Virtual Appliance Installation and Configuration¶
Download and Verify the Virtual Appliance Image¶
A .zip archive containing the virtual appliance’s disk image and VM configuration can be obtained from the following URL:
https://s3download.teamdrive.net/Server/TD-Web-Portal-CentOS9-64bit-5.0.0.0.zip
Download the .zip archive and the corresponding SHA256 checksum file:
https://s3download.teamdrive.net/Server/TD-Web-Portal-CentOS9-64bit-5.0.0.0.zip.sha256
You should verify the SHA256 checksum to ensure that the zip archive is intact. On Linux, the sha256sum command line utility can be used to verify the integrity of the downloaded file.
For guidance on how to verify this checksum on other platforms, see the following articles:
- Apple Mac OS X: How to Check sha256 Hash of a File on Mac
- Microsoft Windows: Get-Filehash - sha256sum Windows
For additional safety, we recommend verifying the cryptographic signature of the zip archive as well.
You need a working GnuPG installation in order to verify this signature. The installation and configuration of GnuPG is outside the scope of this document; see the documentation at https://gnupg.org/ for details.
The public TeamDrive Build GPG key can be downloaded from here:
Import the key into your keyring and double-check that it matches the fingerprint provided below:
$ gpg --fingerprint support@teamdrive.net
pub 3072R/FAFDFE49 2024-02-05 [expires: 2026-02-04]
Key fingerprint = 3E0F A901 D96F 2B61 15FC 7A96 CEA7 D6ED FAFD FE49
uid TeamDrive Systems ((RPM Build Key 2024) <support@teamdrive.net>
sub 3072R/F583896E 2024-02-05 [expires: 2026-02-04]
Each official release is signed with this TeamDrive GPG key. The signature can be obtained from the following URL:
https://s3download.teamdrive.net/Server/TD-Web-Portal-CentOS9-64bit-5.0.0.0.zip.asc
To verify the signature on a Linux operating system, place the .zip file and the corresponding .asc file in the same directory and run the following command:
$ gpg --verify TD-Web-Portal-CentOS9-64bit.zip.asc
gpg: Signature made Do 27 Aug 2015 12:57:38 CEST using RSA key ID 9A34C453
gpg: Good signature from "TeamDrive Systems (RPM Build Key) <support@teamdrive.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8F9A 1F36 931D BEFA 693B 9881 ED06 27A9 9A34 C453
The WARNING lines only mean that you have not certified the key in your own keyring. What establishes authenticity is that the signature is reported as Good and that the Primary key fingerprint printed by gpg matches the fingerprint you checked when importing the key.
The procedure on other platforms may vary; please consult the GnuPG documentation for details on how to accomplish this task.
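The checksum and signature steps above, scripted so that a hand comparison of long hex strings is not needed. This is an added example, not part of the TeamDrive documentation; it assumes sha256sum and GnuPG 2 are installed and that the fingerprint you pass in is the one you already verified with gpg --fingerprint.

```shell
#!/bin/sh
# Added example (not TeamDrive's own tooling): verify a downloaded release
# archive against its .sha256 and .asc files.

# check_sha256 ARCHIVE SUMFILE
# The .sha256 file is expected to contain "<hex digest>  <filename>" or just
# the digest; only the first field of the first line is compared.
check_sha256() {
    archive=$1
    sumfile=$2
    expected=$(awk 'NR == 1 {print tolower($1)}' "$sumfile")
    actual=$(sha256sum "$archive" | awk '{print tolower($1)}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# check_signature ARCHIVE SIGFILE EXPECTED_FPR
# Uses gpg's machine-readable status lines instead of the "Good signature"
# text. VALIDSIG is only emitted for a good signature and its last field is
# the fingerprint of the PRIMARY key (releases may be signed with a subkey).
# Comparing it with the published fingerprint is what establishes identity;
# the "not certified with a trusted signature" warning is irrelevant here.
check_signature() {
    archive=$1
    sigfile=$2
    expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    signer=$(gpg --status-fd 1 --verify "$sigfile" "$archive" 2>/dev/null \
        | awk '$2 == "VALIDSIG" {print toupper($NF)}')
    [ -n "$signer" ] && [ "$signer" = "$expected" ]
}

# verify_release ARCHIVE EXPECTED_FPR
# Expects ARCHIVE.sha256 and ARCHIVE.asc next to the archive, as downloaded.
verify_release() {
    archive=$1
    fpr=$2
    check_sha256 "$archive" "$archive.sha256" \
        || { echo "checksum mismatch: $archive" >&2; return 1; }
    check_signature "$archive" "$archive.asc" "$fpr" \
        || { echo "signature check failed: $archive" >&2; return 1; }
    echo "ok: $archive"
}

# Usage (fingerprint as printed by gpg --fingerprint, spaces are fine):
# verify_release TD-Web-Portal-CentOS9-64bit-5.0.0.0.zip \
#     "3E0F A901 D96F 2B61 15FC 7A96 CEA7 D6ED FAFD FE49"
```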
Import the Virtual Appliance¶
After you have confirmed the integrity and authenticity of the archive, unzip it.
The archive contains four files: a virtual disk image (.vmdk), two virtual machine description files (.ovf) and a manifest file (.mf) containing the file names and SHA1 checksums.
Import the virtual machine image according to the documentation of your virtualization technology and adjust the VM parameters (e.g. number of virtual CPUs, RAM) based on your requirements, if necessary.
Note
An import into VMware ESXi might fail with the error:
Unsupported hardware family 'virtualbox-2.2'.
In this case, use the .ovf file whose name starts with vmx_ (vmx_*.ovf).
Start up the virtual machine and observe the virtual machine’s console output.
First Boot and Initial Configuration¶
Log in as the teamdrive user with the standard password teamdrive on SSH port 2021 (not the default SSH port 22).
To change the default password, type in:
[teamdrive@localhost ~]# passwd
and define your own strong password (please note the password requirements described in Shell).
Do the same for the root user. Type in:
[teamdrive@localhost ~]# sudo -i
and use the standard password teamdrive for the root authorization. Then change the default password:
[root@localhost ~]# passwd
The server is configured to use DNSCrypt with a list of public DNSCrypt servers, as described in DNSCrypt. To change the network device and DNS settings, type in:
[root@localhost ~]# nmtui
Whitelist the IP address you log in from via SSH, as described in Fail2Ban, and restart the service:
service fail2ban restart
Check your network interface:
[root@localhost ~]# ifconfig
and update the device name (af-packet –> interface) and your network address group (vars –> address-groups –> HOME_NET) in the Suricata config file (see Intrusion Detection (IDS/File Integrity)):
/etc/suricata/suricata.yaml
Updating the Installed Software Packages¶
As a first step, we strongly advise performing an update of the installed software packages. New security issues or software bugs might have been discovered and fixed since the Virtual Appliance was built.
This can be done using the dnf package management tool. The Virtual Appliance needs to be connected to the network and must be able to establish outgoing HTTP connections to the remote RPM package repositories. To initiate the update process, enter the following command:
[root@localhost ~]# dnf update -y
dnf will first gather the list of installed packages and then determine whether updates are available. If any updates need to be installed, the affected RPM packages are downloaded from the remote repositories and installed.
If the dnf update installed any updated packages, consider performing a reboot before you proceed, to ensure that the updates are activated.
Note
Performing a regular update of all installed packages is an essential part of keeping your system secure. You should schedule a regular maintenance window to apply updates using dnf update (and perform a reboot, to ensure that the system still boots up correctly after these updates). Failing to keep up to date with security fixes may leave your system vulnerable to remote exploits or attacks, which can compromise your system’s security and integrity.
Changing the Default MySQL Database Passwords¶
The TeamDrive Web Portal Virtual Appliance uses the following default passwords for the MySQL database. We strongly suggest changing the passwords of the MySQL users root and teamdrive before connecting this system to a public network.
Account type | Username | Password (default) | New Password |
---|---|---|---|
MySQL Database Server | root | teamdrive | |
MySQL Database Server | teamdrive | teamdrive | |
Admin Console | HostAdmin | (defined during setup) | |
GRUB Bootloader | | (contact TeamDrive) | |
As described in GRUB bootloader password, the GRUB Bootloader is protected with a password.
To change the passwords for the MySQL root and teamdrive users, please use the following commands. First change the password for the root user:
[root@localhost ~]# mysqladmin -u root -pteamdrive password
Warning: Using a password on the command line interface can be insecure.
New password: <new password>
Confirm new password: <new password>
Next, log into the MySQL database as the root user (using the new password) and change the password for the user teamdrive:
[root@localhost ~]# mysql -u root -p
Enter password: <new password>
[...]
mysql> SET PASSWORD FOR 'teamdrive'@'localhost' = '<new password>';
Query OK, 0 rows affected (0.00 sec)
mysql> quit
Bye
Note
Take note of the new MySQL password for the teamdrive user, as you will need to change some configuration files using that password, as outlined in the following chapters (Creating TeamDrive MySQL User and Databases).
Firewall Configuration¶
The iptables-based OS firewall on the TeamDrive Host Server Virtual Appliance has been configured to only allow access to the following services:
- SSH (TCP Port 2021, not the default SSH Port 22)
- Secure WWW (HTTPS, TCP Port 443)
- WWW (HTTP, TCP Port 80)
If necessary, you can change the firewall configuration using the following utility:
[root@localhost]# firewall-cmd
Instructions on how to configure the firewall can be found here: https://www.server-world.info/en/note?os=CentOS_Stream_9&p=firewalld&f=1
If your firewall or another network component supports SSL offloading, please note the configuration changes described in Running the Server behind component with SSL offloading functionality.
Proxy Configuration¶
Please configure a proxy in the following config files. For dnf, add the following line to /etc/dnf/dnf.conf:
proxy=http://<host>:<port>
In /opt/dnsmasq/urlhaus.sh, set the proxy in this variable of the script:
PROXY_URL
The Web Portal needs access to its Registration Server and TDNS. Configure the proxy in the Webportal Admin under Settings –> Outgoing Connections: ProxyHost (format <host>:<port>) and UseProxy (true/false).
Time Server¶
If you use your own internal time server, add it to /etc/chrony.conf, disable the default time server and restart the service:
systemctl restart chronyd.service
Suricata Configuration¶
Suricata is an open source network security engine designed to detect and respond to threats in real time. It is an intrusion detection engine that uses techniques such as signature matching, anomaly detection and log analysis to identify threats.
Please update the network interface name to match your environment. You can get the name of your network interface with:
[root@hostserver ~]# ip --brief add | grep "UP"
Update the interface name in the following files by replacing “ens160” with the name of your interface, in:
/etc/sysconfig/suricata
and in:
/etc/suricata/suricata.yaml
below this line:
# Linux high speed capture support
af-packet:
- interface: ens160
Restart the Suricata service with:
[root@hostserver ~]# service suricata restart
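The interface and HOME_NET changes described above (here and under First Boot and Initial Configuration), applied from a script that validates the configuration before the service is restarted. This is an added example, not TeamDrive's own tooling; it assumes the files still contain the shipped value ens160, that GNU sed is used (as on CentOS), and that the HOME_NET range is supplied by the administrator.

```shell
#!/bin/sh
# Added example (not part of the TeamDrive documentation): set the Suricata
# capture interface and HOME_NET, test the config, then restart.

# set_suricata_interface SYSCONFIG_FILE YAML_FILE NEW_IFACE
# Replaces the shipped interface name ens160 in /etc/sysconfig/suricata and in
# the af-packet section of suricata.yaml, then confirms both files changed.
set_suricata_interface() {
    sysconfig=$1; yaml=$2; iface=$3
    sed -i "s/ens160/$iface/g" "$sysconfig" "$yaml"
    grep -qF "interface: $iface" "$yaml" && grep -qF "$iface" "$sysconfig"
}

# set_home_net YAML_FILE CIDR_LIST
# Rewrites the HOME_NET entry under vars/address-groups so that rules only
# treat your own ranges as internal. CIDR_LIST is e.g. "[192.0.2.0/24]".
# (The default entry covers all RFC 1918 space, which is too broad for most
# appliances and makes "internal to external" alerts less meaningful.)
set_home_net() {
    yaml=$1; nets=$2
    sed -i "s|^\([ ]*HOME_NET:\).*|\1 \"$nets\"|" "$yaml"
    grep -qF "HOME_NET: \"$nets\"" "$yaml"
}

# configure_suricata CIDR_LIST
# Detects the first non-loopback interface that is UP (same information as
# `ip --brief address | grep UP` in the documentation), applies both changes
# and runs Suricata's built-in config test (-T) before restarting, so a typo
# leaves the running IDS untouched instead of stopping it.
configure_suricata() {
    iface=$(ip -brief link | awk '$1 != "lo" && $2 == "UP" {print $1; exit}')
    [ -n "$iface" ] || { echo "no interface is UP" >&2; return 1; }
    set_suricata_interface /etc/sysconfig/suricata /etc/suricata/suricata.yaml "$iface" \
        || { echo "interface rewrite failed" >&2; return 1; }
    set_home_net /etc/suricata/suricata.yaml "$1" \
        || { echo "HOME_NET rewrite failed" >&2; return 1; }
    suricata -T -c /etc/suricata/suricata.yaml \
        || { echo "config test failed, not restarting" >&2; return 1; }
    systemctl restart suricata
}
# Usage: configure_suricata "[192.0.2.0/24]"
```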
Replacing the self-signed SSL certificates with proper certificates¶
In order to use SSL without any problems, you need a properly signed SSL certificate (plus its key) and the intermediate certificate (certificate chain) from a trusted certificate authority.
Edit /etc/httpd/conf.d/ssl.conf and enter the absolute location of your files into the appropriate settings:
SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_domain.key
Depending on your certificate provider and your security needs, you probably want to set:
SSLCertificateChainFile /path/to/server-chain.crt
or:
SSLCACertificateFile /path/to/gd_bundle.crt
After saving the changes, restart your httpd and watch out for errors:
[root@localhost ~]# service httpd restart
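Before restarting httpd it is worth checking that the three files you entered in ssl.conf actually belong together, so a mismatch is caught here rather than as a failed restart. This is an added example, not TeamDrive's own tooling; it assumes openssl is installed and that the chain file is the one you pointed SSLCertificateChainFile or SSLCACertificateFile at.

```shell
#!/bin/sh
# Added example (not part of the TeamDrive documentation): sanity-check the
# certificate, key and chain files from ssl.conf before restarting httpd.

# cert_matches_key CERT KEY
# Returns 0 when the public key embedded in CERT is the one derived from KEY.
# A mismatch here is the most common cause of httpd refusing to start.
cert_matches_key() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_chain_ok CERT CHAIN
# Returns 0 when CERT verifies against the certificates in CHAIN (treated as
# trusted) plus the system trust store. This confirms the chain file fits the
# certificate; it does not prove the intermediate chains to a public root.
cert_chain_ok() {
    cert=$1; chain=$2
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# cert_not_expiring CERT SECONDS
# Returns 0 when CERT is still valid SECONDS from now (default: right now).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# check_ssl_files CERT KEY CHAIN
# Runs all three checks, then Apache's own syntax test, and only restarts
# when everything passes.
check_ssl_files() {
    cert=$1; key=$2; chain=$3
    cert_matches_key "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }
    cert_chain_ok "$cert" "$chain"  || { echo "chain does not verify certificate" >&2; return 1; }
    cert_not_expiring "$cert" 2592000 || { echo "certificate expires within 30 days" >&2; return 1; }
    httpd -t || { echo "httpd configuration test failed" >&2; return 1; }
    systemctl restart httpd
}
# Usage: check_ssl_files /path/to/your_domain.crt /path/to/your_domain.key /path/to/server-chain.crt
```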
Now you can log out and proceed with the configuration via browser to register the Web Portal, as described in Associating the Web Portal with a Provider. For production use, please read the following two chapters about the necessary storage.
Mount user data Volume¶
As described in Pre-Installation Tasks, the user data will be stored in /teamdrive.
The VM image has only a small internal disk with a maximum of 10 GB storage capacity. Please mount a larger additional user data volume at /teamdrive if necessary.
The approximate storage required per user is 50 MB. The user data will be removed automatically after ContainerStorageTimeout is reached (see Web Portal Settings).
SELinux Configuration¶
Please note that the TeamDrive WebPortal currently cannot be run when SELinux is enabled. Therefore SELinux has been disabled by setting SELINUX=disabled in the file /etc/selinux/config. It is important to leave it disabled; otherwise the correct functionality of the WebPortal cannot be ensured.