The Perfect Server - Ubuntu Hardy Heron (Ubuntu 8.04 LTS Server) - Page 3

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Submitted by falko (Contact Author) (Forums) on Thu, 2008-04-24 14:07. ::

4 Enable The root Account

After the reboot you can login with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial as root user, we must enable the root account now.

Run

sudo passwd root

and give root a password. Afterwards we become root by running

su

 

5 Install The SSH Server (Optional)

If you did not install the OpenSSH server during the system installation, you can do it now:

apt-get install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu 8.04 LTS server and follow the remaining steps from this tutorial.

 

6 Install vim-full (Optional)

I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-full:

apt-get install vim-full

(You don't have to do this if you use a different text editor such as joe or nano.)

 

7 Configure The Network

Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):

vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run

echo server1.example.com > /etc/hostname
/etc/init.d/hostname.sh start

Afterwards, run

hostname
hostname -f

Both should show server1.example.com now.

 

8 Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:

vi /etc/apt/sources.list

#
# deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted
#deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ hardy main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://de.archive.ubuntu.com/ubuntu/ hardy universe
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy universe
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ hardy multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy multiverse
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository. This software is not part of Ubuntu, but is
## offered by Canonical and the respective vendors as a service to Ubuntu
## users.
# deb http://archive.canonical.com/ubuntu hardy partner
# deb-src http://archive.canonical.com/ubuntu hardy partner
deb http://security.ubuntu.com/ubuntu hardy-security main restricted
deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted
deb http://security.ubuntu.com/ubuntu hardy-security universe
deb-src http://security.ubuntu.com/ubuntu hardy-security universe
deb http://security.ubuntu.com/ubuntu hardy-security multiverse
deb-src http://security.ubuntu.com/ubuntu hardy-security multiverse

Then run

apt-get update

to update the apt package database and

apt-get upgrade

to install the latest updates (if there are any).

 

9 Change The Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

ln -sf /bin/bash /bin/sh

If you don't do this, the ISPConfig installation will fail.

 

10 Disable AppArmor

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove

Till told me that he also had to do this step (which was not necessary on my installation), so if you want to go sure, do this on your system as well:

apt-get remove apparmor apparmor-utils

up

Copyright © 2008 Falko Timme
All Rights Reserved.
add comment | view as pdf view as pdf | print: this | all page(s) |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
dont enable root
Submitted by Anonymous (not registered) on Sat, 2009-12-12 02:27.
instead just go sudo -i and type your password and then it spawns a root shell
reply | view as pdf view as pdf
Steps 9 and 10
Submitted by Kees Cook (not registered) on Fri, 2008-12-05 23:00.

Step 9: do not symlink over /bin/sh.  This will slow down your system, and will be broken by any updates that reinstall dash.  If ISPConfig requires bash, fix ISPConfig -- don't break the OS.

 

Step 10: do not uninstall AppArmor.  If there are specific services that are modified to work outside of the existing service profiles, just disable the one profile until you can fix the profile.  For example:

  aa-complain bind9

Then review your logs (via dmesg or /var/log/messages), and update your profiles:

  aa-logprof

For more details on how to use AppArmor and other new features of Ubuntu, please read the official documentation:

 https://help.ubuntu.com/community/AppArmor

reply | view as pdf view as pdf
Re: Steps 9 and 10
Submitted by Lee (not registered) on Tue, 2009-01-06 09:10.
How will you fix ISPconfig?
reply | view as pdf view as pdf
Re: Steps 9 and 10
Submitted by EnKK (not registered) on Fri, 2008-12-19 08:26.

> Step 9: do not symlink over /bin/sh

I don't know what issues does ISPConfig have with dash, but you won't be able to compile apache when dash is /bin/sh. Apache's config script complains about the broken echo command, and, using awk and echo to do the needed preparations for compilation, apache is unable to configure itself. There are plenty of situations when you need to compile the code yourself.

> will be broken by any updates that reinstall dash

Easily fixed by hand. OK, I have a maniac solution here, put it on cron to check if /bin/sh is properly simlinked LOL

> If ISPConfig requires bash, fix ISPConfig

:-) That's one great note! I was told there's some company in Redmond that thinks exactly this way. Seriously, if the dash thing is the problem, let's not break something that works smoothly.

