( I don’t recommend using this information, it is here for archival purposes only! )

Installation of Gentoo on the epic Realm Server

Spent approximately 14 hours getting this all setup

  1. Started with Gentoo minimal livecd
  2. boot options: gentoo doscsi noapic
  3. it had a cd rom removed from it?
  4. rmmod eth1394
  5. modprobe eepro100
  6. net-setup eth0 - dns: 63.240.76.19
  7. passwd
  8. /etc/init.d/sshd start
  9. 4 partitions: /dev/sda1 - /boot ext2 64MB, /dev/sda2 - swap 512MB, /dev/sda2 / ext3, /dev/sdb1 /storage ext3
  10. chose gs-sources - Gentoo Stable
  11. When configuring kernel, set eepro100, scsi support, and cdrom support. what about the other devices?
  12. kept on getting an annoying error about /dev/rtc /dev/misc/rtc * mknod /dev/misc/rtc c 10 135 o mknod /dev/rtc c 10 135 o nano /etc/modules.d/i386: alias char-major-10-135 off o modules-update
  13. Even though I turned on Character Devices-> Enhanced rtc in the kernel config and re-compiled.
  14. Decided to try reiserfs
  15. Added kernel support
  16. Didn't do anything
  17. cd /usr/src/linux
  18. make mrproper
  19. make menuconfig - loaded old config from /boot/
  20. set rtc, reiserfs support
  21. make dep && make clean bzImage
  22. cp arch.... (from Gentoo instructions - copy over)
  23. fixed modules.d/i386 (changed off to rtc)
  24. reboot
  25. yeah
  26. emerge iozone
  27. emerge mysql
  28. emerge apache
  29. emerge curl
  30. curl php_build
  31. emerge sudo

Gentoo Kernel Config with epic realm server

Side notes:

  • Excellent terminology in their docs: steps, choices, default, optional, warnings, notes, important
  • tar has a p option to preserve permissions!

Edits to directions:

  • Don't emerge iozone, mysql, apache, curl or sudo
  • Remove boot option from grub.conf
  • Install all the software manually using scripts, change the php script to /usr/local, write script for apache.
  • Print out David Lechnyer's instructions for mysql, apache, and mod_ssl

MySQL

  • Followed instructions from David L.'s howto
  • /usr/bin/mysql_install_db
  • forums.devarticles.com/archive/t-4635
  • ERROR 2002: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql. - this was because mysql wasn't running! Needed to have base db installed, and then rc-update add mysql default
chown -R mysql /var/lib/mysql/*
chgrp daemon /var/lib/mysql/*

New software config:

Linux: emerge gentoolkit

Server software config:

APACHE:

ACCEPT_KEYWORDS=”~x86” emerge -p =net-www/apache-1.3.31 mod_ssl mysql

Stupidly emerge unmerge openssl and broke wget! So now I am revdep-rebuild, that didn’t work, so now trying again. My email to the list:

These emails sometimes help out the bewildered when posted to GMANE and located through Google… I tried:

ACCEPT_KEYWORDS=”~x86” emerge =net-www/apache-1.3.31 mod_ssl openssl mysql

on a ck-sources machine with a reiser4 partition, something went wrong and it seemed like something had installed, so I

ACCEPT_KEYWORDS=”~x86” emerge unmerge =net-www/apache-1.3.31 mod_ssl openssl mysql

All it did was unmerge openssl. Uh-oh. It was already installed and very useful! It broke wget, and then I couldn’t emerge anymore. I had done a stage3 and still had the tarball around so I cp’d it to /root/ and decompressed it. I found libssl* and libcrypt* in /usr/lib (had a feeling they would be in the right place) so I cp’d them to their natural locations and it fixed wget. Yeah! I then emerge openssl and everything seems cool.

While I am at it I am revdep-rebuild and emerge -u world just in case, I’m not sure exactly what these do but I figure they can’t hurt. I’m just trying to make this setup very stable.

etc-update updates conf files in /etc

emerge sync
emerge -uDpv world
emerge -uDv world
emerge -pv depclean - seriously, be careful using this! Make sure there really is a replacement for each item. Try and do each of the entries manually.
emerge -v depclean
revdep-rebuild -pv
revdep-rebuild -v
dispatch-conf
glsa-check -l all

What is fixpackages? Moves binary packages from one directory to another in portage tree. That’s all no biggie.

