Server:setup

From Linux How-To Repository

Initial Considerations

Sorting Out Your Domain Name

You want to run a home server and you don't have a domain name registered, what do you do?

It's simple. You create an account at one of the many free domain name services. Perhaps the most well-known is DynDNS, which is here.

You are probably going to need the dynamic IP address option when setting up an account. This is because most ISPs use dynamic IPs, which means your IP address is changing all of the time. The dynamic IP address option will ensure that your domain name or web address is always linked to the IP assigned to you at any given time. It's all automatic.

It's useful to obtain your domain name details because you'll use them in setting up the Linux server.

• See below for information on creating an IP auto-check for DynDNS.

Linux Partioning

The Ubuntu installation process is straight forward, even the partitioning, if you want it to be. However, many people wonder which is the best way to go for partitioning.

The forums are full of users confidently asserting you need a 10 GIG root partition just like they have, etc. Sure, that'll work. As I said, if you want to make it easy, just accept the default the setup gives you. After all, you only really need one partition.

As for me, I wanted something tidier, safer and more elegant. The following shows how I did it and how it looks after everything was installed.

Size 75 GB

    Type          Dir        Allotted    Used       Free

    ext3          /           996 MB    316 MB     679 MB
    extended                   73 GB              
    ext3          /tmp          2 GB     66 MB     1.9 GB
    ext3          /usr          8 GB    2.4 GB     5.4 GB
    ext3          /usr/local    4 GB    210 MB     3.7 GB
    ext3          /var          4 GB    2.4 GB     1.5 GB
    ext3          /home        54 GB   1.60 GB      52 GB
    linux-swap                996 MB    
    linux-swap               1004 MB

As you can see, you really don't need a large root partition.

When the partitioner is running, it'll show the partition or unallocated space (provided you created it beforehand) where you intend to install Ubuntu. The first thing I did was install the primary "/" partition, giving it 1 MB of space.

What you can do next is select the guided partition option for the rest of the unallocated space. This will create a logical partition and your swap space for you. Then the swap is taken care of and you can go ahead and configure all of the other partitions. One by one, just create a new partition, and select what it will be by hitting enter at the line it highlights by default, where you name the partition directory.

After each one, select done and it'll take you back to the partitioner's main screen. Then select the write to disk option once you've checked it's exactly how you want it.

I gave more space to /usr because Ubuntu installs most programs to /usr/share and not /usr/local as might happen on other systems. You might give less to /usr/local than I did, unless you plan to keep backups there.

If you plan to have a web site at /var/www, naturally you give more space to /var. I'm using /home/www instead.

Also, if I'd been able, I would have had a further primary partition solely for /boot of perhaps around 100 MB.

  But only 4 primary partitions are allowable on PCs.  

Since my machine is a dual boot system, and Windows was already using two partitions, that meant I only had 2 to play with.

Here is the setup of my current HP Proliant ML350:

In this case I could use 4 primary partitions. This shows how the usage has panned out over about a year. I was perhaps over-generous in some allowances, but it is a huge disk, so it's hardly an issue.

Source

Much of what I did was based on this sound [Partitioning How To] -- well, as often happens, it disappeared. Here is some of the text from that source that explains things in detail:

Preliminary Setup

Initial Update Tasks

Setup Root Login

  sudo passwd root

Give root a password. Needless to say, don't forget it.

Install The SSH Server

Ubuntu does not install OpenSSH by default so you have to do it.

  apt-get install ssh openssh-server

This will download and install it, or you will be asked to insert the installation CD.

Update Software Repositories

Edit the repositories list:

  gedit /etc/apt/sources.list

Unhash the repositories you want and add others you might know of. You can also change the country code for a closer mirror, if need be. Then, update.

   apt-get update
   apt-get upgrade
   apt-get dist-upgrade

Or run

   aptitude update
   aptitude upgrade
   aptitude dist-upgrade

Change the Default Shell

/bin/sh is a symlink to /bin/dash, but we need /bin/bash, not /bin/dash. Remove the symlink and create another.

   rm -f /bin/sh
   ln -s /bin/bash /bin/sh

Setup Desktop Environment

Of course, if the desktop version of Ubuntu was installed, these steps are not necessary except for perhaps the tweaks to get your graphics working.

 sudo apt-get update

 sudo apt-get install ubuntu-desktop

Now make sure you have the latest graphics card drivers for you machine (Source: [Martii's Ubuntu Installation]):

For NVIDIA cards, type the following commands:

 sudo apt-get install nvidia-glx nvidia-kernel-common
 sudo nvidia-glx-config enable

For ATI cards, type the following commands:

 sudo apt-get install xorg-driver-fglrx
 sudo dpkg-reconfigure xserver-xorg

There are more steps you have to do to the /etc/X11/xorg.conf file. For these tweaks, you'll need to search around for what is needed with your card.

