Operating System Configuration
Installing a base operating system
Start by performing a minimal OS installation of a recent 64-bit Red Hat Enterprise Linux 6 (RHEL 6) or derivative Linux distribution (e.g. CentOS 6, Oracle Linux 6), using your preferred installation method (manual install, Kickstart, etc). The details of how to perform this task are out of the scope of this document.
During the installation, the system must be able to establish outgoing TCP connections (mainly to download additional components).
Boot up the system and log in as the root user, either via the console or via an SSH connection.
Enable Time Synchronization with NTP
We strongly advise that the clocks of all servers in a TeamDrive installation are synchronized using the Network Time Protocol (NTP). This can be achieved by installing the ntp package and enabling the NTP daemon:
[root@hostserver install]# yum install ntp
[root@hostserver install]# service ntpd start
[root@hostserver install]# chkconfig ntpd on
Edit and update the configuration file /etc/ntp.conf, if necessary for your local environment.
Disable SELinux
The TeamDrive Host Server currently cannot be run when SELinux is enabled.
Edit the file /etc/selinux/config and set SELINUX=disabled.
Reboot the system for the change to take effect, or switch SELinux from enforcing to permissive mode at run time (without a reboot) using the following command:
[root@hostserver install]# echo 0 > /selinux/enforce
Firewall configuration
You should configure a local firewall so the server is protected against remote attacks. The only TCP ports that should be reachable from outside are 22 (SSH, optional for remote administration), 80 (http) and 443 (https).
On a minimal installation, you can install and use the text-based firewall configuration utility to enable access to the following services:
- SSH
- Secure WWW (HTTPS)
- WWW (HTTP)
To configure the firewall, you need to run:
[root@hostserver install]# yum install system-config-firewall-tui newt-python
[root@hostserver install]# system-config-firewall-tui
Follow the instructions to configure the firewall. Enable additional protections based on your local requirements or security policies.
You can check the result with iptables -L:
[root@hostserver ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
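The listing above can be audited rather than read by eye. The following POSIX shell script is an added example and is not part of the TeamDrive documentation: it extracts every TCP destination port that the INPUT chain accepts for NEW connections and reports any port outside the allow-list given in the text (ssh, http, https). The sample listing embedded in the script is copied from the iptables -L output shown above so that it runs offline; the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not TeamDrive's own tooling): audit the INPUT chain of an
# `iptables -L` listing against the allow-list documented in the text.

# Sample listing, copied from the iptables -L output shown above.
# On a live system pipe the real listing instead: iptables -L | unexpected_ports "ssh http https"
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

# Print the destination port (service name or number) of every ACCEPT tcp
# rule in the INPUT chain, one per line. Reads an iptables -L listing on stdin.
# Rules in FORWARD and OUTPUT are ignored because the "Chain" header resets
# the in_input flag.
accepted_tcp_ports() {
    awk '
        /^Chain / { in_input = ($2 == "INPUT") }
        in_input && $1 == "ACCEPT" && $2 == "tcp" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
        }'
}

# Print every accepted TCP port that is not in the space-separated
# allow-list "$1". Exit status 0 when the chain matches the allow-list,
# 1 when at least one unexpected port is accepted.
unexpected_ports() {
    allowed="$1"
    status=0
    for port in $(accepted_tcp_ports); do
        case " $allowed " in
            *" $port "*) ;;
            *) echo "$port"; status=1 ;;
        esac
    done
    return $status
}

# Stand-alone run: audit the embedded sample listing.
if printf '%s\n' "$SAMPLE_LISTING" | unexpected_ports "ssh http https"; then
    echo "INPUT chain accepts only the documented TCP ports"
else
    echo "INPUT chain accepts TCP ports outside the documented allow-list" >&2
fi
```

Two caveats when reading the output: iptables -L resolves port numbers to names from /etc/services, so pass -n if you want numeric ports in the allow-list, and the unconditional "ACCEPT all" rule in the sample is only acceptable if it is bound to the loopback interface, which iptables -L does not show; use iptables -L -v to see the interface column before signing off on that rule.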