Ubuntu 8.04 LTS 64-bit Server on Linode

This guide is a step-by-step walkthrough for setting up an Ubuntu 8.04 LTS 64-bit server on Linode.

Assuming a Linode 360 with 12288 megs of space, partition as follows:

  • Ubuntu Image: 11776MB
  • Swap: 512MB

The default swap size is only 256MB, but the usual recommendation is between 1 and 2 times the amount of RAM installed on the machine. A base Linode has 360MB of RAM, so 512MB is a safe size to use.

Getting Started

First, install your favorite text editor, such as nano or vi, using aptitude or apt-get.

aptitude install nano

If you would like auto completion in interactive shells, edit your bash.bashrc file

nano /etc/bash.bashrc

and uncomment the following block to look as follows

[...]
# enable bash completion in interactive shells
if [ -f /etc/bash_completion ]; then
    . /etc/bash_completion
fi
[...]

For some reason bash-completion is not installed by default

aptitude install bash-completion

There is no need to reboot, just restart bash and autocomplete should be working for interactive shells

bash

To try it out, you can do something like aptitude inst<tab> and it should complete as aptitude install

If you like having manpages available, you will need to install the man binary.

aptitude install man-db

You may have seen Perl warnings complaining that the locale information is not set when trying to install anything from the repositories. To fix this, first install the locales package

aptitude install locales

and then define your locale information with the following command.

localedef -i en_US -c -f UTF-8 en_US.UTF-8

Be sure to replace the locale name if you need something other than en_US.

Now we need to get everything up to date

aptitude update
aptitude safe-upgrade

Clean up any old update files and reclaim some space

aptitude autoclean

Server Configuration

HowtoForge has a great guide for setting up an Ubuntu 8.04 server. Credit goes to them for several of the server configuration sections listed below, and I highly recommend supporting them and checking out their library of guides.

By default, Ubuntu will have DHCP enabled. To get a static IP address, edit the interfaces file

nano /etc/network/interfaces

Replace the line

iface eth0 inet dhcp

with the following (substitute the values for your Linode's information)

iface eth0 inet static
address 192.168.1.150
netmask 255.255.255.0
gateway 192.168.1.1

Restart networking

/etc/init.d/networking restart

Edit your hosts file

nano /etc/hosts

Add a line mapping your host name to your server IP. For example

[...]
127.0.0.1    localhost
[...]

becomes

[...]
127.0.0.1    localhost
192.168.1.150    example.com    example
[...]

Add the host name to the hostname file (it should be empty)

nano /etc/hostname

and add your host name

example.com

Start the hostname.sh shell script

/etc/init.d/hostname.sh start

Test that everything is working by running

hostname

It should display your host name.

Install Applications

MySQL

aptitude install mysql-server mysql-client libmysqlclient15-dev

You will be prompted to enter and re-enter a root password for MySQL.

Apache

aptitude install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert

PHP5/Ruby

aptitude install libapache2-mod-php5 libapache2-mod-ruby php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

Edit /etc/apache2/mods-available/dir.conf

nano /etc/apache2/mods-available/dir.conf

Change

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm

to (adding index.shtml index.php3 to the line above)

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm index.shtml index.php3

Enable common Apache modules

a2enmod ssl
a2enmod suexec
a2enmod include
a2enmod rewrite

eAccelerator for PHP (optional)

cd /usr/src
wget http://bart.eaccelerator.net/source/0.9.5.3/eaccelerator-0.9.5.3.tar.bz2
tar -xvjf eaccelerator-0.9.5.3.tar.bz2
cd eaccelerator-0.9.5.3
phpize
./configure
make
make install

Create the eAccelerator cache directory and assign the right ownership to it (the owner and group have to be the user and group Apache is running as, in this case www-data) by executing the commands:

mkdir /tmp/eaccelerator
chown -R www-data:www-data /tmp/eaccelerator/

The last thing to do is to enable eAccelerator in your php.ini file:

nano /etc/php5/apache2/php.ini

And add the following lines to the end of the file:

;uncomment if you want to use as a Zend extension
;zend_extension="/usr/lib/php5/eaccelerator.so"
extension="eaccelerator.so"
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"

For more information on what these settings do, check out the eAccelerator config file settings page.

Reload Apache to load the new modules

/etc/init.d/apache2 force-reload

Go to your site (e.g. http://192.168.1.150) and you should see the default Apache page displaying "It works!"

To test that Apache is parsing PHP, make a new php file for Apache to display

nano /var/www/test.php

and add the following

<?php
phpinfo();

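Go to the test page (e.g. http://192.168.1.150/test.php) and you should see all the information about your PHP install. Delete test.php once you have confirmed PHP works, since the phpinfo() output exposes your server configuration to anyone who requests the page.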

It is a good idea to synchronize the clock to an internet time server

aptitude install ntp ntpdate

If you want a little protection from brute force attacks, fail2ban is an easy tool that uses iptables and does the hard stuff for you.

aptitude install fail2ban

Fail2ban has a main configuration file that you should not edit. Instead the main config file is used as the default and local configurations override those settings when needed. This way you can create finer grained control and still have the defaults in place to catch situations for which you haven't defined rules. To start, copy over the main config file into a local config file to edit.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now edit the local config file

nano /etc/fail2ban/jail.local

The comments in the config file explain the options pretty well. A quick rundown of some of the basics:

ignoreip - Space separated list of IPs that will never be banned. Localhost is added by default, and you should add any machines that you don't think fail2ban needs to monitor for brute force attacks (such as your personal computers).

bantime - The time an IP address will be blocked if it exceeds the maximum number of login attempts. After that time, the IP will be removed from the banned list and allowed to log in again. Set this to -1 if you want bans to remain in effect indefinitely.

maxretry - The maximum number of login attempts before the IP is banned.

action - This determines how fail2ban reacts when an IP exceeds the allowed number of logins. There are 3 predefined shortcuts so you don't have to figure out the syntax on this. The first, action_, just bans the IP. action_mw will ban the IP and send you an e-mail with a whois report on that IP. Last, action_mwl will ban the IP and send an e-mail with a whois report and the relevant log file lines that caused the IP to be banned. The default is action = %(action_)s. To change to one of the other shortcuts, replace only the action_ part. For example, if you wanted to ban with e-mail alerts containing the whois report and log file lines, you would use action = %(action_mwl)s, since the shortcut for that is action_mwl.

destemail - If you elect to receive e-mails from fail2ban, this specifies the e-mail address to which it should send the notifications.

The last thing to do in the config file is enable the sections that correspond to the services you want to monitor. These are under the JAILS section. This is done by setting the enabled flag to true for a given section. For the simple server above, I would recommend the following:

...
[ssh]
enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6
...
[apache]
enabled = true
port    = http,https
filter  = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
...

After you get your configuration in place, restart the fail2ban service

/etc/init.d/fail2ban restart
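
To see what maxretry and ignoreip mean in practice, the following added example (not part of the original guide or of fail2ban itself) counts failed SSH password attempts per source address in a constructed auth.log sample and prints the addresses an [ssh] jail with those settings would ban. The function names, log lines and addresses are made up for illustration, and the matching is a simplified stand-in for fail2ban's sshd filter.

```shell
#!/bin/sh
# Added illustration, not fail2ban code. All log lines are constructed and use
# documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).

# emit_failures IP COUNT USER: print COUNT constructed sshd failure lines.
emit_failures() {
  n=1
  while [ "$n" -le "$2" ]; do
    printf 'Jun  1 03:14:%02d example sshd[2100]: Failed password for %s from %s port 4100%d ssh2\n' \
      "$n" "$3" "$1" "$n"
    n=$((n + 1))
  done
}

# Constructed stand-in for /var/log/auth.log.
sample_auth_log() {
  emit_failures 203.0.113.7 7 root                  # over the limit
  emit_failures 192.0.2.44 3 "invalid user admin"   # under the limit
  emit_failures 198.51.100.20 9 root                # over, but trusted
  echo 'Jun  1 03:15:00 example sshd[2101]: Accepted password for deploy from 192.0.2.44 port 41100 ssh2'
}

# would_ban MAXRETRY "IGNOREIP LIST": read auth.log lines on stdin and print
# each source address once, at the moment its failure count reaches MAXRETRY.
# Addresses in the space-separated ignore list are never counted (ignoreip).
# Simplification: failures are counted over the whole input, whereas the real
# tool only counts failures inside its findtime window.
would_ban() {
  awk -v max="$1" -v ignore="$2" '
    BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    # The user name is supplied by the client, so take the address from the
    # fixed tail of the line ("from IP port N ssh2"), not the first "from".
    / sshd\[[0-9]+\]: Failed password for / &&
    $(NF - 4) == "from" && $(NF - 2) == "port" {
      ip = $(NF - 3)
      if (!(ip in skip) && ++count[ip] == max) print ip
    }
  '
}

# With maxretry = 6 and one trusted address in ignoreip, only 203.0.113.7 is listed.
sample_auth_log | would_ban 6 "127.0.0.1 198.51.100.20"
```

To check your own jail settings the same way, feed a copy of the real log on standard input, for example would_ban 6 "127.0.0.1" < /var/log/auth.log.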

I am not going to cover how to set up a mail server here because there is now a wonderful guide on HowtoForge. Using the HowtoForge guide for Virtual Users And Domains With Postfix, Courier, MySQL And SquirrelMail (Ubuntu 8.04 LTS) will give you a mail server that supports IMAP and POP with virtual users and domains, all configured via a MySQL database, and much more.

Note that if you do use the mail server guide and run fail2ban, enable the [postfix], [courierpop3], [courierimap], and [sasl] sections in the fail2ban jail.local file.
