This guide is a step by step walk through for setting up an Ubuntu 8.04 LTS 64-bit server on Linode.
Assuming a Linode 360 with 12288 megs of space, partition as follows:
- Ubuntu Image: 11776MB
- Swap: 512MB
The default swap size is only 256MB, but the usual recommendation is to use between 1 and 2 times the amount of RAM installed on the machine. A base Linode has 360MB of RAM, so 512MB is a safe size to use.
Getting Started
First, install your favorite text editor, such as nano or vi, using aptitude or apt-get.
aptitude install nano
If you would like auto completion in interactive shells, edit your bash.bashrc file
nano /etc/bash.bashrc
and uncomment the following block so that it reads:
[...]
# enable bash completion in interactive shells
if [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
[...]
For some reason bash-completion is not installed by default
aptitude install bash-completion
There is no need to reboot, just restart bash and autocomplete should be working for interactive shells
bash
To try it out, you can do something like aptitude inst<tab> and it should complete as aptitude install
If you like using manpages, you will need to install the man binary.
aptitude install man-db
You may have seen Perl warnings complaining that the locale information is not set when trying to install anything from the repositories. To fix this, first install the locales package
aptitude install locales
and then define your locale information with the following command.
localedef -i en_US -c -f UTF-8 en_US.UTF-8
Be sure to replace the locale name if you need something other than en_US.
Now we need to get everything up to date
aptitude update
aptitude safe-upgrade
Clean up any old update files and reclaim some space
aptitude autoclean
Server Configuration
HowtoForge has a great guide for setting up an Ubuntu 8.04 server. Credit goes to them for several of the server configuration sections listed below, and I highly recommend supporting them and checking out their library of guides.
By default, Ubuntu will have DHCP enabled. To get a static IP address, edit the interfaces file
nano /etc/network/interfaces
Replace the line
iface eth0 inet dhcp
with the following (substitute the values for your Linode’s information)
iface eth0 inet static
address 192.168.1.150
netmask 255.255.255.0
gateway 192.168.1.1
Restart networking
/etc/init.d/networking restart
Edit your hosts file
nano /etc/hosts
Add a line mapping your host name to your server IP. For example
[...]
127.0.0.1 localhost
[...]
becomes
[...]
127.0.0.1 localhost
192.168.1.150 example.com example
[...]
Add the host name to the hostname file (it should be empty)
nano /etc/hostname
and add your host name
example.com
Start the hostname.sh shell script
/etc/init.d/hostname.sh start
Test that everything is working by running
hostname
It should display your host name.
Install Applications
MySQL
aptitude install mysql-server mysql-client libmysqlclient15-dev
You will be prompted to enter and re-enter a root password for MySQL.
Apache
aptitude install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert
PHP5/Ruby
aptitude install libapache2-mod-php5 libapache2-mod-ruby php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl
Edit /etc/apache2/mods-available/dir.conf
nano /etc/apache2/mods-available/dir.conf
Change
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
to (adding index.shtml index.php3 to the line above)
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm index.shtml index.php3
Enable common apache modules
a2enmod ssl
a2enmod suexec
a2enmod include
a2enmod rewrite
eAccelerator for PHP (optional)
cd /usr/src
wget http://bart.eaccelerator.net/source/0.9.5.3/eaccelerator-0.9.5.3.tar.bz2
tar -xvjf eaccelerator-0.9.5.3.tar.bz2
cd eaccelerator-0.9.5.3
phpize
./configure
make
make install
Create the eAccelerator cache directory and assign the right ownership to it (the owner and group have to be the user and group Apache is running as, in this case www-data) by executing the commands:
mkdir /tmp/eaccelerator
chown -R www-data:www-data /tmp/eaccelerator/
The last thing to do is to enable eAccelerator in your php.ini file:
nano /etc/php5/apache2/php.ini
And add the following lines to the end of the file:
;uncomment if you want to use as a Zend extension
;zend_extension="/usr/lib/php5/eaccelerator.so"
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
For more information on what these settings do, check out the eAccelerator config file settings page.
Reload Apache to load the new modules
/etc/init.d/apache2 force-reload
Go to your site (i.e. http://192.168.1.150) and you should see the default Apache page displaying “It works!”
To test that Apache is parsing PHP, make a new php file for Apache to display
nano /var/www/test.php
and add the following
<?php
phpinfo();
Go to the test page (i.e. http://192.168.1.150/test.php) and you should see all the information about your PHP install.
It is a good idea to synchronize the clock to an internet time server
aptitude install ntp ntpdate
If you want a little protection from brute force attacks, fail2ban is an easy tool that uses IPTables and does the hard stuff for you.
aptitude install fail2ban
Fail2ban has a main configuration file that you should not edit. Instead the main config file is used as the default and local configurations override those settings when needed. This way you can create finer grained control and still have the defaults in place to catch situations for which you haven’t defined rules. To start, copy over the main config file into a local config file to edit.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now edit the local config file
nano /etc/fail2ban/jail.local
The comments in the config file explain the options pretty well. A quick rundown of some of the basics:
ignoreip - Space separated list of IPs that will never be banned. Localhost is added by default, and you should add any machines that you don’t think fail2ban needs to monitor for brute force attacks (such as your personal computers).
bantime - The time an IP address will be blocked if it exceeds the maximum number of login attempts. After that time, the IP will be removed from the banned list and allowed to log in again. Set this to -1 if you want bans to remain in effect indefinitely.
maxretry - The maximum number of login attempts before the IP is banned.
action - This determines how fail2ban reacts when an IP exceeds the allowed number of logins. There are 3 predefined shortcuts so you don’t have to figure out the syntax on this. The first, action_, just bans the IP. action_mw will ban the IP and send you an e-mail with a whois report on that IP. Last, action_mwl will ban the IP and send an e-mail with a whois report and the relevant log file lines that caused the IP to be banned. The default is action = %(action_)s. To change to one of the other shortcuts, replace only the action_ part. For example, if you wanted to ban with e-mail alerts containing the whois report and log file lines you would use action = %(action_mwl)s, since the shortcut for that is action_mwl.
destemail - If you elect to receive e-mails from fail2ban, this specifies the e-mail address to which it should send the notifications.
The last thing to do in the config file is enable the sections that correspond to the services you want to monitor. These are under the JAILS section. This is done by setting the enabled flag to true for a given section. For the simple server above, I would recommend the following:
...
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
...
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
...
After you get your configuration in place, restart the fail2ban service
/etc/init.d/fail2ban restart
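To see what the [ssh] jail above is actually counting, here is an added example (not part of the original guide, and not fail2ban's own filter) that scans auth.log-style lines for failed SSH passwords and reports any source IP that has reached the maxretry value of 6. The log lines are constructed for the example; fail2ban's real sshd filter matches more message variants and also applies a time window (findtime).

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not captured from a real
# server): six failures from one address, two from another.
SAMPLE_AUTH_LOG='Jan 10 10:00:01 example sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:03 example sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 10:00:05 example sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 10:00:06 example sshd[2004]: Accepted publickey for deploy from 198.51.100.7 port 50001 ssh2
Jan 10 10:00:07 example sshd[2005]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 10:00:09 example sshd[2006]: Failed password for invalid user test from 198.51.100.7 port 50002 ssh2
Jan 10 10:00:10 example sshd[2007]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 10:00:12 example sshd[2008]: Failed password for invalid user oracle from 198.51.100.7 port 50003 ssh2
Jan 10 10:00:14 example sshd[2009]: Failed password for root from 203.0.113.5 port 40006 ssh2'

# failed_logins_over LIMIT
# Reads auth.log lines on stdin and prints "count ip" for every source IP
# with at least LIMIT "Failed password" messages from sshd, one per line.
# Only sshd lines are considered; the IP is the word after "from".
failed_logins_over() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { n[$(i + 1)]++; break }
            }
        }
        END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }
    ' | sort -rn
}

# Stand-alone run: with the same threshold as maxretry = 6 in jail.local,
# only 203.0.113.5 is reported; 198.51.100.7 stays under the limit.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_over 6
```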
I am not going to cover how to set up a mail server here because there is now a wonderful guide on HowToForge. Using the HowtoForge guide for Virtual Users And Domains With Postfix, Courier, MySQL And SquirrelMail (Ubuntu 8.04 LTS) will give you a mail server that supports IMAP and POP with virtual users and domains, all configured via a MySQL database, and much more.
Note that if you do use the mail server guide and run fail2ban, enable the [postfix], [courierpop3], [courierimap], and [sasl] sections in the fail2ban jail.local file.