Assessment 1 - WordPress.com3 Securing Ubuntu Server 4 Installing Gallery 4.1 CLI 4.2 Web interface part 5 Configuring Gallery 6 Summary . ... [Ubuntu-Server 10.10 _Maverick Meerkat_

Internet & Network Services

Assessment 1

Building secure server to host Gallery.

Marcin Iwinski R00036586

[email protected]

Table of contents:

1 Installing Ubuntu Server

2 Installing additional packages

3 Securing Ubuntu Server

4 Installing Gallery

4.1 CLI

4.2 Web interface part

5 Configuring Gallery

6 Summary

1 Installing Ubuntu Server

Description below comes from http://www.howtoforge.com/perfect-server-ubuntu-10.10-

maverick-meerkat-ispconfig-3

1 Requirements

To install such a system you will need the following:

the Ubuntu 10.10 server CD, available here: http://releases.ubuntu.com/releases/10.10/ubuntu-

10.10-server-i386.iso (i386) orhttp://releases.ubuntu.com/releases/10.10/ubuntu-10.10-server-

amd64.iso (x86_64)

a fast Internet connection.

2 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100 and

the gateway 192.168.0.1. These settings might differ for you, so you have to replace them where

appropriate.

3 The Base System

Insert your Ubuntu install CD into your system and boot from it. Select your language:

Then select Install Ubuntu Server:

Choose your language again (?):

Then select your location:

Choose a keyboard layout (you will be asked to press a few keys, and the installer will try to detect

your keyboard layout based on the keys you pressed):

The installer checks the installation CD, your hardware, and configures the network with DHCP if

there is a DHCP server in the network:

Enter the hostname. In this example, my system is called server1.example.com, so I

enter server1:

Please check if the installer detected your time zone correctly. If so, select Yes, otherwise No:

Now you have to partition your hard disk. For simplicity's sake I select Guided - use entire disk

and set up LVM - this will create one volume group with two logical volumes, one for the / file

system and another one for swap (of course, the partitioning is totally up to you - if you know what

you're doing, you can also set up your partitions manually).

Select the disk that you want to partition:

When you're asked Write the changes to disks and configure LVM?, select Yes:

If you have selected Guided - use entire disk and set up LVM, the partitioner will create one

big volume group that uses all the disk space. You can now specify how much of that disk space

should be used by the logical volumes for / and swap. It makes sense to leave some space unused

so that you can later on expand your existing logical volumes or create new ones - this gives you

more flexibility.

When you're finished, hit Yes when you're asked Write the changes to disks?:

Afterwards, your new partitions are being created and formatted:

Now the base system is being installed:

Create a user, for example the user Administrator with the user name administrator (don't use

the user name admin as it is a reserved name on Ubuntu 10.10):

I don't need an encrypted private directory, so I choose No here:

Next the package manager apt gets configured. Leave the HTTP proxy line empty unless you're

using a proxy server to connect to the Internet:

I'm a little bit old-fashioned and like to update my servers manually to have more control,

therefore I select No automatic updates. Of course, it's up to you what you select here:

We need a DNS, mail, and LAMP server, but nevertheless I don't select any of them now because I

like to have full control over what gets installed on my system. We will install the needed packages

manually later on. The only item I select here is OpenSSH server so that I can immediately

connect to the system with an SSH client such as PuTTY after the installation has finished:

The installation continues:

The GRUB boot loader gets installed:

Select Yes when you are asked Install the GRUB boot loader to the master boot record?:

The base system installation is now finished. Remove the installation CD from the CD drive and

hit Continue to reboot the system:

4 Get root Privileges

After the reboot you can login with your previously created username (e.g. administrator).

Because we must run all the steps from this tutorial with root privileges, we can either prepend all

commands in this tutorial with the string sudo, or we become root right now by typing

sudo su

(You can as well enable the root login by running

sudo passwd root

and giving root a password. You can then directly log in as root, but this is frowned upon by the

Ubuntu developers and community for various reasons.

Seehttp://ubuntuforums.org/showthread.php?t=765414.)

5 Install The SSH Server (Optional)

If you did not install the OpenSSH server during the system installation, you can do it now:

aptitude install ssh openssh-server

From now on you can use an SSH client such as PuTTY and connect from your workstation to your

Ubuntu 10.10 server and follow the remaining steps from this tutorial.

