Virtual Appliance Installation and Configuration¶

Download and Verify the Virtual Appliance Image¶

A .zip Archive containing the virtual appliance’s disk image and VM configuration can be obtained from the following URL:

https://s3download.teamdrive.net/Server/TD-Host-Server-CentOS9-64bit-5.0.2.0.zip

Download the .zip archive and the corresponding SHA256 checksum file:

https://s3download.teamdrive.net/Server/TD-Host-Server-CentOS9-64bit-5.0.2.0.zip.sha256

You should verify the SHA256 checksum to ensure that the zip archive is intact.

You can use the sha256sum command line utility on Linux to verify the integrity of the downloaded file.

For guidance on how to verify this checksum on other platforms, see the following articles:

Apple Mac OS X: How to Check sha256 Hash of a File on Mac
Microsoft Windows: Get-Filehash - sha256sum Windows

For additional safety, we recommend to verify the cryptographic signature of the zip archive as well.

You need to have a working GnuPG installation in order to verify this signature. The installation and configuration of GnuPG is out of the scope of this document — see the documentation at https://gnupg.org/ for details.

The public TeamDrive Build GPG key can be downloaded from here:

https://repo.teamdrive.net/RPM-GPG-KEY-TD2024

Import the key into your keyring and double check it matches the fingerprint provided below:

$ gpg --fingerprint support@teamdrive.net
pub   3072R/FAFDFE49 2024-02-05 [expires: 2026-02-04]
      Key fingerprint = 3E0F A901 D96F 2B61 15FC 7A96 CEA7 D6ED FAFD FE49
uid                  TeamDrive Systems ((RPM Build Key 2024) <support@teamdrive.net>
sub   3072R/F583896E 2024-02-05 [expires: 2026-02-04]

Each official release is signed with this TeamDrive GPG key. The signature can be obtained from the following URL:

https://s3download.teamdrive.net/Server/TD-Host-Server-CentOS9-64bit-5.0.2.0.zip.asc

To verify the signature on a Linux operating system, the .zip and corresponding .asc file should be located in the same directory. Now run the following command:

$ gpg --verify TD-Host-Server-CentOS9-64bit-5.0.2.0.zip.asc
gpg: Signature made Mo 18 Mai 2015 10:34:09 CEST using RSA key ID 9A34C453
gpg: Good signature from "TeamDrive Systems (RPM Build Key 2024) <support@teamdrive.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8F9A 1F36 931D BEFA 693B  9881 ED06 27A9 9A34 C453

The procedure on other platforms may vary, please consult the GnuPG documentation for details on how to accomplish this task.

Import the Virtual Appliance¶

After you have confirmed the integrity and authenticity, unzip the zip archive.

The archive contains four files, a virtual disk image (.vmdk), two virtual machine description files (.ovf) and a manifest file (.mf), containing the file names and SHA1 checksums.

Import the virtual machine image according to the documentation of your virtualization technology and adjust the VM parameters (e.g. number of virtual CPUs, RAM) based on your requirements, if necessary.

Note

An import to VMWare ESXi might fail with the error:

Unsupported hardware family 'virtualbox-2.2'.

In this case use the .ovf file starting with vmx_*.ovf

Start up the virtual machine and observe the virtual machine’s console output.

First Boot and Initial Configuration¶

Log in as the teamdrive user with the standard password teamdrive on SSH port 2021 (not ssh default port 22).

To change the default password, type in:

[teamdrive@localhost ~]# passwd

and define your own strong password (please notice the password requirements described in Shell). Do the same with the root user. Type in:

[teamdrive@localhost ~]# sudo -i

and use standard password teamdrive for the root-user authorization. Change the default password:

[root@localhost ~]# passwd

The server is configured with DNSCrypt using a list of public DNSCrypt-Server as described in DNSCrypt. To change the network device and DNS, type in:

[root@localhost ~]# nmtui

Whitelist your ssh login ip as described in Fail2Ban and restart the service:

systemctl restart fail2ban

Updating the Installed Software Packages¶

As a first step, we strongly advise to perform an update of the installed software packages. New security issues or software bugs might have been discovered and fixed since the time the Virtual Appliance has been built.

This can be done using the dnf package management tool. As a requirement, the Virtual Appliance needs to be connected to the network and needs to be able to establish outgoing HTTP connections to the remote RPM package repositories. To initiate the update process, enter the following command:

[root@hostserver ~]# dnf update -y

dnf will first gather the list of installed packages and will then determine, if updates are available. If any updates need to be installed, the affected RPM packages will now be downloaded from the remote repositories and installed.

If the dnf update installed any updated packages, consider performing a reboot before you proceed, to ensure that the updates are activated.

Note

Performing a regular update of all installed packages is an essential part of keeping your system secure. You should schedule a regular maintenance window to apply updates using dnf update (and perform a reboot, to ensure that the system still boots up fine after these updates). Failing to keep up to date with security fixes may result in your system being vulnerable to certain remote exploits or attacks, which can compromise your system’s security and integrity.

