I’m setting up an old desktop as a server at school. I was going to post details about it later, but after seeing this article claiming that there are hundreds of thousands of unsecured databases out there, I thought I’d go ahead and post some of the basics on installing and securing a server running Ubuntu Linux. UPDATE: These notes were created when Ubuntu 7.10 “Gutsy” was out, but I’ve tweaked them for changes in 8.10 Intrepid. They should hopefully work with 9.04 Jaunty too.
I’m assuming Ubuntu is already installed. In my case, the desktop version (not the server version which already has most of this pre-installed). I want to quickly convert it to a server to use for some research.
Step 0: Do You Need It? – There are cheap and much more reliable ways to run your own server applications. Providers such as Linode or Bytemark offer you “virtual root” linux servers for as little as under $20 a month using Linux virtual machines such as User-Mode Linux (UML), Xen, and VMWare. I’ve used them before for years.
I’m running a server on my own machine instead for this project because it is a small project, it is free this way, and because I think the .edu domain name makes a difference (the URL is part of any website’s interface).
Most of the information below applies anyway if you are using a virtual root hosting service, since you’ll have to install and set up much of your server software in the same manner.
Step 1: Get Connected – Make sure you have a stable IP address and a domain name that can be used to connect to your machine. You’ll have to work with your network administrator to do this, or purchase your own domain name at places like NetworkSolutions.com [UPDATE: don’t use networksolutions, anytime you search for a domain, they automatically register it themselves so they can charge more], Register.com, or GoDaddy.com, or else use a free service like DynDNS.com.
If want to find out what is your IP address and hostname, you can use commands like “ifconfig” and “nslookup” or visit sites like whatismyip.com and samspade.com.
Once you are assigned an IP address and domain name, set the domain name for your machine by editing the /etc/hostname file:
sudo nano /etc/hostname
And put your hostname there all alone on one line:
Type control-X to quit and save the file.
You can also add information about your IP address and hostname to the /etc/hosts file. Say for example your IP is 126.96.36.199, add a line like this to the file (using “sudo nano /etc/hosts”):
Step 2: Use a Strong Password – Something very long that uses lower case, upper case letters, numbers, and symbols. This is very important.
You can do it graphically by going to System->Administration->Users and Groups, or on the command line (using Terminal), by simply running:
Optional: You can also set passwords for your bios and for the grub bootloader. In your BIOS also, you can set the boot order of devices so that the hard drive is first, so that people can’t pop in a CD and override your system.
Step 3: Install SSH Server – This is so you can login to your computer remotely through an encrypted connection. If you are using the Terminal command line shell application, you can install like so:
apt-get install ssh openssh-server
Otherwise, you can use the graphical Synaptic package manager to search for “ssh” and install the same packages.
Optional: Edit the /etc/ssh/sshd_config file to change the default port ssh uses for connections from 22 to some other value. Change the line that reads “Port 22”. Our ssh servers on campus are attacked all the time. Changing the port to something non-default alleviates it somewhat (but you still need to run a firewall and keep system up to date and backed up, too).
sudo nano /etc/ssh/sshd_config
sudo invoke-rc.d ssh restart
Test it out by connecting to your server from another computer, using an ssh client (like “ssh” on the command line, or Putty on windows, etc.). Say you made the port 987 and your username is “bob”, then the command to connect is:
ssh email@example.com -p 987
Step 4: Install LAMP software – the Apache 2 webserver, PHP 5, & MySQL 5. To do this quickly, we can use either tasksel (on the command line), or Synaptic. In Synaptic, selected Edit->Mark Packages by Task… and check the LAMP server option and install.
Or else on the command line, run
and select the LAMP server option. If tasksel is not installed run “sudo apt-get install tasksel”.
Apache, MySQL, and PHP will now be installed. It should ask you for a root password to use with MySQL. Again, pick a strong password. MySQL should be already configured also to not accept any connections except from the local machine.
The main Apache configuration files are located at:
in case you want to make any changes.
The root folder for your webserver HTML documents is:
Edit the index.html file, for example, to change the homepage.
Check out your webserver at http://your.domain.name.edu/
Step 5: Setup a Firewall – This is very important, too. You can block all outside access to your machine except via the ports you want to keep open. The webserver uses port 80, and ssh uses whatever port you set in /etc/ssh/sshd_config (22 by default).