6 Install vim-nox (Optional)

I'll use vi as my text editor in this tutorial. The default vi program has some strange behaviour on

Ubuntu and Debian; to fix this, we install vim-nox:

aptitude install vim-nox

(You don't have to do this if you use a different text editor such as joe or nano.)

7 Configure The Network

Because the Ubuntu installer has configured our system to get its network settings via DHCP, we

have to change that now because a server should have a static IP address.

Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP

address 192.168.0.100):

vi /etc/network/interfaces

# This file describes the network interfaces available

on your system

# and how to activate them. For more information, see

interfaces(5).

# The loopback network interface

auto lo

iface lo inet loopback

# The primary network interface

auto eth0

iface eth0 inet static

address 192.168.0.100

netmask 255.255.255.0

network 192.168.0.0

broadcast 192.168.0.255

gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts

127.0.0.1 localhost.localdomain localhost

192.168.0.100 server1.example.com server1

# The following lines are desirable for IPv6 capable

hosts

::1 localhost ip6-localhost ip6-loopback

fe00::0 ip6-localnet

ff00::0 ip6-mcastprefix

ff02::1 ip6-allnodes

ff02::2 ip6-allrouters

Now run

echo server1.example.com > /etc/hostname

/etc/init.d/hostname restart

Afterwards, run

hostname

hostname -f

Both should show server1.example.com now.

8 Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make

sure that the universe and multiverse repositories are enabled. It should look like this:

vi /etc/apt/sources.list

#

# deb cdrom:[Ubuntu-Server 10.10 _Maverick Meerkat_ -

Release i386 (20101007)]/ maverick main restricted

#deb cdrom:[Ubuntu-Server 10.10 _Maverick Meerkat_ -

Release i386 (20101007)]/ maverick main restricted

# See http://help.ubuntu.com/community/UpgradeNotes for

how to upgrade to

# newer versions of the distribution.

deb http://de.archive.ubuntu.com/ubuntu/ maverick main

restricted

deb-src http://de.archive.ubuntu.com/ubuntu/ maverick

main restricted

## Major bug fix updates produced after the final

release of the

## distribution.

deb http://de.archive.ubuntu.com/ubuntu/ maverick-

updates main restricted

deb-src http://de.archive.ubuntu.com/ubuntu/ maverick-

updates main restricted

## N.B. software from this repository is ENTIRELY

UNSUPPORTED by the Ubuntu

## team. Also, please note that software in universe

WILL NOT receive any

## review or updates from the Ubuntu security team.

deb http://de.archive.ubuntu.com/ubuntu/ maverick

universe

deb-src http://de.archive.ubuntu.com/ubuntu/ maverick

universe

deb http://de.archive.ubuntu.com/ubuntu/ maverick-

updates universe

deb-src http://de.archive.ubuntu.com/ubuntu/ maverick-

updates universe

## N.B. software from this repository is ENTIRELY

UNSUPPORTED by the Ubuntu

## team, and may not be under a free licence. Please

satisfy yourself as to

## your rights to use the software. Also, please note

that software in

## multiverse WILL NOT receive any review or updates

from the Ubuntu

## security team.

deb http://de.archive.ubuntu.com/ubuntu/ maverick

multiverse

deb-src http://de.archive.ubuntu.com/ubuntu/ maverick

multiverse

deb http://de.archive.ubuntu.com/ubuntu/ maverick-

updates multiverse

deb-src http://de.archive.ubuntu.com/ubuntu/ maverick-

updates multiverse

## Uncomment the following two lines to add software

from the 'backports'

## repository.

## N.B. software from this repository may not have been

tested as

## extensively as that contained in the main release,

although it includes

## newer versions of some applications which may provide

useful features.

