31 January 2007

Some security

It's time to begin hardening our machine (just a little bit for now).
With the help of this page, we proceed by preventing root from logging in remotely to our box. We will create another user that can become superuser when needed.

First move, create a user account (the second command sets that user's password; passwd takes a user name, not the password itself):
useradd your-user -G users,wheel
passwd your-user
Allow this user to become root without supplying a password (to be more accurate, all the users of group wheel can do that):
visudo
This is a vi editor window, so type a to enter edit mode. Uncomment the line
%wheel ALL=(ALL) NOPASSWD: ALL
And then type Esc :wq to save and exit. Use visudo rather than editing /etc/sudoers directly: it checks the syntax before writing, and a broken sudoers locks everyone out of sudo.

We have to prevent root from logging in remotely: edit /etc/ssh/sshd_config and add or uncomment the line
PermitRootLogin no
Make sure it is the only active PermitRootLogin line: sshd honours the first occurrence of a keyword, so a line appended below an uncommented "PermitRootLogin yes" does nothing. Check the file before restarting with
sshd -t
We finish all this by restarting the sshd service
service sshd restart
Now, the user we created can log in with ssh and become superuser with
sudo su -
Done.

Actually, I don't like very much having another user log in as root without a password. So I modified the visudo line back to
%wheel ALL=(ALL) ALL
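Before restarting sshd it is worth checking what the daemon will actually read. The following script is an added example, not part of the original post: it reports the effective PermitRootLogin value of an sshd_config (first occurrence wins, as in sshd) and lists any active NOPASSWD entries in a sudoers file. The file paths are arguments, so it can be run against a copy; the sample configs in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the two settings this
# section changes, on a copy of the files, before restarting sshd.
#
# sshd uses the FIRST occurrence of a keyword in sshd_config, so appending
# "PermitRootLogin no" below an existing, uncommented "PermitRootLogin yes"
# changes nothing. This prints the value sshd will actually use.
effective_sshd_option() {
    # $1 = keyword (case-insensitive), $2 = sshd_config path
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { gsub(/=/, " ") }                     # "Keyword=value" form is also legal
        /^[[:space:]]*#/ { next }              # comment
        NF == 0 { next }                       # blank line
        tolower($1) == "match" { exit }        # global section ends at the first Match block
        tolower($1) == key { print $2; exit }  # first hit wins, like sshd
    ' "$2"
}

check_root_login() {
    # returns 0 only when root login is effectively disabled
    v=$(effective_sshd_option PermitRootLogin "$1")
    case "$v" in
        no) echo "PermitRootLogin no: ok" ;;
        "") echo "PermitRootLogin unset: OpenSSH defaults to yes" >&2; return 1 ;;
        *)  echo "PermitRootLogin $v: root can still log in" >&2; return 1 ;;
    esac
}

# Active (uncommented) NOPASSWD entries in a sudoers file; returns 1 if any exist.
# (visudo -c checks the file's syntax; this checks its intent.)
sudoers_nopasswd() {
    if grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD'; then
        return 1
    fi
    return 0
}
```

Usage: `check_root_login /etc/ssh/sshd_config; sudoers_nopasswd /etc/sudoers`. A non-zero exit from either means the setting you intended is not the one in force.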

Now the ugly one: MySQL

Let's start by installing one MySQL dependency:
yum install perl-DBI
Now go to the MySQL site and copy the URL of the file to download, from "Red Hat Enterprise Linux 4 RPM (x86) downloads" in our case. We need two files:

  • one for the server : MySQL-server-standard-5.0.27-0.rhel3.i386.rpm
  • and another for the client : MySQL-client-standard-5.0.27-0.rhel3.i386.rpm

Let's do some wget (in the /opt folder, just to be consistent) :

wget http://mysql.org/get/Downloads/MySQL-5.0/MySQL-server-standard-5.0.27-0.rhel3.i386.rpm/from/http://mysql.mirror.redwire.net/
wget http://mysql.org/get/Downloads/MySQL-5.0/MySQL-client-standard-5.0.27-0.rhel3.i386.rpm/from/http://mysql.mirror.redwire.net/
Before installing anything, verify what the mirror handed you: import MySQL's GPG key with rpm --import and run rpm --checksig on both RPMs, since an unsigned or altered package would run its scripts as root during the install. And then still don't rush to install. It won't work (the server, at least), because of SELinux: the targeted policy confines daemons like mysqld to the files the policy allows, and it does not allow mysqld to use the files this RPM creates under /var/lib.
We need to work around this. It is not easy, but thanks to this post, it's doable:

  • install SELinux policy sources
    yum install selinux-policy-targeted-sources.noarch
  • now type
    setenforce 0
    go to /etc/selinux/targeted/src/policy/domains/program (added by the previous install) and edit the file mysqld.te
  • find these three lines
    # because Fedora has the sock_file in the database directory
    file_type_auto_trans(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
    ')
  • just below add the following
    #
    allow mysqld_t var_lib_t:dir { write add_name remove_name };
    allow mysqld_t var_lib_t:file { append create lock read write getattr unlink };
    allow mysqld_t var_lib_t:sock_file { create getattr unlink };
    #
  • Go back to /etc/selinux/targeted/src/policy and run :
    make load
    setenforce 1
  • Ready! I mean you are ready to continue with the MySQL install. Keep in mind that these rules let mysqld write to anything under /var/lib carrying the generic var_lib_t label, which is broader than the policy intends; they are what made the RPM work here, not a minimal fix.

Now go back to /opt. And do :

rpm -ivh MySQL-*

And done with the tricky part !

Now let's set a password for the MySQL root user ('root' here is only a placeholder; pick a real one, and remember that a password typed on the command line lands in your shell history):

mysqladmin -u root password 'root'

Testing a little bit:

mysql -u root -p

Enter the password at the prompt rather than passing -proot on the command line, where every local user can read it from ps. You can type \s to see the server status, and \q to exit. While you are at it, mysql_secure_installation removes the anonymous accounts and the test database the RPM ships with.

Are we ready? Nooo... We must access our server from outside (from our Windows machine, for example, to work on the databases).

Out of the box MySQL doesn't allow this: the root account only exists for localhost. But we can type:

mysql -u root -p

and then

mysql> grant all privileges on *.* to 'your-user'@'%' identified by 'your-password' with grant option;

The host part of the account decides who may even try the password: '%' means any address, and since the earlier post marked eth0 as a trusted device, port 3306 is open to the whole network. If the Windows machine has a fixed address, put that address in place of '%', and ask yourself whether the account really needs all privileges on *.* with grant option, rather than rights on the databases you work on.

Now you can fire up MySQL Administrator or Query Browser and connect using the Linux box's IP and the user you just set (your-user with the password your-password).
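To see what accounts the grant above leaves you with, the following added example (not from the original post) audits a dump of the mysql.user table for the three things that matter here: anonymous accounts, accounts with an empty password, and accounts reachable from any host. It reads the tab-separated output of `mysql -BNe "SELECT User, Host, Password FROM mysql.user"`; the sample dump in the block is constructed for the example, including the hash value.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the MySQL grant table for
# anonymous accounts, empty passwords and wildcard hosts. Input is the
# tab-separated output of
#   mysql -BNe "SELECT User, Host, Password FROM mysql.user"
# (MySQL 5.0 column names; the Password column holds the hash, empty = none).
audit_mysql_users() {
    # $1 = path to the TSV dump; prints one finding per line, returns 1 if any
    awk -F '\t' '
        {
            user = $1; host = $2; pw = $3
            if (user == "")  { print "anonymous account on host " host; n++ }
            if (pw == "")    { print "no password: " (user == "" ? "(anonymous)" : user) "@" host; n++ }
            if (host == "%") { print "reachable from any host: " user "@" host; n++ }
        }
        END { exit (n > 0) }
    ' "$1"
}

# Constructed sample, in the shape mysql -BN prints (fields separated by tabs).
# The hash is a made-up value for the example.
sample_user_dump() {
    printf 'root\tlocalhost\t*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B\n'
    printf 'root\tcentos.localdomain\t\n'
    printf '\tlocalhost\t\n'
    printf 'your-user\t%%\t*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B\n'
}
```

Run against a live server with `mysql -BNe "SELECT User, Host, Password FROM mysql.user" | audit_mysql_users /dev/stdin`; the second root entry and the anonymous account in the sample are exactly what mysql_secure_installation removes, and the '%' finding is the grant from this section.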

29 January 2007

Tomcat, at last ...

And now the great moment : enter the big one, Tomcat. With some help from here we will proceed.

To start from somewhere, go to the Tomcat website, copy the URL for your preferred version (5.5 at the time of writing) and do the same old wget trick:
wget http://apache.iasi.roedu.net/tomcat/tomcat-5/v5.5.20/bin/apache-tomcat-5.5.20.tar.gz
Be sure to be in the /opt folder, and of course you will replace the example I gave here with your own URL.

Untar :
tar -zxvpf apache-tomcat-5.5.20.tar.gz
and set a symbolic link to the newly created folder
ln -s apache-tomcat-5.5.20 tomcat
Ok for now. Go to /etc/init.d/ and create the file named tomcat. In fact, just copy one already there, for example yum. This will preserve all the file attributes we need.

Edit the file (F4 in MC) and enter the following content :

#! /bin/sh
#
# tomcat        Starts tomcat
#
# chkconfig: 2345 98 02
# description: tomcat is a J2EE web application container.
#
export TOMCAT_HOME=/opt/tomcat
export JAVA_HOME=/usr/java/jdk1.5.0_11

# Nothing to do if Tomcat is not installed where we expect it
[ -f ${TOMCAT_HOME}/bin/startup.sh ] || exit 0
[ -f ${TOMCAT_HOME}/bin/shutdown.sh ] || exit 0

set -e

case "$1" in
  start)
    echo -n "Starting tomcat... "
    $TOMCAT_HOME/bin/startup.sh >> /var/log/tomcat 2>&1
    echo "started."
    ;;
  stop)
    echo -n "Stopping tomcat... "
    $TOMCAT_HOME/bin/shutdown.sh >> /var/log/tomcat 2>&1
    sleep 1
    # wipes Tomcat's own logs on every stop; drop this line if you want them kept
    rm -f $TOMCAT_HOME/logs/*
    echo "stopped."
    ;;
  restart|force-reload)
    echo -n "Restarting tomcat... "
    $TOMCAT_HOME/bin/shutdown.sh >> /var/log/tomcat 2>&1
    sleep 1
    $TOMCAT_HOME/bin/startup.sh >> /var/log/tomcat 2>&1
    echo "restarted."
    ;;
  *)
    N=/etc/init.d/tomcat
    echo "Usage: $N {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0
Note that, as written, this starts Tomcat as root, so anything deployed through it runs as root as well; a dedicated unprivileged user that owns /opt/tomcat is the safer choice.
Now add tomcat as a service
chkconfig --add tomcat
Start tomcat
service tomcat start
With a little luck you will see
Starting tomcat... started.

Let's test the beast for real :

elinks http://127.0.0.1:8080/

Huraaa !!! It works ! Let's party ...

But wait, don't forget to set the tomcat users. Edit /opt/tomcat/conf/tomcat-users.xml and replace the content with (the role and user elements are empty, so they must be self-closing):

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="myuser" password="mypwd" roles="admin,manager"/>
</tomcat-users>

Of course, you will put the username and password you want, and make the password a long one: whoever has it can deploy any web application through the manager, that is, run code as the user Tomcat runs as. This user is the one that has the ability to manage the server through the web admin console. Don't forget to restart Tomcat:

service tomcat restart
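The init script above does its job, but it runs Tomcat as root. The following is an added example, not the original post's script: the same start/stop wrapper, restructured as functions, with Tomcat started under a separate account so that a compromised web application does not get root. It assumes a user named tomcat exists and owns /opt/tomcat, and that the JDK path matches your install; all of these are assumptions and can be overridden through the environment variables at the top. Unlike the original it does not delete Tomcat's logs on stop, because those logs are what you will want if something goes wrong.

```shell
#!/bin/sh
# Added example (not the original post's script): start/stop Tomcat as an
# unprivileged account. Assumes a "tomcat" user that owns /opt/tomcat and the
# paths below (assumptions; override through the environment).
TOMCAT_HOME=${TOMCAT_HOME:-/opt/tomcat}
TOMCAT_USER=${TOMCAT_USER:-tomcat}
TOMCAT_LOG=${TOMCAT_LOG:-/var/log/tomcat}
JAVA_HOME=${JAVA_HOME:-/usr/java/jdk1.5.0_11}
export TOMCAT_HOME JAVA_HOME

# Run a command as $TOMCAT_USER. When we already are that user (e.g. in a
# test, or when run from that account) there is nothing to switch.
run_as_tomcat() {
    if [ "$(id -un)" = "$TOMCAT_USER" ]; then
        sh -c "$1"
    else
        su -s /bin/sh "$TOMCAT_USER" -c "$1"
    fi
}

tomcat_start() {
    [ -x "$TOMCAT_HOME/bin/startup.sh" ] || { echo "no startup.sh in $TOMCAT_HOME" >&2; return 1; }
    run_as_tomcat "JAVA_HOME='$JAVA_HOME' '$TOMCAT_HOME/bin/startup.sh'" >> "$TOMCAT_LOG" 2>&1
}

tomcat_stop() {
    [ -x "$TOMCAT_HOME/bin/shutdown.sh" ] || { echo "no shutdown.sh in $TOMCAT_HOME" >&2; return 1; }
    # Tomcat's own logs are kept: they are evidence if something goes wrong.
    run_as_tomcat "JAVA_HOME='$JAVA_HOME' '$TOMCAT_HOME/bin/shutdown.sh'" >> "$TOMCAT_LOG" 2>&1
}

tomcat_ctl() {
    case "$1" in
        start)   echo "Starting tomcat..."; tomcat_start ;;
        stop)    echo "Stopping tomcat..."; tomcat_stop ;;
        restart|force-reload)
                 echo "Restarting tomcat..."; tomcat_stop; sleep 1; tomcat_start ;;
        *)       echo "Usage: $0 {start|stop|restart|force-reload}" >&2; return 1 ;;
    esac
}

# Dispatch only when invoked with an argument, as "service tomcat start" does
if [ $# -gt 0 ]; then
    tomcat_ctl "$@"
fi
```

Installed as /etc/init.d/tomcat with the same chkconfig header as the original, it is used exactly the same way (`service tomcat start`); the difference is visible in ps, where the java process belongs to tomcat instead of root.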




25 January 2007

Prepare for Tomcat

The next big thing is to install my application server, aka Tomcat. But until then, we need some preparations.

First, install elinks. It's a text-based browser, running in the console and really neat for testing local pages and downloading packages from the Internet. Again, simple:


yum install elinks
You already know to answer 'y' when prompted. Test the install with:


elinks http://www.sun.com

Type Esc for the menu and q to exit.

Now, the hard part: install Java, with some help from there. You begin by downloading the JDK kit from the Sun website.

Once there (with the browser from your regular Windows machine for simplicity, or with elinks from the Linux console, if you prefer), accept the license agreement, then copy to the clipboard the URL corresponding to the jdk-1_5_0_11-linux-i586-rpm.bin file (right click on the link, copy shortcut). Of course, at the time of reading this, you will download the most recent JDK version.

Fire mc, and go to /opt. Press Ctrl-O to hide the panels.

Now, we do some wget-ing :


wget "the_url_you_copied" -O jdk-1_5_0_11-linux-i586-rpm.bin
Now you have a local copy of the self-extracting RPM installer in your /opt folder. You now type

sh jdk-1_5_0_11-linux-i586-rpm.bin
You read the EULA with space, you answer yes to the question and you have the thing installed.
Go to /usr/java/jdk1.5.0_11 (replace this with the JDK version number you installed) and type
bin/java -version
Then compare with what the java on your PATH says:
java -version

If the version returned is not the one you just installed, you probably have the "free" Java (GCJ) preinstalled and first on the PATH. Remove it:

rm /usr/bin/java

(On CentOS the cleaner way is alternatives --config java, which lets you pick the Sun JDK instead of deleting the symlink.)

For some reason the JAVA_HOME environment variable is not set by the installer, so edit /etc/profile and add the following lines:

JAVA_HOME="/usr/java/jdk1.5.0_11"
export JAVA_HOME
The environment variable will be set at the next login. If you can't wait until then, type
source /etc/profile

18 January 2007

Start fighting with the machine

After the extremely successful attempt in my previous post, the first problems arise.
I deactivated the network on my working laptop (the one that hosts the vmware player and the CentOS "test" server)... After that, the Linux box lost its network connection and refused to regain it.

I started digging for a method to tell Linux to use DHCP to fill in the eth0 settings. Here it is (learned from here):

  • tell eth0 to go down (if your network interface is not eth0, use ifconfig to identify it):
    ifdown eth0
  • edit (or create) /etc/sysconfig/network-scripts/ifcfg-eth0 and be sure it contains only the following (the keys must be upper case, since the network scripts read them as shell variables):
    DEVICE=eth0
    BOOTPROTO=dhcp
    ONBOOT=yes
  • bring eth0 back up, and all is done:
    ifup eth0
My network is again up and running. Feeew !

But, cd-ing and vi-ing through the Linux file system, I started to wonder if I could use something easier, like Midnight Commander (MC). OK, I admit, I was sure the answer was "Yes", but how?

It's simple, type:
yum install mc
Answer 'y' when prompted, and you're ready. Really. Type mc and see for yourself.

15 January 2007

In the world of CentOs

In the next postings I will highlight a few findings (nothing original, be assured) in configuring a CentOS box. Why CentOS? My (future) hosting provider has a very sensible offer for a dedicated server, and the cheapest option is a CentOS-based box.

So, as I don't think I am some kind of Linux guru, I started by asking myself about the best (I mean easiest) course of action. Obviously, I need something local to explore and learn on, before messing with the production server.

As I hate digging for a long time into new things without seeing anything working, I decided to take the vmware approach, aka downloading a pre-configured CentOS virtual machine and working with it on my development machine.

I found one here. Thank you c_g-hills!
Of course, before you can do anything with it you must download and install the free vmware player (from here), if you don't happen to own the full vmware workstation.

The things are straightforward, and you find yourself running a CentOs server in no-time.

But, you need to configure the pretty boy, install tomcat and mysql and so on.

The first thing I did was to partially deactivate the firewall, in order to access the box through SSH (with putty). At a later time I will reactivate all the security I need.
For this, you need to enter the following at the Linux command prompt:

system-config-securitylevel-tui
In the (pseudo) GUI that appears, click the "Customize" button, then check

Trusted Devices: [*] eth0
Then two OKs, and you're done, for now. Be aware of what this does: a trusted device is exempt from the firewall entirely, so every port on eth0 (MySQL's 3306 and Tomcat's 8080 included, once they are installed) becomes reachable from the whole network, not just SSH. The same Customize screen has an "Allow incoming: SSH" checkbox that opens port 22 only; on anything but a throwaway test VM, prefer that.

Fire up putty, enter the server address (ifconfig in the server console if you don't know the server IP) and port 22 (SSH; 23 is telnet), and voila, you have remote access to your Linux box.

By the way, to cleanly end your putty session, type
exit
But enough for this post ...