This will help us document the process for future installations and hopefully will help someone who needs something similar.
So the objective we are pursuing is:
Install a secure intranet server with the necessary tools for controlling the versioning of our source code, a continuous integration server that helps us automate the process of building, unit testing, releasing, reporting, etc.,
a repository for our libraries, builds and Maven artifacts that proxies the remote libraries, reducing the use of our internet access, and finally a repository for storing, in an indexed and ordered way accessible to all the developers,
designers, etc., the documentation, extra tools, example code, etc. Also, we are going to install a bug tracking system to have precise control over the issues, bugs and failures of all our software projects.
A secondary and extra objective is:
Creating a sample application on the NetBeans Platform using all the servers mentioned, to show how having these tools provides a rapid development, testing and deployment environment.
Prerequisites: nothing, we will be installing everything from scratch, from the operating system to the demo project.
Tools that we will use:
1. Of course a Linux distribution, in our case Debian Lenny. Why? It is easy, well documented, has a great package management system and we are already really used to it. The instructions provided could vary on, for example, Red Hat based
distributions, but the roots should be really similar: you know, changing apt for yum or rpm, finding configuration files in different paths, but nothing drastic.
2. SSH for remote access to our server.
3. Apache to host the documentation of our projects, javadocs and other interesting reports.
4. Subversion as source control versioning system.
5. Hudson will be the continuous integration server.
6. Nexus as Maven artifact repository.
7. Nuxeo as document repository.
8. MantisBT as bug tracking system.
9. PostgreSQL 8.3 as database server.
Index:
1.Installing and configuring the base system.
2.Installing and configuring the basic servers.
1.Installing and configuring the base system.
Ok, let's start. The first task is acquiring the net-install Debian Lenny image from this place:
http://www.debian.org/distrib/netinst
I prefer to download only the net-install, which contains the base system; all the extra software is fetched on demand after installation. Under "Small CDs" choose the correct image for your hardware.
Eg.
wget http://cdimage.debian.org/debian-cd/5.0.5/i386/iso-cd/debian-505-i386-netinst.iso
wget http://cdimage.debian.org/debian-cd/5.0.5/amd64/iso-cd/debian-505-amd64-netinst.iso
You can burn it on a CD and boot from it, but you can also load it on a USB pendrive and boot from that. This is really useful when your hardware doesn't have a CD-ROM drive available. To do this we need to
follow these steps:
CAUTION: This process will delete ALL the data on the USB pendrive.
1.- Download the boot.img.gz file from the /debian/dists/lenny/main/installer-i386/current/images/hd-media directory of any Debian mirror: http://www.debian.org/mirror/list
2.- Execute the following command with the pendrive unmounted:
zcat boot.img.gz >/dev/sdX
Note: if we get a "Permission denied" error we have to do the following:
sudo sh -c 'zcat ~/boot.img.gz > /dev/sdX'
Or this one
sudo chmod 666 /dev/sdX
(Replace sdX with the correct device name of the pendrive. To find out the device name run the fdisk -l command. Remember that only the name of the device is required here, so the partition
number is omitted.)
3.- Mount the pendrive and copy the .iso file that we previously downloaded to the root directory of the device. Yes, a simple copy of the .iso file.
4.- Make sure that the motherboard of the server is able to boot from a removable USB device.
5.- Insert the pendrive into a USB port of the server and start it. The Debian installer will be displayed. Follow the on-screen instructions and we are done.
(Note: in the rest of this post we assume that the non-root user created during the installation process has the username demoserveradministrator.)
Now that the base system is installed we need to take some steps before installing any program or server.
Log in as the user you created (not root), in this demo demoserveradministrator, and after that become root with the following command, providing the root password:
su
First of all, let's remove the line that points to the installation CD from our software repositories list; if you don't do this, every time you try to install software the apt-get command will ask you to insert
the first Debian CD. If that's not a problem for you, omit this step.
nano /etc/apt/sources.list
Comment out the line that points to the installation CD.
In addition to removing the CD repository line in the sources.list file, you can add more repositories. These work for us:
## Debian Stable (Lenny)
deb http://ftp.es.debian.org/debian/ stable main contrib non-free
deb-src http://ftp.es.debian.org/debian/ stable main contrib non-free
## Security updates
deb http://security.debian.org/ stable/updates main contrib
deb-src http://security.debian.org/ stable/updates main contrib
Save and exit.
apt-get update
Ok, our package database is up to date. Now let's change some parameters to enhance the security of the system.
apt-get install sudo
Now add demoserveradministrator to the sudoers file and give it all the privileges.
visudo
And add this line:
demoserveradministrator ALL=(ALL) ALL
Save the file and after that type:
exit
to stop impersonating root. Now run
sudo passwd -l root
to lock root.
Ok, what we did in the last lines was lock the root account. This means that from this point you can't log in to the server as "root" or use "su"; this is a healthy practice because if an attacker tries to break into our server,
the first thing he or she will try is breaking our root password, but if root is locked they will first need to work out which user name has root privileges. Warning: from this point on demoserveradministrator is just
like root, so choose a strong password and never create more than one user with the ALL=(ALL) ALL option; that would be worse than never installing sudo.
NOTE: To unlock root just type at any time:
sudo passwd root
and provide a new password for root.
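The two conditions the last steps establish (root locked, exactly one administrator with ALL=(ALL) ALL) are easy to drift away from as more people touch the server. The following POSIX sh script is an added example, not part of the original post: it audits a shadow-format file and a sudoers-format file and reports when either condition no longer holds. The sample files it writes are constructed for the demo; on a real host you would pass /etc/shadow and /etc/sudoers (both need sudo to read). Root's own default sudoers line is ignored in the count, since it is harmless once root is locked.

```shell
#!/bin/sh
# Added example (not from the original post): audit the "lock root, give
# exactly one user full sudo" state. Assumes POSIX sh and awk only.

# Exit 0 when the root entry in a shadow-format file has a locked password,
# i.e. field 2 starts with "!" or "*" (this is what "passwd -l root" does).
root_locked_in_shadow() {
    awk -F: '$1 == "root" && $2 ~ /^[!*]/ { ok = 1 }
             END { exit ok ? 0 : 1 }' "$1"
}

# Print how many non-root user entries grant unrestricted sudo:
# "user ALL=(ALL) ALL", "ALL=(ALL:ALL) ALL", or the NOPASSWD variant.
# Comment lines, %group entries and root's own default line are skipped.
count_full_sudo_users() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*%/ || $1 == "root" { next }
         $2 ~ /^ALL=\(ALL(:ALL)?\)$/ && ($3 == "ALL" || ($3 == "NOPASSWD:" && $4 == "ALL")) { n++ }
         END { print n + 0 }' "$1"
}

# Combined check: exit 0 only when root is locked AND exactly one
# administrator holds full sudo, which is what the post recommends.
audit_privileges() {
    shadow=$1; sudoers=$2
    if ! root_locked_in_shadow "$shadow"; then
        echo "FAIL: root is not locked in $shadow"; return 1
    fi
    n=$(count_full_sudo_users "$sudoers")
    if [ "$n" -ne 1 ]; then
        echo "FAIL: $n non-root users hold ALL=(ALL) ALL in $sudoers (want 1)"; return 1
    fi
    echo "OK: root locked, one full-sudo administrator"
}

# Constructed sample files (hashes are fake, not copied from any system) so
# the audit can be tried without touching /etc. Written into the given dir.
write_samples() {
    d=$1
    printf 'root:!$6$fakehash:18000:0:99999:7:::\ndemoserveradministrator:$6$fakehash:18000:0:99999:7:::\n' > "$d/shadow_locked"
    printf 'root:$6$fakehash:18000:0:99999:7:::\n' > "$d/shadow_open"
    printf '# /etc/sudoers\nroot ALL=(ALL) ALL\ndemoserveradministrator ALL=(ALL) ALL\n%%sudo ALL=(ALL) ALL\n' > "$d/sudoers_good"
    printf 'root ALL=(ALL) ALL\nalice ALL=(ALL) ALL\nbob ALL=(ALL:ALL) NOPASSWD: ALL\n' > "$d/sudoers_bad"
}

# Run with --demo to see one passing and two failing audits on the samples.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); write_samples "$tmp"
    audit_privileges "$tmp/shadow_locked" "$tmp/sudoers_good"
    audit_privileges "$tmp/shadow_open" "$tmp/sudoers_good" || true
    audit_privileges "$tmp/shadow_locked" "$tmp/sudoers_bad" || true
    rm -rf "$tmp"
fi
```

Run it as `sh audit.sh --demo` to exercise the constructed samples, or call `audit_privileges /etc/shadow /etc/sudoers` under sudo from a cron job so that a second ALL=(ALL) ALL user or an unlocked root gets noticed.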
Configure some network parameters:
The demo network topology...
## Here should be placed the diagram of the network##
This will be a dedicated server, so we really recommend you avoid using DHCP and set a static IP on the server.
nano /etc/network/interfaces
And comment out the iface eth0 inet dhcp line and replace it with your network preferences:
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
After that restart the network services.
sudo /etc/init.d/networking restart
At this stage you should test the static configuration by pinging some host inside your intranet and some on the internet. If everything is all right, proceed.
Next, we will install a firewall. This computer will be used as an intranet server, but that doesn't mean you should not install a firewall: it is easy, quick and really makes your server more secure. This configuration
depends a lot on your intranet network topology; anyway, I will give an example using this simple network topology.
sudo apt-get install shorewall
Enable shorewall at startup.
sudo nano /etc/default/shorewall
and change the value of the startup variable to 1
startup=1
Now copy the example configuration files to use them as templates:
cp /usr/share/doc/shorewall-common/default-config/zones /etc/shorewall/
cp /usr/share/doc/shorewall-common/default-config/interfaces /etc/shorewall/
cp /usr/share/doc/shorewall-common/default-config/hosts /etc/shorewall/
cp /usr/share/doc/shorewall-common/default-config/policy /etc/shorewall/
cp /usr/share/doc/shorewall-common/default-config/rules /etc/shorewall/
And modify /etc/shorewall/zones:
sudo nano /etc/shorewall/zones
Uncomment the fw zone if it is commented and add these two zones after fw:
fw firewall
net ipv4
loc ipv4
Save and exit, now modify the interfaces file:
sudo nano /etc/shorewall/interfaces
Add the single network interface to the file:
- eth0 detect dhcp,tcpflags,logmartians,nosmurfs,blacklist
Save and exit, now modify the hosts file (the /24 mask makes the entry cover the whole intranet subnet, not a single host):
loc eth0:192.168.1.0/24
Save and exit, now modify the policy file:
fw all ACCEPT info
all all REJECT info
Save and exit, now modify the rules file:
Ping/ACCEPT loc $FW
ACCEPT loc $FW tcp 80
ACCEPT loc $FW tcp 54352
ACCEPT loc $FW tcp 8080
ACCEPT loc $FW tcp 21
##Add the ports missing#
Now the moment of truth, run:
sudo /etc/init.d/shorewall start
If you have a typo in a file the startup will fail and you should check the shorewall init log to find the error.
tail /var/log/shorewall_init.log
Ok, now a brief description of what we did in the last lines:
1. In the zones file we defined three zones: one for the firewall, one (net) for the internet and any subnet that does not belong to our intranet, and loc for our local network or intranet.
2. In interfaces we told shorewall that we have only one interface and that all the zones are reachable through that single eth0 interface.
3. In the hosts file we provided the subnet that covers our intranet.
4. In policy we told shorewall that the server can access the internet and the intranet, but nothing outside the firewall may access the server. (This could look like an error: how are our intranet
users supposed to access the services hosted on the server? Don't worry, we add some exceptions in the next file.)
5. Finally, in rules we provide some exceptions (all for the intranet users). For example, we permit pings coming from the intranet, we opened port 80 to access Apache, etc.
A small parenthesis:
Which ports will we be using?
80 for APACHE
54352 for SSH
21 for FTP
#Add the ports missing#
Testing the configuration:
After starting the firewall, if the configuration is OK you should be able to:
1. Ping from the server to any place on earth.
2. Ping from the intranet (192.168.1.X) to the server.
3. Access one of the ports configured in the rules file from the intranet. (This will not work until a server is listening on one of those ports, be patient.)
After starting the firewall you should not be able to:
1. Ping from any other subnet that is not 192.168.1.X, obviously internet included.
2. Access any other port that is not listed in rules from any place, including the intranet itself.
Once again, the configuration of shorewall depends a lot on your network topology, but it is a really easy firewall and there are tons of documentation about it on the net, so for the firewall configuration we are done.
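Because the rules file still has an "add the ports missing" TODO, it helps to generate the five Shorewall files from one list of ports and to compare that list with the services you actually run. The script below is an added example, not part of the original post: it reproduces the post's zone layout (fw, net, loc on a single interface, default REJECT, Ping and tcp exceptions from loc to $FW) in the Shorewall 4 file formats used above. The interface name, subnet and port list are parameters; write into a scratch directory first and copy into /etc/shorewall once `shorewall check` is clean.

```shell
#!/bin/sh
# Added example (not from the original post): generate the Shorewall files
# described above from parameters, and check the rules against a port list.
# Assumes POSIX sh/awk and the Shorewall 4.x file layout used in the post.

# write_shorewall_config DIR IFACE LAN_CIDR PORT [PORT...]
write_shorewall_config() {
    dir=$1; iface=$2; lan=$3; shift 3
    mkdir -p "$dir"
    printf '#ZONE\tTYPE\nfw\tfirewall\nnet\tipv4\nloc\tipv4\n' > "$dir/zones"
    # "-" as zone: the single interface carries several zones, resolved via hosts
    printf '#ZONE\tINTERFACE\tBROADCAST\tOPTIONS\n-\t%s\tdetect\tdhcp,tcpflags,logmartians,nosmurfs,blacklist\n' \
        "$iface" > "$dir/interfaces"
    printf '#ZONE\tHOST(S)\nloc\t%s:%s\n' "$iface" "$lan" > "$dir/hosts"
    # Default deny: only the firewall itself may initiate connections
    printf '#SOURCE\tDEST\tPOLICY\tLOG\nfw\tall\tACCEPT\tinfo\nall\tall\tREJECT\tinfo\n' > "$dir/policy"
    {
        printf '#ACTION\tSOURCE\tDEST\tPROTO\tDEST PORT(S)\n'
        printf 'Ping/ACCEPT\tloc\t$FW\n'
        for p in "$@"; do
            printf 'ACCEPT\tloc\t$FW\ttcp\t%s\n' "$p"
        done
    } > "$dir/rules"
}

# Print, one per line and sorted, the tcp ports a rules file accepts from loc to $FW.
rules_tcp_ports() {
    awk '$1 == "ACCEPT" && $2 == "loc" && $3 == "$FW" && $4 == "tcp" { print $5 }' "$1" | sort -n
}

# missing_rule_ports RULES PORT [PORT...]: name every port of the list that has
# no ACCEPT rule, exit 1 if any is missing. Feed it the ports your daemons
# listen on (e.g. from "netstat -lnt") to catch the "ports missing" TODO.
missing_rule_ports() {
    rules=$1; shift; rc=0
    for p in "$@"; do
        if ! rules_tcp_ports "$rules" | grep -qx "$p"; then
            echo "missing rule for tcp/$p"; rc=1
        fi
    done
    return $rc
}

# Run with --demo: writes the post's configuration into a temp dir and shows
# a port (5432, PostgreSQL's default) that the rules do not yet open.
if [ "${1:-}" = "--demo" ]; then
    out=$(mktemp -d)
    write_shorewall_config "$out" eth0 192.168.1.0/24 80 54352 8080 21
    cat "$out/rules"
    missing_rule_ports "$out/rules" 80 54352 8080 21 5432 || true
    rm -rf "$out"
fi
```

Keeping the port list in one place means that when a new service (Hudson, Nexus, PostgreSQL) is installed later, `missing_rule_ports` tells you exactly which rule is absent instead of leaving you to guess why the intranet cannot reach it.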
Ok, administering the server locally is painful, so let's install SSH to access the server from our personal computer.
sudo apt-get install ssh
Change port 22 to 54352; using a port other than the default increases the security of the server. Disable X11 forwarding: the command line is just enough and, once again, limiting access to the command line improves the server security.
Disable root access (this could be skipped because we locked root some steps above, but it will not hurt), allow remote access only to demoserveradministrator, and enable the welcome banner for SSH sessions. To do all that
you should have these lines in sshd_config.
sudo nano /etc/ssh/sshd_config
Port 54352
X11Forwarding no
PermitRootLogin no
AllowUsers demoserveradministrator
Banner /etc/issue.net
Save and exit, and now modify the access banner with a nice scarecrow message and usage contract:
sudo nano /etc/issue.net
""""""""""""""""WARNING"""""""""""""""""""""
You are logging in to a server of YOURCOMPANY. If
you reached this terminal by error,
log off immediately... etc... etc... more and
more messages....
Restart the SSH server:
sudo /etc/init.d/ssh restart
Done... now try accessing it using PuTTY or a Linux terminal with an SSH client from your intranet, using a command like:
ssh 192.168.1.10 -l demoserveradministrator -p 54352
If you followed the steps you should log in to the server and see the scary welcome message.
Almost done!! One more server and we finish the base system installation!
Having an FTP server is always useful; you can copy files using SSH, but when you want to copy tons of files this can become tiring. We will install ProFTPD, an FTP server for Linux systems
with a really easy configuration.
sudo apt-get install proftpd
This will prompt a configuration wizard. Select the initd configuration (but remember we are not installing the FTP server to provide an FTP service to our users; we are installing it to give the administrator
a comfortable way of uploading and downloading files to and from the server).
Now configure the server:
sudo nano /etc/proftpd/proftpd.conf
1. Disable IPv6
2. Change the server name to Demo Development Server
3. Jail the users in their home directories to increase security
4. Once again add the scarecrow message
5. Add some tweaks to the FTP listing behaviour.
UseIPv6 off
ServerName "Demo Development Server"
DefaultRoot ~
DisplayLogin /etc/issue.net
# Tweaks to the ftp listing behaviour
IdentLookups off
UseReverseDNS off
ListOptions "" maxdepth 3
ListOptions "" maxdirs 10
ListOptions "" maxfiles 1000
AllowOverride off
Now, restart the service:
sudo /etc/init.d/proftpd restart
And try logging in from your intranet to the FTP server using an FTP client like FileZilla.
Or using a web browser:
ftp://demoserveradministrator:password@192.168.1.10
PLUS: navigating in console mode can be easier if you enable bash colors. To do that just edit /home/demoserveradministrator/.bashrc and uncomment the force_color_prompt line.
Congratulations, you now have a secured (you could tweak the security a lot more, but this will be an intranet server, so this should be enough), accessible, fast and reliable Debian Linux base system.
2.Installing and configuring the basic servers.
The first server we are going to install is the Apache web server.
sudo apt-get install apache2
To avoid sending version info of our server to the clients we need to open /etc/apache2/apache2.conf and modify or add these lines:
ServerSignature Off
ServerTokens Prod
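The sshd_config edits above (Port, X11Forwarding, PermitRootLogin, AllowUsers, Banner) and these two Apache directives are the kind of settings that a later package upgrade or a colleague's edit can quietly revert. The POSIX sh script below is an added example, not part of the original post: it reads the effective value of a directive from a config file and audits both files against the values the post prescribes. One caveat it handles: sshd uses the first occurrence of a directive, while Apache uses the last one, so the reader takes a mode argument. The sample files it writes are constructed; on the server you would point it at /etc/ssh/sshd_config and /etc/apache2/apache2.conf.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config and
# apache2.conf for the hardening directives set in this post.
# Assumes POSIX sh and awk only.

# directive_value FILE NAME [first|last]: print the effective value of NAME.
# sshd_config keeps the FIRST active occurrence (default); Apache keeps the
# LAST, so pass "last" for apache2.conf. Comments are skipped, names are
# matched case-insensitively, and nothing is printed if NAME is absent.
directive_value() {
    file=$1; name=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); mode=${3:-first}
    awk -v want="$name" -v mode="$mode" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == want {
            val = $2; for (i = 3; i <= NF; i++) val = val " " $i
            if (mode == "first") { print val; exit }
            last = val; found = 1
        }
        END { if (mode != "first" && found) print last }' "$file"
}

# check_directive FILE NAME EXPECTED [MODE]: report OK/FAIL, exit 1 on FAIL.
check_directive() {
    got=$(directive_value "$1" "$2" "${4:-first}")
    if [ "$got" = "$3" ]; then
        echo "OK   $2 = $3 ($1)"
    else
        echo "FAIL $2: want '$3', got '${got:-<unset>}' ($1)"; return 1
    fi
}

# The five sshd settings prescribed in the post.
audit_sshd() {
    rc=0
    check_directive "$1" Port 54352 || rc=1
    check_directive "$1" X11Forwarding no || rc=1
    check_directive "$1" PermitRootLogin no || rc=1
    check_directive "$1" AllowUsers demoserveradministrator || rc=1
    check_directive "$1" Banner /etc/issue.net || rc=1
    return $rc
}

# The two Apache settings that stop version disclosure (last occurrence wins).
audit_apache() {
    rc=0
    check_directive "$1" ServerSignature Off last || rc=1
    check_directive "$1" ServerTokens Prod last || rc=1
    return $rc
}

# Constructed sample files for trying the audit without touching /etc.
write_samples() {
    d=$1
    cat > "$d/sshd_config.default" <<'EOF'
# Constructed sample resembling a stock sshd_config (not a real file)
Port 22
Protocol 2
PermitRootLogin yes
X11Forwarding yes
EOF
    cat > "$d/sshd_config.hardened" <<'EOF'
# Constructed sample after the edits described in the post
#Port 22
Port 54352
Protocol 2
X11Forwarding no
PermitRootLogin no
AllowUsers demoserveradministrator
Banner /etc/issue.net
EOF
    cat > "$d/apache2.conf" <<'EOF'
# Constructed sample: Apache keeps the LAST occurrence of a directive
ServerTokens Full
ServerSignature On
ServerTokens Prod
ServerSignature Off
EOF
}

# Run with --demo to audit the samples (one failing, two passing).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); write_samples "$tmp"
    audit_sshd "$tmp/sshd_config.default" || true
    audit_sshd "$tmp/sshd_config.hardened"
    audit_apache "$tmp/apache2.conf"
    rm -rf "$tmp"
fi
```

The first-versus-last distinction is the part worth remembering: a stray `Port 22` left above your `Port 54352` line silently wins in sshd, while in Apache it is a `ServerTokens Full` placed after `ServerTokens Prod` that undoes the hardening.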
Now let's create a webmaster user (the name the following steps use), with a home directory and a password so it can log in over FTP:
sudo useradd -m webmaster
sudo passwd webmaster
We need to change the Apache document root to the www folder of the webmaster user.
sudo nano /etc/apache2/sites-available/default
Change the DocumentRoot from /var/www/ to /home/webmaster/www/ and do the same in the Directory block.
Now open your FTP client (FileZilla for example) and log in to the server using the webmaster user. Create a www folder in the webmaster home directory and inside www put an index.html file with your welcome homepage.
Restart the apache service:
sudo /etc/init.d/apache2 restart
Now from any host in your intranet you can see the welcome homepage using a web browser.
At this point we have a basic Apache web server. To make it more useful we need to install the PHP environment, to allow our server to serve dynamic content sites. Let's do the
following:
sudo apt-get install php5 php5-pgsql php5-gd
The last command will install the PHP 5 distribution and a connector module to a PostgreSQL database server. The "php5" package makes the configuration needed between the Apache server and the PHP
distribution automatically, so we don't need to do anything more here.