The idea for this series was borne out of the excessive questions from clients in my work life. Some have made the switch to Ubuntu, many are interested and some don’t know enough, because they’ve never tried working with a Linux based operating system like Ubuntu.

The two Ubuntu versions I used (in my own business as well as suggest to clients) are:

Ubuntu Server Edition.
The server edition is where various business related packages are installed. Such as print servers, web servers, billing systems, firewalls, and so on.

Ubuntu Desktop Edition.
The desktop edition (also used on laptops) is where various applications are installed and used to access the resources on the server.

Note: The newest Ubuntu version “Lucid” 10.04 is scheduled for release in April of 2010 and will be an LTS (“Long Term Support”) version. At which time, I’d suggest this as the version to use.

For business owners not familiar with Ubuntu, please check the official FAQ found at: http://www.ubuntu.com/aboutus/faq

If you need to purchase support (or other services), that can be obtained by visiting the Ubuntu services from Canonical section of their web site. And to obtain local support, you can again visit the official Ubuntu Ubuntu Marketplace section of their site.

Please make sure you do spend some time reading the material on the official Ubuntu web site as it will provide a valuable resource to this simple introductory post.

To address the most common questions I receive from the business owners I work with, I can sum many of them into one common threaded question “What’s in it for me?”

To answer, the biggest benefit I’ve personally experienced and Ubuntu business users also express is “Reduced ownership costs!”

In general, I find that the following specifics provide business owners with some very tangible points:

Maintenance costs are lower as a result of simpler installation and package management.
Advanced security is provided by regular updates as well more flexible configuration.
Faster and easier updating as a result of superior package management applications.
Saves a lot of money as a result of using free and open source based applications and other packages.
System operation is generally faster and more efficient as there is no bloatware or like packages preinstalled with the desktop version.
Superior reliability in that the server system is a very stable robust. In fact the “2008 Server OS Reliability Survey” states that Ubuntu only had 1.1 hour of per server of downtime per year. That’s incredible!

As I alluded, this series (hopefully) will provide you with the knowledge on how to set up your own business network using Ubuntu, or at the very least, provide you with enough information you can use to discuss with an ubuntu support professional.

Needless to say, your comments, input and suggestions are most welcome!

In that post, I was careful to install Squid3 first, so that Webmin would use it (in the management interface) instead of the older Squid 2.x; and that the installation would be smoother. One thing I noticed was that webmin was using an older version of squid:

“…I noticed that webmin (for some strange reason) thought squid 2.6 was installed…”

One of our readers (atass) provided a useful comment in that post:

“The reason is that you have also installed squid3 AND 2.6. 2.6 was installed via webmin because it is not configured by default to find squid3

I think you should correct this procedure so that you correctly configure webmin to use squid3 by going to module configuration and changing to squid3 paths. Avoid installing Squid via webmin cause it will install Squid 2.6 regardless if you have squid 3 installed”

So this needed fixing, here are the settings (below) I changed to get Squid3 going. Above all, remember to back up data or settings before changing anything.

Log into your webmin interface and select “Squid Proxy Server” from the left side navigation menu.
At the top select “Module Config“.
Change the following values:

Full path to squid config file: /etc/squid3/squid.conf
Squid executable: squid3
Full path to squid cache directory: /var/spool/squid3
Full path to squid log directory: /var/log/squid3

Now remember to stop squid and start squid3, via ssh (substituting for your IP address instead of mine):

ssh root@192.168.1.200

sudo /etc/init.d/squid3 restart

sudo /etc/init.d/squid stop

Now try surfing with your web browser configured to use the Squid3 proxy. If you get an error message (like I did):

————————————————————————–

The requested URL could not be retrieved

While trying to retrieve the URL: http://ubuntulinuxhelp.com/

The following error was encountered:

* Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is xxxx@xxxx.com.

Generated Tue, 01 Dec 2009 17:44:31 GMT by squidbox (squid/3.0.STABLE1)

————————————————————————–

Double check your Access Control in the “Squid Proxy Server”, Select the padlock icon that says “Access Control”.

Mirror the original settings you had in the Access Control for the older version of Squid. Then select the “Proxy Restrictions” tab, and again mirror the settings.

Then I restarted Squid3

sudo /etc/init.d/squid3 restart

And tried to surf the web… and everything works!

Big thanks to the reader that pointed out the issue. That’s appreciated! :)

One thing you’ll notice in this post is that the command line does not use “sudo”. This is because the last post configured the server to permit root logins via SSH. In fact, there is a lot of information in the last post that directly relates to (or effects) what we’ll do in this one, again, please read it: Faster Internet With an Old Laptop – Ubuntu and Squid. Otherwise some of us might get a bit lost trying to complete the hands-on activities in this post. Also a reminder that this is an Ubuntu server 8.04 LTS, if using other versions of Ubuntu (or other Debian based distributions, you’ll probably need to make a few adjustments).

In order to make this old laptop even more useful, in addition to the previously installed Squid proxy server, we’re going to add an Apache webserver with PHP, MySQL database server and Mail server (SMTP/POP3). The mailserver is just for the future in the event it’s needed or any PHP based package requires it (so you can skip that if you don’t need it). More importantly, Apache and MySQL are needed so I can successfully install and use MediaWiki.

First SSH into your server. The command for me is:

ssh root@squid.localdomain (You’ll need to substitute the hostname you chose for your server).

Let’s get some packages for  compiling, zip, perl, ssl, certificates and so on. Remember, because you logged in as root, you don’t have to “sudo”.

aptitude install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.3-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential

Let’s get the database server installed and configured;

aptitude install mysql-server mysql-client libmysqlclient15-dev

During the installation of MySQL, you’ll be asked to  provide and confirm a new MySQL root password. DO NOT FORGET IT! (as the MySQL root password is not going to be the same as your system root password – Right?) You can use upper case and lower case letters, numbers and special characters. To check that MySQL is listening for connections, use the netstat command:

root@squid:~# netstat -tap | grep mysql
tcp    0      0 localhost.localdo:mysql *:*      LISTEN      28746/mysqld

See how MySQL is only listening on localhost?

For future projects, I don’t want the database server to listen only on the localhost, I want it to listen on any interfaces. This is simple to do when editing the configuration file:

nano /etc/mysql/my.cnf

Look for: bind-address = 127.0.0.1
And comment out (#) that line. The line should now look like this:

# bind-address = 127.0.0.1

Doing this does make it less secure, but this is on an internal network, not a public one. Also, note that the default port is 3306, if you ever need to change the port, this is the file you can edit. However, to keep it simple, leave the default port as is.

When done editing, Ctrl o will save the file and Ctrl x will exit nano.

Restart MySQL so the new setting takes effect:

/etc/init.d/mysql restart

Let’s check to see if our settings work:

netstat -tap | grep mysql

You should see something similar to this:

root@squid:~# netstat -tap | grep mysql
tcp    0   0 *:mysql   *:*   LISTEN      28895/mysqld

Note that there is no mention of localhost!