If it's all too much and nothing's working, you might try this guy's program, Envy, to sort it out automatically: http://albertomilone.com/nvidia_scripts1.html

Here are some of my Tweaks for ATI and Nvidia

Setup Networking

After installing, Ubuntu will be configured to get its network settings via DHCP. For a server setup, we need to have a static IP address. For this edit /etc/network/interfaces and put in the right IP address, which will be the server's address on your network (i.e. with a router).

   gedit /etc/network/interfaces

Alternatively, since the desktop is setup, it is just as easy to fire up the Networking utility under System in the Ubuntu desktop menu. Fill out the same details there.

The Interfaces file should look like this:

 # The loopback network interface
 auto lo
 iface lo inet loopback

 # The primary network interface
 auto eth0
 iface eth0 inet static
       address 192.168.0.100
       netmask 255.255.255.0
       network 192.168.0.0
       broadcast 192.168.0.255
       gateway 192.168.0.1

Now restart the network:

 /etc/init.d/networking restart

Next, edit your hosts file. You can also do this via the same program described above.

 gedit /etc/hosts

It should look like something like this (of course, with your domain instead of example.com):

 127.0.0.1       localhost.localdomain    localhost
 192.168.0.100   server1.example.com      server1

 # The following lines are desirable for IPv6 capable hosts
 ::1     ip6-localhost ip6-loopback
 fe00::0 ip6-localnet
 ff00::0 ip6-mcastprefix
 ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
 ff02::3 ip6-allhosts

Now run

 echo server1.example.com > /etc/hostname

Reboot the system:

 shutdown -r now

Once it's all running type:

 hostname
 hostname -f

Both should show server1.example.com.

At this point, test that you can connect to the Internet properly. Just run "apt-get update" again.

Install DNS Server

Source: [Falko's Setup at HowToForge]

 apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

 /etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS=" -u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":

 gedit /etc/default/bind9

 OPTIONS="-u bind -t /var/lib/named"
 # Set RESOLVCONF=no to not run resolvconf
 RESOLVCONF=yes

Create the necessary directories under /var/lib:

 mkdir -p /var/lib/named/etc
 mkdir /var/lib/named/dev
 mkdir -p /var/lib/named/var/cache/bind
 mkdir -p /var/lib/named/var/run/bind/run

Move the config directory from /etc to /var/lib/named/etc:

 mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):

 ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

 mknod /var/lib/named/dev/null c 1 3
 mknod /var/lib/named/dev/random c 1 8
 chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
 chown -R bind:bind /var/lib/named/var/*
 chown -R bind:bind /var/lib/named/etc/bind

Modify the startup script /etc/init.d/sysklogd of sysklogd so that important messages still get logged to the system logs. Modify the line: SYSLOGD="-u syslog" so that it reads: SYSLOGD="-u syslog -a /var/lib/named/dev/log":

 gedit /etc/init.d/sysklogd

 [...]
 SYSLOGD="-u syslog -a /var/lib/named/dev/log"
 [...]

Restart the logging daemon:

 /etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors:

 /etc/init.d/bind9 start

Main Server Software

Uninstall AppArmor

It has been recommended that AppArmor be uninstalled: http://www.howtoforge.com/perfect-server-ubuntu8.04-lts-p3

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove

This gets rid of the package:

apt-get remove apparmor apparmor-utils

Install Perl / Compilers / Other Useful Packages

This should be on one line.

 apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl 
 libc6-dev libcompress-zlib-perl libdb4.3-dev libpcre3 libpopt-dev lynx m4 
 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 
 libtool bison autotools-dev g++

And other stuff for compiling source:

apt-get install linux-headers-`uname -r` build-essential

Install Apache

Use apt-get to install everything in one hit:

   apt-get install apache2 apache2-common apache2-doc apache2-mpm-prefork apache2-utils libapr0 
libexpat1 ssl-cert

Edit apache2.conf or httpd.conf to change or create DirectoryIndex

  gedit /etc/apache2/apache2.conf

Or

  gedit /etc/apache2/httpd.conf

Make sure you have this entry:

  [...]
  DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml
  [...]

Edit ports.conf and add Listen 443:

  gedit /etc/apache2/ports.conf

  Listen 80
  Listen 443

Enable some Apache modules (SSL, rewrite, suexec, and include):

  a2enmod ssl
  a2enmod rewrite
  a2enmod suexec
  a2enmod include

Reload Apache:

  /etc/init.d/apache2 force-reload

Open a browser and type http://localhost in the address window. You should get a default page or index list showing up. The wonderful Apache Server is installed!

