====== Network Services ======
Below are a few services that are useful and may not be included as part of the default Ubuntu install (Desktop or Server)
===== Avahi =====
What is Avahi - it's multicast DNS and service discovery - while invented by Apple, it's been adopted across multiple platforms - hint, if you're on Windows - install iTunes, and you can play along as well. iTunes for Windows includes a full mDNS stack - Win10 has a partial implementation, but is sort of broken, so again install iTunes - Macs all have it, Androids use it, and many printers and set-top boxes also take advantage of it.
Few people know how much useful avahi could be. You can forget to run ifconfig on the target machines/devices to know the IP, you don’t need a static IP anymore for those…
Installing avahi is quite simple - the client on Ubuntu Desktop is usually installed, but for our small server, we need to install the avahi-daemon and avahi-utils packages.
sudo apt install avahi-daemon avahi-utils
After that you can reach that machine over the net using its new domain name.
ping testbox.local
One can also do network discovery - might be surprised at how many devices support zerocong/msDNS
test@testbox:~$ avahi-browse -at
You might also consider running avahi-browse-domain utility:
test@testbox:~$ avahi-browse-domains -at
Avahi is useful enough that this series is dependent upon it for many of the examples and configurations - so it is a pre-requistie item.
//Editors note - Avahi, like NetworkManger, systemd, and LVM - these are newer technologies that actually make life easier for Linux users - both in the server as well as desktop environments - change is inevitable... this series will meet them head-on and make use of them - there are many benefits for the SmallNetwork SNB Basics admin and their users//
===== NTP =====
Time is the school in which we learn,\\
Time is the fire in which we burn.
-- Delmore Schwartz
Time is incredibly important when tracking performance, so we need to have a solid baseline for current time.
**Install NTP**
sudo apt install ntp
Not much to do here, except enable logging, and set up the servers...
sudo nano /etc/ntp.conf
Uncomment the stats...
# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/
Optional - Update/modify the servers - in 16.04, the default pack has pools, not servers, so it's a choice, both are good.
# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org
# Use Ubuntu's ntp server as a fallback.
server ntp.ubuntu.com
And save the file, restart/kick ntp...
sudo service ntp restart
you can check status by;
$ ntpq -p
Should see something similar to
$ ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
repos.lax-noc.c 127.67.113.92 2 u 1 64 1 19.803 -0.605 1.258
blue.1e400.net 173.66.221.127 2 u - 64 1 85.346 -0.744 0.581
hydrogen.consta 200.98.196.212 2 u 1 64 1 154.068 -32.902 16.849
*time-a.timefreq .ACTS. 1 u 1 64 1 75.428 2.214 1.264
2001:67c:1560:8 193.79.237.14 2 u 7 64 1 173.743 10.322 0.000
===== SNMP =====
NOTE - this section is dropped here and will be added to another upcoming section - please update any local copies====== Network Management ======
Now is a good time to set a persistent and constant IP for your server - DHCP has been good enough, but as we start pouring in more services, it's good to get this done now.
Note - this was supposed to be pretty quick, but then... the brave new way of doing things stepped in.
Setting a static IP is not the same as setting a DHCP reservation in your Router/AP - so choose an IP that is within your range, but outside of your DHCP server scope.
For purposes here - we're working in the 192.168.1.0/24 space, so we have the 192.168.1.0 thru 192.168.1.254 range to work with - most Router/AP's will start a DHCP scope ranging from 192.168.1.100-150, or 192.168.1.2 thru whatever - check with the vendor on how to limit the DHCP scope for those devices.
** Discover Interfaces **
To quickly identify all available Ethernet interfaces, you can use the ifconfig command as shown below.
sudo ifconfig -a | grep inet*
You will see a response similar to below
<code>
test@testbox:~$ sudo ifconfig
enp1s0 Link encap:Ethernet HWaddr 44:8a:5b:35:21:c1
inet addr:192.168.1.122 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::468a:5bff:fe35:21c1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
snip...
</code>
Used to be easy, we could just see eth0 as the primary, and eth1 (n+1) as secondaries - not so much any more with UEFI and other advances...
