This section covers the configuration of the firewall, ssh, and creating user accounts. The final part will cover the install of MySQL, PHP, and Pure-ftp.

Now this part is all command line baby!!!  So I’m not going to provide any screen shots since you shouldn’t need them.  If you think you need screen shots for this section just stop reading now.  Seriously leave!  Okay so first I’m going to setup ssh.  It should already be installed so all we need to do is configure it.

I’m kind of a security freak so I’m going to walk you through how to do public-key authentication, and how to change the port of the ssh server so you aren’t logging in on the standard port 22.  But before we do that I’m going to show you how to setup the firewall.  This is a basic setup but should be pretty secure. If you want to know more about configuring the firewall check out this tutorial.

cd ~
mkdir scripts
vim .ssh/myfirewall


Just paste in this script (make modifications where you see fit):
#!/bin/bash
#
# iptables firewall configuration script

# flush all current rules from iptables
iptables -F

# allow ssh connections on tcp port 8768 <-- this is just random pick anything over 6000
iptables -A INPUT -p tcp --dport 8768 -j ACCEPT
# allow ftp connections on tcp port 21 <-- for more security you can change this
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# set access for localhost
iptables -A INPUT -i lo -j ACCEPT

# accept packets belonging to esablished and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# save settings
/sbin/service iptables save

# list the rules
iptables -L -v

Finally make this file executable and you have a script:
chmod +x myfirewall

To run it you just type (you must be logged in as root):
~/scripts/myfirewall

This will make it easier when you want to add rules. It flushes all the rules, rebuilds the rules, saves them, and lists all the rules at the end. Once this is done we should reboot to let the firewall settings take effect.
shutdown -r now

Another thing we want to do before we configure ssh is to create a user. We aren’t going to allow root access to ssh so we need someone to login as. Once it’s restarted we are going to login as root and create a user. (just replace username and password with your desired username and password)
useradd username
passwd username password

Now when you login to that username you can always switch to the root user by typing:
su -
Then it will prompt you for the root password. To switch back:
logout

Rule of thumb is to never login to root unless you absolutely have to in order to change something. It can be really dangerous to login as root all the time because if you make a mistake there is most likely no way of going back. Now that I gave you that warning we are going to login as root because we need to setup the ssh server.

First let’s create a backup of the sshd_config file so we can go back if we make a mistake.
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Now let’s edit the original file.
vim /etc/ssh/sshd_config

And just copy this configuration and paste it into the window. Or you can type it in manually, just make sure to double check everything at the end.

After you have done that all you need to do is to create the .ssh folder with the authorized keys file.  Make sure you are logged in as a user other than root and do this.

mkdir ~/.ssh
chmod 700 ~/.ssh

Now all you have to do is to upload your public key to the server. If you do not have one it’s pretty easy to make.

Now that you have the public-key authentication set up we need to disable the password authentication. Just go edit the sshd_config file:

vim /etc/ssh/sshd_config

Find the line that says:

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

and change it to:

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

Warning: only disable the password authentication if you for sure can login using public-key authentication. If you don’t then you will have to have console access to fix it.

Okay so I didn’t plan on having a part 3 to this tutorial, but there is a lot more than I thought there would be. So now that we have ssh setup properly and have the firewall configured then we are good to move on to the next part.

It will then prompt you with something like this:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): <– I just press enter here
Enter passphrase (empty for no passphrase): <– I usually put in a password
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key finger print is:
9d:27:2f:d5:6f:31:a3:fc:8f:f2:10:76:6e:bc:aa:88 user@localhost.localdomain

Now that you have a public and private key pair you need to upload your public key to the server you want to connect to.

scp ~/.ssh/id_rsa.pub user@host:.

Once you do that you need to login to the remote machine and copy the contents of your public key to the users authorized_keys file.

cat ~/id_rsa.pub >> .ssh/authorized_keys

if there is no .ssh directory:

mkdir .ssh
chmod 700 .ssh

if there wasn’t an authorized_keys file before, make sure to modify the permissions (this only needs to be done if you are using strict permissions in the /etc/ssh/sshd_config):
chmod 600 .ssh/authorized_keys

That is all you have to do from the client side on a Linux/Unix/Mac Os X machine. Now lets look at the Windows way of doing things. I have done this with both XP and Vista before so it should work the same way, that is as well as I can remember it works the same.

Windows doesn’t come with an ssh client, unlike the other operating systems, so you must download a client in order to use ssh. Luckily there is PuTTY! If you click on the very top download it should only take a minute since it is a very lightweight application. While you are there you are going to need PuTTYgen as well.

Now for the part that sucks for me… having to take screen shots, optimize the images, upload them and paste them. All the while supplying you with step by step instructions. Seriously I give props to the people that do this more than I do, this takes a long time to make a tutorial.

So lets open up PuTTYgen and see what it looks like.

Just click on the “Generate” button.  And you will get this screen.

This part is kind of fun because you get to move your mouse around in that area to generate the key.  The only time it sucks is when you set the number of bits to higher than 1024, I would normally go with 2048 but you always have the choice of 4084 as well.  If you choose the last one I hope you have some stamina because it takes a while.

