Get the Ubuntu Server 6.06.2 LTS Installation CD
The first thing to do is to download the Ubuntu Server installation CD suitable for your hardware platform.
CDs can be downloaded from http://releases.ubuntu.com/
Burn the CD image to a CD-R.
Installing Ubuntu Server 6.06.2 LTS
Select 'Install to Hard Disk'.
After the system has booted up, the Ubuntu installation system starts.
In the first screen you need to select the installation language:
Select your language:
Choose a keyboard layout:
Setup starts to inspect your hardware:
If your network doesn't have DHCP, you can configure network manually:
Insert the hostname for your system, for example 'winkle':
Insert your domain name, for example 'example.com':
The next thing to do is disk partitioning.
I generally partition in the following manner:

Partition | Bootable | Size                               | FS   | Mount point | Note
1         | Y        | 500MB                              | ext3 | /boot       | needs enough space to ensure that kernel upgrades don't fill it
2         | N        | 1-2x system memory, usually 2-8GB  | swap | swap        | may as well have a ton of it
3         | N        | Usually 10% of your hard drive     | xfs  | /root       | To separate the /root file system from the root file system
4         | Y        | the rest                           | xfs  | /           |
The reasons for the partitions I use are as follows:
/boot needs to be at the beginning of the disk to ensure compatibility with BIOSes and bootloaders; it should also be ext3 for bootloader and rescue CD purposes.
/root needs to be in a separate file space for security reasons.
I use XFS because it seems better than JFS, ext3 and ReiserFS to me.
Select your timezone.
Create a new user
Base system installation procedure starts:
Remove installation CD and reboot system:
Base system installation is finished
The system will reboot.

Enable The root Account
Ubuntu disables the root user account by default. Because we must run all the steps in this tutorial as the root user, we must enable the root account now. To enable it, login as winkle, then run
$ sudo passwd root
to set the root password. Afterwards we become root by running
$ su -
First update the 'apt' repositories so we can then upgrade the system.

Updating 'apt' repositories
Update the apt repositories so they include main, restricted, backports, universe and multiverse. Also disable cdrom access. This is done by editing '/etc/apt/sources.list'.
# nano -w /etc/apt/sources.list
Here is an example:
root@server:~# cat /etc/apt/sources.list
#
# deb cdrom:[Ubuntu-Server 6.06.2 _Dapper Drake_ - Release amd64 (20080110.1)]/dapper main restricted
#deb cdrom:[Ubuntu-Server 6.06.2 _Dapper Drake_ - Release amd64 (20080110.1)]/ dapper main restricted

deb http://ca.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper-updates main restricted

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper universe multiverse
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper universe multiverse

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu dapper-security main restricted
deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted
deb http://security.ubuntu.com/ubuntu dapper-security universe
deb-src http://security.ubuntu.com/ubuntu dapper-security universe
Now update repositories.
# apt-get update
Now that the repositories are complete we can proceed with a system upgrade.
# apt-get upgrade -y
Now reboot. The reason for this is that the kernel image was updated and needs to take effect.
# shutdown -r now
Login as root.
Installing MC - GNU Midnight Commander
GNU Midnight Commander is a file manager for free operating systems. Being a text mode application, GNU Midnight Commander can be used locally or remotely, on the console or under the X Window System. By using the full screen space of the terminal, it provides an intuitive user interface to the operating system, aiming to be a useful tool for users with any level of experience, from a newbie to a guru.
# apt-get install mc -y
Now change the Midnight Commander settings so that the startup folder is the current folder, not root.
# mv /usr/share/mc/bin/mc.sh /usr/share/mc/bin.mc.sh.norun
# cat /usr/share/mc/bin.mc.sh.norun >> /etc/bash.bashrc

SSH
SSH is a protocol designed to provide secure remote access for administration purposes. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Ubuntu does not install OpenSSH by default, therefore we do it now. Run:
# apt-get install ssh openssh-server -y
Configure the /etc/ssh/sshd_config file:
# nano -w /etc/ssh/sshd_config
Changing the default SSH port
Change the default SSH port (22) to stop the brute force attacks (most of them).
ServerKeyBits
The option ServerKeyBits specifies how many bits to use in the server key. Change the default value to 1024. These bits are used when the daemon starts to generate its RSA key. (Note that ServerKeyBits only affects the ephemeral SSH protocol 1 server key; it has no effect on protocol 2 connections.)
Disabling root login
Disable root login. Administrators should have to login under a non-privileged user name (winkle) first and then su to root.
# Changes to the /etc/ssh/sshd_config file
Port 38475
ServerKeyBits 1024
PermitRootLogin no
AllowUsers winkle
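As an added check (not part of the original post), the POSIX shell script below audits an sshd_config file for the three settings changed above: a non-default Port, PermitRootLogin no, and an AllowUsers list. The two sample config files are constructed inline so it runs offline; point audit_sshd_config at /etc/ssh/sshd_config to check a real server.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# hardening settings applied above. Sample configs are constructed below.

# Print the effective value of a keyword. sshd_config keywords are
# case-insensitive and the FIRST occurrence wins, so stop at the first match;
# commented-out lines never match because their first field starts with '#'.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Check one config file; prints a result line per setting and returns
# non-zero if any check fails.
audit_sshd_config() {
    f="$1"; rc=0
    port=$(sshd_value "$f" Port)
    if [ -n "$port" ] && [ "$port" != "22" ]; then
        echo "ok   Port $port (non-default)"
    else
        echo "FAIL Port is ${port:-unset}; the default 22 attracts brute-force scans"; rc=1
    fi
    prl=$(sshd_value "$f" PermitRootLogin)
    if [ "$prl" = "no" ]; then
        echo "ok   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is ${prl:-unset} (Dapper's OpenSSH defaults to yes)"; rc=1
    fi
    users=$(sshd_value "$f" AllowUsers)
    if [ -n "$users" ]; then
        echo "ok   AllowUsers limits logins to: $users"
    else
        echo "FAIL AllowUsers not set; every account may log in"; rc=1
    fi
    return $rc
}

# Constructed samples: a stock-looking config and one with the post's changes.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/stock.conf" <<'EOF'
# Constructed sample resembling a default sshd_config
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
EOF
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
# Constructed sample with the changes from the post applied
Port 38475
ServerKeyBits 1024
PermitRootLogin no
AllowUsers winkle
EOF

for f in "$SAMPLE_DIR/stock.conf" "$SAMPLE_DIR/hardened.conf"; do
    echo "== $f"
    audit_sshd_config "$f" || echo "-> $f fails the audit"
done
```

The settings only take effect after sshd is restarted (/etc/init.d/ssh restart on Dapper); keep your current session open until a fresh login on the new port as winkle succeeds.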
Remove sudoers entries
# visudo
The sudoers file /etc/sudoers should look something like this:
root@server:~# cat /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults
Defaults !lecture,tty_tickets,!fqdn

# User privilege specification
root ALL=(ALL) ALL
Configure The Network
Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now, because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
# nano -w /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 208.233.68.149
netmask 255.255.255.240
gateway 208.233.68.145
Then restart your network:
# /etc/init.d/networking restart
Then edit /etc/resolv.conf:
# nano -w /etc/resolv.conf
Make it look like this:
search example.com
nameserver 208.233.3.3
nameserver 208.233.5.5
Then edit /etc/hosts:
# nano -w /etc/hosts
Make it look like this:
127.0.0.1 localhost.localdomain localhost
208.233.68.149 server.example.com server

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Now run
# hostname
# hostname -f
Both should show server.example.com. If they do not, reboot the system:
# shutdown -r now
Afterwards, run
# hostname
# hostname -f
again. Now they should show server.example.com.
Installing DNS resolver
Having a local DNS cache is highly recommended; it can have a big effect on server performance. djbdns is a replacement for BIND. It is secure, reliable, small, fast, etc. dnscache is a recursive resolver, intended to be listed in the "nameserver" entry of /etc/resolv.conf. It makes DNS queries via UDP and TCP as needed. daemontools manages all the djbdns services and daemons.
First run:
# apt-get install daemontools-installer djbdns-installer -y
Then build daemontools, run:
# build-daemontools
(just hit [Enter] at any questions it asks)
Then build djbdns, run:
# build-djbdns
(just hit [Enter] at any questions it asks)
Configure the dnscache program, run:
# dnscache-conf dnscache dnslog /etc/dnscache
Create a symlink to the dnscache program in the /service directory so svscan will start it, run:
# ln -s /etc/dnscache /service
Wait at least 5 seconds, then see if the dnscache service is running, run:
# svstat /service/dnscache
Create a new resolv.conf (pointing to ourselves as the DNS server), run:
# echo "domain example.com" > /etc/resolv.conf
# echo "nameserver 127.0.0.1" >> /etc/resolv.conf
Test that you are able to resolve a host name on the Internet, run:
# dnsip www.cnn.com
Tail the log file to verify dnscache is working, run:
# tail -40 /service/dnscache/log/main/current

NTP
NTP is a protocol designed to synchronize the clocks of computers over a network. Lots of server processes depend on the system clock for proper operation, so it is crucial to have NTP running and to select servers that are reliable and close to you from a network standpoint.
First get the ntp client, run:
# apt-get install ntp ntpdate -y
Then create a script to update the system clock, run:
# cd /etc/init.d
# touch ntp-update.sh
# chmod 755 ntp-update.sh
Edit ntp-update.sh, run:
# nano -w /etc/init.d/ntp-update.sh
Here is an example ntp-update.sh file:
#!/bin/sh -e
#
sleep 5
ntpdate -u 0.north-america.pool.ntp.org
hwclock --adjust
hwclock --systohc
# wait 1 hour, then start a fresh copy of this script in the background
sleep 3600
/etc/init.d/ntp-update.sh &
Then edit /etc/rc.local, run:
# nano -w /etc/rc.local
Here is an example rc.local file:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
#
# NTP script
#
/etc/init.d/ntp-update.sh &
#
exit 0

SMAIL
Most of the services on the server send messages to the local root account. The best way to deal with those messages is to send them out.
For that reason we have to set up an email account outside the organization (on yahoo or gmail, etc.), something like example-co-root@gmail.com, and set up forwarding of all messages to your admin account admin@example.com. This way you will have redundancy even if your mail server is down or unreachable. On this account messages from all servers in your organization will be received and stored.
Smail is an implementation of an Electronic Mail Transport Agent (MTA), i.e. a program used for sending and receiving electronic mail, for Unix-like (POSIX compatible) systems. Smail's job is to accept mail messages from local files or programs running on the local machine (such as any mail user agent), or from remote hosts by way of network protocols such as SMTP or UUCP, and deliver those messages to the appropriate destinations, be they remote hosts or files or programs on the local machine. Smail-3 can also gateway e-mail traffic bi-directionally between disparate underlying mail transport systems, for example between SMTP and UUCP.
To install and configure smail run:
# apt-get --purge install smail
Here is an example of the install and setup:
Reading package lists... Done
Building dependency tree... Done
smail is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0B of archives.
After unpacking 0B of additional disk space will be used.
Setting up smail (3.2.0.115-5.1) ...

I can do certain kinds of automatic configuration of your mail system, by asking you a number of questions. Later you may want to confirm and/or correct your answers. In any case, comprehensive information on configuring Smail is in smail(5) and in /usr/share/doc/smail/ .

You must choose one of the options below:
(1) Internet site: you send and receive Internet mail on this machine, using SMTP over TCP/IP, select this if you have a smarthost reachable over SMTP.
(2) UUCP to smarthost (upstream site): You send and receive mail via UUCP; outbound mail is sent to your smarthost (probably your service provider) for routing and delivery.
(3) No mail is to be delivered or routed here. Any mail generated on this system is sent to a central mail switch using SMTP. This configuration is for workstation, which have mounted /var/mail from a central server.
(4) Local delivery only: You are not on a network. Mail for local users is delivered.
(5) No configuration will be done now; your mail system will be broken and should not be used. Use /usr/sbin/smailconfig as root, later.
Select a number from 1 to 4, from the list above.
Enter value (default=`4', `x' to restart): 1

What is the `visible' mail name of your system ? This will appear on From: lines of outgoing messages.
Enter value (default=`server.example.com', `x' to restart): ip149.example.com

Does this system have any other names which may appear on incoming mail messages, apart from the visible name above (ip149.example.com) and the system's hostname (server.example.com) ? If so enter them here, separated with spaces or commas. If there are none, say `none'.
Enter value (default=`none', `x' to restart): none

Do you have a smarthost available (and accessible via SMTP) ? A smarthost is a system to which you forward mail you don't want to deliver yourself; it presumably has better connectivity or routing information than you do. Commercial providers usually provide a smarthost for their customers, and large organisations will often have a site mail switch which can be used. Use of a smarthost is strongly recommended (you'll be able to specify exactly when to use it soon). If a smarthost is available please enter its name (otherwise, `none').
Enter value (`x' to restart): none

Do you want to relay mail from anybody ? If you allow relay from somewhere, that machine will send it's mail to this server for delivery, you will become it's smarthost. You can specify the word 'localnet', that will dinamically match the net of your localhost, or you can specify the net by it's ip number and using wildcards. (Example: 192.168.1.*). If you want to relay to everyone, just write 'all'. Beware, allowing everyone to relay from your machine, will let spamers send their junk-mail througth your machine, making you responsible for that. You shouldn't allow mail relaying from unknown machines. You can especify more than one net separating the ip numbers by ':'
Enter value (default=`127.0.0.1', `x' to restart): 127.0.0.1

Mail for the `postmaster' and `root' accounts is usually redirected to one or more user accounts, of the actual system administrators. By default, I'll set things up so that mail for `postmaster' and for various system accounts is redirected to `root', and mail for `root' is redirected to a real user. This can be changed by editing /etc/aliases. Note that postmaster-mail should usually be read on the system it is directed to, rather than being forwarded elsewhere, so (at least one of) the users you choose should not redirect their mail off this machine. Which user account(s) should system administrator mail go to ? Enter one or more usernames separated by spaces or commas. Enter `none' if you want to leave this mail in `root's mailbox - NB this is strongly discouraged. Also, note that usernames should be lowercase !
Enter value (`x' to restart): none

The following configuration has been entered:
Mail generated on this system will have `ip149.example.com' used as the host part (after the @) in the From: field and similar places. Message-ID's, Received lines, etc. will use the system's canonical hostname, which is currently set to server.example.com.
The following hostname(s) will be recognised as referring to this system: mail.areyouverified.com, ip149.example.com
Mail for postmaster, root, etc. will be sent to root.
Local mail is delivered.
Outbound remote mail is looked up in the Internet DNS, and delivered using that data if any is found; failing that messages are bounced.
Mail for the non-DNS UUCP and BITNET domains are sent to the backbone sites uu.net and cunyvm.cuny.edu for routing, respectively.
Is this OK ? Hit Return or type `y' to confirm it and install, or `n' to make changes (in which case we'll go round again, giving you your previous answers as defaults. (y/n) y

You have to select a method starting smail: The decision as to whether to use a smail daemon, or the inet daemon depends upon how much mail passes through your site and whether or not you can always spare 300K of virtual memory.
(1) Generate a line in /etc/inetd.conf. For every remote-connections a smail session is started. It is the standard.
(2) To invoke a smail daemon at system boot time.
Select a number from 1 to 2, from the list above.
Enter value (default=`1', `x' to restart): 1

Current crontab entry for smail:
# Default `mail' user's crontab, supplied Smail for Debian Linux.
# See /usr/doc/smail/copyright for details, or read smail(5) for details of
# how to configure Smail. Autoconfiguration done by /usr/sbin/smailconfig.
# (min, hour) (dm,m,dw) (command)
3,23,43 * * * * runq
Configuration installed.

Would you like to send a test message now ? Select one of:
Return or Y  Yes, test offsite delivery with a message to Harald Alvestrand's Linux Counter project - you should then receive an autoreply to postmaster@ip149.example.com. Do not use this option until mail routing to your machine has been properly enabled, please !
L  Just a local message from root@ip149.example.com to postmaster@ip149.example.com.
N  No, thanks. (You can do this later using /usr/sbin/smailtest.)
Send a test message now ? (y/l/n) l
Test message sent. Good.
You have a recent smail configuration
You have selected to start smail in inetd.conf
You have mail in /var/mail/root

After installation and configuration you have to add root account forwarding in /etc/aliases:
# echo "root: example-co-root@gmail.com" >> /etc/aliases
# newaliases
Now test that it is working, run:
# /usr/sbin/smailtest --localonly
Here is an example:
Would you like to send a test message from `root' to `postmaster' ?
Send a test message now ? (y/n) y
Check your example-co-root@gmail.com mailbox; you should receive the test message.

SYSTEM LOG
Update /etc/logrotate.conf, run:
# nano -w /etc/logrotate.conf
Here is an example file:
# see "man logrotate" for details

# rotate log files daily
daily

# keep 52 weeks worth of backlogs
rotate 365

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

# system-specific logs may be configured here

Install logcheck:
# apt-get install logcheck -y
Install logwatch:
# apt-get install logwatch -y
Install MUNIN:
# apt-get install munin munin-node
Configure MUNIN:
# nano -w /etc/munin/munin.conf
Change the lines from:
# a simple host tree
[localhost.localdomain]
to:
# a simple host tree
[server.example.com]
Restart munin:
# /etc/init.d/munin-node restart
Then install thttpd:
# apt-get install thttpd thttpd-util
Configure thttpd:
# nano -w /etc/thttpd/thttpd.conf
Change port = 38964 and change dir = /var/www/munin. Ensure that the port is not firewalled.
Check that it is working: go to http://server.example.com:38964

32 bit extensions
If you are running 64 bit Linux, install the 32-bit extensions to allow 64-bit Linux to run 32-bit applications.
apt-get install ia32-libs linux32 -y