Ruby on Rails on Debian Etch with fastcgi and Phusion Passenger
Debian Etch has fairly current versions of Ruby and Rails that can be installed through the package management system. However, the installation of the Gem package manager does not know anything about the Rails installation. This will break software that checks Gem for Rails information. So here is my method of getting Ruby on Rails running the way I want on Debian Etch.
I assume in the following that you have a Debian Etch server up and running with Apache2 and MySQL. The bold lines can be copied and pasted into your terminal window.
1) Install the normal Debian packages for ruby and rails.
aptitude install ruby libzlib-ruby rdoc irb rubygems rails eruby
2) Now we will install fastcgi and the ruby mysql bindings. To do this you will have to edit your /etc/apt/sources.list and add the contrib and non-free options. Your main deb line should look like this:
deb http://ftp.debian.org/debian/ etch main contrib non-free
Now we do the install
aptitude update;aptitude install libapache2-mod-fastcgi libmysql-ruby apache2-prefork-dev
3) Next we update some apache modules and restart apache.
a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include
a2enmod fastcgi
/etc/init.d/apache2 force-reload
4) Now we get down to the business of updating ruby and rails.
First update gem
gem update --system
This will break gem. To fix it do
cp /usr/bin/gem1.8 /usr/bin/gem
Now update rails
gem update -d rails
If you need an older version of rails to be available, then install it like this:
gem install -d -v1.1.6 rails
This will install rails 1.1.6 (the version installed by debian package manager) and make it known to gem.
5) Now, if you want the latest rails speed-up, install Phusion Passenger
gem install passenger
passenger-install-apache2-module
The passenger install is good about telling you if you don’t have everything it needs and how to get it.
That's it. You should have a fully updated and functioning Ruby on Rails system on Debian Etch.
Dspam WebFrontend Debian Etch
I looked around and didn't find any instructions on installing the Dspam web frontend on Debian Etch. So here is how I got it working.
1) Install the debian package
aptitude install dspam-webfrontend
2) Create the Virtual Host file in /etc/apache2/sites-available. It should contain the following at least. I called it dspam.
ServerAdmin admin@yourhost.com
DocumentRoot "/var/www/dspam"
ServerName dspam.yourhost.com
SuexecUserGroup dspam dspam
Options ExecCGI
Options -Indexes
Addhandler cgi-script .cgi
DirectoryIndex dspam.cgi
3) Enable the site:
a2ensite dspam
4) Create an .htaccess file in the /var/www/dspam directory. I used digest mode.
AuthName 'Dspam'
AuthType Digest
AuthDigestProvider file
AuthUserFile /var/www/dspam.password
require valid-user
5) Create the password file for valid users with htdigest.
htdigest -c /var/www/dspam.password Dspam User1
htdigest /var/www/dspam.password Dspam User2
. . . .
6) Reload apache to make it all work
/etc/init.d/apache2 force-reload
7) Go to dspam.yoursite.com and log in.
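A check for where the digest password file lives, as an added example (not part of the original post): step 5 puts it at /var/www/dspam.password, which is outside the dspam site's /var/www/dspam but inside any other site whose DocumentRoot is /var/www. The function names are hypothetical, the config files are constructed samples, and the second site rooted at /var/www is an assumption about the host.

```sh
#!/bin/sh
# Added example: report AuthUserFile paths that sit inside a DocumentRoot.
# All function names are hypothetical. Paths containing spaces or ".."
# components are not handled.

# Print the first argument of every line that starts with the given
# directive (case-insensitive) in the listed files, with quotes removed.
directive_paths() {
    directive=$1; shift
    awk -v want="$directive" \
        'tolower($1) == tolower(want) && NF >= 2 { print $2 }' "$@" |
        tr -d "\"'"
}

# Succeed if path $1 is the directory $2 itself or lies beneath it.
# Comparing against "$root/" keeps /var/www/dspam.password from being
# counted as inside /var/www/dspam.
is_under() {
    root=${2%/}
    case "$1" in
        "$root"|"$root"/*) return 0 ;;
    esac
    return 1
}

# exposed_authfiles HTACCESS VHOST_CONF...
# Prints "authfile docroot" for each password file found inside a
# DocumentRoot. Like grep, returns 0 if something was found, 1 if not.
exposed_authfiles() {
    htaccess=$1; shift
    found=1
    for authfile in $(directive_paths AuthUserFile "$htaccess"); do
        for docroot in $(directive_paths DocumentRoot "$@"); do
            if is_under "$authfile" "$docroot"; then
                printf '%s %s\n' "$authfile" "$docroot"
                found=0
            fi
        done
    done
    return "$found"
}

# Constructed inputs modelled on steps 2 and 4, plus an assumed second
# site whose DocumentRoot is /var/www/.
demo() (
    dir=$(mktemp -d) || exit 1
    printf '%s\n' 'DocumentRoot "/var/www/dspam"' \
        'ServerName dspam.yourhost.com' > "$dir/dspam"
    printf '%s\n' 'DocumentRoot /var/www/' > "$dir/default"
    printf '%s\n' 'AuthType Digest' \
        'AuthUserFile /var/www/dspam.password' > "$dir/htaccess"
    exposed_authfiles "$dir/htaccess" "$dir/dspam" "$dir/default"
    rc=$?
    rm -rf "$dir"
    exit "$rc"
)
demo
```

If the check reports a match, keeping the password file outside every DocumentRoot and pointing AuthUserFile at the new path removes the overlap.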
Linux SSH key setup
Step 1 -- Generate the DSA key pair
ssh-keygen -t dsa
Step 2 -- Copy key to remote server
cd
scp .ssh/id_dsa.pub user@server:~/
Step 3 -- Log on to the remote server and append key to authorized_keys
ssh server
cat id_dsa.pub >> .ssh/authorized_keys
That's it.
Install Apache2 with perl and php5 support
Install Apache2 with php and perl support
apt-get install apache2 apache2-doc
apt-get install libapache2-mod-php5 libapache2-mod-perl2 php5 php5-cli php5-common php5-curl php5-dev php5-gd php5-imap php5-ldap php5-mhash php5-mysql php5-odbc php-pear curl libwww-perl imagemagick xml-core
Edit /etc/apache2/ports.conf and add Listen 443:
Listen 80
Listen 443
Now we have to enable some Apache modules (SSL, rewrite and suexec):
a2enmod ssl;a2enmod rewrite;a2enmod suexec
Restart Apache
/etc/init.d/apache2 restart
Basic Debian Server (Etch)
I have some new server hardware I am putting into service and since my last round of server building the version of Debian has changed and thus the process has changed.
In order to keep notes for myself, here is the new process. This will be the first of several posts updating how I set up my servers.
Go to Debian.org to get the netinstall image. Below are the details of using the Debian NetInstall disk to get a basic server up and running.
New Debian Server 4.0 Etch
Boot the Netinstall Disk choosing a mail server.
Now login to the server through ssh.
First update your system to the latest versions. But before doing that, add the line for volatile sources to /etc/apt/sources.list
nano /etc/apt/sources.list
deb http://volatile.debian.org/debian-volatile etch/volatile main contrib non-free
aptitude update;aptitude upgrade
Now install some basic software. Note you can cut and paste the following command lines. Command lines are in bold.
aptitude install wget bzip2 rdate fetchmail unzip zip ncftp libarchive-zip-perl zlib1g-dev libpopt-dev nmap openssl lynx fileutils binutils linux-kernel-headers build-essential
aptitude install fetchmailconf ca-certificates ntp-doc ntp ntpdate joe arj lha
Note I added the joe editor as it's my favorite (love those wordstar bindings) but you can substitute your favorite.
Remove some software not needed on an internet server
aptitude remove lpr nfs-common portmap pidentd pcmcia-cs pppoe pppoeconf ppp pppconfig
Now edit .bashrc to set things up like I expect.
Change it from:
# ~/.bashrc: executed by bash(1) for non-login shells.
export PS1='\h:\w\$ '
umask 022
# You may uncomment the following lines if you want `ls' to be colorized:
# export LS_OPTIONS='--color=auto'
# eval "`dircolors`"
# alias ls='ls $LS_OPTIONS'
# alias ll='ls $LS_OPTIONS -l'
# alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
# alias rm='rm -i'
# alias cp='cp -i'
# alias mv='mv -i'
to
# ~/.bashrc: executed by bash(1) for non-login shells.
export PS1='\[\033[1;33m\]\u\[\033[1;37m\]@\[\033[1;32m\]\h\[\033[1;31m\]\w\[\033[1;36m\]\$ \[\033[0m\]'
umask 022
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
Exit and relogin to see the changes
Since I use the Joe Editor and let it make backups, there can be a lot of backups around. To deal with them I have created a little batch file to remove them in any directory tree. So now we will create this little batch file.
touch /usr/sbin/rmbak
Now edit that file and insert the following contents:
#!/bin/bash
echo "Deleting backup files . . ."
find . -name '*~' -print -exec rm {} \;
Make this file executable with chmod and it is ready to go.
Verify that /etc/network/interfaces and /etc/resolv.conf are correct; if not, fix them.
Set the hostname
echo someserver.somehost.net > /etc/hostname
hostname -F /etc/hostname
Update some services
update-inetd --remove daytime;update-inetd --remove telnet;update-inetd --remove time;update-inetd --remove finger
update-inetd --remove talk;update-inetd --remove ntalk;update-inetd --remove ftp
Ok now we have a base system to work from.
Debian Etch Apache 2.2 and mod_fastcgi
I recently got around to upgrading a server I had running Debian Sarge. The upgrade went fairly well except for Apache 2.2 and mod_fcgi. Apache would not load with the version of mod_fcgi I had been using (2.4.2). So I went looking for the fix.
The previous setup I was running I detailed here. I modified this install by upgrading the mod_fastcgi code by doing the following:
cd /usr/local/src
wget http://www.fastcgi.com/dist/mod_fastcgi-SNAP-0404142202.tar.gz
tar -zxf mod_fastcgi-SNAP-0404142202.tar.gz
cd mod_fastcgi-SNAP-0404142202
I then created a file I called ap22.patch in the /usr/local/mod_fastcgi-SNAP-0404142202 directory with the following contents:
----------------------------------- cut -------------------------------------
diff -ruN mod_fastcgi-2.4.2/fcgi.h mod_fastcgi-2.4.2-ap22/fcgi.h
--- mod_fastcgi-2.4.2/fcgi.h 2003-02-04 00:07:37.000000000 +0100
+++ mod_fastcgi-2.4.2-ap22/fcgi.h 2005-12-07 21:05:55.000000000 +0100
@@ -73,6 +73,36 @@
#define ap_reset_timeout(a)
#define ap_unblock_alarms()
+/* starting with apache 2.2 the backward-compatibility defines for
+ * 1.3 APIs are not available anymore. Define them ourselves here.
+ */
+#ifndef ap_copy_table
+
+#define ap_copy_table apr_table_copy
+#define ap_cpystrn apr_cpystrn
+#define ap_destroy_pool apr_pool_destroy
+#define ap_isspace apr_isspace
+#define ap_make_array apr_array_make
+#define ap_make_table apr_table_make
+#define ap_null_cleanup apr_pool_cleanup_null
+#define ap_palloc apr_palloc
+#define ap_pcalloc apr_pcalloc
+#define ap_psprintf apr_psprintf
+#define ap_pstrcat apr_pstrcat
+#define ap_pstrdup apr_pstrdup
+#define ap_pstrndup apr_pstrndup
+#define ap_push_array apr_array_push
+#define ap_register_cleanup apr_pool_cleanup_register
+#define ap_snprintf apr_snprintf
+#define ap_table_add apr_table_add
+#define ap_table_do apr_table_do
+#define ap_table_get apr_table_get
+#define ap_table_set apr_table_set
+#define ap_table_setn apr_table_setn
+#define ap_table_unset apr_table_unset
+
+#endif /* defined(ap_copy_table) */
+
#if (defined(HAVE_WRITEV) && !HAVE_WRITEV && !defined(NO_WRITEV)) || defined WIN32
#define NO_WRITEV
#endif
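Review bot: in fcgi.h the whole compatibility block is guarded by a single `#ifndef ap_copy_table`, so every other name in it is defined or skipped based on that one macro. If a header supplies `ap_copy_table` but not, say, `ap_table_setn`, the build still fails, and if it supplies some of the others but not `ap_copy_table`, those get redefined. Guard each `#define` with its own `#ifndef`, or key the block on the Apache version. The comment on the closing `#endif` should also read `!defined(ap_copy_table)` to match the `#ifndef` it closes.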
diff -ruN mod_fastcgi-2.4.2/Makefile.AP2 mod_fastcgi-2.4.2-ap22/Makefile.AP2
--- mod_fastcgi-2.4.2/Makefile.AP2 2002-07-29 03:36:34.000000000 +0200
+++ mod_fastcgi-2.4.2-ap22/Makefile.AP2 2005-12-07 20:27:50.000000000 +0100
@@ -20,8 +20,6 @@
all: local-shared-build
-install: install-modules
-
clean:
-rm -f *.o *.lo *.slo *.la
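Review bot: dropping `install: install-modules` from Makefile.AP2 leaves no `install` rule in the visible lines of this file, and nothing in the patch says where `make install` is meant to resolve after the change. Add a comment at the removed line's position naming the rule that replaces it, so a later reader does not re-add a conflicting target.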
-------------------------- cut ---------------------------------------------
This patch came from http://www.fastcgi.com/archives/fastcgi-developers/2005-December/004060.html.
Then I applied the patch with:
patch -p 1 < ap22.patch
I copied Makefile.AP2 to Makefile and did the make and install.
cp Makefile.AP2 Makefile
make top_dir=/usr/share/apache2
make install top_dir=/usr/share/apache2
I then restarted apache -- actually started it because it wouldn't start before and it works!
Hope this helps someone. Tomw
Exim4 Mailq Manager
I have a couple of backup mail servers that get a lot of spam and their mailqs fill up quickly. I looked around for a simple package to manage the queue through a webserver and found none. So I created one and offer it up for all to use. (GPL)
All the real work is done in a php script run by cron. This script first checks for messages to be deleted and does so if necessary; then it creates the html files needed for the files currently in the queue.
The html interface displays a list of the messages in the queue. With each message, you can view the header or body and mark it for deletion. Since the messages are only deleted by the cron job, you can also unmark them.
Click > Mailq Manager 1.0 < to download the package.
Note: I have only used this on some Debian boxen -- If you use it on something else and run into trouble, please let me know.
Enjoy
Installing ProFtpd
In the last of my server howtos, we will find out how to install proftpd on the Basic Debian Server.
Install Proftpd
 
apt-get install proftpd
To the prompt: Run proftpd from inetd or standalone? answer standalone
For security reasons you can add the following lines to /etc/proftpd.conf
joe /etc/proftpd.conf
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
and restart Proftpd:
/etc/init.d/proftpd restart
Simple IPTables Firewall Scripts
When I set up my latest batch of servers I looked around for a simple iptables firewall script and did not find any that I liked. So I took what I found and created my own. Here are the scripts and simple usage and installation instructions.
My firewall consists of two scripts and one file which holds malicious IPs I wish to block.
The main script ipreset sets up the main firewall rules. You should edit this script to set your IP and comment/uncomment the rules for your environment.
The secondary script helps you keep track of malicious IPs. It is called ipblock and it does exactly that.
The third file is just a simple list of malicious IPs you wish to block. The default location for this file is /etc/ipblock
To install these scripts, simply create them from the source below somewhere in your path. I use /usr/sbin. Then create the directory /etc/ipblock and a blank file in that directory called dropip. Edit the ipreset file and set the IP address of your server and the IP address of a computer you always want to have access to the server through ssh. While you are there, comment/uncomment the various rules you want to use.
By default the script is set up for a Debian system -- though there are instructions at the end of the file you might need to follow. It can also be used with a Red Hat system if a small modification is made, also at the end of the ipreset file.
To use the scripts, execute ipreset to install the basic rules and read the dropip file and insert the drops from it.
To add an IP to the drop list simply execute the ipblock script with the IP as the argument. You can also remove the block by executing the script with off as the second parameter. Thus:
ipblock 12.12.12.12
will block ip 12.12.12.12. Whereas
ipblock 12.12.12.12 off
will remove the block
The scripts are pretty much self-explanatory and easy to hack. Enjoy.
#!/bin/bash
# file: ipreset
#
# Copyright (C) 2006 by the following authors:
# Authors Tom Willett tomw AT pigstye DOT net
#
# Licensed under GNU General Public License
#
# Configuration Variables
#
# IP of machine
ip=12.12.12.12
# IP of machine that should always have ssh access
safeip=12.12.12.13
#Flush all rules
iptables -F
#Make it possible to get in from my machine at all time through ssh
iptables -A INPUT -s $safeip -d $ip -p tcp --dport 22 -j ACCEPT
#Now allow normal traffic
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#Rejects first
#block outside IP addresses that are causing problems
#iptables -A INPUT -s 12.12.12.12 -j LOG
#iptables -A INPUT -s 12.12.12.12 -j DROP
# or the easier way
# Read from dropip file
drop_ip() {
    iptables -A INPUT -s $1 -j LOG --log-prefix "IPDROP"
    iptables -A INPUT -s $1 -j DROP
}
load_ips() {
    if [ ! -e /etc/ipblock/dropip ]
    then
        return
    fi
    sort /etc/ipblock/dropip > /etc/ipblock/t
    uniq /etc/ipblock/t > /etc/ipblock/dropip
    rm -f /etc/ipblock/t
    dropips=`cat /etc/ipblock/dropip`
    for i in $dropips
    do
        drop_ip $i
        echo "Blocking ${i}."
    done
}
load_ips
#Open Up Our Ports
# Note Only open up ports you need to for serving things by commenting or uncommenting
# MYSQL (Allow Remote Access To Particular IP):
# iptables -A INPUT -s 172.50.3.45 -d $ip -p tcp --dport 3306 -j ACCEPT
# SSH:
iptables -A INPUT -d $ip -p tcp --dport 22 -j ACCEPT
#Sendmail/Postfix:
iptables -A INPUT -d $ip -p tcp --dport 25 -j ACCEPT
# FTP: (Notice how you can specify a range of ports 20-21)
iptables -A INPUT -d $ip -p tcp --dport 20:21 -j ACCEPT
# Passive FTP Ports Maybe: (Again, specifying ports 50000 through 50050 in one rule)
iptables -A INPUT -d $ip -p tcp --dport 50000:50050 -j ACCEPT
# HTTP/Apache
iptables -A INPUT -d $ip -p tcp --dport 80 -j ACCEPT
# SSL/Apache
iptables -A INPUT -d $ip -p tcp --dport 443 -j ACCEPT
# IMAP
iptables -A INPUT -d $ip -p tcp --dport 143 -j ACCEPT
# IMAPS
iptables -A INPUT -d $ip -p tcp --dport 993 -j ACCEPT
# POP3
# iptables -A INPUT -d $ip -p tcp --dport 110 -j ACCEPT
# POP3S
# iptables -A INPUT -d $ip -p tcp --dport 995 -j ACCEPT
# Any Traffic From Localhost:
iptables -A INPUT -d $ip -s 127.0.0.1 -j ACCEPT
# Auth
iptables -A INPUT -d $ip -p tcp --dport 113 -j ACCEPT
# ICMP/Ping:
iptables -A INPUT -d $ip -p icmp -j ACCEPT
#DNS
#iptables -A INPUT -d $ip -p tcp --dport 53 -j ACCEPT
#iptables -A INPUT -d $ip -p udp --dport 53 -j ACCEPT
# Drop and log all udp below 1024.
iptables -A INPUT -i ! lo --proto udp --dport :1023 -j LOG --log-prefix "UDP Drop "
iptables -A INPUT -i ! lo --proto udp --dport :1023 -j DROP
# Authorize > 1024 udp packets.
iptables -A INPUT --proto udp --dport 1024: -j ACCEPT
# GLOBAL REJECTS LAST:
# Reject everything else to that IP and log it:
iptables -A INPUT -d $ip -j LOG --log-prefix "REJECTED "
iptables -A INPUT -d $ip -j REJECT
# Save your rules so they will be loaded on reboot
# This is the Debian iptables init script
# Sarge does not have this installed by default now so use
# gunzip /usr/share/doc/iptables/examples/oldinitdscript.gz -c > /etc/init.d/iptables
# chmod +x /etc/init.d/iptables
# mkdir /var/lib/iptables
# chmod 700 /var/lib/iptables
/etc/init.d/iptables save active
# For RedHat use
# /etc/init.d/iptables save
# Now display your new ruleset
iptables -L -n
#!/bin/bash
#
# file: ipblock
#
# Copyright (C) 2006 by the following authors:
# Authors Tom Willett tomw AT pigstye DOT net
#
# Licensed under GNU General Public License
#
# Based on Gentoo Linux Dynamic Firewall Scripts 1.0
# Copyright 2001 Gentoo Technologies, Inc.
# Distributed under the GPL
# contact:
#
# Refuse to run without an address; an empty argument would match every entry
if [ -z "$1" ]
then
    echo "Usage: ipblock IP [off]"
    exit 1
fi
# Add or remove IP from dropip file
drop_check() {
    local isthere
    local doerror
    isthere="no"
    if [ -e /etc/ipblock/dropip ]
    then
        # -F -x: literal, whole-line match, so 12.12.12.1 does not match 12.12.12.12
        mygrep=`grep -Fx -- "${1}" /etc/ipblock/dropip`
        if [ "$mygrep" != "" ]
        then
            isthere="yes"
        fi
    fi
    doerror="no"
    if [ "${2}" = "off" ]
    then
        if [ "${isthere}" = "no" ]
        then
            doerror="yes"
        fi
    elif [ "${isthere}" = "yes" ]
    then
        doerror="yes"
    fi
    if [ "${doerror}" = "yes" ]
    then
        echo "Already Blocked: Exiting."
        exit 1
    fi
}
record() {
    echo "$1" >> /etc/ipblock/dropip
}
unrecord() {
    if [ ! -e /etc/ipblock/dropip ]
    then
        return
    fi
    # Keep every line except the exact address being removed
    myinfo=`grep -Fxv -- "${1}" /etc/ipblock/dropip`
    cat /dev/null > /etc/ipblock/dropip
    for x in $myinfo
    do
        echo $x >> /etc/ipblock/dropip
    done
}
if [ "$2" == "off" ]
then
    FUNCT="D"
    drop_check "$1" "$2"
    unrecord "$1"
else
    FUNCT="I"
    drop_check "$1"
    record "$1"
fi
# Uncomment the following block to have instant addition and deletion of the iptables
# rules. It is best, however, to use ipreset to set rules.
# note rules are inserted at the front of the chain in order listed so drop is first
if [ "$FUNCT" == "I" ]
then
    iptables -I INPUT 3 -s "$1" -j DROP
    iptables -I INPUT 3 -s "$1" -j LOG --log-prefix "IPDROP"
    whois "$1"
elif [ "$FUNCT" == "D" ]
then
    iptables -D INPUT -s "$1" -j DROP
    iptables -D INPUT -s "$1" -j LOG --log-prefix "IPDROP"
fi
echo "IP ${1} block ${2}."
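Validated, exact-match maintenance of a drop list like /etc/ipblock/dropip, as an added example that is not part of the original scripts: a pattern lookup such as `grep ^12.12.12.1` also hits 12.12.12.12 and 12.12.12.100, so an add can be refused as a duplicate and a removal can take neighbouring entries with it. DROPFILE and all function names are assumptions for illustration, and the demo runs on constructed entries in a temporary file.

```sh
#!/bin/sh
# Added example: validated, exact-match maintenance of a drop list.
# DROPFILE and every function name here are hypothetical.
DROPFILE=${DROPFILE:-/etc/ipblock/dropip}

# Succeed only for a dotted-quad IPv4 address, octets 0-255, no leading zeros.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# True if the exact address is listed (-F literal string, -x whole line).
list_has() {
    [ -f "$DROPFILE" ] && grep -Fxq -- "$1" "$DROPFILE"
}

# Add an address once. Returns 2 on invalid input, 1 if already listed.
list_add() {
    valid_ipv4 "$1" || return 2
    list_has "$1" && return 1
    printf '%s\n' "$1" >> "$DROPFILE"
}

# Remove one address. Returns 2 on invalid input, 1 if it was not listed.
list_remove() {
    valid_ipv4 "$1" || return 2
    list_has "$1" || return 1
    tmp=$(mktemp "${DROPFILE}.XXXXXX") || return 3
    # grep exits 1 when nothing is left to print; only >1 is an error.
    grep -Fxv -- "$1" "$DROPFILE" > "$tmp" || [ "$?" -eq 1 ] ||
        { rm -f "$tmp"; return 3; }
    mv "$tmp" "$DROPFILE"
}

# Constructed data: 12.12.12.1 shares a prefix with both listed addresses.
demo() (
    DROPFILE=$(mktemp) || exit 1
    printf '%s\n' 12.12.12.12 12.12.12.100 > "$DROPFILE"
    list_add 12.12.12.1        # not treated as "already blocked"
    list_remove 12.12.12.1     # removes only the exact entry
    paste -sd, "$DROPFILE"
    rm -f "$DROPFILE"
)
demo
```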
Install DNS-Server (Bind9)
This is a howto for installing Bind9 as a DNS server on the Basic Debian Server.
Install DNS-Server
apt-get install bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user 'bind', chrooted to /var/lib/named. Modify the line: OPTS="-u bind" so that it reads OPTS="-u bind -t /var/lib/named":
OPTS="-u bind -t /var/lib/named"
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc;mkdir /var/lib/named/dev;mkdir -p /var/lib/named/var/cache/bind;mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3;mknod /var/lib/named/dev/random c 1 8;chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random;chown -R bind:bind /var/lib/named/var/*;chown -R bind:bind /var/lib/named/etc/bind
We need to modify the startup script /etc/init.d/sysklogd of sysklogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log"
#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.
PATH=/bin:/usr/bin:/sbin:/usr/sbin
pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd
test -x $binpath || exit 0
# Options for start/restart the daemons
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"
create_xconsole()
{
if [ ! -e /dev/xconsole ]; then
mknod -m 640 /dev/xconsole p
else
chmod 0640 /dev/xconsole
fi
chown root:adm /dev/xconsole
}
running()
{
# No pidfile, probably no daemon present
#
if [ ! -f $pidfile ]
then
return 1
fi
pid=`cat $pidfile`
# No pid, probably no daemon present
#
if [ -z "$pid" ]
then
return 1
fi
if [ ! -d /proc/$pid ]
then
return 1
fi
cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1`
# No syslogd?
#
if [ "$cmd" != "$binpath" ]
then
return 1
fi
return 0
}
case "$1" in
start)
echo -n "Starting system log daemon: syslogd"
create_xconsole
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
echo "."
;;
stop)
echo -n "Stopping system log daemon: syslogd"
start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
echo "."
;;
reload|force-reload)
echo -n "Reloading system log daemon: syslogd"
start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
echo "."
;;
restart)
echo -n "Restarting system log daemon: syslogd"
start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
sleep 1
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
echo "."
;;
reload-or-restart)
if running
then
echo -n "Reloading system log daemon: syslogd"
start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
else
echo -n "Restarting system log daemon: syslogd"
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
fi
echo "."
;;
*)
echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
exit 1
esac
exit 0
Restart the logging daemon:
/etc/init.d/sysklogd restart
Start up BIND, and check /var/log/syslog for any errors:
/etc/init.d/bind9 start;tail -f /var/log/syslog