Old-school...
eth0 Link encap:Ethernet HWaddr 74:e6:e2:11:22:33
New school... with a wink towards to old-school - see how things change
<code>
$ ifconfig -a
enp1s0 Link encap:Ethernet HWaddr 74:e6:e2:11:22:33
inet addr:192.168.1.122 Bcast:192.168.1.255 Mask:255.255.255.0
</code>
enp1s0 is the gigabit wired adapter (if you're really clever, you can chase down the OUI's on the MAC addresses, lol...)
So now that we know where the interfaces are, let's bind an interface to an address.
** Network Manager - the modern way of managing interfaces **
Editing the network configuration in a data center view, we've got tools to do this automatically on the install, but here, we're working with a single instance, and we don't need/have those tools available. Network Manager helps here, as we can do it on a single line command without having to call sed and write up a complication regex - now that the cloud is here, NM is really a better way.
Now knowing that we have a working DHCP config, and have already downloaded/installed packages - let's get the Network-Manger, and configure things from the CLI...
NOTE - before installing network manager, need to make a small change to a network configuration file, otherwise apt will complain - no worry here, as one we install and reboot, network manager will capture and manage the interfaces
sudo nano /etc/network/interfaces
Comment out the current interfaces - should look similar to below; be sure to leave the source and loopback sections as they are, just the ethernet, and perhaps if installed, the wireless interface
It should look similar to this when you are done:
<code>
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
#auto enp1s0
#iface enp1s0 inet dhcp
# This is an autoconfigured IPv6 interface
#iface enp1s0 inet6 auto
</code>
save the file, and now we install network-manager
sudo apt install network-manager
And reboot - ... and cross fingers ;)
(keep a keyboard/monitor handy, just in case)
With NetworkManger - all the connection configuration files will be stored here.
/etc/NetworkManager
/etc/NetworkManager/system-connections
Since we've already installed avahi, and NetworkManager, by default, is DHCP, the server should come back after the reboot...
** Network Manager CLI **
Again, we're in the new world of UEFI, Systemd, ipv6, etc and some things are a bit different, but...
Drive around a little bit - notice the device enumerations - they're still a bit consistent, perhaps a bit more - e.g. e is for ethernet, w is for wireless..
$ nmcli device status
DEVICE TYPE STATE CONNECTION
enp1s0 ethernet connected Wired connection 1
wlp2s0 wifi disconnected --
lo loopback unmanaged --
and even better... if you have a WiFi adapter installed on the server - can tickle this directly from nm...
<code>
$ nmcli dev wifi list
SSID MODE CHAN RATE SIGNAL BARS SECURITY
MYSSID Infra 11 54 Mbit/s 100 ▂▄▆█ WPA2
MYSSID Infra 132 54 Mbit/s 100 ▂▄▆█ WPA2
SOMEOTHERSSID Infra 52 54 Mbit/s 49 ▂▄__ WPA2
MYSSID Infra 149 54 Mbit/s 45 ▂▄__ WPA2
MYSSID Infra 11 54 Mbit/s 42 ▂▄__ WPA2
SOMEOTHERSSID Infra 1 54 Mbit/s 27 ▂___ WPA2
</code>
Cool, eh?
Now to set up a static IP address - the semantics here are pretty easy to follow - here's a template;
nmcli connection add type ethernet con-name connection-name ifname interface-name ip4 address gw4 address
So as an example
$ sudo nmcli con add type ethernet con-name homenet ifname enp1s0 ip4 192.168.1.6/24 gw4 192.168.1.1
and after a reboot - we get this...
<code>
test@testbox:~$ sudo nmcli con add type ethernet con-name homenet ifname enp1s0 ip4 192.168.1.6/24 gw4 192.168.1.1
[sudo] password for test:
Connection 'homenet' (6542f1df-76b2-4bdd-80e5-d38739947bc0) successfully added.
</code>
$ ifconfig
enp1s0 Link encap:Ethernet HWaddr 74:e6:e2:11:22:33
inet addr:192.168.1.5 Bcast:192.168.1.255 Mask:255.255.255.0
And then we can add some DNS servers - using google's public dns here
$ sudo nmcli con mod homenet ipv4.dns "8.8.8.8 8.8.4.4"
NetWorkManager, for many on the desktop world, has been a source of pain/disgust, but if you give it a chance, it's a very powerful solution - with a bit of a learning curve - the brave new world... change is never easy, but if you make it thru this one, you'll be set for the future.
