This will help you install RedHat 7.2 to function in the following environment, with some optional properties:
Normal instructions are in plain text. Material dealing with DNS connections is in blue. Material dealing with IP-masquerading is in green. Finally, any commands or other typeins you should enter on your linux machine are in red-bold. For example, if you see `ls -lait`, that indicates you should enter those characters. The terminating RETURN or ENTER key is assumed.
When you bootstrap from a CD, you get to choose the installation display type. I chose text, since I did not intend installing X on the server. Follow all the suggested defaults. They're pretty obvious.
Window Title | Choice | Comments
---|---|---
Language Selection | English |
Keyboard Selection | US |
Mouse Selection | None | Since this is a text system, we really don't need any mouse
Installation Type | Server | This seems to include most of the desired stuff
Disk Partitioning Setup | Autopartition | The setup seems to make the right choices
Automatic Partitioning | Remove all partitions on this system. Select only hda for the installation | We assume no data will survive, but the system will reside on the first disk only
Partitioning | OK | An interesting display
Boot Loader Configuration | Use GRUB Boot Loader |
Boot Loader Configuration | Choose the MBR |
Boot Loader Configuration | OK | I don't think you need special parameters to the Kernel, and I don't think you need a boot password.
Network Configuration | Fill in the correct data for your situation |
Firewall Configuration | Choose None | We'll fix this later
Time Zone Selection | Make it right |
Root Password | Choose carefully | There is a remedy if you forget, but you don't want an easily guessed one.
Add User | Add at least one user. | Please include the user "daku", as well as your own account.
Package Group Selection | Unselect the Classic X Window System. Select the Web Server. Check "Select Individual Packages" |
Individual Package Selection | |
Video Configuration | If it arises, you can skip the X-configuration |
I used the supplied default functions for everything else. If Package Dependencies appear, allow them to be fulfilled.
Complete the install (many minutes). You can make a boot diskette at this time, but it's not required.
Reboot the machine. Make sure you revise the boot sequence in your ROM, so it doesn't start with the CD. When your system comes up, you're running without any firewall protection, but it will be for only a very short time. If you get invitations from kudzu, choose the yes-configure option. This is Linux's Plug-and-Play detection.
The Network can be configured at this point, but you still will have to give the local machine a name.
First, after you log in as root, type:
`hostname your-host-name`

The name you choose here makes a difference, so you should choose the DNS name by which you are known to the outside world. This is important if you ever hope to do any mail functions, since SMTP involves a reverse DNS lookup. For example:

`hostname alpha.beta.com`
Internet access will be important, so that's our first job. So, type:
`linuxconf`

You should read the Introduction, which gives you an idea of how to navigate, and then choose quit.
Go to Config -> Networking -> Client tasks -> Host name and IP network devices. Fill in the following information:

Heading | Value | Comments
---|---|---
Host name + domain | yourhost.yourdomain.com | This is the simple name by which your system knows itself. This should match the value you defined as the hostname above.
Adaptor 1 Enabled | X |
Adaptor 1 Config Mode | Choose. | If you select DHCP, nothing else matters.
Adaptor 1 Primary name + domain | yourhost.yourdomain.com | This should be a copy of the Host Name field.
Adaptor 1 Details of adaptor | | If you're manual, fill in the details
Adaptor 1 .... | | The net device and Kernel Module should be filled in automatically; the rest should be empty

Configuring eth1 (Adaptor 2) is needed only if you plan on supporting masquerading (Network Address Translation, NAT).

Heading | Value | Comments
---|---|---
Adaptor 2 Enabled | X | Only if you plan on using an internal network. You can always turn this on later.
Adaptor 2 Config Mode | Manual | This is the DHCP master for your internal network
Adaptor 2 Primary name + domain | xxx | Whatever you choose to enter. It probably doesn't matter
Adaptor 2 IP address | 192.168.1.2 | The IP address you choose here is important for the first three digits. If you change the 4th field, you'll have to modify the dhcpd configuration I load later. You will find me using 192.168.1.* all over the place. I personally have adopted the convention that the fixed IP addresses are 192.168.1.1 - 192.168.1.127, and the dynamic ones are awarded from 128 up.
Adaptor 2 Netmask (opt) | 255.255.255.0 |
Use the Accept function to return to Linuxconf's main screen.
If you are using static IP addresses for your eth0 configuration, you should walk through the Name Server, Routing and Host-Name search path screens to make sure all is good.
At this point, your network should work. Reboot your machine.
At this point, I can remotely enter your system and watch what goes on. Your system will be vulnerable for a few minutes.
Type the command `screen` and then I can join you and watch.
Find Control->Control Panel->Control Service Activity and modify stuff as follows:
Control Service | Desired Setting
---|---
apmd | Manual, unless you're on a portable with batteries
gpm | Manual, since we don't use a mouse
httpd | Auto
ipchains | Manual
lpd | Manual, unless you have a printer
ntpd | Automatic, and start it.
xfs | Manual
After you've finished these, use Dismiss to return to linuxconf.
Space down to the date & time selection inside the control section, and enter it. Put an X in "store in GMT Format", and set up your time zone (use control-X to open up the options). For the "get date" option, I chose the server

`ntp0.cornell.edu`

Hit accept.
You can now exit linuxconf, selecting Act/Changes, then Do it. With luck, all should work without complaint, and you return to the Linuxconf main screen.
Use Dismiss and you should be back at the shell prompt. With luck, lots of stuff should be working, and your system is vulnerable. So, try a simple ping just to make sure stuff is working, and we'll proceed with the fixups. A reboot is not necessary (isn't Linux nice?).
You now mount the diskette on your new linux box, and execute a script on it.
You must type in the following sequence:

The typein | The explanation
---|---
`mount -t vfat /dev/fd0 /mnt/floppy` | Mounts the floppy as an MS-DOS file system.
`. /mnt/floppy/part1` | Runs the script. Note the initial period; it's important. You will be asked a set of questions to which you should respond either Y or N. See below for a discussion of what's happening.
- The NAT question asks whether you plan on having a second interface supporting an internal masqueraded network. If you choose Y, several utilities are installed.
- The DYNDNS question asks whether you have a static IP address for your primary connection, or whether you use the services of dyndns.org.
This form of the command puts all the output into the file /usr/part1.out, so we can look at it when it's done.
You can monitor the output by opening another window (hit alt-F2), and typing
`tail -f /usr/part1.out`

Don't worry about the "dude" diagnostics. That is what OIDENTD talks about.
`umount /dev/fd0` dismounts the diskette. Always wait until the light on the diskette drive goes out before removing the diskette.
Here are the files you just copied in
File | Function | Tailoring
---|---|---
/root/scripts | A collection of scripts |
/root/scripts/httpd_logger | A cron job to rotate HTTP logs |
/root/scripts/export_to_floppy | A job to recreate the above diskette |
/etc/dhcpd.conf | DHCP daemon configuration |
/etc/firewall.conf | The firewall configuration |
/etc/init.d/firewall | The firewall script |
/etc/rc.d/fixup | An extra after rc.local |
/etc/xinetd.d/oidentd | The controls for oidentd |
/etc/xinetd.d/telnet | Telnet daemon permissions | The "only_from" argument probably needs to be augmented by adding any IP addresses that are allowed to TELNET in.
/etc/xinetd.d/wu-ftp | WU-FTP daemon permissions | See above.
/etc/httpd/conf/extras.conf | My tailoring of the Apache server |
Install oidentd | This is the daemon that allows you to run mIRC behind the firewall. |
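An added check for the `only_from` tailoring of the telnet and wu-ftp entries above (example code, not the page's or the diskette's scripts): it parses a constructed xinetd service entry and reports whether an arbitrary outside address would still be admitted. It handles the exact-address, CIDR and trailing-zero wildcard forms of `only_from`; hostnames are not resolved, and the `203.0.113.7` stand-in for "outside" is an assumed TEST-NET value.

```python
import ipaddress
# Constructed sample in the shape of the /etc/xinetd.d/telnet entry listed above (not the diskette's file).
SAMPLE_TELNET = """\
service telnet
{
        disable         = no
        log_on_failure  += USERID
        only_from       = 127.0.0.1 192.168.1.0/24
}
"""

def parse_service(text):
    """Return (service name, {attribute: [values]}) for one xinetd service file."""
    name, attrs = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # strip comments and padding
        if line.startswith("service "):
            name = line.split(None, 1)[1]
        elif "=" in line:                                # handles '=', '+=' and '-='
            key, value = line.split("=", 1)
            attrs.setdefault(key.rstrip("+- ").strip(), []).extend(value.split())
    return name, attrs

def _pattern_matches(pattern, ip):
    """Exact IP, CIDR, or dotted address whose trailing .0 bytes are wildcards (192.168.1.0 = 192.168.1.*)."""
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False                                     # hostnames are not resolved offline
    while octets and octets[-1] == "0":
        octets.pop()
    if len(octets) == 4:                                 # no wildcard bytes: exact match
        return ip == ipaddress.ip_address(pattern)
    return str(ip).startswith(".".join(octets) + ("." if octets else ""))

def client_allowed(attrs, client):
    """True if a connection from `client` passes only_from (an absent only_from admits every host)."""
    if "only_from" not in attrs:
        return True
    ip = ipaddress.ip_address(client)
    return any(_pattern_matches(p, ip) for p in attrs["only_from"])

def audit(text):
    """One finding when an enabled service is reachable from outside; [] otherwise."""
    name, attrs = parse_service(text)
    # 203.0.113.7 is a TEST-NET address standing in for an arbitrary outside host
    if attrs.get("disable", ["no"])[0].lower() == "yes" or not client_allowed(attrs, "203.0.113.7"):
        return []
    return ["%s: reachable from arbitrary external hosts" % name]
```

Run `audit()` over each file in /etc/xinetd.d after editing; an entry with no `only_from` at all is the case to look for first.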
Add the following lines:

```
10 0 * * * . /root/scripts/httpd_logger daku
*/5 * * * * . /root/scripts/update_network
0 1 * * * /usr/sbin/up2date -fu
```

The first line has the effect of running the "httpd_logger" procedure at 10 past midnight every night. Replace the word "daku" with whatever is the name of your special user, the one selected to receive the system-wide error and security logs for monitoring. If you instead wanted to perform this at 11:09pm (local time), you'd enter the first line as

```
9 23 * * * . /root/scripts/httpd_logger daku
```

The second line (update_network) is needed only if you use dyndns, and informs dyndns.org of any IP address change by testing once every 5 minutes. The third line performs a nightly update at 00:01 (one minute past midnight) via the RedHat network.
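An added evaluator for the five-field crontab schedules above (example code, not from the page or its diskette), so you can confirm when each entry fires before relying on it for log rotation and nightly updates. It assumes Vixie-cron syntax for `*`, `*/n`, ranges and lists, ANDs all five fields (real cron ORs day-of-month and weekday when both are restricted, which none of these entries do), and does not handle month or weekday names; `firings_on` is an assumed helper name.

```python
from datetime import datetime

def _field_matches(field, value, lo, hi):
    """True if one crontab field ('*', '*/5', '9', '1-5', '1,15') matches value."""
    for part in field.split(","):
        step = 1
        if "/" in part:                                  # '*/5' or '0-30/10'
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False

def cron_matches(line, when):
    """True if the crontab line (schedule followed by its command) fires at `when`."""
    fields = line.split()[:5]
    if len(fields) != 5:
        raise ValueError("expected five schedule fields: " + line)
    minute, hour, dom, month, dow = fields
    weekday = (when.weekday() + 1) % 7                   # cron: Sunday is 0 (or 7); datetime: Monday is 0
    dow_ok = _field_matches(dow, weekday, 0, 7) or (weekday == 0 and _field_matches(dow, 7, 0, 7))
    return (_field_matches(minute, when.minute, 0, 59)
            and _field_matches(hour, when.hour, 0, 23)
            and _field_matches(dom, when.day, 1, 31)
            and _field_matches(month, when.month, 1, 12)
            and dow_ok)

def firings_on(line, year, month, day):
    """Every 'HH:MM' at which the line fires on the given calendar day (assumed helper name)."""
    return ["%02d:%02d" % (h, m)
            for h in range(24) for m in range(60)
            if cron_matches(line, datetime(year, month, day, h, m))]

if __name__ == "__main__":
    # The three entries from the crontab above, checked for 4 March 2002 (a Monday)
    for entry in ("10 0 * * * . /root/scripts/httpd_logger daku",
                  "*/5 * * * * . /root/scripts/update_network",
                  "0 1 * * * /usr/sbin/up2date -fu"):
        times = firings_on(entry, 2002, 3, 4)
        print("%-48s fires %3d time(s), first at %s" % (entry, len(times), times[0]))
```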
If you are masquerading, edit the line that begins with `RELAY_TO_128=` and enter the port numbers of interest. It turns out that whatever you enter here is discarded if you don't have eth1. These ports are forwarded from the firewall through the masquerading directly to the windows machine at 192.168.1.128. Ports 5631 and 5632 are used for PC-Anywhere; ports 4901-5000 are used for IRC's DCC protocol.

Change the line beginning with `OPEN_PORTS` and enter the port numbers to which you will attach the Apache web server. I avoid port 80 because it's often hacked.
Internal mail is generated whenever crontab runs those timed jobs. That should be 2 messages per day assuming no IP changes occur.
Your next step is to register your RedHat Linux with the Redhat folks, so that we can perform a huge set of updates. Assuming you have the registration number, you run the program

`rhn_register`

and follow directions. After you've successfully done that, you can run your first update by typing in

`up2date -fu`

and watch the bits fly. Remember that we perform this action every night.
Device name | Where
---|---
/dev/hda1 | Primary, Master, first partition
/dev/hda2 | Primary, Master, second partition
/dev/hda3 | Primary, Master, third partition
/dev/hda4 | Primary, Master, fourth partition, usually an extended one, which contains other partitions.
/dev/hdb1 | Primary, Slave, often a CD
/dev/hdc1 | Secondary Master
/dev/hdd1 | Secondary Slave
/dev/hde1 | Tertiary Master, in case you have an extra IDE card.
Let's assume you have a new empty disk and it attaches as the secondary master. This makes its UNIX name /dev/hdc1. You also have to decide where you'll mount the device in the Unix file system. The steps are:
Command | Explanation
---|---
`mkfs /dev/hdc1` | This is much like the "format" command in DOS.
`mkdir /mount-name` | Where you will be mounting the new disk
`tune2fs -j /dev/hdc1` | This creates the journaling structures on the disk
`mount -t ext3 /dev/hdc1 /mount-name` | This mounts the device at the place indicated.
Below, let's assume you've added a new user named newguy, via Linuxconf, and you specified /home/newguy as his home directory. The following assumes you are running as 'root':

```
chmod 711 /home/newguy
mkdir /home/newguy/public_html
chmod 711 /home/newguy/public_html
chown newguy.newguy /home/newguy/public_html
```
```
Listen webport
<VirtualHost * *:webport>
    ServerAdmin me@daku.org
    ServerName your-machine-name:webport
    DocumentRoot /home/newguy/public_html
    Options Includes FollowSymLinks
    LogFormat Combined
    TransferLog "|rotatelogs /var/log/httpd/newguy_access_log 86400"
    ErrorLog "|rotatelogs /var/log/httpd/newguy_error_log 86400"
</VirtualHost>
```
`. /root/scripts/new_user name password port`

where name is the name of the user, password is his password (which I haven't been able to make work), and port is the port number for his web services.
You will have to go back into LINUXCONF to set this user's password; I haven't found a way to do it successfully in the script.
@your-domain.com the-user
The user access is as follows. Assume an external customer with a domain name sammygarden.com.