Installation of Fedora Core 4
These instructions can be used to install and configure Fedora Core 4 (as a server) on a typical PC. They may need to be tweaked slightly, depending on the exact configuration of your PC.
- Download the Fedora Core 4 distribution from the Fedora Project and burn the ISOs to a single DVD or to 4 CDs
- Install Linux
- Turn on computer and quickly insert either cd 1 of Fedora Core 4 or the Fedora Core 4 DVD
- Workaround: For a 64-bit x86_64 Fedora Core 4 installation, at the boot prompt, type "junk" and then press the 'Enter' key. Otherwise, the installer will crash due to a bug in the version of syslinux used by the installer. This is not a problem for 32-bit Fedora Core 4.
- At the boot prompt, press the 'Enter' key
- At the CD Found media test, select 'Skip' unless you're uncertain of the CD
- At Welcome to Fedora Core, click Next
- At Language Selection, choose English
- At Keyboard Configuration, choose U.S. English
- If the Upgrade Examine option comes up, choose 'Install Fedora Core', which will overwrite all contents on the hard disk
- At Installation Type, choose Custom
- Disk Partitioning
- Choose Manually partition with Disk Druid
- A warning may come up on systems with a brand new hard drive asking if Disk Druid should initialize the drive; select Yes.
- Highlight existing partitions and click 'Delete'; confirm 'Delete'
- Create the following partitions (sizes suggested for a single 250 GB disk):
- / (from dropdown menu) 20480 MB (20 GB)
- swap (under file system type) 1024 MB (or twice RAM size)
- /home (from dropdown menu) 102400 MB (100 GB)
- /scratch Click 'Fill to maximum allowable size' (about 120 GB)
- Accept defaults if satisfied with mount points, filesystem types, and formatting; otherwise, select each partition and click Edit
Note: Only 4 primary partitions are allowed on each hard drive. One of these may be an extended partition, which can contain up to 12 logical partitions. Some very old BIOS limitations require that the Linux /boot directory be contained in its own partition which does not extend beyond cylinder 1024.
- At Boot Loader Configuration, accept the default (use GRUB boot loader)
- Network Configuration
- Select an interface from the list
- Click 'Edit'
- Uncheck 'Configure using DHCP'
- Set the following options (ask your network administrator for the correct values):
- IP address: {ip_address}
- Netmask: {subnet_mask}
- Back on the main network configuration page set the following options:
- Hostname: {hostname.domain}
- Gateway: {gateway_address}
- Primary DNS: {dns1_server_address}
- Firewall Configuration
- Be sure that Enable Firewall is selected
- Check Remote Login (SSH) and Web Server (HTTP, HTTPS); if desired, also allow File Transfer (FTP) and Mail Server (SMTP)
- IMPORTANT: Set Enable SELinux to Disabled
- Time Zone Selection
- America/Detroit (or your timezone)
- Check "System clock uses UTC" to enable proper handling of daylight savings
- Set Root Password
- Package Group Selection
- Desktop
- X Window System
- Gnome
- KDE
- Applications
- Editors (Details: Emacs, joe, and vim-enhanced only)
- Engineering & scientific
- Graphical internet (Details: remove gaim and xchat)
- Text-based internet (Details: elinks, fetchmail, lynx, and mutt only)
- Office productivity (Details: add xpdf)
- Sound & video (Details: add xcdroast)
- Authoring and Publishing
- Graphics
- Servers
- Server configuration tools
- Web server (Details: add mod_auth_mysql, php-mysql, and php-odbc)
- Mail Server (Details: add postfix)
- Windows file server
- FTP server
- MySQL Database (Details: add mod_auth_mysql and php-mysql)
- Development
- Development tools
- Compatibility Arch Development Support
- Legacy Software Support
- System
- Administration tools
- System tools (Details: add ethereal-gnome, nmap-frontend, rdesktop, tsclient)
- Printing support
- Compatibility Arch Support (this option will only be available when installing on a 64-bit computer using the x86_64 distribution of Fedora Core)
- About to Install. This is the last chance to safely cancel the installation process. Click Next, and wait while partitions are formatted and packages are installed. If installing from CDs, insert disks 2, 3, and 4 when prompted and click OK. A log will be written to /root/install.log and a kickstart file will be written to /root/anaconda-ks.cfg
- Installing Packages. Wait patiently during formatting and installation
- Congratulations, the installation is complete. Remove CD/DVD, close the CD tray, and click 'Reboot'
- First Boot
- At Welcome screen, click Next
- At License Agreement, select 'Yes, I agree...' and click Next
- At Date and Time, on Network Time Protocol tab, enable Network Time Protocol, enter server name, and click Next
- At Display, accept defaults and click Next
- At System User, set up a user account and click Next
- At Sound card, click Next
- At Additional CDs, click Next
- At Finish setup, click Next
- Verify aspects of the system configuration
Note: Ctrl+Alt+F1 and Alt+F7 can be used to switch between text and graphic logins
- Verify the date and time
$ date
Adjust the date and time if necessary
# date MMDDhhmm[[CC]YY][.ss]
Write the new date and time to the system's CMOS clock
# hwclock --systohc --utc
- Verify that all of the machine's RAM and swap space has been detected
$ free
If Linux reports less RAM than is actually installed in your system, follow the instructions for specifying the amount of available RAM at boot time. If swap space has not been detected, make sure that the swap label in /etc/fstab is reasonable, and use the mkswap -L command to fix the label if necessary
- Verify that domainname can be determined
$ hostname -d
If the domainname is not reported, then edit /etc/hosts so that the fully qualified domain name appears before the hostname
# cd /etc
# cp -p hosts hosts.000
# vi hosts
127.0.0.1 {hostname.domain} {hostname} localhost.localdomain localhost
- Workaround: On 64-bit systems, ensure that /var/log/lastlog is a reasonable size, i.e., not a sparse 1.2 terabyte file!
# cd /var/log
# ls -alFh lastlog
-rw-r--r-- 1 root root 1.2T Sep 25 09:44 lastlog
# rm lastlog
# touch lastlog
# ls -alFh lastlog
-rw-r--r-- 1 root root 0 Sep 25 09:48 lastlog
- Install update packages from RedHat
It is critical that any security related updates be applied to your system. Root access security holes are regularly uncovered, and machines connected to the internet are regularly probed for these weaknesses. It is a certainty that unpatched machines will soon be hacked.
- Point to a mirror or local yum repository by editing the files within /etc/yum.repos.d. A list of mirrors is available at http://fedora.redhat.com/Download/mirrors.html
# cd /etc/yum.repos.d
# cp -p fedora.repo fedora.repo.000
# cp -p fedora-updates.repo fedora-updates.repo.000
# cp -p fedora-extras.repo fedora-extras.repo.000
# vi fedora.repo
comment out "mirrors" line
uncomment baseurl line and replace "download.fedora.redhat.com" with a mirror or local site
# vi fedora-updates.repo
comment out "mirrors" line; uncomment and edit baseurl line
# vi fedora-extras.repo
comment out "mirrors" line; uncomment and edit baseurl line
- Update packages
# yum update rpm*
# yum update yum*
# yum update kernel*
Workaround: one must reboot at this point, or subsequent yum updates will not complete properly
# init 6
# yum update
should report "No Packages marked for Update/Obsoletion"
# yum clean all
- Customize Linux
- Forward root's email
It is critical that a human actually read root's email, so that logwatch output, system problems, or security breaches are quickly noted
# vi /root/.forward
{joe@university.edu}
- Activate locate database updates
# cd /etc
# cp -p updatedb.conf updatedb.conf.000
# vi updatedb.conf
Change to
DAILY_UPDATE=yes
- Optionally, boot to a text console rather than a graphics console
# cd /etc
# cp -p inittab inittab.000
# vi inittab
Change to
id:3:initdefault:
- Optionally, install additional system level software
- Pine mail reader and pico editor
# mkdir /home/download
# cd /home/download
for 32-bit Fedora Core
# wget http://ftp.belnet.be/packages/dries.ulyssis.org/fedora/fc4/i386/RPMS.dries/pine-4.64-1.2.fc4.rf.i386.rpm
or for 64-bit Fedora Core
# wget http://ftp.belnet.be/packages/dries.ulyssis.org/fedora/fc4/x86_64/RPMS.dries/pine-4.64-1.2.fc4.rf.x86_64.rpm
# rpm -ihv pine*
# pine
E (press E to leave the greeting screen)
Q (press Q to quit)
Y (press Y to confirm)
- Turn on desired services
- Understand background concepts about access to services
Access to system services over the network is controlled at multiple levels:
- A firewall controls what packets are accepted by the system and which are dropped or rejected. The default firewall rules are defined in /etc/sysconfig/iptables, which is created during the Firewall Configuration step of the installation process. The syntax of this file is explained in the iptables man page and on the many websites devoted to explaining iptables.
- The software for the service must be installed on the system, which can be checked with the command "rpm -qa | grep {servicename}". Many services have both client and server rpm's, and it is the server package that must be present.
- The service must be started by the system. Some services (apache, ssh, samba, sendmail) are always in memory running as daemons. These may be specified to start at boot time with "/sbin/chkconfig {servicename} on|off" or controlled manually with "/sbin/service {servicename} start|stop". Other services (telnet, ftp, rsh, rexec) are controlled by the xinetd daemon. Install xinetd with "yum install xinetd". Turn on desired services by editing the appropriate file in /etc/xinetd.d and setting "disable=no". Then restart the xinetd daemon with "/sbin/service xinetd restart".
- Access to individual services can be restricted to specific IP address. This is done most fundamentally in the firewall configuration file, which can be configured to only allow access to certain services (ports) by certain IP address ranges. This can also be done for the xinetd services with the /etc/hosts.allow and /etc/hosts.deny files. (Note that /etc/hosts.allow is processed first, and then /etc/hosts.deny. Thus, it is generally best to allow access to specific services by certain address in hosts.allow and then deny all other access in hosts.deny.) Also, some of the services (ssh, sendmail) running as permanent daemons respect /etc/hosts.allow and /etc/hosts.deny. Finally, some services (apache, samba) allow access to be restricted to certain IP addresses through their own configurations files (httpd.conf, smb.conf).
When troubleshooting access to services, you need to consider all of the above factors. If access is denied at any level, then the service will appear to fail.
- Ssh, sftp, and scp
Ssh, sftp, and scp are secure shell and file transfer programs, replacing telnet and ftp. Ssh is installed by default on Fedora Core 4 systems. However, ssh client software is not part of the typical desktop PC installation (e.g. Microsoft Windows) and must be installed separately as third party software.
If ssh service fails, make sure that the iptables firewall contains a line for service 22 (ssh) like
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
that the ssh server software is installed
rpm -qa | grep openssh-server
that the ssh daemon is running
/sbin/service sshd status
and that either /etc/hosts.deny contains no entries or /etc/hosts.allow permits access by the client
ALL:{network_address}/{subnet_mask}
or
sshd:ALL
- Apache Web Server
A few directories need to be set up in the skeleton profile directory (/etc/skel/) to make new user's web directory work correctly
# cd /etc/skel/
# mkdir public_html
# chmod 755 public_html
# cd public_html
# mkdir cgi-bin
# chmod 755 cgi-bin
Edit the apache configuration file
# cd /etc/httpd/conf
# cp -p httpd.conf httpd.conf.000
# vi httpd.conf
In the <IfModule mod_userdir.c> section
Comment the line
UserDir disable
Uncomment the line
UserDir public_html
Uncomment the line
AddHandler cgi-script .cgi
Add the lines (to bottom of file)
<Directory /home/*/public_html/cgi-bin>
#Enable cgi scripts in user directories
Options ExecCGI
</Directory>
It is recommended that directory browsing be disabled. Search for and delete any instances of "Indexes" within "Options" statements, which can be located with
# grep -n ^[[:space:]]*Options httpd.conf | grep Indexes
For example, change
Options Indexes FollowSymLinks
to
Options FollowSymLinks
Make sure that the /etc/sysconfig/iptables firewall configuration file contains a line for service 80 (http) like
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
Restart the firewall if the iptables file was edited
# /sbin/service iptables restart
Since web service is not started by default, start the apache server
# /sbin/chkconfig httpd on
# /sbin/service httpd start
Note that suexec is turned on by default. Thus all user cgi scripts run as the user in whose directory they are installed, instead of as the 'apache' user. Suexec imposes many security restrictions upon cgi scripts. Not only must the scripts be non-writable by others, the directory containing the cgi script must also be non-writable by others, e.g., mode 755. By default, directories and files are created with mode 775 in Fedora Core. Therefore, one must manually do a 'chmod 755' on any directory containing cgi scripts as well as on the files themselves.
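The suexec rule just stated (no group- or other-writable directory or script anywhere on the path) is easy to audit with find. The script below is an added example, not code from the WebMO page: it reports the offending entries under a directory, fixes them to the 755/644 modes the page calls for, and builds a constructed sample home tree to run against. The function names and the "directory holding the users' home trees" argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the WebMO page: report, and optionally repair, the
# group- or other-writable directories and files that make suexec refuse to
# run a user's CGI script. The argument is assumed to be the directory that
# holds the users' home trees (on this page that is /home); everything below
# it is inspected, so pass a narrower path such as /home/alice/public_html if
# that is all you want touched.

# Print every directory and file under $1 that group or others may write.
suexec_writable_report() {
  find "$1" \( -type d -o -type f \) \( -perm -g+w -o -perm -o+w \) -print | sort
}

# Number of such entries; 0 means suexec's writability checks will pass.
suexec_writable_count() {
  suexec_writable_report "$1" | wc -l | tr -d ' '
}

# Repair: directories and executables to 755 (the modes the page calls for),
# remaining writable files to 644. Entries that are already tight are untouched.
suexec_fix_permissions() {
  find "$1" -type d \( -perm -g+w -o -perm -o+w \) -exec chmod 755 {} +
  find "$1" -type f \( -perm -g+w -o -perm -o+w \) -perm -u+x -exec chmod 755 {} +
  find "$1" -type f \( -perm -g+w -o -perm -o+w \) -exec chmod 644 {} +
}

# Constructed sample: alice's tree has the 775/664 modes Fedora's default umask
# produces; bob's tree has already been fixed by hand.
make_sample_home() {
  for u in alice bob; do
    mkdir -p "$1/$u/public_html/cgi-bin"
    printf '#!/bin/sh\necho "Content-type: text/plain"\necho\necho hello\n' > "$1/$u/public_html/cgi-bin/hello.cgi"
    printf 'not a script\n' > "$1/$u/public_html/cgi-bin/notes.txt"
  done
  chmod 775 "$1/alice" "$1/alice/public_html" "$1/alice/public_html/cgi-bin" "$1/alice/public_html/cgi-bin/hello.cgi"
  chmod 664 "$1/alice/public_html/cgi-bin/notes.txt"
  chmod 755 "$1/bob" "$1/bob/public_html" "$1/bob/public_html/cgi-bin" "$1/bob/public_html/cgi-bin/hello.cgi"
  chmod 644 "$1/bob/public_html/cgi-bin/notes.txt"
}

# Demo run on the constructed tree; only a temporary directory is touched.
HOME_DEMO=$(mktemp -d); make_sample_home "$HOME_DEMO"
echo "before: $(suexec_writable_count "$HOME_DEMO") entries too open"
suexec_writable_report "$HOME_DEMO"
suexec_fix_permissions "$HOME_DEMO"
echo "after:  $(suexec_writable_count "$HOME_DEMO") entries too open"
rm -rf "$HOME_DEMO"
```

On a real server, run suexec_writable_report /home first and read the list before repairing anything, since a 775 directory may be deliberate for reasons unrelated to CGI; suexec also logs its exact refusal reason in /var/log/httpd/suexec.log, which is the place to look when a script returns "Premature end of script headers".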
- Samba
Samba permits access to files on the Linux system via Windows networking. By default, Samba uses "security=user", which requires that a user have a Linux account with the same name as their Windows login name, and "encrypt passwords = yes", which requires that users (or the Linux administrator) maintain a separate samba password list on the Linux machine holding the user's Windows password, which is in general different from their Linux password. The following instructions configure Samba to use "security=share", which allows users to access any home directories for which they know the password (similar to Windows 98 directory sharing). However, passwords for these shares are maintained separately from the Linux login passwords.
Edit the samba configuration file
# cd /etc/samba
# cp -p smb.conf smb.conf.000
# vi smb.conf
In the [global] section
Set
workgroup = {workgroup}
server string = %h
load printers = no
security = share
Add
oplocks = no
level2 oplocks = no
preserve case = yes
short preserve case = yes
Add in the [homes] section
Set
browseable = yes
Add
create mode = 0664
directory mode = 0775
Let samba packets across the firewall
# vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -s {network address}/{network mask} -m tcp -p tcp --dport 137:139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s {network address}/{network mask} -m udp -p udp --dport 137:139 -j ACCEPT
Restart the firewall
# /sbin/service iptables restart
Start the samba server
# /sbin/chkconfig smb on
# /sbin/service smb start
Add the samba share password
# smbpasswd -a {user}
Users may now change their password with
$ smbpasswd
Browse the samba shares from the Windows "Network Neighborhood". Shares which do not appear may be accessed from Start: Run...: \\{serverhostname}\{sharename}.
- Sendmail (not recommended)
By default, Fedora Core configures sendmail to only accept mail from the localhost, which should be fine in almost all cases. Since you probably already have an email account on a centralized server, you do not need to accept email from the outside world on your Linux machine. Do not allow outsiders to access sendmail unless you thoroughly understand how relaying works (which permits massive spamming), are prepared to administer an email system, and are willing to accept responsibility for any spam forwarded by your system!
If you do need to set up a centralized email server on your system, do the following:
If necessary, install the sendmail configuration file package:
# yum install sendmail-cf
Edit the sendmail configuration file
# cd /etc/mail
# cp -p sendmail.cf sendmail.cf.000
# cp -p sendmail.mc sendmail.mc.000
# vi sendmail.mc
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
# m4 sendmail.mc > sendmail.cf
Allow external access to sendmail
# cd /etc
# vi hosts.allow
sendmail:ALL
# cd /etc/sysconfig
# vi iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# /sbin/service iptables restart
Restart sendmail
# /sbin/service sendmail restart
- Pop3 and imap (not recommended)
These mail access agents are probably only needed if sendmail has been set to allow access from other computers, i.e., the system is intended to be a mail server from which you will regularly read mail. In general, you will not do this, but would instead simply forward any mail from your Linux account to an existing email account.
$ cd ~
$ vi .forward
{joe@university.edu}
If you do wish to set up pop3 or other mail retrieval services, you must install an imap package from the Fedora Extras distribution:
yum install cyrus-imapd
or
yum install uw-imap
If necessary, allow external access to the service through xinetd
# cd /etc/xinetd.d
# vi ipop3
disable=no
# /sbin/service xinetd restart
and /etc/hosts.allow
# cd /etc
# vi hosts.allow
ipop3d:ALL
and iptables
# cd /etc/sysconfig
# vi iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 110 -j ACCEPT
# /sbin/service iptables restart
Note that the above procedure has NOT been tested!
- Additional comments about access control files
- /etc/sysconfig/iptables
The iptables configuration file defines which IP packets are accepted, rejected, or denied by the Linux machine. It is often preferable to limit accepted packets to the local network, rather than accept them from anywhere. For example, to accept WWW packets from anywhere, but limit telnet packets to being from the local network, one would use
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s {network_address}/{subnet_mask} -m tcp -p tcp --dport 23 -j ACCEPT
where {network_address} may be calculated from
$ ipcalc --network {ip_address} {subnet_mask}
{subnet_mask} may also be specified as an integer equal to the number of leading 1 bits in the mask, e.g., 255.255.255.0=24 or 255.255.240.0=20
After editing /etc/sysconfig/iptables, restart the iptables service for the changes to take effect
# /sbin/service iptables restart
- /etc/xinetd.d
Filenames in this directory correspond to services that are controlled by the internet services daemon (formerly known as tcp_wrappers). Edit these files to disable (disable = yes) or enable (disable = no) these services. Restart the xinetd daemon for changes to take effect.
# /sbin/service xinetd restart
Access to the services is further controlled by the /etc/hosts.allow and /etc/hosts.deny files as described below.
- /etc/hosts.allow and /etc/hosts.deny
These files control what IP addresses are allowed to access various services on the Linux machine. It is best to allow access for various services to some IP numbers, and then to deny all other access. An example of an /etc/hosts.allow entry that permits access to all services from a limited IP address range is
ALL: {network_address}/{subnet_mask}
An example of an /etc/hosts.allow entry that permits access to ssh from anywhere is
sshd: ALL
Other services controlled by these access files include
in.telnetd
in.ftpd
sendmail
ipop3d
If access is permitted to specific services as above, then it is recommended that the /etc/hosts.deny file consist of
ALL: ALL
The effect of these entries is immediate, and the xinetd daemon does not need to be restarted after making changes.
Note that if one properly configures the iptables firewall, then these access control files are redundant and no changes are needed from the default configuration (empty, which permits access to all services by anyone).
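The layered access checks described under "Understand background concepts about access to services" and in the three sub-sections above (iptables rules, the netmask/prefix arithmetic behind {network_address}, and the allow-then-deny order of hosts.allow and hosts.deny) are worked through in the script below. It is an added example, not code from the WebMO page: it parses a saved iptables file and hosts.allow/hosts.deny files the way the page describes them, computes network addresses and prefix lengths, and reports where a given client would be stopped. Its assumptions are simplifications: only the RH-Firewall-1-INPUT style of ACCEPT rule shown on the page is recognised; client patterns are limited to ALL, an exact IP, net/mask, net/prefix and a trailing-dot prefix (no EXCEPT, no hostnames); and the "package installed" and "daemon running" layers are left to rpm -qa and service status, which need the live system. All function names and the sample files are this example's own.

```shell
#!/bin/sh
# Added example, not from the WebMO page: walk the access-control layers the
# page describes for one service (saved iptables rules, then the tcp_wrappers
# decision from hosts.allow/hosts.deny) and do the netmask/prefix arithmetic
# used when writing those rules. Assumptions: only the RH-Firewall-1-INPUT
# style of rule shown on the page is recognised; hosts.allow/hosts.deny client
# patterns are limited to ALL, an exact IP, "net/mask", "net/prefix" and a
# trailing-dot prefix such as "192.168." (no EXCEPT, no hostnames); the
# "software installed" and "daemon running" layers are left to rpm -qa and
# service status, which need the live system.

ip_to_int() {                        # 192.168.4.7 -> 3232236551
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {                        # 3232236551 -> 192.168.4.7
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
mask_to_prefix() {                   # 255.255.240.0 -> 20 (count the leading one bits)
  m=$(ip_to_int "$1"); n=0
  while [ "$n" -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do n=$((n + 1)); done
  echo "$n"
}
prefix_to_mask() {                   # 20 -> 255.255.240.0 (needs 64-bit shell arithmetic)
  int_to_ip $(( 4294967296 - (1 << (32 - $1)) ))
}
network_address() {                  # ip mask-or-prefix -> network address (what ipcalc --network prints)
  case "$2" in *.*) nm=$2 ;; *) nm=$(prefix_to_mask "$2") ;; esac
  int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$nm") ))
}

iptables_accepts_port() {            # port rules-file -> 0 if new TCP connections to port are accepted
  grep -E -e "^-A .* -p tcp .*--dport $1 .*-j ACCEPT" "$2" >/dev/null 2>&1
}

client_matches() {                   # pattern client-ip -> 0 if the tcp_wrappers client pattern matches
  case "$1" in
    ALL) return 0 ;;
    */*) [ "$(network_address "$2" "${1#*/}")" = "$(network_address "${1%/*}" "${1#*/}")" ] ;;
    *.)  case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}
list_matches() {                     # list item daemon|client -> 0 if any entry of the list matches item
  old=$IFS; IFS=$(printf ', \t')
  for pat in $1; do
    IFS=$old
    if [ "$3" = daemon ]; then [ "$pat" = ALL ] || [ "$pat" = "$2" ]
    else client_matches "$pat" "$2"; fi && return 0
  done
  IFS=$old; return 1
}
file_matches() {                     # daemon client-ip file -> 0 if some "daemons : clients" line matches
  [ -f "$3" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    case "$line" in *:*) ;; *) continue ;; esac
    rest=${line#*:}
    list_matches "${line%%:*}" "$1" daemon && list_matches "${rest%%:*}" "$2" client && return 0
  done < "$3"
  return 1
}
hosts_access() {                     # daemon client-ip allow-file deny-file -> prints allow or deny
  if file_matches "$1" "$2" "$3"; then echo allow       # hosts.allow is consulted first
  elif file_matches "$1" "$2" "$4"; then echo deny      # then hosts.deny
  else echo allow; fi                                   # no match anywhere: access is granted
}

check_service_access() {             # port daemon client-ip rules-file allow-file deny-file -> 0 if reachable
  ok=0
  if iptables_accepts_port "$1" "$4"; then echo "firewall: tcp port $1 accepted"
  else echo "firewall: no ACCEPT rule for tcp port $1 in $4"; ok=1; fi
  verdict=$(hosts_access "$2" "$3" "$5" "$6")
  echo "tcp_wrappers: $2 from $3 -> $verdict"
  [ "$verdict" = allow ] || ok=1
  return $ok
}

make_sample_files() {                # dir -> constructed sample files shaped like the page's examples
  printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
                '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT' > "$1/iptables"
  printf '%s\n' '# constructed: local network gets everything, ssh from anywhere' \
                'ALL: 192.168.0.0/255.255.0.0' 'sshd: ALL' > "$1/hosts.allow"
  printf '%s\n' 'ALL: ALL' > "$1/hosts.deny"
}

# Demo run on the constructed files; only a temporary directory is touched.
DEMO=$(mktemp -d); make_sample_files "$DEMO"
check_service_access 22 sshd 10.1.2.3 "$DEMO/iptables" "$DEMO/hosts.allow" "$DEMO/hosts.deny" || true
check_service_access 110 ipop3d 10.1.2.3 "$DEMO/iptables" "$DEMO/hosts.allow" "$DEMO/hosts.deny" || true
echo "255.255.240.0 = /$(mask_to_prefix 255.255.240.0); 192.168.17.5/20 lies in $(network_address 192.168.17.5 20)"
rm -rf "$DEMO"
```

To use it on a real machine, point check_service_access at /etc/sysconfig/iptables, /etc/hosts.allow and /etc/hosts.deny; a "deny" verdict for a client that should get in usually means the allow entry is narrower than intended, which network_address will show by printing a different network for the client than for the entry's net/mask.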
- Install and setup computational chemistry software
- Setup scratch directory
# cd /scratch
# rm -r lost+found
# chmod 777 /scratch
# chmod +t /scratch
- Install computational chemistry engines
- Pre-compiled binaries save the time and trouble of downloading and compiling program source code. Instructions and pre-compiled binaries are available for the Linux operating system
- Compiling the source code allows software to be installed on a wider array of hardware and operating systems
- Install WebMO
WebMO installation instructions
Copyright © 2006, WebMO, LLC, all rights reserved.