I like using phpMyAdmin to manage the DB server via Firefox:

aptitude install phpmyadmin

When prompted, select the option “apache2”

After the install, you can visit the URL: squid.localdomain/phpmyadmin (substitute you own URL, which may be different from mine).

Use the login credentials that you created when installing and configuring MySQL:

Username = root
Password = The MySQL password (not the normal root password used to login).

If you’ve forgotten the MySQL root password, you can reset it. Here are the steps to fix the “forgot root MySQL password” issue (this has happened to me a few times):

Stop the DB server:
/etc/init.d/mysql stop

Restart MySQL without it accessing the user information (user tables):
mysql mysqld_safe –skip-grant-table &

Now connect to MySQL using the MySQL root account (you won’t need a password):
mysql -u root

Finally change the password via these commands:
use mysql;
UPDATE user SET password=PASSWORD(‘enter-new-password-here’) WHERE user = ‘root’;
flush privileges;
exit;

Currently I only intend to run MediaWiki to replace Tomboy notes (which I’ve probably mentioned a few too many  times now), but perhaps I might add a couple other PHP based sites in the future. Some of them may require email connectivity. Let’s put something in place now (Postfix, Courier).

aptitude install postfix procmail

When issuing the above command, I received the following output:

root@squid:~# aptitude install postfix procmail
Reading package lists… Done
Building dependency tree
Reading state information… Done
Reading extended state information
Initializing package states… Done
Building tag database… Done
The following packages are BROKEN:
sendmail
The following packages will be automatically REMOVED:
sendmail-bin
The following packages have been kept back:
apt apt-utils cron dash initscripts libcurl3-gnutls libkrb53 libssl0.9.8
libvolume-id0 linux-image-2.6.24-23-server linux-image-server
linux-server linux-ubuntu-modules-2.6.24-23-server python-apt sudo
sysv-rc sysvutils tasksel tasksel-data tzdata udev update-manager-core
The following NEW packages will be installed:
postfix
The following packages will be REMOVED:
sendmail-bin
0 packages upgraded, 1 newly installed, 1 to remove and 22 not upgraded.
Need to get 1160kB of archives. After unpacking 799kB will be used.
The following packages have unmet dependencies:
sendmail: Depends: sendmail-bin but it is not installable
Resolving dependencies…
The following actions will resolve these dependencies:

Remove the following packages:
sendmail

Score is 121

Accept this solution? [Y/n/q/?]

I selected Y (yes) to remove the (broken) sendmail package and install the remainder. After accepting the above solution, I saw the following (further) output:

Accept this solution? [Y/n/q/?] Y
The following packages are unused and will be REMOVED:
procmail sensible-mda
The following packages will be automatically REMOVED:
sendmail sendmail-bin
The following packages have been kept back:
apt apt-utils cron dash initscripts libcurl3-gnutls libkrb53 libssl0.9.8
libvolume-id0 linux-image-2.6.24-23-server linux-image-server
linux-server linux-ubuntu-modules-2.6.24-23-server python-apt sudo
sysv-rc sysvutils tasksel tasksel-data tzdata udev update-manager-core
The following NEW packages will be installed:
postfix
The following packages will be REMOVED:
sendmail sendmail-bin
0 packages upgraded, 1 newly installed, 4 to remove and 22 not upgraded.
Need to get 1160kB of archives. After unpacking 102kB will be freed.
Do you want to continue? [Y/n/?]

The install will give you some prompts (questions) to answer. Here’s how I answered them:

General type of mail configuration:
Internet Site

System mail name:
squid.localdomain (Your’s may be different, so make sure you input the correct name).

I noticed that the installation for procmail did not go through, so:

aptitude install procmail

We can always configure postfix later when needed, but let’s do a quick tweak of it now:

dpkg-reconfigure postfix

For “General type of mail configuration”, leave the setting we already made (Internet Site).

Also leave our “System mail name” as the one we just defined (squid.localdomain) – Again, your name may have been different.

For the “Root and postmaster mail recipient”, we don’t want to add any aliases, therefore leave this blank.

In the next prompt we see “Other destination to accept mail for (blank for none)”. It should be pre-populated with something like this:

squid.localdomain, localhost.localdomain, , localhost

Yes, let’s add this (by selecting “ok“).

No, we do not want to “Force synchronous updates on mail queue”.

The next section that asks about “Local Networks”, populating the input fields with something like this:

127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

Select “ok“.

“Use procmail for local delivery” – Select Yes!

We don’t need a limit on mailbox files. In the next windows make sure the entry is “0” and select “ok“.

“Local address extension character” prepopulated with “+“, leave it as is, select “ok“.

Finally, “Internet protocols to use”, select “all” and “ok“.

Start Postfix with /etc/init.d/postfix start, however if you need to make changes manually (to /etc/postfix/main.cf), remember to reload postfix with /etc/init.d/postfix reload

Installing courier:

aptitude install courier-authdaemon courier-base courier-imap courier-pop gamin libgamin0 libglib2.0-0

During the installation, you’ll receive a prompt asking “Create directories for web-based administration”, select “No“.

Quick tweak: Let’s configure postfix to drop mail to the users Maildir. We can issue the following command to do this:

postconf -e ‘home_mailbox = Maildir/’ && postconf -e ‘mailbox_command =’ && /etc/init.d/postfix restart

Finally let’s get Apache and PHP installed. I’m going to install PHP as a module, not as CGI, because I want to be able to easily change the configuration settings using directives in Apache configuration files (such as httpd.conf) and .htaccess files.

First, let’s get Apache going:

aptitude install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert

I received some errors in the output:

.
.
.
Get:3 http://ca.archive.ubuntu.com hardy/main libaprutil1 1.2.12+dfsg-3 [70.0kB]
Err http://ca.archive.ubuntu.com hardy-updates/main apache2-utils 2.2.8-1ubuntu0.5
404 Not Found [IP: 91.189.88.46 80]
Err http://security.ubuntu.com hardy-security/main apache2-utils 2.2.8-1ubuntu0.5
404 Not Found
Err http://security.ubuntu.com hardy-security/main apache2.2-common 2.2.8-1ubuntu0.5
404 Not Found
Err http://security.ubuntu.com hardy-security/main apache2-mpm-prefork 2.2.8-1ubuntu0.5
404 Not Found
Err http://security.ubuntu.com hardy-security/main apache2 2.2.8-1ubuntu0.5
404 Not Found
Err http://security.ubuntu.com hardy-security/main apache2-doc 2.2.8-1ubuntu0.5
404 Not Found
Fetched 478kB in 2s (180kB/s)
Selecting previously deselected package libapr1.
.
.
.

If you get this error, try updating the repositiries like this:

aptitude update

The reissue the installation command.