## Also, please note that software in backports WILL NOT

receive any review

## or updates from the Ubuntu security team.

# deb http://de.archive.ubuntu.com/ubuntu/ maverick-

backports main restricted universe multiverse

# deb-src http://de.archive.ubuntu.com/ubuntu/ maverick-

backports main restricted universe multiverse

## Uncomment the following two lines to add software

from Canonical's

## 'partner' repository.

## This software is not part of Ubuntu, but is offered

by Canonical and the

## respective vendors as a service to Ubuntu users.

# deb http://archive.canonical.com/ubuntu maverick

partner

# deb-src http://archive.canonical.com/ubuntu maverick

partner

## Uncomment the following two lines to add software

from Ubuntu's

## 'extras' repository.

## This software is not part of Ubuntu, but is offered

by third-party

## developers who want to ship their latest software.

# deb http://extras.ubuntu.com/ubuntu maverick main

# deb-src http://extras.ubuntu.com/ubuntu maverick main

deb http://security.ubuntu.com/ubuntu maverick-security

main restricted

deb-src http://security.ubuntu.com/ubuntu maverick-

security main restricted

deb http://security.ubuntu.com/ubuntu maverick-security

universe

deb-src http://security.ubuntu.com/ubuntu maverick-

security universe

deb http://security.ubuntu.com/ubuntu maverick-security

multiverse

deb-src http://security.ubuntu.com/ubuntu maverick-

security multiverse

Then run

aptitude update

to update the apt package database and

aptitude safe-upgrade

to install the latest updates (if there are any). If you see that a new kernel gets installed as part of

the updates, you should reboot the system afterwards:

reboot

9 Change The Default Shell

/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do

this:

dpkg-reconfigure dash

Install dash as /bin/sh? <-- No

If you don't do this, the ISPConfig installation will fail.

10 Disable AppArmor

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my

opinion you don't need it to configure a secure system, and it usually causes more problems than

advantages (think of it after you have done a week of trouble-shooting because some service

wasn't working as expected, and then you find out that everything was ok, only AppArmor was

causing the problem). Therefore I disable it (this is a must if you want to install ISPConfig later

on).

We can disable it like this:

/etc/init.d/apparmor stop

update-rc.d -f apparmor remove

aptitude remove apparmor apparmor-utils

11 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over

the Internet. Simply run

aptitude install ntp ntpdate

and your system time will always be in sync.

The system is now ready to be used.

2 Installing additional packages

Description below comes from http://www.howtoforge.com/installing-apache2-with-php5-and-mysql-support-on-ubuntu-10.10-lamp

1 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100.

These settings might differ for you, so you have to replace them where appropriate.

I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root:

sudo su

2 Installing MySQL 5

First we install MySQL 5 like this:

aptitude install mysql-server mysql-client

You will be asked to provide a password for the MySQL root user - this password is valid for the

user root@localhost as well as [email protected], so we don't have to specify a MySQL

root password manually later on:

New password for the MySQL "root" user: <-- yourrootsqlpassword

Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

3 Installing Apache2

Apache2 is available as an Ubuntu package, therefore we can install it like this:

aptitude install apache2

Now direct your browser to http://192.168.0.100, and you should see the Apache2 placeholder

page (It works!):

Apache's default document root is /var/www on Ubuntu, and the configuration file

is /etc/apache2/apache2.conf. Additional configurations are stored in subdirectories of

the /etc/apache2 directory such as /etc/apache2/mods-enabled (for Apache

modules), /etc/apache2/sites-enabled (for virtual hosts), and/etc/apache2/conf.d.

4 Installing PHP5

We can install PHP5 and the Apache PHP5 module as follows:

aptitude install php5 libapache2-mod-php5

We must restart Apache afterwards:

/etc/init.d/apache2 restart

5 Testing PHP5 / Getting Details About Your PHP5 Installation

The document root of the default web site is /var/www. We will now create a small PHP file

(info.php) in that directory and call it in a browser. The file will display lots of useful details about

our PHP installation, such as the installed PHP version.

vi /var/www/info.php

<?php

phpinfo();

?>

Now we call that file in a browser (e.g. http://192.168.0.100/info.php):

As you see, PHP5 is working, and it's working through the Apache 2.0 Handler, as shown in

the Server API line. If you scroll further down, you will see all modules that are already enabled in

PHP5. MySQL is not listed there which means we don't have MySQL support in PHP5 yet.

6 Getting MySQL Support In PHP5

To get MySQL support in PHP, we can install the php5-mysql package. It's a good idea to install

some other PHP5 modules as well as you might need them for your applications. You can search for

available PHP5 modules like this:

aptitude search php5

Pick the ones you need and install them like this:

aptitude install php5-mysql php5-curl php5-gd php5-idn php-pear php5-imagick php5-

imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-ps php5-pspell php5-recode

php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-json

Now restart Apache2:

/etc/init.d/apache2 restart

Now reload http://192.168.0.100/info.php in your browser and scroll down to the modules

section again. You should now find lots of new modules there, including the MySQL module:

7 phpMyAdmin

phpMyAdmin is a web interface through which you can manage your MySQL databases. It's a good

idea to install it:

aptitude install phpmyadmin

You will see the following questions:

Web server to reconfigure automatically: <-- apache2

Configure database for phpmyadmin with dbconfig-common? <-- No

Afterwards, you can access phpMyAdmin under http://192.168.0.100/phpmyadmin/:

3 Securing Ubuntu Server

In order to make our Ubuntu Server more secure we still have few post-installation tasks to

perform.

