Basic Configuration on a Linux Server (Slackware 13.1)

Hello everyone,

Today I will bring together a couple of nice ideas into a semi-tight package on configuring a Slackware server. Keep in mind that these are just general settings; adapt them to your own setup.

If you have installed the full Slackware package set (which is quite a normal thing to do), this should be relatively painless.

What is generally covered :

SSH configuration, X11 forwarding.

Apache install and settings.

Samba (to share files on the network with CIFS/Windows clients), general config.

A little on IPTABLES.

It does not cover all aspects of setting firewall rules etc.

It does not give every detail, just the general setup.

OK, let's get started.

Typically you should have the SSH daemon (sshd) installed, along with Apache and Samba. Should any of these not be present, use SlackBuilds.org, which has an extensive repository of build scripts. (You need to extract the SlackBuild archive, not the source code, and run the (package).SlackBuild script as root/with sudo, with the source .tar or .tar.gz package in the same directory as the .SlackBuild file.) You also need SlackBuilds to get port knocking (an additional feature for SSH).

SSH configuration :

sshd should be installed but not enabled on the machine. First, let's make sure the configuration files are OK.

Open a terminal and go to /etc/ssh. Fire up your favorite editor with sudo/root rights (for instance sudo nano sshd_config) and open sshd_config.

I recommend changing the Port value to a high number (to make the service harder to identify from outside). To do this, find the line

# Port

Delete the # and put in the value you want.

It should look close to this:

Port 11832

except with your own port number. No "#" or other symbols in front.

I recommend using Protocol 2 with sshd.

LoginGraceTime (lower in the file) is the time allowed for providing the user ID and password once a connection is started. I have this set to 30.

Very important: disable PermitRootLogin (to make it "#PermitRootLogin"). Also change MaxAuthTries to a value of your choosing (normally 2 or 3 at most).

If you have Kerberos or other authentication services, look in the sshd_config manual for the details; going through all the finer points of the Kerberos authentication mechanisms would take too long here.

If you want X forwarding (the graphical side), enable X11Forwarding and set X11DisplayOffset to 10 (or 11). Look in the manual if you want X11 to use localhost (I do) and set X11UseLocalhost as you want.

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

It is also recommended to enable TCPKeepAlive and Compression. These help with slower and less reliable connections.
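As an added example (my own, not from the original post), here is a small shell audit for the sshd_config directives discussed above; the sshd_config it reads is constructed inline for the demo. The check worth noting is the one for PermitRootLogin: sshd takes the first uncommented occurrence of a keyword and ignores commented lines, so a line such as #PermitRootLogin does not turn root login off, it leaves sshd's built-in default in force. The audit therefore reports a commented-out directive as DEFAULT and counts it as a failure; PermitRootLogin no is the setting that actually refuses root logins.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config for the
# settings discussed above. The sample file below is constructed for the demo.
#
# sshd uses the first uncommented occurrence of a keyword; a commented-out
# line ("#PermitRootLogin") is ignored, so the compiled-in default applies.
# The audit reports such a directive as DEFAULT rather than as set.
# (Match blocks are not modelled.)

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample sshd_config (not a real server's file)
Port 11832
Protocol 2
LoginGraceTime 30
#PermitRootLogin yes
MaxAuthTries 3
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
TCPKeepAlive yes
Compression yes
EOF

# sshd_effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD (keywords are case-insensitive,
# first uncommented occurrence wins), or DEFAULT if the file never sets it.
sshd_effective_value() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }                               # comment line
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "DEFAULT" }
    ' "$1"
}

# check_directive FILE KEYWORD EXPECTED
# Prints PASS/FAIL for one directive; returns 0 on PASS, 1 on FAIL.
check_directive() {
    actual=$(sshd_effective_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "PASS $2 = $actual"
        return 0
    fi
    echo "FAIL $2 is '$actual' (want '$3')"
    return 1
}

# audit_sshd_config FILE
# Runs the checks for the directives covered above; returns the number of
# failing directives (0 means everything is set as recommended).
audit_sshd_config() {
    nfail=0
    check_directive "$1" PermitRootLogin no   || nfail=$((nfail + 1))
    check_directive "$1" Protocol 2           || nfail=$((nfail + 1))
    check_directive "$1" X11UseLocalhost yes  || nfail=$((nfail + 1))
    check_directive "$1" TCPKeepAlive yes     || nfail=$((nfail + 1))
    # Port: any explicit non-default value satisfies the "move it" advice.
    port=$(sshd_effective_value "$1" Port)
    if [ "$port" = "DEFAULT" ] || [ "$port" = "22" ]; then
        echo "FAIL Port still at the default (22)"
        nfail=$((nfail + 1))
    else
        echo "PASS Port = $port"
    fi
    # MaxAuthTries: must be set, and to a small number (the post suggests 2-3).
    tries=$(sshd_effective_value "$1" MaxAuthTries)
    case $tries in
        [1-3]) echo "PASS MaxAuthTries = $tries" ;;
        *)     echo "FAIL MaxAuthTries is '$tries' (want 1-3)"; nfail=$((nfail + 1)) ;;
    esac
    return "$nfail"
}

audit_sshd_config "$SAMPLE_CONF"
echo "$? directive(s) need attention"
```

With the functions loaded, run audit_sshd_config /etc/ssh/sshd_config against the real file; the return value is the number of directives that differ from the recommendations above. For the constructed sample only PermitRootLogin fails, precisely because it is commented out.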

After this, set the permissions on the sshd startup script so it runs at boot:

sudo chmod 700 /etc/rc.d/rc.sshd

After this you can try connecting to your server's IP to see whether you get a good connection. Remember to use the port you chose.

If you are on Windows with PuTTY, do the following:

Get Xming or similar X server software for Windows.

Open PuTTY and change these options:

Connection – keepalive time (set to 5 seconds or similar)

Connection – Enable keepalives.

Connection – X11 – Enable X11 forwarding.

Connection – X11 – set Display to "localhost:0".

The connection should be up and running now.

To control sshd manually, use sudo /etc/rc.d/rc.sshd start|stop|restart, choosing start, stop or restart as needed.

Setting up Apache :

Apache is a pretty extensive web server, so I will keep this fairly quick.

The configuration file is /etc/httpd/httpd.conf.

Important to note is ServerRoot. This is the main folder used by Apache.

Another important one is the port to listen on, normally 80 (standard http://); the parameter is "Port 80".

After this comes the main server configuration, after the module listings. Find the ServerAdmin entry and change it to what you want. Below that is ServerAddress (put the IP or DNS name here).

DocumentRoot is where you will actually keep the .html and other pages.

This covers the main configuration. As above, make the /etc/rc.d/rc.httpd service file executable (chmod 700 [file]) and try starting it. If there are errors, it will display them.

For more details, see the manual pages (man httpd).

That was it for general Apache. Yay.

Samba :

There are many ways to set Samba up. Here is my general configuration for the main file (/etc/samba/smb.conf):

[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
server string = Samba Server

# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = user

hosts allow = 192.168.1.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = yes

[homes]
comment = Home Directories
browseable = no
read only = no

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
printable = yes

[common]
comment = commonstore
path = /mnt/common
guest ok = yes
read only = no

[work]
comment = work
path = /mnt/wdbook/******/work
guest ok = yes
read only = no

You can simply add other shares in the same way. This is a very crude but working solution. It allows Windows "guest" users to access the shares and to copy and delete material there.

It's useful for sharing just some sections. For more info check, as always, the manual pages (man samba).
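As an added example (not part of the original post), the following shell functions parse an smb.conf and report the shares in which a guest can both read and write, which is exactly the kind of share the [common] and [work] sections above define. The smb.conf they read is constructed inline to mirror the configuration above (the path under /mnt/wdbook is a placeholder); the second function prints the [global] hosts allow value so you can confirm the shares stay limited to the local network, as the 192.168.1. setting above intends.

```shell
#!/bin/sh
# Added example, not part of the original post: find the shares in an
# smb.conf where an unauthenticated guest can write. The smb.conf below is
# constructed to mirror the post's layout (the /mnt/wdbook path is a placeholder).

SAMPLE_SMB=$(mktemp)
trap 'rm -f "$SAMPLE_SMB"' EXIT
cat > "$SAMPLE_SMB" <<'EOF'
[global]
workgroup = WORKGROUP
server string = Samba Server
security = user
hosts allow = 192.168.1.
load printers = yes

[homes]
comment = Home Directories
browseable = no
read only = no

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
; guest ok = no is also Samba's default
guest ok = no
printable = yes

[common]
comment = commonstore
path = /mnt/common
guest ok = yes
read only = no

[work]
comment = work
path = /mnt/wdbook/PLACEHOLDER/work
public = yes
writable = true
EOF

# writable_guest_shares FILE
# Prints, one per line, every share in which a guest can write: sections
# other than [global] with "guest ok"/"public" set to yes and either
# "read only = no" or "writable"/"writeable" set to yes. Keys are
# case-insensitive, and Samba's defaults (guest ok = no, read only = yes)
# apply when a key is absent, so [homes] is not reported although it is writable.
writable_guest_shares() {
    awk '
        function truthy(v) { return (v == "yes" || v == "true" || v == "1") ? "yes" : "no" }
        function flush() {
            if (sec != "" && sec != "global" && guest == "yes" && writable == "yes") print sec
        }
        /^[ \t]*[#;]/ { next }                       # comment (# or ;)
        /^[ \t]*\[/ {                                # [section] header
            flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            guest = "no"; writable = "no"            # Samba defaults
            next
        }
        /=/ {
            key = $0; sub(/=.*/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); val = tolower(val)
            if (key == "guest ok" || key == "public") guest = truthy(val)
            if (key == "read only") writable = (truthy(val) == "yes") ? "no" : "yes"
            if (key == "writable" || key == "writeable" || key == "write ok") writable = truthy(val)
        }
        END { flush() }
    ' "$1"
}

# global_hosts_allow FILE
# Prints the [global] "hosts allow" value, or UNRESTRICTED when it is not set.
global_hosts_allow() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == "global" && tolower($0) ~ /^[ \t]*hosts[ \t]+allow[ \t]*=/ {
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val; found = 1; exit
        }
        END { if (!found) print "UNRESTRICTED" }
    ' "$1"
}

echo "guest-writable shares:"
writable_guest_shares "$SAMPLE_SMB"
echo "hosts allow: $(global_hosts_allow "$SAMPLE_SMB")"
```

Point the functions at /etc/samba/smb.conf to review a live server. Every share the first function lists is one where anyone who can reach port 445 within hosts allow can add or delete files, so the two outputs belong together: a guest-writable share is only as contained as the hosts allow line that guards it.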

And lastly, a little on IPTABLES.

Most Linux distributions come with their own firewall. If you do not have iptables installed, it is recommended to do so now.

The idea behind iptables is quick to state: restrict as much as we want, and punch holes where we want access.

This is an extensive subject, so I think it is best if I just paste my common quick iptables rules, followed by an explanation.

File: /etc/rc.d/rc.iptables:

#!/bin/sh
echo -e "Getting IPTABLES"
echo input drop
iptables -P INPUT DROP
#echo forward ok
#iptables -P FORWARD
echo allow established to maintain
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo allow loopback
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
echo allow to port 80 tcp
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
echo allow to tcp 0000 - sshd
iptables -A INPUT -p tcp --dport 0000 -j ACCEPT
echo syn flood drop break
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
echo fragment packet check
iptables -A INPUT -f -j DROP
echo malformed xmas drop
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
echo null packet drop
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

The first line just says that this is a shell script.

Lines with "echo" explain and show what is going on at each step.

The rules are appended one after another, which explains the layout. First I set the default policy so that everything is dropped (in effect this is the _last_ rule). Every other rule is checked first, in order, and if none matches, the packet is dropped.

One core rule allows established connections (ones that I started, for instance) and loopback connections (this is Linux; loopback is _critical_). After this I open port 80 (for my Apache web server) and my SSH port (I just put 0000 here for obvious reasons).

After that I block SYN flood attacks from addresses I have not even seen or connected to.

After that come malformed (xmas) and null packets.

And finally I allow Samba to work properly (port 443).

The SYN flood protection and the other checks give a slightly hardened iptables setup and thus prevent hanging or possible crashing of _some_ services when they are spammed with these malicious packets over the internet.
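As an added example (mine, not from the original post), here is a first-match walk over a simplified model of the INPUT chain built by the script above. It makes the ordering point concrete: the first rule that matches decides, and the DROP policy is reached only by packets that no rule matched. The rule table is a constructed model of the post's rules; only the fields those rules test are represented (no TCP flag or fragment checks), and 11832, the sshd_config example port, stands in for the 0000 placeholder. One thing the walk shows is that the "NEW but not SYN" drop sits below the ACCEPTs for ports 80 and SSH, so a non-SYN packet to those ports is accepted by the earlier rule and never reaches it; a second table with that rule moved up shows the difference.

```shell
#!/bin/sh
# Added example, not part of the original post: a first-match walk over a
# simplified model of the INPUT chain from the rc.iptables script above.
# The first matching rule decides; the chain policy applies only when no
# rule matched. Constructed model: only iface, proto, dport, conntrack
# state and the SYN flag are represented; 11832 stands in for the post's
# 0000 SSH placeholder.
#
# Rule format, one per line: IFACE PROTO DPORT STATE SYN ACTION
# "*" matches anything; a comma-separated list matches any of its members.
INPUT_POLICY=DROP
POST_RULES='
*  *   *     ESTABLISHED,RELATED *   ACCEPT
lo *   *     *                   *   ACCEPT
*  tcp 80    *                   *   ACCEPT
*  tcp 11832 *                   *   ACCEPT
*  tcp *     NEW                 no  DROP
'
# Same rules with the "NEW but not SYN" drop moved ahead of the service
# ACCEPTs, so it also covers ports 80 and 11832.
REORDERED_RULES='
*  *   *     ESTABLISHED,RELATED *   ACCEPT
lo *   *     *                   *   ACCEPT
*  tcp *     NEW                 no  DROP
*  tcp 80    *                   *   ACCEPT
*  tcp 11832 *                   *   ACCEPT
'
INPUT_RULES=$POST_RULES

# eval_input IFACE PROTO DPORT STATE SYN
# Walks $INPUT_RULES top to bottom and prints "<ACTION> rule <n>" for the
# first match, or "<policy> policy" when nothing matched.
eval_input() {
    printf '%s\n' "$INPUT_RULES" | awk \
        -v pi="$1" -v pp="$2" -v pd="$3" -v ps="$4" -v py="$5" \
        -v policy="$INPUT_POLICY" '
        # does rule field "want" accept packet value "have"?
        function matches(want, have,    n, i, alt) {
            if (want == "*") return 1
            n = split(want, alt, ",")
            for (i = 1; i <= n; i++) if (alt[i] == have) return 1
            return 0
        }
        NF == 6 {
            rule_no++
            if (matches($1, pi) && matches($2, pp) && matches($3, pd) &&
                matches($4, ps) && matches($5, py)) {
                print $6 " rule " rule_no; hit = 1; exit
            }
        }
        END { if (!hit) print policy " policy" }
    '
}

# Walk a few packets through the post's ordering, then the reordered one.
for pkt in "eth0 tcp 80 NEW yes" "eth0 tcp 80 NEW no" "eth0 tcp 445 NEW no" \
           "eth0 tcp 445 NEW yes" "lo tcp 5432 NEW yes" "eth0 udp 53 ESTABLISHED na"; do
    # word splitting of $pkt into the five arguments is intended
    echo "post order:  $pkt -> $(eval_input $pkt)"
done
INPUT_RULES=$REORDERED_RULES
echo "reordered:   eth0 tcp 80 NEW no -> $(eval_input eth0 tcp 80 NEW no)"
echo "reordered:   eth0 tcp 80 NEW yes -> $(eval_input eth0 tcp 80 NEW yes)"
INPUT_RULES=$POST_RULES
```

Edit the rule tables to mirror your own rc.iptables before changing the live ruleset; the walk is a cheap way to see which rule a given packet will hit and to confirm that the DROP policy, not an accidental early ACCEPT, is what handles the traffic you meant to block.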

There is one more thing to do.

We need to actually use this file (it is not loaded automatically otherwise).

Open /etc/rc.d/rc.local (or rc.M, or a similar core startup script; rc.local is run as the _last_ boot script before the user logs in).

Add the following (close to the top if you want, but after Samba etc. have loaded; at the bottom if you are unsure):

#start iptables
if [ -x /etc/rc.d/rc.iptables ]; then
  . /etc/rc.d/rc.iptables
fi

This tells Linux to actually run the file. The -x test only passes if the script is executable, so set its permissions as for the other rc.d scripts (chmod 700 /etc/rc.d/rc.iptables). After this you can also run it manually with

sudo /etc/rc.d/rc.iptables

to start it up directly.

This pretty much sums up the quick iptables section.

That's about it. Now you can remotely set up email and other services on the server if you want. There are good tutorials for these, and at the moment I have neither the need nor the desire to set that up from scratch again.

However, I hope this helps some fellow Slacker out there, or people who like to do things manually :)

Feel free to comment and to share more common iptables rules.

This entry was posted in linux, Other, security, Slackware, Uncategorized.

One Response to Basic Configuration on a Linux Server (Slackware 13.1)

  1. Jerome says:

    Hi, your tutorial on samba was quite useful to me. I would appreciate if you can send me how to set up email on Slackware 13.1. Cheers!!!