Now that Apache is installed, let’s get PHP and related packages:

aptitude install libapache2-mod-php5 libapache2-php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl

From dealing with other web servers, I’ve often found that I need to add the appropriate directives to Apache’s dir.conf file (because they will not all be included):

nano /etc/apache2/mods-available/dir.conf

You should see this line:

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm

Change it to this:

DirectoryIndex index.html index.shtml index.xhtml index.htm index.php index.php3 index.pl index.cgi

We also need to enable the rewrite, include and SSL modules:

a2enmod rewrite && a2enmod include && a2enmod ssl

You’ll get a prompt that tells you to run the command:

/etc/init.d/apache2 force-reload

You should get a success message like:

root@squid:~# /etc/init.d/apache2 force-reload
* Reloading web server config apache2   [ OK ]

Side note: If you need to disable a module, the command would be a2dismod, and an example would look something like: a2dismod ssl && /etc/init.d/apache2 force-reload I generally prefer to disable instead of delete as one never know if a module might be needed in the future (or if disabling causes an error). It’s usually a simpler fix to re-enable a module.

Lets get FTP going:

aptitude install proftpd

You’ll see a prompt asking you how to “Run proftpd”. I’m selecting “Standalone” because I want the ability to restart proftpd (or stop it) if needed. It will create the directory /home/ftp on your server. Here’s some of the output of that command:

Adding system user `proftpd’ (UID 114) …
Adding new user `proftpd’ (UID 114) with group `nogroup’ …
Not creating home directory `/var/run/proftpd’.
Adding system user `ftp’ (UID 115) …
Adding new user `ftp’ (UID 115) with group `nogroup’ …
Creating home directory `/home/ftp’ …
`/usr/share/proftpd/templates/welcome.msg’ -> `/home/ftp/welcome.msg.proftpd-new’
ProFTPd is started from inetd/xinetd.

Side note: If you ever need to restart the FTP server (after changing a configuration), the command would usually be: /etc/init.d/proftpd restart

For those who followed on from the original Squid installation post, we now need to access Webmin. For me the Firefox URL is:

http://squid.localdomain:26395/ (remember, use your server’s correct url and port number).

After logging in, select “Refresh Modules” and see an output similar to mine below:

Checking for usable Webmin modules ..
.. found 58 with installed applications, 46 not installed.

Now select “Servers” and you should see that:

Apache Webserver
Fetchmail Mail Retrieval
MySQL Database Server
Postfix Mail Server
ProFTPD Server
Procmail Mail Filter

have been added to the list. (Originally there was only Read User mail, SSH Server and Squid Proxy Server).

Finally, visit the URL of your nifty web server on Ubuntu, my URL would be:

squid.localdomain (once again, substitute the URL of your server).

And you’ll see the “It works!” message.

By default root is denied the ability to log in via FTP. Because this is my local network, I’ll allow root to access FTP. DO NOT do this is a public environment!

Still in Webmin, select “ProFTPD Server” (listed under “Servers“), then select the “Denied FTP Users” icon. This will open /etc/ftpusers, and display the following directives:

# /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).  root daemon bin sys sync games man lp mail news uucp nobody

Find: root

and remove it from the list. Click “Save“.

Now we’ll need to allow root in the proftpd.conf via our command line, like this:

nano /etc/proftpd/proftpd.conf

Look for:

# Set the user and group that the server normally runs at.
User                proftpd
Group                nogroup

And underneath the above add:

# Permit root logins
RootLogin on

Side note: If you ever need to reconfigure proftpd (to use inetd instead of standalone for example), the command is: dpkg-reconfigure proftpd

In your terminal, restart FTP so that root will now be allowed:

/etc/init.d/proftpd restart

root can now login and transfer files via FTP.

To change pages that Apache serves, you should be uploading files to:

/var/www

Guess what? We’re done!

While in the Webmin interface I noticed that I had to fix an issue from the last post:

Error: The Squid cache manager program /usr/lib/cgi-bin/cachemgr.cgi was not found on your system. Maybe your module configuration is incorrect.

I encountered this error when trying to access the “Cache Manager Statistics” under “Squid Proxy Server”.
/usr/local/squid/etc/squid.conf

Fix:

aptitude install squid-cgi

More information on Firewall Builder, pre-built binary packages and source code, documentation and Firewall Builder Cookbook can be found on the project web site at www.fwbuilder.org. Watch Project Blog for announcements and articles on all aspects of using Firewall Builder.

After firewall configuration has been generated by one of the policy compilers and saved in a file on disk in the format required by the target firewall, it needs to be transferred to the firewall machine and activated. This function is performed by the component we call “Policy Installer” which is part of the Firewall Builder GUI.

Starting with version 2.0, Firewall Builder comes with built-in installer that uses SSH to communicate with the firewall. Installer works on all OS where Firewall Builder is available: Linux, FreeBSD, Windows and Mac OS X. On Linux, *BSD and Mac OS X it uses standard ssh client that comes with the system; on Windows it uses putty.

Installer needs to be able to copy generated firewall script to the firewall and then run it there. In order to do so, it uses secure shell. The program does not include ssh code, it uses external ssh client. On Linux, BSD and Mac OS X it uses standard ssh client ssh and secure shell file copy program scp that come with the system; on Windows it uses plink.exe and pscp.exe. Full directory path to ssh client program can be configured in the Preferences dialog (accessible via Edit/Preferences menu), however if you are on Linux, *BSD or Mac and use standard ssh client that is available via your PATH environment variable, you do not need to change default value there.

Installer works differently depending on the targert platform. In case of Linux and BSD based firewalls it uses scp to copy generated configuration files to the firewall machine and then uses ssh to log in and run the script. In case of Cisco routers or ASA appliance (PIX), it logs in, switched to enable and then configuration mode and executes configuration commands one by one in a manner similar to expect scripts. It inspects router’s replies looking for errors and stops if it detects one. In the end, it issues command write mem to store new configuration in memory and logs out.

Built-in policy installer has been designed to work with dedicated firewall machine, that is, when computer where you run Firewall Builder GUI and actual firewall are different machines. Nevertheless, it can be used when they are the same machine as well. The only difference is that in all commands below you would use the name or address of the machine where you run Firewall Builder instead of the name or address of the dedicated firewall. SSH client will then connect back to the same machine where it runs and everything will work exactly the same as if it was different computer.

How does installer decide what address to use to connect to the firewall

Installer does not use the name of the firewall to connect to, it always connects to its IP address. It starts by scanning interfaces of the firewall object looking for one that is marked as “Management interface” using checkbox in the interface object dialog. Installer will use address of this interface to connect to. The “management interface” checkbox looks like shown on the next screenshot:

If your firewall has multiple addresses and you want to use the one that is not assigned to its interface in the fwbuilder object, then you can overwrite the address using entry field in the “installer” tab of the “advanced” firewall object settings dialog, like this:

More about other input fields in this dialog below.

Finally you can overwrite the address on one-time basis just for the install session using entry field in the installer options dialog. This is the same dialog where you enter password:

This works for all supported firewall platforms, i.e. iptables on Linux, pf on OpenBSD and FreeBSD, ipfw on FreeBSD and Mac OS X, ipfilter on FreeBSD, Cisco IOS access lists and Cisco ASA (PIX). Regardless of the platform, installer follows the rules described here to determine what address it should use to connect to the firewall.

