Setup a Linux Server from Start to Finish Using Webmin

Version 3.
84
Are you using the most current version of this how-to? Version numbers are located at the top right of this page.
Latest versions are available at my homepage http://woodel.com
Setting up a Linux Server, Start to Finish, using Webmin. By Kevin Elwood
This how-to assumes your looking to setup a Linux Server, not a Linux Desktop. For use without a keyboard, mouse, or GUI
interface. After setup completes you will be remotely managing it, and will not have a need for the monitor and keyboard once
you have finished the initial setup. This how-to also assumes you are connected to the internet, and have at least (2) computers
on the same network. It also assumes you will have at least (2) hard-drives in the server, one for the O.S. and one for the data.
Only one network card is needed until the optional \ advanced section.
For every download link, I offer an alternative source (from my server) so that you may follow this how-to exactly, down to the
same versions I used. Newer is better, and you’re encouraged to upgrade after you complete this how-to. But for continuity and
flow, I provide a link to the same exact versions used in this how-to. Also due to upgrades some versions may no longer be
available, if you run into this just use the links to my server, this will ensure matching print screens, or go to webmin.com and find
the newer link.
This how-to covers everything from the most basic setup, to a full blown server. You can choose how far to go in this step by step
how-to, even setting your Linux box up as your Router, Samba FileServer, Firewall, DNS, HTTP, HTTPS, FTP, VMWare Server,
backup solution, and more.
No table-of-contents, it is assumed you will follow this how-to, step by step, as each page builds off the previous ones. If you skip
a page, you could miss an installer or file called for later in the how-to. I hope you will find this how-to helpful. I will try my best to
respond via email at kevinthecomputerguy@gmail.com if you have questions, I will try my best to respond to all of them, but
please try my BLOG first. With any luck that will turn into a knowledge base.
My stuff will always be free for personal use, but if you would still like to contribute, you can donate money towards this, or one
of my other how-to's

Page 1

*Special thanks to:
Bill M., Mike J., Julio C., NathanR., Tim R., James M., Melissa E., Peter B., ggaron, till, sammydee, Mad Professor,
AdamLis, Mihai Marinof, Lani78, Jordan Sissel, Jerome1232, Drdos2006, and of course Jamie Cameron (Webmin\ Usermin)
Putty, Cobian Backup, Debian Linux, Ubuntu Linux, Ubuntuforums.org, and the millions of people that make it possible.
- OK... Let’s begin
Although this guide was created using Debian, it will also help Ubuntu users. You will run into some problems with Ubuntu’s firewall
(UFW) and Ubuntu’s Network Manager. Ubuntu’s local email and the way Ubuntu restarts services. Ubuntu uses vi not vim. But
these aren’t major problems, the work a rounds and differences are fairly minor, you can email me or read my blog for help. For a
step-by-step install, please use Debian.
Start by downloading and burning the latest stable Debian .iso from
http://www.debian.org/CD/http-ftp/
… Or from my sever
(32 bit)
http://t3.woodel.com/my-linux-how-to/debian-503-i386-CD-1.iso
(64 bit)
http://t3.woodel.com/my-linux-how-to/debian-503-amd64-CD-1.iso

Page 2

* You only need CD #1 , if there is more than one to choose from
*Due to upgrades some versions may no longer be available, if you run into this just use the links to my server, this will ensure
matching print screens. Or go to debian.org and find the newer link.
Before you begin the install… Remove any unwanted \ unneeded hardware. Such as zip drives, sound cards, etc…
Disable any useless BIOS options, such as com ports, integrated sound cards, etc…
Disable any Keyboard or Mouse warnings
Disable any power management features

Page 3

If your BIOS has an OS option, choose “Other”
Remove all hard drives except the one you’re planning on being the OS drive. This will ensure you do not format the wrong drive, and
help make this how-to a little smaller and easier to follow.
It is assumed you only have one network card at this point. If you have more than one, you may want to remove or disable them. The
second NIC won’t be used until the optional \ advanced sections, and can interfere with the eth numbering and firewall setup pre
optional \ advanced section.
Boot the computer off the Debian install CD, and choose “Install”

Page 4

Do not choose “Graphical Install” you don’t want that, just choose Install.
Everything in this how-to is case sensitive, so if I use lower-case, then use lower-case.
If you see something in capital letters, make sure to use capitals.
Basically copy it exactly as you see it.

Page 5

Page 6

Page 7

Page 8

Choose a unique name for the computer, I did deb32server1
To me that means, Debian, 32bit, Server, first one of several
Think of it as your computers first name, and on the next page we will set the last name.
You can make something up, we will be referring to this computer by its IP address anyway

Page 9

So the name is somewhat meaningless, as long as the name is unique, so that you don’t have a same name conflict with another
computer on your network.
You can even use deb32server1 just like I did
This is private to your network, it doesn’t matter if you copy me exactly. It may even help make the how-to a little easier to follow.

Page 10

Choose a domain name for the computer, I did diy.lan
Which to me means, Do It Yourself . Local Area Network
You can make something up. It’s almost like a last name for your computers.
It’s totally private to your network. But just like your family, you’re going to want to have all the same last name on all your
computers.
Which makes this computers full name deb32server1.diy.lan
Which to me means
Debian, 32bit, Server, first one of several, on a custom do it yourself Local Network
We will be referring to this computer by its IP address for now anyway, so this isn’t too important at this point.

Page 11

Much later on in the how-to, when we setup a Local Dynamic DNS server
(which is optional and advanced) you might find it easier to follow the how-to, if you also use diy.lan
It doesn’t have to end with .lan you could make something up.
I just think it will help the flow of the how-to if you chose something ending in .lan

Page 12

Choose your time zone

Page 13

Choose “Guided – use entire disk”

Page 14

If you removed all the other hard-drives pre install, you should only see one option here.

Page 15

Choose “All files in one partition”

Page 16

Page 17

Page 18

Choose a password for the account named root (choose a very strong password here)

Page 19

Created a second user, so you don’t always have to login as root.
Here I used the name wood
You can use anything you want

Page 20

I like to keep the username the same as the full name, this can help avoid confusion later on.