Since we're on a server, and wired up, we may not need WiFi at the moment - this works nicely for laptops as well, if you're hardcore and run linux all the time there (which many actually do in the circle I run with)
sudo nmcli radio wifi off
And we can confirm by going back to nmcli and asking device status
<code>
$ nmcli dev status
DEVICE TYPE STATE CONNECTION
enp1s0 ethernet connected homenet
wlp2s0 wifi unavailable --
lo loopback unmanaged --
</code>
to turn wifi back on
sudo nmcli radio wifi on
Good quote comes to mind - "wax on/wax off" - miyagi-san
TIP - might also consider nmtui - I know it's not fair, but better to get the hard stuff first off
<code>
┌───────────────────────────┤ Edit Connection ├───────────────────────────┐
│ ↑│
│ Profile name homenet_________________________________ ▮│
│ Device enp1s0 (44:8A:5B:35:21:C1)______________ ▒│
│ ▒│
│ ═ ETHERNET <Show> ▒│
│ ▒│
│ ╤ IPv4 CONFIGURATION <Manual> <Hide> ▒│
│ │ Addresses 192.168.1.6/24___________ <Remove> ▒│
│ │ <Add...> ▒│
│ │ Gateway 192.168.1.1______________ ▒│
│ │ DNS servers 8.8.8.8__________________ <Remove> ▒│
│ │ 8.8.4.4__________________ <Remove> ▒│
│ │ <Add...> ▒│
│ │ Search domains <Add...> ▒│
│ │ ▒│
│ │ Routing (No custom routes) <Edit...> ▒│
│ │ [ ] Never use this network for default route ▒│
│ │ [ ] Ignore automatically obtained routes ▒│
│ │ ▒│
│ ↓│
└─────────────────────────────────────────────────────────────────────────┘
</code>
(bask in the ANSI glory, it's back to 1983)
nm is the next gen, and it's very powerful - we've only touched on a couple of the capabilities here.
Good reference here - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Using_the_NetworkManager_Command_Line_Tool_nmcli.html===== Conventions =====
These items are used to facilitate documentation - it is assumed that in a individual installation, that the items below will be custom to that installation.
<code>
Admin User (not root): test
Hostname: testbox
Hostname FQDN: testbox.local
Host IP: 192.168.1.6
Network: 192.168.1.0/24
mysqladmin: test
smbadmin: test
email: gmailuser@gmail.com <-- for postfix and some alerting
passwords: when indicated, and this is only for example use - getaccess
</code>
//GMAIL note - there are sections where email is needed - GMAIL works well, it's tested, and the instructions in this series will be focused on that service - you may use a primary GMail account if you wish, or my recommendation is to set up a dedicated GMAIL account specific to monitor your SNB Basics Server.//==== SSH Server ====
Let's sort ssh - we have lots of space, so let's use OpenSSH vs Dropbear
//**Comment** - Dropbear, like BusyBox, is awesome software, and great for an small footprint (mem/storage) environment - they're safe and secure to use, but in this walkthru, we have a full linux install, and there are better tools to use//.
=== Install OpenSSH Server ===
sudo apt install openssh-server
ssh back into the box
ssh test@192.168.1.6
or try if you have installed avahi-daemon as noted above
ssh test@testbox.local
Note - most of the defaults are fine, so we'll hit the high points to improve security
edit the /etc/ssh/sshd_config - save a copy first -
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
and then
sudo nano /etc/ssh/sshd_config
edit/change the following:
<code>
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
# LogLevel INFO
LogLevel VERBOSE
# Authentication:
# LoginGraceTime 120
LoginGraceTime 30
# PermitRootLogin prohibit-password
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# X11Forwarding yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
MaxStartups 2:30:10
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
MaxAuthTries 3
DebianBanner no
AllowUsers test
</code>
In summary, the lines we changed are below;
LogLevel VERBOSE
LoginGraceTime 30
PermitRootLogin no
X11Forwarding no
MaxStartups 2:30:10
Add this line - this is for additional security - if the AllowUsers directive is used, then only user accounts that follow will be allowed to authenticate, others, even if they have an account on the system, will not be allowed - this is whether passwords are used or keyfiles.
