Tomfmason Fedora Server Setup

Current Setup & Config of Tomfmason's Fedora Server

A few of us over at phpfreaks are planning to organise and set up a QualityCoders group. Tom (tomfmason) has kindly loaned the use of his rented server to help the cause.

I went through his Fedora server, cleaning up some bits and setting up others, trying to achieve a secure and stable platform for the QualityCoders launchpad.

Initial Apps removed

Although ISPConfig can be very useful for setting up multiple domains and packages, the version installed was a development version. Also, as only a couple of domains would be hosted on the server, it was decided to remove ISPConfig. With ISPConfig removed, a key selection of packages was installed and is kept up-to-date using yum.

Initial Apps Installed

  • Munin-node was installed providing monitoring of the server.
  • Shorewall was installed. This also cleaned/removed the old ISPConfig firewall rules.
  • vim was installed and symlinked to vi
  • trac was installed, etc.

Configs Carried out

Shorewall Firewall Management

Shorewall firewall was initially installed as per: http://wiki.kartbuilding.net/index.php/Shorewall_Firewall

Shorewall keeps its firewall rules in small config files, which are symlinked into place. For example, to allow HTTP, the following was done:

ln -s /usr/share/shorewall/macro.Web /etc/shorewall/
vi /etc/shorewall/rules
#add in the following at the bottom:
Web/ACCEPT  net       $FW
/etc/init.d/shorewall restart

Postfix

Postfix was next to be tidied up. The main file to watch (it controls which domains mail is accepted and delivered for) is: /etc/postfix/local-host-names. Other tweaks were cosmetic.

Mutt Mail reader

Anyone who has an ssh/user account on the server has an email address: user@tomfmason.net. To read/send emails, ssh into tomfmason.net and type "mutt", and the mail program will open. Hitting "q" will quit the current screen in mutt, and "q" again will quit the mutt program.

Note, if you are su'ing into an account from root, you need to go "su - username".

YUM - Package Management

Although apt-get is installed on the Fedora server, it doesn't easily allow you to list currently installed packages (as far as I'm aware).

All packages installed should be from yum/apt as these will receive security updates. Anyhoo, to use yum (which I recommend):

yum update
yum upgrade
yum list installed
yum list installed | grep nameofpackage
yum list available | grep packagetoinstall
yum install packagename
up2date yum
yum search packagetoinstall   # a verbose version of "yum list available"

Special Apps Installed

phpmyadmin installed from yum

As phpmyadmin is a php web app which receives frequent security updates, I did not want to install it from a gzip/zip file, as it would never get updated! As a result, I added a repository to yum which would receive updates, and from which I could install phpmyadmin. More info is at: http://dries.ulyssis.org/rpm/packages/phpmyadmin/info.html

vi /etc/yum.repos.d/dries.repo
[dries]
name=Extra Fedora rpms dries - $releasever - $basearch
baseurl=http://ftp.belnet.be/packages/dries.ulyssis.org/fedora/linux/$releasever/$basearch/dries/RPMS/
includepkgs=phpmyadmin

yum update
yum install phpmyadmin

phpmyadmin config

phpmyadmin is only installed once on a server. It is NOT installed everywhere it is needed.

phpmyadmin's main files are stored in /usr/share/phpmyadmin/

To get this to work for a particular website, just use an alias inside a <VirtualHost>. E.g.:

       Alias /phpmyadmin /usr/share/phpmyadmin/
       <Location "/phpmyadmin">
               SSLRequireSSL
               AuthType Basic
               AuthName "phpmyadmin Access Login on tomfmason.net"
               AuthUserFile /var/www/www.tomfmason.net/.htpasswd
               Require valid-user
       </Location>

An apache reload should suffice:

/etc/init.d/httpd reload

Just a last tweak: phpmyadmin needs a random secret for cookie authentication. It will complain when you first go to it, saying a 'blowfish_secret' is needed. Simply:

vi /usr/share/phpmyadmin/config.inc.php
#change the following, putting in a random secret (and not 123123 !!)
#$cfg['blowfish_secret'] = 'A123123'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
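Rather than typing a secret by hand, the following added example (not part of the original page or of phpMyAdmin) generates a random blowfish_secret, refuses the placeholder values mentioned above, and rewrites the line in a config.inc.php excerpt; the excerpt and the 16-character minimum are assumptions made here.

```python
import re
import secrets

# Matches the line phpMyAdmin complains about; the groups keep the surrounding PHP syntax intact.
BLOWFISH_LINE = re.compile(r"(\$cfg\['blowfish_secret'\]\s*=\s*)'([^']*)'(\s*;)")
PLACEHOLDERS = {"", "123123", "A123123"}  # the shipped/placeholder values the page warns against

# Constructed excerpt of a config.inc.php (not the file from the server).
SAMPLE_CONFIG = """<?php
$cfg['blowfish_secret'] = 'A123123'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
$cfg['Servers'][1]['auth_type'] = 'cookie';
"""

def is_weak_secret(value: str) -> bool:
    """A known placeholder, or anything under 16 characters (assumed floor), counts as weak."""
    return value in PLACEHOLDERS or len(value) < 16

def current_secret(config_text: str) -> str:
    """Return the blowfish_secret currently set, or '' if the line is missing."""
    m = BLOWFISH_LINE.search(config_text)
    return m.group(2) if m else ""

def set_blowfish_secret(config_text: str, secret: str = "") -> str:
    """Return config_text with blowfish_secret replaced by a fresh random value (or the one given)."""
    if not secret:
        secret = secrets.token_urlsafe(24)  # 32 URL-safe chars; never contains a quote or backslash
    if is_weak_secret(secret):
        raise ValueError("refusing to write a weak blowfish_secret")
    new_text, count = BLOWFISH_LINE.subn(
        lambda m: f"{m.group(1)}'{secret}'{m.group(3)}", config_text)
    if count != 1:
        raise ValueError("expected exactly one blowfish_secret line in config.inc.php")
    return new_text
```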

fail2ban on fedora

Similar to how phpmyadmin was installed, fail2ban is going to be installed from yum also.

vi /etc/yum.repos.d/dries.repo
[dries]
name=Extra Fedora rpms dries - $releasever - $basearch
baseurl=http://ftp.belnet.be/packages/dries.ulyssis.org/fedora/linux/$releasever/$basearch/dries/RPMS/
includepkgs=phpmyadmin,fail2ban

yum update
up2date yum
yum install fail2ban

Done. It works with SSH out of the box. The config is at: /etc/fail2ban.conf

As proftpd is currently running, and fail2ban only has configs for vsftpd, a special rule/config will have to be written over the next while. Also - the shorewall firewall currently blocks ftp :).
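Until that proftpd config exists, the logic fail2ban applies (a failregex with a <HOST> placeholder, maxretry, findtime) can be checked against sample lines. The following is an added example, not code from the page or from fail2ban; the ProFTPD log line format, the syslog timestamp prefix and the sample lines are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Hypothetical fail2ban-style filter for ProFTPD login failures; fail2ban replaces <HOST>
# with an address-capturing group, which compile_failregex() mimics below.
PROFTPD_FAILREGEX = r"proftpd\[\d+\]: \S+ \(\S+\[<HOST>\]\) - USER \S+ \(Login failed\):"
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)

# Constructed sample syslog lines (not real log data) with an assumed 'Mon DD HH:MM:SS' prefix.
SAMPLE_LOG = """\
Jan 10 10:00:01 server proftpd[4101]: server.net (203.0.113.5[203.0.113.5]) - USER bob (Login failed): Incorrect password.
Jan 10 10:00:05 server proftpd[4102]: server.net (203.0.113.5[203.0.113.5]) - USER bob (Login failed): Incorrect password.
Jan 10 10:00:09 server proftpd[4103]: server.net (203.0.113.5[203.0.113.5]) - USER root (Login failed): Incorrect password.
Jan 10 10:01:00 server proftpd[4104]: server.net (198.51.100.9[198.51.100.9]) - USER alice (Login failed): Incorrect password.
Jan 10 10:02:00 server proftpd[4105]: server.net (198.51.100.9[198.51.100.9]) - FTP session opened.
Jan 10 10:30:00 server proftpd[4106]: server.net (198.51.100.9[198.51.100.9]) - USER alice (Login failed): Incorrect password.
"""

def compile_failregex(failregex: str):
    """Expand fail2ban's <HOST> placeholder into a named group capturing an IPv4 address."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

def parse_syslog_time(line: str, year: int = 2024) -> datetime:
    """Parse the syslog prefix; syslog omits the year, so one is supplied."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def hosts_to_ban(log_text: str, failregex: str = PROFTPD_FAILREGEX,
                 maxretry: int = MAXRETRY, findtime: timedelta = FINDTIME) -> set:
    """Return hosts that reach maxretry matching failures within any findtime window."""
    pattern = compile_failregex(failregex)
    failures = {}  # host -> timestamps of failures still inside the window
    banned = set()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue  # e.g. "FTP session opened" never counts as a failure
        host, when = m.group("host"), parse_syslog_time(line)
        window = [t for t in failures.get(host, []) if when - t <= findtime]
        window.append(when)
        failures[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

With the sample above only 203.0.113.5 is banned: 198.51.100.9 has two failures but they are 29 minutes apart, outside the 10-minute findtime.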

Apache, SSL, Vhost, SVN, Trac Setup and Config

Apache was already installed, however its VirtualHosts were all messed up with ISPConfig. The main details are here:

/etc/httpd/conf/httpd.conf  - main apache config
/etc/httpd/conf/vhosts/    - files placed here, in the order ##-name are all virtual hosts. Look at existing ones for examples.
/etc/httpd/conf.d/*.conf   - files are placed here after yum installs them. E.g. ssl, php etc.
/etc/httpd/conf/ssl       - custom ssl folder where the self generated ssl certs are kept.

I cleaned httpd.conf back to the base config it should have. The last line of httpd.conf is:

Include /etc/httpd/conf/vhosts/
#and we take it from there.

Typical Vhost Config

Vhosts are named in numerical order, so that 01-default loads first, with the NameVirtualHost settings etc.:

[root@server vhosts]# cat 01-default
ServerName server.net

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
       ServerAdmin ..
       ServerName localhost
       DocumentRoot /var/www/html/

       <Directory />
               Options Indexes FollowSymLinks
               AllowOverride Indexes AuthConfig Limit FileInfo
               AllowOverride None
               Order allow,deny
               allow from all
       </Directory>

       # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
       LogLevel warn
       ErrorLog /var/log/httpd/error_log
       CustomLog /var/log/httpd/access_log combined
       ServerSignature On
</VirtualHost>

<VirtualHost *:443>
       ServerAdmin ..
       ServerName server
       DocumentRoot /var/www/html/

       <Directory />
               Options Indexes FollowSymLinks
               AllowOverride Indexes AuthConfig Limit FileInfo
               AllowOverride None
               Order allow,deny
               allow from all
       </Directory>

       # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
       LogLevel warn
       ErrorLog /var/log/httpd/error_log
       CustomLog /var/log/httpd/access_log combined
       ServerSignature On
       SSLEngine On
       SSLCertificateFile /etc/httpd/conf/ssl/hostcert.pem
       SSLCertificateKeyFile /etc/httpd/conf/ssl/hostkey.pem
</VirtualHost>

SSL Config

In order to get the following directives working, generate a self-signed certificate and key:

SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl/hostcert.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl/hostkey.pem

mkdir -p /etc/httpd/conf/ssl/
cd /etc/httpd/conf/ssl/
openssl req -x509 -days 365 -newkey rsa:1024 -keyout hostkey.pem -nodes -out hostcert.pem

Make sure to disable the default SSL certificate directives that ship in /etc/httpd/conf.d/ssl.conf !!

Install mod_ssl:

yum install mod_ssl

See also: http://security.ncsa.uiuc.edu/research/grid-howtos/usefulopenssl.php#taskgenself and http://security.ncsa.uiuc.edu/research/wssec/gsihttps/gsiapache.php

SVN Setup and Config

The setup was much the same as: http://wiki.kartbuilding.net/index.php/Trac_and_SVN

The config is as follows:

[root@server vhosts]# cat 03-svn.server
<VirtualHost *:80>
       ServerAdmin root@server.net
       ServerName svn.server.net

       Redirect 301 / https://svn.server.net/

       # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
       LogLevel warn
       ErrorLog /var/log/httpd/error_log
       CustomLog /var/log/httpd/access_log combined
       ServerSignature On
</VirtualHost>

<VirtualHost *:443>
       ServerAdmin webmaster@localhost
       ServerName svn.server.net

       DocumentRoot /var/www/www.server.net/svnwww

       <Location /svn/projectsteviewdr>
       DAV svn
       SVNPath /var/www/www.server.net/svn/projectsteviewdr
       AuthType Basic
       AuthName "Subversion Repository - Project Steviewdr"
       AuthUserFile /var/www/www.server.net/.htpasswd
               <LimitExcept GET PROPFIND OPTIONS REPORT>
                       Require valid-user
                       SSLRequireSSL
               </LimitExcept>
       </Location>
       ScriptAlias /trac/projectsteviewdr /var/www/cgi-bin/trac.cgi
       <Location "/trac/projectsteviewdr">
               # AllowOverride is only valid inside <Directory>, not <Location>, so it is left out here
               SetEnv TRAC_ENV "/var/www/www.server.net/trac/tracprojectsteviewdr"
       </Location>
       <Location "/trac/projectsteviewdr/login">
               SSLRequireSSL
               AuthType Basic
               AuthName "Trac Login for Project Steviewdr"
               AuthUserFile /var/www/www.server.net/.htpasswd
               Require valid-user
       </Location>

       # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
       LogLevel warn
       ErrorLog /var/log/httpd/error_log
       CustomLog /var/log/httpd/access_log combined
       ServerSignature On
       SSLEngine On
       SSLCertificateFile /etc/httpd/conf/ssl/hostcert.pem
       SSLCertificateKeyFile /etc/httpd/conf/ssl/hostkey.pem
</VirtualHost>

SVN Account Setup Details

svnadmin create /var/www/www.server.net/svn/projectname --fs-type fsfs
chown -R apache:apache /var/www/www.server.net/svn/projectname
#this is needed, as the svn is accessed via apache.

htpasswd -nb newuser newpassword >> /var/www/www.server.net/.htpasswd

trac-admin /var/www/www.server.net/trac/tracprojectname initenv
#enter data for the title
#enter data for the sqlite database (choose defaults)
#enter the path to the svn repository created above ( /var/www/www.server.net/svn/projectname )
#enter path to Trac template (choose default)

trac-admin /var/www/www.server.net/trac/tracprojectname/  permission add username MILESTONE_ADMIN REPORT_ADMIN ROADMAP_ADMIN TICKET_ADMIN TRAC_ADMIN
chown -R apache:apache /var/www/www.server.net/trac/tracprojectname

Runlevels in Fedora / Centos / RPM

chkconfig --list
chkconfig --del nameofservice 

Misc Info

Extra Packages installed for php and mysql:

yum install php-mcrypt
yum install php-mbstring