Page 21

Choose a password for the account you just created
(Choose a very strong password here, this user will have more rights than a normal user)

Page 22

Page 23

Page 24

Page 25

Page 26

You should be able to leave this blank, and click “Continue”
If you have a proxy, chances are you would know what to do here anyway.

Page 27

Page 28

Using the Space bar on your keyboard, un-check Desktop environment.
Make sure to un-check everything. With the exception of Standard system

We will install most of these things later in the how-to, don’t be tempted to click on them now. And most importantly, do not choose
Desktop environment. This is a server how-to, not a desktop how-to.

Page 29

Page 30

Remove the CD, and press Continue

Page 31

Did you see this screen? If not you probably didn’t remove the CD.
Make sure you are not booting off the CD anymore.

Page 32

If everything goes right, you should get a lot of text on the screen and finally a login prompt like this one.
Please ignore that mine says debian-1 at the bottom left. I am just at a different computer today.
If you were expecting that to say; deb32server1 login : you are right
I am just at a different computer today.
Your screen will say your computer name, followed by a login prompt
This won’t interrupt the flow of anything at this point

Page 33

Login as username root with the password you specified during setup.
*Note, if you can’t login as root, login as your username, and type sudo before every command

Page 34

Type vim /etc/apt/sources.list
*Note, if you get an error, some versions of Linux might want you to type vi instead of vim
Then hit the Enter key on your keyboard
(there is always a space after vim)

Page 35

* If you don’t see anything on the screen (the contents of that file) then you typed something wrong.
** When you see the screen above, you know you typed it correctly
Press the insert key on your keyboard to allow you to type inside the file
Use the # symbol to comment out un-wanted lines
Comment out any lines that have “cdrom” in them

Page 36

When you are finished press the Esc key on your keyboard, this will take you out of insert mode and should move your cursor to the
bottom left of the screen
Then press the : key
You should see this symbol on the bottom left of your screen
Then typewq!
So that it reads :wq! In the bottom left corner of the screen
Then press the enter key
It should then save the changes to that file, and exit you back to the command prompt.

Page 37

It will say something like “filename written”
You won’t need to use that vim editor very often after we complete the setup. But if you’re stuck
on it and can’t get it to work. Do a Google search on “Linux vi editor” there should be some
good examples that will help you on the previous page. Only if you’re stuck.
What that did was tell the computer to not use the CD when looking for software.
Now run apt-get update so it will both realize your cd-rom changes, and go look on the internet for the newest software
sources. This only looks for new sources, it doesn’t actually go get them.
(there is always a space after apt-get)

Page 38

As long as you’re connected to the internet, you should see something like this.
This next step is optional. After an apt-get update you will almost always want to
do an apt-get upgrade
That’s the command that actually goes out and installs the newest versions. But… if you want your screens to match mine exactly, you
might want to hold off on this step until your further into the setup and more comfortable with the screens.

Page 39

I will leave this as optional right now, and rest assured we will perform one later.
Newer is better, but doing it now could put you at a version that doesn’t match this how-to. Pick your poison :- )
If you have chosen to upgrade now, here is how.
Type apt-get upgrade and it will go get any approved updates that are available
for your computer.
If it finds something, you will probably be asked to type Y or YES and hit enter.
Either way, you’re ready for the next page.

Page 40

Now we are going to install some packages (software)
Type apt-get install samba smbfs ssh dhcp3-server openssl dnsutils apt-show-versions

(there is a space between each installer above)
(this is the hard-way, later on in the how-to we will get into copying and pasting)

Page 41

Type it word for word
It’s going to tell you that you need some additional installers, and it will prompt you to go get them.
When asked make sure you type Y for yes and hit enter.
*note, you do not have to specify whether you want 64 or 32 bit installers, apt-get will decide for you based on your system. This is an
excellent feature.

Page 42

The install of Samba is going to ask you a few questions on screen. A GUI box will come up, without any mouse support. So use the
TAB key on your keyboard to move around it, and the enter key to choose things like next, continue, and OK.
Enter the same name you did earlier
I’m going to use diy.lan

Page 43

Choose “Yes” to this

Page 44

The DHCP server software will warn you that it’s being installed as non-authorative. This is fine. You will also get a warning during
reboots that DHCP Server failed to start. This isn't an error and can be ignored it won’t actually load unless we tell it to, so ignore any
thoughts you might have about this for now. We will come back to it much later in the how-to.
You are almost ready to remove the keyboard and the monitor. We just need to set a static IP address
(or reserve a DHCP one)

Page 45

If you type ifconfig and hit enter, it will show your current eth0 (Ethernet) IP address
(inet addr) as well as your MAC address (HWadrr)

Page 46

You should see something like this.
If you’re familiar with setting up DHCP reservations from your router, you just need the MAC address
and you will know what to do from here.
If you’re not familiar with how to do that and just want to set a local static IP address, here is how.
Note, later on in this how-to it’s assumed you have a static IP address, so you may want to setup a static address, even if you know
how to do DHCP reservations.

Page 47

First chose an IP address that isn’t part of your DHCP scope. For example, if your router is handing out IP addresses in a pool of
192.168.2.2 – through -192.168.2.100 then you wouldn’t want to use any of those available 98 address’s in that pool (.2 through .100)
But you could safely choose anything above that pool, such as 192.168.2.101, 192.168.2.102, etc…
just as long as it isn’t in the range of the available IP addresses to the DHCP server pool of addresses.
If you don’t know how to check what IP range your router is handing out, just add 100 to the IP address you currently have. This is
sloppy, but will most likely work. For example, if you automatically got an IP address of 192.168.2.72 it’s probably safe to set a static
address of 192.168.2.172, as most address pools are not larger than 100 (100 higher than what you currently have) This is sloppy, but
should work

Page 48

If this all sounds French to you. Giving this a lot of extra thought can help with future problems, for example on my network anything
above a .100 address means it’s a server or printer of some kind. Anything above .200 means its wireless. Setting up meaning to these
can be of great importance later on, as your network starts to grow.
If all those numbers look French to you, just remember to make sure you give your Linux box an IP address that is on your same
network. For example
If you’re on a 192.168.2.xxx network
address 192.168.2.111 (replace 111 with the IP address you want)

netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
gateway 192.168.2.1

netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

Page 49


netmask 255.255.255.0
network 10.10.10.0
broadcast 10.10.10.255
gateway 10.10.10.1
To enter a static IP address type vim /etc/network/interfaces

