Standard Redhat RHEL 4 AS Server Build
The Standard Linux Server build was designed around the RHEL 4 release to document all processes related to installing Linux AS4 server software, securing the system, setting up monitoring, setting up backups and verifying that all required services are operational in accordance with best practices.
Install Package Management and Patch the System
Security and Configuration Standards
Process and File Handle Limits
Default Password Expiration
Register System with Redhat
Create Standard Mountpoints
Installation
- Boot the system from Redhat Enterprise Linux 4 disc 1.
- When prompted, press enter to start the install in graphical mode.
- Skip the media check (unless you want to spend an hour having it scan the disc for errors.)
- Welcome Screen: Click “Next”
- Language Selection: English should be selected. Click “Next”.
- Keyboard Configuration: U.S. English should be selected. Click “Next”.
- Disk Partitioning: Select “Manually partition with Disk Druid” and click “Next”.
If it says that the partition table was unreadable and asks if you want to destroy all data on the drive, click “Yes”. Using the interface, set up the following partitions with at least as much disk space as is listed:
To Create LVM Volumes:
Choose your structure based on the server type, keeping in mind that it is always good to separate /var, /tmp and any logging filesystems so they cannot fill up / and bring the system to a halt. Also, if it is a file server with /home directories for users, you will definitely want a separate mount point for /home, preferably on LVM so you can grow the filesystem when necessary.
o Make a new ext3 partition for “/boot” of at least 150MB: click New. In the Add Partition dialog box, change the file system type to ext3. Set the size to 150MB, select Fixed size, and select the option to force it to be a primary partition.
o Make a new LVM physical volume: click New. In the Add Partition dialog box, change the file system type to physical volume (LVM). Make the size large enough to accommodate “swap”, “/” and “/var” plus 64MB for partition overhead; in our case the minimum is 18496MB. Be sure not to check the options Fixed Size or Force to be a primary partition.
o Now click on LVM. In the Make LVM Volume Group dialog box, we’re going to add three logical volumes. First add the swap space (file system type = swap) of size 2048, and then add mount point “/” (type ext3) and give it 18000MB, and finally add mount point “/var” (type ext3) and give it 4096MB.
o If the partitioning gets confused in some way, just click back, and then click “Next” to start the partitioning over again.
Mount Point | Filesystem Type | Size (MB) | Options
/           | ext3            | 18000+    | 8192 for smaller systems
/boot       | ext3            | 150       |
/tmp        | ext3            | 4096      |
/var        | ext3            | 4096+     |
/apps       | ext3            | 8192      | Dependent on available disk
/u01        | ext3            | Remainder | All space left
(none)      | swap            | 2048      | Optional: you don't want this on some database servers (e.g. use 14MB on an Oracle server)
Click “Next” when you are done with partitioning.
- Boot Loader Configuration: Accept the defaults, and click “Next”.
- Network Configuration: Configure the settings as needed, and click “Next”.
- Firewall Configuration: Enable the firewall, and select to only allow SSH and FTP access. Change 'Enable SELinux?' to 'Warn'. Click “Next”.
- Additional Language Support: Click “Next”.
- Time Zone Select: Enable 'System clock uses UTC'. Select 'America/Chicago' for the location. Click “Next”.
- Set Root Password: Enter the current root password twice, and click “Next”.
- Package Installation Defaults: Select 'Customize software packages to be installed' and click “Next”.
- Package Group Selection (Also review Appendix A kickstart file): Select Minimal Install
- About to Install: Click “Next”, and then click Continue at the popup window.
The system will now partition the hard disk, format the file systems, and install the software. It will ask to switch discs: do so and click OK. When the install is finished, remove the CD from the drive and click the Reboot button.
Remove Unneeded Packages
The first thing we need to do is remove some packages that contain unnecessary software carrying serious security risks. Run the following command as root:
rpm --erase rsh rdate talk rdist tog-pegasus-devel tog-pegasus redhat-lsb-3.0-8.EL.i386 redhat-lsb-3.0-8.EL.x86_64 redhat-lsb
Next, remove packages that are generally only useful on desktop systems and are not used on our servers. Run the following command. If you encounter errors, go back and run one package at a time (e.g. rpm -e wvdial by itself, then the next package), resolving each error as you proceed until all have been removed:
rpm --erase wvdial rp-pppoe ppp isdn4k-utils irda-utils anacron redhat-lsb at pcmcia-cs lftp bluez-utils bluez-bluefw bluez-hcidump bluez-libs NetworkManager-gnome NetworkManager wireless-tools vconfig lksctp-tools lksctp-tools-devel OpenIPMI OpenIPMI-libs lha
64 bit:
If you get the error: "bluez-libs" specifies multiple packages, run:
rpm -qa --queryformat "%{NAME}-%{VERSION}.%{ARCH} \n" | grep bluez-libs | sort
which returns:
bluez-libs-2.10.i386
bluez-libs-2.10.x86_64
Then run:
rpm -e bluez-libs-2.10.i386 bluez-libs-2.10.x86_64
If you get the error: Failed dependencies: libbluetooth.so.1()(64bit) is needed by (installed) bluez-pin 0.23-3.x86_64
then remove the dependency first with:
rpm -e bluez-pin
and return to the previous command to remove the primary package(s).
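As an added example (not from the original build document), the following script does the one-package-at-a-time removal described above: it skips packages that are not installed, erases the rest individually, and reports the ones rpm refuses to remove so their dependencies can be resolved by hand. It assumes the real rpm and uses the desktop package list quoted above; the --run guard is an assumption of this example so that the file can be sourced without erasing anything.

```shell
#!/bin/sh
# Added example: erase the desktop-only package list one package at a time,
# so a dependency failure on one package does not abort the whole batch.
# Assumes the real rpm(8); the package list is the one given in the text.

DESKTOP_PKGS="wvdial rp-pppoe ppp isdn4k-utils irda-utils anacron redhat-lsb at \
pcmcia-cs lftp bluez-utils bluez-bluefw bluez-hcidump bluez-libs NetworkManager-gnome \
NetworkManager wireless-tools vconfig lksctp-tools lksctp-tools-devel OpenIPMI OpenIPMI-libs lha"

# erase_one_by_one PKG... : skips packages that are not installed, erases the rest
# individually, and returns the number of packages rpm refused to remove.
erase_one_by_one() {
    failed=0
    for pkg in "$@"; do
        if ! rpm -q "$pkg" >/dev/null 2>&1; then
            echo "skip:    $pkg (not installed)"
            continue
        fi
        if rpm -e "$pkg" >/dev/null 2>&1; then
            echo "removed: $pkg"
        else
            # usually a 'Failed dependencies' error; resolve it and re-run for this package
            echo "FAILED:  $pkg (run 'rpm -e $pkg' by hand to see the dependency)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Only erase anything when invoked as: sh remove_desktop_pkgs.sh --run
if [ "${1:-}" = "--run" ]; then
    erase_one_by_one $DESKTOP_PKGS
    echo "packages still to resolve: $?"
fi
```

The exit status of erase_one_by_one is the count of packages still installed, so a zero status means the list is clean and the 64-bit troubleshooting steps above are only needed for the packages it prints as FAILED.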
Disable Services
To disable a service, use the command:
chkconfig --levels 123456 [servicename] off
Where [servicename] is the name of the service.
The following are the services that should be disabled:
Service name(s)                   | Description
apmd                              | This is an older power-management system. Disable on VMWare hosts.
cups                              | Only required if you are printing from this server.
cpuspeed                          | This throttles CPU speed to save power. You MUST disable this on VMware clients, otherwise it plays havoc with the system's timekeeping.
gpm                               | Console mouse service. Marginally useful at best.
smartd                            | Disk monitoring for IDE. Disable on VMWare hosts and on servers that are using SCSI disks.
netfs                             | Mounts network filesystems (NFS, Samba, etc.). Not needed if you are not mounting network filesystems.
rawdevices                        | Only useful if you have applications that want to use raw disk space (like Oracle).
rpcidmapd portmap nfslock rpcgssd | These are only needed if you are using the system as an NFS server.
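The following added example (not part of the original page) turns off the services in the table only where they are actually installed, then audits the output of chkconfig --list for anything on the list that still starts at runlevel 3, which is the runlevel this build boots to. It assumes the real chkconfig; the service list is the one from the table, and the --run guard is this example's own convention.

```shell
#!/bin/sh
# Added example: disable the unneeded services where present, then audit
# `chkconfig --list` for anything on the list still on at a given runlevel.
# Assumes the real chkconfig(8).

UNNEEDED_SERVICES="apmd cups cpuspeed gpm smartd netfs rawdevices rpcidmapd portmap nfslock rpcgssd"

# services_on_at_level LEVEL : reads `chkconfig --list` output on stdin and prints the
# SysV services that are 'on' at runlevel LEVEL. xinetd sub-entries ("  rsync: off")
# have a different shape and are ignored.
services_on_at_level() {
    awk -v want="$1:on" '
        NF >= 8 && $2 ~ /^0:/ {            # SysV row: name 0:off 1:off 2:on ... 6:off
            for (i = 2; i <= NF; i++) if ($i == want) { print $1; break }
        }'
}

# still_enabled LEVEL NAME... : prints those NAMEs that are on at LEVEL
# (stdin = chkconfig --list output)
still_enabled() {
    lvl=$1; shift
    on=$(services_on_at_level "$lvl")
    for s in "$@"; do
        for o in $on; do
            if [ "$s" = "$o" ]; then echo "$s"; fi
        done
    done
    return 0
}

# disable_unneeded : chkconfig off at every runlevel, skipping services not installed here
disable_unneeded() {
    for s in $UNNEEDED_SERVICES; do
        if chkconfig --list "$s" >/dev/null 2>&1; then
            if chkconfig --level 0123456 "$s" off; then echo "disabled: $s"; fi
        else
            echo "absent:   $s"       # not installed on this box, nothing to do
        fi
    done
    return 0
}

# Only change the system when invoked as: sh disable_services.sh --run
if [ "${1:-}" = "--run" ]; then
    disable_unneeded
    left=$(chkconfig --list | still_enabled 3 $UNNEEDED_SERVICES)
    if [ -z "$left" ]; then
        echo "audit: nothing on the unneeded list starts at runlevel 3"
    else
        echo "audit: still on at runlevel 3: $left"
    fi
fi
```

The audit step is the part worth keeping around: chkconfig only records the boot-time setting, so re-running the audit after a yum update is a cheap way to notice a package that re-enabled its service.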
Network Configuration
Configure any additional network settings that were not configured, or were configured incorrectly, during the installation. The interface configuration files can be found in /etc/sysconfig/network-scripts.
For example (ifcfg-eth0):
DEVICE=eth0
BOOTPROTO=static
BROADCAST=10.10.1.255 ##### set to correct Broadcast
HWADDR= ##### leave as is
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.255.0 ##### set to correct SM
IPADDR=10.10.1.169 ##### set to correct IP
GATEWAY=10.10.1.1 ##### set correct GW
Make sure that /etc/hosts looks like the following:
127.0.0.1 localhost localhost.localdomain
10.10.1.169 server-new ##### set correct hostname and IP here
Make sure that /etc/resolv.conf looks like the following:
search pvalentino.lan pvalentino.org
nameserver 10.10.1.22
nameserver 10.10.1.33
Make sure /etc/sysconfig/network has the correct HOSTNAME entry.
Make sure you can access the network, and resolve any problems before continuing, as the following steps require network access.
Install Package Management and Patch the System
Refer to my other document regarding Centralized YUM setup to use these settings, otherwise just point your yum.conf to the appropriate internet based repository for your build.
Run the following as root to install YUM, the package management system:
mkdir /root/yum ; cd /root/yum
For 32 bit systems:
wget http://patch.pvalentino.org/repository/yum/yum-rhel4-i386.tar.gz
tar xzvf yum-rhel4-i386.tar.gz
rpm -ivh *.rpm
cd /root
rm -rf yum
For 64 bit systems:
wget http://patch.pvalentino.org/repository/yum/yum-rhel4-x86_64.tar
tar xvf yum-rhel4-x86_64.tar
cd yum_install
rpm -ivh *.rpm
cd /root
rm -rf yum
Now, run the following to patch the system to the latest patch revisions:
32 bit:
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y update
64 bit:
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y update
After the patching is completed, reboot the system.
Install xinetd
xinetd is not installed by a minimal install in some cases, and Netbackup requires it. Run the following:
32 bit:
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf install xinetd
64 bit:
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf install xinetd
Then run:
service xinetd start
Install Other Packages
Run the following to ensure we didn’t miss any required packages:
On 32 bit systems:
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y install openldap-clients emacs mkisofs net-snmp net-snmp-libs net-snmp-utils
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y install compat-libgcc-296 compat-glibc compat-libstdc++-33 compat-libstdc++-296 gcc-c++ dev86
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf -y install samba samba-client
Or for 64 bit systems:
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install openldap-clients emacs mkisofs net-snmp net-snmp-libs net-snmp-utils
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install compat-libgcc-296 compat-glibc compat-libstdc++-33 compat-libstdc++-296 gcc-c++ dev86
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install samba samba-client
Install and Configure NTP
Run the following to install the NTP service:
32 bit:
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-i386.conf install ntp
64 bit:
yum -c http://patch.pvalentino.lan/repository/patch/current/rhel4-x86_64.conf -y install ntp
Run the following to configure NTP:
cat <<EOF > /etc/ntp.conf
restrict 10.20.0.1 mask 255.255.255.255
server 10.20.0.1
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
authenticate yes
keys /etc/ntp/keys
EOF
echo "10.20.0.1" > /etc/ntp/step-tickers
echo "10.20.0.1" > /etc/ntp/ntpservers
For ESX…
Run the following command. This opens the appropriate ports and enables the NTP daemon to talk with the external server.
esxcfg-firewall --enableService ntpClient
Restart the NTP service…
service ntpd restart
To enable the NTP daemon to autostart when the server is rebooted, run:
chkconfig --level 345 ntpd on
Monitor the NTP service as desired:
To see the offset (in seconds) between the local clock and the source clock configured in /etc/ntp.conf, run:
ntpdate -q 10.20.0.1
Then sync the hardware clock to the system clock:
hwclock --systohc
If you are running a VMWare host, you will also want to edit /etc/grub.conf and add "clock=pit" to the end of the first entry's "kernel" line, like such:
kernel /vmlinuz-2.6.9-42.0.10.ELsmp ro root=LABEL=/ clock=pit
This will set the kernel to use a different method for counting clock ticks which is more compatible with running under the VMWare environment.
Install VMWare Tools
If the server is a VMWare host, you will need to install the VMWare tools package.
Open the console for the system, and log in as root. You MUST do this from the console, and not from a SSH session.
Select "Install VMWare Tools..." from the "VM" menu on the console window. On the system, do the following:
- mount /media/cdrom
- cd /root
- tar xvzf /media/cdrom/VMwareTools*tar.gz
- umount /media/cdrom
- cd vmware-tools-distrib
- ./vmware-install.pl
- Accept all the defaults
- Reboot the system after the install finishes.
Security and Configuration Standards
Security Banners
Run the following to set the standard pvalentino security banner:
cat <<EOF > /etc/issue
*******************************************************************************
* pvalentino's systems must only be used for conducting pvalentino's *
* business or for purposes authorized by pvalentino. *
* *
*******************************************************************************
* *
* Use is subject to audit at any time by pvalentino. *
* *
*******************************************************************************
EOF
/bin/cp -f /etc/issue /etc/issue.net
/bin/cp -f /etc/issue /etc/motd
IPTables Configuration
Back up the existing /etc/sysconfig/iptables and replace it with the following:
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
cat <<EOF > /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:NETBACKUP - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#### ENABLE THESE ON ORACLE ONLY
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
#### END OF ORACLE ENTRIES
# Netbackup ports get filtered to the NETBACKUP chain
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13701 -j NETBACKUP
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13711 -j NETBACKUP
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13720:13724 -j NETBACKUP
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 13782:13783 -j NETBACKUP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13701 -j NETBACKUP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13711 -j NETBACKUP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13720:13724 -j NETBACKUP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 13782:13783 -j NETBACKUP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
##### End of RH-Firewall-1-INPUT definitions #####
# Netbackup chain -- only allow netbackup ports to/from netbackup servers
-A NETBACKUP -s 10.30.1.30 -j ACCEPT
-A NETBACKUP -s 10.40.1.20 -j ACCEPT
-A NETBACKUP -d 10.30.1.30 -j ACCEPT
-A NETBACKUP -d 10.40.1.20 -j ACCEPT
-A NETBACKUP -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
And then restart IPTables:
service iptables restart
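An added check, not part of the original page: the script below reads a ruleset in the /etc/sysconfig/iptables format shown above and lists every port that accepts new connections, confirms the RH-Firewall-1-INPUT chain still ends in a catch-all REJECT, and fails when any TCP port other than 22 is open. It is meant to be run after the file is written and before service iptables restart, so an Oracle-only port uncommented on the wrong host is caught. The chain name is the one from the ruleset above; the --run guard and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables-save style ruleset against the build policy
# "SSH only; Oracle ports only on Oracle hosts". Reads the file, changes nothing.

# open_ports : stdin = ruleset; prints proto/port for every active ACCEPT rule that
# has a --dport. Commented-out rules (the Oracle block) are ignored, and rules that
# jump to another chain (the NETBACKUP lines) are not counted as open.
open_ports() {
    awk '
        /^#/ { next }
        /^-A / && / -j ACCEPT( |$)/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto "/" port
        }'
}

# has_default_reject CHAIN : stdin = ruleset; true when the last rule appended to
# CHAIN is an unconditional REJECT or DROP, i.e. the chain is default-deny.
has_default_reject() {
    awk -v chain="$1" '
        /^#/ { next }
        $1 == "-A" && $2 == chain { last = $0 }
        END { if (last ~ /^-A [^ ]+ -j (REJECT|DROP)/) exit 0; exit 1 }'
}

# check_ssh_only FILE : exit 0 when tcp/22 is the only TCP port accepting new
# connections; otherwise prints the extras and exits 1.
check_ssh_only() {
    extra=$(open_ports < "$1" | grep '^tcp/' | grep -v '^tcp/22$' || true)
    if [ -n "$extra" ]; then
        echo "TCP ports beyond SSH accept new connections: $(echo $extra | tr ' ' ',')"
        return 1
    fi
    return 0
}

# Usage: sh audit_iptables.sh --run [/etc/sysconfig/iptables]
if [ "${1:-}" = "--run" ]; then
    f=${2:-/etc/sysconfig/iptables}
    echo "accepting new connections on:"
    open_ports < "$f"
    if ! has_default_reject RH-Firewall-1-INPUT < "$f"; then
        echo "WARNING: RH-Firewall-1-INPUT does not end in a REJECT"
    fi
    check_ssh_only "$f"
fi
```

On the ruleset above the audit reports udp/631 and tcp/22; udp/631 is the CUPS browsing port left in by the installer's default, which is harmless once the cups service is disabled but can be dropped from the file if you prefer the ruleset to match the service list exactly.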
Kernel Parameters
Run the following:
cat <<EOF >> /etc/sysctl.conf
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.sem = 250 32000 100 128
fs.file-max = 104032
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default = 1048576
net.core.rmem_max = 1048576
net.core.wmem_default = 262144
net.core.wmem_max = 262144
EOF
Then run:
sysctl -p
For Oracle:
# replace kernel.shmmax from above with the following parameters for ORACLE db server
kernel.shmmax = 4294967296
You will need to reboot the system for these changes to take full effect; the system is rebooted in a later step of this document.
Process and File Handle Limits
Add the following lines to /etc/security/limits.conf:
* hard nproc 8192
* hard nofile 8192
Oracle specific:
/etc/sysctl.conf:
fs.file-max = 65536
/etc/security/limits.conf modifications (open file descriptors, system wide <nofile>: 65536; max procs for a single user, system wide <nproc>: 16384):
oracle soft nproc 15360
oracle hard nproc 16384
oracle soft nofile 64512
oracle hard nofile 65536
Add this line to /etc/pam.d/login if it doesn't already exist:
session required pam_limits.so
Inittab Setting
/etc/inittab needs to be modified to ensure that the system boots to runlevel 3. Edit /etc/inittab and look for the line that has the word initdefault in the third colon-delimited field, like this:
id:3:initdefault:
If the number in the second field is not 3, change it.
Default Password Expiration
pvalentino standard is that passwords should expire after 90 days, and must be at least 7 characters in length. Edit /etc/login.defs and update the following lines:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 7
PASS_WARN_AGE 7
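An added example, not from the original document: a small script that applies the four login.defs values above with a replace-or-append helper (so a commented-out or differently-valued line is rewritten rather than duplicated), and then pushes the same aging values onto accounts that already exist. The second step matters because login.defs only governs accounts created after the edit; the root and oracle/user accounts created during this build keep whatever expiry they had until chage is run. It assumes shadow-utils chage; the file paths default to the system ones and the --run guard is this example's convention.

```shell
#!/bin/sh
# Added example: apply the pvalentino password-aging standard to /etc/login.defs
# and to existing interactive accounts. Assumes shadow-utils chage(1).

# set_login_def FILE KEY VALUE : rewrite an existing KEY line (even if commented
# out) or append one; never leaves two KEY lines behind.
set_login_def() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[# \t]*" k "[ \t]") { if (!done) { print k "\t" v; done = 1 }; next }
        { print }
        END { if (!done) print k "\t" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_login_def FILE KEY : prints the active (uncommented) value of KEY
get_login_def() {
    awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# apply_password_policy [FILE] : the values from the standard above
apply_password_policy() {
    f=${1:-/etc/login.defs}
    set_login_def "$f" PASS_MAX_DAYS 90
    set_login_def "$f" PASS_MIN_DAYS 0
    set_login_def "$f" PASS_MIN_LEN 7
    set_login_def "$f" PASS_WARN_AGE 7
}

# aging_targets PASSWD_FILE [MIN_UID] : interactive accounts (uid >= MIN_UID with a
# real shell). login.defs only affects accounts created later, so these need chage.
aging_targets() {
    awk -F: -v min="${2:-500}" '$3 >= min && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Only modify the system when invoked as: sh password_policy.sh --run
if [ "${1:-}" = "--run" ]; then
    apply_password_policy
    for u in $(aging_targets /etc/passwd); do
        chage -M 90 -m 0 -W 7 "$u" && echo "aging set: $u"
    done
fi
```

Two caveats a practitioner should keep in mind: chage -l username shows whether the aging actually took on an existing account, and on a PAM-based system such as RHEL 4 the minimum password length is enforced by pam_cracklib's minlen setting in /etc/pam.d/system-auth rather than by PASS_MIN_LEN, so the 7-character rule above needs to be checked there as well.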
Create User Account(s)
Since root access is limited to the console, you will need to add a personal account in order to ssh into the system and su to root. Run the following:
To create an oracle user (only required on an Oracle server):
groupadd -g 502 oinstall ; useradd -m -u 500 -g oinstall oracle ; passwd oracle
To create a standard user:
useradd -m -u 701 [username] ; passwd [username]
# replace [username] with the appropriate username
NOTE! Be sure you can su - username to the standard user before changing the following settings, since they restrict root access.
Restrict Root Access and Enable Public Key Authentication
Root access should only be done via the system console.
Edit /etc/ssh/sshd_config and look for the line that reads:
#PermitRootLogin yes
Change that to read:
PermitRootLogin no
Remove comment markers from beginning of the following two lines.
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Save the file and exit the editor. Then run the following:
service sshd restart
Configure Sendmail
Sendmail must be configured to send out email. Edit /etc/mail/sendmail.cf and find the lines that read:
# "Smart" relay host (may be null)
DS
Change it to read:
# "Smart" relay host (may be null)
DSmail.pvalentino.org
Save and exit. Then run:
service sendmail restart
Limit Failed Logins
Through use of the Pluggable Authentication Modules (PAM), we can lock out multiple failed login attempts. To install, first run:
touch /var/log/faillog
Edit /etc/pam.d/system-auth and add to the top of the auth lines:
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
Add to the bottom of the account lines:
account required /lib/security/$ISA/pam_tally.so deny=3 reset no_magic_root
Save and quit.
To see who currently has failed login attempts, run the command:
/sbin/pam_tally
To unlock an account, run:
/sbin/pam_tally --user username --reset
Lockdown SU and SUDO Access
Add users that require access to root to the wheel group:
usermod -G wheel <username>
The following line must be present in /etc/pam.d/su:
auth required /lib/security/$ISA/pam_wheel.so use_uid
The simplest way is to back up the file and replace it with the version below. The heredoc delimiter is quoted so the shell does not expand $ISA to an empty string; PAM expands it itself at runtime.
cp /etc/pam.d/su /etc/pam.d/su.bak
cat <<'EOF' > /etc/pam.d/su
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_wheel.so use_uid
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_stack.so service=system-auth
session optional /lib/security/$ISA/pam_xauth.so
EOF
Using the visudo command, add entries as follows:
# for full admin
username ALL=(ALL) ALL
Register System with Redhat
The system should be registered with Redhat for monitoring and support purposes. First, import Redhat's GPG key into the RPM system with the following command:
rpm --import /usr/share/rhn/RPM-GPG-KEY
Then run the following to register the system:
up2date --register
Select “Next” until you get to 'Step 2: Register a User Account'. Enter the Educational Credit RHN username, enter the password in both password fields, and enter your email address. You will need to do this even if you already have an account. Select “Next”.
Use the system's name for the profile name, and make sure the 'Include the following information about hardware and network' checkbox is checked. Select “Next”.
Make sure the 'Include RPM packages installed on this system in my System Profile' checkbox is checked, and select “Next”. Select “Next” again to finish the registration process, and then click 'Finish' to leave the program.
If you run into an error when trying to register a system, we may not have any available licenses from Redhat. Licenses will either need to be reclaimed from dead systems, or more licenses will need to be purchased.
Create Standard Mountpoints
Run the following to create the standard mountpoints on the system:
for i in apps data log export auto; do mkdir /${i}; done
Reboot the System
After making all of the above changes, you must reboot the system to make sure all the configuration changes take effect. Run the following command on the system as root:
shutdown -r now
(or, equivalently, init 6)
Install Netbackup
Submit a ticket to the Backup group to have the Netbackup client installed onto the system, and configured to back up the critical filesystems.
cd /tmp
wget http://patch/install/Netbackup5.1/linuxclient.tar
tar xvpf linuxclient.tar
/bin/sh /tmp/bp/bin/client_config
Edit /usr/openv/netbackup/bp.conf with the appropriate server and client settings.
Configure Big Brother
Add the bigbrother user and then add the server's public key to the authorized_keys file on this client:
useradd -m bigbrother; passwd bigbrother
su - bigbrother
mkdir .ssh; chmod 755 .ssh; cd .ssh; touch authorized_keys; chmod 644 auth*
vi auth*
Paste the current keys for the bigbrother server into the file, making sure not to add any whitespace or extra characters.
Log into system ‘bigbrother’ as user 'bigbrother', and add a line like the following into the appropriate section of /home/bigbrother/bb/etc/bb-hosts
ip.address.y.z hostname.pvalentino.tld # svcs cpu disk msgs procs
Restart Big Brother with the following command:
Version 1.9:
cd /home/bigbrother/bb ; ./runbb.sh restart
Version 3.2:
service bigbrother restart