SGI Techpubs Library

SGI Internet Server for Messaging Installation and Quick Start
(document number: 007-4294-003 / published: 2001-01-04)

Chapter 1. Configuring the SGI Internet Server for Messaging


Note: Read through this document before completing the steps in the SGI 1200-Family of Servers Quick Start Guide.

This chapter covers the following:

What Do I Need to Do?

The following is an overview of the tasks required to use your SGI Internet Server for Messaging.


Note: Steps 8 and 10 below, Bastille Linux and Linuxconf HTTP access, are optional but recommended.


  1. Unpack the hardware. Check for damage and completeness.

  2. Read through this SGI Internet Server for Messaging Installation and Quick Start and the SGI 1200-Family of Servers Quick Start Guide to understand the hardware requirements.

    The SGI 1200-Family of Servers Quick Start Guide is not preinstalled, but is available in hardcopy and on the SGI 1200-Family of Servers Hardware Documents CD.

  3. Understand the vendor recommendations:


    Note: The port naming conventions applied by Linux for single-port FastEthernet PCI adapters (PCI 00010) are not what most users would expect. See SGI 1200-Family of Servers Errata.

    Dual-port FastEthernet PCI adapters (PCI 00011) have normal port naming conventions.


  4. Install the hardware according to the directions in the SGI 1200-Family of Servers Quick Start Guide:

  5. Fill out the following worksheets:

  6. Power on the server and log in as root using the SGI factory password sgisgi.


    Note: You will be asked to change the password.


  7. The system will boot to multiuser mode and Linuxconf will be automatically invoked. You will supply the information from Appendix B, “Network Connectivity Worksheet”. For more information, see Chapter 3, “Configuring the Network”.


    Note: You must enter all of the information for this step or the Bastille Linux step will fail.


  8. Use the Bastille Linux hardening script to lock down the server. See Chapter 4, “Server Lockdown Using Bastille Linux”. This step is optional but recommended.

  9. Reboot the server.

  10. Enable Linuxconf HTTP access. See Chapter 5, “Enabling HTTP Access for Linuxconf Administration”. This step is optional. It is recommended for ease of use, but only if you restrict access to a private network port.

  11. Connect serial consoles if not already done in step 4. See “Serial Console Access” in Chapter 2.

  12. Log on using the serial console and the new root password.

  13. Ensure that your server is accessible on the preproduction network (but not yet in production).

  14. Point your browser to the SGI Internet Server for Messaging Web administration graphical user interface (GUI) using the following URL, where hostname is the name of the server:

    http://hostname/sgi-iserver/

    Use user iseadmin and password iseadmin. For more information, see Chapter 6, “SGI Internet Server for Messaging Web Administration GUI”.

  15. Use the GUI to configure additional features, such as using Tripwire intrusion detection software. For information about these tasks, see the SGI Internet Server Administrator's Guide. The GUI can also be used to manage the mail server and user accounts. See the SGI Internet Server for Messaging Guide for information about these tasks.

  16. Change the mail server site admin account and password. (See the following URL for information on configuring the mail server: http://hostname:81/msadm/)


    Note: The default ID and password can be found in “Accessing the Messaging Administration GUI” in Chapter 6.


  17. Connect the server into your production environment.

Vendor Recommendations

This section contains information about hardware that is specific to ISEM:

Security Policies

You must know the corporate security policy for systems and applications. If you do not have a policy, you should consider establishing one. See “Network Port Use Security Policy”.

You should establish a security policy that specifies how domain name service (DNS) names for secondary network interfaces are derived from the basic hostname. In particular, private network interfaces should be readily identified as such by a standard prefix or suffix.

The basic hostname should be associated with the public interface on which incoming requests are received. If you have multiple public interfaces, your network architecture may call for giving the default gateway interface a derived name.

Network Port Use Security Policy

To simplify the integration of new systems into your network architecture, you should do the following before plugging in any network cables:

  • Establish a security policy that defines how port names should be mapped to untrusted (public) and trusted (private) networks.

    Apply the policy consistently when cabling up all of your servers -- regardless of vendor -- to your network equipment (this equipment is not included in the SGI Internet Server for Messaging). Doing so greatly reduces the risk of accidental misconfiguration, including the opening up of security holes in your production environment.

  • If you have only one interface, it will be named eth0. If your architecture calls for a private network, you should reserve the name eth1 for that private network, irrespective of its physical location. Ports eth0, eth2, and so on, may be used for public networks.

    For a front-end server, the outbound traffic will typically be to an untrusted network like the Internet; therefore, you should use port eth0 as your default gateway interface.

  • If you must use eth1 for a public interface, you should mark the exception clearly in the following places:

    • Affected name tag

    • /etc/motd file on that system

    • Diagrams of your production network operations center network architecture

    Alternatively, you can choose to purchase network adapters such that eth1 need not be used at all. If the port physically exists but there are security reasons why it should not be used on that system, the port should be covered up with tape (not included).
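The port-use and DNS naming policies above can be checked mechanically on each server before it is cabled into production. The following is an added example, not part of the SGI guide or its software: it audits the text output of the iproute2 commands `ip -o -4 addr show` and `ip route show default` against the eth0/eth1 rules. It assumes that the private network uses RFC 1918 addresses and that private DNS names carry a hypothetical `-priv` suffix; the sample data is constructed.

```python
import ipaddress
import re

# Assumption: the private (trusted) network uses RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATE_PORT = "eth1"      # port the policy reserves for the private network
GATEWAY_PORT = "eth0"      # default gateway port expected on a front-end server
PRIVATE_SUFFIX = "-priv"   # hypothetical site suffix marking private DNS names

def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def audit_ports(addr_output, route_output, dns_names, motd=""):
    """Check `ip -o -4 addr show` and `ip route show default` output against
    the port policy; dns_names maps address to DNS name, motd is /etc/motd."""
    findings = []
    for m in re.finditer(r"^\d+:\s+(\S+)\s+inet\s+([\d.]+)/\d+", addr_output, re.M):
        port, addr = m.groups()
        if port == "lo":
            continue
        private = is_private(addr)
        host = dns_names.get(addr, "").split(".")[0]
        # A public eth1 is allowed only as an exception recorded in /etc/motd.
        if port == PRIVATE_PORT and not private and PRIVATE_PORT not in motd:
            findings.append(f"{port}: public address {addr}, exception not in /etc/motd")
        if port != PRIVATE_PORT and private:
            findings.append(f"{port}: private address {addr} belongs on {PRIVATE_PORT}")
        if private and not host.endswith(PRIVATE_SUFFIX):
            findings.append(f"{port}: private name '{host}' lacks '{PRIVATE_SUFFIX}'")
    gw = re.search(r"^default\b.*\bdev\s+(\S+)", route_output, re.M)
    if gw and gw.group(1) != GATEWAY_PORT:
        findings.append(f"default gateway uses {gw.group(1)}, expected {GATEWAY_PORT}")
    return findings

# Constructed sample data (documentation address ranges, not from the guide).
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
3: eth1    inet 10.1.2.10/24 brd 10.1.2.255 scope global eth1
"""
SAMPLE_ROUTE = "default via 10.1.2.1 dev eth1\n"
SAMPLE_DNS = {"203.0.113.10": "mail1.example.com", "10.1.2.10": "mail1.example.com"}

if __name__ == "__main__":
    for finding in audit_ports(SAMPLE_ADDR, SAMPLE_ROUTE, SAMPLE_DNS):
        print(finding)
```

On the sample data the audit reports two findings: the private interface shares the public hostname, and the default route leaves through eth1 instead of eth0.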


Note: An SGI Internet Server for Messaging that has a connection to a public network, or communicates with systems or applications that run on a public network, should implement an IP filtering tool to increase security. Therefore, you should run the Bastille Linux script when prompted.

You may also wish to lock down other systems at your site using Bastille Linux. You can copy the Bastille Linux software from the ISM package or download the latest copy from the Bastille Web site. However, your license does not permit you to copy the entire ISM software package to a system that is not an SGI Internet Server for Messaging.


Support

For SGI Linux support services, see http://support.sgi.com/linux.

General Product Feedback

For general feedback (not support) about the SGI Internet Server for Messaging, see:

http://www.sgi.com/cgi-bin/feedback/

For marketing information, see:

http://www.sgi.com/solutions/broadband/sgi_internet.html