If not, something's wrong and system logs might give you a clue to what it is.

Once it's working, then it's time to start configuring. Some tips for that are here.

Install MySQL

First run

 apt-get install mysql-server mysql-client libmysqlclient15-dev

Have MySQL listen on all interfaces, not just localhost. Edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

 gedit /etc/mysql/my.cnf

 [...]
 #bind-address           = 127.0.0.1
 [...]

Then restart MySQL:

 /etc/init.d/mysql restart

Now check that networking is enabled. Run

 netstat -tap

In the output you should see a line like this one:

 tcp        0      0 *:mysql                 *:*                     LISTEN     4997/mysqld

Run

 mysqladmin -u root password yourrootsqlpassword
 mysqladmin -h server1.example.com -u root password yourrootsqlpassword

Set a password for the user root (otherwise anybody can access your MySQL database).

Note that I've had errors when trying to do the server1 password setup. I think I sorted that out once phpMyAdmin was installed. See Server:software:phpmyadmin for more details.

Install PHP

Use apt-get to install everything in one hit:

   apt-get install autoconf automake1.4 autotools-dev libapache2-mod-php5 php5 php5-common php5-curl 
  php5-dev php5-gd php-pear php5-ldap php5-mhash php5-mysql php5-mysqli php5-snmp php5-sqlite 
 php5-xmlrpc php5-xsl php5-imap php5-mcrypt php5-pspell

If you are asked the following question:

   Continue installing libc-client without Maildir support? 

   Say "Yes"

Nothing more to do really.

Email Server

Postfix: SMTP-AUTH And TLS

Install Postfix with SMTP-AUTH and TLS:

   apt-get install postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail

You will be asked two questions. Answer as follows:

   General type of configuration? <-- Internet Site
   Mail name? <-- server1.example.com

Then run

     dpkg-reconfigure postfix

More questions:

   General type of configuration? <-- Internet Site
   Where should mail for root go <-- NONE
   Mail name? <-- server1.example.com
   Other destinations to accept mail for? (blank for none) <-- server1.example.com, localhost.example.com, localhost
   Force synchronous updates on mail queue? <-- No
   Local networks? <-- 127.0.0.0/8
   Use procmail for local delivery? <-- Yes
   Mailbox size limit <-- 0
   Local address extension character? <-- +
   Internet protocols to use? <-- all

Now put entries into the main.cf file:

   postconf -e 'smtpd_sasl_local_domain ='
   postconf -e 'smtpd_sasl_auth_enable = yes'
   postconf -e 'smtpd_sasl_security_options = noanonymous'
   postconf -e 'broken_sasl_auth_clients = yes'
   postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
   postconf -e 'inet_interfaces = all'
   echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
   echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

Certificates for TLS:

   mkdir /etc/postfix/ssl
   cd /etc/postfix/ssl/
   openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
   chmod 600 smtpd.key
   openssl req -new -key smtpd.key -out smtpd.csr
   openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
   penssl rsa -in smtpd.key -out smtpd.key.unencrypted
   mv -f smtpd.key.unencrypted smtpd.key
   openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Configure Postfix for TLS:

   postconf -e 'smtpd_tls_auth_only = no'
   postconf -e 'smtp_use_tls = yes'
   postconf -e 'smtpd_use_tls = yes'
   postconf -e 'smtp_tls_note_starttls_offer = yes'
   postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
   postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
   postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
   postconf -e 'smtpd_tls_loglevel = 1'
   postconf -e 'smtpd_tls_received_header = yes'
   postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
   postconf -e 'tls_random_source = dev:/dev/urandom'
   postconf -e 'myhostname = server1.example.com'

Check the /etc/postfix/main.cf file to see that these are there. See /usr/share/postfix/main.cf.dist for a complete version of the file.

File main.cf

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Restart Postfix:

   /etc/init.d/postfix restart

Authentication will be done by saslauthd. Because Postfix runs chrooted in /var/spool/postfix do the following:

   mkdir -p /var/spool/postfix/var/run/saslauthd

Now edit /etc/default/saslauthd in order to activate saslauthd. Remove # in front of START=yes and add the line PARAMS="-m /var/spool/postfix/var/run/saslauthd -r":

   gedit /etc/default/saslauthd

Make sure there are in there:

   START=yes

   PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"

   # You must specify the authentication mechanisms you wish to use.
   # This defaults to "pam" for PAM support, but may also include
   # "shadow" or "sasldb", like this:
   # MECHANISMS="pam shadow"

   MECHANISMS="pam"

Now start saslauthd:

   /etc/init.d/saslauthd start

To see if SMTP-AUTH and TLS work properly, run

   telnet localhost 25

Once a connection is established, run

   ehlo localhost

If you see the lines

   250-STARTTLS

and

   250-AUTH

everything is fine.