AllowUsers test
We set this directive to reduce information leakage - the bundled package includes a banner that identifies the operating system in use, we remove that by telling OpenSSH to not show it
DebianBanner no
Along with the MaxStartUps directive above, we add this as well, this effectively rate limits the OpenSSH daemon, used in conjunction with LoginGraceTime, it does help with brute force attacks - In the UFW section, we discuss additional steps to further lock things down
MaxAuthTries 3
Save changes - restart ssh keep current session open
sudo service ssh restart
Try to login to the ssh server again - should work, if not, check your edits...
=== SSH Hardening for Security ===
We've already done the two best steps - Disabling the Root Login, and the Access Users directive. These two items will block every connect attempt - I've had an SSH server sitting in my home network forwarded out to the public internet for many years, with thousands of attempts a week, and no compromises.
The absolute very best way to secure SSH is to use public/private key based logins. The downside is that keybased logins do incur a bit more effort to set up on the server side, and if one works with many clients, there's the overhead of managing all those key files across the client machines.
//**Comment** - Public/Private Keys by themselves do not offer more security, however they do offer more 'trust' which is just as important - I use them at work, and I think they're a good idea - I'm just not in a position to answer 1000 questions on certificates, key management, client configurations - when username/passphrase (the PW isn't sent in the clear, btw) is sufficient for most folks - the best security is simple security, things break when more steps are added.//
If you want to set up Public/Private Keys for OpenSSH, see the excellent reference on Ubuntu's wiki, the steps there apply pretty much to any linux based OpenSSH server.
**Changing SSHD Ports**
I'm only adding this as folks will say - How to change the sshd port?
Changing ports is not always a good idea, as it's security thru obscurity, which is no security at all as the robots will always find a way.
I've seen posts on the forums where folks are unwisely using port 80 and/or port 443 - without understand the issues with those ports and processes that run as root, or owned by root - bad idea.
If you __must__ change the SSH port keep in mind that port numbers below 1024 are privileged ports that can only be opened by root or processes running as root.
So pick always port above that - used to be that above TCP port 8000 was good, but many apps are starting to use them.
If you change the SSH port also open the new port you have chosen on the firewall and close port 22.
sudo vi /etc/ssh/sshd_config
Change or add the following line and save. Again, consider above before doing this.
Port <ENTER YOUR DESIRED PORT>
Restart SSH server:
sudo service ssh restart
If you get locked out, you know why.
OpenSSH is very secure if done right.==== VNC server ====
Now that we have SSH going, we'll add a secure VNC connection endpoint - and we can scrub using an attached keyboard/mouse/monitor
Remote Desktop - tightvnc with xfce, xfce is a lighteight desktop environment - as an option, if one installed Ubuntu Server addition, it's a good time to consider installing a desktop environment - I recommend Xubuntu-Desktop as it's lightweight enough, and very fast over a VNC connection.
Install XuBuntu-Desktop and Firefox
sudo apt install xubuntu-desktop firefox
Install VNC
sudo apt install xfce4 xfce4-goodies tightvncserver
To complete the VNC server's initial configuration after installation, use the vncserver command to set up a secure password.
vncserver
**Configuring the VNC Server**
First, we need to tell our VNC server what commands to perform when it starts up. These commands are located in a configuration file called xstartup in the .vnc folder under your home directory. The startup script was created when you ran the vncserver in the previous step, but we need modify some of the commands for the Xfce desktop.
When VNC is first set up, it launches a default server instance on port 5901. This port is called a display port, and is referred to by VNC as :1. VNC can launch multiple instances on other display ports, like :2, :3, etc. When working with VNC servers, remember that :X is a display port that refers to 5900+X.
Because we are going to be changing how the VNC server is configured, we'll need to first stop the VNC server instance that is running on port 5901.
vncserver -kill :1
The output should look like this, with a different PID:
Output
Killing Xtightvnc process ID 17648
Before we begin configuring the new xstartup file, let's back up the original.
sudo mv ~/.vnc/xstartup ~/.vnc/xstartup.bak
Now create a new xstartup file with nano or your favorite text editor.
sudo nano ~/.vnc/xstartup
Paste these commands into the file so that they are performed automatically whenever you start or restart the VNC server, then save and close the file.
