Once your OS is grown enough to play (I mean installed), you have to sit down with it and do the SECURITY TALK.

A little on the philosophical side of it, I think sense of security is just a fad and a perception. You are secure when you start feeling it, or we can keep on going paranoid tweaking it deeper and deeper, there will always exploits to to be known, more tools to be learnt, more WMDs to be discovered!

Always have a second plan- backup your data.

Lets get back to our Linux Box.

One of the requirements that our installs are going to have is a mail server. The linux box can email me complaining it has stomach ache, or any activity that goes on it.

TechRepublic has an old, yet not obsolete article for recipe indegrients of a mail server. We just need postfix.

After some reading about postfix, here is the route I took

$ sudo aptitude install postfix

Now head over to the postfix configuration documentation and tweak the settings. The only change I did was to make sure that my server is relaying mail originating only from local machine.

$ sudo vi /etc/postfix/main.cf
    mynetworks = 127.0.0.0/8

Save and exit. Now reload the changes.

$ postfix reload

Remember? We had put up a firewall on this box. However, nmap scan from another machine shows port 25 open (smtp being used by postfix.) Lets add some rules. User --dry-run to test command syntax.

sudo --dry-run ufw deny proto tcp from 0.0.0.0/0 to xx.xx.xx.xx port 25
sudo ufw deny proto tcp from 0.0.0.0/0 to xx.xx.xx.xx port 25

I think, I’m not as happy with ufw. Its good for starters, however it does not have advanced flexibility. I’m going to return to Shorewall within coming weeks.

Although linux machines hardly have the risk of being affected by viruses, still they can be threatened by trojans, worms by a vital part replaced by a rootkit.

chkrootkit is a tool to locally check for signs of a rootkit.

$ sudo aptitude install chkrootkit  
$ sudo chkrootkit

The run returned system not infected. Next lets install Rootkit Hunter. .Rootkit scanner is scanning tool to ensure you for about 99.9%* you’re clean of nasty tools. This tool scans for rootkits, backdoors and local exploits.

$ sudo aptitude install rkhunter
$ sudo rkhunter -c --skip-keypress

We came out clean.

Next I should look at AppArmour and GRSecurity. However there are other things crying for my attention. I’ll come back to them later.

The security paranoids can look at top 100 security tools.

Photo credits: GD Senior @ Flickr

Now back to coniguring the machine. I will be using the test server for Drupal websites, Rails projects and possibly Lift projects. Also, I love Punjabi and I love Unicode. So I’m going to try to make things as Unicode friendly as they can be.

Let’s start.

People love internet, internet loves images, and images love GD.

sudo aptitude search gd

It gave a numbers of options. I was confused between installing libgd or php5-gd. It turns out after giving

sudo aptitude install php5-gd

all other gd libraries were installed as dependencies.

Restart Apache

sudo /etc/init.d/apache2 restart

Tuning PHP/MySQL

cd /etc/php5/apache2/

By default the installations comes without a php.ini file. Rename it to php.ini-orignal.

sudo mv php.ini php.ini-orignal

Find recommended file

locate php.ini-recommended

Found it in /usr/share/doc/php5-common/examples/php.ini-recommended . Copy it to orignal php.ini localtion and rename it.

sudo cp /usr/share/doc/php5-common/examples/php.ini-recommended ./php.ini

For drupal to work properly, change session.save_handler = files to to session.save_handler = user

Restart Apache

sudo /etc/init.d/apache2 restart

MySQL fun

Login into mysql as root. By default, root mysql account has no password

mysql -u root

Lets change the mysql superuser using a hard to guess password.

mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$a-hard-to-guess-password-here$');
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Now lets look around

show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema | 
| mysql              | 
+--------------------+
2 rows in set (0.01 sec)

mysql> use mysql;

mysql> show tables;

There is a table name user. Aha! This is the one with mysql user list.

mysql> desc user;

Amoung other things, it did show me three important fields – Host, User, Password

Lets look into it. Lets filter our view to just these three.

mysql> select Host,User, Password from user;

