red-hat.xml
Delivered as text/xml
[ hide source ] | [ make this the default ]
File Contents
<?xml version='1.0' ?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd" [
<!ENTITY % myvars SYSTEM "../variables.ent">
%myvars;
]>
<appendix id="install-redhat">
<title>Install Red Hat 8/9</title>
<authorblurb>
<para>by <ulink url="mailto:joel@aufrecht.org">Joel Aufrecht</ulink></para>
</authorblurb>
<para>This section takes a blank PC and sets up some supporting
software. You should do this section as-is if you have a machine
you can reformat and you want to be sure that your installation
works and is secure; it should take about an hour. (In my
experience, it's almost always a net time savings of several hours
to install a new machine from scratch compared to installing each
of these packages installed independently.)</para>
<para>The installation guide assumes you have:</para>
<itemizedlist>
<listitem><para>A PC with hard drive you can reinstall</para>
</listitem>
<listitem><para>Red Hat 8.0 or 9.0 install discs</para>
</listitem>
<listitem><para>A CD with the current <ulink
url="http://www.redhat.com/apps/support/errata/">Security
Patches</ulink> for your version of Red Hat.</para>
</listitem>
</itemizedlist>
<para>The installation guide assumes that you can do the following on
your platform:
</para>
<itemizedlist>
<listitem><para>
Adding users, groups, setting passwords
</para></listitem>
<listitem><para>
(For Oracle) Starting an X server and running an X program remotely
</para></listitem>
<listitem><para>
Basic file management using <computeroutput>cp, rm,
mv,</computeroutput> and <computeroutput>cd</computeroutput>
</para></listitem>
<listitem><para>
Compiling a program using ./config and make.
</para></listitem>
</itemizedlist>
<para>
You can complete this install without the above knowledge,
but if anything goes wrong it may take extra time to
understand and correct the problem. <link linkend="install-resources">Some useful UNIX resources</link>.
</para>
<orderedlist>
<listitem id="install-first-step"><para>Unplug the network cable from your
computer. We don't want to connect to the network
until we're sure the computer is secure.
<indexterm>
<primary>security</primary>
<secondary>definition</secondary>
</indexterm>
(Wherever you see
the word secure, you should always read it as, "secure
enough for our purposes, given the amount of work we're
willing to exert and the estimated risk and
consequences.")</para>
</listitem>
<listitem>
<para>Insert Red Hat 8.0 or 9.0 Disk 1 into the
CD-ROM and reboot the computer</para></listitem>
<listitem><para>At the
<computeroutput><guilabel>boot:</guilabel></computeroutput>
prompt, press Enter for a
graphical install. The text install is fairly different, so
if you need to do that instead proceed with caution, because
the guide won't match the steps.</para></listitem>
<listitem><para>Checking the media is probably a waste of
time, so when it asks press Tab and
then Enter to skip it.</para></listitem>
<listitem><para>After the graphical introduction page loads, click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput></para></listitem>
<listitem><para>Choose the language you want to use and then click
<computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput>
</para>
</listitem>
<listitem><para>Select the keyboard layout you will use and Click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput></para></listitem>
<listitem><para>Choose your mouse type and Click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput></para></listitem>
<listitem><para>Red Hat has several templates for new
computers. We'll start with the "Server" template and then
fine-tune it during the rest of the install. Choose
<computeroutput><guilabel>Server</guilabel></computeroutput>
and click
<computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput>.</para>
</listitem>
<listitem>
<para>Reformat the hard drive. If you know what you're doing,
do this step on your own. Otherwise: we're going to let the
installer wipe out the everything on the main hard drive and then arrange things to
its liking.</para>
<orderedlist>
<listitem><para>Choose <computeroutput><guilabel>Automatically Partition</guilabel></computeroutput>
and click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput></para></listitem>
<listitem><para>Uncheck
<computeroutput><guilabel>Re<accel>v</accel>iew (and modify if needed) the partitions created</guilabel></computeroutput> and click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput></para></listitem>
<listitem><para>On the pop-up window asking "Are you sure
you want to do this?" click
<computeroutput><guibutton><accel>Y</accel>es</guibutton></computeroutput>
IF YOU ARE WIPING YOUR HARD DRIVE.</para></listitem>
<listitem><para>Click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput> on the boot loader screen</para></listitem>
</orderedlist>
</listitem>
<listitem>
<para>Configure Networking. <indexterm>
<primary>security</primary>
<secondary>firewall</secondary>
</indexterm>
Again, if you know what you're doing, do this step
yourself, being sure to note the firewall holes. Otherwise,
follow the instructions in this step to set up a computer directly connected to the internet with a dedicated IP address.</para>
<orderedlist>
<listitem><para>DHCP is a system by which a computer that
joins a network (such as on boot) can request a temporary IP address
and other network information. Assuming the machine has a dedicated
IP address (if it doesn't, it will be tricky to access the OpenACS
service from the outside world), we're going to set up that address.