#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &
The first command in the file, xrdb $HOME/.Xresources, tells VNC's GUI framework to read the server user's .Xresources file. .Xresources is where a user can make changes to certain settings of the graphical desktop, like terminal colors, cursor themes, and font rendering. The second command simply tells the server to launch Xfce, which is where you will find all of the graphical software that you need to comfortably manage your server.
To ensure that the VNC server will be able to use this new startup file properly, we'll need to grant executable privileges to it.
sudo chmod +x ~/.vnc/xstartup
Now, restart the VNC server.
vncserver
The server should be started with an output similar to this:
<code>
test@testbox:~$ vncserver
New 'X' desktop is testbox:1
Starting applications specified in /home/test/.vnc/xstartup
Log file is /home/test/.vnc/testbox:1.log
</code>
**Testing the VNC Desktop**
In this step, we'll test the connectivity of your VNC server.
Next, you may now use a VNC client to attempt a connection to the VNC server at testbox.local:5901 (or 192.168.1.6:5901)
You'll be prompted to authenticate. The correct password to use is the one you set in the vncserver initial setup
Once you are connected, you should see the default Xfce desktop that was included as part of the TightVNC installation.
**Creating a VNC Service File**
Next, we'll set up the VNC server as a systemd service. This will make it possible to start, stop, and restart it as needed, like any other systemd service.
First, create a new unit file called /etc/systemd/system/vncserver@.service using your favorite text editor:
sudo nano /etc/systemd/system/vncserver@.service
Copy and paste the following into it. Be sure to change the value of User and the username in the value of PIDFILE to match your username.
<code>
[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target
[Service]
Type=forking
User=test
PAMName=login
PIDFile=/home/test/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i
[Install]
WantedBy=multi-user.target
</code>
Save and close the file.
Next, make the system aware of the new unit file.
sudo systemctl daemon-reload
Enable the unit file.
sudo systemctl enable vncserver@1.service
Stop the current instance of the VNC server if it's still running.
vncserver -kill :1
Then start it as you would start any other systemd service.
sudo systemctl start vncserver@1
You can verify that it started with this command:
sudo systemctl status vncserver@1
To save memory/cpu time, you can turn off the VNC server on the fly, and turn it on when you need it.
sudo systemctl stop vncserver@1
=== Updating VNCServer Password ===
TightVNC uses it's own password scheme as part of the install - to update it, use the **vncpasswd** command - it prefers passwords longer than 8 characters - as part of the big project that this is turning into, pwgen is pretty handy
Generate a good password - note, don't use any of the ones in this post 8-)
<code>
test@testbox:~$ pwgen 12
Aech6aeXupha Avughi7ohf9e vaep7Ahca7ja ueYier4co2Ah DaiGhahwe6Ji Ia9AhSielaey
</code>
Now update the vncpasswd
<code>
test@testbox:~$ vncpasswd
Using password file /home/test/.vnc/passwd
Password:
Verify:
Would you like to enter a view-only password (y/n)? n
</code>
Sfx,
===== SNB Basics =====
* [[SNB Basics - Learning by Doing]]
* [[SNB Basics - Front Matter]]
* [[SNB Basics - HW and SW Recommendations]]
* [[SNB Basics - Linux Install]]
* [[SNB Basics - Managing Users]]
* [[SNB Basics - Network Management]]
* [[SNB Basics - Network Services]]
* [[SNB Basics - Remote Access]]
* [[SNB Basics - Postfix SMTP Agent]]
* [[SNB Basics - LAMP Server Install]]
* [[SNB Basics - WebApps]]
* [[SNB Basics - Network Monitoring]]
* [[SNB Basics - Monitoring]]
* [[SNB Basics - Storage]]
* [[SNB Basics - Simple NAS Server]]
* [[SNB Basics - Security]]
* [[SNB Basics - Security Extras]]
* [[SNB Basics - Extras]]====== Hardware/Software Recommendations ======
The makes/models of HW are not hard requirements - just the memory and storage are
The Software recommendation - Ubuntu was chosen due to feature set, long term support, and the large 3rd party community that uses and supports it.