After updating world, make sure you check all init scripts with a restart, and then check to make sure additional logins are working. Try logging in through another terminal, before you restart or logout.

Big Question: Can I emerge sync with current firewall configuration?

Last did all these updates on Houdini on July 27, 2004. Also for lewis and houdini, but need to install more packages for them also.!Semi-Final Configuration: * 192.168.0.69 * Used ck-sources. * Reiserfs /, Reiser4 /webserver, ext2 /boot (64MB), swap 512MB * Emerge apache, samba, mod_ssl, mysql. rc-update them all, set up the confs. * Compiled and install PHP with modules.

Final Configuration: * Use Gentoo infrastructure design for your server. www.gentoo.org/proj/en/infrastructure/server-standards.xml

make.conf 1. These settings were set by the catalyst build script that automatically built this stage 2. Please consult /etc/make.conf.example for a more detailed example

CFLAGS="-O2 -mcpu=i686 -fomit-frame-pointer -march=pentium3 -pipe"
CHOST="i686-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j2"
GENTOO_MIRRORS="http://128.213.5.34/gentoo/
http://mirror.datapipe.net/gentoo http://gentoo.mirrors.pair.com/"#ftp://cudlug.cudenver.edu/pub/mirrors/distributions/gentoo/"
SYNC="rsync://160.36.178.159/gentoo-portage/"#USE="-aalib -acpi -alsa -apm -arts -audiofile -avi -berkdb -bonobo -cdr -cscope -cups crypt curl -dga -direcfb -doc -dvd -emacs -evo -emacs -encode -ethereal -fam -fastcgi#fbcon fdftk -flac flash -foomaticdb -gb gd -gdbm gif ginac -gmp -gnome -gphoto2 -gpm -gps -gstreamer -gtk -gtk2 -gtkhtml -hardened imagemagick -icc -icc-pgo -icq -imap#-imlib jpeg -informix -ipv6 -jabber -jack -java jikes innodb -joystick -junit -kde -kerberos -krb4 -ladcca lcms -ldap -leim libwww -libgda -lirc -mad -maildir -mbox -mcal#-mikmod memlimit mmx -motif mysql -lesstif -mozilla -mpeg -mpi -msn -mule ncurses -nhc98 -netcdf nls nocd -nocardbus -oci8 -odbc -offensive -oggvorbis -opengl -oscar#-oss pam -pcmcia -pda -ppds -pnp -postgres pdflib perl png prelude python -qt -quicktime#readline ruby samba -scanner sasl -sdl -slang -slp -socks5 snmp spell -speex sse ssl -sqlite svga tcltk tcpd -tetex -theora tiff -truetype -trusted unicode usb vhosts#-videos -voodoo3 -wavelan wmf -wxwindows -X -xface -xinerama -xosd xml xml2 -xmms -xv yaz#-yahoo -zeo zlib x86"
USE="-* ncurses ssl gd gif imagemagick jpeg innodb memlimit mysql nls samba tiff vhosts xml xml2 crypt berkdb tcpd pam xml perl python pic snmp mmx"
ACCEPT_KEYWORDS="x86"
FEATURES="sandbox sfperms strict buildpkg"
LDFLAGS="-pie"

Now we’ll see if I am brave enough, or stupid enough to do this:

emerge -p bind-tools cfengine iptables keychain lsof net-snmp strace stunnel tcptraceroute grsec-sources

Notes 1. for iptables, grsec-sources was required, therefore I had to get rid of reiser4 in lieu of reiserfs * compiled and installed grsec - then found: www.gentoo.org/proj/en/hardened/grsecurity.xml which describes the actual kernel modifications in detail, so it might make sense to recompile the kernel using this info.