(there is a space after vim)

Page 50

You should see something like this
Find the area that says

iface eth0 inet dhcp
Hit the insert button on your keyboard. Change it to say static instead of “dhcp” and add the following lines
iface eth0 inet static

address 192.168.2.111 (the IP address you want)
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
gateway 192.168.2.1

Page 51

That’s it, you just have to tell the editor to save it
Press esc on your keyboard, this should drop your cursor to the bottom left of the screen.
Type :wq!
Press enter on your keyboard
If you did it correctly it should say something like “filename written”
And return you to the command prompt.
Once you are back at the command prompt, type reboot and hit enter on your keyboard.
Your system should reboot, and load up the new ip address.

Page 52

After you login again as username root , type ifconfig and make sure eth0 is getting
the IP address you specified.
Now go to different computer, running Windows, and make sure you can ping that IP address.
Type ping 192.168.2.111 (or whatever IP address you gave it)

Page 53

If you’re not familiar with ping on a Windows machine. Just click on the start button
and type cmd
In the black DOS like window, type ping 192.168.2.111

Page 54

Make sure it replies back from the IP you’re pinging. If it comes back saying something like
“Destination Unreachable” go back and figure out what’s wrong.
Look for typos

Maybe your network card is eth1, and not eth0
Don’t continue with the how-to until it replies.
Now go back to the Linux box, and make sure you’re connected to the internet
try to ping www.google.com

Page 55

It should reply back something like this, the numbers don’t really matter, just make sure its replying.
You can hit control + c on your keyboard to make it stop pinging
That’s the Ctrl key and the C key, hold down Ctrl and press the C key
If it replies, you’re connected to the internet
If it doesn’t reply, check your internet connection.

Page 56

Make sure in your /etc/network/interfaces file, the IP address of your “gateway” is the same IP address as your router.
If you have checked everything, and determined you are having a DNS issue.
And that your Linux box is the only computer having this issue
You can edit the file /etc/resolv.conf by typing

vim /etc/resolv.conf
And add some name servers
I got these numbers from dyndns.org

http://www.dyndns.com/services/dynguide/readme.html

Page 57

They provide some awesome name servers. Another good one is OpenDNS
http://www.opendns.com
And just like before, to save and exit its
Escape
:
wq!
Enter
Or you can use the name-servers (DNS servers) from your ISP, that you’re actually paying for.
To figure out what your name-servers are from your ISP, launch another cmd window from
your Windows computer, and type ipconfig /all

Page 58

Look towards the bottom, for DNS servers, and use those IP addresses as
your nameservers in /etc/resolv.conf

Page 59

Once you can ping your Linux box, and your Linux box can ping www.google.com
You can go back over to your Linux box and shutdown by typing halt –p
It will turn off, and you can remove the monitor and keyboard.
You may want to just remove the keyboard, and leave the monitor plugged in for now. So you can watch it power on \ boot up the
first time, and make sure your computer isn’t complaining that it can’t find the keyboard. If it complains about the keyboard, go into
your BIOS and tell it not to warn about missing keyboards or mice.
Once you sure it will boot up without a keyboard, you can go ahead and remove the monitor.
Fight any temptation to plug the monitor and keyboard back in. doing so will hurt your learning experience, as it’s no longer needed.
We will be accessing and managing the computer remotely from here on. So the rest of this how to will be completed remotely, using
a Windows computer.

Page 60

You will be using two forms of remote management tools to access the Linux server. Putty is one of them and Webmin is the other.
You will be using Webmin most of the time, until you get more familiar with Putty.
You can download Putty from http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
Or from my sever http://t3.woodel.com/my-linux-how-to/putty.exe
matching print screens, or go to http://the.earth.li/~sgtatham/putty/latest/x86/ and find the newer link.
You have to choose save, not “run” or “open” It isn’t an installer, it’s a self contained exe, and has to be saved to the hard drive before
running.
We will use Putty to install Webmin onto the Linux box. Then you won’t need Putty again until much later in the how-to.
Launch Putty, and enter the IP address of the Linux box.

Page 61

Everything else is already configured correctly, just enter the IP address of the Linux box and click “Open”
The very first time you connect, it will ask you if you want it to remember that you trust this computer you can say yes.
If successful you should get a black box asking you to login. Login as username root.
(We will continue to use root until the setup is complete)

Page 62

Once logged in, type or copy and paste the following commands
To paste into Putty Window, all you have to do is right-click
Once it is pasted into the Putty window, press the enter key on your keyboard. Your Linux box will now go out to the internet and
download \ install those software packages above.
Say yes if prompted.
Paste in the following command, then press enter.
apt-get install apache2 vsftpd quota bind9 perl libnet-ssleay-perl

Page 63

apt-get install libauthen-pam-perl libpam-runtime rssh libio-pty-perl
apt-get install libmd5-perl etherwake ntpdate libio-socket-ssl-perl
apt-get install monit fail2ban libapt-pkg-perl ethtool exim4
This should take awhile to complete, after it finishes
Type the following command
mkdir /options and hit enter on your keyboard

Page 64

This stands for “make directory” and will make a folder called options on the root of the hard drive.
We are going to use this folder to download the webmin installer into.
Type cd /options and hit enter on your keyboard
This will put you into the options folder

Page 65

Next we will use the wget command to download the webmin installer.
wget + the full path to the location of a website file, will download that file
Type or paste wget http://prdownloads.sourceforge.net/webadmin/webmin_1.520_all.deb
and hit enter on your keyboard.
(there is a space after wget)
Or from my server wget http://t3.woodel.com/my-linux-how-to/webmin_1.520_all.deb
*Due to upgrades some versions may no longer be available, if you run into this just use the links to my server
this will ensure matching print screens, or go to webmin.com and find the newer link by right-clicking the download link, and viewing
its properties.

