
How to install Ubuntu Server (22.04 LTS)

and Get Started to Run a Production Server

This article is meant for installing a "production" Ubuntu server. For Ubuntu programmers/developers, see "Ubuntu Desktop - How-To".

There are various types of releases:

  • Ubuntu is released every six months, in April and October, identified as YY.04 and YY.10.
  • "LTS" (Long Term Support) releases are supported for 5 years, while non-LTS releases are supported for only 9 months. An LTS release comes out every two years (the even-numbered YY.04). For production, use the latest LTS release.
  • ESM (Expanded Security Maintenance) extends the security patches for an LTS release from 5 to 10 years.
  • ESM is delivered through an Ubuntu Pro subscription (free for personal use on up to 5 machines).

Commonly-Used Unix Commands

APT (Advanced Package Tool)
// Refresh the software list
$ sudo apt update
// Run the actual upgrade
$ sudo apt upgrade
// Run both in one-line
$ sudo apt update && sudo apt upgrade
// Install or Remove a package
$ sudo apt install <package>
$ sudo apt remove <package>
Shutdown/Restart
// Shutdown and Restart(-r) the machine
$ sudo shutdown -r now
// Same as above
$ sudo reboot
// Shutdown and halt(-h) or power down the machine "now"
$ sudo shutdown -h now
Users and Groups
// Add a new user. "adduser" is a wrapper UI for low-level "useradd".
$ sudo adduser <username>
// Add a new group
$ sudo addgroup <groupname>
// Add a user to a group, -a needed for append
$ sudo usermod  -a -G <groupname> <username>
// List groups for a user
$ groups <username>
// List users defined in /etc/passwd
$ sudo less /etc/passwd
// List groups defined in /etc/group
$ sudo less /etc/group
// Change password for a user
$ sudo passwd <username>
Files and Directories
// Change owner for files/directories, recursive(-R)
$ sudo chown -R <user>:<group> <files>
// Change mode for files/directories, recursive(-R)
$ sudo chmod -R <mode> <files>  // <mode> is octal (e.g., 755) or symbolic [ugoa][+-=][rwx]: u owner, g group, o others, a all
// Listing files
$ ll              // Ubuntu alias for "ls -alF"
$ ll -d <filenames-with-wildcard>  // -d: list the directory itself, not its contents
$ ls -al          // -a: all, including files beginning with a dot; -l: long format
$ ls -alR         // -R:recursive
$ ls -alR | less  // pipe long output thru less
$ ls -ald <filenames-with-wildcard>
// List file contents
$ less <filename>    // for long file, q to quit
$ cat <filename>     // for short file
$ head <filename>    // first few lines
$ tail <filename>    // last few lines
// Remove files/directories recursively
$ rm -r <file>
Tar
// Create the target directory if necessary (tar does not create it)
$ mkdir <target-path>
// Extract(x) into the current directory: z(gzip), v(verbose), f(filename); keep f last, since it takes the filename
$ cd <target-path>
$ tar xzvf <tarball>
// or specify the target path via -C
$ tar xzvf <tarball> -C <target-path>
// (use t instead of x to list the contents first; check an archive you did not
//  create for absolute paths or ".." components before extracting it)

// Create(c) a gzip-compressed(z) tarball
$ tar czvf <tarball> <files>
Remote Access
// Remote login client to OpenSSH (Secure SHell) server
$ ssh <user>@<host>
// OpenSSH Secure file CoPy
$ scp <source> <target>   // <user>@<host>:<files>

Install "Production" Ubuntu Server

Installing Ubuntu Server

  1. Download the Ubuntu Server ISO from the Ubuntu site (@ https://ubuntu.com/download/server). Before using it, compare its SHA-256 checksum (sha256sum) with the value in the SHA256SUMS file published alongside the ISO (the file is GPG-signed as SHA256SUMS.gpg). Use a bootable-USB creator (e.g., https://www.pendrivelinux.com/) to write the ISO to a USB thumb drive.
  2. Boot up the machine from USB, e.g., Hit F11 for the Boot menu, and choose UEFI Boot from USB. (UEFI or Unified Extensible Firmware Interface is a replacement for BIOS.)
  3. Follow the screen instructions to install the server. (The screens below are from the classic text-mode installer; the 22.04 installer, Subiquity, asks the same questions in a slightly different order and only offers OpenSSH server plus a list of optional snaps. Install the remaining packages with apt afterwards.)
    1. Select your language and location.
    2. In "Network Configuration", choose your network card. Classic releases call the first card eth0; current releases use predictable names such as enp0s3 or eno1. If you have a static IP address, choose "Configure the network manually"; otherwise use DHCP (the default).
    3. Enter your chosen "hostname".
    4. Enter the "username" and "password" for the system administrator. By default, Ubuntu creates the "root" superuser but locks its password for security reasons; do not use "root" here. Select "no" to encrypt the home directory.
    5. Set your time zone.
    6. For disk partitioning, select "Use entire disk and set up LVM (Logical Volume Manager)" and give the whole disk to LVM. The installer creates /boot, swap and / (root) on "sda" (the first disk). You can check the partitions later with the "lsblk" (list block devices) command or with Webmin.
    7. Leave the HTTP proxy information blank.
    8. Select "No Automatic Update" if you will run manual updates regularly (see below). If nobody will patch the machine promptly by hand, "Install security updates automatically" (the unattended-upgrades package) is the safer choice for a production server.
    9. For packages, select Ubuntu Server, OpenSSH server, LAMP (Linux-Apache-MySQL-PHP), Samba (file and print services for Windows clients), Mail (local) server, Postfix (local) mail server, and PostgreSQL. Select other packages only if needed: every service you install is a listening port you have to firewall and patch.
    10. Set the root password for MySQL, if LAMP was selected.
    11. Select "yes" to install the GRUB boot loader. GRUB (GRand Unified Bootloader) is a multiboot boot loader.
  4. Reboot the machine, and log in as the system administrator you created earlier.

Post Installation - Upgrading Software

Ubuntu uses apt tool for managing software. Read "APT Tool for Managing Software".

To apply the latest software patches:

// Refresh the local package index from the repositories listed in
// /etc/apt/sources.list and the /etc/apt/sources.list.d directory.
// No software is upgraded.
$ sudo apt update
// or "sudo apt-get update"

// Upgrade the installed packages. New dependencies may be installed,
// but no package is ever removed.
$ sudo apt upgrade
// or "sudo apt-get upgrade"

// Run both commands in one line
$ sudo apt update && sudo apt upgrade

// Upgrade and also remove packages when a dependency change requires it
// (this is how kept-back packages get upgraded). Review the proposed removals.
$ sudo apt full-upgrade
// or "sudo apt-get dist-upgrade"
// Note: "sudo do-release-upgrade" is a different operation: it upgrades to the
// next Ubuntu release (e.g., 20.04 to 22.04). Not recommended on a production
// system without a tested backup and rollback plan.

// "The following packages have been kept back ......"
// Either run "apt full-upgrade" as above, or install each kept-back package by name
$ sudo apt install <kept-back-package>

To clean-up the server:

// Remove old kernels (if "df -h" shows /boot at 100%, no new kernel can be installed)
// Never remove the running kernel; check it first
$ uname -r
// (for 22.04 LTS and other current releases) autoremove keeps the running
// kernel and the newest installed one and purges the rest, along with
// other packages that are no longer needed
$ sudo apt autoremove --purge
// (for 16.04 LTS)
$ sudo apt install -y byobu   // purge-old-kernels ships with byobu
$ sudo purge-old-kernels -y --keep 1  // Purge old kernels except the current one
// (for 14.04 LTS)
// List the installed kernels other than the running one
$ sudo dpkg --list 'linux-image*' | awk '{ if ($1=="ii") print $2 }' | grep -v `uname -r`
linux-image-3.19.0-25-generic
linux-image-3.19.0-56-generic
......
// Remove the old kernels one by one (keep the newest besides the running one,
// so there is a fallback if the current kernel turns out to be bad)
$ sudo apt purge linux-image-3.19.0-25-generic
$ sudo apt purge linux-image-3.19.0-56-generic
......

// Remove packages that were installed as dependencies and are no longer needed
$ sudo apt autoremove

// Update GRUB for kernel changes (apt normally runs this for you when a kernel package is removed)
$ sudo update-grub

// Clean APT cache
$ sudo du -sh /var/cache/apt/archives  // display the cache size
$ sudo apt clean  // clean up
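The listing-and-purge steps above are easy to get wrong by hand (purging the running kernel, or the only other bootable one). The script below is an added example, not part of the original page: it computes which kernel image packages are safe to purge, always keeping the running kernel and the newest installed one. The dpkg output it is demonstrated on is constructed, and the package names follow the Ubuntu linux-image-<version>-generic pattern.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): decide which old kernel packages
# are safe to purge. The running kernel and the newest installed kernel are always
# kept, so a bad new kernel still leaves a known-good one to boot from.
# Package names follow the Ubuntu pattern linux-image-<version>-generic.
set -euo pipefail

# Constructed sample of: dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' 'linux-image-*'
# "ii" = installed, "rc" = removed but config files remain (nothing left in /boot to free)
SAMPLE_DPKG='ii  linux-image-5.15.0-25-generic
ii  linux-image-5.15.0-56-generic
rc  linux-image-5.15.0-41-generic
ii  linux-image-5.15.0-60-generic
ii  linux-image-generic'

# kernels_to_purge RUNNING_VERSION   (dpkg output on stdin)
# Prints versioned, installed kernel image packages, oldest first, minus the
# newest one and minus the running kernel.
kernels_to_purge() {
  local running="$1"
  awk '$1 == "ii" && $2 ~ /^linux-image-[0-9]/ { print $2 }' \
    | sort -V \
    | head -n -1 \
    | { grep -vx "linux-image-${running}" || true; }   # grep exits 1 when nothing is left; not an error
}

# Real run (as root). Prints the apt command instead of executing it so you can review it first.
kernel_purge_command() {
  local pkgs
  pkgs=$(dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' 'linux-image-*' \
         | kernels_to_purge "$(uname -r)" | tr '\n' ' ')
  if [ -z "$pkgs" ]; then
    echo "nothing to purge"
  else
    echo "apt-get purge -y $pkgs"
  fi
}

# Demo on the constructed sample, pretending 5.15.0-56-generic is the running kernel
printf '%s\n' "$SAMPLE_DPKG" | kernels_to_purge 5.15.0-56-generic   # linux-image-5.15.0-25-generic
```

On a live 22.04 box, `sudo apt autoremove --purge` applies the same keep-running-and-newest rule automatically; the function is useful when you want to see the list before anything is removed, or on releases where autoremove does not handle kernels.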

Shutdown/Restart Server

To shutdown the machine via a terminal (remotely thru SSH, or local system console):

// Shutdown and restart(-r)
$ sudo shutdown -r now
// Reboot (same as above)
$ sudo reboot
// Shutdown the machine, halt(-h) and "power down" after shutdown
$ sudo shutdown -h now

You can also shutdown the server remotely via Webmin (Goto "System" ⇒ "Bootup and Shutdown" ⇒ "Shutdown System" or "Reboot System").

UPS (Uninterruptible Power Supply)

  1. Install "Dell UPS Local Node Manager".
  2. Configure via http://ip-addr:4679.

To shutdown server with UPS:

  1. Halt and power down the server via "sudo shutdown -h now".
  2. Cut off the power supply to the UPS.
  3. Push the "power" button of the UPS. UPS will take a while to power off.

To power-on server with UPS:

  1. Turn on the power supply to UPS.
  2. Push the "power" button of the UPS to supply power to the server.
  3. Switch on the server (push the "power" button of the server). The server shall boot.

NAS (Network-Attached Storage) Drives

"Network-attached storage (NAS) is file-level computer data storage server connected to a computer network providing data access to a heterogeneous group of clients."

[TODO]

Using Static IP Address

Ubuntu Server 22.04 configures networking with netplan: the settings live in YAML files under /etc/netplan/ and are applied with the netplan tool, which can roll the change back automatically if you lose connectivity. The /etc/network/interfaces file and the ifup/ifdown commands below belong to the ifupdown scheme of older releases (they still work if you install the ifupdown package). To configure a static IP address with ifupdown, edit /etc/network/interfaces. For example, for the first network card (eth0 in the classic naming; enp0s3 or similar with predictable interface names):

# eth0 for the first network card with static IP address
auto eth0
iface eth0 inet static
address x.x.x.x
netmask 255.255.255.0
gateway x.x.x.x
dns-nameservers x.x.x.x x.x.x.x

To enable the network interface eth0:

$ sudo ifup eth0
      // Network Interface Up

To disable the network interface eth0:

$ sudo ifdown eth0
      // Network Interface Down

You can also configure a static IP address via Webmin: goto "Networking" ⇒ "Network Interfaces" ⇒ click on the network interface to be used ⇒ select "Static Configuration" and enter the "IP address" and "Netmask" (255.255.255.0). Do this from the local console, or be ready to reach it: a wrong address or gateway cuts off your SSH session.
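For a 22.04 server, the equivalent of the ifupdown stanza above is a netplan file. The script below is an added example, not part of the original page: it emits the netplan YAML for a static IPv4 address and shows how to apply it safely. The interface name enp0s3 and the 192.0.2.0/24 addresses are placeholders to replace with your own.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): generate the netplan file that gives an
# interface a static IPv4 address on Ubuntu Server 22.04, where netplan (not
# /etc/network/interfaces) is the network configuration system. The interface name
# (enp0s3) and the 192.0.2.0/24 addresses are placeholders.
set -euo pipefail

# netplan_static IFACE ADDRESS/PREFIX GATEWAY DNS1 [DNS2 ...]   -> YAML on stdout
netplan_static() {
  local iface="$1" addr="$2" gw="$3"
  shift 3
  case "$addr" in
    */*) ;;                                                   # netplan wants CIDR notation
    *)   echo "address must include a prefix length, e.g. 192.0.2.10/24" >&2; return 1 ;;
  esac
  [ "$#" -ge 1 ] || { echo "at least one DNS server is required" >&2; return 1; }
  local dns
  dns=$(printf '%s, ' "$@"); dns="${dns%, }"                   # "a, b" list for the YAML flow sequence
  cat <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    ${iface}:
      dhcp4: false
      addresses: [${addr}]
      routes:
        - to: default
          via: ${gw}
      nameservers:
        addresses: [${dns}]
EOF
}

# Usage on the server (as root):
#   netplan_static enp0s3 192.0.2.10/24 192.0.2.1 192.0.2.53 > /etc/netplan/01-static.yaml
#   chmod 600 /etc/netplan/01-static.yaml    # keep netplan files root-only
#   netplan try                              # applies, then reverts automatically unless you confirm
#   ip -4 addr show dev enp0s3               # confirm the address
netplan_static enp0s3 192.0.2.10/24 192.0.2.1 192.0.2.53
```

Make sure the installer-generated file (typically /etc/netplan/00-installer-config.yaml) does not also configure the same interface for DHCP, otherwise the two files are merged and the result is not what you wrote. `netplan try` is the safe way to apply a change over SSH: if the new addressing cuts you off, the previous configuration comes back after the timeout.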

Configuring Logical Volume (via Webmin)

If you have multiple disks (physical volumes), you can combine them into a single logical volume.

  1. In "Webmin", select "Hardware" ⇒ "Logical Volume Management".
  2. Select "Physical Volumes" ⇒ "Add a physical volume" ⇒ Select a hard disk. Start with /dev/sdb. Repeat this to add /dev/sdc, /dev/sdd, etc. [Hard disks are labelled /dev/sdx, where x is a letter a, b, c... assigned to each disk in turn.]
  3. Select "Logical Volumes" ⇒ click on the icon named "root" ⇒ then under "Edit Logical Volume" ⇒ check the button "Use all free VG space" ⇒ save.

All the physical volumes (hard disks) are now part of one logical volume that holds the root file system /. Note that this concatenates the disks without redundancy: if any one disk fails, the whole root file system is lost. It adds capacity; it is not a substitute for RAID and backups.

Remote Access Ubuntu Server with GUI

I have 2 servers. I designated one as the test machine, installed with a desktop GUI supporting remote access, and the other as production without a GUI.

How to install a Desktop GUI on Ubuntu Server

Ubuntu Server does not come with a GUI. To add one:

  1. Update repositories and packages:
    $ sudo apt update && sudo apt upgrade
  2. Install and set up a display manager: a display manager is an application that starts the display server, launches the desktop, and manages user authentication. The default GDM3 is a resource-intensive display manager. To conserve system resources, consider a lighter one, such as SLiM or LightDM.
    // Check if GDM3 is installed
    $ apt list gdm3 --installed
    
    // If GDM3 is not already installed, install SLiM:
    $ sudo apt install slim
  3. Install the GUI on Ubuntu Server: with a display manager installed, we can install the Ubuntu Desktop. The default Ubuntu Desktop is a modified version of the GNOME desktop environment.
    $ sudo apt install ubuntu-desktop
  4. Reboot the machine:
    $ sudo reboot
    After the system reboots, a graphical login screen appears.
  5. For the vanilla GNOME experience, install the following packages:
    $ sudo apt install vanilla-gnome-desktop vanilla-gnome-default-settings
  6. Miscellaneous settings:
    // To set the font size for gnome
    $ gsettings set org.gnome.desktop.interface text-scaling-factor 1.4

Setup Remote Desktop Access to Ubuntu Server from Windows

(Tested on Ubuntu Server 22.04LTS and Windows 10.)

  1. First, install the Remote Desktop Protocol (RDP) server xrdp on the Ubuntu server:
    $ sudo apt install xrdp
  2. Enable xrdp to start at boot and start it now:
    $ sudo systemctl enable --now xrdp
  3. Open firewall port 3389 for incoming traffic. RDP is a frequent brute-force target, so restrict the source to your management network where possible (replace "any" in "from any" with that network):
    $ sudo ufw allow from any to any port 3389 proto tcp
  4. On the Windows host, open the "Remote Desktop Connection" client (use the search box to search for "remote") and connect to the server's hostname or IP address.

Webmin

References:

  1. Webmin mother site @ http://www.webmin.com.
  2. Michał Karzyński, "Webmin Administrator's Cookbook", Packt Publishing, 2014.


Webmin (@ http://www.webmin.com) provides a web-based interface for Unix system administration. You can configure operating system internals, such as users, disk quotas, services or configuration files, as well as modify and control applications such as the Apache HTTP Server, PHP and MySQL. Webmin runs its own web server, which listens on TCP port 10000 by default. Because it runs as root, treat it like SSH: keep it patched and reachable only from trusted networks.

Installing Webmin

To install webmin:

  1. Read the instructions at http://www.webmin.com/deb.html and follow the section "Using the Webmin APT repository", which adds Webmin's signing key and repository so that updates arrive through apt. Webmin is written in Perl, which is installed automatically as a dependency.
  2. Log in to Webmin at https://hostname:10000 via a web browser. Webmin generates a self-signed certificate at installation, so the browser warns on the first visit; accept it only after comparing its fingerprint with the certificate in /etc/webmin/miniserv.pem on the server. Log in as root or with an account that has sudo privileges.

Webmin Configurations, Users and Groups

Webmin stores its configurations in directory /etc/webmin.

Webmin Users and Groups

Webmin maintains its own users and groups, separate from the Unix system users/groups. Webmin's user management is flexible: you can synchronize Webmin accounts with system accounts, or keep them separate by creating Webmin-only users/groups; you can also create sub-administrators restricted to certain modules and configurations. To configure Webmin users, goto "Webmin" ⇒ "Webmin Users".

By default, Webmin allows the system's root user and members of the sudo group to log in. This is sufficient for a small production environment, as Webmin is meant for the system administrator and not for regular users (who should use Usermin). This is configured via:

  1. Under "Webmin" ⇒ "Webmin Users" ⇒ a default Webmin user called root was created during the installation with "Password" option set to "Unix authentication".
  2. Under "Webmin" ⇒ "Webmin Users" ⇒ "Configure Unix User Authentication" ⇒ Check "Allow users who can run all commands via sudo to login as root".
    Webmin issues a "sudo su" command to gain root privilege to perform privileged operations.

Webmin logs all the actions performed by users through it for auditing and security.

  • You can view all the action logs via "Webmin" ⇒ "Webmin Actions Log".
  • You can inspect the currently open sessions via "Webmin" ⇒ "Webmin Users" ⇒ "View Login Sessions" ⇒ Select "View Logs" for a particular "Session ID".
TCP Port Number

By default, Webmin listens on TCP port 10000 on all IP addresses of the server. You can change the port number via "Webmin" ⇒ "Webmin Configuration" ⇒ "Listen on port", and restrict the listening address with "Bind to IP address". On a server with a public address, bind Webmin to an internal address or firewall port 10000 to your management network; changing the port alone hides nothing from a port scan.

Time-out Inactive Webmin Sessions Automatically

Goto "Webmin" ⇒ "Webmin Configuration" ⇒ "Authentication" ⇒ Check "Auto-logout" and set the time-out period ⇒ "Save".

Webmin Commonly-Used Tools and Utilities

Command Shell (Others ⇒ Command Shell)

You can issue commands directly via the Webmin command shell (instead of logging in via SSH). They run as root, so the same care applies as at a root prompt.

To issue multiple commands, separate the commands with semicolon (;). To execute command conditionally, chain the commands with the AND operator (&&).

File Manager (Others ⇒ File Manager)

A graphical file manager (written as a Java applet) for creating, deleting and modifying files, directories and symlinks, and for viewing text files. You can also set file/directory permissions.

Note: To run the applet, you need to add the Webmin's URL to the "Exception site list" under "Control Panel" ⇒ "Java".

Upload and Download (Others ⇒ Upload and Download)

You can upload files from your PC (the one running the Webmin browser session) to the server, download files from the server to your PC, or download files from the web (by providing a URL) to the server. This substitutes for SCP (Secure Copy).

Text Login (Others ⇒ Text Login) and SSH login (Others ⇒ SSH Login)

You can log in to the system via "Text Login" or "SSH Login". "Text Login" uses a component called Ajaxterm, while "SSH Login" uses a Java applet.

Managing Unix Users

Managing Users/Groups

You can create, delete and edit users and groups via the menu "System" ⇒ "Users and Groups".

You can also create users in batch, via "System" ⇒ "Users and Groups" ⇒ "Run batch file".

Changing User's Password

To change a user's password, goto "System" ⇒ "Users and Groups" ⇒ Click on the desired user ⇒ Under "Password" ⇒ Select "Normal Password" ⇒ Enter the new password. Furthermore, under "Password Options", you can set "Force change at next login", or set the password expiry period.

Webmin issues the "sudo passwd username" command, which updates the hashed password in /etc/shadow.

Monitoring the System

Show Recent User Logins

Goto "System" ⇒ "Users and Groups" ⇒ Goto the bottom of the screen, click "Display Logins By". You can choose "All Users" or select a particular user.

Webmin inspects /var/log/wtmp, which stores the history of all logins and logouts. wtmp is a binary file, read with the last and lastlog commands. Similarly, /var/log/btmp stores failed logins, and /run/utmp (historically /var/run/utmp) holds the currently logged-in sessions. For example:

$ last
      // Show all recent logins
$ last username
      // Show recent logins by username
$ lastlog
      // List all users with their last login
$ sudo lastb
      // List all failed logins captured in /var/log/btmp (readable by root only,
      // because mistyped passwords often end up in the username field)
$ who
      // List the currently logged-in users
View Log Files

Goto "System" ⇒ "System Logs", which lists the log files available thru Webmin.

Adding more Log Files

To add log files of Webmin supported servers (such as Apache 2, MySQL, PostgreSQL, PHP), goto "System" ⇒ "System Logs" ⇒ "Module Config" ⇒ "Other log files to show" ⇒ Enter the log file name and description, e.g.,

/var/log/apache2/access.log Apache access log
/var/log/apache2/error.log Apache error log
Triggering Email Alerts

Webmin can periodically check the status of your system (e.g., CPU load, disk usage) and servers (e.g., Apache, MySQL) and send you an email if one fails.

To enable email alert: Goto "Others" ⇒ "System and Server Status" ⇒ "Scheduled Monitoring" ⇒ In "Scheduled checking enabled", select to "yes" ⇒ Set "Send email when" to "When a service goes down" ⇒ ... ⇒ "Save".

Monitoring System Load

To monitor system load, goto "Others" ⇒ "System and Server Status" ⇒ In "Add monitor of type", select "Load Average" and click the button ⇒ In "Load average to check", select "15 minute" ⇒ In "Maximum load average", set to the CPU cores your machine has ⇒ "Create".

Monitor Disk Space

To monitor disk space, goto "Others" ⇒ "System and Server Status" ⇒ In "Add monitor of type", select "Disk Space" and click the button ⇒ In "Filesystem to check", select / (root file system) ⇒ In "Percentage of total", set to 90 percent ⇒ "Create".

Monitoring a remote server

For servers such as Apache, you need to monitor from another machine, in case the entire machine fails.

To monitor a remote HTTP server, goto "Others" ⇒ "System and Server Status" ⇒ In "Add monitor of type", select "Remote HTTP Service" and click the button ⇒ In "URL to request", enter the URL for the remote server ⇒ "Create".

Similarly, to monitor whether a remote server is up, choose "Remote Ping" and set "Host to ping" to the IP address or hostname.

Network Bandwidth Monitoring

Goto "Network" ⇒ "Bandwidth Monitoring" ⇒ ... [TODO]

Scheduling One-time/Periodic Jobs

Schedule a Command to Run Once in Future (with at)

Goto "System" ⇒ "Scheduled Commands" ⇒ In "Run as user", set the user to run the script ⇒ Enter the date/time ⇒ Set the "Run in directory" ⇒ Enter the "Command to execute" ⇒ Choose "Yes" to "Send email on completion" ⇒ "Create".

To display the scheduled commands: goto "System" ⇒ "Scheduled Commands". You can also cancel a scheduled command.

Webmin issues the following Unix commands:

$ su run-as-username
$ cd run-in-directory
$ echo 'command' | at -m date-time
      // at wraps the commands into a script and stores it in /var/spool/cron/atjobs/.
      // atd (the at daemon) runs the script at the specified date-time; -m mails the output to the user.
Schedule a Command to run regularly (with cron)

Goto "System" ⇒ "Scheduled Cron Jobs" ⇒ "Create a new Scheduled cron job" ⇒ Set the username in "Execute cron job as" ⇒ Set "Yes" to "Active" ⇒ Type the command in "Command" ⇒ Set the schedule ⇒ "Save".

Webmin adds the task to crontab (cron table in /var/spool/cron/crontabs). The cron daemon then executes the task at the regular schedule.

Create frequently-used custom commands

Goto "Others" ⇒ "Custom Commands" ⇒ "Create a new custom command" ⇒ ...

The custom command created will be displayed as a menu item.

Securing the System

Setting up the Firewall

Reference: "IPTables How-To" @ https://help.ubuntu.com/community/IptablesHowTo.

Linux has a built-in firewall, netfilter, which is configured with the iptables tool. (On 22.04 the iptables command is a compatibility front end to the nftables backend; the ufw tool installed by default is a simpler front end on top of the same rules. Webmin's "Linux Firewall" module edits iptables rules directly, so manage the rules with one tool only; mixing them leaves rules that the other tool does not know about.) The three commonly used tables are:

  1. the filter table for filtering IP packets,
  2. the nat table for network address translation, and
  3. the mangle table for modifying IP packets.

Each table contains a set of chains. Each chain has rules.

For the filter table, there are 3 chains (of rules): INPUT (applied to incoming packets), OUTPUT (applied to the outgoing packets), and FORWARD (applied to incoming packets destined for another system). You can list all the current filter rules via the following command:

$ sudo iptables -L   // -L to list the current filtering rules.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
      // The filter table has 3 chains with no rules

The iptables tool is complex. But, we are only concerned about the incoming IP packets, i.e., the INPUT chain of the filter table. To setup incoming packet-filtering via Webmin:

  1. Goto "Webmin" ⇒ "Networking" ⇒ "Linux Firewall" ⇒ Select the option "Allow all traffic" and check "Enable firewall at boot time" ⇒ "Setup Firewall".
  2. Select the table "Packet filtering (filter)". On a fresh installation, there are no rules in any of the 3 chains: INPUT, OUTPUT and FORWARD.
  3. Add the following rules, which are necessary for the proper operation of the network stack.
    Under "Incoming packets (INPUT)":
    1. "Add Rule" ⇒ Set "Action to take" to "Accept" ⇒ For "Connection states", select "Equals" for both "Established" and "Related" ⇒ "Create".
      This rule allows incoming packets that belong to a connection that is already established (or is related to one, such as an FTP data connection). We will set the rules for new connections later.
      The corresponding Unix command is:
      $ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
            // -A INPUT: append this rule to the INPUT chain
            // -m conntrack: use the connection-tracking match
            // --ctstate ESTABLISHED,RELATED: match these connection states
            // -j ACCEPT: accept the packet
    2. "Add Rule" ⇒ Set "Action to take" to "Accept" ⇒ For "Network protocol", select "Equals" for "ICMP" ⇒ "Create".
      This rule allows incoming packets for ICMP diagnostics such as ping and traceroute.
    3. "Add Rule" ⇒ Set "Action to take" to "Accept" ⇒ For "Incoming interface", select "Equals" for "lo" (local) ⇒ "Create".
      This rule allows incoming packets for local loopback interface (or, localhost).
  4. Next, create rules for each of the protocol services that are permitted to access the server. This depends on your specific environment.
    Under "Incoming packets (INPUT)":
    1. To allow incoming SSH connections, which use TCP port 22 by default: "Add Rule" ⇒ Set "Action to take" to "Accept" ⇒ For "Network protocol", select "Equals" for "TCP" ⇒ For "Destination TCP or UDP port", select "Equals" and set "Port(s)" to 22 ⇒ For "Connection states", select "Equals" for "NEW" ⇒ "Create".
      The corresponding Unix command is:
      $ sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
            // -A INPUT: append this rule to the INPUT chain
            // -p tcp: network protocol TCP
            // --dport ssh: destination port; "ssh" is looked up in /etc/services (22)
            // -j ACCEPT: accept the packet
            // (a "--ctstate NEW" match is optional here, since rule 1 already
            //  accepts the packets of established connections)
    2. To allow incoming Webmin connections, which use TCP port 10000 by default: repeat the above, but choose port 10000. For SSH and Webmin, also restrict the source address to your management network if you have one; these are the ports that get brute-forced.
    3. Similarly, you can allow incoming connections for services such as HTTP (TCP port 80), HTTPS (TCP port 443), Usermin (TCP port 20000), Samba (UDP ports 137 and 138, TCP ports 139 and 445), PhpMyAdmin (...) ...
  5. Finally, set the INPUT chain's default policy to drop packets that do not match any rule. Select "Default action" to "Drop", and click the "Set Default Action To" button. Do this last, after the accept rules are in place, and confirm from a second SSH session that you can still log in before closing the one you are working in.
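The same policy can be expressed as a single ruleset and loaded atomically with iptables-restore, so that the DROP policy and the ACCEPT rules take effect together. The script below is an added example, not part of the original page, and goes a little beyond it: FORWARD is dropped too (this host is not a router), INVALID packets are dropped, and SSH/Webmin can be limited to an admin network. The port list and the 192.0.2.0/24 admin network are placeholders for your environment.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): the INPUT-chain policy from the steps
# above, written as an iptables-restore ruleset so that all rules and the DROP
# policy are loaded in one atomic step (rule-by-rule "iptables -A" with the policy
# set last leaves a window, and a typo mid-way can lock you out). Beyond the page:
# FORWARD is dropped (not a router), INVALID packets are dropped, and the management
# ports can be restricted to an admin network. Ports and network are placeholders.
set -euo pipefail

# filter_rules "PORT[,PORT...]" [ADMIN_NET]   -> filter-table ruleset on stdout
filter_rules() {
  local ports="$1" admin_net="${2:-}"
  local -a list
  local p src
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
EOF
  IFS=, read -ra list <<<"$ports"
  for p in "${list[@]}"; do
    case "$p" in
      ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
    esac
    src=""
    # Management services (SSH 22, Webmin 10000) accept NEW connections only from the admin network
    if [ -n "$admin_net" ] && { [ "$p" = 22 ] || [ "$p" = 10000 ]; }; then
      src="-s ${admin_net} "
    fi
    echo "-A INPUT ${src}-p tcp --dport ${p} -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "COMMIT"
}

# Usage on the server (keep a second SSH session open while testing):
#   filter_rules "22,10000,80,443" 192.0.2.0/24 | sudo iptables-restore
#   sudo iptables -S INPUT                 # review the live rules
#   sudo apt install iptables-persistent   # then: sudo netfilter-persistent save
filter_rules "22,10000,80,443" 192.0.2.0/24
```

The loopback and ESTABLISHED,RELATED rules come first because they match most packets; the INVALID drop stops packets that belong to no tracked connection from reaching the per-port rules. If you let Webmin manage the firewall, load a ruleset like this through its "Linux Firewall" module rather than iptables-restore, so that the module's saved copy stays in sync with what is live.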
Temporarily Disabling Firewall

If you make a mistake configuring the firewall, it might lock you out of remote access (e.g., via SSH). Log in through the local system console to temporarily disable the firewall:

$ sudo iptables -F INPUT
      // Flush (remove) all rule from the INPUT chain.
$ sudo iptables -P INPUT ACCEPT
      // Set the default policy to ACCEPT for INPUT chain.
      // These changes are applicable to the current session only.
      // The configurations will be restored from the configuration files after reboot.
Verifying Firewall Settings via Port Scanning

Use a port scanner such as Nmap (@ http://nmap.org) to scan your server from another machine. A scan run on the server itself goes through the loopback interface, which the rules above accept, and says nothing about what the network sees. For example,

$ nmap -sT hostname
      // TCP connect scan of the 1000 most commonly used ports
$ nmap -sT -p- hostname
      // Scan all 65535 TCP ports, may take a few minutes

On the server, list the listening sockets with ss (part of iproute2, installed by default on 22.04; the older netstat comes from the net-tools package and accepts the same flags). Run it via SSH or Webmin's Command Shell:

$ sudo ss -tulpen
      // -t: list TCP sockets
      // -u: list UDP sockets
      // -l: list listening (server) sockets
      // -p: show PID and program name (root is needed to see other users' processes)
      // -e: show extended information (uid, inode)
      // -n: display numbers instead of service names

Compare the two: anything ss shows on a non-loopback address that nmap does not report is being blocked by the firewall, and anything nmap reports that you do not recognise needs investigating.
Controlling which services are started at boot and turning off unnecessary services

First, check which services open network ports with the following command (via SSH or Webmin's Command Shell). Every listening service is attack surface to patch and firewall, so remove or disable the ones you do not need.

$ sudo ss -tulpen
      // -t: list TCP sockets
      // -u: list UDP sockets
      // -l: list listening (server) sockets
      // -p: show PID and program name
      // -e: show extended information
      // -n: display numbers instead of service names
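The listing shows every socket; what matters for the firewall is which ones are reachable from the network. The script below is an added example, not part of the original page: it filters ss output down to the sockets that are not bound to a loopback address. The ss output it runs on is constructed for the demonstration, and the process names and PIDs in it are made up.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): from "ss -tulpen" output, list only the
# listening sockets reachable from other hosts, i.e. not bound to a loopback address.
# These are the ports that must either be firewalled or belong to a service you
# deliberately expose. The sample output below is constructed.
set -euo pipefail

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*     users:(("systemd-resolve",pid=612,fd=13)) uid:101 ino:16234 sk:1
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=899,fd=3)) ino:19211 sk:2
tcp   LISTEN 0      128    [::]:22             [::]:*        users:(("sshd",pid=899,fd=4)) ino:19213 sk:3
tcp   LISTEN 0      4096   127.0.0.1:3306      0.0.0.0:*     users:(("mysqld",pid=1200,fd=21)) uid:114 ino:23000 sk:4
tcp   LISTEN 0      128    *:10000             *:*           users:(("miniserv.pl",pid=1400,fd=5)) ino:25011 sk:5'

# exposed_listeners   (ss -tulpen output on stdin)
# Prints "proto local-address program" for every socket not bound to loopback.
exposed_listeners() {
  awk 'NR > 1 {
    host = $5; sub(/:[^:]*$/, "", host)               # drop the :port suffix
    if (host ~ /^127\./ || host == "[::1]") next      # loopback only: not reachable remotely
    prog = "?"
    if (match($0, /users:\(\("[^"]+"/))                 # process name from users:(("name",pid=...
      prog = substr($0, RSTART + 9, RLENGTH - 10)
    print $1, $5, prog
  }'
}

# Live use:  sudo ss -tulpen | exposed_listeners   (sudo, so the Process column is filled for every socket)
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

In the sample, the resolver stub on 127.0.0.53 and MySQL on 127.0.0.1 are left out, while sshd on 0.0.0.0 and [::] and Webmin on * are reported. A service that only local applications need (a database behind a web application, for instance) should be bound to 127.0.0.1 in its own configuration rather than merely firewalled, so that a firewall mistake cannot expose it.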

To disable services at boot, goto "System" ⇒ "Bootup and Shutdown" ⇒ Select the service ⇒ Click "Disable Now on Boot". Disabling a service at boot does not stop the running instance; stop it as well, then re-run the listing above to confirm that the port is closed.

Note: Ubuntu 22.04 boots with systemd, which starts the enabled units from /lib/systemd/system and /etc/systemd/system; the classic /etc/init.d scripts that Webmin also lists are run through systemd's compatibility layer.

Checking User Passwords

You can use a password cracking program such as John the Ripper (@ http://www.openwall.com/john) to periodically attempt to crack the passwords on your system via brute-force or dictionary attack. Run it as root, because /etc/shadow is readable by root only:

$ sudo john /etc/shadow
      // Start password cracking (default wordlist and rules)
$ sudo john --show /etc/shadow
      // Show the cracked passwords

To terminate John the Ripper, kill the process (via System ⇒ Running Processes ⇒ Get the Process ID ⇒ Goto Process information ⇒ Terminate the PID), or press Ctrl-C in the terminal. John keeps the cracked passwords in clear text in /root/.john/john.pot. Remove the directory afterwards, and have the affected users change their passwords.

Disable root Login Remotely via SSH

Allowing root to log in remotely over SSH exposes the most valuable account on the system to brute-force password guessing. Disable remote root login and use another administrator account that can sudo to root instead.

To disable root login over SSH, goto Servers ⇒ SSH Server ⇒ Authentication ⇒ Allow login by root ⇒ No.

Webmin edits the SSH configuration file /etc/ssh/sshd_config, setting PermitRootLogin to no, and restarts the SSH server with "sudo service ssh restart" (the Ubuntu service is named ssh, not sshd). Keep your current SSH session open and confirm from a second session that you can still log in before you disconnect.

Note: By default, the root account password is locked in Ubuntu, so password login as root already fails; the setting still matters once a root password is set or root SSH keys are installed, and it takes root out of the usernames that automated attacks try.
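One check worth making after the Webmin change: sshd uses the first value it reads for a keyword, and the stock 22.04 /etc/ssh/sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file there overrides anything set later in the main file (cloud images ship a 50-cloud-init.conf drop-in, for instance). The helper below is an added example, not part of the original page: it reports the effective value of a keyword for a configuration given on stdin in the order sshd reads it. The sample configuration and the drop-in file names are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): sshd uses the FIRST value it reads for
# a keyword, and the stock 22.04 /etc/ssh/sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf", so a drop-in wins over anything set later
# in the main file. This helper reports the effective value of a keyword for a config
# given on stdin, in the order sshd reads it. Includes and Match blocks are not
# expanded; on the real host, "sshd -T" prints the final values. The sample is constructed.
set -euo pipefail

SAMPLE_SSHD_CONFIG='# --- /etc/ssh/sshd_config.d/50-cloud-init.conf (read first via Include) ---
PermitRootLogin yes
PasswordAuthentication yes
# --- /etc/ssh/sshd_config (edited later by Webmin) ---
permitrootlogin no
PasswordAuthentication no
Match User backup
    PermitRootLogin forced-commands-only'

# effective_sshd_option KEYWORD   (config on stdin) -> prints the value sshd will use
effective_sshd_option() {
  local key
  key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')          # keywords are case-insensitive
  awk -v key="$key" '
    /^[[:space:]]*#/ || NF == 0 { next }             # comments and blank lines
    tolower($1) == "match"     { exit }              # global section ends at the first Match
    tolower($1) == key         { print $2; exit }    # first occurrence wins
  '
}

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_sshd_option PermitRootLogin   # prints "yes", not "no"
```

The fix is to put the hardened values where they are read first, e.g. in a drop-in named /etc/ssh/sshd_config.d/00-hardening.conf (the Include reads the files in name order), then check the syntax with `sudo sshd -t`, restart with `sudo systemctl restart ssh`, and confirm the live value with `sudo sshd -T | grep -i permitrootlogin` from a second session.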

Managing Samba

Samba provides file sharing for Windows clients. It uses UDP ports 137 and 138 (NetBIOS name and datagram services) and TCP ports 139 and 445, which must be opened in the firewall if it is enabled. It runs as the Unix services nmbd, smbd and winbind, which must be started at boot time.

Configuring Samba

First, check that the Samba module is enabled in Webmin. Goto "Servers" ⇒ look for "Samba Windows File Sharing". If it is absent, enable the Samba module from "Un-used Modules".

Next, set up the server to be visible on the network. Goto "Servers" ⇒ "Samba Windows File Sharing" ⇒ "Windows Networking" ⇒ Set "Workgroup" to WORKGROUP or the workgroup name used in your organization ⇒ Set "Server description" to the name under which your server should appear on the network, or "%h" for the server's hostname.

Creating a Samba Share

First, create a dedicated non-login (pseudo) Unix user named samba to own the shared directory (say, /srv/samba): Goto "System" ⇒ "Users and Groups" ⇒ "Create User" ⇒ Set the "Username" to "samba" ⇒ Set the "Real Name" to "Samba Share Pseudo-User" ⇒ Set the "Home directory" to "/srv/samba" ⇒ Set the "Shell" to "/usr/sbin/nologin" or "/bin/false" ⇒ Set the "Password" to "No login allowed" ⇒ Set the "Primary group" to "New group with same name as user" ⇒ Set "Copy template files to home directory" to "No" ⇒ Set "Create user in other modules" to "No".

Next, create the Samba shared network folder: Goto "Servers" ⇒ "Samba Windows File Sharing" ⇒ "Create a new file share" ⇒ Set the "Share name" to "SharedFolder" or a more appropriate name ⇒ Set the "Directory to share" to "/srv/samba" ⇒ Set "Automatically create directory" to "No" ⇒ Set both "Available" and "Browseable" to "Yes" ⇒ "Create".

Next, create Samba user accounts: Samba keeps its own password database, separate from the Unix users (Windows clients authenticate with NT hashes, which cannot be derived from the hashes in /etc/shadow). To convert Unix users to Samba users: Goto "Convert Users" ⇒ Set "Unix users to convert" to "Only listed users or UID ranges" ⇒ Browse the user list to select a user ⇒ "Convert Users". Convert only the accounts that need file-sharing access.

Finally, grant Samba users access to the shared folder: Goto "Servers" ⇒ "Samba Windows File Sharing" ⇒ Click on the name of the share. Click "Security and Access Control" ⇒ Set "Writable" to "Yes" ⇒ Set "Read/Write users" to the permitted users ⇒ "Save". Click "File Permissions" ⇒ Set "Force Unix user" and "Force Unix group" to "samba" ⇒ "Save".

Authenticating users using Microsoft's Active Directory Service

[TODO]

Sharing home directory

Samba can share each user's home directory automatically.

To share home directories: Goto "Servers" ⇒ "Samba Windows File Sharing" ⇒ "Create new shares" ⇒ In "Share name", select "Home Directories Share". Click "Security and Access Control" ⇒ Set "Writable" to "Yes". Under "Authentication", select "revalidate user".

[TODO]

Backing up the System

[TODO]

Configuring Apache HTTP Server under Webmin

Webmin places Apache under the "Server" ⇒ "Apache Webserver".

If Firewall is enabled, you need to permit incoming connection for HTTP (default on TCP port 80) and HTTPS (default on TCP port 443).

Starting/Stopping Apache Server via Webmin

You can start/stop Apache server via link "Start Apache" or "Stop Apache" on the top-right corner. Webmin issues commands:

$ sudo service apache2 start
      // Start the apache server
$ sudo service apache2 stop
      // Stop the apache server
$ sudo service apache2 restart
      // Stop and Start the apache server
$ sudo service apache2 reload
      // Reload the apache configurations without restarting the server
apachectl

apachectl is a front end to the Apache HTTP server, meant for the administrator to control the server (on Ubuntu it is an alias for apache2ctl). The commands are:

$ sudo apachectl start|stop|restart
      // Start, stop, or restart the server
$ sudo apachectl fullstatus|status
      // Show the status of the server
$ sudo apachectl graceful
      // Gracefully restart the server: finish in-flight requests, then re-read the configuration
$ sudo apachectl graceful-stop
      // Complete all requests and stop the server
$ sudo apachectl configtest
      // Check the configuration files for syntax errors; run this before every restart
Configuring Apache to start at boot time

Goto "System" ⇒ "Bootup and Shutdown" ⇒ Click on "apache2" ⇒ Set "Start at boot time" to "Yes".
You can also view the Apache init script (/etc/init.d/apache2) here; on 22.04 the service is actually managed by the systemd unit apache2.service.

Apache Configuration

The Apache configuration is divided into 3 sections: global settings, default server and virtual hosts. If a request matches one of the virtual hosts, it will be handled by the matched virtual host; otherwise, it will be processed by the default server.

Configuring the Default Server

Goto "Servers" ⇒ "Apache Webserver" ⇒ Select tab "Global configuration" ⇒ Select "Networking and Addresses" ⇒ In "Listen on addresses and ports", set "Addresses" to "All" and "Port" to 80 (the default HTTP TCP port number) ⇒ Select tab "Existing virtual hosts" ⇒ choose "Default Server" ⇒ Click "Document Options", set "Document root directory" to "/var/www" (or your choice) ⇒ "Save" ⇒ "Apply Changes".

Configuring a virtual host

Go to "Servers" ⇒ "Apache Webserver" ⇒ Select tab "Create virtual host" ⇒ ...

The resulting virtual host block (on Ubuntu, virtual hosts live in /etc/apache2/sites-available/*.conf and are enabled through links in sites-enabled):

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "/var/www/example.com"
</VirtualHost>

Setting options for directories, files and locations

Go to "Servers" ⇒ "Apache Webserver" ⇒ Select tab "Existing virtual hosts" ⇒ Select the virtual host to be configured ⇒ In "Create Per-directory, file or location" ⇒ Set "Type" to ...

Redirecting incoming requests

Go to "Servers" ⇒ "Apache Webserver" ⇒ "Existing virtual hosts" ⇒ Select the virtual host to be configured ⇒ Click "Aliases and Redirects" ⇒ Fill in "Regexp URL redirects": set "From" to ..., "Status" to 301, "To" to ....

Webmin adds a RedirectMatch or Redirect directive under the virtual host:

// With regex matching: $1 is the part of the path captured by (.*)
RedirectMatch 301 /test/(.*) "http://example.com/test/$1"
 
// Without regex: the prefix /test/ is replaced and the rest of the path is appended
Redirect 301 /test/ "http://example.com/test/"

Browsers cache a 301 (permanent) redirect, so a wrong target keeps biting after the configuration is fixed; use 302 while testing and switch to 301 once the mapping is final.

Setting up Secure Website with SSL
  1. Enable Apache module ssl (from the shell: sudo a2enmod ssl, which also activates the "Listen 443" line in /etc/apache2/ports.conf).
  2. Generate a private key via openssl:
    $ openssl genrsa -out key.pem 2048
          // genrsa 2048: use the RSA algorithm with a key length of 2048 bits (the accepted minimum today)
          // -out: output key filename. The key is written unencrypted, so create it in a
          //   directory that others cannot read and move it into place as root (step 4).
    
  3. Make a self-signed certificate:
    $ openssl req -new -key key.pem -x509 -nodes -days 365 -addext "subjectAltName=DNS:example.com" -out cert.pem
           // -new -x509: generate a new self-signed X.509 certificate (rather than a signing request)
           // -nodes: "no DES", i.e. do not encrypt a private key generated by req;
           //   it has no effect here because the key already exists and is given by -key
           // -key key.pem: input private key filename
           // -days 365: valid for 365 days
           // -addext "subjectAltName=DNS:example.com": put the server's full domain name into
           //   the Subject Alternative Name; browsers ignore the Common Name on its own and
           //   reject a certificate without a SAN. Use your own host name here.
           // -out cert.pem: output certificate filename
           // When prompted for "Common Name", enter the same full domain name.
     
    $ openssl x509 -noout -text -in cert.pem
           // Display the certificate data; check the "Subject Alternative Name" and "Not After" fields
    
     A self-signed certificate still produces a browser warning, because no trusted CA vouches for it.
     It is fine for testing or an internal server; a public production server should use a
     certificate from a CA (for example Let's Encrypt via certbot).
  4. Move the private key file and certificate to the Apache configuration directory (/etc/apache2) and restrict the private key so that only root can read it:
    $ sudo chown root:root key.pem
    $ sudo chmod 400 key.pem
          // Owner root, group root, mode r-------- (read-only by owner).
          // Apache's parent process runs as root and reads the key at startup; the worker
          //   processes run as www-data and must not be able to read it.
  5. Go to "Servers" ⇒ "Apache Webserver" ⇒ "Create virtual host" ⇒ Set the "Port" to 443 (HTTPS default) ⇒ Set the "Document Root" ⇒ Set the "Server Name" to be the same as the host name in the certificate ⇒ Set "Enable SSL" to "yes" ⇒ Set the Certificate and private key file.

Webmin activates SSL by adding the following directives to the virtual host:

SSLEngine on
SSLCertificateFile /etc/apache2/cert.pem
SSLCertificateKeyFile /etc/apache2/key.pem

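The same procedure (steps 2 to 5 above, plus the redirect of plain HTTP described under "Redirecting incoming requests") as a shell script, added here as an example; it is not code from the original page or from Webmin. It assumes openssl(1) is installed; the host name www.example.com, the directory /etc/apache2/ssl and the site file name are hypothetical parameters. Besides producing the key and certificate, it verifies what Webmin does not: that the certificate carries a subjectAltName, that the key really belongs to the certificate, and that the key file is readable by its owner only.

```shell
#!/bin/sh
# Added example, not code from the original page or from Webmin: steps 2 to 5
# of the procedure above from the shell, plus the HTTP-to-HTTPS redirect.
# Requires openssl(1). Host name, directories and file names are hypothetical
# parameters; nothing here is a Webmin default.
set -eu

# make_selfsigned HOST OUTDIR [DAYS]
# Writes OUTDIR/key.pem (RSA 2048, unencrypted) and OUTDIR/cert.pem
# (self-signed, with HOST in subjectAltName) and restricts their modes.
make_selfsigned() {
    host=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    # umask 077: the key file is never group- or world-readable, not even briefly
    (umask 077 && openssl genrsa -out "$outdir/key.pem" 2048 2>/dev/null)
    # -subj skips the interactive prompts; -addext adds the SAN that browsers
    # require (they ignore the Common Name on its own)
    openssl req -new -x509 -key "$outdir/key.pem" -days "$days" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -out "$outdir/cert.pem" 2>/dev/null
    chmod 400 "$outdir/key.pem"   # r--------; the owner should be root (chown root:root when run as root)
    chmod 444 "$outdir/cert.pem"  # the certificate is public
}

# cert_san CERTFILE: print the DNS names in the certificate's subjectAltName
cert_san() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# key_mode FILE: print the permission string, e.g. -r--------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# key_matches_cert KEYFILE CERTFILE: succeed only if the public key inside the
# certificate is the one derived from this private key (Apache refuses to
# start on a mismatch). Both commands print the public key as PEM.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# write_vhost HOST DOCROOT KEYFILE CERTFILE OUTFILE
# Writes two VirtualHost blocks: port 80 only redirects to HTTPS, port 443
# carries the site with SSLEngine on, as in the directives Webmin generates.
write_vhost() {
    cat > "$5" <<EOF
<VirtualHost *:80>
    ServerName $1
    Redirect permanent / https://$1/
</VirtualHost>

<VirtualHost *:443>
    ServerName $1
    DocumentRoot "$2"
    SSLEngine on
    SSLCertificateFile $4
    SSLCertificateKeyFile $3
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    ErrorLog \${APACHE_LOG_DIR}/$1-error.log
    CustomLog \${APACHE_LOG_DIR}/$1-access.log combined
</VirtualHost>
EOF
}

# Example run as root (hypothetical names):
#   make_selfsigned www.example.com /etc/apache2/ssl
#   key_matches_cert /etc/apache2/ssl/key.pem /etc/apache2/ssl/cert.pem
#   write_vhost www.example.com /var/www/example.com \
#       /etc/apache2/ssl/key.pem /etc/apache2/ssl/cert.pem \
#       /etc/apache2/sites-available/www.example.com.conf
#   a2ensite www.example.com.conf && apachectl configtest && apachectl graceful
```

The port 80 block deliberately contains nothing but the redirect, so a plain-HTTP request never reaches the site content; the SSLProtocol line turns off SSLv3, TLS 1.0 and TLS 1.1, which Webmin does not do for you. Always run apachectl configtest before the graceful restart that loads the new site.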
Configure Apache's Access and Error Log Files

By default, Apache keeps two log files: an access log, which records every incoming request, and an error log, which records error and diagnostic messages. Keep the two in separate files, and give each virtual host its own pair, so that one site's traffic can be analysed and rotated on its own.

The log record format can be specified as (this is the format that Ubuntu's /etc/apache2/apache2.conf already defines under the nickname "combined"):

%h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
      // %h: Remote IP address (or hostname if HostnameLookups is on; leave it off on a busy server)
      // %l: Remote logname from identd; practically always "-"
      // %u: Remote user if the request was authenticated, else "-"
      // %t: Time the request was received, as [day/month/year:hour:minute:second zone]
      // %r: First line of the request: method, path and protocol
      // %>s: Final HTTP status code (e.g., 200 for OK, 404 for not found)
      // %O: Bytes sent, including headers
      // %{Referer}i: Referer request header
      // %{User-Agent}i: User-Agent request header, which identifies the browser
      // %r, Referer and User-Agent are supplied by the client: treat them as untrusted
      //   input wherever the log is parsed or displayed (e.g., in a web report).

These directives are added under the <VirtualHost>:

ErrorLog /var/log/apache2/example.com-error.log
LogLevel warn
CustomLog /var/log/apache2/example.com-access.log combined
      // CustomLog takes the log file and the format nickname. Do not write
      //   'LogFormat "combined"' followed by TransferLog instead: a LogFormat without a
      //   nickname redefines the default format, here to the literal string "combined",
      //   and TransferLog would then write that word for every request.

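To show what the fields are good for, here is an added example (not from the original page) that reads combined-format lines with awk: a count of status codes per client, the bytes sent per client, the clients producing many 4xx responses, and request lines containing directory-traversal sequences. The six log lines are constructed for the example; the addresses are from the documentation ranges and the paths are hypothetical. The functions split on the double quote rather than on spaces because the request line and User-Agent are supplied by the client, and a space inside them would shift the status column in a space-split parse.

```shell
#!/bin/sh
# Added example, not from the original page: first-pass analysis of Apache
# "combined" access log lines with awk. The log lines below are constructed
# for the example; addresses are documentation ranges, paths hypothetical.
set -eu

SAMPLE_LOG='203.0.113.7 - - [10/May/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5432 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/May/2024:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 1024 "http://example.com/index.html" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/May/2024:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 487 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2024:13:56:02 +0000] "GET /.env HTTP/1.1" 404 487 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2024:13:56:03 +0000] "GET /../../etc/passwd HTTP/1.1" 400 226 "-" "python-requests/2.31"
192.0.2.5 - alice [10/May/2024:13:57:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"'

# With -F'"' each line splits into: $1 = '%h %l %u [%t] ', $2 = request line,
# $3 = ' %>s %O ', $4 = Referer, $6 = User-Agent. A space inside the
# client-controlled request line or agent string cannot move the status
# column. (Apache escapes a literal '"' in those fields as '\"', which this
# simple split would still break on; a real parser must honour the escape.)

# status_by_ip LOGTEXT: one "IP STATUS COUNT" line per combination, sorted
status_by_ip() {
    printf '%s\n' "$1" | awk -F'"' '
        { split($1, h, " "); split($3, s, " "); count[h[1] " " s[1]]++ }
        END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# bytes_by_ip LOGTEXT: total %O (bytes sent including headers) per client
bytes_by_ip() {
    printf '%s\n' "$1" | awk -F'"' '
        { split($1, h, " "); split($3, s, " "); bytes[h[1]] += s[2] }
        END { for (ip in bytes) print ip, bytes[ip] }' | LC_ALL=C sort
}

# error_ips LOGTEXT MIN: clients with at least MIN responses in the 4xx range,
# the usual first sign of scanning for files that do not exist
error_ips() {
    printf '%s\n' "$1" | awk -F'"' -v min="$2" '
        { split($1, h, " "); split($3, s, " ")
          if (s[1] ~ /^4[0-9][0-9]$/) err[h[1]]++ }
        END { for (ip in err) if (err[ip] >= min) print ip }' | LC_ALL=C sort
}

# traversal_requests LOGTEXT: "IP REQUESTLINE" for request lines that contain
# a directory-traversal sequence, plain or percent-encoded
traversal_requests() {
    printf '%s\n' "$1" | awk -F'"' '
        tolower($2) ~ /\.\.\/|%2e%2e/ { split($1, h, " "); print h[1], $2 }'
}

# Against a real log: status_by_ip "$(cat /var/log/apache2/example.com-access.log)"
```

Reading a log file into a shell variable is fine for a day's worth of a small site; for larger logs pass the file name to awk directly with the same field logic.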
Analyzing Log Files using Webalizer
  1. Check that Webalizer is installed (package webalizer).
  2. Go to "Servers" ⇒ "Webalizer Logfile Analysis" ⇒ "Add a new log file for analysis" ⇒ Set "Base logfile path" to the access log ⇒ Set "Write report to directory" to ... ⇒ Set "Run webalizer as user" to root ⇒ Set "Always re-process log files" to "no" ⇒ Set "Clear log file after scheduled report" to "no" ⇒ Set "Report options" to "Use global options" ⇒ Set "Scheduled report generation" to "Enabled, at times chosen below" ⇒ Select "Simple schedule", set to "Daily (at midnight)" ⇒ "Create".
     Running the analyser as root is the simplest choice but not the safest: it parses client-supplied strings (request line, Referer, User-Agent) and writes HTML that usually ends up under the web root. A dedicated unprivileged user that can read the logs and write the report directory does the same job with less at stake. Keep the report directory out of the public document root, or protect it with authentication, since it reveals paths, visitors and error rates to anyone who can reach it.

Configuring MySQL under Webmin

I recommend using PhpMyAdmin.

Post Installation

Run the mysql_secure_installation script, which interactively:

  • Sets a password for the MySQL root user (and offers to enable the VALIDATE PASSWORD component). On Ubuntu 22.04 the MySQL root user authenticates through the Unix socket by default ("sudo mysql" works without a password), so this step can be skipped unless you switch root to password authentication.
  • Removes the anonymous user.
  • Disallows root login from anywhere except localhost. Connections through an SSH tunnel, or from phpMyAdmin running on the same machine, still work because both reach MySQL as localhost; give applications their own least-privileged accounts rather than using root.
  • Removes the test database if present.
  • Reloads the privilege tables so the changes take effect immediately.

[TODO]

Usermin

Usermin (@ http://www.webmin.com/usermin.html) is a web-based user interface for Unix-like systems. It is a simplified version of Webmin meant for regular users (whereas Webmin is for the system administrator), for tasks such as reading mail, configuring mail forwarding, and setting up SSH (Secure Shell).

Mail Server

[TODO]