Configuring installer on Windows

You can skip this section if you run Firewall Builder GUI on Linux, *BSD or Mac OS X.

Here is the link to slide show that demonstrates the process.

Download and install putty.exe, plink.exe and pscp.exe somewhere on your machine (say, in C:putty). Download URL is http://www.chiark.greenend.org.uk/~sgtatham/putty/

Installer does not use putty.exe but it will be very useful for troubleshooting and for setting up sessions and ssh keys.

In the Edit/Preferences dialog, in the “SSH” tab, use “Browse” buttons to locate plink.exe. Hit “OK” to save preferences. If you installed it in C:putty, then you should end up with C:puttyplink.exe in this entry field. Do the same to configure path to pscp.exe.

You may log in to the firewall using regular user account or as root. See instructions below for an explanation how to configure sudo if you use regular user accounts. This part of the configuration does not depend on the OS you run Firewall Builder.

Before you try to use fwbuilder installer with plink.exe and pscp.exe, test it from the command line to make sure you can log in to your firewall. If this is the first time you try to log in to the firewall machine using putty.exe, plink.exe or pscp.exe, then it will discover new host key and ask you if it is correct and if you want to save it in cache. There are lots of resources on the Internet that explain what does this mean and how you should verify key accuracy before you accept it. If the key is already known to the program it will not ask you about it and will just proceed to the part where it asks you to enter password. Enter the password and hit “Return” to see if you can log in and see command line prompt from the firewall.

Here is the command (assuming you use account “fwadmin” to manage firewall “guardian”):

C:Usersvadim>c:PuTTYplink.exe -l fwadmin guardian

NOTE: Built-in installer does not use GUI ssh client putty.exe, it uses command line utilities that come from the same author plink.exe and pscp.exe. You can test with putty.exe but do not enter path to it in the SSH tab of the Preferences dialog in fwbuilder, it won’t work.

Configuring installer to use regular user account to manage the firewall:

Before v3.0.4 built-in installer could only use regular account to activate policy if this account was configured on the firewall to use sudo without password. Starting with v3.0.4 this is not necessary anymore because installer can recognize sudo password prompts and enter password when needed.

• Create an account on the firewall (say, “fwadmin”), create a group “fwadmin” and make this user a member of this group. Most modern Linux systems automatically create group with the name the same as the name of the user account.

  useradd fwadmin

• Create directory /etc/fw/ on the firewall, make it belong to group fwadmin, make it group writable

  mkdir /etc/fw
  chgrp fwadmin /etc/fw
  chmod g+w fwadmin /etc/fw

• Configure sudo to permit user fwadmin execute firewall script and a couple of other commands used by fwbuilder policy installer. Run visudo on the firewall to edit file /etc/sudoers as follows:

  Defaults:%fwbadmin !lecture , passwd_timeout=1 , timestamp_timeout=1
  # User alias specification
  %fwbadmin ALL = PASSWD: /etc/fw/<FWNAME>.fw , /usr/bin/pkill , /sbin/shutdown

  here <FWNAME> is the name of the firewall. Installer will log in to the firewall as user fwadmin, copy firewall script to file /etc/fw/<FWNAME>.fw and then use the following command to execute it:

  ssh fwadmin@firewall sudo -S /etc/fw/<FWNAME>.fw

  Installer needs to be able to run pkill shutdown to kill shutdown command that may be running if you tried to install policy in testing mode before. In testing mode installer copies firewall script to temporary directory /tmp then runs command shutdown -r timeout to schedule reboot in a few minutes and finally runs firewall script. To cancel scheduled reboot you need to install policy again, with test mode checkbox turned off. In this case installer will copy firewall script to its permanent place and use pkill to kill running shutdown command to cancel reboot.

• set up ssh access to the firewall. Make sure you can log in as user fwadmin using ssh from your management workstation:

  ssh -l fwadmin <FWNAME>

  You may use either password or public key authentication; the installer will work either way. Use putty.exe or plink.exe to test ssh access if you are on Windows (see above for the explanation how to do this on Windows).

• in the “installer” tab of the “firewall settings” dialog of the firewall object put user name you use to log in to the firewall (here it is “fwadmin”):
• if you need to use alternative name or IP address to communicate with the firewall, put it in the corresponding field in the same dialog page
• Make sure entry field “directory on the firewall where script should be installed” is set to /etc/fw. Firewall Builder is not going to create this directory, so you need to create it manually before you install firewall policy (see above).
• Leave “Policy install script” and “Command line options” fields blank.

Configuring installer if you use root account to manage the firewall:

• Create directory /etc/fw/ on the firewall, make it belong to root, make it writable
• set up ssh access to the firewall. Make sure you can log in as root using ssh from your management workstation:

  ssh -l root <firewall_name>

  You may use either password or public key authentication; the installer will work either way.

• in the “installer” tab of the “firewall settings” dialog of the firewall object put “root” as the user name you use to log in to the firewall
• Make sure entry field “directory on the firewall where script should be installed” is set to /etc/fw
• Leave “Policy install script” and “Command line options” fields are blank

Configuring installer if you regularly switch between Unix and Windows workstations using the same .fwb file and want to manage the firewall from both

First of all, the .fwb file is portable and can be copied back and forth between Linux/BSD and windows machines. Even comments and object names entered in local language should be preserved since the GUI uses UTF-8 internally.

Built-in installer relies on path settings for ssh and scp in Edit/Preferences/SSH. Since preferences are stored outside of the .fwb file, the installer should work just fine when .fwb file is copied from Unix to Windows and back. Just configure path to ssh program in preferences on each system using default settings “ssh” on Linux and path to plink.exe on windows and give it a try.

Always permit SSH access from the management workstation to the firewall

One of the typical errors that even experienced administrators make sometimes is block ssh access to the firewall from the management workstation. You need your workstation to be able to communicate with the firewall in order to be able to make changes to the policy, so you always need to add a rule to permit this. Firewall Builder can simplify this and generate this rule automatically if you put an IP address of your workstation in the entry field on the first page of firewall settings dialog. Here is the screenshot that illustrates this setting for an iptables firewall; management station has an IP address 192.168.1.100

Using putty sessions on Windows

putty allows one to store destination host name or address, user name and bunch of other parameters in a session so that they all can be called up at once. If you wish to use sessions, do the following:

• Configure putty as usual, create and test session for the firewall, test it using putty outside of the Firewall Builder. When you use session, firewall host name and user name are stored in the session file. Firewall Builder allows you to enter session name in the entry field in the firewall settings dialog where you would normally enter alternative address of the firewall. Comment next to the entry field reminds you about this. Just type session name in that field, leave user name field blank and save the settings.
• Once you start the installer, do not enter user name in the “User name” field on the first page of installer wizard, however you need to enter the login and enable passwords. Configure the rest of installer options as usual, they do not change when you use putty sessions.

