Tuesday, February 12, 2008

Generic Linux Server - Based on Ubuntu 6.06.2 LTS

This document describes how to install a Generic Linux Server. It has been a work in progress since March 2001.

It is intended as my private collection of notes and different bits of useful information collected over the years from various sources on the Internet, in books, etc. It may also be useful to anyone interested in building a safe and stable basic Linux server which can then be adapted for more specific tasks. Internet access is required to complete the installation.

Get the Ubuntu Server 6.06.2 LTS Installation CD

  • First, download the Ubuntu Server installation CD suitable for your hardware platform.

  • CDs can be downloaded from http://releases.ubuntu.com/

  • Burn the CD image to a CD-R.

Installing Ubuntu Server 6.06.2 LTS

  • Boot up from the Ubuntu Server Installation CD you created.

  • Select 'Install to Hard Disk'.

  • After the system has booted, the Ubuntu installer starts.

  • On the first screen you need to select the installation language:

  • Select your language:

  • Choose a keyboard layout:

  • Setup starts to inspect your hardware:

  • If your network doesn't have DHCP, you can configure the network manually:

  • Enter the hostname for your system, for example 'winkle':

  • Enter your domain name, for example 'example.com':

  • Next comes disk partitioning.

I generally partition in the following manner:

Partition | Bootable | Size                              | FS   | Mount-point | Note
----------|----------|-----------------------------------|------|-------------|---------------------------------------------------------------
1         | Y        | 500MB                             | ext3 | /boot       | needs enough space to ensure that kernel upgrades don't fill it
2         | N        | 1-2x system memory, usually 2-8GB | swap | swap        | may as well have a ton of it
3         | N        | Usually 10% of your hard drive    | xfs  | /root       | To separate /root file system from the root file system
4         | Y        | the rest                          | xfs  | /           |


The reasons for the partitions I use are as follows:

  1. /boot needs to be at the beginning of the disk to ensure compatibility with BIOSes and bootloaders; it should also be ext3 for bootloader and rescue CD purposes

  2. /root needs to be in separate file space for security reasons

I use XFS because it seems better than JFS, ext3 and ReiserFS to me.

  • Select your timezone.

  • Create a new user

  • Base system installation procedure starts:

  • Remove the installation CD and reboot the system:

  • Base system installation is finished.

The system will reboot.

Enable The root Account

Ubuntu disables the root user account by default.
Because all the steps in this tutorial must be run as root, we enable the root account now. To enable it,

login as winkle, then run

$ sudo passwd root

to set the root password. Afterwards, become root by running

$ su -

First update the 'apt' repositories so we can then upgrade the system.

Updating 'apt' repositories

Update the apt repositories to include main, restricted, backports, universe and multiverse. Also disable the CD-ROM source. This is done by editing '/etc/apt/sources.list'.

# nano -w /etc/apt/sources.list

Here is an example:

root@server:~# cat /etc/apt/sources.list

#
# deb cdrom:[Ubuntu-Server 6.06.2 _Dapper Drake_ - Release amd64 (20080110.1)]/dapper main restricted
#deb cdrom:[Ubuntu-Server 6.06.2 _Dapper Drake_ - Release amd64 (20080110.1)]/ dapper main restricted
deb http://ca.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper universe multiverse
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper universe multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu dapper-security main restricted
deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted
deb http://security.ubuntu.com/ubuntu dapper-security universe
deb-src http://security.ubuntu.com/ubuntu dapper-security universe

Now update repositories.

# apt-get update

Now that the repositories are complete, we can proceed with a system upgrade.

# apt-get upgrade -y

Now reboot. This is needed because the kernel image was updated and the new kernel only takes effect after a reboot.

# shutdown -r now

Log in as root.

Installing MC - GNU Midnight Commander

GNU Midnight Commander is a file manager for free operating systems. Being a text mode application, GNU Midnight Commander can be used locally or remotely, on the console or under X Window System. By using full screen space of the terminals, it provides an intuitive user interface to the operating system, aiming to be a useful tool for users with any level of experience, from a newbie to a guru.

# apt-get install mc -y

Now change the Midnight Commander settings so that it starts in the current folder, not at root.

# mv /usr/share/mc/bin/mc.sh /usr/share/mc/bin.mc.sh.norun
# cat /usr/share/mc/bin.mc.sh.norun >> /etc/bash.bashrc

SSH

SSH is a protocol designed to provide secure remote access for administration purposes. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Ubuntu does not install OpenSSH by default, so we do it now. Run

# apt-get install ssh openssh-server -y

Configure the /etc/ssh/sshd_config file:

# nano -w /etc/ssh/sshd_config

Changing the default SSH port

Change the default SSH port (22) to stop most of the automated brute-force attacks.

ServerKeyBits

The option ServerKeyBits specifies how many bits to use in the server key. Change the default value to 1024. These bits are used when the daemon starts to generate its RSA key.

Disabling root login

Disable root login over SSH. Administrators have to log in under a non-privileged user name (winkle) first and then su to root.

# Changes to the /etc/ssh/sshd_config file

Port 38475
ServerKeyBits 1024
PermitRootLogin no
AllowUsers winkle
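As an added example (not part of the original post), here is a small audit that checks an sshd_config for the four settings just listed. It is useful after editing the file, because a directive left commented out (`#PermitRootLogin yes`) or repeated further down is a common way for a hardening change to silently not apply: sshd ignores comments, matches keywords case-insensitively and uses the first value it finds, and the functions below follow the same rules. The two config files are constructed samples, and the port and user name are the ones from the text.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the four
# hardening settings listed above (Port, ServerKeyBits, PermitRootLogin,
# AllowUsers). Commented-out directives are ignored, keyword matching is
# case-insensitive, and only the first occurrence of a keyword counts, because
# sshd uses the first value it finds. The config files are constructed samples.

# sshd_effective FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE PORT USER -> prints one line per problem found;
# returns 0 only when the file matches the hardening described in the text
# (AllowUsers is compared against a single user, as in the text)
check_sshd_config() {
    f=$1; port=$2; user=$3; rc=0
    v=$(sshd_effective "$f" Port)
    [ "$v" = "$port" ] || { echo "Port: want $port, got ${v:-22 (default)}"; rc=1; }
    v=$(sshd_effective "$f" ServerKeyBits)
    [ "${v:-768}" -ge 1024 ] || { echo "ServerKeyBits: want >= 1024, got ${v:-768 (default)}"; rc=1; }
    v=$(sshd_effective "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin: want no, got ${v:-yes (default)}"; rc=1; }
    v=$(sshd_effective "$f" AllowUsers)
    [ "$v" = "$user" ] || { echo "AllowUsers: want $user, got ${v:-unset (any user)}"; rc=1; }
    return $rc
}

# Constructed sample files for a stand-alone run (removed on exit)
hardened=$(mktemp) && default=$(mktemp)
trap 'rm -f "$hardened" "$default"' EXIT
cat > "$hardened" <<'EOF'
# matches the changes described in the text
Port 38475
ServerKeyBits 1024
PermitRootLogin no
AllowUsers winkle
EOF
cat > "$default" <<'EOF'
# stock-looking file: the important directives are still commented out
#Port 22
#PermitRootLogin yes
ServerKeyBits 768
EOF

check_sshd_config "$hardened" 38475 winkle && echo "hardened config: ok"
check_sshd_config "$default" 38475 winkle || echo "stock config: not hardened"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config 38475 winkle` after editing; an empty output and a zero exit status mean the four changes are in effect.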

Remove sudoers entries

# visudo

The sudoers file /etc/sudoers should look something like this:

root@server:~# cat /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults
Defaults !lecture,tty_tickets,!fqdn
# User privilege specification
root ALL=(ALL) ALL
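To confirm that the trimming above actually left root as the only sudoer, the added example below (not from the original post) lists every principal a sudoers file grants commands to, skipping comments, blank lines, Defaults lines and alias definitions. Both files it reads are constructed samples: one still grants a group sudo rights, the other matches the file shown above.

```shell
#!/bin/sh
# Added example, not from the original post: list every principal a sudoers
# file grants commands to, so you can confirm that only root is left after the
# installer's extra entries are removed. Comments, blank lines, Defaults lines
# and alias definitions are skipped; #include directives are not followed.
# Both files below are constructed samples.

# sudoers_principals FILE -> one principal per line (users, %groups, +netgroups)
sudoers_principals() {
    awk '
        /^[[:space:]]*(#|$)/                  { next }      # comment or blank line
        $1 ~ /^Defaults/                      { next }      # Defaults, Defaults:user, ...
        $1 ~ /^(User|Runas|Host|Cmnd)_Alias$/ { next }      # alias definitions
        $2 ~ /=/                              { print $1 }  # "who HOSTS=(RUNAS) CMDS"
    ' "$1" | LC_ALL=C sort -u
}

# sudoers_only_root FILE -> 0 if root is the only principal, 1 otherwise
sudoers_only_root() {
    [ "$(sudoers_principals "$1")" = "root" ]
}

# Constructed samples for a stand-alone run (removed on exit)
fresh=$(mktemp) && trimmed=$(mktemp)
trap 'rm -f "$fresh" "$trimmed"' EXIT
cat > "$fresh" <<'EOF'
# constructed: a file that still grants a whole group sudo rights
Defaults !lecture,tty_tickets,!fqdn
root   ALL=(ALL) ALL
%admin ALL=(ALL) ALL
EOF
cat > "$trimmed" <<'EOF'
# constructed: the trimmed file from the text
Defaults !lecture,tty_tickets,!fqdn
root ALL=(ALL) ALL
EOF

echo "principals in untrimmed file:"; sudoers_principals "$fresh"
sudoers_only_root "$trimmed" && echo "trimmed file: only root can sudo"
```

On the real system run `sudoers_principals /etc/sudoers` after `visudo`; anything other than a single `root` line means an entry survived.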

Configure The Network

Because the Ubuntu installer configured the system to get its network settings via DHCP, we have to change that now, because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (this example uses the addresses shown below; substitute your own):

# nano -w /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 208.233.68.149
netmask 255.255.255.240
gateway 208.233.68.145

Then restart your network:

# /etc/init.d/networking restart


Then edit /etc/resolv.conf:

# nano -w /etc/resolv.conf

Make it look like this:

search example.com
nameserver 208.233.3.3
nameserver 208.233.5.5

Then edit /etc/hosts.

# nano -w /etc/hosts

Make it look like this:

127.0.0.1 localhost.localdomain localhost
208.233.68.149 server.example.com server

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run

# hostname
# hostname -f

Both should show server.example.com. If they do not, reboot the system:

# shutdown -r now

Afterwards, run

# hostname
# hostname -f

again. Now they should show server.example.com.

Installing DNS resolver

Having a local DNS cache is highly recommended; it can have a big effect on server performance. djbdns is a replacement for BIND. It is secure, reliable, small and fast. dnscache is a recursive resolver, intended to be listed as the "nameserver" entry in /etc/resolv.conf. It makes DNS queries via UDP and TCP as needed. daemontools manages all the djbdns services and daemons.

First run:

# apt-get install daemontools-installer djbdns-installer -y

Then build daemontools run:

# build-daemontools

(just hit [Enter] at any question it asks)

Then build djbdns, run:

# build-djbdns

(just hit [Enter] at any question it asks)

Configure the dnscache program, run:

# dnscache-conf dnscache dnslog /etc/dnscache

Create a symlink to the dnscache program in the /service directory so svscan will start it, run:

# ln -s /etc/dnscache /service

Wait at least 5 seconds, then see if the dnscache service is running, run:

# svstat /service/dnscache

Create a new resolv.conf (pointing to ourselves as the DNS server), run:

# echo "domain example.com" > /etc/resolv.conf
# echo "nameserver 127.0.0.1" >> /etc/resolv.conf

Test that you are able to resolve a host name on the Internet, run:

# dnsip www.cnn.com

Tail the log file to verify dnscache is working, run:

# tail -40 /service/dnscache/log/main/current

NTP

NTP is a protocol designed to synchronize the clocks of computers over a network. Many server processes depend on the system clock for proper operation, so it is crucial to have NTP running and to select servers that are reliable and close to you from a network standpoint.

First get the ntp client, run:

# apt-get install ntp ntpdate -y

Then create a script to update the system clock, run:

# cd /etc/init.d
# touch ntp-update.sh
# chmod 755 ntp-update.sh

Edit ntp-update.sh, run:

# nano -w /etc/init.d/ntp-update.sh

Here is an example ntp-update.sh file:

#!/bin/sh
# Hourly clock sync: step the system clock from the NTP pool, then write it
# to the hardware clock. Started once from /etc/rc.local and loops forever.
# No "-e" here: a transient ntpdate failure (network down) must not kill the loop.
sleep 5
while :; do
    # -u uses an unprivileged source port, so this works alongside a running ntpd
    ntpdate -u 0.north-america.pool.ntp.org && hwclock --adjust && hwclock --systohc
    # wait 1 hour
    sleep 3600
done

Then edit /etc/rc.local, run:

# nano -w /etc/rc.local

Here is an example rc.local file:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

#
# NTP script
#
/etc/init.d/ntp-update.sh &
#
exit 0

SMAIL


Most of the services on the server send messages to the local root account. The best way to deal with those messages is to send them out. For that reason we have to set up an email account outside of the organization (on Yahoo or Gmail, etc.), something like example-co-root@gmail.com, and set up forwarding of all messages to your admin account admin@example.com. This way you have redundancy even if your mail server is down or inaccessible. Messages from all servers in your organization will be received and stored on this account.


Smail is an implementation of an Electronic Mail Transport Agent (MTA), i.e. a program used for sending and receiving electronic mail, for Unix-like (POSIX compatible) systems.


Smail's job is to accept mail messages from local files or programs running on the local machine (such as any mail user agent), or from remote hosts by way of network protocols such as SMTP or UUCP, and deliver those messages to the appropriate destinations, be they to remote hosts or to files or programs on the local machine. Smail-3 can also gateway e-mail traffic bi-directionally between disparate underlying mail transport systems, for example between SMTP and UUCP.


To install and configure smail run:

# apt-get --purge install smail

Here is an example of the install and setup:

Reading package lists... Done
Building dependency tree... Done
smail is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0B of archives.
After unpacking 0B of additional disk space will be used.
Setting up smail (3.2.0.115-5.1) ...

I can do certain kinds of automatic configuration of your mail system, by
asking you a number of questions. Later you may want to confirm and/or correct
your answers. In any case, comprehensive information on configuring Smail is
in smail(5) and in /usr/share/doc/smail/ .

You must choose one of the options below:
(1) Internet site: you send and receive Internet mail on this
machine, using SMTP over TCP/IP, select this if you have a smarthost
reachable over SMTP.
(2) UUCP to smarthost (upstream site):
You send and receive mail via UUCP; outbound mail is sent to your
smarthost (probably your service provider) for routing and delivery.
(3) No mail is to be delivered or routed here. Any mail generated on this
system is sent to a central mail switch using SMTP. This configuration is
for workstation, which have mounted /var/mail from a central server.
(4) Local delivery only:
You are not on a network. Mail for local users is delivered.
(5) No configuration will be done now; your mail system will be broken and
should not be used. Use /usr/sbin/smailconfig as root, later.
Select a number from 1 to 4, from the list above.
Enter value (default=`4', `x' to restart): 1


What is the `visible' mail name of your system ?
This will appear on From: lines of outgoing messages.
Enter value (default=`server.example.com', `x' to restart): ip149.example.com

Does this system have any other names which may appear on incoming
mail messages, apart from the visible name above (ip149.example.com)
and the system's hostname (server.example.com) ?
If so enter them here, separated with spaces or commas. If there are
none, say `none'.
Enter value (default=`none', `x' to restart): none

Do you have a smarthost available (and accessible via SMTP) ?

A smarthost is a system to which you forward mail you don't want to
deliver yourself; it presumably has better connectivity or routing
information than you do. Commercial providers usually provide a
smarthost for their customers, and large organisations will often have
a site mail switch which can be used. Use of a smarthost is strongly
recommended (you'll be able to specify exactly when to use it soon).

If a smarthost is available please enter its name (otherwise, `none').
Enter value (`x' to restart): none

Do you want to relay mail from anybody ?

If you allow relay from somewhere, that machine will send it's mail
to this server for delivery, you will become it's smarthost.
You can specify the word 'localnet', that will dinamically match
the net of your localhost, or you can specify the net by it's ip
number and using wildcards. (Example: 192.168.1.*).
If you want to relay to everyone, just write 'all'.
Beware, allowing everyone to relay from your machine, will let
spamers send their junk-mail througth your machine, making you
responsible for that. You shouldn't allow mail relaying from
unknown machines.
You can especify more than one net separating the ip numbers by ':'
Enter value (default=`127.0.0.1', `x' to restart):127.0.0.1

Mail for the `postmaster' and `root' accounts is usually redirected
to one or more user accounts, of the actual system administrators.
By default, I'll set things up so that mail for `postmaster' and for
various system accounts is redirected to `root', and mail for `root'
is redirected to a real user. This can be changed by editing /etc/aliases.

Note that postmaster-mail should usually be read on the system it is
directed to, rather than being forwarded elsewhere, so (at least one of)
the users you choose should not redirect their mail off this machine.

Which user account(s) should system administrator mail go to ?
Enter one or more usernames separated by spaces or commas . Enter
`none' if you want to leave this mail in `root's mailbox - NB this
is strongly discouraged. Also, note that usernames should be lowercase !
Enter value (`x' to restart): none


The following configuration has been entered:

Mail generated on this system will have `ip149.example.com' used
as the host part (after the @) in the From: field and similar places.

Message-ID's, Received lines, etc. will use the system's canonical
hostname, which is currently set to server.example.com.

The following hostname(s) will be recognised as referring to this system:
mail.areyouverified.com, ip149.example.com

Mail for postmaster, root, etc. will be sent to root.

Local mail is delivered.

Outbound remote mail is looked up in the Internet DNS, and delivered
using that data if any is found; failing that messages are bounced.
Mail for the non-DNS UUCP and BITNET domains are sent to the backbone
sites uu.net and cunyvm.cuny.edu for routing, respectively.

Is this OK ? Hit Return or type `y' to confirm it and install,
or `n' to make changes (in which case we'll go round again, giving you
your previous answers as defaults. (y/n) y

You have to select a method starting smail:
The decision as to whether to use a smail daemon, or the inet
daemon depends upon how much mail passes through your site and whether
or not you can always spare 300K of virtual memory.
(1) Generate a line in /etc/inetd.conf. For every remote-connections a
smail session is started. It is the standard.
(2) To invoke a smail daemon at system boot time.
Select a number from 1 to 2, from the list above.
Enter value (default=`1', `x' to restart): 1
Current crontab entry for smail:
# Default `mail' user's crontab, supplied Smail for Debian Linux.
# See /usr/doc/smail/copyright for details, or read smail(5) for details of
# how to configure Smail. Autoconfiguration done by /usr/sbin/smailconfig.
# (min, hour) (dm,m,dw) (command)
3,23,43 * * * * runq

Configuration installed.


Would you like to send a test message now ? Select one of:

Return or Y Yes, test offsite delivery with a message to Harald Alvestrand's
Linux Counter project - you should then receive an autoreply
to postmaster@ip149.example.com.

Do not use this option until mail routing to your machine has
been properly enabled, please !

L Just a local message from root@ip149.example.com
to postmaster@ip149.example.com.

N No, thanks. (You can do this later using /usr/sbin/smailtest.)

Send a test message now ? (y/l/n) l

Test message sent.

Good. You have a recent smail configuration
You have selected to start smail in inetd.conf

You have mail in /var/mail/root

After installation and configuration you have to add root account forwarding in /etc/aliases:

# echo "root: example-co-root@gmail.com" >> /etc/aliases
# newaliases
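The added example below (not part of the original post) follows an /etc/aliases chain the way the MTA does, so you can confirm that mail for root, and for the system accounts that alias to root (postmaster, hostmaster, ...), really ends up at the external mailbox before relying on it for alerts. It also reports a chain that loops back on itself instead of following it forever. The aliases file is a constructed sample and the address is the placeholder used in the text.

```shell
#!/bin/sh
# Added example, not from the original post: follow an /etc/aliases chain the
# way the MTA does, to confirm that mail for root, and for the system accounts
# that alias to root, really ends up at the external mailbox. A chain that
# loops back on itself is reported instead of being followed forever.
# The aliases file is a constructed sample; the address is the placeholder
# from the text.

# alias_target FILE NAME -> the right-hand side of "NAME: target", or nothing
# if NAME is not aliased (comma-separated lists are returned as one string)
alias_target() {
    awk -F: -v name="$2" '
        /^[[:space:]]*#/ { next }
        $1 == name { sub(/^[[:space:]]+/, "", $2); print $2; exit }
    ' "$1"
}

# resolve_alias FILE NAME -> prints the final destination and returns 0,
# or prints "loop at NAME" and returns 1 when the chain cycles
resolve_alias() {
    f=$1; cur=$2; seen=" "
    while :; do
        case "$seen" in *" $cur "*) echo "loop at $cur"; return 1 ;; esac
        seen="$seen$cur "
        next=$(alias_target "$f" "$cur")
        [ -n "$next" ] || { echo "$cur"; return 0; }
        cur=$next
    done
}

# Constructed sample for a stand-alone run (removed on exit)
aliases=$(mktemp)
trap 'rm -f "$aliases"' EXIT
cat > "$aliases" <<'EOF'
# constructed sample of /etc/aliases after the change above
postmaster: root
hostmaster: root
root: example-co-root@gmail.com
# a misconfigured pair that would bounce mail back and forth
alice: bob
bob: alice
EOF

for who in postmaster root winkle alice; do
    printf '%-12s -> %s\n' "$who" "$(resolve_alias "$aliases" "$who")"
done
```

`resolve_alias /etc/aliases root` on the real system should print the external address; a plain local user name means the forwarding line was not picked up (remember to run `newaliases`).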

Now test that it is working, run:

# /usr/sbin/smailtest --localonly

Here is an example of the prompt:

Would you like to send a test message from `root' to `postmaster' ?
Send a test message now ? (y/n) y

Check example-co-root@gmail.com; you should receive the test message.


SYSTEM LOG


Update /etc/logrotate.conf, run:

# nano -w /etc/logrotate.conf

Here is an example file:

# see "man logrotate" for details
# rotate log files daily
daily

# keep 365 days' worth of backlogs
rotate 365

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}

/var/log/btmp {
missingok
monthly
create 0664 root utmp
rotate 1
}

# system-specific logs may be configured here

Install logcheck

# apt-get install logcheck -y

Install logwatch

# apt-get install logwatch -y

Install MUNIN

# apt-get install munin munin-node

Configure MUNIN

# nano -w /etc/munin/munin.conf

Change lines from:

# a simple host tree
[localhost.localdomain]

to:

# a simple host tree
[server.example.com]

Restart munin:

# /etc/init.d/munin-node restart


Then install thttpd

# apt-get install thttpd thttpd-util

Configure thttpd

# nano -w /etc/thttpd/thttpd.conf

Change

port = 38964

and change

dir = /var/www/munin

Ensure that this port is not firewalled.

Check that it is working by going to http://server.example.com:38964


32 bit extensions

If you are running 64 bit Linux install the 32-bit Extensions to allow 64-bit Linux to run 32-bit applications.


# apt-get install ia32-libs linux32 -y