Install Red Hat 8.0
by Joel Aufrecht
This section takes a blank PC and sets up some supporting
software. You should do this section as-is if you have a machine
you can reformat and you want to be sure that your installation
works and is secure; it should take about an hour. You can skip
this section if you already have a machine ready with this
software (see for details):
libxml2
tcl
gmake and the compile and build environment.
and these optional items
emacs
cvs
ImageMagick
DocBook and supporting software
(In my experience, it's almost always a net time savings of several hours to install a new machine from scratch compared to installing each of these packages installed independently.)
Unplug the network cable from your
computer. We don't want to connect to the network
until we're sure the computer is secure.
security
definition
(Wherever you see
the word secure, you should always read it as, "secure
enough for our purposes, given the amount of work we're
willing to exert and the estimated risk and
consequences.")
Insert Red Hat 8.0 Disk 1 into the
CD-ROM and reboot the computer
At the
boot:
prompt, press Enter for a
graphical install. The text install is fairly different, so
if you need to do that instead proceed with caution, because
the guide won't match the steps.
Checking the media is probably a waste of
time, so when it asks press Tab and
then Enter to skip it.
After the graphical introduction page loads, click Next
Choose the language you want to use and then click
Next
Select the keyboard layout you will use and Click Next
Choose your mouse type and Click Next
Red Hat has several templates for new
computers. We'll start with the "Server" template and then
fine-tune it during the rest of the install. Choose
Server
and click
Next.
Reformat the hard drive. If you know what you're doing,
do this step on your own. Otherwise: we're going to let the
installer wipe out the everything on the main hard drive and then arrange things to
its liking.
Choose Automatically Partition
and click Next
Uncheck
Review (and modify if needed) the partitions created and click Next
On the pop-up window asking "Are you sure
you want to do this?" click
Yes
IF YOU ARE WIPING YOUR HARD DRIVE.
Click Next on the boot loader screen
Configure Networking.
security
firewall
Again, if you know what you're doing, do this step
yourself, being sure to note the firewall holes. Otherwise,
follow the instructions in this step to set up a computer directly connected to the internet with a dedicated IP address.
DHCP is a system by which a computer that
joins a network (such as on boot) can request a temporary IP address
and other network information. Assuming the machine has a dedicated
IP address (if it doesn't, it will be tricky to access the OpenACS
service from the outside world), we're going to set up that address.
If you don't know your netmask, 255.255.255.0 is usually a pretty safe
guess. Click Edit, uncheck Configure using DHCP
and type in your IP and netmask. Click Ok.
Type in your host
name, gateway, and DNS server(s). Then click Next.
We're going to use the firewall template for high
security, meaning that we'll block almost all incoming traffic. Then
we'll add a few holes to the firewall for services which we need and
know are secure. Choose High
security level. Check
WWW,
SSH, and
Mail (SMTP). In the Other ports
box, enter 443, 8000, 8443. Click
Next.
Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up.
language
installation
Select any additional languages you want the
computer to support and then click
Next
Choose your time zone and click Next..
Type in a root
password, twice. To
improve security, we're going to prevent anyone from
connecting to the computer directly as root. Instead,
we'll create a different user, called
remadmin, used solely to
connect to the computer for administration. Click
Add
and enter username remadmin and a password,
twice, then click OK. Then click
Next.
On the Package selection page, we're going to
uncheck a lot of packages that install software we don't need, and add
packages that have stuff we do need. You should install everything
we're installing here or the guide may not work for you; you can
install extra stuff, or ignore the instructions here to not install
stuff, with relative impunity - at worst, you'll introduce a security
risk that's still screened by the firewall, or a resource hog. Just
don't install a database or web server, because that would conflict
with the database and web server we'll install later.
check Editors (this installs emacsemacsinstallation),
click Details next to Text-based Internet, check lynx, and click OK;
check Authoring and Publishing (docbookinstallationthis installs docbook),
uncheck Server Configuration Tools,
uncheck Web Server,
uncheck Windows File Server,
check Development Tools (this installs gmake and other build tools),
uncheck Administration Tools, and
uncheck Printing Support.
