Fedora Linux Support Community & Resources Center

  #1  
4th February 2006, 04:40 AM
Firewing1
Every Server Setup Imaginable: SMB, SSH, VPN, VNC, HTTPD (+ PHP), MySQL, More!

Hi,

I use 2 main tools for server setup; I highly recommend installing them prior to server setup. Here's how:
Code:
yum install system-config-users system-config-services
To access them, system-config-users and system-config-services are both under "System [Menu] > Administration".

Prior/Background Knowledge Needed
  • GUI = Graphical User Interface, meaning you can interact in a graphical interface with text, images, buttons, etc
  • CLI = Command Line Interface, you see only the black / white text and background, no windows or buttons. (eg. a terminal)
  • I love gedit, but if you prefer another editor, simply replace all instances of gedit with your favourite editor. Some other popular editors are kedit and vi.
  • A commented line in a file is a line starting with a # or a ;. To uncomment this line remove this symbol from the beginning. Commented lines are in 99% of cases ignored, so they're useful for making quick notes about what something does or why. eg:
    # This line won't do anything!
    But this one will.
  • system-config-services is a GUI to the chkconfig command; I don't use it very often in this howto because chkconfig is more direct when copy>pasting commands. However, if you wish to edit many services or runlevels at once, this is the perfect tool.
  • By the way, I expect all the commands here to be executed as root. You can use su - to become root, and yes, that's a dash. Many people forget that dash, and get "command not found" errors. Please be sure to include it when becoming root for these commands.


HTTPD (PHP enabled)
Name: Apache and PHP
Function: Web server with PHP installed

Installation:
Code:
yum install php httpd system-config-httpd mod_ssl
chkconfig httpd on
service httpd restart
Configuration:
/etc/php.ini
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/*
Edit at your will. Personally, I think the defaults work fine except for the error display in php.ini - I like to set DISPLAY_ERRORS to YES to see when things go wrong in the PHP files. You may also want to enable UserDir so that you can publish files to ~/public_html as your regular user instead of /var/www/html as root.
Tips:
  • To install encryption modules for PHP (FC5 or later):
    Code:
    yum install php-mhash php-mcrypt
  • To generate a custom SSL certificate (optional; by default one is automatically generated for your system):
    Code:
    openssl genrsa -aes256 -out /etc/pki/tls/certs/temp.key 2048
    openssl rsa -in /etc/pki/tls/certs/temp.key -out /etc/pki/tls/private/your_hostname.key
    openssl req -new -key /etc/pki/tls/private/your_hostname.key -x509 -out /etc/pki/tls/certs/your_hostname.crt -days 365
    rm -f /etc/pki/tls/certs/temp.key
    chmod 600 /etc/pki/tls/private/your_hostname.key /etc/pki/tls/certs/your_hostname.crt
    service httpd restart
    Change your_hostname for your real hostname. All that's left is to edit /etc/httpd/conf.d/ssl.conf and change the certificates to use your_hostname.crt and your_hostname.key


MySQL
Name: My [Structured Query Language]
Function: Easy, fast and secure database

Installation:
Code:
yum install mysql-server mysql mysql-gui-tools
chkconfig mysqld on
service mysqld restart
If you'd like the MySQL extension in PHP, run this:
Code:
yum install php-mysql
Configuration:
Code:
/usr/bin/mysqladmin -u root password 'newpwd'
/usr/bin/mysqladmin -u root -p -h localhost.localdomain password 'newpwd'
Please change newpwd to a real password. On the second command, enter newpwd when prompted to. A hard to guess, alpha-numerical password is highly recommended.
Tips:
  • When using tables, make each row in the table have an 'id' column that is set to be the primary key and auto-increments. This way, when referring to rows in a DELETE or UPDATE statement, you won't delete unwanted rows. Just use the unique 'id' number that was created for that row.


VNC
Name: Virtual Network Computing
Function: Graphical remote administration

Please note that Gnome now includes a 'Remote Desktop' feature, or in other words the Vino server. I've found it to work quite well, and you can even run both Vino and VNC+GDM at the same time. If you do, Vino will run on the first available port above 5900.

Installation:
Code:
yum install gdm xinetd vnc{,-server}
chkconfig vncserver off
chkconfig xinetd on
Configuration:
Code:
su -
gedit /etc/xinetd.d/vnc1024
Paste this into the new file:
Code:
      service vnc1024
      {
        disable     = no
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = nobody
        server      = /usr/bin/Xvnc
        server_args = -inetd -query 127.0.0.1 -geometry 1024x768 -depth 24 -once -securitytypes=none
      }
Close the file.
Code:
su -
gedit /etc/xinetd.d/vnc1024x8
Paste this into the new file:
Code:
     service vnc1024x8
      {
        disable     = no
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = nobody
        server      = /usr/bin/Xvnc
        server_args = -inetd -query 127.0.0.1 -geometry 1024x768 -depth 8 -once -securitytypes=none
      }
Restart xinetd:
Code:
/sbin/service xinetd restart
Open /etc/gdm/custom.conf as root and add:
Code:
[xdmcp]
Enable=true
[security]
DisallowTCP=false
[daemon]
RemoteGreeter=/usr/libexec/gdmgreeter
If any of the [section] names exist, don't add a duplicate section but add the config lines to the existing section instead. For example, if [daemon] is already present, simply add "RemoteGreeter=/usr/libexec/gdmgreeter" underneath it rather than adding a second [daemon] section.
Now, add the VNC+GDM services to /etc/services so the system knows about it:
Code:
echo "vnc1024 5900/tcp                        # VNC & GDM" >> /etc/services
echo "vnc1024x8 5901/tcp                        # VNC & GDM" >> /etc/services
You can now add ports 5900 and 5901 tcp, along with 177 UDP, to be allowed in your firewall if you have one enabled. A simple way to do this is with the system-config-firewall tool. The last step is to reboot to get a fresh start of GDM and then everything should be working.

VNC desktop 0 is 1024x768 normal quality, desktop 1 is the same but 8-bit color mode (for laggier connections).
Tips:
  • You can continue adding more VNC services by adding a respective entry in /etc/xinetd.d and /etc/services.
  • You can secure your VNC by tunneling it through SSH:
    Code:
    ssh -l username  ip_address  -L to_port:127.0.0.1:from_port -p ssh_port
    Change the bold values to show the real ones. For example:
    Code:
    ssh -l myuser 12.34.56.78 -L 5905:127.0.0.1:5900
    Will map port 5900 (VNC display 0 or service "vnc1024") onto port 5905 of localhost - in other words, VNC display 5. So if that command is run in the background, you can view VNC display 5 on localhost to view the remote machine's VNC display, all over a secure tunnel!


SSH
Name: Secure Shell
Function: CLI remote administration

Installation:
Code:
yum install openssh-server
chkconfig sshd on
service sshd restart
Configuration:
Code:
gedit /etc/ssh/sshd_config
If you see a line that says:
Code:
PermitRootLogin yes
Please change it to:
Code:
PermitRootLogin no
You will also see a line:
Code:
MaxAuthTries 6
If it's commented, please change it to
Code:
MaxAuthTries 3
Next, close the text file editor, and now we have to restart SSH to make changes permanent:
Code:
service sshd restart
All Done.
Tips:
  • You can also make SSH more secure by changing its default port: in the /etc/ssh/sshd_config file, comment out the
    Code:
    Port 22
    line if it's not already commented, and add a line:
    Code:
    Port 1234
    1234 can be any number, but I recommend having it greater than 1056 as this is usually what port scanners look for. This way, your system won't be constantly spammed with login attempts.

__________________
[+] My open source software and blog
[+] Some of my howtos: (for full list, click here)

Last edited by Firewing1; 6th December 2008 at 10:16 PM.
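
An added example, not part of the original post: a check for the SSH steps above that reports the value sshd will actually use, which catches the case where a line was edited but left commented. The function names and the defaults assumed for unset keywords ("yes" and 6) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original post: report the value sshd will
# actually use for the two settings changed in the howto.

# effective_value FILE KEYWORD DEFAULT
# Keywords are case-insensitive and the first uncommented occurrence wins.
# Scanning stops at the first Match block, whose settings are conditional.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/             { next }          # commented out: ignored
        tolower($1) == "match" { exit }
        tolower($1) == key     { val = $2; found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd FILE -> prints one line per setting, returns 1 on any FAIL.
# Defaults are assumptions: "yes" and 6 match OpenSSH of the howto's era.
audit_sshd() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin yes)
    tries=$(effective_value "$1" MaxAuthTries 6)
    if [ "$root" = "no" ]; then echo "PASS PermitRootLogin $root"
    else echo "FAIL PermitRootLogin $root (want no)"; rc=1; fi
    if [ "$tries" -le 3 ] 2>/dev/null; then echo "PASS MaxAuthTries $tries"
    else echo "FAIL MaxAuthTries $tries (want 3 or lower)"; rc=1; fi
    return $rc
}

# Constructed sample: PermitRootLogin was changed, but the MaxAuthTries line
# was edited and left commented, so sshd still uses its default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
permitrootlogin no
#MaxAuthTries 3
EOF
audit_sshd "$sample" || echo "=> fix the FAIL lines, then: service sshd restart"
rm -f "$sample"
```

On a real system, run `audit_sshd /etc/ssh/sshd_config` as root after editing the file.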
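
An added example, not part of the original post: the xinetd stanzas above start Xvnc with -securitytypes=none, so anything that can reach ports 5900/5901 gets the login screen without VNC authentication. This sketch flags such services unless they are pinned to loopback with xinetd's bind, interface or only_from attribute, which still works with the SSH tunnel from the tips. The function name and the vnc-local service are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: flag xinetd services that start
# Xvnc with authentication disabled and are not restricted to loopback.

# audit_xinetd_vnc FILE... -> one line per enabled no-auth Xvnc service;
# exit status 1 if any of them is reachable from the network.
audit_xinetd_vnc() {
    awk '
        /^[ \t]*#/ { next }                          # comment line
        $1 == "service" {                            # start of a new stanza
            name = $2; xvnc = off = noauth = loop = 0; next
        }
        $1 == "disable" && $3 == "yes"    { off = 1 }
        $1 == "server"  && $3 ~ /\/Xvnc$/ { xvnc = 1 }
        $1 == "server_args" && tolower($0) ~ /-securitytypes[= \t]+none/ {
            noauth = 1
        }
        # bind/interface pin the listening address; only_from filters clients.
        ($1 == "bind" || $1 == "interface" || $1 == "only_from") &&
            NF == 3 && $3 == "127.0.0.1" { loop = 1 }
        $1 == "}" && xvnc && !off && noauth {
            if (loop) {
                print name ": no-auth Xvnc, loopback only (use the SSH tunnel)"
            } else {
                print name ": no-auth Xvnc EXPOSED to the network"; bad = 1
            }
        }
        $1 == "}" { xvnc = 0 }
        END { exit bad }
    ' "$@"
}

# Constructed samples: the stanza from the howto, and a hypothetical
# variant (vnc-local) with an added "bind" line.
dir=$(mktemp -d)
cat > "$dir/vnc1024" <<'EOF'
service vnc1024
{
  disable     = no
  socket_type = stream
  protocol    = tcp
  wait        = no
  user        = nobody
  server      = /usr/bin/Xvnc
  server_args = -inetd -query 127.0.0.1 -geometry 1024x768 -depth 24 -once -securitytypes=none
}
EOF
cat > "$dir/vnc-local" <<'EOF'
service vnc-local
{
  disable     = no
  bind        = 127.0.0.1
  server      = /usr/bin/Xvnc
  server_args = -inetd -query 127.0.0.1 -once -securitytypes=none
}
EOF
audit_xinetd_vnc "$dir"/vnc* || echo "=> at least one service needs attention"
rm -rf "$dir"
```

On a real system, run `audit_xinetd_vnc /etc/xinetd.d/*`; a service bound to 127.0.0.1 does not need ports 5900/5901 opened in the firewall.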
  #2  
4th February 2006, 04:46 AM
Firewing1
VPN
Name: Virtual Private Network
Function: Remote Networking, enter your personal LAN from remote locations securely

Installation:
fedoraproject.org/wiki/Openvpn
Configuration:
NetworkManager now has a great OpenVPN plugin that should let you configure VPN connections.

SMB
Name: Samba
Function: Windows, Linux, Mac OS X file & printer sharing

Installation:
Code:
yum install system-config-samba samba-client samba-common samba system-config-samba system-config-users
Configuration:
Type into a terminal:
Code:
system-config-users
Now, add a user for each person you want to have a Samba or SMB account on your computer. You can have all your new users share a common home if you'd like, such as /home/smb. By the way, don't be afraid to assign these users an extremely strong password. If they're not going to be signing in to this box directly, always through Samba (the internet shares), make a random password for them so hackers can't gain control of your system easily in the case that they try to do so. Their Samba password is completely different from their password on your box. For example, I could give my Linux box user friendsname "1s4d21f3g4t4" as a password, and have the same user with a Samba password "easytoguess". friendsname will login from his Windows box with the password "easytoguess", not "1s4d21f3g4t4".

Once you've added all the users you'd like, run this:
Code:
system-config-samba
Go to Preferences [menu] > Server Settings and now change:
  • "Basic" Tab:
    --> Workgroup: Change to mshome
    --> Description: What's your server? I have mine set to Linux Samba Server... Anything helpful to you.
  • "Security" Tab
    --> Authentication Mode: User
    --> Guest Account: No Guest Account
    --> Encrypt Passwords: Yes
Now close the window with an "OK"
Go to Preferences [menu] > Samba Users:
For each Samba user you wish to add, do:
  • Add user
  • Choose the Windows username & password
  • Confirm the addition of the new user by clicking "OK"

Next, you have to add Samba shares -- files or folders that will be shared over your local network.
  • Click "Add Share".
  • Choose the Share Name
  • Write a short description
  • Where applicable, check the "Visible" and "Writable" checks at the bottom. Visible means the user can see the share when browsing your server, so if it's unticked a user must manually type the server and share into the address bar.
Click on the "Access" tab, and customize your access control. You'll also need to configure your firewall to allow SMB. Click 'System' in the menu, then go to "Administration > Security level and firewall". Under "Trusted Services", be sure to check "Samba".

Tips:
  • Use groups for permissions -- They help!
  • Using system-config-users, you can create custom groups and allow certain users certain access by these permissions. Example:
    Code:
    [user@host ~]$ cd /Backups
    [user@host Backups]$ ls -l
    total 28
    drwx------  4 user1    user1    4096 Jan 26 21:24 user1
    drwx------  4 user2    user2    4096 Feb  2 15:43 user2
    drwx------  4 user3 user3 4096 Jan 21 21:32 user3
    drwx------  8 root     root     4096 Feb  7 02:03 Linux
    As you can see, even though this entire folder "/Backups" is shared, no one can see another user's documents because of file permissions: "drwx" means "I am a directory, the owner has read/write/execute permissions". The "------" means "No access to group and other users". You can change the owner, group and permissions of a file or folder with these three commands:
    Code:
    chown [OWNER] filename
    chgrp [GROUP] filename
    chmod ### filename
    respectively. For chmod, here are the common codes for "###":
    • 711 = Only owner has full access
    • 771 = Owner and group have full access
    • 751 = Owner has full access, group has read only
    • 755 = Owner has full access, everyone else has read
    • 777 = Full access for everyone /!\ DANGEROUS /!\
  • In some cases, you will be able to see the share from Windows XP but not the files in the shares. (You can display the share names but not their contents). The error message will probably look like this:
    Code:
    Server localhost cannot be found. Make sure you have access [...]
    To resolve this issue, do this:
    Code:
    gedit /etc/hosts
    In this /etc/hosts file, change the line looking like:
    Code:
    127.0.0.1               localhost.localdomain localhost
    to
    Code:
    127.0.0.1               NewHostName.localdomain NewHostName localhost.localdomain localhost
    NewHostName can be the hostname of your choice. Linux, linux_box, 1337h4xor, anything works. On one of my machines it's DellLin 'cause I'm running Linux on a Dell, whatever floats your boat.
    Code:
    gedit /etc/sysconfig/network
    This line:
    Code:
    HOSTNAME=localhost.localdomain
    must be changed to:
    Code:
    HOSTNAME=NewHostName.localdomain
    NewHostName must be the same as the name chosen before.


FTP
Name: vsftpd
Function: File sharing (download/upload) via FTP

Installation:
Code:
yum install system-config-vsftpd vsftpd system-config-users
Configuration:
Code:
su -
system-config-vsftpd
Finally, reboot and you're done!

Firewing1

Last edited by Firewing1; 4th January 2009 at 06:58 PM. Reason: Changes for OpenVPN, Samba for F10
  #3  
4th February 2006, 08:01 PM
Crux
Your work and knowledge sharing is not without great thanks, and appreciation. Thanks a ton 'eh.

-cheers-
Ed,
Also in Canada.

BTW, your AV script makes virus control a snap.
__________________
If your problem gets solved, please let us know and share the knowledge.

Registered Linux User #404549

Last edited by Crux; 4th February 2006 at 08:48 PM.
  #4  
4th February 2006, 08:35 PM
sej7278
sshd - the maxauthretries and pam bit doesn't work for me on fc3, retries never seem to end.

another trick is to move it to a non-standard port, like 23 (telnet) or something high like 8000, either by changing the port in the config, or by running another instance of /usr/sbin/sshd -p23
  #5  
5th February 2006, 03:54 AM
Firewing1
Quote:
Originally Posted by Crux
-cheers-
Ed,
Also in Canada.
BTW, your AV script makes virus control a snap.
Thanks! I'm not sure where you are -- But down here in Quebec we sure have had a weird winter! Lots of rain, no big snowmen built *yet*
Quote:
Originally Posted by sej7278
sshd - the maxauthretries and pam bit doesn't work for me on fc3, retries never seem to end.
another trick is to move it to a non-standard port, like 23 (telnet) or something high like 8000, either by changing the port in the config, or by running another instance of /usr/sbin/sshd -p23
I dunno -- Check your system logs. They will tell you of any errors. As for the timeout -- It's designed to take forever. 15 minute lockout for 3-errors. You can use (as root)
Code:
pam_tally --user username --reset
to manually reset a tally and permit login.
Firewing1
  #6  
6th February 2006, 09:51 AM
foobar47
Great Work !!
Good job !!

Bravo and thanks... :)
__________________
My WebPage
RHCT for the moment !
  #7  
7th February 2006, 04:06 PM
wprauchholz
Every Server Setup Imaginable: SMB, SSH, VPN, VNC, HTTPD (+ PHP), MySQL, More!

I am trying to remote access my server via vncviewer.
I followed the procedure to set up the VNC server.
when trying to connect to the server, the command vncviewer 192.168.1.10:1

gives me the following error message

VNC Viewer Free Edition 4.1.1 for X - built Aug 4 2005 06:43:41
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.

Tue Feb 7 16:05:06 2006
main: unable to connect to host: No route to host (113)

the iptables looks like this:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT


Any help is welcomed. Thanks
__________________
Salu2,

Wolfgang
  #8  
7th February 2006, 04:33 PM
foobar47
Try :
vncviewer 192.168.1.10:5900
  #9  
7th February 2006, 04:40 PM
wprauchholz
thx for the quick reply.
Unfortunately the result is the same.

[root@ipnspain-desk01 ipnspain]# vncviewer 192.168.1.10:5900

VNC Viewer Free Edition 4.1.1 for X - built Aug 4 2005 06:43:41
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.

Tue Feb 7 16:40:11 2006
main: unable to connect to host: No route to host (113)
  #10  
7th February 2006, 11:06 PM
Firewing1
Try disabling the firewall first, maybe that's the problem even if the ports are open... never know...
As for these hosts -- Are you going Win > Linux? That I haven't tested, although it should be the same.
Firewing1
  #11  
8th February 2006, 05:21 AM
Firewing1
Also, I'd try pinging the 192.168.1.10 host -- if there's no route maybe it's down or blocking traffic for some reason.
Firewing1
  #12  
8th February 2006, 09:19 AM
foobar47
Quote:
Originally Posted by wprauchholz
thx for the quick reply.
Unfortunately the result is the same.

[root@ipnspain-desk01 ipnspain]# vncviewer 192.168.1.10:5900

VNC Viewer Free Edition 4.1.1 for X - built Aug 4 2005 06:43:41
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.

Tue Feb 7 16:40:11 2006
main: unable to connect to host: No route to host (113)
Are you on the same network ?

What is the result of the following command :

route
  #13  
9th February 2006, 06:54 AM
wprauchholz
Thanks for the replies.
192.168.1.10 is my home server I am (trying) to set up right now. The workstation from which I want to access the server is connected to the same ADSL router as the server.
Workstation as well as server are FC4
Ping gives me:
[root@ipnspain-desk01 ~]# ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=0.275 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.306 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.312 ms

The vncviewer command now gives me (is this command statement correct?):
vncviewer 192.168.1.10:1

VNC Viewer Free Edition 4.1.1 for X - built Aug 4 2005 06:43:41
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.

Thu Feb 9 06:50:39 2006
main: unable to connect to host: Connection refused (111)
  #14  
9th February 2006, 07:34 AM
wprauchholz
BTW this happens with firewall switched on or off.
  #15  
9th February 2006, 08:46 AM
wprauchholz
I just made another test:
Firewall active on the server and tcp 5900/5901 not open, I get the following message (I have meanwhile changed the IP of the server, so don't be confused):
[root@ipnspain-desk01 ~]# vncviewer 192.168.1.2:1

VNC Viewer Free Edition 4.1.1 for X - built Aug 4 2005 06:43:41
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.

Thu Feb 9 08:45:00 2006
main: unable to connect to host: No route to host (113)

The error I get with the ports open is :
[root@ipnspain-desk01 ~]# vncviewer 192.168.1.2:1

VNC Viewer Free Edition 4.1.1 for X - built Aug 4 2005 06:43:41
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.

Thu Feb 9 08:46:28 2006
main: unable to connect to host: Connection refused (111)


So I get to the server, but am not able to log in for whatever reason.