===== Hardware Recommendations =====
**Required -i386/ARMv7 **
1GB RAM, 16GB local storage
**Preferred - x86_64**
2GB RAM, 32GB Local storage
**Virtualization**
Everything should work fine with VirtualBox, VMWare's Fusion/VMWare Workstation, and Parallel's desktop.
Several sections were tested with VMWare Fusion and VMWare Workstation.
HyperV from Microsoft (part of Windows Pro 8 and 10) should work, as would other low level hypervisors such as ESXi, Xen, KVM/QEMU, and perhaps even in a Docker container - supporting these is outside of the scope of this document.
===== Software Recommendations =====
**Minimum:**
Debian Jessie (8.*), Raspian, Ubuntu Desktop 16.04LTS
**Recommended**
Ubuntu 16.04LTS - support for ARMv7 (RaspPI for UbuntuMATE), Ubunutu Server 16.04LTS
**Why Ubuntu?**
16.04 brings us a modern kernel (4.4), along with updates across the board - including newer technologies like Docker/LXD for containers, and a full set of management tools that range from the older tried and true, to the newer replacements.
16.04LTS is a Long Term Release - which means that Canonical has pledged support for 5 years for security updates.
I've carefully chosen a set of applications that are well supported, generally best in their class, and are fairly easy to set up and maintain.
**A quick note about Raspberry PI** - the PI 2 is one of the candidate HW choices, and there's two main distributions - Rapsbian and Ubuntu 16.04 Mate Desktop for Raspberry PI 2 and 3. Raspbian should work fine for all steps, however, some of the packages may not be present, or named differently. The MATE for RPi2/3 is built specifically for the ARMv7 Cortex-A7 chip in the Pi 2, and generally performs a bit better than the ARMv6 code in the Raspbian distro.
Ubuntu MATE on the Pi 2 is what ultimately made the decision easy.
Everything we cover below will run fine on a Pi 2 with MATE installed.
===== Additional SW Recommendations =====
While not required - most sysadmins need three basic programs
A good text editor, a good terminal app, and Wireshark
**Windows**
* Notepad++ - Windows text editor and replacement for Notepad - works correctly with Unix and Mac text documents, and very powerful set of tools to work with
* Putty for Windows - popular SSH client
* MobaXterm - SSH/VNC client for Windows, not as well known, but it's very highly recommended
* TightVNC - Windows VNC client - www.tightvnc.org
* uNetBootin - Windows/Mac/Linux ISO to USB Drive writer - see more at the uNetBootin site
**Mac**
* TextWrangler - Mac Text Editor - free version of BBEdit's BBEdit, quite possibly the best text editor in the world
**Packet Debug**
* Wireshark - win/mac/linux===== Forward =====
Networking is a mind-set, and Linux is a philosophy - as we go down this path, we go thru stages - from curious to the enthusiast, and then to the hobbyist or professional as a day to day job - we go thru our challenges, and at some point, we raise up to a point where we can contribute even more - and then we're at the end - but the end is not the end, but an opportunity to reflect and teach others.
One of my favorite books is Mushasi's Book of Five Rings - The lessons that are taught, and the parables, these are opportunities to learn and grow...
- The Book of Earth - serves as an introduction, and metaphorically discusses martial arts, leadership, and training as building a house.
- The Book of Water - It describes some basic technique and fundamental principles.
- The Book of Fire - refers to the heat of battle, and discusses matters such as different types of timing.
- The Book of Wind - is something of a pun, since the Japanese character can mean both "wind" and "style" (e.g., of martial arts). It discusses what Musashi considers to be the failings of various contemporary schools of sword fighting.
- The Book of the Void - short epilogue, describing, in more esoteric terms, Musashi's probably Zen-influenced thoughts on consciousness and the correct mindset.
It's a great read and a good metaphor - in many ways reflects how we learn and grow in our chosen fields/professions.
For more info on Five Rings see below
https://en.wikipedia.org/wiki/The_Book_of_Five_Rings
===== Abstract =====
Most of Linux is like a swiss army knife, it can do just about anything. The trick to mastering Linux is to have the ability to ignore 99% of the options and to focus on the task at hand.
**Purpose**
The purpose here is to share some knowledge and make something useful for your small network - and the learning by doing concept transfers skills that you may be able to use in your career.
**Audience**
Technically interested people that perhaps want to learn more about Linux, and how Linux is applied to the various parts and components of your network.
