Setting up your first server

If you’re new to server management and use the terminal on GNU/Linux from time to time, this guide will hopefully come in handy for you to get started with your own server.

Unless you have good reasons to use another GNU/Linux distribution, I recommend that you install Debian. It has a lot of ready-to-install applications, is very stable, and is perhaps the distribution with the most tutorials around.

Please note that this is a very basic tutorial and has only been tested on Debian.

Connect to your server

First of all, log in as root:
ssh root@123.123.123.123 # where 123.123.123.123 is your server's IP address

Some hosting providers disable ssh root access, so you will need to replace root with your user name. If this is the case, after you log in you should become root:

su -

Update your system

aptitude update
aptitude upgrade
aptitude dist-upgrade

Add your user

If your hosting provider disables root access, then you should skip this step.

adduser emacs

Replace emacs with VI VI VI if you don’t believe in Saint IGNUcius.

Sudo setup

sudo is a very useful utility, and I recommend that you use it.

First, let’s install it:

aptitude install sudo

Then we add your user to the list of sudoers by running visudo and adding the following line at the end of the file:
emacs ALL=(ALL) ALL

Now you become yourself:

su - emacs

Shared key ssh authentication

At this point you should set up shared key (public key) ssh authentication, and for that there’s a great tutorial at ammonlauritzen.com. Get it working before you continue: the next step turns off password logins.

Configuring the SSH daemon

Open /etc/ssh/sshd_config with your favorite text editor, say:

sudo nano /etc/ssh/sshd_config

And make sure the following lines are set this way; if not, add or modify them accordingly:
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
UsePAM no
# separate two or more usernames by spaces
AllowUsers emacs

Finally, apply your modifications:
sudo /etc/init.d/ssh reload

Don’t log out yet: we need to check that you will still be able to access your server via ssh (that is, that you didn’t break anything in the /etc/ssh/sshd_config file). To check that everything is OK, open a second terminal and try to log in:
ssh emacs@123.123.123.123

If you’re able to log in, then it’s well configured and you may close the second session. If not, then you should check your modifications and try again.
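
A way to check the edited file itself, as an added example that is not part of the original post: the script below reads an sshd_config and reports every setting from the list above that is missing or different. It assumes a single file with no Include directives and looks only at the global section; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes no Include files and
# audits only the global section (lines before the first Match block).

# Print the arguments of the first occurrence of keyword $2 in file $1.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == want {               # keywords are case-insensitive
            $1 = ""; sub(/^[ \t]+/, "")     # keep only the arguments
            print; exit                     # sshd uses the first value it reads
        }' "$1"
}

# Return 0 only if every setting from the tutorial is explicitly present.
audit_sshd_config() {
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no \
                X11Forwarding:no UsePAM:no; do
        key=${pair%%:*}; expected=${pair#*:}
        actual=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$actual" != "$expected" ]; then
            echo "FAIL $key: expected '$expected', found '${actual:-unset}'"
            rc=1
        fi
    done
    if [ -z "$(sshd_effective "$1" AllowUsers)" ]; then
        echo "FAIL AllowUsers: not set, so no user allow-list is in force"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the second PasswordAuthentication line is ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
passwordauthentication no
PasswordAuthentication yes
X11Forwarding no
UsePAM no
AllowUsers emacs
EOF
audit_sshd_config "${1:-$sample}" && echo "sshd_config matches the tutorial"
rm -f "$sample"
```

Pass /etc/ssh/sshd_config as the first argument to audit the real file; on the server, sudo sshd -t additionally checks it for syntax errors before you reload.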

Setting up a basic firewall

We are going to set up a very basic firewall with the powerful netfilter/iptables. For this step you need to be root:
sudo -s

First, store the current iptables rules, in case something goes wrong with ours:
iptables-save > /etc/iptables.conf.old

Now, create the file /etc/iptables.conf and add the following contents:
# boring stuff for someone new to server administration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [495:60715]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# this is the port used by the SSH daemon
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT

Please pay attention to this line:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

You should use a similar line for every port that you want to be accessible from the Internet. That is, if you have a webserver, you should copy that line but replace “22” with “80” (or any other port):
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

This is how you “enable” ports.
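
Where the new line goes matters: iptables checks rules from top to bottom, so an ACCEPT placed below the REJECT lines is never reached. The added example below (not part of the original post) lists the TCP ports a rules file really opens and checks that SSH is among them before you load it; it assumes a file containing only the *filter table, and the function names and sample ruleset are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the file holds only the
# *filter table in iptables-save format, as in the ruleset above.

# Print TCP ports that INPUT accepts from any source, reading rules in order
# and stopping at the first unconditional REJECT/DROP that covers TCP.
open_tcp_ports() {
    awk '
    $1 != "-A" || $2 != "INPUT" { next }
    {
        proto = ""; dport = ""; target = ""; other = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(++i)
            else if ($i == "--dport") dport = $(++i)
            else if ($i == "-j") { target = $(++i); break }
            else if ($i == "-m" && $(i + 1) == proto) i++   # "-m tcp" adds no condition
            else other = 1                                   # any other match narrows the rule
        }
        if (other) next
        if (dport == "" && (proto == "" || proto == "tcp") &&
            (target == "REJECT" || target == "DROP")) exit  # later rules are unreachable
        if (proto == "tcp" && dport != "" && target == "ACCEPT") print dport
    }' "$1"
}

# Return 0 if port $2 (default 22, the SSH port) is still reachable.
port_stays_open() {
    open_tcp_ports "$1" | grep -qx "${2:-22}"
}

# Constructed sample: port 80 was appended after the catch-all REJECT lines.
rules=$(mktemp)
cat > "$rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
port_stays_open "$rules" 22 && echo "22 reachable"
port_stays_open "$rules" 80 || echo "80 is shadowed by an earlier REJECT"
rm -f "$rules"
```

iptables-restore --test < /etc/iptables.conf additionally parses the file without committing it, which catches syntax errors before they cost you the connection.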

Then we load the configuration (and don’t log out until we test it!):
iptables-restore < /etc/iptables.conf

Testing the rules

To test the rules, open another terminal and try to access your server:

ssh emacs@123.123.123.123

If you could log in, then the rules should be OK. If not, reload the original rules until you find help:
iptables-restore < /etc/iptables.conf.old

Loading the rules when the server starts

If the rules we defined work, then the firewall should be loaded when the server starts:

Create the file /etc/network/if-pre-up.d/iptables with the following contents:
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.conf

Then make it executable:
chmod +x /etc/network/if-pre-up.d/iptables

We can now go back to our normal user:
exit

Your server is ready!

At this point, you are ready to start installing applications on your brand-new server!

What’s next?

I’ve seen the light: GNU/Linux Does Not Matter That Much

We freedomware advocates think that switching to a Freedom-respectful operating system (usually GNU/Linux) is the most important step when switching to freedomware, and therefore we focus on promoting these systems (myself included). However, I’ve found out that it does not matter that much.

The first and most important step when switching to Freedomware is using formats and protocols defined as Open Standards, even under a Freedom-trampling system like Windows: Vendor lock-in is only possible by means of closed standards. They are the cornerstone of the non-free software industry.

Why don’t those who know about Freedomware, and support the idea, make the switch? Aside from their inability to follow their thoughts (the games excuse is included here), it is because switching from Windows+Office+MSNMessenger/Etc to GNU/Linux+OpenOffice.org+Pidgin+Etc seems like a huge step, only made by adventurous souls.

The most important things for them, their information and communications, are already locked-in, tied to a single vendor. Encouraging them to switch to a freedom-respectful operating system is an unwise recommendation, if you know they still rely on closed standards:

  1. If you say that they won’t be able to use the programs they were used to, but their free alternatives, you will frighten them. Not to mention what they’ll think when they know that their MP3s, WMVs and .doc documents won’t play nice, and that their MSN Messenger sucks under GNU/Linux.
  2. If you help them to keep their files under closed formats and communicate through closed protocols, then, why on earth do you want them to use a free operating system? Using a free operating system simply means that most of your software is free. It seldom means that the user is reluctant to use Freedom-trampling software, closed formats and/or closed protocols, again. Quick demonstration: Take a look at any community of the easy-to-use distros and you will find that these standards are widely used among the majority of these users (although this doesn’t mean that Gentoo users, for example, are all disciples of the Church of Emacs).

The only way to safely make the switch to a Freedom-respectful computing environment, with no turning back, is by getting rid of closed formats and protocols before switching to a free operating system. Windows-GNU/Linux dual boots wouldn’t be necessary anymore.

These closed standards have always been a top-priority for non-free software vendors, unlike for us. Closed standards represent the Achilles’ heel of the non-free software industry. We must hit them there! Pay attention to this excerpt from a memo sent by Aaron Contorer, Microsoft general manager for C++ development, to Bill Gates:

“The Windows API is so broad, so deep, and so functional that most ISVs would be crazy not to use it. And it is so deeply embedded in the source code of many Windows apps that there is a huge switching cost to using a different operating system instead…
“It is this switching cost that has given the customers the patience to stick with Windows through all our mistakes, our buggy drivers, our high TCO, our lack of a sexy vision at times, and many other difficulties […] Customers constantly evaluate other desktop platforms, [but] it would be so much work to move over that they hope we just improve Windows rather than force them to move.
“In short, without this exclusive franchise called the Windows API, we would have been dead a long time ago.”

OK, that’s the root problem, but what’s the solution!?

We must put more effort into making people switch to open formats and open protocols than the effort we put into encouraging them to switch to a freedom-respectful operating system like GNU/Linux. That is, our goal should be that people get rid of closed formats and protocols before switching to a free operating system. Don’t expect them to make the switch after installing the free system! Or at least don’t get your hopes up if you ignore this (take the longer yet safe path!).

The above might seem obvious to you at this point, and you might wonder, how are we supposed to do so effectively?

My proposal

We have to carry out three tasks to reach our goal:

  1. First and foremost, make people worry about the formats and protocols they rely on;
  2. Make it really easy for people to switch to unconstrained formats and protocols, under the current operating system, but also warn them that everything won’t be completely solved until they throw the non-free system away;
  3. And finally, make people switch to a freedom-respectful operating system, like GNU/Linux.

(Notice that nowadays most of us start with task #3, then some of us go further and do #1, but nearly all of us forget about task #2.)

These tasks should be performed separately and harmoniously, with one project for each of them. The good news is that we won’t have to start from scratch, as there are some existing efforts: GNU/Linux Matters is going to develop Unconstrained.info, a project that would meet the requirements of task #1, and it also maintains GetGNULinux.org, the project that already meets the requirements of task #3.

The second task is by far the hardest one. The solution, in my opinion, is a software suite made up of the following well-integrated modules:

  1. A package manager, like those for GNU/Linux: It will make it easy for people to get started with Freedomware applications that support unconstrained formats and protocols. These programs must be stored on special repositories, so that we could disable support for constrained standards by default. This manager would only install Freedomware required to make the switch, excluding useful free add-ons for the operating system: Our goal is not to make people feel comfortable with their freedom-trampling operating system. Only the best Freedomware packages will be available, with no alternatives: It would make no sense to include both OpenOffice.org and Koffice (for example), we don’t want people to experiment with the free alternatives, just that they make the switch.
  2. A file format converter: An extremely easy to use Freedomware application to convert any file stored with a closed format into one stored with the best-suitable open format, preferably/optionally deleting the former file after the conversion. When the suite is being installed, it must configure the system to open those constrained-formats-based files with this converter.
  3. An Instant Messaging Migrator: The hardest module to make. It will help people migrate to open protocols such as Jabber or SIP. It would create a gratis Jabber account with any provider. Then, if allowed, it would let people’s contacts know that they are making the switch to an unconstrained and better messaging network (encouraging them to make the switch too). Finally, it would configure the pre-selected free IM client accordingly, making it ready to use.
  4. A tutor: A program, similar to a Help Center, that would advise people on unconstrained formats and protocols. It would provide guidance throughout the migration process. It would make sure that people keep in mind that they should switch to a free operating system once they get used to the new standards.

This suite must meet these requirements:

  • Be multi-platform: It must run on all the mainstream operating systems, including GNU/Linux (yes, haven’t you noticed the amount of GNU/Linux users tied to constrained formats and protocols?).
  • Be multilingual.
  • Be extremely easy to use.

Once Unconstrained.info and the liberation suite are ready, together with GetGNULinux.org, the final touch for us to be effective will be Animador.

In an ideal world…

… Organizations such as Mozilla, the FSF and the FFII will support GNU/Linux Matters with tasks #1 and #3, and the GNU project will take over task #2, with the support of all of us.

If everything fails, I’ll try my best to take over task #2 on behalf of GNU/Linux Matters.

On my part…

… I’ll try to make GNU/Linux Matters change its vision, according to this blog post.

On your part…

… This all sounds so beautiful, right? Well, we need you! And please don’t forget to comment on this blog post and spread the word about it if you find it useful.

PS: Got something to say? Talk about it on NXFD!