Chapter 4. Machine Configuration

Table of Contents

Introduction to Machine Configuration
Update the Machine
Hostname
Set the Correct Time Zone
Adding a Regular User
Firewall Introduction
SELinux
Machine Configuration Check Point

Introduction to Machine Configuration

In this chapter, we'll do some additional configuration in the server itself. These configuration steps will make the server customized and a little more secure; they're simple "move in and settle" type steps. The steps we'll take are:

  1. Update the machine.
  2. Set the hostname.
  3. Add a regular user.
  4. Check out the firewall.
  5. Take a look at SELinux.

[Note] SSH Access Required

Completion of these tasks will require access to the machine via SSH as the root user. For questions about SSH Access see Chapter 5, SSH, particularly the section called "SSH Client".

Update the Machine

Figure 4.1. Machine Update Image #1


Updating the machine is one of the most important steps to take. It will install all the latest releases of software and security enhancements. As shown in the screenshot above, the command to issue is `yum update`.

Figure 4.2. Machine Update Image #2


Once the update command is issued, the system will check to verify that there are updated packages that can be installed. If so, there is a verification step involved. Type "y" to proceed.

[Note] Update Command All-in-One

To install the updates all in one step, issue the command `yum -y update`.

Figure 4.3. Machine Update Image #3


The screenshot above shows the updates as they are being installed. Sit back, relax, and enjoy the show.

Figure 4.4. Machine Update Image #4


Finally, all the available updates have been installed. In most instances, a reboot will not be necessary.

[Important] Reboot Necessary When Kernel is Updated

Note in the screenshot above that the kernel was updated. This is the one instance that requires a reboot. Therefore, as shown at the bottom of the image, the command `shutdown -r now` is issued to reboot the machine.
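A way to check after an update whether the machine is still running an older kernel than the one just installed, as an added example that is not part of the original chapter. The function name `kernel_status` and the sample package list are assumptions made for illustration; the check relies on `rpm -q --last kernel` listing the most recently installed kernel first.

```sh
#!/bin/sh
# Constructed sample of `rpm -q --last kernel` output after an update
# (most recently installed package first). Versions are made up.
sample_rpm_last() {
    cat <<'EOF'
kernel-2.6.32-431.3.1.el6.x86_64              Tue 14 Jan 2014 09:12:44 AM CST
kernel-2.6.32-431.el6.x86_64                  Mon 02 Dec 2013 04:20:10 PM CST
EOF
}

# kernel_status (hypothetical helper)
#   $1    = running kernel release, i.e. the output of `uname -r`
#   stdin = output of `rpm -q --last kernel`
# Prints one of:
#   current          the running kernel is the most recently installed one
#   reboot-required  a newer kernel package is installed but not yet booted
#   unknown          the running kernel is not among the installed packages
kernel_status() {
    awk -v running="$1" '
        { sub(/^kernel-/, "", $1) }      # package name -> release string
        NR == 1       { newest = $1 }    # first line = newest install
        $1 == running { seen = 1 }
        END {
            if (newest == "" || !seen)   print "unknown"
            else if (newest == running)  print "current"
            else                         print "reboot-required"
        }'
}

# On the server:  rpm -q --last kernel | kernel_status "$(uname -r)"
# Demonstration with the constructed sample, as if the old kernel were running:
sample_rpm_last | kernel_status "2.6.32-431.el6.x86_64"
```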

Hostname

Figure 4.5. Hostname Configuration Image #1


The next step in machine configuration is to establish the correct hostname for the machine. It's best if the name of the machine, as established from within the operating system, is the same as the hostname given in the RackSpace interface. Issuing the command `hostname` tells what the current hostname is. If it is not correct, there are two ways to set the hostname. The first is shown above. Editing the file /etc/sysconfig/network will establish the correct hostname.

Figure 4.6. Hostname Configuration Image #2


The screenshot above shows the contents of the file /etc/sysconfig/network. Change the appropriate entry as required to alter the name of the host.

The second way to change the hostname is from the command line. Issue the command `hostname <name>`.

[Note] Another Reboot Required

To make the name change fully effective after using either method, the best way is to reboot the machine once again. Issue the command `shutdown -r now`.

Set the Correct Time Zone

We need to configure our server to have the correct time. This involves two steps: a) set the correct time zone, and b) enable time synchronization. The sequence of commands below shows how this is done.

 
  1. `mv /etc/localtime /etc/localtime.bak`: Back up the current time zone file.
  2. `ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime`: Create a link to the time zone of choice. You can take a look inside the '/usr/share/zoneinfo' directory for a listing of time zones. Choose the one that the machine resides in.
  3. `service ntpd start`: Start the time synchronization service. It's typically installed by default but not enabled.
  4. `chkconfig ntpd on`: Enable the time synchronization service to start at boot time. This will automatically keep your server on the correct time.

If you now issue the command `date`, you should see that the time zone has been adjusted and the time is correct.

Adding a Regular User

We need to add a regular user to the system. There are several reasons for this step, one of them being that the superuser, root, is not the best account to use for login. In the initial steps of machine configuration it's necessary, but under production use the machine login should be changed. At this point, all we're going to do is add a regular user.[8]

Figure 4.7. Adding a User Image #1


There are two steps to adding a regular user, both shown in the screenshot above. Please name your user as you see fit. Both commands must be run as the root user. The following list gives both steps.

  1. Issue the command `useradd <user>`.
  2. Issue the command `passwd <user>`.

Firewall Introduction

Linux uses a firewall called iptables. Among the many functions provided by iptables, restricted access is the one we will deal with. All services run on a specifically numbered port. The screenshots below show how the iptables firewall works with these ports.

Figure 4.8. Firewall Configuration Image #1


Figure 4.9. Firewall Configuration Image #2


Both of the screenshots above show very similar, or exactly duplicated, information. The output comes from two very similar commands: `service iptables status` and `iptables -vnL`. The part of the output that we are interested in is the line that contains the number 22. This means that the firewall is open on port 22, which is the port that SSH runs on. If this were not true, we would not be able to log in to the server via SSH. In future chapters, we will need to open specific ports for other services. In this chapter, we need to install a utility that will allow us to open the ports with the minimum amount of hassle. The utility we're interested in is called system-config-firewall-tui. The first part of the name is obvious. The tui part stands for terminal user interface.

Figure 4.10. Firewall Configuration Image #3


The screenshot above shows that the system-config-firewall-tui utility is not installed.

Figure 4.11. Firewall Configuration TUI


Running the command shown in the screenshot above (`rpm -qa | grep system-config-firewall-tui`) gives, as shown, no output. That means that the interface is not installed. The screenshot below outlines the process for installing this utility.

Figure 4.12. Installing system-config-firewall-tui


While logged in to the server, run the following commands:

  1. `yum search system-config-firewall-tui`: shows the packages that are related to the utility we're interested in.
  2. `yum -y install system-config-firewall-tui`: installs the interface with all dependencies.

If the install command completes without error, congratulations. We're good to go. If it doesn't, don't proceed until the problem is addressed and fixed.
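The port 22 check described earlier in this section, done by script instead of by eye, as an added example that is not part of the original chapter. The function names and the sample listing are assumptions made for illustration; the script reports which TCP ports the INPUT chain's ACCEPT rules name, and does not evaluate rule order or source restrictions.

```sh
#!/bin/sh
# Constructed sample of `iptables -vnL` output (not taken from the page).
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9876 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    5   300 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 98 packets, 11234 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# open_tcp_ports (hypothetical helper): reads an `iptables -vnL` listing on
# stdin and prints the TCP destination ports named by ACCEPT rules in the
# INPUT chain, one per line. Only single-port "dpt:N" matches are handled;
# rules in FORWARD and OUTPUT are ignored because they do not govern
# connections to the server itself.
open_tcp_ports() {
    awk '
        /^Chain /   { in_input = ($2 == "INPUT"); next }
        in_input && $3 == "ACCEPT" && $4 == "tcp" {
            # fields 1-9 are the fixed columns; rule matches start at 10
            for (i = 10; i <= NF; i++)
                if ($i ~ /^dpt:[0-9]+$/) print substr($i, 5)
        }' | sort -n -u
}

# port_is_open (hypothetical helper): succeeds if port $1 is in that list.
port_is_open() {
    open_tcp_ports | grep -qx -- "$1"
}

# On the server, as root:  iptables -vnL | open_tcp_ports
# Demonstration with the constructed sample:
sample_listing | open_tcp_ports
```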

SELinux

Configuration of SELinux is beyond the scope of this course. Indeed, SELinux is a study all to itself. For the purpose of this course we will run SELinux in Disabled mode.[9]

Figure 4.13. SELinux Configuration Image #1


The image above shows the output of the command `getenforce`. The output should be as shown, Disabled. If it is Enabled, it will need to be reset.

[Note] Disabling SELinux

To disable SELinux, issue the command `vi /etc/sysconfig/selinux` and edit the file according to the instructions given within the file. Once finished, reboot the machine and run the command `getenforce` to verify that SELinux was successfully disabled.[10]
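A way to compare the mode set in /etc/sysconfig/selinux with what `getenforce` reports, as an added example that is not part of the original chapter. The function names and the sample file contents are assumptions made for illustration; the parser skips the comment lines and the SELINUXTYPE= line that a plain search for "SELINUX" would also match.

```sh
#!/bin/sh
# Constructed sample of /etc/sysconfig/selinux after editing (not from the page).
sample_selinux_config() {
    cat <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF
}

# configured_mode (hypothetical helper): reads the config file on stdin and
# prints the value of the first uncommented SELINUX= line, lower-cased.
configured_mode() {
    awk -F= '/^[ \t]*SELINUX[ \t]*=/ {
                 v = $2; gsub(/[ \t]/, "", v); print tolower(v); exit
             }'
}

# selinux_state (hypothetical helper)
#   $1    = runtime mode as printed by `getenforce`
#   stdin = contents of /etc/sysconfig/selinux
# Prints "consistent" when file and runtime agree, "mismatch" when they do
# not (the file is read at boot, so an edit shows up only after a reboot),
# or "no-setting" when the file has no SELINUX= line.
selinux_state() {
    cfg=$(configured_mode)
    run=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$cfg" ] || { echo "no-setting"; return 1; }
    if [ "$cfg" = "$run" ]; then echo "consistent"; else echo "mismatch"; fi
}

# On the server:  selinux_state "$(getenforce)" < /etc/sysconfig/selinux
# Demonstration with the constructed sample, before the reboot:
sample_selinux_config | selinux_state "Enforcing"
```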

Machine Configuration Check Point

When you finish the steps above, send me an email with the name and password of your regular user. I will log in to the machine as that user to verify that we are on track.



[8] Public-facing web servers are prone to a variety of attacks. For a brief outline of just one of the maladies that one faces, see Script Kiddie on Wikipedia.

[9] What is SELinux? Simply put, it's fine-grained security tuning established by the NSA. See SELinux on Wikipedia and National Security Agency Security-Enhanced Linux for more information.

[10] The command `getenforce` will return one of the following: Enforcing, Permissive, or Disabled. Permissive or Disabled will be sufficient for this course.