Page 66

Once you have the http path to the Webmin installer, type wget http://xxxxxxxxxxxxxxxxxxx and hit enter

Page 67

You should see it start to download the file, and will show you the download progress.
It will download it to the current folder that you’re in, so it just downloaded it to the /options folder
When it finishes downloading, type dpkg –i webmin_1.520_all.deb and hit enter on your keyboard.
Or dpkg –i /options/ webmin_1.520_all.deb or dpkg –i /options/webmin_x.xxx_all.deb if newer version
That stands for Debian Package – Install, and will install the Webmin program packaged for Debian.

Page 68

If it tells you you’re missing something, just type
apt-get install “those-things-it-says-your-missing” and hit enter on your keyboard.
It will remember you were trying to install Webmin, and will finish installing it after any missing packages
are installed. You should now have Webmin installed, and can exit out of Putty
by typing exit or logout
To login to Webmin, open Internet Explorer or Firefox and type your IP address, followed by :10000
proceeded by https://
https://the-ipaddress-of your-linux-box:10000
For example if your Linux box IP address is 192.168.2.172 you would type
https://192.168.2.172:10000
*Note, If you have been following along, you probably expect my IP address to be 192.168.2.111
or 192.168.2.172 (your right)
I’m just at a different office and server today.

Page 69

In the example below, this Linux box is now 192.168.2.1 so I need to type
https://192.168.2.1:10000
You would type the same thing, but with your IP address instead.
You will probably get a warning telling you not to trust the webpage. You can ignore this, it’s completely secure. It’s just your using a
self signed ssl certificate, and not a paid one. This is still completely secure from within your internal network.
If you have problems with this later on, switch to Firefox. With Firefox you can choose to save the certificate so you’re not always
prompted. In Internet Explorer you just have to choose “Continue to this Webpage” every time.

Page 70

It’s safe, just click continue

Page 71

You should get to a screen that looks like this
With all of your management tools are on the left. You can do almost everything from here,
Webmin is an extremely powerful tool.
I like to use a combination of Putty and Webmin to administer my Linux servers. But since this how-to is about doing it all
through Webmin, we will stop using Putty, and start using the SSH module within Webmin when needed. The copy & paste
works best in Putty, so if you see me switch back to Putty, it’s because I want you to copy \ paste a command, simply to
avoid a hand cramp or typo.

Page 72

I just wanted you to have the experience of using Putty, in case you lock yourself out of Webmin, and to hopefully influence
you to learn Putty, and learn command line later on down the road.
First thing we have to do is remove the current SSH module that came with Webmin, it has outdated ciphers in it, and
will not work. To remove the SSH Webmin Module, click on “Webmin” in the top left corner and choose
“Webmin Configuration”

Page 73

Next click on the icon that says “Webmin Modules”

Page 74

Once inside the Webmin Modules page, click on the delete tab towards the top

Page 75

Choose “SSH Login” and then click on “Delete Selected Modules”
*Make sure you don’t accidently choose SSH Server, it’s SSH Login you want to click on

Page 76

Page 77

Put a checkbox in the “Remove from users and reset control settings” and then choose “Delete”

Page 78

If successful, it should say the module was successfully deleted
That’s it, it’s uninstalled. Now we have to install the new one.

Page 79

Click on “Webmin” in the top left corner and choose “Webmin Configuration” again
Click on the icon that says “Webmin Modules”
Make sure you’re in the “Install” tab of the webpage
And choose “from ftp or http URL”

Page 80

And paste the following URL into the box to the right
http://www.webmin.com/download/modules/ssh2.wbm.gz
Or from my server http://t3.woodel.com/my-linux-how-to/ssh2.wbm.gz
matching print screens, or go to webmin.com and find the newer link.
Click on “Install Module” and Webmin will go get the module file, and install it

Page 81

If successful you should see something like this, telling you it put it in your access control list, under the category “Others”
Click on the “Others” category on the left menu and choose “SSH2 Login”
The SSH2 Module will begin to open
If you’re ever prompted to install Java, it’s talking about the web browser on your Windows PC, not Java for your Linux box. Just go
to http://java.com from your Windows PC and run the install if needed. If you’re using Firefox, you may need to do this after every
time you upgrade your browser.

Page 82

Once you see the MindTerm logo below, you’re good to go.
Just hit the “enter” key on your keyboard, and you can login using username root
If you still don’t see SSH2 Login, try hitting the Refresh Modules button at the bottom left, and or looking under Un-used Modules.

Page 83

If you don’t like this single window view, you can click on the “Module Config” button and tell it to open in separate window.

Page 84

Make the following changes
Then Click on “Save” and the next time you launch the SSH2 Module, it will open in its own little window.

Page 85

Here is what it will look like in separate window mode
Click “enter” on your keyboard, and login as root

Page 86

This should look familiar to you, it works almost the same as Putty.
When you’re done, type logout and press “enter” on your keyboard.
Wait 10 seconds for the logout to happen, then you can hit the “X” in the right hand corner to close the window.
This will be helpful when you want to run a command, that answers you back, asking a question, like “are you sure” or “hit yes to
continue”

Page 87

Webmin has a built-in command shell, that works awesome. And most commands have a built in –yes option that can answer some
prompts. But it doesn’t allow you to interact and answer questions the way this SSH2 Module and Putty can. Putty allows you a much
wider copy\paste range than this SSH2 module. So if you’re a copy and paste’r, you will like Putty much more (right-click = paste in
Putty)
Again, I would encourage you to use Putty instead of this, but this particular how-to isn’t about that :- )
For the next step we are going to use Webmin’s built in command shell. It’s super convenient when you don’t need to interact with the
answer.
Click on “Others” and click on “Command Shell”
We are going to execute the command mii-tool
Type mii-tool in the box and then click “Execute Command”

Page 88

The grey area is where it will show you the results of the command.
We need to make sure you’re getting a “full duplex” connection and not “half duplex”
If yours answers back “full duplex” then you’re all set, and you can skip this part of the how-to.
If it says “half duplex” then do not skip any pages
If you simply got an error, that means mii-tool doesn’t support your network card, this isn’t a problem. Just run the command ethtool
eth0
Click on “Others” click on “Command Shell” and Execute command ethtool eth0
(there is a space after ethtool)

(that’s eth ZERO, not eth OH)

Page 89

If it says Duplex: Full then your good to go, you can skip the commands below.
If it says Duplex: Half then do not skip any parts, you must fix this.
If mii-tool told you that you had a half duplex connection, then the fix is to add the following line to the /etc/rc.local file
mii-tool –F 100baseTX-FD eth0
If that doesn’t work, try ethtool, ethtool is better for newer network cards anyway.

