SELinux: Extra security protection

15 Jan, 2010

SELinux stands for Security-Enhanced Linux and is a comprehensive feature of Linux that allows system administrators to control security access policies with highly advanced modules in the Linux kernel. It can be applied to any Linux distribution and comes installed by default on some. It was originally based upon projects initiated by the U.S. National Security Agency and is considered to be a high-level security feature.

Redhat Enterprise Linux and CentOS are both designed to run SELinux out of the box with little effort. Some desktop Linux users disable it and see it as overkill, but for a server, particularly one that runs web servers, mail servers, database servers, and other servers accessible via the Internet, having that extra security can go a long way in preventing attacks.

To read a full tutorial on setting up SELinux in CentOS/Redhat, visit nixCraft.


How to force YUM to exclude certain packages

7 Jan, 2010

Question: Is there a way to tell YUM to ignore certain packages when performing updates on a CentOS Linux server?

Answer: There certainly is, and in some cases it can save your server from an unfortunate mishap. When running a dedicated server, particularly one with multiple websites, you run the risk of alienating a particular site or site application by updating key services without first testing them.

For example, the Linux kernel, PHP, and even Apache release new versions on a regular basis, but sometimes a new version might break currently installed scripts or applications. By excluding those or other packages from updates, you can ensure that you have time to notify users and clients and prepare updates of any scripts.

To use the exclude function, edit your yum.conf file:

Under the [main] section, add the following line:

exclude=php* kernel*

This would exclude any package whose name begins with “php” or “kernel”. You can list any packages there. If you only want to exclude a package from a specific update instance, you can exclude it directly from the command line:

# yum --exclude=packagename* update
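
Packages matched by an exclude pattern also stop receiving security updates, so it is worth checking what a server's configuration holds back. The script below is an added example, not part of the original post; its function names and sample configuration are constructed for illustration, and it reads only single-line exclude= entries in [main].

```shell
#!/bin/sh
# Added example: report which packages a yum.conf [main] exclude= line holds back.

# Print each exclude pattern found in the [main] section of file $1, one per line.
yum_main_excludes() {
    awk '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\][ \t]*$/); next }
        in_main && /^[ \t]*exclude[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, parts, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }
    ' "$1"
}

# Print every package name in $2... that matches an exclude pattern in file $1.
held_back() {
    conf=$1; shift
    set -f                      # keep patterns such as php* from expanding to file names
    for pkg in "$@"; do
        for pat in $(yum_main_excludes "$conf"); do
            case $pkg in
                $pat) echo "$pkg"; break ;;
            esac
        done
    done
    set +f
}

# Constructed sample configuration and package list (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[main]
cachedir=/var/cache/yum
exclude=php* kernel*

[extras]
exclude=httpd*
EOF
held_back "$sample" php-cli kernel-devel httpd openssl   # prints php-cli and kernel-devel
rm -f "$sample"
```

On a real server, pass /etc/yum.conf and the names of the packages you care about; anything the script prints will be skipped by a plain yum update until the exclude line is changed.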


How to install and configure ProFTPD in RHEL/CentOS/Fedora Linux

23 Dec, 2009

ProFTPD is one of the most widely used and trusted Linux-based FTP servers. When installed on a dedicated server, ProFTPD can act as a virtual FTP server host to multiple user accounts. It also allows anonymous FTP, if needed, chroot jail support, SSL/TLS encryption, and much more.

nixCraft has an excellent tutorial for installation and configuration of ProFTPD in CentOS, Redhat Enterprise Linux, and Fedora.

To install ProFTPD, type the following as root:

# yum install proftpd

To make ProFTPD start whenever the system boots, enter:

# chkconfig --level 3 proftpd on

To start it immediately, type:

# service proftpd start

Read the rest of the nixCraft article.


The sysconfig directory in Redhat-based Linux

18 Dec, 2009

Redhat Enterprise Linux, Fedora, and CentOS have a convenient directory called “sysconfig”. It is located under the main /etc directory and contains many of the frequently-used configuration files necessary to operate a server. Often the configuration files are for command line options or very specific settings rather than the complete settings for a particular application.

For example, the httpd file under sysconfig is the configuration for the httpd server rather than Apache as a whole. In it you can set startup options and command flags. Other configuration files include crond (for configuring the crontab frequency), syslog (which configures the system log rotation), and spamassassin (setup for the spam filtering service).

One of the most important folders in sysconfig is “networking”. This is where a user sets up network devices, and devices that are set up automatically appear here as well. You would only need to configure this file if you were running a locally housed server. If your server is remote, this will never need to be changed, and attempting to change it could cause you to lose the ability to access the server at all. I recommend browsing through the complete list of files in /etc/sysconfig and at least becoming aware of them, in case you need one of them in the future.


Fixing YUM Dependency Problems: Part 1

15 Dec, 2009

Question: YUM is telling me I have broken dependencies. I can’t install anything. Help!

Answer: Fiddling with your server can lead you to problems, very serious ones if it lands you in what is affectionately called RPM Hell. This usually happens when you download an RPM outside of your standard distribution repository and install it over top of your current Linux distribution. For example, you might be running CentOS and install a Fedora package that has a different set of dependencies.

Hopefully, if you are reading this, you were just curious and have not taken that plunge. If so, heed the warning and think twice before you grab any RPM you can find and start plugging it in to your server hosting all of your hard-earned websites. If you have already sent YUM into fits, all hope is not lost. First, try uninstalling whatever started the problem. In some cases, all you need to do is clean YUM:

yum clean all

You can also ignore dependencies until you can install whatever packages you need to remedy the situation.

From the command line, enter:

yum --skip-broken update

Continued in Part 2…


How to reinstall packages with YUM

7 Dec, 2009

Question: One of my applications in CentOS Linux is not working right. How do I reinstall it?

Answer: Early versions of YUM did not have a “reinstall” function, but the newest versions do. To reinstall a package, simply type as root:

yum reinstall package-name

If you are running a server with an older version of Fedora or other Redhat-based Linux distribution, your version of YUM may not support reinstallation. In such a case, you will have to manually reinstall it. As root, enter a command such as this to remove the package's entry from the RPM database while leaving its files in place:

rpm -e --justdb --nodeps packagename

YUM will then believe the package is not installed, even though it still is. Install as you normally would with:

yum install package-name


Using APT for installation and updates

30 Nov, 2009

The default update manager for Redhat-based Linux distributions is YUM, which is wonderful and all, but some people, especially those used to Debian-based distributions (such as Ubuntu), prefer to use APT for their updates. This is only for advanced users and should not be attempted on a server that already has working websites. Should something go wrong, you could break your distribution.

To install APT, follow these simple steps:

Download the corresponding Redhat Enterprise Linux package from this repository. Install it with:

rpm -Uhv package-name-release.rpm

Now to install APT, use YUM:

yum install apt

Now, you should be able to use APT to install and update Redhat, Fedora or CentOS packages. Tomorrow, you will learn how to use APT and some common tricks.


Making YUM Faster

30 Nov, 2009

Question: When I run updates with YUM (an update tool for Redhat, CentOS, or Fedora Linux), it seems like it takes forever. How can I make it faster?

Answer: Although there are many things to consider when troubleshooting speed issues, one specific YUM concern might be the speed of the mirror sites used for downloading packages. If download time seems to be the main concern (as opposed to actual installation time), installing yum-fastestmirror should help.

This simple plugin will automatically seek out the fastest YUM mirror servers and then store the metadata in /var/cache/yum/timedhosts.txt. The plugin works by timing all the servers that come up in the mirror list and then selecting the one that is fastest for your location. Locations closer to you on less congested servers usually connect and send data faster. With yum-fastestmirror, this can all be configured automatically.

To install the plugin, enter as root:

yum install yum-fastestmirror


Setting the Correct Date for Your Linux Server

17 Nov, 2009

Question: My dedicated server is showing a different timezone than my home computer. How can I set it to be on my timezone?

Answer: Generally speaking it does not matter if your remote server is on a different timezone. It will still function, but when scheduling maintenance, upgrades, and backups, it is crucial to make sure the time you schedule and announce is the actual time of the server. With the Linux “date” command, you can display and set the time of your server.

To display the current day, date, time, timezone, and year, simply type “date” from the command line. To set a new time, type “date -s” or “date --set” followed by the date, time, or both. For example, to set the time to 11:15:00, enter:

date +%T -s "11:15:00"

Changing the actual timezone is a little more involved. Read more about that here. In Redhat Enterprise Linux, Fedora, or CentOS, however, simply type:

redhat-config-date


The "setup" command in Redhat, Fedora, and CentOS

26 Oct, 2009

In Linux, most server configuration files are located in /etc. Most of them are text files, and although it is fairly easy to edit them, Redhat-based distributions have a handy graphical ncurses program that allows the dedicated server system administrator to handle certain tasks.

The program is simply called setup and is available by default in Redhat Enterprise Linux, Fedora, and CentOS. It includes the following options:

Authentication – Password management and configuration
Firewall – Setup iptables and determine which ports to allow through the firewall
Keyboard – This one is not relevant on a remote server
System service – Decide which services are started when the system boots
Timezone – Set the correct timezone for the server (very important for websites with dynamic content)
X configuration – For the graphical X system, not normally relevant on a remote server.