+------------------------+------------------+---------------------------------
| Host                   | User             | Password                                  
+------------------------+------------------+---------------------------------
| localhost              | root             | *6F50F9BB1F8C9DD174B66A8087FD4FA 
| xxx.xxxx.olemiss.edu   | root             | *6F50F9BB1F8C9DD174B66A8087FD4FA 
| 127.0.0.1              | root             | *6F50F9BB1F8C9DD174B66A8087FD4FA 
| localhost              |                  |                                 
| xxx.xxxx.olemiss.edu   |                  |                                  
| localhost              | debian-sys-maint | *C9D6F50F9B087D174B66A8FD4B1F8FA

What? No information in user column? Then what kind of user is it. Aha! Thats guest user also called anonymous user. Means any user while on the server can log into localhost. Guests should be served Tea and biscuits, not a mysql database. So from now “O mighty guest, I banish thee from my MySQL database.”

mysql> delete from user where User='';
Query OK, 2 rows affected (0.00 sec)

Much better. Now I have only two users(4 listed, although root is the same user using different hostnames) and debian-sys-maint. I refuse to get super-paranoid about security for now and this is good enough. (Remeber I did set my root password while installation. If you have not, I strongly recommend you to.) Other thing you can do is make another user and grant limited privilges. Keep root user as a backup only with a super secure password, and do not list it in any application code.

Now lets identify mysql database encoding. Wrong encoding can mess up non-Roman characters.

mysql> status;

Shows latin1. We want default to utf8. There might be other recommended changes too. Like PHP uses php.ini for configurations, MySQL uses my.cnf. Exit mysql.

mysql> exit
locate my-large.cnf
cp /usr/share/doc/mysql-server-5.0/examples/my-large.cnf /etc/mysql/my.cnf

Adding following to my.cnf

[client]
default-character-set = utf8

[mysqld]
skip-character-set-client-handshake
default-character-set = utf8
character-set-server = utf8
collation-server = utf8_general_ci
init-connect = SET NAMES utf8

[mysqldump]
default-character-set = utf8

[mysql]
default-character-set = utf8

Optimize my.cnf, but do not waste too much time here now. You can do it later. Keep moving. Save my.cnf and restart mysql.

Log back into mysql. Now lets create a test database and see how it goes.

mysql> create database dm_drupal;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON dm_drupal.* TO 'someuser'@'localhost' IDENTIFIED BY 'somepassword';
Query OK, 0 rows affected (0.00 sec)

Before leaving, you need to flush, otherwise changes will start stinking and fill the room.

flush privileges;

status;

The encoding is happily unicode.

Now a little MySQL benchmarking (Never fully trust benchmarks though. Remember there are lies, damned lies and benchmarks:)) Output shows 10000000 simple additions can be performed in 0.71 seconds

mysql> SELECT BENCHMARK(1000000,1+1);
+------------------------+
| BENCHMARK(1000000,1+1) |
+------------------------+
|                      0 | 
+------------------------+
1 row in set (0.08 sec)

mysql> SELECT BENCHMARK(10000000,1+1);
+-------------------------+
| BENCHMARK(10000000,1+1) |
+-------------------------+
|                       0 | 
+-------------------------+
1 row in set (0.71 sec)

I’m not a testing-for-a-living-guy, however what this seems to me is that my database is pretty decently configured.

Setting up Virtual Hosts

I’m going to test the setting using a test installation of Drupal. First I’m going to create a virtual named host for drupal.

cd  /etc/apache2/sites-available/
cp default drupal

Modify drupal to point to where you want to keep your installs (by default in /var/www/). I am keeping my sites in my home directory in ~/Sites directory

NameVirtualHost *
<VirtualHost *>
    ServerAdmin me@myself.com 

    DocumentRoot /home/myname/Sites/drupal/ 

    <Directory /home/myname/Sites/drupal>
        Options Indexes FollowSymLinks MultiViews
        # AllowOverride None
        AllowOverride All 
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

</VirtualHost>

Save and restart Apache.

To start with, I’m going to test a Drupal installation. Download drupal in your Sites folder

cd ~/Sites
wget http://ftp.drupal.org/files/projects/drupal-6.10.tar.gz
tar -xvzf drupal-6.10.tar.gz
mv drupal-6.10 to drupal

Copy settings.php in director

cp drupal/sites/default.settings.php drupal/sites/settings.php

chmod a+w drupal/sites/settings.php

We are ready. Point your browser to http://localhost to start the install process.

