
Base CentOS 5 Installation and Configuration

Section Purpose - Base Installation

The following section provides step-by-step instructions to install and perform a base configuration of a CentOS 5 server.
We will start with a bare server and build it to the point where it can be remotely managed and configured for a specific purpose and application stack.

Reference SMB

The reference SMB for this how-to is a single-office business with fewer than 100 employees. All departments operate from the single location. A limited number of staff require regular remote access to information and services. Microsoft Windows desktops and laptops are networked over a wired Ethernet network. Several meeting spaces have wireless networks available. Internet connection is provided by a single 512 KB ADSL link. An external service provider hosts the SMB's internet presence and e-commerce activity.

Cookbook Format

This how-to follows a cookbook format.
While it will create a functional environment, this should only be your starting point. It is unwise to operate infrastructure key to your business if you do not really understand how it works or the implications of the settings that have been made.

Base Install Steps

Our base philosophy is to install only the applications that we need on a server. This approach requires more work upfront. However, avoiding unused, unwanted and unnecessary applications lowers operational requirements and minimizes exposure to security holes in applications. See Linux Management Best Practices.
Note: Install created on a MacBook using Parallels Desktop

  1. Planning
    'Think About' contains a discussion of what to pre-plan, as well as things to think about. Topics will include:
    1. Domain structure
    2. Network
    3. Storage
    4. Applications
  2. Obtain CentOS
    DVD (CD-ROM) ISOs are available from www.centos.org
    Note: The CentOS community is funded by volunteers and donations. Use of Bittorrent, and leaving your Bittorrent upload open, helps minimize the bandwidth burden.
    Hornford Associates supports the CentOS community by configuring one of our servers as a Bittorrent seed for CentOS 5 DVD and CentOS 5 CD ISOs.
    Are you helping the community?
    Note: This base install requires CDs 1 - 6. We recommend using the DVD.
  3. Boot your server with CentOS DVD or the CentOS CD set 1-6 and select graphical install
    Note: The best disk formatting tools are only available with a graphical install.
  4. Skip Media Test
    Note: You can burn a new set of media in the time this test takes.
    Note: Burn CDs at a speed below 24x; it will dramatically improve most success rates (the cheapest CDs the store sold, a commodity CD burner and the free software provided with your Windows PC do not combine into a high-performance CD/DVD burning set-up).
  5. Select Next at Welcome
  6. Select Language
    English(English)
  7. Select Keyboard
    Will default to US English

  8. Warning
    Either there will be a warning about your disk if this is a first install, or Anaconda, the install program, will look for old installations at this point. If you have old installations, completely overwrite them.
  9. Select Install Type
    Custom
  10. Format storage
    CentOS' automatic partitioning is fairly good. You won't go far wrong selecting automatic. If this is a test install, just select automatic.

    A detailed discussion of disk formatting is beyond the scope of this introductory how-to. At a minimum, separate the disk environment into a few separate mount points. Unless you understand what you are doing, and have a very good reason, you will be well served by a larger RAID 5 set, using LVM to create 'disks' that can be used as mount points. At a minimum use RAID 0 and mirror your primary disk - you will be happiest using hardware mirroring (we prefer HP ProLiant SmartArray for purely historic and habit reasons).

    This separation is partially for good reasons, and partially from habit. (For a review of the Linux file system click here.) One critical reason to separate volumes is protection against runaway processes. CentOS, like other professional server operating systems, should be able to sustain itself while problems happen; however, we do not like to rely on an operating system to save itself if it is causing problems. With separate partitions a runaway process cannot fill them all.

    Select Custom to create the mount points selected in 'Thinking About':
  11. Create two normal partitions
    This path is based on an unreasoned concern about LVM - we just feel better with the boot partition and swap existing outside of LVM

  12. Create a Physical Volume using the rest of the available disk
    Note: If you have multiple disks or RAID sets we do not suggest combining them using LVM. LVM does not provide data protection spanning volumes - failure of a subcomponent will effectively destroy your disk infrastructure.
    Future Exercise: Spend some time with a test system modifying your LVM settings. The first time we needed to enlarge a volume it was an emergency and a white-knuckle session with a production server. You will be happier trying this with a test server.
  13. Create the remaining partitions using LVM
    Note: We recommend leaving a bit of space unused in the Physical Volume. It allows you to adjust things after the fact without having to use LVM to shrink a volume.

    Note: We extend the default VolGroup and LogVol names. This is not necessary, but if we leave the defaults in place the next admin will have to guess more about the system's disk structure. However you proceed, be consistent.
  14. Select Next to accept Grub bootloader defaults
  15. Network
    Fill in the network setting from the 'Thinking About' page.
    Example uses
  16. Select location
    We recommend setting the system clock to UTC
    America/Edmonton
  17. Root Password
    Set a good root password (See: Password Detail). The root password provides a base level of protection.
  18. Unselect all default packages & select customize now
    Note: However well-meaning the defaults, we find far too many unwanted packages are included with default installations. Only install what you need.


    We recommend selecting only the Base System and looking through the optional packages to remove packages you do not want.


As a final step we will be building a kickstart file to use in future installations. The base kickstart is found at /root/anaconda-ks.cfg.

Select Next. This should require CentOS CD #1 (or the CentOS DVD). It will take a number of minutes to complete the base install.
Note: The kickstart file for this configuration will be made available for download.
Following the base install you will need to reboot your server to complete the install.

 

Congratulations, you have a minimally configured CentOS system.

First Boot Configuration

At every restart CentOS provides the ability to edit basic system services (Authentication, Firewall, Network & System Services)

 

Authentication

Allows you to configure the authentication model: local passwords, Winbind, LDAP, etc.
Note: in the future we will be experimenting with Winbind. Windows Active Directory is ubiquitous, and since 2003 RC it has included basic UNIX LDAP services. We are encouraged to see Winbind provided out of the box.

Firewall

The firewall will be configured and set elsewhere. The base configuration has the iptables firewall configured and limiting connections to TCP port 22. This is a responsible setting; however, it prevents use of Webmin. Select the Firewall option and disable it. We also disable SELinux (in part because so many of our CentOS/Red Hat systems run Oracle and Oracle requires this, in part because we are conservative and have not established an operational practice for SELinux).

Network

Allows you to reconfigure Network services.

System Services

Allows you to enable or disable system services at boot.

First Login

NEVER log in as root. Always log in as a user with fewer privileges. The fewer privileges your account has, the less likely you are to cause inadvertent damage. If more than one person administers a server, provide each with an administration account; do not share the sysadmin account. In many SMBs the system administrator will also be a normal user. In this case use the sysadmin account for administration and the personal account for normal day-to-day use of the system.

Login As Root

No other accounts have been created, so the next section must be performed as root.


As an alternative you can log on to your server through SSH. We will disable direct logon by root in this configuration section.

Yum

The mainstream install/uninstall/update tool in CentOS is YUM (up2date is also installed and supported). YUM is an adequate text-based update tool that you will have to learn to manage a CentOS server. Once Webmin is installed, YUM is used through Webmin's graphical interface. For a detailed how-to on Yum see this link.
Note: The best over-all update tool is Mandriva's. It clearly tells you which applications are being upgraded because of a security fix, bug fix or enhancement, and enables adding new applications at the same time. The closest available on CentOS is Webmin's Software module and YUM for updates, which are used in this how-to.
Note: Often running yum update will result in a prompt asking if you want to install the CentOS GPG key. However, in our experience this doesn't occur on all releases.
The GPG key helps ensure that only trusted sources for applications can be used on your system. If you would prefer not to have this key installed automatically, you can do this step manually.

Enter:
rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-centos5

Next perform a basic update. This initial update helps ensure Yum itself and the CentOS Yum configuration are up to date. It will also highlight applications that were installed that you don't want.
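The imported key only protects you if yum is told to verify signatures for each repository it uses. As an added example that is not part of the original how-to, the script below audits a yum .repo file for enabled sections that do not set gpgcheck=1; the sample repo file it scans is constructed here and is not the real CentOS file.

```shell
#!/bin/sh
# Added example, not part of the original how-to: audit yum repository files
# for sections that would accept unsigned packages. The imported GPG key is
# only enforced for a repository whose section is checked (gpgcheck=1).

# check_gpgcheck FILE
# Prints one WARN/FAIL line per enabled section that does not set gpgcheck=1.
# A section with no gpgcheck= line inherits the [main] default from yum.conf,
# so it is reported as WARN to be confirmed; gpgcheck=0 is a FAIL.
# yum treats a section with no enabled= line as enabled.
# Returns 0 when every enabled section explicitly sets gpgcheck=1, 1 otherwise.
check_gpgcheck() {
    awk '
        function report() {
            if (sect == "" || enabled == "0" || gpg == "1") return
            if (gpg == "")
                printf "WARN %s [%s]: gpgcheck unset, inherits the [main] default\n", FILENAME, sect
            else
                printf "FAIL %s [%s]: gpgcheck=%s, unsigned packages accepted\n", FILENAME, sect, gpg
            bad = 1
        }
        /^[ \t]*\[.*\][ \t]*$/ {          # a new [section] starts: report the previous one
            report()
            sect = $0
            sub(/^[ \t]*\[/, "", sect); sub(/\][ \t]*$/, "", sect)
            enabled = ""; gpg = ""
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ { split($0, kv, "="); gpg = kv[2]; gsub(/[ \t]/, "", gpg) }
        /^[ \t]*enabled[ \t]*=/  { split($0, kv, "="); enabled = kv[2]; gsub(/[ \t]/, "", enabled) }
        END { report(); exit bad + 0 }
    ' "$1"
}

# Constructed sample in the layout of a CentOS 5 *.repo file (illustrative
# values, not the real file). Expected: [updates] FAIL, [thirdparty] WARN,
# [base] ok, [contrib] skipped because it is disabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[base]
name=CentOS-$releasever - Base
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[updates]
name=CentOS-$releasever - Updates
gpgcheck=0

[contrib]
name=CentOS-$releasever - Contrib
enabled=0

[thirdparty]
name=Example third-party repository
enabled=1
EOF
if check_gpgcheck "$sample"; then
    echo "all enabled repositories verify signatures"
else
    echo "review the repositories above before running yum update"
fi
rm -f "$sample"
```

Run it over every file in /etc/yum.repos.d before the first yum update, and again whenever a new repository is added.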

Clean-up

Use the initial YUM update to review applications that are installed that you are not interested in keeping. If the update identifies an application you do not need (gaim, Bluetooth, wireless services, etc.), stop the update and uninstall that application.
Note the unwanted applications and adjust both your Technical Architecture for your CentOS servers and your kickstart file.


Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
kernel i686 2.6.18-8.1.1.el5 updates 12 M
Updating:
Deployment_Guide-en-US noarch 5.0.0-21.el5.centos updates 7.3 M
autofs i386 1:5.0.1-0.rc2.43.0.2 updates 760 k
bind-libs i386 30:9.3.3-8.el5 updates 834 k
bind-utils i386 30:9.3.3-8.el5 updates 162 k
dhclient i386 12:3.0.5-5.el5 updates 274 k
file i386 4.17-9 updates 320 k
gnupg i386 1.4.5-13 updates 1.8 M
kernel-headers i386 2.6.18-8.1.1.el5 updates 724 k
krb5-libs i386 1.5-23 updates 593 k
krb5-workstation i386 1.5-23 updates 894 k
libgcc i386 4.1.1-52.el5.2 updates 82 k
libstdc++ i386 4.1.1-52.el5.2 updates 350 k
module-init-tools i386 3.3-0.pre3.1.16.0.1.el5 updates 411 k
nss i386 3.11.5-3.el5.centos updates 799 k
nss-tools i386 3.11.5-3.el5.centos updates 650 k
tzdata noarch 2007d-1.el5 updates 746 k

Transaction Summary
=============================================================================
Install 1 Package(s)
Update 16 Package(s)
Remove 0 Package(s)

Total download size: 29 M

The first update we performed found the Deployment Guide (Deployment_Guide-en-US above) in need of an update. We decided we didn't want the Deployment Guide on every server.

Enter
yum remove Deployment_Guide-en-US


Clean-up known unwanted applications

There are a number of applications that keep getting installed despite best efforts. Some, like gaim, an instant messenger client, have no business being on a server.

Enter:
yum remove finger gaim cups-libs cups bluez-libs desktop-file-utils
Note: Finger should only be installed if you have a good reason, gaim is unnecessary on a server and print management should only be there if you want it. Removing this list also removes the Bluetooth utilities (I'm sure someone has a good reason for Bluetooth on their headless remotely managed servers; we don't).

Other applications we'd rather not have, such as wireless-tools, are required dependencies of other applications we'd like to have.

 

Replace Sendmail with Postfix

yum install postfix
yum remove sendmail

Note: You must install Postfix before removing Sendmail. Your system needs an MTA and Sendmail is the default.

Look for more

Look in /root at install.log for a full list of installed applications.

Enter
more /root/install.log

Review the list and make your choices. Remember to update your kickstart-file.

Webmin Installation & Basic Webmin Configuration

Webmin is a web-based graphical Linux/UNIX system administration tool developed by Jamie Cameron. Webmin is lightweight, functional, and easily extensible. Using any browser that supports tables and forms, you can perform normal system administration (set up user accounts, DNS, file sharing, etc.).
Best operational practice uses auditable tools to manage configuration, and Webmin provides a solid tool. Using a tool avoids the need to remember the details of every configuration file; where the graphical interface is a barrier, Webmin provides direct access to the configuration files.
As a rule we recommend limiting the use of applications to those drawn from an established repository. For Webmin we do not follow this guideline and recommend going direct to the developer.

Webmin Guides

www.linuxjunkies.org/adminstration%20Howto/webminguide/book1.htm
webmin.com

Fetch Webmin

The first step is to fetch Webmin using curl. Webmin uses SourceForge so the URL will change. Look at the Webmin website for a download link.
You can save the Webmin RPM to the RPM repository, or simply save it in root's home directory. We save it in root's home, then delete it.

Enter
curl -o (name of file to save to) (url of file)
Enter
curl -o webmin-1.330-1.noarch.rpm http://umn.dl.sourceforge.net/sourceforge/webadmin/webmin-1.330-1.noarch.rpm

While we are still installing tools from the command line it is a good idea to install perl-Net-SSLeay. This package is required for Webmin to use SSL.

Enter
yum install perl-Net-SSLeay

Install Webmin

With Webmin's RPM saved in Root's home directory the next step is to install Webmin, then delete the RPM to clean-up.

Enter:
rpm -Uvh webmin-1.330-1.noarch.rpm

After a successful install enter:
rm webmin-1.330-1.noarch.rpm

With Webmin's install complete and Webmin started you can now login to https://centos5.limestone.lan:10000/
Note: you may need to use the IP address instead of the hostname if you are using DHCP, or do not have DNS configured for your new server.

Root

Again, you will have to login as root. This will be the last time we directly connect as root.

Default Webmin Theme


Preferred Theme


Note: We prefer the old MSC.Linux theme.

Minimum Security

We will need to fix a number of things:

  1. Create a new user
    Stop using root!
  2. Convert Webmin to https from http
  3. Change port to 443
  4. Enable logging
  5. Change SSH to prevent Root login
  6. Set Webmin update
  7. Back-up base Configuration

Create a new user

  1. Select Webmin's System Tab
  2. Select Users & Groups Module
  3. Create New User
    username: sysadmin (use the real name of a sysadmin, NOT a generic user account)
    Real Name: System Administrator
    User ID: 5000
    Note: CentOS starts user IDs at 500. We recommend planning your user community and using UID & GID blocks to support administration.
    Normal Password: Enter Password
    Note: If you have a number of users that must be created, look at Webmin's ability to create users from a batch file. In any event, if you are not using directory services today, set yourself up to use a directory in the future and ensure user names, UIDs & GIDs are common across systems.
  4. Select Webmin's Webmin Tab
  5. Select Webmin Users
  6. Create sysadmin as a user with UNIX authentication. Select access to all modules
  7. Logout
  8. Login as "sysadmin"
  9. Select Webmin's Webmin Tab
  10. Select Webmin Users
  11. Delete root as a Webmin User

Convert Webmin to https from http

Note: If you started with perl-Net-SSLeay installed, SSL is automatically enabled. Simply follow the directions to redirect all HTTP traffic to HTTPS.
Encrypting administrative traffic, and username/password combinations, is simply a good idea.

  1. Select Webmin's Webmin Tab
  2. Select Webmin Configuration Module
  3. Select SSL Encryption Module
    Note: This section follows the simple default of using the SSL certificate that is provided. It generates certificate errors at every access; you can create a self-signed certificate here, or upload a proper SSL certificate. The correct option depends upon your requirements. We tend to use the default and click 'OK' often.
  4. Select Enable SSL
  5. Select Redirect non-SSL requests to SSL mode

Change port to 443

Webmin's default port 10000 often requires changes to firewalls for access. We tend to switch to 443 to enable access from wherever we are.

  1. Select Webmin's Webmin Tab
  2. Select Webmin Configuration Module
  3. Select Ports and Addresses Module
  4. Change port 10000 to 443
    Note: You can have Webmin monitor multiple ports
    Note: If you want more than two, you will need to Save & Re-open multiple times.

Enable logging

Webmin's default logging is fairly good. However, we have the option of extending the logging to allow for configuration roll-backs. It isn't perfect, but any opportunity we have to undo a mistake is a good thing.

  1. Select Webmin's Webmin Tab
  2. Select Webmin Configuration Module
  3. Select Logging Module
  4. Select: Log changes made to files by each action
  5. Select: Record all modified files before actions, for rollbacks

Note: Without selecting the time-based rollback we will need to rotate Webmin's log on a regular basis.

Change SSH to prevent Root login

By default CentOS 5 allows SSH login by Root. This is necessary for remote installation, but is poor operational practice (anti-pattern).

  1. Select Webmin Servers Tab
  2. Select SSH Server Module
  3. Select Authentication Module
  4. Deny Root login

Extra SSH Security Configuration

If your system is in an exposed location it is a good idea to use the SSH network configuration to limit the network locations that can SSH to the server. We will also use the firewall to limit this. Security for exposed systems isn't so much 'belt & suspenders' as 'belt, suspenders, wellingtons, nor'wester, PFD, North Atlantic immersion suit, & satellite phone'.

  1. Select Network Module
    Configure the appropriate network range. We include the full network range of our administrators' ISPs to protect against random DHCP changes.
  2. Select Access Control Module
    Enter allowed users in 'Only allow users'
  3. Apply Changes
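As an added check that is not part of the original how-to, the script below reads an sshd_config and confirms that the two settings the Webmin steps above change (PermitRootLogin and AllowUsers) are in effect; the before/after fragments it inspects are constructed, not the real CentOS 5 file.

```shell
#!/bin/sh
# Added example, not part of the original how-to: confirm from the shell that
# the SSH changes made through Webmin landed in sshd_config. The Webmin
# "Deny Root login" and "Only allow users" settings correspond to the
# PermitRootLogin and AllowUsers directives.

# audit_sshd_config FILE
# sshd uses the FIRST value it reads for a keyword, and its built-in default
# for PermitRootLogin is "yes", so a commented-out or missing directive counts
# as root login allowed. Prints an ok/FAIL line per check; returns 0 only if
# both pass.
audit_sshd_config() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blank lines
        {
            key = tolower($1)
            if (key == "permitrootlogin" && !seen_prl) { prl = tolower($2); seen_prl = 1 }
            if (key == "allowusers" && !seen_au) {
                au = $2; for (i = 3; i <= NF; i++) au = au " " $i
                seen_au = 1
            }
        }
        END {
            bad = 0
            if (prl == "no") print "ok   PermitRootLogin no"
            else { print "FAIL PermitRootLogin is " (prl == "" ? "unset (sshd default: yes)" : prl); bad = 1 }
            if (au != "") print "ok   AllowUsers " au
            else { print "FAIL AllowUsers unset: no allow-list, any account sshd accepts may log in"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed fragments (not a real CentOS 5 file): the shipped defaults leave
# PermitRootLogin commented, i.e. at sshd's default of yes, with no AllowUsers.
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
# After the Webmin steps: root denied, logins limited to the named sysadmin.
# AllowUsers also accepts USER@HOST patterns to tie an account to a source.
cat > "$after" <<'EOF'
PermitRootLogin no
AllowUsers sysadmin
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
echo "== before"; audit_sshd_config "$before" || true
echo "== after";  audit_sshd_config "$after"  || true
rm -f "$before" "$after"
```

On the server itself, point the function at /etc/ssh/sshd_config after applying the Webmin changes and before closing your current SSH session, so a mistake cannot lock you out.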

Set Webmin update

Webmin has been compromised in the past. A system we maintain was compromised through the Webmin Usermin Arbitrary File Disclosure Vulnerability (July 2006) that affected versions 1.28 and below. The system that was exploited was not running a current version of Webmin. We were not monitoring Webmin's site, rather using Webmin provided as an RPM from a repository. Unfortunately, between the exploit and the update of the repository we were exploited.
Note: Best security practice is to stay on top of patching your system. In addition to limiting the packages you use to those from responsibly maintained repositories, subscribe to the announce list of every application you install.

  1. Select Webmin's Webmin Tab
  2. Select Webmin Configuration
  3. Select Upgrade Webmin Module
  4. Add all administrative users to "New module grants"
  5. In "Update modules on schedule" section select 'Only Show Updates' and email report to your sysadmin.
  6. Save & Apply

Back-up base Configuration

Before going any further, create a configuration baseline and set up a regular back-up of the Webmin configuration.

  1. Login via SSH
  2. SU to Root
  3. Enter:
    1. touch /var/backup/webmin-baseline
    2. touch /var/backup/webmin-daily
  4. Exit SSH connection
  5. Select Webmin's Webmin Tab
  6. Select Back-up Configuration Module
    1. Back-up Configuration Now
      Select all modules
      Enter /var/backup/webmin-baseline as local destination
      Include in backup Webmin module configuration files & Server configuration files
    2. Select Back-up Now
  7. Select "Add a new scheduled backup"
    1. Select all modules
      Enter /var/backup/webmin-daily as local destination
      Include in backup Webmin module configuration files & Server configuration files
    2. Schedule Daily at Midnight (Simple Schedule)

Configuration Back-up

It is always a very good idea to maintain a back-up of your system configuration files. Most applications maintain their configuration files where they belong in /etc.

  1. Login via SSH
  2. SU to Root
  3. Enter:
    1. touch /var/backup/etc-baseline.tar.gz
    2. touch /var/backup/etc-daily.tar.gz
  4. Exit SSH connection
  5. Select Webmin's Systems Tab
  6. Select File System Backup Module
    1. Add Back-up of new directory "/etc"
      Select in TAR format
    2. Select: File /var/backup/etc-baseline.tar.gz
    3. Select: Compress with gzip
    4. Select: Create
    5. Select: Action Backup
    6. Optional: Delete Selected Back-ups
  7. Create Daily Back-up
    1. Add Back-up of new directory "/etc"
      Select in TAR format
    2. Select: File /var/backup/etc-daily.tar.gz
    3. Select: Compress with gzip
    4. Select: Schedule at Times Below
    5. Select: Schedule
      Note: This will create a Crontab entry
    6. Select: Create & Back-up Now

This provides you with a baseline of /etc and a daily back-up. If you are making a number of changes we recommend returning to this module and manually taking a back-up before the changes are made. Being able to quickly return to a stable functioning system is the basic requirement of ITIL-based change management best practice.
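As an added example (not from the original how-to, and independent of Webmin), the script below takes the same kind of tar.gz baseline from the shell and then reports which files have changed, been added or been removed since it was taken; the stand-in for /etc it works on is a constructed scratch directory.

```shell
#!/bin/sh
# Added example, not part of the original how-to: take the /etc baseline from
# the shell and, later, list what has drifted from it. Webmin's File System
# Backup module produces the same kind of tar.gz; this adds the "what changed
# since the baseline?" check you want before deciding what to roll back.

# backup_tree DIR ARCHIVE: tar and gzip the contents of DIR into ARCHIVE.
backup_tree() {
    tar -czf "$2" -C "$1" .
}

# drift_since_baseline DIR ARCHIVE
# Unpacks ARCHIVE to a scratch directory and compares it with the live DIR.
# Prints "changed|added|removed <path>" per difference; returns 0 if the tree
# still matches the baseline, 1 if anything drifted.
drift_since_baseline() {
    local dir="$1" archive="$2" work report
    work=$(mktemp -d) || return 2
    tar -xzf "$archive" -C "$work"
    report=$(
        ( cd "$dir" && find . -type f ) | sort | while IFS= read -r f; do
            if [ ! -f "$work/$f" ]; then
                echo "added   ${f#./}"
            elif ! cmp -s "$dir/$f" "$work/$f"; then
                echo "changed ${f#./}"
            fi
        done
        ( cd "$work" && find . -type f ) | sort | while IFS= read -r f; do
            [ -f "$dir/$f" ] || echo "removed ${f#./}"
        done
    )
    rm -rf "$work"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo tree standing in for /etc (a scratch copy, not the real one).
demo=$(mktemp -d)
mkdir -p "$demo/etc/ssh"
printf 'PermitRootLogin yes\n' > "$demo/etc/ssh/sshd_config"
printf '127.0.0.1 localhost\n' > "$demo/etc/hosts"
backup_tree "$demo/etc" "$demo/etc-baseline.tar.gz"

# Simulate the kind of changes a configuration session makes, then compare.
printf 'PermitRootLogin no\n' > "$demo/etc/ssh/sshd_config"
printf 'Authorized use only\n' > "$demo/etc/motd"
rm "$demo/etc/hosts"
drift_since_baseline "$demo/etc" "$demo/etc-baseline.tar.gz" || true
rm -rf "$demo"
```

Against the real baseline this is `drift_since_baseline /etc /var/backup/etc-baseline.tar.gz`, run as root so every file under /etc is readable.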

Log Rotation

Base Configuration Complete

At this point we have a basic system installed & configured. We have provided minimal security, but must still protect this system with basic perimeter security.

To Do

  1. SELinux (default is installed & disabled)
  2. Basic Intrusion Detection
  3. Add logrotation to the Webmin logs
    Where are they now?

Third Party Repository

The base of our Linux Operational best practices is to dramatically limit the applications installed to the applications that are used.
All of our servers share a common base-build, and diverge only for the additional applications to support their purpose.
We strongly recommend dramatically limiting the source of applications.
There are two repositories we use: CentOS Extras and the third-party RPMforge (an expansion built upon Dag Wieers' RHEL repository and Matthias Saou's FreshRPMS). RPMforge's principles support best-practice operations:
  1. Don't replace base libraries or important core packages for repositories that are not EOL.
  2. Everything is open; SPEC files are provided.
  3. Active bug-fixing: either a dedicated fix, implementation of a provided bug-fix and, most importantly, upstream bug-fixes.
  4. A huge user base that provides useful feedback.

Enable RPMforge

Enter
rpm -Uhv http://apt.sw.be/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

CentOS Management 101

This section will outline some basic CentOS management and operational practices.

Time Management

All computer systems lose or gain time. The Network Time Protocol (NTP) is used to synchronize the time of a computer to another server or reference time source. While the NTP can provide millisecond level accuracy we suggest you understand what problem you are trying to solve. Is it more important that your environment be consistent or correct? Most sites need consistency more than correctness.
Webmin provides a simple toolset for synchronizing your system time with a NTP time server.

  1. Select Webmin's Hardware Tab
  2. Select Webmin's System Clock Module
  3. Confirm your timezone
    America/Edmonton - Mountain Time
  4. Select the time server host
    time.nrc.ca
    See the NTP Pool for a good pooled time server for you to use. Again, consider your goal - consistent or accurate?
  5. Select - Set Hardware Time
  6. Select Synchronize on Schedule
  7. Using Webmin's Cron interface set a time to synchronize.
    The NTP Pool resources are provided as a free service. The one we use, time.nrc.ca, is a stratum 2 pool operated by Canada's National Research Council (NRC NTP Service). To do our small part in minimizing their system load (and, we suspect, get better response) we pick a time during the day. We probably don't need to do this, but assume consistent small actions add up.
  8. Sync & apply

At the time you specified this cron-job will connect to the time server specified and update the server's clock.
Note: Implementation of a complete NTP server is beyond the scope of this how-to. If you choose to set up an NTP server we recommend you consider offering your server to the pool.ntp.org project.
Joining the NTP pool is a long-term commitment. Personally, if you can competently run a server, have a static IP and can afford 30 Kbit/s, we think you should join the pool. As an open source consumer a question to ask is 'what is your contribution to the open source community?' (Hornford Associates' contribution: in addition to these cookbook how-tos we provide ~200 Kb/s to the Debian & CentOS media bittorrents.)

CentOS Media

Bittorrent
CentOS 5 CD-ROM #1 - #6 Bittorrent download

CentOS 5 DVD Bittorrent download

Kickstart File

This kickstart file matches the How-to's CentOS 5 basic installation.


Creative Commons License
This work (kickstart file) is licensed under a
Creative Commons Attribution 2.5 Canada License.
