Quickly Setting Up and Securing an Ubuntu Server_web-based control panel

You may find:

buy cheap web hosting php ; mysql support ; web hosting unlimited bandwidth ; web hosting companies ; buy domain hosting site web ; buy domain network layout for web hosting service free

Quickly Setting Up and Securing an Ubuntu Server

Tag：web-based control panel buy web hosting |

18 Viewers|

edtechdev 2007-11-15 10:56:41 Publish:

I'm setting up an old desktop as a server at school. I was going to post details about it later, but after seeing this article claiming that there are hundreds of thousands of unsecured databases out there, I thought I'd go ahead and post some of the basics on installing and securing a server running Ubuntu Linux. UPDATE: These notes were created when Ubuntu 7.10 "Gutsy" was out, but I've tweaked them for changes in 8.10 Intrepid. They should hopefully work with 9.04 Jaunty too.

I'm assuming Ubuntu is already installed. In my case, the desktop version (not the server version which already has most of this pre-installed). I want to quickly convert it to a server to use for some research.

Step 0: Do You Need It? - There are cheap and much more reliable ways to run your own server applications. Providers such as Linode or Bytemark offer you "virtual root" linux servers for as little as under $20 a month using Linux virtual machines such as User-Mode Linux (UML), Xen, and VMWare. I've used them before for years.
I'm running a server on my own machine instead for this project because it is a small project, it is free this way, and because I think the .edu domain name makes a difference (the URL is part of any website's interface).
Most of the information below applies anyway if you are using a virtual root hosting service, since you'll have to install and set up much of your server software in the same manner.

Step 1: Get Connected - Make sure you have a stable IP address and a domain name that can be used to connect to your machine. You'll have to work with your network administrator to do this, or purchase your own domain name at places like NetworkSolutions.com [UPDATE: don't use networksolutions, anytime you search for a domain, they automatically register it themselves so they can charge more], Register.com, or GoDaddy.com, or else use a free service like DynDNS.com.

If want to find out what is your IP address and hostname, you can use commands like "ifconfig" and "nslookup" or visit sites like whatismyip.com and samspade.com.

Once you are assigned an IP address and domain name, set the domain name for your machine by editing the /etc/hostname file:

sudo nano /etc/hostname

And put your hostname there all alone on one line:

my.domain.name.edu

Type control-X to quit and save the file.
You can also add information about your IP address and hostname to the /etc/hosts file. Say for example your IP is 123.123.123.123, add a line like this to the file (using "sudo nano /etc/hosts"):

123.123.123.123 your.domain.name.edu

Step 2: Use a Strong Password - Something very long that uses lower case, upper case letters, numbers, and symbols. This is very important.
You can do it graphically by going to System->Administration->Users and Groups, or on the command line (using Terminal), by simply running:

passwd

Optional: You can also set passwords for your bios and for the grub bootloader. In your BIOS also, you can set the boot order of devices so that the hard drive is first, so that people can't pop in a CD and override your system.

Step 3: Install SSH Server - This is so you can login to your computer remotely through an encrypted connection. If you are using the Terminal command line shell application, you can install like so:

apt-get install ssh openssh-server

Otherwise, you can use the graphical Synaptic package manager to search for "ssh" and install the same packages.

Optional: Edit the /etc/ssh/sshd_config file to change the default port ssh uses for connections from 22 to some other value. Change the line that reads "Port 22". Our ssh servers on campus are attacked all the time. Changing the port to something non-default alleviates it somewhat (but you still need to run a firewall and keep system up to date and backed up, too).

sudo nano /etc/ssh/sshd_config

Restart ssh

sudo invoke-rc.d ssh restart

Test it out by connecting to your server from another computer, using an ssh client (like "ssh" on the command line, or Putty on windows, etc.). Say you made the port 987 and your username is "bob", then the command to connect is:

ssh bob@my.domain.name.edu -p 987

Step 4: Install LAMP software - the Apache 2 webserver, PHP 5, & MySQL 5. To do this quickly, we can use either tasksel (on the command line), or Synaptic. In Synaptic, selected Edit->Mark Packages by Task... and check the LAMP server option and install.
Or else on the command line, run

sudo tasksel

and select the LAMP server option. If tasksel is not installed run "sudo apt-get install tasksel".

