
TTSEC Linux Environment

By: ChrisDev

Wednesday, January 20, 2010


Install Base System

Boot from CentOS 5.3 CD ROM (CD1)


Choose Language - English
Select Keyboard layout



Partition Hard Drive

We are installing CentOS 5.3 on a fresh system, so answer [Yes] to the question "Would you like to initialize this drive, erasing ALL DATA?"
For the clone we select "Remove linux partitions on selected drives and create default layout."
This will result in a small /boot and a large / partition as well as a swap partition.



Network Settings and Time
The default here is to configure the network interfaces with DHCP.
We are installing a server, so we use static IP addresses:
Click on the Edit button at the top right. Uncheck "Use dynamic IP configuration (DHCP)" and give your network card a static IP address and a subnet mask.
Set the hostname manually, e.g. server1.ttsec.org.tt
Enter a gateway and up to two DNS servers.
Choose the Time Zone.
Remember that the system clock on a server should use UTC (leave "System clock uses UTC" checked), so that log timestamps from different machines can be correlated.
Root Password
Give a root password. You will probably change it later, but make it a strong one now: until the admin user exists below it is the only account on the box.
Initial Software Install

At this stage select nothing but server


Don't check Packages from CentOS Extras.
Then check Customize Later, and click on Next



Install and Reboot

Click Next to complete the installation.

Remove your CD or DVD from the computer and reboot it.
On reboot the system will show the Setup Agent.
Disable the firewall here; we install our own iptables script later. Until that script is in place the box has no packet filter at all, so do the firewall step before exposing it to an untrusted network.
The deck disables SELinux in the Setup Agent. Leaving it in enforcing mode is the safer choice if you are prepared to work through the denials for the web and database services installed below.
Log in as root and reboot.



User Administration
Add an admin user, as you never want to log on as root:
adduser adminuser
passwd adminuser
Add adminuser to the wheel group:
usermod -a -G wheel adminuser
Give the wheel group sudo powers:
visudo
Uncomment the line
# %wheel ALL=(ALL) ALL
Always edit sudoers through visudo: it syntax-checks the file before saving, and a broken sudoers locks everyone out of sudo.



SSH Configuration
Edit the daemon configuration with nano or vi:
nano /etc/ssh/sshd_config
Here are the changes we make:
Port 30000 <--- change to a port of your choosing
PermitRootLogin no
#PasswordAuthentication no - uncomment only once public/private keys are in place for ssh access, otherwise you lock yourself out
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers adminuser
Note that UsePAM no bypasses the PAM account and session checks (password expiry, /etc/security/access.conf, login limits); keep it at yes if you rely on any of those. AllowUsers is a whitelist: any account not listed cannot log in over ssh at all.
Do not reload sshd until the firewall allows the new port, and keep your current session open until a new login has been confirmed to work.
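As an added example (not a script from the deck), here is a shell script that applies the sshd_config changes above without hand-editing, so the step can be repeated on a clone and re-run safely. The function names set_directive, harden_sshd_config, get_directive and check_sshd_config are mine; the port and user name are the deck's values, and the commented-out PasswordAuthentication line mirrors the deck's advice to enable it only after keys are deployed.

```sh
#!/bin/sh
# Added example, not the deck's own script: apply the sshd_config hardening
# from the slide idempotently.  Assumed helper names: set_directive,
# harden_sshd_config, get_directive, check_sshd_config.

# set_directive FILE KEY VALUE
# Replaces the first line that sets KEY (commented out or not) with "KEY VALUE",
# comments out later active duplicates (sshd honours the first occurrence), and
# appends the directive if the file never mentioned it.
set_directive() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }
            else if ($0 ~ /^[ \t]*#/) { print }
            else { print "#" $0 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# harden_sshd_config FILE PORT USER
harden_sshd_config() {
    cfg=$1 port=$2 user=$3
    cp -p "$cfg" "$cfg.bak.$$"            # keep the previous file for rollback
    set_directive "$cfg" Port "$port"
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" X11Forwarding no
    set_directive "$cfg" UseDNS no
    set_directive "$cfg" AllowUsers "$user"
    # Only once $user has a public key installed, otherwise you lock yourself out:
    # set_directive "$cfg" PasswordAuthentication no
}

# get_directive FILE KEY -> effective value (first uncommented occurrence)
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sshd_config FILE -> let the real daemon syntax-check the file before a reload
check_sshd_config() {
    /usr/sbin/sshd -t -f "$1"
}

# Usage on the server (as root), only after the firewall allows the new port:
#   harden_sshd_config /etc/ssh/sshd_config 30000 adminuser
#   check_sshd_config /etc/ssh/sshd_config && /etc/init.d/sshd reload
```

Because the first occurrence of a directive wins in sshd_config, the script replaces that one and comments out any later active copy rather than leaving two conflicting values in the file; the backup written beside the config is what you copy back from the still-open session if the new login fails.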
Firewall
We want to allow the following services:
ssh (on port 30000)
http and https (ports 80 and 443)
smtp (we actually use Exchange to send mail; port 25)
Netfilter provides a set of hooks within the kernel for intercepting and manipulating network packets.
iptables is the user-space tool used to create rules:
iptables -L -n to view the current rules (-n skips the reverse DNS lookups)
iptables -F to flush the current rule set (-F removes rules only; the chain policies stay as they are)
Firewall (cont'd)
Here is an example script:
#!/bin/sh
IPT=/sbin/iptables
# start from an empty filter table (policies are kept, so set them explicitly below)
$IPT -F
# policies: anything not matched below is dropped on the way in, allowed on the way out
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
# allowed inputs
$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -p tcp --dport 30000 -j ACCEPT   # ssh on the non-default port
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p tcp --dport 25 -j ACCEPT
# allow replies to connections this host opened, and related traffic (e.g. FTP data, ICMP errors)
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
It is safe to run this over your existing ssh session: the policy flips to DROP a few lines before the ESTABLISHED rule is added, and TCP retransmission carries the session across that gap. Note that nothing here accepts ICMP, so the server will not answer ping.
Firewall (cont'd)
Ensure that the rules are restored on reboot:
sudo service iptables save
Saved to
/etc/sysconfig/iptables
Start-up script
/etc/init.d/iptables
Also confirm with chkconfig that the iptables service is enabled for the multi-user runlevels, otherwise the saved file is never loaded at boot.
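Added example, not the deck's script: the same policy written in the iptables-save format that service iptables save stores in /etc/sysconfig/iptables, generated by a function so it can be reviewed, diffed and loaded in one step with iptables-restore. The port list is the deck's; the ICMP echo, INVALID-drop, ssh rate-limit and LOG rules are my additions, and gen_ruleset, open_tcp_ports and install_ruleset are names I chose.

```sh
#!/bin/sh
# Added example (not the deck's script).  gen_ruleset writes the policy in
# iptables-save format, i.e. what /etc/sysconfig/iptables contains after
# "service iptables save".  iptables-restore replaces the whole table
# atomically, so there is no window with a half-built rule set.
# Assumed names: gen_ruleset, open_tcp_ports, install_ruleset.

# gen_ruleset SSH_PORT "TCP_PORT ..."  -> rule set on stdout
gen_ruleset() {
    ssh=$1 ports=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport $ssh -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $ssh -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
EOF
    # one ACCEPT per published service; only NEW connections need it, the
    # ESTABLISHED rule above already covers the rest of each flow
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# open_tcp_ports < ruleset -> the TCP ports a new inbound connection may reach
open_tcp_ports() {
    awk '/^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
             for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
         }'
}

# install_ruleset SSH_PORT "TCP_PORT ..."  (as root): write, load, enable at boot
install_ruleset() {
    gen_ruleset "$1" "$2" > /etc/sysconfig/iptables &&
    /sbin/iptables-restore < /etc/sysconfig/iptables &&
    /sbin/chkconfig iptables on
}

# e.g.  install_ruleset 30000 "30000 80 443 25"
# review first with:  gen_ruleset 30000 "30000 80 443 25" | open_tcp_ports
```

The recent-match pair drops the sixth new ssh connection from one source within 60 seconds, which blunts password guessing without touching an established session; the LOG rule, rate-limited so a scan cannot fill /var/log/messages, is what you grep for when a service you expected to reach is silently dropped.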



Logging in as Admin User

Do not log out from the initial session.

Reload the sshd:
/etc/init.d/sshd reload
On the local computer open a new PuTTY (or ssh) session to the new port:
ssh -p 30000 adminuser@<server address>
Only close the original session once this login works; if it fails, fix sshd_config or the firewall from the session that is still open.



OS and Memory check

$ cat /etc/redhat-release
$ free -m



Profile check!!

Shell start-up files to review (open each with nano):
/etc/profile
~/.bash_profile
/etc/bashrc
~/.bashrc
/etc/profile and ~/.bash_profile are read every time you log in (login shells); /etc/bashrc and ~/.bashrc are run for other interactive shells.



Package Management
RPM, Yum
Yum repositories:
$ ls /etc/yum.repos.d/
$ cat /etc/yum.repos.d/CentOS-Base.repo
Update the installed packages and install yum-utils:
$ sudo yum update
$ sudo yum install yum-utils
Install the development tools (list the available groups first):
$ sudo yum grouplist
$ sudo yum groupinstall 'Development Tools'
More YUM
YUM - Yellowdog Updater, Modified (written in Python)
Official package manager for RHEL and the replacement for up2date.
Yum provides:
Automatic metadata syncing
Repositories
Plugins
GUIs
Typical Tasks
Register the system (RHEL only; not required with CentOS):
# rhn_register
Display available updates:
# yum list updates
This lists all pending updates, not only security fixes; the yum-security plugin adds a --security filter, but it only works where the repository publishes security metadata, which the stock CentOS repositories did not.
Patch the system and apply updates:
# yum update



More Tasks
List all packages:
# rpm -qa
# yum list installed
Find out whether a package is installed:
# rpm -qa | grep -i httpd
# yum list installed httpd
Update a package:
# yum update {package-name}
Search for packages:
# yum list {package-name or wildcard}
# yum list 'python*'   (quote the wildcard so the shell does not expand it)
Install/Remove (several packages are given separated by spaces):
# yum install {package1 package2 ...}
# yum remove {package1 package2 ...}



YUM software groups
Display the list of software groups:
# yum grouplist
Display information about a software group:
# yum groupinfo "Development Tools"
Install/Remove/Update all the packages in a group:
# yum groupinstall "Development Tools"
# yum groupremove "Development Tools"
# yum groupupdate "Development Tools"
Dependencies: find which package provides a file
# yum whatprovides /etc/passwd



Install MySQL
Used for Knowledge Tree.
Install the MySQL database packages:
$ sudo yum groupinstall 'MySQL Database'
The MySQL start-up script is installed but the daemon is not started. Start it once to initialize the data directory:
$ sudo /etc/init.d/mysqld start
Use chkconfig to ensure that MySQL starts on boot (the service is named mysqld on CentOS, matching the init script above):
$ sudo /sbin/chkconfig --level 2345 mysqld on
MySQL basic security configuration
Set a root password, remove the anonymous accounts and the test database (mysql_secure_installation walks through all of this interactively), and keep the server listening on localhost only unless another host needs it.
Users and privileges: create a dedicated user per application (Knowledge Tree) with rights on its own database only; never let an application connect as root.
Install PostgreSQL
Install using yum:
$ sudo yum grouplist
$ sudo yum groupinstall 'PostgreSQL Database'
Set up the rc.d system so that PostgreSQL starts at boot:
$ /sbin/chkconfig --list postgresql
$ sudo /sbin/chkconfig postgresql on
Start the database:
$ sudo /etc/init.d/postgresql start
The first start also initializes the database cluster (initdb) under /var/lib/pgsql/data.
Basic security
Host-based access - pg_hba.conf: which clients may connect to which database as which user, and how they must authenticate. Avoid the trust method for anything but a throwaway box, and keep the server listening on localhost unless a remote host really needs it.
Users and user access: create a dedicated role per application with only the privileges it needs; do not let applications connect as postgres.
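The deck leaves host-based access as a bullet. As an added example (not the deck's material), here is a small audit for the weak pg_hba.conf entries a practitioner looks for, run against two constructed files: a permissive one and a hardened one for the smw and civ databases used later in the deck. The names audit_pg_hba, write_permissive_hba and write_hardened_hba are mine, and both sample files are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the deck.  audit_pg_hba prints every pg_hba.conf rule
# that grants access too freely.  Columns are TYPE DATABASE USER [ADDRESS] METHOD
# [OPTIONS]; "local" (Unix socket) lines have no ADDRESS column.
# Assumed names: audit_pg_hba, write_permissive_hba, write_hardened_hba.

# audit_pg_hba FILE -> "file:line: rule (reason)" per weak rule, nothing if clean
audit_pg_hba() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            if ($1 == "local") { addr = "-"; method = $4 }
            else               { addr = $4; method = $5 }
            reason = ""
            if (method == "trust")          reason = "trust: no authentication"
            else if (method == "password")  reason = "password: sent in cleartext"
            else if (method == "ident" && $1 != "local")
                                            reason = "ident over the network is spoofable"
            if (addr == "0.0.0.0/0" || addr == "::/0")
                reason = reason (reason != "" ? "; " : "") "open to any address"
            if (reason != "") printf "%s:%d: %s (%s)\n", FILENAME, FNR, $0, reason
        }' "$1"
}

# Constructed sample: every rule below is one you should not ship.
write_permissive_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER     CIDR-ADDRESS     METHOD
local   all       all                       trust
host    all       all      127.0.0.1/32     trust
host    all       all      ::1/128          trust
host    smw       smwuser  0.0.0.0/0        password
EOF
}

# Constructed sample: the superuser only over the socket as the matching OS user,
# the application role only for its own databases, passwords hashed on the wire.
write_hardened_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER     CIDR-ADDRESS     METHOD
local   all       postgres                  ident sameuser
local   smw,civ   smwuser                   md5
host    smw,civ   smwuser  127.0.0.1/32     md5
EOF
}

# Usage on the server:  audit_pg_hba /var/lib/pgsql/data/pg_hba.conf
```

Rules are matched top to bottom, so a permissive line early in the file wins even if a stricter one follows; after editing, reload with /etc/init.d/postgresql reload and check listen_addresses in postgresql.conf, since pg_hba.conf only matters for addresses the server actually listens on.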
Apache
Install using yum:
$ sudo yum install httpd mod_ssl
Alternatively, install the whole group:
$ sudo yum groupinstall "Web Server"
This may install too many extra packages; check what the group contains first:
$ sudo yum groupinfo "Web Server"
Set the server name:
sudo nano /etc/httpd/conf/httpd.conf
Uncomment and change #ServerName to the hostname.
Reload Apache (and enable it at boot with chkconfig, as for the databases):
sudo /etc/init.d/httpd reload
Application Software

Source control
SVN - standard, and used as the distribution mechanism for chrisdev packages
git and Mercurial (Hg) - the new wave, used by many external libraries
Linux development tools required to build other packages: GCC, make, etc.



Application Software (cont'd)
Python 2.5
easy_install - installer for Python packages
Database adapters
psycopg2 - PostgreSQL
MySQLdb - MySQL
django - web framework used in all new chrisdev applications
spyce - legacy web framework (currently being deprecated)
Application Software (cont'd)
General purpose third-party Python libraries
ChartDirector - commercial; requires a server license
FeedParser - parsing RSS feeds
BeautifulSoup - web scraping
PIL - Python image manipulation
mx.DateTime - datetime library for Python
xlrd - cross-platform library to extract information from Excel files
ipython - replacement for the Python shell
twill/mechanize - automate HTTP form submission
python-dateutil - Python datetime extensions
pysol - Python implementation of the solango API
akismet.py - API for the Akismet spam monitoring service (used for comments)
Application Software (cont’d)
Django reusable apps
profiles - users profiles
registration - user registration
supertagging - Tagging using Open Calais
tinymce - django tinymce integration
pagination
Other
Java
Apache Solr - Solr, a search server based on Lucene
PHP/mod_php - used by knowledge tree
SMW
The current version requires spyce.
Create the SMW database from the production dump (smw-yyyymmdd.tar.gz; gunzip it first, pg_restore reads the tar-format archive):
createdb -U smwuser smw
pg_restore -Ox -d smw smw-yyyymmdd.tar

Use SVN to deploy the source:

$ cd /var/www/
$ svn co https://dev.chrisdev.com/svn/smw/trunk smw

Edit smw/lib/sec_utils.py and create a connection string in the get_connection_str function.
That file now holds the database password and the checkout contains .svn metadata: make sure the Apache virtual host does not serve the source tree or .svn directories, and keep sec_utils.py readable only by the user Apache runs as.
SMW (cont'd)
Create an Apache virtual server for smw; use smw/smw.conf as a template:
nano /etc/httpd/conf/httpd.conf
Restart and test: /etc/init.d/httpd restart
Set up cron jobs for web scraping and other maintenance operations; use smw/deploy/mycrontab as a template:
sudo crontab mycrontab
Note that crontab FILE replaces root's entire existing crontab with the contents of FILE; run sudo crontab -l first if root already has entries you need to keep.
CIS Monitor
Uses the django framework.
The production version uses mod_python, but we will migrate to mod_wsgi.
Create the civ database from the production dump (civ-yyyymmdd.tar.gz; gunzip it first):
createdb -U smwuser civ
pg_restore -Ox -d civ civ-yyyymmdd.tar

Use SVN to deploy the source:

$ cd /usr/local
$ sudo svn co https://dev.chrisdev.com/civ_monitor/smw/trunk civmonitor
CIS Monitor (cont'd)
Create a local_settings.py file and edit it:
DATABASE_ENGINE = 'postgresql_psycopg2' # 'postgresql_psycopg2', 'postgresql', 'mysql', 'sqlite3' or 'oracle'.
DATABASE_NAME = 'civ' # Or path to database file if using sqlite3.
DATABASE_USER = 'smwuser' # Not used with sqlite3.
DATABASE_PASSWORD = '***'
Keep local_settings.py out of SVN and readable only by the web server user: it is the one file in the checkout that carries a live credential.

Create an Apache virtual server for CIS Monitor; use apache.conf in the deployment directory as a template:
nano /etc/httpd/conf/httpd.conf
Restart and test: /etc/init.d/httpd restart
MASS



Knowledge Tree



Backups and other
maintenance
