Friday, 29 March 2013

Playing Around with a Linux Server

This post describes how to install Linux and set it up as a home webserver from scratch.

I took an opportunity to get a free Dell PowerEdge 600SC server through Freecycle and wanted to use it to play around with a Linux server.  I didn't really know what I would use it for and this was an opportunity to find out.

Hardware

The server was almost empty and came without any HDD and the PowerEdge manual (yes I read a manual) said it could take four HDDs up to 120GB each.  I bought a second hand 120GB IDE drive from eBay for a few pounds so I could get started, but had the intention to add three more later on to have maximum capacity and possibly play around with RAID.

Installing Linux

After several days of playing around with different Linux distros (including Ubuntu Server 12.04) I finally got Ubuntu Server 8.04.4 to work on the Dell box very easily.

The installation was easy enough – the only difficult question was how to partition the hard drive. I plumped for whole disk which ended up with two partitions: / and swap.  I did not try any other option but didn't think I needed any other partitions especially as I intended to add three more HDDs later.

I planned to install a couple of things during installation (e.g. SSH, LAMP) but accidentally skipped that step.  Space selects the options, return (which I pressed to select an option) continues installation.

Tip: When choosing to install packages make sure you read the screen instructions first!

I didn't worry too much thinking I'd find out how to add them in from the command line rather than start the installation from scratch – a good opportunity to learn some stuff.

Removing the CD and rebooting took me to the login prompt. Finally – I got it working!!

Setting a Static IP address

The first thing I did was to set up a static ip address for the machine. I found a tutorial at www.howtoforge.com/perfect-server-ubuntu-10.04-lucid-lynx-ispconfig-3-p3

Sign in as superuser: sudo su
Edit the network interface config with nano /etc/network/interfaces, adding the text shown below under # The primary network interface. This set my server's IP address to always be 192.168.0.69.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.69
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
Ctrl-O then return saves the file, Ctrl-X exits the nano text editor

Then restart the network from root (cd /) by typing: /etc/init.d/networking restart

Next edit hosts adding the ip address and names for the server (3rd line shown below): nano /etc/hosts
127.0.1.1    ubuntu8
127.0.0.1       localhost.localdomain   localhost
192.168.0.69   ubuntu8.chanzachanzo.com    ubuntu8

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Then run:
echo ubuntu8.msquared.com > /etc/hostname
hostname restart

Now running hostname and hostname -f should bring up ubuntu8.msquared.com.
This didn't work for me until I rebooted the system – but try running /etc/init.d/hostname.sh start next time.

Update my Linux installation

The howtoforge tutorial told me to check /etc/apt/sources.list to make sure the CD was commented out and all the universe and multiverse repositories were enabled. Lines with ## at the start are commented out – I didn't have to change anything in this file.

Next run: aptitude update and aptitude safe-upgrade

This downloaded about 31MB of updates and spent a couple of minutes unpacking and installing them all automatically. Once finished I issued a reboot command.

I also installed a program to automatically update the server's time: aptitude install ntp ntpdate

Install OpenSSH

Installing Secure Shell (ssh) was one of the steps I missed during installation of Ubuntu which indicates its usefulness.  It allows you to connect to the server remotely e.g. from Terminal on a Mac.
aptitude install ssh openssh-server 
The port that ssh listens on is set in /etc/ssh/sshd_config and is 22 by default.

To test ssh I opened a Terminal window on my Mac and typed:
ssh <username>@192.168.0.69
password: <set during installation>

This got me logged onto my Linux box from my Mac.  When I tried to use nano in Terminal I constantly got an error relating to xterm-256color preventing me from editing any files.  This is simple to solve for Mac's Terminal.  Open Preferences from the Terminal menu, go to the Settings page and its Advanced button.  Change the Declare terminal as: from xterm-256color to xterm-color.

Next I wanted to set up ssh so I could connect from my Mac without sending passwords, for ease of use and security. To do this I followed this link: http://inside.mines.edu/~gmurray/HowTo/sshNotes.html

On mac in terminal:
ssh-keygen -t dsa
chmod 600 .ssh/id_dsa
scp .ssh/id_dsa.pub <username>@192.168.0.69:
<enter password for username on 192.168.0.69>

Go to the remote computer (the server) and go to your home directory where you should find the id_dsa.pub file you just copied across.

Now:
cat id_dsa.pub >> .ssh/authorized_keys
chmod 700 .ssh

Back on my mac running ssh <username>@192.168.0.1 should have logged me into my server without having to type in and send my password.  Unfortunately this didn't work for me - I will update this post once (if) I get it working.
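One thing worth checking when key login is refused: sshd's StrictModes setting (on by default) ignores authorized_keys if the home directory, .ssh or the key file is writable by group or others, and the cat step above fails outright if .ssh does not exist yet. The script below is an added example, not part of the original post; the function names are hypothetical and it checks modes only (sshd also checks ownership).

```shell
#!/bin/sh
# Added example: server-side checks for key-based SSH login.

# loose PATH -> succeeds if group or others can write to PATH
loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# check_ssh_perms HOME_DIR -> prints findings, returns the number of blockers
check_ssh_perms() {
    home=$1
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"
            problems=$((problems + 1))
        elif loose "$p"; then
            echo "TOO OPEN  $p (group/world writable, sshd ignores the key)"
            problems=$((problems + 1))
        fi
    done
    # DSA keys still worked in 2013; OpenSSH 7.0+ disables ssh-dss by default.
    if grep -q '^ssh-dss ' "$home/.ssh/authorized_keys" 2>/dev/null; then
        echo "NOTE      DSA key present; use an RSA or Ed25519 key on current OpenSSH"
    fi
    return "$problems"
}

# fix_ssh_perms HOME_DIR -> create what is missing and apply the modes sshd expects
fix_ssh_perms() {
    home=$1
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# On the server, as the login user:
#   check_ssh_perms "$HOME" || fix_ssh_perms "$HOME"
```

If the check is clean and login still asks for a password, running ssh -v from the client shows which keys were offered and why they were rejected.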

Now I had an up-to-date Linux server that I could remotely connect to from my Mac.  In fact I could also connect to it from my Android phone using a free App called Server Auditor.

What to do with a Linux Server?

I was well pleased I'd finally got the server running, but so what?  I had a look round and found a useful blog on 'the perfect server'.

This site has instructions on how to set up:
Web Server to host your own web site
Database Server – why?
Mail Server – own email using Postfix
DNS Server – why?
FTP Server – file sharing
POP3/IMAP – email stuff
Webalizer for web site stats

This may have been a better tutorial to follow for installing Ubuntu etc. This guide mentions disabling AppArmor which offers enhanced security but also fouls things up. I may do this if I get some funny things happening later by doing this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
and possibly
apt-get remove apparmor apparmor-utils

I paused overnight at this point and decided to focus on installing a web server.  I found these alternative sites that seemed more focussed on what I wanted to achieve right now.

Used the first of those sites (net.tutsplus tutorial) to install LAMP - at least the AMP bit of it as I'd already done the L.

Signed in as root by typing sudo su and entering the password:
aptitude install apache2 php5-mysql libapache2-mod-php5 mysql-server

This installs a web server (Apache2), server side software language (PHP) and a database (MySQL).  The MySQL installation process asks for a password – this is very important for online security and should not be left blank.

Once installation is complete you should be able to open a browser on another computer on the same LAN, type in the ip address of the server and see a webpage below displaying 'It Works'.

Now some config items to secure the server when it gets exposed to the internet. Still logged in as root edit the apache2 configuration:
cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.bak
nano /etc/apache2/apache2.conf

scroll down and change ServerTokens Full to ServerTokens Prod
scroll down more and change ServerSignature On to ServerSignature Off
Press Ctrl-O, Return, Ctrl-X to save and exit nano

Now edit the php configuration:
cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.bak
nano /etc/php5/apache2/php.ini
scroll a long way down to change expose_php = On to expose_php = Off
Then Ctrl-O, Return, Ctrl-X to save and exit nano

Finally /etc/init.d/apache2 restart and LAMP (Linux, Apache, MySQL, PHP) is installed.
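To confirm the three settings took effect after the restart, look at what the server actually sends back. The script below is an added example, not from the original post: banner_leaks is a hypothetical helper, and the two sample responses (including their version strings) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag version disclosure left in an HTTP response.

# banner_leaks: read a raw HTTP response (headers and body) on stdin, print
# each line that still discloses software details, return how many were found.
banner_leaks() {
    leaks=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            [Ss]erver:*/*)
                echo "ServerTokens not Prod: $line"; leaks=$((leaks + 1)) ;;
            [Xx]-[Pp]owered-[Bb]y:*)
                echo "expose_php still On:   $line"; leaks=$((leaks + 1)) ;;
            *"<address>Apache"*)
                echo "ServerSignature On:    $line"; leaks=$((leaks + 1)) ;;
        esac
    done
    return "$leaks"
}

# Constructed 404 response before the changes (Full / On / On)
sample_before() {
    cat <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5
X-Powered-By: PHP/5.2.4-2ubuntu5
Content-Type: text/html

<address>Apache/2.2.8 (Ubuntu) Server at 192.168.0.69 Port 80</address>
EOF
}

# Constructed 404 response after the changes (Prod / Off / Off)
sample_after() {
    cat <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html

<p>The requested URL was not found on this server.</p>
EOF
}

# Against the live server, from another machine on the LAN:
#   curl -si http://192.168.0.69/no-such-page | banner_leaks
```

Requesting a page that does not exist matters here, because the ServerSignature footer only appears on server-generated pages such as error documents.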

Install a firewall

Logged in as root:
aptitude install shorewall
cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall
nano /etc/shorewall/rules
Above #LAST LINE at the bottom of the file add the following using tabs to line up with the existing ACCEPT line (yes net and $FW are the other way round to what's already there):
HTTP/ACCEPT net $FW
SSH/ACCEPT net $FW
Ctrl-O, Return, Ctrl-X

nano /etc/shorewall/shorewall.conf
Scroll down and change STARTUP_ENABLED=No to Yes.
Ctrl-O, Return, Ctrl-X
nano /etc/default/shorewall
On line three change startup=0 to startup=1
Ctrl-O, Return, Ctrl-X
/etc/init.d/shorewall start

That's it – the firewall is up and running.  Note - I was blindly following the tutorial at this point.  Later on I made a decision to use 'port forwarding' instead of a 'DMZ' to expose the server to the internet.  This means that my router's firewall would do its job and the server's firewall may be unnecessary.  At least it's protected if I did connect it to some other network.

Adding website to web server

Files that Apache web server makes available (over the LAN and/or internet) must be put into /var/www folder. To give permissions do the following:

usermod -g www-data <username>
chown -R www-data:www-data /var/www
chmod -R 775 /var/www

Then I downloaded Cyberduck application from cyberduck.ch which lets me use SFTP (secure file transfer protocol) to transfer files between my laptop and server. In particular php, html and other files for the webpages I want to serve through the Apache web server.

Once downloaded, installed and running I logged in using CyberDuck using SFTP to my server's IP address, username and password. Before clicking connect I added /var/www to the path in More Options.

The existing file on the server that produces the 'It Works!' page above is /var/www/index.html. You can transfer that to your other computer, edit it and reload it up to the server and see that the web page 192.168.0.69 (or whatever you set your server's IP address to) changes. Cyberduck also has a 'Synchronise' function that makes it easier to keep everything in sync between server and laptop.

Opening server up to the internet

Port forwarding or DMZ?  This is to do with exposing your server to the internet by making carefully selected holes in your firewall.  I chose port forwarding because the router protects my server using its firewall but allows certain requests through two holes (http and ssh requests).  DMZ makes my whole server available to the internet and I'm not sure how good the shorewall firewall is set up to protect it.

Setting up port forwarding on Sky Sagem router was very straight forward.
My Sky provided router is made by Sagem. This is how I set up port forwarding.
In a browser go to address 192.168.0.1
Type in username and password (default is user:admin, password:sky)
Go to Security -> Firewall rules and add two rules to Inbound Services HTTP and SSH shown below:


How to get a domain name for a dynamic IP address.
My home server is at home where I get my internet connection from Sky. This ISP has a pool of internet IP addresses that they allocate every time a router logs on. This means that the internet IP address of my house (my router) changes periodically. I could overcome this by monitoring my router's IP address and manually changing domain's web forwarding to match. This is both tedious and means my website could become unavailable.

www.noip.com, amongst others, offers a free service where you can overcome this problem by installing a small piece of software that monitors your internet IP from the server and updates a subdomain name that you can use all the time.  I signed up to 'No-IP Free' at https://www.noip.com/personal/ and set up a sub-domain based upon one of my registered domains – <mydomain>.no-ip.org.  I then installed the DNS Update Client on my server with the command:
sudo apt-get install noip2
The installation process required some answers: my No-IP username and password, an update interval (default is 30 minutes), the host name (i.e. <mydomain>.no-ip.org), and device name (leave blank if only one network connection).

When I installed noip2 I chose to disable NAT which meant that noip2 updated noip.com with the *local* IP address which meant <mydomain>.no-ip.org resolved to 192.168.0.xxx.  This cannot be reached from the internet so I needed noip2 to find the IP address of my router as seen from the internet instead. To change noip2 configuration on Linux you can repeat the questions you were asked during installation by typing into a terminal:
sudo dpkg-reconfigure noip2
This time I chose 'No' do not disable NAT and it immediately started working correctly.

Having done that I could type <mydomain>.no-ip.org into any browser on the internet or my LAN at home and see the It Works page generated by my home server.

This whole process took a couple of weeks on and off.  I had the most difficult time at the beginning getting a version of Linux to work on my old, free server box.  The rest was fairly straightforward and I'm looking forward to exploiting my new server!  Next? Install and use WordPress over my web server; investigate email/calendar services.

Finally, thanks to all those already out there on the web whose blogs, tutorials and forum posts helped me do this.  I hope my small contribution helps others too.

1 comment:

  1. The easiest way to set up a static IP address is to use your router to assign your chosen IP addr to the MAC address of your hardware. You can find the MAC Address (also known as HWaddr) by typing ifconfig at the command line on Linux. NB ethernet (eth0) and wifi (wlan0) have different MAC addresses.

    This has the benefit of letting your server be plugged into another LAN and continue to use DHCP without the danger of clashing with another static IP.