First of all – we need to make sure that we are running the latest version of packets. It is very

straight forward using aptitude – built-in packet manager.

While logged in to local console we switch to root user by running the command:

sudo -s

(system should prompt us for our password) and we issue the following commands:

aptitude update

aptitude safe-upgrade

Once finished, aptitude should inform us that there is no more updates available:

After downloading and installing all available packets, in order to allow secure remote access

to our server, we will install openssh server:

aptitude install openssh-server

After finishing we should be able to connect to our server from a remote machine over ssh.

As a huge fan of simple solutions, I prefer to manage the services directly, without adding an

extra level of complexity, therefore I decided not to go for ISPconfig.

To make sure that there is no unwanted connectivity to any services that we do not trust, we

will enable firewall (called ufw) and allow only ssh, http and https traffic.

To enable firewall we simply execute:

ufw enable

This will block all the network connectivity to the server. To allow remote management of

our server over ssh we need to open port 22:

ufw allow 22

As we are going to use our server as a web server, we also need to allow HTTP and HTTPS

traffic:

ufw allow 80

ufw allow 443

To make sure that our firewall is up and running with only required ports being opened we

can check ufw status:

ufw status

If everything is configured properly we should see the following output:

Status: active

To Action From

-- ------ ----

22 ALLOW Anywhere

80 ALLOW Anywhere

443 ALLOW Anywhere

4 Gallery – general information and system requirements

Gallery is an open source project with the goal to develop and support leading photo

sharing web application solutions.

The Gallery project develops open source software licensed under the GPL, and is

maintained and developed by a community of users and developers. The development is

a distributed effort, with collaboration from around the globe. The team is well organized,

with weekly meetings, and constant communication. Serving millions worldwide, the

Gallery project is the most widely used system of its kind. Gallery is free to download and

use.

Gallery is an online photo album organizer. Gallery gives you an intuitive way to blend

photo management seamlessly into your own website whether you're running a small

personal site or a large community site.

Gallery is available for download at: http://codex.gallery2.org/Downloads

5 Installing Gallery

4.1 CLI Part

Gallery itself is also available in Ubuntu’s repositories, however to make sure that we have

the latest version of it, we will download the installer form its website.

First of all, we will need a root access to our server to write to some system folders.

To switch to root user execute the following command:

sudo -s

It will prompt for your users password.

Once switched to root, change folder to Apache web folder (/var/www – folder where Apache

Web server stores all the websites).

cd /var/www

Once in that folder, we can download the gallery installer from here.

To download the file directly to the server, from CLI, simply execute the following:

wget http://downloads.sourceforge.net/gallery/gallery-3.0.1.zip

We should see the following output:

root@ubuntuSRV:/var/www# wget http://downloads.sourceforge.net/gallery/gallery-

3.0.1.zip

--2011-03-15 02:36:11-- http://downloads.sourceforge.net/gallery/gallery-3.0.1.zip

Resolving downloads.sourceforge.net... 216.34.181.59

Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.

HTTP request sent, awaiting response... 301 Moved Permanently

Location: http://downloads.sourceforge.net/project/gallery/gallery3/3.0.1/gallery-

3.0.1.zip [following]

--2011-03-15 02:36:11--

http://downloads.sourceforge.net/project/gallery/gallery3/3.0.1/gallery-3.0.1.zip

Reusing existing connection to downloads.sourceforge.net:80.

