Ubuntu Tutorials & How-To's

Ubuntu 11.10 – Incremental Backups with Rsync

This will show you how to do incremental backups using rsync. This was done on Ubuntu 11.10 Oneiric Server Edition. Each time a backup is run the oldest backup is removed, and all the unchanged files from the newest backup are hard linked into the next backup. Hard links allow the data of a file to exist in multiple locations on the file system. A hard link is only an additional name for data that already exists on a partition; the operating system makes no distinction between the original file and the hard link created from it. If the original file is deleted, the data will remain on the partition as long as at least one hard link exists.

The script below will keep 7 backups; each time a backup is run the oldest backup will be deleted.

#!/bin/sh
# Drop the oldest generation, shift the remaining ones up by one number,
# then back up into backup.0, hard linking any file that is unchanged
# since the previous run (backup.1) instead of copying it again.
rm -rf /backups/backup.7
mv /backups/backup.6 /backups/backup.7
mv /backups/backup.5 /backups/backup.6
mv /backups/backup.4 /backups/backup.5
mv /backups/backup.3 /backups/backup.4
mv /backups/backup.2 /backups/backup.3
mv /backups/backup.1 /backups/backup.2
mv /backups/backup.0 /backups/backup.1
rsync --archive --progress --delete --super --hard-links --acls --xattrs --link-dest=/backups/backup.1 /source /backups/backup.0

The first line deletes the oldest backup. The next 7 lines increment each backup number so that "backup.6" becomes "backup.7". Options "--archive --hard-links --acls --xattrs" preserve file permissions, modification times, file links and some other attributes. If you don't want to back up file permissions or don't use ACLs you can remove some of these settings. Options "--progress --super" show a progress bar when copying files and tell rsync to run as root, which is needed to preserve file owners. Option "--delete" deletes extraneous files from the backup: by default, if a file is deleted from the source location rsync keeps the file in the backup; including this option removes any files from the backup that no longer exist on the source location. This option will not delete any files from previous backups.

Option "--link-dest=/backups/backup.1" is the folder that rsync will use for hard links. Any files found in this folder that have not changed will be hard linked into the next backup, then any changed or new files will be copied. "/source" is the directory that rsync will back up. "/backups/backup.0" is the directory to place the newest backup in; any changes to this location will need to be reflected in the previous 8 lines.

To run the backup every day, create a file in "/etc/cron.daily".

administrator@ubuntu:~$ sudo nano /etc/cron.daily/rsyncbackup

After adding the lines above to the file and saving, give the file executable permissions.

administrator@ubuntu:~$ sudo chmod +x /etc/cron.daily/rsyncbackup
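Added example, not part of the tutorial: a Python check to run after a backup that walks backup.0 and backup.1, reports which files were hard linked by --link-dest, which were copied afresh, and how much space the two generations really occupy (a wrong --link-dest path silently turns every run into a full copy, and this makes that visible). The fixture it builds in a temp directory is constructed to imitate what rsync leaves behind; point compare_backups() at your real /backups/backup.0 and /backups/backup.1 instead.

```python
"""Check that an rsync --link-dest rotation really shared unchanged files.

Added example, not from the tutorial.  After a run, a file that did not
change should be the same inode in backup.0 and backup.1; a changed file
must be a fresh copy.
"""
import os
import tempfile


def compare_backups(newest, previous):
    """Classify every file in `newest` against `previous`.

    Returns a dict with lists of relative paths:
      linked - same inode in both trees (unchanged, hard linked)
      copied - in both trees but a different inode (changed, fresh copy)
      new    - only present in `newest`
    plus apparent_bytes (sum of both trees' file sizes) and unique_bytes
    (each inode counted once: what the two generations really occupy).
    """
    result = {"linked": [], "copied": [], "new": []}
    seen, apparent, unique = set(), 0, 0
    for root in (newest, previous):
        for dirpath, _, files in os.walk(root):
            for name in files:
                st = os.lstat(os.path.join(dirpath, name))
                apparent += st.st_size
                if (st.st_dev, st.st_ino) not in seen:
                    seen.add((st.st_dev, st.st_ino))
                    unique += st.st_size
    for dirpath, _, files in os.walk(newest):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, newest)
            old = os.path.join(previous, rel)
            if not os.path.lexists(old):
                result["new"].append(rel)
            elif os.path.samefile(path, old):
                result["linked"].append(rel)
            else:
                result["copied"].append(rel)
    result["apparent_bytes"] = apparent
    result["unique_bytes"] = unique
    return result


def build_fixture():
    """Constructed sample that imitates what --link-dest leaves behind."""
    base = tempfile.mkdtemp(prefix="rsync-linkdest-demo-")
    prev = os.path.join(base, "backup.1")   # previous generation
    new = os.path.join(base, "backup.0")    # the run just made
    os.makedirs(os.path.join(prev, "etc"))
    os.makedirs(os.path.join(new, "etc"))
    for rel, data in (("etc/hosts", b"127.0.0.1 localhost\n"),
                      ("etc/motd", b"welcome\n"),
                      ("notes.txt", b"version one\n")):
        with open(os.path.join(prev, rel), "wb") as fh:
            fh.write(data)
    # unchanged files: rsync hard links them from the --link-dest tree
    for rel in ("etc/hosts", "etc/motd"):
        os.link(os.path.join(prev, rel), os.path.join(new, rel))
    # a changed file gets a fresh copy, a new file simply appears
    with open(os.path.join(new, "notes.txt"), "wb") as fh:
        fh.write(b"version two, longer\n")
    with open(os.path.join(new, "etc", "issue"), "wb") as fh:
        fh.write(b"Ubuntu 11.10\n")
    return new, prev


def demo():
    """Build the fixture, run the check and print a short report."""
    new, prev = build_fixture()
    report = compare_backups(new, prev)
    for kind in ("linked", "copied", "new"):
        print("%-6s %s" % (kind, sorted(report[kind])))
    print("apparent %d bytes, really used %d bytes"
          % (report["apparent_bytes"], report["unique_bytes"]))
    return report


if __name__ == "__main__":
    demo()
```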

Ubuntu 10.04 – iSCSI

This will show you how to install an iSCSI target and initiator on Ubuntu 10.04 Lucid Server Edition.

First install the iSCSI target on the server that will be sharing the disk.

administrator@ubuntu0:~$ sudo aptitude install iscsitarget

Edit “/etc/default/iscsitarget” and change the line below to enable the iSCSI target.

administrator@ubuntu0:~$ sudo nano /etc/default/iscsitarget
ISCSITARGET_ENABLE=true

If you want to create a disk image file instead of sharing an entire disk partition, use fallocate to create the image file. Change 1024m to the size in MiB you want the disk image to allocate.

administrator@ubuntu0:~$ sudo fallocate -l 1024m /media/disk0.img

Edit the iSCSI target configuration file "/etc/ietd.conf" (newer versions of Ubuntu use "/etc/iet/ietd.conf"). Change the target name, the IncomingUser username/password, and the LUN path and alias. The OutgoingUser can also be given a username/password if you want the extra security.

administrator@ubuntu0:~$ sudo nano /etc/ietd.conf
Target iqn.2011-07.com.example:storage.disk0
IncomingUser username password
OutgoingUser
Lun 0 Path=/media/disk0.img,Type=fileio
Alias LUN0

Edit the iSCSI target permissions file "/etc/initiators.allow" (newer versions of Ubuntu use "/etc/iet/initiators.allow"). Comment out "ALL ALL" and add the target name used above and the IP address of the initiator.

administrator@ubuntu0:~$ sudo nano /etc/initiators.allow
#ALL ALL
iqn.2011-07.com.example:storage.disk0 10.0.0.51

Start the iSCSI target.

administrator@ubuntu0:~$ sudo /etc/init.d/iscsitarget start
* Starting iSCSI enterprise target service                              [ OK ]

On the iSCSI initiator install open-iscsi.

administrator@ubuntu1:~$ sudo aptitude install open-iscsi

Edit the iSCSI initiator configuration file "/etc/iscsi/iscsid.conf". Comment out "node.startup = manual" and uncomment "node.startup = automatic". This will automatically connect the iSCSI disk on startup.

administrator@ubuntu1:~$ sudo nano /etc/iscsi/iscsid.conf
node.startup = automatic
# node.startup = manual

Restart the iSCSI initiator, then do a sendtargets discovery on the target; a list of available iSCSI disks should be shown. Change the IP address to your iSCSI target.

administrator@ubuntu1:~$ sudo /etc/init.d/open-iscsi restart
administrator@ubuntu1:~$ sudo iscsiadm -m discovery -t st -p 10.0.0.50
10.0.0.50:3260,1 iqn.2011-07.com.example:storage.disk0

Set the authentication method, username and password using the commands below. Change the IP address to your iSCSI target and the username/password to the ones set in ietd.conf.

administrator@ubuntu1:~$ sudo iscsiadm -m node -T iqn.2011-07.com.example:storage.disk0 -p 10.0.0.50 -o update -n node.session.auth.authmethod -v CHAP
administrator@ubuntu1:~$ sudo iscsiadm -m node -T iqn.2011-07.com.example:storage.disk0 -p 10.0.0.50 -o update -n node.session.auth.username -v username
administrator@ubuntu1:~$ sudo iscsiadm -m node -T iqn.2011-07.com.example:storage.disk0 -p 10.0.0.50 -o update -n node.session.auth.password -v password

Log in to the iSCSI target using the command below. Change the IP address to your iSCSI target.

administrator@ubuntu1:~$ sudo iscsiadm -m node -T iqn.2011-07.com.example:storage.disk0 -p 10.0.0.50 --login
Logging in to [iface: default, target: iqn.2011-07.com.example:storage.disk0, portal: 10.0.0.50,3260]
Login to [iface: default, target: iqn.2011-07.com.example:storage.disk0, portal: 10.0.0.50,3260]: successful

Use lshw to find the iSCSI disk.

administrator@ubuntu1:~$ sudo lshw -C disk
*-disk
description: SCSI Disk
product: VIRTUAL-DISK
vendor: IET
physical id: 0.0.0
bus info: scsi@3:0.0.0
logical name: /dev/sdb
version: 0
size: 1GiB (1073MB)
capacity: 1GiB (1073MB)
capabilities: 15000rpm
configuration: ansiversion=4

Ubuntu 10.04 – Amazon S3 Encrypted Backups with Duplicity and Trickle

This will show you how to setup backups to Amazon S3 (other storage services can be used instead) with Duplicity on Ubuntu 10.04 Lucid Server Edition. Trickle will be used to throttle the speed of the backups.

First install "python-software-properties", which is needed for "apt-add-repository". Desktop edition will already have "apt-add-repository" installed. Then add the Duplicity repository, as the Ubuntu repository has an old version. Then update apt and install duplicity and trickle. Package "python-boto" is needed for duplicity to connect to Amazon S3 storage; if you're using a different storage service you shouldn't need the package. Package "trickle" is used to throttle the speed of the backup and isn't needed if you don't want to throttle the backup.

administrator@ubuntu:~$ sudo aptitude install python-software-properties
administrator@ubuntu:~$ sudo apt-add-repository ppa:duplicity-team/ppa
administrator@ubuntu:~$ sudo aptitude update
administrator@ubuntu:~$ sudo aptitude install duplicity python-boto trickle

Create a script in the home directory that will be used to run the backup. The first two lines are your Amazon access credentials, which can be found in your account info. The first part of the next line, "trickle -s -u 500 -d 1000", is used to throttle the speed of the backup. Option "-s" runs trickle in standalone mode; by default it looks for trickled, which can be used to control multiple trickle processes. Option "-u 500 -d 1000" sets the upload speed to 500 kbytes/s and download to 1000 kbytes/s; duplicity will only need to download the signatures file if the local copy was deleted from "~/.cache" when running backups. Leave the first part out if you don't want to throttle the speed. Option "--verbosity 5" outputs status messages as the backup copies files; by default no output is displayed until the backup completes. Option "--s3-unencrypted-connection" uses a plain text HTTP connection to the Amazon storage server, which will be faster; the backup data will already be encrypted before it is sent to the server. The Amazon access credentials will be sent in plain text, so if you're on an insecure network don't use this option. Option "--gpg-options "--s2k-cipher-algo=AES256"" uses AES-256 for the encryption; by default CAST5 is used, which has a smaller key size. Option "--exclude "/media/storage/temp/"" is used to exclude directories from the backup. The next option is the source directory "/media/storage/". The last part "s3+http://BUCKET_NAME/PREFIX" is the location of your Amazon S3 bucket; if your bucket's name is "backupdata" the URL will be "s3+http://backupdata/backup01" and the program will add Amazon's S3 domain. The prefix is optional and is the folder the backups will be saved in. Other backup locations can be used, which are listed in the manual; just run "man duplicity". The first backup will be a full backup and all backups after that are incremental backups; adding "full" after "duplicity" will specify to run a new full backup.

administrator@ubuntu:~$ nano .backup
export AWS_ACCESS_KEY_ID=AMAZON ACCESS KEY ID
export AWS_SECRET_ACCESS_KEY=AMAZON SECRET ACCESS KEY
trickle -s -u 500 -d 1000 duplicity --verbosity 5 --s3-unencrypted-connection --gpg-options "--s2k-cipher-algo=AES256" --exclude "/media/storage/temp/" /media/storage/ s3+http://BUCKET_NAME/PREFIX
export AWS_ACCESS_KEY_ID=
export AWS_SECRET_ACCESS_KEY=

To run the backup just run “sudo sh .backup” and it will ask you to enter an encryption password. The encryption password will need to be entered every time the backup is run and will be needed to restore the data.

administrator@ubuntu:~$ sudo sh .backup
GnuPG passphrase:
Retype passphrase to confirm:

If you want to close the SSH session while running the backup you can use screen to run it in the background. Run "screen" to start a new screen, then start the backup and press Ctrl+A followed by D to detach. To restore the screen type "screen -r " then press Tab and it should auto-complete; if not, run "screen -ls" to get a list of screens.

administrator@ubuntu:~$ screen
administrator@ubuntu:~$ sudo sh .backup
administrator@ubuntu:~$ screen -ls
There is a screen on:
17271.pts-35.ubuntu    (03/29/2011 04:40:30 AM)    (Detached)
1 Socket in /var/run/screen/S-administrator.
administrator@ubuntu:~$ screen -r 17271.pts-35.ubuntu

To check the encryption and ensure AES-256 is used, do a test run with duplicity to local storage. Then run the second command below (any of the gpg backup files can be used), which should return "cipher 9", "s2k 3" and "hash 2". Cipher is set with "--s2k-cipher-algo=AES256", s2k is set with "--s2k-mode=3", which should be the default, and hash is set with "--s2k-digest-algo=SHA1", which should also be the default. The numbers for the settings come from "gpg -v --version".

administrator@ubuntu:~$ duplicity --verbosity 5 --s3-unencrypted-connection --gpg-options "--s2k-cipher-algo=AES256" --exclude "/media/storage/temp/" /media/storage/ file:///media/temp/
administrator@ubuntu:~$ gpg --list-packets /media/temp/duplicity-full.20110330T214158Z.manifest.gpg
:symkey enc packet: version 4, cipher 9, s2k 3, hash 2
salt 988b032635ad0d50, count 65536 (96)
gpg: AES256 encrypted data
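Added example, not the tutorial's code: a Python parser for the ":symkey enc packet:" line that gpg --list-packets prints, mapping the numeric ids to algorithm names (they are the OpenPGP registry values from RFC 4880, the same numbers "gpg -v --version" lists) and checking the packet against the AES-256 policy described above. The two listings inside it are constructed samples shaped like the output above; feed it the real output of gpg --list-packets on one of your .gpg volumes.

```python
"""Verify the cipher in a duplicity volume from `gpg --list-packets` output.

Added example, not the tutorial's code.  The numbers gpg prints are the
OpenPGP algorithm ids (RFC 4880); the tables below name the ones gpg uses.
"""
import re

CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
           7: "AES", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
S2K_MODES = {0: "simple", 1: "salted", 3: "iterated+salted"}

SYMKEY_RE = re.compile(
    r"^:symkey enc packet: version (\d+), cipher (\d+), s2k (\d+), hash (\d+)")
COUNT_RE = re.compile(r"^salt ([0-9a-f]+), count (\d+)")


def parse_symkey_packet(listing):
    """Describe the first symmetric-key (passphrase) packet in `listing`.

    Returns None when no such packet is present, e.g. for a file that was
    encrypted to a public key instead of a passphrase, or is not gpg output.
    """
    lines = [ln.strip() for ln in listing.splitlines()]
    for i, line in enumerate(lines):
        m = SYMKEY_RE.match(line)
        if not m:
            continue
        version, cipher, s2k, hsh = (int(x) for x in m.groups())
        info = {"version": version,
                "cipher_id": cipher, "cipher": CIPHERS.get(cipher, "unknown"),
                "s2k_id": s2k, "s2k_mode": S2K_MODES.get(s2k, "unknown"),
                "hash_id": hsh, "hash": HASHES.get(hsh, "unknown"),
                "salt": None, "count": None}
        # the salt / iteration-count line follows for salted S2K modes
        if i + 1 < len(lines):
            c = COUNT_RE.match(lines[i + 1])
            if c:
                info["salt"], info["count"] = c.group(1), int(c.group(2))
        return info
    return None


def meets_policy(listing, cipher="AES256", min_count=65536):
    """True when the volume uses `cipher` with an iterated, salted S2K of at
    least `min_count` iterations (the tutorial's gpg prints count 65536)."""
    info = parse_symkey_packet(listing)
    return (info is not None and info["cipher"] == cipher
            and info["s2k_mode"] == "iterated+salted"
            and info["count"] is not None and info["count"] >= min_count)


# Constructed sample listings, shaped like the tutorial's output.
GOOD_LISTING = """\
:symkey enc packet: version 4, cipher 9, s2k 3, hash 2
\tsalt 988b032635ad0d50, count 65536 (96)
gpg: AES256 encrypted data
:encrypted data packet:
\tlength: unknown
"""

# What the same check shows when --s2k-cipher-algo was left at its default.
DEFAULT_LISTING = """\
:symkey enc packet: version 4, cipher 3, s2k 3, hash 2
\tsalt 0123456789abcdef, count 65536 (96)
gpg: CAST5 encrypted data
"""

if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("default", DEFAULT_LISTING)):
        info = parse_symkey_packet(listing)
        print(name, info["cipher"], info["s2k_mode"], info["hash"], "count",
              info["count"], "policy ok" if meets_policy(listing) else "REJECT")
```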

Ubuntu 10.04 – Cacti

This will show you how to install Cacti on Ubuntu 10.04 Lucid Server Edition. Apache and MySQL are needed for Cacti.

Install Cacti and snmpd. If you're not going to monitor the server Cacti is on, snmpd isn't needed. It will ask what kind of web server to use; select "Apache2". There may be a warning about the libphp-adodb include path.

administrator@ubuntu:~$ sudo aptitude install cacti snmpd

Edit snmpd.conf and find/edit the lines below. Change "secret" to your community name, which is a very weak password for the SNMP server. Change "10.0.0.0/24" to your subnet; 24 represents a 255.255.255.0 subnet mask. Then restart snmpd. For instructions on setting up snmpd on other machines read the bottom of the post. If you're installing snmpd on Ubuntu 10.10 or newer, read the bottom of the post for setting up SNMP v3.

administrator@ubuntu:~$ sudo nano /etc/snmp/snmpd.conf
com2sec readonly localhost secret
com2sec readonly 10.0.0.0/24 secret
syslocation domain.com
syscontact administrator
administrator@ubuntu:~$ sudo /etc/init.d/snmpd restart

Go to http://server/cacti, select "New Install" and click next; all the paths should be found automatically.

Log in with the default username "admin" and password "admin". Click "Devices" on the right, select "localhost", set "Choose an action" to "Delete" and click "go". Select "Delete all associated graphs and data sources." and click "yes". The default device isn't configured for SNMP so it won't be needed.

On the "devices" page click "Add" at the top right. Enter a description for the device, set the hostname to "127.0.0.1", set "Host Template" to "ucd/net SNMP Host" and set SNMP Version to "Version 1". Then set "SNMP Community" to the community name you used in snmpd.conf.

Click "create"; the page will reload and you should see the SNMP information at the top. If it says "SNMP ERROR" there was an error connecting to the server.

Click "New Graphs" at the top right; there should be network interfaces listed. If not, click "run this data query in debug mode", which will refresh the list and they should show up. Select the graphs you want created and click "create".

Click “Graph Trees” on the right and click “Default Tree”. Click “Add” on the right. Set “Tree Item Type” to “Host” and set “Host” to “(127.0.0.1)” then click “create”. Set the name of the tree and click “save”.

Click “graphs” at the top and the graphs should be listed for the device. It takes 5 minutes for the graphs to appear after they were created.

To configure another computer running Ubuntu 10.04 with SNMP v1, install snmpd. Open the snmpd.conf file and find/edit the lines below. Change "secret" to your community name, which is a very weak password for the SNMP server. Change "10.0.0.0/24" to your subnet; 24 represents a 255.255.255.0 subnet mask. Then restart snmpd. Use the steps above to add the computer, just change the hostname to the correct IP address.

administrator@ubuntu2:~$ sudo aptitude install snmpd
administrator@ubuntu2:~$ sudo nano /etc/snmp/snmpd.conf
com2sec readonly 10.0.0.0/24 secret
syslocation domain.com
syscontact administrator
administrator@ubuntu2:~$ sudo /etc/init.d/snmpd restart

To configure a computer running Ubuntu 10.10 with SNMP v3, install snmpd. Open the snmpd.conf file and find/edit the lines below. Then run the next command to create a read-only SNMP user. Then restart snmpd.

administrator@ubuntu2:~$ sudo aptitude install snmpd
administrator@ubuntu2:~$ sudo nano /etc/snmp/snmpd.conf
agentAddress udp:161,udp6:[::1]:161
sysLocation domain.com
sysContact administrator
administrator@ubuntu2:~$ sudo net-snmp-config --create-snmpv3-user -ro
Enter a SNMPv3 user name to create:
snmp
Enter authentication pass-phrase:
password
Enter encryption pass-phrase:
[press return to reuse the authentication pass-phrase]

adding the following line to /var/lib/snmp/snmpd.conf:
createUser snmp MD5 "password" DES
adding the following line to /usr/share/snmp/snmpd.conf:
rouser snmp
administrator@ubuntu2:~$ sudo /etc/init.d/snmpd restart

To add an SNMP v3 computer, add a device, select "Version 3" and enter the password used above in all three of the password forms.

Ubuntu 10.04 – SVN Server

This will show you how to install an SVN server on Ubuntu 10.04 Lucid Server Edition using Subversion with SVN protocol and user authentication.

Install subversion.

administrator@ubuntu:~$ sudo aptitude install subversion

Create a root directory for the repositories.

administrator@ubuntu:~$ sudo mkdir /media/storage/SVN

Edit the rc.local file and add the line below so that the SVN server will start on boot. The line must be placed before "exit 0". This will share all the repositories in the directory.

administrator@ubuntu:~$ sudo nano /etc/rc.local
svnserve -d -r /media/storage/SVN

To create a repository make a new directory and run the svnadmin command to create a repository inside the directory. This will create the necessary config files and sub-directories.

administrator@ubuntu:~$ sudo mkdir /media/storage/SVN/test
administrator@ubuntu:~$ sudo svnadmin create /media/storage/SVN/test

Edit the repository config file. If you want the repository to require authentication for read access, uncomment and change the first line below. If you want to use the repository's passwd file for authentication, uncomment the second line below.

administrator@ubuntu:~$ sudo nano /media/storage/SVN/test/conf/svnserve.conf
anon-access = none
password-db = passwd

Edit the repository’s passwd file and add users.

administrator@ubuntu:~$ sudo nano /media/storage/SVN/test/conf/passwd
test = pass1234

If you didn't reboot after editing the rc.local file, start the SVN server manually.

administrator@ubuntu:~$ svnserve -d -r /media/storage/SVN

Test the repository using the command below.

administrator@ubuntu2:~$ svn co svn://SERVER_HOSTNAME/test

Ubuntu 10.10 – NILFS

This will show you how to install NILFS on Ubuntu 10.10 Maverick. NILFS is a log-structured file system; it is similar to Microsoft's Shadow Copy. As files are changed, deleted and created, NILFS creates checkpoints. Each checkpoint is the state of the partition at that point in time; the checkpoints can be mounted, allowing any file to be restored to the way it was at the time of the checkpoint. Checkpoints are only stored for about one or two days depending on disk space and usage (the newer version of NILFS in Ubuntu 11.04 will not remove checkpoints until disk space usage is 80%-90%). To prevent a checkpoint from being removed it can be changed into a snapshot, or new snapshots can be created. Snapshots will not be removed until they are changed back to checkpoints. There is no limit on the number of snapshots until the volume gets full.

Install the nilfs2-tools package.

administrator@ubuntu:~$ sudo aptitude install nilfs2-tools

Use the command below to determine which hard drive will be used for NILFS.

administrator@ubuntu:~$ sudo lshw -C disk
*-disk:2
description: SCSI Disk
physical id: 0.2.0
bus info: scsi@2:0.2.0
logical name: /dev/sdc
size: 20GiB (21GB)

Format the hard drive using the command below, replacing "/dev/sd$" with the "logical name" of the hard drive you want formatted from the lshw output. This will delete all partitions and all data on the hard drive.

administrator@ubuntu:~$ sudo mkfs -t nilfs2 /dev/sd$
mkfs.nilfs2 ver 2.0
Start writing file system initial data to the device
Blocksize:4096  Device:/dev/sdc  Device Size:21474836480
File system initialization succeeded !!

Create a directory to mount the volume. Run the last command to mount the NILFS volume.

administrator@ubuntu:~$ sudo mkdir /media/storage
administrator@ubuntu:~$ sudo mount -t nilfs2 /dev/sd$ /media/storage
mount.nilfs2: WARNING! - The NILFS on-disk format may change at any time.
mount.nilfs2: WARNING! - Do not place critical data on a NILFS filesystem.

At the time this was written NILFS will cause the boot process to hang when attempting to mount the volume with an fstab entry; if this happens press "s" to skip the mount. To work around this, add the line below to the rc.local file, which is run during boot. Replace "/dev/sd$" with the logical name of the NILFS hard drive.

administrator@ubuntu:~$ sudo nano /etc/rc.local
mount -t nilfs2 /dev/sd$ /media/storage

To list available checkpoints and snapshots run the command below. It's best to filter the output to a specific date, as there will often be 100+ available checkpoints if the volume is used frequently.

administrator@ubuntu:~$ lscp | grep 2011-02-02
1  2011-02-02 00:27:26   cp    -         11          3
2  2011-02-02 00:42:43   cp    -         11          4
3  2011-02-02 00:46:57   cp    -         14          5
4  2011-02-02 00:47:08   cp    -         14          6
5  2011-02-02 00:47:27   cp    -         14          7
6  2011-02-02 00:47:33   ss    -         13          6
7  2011-02-02 00:47:41   cp    -         15          8

Checkpoints will be automatically removed to make room for new ones. To prevent a checkpoint from being removed, change it to a snapshot using the first command below. Replace "6" with an ID from the first column of the lscp output. The snapshot will not be removed until it is turned back into a checkpoint using the second command.

administrator@ubuntu:~$ sudo chcp ss 6
administrator@ubuntu:~$ sudo chcp cp 6

New snapshots can also be created using the command below. The created snapshot will also not be removed until it is changed back to a checkpoint.

administrator@ubuntu:~$ sudo mkcp -s

To mount a checkpoint or snapshot, first create a directory to mount the volume on using the first command. Checkpoints need to be changed to a snapshot before mounting, using the second command. Mount the snapshot using the third command, replacing 7 with the snapshot ID and changing the directories to reflect your system configuration. Restore any files from the volume, then unmount it using the fourth command. If the snapshot will no longer be needed, change it back to a checkpoint using the fifth command so that it will be automatically removed.

administrator@ubuntu:~$ sudo mkdir /media/snapshot
administrator@ubuntu:~$ sudo chcp ss 7
administrator@ubuntu:~$ sudo mount -t nilfs2 -r -o cp=7 /dev/sdc /media/snapshot
administrator@ubuntu:~$ sudo umount /media/snapshot
administrator@ubuntu:~$ sudo chcp cp 7

Ubuntu 10.04 – Vsftpd Server

This will show you how to install vsftpd FTP server on Ubuntu 10.04 Lucid Server Edition.

Install vsftpd using the command below.

administrator@ubuntu:~$ sudo aptitude install vsftpd

Open the vsftpd config file, uncomment the first two lines listed, then add the other two to the end of the file. The first line allows FTP clients to write files to the server; the second line chroots FTP clients to their home directories, preventing them from browsing other files on the system. The last two lines tell the FTP server to only allow the users listed in the user list file, which will be created later. SSL won't be enabled, so connections should only be made within the FTP server's LAN.

administrator@ubuntu:~$ sudo nano /etc/vsftpd.conf
write_enable=YES
chroot_local_user=YES
userlist_deny=NO
userlist_enable=YES

Create the user list file and add the usernames you want to allow access to the FTP server.

administrator@ubuntu:~$ sudo nano /etc/vsftpd.user_list
ftptest1
ftptest2

By default the FTP server will only allow users who have shell access, meaning they are able to log into the server. For this server we will be creating users who only have access to FTP and will not have shell access, so in order for them to access the FTP server the vsftpd PAM service must be configured to allow any user listed in the user list file. Edit the config file and comment out the line shown below.

administrator@ubuntu:~$ sudo nano /etc/pam.d/vsftpd
#auth   required        pam_shells.so

Create the home directories for the FTP users. Then add each FTP user and chown their home directory. Setting the shell to /bin/false prevents the user from logging into the server; they will only have FTP access. If you're using a login for the FTP server that you also use to log in to the server, do not change your shell to /bin/false.

administrator@ubuntu:~$ sudo mkdir /media/storage/FTP/ftptest1
administrator@ubuntu:~$ sudo mkdir /media/storage/FTP/ftptest2
administrator@ubuntu:~$ sudo adduser --no-create-home --ingroup ftp --home /media/storage/FTP/ftptest1 --shell /bin/false ftptest1
Adding user `ftptest1' ...
Adding new user `ftptest1' (1001) with group `ftp' ...
Not creating home directory `/media/storage/FTP/ftptest1'.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for ftptest1
Enter the new value, or press ENTER for the default
Full Name []: FTPTest1
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
administrator@ubuntu:~$ sudo adduser --no-create-home --ingroup ftp --home /media/storage/FTP/ftptest2 --shell /bin/false ftptest2
Adding user `ftptest2' ...
Adding new user `ftptest2' (1002) with group `ftp' ...
Not creating home directory `/media/storage/FTP/ftptest2'.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for ftptest2
Enter the new value, or press ENTER for the default
Full Name []: FTPTest2
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
administrator@ubuntu:~$ sudo chown ftptest1:ftp /media/storage/FTP/ftptest1
administrator@ubuntu:~$ sudo chown ftptest2:ftp /media/storage/FTP/ftptest2

Edit the fstab and add mounts for the folders you want the FTP users to have access to. All of the directories you mount must have the needed file permissions for the FTP clients to access the files. If you back up your server you will need to exclude the mounted directories, as most backup programs assume it is a new directory and you will end up with duplicates of all the files you mounted. If your directory path contains a space replace it with “

Ubuntu 10.04 – Apache mod_evasive & mod_security

This will show you how to install mod_evasive and mod_security for Apache on Ubuntu 10.04 Lucid Server Edition. The module mod_evasive helps protect the server from DDoS attacks and mod_security helps protect the server from attacks on web applications.

Install the two modules and postfix, which will be needed if you want mod_evasive to email you when a DDoS attack occurs. Postfix will need to be configured; select "Internet site" and enter "localhost" as the system mail name when asked.

administrator@ubuntu:~$ sudo aptitude install libapache2-mod-evasive libapache-mod-security postfix mailutils

Make a directory for mod_evasive to store its log files and chown it to www-data. Open the mod_evasive config file, add the lines below and enter your email address.

administrator@ubuntu:~$ sudo mkdir /var/log/mod_evasive
administrator@ubuntu:~$ sudo chown www-data:www-data /var/log/mod_evasive/
administrator@ubuntu:~$ sudo nano /etc/apache2/conf.d/modevasive
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/mod_evasive
DOSEmailNotify EMAIL@DOMAIN.com
DOSWhitelist 127.0.0.1
</IfModule>

Create a folder for the mod_security rules. Go to ModSecurity.org, get the link for the latest mod_security and use it below. Then extract the files, move the rules to the folder that was created and chown the files to root. Then remove the unneeded files.

administrator@ubuntu:~$ sudo mkdir /etc/apache2/mod_security_rules
administrator@ubuntu:~$ wget http://www.modsecurity.org/download/modsecurity-apache_2.5.13.tar.gz
administrator@ubuntu:~$ tar xf modsecurity-apache_2.5.13.tar.gz
administrator@ubuntu:~$ sudo mv modsecurity-apache_2.5.13/rules/base_rules/* /etc/apache2/mod_security_rules
administrator@ubuntu:~$ sudo chown -R root:root /etc/apache2/mod_security_rules
administrator@ubuntu:~$ rm -r modsecurity-apache_2.5.13.tar.gz modsecurity-apache_2.5.13/

Open the mod_security config file and add the lines below.

administrator@ubuntu:~$ sudo nano /etc/apache2/conf.d/modsecurity
<IfModule mod_security2.c>
Include mod_security_rules/*.conf
</IfModule>

Make sure the modules are enabled and restart apache.

administrator@ubuntu:~$ sudo a2enmod mod-evasive
Module mod-evasive already enabled
administrator@ubuntu:~$ sudo a2enmod mod-security
Module mod-security already enabled
administrator@ubuntu:~$ sudo /etc/init.d/apache2 restart
* Restarting web server apache2                                               [ OK ]

Test mod_evasive with the Perl script below; change the domain to your web server. Create a file named test.pl on the desktop and run "perl test.pl" in a terminal. A new file with your IP address should appear in "/var/log/mod_evasive" (the DOSLogDir set above).

#!/usr/bin/perl

# test.pl: small script to test mod_dosevasive's effectiveness

use IO::Socket;
use strict;

# Open a fresh connection for each of 101 rapid requests to the same page.
for(0..100) {
  my($response);
  my($SOCKET) = new IO::Socket::INET( Proto   => "tcp",
                                      PeerAddr=> "DOMAIN.com:80");
  if (! defined $SOCKET) { die $!; }
  # the blank line after the request line ends the HTTP/1.0 request
  print $SOCKET "GET /?$_ HTTP/1.0\n\n";
  $response = <$SOCKET>;
  print $response;
  close($SOCKET);
}
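Added example, not from the page or from mod_evasive's source: a Python model of the thresholds in the modevasive config above, replayed over constructed traffic that includes a loop shaped like test.pl. It assumes the documented meaning of each directive (the real module's counting may differ by one) and the fact that Apache's r->uri, which mod_evasive keys page counts on, carries no query string, so the script's varying "?N" requests all count against the same page.

```python
"""Model of the mod_evasive thresholds in the modevasive config above.

Added example, not from the page or from mod_evasive's source.  A client is
refused (403) once it has requested the same page more than DOSPageCount
times within DOSPageInterval seconds, or more than DOSSiteCount pages within
DOSSiteInterval seconds, and stays refused for DOSBlockingPeriod seconds.
"""

CONFIG = {                       # values from /etc/apache2/conf.d/modevasive
    "DOSPageCount": 2, "DOSSiteCount": 50,
    "DOSPageInterval": 1, "DOSSiteInterval": 1,
    "DOSBlockingPeriod": 10, "DOSWhitelist": {"127.0.0.1"},
}


class EvasiveModel:
    def __init__(self, cfg=CONFIG):
        self.cfg = cfg
        self.page = {}          # (ip, path) -> (window_start, count)
        self.site = {}          # ip -> (window_start, count)
        self.blocked = {}       # ip -> time of its last refused request
        self.block_events = []  # (ip, time, reason): what would be logged/mailed

    def _hit(self, table, key, t, interval, limit):
        """Count one request; the window restarts once `interval` has passed."""
        start, count = table.get(key, (t, 0))
        if t - start >= interval:
            start, count = t, 0
        count += 1
        table[key] = (start, count)
        return count > limit

    def request(self, ip, uri, t):
        """Return the status (200 or 403) for one request at time `t`."""
        if ip in self.cfg["DOSWhitelist"]:
            return 200
        last = self.blocked.get(ip)
        if last is not None and t - last < self.cfg["DOSBlockingPeriod"]:
            self.blocked[ip] = t   # every refused hit restarts the period
            return 403
        # Apache's r->uri has no query string: "/?1" and "/?2" are the same page.
        path = uri.split("?", 1)[0]
        over_page = self._hit(self.page, (ip, path), t,
                              self.cfg["DOSPageInterval"], self.cfg["DOSPageCount"])
        over_site = self._hit(self.site, ip, t,
                              self.cfg["DOSSiteInterval"], self.cfg["DOSSiteCount"])
        if over_page or over_site:
            self.blocked[ip] = t
            self.block_events.append((ip, t, "page" if over_page else "site"))
            return 403
        return 200


def replay(model, requests):
    """Feed (ip, uri, t) tuples through the model and return the statuses."""
    return [model.request(ip, uri, t) for ip, uri, t in requests]


def demo():
    """Constructed traffic: a test.pl style loop, a hammered page, a crawler
    spread over many pages, and the whitelisted monitoring host."""
    m = EvasiveModel()
    loop = [("10.0.0.51", "/?%d" % i, 0.0) for i in range(101)]
    same_page = [("10.0.0.52", "/index.html", 5.0)] * 3 + \
                [("10.0.0.52", "/index.html", 16.0)]   # retry after the block expires
    spread = [("10.0.0.53", "/page%d.html" % i, 20.0) for i in range(60)]
    local = [("127.0.0.1", "/server-status", 0.0)] * 5
    statuses = replay(m, loop + same_page + spread + local)
    for ip, t, why in m.block_events:
        print("%s blocked at t=%.0f (%s count exceeded)" % (ip, t, why))
    return statuses, m.block_events


if __name__ == "__main__":
    demo()
```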

Ubuntu 10.04 – Install LAMP Server

This will show you how to install a LAMP stack (Linux, Apache, MySQL, PHP) on Ubuntu 10.04 Lucid Server Edition.

Install Apache, PHP, MySQL and phpMyAdmin using the first command below. The second command installs some useful PHP modules. The third command enables the rewrite module.

administrator@ubuntu:~$ sudo aptitude install apache2 php5 php5-mysql libapache2-mod-php5 ssl-cert mysql-server phpmyadmin
administrator@ubuntu:~$ sudo aptitude install php5-adodb php5-geoip php5-memcached php5-sqlite php5-auth-pam php5-gmp php5-midgard2 php5-suhosin php5-cgi php5-gpib php5-ming php5-svn php5-cli php5-imagick php5-mysql php5-sybase php5-common php5-imap php5-odbc php5-tidy php5-curl php5-interbase php5-pgsql php5-tokyo-tyrant php5-dbg php5-intl php5-ps php5-uuid php5-dev php5-lasso php5-pspell php5-xcache php5-enchant php5-ldap php5-radius php5-xdebug php5-exactimage php5-librdf php5-recode php5-xmlrpc php5-ffmpeg php5-mapscript php5-remctl php5-xsl php5-fpm php5-mcrypt php5-sasl php5-gd php5-memcache php5-snmp
administrator@ubuntu:~$ sudo a2enmod rewrite

If you want to be able to send mail using PHP, install postfix using the command below. Postfix will need to be configured; select "Internet site" and enter "localhost" as the system mail name when asked.

administrator@ubuntu:~$ sudo aptitude install postfix mailutils

If you're concerned about security, edit the Apache conf and change the timeout; use Ctrl+W to search the file. Add the other two lines to the bottom of the config file. The timeout setting will help with DDoS attacks and the other two hide the Apache version information.

administrator@ubuntu:~$ sudo nano /etc/apache2/apache2.conf
Timeout 45
ServerSignature Off
ServerTokens Prod

Edit the PHP config file and set the correct time zone. Use Ctrl+W to find "date.timezone". Make sure the leading ; is removed from the line. The available time zones are listed in the PHP manual's "List of Supported Timezones".

administrator@ubuntu:~$ sudo nano /etc/php5/apache2/php.ini
date.timezone = America/New_York

Restart Apache, then create a PHP test page using the command below. The test page should display the PHP information for the server.

administrator@ubuntu:~$ sudo /etc/init.d/apache2 restart
* Restarting web server apache2                                               [ OK ]
administrator@ubuntu:~$ sudo nano /var/www/test.php
<?php
phpinfo();
?>

Use one of the Apache VirtualHost configurations below.

One IP address and one domain name.

administrator@ubuntu:~$ sudo nano /etc/apache2/sites-available/default
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /var/www
ServerName www.domain.com
ServerAlias domain.com

<Directory /var/www>
Options FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from All
</Directory>
</VirtualHost>

One IP address and two domains.

administrator@ubuntu:~$ sudo nano /etc/apache2/sites-available/default
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /var/www/domain1.com
ServerName www.domain1.com
ServerAlias domain1.com

<Directory /var/www/domain1.com>
Options FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from All
</Directory>
</VirtualHost>

<VirtualHost *:80>
DocumentRoot /var/www/domain2.com
ServerName www.domain2.com
ServerAlias domain2.com

<Directory /var/www/domain2.com>
Options FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from All
</Directory>
</VirtualHost>

Two IP addresses and two domains. Replace 255.255.255.255 with the IP address you want to use for each domain. Then run the commands at the end to disable the default site and enable the two new sites.

administrator@ubuntu:~$ sudo nano /etc/apache2/sites-available/domain1.com.conf
<VirtualHost 255.255.255.255:80>
DocumentRoot /var/www/domain1.com
ServerName www.domain1.com
ServerAlias domain1.com

<Directory /var/www/domain1.com>
Options FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from All
</Directory>
</VirtualHost>

administrator@ubuntu:~$ sudo nano /etc/apache2/sites-available/domain2.com.conf
<VirtualHost 255.255.255.255:80>
DocumentRoot /var/www/domain2.com
ServerName www.domain2.com
ServerAlias domain2.com

<Directory /var/www/domain2.com>
Options FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from All
</Directory>
</VirtualHost>

administrator@ubuntu:~$ sudo a2dissite 000-default
Site default disabled.
Run '/etc/init.d/apache2 reload' to activate new configuration!
administrator@ubuntu:~$ sudo a2ensite domain1.com.conf
Enabling site domain1.com.conf.
Run '/etc/init.d/apache2 reload' to activate new configuration!
administrator@ubuntu:~$ sudo a2ensite domain2.com.conf
Enabling site domain2.com.conf.
Run '/etc/init.d/apache2 reload' to activate new configuration!

If you want to protect the server from DDoS attacks, read Ubuntu 10.10 Maverick – Apache mod_evasive & mod_security.

Ubuntu 10.04 – Install SSH File Server

This will show you how to set up an SSH file server on Ubuntu 10.04 Lucid Server Edition. It will use RSSH so the user connecting will only be able to use SFTP.

Install RSSH, which is a restricted SSH shell; this will restrict the user to running commands associated with file transfers. The user will not be able to log in to the server with SSH.

administrator@ubuntu:~$ sudo aptitude install rssh
The following NEW packages will be installed:
rssh
0 packages upgraded, 1 newly installed, 0 to remove and 52 not upgraded.
Need to get 56.9kB of archives. After unpacking 233kB will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu/ maverick/universe rssh amd64 2.3.2-11 [56.9kB]
Fetched 56.9kB in 0s (92.0kB/s)
Preconfiguring packages ...
Selecting previously deselected package rssh.
(Reading database ... 40526 files and directories currently installed.)
Unpacking rssh (from .../rssh_2.3.2-11_amd64.deb) ...
Processing triggers for man-db ...
Setting up rssh (2.3.2-11) ...

Edit the rssh config file and uncomment the lines below to enable restricted access for those commands.

administrator@ubuntu:~$ sudo nano /etc/rssh.conf
allowscp
allowsftp
allowcvs
allowrdist
allowrsync
allowsvnserve

Create the directory the file share users will have access to, with file permissions allowing full access. The Files folder is created inside /sshfs because the /sshfs folder will be used as the home directory and will contain files such as .bash_history, so the Files folder will be used as the root directory when connecting.

administrator@ubuntu:~$ sudo mkdir -m 777 /sshfs

Add a user group for the file share users.

administrator@ubuntu:~$ sudo addgroup sshfs
Adding group `sshfs' (GID 1001) ...
Done.

Create a user for the file share, setting the home directory to /sshfs and using restricted SSH as the shell. Change client to the user name you want.

administrator@ubuntu:~$ sudo adduser --no-create-home --ingroup sshfs --home /sshfs --shell /usr/bin/rssh client
Adding user `client' ...
Adding new user `client' (1001) with group `sshfs' ...
Not creating home directory `/sshfs'.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for client
Enter the new value, or press ENTER for the default
Full Name []: Client
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]

Now, on the client computer, install sshfs (unless you prefer a different application to access the file share) and make the directory where the file share will be mounted.

administrator@client:~$ sudo aptitude install sshfs
administrator@client:~$ sudo mkdir -m 777 /media/Files

Test the file share using the command below. Replace USERNAME and SERVER with your user name and server. If the user name on the client is the same as on the server, the “USERNAME@” is not needed. Then, if the file share works, run the next command to unmount the file share.

administrator@client:~$ sshfs USERNAME@SERVER:./Files /media/Files
administrator@client:~$ sudo umount /media/Files

The best way to log in to the file share is using an SSH key. Using an SSH key will allow you to mount the file share without entering a password and is much safer than entering the password. If you don’t want to use an SSH key you can skip the stuff below. For this to work the user name for your client must be the same as the one used to access the server. Open “System -> Preferences -> Passwords and Encryption Keys”, open the “My Personal Keys” tab and then click “File -> New…”, select “Secure Shell Key” and click “Continue”.

Then enter a password to encrypt the key. This password should be at least 12 characters.

If the “Set Up Computer for SSH Connection” dialog comes up, click “Cancel”; the RSSH shell and the different home folder prevent this from working.

After the key is created, right click the key and select “Export…”.

Save the file to the Desktop with “authorized_keys” as the name.

Connect to the file share using the same command from earlier and place the authorized_keys file in the root of the file share.

On the server, move the authorized_keys file to /etc and apply the permissions shown below.

administrator@ubuntu:~$ sudo mv /sshfs/Files/authorized_keys /etc
administrator@ubuntu:~$ sudo chmod 700 /etc/authorized_keys

Edit sshd_config and add the line shown below to the end of the config file. This needs to be changed because the home folder is different from the default. Then restart the SSH server.

administrator@ubuntu:~$ sudo nano /etc/ssh/sshd_config
AuthorizedKeysFile /etc/authorized_keys
administrator@ubuntu:~$ sudo /etc/init.d/ssh restart

Disconnect from the file share and attempt to connect to it again. It should ask you to decrypt the SSH key and then connect to the file share without asking for a password. If it works, disconnect from the file share.

administrator@client:~$ sshfs USERNAME@SERVER:./Files /media/Files
administrator@client:~$ sudo umount /media/Files

To get the file share to mount when the computer starts, edit the fstab file and add the line shown below to the end of the file. Replace USERNAME and SERVER with the user name and server IP address. Then enter the last command to mount the file share; it should mount without asking for a password if you set up the SSH key.

administrator@client:~$ sudo nano /etc/fstab
sshfs#USERNAME@SERVER:./Files /media/Files fuse user,noauto 0 0
administrator@client:~$ sudo mount -a
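As an added example that is not part of the tutorial, the following POSIX shell script audits the server-side pieces of the setup above (the user's shell and home directory, the active allow lines in rssh.conf, the AuthorizedKeysFile setting and the key file's mode); the sample files it creates are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the tutorial): audit the server-side pieces of the
# rssh/SFTP setup above. Every function takes file paths, so it runs here against
# constructed sample files and, on a server, against the real ones:
#   audit_sftp_user /etc/passwd client /etc/rssh.conf /etc/ssh/sshd_config /etc/authorized_keys

# Active (uncommented) allow* directives in an rssh.conf, one per line
rssh_allowed() { sed -n 's/^[[:space:]]*\(allow[a-z]*\).*/\1/p' "$1" | sort -u; }

# Login shell and home directory recorded for user $2 in passwd file $1
user_shell() { awk -F: -v u="$2" '$1 == u { print $7 }' "$1"; }
user_home()  { awk -F: -v u="$2" '$1 == u { print $6 }' "$1"; }

# Value of the last active AuthorizedKeysFile line in an sshd_config
authorized_keys_path() {
    awk 'tolower($1) == "authorizedkeysfile" { p = $2 } END { print p }' "$1"
}

audit_sftp_user() {
    passwd=$1; user=$2; rsshconf=$3; sshdconf=$4; keyfile=$5; rc=0
    [ "$(user_shell "$passwd" "$user")" = /usr/bin/rssh ] ||
        { echo "$user: shell is not /usr/bin/rssh, an interactive login would work" >&2; rc=1; }
    [ "$(user_home "$passwd" "$user")" = /sshfs ] ||
        { echo "$user: home directory is not /sshfs" >&2; rc=1; }
    rssh_allowed "$rsshconf" | grep -qx allowsftp ||
        { echo "$rsshconf: allowsftp is commented out, SFTP will be refused" >&2; rc=1; }
    echo "$rsshconf allows: $(rssh_allowed "$rsshconf" | tr '\n' ' ')"
    [ "$(authorized_keys_path "$sshdconf")" = "$keyfile" ] ||
        { echo "$sshdconf: AuthorizedKeysFile is not $keyfile" >&2; rc=1; }
    # the tutorial applies chmod 700 to the key file; anything else is reported
    [ -n "$(find "$keyfile" -prune -perm 700 2>/dev/null)" ] ||
        { echo "$keyfile: missing or not mode 700" >&2; rc=1; }
    return $rc
}

# Constructed sample files mirroring the tutorial (not copied from a server)
D=$(mktemp -d)
printf 'client:x:1001:1001:Client,,,:/sshfs:/usr/bin/rssh\n' > "$D/passwd"
printf '# allowscp\nallowsftp\n# allowrsync\n' > "$D/rssh.conf"
printf 'PermitRootLogin no\nAuthorizedKeysFile %s\n' "$D/authorized_keys" > "$D/sshd_config"
printf 'ssh-rsa AAAA...placeholder-public-key\n' > "$D/authorized_keys"
chmod 700 "$D/authorized_keys"

audit_sftp_user "$D/passwd" client "$D/rssh.conf" "$D/sshd_config" "$D/authorized_keys" \
    && echo "audit passed"
```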