Adjust time zone setting¶

The Virtual Appliance Image is set to time zone: Etc/UTC. Please adjust this to your timezone, because the TeamDrive Clients send a timestamp in each request to prevent Man-in-the-middle attacks. The TeamDrive Client automatically synchronises its time with the server, if the difference exceeds the allowed TimeDiffTolerance. To order to reduce the need for adjustment, the time zone should match those of your clients.

You can list the available timezones with:

[root@hostserver ~]# timedatectl list-timezones

To set the timezone execute:

[root@hostserver ~]# timedatectl set-timezone your_time_zone

To verify the timezone execute:

[root@hostserver ~]# timedatectl

Changing default passwords¶

The TeamDrive Host Server Virtual Appliance uses the following default passwords for user accounts of the different software components. The following list shows the accounts in question and their passwords.

Note

We strongly suggest changing the passwords of the OS and MySQL root user accounts before connecting this system to a public network.

Default accounts and passwords¶
Account type	Username	Password (default)
MySQL Database Server	root	teamdrive
MySQL Database Server	teamdrive	teamdrive
Admin Console	HostAdmin	(defined during setup)
GRUB Bootloader		(contact Teamdrive)

As described in GRUB bootloader password the GRUB Bootloader is protected with a password.

Changing the MySQL Database Passwords¶

To change the passwords for the MySQL root and teamdrive user, please use the following commands. First change the password for the root user:

[root@hostserver ~] mysqladmin -u root -pteamdrive password
New password: <new password>
Confirm new password: <new password>

Next, log into the MySQL database as the root user (using the new password) and change the password for the user teamdrive:

[root@hostserver ~]# mysql -u root -p
Enter password: <new password>

[...]

mysql> SET PASSWORD FOR 'teamdrive'@'localhost' = '<new password>';
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye

Note

Take note of the new MySQL password for the teamdrive user, as you will need to update that password in a configuration file as outlined the following chapter.

Updating the MySQL Database Connection Information¶

The default Host Server Appliance installation assumes a MySQL database instance running on localhost that can be accessed using the user teamdrive and password teamdrive. If you changed the password of the teamdrive the following change need to be performed.

The Host Server Apache modules mod_pspace and mod_yvva as well as the yvvad daemon that performs the td-hostserver background tasks need to be able to communicate with the MySQL management database of the Host Server. To change the MySQL login credentials, edit the file /etc/td-hostserver.my.cnf. The password for the teamdrive MySQL user in the [p1db] option group must match the one you defined earlier:

[p1db]
database=pspace
user=teamdrive
password=<password>
host=localhost
socket=/var/lib/mysql/mysql.sock

Firewall Configuration¶

The iptables-based OS firewall on the TeamDrive Host Server Virtual Appliance has been configured to only allow access to the following services:

SSH (TCP Port 2021, not the default SSH Port 22)
Secure WWW (HTTPS, TCP Port 443)
WWW (HTTP, TCP Port 80)

If necessary, you can change the firewall configuration using the following utility:

[root@hostserver ~]# firewall-cmd

An instructions how to configure the firewall can be found here https://www.server-world.info/en/note?os=CentOS_Stream_9&p=firewalld&f=1

If your firewall or other network component supports ssl offloading, please notice the configuration changes described in Running the server behind component with SSL offloading functionality

Proxy Configuration¶

Please configure a proxy in the following config files. For dnf add in /etc/dnf/dnf.conf the following line:

proxy=http://<host>:<port>

In /opt/dnsmasq/urlhaus.sh set the proxy in the script in this variable:

PROXY_URL

The Host Server needs access to his Registration Server. Configure the proxy in the Host Server Admin under Settings –> Outgoing Connections in ProxyHost (format <host>:<port>) and UseProxy true/false.

Time Server¶

If you use an own internal time server, add the server in /etc/chrony.conf and disable the default time server and restart the service:

systemctl restart chronyd.service

Suricate Configuration¶

Suricata is an open source network security system designed to detect and respond to threats in real time. It is based on the Intrusion Detection Engine and uses various techniques such as signatures, anomaly detection and log analysis to identify threats.

Please update the network interface name from your environment. You can get the name of your network interface with:

[root@hostserver ~]# ip --brief add | grep "UP"

Update the interface name in these files and by replacing “ens160” with your name in:

/etc/sysconfig/suricata

and in:

/etc/suricata/suricata.yaml

below this line:

# Linux high speed capture support
af-packet:
  - interface: ens160

Restart the suricate service with:

[root@hostserver ~]# systemctl restart suricata

SELinux Configuration¶

Please note that the TeamDrive Host Server currently can not be run when SELinux is enabled. Therefore SELinux has been disabled by setting SELINUX=disabled in file /etc/selinux/config. It is important to leave it disabled, otherwise the correct functionality of the Host Server can not be ensured.