Malcom:UbuntuServer
From SubfireWiki
Ubuntu Server Setup
Setting up my old machine as a server.
- Kernel: Linux malcom 2.6.12-10-386 #1 Thu Dec 22 11:37:10 UTC 2005 i686 GNU/Linux
- OS: Ubuntu - Breezy Badger - 5.10
apache2
apt-get install apache2 apache2-doc
HTTPS
Take a looksie at: http://localhost/manual/ssl/
- To generate a pem (cert) file issue this command (answer the questions):
- sudo apache2-ssl-certificate
- Listen to port 443, /etc/apache2/ports.conf:
- Listen 80
- Listen 443
- sites-available files:
- sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
- sudo ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl
- Make sure the /etc/apache2/sites-enabled/ssl file looks something like:
- NameVirtualHost *:443
- <VirtualHost *:443>
- Finally, I added the following two lines to /etc/apache2/sites-enabled/ssl:
- SSLEngine On
- SSLCertificateFile /etc/apache2/ssl/apache.pem
- Restart apache2:
- sudo /etc/init.d/apache2 restart
NFS
Install the packages:
sudo apt-get install nfs-common nfs-kernel-server
Configure the share:
System -> Administration -> Shared Folder
- For allowed hosts I chose: 'Hosts in the eth0 network'
Add something like this to the client's /etc/fstab:
192.168.0.100:/share /nfs/share nfs user,ro,intr,soft,rsize=8192 0 0
I'd advise only using the 'ro' option, instead of 'rw', because of NFS security concerns.
CUPS
CUPS is the way to go for printer sharing.
To let others access your printers, edit /etc/cups/cupsd.conf and replace the 127.0.0.1 line with 'Port 631':
#Listen 127.0.0.1:631
Port 631
You need to authorize certain IPs, too:
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.1.*
</Location>
Client config:
System -> Administration -> Printing
Global Settings -> Detect LAN Printers
Security and Hardening
- http://www.debian.org/doc/manuals/securing-debian-howto/ap-harden-step.en.html
- http://www.debian.org/doc/manuals/securing-debian-howto/
- UserDocumentation has a 'security' section that looks pretty good.
iptables
First take a look at the current setup:
sudo iptables -L
Then make sure the policies (default rules) are what we want:
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
If everything is OK, let's start adding some rules:
sudo iptables -A INPUT -p tcp -i eth0 --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
sudo iptables -A INPUT -j ACCEPT -i lo -s 127.0.0.1
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp -i eth0 --dport 631 -j ACCEPT
- Allow ssh from everywhere
- Allow https from everywhere
- Accept all localhost.localdomain to anywhere
- All currently connected services
- Let the IPP in (CUPS - printing)
- Drop everything else
For NFS, do something like this, before the DROP (all):
sudo iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 4000:4003 -j ACCEPT
sudo iptables -A INPUT -p udp -i eth0 -s 192.168.0.0/24 --dport 4000:4003 -j ACCEPT
sudo iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 2049 -j ACCEPT
sudo iptables -A INPUT -p udp -i eth0 -s 192.168.0.0/24 --dport 2049 -j ACCEPT
sudo iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 111 -j ACCEPT
sudo iptables -A INPUT -p udp -i eth0 -s 192.168.0.0/24 --dport 111 -j ACCEPT
For Samba do something like this:
sudo iptables -A INPUT -p tcp --syn -s 192.168.0.0/24 --destination-port 139 -j ACCEPT
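The rules from this section gathered into one script, as an added example that is not from the wiki page: it puts the ESTABLISHED,RELATED and loopback rules in before the INPUT policy is switched to DROP, so running it over ssh does not cut off the session midway, and it limits IPP to the LAN where the page opens it to any source on eth0. IPT, LAN and WAN_IF are assumed names (not on the page) that can be overridden; IPT=echo previews the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the wiki page): the INPUT rules from this section,
# applied in an order that keeps the ssh session running the script alive.
# Assumed, overridable names: IPT (set IPT=echo to preview instead of apply),
# LAN (the trusted subnet) and WAN_IF (the interface the rules bind to).
IPT="${IPT:-sudo iptables}"
LAN="${LAN:-192.168.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"

apply_rules() {
    # Reset INPUT while its policy is still ACCEPT, so flushing cannot cut us off.
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
    # Established traffic and loopback first; the page adds these after ssh/https.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Open to any source on the interface, as on the page: ssh and https.
    $IPT -A INPUT -p tcp -i "$WAN_IF" --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp -i "$WAN_IF" --dport 443 -j ACCEPT
    # LAN only. IPP/CUPS is limited to the LAN here (the page opens it to all);
    # 111 (portmapper), 2049 (nfsd) and 4000:4003 (the range the page allows
    # for NFS, assumed to be its pinned helper daemons) need both tcp and udp.
    $IPT -A INPUT -p tcp -i "$WAN_IF" -s "$LAN" --dport 631 -j ACCEPT
    for port in 111 2049 4000:4003; do
        $IPT -A INPUT -p tcp -i "$WAN_IF" -s "$LAN" --dport "$port" -j ACCEPT
        $IPT -A INPUT -p udp -i "$WAN_IF" -s "$LAN" --dport "$port" -j ACCEPT
    done
    # Samba, new connections only, as on the page.
    $IPT -A INPUT -p tcp --syn -i "$WAN_IF" -s "$LAN" --dport 139 -j ACCEPT
    # Only now switch the default policies; anything unmatched above is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Usage: "sh firewall.sh apply" runs the rules; anything else only previews them.
if [ "${1:-preview}" = "apply" ]; then
    apply_rules
else
    IPT=echo
    apply_rules
fi
```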

