
Bound and Armed

September 12, 2010

Just completed my configuration of Bind9 and entered into the world of AppArmor.

From what I read, AppArmor appears to help protect my system from the “unknown” security flaws by limiting access when someone manages to break through with an exploit. I’m sure it won’t be the be-all and end-all of security, but it goes with my philosophy of having a nice layered approach to security.

The hardest part was figuring out how to add applications. By default AppArmor already has a profile for Bind9. The command to execute is:

sudo aa-genprof vsftpd

I used VSFTPD since that is the one I want to secure. It will go through the process of asking you some questions which are pretty straightforward. At the end, it will ask you to launch the service and then use it. When you are done, you’ll have AppArmor scan the log files for how the program behaved. My guess is that this is how AppArmor knows when the application is doing something it isn’t supposed to.

You will then save the new profile and it should be activated.
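To make the “scan the log files” step concrete, here is an added Python example (mine, not code from the original post or from the AppArmor project). It reads the kernel audit lines AppArmor writes, keeps only the DENIED events (skipping complain-mode ALLOWED and profile-load STATUS events), and renders the file denials for one profile as the path-and-mask rule lines a profile would need. The log lines are constructed sample data; the profile name /usr/sbin/vsftpd and the paths in them are assumptions.

```python
import re
from collections import Counter

# Constructed sample audit lines in the format AppArmor logs through the kernel
# audit subsystem. They are made up for this example, not taken from the post.
SAMPLE_LOG = """\
type=AVC msg=audit(1284300001.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/vsftpd.conf" pid=2101 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1284300002.202:202): apparmor="ALLOWED" operation="open" profile="/usr/sbin/vsftpd" name="/etc/passwd" pid=2101 comm="vsftpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1284300003.303:203): apparmor="DENIED" operation="open" profile="/usr/sbin/vsftpd" name="/home/alice/notes.txt" pid=2102 comm="vsftpd" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1284300004.404:204): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/vsftpd" pid=2050 comm="apparmor_parser"
type=AVC msg=audit(1284300005.505:205): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/named.conf.local" pid=1999 comm="named" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
"""

# Every field we need is written as key="value"; unquoted fields (type, pid,
# the audit timestamp) are not needed here and are skipped by the regex.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the quoted key/value fields of one audit line, or None if it is not an AppArmor event."""
    if 'apparmor="' not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarize_denials(log_text, profile=None):
    """Count DENIED events as (operation, path, denied_mask), optionally for a single profile.

    ALLOWED (complain-mode) and STATUS (profile load) events are ignored so the
    summary shows only what enforce mode actually blocked.
    """
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        if profile is not None and fields.get("profile") != profile:
            continue
        counts[(fields.get("operation"), fields.get("name"), fields.get("denied_mask"))] += 1
    return counts


def suggested_file_rules(counts):
    """Render denied file opens as AppArmor file-rule lines ('path mask,') for review.

    Only 'open' events map directly to file rules; other operations (capability,
    network, signal) need different rule types and are left out here.
    """
    rules = []
    for (operation, path, mask), _count in sorted(
        counts.items(), key=lambda kv: tuple(x or "" for x in kv[0])
    ):
        if operation == "open" and path and mask:
            rules.append(f"  {path} {mask},")
    return rules


if __name__ == "__main__":
    vsftpd_denials = summarize_denials(SAMPLE_LOG, profile="/usr/sbin/vsftpd")
    for key, n in vsftpd_denials.items():
        print(n, key)
    print("\n".join(suggested_file_rules(vsftpd_denials)))
```

The rule lines are candidates to review, not to paste blindly: a denial for a path the daemon has no business touching (the /home/alice write above) is the kind of behaviour the profile exists to stop, and the right fix is to leave it denied.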

However I ran into this error when trying to save the profile:

RPC::XML::Client::send_request: HTTP server error: Not Found

Thankfully this blogger had the solution.

http://ericlefevre.net/wordpress/2009/11/23/apparmor-how-to-fix-the-create-new-user-issue-with-logprof/

Bind9 was pretty easy to set up. The configuration was a bit different than what I’m used to in FreeBSD, but overall it went well. Just use this guide and you should do fine.

https://help.ubuntu.com/community/BIND9ServerHowto

Next up will be Email, which could be the hardest thing to put together.


Connected and Going

September 12, 2010

So far so good with Ubuntu 10.04 Server. I’ve been very pleased with how easy it is to get up and running. Right now I have the server configured in a standalone mode and not as a cloud implementation. Though, I’m thinking that if I have a site that will generate a lot of traffic, then configuring a cloud would be fun.

I’ve got SSH up and running and can now connect via my laptop and my desktop system. Here are the resources I used to get it set up:

  • https://help.ubuntu.com/10.04/serverguide/C/openssh-server.html
  • http://vladgh.com/blog/secure-your-ubuntu-1004-server

Updating the server is nice and easy; I just need to run the following command:

sudo apt-get upgrade

The server boots up very quickly and when installing Ubuntu on ESXi, I just chose Linux -> Ubuntu 64bit. The install was very straightforward with easy to understand questions. The big concern I’ll have is security. With FreeBSD I am fairly confident that it is locked down very nicely. But I’m guessing that as long as I keep the software patched and use reasonable precautions, I’ll be okay.

The only other piece of software I’ve loaded up was VSFTPD and I used this resource for configuration:

https://help.ubuntu.com/6.06/ubuntu/serverguide/C/ftp-server.html

I may circle back and get Xinetd for both my VSFTPD server and SSH server so both processes are not constantly running using memory.

I needed an FTP server up and running to get my SSH keys uploaded and the configuration was incredibly simple. I have to say I love the easy to use documentation I’ve found for Ubuntu so far. My biggest complaint over the years about Linux (and what I think holds it back) is the hard to understand documentation.

At this point I’m off to configure Bind9 and I’ll give another writeup on how that goes.

Quick Change of Mind

September 9, 2010

After only one day, I bailed out on Fedora 13. It might be a great Operating System, but I had two odd problems.

The first problem was that I was never prompted for my root password during install, so I had to spend about an hour trying to figure out how to set it. Granted, after some trial and error, I did get it figured out.

The next problem came with adding software. I wanted to switch from TigerVNC to VNC Server since I am totally familiar with what TigerVNC is. When trying to switch over to VNC server, the system kept prompting me to accept a certificate, which I did, but the software would be applied to the system. In the end I went to a command line and did a yum install and that seemed to work fine.

In the end, my initial impression wasn’t very good. So for now I am going to give Ubuntu a try and see what happens. I like the Desktop version so with luck, the server will turn out to be just as good.

Back with a New Project

September 6, 2010

Been a bit since my last post, but I have kicked off my next project.

For a while I wanted something else to blog about and to run a new website. Though my FreeBSD server is doing fine, Fedora is another intriguing option. For the last few days I’ve been playing around with Fedora 13 and FreeBSD 8.1.

Pros for FreeBSD? Well, the obvious one is that I know the system and know what to expect. Con for FreeBSD? No nice way of doing an auto-update. Which leads to the plus side of Fedora. I like the idea of doing “yum update” and grabbing all the updates automatically.

The other learning angle is to try and break away from the command line and move towards a GUI. The downside for Fedora is that I am not familiar with the system.

The ultimate goal will be the following:

  • Fedora 13 Installed and Patched
  • Postfix with a pop client
  • Apache
  • MySQL
  • Drupal for Blogging and site management
  • DNS
  • Gui Admin tools

This may not be the exact order, but with luck the system should run pretty well. The main concern I’ll have is security so this should be a fun project.

Slick as ice

May 19, 2010

This latest configuration has been the most interesting I’ve personally done to date. I did try to make mt-daapd work on a more consistent basis, however iTunes keeps losing contact with the server. Since mt-daapd appears to be a defunct project, I may never get it resolved.

With that, I moved my focus to an Icecast server, which can be found here:

http://www.icecast.org/

The great thing with Icecast is that I’ve created my own personal radio station. Right now it is only local to my LAN, but from any computer in my house, I can listen to my own music. I would love to be able to stream it online so I can listen to it in my car, but I believe legality issues may prevent that. Further research is needed on my part.

The other issue would be locking it down so that only I (or my wife) would be able to tap into the stream. Icecast apparently has some user credentialing built in that I’ll have to look into.

Of course, Icecast is only one piece of the puzzle. The only thing it does is provide the stream; there are two other parts.

MPD is one piece and is found here:

http://mpd.wikia.com/wiki/Music_Player_Daemon_Wiki

MPC is for the playlist creation and music database storage:

http://sourceforge.net/projects/guliverkli/

With all three pieces installed, you have one fully functional streaming music player.

Just do these few steps to get the server installed.

- http://rpmfusion.org/Configuration Use this link for adding a couple of extra repositories for Yum.
- yum install icecast mpc mpd

At this point you should have everything installed. Icecast and the other two pieces contain really good documentation on how to use all three pieces together. So far everything has been very solid and I’ve been able to stream into iTunes, Windows Media Player and onto my Ubuntu machine.

iTunes Media Server

May 16, 2010

Okay, so I got my iTunes server up and running for my local network. The following steps were done on Fedora 12, so your mileage may vary.

yum install vsftpd (you can use Samba too, but for now I am going to run with FTP)
yum install avahi (for the Bonjour service to find my media server)
yum install mt-daapd (this is what is providing the streaming to iTunes)
yum install libid3tag (allows the files to have tags)

The configuration file for mt-daapd is /etc/mt-daapd.conf. Make sure to add a password to be able to log in via the web interface. I changed the directory of the media files to another location. Be careful where you change this to, since the service may not be able to access it.

On the firewall, open these ports:
3689 for daap, and FTP (if using) to allow access

As a side note too, to get VSFTP running and chrooted to a user's local directory I had to issue the following commands:
# list the SELinux booleans that relate to FTP
getsebool -a | grep ftp
# turn on home directory access for the FTP daemon (-P makes it persistent)
setsebool -P ftp_home_dir on

This allows VSFTP to get access to your home directory and without this set, I kept getting OOPS 500 access denied messages.

To test the configuration run the following command:
sudo mt-daapd -f

The web interface for the application is here:

http://127.0.0.1:3689

Beyond that, that’s it. The server auto populated the music files when it started up. Granted, for some reason it crashed when I uploaded new files while streaming, but hopefully it was just a fluke. I’ll be running some other tests, but so far so good. With luck the server will auto scan the directory looking for new music.

Next on my list? Get Windows Media Center connected to the server.

Block Head

May 16, 2010

After several hours today, I finally got Fedora 12 installed and it wasn’t as smooth as I hoped.

The initial problem I had was a rookie mistake. When building my ESXi server, I didn’t take into consideration that block size is very important. For more information, check out this thread:

http://communities.vmware.com/thread/233838

My original plan was to run a server with around 500 GB of space so I would have plenty of room to grow. However whenever I tried to create a 500 GB slice, ESXi kept complaining. So as a note to those setting up ESXi, keep in mind what you plan on running and how much disk space you’ll need. Thankfully, the 256 GB limitation will not be a problem. I only have about 100 GB in music, so I’ll have more than enough room for a while.

The install of Fedora I found was very slow. Not sure what was causing that, but it completed after running for a couple of hours. I chose “Other Linux 32 bit” as the OS that ESXi will host. Beyond that, Fedora never noticed anything and the install, though slow, ran without a problem.

The next issue I ran into was the software updater. It kept complaining about updating abrt. Just do the following commands as root:

  • yum clean all
  • yum check-update
  • yum update

With this install, I am going to remote into the server using a GUI. Since I am on my MacBook a lot, I need a good VNC client. First, on Fedora enable Remote Desktop with the following options:

  • Allow others to view your desktop
  • Allow other users to control your desktop
  • Require users to enter a password
  • Open port 5900 in the firewall

For my Mac VNC client, go here:

http://sourceforge.net/projects/cotvnc/

When connecting, just enter the IP address and the password you set up for the VNC server on Fedora. The only downside is that the console screen needs to stay logged in or the connection to the server gets rejected.

I did disable some unneeded services like Bluetooth and Sendmail, but overall the system is pretty much untouched. Other than system patches, I won’t be doing any serious lockdown with it. My next item (and I thought of this last minute) is to create a streaming iTunes server.

The Long Break

May 15, 2010

My apologies to those who have been reading my blog for the long delay in posts. These last few months have been tough balancing school/work/family. Now that school is on break, I have some good free time to work on my next Linux project, my Fedora media server.

So what else have I been up to? The only Linux related item I’ve accomplished during my time between posts was upgrading my Ubuntu workstation from 9.10 to version 10.04. I’ve heard reports that the upgrade was breaking dual boot systems.

http://www.phoronix.com/scan.php?px=ODE5Ng&page=news_item

I am not doing any dual booting, so I never ran into a problem. I had made a complete conversion from Windows to Linux roughly a year ago. The reason being, I didn’t want to cheat and figured I wouldn’t look hard enough to find solutions if all I had to do was boot back into Windows.

With that said, the upgrade process was really smooth. The update notification came up and I downloaded the entire upgrade. I let it run overnight so I am not sure how long the actual process took, but in the morning I rebooted and there was the new version. All my programs were retained and some minor updates were required from the Ubuntu updater.

10.04 has been running very smoothly; with the exception of the window buttons having moved to the left hand side, there hasn’t been a noticeable difference. Well, except I get the feeling that 10.04 is a bit more polished.

I’m still going strong on my MacBook Pro. It feels very much like my Ubuntu system so the learning curve was minor. Mac OS X is so much better than what I remember from the 9.x days.

So, now off to my media server project. As usual it will be running on my ESXi system and I’ll post how-tos as I figure them out. I’ve found that this blog has been a life saver a couple of times when trying to remember how to do something. This project may include a post on how to add a new hard drive to the ESXi system, just not sure yet.

PHP and Zlib

March 8, 2010

Okay, I now have a new configure script so I can add zlib support for PHP.

./configure \
--prefix=/usr/local/php \
--with-config-file-path=/etc \
--enable-cgi \
--enable-force-cgi-redirect \
--enable-mbstring \
--without-sqlite \
--with-mysql-sock=/tmp/mysql.sock \
--with-zlib \
--with-mysql=/usr/local/mysql

The next problem I had was “The plugin does not have a valid header”. In the wp-content/plugins directory, go to the new folder that your plugin created. Look for a readme.txt file and add the following line:

Tested up to: <exact WordPress version number>

WordPress Install

March 7, 2010

Managed to get WordPress installed, but I’m still in the middle of tweaking it. The instructions they have posted were excellent.

http://codex.wordpress.org/Installing_WordPress

The next part I worked on was locking down WordPress and I did that by following this individual’s instructions:

http://www.josiahcole.com/2007/07/11/almost-perfect-htaccess-file-for-wordpress-blogs/

Be careful when working with the .htaccess file. Any syntax errors will disable your site. Thankfully I can edit the file directly while it is on my server, so it is easy to reverse my changes.

I did try to replace the default theme, but got a “The Uploaded File Could Not Be Moved To” error. After some research, the error was caused by the upload setting in my php.ini file. It was set to 2M and I’ve changed it to 5M (the value in php.ini is “upload_max_filesize”). I’ve seen people saying that changing the permissions to 777 resolved this issue; doing this would be very bad. Another post said to disable some security features (secFilterEngine was one of them), again very bad.
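A check worth running alongside that php.ini change, as an added Python example (mine, not code from the original post or from PHP): upload_max_filesize only takes effect when post_max_size is at least as large, and post_max_size in turn has to fit inside memory_limit, so raising one value on its own can leave the upload failing for a different reason. The ini fragment below is constructed sample data that reproduces the 2M-to-5M change from the post with a post_max_size that was never raised.

```python
import re

# Constructed php.ini fragment for this example (not the original post's file):
# upload_max_filesize was raised to 5M but post_max_size was left at 2M.
SAMPLE_PHP_INI = """\
; File Uploads
file_uploads = On
upload_max_filesize = 5M
post_max_size = 2M
memory_limit = 128M
"""

# PHP ini shorthand: an integer with an optional K/M/G suffix, each a power of 1024.
SIZE_RE = re.compile(r"^\s*(-?\d+)\s*([kKmMgG]?)\s*$")
MULTIPLIERS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_php_size(value):
    """Convert PHP's ini shorthand ('2M', '512K', '1G', '8388608', '-1') to a byte count."""
    match = SIZE_RE.match(value)
    if not match:
        raise ValueError(f"not a PHP size value: {value!r}")
    number, unit = int(match.group(1)), match.group(2).lower()
    return number * MULTIPLIERS[unit]


def read_ini_settings(text):
    """Collect 'key = value' lines from a php.ini fragment, skipping ';' comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def upload_limit_problems(settings):
    """Return the upload-limit ordering rules the settings violate (empty list means consistent).

    Missing keys fall back to PHP's documented defaults (2M, 8M, 128M).
    """
    upload = parse_php_size(settings.get("upload_max_filesize", "2M"))
    post = parse_php_size(settings.get("post_max_size", "8M"))
    memory = parse_php_size(settings.get("memory_limit", "128M"))
    problems = []
    if post < upload:
        problems.append(
            "post_max_size (%d bytes) is below upload_max_filesize (%d bytes): "
            "a file larger than post_max_size never reaches the upload handler"
            % (post, upload)
        )
    # memory_limit of -1 means unlimited, so only compare when it is a real cap
    if memory >= 0 and memory < post:
        problems.append(
            "memory_limit (%d bytes) is below post_max_size (%d bytes)" % (memory, post)
        )
    return problems


if __name__ == "__main__":
    for problem in upload_limit_problems(read_ini_settings(SAMPLE_PHP_INI)):
        print("WARNING:", problem)
```

Raising the limits this way keeps the directory permissions and the filtering modules untouched, which is the point the post makes: the fix belongs in php.ini, not in chmod 777 or a disabled security filter.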

Though my blog will probably never be popular to read, I do take my security seriously. I’ve seen plenty of bots coming along hammering at my server. Though I’m sure that I am not 100% protected, I’d like to think that if I do get broken into, it wouldn’t be from a lack of trying on my part.

Another security measure I took was to add a .htaccess file to my wp-admin. It limits access to that folder to just my local PC. Not a foolproof solution, but just another level of protection.

Here is what I entered:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthType Basic
Order deny,allow
Deny from all
Allow from 000.000.000.000
(This IP is the one you are going to be accessing wp-admin with)
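Since the rule above only answers for requests that land in the wp-admin folder, it is worth checking the access log to see who is reaching the admin area and what they got back. The following is an added Python example (mine, not code from the original post or from WordPress) that reads the Allow from addresses out of a deny-all .htaccess fragment and lists admin-area requests from any other source. The log lines, the 192.0.2.10 allow entry and the other addresses are constructed sample data.

```python
import ipaddress
import re

# Constructed .htaccess fragment in the shape used in the post; 192.0.2.10 stands in
# for the admin workstation address (a documentation address, not a real host).
SAMPLE_HTACCESS = """\
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthType Basic
Order deny,allow
Deny from all
Allow from 192.0.2.10
"""

# Constructed Apache combined-format access log lines (sample data, not a real log).
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [07/Mar/2010:21:14:02 -0500] "GET /wp-admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Mar/2010:21:15:09 -0500] "GET /wp-admin/ HTTP/1.1" 403 212 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [07/Mar/2010:21:15:10 -0500] "POST /wp-login.php HTTP/1.1" 200 1834 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.55 - - [07/Mar/2010:21:16:44 -0500] "GET /wp-admin/admin-ajax.php HTTP/1.1" 403 212 "-" "python-requests/0.5"
192.0.2.10 - - [07/Mar/2010:21:17:01 -0500] "GET /2010/03/wordpress-install/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# client ip, identd, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

ADMIN_PREFIXES = ("/wp-admin/", "/wp-login.php")


def allowed_networks(htaccess_text):
    """Collect the addresses from 'Allow from' lines as ip_network objects (hosts become /32)."""
    networks = []
    for line in htaccess_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "allow" and parts[1].lower() == "from":
            networks.extend(ipaddress.ip_network(token, strict=False) for token in parts[2:])
    return networks


def parse_access_line(line):
    """Split one combined-format line into ip, method, path and status; None if it does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return {"ip": match.group("ip"), "method": match.group("method"),
            "path": match.group("path"), "status": int(match.group("status"))}


def admin_requests_outside_allowlist(log_text, networks):
    """Return (ip, path, status) for admin-area requests whose source is not on the allow list.

    A 403 means the .htaccess did its job; a 200 from an outside address marks a path
    the wp-admin rule does not cover (wp-login.php lives in the site root).
    """
    hits = []
    for line in log_text.splitlines():
        req = parse_access_line(line)
        if req is None or not req["path"].startswith(ADMIN_PREFIXES):
            continue
        src = ipaddress.ip_address(req["ip"])
        if any(src in net for net in networks):
            continue
        hits.append((req["ip"], req["path"], req["status"]))
    return hits


if __name__ == "__main__":
    nets = allowed_networks(SAMPLE_HTACCESS)
    for ip, path, status in admin_requests_outside_allowlist(SAMPLE_ACCESS_LOG, nets):
        flag = "blocked" if status == 403 else "NOT covered by the wp-admin .htaccess"
        print(f"{ip} {path} -> {status} ({flag})")
```

The 200 on the POST to /wp-login.php in the sample is the caveat to take away: wp-login.php sits in the site root rather than inside wp-admin, so the folder rule never sees it, and it needs its own Files block in the root .htaccess if the same address restriction is wanted there.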

Okay, now off to zlib errors.