Page 90

If you got an error running mii-tool, and or if ethtool eth0 told you that you had a half duplex connection, then add the following line
to the /etc/rc.local file
ethtool –s eth0 speed 100 duplex full autoneg off

Page 91

Here is how to edit that file the Webmin way, using the File Manager (you’re going to like this) It makes everything a lot easier
Click on “Others” and then Click on “File Manager”
Click on the etc folder and then in the right side window, scroll down until you find the file name rc.local
This file is executed at startup, so we can use it to make changes that happen every time the computer restarts.
Single click on the rc.local file (do not double-click) double-click will try to download the file, that isn’t what you want.

Page 92

Single click the file, so that it is highlighted, then using the buttons along the top, choose “Edit”
A new window should open, and will let you edit the contents of that file.
You can type directly into that window
If mii-tool told you that you had a half duplex connection, copy and paste this
above exit 0
mii-tool –F 100baseTX-FD eth0
(if you know the card is giga-bit, use 1000base in place of 100 in these commands)

Page 93

You should have something like this
Click “Save & Close” and that’s it, the file is edited, all you need to do is reboot, I will show you how to do that on the next couple
pages.
If mii-tool gave you an error and or ethtool eth0 told you that you had a half duplex connection, then edit the rc.local file and
copy\paste this instead

Page 94

ethtool –s eth0 speed 100 duplex full autoneg off
Click “Save & Close” and that’s it, the file is edited
(if you know the card is giga-bit, use speed 1000 in place of 100 in these commands)
If you have skipped to this page, you missed how to use the Webmin File Manager to edit files.
We are going to do it again so that everyone is on the same page.

Page 95

Click on the etc folder and then in the right side window, scroll down until you find the file name rc.local
This file is executed at startup, so we can use it to make changes that happen every time the computer restarts.
Single click on the rc.local file (do not double-click) double-click will try to download the file, that isn’t what you want.

Page 96

Single click the file, so that it is highlighted, then using the buttons along the top, choose “Edit”
A new window should open, and will let you edit the contents of that file.
You can type directly into that window
Somewhere above the exit 0, copy and paste this
# hello world

Page 97

You should have something like this.
Click “Save & Close” and that’s it, the file is edited
We put a # in front of hello world so that it would ignore that line, Linux ignores lines that start with a #
And in most cases, will ignore lines that start with a ;

Page 98

Now we are going to use Webmins Bootup and Shutdown module to reboot the computer.
Click on “System” click on “Bootup and Shutdown” then scroll down to the bottom and click “Reboot System”
It will ask you if your sure, tell it to do it, then computer should reboot, at that point your screen will be un-usable while it reboots.
Just wait about 5 minutes and you should be able to use Webmin again.
Assuming the reboot went OK, let’s go back to the File Manager and edit some more files.

Page 99

We need to disable IPv6, this how-to later on assumes you’re only using IPv4
Let’s edit the file /etc/modeprobe.d/aliases
(you can tell by the line above it’s a file named “aliases” inside the folder called “modprob.d” which is located inside the “etc” folder.

Page 100

Change the line
#alias net-pf-10 ipv6
To
alias net-pf-10 off

Page 101

Make sure you remove the # from the beginning, or Linux won’t read it.
Click on “Save and Close”

Page 102

Next let’s edit the file /etc/modeprobe.d/blacklist
Adding the line
blacklist ipv6
Click on “Save and Close”
So far we have stopped it from loading, and stopped it from coming back after upgrades.

Page 103

We are done with disabling IPv6, and can move on to something else.
It is good practice to make comments in these files, of the changes you make, like
#Changed by Kevin, from “ipv6” to “off”
But since you have this how-to to refer back to, there isn’t much point in making any comments.
But it is a good habit to get into once you complete the how-to, and start editing files on your own.
This is a good time to mention a few quarks about computer names in Linux.
The Webmin installer probably told you that you can access your machine from https://your – computers - name:10000
And you probably found that didn’t work.
This isn’t a Webmin problem. Anytime you switch from DHCP to static, or switch from one static IP to another, there are a few files
you need to edit. As these files are expecting to get this information from the DHCP server, but static IP’s don’t communicate back
with the DHCP server.

Page 104

/etc/hosts (replace 127.0.1.1 with your Linux boxes static IP address)
*not to be confused with 127.0.0.1, leave that line alone, you want to edit\replace 127.0.1.1
Click on Save and Close

Page 105

Then edit
/etc/hostname (make sure it’s right)

Page 106

Then edit
/etc/resolv.conf (make sure your router is listed as one of the nameservers, and that it’s searching the right local domain)
Click Save and Close
Reboot your Server, and the computer name should now be playing nice with your static IP address. This is just the foundation, it
won’t actually come into play until we configure Samba later on in the how-to, but you now have the right settings for using names
along with static IP addresses.

Page 107

Next let’s familiarize ourselves with the Upload and Download module for Webmin.
This isn’t a very fast way of sending \ receiving files, because of the https encryption Webmin is using. That level of encryption is an
awesome thing, and it keeps your passwords very safe from prying eyes. But inside your local network it can be a little over-kill, and
will really slow you down.
But once we cover it, we can move on to the faster and more convenient ways, like ftp, http, and Samba file shares.
Inside of Webmin, click on “Others” and then Click on “Upload and Download”

Page 108

This module is pretty easy to use, just make sure you change the
“Download to file to directory” field to be /options
This will make it much easier to find files that you upload \ download to the Linux box.
Let’s walk through it once, click on the “Upload to Server” tab at the top
Assuming the file you want to upload is located on your Windows PC. Just make sure to change the
Then browse to the file you want to upload

Page 109

Click “Upload” and it will upload it to the /option folder on your server.
You can then browse to it using the File Manager
Click on “Others” and then Click on “File Manager”, and then click on “options”
Or if the file you want to upload to the server is located on a the web, and not on your Windows PC
Go back to the Upload and Download module, and choose the “Download from Web” tab instead.
They work the same way, the file will end up in your /options folder.

