Monday, March 28, 2011

Fun with linux - Ubuntu Server 10.04 LTS

Ubuntu Server 10.04 LTS (Lucid Lynx)
Got this baby to run on a small file server... These are notes I needed to make it work the way I want.
[work in progress]

Setup and installation

- Ubuntu Server Edition x64 (version 10.04.1)
- check System Requirements
- consult, if neccessary, the Ubuntu Installation Guide (i386 | amd64)

Upon installation:
- configure installation for no automatic updates [note on apticron], or enable automatic update
- install OpenSSH server for Putty access [there is also possible to add it manually]

etckeeper - a tool keep track of /etc changes (via VCS)
# aptitude install etckeeper bzr bzrtools Links:

Network setup:
Add static IP address (to /etc/network/interfaces):
# The primary network interface
auto eth0
iface eth0 inet static

... then restart network:
# /etc/init.d/networking restart
Edit /etc/hosts like this:       localhost.localdomain   localhost     server1

# echo > /etc/hostname
# /etc/init.d/hostname restart

Then, run:
# hostname
# hostname -f
... both should answer now.

Change default shell (from /bin/dash to /bin/bash)
# dpkg-reconfigure dash
Install dash as /bin/sh? NO!

SSH login with Putty, without password


[working on it]
Ubuntu manual
Ubuntu firewall: Netfilter, ufw, iptables
Ubuntu Security on UbuntuForums
Bastille Linux - hardening the security of Ubuntu system

denyhosts and fail2ban
# aptitude install python python2.6-dev python2.6 denyhosts

Installing DenyHosts (The Ubuntu Way)
How to secure ubuntu server from bruteforce ssh attacks?

rkhunter and chkrootkit

Disable AppArmor
AppArmor is a security extension (similar to SELinux) that should provide extended security. Some people believe that it causes more problems than advantages and I disable it (this is a must if you want to install ISPConfig - see installation of Ubuntu 8.10 | Ubuntu 9.10 | Ubuntu 10.04 LTS):
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
aptitude remove apparmor apparmor-utils

Just in case in need to install AppArmor, the manual shows how to do it:
# aptitude install apparmor apparmor-profiles

Links: AppArmor in Ubuntu Manual | AppArmor Failures (Wiki) | AppArmor on Ubuntu Documentation | SECURITY - Is it a bad idea to run SELinux and AppArmor at the same time? | Is troubleshooting AppArmor with 'teardown' unsafe?


# aptitude install ntp [details]
Update /etc/ntp.conf adding the following (if you live in RO):
# aptitude install arj binutils bridge-utils cabextract cpio darkstat ethtool flip iptraf lha links2 mc nomarch ntop pax rar screen sysstat unison unrar unzip vim-nox zip

Links and info:
- darkstat: a packet sniffer that runs as a background process on a cable/DSL router, gathers all sorts of statistics about network usage, and serves them over HTTP. - elinks2: The history and evolution of the Links browsers (ELinks vs. Links vs. Lynx
- ethtool (instead of mii-tool, obsolete)
- flip (use "flip -a file_name" to convert DOS TXT files to UNIX) [website]
- mc: Midnight Commander / MC Tutorial - ntop: tutorial
- sysstat: sar, mpstat, iostat, sadf and sa
- unison (rsync at the next level!) [websitee | tutorial]
- vim-nox (VIsual editor iMproved - noX): strange behavior of vi in Ubuntu is now corrected

Setting-up hardware

Mount points If the partitions and other mount-points are not set up upon installation, Fstab introduction in Ubuntu Comunity Documentation might be at hand, as well as a nice tutorial which shows how to automatically mount partitions or network shares.

This machine has a hardware raid controller and 3 x RAID0 arrays. Everything can be set up easily as explained on the guide on Ubuntu manual. [Software RAID explained]
Notes: Linux disk failures: Areca is not so SMART | Areca utilities

Serving clients (computers or users)

Note, that self-signed certificates should not be used in most production environments.
(from the Ubuntu Manual)

LAMP - LinuxUbuntu-Apache2-MySQL5-PHP5
# echo "ServerName localhost" | sudo tee /etc/apache2/conf.d/fqdn
# tasksel install lamp-server
Links: HTTPD / Apache in Ubuntu Manual | Apache-MySQL-PHP on Ubuntu Wiki | Apache official manual |

To access / check / modify MySQL database, install PhpMyAdmin or/and mysql-admin:
# aptitude install phpmyadmin mysql-admin
Links: Securing the Initial MySQL Accounts | MySQL official manual | PhpMyAdmin on Ubuntu Manual

DNS server with Bind + (web-)admin with smbind
# aptitude install bind9 dnsutils
# aptitude install smbind

Links: configuration (in Ubuntu Manual) | Simple Management for BIND | Smbind installation (DE) | How to Install and Configure Smbind

smbind configtest ( complained with the following:
smbind configtest
This script will try to check some aspects of your smbind configuration and point you to errors where ever it can find them. You need to edit config.php and read the INSTALL file first before you run this script.
Testing config.php...OK
Testing PEAR DB...OK
Testing Smarty...OK
Testing templates_c...OK
Testing path...OK
Testing conf directory...OK
Testing conf file...OK
Testing named-checkconf...OK
Testing named-checkzone...OK
Testing rndc...OK
Testing (guess) /etc/rndc.conf...not found.
Testing (guess) /etc/rndc.key...not found.
Testing (guess) connection to localhost:953...OK
Testing rndc execution...Could not run rndc as www-data. Please make sure that www-data is a member of the group that runs named, and that all rndc config files and keys are readable by www-data.
output was: rndc: could not load rndc configuration

I was able to fix them:
1. Add the following to /etc/bind/named.conf:
include "/etc/smbind/smbind.conf";
2. Make a symbolic link for rndc.key to the proper location:
# ln -s /etc/bind/rndc.key /etc/rndc.key

