echo "ClamAV is already running!"
                else
                        # freshclam as a daemon, checking for signature updates 10 times a day
                        $FRESHCLAM -d -c 10 --datadir=/usr/local/share/clamav
                        $CLAMD
                        echo "ClamAV is now up and running!"
                fi
        ;;
        stop)
                echo "Shutting down ClamAV..."
                kill_by_path "$FRESHCLAM"
                kill_by_path "$CLAMD"
                # clamd removes its socket on a clean exit; clear a stale one left by SIGKILL
                [ -S "$SOCKET" ] && rm -f "$SOCKET"
                echo "ClamAV stopped!"
        ;;
        restart)
                $0 stop && sleep 3
                $0 start
        ;;
        *)
                echo "Usage: $0 {start|stop|restart}"
                exit 1
esac
exit 0

Make it executable and start it.

# chmod  755 /etc/init.d/clamd
# /etc/init.d/clamd start

Make it start at boot up and stop at close down.

# ln -s /etc/init.d/clamd /etc/rc2.d/S20clamd
# ln -s /etc/init.d/clamd /etc/rc3.d/S20clamd
# ln -s /etc/init.d/clamd /etc/rc4.d/S20clamd
# ln -s /etc/init.d/clamd /etc/rc5.d/S20clamd
# ln -s /etc/init.d/clamd /etc/rc0.d/K20clamd
# ln -s /etc/init.d/clamd /etc/rc1.d/K20clamd
# ln -s /etc/init.d/clamd /etc/rc6.d/K20clamd

Schedule the following command to run regularly to check for viruses.

/usr/local/bin/clamscan -ir --stdout /


Install Uptimed

Uptimed is used to keep track of the highest uptimes my GNU/Linux computers have.

Download it, and build and install it with

$ cd /tmp
$ tar -xjf uptimed-0.3.1.tar.bz2
$ cd uptimed-0.3.1
$ ./configure
$ make
$ su -c "make install"

Then add the following to /etc/rc.d/rc.sysinit to create a unique id each time the server is booted.

echo "Creating unique uptime daemon bootid..."
/usr/local/sbin/uptimed -b

Now add these lines to /etc/rc.d/rc.local to start the uptime daemon.

echo "Starting uptime daemon..."
/usr/local/sbin/uptimed

Rename uptimed.conf-dist

# mv /usr/local/etc/uptimed.conf-dist /usr/local/etc/uptimed.conf

then edit this to set the EMAIL and SEND_EMAIL variables.

Reboot and enter:

$ uprecords

to see how long the server has been up for.


NFS exports

I export a directory that I like to have available on any workstation I may be using. Create /etc/exports as follows.

/home/steve/share       *(rw,sync,no_root_squash)

Then start the NFS daemon, and set it to start automatically in the future.

# service nfs start
# chkconfig nfs on

Change the firewall settings to allow other machines to mount these exports.

Mount any NFS exports from other machines, by editing /etc/fstab and adding the appropriate lines, e.g.

hayley:/backups        /backups        nfs     rsize=8192,wsize=8192

This would mount hayley's /backups directory under /backups on this machine. (Permission would have to be granted on hayley via the /etc/exports file to allow this.) Don't forget to create the /backups directory on the local machine.
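The export above combines rw, no_root_squash and a wildcard client, so every host that can reach the NFS ports can write into the directory as root; only the firewall mentioned at the top of the page stands in the way. The script below is an added example (not part of the original page) that parses an exports file in the exports(5) format and flags that combination, so the exposure is visible whenever the file changes. The sample it reads is constructed and is not the author's real file.

```bash
#!/bin/bash
# Added example (not from the original page): audit an /etc/exports file for
# writable exports with no_root_squash offered to a wildcard, pattern or whole
# subnet. Format per exports(5): <path>  <client>(opt,...)  [<client>(opt,...) ...]

# audit_exports FILE: prints one line per client entry, returns the number of
# RISK entries (0 means nothing risky was found).
audit_exports() {
    local file="$1" risky=0 line path entry client opts
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                   # drop comments
        set -f; set -- $line; set +f         # split on whitespace without glob-expanding '*'
        [ $# -ge 2 ] || continue             # blank line, or a path with no client list
        path="$1"; shift
        for entry in "$@"; do
            client="${entry%%\(*}"
            if [ "$client" = "$entry" ]; then
                opts=""                      # bare client: all defaults (ro, root_squash)
            else
                opts="${entry#*\(}"; opts="${opts%\)}"
            fi
            case ",$opts," in
                *,no_root_squash,*)
                    case "$client" in
                        \*|*\**|*\?*|*/*)    # wildcard, pattern or subnet
                            echo "RISK $path $client ($opts)"
                            risky=$((risky + 1)) ;;
                        *) echo "WARN $path $client ($opts) root not squashed for a single host" ;;
                    esac ;;
                *) echo "ok   $path $client (${opts:-defaults})" ;;
            esac
        done
    done < "$file"
    return "$risky"
}

# Constructed sample: the page's own wildcard export plus two safer variants.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed /etc/exports for the example
/home/steve/share       *(rw,sync,no_root_squash)
/backups                hayley.stevesearle.com(rw,sync,no_root_squash)
/pub                    192.168.126.0/24(ro,sync)
EOF
audit_exports "$SAMPLE" || echo "risky entries: $?"
rm -f "$SAMPLE"
```

Restricting the client list to the LAN (for example `192.168.126.0/24` instead of `*`) or dropping no_root_squash turns the RISK line into a WARN or ok line; the return value makes the check usable from cron or a pre-reload hook.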


Configure Sendmail


Sendmail is a mail transfer agent (MTA); MTAs transfer messages between machines. Normally Sendmail sends out mail with headers showing it as coming from the fully qualified name of the local machine, e.g. steve@magpie.stevesearle.com. Some servers may refuse to accept email unless it comes from a recognisable Internet domain, so the following changes to the Sendmail configuration make it look as if the email has come from my Internet domain, stevesearle.com. To do this, the following lines are changed or added in /etc/mail/sendmail.mc (uncomment by removing the surrounding dnl ... dnl, and edit where necessary). The EXPOSED_USER and DAEMON_OPTIONS lines are commented out so that root's mail is masqueraded and so that email can be received from other clients on the local network.

...
dnl # EXPOSED_USER(`root')dnl
...
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
...
MASQUERADE_AS(`stevesearle.com')
...
FEATURE(masquerade_envelope)
...
FEATURE(masquerade_entire_domain)
...

Regenerate the /etc/mail/sendmail.cf with the following command (note the sendmail-cf package must be installed for this to work, and no warnings are displayed if it isn't installed).

# make -C /etc/mail

Add the following lines to /etc/mail/access to allow the server to relay mail for local network clients.

...
192.168.126             RELAY
192.168.127             RELAY

Add the following lines to /etc/mail/local-host-names to allow the server to receive mail from these domains.

...
orange.searle
searle.afraid.org
stevesearle.com
wormwoodstarsoft.co.uk
wormwoodstarsoft.com

Comment out any general redirection lines in /etc/aliases that would otherwise receive spam, and add lines for users who might receive email addressed to something other than their normal user name.

...
#sales:         postmaster
...
kaysearle:      kay

mail:           steve
mufc:           steve
stevesearle:    steve
webmaster:      steve

Update the aliases database and restart sendmail.

# newaliases
# service sendmail restart

Create a .forward file to ensure that any mail to root gets read.

Note that the EXPOSED_USER line in /etc/mail/sendmail.mc will prevent mail sent by root from being masqueraded, this should be removed if this is a problem.


Configure fetchmail

Fetchmail retrieves mail from remote mailservers. I use it to retrieve mail from a number of different mailservers on which I have accounts. I use POP3, but it also supports other POP and IMAP protocols.

Create /etc/fetchmailrc as follows.

#       Multidrop mail where there is no matching local recipient should
#       be sent to steve
set postmaster "steve"

#       Don't bounce errors back to the sender, but forward to the
#       postmaster
set nobouncemail

#       Don't bounce spam-blocked email back to the originator
set no spambounce

#       Used by extention scripts
set properties ""

#       Retrieve mail every 300 seconds
set daemon 300

poll pop3.demon.co.uk with proto POP3
       user 'kay+starsoft' there with password 'somepassword' is 'kay' here

poll pop3.demon.co.uk with proto POP3
       user 'starsoft' there with password 'somepassword' is 'steve' here

poll pop3.uklinux.net with proto POP3 envelope Envelope-To
       aka stevesearle.com
       user 'searle' there with password 'anotherpassword' is 'steve' 'kay' 'kaysearle' = 'kay' 'kieren' 'liam'

This will fetch any email for kay on my demon account (...@starsoft.demon.co.uk) and pass it to user kay. Any other email sent here will be retrieved and passed to user steve. Mail retrieved from my uklinux account (...@stevesearle.com) will be passed to steve, kay, kieren or liam if it is addressed to them. Mail addressed to kaysearle@... will also be passed to kay. Any other mail will be passed to steve because of the set postmaster "steve" line.

Create a group and user for fetchmail - it's a security risk to run it as root. Then change the permissions and ownership of /etc/fetchmailrc so that only this user can read it (the file holds the mailbox passwords in clear text).

# groupadd -r fetchmail
# useradd -r -m -g fetchmail -s /bin/false -c "Fetchmail" fetchmail
# chmod 600 /etc/fetchmailrc
# chown fetchmail:fetchmail /etc/fetchmailrc

Now set up a daemon for fetchmail. Create /etc/rc.d/init.d/fetchmaild.

#!/bin/sh
# chkconfig: - 99 00
# description: Starts and stops fetchmail

. /etc/init.d/functions

case "$1" in
'start')
#	daemon fetchmail -f /etc/fetchmailrc
	su fetchmail -s /bin/sh -c "fetchmail -v -d 900 -f /etc/fetchmailrc"
	touch /var/lock/subsys/fetchmaild
	;;
'stop')
	su fetchmail -s /bin/sh -c "fetchmail --quit"
	rm -f /var/lock/subsys/fetchmaild
	;;
*)
	echo "Usage :$0 { start | stop }"
	;;
esac
exit 0

Make it executable, and set it to run automatically at bootup. Then start it.

# chmod 755 /etc/rc.d/init.d/fetchmaild
# chkconfig --add fetchmaild
# chkconfig fetchmaild on
# service fetchmaild start


Configure procmail

Procmail processes my emails before I read them. I use it to check for spam and viruses and copy emails to other users. This is done using a procmail recipe. Create /home/steve/.procmailrc as follows.

#       Some variables
SHELL=/bin/bash
MAILDIR=$HOME/.mail
DEFAULT=$MAILDIR
LOGFILE=$MAILDIR/.log
VERBOSE=no

#       If the email contains the following line, it has already been
#       delivered to me and is deleted to avoid any infinite delivery
#       loops which might arise.

:0
* ^X-Loop: 5a42f054-92aa-494b-b71e-e2eb99da5fec
/dev/null

#       Otherwise mark all mail passing through.
:0 fhw
| formail -A "X-Loop: 5a42f054-92aa-494b-b71e-e2eb99da5fec"

#       Put liam's and Robbie's mail into a separate folder so I can
#       check it is suitable for them (they are only kids).

:0
* ^To.*liam@stevesearle.com|\
  ^To.*rob@stevesearle.com
liam

#       Send my wife a copy of anything from family and friends.

:0
* ^From.*friend@somedomain.com|\
  ^From.*family@somedomain.com
{
        :0 c
        ! kay
}

#       Anything that gets through to here ends up in my inbox.

:0
/var/spool/mail/steve


Configure miscellaneous mail settings

Enable the imap and pop3 services.

# chkconfig dovecot on
# service dovecot start

Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).

...
# SMTP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

# IMAP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT

#POP3
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
...
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
...

Restart the firewall.

# service iptables restart 


Configure virus checking (email)

Most of the information in this section is derived from the SpamAssassin-ClamAV-Procmail-Howto. It assumes SpamAssassin has been installed - if it is missing, use yum to install it - and that Clam AntiVirus has been installed as described earlier.

Install trashscan, a script that is used to scan incoming emails for viruses.

$ tar -xzf trashscan-0.12.tar.gz
$ cd trashscan-0.12
$ su -c "cp trashscan /usr/local/sbin"

Now make the following changes to /usr/local/sbin/trashscan. Change to use uudeview rather than metamail, change the --unarj=... argument on the VSCANOPT line to --arj=... and set the correct email addresses.

...
# DECODER=metamail                              # Decoder: "metamail" or "uudeview"
# DECODPRG=/usr/bin/metamail                    # Absolute path to decoder: metamail
DECODER=uudeview                                # Decoder: "metamail" or "uudeview"
DECODPRG=/usr/local/bin/uudeview                # Absolute path to decoder: uudeview
VSCANNER=clamav                                 # Scanner: "clamav". If you are using
                                                # clamav and you define "clamav" here
                                                # then the name of the detected virus
                                                # will be reported
...
...
VSCANOPT="--quiet --tempdir=$HOME/tmp --recursive --max-files=500 \
        --max-space=30M --unzip=/usr/bin/unzip --unrar=/usr/bin/unrar \
        --arj=/usr/bin/unarj --lha=/usr/bin/lha --jar=/usr/bin/unzip \
        --tar=/bin/tar --tgz=/bin/tar"
...
...
ALERT=yes                                       # send alert messages if a virus was detected (yes | no)
ALERTRCVR=steve@stevesearle.com                 # Receiver of virus alert messages
ALERTSNDR=mailservice@stevesearle.com           # Sender of virus alert messages
ALERTCTCT=steve@stevesearle.com                 # Person to contact (appears in the
...

Install uudeview which is used to decode emails.

$ tar -xzf uudeview-0.5.20.tar.gz
$ cd uudeview-0.5.20
$ ./configure
$ make
$ su -c "make install"

Configure procmail

Add the following recipes to /home/steve/.procmailrc to scan email with attachments for viruses, and to delete any that are infected. Note that these two recipes go either side of the recipes that check and set X-Loop to avoid infinite delivery loops.

...
#       Check for viruses
:0
* multipart
* !^X-Virus-Scan:
| /usr/local/sbin/trashscan
...
#       Virus?
:0 :
*  ^X-Virus-Scan: Suspicious
/dev/null
...


Configure spam checking

I use SpamAssassin to check for spam. Set the spamassassin service to start when the server is booted, and start it now.

# chkconfig spamassassin on
# service spamassassin start

Configure procmail

Add the following recipes to /home/steve/.procmailrc to put any spam into a separate spam folder. Once you are confident that only spam is being diverted there, you can change this to delete the spam instead. These recipes should follow the virus checking recipes added earlier.

...
#       Check for spam (only check email smaller than 250Kb)
:0 fw: spamassassin.lock
* < 256000
| spamc

#       Spam?
:0 :
* ^X-Spam-Status: Yes
spam
...

Training SpamAssassin's Bayesian Classifier

Bayesian spam analysis allows you to refine SpamAssassin to identify spam and ham (non-spam) by training it with your own spam and ham. This can greatly reduce the number of false positives and negatives. Assuming all spam not caught by SpamAssassin is saved to a ~/.mail/spam mailbox, and all legitimate mail is saved to ~/.mail/trash (instead of being deleted), create executable script learn.spam as follows, and set up a cron job to run it once a week.

#!/bin/bash
# Train the Bayesian classifier, then empty each mailbox only if sa-learn succeeded.

HAMBOX=/home/steve/.mail/trash
SPAMBOX=/home/steve/.mail/spam

if sa-learn --mbox --ham "$HAMBOX"
then
  cat /dev/null > "$HAMBOX"
fi

if sa-learn --mbox --spam "$SPAMBOX"
then
  cat /dev/null > "$SPAMBOX"
fi

exit 0


Configure greylisting

Greylisting is a method of defending against spam. I do this by configuring sendmail to use milter-greylist to temporarily reject any email from a sender which isn't recognised. The originating mail server for any legitimate email will attempt to send it again later at which point it will be accepted. Many spammers don't retry, however, so I never have to accept their spam. I can also whitelist users who are regular contacts, so their email is never delayed.
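The decision milter-greylist makes for each delivery attempt is simple enough to model in a few lines. The script below is an added example and is not milter-greylist's own code or anything from the original page: it keys on the (client IP, envelope sender, envelope recipient) triple as the milter does, answers tempfail to unknown triples, accepts a retry once the delay (an assumed 300 seconds here) has passed, and never delays whitelisted senders. The trace at the end uses constructed addresses and documentation IP ranges.

```bash
#!/bin/bash
# Added example (not from the original page and not milter-greylist's own code):
# a small model of the greylisting decision. State is a flat file with one
# "ip|from|to|first_seen" line per triple so the behaviour can be traced by hand.

GREYLIST_DELAY=${GREYLIST_DELAY:-300}         # seconds a new triple must wait (assumed value)
GREYLIST_DB=${GREYLIST_DB:-$(mktemp)}         # state file
GREYLIST_WHITELIST=${GREYLIST_WHITELIST:-}    # space-separated sender addresses never delayed

# greylist_decide IP FROM TO NOW -> prints "accept" or "tempfail"
greylist_decide() {
    local ip="$1" from="$2" to="$3" now="$4" key first w
    for w in $GREYLIST_WHITELIST; do
        if [ "$w" = "$from" ]; then echo accept; return 0; fi
    done
    key="$ip|$from|$to"
    first=$(awk -F'|' -v k="$key" '($1 "|" $2 "|" $3) == k { print $4; exit }' "$GREYLIST_DB")
    if [ -z "$first" ]; then
        echo "$key|$now" >> "$GREYLIST_DB"    # first contact: remember it and answer 4xx
        echo tempfail
    elif [ $((now - first)) -ge "$GREYLIST_DELAY" ]; then
        echo accept                           # retried after the delay: let it through
    else
        echo tempfail                         # retried too soon: still 4xx
    fi
}

# Constructed trace: a real MTA retries after ten minutes and gets through,
# a spammer never retries, a whitelisted friend is never delayed.
GREYLIST_WHITELIST="friend@somedomain.com"
t0=1000
for step in "$t0 203.0.113.5 bob@example.net" \
            "$((t0 + 60)) 203.0.113.5 bob@example.net" \
            "$((t0 + 600)) 203.0.113.5 bob@example.net" \
            "$((t0 + 5)) 198.51.100.9 spam@example.org" \
            "$t0 192.0.2.77 friend@somedomain.com"; do
    set -- $step
    printf '%-5s %-13s %-22s -> %s\n' "$1" "$2" "$3" \
        "$(greylist_decide "$2" "$3" steve@stevesearle.com "$1")"
done
rm -f "$GREYLIST_DB"
```

The model leaves out what the real milter adds on top: expiring old triples, auto-whitelisting a triple after it has passed once, and matching whitelist entries by network rather than only by sender address.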

Download and install milter-greylist.

$ cd /tmp
$ tar -xzf milter-greylist-3.0.tgz
$ cd milter-greylist-3.0
$ ./configure
$ make
$ su -c "make install"

Even after the make install there is a fair amount of manual installation to be done.

# cp rc-redhat.sh /etc/rc.d/init.d/milter-greylistd
# chmod 755 /etc/rc.d/init.d/milter-greylistd
# ln -s /etc/init.d/milter-greylistd /etc/rc2.d/S79milter-greylistd
# ln -s /etc/init.d/milter-greylistd /etc/rc3.d/S79milter-greylistd
# ln -s /etc/init.d/milter-greylistd /etc/rc4.d/S79milter-greylistd
# ln -s /etc/init.d/milter-greylistd /etc/rc5.d/S79milter-greylistd
# ln -s /etc/init.d/milter-greylistd /etc/rc0.d/K21milter-greylistd
# ln -s /etc/init.d/milter-greylistd /etc/rc1.d/K21milter-greylistd
# ln -s /etc/init.d/milter-greylistd /etc/rc6.d/K21milter-greylistd
# cp /usr/local/etc/mail/greylist.conf /etc/mail
# mkdir /var/milter-greylist
# chown smmsp:smmsp /var/milter-greylist
# touch /var/milter-greylist/greylist.db
# chown smmsp:smmsp /var/milter-greylist/greylist.db
# /etc/rc.d/init.d/milter-greylistd start
# cp milter-greylist.m4 /usr/share/sendmail-cf/feature

Add the FEATURE(`milter-greylist') line to /etc/mail/sendmail.mc.

...
FEATURE(`milter-greylist')
...

Regenerate sendmail.cf and restart sendmail.

# make -C /etc/mail
# service sendmail restart


Backups

I run an old machine as a backup device. A backup folder is NFS exported to the rest of the network, and each machine runs a cron tar job to back up various files and directories.


Setup NTP

Set up an NTP server, synchronising its time with some servers on the Internet and serving the time to the rest of the machines on the LAN. NTP is installed already, so just replace the server ... lines in /etc/ntp.conf with the following lines.

...
server ntp1.demon.co.uk
server ntp1.pucpr.br
server fartein.ifi.uio.no
server ntp2b.mcc.ac.uk
...

You should pick your own timeservers, look for some here. Set the NTP service to start when the server is booted, and start it now.

# chkconfig ntpd on
# service ntpd start

Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).

...
# ntp
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
...
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
...

Restart the firewall.

 # service iptables restart 


Update Perl

Download various Perl modules from CPAN as follows. The SSLeay stuff is needed to use SSL with Webmin. You need to be on-line for this.

# perl -MCPAN -e shell
cpan> install MD5
cpan> install Bundle::CPAN
cpan> reload CPAN
cpan> install Date::Calc
cpan> install Number::Format
cpan> exit


Install Webmin

Install Webmin, an excellent browser-based tool for administering and configuring the system.

The tarball should be un-tarred in /usr/local or similar, as this is just configured in the directory it was un-tarred in.

# cd /usr/local
# tar -xzf webmin-1.130.tar.gz
# cd webmin-1.130
# ./setup.sh

Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).

...
# Webmin
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
...
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
...

Restart the firewall.

# service iptables restart 
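The mail, NTP and Webmin sections each add an ACCEPT rule to /etc/sysconfig/iptables by hand, and each time the rule has to land above the chain's final REJECT line or it is never reached. The script below is an added example (not from the original page) that does that insertion on an iptables-save style file, refuses to touch a file with no REJECT line, skips a rule that is already present, and can count which ACCEPT rules for a port actually sit above the REJECT. The sample file is constructed to resemble the CentOS default.

```bash
#!/bin/bash
# Added example (not from the original page): insert "-j ACCEPT" rules into an
# iptables-save style file immediately before the chain's "-j REJECT" line.

# add_accept_rule FILE PROTO PORT COMMENT
add_accept_rule() {
    local file="$1" proto="$2" port="$3" comment="$4" tmp
    local rule="-A RH-Firewall-1-INPUT -m state --state NEW -m $proto -p $proto --dport $port -j ACCEPT"
    if grep -qxF -- "$rule" "$file"; then
        echo "already present: $proto/$port"
        return 0
    fi
    tmp=$(mktemp) || return 1
    if ! awk -v rule="$rule" -v comment="# $comment" '
            !inserted && /-j REJECT/ { print comment; print rule; inserted = 1 }
            { print }
            END { if (!inserted) exit 2 }     # no REJECT line: refuse rather than append blindly
        ' "$file" > "$tmp"; then
        rm -f "$tmp"
        echo "no -j REJECT line found in $file, nothing changed" >&2
        return 1
    fi
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo "inserted: $proto/$port ($comment)"
}

# count_live_accepts FILE PORT: ACCEPT rules for PORT that sit above the REJECT line
count_live_accepts() {
    awk -v port="$2" '
        /-j REJECT/ { exit }
        /-j ACCEPT/ && index($0, "--dport " port " ") { n++ }
        END { print n + 0 }' "$1"
}

# Constructed sample resembling the CentOS default file (not the author's real one).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
add_accept_rule "$SAMPLE" tcp 25 "SMTP"
add_accept_rule "$SAMPLE" udp 123 "ntp"
add_accept_rule "$SAMPLE" tcp 25 "SMTP"      # second call is a no-op
echo "live ACCEPT rules for port 25: $(count_live_accepts "$SAMPLE" 25)"
cat "$SAMPLE"
rm -f "$SAMPLE"
```

After editing the real file, `service iptables restart` loads it as the sections above describe; `count_live_accepts /etc/sysconfig/iptables 10000` returning 0 is a quick way to tell that a rule was pasted below the REJECT by mistake.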


Install Vim

Download and install Vim, the best editor around.

$ cd /tmp
$ tar -xjf vim-6.2.tar.bz2
$ cd vim62
$ ./configure
$ make
$ su -c "make install"

Add the following line to your /etc/bashrc, to make Vim the default editor for mutt, crontab, etc. The "-f" will prevent it forking when invoked, and will avoid the update encoding warning when editing an email.

export EDITOR="vim -f"


Install Mutt

Mutt is my email client of choice. Download it and build it. Note that version 1.4.2.1 won't compile with Fedora Core 4, but development version 1.5.9 does.

$ cd /tmp
$ tar -xzf mutt-1.4.2.1i.tar.gz
$ cd mutt-1.4.2.1
$ ./configure --enable-pop --enable-imap --with-ssl
$ su -c "make install"

Now install urlview, a utility that will fire up the browser to display any URLs in any emails.

$ cd /tmp
$ tar -xzf urlview-0.9.tar.gz
$ cd urlview-0.9
$ ./configure
$ make
$ su -c "make install"
$ su -c "cp url_handler.sh /usr/local/bin"

/usr/local/bin/url_handler.sh needs to be edited to select the preferred browser. Change any occurrences of /usr/X11R6/bin/netscape to /usr/bin/firefox.


Configure BIND


I use BIND as the DNS Server for my system. I got most of the information here from the excellent DNS HOWTO.

Check that the nameserver line in /etc/resolv.conf includes the localhost IP address. It should look something like this.

search stevesearle.com
nameserver 127.0.0.1
nameserver 158.152.1.58

Create /var/named/chroot/etc/named.conf as follows. The DHCP_UPDATER lines allow the dhcpd daemon to update the name server with names and addresses of the clients it hands out IP addresses to, so DHCP needs to be set up as well.

options {
        directory "/var/named";
};

logging {
        category lame-servers { null; };
};

key "rndckey" {
        algorithm hmac-md5;
        secret "somesecretgoeshere==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndckey"; };
};
 
key DHCP_UPDATER {
        algorithm hmac-md5;
        secret "anothersecretgoeshere==";
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." {
        type hint;
        file "root.hints";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "pz/127.0.0";
};

zone "stevesearle.com" {
        type master;
        file "pz/stevesearle.com";
        notify yes;
        allow-update { key DHCP_UPDATER; };
};

zone "126.168.192.in-addr.arpa" {
        type master;
        file "pz/192.168.126";
        notify yes;
        allow-update { key DHCP_UPDATER; };
};

zone "orange.searle" {
        type master;
        file "pz/orange.searle";
        notify yes;
        allow-update { key DHCP_UPDATER; };
};

zone "127.168.192.in-addr.arpa" {
        type master;
        file "pz/192.168.127";
        notify yes;
        allow-update { key DHCP_UPDATER; };
};

zone "red.searle" {
        type master;
        file "pz/red.searle";
        notify yes;
        allow-update { key DHCP_UPDATER; };
};

zone "128.168.192.in-addr.arpa" {
        type master;
        file "pz/192.168.128";
        notify yes;
        allow-update { key DHCP_UPDATER; };
};

See rndc for how to create the key and controls sections of this file.

The /var/named/chroot/var/named directory should have permissions, owner and group set like this.

drwxr-x---    4 root     named        4096 Dec 11 23:52 named

Create root.hints, which describes the root name servers in the world, and as long as you have internet access and access to another DNS server, can be created or refreshed with:

# dig @e.root-servers.net . ns > /var/named/chroot/var/named/root.hints

Create directory /var/named/chroot/var/named/pz with permissions, owner and group like this.

drwxr-xr-x    2 named    named        4096 Dec 23 21:22 pz

Create the following network zone files in this directory. These should all have permissions, owner and group set like this.

-rw-r--r--  1 named named 199 Apr  1 16:49 127.0.0
-rw-r--r--  1 named named 325 Apr  1 16:50 192.168.126
-rw-r--r--  1 named named 220 Apr  1 16:50 192.168.127
-rw-r--r--  1 named named 219 Apr  1 16:50 192.168.128
-rw-r--r--  1 named named 344 Apr  1 16:49 orange.searle
-rw-r--r--  1 named named 345 Apr  1 16:49 red.searle
-rw-r--r--  1 named named 561 Apr  1 16:49 stevesearle.com

/var/named/chroot/var/named/pz/127.0.0

$TTL 295200
@       IN      SOA     magpie.stevesearle.com. steve.stevesearle.com. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      magpie.stevesearle.com.
1               PTR     localhost.

/var/named/chroot/var/named/pz/192.168.126

$TTL 3D
@       IN      SOA     magpie.stevesearle.com. steve.stevesearle.com. (
                        200604011       ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D)             ; Minimum TTL
                NS      magpie.stevesearle.com.
2               PTR     magpie.stevesearle.com.
4               PTR     hayley.stevesearle.com.
5               PTR     kirsty.stevesearle.com.
6               PTR     lisa.stevesearle.com.
8               PTR     nina.stevesearle.com.
50              PTR     steve.stevesearle.com.
52              PTR     wormwood.stevesearle.com.
254             PTR     angie.stevesearle.com.

/var/named/chroot/var/named/pz/192.168.127

$TTL 3D
@       IN      SOA     magpie.stevesearle.com. steve.stevesearle.com. (
                        200604011       ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D)             ; Minimum TTL
                NS      magpie.stevesearle.com.
1               PTR     elaine.orange.searle.
254             PTR     angie.orange.searle.

/var/named/chroot/var/named/pz/192.168.128

$TTL 3D
@       IN      SOA     magpie.stevesearle.com. steve.stevesearle.com. (
                        200604011       ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D)             ; Minimum TTL
                NS      magpie.stevesearle.com.
1               PTR     angie.red.searle.
254             PTR     becky.red.searle.

/var/named/chroot/var/named/pz/orange.searle

$TTL 3D
@       IN      SOA     magpie.stevesearle.com. steve.stevesearle.com. (
                        200604011       ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL
                        )
                NS      magpie.stevesearle.com.
                MX      10 magpie.stevesearle.com.
                TXT     "orange.searle, Steve Searle's DMZ"
localhost       A       127.0.0.1
elaine          A       192.168.127.1
angie           A       192.168.127.254

/var/named/chroot/var/named/pz/red.searle

$TTL 3D
@       IN      SOA     magpie.stevesearle.com. steve.stevesearle.com. (
                        200604011       ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL
                        )
                NS      magpie.stevesearle.com.
                MX      10 magpie.stevesearle.com.
                TXT     "red.searle, Steve Searle's red zone"
localhost       A       127.0.0.1
angie           A       192.168.128.1
becky           A       192.168.128.254

/var/named/chroot/var/named/pz/stevesearle.com

$TTL 3D
@       IN      SOA     magpie.stevesearle.com. steve.stevesearle.com. (
                        200604011       ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL
                        )
                NS      magpie.stevesearle.com.
                MX      10 magpie.stevesearle.com.
                TXT     "stevesearle.com, Steve Searle's domain"
localhost       A       127.0.0.1
magpie          A       192.168.126.2
ns              CNAME   magpie
hayley          A       192.168.126.4
kirsty          A       192.168.126.5
lisa            A       192.168.126.6
nina            A       192.168.126.8
steve           A       192.168.126.50
wormwood        A       192.168.126.52
angie           A       192.168.126.254
www             A       80.84.64.24
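
Before reloading named it is worth confirming that the forward and reverse files agree with each other. The following Python check is an added example, not part of the original page: it parses files in the layout shown above and reports A records without a matching PTR and PTR records without a matching A, run here over a small constructed zone pair rather than the real files.

```python
"""Added example (not from the page): audit that every A record inside a reverse
zone's /24 has a matching PTR and vice versa, in the zone-file layout used above."""
def parse_zone(text, origin):
    """(owner, rtype, rdata) tuples, owners absolute, no trailing dots. Skips $TTL,
    comments and the bracketed SOA body; a blank owner column inherits the owner."""
    records, owner, in_soa = [], origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.startswith("$"):
            continue
        if in_soa:                                    # still inside SOA ( ... )
            in_soa -= line.count(")")
            continue
        if not line[0].isspace():                     # owner name in column 1
            owner, line = line.split(None, 1)
            owner = origin if owner == "@" else (
                owner[:-1] if owner.endswith(".") else f"{owner}.{origin}")
        fields = line.split()
        if fields[0] == "IN":                         # optional class token
            fields = fields[1:]
        rtype, rdata = fields[0], " ".join(fields[1:])
        if rtype == "SOA":
            in_soa = rdata.count("(") - rdata.count(")")
            continue
        records.append((owner, rtype, rdata.rstrip(".")))
    return records

def check_pairs(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return (ips_missing_ptr, ips_missing_a) for a forward zone and its /24 reverse zone."""
    net = ".".join(reversed(rev_origin.split(".")[:3]))      # e.g. "192.168.126"
    a_recs = {rd: own for own, rt, rd in parse_zone(fwd_text, fwd_origin)
              if rt == "A" and rd.startswith(net + ".")}
    ptr_recs = {f"{net}.{own.split('.')[0]}": rd
                for own, rt, rd in parse_zone(rev_text, rev_origin) if rt == "PTR"}
    missing_ptr = sorted(ip for ip, name in a_recs.items() if ptr_recs.get(ip) != name)
    missing_a = sorted(ip for ip, name in ptr_recs.items() if a_recs.get(ip) != name)
    return missing_ptr, missing_a

# Constructed sample (not the real files): hayley lacks a PTR; the PTR for .5 lacks an A.
FORWARD = """@       IN      SOA     magpie.stevesearle.com. steve.stevesearle.com. (
                        200604011       ; Serial
                        1D)             ; Minimum TTL
                NS      magpie.stevesearle.com.
magpie          A       192.168.126.2
hayley          A       192.168.126.4
"""
REVERSE = """2               PTR     magpie.stevesearle.com.
5               PTR     kirsty.stevesearle.com.
"""
```

Point it at the real files by reading each pz/ file and passing the zone name from named.conf as the origin; an empty pair of lists means the two zones mirror each other.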

Then set the named service to start when the server is booted, and start it now with:

# chkconfig named on
# service named start

Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line) to allow other machines to query the server.

...
# named
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
...
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
...

Restart the firewall.

# service iptables restart 


The rndc utility can be used to control named, provided it connects from the local host and identifies itself with an encoded secret key. For this to work, generate an rndc.conf file.

# rndc-confgen > /etc/rndc.conf

The second half of this file is commented out. This commented section should be copied into the named.conf file and uncommented to form the key and controls sections.

If the BIND configuration files are changed, they can be reloaded with:

$ rndc reload

BIND can be restarted with either of the following commands:

$ rndc stop; named -u named -t /var/named/chroot

or

# service named restart

Contents

Configure DHCP

The server provides a DHCP service to my network.

Create /etc/dhcpd.conf

authoritative;

ddns-updates on;
ddns-domainname "stevesearle.com.";
ddns-rev-domainname "in-addr.arpa.";
ddns-update-style interim;
allow client-updates;

default-lease-time 86400;
max-lease-time 172800;
min-lease-time 43200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.126.255;
option routers 192.168.126.254;
option domain-name-servers 192.168.126.1, 192.168.126.4;
option domain-name "stevesearle.com orange.searle red.searle";

subnet 192.168.126.0 netmask 255.255.255.0 {
        range 192.168.126.128 192.168.126.191;
}

key DHCP_UPDATER {
        algorithm hmac-md5;
        secret "anothersecretgoeshere==";
};

zone stevesearle.com. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

zone 126.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

This will provide an IP address in the range 192.168.126.128 to 192.168.126.191 to any machine requesting an IP address. It will also update the BIND files so that it can serve the names for these machines.
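
The DHCP_UPDATER key has to match on both sides before the dynamic updates will work. The following Python audit is an added example, not part of the original page: it compares constructed named.conf and dhcpd.conf fragments in the layout shown above, checking that each zone dhcpd updates has an allow-update clause for the same key in named.conf and that both files carry the same secret.

```python
"""Added example (not from the page): cross-check the dhcpd.conf DDNS stanzas
above against named.conf. Each zone dhcpd updates must be allow-update'd for the
same TSIG key in named.conf, and both files must carry the same secret."""
import re

def named_update_keys(conf):
    """Map zone name -> key named in its allow-update clause (None if absent)."""
    keys = {}
    for name, body in re.findall(r'zone\s+"([^"]+)"\s*\{(.*?)\};', conf, re.S):
        m = re.search(r'allow-update\s*\{\s*key\s+(\S+?)\s*;', body)
        keys[name.rstrip(".")] = m.group(1) if m else None
    return keys

def dhcpd_zones(conf):
    """Map zone name -> key from dhcpd.conf `zone X. { ... key K; }` stanzas."""
    return {z.rstrip("."): k for z, k in
            re.findall(r'zone\s+(\S+)\s*\{[^}]*?key\s+(\S+?)\s*;', conf)}

def key_secret(conf, name):
    """Secret from `key NAME { ... secret "..."; }` (name quoted or bare), or None."""
    m = re.search(r'key\s+"?%s"?\s*\{[^}]*secret\s+"([^"]+)"' % re.escape(name), conf)
    return m.group(1) if m else None

def audit(named_conf, dhcpd_conf):
    """Return a list of problems; an empty list means the two files agree."""
    problems, bind_keys = [], named_update_keys(named_conf)
    zones = dhcpd_zones(dhcpd_conf)
    for zone, key in zones.items():
        if bind_keys.get(zone) != key:
            problems.append(f"{zone}: dhcpd uses key {key}, named allows {bind_keys.get(zone)}")
    for key in sorted(set(zones.values())):
        if key_secret(named_conf, key) != key_secret(dhcpd_conf, key):
            problems.append(f"{key}: secret differs between named.conf and dhcpd.conf")
    return problems

# Constructed fragments (not the page's real files): the reverse zone in
# named.conf has no allow-update, so dhcpd's PTR updates would be refused.
NAMED = '''key "DHCP_UPDATER" { algorithm hmac-md5; secret "c2VjcmV0MQ=="; };
zone "stevesearle.com" {
        type master;
        file "pz/stevesearle.com";
        allow-update { key DHCP_UPDATER; };
};
zone "126.168.192.in-addr.arpa" { type master; file "pz/192.168.126"; };
'''
DHCPD = '''key DHCP_UPDATER { algorithm hmac-md5; secret "c2VjcmV0MQ=="; };
zone stevesearle.com. { primary 127.0.0.1; key DHCP_UPDATER; }
zone 126.168.192.in-addr.arpa. { primary 127.0.0.1; key DHCP_UPDATER; }
'''
```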

Set the DHCPD daemon to start when the server is booted, and start it now with:

# chkconfig dhcpd on
# service dhcpd start

Contents

Configure MySQL

I use MySQL as my preferred database. Set it to run at bootup, and start it with the following commands.

# chkconfig mysqld on
# service mysqld start

Fire up a MySQL session with:

# mysql -u root

Create a regular MySQL user. The user created here, searle, will have full access from any workstation on my domain.

mysql> GRANT ALL ON *.* TO searle@localhost IDENTIFIED BY 'somepassword' WITH GRANT OPTION;
mysql> GRANT ALL ON *.* TO searle@'%' IDENTIFIED BY 'somepassword' WITH GRANT OPTION;
mysql> GRANT ALL ON *.* TO searle@magpie.stevesearle.com IDENTIFIED BY 'somepassword' WITH GRANT OPTION;

All three statements are necessary. Then check that the database is accessible by this user before setting a password on the root login, as follows:

mysql> SET PASSWORD FOR root@localhost=PASSWORD('anotherpassword');
mysql> SET PASSWORD FOR root@magpie.stevesearle.com=PASSWORD('anotherpassword');

Again, both lines are necessary.

Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).

...
# MySQL
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
...
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
...

Restart the firewall.

# service iptables restart 

Contents

Configure Apache

I use Apache to host the development copy of my website. I configure Apache to allow virtual hosting so that I have the flexibility to create multiple websites. To create the steve.stevesearle.com site, which is hosted on this server, the following steps are required.

First give this server's eth0 interface a second IP address, 192.168.126.50, which was assigned to steve.stevesearle.com when BIND was set up earlier. Add the following lines to /etc/rc.d/rc.local; you will also need to enter the commands manually unless you reboot before attempting to view the site.

ifconfig eth0:1 192.168.126.50
route add -host 192.168.126.50 dev eth0:1

Now add the following to the end of /etc/httpd/conf/httpd.conf.

NameVirtualHost steve

<VirtualHost steve>
    ServerAdmin webmaster@stevesearle.com
    DocumentRoot /var/www/steve
    ServerName steve.stevesearle.com
    ErrorLog logs/steve.stevesearle.com-error_log
    CustomLog logs/steve.stevesearle.com-access_log common
    ScriptAlias /cgi-bin/ /var/www/steve/cgi-bin/
    Options ExecCGI Includes
    <Directory "/var/www/steve">
        AllowOverride None
        Options Includes ExecCGI
        Order allow,deny
        Allow from all
    </Directory>
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    AddHandler server-parsed .shtml .html
</VirtualHost>

To enable HTML includes on the web server root, make the following changes to /etc/httpd/conf/httpd.conf. These changes and additions are made within the <Directory "/var/www/html"> section.

<Directory "/var/www/html">
     ...
     # The following line was originally: Options Indexes FollowSymLinks
     Options Indexes FollowSymLinks Includes
     ...
     AddHandler server-parsed .html
</Directory>

Create /var/www/steve, where the site's files will be kept. Then set Apache to start at bootup, and start it with:

# mkdir /var/www/steve
# chkconfig httpd on
# service httpd start

Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).

...
# http
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

# https
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
...
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
...

Restart the firewall.

# service iptables restart 

Contents

Configure Samba

I use Samba to enable MS Windows computers to access files on the server. Make the following changes or additions to /etc/samba/smb.conf.

...
workgroup = 10FORBES
...
# The following line prevents Samba outputting getpeername failed
# messages when Windows clients attempt to connect using port 445 as
# well as 139.
smb ports=139
...
# This was added to enable people to share files
[tmp]
    comment = Temporary file space
    path = /tmp
    read only = no
    public = yes

# This was added to enable Windows user steve to access steve's home directory
[steve]
    comment = steve's home
    path = /home/steve
    valid users = steve
    public = no
    writable = yes
    printable = no

Set the Samba password for steve (the same as his Windows one).

# smbpasswd -a steve

Set Samba to start at bootup, and start it with:

# chkconfig smb on
# service smb start

Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).

...
# Samba
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
...
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
...

Restart the firewall.

# service iptables restart 
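
The same edit to /etc/sysconfig/iptables is made for BIND, MySQL, Apache and Samba above: new ACCEPT lines go in before the chain's REJECT line. The following Python helper is an added example, not part of the original page; it applies that edit to a constructed, abbreviated rules file (not the page's own) and skips any rule that is already present, so it can be re-run safely.

```python
"""Added example (not from the page): a helper for the repeated edits to
/etc/sysconfig/iptables in the BIND, MySQL, Apache and Samba sections above.
It inserts ACCEPT rules before the chain's REJECT, skipping ones already present."""
import re

CHAIN = "RH-Firewall-1-INPUT"

def accept_rule(proto, port):
    """One rule line in the form the page uses throughout."""
    return f"-A {CHAIN} -m state --state NEW -m {proto} -p {proto} --dport {port} -j ACCEPT"

def open_ports(rules_text):
    """Set of (proto, port) pairs the chain currently accepts new connections on."""
    pat = re.compile(rf"^-A {CHAIN} .*-p (tcp|udp) .*--dport (\d+) -j ACCEPT$")
    found = set()
    for line in rules_text.splitlines():
        m = pat.match(line.strip())
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def add_accepts(rules_text, wanted, comment):
    """Insert the missing (proto, port) rules under a '# comment' line, directly
    before the chain's '-j REJECT' line; refuse to guess if that line is absent."""
    lines = rules_text.splitlines()
    reject = [i for i, l in enumerate(lines) if l.startswith(f"-A {CHAIN} -j REJECT")]
    if not reject:
        raise ValueError(f"no REJECT rule found in chain {CHAIN}")
    present = open_ports(rules_text)
    new = [accept_rule(p, n) for p, n in wanted if (p, n) not in present]
    if new:                      # keep the page's layout: comment, rules, blank line
        lines[reject[0]:reject[0]] = [f"# {comment}"] + new + [""]
    return "\n".join(lines) + "\n"

# Constructed, abbreviated CentOS 5 rules file (not the page's own) with SSH and
# the named rules from above already in place.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# named
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
```

Running open_ports over the live file before and after each change gives a quick record of exactly which ports the server now accepts from the network.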

Contents

Configure phpMyAdmin

I use phpMyAdmin as one way of maintaining my MySQL database. To install it, untar it into the web server's document root, change the ownership of the files, restrict access to config.inc.php and create a soft link for the directory, as follows.

# cd /var/www/html
# tar -xjf /backups/downloads.linux/phpMyAdmin-2.6.1-pl3.tar.bz2
# chown -R steve:apache phpMyAdmin-2.6.1-pl3
# ln -s phpMyAdmin-2.6.1-pl3 phpMyAdmin
# cd phpMyAdmin
# mkdir config
# chmod 757 config

Use your browser to perform the setup by going to https://magpie/phpMyAdmin/scripts/setup.php.

Now copy the config file into the phpMyAdmin directory and delete the config directory.

# cd /var/www/html/phpMyAdmin
# cp config/config.inc.php .
# rm -rf config

Contents

Install arpwatch

I use arpwatch to keep an eye on what machines join my network - there are so few changes that it is an extra belt and braces approach to wireless network security. Install it, set it to start on bootup, and start it with:

# chkconfig arpwatch on
# service arpwatch start

Contents

Install Remind

Remind is a calendar and alarm program that sends me a daily email containing reminders, etc. Download it and install it.

$ ./configure
$ make
$ su -c "make install"

Contents