Thursday, August 16, 2012

Centos Minimal Install with Railo 4

I have been using Centos Minimal as a basis for a project for a while
now. I like it because it is small and light and very basic. It has
a small attack surface, as the only thing it does by default is allow
SSH connections. If you are a total Centos Minimal newbie, it will
throw you for a loop. The problem is that the network is not
configured by default and the tools to configure it are not installed
by default. It is like buying a car with the keys locked inside of
it.

Well, not really. You can edit the network configuration
(/etc/sysconfig/network-scripts/ifcfg-eth0). A further note to Centos
newbies: nano is not installed by default either, so you need to use
vi. As much for my own reference as for anyone who might bother
reading this, here are the settings I normally put in the ifcfg file:

DEVICE=eth0
IPADDR=10.10.10.80
NETMASK=255.255.255.0
GATEWAY=10.10.10.1
DNS1=8.8.8.8
ONBOOT="yes"

This is for a static IP configuration. If you need DHCP then the
config file is more like this:

DEVICE=eth0
BOOTPROTO="dhcp"
HWADDR=00:0C:41:22:33:44
ONBOOT="yes"

Once you have edited the file, save it and restart networking. I
usually use the service command like this: "service network restart"

Now networking should hopefully be up. If you are in a VM like
Virtualbox, be sure to set the network interface mode properly -- in
my case I set it to bridged so that I can use real IPs from my
network. You can test by running "yum update" to get the system up to
date. At this point I install the services and tools I need. At a
minimum I get wget, apache httpd, and php with "yum install wget httpd
php".

For my project I need Railo (http://www.getrailo.org). Installing
Railo has gotten so much easier with the version 4 beta. To grab
Railo I use: "wget
http://www.getrailo.org/down.cfm?item=/railo/remote/download/4.0.0.013/tomcat/linux/railo-4.0.0.013-BETA2-linux-installer.run"
or you can trust me and use "wget http://bit.ly/P0vi2g". Make the
installer executable with "chmod +x
railo-4.0.0.013-BETA2-linux-installer.run" and then run it with
"./railo-4.0.0.013-BETA2-linux-installer.run".

The wizard will ask you questions about your apache installation,
usernames, and passwords for your configuration. The defaults are
more or less sufficient, but it is a good idea to run services with
their own service account and not root.

If you were to test the installation at this point, you would be
disappointed to find that it will not work. The reason is that the
firewall installed by default blocks everything except SSH. You will
need to add some rules for the firewall to allow connections. Here is
my basic set of commands to open the firewall for httpd and Railo:

iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 8888 -j ACCEPT
service iptables save
service iptables restart

The 8888 is the Tomcat management port set during the wizard. If you
made a change to that port then be sure to open the proper port in the
firewall. Some online documentation says to use the iptables -A
command to append to the "INPUT" chain. The problem with that is that
it will place your rules below the "deny all" rule. As we all want
the rules we add to work, I insert them (iptables -I) as the second
rule. This is rather harmless as it will push each subsequent rule
down.

Before you mess with the iptables rules it might be wise to look them
over with "iptables -L -v" to be sure there are no important rules at
the top. When I set up firewall rules, if I am specifically blocking
something, I put that rule first, and the last rule should be the
"deny all" rule. Say I am blocking a specific troublesome IP address;
then I would add the blocking rule as the first entry. This might be
"iptables -I INPUT 1 -s 211.144.68.163 -j DROP" or, if I wanted to
block a troublesome network, "iptables -I INPUT 1 -s 202.0.0.0/8 -j
DROP".
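
The rule-ordering point above (a rule appended with -A lands below
the "deny all" rule, one inserted with -I lands above it) can be
checked mechanically. This is an added example, not part of the
original post: check_port and sample_rules are hypothetical names,
and the ruleset is a constructed sample in "iptables -S INPUT" format.

```shell
#!/bin/sh
# Constructed sample ruleset in "iptables -S INPUT" format (not from a real host):
# port 8888 was inserted with -I INPUT 2, port 80 was appended with -A.
sample_rules() {
  cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
EOF
}

# check_port PORT: read INPUT rules on stdin and print one of
#   open      ACCEPT rule for PORT sits above the catch-all REJECT/DROP
#   shadowed  ACCEPT rule exists but below the catch-all, so it never matches
#   missing   no ACCEPT rule for PORT at all
# Simplification: only single "--dport N" matches are understood.
check_port() {
  awk -v port="$1" '
    $1 != "-A" || $2 != "INPUT" { next }   # skip policy lines and other chains
    { n++ }                                # rule position, as iptables counts it
    # Catch-all: the target follows the chain name directly, no match options.
    $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { if (!deny) deny = n; next }
    /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") { if (!hit) hit = n }
    END {
      if (!hit) print "missing"
      else if (deny && hit > deny) print "shadowed"
      else print "open"
    }'
}

# Report the ports discussed in the post, plus one that has no rule.
for p in 22 80 8888 443; do
  printf '%s: %s\n' "$p" "$(sample_rules | check_port "$p")"
done
```

On a live system the same function can read the real chain, for
example "iptables -S INPUT | check_port 80" run as root.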

Good luck!