3. Add www-data to group bind:
# id www-data
uid=33(www-data) gid=33(www-data) Gruppen=33(www-data)
# adduser www-data bind
# id www-data
uid=33(www-data) gid=33(www-data) Gruppen=33(www-data),117(bind)
# /etc/init.d/apache2 restart

E-mail server (Postfix, Dovecot IMAP, Dovecot POP3, Mailman)
# aptitude install postfix dovecot-common dovecot-imapd dovecot-pop3d mailman

Filtering email:
# aptitude install amavisd-new spamassassin clamav-daemon dkim-filter python-policyd-spf pyzor razor

Once installed, check for configuration (must read!)
Webmailaptitude install squirrelmail # aptitude install squirrelmail # ln -s /usr/share/squirrelmail/ /var/www/webmail # squirrelmail-configure
or E-mail server (Postfix, Courier, Saslauthd, MySQL) + rkhunter
# aptitude install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl getmail4 rkhunter maildrop

This setup cand be configured following the tutorial (must read!)
Note. Step 17 ("cp -prf /usr/share/doc/awstats/examples/ /usr/share/awstats/tools/" returned an error: "cannot create regular file `/usr/share/awstats/tools/': No such file or directory"). I managed to solve this making the required directory which does not exist:
# mkdir /usr/share/awstats/tools
Everything is great now!

Squid - Proxy Server (transparent, by default)
# aptitude install squid
Links: Squid on Ubuntu Manual

# aptitude install dhcp3-server
More info:

File server (for Windows clients) - Samba
Install Samba File Server:
# aptitude install samba

Add persistent share upon reboot:
# aptitude install smbfs

Links:>Securing a Samba File and Print Server | smb.conf examples

# aptitude install vsftpd
Note1: vsftpd is supposed to be configured after installation to allow only anonymous read acces, by default (as per Ubuntu manual), but it's configured to allow system users' access (root disabled).
Note2: I get a strange message log if I try to login anonymously or with fake user ("lo: Disabled Privacy Extensions"). This message in log can be avoided adding the following to /etc/vsftpd.conf:
- allow write access for users (write_enable=YES) in:
# vim /etc/vsftpd.conf
Note: making a symlink to any mount point in the home directory of one user, will make them visible via ftp to that user

Links: FTP server on Ubuntu Manual

NFS (Network File System)
# aptitude install nfs-kernel-server nfs-common
[Network File System (NFS) in Ubuntu manual]
Note: NFS is often used on linux, UNIX and FreeBSD. It is also available to other OS's such as Windows and Mac OS.

OpenLDAP Server
More info in Ubuntu Manual

(Web-)Monitoring (Apache or other web-server required to be installed)
# aptitude install -y nagios3
Links: Nagios in Ubuntu Manual | Nagios3 how-to in Ubuntu Wiki | Monitoring Windows

Munin (disk, network, processes, system; DNS, DHCP, Samba)
# aptitude install munin munin-node munin-plugins-extra
Links: Munin in Ubuntu Manual | Munin docs
(an open source IT monitoring product that delivers the functionality to effectively manage the configuration, health, performance of networks, servers and applications through a single, integrated software package)
to be checked

Cloud computing

Virtualized Clustering = OpenNebula

Real Clustering - Distributed Replicated Block Device (DRBD)



# aptitude install vlogger webalizer awstats

To see visitors' country (not required):
# aptitude install libnet-ip-perl libgeo-ipfree-perl

Create configuration file
# cp /etc/awstats/awstats.conf /etc/awstats/

Modify /etc/awstats/
# Use '1' for more detailed information (default '4'):



Generate the initial stats for AWStats:
# /usr/lib/cgi-bin/ -update

Add the following text to '/etc/apache2/sites-available/default' (and every domain's config file) inside 'VirtualHost' tag:
# AWStats (to be placed in every domain's config file):
Alias /awstatsclasses "/usr/share/awstats/lib/"
Alias /awstats-icon/ "/usr/share/awstats/icon/"
Alias /awstatscss "/usr/share/doc/awstats/examples/css"
ScriptAlias /awstats/ /usr/lib/cgi-bin/
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch

The AWStats statistics should be available at:

Update statistics with cron: in /etc/crontab add:
# AWStats runs update every 1h
0 */1 * * * root /usr/lib/cgi-bin/ -update > /dev/null

Links: kastang tutorial | awstats on Ubuntu server 8.04 (Hardy Heron) | Configuring AWStats on Ubuntu Server | Apache2 + Awstats setup on Debian/Ubuntu (Edgy Eft) | Setting up awstats with apache 2 on debian-ubuntu):

Personal preferences

Monitoring (CLI/ASCII)

This is a cool task that should be implemented: add status info about system (temperature, HDD SMART errors etc.) upon login via MOTD.Check pam_motd in Ubuntu Manual for more info.

Other cool staff:
- sysstat (installed by default in all distros):
- iostat (installed by default in all distros) [I/O statistics for devices, partitions and network filesystems]
- mpstat [CPU statistics]
- pidstat [tasks/processes : I/O, CPU, memory, etc.]

- top (installed by default in all distros) [tutorial]
- vmstat (installed by default in all distros) [virtual memory statistics of process, virtual memory, disk, trap, and CPU activity]
- htop [an advanced 'top']
- nmon [multiple performance statistics in one screen]
- atop [performance monitor of system-level activity]
- netstat (installed by default in all distros) [network-related data structures]
- iotop [I/O processes monitor, hard disk activity]
- Collectl [monitor processes with a lot of customization]
- smartmontools (smartctl)
- hddtemp
- iWatch (monitors filesystem's integrity)


Admin staff

Last update: 2011.03.17