
AIM: Install Ubuntu 10.04 LTS server with the following applications and services:

- LAMP (Linux, Apache, MySQL, PHP & Perl)
- Firewall
- Router / NAT translator
- OpenVPN client / server
- PPTP client / server
- Squid 3.1 with NTLM authentication and ACLs using Windows AD
- MySAR reporting on Squid
- Automatic browser configuration (wpad.dat)
- Samba / Winbind (AD integration)
- CUPS server
- SWAT
- OCSInventory (latest version)
- GLPI (latest version)
- Munin from repositories
- Nagios from repositories
- SNMP
- Drupal6
- Webmin
- Sendmail
- Time sync / time source

Basic Install Procedure
1. Boot server with CD (or ISO if in a virtual environment)
   1. Pick country / language / keyboard
   2. Partition / set up RAID / set up LVM according to requirements
   3. Enter hostname (ubu-squid31 for the testbed)
   4. Username (firewall) / create password
   5. Install security updates automatically
   6. Choose to install the following software:
      1. LAMP Server
      2. OpenSSH Server
   7. Insert password for MySQL
2. Reboot / SSH login
3. sudo apt-get update && sudo apt-get upgrade
4. Reboot

Webmin
1. FTP to http://ftp.us.debian.org/debian/pool/main/libm/libmd5-perl/ and download the latest (at the time of writing, libmd5-perl_2.03-2_all.deb)
2. sudo dpkg -i libmd5-perl_2.03-2_all.deb
3. Obtain the latest .deb for webmin from www.webmin.com
4. sudo dpkg -i webmin_1.510_all.deb (will give errors)
5. sudo apt-get install libnet-ssleay-perl (will give errors)
6. sudo apt-get -f install
7. https://your-server-ip:10000

NIC Configuration
1. sudo nano /etc/sysctl.conf
   1. Uncomment the line #net.ipv4.ip_forward=1
2. Reboot
3. sudo touch /etc/iptables.up.rules
4. sudo nano /etc/network/interfaces
5. The default file will look something like this:

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    iface eth0 inet dhcp

6. Edit the file to look like this. (A bit of trial and error may be needed to work out which interface is which: PUBLIC faces the Internet, PRIVATE faces your local network.)

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The PUBLIC network interface
    auto eth0
    iface eth0 inet dhcp

    # The PRIVATE network interface
    auto eth1
    iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.0

7. sudo /etc/init.d/networking restart

Firewall
1. sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
2. Go to https://your-server-ip:10000 (Webmin): Networking | Firewall | Enable | Save | Apply
3. Overwrite the file /etc/iptables.up.rules with the following content (again, eth0 is PUBLIC!)

    # Generated by iptables-save v1.4.4 on Mon Apr 26 10:54:39 2010
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    # Accept traffic from internal interfaces
    -A INPUT ! -i eth0 -j ACCEPT
    # Accept traffic with the ACK flag set
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    # Allow incoming data that is part of a connection we established
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    # Allow data that is related to existing connections
    -A INPUT -m state --state RELATED -j ACCEPT
    # Accept responses to DNS queries
    -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
    # Accept responses to our pings
    -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
    # Accept notifications of unreachable hosts
    -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
    # Accept notifications to reduce sending speed
    -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
    # Accept notifications of lost packets
    -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
    # Accept notifications of protocol problems
    -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
    # Allow connections to our SSH server
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    # Allow connections to our IDENT server
    -A INPUT -p tcp -m tcp --dport auth -j ACCEPT
    COMMIT
    # Completed on Mon Apr 26 10:54:39 2010
    # Generated by iptables-save v1.4.4 on Mon Apr 26 10:54:39 2010
    *nat
    :PREROUTING ACCEPT [1:48]
    :POSTROUTING ACCEPT [1:48]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Mon Apr 26 10:54:39 2010
    # Generated by iptables-save v1.4.4 on Mon Apr 26 10:54:39 2010
    *mangle
    :PREROUTING ACCEPT [1:48]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [1:48]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [1:48]
    COMMIT
    # Completed on Mon Apr 26 10:54:39 2010

4. sudo init 6
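The ruleset above is loaded by iptables-restore at boot, and a single typo (a missing COMMIT, the wrong interface in the MASQUERADE line) either rejects the whole file or quietly exposes the PUBLIC side. The script below is an added example, not part of the original guide: a read-only lint you can run against /etc/iptables.up.rules before rebooting. It checks the properties the guide's ruleset depends on (INPUT policy DROP, masquerade on the PUBLIC interface, no blanket accept on that interface, matching table headers and COMMITs) and warns about the `--tcp-flags ACK ACK` rule, which admits any inbound TCP segment with ACK set regardless of connection state even though the ESTABLISHED rule already admits legitimate replies. The sample dump it ships with is constructed; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide: a read-only lint for an
# iptables-save style dump such as /etc/iptables.up.rules. Run it before
# iptables-restore so a typo does not leave the PUBLIC side open.
#   check_rules FILE [PUBLIC_IFACE]   (default eth0)
# Prints findings and returns the number of problems found.

check_rules() {
    file="$1"
    pub="${2:-eth0}"
    problems=0

    # 1. The filter table's INPUT policy must be DROP; every other rule is
    #    an explicit exception to that default.
    if ! grep -q '^:INPUT DROP' "$file"; then
        echo "PROBLEM: filter INPUT policy is not DROP"
        problems=$((problems + 1))
    fi

    # 2. NAT must masquerade on the PUBLIC interface, not the PRIVATE one.
    if ! grep -q -- "-A POSTROUTING -o $pub -j MASQUERADE" "$file"; then
        echo "PROBLEM: no MASQUERADE rule for $pub in the nat table"
        problems=$((problems + 1))
    fi

    # 3. The guide's 'internal interfaces' rule is '! -i PUBLIC'; a blanket
    #    accept on the PUBLIC interface would undo the DROP policy.
    if grep -q -- "-A INPUT -i $pub -j ACCEPT" "$file"; then
        echo "PROBLEM: blanket ACCEPT on PUBLIC interface $pub"
        problems=$((problems + 1))
    fi

    # 4. Each *table header needs a matching COMMIT, or iptables-restore
    #    rejects the file and whatever was loaded before stays in force.
    tables=$(grep -c '^\*' "$file" || true)
    commits=$(grep -c '^COMMIT' "$file" || true)
    if [ "$tables" -ne "$commits" ]; then
        echo "PROBLEM: $tables table headers but $commits COMMIT lines"
        problems=$((problems + 1))
    fi

    # 5. Warning only: '--tcp-flags ACK ACK -j ACCEPT' admits any TCP
    #    segment with ACK set, whatever the connection state. The
    #    ESTABLISHED rule already admits legitimate replies.
    if grep -q -- '--tcp-flags ACK ACK -j ACCEPT' "$file"; then
        echo "WARNING: ACK-flag rule bypasses state tracking for inbound segments"
    fi

    return "$problems"
}

# Constructed sample dump in the same layout as the guide's file.
sample_rules() {
cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Stand-alone run: lint the constructed sample, then the real file if present.
tmp=$(mktemp)
sample_rules > "$tmp"
if check_rules "$tmp" eth0; then echo "sample: OK"; fi
rm -f "$tmp"
if [ -f /etc/iptables.up.rules ]; then
    check_rules /etc/iptables.up.rules eth0 || echo "real file: $? problem(s)"
fi
```

Run it as `sh check_rules.sh` after saving the file and before `sudo init 6`; a non-zero return means fix the file first. Passing `eth1` as the second argument is a quick way to confirm the interface roles are what you think they are.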

Optional DHCP Server (if no other DHCP server is on your PRIVATE subnet) (I have to do this in my particular VM environment . . .)
1. sudo apt-get install dhcp3-server
2. Webmin: Refresh Modules | Servers | DHCP Server. Add a new subnet; you need a name, subnet address, subnet mask and the range of IPs to assign. Under Client Options for the new subnet, enter a value for Domain Name & DNS server (use a .local domain, e.g. private.home.local). Ensure that the default gateway is the IP of your PRIVATE NIC. Start the server.

Rsyslog
1. sudo apt-get install rsyslog-mysql rsyslog-doc
2. Give the root MySQL password, then create a new password for rsyslog-mysql

Sendmail
1. sudo apt-get install sendmail sendmail-doc rmail logcheck mailutils

Samba / Cups
1. sudo apt-get install samba winbind swat samba-doc samba-doc-pdf cups smbldap-tools ldb-tools hplip cups-pdf smbclient libfont-freetype-perl hplip-cups openprinting-ppds openprinting-ppds-extra cjet foomatic-db-hpijs hpijs-ppds hplip-doc libauthen-sasl-perl slpd openslp-doc sensord read-edid

Munin
1. sudo apt-get install munin munin-libvirt-plugins munin-plugins-extra libdbd-csv-perl libxml-dom-perl liblog-dispatch-perl munin-java-plugins liblwp-useragent-determined-perl smartmontools ruby ethtool libcache-cache-perl libcrypt-ssleay-perl libtext-csv-xs-perl libxml-simple-perl libnet-netmask-perl
2. sudo nano /etc/apache2/conf.d/munin
3. Insert a line "Allow from 10.0.0.0/24" (or whatever your local subnet is, or be more restrictive) just below the existing "Allow from" line
4. sudo apache2ctl restart
5. Go to http://your-server-ip/munin

Nagios
1. sudo apt-get install nagios3-doc nagios3 nagios3-cgi nagios3-common nagios3-core libgd2-xpm nagiosgrapher nagios-nrpe-plugin nagios-plugins-extra nagios-snmp-plugins nagios-statd-server nagios-statd-client nagvis nbtscan ndoutils-mysql
2. Provide a password for nagios3-cgi (web access). The user is nagiosadmin
3. Provide the SQL password for nagvis
4. Say yes to the dbconfig-common dialog, provide the admin password and then the new password (twice)
5. Go to http://your-server-ip/nagios3

OCS Inventory Server
1. sudo apt-get install php5-suhosin php5-cgi php5-cli php5-tidy php-pear libapache2-mod-perl2 read-edid nmap
2. sudo apache2ctl restart
3. sudo cpan
   1. 'yes' to the configure-automatically prompt
   2. install Apache::DBI
   3. install Net::IP
   4. install SOAP::Lite
   5. <enter>
   6. yes
   7. yes (to prepend)
   8. install XML::Entities
   9. exit
4. Obtain tarballs from http://www.ocsinventory-ng.org/
   1. OCSNG_UNIX_SERVER-1.3.1.tar.gz
   2. OCSNG_WINDOWS_AGENT_4061.1.zip (Windows)
   3. Ocsinventory-Agent-1.1.2.tar.gz
   4. OCSNG_AGENT_DEPLOYMENT_TOOL_1.02.zip (Windows)
5. Copy the .tar.gz files to /home/firewall
6. tar zxvf OCSNG_UNIX_SERVER-1.3.1.tar.gz
7. tar zxvf Ocsinventory-Agent-1.1.2.tar.gz
8. cd OCSNG_UNIX_SERVER-1.3.1/
9. sudo ./setup.sh
10. Accept all defaults
11. sudo apache2ctl restart
12. Go to http://your-server-ip/ocsreports/install.php
13. Log in the first time as the database admin user (root) with the password created during the initial server install
14. 'Submit Query', then follow the link to open the GUI; log in with user admin, password admin

GLPI
1. Obtain the glpi .deb file from http://www.glpi-project.org/spip.php?lang=en
2. sudo dpkg -i glpi_0.72.4-2_all.deb
3. Yes to configure the database using dbconfig
4. Authenticate with the root dbadmin password, give the glpi database a password & confirm it
5. Go to http://your-server-ip/glpi/
6. Log in with user glpi, password glpi

OCSInventory GLPI mass import plugin
1. Obtain the plugin from https://forge.indepnet.net/projects/massocsimport/files
2. tar zxvf glpi-massocsimport-1.3.0.tar.gz
3. sudo mv massocsimport/ /usr/share/glpi/plugins/
4. Go to http://your-server-ip/glpi/
5. Setup | Plugins | Install | Activate
6. OCS Import (left side, green)
7. Configuration | Restrictions | Activate OCSNG Mode: Yes. Post; the screen refreshes!
8. Click localhost (left, green)
9. Activate Automatic Link, MAC Address, Serial Number.
10. General Information: make all 'No' into 'Yes'
11. POST! (underneath)
12. Inventory Number: 'TAG'
13. Location: 'Hardware ID'
14. Note: the settings above depend on what you need; nothing after the Activate Automatic Link part is cast in stone

OCSInventory Client (Unix)
1. Change to the directory where the unified Unix client was untarred earlier
2. cd Ocsinventory-Agent-1.1.2/
3. sudo cpan
   1. install Proc::Daemon
   2. install Proc::PID::File
   3. install Net::CUPS (if CUPS is installed)
4. perl Makefile.PL
5. make
6. sudo make install
7. yes to configure the agent
8. 2 for /etc/ocsinventory-agent
9. yes
10. Enter the IP / FQDN of your server
11. n for credentials
12. y for tag
13. Write something here
14. y for cron task
15. Defaults for the rest!

Squid 3.1
It's a shame that Squid 3.1 is not in the Ubuntu repositories.... I didn't want an old 2.7 or 3.0 squid box...
1. sudo apt-get install build-essential libldap2-dev libpam0g-dev libdb-dev dpatch cdbs libsasl2-dev debhelper libcppunit-dev libkrb5-dev comerr-dev libcap2-dev libexpat1-dev libxml2-dev libcap2-dev dpkg-dev curl
2. wget http://ftp.de.debian.org/debian/pool/main/s/squid3/squid3_3.1.1-1.dsc
3. wget http://ftp.de.debian.org/debian/pool/main/s/squid3/squid3_3.1.1.orig.tar.gz
4. wget http://ftp.de.debian.org/debian/pool/main/s/squid3/squid3_3.1.1-1.diff.gz
5. dpkg-source -x squid3_3.1.1-1.dsc
6. cd squid3-3.1.1/
7. dpkg-buildpackage -b
8. cd ../
9. Download squid-langpack...deb from http://packages.debian.org/sid/squid-langpack
10. sudo dpkg -i squid-langpack...deb (just use the latest version number)
11. sudo dpkg -i squid3-common_3.1.1-1_all.deb
12. sudo dpkg -i squid3_3.1.1-1_amd64.deb (note: a 64-bit system produces this file)
13. sudo dpkg -i squid3-cgi_3.1.1-1_amd64.deb
14. sudo cp /usr/share/doc/squid3-common/squid.conf.documented.gz /etc/squid3
15. sudo gunzip squid.conf.documented.gz
16. Activate squid for testing, no authentication yet...
   1. sudo nano /etc/squid3/squid.conf
   2. Edit one of the acl localnet lines: uncomment it and match the subnet address to yours.
   3. Add http_access allow localnet just below http_access allow localhost
   4. Uncomment and edit the 'cache_dir' line
      1. The default is cache_dir ufs /var/spool/squid3 100 16 256
         1. The 100 is the size of the cache in MB. 100 is tiny; I'm going for 1024 (in my VM)
         2. 16 is the number of first-level directories. I'm going for 64
   That's a very basic, but working, Squid configuration.
17. sudo /etc/init.d/squid3 restart (you should see the cache directories being created).
18. Edit your browser's configuration to 'manual proxy': enter your-server-ip as the IP address and 3128 as the port. Go to http://www.whatismyip.com/ . You should see "Possible Proxy Detected: 1.1 localhost (squid/3.1.1)".
19. sudo tail /var/log/squid3/access.log; there should be stuff there.
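Tailing access.log proves the proxy is in the path, but the same file answers the questions you will actually ask later (who is using the proxy, what is being refused, how much is being cached). The script below is an added example, not part of the original guide: a few awk one-liners over Squid's native access.log format (time, elapsed ms, client, code/status, bytes, method, URL, user, hierarchy/peer, type), which is the ad-hoc version of what MySAR reports. The log lines are constructed; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide: quick reads of Squid's
# native access.log. Field layout: time elapsed client code/status bytes
# method URL user hierarchy/peer type. The sample lines are constructed;
# point the functions at /var/log/squid3/access.log on a real server.

sample_access_log() {
cat <<'EOF'
1272276879.123    150 10.0.0.23 TCP_MISS/200 4521 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1272276880.456      2 10.0.0.23 TCP_HIT/200 1203 GET http://www.example.com/logo.png - NONE/- image/png
1272276881.789     90 10.0.0.45 TCP_DENIED/407 3610 GET http://www.example.org/ - NONE/- text/html
1272276883.001    310 10.0.0.45 TCP_MISS/200 8800 CONNECT mail.example.net:443 jsmith DIRECT/198.51.100.7 -
1272276884.250      0 10.0.0.99 TCP_DENIED/403 3700 CONNECT 203.0.113.5:8080 - NONE/- text/html
EOF
}

# Bytes and request count per client, largest first: "client bytes requests"
bytes_per_client() {
    awk '{ bytes[$3] += $5; reqs[$3]++ }
         END { for (c in bytes) printf "%s %d %d\n", c, bytes[c], reqs[c] }' "$1" | sort -k2,2nr
}

# Number of requests Squid refused. TCP_DENIED covers both 407 (no
# credentials yet, normal once NTLM auth is on) and 403 (policy says no).
denied_requests() {
    awk '$4 ~ /^TCP_DENIED\// { n++ } END { print n + 0 }' "$1"
}

# Denied CONNECT attempts. With the default "http_access deny CONNECT
# !SSL_ports" line in place these are tunnel attempts to non-443 ports,
# which belong in the daily report: "client destination" per line.
denied_connects() {
    awk '$4 ~ /^TCP_DENIED\// && $6 == "CONNECT" { print $3, $7 }' "$1"
}

# Cache hit ratio in whole percent over the file.
hit_ratio() {
    awk '$4 ~ /^TCP_(MEM_)?HIT/ { hits++ } { total++ }
         END { if (total) print int(100 * hits / total); else print 0 }' "$1"
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp)
sample_access_log > "$tmp"
echo "client bytes requests"; bytes_per_client "$tmp"
echo "denied requests: $(denied_requests "$tmp")"
echo "denied CONNECTs:"; denied_connects "$tmp"
echo "hit ratio: $(hit_ratio "$tmp")%"
rm -f "$tmp"
```

On the sample, 10.0.0.45 tops the byte count, two requests were denied, one of them a CONNECT to a non-SSL port, and the hit ratio is 20%. Once NTLM authentication is switched on, a sudden rise in 407s from one client is usually a misconfigured browser rather than an attack, which is why the 403/407 split matters.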

Further Squid Configuration
1. sudo nano /etc/squid3/squid.conf
2. Insert the following just after the (default) acl localnet src section:
   1. acl locserv dst 127.0.0.1 192.168.35.0/24
3. Insert the following just after the http_access deny CONNECT !SSL_ports directive:
   1. no_cache deny locserv
4. Insert the following after the cache_dir directive:
   1. maximum_object_size 50 MB
   2. cache_mgr webmaster@YourDomain
   3. visible_hostname Your_Domain
   4. always_direct allow locserv
   5. uri_whitespace encode
5. Save and exit
6. sudo /etc/init.d/squid3 restart
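Both Squid sections insert lines at specific positions, and the position matters: Squid evaluates http_access lines top to bottom and stops at the first match, so an "http_access allow localnet" that lands above the default "deny CONNECT !SSL_ports" lets the LAN CONNECT to any port, and one that lands below "deny all" is never reached. Every acl name used in an access directive must also be defined, or squid refuses to start. The script below is an added example, not part of the original guide: a lint for those two edit sessions, with a constructed config built from the guide's values and a deliberately broken variant. The function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide: a lint for the squid.conf
# edits described in the two Squid sections.
#   lint_squid_conf FILE   prints findings and returns their count.

lint_squid_conf() {
    file="$1"
    problems=0

    # Names referenced by access-control directives, with a leading '!' stripped.
    used=$(awk '$1=="http_access" || $1=="no_cache" || $1=="cache" ||
                $1=="always_direct" || $1=="never_direct" {
                    for (i = 3; i <= NF; i++) { n = $i; sub(/^!/, "", n); print n }
                }' "$file" | sort -u)
    for name in $used; do
        [ "$name" = "all" ] && continue          # built into Squid 3.1
        if ! awk -v n="$name" '$1=="acl" && $2==n { f=1 } END { exit !f }' "$file"; then
            echo "PROBLEM: acl '$name' is used but never defined"
            problems=$((problems + 1))
        fi
    done

    # Line numbers of the three ordering anchors.
    n_connect=$(awk '$1=="http_access" && $2=="deny" && $3=="CONNECT" { print NR; exit }' "$file")
    n_localnet=$(awk '$1=="http_access" && $2=="allow" && $3=="localnet" { print NR; exit }' "$file")
    n_denyall=$(awk '$1=="http_access" && $2=="deny" && $3=="all" { print NR; exit }' "$file")

    if [ -z "$n_localnet" ]; then
        echo "PROBLEM: no 'http_access allow localnet' line; the LAN cannot use the proxy"
        problems=$((problems + 1))
    else
        if [ -n "$n_connect" ] && [ "$n_localnet" -lt "$n_connect" ]; then
            echo "PROBLEM: 'allow localnet' (line $n_localnet) precedes 'deny CONNECT !SSL_ports' (line $n_connect): LAN may CONNECT to any port"
            problems=$((problems + 1))
        fi
        if [ -n "$n_denyall" ] && [ "$n_localnet" -gt "$n_denyall" ]; then
            echo "PROBLEM: 'allow localnet' (line $n_localnet) comes after 'deny all' (line $n_denyall) and is never reached"
            problems=$((problems + 1))
        fi
    fi

    # cache_dir must be active (uncommented) or Squid runs memory-only.
    if ! awk '$1=="cache_dir" { f=1 } END { exit !f }' "$file"; then
        echo "PROBLEM: no active cache_dir line"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed config with the guide's edits in the order it describes.
sample_squid_conf() {
cat <<'EOF'
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/24
acl locserv dst 127.0.0.1 192.168.35.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
no_cache deny locserv
http_access allow localhost
http_access allow localnet
http_access deny all
http_port 3128
cache_dir ufs /var/spool/squid3 1024 64 256
maximum_object_size 50 MB
always_direct allow locserv
uri_whitespace encode
EOF
}

# Same config with two mistakes: 'allow localnet' moved above the CONNECT
# rule, and the locserv acl definition left out.
sample_squid_conf_broken() {
    sample_squid_conf | grep -v '^acl locserv ' | awk '
        $1=="http_access" && $3=="localnet" { next }
        { print }
        $1=="http_access" && $2=="deny" && $3=="manager" { print "http_access allow localnet" }'
}

# Stand-alone run: the good sample passes, the broken one reports two problems.
tmp=$(mktemp)
sample_squid_conf > "$tmp"; lint_squid_conf "$tmp" && echo "sample: OK"
sample_squid_conf_broken > "$tmp"; lint_squid_conf "$tmp" || echo "broken sample: $? problem(s)"
rm -f "$tmp"
```

Run `lint_squid_conf /etc/squid3/squid.conf` after each edit session and before the restart; it is cheap, and it catches the ordering mistake that `squid3 -k parse` does not, because a misplaced allow is syntactically valid.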

MySAR
1. Download from http://sourceforge.net/projects/mysar/files/
2. tar zxvf mysar-2.1.4.tar.gz
3. sudo mv mysar/ /usr/local/
4. ln -s /usr/local/mysar/etc/mysar.apache /etc/apache2/conf.d/mysar
5. sudo apache2ctl restart
6. Go to http://your-server-ip/mysar
7. Follow the instructions in the wizard
8. On the MySAR page | Administration, change the access.log location to /var/log/squid3/access.log
9. Copy the contents of /usr/local/mysar/etc/mysar.cron and append them to /etc/crontab
   1. (the ln -s as per the default procedure did not work for some reason...)

Drupal6
1. sudo apt-get install drupal6
2. Yes to use the dbconfig thing
3. Choose MySQL
4. Do the password ritual
5. Go to http://your-server-ip/drupal6/install.php
6. Follow the simple wizard

OpenVPN / PPTP
1. sudo apt-get install openvpn pptp-linux
