Ubuntu 8.04 LTS 64-bit Server on Linode
August 7th, 2008 by derek
This guide is a step by step walk through for setting up an Ubuntu 8.04 LTS 64-bit server on Linode.
Assuming a Linode 360 with 12288 megs of space, partition as follows:
- Ubuntu Image: 11776MB
- Swap: 512MB
The default swap size is only 256MB, but the recommended standard is to use between 1 and 2 times the amount of RAM installed on the machine. A base Linode has 360MB of RAM, so 512MB is a safe size to use.
Getting Started
First thing, grab your favorite text editor, such as nano or vi using aptitude or apt-get.
aptitude install nano
If you would like auto completion in interactive shells, edit your bash.bashrc file
nano /etc/bash.bashrc
and uncomment the following block to look as follows
[...]
# enable bash completion in interactive shells
if [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
fi
[...]
For some reason bash-completion is not installed by default
aptitude install bash-completion
There is no need to reboot, just restart bash and autocomplete should be working for interactive shells
bash
To try it out, you can do something like ‘aptitude inst<tab>’ and it should complete as ‘aptitude install’
If you enjoy using manpages, you will need to install the man binary.
aptitude install man-db
You may have seen perl warnings complaining that the locale information is not set when trying to install anything from the repositories. To get this fixed, first install the locales package
aptitude install locales
and then define your locale information with the following command.
localedef -i en_US -c -f UTF-8 en_US.UTF-8
Be sure to replace the locale name if you need something other than en_US.
Now we need to get everything up to date
aptitude update
aptitude safe-upgrade
Clean up any old update files and reclaim some space
aptitude autoclean
Server Configuration
HowtoForge has a great guide for setting up an Ubuntu 8.04 server. Credit goes to them for several of the server configuration sections listed below, and I highly recommend supporting them and checking out their library of guides.
By default, Ubuntu will have DHCP enabled. To get a static IP address, edit the interfaces file
nano /etc/network/interfaces
Replace the line
iface eth0 inet dhcp
with the following (substitute the values for your Linode’s information)
iface eth0 inet static
    address 192.168.1.150
    netmask 255.255.255.0
    gateway 192.168.1.1
Restart networking
/etc/init.d/networking restart
Edit your hosts file
nano /etc/hosts
Add a line mapping your host name to your server IP. For example
[...]
127.0.0.1 localhost
[...]
becomes
[...]
127.0.0.1 localhost
192.168.1.150 myserver.com myserver
[...]
Add the host name to the hostname file (it should be empty)
nano /etc/hostname
and add your host name
myserver.com
Start the hostname.sh shell script
/etc/init.d/hostname.sh start
Test that everything is working by running
hostname
It should display your host name.
Install Applications
MySQL
aptitude install mysql-server mysql-client libmysqlclient15-dev
You will be prompted to enter and re-enter a root password for MySQL.
Apache
aptitude install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert
PHP5/Ruby
aptitude install libapache2-mod-php5 libapache2-mod-ruby php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Edit /etc/apache2/mods-available/dir.conf
nano /etc/apache2/mods-available/dir.conf
Change
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
to (adding ‘index.shtml index.php3’ to the line above)
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm index.shtml index.php3
Enable common apache modules
a2enmod ssl
a2enmod suexec
a2enmod include
a2enmod rewrite
eAccelerator for PHP (optional)
cd /usr/src
wget http://bart.eaccelerator.net/source/0.9.5.3/eaccelerator-0.9.5.3.tar.bz2
tar -xvjf eaccelerator-0.9.5.3.tar.bz2
cd eaccelerator-0.9.5.3
phpize
./configure
make
make install
Create the eaccelerator cache directory and assign the right ownership to it (the owner and group have to be the user and group apache is running as – in this case www-data) by executing the commands:
mkdir /tmp/eaccelerator
chown -R www-data:www-data /tmp/eaccelerator/
The last thing to do is to enable eAccelerator in your php.ini file:
nano /etc/php5/apache2/php.ini
And add the following lines to the end of the file:
;uncomment if you want to use as a Zend extension
;zend_extension="/usr/lib/php5/eaccelerator.so"
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
For more information on what these settings do, check out the eAccelerator config file settings page.
Reload Apache to load the new modules
/etc/init.d/apache2 force-reload
Go to your site (i.e. http://192.168.1.150) and you should see the default Apache page displaying ‘It works!’
To test that Apache is parsing PHP, make a new php file for Apache to display
nano /var/www/test.php
and add the following
Go to the test page (i.e. http://192.168.1.150/test.php) and you should see all the information about your PHP install.
It is a good idea to synchronize the clock to an internet time server
aptitude install ntp ntpdate
If you want a little protection from brute force attacks, fail2ban is an easy tool that uses IPTables and does the hard stuff for you.
aptitude install fail2ban
Fail2ban has a main configuration file that you should not edit. Instead the main config file is used as the default and local configurations override those settings when needed. This way you can create finer grain control and still have the defaults in place to catch situations for which you haven’t defined rules. To start, copy over the main config file into a local config file to edit.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now edit the local config file
nano /etc/fail2ban/jail.local
The comments in the config file explain the options pretty well. A quick rundown of some of the basics:
- ignoreip: Space separated list of IPs that will never be banned. Localhost is added by default, and you should add any machines that you don’t think fail2ban needs to monitor for brute force attacks (such as your personal computers).
- bantime: The time an IP address will be blocked if it exceeds the maximum number of login attempts. After that time, the IP will be removed from the banned list and allowed to log in again. Set this to -1 if you want bans to remain in effect indefinitely.
- maxretry: The maximum number of login attempts before the IP is banned.
- action: This determines how fail2ban reacts when an IP exceeds the allowed number of logins. There are 3 predefined shortcuts so you don’t have to figure out the syntax on this. The first, ‘action_’, just bans the IP. ‘action_mw’ will ban the IP and send you an e-mail with a whois report on that IP. Last, ‘action_mwl’ will ban the IP and send an e-mail with a whois report and the relevant log file lines that caused the IP to be banned. The default is ‘action = %(action_)s’. To change to one of the other shortcuts, replace only the ‘action_’ part. For example, if you wanted to ban with e-mail alerts containing the whois report and log file lines you would use ‘action = %(action_mwl)s’ since the shortcut for that is ‘action_mwl’.
- destemail: If you elect to receive emails from fail2ban, this specifies the e-mail address to which it should send the notifications.
The last thing to do in the config file is enable the sections that correspond to the services you want to monitor. These are under the ‘JAILS’ section. This is done by setting the ‘enabled’ flag to true for a given section. For the simple server above, I would recommend the following:
...
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
...
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
...
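How the default/local layering and the ‘action’ shortcut resolve, as an added example that is not part of the original guide: fail2ban is written in Python and its %(name)s syntax is Python configparser interpolation, so the standard library can reproduce the lookup. Both config texts are constructed and trimmed, and the action_* values are placeholders rather than fail2ban's real action strings.

```python
import configparser

# Constructed, trimmed stand-in for jail.conf; action_* values are placeholders.
JAIL_CONF = """
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 600
maxretry = 3
action_ = ban-only
action_mw = ban+whois-mail
action_mwl = ban+whois-mail+log-lines
action = %(action_)s
[ssh]
enabled = false
[apache]
enabled = false
"""

# Constructed local overrides using the options described above.
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1 192.168.1.20
action = %(action_mwl)s
[ssh]
enabled = true
maxretry = 6
[apache]
enabled = true
maxretry = 6
"""

def effective_jails(*layers):
    """Merge config layers in order and return the resolved settings per jail."""
    cp = configparser.ConfigParser()
    for text in layers:
        cp.read_string(text)  # a later layer overrides the same key in an earlier one
    return {
        name: {
            "enabled": cp[name].getboolean("enabled", fallback=False),
            "maxretry": cp[name].getint("maxretry"),  # jail value, else [DEFAULT]
            "bantime": cp[name].getint("bantime"),
            "action": cp[name].get("action"),  # %(action_...)s is expanded here
            "ignoreip": cp[name].get("ignoreip").split(),
        }
        for name in cp.sections()  # [DEFAULT] is not listed as a jail
    }

if __name__ == "__main__":
    print(effective_jails(JAIL_CONF, JAIL_LOCAL))
```

With only the defaults loaded, both jails stay disabled and inherit maxretry = 3; adding the local layer enables them, raises maxretry to 6 and switches every jail to the ‘action_mwl’ shortcut.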
After you get your configuration in place, restart the fail2ban service
/etc/init.d/fail2ban restart
I am not going to cover how to set up a mail server here because there is now a wonderful guide on HowtoForge. Using the HowtoForge guide for Virtual Users And Domains With Postfix, Courier, MySQL And SquirrelMail (Ubuntu 8.04 LTS) will give you a mail server that supports IMAP and POP with virtual users and domains all configured via a MySQL database and much more.
Note that if you do use the mail server guide and run fail2ban, enable the [postfix], [courierpop3], [courierimap], and [sasl] sections in the fail2ban jail.local file.
Responses
hadi esmaeeli on September 14th, 2009 at 12:34 pm
Thanks, very useful.