Have a nice day!

reply | view as pdf view as pdf
Re: Re: Steps 9 and 10
Submitted by Anonymous (not registered) on Mon, 2009-09-07 11:44.
>> If ISPConfig requires bash, fix ISPConfig

>:-) That's one great note! I was told there's some company in Redmond that thinks exactly this way. Seriously, if the dash thing is the problem, let's not break something that works smoothly.
 
 If ISPConfig requires bash to work, it MUST use /bin/bash instead of /bin/sh, so ISPConfig IS broken and MUST be fixed. Asuming that /bin/sh acts like /bin/bash is WRONG.
 
 It's foolish to break the system to fix a broken app.
reply | view as pdf view as pdf
regarding 5 Install The SSH Server (Optional):
Submitted by serge.kutin (registered user) on Fri, 2008-06-20 00:32.

apt-get install vim-full will install the full version with GUI (a lot of extra useless libs)

to change tiny version to full but with no GUI I would recommend

apt-get install vim

Regards,

Serge

reply | view as pdf view as pdf
Missing info for newbies - IMPORTANT -
Submitted by Freq E Tag (registered user) on Tue, 2008-08-19 15:44.

It should really be noted what the commands to enter text, save and quit are.

To begin editing in vi - type "a" (no quotes on any command)

When editing complete hit "esc"

To save file type ":w"

To exit vi type ":q"

I struggled with this for quite some time, and it may be a simple thing for gurus who use vi, but there many people with limited knowledge here (like me) so it may make sense to include the commands in with the actual tutorial.

Thanks for a great howto!

reply | view as pdf view as pdf
Re: Missing info for newbies - IMPORTANT -
Submitted by Kim Mogensen (not registered) on Thu, 2010-01-14 22:57.

Why not just post one of the many sites you find at google when you search the web. Took me 5 seconds and first hit is quite ok: http://www.cs.colostate.edu/helpdocs/vi.html.

 Cheers!

 Kim

reply | view as pdf view as pdf
Is the Static IP Necessary?
Submitted by Illuma (registered user) on Thu, 2008-05-01 18:52.
I was wondering if the Static IP configuration step is absolutely necessary in order for the rest of this tutorial to work correctly. I use DHCP for all of my servers so that I can manage their IP allocation from one central place.
reply | view as pdf view as pdf
Root user issue:
Submitted by cornbread (registered user) on Fri, 2008-04-25 00:54.
Please change this page to tell people they need to use sudo for all of their commands. If they really need to access the root user in ubuntu they can type sudo su and it will go to root user. It is inherintly insecure to enable the root user. TIA
reply | view as pdf view as pdf
You don't have to use sudo
Submitted by Leszek (registered user) on Fri, 2008-04-25 20:18.
You don't have to use sudo if you've done what's written in step 4 of the tutorial.
reply | view as pdf view as pdf
whole comment
Submitted by cornbread (registered user) on Sat, 2008-04-26 17:20.

My whole comment is pertaining to opening up a security hole in your computer by enabling the root account. The second part of my comment talks about how to use root permissions without needing to enable the root account by using sudo su whch gives you root access #.

If the tutorial must show how to enable the root account(which it doesn't) I would appreciate it if it told users how to lock the root account when done. sudo passwd -l root

reply | view as pdf view as pdf
I don't think of it as a
Submitted by Leszek (registered user) on Tue, 2008-04-29 01:47.

I don't think of it as a security hole if you enable root account but it's good to use sudo.You can disable the root account after finishing the tutorial.

reply | view as pdf view as pdf
Sponsored Links: Turn your desk phone and mobile phone into one with Sprint Mobile Integration.
www.seamlessenterprise.com

One number. One voicemail. Seize the lead. Sprint Mobile Integration.
www.seamlessenterprise.com

One Number. One Voicemail.
Make it easier for clients to reach you. Turn your desk phone and mobile phone into one with Sprint Mobile Integration.
www.seamlessenterprise.com

One number. One voicemail. Sprint Mobile Integration.
www.seamlessenterprise.com

AT&T Synaptic Compute as a Service. Boost your power on demand.

Trial: IBM Cognos Express Reporting, Analysis & Planning