Month: November 2007

    What is the “Ultimate Linux Server”? I suppose that if you asked ten different people you would get just as many different answers. My definition is a basic server running a stripped down operating system to which services can be added as necessary. Simplicity and security go hand-in-hand; the fewer services or “bells and whistles” a server is running, the more secure and reliable it will be.

    My version of the “Ultimate Linux Server” starts with a minimal install of Debian Linux and an application called Webmin. Webmin is a web based administrative interface for managing all aspects of a Linux server.

    This article is the first in a series of several installments. For now, we will build the basic server and install a web proxy application on it. Future articles will explain how to build upon this base server, adding services such as a mail server, anti-spam filter, DHCP server, DNS server, etc. The Webmin application also contains features to manage the server itself, such as back up, service monitoring and alerts to email and SMS, etc. These features will also be covered in future articles.

    As the title of this article infers, we will be installing a web proxy application. Why do you need a web proxy? A question was posed by a colleague recently concerning how to monitor web traffic and report on which users were going to what sites on the internet. A web proxy can be used to intercept all HTTP traffic destined for the internet and log which computers are going where. In addition, the web proxy we are going to install (Squid) acts as a caching web proxy which can speed up the loading of previously accessed web sites. An additional application called “SARG” produces very nice reports of all web traffic based upon such criteria as source IP, destination web site, the time frame web sites were accessed, the most active users of HTTP, etc.

    In an attempt to make the installation and configuration as easy as possible, we will use a method where-by the server is accessed remotely from your own desktop PC and commands are run on the server via a terminal application (with the exception of the initial installation of the operating system which must be done using a keyboard and monitor attached directly to the server).  These commands are presented in bold type and can simply be copied and pasted into the terminal window. This server is designed to run “lights out” without a monitor or keyboard attached during normal operation.

    The recommended minimum hardware configuration would be a P4 1.5 GHz (or equivalent), 512Mb RAM, and a 40 GB (or bigger) hard drive. Linux isn’t as resource intensive as some other operating systems so the above recommendations should work very nicely. Feel free to add more RAM as you install additional services.

    Let’s begin by getting the operating system installed. Download and burn a copy of Debian Linux. I recommend getting the network install image; it’s very small and you only need a very few basic packages anyway. Go here: Debian and download the appropriate “netinst” image (i386 for most of you). Make sure you burn this as an ISO “image” and then boot your new server to this CD. Go ahead and install Debian, making sure that you are plugged into the network and the internet is accessible. You can safely accept the defaults most of the way through, with the following exceptions:

1.    If your server grabs a DHCP address, use the tab key to choose “go back”, then choose “configure network manually” and assign an appropriate static IP.
2.    When you get to the “Software selection” screen, unselect everything (trust me). This is done by using the space bar to toggle your selection and the “down” arrow key to move through the menu. Once you have deselected all options, use the “tab” key to choose continue and hit “enter”.

    After it installs grub (the boot loader), it will spit the CD out at you and you simply hit “enter” to continue and boot into your new Debian system.

    At this point, you should be staring at a login prompt (yes, it’s all text based, no “point and click” here). Simply type root, hit “enter”, and then the password you chose for root when you installed the OS. Now, we’re going to do some basic setup:

1.    Type nano -w /etc/apt/sources.list. This will open a file up in an editor.
2.    Using your arrow keys to move around, put a “#” sign in front of the second line that starts with “deb cdrom” (this is called a “comment” and it means that the line will be ignored). Then move the cursor to the end of the first line that starts with “deb http” and add “contrib” and “non-free”. It should look something like this:
“deb http://ftp.debian.org/debian/ etch main contrib non-free”
3.    Do the same for the remaining lines.
4.    Hit “ctrl o” (the ctrl button and the letter “o” at the same time), then “enter”, and then “ctrl x” to save and exit.
5.    Type the command apt-get update.
6.    Type the command apt-get install openssh-server (just hit enter when it asks you if you want to continue).

    It is a very bad idea to allow root logins via SSH so we need to edit the SSH configuration file to prevent this

1.    Enter the command nano -w /etc/ssh/sshd_config, this will open up a file in an editor. Using the same method that you used earlier to edit the “apt” file, look for the line that reads “PermitRootLogin Yes”, change “yes” to “no”, and save your changes (crtl o/enter/crtl x).
2.    Enter the command etc/init.d/ssh restart and hit enter.

    We can now finish the install remotely from our desktop by simply cutting and pasting commands into a terminal window connected to the Debian box. Linux users can simply open a terminal and connect to the Debian box using SSH. Windows users will need to download a small program that will allow terminal connections to a Linux box. This program, called “putty”, allows a Windows box to use SSH (the secure shell protocol) and can be found here: putty (just grab “putty.exe” and save it to your desktop). Open up putty, enter the IP address of your Debian box, the “regular user” name (that you created when you installed Debian), and the corresponding password.