As long as your are handy with a keyboard, and an interest to learn and even to share, you're part of the intended audience.
===== Attributions =====
This is distilled from 15 years worth of notes I've collected that I would consider "best practices" - about 60 percent of the content below is my direct writing, and I've heavily edited the rest from vendor documents, various how-to's, and message threads from the USENET to Mailing Lists to Web Forum posts.
===== Thanks and Dedications =====
I want to thank the community here at SmallNetworkBuilder.com - I've learned much from you, and this is an opportunity to share back.
To the entire FOSS community - this would not be possible without your ongoing contributions - thank you!
===== Conventions =====
These items are used to facilitate documentation - it is assumed that in a individual installation, that the items below will be custom to that installation.
<code>
Admin User (not root): test
Hostname: testbox
Hostname FQDN: testbox.local
Host IP: 192.168.1.6
Network: 192.168.1.0/24
mysqladmin: test
smbadmin: test
email: gmailuser@gmail.com <-- for postfix and some alerting
passwords: when indicated, and this is only for example use - getaccess
</code>
//GMAIL note - there are sections where email is needed - GMAIL works well, it's tested, and the instructions in this series will be focused on that service - you may use a primary GMail account if you wish, or my recommendation is to set up a dedicated GMAIL account specific to monitor your SNB Basics Server.//====== Install Linux ======
===== Install Linux =====
Prepare the installer - Ubuntu, on their download page, includes instructions on how to create a DVD or USB thumbdrive on their download page for Windows, Linux, and Mac
Prepare the Computer - if your board is UEFI based (many are these days), make sure to disable "Secure Boot", while leaving UEFI enabled - Having Secure Boot enabled will generally result in a failed installation - the Ubuntu Server installed will lock up on the initial select language screen (good sign that Secure Boot is still enabled). Set the appropriate disk in the Start Up portion of UEFI setup, check the vendors documentation.
Note - always best to have a wired connection for installation - wireless might work, but many times I've seen it not work.
Some notes on the installer;
Disks and LVM - LVM is not required (it's a check box option to select), and I would recommend not using that option for the boot disk - LVM is a great storage manager, and we'll cover that in the storage section on how to use it.
Server Install specific note - you'll get to a screen in the installer that asks what software packages would you like to install - select the standard package and openssh-server, forgo the web/samba/postgres, mail, etc - we'll add them in one at a time, and keep the installation focused.
===== Post Install =====
Now that we've completed the installation of linux, there's a few packages that are optional, but highly recommended - I find them useful, and I install them on every box I build.
sudo apt install build-essential aptitude git htop sysstat pwgen nano unzip zip
* build-essential - basic compiler/build environment
* aptitude - extension of APT, the debian package manager
* git - source code manager
* htop - extended process manager
* sysstat - metapack with many useful system statistics tools
* pwgen - password generator - makes sound/secure passwords of different lengths
* nano - oddly enough, some distro's don't come with this, I'm using it for this doc as it's easy to master - normally I use VIM, and let's not engage in that EMACS is better.
Might as well get the CPAN going, and install these a couple of perl modules - when CPAN is initially started, it wants to be configured - let it autoconfigure for now...
sudo cpan
<code>
CPAN.pm requires configuration, but most of it can be done automatically.
If you answer 'no' below, you will enter an interactive dialog for each
configuration option instead.
Would you like to configure as much as possible automatically? [yes]
</code>
type quit once you get to the main CPAN prompt, and you'll be back on the terminal shell
You can go deep into CPAN, but generally, auto configuration just works...
More about the CPAN here - http://learnperl.scratchcomputing.com/tutorials/configuration/
Once the CPAN is configured - install the following two modules for now. They'll be useful later in this doc...
sudo perl -MCPAN -e 'install Sys::CPU'
sudo perl -MCPAN -e 'install Sys::MemInfo'====== Storage Basics ======
Once we have the SNB Basics server set up, it's relatively easy to set up some additional storage for your small network - while this is a long section, if followed thru, you will have a fairly decent NAS to work with - and one much more flexible and useful that many off the shelf consumer grade Router/AP's.
The LVM section - This is what many commercial NAS vendors use - they hide it perhaps behind a nice GUI, but we'll dive deep into how things work inside and behind the curtain.
