1. Setting up sendmail to use the UNT mailhost (allows for sending mail off campus)
# yum install sendmail-cf
# vi /etc/mail/sendmail.mc
Delete the dnl from the line:
dnl define(`SMART_HOST',`smtp.your.provider')
and change it to:
define(`SMART_HOST',`mailhost.unt.edu')
Add dnl to the start of the DAEMON_OPTIONS line so it reads:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Save and exit, then make the changes:
# cd /etc/mail
# ./make
Restart sendmail:
# /sbin/service sendmail restart
2. Setting up the .forward file so that all group members get the daily watch logs on system security
# cd /root
# vi .forward
On each line enter the e-mail address of one group member.
3. Mail a message to root as a test
# mail root
Subject: Test to the Group
This is a test message
.
(press return at the Cc: prompt)
This will send an e-mail to root that should then get sent to all in the .forward file for root. If this doesn't work, then you missed or have a mistake in the steps above. Review and check your edits and try to send e-mail again.
You will now get all system e-mails, including the nightly logs. It is your responsibility to read these daily messages and monitor activity on your system.
FC10 uses what is called IPTABLES to control the firewall on your server. IPTABLES is a rules file that tells the OS which ports should be open, and how and by whom they may be accessed. We will be doing the basic setup for assignment 2. IPTABLES provides many ways to configure your server to protect it from outside attacks. One of the best ways to protect your server is to only open the ports that you are using and to control access as required. This is in addition to only running software that uses these ports as required.
Since we have not enabled remote desktop access yet (assignment 3), we will edit the iptables file by hand using vi or another command line editor. IPTABLES is already installed on your server as part of the basic install. You will need to open up port 80 to allow the Apache server, which we have not started yet, to talk to the outside world via this port. As discussed in the definition above, a port can be thought of as a conduit between the outside network and software running on your server. While port 80 is the default for web services, you can run a web server on any port you want to define, depending on the conditions you find your server operating in.
a. edit /etc/sysconfig/iptables
b. When you edit iptables, you will notice that port 22, which is what you are using for SSH, is already open:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
c. We can clone this line (look up the vi commands for copy and paste) and then edit port 22 to port 80, so that you get this additional line in the file. If you would like to see a list of standard ports, you can cat /etc/services to view them. The line you want to add to the iptables file is:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
d. Save and quit the editor
e. The next step is to restart the iptables service, so that it reads in the new settings you have created.
# service iptables restart
f. If this works correctly, you will get the following OKs back. If you get an error message, then go back and look at the file to see if you made a mistake in the edit.
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
g. You have now opened up port 80. There is a way to control these ports using the GUI, but learning to work on the file directly allows you to use SSH to open a session to your server from just about anywhere (like from my iphone now) to be able to control access.
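As an added example (not part of the course instructions), the following POSIX shell script reads rules text in the /etc/sysconfig/iptables format, lists the TCP ports the INPUT chain accepts for new connections, and reports any port that is not on an allowlist you give it. That is the check behind "only open the ports you are using": anything the script reports is a port you did not intend to expose. It runs against a constructed sample embedded in the script; the function and variable names are the example's own, and to audit a real server you would pass "$(cat /etc/sysconfig/iptables)" in place of the sample.

```shell
#!/bin/sh
# Audit the TCP ports an iptables rules file opens to new inbound connections.
# Added example, not part of the course material; it works on the rules text
# only and needs neither root nor a running firewall.

# Constructed sample in the FC10 /etc/sysconfig/iptables format (not a copy of
# any real server's file): SSH, HTTP and the VNC display :1 port are open.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print, space-separated and sorted, the TCP destination ports that the INPUT
# chain ACCEPTs.  $1 = rules text (e.g. "$(cat /etc/sysconfig/iptables)").
accepted_tcp_ports() {
    printf '%s\n' "$1" \
      | grep -E '^-A INPUT .*-p tcp .*--dport [0-9]+ -j ACCEPT' \
      | sed -E 's/.*--dport ([0-9]+).*/\1/' \
      | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Succeed if port $2 is accepted by the rules in $1.  Useful for confirming
# the ports later assignments need (VNC display :N listens on 5900+N).
port_is_open() {
    for p in $(accepted_tcp_ports "$1"); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# Print the accepted ports that are not on the space-separated allowlist $2.
# Anything printed is a port you did not intend to expose and should close.
unexpected_ports() {
    allow=" $2 "; out=""
    for p in $(accepted_tcp_ports "$1"); do
        case "$allow" in
            *" $p "*) ;;
            *) out="$out$p " ;;
        esac
    done
    printf '%s\n' "${out% }"
}

# Example run against the constructed sample:
echo "open ports: $(accepted_tcp_ports "$SAMPLE_RULES")"
echo "not on allowlist '22 80': $(unexpected_ports "$SAMPLE_RULES" "22 80")"
```

The script only parses rules of the form the assignment adds (-p tcp with --dport and -j ACCEPT); rules written differently, such as multiport matches, would need the pattern extended.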
a. First, lets check to make sure that httpd is installed.
# yum install httpd
b. Most likely yum came back with the following, since it should be installed already. If it didn't, then it probably asked you to install it.
Package httpd-2.2.10-2.i386 already installed and latest version
Nothing to do
a. We have two steps to enable and start the httpd service. The first is to set it to auto start and the second is to actually start httpd.
# chkconfig --levels 235 httpd on
# service httpd start
b. The service command should have output:
Starting httpd: [ OK ]
c. As a further check, let's look at the process table and see if httpd was started. You should see something like this in the output:
# ps -ef
root 17960 1 0 15:14 ? 00:00:00 /usr/sbin/httpd
apache 17962 17960 0 15:14 ? 00:00:00 /usr/sbin/httpd
apache 17963 17960 0 15:14 ? 00:00:00 /usr/sbin/httpd
apache 17964 17960 0 15:14 ? 00:00:00 /usr/sbin/httpd
apache 17965 17960 0 15:14 ? 00:00:00 /usr/sbin/httpd
apache 17966 17960 0 15:14 ? 00:00:00 /usr/sbin/httpd
apache 17967 17960 0 15:14 ? 00:00:00 /usr/sbin/httpd
apache 17968 17960 0 15:14 ? 00:00:00 /usr/sbin/httpd
apache 17969 17960 0 15:14 ? 00:00:00 /usr/sbin/httpd
Just as a side note, let's look at an example of using a pipe in the command. Try
# ps -ef | grep httpd
a. You have now set httpd to autostart on server reset and have started the web server. It should display the default web page if you go to your server.
Using a browser, enter http://yourserverdomainname
b. If it does not, then you need to check iptables again (did you enter the right line and did you restart it) and check httpd (did you start it).
a. It is now time to upload a web site (or pages) to replace the default page just seen
b. Using whatever web authoring package you like, create a home page for your site. Please create a motif/layout that goes with the name of your system. NOTE: Apache uses index.html as the default startup web page, so make sure your first page in any new web directory is called index.html. We will talk more about how to configure httpd.conf in a bit, when we setup user web areas.
c. Using WinSCP, upload the new web content to the default web area of /var/www/html.
d. Using your browser check your new home page. Congrats! You now have a working web server.
a. You now have a server web area. Apache supports the ability to set up user web areas that reside under the user's account. This is handy in several cases. One of the main reasons is that users are then responsible for their own content and, for security reasons, you do not have to give users access to your web directory (/var/www/html). Keep in mind there are some downsides, so the choice of enabling this or not depends on your server needs. We will enable it on your server as a further use of Apache.
b. The first step is to edit the httpd configuration file. /etc/httpd/conf/httpd.conf is a very complex settings file. It controls everything to do with httpd startup. Before we edit it though, let's make a backup copy, so if things stop working you can copy the backup over the edited version and get back to an operational state.
# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup
This command will copy the file httpd.conf to a file in the same directory named httpd.conf.backup.
e. edit /etc/httpd/conf/httpd.conf
Change
UserDir disable
to
#UserDir disable
and change
#UserDir public_html
to
UserDir public_html
f. restart httpd service
# service httpd restart
g. The service command should have output OK. If it didn't, then you have an error in your edit. Either try to find it or copy back the backup and start the edit again. Mistakes in editing httpd.conf are very unforgiving.
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
h. We have a number of steps now to create a user's public_html area and then open it for outside viewing. This is the more complex part of the process, and any problem in this chain can cause a failure notice when you try to access the user web area.
Please watch the Creating a Public_Html movie for a step by step demo.
The basic steps are as follows:
# mkdir public_html
If you create this directory as root, then you have to change the owner so that the user can work in the directory (see demo above):
# chown username:username public_html
# chcon -R -h root:object_r:httpd_sys_content_t public_html
# chmod a+x .
which opens up the home directory so that others can move into the directory but not list its files. Another way is to simply change the group to apache:
# chgrp apache .
# chmod g+x .
which will allow apache, and no other users, as a group to move into the user directory.
# cd public_html
# vi index.html
<html>
<body>
<h1>systemname</h1>
</body>
</html>
Save and exit the file editing.
# chown username:username index.html
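The chain of ownership and permission steps above is where user web areas usually fail, so here is an added example (not from the course) of a POSIX shell checker that inspects a home directory for the conditions those steps establish: apache can traverse the home directory (via a+x, or group apache with g+x), public_html exists, it is owned by the expected user, and it contains an index.html. make_sample_home builds a constructed directory under a temp dir to run it against. The SELinux context set with chcon is not checked here, since that needs the SELinux tools; the function names are the example's own.

```shell
#!/bin/sh
# Check that a home directory is ready for Apache's UserDir feature.  Added
# example, not part of the course material; it inspects ownership and
# permission bits only (the SELinux context set with chcon is not checked).

# Verify the conditions the steps above establish for home directory $1,
# whose public_html should be owned by user $2.  Prints each problem found;
# returns 1 if there was any, 0 if the directory is ready.
check_userdir() {
    home=$1; owner=$2; rc=0
    mode=$(ls -ld "$home" | awk '{ print $1 }')
    group=$(ls -ld "$home" | awk '{ print $4 }')
    # In the mode string, character 7 is group execute and character 10 is
    # other execute; "chmod a+x ." sets the latter, "chgrp apache; chmod g+x ."
    # the former.  Either lets apache traverse into public_html.
    group_x=$(printf '%s' "$mode" | cut -c7)
    other_x=$(printf '%s' "$mode" | cut -c10)
    traversable=no
    [ "$other_x" = "x" ] && traversable=yes
    [ "$group" = "apache" ] && [ "$group_x" = "x" ] && traversable=yes
    if [ "$traversable" = "no" ]; then
        echo "apache cannot traverse $home (mode $mode, group $group)"; rc=1
    fi
    if [ ! -d "$home/public_html" ]; then
        echo "missing directory $home/public_html"; rc=1
    else
        ph_owner=$(ls -ld "$home/public_html" | awk '{ print $3 }')
        if [ "$ph_owner" != "$owner" ]; then
            echo "public_html is owned by $ph_owner, expected $owner"; rc=1
        fi
        if [ ! -f "$home/public_html/index.html" ]; then
            echo "public_html has no index.html"; rc=1
        fi
    fi
    return $rc
}

# Build a constructed home directory under a temp dir, laid out as the steps
# above leave it (a+x home, public_html with index.html), and print its path.
make_sample_home() {
    d=$(mktemp -d)
    mkdir "$d/public_html"
    printf '<html><body><h1>systemname</h1></body></html>\n' > "$d/public_html/index.html"
    chmod 711 "$d"
    printf '%s\n' "$d"
}

# Demo against the constructed directory:
demo=$(make_sample_home)
check_userdir "$demo" "$(id -un)" && echo "$demo is ready for UserDir"
rm -rf "$demo"
```

To check a real account, run check_userdir /home/username username as root. The group-apache variant is the tighter of the two permission choices above, since it lets only the web server (not every local user) traverse the home directory.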
a. It is now time to upload a web site (or pages) for the empty user home page
b. Using whatever web authoring package you like, create a home page for your user site. Be sure to put your name, photo, and a bio about yourself on the personal page. Also, be sure to provide a link on your system home page to your personal web site. NOTE: Apache uses index.html as the default startup web page, so make sure your first page in any new web directory is called index.html.
c. Using WinSCP, upload the new web content to the public_html web area.
d. Using your browser check your new home page. http://servername.cecs.unt.edu/~youraccount
e. Congrats! You now have a working web server.
Use the information and steps you have learned for assignment 2 to open ports 5901 and 8080. Be sure to restart iptables.
# yum install vnc-server
b. Most likely yum came back with the following:
Loaded plugins: refresh-packagekit
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package vnc-server.i386 0:4.1.3-1.fc10 set to be updated
--> Processing Dependency: librfb.so.0 for package: vnc-server
--> Running transaction check
---> Package vnc-libs.i386 0:4.1.3-1.fc10 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================
 Package            Arch     Version            Repository      Size
==========================================================================
Installing:
 vnc-server         i386     4.1.3-1.fc10       updates         884 k
Installing for dependencies:
 vnc-libs           i386     4.1.3-1.fc10       updates         167 k

Transaction Summary
==========================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 1.0 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): vnc-libs-4.1.3-1.fc10.i386.rpm                | 167 kB     00:00
(2/2): vnc-server-4.1.3-1.fc10.i386.rpm              | 884 kB     00:00
--------------------------------------------------------------------------
Total                                        69 kB/s | 1.0 MB     00:15
============================ Entering rpm code ===========================
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : vnc-libs                  1/2
  Installing     : vnc-server                2/2
============================ Leaving rpm code ============================

Installed:
  vnc-server.i386 0:4.1.3-1.fc10

Dependency Installed:
  vnc-libs.i386 0:4.1.3-1.fc10

Complete!
vncserver should only be run when you need to access the server remotely. There are several reasons for this. The primary ones are 1) it isn't a secure service and 2) it takes resources away from other things.
Setting up the VNC server the first time
After you install the server, you need to run it the first time and edit some files to get it operational.
When you first run vncserver
# vncserver
you will get the following:
You will require a password to access your desktops.
Password:
Enter a strong password
Now stop the vncserver:
# vncserver -kill :1
Killing Xvnc process ID 23364
When you run vncserver for the first time, it created a directory in the home directory of the account it has been run under. If you run this under your account then vnc setting files will be saved to /home/youraccountname/.vnc
You need to edit the xstartup file: comment out the last line (twm &) and add one line after it, so the file ends with:
#twm &
/usr/bin/gnome-session &
The vncserver is ready to start and stop as you need it.
When you need to access your server remotely using the GUI, login using ssh, then start the vncserver
When you are finished (best not to logout of the ssh while doing remote desktop) you then stop the vncserver
# vncserver -kill :1
In this way, the service is only operating when needed and does not present a long term security issue.
Example of VNCSERVER First Time, Starting, and Stopping
Run the client viewer software and enter the system name and view 1 (for windows this is denoted with :1 after the system name).
VNC numbers views starting at 0, which is port 5900 on your system. View 1 is the default and is port 5901, which is the port you opened and the default for the vnc-server install.
For additional security, you can always change the port on your server to another port that might not be as easy to find.
If you have everything setup right, then you will see your desktop. If not, go back up to the top and review your changes.
For this part of the exercise there will not be many step-by-step directions provided. Be sure to read the install information contained in the software.
Swiki is a standalone wiki that is based on Squeak, which is based on the Smalltalk-80 language.
This is an example of an application that does not require php or apache to run.
You can download the software at http://minnow.cc.gatech.edu/swiki
Now that you have remote access to your server GUI, you can run Firefox on your server and download it directly to the file system.
Once you have it downloaded and extracted, read the install steps.
The first time you run it, do so using the remote GUI so that you can see the Swiki GUI and configure it for port 8080 and the other elements that are required, as stated in the install directions.
If all things are right and the swiki is started, you can access your server swiki remotely using your web browser.
Once you know this works when running it by hand from the GUI, you need to read the directions on how to run it "headless".
Fedora provides a file that is always read at startup to run scripts and applications. It is named /etc/rc.d/rc.local. You will want to place the swiki headless command in this file
You can test if headless runs, by running rc.local
Just be sure to kill any processes that are started so that you do not have more than one swiki running.
How to find and kill a process
find the process
# ps -ef | less
Look to see if you can find the process in question; for swiki we ran the command squeak, so we are looking for something like:
root 3041 1 2 Feb08 ? 06:05:30 ./squeak -headless squeak.image
This tells us that the process for squeak is 3041
You can now kill that process:
# kill -9 3041
and be able to run the rc.local again for testing
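The ps/grep/kill sequence above works, but grep also finds its own command line, and kill -9 gives the program no chance to flush files or close its listening port. The following added example (not course material) wraps the same idea in POSIX shell functions: find_pids filters out the grep itself, and stop_pid sends SIGTERM first and escalates to SIGKILL only if the process ignores it. It assumes Linux (/proc is read to tell a zombie from a live process) and a procps-style ps as on Fedora; the function names are the example's own.

```shell
#!/bin/sh
# Find processes by command-line pattern and stop them cleanly before running
# rc.local again.  Added example, not part of the course material; assumes
# Linux with /proc and a procps-style ps (as on Fedora).

# Print the PIDs whose command line matches $1 (a grep pattern).  The grep
# searching for the pattern would match itself, so it is filtered out, as is
# the shell running this script.
find_pids() {
    ps -ef | grep -- "$1" | grep -v grep | awk -v me="$$" '$2 != me { print $2 }'
}

# True if $1 is a live process.  A zombie (exited but not yet reaped by its
# parent) still answers kill -0, so also check its state in /proc.
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    state=$(awk '/^State:/ { print $2 }' "/proc/$1/status" 2>/dev/null || true)
    [ "$state" != "Z" ]
}

# Stop process $1: send SIGTERM first so it can close files and sockets, and
# fall back to SIGKILL (the kill -9 above) only if it is still alive after
# $2 seconds (default 5).  Returns 1 if there was no live process to stop.
stop_pid() {
    pid=$1; grace=${2:-5}; waited=0
    is_alive "$pid" || { echo "no live process $pid"; return 1; }
    kill -TERM "$pid" 2>/dev/null || return 0
    while is_alive "$pid"; do
        if [ "$waited" -ge "$grace" ]; then
            echo "pid $pid ignored SIGTERM for ${grace}s, sending SIGKILL"
            kill -KILL "$pid"
            break
        fi
        sleep 1; waited=$((waited + 1))
    done
    return 0
}

# Stop every process matching a pattern, e.g.
#   stop_matching 'squeak -headless'
# before running rc.local again, so only one swiki is ever running.
stop_matching() {
    pids=$(find_pids "$1")
    [ -n "$pids" ] || { echo "nothing matches '$1'"; return 1; }
    for p in $pids; do
        stop_pid "$p" "${2:-5}"
    done
}
```

Choose the pattern carefully: a short one such as squeak would also match any other command line containing that word, so check find_pids output before stopping what it returns.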
Once you know the swiki runs okay from rc.local, try restarting your computer remotely and test to see if it comes up as you expect.
The command to restart your server is below.
NOTE: you have to be root to issue this command and YOU MUST ALWAYS put -r (for restart). If you don't, your server will shut down and turn off.
# /sbin/shutdown -r now
Your computer will NOW restart. Hopefully!
The following steps will install mysql.
1. To install MySQL (this will update and expand the default install)
# yum install mysql mysql-devel mysql-server
2. Create the system startup links for MySQL and start the MySQL server:
# chkconfig --levels 235 mysqld on
3. Start MySQL (this will generate some startup messages)
# /etc/init.d/mysqld start
4. Set the root password
# mysqladmin -u root password yourrootsqlpassword
5. Install mysql-administrator (this will allow you to administer the database via VNC)
# yum install mysql-administrator
This will update the current install on the system.
1. Install/update Apache with PHP 5 support (the following are a selection of common PHP modules)
# yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel
2. Edit /etc/httpd/conf/httpd.conf
Change DirectoryIndex to:
DirectoryIndex index.html index.htm index.php
Add the following line under #AddType application/x-tar .tgz
AddType application/x-httpd-php .php .html
3. Configure Apache to start at boot time
# chkconfig --levels 235 httpd on
4. Start Apache
# /etc/init.d/httpd restart
Create a PHP test file and view the PHP info page.
1. Create a phptest.html file that contains the following. This allows us to test both HTML and PHP:
<html>
<body>
html test
<hr>
<?php
echo "php test<hr>";
phpinfo();
?>
</body>
</html>
2. Upload the file into your root html directory.
3. Using your browser, view the web page. You should see this.
4. You want to confirm that you have a MySQL module installed, otherwise talking to the database does nothing. If you do not see mysql in the list of modules, then you missed something.
5. NOTE: In order for mysql to show up in the PHP install, it has to be installed and RUNNING at the time of the PHP install above.
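An added example (not from the course) that checks httpd.conf text for the edits made in step 2 of the PHP install and in the UserDir section: it prints the arguments of a directive's first active line, confirms that UserDir is enabled, that DirectoryIndex includes index.php and that a PHP AddType exists, and warns about every extension besides .php that the AddType line hands to the PHP engine, because with .html mapped to PHP any .html file a user uploads to public_html is executed as server-side code. It runs on a constructed sample; the function names are the example's own, and to check the real file you would pass "$(cat /etc/httpd/conf/httpd.conf)" instead.

```shell
#!/bin/sh
# Check an httpd.conf text for the UserDir and PHP edits described above.
# Added example, not part of the course material; works on the config text
# only, so it can be run before restarting httpd.

# Constructed fragment showing the edited lines (not the real Fedora file).
SAMPLE_CONF='# UserDir disable
UserDir public_html
DirectoryIndex index.html index.htm index.php
#AddType application/x-tar .tgz
AddType application/x-httpd-php .php .html'

# Print the arguments of the first active (uncommented) line of directive $2
# in config text $1.  Directive names are case-insensitive in httpd.conf.
directive_args() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Report the settings the assignment needs as "missing: ..." lines (return 1
# if any) and every non-.php extension handed to PHP as a "warning: ..." line.
check_httpd_conf() {
    conf=$1; rc=0
    case " $(directive_args "$conf" UserDir) " in
        *" disable "*|*" disabled "*|"  ")
            echo "missing: UserDir public_html (UserDir is disabled or unset)"; rc=1 ;;
    esac
    case " $(directive_args "$conf" DirectoryIndex) " in
        *" index.php "*) ;;
        *) echo "missing: index.php in DirectoryIndex"; rc=1 ;;
    esac
    # Every extension on active "AddType application/x-httpd-php" lines.
    php_exts=$(printf '%s\n' "$conf" | awk '
        /^[ \t]*#/ { next }
        tolower($1) == "addtype" && $2 == "application/x-httpd-php" {
            for (i = 3; i <= NF; i++) print $i }')
    if [ -z "$php_exts" ]; then
        echo "missing: AddType application/x-httpd-php"; rc=1
    fi
    for e in $php_exts; do
        # With .html mapped to PHP, any .html a user uploads to public_html
        # runs as server-side code, so each extra extension is worth a look.
        [ "$e" = ".php" ] || echo "warning: $e is also handed to the PHP engine"
    done
    return $rc
}

# Example run against the constructed sample:
check_httpd_conf "$SAMPLE_CONF"
```

Once the phptest.html page has shown you the module list, delete it: phpinfo() publishes the full PHP and server configuration to anyone who can request the page.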