Setting up the ACL’s

Setting all init scripts to 0700, these are the old values:

root@houdini init.d # ls -la
total 162
drwxr-xr-x 2 root root 1056 May 26 17:30 .
drwxr-xr-x 37 root root 2840 Jun 4 08:16 ..-r-------- 1 root root 2530 May 24 14:17 apache2-rwxr-xr-x 1 root root 2809 May 20 22:16 bootmisc-rwxr-xr-x 1 root root 5120 May 20 22:16 checkfs-rwxr-xr-x 1 root root 2327 May 20 22:16 checkroot-rwxr-xr-x 1 root root 1963 May 20 22:16 clock-rwxr-xr-x 1 root root 1919 May 20 22:16 consolefont-rwxr-xr-x 1 root root 1191 May 20 22:16 crypto-loop-rwxr-x--- 1 root root 622 May 20 09:34 dcron
lrwxrwxrwx 1 root root 21 May 20 22:16 depscan.sh -> ../../sbin/depscan.sh-rwxr-xr-x 1 root root 1583 May 20 22:16 domainname
lrwxrwxrwx 1 root root 23 May 20 22:16 functions.sh -> ../../sbin/functions.sh-rwxr-xr-x 1 root root 5119 May 20 22:16 halt.sh-rwxr-xr-x 1 root root 2137 Apr 13 06:25 hdparm-rwxr-xr-x 1 root root 1607 May 20 22:16 hostname-rwxr-xr-x 1 root root 2092 May 26 16:49 iptables-rwxr-xr-x 1 root root 1123 May 20 22:16 keymaps-rwxr-xr-x 1 root root 728 May 20 22:16 local-rwxr-xr-x 1 root root 1637 May 20 22:16 localmount-rwxr-xr-x 1 root root 2944 May 20 22:16 modules-rwxr-xr-x 1 root root 953 May 21 07:04 mysql-rwxr-xr-x 1 root root 8823 May 20 22:16 net.eth0-rwxr-xr-x 1 root root 513 May 20 22:16 net.lo-rwxr-xr-x 1 root root 2522 May 20 22:16 netmount-rwxr-xr-x 1 root root 857 May 20 22:16 nscd-rwxr-xr-x 1 root root 912 May 20 22:16 numlock-rwxr-xr-x 1 root root 239 May 20 22:16 reboot.sh-rwxr-xr-x 1 root root 384 May 20 22:16 rmnologin-rwxr-xr-x 1 root root 423 Apr 13 06:07 rsyncd
lrwxrwxrwx 1 root root 23 May 20 22:16 runscript.sh -> ../../sbin/runscript.sh-rwxr-xr-x 1 root root 882 May 21 08:01 samba-rwxr-xr-x 1 root root 1105 May 20 22:16 serial-rwxr-xr-x 1 root root 239 May 20 22:16 shutdown.sh-rwxr-xr-x 1 root root 718 May 26 17:27 snmpd-rwxr-xr-x 1 root root 1286 May 20 22:16 sshd-rwxr-xr-x 1 root root 541 May 26 17:30 stunnel-rwxr-xr-x 1 root root 1339 May 20 09:32 syslog-ng-rwxr-xr-x 1 root root 928 May 20 22:16 urandom-rwxr-xr-x 1 root root 491 May 21 08:01 winbind
root@houdini init.d #

Made changes as prescribed in www.gentoo.org/proj/en/infrastructure/firewall/server-firewall.xml, created init and conf file, added reporting binary, now I am missing depscan.sh! Figured that out I think - (emerge ulugd or something like that) now trying to update world and keep getting errors about C cannot create executable, so just trying to update other stuff and hope that it works.

Checking to see if the use flags are OK: * ncurses ssl gd gif imagemagick jpeg innodb memlimit mysql nls samba tiff vhosts xml xml2 crypt berkdb tcpd pam xml perl python pic snmp

It wasn’t compiling apache2 because of the berkdb use flag, here is the new make.conf: 1. These settings were set by the catalyst build script that automatically built this stage 2. Please consult /etc/make.conf.example for a more detailed example

CFLAGS=”-O2 -mcpu=i686 -fomit-frame-pointer -pipe”

CHOST=”i686-pc-linux-gnu”

CXXFLAGS=”${CFLAGS}”

MAKEOPTS=”-j2”

GENTOO_MIRRORS=”http://128.213.5.34/gentoo/

http://mirror.datapipe.net/gentoo http://gentoo.mirrors.pair.com/”#ftp://cudlug.cudenver.edu/pub/mirrors/distributions/gentoo/”

