Web Server & Software
So now the server is built and RAID5 configured. You can find the previous article here. I'm slowly beginning to see the light at the end of the tunnel. All I have to do now is select the server software, and that's it; or is it?
This project has seen its fair share of setbacks; smoke pouring out - frightening; a failed brand new hard drive - frustrating, to name but two! Surely now, what remained to complete the project could be done in an hour or so, with time for a little self-congratulation on a job well done.
On talking to colleagues at soslug, it became apparent that SME Server would fit the bill very nicely. It has a GUI and will provide all the services I need. Based on CentOS which in turn is based on Redhat, one would assume this to be more than adequate for a home/web server, and no doubt it is - but not for me!
I spent a fruitless weekend trying to install this system, without success.
The problem revolved around RAID5 and the Adaptec card. SME Server insisted it needed drivers and, try as I might to provide them, it wouldn't play ball. The first issue was that SME insisted I load the drivers via a floppy drive, which doesn't exist on my server. But I did try, and even jerry-rigged a temporary floppy drive to accommodate the system, but still it refused to find the drivers. Now, it's fair to say it may have been my lack of knowledge that assisted this disaster, but come on guys, floppy drives in this day and age? At least provide an alternative like a USB stick or USB drive.
Needless to say, after much cursing, SME went out of the door. I'm not saying it's bad, just that it wasn't suitable for my purposes.
I have to admit to being a massive Debian fan, so the next obvious choice was Debian, and that's what I ended up using. Debian has come a long, long way with its installation procedure, and those who claim it's difficult really ought to take another look.
Debian installation
Debian in its entirety is a massive installation, but it is not necessary to go down that road. For some time now, I've been using the network installer, which is relatively fast and only requires a small initial download.
Essentially, the Debian network install puts down a base system that is able to connect to the Internet and install just the packages you need. This has at least two major advantages:
- You limit the time required to get the initial ISO file, and
- You get an absolutely up-to-date installation, with no updates required post-installation.
At this point, I'm assuming you know how to burn an ISO file; if not, there is another wiki page I wrote explaining how that is done. You can find that here. So on with the installation.
Reminder: as with the previous page, you will see some screen shots edited in order to help protect the integrity of my server. This should not interfere with your understanding of the installation.
Turn the computer on and, as quickly as you can, place your Debian CD in the drive. Provided you have told the BIOS to treat your DVD/CD drive as the first boot device, you will end up seeing this:
Pressing F1 gives you a menu with all sorts of useful information, which should be consulted according to your particular installation requirements.
Moving back to the main screen, I chose Advanced options:
Which will then offer yet another menu for you to choose from:
In this case I chose Graphical expert install; highlighting it and pressing Enter initiates the first batch of files that run the installer.
Once this is completed, you will be presented with this screen:
This is where you start the installation proper. You will work through a menu-driven system that will configure the system for you. Essentially, you will move through the pages and sub-pages of the installation menu, telling the system what you require, and it will configure the system precisely how you want it. Once you have made your selection, pressing '''Continue''' at the lower right-hand corner will allow you to proceed through the menu.
So first choose your language:
Then your Country:
and your locale (character set).
Then your keyboard layout:
Now let it detect and mount your CD ROM:
Next you choose whether to include USB detection. This is open to debate. In a production environment, in commercial premises, it could be a security risk. No one likes the thought of their data disappearing down the road on a USB stick, or even an MP3 player! In my case, I have 24 hour access at home to the server. No one (other than my family) can get near it, so for convenience, it made sense to allow this option. Your mileage may vary.
The next option concerns PCMCIA cards and as this server has none, there is absolutely no point in taking that option.
The next part of the installation will detect and mount your CD drive. I always find this a bit curious, as you're already using it. But I think it's for the purposes of configuring your installation, rather than using the CD drive at that moment in time.
Now it's time to load the actual installer components. This is the point at which you get to choose which additional modules you wish to install.
Next, detect the network hardware:
and configure the network:
Notice that Debian has found both additional network cards, the on-board network port and the FireWire port. It is worth deciding now which one of these you propose to use as your primary network port. It will be useful later, when you come to connect your server to the Internet, both to download the required files and ultimately to connect your server to the Internet in its role as a server.
You can now choose to '''configure the network''' automatically via DHCP, or if you prefer, manually.
Provide a host name for your server:
and if you have one, a domain name:
Now we need to configure the clock.
You can, if you wish, use a Network Time Protocol (NTP) server. These servers are often run by universities or research institutions, who require very accurate time for their work. Always (as far as I know) based on atomic clocks, these servers can provide your computer with reliable, accurate time. There are certain recognised conventions when using this service: in general, don't connect to a Stratum 1 server; use a Stratum 2 (or higher-numbered) server instead. It's not that you're banned from using Stratum 1, but ask yourself if you really need to. It is a finite resource and one shouldn't abuse it. If it's not a public server, make sure you obtain the owner's permission to connect to it.
Having said all that, Debian thoughtfully provides a server for you.
Now Debian will detect your disks, meaning your hard drives, or in our case the RAID5 array.
and now we come to the part that many find difficult: partitioning.
You get the option of Guided Partitioning.
You can see Debian has discovered the RAID 5 array and is correctly listing it. '''Highlight the disk you want to partition''' and click Continue.
Now a warning.
and now you get four options:
- Guided - use entire disk
- Guided - use entire disk and set up LVM (Logical Volume Management)
- Guided - use entire disk and set up encrypted LVM
- Manual
As I wanted to use the entire volume, I opted for the second choice, but of course you should choose whatever suits you. Note, especially for secure servers, that there is now an option to encrypt the entire volume. I've never done this, as I believe it could lead to problems if you ever need to recover the RAID array, but in these days of never-ending security attacks, it should be seriously considered.
Select the drive you want to partition.
Now select how you want to partition it. Remember, we are using guided partitioning. If you were using Manual, you would have complete control over how you divide the drive into separate partitions. However, I chose to have separate partitions for /home, /usr, /var and /tmp.
Next is your last chance to opt out of the decisions you've made so far. Well, that's not quite true. You could in fact, start the installation process again, delete the present partition scheme and start again. But for us, we're going to plod on!
Now Debian asks for a Name for the new system.
Once Debian has completed its work, you get a list of your newly created partition set.
Remember, at this point you have ''only written the partition table''. No formatting has yet taken place. As it happens, I was happy using ext3 formatting, but it is at this point in the installation that you can modify the settings. Clicking Continue will initiate the formatting.
Now we get to install the Base System.
and off it goes!
Now choose the kernel you want to use
and include which drivers you want. I chose the larger option, but if you really want to lock your system down, you could opt for the minimal install.
Next we set up the Users.
You now need to make a couple of decisions.
The first is whether to use shadow passwords. Unless you have a very good reason not to, I would always choose this option. It creates a separate file, not readable by ordinary users, in which the password hashes are kept instead of in the world-readable /etc/passwd. This is without question the best security solution.
The second is whether to allow root to log in. There are differing views on this subject. My own preference is to allow it. The reason is, I don't like a user being given root privileges via '''sudo''' and being able to use a single password for both operations. I prefer root to have its own (very strong) password and something a little more memorable for the user.
Nevertheless, there are plenty of Ubuntu users that happily use ''sudo'' and a single password. So at the end of the day, it's your choice.
If you choose not to let root log in, you will create an account that is the equivalent of an administrator account in Windows; in Linux, it's known as a super user account. In practice, each time you want to carry out an administrative function, you will be asked for your password.
You now get advice on suitable password construction and asked to verify your password.
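Once the system is up, it is worth checking that the shadow-password choice actually took effect and that nobody ended up with an empty password. The script below is an added example, not part of the original article: its functions take file paths, so here they run against constructed sample files (fake hashes, no real credentials) and on the finished server they can be pointed at /etc/passwd and /etc/shadow. The owner check compares numeric UIDs; on a real system the expected owner is root (UID 0).

```shell
#!/bin/sh
# Added example (not from the original article): audit the shadow-password
# setup chosen at install time. Functions take file paths so they can be
# run against sample files here or the real /etc/passwd and /etc/shadow.

# Accounts whose passwd password field is neither the shadow marker "x"
# nor a locked marker ("*" or "!"). Anything else (a hash, or an empty
# field) means that account is not actually shadowed.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# Accounts in a shadow-format file with an empty password field, which
# would allow login with no password at all.
empty_shadow_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Succeeds only if the shadow file is owned by the expected UID (default
# 0, i.e. root) and carries no permission bits for "other". Uses GNU
# stat(1) as shipped on Debian.
shadow_perms_ok() {
    expected_uid=${2:-0}
    mode_owner=$(stat -c '%a %u' "$1") || return 1
    mode=${mode_owner%% *}
    owner=${mode_owner#* }
    [ "$owner" = "$expected_uid" ] || return 1
    case "$mode" in
        *0) return 0 ;;   # last octal digit is the "other" class
        *)  return 1 ;;
    esac
}

# --- constructed sample data (fake hashes, no real credentials) ----------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
legacy:$1$saltsalt$NOTAREALHASHxxxxxxxxxxx:1001:1001:Legacy:/home/legacy:/bin/sh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$placeholder$NOTAREALHASH:15000:0:99999:7:::
www-data:*:15000:0:99999:7:::
guest::15000:0:99999:7:::
EOF
chmod 640 "$SAMPLE_DIR/shadow"

echo "Accounts with a hash still in passwd: $(unshadowed_accounts "$SAMPLE_DIR/passwd")"
echo "Accounts with an empty shadow password: $(empty_shadow_passwords "$SAMPLE_DIR/shadow")"
# On a real system call shadow_perms_ok /etc/shadow (expected UID 0);
# here the sample file is owned by whoever runs the script.
if shadow_perms_ok "$SAMPLE_DIR/shadow" "$(id -u)"; then
    echo "shadow file permissions: ok"
else
    echo "shadow file permissions: world-readable or wrong owner"
fi
```

Against the sample data the audit flags `legacy` (a hash left in passwd) and `guest` (an empty shadow entry); both are the kind of leftover that turns up after migrating accounts from an older system, and both are worth fixing before the server goes online.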
Next, the normal user account(s). Remember, you can set up as many as you need here. You can also add accounts (and indeed delete them) later, once the system is up and running, so don't worry if you forget a family member now. First, your real name:
then your selected user name:
and now a password.
Now it's time to move on and configure the package manager. This is not the package manager you will ultimately use on the system, but the one used to carry out the network installation.
So tell Debian to use a network mirror:
and the protocol (I chose http):
The Country you're in:
and choose a mirror.
Here's where you enter any proxy information, if you need it to connect to the outside world. Leave it blank if you have a direct connection.
Now choose whether you want to use non-free software. It's worth mentioning a little about this, as it can be very confusing to new users. Non-free, in this sense, means software that may be proprietary in nature and therefore may not be modifiable in the traditional sense that open source software promotes. It does not mean software you necessarily have to pay for.
and off it goes:
Now decide which services you require. I certainly wanted security updates and as I was going to run anti-virus software on the server, it was prudent to choose volatile as well.
Now we get to the nitty-gritty. Choose the software you want to install.
You can, if you wish, help the developers here by offering anonymous feedback about the software you installed. I chose not to, as I wasn't at this point fully clear on what I was going to install. You can see from the screenshot that you can still offer that help later.
We start off with a basic system. Up until this point, it makes no difference whether you are installing Debian on a desktop or a server. It is now, you decide what you want to install.
As this was a server, I couldn't see any point in having a desktop, though many would feel more comfortable with one; therefore I deselected the desktop option but selected others:
Next: Samba. Samba is the utility that talks to Windows machines on a network. You need to tell it what your workgroup is called - most commonly: WORKGROUP!
Decide whether you want to use WINS settings (I didn't).
And now it downloads and installs:
You now have three options (you will only choose one of these):
- Install Grub
- Install Lilo
- Continue without a boot manager.
If you want the system to boot, you need a boot manager! The only time you might choose to ''Continue without a boot manager'' is if you had a specialist installation that required an alternative boot manager, which you proposed to set up separately. I chose Grub. It generally works well with Debian, but sometimes plays up with other distros. Lilo is a good boot loader if you're experiencing trouble booting the system, and can sometimes succeed when Grub fails.
Yet more choices. Grub is offered in two forms. As this is a server, I wanted the most stable installation possible, therefore I chose Legacy.
On a single-system computer, you install Grub to the master boot record. Multi-boot systems may differ, for the reasons touched on earlier.
You can password-protect Grub if you wish (a good idea on a server).
and confirm it.
Now Finish the installation.
Tell the system whether the BIOS clock is set to UTC (GMT).
and we're done! (Note the warning about removing any CD or Floppy in the drives).
The moment of truth.
This page is substantial. It's taken a damn sight longer to write, than the complete installation took; expect about 45 - 60 minutes once you're used to it.
There's no doubt about it, Debian is one of the premier server systems available today and should rank alongside Redhat and SuSE. It installed easily, without any of the issues that SME Server exhibited and is a masterpiece of software engineering.
While I don't intend to attempt to write about server security as such (it's a vast subject that no doubt could fill many books), it would be as well to remind everyone that your server installation does not stop here. You now have a responsibility to enable, as far as you can, a secure environment for the server to operate in. Do you really want your ISP contacting you complaining that your server is part of a botnet?
Simple configuration changes can turn a page like this:
which shows a number of details about the server, into something like this:
Or of course, you can create your own bespoke ''page not found'' page, along with any other error pages you wish to modify.
Why give hackers a fighting start?
As a general rule, only install services you're likely to use. Services not installed (by definition) cannot be a security risk.
Review from time to time whether you still need your original services running. If not, close them down.
Make sure you keep up to date with security patches. I know it's an old chestnut, but immense effort is made by developers to keep you secure. It is not unknown in the Linux world for security patches to become available within hours of a vulnerability being discovered. If you can, always test a patch on a test server prior to putting it on the production server. If that's not possible, try to have a current image of your server that can be rapidly restored if the patch causes unforeseen problems. It's a rare occurrence in Linux, but not impossible.
The Internet is awash with security information for Apache and Apache2. You would be well advised to browse some of that, to improve the default settings of your server.
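The "simple configuration changes" behind the two error-page screenshots above are, on Apache 2, the ServerTokens and ServerSignature directives (plus ErrorDocument for a bespoke not-found page). The script below is an added example, not from the original article or the Apache project: it reports whether a config file would still reveal version details, and prints the hardened fragment. The sample configs are constructed in a temporary directory; the `/errors/404.html` path is a hypothetical location for your own error page, and on Debian the real file to check is /etc/apache2/apache2.conf.

```shell
#!/bin/sh
# Added example (not from the original article): check an Apache 2 config
# for the directives that put server details on default error pages, and
# emit the hardened replacement.

# Print the last non-comment value of a directive, lower-cased. Apache
# treats directive names case-insensitively and, for these server-wide
# settings, the last occurrence wins.
apache_directive() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == want { val = tolower($2) }
        END { print val }' "$1"
}

# Succeeds (returns 0) if the config would reveal version details:
# anything but ServerTokens Prod/ProductOnly, or ServerSignature On.
# Absent directives fall back to Apache's built-in defaults
# (ServerTokens Full, ServerSignature Off).
apache_leaks_details() {
    tokens=$(apache_directive "$1" ServerTokens)
    sig=$(apache_directive "$1" ServerSignature)
    [ -n "$tokens" ] || tokens=full
    [ -n "$sig" ] || sig=off
    case "$tokens" in
        prod|productonly) [ "$sig" = "on" ] ;;
        *) return 0 ;;
    esac
}

# The minimal hardened fragment: product name only, no footer, and a
# bespoke 404 page served from /errors/404.html (hypothetical path).
hardened_fragment() {
    cat <<'EOF'
ServerTokens Prod
ServerSignature Off
ErrorDocument 404 /errors/404.html
EOF
}

# --- constructed sample configs -----------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
# settings that print version and OS on every error page
ServerTokens Full
ServerSignature On
EOF
{ echo '# hardened'; hardened_fragment; } > "$SAMPLE_DIR/hardened.conf"

for cfg in weak hardened; do
    if apache_leaks_details "$SAMPLE_DIR/$cfg.conf"; then
        echo "$cfg.conf: reveals server version details"
    else
        echo "$cfg.conf: ok"
    fi
done
```

Hiding the banner does not fix anything underneath it, which is why the patching advice above still applies; it just stops the server volunteering its exact version and operating system to anyone who requests a page that does not exist.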
As if I thought I was home and dry, yet another issue raised its ugly head.
I had already arranged to have a fixed Internet address supplied by my Internet Service Provider (ISP), and often the "address" is supplied as a pair. Now, there was some misunderstanding on my part when my ISP gave me my fixed address and a ''gateway'' address. I thought this was a pair, but in fact it wasn't. This caused me all sorts of problems in configuring the server to attach to the Internet.
The original plan was to have one network card facing the Internet and the other facing the home network, with the server handing out addresses to the home machines by DHCP and sharing its single public address with them (known as IP masquerading). This is why I said earlier it was important to know which network card would be your ''primary'' card. However, in the fullness of time, when I became so frustrated as to begin to doubt my own knowledge, it became clear I only had one fixed address to use. This meant that (at least for the time being) the original plan had to be shelved and another plan conceived to overcome this problem. The resolution was to use the ADSL router and configure it to provide a DMZ (Demilitarized Zone), in which the server would reside. This allows the server to be Internet facing, without subjecting the home network to any more security issues than normal.
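Both network plans just described come down to a packet-filter policy on the server: the two-card version forwards and masquerades the home network, the DMZ version forwards nothing and accepts only what it serves. The script below is an added example, not from the original article: it generates the iptables commands for each plan with a default-deny INPUT and FORWARD policy, SSH reachable only from the home subnet, and port 80 open because this is a web server. The interface names (eth0, eth1) and the subnet 192.168.1.0/24 are assumed values; the functions only print the commands, so you can review the output before running it as root.

```shell
#!/bin/sh
# Added example (not from the original article): generate iptables rules
# for the two network plans discussed above. Nothing here applies rules;
# the functions print commands for review. Interface names and subnets
# passed as arguments are assumptions for the demonstration.

# Plan 1: the server as a two-NIC gateway. $1 = Internet-facing interface,
# $2 = home-network interface, $3 = home subnet in CIDR form. Everything
# not listed is dropped; only the home network reaches SSH, port 80 is
# open to the world, and the home network is masqueraded behind $1.
gateway_rules() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $lan -s $lan_net -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
EOF
}

# Plan 2 (what the article settled on): the server sits in the router's
# DMZ with a single interface and forwards nothing. $1 = that interface,
# $2 = the subnet allowed to manage it over SSH.
dmz_host_rules() {
    iface=$1; admin_net=$2
    cat <<EOF
sysctl -w net.ipv4.ip_forward=0
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -s $admin_net -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport 80 -j ACCEPT
EOF
}

# Count the rules in a generated script that accept new inbound TCP
# connections on a given port: a sanity check that nothing you did not
# mean to expose is open. $1 = rule text, $2 = port.
inbound_accepts() {
    printf '%s\n' "$1" | grep -c -- "-A INPUT .*--dport $2 .*-j ACCEPT" || true
}

echo "# --- gateway plan (assumed eth0 = Internet, eth1 = home LAN) ---"
gateway_rules eth0 eth1 192.168.1.0/24
echo "# --- DMZ plan (assumed eth0 only) ---"
dmz_host_rules eth0 192.168.1.0/24
```

The DMZ variant is the smaller attack surface of the two: with forwarding disabled and no NAT, a compromise of the web server gives an intruder the same view of the home network that the router already allowed, which is the "no more security issues than normal" the article was after.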
This concludes the trilogy of pages dedicated to building a home web server. I hope you found it useful.