Ubuntu 11 - Creating a LAMP sandbox to play with
Deploy an Ubuntu LAMP server on your old PC, plug it into your home network and start web developing. The following guidelines were tested on a Pentium III x86 PC running the Ubuntu 11 Desktop edition, with Windows 7 as the complementary primary PC. This is not a detailed tutorial; it is a notepad of necessary software and Ubuntu 11 specific solutions.
Let’s make this Apache a little more useful
Let’s make this box a little more secure
- A desktop PC (your old one) with an Ethernet network card.
- The Ubuntu OS. Download the Desktop Edition or the Server one.
If you have a decent Pentium III, I recommend choosing the Desktop edition. Why?
You can have a fully functional rescue workstation whenever you like or need. We are not betting on performance here. We are building something to play with.
- Of course, experience in using the GNU/Linux OS.
- Partitions… let the installer decide automatically, it is a sandbox.
If you are more particular about that subject, I recommend reading https://help.ubuntu.com/community/SwapFaq and https://help.ubuntu.com/community/PartitioningSchemes, or search the Ubuntu Forums for more information. If you have two HDDs, use the second for /home and /var. It will help you for backup purposes.
- If you used the Server edition you will be asked for “software to install”. You can choose the OpenSSH server, LAMP server and Samba file server.
Install a GUI (for Server Edition)
sudo apt-get install --no-install-recommends ubuntu-desktop
Use the --no-install-recommends switch to get a clean gnome without the extras.
By default, the Root account password is locked in Ubuntu. This means that you cannot login as Root directly or use the su command to become the Root user. However, since the Root account physically exists it is still possible to run programs with root-level privileges.
This is where sudo comes in - it allows authorized users (normally "Administrative" users) to run certain programs as Root without having to know the root password.
Advantages and Disadvantages
Benefits of using sudo
Some benefits of leaving Root logins disabled by default include the following:
- The Ubuntu installer has fewer questions to ask.
- Users don't have to remember an extra password (i.e. the root password), which they are likely to forget (or write down so anyone can crack into their account easily).
- It avoids the "I can do anything" interactive login by default (e.g. the tendency of users to log in as an "Administrator" user on Microsoft Windows systems): you will be prompted for a password before major changes can happen, which should make you think about the consequences of what you are doing.
- sudo adds a log entry of the command(s) run (in /var/log/auth.log). If you mess up, you can always go back and see what commands were run. It is also nice for auditing.
- Every cracker trying to brute-force their way into your box will know it has an account named Root and will try that first. What they don't know is what the usernames of your other users are. Since the Root account password is locked, this attack becomes essentially meaningless, since there is no password to crack or guess in the first place.
- Allows easy transfer of admin rights, for a short or long term period, by adding and removing users from groups, without compromising the Root account.
- sudo can be set up with a much more fine-grained security policy.
- The Root account password does not need to be shared with everybody who needs to perform some type of administrative task(s) on the system (see the previous bullet).
- The authentication automatically expires after a short time (which can be set to as little as desired or 0); so if you walk away from the terminal after running commands as Root using sudo, you will not be leaving a Root terminal open indefinitely.
Downsides of using sudo
Although for desktops the benefits of using sudo are great, there are possible issues which need to be noted:
- Redirecting the output of commands run with sudo requires a different approach. For instance consider sudo ls > /root/somefile will not work since it is the shell that tries to write to that file. You can use ls | sudo tee -a /root/somefile to append, or ls | sudo tee /root/somefile to overwrite contents. You could also pass the whole command to a shell process run under sudo to have the file written to with root permissions, such as sudo sh -c "ls > /root/somefile".
- In a lot of office environments the ONLY local user on a system is Root. All other users are imported using NSS techniques such as nss-ldap. To setup a workstation, or fix it, in the case of a network failure where nss-ldap is broken, Root is required. This tends to leave the system unusable unless cracked. An extra local user, or an enabled Root password is needed here. The local user account should have its $HOME on a local disk, _not_ on NFS (or any other networked filesystem), and a .profile/.bashrc that doesn't reference any files on NFS mounts. This is usually the case for Root, but if adding a non-Root rescue account, you will have to take these precautions manually.
- Alternatively, a sysadmin type account can be implemented as a local user on all systems, and granted proper sudo privileges. As explained in the benefits section above, commands can be easily tracked and audited.
- When using sudo, your password is stored by default for 15 minutes. After that time, you will need to enter your password again.
- Your password will not be shown on the screen as you type it, not even as a row of stars (******). It is being entered with each keystroke!
I know some/many of you do not approve but I am going to enable root. I just don’t like sudo-ing all the time. If you choose not to, place a “sudo” before most of the commands below.
sudo passwd root
Disable the root account at any time later with:
sudo passwd -dl root
Open as root command for nautilus (gnome GUI)
Enabling root does not mean you will login as root if it is not needed.
I find it useful, when using gnome and its file explorer Nautilus, to have a shortcut for opening folders with root permissions.
nano /home/user/.gnome2/nautilus-scripts/Open\ as\ root
insert the following
#!/bin/sh
gksudo "gnome-open $NAUTILUS_SCRIPT_SELECTED_URIS"
Ctrl+X to save and exit
Then make it executable
chmod +x /home/user/.gnome2/nautilus-scripts/Open\ as\ root
From here on, the commands below assume you are logged in as root.
LAMP is an acronym for a solution stack of free, open source software, originally coined from the first letters of Linux (operating system), Apache HTTP Server, MySQL (database software) and Perl/PHP/Python, principal components to build a viable general purpose web server.
apt-get install tasksel
tasksel install lamp-server
Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.
OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on.
apt-get install openssh-server openssh-client
Now you can perform any console command as if you were sitting in front of your server.
If your production PC is on Windows you can use the excellent putty ssh client (32bit / 64bit) or the kitty (recommended) alternative.
phpMyAdmin is a very popular MySQL management software package.
Install phpMyAdmin from the Universe repository see InstallingSoftware for detailed instructions on using repositories and package managers. (Note, however, that installation from a package manager often does not work).
apt-get install phpmyadmin
Make sure the following lines are in /etc/apache2/apache2.conf; if not, add them and restart Apache:
# Include phpmyadmin
Include /etc/phpmyadmin/apache.conf
To access phpMyAdmin, go to http://localhost/phpmyadmin
Once phpMyAdmin is installed point your browser to http://localhost/phpmyadmin to start using it. You should be able to login using any users you've setup in MySQL. If no users have been setup, use admin with no password to login.
Should you get a 404 "Not Found" error when you point your browser to the location of phpMyAdmin (such as: http://localhost/phpmyadmin) this is likely caused by not checking the 'Apache 2' selection during installation. To redo the installation run the following:
dpkg-reconfigure -plow phpmyadmin
Then select Apache 2 for the webserver you wish to configure.
If this does not work, then you can do the following to include the phpMyadmin-shipped Apache configuration into Apache:
ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin.conf
/etc/init.d/apache2 reload
Samba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.
apt-get install samba samba-common
and for ridiculously easy GUI configuration
apt-get install system-config-samba
If you never installed gnome, edit the Samba configuration file /etc/samba/smb.conf by hand. Find this section in the file:
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = yourwindowsworkgroup
at the end you can add folders and user that may have access to them e.g.:
[www]
path = /var/www
writeable = yes
; browseable = yes
valid users = user
I find it convenient to have the same username and password on your Windows PC and the server: with matching usernames you will not be prompted for a password. Create samba shares and give access to the users that you listed here. Your first shared folder would be /var/www/ (transfer and edit your websites' files: Windows workstation <-> Linux webserver).
Checking Apache 2 installation
With your web browser, go to the URI http://localhost: if you read "It works!", which is the content of the file /var/www/index.html, this proves Apache works.
Apache2 has the concept of sites, which are separate configuration files that Apache2 will read.
You will find two folders inside /etc/apache2/:
- sites-available: contains configuration files for sites which are available but not necessarily enabled.
- sites-enabled: contains the site files (usually symlinks into sites-available) which are enabled.
By default, there is one site available called 000-default (/etc/apache2/sites-enabled) this is what you will see when you browse to http://localhost or http://127.0.0.1. You can have many different site configurations available, and activate only those that you need.
As an example, you may want the default site to be /home/user/public_html/. To do this, edit the 000-default site file and change the DocumentRoot to /home/user/public_html/.
I prefer the standard location /var/www
Understand that virtual hosts (apache2 sites) are not a necessity for testing/installing different websites on your home webserver. Virtual hosts are a concept for hosting several domain names under the same Apache server, and that is not our scenario. You can set up the default site (virtual host) with root folder "/var/www/" and then create subfolders. Several static/dynamic websites can be placed inside these subfolders and pointed to as http://localhost/site1, http://localhost/site2 etc.
As you will notice the 000-default has a small amount of settings. The default Apache2 configuration file is the /etc/apache2/apache2.conf (not the httpd.conf).
The virtual host configuration files (like the 000-default) just override the apache2.conf settings.
Similarly, for modules, /etc/apache2/ contains:
- mods-available: Apache modules which are available but not necessarily enabled.
- mods-enabled: the Apache modules which are enabled.
You can also use the a2enmod command (Debian/Ubuntu) to enable a module.
Enable clean URLs for Drupal and other CMSs that use mod_rewrite:
a2enmod rewrite
Securing Apache – External Access
If you just want to run your Apache installation as a development server and you want to prevent it from listening for incoming connection attempts, this is easy to do.
Change ports.conf so that Apache only listens on the loopback interface:
Listen 127.0.0.1:80
Leave ports.conf as is if you want to access the web-server from outside your home network. Create an account at http://www.no-ip.com/ and set up your modem-router accordingly (all modern modem-routers have this option). You can then point to your webserver and websites as http://webserver.no-ip.com. It is a domain name that points to your IP regardless of whether it is dynamic or static. You can also use it for connecting to the server via ssh when you are outside the home network.
Password-Protect a Directory
There are two ways to password-protect a specific directory. The recommended way involves editing /etc/apache2/apache2.conf (to do this, you need root access). The other way involves editing a .htaccess file in the directory to be protected (to do this, you need access to that directory).
Password-Protect a Directory With .htaccess
If you plan to use .htaccess files, you will need to have a server configuration that permits putting authentication directives in these files. This is done with the AllowOverride directive, which specifies which directives, if any, may be put in per-directory configuration files.
Since we're talking here about authentication, you will need an AllowOverride directive like the following:
AllowOverride AuthConfig
Or, if you are just going to put the directives directly in your main server configuration file, you will of course need to have write permission to that file.
Getting it working
You'll need to create a password file. This file should be placed somewhere not accessible from the web, e.g. /etc/apache2/passwords/
To create the file, use the htpasswd utility that came with Apache. This will be located in the bin directory of wherever you installed Apache. To create the file, type:
htpasswd -c /etc/apache2/passwords/passwords user
htpasswd will ask you for the password, and then ask you to type it again to confirm it:
New password: mypassword
Re-type new password: mypassword
Adding password for user user
If htpasswd is not in your path, of course you'll have to type the full path to the file to get it to run.
Next, you'll need to configure the server to request a password and tell the server which users are allowed access. You can do this either by editing the httpd.conf file or using an .htaccess file.
For example, if you wish to protect the directory /var/www/secret, you can use the following directives, either placed in the file /var/www/secret/.htaccess, or placed in httpd.conf inside a <Directory /var/www/secret> section:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/passwords/passwords
Require user user
Let's examine each of those directives individually. The AuthType directive selects the method that is used to authenticate the user. The most common method is Basic, and this is the method implemented by mod_auth. It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data. Apache supports one other authentication method: AuthType Digest. This method is implemented by mod_auth_digest and is much more secure. Only the most recent versions of clients are known to support Digest authentication.
If you want to let more than one person in, you'll need to create a group file that associates group names with a list of users in that group. The format of this file is pretty simple:
GroupName: user user2 user3
That's just a list of the members of the group in a long line separated by spaces.
To add a user to your already existing password file, type:
htpasswd /etc/apache2/passwords/passwords user2
You'll get the same response as before, but it will be appended to the existing file, rather than creating a new file. (It's the -c that makes it create a new password file).
Now, you need to modify your .htaccess file to look like the following:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /etc/apache2/passwords/passwords
AuthGroupFile /etc/apache2/passwords/groups
Require group GroupName
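To check what a Require line actually admits before relying on it, here is an added Python example (written for this page, not Apache's or the author's code) that parses a constructed AuthUserFile and AuthGroupFile in the formats described above, resolves Require user / Require group / Require valid-user, and flags names that appear in a group but have no password entry (they can never log in). It also checks that the password file is not under the DocumentRoot, which is the "not accessible from the web" requirement. The hashes are placeholders, not real credentials.

```python
import os

# Constructed copies of the two files described above; the hashes are placeholders
# laid out the way htpasswd writes them ("user:hash"), not real credentials.
PASSWORDS_FILE = """\
user:$apr1$PLACEHOLDER$hashvalue1
user2:$apr1$PLACEHOLDER$hashvalue2
"""
GROUPS_FILE = """\
GroupName: user user2 user3
"""


def parse_htpasswd(text):
    """Return the set of usernames that have an entry in an AuthUserFile."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        users.add(line.split(":", 1)[0])
    return users


def parse_groups(text):
    """Return {group: [members]} from an AuthGroupFile ("GroupName: user user2 ...")."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups[name.strip()] = members.split()
    return groups


def resolve_require(directive, passwords, groups):
    """Work out who a Require line admits.

    Returns (admitted, dangling): admitted is the set of users who can actually
    log in; dangling lists names the directive refers to that have no password
    entry, so they are refused even though they look authorised.
    """
    parts = directive.split()
    if len(parts) < 2 or parts[0] != "Require":
        raise ValueError("not a Require directive: " + directive)
    kind, names = parts[1], parts[2:]
    if kind == "valid-user":
        return set(passwords), []
    if kind == "user":
        wanted = list(names)
    elif kind == "group":
        wanted = [m for g in names for m in groups.get(g, [])]
    else:
        raise ValueError("unsupported Require type: " + kind)
    dangling = [n for n in wanted if n not in passwords]
    return {n for n in wanted if n in passwords}, dangling


def is_under_docroot(path, docroot="/var/www"):
    """True if Apache would serve the file, which a password file must never be."""
    path, docroot = os.path.abspath(path), os.path.abspath(docroot)
    return os.path.commonpath([path, docroot]) == docroot


if __name__ == "__main__":
    pw = parse_htpasswd(PASSWORDS_FILE)
    gr = parse_groups(GROUPS_FILE)
    print(resolve_require("Require group GroupName", pw, gr))
    print(is_under_docroot("/etc/apache2/passwords/passwords"))
```

With the constructed files, Require group GroupName admits user and user2 and reports user3 as dangling, which is exactly the case where someone is added to the group file but htpasswd was never run for them.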
After installing PHP
You may need to increase the memory limit that PHP imposes on a script, upload limits etc.
After installing MySQL
Set mysql bind address
Before you can access the database from other computers in your network, you have to change its bind address. Note that this can be a security problem, because your database can be accessed by other computers than your own. Skip this step if the applications which require mysql are running on the same machine.
Edit /etc/mysql/my.cnf and change the line:
bind-address = localhost
to your own internal ip address e.g. 192.168.1.20
bind-address = 192.168.1.20
If your ip address is dynamic you can also comment out the bind-address line and it will default to your current ip.
If you try to connect without changing the bind-address you will receive a "Can not connect to mysql error 10061".
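Because the bind-address line decides who on the network can reach the database at all, here is an added Python example (not the page's or MySQL's own code) that reads constructed my.cnf fragments and classifies the exposure: loopback only, the home LAN, or every interface. It reflects the MySQL 5.x behaviour that an absent or commented-out bind-address means listening on all interfaces, and that skip-networking turns the TCP listener off entirely. The fragments are constructed for the example.

```python
import configparser
import ipaddress

# Constructed my.cnf fragments (not the page's file) covering the settings discussed above.
LOCAL_ONLY = "[mysqld]\nuser = mysql\nbind-address = 127.0.0.1\n"
LAN_ONLY = "[mysqld]\nuser = mysql\nbind-address = 192.168.1.20\n"
ALL_INTERFACES = "[mysqld]\nuser = mysql\n# bind-address = 127.0.0.1\n"
NO_TCP = "[mysqld]\nskip-networking\nbind-address = 0.0.0.0\n"


def effective_bind_address(text):
    """Return the address mysqld would bind to, or None when TCP is disabled."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return "0.0.0.0"            # nothing restricts the listener
    section = cp["mysqld"]
    if "skip-networking" in section or "skip_networking" in section:
        return None                 # local socket only, no TCP listener at all
    value = section.get("bind-address")
    if value is None:
        return "0.0.0.0"            # absent or commented out: MySQL 5.x listens on every interface
    return value.strip()


def classify_exposure(text):
    """Map a my.cnf text to one of: none, localhost, lan, all, public."""
    addr = effective_bind_address(text)
    if addr is None:
        return "none"
    if addr == "localhost":
        return "localhost"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "localhost"
    if ip.is_unspecified:
        return "all"
    if ip.is_private:
        return "lan"
    return "public"


if __name__ == "__main__":
    for name, cfg in [("local", LOCAL_ONLY), ("lan", LAN_ONLY),
                      ("all", ALL_INTERFACES), ("no tcp", NO_TCP)]:
        print(name, "->", classify_exposure(cfg))
```

On the live box, `netstat -tlnp | grep mysql` shows which address the listener really ended up on, which is the quickest way to confirm the file was read as intended.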
Set mysql root password
Before accessing the database by console you need to type:
mysql -u root
At the mysql console type:
mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('yourpassword');
A successful mysql command will show:
Query OK, 0 rows affected (0.00 sec)
Mysql commands can span several lines. Do not forget to end your mysql command with a semicolon.
Note: If you have already set a password for the mysql root, you will need to use:
mysql -u root -p
(Did you forget the mysql-root password? See MysqlPasswordReset.)
Now you have a LAMP web-server up and running
- You can put your Drupal websites in subfolders of /var/www/
- Create and manage MySQL databases via phpmyadmin
- Transfer files to the server as if it were a Windows PC
- Create restricted access folders to share files with your friends
Let’s make this Apache a little more useful
In computing, Virtual Network Computing (VNC) is a graphical desktop sharing system that uses the RFB protocol to remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network.
(gnome) System>Administration>Login Screen
Set auto login to your mainstream account (not root). Now you just press the power button and walk away.
Set up VNC and download the TightVNC client for your Windows PC. Remote desktop is going to be mandatory at some point. It will be useful for remote-controlling GUI programs other than the web-server related ones.
Vino is the default VNC server in Ubuntu to share your existing desktop with other users. If you are using Ubuntu 8.04 LTS (Hardy Heron), you will probably need to install another server because of a known bug that stops vino working for most people.
To configure vino from within GNOME, go to System > Preferences > Remote Desktop
Krfb is the default VNC server in Kubuntu, and is recommended for KDE users. Because it's highly integrated with KDE, running it in other environments is difficult.
To configure krfb, go to System Settings > Sharing > Desktop Sharing > Configure....
X11vnc is a VNC server that doesn't depend on GNOME or KDE, and is recommended for use by Xubuntu users. It's designed to be run from the command-line, which makes it flexible but difficult to learn. The few graphical parts of the interface are quite unattractive, because they're designed to work even on a very minimal installation. X11vnc is available in the x11vnc package in the Universe repository.
Whereas most VNC servers share your desktop, tightvnc creates a completely new desktop, not attached to any actual screen. This makes it much less useful for some things (like remote help), but much more useful for others (like creating a public area for collaboration). If tightvncserver won't start, you might need to uncomment the $fontpath lines in /etc/vnc.conf.
Remove keyring for VNC
Every time you VNC into your server it will prompt you to enter the server-side password. What is the meaning of that in our situation… We don’t want to leave our chair, go to the server’s room and type it in…
Open up (gnome) Applications->Accessories->Passwords and Encryption Keys
Right click Passwords:login and unlock it.
You should be able to expand the tree and find a listing for vino. Right click and delete it.
Close Passwords and Encryption Keys.
Open gconf-editor and navigate to /desktop/gnome/remote_access
Enter in your BASE64 encoded password into the vnc_password key.
Save the config and close the editor.
Reboot and you can now use your VNC client to connect to your machine without being first prompted with the keyring.
A Base64 encoder can be found at http://www.motobit.com/util/base64-decoder-encoder.asp
You can make a nice welcome home page for your server. Place some useful links on that page for quick access: Indexer (list of subfolders) – phpmyadmin (http://localhost(or .no-ip.org)/phpmyadmin/ ) – phpinfo (http://localhost(or .no-ip.org)/sysinfo/phpinfo.php) – sysinfo (http://localhost(or .no-ip.org)/sysinfo/)
Download the script “Indexer” from http://www.miniapps.ca/ and customize it. Move the script files in the web-server root folder (/var/www/). Your home page should be in plain html (index.html) and the link “Index” should point to index.php.
Phpinfo - Sysinfo
Download sysinfo from http://phpsysinfo.sourceforge.net/ and extract it at /var/www/sysinfo
Follow the directions above and password protect that folder.
Create a phpinfo.php file inside the same folder
<?php phpinfo(); ?>
Done! A useful server home page.
Install mail utilities to send and receive emails:
apt-get install mailutils
Welcome MSG – MOTD
When a user logs in to SSH (or terminal - console session) usually he sees a welcome message.
The file responsible for that message was /etc/motd
Things changed. If MOTD (message of the day) it is not installed:
apt-get install update-motd
nano /etc/update-motd.d/00-header
nano /etc/update-motd.d/10-help-text
nano /etc/issue
nano /etc/issue.net
according to your taste…
You may want to install the websafe fonts (see http://www.w3schools.com/cssref/css_websafe_fonts.asp). Some need the extra Windows fonts…
1. Copy your favorite fonts and paste them into /usr/share/fonts/windows
2. Or use the Ubuntu Software Center to install windows fonts
Transmission – I can’t think of a better torrent client. The web interface rocks. Put a strong password, configure your router and check/add/delete torrents miles away from home.
Nicotine + for soulseek. No web interface here, VNC.
Bazaar – It is a version control system that helps you track project history over time and to collaborate easily with others. Whether you're a single developer, a co-located team or a community of developers scattered across the world, Bazaar scales and adapts to meet your needs.
All of the above can be found and easily installed in the Ubuntu Software Center.
Let’s make this box a little more secure
apt-get install swatch
A very useful tool for monitoring logfiles is Swatch (aka Simple WATCHer of Logfiles).
This is a perl program that essentially watches a logfile. You can run as many instances of it as you want, but you can only watch one logfile per instance.
Depending on the log file you want to watch, you may have to run swatch with some additional privilege. For instance, /var/log/messages is likely to be the primary target for anyone interested in using swatch, but this file is readable only by root on most, if not all, systems, so Joe User can't just monitor the logfile.
A good solution here is to use sudo to give root privilege to one specific swatch command. This reduces the risk of a) opening a root shell and using it to execute swatch and b) giving root access to swatch in general, thus allowing one to view any file they want. For instance, you may use the following in your /etc/sudoers file:
user ALL = /usr/local/swatch/swatchmsgs
Then create the /usr/local/swatch/swatchmsgs script which may look like this:
#!/bin/sh
/usr/bin/swatch --config-file=/usr/local/swatch/swatchrc \
	--script-dir=/usr/local/swatch \
	--tail-file=/var/log/messages
And make sure that the swatchmsgs script is mode 700 so that no user other than root can modify it (to change the --tail-file, for example). It is probably a good idea to make the /usr/local/swatch directory accessible only by root as well, and make /usr/local/swatch/swatchrc (the configuration file) mode 600.
So now, user can execute:
$ sudo /usr/local/swatch/swatchmsgs
and watch the log messages according to the system configuration in /usr/local/swatch/swatchrc. I suggest taking this sort of precaution because logfiles are sources for a wealth of information and you don't want the wrong person able to browse them.
Configuring swatch is pretty easy. The configuration file has an extremely straightforward syntax. A typical stanza for something to monitor begins with the keywords watchfor or ignore. Each keyword takes a perl regular expression to match the message you wish to act upon. Following that, you can take a number of actions upon the matched line. You can use these actions:
- echo [modes]; this echos the matched line to stdout and the text mode can be normal, bold, inverse, a color (red, green, magenta, etc.) or a highlighted color (red_h, green_h, magenta_h, etc.).
- bell [N]; echo the matched line and send a bell N times (default is once).
- exec command; executes command, and command may contain variables which are substituted with fields from the matched line, i.e. $N will be replaced with the Nth field of the line ($3 being the third field), while $0 or $* will be replaced with the entire line. (Note that this is why you want your configuration file to be writeable only by root if you do need root privilege to view a logfile.)
- mail [addresses=address:address:...][,subject=your_text_here]; send an email to the address(es) containing the matched lines as they appear in the body of the message, with the specified subject.
- pipe command[,keep_open]; pipe matched lines into command. If you specify keep_open then the pipe will be forced to remain open until a different pipe action is run or until swatch exits.
- write [user:user:...]; use write to send matched lines to user(s) (the lines will show up on any terminals they have open).
For example, to send an email to a pager Monday through Saturday, from 8:00am to 5:00pm, you would use:
mail=pager [at] somehost [dot] com,when=1-6:8-17
All very straightforward. The big thing is to know some perl regular expressions so you can fine-tune your rules. Let's look at a few examples tested on Ubuntu 11.
# Bad login attempts
watchfor /Invalid user|Failed password|Refused connect from/
	echo red
	bell 3
	mail addresses=sysadmin\@webserver.no-ip.com,subject=Bad_login_attempt
	throttle 01:00
# login
watchfor /Accepted password for/
	echo blue
	bell 1
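To see what those stanzas do before pointing swatch at a live file, here is an added Python replay of the rules over a few constructed auth.log-style lines. It is an example written for this page, not part of swatch or the page's own configuration. It keeps swatch's first-matching-stanza semantics, adds an ignore stanza for cron noise, and applies throttle per stanza (swatch's use=regex behaviour; its default, use=message, compares the message text instead). The hostname and addresses are made up, and the timestamp year is assumed because syslog lines carry none. The `\@` in the swatchrc above is needed because swatch is a perl program; in plain Python the address is written unescaped.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the layout of Ubuntu's auth.log/messages; the host
# and addresses are documentation values, not real ones.
SAMPLE_LOG = """\
Jun  3 10:01:12 webserver sshd[2140]: Invalid user admin from 203.0.113.7
Jun  3 10:01:14 webserver sshd[2140]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun  3 10:01:20 webserver sshd[2142]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun  3 10:30:05 webserver sshd[2201]: Accepted password for user from 192.168.1.10 port 49152 ssh2
Jun  3 11:10:00 webserver CRON[2320]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun  3 11:15:45 webserver sshd[2310]: Refused connect from 198.51.100.9 (198.51.100.9)
"""

# The swatchrc stanzas expressed as data: an ignore stanza first, then the two
# watchfor stanzas with the actions they would fire.
RULES = [
    {"name": "cron_noise", "pattern": re.compile(r"pam_unix\(cron:session\)"), "ignore": True},
    {"name": "bad_login",
     "pattern": re.compile(r"Invalid user|Failed password|Refused connect from"),
     "actions": ["echo red", "bell 3", "mail sysadmin@webserver.no-ip.com"],
     "throttle": timedelta(hours=1)},
    {"name": "login",
     "pattern": re.compile(r"Accepted password for"),
     "actions": ["echo blue", "bell 1"],
     "throttle": None},
]


def parse_timestamp(line, year=2011):
    """syslog timestamps have no year; the year is an assumption so throttle math works."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def watch(lines, rules=RULES):
    """Replay lines through the rules the way swatch does: the first matching stanza
    wins, an ignore stanza drops the line, and throttle suppresses repeats of the same
    stanza inside its window. Returns (alerts, suppressed, ignored)."""
    last_fired = {}
    alerts, suppressed, ignored = [], 0, 0
    for line in lines:
        for rule in rules:
            if not rule["pattern"].search(line):
                continue
            if rule.get("ignore"):
                ignored += 1
                break
            ts = parse_timestamp(line)
            prev = last_fired.get(rule["name"])
            if rule["throttle"] and prev is not None and ts - prev < rule["throttle"]:
                suppressed += 1          # inside the throttle window: no bell, no mail
            else:
                alerts.append((rule["name"], rule["actions"], line))
                last_fired[rule["name"]] = ts
            break                        # first matching stanza wins
    return alerts, suppressed, ignored


if __name__ == "__main__":
    alerts, suppressed, ignored = watch(SAMPLE_LOG.splitlines())
    for name, actions, line in alerts:
        print(name, actions, line, sep=" | ")
    print(f"suppressed={suppressed} ignored={ignored}")
```

On the sample, the three bad-login lines at 10:01 produce one alert and two throttled repeats, the successful login fires, and the refused connection at 11:15 fires again because more than an hour has passed since the first alert. That is the trade-off of throttle: one mail per hour per stanza keeps a brute-force run from flooding your inbox, at the cost of not seeing each attempt.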
Almost all logfiles are located under the /var/log directory (and subdirectory)
The “messages” file collects important logs from all the other system and software logfiles. You can define the level of “sensitivity”.
You may notice that on an Ubuntu 11 installation /var/log/messages does not exist (see https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/762505).
cp /etc/rsyslog.d/50-default.conf /etc/rsyslog.d/50-default.bak
(back it up)
Play with it as you like. The two sections you're looking for are these:
#
# Some "catch-all" log files.
#
#*.=debug;\
#	auth,authpriv.none;\
#	news.none;mail.none	-/var/log/debug
*.=info;*.=notice;*.=warn;\
	auth,authpriv.*	-/var/log/messages
#daemon.*;mail.*;\
#	news.err;\
#	*.=debug;*.=info;\
#	*.=notice;*.=warn	|/dev/xconsole
After changes restart rsyslog
Start Swatch in a terminal window right after logging in to gnome
(gnome) System>Preferences>Startup Applications
Add a new entry
name it as swatch
and enter into the command field:
gnome-terminal -t Swatch_Monitor -x sudo /usr/local/swatch/swatchmsgs
Start swatch remotely via SSH
/usr/bin/swatch --config-file /usr/local/swatch/swatchrc
The all-time famous PC speaker beep has been disabled. Unless you have a sound card and external speakers attached, you will never hear swatch alerting you. Enable it by commenting out the pcspkr line in /etc/modprobe.d/blacklist.conf:
#blacklist pcspkr
For the GUI part (gnome running a swatch in terminal window) System>Preferences>Startup Applications
Add a new entry
name it as beep
and enter into the command field:
xset b on
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).
apt-get install denyhosts
The default file in the Ubuntu package has been pre-configured for Ubuntu/Debian systems, so most of the settings should be fine:
The denyhosts.conf comments are plain straight and will guide you to easily configure denyhosts according to your taste
If the hosts.allow and hosts.deny files are missing. Create them
touch /etc/hosts.deny
touch /etc/hosts.allow
If you want, you can tail hosts.deny / hosts.allow via swatch.
Purging hosts from /etc/hosts.deny
If there are valid hosts that end up being blocked (i.e. during testing or forgotten password, etc.), you can purge any entries in the /etc/hosts.deny file by running the denyhosts script with the --purge option. The hosts must be older than the value set in PURGE_DENY, so you may want to lower the value temporarily in order to purge the valid host (i.e. to purge entries older than 1 minute, set PURGE_DENY = 1m in the /etc/denyhosts.conf file):
Stop the DenyHosts service: /etc/init.d/denyhosts stop
Purge Hosts: denyhosts --purge
Restart the DenyHosts service: /etc/init.d/denyhosts start
broken logrotate script bug
Denyhosts stops working...
Debian Bug report logs - #608672
apply the patch at
or uninstall denyhosts
apt-get remove denyhosts
download the newest deb file from http://packages.debian.org/wheezy/all/denyhosts/download (not yet available in the Ubuntu repositories) and install it:
dpkg -i denyhosts.deb
Your OpenSSH server configuration file is located at /etc/ssh/sshd_config
Alter the important settings according to your level of security paranoia:
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
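Since the snippet above leaves PermitRootLogin at yes on a box that the no-ip section exposes to the Internet, here is an added Python example (not OpenSSH's or the page's own code) that parses sshd_config the way sshd does (comments stripped, keywords case-insensitive, first occurrence wins, unset keywords falling back to the OpenSSH 5.x era defaults) and reports the settings that fall short of a small baseline. The current snippet and a hardened variant are constructed copies; the hardened one also turns password logins off, which only makes sense once every remote user has a public key installed, so that is a flag to the audit function.

```python
# Constructed copy of the sshd_config lines shown above, plus a hardened variant for a
# box that is reachable from outside the home network. Neither is the page's own file.
CURRENT_CONFIG = """\
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

# What sshd assumes for keywords that are not set at all (OpenSSH 5.x era defaults)
DEFAULTS = {
    "logingracetime": "120",
    "permitrootlogin": "yes",
    "strictmodes": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
}


def parse_sshd_config(text):
    """Keyword -> value the way sshd reads the file: '#' starts a comment, keywords are
    case-insensitive, and the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def seconds(value):
    """LoginGraceTime accepts plain seconds or a value with an s/m/h suffix."""
    units = {"s": 1, "m": 60, "h": 3600}
    if value[-1].lower() in units:
        return int(value[:-1]) * units[value[-1].lower()]
    return int(value)


def audit(text, key_auth_ready):
    """Return (keyword, found, recommendation) for each setting weaker than the baseline.
    key_auth_ready says whether every remote user already has a public key installed;
    only then is turning password logins off safe."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["permitrootlogin"] != "no":
        findings.append(("PermitRootLogin", cfg["permitrootlogin"],
                         "no: log in as an ordinary user and use sudo, as the sudo section explains"))
    if cfg["strictmodes"] != "yes":
        findings.append(("StrictModes", cfg["strictmodes"],
                         "yes: refuse keys kept in world-writable files or directories"))
    if cfg["pubkeyauthentication"] != "yes":
        findings.append(("PubkeyAuthentication", cfg["pubkeyauthentication"], "yes"))
    if seconds(cfg["logingracetime"]) > 60:
        findings.append(("LoginGraceTime", cfg["logingracetime"],
                         "60 or less: limits how long an unauthenticated connection may hang open"))
    if key_auth_ready and cfg["passwordauthentication"] != "no":
        findings.append(("PasswordAuthentication", cfg["passwordauthentication"],
                         "no: password guessing (what DenyHosts watches for) stops working entirely"))
    return findings


if __name__ == "__main__":
    for keyword, found, advice in audit(CURRENT_CONFIG, key_auth_ready=True):
        print(f"{keyword}: found {found!r}, recommended {advice}")
```

Run against the snippet above it reports PermitRootLogin, LoginGraceTime and (when keys are in place) PasswordAuthentication; the hardened variant passes clean. After editing, `/etc/init.d/ssh restart` applies the file, and it is worth keeping a second SSH session open while you do so in case a typo locks you out.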