Tomas Quintero

Linux

Trouble booting CentOS 5.3 in VirtualBox

by Tomas Quintero on May.31, 2009, under Linux, virtualbox

Typically I work with Windows for day-to-day tasks, however I do use *nix for various tasks both personally and professionally. My background is primarily with FreeBSD and recently I’ve transitioned over to the Debian/Ubuntu camp (although they’re far from the same camp).

I’m looking to take a crack at CentOS though; it seems popular, companies like it, etc. The best way to work with a new OS - run it in a virtual environment!

To turn this into a short story, I was attempting to boot the CentOS 5.3 installer using VirtualBox (2.2.4 r47978) on Windows Vista64 Ultimate. Unfortunately, the install kept hanging at the message “NET: Registered protocol family 2”. Strange.


Next I began poking around and found that checking off “Enable IO APIC” in VBox’s advanced options solved the problem.


Now, my CentOS installer boots up, with no problem!



Required reading?

by Tomas Quintero on May.27, 2009, under Blogspam, Computers, Linux

When I get time, I want to read http://xenamo.sourceforge.net/. It deals with live migration of Xen virtual machines, on the cheap.


Ubuntu default root password and sudoers

by Tomas Quintero on May.04, 2009, under JeOS, Linux, Linux-commands, sudo, ubuntu

I was checking my Google Analytics key words, and noticed I was getting hits for my JeOS posting, but also people looking to find out what the “root” password was for Ubuntu. I figure I’ll write a quick article, and maybe it’ll get me more hits on the Google’s!

Ubuntu, by default, does not have a password configured for the root user. That is, root cannot log on by any means that authenticates with a password.

Instead, using ‘sudo’ is advised on Ubuntu systems. The first user created (when you are following the setup processes during the installer) is added to the file /etc/sudoers. This allows this user to execute commands with super-user privileges when they are prefixed with ‘sudo’.

Typically, when a user wants to run many commands as root, they will issue the command

sudo su

… which will prompt them for their password (unless you have disabled that), and drop them into the root shell.

Alternatively, on my systems I like to run ‘sudo passwd root’ as soon as I log in, which allows me to set a password on the root account. Doing so allows me to log in as root if I need to recover my system, say for instance my username has been removed from the /etc/sudoers file, and it gives me the warm and cozy feeling.


Ubuntu 8.04 LTS JeOS Edition LAMP Install

by Tomas Quintero on Apr.17, 2009, under How-to, Linux, ubuntu

This is my simple guide for installing a LAMP stack on Ubuntu JeOS. In this I use Lighttpd instead of Apache, maybe we should call this version LLMP.

First, I like to begin with setting a password on root. This is a faux pas in the Ubuntu world, but I consider it critical. If you find yourself unable to sudo, because your sudoers file has run into issues, su will save you a headache.

sudo passwd root

Next, update your system.

sudo apt-get update && sudo apt-get upgrade

Personally, I don’t rock the vim. Let’s get nano.

sudo apt-get install nano

I also don’t rock the console for very long, so let’s get SSH installed and configured.

sudo apt-get install openssh-server

Because we have set a root password, we need to restrict remote root login.

sudo nano /etc/ssh/sshd_config

Change PermitRootLogin yes to no, then restart SSHd

sudo /etc/init.d/ssh restart

At this point, I like to install iptables and create a policy.

sudo nano /etc/iptables_rules

and inside of /etc/iptables_rules:

#!/bin/sh

# Flushing all rules
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# Allow localhost traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established sessions
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block SSH brute force attempts
# These rules must sit above the SSH ACCEPT rule below: iptables stops at the
# first matching ACCEPT, so placed after it they would never be evaluated
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

# Allow SSH in and out
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow FTP traffic
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
modprobe ip_conntrack_ftp

Next, I don’t allow local users to see the rules

sudo chmod 770 /etc/iptables_rules

We want our rules to apply at each boot, so I symlink them into the network startup dir

sudo ln -s /etc/iptables_rules /etc/network/if-up.d/iptables_rules

Then we run the rules script for the first time

sudo /etc/iptables_rules
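
iptables walks the INPUT chain top to bottom and stops at the first terminating target, so the `recent` rate-limit rules for SSH only take effect when they appear above the plain port 22 ACCEPT. The check below is an added example, not part of the original post; `check_order`, `shadowed_rules` and `effective_rules` are names made up here, and both rule sets are constructed samples.

```shell
#!/bin/sh
# check_order PORT  (rules script on stdin)
#   exit 0: the "recent ... -j DROP" rule for PORT comes before any plain ACCEPT
#   exit 1: a plain ACCEPT for PORT comes first, so the limiter is never reached
#   exit 2: no rate-limit DROP rule for PORT was found at all
check_order() {
    awk -v port="$1" '
        # Only appended INPUT rules that match this destination port
        $1 == "iptables" && /-A INPUT/ && $0 ~ ("--dport " port "( |$)") {
            if (/-m recent/ && /-j DROP/)    { if (!drop)   drop = NR }
            else if (/-j ACCEPT/)            { if (!accept) accept = NR }
        }
        END {
            if (!drop) exit 2
            if (accept && accept < drop) exit 1
            exit 0
        }
    '
}

# Constructed sample: ACCEPT first, limiter after it (limiter is dead code)
shadowed_rules() { cat <<'EOF'
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
EOF
}

# Constructed sample: limiter first, then the ACCEPT
effective_rules() { cat <<'EOF'
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
EOF
}

for sample in shadowed_rules effective_rules; do
    if $sample | check_order 22; then
        echo "$sample: SSH limiter is reachable"
    else
        echo "$sample: SSH limiter is shadowed or missing (status $?)"
    fi
done
```

To check a real script, feed it on stdin, for example `check_order 22 < /etc/iptables_rules`.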

Next, I create a firewall rule stop script, in case it needs to be easily/quickly executed from console

sudo nano /root/fw.stop

and into fw.stop goes

#!/bin/sh
echo "Stopping firewall and allowing all connections..."
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Then I chmod it as well

sudo chmod 770 /root/fw.stop

This is JeOS, you may want crontab, manpages, locate and wget, right? Let’s grab them all, I consider them essential.

sudo apt-get install cron manpages man-db locate wget

I also like an up-to-date locate. Locate updates daily, but if you wanted to use it right away it would report that the db was not built. Let’s run it.

sudo /etc/cron.daily/locate

Time to install our LAMP stack. I use Lighttpd, so that’s what will be installed and configured per this guide.

sudo apt-get install mysql-server mysql-client lighttpd php5-cgi php5-gd imagemagick postfix php-mail phpmyadmin

The above command gives us lots of things including MySQL, Lighttpd, PHP5, Postfix, PhpMyAdmin, and a few apps such as imagemagick which are used by popular software sets such as phpBB.

Next, we need to enable a few lighty configs

sudo cp /etc/lighttpd/conf-available/10-cgi.conf /etc/lighttpd/conf-enabled/10-cgi.conf
sudo cp /etc/lighttpd/conf-available/10-fastcgi.conf /etc/lighttpd/conf-enabled/10-fastcgi.conf
sudo cp /etc/lighttpd/conf-available/10-ssi.conf /etc/lighttpd/conf-enabled/10-ssi.conf
sudo cp /etc/lighttpd/conf-available/10-userdir.conf /etc/lighttpd/conf-enabled/10-userdir.conf

I also make a few modifications in lighty’s config file

sudo nano /etc/lighttpd/lighttpd.conf

with these changes (original => modified):

"mod_compress", => # "mod_compress", ## disable mod_compress, causes issues in some environments

index-file.names => ADD index.shtml into the list ## enables index.shtml for SSI indices

server.dir-listing = "enable" => server.dir-listing = "disable" ## disable dir listings

compress.cache-dir => #compress.cache-dir ## disables this line item, since the module is disabled
compress.filetype => #compress.filetype ## disables this line item, since the module is disabled

Lastly, restart Lighttpd and we’re good to go

sudo /etc/init.d/lighttpd restart