There are 2 options to consider for your firewall in Ubuntu. If you are still using the machine as a desktop machine, too, you might consider installing FireStarter, a graphical firewall manager. I use that on my laptop. On the server though, I am using Shorewall, since it can be configured from the command line (perhaps Firestarter can as well, but I don’t know).
To install Shorewall, type this on the command line:
sudo apt-get install shorewall
Then type these commands:
##old: cd /usr/share/doc/shorewall/default-config cd /usr/share/doc/shorewall-common/default-config sudo cp interfaces /etc/shorewall/ sudo cp policy /etc/shorewall/ sudo cp rules /etc/shorewall/ sudo cp zones /etc/shorewall/
Using your text editor command (such as sudo nano or sudo gedit), you need to edit those 4 files. Add this line before the last line of /etc/shorewall/interfaces:
net eth0 detect
Add this line before the last line of /etc/shorewall/zones:
You should also have a line that says “fw firewall” in the zones file.
Put these lines before the last line of /etc/shorewall/policy:
fw net ACCEPT net all DROP info all all REJECT info
And add these lines to your /etc/shorewall/rules file after the SECTION NEW line:
#change "22" to the port you used for ssh if not the default one: ACCEPT net fw tcp 22 ACCEPT net fw tcp www,https
Change 22 to the port you used for ssh. Remove “,https” if you have no intention of ever installing the ssl module for the apache webserver (for secure web transactions).
Finally, edit /etc/default/shorewall file by changing the line that reads startup=0 to:
You can startup the firewall with the command:
sudo invoke-rc.d shorewall start
Other options you can pass to invoke-rc.d in general include start, stop, and restart.
(Update) Step 5b: Install fail2ban – fail2ban will block attackers who try to brute force your ssh or apache or other services.
sudo apt-get install fail2ban sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
and edit the jail.local file.
I set “enabled=true” for the ssh, apache, postfix jails. I also added the apache-badbots jail:
[apache-badbots] enabled = true port = http,https filter = apache-badbots logpath = /var/log/apache*/*access.log maxretry = 2
I would also add that if you want ban reports emailed to you, change “destemail” to your email and set “action = %(action_mwl)s”.
You will also probably have to “sudo apt-get install mailx” for email sending to work. “cat /var/log/fail2ban.log” to see errors or log messages.
Step 6: Keep Your System Up to Date – Run the commands
sudo apt-get update sudo apt-get upgrade
to keep all your installed software up to date. This is important for example if a security flaw is revealed in apache or ssh, for example (or webmin, which had a huge hole in it until recently). Updating your machine will install new versions that fix the security flaws. You can run the above commands automatically every day even using crontab if you wish, and/or install the unattended-upgrades package:
sudo apt-get unattended-upgrades
There are various crontab tutorials around the web.
Step 7: Monitor Your Site – There are various tools you can install and use to monitor your site, such as webalizer (apache statistics), webmin (a web-based control panel for your server), and others. crontab plus shell scripts (in bash, python, perl, etc.) can be used to email you whenever a server application goes down, or restart the application automatically. There are other watchdog tools out there for this kind of thing as well.
Step 8: Backup Your Machine – You’ll want to keep regular backups of the files on your server. You can backup the files to a remote computer, for example, or a second hard drive. You can setup a RAID configuration so that multiple drives store your information redundantly.
For a simple copy and compress backup to another drive (something like I use on the laptop), you can run a command like this:
sudo tar cpzf /media/path/to/backup/folder/my-backup.tar.gz –exclude=/proc/* –exclude=/lost+found/* –exclude=/dev/* –exclude=/mnt/* –exclude=/media/* –exclude=/sys/* –exclude=/tmp/* –exclude=/var/cache/apt/* /
For a server though, it is better to use something like rsync, which can be configured to only backup what has changed since the last time you backed up (incremental backups). See for example:
- Time Machine-like Backup for Linux Computers
- Easy Automated Snapshot-Style Backups with Rsync
- Backups using rync
- and google for rsync backup for other tutorials
Remember to learn how to recover the files from your backup as well.
For more resources, see sites such as these:
- Ubuntu Server Guide
- Securing Your Ubuntu Server – my shorewall instructions were based on these
- The Perfect Server – Ubuntu 7.10
- Quick Linux Server