Build a Linux Server for Fip

Contents

1. [Requirements](#fipreq)
1. [Install](#fipinstall)
1. [Tuning](#fiptune)
1. Apache
    + [Ubuntu](#fipapacheubuntu)
    + [CentOS/RedHat](#fipapachecentos)
1. [selinux (CentOS)](#selinux)
1. [FIP startup](#fipstart)

Linux


1. Make sure all the Linux packages/modules are installed correctly
  • Ubuntu

This is valid for all 16.xx, 18.xx and 20.xx versions

You MUST update and upgrade before installing anything else

As root or sudo :

apt -y update                
apt -y upgrade               

Then install these as root or sudo : (apt will check first if already installed)

apt -y install tcsh           
apt -y install zip            
apt -y install unzip          
apt -y install perl           
apt -y install net-tools      
apt -y install openssh-server 
apt -y install openssl        
apt -y install imagemagick    
apt -y install ghostscript    
apt -y install ntpdate        
apt -y install apache2        
apt -y install tcpdump        
apt -y install traceroute     
apt -y install systemd        
apt -y install icinga2        
apt -y install file           
  • Centos/RedHat 8

Centos 8 uses dnf NOT yum

  • ImageMagick is not shipped in the CentOS 8 base repositories; this guide installs GraphicsMagick (a separate fork, not a rename) in its place
  • ntpdate is replaced by chrony
  • sshpass will (probably) need to be downloaded, built and installed manually (it is also packaged in EPEL if you enable that repository)

We suggest you use Centos 8 if you are NOT going to subscribe to RedHat maintenance as much of the doc and extras are behind the paywall

You MUST upgrade before installing anything else

As root or sudo :

dnf -y upgrade

Then run these as root or sudo : (dnf will check first if already installed)

dnf -y install tcsh
dnf -y install zip
dnf -y install unzip
dnf -y install perl
dnf -y install openssl
dnf -y install httpd
dnf -y install mod_ssl
dnf -y install file
dnf -y install chrony
dnf -y install systemd
dnf -y install psmisc
dnf -y install network-scripts
dnf -y install curl
dnf -y install traceroute
dnf -y install tcpdump
dnf -y install ftp
dnf -y install GraphicsMagick
dnf -y install ghostscript

Download, build and install sshpass. Fetch it over HTTPS so the tarball cannot be altered in transit (the page's old link used plain http), and keep in mind that sshpass exists to feed a plaintext password to ssh: keep that password out of shell history, process listings (prefer -e or -f over -p) and world-readable files.

cd /fip/zsav/
dnf --assumeyes install curl gcc gcc-c++ libgcc make
curl -L -o sshpass.tar.gz 'https://sourceforge.net/projects/sshpass/files/latest/download'
tar -xvf  sshpass.tar.gz
cd  ./sshpass*
./configure
make
make install
/usr/local/bin/sshpass -V
  • Centos/RedHat 6+7

You MUST upgrade before installing anything else

As root or sudo :

yum -y upgrade

Then run these as root or sudo : (yum will check first if already installed)

yum -y install tcsh
yum -y install zip
yum -y install unzip
yum -y install perl
yum -y install openssl
yum -y install httpd
yum -y install mod_ssl
yum -y install file
yum -y install ntpdate
yum -y install sshpass
yum -y install systemd
yum -y install psmisc
yum -y install network-scripts
yum -y install curl
yum -y install traceroute
yum -y install tcpdump
yum -y install ftp
yum -y install ImageMagick
yum -y install ghostscript

2. Security and Environment

All of this section is done as root or with sudo

  • set a root password

If the instance is a virtual machine, use the AWS/GCP/DigitalOcean/whatever CONSOLE until you have set a root password and allowed inbound SSH access; otherwise you can lock yourself out before the box is reachable.

  • locale

if needed

List all

locale -a

List current

localectl status

make sure UTF8 version of your country/language locale exists and is current (normally en_US.utf8 or en_GB.utf8 or en_CA.utf8)

to set, for example:

localectl set-locale LANG=en_US.utf8

to check:

localectl status

On Ubuntu, install/manage all locales via the UI or, if using the command line:

apt-get install language-pack-eu
dpkg-reconfigure locales
  • Firewall (iptables/nftables, ufw, firewall-cmd, cloud security groups etc)

FIP requires the following incoming ports open; everything else inbound should stay closed

TCP 22 for ssh
TCP 20/21 and the passive-mode high port range for ftp (FTP is cleartext: restrict it to the hosts that need it)
TCP 80  for http/apache
TCP 443 for https/apache
UDP 9001-9009 for fipnet (note UDP)
TCP 9140-9149 for fipbalance
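The port list above as a firewall script, added here as an example and not part of the FIP documentation: it opens the listed ports with firewalld (CentOS/RHEL) or ufw (Ubuntu) and leaves everything else inbound at the default deny. The passive-FTP data range (50000-50100) is an assumption that must match your ftpd's pasv_min_port/pasv_max_port; the function, file and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the FIP documentation: open exactly the inbound
# ports listed above with firewalld (CentOS/RHEL) or ufw (Ubuntu), nothing else.
# FTP_PASV_RANGE is an ASSUMPTION and must match your ftpd configuration;
# the other ports are the ones the text lists.

FIP_PORTS="22/tcp 20/tcp 21/tcp 80/tcp 443/tcp 9001-9009/udp 9140-9149/tcp"
FTP_PASV_RANGE="${FTP_PASV_RANGE:-50000-50100/tcp}"   # assumption, see above

# Pick the firewall front-end present on this host.
fip_fw_detect() {
    if command -v firewall-cmd >/dev/null 2>&1; then echo firewalld
    elif command -v ufw >/dev/null 2>&1; then echo ufw
    else echo none; fi
}

# Print, one per line, the command that opens each port for the given
# backend. firewalld writes ranges as 9001-9009, ufw as 9001:9009.
fip_fw_rules() {
    backend="$1"
    for p in $FIP_PORTS $FTP_PASV_RANGE; do
        case "$backend" in
            firewalld) echo "firewall-cmd --permanent --add-port=$p" ;;
            ufw)       echo "ufw allow $(echo "$p" | sed 's/-/:/')" ;;
            *)         echo "unsupported firewall backend: $backend" >&2; return 1 ;;
        esac
    done
}

# Run the rules, then activate them. For ufw the allow rules are added BEFORE
# 'ufw enable', so switching on the default-deny policy cannot cut off port 22.
fip_fw_apply() {
    backend="$1"
    fip_fw_rules "$backend" >/dev/null || return 1
    while read -r cmd; do
        echo "+ $cmd"
        $cmd || return 1
    done <<EOF
$(fip_fw_rules "$backend")
EOF
    case "$backend" in
        firewalld) firewall-cmd --reload ;;
        ufw)       ufw --force enable ;;
    esac
}

# Usage: sh fip-firewall.sh --apply   (as root)
# Without --apply it only prints the commands it would run.
if [ "${1:-}" = "--apply" ]; then
    fip_fw_apply "$(fip_fw_detect)"
else
    backend="$(fip_fw_detect)"
    [ "$backend" = none ] && backend=firewalld
    fip_fw_rules "$backend"
fi
```

Run it once without --apply on the target host and read the output before applying; if the host is behind a cloud security group, the same port list has to be opened there as well, since the host firewall cannot open what the provider blocks.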
  • /etc/hosts

check/add the IP addresses and hostnames of all FIP servers

  • /etc/resolv.conf

check/add nameserver addresses

  • nsswitch.conf

check it exists and that hosts is set correctly for your environment

hosts   files dns
  • crontab -e

If you do NOT wish to upgrade automatically every night, leave the apt/yum/dnf lines commented out (unattended upgrades keep patches current, but they can restart services at 07:05 with nobody watching; decide which risk you prefer)

# UBUNTU and CENTOS 6/7 ................
# time 
2 0 * * * /usr/sbin/ntpdate 0.centos.pool.ntp.org
# UBUNTU  ..............................
#5 7 * * * /usr/bin/apt -y update && /usr/bin/apt -y upgrade
# CENTOS 6/7 ...........................
# upgrade
#5 7 * * * /usr/bin/yum -y update
# CENTOS 8 .............................
# upgrade
#5 7 * * * /usr/bin/dnf -y update
  • perl

Fip requires perl to be /perl/bin/perl

mkdir -p /perl/bin
command -v perl
ln -s "$(command -v perl)" /perl/bin/perl
ls -l /perl/bin

/perl/bin/perl -v
  • add fip user

Use the path that `which tcsh` prints as the -s argument (/usr/bin/tcsh on Ubuntu; on CentOS it is /bin/tcsh, which also resolves via /usr/bin):

which tcsh
mkdir /fip
useradd -d /home/fip -m -s /usr/bin/tcsh fip

or, if the fip user already exists, just change its shell:

usermod -s /usr/bin/tcsh fip

then set its password:

passwd fip
  • lock down ssh

Make a copy of /etc/ssh/sshd_config, then edit it accordingly. fip is the only login that is necessary; add other users/logins to AllowUsers if required. sshd takes the FIRST value it reads for each keyword, so comment out every other line with the same keyword, wherever it sits in the file (and in /etc/ssh/sshd_config.d/*.conf if the file has an Include line, since those files are read at that point).

Be very careful editing this file as you can lock yourself out completely very easily ... and then you have to trash the instance and start again! Keep your current SSH session open, check the file with `sshd -t` before restarting, and confirm that a fresh login as fip works before you close that session.

PermitRootLogin no
AllowUsers fip fipdata
X11Forwarding no
PermitTunnel no

restart

systemctl status sshd.service
systemctl restart sshd.service
systemctl status sshd.service
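The lock-down above as a script that cannot strand you, added here as an example and not FIP's own tooling: it backs up sshd_config, comments out every existing occurrence of the four keywords it sets (wherever they are, since sshd honours the first one it reads), appends the wanted values, validates the result with sshd -t and only then restarts the service. The user list fip fipdata comes from the text; the FIP_SSH_USERS and SSHD_CFG variables and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the FIP documentation: apply the sshd_config
# lock-down safely. sshd uses the FIRST value it reads for a keyword, so a
# stray 'PermitRootLogin yes' anywhere in the file would win over one appended
# at the end; every existing occurrence is therefore commented out first.

FIP_SSH_USERS="${FIP_SSH_USERS:-fip fipdata}"   # assumption: the users the text lists
SSHD_CFG="${SSHD_CFG:-/etc/ssh/sshd_config}"

# Rewrite $1 in place: neutralise every active PermitRootLogin / AllowUsers /
# X11Forwarding / PermitTunnel line (case-insensitive, 'Key value' or
# 'Key=value' form) and append the hardened block at the end.
harden_sshd_config() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    awk -v keys="permitrootlogin allowusers x11forwarding permittunnel" '
        BEGIN { n = split(keys, k, " ") }
        {
            line = $0; sub(/^[ \t]+/, "", line); lc = tolower(line)
            for (i = 1; i <= n; i++)
                if (index(lc, k[i] " ") == 1 || index(lc, k[i] "\t") == 1 || index(lc, k[i] "=") == 1) {
                    print "#" $0; next
                }
            print
        }' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat >> "$tmp" <<EOF

# --- FIP lock-down (added by harden_sshd_config) ---
PermitRootLogin no
AllowUsers $FIP_SSH_USERS
X11Forwarding no
PermitTunnel no
EOF
    mv "$tmp" "$cfg"
}

# Back up, harden, validate, restart. Keep your current session open and test
# a fresh 'ssh fip@host' before closing it.
sshd_apply() {
    bak="$SSHD_CFG.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$SSHD_CFG" "$bak" || return 1
    harden_sshd_config "$SSHD_CFG" || return 1
    # -t parses the config and exits non-zero on any error without starting sshd
    if ! /usr/sbin/sshd -t -f "$SSHD_CFG"; then
        echo "sshd_config failed validation; restoring $bak" >&2
        cp -p "$bak" "$SSHD_CFG"
        return 1
    fi
    systemctl restart sshd.service && systemctl --no-pager status sshd.service
}

# Usage: sh fip-sshd.sh --apply   (as root)
if [ "${1:-}" = "--apply" ]; then
    sshd_apply
fi
```

Because the validation step restores the backup on failure, a typo in the appended block leaves the running sshd untouched; the one thing the script cannot catch is a wrong user name in AllowUsers, which is why the fresh-login test before closing the session still matters.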
  • fstab - check for noAtime

Fip requires the access time (atime) to be tracked on all files/folders it polls. If it is not, Fip will run the system at 100%!

Check /etc/fstab (and the options of the live mounts, which can be set outside fstab by cloud-init, systemd mount units or a manual remount) and if the option 'noatime' is on ANY disk you want Fip to poll,

- copy /etc/fstab
- edit /etc/fstab
- remove the 'noatime' option from that disk
- reboot to check
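The fstab check and edit above as a script, added here as an example and not part of the FIP documentation: it lists fstab entries that carry noatime as a whole option, reports whether the live mount currently has it in effect, and rewrites one entry from a backup copy. The /fip mount point in the usage comments and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the FIP documentation: find every fstab entry
# that carries 'noatime', check what the live mounts actually use, and rewrite
# one entry without the option. /etc/fstab is only touched with --apply and
# only after a backup copy has been taken.

# Print "<mountpoint> <options>" for each non-comment fstab line whose option
# field (4th) contains noatime as a whole option (so 'nodiratime' is ignored).
fstab_noatime_mounts() {
    awk '!/^[ \t]*(#|$)/ && $4 ~ /(^|,)noatime(,|$)/ { print $2, $4 }' "$1"
}

# Copy fstab $1 to $3 with noatime removed from the entry for mount point $2.
# Other lines are copied unchanged; the edited line is re-joined with single
# spaces. If noatime was the only option the field becomes 'defaults'.
fstab_strip_noatime() {
    awk -v mp="$2" '
        !/^[ \t]*(#|$)/ && $2 == mp {
            n = split($4, o, ","); opts = ""
            for (i = 1; i <= n; i++)
                if (o[i] != "noatime") opts = opts (opts == "" ? "" : ",") o[i]
            $4 = (opts == "" ? "defaults" : opts)
        }
        { print }' "$1" > "$3"
}

# True if the filesystem mounted at $1 currently has noatime in effect,
# whatever fstab says (cloud-init, systemd mount units or a manual
# 'mount -o remount,noatime' can all set it without touching fstab).
mount_has_noatime() {
    findmnt -no OPTIONS "$1" 2>/dev/null | tr ',' '\n' | grep -qx noatime
}

# Usage:  sh fip-atime.sh --check            list offending fstab entries
#         sh fip-atime.sh --apply /fip       strip noatime for /fip (as root)
case "${1:-}" in
    --check)
        fstab_noatime_mounts /etc/fstab
        for mp in $(fstab_noatime_mounts /etc/fstab | cut -d' ' -f1); do
            mount_has_noatime "$mp" && echo "$mp is mounted noatime right now"
        done ;;
    --apply)
        mp="$2"
        bak="/etc/fstab.bak.$(date +%Y%m%d%H%M%S)"
        cp -p /etc/fstab "$bak" || exit 1
        fstab_strip_noatime "$bak" "$mp" /etc/fstab.new && mv /etc/fstab.new /etc/fstab \
            && echo "rewrote /etc/fstab (backup: $bak); reboot, then re-run --check" ;;
esac
```

The --check run after the reboot is the real test: it is the live mount options, not the fstab text, that decide whether atime is being tracked.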

  • selinux off

turn it off only if the client will accept it: disabling SELinux removes the confinement of Apache and its CGI programs, so prefer keeping it on with the labels from the next section

check status

which sestatus
/sbin/sestatus

change status

vi /etc/selinux/config
SELINUX=disabled
##SELINUX=enforcing

...and ++++ REBOOT ++++

  • selinux on

if selinux must remain on, label the FIP trees so that Apache can read (and, where needed, write) them and run the CGI programs. Use semanage fcontext for this: its rules are persistent and survive restorecon and a full relabel, whereas chcon only changes the labels as they are now and is undone by the next restorecon. semanage comes from policycoreutils-python-utils (CentOS 8) or policycoreutils-python (CentOS 7). Files get SELinux user system_u and role object_r by default, so only the type (-t) needs setting. Add the rules from the general path to the specific ones, so that /fip/bin etc. get their own type:

semanage fcontext -a -t httpd_sys_rw_content_t "/fip(/.*)?"
semanage fcontext -a -t httpd_sys_script_exec_t "/fip/bin(/.*)?"
semanage fcontext -a -t httpd_sys_script_exec_t "/fip/local(/.*)?"
semanage fcontext -a -t httpd_sys_script_exec_t "/fip/web/fip-cgi(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "/fip/help(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "/fip/info(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "/fip/sfftables(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "/fip/tables(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "/fip/zsav(/.*)?"
restorecon -R -v /fip
semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/html/nono(/.*)?"
restorecon -R -v /var/www/html/nono
semanage fcontext -a -t httpd_sys_script_exec_t "/perl/bin(/.*)?"
restorecon -R -v /perl/bin

/fip gets httpd_sys_rw_content_t to match the chcon labels below; if Apache only ever reads the tree, httpd_sys_content_t is the tighter choice. Only /fip/web/fip-cgi is made executable, not all of /fip/web. After restorecon, `matchpathcon` on a path shows the type policy now assigns to it, and `restorecon -R -n -v /fip` lists anything on disk that still differs (no output means the labels are consistent).

is cgi enabled for http access?

getsebool -a | grep http

should yield

httpd_enable_cgi --> on

if not, run

setsebool -P  httpd_enable_cgi 1

The semanage rules plus restorecon already put the labels below in place. chcon sets the same types directly, which is useful as a quick test on a tree that has not been relabelled yet, but remember that it does not persist:

chcon -R -t httpd_sys_rw_content_t /fip
chcon -R -t httpd_sys_script_exec_t /fip/bin
chcon -R -t httpd_sys_script_exec_t /fip/local
chcon -R -t httpd_sys_script_exec_t /fip/web/fip-cgi
chcon -R -t httpd_sys_content_t /fip/help
chcon -R -t httpd_sys_content_t /fip/info
chcon -R -t httpd_sys_content_t /fip/sfftables
chcon -R -t httpd_sys_content_t /fip/tables
chcon -R -t httpd_sys_content_t /fip/zsav
chcon -R -t httpd_sys_script_exec_t /perl/bin
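The labelling above as one idempotent script, added here as an example and not part of the FIP documentation: it registers the path/type pairs as persistent semanage rules in general-before-specific order, turns on CGI for httpd, relabels from policy, and then verifies that what is on disk agrees with policy. The paths and types are the ones listed in this section; the variable and function names and the --apply/--verify flags are this example's own.

```shell
#!/bin/sh
# Added example, not part of the FIP documentation: make the labels from the
# section above persistent, apply them, and verify. chcon alone is lost on the
# next restorecon or relabel; semanage fcontext rules are not. The ordering
# (general before specific) is what lets the /fip/bin rule apply under /fip.
# Needs policycoreutils-python-utils (CentOS 8) / policycoreutils-python (7).

FIP_FCONTEXTS='
/fip(/.*)?                httpd_sys_rw_content_t
/fip/bin(/.*)?            httpd_sys_script_exec_t
/fip/local(/.*)?          httpd_sys_script_exec_t
/fip/web/fip-cgi(/.*)?    httpd_sys_script_exec_t
/fip/help(/.*)?           httpd_sys_content_t
/fip/info(/.*)?           httpd_sys_content_t
/fip/sfftables(/.*)?      httpd_sys_content_t
/fip/tables(/.*)?         httpd_sys_content_t
/fip/zsav(/.*)?           httpd_sys_content_t
/perl/bin(/.*)?           httpd_sys_script_exec_t
/var/www/html/nono(/.*)?  httpd_sys_script_exec_t
'
FIP_LABEL_ROOTS="/fip /perl/bin /var/www/html/nono"

# "spec type" per line, blanks dropped, in the order they must be added.
fip_fcontext_list() {
    printf '%s\n' "$FIP_FCONTEXTS" | awk 'NF == 2 { print $1, $2 }'
}

# The type the table assigns to an exact path spec (empty if none).
fip_fcontext_type() {
    fip_fcontext_list | awk -v s="$1" '$1 == s { print $2 }'
}

# Register every rule idempotently ('-a' fails if the spec already exists,
# '-m' then updates it), switch on CGI for httpd, relabel the trees from policy.
fip_selinux_apply() {
    command -v semanage >/dev/null 2>&1 \
        || { echo "semanage missing: install policycoreutils-python-utils" >&2; return 1; }
    fip_fcontext_list | while read -r spec type; do
        semanage fcontext -a -t "$type" "$spec" 2>/dev/null \
            || semanage fcontext -m -t "$type" "$spec" || exit 1
    done || return 1
    setsebool -P httpd_enable_cgi 1 || return 1
    for d in $FIP_LABEL_ROOTS; do
        if [ -d "$d" ]; then restorecon -R -v "$d"; fi
    done
}

# Verify: 'restorecon -n' lists files whose on-disk label differs from policy
# (no output = consistent), getsebool confirms CGI, matchpathcon shows the
# type policy assigns, which is what chcon would only have set temporarily.
fip_selinux_verify() {
    rc=0
    for d in $FIP_LABEL_ROOTS; do
        [ -d "$d" ] || continue
        if [ -n "$(restorecon -R -n -v "$d")" ]; then
            echo "label drift under $d (run restorecon -R $d)" >&2; rc=1
        fi
    done
    [ "$(getsebool httpd_enable_cgi)" = "httpd_enable_cgi --> on" ] \
        || { echo "httpd_enable_cgi is off" >&2; rc=1; }
    matchpathcon /fip /fip/bin /fip/help /perl/bin/perl
    return $rc
}

# Usage: sh fip-selinux.sh --apply | --verify   (as root)
case "${1:-}" in
    --apply)  fip_selinux_apply && fip_selinux_verify ;;
    --verify) fip_selinux_verify ;;
esac
```

Run --verify again after any relabel or after restoring /fip from a backup; drift reported there means Apache will start getting denials that a chcon would only have hidden until the next restorecon.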