Internet & Network Services
Assessment 1
Building secure server to host Gallery.
Marcin Iwinski R00036586
Table of contents:
1 Installing Ubuntu Server
2 Installing additional packages
3 Securing Ubuntu Server
4 Installing Gallery
4.1 CLI
4.2 Web interface part
5 Customizing Gallery
6 Summary
1 Installing Ubuntu Server
Description below comes from http://www.howtoforge.com/perfect-server-ubuntu-10.10-maverick-meerkat-ispconfig-3
1 Requirements
To install such a system you will need the following:
the Ubuntu 10.10 server CD, available here: http://releases.ubuntu.com/releases/10.10/ubuntu-10.10-server-i386.iso (i386) or http://releases.ubuntu.com/releases/10.10/ubuntu-10.10-server-amd64.iso (x86_64)
a fast Internet connection.
2 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and
the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where
appropriate.
3 The Base System
Insert your Ubuntu install CD into your system and boot from it. Select your language:
Then select Install Ubuntu Server:
Choose your language again (?):
Then select your location:
Choose a keyboard layout (you will be asked to press a few keys, and the installer will try to detect
your keyboard layout based on the keys you pressed):
The installer checks the installation CD, your hardware, and configures the network with DHCP if
there is a DHCP server in the network:
Enter the hostname. In this example, my system is called server1.example.com, so I
enter server1:
Please check if the installer detected your time zone correctly. If so, select Yes, otherwise No:
Now you have to partition your hard disk. For simplicity's sake I select Guided - use entire disk
and set up LVM - this will create one volume group with two logical volumes, one for the / file
system and another one for swap (of course, the partitioning is totally up to you - if you know what
you're doing, you can also set up your partitions manually).
Select the disk that you want to partition:
When you're asked Write the changes to disks and configure LVM?, select Yes:
If you have selected Guided - use entire disk and set up LVM, the partitioner will create one
big volume group that uses all the disk space. You can now specify how much of that disk space
should be used by the logical volumes for / and swap. It makes sense to leave some space unused
so that you can later on expand your existing logical volumes or create new ones - this gives you
more flexibility.
When you're finished, hit Yes when you're asked Write the changes to disks?:
Afterwards, your new partitions are being created and formatted:
Now the base system is being installed:
Create a user, for example the user Administrator with the user name administrator (don't use
the user name admin as it is a reserved name on Ubuntu 10.10):
I don't need an encrypted private directory, so I choose No here:
Next the package manager apt gets configured. Leave the HTTP proxy line empty unless you're
using a proxy server to connect to the Internet:
I'm a little bit old-fashioned and like to update my servers manually to have more control,
therefore I select No automatic updates. Of course, it's up to you what you select here:
We need a DNS, mail, and LAMP server, but nevertheless I don't select any of them now because I
like to have full control over what gets installed on my system. We will install the needed packages
manually later on. The only item I select here is OpenSSH server so that I can immediately
connect to the system with an SSH client such as PuTTY after the installation has finished:
The installation continues:
The GRUB boot loader gets installed:
Select Yes when you are asked Install the GRUB boot loader to the master boot record?:
The base system installation is now finished. Remove the installation CD from the CD drive and
hit Continue to reboot the system:
4 Get root Privileges
After the reboot you can login with your previously created username (e.g. administrator).
Because we must run all the steps from this tutorial with root privileges, we can either prepend all
commands in this tutorial with the string sudo, or we become root right now by typing
sudo su
(You can as well enable the root login by running
sudo passwd root
and giving root a password. You can then directly log in as root, but this is frowned upon by the
Ubuntu developers and community for various reasons.
See http://ubuntuforums.org/showthread.php?t=765414.)
5 Install The SSH Server (Optional)
If you did not install the OpenSSH server during the system installation, you can do it now:
aptitude install ssh openssh-server
From now on you can use an SSH client such as PuTTY and connect from your workstation to your
Ubuntu 10.10 server and follow the remaining steps from this tutorial.
6 Install vim-nox (Optional)
I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on
Ubuntu and Debian; to fix this, we install vim-nox:
aptitude install vim-nox
(You don't have to do this if you use a different text editor such as joe or nano.)
7 Configure The Network
Because the Ubuntu installer has configured our system to get its network settings via DHCP, we
have to change that now because a server should have a static IP address.
Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP
address 192.168.0.100):
vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
Then restart your network:
/etc/init.d/networking restart
Then edit /etc/hosts. Make it look like this:
vi /etc/hosts
127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Now run
echo server1.example.com > /etc/hostname
/etc/init.d/hostname restart
Afterwards, run
hostname
hostname -f
Both should show server1.example.com now.
8 Edit /etc/apt/sources.list And Update Your Linux Installation
Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make
sure that the universe and multiverse repositories are enabled. It should look like this:
vi /etc/apt/sources.list
#
# deb cdrom:[Ubuntu-Server 10.10 _Maverick Meerkat_ - Release i386 (20101007)]/ maverick main restricted
#deb cdrom:[Ubuntu-Server 10.10 _Maverick Meerkat_ - Release i386 (20101007)]/ maverick main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ maverick main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ maverick main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ maverick-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ maverick-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://de.archive.ubuntu.com/ubuntu/ maverick universe
deb-src http://de.archive.ubuntu.com/ubuntu/ maverick universe
deb http://de.archive.ubuntu.com/ubuntu/ maverick-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ maverick-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ maverick multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ maverick multiverse
deb http://de.archive.ubuntu.com/ubuntu/ maverick-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ maverick-updates multiverse

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu maverick partner
# deb-src http://archive.canonical.com/ubuntu maverick partner

## Uncomment the following two lines to add software from Ubuntu's
## 'extras' repository.
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
# deb http://extras.ubuntu.com/ubuntu maverick main
# deb-src http://extras.ubuntu.com/ubuntu maverick main

deb http://security.ubuntu.com/ubuntu maverick-security main restricted
deb-src http://security.ubuntu.com/ubuntu maverick-security main restricted
deb http://security.ubuntu.com/ubuntu maverick-security universe
deb-src http://security.ubuntu.com/ubuntu maverick-security universe
deb http://security.ubuntu.com/ubuntu maverick-security multiverse
deb-src http://security.ubuntu.com/ubuntu maverick-security multiverse
Then run
aptitude update
to update the apt package database and
aptitude safe-upgrade
to install the latest updates (if there are any). If you see that a new kernel gets installed as part of
the updates, you should reboot the system afterwards:
reboot
9 Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do
this:
dpkg-reconfigure dash
Install dash as /bin/sh? <-- No
If you don't do this, the ISPConfig installation will fail. (ISPConfig is not installed in this build, see section 3, so this step is optional here and dash can stay as /bin/sh.)
10 Disable AppArmor
AppArmor is a security extension (similar to SELinux) that should provide extended security. In my
opinion you don't need it to configure a secure system, and it usually causes more problems than
advantages (think of it after you have done a week of trouble-shooting because some service
wasn't working as expected, and then you find out that everything was ok, only AppArmor was
causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later
on).
We can disable it like this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
aptitude remove apparmor apparmor-utils
ISPConfig is not installed in this build (see section 3), so this step is not required here. Leaving AppArmor enabled keeps the profile that the mysql-server package ships for mysqld in force, which limits what a compromised database process can read and write. If a service misbehaves, aa-status lists the loaded profiles and the kernel log (dmesg, entries tagged apparmor="DENIED") shows whether a profile is the cause; aa-complain from apparmor-utils can then switch that single profile to complain mode instead of removing AppArmor altogether.
11 Synchronize the System Clock
It is a good idea to synchronize the system clock with an NTP (network time protocol) server over
the Internet. Simply run
aptitude install ntp ntpdate
and your system time will always be in sync.
The system is now ready to be used.
2 Installing additional packages
Description below comes from http://www.howtoforge.com/installing-apache2-with-php5-and-mysql-support-on-ubuntu-10.10-lamp
1 Preliminary Note
In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100.
These settings might differ for you, so you have to replace them where appropriate.
I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root:
sudo su
2 Installing MySQL 5
First we install MySQL 5 like this:
aptitude install mysql-server mysql-client
You will be asked to provide a password for the MySQL root user - this password is valid for the
user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL
root password manually later on:
New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
Once the package is installed, run mysql_secure_installation (shipped with mysql-server) to remove the anonymous accounts and the test database and to disallow remote root logins. Applications installed later should get their own database user rather than this root password.
3 Installing Apache2
Apache2 is available as an Ubuntu package, therefore we can install it like this:
aptitude install apache2
Now direct your browser to http://192.168.0.100, and you should see the Apache2 placeholder
page (It works!):
Apache's default document root is /var/www on Ubuntu, and the configuration file
is /etc/apache2/apache2.conf. Additional configurations are stored in subdirectories of
the /etc/apache2 directory such as /etc/apache2/mods-enabled (for Apache
modules), /etc/apache2/sites-enabled (for virtual hosts), and /etc/apache2/conf.d.
4 Installing PHP5
We can install PHP5 and the Apache PHP5 module as follows:
aptitude install php5 libapache2-mod-php5
We must restart Apache afterwards:
/etc/init.d/apache2 restart
5 Testing PHP5 / Getting Details About Your PHP5 Installation
The document root of the default web site is /var/www. We will now create a small PHP file
(info.php) in that directory and call it in a browser. The file will display lots of useful details about
our PHP installation, such as the installed PHP version.
vi /var/www/info.php
<?php
phpinfo();
?>
Now we call that file in a browser (e.g. http://192.168.0.100/info.php):
As you see, PHP5 is working, and it's working through the Apache 2.0 Handler, as shown in
the Server API line. If you scroll further down, you will see all modules that are already enabled in
PHP5. MySQL is not listed there which means we don't have MySQL support in PHP5 yet.
6 Getting MySQL Support In PHP5
To get MySQL support in PHP, we can install the php5-mysql package. It's a good idea to install
some other PHP5 modules as well as you might need them for your applications. You can search for
available PHP5 modules like this:
aptitude search php5
Pick the ones you need and install them like this:
aptitude install php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-json
Now restart Apache2:
/etc/init.d/apache2 restart
Now reload http://192.168.0.100/info.php in your browser and scroll down to the modules
section again. You should now find lots of new modules there, including the MySQL module.
Once you have checked the output, delete the file (rm /var/www/info.php): phpinfo() reveals the exact PHP version, loaded modules, paths and configuration to anyone who can reach the server, which is useful reconnaissance for an attacker.
7 phpMyAdmin
phpMyAdmin is a web interface through which you can manage your MySQL databases. It's a good
idea to install it:
aptitude install phpmyadmin
You will see the following questions:
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- No
Afterwards, you can access phpMyAdmin under http://192.168.0.100/phpmyadmin/.
Keep in mind that this is a well-known path that accepts the MySQL root password over plain HTTP. On a server exposed to the Internet, restrict access to it (for example to the management network, in /etc/phpmyadmin/apache.conf) or serve it only over HTTPS, and remove the package once the database work is done.
3 Securing Ubuntu Server
In order to make our Ubuntu Server more secure we still have a few post-installation tasks to
perform.
First of all, we need to make sure that we are running the latest versions of all packages. This is
very straightforward with aptitude, the package manager used throughout this document.
While logged in to the local console we switch to the root user by running the command:
sudo -s
(the system should prompt us for our password) and we issue the following commands:
aptitude update
aptitude safe-upgrade
Once finished, aptitude should inform us that there are no more updates available. Repeat these
two commands regularly: the firewall configured below does nothing against a vulnerability in a
service that is deliberately exposed, such as Apache or PHP.
After installing all available updates, in order to allow secure remote access to our server, we
install the OpenSSH server (already present if it was selected during the base installation in section 1):
aptitude install openssh-server
After it finishes we should be able to connect to our server from a remote machine over SSH,
logging in with the administrator account created during installation and using sudo for
privileged commands rather than a direct root login.
As a huge fan of simple solutions, I prefer to manage the services directly, without adding an
extra level of complexity, therefore I decided not to go for ISPConfig.
To make sure that nothing but the services we intend to expose is reachable from the network, we
will enable the host firewall (ufw) and allow only SSH, HTTP and HTTPS traffic. ufw's default
policy denies incoming connections and allows outgoing ones, so once it is enabled only explicitly
allowed ports accept new connections; it does not cut the server off entirely.
To allow remote management of our server over SSH we first need to open port 22. Do this before
enabling the firewall if you are working over SSH, otherwise new SSH sessions will be refused
until the rule is in place:
ufw allow 22
As we are going to use our server as a web server, we also need to allow HTTP and HTTPS
traffic:
ufw allow 80
ufw allow 443
(A bare port number opens both TCP and UDP; 22/tcp, 80/tcp and 443/tcp is all these services
need, and ufw limit 22/tcp instead of allow additionally rate-limits connection attempts against
SSH.)
Now we enable the firewall:
ufw enable
To make sure that our firewall is up and running with only the required ports opened we can
check the ufw status:
ufw status
If everything is configured properly we should see the following output:
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere

Anything else that later shows up in this list, for example 3306 for MySQL, should be treated as a
misconfiguration unless it was added on purpose; Gallery talks to MySQL on the same host, so the
database never needs to be reachable from the network.
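The same policy as a script, added here as an illustration; it is not part of the original assessment and not Ubuntu or ufw code. It assumes ufw is installed and that apply_firewall_policy runs as root. firewall_steps takes the command to run as its argument, so the ordering can be checked with a recording stub before it is pointed at the real ufw, and unexpected_rules compares ufw status output against the list of ports that are supposed to be open:

```shell
#!/bin/sh
# Added example, not code from the original report. Applies the report's
# firewall policy in a lock-out-safe order and audits the result.
# Assumes ufw is installed and that apply_firewall_policy runs as root.

# firewall_steps CMD...: run the policy through CMD (normally "ufw").
# Order matters: the SSH rule is added before the firewall is enabled, and
# "limit" instead of "allow" on 22/tcp rate-limits brute-force attempts.
firewall_steps() {
    "$@" default deny incoming &&
    "$@" default allow outgoing &&
    "$@" limit 22/tcp &&
    "$@" allow 80/tcp &&
    "$@" allow 443/tcp &&
    "$@" --force enable        # --force skips the interactive confirmation
}

# apply_firewall_policy: the real thing, against the local ufw.
apply_firewall_policy() {
    firewall_steps ufw
}

# unexpected_rules "PORT PORT ...": read "ufw status" output on stdin and
# print every ALLOW/LIMIT rule whose port is not in the given list. An empty
# result means only the intended ports are open.
unexpected_rules() {
    awk -v allowed=" $1 " '
        $2 == "ALLOW" || $2 == "LIMIT" {
            split($1, p, "/")                 # "22/tcp" -> "22"
            if (index(allowed, " " p[1] " ") == 0) print
        }'
}

# audit_firewall "PORT PORT ...": 0 if no unexpected rule is active.
audit_firewall() {
    [ -z "$(ufw status | unexpected_rules "$1")" ]
}
```

Run apply_firewall_policy once, then audit_firewall "22 80 443" after every change (or from cron) to catch a port that was opened "temporarily" and forgotten.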
4 Installing Gallery
Gallery – general information and system requirements
Gallery is an open source project with the goal to develop and support leading photo
sharing web application solutions.
The Gallery project develops open source software licensed under the GPL, and is
maintained and developed by a community of users and developers. The development is
a distributed effort, with collaboration from around the globe. The team is well organized,
with weekly meetings, and constant communication. Serving millions worldwide, the
Gallery project is the most widely used system of its kind. Gallery is free to download and
use.
Gallery is an online photo album organizer. Gallery gives you an intuitive way to blend
photo management seamlessly into your own website whether you're running a small
personal site or a large community site.
Gallery is available for download at: http://codex.gallery2.org/Downloads
4.1 CLI part
Gallery itself is also available in Ubuntu's repositories, however to make sure that we have
the latest version of it, we will download the installer from its website. (The repository package
would be updated through aptitude along with everything else; a manually downloaded copy has to
be updated by hand whenever Gallery publishes a new release, so keep an eye on the project's
announcements.)
First of all, we will need root access to our server to write to some system folders.
To switch to the root user execute the following command:
sudo -s
It will prompt for your user's password.
Once switched to root, change to the Apache web folder (/var/www, the folder where the Apache
web server stores all the websites):
cd /var/www
Once in that folder, we can download the Gallery installer from the download page given above.
To download the file directly to the server, from the CLI, simply execute the following:
wget http://downloads.sourceforge.net/gallery/gallery-3.0.1.zip
Note that this is a plain HTTP download that is redirected through a mirror, so compare the
archive's checksum against the one published for the release (SourceForge lists one for each
file) before extracting it.
We should see the following output:
root@ubuntuSRV:/var/www# wget http://downloads.sourceforge.net/gallery/gallery-3.0.1.zip
--2011-03-15 02:36:11-- http://downloads.sourceforge.net/gallery/gallery-3.0.1.zip
Resolving downloads.sourceforge.net... 216.34.181.59
Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://downloads.sourceforge.net/project/gallery/gallery3/3.0.1/gallery-3.0.1.zip [following]
--2011-03-15 02:36:11-- http://downloads.sourceforge.net/project/gallery/gallery3/3.0.1/gallery-3.0.1.zip
Reusing existing connection to downloads.sourceforge.net:80.
HTTP request sent, awaiting response... 302 Found
Location: http://puzzle.dl.sourceforge.net/project/gallery/gallery3/3.0.1/gallery-3.0.1.zip [following]
--2011-03-15 02:36:12-- http://puzzle.dl.sourceforge.net/project/gallery/gallery3/3.0.1/gallery-3.0.1.zip
Resolving puzzle.dl.sourceforge.net... 195.141.111.5
Connecting to puzzle.dl.sourceforge.net|195.141.111.5|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1810327 (1.7M) [application/zip]
Saving to: `gallery-3.0.1.zip'
100%[======================================================>] 1,810,327 439K/s in 4.4s
2011-03-15 02:36:16 (401 KB/s) - `gallery-3.0.1.zip' saved [1810327/1810327]
The Gallery installer is distributed as a single ZIP archive which needs to be extracted.
Unfortunately, a stock Ubuntu server does not have unzip installed, so we need to install it
manually:
aptitude install unzip
After installation of unzip, to extract the file, issue the following command:
unzip gallery-3.0.1.zip
This should extract all the files into the gallery3 folder.
At this stage, we should be able to open our web browser and start the installer from
http://<server IP>/gallery3, however a few steps are still required directly on the server before
the installation can start properly.
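A download helper that refuses to hand an unverified archive to unzip, added as an illustration; it is not part of the original assessment and not Gallery's own tooling. The SHA-256 of gallery-3.0.1.zip is not given on this page, so the expected digest is a parameter that has to be taken from the project's download page; verify_sha256 is kept separate so it can be tried on any local file:

```shell
#!/bin/sh
# Added example, not code from the original report: verify a downloaded
# archive against an expected SHA-256 before unpacking it. The expected
# digest for gallery-3.0.1.zip is not on this page and must come from the
# release's download page; no value is assumed here.

# sha256_of FILE: print the hex digest (GNU coreutils on Ubuntu, shasum as
# a fallback on systems without sha256sum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# The comparison is case-insensitive so a copied upper-case hash still works.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# fetch_and_verify URL EXPECTED_HEX [DEST]: download with wget and keep the
# file only if the digest matches, so a tampered mirror copy or a truncated
# transfer never reaches 'unzip'.
fetch_and_verify() {
    url=$1; expected=$2; dest=${3:-$(basename "$url")}
    wget -q -O "$dest" "$url" || { rm -f "$dest"; return 1; }
    if verify_sha256 "$dest" "$expected"; then
        echo "verified: $dest"
    else
        echo "checksum mismatch, discarding: $dest" >&2
        rm -f "$dest"
        return 1
    fi
}
```

Usage from /var/www would be fetch_and_verify http://downloads.sourceforge.net/gallery/gallery-3.0.1.zip <digest from the download page> followed by unzip only if the call succeeds; a mismatch deletes the file, which is the failure mode you want when the transfer went over plain HTTP through a third-party mirror.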
We need to create a folder where Gallery will store the pictures and that the web server can
write to:
cd gallery3
mkdir var
chmod 777 var
The above commands create a folder called var in the gallery3 folder and make it writable for
everyone. Mode 777 is broader than Gallery needs: only the Apache worker process (user www-data
on Ubuntu) has to write there, and a world-writable directory lets any other local user or
compromised service drop files into the web root. Handing the directory to www-data and using
mode 770 instead gives Gallery the same access without that exposure.
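How the var directory can be made writable for Gallery without mode 777, added here as an illustration (not part of the original assessment). It assumes Apache runs as www-data, Ubuntu's default, and that the ownership change is done as root; on a non-root dry run it only adjusts the mode:

```shell
#!/bin/sh
# Added example, not code from the original report: give Gallery a writable
# var/ directory without making it world-writable. Assumes the Apache worker
# user is www-data (Ubuntu's default) and that the administrator runs this
# as root; when not root, the chown is skipped and only the mode is set.

# world_writable PATH -> 0 if 'other' has write permission on PATH.
world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -002)" ]
}

# harden_upload_dir DIR [OWNER] [GROUP]
# Creates DIR if needed, hands it to the web server user/group and sets
# mode 770: owner and group may write, everyone else gets nothing.
harden_upload_dir() {
    dir=$1; owner=${2:-www-data}; group=${3:-www-data}
    mkdir -p "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$dir" || return 1
    fi
    chmod 770 "$dir" || return 1
    # Final check: the directory must not be world-writable any more.
    ! world_writable "$dir"
}
```

For the report's layout the call is harden_upload_dir /var/www/gallery3/var, run as root after unzip; the rest of /var/www/gallery3 stays owned by root and read-only for www-data, so the web server can write pictures but not its own PHP code.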
In order to manipulate pictures directly from Gallery, we need to install a graphics toolkit
(ImageMagick or GraphicsMagick; the Ubuntu package names are imagemagick and graphicsmagick):
aptitude install imagemagick graphicsmagick
From now on, we will continue our installation from a web browser pointed at the Gallery
installation.
4.2 Web interface part
To start the proper installation, from any client in the same network as our Ubuntu Server, open a
web browser and go to http://<server IP>/gallery3.
You should see the Gallery 3 installer, prompting for the MySQL parameters. Use the defaults but
provide the MySQL root password created during the installation of Ubuntu Server. For ease of DB
management, we are also going to use the gallery_ table prefix. (Using the MySQL root account
here means the web application holds credentials that can read or alter every database on the
server; a dedicated database with a user limited to it is the better choice, since the installer
only needs an account with privileges on Gallery's own database.)
After you hit "Continue" the installer should send you to an information page, stating that the
installation completed successfully and that an admin account has been created for you.
From now on, you can go to http://<server IP>/gallery3 and start sharing your pictures online.
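Creating a dedicated database and user for Gallery, added as an illustration rather than taken from the Gallery installer or the original assessment. The database name gallery3, user gallery and host localhost are assumptions; gallery_db_sql prints the statements so they can be reviewed, and create_gallery_db runs them with the MySQL root password set in section 2. Enter the resulting user and password in the Gallery installer instead of the root credentials:

```shell
#!/bin/sh
# Added example, not code from the original report: create a dedicated MySQL
# database and user for Gallery instead of handing the application the MySQL
# root password. Database, user and host names are assumptions for
# illustration. Requires the mysql client from section 2.

# sql_escape STRING: escape backslashes and single quotes so STRING can be
# embedded in a MySQL single-quoted literal.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# gallery_db_sql DB USER PASSWORD [HOST]: print the statements that create
# the schema and a user whose privileges stop at that one schema
# (ALL PRIVILEGES ON db.*, never ON *.*).
gallery_db_sql() {
    db=$1; user=$2; pass=$(sql_escape "$3"); host=${4:-localhost}
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8;
CREATE USER '$user'@'$host' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# create_gallery_db DB USER PASSWORD [HOST]: run the statements as the MySQL
# root user; mysql prompts for the root password chosen during installation.
create_gallery_db() {
    gallery_db_sql "$@" | mysql -u root -p
}
```

Typical use is create_gallery_db gallery3 gallery "$(head -c 24 /dev/urandom | base64)" after noting the generated password; if Gallery is ever compromised, the attacker is limited to the gallery3 schema and cannot touch phpMyAdmin's or any other application's tables.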
5 Customizing Gallery
To make our gallery safer and more interesting we are going to customize it slightly. For
security reasons, the first thing we need to do with a freshly installed Gallery is to change the
admin's password.
In order to do that simply click on "Gallery Administrator" in the top right corner and then on
"Change Password". A new password prompt should appear:
To get rid of the "Graphics toolkit missing!..." warning at the top of our gallery, just set a
proper toolkit by clicking on "Choose a toolkit" and activating the available toolkits
(ImageMagick and GraphicsMagick, installed during the Gallery installation).
When I tried to upload a picture, an error "Error #2038" was thrown (see below).
According to what I have found on Gallery's wiki, it is due to simultaneous upload
limitations, which can be changed in Admin -> Settings -> Advanced by changing the
gallery simultaneous_upload_limit to 1 (by default it is set to 5).
The last step to make our gallery more colorful is to change the default theme. Unfortunately,
additional themes need to be downloaded manually. We can however clone Gallery's community git
repository and copy some extra themes from it.
First of all we need to install git:
aptitude install git
After it is done, change to root's home directory and create a new folder dedicated to
Gallery's git repository:
sudo -s
cd ~
mkdir git
Now we need to synchronize our new folder with the remote repository:
git clone https://github.com/gallery/gallery3-contrib.git ./git
Once completed we can copy all the themes to our gallery installation folder:
cp -R git/3.0/themes/* /var/www/gallery3/themes/
Themes are PHP code that runs with the web server's privileges, and the contrib repository
collects community contributions rather than releases reviewed by the Gallery team, so look over a
theme before copying it into /var/www and copy only the ones you intend to use. Since the copy is
made as root, the theme files are owned by root and merely readable by www-data, which is what we
want: the web server should not be able to rewrite its own code.
After completing this step, we should be able to enable a new theme by browsing our gallery's
website -> Appearance -> Theme choice.
6 Summary
Installation and configuration of both Ubuntu Server and the Gallery system was
undoubtedly a very interesting assessment. I had an opportunity to create my first blog. I
have also learned how to use WordPress and social media like Vimeo or SlideShare. I have
got familiar with Ubuntu and the various software required for the server.
While preparing my project I used the Internet as my prime and only source of
information. I find that the Internet is an unquestionable source of information for all aspects
related to the configuration of the server. Many websites contain step-by-step guides to
server configuration. What is more, there are many online forums with interesting and
helpful topics.
Ubuntu Linux, which I have worked on during this assignment, turned out to be easy
to use and intuitive. Ubuntu Linux's look is very similar to that of MS Windows and Mac OS,
hence it is very easy to migrate and switch between those three systems.
As regards Gallery itself, its installation appeared to be a straightforward
task and the only problem that caught me was "Error #2038" when I tried to upload
pictures, but again the Internet appeared to be of extreme help and after a quick search I found a
resolution on Gallery's wiki page.