Enabling clean URLs

Okay now I found out apache was missing the mod-rewrite, required for clean URL’s. To enable I typed

sudo a2enmod rewrite
sudo /etc/init.d/apache2 force-reload
apache2ctl -M

The last command showed mod-rewrite was enables, however the drupal installation still could not make clean URLs. After some Googling and reading the forums, I found the solution.

Disable the site by

sudo a2dissite drupal 
vi /etc/apache2/sties-available/thedmonline

find AllowOverride and change AllowOverride None to AllowOverride All at four places.

Now enable site again sudo a2ensite drupal sudo /etc/init.d/apache2 restart

Turn on the clean URL option in drupal.

Ruby 1.9

Ruby1.9 is out of beta. So is the Pragmatic Ruby book (kind of).

So I rolled my sleeves up (That was a lie my friend, added to give drama… I was wearing a half sleeve t-shirt).

wget ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.1-p0.tar.gz
tar xvzf ruby-1.9.1-p0.tar.gz
cd ruby-1.9.1-p0
sudo aptitude install build-essential libssl-dev libreadline5-dev
./configure --prefix=/usr/local
make && make install

Okay I rolled my (virtual)sleeves down. Lets test

ruby -v # ruby 1.9.1p0 (2009-01-30 revision 21907) [powerpc64-linux]

The post has gone too long(Who cares, its for my own documentation). In the next post, we get to managing development using new content versioning kid around the block, git. We’ll probe how to install multiple Drupal and Ruby sites using Git and how it can co-exist and interact with CVS/SVN.

I hardly get enough time away from my Mac machines, so I planned to get back in touch with the penguin, and to build a test server.

My plan was to install Xen, and then run a Linux instance on top of it. However the only spare machine was a G5 Xserve, I could not find any information of Xen on ppc processor.

Choosing Linux flavour for ppc wasn’t easy either. Most of the open source linux flavours have stopped supporting ppc, as it seems like a dying platform. Red Hat and Suse seem to support the architecture in their enterprise versions. I did’nt wanted to run YDL, the only flavour I could find truely supporting ppc architecture.

Finally, I decided to go ahead with the Ubuntu 8.04 Server community version for ppc.

Once decided, the install was pretty much a breeze. Popped in the CD, and followed GUI to install. Chose ssh-server and Lamp Server during install option.

After the server restart, configured the network interface /etc/network/interfaces to provide a static address.Restarted the network.

sudo /etc/init.d/networking restart

Update the installation. I prefer aptitude over apt-get.

sudo aptitude update
sudo aptitude safe-upgrade

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the internet.

sudo aptitude install ntp ntpdate

Check hostname and hostname -f return the same value. It matched our specified domain name in the file /etc/hosts to FQDN (Fully Qualified Domain Name) of the machine.

Lets bring the walls up

Ubuntu comes with a iptables-wrapper known as UFW.

sudo aptitude install ufw

Turn firewall on.

sudo ufw enable

Turn firewall logging on.

sudo ufw logging on

Display status of firewall and ports in the listening state

sudo ufw status

I changed the rules so that the output of above command was

Firewall loaded

To                         Action  From
--                         ------  ----
Anywhere                   ALLOW   xx.xx.xx.0/24
22:tcp                     ALLOW   xx.xx.xx.0/24
80:tcp                     ALLOW   Anywhere
80:udp                     ALLOW   Anywhere

Therefore only port 80 was open to outside world, for serving web pages, and ssh port for local network. The rest of the requests were dropped.

To make sure, use nmap from another machine to do a port scan of your server. Only port 80 should be open from outside your lan.

As the result of port scan delivered expected results, I paused for a while and looked at my old friend, penguin. I flashed-forward to years of our friendship, of growing up churrning big-a$$ web apps, becoming millionaires, and the taking a vacation to Mars, our children going to the same schools, and becoming friends and fighting amoung themselves all the time. Ah! It was such a touching moment! I’m glad on our renewed friendship.

Next time we’ll bring in PHP and MySQL, the Indian tribe some Jewels and another Dutch-looking friend.

This party is gonna rock!

Image credits: Tux by Daniele Florio shared under CC Share Alike licence