If you don't know your netmask, 255.255.255.0 is usually a pretty safe
guess. Click <computeroutput><guibutton>Edit</guibutton></computeroutput>, uncheck <computeroutput><guilabel>Configure using <accel>D</accel>HCP</guilabel></computeroutput>
and type in your IP and netmask. Click <computeroutput><guibutton><accel>O</accel>k</guibutton></computeroutput>.</para>
</listitem>
<listitem><para> Type in your hostname, gateway, and DNS server(s). Then click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput>.</para></listitem>
<listitem><para>We're going to use the firewall template for high
security, meaning that we'll block almost all incoming traffic. Then
we'll add a few holes to the firewall for services which we need and
know are secure. Choose <computeroutput><guilabel>Hi<accel>g</accel>h</guilabel></computeroutput>
security level. Check
<computeroutput><guilabel>WWW</guilabel></computeroutput>,
<computeroutput><guilabel>SSH</guilabel></computeroutput>, and
<computeroutput><guilabel>Mail (SMTP)</guilabel></computeroutput>. In the <computeroutput><guilabel>Other <accel>p</accel>orts</guilabel></computeroutput>
box, enter <userinput>443, 8000, 8443</userinput>. Click
<computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput>.
Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.</para>
</listitem>
</orderedlist>
</listitem>
<listitem><para><indexterm>
<primary>language</primary>
<secondary>installation</secondary>
</indexterm>Select any additional languages you want the
computer to support and then click
<computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput></para></listitem>
<listitem><para>Choose your timezone and click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput>.</para></listitem>
<listitem><para>Type in a root
password, twice.</para>
</listitem>
<listitem><para>On the Package selection page, we're going to
uncheck a lot of packages that install software we don't need, and add
packages that have stuff we do need. You should install everything
we're installing here or the guide may not work for you; you can
install extra stuff, or ignore the instructions here to not install
stuff, with relative impunity - at worst, you'll introduce a security
risk that's still screened by the firewall, or a resource hog. Just
don't install a database or web server, because that would conflict
with the database and web server we'll install later.
</para><simplelist>
<member>check <computeroutput><guilabel>Editors</guilabel></computeroutput> (this installs emacs<indexterm><primary>emacs</primary><secondary>installation</secondary></indexterm>),</member>
<member>click <computeroutput><guilabel>Details</guilabel></computeroutput> next to <computeroutput><guilabel>Text-based Internet</guilabel></computeroutput>, check <computeroutput><guilabel>lynx</guilabel></computeroutput>, and click <computeroutput><guibutton><accel>O</accel>K</guibutton></computeroutput>;</member>
<member>check <computeroutput><guilabel>Authoring and Publishing</guilabel></computeroutput> (<indexterm><primary>docbook</primary><secondary>installation</secondary></indexterm>this installs docbook),</member>
<member>uncheck <computeroutput><guilabel>Server Configuration Tools</guilabel></computeroutput>,</member>
<member>uncheck <computeroutput><guilabel>Web Server</guilabel></computeroutput>,</member>
<member>uncheck <computeroutput><guilabel>Windows File Server</guilabel></computeroutput>,</member>
<member>check <computeroutput><guilabel>SQL Database Server</guilabel></computeroutput> (this installs PostgreSQL),</member>
<member>check <computeroutput><guilabel>Development Tools</guilabel></computeroutput> (this installs gmake and other build tools),</member>
<member>uncheck <computeroutput><guilabel>Administration Tools</guilabel></computeroutput>, and</member>
<member>uncheck <computeroutput><guilabel>Printing Support</guilabel></computeroutput>.</member>
</simplelist>
<para>At the bottom, check <computeroutput><guilabel><accel>S</accel>elect Individual Packages</guilabel></computeroutput> and click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput></para>
</listitem>
<listitem><para>We need to fine-tune the exact list of packages.
