Configuration (Ubuntu)
Revision as of 21:09, 11 October 2012
Packages
Command | Purpose |
---|---|
dpkg --get-selections | Show installed packages |
dpkg -L php5-gd | Show file locations of the php5-gd package |
apt-get update | Update the package database |
apt-get install <package> | Install the <package> package |
apt-get remove <package> | Uninstall the <package> package |
apt-get autoremove <package> | Uninstall the <package> package and any other packages installed as its dependencies which are no longer required |
apt-get upgrade | Upgrade installed packages to the latest levels in the package database (never installs new packages or removes existing ones, so new kernel images are held back) |
aptitude safe-upgrade | Upgrade installed packages, including new kernel images and libraries that apt-get upgrade holds back (apt-get dist-upgrade does the same) |
aptitude hold '<package>' | Prevents a package from being upgraded (apt-mark hold <package> is the apt equivalent) |
tasksel install <task> | Installs a collection of packages as a single task, eg lamp-server |
tasksel --list-tasks | Show list of available tasks |
See also Troubleshooting
See below for specific help on installing the following packages
Firewall
See also Troubleshooting > Firewall
Ubuntu comes with UFW (Uncomplicated Firewall), a front end for configuring the kernel's built-in Netfilter. If preferred, iptables can still be used; both ufw and iptables are essentially configuration tools for Netfilter, and the rules ufw writes are ordinary iptables chains (ufw-before-input, ufw-user-input and so on) that iptables -L -n -v will show.
Changes are applied immediately once the firewall is enabled. ufw's default policy is to deny incoming and allow outgoing traffic, so after ufw enable only inbound traffic you have explicitly allowed can reach the host. On a remote machine, add the rule that allows your own SSH session before running ufw enable.
Command | Purpose |
---|---|
ufw enable | Enables the firewall |
ufw status | Shows the firewall status and existing filters |
ufw status numbered | Shows the firewall status and numbered existing filters (easier to delete) |
ufw allow from 192.168.1.10 | Allow all traffic from 192.168.1.10 |
ufw allow http | Allow http from any IP |
ufw allow proto tcp from 192.168.1.10 to any port 22 | Allow TCP 22 (SSH) from 192.168.1.10 |
ufw allow proto udp from any to any port 123 | Allow UDP 123 (NTP) from any host |
ufw delete 2 | Delete rule 2 (the numbers are those shown by ufw status numbered; they shift after each deletion, so re-check before deleting another) |
So, for example, to create a couple of rules and enable...

```sh
ufw allow proto tcp from 192.168.10.0/24 to any port 22
ufw allow proto tcp to any port 443
ufw enable
```

Be aware that rules are processed in order. ufw appends each new rule after the existing ones and has no command to reorder them, so think about the order of your rules carefully before adding them. Newer ufw versions do let you place a rule at a given position with ufw insert <number> <rule> (eg ufw insert 1 deny from 46.118.117.13), with the positions being those shown by ufw status numbered.
See TCP UDP Ports for further info on common ports.
Deny a Specific Host
If you want to deny a specific host (because it is spamming or attacking you, for example) you need to ensure that the deny rule is processed before any general allow rules. Otherwise the host might still be able to access port 80 (if you're running a web server and have a general allow rule for http traffic). The ufw-before-input chain is evaluated before the user rules added with the ufw command, so it's easiest to edit the config files directly.
To deny all traffic from 46.118.117.13...
- Edit /etc/ufw/before.rules
- Create a new section under the # drop INVALID packets section (near the top of the file)
- Add deny rules as required

```
# Block IP's
-A ufw-before-input -s 46.118.117.13 -j DROP
```

- Repeat the last line for as many IPs as you need to block (CIDR notation can be used for ranges, eg 46.118.117.0/24)
- Reload the firewall to apply the new config
ufw reload
Note that the denied hosts will not appear in ufw status, which is an irritation; iptables -L ufw-before-input -n -v lists them, and its packet counters show whether the rule is actually matching. Also note that the stock before.rules accepts RELATED,ESTABLISHED traffic above the INVALID section, so a connection the host already has open keeps working until it closes; to cut it off at once, delete its conntrack entries with conntrack -D -s 46.118.117.13 (from the conntrack package) after reloading.
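The following script is an added example and not part of the original page: it turns a blocklist file into the "# Block IP's" section described above and merges it into a copy of before.rules, validating every address first so that a typo cannot produce a rules file that ufw refuses to load (which would leave the firewall down after ufw reload). The blocklist format, file names and function names are this example's own assumptions; it relies on Ubuntu's stock before.rules, where the "# drop INVALID packets" section ends at the first blank line.

```shell
#!/bin/sh
# Added example (not from the original page): generate the "# Block IP's"
# section for /etc/ufw/before.rules from a blocklist file and merge it in.
# Assumptions: the blocklist holds one IPv4 address or CIDR per line, with
# '#' comments and blank lines allowed; before.rules is Ubuntu's stock file,
# where the "# drop INVALID packets" section ends at the first blank line.
# File names and function names are this example's own.

# valid_ipv4_cidr ADDR -> exit 0 if ADDR is a.b.c.d or a.b.c.d/LEN with
# every octet 0-255 and LEN 0-32, exit 1 otherwise
valid_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) exit 1
            exit 0
        }'
}

# gen_block_rules BLOCKLIST -> print one DROP rule per valid entry, in file
# order; invalid entries are reported on stderr and skipped rather than
# silently written into a file that iptables-restore would then reject
gen_block_rules() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        if valid_ipv4_cidr "$addr"; then
            printf -- '-A ufw-before-input -s %s -j DROP\n' "$addr"
        else
            printf 'skipping invalid blocklist entry: %s\n' "$addr" >&2
        fi
    done
}

# insert_block_rules BEFORE_RULES BLOCKLIST -> print BEFORE_RULES with the
# block section inserted straight after the "# drop INVALID packets" section
# (i.e. after the stock loopback and RELATED,ESTABLISHED accepts, so already
# open connections from a blocked host are not cut; see the note above)
insert_block_rules() {
    rf=$(mktemp) || return 1
    gen_block_rules "$2" > "$rf"
    if [ ! -s "$rf" ]; then cat "$1"; rm -f "$rf"; return 0; fi
    awk -v rf="$rf" '
        { print }
        in_sec && /^[[:space:]]*$/ {
            print "# Block IPs"
            while ((getline line < rf) > 0) print line
            print ""
            in_sec = 0
        }
        /^# drop INVALID packets/ { in_sec = 1 }
    ' "$1"
    rm -f "$rf"
}

# Typical use (as root), writing to a temp file first so a failed run cannot
# leave before.rules half-written:
#   insert_block_rules /etc/ufw/before.rules /etc/ufw/blocklist.txt > /tmp/before.rules.new &&
#   cp /etc/ufw/before.rules /etc/ufw/before.rules.bak &&
#   mv /tmp/before.rules.new /etc/ufw/before.rules && ufw reload
```

Run it against a copy of the file and diff the result before moving it into place; once reloaded, iptables -L ufw-before-input -n -v is the quickest way to confirm the DROP lines are present and counting packets.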
SNMP
Setup (Pre v10 Ubuntu)
- Run the following command to update the package database
apt-get update
- Run the following command to install SNMP
apt-get install snmpd
- Create the config file with the contents shown below the procedure
vi /etc/snmp/snmpd.conf
- Edit the snmpd defaults to allow remote polls
vi /etc/default/snmpd
- Remove 127.0.0.1 from the line below, so that snmpd listens on all interfaces instead of only on loopback
#snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
- Restart SNMP
/etc/init.d/snmpd restart
- Test with the following, replacing <hostname> with the server's hostname
snmpwalk -v 1 -c public -O e <hostname>

Contents of /etc/snmp/snmpd.conf:

```
rocommunity public
syslocation "CR DC"
syscontact info@sandfordit.com
```

Setup (v10 Ubuntu onwards)
- Run the following command to update the package database
apt-get update
- Run the following command to install SNMP
apt-get install snmpd
- Edit the config file as shown below the procedure
vi /etc/snmp/snmpd.conf
- Edit the snmpd defaults to allow remote polls
vi /etc/default/snmpd
- Remove 127.0.0.1 from the line below, so that snmpd listens on all interfaces instead of only on loopback
#snmpd options (use syslog, close stdin/out/err).
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
- Restart SNMP
/etc/init.d/snmpd restart
- Test with the following, replacing <hostname> with the server's hostname (must be run from a machine with the snmp client package installed, not just snmpd)
snmpwalk -v 1 -c public <hostname> system

Changes to /etc/snmp/snmpd.conf: comment out the com2sec paranoid line and uncomment the com2sec readonly line, so the section reads...

```
####
# First, map the community name (COMMUNITY) into a security name
# (local and mynetwork, depending on where the request is coming
# from):
#       sec.name  source          community
#com2sec paranoid  default         public
com2sec readonly  default         public
```

... then later ...

```
syslocation "CR DC"
syscontact info@sandfordit.com
```

Both setups leave snmpd answering the well-known community "public" from any address ("default" source), and SNMPv1/v2c send the community string in clear text, so anyone who can reach UDP 161 can read the full system MIB (interfaces, processes, installed software, routing table). Use a community string that isn't public or private, restrict it to the poller's address with a source argument (eg rocommunity <string> 192.168.1.10, or the source column of com2sec), and only open the port to that host in the firewall (ufw allow proto udp from 192.168.1.10 to any port 161).
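As an added example (not from the original page), the following audit function reads an snmpd.conf and reports the settings the two procedures above leave in their weak state: a community reachable from any source, a well-known community string, or write access. It assumes Net-SNMP's directive syntax (rocommunity/rwcommunity COMMUNITY [SOURCE [OID]] and com2sec NAME SOURCE COMMUNITY, where a missing source or the source "default" means any address); the function name and the sample configs in the usage are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit an snmpd.conf for
# community strings that the setup steps above leave open to the whole network.
# Assumptions: Net-SNMP directive syntax, i.e.
#   rocommunity|rwcommunity COMMUNITY [SOURCE [OID|-V VIEW]]
#   com2sec NAME SOURCE COMMUNITY
# where SOURCE "default" (or no SOURCE at all) means any address.
# Function name is this example's own.

# audit_snmpd_conf FILE -> print one finding per line; exit 0 if the file is
# clean, 1 if anything was flagged (so it can gate a deployment script)
audit_snmpd_conf() {
    awk '
        # skip comments and blank lines
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "rocommunity" || $1 == "rwcommunity" {
            if (NF < 3 || $3 == "default") {
                print $1 " " $2 ": accepts requests from any source"; found = 1
            }
            if ($2 == "public" || $2 == "private") {
                print $1 " " $2 ": well-known community string"; found = 1
            }
            if ($1 == "rwcommunity") {
                print $1 " " $2 ": write access granted"; found = 1
            }
        }
        $1 == "com2sec" && (NF < 4 || $3 == "default") {
            print "com2sec " $2 " " $4 ": maps community from any source"; found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Usage: audit_snmpd_conf /etc/snmp/snmpd.conf || echo "fix snmpd.conf before exposing UDP 161"
```

Run it before removing 127.0.0.1 from SNMPDOPTS: the config from the procedure above (rocommunity public) produces two findings, while rocommunity <string> 192.168.1.10 produces none.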
Hostname Change
The procedure below guides you through the files that need updating in order to change a machine's hostname. Note that if you get problems SSH'ing to the server afterwards, see Server Hostname Change.
- Update the following files
/etc/hosts
/etc/hostname
- Set the hostname (not the FQDN)
hostname <servername>
- Reboot
On releases running systemd (15.04 onwards), hostnamectl set-hostname <servername> updates /etc/hostname and the running hostname in one step; /etc/hosts still has to be edited by hand.
Allow Remote SSH Login Without Password Prompt
In order to access a remote server via an SSH session without needing to supply a password, the remote server needs to trust the user on the local server. To do this, the public key for the user is imported to the remote server. This is particularly useful when scripting with ssh, scp, rsync, etc where you need to interact with a remote server.
You need to be clear on which user will access the remote server: if your script is run as root, then it's root's public key that needs to be exported.
Similarly, on the remote server you need to ensure that the user the public key is imported into has the rights to perform whatever it is that you want to achieve. This shouldn't be the root user (to do so you'd need to allow PermitRootLogin in the remote server's SSH config, which is a security no-no).
- On the local server, create a public/private RSA key pair while logged in as the user that will access the remote server
ssh-keygen -t rsa
(leave the passphrase blank so that scripts can use the key unattended; this makes ~/.ssh/id_rsa as good as a password for the remote account, so keep it readable only by its owner and don't copy it anywhere else)
- This creates a public key in ~/.ssh/id_rsa.pub
- Copy the public key to the user on the remote server
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote-svr
- The user is the account on the remote server that will trust the local server and that the commands will run as.
- Test the login as suggested by ssh-copy-id
ssh user@remote-svr
Because the key has no passphrase, limit what it can do on the remote side: in ~/.ssh/authorized_keys the key line can be prefixed with from="<local-server-ip>" so that only the local server can use it, and with command="..." plus no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding so that it can only run the one script or rsync command the job needs. On OpenSSH 6.5 or later, ssh-keygen -t ed25519 gives a smaller, faster key than RSA.
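The following is an added example, not code from the original page: it builds the restricted authorized_keys line described above from a public key, and lists the keys in an existing authorized_keys file that carry no from= or command= restriction, which is the quick way to review what a passphrase-less key can do on the remote account. It assumes OpenSSH's authorized_keys option syntax; the sample key in the usage is a constructed placeholder, not a real key, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): build a restricted
# authorized_keys entry for the passphrase-less key described above, so the
# key can only be used from the local server's address and only to run the
# one command the job needs; plus a check for keys that carry no such limits.
# Assumptions: OpenSSH authorized_keys option syntax (from=, command=, no-pty,
# ...); any key data used with these functions is supplied by the caller;
# function names are this example's own.

# restrict_authorized_key PUBKEY_LINE FROM_PATTERN COMMAND -> print the
# authorized_keys line with restrictions prepended; exit 1 and print nothing
# if PUBKEY_LINE is not a recognisable OpenSSH public key or if an option
# value would break out of its quoted field
restrict_authorized_key() {
    pubkey=$1; from=$2; cmd=$3
    set -- $pubkey               # split "TYPE BASE64 [comment]" into fields
    keytype=$1; keydata=$2
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) printf 'unsupported or malformed key line\n' >&2; return 1 ;;
    esac
    case "$keydata" in
        AAAA*) ;;                # every OpenSSH key blob base64-encodes the type length first
        *) printf 'unsupported or malformed key line\n' >&2; return 1 ;;
    esac
    case "$from$cmd" in
        *'"'*) printf 'double quotes are not allowed in from= or command=\n' >&2; return 1 ;;
    esac
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$from" "$cmd" "$pubkey"
}

# unrestricted_keys FILE -> print the comment field of every key in an
# authorized_keys file that has neither a from= nor a command= option
# (assumes single-word comments such as user@host)
unrestricted_keys() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # a line whose first field is a key type carries no options at all
        $1 ~ /^(ssh-|ecdsa-sha2-)/ { print $3; next }
        # otherwise $1 is the option list; flag it if neither restriction is present
        $1 !~ /(^|,)from=/ && $1 !~ /(^|,)command=/ { print $4 }
    ' "$1"
}

# Usage on the remote server, appending the restricted line for the backup job:
#   restrict_authorized_key "$(cat id_rsa.pub)" 192.168.1.10 /usr/local/bin/backup.sh >> ~/.ssh/authorized_keys
#   unrestricted_keys ~/.ssh/authorized_keys   # should list nothing for a service account
```

With command= in place, whatever the client asks to run is ignored and the fixed command runs instead (the client's request is still available to that command in SSH_ORIGINAL_COMMAND, which is how a single key can be limited to one rsync or scp invocation).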
Perl
Install Module
Installing a Perl module isn't tricky, but there is a certain knack to it, see below...
- Get the module's package name (eg for Net::XWhois)
sudo apt-cache search perl net::xwhois
- Then install the package
sudo apt-get install libnet-xwhois-perl
Check Module(s) Installed
To check for a specific module use (checking for Net::XWhois)
perl -MNet::XWhois -e 'print "Module installed.\n"'
To list all installed modules

```sh
perl -MFile::Find=find -MFile::Spec::Functions -Tlwe \
  'find { wanted => sub { print canonpath $_ if /\.pm\z/ }, no_chdir => 1 }, @INC'
```
Python
Python 2 comes pre-installed on releases of this era; to run Python 3 scripts, Python 3 needs to be installed alongside it (on current releases the situation is reversed: python3 is installed by default and Python 2 is not).
- Install the package
apt-get install python3
- Note that more than one version of Python 3 may be available; cancel the install and retry with a specific version if required, eg
apt-get install python3.1
To enter the Python 3 interpreter, run python3. To make sure a script gets the right interpreter regardless of which python is first in the PATH, use the following shebang
#! /usr/bin/env python3
Syslog to MySQL Database
This procedure achieves three things...
- Allows remote hosts to use the local server as a syslog destination
- Directs syslogs to a MySQL database on the server
- Allows viewing of syslogged events through the LogAnalyzer web front end
...it is assumed that you already have a local MySQL and Apache server running!
- Set up your server to send syslog messages to a MySQL database
apt-get install rsyslog-mysql
- Enter the root password to your MySQL instance when prompted (the package creates the Syslog database and the rsyslog database user, and records the connection details in /etc/rsyslog.d/mysql.conf)
- Update the rsyslog config (/etc/rsyslog.conf) to receive syslog data, and to route messages through a queue
- Uncomment the following...

```
# load the output driver (use ompgsql for PostgreSQL)
$ModLoad ommysql
# network reception
$ModLoad imudp
# start a udp server at port 514
$UDPServerRun 514
```

- Add the following...

```
# default location for work (spool) files
$WorkDirectory /rsyslog/work
# use asynchronous processing
$ActionQueueType LinkedList
# set file name, also enables disk mode
$ActionQueueFileName dbq
# infinite retries on insert failure
$ActionResumeRetryCount -1
```

The work directory must exist and be writable by the user rsyslog runs as (Ubuntu's packaged config already uses /var/spool/rsyslog, which is simpler to reuse), and the $ActionQueue directives apply to the next action line that follows them, so they belong directly before the ommysql action.
- Restart the service
service rsyslog restart
Anything that can reach UDP 514 can now write rows into your database, and UDP syslog carries no authentication, so only open the port to the hosts that should be logging here (eg ufw allow proto udp from 192.168.1.0/24 to any port 514, and $AllowedSender UDP, 192.168.1.0/24 in rsyslog.conf).
- Install LogAnalyzer
- Download the latest build from http://loganalyzer.adiscon.com/downloads
- Uncompress, eg
tar xf loganalyzer-3.5.0.tar.gz
- Move the contents of the src directory to the web server, eg
mkdir /var/www/syslog
mv loganalyzer-3.5.0/src/* /var/www/syslog/
- Move the utility scripts to the same folder, eg
mv loganalyzer-3.5.0/contrib/* /var/www/syslog/
- Make them executable, eg
chmod +x /var/www/syslog/*.sh
- Run the config script in that directory, eg
cd /var/www/syslog && ./configure.sh
- Browse to the web page
- Ignore the error, and follow the link to install (configure)
- Accept the defaults until step 7, where you change the following
  - Name of the Source - your name for the local syslog db
  - Source Type - MySQL Native
  - Database Name - Syslog
  - Database Tablename - SystemEvents
  - Database User - rsyslog
  - Database Password - rsyslog (or whatever was set when rsyslog-mysql was installed; it's in /etc/rsyslog.d/mysql.conf)
- Config completed! The installer needs config.php to be writable by the web server only while it runs; once finished, remove that write permission again, since config.php holds the database password and a writable copy is an easy target for anyone who finds a flaw in the web front end.
Random Settings
System Locale
To change the local time-zone use...
dpkg-reconfigure tzdata
To change the keyboard layout in use...
dpkg-reconfigure console-data
...if console-data isn't installed, use...
apt-get install console-data
...and reboot to apply (on current releases dpkg-reconfigure keyboard-configuration does the same job).
/tmp
Boot Time Clean-up
The files in /tmp get deleted at boot if their last modification time is more than TMPTIME days ago.
- Edit /etc/default/rcS
- Change the TMPTIME value to specify the number of days
  - Use 0 so that files are removed regardless of age.
  - Use -1 so that no files are removed.
On releases running systemd (15.04 onwards) /etc/default/rcS is no longer consulted; /tmp cleanup is controlled by systemd-tmpfiles via /usr/lib/tmpfiles.d/tmp.conf, which you override with a file of the same name in /etc/tmpfiles.d/.
Proxy Server
Proxy settings need to be added as environment variables, which can be added to your profile file so that they are always applied.
- Edit /etc/profile
- Append to the bottom (edit as required)
export http_proxy=http://username:pass@proxyserver:port/
export ftp_proxy=http://username:pass@proxyserver:port/
Most tools also honour https_proxy and no_proxy (a comma-separated list of hosts to reach directly), set the same way. /etc/profile is world-readable, so a proxy password placed there can be read by every local user and shows up in the environment of every process they run; prefer a proxy that doesn't need credentials, or put the variables in the individual user's ~/.profile with mode 600.
Note that some applications will ignore the environment variables and will need to be set specifically for those apps; apt, for instance, takes an Acquire::http::Proxy setting in a file under /etc/apt/apt.conf.d/ and, run via sudo or from cron, usually won't see your shell's exported variables anyway.