Now you just need to type in the information you want.  If you don’t want to put a password for the private key that is your choice.  If you want to make a password you can always use pageant to make it so you don’t have to type a password everytime.  MAKE SURE YOU SAVE BOTH THE PRIVATE AND PUBLIC KEYS!  And put them in a location you can find.

Now we insert that private key into PuTTY.  So lets configure our PuTTY session.

First we are going to open up PuTTY and go to the Auth section under SSH.  Leave the defaults and browse for where you saved your private key.  Now go back up to Sessions.

Fill out the connection information, create a session name and save the configuration.  Now we have to upload the public key to the server.

Hopefully the ssh server is using password authentication right now, or you have some means to ssh into the server.  Because this is now command line via ssh.  Let’s upload the public key to the server.

scp /path/to/file/publickey.pub user@host:.

Now connect via ssh to the server, we are going to add the public key to the authorized_keys file.  Since we used PuTTYgen to create the public key we need to convert it to the openssh format. And in that same command we append it to the end of the authorized_keys file.

ssh-keygen -if publickey.pub >> .ssh/authorized_keys

and that’s all folks!  Now you should be able to connect to your server using public key authentication.  Hope you made it through this okay.

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 8768
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel DEBUG

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
#X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

This is good news for me, and good news for you if you want to be like me and build servers.  This server is going to be a Pure-ftp server install.  So I’m going to have it setup for everything I need to have a working FTP server

So I guess we can start at the beginning. I’m going to walk through the install steps that I did. I don’t really like the way that CentOS takes up so much space when you install a Graphical User Interface (GUI, I know most of you are thinking, “I’m not a moron I know what that means”). Luckily CentOS gives you lots of options in the installation.

I downloaded the DVD image here: http://isoredirect.centos.org/centos/5/isos/i386/

If you want the 64-bit version: http://isoredirect.centos.org/centos/5/isos/x86_64/

I am using the i386 version but I’m assuming the install goes pretty much the same way.

Once you have that, and a ready machine to install it on (mine is a virtual machine) then we are ready to begin.

So pop the CD in and boot up the machine to the CD.

Just hit enter at this screen.

The next screen asks you to check the CD, just go ahead and skip it.

Then once it loads the GUI install screen hit next.

Select the language.

Choose your keyboard layout.

Now my (virtual) disk was completey unformatted so I got this warning.  I just clicked yes.

Now on this next screen I don’t really need any special partitioning schemes.  I’m installing this on to an 8 GB disk and once I have it up on my servers I’m going to add like a 20 GB secondary disk.  If you don’t know much about partitioning you should read this.

I told it to delete everything on the disk so it will throw a warning which I accept.

On this you normally want to do a manual static IP address assignment.  But I’m not going to do that, because I am using DHCP assignments so this will have it’s own reserved address on my network.  So while you might want to use a static address, I’m going to accept the default and use DHCP.

Next you want to choose your time zone.

Choose a password for the root login.  I recommend at least 8 characters, and using a random password generator making sure to include both capital and lowercase alphanumeric characters as well as symbols. (ex. Niu!5a?L, but just so you know I didn’t use this one) I have these generated for me using a random password generator online. I usually have it generate like 10-15 then I choose the ones I like.  Just make sure you can remember it.

Next we are going to choose our environment.  I am looking for optimal performance in this server so I’m not going to choose a GUI, they just take up too many resources, so I am selecting server.  This will be command line only after the OS install.  Notice at the bottom how I selected “customize now” at the bottom of the screen.

Next we are going to choose some packages to install from the CD.  We are going to leave the defaults in most categories but we need to add and subtract a few here and there.  On this screen I chose that I wanted the development tools (this is so we can compile programs from source if neccessary).

In the server category we are going to uncheck most of them.  I only left the mail server (in case I want to setup notifications later using a service monitor), server configuration tools, and at the very bottom even though you can’t see it Windows file integration.

After those customizations we hit next and move on and everything gets installed.

It takes about 15-20 minutes.  But we are finally finished with the CentOS install.  Next we will add our apache, php, mysql, pureftp, and other goodies.  We didn’t add them earlier because I like to have a little more control, I like to have the latest and greatest.  There are other cases where you want to install a certain version of apache or mysql and php because of support and what not.  Let’s move on shall we?

I am not going to cover the actual install of Ubuntu because this is going to be long enough without that. Ubuntu makes their installer very easy but if I get some requests to document the install process I might post it up later.

Once you have Ubuntu 8.04 installed the first thing you are going to want to do is edit your software repository sources list. Open up the command line (because the rest of this will be done using that) and away we go.

First make a backup of the sources.list file so if we screw it up you can revert back:

#: sudo cp /etc/apt/sources.list /etc/apt/sources.list_backup

Next edit the file:

#: sudo vi /etc/apt/sources.list

Comment out the line about the cd-rom drive. Uncomment the lines about the universe, backports, and security repositories, Save the file: (vi command -> :wq) and update the repositories packages:

#: sudo apt-get update

Next we are going to install the ssh server. I am only going to mention the things that I configure for ssh but I am not going to discuss why, so once it is installed you should check this out for getting the configuration to work.

