Friday, March 18, 2011

Fedora 11 Server Installation Guide

[1] First, make a DVD for installing Fedora 11. Download the ISO file.

[2] Install Fedora 11.

Initial Configuration After Installing Fedora 11

[1] Add a new user. The user name 'fedora' is used in the following examples, but choose any name you like.

[root@dlp ~]#useradd fedora
[root@dlp ~]#passwd fedora
Changing password for user fedora.
New UNIX password: # input password you want to set
Retype new UNIX password: # verify
passwd: all authentication tokens updated successfully.
[root@dlp ~]#exit # logout

[2] Log in as the user added in step [1] and switch to root.

ns login: fedora # input user name
password: # input password
[fedora@dlp ~]$su - # switch to root
Password: # input password for root
[root@dlp ~]# # now running as root

[3] Restrict su so that only the 'fedora' user added in step [1] can switch to root.

[root@dlp ~]#vi /etc/group

# line 11: add the user to the wheel group
wheel:x:10:root,fedora
[root@dlp ~]#vi /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
# remove the leading '#' from this line
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so

[root@dlp ~]#vi /etc/login.defs

# add this line at the bottom
SU_WHEEL_ONLY yes

[4] Forward root's mail to the user you designated as system administrator.

[root@dlp ~]#vi /etc/aliases

# Person who should get root's mail
# bottom: remove '#' and add user name
root:fedora

[root@dlp ~]#newaliases # set new aliases
/etc/aliases: 77 aliases, longest 10 bytes, 776 bytes total

Firewall & SELinux

[1] The host firewall is not needed in this setup because one is already enabled on the router, so disable it.

[root@dlp ~]#/etc/rc.d/init.d/iptables stop
iptables: Flushing firewall rules: [OK]
iptables: Setting chains to policy ACCEPT: filter [OK]
iptables: Unloading iptables modules: [OK]

[root@dlp ~]#chkconfig iptables off
[root@dlp ~]#chkconfig ip6tables off

[2] Disable SELinux (Security-Enhanced Linux).

[root@dlp ~]#vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled # change
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

[3] Installing NTP Server

This is an example of installing and configuring an NTP server to keep the system clock synchronized.

[root@dlp ~]#yum -y install ntp # installs the NTP packages

[root@dlp ~]#mv /etc/ntp.conf /etc/ntp.conf.bk
[root@dlp ~]#vi /etc/ntp.conf

# Set servers for synchronizing
server ntp1.jst.mfeed.ad.jp
server ntp2.jst.mfeed.ad.jp
server ntp3.jst.mfeed.ad.jp

[root@dlp ~]#/etc/rc.d/init.d/ntpd start
Starting ntpd: [ OK ]

[root@dlp ~]#chkconfig ntpd on
[root@dlp ~]#ntpq -p # show peers and synchronization status


[4] Installing SSH Server

[1] Configure the SSH server so that Windows clients can log in to it. This example uses password authentication.

[root@dlp ~]#vi /etc/ssh/sshd_config
# line 42: uncomment and change to 'no'
PermitRootLogin no

# line 63: uncomment
PermitEmptyPasswords no
PasswordAuthentication yes
[root@dlp ~]#/etc/rc.d/init.d/sshd restart
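The su restriction from the initial configuration and the sshd settings above are both easy to misread when a directive appears more than once or is still commented out. This added shell script (not part of the original guide) audits copies of those files; the file contents it writes are constructed samples and the admin user 'fedora' is an assumption.

```shell
#!/bin/sh
# Added example (not part of the original guide): audit the su restriction
# (wheel group + pam_wheel + SU_WHEEL_ONLY) and the sshd_config settings
# from the guide, working on copies of the files. File contents below are
# constructed samples and the admin user 'fedora' is an assumption.

# Effective value of an sshd_config keyword. sshd honours the FIRST
# uncommented occurrence and matches keywords case-insensitively, so a
# later "PermitRootLogin yes" does not override an earlier "no".
sshd_effective() {   # $1 = config file, $2 = keyword, $3 = default when unset
    v=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Returns 0 only when all three edits from the guide are in place for user $4:
# the wheel line in group lists the user, pam_wheel is "required" and not
# commented out in pam.d/su, and login.defs has SU_WHEEL_ONLY yes.
su_wheel_only() {    # $1 = group file, $2 = pam.d/su file, $3 = login.defs, $4 = user
    grep -Eq "^wheel:[^:]*:[0-9]+:(.*,)?$4(,.*)?\$" "$1" || return 1
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$2" || return 1
    grep -Eq '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+yes' "$3" || return 1
}

# Constructed sample files mirroring the edits made in the guide.
d=$(mktemp -d)
printf 'root:x:0:\nwheel:x:10:root,fedora\nusers:x:100:\n' > "$d/group"
printf '#%%PAM-1.0\nauth sufficient pam_rootok.so\n' > "$d/pam_su"
printf '#auth sufficient pam_wheel.so trust use_uid\nauth required pam_wheel.so use_uid\n' >> "$d/pam_su"
printf 'UMASK 077\nSU_WHEEL_ONLY yes\n' > "$d/login.defs"
printf '#PermitRootLogin yes\nPermitRootLogin no\nPasswordAuthentication yes\n' > "$d/sshd_config"
printf 'PermitRootLogin yes\n#PermitEmptyPasswords yes\n' >> "$d/sshd_config"

if su_wheel_only "$d/group" "$d/pam_su" "$d/login.defs" fedora; then
    echo "su: restricted to wheel, and fedora is a member"
else
    echo "su: NOT restricted to wheel (or user not in wheel)"
fi
# sshd defaults passed as fallbacks: PermitRootLogin yes, PermitEmptyPasswords no
echo "PermitRootLogin        = $(sshd_effective "$d/sshd_config" PermitRootLogin yes)"
echo "PermitEmptyPasswords   = $(sshd_effective "$d/sshd_config" PermitEmptyPasswords no)"
echo "PasswordAuthentication = $(sshd_effective "$d/sshd_config" PasswordAuthentication yes)"
```

To audit a real host, replace the sample paths with /etc/group, /etc/pam.d/su, /etc/login.defs and /etc/ssh/sshd_config.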

[2] Confirm that you can log in from a Windows client using PuTTY.

[5] Installing Apache Web Server

This is an example of building a web server with Apache. PHP and SSL are installed as well because they are often used together with a web server. The router must also be configured so that TCP and UDP packets to ports 80 and 443 can pass through.

[root@www ~]#yum -y install httpd php php-mbstring php-pear mod_ssl

[root@www ~]#rm -f /etc/httpd/conf.d/welcome.conf

[root@www ~]#rm -f /var/www/error/noindex.html
[root@www ~]#ln -s /usr/bin/perl /usr/local/bin/perl

Here is an example Apache configuration. It lets users publish their own web sites and execute CGI in any directory. (SSI is disabled because it is rarely used.)


[root@www ~]#vi /etc/httpd/conf/httpd.conf

ServerTokens Prod // line 44: change
KeepAlive On // line 74: change to On
ServerAdmin root@server-linux.info // line 250: admin's address
ServerName www.server-linux.info:80 // line 264: server's name
Options FollowSymLinks ExecCGI // line 319: change (remove Indexes)
AllowOverride All // line 326: change

#UserDir disable // line 354: comment out
UserDir public_html // line 361: uncomment

// line 369 - 380: remove the leading '#' to uncomment the block
<Directory /home/*/public_html>
    AllowOverride All // change
    Options ExecCGI // CGI enabled
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

// line 390: files served when only a directory name is requested
DirectoryIndex index.html index.cgi index.php
ServerSignature Off // line 523: change

#AddDefaultCharset UTF-8 // line 746: comment out
// line 777: uncomment and add the extensions Apache should treat as CGI
AddHandler cgi-script .cgi .pl

[root@www ~]#/etc/rc.d/init.d/httpd start
Starting httpd: [ OK ]
[root@www ~]#chkconfig httpd on

[2] Make an HTML test page and make sure Apache is working.

[6] Configure SSL

Configure SSL, which was installed in step (1). In this example I made a self-signed certificate myself, but for a business server it is better to buy a certificate from a CA such as verisign.com.

[root@www ~]#cd /etc/pki/tls/certs
[root@www certs]#make server.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
......................................................++++++
.............++++++
e is 65537 (0x10001)
Enter pass phrase: // input a pass phrase
Verifying - Enter pass phrase: // verify

// entering the pass phrase at every httpd start is inconvenient, so remove it from the private key
[root@www certs]#openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: // input the pass phrase
writing RSA key

[root@www certs]#make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Tamilnadu
Locality Name (eg, city) [Newbury]:Tamilnadu
Organization Name (eg, company) [My Company Ltd]:Server Linux
Organizational Unit Name (eg, section) []:IT Solution
Common Name (eg, your server's hostname) []:www.server-linux.info
Email Address []:root@server-linux.info

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: // leave empty
An optional company name []: // leave empty

[root@www certs]#openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650 // make the certificate file
Signature ok
subject=/C=IN/ST=Tamilnadu/L=Tamilnadu/O=Server Linux/OU=IT Solution/CN=www.server-linux.info/emailAddress=root@server-linux.info
Getting Private key

[root@www certs]#chmod 400 server.*
[root@www certs]#vi /etc/httpd/conf.d/ssl.conf

DocumentRoot "/var/www/html" // line 84: uncomment
ServerName www.server-linux.info:443 // line 85: uncomment and change
SSLCertificateFile /etc/pki/tls/certs/server.crt // line 112: change
SSLCertificateKeyFile /etc/pki/tls/certs/server.key // line 119: change

[root@www certs]#/etc/rc.d/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]


Access the page made in step (2) over https. The following warning window is shown because the certificate was not issued by a CA. Click OK to proceed.

[7] Installing FTP Server

[1] Build an FTP server to transfer files. Install and configure vsftpd for it.

[root@www ~]#yum -y install vsftpd

[root@www ~]#vi /etc/vsftpd/vsftpd.conf

anonymous_enable=NO // line 12: no anonymous logins
ascii_upload_enable=YES // line 79: uncomment (permit ASCII mode transfer)
ascii_download_enable=YES
chroot_list_enable=YES // line 94: uncomment (enable chroot list)
chroot_list_file=/etc/vsftpd/chroot_list // line 96: uncomment
ls_recurse_enable=YES // line 102: uncomment
chroot_local_user=YES // add at the bottom: chroot local users
local_root=public_html // root directory after login
use_localtime=YES // use local time

[root@www ~]#vi /etc/vsftpd/chroot_list

fedora // list users here, one per line (with chroot_local_user=YES, vsftpd exempts the listed users from the chroot)

[root@www ~]#/etc/rc.d/init.d/vsftpd start
Starting vsftpd for vsftpd: [ OK ]
[root@www ~]#chkconfig vsftpd on
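vsftpd's chroot_list is easy to misread because its meaning flips with chroot_local_user. This added shell example (not from the original guide) resolves whether a given local user ends up chrooted under the settings above, and also covers the chroot_local_user=NO case; the config file, list file and user names are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the original guide): decide whether vsftpd will
# chroot a given local user under the settings used above. The config and
# list contents are constructed samples; pass real paths to check a live box.

# Value of key=value in vsftpd.conf (comment lines skipped, last occurrence wins).
vsftpd_setting() {   # $1 = config file, $2 = key, $3 = default when unset
    v=$(sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Prints "chrooted" or "not-chrooted" for user $2 under config $1.
# vsftpd's documented rule: with chroot_local_user=YES the chroot_list names
# the users who are NOT chrooted; with chroot_local_user=NO it names those
# who ARE. Listing the admin user therefore exempts them from the jail.
vsftpd_chroot_status() {
    chroot_all=$(vsftpd_setting "$1" chroot_local_user NO)
    list_on=$(vsftpd_setting "$1" chroot_list_enable NO)
    list_file=$(vsftpd_setting "$1" chroot_list_file /etc/vsftpd/chroot_list)
    in_list=no
    if [ "$list_on" = YES ] && [ -r "$list_file" ] && grep -qx "$2" "$list_file"; then
        in_list=yes
    fi
    if [ "$chroot_all" = YES ]; then
        [ "$in_list" = yes ] && echo not-chrooted || echo chrooted
    else
        [ "$in_list" = yes ] && echo chrooted || echo not-chrooted
    fi
}

# Constructed sample config and list, mirroring the guide's settings.
d=$(mktemp -d)
printf 'fedora\n' > "$d/chroot_list"
cat > "$d/vsftpd.conf" <<EOF
anonymous_enable=NO
chroot_list_enable=YES
chroot_list_file=$d/chroot_list
chroot_local_user=YES
local_root=public_html
EOF

# fedora is listed, so it is exempt; alice is not listed, so it is jailed.
for u in fedora alice; do
    echo "$u: $(vsftpd_chroot_status "$d/vsftpd.conf" "$u")"
done
```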

[8] Samba File Server

Build a file server to share files between Windows computers and the Linux server. Install Samba for it. In this example the file server is created on a guest OS named 'lan'.

[root@lan ~]#yum -y install samba

[1] Configure Samba

Create a shared directory that anybody can read and write without authentication.

[root@lan ~]#mkdir /home/share
[root@lan ~]#chmod 777 /home/share
[root@lan ~]#vi /etc/samba/smb.conf

unix charset = UTF-8 // line 24: add the line
workgroup = WORKGROUP // line 27: change (Windows' default)
security = share // line 35: change
hosts allow = 192.168.0. 127. // line 41: change to the IP ranges you permit

// add these lines at the bottom
[Share] // any name you like
path = /home/share // shared directory
writable = yes // writing allowed
guest ok = yes // guests allowed
guest only = yes // guests only
create mode = 0777 // fully accessible
directory mode = 0777 // fully accessible
share modes = yes

[root@lan ~]#/etc/rc.d/init.d/smb start
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
[root@lan ~]#chkconfig smb on

[9] MySQL

Install MySQL as the database server.

[root@www1 ~]# yum -y install mysql-server
[root@www1 ~]# /etc/rc.d/init.d/mysqld start

[root@www1 ~]#mysql -u root # login to MySQL
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


# show user info
mysql>select user,host,password from mysql.user;


# delete user that has no password
mysql>delete from mysql.user where user='';
Query OK, 2 rows affected (0.00 sec)


# set root password
mysql>set password for root@localhost=password('password');
Query OK, 0 rows affected (0.00 sec)


# set root password
mysql>set password for root@'www1.server-linux.info'=password('password');
Query OK, 0 rows affected (0.00 sec)


# set root password
mysql>set password for root@127.0.0.1=password('password');
Query OK, 0 rows affected (0.00 sec)


# show user info
mysql>select user,host,password from mysql.user;

mysql>exit # logout
Bye
[root@www1 ~]#mysql -u root -p # login as root
Enter password: # input the password
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>exit
Bye


Install phpMyAdmin to operate MySQL from a web browser. A web server is also needed.

[1] Install and configure phpmyadmin

[root@www1 ~]#yum -y install phpMyAdmin php-mysql php-mcrypt
[root@www1 ~]#vi /etc/phpMyAdmin/config.inc.php
# around line 13: set the secret used to encrypt cookie authentication data
$cfg['blowfish_secret'] = 'password';

# line 28: change
$cfg['Servers'][$i]['auth_type'] = 'cookie';

[root@www1 ~]#vi /etc/httpd/conf.d/phpMyAdmin.conf
# line 8: change
Alias /mysql /usr/share/phpMyAdmin
# line 13: add the IPs you permit
Allow from 127.0.0.1 192.168.0.0/24

[root@www1 ~]#/etc/rc.d/init.d/httpd reload
Reloading httpd: [ OK ]


[2] Access 'http://(your hostname)/(alias name you set)/' with a web browser.



3 comments:

  1. Thanks Yuva.

    It helps me more.

  2. I am a newbie to Linux. I am using your blog daily.

    Thanks for your blog.

  3. Yuva

    Thanks for your post.