The Perfect SpamSnake - Ubuntu 8.04 LTS - Page 2
On this page
- 1.3 Enable The root Account
- 1.4 Install vim-full (Optional)
- 1.5 Configure The Network
- 1.6 Edit /etc/apt/sources.list And Update Your Linux Installation
- 1.7 Change The Default Shell
- 1.8 Disable AppArmor
- 1.9 Install Some Software
- 1.10 Install Unarj
- 1.11 Install Perl Modules(Pre-requisites)
- 1.12 Webmin
- 1.13 Remove Programs
- 1.14 Cleaning up services
1.3 Enable The root Account
After the reboot you can log in with your previously created username (e.g. administrator). Because we must run all the steps from this tutorial as root user, we must enable the root account now. Run
sudo passwd root
and give root a password. Afterwards we become root by running
su
1.4 Install vim-full (Optional)
I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on Ubuntu and Debian; to fix this, we install vim-full:
apt-get install vim-full
(You don't have to do this if you use a different text editor such as joe or nano.)
1.5 Configure The Network
Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
vi /etc/network/interfaces
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet static address 192.168.0.100 netmask 255.255.255.0 network 192.168.0.0 broadcast 192.168.0.255 gateway 192.168.0.1
Then restart your network:
/etc/init.d/networking restart
Then edit /etc/hosts. Make it look like this:
vi /etc/hosts
127.0.0.1 localhost.localdomain localhost 192.168.0.100 server1.example.com server1 # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts
Now run
echo server1.example.com > /etc/hostname
/etc/init.d/hostname.sh start
Afterwards, run
hostname
hostname -f
Both should show server1.example.com now.
1.6 Edit /etc/apt/sources.list And Update Your Linux Installation
Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:
vi /etc/apt/sources.list
# # deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted #deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted # See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to # newer versions of the distribution. deb http://de.archive.ubuntu.com/ubuntu/ hardy main restricted deb-src http://de.archive.ubuntu.com/ubuntu/ hardy main restricted ## Major bug fix updates produced after the final release of the ## distribution. deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricted deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricted ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team, and may not be under a free licence. Please satisfy yourself as to ## your rights to use the software. Also, please note that software in ## universe WILL NOT receive any review or updates from the Ubuntu security ## team. deb http://de.archive.ubuntu.com/ubuntu/ hardy universe deb-src http://de.archive.ubuntu.com/ubuntu/ hardy universe deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates universe deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates universe ## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu ## team, and may not be under a free licence. Please satisfy yourself as to ## your rights to use the software. Also, please note that software in ## multiverse WILL NOT receive any review or updates from the Ubuntu ## security team. deb http://de.archive.ubuntu.com/ubuntu/ hardy multiverse deb-src http://de.archive.ubuntu.com/ubuntu/ hardy multiverse deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiverse deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiverse ## Uncomment the following two lines to add software from the 'backports' ## repository. ## N.B. software from this repository may not have been tested as ## extensively as that contained in the main release, although it includes ## newer versions of some applications which may provide useful features. ## Also, please note that software in backports WILL NOT receive any review ## or updates from the Ubuntu security team. # deb http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse # deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse ## Uncomment the following two lines to add software from Canonical's ## 'partner' repository. This software is not part of Ubuntu, but is ## offered by Canonical and the respective vendors as a service to Ubuntu ## users. # deb http://archive.canonical.com/ubuntu hardy partner # deb-src http://archive.canonical.com/ubuntu hardy partner deb http://security.ubuntu.com/ubuntu hardy-security main restricted deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted deb http://security.ubuntu.com/ubuntu hardy-security universe deb-src http://security.ubuntu.com/ubuntu hardy-security universe deb http://security.ubuntu.com/ubuntu hardy-security multiverse deb-src http://security.ubuntu.com/ubuntu hardy-security multiverse
Then run
apt-get update
to update the apt package database and
apt-get upgrade
to install the latest updates (if there are any).
1.7 Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:
ln -sf /bin/bash /bin/sh
1.8 Disable AppArmor
AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem).
We can disable it like this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
1.9 Install Some Software
Now we install a few packages that are needed later on. Run
apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.3-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential dpkg-dev db4.3-util vim bzip2 perl-doc libwww-perl libdbi-perl libconvert-binhex-perl libmail-spf-query-perl rblcheck libnet-ident-perl tnef pax libberkeleydb-perl unzoo arj lzop nomarch arc zoo libdb-file-lock-perl
(This command must go into one line!)
1.10 Install Unarj
cd /usr/src
wget http://http.us.debian.org/debian/pool/main/a/arj/unarj_3.10.21-2_all.deb
dpkg -i unarj_3.10.21-2_all.deb
1.11 Install Perl Modules(Pre-requisites)
Can be installed via perl -MCPAN or Webmin. I find that doing this through Webmin is better.
perl -MCPAN -e shell
install Module::Build
install Mail::SPF (Needed for SPF Checking)
install NetAddr::IP (Needed for SPF Checking)
install MLDBM::Sync this should also install MLDBM (Needed for MailWatch)
apt-get install libdbd-mysql-perl libapache-dbi-perl (Needed for MailWatch)
1.12 Webmin
apt-get install libauthen-pam-perl libio-pty-perl libmd5-perl libnet-ssleay-perl
Download latest webmin using the following command:
wget http://internap.dl.sourceforge.net/sourceforge/webadmin/webmin_1.410_all.deb
Now we have webmin_1.410_all.deb package; you need to install it using the following command:
dpkg -i webmin_1.410_all.deb
If your server complains that there is some library it does not find, just run the following command
apt-get install -f
You should now be able to login to Webmin at the URL https://localhost:10000/
1.13 Remove Programs
Now we also need to remove some programs, hopefully you don't need PCMCIA or printer support. This server will not need dial-up support either. You will not necessarily have all of these programs installed.
Uninstall the following software (all one line):
apt-get remove pcmciautils ubuntu-minimal pppoeconf ppp pppconfig
1.14 Cleaning up services
Some services might still linger even after uninstalling the daemons. First we need to backup inet.d:
cp -R /etc/init.d /etc/init.d.backup
Now we can stop all of the services that might be running which we don't need:
/etc/init.d/pcmciautils stop
update-rc.d -f pcmciautils remove
Disable all of the services we stopped:
update-inetd --disable time
update-inetd --disable daytime
update-inetd --disable echo
update-inetd --disable chargen
update-inetd --disable ident
update-inetd --disable discard
The last one may ask you a question regarding "multiple entries", answer yes (y).
Check that we got everything:
lsof -i | grep LISTEN
The only daemon you should see at this point is *:ssh and miniserv. You may have to run this again:
update-inetd --disable discard
If there are other programs shown, try rebooting and test again.