Monthly Archives: February 2012

How To Set Up A DHCP Server For Your LAN


Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 09/20/2006

This tutorial describes how to set up a DHCP server (ISC-DHCP) for your local network. DHCP is short for “Dynamic Host Configuration Protocol”; it is a protocol that handles the assignment of IP addresses, subnet masks, default routers, and other IP parameters to client PCs that don’t have a static IP address. Such computers try to find a DHCP server in their local network which in turn assigns them an IP address, gateway, etc. so that they can connect to the internet or other computers from the local network.

In this short guide I will show how to set up a simple DHCP server (ISC-DHCP) on a Debian Sarge (3.1) system whose sole purpose is to assign IP addresses, a gateway, DNS servers, etc. to client computers from the local network that don’t have a static IP address. You can use such a DHCP server in your home network, your office, etc., for example if your router doesn’t come with a built-in DHCP server. If you set up such a DHCP server, please make sure you don’t already have another one in your LAN: DHCP has no authentication and a client simply accepts the first offer it receives, so two servers on one segment will hand out conflicting addresses, gateways and DNS servers (a rogue DHCP server on a LAN abuses exactly this to redirect the clients’ traffic).

Of course, one can imagine much more complicated DHCP setups, but these are outside the scope of this document.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

This is the current situation:

  • I’m using the network 192.168.0.0, subnetmask 255.255.255.0, broadcast address 192.168.0.255.
  • My gateway to the internet is 192.168.0.1; on the gateway there’s no DHCP server.
  • My ISP told me the DNS servers I can use are 145.253.2.75 and 193.174.32.18.
  • I have a pool of 30 IP addresses (192.168.0.200 to 192.168.0.229) that can be dynamically assigned to client PCs and that are not already in use.
  • I have an unused Debian Sarge server with the hostname server1.example.com on the IP address 192.168.0.100 which will act as my DHCP server.

 

2 Installing The DHCP Server

Now let’s install our DHCP server on our Debian Sarge system:

apt-get install dhcp3-server

You will be asked a few questions:

On what network interfaces should the DHCP server listen? <– eth0

(This answer is written to /etc/default/dhcp3-server as INTERFACES="eth0". List only the interface(s) facing your LAN; a DHCP server that answers on an interface facing the internet or another network is itself a rogue DHCP server for that network.)

Please configure the DHCP server as soon as the installation finishes. <– Ok

The version 3 DHCP server is now non-authoritative by default <– Ok

At the end of the installation you will see errors like these:

Generating /etc/default/dhcp3-server…
Starting DHCP server: dhcpd3 failed to start – check syslog for diagnostics.
invoke-rc.d: initscript dhcp3-server, action “start” failed.

That’s ok because we did not have the chance yet to configure our DHCP server.

 

3 Configuring The DHCP Server

Now we must configure our DHCP server. We must tell it from which IP range it should assign IP addresses to requesting clients, which gateway it should assign, which DNS servers, etc.

The configuration file for our DHCP server is /etc/dhcp3/dhcpd.conf. Currently it contains a sample configuration which we copy to /etc/dhcp3/dhcpd.conf_orig for future reference:

cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf_orig
cat /dev/null > /etc/dhcp3/dhcpd.conf

With the last command we have emptied /etc/dhcp3/dhcpd.conf so that we can place our own configuration in it which we do now:

vi /etc/dhcp3/dhcpd.conf

The file should look like this:

ddns-update-style none;

option domain-name-servers 145.253.2.75, 193.174.32.18;

default-lease-time 86400;
max-lease-time 604800;

authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.200 192.168.0.229;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.0.255;
        option routers 192.168.0.1;
}

I explain the configuration options here:

  • ddns-update-style: You can tell the DHCP server to update a DNS server if the IP address of a server in your LAN has changed (because it has been assigned a different IP by DHCP). As we do not run servers in our LAN or always give them static IP addresses (which is a good idea for servers…) we don’t want to update DNS records so we set this to none.
  • option domain-name-servers: This tells the DHCP server which DNS servers it should assign to a client. You can specify more than one DNS server here, separated by commas.
  • default-lease-time, max-lease-time: A client can tell the DHCP server for how long it would like to get an IP address. If it doesn’t do this, the server assigns an IP address for default-lease-time seconds; if it does, the server grants the requested time, but only up to max-lease-time seconds.
  • authoritative: If this is not set and a client requests an address that the server knows nothing about (or that is wrong for this network segment), the server will _not_ send a DHCPNAK, which is what tells the client to stop using that address. We want our server to be the authority for this network, so we set authoritative.
  • subnet: The subnet to use.
  • netmask: The netmask to use.
  • range: Tells the DHCP server from which range it can assign IP addresses to clients. In our example it’s from 192.168.0.200 to 192.168.0.229 (30 IP addresses).
  • option broadcast-address: The broadcast address to use.
  • option routers: Tells the DHCP server the gateway address it should assign to requesting clients. In our case the gateway is 192.168.0.1.

If you are not sure about your personal network settings (network, netmask, broadcast address, etc.), visit www.subnetmask.info where you can calculate your settings.

You see, this is a very simple and basic configuration, but it’s enough to make our DHCP server functional. Now let’s start it:

/etc/init.d/dhcp3-server restart

Afterwards you can check the output of

ps aux | grep dhcpd

to see if DHCP is running. You should also see it in the output of

netstat -uap

which should resemble this one:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 *:bootps                *:*                                2185/dhcpd3
udp        0      0 *:868                   *:*                                1964/rpc.statd
udp        0      0 *:871                   *:*                                1964/rpc.statd
udp        0      0 *:sunrpc                *:*                                1553/portmap

You can see that DHCP is running on the bootps UDP port which translates to port 67 UDP (run

grep bootps /etc/services

and you will see that bootps means port 67).

Finally you can check /var/log/syslog if any errors occurred during the DHCP server start. To see the last 100 lines of /var/log/syslog, for example, run

tail -n 100 /var/log/syslog

 

4 How Can I See That My DHCP Server Is Working OK?

To see if your DHCP server is working as expected, boot another PC (Windows, Linux, Mac, …) in your LAN that doesn’t have a static IP address. Wait a few seconds, and in /var/log/syslog on the DHCP server you should see that the DHCP server assigns an IP address to your PC. For example, in this excerpt of /var/log/syslog, a client PC named matze has been assigned the IP address 192.168.0.229:

Sep 19 16:01:26 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 via eth0
Sep 19 16:01:26 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:27 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:27 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: Wrote 1 leases to leases file.
Sep 19 16:01:31 server1 dhcpd: DHCPREQUEST for 192.168.0.229 (192.168.0.100) from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPACK on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0

The DHCP server writes all current IP address “leases” to the file /var/lib/dhcp3/dhcpd.leases so you should also find the lease there:

vi /var/lib/dhcp3/dhcpd.leases

# All times in this file are in UTC (GMT), not your local timezone.   This is
# not a bug, so please don't ask about it.   There is no portable way to
# store leases in the local timezone, so please don't request this as a
# feature.   If this is inconvenient or confusing to you, we sincerely
# apologize.   Seriously, though - don't ask.
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-V3.0.1

lease 192.168.0.229 {
  starts 2 2006/09/19 14:01:31;
  ends 3 2006/09/20 14:01:31;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:76:8b:c4:16;
  uid "010014v\213\30426";
  client-hostname "matze";
}
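The lease file is also the quickest way to answer two operational questions: which clients are bound right now, and how much of the 30-address pool is in use. As an added example (not part of this tutorial, and not ISC code), the following Python script parses the dhcpd.leases format shown above and reports both. The lease text embedded in it is constructed for the demonstration. Two details matter in practice: dhcpd appends updated records instead of rewriting the file, so the last block for an address is the current one, and a pool that suddenly fills with leases for many different MAC addresses is what a DHCP starvation attack looks like from the server side.

```python
"""Audit an ISC dhcpd.leases file: current leases and dynamic-pool utilization.

Added example, not from the tutorial or from ISC. Parses the dhcpd.leases(5)
format shown above; the sample lease text is constructed for this demo.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample. Times in dhcpd.leases are UTC, as the file header says.
# 192.168.0.201 appears twice: dhcpd appends updated records, the last one counts.
# 192.168.0.202 still says "active" but its end time has already passed.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.0.229 {
  starts 2 2006/09/19 14:01:31;
  ends 3 2006/09/20 14:01:31;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:76:8b:c4:16;
  client-hostname "matze";
}
lease 192.168.0.201 {
  starts 2 2006/09/19 14:05:00;
  ends 3 2006/09/20 14:05:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.0.202 {
  starts 1 2006/09/18 09:00:00;
  ends 2 2006/09/19 09:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.0.201 {
  starts 2 2006/09/19 14:10:00;
  ends 3 2006/09/20 14:10:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(
    r"^\s*(starts|ends|binding state|hardware ethernet|client-hostname)\s+(.*?);\s*$", re.M)


def parse_utc(text):
    """'2006-09-19 16:00:00' -> aware UTC datetime (helper for callers)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def _lease_time(value):
    """'3 2006/09/20 14:01:31' (weekday date time) -> UTC datetime; 'never' -> None."""
    if value == "never":
        return None
    _weekday, date, clock = value.split()
    return datetime.strptime(date + " " + clock, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return {ip: record}. Later records for the same IP replace earlier ones,
    because dhcpd appends updates to the file instead of editing in place."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        rec = {"ip": ip, "state": None, "mac": None, "hostname": None,
               "starts": None, "ends": None}
        for key, value in FIELD_RE.findall(body):
            if key == "starts":
                rec["starts"] = _lease_time(value)
            elif key == "ends":
                rec["ends"] = _lease_time(value)
            elif key == "binding state":
                rec["state"] = value
            elif key == "hardware ethernet":
                rec["mac"] = value.lower()
            else:  # client-hostname
                rec["hostname"] = value.strip('"')
        leases[ip] = rec
    return leases


def active_leases(leases, now):
    """Leases that are bound right now: state active and not past their end time."""
    return [r for r in leases.values()
            if r["state"] == "active" and (r["ends"] is None or r["ends"] > now)]


def pool_report(leases, pool_start, pool_end, now, warn_at=0.8):
    """Utilization of the dynamic range. A jump towards 100% with many distinct
    MACs in a short time is the signature of DHCP starvation."""
    first = int(ipaddress.ip_address(pool_start))
    last = int(ipaddress.ip_address(pool_end))
    pool = {str(ipaddress.ip_address(n)) for n in range(first, last + 1)}
    active = [r for r in active_leases(leases, now) if r["ip"] in pool]
    utilization = len(active) / len(pool)
    return {"size": len(pool), "active": len(active),
            "distinct_macs": len({r["mac"] for r in active}),
            "utilization": utilization, "warning": utilization >= warn_at}


if __name__ == "__main__":
    now = parse_utc("2006-09-19 16:00:00")
    recs = parse_leases(SAMPLE_LEASES)
    for r in active_leases(recs, now):
        print(r["ip"], r["mac"], r["hostname"] or "-", "until", r["ends"])
    print(pool_report(recs, "192.168.0.200", "192.168.0.229", now))
```

On the server itself you would read /var/lib/dhcp3/dhcpd.leases and pass the current time; a record can still say binding state active after its end time until dhcpd rewrites the file, which is why active_leases() checks the end time as well.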

Have Fun!

 

5 Links

  • ISC-DHCP: http://www.isc.org/index.pl?/sw/dhcp/
  • dhcpd.conf configuration options: http://www.bind9.net/dhcpd.conf.5
  • Network Calculators: http://www.subnetmask.info

Copyright © 2006 Falko Timme
All Rights Reserved.

[Debian-Sarge] Tunneling NFS over SSH

Last Update: 27-09-2006 @ ~21:40
Reason: Added fixed ports for nfs server to make life easy :)

Welcome

The goal of this howto is building a NFS server that works on a SSH tunnel. This way all traffic between your hosts and the file server is encrypted and thus more secure :)
Normally you should enter a password every time you try to establish a SSH connection but since we could be mounting at bootup we will use ssh-keygen to create a keypair so we can login without entering a password. We will, however, limit that login session to executing just 1 command ;)
We will use a new clean Debian Sarge install to begin with.

In this howto I will use the fictional domain “linux.lan”.


Installing Software

We will start with the NFS server.

apt-get -y install nfs-kernel-server

First, configure it to run on fixed ports: this makes building a firewall much easier and, equally important, keeps the client mounts simple.

echo "STATDOPTS=--port 2231" > /etc/default/nfs-common
echo "options lockd nlm_udpport=2232 nlm_tcpport=2232" >> /etc/modules.conf
echo "RPCNFSDCOUNT=8" > /etc/default/nfs-kernel-server
echo "RPCMOUNTDOPTS='-p 2233'" >> /etc/default/nfs-kernel-server

(With a 2.6 kernel and module-init-tools, the lockd options line belongs in /etc/modprobe.conf or a file under /etc/modprobe.d/ rather than in /etc/modules.conf.)

That's it, now we can use port 2233 later on when we mount the shares :) Check that it worked with rpcinfo -p.
If nlockmgr still uses random ports, lockd is compiled into the kernel rather than loaded as a module, so the module options are ignored. Pass the ports as kernel parameters in your grub/lilo configuration instead:
"lockd.udpport=2232 lockd.tcpport=2232".

Create a new user called sleeper to use for setting up the ssh tunnel from other hosts. We will generate a key for this account so you can log in with a key file instead of typing your password every time. The account will also be restricted to executing 'sleep' through this key. Other commands will simply fail.

adduser sleeper
su sleeper

Now switch over to a client that will use our fileserver.
First we need a key:

ssh-keygen -t rsa -b 2048

(use defaults and NO passphrase! A key without a passphrase is protected only by the file permissions of /root/.ssh/id_rsa on the client, which is exactly why the server side below restricts what this key may do.)

Now copy the .pub file to the homedir of sleeper on the server (the -P 12345 assumes your sshd listens on port 12345; drop it if sshd runs on the default port 22):

scp -P 12345 ~/.ssh/id_rsa.pub sleeper@10.0.0.241:~/

Now back to the server:
As the ‘sleeper’ user we need to configure/install the key:

mkdir ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh
mv ../id_rsa.pub ./id_rsa.pub
cat id_rsa.pub >> authorized_keys
chmod 600 authorized_keys

(sshd refuses keys in a group- or world-writable ~/.ssh when StrictModes is on, which is the default, hence the chmod 700.)

Add this to the beginning of the line in authorized_keys (before ssh-rsa [...]), followed by a single space:

from="client.linux.lan",command="/bin/sleep 600d",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="10.0.0.241:2049",permitopen="10.0.0.241:2233"

Substitute "client.linux.lan" with the correct hostname of your client, or use IP numbers. The from= option is what limits the key to that client (sshd ignores a line with an unknown option name, so a typo here silently disables the key), command= replaces whatever the client asks to run with sleep, and the two permitopen= entries limit the -L tunnels this key may open to the NFS and mountd ports on the server, so a stolen key cannot be used to reach anything else from the server.
(Make sure every entry stays on 1 line!)

Every client that needs access to the file server needs its public key (the contents of its id_rsa.pub) stored in the authorized_keys file, each with its own from= restriction, so you should repeat this for every host.
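The following Python checker, an added example that is not part of this howto or of OpenSSH, audits the sleeper account's authorized_keys for exactly these restrictions. The three key lines inside it are constructed (the key blob is a placeholder, not a real key); the option names are those documented in sshd(8), and the allowed forwarding targets are the NFS and mountd ports used in this howto.

```python
"""Audit authorized_keys entries for a tunnel-only account such as 'sleeper'.

Added example, not part of the howto or of OpenSSH. Option names follow the
AUTHORIZED_KEYS FILE FORMAT section of sshd(8). The key lines below are
constructed; the key blob is a placeholder, not a real key.
"""
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# What this howto's tunnels need: only these local forwards should be allowed.
ALLOWED_FORWARDS = {"10.0.0.241:2049", "10.0.0.241:2233"}

PLACEHOLDER_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleNOTaREALkey root@client"
WEAK = "ssh-rsa " + PLACEHOLDER_KEY                       # bare key: full shell access
AS_IN_HOWTO = 'from="client.linux.lan",command="/bin/sleep 600d" ssh-rsa ' + PLACEHOLDER_KEY
HARDENED = ('from="client.linux.lan",command="/bin/sleep 600d",no-pty,no-agent-forwarding,'
            'no-X11-forwarding,permitopen="10.0.0.241:2049",permitopen="10.0.0.241:2233" '
            'ssh-rsa ' + PLACEHOLDER_KEY)


def split_options(opts):
    """Split the option field on commas that are not inside double quotes
    (command="..." may itself contain commas and spaces; \\" is allowed inside)."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if quoted and c == "\\" and i + 1 < len(opts):
            cur.append(opts[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            out.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def parse_line(line):
    """Return (options, key_type, key_blob, comment) or None for blank/comment lines.
    options maps lower-cased option name -> list of values ('' for flags)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        opts_text, rest = "", line
    else:
        # The option field ends at the first whitespace outside double quotes.
        quoted, end = False, len(line)
        for i, c in enumerate(line):
            if c == '"':
                quoted = not quoted
            elif c.isspace() and not quoted:
                end = i
                break
        opts_text, rest = line[:end], line[end:].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("no key type found in: " + line)
    options = {}
    for tok in split_options(opts_text):
        name, _, value = tok.partition("=")
        options.setdefault(name.strip().lower(), []).append(value.strip('"'))
    comment = fields[2] if len(fields) == 3 else ""
    return options, fields[0], fields[1], comment


def audit_tunnel_key(line, allowed_forwards=ALLOWED_FORWARDS):
    """Findings for a key that should only be able to hold an SSH tunnel open."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    options, key_type, _blob, _comment = parsed
    findings = []
    if "command" not in options:
        findings.append("no forced command: the key gives an interactive shell")
    if "from" not in options:
        findings.append("no from= restriction: the key works from any host")
    for flag in ("no-pty", "no-agent-forwarding", "no-x11-forwarding"):
        if flag not in options:
            findings.append("missing " + flag)
    if "no-port-forwarding" in options:
        findings.append("no-port-forwarding is set: the NFS tunnel itself would be refused")
    permitted = set(options.get("permitopen", []))
    if not permitted:
        findings.append("no permitopen: -L can reach any host:port the server can")
    elif not permitted <= allowed_forwards:
        findings.append("permitopen wider than the NFS/mountd ports: "
                        + ", ".join(sorted(permitted - allowed_forwards)))
    if key_type == "ssh-dss":
        findings.append("ssh-dss key (1024-bit DSA): prefer RSA of 2048 bits or more")
    return findings


def audit_file(text, allowed_forwards=ALLOWED_FORWARDS):
    """{line number: findings} for every key line that has at least one finding."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = audit_tunnel_key(line, allowed_forwards)
        if found:
            report[n] = found
    return report


if __name__ == "__main__":
    for n, found in audit_file("\n".join([WEAK, AS_IN_HOWTO, HARDENED])).items():
        print("line %d:" % n)
        for f in found:
            print("  -", f)
```

Run it against the real file with audit_file(open('/home/sleeper/.ssh/authorized_keys').read()); a key that reports no findings can only open the two tunnels and run sleep, which is all a file server client needs.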

Mounting NFS over SSH on your clients

Issue these commands to start the tunnels for nfs and mountd (add -p 12345 if your sshd listens on a non-standard port, as in the scp step above):
(syntax: ssh -f -c encryption -L localport:nfsserver:nfsport -l username nfsserver remotecommand)
Also note that without the fixed ports configured above, the port number for mountd would be different with every restart of the NFS server. Keep that in mind.

ssh -f -i /root/.ssh/id_rsa -c blowfish -L 61001:10.0.0.241:2049 -l sleeper 10.0.0.241 sleep 600d
ssh -f -i /root/.ssh/id_rsa -c blowfish -L 62001:10.0.0.241:2233 -l sleeper 10.0.0.241 sleep 600d

This creates a connection that will stay alive for almost 2 years… :)
Now edit your fstab and mount. Only the nfs and mountd ports are carried by the tunnels; the lock manager (lockd, port 2232 above) is not, so this mount uses nolock and applications on the client get local locking only:

echo "localhost:/export/data /mnt nfs tcp,rsize=8192,wsize=8192,intr,rw,bg,nosuid,nolock,port=61001,mountport=62001,noauto" >> /etc/fstab
mount /mnt

Of course we need some mountable folders (shares) defined on the NFS server:

mkdir /export
mkdir /export/data
mkdir /export/www-virtual
mkdir /export/www-conf
mkdir /export/mail-virtual
mkdir /export/mail-conf

Add them to /etc/exports:

/export/data 10.0.0.241(rw,root_squash,sync)

Notice that the IP address is the NFS server itself? That is because, once the SSH tunnel is established, the mount requests arrive at the server from its own address rather than from the client's.

Some security settings, since we don't want anyone from outside our network to access the server:

echo "portmap: ALL" > /etc/hosts.deny
echo "portmap: 10.0.0.0/255.255.255.0" > /etc/hosts.allow

This only covers portmap. nfsd (2049), lockd (2232) and mountd (2233) are still reachable directly over the network, so block those ports for every source except the server itself in your packet filter; otherwise a client can simply bypass the tunnel, and the exports line above, which trusts a source IP address, is all that stands between it and the data.

Restart NFS:

/etc/init.d/nfs-kernel-server restart

That's it! You can now mount the filesystem on your clients without the need to supply a password. And of course all traffic will be encrypted :)

Copyright © 2006 harm
All Rights Reserved.

MySQL Backup And Recovery With mysql-zrm On Debian Sarge

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 09/27/2006

This guide describes how to back up and recover your MySQL databases with mysql-zrm on a Debian Sarge system. mysql-zrm is short for Zmanda Recovery Manager for MySQL, it is a new tool that lets you create full logical or raw backups of your databases (regardless of your storage engine and MySQL configuration), generate reports about the backups, verify the integrity of the backups, and recover your databases. It can also send email notifications about the backup status, and you can implement multiple backup policies (based on your applications and based on time (e.g. daily, weekly, etc.)).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

mysql-zrm works on MySQL 4.1 and above, so I assume you already have a MySQL server installed on your Debian Sarge system, e.g. like this:

apt-get install mysql-client-4.1 mysql-common-4.1 mysql-server-4.1

This also installs the package libdbd-mysql-perl which is needed by mysql-zrm as mysql-zrm is written in Perl.

 

2 Installation

Zmanda has released an rpm package of mysql-zrm for rpm-based distributions like Fedora, RedHat, SuSE, CentOS, etc., but no package for Debian Sarge. So we must download the mysql-zrm source package from http://www.zmanda.com/downloads.html. Select the stable release (at the time of this writing it was 1.0.3) and download it to your /tmp directory:

cd /tmp
wget http://www.zmanda.com/downloads/community/ZRM-MySQL/1.0.3/Source/MySQL-zrm-1.0.3.tar.gz

Next we unpack the sources and go to the source directory:

tar xvfz MySQL-zrm-1.0.3.tar.gz
cd MySQL-zrm-1.0.3

Unfortunately the installation instructions in the INSTALL file only say that you can install the mysql-zrm rpm package if you are on an rpm-based distribution, but nothing more. Also, there’s no installation script and no installation instructions for the source package on the Zmanda web site, so I had to find out myself how to get mysql-zrm installed on my Debian Sarge system. This is how I did it:

chown root:root *
mv mysql-zrm /usr/bin
mv mysql-zrm-reporter /usr/bin
mv mysql-zrm-scheduler /usr/bin
gzip mysql-zrm.1
mv mysql-zrm.1.gz /usr/share/man/man1
gzip mysql-zrm.conf.5
mv mysql-zrm.conf.5.gz /usr/share/man/man5
gzip mysql-zrm-reporter.1
mv mysql-zrm-reporter.1.gz /usr/share/man/man1
gzip mysql-zrm-reporter.conf.5
mv mysql-zrm-reporter.conf.5.gz /usr/share/man/man5
gzip mysql-zrm-scheduler.1
mv mysql-zrm-scheduler.1.gz /usr/share/man/man1
mkdir /etc/mysql-zrm
mv *.conf /etc/mysql-zrm
mkdir -p /usr/lib/mysql-zrm/Data/Report/Plugin
mv Report.pm /usr/lib/mysql-zrm/Data
mv Base.pm /usr/lib/mysql-zrm/Data/Report
mv *.pm /usr/lib/mysql-zrm/Data/Report/Plugin
mkdir /var/log/mysql-zrm
gzip AUTHORS
gzip COPYING
gzip INSTALL
gzip README
mkdir /usr/share/doc/MySQL-zrm
mv * /usr/share/doc/MySQL-zrm
mkdir /var/lib/mysql-zrm
touch /etc/mysql-zrm/mysql-zrm-release

That’s it. The executable files have been moved to /usr/bin, the configuration files are in /etc/mysql-zrm, and we even have man pages for our executables (mysql-zrm, mysql-zrm-reporter, and mysql-zrm-scheduler), so if you are not sure about the usage of the executables, you can run

man mysql-zrm

man mysql-zrm-reporter

man mysql-zrm-scheduler

Copyright © 2006 Falko Timme
All Rights Reserved.

Securing Your Server With A Host-based Intrusion Detection System

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 09/18/2006

This article shows how to install and run OSSEC HIDS, an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. It helps you detect attacks, software misuse, policy violations and other forms of inappropriate activities.

With OSSEC HIDS you can monitor multiple systems, with one system being the OSSEC HIDS server and the others the OSSEC HIDS agents that report back to the server. However, in this tutorial I want to monitor just one system, so I perform a “local” installation so that OSSEC HIDS will do its work locally on that system.

In the following I use a Debian Sarge (3.1) system to install OSSEC HIDS on.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Installing OSSEC HIDS

Installing OSSEC HIDS is very easy, it’s just a matter of downloading the sources, running the installation script and answering the questions of the installation script. First, we download and unpack the OSSEC HIDS sources:

cd /tmp
wget http://www.ossec.net/files/ossec-hids-0.9-1a.tar.gz
tar xvfz ossec-hids-0.9-1a.tar.gz

Then we run the installation script:

cd ossec-hids-0.9-1a
./install.sh

The installation script will ask you a few questions:

** Para instalação em português, escolha [br].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l’installazione in Italiano, scegli [it].
** 日本語でインストールします．選択して下さい．[jp].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском, введите [ru].
** Türkçe kurulum için seçin [tr].
(en/br/de/es/fr/it/jp/pl/ru/tr) [en]: <– en (or one of the other options, if you don’t want to use English)

OSSEC HIDS v0.9-1 Installation Script – http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

– System: Linux server1.example.com 2.6.8-2-386
– User: root
– Host: server1.example.com

— Press ENTER to continue or Ctrl-C to abort. – <– [ENTER]

1- What kind of installation do you want (server, agent, local or help)? <– local

- Choose where to install the OSSEC HIDS [/var/ossec]: <– /var/ossec

3.1- Do you want e-mail notification? (y/n) [y]: <– y

- What’s your e-mail address? <– example@example.com (please enter your own email address here)

- We found your SMTP server as: mail.example.com.
- Do you want to use it? (y/n) [y]:
<– y (normally you can accept the installer’s proposal, unless you want to use another SMTP server)

3.2- Do you want to run the integrity check daemon? (y/n) [y]: <– y

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: <– y

- Do you want to enable active response? (y/n) [y]: <– y

- Do you want to enable the firewall-drop response? (y/n) [y]: <– y

- Do you want to add more IPs to the white list? (y/n)? [n]: <– n (unless you want to whitelist more IP addresses)

3.6- Setting the configuration to analyze the following logs:
– /var/log/messages
– /var/log/auth.log
– /var/log/syslog
– /var/log/mail.info

– If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

— Press ENTER to continue — <– [ENTER]

- System is Linux (SysV).
- Init script modified to start OSSEC HIDS during boot.
Adding system startup for /etc/init.d/ossec …
/etc/rc0.d/K20ossec -> ../init.d/ossec
/etc/rc1.d/K20ossec -> ../init.d/ossec
/etc/rc6.d/K20ossec -> ../init.d/ossec
/etc/rc2.d/S20ossec -> ../init.d/ossec
/etc/rc3.d/S20ossec -> ../init.d/ossec
/etc/rc4.d/S20ossec -> ../init.d/ossec
/etc/rc5.d/S20ossec -> ../init.d/ossec

– Configuration finished properly.

– To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

– To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

– The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
(http://mailman.underlinux.com.br/mailman/listinfo/ossec-list).

More information can be found at http://www.ossec.net

— Press ENTER to finish (maybe more information below). — <– [ENTER]

That’s it, OSSEC HIDS is now installed and ready to be started.

 

2 Starting And Running OSSEC HIDS

In order to start OSSEC HIDS, we run this command:

/etc/init.d/ossec start

The output should look like this:

server1:/etc/init.d# /etc/init.d/ossec start
Starting OSSEC HIDS v0.9-1 (by Daniel B. Cid)…
Started ossec-maild…
Started ossec-execd…
Started ossec-analysisd…
Started ossec-logcollector…
Started ossec-syscheckd…
Completed.
server1:/etc/init.d#

As you might have seen during OSSEC HIDS installation, the installer also created the necessary system startup links for OSSEC HIDS, so that OSSEC HIDS will be started automatically whenever you boot/reboot your system.

After OSSEC HIDS has been started, it will run silently in the background, performing log analysis, integrity checking, rootkit detection, etc. You can check that it’s running by executing

ps aux

In the output you should find something like this:

ossecm    2038  0.0  0.4  1860  792 ?        S    12:40   0:00 /var/ossec/bin/ossec-maild
root      2042  0.0  0.3  1736  648 ?        S    12:40   0:00 /var/ossec/bin/ossec-execd
ossec     2046  0.2  0.5  2192 1136 ?        S    12:40   0:00 /var/ossec/bin/ossec-analysisd
root      2050  0.0  0.2  1592  556 ?        S    12:40   0:00 /var/ossec/bin/ossec-logcollector
root      2054 12.2  0.3  1756  616 ?        S    12:40   0:05 /var/ossec/bin/ossec-syscheckd

The OSSEC HIDS log file is /var/ossec/logs/ossec.log, so you can check it to see what’s going on, e.g. with the tail command.

tail -f /var/ossec/logs/ossec.log

shows what’s happening in real-time. Press CTRL-C to leave it.

tail -n 100 /var/ossec/logs/ossec.log

shows you the last 100 lines of the OSSEC HIDS log.

Whenever OSSEC HIDS detects something suspicious, it sends an email with a report about the activity to the email address you specified during installation.
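To make concrete what log analysis with active response means, here is an added Python example (not OSSEC's own code, and far simpler than its rule engine): it matches sshd "Failed password" lines, fires when one source address exceeds a threshold of failures inside a time window, which is the frequency logic behind OSSEC's sshd brute-force rule, and builds the iptables command that OSSEC's firewall-drop response would run. The auth.log lines are constructed for the demonstration, the year is assumed to be 2006 because syslog timestamps carry none, and the command is only returned, never executed. The whitelist mirrors the installer's white list question above: the addresses you administer from must never be auto-blocked.

```python
"""Frequency rule over sshd failures with a firewall-drop active response.

Added example, not OSSEC code. Constructed auth.log lines; the year is an
assumption (syslog lines carry none); the iptables command is built, not run.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2006

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")

# Constructed sample in Debian's /var/log/auth.log format.
SAMPLE_LOG = """\
Sep 18 12:41:01 server1 sshd[3120]: Failed password for invalid user admin from 10.9.8.7 port 41022 ssh2
Sep 18 12:41:03 server1 sshd[3122]: Failed password for root from 10.9.8.7 port 41023 ssh2
Sep 18 12:41:05 server1 sshd[3124]: Failed password for invalid user test from 10.9.8.7 port 41024 ssh2
Sep 18 12:41:07 server1 sshd[3126]: Accepted publickey for falko from 192.168.0.20 port 52011 ssh2
Sep 18 12:41:08 server1 sshd[3128]: Failed password for root from 10.9.8.7 port 41025 ssh2
Sep 18 12:41:09 server1 sshd[3130]: Failed password for root from 10.9.8.7 port 41026 ssh2
Sep 18 12:41:10 server1 sshd[3132]: Failed password for root from 10.9.8.7 port 41027 ssh2
Sep 18 12:50:00 server1 sshd[3140]: Failed password for falko from 192.168.0.20 port 52012 ssh2
"""


def parse_failed(line):
    """(timestamp, source ip, user) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return ts, m.group("ip"), m.group("user")


def firewall_drop_command(ip):
    """The rule a firewall-drop response inserts (returned as argv, not executed)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


class BruteForceDetector:
    """Fires once per source when `threshold` failures fall inside `window` seconds."""

    def __init__(self, threshold=5, window=120, whitelist=()):
        self.threshold = threshold
        self.window = window
        self.whitelist = set(whitelist)
        self.recent = defaultdict(deque)   # ip -> timestamps still inside the window
        self.blocked = set()

    def feed(self, line):
        """Process one log line; return an alert dict when the rule fires, else None."""
        parsed = parse_failed(line)
        if parsed is None:
            return None
        ts, ip, user = parsed
        if ip in self.whitelist or ip in self.blocked:
            return None
        q = self.recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:   # slide the window forward
            q.popleft()
        if len(q) < self.threshold:
            return None
        self.blocked.add(ip)
        return {"ip": ip, "failures": len(q), "first": q[0], "last": ts,
                "last_user": user, "response": firewall_drop_command(ip)}


def analyze(text, threshold=5, window=120, whitelist=()):
    """Run the detector over a whole log; return the list of alerts in order."""
    det = BruteForceDetector(threshold, window, whitelist)
    return [a for a in (det.feed(line) for line in text.splitlines()) if a]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("%(ip)s: %(failures)d failures between %(first)s and %(last)s" % alert)
        print("  active response:", " ".join(alert["response"]))
```

The threshold and window are the two knobs that decide between catching a slow scan and blocking a colleague who mistyped a password; OSSEC's own sshd rules use the same idea with per-rule frequency and timeframe values.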

If you want to change OSSEC HIDS’ settings (e.g. change the email address, add custom rulesets, etc.), you can do this by editing the configuration file /var/ossec/etc/ossec.conf (which is in XML format). You can do this by using a command-line editor such as vi:

vi /var/ossec/etc/ossec.conf

The file looks like this:

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>example@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>ossecm@example.com</email_from>
  </global>
[...]

If you change the file, make sure to restart OSSEC HIDS afterwards:

/etc/init.d/ossec restart

In order to learn how to add custom rulesets, etc. to the OSSEC HIDS configuration, please refer to the OSSEC HIDS manual: http://www.ossec.net/en/manual.html

 

3 Links

  • OSSEC HIDS: http://www.ossec.net

Copyright © 2006 Falko Timme
All Rights Reserved.

Setting up Subversion and websvn on Debian

Purpose of this howto

This howto will illustrate a way to install and configure Subversion and websvn on a Debian server with the following features:

  • multiple repository Subversion
  • access to the repositories via WebDAV (http, https) and ssh
  • Linux system account access control and/or Apache level access control
  • a secured websvn (php web application for easy code browsing)
  • configured syntax coloring in websvn with gnu enscript

I will not specifically configure inetd with svnserve in this howto. Rest assured that Subversion will be totally functional without it.
You can copy/paste most of the howto to get it working.

Packages that are assumed to already be installed

This howto assumes PHP and apache2 are installed and configured. Configuring apache2 with SSL is optional.

Setting up Subversion

Subversion packages

As root you can enter the following commands to install the packages required for our Subversion setup:

# apt-get update
# apt-get install subversion
# apt-get install libapache2-svn

The package libapache2-svn will install the subversion WebDAV apache module.

Creating and populating repositories

To work with in this howto we’ll create two repos:

# mkdir /var/svn-repos/
# svnadmin create --fs-type fsfs /var/svn-repos/project_zen
# svnadmin create --fs-type fsfs /var/svn-repos/project_wombat

The repository directories need the proper permissions for apache and the other users. I’ll make a group and add users to it (don’t just copy/paste here). The apache user is not put in the group because I find it less secure; it gets its access as the owner of the repository files instead (see the chown below).

# groupadd subversion
# addgroup john subversion
# addgroup bert subversion
# addgroup you subversion

# chown -R www-data:subversion /var/svn-repos/*
# chmod -R 770 /var/svn-repos/*
# find /var/svn-repos -type d -exec chmod g+s {} \;

The setgid bit on the directories makes files created by commits over svn+ssh (which run as the committing user) inherit the subversion group instead of that user's primary group; without it, a commit by john can leave revision files that bert and www-data cannot read. The svn+ssh users also need a umask that keeps group write (002), otherwise the same problem appears through the mode bits.
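An added example (not part of the howto) to check that a repository tree actually has the layout the commands above aim for: owned by www-data and group subversion, no world-accessible entries, and setgid on every directory so that files written by svn+ssh commits keep the group. It runs on a throwaway directory it builds itself, passing the expected owner and group as numeric ids; on the real server you would call audit_tree('/var/svn-repos', pwd.getpwnam('www-data').pw_uid, grp.getgrnam('subversion').gr_gid).

```python
"""Audit file ownership and modes of a Subversion repository tree.

Added example, not from the howto. Expected owner and group are numeric ids;
the demo builds its own temporary tree instead of touching /var/svn-repos.
"""
import os
import shutil
import stat
import tempfile


def _problems(path, st, owner_uid, group_gid):
    """Problems with one directory entry, judged against the intended layout."""
    found = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != owner_uid:
        found.append("owner uid %d, expected %d" % (st.st_uid, owner_uid))
    if st.st_gid != group_gid:
        found.append("group gid %d, expected %d" % (st.st_gid, group_gid))
    if mode & 0o007:
        found.append("world-accessible (mode %o)" % mode)
    if stat.S_ISDIR(st.st_mode) and not mode & stat.S_ISGID:
        found.append("directory without setgid: new files will not inherit the group")
    return found


def audit_tree(root, owner_uid, group_gid):
    """Walk `root` and return [(path, problem), ...]; an empty list means clean."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                # A symlink could point outside the repository; flag it rather than follow it.
                findings.append((path, "symlink inside repository tree"))
                continue
            for problem in _problems(path, st, owner_uid, group_gid):
                findings.append((path, problem))
    return findings


def demo():
    """Build a small tree like /var/svn-repos/project_zen: first as intended
    (2770 dirs, 660 files), then with two typical mistakes. Returns both audits."""
    base = tempfile.mkdtemp()
    try:
        repo = os.path.join(base, "project_zen")
        os.mkdir(repo)
        os.chown(repo, -1, os.getgid())         # our own group stands in for 'subversion'
        os.chmod(repo, 0o2770)                  # setgid: children inherit the group
        st = os.stat(repo)
        uid, gid = st.st_uid, st.st_gid         # stand in for www-data / subversion
        db = os.path.join(repo, "db")
        os.mkdir(db)
        os.chmod(db, 0o2770)
        current = os.path.join(db, "current")
        with open(current, "w") as fh:
            fh.write("1\n")
        os.chmod(current, 0o660)
        clean = audit_tree(repo, uid, gid)

        hooks = os.path.join(repo, "hooks")
        os.mkdir(hooks)
        os.chmod(hooks, 0o770)                  # forgot g+s
        hook = os.path.join(hooks, "post-commit")
        with open(hook, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(hook, 0o755)                   # world-readable and executable
        broken = audit_tree(repo, uid, gid)
        return clean, broken
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    clean, broken = demo()
    print("intended layout:", clean or "clean")
    for path, problem in broken:
        print(path, "->", problem)
```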

Let’s set up easy ssh connectivity. On a user machine enter the following commands (ssh-keygen -t rsa -b 2048 gives a stronger key than the 1024-bit DSA default; if you use it, substitute id_rsa.pub below):

$ mkdir -m 700 ~/.ssh/
$ cd ~/.ssh/
$ ssh-keygen -t dsa
$ cat ~/.ssh/id_dsa.pub | ssh you@example.com "mkdir -p -m 700 ~/.ssh && cat - >> ~/.ssh/authorized_keys"

The server example.com is the server we installed Subversion on. For easy ssh use you can choose not to use a passphrase with your key, or use an agent to keep authenticated. Otherwise each transaction between the user machine and Subversion will require the user to enter a password (very inconvenient). Using an agent can be done like this (ssh-agent only prints the environment variables it needs; the eval makes them take effect in your shell):

$ eval "$(ssh-agent -s)"
$ ssh-add
$ ssh you@example.com

All should be set now to use a repository. You may test it like this; it shows an import and a checkout:

$ mkdir ~/TEMP/
$ echo “testing svn” > ~/TEMP/testing.txt
$ svn import -m “importing test over ssh+svn” ~/TEMP/ svn+ssh://example.com/var/svn-repos/project_zen/trunk
$ svn co svn+ssh://example.com/var/svn-repos/project_zen/trunk testcheckout

As a result the testing.txt file should be in a directory called testcheckout. On the serverside you can check the repositories with svnlook.

# svnlook tree /var/svn-repos/project_zen/

Configuring Subversion WebDAV

Normally the apache mod will be enabled by default, to ensure this is true enter the following commands:

# a2enmod dav
# a2enmod dav_svn

Configuration is done in the file /etc/apache2/mods-available/dav_svn.conf, but first we’ll make an access file.

# htpasswd2 -c /etc/apache2/dav_svn.passwd you
# htpasswd2 /etc/apache2/dav_svn.passwd john
# htpasswd2 /etc/apache2/dav_svn.passwd sten

This is the content my /etc/apache2/mods-available/dav_svn.conf file:

<Location /svn_zen>
  DAV svn
  SVNPath /var/svn-repos/project_zen
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  Require valid-user
  SSLRequireSSL
</Location>

<Location /svn_wombat>
  DAV svn
  SVNPath /var/svn-repos/project_wombat
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  Require valid-user
  SSLRequireSSL
</Location>

Remove (or comment out) the SSLRequireSSL line if you don’t want to use SSL, but then you need to use http and not https in the commands that follow, and be aware that Basic authentication then sends the passwords in the clear with every request. Apache should be restarted and we can test from a user machine. We’ll import the same test file into the wombat project (svn import takes the local path first, then the repository URL):

# /etc/init.d/apache2 restart
$ svn import -m "testing over https" ~/TEMP/ https://example.com/svn_wombat

Using a web browser you can visit your URL https://example.com/svn_wombat and see what was just committed. This is a basic on-line view on the repository, but using a web front-end like websvn will offer a better repository browsing experience.

Setting up websvn

Required packages

To get rolling with websvn we’ll need to install the following
packages, both will show you configuration screens (explained in the
next paragraph):

# apt-get install enscript
# apt-get install websvn

Enscript isn’t mandatory but we’ll need it for syntax coloring in websvn.

Configuration

Enscript will ask for a paper size; this might seem odd, but that is because enscript is also used for converting ASCII files to PostScript. We need it for its syntax colouring features.

Websvn will first ask for which kind of server to configure, go ahead and just press enter.

[Screenshots of the debconf screens: websvn server configuration, websvn parent directory, websvn repository directories]

The next screens ask for a parent repository folder (/var/svn-repos/ in this case) and specific repository folders; this determines which repositories will show up in websvn. We will only enter a parent repository, so all repositories created in this folder will show up in websvn for users to browse. If you want to show only specific repositories, enter their full paths in the second screen and leave the parent path blank. Keep in mind that websvn reads the repositories as the apache user and shows every repository it knows about to anyone who passes the web server's authentication, independent of the per-repository authentication in dav_svn.conf, so the websvn virtual host below must be protected at least as strictly as the DAV locations.
 
As a result the file /etc/websvn/svn_deb_conf.inc will be written. You can rerun debian package configuration screens with dpkg-reconfigure. Further websvn configuration is done in the file /etc/websvn/config.inc. This is the content of my file with some extension mappings for the syntax coloring.

<?php
// --- LOOK AND FEEL ---
//
// Uncomment ONLY the display file that you want.
$config->setTemplatePath("$locwebsvnreal/templates/Standard/");
// $config->setTemplatePath("$locwebsvnreal/templates/BlueGrey/");
// $config->setTemplatePath("$locwebsvnreal/templates/Zinn/");

// $contentType[".c"] = "plain/text"; // Create a new association
// $contentType[".doc"] = "plain/text"; // Modify an existing one
unset($contentType[".sh"]); // Remove a default association -> .sh is regarded as a binary file by default, needs to be unset

// --- COLOURISATION ---
// Uncomment this line if you want to use Enscript to colourise your file listings
//
// You'll need Enscript version 1.6 or higher AND Sed installed to use this feature.
// Set the path above.
//
$config->useEnscript();

// Enscript needs to be told what the contents of a file are so that it can be colourised
// correctly.  WebSVN includes a predefined list of mappings from file extension to Enscript
// file type (viewable in setup.inc).
//
// Here you should add any other extensions not already listed or redefine the default ones. eg:
//
// php is colourised correctly by default
$extEnscript[".java"] = "java";
$extEnscript[".pl"] = "perl";
$extEnscript[".py"] = "python";
$extEnscript[".sql"] = "sql";
$extEnscript[".html"] = "html";
$extEnscript[".xml"] = "html";
$extEnscript[".thtml"] = "html";
$extEnscript[".tpl"] = "html";
$extEnscript[".sh"] = "bash";

// --- MISCELLANEOUS ---
// Comment this out if you don't have the right to use it.  Be warned that you may need it however!
set_time_limit(0);

// Comment this line to turn off caching of repo information.  This will slow down your browsing.
$config->setCachingOn();

// Number of spaces to expand tabs to in diff/listing view across all repositories
$config->expandTabsBy(8);

// To change the global option for individual repositories, uncomment and replicate
// the required line below (replacing 'myrep' with the name of the repository to be changed).
// $config->findRepository("myrep")->expandTabsBy(3); // Expand Tabs by 3 for repository 'myrep'
?>
<?php
if ( file_exists("/etc/websvn/svn_deb_conf.inc") ) {
  include("/etc/websvn/svn_deb_conf.inc");
}
?>

Next up is configuring the apache virtualhost for websvn.
Example using SSL:

<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    ServerName svn.example.com
    DocumentRoot /var/www/websvn/
    <Location />
        Options FollowSymLinks
        order allow,deny
        allow from all
        AuthType Basic
        AuthName "Subversion Repository"
        Require valid-user
        AuthUserFile /etc/apache2/dav_svn.passwd
        <IfModule mod_php4.c>
            php_flag magic_quotes_gpc Off
            php_flag track_vars On
        </IfModule>
    </Location>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

Example without SSL:

<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    ServerName svn.example.com
    DocumentRoot /var/www/websvn/
    <Location />
        Options FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        AuthType Basic
        AuthName "Subversion Repository"
        Require valid-user
        AuthUserFile /etc/apache2/dav_svn.passwd
        <IfModule mod_php4.c>
            php_flag magic_quotes_gpc Off
            php_flag track_vars On
        </IfModule>
    </Location>
</VirtualHost>

Restart Apache and have a look at the result at https://svn.example.com/.
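Both vhosts above protect the repository with HTTP Basic authentication, but only the first one turns on SSL; on the plain-HTTP variant the user name and password cross the wire base64-encoded, which is as good as plaintext. As an added check that is not part of the original howto, the script below lists every VirtualHost in an Apache config that requires Basic auth without SSLEngine on; the config it scans is a trimmed, constructed copy of the two vhosts above.

```shell
#!/bin/sh
# Added example, not part of the original howto: find <VirtualHost> blocks
# that demand HTTP Basic auth (credentials only base64-encoded) without
# SSLEngine on, i.e. vhosts whose passwords would travel in the clear.

# report_basic_auth_without_ssl CONFIG
# Prints "<ServerName> <listen address>" for each offending vhost and
# returns 1 if there was at least one, 0 otherwise.
report_basic_auth_without_ssl() {
    awk '
        /^[[:space:]]*<VirtualHost[[:space:]]/ {
            inv = 1; name = "(no ServerName)"; basic = 0; ssl = 0
            addr = $2; sub(/>.*$/, "", addr)      # "*:80>" becomes "*:80"
            next
        }
        inv && /^[[:space:]]*ServerName[[:space:]]/        { name = $2 }
        inv && /^[[:space:]]*AuthType[[:space:]]+Basic/     { basic = 1 }
        inv && /^[[:space:]]*SSLEngine[[:space:]]+[Oo][Nn]/ { ssl = 1 }
        /^[[:space:]]*<\/VirtualHost>/ {
            if (inv && basic && !ssl) { print name, addr; bad++ }
            inv = 0
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: the two websvn vhosts from this howto, trimmed to the
# directives that matter for the check.
sample_vhosts=$(mktemp)
trap 'rm -f "$sample_vhosts"' EXIT
cat > "$sample_vhosts" <<'EOF'
<VirtualHost *:443>
    ServerName svn.example.com
    DocumentRoot /var/www/websvn/
    <Location />
        AuthType Basic
        AuthName "Subversion Repository"
        Require valid-user
        AuthUserFile /etc/apache2/dav_svn.passwd
    </Location>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

<VirtualHost *:80>
    ServerName svn.example.com
    DocumentRoot /var/www/websvn/
    <Location />
        AuthType Basic
        AuthName "Subversion Repository"
        Require valid-user
        AuthUserFile /etc/apache2/dav_svn.passwd
    </Location>
</VirtualHost>
EOF

# Only the *:80 vhost is reported.
if ! report_basic_auth_without_ssl "$sample_vhosts"; then
    echo "-> serve these vhosts with SSLEngine on, or redirect :80 to :443" >&2
fi
```

Run it against /etc/apache2/sites-enabled/* on the real server; the port-80 vhost from this howto should either gain SSLEngine on or be reduced to a redirect to the https site.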

Useful Subversion references

Getting more information

  • official subversion site
  • Version Control with Subversion, free on-line book
  • websvn

Subversion clients

  • Subclipse
  • RapidSVN
  • kdesvn
  • Zigversion (Mac OS X)
  • Quicksilver plugin (Mac OS X)
  • svnX (Mac OS X)
  • TortoiseSVN (Windows)

I hope you find this howto useful. This isn’t a perfect setup, but
hopefully it will help you in using Subversion. Please feel free to add
comments or corrections.

This page is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 License.

Setting Up A Highly Available NFS Server

This is a “copy & paste” HowTo! The easiest way to follow this tutorial is to use a command line client/SSH client (like PuTTY for Windows) and simply copy and paste the commands (except where you have to provide own information like IP addresses, hostnames, passwords,…). This helps to avoid typos.


Version 1.0
Author: Falko Timme
<ft [at] falkotimme [dot] com>

Last edited: 03/07/2006

In this tutorial I will describe how to set up a highly available NFS server that can be used as a storage solution for other high-availability services like, for example, a cluster of web servers that are being load-balanced. If you have a web server cluster with two or more nodes that serve the same web site(s), then these nodes must access the same pool of data so that every node serves the same data, no matter if the load balancer directs the user to node 1 or node n. This can be achieved with an NFS share on an NFS server that all web server nodes (the NFS clients) can access.

As we do not want the NFS server to become another “Single Point of Failure”, we have to make it highly available. In fact, in this tutorial I will create two NFS servers that mirror their data to each other in realtime using DRBD and that monitor each other using heartbeat, and if one NFS server fails, the other takes over silently. To the outside (e.g. the web server nodes) these two NFS servers will appear as a single NFS server.

In this setup I will use Debian Sarge (3.1) for the two NFS servers as well as for the NFS client (which represents a node of the web server cluster).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 My Setup

In this document I use the following systems:

  • NFS server 1: server1.example.com, IP address: 192.168.0.172; I will refer to this one as server1.
  • NFS server 2: server2.example.com, IP address: 192.168.0.173; I will refer to this one as server2.
  • Virtual IP address: I use 192.168.0.174 as the virtual IP address that represents the NFS cluster to the outside.
  • NFS client (e.g. a node from the web server cluster): client.example.com, IP address: 192.168.0.100; I will refer to the NFS client as client.
  • The /data directory will be mirrored by DRBD between server1 and server2. It will contain the NFS share /data/export.

2 Basic Installation Of server1 and server2

First we set up two basic Debian systems for server1 and server2. You can do it as outlined on the first two pages of this tutorial: http://www.howtoforge.com/perfect_setup_debian_sarge. As hostname, you enter server1 and server2 respectively, and as domain you enter example.com.

Regarding the partitioning, I use the following partition scheme:

/dev/sda1 — 100 MB /boot (primary, ext3, Bootable flag: on)
/dev/sda5 — 5000 MB / (logical, ext3)
/dev/sda6 — 1000 MB swap (logical)
/dev/sda7 — 150 MB unmounted (logical, ext3) (will contain DRBD’s meta data)
/dev/sda8 — 26 GB unmounted (logical, ext3) (will contain the /data directory)

You can vary the sizes of the partitions depending on your hard disk size, and the names of your partition might also vary, depending on your hardware (e.g. you might have /dev/hda1 instead of /dev/sda1 and so on). However, it is important that /dev/sda7 has a little more than 128 MB because we will use this partition for DRBD’s meta data which uses 128 MB. Also, make sure /dev/sda7 as well as /dev/sda8 are identical in size on server1 and server2, and please do not mount them (when the installer asks you:

No mount point is assigned for the ext3 file system in partition #7 of SCSI1 (0,0,0) (sda).
Do you want to return to the partitioning menu?

please answer No)! /dev/sda8 is going to be our data partition (i.e., our NFS share).

After the basic installation make sure that you give server1 and server2 static IP addresses (server1: 192.168.0.172, server2: 192.168.0.173), as described at the beginning of http://www.howtoforge.com/perfect_setup_debian_sarge_p3).

Afterwards, you should check /etc/fstab on both systems. Mine looks like this on both systems:

# /etc/fstab: static file system information.
#
proc            /proc           proc    defaults        0       0
/dev/sda5       /               ext3    defaults,errors=remount-ro 0       1
/dev/sda1       /boot           ext3    defaults        0       2
/dev/sda6       none            swap    sw              0       0
/dev/hdc        /media/cdrom0   iso9660 ro,user,noauto  0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

If you find that yours looks like this, for example:

# /etc/fstab: static file system information.
#
proc            /proc           proc    defaults        0       0
/dev/hda5       /               ext3    defaults,errors=remount-ro 0       1
/dev/hda1       /boot           ext3    defaults        0       2
/dev/hda6       none            swap    sw              0       0
/dev/hdc        /media/cdrom0   iso9660 ro,user,noauto  0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

then please make sure you use /dev/hda instead of /dev/sda in the following configuration files. Also make sure that /dev/sda7 (or /dev/hda7) and /dev/sda8 (or /dev/hda8…) are not listed in /etc/fstab!
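As an added check that is not part of the original howto, the script below reads an fstab, works out which disk carries / (sda or hda), and reports whether partition 7 or 8 of that disk is mounted. It runs against two constructed fstab samples: one like the listings above, and one from a /dev/hda system where the data partition was wrongly mounted at /data.

```shell
#!/bin/sh
# Added example, not part of the original howto: make sure the two partitions
# reserved for DRBD (meta data on partition 7, /data on partition 8 of the
# root disk) are not mounted through /etc/fstab on either server.

# root_disk FSTAB: print the disk that carries "/" ("sda", "hda", ...).
root_disk() {
    awk '$1 !~ /^#/ && $2 == "/" {
            dev = $1; sub("^/dev/", "", dev); sub(/[0-9]+$/, "", dev)
            print dev; exit
         }' "$1"
}

# drbd_partitions_unmounted FSTAB [META_PART] [DATA_PART]
# Returns 0 if neither DRBD backing partition is listed in FSTAB; otherwise
# prints the offending entries and returns 1 (2 if FSTAB has no "/" entry).
drbd_partitions_unmounted() {
    disk=$(root_disk "$1")
    [ -n "$disk" ] || { echo "$1: no / entry found" >&2; return 2; }
    awk -v meta="/dev/${disk}${2:-7}" -v data="/dev/${disk}${3:-8}" '
        $1 !~ /^#/ && ($1 == meta || $1 == data) { print "mounted: " $0; bad = 1 }
        END { exit bad + 0 }' "$1"
}

# Constructed samples: the first matches the fstab from this howto, the second
# is a /dev/hda system where someone mounted the data partition by hand.
good_fstab=$(mktemp); bad_fstab=$(mktemp)
trap 'rm -f "$good_fstab" "$bad_fstab"' EXIT
cat > "$good_fstab" <<'EOF'
# /etc/fstab: static file system information.
#
proc            /proc           proc    defaults        0       0
/dev/sda5       /               ext3    defaults,errors=remount-ro 0       1
/dev/sda1       /boot           ext3    defaults        0       2
/dev/sda6       none            swap    sw              0       0
/dev/hdc        /media/cdrom0   iso9660 ro,user,noauto  0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0
EOF
cat > "$bad_fstab" <<'EOF'
proc            /proc           proc    defaults        0       0
/dev/hda5       /               ext3    defaults,errors=remount-ro 0       1
/dev/hda1       /boot           ext3    defaults        0       2
/dev/hda6       none            swap    sw              0       0
/dev/hda8       /data           ext3    defaults        0       2
EOF

for f in "$good_fstab" "$bad_fstab"; do
    if drbd_partitions_unmounted "$f"; then
        echo "$f: ok, DRBD partitions are not in fstab"
    else
        echo "$f: remove the entries above before configuring DRBD"
    fi
done
```

Run it against /etc/fstab on both server1 and server2; DRBD also needs the two partitions to be the same size on both machines, which you can compare with sfdisk -s /dev/sda7 and sfdisk -s /dev/sda8 on each host.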

3 Synchronize System Time

It’s important that both server1 and server2 have the same system time. Therefore we install an NTP client on both:

server1/server2:

apt-get install ntp ntpdate

Afterwards you can check that both have the same time by running

server1/server2:

date

Copyright © 2006 Falko Timme
All Rights Reserved.


Installing Beryl On A CentOS 5.0 Desktop


Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 07/16/2007

This tutorial shows how you can install and use Beryl on a CentOS 5.0 desktop (the system must have a 3D-capable graphics card). With Beryl, you can make your desktop use beautiful 3D effects like wobbly windows or a desktop cube.

This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

1 Preliminary Note

I have tried this on my 3-year old HP Pavilion zt3000 notebook which has an ATI Mobility Radeon 9200 graphics card, and it works really well there. I have used the CentOS Gnome desktop. If you use KDE, a few things might be different from this tutorial.

2 Installing Beryl

There’s no Beryl package in the official CentOS 5.0 repositories, but the centos.karan.org repository has a Beryl package for CentOS 5.0 (in the kbs-CentOS-Testing repository). Therefore we add this repository to our official CentOS repositories. Open a terminal (Applications > Accessories > Terminal) and become root by typing:

su

Then we run these two commands to add the new repositories to our existing repositories:

cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo

Now we must enable the kbs-CentOS-Testing repository. To do this, we open the file kbsingh-CentOS-Extras.repo and change enabled=0 to enabled=1 in the kbs-CentOS-Testing stanza:

gedit kbsingh-CentOS-Extras.repo

# All new packages are now released to the testing repository first
# and only moved into Stable after a period of time
# Note: The testing repository is disabled by default

[kbs-CentOS-Extras]
name=CentOS.Karan.Org-EL$releasever - Stable
gpgcheck=1
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el$releasever/extras/stable/$basearch/RPMS/

[kbs-CentOS-Testing]
name=CentOS.Karan.Org-EL$releasever - Testing
gpgcheck=1
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el$releasever/extras/testing/$basearch/RPMS/

Then we import the GPG key of our new repository:

rpm --import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt

Now we can install Beryl with a single command:

yum install beryl

This will install Beryl and all needed dependencies on your system.

That’s it. We can now start Beryl by going to Applications > System Tools > Beryl Manager. If all goes well, your desktop should now have 3D effects, and you should see the red Beryl gem in the top right corner of your desktop.

3 Make Beryl Start Automatically

Of course, you don’t want to start Beryl manually each time you log in to your desktop. Fortunately, there’s a way to make it start automatically. Open a terminal (Applications > Accessories > Terminal) and become root by typing:

su

First, we create the file /usr/bin/startberyl.sh:

gedit /usr/bin/startberyl.sh

#!/bin/sh
beryl-manager
sleep 4
exec gnome-session

Then we make it executable:

chmod a+x /usr/bin/startberyl.sh

Afterwards, we create the file /usr/share/xsessions/Beryl.desktop:

gedit /usr/share/xsessions/Beryl.desktop

[Desktop Entry]
Encoding=UTF-8
Name=Beryl
Exec=/usr/bin/startberyl.sh
Icon=
Type=Application

Then we log out of our current desktop session. On the login screen, go to Session, choose Beryl and click on the Change Session button. Then log in with your username and password. You will then be asked:

Do you wish to make Beryl the default for future sessions?

You can choose between Just For This Session and Make Default. If this is your first try, I recommend selecting Just For This Session to see if Beryl really starts automatically. If it works, you can select Make Default at the next login.

4 Customize Beryl Behaviour And Window Themes

If you would like to modify Beryl’s behaviour and effects, you can go to Applications > System Tools > Beryl Settings Manager and customize Beryl there.

To change window decorations and themes, you must start the Emerald Theme Manager by going to System > Preferences > More Preferences > Emerald Theme Manager.

5 Links

  • CentOS: http://www.centos.org
  • Beryl: http://www.beryl-project.org

Copyright © 2007 Falko Timme
All Rights Reserved.


The (Almost) Perfect Setup – Debian Sarge (3.1) On A Strato Dedicated-Server (With ISPConfig)


Based on the HowTo The Perfect Setup Debian Sarge (3.1) by Falko Timme, I wrote this HowTo for Strato servers, because Strato’s Debian Sarge (3.1) image has some specifics.

Let me say first: this is one way of many possible ones, but I have tried it more than once and it works.

Anyway, I must tell you, too: if you use this HowTo you do it at your own risk! You will lose all files on the Strato server, because we start with a brand-new installation of the Debian image! If you have questions, mail me or send me a PM.

If you want to have it in German, please mail me or send me a PM, too.

You will need:

  • a Strato dedicated server
  • WinSCP3 and PuTTY or similar software on your computer at home

We use (based on the HowTo by Falko Timme) for the server:

  • Apache 2 as web server
  • Postfix as mail server
  • Courier-POP3 and Courier-IMAP for email, too
  • BIND as DNS server
  • proftpd as FTP server
  • Webalizer for statistics

STEP 1 – Install a new Debian-Image 3.1 with the Strato-Konfigurationsmenü

  • choose Serverkonfiguration
  • choose Neuinstallation
  • mark the box and choose Debian GNU/Linux 3.1 für Profis
  • click on weiter
  • fill in the code you will see
  • Don’t forget: you will lose all files on the Strato server, because we start with a brand-new installation of the Debian image!
  • if you’re sure that you want it, click on weiter
  • wait until you get the email from Strato that the reinstallation is finished.

STEP 2 – Update the Debian Sarge Image

  • log in to your server as root with PuTTY
  • copy the code here and paste it in PuTTY
  • follow the instructions

apt-get update

If you are asked whether you want to stop now because a new kernel will be installed, answer with no. But don’t forget to reboot your server after this upgrade.

apt-get dist-upgrade

apt-get upgrade

(If someone says that this is too much updating and upgrading, let me answer first: I have tried it many times and it works a little bit differently every time; better one time too often than one time too little.)

STEP 3 – Add some more nameservers

  • open and edit the file /etc/resolv.conf
  • add some more nameservers (only if you want):

nameserver 81.169.163.104
nameserver 81.169.163.106
search serverkompetenz.net
nameserver ip.number.from.another

STEP 4 – Setting the hostname

Instead of server1.example.com put in your real server domain (h12345.serverkompetenz.net):

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname

STEP 5 – Install needed and missing software and remove unneeded software

apt-get install make gcc g++ cpp wget flex bzip2 rdate fetchmail libdb3++-dev unzip zip ncftp xlispstat libarchive-zip-perl zlib1g-dev libpopt-dev nmap openssl lynx fileutils

(all in one line!)

Answer the questions with the default answers.

update-rc.d -f exim remove

update-inetd --remove daytime

update-inetd --remove telnet

update-inetd --remove time

update-inetd --remove finger

update-inetd --remove talk

update-inetd --remove ntalk

update-inetd --remove ftp

update-inetd --remove discard

/etc/init.d/inetd reload
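An added verification step that is not part of this howto: after the update-inetd commands above, the script below lists which of the removed services are still active in an inetd.conf. The two inetd.conf samples are constructed (one before and one after the cleanup); commented-out lines, including update-inetd's #<off># markers, count as inactive, so the check works whether the entries were deleted or only disabled.

```shell
#!/bin/sh
# Added example, not part of the original howto: after the update-inetd
# commands, verify that none of the legacy services is still served by inetd.
# Commented-out lines (including update-inetd's "#<off>#" markers) count as
# inactive, so this works whether the entries were deleted or disabled.

# active_inetd_services INETD_CONF: print the service name of every
# uncommented, complete inetd entry, one per line, sorted.
active_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1" | sort -u
}

# leftover_inetd_services INETD_CONF: print the services this howto removes
# that are still active; return 1 if any are, 0 if the cleanup is complete.
leftover_inetd_services() {
    active=$(active_inetd_services "$1")
    found=0
    for svc in daytime telnet time finger talk ntalk ftp discard; do
        if printf '%s\n' "$active" | grep -qx "$svc"; then
            echo "$svc"
            found=1
        fi
    done
    return $found
}

# Constructed samples in Debian Sarge's inetd.conf layout: before the cleanup
# and after it (only ident is left in inetd).
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
cat > "$before" <<'EOF'
#:INTERNAL: Internal services
discard  stream tcp nowait root internal
daytime  stream tcp nowait root internal
time     stream tcp nowait root internal
#:STANDARD: These are standard services.
telnet   stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
ftp      stream tcp nowait root    /usr/sbin/tcpd /usr/sbin/proftpd
#:BSD: Shell, login, exec and talk are BSD protocols.
finger   stream tcp nowait nobody  /usr/sbin/tcpd /usr/sbin/in.fingerd
#:INFO: Info services
ident    stream tcp wait   identd  /usr/sbin/identd identd
EOF
cat > "$after" <<'EOF'
#:INTERNAL: Internal services
#<off># discard  stream tcp nowait root internal
#<off># daytime  stream tcp nowait root internal
#:STANDARD: These are standard services.
#<off># telnet   stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
#:INFO: Info services
ident    stream tcp wait   identd  /usr/sbin/identd identd
EOF

for f in "$before" "$after"; do
    if leftover_inetd_services "$f"; then
        echo "$f: cleanup complete, still active: $(active_inetd_services "$f" | tr '\n' ' ')"
    else
        echo "$f: the services above are still enabled, rerun update-inetd --remove"
    fi
done
```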

STEP 6 – Install and configure quota

apt-get install quota quotatool

Answer the question with no.

Open and edit the file /etc/fstab so that it looks like this (usrquota,grpquota added to the options of the / file system):

# /etc/fstab: static file system information.
#
# file system     mount point    type     options                  dump pass
/dev/sda1         /boot          ext2     nosuid,nodev             0    2
/dev/sda2         none           swap     sw                       0    0
/dev/sda3         /              ext3     defaults,errors=remount-ro,usrquota,grpquota 0       1
proc              /proc          proc     defaults                 0    0

Then run the following steps:

touch /quota.user /quota.group

chmod 600 /quota.*

mount -o remount /

quotacheck -avugm

quotaon -avug

Copyright © 2006 Tobias Groebe
All Rights Reserved.


Configuring Tomcat5 and Apache2 with Virtual Hosts using mod_jk

Version 1.0

Author: C. Troy Popplewell

Visit the Endorsoft.com forums at http://www.endorsoft.com/forums .

Last edited: 02/10/2006

Overview

This tutorial explains how I was able to set up a web server in order to support Java Server Pages (JSP) and Servlets using virtually hosted websites. Although this setup worked for this particular environment, I can make no guarantees that it will work for yours, but it should with some tweaking. I’ll explain later on. I have spent a lot of time gathering several resources in order to get this to work. Many portions of these resources have been deprecated and required a few workarounds. It is my intention that this tutorial will help anyone that has attempted to install such a system without success. If you find any inconsistencies within this tutorial, please notify me at the email address above.

Outlook

The ultimate goal is to provide instructions on how to incorporate JSP/Servlet support on the ISPConfig web hosting software. I felt it was necessary to provide this first segment separately for those that do not wish to use the ISPConfig web hosting control panel.

System Details

The system used in this tutorial has the following installed:

Operating System: Debian Sarge (3.1) http://www.debian.org/
Webserver: Apache 2.0.54 http://www.apache.org/
JDK: JDK 5.0 http://java.sun.com/j2se/1.5.0/download.jsp
Servlet Container: Tomcat http://tomcat.apache.org/
Tomcat Connector: Jakarta Tomcat Connector mod_jk (not mod_jk2)

Debian Sarge (3.1)

If you plan on utilizing ISPConfig to host your websites with Debian Sarge, I highly recommend the how-to provided by Falko Timme here: The Perfect Setup – Debian Sarge (3.1), which prepares your system to support ISPConfig. There are “Perfect Setup” tutorials for other distributions as well. Otherwise, you should be able to find many other resources on the internet for installing Debian. This tutorial is specifically based on configuring Apache and Tomcat to work on Debian using the mod_jk connector.

Apache2

Since installing Apache is beyond the scope of this tutorial, I will assume that you already have Apache 2.0.x installed and running. If you need instructions on installing and configuring Apache 2.0.x please refer to the documentation at the Apache website. Again, you can also find instructions here: The Perfect Setup – Debian Sarge (3.1).

Installing JDK (Java Development Kit)

In order to run Tomcat, you will need to install the JDK and set the JAVA_HOME environment variable to identify the location of the JDK environment on your system. I have chosen to use JDK 5.0.


1. You can download JDK 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp.

2. Click on Download JDK 5.0 Update 6 to go to the download page.

3. Click Accept to accept the license agreement.

4. Next choose the Linux self-extracting file. This is the download for the self-extracting binary file rather than the rpm.

5. Download to your preferred download directory. Change to that directory and make it executable by executing the following command:

chmod +x jdk-1_5_0_06-linux-i586.bin

6. Now execute the file:

./jdk-1_5_0_06-linux-i586.bin

7. You should now have a new directory called j2sdk1.5-sun. Now move this directory to the location where it should be run. I chose /usr/lib/.

mv j2sdk1.5-sun /usr/lib

8. Now create a symbolic link called jdk to JAVA_HOME with the following commands. This allows you to easily switch back and forth between different JVMs should you ever need to.

cd /usr/lib
ln -s j2sdk1.5-sun jdk

9. Now we need to set the JAVA_HOME environment variable. Add the following at the end of /etc/profile just after export PATH.

JAVA_HOME="/usr/lib/jdk"
export JAVA_HOME

/etc/profile is executed at startup and when a user logs into the system. In order to update the environment you will need to log out and log back in to the system.

10. Check to make sure JAVA_HOME is defined correctly by executing the command below. This should report the location of the Java SDK, which should be /usr/lib/jdk.

echo $JAVA_HOME

11. Now test Java with the following command. You should be returned /usr/bin/java. If so, you have successfully completed this section.

which java

Installing Tomcat

In this section you will download and install Apache Tomcat 5.5.15. For this particular setup there is no need to build the package from source; we will download the binary version.

1. Download the binary version to your preferred download directory from here: http://tomcat.apache.org/download-55.cgi. Choose the tar.gz from the core section for 5.5.15.

2. Now change to that directory and extract the files using the following commands:

cd /mydownloads (be sure to change to your download directory)
tar xvzf apache-tomcat-5.5.15.tar.gz

3. You should now have a new directory called apache-tomcat-5.5.15. Now move this directory to the location where it should be installed. Again, I chose /usr/lib/. Note that this location will be referred to as CATALINA_HOME in the Tomcat documentation.

mv apache-tomcat-5.5.15 /usr/lib

4. Next change to the /usr/lib/ directory.

cd /usr/lib

5. Now create a symbolic link called apache-tomcat to CATALINA_HOME with the following command.

ln -s apache-tomcat-5.5.15 apache-tomcat

This will save you from having to make changes to startup and shutdown scripts each time you upgrade Tomcat and, if you so desire, it also allows you to keep several versions of Tomcat on your system and easily switch amongst them.

6. You should now be able to start and stop Tomcat from the CATALINA_HOME/bin directory. If you are using a shell other than bash you will need to add sh to the beginning of the command. You can test that Tomcat is installed by starting it and entering http://localhost:8080 into your browser. Port 8080 is the default port for Tomcat and can be easily changed in the /usr/lib/apache-tomcat/conf/server.xml file. (We will work with this file later on.) If you plan to access this page remotely, be sure to forward the respective port to your server’s IP address within your router. You should now see the Tomcat welcome page that contains links to Tomcat documentation as well as sample JSP/Servlet scripts. Verify that Tomcat is running by executing some of the examples found on the welcome page.

cd /usr/lib/apache-tomcat/bin
sh startup.sh

To shut down the server, you will need to execute the following command. Feel free to try it, but for now we will leave Tomcat running.

sh shutdown.sh

Copyright © 2006 C. Troy Popplewell
All Rights Reserved.


Building A Virtual Server (VPS) With Debian 3.1 (Sarge) And OpenVZ

This is a “copy & paste” HowTo! The easiest way to follow this tutorial is to use a command line client/SSH client (like PuTTY for Windows) and simply copy and paste the commands (except where you have to provide own information like IP addresses, hostnames, passwords,…). This helps to avoid typos.

Version 1.2
Author: Till Brehm <t.brehm [at] howtoforge [dot] com >
Last edited 09/07/2006

In this HowTo I will describe the steps to be taken to prepare a server for OpenVZ virtual machines on Debian 3.1 (Sarge) 32Bit Linux. With OpenVZ you can create multiple Virtual Private Servers (VPS) on the same hardware, similar to Xen and the Linux Vserver project. OpenVZ is the open-source branch of Virtuozzo, a commercial virtualization solution used by many providers that offer virtual servers. The OpenVZ kernel patch is licensed under the GPL license, and the user-level tools are under the QPL license.

In the first chapter I will compile the Linux kernel for Debian with the OpenVZ patches. This results in an easy-to-install .deb package. This is necessary when you need drivers that are not compiled into the stock kernel that is available from systs.org. You can skip the first chapter if the precompiled kernel fulfills your needs and install the kernel as described in chapter 1.2.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Please note: if you want to use the precompiled OpenVZ kernel, you can skip the sections 1 and 1.1 and go directly to 1.2. If you want to compile your own kernel, please read the sections 1 and 1.1 before you proceed with 1.2.

1 Prepare Your Server To Host Virtual Private Servers

First we install some prerequisites for the kernel compilation.

apt-get install kernel-package libncurses5-dev fakeroot wget bzip2

1.1 Compiling The OpenVZ Linux Kernel

Downloading The Kernel Sources

The OpenVZ patch is currently available for the kernel 2.6.8 only. We will use the vanilla kernel from kernel.org and patch and configure it for our needs. To download and unpack the sources, execute the following commands:

cd /usr/src
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.8.tar.bz2
tar xjf linux-2.6.8.tar.bz2
cd linux-2.6.8/

Getting The OpenVZ Patch And Patching The Kernel

Now we download the OpenVZ kernel patch from OpenVZ.org and apply it to the kernel sources.

wget http://download.openvz.org/kernel/stable/022stab078.14/patches/patch-022stab078-combined.gz
gzip -d patch-022stab078-combined.gz
patch -p1 < patch-022stab078-combined

Getting The Kernel Config For OpenVZ

OpenVZ.org offers several kernel configurations from generic i686 to enterprise configurations. I select the generic i686 configuration. You may select another config depending on your hardware and processor. The configs can be downloaded from here: http://openvz.org/download/kernel/

wget http://download.openvz.org/kernel/stable/022stab078.14/configs/kernel-2.6.8-022stab078-i686.config.ovz

Now run "make menuconfig", select "Load an alternate configuration file" and select the file "/usr/src/linux-2.6.8/kernel-2.6.8-022stab078-i686.config.ovz".

make menuconfig

If you have some special kernel config requirements, change them now. Then select Exit and then Save to save the kernel configuration.

make-kpkg clean

Now we compile the kernel.

fakeroot make-kpkg --revision=OpenVZ.2.6.8 kernel_image

If the compilation stops with an error, run

make clean

and then re-run the previous commands starting with

make menuconfig

1.2 Installing The OpenVZ Kernel

If you have skipped the first chapter, you can install the precompiled Debian kernel now.

Add the repository for the OpenVZ tools to /etc/apt/sources.list:

echo "deb http://debian.systs.org/ stable openvz" >> /etc/apt/sources.list
apt-get update

Install the packages:

apt-get install kernel-image-2.6.8-stable-ovz

1.3 Installing OpenVZ Tools

Install the packages:

apt-get install vzctl vzquota vzctl-template

Now you should reboot your server:

shutdown -r now

Copyright © 2006 Till Brehm
All Rights Reserved.