Install ssh server:

#: sudo apt-get install ssh

Make a backup of the ssh configuration file:

#: sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup

Edit the ssh configuration file:

#: sudo vi /etc/ssh/sshd_config

Look for the line that says:

# What ports, Ips and protocols we listen for
Port 22

Change the port number to some arbitrary number like 6302, but make sure you remember the port number because you will need it to connect to the server. Look for the line like this:

PasswordAuthentication yes

and change it to no. Don’t do this until after you have verified that you can ssh into your server and it accepts the public key. Save the file. Then restart ssh using the following command:

#: sudo /etc/init.d/ssh restart

Next we are going to install ruby using apt-get. Some might prefer to install a particular version if this is the case look into building it from source. If you just want a working ruby on rails server and don’t care if it is version 1.8.6 then proceed with my instructions.

#: sudo apt-get install ruby irb ri rdoc ruby1.8-dev libzlib-ruby libyaml-ruby libreadline-ruby libncurses-ruby libcurses-ruby libruby libruby-extras build-essential libopenssl-ruby libdbm-ruby libdbi-ruby libxml-ruby libxml2-dev

(Note: that was all one line so don’t add any carriage returns)

Now that ruby is installed we are going to install RubyGems from source and use that to get rails and other things. First we need to download it using wget, I am installing RubyGems version 1.1.1 but you can download any version you want.

#: wget http://rubyforge.org/frs/download.php/35283/rubygems-1.1.1.tgz

Now lets extract and install it:

#: tar -xzf rubygems-1.1.1.tgz
#: cd rubygems-1.1.1
#: sudo ruby setup.rb
#: sudo ln -s /usr/bin/gem1.8 /usr/bin/gem

Next we will use Ruby Gem to install Rails:

#: sudo gem install rails

Once that is done we will install Mongrel (used for serving up rails):

#: sudo gem install mongrel
#: sudo gem install mongrel_cluster

Finally install Nginx (our webserver):

#: sudo aptitude install nginx

Alright we have everything installed, now it is time to configure it. But for now I am going to take a break, I know I know it only took 30 minutes to get to this point, but it has taken me hours to make this post so BACK OFF! I promise to post up the configuration for everything soon.


#!/bin/bash
#
# daily backup script the rsync way


# command variables
# this makes it easier to transfer the script to different
# flavors of Linux/Unix. sometimes the locations of these
# commands are in different places.
RSYNC=/usr/bin/rsync
SSH=/usr/bin/ssh
CP=/bin/cp


# directory variables
# RDIR is the remote directory you will be copying the contents of.
# LDIR is the local directory you want to copy to.
# BACKUP is the backup folder that will hold everything.
RDIR=./www/
LDIR=~/backup


# remote host variable
# this is the remote host you are connecting to via ssh.
RHOST=hostname


# rsync exclude file
# this file must exist or it will cause an error. anything you don't
# want to include from the source you will add it as a line in this file.
EXCLUDED=$LDIR/excluded_backup


# rsync options variable
# these are the options used for rsync to get the kind of backups
# you want.
# -a is the archive option which will do a lot of different things
# for you.
# -z is for compression, and -H is for preserving the hard-links.
# --delete will delete any files on the destination that are no longer
# in the source directory.
OPTS="-azH --backup --delete --exclude-from=$EXCLUDED"


# finally the rsync command that should create 7 daily backups
$RSYNC -e $SSH $OPTS $RHOST:$RDIR $LDIR/daily-`date +%u`

Now that you have it I will explain what this application does.  Quicksilver is, in the most simple explanation possible, an application launcher.  It will allow you to quickly access all of the applications and files in your computer.  It will save you tons of time, and you will soon become addicted to it.  It does do more than just launching applications of course but the other functions are more of an advanced use.  Luckily for you I am providing links to videos that will explain everything from the begining to the advanced.

I would explain it all myself, but why put in the work that someone has already done and probably better than I could do.  So without further ado here are the instructions to help you out with your new favorite program.

Introduction and Basic Use:

Intermediate:

Advanced:

After watching these you should hopefully see the value in this application, and your probably a pro at using it.  Enjoy!

How could I convey to them, in a one-hour period, that learning a program is not going to give them the knowledge they needed? So I gave up and showed them around Dreamweaver but made sure to throw out as many resources at the end, for those that really wanted to learn how to make websites.

But now my sister is stuck searching for classes on basic web design just to supplement what should have been built in to her $30,000 a year education. The maddening frustration of it all lit a spark under me and now I have set out to educate the world. I offer my services free of charge, that is unless someone decides to offer me millions of dollars to package my lessons into a book or something. Then you guys will be deciding which you need more, food or my fabulous book or DVD set or whatever it turns out to be.

But until that day I hope you guys at least learn a few things. Make sure to post comments on lessons telling me what you like and don’t like. I take constructive criticism very well but blatant bashing of a personal nature will not be tolerated. With that said enjoy the rest of the blog.