Page 110

Just make sure to change the
And then paste the URL to the website\file you want to download
Into the “URLs to download” field

Page 111

You won’t always know the URL to the file you want, but you should be able to right click on it from your Windows PC, choose
properties, and copy and paste the URL into the “URLs to download” field

Page 112

Paste it into Webmins Upload and Downloads, “URLs to download” field
You probably noticed how very slow that was, that’s again due to the encryption, we will speed all that up later on in the how-to

Page 113

Using the File Manager, you should be able to see your newly uploaded file
Let’s edit some more files

Page 114

Let’s edit the file /etc/ssh/sshd_config (to limit the users who are allowed to SSH)
Make sure there is a “d” in there, this isn’t the same as ssh_config, you don’t want that, you want to edit sshd_config

Page 115

Somewhere towards the bottom, add the following line
AllowUsers root wood
Replacing wood with whatever username you created during the initial install.
Anyone that can SSH can browse all your folders and list all your files, so it's extremely important to limit that.
Basically don’t give anyone but yourself SSH access.

Page 116

Don’t give anyone but yourself Webmin access
Later in the how-to we will cover rssh for users

That stands for Restricted SSH, and does work as promised.
Later in the how-to we will cover Usermin

This is a Webmin like interface, but can be locked down for users
But basically, don’t ever give someone else Webmin or SSH access, it not a good idea until you have mastered Linux and are
comfortable with file permissions and jailing home directories.
We will even be taking access away for root later on in the how-to. That way you’re not ever typing that password over the internet.
But for now, during the initial setup on your local network, it’s ok.
Next we are going to install the second hard-drive (the data drive) and use Webmin to mount it.
Everything in Linux is treated like a file or a folder. So when you are adding hard-drives, you go through a mounting process, which
makes that drive appear as a folder amongst the other folders on your system. This can be a little strange at first, but if you do some
good planning on your folder names, it can help with some of the confusion.

Page 117

Let’s start by powering off the Linux box. You do this the same way you restart it using the Bootup and Shutdown module, but just
choose “Shutdown System” instead of Reboot.

Page 118

This how-to assumes you know how to physically install the second hard-drive, go ahead and do that now. When you done, use the
computers power button to turn it back on.
Wait about 5 minutes then you should be able to get back into Webmin.
Using the File Manager module create a folder called /mymounts

Page 119

As you can probably guess by the name, this folder is going to contain drives that you have mounted. The system mounts a lot of
drives and partitions for you, as well as the CD drive, Floppy drives, etc… to help avoid some of the confusion of mount points, you
will know anything inside this folder is actually a separate device (hard drive or partition) that you mounted yourself, this will help
refresh your memory every time you navigate to it.
The forward slash / just tells it to be its own folder, at the root, on the beginning of the drive, and not a subfolder of some other
deeper folder.
Just make sure to choose the new folder button, and not new file, and don’t be tempted to click on mount, that isn’t want you want

Page 120

You should see something like this when you’re done

Page 121

Now go inside the mymounts folder and create a folder called d2p1
You should see something like this when you’re done

Page 122

d2p1 stands for (drive two partition one)
It’s the second drive in the system, and it’s the first partition on that drive
So what this folder structure means is. It’s something you mounted yourself, because it’s in the mymounts folder. And it’s the second
drive inside the computer, and is the first partition on that drive.
(If you had a second partition on the second drive, you would mount that in
/mymounts/d2p2) a third drive would be /mymounts/d3p1/ and so on…
We need to format the second hard-drive. We need to so this before mounting it, because when it’s mounted, it’s considered in use. So
pre-mounting, lets format it.
Using the Webmin module “Partitions on Local Disks”
Click on your second hard-drive, if you have followed the how-to exactly, it will be the second one in the list (B)
Click “Device B” (assuming that is for sure your second hard-drive)

Page 123

Click on “Number 1”
(There should be only 1 number, if there is more than 1, click on them and delete them)
(Triple check you are on Device B though!)

Page 124

You should see something that looks like this
Change the “Type” to Linux

Then click Save.
This will kick you back to the main screen again, where you will have to click on device B again
Click on device B again

And next to the “Create Filesystem” button change that to Linux Native
(Linux Native = filesystem ext3 as of the date of this writing)
Write down your device file name, on mine its /dev/hdb1

This stands for device , hard drive B (B meaning 2nd) , 1 (meaning first partition)

Page 125

If you have a newer computer, it will most likely list them beginning with an “S” (example sdb1)
Meaning it thinks it a SCSI or SATA disk.
Then click “Create Filesystem”
Don’t check for bad blocks, it takes way too long and the webpage will time out
We will talk about how to check for bad blocks later in the how-to
Then click on “Create Filesystem”

Page 126

This can take hours to finish
If it fails, just run it again.

Page 127

If successful, you should eventually see “command complete” at the bottom of the screen.
Now that it’s installed and formatted, we can mount it.

Page 128

Using the Webmin module “Disk and Network Filesystems”

Page 129

Change the “Type” box next to the “Add mount” button to
“Linux Native Filesystem ext3”

Page 130

Then click the “Add mount” button

Page 131


Page 132

You should see something like this, Make the following changes
In the “Mounted As” field type /mymounts/d2p1

Change “Check Filesystem at boot” to “Check First”
In the “Other Device” field, check the button so it knows to use that field, and put the actual device name of the second hard-drive.
*If you forgot what is was, refer back to previous section.

Page 133

On mine its /dev/hdb1
This stands for device , hard drive B (B meaning 2nd) , 1 (meaning first partition)
If you have a newer computer, it will most likely list them beginning with an “S” (example sdb1)
Meaning it thinks it a SCSI or SATA disk.
If you get confused just refer back to the previous section, it will show you how to check what your device name is.