HTTP request sent, awaiting response... 302 Found

Location: http://puzzle.dl.sourceforge.net/project/gallery/gallery3/3.0.1/gallery-

3.0.1.zip [following]

--2011-03-15 02:36:12--

http://puzzle.dl.sourceforge.net/project/gallery/gallery3/3.0.1/gallery-3.0.1.zip

Resolving puzzle.dl.sourceforge.net... 195.141.111.5

Connecting to puzzle.dl.sourceforge.net|195.141.111.5|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1810327 (1.7M) [application/zip]

Saving to: `gallery-3.0.1.zip'

100%[======================================================>] 1,810,327 439K/s

in 4.4s

2011-03-15 02:36:16 (401 KB/s) - `gallery-3.0.1.zip' saved [1810327/1810327]

Gallery installer is distributed as a singe ZIP archive which need to be extracted.

Unfortunately, stock Ubuntu server

does not have zip installed and we need to install it manualy:

aptitude install unzip

After installation of unzip, to extract the file, issue the following command:

unzip gallery-3.0.1.zip

This should extract all the files into gallery3 folder.

At this stage, we should be able to open our web browser and start the installer from

http:///gallery3 however it still requires few steps directly on the server, before the installation

can start properly.

We need to create a folder accessible for everyone, where gallery will store the pictures:

cd gallery3

mkdir var

chmod 777 var

the above commands will create a folder called var in gallery3 folder and it will make it

writable for everyone.

In order to manipulate pictures directly from gallery, we need to install a graphic toolkit (like

imagemagick or graphicsmagic).

aptitude install imagemagick graphicsmagic

From now on, we will continue our installation from a web browser pointed to gallery

installation.

4.2 Web interface part

To start proper installation, from any client in same network as our Ubuntu Server, open a

web browser and go to http:///gallery3.

You should see a Gallery 3 Installer, prompting for mysql parameters. Use default but provide

mysql password created during installation of Ubuntu Server. For ease of DB management,

we are also going to use gallery_ prefix.

After you hit “Continue” the installer should send you to an information page, stating that the

installation completed successfully and that an admin account is created for you.

From now on, you can go to http://<servers IP/gallery3 and start sharing your pictures online.

6 Customizing Gallery

To make our gallery safer, and more interesting we are going to customize it slightly. For

security reasons, first thing we need to do with a freshly installed Gallery, is to change

admin’s password.

In order to do that simply click on “Gallery Administrator” in top right corner and then on

“Change Password”. A new password prompt should appear:

To get rid of the “Graphics toolkit missing!…” warning at the top of our gallery, just set a

proper toolkit by clicking on “Choose a toolkit” and by activating the available toolkits

(ImageMagic and GraphicsMagic installed during gallery installation).

When I tried to upload a picture, an error “Error #2038″ was thrown (see below)

According to what I have found on Gallery’s wiki – it is due to simultaneous upload

limitations which can be changed in Admin -> Settings -> Advanced by changing the

gallery simultaneous_upload_limit to 1 (by default it is set to 5).

The last step to make our gallery more colorful is to change the default theme. Unfortunately,

additional themes need to be

downloaded manually. We can however synchronize with Gallery’s community git repository

and download some extra themes.

First of all we need to install git:

aptitude install git

after it is done, change folder to root’s home directory and create a new folder dedicated for

gallery’s git repository:

sudo -s

cd ~

mkdir git

Now we need to synchronize our new folder with remote repository:

git clone https://github.com/gallery/gallery3-contrib.git ./git

Once completed we can copy all the themes to our gallery installation folder:

cp -R git/3.0/themes/* /var/www/gallery3/themes/

After completing this step, we should be able to enable new them by browsing our gallery’s

website -> Apperance -> Theme choice.

6 Summary

Installation and configuration of both Ubuntu server and Gallery system was

undoubtedly a very interesting assessment. I had an opportunity to create my first blog. I

have also learned how to use Wordpress and social media like Vimeo or slideshare. I have

got familiar with Ubuntu and various software required for the server.

While preparing my project I used the Internet as my prime and only source of

information I find that Internet is non-questionable source of information for all aspects

related to the configuration of the server. Many websites contain step by step guides to

server configuration. What is more, there are many on-line forums with interesting and

helpful topics.

Ubuntu Linux, which I have worked on during this assignment, turned out to be easy

to use and intuitive. Ubuntu Linux’s look is very similar to that of MS Windows and Mac OS

,hence, it is very easy to migrate and switch between those three systems.

As in regards to the Gallery itself - installation of it appeared to be a straight-forward

task and the only problem that caught me was error “Error #2038″ when I tried to upload

pictures, but again – Internet appeared to be of extreme help and after quick search I found a

resolution on Gallery’s wiki page.