How to configure installer to use alternative ssh port number

If ssh daemon on your firewall is listening on an alternative port, then you need to configure built-installer so that it will run scp and ssh clients with command line parameters that would make them connect to this port. This is done in the “installer” tab of the firewall object “advanced” settings dialog as shown on the following screenshot (here we set the port to “2222″):

On Unix command line option that specifies port number is different for ssh and scp. It is lowercase -p for ssh and uppercase -P for scp. If you use putty tools plink.exe and pscp.exe on Windows, the option to specify alternative port number is -P (capital “P”) for both.

You can use the same input fields in this dialog to add any other command line parameters for ssh and scp, for example this is where you can confiugre parameters to make it use alternative identity file (private keys). This information is saved with a firewall object rather than globally because you may need to use different parameters for different firewall machines, such as different key files or ports.

How to configure installer to use ssh private keys from a special file

You can use the same entry fields in this dialog to provide other additional command line parameters for ssh and scp, for example to use keys from a different identity file. Here is how it looks like:

Here I configure ssh and scp to use alternative port and alternative identity file ~/.ssh/fwadmin_identity. The command line parameter for the port is different for ssh and scp, but parameter for the identity file is the same -i for both utilities.

On Windows, the simplest way (or may be the only way) to use alternative keys is to use putty sessions.

Troubleshooting ssh access to the firewall

Built-in policy installer will not work if ssh access to the firewall is not working. Test it using this command on Linux if use you user “fwadmin” to manage firewall:

ssh -l fwadmin firewall

If you use root account to manage the firewall, the command becomes

ssh -l root firewall

On Windows use putty.exe or plink.exe to do this:

C:Usersvadim>c:PuTTYplink.exe -l fwadmin firewall

C:Usersvadim>c:PuTTYplink.exe -l root firewall

If you can not log in using ssh at this point, verify that ssh daemon is working on the firewall, that existing firewall policy does not block ssh access and ssh daemon configuration in /etc/ssh/sshd_config permits login for root (if you plan to use root account to manage the policy).

Running built-in installer to copy generated firewall policy to the firewall machine and activate it there.

Now that all preparations are complete, we can move on and actually try to install newly generated firewall policy. Select firewall object in the object tree in Firewall Builder GUI, click right mouse button and use menu item “Install”. The program will recompile the policy and open installer dialog.

(This how installer options dialog looks like for iptables, pf, ipfilter and ipfw firewalls).

Here the program already entered user name fwadmin in the “User Name” field, but you can change it for one installation session if you wish. Next you need to enter the password for this user. This is the password of user fwadmin on the firewall machine. Address that will be used to comunicate with the firewall is also entered by the program automatically, it is taken from the firewall settings. You can change it for one installation session as well.

Other installer parameters do the following:

• Quiet install: as the name implies, this checkbox suppresses all progress output of the installer
• Verbose: this checkbox has the opposite action, it makes the installer print a lot of debugging information, including ssh client debug output.
• Store a copy of fwb file on the firewall: if this checkbox is on, the installer will copy not only generated firewall configuration files to the directory on the firewall machine which is configured in the “installer” tab of the firewall object dialog, but also original .fwb data file as well. Use of this option is discouraged if you manage many firewalls from the same .fwb file because distributing file that contains security policy of multiple firewalls to all of them is a bad idea.
• Test run: if this checkbox is on, policy installer will copy firewall configuration files to a temporary directory on the firewall and will run them from there. The intent is to test generated configuration without making it permanent. If firewall machine reboots, it will activate previous firewall policy. Installer uses subdirectory “tmp” inside installation directory on the firewall machine which is configured in the “installer” tab of the firewall object dialog. If installation directory configured there is /etc/fw (as in the screenshot earlier in this HOWTO), then installer will put files in the directory /etc/fw/tmp when test install option is in effect. You need to create this directory on the firewall before using this installation mode.
• Schedule reboot in… : If this option is on, installer schedules firewall reboot after given time in minutes. This can be used as a measure of last resort to protect against lost of communication with the firewall which may happen if there is an error in the new firewall policy which makes it block ssh access from the management machine. Installer uses command shutdown -r +10min to schedule reboot in 10 min. If installation has been successfull and everything works right, you need to repeat installation with options “test install” and “Schedule reboot” turned off to cancel reboot and install new policy permanently.

After all parameters are set and the password entered, hit “OK” to start installation.

If this is the first time your management machine is logging in to the firewall via ssh, it will find out that ssh host key of the firewall is unknown to it and will present you with a dialog:

Here is says that it does not know host key of the firewall “crash”. This is nothing more than a copy of the warning message presented by the ssh client. You should verify the host key manually and if it matches, click “Yes”. If you click “No” in the dialog, installation process will be interrupted.

Installer only recognizes ssh client warning message about unknown public host keys. If you rebuld your firewall machine, which means its host key changes, ssh will print different warning message which fwbuilder installer does not recognise. In this case you will see this message in the installer progress window, but installation process will get stuck. You need to use ssh client (ssh on Unix or putty.exe on Windows) to update host key before you can use fwbuilder policy installer with this firewall again.

After this, installer copies files to the firewall and runs policy script there. You can monitor its progress in the dialog as shown on the screenshot:

This is an example of successfull installation session. Installer records the status in the left hand side panel of the dialog. If you use installer to update several firewall machines in one session, their names and corresponding status of the installation session for each will be shown in the panel on the left. You can save installer log to a file using “Sabe log to file” button, this can be useful for documentation or troubleshooting.

Running built-in installer to copy generated firewall policy to Cisco router or ASA (PIX)

From the user’s point of view the installer works the same when you manage Cisco router or ASA firewall, with only few minor differences. First of all, the first screen of the installer, where you enter the password, offers another input field for the enable password as well.

You should be able to use IPv6 address to communicate with the router.

Most of the options and parameters in this dialog are the same as those for Linux firewalls (see above). The following parameters work differently for Cisco devices:

• Test run: if this checkbox is on, policy installer will copy new access lists configuration to the router or ASA appliance but will not issue write mem command in the end.
• Schedule reboot in… : If this option is on, installer issues command reload in NNN after new configuration has been loaded. This schedules reboot in NNN minutes. In combination with “test run” option this can serve as a roll-back mechanism in case of complete loss of contact with the router or firewall because of an error in the policy. Since “test run” does not perform “write mem” in the end, the original access list stays in startup configuration of the router and will be loaded after reboot.
• Cancel reboot if policy activation was successful: If this option is on, installer issues command reload cancel in the end of the policy activation process to cancel previously scheduled reboot.

Here is a screenshot of installation session to a Cisco router. Note the output at the very top of the log that shows how installer detected previously unknown RSA host key and accepted it after the user clicked “Yes” in the pop-up dialog (not shown on the screenshot). It then logged into the router; you can see the banner motd output from the router. After this, installer switched to enable mode, set terminal width and turned off terminal pagination using terminal length 0 command and finally switched to the configuration mode. It then started enterig generated configuration line by line.

The final part of the installation session looks like this:

This was a successful installation session, with no errors. Installer finished entering configuration lines and issued exit command to exit configuration mode, then wr mem command to save configuration to memory and finally exit again to log out.

