This is the procedure I usually follow to install an Ubuntu server (written with Ubuntu 8.10 Intrepid Ibex, but it should work with 8.04 without problems).
I wrote this for a particular project, but since I use it in many places, I'm removing the project-specific parts and leaving it here... as the project involved people from abroad, it's in English... I'll translate it eventually.
Install linux
Decide how to partition your disk drive(s).
Usually, we create a small (~200Mb) /boot partition at the beginning and a 4Gb swap partition at the end and use the rest of the disk for the system.
If we are cool with no more than 4 partitions in a disk, it's much better to create all partitions as primary and never use extended partitions.
We can further partition this middle space into a 4Gb partition to hold / (with the whole operating system) and the rest as a /data partition where we'll put /home (symlinked) and other local stuff.
Use this:
- Minimal Ubuntu 8.10 server setup with the SSH server
- substitute the ar.* repositories with br.*, which are actually closer and have great connectivity
User created during setup must be called localadmin.
If there is an apt-cacher-ng running in the network, configure this machine to use it as explained in AptCacherNg#client
locales
Unlike (North) Americans, most people hate the MM-DD-YYYY default (you can prefer to go from more specific to more general or vice versa, but a spiral is not the most reasonable way to describe a date)... the en_GB locale gives us DD-MM-YYYY and prevents lots of system scripts from complaining when it is not installed.
We can also add locales for Spanish and Brazilian Portuguese, and a couple of friendly standards (en_GB, es_ES) are covered too, so:
# create the locales file (the sudo sh trick is explained at SudoRedirectStdOut)
sudo sh -c 'cat > /var/lib/locales/supported.d/local' <<EOF
en_US.UTF-8 UTF-8
en_GB.UTF-8 UTF-8
es_AR.UTF-8 UTF-8
es_ES.UTF-8 UTF-8
EOF
# now generate the locale definitions
sudo locale-gen
disable ipv6
If we don't use it, better have it disabled (otherwise, we have to enable IPv6 firewalling):
sudo sh -c 'echo "blacklist ipv6" > /etc/modprobe.d/blacklist-ipv6'
# this requires rebooting...
sudo reboot
See DeshabilitarIpV6EnUbuntu for references and more info.
move localadmin user away from /home
In order to later have /home in some encrypted partition, our administrative user must have its home elsewhere (e.g. in /), so do the following:
cd /
# move localadmin home directory from /home to /
sudo mv -v /home/localadmin /
# modify /etc/passwd accordingly
sudo usermod -d /localadmin -c "Administrative user" localadmin
upgrade all
sudo apt-get update ; sudo apt-get upgrade
additional packages
sudo apt-get install ntp
In /etc/ntp.conf add (below the line server ntp.ubuntu.com) additional public server addresses (in case the default ubuntu servers are down or their DNS is not resolving fine):
server pool.ntp.org
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
configure encrypted partitions
If we were to encrypt some partitions, this is an appropriate point to do it. How to do it depends on why and what we encrypt and on how the disk drive(s) are partitioned.
additional (non-essential) steps
Let's make the server friendlier (at least for me):
useful packages
- vim (rather than the tiny-vim that is in the default setup)
- subversion (we want the client, but the server is in the same package)
- keychain
- patch
- build-essential (pack of compilers needed to build some packages)
sudo apt-get install vim vim-runtime subversion keychain patch build-essential
baby's environment
Until we get the global logins, we'll be working from the localadmin shell account for sysadmin tasks, so I'll make myself @home here for the time being (aliases, prompt and the like)... I'm also backing up the original .bashrc just in case:
cd ~
# BACKUP current environment
mkdir .ORI_ENVIRONMENT
mv .bash* .profile .ssh .ORI_ENVIRONMENT
# Get baby's environment from his subversion repo
USERNAME=baby
svn --username ${USERNAME} checkout http://svn.ybab.net/baby/conf/baby/home_env .
# Create empty .bash_localadmin (LOGNAME is localadmin here)
touch .bash_${LOGNAME}
Firewall
It is A Good Thing(TM) to have a firewall running in a production server even if it is in a protected network.
I'll use Shoreline Firewall (Shorewall) since it is powerful enough to do most anything you'd like to do with the netfilter/iptables Linux kernel native packet filtering framework and it is way easier to configure than plain iptables commands. It only consists of text files for configuration (no fancy GUI, thanx).
Since debian and ubuntu packages usually lag behind the current stable release (sometimes even by a full major step), we'll go to the source packages. These are easy to install and upgrade (as of 2008-12, shorewall is at 4.2.3 and latest ubuntu intrepid package is 4.0.12).
We have to install the shorewall-common and the shorewall-perl packages (shorewall-shell is less powerful and I think it will eventually get deprecated, and every reasonable linux distro comes with perl).
Download and install
# The current (2009-02) shorewall release is 4.2.5.3
MAJOR="4.2"
MINOR="5"
PATCH=".3"
# Shorewall's GPG key ID
GPGKEY="6C562AC4"
# let's get it
mkdir -pv ~/soft/shorewall
cd ~/soft/shorewall
# get shorewall's gpg signing key (ID 6C562AC4)
# regretfully, they don't have their key in a public
# key server and the https server where they have it has
# a self-signed certificate, so we can never be absolutely
# sure about this gpg key... anyway, let's get it
wget --no-check-certificate https://lists.shorewall.net/shorewall.gpg.key
# and add it to our keyring
gpg --import shorewall.gpg.key
# Now let's download and verify the packages
wget http://www.shorewall.net/pub/shorewall/${MAJOR}/shorewall-${MAJOR}.${MINOR}/shorewall-common-${MAJOR}.${MINOR}${PATCH}.tar.bz2
# wget exits non-zero when the file does not exist ("[ $? ]" alone is always true)
if [ $? -ne 0 ] ; then
# apparently, the -common package doesn't exist with ${PATCH}, let's try without it
wget http://www.shorewall.net/pub/shorewall/${MAJOR}/shorewall-${MAJOR}.${MINOR}/shorewall-common-${MAJOR}.${MINOR}.tar.bz2
wget http://www.shorewall.net/pub/shorewall/${MAJOR}/shorewall-${MAJOR}.${MINOR}/shorewall-common-${MAJOR}.${MINOR}.tar.bz2.asc
else
wget http://www.shorewall.net/pub/shorewall/${MAJOR}/shorewall-${MAJOR}.${MINOR}/shorewall-common-${MAJOR}.${MINOR}${PATCH}.tar.bz2.asc
fi
wget http://www.shorewall.net/pub/shorewall/${MAJOR}/shorewall-${MAJOR}.${MINOR}/shorewall-perl-${MAJOR}.${MINOR}${PATCH}.tar.bz2
wget http://www.shorewall.net/pub/shorewall/${MAJOR}/shorewall-${MAJOR}.${MINOR}/shorewall-perl-${MAJOR}.${MINOR}${PATCH}.tar.bz2.asc
# Let's verify them (ignore the WARNINGs about trusted signatures)
for PACKAGE in common perl; do
FILE=shorewall-${PACKAGE}-${MAJOR}.${MINOR}${PATCH}.tar.bz2
if [ ! -f ${FILE} ] ; then
FILE=shorewall-${PACKAGE}-${MAJOR}.${MINOR}.tar.bz2
fi
gpg --verify ${FILE}.asc ||
(echo '';echo '';echo 'STOP!!!!';echo ${FILE} ' SEEMS TO BE A FAKE!';echo '')
done
# if you didn't see a STOP!!!! sign, go ahead :-)
# let's open the packages
for PACKAGE in common perl; do
FILE=shorewall-${PACKAGE}-${MAJOR}.${MINOR}${PATCH}.tar.bz2
if [ ! -f ${FILE} ] ; then
FILE=shorewall-${PACKAGE}-${MAJOR}.${MINOR}.tar.bz2
fi
tar xjvf ${FILE}
done
# and install them
# FIRST the -perl package
cd shorewall-perl-${MAJOR}.${MINOR}${PATCH}
sudo ./install.sh
cd ~/soft/shorewall
# SECOND the -common package
if [ -d shorewall-common-${MAJOR}.${MINOR}${PATCH} ] ; then
cd shorewall-common-${MAJOR}.${MINOR}${PATCH}
else
cd shorewall-common-${MAJOR}.${MINOR}
fi
sudo ./install.sh
cd ~/soft/shorewall
Setup
Now we have to configure the firewall.
The shorewall configuration directory is /etc/shorewall. There's a bunch of files there, most of them are empty and a few of them we won't ever need. Just in case let's make a backup of all these files before we start:
cd ~/soft/shorewall
OWNER=`id -u`.`id -g`
sudo tar cvzf Shorewall-CONFIG-empty-${MAJOR}.${MINOR}${PATCH}.tgz /etc/shorewall
sudo chown ${OWNER} Shorewall-CONFIG-empty-${MAJOR}.${MINOR}${PATCH}.tgz
The files we want in /etc/shorewall are the following:
- shorewall.conf: global configuration file
- Makefile: used by shorewall to detect modified config files and restart if necessary
- zones: we NAME all the zones (hosts and networks) that we need elsewhere (a zone named here must also be defined either in interfaces or hosts, but not both)
- interfaces: we DEFINE the network interfaces here
- tunnels: we DEFINE the VPNs here (what kind of vpn and over which actual interface it is tunneling)
- hosts: we DEFINE all the hosts and networks we have to reference
- policy: we DEFINE the POLICIES for the default action between every pair of ZONES
- rules: we DEFINE specific rules (exceptions to policies)
You'll have to sudo to edit these files.
shorewall.conf
See the complete attached shorewall.conf.
Here are a few settings I added or modified from the package's file:
SHOREWALL_COMPILER=perl
LOGFILE=/var/log/firewall
STARTUP_LOG=/var/log/shorewall-init.log
LOG_VERBOSITY=1
IMPLICIT_CONTINUE=Yes
OPTIMIZE=1
zones
We NAME here the zones we know (or want to know) about. We always include the firewall itself as fw. So far, all we know about is "the rest of the world", which we'll call net. We added a vpn zone to represent our vpn connected to tunX. Later on we'll want to address some fixed addresses here and there (e.g. the other LocalServers if they have fixed IPs, the CloudServer, etc).
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE       OPTIONS         IN OPTIONS      OUT OPTIONS
###############################################################################
fw      firewall
net     ipv4
vpn     ipv4
###############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# vim:ts=4
interfaces
We define the (only) interface here:
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
###############################################################################
net     eth0        -           tcpflags,logmartians,nosmurfs,norfc1918,blacklist
vpn     tun+        -           tcpflags,nosmurfs,blacklist
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# vim:ts=4
tunnels
We define the (only) vpn here:
#
# Shorewall version 4 - Tunnels File
#
# For information about entries in this file, type "man shorewall-tunnels"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-tunnels.html
#
###############################################################################
#TYPE           ZONE    GATEWAY         GATEWAY
#                                       ZONE
###############################################################################
openvpnserver net 0.0.0.0/0
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# vim:ts=4
hosts
So far, this is empty. In the future, we'll add here the definition of the hosts and subnets we know about.
#
# Shorewall version 4 - Hosts file
#
# For information about entries in this file, type "man shorewall-hosts"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-hosts.html
#
###############################################################################
#ZONE   HOST(S)     OPTIONS
###############################################################################
###############################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
#
# vim:ts=4
policy
Default actions between zones. So far, we have only 3 zones: the firewall itself, our vpn and the internet at large:
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST   CONNLIMIT:MASK
###############################################################################
# So far, we let all outgoing traffic to the internet.
# Some time it'd be wiser to analyze it and only allow
# what we know is correct (in order to minimize damage
# if the host is compromised)
fw      net     ACCEPT
# The default incoming policy is, obviously, DROP. We also log this
# (logs WILL be large, configure logrotate)
net     fw      DROP    info
# Allow traffic between hosts in the vpn
vpn     vpn     ACCEPT
# Reject traffic from the vpn to the firewall
# Log elsewhere to be able to spot problems
vpn     fw      REJECT  notice
# Allow traffic from the firewall to the vpn
fw      vpn     ACCEPT
# This is a fail safe... we should never get here
all     all     DROP    info
###############################################################################
#LAST LINE -- DO NOT REMOVE
#
# vim:ts=4
rules
Specific firewall rules (this is where the action is):
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION         SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL  RATE    USER/   MARK    CONNLIMIT   TIME
#                                       PORT    PORT(S) DEST      LIMIT   GROUP
####################################################################################################################################################
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
####################################################
# ICMP handling
####################################################
# Allow all icmp traffic from known nets
#ACCEPT         frnd1   fw      icmp
#ACCEPT         fw      frnd1   icmp
#ACCEPT         frnd2   fw      icmp
#ACCEPT         fw      frnd2   icmp
# Allow all icmp traffic from and to the vpn
ACCEPT          vpn     fw      icmp
ACCEPT          fw      vpn     icmp
# Allow all outgoing ICMP traffic
ACCEPT          fw      net     icmp
# Reject PING from outside
Ping/REJECT     net     fw
# Allow the rest of ICMP incoming traffic (failing to do so
# may render communication impossible if MTU must be adjusted)
ACCEPT          net     fw      icmp
####################################################
# SSH
####################################################
# We allow outgoing ssh connections
SSH/ACCEPT      fw      net
SSH/ACCEPT      fw      vpn
# For now at least, we also allow incoming ssh connections
# !! INSTALL denyhosts !!
SSH/ACCEPT      net     fw
SSH/ACCEPT      vpn     fw
####################################################
# DNS
####################################################
# Firewall can query DNS servers (we ALWAYS want this)
DNS/ACCEPT      fw      net
DNS/ACCEPT      fw      vpn
# If we set up a DNS server in here, enable incoming also
#DNS/ACCEPT     net     fw
DNS/ACCEPT      vpn     fw
####################################################
# NTP
####################################################
# Firewall can query NTP servers (we ALWAYS want this)
NTP/ACCEPT      fw      net
NTP/ACCEPT      fw      vpn
# Accept NTP queries from friends
# We accept NTP from our own networks
#NTP/ACCEPT     frnd1   fw
#NTP/ACCEPT     frnd2   fw
NTP/ACCEPT      vpn     fw
####################################################
# HTTP / HTTPS
####################################################
# Allow firewall to access web servers (we MIGHT want
# to restrict this later)
HTTP/ACCEPT     fw      net
HTTPS/ACCEPT    fw      net
HTTP/ACCEPT     fw      vpn
HTTPS/ACCEPT    fw      vpn
# We accept web requests from outside (we'll have a
# web server here)
HTTP/ACCEPT     net     fw
HTTPS/ACCEPT    net     fw
HTTP/ACCEPT     vpn     fw
HTTPS/ACCEPT    vpn     fw
####################################################
# FTP
####################################################
# Allow firewall to access ftp servers (we MIGHT want
# to restrict this later)
FTP/ACCEPT      fw      net
# We will accept ftp requests from outside if we set
# up a public ftp server
#FTP/ACCEPT     net     fw
####################################################
# MAIL (SMTP / POP3 / IMAP with or without SSL)
####################################################
# Firewall can send mail
# (Mail covers SMTP/SMTPS/Submission)
Mail/ACCEPT     fw      net
# Firewall can retrieve mail via POP3
POP3/ACCEPT     fw      net
POP3S/ACCEPT    fw      net
# Firewall can retrieve mail via IMAP4
IMAP/ACCEPT     fw      net
IMAPS/ACCEPT    fw      net
# Firewall can receive mail (it is a public
# mail server)
# (Mail covers SMTP/SMTPS/Submission)
Mail/ACCEPT     net     fw
# Anyone can retrieve mail from firewall
# via POP3 (it is a public mailbox server)
POP3/ACCEPT     net     fw
POP3S/ACCEPT    net     fw
# Anyone can retrieve mail from firewall
# via IMAP4 (it is a public mailbox server)
IMAP/ACCEPT     net     fw
IMAPS/ACCEPT    net     fw
####################################################
# OpenVPN
####################################################
# Firewall can communicate both ways to set up a VPN
# using OpenVPN
OpenVPN/ACCEPT  fw      net
OpenVPN/ACCEPT  net     fw
####################################################################################################################################################
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# vim:ts=4
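Before starting the firewall it pays to check that the four files above agree with each other, since Shorewall refuses to compile a policy that names an undeclared zone, and a missing fail-safe or an accidental net-to-fw ACCEPT is the kind of mistake that goes unnoticed until an audit. The script below is an added example (mine, not from the page or the Shorewall project): it writes constructed copies of the zones, interfaces, hosts and policy files shown above into a temporary directory and lints them. Only the file names and column layout are Shorewall's; the function names and sample contents are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page or the Shorewall project):
# offline lint for the zones / interfaces / hosts / policy files.

# write_samples DIR: constructed copies of the four files shown on the page
write_samples() {
    cat > "$1/zones" <<'EOF'
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
vpn     ipv4
EOF
    cat > "$1/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           tcpflags,logmartians,nosmurfs,norfc1918,blacklist
vpn     tun+        -           tcpflags,nosmurfs,blacklist
EOF
    cat > "$1/hosts" <<'EOF'
#ZONE   HOST(S)     OPTIONS
EOF
    cat > "$1/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
fw      net     ACCEPT
net     fw      DROP    info
vpn     vpn     ACCEPT
vpn     fw      REJECT  notice
fw      vpn     ACCEPT
all     all     DROP    info
EOF
}

# entries FILE: drop comments and blank lines so only real entries remain
entries() {
    sed 's/#.*//' "$1" | awk 'NF'
}

# check_policy_zones DIR: every SOURCE/DEST in policy is a declared zone or "all"
check_policy_zones() {
    zones=" $(entries "$1/zones" | awk '{ print $1 }' | tr '\n' ' ')"
    rc=0
    for z in $(entries "$1/policy" | awk '{ print $1; print $2 }' | sort -u); do
        [ "$z" = all ] && continue
        case "$zones" in
            *" $z "*) ;;
            *) echo "policy references undeclared zone: $z"; rc=1 ;;
        esac
    done
    return $rc
}

# check_catchall DIR: the last policy entry is the "all all DROP" (or REJECT) fail-safe
check_catchall() {
    set -- $(entries "$1/policy" | tail -n 1)
    [ "$1" = all ] && [ "$2" = all ] && { [ "$3" = DROP ] || [ "$3" = REJECT ]; }
}

# check_inbound_default DIR: an explicit net -> fw entry exists and is not ACCEPT
check_inbound_default() {
    entries "$1/policy" | awk '$1 == "net" && $2 == "fw" { found = 1; if ($3 == "ACCEPT") bad = 1 }
                               END { if (found && !bad) exit 0; exit 1 }'
}

# check_zone_definitions DIR: each non-firewall zone is defined in exactly one of interfaces/hosts
check_zone_definitions() {
    rc=0
    for z in $(entries "$1/zones" | awk '$2 != "firewall" { print $1 }'); do
        n=$(cat "$1/interfaces" "$1/hosts" | sed 's/#.*//' \
            | awk -v z="$z" 'NF && $1 == z { c++ } END { print c + 0 }')
        if [ "$n" -ne 1 ]; then
            echo "zone $z is defined $n times across interfaces and hosts (expected 1)"
            rc=1
        fi
    done
    return $rc
}

# lint_dir DIR: run every check, report problems, return non-zero if any failed
lint_dir() {
    status=0
    check_policy_zones "$1" || status=1
    check_catchall "$1" || { echo "policy: last entry is not 'all all DROP' (or REJECT)"; status=1; }
    check_inbound_default "$1" || { echo "policy: net -> fw must be an explicit DROP or REJECT"; status=1; }
    check_zone_definitions "$1" || status=1
    return $status
}

# demonstration on the constructed files; point lint_dir at /etc/shorewall for the real ones
demo=$(mktemp -d)
write_samples "$demo"
if lint_dir "$demo"; then
    echo "shorewall config lint: OK"
else
    echo "shorewall config lint: problems found"
fi
rm -rf "$demo"
```

Run it as a pre-flight step before sudo invoke-rc.d shorewall start (or from the Makefile Shorewall ships), with lint_dir /etc/shorewall; it only reads the files, so it needs no privileges beyond read access.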
Enabling Shorewall
To enable shorewall we have to edit /etc/default/shorewall and set
startup=1
and now to start it:
sudo invoke-rc.d shorewall start
startup at boot time
If all went well, shorewall will automatically start at boot time.
The install script in the -common package added a symlink to /etc/init.d/shorewall in /etc/rcS.d so that shorewall starts always even when booting in single user mode.
disabling shorewall startup at boot
If you don't want shorewall to startup at boot (but don't want to uninstall or unconfigure it) you can easily disable this:
sudo update-rc.d -f shorewall remove
This will show something like this:
Removing any system startup links for /etc/init.d/shorewall ...
   /etc/rcS.d/S40shorewall
Note the number (40) after /etc/rcS.d/S since you will have to use that same number to reenable shorewall startup at boot (it is not likely to change for current ubuntu/debian systems).
reenabling shorewall startup at boot
Use the number obtained above to initialize the STARTUPORDER variable below.
STARTUPORDER="40"
sudo update-rc.d shorewall start ${STARTUPORDER} S .
modifying syslog.conf so logs for the firewall are not mixed up with everything else
iptables logs its activity through syslog; we'll modify the syslog configuration so that firewall messages go to their own files instead of /var/log/syslog and /var/log/messages.
Download the patch file from here and put it in ~/soft/shorewall, then
cd /etc/
sudo patch < ~/soft/shorewall/Shorewall-syslog.conf.patch
Now create empty log files (they must exist) and restart syslog
sudo touch /var/log/firewall /var/log/firewall-friends.log
sudo invoke-rc.d sysklogd restart
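With the firewall log in its own file, the net fw DROP info policy above produces one kernel line per dropped packet, which is what makes those logs large and also what makes them useful. The script below is an added example (mine, not from the page) of the kind of summary worth running over /var/log/firewall: it assumes Shorewall's default LOGFORMAT, which prefixes each line with Shorewall:chain:disposition: (e.g. Shorewall:net2fw:DROP:), builds a constructed five-line log using documentation address ranges, and reports drops per chain, the busiest source and the ports that were probed. The function names and sample lines are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): summarize Shorewall log lines.
# Assumes the default LOGFORMAT "Shorewall:%s:%s:" (chain:disposition) as it
# appears in syslog; the sample lines are constructed (documentation addresses).

# write_sample_log FILE: constructed syslog excerpt in the format above
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 12 10:01:02 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40122 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 12 10:01:05 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 12 10:01:07 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40123 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 12 10:01:09 srv kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40124 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 12 10:02:00 srv kernel: Shorewall:vpn2fw:REJECT:IN=tun0 OUT= SRC=10.8.0.6 DST=10.8.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
EOF
}

# count_chain FILE CHAIN DISPOSITION: number of lines for e.g. net2fw DROP
# (grep -c still prints 0 when nothing matches; "|| true" hides its exit status 1)
count_chain() {
    grep -c "Shorewall:$2:$3:" "$1" || true
}

# top_source FILE: the source address with the most net -> fw drops
top_source() {
    grep 'Shorewall:net2fw:DROP:' "$1" \
        | sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }'
}

# dropped_ports FILE: distinct destination ports that were dropped, ascending
dropped_ports() {
    grep 'Shorewall:net2fw:DROP:' "$1" \
        | sed -n 's/.* DPT=\([0-9]*\) .*/\1/p' \
        | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# scan_suspects FILE MINPORTS: sources whose drops touched at least MINPORTS distinct ports
scan_suspects() {
    grep 'Shorewall:net2fw:DROP:' "$1" \
        | sed -n 's/.* SRC=\([0-9.]*\) .* DPT=\([0-9]*\) .*/\1 \2/p' \
        | sort -u \
        | awk -v min="$2" '{ c[$1]++ } END { for (s in c) if (c[s] >= min) print s }' \
        | sort
}

# demonstration on the constructed log; use /var/log/firewall on a real host
log=$(mktemp)
write_sample_log "$log"
echo "net -> fw drops:   $(count_chain "$log" net2fw DROP)"
echo "vpn -> fw rejects: $(count_chain "$log" vpn2fw REJECT)"
echo "busiest source:    $(top_source "$log")"
echo "ports probed:      $(dropped_ports "$log")"
echo "multi-port probes: $(scan_suspects "$log" 2)"
rm -f "$log"
```

The same one-liners work on the rotated files (zcat the .gz archives into them), which is the main reason to keep the firewall log separate from /var/log/syslog in the first place.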
enabling log rotation
Now that we have two new log files, let's rotate them so that they don't grow indefinitely.
Let's create a new file called /etc/logrotate.d/firewall with the following content:
/var/log/firewall {
    rotate 9
    weekly
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}
/var/log/firewall-friends.log {
    rotate 9
    monthly
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}
Next time that logrotate runs, it will start applying these new rules for rotating the firewall logs.
djb useful stuff
Let's install some stuff from D. J. Bernstein:
- daemontools for service handling and logging, installed as explained in InstalaciónDeDaemontools
- ucspi-tcp for easy tcp client/server configuration, installed as explained in InstalaciónDeUcspiTcp
- djbdns to have a safe local dns resolver, installed as explained in InstalaciónDeDjbDns and configured as a local resolver.
Now we don't depend on our ISP's resolvers.