
April 7th, 2008

Setting up your first server

If you’re new to server management but use the terminal on GNU/Linux from time to time, this guide should help you get started with your own server.

Unless you have good reasons to use another GNU/Linux distribution, I recommend installing Debian: it has a huge catalogue of ready-to-install packages, it is very stable, and it is perhaps the distribution with the most tutorials around.

Please note that this is a very basic tutorial and that it has only been tested on Debian.

Connect to your server

First of all, log in as root:
ssh root@123.123.123.123 # where 123.123.123.123 is your server's IP address

Some hosting providers disable SSH root access; in that case, replace root with your user name. Once you are logged in, become root:

su -

Update your system

aptitude update
aptitude upgrade
aptitude dist-upgrade

Add your user

If your hosting provider disables root access, you already have an unprivileged account, so you can skip this step.

adduser emacs

Replace emacs with VI VI VI if you don’t believe in Saint IGNUcius.

Sudo setup

sudo is a very useful utility, and I recommend using it instead of working in a root shell.

First, let’s install it:

aptitude install sudo

Then add your user to the list of sudoers: run visudo and append the following line at the end of the file (always use visudo rather than editing /etc/sudoers directly, because it checks the syntax before saving, and a broken sudoers file locks everyone out of sudo):

emacs ALL=(ALL) ALL

Now become your own user again (the dash gives you a login shell, so your environment is set up as if you had logged in directly):

su - emacs

Public key ssh authentication

At this point you should set up public key ssh authentication, because the next section disables password logins altogether; there’s a great tutorial at ammonlauritzen.com. Whatever method you follow, confirm that you can log in with your key before you touch the SSH daemon’s configuration.
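As an added example (my code, not from the original post or the linked tutorial), here is a small POSIX shell helper that installs a public key the way the manual steps of such tutorials do, and gets right the part that most often locks people out: sshd, with its default StrictModes yes, silently ignores ~/.ssh/authorized_keys when the directory or the file is group- or world-writable. The function names, the explicit home-directory parameter and the sample key in the comments are assumptions of mine, chosen so the code can be exercised against a scratch directory; on the server you would run it as root with the user’s real home directory and the .pub file generated on your own machine with ssh-keygen.

```shell
#!/bin/sh
# Added example, not from the original post. Install an OpenSSH public key
# into a user's ~/.ssh/authorized_keys with the modes that sshd (StrictModes
# yes, the default) insists on. The home directory is a parameter (an
# assumption of this example) so the function can run against a scratch dir.
#
# On your own machine:  ssh-keygen -t ed25519      (writes ~/.ssh/id_ed25519.pub)
# On the server, as root (assumed user and group "emacs", as Debian's adduser
# creates them):
#   install_authorized_key /home/emacs "$(cat id_ed25519.pub)"
#   chown -R emacs:emacs /home/emacs/.ssh

install_authorized_key() {
    home="$1"
    pubkey="$2"
    ssh_dir="$home/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Only accept something shaped like an OpenSSH public key line.
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # A group/world-writable .ssh or authorized_keys is ignored by sshd, which
    # with PasswordAuthentication off means a locked-out account. Force the
    # modes rather than trusting the current umask.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Idempotent: add the key only if this exact line is not already present.
    if grep -qxF -- "$pubkey" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# Returns 0 when the directory and file modes are the ones sshd accepts.
check_authorized_keys_layout() {
    home="$1"
    [ "$(stat -c %a "$home/.ssh")" = 700 ] || return 1
    [ "$(stat -c %a "$home/.ssh/authorized_keys")" = 600 ] || return 1
}
```

The duplicate check matters less for security than for hygiene, but the mode fixing is the real point: a key pasted in with a loose umask looks installed and still gets you refused, and with password logins disabled there is no second chance.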

Configuring the SSH daemon

Open /etc/ssh/sshd_config with your favorite text editor, say:

sudo nano /etc/ssh/sshd_config

And make sure the following lines are set this way; if a directive is missing or set differently, add or modify it accordingly:
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
UsePAM no
AllowUsers emacs # separate two or more usernames by spaces

Two caveats. Debian ships with UsePAM yes; if you prefer to keep it, also set ChallengeResponseAuthentication no, otherwise sshd can still take a password through PAM’s keyboard-interactive method despite PasswordAuthentication no. And double-check that every account you log in with is listed in AllowUsers: anyone not on that list is refused even with a valid key.

Finally, apply your modifications:
sudo /etc/init.d/ssh reload

Don’t log out yet: we need to check that you can still access your server via ssh (that is, that you didn’t break anything in /etc/ssh/sshd_config). Your current session is the only guaranteed way back in, so keep it open and try to log in from a second terminal:
ssh emacs@123.123.123.123

If you can log in, the configuration is fine and you may close the second session. If not, go back to the first session, check your modifications and try again.

Setting up a basic firewall

We are going to set up a very basic firewall with the powerful netfilter/iptables. For this step you need to be root:
sudo -s

First, save the current iptables rules, so you can put them back if something goes wrong with ours:
iptables-save > /etc/iptables.conf.old

Now create the file /etc/iptables.conf with the following contents:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# anything on the loopback interface is fine
-A INPUT -i lo -j ACCEPT
# drop packets that do not belong to any known connection
-A INPUT -m state --state INVALID -j DROP
# allow replies to connections this machine started, and existing sessions
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# this is the port used by the SSH daemon; add one such line per open port
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# allow ping (ICMP echo request)
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log what is about to be rejected, rate-limited so the log cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# reject everything else; the ACCEPT lines must stay above these
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# this machine is not a router
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT

Please pay attention to this line:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

You need a similar line for every port that should be reachable from the Internet. That is, if you run a web server, copy that line and replace 22 with 80 (or whichever port the service listens on):
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Put the new line right next to the SSH one, above the LOG and REJECT rules: iptables walks the chain from top to bottom and stops at the first match, so an ACCEPT placed below the REJECT lines is never reached. This is how you “enable” ports.
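To make the “one ACCEPT per port, above the REJECT lines” rule mechanical, here is an added example (my code, not the post’s) of two shell functions: gen_rules writes a rule set equivalent to the one above for a list of TCP ports, and check_rules inspects an existing rule file for the two mistakes that lock you out of a remote machine, a missing ACCEPT for the SSH port and an INPUT ACCEPT placed after the first LOG/REJECT rule, where it never matches. The function names and the file-path and port parameters are assumptions of mine; the rules themselves mirror the post’s.

```shell
#!/bin/sh
# Added example, not from the original post. gen_rules emits a rule set
# equivalent to the one above for a list of TCP ports; check_rules looks for
# the two mistakes that lock you out of a remote machine. Function names and
# the file/port parameters are this example's own choices.

# usage: gen_rules "22 80 443" > /etc/iptables.conf
gen_rules() {
    ports="$1"   # space-separated TCP ports to open, e.g. "22 80"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # Rules are matched top to bottom: the per-port ACCEPTs go here, above
    # the LOG/REJECT tail, or they are never reached.
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    printf '%s\n' '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    printf '%s\n' '-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-proto-unreachable'
    printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# usage: check_rules /etc/iptables.conf 22   (exit 0 = safe to load remotely)
check_rules() {
    file="$1"
    ssh_port="${2:-22}"
    rc=0
    # 1. Is the SSH port accepted at all? Without it, only the session you
    #    are in (kept alive by the ESTABLISHED rule) survives the load.
    if ! grep -q -- "^-A INPUT .*--dport $ssh_port -j ACCEPT" "$file"; then
        echo "$file: no INPUT ACCEPT for tcp/$ssh_port; loading this locks you out" >&2
        rc=1
    fi
    # 2. Any INPUT ACCEPT after the first LOG/REJECT rule is dead: the packet
    #    has already been rejected by the time it would be consulted.
    first_deny=$(grep -nE -- '^-A INPUT .*-j (LOG|REJECT)' "$file" | head -n 1 | cut -d: -f1)
    if [ -n "$first_deny" ]; then
        dead=$(grep -nE -- '^-A INPUT .*-j ACCEPT' "$file" | awk -F: -v d="$first_deny" '$1 > d')
        if [ -n "$dead" ]; then
            printf '%s\n' "$file: INPUT ACCEPT rules below the first LOG/REJECT rule never match:" "$dead" >&2
            rc=1
        fi
    fi
    return "$rc"
}
```

Run check_rules against the file before iptables-restore, from the session you intend to keep open. On current kernels the preferred spelling of the connection-tracking match is -m conntrack --ctstate, but iptables still accepts -m state as written here.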

Then load the configuration (and don’t log out until you have tested it!):
iptables-restore < /etc/iptables.conf

Testing the rules

To test the rules, open another terminal and try to access your server:

ssh emacs@123.123.123.123

If you can log in, the rules are OK. If not, your original session should still be connected (the RELATED,ESTABLISHED rule lets it through even when the SSH port itself is not opened), so use it to put the old rules back until you find help:
iptables-restore < /etc/iptables.conf.old

Loading the rules when the server starts

If the rules we defined work, the firewall should be loaded whenever the server starts; otherwise the machine boots unprotected until you log in and load them by hand:

Create the file /etc/network/if-pre-up.d/iptables with the following contents:
#!/bin/sh
# Restore the saved rule set before any network interface is brought up,
# so there is no window with interfaces up and no firewall.
/sbin/iptables-restore < /etc/iptables.conf

Then make it executable:
chmod +x /etc/network/if-pre-up.d/iptables

We can now go back to our normal user:
exit

Your server is ready!

At this point, you are ready to start installing applications on your brand-new server!

What’s next?


About the author: you’re visiting the technical blog of Gustavo Narea, a Software Developer based in Oxford.