Configure a personal server with Debian Linux

By Laurent Soron

This article lists the different modules needed to set up a personal server with the most common services (web, mail, file servers).


This article is aimed at users who already know the GNU/Linux operating system, and particularly the Debian distribution. It presents how to configure a multi-service server (web, mail, files...) for a group of users, and explains the installation of the following modules:

  • Web Server (Apache) with support of the PHP scripts
  • Mysql database server
  • Mail server (Exim 3)
  • Server POP3 / IMAP4
  • Webmail
  • Fetch of distant mailboxes (Fetchmail) and sorting of the mails in different mailboxes (Procmail)
  • Samba, MLDonkey, GeneWeb...

The installation of the operating system, the internet connection, etc. will not be explained in detail here. The reader is assumed to have some competence in system administration and basic knowledge of the Debian distribution.
For each package, a minimal configuration will be presented.

An old computer can be used for this purpose. It must have a flat-rate internet connection to download the necessary packages and updates.

Note: every installed package provides documentation, accessible through the man pages (man <package>) or in /usr/share/doc/<package>.

Command lines beginning with # must be run as the super user root.
Those beginning with $ can be typed by any normal user.

Installation of a functional operating system

Operating system

The installation of the operating system is already well documented on the internet. Please refer to the following documents:

Note: so far, a minimal Debian system is sufficient. The packages needed by each module will be downloaded and installed automatically with their dependencies.

Updates

Note: once the operating system is installed, it is important to keep it up to date. Please refer to my article on this subject.

System Tuning

Expand the cache size for apt-get

Create the file /etc/apt/apt.conf with the following content (values in apt.conf are quoted strings):

  APT::Cache-Limit "25165824";

Colorize the screens

All users will appreciate having different colours to tell directories apart from files.
Open the file $HOME/.bashrc (for example /root/.bashrc) and delete the prefix # (comment sign) in front of the following lines:

   export LS_OPTIONS='--color=auto'

   eval `dircolors`

   alias ls='ls $LS_OPTIONS'

   alias ll='ls $LS_OPTIONS -l'

   alias l='ls $LS_OPTIONS -lA'

Note: to set this option for each new user added to the system, the same modification must be performed on the file /etc/skel/.bashrc.

Text editor

Every UNIX, Linux... system contains the vi text editor. It is recommended to install its clone vim, which offers syntax colouring and more options.
Nevertheless, the syntax of vi(m) is quite difficult for a new user. The editor nano is far easier to use:

#apt-get install nano

Remote configuration

To administer the server remotely, it is highly recommended to install the ssh package. It encrypts the communication between the server and the administrator's computer.

#apt-get install ssh

The administrator connects to the server by typing ssh [login]@MySite.net (on Linux systems).

On Microsoft Windows systems, it is recommended to use the free utilities PuTTY and WinSCP.

Important options:
A few options noticeably raise the security level. The daemon is configured through the file /etc/ssh/sshd_config (not ssh_config, which configures the ssh client):

#vi /etc/ssh/sshd_config

        Protocol 2

        PermitRootLogin no

        PubkeyAuthentication yes

        PermitEmptyPasswords no

        MaxAuthTries 3

        IgnoreRhosts yes

Protocol 2 disables SSH protocol version 1 (the older ServerKeyBits and RSAAuthentication options only concern version 1 and can be left out). PermitRootLogin no forces the administrator to log in as a normal user and then become root with su. Public-key authentication must stay enabled: once the administrator's public key is in $HOME/.ssh/authorized_keys on the server and a key login has been tested, add PasswordAuthentication no so that password guessing from the internet becomes impossible. MaxAuthTries limits the number of authentication attempts per connection (OpenSSH has no PasswordGuesses option).

Save the new configuration, check its syntax with sshd -t, and restart the daemon with the following command line:
#/etc/init.d/ssh restart

Keep the current session open and test a new connection from a second terminal before logging out, so that a mistake in the configuration does not lock the administrator out.
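As an added example (not code from the original article), the following POSIX shell script audits an sshd_config against the settings above. It applies the rule sshd itself uses when reading the file (the first uncommented occurrence of an option wins, keywords are case-insensitive), reports options that are set the wrong way or not set at all, and writes two constructed sample files: the option list as this article first gave it, with public-key authentication switched off, and the corrected one. The option list, the file names and the sample contents are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the article: audit /etc/ssh/sshd_config for the
# hardening options discussed above. Run it before restarting sshd.

# Effective value of one sshd option: the first uncommented occurrence wins,
# and keywords are matched case-insensitively, as sshd does.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one "Option=value (want x)" line per deviation; no output means the
# file matches the recommended settings. An option that is not set at all is
# reported as "unset" rather than trusting the compiled-in default.
sshd_audit() {
    printf '%s\n' \
        'Protocol 2' \
        'PermitRootLogin no' \
        'PubkeyAuthentication yes' \
        'PasswordAuthentication no' \
        'PermitEmptyPasswords no' \
        'MaxAuthTries 3' \
        'IgnoreRhosts yes' |
    while read -r key want; do
        have=$(sshd_opt "$1" "$key" | tr 'A-Z' 'a-z')
        [ -n "$have" ] || have=unset
        [ "$have" = "$want" ] || printf '%s=%s (want %s)\n' "$key" "$have" "$want"
    done
}

# Constructed sample: the option list as it first appeared in this article,
# which turns public-key authentication off and keeps password logins.
write_weak_config() {
    cat > "$1" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
Protocol 2
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication no
PermitEmptyPasswords no
IgnoreRhosts yes
EOF
}

# Constructed sample: the corrected settings (keys deployed to
# ~/.ssh/authorized_keys first, then password logins switched off).
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
IgnoreRhosts yes
EOF
}

# Stand-alone demonstration on the two constructed files.
tmp=$(mktemp)
write_weak_config "$tmp"
echo "weak config:"; sshd_audit "$tmp"
write_hardened_config "$tmp"
echo "hardened config:"; sshd_audit "$tmp"
rm -f "$tmp"
```

On a real server run sshd_audit /etc/ssh/sshd_config; an empty result means the file matches the list, and "unset" lines point at options that rely on whatever default the installed OpenSSH version compiled in.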

Literature:

Web server

Typically, each member of the group would like to set up his own web site, such as a blog like DotClear or a CMS (Content Management System) like Mambo.

The following components are necessary to configure this kind of web server:

  • Apache for the web server itself
  • PHP4 to interpret the scripts of the web pages
  • MySQL as database server (to store the configuration and content of the websites)
  • phpMyAdmin, a web interface to manage the tables of the MySQL databases

Installation

All the components will be retrieved automatically by installing only two packages:

#apt-get install phpmyadmin mysql-server

The package Exim (mail server) will be installed as a dependency. Choose option 5 (No configuration), as it will be configured in a later step.

Apache:
- The file /etc/apache/httpd.conf is used to configure the Apache server.
- Restart the server with:

#apachectl restart

The root level of the web server is /var/www/ (http://test.net displays the content of the directory /var/www/ of the server).

Mysql:
By default, the MySQL super administrator is root, without any password. It is highly recommended to set one immediately!

To change the password of the MySQL root user, type the command:

#mysqladmin -u root password MyNewPassword

The password MyNewPassword is now set for the user root. A password given on the command line is written to the shell history and is visible in the process list while the command runs; clear it from the history afterwards.

It is recommended to add separate users, one per web site:

shell> mysql -u root -p mysql

mysql> grant all on user1_database.* to user1@localhost identified by 'user1pw';

The -p option without a value makes mysql prompt for the root password instead of taking it on the command line.

Note: it is important to grant these users the minimum of rights. In particular, the administrator should not grant the right to create databases or users to normal users, and should always restrict a user to localhost as above rather than to any host.

The administrator will create one database per web site and associate it with one user, who gets the rights he needs on this database only. Beware that MySQL does not separate DROP TABLE from DROP DATABASE: the DROP privilege granted on user1_database.* also allows the user to drop the whole database, so "all rights but drop database" cannot be expressed with grants; regular backups of each database are the protection against it.
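As an added example (not from the original article or the MySQL documentation), this POSIX shell function writes the SQL for one web site: a database, a user restricted to localhost, and an explicit database-level privilege list instead of GRANT ALL. It refuses identifiers that are not plain names, generates alphanumeric passwords (so no SQL quoting is needed), and is meant to be piped into mysql -u root -p so that no password appears on a command line. The privilege list, the database and user names and the 24-character password length are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the article: generate the SQL that creates one
# database, one user restricted to localhost, and an explicit privilege list
# for one web site. Pipe the output into "mysql -u root -p" so that neither
# the root password nor the new one appears on a command line.

# Random password from /dev/urandom, restricted to letters and digits so it
# needs no SQL quoting (length 24 is an assumption of this example).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Identifiers (and passwords) must be plain names: anything else is refused
# rather than interpolated into SQL.
valid_ident() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Usage: site_grant_sql DATABASE USER [PASSWORD]
# Prints the SQL on stdout; returns 1 on a bad identifier or password.
site_grant_sql() {
    db=$1; user=$2; pw=${3:-$(gen_password)}
    valid_ident "$db" && valid_ident "$user" && valid_ident "$pw" || return 1
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pw';
-- Database-level rights only: no GRANT OPTION, no CREATE USER, no global rights.
-- DROP is left out on purpose: in MySQL it would also permit DROP DATABASE.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Stand-alone demonstration with a fixed password so the output is reproducible.
site_grant_sql user1_database user1 user1pw
```

To apply it: site_grant_sql user1_database user1 | mysql -u root -p (the generated password is then visible only in the SQL text, which should not be saved). If the CMS installer really needs DROP TABLE, add DROP to the list knowing that it also allows DROP DATABASE.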

Literature:

http://dev.mysql.com/doc/mysql/en/adding-users.html

Configuration of PHP3

Some website systems like SPIP (http://www.spip.net) still use the old .php3 extension.

Modify the file /etc/apache/httpd.conf in the following way:

#vi /etc/apache/httpd.conf

Add index.php3 to the DirectoryIndex line:

  <IfModule mod_dir.c>
      DirectoryIndex index.html index.php index.php3 index.htm index.shtml index.cgi
  </IfModule>

This line lists the file names tried, in order, as the default page when a directory is requested.

PHP:

As PHP4 can interpret php3 scripts, the administrator must tell Apache to use the php4 module for the .php3 files too.

Modify
"AddType application/x-httpd-php .php"
to get:
"AddType application/x-httpd-php .php .php3"

Without this, Apache serves a .php3 file as plain text, which exposes its source code, and any database password it contains, to every visitor.

Save (ESC, :wq) and restart Apache (apachectl restart).

To test the installation, it is a good idea to set up a blog system like DotClear or a CMS like Mambo or SPIP.

Most of the time, the installation of a CMS is in two steps. First, the files must be copied in a directory of the web server (e.g. /var/www/mambo). Then, the user is invited to access the default page of the site to start the setup (e.g. http://localhost/mambo/index.php). Some scripts are able to create automatically the database in MySQL. If not, phpmyadmin can be used for this task (http://localhost/phpmyadmin).

Redirection

At this point, we choose the following use case: http://test.net/ points to the website of the group (presenting its activity) and each member has his own website.

  1. The administrator installs each personal website in a first-level directory of the web server (e.g. /var/www/mambo/, /var/www/user1/, ...).
     Each website is accessible from http://test.net/[Directory] (e.g. http://test.net/mambo/).
  2. The website of the group is also installed in a sub-directory, to make a later migration to another CMS easy, and this directory is loaded by default. The structure of the web server is then:

     /var/www/
       Group website, using SPIP
       User1's website, using Mambo
       User2's website, using DotClear

Note: all the files of each website system (Mambo, DotClear...) are stored in its first-level directory. The websites usually save their configuration in a database managed by the MySQL server installed earlier (one database server manages several databases). The database name must be different for each website.

Create a text file /var/www/index.html with this content:

<meta http-equiv="refresh" content="0;url=http://test.net/mambo/">

In this example, the public name of the web server is test.net and the visitor is redirected to the directory mambo. The redirection is immediate (wait time = 0).

Personal Web sites

By default each user can create a directory $HOME/public_html and put web pages there. This mini website is accessible at http://test.net/~[User]
For example the directory /home/lolo/public_html is accessible at the URL (Uniform Resource Locator, an internet address) http://test.net/~lolo

With mod_php enabled, a user's PHP scripts in public_html run with the rights of the web server process, like the group's own sites: acceptable for a trusted group, but worth knowing before giving accounts to strangers.

Secured web server (https protocol)

The https protocol sets up an encrypted connection between the client and the server before any data is sent.

Install the module libapache-mod-ssl for the Apache web server:

#apt-get install libapache-mod-ssl

Create the file /etc/apache/libsslconfig.conf and insert the following content:

  Listen 443
  Listen 80

  NameVirtualHost *

  <VirtualHost *:443>
          ServerName arnest.net
          DocumentRoot /var/www/
          SSLEngine on
          SSLCertificateKeyFile /etc/apache/ssl.key/server.key
          SSLCertificateFile /etc/apache/ssl.crt/server.crt
          SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  </VirtualHost>

  <VirtualHost *:80>
          ServerName arnest.net
          DocumentRoot /var/www/
  </VirtualHost>

  • Modify the Apache configuration file (/etc/apache/httpd.conf):

    #vi /etc/apache/httpd.conf

    In the LoadModule section add:

    LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so

    At the end of the file, add the line:

    Include /etc/apache/libsslconfig.conf

  • Create a certificate with the command mod-ssl-makecert (installed with the package libapache-mod-ssl). The following values are given as an example.
  • Step 2: Generating X.509 certificate signing request for CA [ca.csr]
    1. Country Name: fr
    2. State or Province Name: Alsace
    3. Locality Name: Wissembourg
    4. Organization Name: Laurent Soron
    5. Organization Unit Name: arnest.net
    6. Common Name: Arnest CA
    7. Email Address: sslca@arnest.net
    8. Certificate Validity: 365 (days)
  • Step 3: Certificate Version: 3
  • Step 5: Generating X.509 certificate signing request for SERVER [server.csr]
    1. Country Name: fr
    2. State or Province Name: Alsace
    3. Locality Name: Wissembourg
    4. Organization Name: Arnest
    5. Organization Unit Name: arnest.net
    6. Common Name: www.arnest.net
    7. Email Address: ssl@arnest.net
    8. Certificate Validity: 365 (days)
  • Step 6: Certificate Version: 3
  • Steps 7, 8: if the administrator enters a passphrase here, it must be typed each time Apache is started or restarted (recommendation: leave it empty). An unencrypted private key is then only as safe as its file permissions: /etc/apache/ssl.key/server.key must belong to root and be readable by nobody else.

The server Common Name must be the host name visitors type in the URL, otherwise browsers complain that the certificate does not match. Since the certificate is signed by the administrator's own CA, browsers will warn in any case until the CA certificate has been imported by the users.

Restart Apache

#apachectl restart

It can be useful to install the documentation of the mod-ssl Apache module:

#apt-get install libapache-mod-ssl-doc

The package installs the documentation in /usr/share/doc/libapache-mod-ssl-doc/html.

To read it easily from any browser, the administrator can create a symbolic link in the web server's root directory:

#ln -s /usr/share/doc/libapache-mod-ssl-doc/html /var/www/ssldoc

Note: the documentation will then be accessible to all visitors at the URL http://test.net/ssldoc/

Password protecting some directories

For instance: limit access to the directory http://test.net/temp to certain users.
Add to /etc/apache/httpd.conf:

  <Location /temp>
      AuthType Basic
      AuthName Temporary
      AuthGroupFile /dev/null
      AuthUserFile /etc/apache/apache_passwd
      require valid-user
  </Location>

Add the authorized users with the tool htpasswd (its -c option creates the file on first use). Generate the entries locally rather than with an online htpasswd generator: a web form sends the chosen password to a third party. Keep the password file outside the document root, as above, so that it cannot be downloaded. Basic authentication sends the password in clear text with every request, so such directories should be served over https (see the previous section).

Literature:

Email Server

At this point, at least one normal user must exist. For example, the administrator adds a user lolo to the system:

#adduser lolo

Exim

The mail server is already installed (as a dependency of the web packages), so it only needs to be configured.

Note: Exim is an MTA (Mail Transfer Agent), the software that sends mail to other servers on the network (internet) and accepts mail from them; it also delivers the mail addressed to this machine into the mailboxes of the local users.

The configuration (sending and receiving emails) is done through the script:

#eximconfig

  • Choose option 1: Internet Site
  • 'Visible' mail name: mysite.net
  • No second domain: [enter]
  • No relay: [enter], [enter]
  • Mail for root will be forwarded to the user lolo: lolo

Keep "no relay": a server that relays mail for any host is an open relay, which is found and abused for spam quickly and gets the domain blacklisted.

The file /etc/email-addresses maps the local users to the addresses used when they send mail.

Note: /etc/aliases contains the aliases of the local accounts (e.g. the line "laurent: lolo" means that any mail sent to laurent@test.net will be received by the local user lolo on test.net).

The Exim log files are in /var/log/exim/mainlog.

The MX record of the domain name must point to the server (to its host name, which in turn has an A record with the server's IP address) so that mail can reach Exim.

Webmail

There is a large variety of web mail interfaces: SquirrelMail, IlohaMail, IMP...

SquirrelMail is simple to install and to use. It is a good default choice:

#apt-get install squirrelmail

SquirrelMail talks to an IMAP server (see the next section); by default it connects to localhost, so for webmail alone the IMAP port does not need to be reachable from outside.

POP3 / IMAP4 (ports 110 and 143)

POP3: with this protocol, the user fetches all his mail onto his local computer.

Candidates: Qpopper or popa3d

#apt-get install qpopper

The administrator can choose to install the package pop3s to create a secure connection (port 995).

IMAP4: with this protocol, the user manages his mail remotely on the server. The mail is not fetched to the user's computer.
By default, mail is stored in /var/mail/[login] (mbox format), so the package UW-Imapd, which reads that format directly, is recommended:

#apt-get install uw-imapd

The administrator can choose to install the package uw-imapd-ssl to create a secure connection (port 993).

Note: plain POP3 and IMAP send the system passwords in clear text over the network. Either use the SSL variants (ports 995 and 993), or keep ports 110 and 143 for the local network and the webmail on the same host only, and block them at the firewall for the internet.

Literature: Receiving mail securely, part 5.6
http://www.linuxsecurity.com/resource_files/host_security/securing-debian-howto/ch-sec-services.en.html

Fetchmail / Procmail

These two programs are often used together. Fetchmail fetches mail from several accounts over POP3 and hands it to procmail, which sorts it into different mail folders.

The administrator should read these two HOWTOs:

Fetchmail

The installation is straightforward:

#apt-get install fetchmail

Each user who wants to use this feature must create a configuration file $HOME/.fetchmailrc.

One line must be configured per mailbox:
poll [OtherServer] with protocol pop3: user [Distant_Login] there has password [Distant_Password] is [Login_Local] here

where

  • [OtherServer] is the name of the POP3 server of the remote mail provider (e.g. pop.laposte.net)
  • [Distant_Login] is the user name on that POP3 server
  • [Distant_Password] is the corresponding password on the POP3 server
  • [Login_Local] is the local user name

Check the configuration with fetchmail -v

Run the command on a regular basis

For this, the user uses the Cron daemon.

Launch the Cron editor with

$crontab -e

and insert the following (a single line):

0 */2 * * * /usr/bin/fetchmail -m "/usr/bin/procmail -f -" >> /home/LocalUser/.fetchlog 2>&1

This runs fetchmail every two hours and logs the result to .fetchlog (the minute field is limited to 0-59, so "every 120 minutes" must be expressed with the hour field). Fetchmail also has its own daemon mode (set daemon 600 in .fetchmailrc) that polls at a fixed interval without cron.

The cron editor uses the same commands as vi (save and exit with ESC :wq).

If everything is working properly, the following line is displayed:

crontab: installing new crontab

Note:

fetchmail -c: displays the number of messages waiting on the remote server.

Fetch and sort the mail manually with the command:

fetchmail -m "/usr/bin/procmail -f -" >> /home/MyUser/.fetchlog 2>&1

As .fetchmailrc contains user names and passwords, it must be readable by its owner only; fetchmail refuses to run if the file is accessible to other users:

chmod 600 $HOME/.fetchmailrc

Procmail

HOWTO: http://ernest.cheska.net/index.php?fichier=procmail&status=loaddocumentation

The installation is straightforward:
#apt-get install procmail

Then, each user must create a file $HOME/.procmailrc with his configuration, for example:

  .procmailrc

  SHELL=/bin/sh
  MAILDIR=$HOME/mail
  #DEFAULT=$HOME/mail/Default
  DEFAULT=/var/mail/lolo
  LOGFILE=$HOME/.log_procmail
  VERBOSE=yes

  # Mail to the humour address goes into the Humour folder
  :0:
  * ^(From|Cc|To).*humour@(MySite|MySite2).net
  Humour

  # Sort mailing lists by subject
  :0:
  * ^Subject:.*[[]MyListe[]]
  MyListe

  :0:
  * ^To:.*@kde.org
  Listes

Folder names are relative to MAILDIR, so Humour is the mbox file $HOME/mail/Humour (the directory $HOME/mail must exist). The trailing colon in :0: makes procmail lock the folder while writing, which is required for mbox folders.

To have Exim hand every incoming message to procmail, create the file $HOME/.forward containing:

  |/usr/bin/procmail

Literature: http://www.linux-france.org/article/lgazette/issue-26/issue-26-4.html

Timo's procmail tips and recipes: http://www.uwasa.fi/~ts/info/proctips.html

Filter the spam with spamassassin

Install the package with

#apt-get install spamassassin

Add to .procmailrc, before the sorting rules:

  :0fw
  | spamassassin -P

  :0:
  * ^X-Spam-Status: Yes
  spambox

The first rule passes every message through SpamAssassin as a filter (f), waiting for it to finish (w); SpamAssassin adds headers carrying a spam score. The second rule moves the messages marked as spam into the mail folder spambox. Look through spambox from time to time before emptying it: a legitimate message with a high score is otherwise lost silently.

FTP Server

Pure-ftpd is a good choice:

#apt-get install pure-ftpd

Note that FTP sends user names and passwords in clear text. Since ssh is already installed, file transfer over SFTP/SCP (WinSCP supports both) gives the same service without an extra daemon; install an FTP server only if anonymous access or access without a Unix account is really needed.

Picture Gallery

The package gallery is a well-known picture manager:
#apt-get install gallery

The administrator should also consider Coppermine. This software uses a database.

Statistics

The package Webalizer analyses the log files of the server and creates a report with charts as an HTML file:

#apt-get install webalizer

On Debian the report is written under /var/www/webalizer, so it is public by default; it reveals visitor addresses and the URLs requested, and should be protected like any other sensitive directory (see "Password protecting some directories").

Reference

Uptime

Install the package ud.

"UD runs in the background constantly checking the current uptime against your 3 best uptime records. If the current uptime surpasses a record, that becomes the new record." (Source)

The package maintains an up-to-date HTML report with this information.

Various

Change the name of the computer

The command hostname changes the system name until the next reboot (the -v option only makes it verbose):

#hostname [NewName]

To set the name permanently, the following files must be modified:

  /etc/hostname (the name itself)

  /etc/hosts (the line mapping the server's address to its name)

  /etc/resolv.conf (the domain part, if it changes)

Modify the prompt

Edit the file $HOME/.bashrc and add:

export PS1="[\u@\h:\W, \@, \d]> "

which gives a prompt such as: [root@mysite.net:etc, 10:13am, Thu Mar 10]>

Test the users' passwords with John the Ripper

  • Install with:
    # apt-get install john
  • Test the users' passwords:
    # john /etc/shadow
    A cron job can test the passwords on a regular basis: run the script john.cron install (check the configuration file /etc/john-mail.conf).

John stores the cracked passwords in clear text in its john.pot file; treat that file, and any mail the cron job sends, as sensitive, and only run this against a system you administer.

Read the man pages in HTML format (man2html)

It can be useful to read the man pages in a browser rather than in a console. The utility man2html does this:

#apt-get install man2html

Then open the page http://mysite.net/cgi-bin/man2html. Like the ssldoc link above, this CGI is reachable by every visitor unless the directory is protected.

Packages harden-*

Some packages are known for their past security issues, so it is reasonable to assume they have more that are not public yet.

From http://packages.debian.org/unstable/admin/harden-servers

"Avoid servers that are known to be insecure
This package is intended to give the administrator an easy option to avoid servers that in some sense are insecure. It can be servers that need passwords in plaintext, packages that can give someone access to the local host without permission, or packages that give system information to remote users.
NOTE! This package will not make your system uncrackable, and it is not intended to do so. Making your system secure involves a LOT more than just installing a package."

#apt-get install harden-clients harden-servers harden-localflaws harden-tools

These packages work through package conflicts: apt will propose to remove any installed server on the harden list (plain-text POP3 or IMAP daemons, for instance). Read the list of removals before confirming.

Others Servers

Genealogy server – Geneweb

If the group has some interest in genealogy, the well-known software GeneWeb can be installed locally on the server.

Official site: http://cristal.inria.fr/~ddr/GeneWeb/

This software is packaged in Debian:

#apt-get install geneweb

To access the local GeneWeb server, open the following address in the browser:
http://mysite.net:2317/

P2P – MLDonkey

#apt-get install mldonkey-server

As a normal user, create a directory ~/mldonkey and start the MLDonkey core from this directory:

$cd ~/mldonkey && mlnet &

At start-up, mldonkey creates a default structure there. The help explains its content.

The package includes a web interface. By default, only localhost can access it. To allow other computers, the administrator must modify the parameter allowed_ips in the file ~/mldonkey/downloads.ini:

allowed_ips = ["127.0.0.1";"192.168.2.255";]

In this example, the computers of the local network (192.168.2.XXX) are allowed to access the mldonkey interface (255 acts as a wildcard in this parameter). Never list a public address range here: the interface controls the downloads and the configuration of the core.

Proxy – SQUID

If all the users are on the same network, the administrator can configure the server to cache the pages frequently visited by the users. In the same way, some websites can be blocked.

File Server for Windows/Linux clients – Samba

Samba makes the server appear as a Windows file or print server. It can also act as a domain controller for Windows clients. Windows computers access it like any other Windows server.

Notes: the Samba users must already exist on the Linux system. Samba keeps its own password database, so they can have a different password, but they keep the same file permissions (access or not to a given directory).

SWAT is an easy-to-use web interface for Samba. It runs as root and takes the root password over plain HTTP, so it must be reachable only from localhost (or through an ssh tunnel), never from the internet.

Literature:

Conclusion

Different services have been presented. The administrator should install them one after the other, understanding the options offered by each. The defaults chosen by the Debian package maintainers are often 'good enough'.
Once the server is configured and released, the users begin to use it, and the administrator must keep it up to date by installing the security fixes and updates on a regular basis (e.g. every two weeks; a fix for a service exposed to the internet should be applied as soon as it is published).

The following command updates the package list and performs the necessary upgrades, if any:

#apt-get update && apt-get upgrade

(&& rather than ; so that the upgrade is skipped when the update fails.)

Note: it is recommended to run nmap from another computer to scan the open ports of the server. The administrator should check that every open port belongs to a service that is still in use, and that services only needed locally (MySQL, the MLDonkey interface, SWAT) are not reachable from outside.
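As an added example (not from the original article), this POSIX shell function compares the listening sockets reported by netstat -ltn (or ss -ltn, which prints the local address in the same column) with the ports the server is supposed to expose, and flags both unknown ports and services that should only listen on localhost but are bound to all interfaces. The sample netstat output is constructed, and the choice of which ports are public (ssh, http, https) or local only (MySQL on 3306, the MLDonkey web interface assumed on 4080) is an assumption of the example.

```sh
#!/bin/sh
# Added example, not from the article: compare what the server is listening
# on with what it is supposed to expose. Feed it "netstat -ltn" (or "ss -ltn")
# output taken on the server itself, then compare with an nmap scan run from
# another machine.

# Usage: port_audit "PUBLIC PORTS" "LOOPBACK-ONLY PORTS" < netstat_output
# Prints one line per port that is either on neither list, or on the
# loopback-only list but bound to a non-loopback address.
port_audit() {
    awk -v pub="$1" -v loc="$2" '
        BEGIN {
            n = split(pub, a, " "); for (i = 1; i <= n; i++) PUB[a[i]] = 1
            n = split(loc, b, " "); for (i = 1; i <= n; i++) LOC[b[i]] = 1
        }
        $1 !~ /^tcp/ { next }                    # headers, udp, unix sockets
        {
            port = $4; sub(/.*:/, "", port)      # "0.0.0.0:80" -> 80, ":::443" -> 443
            host = $4; sub(/:[0-9]+$/, "", host) # -> "0.0.0.0", "::", "127.0.0.1"
            loopback = (host == "127.0.0.1" || host == "::1")
            if (port in PUB) next
            if (port in LOC) {
                if (!loopback) printf "exposed %s on %s (expected loopback only)\n", port, host
                next
            }
            printf "unexpected %s on %s\n", port, host
        }'
}

# Constructed sample of "netstat -ltn" output, as this server might show it
# after the sections above: ssh, Apache, MySQL, the MLDonkey web interface
# (port 4080 is an assumption) and a forgotten CUPS daemon on 631.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:4080          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
EOF
}

# Stand-alone demonstration: ssh, http and https are public; MySQL and the
# MLDonkey interface must stay on localhost (the web sites and the
# administrator reach them locally).
sample_netstat | port_audit "22 80 443" "3306 4080"
```

On the server run netstat -ltn | port_audit "22 25 80 443" "3306 4080" (adding 110/143 or 995/993 if mail clients connect from outside) and compare the result with the nmap scan: a port nmap sees that netstat does not show belongs to a device in front of the server, not to this machine.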


References

http://qref.sourceforge.net/ Debian Reference Guide

Note: This document is licensed according to the Creative-Common by-nc-sa License.