The same rules apply as in the last step - you can add more stuff, but
you shouldn't remove anything the guide adds. We're going to go
through all the packages in one big list, so select
<computeroutput><guilabel><accel>F</accel>lat
View</guilabel></computeroutput> and wait. In a minute, a
list of packages will appear.</para>
<simplelist>
<member>uncheck <computeroutput><guilabel>apmd</guilabel></computeroutput> (monitors power, not very useful for servers), </member>
<member>check <computeroutput><guilabel>ImageMagick</guilabel></computeroutput> (required for the <indexterm><primary>photo-album</primary><secondary>installation</secondary><see>ImageMagick</see></indexterm>photo-album packages, </member>
<member>uncheck<computeroutput><guilabel>isdn4k-utils</guilabel></computeroutput> (unless you are using isdn, this installs a useless daemon), </member>
<member>check <computeroutput><guilabel>mutt</guilabel></computeroutput> (a mail program that reads Maildir),</member>
<member>uncheck <computeroutput><guilabel>nfs-utils</guilabel></computeroutput> (nfs is a major security risk), </member>
<member>uncheck <computeroutput><guilabel>pam-devel</guilabel></computeroutput> (I don't remember why, but we don't want this), </member>
<member>uncheck <computeroutput><guilabel>portmap</guilabel></computeroutput>, </member>
<member>uncheck <computeroutput><guilabel>postfix</guilabel></computeroutput> (this is an MTA, but we're going to install qmail later), </member>
<member>check <computeroutput><guilabel>postgresql-devel</guilabel></computeroutput>,</member>
<member>uncheck <computeroutput><guilabel>rsh</guilabel></computeroutput> (rsh is a security hole), </member>
<member>uncheck <computeroutput><guilabel>sendmail</guilabel></computeroutput> (sendmail is an insecure MTA; we're going to install qmail instead later),</member>
<member>check <computeroutput><guilabel>tcl</guilabel></computeroutput> (we need tcl), and </member>
<member>uncheck <computeroutput><guilabel>xinetd</guilabel></computeroutput> (xinetd handles incoming tcp connections. We'll install a different, more secure program, ucspi-tcp).</member>
<member>Click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput></member>
</simplelist>
</listitem>
<listitem><para>Red Hat isn't completely happy with the combination
of packages we've selected, and wants to satisfy some dependencies.
Don't let it. On the next screen, choose
<computeroutput><guilabel>I<accel>g</accel>nore Package
Dependencies</guilabel></computeroutput> and click
<computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput>.
</para>
</listitem>
<listitem><para>Click
<computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput>
to start the copying of files.</para></listitem>
<listitem><para>Wait. Insert Disk 2 when
asked.</para></listitem>
<listitem><para>Wait. Insert Disk 3 when asked.</para></listitem>
<listitem><para>If you know how to use it, create a boot
disk. Since you can also boot into recovery mode with the
Install CDs, this is less useful than it used to be, and we
won't bother. Select <computeroutput><guilabel>No,I <accel>d</accel>o not want to create a boot disk</guilabel></computeroutput> and click <computeroutput><guibutton><accel>N</accel>ext</guibutton></computeroutput>.</para></listitem>
<listitem><para>Click <computeroutput><guilabel><accel>E</accel>xit</guilabel></computeroutput>, remove the CD, and watch the
computer reboot.
</para>
</listitem>
<listitem><para>After it finishes rebooting and shows the login
prompt, log in:</para>
<screen>yourserver login: <userinput>root</userinput>
Password:
[root root]#</screen>
</listitem>
<listitem>
<para>Install any security patches. For example, insert your CD with
patches, mount it with <computeroutput>mount
/dev/cdrom</computeroutput>, then <computeroutput>cd
/mnt/cdrom</computeroutput>, then <computeroutput>rpm -UVH
*rpm</computeroutput>. Both Red Hat 8.0 and 9.0 have had both
kernel and openssl/openssh root exploits, so you should be
upgrading all of that. Since you are upgrading the kernel,
reboot after this step.
</para>
</listitem>
<listitem>
<para>Lock down SSH</para>
<orderedlist>
<listitem>
<para>
<indexterm><primary>ssh</primary></indexterm>
SSH is the protocol we use to connect
securely to the computer (replacing telnet, which is
insecure). sshd is the daemon that listens for incoming
ssh connections. As a security precaution, we are now going
to tell ssh not to allow anyone to connect directly to this
computer as root. Type this into the shell:
</para>
<screen><userinput>emacs /etc/ssh/sshd_config</userinput></screen>
</listitem>
<listitem>
<para>Search for the word "root" by typing <userinput>C-s</userinput> (that's emacs-speak for control-s) and then <userinput>root</userinput>.</para>
</listitem>
<listitem>
<para>Make the following changes:</para>
<simplelist>
<member><computeroutput>#Protocol 2,1</computeroutput> to
<computeroutput>Protocol 2</computeroutput>
(this prevents any connections via SSH 1, which is insecure)</member>
<member><computeroutput>#PermitRootLogin yes</computeroutput> to
<computeroutput>PermitRootLogin no</computeroutput>
(this prevents the root user from logging in remotely via
ssh. If you do this, be sure to create a remote access
account, such as "remadmin", which you can use to get ssh
before using "su" to become root)</member>
<member><computeroutput>#PermitEmptyPasswords no</computeroutput> to <computeroutput>PermitEmptyPasswords no</computeroutput>
(this blocks passwordless accounts) and save and exit by typing <userinput>C-x C-s C-x C-c</userinput></member>
</simplelist>
</listitem>
<listitem><para>Restart sshd so that the change takes effect.<screen role='screen'><userinput>service sshd restart</userinput></screen></para>
</listitem>
</orderedlist>
</listitem>
<listitem>
<para>
Red Hat still installed a few services we don't need, and
which can be security holes. Use the service command to turn
them off, and then use chkconfig to automatically edit the
System V init directories to permanently (The System V init
directories are the ones in /etc/rc.d. They consist of a
bunch of scripts for starting and stopping programs, and
directories of symlinks for each system level indicating
which services should be up and down at any given service
level. We'll use this system for PostgreSQL, but we'll use
daemontools to perform a similar function for AOLserver.