Apache, MySQL, and PHP will now be installed. It should ask you for a root password to use with MySQL. Again, pick a strong password. MySQL should be already configured also to not accept any connections except from the local machine.

The main Apache configuration files are located at:

/etc/apache2/apache2.conf
/etc/apache2/sites-enabled/000-default

in case you want to make any changes.
The root folder for your webserver HTML documents is:

/var/www

Edit the index.html file, for example, to change the homepage.
Check out your webserver at http://your.domain.name.edu/

Step 5: Setup a Firewall - This is very important, too. You can block all outside access to your machine except via the ports you want to keep open. The webserver uses port 80, and ssh uses whatever port you set in /etc/ssh/sshd_config (22 by default).
There are 2 options to consider for your firewall in Ubuntu. If you are still using the machine as a desktop machine, too, you might consider installing FireStarter, a graphical firewall manager. I use that on my laptop. On the server though, I am using Shorewall, since it can be configured from the command line (perhaps Firestarter can as well, but I don't know).

To install Shorewall, type this on the command line:

sudo apt-get install shorewall

Then type these commands: whforl_old: cd /usr/share/doc/shorewall/default-config cd /usr/share/doc/shorewall-common/default-config sudo cp interfaces /etc/shorewall/ sudo cp policy /etc/shorewall/ sudo cp rules /etc/shorewall/ sudo cp zones /etc/shorewall/ Using your text editor command (such as sudo nano or sudo gedit), you need to edit those 4 files. Add this line before the last line of /etc/shorewall/interfaces: net eth0 detect Add this line before the last line of /etc/shorewall/zones: net ipv4 You should also have a line that says "fw firewall" in the zones file. Put these lines before the last line of /etc/shorewall/policy: fw net ACCEPT net all DROP info all all REJECT info And add these lines to your /etc/shorewall/rules file after the SECTION NEW line: #change "22" to the port you used for ssh if not the default one: ACCEPT net fw tcp 22 ACCEPT net fw tcp www,https Change 22 to the port you used for ssh. Remove ",https" if you have no intention of ever installing the ssl module for the apache webserver (for secure web transactions).

Finally, edit /etc/default/shorewall file by changing the line that reads startup=0 to:

startup=1

You can startup the firewall with the command:

sudo invoke-rc.d shorewall start

Other options you can pass to invoke-rc.d in general include start, stop, and restart.

(Update) Step 5b: Install fail2ban - fail2ban will block attackers who try to brute force your ssh or apache or other services. sudo apt-get install fail2ban sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local and edit the jail.local file.

See more instructions here and here.
I set "enabled=true" for the ssh, apache, postfix jails. I also added the apache-badbots jail: [apache-badbots] enabled = true port = http,https filter = apache-badbots logpath = /var/log/apache*/*access.log maxretry = 2 I would also add that if you want ban reports emailed to you, change "destemail" to your email and set "action = %(action_mwl)s". You will also probably have to "sudo apt-get install mailx" for email sending to work. "cat /var/log/fail2ban.log" to see errors or log messages.

Step 6: Keep Your System Up to Date - Run the commands sudo apt-get update sudo apt-get upgrade to keep all your installed software up to date. This is important for example if a security flaw is revealed in apache or ssh, for example (or webmin, which had a huge hole in it until recently). Updating your machine will install new versions that fix the security flaws. You can run the above commands automatically every day even using crontab if you wish, and/or install the unattended-upgrades package: sudo apt-get unattended-upgrades There are various crontab tutorials around the web.

Step 7: Monitor Your Site - There are various tools you can install and use to monitor your site, such as webalizer (apache statistics), webmin (a web-based control panel for your server), and others. crontab plus shell scripts (in bash, python, perl, etc.) can be used to email you whenever a server application goes down, or restart the application automatically. There are other watchdog tools out there for this kind of thing as well.

Step 8: Backup Your Machine - You'll want to keep regular backups of the files on your server. You can backup the files to a remote computer, for example, or a second hard drive. You can setup a RAID configuration so that multiple drives store your information redundantly.