Page 134

Change Use Quotas to “User and Group”

Page 135

If successful, you should see it listed in the next screen
Sometimes in this how-to I will have you do things the hard way, or the long way. When it will help you to understand some of the
more confusing tasks.
Like for instance you probably already wondering why I didn’t have you install Putty much much earlier, so you could have copied
and paste straight from this how-to. But then you wouldn’t have learned how to type them correctly.

Page 136

You probably also saw a few options that would have made mounting easier, like this button
But then you wouldn’t have learned the \dev\ device names

Page 137

Or maybe you saw this window during the format
But if you would have used that mount button, you wouldn’t have seen how to enable the Quotas.
So even if you see a shortcut, try to follow the how-to exactly, because I’m going to make assumptions later on in the how-to, that
certain things are already enabled. And if you skip any of these steps, you could get lost and have to start over.

Page 138

You done with the mounting part, the second hard drive is now accessible from the File Manager module, under /mymounts/d2p1/
Just for practice, let’s put a file in that folder, this will be an example of putting files on your data drive (hard drive #2)

Page 139

Using the File Manager, copy and paste a file from the /options folder to the /mymounts/d2p1 folder
Click the file once to highlight it, then click “Copy” from the toolbar above
Navigate to the /mymounts/d2p1/ folder, and paste it using the “Paste” button from the toolbar above

Page 140

If successful, you should see something like this
And that would be an example of saving a file to hard-drive number 2
If you ever need to un-mount it.
(You shouldn’t ever need to do this) except maybe to re-format it or scandisk it.

Page 141

Just navigate back to the Disk and Network Filesystems module, and click on /mymounts/d2p1/

Page 142

Check the “Save” option so it keeps a record of it, then click the “Unmount” option
Then click “Save” at the bottom, and it will un-mount the drive.
And because you checked the save option you can easily re-mount it by coming back to this page and choosing “Save and mount at
boot” and “mount” and then click “Save” at the bottom.
That’s it for mounting and un-mounting. Again you shouldn’t ever need to un-mount it, but you know how if you need it.

Page 143

Next let’s make sure your Linux box has the right time, and set it to automatically sync up with a time server at midnight each night.
Using the “System Time” module, set the time and date for both fields to be correct. You only have to do this manually once, keeping
in mind that it’s a 24 hour clock.
We have to do it manually once, because the sync feature doesn’t work if the time is off by more than a couple of hours, so we do this
to ensure the time is “almost” right, so the sync will work and always keep it accurate.
Don’t be tempted to use the “Set system time to hardware time” or the other one, just set each one manually.

Page 144

This should work, but if you’re getting errors manually setting the time you can do it the command line way like this (using the SSH2
module) ntpdate pool.ntp.org
Once both are set right, navigate to the “Time server sync” tab at the top right.

Page 145

Set the “Timeserver hostname or address” field to the timeserver closest to your area
1.us.pool.ntp.org
*If you’re having DNS issues you can use IP addresses here until you fix that.
Check the box that says “Set hardware time too”
Check the box that says “Yes, at times below”
Check the box that says “Simple schedule” and “Daily at midnight”

Page 146

You can ignore all the time tables below, because you’re using the simple schedule above.
Click “Sync and Apply” at the bottom of the screen, and your all set
You should be able to navigate back to the “Set time” tab at the top, and see that it did in fact set the correct time for both fields.
You’re all done with setting the time.
*If you get errors about the hardware clock not being set, you may have to enable the following at boot time, and then reboot. Only do
this if you are experiencing problems with the hardware clock.

Page 147

Navigate to the Bootup and Shutdown module, place a checkmark next to hwclock.sh and click Start Now and on Boot
That’s about it for the time settings.

Page 148

Next let’s make sure your MTU is set right on your network card. You usually won’t see a problem here unless you have multiple
NIC’s, but let make sure anyway.
Using the “Command Shell” module, run the following command

ifconfig eth0 then click the “Execute command” button

Page 149

For most purposes your MTU should be 1500, if yours comes up right you can skip this part of the how-to.
It should have found the right setting for you automatically, I’ve only see it get confused when there is more than one NIC.
There are some DSL setups that are not 1500, you will have to Google your current situation to find your correct number. 1500 is right
for LAN setups and all the major Coax Cable Modem ISP’s.
This is an advanced problem, but if you have exhausted all other options, here is how you can force the right setting.

Page 150

Using the “File Manager” module. Edit the file /etc/network/interfaces and make the following edits

Page 151

up /sbin/ifconfig eth0 mtu 1500
The placement of that line is important, make sure you put it under the iface command, and make sure if you have two or more NICs
that you put it on the right line for that particular NIC. (example, eth0, eth1, eth2, etc..) and of course you would change the command
to reflect the NIC number (example : up /sbin/ifconfig ethx mtu 1500)
Again, this is a more advanced problem, make sure you have exhausted other easier fixes first.
That’s it for MTU
Now we are going to talk about an optional install, called md or mdadm

Page 152

md is a software RAID, usually called a fake raid. It can do most everything, but expect a little performance loss, as it doesn’t actually
use a real hardware raid controller, it just mimics it. So as awesome as it is, it’s doing the job twice, so limit your expectations
accordingly.
You can install this if you want, it does work extremely well. I would just caution you to not use it unless you have a real need for it.
For instance, it can group many smaller hard drives together to form one big one. But if you are going to setup a bunch of folders and
organize the drive, dividing the data into categories. (example: Folders such as “images” or “software”) you could just designate each
drive for those categories, and have an Images drive, and a Software drive, and not have to deal with a RAID configuration at all.
Another wasted use of this program is setting up RAID 0