    Once you have connected to the server via SSH, you can simply copy and paste the remaining commands (one line at a time unless otherwise noted, followed by hitting the “enter” key) into the terminal window to complete the installation and configuration.

    The next step is to add an additional repository to our /etc/apt/sources.list file and then perform a quick upgrade (“apt” is the package manager for Debian, it is used to download and install any of the tens of thousands of freely available software applications). Use the code below:

su
(enter root password)
nano -w /etc/apt/sources.list
(cut and paste the following on a new line at the bottom of the file)
deb http://download.webmin.com/download/repository sarge contrib
save your changes (crtl o/enter/crtl x)
apt-get update
apt-get dist-upgrade (choose “yes” when asked if you want to continue, if any dialog boxes pop up, hit “tab” and then “enter”)
reboot

    The reboot will knock you out of the remote session, so wait a minute for the box to reboot, then reconnect with SSH (or putty). We will now install Squid (the web proxy application) and SARG (Squid Analysis Report Generator). Use the code below:

su
(enter root password)
apt-get install squid sarg
(answer “yes” to any questions asked)

    If all went well, Squid and SARG are now installed but we need to edit the Squid configuration file to allow our local network to use the proxy server. While this can be accomplished through the Webmin interface, it involves several detailed steps to do it that way and it is much easier just to edit the underlying configuration file on the command line. Use the code below:

nano -w /etc/squid/squid.conf
(scroll waayyyy down to “# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS” and uncomment “acl our_networks” by removing the “#” at the beginning of the line and then adapt as necessary for your network)
(mine looks like this: “acl our_networks src 192.168.12.0/24”)
(uncomment the  “http_access allow our_networks” line)
save your changes (crtl o/enter/crtl x)
/etc/init.d/squid restart

    Now we need to install Webmin and any other packages that it depends upon to function properly. Use the code below:

apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl mailx webmin (NOTE: this command should all be on one line!)
(choose “yes” to any questions asked)

    That should do it as far as the installation and configuration goes, now it’s time to log into Webmin and have a look around. Open up a browser and point it to:

 https://the_IP_address_of_your_new_Debian_server:10000

    Log in as “root” with the same root password that you use to log into the server itself. You should now be looking at the Webmin interface. Take some time and explore a bit; you’ll get an idea of how powerful this interface really is! You will also discover that quite a few options are either unavailable or not installed/configured yet. We’ll get to those in a future article.

    Expand “Servers” in the left side panel, then click on “Squid Analysis Report Generator”.  Now, click on “Generate Report Now”. Whoops! Error, no records found. This is because there is no information in the log files to report. We now need to configure the web browsers on all the PC’s on our LAN to use our new proxy server to get to the internet. Configure the settings in the web browsers of your LAN machines to use a proxy (but ONLY for HTTP!). Enter the IP address of the new server as a proxy and 3128 as the proxy port. (The specifics on how to do this depend on which browser you use.) I also recommend checking the “do not use proxy for local connections” setting.  If you are a Microsoft shop and use IE, you should be able to push this out with a GPO. Now, hit a few web sites from a LAN PC then go back to Webmin and click on “Generate Report Now”. Click on “View completed report”, then click on the date under “FILE/PERIOD”. You should see some data. Everything in blue is a link to detailed data, the tiny icons are clickable too. Use the browser “back” button to return to the previous page. (Cool stuff, huh?)

    I must advise you that there is a bug with the software: If you click the “Log Source and Report Destination” icon, there is an option to enter an email address to have reports sent to. When you enable this particular option and enter an email address, subsequent report generation will fail. Bottom line is do not enable the “Email report to” option. (This is really no big deal because the emailed reports are nothing but a simple text message with very little useful information anyway). Otherwise, feel free to play with the other settings for SARG.

    One last note: savvy users will probably catch on to the fact that you are watching them and will change their proxy settings back to “connect to internet directly” to avoid being monitored. To prevent this, you should create an egress (outbound) rule on your firewall that will only allow outbound HTTP traffic if it originates from the proxy server IP (heh heh).

    As always, if you have any questions, comments, problems, or want to make a large charitable donation in my name, please feel free to contact me at thughes@fwpm.com.

RESOURCES:
Squid: http://www.squid-cache.org/

SARG: http://sarg.sourceforge.net/sarg.php

Webmin: http://www.webmin.com/

Debian: http://www.debian.org/

Putty: http://www.chiark.greenend.org.uk/~sgtatham/putty/

Burning CD images: http://www.petri.co.il/how_to_write_iso_files_to_cd.htm