Like many people, I run a webserver at home for simple tasks (and large files on occasion) which aren't practical to host on a commercial webhost. I also have a home network. To make this work, I took an older PC and installed Linux on it. I won't go into all the reasons why a home server should have Linux on it right here, but suffice it to say that if you use a Windows variant in such an application, you're being foolish.
So how hard is it to install Linux? It's actually easier than you might think. Most Linux distros nowadays (I use Mandrake) come with a nice slick GUI-based menu-driven installer (the bad old days of complex text-mode installers are long gone). Simply pop the installation CD or DVD into your drive and reboot. There will be a number of self-explanatory questions, and there are only a few special caveats you must keep in mind:
If you don't want to dual-boot with Windows, you should go into your system BIOS and reconfigure the hard drive so that it uses "normal" head and cylinder allocations, as opposed to "LBA". LBA is only required for Windows, because Windows is too stupid to recognize large hard drives natively, so the system must remap all of the heads and cylinders for it.
If it asks you whether to install Development libraries, always say yes. You can't compile anything without the development stuff, and even if you're a Linux novice, you will soon find yourself wanting or needing to compile stuff, since a lot of freeware must be compiled as part of the installation process. Same goes for the kernel source files (if you don't know what those are, don't worry about it; just take my word for it and install them).
When it asks you for your network address, use a Class C address in the 192.168.X.X range (this is one of the legal private IP address blocks, and it helps against IP address spoofing because Internet routers generally won't route packets claiming to come from these ranges). Also, unless you absolutely need a DNS server, don't bother running one.
Use a fully qualified host name, e.g. Firewall.foo.bar instead of a truncated host name, e.g. Firewall. If you don't, then services such as postfix and httpd will get confused and you'll have to manually edit config files in order to make them work properly.
Go through the list of start-up services (daemons) and for security purposes, pare them down to only that which you absolutely need (in my case, I need local system functions, httpd, mysql, and ssh). In the case of Mandrake, it has a setup tool (DrakConf, also known as "Configure my Computer" from the main menu) which tells you what each service does and lets you turn them on and off, and it also has a "Security" setup area where you can configure all kinds of things, including firewalls.
You generally don't want people on the Internet to be able to access the services on your computer, so edit the /etc/hosts.allow and /etc/hosts.deny files as follows:
hosts.allow
ALL: 127.0.0.1,192.168.1.
hosts.deny
ALL:ALL
In this example, it is assumed that all of your local machines have IP addresses in the 192.168.1.X subnet, so you would obviously have to alter it to suit your particular configuration. This will block access from any machines not on your home LAN, although it should be noted that individual services need not necessarily obey the directives in /etc/hosts.allow and /etc/hosts.deny.
Services which observe /etc/hosts.allow and /etc/hosts.deny are those which use the TCP wrapper (tcpd) and the portmapper. This would include nfs, and pretty much everything under xinetd. However, not all services examine /etc/hosts.allow and /etc/hosts.deny, so be sure to edit the appropriate config files for any service you want to run.
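As an added illustration (not part of the original page), the following shell script models how tcpd decides on a connection using the two files above: a matching line in hosts.allow grants access, otherwise a matching line in hosts.deny refuses it, and if nothing matches at all the connection is permitted, which is why an empty hosts.deny leaves every wrapped service open. The rule sets are constructed samples, and only the syntax used in this guide (ALL, exact addresses, trailing-dot prefixes) is handled.

```shell
# Added model of the tcpd (libwrap) decision: a matching hosts.allow line grants,
# otherwise a matching hosts.deny line refuses, otherwise access is GRANTED.
# Handles only the syntax used in this guide (no EXCEPT, no hostnames).

# Constructed rule sets standing in for /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW='sshd: 127.0.0.1,192.168.1.10
ipop3d: 127.0.0.1,192.168.1.'
HOSTS_DENY='ALL:ALL'

# list_has LIST NEEDLE: does a comma/space separated tcpd list match NEEDLE?
list_has() {
    lh_ifs=$IFS; IFS=', '
    for item in $1; do
        IFS=$lh_ifs
        case $item in
            ALL) return 0 ;;                                  # wildcard
            *.)  case $2 in "$item"*) return 0 ;; esac ;;     # network prefix
            *)   if [ "$item" = "$2" ]; then return 0; fi ;;  # exact address
        esac
    done
    IFS=$lh_ifs
    return 1
}

# wrap_match RULES DAEMON CLIENT: does any rule line match DAEMON from CLIENT?
wrap_match() {
    wm_ifs=$IFS; IFS='
'
    for line in $1; do
        IFS=$wm_ifs
        case $line in ''|'#'*) continue ;; esac               # blank or comment
        if list_has "${line%%:*}" "$2" && list_has "${line#*:}" "$3"; then
            return 0
        fi
    done
    IFS=$wm_ifs
    return 1
}

# wrap_decide DAEMON CLIENT: print "allow" or "deny" as tcpd would decide.
wrap_decide() {
    if wrap_match "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif wrap_match "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow   # nothing matched: the default is to permit
    fi
}
for probe in 'sshd 192.168.1.10' 'sshd 192.168.1.5' 'ipop3d 192.168.10.5'; do
    echo "$probe -> $(wrap_decide $probe)"
done
```

Note that 192.168.10.5 is refused: the prefix 192.168.1. only matches addresses whose next character is a dot.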
That is one line of defense. The other line of defense is to use a firewall. There are numerous setup scripts available on the Internet (for example, see the Bastille Linux project, or gShield). In the case of Mandrake, it uses "Shorewall" which you can configure via DrakConf.
How the hell do I play DVDs on Linux? This is a short question with a long answer. Suffice it to say that the MPAA, with the backing of its corrupt hired cronies in the US government, has basically made it illegal to make or distribute open-source DVD player software. That's not to say that such software does not exist, but it's not legal in the US. Mandrake 10.0 comes with a version of Totem that will play DVDs, but with one hitch: it can't play encrypted DVDs, and most commercial DVDs are encrypted for copy-protection purposes (you don't have to know about this encryption because set-top DVD players and commercial DVD player software on Windows pay royalties to use the decryption code). The solution is to download and install a little (illegal in the US) package called libdvdcss, which will allow Totem to play encrypted DVDs. Of course, I can't legally offer it for download myself, but you can Google it.
Why doesn't Java work in my browser? Not all distros include Java, especially the free downloadable versions. However, Java is a free download from Sun, so you can just download and install it. Then the remaining trick is to configure your browser to see it. In Konqueror, it's a matter of going into the Java options and setting the path to the java executable (look in /usr/java to find it). In Netscape or Mozilla, it's a matter of making symbolic links from the /usr/lib/netscape/plugins or /usr/lib/mozilla/plugins directories to the libjavaplugin_oji.so file in the ns610-gcc32 directory under /usr/java.
Why doesn't Flash work in my browser? Same answer: it's not always installed. But you can download it from Macromedia and install it yourself, since it comes with handy-dandy installation instructions. Same goes for RealAudio, where you have to download the "Community-supported" Linux realaudio player (and they don't do a very good job of making it obvious where to find it, so you're better off just googling it).
How do I get Windows software to work? Linux geeks will tell you to use Wine, but I've got to be honest and say that it just doesn't work very well and is a pain in the ass to set up. If you want to run Windows apps, use Windows. Linux is good for surfing the Internet, doing E-mail, running local servers, developing websites, etc. because it's secure, but for the job of running Windows apps, Windows will always be better.
What's Squid? Squid is a "proxy server", which is useful if you are using your server as a firewall between your home LAN and the Internet (note: this means you would have two network cards in your server; the Internet would be hooked up to one network card and your home LAN would be hooked up to the other, thus forcing all traffic to go through your server). It's more secure than a standard firewall because it only allows properly formatted HTTP requests to go through, so bogus traffic attempting to sneak through on the HTTP port will be denied. Just make sure that if you install squid, it's set up to only recognize requests coming from your LAN, and not the Internet!
What's SSH? SSH is the secure version of Telnet, and it's essential for any kind of remote administration. Traditional tools like telnet, rsh, and rlogin are horrendous security holes which date back to a more naïve, innocent era and which should no longer be used under any circumstances. SSH is not only secure and encrypted, but the ssh client can also be used to securely "tunnel" insecure FTP and POP connections to outside hosts on the Internet. Configuration is generally not necessary if you have strong passwords, but if you're paranoid, there are a number of things you can do to make it more secure. For example, see the following lines in my /etc/ssh/sshd_config file:
Protocol 2
PermitRootLogin no
PasswordAuthentication no
These three lines force it to only accept SSH Protocol 2 connections rather than Protocol 1 connections (the default line is "Protocol 1,2"), they disallow remote root logins, and they disallow the use of passwords to connect. Of course, you might ask how you're supposed to connect if you're not allowed to use passwords, but there's a neat feature called the "authorized_keys" file in your home directory under the .ssh subdirectory. It takes "public keys" generated by ssh-keygen and stores them in a list of people who are allowed to connect without a password. This, in conjunction with an entry in hosts.allow which only allows certain IP addresses to connect to SSH in the first place, will make your remote login feature available to you while making it virtually impervious to outsiders.
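Added example, not from the original page: a small shell audit of sshd_config for the three directives above. It follows sshd's rule that the first uncommented occurrence of a keyword wins, so hardening lines appended below an earlier "PasswordAuthentication yes" change nothing; the sample configs are constructed, and a directive that is absent is treated as the shipped default described above.

```shell
# Added audit of the three sshd_config directives above.  sshd uses the FIRST
# uncommented occurrence of a keyword and ignores later ones (keywords are
# case-insensitive), so hardening lines appended below an earlier, weaker
# setting change nothing.  Match blocks are not modelled.

# sshd_effective KEYWORD CONFIG: print the value sshd would use, or nothing.
sshd_effective() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comment or blank
        tolower($1) == tolower(key) { print $2; exit }'    # first hit wins
}

# sshd_audit CONFIG: report each directive and return the number of weak ones.
# An absent directive falls back to the shipped default described in the text
# (Protocol 1,2; root logins and password logins permitted).
sshd_audit() {
    weak=0
    for spec in 'Protocol|1,2|2' 'PermitRootLogin|yes|no' \
                'PasswordAuthentication|yes|no'; do          # key|default|wanted
        key=${spec%%|*}; rest=${spec#*|}
        dflt=${rest%%|*}; want=${rest#*|}
        val=$(sshd_effective "$key" "$1")
        [ -n "$val" ] || val=$dflt
        if [ "$val" = "$want" ]; then
            echo "ok    $key $val"
        else
            echo "WEAK  $key $val (want $want)"; weak=$((weak + 1))
        fi
    done
    return "$weak"
}

# Constructed sample configs (not read from /etc/ssh/sshd_config).
SHIPPED='#Protocol 1,2
#PermitRootLogin yes
Port 22'
HARDENED='Protocol 2
PermitRootLogin no
PasswordAuthentication no'
APPENDED='PasswordAuthentication yes
Protocol 2
PermitRootLogin no
PasswordAuthentication no'        # this "no" never takes effect

for cfg in SHIPPED HARDENED APPENDED; do
    eval "text=\$$cfg"
    echo "== $cfg"; sshd_audit "$text" || echo "   $? weak setting(s)"
done
```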
What's Samba? Samba is really cool. It lets your Linux box present itself on the network as if it's a Windows box. Your other Windows machines won't know the difference; they can browse it on Network Neighbourhood (or whatever stupid childish name Microsoft is calling it now) just as if it were a Windows PC. Configuration is definitely required, so you'll have to edit /etc/smb.conf. If you are directly connected to the Internet, you can make Samba ignore requests from the Internet by adding the lines "interfaces = eth0 127.0.0.1" and "bind interfaces only = yes" to the /etc/smb.conf file (you'll also want to set the workgroup name, define some shares, enable password encryption, and run smbpasswd to set up passwords). You could also enable swat to configure smb.conf via a pretty graphical interface, but that entails running another service. Besides, real men don't need anything but vi and a man page :)
Mail Services (postfix, xinetd, ipop3, imap): If you want to have a local mail server/relay, you will need to enable all of these individual services. Postfix is the SMTP server, and it's a drop-in replacement for sendmail. Xinetd is the meta-daemon, and it's necessary to run ipop3 and imap. Ipop3 and imap are POP-3 and IMAP-3 mail servers, respectively. Xinetd, ipop3, and imap don't require any configuration, but Postfix does. In order to make Postfix ignore requests from the Internet, search /etc/postfix/main.cf for the "inet_interfaces = $myhostname, localhost" line and change it to "inet_interfaces = X.X.X.X, localhost", where X.X.X.X is the IP address of your LAN interface. You might also want to add the following lines:
defer_transports = smtp
relayhost = X.X.X.X
disable_dns_lookups = yes
virtual_maps = hash:/etc/postfix/virtual
This will defer the transmission of mail messages, it will relay messages through your ISP's SMTP server (assuming you replace the X.X.X.X term with your ISP's mail server IP address), it will disable DNS lookups on hosts (which can improve performance), and it will let you use virtual domains (which is handy if your LAN domain name is different from your ISP's domain name, and you want to receive mail addressed to your mailbox on the ISP). Of course, if you want to use a virtual map, you will have to create one, which might look like this:
blimpy@foo.bar blimpy@lan.net
In this example, your ISP is foo.bar and you decided to call your local network lan.net. Once the map is created, you would run "postmap virtual" to create the virtual.db hash file. You might also want to edit /etc/postfix/aliases in order to make yourself the recipient for all root mail, and then run "newaliases" to update the aliases.db hash file. One final note: while imapd is very reliable, the ipop3d binary that ships with LM 7.2 is a little flaky. It may be necessary to download the source from the University of Washington IMAP home page at http://www.washington.edu/imap/ and compile a fresh binary.
One last toy: Sitecopy
Sitecopy is my personal favourite when it comes to updating websites. Not only is it free, but it's easy to configure, it's quick and dirty, it doesn't require an FTP gateway, and it can be easily used in conjunction with SSH. Go to http://www.lyra.org/sitecopy/ to get the source, and then compile and install it. Then, simply create a .sitecopy subdirectory in your home directory (with 700 permissions), and a file called .sitecopyrc, which might look something like this:
site MySite.Com
server ftp.host.com
port 21
url http://www.host.com/blimpy
protocol ftp
ftp showquit
username blimpy
password win2ksucks
remote ~/public_html
local ~/website
exclude *tmp*
In this example, the website is called MySite.Com, and it's stored at host.com, which is presumably your ISP. We're using the FTP protocol, our login username is blimpy, and our login password is win2ksucks. The local and remote directories are specified, and any file with tmp anywhere in its name will be excluded. The first time you use it with a brand new website, you would type "sitecopy -i" in order to initialize the directories. From then on, whenever you want to update the website, you would type "sitecopy -u MySite.Com", and it would automatically upload whichever files have changed since your last update. Unlike Crystal SiteUpdater, it works by maintaining a local table of filenames and dates, so it knows which files have changed without having to perform a time-consuming datestamp comparison with the files on the FTP server.
There are two reasons that I use sitecopy instead of Crystal SiteUpdater. First, sitecopy is free, while Crystal SiteUpdater is crippleware (after 30 days it shuts down). Secondly, sitecopy works with SSH tunneling, so you won't have to send cleartext passwords over the Internet. This is no small consideration, particularly in this day and age of cable modems, where every idiot in your entire neighbourhood can run ethereal or tcpdump and see all your passwords.
In order to create an SSH tunnel, you would execute the following command: "ssh -l blimpy -L 5021:ftp.host.com:21 ftp.host.com". This tells SSH to connect to ftp.host.com as user "blimpy", and it also tells it to tunnel local port 5021 to remote port 21. Once you've connected through SSH, you would then access the remote FTP server by FTPing to localhost, port 5021 (it sounds weird, but it works). The only caveat is that you must use pftp (passive FTP) instead of regular FTP, or it won't work (that's part of the nature of FTP and SSH tunneling). Many FTP clients don't support passive FTP, but sitecopy does. Therefore, you can simply set the server to localhost and the port to 5021 in .sitecopyrc, and sitecopy will tunnel through SSH to access your website. Presto, no more cleartext passwords over the wire!
Last changed: 2004/08/15