For a simple copy and compress backup to another drive (something like I use on the laptop), you can run a command like this:

sudo tar cpzf /media/path/to/backup/folder/my-backup.tar.gz --exclude=/proc/* --exclude=/lost+found/* --exclude=/dev/* --exclude=/mnt/* --exclude=/media/* --exclude=/sys/* --exclude=/tmp/* --exclude=/var/cache/apt/* /

For a server though, it is better to use something like rsync, which can be configured to only backup what has changed since the last time you backed up (incremental backups). See for example:

Time Machine-like Backup for Linux Computers

Easy Automated Snapshot-Style Backups with Rsync

Backups using rync

and google for rsync backup for other tutorials

Remember to learn how to recover the files from your backup as well.

More Resources

For more resources, see sites such as these:

Ubuntu Server Guide

Securing Your Ubuntu Server - my shorewall instructions were based on these

The Perfect Server - Ubuntu 7.10

Quick Linux Server

Comments:

I just want to say, THANK YOU SO MUCH for posting this tutorial! I am also setting up an ubuntu server at my school and didn't want to rely on the X-GUI any longer. Thanks again,
Rob

Comments:

Here also are instructions for fixing your server's ssh keys, which were vulnerable to an attack apparently until a recent fix was released:
http://ubuntu-tutorials.com/2008/05/13/openssh-openssh-vulnerabilities-confirm-fix-instructions/

Comments:

Also, in shorewall, the rules file, you might unblock port 25 too for email (the smtp server).

ACCEPT net fw tcp 25

ACCEPT net fw udp 25

Comments:

Ah, I thought setting up shorewall was complicated - you made it not! Thanks!

Comments:

I recommend using fail2ban also to block bots or whatever after they repeatedly try to login to ssh or other things.

sudo apt-get install fail2ban

Then

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and edit the jail.local file

See:

http://www.pragmaticutopia.com/blog-mainmenu-125/Fail2ban-on-Ubuntu-LAMP.html

http://www.howtoforge.com/fail2ban_debian_etch

http://edin.no-ip.com/content/filter-spam-or-bad-robot-visit-your-apache-with-fail2ban

You can actually change the banaction line in jail.local from iptables-multiport to 'shorewall' but I can't find much documentation on that. I left it as the default for now. iptables is already installed by default (shorewall is an iptables wrapper).

Yahoo: buy web hosting Quickly Setting Up and Securing an Ubuntu Server web-based control panel
Google: web-based control panel Quickly Setting Up and Securing an Ubuntu Server buy web hosting

1
DIG IT

Related

›› GET MONEY ONLINE: Free Web Hosting List
›› SEO Tools Lead To Improved Search Engine
›› KVM & OpenVZ Virtualization And Cloud Co
›› instant Messenger: Openfire, Spark & web
›› LunarPages Control Panel
›› Web Based Malware Emphasizes on Anti-Deb
›› Open Source Hosting Control Panel
›› Control panel (web hosting)
›› A Teacher - Parent - Student Web-based P
›› Open source Web Hosting Control Panel

FreeHosting Latest

›› C++, J2EE, Perl application Support Engi
›› Perl's popularity probl...
›› PHP/Perl Web Server Programmer Needed Wo
›› CinePaint and Perl
›› DarkPAN SchmarkPAN -- STOP THE MEME
›› Padre Perl 6 Help and Tablets
›› Padre's Perl 6 version 0.54
›› Padre Perl 6 lucky grok release
›› The (bad) State of IPv6 in Perl
›› Reboot: Adding Perl Support to Google Ap
›› Padre's Perl 6 support and Ecliptic
›› The Mail app and Gmail!

FreeHosting Popular

›› Another question about Scarlet Letter...
›› Joomla/Virtuemart?
›› About invision power and vbulletin forum
›› HostRocket Review - HostRocket Web Hosti
›› Layered Adds Automation Platform
›› Phpbb forum hosting that allows checks?
›› Shameless Euro-Biotech Forum Promotion
›› Which are some of the free wbsite hostin
›› Top 10 Travel TV Show Hosts
›› How do you add PHP support to apache web
›› Calculate a bandwidth for a live event?
›› Megan Fox in Esquire Magazine