Configuration (Ubuntu)

From vwiki

Packages

Command                        Purpose
dpkg --get-selections          Show installed packages
dpkg -L php5-gd                Show the files installed by the php5-gd package
apt-get update                 Update the package database
apt-get install <package>      Install the <package> package
apt-get remove <package>       Uninstall the <package> package
apt-get autoremove <package>   Uninstall the <package> package and any packages installed as dependencies that are no longer required
apt-get upgrade                Upgrade installed packages to the latest versions in the package database (never installs new packages or removes any, so a new kernel image package is skipped; apt-get dist-upgrade does install it)
aptitude safe-upgrade          Upgrade installed packages, including new kernel images and libraries that apt-get upgrade leaves behind
aptitude hold '<package>'      Prevent a package from being upgraded (apt-mark hold <package> does the same without aptitude)
tasksel install <task>         Install a collection of packages as a single task, e.g. lamp-server
tasksel --list-tasks           Show the list of available tasks

See also Troubleshooting

The sections below give specific help on installing and configuring individual packages.

Firewall

See also Troubleshooting > Firewall

Ubuntu comes with UFW (Uncomplicated Firewall), a front end that generates rules for the kernel's Netfilter packet filter. Plain iptables can still be used if preferred; both ufw and iptables are just tools for loading rules into Netfilter, so mixing them on the same host works but makes the effective ruleset hard to reason about.

Rule changes take effect immediately once the firewall is enabled. The default policy is to deny all incoming and allow all outgoing traffic, so anything you don't explicitly allow inbound is dropped, including your own SSH session if you enable the firewall without an allow rule for it.

Command                                               Purpose
ufw enable                                            Enable the firewall (persists across reboots)
ufw status                                            Show the firewall status and existing rules
ufw status numbered                                   Show the rules with their numbers (needed for delete and insert)
ufw allow from 192.168.1.10                           Allow all traffic from 192.168.1.10
ufw allow http                                        Allow HTTP (TCP 80) from any IP
ufw allow proto tcp from 192.168.1.10 to any port 22  Allow TCP 22 (SSH) from 192.168.1.10
ufw allow proto udp from any to any port 123          Allow UDP 123 (NTP) from any host
ufw delete 2                                          Delete rule 2 (as numbered by ufw status numbered)

For example, to allow SSH from the management subnet and HTTPS from anywhere, then enable the firewall...

ufw allow proto tcp from 192.168.10.0/24 to any port 22
ufw allow proto tcp to any port 443
ufw enable

Be aware that rules are evaluated in order and the first match wins. New rules are appended to the end of the list, so to place a rule ahead of existing ones use ufw insert <position> (as in Deny a Specific Host below) and think about the order of your rules carefully.

See TCP UDP Ports for further info on common ports.

Deny a Specific Host

If you want to deny a specific host (because it is spamming or attacking you, for example) you need to ensure that the deny rule is one of the first processed. Otherwise the host might still get through on port 80 if you're running a web server and have a general allow rule for HTTP traffic. To do so, insert a deny rule at the top of your ruleset.

To deny all traffic from 46.118.117.13...

 ufw insert 1 deny from 46.118.117.13 to any 

Alternatively you can edit the UFW config file directly. The drawback is that hosts blocked this way do not appear in the ufw status output, which will cause confusion later down the line...

  1. Edit /etc/ufw/before.rules
  2. Create a new section directly under the # drop INVALID packets section (near the top of the file)
  3. Add one DROP rule per host, e.g.
    • # Block IP's
    • -A ufw-before-input -s 46.118.117.13 -j DROP
  4. Repeat the last line for as many IPs as you need to block (CIDR notation can be used for ranges, e.g. 46.118.117.0/24)
  5. Reload the firewall to apply the new config (if the file contains a malformed rule the reload fails and the previous ruleset stays in place, so check the output)
    • ufw reload
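The before.rules method has no input checking: a typo in an address makes ufw reload fail. The script below is an added example written for this page; it is not part of the original wiki content or of ufw itself. It validates each blocklist entry as an IPv4 address or CIDR prefix, generates the "# Block IP's" stanza for /etc/ufw/before.rules, and also prints the equivalent ufw insert 1 commands for the first method. The function names and all addresses are my own constructed samples.

```sh
#!/bin/sh
# Added example (not from the original wiki page): build the "# Block IP's"
# stanza for /etc/ufw/before.rules from a blocklist, validating every entry
# first. A single malformed line in before.rules makes "ufw reload" fail, so
# check the input before writing the file. Addresses are constructed samples.

# Return 0 if $1 is a bare IPv4 address or an IPv4 CIDR prefix.
is_ipv4_or_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    # No "/" present: treat as a single host (/32).
    [ "$prefix" = "$1" ] && prefix=32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the before.rules stanza for all valid entries. Invalid entries are
# reported on stderr and the function returns 1 so a caller can abort before
# touching the live config.
gen_block_stanza() {
    rc=0
    echo "# Block IP's"
    for entry in "$@"; do
        if is_ipv4_or_cidr "$entry"; then
            echo "-A ufw-before-input -s $entry -j DROP"
        else
            echo "gen_block_stanza: rejecting malformed entry '$entry'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Equivalent "ufw insert 1 ..." commands for rules that should show up in
# "ufw status". Each goes in at position 1, ahead of every allow rule.
gen_ufw_insert_cmds() {
    for entry in "$@"; do
        is_ipv4_or_cidr "$entry" || continue
        echo "ufw insert 1 deny from $entry to any"
    done
}

# Constructed sample blocklist: two valid entries and one typo (octet 300).
BLOCKLIST="203.0.113.7 198.51.100.0/24 10.0.0.300"

# Word splitting of BLOCKLIST is intended here.
if stanza=$(gen_block_stanza $BLOCKLIST); then
    printf '%s\n' "$stanza"
else
    echo "blocklist has malformed entries; before.rules left untouched" >&2
fi
gen_ufw_insert_cmds $BLOCKLIST
```

Redirect the stanza into a scratch file, paste it under the # drop INVALID packets section of /etc/ufw/before.rules and run ufw reload; the ufw insert variant is visible in ufw status, which the before.rules method is not, so prefer it unless the list is long.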

SNMP

Note that the way in which the SNMP daemon/agent needs to be configured varies between OS versions. Whatever the version, SNMP v1/v2c authenticate only by a community string sent in clear text, so treat it as a shared password: don't leave it as public, restrict the source addresses it is accepted from, and allow UDP 161 through the firewall only from your poller.

Setup (Pre v10 Ubuntu)

  1. Run the following command to update the package database
    • apt-get update
  2. Run the following command to install SNMP
    • apt-get install snmpd
  3. Create config file with contents as shown below
    • vi /etc/snmp/snmpd.conf
  4. Edit SNMPD config to allow remote polls
    • vi /etc/default/snmpd
  5. Remove 127.0.0.1 from the line below so snmpd listens on all interfaces rather than loopback only (or replace it with the address of the interface your poller reaches, which is the tighter option)
    • #snmpd options (use syslog, close stdin/out/err).
    • SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
  6. Restart SNMP
    • /etc/init.d/snmpd restart
  7. Test with the following, replacing <hostname> with server's hostname
    • snmpwalk -v 1 -c public -O e <hostname>
Contents for /etc/snmp/snmpd.conf (step 3):
rocommunity public
syslocation "CR DC"
syscontact info@sandfordit.com

Setup (v10/v12 Ubuntu)

  1. Run the following command to update the package database
    • apt-get update
  2. Run the following command to install SNMP
    • apt-get install snmpd
  3. Create config file with contents as shown below the procedure
    • vi /etc/snmp/snmpd.conf
  4. Edit SNMPD config to allow remote polls
    • vi /etc/default/snmpd
  5. Remove 127.0.0.1 from the line below so snmpd listens on all interfaces rather than loopback only (or replace it with the address of the interface your poller reaches, which is the tighter option)
    • #snmpd options (use syslog, close stdin/out/err).
    • SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
  6. Restart SNMP
    • /etc/init.d/snmpd restart
  7. Test with the following, replacing <hostname> with the server's hostname (must be run from a machine with the snmp client package installed, not just snmpd)
    • snmpwalk -v 1 -c public <hostname> system
Contents for /etc/snmp/snmpd.conf (step 3), editing the stock file:
####
# First, map the community name (COMMUNITY) into a security name
# (local and mynetwork, depending on where the request is coming
# from):

#       sec.name  source          community
#com2sec paranoid  default         public	<- comment this line out
com2sec readonly  default         public	<- uncomment this line
... then later ...
syslocation "CR DC"
syscontact info@sandfordit.com

Setup (Post v12 Ubuntu)

  1. Run the following command to update the package database
    • apt-get update
  2. Run the following command to install SNMP
    • apt-get install snmpd
  3. Replace existing config file with contents as shown below the procedure
    • vi /etc/snmp/snmpd.conf
  4. Throttle down logging verbosity (otherwise the log is spammed with "Connection from UDP" messages)
    • vi /etc/default/snmpd
    • Set the option -LS0-5d so the config line starts...
    • SNMPDOPTS='-LS0-5d -Lf /dev/null
  5. Restart SNMP
    • systemctl restart snmpd
  6. Test with the following, replacing <hostname> with the server's hostname (must be run from a machine with the snmp client package installed, not just snmpd, and from the IP allowed in the config)
    • snmpwalk -v 2c -c dont-leave-as-public <hostname> system
Contents for /etc/snmp/snmpd.conf (step 3):
#  Allows SNMP GETs from the listed IP only; pick your own long community string
rocommunity    dont-leave-as-public     192.168.123.10
sysLocation    CR DC
sysContact     info@sandfordit.com
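The three procedures differ mostly in how much they expose: an unrestricted rocommunity public versus a renamed community tied to a single poller address. The script below is an added example written for this page (not from the original wiki content or from Net-SNMP). It audits an snmpd.conf read on stdin for the weak settings discussed above; the two sample configs embedded in it are constructed to mirror the old and new snmpd.conf contents shown in the procedures, and the function name is my own.

```sh
#!/bin/sh
# Added example (not from the original wiki page): audit an snmpd.conf for
# weak community settings. Reads the config on stdin, prints one finding per
# line and returns 1 if anything was found. Checks: default community strings
# "public"/"private", read-only communities with no source restriction (none
# given, "default", or an option such as -V in the source position), and any
# read-write community at all.
audit_snmpd_conf() {
    findings=0
    while read -r directive a2 a3 rest; do
        case "$directive" in
            ''|'#'*) continue ;;            # blank line or comment
            rocommunity|rocommunity6)       # rocommunity COMMUNITY [SOURCE ...]
                community=$a2; source=$a3 ;;
            rwcommunity|rwcommunity6)       # rwcommunity COMMUNITY [SOURCE ...]
                community=$a2; source=$a3
                echo "$directive '$community': allows SNMP SET (write) access; use rocommunity"
                findings=$((findings + 1)) ;;
            com2sec|com2sec6)               # com2sec SECNAME SOURCE COMMUNITY
                set -- $rest
                community=$1; source=$a3 ;;
            *) continue ;;                  # syslocation, syscontact, etc.
        esac
        case "$community" in
            public|private)
                echo "$directive '$community': default community string, choose a long random one"
                findings=$((findings + 1)) ;;
        esac
        case "$source" in
            ''|default|-*)
                echo "$directive '$community': no source restriction, any host reaching UDP 161 may poll"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed samples: the first matches the "rocommunity public" line used in
# the older procedures above, the second the post-v12 one.
WEAK_CONF='rocommunity public
syslocation "CR DC"'
HARDENED_CONF='rocommunity    dont-leave-as-public     192.168.123.10
sysLocation    CR DC'

printf '%s\n' "$WEAK_CONF" | audit_snmpd_conf || echo "weak config: fix before exposing UDP 161"
printf '%s\n' "$HARDENED_CONF" | audit_snmpd_conf && echo "hardened config: no findings"
```

Run it against the live file with audit_snmpd_conf < /etc/snmp/snmpd.conf; a non-zero exit makes it usable as a check in a config-management pipeline.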

Hostname Change

The procedure below guides you through the files that need updating in order to change a machine's hostname. Note that if you have problems SSH'ing to the server afterwards, see Server Hostname Change.

  1. Update the following files
    • /etc/hosts
    • /etc/hostname
  2. Set the hostname (not FQDN)
    • hostname <servername>
  3. Reboot

Allow Remote SSH Login Without Password Prompt

To access a remote server over SSH without supplying a password, the remote server needs to trust the user on the local server. This is done by importing that user's public key into the remote account. It is particularly useful when scripting with ssh, scp, rsync, etc. where you need to interact with a remote server.

Be clear on which user will access the remote server: if your script runs as root, then it is root's public key that must be exported.

Similarly, on the remote server, the user whose account the public key is imported into must have the rights to perform whatever it is you want to achieve. This should not be the root user (you would need to allow PermitRootLogin in the remote server's SSH config, which is a security no-no). Because the key has no passphrase, anyone who copies the private key file can use it, so also consider limiting what the key may do on the remote side with the from= and command= options in authorized_keys (see the AUTHORIZED_KEYS FILE FORMAT section of sshd(8)).

  1. On the local server, while logged in as the user that will access the remote server, create a public/private key pair
    • ssh-keygen -t rsa (leave the passphrase blank, since a script cannot type one)
      • This creates the public key in ~/.ssh/id_rsa.pub; the private key ~/.ssh/id_rsa is the credential itself, so keep it readable only by that user (on current OpenSSH, ssh-keygen -t ed25519 is the preferred key type)
  2. Copy the public key to the user on the remote server
    • ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote-svr
      • user is the account on the remote server that the local server will be trusted by and run as.
  3. Test the login as suggested by ssh-copy-id
    • ssh user@remote-svr
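The passphrase-less key created above is a bearer credential, so it is worth restricting what it can do on the remote side. The script below is an added example written for this page, not from the original wiki content or from OpenSSH; it builds the authorized_keys entry for a key that may only run one command (a read-only rsync jail for a backup script) from one source network, with agent, port and X11 forwarding and PTY allocation switched off. It also validates its inputs, because authorized_keys is line-oriented: a newline smuggled into the comment or command would append a second, unrestricted key. The key material, the subnet and the rrsync path are constructed assumptions (rrsync ships with rsync but its install path varies), and the function name is my own.

```sh
#!/bin/sh
# Added example (not from the original wiki page): emit a restricted
# authorized_keys line for an unattended key. Inputs are checked for
# characters that would break out of the option list or add a second line.
# The public key used below is a constructed placeholder, not real key material.

# Print a restricted authorized_keys entry.
#   $1  source network allowed to use the key (from= pattern, e.g. 192.168.10.0/24)
#   $2  the only command the key may run (command=)
#   $3  the public key line as produced by ssh-keygen: type, base64 blob, optional comment
restrict_authorized_key() {
    src=$1; cmd=$2; key=$3
    # Reject control characters (newline would add another key line) and
    # double quotes (would terminate the from= or command= value early).
    for v in "$src" "$cmd" "$key"; do
        case "$v" in
            *[![:print:]]*|*'"'*)
                echo "restrict_authorized_key: illegal character in input" >&2
                return 1 ;;
        esac
    done
    # The key line must start with a key type OpenSSH knows and carry a blob.
    set -- $key
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "restrict_authorized_key: unknown key type '$1'" >&2; return 1 ;;
    esac
    if [ $# -lt 2 ]; then
        echo "restrict_authorized_key: key blob missing" >&2
        return 1
    fi
    # no-* options work on every OpenSSH version; "restrict" is the newer shorthand.
    printf 'from="%s",command="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$src" "$cmd" "$key"
}

# Constructed inputs: the management subnet used elsewhere on this page, a
# read-only rrsync jail (path assumed), and a placeholder key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERxNOTxAxREALxKEYxxxxxxxxxxxxxxxx backup@local-svr'
restrict_authorized_key 192.168.10.0/24 '/usr/bin/rrsync -ro /srv/backups' "$SAMPLE_KEY"
```

Append the printed line to ~/.ssh/authorized_keys of the remote account instead of running ssh-copy-id; rsync from the local side then works as before, while an interactive ssh user@remote-svr with that key gets only the forced command.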

Perl

Install Module

Installing a perl module isn't tricky, but there is a certain knack to it, see below...

  1. Get the module's package name (eg for Net::XWhois)
    • sudo apt-cache search perl net::xwhois
  2. Then install the package
    • sudo apt-get install libnet-xwhois-perl

Check Module(s) Installed

To check for a specific module use (checking for Net::XWhois)

perl -MNet::XWhois -e 'print "Module installed.\n"'

To list all installed modules

perl -MFile::Find=find -MFile::Spec::Functions -Tlwe \
'find { wanted => sub { print canonpath $_ if /\.pm\z/ }, no_chdir => 1 }, @INC'

Source: http://www.linuxquestions.org/questions/linux-general-1/how-to-list-all-installed-perl-modules-216603/

Python

On the Ubuntu releases this page covers, Python 2 comes pre-installed; to run Python 3 scripts, Python 3 needs to be installed alongside it.

  1. Install the package
    • apt-get install python3
      • Note that more than one version of Python 3 may be available; cancel the install and retry with a specific version if required, e.g. apt-get install python3.1

To enter the Python 3 interpreter, run python3. To make sure a script runs under the right interpreter, use the following shebang

#! /usr/bin/env python3

Syslog

Server

To set up your server as a central syslog receiver, edit /etc/rsyslog.conf and uncomment the following. The UDP listener is unauthenticated and trivially spoofed, so allow UDP/TCP 514 through ufw only from the hosts that should be sending.

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Add the following section so that received syslog messages are written to a folder for each host they are received from. The secpath-replace option matters: the hostname comes from the sender's message header, and without it a remote host could put "/" characters in that field and steer its log file outside /var/log.

$template PerHostLog,"/var/log/%HOSTNAME:::secpath-replace%/messages"
*.* -?PerHostLog

Then restart the syslog service to apply...

service rsyslog restart
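To see why the hostname field needs sanitising before it becomes a directory name, the script below pulls HOSTNAME out of a few RFC 3164 lines and reduces it to a single safe path component, the same kind of normalisation rsyslog's secpath-replace performs inside the template. It is an added example written for this page, not from the original wiki content or from rsyslog, and is the sort of check to apply when your own scripts post-process the per-host files. The log lines are constructed samples and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original wiki page): the sender of a syslog
# message supplies the HOSTNAME header, so anything derived from it (such as
# the per-host directory in the template above) must be sanitised first.
# The log lines below are constructed samples.

# Print the HOSTNAME field of an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG
hostname_from_rfc3164() {
    line=${1#<*>}            # drop the <PRI> prefix
    set -- $line             # fields: month day time host ...
    [ $# -ge 4 ] || return 1
    printf '%s\n' "$4"
}

# Reduce a sender-supplied hostname to something safe to use as a directory
# name: only hostname characters survive, "/" and everything else become "_",
# and the two names that would walk up the tree are replaced outright.
safe_host_component() {
    host=$(printf '%s' "$1" | tr -c 'A-Za-z0-9.-' '_')
    case "$host" in
        ''|.|..) host=unknown-host ;;
    esac
    printf '%s\n' "$host"
}

# Constructed sample lines: a normal host, and one whose hostname field is a
# traversal attempt that would have selected /var/log/../../etc/cron.d/messages.
SAMPLE_LINES='<13>Oct  5 14:02:11 web01 sshd[2143]: Accepted publickey for deploy from 192.168.10.20
<13>Oct  5 14:02:12 ../../etc/cron.d sshd[1]: smuggled'

printf '%s\n' "$SAMPLE_LINES" | while read -r line; do
    h=$(hostname_from_rfc3164 "$line")
    printf '%-20s -> %s\n' "$h" "$(safe_host_component "$h")"
done
```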

To MySQL Database

This procedure achieves three things...

  1. Allows remote hosts to use the local server as a syslog destination
  2. Directs syslogs to MySQL database on the server
  3. Allows viewing of syslogged events through the LogAnalyzer web front end

...it is assumed that you already have a local MySQL and Apache server running! Note that LogAnalyzer shows every received log line to anyone who can reach the page, so restrict access in Apache (authentication and/or source IP) before relying on it.

  1. Set-up your server to send syslog messages to a MySQL database
    • apt-get install rsyslog-mysql
    • Enter the root password to your MySQL instance when prompted
  2. Update the rsyslog config (/etc/rsyslog.conf) to receive syslog data, and to route messages through a queue
    1. Uncomment the following...
      • $ModLoad ommysql # load the output driver (use ompgsql for PostgreSQL)
      • $ModLoad imudp # network reception
      • $UDPServerRun 514 # start a udp server at port 514
    2. Add the following...
      • $WorkDirectory /rsyslog/work # default location for work (spool) files
      • $ActionQueueType LinkedList # use asynchronous processing
      • $ActionQueueFileName dbq # set file name, also enables disk mode
      • $ActionResumeRetryCount -1 # infinite retries on insert failure
    3. Restart the service
      • service rsyslog restart
  3. Install LogAnalyzer
    1. Download the latest build from http://loganalyzer.adiscon.com/downloads
    2. Uncompress it
      • e.g. tar xf loganalyzer-3.5.0.tar.gz
    3. Move the contents of the extracted src directory to the webserver
      • e.g. mkdir /var/www/syslog
      • e.g. mv src/* /var/www/syslog/
    4. Move the utility scripts to the same folder
      • e.g. mv contrib/* /var/www/syslog/
    5. Make the scripts executable
      • e.g. chmod +x /var/www/syslog/*.sh
    6. Run the config script from within that directory
      • e.g. cd /var/www/syslog && ./configure.sh
    7. Browse to the web page
    8. Ignore the error, and follow the link to install (configure)
    9. Accept the defaults until step 7, where you change the following
      • Name of the Source - your name for the local syslog db
      • Source Type - MySQL Native
      • Database Name - Syslog
      • Database Tablename - SystemEvents
      • Database User - rsyslog
      • Database Password - rsyslog (whatever rsyslog-mysql was configured with; check /etc/rsyslog.d/mysql.conf, and don't leave a guessable password in place)
    10. Config completed!

Random Settings

System Locale

To change the local time-zone use...

  • dpkg-reconfigure tzdata

To change the keyboard layout in use...

  • dpkg-reconfigure console-data

...if console-data isn't installed, use...

  • apt-get install console-data

...and reboot to apply

/tmp Boot Time Clean-up

The files in /tmp get deleted at boot if their last modification time is more than TMPTIME days ago.

  1. Edit /etc/default/rcS
  2. Change the TMPTIME value to specify the number of days
    • Use 0 so that files are removed regardless of age.
    • Use -1 so that no files are removed.

On systemd-based releases (15.04 onwards) this setting is ignored; /tmp is handled by systemd-tmpfiles instead, configured through /usr/lib/tmpfiles.d/tmp.conf and overrides in /etc/tmpfiles.d/.

Proxy Server

Proxy settings are set as environment variables, which can be added to your profile file so that they are always applied.

  1. Edit /etc/profile
  2. Append to the bottom (edit as required)

Note that some applications ignore the environment variables and need the proxy set in their own configuration.