It’s an older IBM Thinkpad T22, Type 2647 with 256MB of RAM and a 20GB hard drive. A couple years ago, I had 2o of these units, bought from a recycling depot. I sold them all on eBay, and only have a couple left now.

Whilst packing up the stuff to cart off, it occurred to me that I could put this old laptop to work by installing a proxy / caching server on it, and have my we browsers, pull much of the regularly requested web content off a locally cached network server. This means installing Squid. Not sure what Squid is: Squid (software), from their site:

“…Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS and other computer network lookups for a group of people sharing network resources, to aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including TLS, SSL, Internet Gopher and HTTPS. The development version of Squid (3.1) includes IPv6 and ICAP support…”

Needless, as I currently enjoy using Ubuntu, that’s what I used as the OS for this project. Installing a Squid server on the network, provided me with a few important benefits:

• Less bandwidth usage.
• Faster web surfing.
• Network cached copies of pages I regularly visit (if the original server is down).

Firstly, make sure you’ve installed a copy of Ubuntu 8.04 Server (Hardy) on the old laptop. Not sure how to do that? Here’s a guide: The Perfect Server – Ubuntu Hardy Heron (Ubuntu 8.04 LTS Server). In my case I skipped (did not install) Apache, MySQL, Postfix, BIND9, Proftpd, POP3/IMAP and Webalizer. I don’t need those, I only need the Squid proxy / caching server. I also installed Webmin (see below), so that I can easily manage this server remotely. A word to the wise however, I found out (about 2 years ago) to install Squid first! – That way the Webmin installation goes much smoother (I was using Debian for the server  at that time, and Ubuntu in another instance). Also, for those of you who have been following my blog (and for my welcomed new readers), I also played with Squid and Ubuntu about a year ago, in this post: Speed Up and Improve Web Surfing With an Ubuntu Squid Server. My earlier Ubuntu, Squid post was based on Ubuntu 6.06LTS and Squid 2.6 – Things have changed and applications, etc. have improved, so I though a revisit and reinstallation of the Squid server was in order.

I downloaded and burned a copy of the Ubuntu 8.04 LTS Server from Ubuntu’s official site at: http://www.ubuntu.com/getubuntu/download-server. The bare minimum requirements are:

300 MHz x86 processor
64 MB of system memory (RAM)
At least 4 GB of disk space (for full installation and swap space)
VGA graphics card capable of 640×480 resolution
CD-ROM drive or network card

256MB of RAM, made the install slower than I’m used to. You can find more requirements info for Ubuntu Server (Hardy) at Ubuntu System Requirements.

After downloading, and burning a copy of the ubuntu-8.04.2-server-i386 CD, complete a base install of Ubuntu server (using the howtoforge.com guide above as a reference). I also installed an SSH server so that I could tuck the old laptop away and complete everything else in  comfort,  using my desktop.

sudo aptitude install ssh openssh-server

will get the ssh server up and running for you.

Throughout this post, you’ll need to substitute your IP addresses and names to match those in your own network. After the installation of the base server is complete, open a terminal from your (comfortable) desktop and enter:

ssh root@192.168.1.200

192.168.1.200 is the address of  there server I just installed.

Use the command:

su

to enter root. That way I don’t have to keep typing “sudo”.

Install Squid usingthe command:

aptitude install squid3

After Squid has finished installing and you’ve rebooted the system, you may want to install Webmin, a GUI interface to manage that server, still in terminal, you can download a copy of the webmin package into and directory you like. The command to download is:

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.470.tar.gz

Untar it like this:

tar xzvf webmin-1.470.tar.gz

Webmin needs perl to run, so I installed some packages:

aptitude install install libauthen-pam-perl libnet-ssleay-perl libpam-runtime openssl perl perl-modules

Enter my extracted contents of the webmin-1.470.tar.gz package  by:

cd webmin-1.470

And run the installation for webmin:

./setup.sh

I changed the port number away from 10000 to 26395. I changed the admin account to “root”, and entered a new password.

At the end of the webmin installation, I got the success message that include the URL: http://squid.localdomain:26395/

On my local PC, I had to edit my hosts file like this:

sudo gedit /etc/hosts

Then added the following line:

192.168.1.200 squid.localdoman    squid

Now we want to reboot the squid server using:

shutdown -r now

After rebooting the server and logging back in (via ssh), you can see if the webmin service is running by using the command:

sudo /etc/init.d/webmin status

You should see something like:

webmin (pid 4573) is running

To see if it is listening on the correct port number, the command to check that is:

sudo netstat -tap

You should find a line in the output of the above command that says something like:

tcp    0    0 *:26395    *:*    LISTEN    4573/perl

(Remember, port 26395 was the one we chose to tun webmin on – And webmin uses perl).

Now open a web browser and visit webmin. The URL I would use is:

http://squid.localdomain:26395/

(Again, remember that I added the appropriate information to my hosts file so that the browser can find the URL).

I chose not to enable SSL for logging into webmin (as I don’t need it in this LAN). After logging in, we want to configure squid. Look for something (on the left) that says “Unused Modules” and look for “Squid Proxy Server“, click that link. You will see an option to install the squid (webmin) module. Select that link to install it.

After installing, look on the left side menu and under “Servers” you will see “Squid Proxy Server“. Select “Squid Proxy Server” and then select the “Ports and Networking” option.

Note that squid is running on the default port 3128. Now return back to the squid module page by clicking “Module Index” (at the top of the page). Select the “Access Control” icon and see a button at the bottom of the page that says “Browser Regexp” – That contains a drop down list. Use the drop down list to select “Client Address” then click the button that says “Create new ACL“.

Enter your values in the form. I used the following:

ACL Name: localdomain
From IP: 192.168.1.0
To IP: 192.168.1.255
Netmask: 255.255.255.0

I didn’t change anything else and clicked on “Save”.

Now click the tab (at the top) that says “Proxy restrictions“. Click (at the bottom) “Add proxy restrictions” and look for the new ACL name you just created (mine was called “localdomain”) *** Make sure you are looking under the column that says “Match ACLS” *** and click on that name. Now click the radio button that says “Allow“. Then select “save” at the bottom.

In the new screen that display, use the up arrow to move “localdomain” (or whatever you called your new ACL rule) so that it is just above the line that says “Deny all”. If you don’t, your browsers will not be able to get access.

Now in your ssh window, use the command:

shutdown -r now

This will restart the server and squid3 (along with then new configuration). I noticed that webmin (for some strange reason) thought squid 2.6 was installed. Therefore, webmin was unable to start the server. But after rebooting the system, the “Stop Squid” button appeared – so I assume the webmin module has started working properly (no need for me to play with webmin again, as I’ll use SSH to access and reboot, etc., so I did not try).

As a final step, make sure that you set the proxy server address in your web browser. In my case the information to enter as a proxy server for each web browser is:

192.168.1.200:3128

Update, July 03, 2009: I found a problem when trying to access statistics. Here’s the issue and fix…

Issue:  When trying to access the “Cache Manager Statistics” under “Squid Proxy Server”, the following error displays:

“The Squid cache manager program /usr/lib/cgi-bin/cachemgr.cgi was not found on your system. Maybe your module configuration is incorrect.”