The Simple NAS is a walk-thru on how to set up a basic Samba Server to extend filesharing to your small network/
**WARNING - everything in this section has the ability to completely and utterly destroy data**
** All sections here assume that you have sudo access, and I strongly recommend that you do this on the local machine in a single terminal window -- you may want to print this section out, review, and before taking any actions - backup and take very careful notes***===== Filesystems and Mounts =====
Directories in the mounted filesystems are abstract - what you see when you list a directory is a visual representation of where the OS sees it - but that directory might be on the same disk, another disk, on a big Storage Attached Network filer in the same data center, or a thousand miles away on a completely different server.
A handy tool for finding out where a directory is mounted is findmnt, for example
<code>
test@testbox:~$ findmnt --target /tmp
TARGET SOURCE FSTYPE OPTIONS
/ /dev/sda2 ext4 rw,relatime,errors=remount-ro,data=ordered
</code>
So as you can see, right now /tmp is on /dev/sda2, using the EXT4 filesystem, and some additional parameters.
Knowing this, we can easily move things around - let's move /tmp over to the RAM filesystem, as this is a common tweak that many admins do for a bit of a performance boost
Keep in mind that the Temporary File System (tmpfs is in RAM, things here are not persistent, and will go away on a reboot.. so don't keep anything important in there
**Move /tmp from disk to tmpfs (RAM)**
As a first step - let's move /tmp to the temporary file system (aka tmpfs)
nano /etc/fstab
add just the tmpfs line below - the syntax here is important - leave the other lines alone for now
<code>
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs defaults 0 0
</code>
reboot the machine, and then look at the mounts...should look similar to this
<code>
test@testbox:~$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 897M 0 897M 0% /dev
tmpfs 184M 5.8M 178M 4% /run
/dev/sda2 456G 2.2G 431G 1% /
tmpfs 916M 0 916M 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 916M 0 916M 0% /sys/fs/cgroup
tmpfs 916M 0 916M 0% /tmp
/dev/sda1 511M 3.6M 508M 1% /boot/efi
tmpfs 184M 0 184M 0% /run/user/1000
</code>
Now run findmnt again, and see that it moved
<code>
test@testbox:~$ findmnt --target /tmp
TARGET SOURCE FSTYPE OPTIONS
/tmp tmpfs tmpfs rw,relatime
</code>
Now the File System Table - the fstab - tells the kernel where to expect to find things - it implies that anything underneath a mount is on the same filesystem - so the main mount for the machine above is on /dev/sda2 and it represented as the root directory "/" - by us explictly setting in the fstab, /tmp is now in tmpfs, and the kernel will look there instead.
Item entries in the fstab are persistent are persistent - immutable, so you typically won't see things that can be plugged in/out like a thumb drive, as if it is not there on reboot, the kernel tends to get pretty upset - sometimes even to the point of a kernel panic (the linux equivalent of the Blue Screen of Death).
Those thumbdrives are usually kept over in /mnt, and the hotplug daemon will see that the drive is inserted, and mount it there on a temporary basis until it's ejected.
Now we don't have to hard code a mount - we can do this on the fly by using the mount command -
mount /sourcelocation /targetlocation
And then to make that mount go away (step lightly here)
unmount /targetlocation
When in doubt - use the findmnt took like we discussed above before unmounting a directory
Make a couple of directories now - as they'll come in handy for the next couple of sections
First check to see if there is already something there -
<code>
test@testbox:~$ ls /var/share
ls: cannot access '/var/share': No such file or directory
test@testbox:~$ ls /var/media
ls: cannot access '/var/media': No such file or directory
</code>
Now we can make those directories
sudo mkdir /var/share /var/media
and findmnt will now show
<code>
test@testbox:~$ findmnt --target /var/share
TARGET SOURCE FSTYPE OPTIONS
/ /dev/sda2 ext4 rw,relatime,errors=remount-ro,data=ordered
test@testbox:~$ findmnt --target /var/media
TARGET SOURCE FSTYPE OPTIONS
/ /dev/sda2 ext4 rw,relatime,errors=remount-ro,data=ordered
</code>
Welcome To SNBForums
SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.
If you'd like to post a question, simply register and have at it!
While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!