It should look something like this . . .

Type

   quit

You're done.

Further Information:

Advanced Email Setup

Setting Up a Mail Server

• How to set up a mail server on a GNU / Linux system: Postfix

Setting Up Virtual Users

• Tutorial: ISP-style Email Service with Debian-Sarge and Postfix 2.1
• Virtual Users And Domains With Postfix, Courier And MySQL (+ SMTP-AUTH, Quota, SpamAssassin, ClamAV)

Courier IMAP

• Configuring Exim and Courier IMAP under Debian GNU/Linux

Links

• Postfix FAQ

Install Courier

IMAP/IMAP-SSL/POP3/POP3-SSL (IMAP-SSL is for IMAP on port 993 and POP3-SSL is for POP3s on port 995)

   apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop 
   courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0

It will ask two questions:

   Create directories for web-based administration ? <-- No
   SSL certificate required <-- OK

Configure Postfix to deliver emails to a user's Maildir*:

   postconf -e 'home_mailbox = Maildir/'
   postconf -e 'mailbox_command ='
   
   /etc/init.d/postfix restart 

Excellent. Have another green tea.

Several Email Tests

Testing SMTP-AUTH

telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail ESMTP Postfix
helo localhost
250 mail
mail from: name@example.com
250 Ok
rcpt to: name@localhost
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
some text
.
250 Ok: queued as B58E141D33
quit

If you get this, everything is fine. If you get an error like this:

   rcpt to: tester at localhost
   451 <tester  at localhost>: Temporary lookup failure

Then either MySQL is not running, DB permission are not set properly or you miss-configured /etc/postfix/main.cf. Examine /var/log/mail.

Test POP3 and IMAP

telnet localhost 110
Connected to localhost.
Escape character is '^]'.
+OK Hello there.
user username
+OK Password required.
pass password
+OK logged in.
stat
+OK 26 49857
retr 1
+OK 1073 octets follow.
... message
.
quit
+OK Bye-bye.
Connection closed by foreign host.

telnet localhost 143
Connected to localhost.
Escape character is '^]'.
* OK Courier-IMAP ready. Copyright 1998-2001 Double Precision, Inc.  See
COPYING for distribution information.
1 login username password
1 OK LOGIN Ok.
2 examine inbox
* FLAGS (\Answered \Flagged \Deleted \Seen \Recent)
* OK [PERMANENTFLAGS ()] No permanent flags permitted
* 26 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 989061119] Ok
2 OK [READ-ONLY] Ok
3 logout
* BYE Courier-IMAP server shutting down
3 OK LOGOUT completed
Connection closed by foreign host.

NOTE: The daemons will fail to login if the mail directory does not exist. Deliver at least one message to the user, to create their mailbox, before they can login. Look for logging messages in /var/log/maillog and /var/log/debug.log.

Another version of the IMAP test

telnet 10.1.36.248 143
Trying 10.1.36.248...
Connected to 10.1.36.248 (10.1.36.248).
Escape character is '^]'.
* OK e-smith.pcunixx.com IMAP4rev1 v12.264 server ready
abc1 login linda AFr54Tui8
abc1 OK LOGIN completed
abc2 select inbox
* 1 EXISTS
* 2 EXISTS
* 1 RECENT
* OK [UIDVALIDITY 1020929003] UID validity status
* OK [UIDNEXT 1020929444] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
* OK [PERMANENTFLAGS ()] Permanent flags
* OK [UNSEEN 2] first unseen message in inbox
abc2 OK [READ-WRITE] SELECT completed
abc3 fetch 2 body[text]
* 2 FETCH (BODY[TEXT] {25}

This is just a test

)
* 2 FETCH (FLAGS (\Recent \Seen))
abc3 OK FETCH completed
abc4 close
abc4 OK CLOSE completed
abc5 logout
* BYE e-smith.pcunixx.com IMAP4rev1 server terminating connection
abc5 OK LOGOUT completed

Some Last Steps: IP Auto-Check

• Dynamic IP Auto-Check

Links

Other Setup Guides

• [Falko's Ubuntu Server Setup]
• [Quick Linux Server Installation]
• [Aussie Linux Home Server HOWTO]
• [YoLinux: Internet Web Server and Domain Configuration Tutorial]
• [Set Up Ubuntu-Server 6.10 As A Firewall/Gateway For Your Small Business Environment]

Ubuntu General

• [The Unofficial Ubuntu Starter Guide]

Security

• [Intrusion Detection]