Fix:  aptitude install squid-cgi

Cache manager statistics will now work.

Other sites with related information:

• Howto Block websites using Squid Proxy in Ubuntu Linux
• Howto Block a Port in Squid Proxy , Ubuntu Linux
• [Ubuntu]Installing an HTTP proxy server (Squid)
• Installing Squid Proxy using Webmin on Ubuntu Server 8.04.1
• Paranoid Penguin – Building a Secure Squid Web Proxy, Part I

Enjoy faster web surfing as less external files are requested for pages you commonly visit and local cached copies are delivered to your browser. I hope you ladies and gents have fun playing with this, as I hope this post helps you out. Questions, suggestions, corrections, even additions?…. Please feel free to add them to you comments!

You can download and read the latest publication (which includes the “Make Your Own Plug ‘N Play Zone Using Ubuntu Linux!” post) here: Issue 14 is out!

For those not aware, I posted a follow-up to the original about a month later, where I finalized some extra issues and information. You can find that post here: Ubuntu Linux Plug ‘N Play Zone Revisited

As always… Have fun :)

To recap, here is the list of hardware used:

Shuttle SN68SG2 Socket AM2 Barebone – NVIDIA 7025, Audio, Video, PCI Express, Gigabit LAN, USB 2.0, Firewire, Serial ATA, 250 Watt Power Supply.

AMD Athlon 64 X2 4200+ Processor ADA4200CUBOX – 2.20GHz, 1MB Cache, 1000MHz (2000 MT/s) FSB, Windsor, Dual-Core, Retail, Socket AM2, Processor with Fan.

Kingston 1024MB PC5400 DDR2 667MHz Memory (2 of these for 2GB).

Western Digital Caviar SE16 500GB Hard Drive – 7200, Browser Problems – Creating a Linux Based Virtual Box – Part 1 of 2 16MB, SATA-300, OEM.

DVD burner: LG GSA H55N Super-Multi Disk Drive 20×20×12

Putting the actual pieces together was very straight forward (use the guide that comes with the Shuttle package). However, I did make one mistake in ordering the hardware…

The Shuttle SN68SG2 comes with it’s own heat sink and cooling system. The metal fins are inserted right behind the fan of the power supply, so that the outbound air blows over the fins and draws heat away from the CPU. (I thought that was an innovative design idea when building such a small-footprint unit). As such, I did not need to order the retail version of the CPU (there’s no use or place, for the fan). Instead, I should have ordered the OEM version of the CPU (without the fan).

Also, after following the instructions that come with the shuttle unit, you may wish to flash the BIOS. I found that I was able to reboot the system with no problem, but whenever I powered it down and then back up (cold start), the PC always tries to boot off the network (until I use the ctrl-alt-del combo to restart it), the shuttle site indicated the fix was BIOS related. It’s probably better to flash the BIOS prior to moving forward (if you’re even interested in fixing this issue). You can fix it with Shuttle’s Flash Utility (awdflash) and the new BIOS (bin file) here: http://global.shuttle.com/download03.jsp?PI=647. Flashing the BIOS is not in the scope of this post, but one guide that gives you the basics of flashing is here: http://howflow.com/tricks/flash_your_award_bios_with_linux. Please remember that flashing a BIOS is serious, if you make a mistake (or power fails while flashing) you might damage the BIOS and have to buy a new motherboard! Be warned! ;) I chose not to flash the bios as (for now) the cold-start issue is just a minor thing.

I didn’t specify a monitor in the list above (I’m sure most would work), but I’ve had no problems using an Acer AL1916W. It’s a 19 inch wide screen (1440 x 900 – 16:10).

Make sure that you have a USB keyboard and USB mouse. I didn’t pay attention the first time and had to exchange the keyboard for a USB one. ;)

During the installation you’ll find two issues:

1. Video may not display clearly (it’s a driver issue).
2. The network card may not work properly (it’s also driver issue).

Here’s one trick I did to resolve this (and make my server install much smoother!)

After putting the hardware together, I did a quick install of Ubuntu 8.04 LTS Desktop Edition (64-bit) as I wanted to see if there were any issues. The most critical one I found was that network card appeared not to be working. By fixing this now, I found out I didn’t have to do it during the server install! I’d suggest (strongly) that you also do a quick desktop OS install as well, just to make sure everything is working as it should. (Besides, I don’t mind doing reinstalls as it helps me prepare and get a bit more exposure to some issues.) ;)

Fixing the Network Drivers:

To get the network card working properly took a bit of searching the learn that it was a Marvell. Once I had this information, I opened a terminal and tried:

sudo modeprobe marvell
sudo modeprobe marvell 88e1116

After (88E1116 was the model) the commands completed, I found the network card was able to connect and I could surf the web. I installed the desktop OS twice more and the server OS three times more (because I messed things up), but I never had to modeprobe the network card again – it always worked.

Fixing the Video Drivers:

Each time you install the OS (Server or Desktop), you’ll need to ensure you install the nVidia driver. To get the video drivers working, in terminal:

sudo apt-get install envyng-gtk

The above will install a tool in your desktop GUI. Use it to install the nVidia drivers. This solution came from: http://www.albertomilone.com/nvidia_scripts1.html

That’s it for this entry. The next post in this 12 part series, will have us rolling our sleeves up and installing the LAMP server software. :)

I did have two issues to fix after the initial install.

1) The integrated network card did not seem to work.
2) The integrated video was showing poor graphics.

The fix to get ethernet working was easy. Here’s how I got it functioning:

The specifications of the Shuttle SN68SG2 said that the embedded network card was a Marvell 88E1116.

We can use modeprobe in a terminal to try loading it:

sudo modprobe marvell
sudo modprobe marvell 88e1116

After the above command, the network card started to work and I was able to connect to the network.

The second issue, poor video because the drivers were not loaded, had already been solved by Alberto Milone in Italy. I found his solution, on his web site: http://www.albertomilone.com/nvidia_scripts1.html. And I used the instructions to install EnvyNG via apt-get (for this Ubuntu Linux 8.04 – Hardy installation).

As indicated, I needed to ensure the “universal” repository was enabled (and it was by default) and then ran the commands:

sudo apt-get install envyng-gtk

After the install, I found the “EnvyNG” configuration application in System tools (Under applications in the GUI). I selected the nVidia drivers and the script completed successfully. Both the network and the video issues were easily fixed.

Now I’m ready to install VirtualBox, so that I can virtually host testing environments for different operating systems, browsers, applications, etc. The terminal command:

sudo apt-get install virtualbox

will download and install the package. After the installation is complete, you will find “VirtualBox OSE” within Application -> System Tools in your GUI (in the same place the launcher for EnvyENG was found). Just launch VirtualBox and follow the prompts. Easy!

