Red Hat Fedora Linux 3 Bible

With a domain name, a suitable Internet connection, and one or more static IP addresses, you need to prepare your server to share it on the Internet. In addition to choosing the types of services you want to offer, you must be more thoughtful about the security of your servers.

Configuring networking

Whether you’re configuring your computer for browsing the Web or offering up a server, procedures for creating network interfaces are very similar. See Chapters 15 and 16 for information on configuring TCP/IP for your computer. Following is a quick review of what you need to do to get a live connection to the Internet that’s suitable for your server:

• Add network interfaces — Depending on what type of network connection you have, you must configure TCP/IP to work across that connection. Most likely, that connection requires that you configure an Ethernet, PPP, or ISDN interface. If you didn’t already configure the connection when you installed Red Hat Linux, you can do so at any time by using the Red Hat Network Configuration window (via the neat command).

  Note

  One major difference between configuring a server for connection to the Internet and a computer that you use primarily for Internet access is in how you set your IP address. You quite likely got the IP address for your Internet connection by using DHCP. Now you will probably enter the IP address that you got from your ISP as a static IP address.

• Add DNS server information — Although the server IP addresses that you enter for DNS servers are probably ones that your ISP configured, you may want to add your own DNS servers. If so, make sure that your server points to your master and slave DNS servers for IP address resolution. You can also have the other computers on your LAN point to your DNS servers to resolve domain names to IP addresses. (The /etc/resolv.conf file is where you identify your DNS servers.) After you add your own DNS server, all your clients should change their /etc/resolv.conf files to include the new domain name and DNS server information.

• Add host name — As soon as you have a real domain name, you can name your computer within the structure of that domain name. If you haven’t installed Fedora or Red Hat Linux, you can enter this host name during installation. For example, to add a host called duck at handsonhistory.com, you’d enter duck.handsonhistory.com as you install Red Hat. Later, you can change the name in the /etc/sysconfig/network file.

  Note

  Changing your host name after you install Red Hat Linux can sometimes cause problems. Services such as printing and the X server (for your graphical desktop) sometimes fail after you change your host name. Check to make sure that printing and other network services are still working after you change your host name. Sometimes restarting the network interface can solve the problem.

After you set up your network interfaces and related information for your server, test the Internet connection by using the ping command, as I describe in Chapter 16. Next, if DNS is already configured for your domain, try to ping your server by name to see whether those in the outside world can reach you by name. Make sure that the static IP address that appears in response matches the static IP address that you were assigned.

Configuring servers

Some services are more appropriate for public exposure than others. You probably don’t want to offer your print server, for example, to anyone on the Internet. Similarly, file sharing with Samba or NFS isn’t appropriate to share publicly across the Internet.

If you’re creating your first public server, you may want to consider setting up at least the following basic types of servers:

• Web server — This type of server, of course, provides the most common way to publish text, images, and a variety of other content to the Internet. Refer to Chapter 21 for information on configuring an Apache Web server.

• FTP server — This type of server provides the most common way of sharing directories of documents, images, application programs, and other content that users can download from your site. See Chapter 20 for information on setting up an FTP server.

• Mail server — Presumably, if you have a domain name that you like and a Linux server up and running, you may very well want to get a mail server running too. That way, you can create one or more e-mail addresses that look like chris@linuxtoys.net. See Chapter 19 for information on configuring a mail server.

Of course, you can share any type of server that you choose. Web, FTP, and mail servers, however, are designed for sharing publicly. The basic configuration for these types of servers isn’t that difficult. Securing and monitoring these — or any — public servers, however, requires special effort, as the following sections describe.

Managing security

Before you set up your Red Hat Linux system as a server, you can use it simply to make outgoing connections to the Internet. You can use your firewall (iptables) to close off the ports on your interface to the Internet (making your computer quite secure). Now, however, you need to open some of the ports on that interface to accept incoming requests. With more ports open, you must also become more consistent in monitoring those ports.

Opening your firewall

Making your server public doesn’t mean leaving your computer wide open. By using firewall rules, you can set your computer to allow outsiders to open connections to certain ports and block requests on other ports. Assuming that you set up your firewall to block incoming connections, here’s a list of services (and the associated port numbers) that you may want to consider accepting through your firewall from your external interface to the Internet:

• Web server — Port 80

• Mail server — Port 25

• FTP server — Port 21

• DNS server — Port 53 (if you’re supporting your own DNS)

• SSH server — Port 22 (allows secure login service to administer the computer remotely or remote users to add Web content or other server content to the server)

To see which ports are assigned to which services by default, refer to the /etc/services file. In most cases, a configuration file for a service indicates the default port number the service listens on. One way of making a service more private is to change the port number that a service listens on. Then the user must know to ask for the service at that particular port.

Chapter 14 describes how to change your firewall to accept requests for these services. I start with the iptables example in that chapter when I create the DNS example later in this chapter. You can use that description as a model for setting up a firewall to go with DNS. In the DNS example, you have separate computers for mail, FTP, and Web services. For a low-volume server, however, you can have them all on the same computer.

Checking logs and system files

By making your servers public, you also make them more open to attacks. Although firewalls are a good first line of defense, you still need to watch the activity on those ports that you leave open. A consistent program of monitoring traffic and checking changes to your server, therefore, becomes more critical. The following are a few techniques that you can use to help secure your servers:

• General security — Make sure that you protect all your user accounts by using good passwords and the correct file permissions settings.

• Tripwire — Use tripwire to take a snapshot of your critical system files so that you can check later whether anyone’s altered those files. (Although tripwire is no longer included with Fedora Core, you can get earlier versions of tripwire from www.tripwire.org.)

• Logcheck — Use logcheck to screen log files and e-mail suspicious messages to you.

I describe these and other security techniques in Chapter 14.

Keeping up with updates

You can expect to find and correct security breaches continuously. You must keep up with software updates that are published to plug security holes. Although some of these updates address theoretical security problems, others are created in response to real break-ins or denial- of-service attacks that are known to exploit weaknesses in the components that come with your operating system.

For Red Hat Enterprise Linux systems, using the Red Hat Network (and its up2date facility) is the best way of getting security updates on a timely basis that are tailored for Red Hat Linux. For Fedora Linux, you can use up2date or yum to download and install updates from Fedora mirror sites that carry those updates (see Chapter 5 for information on using yum). You should also check CERT and other organizations (which I describe in Chapter 14) for security alerts.

After your server is secure and correctly configured, your last step is to start the server on the Internet with a domain name that points to it. Either ask your service provider to configure DNS for you, or set up your own DNS server, as I describe in the following section.