ShareWiz Ultra Secure Server Setup

Install the Base System

Insert your Ubuntu install CD into your system and boot from it.

  1. Choose the Language for the final system.
  2. Select the installation Type – Select “Install Ubuntu Server”.
  3. Select the Language to be used during the installation process.
  4. Select your Location.
  5. If you've selected an uncommon combination of language and location (like English as the language and Germany as the location), the installer might tell you that there is no locale defined for this combination; in this case you have to select the locale manually, such as en_US.UTF-8.

  6. Choose the Keyboard Layout. Select "No" to pick your layout from a list. Select "Yes" only if you have an unusual keyboard layout; you will then be asked to press a few keys, and the installer will try to detect your keyboard layout from the keys you pressed.
  7. Choose the Keyboard Country, followed by any additional Keyboard settings.
  8. The installer then checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network.
  9. Enter the hostname. If the system is to be called server1.sharewiz.net, enter server1.
  10. Enter the full name of the Administrator of the system.
  11. Enter the username for the Administrator account, for example the user name administrator.
  12. IMPORTANT: Do not use the user name admin as it is a reserved name on Ubuntu 14.04.

  13. Enter a password for this Administrator account. It's best to use a combination of letters, numbers and other characters.
  14. Re-enter exactly the same password.
  15. If you used a very weak password that consists of less than 8 characters you will be prompted whether you actually do want to use this weak password. As we want a very secure server, select "No" and re-enter a much stronger password.

  16. We don't need an encrypted private directory, so choose No here.
  17. The system will attempt to set the clock. If it successfully shows the correct time zone then select "Yes", else "No".
  18. The system will try to get the time from a network time server. This may take some time, and the system may not succeed, as it might not have external internet access yet. Ignore the error.

  19. Now you have to partition the hard disk. We want to use the Logical Volume Manager, or LVM, which allows administrators to create logical volumes out of one or multiple physical hard disks. LVM volumes can be created on both software RAID partitions and standard partitions residing on a single disk. Volumes can also be extended, giving greater flexibility to systems as requirements change. There are several installation options for LVM: "Guided - use the entire disk and set up LVM", which also allows you to assign only a portion of the available space to LVM; "Guided - use entire disk and set up encrypted LVM"; or “Manually set up the partitions and configure LVM”. At this time the only way to configure a system with both LVM and standard partitions during installation is to use the Manual approach. Remember that there can be a maximum of 4 primary partitions per disk.
  20. Configuring LVM in Ubuntu takes place in 5 steps:
    • Create a non-LVM boot partition.
    • Create Physical Volume (PV).
    • Create a Volume Group (VG), and assign the PV created earlier to the VG.
    • Create the Logical Volumes within the VG.
    • Assign file-systems and mount points to the logical volumes created earlier.
  21. Select “Manual” to manually partition the disk on the system.
  22. Note that if you select any one of the “Guided” options for LVM configuration, all the available disk space will be used up, leaving you no free space to grow any logical volume if or when the need arises. Ultimately, our goal is to use just enough space to get the system up and running, and leave the rest for when we need to grow logical volumes.

  23. Select the physical disk that will be partitioned.
  24. This is usually the option right in the middle, such as SCSI1 (0, 0, 0) (sda).

  25. Select "Yes" to create a new empty partition table.
  26. WARNING: If you do select "Yes", then this will delete any existing partitions, so ALL data will be lost.

  27. Create a standard (non-LVM) primary partition for the /boot file system.
  28. Recent versions of Linux and Ubuntu do support having the /boot volume within the LVM. See Grub2.

    However, this sometimes still causes issues, especially after updates, so these instructions put the boot partition into a non-LVM partition.

    • Select the “pri/log” line.
    • Select “Create a new partition”.
    • Enter the size required – we want 256 MB.
    • Select “Primary Partition”.
    • Select “Beginning”.
    • Select ext4 journaling file system as the file-system.
    • Change the default mount point to /boot.
    • Set bootable flag to “on”.
    • Select “Done setting up the partition”.
  29. The next step is to use the unallocated space to create a physical volume.
  30. A Physical volume (PV) is the first major component of LVM, and can be created from a disk partition or a full disk drive. To create the PV for this configuration, we are going to use the unallocated disk space.
    • Select the “pri/log” line, hit Enter.
    • Select “Create a new partition”, hit Enter.
    • The size of the new partition will be the unallocated space on the hard drive. The installer will automatically show the unallocated free space. Enter the size of the partition. It is recommended to use 99% so that there is some free space left for growth.
    • Therefore, enter “99%”, hit Enter.
    • Select “Primary Partition”, hit Enter.
    • Select “Beginning”, hit Enter.
    • For the new partition that we just created, we want to tell the installer what to use it for. So with “Use as” selected, hit Enter.
    • Select “Physical Volume for LVM”, hit Enter.
    • Select “Done setting up the partition”, hit Enter.
    • Select “Configure the logical volume manager”, hit Enter.
    • Select “Yes” to “Write the changes to disk”, hit Enter.
  31. The next step is to create a Volume Group (VG).
    • Select the “Create Volume Group” option, hit Enter.
    • Creating a VG starts with giving it a name. Any name will do, but we use the standard of vg01, vg02, etc. For now we only have a single VG so we use vg01.
    • Assign the PV we created earlier to the VG. By default, this is not selected. Use the Space Bar on the keyboard to select the partition representing the PV (This will usually be the 2nd entry, i.e. /dev/sda2).
    • Select Continue.
  32. Next, create the Logical Volumes. With the PV and VG created, and the PV assigned to the VG, the next step is to create the Logical Volumes. A Logical Volume (LV) is LVM jargon for partition. We will create a number of LVs, one each for the following file-system directories:
  33. / (root), swap, /usr, /var, /tmp, /srv, /opt, /home, /backup, /sharewiz

    • Select the option to create logical volumes, hit Enter.
    • We have to tell the installer which VG to create the LVs under. Since we created only one VG, vg01, that is the only one shown; hit Enter.
    • Start by creating the logical volume for swap, by giving it the name swap, hit Enter.
    • Note that the recommended size of a swap partition is twice the amount of memory in the system, so set this accordingly, such as 4G.
    • Repeat the last two steps for the other logical volumes. Suggested sizes are in parentheses.
      • root (2G)
      • usr (2G)
      • var (2G)
      • tmp (2G)
      • srv (0.5G)
      • opt (0.5G)
      • home (0.5G)
      • backup (4G)
      • sharewiz (0.5G)
    • The suggested sizes should be more than enough to install and get the system up and running. This leaves enough free space to grow any LV that needs it.
    • It makes sense to leave some space unused so that you can later on expand your existing logical volumes or create new ones - this gives you more flexibility.
    • Select “Display the configuration details” to check that all LVs were created okay, hit Enter.
    • Select “Finish”, hit Enter.
  34. The final task is to assign a file-system and a mount point to each LV.
    • Select the line “#1” for each LV, hit Enter.
    • Set the mount point, hit Enter.
    • Before pressing Enter, make a note of the LV name being worked on.

      This can be seen in the line above, for instance LV backup refers to the backup partition.

    • Select “Use as”, hit Enter.
    • Select ext4 journaling file system as the file-system, (for swap use the swap area file-system type), hit Enter.
    • Set the mount point, hit Enter.
    • For the swap partition use the swap area file-system type.

      For cases where the mount point is not one of / (root), /tmp, /usr, /var, /srv, /opt or /home, select the "Enter manually" option.

      So, for the backup partition, simply use /backup as the manually entered name.

      Same for the sharewiz partition, simply use /sharewiz as the manually entered name.

    • Select “Done setting up the partition”, hit Enter.
    • Repeat the last five steps for the other logical volumes that you created.
  35. Finally, select "Finish partitioning and write changes to disk". Then confirm the changes and continue with the rest of the installation.
  36. Afterwards, your new partitions will be created and formatted.
  37. Now the base system will be installed. Note that this may take a while.
  38. The ALT-F4 key combination can be used to monitor what is actually happening with the install process.

    Use the ALT-F1 key combination to return back to the normal install screen.

  39. Leave the HTTP proxy line empty unless you're using a proxy server to connect to the Internet.
  40. Next the package manager apt gets configured.
  41. The system will probably seem to pause for a long time (because it cannot yet get external internet access). This is optional, but to speed up the install a bit, press Enter to cancel the current step, and the progress bar should jump to around 80% completed. Press Enter once more to skip to the end of this step.

  42. To update the server manually in order to have more control, select No automatic updates.
  43. Only select the OpenSSH Server, by pressing the Space bar on your keyboard.
  44. A choice of different types of servers can be selected, but don't select any of them now, in order to have full control over what gets installed on the system. The packages required on the system will be installed manually later on. The only item to select here is OpenSSH server, so that one can immediately connect to the system with an SSH client such as PuTTY after the installation has finished.

  45. The installation continues.
  46. Select Yes to install GRUB boot loader to the master boot record.
  47. The base system installation is now finished. Remove the installation CD from the CD drive and hit Continue to reboot the system.
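Once the system has rebooted, it is worth confirming that the partition plan above actually took effect, rather than trusting the installer screens. The following script is an added example, not part of the ShareWiz guide: it parses /proc/mounts (the kernel's own view of mounted file systems) and reports any of the planned mount points that is missing, that is not ext4, that sits on an LV when the plan keeps it outside LVM (/boot), or that sits outside the vg01 volume group when the plan puts it on an LV. The device names in the embedded sample are constructed from the layout the guide describes.

```python
# Added example (not from the ShareWiz guide): verify that the LVM layout chosen in
# the installer came up as intended, by parsing /proc/mounts.
import re

# Mount points the guide creates, and whether each should be an LVM logical volume.
EXPECTED = {
    "/boot": False,          # plain primary partition, deliberately outside LVM
    "/": True, "/usr": True, "/var": True, "/tmp": True, "/srv": True,
    "/opt": True, "/home": True, "/backup": True, "/sharewiz": True,
}
VG_NAME = "vg01"

# Constructed sample of /proc/mounts for a system installed as described. The
# device names are assumptions: the kernel exposes LVs as /dev/mapper/<vg>-<lv>.
# /sharewiz is deliberately left out to show how a gap is reported.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/mapper/vg01-root / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
/dev/sda1 /boot ext4 rw,relatime,data=ordered 0 0
/dev/mapper/vg01-usr /usr ext4 rw,relatime,data=ordered 0 0
/dev/mapper/vg01-var /var ext4 rw,relatime,data=ordered 0 0
/dev/mapper/vg01-tmp /tmp ext4 rw,relatime,data=ordered 0 0
/dev/mapper/vg01-srv /srv ext4 rw,relatime,data=ordered 0 0
/dev/mapper/vg01-opt /opt ext4 rw,relatime,data=ordered 0 0
/dev/mapper/vg01-home /home ext4 rw,relatime,data=ordered 0 0
/dev/mapper/vg01-backup /backup ext4 rw,relatime,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""


def parse_mounts(text):
    """Map mount point -> (device, fstype).

    Later entries win, matching the kernel's view when something is mounted
    over an earlier mount. Octal escapes in paths (\\040 for a space) are decoded.
    """
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        device, mpoint, fstype = parts[0], parts[1], parts[2]
        mpoint = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), mpoint)
        mounts[mpoint] = (device, fstype)
    return mounts


def is_lv_device(device, vg=VG_NAME):
    """True for either spelling of an LV device node in the given volume group."""
    return device.startswith("/dev/mapper/%s-" % vg) or device.startswith("/dev/%s/" % vg)


def check_layout(text, expected=EXPECTED):
    """Return a list of problems; an empty list means the layout matches the plan."""
    mounts = parse_mounts(text)
    problems = []
    for mpoint, want_lv in expected.items():
        if mpoint not in mounts:
            problems.append("%s is not a separate file system" % mpoint)
            continue
        device, fstype = mounts[mpoint]
        if want_lv and not is_lv_device(device):
            problems.append("%s is on %s, not an LV in %s" % (mpoint, device, VG_NAME))
        if not want_lv and is_lv_device(device):
            problems.append("%s is inside LVM (%s); the plan keeps it on a plain partition"
                            % (mpoint, device))
        if fstype != "ext4":
            problems.append("%s uses %s, expected ext4" % (mpoint, fstype))
    return problems


if __name__ == "__main__":
    # On the server itself: check the live mount table.
    with open("/proc/mounts") as f:
        for p in check_layout(f.read()) or ["layout matches the plan"]:
            print(p)
```

Run it on the freshly installed server with `sudo python3 check_layout.py` (any file name will do); an empty report means every planned mount point exists on the device type the plan intended.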

First Configuration

Login

Login with your previously created Administrator's username and password (e.g. administrator and adminpass).

Get root privileges (Optional)

Because all the following steps in this document must be run with root privileges, we can either prepend every command in this tutorial with sudo, or we become root right now by typing:

sudo -i

...and entering the Administrator's password, adminpass.

IMPORTANT: If this is done, then remember to remove the sudo command from the front of any future issued command.

IMPORTANT: Do not use the following command:

sudo su

and do not enable the root login by running:

sudo passwd root

and giving root a password.

With these options one can log in as the root user, but this is frowned upon by the Ubuntu developers and community for various reasons.

If for some reason the root account has been enabled then disable it again, issuing the following command:

sudo passwd -dl root
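To confirm the result of that command, the following added example (not from the guide) reads /etc/shadow and reports whether root is locked, which is how `passwd -dl root` leaves it: the password field is deleted and then prefixed with "!", so a lone "!" remains. It also flags any account whose password field is empty, since such an account can log in without a password. The sample shadow content is constructed, with a placeholder instead of a real hash.

```python
# Added example (not from the ShareWiz guide): report the lock state of root and
# any empty password fields, from /etc/shadow content.

def account_states(shadow_text):
    """Map username -> 'locked' | 'empty' | 'password' from /etc/shadow content.

    A password field starting with '!' or '*' cannot match any typed password, so
    the account cannot log in with a password; an empty field means no password.
    """
    states = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            states[user] = "empty"
        elif pw.startswith("!") or pw.startswith("*"):
            states[user] = "locked"
        else:
            states[user] = "password"
    return states


def audit(shadow_text):
    """Return a list of findings; empty means root is locked and no field is empty."""
    states = account_states(shadow_text)
    findings = []
    if states.get("root") != "locked":
        findings.append("root is not locked (%s)" % states.get("root", "missing"))
    for user, state in states.items():
        if state == "empty":
            findings.append("%s has an empty password field" % user)
    return findings


# Constructed sample: /etc/shadow after `sudo passwd -dl root` (root has a lone '!');
# the administrator's hash is a placeholder, not a real hash.
SAMPLE_SHADOW = """\
root:!:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
administrator:$6$saltsalt$HASHPLACEHOLDER:16000:0:99999:7:::
"""

if __name__ == "__main__":
    # /etc/shadow is readable only by root, so run this from the `sudo -i` shell.
    with open("/etc/shadow") as f:
        for finding in audit(f.read()) or ["root locked, no empty password fields"]:
            print(finding)
```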

Configure the network

Because the Ubuntu installer has configured the system to get its network settings via DHCP, we have to change that now because a server should have a static IP address.

Change the following entry iface eth0 inet dhcp in the network interfaces file.

Issue the following command:

sudo vi /etc/network/interfaces

and edit the file as follows:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary WAN interface
auto eth0
iface eth0 inet static
    address 192.168.0.11
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 8.8.8.8 8.8.4.4

# The primary LAN interface
auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255

You cannot edit /etc/resolv.conf directly anymore, but have to specify your nameservers in your network configuration. Use the command man resolvconf to find out more.

You may need to manually remove the DHCP record (lease) associated to this Ubuntu server from your DHCP server so the correct IP can be found by other machines on the network.

You might also need to manually add a HOST(A) record to your DNS server (for server1.sharewiz.net).

By the way, 8.8.8.8 and 8.8.4.4 are Google's DNS servers. 208.67.222.222 and 208.67.220.220 could also be used. They are the OpenDNS DNS servers.

Lines beginning with the word auto are used to identify the physical interfaces to be brought up when ifup is run with the -a option. (This option is used by the system boot scripts.) Physical interface names should follow the word auto on the same line.

Enable packet forwarding by the kernel

Issue the following command:

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

and then:

sudo vi /etc/sysctl.conf

...and uncomment the line:

net.ipv4.ip_forward=1

To uncomment the line, simply remove the hash mark # from the front of the line.

IP forwarding essentially turns your server into a router, and it is needed here because the server has multiple Network Interface Cards (NICs).

It allows traffic from the internal network to be routed through the external network and vice-versa.

If traffic comes in on one network interface that matches a subnet of another network interface, that traffic will be forwarded to the other network interface.

If using IPv6, then also uncomment the line: net.ipv6.conf.all.forwarding=1

IMPORTANT: When doing routing, security is a very important consideration. It is essential that firewalling and security measures are in place. These requirements will be covered through instructions later on in this setup guide.
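Because an uncommented `net.ipv4.ip_forward=1` means this host routes between its interfaces from the next `sysctl -p` or reboot onward, it helps to be able to see exactly which forwarding settings the file will apply and what the kernel is doing right now. The script below is an added example, not from the guide: it parses sysctl.conf syntax the way sysctl(8) reads it (comments, blank lines, whitespace around "=", last assignment wins) and pairs the configured value of each forwarding key with the live value from /proc/sys. The sample file content is constructed.

```python
# Added example (not from the ShareWiz guide): show the forwarding settings that
# `sysctl -p` will apply, next to the kernel's live values.

FORWARDING_KEYS = ("net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding")


def parse_sysctl_conf(text):
    """Return {key: value} for sysctl.conf-style content.

    Rules as sysctl(8) applies them: lines starting with '#' or ';' are comments,
    blank lines are skipped, whitespace around key and value is ignored, and when
    a key is assigned more than once the last assignment wins.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            continue  # sysctl warns about such lines and ignores them
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def forwarding_report(conf_text, live=None):
    """For each forwarding key return (configured value, live value).

    `live` maps key -> value and exists so the report can be computed offline; when
    it is None the live value is read from /proc/sys. Missing values are None.
    """
    conf = parse_sysctl_conf(conf_text)
    report = {}
    for key in FORWARDING_KEYS:
        if live is not None:
            current = live.get(key)
        else:
            path = "/proc/sys/" + key.replace(".", "/")
            try:
                with open(path) as f:
                    current = f.read().strip()
            except OSError:
                current = None   # e.g. IPv6 not loaded
        report[key] = (conf.get(key), current)
    return report


# Constructed sample: the stock comment line, an earlier explicit 0, and the
# uncommented line the guide asks for. The last assignment is the one that counts.
SAMPLE_CONF = """\
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
net.ipv4.ip_forward = 0
net.ipv4.ip_forward=1
#net.ipv6.conf.all.forwarding=1
"""

if __name__ == "__main__":
    with open("/etc/sysctl.conf") as f:
        for key, (configured, current) in forwarding_report(f.read()).items():
            print("%-32s configured=%s live=%s" % (key, configured, current))
```

A configured value of None next to a live value of 1 means forwarding was switched on by the echo into /proc/sys but will not survive a reboot; the reverse means it will appear at the next `sysctl -p`, which is the moment the firewall rules referred to above need to already be in place.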

Refresh sysctl

Issue the following command:

sudo sysctl -p

sysctl is used to modify kernel parameters at runtime.

Restart the Network

To enable the new settings to be recognized, the network needs to be restarted.

Issue the following command:

sudo service networking restart

If this fails to restart the network then try using this command instead: sudo /etc/init.d/networking restart.

An error message such as this might be displayed, but can be ignored:

ERROR: Calling a sysvinit script on a system using upstart isn't supported. Please use the 'service' command instead.

Check the network interfaces

Issue the following command:

sudo mii-tool

...which should show something like:

eth0: no autonegotiation, 1000baseT-FD flow-control, link ok

eth1: no autonegotiation, 1000baseT-FD flow-control, link ok

Ensure that all interfaces are shown. If not then revisit the above config changes around the network.

In the example output above, we can see that both eth0 and eth1 have been picked up, so all is well.

Setup the Network Hosts File

Edit the /etc/hosts file.

Issue the following command:

sudo vi /etc/hosts

and edit the file as follows:

127.0.0.1 localhost.localdomain localhost
192.168.0.11 server1.sharewiz.net server1
192.168.1.1 server1.sharewiz.local server1.local

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Check the network config is working

Issue the following command:

sudo ifconfig

and make sure the settings are correct.

If it's working then eth0 should show the IP Address 192.168.0.11.

eth1 should also show the IP Address 192.168.1.1.

One of the lines for each NIC should show UP BROADCAST RUNNING MULTICAST.

Check the network is working

Issue the following command:

sudo ping www.google.com

and make sure this is working.

If it's working then multiple lines should start with something like 64 bytes from....

Press CTRL-C to cancel the pinging.

Set the hostname

Issue the following command:

sudo sh -c "echo server1.sharewiz.net > /etc/hostname"

Restart the System

To enable the new hostname settings to be recognized, restart the system.

Issue the following command:

sudo reboot

Once the system is rebooted simply login again and issue the sudo -i command to continue implementing the system.

Check the Network Settings

After the reboot, check that the new hostname has been picked up.

Issue the following commands:

sudo hostname

and

sudo hostname -f

Both should show server1.sharewiz.net now.
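Whether `hostname -f` prints server1.sharewiz.net depends on three files agreeing: the static addresses in /etc/network/interfaces, the line in /etc/hosts whose first name is the FQDN, and the name written to /etc/hostname. The script below is an added example, not from the guide, that parses all three and lists any mismatch: an interface still on DHCP, a hostname with no hosts entry, a hosts entry pointing at an address that is not configured on this machine, or a hosts line whose canonical (first) name differs from the hostname. The embedded samples are built from the values used in this guide.

```python
# Added example (not from the ShareWiz guide): cross-check interfaces, hosts and
# hostname so that name resolution for the server's own name is consistent.


def parse_interfaces(text):
    """Return {iface: {option: value}} for each 'iface <name> inet <method>' stanza.

    A stanza ends at the next iface, auto, allow-*, mapping or source line, as in
    interfaces(5). Comments ('#' to end of line) are dropped.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = words[1]
            stanzas[current] = {"method": words[3]}
        elif words[0] in ("auto", "mapping", "source") or words[0].startswith("allow-"):
            current = None
        elif current is not None:
            stanzas[current][words[0]] = " ".join(words[1:])
    return stanzas


def parse_hosts(text):
    """Return {name: (ip, canonical)} from /etc/hosts content.

    canonical is the first name on the line, which is what hostname -f reports.
    The first line that mentions a name wins, as the files resolver behaves.
    """
    names = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            names.setdefault(name, (fields[0], fields[1]))
    return names


def check_name_resolution(interfaces_text, hosts_text, hostname_text):
    """List inconsistencies; an empty list means hostname -f should give the FQDN."""
    ifaces = parse_interfaces(interfaces_text)
    static_ips = {s["address"] for s in ifaces.values()
                  if s.get("method") == "static" and "address" in s}
    hosts = parse_hosts(hosts_text)
    hostname = hostname_text.strip()
    problems = [n + " still uses DHCP" for n, s in ifaces.items() if s.get("method") == "dhcp"]
    entry = hosts.get(hostname)
    if entry is None:
        problems.append("%s has no entry in /etc/hosts, so hostname -f will fail" % hostname)
        return problems
    ip, canonical = entry
    if ip not in static_ips:
        problems.append("%s maps to %s, which is not a static address on this host"
                        % (hostname, ip))
    if canonical != hostname:
        problems.append("hostname -f would report %s, not %s" % (canonical, hostname))
    return problems


# Constructed samples using the addresses and names from this guide.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

# The primary WAN interface
auto eth0
iface eth0 inet static
    address 192.168.0.11
    netmask 255.255.255.0
    gateway 192.168.0.1
    dns-nameservers 8.8.8.8     8.8.4.4

auto eth1
iface eth1 inet static
    address 192.168.1.1
    netmask 255.255.255.0
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost.localdomain localhost
192.168.0.11 server1.sharewiz.net server1
192.168.1.1 server1.sharewiz.local server1.local
::1 localhost ip6-localhost ip6-loopback
"""
SAMPLE_HOSTNAME = "server1.sharewiz.net\n"

if __name__ == "__main__":
    files = ("/etc/network/interfaces", "/etc/hosts", "/etc/hostname")
    contents = [open(p).read() for p in files]
    for p in check_name_resolution(*contents) or ["name resolution is consistent"]:
        print(p)
```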

Install Putty (Highly Recommended)

It is better to use PuTTY to connect to the system than to log in directly on the console.

Putty is not only usually quicker, but it also allows for scrolling and copying of text.

It also allows commands to be pasted in, which could be copied from these directions.

Start Putty.

Type the following and click the save button:

Host Name: server1 (or the IP Address 192.168.0.11)

Port: 22

Connection Type: SSH

Saved Sessions: server1.sharewiz.net

Double-click on the server1.sharewiz.net session and it will connect to your server.

The first time you connect to the server with Putty you will be shown a Putty Security Alert about the Server's host key not being cached.

Select "Yes" to this alert.
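The alert shows the fingerprint of the key the server presented. The script below is an added example, not from the guide, that computes the same fingerprints from the server's own public key files (/etc/ssh/ssh_host_*_key.pub, the standard OpenSSH location) in both notations in use: the "SHA256:" base64 form shown by OpenSSH 6.8 and later and by newer PuTTY releases, and the older colon-separated MD5 form shown by the OpenSSH version in Ubuntu 14.04 and by older PuTTY releases. Running it on the console before the first PuTTY connection gives the value the alert should match. The public key line used for the test vector is constructed: its blob decodes to the bytes "abc" and is not a real key.

```python
# Added example (not from the ShareWiz guide): compute SSH host key fingerprints
# from OpenSSH public key lines, in the forms PuTTY and ssh-keygen -l display.
import base64
import glob
import hashlib


def parse_pubkey_line(line):
    """Split an OpenSSH public key line ('<type> <base64 blob> [comment]')
    into (key type, raw key blob). Fingerprints are hashes of the raw blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    return fields[0], base64.b64decode(fields[1])


def sha256_fingerprint(blob):
    """'SHA256:' followed by the unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob):
    """'MD5:' followed by the digest as colon-separated hex byte pairs."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprints_for_line(line):
    """Return (key type, SHA256 fingerprint, MD5 fingerprint) for one key line."""
    key_type, blob = parse_pubkey_line(line)
    return key_type, sha256_fingerprint(blob), md5_fingerprint(blob)


# Constructed test vector, not a real key: the base64 blob "YWJj" decodes to b"abc".
SAMPLE_LINE = "ssh-ed25519 YWJj constructed-test-vector"

if __name__ == "__main__":
    # On the server console: print both fingerprints for every host key present.
    for path in sorted(glob.glob("/etc/ssh/ssh_host_*_key.pub")):
        with open(path) as f:
            key_type, sha, md5 = fingerprints_for_line(f.readline())
        print("%-28s %-20s %s  %s" % (path.split("/")[-1], key_type, sha, md5))
```

Compare the fingerprint for the key type named in the PuTTY alert with the matching line of this output; they should be identical, character for character, before "Yes" is selected.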

Continue to the Initial Config...