Friday, July 31, 2009

HOWTO : Godaddy.com's Relay Mail Server with Postfix on Ubuntu 9.04 Server

Your Internet Service Provider (ISP) may block the SMTP port (port 25) if you are not on a business plan (as in Hong Kong). However, you can still send email that passes the reverse lookup of your domain name when your domain registrar is Godaddy.com.

Step 1 :

Create and enable your free email account at Godaddy.com when you have a domain name there. Set the password accordingly. The username of the account looks like this : yourname@yourdomain.

Incoming Mail Server Type : POP3
Incoming Mail Server : pop.secureserver.net
Incoming Mail Server Port : 110

Outgoing Mail Server : smtpout.secureserver.net
Outgoing Mail Server Port : 25, 80, 587 or 3535

Step 2 :

Create a file named "sasl_passwd".

sudo nano /etc/postfix/sasl/sasl_passwd

Add the following line.

smtpout.secureserver.net username:password


Step 2a :

Save and quit. Issue the following commands.

sudo chown root:root /etc/postfix/sasl/sasl_passwd
sudo chmod 600 /etc/postfix/sasl/sasl_passwd
sudo postmap /etc/postfix/sasl/sasl_passwd

Step 3 :

Edit the Postfix configuration on your mail server.

sudo nano /etc/postfix/main.cf


Edit and/or add the following lines.

relayhost = [smtpout.secureserver.net]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
mynetworks = 192.168.0.0/24, 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

*This assumes your network is 192.168.0.0/24; otherwise, change it accordingly.

Step 4 :

Restart Postfix to apply the changes.

sudo /etc/init.d/postfix restart
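A set of checks for the relay setup above, added here as an example and not part of the original post. It assumes the paths used above (/etc/postfix/sasl/sasl_passwd and /etc/postfix/main.cf) and uses Postfix's smtp_tls_security_level parameter for the TLS check; the files in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the relay setup
# above. Verifies that sasl_passwd is private (mode 600, expected owner),
# that postmap has been re-run since the file was last edited (a stale
# .db is a common cause of "authentication failed"), that the lookup key
# names the same host as relayhost, and whether TLS is required for the
# relay hop. Defaults are the paths used in the post.

# Mode must be exactly -rw------- (no group/world bits). Uses ls -ln so
# it works without GNU stat.
creds_mode_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ln "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Owner uid must be UID (0 = root in production).
creds_owner_ok() {
    [ "$(ls -ln "$1" 2>/dev/null | awk '{print $3}')" = "$2" ]
}

# postmap output (FILE.db) must exist and not be older than FILE.
map_is_fresh() {
    [ -f "$1.db" ] && [ ! "$1" -nt "$1.db" ]
}

# "[smtpout.secureserver.net]:587" -> "smtpout.secureserver.net"
relay_hostname() {
    printf '%s\n' "$1" | sed -e 's/^\[//' -e 's/\].*$//' -e 's/:[0-9]*$//'
}

# The first key in sasl_passwd must name the relayhost from main.cf.
# Postfix looks the key up by next-hop ("[host]") and by server hostname,
# so either spelling is accepted here as long as the host matches.
sasl_key_matches_relayhost() {
    relay=$(sed -n 's/^relayhost[[:space:]]*=[[:space:]]*//p' "$2" | tail -n 1)
    key=$(grep -v '^#' "$1" | awk 'NF { print $1; exit }')
    [ -n "$relay" ] && [ "$(relay_hostname "$relay")" = "$(relay_hostname "$key")" ]
}

# The post's main.cf does not set smtp_tls_security_level, so the
# username:password travels in the clear on the relay hop. This check
# passes only when Postfix is told to require TLS to the relay.
relay_requires_tls() {
    grep -Eq '^smtp_tls_security_level[[:space:]]*=[[:space:]]*(encrypt|secure|verify)' "$1"
}

# Usage: audit_relay [SASL_PASSWD] [MAIN_CF] [OWNER_UID]
# Prints one line per check; returns the number of failed checks.
audit_relay() {
    passwd=${1:-/etc/postfix/sasl/sasl_passwd}
    maincf=${2:-/etc/postfix/main.cf}
    owner=${3:-0}
    fails=0
    creds_mode_ok "$passwd" && echo "ok   mode 600" || { echo "FAIL $passwd is not mode 600"; fails=$((fails + 1)); }
    creds_owner_ok "$passwd" "$owner" && echo "ok   owner" || { echo "FAIL $passwd not owned by uid $owner"; fails=$((fails + 1)); }
    map_is_fresh "$passwd" && echo "ok   postmap up to date" || { echo "FAIL run: postmap $passwd"; fails=$((fails + 1)); }
    sasl_key_matches_relayhost "$passwd" "$maincf" && echo "ok   key matches relayhost" || { echo "FAIL sasl_passwd key does not match relayhost"; fails=$((fails + 1)); }
    relay_requires_tls "$maincf" && echo "ok   TLS required" || { echo "WARN smtp_tls_security_level not set: credentials sent in clear text"; fails=$((fails + 1)); }
    return $fails
}

audit_relay
```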

Step 5 :

Now you can send email through Godaddy.com's relay mail server, which passes reverse lookup. Your email will not be blocked or redirected to the "Junk Mail" folder by Gmail, Yahoo Mail or others.

Keep in mind that you have a quota of 250 emails every day. Beyond that, you are required to purchase more quota.

On your other servers that send email, point them at this mail server as their relay.

That's all. See you!

Sunday, July 26, 2009

HOWTO : Performance tuning for PostgreSQL on Ubuntu 9.04 Server

Step 1 :

Edit postgresql.conf.

sudo nano /etc/postgresql/8.3/main/postgresql.conf

Step 2 :

The performance tuning settings are as follows :

(1) shared_buffers

Recommended : 0.25 * Available Memory

(2) work_mem

Recommended : Available Memory / max_connections
(If your queries tend to be more complicated, divide that by 2. If you typically run very close to max_connections connections, consider dividing by 2 again. If that gives you a number that isn't at least 16MB, buy more memory.)

(3) maintenance_work_mem

Recommended : Available Memory / 8

(4) wal_buffers

Recommended : 8MB

(5) checkpoint_segments

Recommended : 16 to 128

(6) effective_cache_size

Recommended : Available Memory * 0.75

(7) cpu_tuple_cost

Recommended : 0.0030

(8) cpu_index_tuple_cost

Recommended : 0.0010

(9) cpu_operator_cost

Recommended : 0.0005

(10) fsync

Recommended : off

Warning : If “fsync” is set to “off”, you may encounter data loss on a power failure unless you have a battery backup unit on your hardware RAID card.

(11) max_connections

Recommended : 140% of the average number of clients (100 clients on average means 140 max connections)

(12) checkpoint_timeout

Recommended : 1h
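The rules above carried through as a calculator, added here as an example and not part of the original post. It takes available RAM in MB and the average client count, applies the two optional work_mem halvings, and also derives a kernel.shmmax estimate (the 5% headroom it adds is an assumption); with 8192MB it reproduces the shared_buffers, maintenance_work_mem and effective_cache_size values of Reference #1 below.

```shell
#!/bin/sh
# Added example, not from the original post: the tuning rules above as
# a calculator. Integer arithmetic, so results round down.

# Rules that depend only on available RAM (in MB).
pg_shared_buffers_mb()       { echo $(( $1 / 4 )); }      # 0.25 * RAM
pg_maintenance_work_mem_mb() { echo $(( $1 / 8 )); }      # RAM / 8
pg_effective_cache_size_mb() { echo $(( $1 * 3 / 4 )); }  # 0.75 * RAM

# max_connections = 140% of the average number of clients.
pg_max_connections() { echo $(( $1 * 14 / 10 )); }

# work_mem = RAM / max_connections, halved once for complicated queries
# and once more when you usually run close to max_connections.
# Usage: pg_work_mem_mb RAM_MB MAX_CONNECTIONS COMPLEX(0|1) NEAR_MAX(0|1)
pg_work_mem_mb() {
    mem=$(( $1 / $2 ))
    [ "$3" = 1 ] && mem=$(( mem / 2 ))
    [ "$4" = 1 ] && mem=$(( mem / 2 ))
    echo "$mem"
}

# kernel.shmmax must hold the shared_buffers segment; the 5% headroom
# for PostgreSQL's own bookkeeping is an assumption, not from the post.
pg_shmmax_bytes() {
    echo $(( $(pg_shared_buffers_mb "$1") * 1048576 * 105 / 100 ))
}

# Usage: pg_tune RAM_MB AVG_CLIENTS COMPLEX(0|1) NEAR_MAX(0|1)
# Prints postgresql.conf lines plus the matching sysctl value.
pg_tune() {
    conns=$(pg_max_connections "$2")
    wm=$(pg_work_mem_mb "$1" "$conns" "$3" "$4")
    if [ "$wm" -lt 16 ]; then
        echo "# work_mem would be ${wm}MB, below the 16MB floor: buy more memory" >&2
    fi
    cat <<EOF
max_connections = $conns
shared_buffers = $(pg_shared_buffers_mb "$1")MB
work_mem = ${wm}MB
maintenance_work_mem = $(pg_maintenance_work_mem_mb "$1")MB
wal_buffers = 8MB
checkpoint_segments = 128
effective_cache_size = $(pg_effective_cache_size_mb "$1")MB
checkpoint_timeout = 1h
# /etc/sysctl.conf: kernel.shmmax = $(pg_shmmax_bytes "$1")
EOF
}

# The post's 8GB server with 100 clients on average and complex queries.
pg_tune 8192 100 1 0
```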

Step 3 :

Restart PostgreSQL server.

sudo /etc/init.d/postgresql-8.3 restart


Step 4 :

If it produces an error message and cannot restart, change the "kernel.shmmax" setting in sysctl.conf as the error message suggests.

Edit sysctl.conf.

sudo nano /etc/sysctl.conf

Reference #1 :

The following is my setting for an 8GB RAM server running PostgreSQL.

/etc/postgresql/8.3/main/postgresql.conf

max_connections = 140
shared_buffers = 2GB
temp_buffers = 8MB
work_mem = 16MB
maintenance_work_mem = 1GB
wal_buffers = 8MB
checkpoint_segments = 128
effective_cache_size = 6GB
cpu_tuple_cost = 0.0030
cpu_index_tuple_cost = 0.0010
cpu_operator_cost = 0.0005
fsync = off
checkpoint_timeout = 1h


Reference #2 :

The following is my setting of sysctl.conf on the same server.

/etc/sysctl.conf

kernel.sem = 250 32000 100 128
kernel.shmall = 2097152
kernel.shmmax = 2209914880
kernel.shmmni = 4096
fs.file-max = 262140
vm.vfs_cache_pressure = 50
vm.min_free_kbytes = 65536

net.core.rmem_default = 33554432
net.core.rmem_max = 33554432
net.core.wmem_default = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 10240 87380 33554432
net.ipv4.tcp_wmem = 10240 87380 33554432
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_mem = 786432 1048576 26777216
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_tw_buckets = 360000



Step 5 :

Add the following parameters to the kernel line in Grub.

reservation,nodiratime,noatime


Step 6 :

sudo mount -a


If no error message is produced, issue the following command to make it take effect.

sudo mount -o remount /


That's all. See you!

Friday, July 17, 2009

HOWTO : Sockso 1.1.8 (Music Server) on Ubuntu 9.04 Server

Sockso is a cross-platform music server and requires no installation. It runs on a standalone personal computer or on a server. For running on a personal computer with a GUI, please refer to the official site.

The client computer requires no mp3 player to play the music, but it does need a Flash player.

The advantage of Sockso is that you can listen to your mp3 files anytime and anywhere, provided a fast internet connection is available. The disadvantage is that you need at least an IEEE 802.11g (54M) Wifi connection for smooth operation.

Sockso requires only Sun Java; it needs no Apache or other web server to run.

Step 1 :

Sockso requires Sun Java to work. Install the following packages.

sudo apt-get install sun-java6-bin sun-java6-fonts sun-java6-jre unzip


Step 2 :

Download the latest version of Sockso. The current version is 1.1.8 at the time of this writing.

wget http://sockso.googlecode.com/files/sockso-1.1.8.zip

unzip sockso-1.1.8.zip

sudo mkdir /usr/share/sockso

sudo cp -R /home/samiux/sockso-1.1.8/* /usr/share/sockso/

sudo mkdir /var/sockso
sudo chmod -R 0755 /var/sockso

Step 3 :

Run Sockso at the command prompt.

sudo sh /usr/share/sockso/linux.sh --nogui --datadir /var/sockso

If you have some mp3 files at /home/samiux/music and /home/mary/mp3, run the following commands to build the music collection.

#SockSo#>coladd /home/samiux/music
#SockSo#>coladd /home/mary/mp3

To list all collections, use the following command.

collist

To delete one of the collections, use the following command.

coldel

Add a user to Sockso.

#SockSo#>useradd samiux <your_password_here> samiux@gmail.com

To exit the #SockSo#> command prompt, type:

exit


Step 4 :

Copy the init.d script to /etc/init.d/

sudo cp /usr/share/sockso/scripts/init.d/sockso /etc/init.d/sockso.pl


Create a sockso wrapper script.

sudo nano /etc/init.d/sockso


-------- CUT HERE ---------
#!/bin/bash

perl /etc/init.d/sockso.pl $1

exit 0
-------- CUT HERE ---------


Edit sockso.pl so that the following two lines read as shown (the data directory is passed to linux.sh).

sudo nano /etc/init.d/sockso.pl

use constant SOCKSO_DIR => "/usr/share/sockso/";

system( 'sh linux.sh --nogui --datadir /var/sockso > /dev/null 2>&1 &' );

Step 5 :

Now you can start Sockso with the following commands.

sudo chmod +x /etc/init.d/sockso
sudo chmod +x /etc/init.d/sockso.pl

sudo /etc/init.d/sockso start


You can also stop Sockso with the following command.

sudo /etc/init.d/sockso stop


Listen to the music with your browser.

http://192.168.0.100:4444

Step 6 :

Make the script run automatically after reboot.

sudo update-rc.d sockso defaults

Remarks : Make sure you have stopped Sockso before reboot or shutdown; otherwise, the mp3 database may be corrupted. If so, delete everything inside /var/sockso and redo Step 3.


Remarks : Don't broadcast copyrighted music or songs, or you may face a lawsuit.

That's all. See you!

Tuesday, July 14, 2009

HOWTO : WebDAV on Ubuntu 9.04 Server

WebDAV is a file manager that runs on a web server. You can access it as if it were on your desktop. Easy and enjoyable.

Install Ubuntu 9.04 server as usual and select LAMP and OpenSSH when asked. You can also install vsFTPd if you want to, but it is optional.

Step 1 :

sudo a2enmod dav_fs
sudo a2enmod dav
sudo a2enmod dav_lock

sudo a2dissite default

sudo /etc/init.d/apache2 restart

Step 2 :

Create a virtual host for WebDAV.

sudo mkdir -p /var/www/webdav
sudo chown www-data /var/www/webdav

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/webdav

sudo nano /etc/apache2/sites-available/webdav

Make the relevant portion of the file look like the following :


....
DocumentRoot /var/www/webdav
<Directory /var/www/webdav/>
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all
</Directory>
<Location />
   DAV On
   AuthType Basic
   AuthName "webdav"
   AuthUserFile /var/www/.passwd.dav
   Require valid-user
   DavMinTimeout 600
   <LimitExcept GET PUT HEAD OPTIONS POST>
      Require valid-user
   </LimitExcept>

</Location>
....

Step 3 :

sudo htpasswd -c /var/www/.passwd.dav samiux

sudo chown root:www-data /var/www/.passwd.dav
sudo chmod 640 /var/www/.passwd.dav

sudo chmod -R 0777 /var/www/webdav
sudo chown www-data:www-data /var/www/webdav

sudo /etc/init.d/apache2 restart

Step 4 :

To test whether WebDAV works :

sudo apt-get install cadaver

sudo cadaver http://localhost/

If you get the “dav:/” prompt, enter “quit” to exit. Otherwise, fix the problem.

Step 5 (Windows only) :

Download NetDrive from http://www.netdrive.net/ and configure it accordingly. The port should be 80.

Now you can access your WebDAV server from Windows.

Step 6 (Ubuntu only) :

Go to “Places” > “Connect to Server”. Select “WebDAV (HTTP)”. Enter the IP of your WebDAV server and then press “Connect”. Enter the username and password. An icon will be displayed on your desktop. Double-click it and go.

Now you can access your WebDAV server from Ubuntu.


OpenOffice

If you open OpenOffice files on the WebDAV share by clicking them, they open in read-only mode. However, there is a way to overcome this. Open OpenOffice Writer (for example), click “Open file” and in “Name of file” enter the following :

vnd.sun.star.webdav://192.168.0.100/openoffice_readonly_on_webdav.odt

Now you can edit and save it on WebDAV.


Limitation of WebDAV


You can paste a file onto WebDAV directly, but there is a file size limitation: the file should be less than 1GB. If you want to transfer a file larger than 1GB, I suggest using FTP instead.

Make sure to change the ownership of the files that you have uploaded by FTP.

sudo chown -R www-data:www-data /var/www/webdav


That’s all!

Friday, July 10, 2009

HOWTO : Rebootless with Ksplice Uptrack on Ubuntu 9.04 Server

By using Ksplice Uptrack, your Ubuntu Server 9.04 becomes rebootless even when the kernel is updated.

Step 1 :

Get the access key of Ksplice Uptrack at the following link.

http://www.ksplice.com/uptrack/key

The access key will be emailed to you.

Step 2 :

sudo nano /etc/apt/sources.list.d/ksplice.list

Append the following lines to the file.

deb http://www.ksplice.com/apt jaunty ksplice
deb-src http://www.ksplice.com/apt jaunty ksplice

Add the repository key.

sudo wget -N https://www.ksplice.com/apt/ksplice-archive.asc
sudo apt-key add ksplice-archive.asc

Step 3 :

Install Ksplice Uptrack.

sudo apt-get update
sudo apt-get install uptrack

When installing uptrack, you will be asked for the access key. Go to your email and copy the access key you just received into the space provided on the screen.

Step 4 :

sudo nano /etc/uptrack/uptrack.conf

Change the following line so that Ksplice Uptrack updates are installed automatically.

autoinstall = yes

Step 5 :

sudo /etc/init.d/uptrack restart


That's all. See you!

HOWTO : SSH to use RSA key for login

Generate an RSA key.

ssh-keygen -t rsa -b 2048

or

ssh-keygen -t rsa -b 4096

“Enter file in which to save the key (/home/samiux/.ssh/id_rsa):”

Press “Enter” to accept the default.

“Enter passphrase (empty for no passphrase):”

Enter your passphrase twice.

nano /home/samiux/.ssh/id_rsa.pub

Copy the content.

SSH to your server. In the user's home directory :

sudo mkdir .ssh
sudo nano /home/username/.ssh/authorized_keys

Then paste the previously copied key into the authorized_keys file. Save it.

Still at the server.

sudo nano /etc/ssh/sshd_config

Change the following settings as shown.

AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreUserKnownHosts yes
PasswordAuthentication no
#UseLogin no
UsePAM no

sudo /etc/init.d/ssh restart

When you log in to the server again, you will be asked for your RSA key passphrase once. Later, you will not be asked for any passphrase or password in the same session.

For Ubuntu Desktop users, you may consider installing SSHMenu. It will make your work easier.

http://sshmenu.sourceforge.net/

That's all. See you!

HOWTO : Fail2ban on Ubuntu 9.04 Server

Fail2ban cannot work properly on Ubuntu 9.04 Server because Ubuntu ships with Python 2.6. It is very easy to overcome this problem.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install python2.5

sudo nano /usr/bin/fail2ban-server

Change the first line from

#!/usr/bin/python
to

#!/usr/bin/python2.5

Set the /etc/fail2ban/jail.conf as usual.

sudo /etc/init.d/fail2ban restart

Set the related services to "true". By default, any unauthorized access will be blocked after 6 invalid attempts.

sudo nano /etc/fail2ban/jail.conf

After that, restart fail2ban.

sudo /etc/init.d/fail2ban restart
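To make the 6-attempts rule concrete, this added example (not part of the original post) does the per-address counting that fail2ban's sshd jail does, over a few constructed auth.log lines; it ignores fail2ban's findtime window and counts only by source address.

```shell
#!/bin/sh
# Added example, not from the original post: the per-address counting
# that fail2ban's sshd jail performs, over constructed auth.log lines.
# fail2ban also limits the count to a findtime window; this does not.

# Constructed sample: one address fails six times, one fails once, and
# one line is a successful login that must not be counted.
AUTH_LOG_SAMPLE='Jul 14 10:00:01 server sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul 14 10:00:03 server sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jul 14 10:00:05 server sshd[2002]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jul 14 10:00:07 server sshd[2003]: Failed password for root from 203.0.113.7 port 40131 ssh2
Jul 14 10:00:09 server sshd[2004]: Failed password for root from 203.0.113.7 port 40132 ssh2
Jul 14 10:00:11 server sshd[2005]: Failed password for samiux from 203.0.113.7 port 40133 ssh2
Jul 14 10:01:00 server sshd[2010]: Failed password for samiux from 192.168.0.20 port 51000 ssh2
Jul 14 10:01:30 server sshd[2011]: Accepted publickey for samiux from 192.168.0.20 port 51001 ssh2'

# Usage: count_failures [MAXRETRY] < auth.log
# Prints "IP COUNT" for each source with at least MAXRETRY failed
# password attempts (default 6, fail2ban's default maxretry).
count_failures() {
    maxretry=${1:-6}
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }'
}

# Failure count for one IP in the sample (empty output if none).
failures_for() {
    printf '%s\n' "$AUTH_LOG_SAMPLE" | count_failures 1 | awk -v ip="$1" '$1 == ip { print $2 }'
}

# Addresses that would be banned with the default maxretry of 6.
printf '%s\n' "$AUTH_LOG_SAMPLE" | count_failures 6
```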

That's all. See you!

HOWTO : Make sure no rootkit on Ubuntu 9.04 Server

To ensure that rootkits, trojans or worms do not get installed on your server without your approval, you should check it frequently.

ChkRootKit

Get the chkrootkit package :

sudo apt-get install chkrootkit

Make a Cron Job to do the scan daily at 0700 hours :

sudo crontab -e

0 7 * * * /usr/sbin/chkrootkit -q 2>&1 | mail -s "Daily ChkRootKit Scan" samiux@gmail.com

Do a manual scan :

sudo /usr/sbin/chkrootkit


Rootkit Hunter

sudo apt-get install rkhunter


Make a Cron Job to do the scan daily at 0500 hours :

sudo crontab -e

0 5 * * * rkhunter --cronjob --rwo | mail -s "Daily Rootkit Hunter Scan" samiux@gmail.com


Do a manual scan :

sudo rkhunter --check


Forensic tool to find hidden processes and ports – unhide

Get the unhide package :

sudo apt-get install unhide

Make a Cron Job to do the scan daily between 0800 and 0930 hours :

sudo crontab -e

0 8 * * * unhide proc -q 2>&1 | mail -s "Daily unhide proc Scan" samiux@gmail.com

30 8 * * * unhide sys -q 2>&1 | mail -s "Daily unhide sys Scan" samiux@gmail.com

0 9 * * * unhide brute -q 2>&1 | mail -s "Daily unhide brute Scan" samiux@gmail.com

30 9 * * * unhide-tcp -q 2>&1 | mail -s "Daily unhide-tcp Scan" samiux@gmail.com

Do a manual scan :

sudo unhide proc
sudo unhide sys
sudo unhide brute
sudo unhide-tcp

Beware :
Rootkit Hunter or ChkRootKit may produce some false positives when your packages or files have been updated, or when they behave similarly to a rootkit.

If this happens and you have verified that everything is alright, you can reset the file properties database with the following command.

sudo rkhunter --propupd

Remarks :
It is not 100% proof that your system is safe from rootkit attacks.
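One way to live with those false positives, added here as an example and not the original post's code: a wrapper for the cron jobs above that stores each scanner's last report and only mails when the report changes. STATE_DIR, MAILTO and the script path in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper for the cron
# jobs above that stores each scanner's last report and only produces
# output (and so only mails) when the report changes. A false positive
# caused by a package update then shows up once and becomes the new
# baseline; a later change is what merits a look. STATE_DIR and MAILTO
# are assumptions; any root-only directory and your address will do.

STATE_DIR=${STATE_DIR:-/var/lib/scan-reports}
MAILTO=${MAILTO:-root}

# Usage: report_if_changed NAME COMMAND [ARGS...]
# Runs COMMAND, capturing stdout and stderr into STATE_DIR/NAME.new.
# Returns 0 and prints nothing when the output equals the stored
# baseline; otherwise prints the report (or the diff against the old
# baseline), stores the new output as the baseline, and returns 1.
report_if_changed() {
    name=$1; shift
    mkdir -p "$STATE_DIR"
    last=$STATE_DIR/$name.last
    new=$STATE_DIR/$name.new
    "$@" > "$new" 2>&1
    if [ -f "$last" ] && [ "$(cksum < "$last")" = "$(cksum < "$new")" ]; then
        rm -f "$new"
        return 0
    fi
    if [ -f "$last" ]; then
        echo "== $name: report changed since last run =="
        if command -v diff >/dev/null 2>&1; then diff "$last" "$new" || true; else cat "$new"; fi
    else
        echo "== $name: first run, baseline stored =="
        cat "$new"
    fi
    mv "$new" "$last"
    return 1
}

# Cron-friendly front end: mails only when report_if_changed saw a
# change. The cron line then becomes, for example (hypothetical path):
#   0 7 * * * /usr/local/sbin/scan-report.sh chkrootkit /usr/sbin/chkrootkit -q
mail_on_change() {
    out=$(report_if_changed "$@") || printf '%s\n' "$out" | mail -s "Scan report changed: $1" "$MAILTO"
}
```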

That's all. See you!

HOWTO : Logwatch on Ubuntu 9.04 Server

Logwatch reads your log files and can send you email daily about the most interesting parts.

Step 1 :

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install logwatch


Step 2 :

sudo nano /usr/share/logwatch/default.conf/logwatch.conf

Change the following as shown :

Output = mail
Format = html
MailTo = samiux@gmail.com


Step 3 :

sudo nano /etc/cron.daily/00logwatch


/usr/sbin/logwatch --mailto samiux@gmail.com


That's all. See you!

HOWTO : Secure Ubuntu 9.04 Server in a passive way

Part 1

When root or sudoers access the server, you will be informed. It will also alert you when crackers gain rights on your server.

Add the following to the top of /root/.bashrc (or the sudoer's .bashrc) and you will be informed by email whenever the root or sudoer account is accessed.

echo -e "Root Shell Access on `tty` \n `w`" | mail -s "Alert: Root Access" samiux@gmail.com

or

echo -e "Sudoer Shell Access on `tty` \n `w`" | mail -s "Alert: Sudoer Access" samiux@gmail.com

Part 2

The official port of SSH is 22. You can change it to any port between 1024 and 65535. You can do this at the router or firewall, or in the SSH configuration file /etc/ssh/sshd_config. You are recommended to disable root login via SSH even though you are using Ubuntu.

Port 65535
PermitRootLogin no

sudo /etc/init.d/ssh restart

That's all. See you!

HOWTO : vsFTPd on Ubuntu Server 9.04

Your LAMP server requires an FTP server to upload files to the related directory.

Install the vsFTPd.

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install vsftpd

Edit the vsFTPd configuration file.

sudo nano /etc/vsftpd.conf

Change the settings as follows.

# If you allow anonymous login then
anonymous_enable=YES
# If you do not allow anonymous login then
#anonymous_enable=NO
local_enable=YES
write_enable=YES
# Users are allowed to walk around at his directory only
chroot_local_user=YES


If you are behind a firewall or router, the following settings should be implemented; append them to the end of the file.

pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=50000
pasv_max_port=50100
# If your server's IP address is 192.168.0.15
pasv_address=192.168.0.15

Make sure ports 20 and 21 are open on your firewall or router. Anonymous users can download files from the /home/ftp directory.

Restart vsFTPd.

sudo /etc/init.d/vsftpd restart


That's all. See you!

HOWTO : Secure Socket Layer (SSL) for LAMP on Ubuntu 9.04 Server

Enable the mod_ssl module.

sudo a2enmod ssl


Edit the default site, or copy it to another file for editing.

sudo nano /etc/apache2/sites-available/default

Add the following inside the <IfModule mod_rewrite.c> block.

RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]

Enable the default-ssl site.

sudo a2ensite default-ssl

Restart Apache to reload the settings and make them active.

sudo /etc/init.d/apache2 restart

That's all. See you!

Wednesday, July 8, 2009

HOWTO : Performance tuning of LAMP and Ubuntu 9.04 Server

Performance tuning of LAMP

Step 1:

To control bandwidth and allow faster CGI browsing, install the following modules.

sudo apt-get install libapache2-mod-bw libapache2-mod-fastcgi



Step 2 :

sudo a2enmod deflate

sudo nano /etc/apache2/conf.d/deflate.conf


Add the following lines to the file.

<IfModule mod_deflate.c>
   DeflateCompressionLevel 6
   AddOutputFilterByType DEFLATE text/plain
   AddOutputFilterByType DEFLATE text/html
   AddOutputFilterByType DEFLATE text/xml
   AddOutputFilterByType DEFLATE text/css
   AddOutputFilterByType DEFLATE application/xhtml+xml
   AddOutputFilterByType DEFLATE application/xml
   AddOutputFilterByType DEFLATE application/rss+xml
   AddOutputFilterByType DEFLATE application/atom_xml
   AddOutputFilterByType DEFLATE application/x-javascript
   AddOutputFilterByType DEFLATE application/x-httpd-php
   AddOutputFilterByType DEFLATE application/x-httpd-fastphp
   AddOutputFilterByType DEFLATE application/x-httpd-eruby
   AddOutputFilterByType DEFLATE image/svg+xml
   AddOutputFilterByType DEFLATE application/postscript
   <IfModule mod_headers.c>
      Header append Vary User-Agent
   </IfModule>
</IfModule>

sudo /etc/init.d/apache2 restart

Step 3 :

wget http://bart.eaccelerator.net/source/0.9.5.3/eaccelerator-0.9.5.3.tar.bz2

tar xvf eaccelerator-0.9.5.3.tar.bz2

sudo apt-get install build-essential php5-dev

cd eaccelerator-0.9.5.3
phpize
./configure
make
sudo make install

sudo mkdir /tmp/eaccelerator
sudo chmod 0777 /tmp/eaccelerator

Step 4 :

sudo nano /etc/php5/apache2/php.ini

Append the following lines at the end of the file.

extension="eaccelerator.so"
; shm_size default is 16, you may change to 64 or 128 depends on your RAM
eaccelerator.shm_size="16"
eaccelerator.cache_dir="/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="1"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="0"
eaccelerator.shm_prune_period="0"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"

sudo /etc/init.d/apache2 restart


Performance tuning of Ubuntu 9.04 Server

Step 5 :

sudo nano /etc/sysctl.conf


Append the following lines at the end of the file.

kernel.sem = 250 32000 100 128
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
# If you have more than 512MB RAM, use this setting (uncomment it and comment the setting just below)
#fs.file-max = 262140
# If you have 512MB RAM or less, use this setting
fs.file-max = 65535
vm.swappiness = 1
vm.vfs_cache_pressure = 50
vm.min_free_kbytes = 65536

net.core.rmem_default = 33554432
net.core.rmem_max = 33554432
net.core.wmem_default = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 10240 87380 33554432
net.ipv4.tcp_wmem = 10240 87380 33554432
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_mem = 786432 1048576 26777216
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_tw_buckets = 360000

sudo /sbin/sysctl -p


Step 6 :

sudo nano /etc/rc.local

Add the following lines before "exit 0".

echo 1024 > /sys/block/sda/queue/read_ahead_kb
echo 256 > /sys/block/sda/queue/nr_requests

*The above lines are for sda only.

Step 7 :

sudo nano /etc/fstab


Add "noatime" before "relatime". For example :

UUID=0e57987f-...... / ext3 noatime,relatime,errors=remount-ro 0 1

or

UUID=0e57987f-...... / ext4 noatime,relatime,errors=remount-ro 0 1


sudo mount -a


If there is no error message, you can now reboot your system.

That's all. See you!

Tuesday, July 7, 2009

HOWTO : Hardening your Apache and PHP on Ubuntu 9.04 Server

You have installed LAMP and OpenSSH on your Ubuntu 9.04 Server. The first thing to do is to harden it in order to avoid some kinds of attacks.

You can do the following steps at the console of your Ubuntu 9.04 Server or remotely via OpenSSH.

For OpenSSH, assuming your Ubuntu 9.04 Server is at 192.168.0.10 :

ssh 192.168.0.10 -l samiux


Step 1 :

To prevent someone from listing the files in your Apache directory, do the following.

sudo nano /etc/apache2/sites-available/default


Add a minus "-" in front of "Indexes" so that it looks like this :

<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>


Step 2 :

Enable the rewrite module of Apache.

sudo a2enmod rewrite


To avoid Cross-Site Tracing attacks, add the following lines within "<VirtualHost *:80>" :

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>


Step 3 :

To mitigate HTTP DoS, DDoS or brute force attacks, install this module.

sudo apt-get install libapache2-mod-evasive


Step 4 :

To screen out bad URL requests, such as /etc/shadow or MySQL injection, install the mod_security module. If you installed the amd64 (64-bit) version of Ubuntu Server, replace i386 with amd64 in the following commands.

wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/libapache-mod-security_2.5.9-1_i386.deb

wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/mod-security-common_2.5.9-1_all.deb

sudo dpkg -i libapache-mod-security_2.5.9-1_i386.deb mod-security-common_2.5.9-1_all.deb

Step 5 :

Do not allow any Apache or Ubuntu Server information to be printed on error pages.

sudo nano /etc/apache2/conf.d/security


Change the following lines as shown :

ServerTokens Prod
ServerSignature Off
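A check that Steps 1, 2 and 5 are actually in effect, added here as an example and not part of the original post. It greps a site file and the conf.d/security file for the directives above; the sample configurations it writes are constructed for the demonstration, and "TraceEnable off" (an Apache directive) is accepted as an alternative to the rewrite rule.

```shell
#!/bin/sh
# Added example, not from the original post: verifies that the Apache
# hardening from Steps 1, 2 and 5 is present in the given config files.
# Also accepts "TraceEnable off" as an alternative to the rewrite rule.

no_indexes()    { grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"; }
trace_blocked() {
    grep -qF '%{REQUEST_METHOD} ^(TRACE|TRACK)' "$1" ||
        grep -Eiq '^[[:space:]]*TraceEnable[[:space:]]+off' "$1"
}
tokens_prod()   { grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$1"; }
signature_off() { grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$1"; }

# Usage: audit_apache SITE_FILE SECURITY_FILE
# Prints one line per check; returns the number of failed checks.
audit_apache() {
    fails=0
    run_check() {
        if "$1" "$2"; then echo "ok   $1 ($2)"; else echo "FAIL $1 ($2)"; fails=$((fails + 1)); fi
    }
    run_check no_indexes "$1"
    run_check trace_blocked "$1"
    run_check tokens_prod "$2"
    run_check signature_off "$2"
    return $fails
}

# Constructed sample configs for the demonstration: the hardened pair
# follows the post; the default pair mimics the stock files before editing.
write_sample_configs() {
    cat > "$1/site.hardened" <<'EOF'
<VirtualHost *:80>
    <Directory /var/www/>
        Options -Indexes FollowSymLinks MultiViews
    </Directory>
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
    </IfModule>
</VirtualHost>
EOF
    printf 'ServerTokens Prod\nServerSignature Off\n' > "$1/security.hardened"
    printf '<Directory /var/www/>\n    Options Indexes FollowSymLinks MultiViews\n</Directory>\n' > "$1/site.default"
    printf 'ServerTokens OS\nServerSignature On\n' > "$1/security.default"
}

dir=$(mktemp -d)
write_sample_configs "$dir"
audit_apache "$dir/site.hardened" "$dir/security.hardened"
audit_apache "$dir/site.default" "$dir/security.default"
rm -rf "$dir"
```

Apache refuses to start on a misspelled directive name, so the check requires the exact spelling "ServerTokens".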

Step 6 :

Now it is time to harden PHP.

sudo nano /etc/php5/apache2/php.ini


Change the following lines as shown :

display_errors = Off
log_errors = On
allow_url_fopen = Off
safe_mode = On
expose_php = Off
enable_dl = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd


Step 7 :

Final step is to restart Apache server.

sudo /etc/init.d/apache2 restart

Step 8 :

sudo nano /etc/sysctl.conf

Uncomment the following line so that it looks like this.

#Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

Make the change active.

sudo /sbin/sysctl -p


That's all. See you!

Sunday, July 5, 2009

HOWTO : Install Ubuntu 9.04 Server

Introduction

Ubuntu is one of the most user-friendly Linux distributions in the world so far. Not only is its Desktop edition user-friendly, but so is its Server edition. The current version of the Ubuntu Desktop and Server editions is 9.04 at the time of this writing.

9.04 stands for a release in April 2009. The next version will be 9.10, that is, October 2009. Normally, a new version is released every April and October. However, there is an exception: 6.06, which was released in June 2006 due to delays in bug fixing.

Hardware requirements

I suggest you have at least a Pentium 4 CPU with 512MB RAM and a 40GB hard drive. For the minimum hardware requirements, please see the official site.

You can also install it on VMware, Linux KVM (Kernel-based Virtual Machine) or VirtualBox. It runs flawlessly on them.

Installation of Ubuntu 9.04 Server

Now I am going to talk about how to install Ubuntu Server 9.04. First of all, download Ubuntu 9.04 from the official site. Burn the .iso file as a disk image with your disc burning software, such as Nero (in Windows) or K3b (in Linux). Please do not extract the files from the .iso or just burn the file directly onto a CD-R.

I suggest changing the ext3 filesystem to ext4, as it is much faster and will be the next generation of the Linux default filesystem. Select LVM on the entire disk when asked. You will be asked to enter a user name and password. Please use a more complicated password that includes uppercase and lowercase letters, numbers and symbols. In addition, it should be longer than 8 characters.

At the end of the installation, you will be asked to select some servers to install, such as LAMP, mail server, OpenSSH, virtual machine, etc. If you want to build a web server, I suggest you select LAMP, mail server and OpenSSH. I assume you install LAMP, mail server and OpenSSH, as they will be discussed in my future tutorials.

Make sure you are connected to the internet while you are installing Ubuntu. The system will reboot after the install.

That's all. See you!