(ve):Getting Started with Fedora 12
- This page was last modified on October 26, 2010, at 08:33.
From (mt) Community Wiki
Keep in mind that your (ve) Server is very much a blank slate when provisioned. It is your responsibility to administer your server from Day 1. Following some of the information below will definitely help you on your way, with an emphasis on security. After completing this guide, you will probably want to install some software. Following our LAMP guide would be a great way to get your feet wet.
Logging in as root
By default, all of the distributions offered with your (ve) Server have only the root user installed. For security reasons we do not include the root password in your Service Activation Letter. To obtain the root user password, you will need to visit the "SSH Access" section of your (ve) Control Panel in the AccountCenter. Then you can change the password to one you know.
After you change the password, you can use an SSH client to connect to your server, with root as the user and your new password:
ssh root@ve.example.com
Once connected you will have root access to your server.
Adding a User
For security reasons, we strongly encourage setting up an "admin" user that has 'sudo' privileges. With 'sudo' you can give selected users temporary "root" privileges. This is a good safeguard to prevent misuse of the root user. Follow the steps below to add a user with sudo access:
Create the new user. We will use the name jsmith:
adduser jsmith
Now let's set the password for the user:
passwd jsmith
We now need to grant jsmith sudo privileges using the visudo command:
visudo
This will open the '/etc/sudoers' file for editing. Using root as an example, just add another line for jsmith and save the file using the vi command ":wq!":
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
jsmith ALL=(ALL) ALL
# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
To test your new user and sudo privileges, log out as root and log back in as jsmith.
Now that you have sudo enabled, you can run any command typically run by root as the jsmith user. Just add sudo to the beginning of your command. You will be prompted to enter your password.
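Once more than one account has sudo access, it helps to review who holds which grants. The following is an added example, not part of the original guide: a small shell audit that reads sudoers text and reports rules that grant every command (FULL) or skip the password prompt (NOPASSWD). The sample input is constructed from the file shown above plus two hypothetical rules (deploy, %wheel), and the function names are illustrative.

```bash
#!/bin/sh
# Added example: audit sudoers rules for broad or passwordless grants.

# sample_sudoers: constructed input modelled on the file shown in this guide,
# plus two hypothetical rules (deploy, %wheel) to exercise the checks.
sample_sudoers() {
cat <<'EOF'
# /etc/sudoers
Defaults env_reset
# User privilege specification
root ALL=(ALL) ALL
jsmith ALL=(ALL) ALL
deploy ALL=(ALL) NOPASSWD: /sbin/service httpd restart
%wheel ALL=(ALL) NOPASSWD: ALL
# %sudo ALL=NOPASSWD: ALL
EOF
}

# audit_sudoers: read sudoers text on stdin and print "<who> <finding>" for
# each rule that grants every command (FULL) and/or carries NOPASSWD.
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        $1 == "Defaults" || $1 ~ /^Defaults[@:!>]/ { next }
        $1 ~ /_Alias$/ { next }                       # alias definitions
        {
            who = $1
            spec = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", spec)     # drop the user field
            finding = ""
            # A rule whose command list is the bare keyword ALL grants everything.
            if (spec ~ /(^|[ \t:)=,])ALL[ \t]*$/) finding = "FULL"
            if (spec ~ /NOPASSWD:/)
                finding = (finding == "" ? "" : finding "+") "NOPASSWD"
            if (finding != "") print who, finding
        }
    '
}

# unapproved_grants ALLOWLIST: same input on stdin, but print only findings
# whose user or %group is not in the space-separated allowlist.
unapproved_grants() {
    audit_sudoers | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)
    '
}

# Demo on the constructed sample: root and jsmith are the expected admins.
sample_sudoers | unapproved_grants "root jsmith"
```

On a live server, pipe the real file in with `sudo cat /etc/sudoers | audit_sudoers`. The parser is deliberately simple: it does not follow #include directives or backslash line continuations.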
Updating your Server
It is very easy to keep your Fedora server up to date using the YUM packaging system. This system uses a private database to keep track of which packages are installed, which are not installed, and which are available for installation. YUM uses this database to find out how to install packages requested by the user, and to find out which additional packages are needed in order for a selected package to work properly.
To update your server run the following command:
sudo yum update
You should get output similar to the following:
[root@ve.example.com ~]# sudo yum update
Be sure to look over the packages and verify you want to update them all before typing 'y'. If you do not wish to update every package, then please type 'n' and see our guide Managing packages with Yum.
If you continue and type 'y', you should see results similar to this:
Installing Developer Tools
(ve) distributions do not have any developer tools installed by default. All developer tools, including GCC C/C++ compilers, make and others, can easily be installed using the yum package manager. There is a convenient meta-package called 'Development Tools' that will install all the Developer Tools with just one command.
Run the following command to begin:
sudo yum groupinstall 'Development Tools'
You will see a lot of text scroll by as the server determines what packages need to be installed. A base install should output the following packages to be installed/updated. Please enter 'y' for yes when prompted. At this time all the packages will be downloaded and installed. There is no need to reboot your server. All changes are made live on the server. Please take note of any warnings displayed and act accordingly.
For more information on installing packages with Yum please visit Managing_packages_with_Yum
Securing Your Server
This guide is a general overview of how to get started with your (ve) Server. It covers basic security philosophy and a number of specific examples of how to better secure your (ve) Virtual-Environment server when first getting started. If you have any improvements, constructive criticism, additions, or corrections, please feel free to provide feedback on the discussion page.
(Optional) Expiring Passwords
When creating user accounts, you might want to consider expiring passwords after a given amount of time. This will force you and your users to change passwords every so often.
To easily view the current status of a user account, use the following syntax:
sudo chage -l jsmith
The output below shows interesting facts about the user account, namely that there are no policies applied:
Last password change : Aug 13, 2009
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
To set any of these values, simply use the following syntax, and follow the interactive prompts:
sudo chage jsmith
The following example will set a maximum password age (-M) of 90 days and a warning time period (-W) of 14 days before password expiration.
sudo chage -M 90 -W 14 jsmith
To verify changes, use the same syntax from above:
sudo chage -l jsmith
The output below shows the new policies that have been established for the account:
Last password change : Aug 13, 2009
Password expires : Nov 11, 2009
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 14
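To check every account at once instead of running chage -l per user, the added example below (not part of the original guide) reads shadow(5)-format lines and reports how many days each password has left. The function name, sample accounts and placeholder hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example: report password ageing for every account that has a password.
# Input: shadow(5) lines  name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is counted in days since 1970-01-01; max is what "chage -M" sets.

password_expiry_report() {   # usage: password_expiry_report TODAY_IN_DAYS < file
    awk -F: -v today="$1" '
        # Locked or password-less accounts cannot log in with a password
        $2 == "" || $2 ~ /^[!*]/ { next }
        # Empty lastchg/max or the 99999 default means no expiry policy
        $3 == "" || $5 == "" || $5 + 0 >= 99999 { print $1, "never"; next }
        # lastchg 0 forces a password change at the next login
        $3 + 0 == 0 { print $1, "must-change"; next }
        {
            left = $3 + $5 - today          # days until the password expires
            print $1, (left < 0 ? "expired" : left)
        }
    '
}

# Constructed sample (hashes are placeholders). Day 14469 is Aug 13, 2009.
SAMPLE_SHADOW='root:$6$placeholder$aaaa:14469:0:99999:7:::
jsmith:$6$placeholder$bbbb:14469:0:90:14:::
apache:!!:14469::::::
deploy:$6$placeholder$cccc:14300:0:90:7:::'

# Day 14500 is Sep 13, 2009
printf '%s\n' "$SAMPLE_SHADOW" | password_expiry_report 14500
```

On a server, feed it the real file and today's day count: sudo cat /etc/shadow | password_expiry_report "$(( $(date +%s) / 86400 ))".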
Disabling Root Login
Allowing the root user to log in directly via ssh is a major security issue. You can still use the root account after logging in as another user first.
SSH into your server as 'jsmith'.
Open the /etc/ssh/sshd_config file using your editor of choice. We will use nano.
sudo nano /etc/ssh/sshd_config
Change the PermitRootLogin directive on Line 26 to 'no':
...
21 SyslogFacility AUTH
22 LogLevel INFO
23
24 # Authentication:
25 LoginGraceTime 120
26 PermitRootLogin no
27 StrictModes yes
...
Save the file and make sure to restart the SSH server:
sudo /etc/rc.d/init.d/sshd restart
Please note that you will no longer be able to log in directly as root unless you revert these changes. Make sure you remember both passwords moving forward.
Securing SSH
Using SSH Keys
SSH keys should only be used on a computer that is not shared, or on one where each person has a separate login or account. If you share your computer with others under the same username you should NOT follow the steps outlined in this article.
Generating your key
The first step we need to take is generating a key on your local computer using strong encryption:
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -C "Enter an optional comment about your key"
You should receive a prompt asking for a password. Please use a strong password. If you plan on using your key for automated tasks that don't require interaction, such as rsync, you might want to leave this blank. Once you have entered your password twice make sure you have the permissions set properly for your .ssh directory and your newly created ssh files on your local computer using the following commands:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
Installing your key
Your public key now needs to be uploaded to your server. The code below reads the content of your key, creates your ssh directory on your (ve), and creates a new file called 'authorized_keys' with the same information.
cat ~/.ssh/id_rsa.pub | ssh user@ve.example.com 'mkdir -p ~/.ssh; cat - >> ~/.ssh/authorized_keys'
We should also change the permissions for the ssh directory and files as we did up above. On your (ve) run the same commands:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*
Changing default SSH Port
By default SSH uses the standard port 22 for all connections. To help prevent malicious automated attacks on this port it is best to use a non-standard port. Please note that you will have to use the '-p' flag with the ssh command to specify the port you choose.
SSH into your server as 'jsmith'.
Open the /etc/ssh/sshd_config file using your editor of choice. We will use nano.
sudo nano /etc/ssh/sshd_config
Change Line 5 to use your new port number. In the example we will use 4791. Please make sure to choose a port higher than 1024 to prevent conflicts with reserved port numbers:
...
1 # Package generated configuration file
2 # See the sshd(8) manpage for details
3
4 # What ports, IPs and protocols we listen for
5 Port 4791
6 # Use these options to restrict which interfaces/protocols sshd will bind to
7 #ListenAddress ::
8 #ListenAddress 0.0.0.0
...
Save the file and make sure to restart the SSH server:
sudo /etc/rc.d/init.d/sshd restart
Using iptables
iptables is a powerful firewall that comes pre-installed with CentOS. Using iptables you can lock down your server, allowing access based on port numbers and IP addresses. Although you can create very sophisticated rules for your server, this brief introduction will just show you how to only allow access to ports 80/443 (http/https) and port 22, the default port for ssh. We will elaborate more on iptables usage in future articles.
Defining your rules
Out of the box you can see that no rules are defined by running:
sudo iptables -nL
You should see very minimal output:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
As you can see we are allowing all traffic in and out of the server. We will need to create a file that includes new rules to only allow certain ports.
Using your favorite text editor, create a file named iptables.test in the /etc/sysconfig directory.
sudo nano /etc/sysconfig/iptables.test
Once inside the editor place the following code and save the file:
*filter

# Allow loopback (lo) traffic
-A INPUT -i lo -j ACCEPT

# Accept established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH
# Change the value 22 if you are using a non-standard port
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping requests
# Some might want to block this altogether.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
Now that we have our rules in place let's test them. Using the iptables-restore command we can load these rules:
sudo iptables-restore < /etc/sysconfig/iptables.test
We can now verify the rules using the same command above:
sudo iptables -nL
You should see the following output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Saving your Rules
Once you have verified your rules you can save them in the default location for iptables on CentOS.
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
At this point you can rest assured that your rules will be automatically loaded at boot time. You can also run "/etc/init.d/iptables stop|start|restart" at any time to stop, start, or restart iptables.
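If you moved sshd to a non-standard port (4791 in "Changing default SSH Port") but load a rules file that still opens only port 22, you will lock yourself out. The added example below, which is not part of the original guide, cross-checks an sshd_config against an iptables-restore rules file. The function names and sample files are constructed, and it assumes whitespace-separated directives and only reads the global section before any Match block.

```shell
#!/bin/sh
# Added example: pre-flight check before restarting sshd or loading new rules.

# Print each value of KEYWORD in the global section of an sshd_config file.
# Keywords are case-insensitive; parsing stops at the first Match block.
sshd_values() {   # usage: sshd_values FILE KEYWORD
    awk -v kw="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { print $2 }
    ' "$1"
}

# Print the TCP destination ports accepted on INPUT in an iptables-restore file.
fw_accepted_ports() {   # usage: fw_accepted_ports FILE
    awk '/^[ \t]*-A INPUT / && / -p tcp / && / -j ACCEPT/ {
        for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
    }' "$1"
}

# Return 0 only if root login is disabled and every sshd port is accepted.
preflight() {   # usage: preflight SSHD_CONFIG RULES_FILE
    rc=0
    root=$(sshd_values "$1" PermitRootLogin | head -n 1)   # first value wins
    [ "$root" = "no" ] || { echo "PermitRootLogin is '${root:-unset}'"; rc=1; }
    ports=$(sshd_values "$1" Port)                         # Port may repeat
    for p in ${ports:-22}; do                              # sshd default is 22
        fw_accepted_ports "$2" | grep -qx "$p" ||
            { echo "sshd port $p is not accepted by $2"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files mirroring this guide: sshd moved to 4791 while the
# first rules file still allows 22; the second one has the port corrected.
demo_dir=$(mktemp -d)
printf '%s\n' '# Authentication:' 'Port 4791' 'PermitRootLogin no' \
    'PermitRootLogin yes' > "$demo_dir/sshd_config"
printf '%s\n' '*filter' '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -p tcp --dport 80 -j ACCEPT' \
    '-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT' \
    '-A INPUT -j REJECT' 'COMMIT' > "$demo_dir/rules.old"
sed 's/--dport 22 /--dport 4791 /' "$demo_dir/rules.old" > "$demo_dir/rules.new"

preflight "$demo_dir/sshd_config" "$demo_dir/rules.old" || echo "fix before applying"
preflight "$demo_dir/sshd_config" "$demo_dir/rules.new" && echo "safe to apply"
```

Run preflight against /etc/ssh/sshd_config and /etc/sysconfig/iptables.test before iptables-restore, and keep your current SSH session open until a second login succeeds. sshd -t additionally checks the configuration file for syntax errors before you restart the service.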