(The reason for these discrepancies is that, while daemontools
is better, it's a pain in the ass to deal with and nobody's
had any trouble leaving PostgreSQL the way it is.)
</para>
<screen>[root root]# <userinput>service pcmcia stop</userinput>
[root root]# <userinput>service netfs stop</userinput>
[root root]# <userinput>chkconfig --del pcmcia</userinput>
[root root]# <userinput>chkconfig --del netfs</userinput>
[root root]#
<action>service pcmcia stop
service netfs stop
chkconfig --del pcmcia
chkconfig --del netfs</action></screen>
<para>If you installed PostgreSQL, do also
<computeroutput>service postgresql start</computeroutput> and <computeroutput>chkconfig --add postgresql</computeroutput>.</para>
</listitem>
<listitem>
<para>Plug in the network cable.</para>
</listitem>
<listitem>
<para>Verify that you have connectivity by going to another
computer and ssh'ing to
<replaceable>yourserver</replaceable>, logging in as
remadmin, and promoting yourself to root:</para>
<screen>[joeuser@someotherserver]$ <userinput> ssh <replaceable>remadmin@yourserver.test</replaceable></userinput>
The authenticity of host 'yourserver.test (1.2.3.4)' can't be established.
DSA key fingerprint is 10:b9:b6:10:79:46:14:c8:2d:65:ae:c1:61:4b:a5:a5.
Are you sure you want to continue connecting (yes/no)? <userinput>yes</userinput>
Warning: Permanently added 'yourserver.test (1.2.3.4)' (DSA) to the list of known hosts.
Password:
Last login: Mon Mar 3 21:15:27 2003 from host-12-01.dsl-sea.seanet.com
[remadmin remadmin]$ <userinput>su -</userinput>
Password:
[root root]#</screen>
</listitem>
<listitem>
<para>If you didn't burn a CD of patches and use it, can still
download and install the necessary patches. Here's how to
do it for the kernel; you should also check for other
critical packages.</para>
<para>Upgrade the kernel to fix a security hole. The default
Red Hat 8.0 system kernel (2.4.18-14, which you can check
with <userinput>uname -a</userinput>) has several <ulink
url="https://rhn.redhat.com/errata/RHSA-2003-098.html">security problems</ulink>. Download the new kernel, install it, and reboot.</para>
<screen>[root root]# <userinput>cd /var/tmp</userinput>
[root tmp]# <userinput>wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm</userinput>
--20:39:00-- http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
=> `kernel-2.4.18-27.7.x.i686.rpm'
Resolving updates.redhat.com... done.
Connecting to updates.redhat.com[66.187.232.52]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12,736,430 [application/x-rpm]
100%[======================================>] 12,736,430 78.38K/s ETA 00:00
20:41:39 (78.38 KB/s) - `kernel-2.4.18-27.7.x.i686.rpm' saved [12736430/12736430]
root@yourserver tmp]# <userinput>rpm -Uvh kernel-2.4.18-27.7.x.i686.rpm</userinput>
warning: kernel-2.4.18-27.7.x.i686.rpm: V3 DSA signature: NOKEY, key ID db42a60e
Preparing... ########################################### [100%]
1:kernel ########################################### [100%]
[root tmp]# <userinput>reboot</userinput>
Broadcast message from root (pts/0) (Sat May 3 20:46:39 2003):
The system is going down for reboot NOW!
[root tmp]#
<action>cd /var/tmp
wget http://updates.redhat.com/7.1/en/os/i686/kernel-2.4.18-27.7.x.i686.rpm
rpm -Uvh kernel-2.4.18-27.7.x.i686.rpm
reboot</action></screen>
</listitem>
</orderedlist>
</appendix>