SYNC=”rsync://rsync5.us.gentoo.org/gentoo-portage/”#USE=”-aalib -acpi -alsa -apm -arts -audiofile -avi -berkdb -bonobo -cdr -cscope -cups crypt curl -dga -direcfb -doc -dvd -emacs -evo -emacs -encode -ethereal -fam -fastcgi#fbcon fdftk -flac flash -foomaticdb -gb gd -gdbm gif ginac -gmp -gnome -gphoto2 -gpm -gps -gstreamer -gtk -gtk2 -gtkhtml -hardened imagemagick -icc -icc-pgo -icq -imap#-imlib jpeg -informix -ipv6 -jabber -jack -java jikes innodb -joystick -junit -kde -kerberos -krb4 -ladcca lcms -ldap -leim libwww -libgda -lirc -mad -maildir -mbox -mcal#-mikmod memlimit mmx -motif mysql -lesstif -mozilla -mpeg -mpi -msn -mule ncurses -nhc98 -netcdf nls nocd -nocardbus -oci8 -odbc -offensive -oggvorbis -opengl -oscar#-oss pam -pcmcia -pda -ppds -pnp -postgres pdflib perl png prelude python -qt -quicktime#readline ruby samba -scanner sasl -sdl -slang -slp -socks5 snmp spell -speex sse ssl -sqlite svga tcltk tcpd -tetex -theora tiff -truetype -trusted unicode usb vhosts#-videos -voodoo3 -wavelan wmf -wxwindows -X -xface -xinerama -xosd xml xml2 -xmms -xv yaz#-yahoo -zeo zlib x86”

USE=”-* ncurses ssl gd gif imagemagick jpeg innodb memlimit mysql samba tiff vhosts xml xml2 crypt tcpd pam perl python snmp nls pic mmx zlib” 1. Had to remove berkdb for some reason

ACCEPT_KEYWORDS=”x86”

FEATURES=”sandbox sfperms strict buildpkg”

LDFLAGS=”-pie”

Since then, emerge -a ulogd for firewall script, rc-update add firewall default, emerge -a gradm for acl gr-security . Next step is to configure ACLs. I was having a hell of a time getting the ACLs to work until finally someone explained to me I was using 1.9x rules on a 2.0 system. Now I’m using the learning tool to figure out what my system does, then I will activate it, and be done with it. This information comes from:

dev.gentoo.org/~solar/xml/grsecurity2.html
gradm -F -L /etc/grsec/learning.log
gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.roles
then
gradm -F -L /etc/grsec/learning.log -O /etc/grsec/acl
gradm -E
everything was disable, but it wasn't in my start up init, thankfully. I need to try the learning mode again for longer, then manually check the acl, then try to enable it, then see if it works OK, then try to set it up to automatically load upon startup.

For a hardened system, I essentially used grsec-sources, compiled in iptables and grsecurity support, disabled sysctl, enabled iptables, enabled gradm learning mode, and was done. I think its pretty much set, although I’d like to have a clearer idea of how I have this system setup so that it can be duplicated more easily. I’ve got 2 more servers coming that will need to be setup properly. Also need to make all initscripts readonly.

SSH Config:

Port 22
Protocol 2
ServerKeyBits 2048
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PAMAuthenticationViaKbdInt no
Compression yes
KeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 4

Chmod 0400 /etc/init.d/*!SSL Config:

www.enchantedyak.net/~carik/HOWTO/apache2.html

Apache

openssl - this is used to start webserver

August 31, 2004

Emerged cvs.

BIG IMPORTANT NOTE REGARDING UPDATING THE WORLD:Libcurl updates to 3, and the php module you have compiled looks for 2. So make sure to either re-compile php_module, or keep libcurl2. If you recompile the module, remove libcurl2 from Lewis, as that is how it is band-aided together.

January 14, 2005<ul><li>Emerging awstats following instructions on blog.codefront.net/archives/2004/08/28/setting-up-awstats-on-gentoo/</li><li>AWStats now working </li></ul>

March 30, 2005<ul><li>Rebuilding and upgrading the processor. Need to form a plan on how to deal with the security. GRSec? Hardened sourced? Speed?</li></ul>