[DIY] - SmallNetworks - Learning by Doing

There is a lot to learn, but I enjoy it so much

Just be very, very careful running NMAP - in the workplace, there are usually UTM/IDS platforms, and they know all about NMAP. Running NMAP inappropriately in the workplace is a quick way to a meeting with HR and a Resume/CV update..

Also - NMAP can run a target completely out of resources and memory - causing them to get into a bad state or flat out crash...
 
Update - network services section - removing SNMP to add to another section

Avahi, NTP

Code:
====== Network Services ======

Below are a few services that are useful and may not be included as part of the default Ubuntu install (Desktop or Server)

===== Avahi =====

What is Avahi - it's multicast DNS and service discovery - while invented by Apple, it's been adopted across multiple platforms - hint, if you're on Windows - install iTunes, and you can play along as well. iTunes for Windows includes a full mDNS stack - Win10 has a partial implementation, but is sort of broken, so again install iTunes - Macs all have it, Androids use it, and many printers and set-top boxes also take advantage of it.

Few people know how useful avahi can be. You can forget about running ifconfig on the target machines/devices to find their IP; you don't need a static IP for them anymore...

Installing avahi is quite simple - the client on Ubuntu Desktop is usually installed, but for our small server, we need to install the avahi-daemon and avahi-utils packages.

  sudo apt install avahi-daemon avahi-utils

After that you can reach that machine over the net using its new domain name.

  ping testbox.local

One can also do network discovery - you might be surprised at how many devices support zeroconf/mDNS

  test@testbox:~$ avahi-browse -at

You might also consider running the avahi-browse-domains utility:

  test@testbox:~$ avahi-browse-domains -at

Avahi is useful enough that this series is dependent upon it for many of the examples and configurations - so it is a prerequisite item.

//Editors note - Avahi, like NetworkManager, systemd, and LVM - these are newer technologies that actually make life easier for Linux users - both in the server as well as desktop environments - change is inevitable... this series will meet them head-on and make use of them - there are many benefits for the SmallNetwork SNB Basics admin and their users//

===== NTP =====

Time is the school in which we learn,\\
Time is the fire in which we burn.

-- Delmore Schwartz

Time is incredibly important when tracking performance, so we need to have a solid baseline for current time.

**Install NTP**

  sudo apt install ntp

Not much to do here, except enable logging, and set up the servers...

  sudo nano /etc/ntp.conf

Uncomment the stats...

  # Enable this if you want statistics to be logged.
  statsdir /var/log/ntpstats/

Optional - Update/modify the servers - in 16.04, the default pack has pools, not servers, so it's a choice, both are good.

  # Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
  # on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
  # more information.
  server 0.ubuntu.pool.ntp.org
  server 1.ubuntu.pool.ntp.org
  server 2.ubuntu.pool.ntp.org
  server 3.ubuntu.pool.ntp.org
  # Use Ubuntu's ntp server as a fallback.
  server ntp.ubuntu.com

And save the file, restart/kick ntp...

  sudo service ntp restart

You can check the status with:

  $ ntpq -p

You should see something similar to:

  $ ntpq -p
   remote           refid      st t when poll reach   delay   offset  jitter
  ==============================================================================
  repos.lax-noc.c 127.67.113.92    2 u    1   64    1   19.803   -0.605   1.258
  blue.1e400.net  173.66.221.127   2 u    -   64    1   85.346   -0.744   0.581
  hydrogen.consta 200.98.196.212   2 u    1   64    1  154.068  -32.902  16.849
  *time-a.timefreq .ACTS.           1 u    1   64    1   75.428    2.214   1.264
  2001:67c:1560:8 193.79.237.14    2 u    7   64    1  173.743   10.322   0.000

===== SNMP =====

NOTE - this section is dropped here and will be added to another upcoming section - please update any local copies
 
Tossing another section over - this one is managing the local server network config.

NetworkManager rocks... many folks don't appreciate what it can do...

Code:
====== Network Management  ======

Now is a good time to set a persistent and constant IP for your server - DHCP has been good enough, but as we start pouring in more services, it's good to get this done now.

Note - this was supposed to be pretty quick, but then... the brave new way of doing things stepped in.

Setting a static IP is not the same as setting a DHCP reservation in your Router/AP - so choose an IP that is within your range, but outside of your DHCP server scope.

For purposes here - we're working in the 192.168.1.0/24 space, so we have the 192.168.1.0 thru 192.168.1.254 range to work with - most Router/AP's will start a DHCP scope ranging from 192.168.1.100-150, or 192.168.1.2 thru whatever - check with the vendor on how to limit the DHCP scope for those devices.

** Discover Interfaces **

To quickly identify all available Ethernet interfaces, you can use the ifconfig command as shown below.

  sudo ifconfig -a | grep inet

You will see a response similar to below

<code>
test@testbox:~$ sudo ifconfig
enp1s0    Link encap:Ethernet  HWaddr 44:8a:5b:35:21:c1  
          inet addr:192.168.1.122  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::468a:5bff:fe35:21c1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

snip...
</code>

Used to be easy, we could just see eth0 as the primary, and eth1 (n+1) as secondaries - not so much any more with UEFI and other advances...

Old-school...

  eth0      Link encap:Ethernet  HWaddr 74:e6:e2:11:22:33

New school... with a wink towards to old-school - see how things change

<code>
$ ifconfig -a
enp1s0    Link encap:Ethernet  HWaddr 74:e6:e2:11:22:33  
          inet addr:192.168.1.122  Bcast:192.168.1.255  Mask:255.255.255.0
</code>

enp1s0 is the gigabit wired adapter (if you're really clever, you can chase down the OUI's on the MAC addresses, lol...)

So now that we know where the interfaces are, let's bind an interface to an address.

** Network Manager - the modern way of managing interfaces **

Editing the network configuration in a data center view, we've got tools to do this automatically on the install, but here, we're working with a single instance, and we don't need/have those tools available. Network Manager helps here, as we can do it on a single command line without having to call sed and write up a complicated regex - now that the cloud is here, NM is really a better way.

Now knowing that we have a working DHCP config, and have already downloaded/installed packages - let's get NetworkManager, and configure things from the CLI...

NOTE - before installing NetworkManager, we need to make a small change to a network configuration file, otherwise apt will complain - no worry here, as once we install and reboot, NetworkManager will capture and manage the interfaces

  sudo nano /etc/network/interfaces

Comment out the current interfaces; be sure to leave the source and loopback sections as they are, and comment out just the Ethernet interface and, if installed, the wireless interface.

It should look similar to this when you are done:

<code>

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#auto enp1s0
#iface enp1s0 inet dhcp

# This is an autoconfigured IPv6 interface
#iface enp1s0 inet6 auto
</code>

save the file, and now we install network-manager

  sudo apt install network-manager

And reboot - ... and cross fingers ;)

(keep a keyboard/monitor handy, just in case)

With NetworkManager, all the connection configuration files will be stored here:

  /etc/NetworkManager
  /etc/NetworkManager/system-connections

Since we've already installed avahi, and NetworkManager, by default, is DHCP, the server should come back after the reboot...

** Network Manager CLI **

Again, we're in the new world of UEFI, Systemd, ipv6, etc and some things are a bit different, but...

Drive around a little bit - notice the device enumerations - they're still consistent, perhaps even more so - e.g. e is for ethernet, w is for wireless...

  $ nmcli device status
  DEVICE  TYPE      STATE         CONNECTION        
  enp1s0  ethernet  connected     Wired connection 1 
  wlp2s0  wifi      disconnected  --                
  lo      loopback  unmanaged     --    

and even better... if you have a WiFi adapter installed on the server - can tickle this directly from nm...

<code>
  $ nmcli dev wifi list
  SSID           MODE   CHAN  RATE       SIGNAL  BARS  SECURITY
  MYSSID         Infra  11    54 Mbit/s  100     ▂▄▆█  WPA2
  MYSSID         Infra  132   54 Mbit/s  100     ▂▄▆█  WPA2
  SOMEOTHERSSID  Infra  52    54 Mbit/s  49      ▂▄__  WPA2
  MYSSID         Infra  149   54 Mbit/s  45      ▂▄__  WPA2
  MYSSID         Infra  11    54 Mbit/s  42      ▂▄__  WPA2
  SOMEOTHERSSID  Infra  1     54 Mbit/s  27      ▂___  WPA2
</code>

Cool, eh?

Now to set up a static IP address - the semantics here are pretty easy to follow - here's a template;

  nmcli connection add type ethernet con-name connection-name ifname interface-name ip4 address gw4 address

So as an example

  $ sudo nmcli con add type ethernet con-name homenet ifname enp1s0 ip4 192.168.1.6/24 gw4 192.168.1.1

and after a reboot - we get this...

<code>
test@testbox:~$ sudo nmcli con add type ethernet con-name homenet ifname enp1s0 ip4 192.168.1.6/24 gw4 192.168.1.1
[sudo] password for test: 
Connection 'homenet' (6542f1df-76b2-4bdd-80e5-d38739947bc0) successfully added.
</code>

  $ ifconfig
  enp1s0    Link encap:Ethernet  HWaddr 74:e6:e2:11:22:33
            inet addr:192.168.1.6  Bcast:192.168.1.255  Mask:255.255.255.0


And then we can add some DNS servers - using google's public dns here

  $ sudo nmcli con mod homenet ipv4.dns "8.8.8.8 8.8.4.4"

NetworkManager, for many in the desktop world, has been a source of pain/disgust, but if you give it a chance, it's a very powerful solution - with a bit of a learning curve - the brave new world... change is never easy, but if you make it thru this one, you'll be set for the future.

Since we're on a server, and wired up, we may not need WiFi at the moment - this works nicely for laptops as well, if you're hardcore and run linux all the time there (which many actually do in the circle I run with)

  sudo nmcli radio wifi off

And we can confirm by going back to nmcli and asking for the device status

<code>
$ nmcli dev status
DEVICE  TYPE      STATE        CONNECTION 
enp1s0  ethernet  connected    homenet    
wlp2s0  wifi      unavailable  --        
lo      loopback  unmanaged    --  
</code>

to turn wifi back on

  sudo nmcli radio wifi on

Good quote comes to mind - "wax on/wax off" - miyagi-san

TIP - might also consider nmtui - I know it's not fair, but better to get the hard stuff first off

<code>

   ┌───────────────────────────┤ Edit Connection ├───────────────────────────┐
   │                                                                        ↑│ 
   │         Profile name homenet_________________________________          ▮│ 
   │               Device enp1s0 (44:8A:5B:35:21:C1)______________          ▒│ 
   │                                                                        ▒│ 
   │ ═ ETHERNET                                                    <Show>   ▒│ 
   │                                                                        ▒│ 
   │ ╤ IPv4 CONFIGURATION <Manual>                                 <Hide>   ▒│ 
   │ │          Addresses 192.168.1.6/24___________ <Remove>                ▒│ 
   │ │                    <Add...>                                          ▒│ 
   │ │            Gateway 192.168.1.1______________                         ▒│ 
   │ │        DNS servers 8.8.8.8__________________ <Remove>                ▒│ 
   │ │                    8.8.4.4__________________ <Remove>                ▒│ 
   │ │                    <Add...>                                          ▒│ 
   │ │     Search domains <Add...>                                          ▒│ 
   │ │                                                                      ▒│ 
   │ │            Routing (No custom routes) <Edit...>                      ▒│ 
   │ │ [ ] Never use this network for default route                         ▒│ 
   │ │ [ ] Ignore automatically obtained routes                             ▒│ 
   │ │                                                                      ▒│ 
   │                                                                        ↓│ 
   └─────────────────────────────────────────────────────────────────────────┘ 
                                                                               

</code>                                                                        

(bask in the ANSI glory, it's back to 1983)

nm is the next gen, and it's very powerful - we've only touched on a couple of the capabilities here.

Good reference here - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Using_the_NetworkManager_Command_Line_Tool_nmcli.html
 
And this is part of another section - but this will help it all make sense - had to use this to document things - they're all variables that you, as the admin need to choose...

Code:
===== Conventions =====

These items are used to facilitate documentation - it is assumed that in an individual installation, the items below will be custom to that installation.

<code>
Admin User (not root): test
Hostname: testbox
Hostname FQDN: testbox.local
Host IP: 192.168.1.6
Network: 192.168.1.0/24

mysqladmin: test
smbadmin: test

email: gmailuser@gmail.com <-- for postfix and some alerting
passwords: when indicated, and this is only for example use - getaccess
</code>
//GMAIL note - there are sections where email is needed - GMAIL works well, it's tested, and the instructions in this series will be focused on that service - you may use a primary GMail account if you wish, or my recommendation is to set up a dedicated GMAIL account specific to monitor your SNB Basics Server.//
 
Updated OpenSSH section - some folks are going to give me some grief on this one - but I caution, do the homework first - this will result in a very, very secure OpenSSH install

Code:
==== SSH Server ====

Let's sort ssh - we have lots of space, so let's use OpenSSH vs Dropbear

//**Comment** - Dropbear, like BusyBox, is awesome software, and great for an small footprint (mem/storage) environment - they're safe and secure to use, but in this walkthru, we have a full linux install, and there are better tools to use//.

=== Install OpenSSH Server ===


  sudo apt install openssh-server

ssh back into the box

  ssh test@192.168.1.6

or try if you have installed avahi-daemon as noted above

  ssh test@testbox.local

Note - most of the defaults are fine, so we'll hit the high points to improve security

edit the /etc/ssh/sshd_config - save a copy first - 

  sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

and then 

  sudo nano /etc/ssh/sshd_config

edit/change the following:

<code>

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
# LogLevel INFO
LogLevel VERBOSE

# Authentication:
# LoginGraceTime 120
LoginGraceTime 30

# PermitRootLogin prohibit-password
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# X11Forwarding yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
MaxStartups 2:30:10
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

MaxAuthTries 3
DebianBanner no
AllowUsers test
</code>

In summary, the lines we changed are below;

  LogLevel VERBOSE
  LoginGraceTime 30
  PermitRootLogin no
  X11Forwarding no
  MaxStartups 2:30:10

Add this line - this is for additional security - if the AllowUsers directive is used, then only the user accounts that follow it will be allowed to authenticate; others, even if they have an account on the system, will not be allowed - whether passwords or key files are used.

  AllowUsers test

We set this directive to reduce information leakage - the bundled package includes a banner that identifies the operating system in use; we remove that by telling OpenSSH not to show it.

  DebianBanner no

Along with the MaxStartups directive above, we add this as well - this effectively rate limits the OpenSSH daemon; used in conjunction with LoginGraceTime, it does help with brute force attacks. In the UFW section, we discuss additional steps to further lock things down.

  MaxAuthTries 3

Save changes - restart ssh keep current session open

  sudo service ssh restart

Try to login to the ssh server again - should work, if not, check your edits...

=== SSH Hardening for Security ===


We've already done the two best steps - disabling the root login, and the AllowUsers directive. These two items will block every connect attempt - I've had an SSH server sitting in my home network forwarded out to the public internet for many years, with thousands of attempts a week, and no compromises.

The absolute very best way to secure SSH is to use public/private key based logins. The downside is that key-based logins do incur a bit more effort to set up on the server side, and if one works with many clients, there's the overhead of managing all those key files across the client machines.

//**Comment** - Public/Private Keys by themselves do not offer more security, however they do offer more 'trust' which is just as important - I use them at work, and I think they're a good idea - I'm just not in a position to answer 1000 questions on certificates, key management, client configurations - when username/passphrase (the PW isn't sent in the clear, btw) is sufficient for most folks - the best security is simple security, things break when more steps are added.//

If you want to set up Public/Private Keys for OpenSSH, see the excellent reference on Ubuntu's wiki, the steps there apply pretty much to any linux based OpenSSH server.

**Changing SSHD Ports**

I'm only adding this as folks will say - How to change the sshd port?

Changing ports is not always a good idea, as it's security thru obscurity, which is no security at all as the robots will always find a way.

I've seen posts on the forums where folks are unwisely using port 80 and/or port 443 - without understanding the issues with those ports and processes that run as root, or are owned by root - bad idea.

If you __must__ change the SSH port keep in mind that port numbers below 1024 are privileged ports that can only be opened by root or processes running as root. 

So always pick a port above that - it used to be that anything above TCP port 8000 was good, but many apps are starting to use them.

If you change the SSH port also open the new port you have chosen on the firewall and close port 22.

  sudo vi /etc/ssh/sshd_config

Change or add the following line and save. Again, consider above before doing this.

  Port <ENTER YOUR DESIRED PORT>

Restart SSH server:

  sudo service ssh restart

If you get locked out, you know why. 

OpenSSH is very secure if done right.
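An added check for the hardening above (example code written for this page, not from the post): it reads an sshd_config and reports whether each directive the walkthrough sets is actually in effect. The two parsing rules matter more than the list of directives: sshd honours the FIRST occurrence of a directive and silently ignores later ones, and everything after the first `Match` line belongs to conditional blocks. The "appended" sample below is constructed to show the classic failure that results (a `PermitRootLogin no` pasted at the bottom of a file that still says `yes` higher up). Function names, the compiled-in defaults in the table, and both sample files are my assumptions; values are assumed to be in the whitespace-separated `Key value` form of the shipped file, with LoginGraceTime in plain seconds.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# hardening applied in the walkthrough. First occurrence of a directive wins;
# lines after the first "Match" are conditional and are skipped here.

# effective_value FILE DIRECTIVE -> the effective global value, or nothing if unset
effective_value() {
  awk -v key="$2" '
    /^[[:space:]]*(#|$)/        { next }            # comments and blank lines
    tolower($1) == "match"      { inmatch = 1 }     # start of the conditional section
    inmatch                     { next }
    tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# check_directive FILE DIRECTIVE WANT [COMPILED_DEFAULT]
check_directive() {
  local got
  got=$(effective_value "$1" "$2")
  [ -n "$got" ] || got=${4:-}          # absent directive -> sshd uses its built-in default
  if [ "$(printf %s "$got" | tr 'A-Z' 'a-z')" = "$(printf %s "$3" | tr 'A-Z' 'a-z')" ]; then
    echo "PASS $2 = $got"
  else
    echo "FAIL $2 = ${got:-<unset>} (want $3)"; return 1
  fi
}

# check_max FILE DIRECTIVE MAX COMPILED_DEFAULT -> passes when the numeric value is <= MAX
check_max() {
  local got
  got=$(effective_value "$1" "$2"); got=${got:-$4}
  case $got in ''|*[!0-9]*) echo "FAIL $2 = $got (not a plain number)"; return 1 ;; esac
  if [ "$got" -le "$3" ]; then echo "PASS $2 = $got"; else echo "FAIL $2 = $got (want <= $3)"; return 1; fi
}

# audit_sshd_config FILE -> 0 if every check passes, 1 otherwise. Last column is the
# compiled-in default (DebianBanner is a Debian/Ubuntu patch, default yes).
audit_sshd_config() {
  local rc=0
  check_directive "$1" PermitRootLogin no prohibit-password || rc=1
  check_directive "$1" PermitEmptyPasswords no no            || rc=1
  check_directive "$1" HostbasedAuthentication no no         || rc=1
  check_directive "$1" IgnoreRhosts yes yes                  || rc=1
  check_directive "$1" X11Forwarding no no                   || rc=1
  check_directive "$1" LogLevel VERBOSE INFO                 || rc=1
  check_directive "$1" DebianBanner no yes                   || rc=1
  check_max       "$1" MaxAuthTries 3 6                      || rc=1
  check_max       "$1" LoginGraceTime 30 120                 || rc=1
  if [ -n "$(effective_value "$1" AllowUsers)" ]; then
    echo "PASS AllowUsers is set"
  else
    echo "FAIL AllowUsers unset: every local account may authenticate"; rc=1
  fi
  return $rc
}

# Constructed sample 1: the directives the walkthrough ends up with, plus a Match block.
HARDENED='Port 22
LogLevel VERBOSE
LoginGraceTime 30
PermitRootLogin no
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxStartups 2:30:10
#Banner /etc/issue.net
UsePAM yes
MaxAuthTries 3
DebianBanner no
AllowUsers test
Match Address 192.168.1.0/24
    PasswordAuthentication yes'

# Constructed sample 2: hardening pasted at the END of a file that still has the
# permissive lines near the top; sshd keeps the first values, so root login stays on.
APPENDED='Port 22
PermitRootLogin yes
X11Forwarding yes
# ...hardening appended later:
PermitRootLogin no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 30
LogLevel VERBOSE
DebianBanner no
AllowUsers test'

run_demo() {   # write both samples to a temp dir and audit them
  local d; d=$(mktemp -d) || return 2
  printf '%s\n' "$HARDENED" > "$d/sshd_config.hardened"
  printf '%s\n' "$APPENDED" > "$d/sshd_config.appended"
  echo "== hardened =="; audit_sshd_config "$d/sshd_config.hardened"
  echo "== appended =="; audit_sshd_config "$d/sshd_config.appended" || echo "(audit failed, as expected)"
  rm -rf "$d"
}
run_demo
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` after the edits, and cross-check with `sudo sshd -T | grep -i permitrootlogin`, which prints what the daemon itself resolved. The lesson of the second sample is the one that bites in practice: edit the existing directive in place (or delete it) rather than appending a second copy.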
 
This section is very optional - most of the tasks you might want to run day to day can be completely done via the shell over ssh - I'm adding this section as some folks might feel better with a full desktop - and there are advantages having this in some situations...

And to be honest - it's something that the embedded linux variants (*WRT) just can't do - but this will all work fine on a RaspPI2...

Code:
==== VNC server ====

Now that we have SSH going, we'll add a secure VNC connection endpoint - and we can scrub using an attached keyboard/mouse/monitor

Remote Desktop - tightvnc with xfce; xfce is a lightweight desktop environment. As an option, if one installed the Ubuntu Server edition, it's a good time to consider installing a desktop environment - I recommend xubuntu-desktop as it's lightweight enough, and very fast over a VNC connection.

Install XuBuntu-Desktop and Firefox

  sudo apt install xubuntu-desktop firefox

Install VNC

  sudo apt install xfce4 xfce4-goodies tightvncserver

To complete the VNC server's initial configuration after installation, use the vncserver command to set up a secure password.

  vncserver

**Configuring the VNC Server**

First, we need to tell our VNC server what commands to perform when it starts up. These commands are located in a configuration file called xstartup in the .vnc folder under your home directory. The startup script was created when you ran vncserver in the previous step, but we need to modify some of the commands for the Xfce desktop.

When VNC is first set up, it launches a default server instance on port 5901. This port is called a display port, and is referred to by VNC as :1. VNC can launch multiple instances on other display ports, like :2, :3, etc. When working with VNC servers, remember that :X is a display port that refers to 5900+X.

Because we are going to be changing how the VNC server is configured, we'll need to first stop the VNC server instance that is running on port 5901.

  vncserver -kill :1

The output should look like this, with a different PID:

  Output
  Killing Xtightvnc process ID 17648

Before we begin configuring the new xstartup file, let's back up the original.

  mv ~/.vnc/xstartup ~/.vnc/xstartup.bak

Now create a new xstartup file with nano or your favorite text editor.

  nano ~/.vnc/xstartup

Paste these commands into the file so that they are performed automatically whenever you start or restart the VNC server, then save and close the file.

  #!/bin/bash
  # load the user's X resources (if the file exists), then start the Xfce session
  [ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
  startxfce4 &

The first command in the file, xrdb $HOME/.Xresources, tells VNC's GUI framework to read the server user's .Xresources file. .Xresources is where a user can make changes to certain settings of the graphical desktop, like terminal colors, cursor themes, and font rendering. The second command simply tells the server to launch Xfce, which is where you will find all of the graphical software that you need to comfortably manage your server.

To ensure that the VNC server will be able to use this new startup file properly, we'll need to grant executable privileges to it.

  chmod +x ~/.vnc/xstartup

Now, restart the VNC server.

  vncserver

The server should be started with an output similar to this:
<code>
test@testbox:~$ vncserver

New 'X' desktop is testbox:1

Starting applications specified in /home/test/.vnc/xstartup
Log file is /home/test/.vnc/testbox:1.log
</code>

**Testing the VNC Desktop**

In this step, we'll test the connectivity of your VNC server.

Next, you may now use a VNC client to attempt a connection to the VNC server at testbox.local:5901 (or 192.168.1.6:5901) 

You'll be prompted to authenticate. The correct password to use is the one you set in the vncserver initial setup

Once you are connected, you should see the default Xfce desktop that was included as part of the TightVNC installation.



**Creating a VNC Service File**

Next, we'll set up the VNC server as a systemd service. This will make it possible to start, stop, and restart it as needed, like any other systemd service.

First, create a new unit file called /etc/systemd/system/vncserver@.service using your favorite text editor:

  sudo nano /etc/systemd/system/vncserver@.service

Copy and paste the following into it. Be sure to change the value of User and the username in the value of PIDFILE to match your username.

<code>
[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=test
PAMName=login
PIDFile=/home/test/.vnc/%H:%i.pid
# systemd does not run Exec lines through a shell, so no output redirection here;
# the leading '-' tells systemd to ignore a non-zero exit (no stale server to kill)
ExecStartPre=-/usr/bin/vncserver -kill :%i
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target
</code>

Save and close the file.

Next, make the system aware of the new unit file.

  sudo systemctl daemon-reload

Enable the unit file.

  sudo systemctl enable vncserver@1.service

Stop the current instance of the VNC server if it's still running.

  vncserver -kill :1

Then start it as you would start any other systemd service.

  sudo systemctl start vncserver@1

You can verify that it started with this command:

  sudo systemctl status vncserver@1

To save memory/cpu time, you can turn off the VNC server on the fly, and turn it on when you need it.

  sudo systemctl stop vncserver@1

=== Updating VNCServer Password ===
TightVNC uses its own password scheme as part of the install - to update it, use the **vncpasswd** command - it prefers passwords longer than 8 characters - as part of the big project that this is turning into, pwgen is pretty handy

Generate a good password - note, don't use any of the ones in this post 8-)

<code>
test@testbox:~$ pwgen 12
Aech6aeXupha Avughi7ohf9e vaep7Ahca7ja ueYier4co2Ah DaiGhahwe6Ji Ia9AhSielaey
</code>

Now update the vncpasswd

<code>
test@testbox:~$ vncpasswd
Using password file /home/test/.vnc/passwd
Password: 
Verify:  
Would you like to enter a view-only password (y/n)? n
</code>
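Once the service is up, the question a security engineer asks is what it is bound to. The following shell script is an added example, not from the post: it reads the table from `ss -ltnp` and classifies every listening TCP socket as local-only, intentionally public, or exposed on all interfaces. The sample `ss` output is constructed (the process names, PIDs and the extra mysqld line are made up for the demo), the function name is mine, and the list of ports you intend to expose (here only sshd on 22) is an argument you supply.

```shell
#!/bin/sh
# Added example, not from the original post: classify `ss -ltnp` listeners.
# A socket on 0.0.0.0, [::] or * accepts connections from every interface, so
# a VNC server bound that way is reachable by anyone on the LAN (RFB password
# only, no encryption); one bound to 127.0.0.1 is reachable only through an
# SSH tunnel. Exit status is 1 when a wildcard-bound port is not in ALLOW.
# Run as root so that -p can show the owning process of every socket.
# Usage: sudo ss -ltnp | exposed_listeners 22[,PORT...]

exposed_listeners() {
  awk -v allow="${1:-}" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") ok[a[i]] = 1 }
    NR == 1 { next }                                   # header row
    NF < 5  { next }
    {
      la = $4                                          # "Local Address:Port"
      n = split(la, p, ":"); port = p[n]               # port is after the last colon
      addr = substr(la, 1, length(la) - length(port) - 1)
      proc = "?"
      if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
      if (addr == "0.0.0.0" || addr == "[::]" || addr == "*" || addr == "") {
        state = (port in ok) ? "public (allowed)" : "EXPOSED on all interfaces"
      } else if (addr == "127.0.0.1" || addr == "[::1]") {
        state = "local-only"
      } else {
        state = "bound to " addr
      }
      if (state ~ /^EXPOSED/) bad++
      printf "%-10s %-6s %s\n", proc, port, state
    }
    END { exit ((bad > 0) ? 1 : 0) }
  '
}

# Constructed sample of what `ss -ltnp` might show on the box after the VNC
# steps above: sshd on 22, Xtightvnc serving RFB on 5901 and X11 on 6001 on
# every interface, and a loopback-only database listener for contrast.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       5       0.0.0.0:5901         0.0.0.0:*          users:(("Xtightvnc",pid=2310,fd=1))
LISTEN  0       5       0.0.0.0:6001         0.0.0.0:*          users:(("Xtightvnc",pid=2310,fd=2))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1407,fd=17))'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners 22 \
  || echo "unexpected listeners: start VNC with -localhost and reach it over an SSH tunnel"
```

The fix for the two EXPOSED lines is to add `-localhost` to the `vncserver` ExecStart in the unit file (tightvncserver then binds 5901 and 6001 to loopback only) and connect with `ssh -L 5901:localhost:5901 test@testbox.local`, pointing the VNC client at localhost:5901; that way the VNC session rides inside the SSH session you already hardened, instead of exposing an unencrypted, password-only protocol to the whole LAN.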
 
Do what? You don't have to read the thread.

SFX: It would be helpful if you stated the point of the project in your first post.

I probably should have - but it's becoming clear as the thread progresses...

What is my agenda? - well, basically I'm pretty offended by big stylish boxes that cost $400 plus with a hundred bucks of parts inside - when one can do just as much for far less...

By pulling aside the curtain - seeing what is Oz, people can build their own...

I used to do this stuff - designing routers and AP's and NAS boxes - it's not that hard... takes some patience and knowledge, and that's what I'm trying to impart here.

Once we build the Basics - one wants a router, they can do it, a NAS, they can do it, WebApp server, they can do it - it's all good...
 
Sfx,

A big thank you for sharing your knowledge and your effort of writing and publishing these excellent tutorials on how to set up and manage a linux server with security, network services, web functionality etc.

When you started this thread I had just installed Ubuntu in a VirtualBox VM with the purpose of learning some basic linux commands. I've learned a lot from studying and practicing your tutorials, some of them I've redone several times just to practice.

Also, thank you very much for all your kind help and willingness to answer questions from noobs like myself.

Kind regards,
Ole
 

Sfx,

I also appreciate the effort you have put into this thread. When I first started following it, it encouraged me to purchase a Raspberry Pi 3B just to see what the little box was capable of doing.

Well, I am totally amazed at its performance thus far!

The tutorial has been a great wealth of information that I have now stored in one place via dokuwiki. Something I previously knew nothing about.

Many Thanks
 
When you started this thread I had just installed Ubuntu in a VirtualBox VM with the purpose of learning some basic linux commands. I've learned a lot from studying and practicing your tutorials, some of them I've redone several times just to practice.

VM's are a great way to set up a platform to learn - the ability to make snapshot images and roll back if a change goes awry is something that even big enterprise level providers do all the time... hence the explosion of low and high level virtualization techniques like Xen, KVM, LXC, Docker, etc...

Just for kicks - one can bring up Xen in a VirtualBox or VMWare desktop machine, install Linux on it as a guest OS, once the Linux is up, bring up a KVM image inside it, install another guest Linux image, and then install LXC and Docker inside that...

So one would have a nested stack...

Docker Containers
LXC
KVM Machine
XenGuest <kvm>
Xen Hypervisor
Hardware...

And network everything via the virtual switch, which allows you to create different VLANs and routes, etc.. and then for storage you can virtualize that as well..
 

[Attachments: KVM_architecture-.png, Docker_architecture-1-1.png]
Will all the how-to's reappear in this thread or will they be accessible from another location?

Once they're all complete - I'll probably pull the works in progress and post the 'final' versions -

Like Linux however, this is dynamic content, and I'm looking into ways that I can host a community DokuWiki so that others can contribute and collaborate.
 
Like Linux however, this is dynamic content, and I'm looking into ways that I can host a community DokuWiki so that others can contribute and collaborate.

Depends on how much interest there is, and whether a justification can be built around it. The original intent was to drive page views back into Smallnetbuilder.com and snbforums.com - my small way of contributing to the site...

(quick note - if folks are ad-blocking the main site or forums, please whitelist - those ad's help keep the lights on for all of us that have the site in their 'favorites' list)
 
Latest TOC for DokuWiki folks

Code:
===== SNB Basics =====

  * [[SNB Basics - Learning by Doing]]
    * [[SNB Basics - Front Matter]]
    * [[SNB Basics - HW and SW Recommendations]]
    * [[SNB Basics - Linux Install]]
    * [[SNB Basics - Managing Users]]
    * [[SNB Basics - Network Management]]
    * [[SNB Basics - Network Services]]
    * [[SNB Basics - Remote Access]]
    * [[SNB Basics - Postfix SMTP Agent]]
    * [[SNB Basics - LAMP Server Install]]
    * [[SNB Basics - WebApps]]
    * [[SNB Basics - Network Monitoring]]
    * [[SNB Basics - Monitoring]]
    * [[SNB Basics - Storage]]
    * [[SNB Basics - Simple NAS Server]]
    * [[SNB Basics - Security]]
    * [[SNB Basics - Security Extras]]
    * [[SNB Basics - Extras]]
 
HW/SW Recommendations Section

Code:
====== Hardware/Software Recommendations ======

The makes/models of HW are not hard requirements - just the memory and storage are

The Software recommendation - Ubuntu was chosen due to feature set, long term support, and the large 3rd party community that uses and supports it.

===== Hardware Recommendations =====

**Required - i386/ARMv7**

1GB RAM, 16GB local storage

**Preferred - x86_64**

2GB RAM, 32GB Local storage

**Virtualization**

Everything should work fine with VirtualBox, VMWare's Fusion/VMWare Workstation, and Parallels Desktop.

Several sections were tested with VMWare Fusion and VMWare Workstation.

HyperV from Microsoft (part of Windows Pro 8 and 10) should work, as would other low level hypervisors such as ESXi, Xen, KVM/QEMU, and perhaps even in a Docker container - supporting these is outside of the scope of this document.

===== Software Recommendations =====

**Minimum:**

Debian Jessie (8.*), Raspbian, Ubuntu Desktop 16.04LTS

**Recommended**

Ubuntu 16.04LTS - support for ARMv7 (RaspPI for UbuntuMATE), Ubuntu Server 16.04LTS

**Why Ubuntu?**

16.04 brings us a modern kernel (4.4), along with updates across the board - including newer technologies like Docker/LXD for containers, and a full set of management tools that range from the older tried and true, to the newer replacements.

16.04LTS is a Long Term Release - which means that Canonical has pledged support for 5 years for security updates.

I've carefully chosen a set of applications that are well supported, generally best in their class, and are fairly easy to set up and maintain.

**A quick note about Raspberry PI** - the PI 2 is one of the candidate HW choices, and there are two main distributions - Raspbian and Ubuntu 16.04 Mate Desktop for Raspberry PI 2 and 3. Raspbian should work fine for all steps, however, some of the packages may not be present, or named differently. The MATE for RPi2/3 is built specifically for the ARMv7 Cortex-A7 chip in the Pi 2, and generally performs a bit better than the ARMv6 code in the Raspbian distro.

Ubuntu MATE on the Pi 2 is what ultimately made the decision easy. 

Everything we cover below will run fine on a Pi 2 with MATE installed.

===== Additional SW Recommendations =====

While not required - most sysadmins need three basic programs

A good text editor, a good terminal app, and Wireshark

**Windows**

  * Notepad++ - Windows text editor and replacement for Notepad - works correctly with Unix and Mac text documents, and very powerful set of tools to work with
  * Putty for Windows - popular SSH client
  * MobaXterm - SSH/VNC client for Windows, not as well known, but it's very highly recommended
  * TightVNC - Windows VNC client - www.tightvnc.org
  * uNetBootin - Windows/Mac/Linux ISO to USB Drive writer - see more at the uNetBootin site

**Mac**

  * TextWrangler - Mac Text Editor - free version of BBEdit, quite possibly the best text editor in the world

**Packet Debug**

  * Wireshark - win/mac/linux
 
front matter - this is general stuff one finds at the front of a document - as this is how it was originally intended, and kind of grew from there

Code:
===== Foreword =====
Networking is a mind-set, and Linux is a philosophy - as we go down this path, we go thru stages - from curious to the enthusiast, and then to the hobbyist or professional as a day to day job - we go thru our challenges, and at some point, we raise up to a point where we can contribute even more - and then we're at the end - but the end is not the end, but an opportunity to reflect and teach others.

One of my favorite books is Musashi's Book of Five Rings - The lessons that are taught, and the parables, these are opportunities to learn and grow...

  - The Book of Earth - serves as an introduction, and metaphorically discusses martial arts, leadership, and training as building a house.
  - The Book of Water - It describes some basic technique and fundamental principles.
  - The Book of Fire - refers to the heat of battle, and discusses matters such as different types of timing.
  - The Book of Wind - is something of a pun, since the Japanese character can mean both "wind" and "style" (e.g., of martial arts). It discusses what Musashi considers to be the failings of various contemporary schools of sword fighting.
  - The Book of the Void - short epilogue, describing, in more esoteric terms, Musashi's probably Zen-influenced thoughts on consciousness and the correct mindset.

It's a great read and a good metaphor - in many ways reflects how we learn and grow in our chosen fields/professions.

For more info on Five Rings see below

https://en.wikipedia.org/wiki/The_Book_of_Five_Rings

===== Abstract =====

Most of Linux is like a swiss army knife, it can do just about anything. The trick to mastering Linux is to have the ability to ignore 99% of the options and to focus on the task at hand. 

**Purpose**

The purpose here is to share some knowledge and make something useful for your small network - and the learning by doing concept transfers skills that you may be able to use in your career.

**Audience**

Technically interested people that perhaps want to learn more about Linux, and how Linux is applied to the various parts and components of your network.

As long as you are handy with a keyboard, and have an interest to learn and even to share, you're part of the intended audience.


===== Attributions =====

This is distilled from 15 years worth of notes I've collected that I would consider "best practices" - about 60 percent of the content below is my direct writing, and I've heavily edited the rest from vendor documents, various how-to's, and message threads from the USENET to Mailing Lists to Web Forum posts.

===== Thanks and Dedications =====

I want to thank the community here at SmallNetworkBuilder.com - I've learned much from you, and this is an opportunity to share back.

To the entire FOSS community - this would not be possible without your ongoing contributions - thank you!


===== Conventions =====

These items are used to facilitate documentation - it is assumed that in an individual installation, the items below will be custom to that installation.

<code>
Admin User (not root): test
Hostname: testbox
Hostname FQDN: testbox.local
Host IP: 192.168.1.6
Network: 192.168.1.0/24

mysqladmin: test
smbadmin: test

email: gmailuser@gmail.com <-- for postfix and some alerting
passwords: when indicated, and this is only for example use - getaccess
</code>

//GMAIL note - there are sections where email is needed - GMAIL works well, it's tested, and the instructions in this series will be focused on that service - you may use a primary GMail account if you wish, or my recommendation is to set up a dedicated GMAIL account specific to monitor your SNB Basics Server.//
 
Linux install tips

Code:
====== Install Linux ======


===== Install Linux =====

Prepare the installer - Ubuntu, on their download page, includes instructions on how to create a DVD or USB thumbdrive on their download page for Windows, Linux, and Mac

Prepare the Computer - if your board is UEFI based (many are these days), make sure to disable "Secure Boot", while leaving UEFI enabled - Having Secure Boot enabled will generally result in a failed installation - the Ubuntu Server installer will lock up on the initial select language screen (good sign that Secure Boot is still enabled). Set the appropriate disk in the Start Up portion of UEFI setup, check the vendor's documentation.

Note - always best to have a wired connection for installation - wireless might work, but many times I've seen it not work.

Some notes on the installer;

Disks and LVM - LVM is not required (it's a check box option to select), and I would recommend not using that option for the boot disk - LVM is a great storage manager, and we'll cover that in the storage section on how to use it.

Server Install specific note - you'll get to a screen in the installer that asks what software packages would you like to install - select the standard package and openssh-server, forgo the web/samba/postgres, mail, etc - we'll add them in one at a time, and keep the installation focused.

===== Post Install =====

Now that we've completed the installation of linux, there's a few packages that are optional, but highly recommended - I find them useful, and I install them on every box I build.

  sudo apt install build-essential aptitude git htop sysstat pwgen nano unzip zip

  * build-essential - basic compiler/build environment
  * aptitude - extension of APT, the debian package manager
  * git - source code manager
  * htop - extended process manager
  * sysstat - metapack with many useful system statistics tools
  * pwgen - password generator - makes sound/secure passwords of different lengths
  * nano - oddly enough, some distro's don't come with this, I'm using it for this doc as it's easy to master - normally I use VIM, and let's not engage in that EMACS is better.


Might as well get the CPAN going, and install a couple of Perl modules - when CPAN is initially started, it wants to be configured - let it autoconfigure for now...

  sudo cpan

<code>
  CPAN.pm requires configuration, but most of it can be done automatically.
  If you answer 'no' below, you will enter an interactive dialog for each
  configuration option instead.

  Would you like to configure as much as possible automatically? [yes]
</code>

type quit once you get to the main CPAN prompt, and you'll be back on the terminal shell

You can go deep into CPAN, but generally, auto configuration just works...

More about the CPAN here - http://learnperl.scratchcomputing.com/tutorials/configuration/

Once the CPAN is configured - install the following two modules for now. They'll be useful later in this doc...

  sudo perl -MCPAN -e 'install Sys::CPU' 
  sudo perl -MCPAN -e 'install Sys::MemInfo'
 
After all that data dump...

I'm at a bit of an impasse... now that we have a fully functional battle station - erm, Basics Server

1) Storage Basics - and how to recreate a NAS box - this is 98 percent done, but it goes deep, and it's a huge section

2) Routing and how to build a Router - including network ninja examples regarding virtual interfaces/etc...

3) Virtualization - we can talk about Xen/KVM-QEMU and LXC/Docker stuff - this will likely not be about Pi2/Pi3

4) Cacti - which is a PITA - it's a bit more than apt-get install cacti - not an easy platform, but very useful - kick me in the pants, and I'll likely do it...

What do you want to learn about next? And the other question - what is important here to you?

thx

sfx
 
Storage Section Part One - Intro

Code:
====== Storage Basics ======

Once we have the SNB Basics server set up, it's relatively easy to set up some additional storage for your small network - while this is a long section, if followed thru, you will have a fairly decent NAS to work with - and one much more flexible and useful than many off the shelf consumer grade Router/AP's.

The LVM section - This is what many commercial NAS vendors use - they hide it perhaps behind a nice GUI, but we'll dive deep into how things work inside and behind the curtain.

The Simple NAS is a walk-thru on how to set up a basic Samba Server to extend filesharing to your small network.

**WARNING - everything in this section has the ability to completely and utterly destroy data**

**All sections here assume that you have sudo access, and I strongly recommend that you do this on the local machine in a single terminal window -- you may want to print this section out, review, and before taking any actions - backup and take very careful notes**
 
Storage Section Part Two - Mounts

Code:
===== Filesystems and Mounts =====

Directories in the mounted filesystems are abstract - what you see when you list a directory is a visual representation of where the OS sees it - but that directory might be on the same disk, another disk, on a big Storage Attached Network filer in the same data center, or a thousand miles away on a completely different server.

A handy tool for finding out where a directory is mounted is findmnt, for example

<code>
test@testbox:~$ findmnt --target /tmp
TARGET SOURCE    FSTYPE OPTIONS
/      /dev/sda2 ext4   rw,relatime,errors=remount-ro,data=ordered
</code>

So as you can see, right now /tmp is on /dev/sda2, using the EXT4 filesystem, and some additional parameters.

Knowing this, we can easily move things around - let's move /tmp over to the RAM filesystem, as this is a common tweak that many admins do for a bit of a performance boost

Keep in mind that the Temporary File System (tmpfs) is in RAM, things here are not persistent, and will go away on a reboot.. so don't keep anything important in there

**Move /tmp from disk to tmpfs (RAM)**

As a first step - let's move /tmp to the temporary file system (aka tmpfs)

  sudo nano /etc/fstab

add just the tmpfs line below - the syntax here is important - leave the other lines alone for now

<code>
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
tmpfs      /tmp            tmpfs        defaults           0    0
</code>

reboot the machine, and then look at the mounts...should look similar to this

<code>
test@testbox:~$ df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            897M     0  897M   0% /dev
tmpfs           184M  5.8M  178M   4% /run
/dev/sda2       456G  2.2G  431G   1% /
tmpfs           916M     0  916M   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           916M     0  916M   0% /sys/fs/cgroup
tmpfs           916M     0  916M   0% /tmp
/dev/sda1       511M  3.6M  508M   1% /boot/efi
tmpfs           184M     0  184M   0% /run/user/1000
</code>

Now run findmnt again, and see that it moved

<code>
test@testbox:~$ findmnt --target /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp   tmpfs  tmpfs  rw,relatime
</code>

Now the File System Table - the fstab - tells the kernel where to expect to find things - it implies that anything underneath a mount is on the same filesystem - so the main mount for the machine above is on /dev/sda2 and it's represented as the root directory "/" - by us explicitly setting it in the fstab, /tmp is now in tmpfs, and the kernel will look there instead.

Item entries in the fstab are persistent - immutable, so you typically won't see things that can be plugged in/out like a thumb drive, as if it is not there on reboot, the kernel tends to get pretty upset - sometimes even to the point of a kernel panic (the linux equivalent of the Blue Screen of Death).

Those thumbdrives are usually kept over in /mnt, and the hotplug daemon will see that the drive is inserted, and mount it there on a temporary basis until it's ejected.

Now we don't have to hard code a mount - we can do this on the fly by using the mount command -

  sudo mount /sourcelocation /targetlocation

And then to make that mount go away (step lightly here)

  sudo umount /targetlocation

When in doubt - use the findmnt tool like we discussed above before unmounting a directory

Make a couple of directories now - as they'll come in handy for the next couple of sections

First check to see if there is already something there - 

<code>
test@testbox:~$ ls /var/share
ls: cannot access '/var/share': No such file or directory
test@testbox:~$ ls /var/media
ls: cannot access '/var/media': No such file or directory
</code>

Now we can make those directories

  sudo mkdir /var/share /var/media

and findmnt will now show 

<code>
test@testbox:~$ findmnt --target /var/share
TARGET SOURCE    FSTYPE OPTIONS
/      /dev/sda2 ext4   rw,relatime,errors=remount-ro,data=ordered
test@testbox:~$ findmnt --target /var/media
TARGET SOURCE    FSTYPE OPTIONS
/      /dev/sda2 ext4   rw,relatime,errors=remount-ro,data=ordered
</code>
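An added worked example for the fstab/tmpfs steps above - this is not part of sfx's tutorial or the SNB Basics wiki, just a small POSIX sh helper that does the fstab edit in a checkable way. It parses an fstab (a constructed sample, modelled on the one in the post), tells you whether a tmpfs entry for /tmp is already there, appends one if not, and verifies the result with findmnt the same way the post does. The appended line differs from the post's `defaults` line in one respect: it adds the `nosuid,nodev,noexec` options and a `size=` cap, which is the usual hardening for a RAM-backed /tmp (no setuid binaries or device nodes on a world-writable filesystem, and a ceiling so a runaway process can't eat all of RAM). The function names and the 1G size are my own choices, not anything from the tutorial.

```shell
#!/bin/sh
# Added example (not from the SNB Basics tutorial): manage the /tmp tmpfs
# entry in an fstab file and verify the live mount. Every function takes the
# fstab path as $1 so it can be run against a scratch copy first.

# Return 0 if FILE has an active (non-comment) tmpfs entry for /tmp.
fstab_has_tmpfs_tmp() {
    awk '$1 !~ /^#/ && $2 == "/tmp" && $3 == "tmpfs" { found = 1 }
         END { exit !found }' "$1"
}

# Print the mount options (4th fstab field) of the /tmp entry in FILE.
fstab_tmp_options() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { print $4; exit }' "$1"
}

# Return 0 if the /tmp entry carries nosuid, nodev and noexec.
fstab_tmp_hardened() {
    opts=$(fstab_tmp_options "$1")
    for want in nosuid nodev noexec; do
        case ",$opts," in
            *,"$want",*) ;;          # option present, keep checking
            *) return 1 ;;           # missing -> not hardened
        esac
    done
    return 0
}

# Append a hardened /tmp tmpfs line unless an entry already exists.
# Field order per fstab(5): fs, mountpoint, type, options, dump, pass.
# The 1G cap is an assumed value; size it for the box in question.
fstab_add_tmpfs_tmp() {
    if fstab_has_tmpfs_tmp "$1"; then
        return 0                     # idempotent: never add a duplicate
    fi
    printf 'tmpfs\t/tmp\ttmpfs\tdefaults,nosuid,nodev,noexec,size=1G\t0\t0\n' >> "$1"
}

# Live check, same idea as "findmnt --target /tmp" in the post: after a
# reboot, /tmp should report FSTYPE tmpfs. Only meaningful on a real box.
tmp_is_tmpfs() {
    [ "$(findmnt -n -o FSTYPE --target /tmp 2>/dev/null)" = "tmpfs" ]
}

# --- demo on a constructed sample fstab (not a real system file) ---------
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
UUID=00000000-0000-0000-0000-000000000000 /         ext4  errors=remount-ro  0  1
UUID=0000-0000                            /boot/efi vfat  umask=0077         0  1
EOF

if fstab_has_tmpfs_tmp "$SAMPLE_FSTAB"; then
    echo "sample already has a tmpfs /tmp entry"
else
    echo "sample has no tmpfs /tmp entry, adding one"
    fstab_add_tmpfs_tmp "$SAMPLE_FSTAB"
fi
echo "resulting /tmp options: $(fstab_tmp_options "$SAMPLE_FSTAB")"
fstab_tmp_hardened "$SAMPLE_FSTAB" && echo "entry is hardened (nosuid,nodev,noexec)"
if tmp_is_tmpfs; then echo "live /tmp is on tmpfs"; else echo "live /tmp is not on tmpfs (expected before a reboot)"; fi
rm -f "$SAMPLE_FSTAB"
```

On a real box you would back up /etc/fstab first, run `fstab_add_tmpfs_tmp /etc/fstab` under sudo, reboot, and then use `tmp_is_tmpfs` (or `findmnt --target /tmp` as in the post) to confirm the move. One caveat with `noexec`: the occasional installer or build script wants to run something out of /tmp and will fail under it, so if you hit that, drop `noexec` and keep `nosuid,nodev`.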
 