Sunday, 23 December 2007

Installing Apache 2.2 from source on Ubuntu

Two reasons you might want to do this.


  • You want to host a Rails application using Mongrel via Apache and mod_proxy_balancer.


  • You’re studying in a Website administration module for your 3rd year Software Engineering degree :)

Seriously though, if you don’t want to use mod_proxy_balancer, just do a normal apt-get install of Apache 2 and you’ll be fine. mod_proxy_balancer is only available for Apache 2.2, and currently, that’s not available from the Ubuntu repositories via apt-get.

This article only covers installing Apache 2.2 - I’ll write another one for getting Subversion and PHP working shortly afterwards.

Workspace
If you’ve not got the build-essential package installed yet:

sudo apt-get install build-essential

It’s best to keep all of the source files in a separate directory so they don’t mess up your home directory.

cd
mkdir src
cd src

Zlib
So that Apache can compress output to browsers that support it, we’re going to install Zlib first of all:

wget http://www.zlib.net/zlib-1.2.3.tar.gz
tar xvfz zlib-1.2.3.tar.gz
cd zlib-1.2.3/
./configure --prefix=/usr/local
make
sudo make install


Apache 2.2
Now download the Apache 2.2 source files:

cd ..
wget http://apache.rmplc.co.uk/httpd/httpd-2.2.3.tar.gz


Extract and move into the directory:

tar xvfz httpd-2.2.3.tar.gz
cd httpd-2.2.3/


Now to configure the build of Apache 2.2 that we want:

./configure --prefix=/usr/local/apache2 --enable-mods-shared=all --enable-deflate --enable-proxy --enable-proxy-balancer --enable-proxy-http

Besides setting the modules we’d like installed and the location of the install, the parameter --enable-mods-shared=all tells Apache 2.2 to build modules so that they can be dynamically loaded when it is started. This means we can add further modules to our Apache 2.2 install when we like, as we will do with the Subversion modules and PHP.

Once the configuration is complete:

make
sudo make install

Let’s test that it’s working:

sudo /usr/local/apache2/bin/apachectl start

Now navigate to http://localhost/ and you should see a message saying “It works!”.

Stop Apache:

sudo /usr/local/apache2/bin/apachectl stop

Apache at start-up
Now let’s get Apache to start at boot time automatically:

sudo cp /usr/local/apache2/bin/apachectl /etc/init.d/apachectl
sudo chmod +x /etc/init.d/apachectl

What we’re doing here is copying the Apache Control script into the start-up directory.
We just need to add a few lines to the file for it to work nicely:

sudo nano /etc/init.d/apachectl

Add the following, so the top of the file looks like:

#!/bin/sh
#
# chkconfig: - 85 15
# description: Apache is a web server.

Save the file.

Now we need to register it with the start-up manager:

sudo /usr/sbin/update-rc.d apachectl defaults


Securing Apache
It’s also a good idea to create a dedicated Apache system user account. It’ll make your install much more secure.

sudo adduser --system apache

Now we just need to make sure that Apache runs under this user. We do that by editing the configuration file:

sudo nano /usr/local/apache2/conf/httpd.conf

You need to find the lines that say:

User daemon
Group daemon

And change them so they look like:

User apache
Group nogroup


Save the file.
Now, let’s start Apache:

sudo /usr/local/apache2/bin/apachectl start


Now to check it’s running under the new user, apache:

ps aux | grep httpd

If you see the word apache in there, it’s working.
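
The same check can be scripted instead of read by eye. The following is an added example, not part of the original post: the function names conf_user and workers_not_as are hypothetical, and the config excerpt and process list are constructed samples.

```shell
#!/bin/sh
# Added example: confirm that httpd workers run as the account named in httpd.conf.
# On a real host:
#   conf_user < /usr/local/apache2/conf/httpd.conf
#   ps -eo user=,pid=,ppid=,comm= | workers_not_as apache

# Constructed excerpt of httpd.conf after the edit described above.
CONF_SAMPLE='#User daemon
User apache
Group nogroup'

# Constructed process list: user pid ppid command.
# PID 700 is the parent httpd; PID 704 is a worker that kept root (the anomaly).
PS_SAMPLE='root 700 1 httpd
apache 701 700 httpd
apache 702 700 httpd
root 704 700 httpd
root 650 1 sshd'

# Value of the last uncommented User directive read from stdin.
# Apache directive names are case-insensitive, hence tolower().
conf_user() {
    awk 'tolower($1) == "user" { u = $2 } END { print u }'
}

# PIDs of httpd processes whose parent is also httpd but whose owner is not $1.
# The parent httpd runs as root so it can bind port 80; it is not reported.
workers_not_as() {
    awk -v want="$1" '
        $4 == "httpd" { owner[$2] = $1; parent[$2] = $3 }
        END {
            for (pid in owner)
                if ((parent[pid] in owner) && owner[pid] != want)
                    print pid
        }' | sort -n
}

want=$(printf '%s\n' "$CONF_SAMPLE" | conf_user)
bad=$(printf '%s\n' "$PS_SAMPLE" | workers_not_as "$want")
echo "configured user: $want; workers under another account: ${bad:-none}"
```
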

Check it’s all working
Now just reboot the system and, before logging in, check from another machine by visiting the server’s IP in a web browser; you should see the “It works!” message. This means Apache started up correctly and automatically.

Building Apache 2.2 from source. Done.

Thursday, 13 September 2007

Verifying Which Ports Are Listening with Nmap

Once you have configured services on the network, it is important to keep tabs on which ports are actually listening on the system's network interfaces. Any open ports can be evidence of an intrusion.

There are two basic approaches for listing the ports that are listening on the network. The less reliable approach is to query the network stack by typing commands such as:


netstat -an

or

lsof -i

This method is less reliable since these programs do not connect to the machine from the network, but rather check to see what is running on the system. For this reason, these applications are frequent targets for replacement by attackers. In this way, crackers attempt to cover their tracks if they open unauthorized network ports.
A more reliable way to check which ports are listening on the network is to use a port scanner such as nmap.


First install Nmap with:

apt-get install nmap

The following command issued from the console determines which ports are listening for TCP connections from the network:

nmap -sT -O localhost


The output of this command looks like the following:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1596 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
515/tcp open printer
834/tcp open unknown
6000/tcp open X11
Remote OS guesses: Linux Kernel 2.4.0 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

This output shows the system is running portmap due to the presence of the sunrpc service. However, there is also a mystery service on port 834. To check if the port is associated with the official list of known services, type:

cat /etc/services | grep 834

This command returns no output. This indicates that while the port is in the reserved range (meaning 0 through 1023) and requires root access to open, it is not associated with a known service.

Next, you can check for information about the port using netstat or lsof. To check for port 834 using netstat, use the following command:

netstat -anp | grep 834

The command returns the following output:

tcp 0 0 0.0.0.0:834 0.0.0.0:* LISTEN 653/ypbind


The presence of the open port in netstat is reassuring because a cracker opening a port surreptitiously on a hacked system would likely not allow it to be revealed through this command. Also, the [p] option reveals the process id (PID) of the service which opened the port. In this case the open port belongs to ypbind (NIS), which is an RPC service handled in conjunction with the portmap service.

The lsof command reveals similar information since it is also capable of linking open ports to services:

lsof -i | grep 834


Below is the relevant portion of the output for this command:

ypbind 653 0 7u IPv4 1319 TCP *:834 (LISTEN)
ypbind 655 0 7u IPv4 1319 TCP *:834 (LISTEN)
ypbind 656 0 7u IPv4 1319 TCP *:834 (LISTEN)
ypbind 657 0 7u IPv4 1319 TCP *:834 (LISTEN)


As you can see, these tools can reveal a great deal about the status of the services running on a machine. These tools are flexible and can provide a wealth of information about network services and configuration. Consulting the man pages for lsof, netstat, nmap, and services is therefore highly recommended.
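
The cross-check described in this post, comparing what the scanner sees with what the local tools report, can be automated. The following is an added example, not part of the original post: the function names are hypothetical, the nmap port table is the one shown above, and the netstat sample is constructed.

```shell
#!/bin/sh
# Added example: compare the network view (nmap) with the local view (netstat).
# On a real host: nmap -sT localhost | nmap_ports ; netstat -an | netstat_ports

# Port table taken from the nmap output shown above.
NMAP_SAMPLE='Interesting ports on localhost.localdomain (127.0.0.1):
Port State Service
22/tcp open ssh
111/tcp open sunrpc
515/tcp open printer
834/tcp open unknown
6000/tcp open X11'

# Constructed sample: port 6000 is left out, as a replaced netstat might report.
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:834 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.5:22 10.0.0.9:51514 ESTABLISHED'

# Open TCP ports from nmap's port table ("22/tcp open ssh").
nmap_ports() {
    awk -F/ '$1 ~ /^[0-9]+$/ && $2 ~ /^tcp[ \t]+open/ { print $1 }' | sort -nu
}

# Listening TCP ports from "netstat -an"; the local address is field 4.
netstat_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -nu
}

# Ports in list $1 that are absent from list $2 (newline-separated numbers).
missing_from() {
    for p in $1; do
        printf '%s\n' "$2" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Exact lookup of port $1 in services file $2; a bare "grep 834" also matches 8340.
known_service() {
    awk -v p="$1/tcp" '$2 == p { found = 1 } END { exit !found }' "${2:-/etc/services}"
}

seen_remote=$(printf '%s\n' "$NMAP_SAMPLE" | nmap_ports)
seen_local=$(printf '%s\n' "$NETSTAT_SAMPLE" | netstat_ports)
hidden=$(missing_from "$seen_remote" "$seen_local")
echo "open on the network but not reported locally: ${hidden:-none}"
```

The comparison carries most weight when the nmap output is collected from a second, trusted machine, since a scanner run on the suspect host is subject to the same tampering as netstat.
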

Sunday, 9 September 2007

Test an MX record

Test an MX record by typing the following at a DOS prompt:

nslookup -q=mx server.domain.dk

The reply should look like this:

server.domain.dk MX preference = 10, mail exchanger = server.domain.dk

Tuesday, 21 August 2007

To start or stop services under any Debian-based distro

  1. Get the name of the service you want to start or stop

ls /etc/init.d

then

sudo invoke-rc.d servicename start|stop

Which is only a shortcut to

sudo /etc/init.d/servicename start|stop

The easiest way (in my opinion) to do all this is to use this nice little app here:

apt-get install sysv-rc-conf

sysv-rc-conf

Monday, 20 August 2007

WordPress Installation on Ubuntu

  1. First check that Apache, MySQL and phpMyAdmin are installed and working (sort of an AMP server? ;-)
  2. Download WordPress (in my case in DK version): http://svn.automattic.com/wordpress-i18n/da_DK/tags/2.2.2/wordpress-2.2.2-da_DK.zip
  3. Extract your WordPress archive into your server directory.

    sudo tar zxvf wordpress-x.x.x.tar.gz --directory=/var/www/
  4. Create a database for WordPress on your Ubuntu, as well as a MySQL user who has all privileges for accessing and modifying it. You can use phpMyAdmin to make it easier (http://localhost)
  5. First create database: wordpress
  6. Then create a new user: wordpress with password: wordpresspassword
    Write down the values you used for databasename, wordpressusername, hostname, and password for future purpose.
  7. Rename the wp-config-sample.php file to wp-config.php. Open and edit wp-config.php file to:

// ** MySQL settings ** //
define('DB_NAME', 'wordpress');

define('DB_USER', 'wordpress');

define('DB_PASSWORD', 'wordpresspassword');

define('DB_HOST', 'localhost');

  8. Run the Install Script by browsing to wp-admin/install.php within the directory into which you just installed WordPress. For example: point your browser to http://localhost/wordpress/wp-admin/install.php.
  9. To test: Point your browser to http://localhost/wordpress.

Wednesday, 15 August 2007

Installing AlienBBC on Linux

AlienBBC is a plugin for slimserver, the software platform used by the Slim Devices line of networked music players.

It is primarily designed to allow the user to listen to BBC Radio streams but also adds the ability to listen to any RealAudio stream. Currently, it is capable of parsing and playing the following resources:

  • All the main BBC Radio 'Live' streams
  • The BBC 'Listen Again' Audio on Demand content
  • All Available BBC Radio 2 Content
  • All Available BBC Radio 4 Content
  • The BBC7 Audio Archive
  • The Available BBC Local Radio Stations
  • Radio 5 Live Audio Archive
  • Some of the ABC Content (Australian Broadcasting Corporation)
  • A number of other streams, suggested by AlienBBC Users

For a complete list of stations see here


These instructions assume you are installing on to SlimServer V6.2 or later.

  1. Download the linux archive http://www.x2systems.com/alienbbc/alienbbc-linux-v1.06_6.2-3.tar.gz.
  2. Extract this tar file into the main slimserver directory. This is usually: /usr/local/slimserver.
  3. Ensure that /usr/local/slimserver/Bin/mplayer.sh is executable by the user 'slimserver'.
  4. Ensure that mplayer is installed and available on the path for slimserver (as for previous AlienBBC versions) and has the relevant codecs available. If you need help with installing mplayer this may help: http://forums.slimdevices.com/showthread.php?t=17015.
    If using mplayer pre7 or later edit slimserver-convert.conf to comment out the lines that follow "# Default mplayer up to pre6". Then uncomment the lines that follow "# Alternative for mplayer pre7 or later".
  5. Restart slimserver and see if AlienBBC appears on the web page.
    If you have trouble, run './slimserver.pl -d_plugin' in a shell from /usr/local/slimserver to check for error messages at startup.

Extra Information

For detailed instructions on installing on linux see ripcaster's website http://www.ripcaster.co.uk/node

Tuesday, 14 August 2007

Instructions for installing Slimserver on Ubuntu (Debian)

/* install as su */
sudo su

/* setup slimserver user */
addgroup slimserver
adduser --ingroup slimserver slimserver

/* unpack slimserver code */
cd /usr/local
tar -xzvf ....SlimServer_v2005-08-02.tar.gz
ln -s SlimServer_v2005-08-0 slimserver (link or rename directory as required)
chown -Rf slimserver:slimserver /usr/local/slimserver

/* create pref file with write permissions for slimserver */
nano /etc/slimserver.pref
(save as empty file)
chmod 666 /etc/slimserver.pref

/* create startup script */
nano /etc/init.d/slimserver
cut & paste:

#!/bin/sh

# slimserver init script for Debian Linux
#
# This script expects slimserver to be installed in
# /usr/local/slimserver
#
# logfile will be written to
# /tmp/slimserver.log
#

DAEMON=/usr/local/slimserver/slimserver.pl
PIDFILE=/var/tmp/slimserver.pid
LOGFILE=/tmp/slimserver.log
USER=slimserver
SLIMSERVER_OPTS=""

test -x ${DAEMON} || exit 0

case "$1" in
    start)
        echo -n "Starting Slimserver: "
        HOME=/home/$USER
        start-stop-daemon --start --quiet --exec $DAEMON \
            --chuid ${USER} -- --daemon \
            --prefsfile=/etc/slimserver.pref --pidfile=${PIDFILE} \
            --logfile=${LOGFILE} ${SLIMSERVER_OPTS}
        echo "slimserver"
        ;;

    stop)
        echo -n "Stopping Slimserver: "
        start-stop-daemon --stop --quiet --user ${USER} --pidfile ${PIDFILE} --retry 5
        echo "done"
        ;;

    force-reload|restart)
        $0 stop
        $0 start
        ;;

    *)
        echo "Usage: $0 {start|stop|restart|force-reload}"
        exit 1
        ;;

esac

exit 0

(save file)
chmod 755 /etc/init.d/slimserver

/* start slimserver */
/etc/init.d/slimserver start

/* add to init */
update-rc.d slimserver defaults

/* kill su */
exit
