Index: openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml,v diff -u -r1.9 -r1.10 --- openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml 17 Jul 2006 05:38:38 -0000 1.9 +++ openacs-4/packages/acs-core-docs/www/xml/install-guide/red-hat.xml 7 Aug 2017 23:47:55 -0000 1.10 @@ -15,7 +15,7 @@ software. You should do this section as-is if you have a machine you can reformat and you want to be sure that your installation works and is secure; it should take about an hour. (In my - experience, it's almost always a net time savings of several hours + experience, it's almost always a net time savings of several hours to install a new machine from scratch compared to installing each of these packages installed independently.) @@ -61,15 +61,15 @@ Unplug the network cable from your - computer. We don't want to connect to the network - until we're sure the computer is secure. + computer. We don't want to connect to the network + until we're sure the computer is secure. security definition (Wherever you see the word secure, you should always read it as, "secure - enough for our purposes, given the amount of work we're + enough for our purposes, given the amount of work we're willing to exert and the estimated risk and consequences.") @@ -81,7 +81,7 @@ prompt, press Enter for a graphical install. The text install is fairly different, so if you need to do that instead proceed with caution, because - the guide won't match the steps. + the guide won't match the steps. Checking the media is probably a waste of time, so when it asks press Tab and then Enter to skip it. 
@@ -94,16 +94,16 @@ Choose your mouse type and Click Next Red Hat has several templates for new - computers. We'll start with the "Server" template and then + computers. We'll start with the "Server" template and then fine-tune it during the rest of the install. Choose Server and click Next. - Reformat the hard drive. If you know what you're doing, - do this step on your own. Otherwise: we're going to let the + Reformat the hard drive. If you know what you're doing, + do this step on your own. Otherwise: we're going to let the installer wipe out the everything on the main hard drive and then arrange things to its liking. 
@@ -123,32 +123,32 @@ security firewall -Again, if you know what you're doing, do this step +Again, if you know what you're doing, do this step yourself, being sure to note the firewall holes. Otherwise, follow the instructions in this step to set up a computer directly connected to the internet with a dedicated IP address. DHCP is a system by which a computer that joins a network (such as on boot) can request a temporary IP address and other network information. Assuming the machine has a dedicated -IP address (if it doesn't, it will be tricky to access the OpenACS -service from the outside world), we're going to set up that address. -If you don't know your netmask, 255.255.255.0 is usually a pretty safe +IP address (if it doesn't, it will be tricky to access the OpenACS +service from the outside world), we're going to set up that address. +If you don't know your netmask, 255.255.255.0 is usually a pretty safe guess. Click Edit, uncheck Configure using DHCP and type in your IP and netmask. Click Ok. Type in your host name, gateway, and DNS server(s). Then click Next. - We're going to use the firewall template for high -security, meaning that we'll block almost all incoming traffic. Then -we'll add a few holes to the firewall for services which we need and + We're going to use the firewall template for high +security, meaning that we'll block almost all incoming traffic. Then +we'll add a few holes to the firewall for services which we need and know are secure. Choose High security level. Check WWW, SSH, and Mail (SMTP). In the Other ports box, enter 443, 8000, 8443. Click Next. -Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up. +Port 443 is for https (http over ssl), and 8000 and 8443 are http and https access to the development server we'll be setting up. 
@@ -162,15 +162,15 @@ Type in a root password, twice. - On the Package selection page, we're going to -uncheck a lot of packages that install software we don't need, and add + On the Package selection page, we're going to +uncheck a lot of packages that install software we don't need, and add packages that have stuff we do need. You should install everything -we're installing here or the guide may not work for you; you can +we're installing here or the guide may not work for you; you can install extra stuff, or ignore the instructions here to not install -stuff, with relative impunity - at worst, you'll introduce a security -risk that's still screened by the firewall, or a resource hog. Just -don't install a database or web server, because that would conflict -with the database and web server we'll install later. +stuff, with relative impunity - at worst, you'll introduce a security +risk that's still screened by the firewall, or a resource hog. Just +don't install a database or web server, because that would conflict +with the database and web server we'll install later. check Editors (this installs emacsemacsinstallation), click Details next to Text-based Internet, check lynx, and click OK; @@ -188,7 +188,7 @@ We need to fine-tune the exact list of packages. The same rules apply as in the last step - you can add more stuff, but -you shouldn't remove anything the guide adds. We're going to go +you shouldn't remove anything the guide adds. We're going to go through all the packages in one big list, so select Flat View and wait. In a minute, a 
@@ -199,21 +199,21 @@ uncheckisdn4k-utils (unless you are using isdn, this installs a useless daemon), check mutt (a mail program that reads Maildir), uncheck nfs-utils (nfs is a major security risk), -uncheck pam-devel (I don't remember why, but we don't want this), +uncheck pam-devel (I don't remember why, but we don't want this), uncheck portmap, -uncheck postfix (this is an MTA, but we're going to install qmail later), +uncheck postfix (this is an MTA, but we're going to install qmail later), check postgresql-devel, uncheck rsh (rsh is a security hole), -uncheck sendmail (sendmail is an insecure MTA; we're going to install qmail instead later), +uncheck sendmail (sendmail is an insecure MTA; we're going to install qmail instead later), check tcl (we need tcl), and -uncheck xinetd (xinetd handles incoming tcp connections. We'll install a different, more secure program, ucspi-tcp). +uncheck xinetd (xinetd handles incoming tcp connections. We'll install a different, more secure program, ucspi-tcp). Click Next - Red Hat isn't completely happy with the combination -of packages we've selected, and wants to satisfy some dependencies. -Don't let it. On the next screen, choose + Red Hat isn't completely happy with the combination +of packages we've selected, and wants to satisfy some dependencies. +Don't let it. On the next screen, choose Ignore Package Dependencies and click Next. @@ -228,7 +228,7 @@ If you know how to use it, create a boot disk. Since you can also boot into recovery mode with the Install CDs, this is less useful than it used to be, and we - won't bother. Select No,I do not want to create a boot disk and click Next. + won't bother. Select No,I do not want to create a boot disk and click Next. Click Exit, remove the CD, and watch the computer reboot. 
@@ -267,7 +267,7 @@ emacs /etc/ssh/sshd_config - Search for the word "root" by typing C-s (that's emacs-speak for control-s) and then root. + Search for the word "root" by typing C-s (that's emacs-speak for control-s) and then root. Make the following changes: @@ -291,18 +291,18 @@ - Red Hat still installed a few services we don't need, and + Red Hat still installed a few services we don't need, and which can be security holes. Use the service command to turn them off, and then use chkconfig to automatically edit the System V init directories to permanently (The System V init directories are the ones in /etc/rc.d. They consist of a bunch of scripts for starting and stopping programs, and directories of symlinks for each system level indicating which services should be up and down at any given service - level. We'll use this system for PostgreSQL, but we'll use + level. We'll use this system for PostgreSQL, but we'll use daemontools to perform a similar function for AOLserver. (The reason for this discrepencies is that, while daemontools - is better, it's a pain in the ass to deal with and nobody's + is better, it's a pain in the ass to deal with and nobody's had any trouble leaving PostgreSQL the way it is.) [root root]# service pcmcia stop @@ -322,11 +322,11 @@ Verify that you have connectivity by going to another - computer and ssh'ing to + computer and ssh'ing to yourserver, logging in as remadmin, and promoting yourself to root: [joeuser@someotherserver]$ ssh remadmin@yourserver.test -The authenticity of host 'yourserver.test (1.2.3.4)' can't be established. +The authenticity of host 'yourserver.test (1.2.3.4)' can't be established. DSA key fingerprint is 10:b9:b6:10:79:46:14:c8:2d:65:ae:c1:61:4b:a5:a5. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'yourserver.test (1.2.3.4)' (DSA) to the list of known hosts. 
@@ -337,8 +337,8 @@ [root root]# - If you didn't burn a CD of patches and use it, can still - download and install the necessary patches. Here's how to + If you didn't burn a CD of patches and use it, can still + download and install the necessary patches. Here's how to do it for the kernel; you should also check for other critical packages. Upgrade the kernel to fix a security hole. The default
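Review bot: In the -15,7 hunk, the context line "compared to installing each of these packages installed independently" carries a stray second "installed"; since the sentence is being touched anyway, drop it so it reads "compared to installing each of these packages independently". The removed and added lines in this hunk render identically, so the commit message should say what character-level change is being made.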
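Review bot: In the -94,16 hunk, the rewritten sentence still ends in "wipe out the everything on the main hard drive"; remove the extra "the". Because this step destroys all data on the disk, the wording here should be unambiguous.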
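Review bot: In the -123,32 hunk, the firewall step opens 8000 and 8443 next to 443 on a machine described as "directly connected to the internet", and the only explanation is that they serve "the development server we'll be setting up". The text says holes are added only for services "which we need and know are secure", so it should state whether the development ports are meant to stay reachable from outside or should be closed or restricted once the development server is no longer in use.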
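Review bot: In the -199,21 hunk, "uncheck pam-devel (I don't remember why, but we don't want this)" documents a package removal with no rationale; either give the reason or drop the item, since every other entry in the list explains itself. The same hunk ends by telling the reader to choose "Ignore Package Dependencies" without saying which dependencies are left unsatisfied by the selections above, which is worth a sentence so readers can tell an expected warning from a real problem.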
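Review bot: In the -291,18 hunk, the sentence "use chkconfig to automatically edit the System V init directories to permanently" breaks off before its verb and runs straight into the parenthetical, and the parentheses opened at "(The System V init directories" and "(The reason for this" are not balanced by the single closing one. Finish the sentence (for example "to permanently disable them"), close both parentheticals, and fix "this discrepencies" to "this discrepancy" while here.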
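Review bot: In the -322,11 hunk, the sample session answers "yes" to "Are you sure you want to continue connecting" without any instruction to check the displayed DSA key fingerprint. Add a sentence telling the reader to compare it with the fingerprint read on the server's own console (ssh-keygen -l on the host public key) before accepting, since this is the first connection made after the network cable is plugged back in.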
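Review bot: In the -337,8 hunk, "If you didn't burn a CD of patches and use it, can still download and install the necessary patches" is missing its subject; it should read "you can still download". The following line says "you should also check for other critical packages" but names none, so a pointer to where the reader finds the list of security updates would help.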