Operating System Configuration

Installing a base operating system

Start by performing a minimal OS installation of a recent 64-bit Red Hat Enterprise Linux 6 (RHEL 6) or derivative Linux distribution (e.g. CentOS 6, Oracle Linux 6), using your preferred installation method (manual install, Kickstart, etc.). The details of how to perform this task are outside the scope of this document.

To perform the installation, the system needs to be able to establish outgoing TCP connections (mainly to download additional components).

Boot up the system and log in as the root user, either via the console or via an SSH connection.

Enable Time Synchronization with NTP

We strongly advise that the clocks of all servers in a TeamDrive installation are synchronized using the Network Time Protocol (NTP). This can be achieved by installing the ntp package and enabling the NTP daemon:

[root@hostserver install]# yum install ntp
[root@hostserver install]# service ntpd start
[root@hostserver install]# chkconfig ntpd on

Edit and update the configuration file /etc/ntp.conf, if necessary for your local environment.

Disable SELinux

The TeamDrive Host Server currently cannot be run when SELinux is enabled. Edit the file /etc/selinux/config and set SELINUX=disabled.

Reboot the system or change the SELinux enforcing mode at run time using the following command:

[root@hostserver install]# echo 0 > /selinux/enforce

Firewall configuration

You should configure a local firewall so the server is protected against remote attacks. The only TCP ports that should be reachable from outside are 22 (SSH, optional for remote administration), 80 (HTTP) and 443 (HTTPS).

On a minimal installation, you can install and use the text-based firewall configuration utility to enable access to the following services:

  • SSH
  • Secure WWW (HTTPS)
  • WWW (HTTP)

To configure the firewall, you need to run:

[root@hostserver install]# yum install system-config-firewall-tui newt-python
[root@hostserver install]# system-config-firewall-tui

Follow the instructions to configure the firewall. Enable additional protections based on your local requirements or security policies.

You can check the result with iptables -L:

[root@hostserver ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
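
As an added example (not part of the TeamDrive documentation), the following script checks a ruleset in iptables-save format, such as the output of iptables-save or the file /etc/sysconfig/iptables, against the three TCP ports named above. It reads rule specifications rather than the iptables -L listing because iptables -L without -v omits the interface column, so a loopback-only rule (assumed here to be the bare "ACCEPT all" line in the listing) looks the same as an accept-everything rule. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/bash
# Added example (not TeamDrive code): audit filter/INPUT rules given in
# iptables-save format against the TCP ports this guide allows.
ALLOWED_TCP_PORTS="22 80 443"
audit_input_rules() {   # hypothetical helper: rules on stdin, findings on stdout
    awk -v allowed="$ALLOWED_TCP_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^\*/ { other = ($1 != "*filter"); next }     # table marker: *filter, *nat, ...
    other || closed { next }                      # rules after a catch-all never match
    /^:INPUT DROP/ { deny = 1; next }             # default-deny chain policy
    /^-A INPUT -j (DROP|REJECT)( --reject-with [^ ]+)?$/ { deny = closed = 1; next }
    $1 == "-A" && $2 == "INPUT" {
        target = proto = iface = ports = ""; est = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-j") target = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "-i") iface = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") ports = $(i + 1)
            else if ($i == "--state") est = ($(i + 1) !~ /NEW/)
        }
        if (target != "ACCEPT") next
        if (/ ! /) { print "REVIEW " $0; next }   # negated match: check by hand
        if (iface == "lo" || est || proto == "icmp") next
        if (ports == "") { print "BROAD " $0; next }   # no port restriction
        m = split(ports, p, ",")
        for (i = 1; i <= m; i++)
            if (proto != "tcp" || !(p[i] in ok)) print "UNEXPECTED " proto "/" p[i]
    }
    END { if (!deny) print "NO-DEFAULT-DENY" }'
}

# Constructed sample: the ruleset this page lists, in iptables-save form,
# plus one stray rule (tcp/3306) added to show a finding.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}
sample_rules | audit_input_rules
```

On a live server, pipe the real ruleset in as root with `iptables-save | audit_input_rules`; no output means every accepted new connection is limited to the allowed ports and the chain ends in a catch-all DROP or REJECT.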