At the bottom, check Select Individual Packages and click Next
We need to fine-tune the exact list of packages.
The same rules apply as in the last step - you can add more stuff, but
you shouldn't remove anything the guide adds. We're going to go
through all the packages in one big list, so select
Flat
View and wait. In a minute, a
list of packages will appear.
uncheck apmd (monitors power, not very useful for servers),
check ImageMagick (required for the photo-albuminstallationImageMagickphoto-album packages,
uncheckisdn4k-utils (unless you are using isdn, this installs a useless daemon),
check mutt (a mail program that reads Maildir),
uncheck nfs-utils (nfs is a major security risk),
uncheck pam-devel (I don't remember why, but we don't want this),
uncheck portmap,
uncheck postfix (this is an MTA, but we're going to install qmail later),
uncheck rsh (rsh is a security hole),
uncheck sendmail (sendmail is an insecure MTA; we're going to install qmail instead later),
check tcl (we need tcl), and
uncheck xinetd (xinetd handles incoming tcp connections. We'll install a different, more secure program, ucspi-tcp).
Click Next
Red Hat isn't completely happy with the combination
of packages we've selected, and wants to satisfy some dependencies.
Don't let it. On the next screen, choose
Ignore Package
Dependencies and click
Next.
Click
Next
to start the copying of files.
Wait. Insert Disk 2 when
asked.
Wait. Insert Disk 3 when asked.
If you know how to use it, create a boot
disk. Since you can also boot into recovery mode with the
Install CDs, this is less useful than it used to be, and we
won't bother. Select No,I do not want to create a boot disk and click Next.
Click Exit, remove the CD, and watch the
computer reboot.
After it finishes rebooting and shows the login
prompt, log in:
yourserver login: root
Password:
[root@yourserver root]#
Lock down SSH
ssh
SSH is the protocol we use to connect
securely to the computer (replacing telnet, which is
insecure). sshd is the daemon that listens for incoming
ssh connections. As a security precaution, we are now going
to tell ssh not to allow anyone to connect directly to this
computer as root. Type this into the shell:
emacs /etc/ssh/sshd_config
Search for the word "root" by typing C-s (that's emacs-speak for control-s) and then root.
Change the line #PermitRootLogin yes to PermitRootLogin no and save and exit by typing C-x C-s C-x C-c
Restart sshd so that the change takes effect.service sshd restart
Red Hat still installed a few services we
don't need, and which can be security holes. Use the service command to turn them off, and then use chkconfig to automatically edit the System V init directories to permanently (The System V init directories are the ones in /etc/rc.d. They consist of a bunch of scripts for starting and stopping programs, and directories of symlinks for each system level indicating which services should be up and down at any given service level. We'll use this system for PostGreSQL, but we'll use daemontools to perform a similar function for AOLServer. (The reason for this discrepencies is that, while daemontools is better, it's a pain in the ass to deal with and nobody's had any trouble leaving PostGreSQL the way it is.)
[root@yourserver root]# service pcmcia stop
[root@yourserver root]# service netfs stop
[root@yourserver root]# chkconfig --del pcmcia
[root@yourserver root]# chkconfig --del netfs
[root@yourserver root]#
service pcmcia stop
service netfs stop
chkconfig --del pcmcia
chkconfig --del netfs
Plug in the network cable.
Verify that you have connectivity by going to another
computer and ssh'ing to
yourserver, logging in as
remadmin, and promoting yourself to root:
[joeuser@someotherserver]$ ssh remadmin@yourserver.test
The authenticity of host 'yourserver.test (1.2.3.4)' can't be established.
DSA key fingerprint is 10:b9:b6:10:79:46:14:c8:2d:65:ae:c1:61:4b:a5:a5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'yourserver.test (1.2.3.4)' (DSA) to the list of known hosts.
Password:
Last login: Mon Mar 3 21:15:27 2003 from host-12-01.dsl-sea.seanet.com
[remadmin@yourserver remadmin]$ su -
Password:
[root@yourserver root]#