Post by raisinman on Jan 12, 2011 22:34:27 GMT 7
This is my first attempt at posting any guides like this so please bear with me. I'll do my best to explain all my steps as I go along. Also I wrote this up in a plain text file so sorry that there is no formatting and no hyperlinks, I just tried to use consistent symbols etc. to highlight sections. I have added some colouring in these posts for convenience: blue = linux commands or text to be edited in config files, green = bits you need to customise not just copy and paste blindly.

I first set up all this config in a VirtualBox with Ubuntu 10.04 LTS. I created 3x50Gb virtual drives just to mess about with the RAID config. This guide doesn't cover any VirtualBox stuff. I started out with minimal Linux knowledge or experience. The only stuff I knew was what I had already done with the N5200, i.e. installing the SYS module to gain root access and playing with some basic commands. Doing this was a great way to learn a lot and using a VB test set up allowed me to experiment and make a lot of mistakes. From starting my testing to having a fully set up Ubuntu N5200 took about 2 months. Many thanks to all the helpful posts in this forum and the Ubuntu forums.

You can follow this guide and not have any data loss from your existing RAID, however as always make sure you have backups.

FIRST...SOME USEFUL TIPS TO MAKE LIFE EASIER AND AVOID SILLY MISTAKES

Persistent Root
sudo -i
You should use this all the time when following this set up guide or else you'll have to type sudo in front of all commands.

File & Folder Permissions
help.ubuntu.com/community/FilePermissions

vi Commands for editing config files etc
www.lagmonster.org/docs/vi.html
INS to edit mode
ESC to finish edit
:x to exit and save

SSH Access
Use SSH access to do all config as it allows copy and pasting from other machines, i.e. from this guide.
Command line tutorial
lifehacker.com/5633909/who-needs-a-mouse-learn-to-use-the-command-line-for-almost-anything

Ubuntu / Debian
Ubuntu is based on Debian so when looking for stuff to install on Ubuntu you'll typically be installing the Debian packages. Just wanted to let you know in case you spent ages searching for an Ubuntu installation file!

#===== Hardware Stuff =====#
The hardware I used for my set up was:

VGA Header: D-sub 15 Pin Connector for Motherboard/VGA Adapter Card, got mine off eBay (http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=310274177266) but I also saw a couple on a German website. They just clip in so no need to do any soldering. Might need to jiggle a little when you connect the monitor as it probably won't be tight against the contacts.

New 1Gb RAM stick: www.amazon.co.uk/gp/product/B0000V1A8A/ref=oss_product - Kingston Technology 1GB 400MHz DDR Non-ECC CL3 (3-3-3) DIMM
Ordered after reading this post: thecususergroup.proboards.com/index.cgi?action=gotopost&board=n5200modifications&thread=1499&post=14298

New DOM: www.amazon.co.uk/gp/product/B003ZSQDJQ/ref=oss_product - 8GB Integral MLC 44pin Horizontal ATA IDE Flash Module
I had originally planned to go for a Transcend as that's what most people seem to use but ended up going for an Integral one as it was much cheaper. Worked fine though. 4Gb will prob do too but 8 was as low as I could find.

CPU: And no, you can't replace the CPU in a non-pro unfortunately. You can in a Pro. Don't know any other details.

First remove all your drives and note the position they were in. This is especially important if you want to try to restore your RAID later without reformatting and starting from scratch. The N5200 is set up really nicely inside. It took me about 10 min to finish the hardware mods. Hopefully you'll have some previous experience in taking apart and putting together things.
There is a nice guide with pictures on this forum somewhere (here: thecususergroup.proboards.com/index.cgi?board=n5200modifications&action=display&thread=3855) which shows where the VGA header goes. Just open up your N5200 and stick the VGA header on the motherboard where the holes are near the other ports. Plug in a USB keyboard and a VGA monitor and start up. Now turn off the system. Plug in the new RAM in place of the old, reboot and make sure the system identifies the new RAM correctly. The RAM is counted during the boot up process, very obvious on screen. Turn off again, pull out the old DOM chip and put in your new one. This can be a bit tricky as it is very tight so be careful not to bend pins.

Let's move onto the next section to install Ubuntu... (will be in next post)
Post by raisinman on Jan 12, 2011 22:51:51 GMT 7
Following on from my first post...

#===== UBUNTU INSTALLATION =====#
Useful links:
mixeduperic.com/linux/how-to-install-ubuntu-server-part-1.html
User security: www.devarticles.com/c/a/JavaScript/Building-a-Secure-Web-Server/2/

Download Ubuntu 10.04 LTS ISO. 32-bit. Make bootable USB, I'm not going to describe this here. Just follow this guide: www.ubuntu.com/desktop/get-ubuntu/download

Plug in the USB stick and switch on the N5200 (still no hard drives). At partitioning options select 'guided, use entire disk and set up LVM', use 'max' volume. Make sure you don't select your USB stick by mistake. Don't auto update software and install OpenSSH as the only option on the software selection menu. For everything else use the defaults. For network interfaces, eth0 is the network port on the actual motherboard i.e. the lower one down on the back of the N5200. I used this as I figured it would be better than using the one on the expansion card (eth1), just make sure and pick the right one when it asks you.

-> update packages on first run
apt-get update
apt-get upgrade

-> install vim (text editor), for some reason it didn't install for me, it usually has done in the past.
apt-get install vim

>>>>> Make sure SSH is installed <<<<<
www.cyberciti.biz/faq/ubuntu-linux-openssh-server-installation-and-configuration/
apt-get install openssh-server openssh-client
Try SSH'ing into your new install from a PC. Might need to check your router to see what IP address has been assigned to the new install. Or run the ifconfig command in Ubuntu.

Now you can poweroff and replace all your drives. And disconnect your monitor and keyboard. From now on we'll be using SSH from another PC.

>>>>> Basic OS hardening after installation <<<<<
-> Disable unneeded users
cp /etc/passwd /etc/passwd.original
vi /etc/passwd
Assign a 'no login shell' to disable access to unneeded accounts: /bin/nologin
Delete users you know you don't need (be cautious, deleting users can mess up your install!)
My file now looks like:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/nologin
games:x:5:60:games:/usr/games:/bin/nologin
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/nologin
mail:x:8:8:mail:/var/mail:/bin/nologin
news:x:9:9:news:/var/spool/news:/bin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/nologin
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/nologin
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:103:108::/var/lib/landscape:/bin/nologin
<adminuser>:x:1000:1000:<adminuser>,,,:/home/<adminuser>:/bin/bash -> this is the line created for the user configured on installation

-> Running processes
A fresh install won't usually have any unneeded services but you can check all services with:
ps aux | less
netstat -a

Let's move onto our RAID configuration...
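A quick way to re-check the passwd edit above after the fact is to let a script list which accounts still have an interactive shell and which have UID 0. This is an added example, not part of raisinman's post; it runs against a constructed passwd sample written to a temp file, and the same functions can be pointed at /etc/passwd on a real box.

```shell
#!/bin/bash
# Added example (not from the original post): audit a passwd-format file.
# Both functions take a file path so they can be run as
#   list_interactive_accounts /etc/passwd
# on a live system.

# Print "user:shell" for every account whose shell is not nologin/false.
list_interactive_accounts() {
    local passwd_file="$1"
    awk -F: '
        # A shell ending in nologin or false is treated as a disabled login.
        $7 !~ /(nologin|false)$/ { print $1 ":" $7 }
    ' "$passwd_file"
}

# Print every account whose UID is 0; only root should appear.
list_uid0_accounts() {
    local passwd_file="$1"
    awk -F: '$3 == 0 { print $1 }' "$passwd_file"
}

# Constructed sample resembling the listing in the post (not a real system file).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/nologin
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
adminuser:x:1000:1000:adminuser,,,:/home/adminuser:/bin/bash
EOF

# Usage:
#   list_interactive_accounts "$SAMPLE_PASSWD"   -> root, daemon, adminuser
#   list_uid0_accounts "$SAMPLE_PASSWD"          -> root
```

Accounts such as daemon and www-data ship with /bin/sh on 10.04, so this list is a prompt to decide per account, not a verdict; any second UID-0 entry is worth investigating immediately.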
Post by raisinman on Jan 13, 2011 0:05:31 GMT 7
We have already set up our hardware and installed Ubuntu, next...

#===== RAID CONFIG =====#

# HOW TO CREATE A NEW RAID #
Useful links:
help.ubuntu.com/community/Installation/SoftwareRAID
www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch26_:_Linux_Software_RAID
sysadmingeek.com/articles/how-to-setup-software-raid-for-a-simple-file-server-on-ubuntu/
www.ducea.com/2009/03/08/mdadm-cheat-sheet/
I can't overstate how useful the mdadm cheat sheet (http://www.ducea.com/2009/03/08/mdadm-cheat-sheet) can be when dealing with RAID stuff, so make sure and familiarise yourself with it. It will be invaluable when you inevitably have a disk failure in the future.

I like to start with a fresh RAID and restore a backup. Don't panic though, details of restoring a Thecus RAID are further down.

>>>>> Install required packages <<<<<
apt-get install mdadm lvm2
You will be asked to config Postfix during this install. Just pick the default options.

>>>>> Find devices <<<<<
cd /dev
ls -l
- Your devices will be 'sd*'. e.g. with 5 disks mine are sdb,sdc,sdd,sde,sdf. Just make sure you don't use your DOM by mistake. You can query individual devices to confirm their details with 'hdparm -I /dev/sd*'

>>>>> List mounted devices to check not already in use (just in case...) <<<<<
df -k
umount /dev/sd** - unmount devices if required

>>>>> Check md0 (RAID mount point) not in use and stop & remove if required (just in case...) <<<<<
cat /proc/mdstat
mdadm --stop /dev/md0
mdadm --remove /dev/md0

>>>>> Adjust partitions <<<<<
fdisk /dev/sd*
-> Useful commands
m = help
p = list partition table
n = create partition
t = change file system
fd = Linux RAID auto mount FS
w = write to disk and exit
For my disks I did: delete the old partitions (d) – 2 per disk if coming from N5200, created new partitions (n) – all default options, changed filesystem (t) to Linux RAID auto mount FS (fd), check partition table (p), wrote to disk (w).
>>>>> Create RAID <<<<<
mdadm --create --verbose /dev/md0 --chunk=256 --level=5 --raid-devices=5 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1 /dev/sdf1

>>>>> Check RAID started okay <<<<<
cat /proc/mdstat
Or you can watch live status of build with:
watch -d cat /proc/mdstat
My build took about 10 hours with 5x750Gb disks.

>>>>> Format RAID <<<<<
I'm using the XFS file system since it is apparently slightly faster. Only drawback is that you can't shrink it, but who would want to shrink a RAID?
mkfs.xfs /dev/md0
Just change to mkfs.ext4 /dev/md0 for ext4 or stick in ext3 for that too. I also think the N5200 has a problem with ext4, I'm sure I read it somewhere but can't recall where.

>>>>> Create mdadm.conf file so that Ubuntu remembers RAID details <<<<<
Let's have a look at the details of the RAID then copy into conf file so that Ubuntu remembers on reboot
mdadm --detail --scan --verbose
mdadm --detail --scan --verbose > /etc/mdadm/mdadm.conf
Notice that examining the RAID (mdadm --examine --scan) gives you an error, so we need to edit the config file and change 'metadata=00.90' to 'metadata=0.90'.
vi /etc/mdadm/mdadm.conf
The examine command should now run without error
mdadm --examine --scan

>>>>> Optional: Have a look at the RAID read speed (I got 268.66Mb/sec on Virtualbox, 104Mb/sec on my N5200) <<<<<
hdparm -t /dev/md0

>>>>> Mount RAID array <<<<<
mkdir /mnt/raid
Configure the fstab file to mount RAID on startup
vi /etc/fstab
Add:
/dev/md0 /mnt/raid xfs defaults 1 2
Now we can mount anything in fstab not already mounted & list mounted devices to confirm that it has been mounted correctly
mount -a
mount

>>>>> Optional: add symlink for easy access if you want to access RAID via a different path <<<<<
linux.byexamples.com/archives/19/how-to-create-symlink/
cd /
ln -s /mnt/raid /raid

>>>>> Reboot and see if raid is there <<<<<
reboot
If it's not there you did something wrong! Read some of the links at the top of this section and try to sort it out.
Chances are the RAID has been created ok it just hasn't been configured in mdadm.conf or fstab properly.

# HOW TO RESTORE EXISTING RAID #
This is a fairly generic guide to remounting an existing RAID which should take you through the basic steps. I have used this to recover RAID arrays and it should work fine for the N5200. A working knowledge of mdadm is useful and you can find out all about it using the links in the section above. A very detailed N5200 specific guide is at: thecususergroup.proboards.com/index.cgi?board=n5200installations&action=display&thread=4156
apt-get install mdadm lvm2

>>>>> Find existing RAIDs and assemble <<<<<
mdadm --examine --scan
mdadm --assemble --scan --verbose
cat /proc/mdstat
This might create two arrays, one degraded array with 4/5 disks and a one disk array with the last disk. If that happens stop the one disk array and add the disk to fix the correct array:
mdadm --stop /dev/md_d0
mdadm /dev/md0 --add /dev/sdc1
cat /proc/mdstat (or: watch cat /proc/mdstat)
mdadm --detail --scan --verbose > /etc/mdadm/mdadm.conf
mkdir /mnt/raid
Configure fstab to mount raid on startup. Note that you will need the correct file system noted in here (xfs in this instance). To get your RAID filesystem try '/sbin/fdisk -l' or 'df -h'.
vi /etc/fstab
Add:
/dev/md0 /mnt/raid xfs defaults 1 2
-> mount anything in fstab not already mounted & list mounted devices
mount -a
mount

# IF YOU HAVE A DISK FAILURE #
Useful links:
en.wikipedia.org/wiki/Mdadm
www.howtoforge.com/how-to-resize-raid-partitions-shrink-and-grow-software-raid
www.ducea.com/2009/03/08/mdadm-cheat-sheet/
Hopefully this won't happen but the point of a RAID array is to allow this without any data loss.
You can test a failure before you have any data on your drives by simulating a failure using an mdadm command: mdadm /dev/md0 --fail /dev/sdXX (see: ubuntuforums.org/showthread.php?p=10002640)
mdadm /dev/md0 --fail /dev/sdXX
mdadm /dev/md0 --remove /dev/sdXX
mdadm /dev/md0 --add /dev/sdXX

Onwards to configuring your new server...
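Two things from this post lend themselves to a small script: spotting a degraded array in /proc/mdstat (the "[UUUU_]" marker, which is what you would see after the simulated --fail above or a real disk death) and the 'metadata=00.90' typo that --detail --scan writes into mdadm.conf. This is an added example, not raisinman's code; it works on constructed copies of both files so it can be tried without a RAID, and the functions take file paths so they can be pointed at /proc/mdstat and /etc/mdadm/mdadm.conf for real.

```shell
#!/bin/bash
# Added example (not from the original post). Assumes the mdstat layout of
# Ubuntu 10.04 era kernels: "mdN : active ..." followed by a line ending in
# "[n/m] [UUU_]" where "_" marks a missing member.

# Print the name of every array whose member marker contains "_".
degraded_arrays() {
    local mdstat_file="$1"
    awk '
        /^md[0-9]+ :/ { name = $1; next }
        /\[[U_]+\]/ && name != "" {
            match($0, /\[[U_]+\]/)
            status = substr($0, RSTART, RLENGTH)
            if (index(status, "_") > 0) print name
            name = ""
        }
    ' "$mdstat_file"
}

# Rewrite "metadata=00.90" to "metadata=0.90" in place and print how many
# ARRAY lines now carry the corrected version.
fix_metadata_version() {
    local conf_file="$1"
    sed -i 's/metadata=00\.90/metadata=0.90/' "$conf_file"
    grep -c 'metadata=0\.90' "$conf_file"
}

# Constructed sample: md0 healthy (5/5), md1 a mirror missing one disk.
SAMPLE_MDSTAT=$(mktemp)
cat > "$SAMPLE_MDSTAT" <<'EOF'
Personalities : [raid1] [raid5]
md0 : active raid5 sdf1[4] sde1[3] sdd1[2] sdc1[1] sdb1[0]
      2930274560 blocks level 5, 256k chunk, algorithm 2 [5/5] [UUUUU]

md1 : active raid1 sdh1[1] sdg1[0]
      976759936 blocks [2/1] [U_]

unused devices: <none>
EOF

# Constructed mdadm.conf with the "00.90" value and a placeholder UUID.
SAMPLE_MDADM_CONF=$(mktemp)
cat > "$SAMPLE_MDADM_CONF" <<'EOF'
ARRAY /dev/md0 level=raid5 num-devices=5 metadata=00.90 UUID=00000000:00000000:00000000:00000000
EOF

# Usage:
#   degraded_arrays "$SAMPLE_MDSTAT"            -> md1
#   fix_metadata_version "$SAMPLE_MDADM_CONF"   -> 1
```

degraded_arrays is the kind of check you can run from cron and pipe into the mail setup in the next post, alongside mdadm --monitor, so a failed member is noticed before a second one goes.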
Post by raisinman on Jan 13, 2011 4:42:59 GMT 7
Cheers drewy, your posts helped me in this too. Anyway, next installment.

Now that we have Ubuntu and our RAID set up we'll do the long bit ...

#===== INSTALL SERVICES/PACKAGES =====#
Feel free to skip any of these services/packages. They are just a set of what I would consider essentials in my own build.

#----- EXIM – Mailserver for error warnings/notifications, etc. -----#
Useful links:
www.manu-j.com/blog/wordpress-exim4-ubuntu-gmail-smtp/75/
blog.mansonthomas.com/2009/04/send-mail-through-gmail-smtp-server.html
basskozz.wordpress.com/2008/12/07/how-to-setup-a-raid5-software-mdadm-array-w-email-notifications-via-gmail-the-easy-way/
This is my guide to configuring for GMail. I don't know how to do it for anything else. Do some Googling to find out if you need to.

>>>>> Installation and initial config <<<<<
apt-get install exim4 openssl
dpkg-reconfigure exim4-config
For installation options choose:
- mail sent by smarthost; received by SMTP...
- <your desired mail source e.g. companyname.com>
- leave as is i.e. 127.0.0.1
- leave other destinations blank
- Leave Machines to relay mail for: blank
- Type Machine handling outgoing mail for this host (smarthost): smtp.gmail.com::587
- Choose NO, don't hide local mail name in outgoing mail.
- Choose NO, don't keep number of DNS-queries minimal (Dial-on-Demand).
- Choose mbox
- Choose NO, split configuration into small files
- Mail for postmaster. Leaving blank will not cause any problems though it is not recommended.
These options may not all be presented to you depending on any updates that EXIM make to their package. When installing on my N5200, one of the options had disappeared since my first testing on VirtualBox.

>>>>> Edit config file <<<<<
cp /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template.original
vi /etc/exim4/exim4.conf.template
Find '.ifdef DCconfig_smarthost DCconfig_satellite' section around 50% down file and add this:
send_via_gmail:
  driver = manualroute
  domains = ! +local_domains
  transport = gmail_smtp
  route_list = * smtp.gmail.com
If you have any other smarthost defined with "domains = ! +local_domains" remove that smarthost. I had to comment out all of 'smarthost:'. But don't comment out the last '.endif'

Find comment 'transport/30_exim4-config_remote_smtp_smarthost' about 80% down the file and add this to section:
gmail_smtp:
  driver = smtp
  port = 587
  hosts_require_auth = $host_address
  hosts_require_tls = $host_address
Now comment out section 'remote_smtp_smarthost:' all the way down to the next comment section.

Find 'begin authenticators' about 87% down file and add this to section, don't forget to add your email details:
gmail_login:
  driver = plaintext
  public_name = LOGIN
  client_send = : YourGmailLogin@gmail.com : YourGmailPassword
Make sure you have no other authenticators with the same public_name (LOGIN). Comment them out if needed. I had to comment out all of 'login:' section starting at 99% to end of file.

>>>>> Add Gmail authentication info <<<<<
vi /etc/exim4/passwd.client
Add:
Gmail-smtp.l.google.com:YourGmailLogin@gmail.com:YourGmailPassword
*.google.com:YourGmailLogin@gmail.com:YourGmailPassword
smtp.gmail.com:YourGmailLogin@gmail.com:YourGmailPassword
>>>>> Edit aliases to avoid delivery failure messages <<<<< (http://ubuntuforums.org/showthread.php?t=1057294)
vi /etc/aliases
Check what <name> is beside 'root:' it should be your admin user.
vi /etc/exim4/email-addresses
Add:
<name - the one in the aliases file next to root>: <real email address you want it to come from>
>>>>> Test config & restart <<<<<
Test for errors in your config, if errors exist, fix them. Usually the detail returned is sufficient to fix the error. If not use Google.
update-exim4.conf
Clear any old logs, usually only needed if you had errors before. You can refer to these logs later if the email doesn't work. Then Google is your friend.
rm /var/log/exim4/paniclog
rm /var/log/exim4/mainlog
Restart EXIM service
/etc/init.d/exim4 restart
>>>>> Send test email <<<<<
mail <your email address>
<enter subject>
<type message, end message by typing . on a new line>
Try this command if test email doesn't work, give it a few minutes though. It seems to force mail through if it is stuck somewhere in a queue.
exim -qff

>>>>> Add alerting to mdadm <<<<<
vi /etc/mdadm/mdadm.conf
Add:
MAILADDR <YourEmailAddress_Where-you-want-mdadm-notifications-sent@email.com>
Test alerting:
mdadm --monitor --scan --test --daemonise
Add cron job to alert every day at 00:01. Or whenever you want. Check out en.wikipedia.org/wiki/Cron for details of the structure of the crontab file.
vi /etc/crontab
Add:
01 0 * * * root mdadm --monitor --scan --test --daemonise
And at the top of crontab add this to stop delivery failure notices: 'MAILTO=example@example.com'
#----- SendEmail - Nice easy email sending tool for cronjob or command line emails -----#
This section will detail how to set up a notification email which is to be sent every time the server starts up. You can set up other alerting etc if you want. This is just a basic guide to how it can be used.
apt-get install sendemail
>>>>> Add email alerting on startup <<<<<
Make a script file:
vi /home/<adminuser>/startupemail/startupemail.sh
The file should contain:
#!/bin/bash
# a script for sending myself an email on startup
echo "Server startup notification for:" > startupemail.txt
hostname >> startupemail.txt
echo " " >> startupemail.txt
echo "Startup occurred at:" >> startupemail.txt
date >> startupemail.txt
sendEmail -f <source email address> -t <destination email address> -u "Server Startup" -o message-file=startupemail.txt
I believe that <source email address> can be anything you want but I just use the same thing for both source and destination which seems to work.
>>>>> Set to executable and configure to run on startup <<<<<
chmod 755 /home/<adminuser>/startupemail/startupemail.sh
ln -s /home/<adminuser>/startupemail/startupemail.sh /etc/init.d/startupemail.sh
Add to startup script:
update-rc.d startupemail.sh defaults
-> Reboot to test
reboot
#----- SAMBA (SMB) -----#
Useful links:
www.howtogeek.com/howto/ubuntu/install-samba-server-on-ubuntu/
tldp.org/HOWTO/SMB-HOWTO-7.html
linux.die.net/man/5/smb.conf
www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
www.brennan.id.au/18-Samba.html
www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html
SAMBA allows you to access your server from PCs/MACs etc. And it lets you configure who gets access to what. You’ll need this set up before you start trying to map drives from your computer.
apt-get install samba smbfs
>>>>> Configure users <<<<<
To allow mapping of a drive you need to add a username and password to SMB. If the name you added is associated with a linux user but is not identical you need to let SMB know the mapping.
Let's add 'John', but john already has a linux account called 'john'.
smbpasswd -a John
vi /etc/samba/smbusers
add line: john = "John"
For each user you need a linux account (useradd Jane) & a SMB account (smbpasswd -a Jane). But unless you know they will be logging directly into the server via SSH then they don't need a home directory, and you can disable the ability to log in directly. Do this with:
useradd -M -s /sbin/nologin Jane
-M creates user without a home dir, -s stops login
And if you later want to remove them:
userdel -r Jane
Now set a password and set up their SMB account:
passwd Jane
smbpasswd -a Jane
>>>>> Make the shares you need on your RAID array <<<<< Make all the shares you need for now. I like to replicate the structure of the N5200 as I already have mappings to these locations in Windows.
I want to test my SMB configuration to make sure it works also so I am creating a couple of directories which will have restricted access. You’ll need to have a read of this to understand the permissions and chmod/chown: help.ubuntu.com/community/FilePermissions
Share for everyone:
mkdir /raid/data
chmod -R 0777 /raid/data
Share for John only:
mkdir /raid/john
chown john /raid/john
chmod -R 0700 /raid/john
Share for Jane only:
mkdir /raid/jane
chown Jane /raid/jane
chmod -R 0700 /raid/jane
>>>>> Configure SMB <<<<<
Make a copy of the file in case you wreck it! It's a mistake I made.
cp /etc/samba/smb.conf /etc/samba/smb.conf.master
Now we edit the 'master' file which will later be parsed to the non-master file. So always do your editing in the master one.
vi /etc/samba/smb.conf.master
Edit server string to '%h' only
Add these lines under Global section:
#dos filenames
dos charset = cp950
#hosts
hosts allow = 127.0.0.1 192.168.0.0/24
hosts deny = 0.0.0.0/0
Uncomment 'security=user'
To make our user mapping from earlier work add this below the 'security=user' bit:
username map = /etc/samba/smbusers
Change unix password sync to 'yes'
Now let's add our network share details. Details of all the options can be found at www.brennan.id.au/18-Samba.html
Add these under the commented out [homes] section:
[shared]
comment = Shared Data
path = /raid/data
read only = No
guest ok = Yes
public = Yes
browseable = Yes
writeable = Yes
create mask = 0777
directory mask = 0777
inherit permissions = yes

[johnonly]
comment = John Only
path = /raid/john
read only = No
guest ok = No
browseable = No
create mask = 0700
directory mask = 0700
valid users = John

[janeonly]
comment = Jane Only
path = /raid/jane
read only = No
guest ok = No
browseable = No
create mask = 0700
directory mask = 0700
valid users = Jane

Comment out all the other junk, e.g. printers, unless you are going to use them of course. I didn't so don't know how they should be config'ed.

>>>>> Test config & write master file <<<<<
Test the configuration file for errors. Output of test is usually clear enough to fix the error. Otherwise Google it.
testparm /etc/samba/smb.conf.master
Parse the 'master' into the smb.conf file. This strips out all the comments and leaves only the valid content. Apparently this significantly speeds up SMB since it no longer has to trawl through all the redundant crap. This is why when you make changes always edit the 'master' file and then run this command to strip out the comments and make the 'real' file.
testparm -s /etc/samba/smb.conf.master > /etc/samba/smb.conf

>>>>> Restart SAMBA <<<<<
service smbd reload
>>>>> Map some drives <<<<<
In Windows (or your OS of choice) you can now map network drives. Just create a new mapped drive and use your network location and share. You'll be asked to connect using a username and password. Try mapping your shared folder and your John/Jane only folders. And try accessing Jane's folder with John's credentials and vice versa to make sure the security works.
Note that the location is \\<server IP address>\<share name>
The share name is the bit in the square brackets in the smb.conf file. e.g. \\192.168.1.10\johnonly\
#----- WEBSERVER -----#
Useful Links:
www.howtoforge.com/installing-apache2-with-php5-and-mysql-support-on-ubuntu-10.04-lamp
netbeans.org/kb/docs/php/configure-php-environment-ubuntu.html - Moving doc root
developer.spikesource.com/wiki/index.php/How_to_change_the_mysql_database_location - Moving php db's
www.symantec.com/connect/articles/securing-php-step-step
www.dagondesign.com/articles/automatic-mysql-backup-script/
Obviously you only need all this stuff if you plan to host any webpages/webservices on your server. I do plan to (e.g. I have a nice PHP file which can be configured to send out a wake on LAN packet to my desktop machine to turn it on remotely just by visiting a webpage, I put this up on the forum if anyone is interested) so I’m installing it.
>>>>> Installation <<<<<
-> Install MySQL and associated packages. You will be asked for a password for MySQL, you can have anything but I just use my server admin password to keep it all simple.
apt-get install mysql-server mysql-client
-> Install apache2
apt-get install apache2
Goto http://<serverIPaddress> to confirm install worked. If not try reinstalling it again or try restarting it with
/etc/init.d/apache2 restart
-> Install PHP5
apt-get install php5 libapache2-mod-php5 php5-mysql php5-mcrypt php5-cli
Restart apache to apply PHP changes.
/etc/init.d/apache2 restart
To test if PHP was installed correctly create a webpage we can visit:
vi /var/www/info.php
Add this to the blank file:
<?php phpinfo(); ?>
Goto http://<serverIPaddress>/info.php and the PHP info should be displayed if everything worked.
-> Install phpMyAdmin
apt-get install phpmyadmin
Pick webserver 'apache2' and answer 'no' to 'Configure database for phpmyadmin with dbconfig-common?'
Access at http://<serverIPaddress>/phpmyadmin/ to confirm that it is working. The username is 'root' and the password is the MySQL password you picked earlier.
We will change the phpmyadmin admin website to something less obvious
vi /etc/phpmyadmin/apache.conf
Change 'Alias /phpmyadmin /usr/share/phpmyadmin' to
Alias /<new location> /usr/share/phpmyadmin
Reload apache to apply changes and try to access phpMyAdmin at http://<serverIPaddress>/<newlocation>/
/etc/init.d/apache2 reload
>>>>> Configuration <<<<<
-> Disable insecure modules
Most of these were not actually installed by default on my machine but I ran the disable command anyway in case. If you end up needing them later use a2enmod.
a2dismod mod_imap
a2dismod mod_include
a2dismod mod_info
a2dismod mod_userdir
a2dismod mod_status
a2dismod mod_cgi
a2dismod mod_autoindex
-> Move webserver directory
I wanted my webserver directory to be on the RAID so that it would be subject to the same disk failure protection as the rest of my files. The default location is on the DOM module with the rest of the Ubuntu installation. I followed this guide on moving the document root directory to the RAID (http://netbeans.org/kb/docs/php/configure-php-environment-ubuntu.html), but here is my brief summary of the commands I used:
mkdir /raid/webserver
mkdir /raid/webserver/www
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default.original
vi /etc/apache2/sites-available/default
Change document root & directory directive to '/raid/webserver/www/' or wherever you want to store it. Save file and reload apache.
/etc/init.d/apache2 reload
-> Configure regular backups of SQL DBs
Although the webserver files are on the RAID, the SQL DBs are still on the DOM. So I wanted a way to make sure I had these backed up on the RAID. I followed this guide: www.dagondesign.com/articles/automatic-mysql-backup-script/
But again I have included the steps for you here too. You’ll have to download the two PHP files from the website linked above.
Copy the two PHP files into a directory in your user home:
mkdir /home/<admin user>/DBBackup
Edit (with vi) the config file and add your MySQL root password, DB backup location, etc.
Test the backup by running this command:
php backup_dbs.php
If you get an error about deprecated comments follow this solution: www.asim.pk/2010/06/21/php-depreciated-errors-on-ubuntu-10-04-lts/
Add to Cron to run regularly (monthly in this case at 3am on 1st of month)
vi /etc/crontab
Add line:
0 3 1 * * php /home/<admin user>/DBBackup/backup_dbs.php
>>>>> Apache user & webserver document root security <<<<<
Useful links:
www.petefreitag.com/item/505.cfm
www.linuxsecurity.com/content/view/133913/171/
-> Run apache under own user and group to increase security
Add group and user for apache
groupadd apache
useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin
Edit envvars file and change the user and group names to the new ones
cp /etc/apache2/envvars /etc/apache2/envvars.original
vi /etc/apache2/envvars
Restart apache
/etc/init.d/apache2 restart
List processes and users to confirm that apache is now running under new user
ps -A u
-> Configure file permissions and SAMBA access to webserver directory
Give webserver directory appropriate permissions:
chown apache /raid/webserver/www
chmod 0755 /raid/webserver/www
Edit the SMB config file to add the webserver as a share which can be mapped from other machines. Change the valid users section to whoever you want to be able to map it, make sure and include the ‘apache’ user. vi /etc/samba/smb.conf.master
Add to shares section:
[webserver]
comment = Webserver
path = /raid/webserver/www
read only = Yes
guest ok = No
browseable = No
create mask = 0644
directory mask = 0755
valid users = John, Jane, apache
write list = John, Jane, apache
force group = apache
force user = apache
Test your SMB config file and write the master to the 'real' file, then reload smb.
testparm /etc/samba/smb.conf.master
testparm -s /etc/samba/smb.conf.master > /etc/samba/smb.conf
service smbd reload
>>>>> PHP security <<<<< The steps I followed are below. But I followed a good guide on this site: www.symantec.com/connect/articles/securing-php-step-step
Edit the php.ini config file.
cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.original
vi /etc/php5/apache2/php.ini
Make sure the following parameters are correctly set:
safe_mode = On
safe_mode_gid = Off
expose_php = Off
register_globals = Off
display_errors = Off
log_errors = On
-> Stop CSS and SQL Injection attacks using modsecurity (http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/)
apt-get install libapache-mod-security
vi /etc/apache2/conf.d/modsecurity2.conf
Add:
<ifmodule mod_security2.c>
Include conf.d/modsecurity/*.conf
</ifmodule>
mkdir /var/log/apache2/mod_security
ln -s /var/log/apache2/mod_security/ /etc/apache2/log
Download modsecurity rule filename. Make sure and visit this website to find the latest rule filename update in the commands below: www.modsecurity.org/download/index.html
mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
wget www.modsecurity.org/download/modsecurity-apache_2.5.13.tar.gz
tar xzvf modsecurity-apache_2.5.13.tar.gz
rm CHANGELOG LICENSE README modsecurity-apache_2.5.13.tar.gz
Update apache configuration
vi /etc/apache2/apache2.conf
Find "Include /etc/apache2/conf.d/" (line 233 in my file) and change it to:
Include /etc/apache2/conf.d/*.conf
Add these lines below it:
Include /etc/apache2/conf.d/security
Include /etc/apache2/conf.d/localized-error-pages
Include /etc/apache2/conf.d/charset
Save file and run this command to enable modsecurity module:
a2enmod mod-security

>>>>> Restart apache <<<<<
/etc/init.d/apache2 restart
apache2ctl -t
apache2ctl restart
#----- VPN Server - PPTP -----#
Useful links: www.ubuntugeek.com/howto-pptp-vpn-server-with-ubuntu-10-04-lucid-lynx.html
This is easier to configure than OpenVPN but less secure; an OpenVPN guide is below. Also Windows already has a built-in client for PPTP VPNs but you need to install a new one for OpenVPN. I’d stick to this if you're not too concerned about security and are just a regular home user.
>>>>> Install and configure your VPN server <<<<<
apt-get install pptpd
vi /etc/pptpd.conf
Edit settings at bottom to:
localip 192.168.0.3 #this is the fixed IP of the NAS
remoteip 192.168.0.60-65 #this is the IP range the remote connection will be assigned
vi /etc/ppp/chap-secrets
Add:
# client server secret IP addresses
<yourusername> pptpd <yourpassword> *
>>>>> Hardening your VPN <<<<<
vi /etc/rc.local
Add these lines above 'exit 0':
# PPTP IP forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# SSH Brute Force Protection
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
vi /etc/sysctl.conf
Uncomment line:
net.ipv4.ip_forward=1
reboot
#----- VPN Server - OpenVPN -----#
Useful links: www.ossramblings.com/configuring_openvpn_ubuntu_hardy
To be honest, I struggled to get this working and it was more bother than it was worth. I think in future I’ll stick to PPTP.
>>>>> Install VPN packages <<<<<
apt-get install openvpn dnsmasq openssl
Install OpenVPN, the previous step only really downloaded it.
mkdir /etc/openvpn
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
cd /etc/openvpn/
mkdir keys
touch /etc/openvpn/keys/index.txt
echo 01 > /etc/openvpn/keys/serial
Save the index.txt file completely empty.
Edit the vars file to configure OpenVPN:
vi vars
Now amend the details at the end of this file for your own locale. Then save the file.
>>>>> Certificates & keys <<<<<
Add certificate information, just answer the questions when you run this:
source ./vars
./build-ca
Build server key:
./build-key-server server
Build client certificate. If you are planning on using a certificate per client make sure you change the name of the client to make it identifiable. You can use the same certificate across all remote clients.
./build-key <client-name>
NOTE: if you close the console and come back later to generate more keys, you'll need to run "source ./vars" before running build-key again.
Build DH key, could take a few minutes so don’t panic if it looks like it has stopped working.
./build-dh
Once completed, copy the "client-name.key", "client-name.crt" and "ca.crt" files securely to the client machine.
>>>>> Setup the server configuration file <<<<<
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz
vi /etc/openvpn/server.conf
Edit these lines:
;local 1.2.3.4 -> local <server's IP address>
port 1194 -> port <whatever you want to listen on, also config firewall to let this through to server's IP>
proto udp -> proto tcp [tcp is more reliable]
dev tun [leave uncommented, this is the one we want]
Further down in the file we need to tell the config file where the keys are:
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
Later in the file we need to specify the subnet for adding client IPs to. This example will give all connections an IP address of 10.8.0.*
server 10.8.0.0 255.255.255.0
We need to specify what local network IP addresses are available to the clients. This example allows IP addresses 192.168.0.* to be accessed by the clients.
push "route 192.168.0.0 255.255.255.0"
Now change the user and group to the ‘nobody’ user to make the VPN server run with least privileges. You can recheck your users by looking in /etc/passwd
user nobody
group nogroup
>>>>> Start the server to check for errors <<<<<
openvpn /etc/openvpn/server.conf
>>>>> Configure to run on startup <<<<<
vi /etc/default/openvpn
Uncomment:
AUTOSTART="all"
/etc/init.d/openvpn start
Now install a client on your remote OS (google for instructions) and point it to the key files created earlier; OpenVPN GUI is the Windows client.
#----- WEBMIN -----#
Useful links: doxfer.webmin.com/Webmin
Webmin is a really handy web interface for configuring your server. Saves a lot of command line work and can help when tweaking settings, especially if you're not certain what the commands are.
>>>>> Install Webmin dependencies <<<<<
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl
>>>>> Add Webmin repository to sources list <<<<<
vi /etc/apt/sources.list
Add these at the bottom of the file:
#Webmin source
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
>>>>> Download and install GPG key which Webmin is signed with <<<<<
cd /root
wget www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
rm jcameron-key.asc
>>>>> Update repository list and install Webmin <<<<<
apt-get update
apt-get install webmin
Access Webmin on https://<serverIP>:10000
And that is your server set up complete. Read on for some additional services which I installed...
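The PHP hardening step above lists six php.ini directives to check by hand. Here is an added example (my own code, not part of raisinman's guide) that audits a php.ini the way PHP itself reads it: comment lines starting with ';' are ignored, the last uncommented assignment wins, and the boolean spellings PHP accepts (On/1/true/yes, Off/0/false/no/none) are normalised before comparing. The function names, the expected-value table and the sample php.ini are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini against the
# directive values the guide asks for. POSIX sh + awk only, runs offline.

# The settings the guide says to check, one "directive value" per line.
PHP_EXPECTED='safe_mode On
safe_mode_gid Off
expose_php Off
register_globals Off
display_errors Off
log_errors On'

# php_ini_get FILE DIRECTIVE
# Prints the effective value of DIRECTIVE in FILE. Like PHP, it ignores
# ';' comment lines and lets the last uncommented assignment win.
# Prints "unset" when the directive never appears uncommented.
php_ini_get() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)       # strip a trailing comment
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { print (found ? val : "unset") }' "$1"
}

# php_bool VALUE
# Normalises the spellings PHP accepts for booleans so that log_errors = 1
# is not flagged as different from log_errors = On. Anything else
# (including "unset") is returned lower-cased as-is.
php_bool() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '"')
    case "$v" in
        on|1|true|yes)           echo on ;;
        off|0|false|no|none|"")  echo off ;;
        *)                       echo "$v" ;;
    esac
}

# php_ini_audit FILE
# Prints "directive: got X, want Y" for every mismatch. Exit status 0 means
# every expected directive is set as the guide asks, 1 otherwise, so the
# function can gate a deployment script.
php_ini_audit() {
    report=$(printf '%s\n' "$PHP_EXPECTED" | while read -r key want; do
        got=$(php_ini_get "$1" "$key")
        if [ "$(php_bool "$got")" != "$(php_bool "$want")" ]; then
            echo "$key: got $got, want $want"
        fi
    done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample php.ini for the demo below (not a real server's file).
make_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample, mimics a fresh install that nobody has hardened
[PHP]
engine = On
safe_mode = Off
safe_mode_gid = Off
expose_php = On    ; advertises the PHP version in the Server header
register_globals = Off
display_errors = On
; log_errors = On   (commented out, so PHP falls back to its built-in default)
EOF
}

# Demo run: four findings (safe_mode, expose_php, display_errors,
# log_errors) and a non-zero exit status.
tmp=$(mktemp)
make_sample_ini "$tmp"
php_ini_audit "$tmp" || echo "php.ini is not hardened as the guide requires"
rm -f "$tmp"
```

Point it at /etc/php5/apache2/php.ini after editing to confirm nothing was missed. Note that safe_mode and register_globals were removed from PHP in 5.4, so on a newer PHP those two will legitimately report "unset" and the table should be trimmed accordingly.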
Post by raisinman on Jan 13, 2011 4:43:39 GMT 7
Last installment... I have already shown you how to set up your server with what I consider essential services. The following are brief guides to other services I installed because I want a full media server. These guides will be a lot briefer with fewer comments. If you have gotten this far you should be familiar with what is happening and not need so much hand-holding.
#----- TWONKYMEDIA SERVER -----#
Links: www.thingyson.me.uk/2010/11/02/installing-twonkyserver-on-ubuntu-lucid-lunx-10-04-1/
Tried and tested best media server for streaming media to the PS3.
Download the linux version to a shared folder or using wget. Navigate to the download directory and run the file:
sh twonky......
Config network interface file if you can’t access Twonky on http://<IPaddress>:9000 (I didn't need this step)
cp /etc/network/interfaces /etc/network/interfaces.old
vi /etc/network/interfaces
Add this to bottom:
# Adding a multicast static route for Twonkymedia Server
up route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0
Config automatic startup:
update-rc.d twonkyserver defaults 99 20
Access at <IPaddress>:9000
#----- Squeezebox Server -----#
Links: havetheknowhow.com/Install-the-software/Install-Squeezebox-server.html
theskreegs.blogspot.com/2009/02/mythtv-squeezecenter-squeezeslave.html
If you don’t have a squeezebox then this will be pretty useless to you.
>>>>> Add source <<<<<
vi /etc/apt/sources.list
Add:
#Squeezebox Server Source
deb http://debian.slimdevices.com testing main
This will allow you to install the stable beta version. This didn’t work for me so I had to change the source to
deb http://debian.slimdevices.com stable main
apt-get update
>>>>> Install & Configure <<<<<
Beware of some issues with AppArmor where squeezeboxserver refuses to install properly. So stop it just in case, it will restart automatically next time you reboot:
/etc/init.d/apparmor stop
apt-get install squeezeboxserver
Kill Squeezeboxserver after install:
ps -A (lists all running processes)
kill #### (kill relevant process id)
Run on new port to avoid conflict with Twonky:
cd /etc/init.d/
squeezeboxserver --httpport 9010
Kill with Ctrl+C and restart as a service:
service squeezeboxserver start
#----- SUBSONIC -----#
Links: www.subsonic.org/pages/installation.jsp#
Subsonic is a music streaming service. It can stream music to computers in your house or over the internet to other PCs or your phone over wifi or 3G. It doesn’t require the webserver to be installed. Download the Debian installer (subsonic-x.x.deb) and place it in a shared folder so that you can access it. Or download with wget.
>>>>> Install Java & Media codecs <<<<<
apt-get install openjdk-6-jre lame flac faad vorbis-tools ffmpeg
>>>>> Install Subsonic <<<<<
Navigate to where you downloaded the subsonic setup file.
mkdir -p /var/subsonic/standalone
tar -C /var/subsonic/standalone -zvxf subsonic-x.x.x.tar.gz
>>>>> Configure to run on startup <<<<<
www.activeobjects.no/subsonic/forum/viewtopic.php?t=1634
Access the configuration on http://<server IP>:4040
#----- NAIL -----#
Simple email client for command line reading of /var/mail/*
apt-get install nail
#----- PS3 MEDIASERVER – I’ve not used yet but heard it's good -----#
Links: help.ubuntu.com/community/Ps3MediaServer
ps3mediaserver.org/forum/viewtopic.php?f=3&t=4253
ps3mediaserver.org/forum/viewtopic.php?f=3&t=254
Not installed it as Twonky is great for me. Heard it is good though but needs a bit of configuration to work.
#----- System monitoring -----#
www.ubuntugeek.com/monitoring-ubuntu-services-using-monit.html
Not set up yet. Webmin allows you to set up email alerts for a lot of stuff anyway. I will probably get round to playing with this but not in any rush.
# Extra Guide: How to map shares (e.g. windows folders) in Ubuntu #
Links: randomspark.wordpress.com/2007/09/02/map-your-windows-shared-folder-into-linux-kubuntu/
wiki.ubuntu.com/MountWindowsSharesPermanently
Thought I’d throw in a bit of useful info on mapping Windows shares in Ubuntu. It’s really helpful if you’re restoring backups or just trying to do some transfers from Windows to Ubuntu.
smbmount //servername/sharename /media/mountname -o cifs username=myusername,password=mypassword,iocharset=utf8,file_mode=0777,dir_mode=0777
This is the command I used to map my N5200 Thecus share to an Ubuntu share while playing in VirtualBox (get the admin UID,GID from the /etc/passwd file on the Thecus). I think this will work with any Linux or Mac share.
mount -t cifs //<Thecus share directory> /mnt/network/N5200/ -o user=<username>,pass=<password>,uid=<UID>,gid=<GID>
To create persistent mounts so that they don’t disappear at next reboot, add an entry to fstab:
vi /etc/fstab
For a SMB (Windows) share, add:
//servername/sharename /media/mountname cifs username=myusername,password=mypassword,iocharset=utf8,file_mode=0777,dir_mode=0777 0 0
For a N5200 (or probably any other Linux/MAC) share:
//<Thecus share directory> /mnt/network/N5200/ cifs user=<username>,pass=<password>,uid=<UID>,gid=<GID>
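The fstab entries in the share-mapping section put the share password directly into /etc/fstab, which is readable by every local user on the box. mount.cifs also accepts a credentials=FILE option, so the username and password can live in a root-only file instead. Here is an added example (my own code, not from raisinman's post) that writes such a file with mode 0600, emits the matching fstab line, and audits an fstab for cifs entries that still carry password= or pass= in their options. The function names, the sample fstab and the path /root/.smbcreds-n5200 are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: keep CIFS passwords out of
# /etc/fstab. mount.cifs reads credentials=FILE in place of
# username=/password=, so the secret can sit in a root-only file.

# cifs_write_credentials FILE USERNAME PASSWORD [DOMAIN]
# Writes the credentials file with mode 0600 from the start (umask 077), so
# the password is never readable by other users, not even briefly.
cifs_write_credentials() {
    old_umask=$(umask)
    umask 077
    {
        printf 'username=%s\n' "$2"
        printf 'password=%s\n' "$3"
        if [ -n "${4:-}" ]; then printf 'domain=%s\n' "$4"; fi
    } > "$1"
    umask "$old_umask"
    chmod 600 "$1"
}

# cifs_fstab_line SHARE MOUNTPOINT CREDFILE [EXTRA_OPTS]
# Emits the fstab entry for SHARE using the credentials file; the guide's
# uid=,gid=,iocharset= options can be passed in EXTRA_OPTS.
cifs_fstab_line() {
    opts="credentials=$3"
    if [ -n "${4:-}" ]; then opts="$opts,$4"; fi
    printf '%s %s cifs %s 0 0\n' "$1" "$2" "$opts"
}

# cifs_fstab_audit FSTAB
# Prints every cifs entry whose mount options carry a cleartext password
# (password= or pass=), one "share -> mountpoint" per line. Exit status is
# 0 only when nothing was found, so it can run from a cron job or a
# configuration check.
cifs_fstab_audit() {
    found=$(awk '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == "cifs" && ("," $4) ~ /,(password|pass)=/ { print $1 " -> " $2 }
    ' "$1")
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample fstab for the demo (not a real system's file).
make_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample
proc /proc proc defaults 0 0
//servername/sharename /media/mountname cifs username=myusername,password=mypassword,iocharset=utf8,file_mode=0777,dir_mode=0777 0 0
//n5200/raid /mnt/network/N5200 cifs user=admin,pass=examplepass,uid=1000,gid=1000 0 0
//nas/media /media/nas cifs credentials=/root/.smbcreds-nas,uid=1000,gid=1000 0 0
EOF
}

# Demo: the two entries with embedded passwords are reported, then the
# replacement line for the N5200 share is printed.
tmp=$(mktemp)
make_sample_fstab "$tmp"
cifs_fstab_audit "$tmp" || echo "entries above embed a password; move it to a credentials file"
cifs_fstab_line //n5200/raid /mnt/network/N5200 /root/.smbcreds-n5200 "uid=1000,gid=1000"
rm -f "$tmp"
```

To convert the guide's N5200 entry, run cifs_write_credentials /root/.smbcreds-n5200 "<username>" "<password>" as root, replace the fstab line with the output of cifs_fstab_line, and then re-run cifs_fstab_audit /etc/fstab, which should print nothing and exit 0. The same applies to the smbmount and mount -t cifs commands earlier in the section: a password given on the command line shows up in shell history and in ps output, whereas credentials= does not.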
Post by raisinman on Jan 13, 2011 4:44:14 GMT 7
And that's it.
Any mistakes please let me know and I'll edit them.
Hope this is useful for you.
Post by drewy on Jan 13, 2011 4:49:54 GMT 7
great post, thanks
Post by Arctra on Jan 13, 2011 12:30:09 GMT 7
Very nicely done! Thank you very much for this ;D
I keep hoping there is a way of headlessly (no monitor) initializing the install, but it seems I am going to just have to accept that putting in a VGA header - or butchering a VGA cable to just shove into the VGA header holes - is unavoidable.
Thanks again.
Post by raisinman on Jan 13, 2011 13:42:35 GMT 7
The VGA cable method doesn't destroy it, it can still be used as normal after as far as I know.
Post by shinger on Jan 14, 2011 19:50:24 GMT 7
Good job.. your guide is way more specific than mine. I'll change the topic name of the topic where I describe how to install certain software on the NAS. My N5200 is the pro one but it doesn't matter because if you have a Linux version installed it has nothing to do with the hardware anymore. Maybe only performance.
Post by raisinman on Jan 16, 2011 2:02:27 GMT 7
Thanks guys.
I thought if I was putting in the effort to learn how to do this I may as well make it a little easier for others.
And it is only the forums which have enabled me to do this so I wanted to give back some.
P.S. I've removed the '(non-pro) bit from the title so that it doesn't keep pro guys from having a look.
Post by gideon007 on Jan 16, 2011 19:30:20 GMT 7
nice guide, not yet brave enough to do it but I think eventually I will... But I wonder... couldn't you make an image available with all of that? Since the hardware doesn't change it might be possible to just copy that over (except for your personal information stored on that). With VNC available right away one could login and change all the passwords then. Thus one wouldn't need to do that much hardware modding to enable vga out. and yes, I know that would mean tremendous extra work on your part and trusting on ours...
Post by shinger on Jan 16, 2011 19:54:55 GMT 7
nice guide, not yet brave enough to do it but I think eventually I will... But I wonder... couldn't you make an image available with all of that? Since the hardware doesn't change it might be possible to just copy that over (except for your personal information stored on that). With VNC available right away one could login and change all the passwords then. Thus one wouldn't need to do that much hardware modding to enable vga out. and yes, I know that would mean tremendous extra work on your part and trusting on ours... Installing Ubuntu server on the NAS isn't the hardest thing. But applying the hardware and configuring the RAID is. Upgrading the hardware carries risks with it because people don't know how to hold hardware with their hands etc. ..
Post by gideon007 on Jan 16, 2011 23:14:14 GMT 7
For me the VGA thing is the thing why I'm not too keen on tinkering with the hardware. Other than that I'm sure I can pull the other stuff off. So if I could just copy an image on a new DOM, plug that in and be done I'd be happy... though thinking about it I'm not sure how I could just flash a DOM (I'm not sure but I think I could just plug that into an ide controller right?) That link goes nowhere now
Post by raisinman on Jan 18, 2011 22:34:12 GMT 7
Thanks gideon, fixed it.