The above may seem like it’s over simplified, perhaps it is, but only in the respect that I’ve not included the many different fixes I tried. Instead, I’ve just posted the network card and video card fixes that worked (without subjecting you to a lengthy rendition of what did not work). ;)

Needless to say, I’ll soon be installing various virtual environments with this great new tool.

I hope this post and the “Part 1″ post are of help to some of you!
Enjoy…
:)

[tags]shuttle, linux ,ubuntu, video, network, drivers, fix, how to, SN68SG2, ethernet, virtualbox, marvell, envyeng, nvidia[/tags]

But, what if there were no backups? What if your hosting provider cannot restore data at their end? To be blunt, you’d be back to square one! Developing a whole new site or blog from the beginning! That’s a chilling thought, to lose everything and start again.

For peace of mind and data (intellectual property) , today’s post will highlight some of the steps we’ve taken to fully automate the backup process. Hopefully this will help many of you who may encounter the same issues, or are simply looking for a proactive, automated backup system for your web sites, blogs, ecommerce sites, etc.

We’ll need 5 things to ensure this system works:

• The remote host (your web hosting server).
• The local host (your Ubuntu or other Linux based desktop).
• The open source Rsync package.
• OpenSSH.
• Cron.

Let’s start with our desktop, which is the ‘localhost’. In my case the desktop is Ubuntu Linux 7.10, but this can be any Linux based system. This could also be another Linux server, if you tweak this a bit more. ;)

I know ‘cron’ is enabled (because it’s part of the default installation) of my Linux desktop. I also know SSH is installed (because it’s installed by default and I’ve used it), but I’m not sure if ‘rsych’ is there and if it works over SSH.

Side note: For those not familiar with Rsync, “rsync is an open source utility that provides fast incremental file transfer. rsync is freely available under the GNU General Public License and is currently being maintained by Wayne Davison.” Source: http://samba.anu.edu.au/rsync/

To see if rsych is installed, use the following terminal command:

apt-cache search rsync

If you see it’s installed, to determine if rsync works over SSH, open a terminal and type the following command (substituting your correct information):

rsync -avz -e ssh Your Remote Username@Your Remote Server Host:/The Remote/dir /Your Local/dir/

Here is what the switches mean:

a: Use ‘archive’ mode.
v: Use ‘verbose’ output.
z: Use ‘compression’ during file transfer.
e: Specify the ‘command’ to run. In this case SSH.

In my case the command could look something like this:

rsync -avz -e ssh backupadmin@ubuntulinuxhelp.com :/backupdir/daily /home/ubplay/sitebackups

After entering the above command, I’m prompted to enter the password and the file transfer begins.

In my case this is simple because the hosting provider uses ‘The’ industry standard software (Linux) as the standard applications, openssh, rsych, cron, etc. And my local Linux system already had the tools installed. Now that I’ve determined it works, cron can automate the system. However, before moving to cron, make sure your server is configured to backup the files and databases on a daily (or other) schedule.

If you’re using industry standard hosting services, you’ll be on a Linux box using cPanel. Personally, I’ve tried several others including Plesk, ISPConfig, etc, however in my opinion, they don’t have the amount of flexibility or options that cPanel does. In terms of a LAN however, in my opinion nothing beats Webmin. Webmin has the greatest flexibility and options. However, I’m going off topic here, back to the subject at hand!… Log into your hosting control panel and use the interface to configure your scheduled backups to occur during low-traffic periods. Make a note of the directory the backups are saved to. WHM/cPanel is great for this as it’s configured via a simple GUI, and is easy to use. :) In my case the server backs up the web site files and databases and stores them in /backupdir (so that my cron job can download any files in this directory later). For privacy issues, I’m not going to post the script as it contains a username and password among other “exposures”.

Before moving to cron itself, I needed to configure a script that will rsync over the SSH connection. Here are some example I found on the rsync site: Rsync Examples. Another great resource we found is here: resync-incr. On this site you’ll see another methodology and example scripts. And finally another great backup scripting resource here: Backup Script. I’m sure some of you have other great sites and resources listed, please comment below and add them. :)

After you’ve set up your script, however you want it (there are hundreds of ways!), use cron to run it. Setting up the cron job is not very difficult:

0 2 * * * /home/ubplay/cron/rsync-ubuntulinuxhelp

This (above) downloads the backup at 2am every day. Remember to ensure that your server has finished creating its backup by this time. Otherwise you’ll not be downloading the files you expect. In my case I use nano to create the file called “rsync-ubuntulinuxhelp” placed in the …/cron director. The file named rsync-ubuntulinuxhelp contains the actual bash script. To create the cron job itself (that calls the script), complete the following in a terminal:

sudo crontab -e

and use the following parameters:

* * * * * path to script/command to be executed and script/command
- – – – -
| | | | |
| | | | — Day of week (0 – 7)
| | | ——- Month (1 – 12)
| | ——— Day of month (1 – 31)
| ———– Hour (0 – 23)
————- Minute (0 – 59)

(‘*’ means ‘every’).

Side note: to view your existing cron jobs, in a terminal, type:

sudo cron -l

to delete a cron job:

sudo cron -r

As usual, I hope this helps some of you!

Enjoy :)

[tags]linux, ubuntu, automatic, backup, website, cron, rsync, how to, openssh, save website[/tags]

“…Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for email scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library…“

For me at least, this was a clear challenge to roll up my sleeves and create a small antivirus server (used to scan email). This would be useful to the small business owner, school, club or hobbyists in general. I’m not going to post the setup of the mail server for this (there are tons of tutorials on line), I’ll just be writing about the installation of clamAV on the server.

Depending on your platform, you should see the appropriate documentation here: http://www.clamav.org/download/packages/packages-linux. However, as I’m using Ubuntu Linux, I’ll simply run the following command on the mail server to install the package:

sudo apt-get install clamav clamav-daemon clamav-docs

clamav is the software and clamav-daemon is the service that will run the mail server modules that checks email attachments. The daemon will also ensure that the virus definitions are automatically updated. Be aware that the command will also install:

clamav-base
clamav-freshclam (Run by the daemon to keep the definitions updated).

After the installation is complete, you’ll be able to scan files manually using:

sudo clamscan -r /<whatever-directory-name-your-mailserver-uses-to-store-email>

Or… better to have it run automatically using cron like this:

sudo vi crontab -e

(you can use nano, vi, whatever, it does not matter – just as long as it’s a pure text editor) and add the following code to the cronjob:

*/10 * * * * sudo clamscan -r /<whatever-directory-name-your-mailserver-uses-to-store-email>

The above will scan the mail directory every 10 minutes.

Again, I’m not espousing that Linux “needs” anti virus protection. Rather, I’m suggesting one method we could use to protect all members, (by attempting to reduce virus transmission) to Windows and other platforms. If you need to remove this solution (because you’re just trying this out), the command to do so would be:

sudo apt-get autoremove clamav clamav-daemon clamav-docs

The “autoremove” statement will also remove the dependencies that were installed with clamav.

You can of course use this solution for your desktops and have it automatically scan the Thunderbird email folder via cron too. ;)

As always, I hope this is helpful to some of you!
:)