Hornford Associates


Virtual CentOS 5

A key feature of Red Hat Enterprise Linux Advanced Platform is embedded virtualization. With RHEL Advanced Platform, Xen virtualization allows virtualized guests running multiple operating systems, multiple versions, and multiple performance and security settings, all on the same server. The open-source path, Red Hat's commercial use of open-source Xen, enables the CentOS community to exist (Red Hat's support of the Xen project must be noted).
Note: Ironically, we run our test CentOS 5 virtual servers on Macintosh OS X-based Parallels Desktop, and Windows 2003-based VMware ESX guest images.

CentOS 5 (Red Hat Linux 5)

We are updating this howto to support CentOS 5. Red Hat released the RHEL 5 source in April 2007, and in early April the CentOS project provided a final release of CentOS 5. We are in the process of running through the base installation & detailed configuration to confirm all the directions.
The following How-to is a work-in-progress based on CentOS 5. It will have typos, spelling errors, gaps & errors until we have completed a detailed run-through and updated the steps. While this is underway we are maintaining the legacy open-source howtos at www.old.hornfordassociates.com.

Audience and Summary

This Virtual CentOS Linux Server How-To is written for small/medium businesses looking at providing virtual servers operating within their CentOS 5 environment.
This How-to will provide the infrastructure to support normal business operations including TBD

Applications Used

For an overview discussion of why these applications were used look here. Core application list:

How-to Introduction

The following link provides step-by-step instructions to install and perform a base configuration of a CentOS 5 server.
These steps are common to several CentOS How-tos.

First Login

NEVER log in as root. Always log in as a user with fewer privileges. The fewer privileges your account has, the less likely you are to cause inadvertent damage. If more than one person administers a server, provide each of them with an administration account; do not share the sysadmin account. In many SMBs the system administrator will also be a normal user. In this case use the sysadmin account for administration and the personal account for normal day-to-day use of the system.

Login As Root

No other accounts have been created, so the next section must be performed as root.


As an alternative you can log on to your server through SSH. We will disable direct login by root in this configuration section.

Yum

The mainstream installing/uninstalling/updating tool in CentOS is YUM (Up2Date is also installed and supported). YUM is an adequate text-based update tool that you will have to learn in order to manage a CentOS server. Once Webmin is installed, YUM is used through Webmin's graphical interface. For a detailed How-to on Yum see this link.
Note: The best overall update tool is Mandriva's. It clearly tells you which applications are being upgraded because of a security fix, bug fix or enhancement, and enables adding new applications at the same time. The closest available on CentOS is Webmin's Software module and YUM for updates, which are used in this How-to. Note: Often running Yum update will result in a prompt asking if you want to install the CentOS GPG key. However, in our experience this doesn't occur on all releases.
The GPG key helps ensure that only packages signed by a trusted source can be installed on your system. If you would rather not have this key installed automatically, you can import it manually.

Enter:
rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-centos5

Next perform a basic update. This initial update helps ensure that Yum itself and the CentOS Yum configuration are up-to-date. This update will also highlight applications that were installed that you don't want.

Clean-up

Use the initial YUM update to review installed applications that you are not interested in keeping. If the update identifies an application you do not need (gaim, Bluetooth, wireless services, etc.), stop the update and uninstall that application.
Note the unwanted applications and adjust both your Technical Architecture for your CentOS servers and your kickstart file.


Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
kernel i686 2.6.18-8.1.1.el5 updates 12 M
Updating:
Deployment_Guide-en-US noarch 5.0.0-21.el5.centos updates 7.3 M
autofs i386 1:5.0.1-0.rc2.43.0.2 updates 760 k
bind-libs i386 30:9.3.3-8.el5 updates 834 k
bind-utils i386 30:9.3.3-8.el5 updates 162 k
dhclient i386 12:3.0.5-5.el5 updates 274 k
file i386 4.17-9 updates 320 k
gnupg i386 1.4.5-13 updates 1.8 M
kernel-headers i386 2.6.18-8.1.1.el5 updates 724 k
krb5-libs i386 1.5-23 updates 593 k
krb5-workstation i386 1.5-23 updates 894 k
libgcc i386 4.1.1-52.el5.2 updates 82 k
libstdc++ i386 4.1.1-52.el5.2 updates 350 k
module-init-tools i386 3.3-0.pre3.1.16.0.1.el5 updates 411 k
nss i386 3.11.5-3.el5.centos updates 799 k
nss-tools i386 3.11.5-3.el5.centos updates 650 k
tzdata noarch 2007d-1.el5 updates 746 k

Transaction Summary
=============================================================================
Install 1 Package(s)
Update 16 Package(s)
Remove 0 Package(s)

Total download size: 29 M

The first update we performed found the highlighted Deployment Guide in need of an update. We decided we didn't want the Deployment Guide on every server.

Enter
yum remove Deployment_Guide-en-US
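The review step above is easy to skip when a transaction lists sixteen packages. The following script is an added example, not part of this how-to: it reads a saved copy of the yum transaction table and flags any package that appears on a review list, so the same check can be run after every update. The review list and the sample log are constructed here for illustration; the package names are the ones this page discusses.

```shell
#!/bin/sh
# Added example, not part of the Hornford how-to: scan a saved `yum update`
# transaction table and flag packages that should not be on a server, so the
# review step is repeatable instead of eyeballing the list each time.
# Usage: yum update 2>&1 | tee /root/yum-update.log   (answer N at the prompt)
#        flag_unwanted /root/yum-update.log

# Constructed review list, one package name per line. Extend it as your
# technical architecture and kickstart file evolve.
UNWANTED_LIST='Deployment_Guide-en-US
gaim
finger
cups
cups-libs
bluez-libs
desktop-file-utils'

# flag_unwanted FILE
# Prints "ACTION name version" for every package in the Installing:/Updating:
# sections of a yum transaction table whose name is in UNWANTED_LIST.
flag_unwanted() {
  awk -v list="$UNWANTED_LIST" '
    BEGIN { n = split(list, names, "\n"); for (i = 1; i <= n; i++) want[names[i]] = 1 }
    # section headers, e.g. "Installing:" or "Installing for dependencies:"
    /^(Installing|Updating|Removing)( for dependencies)?:$/ { action = $1; sub(/:$/, "", action); next }
    /^Transaction Summary/ { action = "" }
    # package rows: name arch version repository size
    action != "" && NF >= 4 && ($1 in want) { print action, $1, $3 }
  ' "$1"
}

# Constructed sample that mirrors the transaction table shown above.
SAMPLE_LOG='Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
kernel i686 2.6.18-8.1.1.el5 updates 12 M
Updating:
Deployment_Guide-en-US noarch 5.0.0-21.el5.centos updates 7.3 M
gnupg i386 1.4.5-13 updates 1.8 M
tzdata noarch 2007d-1.el5 updates 746 k

Transaction Summary
=============================================================================
Install 1 Package(s)
Update 3 Package(s)
Remove 0 Package(s)'

# run_sample : write the sample to a temporary file and run the check on it.
run_sample() {
  tmp=$(mktemp) || return 1
  printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  flag_unwanted "$tmp"
  rm -f "$tmp"
}

run_sample    # prints: Updating Deployment_Guide-en-US 5.0.0-21.el5.centos
```

Anything the script prints is a package to remove with yum remove before letting the update proceed, and a name to add to the kickstart file's exclusion list.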

Clean-up known unwanted applications

There are a number of applications that keep getting installed despite best efforts. Some, like gaim, an instant messenger client, have no business being on a server.

Enter:
yum remove finger gaim cups-libs cups bluez-libs desktop-file-utils
Note: Finger should only be installed if you have a good reason, gaim is unnecessary on a server, and print management should only be there if you want it. Removing this list also removes the Bluetooth utilities (I'm sure someone has a good reason for Bluetooth on their headless remotely managed servers; we don't).

Other applications we'd rather not have, such as wireless-tools, are required dependencies of other applications we'd like to have.


Switch PostFix for Sendmail

yum install postfix
yum remove sendmail

Note: You must install PostFix before removing Sendmail. Your system needs an MTA and sendmail is the default.

Look for more

Look in /root at install.log for a full list of installed applications.

Enter
more /root/install.log

Review the list and make your choices. Remember to update your kickstart-file.

Webmin Installation & Basic Webmin Configuration

Webmin is a web-based graphical Linux/UNIX system administration tool developed by Jamie Cameron. Webmin is lightweight, functional, and easily extensible. Using any browser that supports tables and forms, you can perform normal system administration (set up user accounts, DNS, file sharing, etc.).
Best operational practice uses auditable tools to manage configuration, and Webmin provides a solid tool. Using a tool avoids the need to remember the details of every configuration file; where the graphical interface gets in the way, Webmin also provides direct access to the configuration files.
As a rule we recommend limiting the use of applications to those drawn from an established repository. For Webmin we do not follow this guideline and recommend going direct to the developer.

Webmin Guides

www.linuxjunkies.org/adminstration%20Howto/webminguide/book1.htm
webmin.com

Fetch Webmin

The first step is to fetch Webmin using curl. Webmin uses SourceForge, so the URL will change; look at the Webmin website for a download link.
You can save the Webmin RPM to the RPM repository, or simply save it in root's home directory. We save it in root's home, then delete it after installing.

Enter
curl -o (name of file to save to) (url of file)
Enter
curl -o webmin-1.330-1.noarch.rpm http://umn.dl.sourceforge.net/sourceforge/webadmin/webmin-1.330-1.noarch.rpm

While we are still installing tools from the command line it is a good idea to install perl-Net-SSLeay. This package is required for Webmin to use SSL.

Enter
yum install perl-Net-SSLeay

Install Webmin

With Webmin's RPM saved in Root's home directory the next step is to install Webmin, then delete the RPM to clean-up.

Enter:
rpm -Uvh webmin-1.330-1.noarch.rpm

After a successful install enter:
rm webmin-1.330-1.noarch.rpm

With Webmin's install complete and Webmin started you can now login to https://centos5.limestone.lan:10000/
Note: you may need to use the IP address instead of the hostname if you are using DHCP, or do not have DNS configured for your new server.

Root

Again, you will have to login as root. This will be the last time we directly connect as root.

Default Webmin Theme

Preferred Theme

Note: We prefer the old MSC.Linux theme.

Minimum Security

We will need to fix a number of things:

  1. Create a new user
    Stop using root!
  2. Convert Webmin to https from http
  3. Change port to 443
  4. Enable logging
  5. Change SSH to prevent Root login
  6. Set Webmin update
  7. Back-up base Configuration

Create a new user

  1. Select Webmin's System Tab
  2. Select Users & Groups Module
  3. Create New User
    username: sysadmin (use the real name of a sysadmin, NOT a generic user account)
    Real Name: System Administrator
    User ID: 5000
    Note: CentOS defaults at 500, we recommend planning your users community and using UID & GID blocks to support administration.
    Normal Password: Enter Password
    Note: If you have a number of users that must be created look at the ability of webmin to create users from a batch-file. In any event, if you are not using Directory Services today set yourself up to use a Directory in the future and ensure user names, UIDs & GIDs are common across systems
  4. Select Webmin's Webmin Tab
  5. Select Webmin Users
  6. Create sysadmin as a user with UNIX authentication. Select access to all modules
  7. Logout
  8. Login as "sysadmin"
  9. Select Webmin's Webmin Tab
  10. Select Webmin Users
  11. Delete root as a Webmin User

Convert Webmin to https from http

Note: If you started with perl-Net-SSLeay installed, SSL is automatically enabled. Then simply follow the directions to re-route all http traffic to https.
Encrypting administrative traffic, and user names/password combinations, is simply a good idea.

  1. Select Webmin's Webmin Tab
  2. Select Webmin Configuration Module
  3. Select SSL Encryption Module
    Note: This section follows the simple default of using the SSL certificate that is provided. It generates errors at every access - you can create a self-signed certificate here, or upload a proper SSL certificate. The correct option depends upon your requirements. We tend to use the default & click 'OK' often.
  4. Select Enable SSL
  5. Select Redirect non-SSL requests to SSL mode
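The default certificate the note above mentions is the same file in every Webmin download, which is why browsers complain on every visit: there is nothing tying it to your server. The script below is an added example, not Webmin's own tooling or this how-to's, that generates a per-server self-signed certificate and writes it in the single PEM file (key followed by certificate) that Webmin's miniserv reads. It assumes openssl is installed, that Webmin's key file lives at its default location /etc/webmin/miniserv.pem, and uses the hostname centos5.limestone.lan from the login URL above; the output directory is a parameter so it can be tried safely before copying the result into place.

```shell
#!/bin/sh
# Added example, not the how-to's own: replace the stock Webmin certificate,
# which ships identically with every copy of Webmin, by a per-server
# self-signed certificate. Assumes openssl is installed and that Webmin's
# miniserv.conf points keyfile= at /etc/webmin/miniserv.pem (the default).

# make_webmin_cert HOSTNAME OUTDIR
# Generates a 2048-bit RSA key and a one-year self-signed certificate for
# HOSTNAME, then writes them as the single PEM file miniserv expects.
# Runs in a subshell so the umask change does not leak into the caller.
make_webmin_cert() (
  host=$1; dir=$2
  umask 077                                    # key material: owner-readable only
  mkdir -p "$dir" || exit 1
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/CN=$host" \
    -keyout "$dir/miniserv.key" -out "$dir/miniserv.crt" 2>/dev/null || exit 1
  cat "$dir/miniserv.key" "$dir/miniserv.crt" > "$dir/miniserv.pem"
  rm -f "$dir/miniserv.key" "$dir/miniserv.crt"
  chmod 600 "$dir/miniserv.pem"
  printf '%s\n' "$dir/miniserv.pem"
)

# cert_cn PEMFILE : print the CN the certificate in PEMFILE was issued to
# (handles both "subject=CN = host" and older "subject= /CN=host" output).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s|^/CN=||'
}

# key_matches_cert PEMFILE : succeed only if the private key and the
# certificate in the same file carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# On the server, as root, once the file checks out:
#   pem=$(make_webmin_cert centos5.limestone.lan /root/webmin-cert)
#   key_matches_cert "$pem" && cp -p "$pem" /etc/webmin/miniserv.pem
#   /etc/init.d/webmin restart
```

Browsers will still warn once, because the certificate is self-signed, but after the warning is accepted for this specific certificate a later change of key (for example a re-installed or impersonated server) shows up as a new warning rather than the same warning every time.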

Change port to 443

Webmin's default port 10000 often requires changes to firewalls for access. We tend to switch to 443 to enable access from wherever we are.

  1. Select Webmin's Webmin Tab
  2. Select Webmin Configuration Module
  3. Select Ports and Addresses Module
  4. Change port 10000 to 443
    Note: You can have Webmin monitor multiple ports
    Note: If you want more than two, you will need to Save & Re-open multiple times.

Enable logging

Webmin's default logging is fairly good. However, we have the option of extending the logging to allow for configuration roll-backs. It isn't perfect, but any opportunity we have to undo a mistake is a good thing.

  1. Select Webmin's Webmin Tab
  2. Select Webmin Configuration Module
  3. Select Logging Module
  4. Select: Log changes made to files by each action
  5. Select: Record all modified files before actions, for rollbacks

Note: Without selecting the time-based rollback we will need to rotate Webmin's log on a regular basis.

Change SSH to prevent Root login

By default CentOS 5 allows SSH login by Root. This is necessary for remote installation, but is poor operational practice (anti-pattern).

  1. Select Webmin Servers Tab
  2. Select SSH Server Module
  3. Select Authentication Module
  4. Deny Root login

Extra SSH Security Configuration

If your system is in an exposed location it is a good idea to use the SSH network configuration to limit the network locations that can SSH to the server. We will also use the firewall to limit this: security for exposed systems isn't so much 'belt & suspenders' as 'belt, suspenders, wellingtons, 'Nor-wester, PFD, North Atlantic immersion suit, & satellite phone'.

  1. Select Network Module
    Configure appropriate network range. We include the full network range of our administrators ISPs to protect against random DHCP changes.
  2. Select Access Control Module
    Enter allowed users in 'Only allow users'
  3. Apply Changes
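The two SSH sections above are driven through Webmin, but each switch is a single directive in /etc/ssh/sshd_config, and knowing which one makes the change auditable from the command line. The script below is an added example, not this how-to's own: it backs up the file, sets PermitRootLogin no (Webmin's "Deny root login"), AllowUsers sysadmin ("Only allow users"), and Protocol 2, and reads back the value sshd would use. It assumes directives are outside any Match block and use their canonical spelling (sshd matches them case-insensitively; this script does not), and that the user name is the sysadmin account created above.

```shell
#!/bin/sh
# Added example, not the how-to's own: the sshd_config directives behind the
# Webmin switches in the two sections above, applied with a dated backup so
# the change can be undone. Assumes directives sit outside Match blocks and
# use canonical spelling; VALUE must not contain '|' or '&'.

# set_sshd_option FILE KEY VALUE
# Rewrites every KEY line, commented out or not, as "KEY VALUE"; appends the
# directive if FILE does not mention KEY at all. The edit goes through a
# temporary file and cat so FILE keeps its owner and mode.
set_sshd_option() {
  f=$1; k=$2; v=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$k([[:space:]]|\$)" "$f"; then
    tmp=$(mktemp) || return 1
    sed -E "s|^[[:space:]]*#?[[:space:]]*$k([[:space:]].*)?\$|$k $v|" "$f" > "$tmp" \
      && cat "$tmp" > "$f"
    rm -f "$tmp"
  else
    printf '%s %s\n' "$k" "$v" >> "$f"
  fi
}

# get_sshd_option FILE KEY : print the value sshd would use (first active line).
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd [FILE] : back up, then apply the how-to's SSH settings.
harden_sshd() {
  f=${1:-/etc/ssh/sshd_config}
  cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)" || return 1
  set_sshd_option "$f" PermitRootLogin no     # Webmin: "Deny root login"
  set_sshd_option "$f" Protocol 2             # no SSH-1 on a CentOS 5 box
  set_sshd_option "$f" AllowUsers sysadmin    # Webmin: "Only allow users"
}

# check_sshd_config [FILE] : let sshd validate the file before reloading it.
# Run this on the server itself; sshd -t also wants the host keys present.
check_sshd_config() {
  sshd -t -f "${1:-/etc/ssh/sshd_config}"
}

# On the server, as root, from a session you keep open until the new
# settings are confirmed to work:
#   harden_sshd && check_sshd_config && service sshd reload
if [ -n "${SSHD_CONFIG_FILE:-}" ]; then harden_sshd "$SSHD_CONFIG_FILE"; fi
```

Keep the existing SSH session open while reloading and test a fresh login as sysadmin from a second window; with AllowUsers in place, a typo in the user name locks everyone out, and the dated backup is what you restore from.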

Set Webmin update

Webmin has been compromised in the past. A system we maintain was compromised through the Webmin Usermin Arbitrary File Disclosure Vulnerability (July 2006) that affected versions 1.28 and below. The system that was exploited was not running a current version of Webmin. We were not monitoring Webmin's site, rather using Webmin provided as an RPM from a repository. Unfortunately, between the exploit and the update of the repository we were exploited.
Note: Best security practice is to stay on top of patching your system. In addition to limiting packages used to those from responsibly maintained repositories, subscribe to the announce list of the applications you install.

  1. Select Webmin's Webmin Tab
  2. Select Webmin Configuration
  3. Select Upgrade Webmin Module
  4. Add all administrative users to "New module grants"
  5. In "Update modules on schedule" section select 'Only Show Updates' and email report to your sysadmin.
  6. Save & Apply

Back-up base Configuration

Before going any further, create a configuration baseline and set a regular back-up of the Webmin configuration.

  1. Login via SSH
  2. SU to Root
  3. Enter:
    1. touch /var/backup/webmin-baseline
    2. touch /var/backup/webmin-daily
  4. Exit SSH connection
  5. Select Webmin's Webmin Tab
  6. Select Back-up Configuration Module
    1. Back-up Configuration Now
      Select all modules
      Enter /var/backup/webmin-baseline as local destination
      Include in backup Webmin module configuration files & Server configuration files
    2. Select Back-up Now
  7. Select "Add a new scheduled backup"
    1. Select all modules
      Enter /var/backup/webmin-daily as local destination
      Include in backup Webmin module configuration files & Server configuration files
    2. Schedule Daily at Midnight (Simple Schedule)

Configuration Back-up

It is always a very good idea to maintain a back-up of your system configuration files. Most applications maintain their configuration files where they belong in /etc.

  1. Login via SSH
  2. SU to Root
  3. Enter:
    1. touch /var/backup/etc-baseline.tar.gz
    2. touch /var/backup/etc-daily.tar.gz
  4. Exit SSH connection
  5. Select Webmin's Systems Tab
  6. Select File System Backup Module
    1. Add Back-up of new directory "/etc"
      Select in TAR format
    2. Select: File /var/backup/etc-baseline.tar.gz
    3. Select: Compress with gzip
    4. Select: Create
    5. Select: Action Backup
    6. Optional: Delete Selected Back-ups
  7. Create Daily Back-up
    1. Add Back-up of new directory "/etc"
      Select in TAR format
    2. Select: File /var/backup/etc-daily.tar.gz
    3. Select: Compress with gzip
    4. Select: Schedule at Times Below
    5. Select: Schedule
      Note: This will create a Crontab entry
    6. Select: Create & Back-up Now

This provides you with a baseline of /etc and a daily back-up. If you are making a number of changes we recommend returning to this module and manually taking a back-up before the changes are made. Being able to quickly return to a stable functioning system is the basic requirement of ITIL-based change management best practice.
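The Webmin module above produces the tar.gz files, but it does not address two things a practitioner wants from a backup of /etc: the archive contains /etc/shadow and service keys, so it must not be world-readable, and a backup that has never been read back is not yet known to be restorable. The script below is an added example, not this how-to's or Webmin's own code, that does the same job from the shell with a restrictive umask, a stored checksum, and a comparison between two archives to show what changed since the baseline. It assumes BACKUP_DIR defaults to the how-to's /var/backup and that the names etc-baseline and etc-daily are used as above.

```shell
#!/bin/sh
# Added example, not the how-to's own: a command-line equivalent of the Webmin
# File System Backup job above, with two things the module does not do for
# you: the archive is created unreadable to anyone but root (/etc holds
# /etc/shadow and service keys) and a checksum is stored so a restored copy
# can be verified. BACKUP_DIR defaults to the how-to's /var/backup.

BACKUP_DIR=${BACKUP_DIR:-/var/backup}

# sha256_of FILE : hex digest, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | cut -d' ' -f1
}

# backup_tree SRC NAME : write $BACKUP_DIR/NAME.tar.gz and NAME.tar.gz.sha256,
# print the archive path. Runs in a subshell so the umask change stays local.
backup_tree() (
  src=$1; name=$2
  umask 077
  mkdir -p "$BACKUP_DIR" || exit 1
  archive="$BACKUP_DIR/$name.tar.gz"
  tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || exit 1
  chmod 600 "$archive"
  sha256_of "$archive" > "$archive.sha256"
  printf '%s\n' "$archive"
)

# verify_backup NAME : fail if the checksum no longer matches or the archive
# cannot be read back in full.
verify_backup() {
  archive="$BACKUP_DIR/$1.tar.gz"
  [ "$(sha256_of "$archive")" = "$(cat "$archive.sha256")" ] || return 1
  tar -tzf "$archive" >/dev/null
}

# diff_backups OLD NEW : list files that differ between two archives, e.g. the
# baseline and today's copy, to see what changed in /etc before rolling back.
diff_backups() {
  ta=$(mktemp -d) && tb=$(mktemp -d) || return 1
  tar -xzf "$BACKUP_DIR/$1.tar.gz" -C "$ta" \
    && tar -xzf "$BACKUP_DIR/$2.tar.gz" -C "$tb" || return 1
  diff -rq "$ta" "$tb" | sed "s|$ta|$1|g; s|$tb|$2|g"
  rm -rf "$ta" "$tb"
}

# On a real server, as root:
#   backup_tree /etc etc-baseline          # once, before making changes
#   backup_tree /etc etc-daily             # from cron, daily
#   verify_backup etc-daily && diff_backups etc-baseline etc-daily
```

The diff output names the archives rather than the temporary extraction directories, so "Only in etc-daily/etc: ..." reads directly as a change made since the baseline was taken.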

Log Rotation

Base Configuration Complete

At this point we have a basic system installed & configured. We have provided minimal security, but must still protect this system with basic perimeter security.

To Do

  1. SELinux (default is installed & disabled)
  2. Basic Intrusion Detection
  3. Add logrotation to the Webmin logs
    Where are they now?