Raid 0 is a performance raid, and since you are faking it, you’re not going to get a performance increase.
If you looking to combine 2 or more disks into 1 large disk, use concatenated-linear setting (often called JBOD Just a Bunch Of
Disks) in the RAID configuration and not RAID 0. But again don’t waste your time joining smaller disks if you’re going to organize
the data into categories that could have fit on the single drives.
RAID 1 is nice, it’s a 2 disk setup, that is an exact copy of each other. But even with this simple convenient raid, there are many
reasons to not use it. You’re adding another disk to the system, so you just doubled your chances of having a bad hard drive, so it’s
almost like your preventing something you’re causing. And if you’re truly worried about backups (as you should be) you should be
doing offsite backups, backups to another computer, external backups. All of these things are superior to raid, because if that computer
is involved in a fire, earthquake, flood, etc… your RAID is toast. And if your system gets a virus, you’re just going to have a bunch of
copies of infected files.
Where raid really saves you, is when you’re lazy with your backups like I am or when you have a real hardware raid solution, that is
doing all the work, leaving the computers resources available for computing. mdadm is amazing, but don’t use it if you don’t need it
Don’t get me wrong, I use RAID, I like fake RAID, I use this mdadm everyday, it’s awesome. Just don’t set it up if you’re not getting
the right use out if it. And there are only 3 configurations I would use with fake raid. RAID 1 (mirror) or Concatenated-Linear (joining
of multiple disks to make one large one) and maybe RAID 5, if your computer is really bad ass. I do RAID 5 with SATA 3G, on
monster systems.

Page 153

If you have decided you want to, here is how. If not, you can skip this section.
Using the SSH2 Module, or Putty (preferred) run the following command
apt-get install mdadm
It will probably ask you to say Y or Yes

Page 154

The install will later pop up a GUI window asking you some questions.
Using your keyboard, Tab down to the word “OK” and then hit enter on your keyboard.
The screen will look a little fuzzy and off centered, this SSH2 module doesn’t handle these GUI pop ups very well. If your screen is
totally un-useable, you can use Putty instead. But for the most part, you should be able to follow along.
Next it’s going to ask you which RAID configs you want it to start, erase ALL and type NONE. Because we are going to use Webmin
to configure it.

Page 155

Once you have the word none types in there, tab down to OK and press enter on your keyboard.
If your cursor is giving you a hard time, it might help to type noneeeeeeeee in the field, and then backspace the extra eeeeeee until it
reads just none
Then it will ask you if you want the raid config to start automatically, tab over to YES and hit enter. This will cause an error at boot
up, but its ok, it’s just telling us we haven’t configured it yet (we will do that later in Webmin)

Page 156

Page 157

Once you answer yes, it will take a couple minutes to setup. Then you should eventually get back to the normal SSH2 Module screen,
where you can type halt –p to shutdown the computer.
Once the computer shuts off you can physically install the additional hard-drives.
Using the Partitions on Local Disks module, format any of the new drives to ext3, just like you did on previous section.
If the second hard-drive you install earlier in this how-to is going to be part of this RAID configuration, then you have to un-mount it
first. Navigate to the Disk and Network Filesystems module and un-mount it. And this time, tell it to not remember the configuration.
This will make it available for RAID.

Page 158

Once you have them all physically installed, formatted, and un-mounted (if needed) then your ready to configure the RAID using
Webmins “Linux RAID” module.
If you do not see the “Linux RAID” module under other, try hitting “Refresh Modules” at the bottom left of the screen.
It will look for a couple minutes

Page 159

And the next time you click on the Hardware tab, it should be there.

Page 160

Enable Monitoring, Enable sending notifications, Send them to yourname@localhost
and click “Save”
Choose a RAID configuration, in the drop down menu next to the

“Create RAID device level of” button.
Again, for a fake software raid, I would only recommend RAID 1, or J.B.O.D. (Concatenated Linear) unless you have some incredibly
fast SATA or SCSI drives, then RAID 5 would be the highest I would go with the fake software raid.
Chose whichever one will work for your situation, and click the “Create RAID device level of” button.
All these RAIDs do work awesomely, I’m just saying limit your expectations down to what your hardware can handle.

Page 161

You should see something like this (this is an example of Concatenated Linear)
We are joining a 40GB and a 20GB disk together to act like a single 60GB disk.
Set “Force initialization of RAID” to yes
And in the Partitions in RAID field, you have to select the participating disks. They appear to be selected, but they are not. You have
to click on them with your mouse. In order to select the second disk, just hold down the control key on your keyboard when selecting
the second disk.
Click the “Create” button, and it will create the RAID for you.
This can take a very long time. If you’re doing Terabyte disks, go to sleep :- )
As you can see it’s going to treat it as /dev/md0

Page 162

And earlier in this how-to, you learned how to mount /dev/xxx into folders, so you already know how to mount this virtual raid into a
folder for use on your system.
You should eventually be returned to a screen that looks like this, if it shows your correct RAID configuration, and then you’re ready
to format it.
Click on the device name, /dev/md0

Page 163

Change the drop down box to ext3, and click “Create filesystem of type” button
This should take a long time, and do not be tempted to use the “Mount RAID on” button you see above. If you do that you will miss a
few important options that are only available by doing it the long way that we covered earlier.

Page 164

Don’t chose check for bad blocks, it will take forever, and the webpage could time out.

Page 165

Page 166

You just have to mount it now, as Linux ext3, using the “Disk and Network Filesystems” module like you did earlier.
A good folder name to use would be /mymounts/vraid

That name lets you know you mounted it, and that it’s a virtual or fake raid.
You want to use the “File Manager” module to create that /mymounts/vraid folder first, before you attempt to mount
it using the “Disk and Network Filesystems” module.

Page 167

Here is what it should look like, make the following changes.
Then hit the “Create” button

Page 168

If successful, it will look like this, and be accessible as a folder in /mymounts/vraid with almost 60GB free space
(40GB harddrive + 20GB harddrive)
This is a very small example, I have done multiple Terabyte raids, and they work great. Just make sure you really need it, and are
getting a good use out of it.
For those of you that skipped to this page, I created a new data drive, in a RAID configuration. I’m no longer using /mymounts/d2p1
as my data drive.
I’m using my virtual raid setup of /mymounts/vraid
The how-to will continue to reference the /mymounts/vraid folder as my data drive. Whereas on your system, if you skipped the raid
how-to, you will need to be thinking /mymounts/d2p1/
This shouldn’t interrupt the flow of the how-to, we are still talking about that same thing, a folder, that is really a second hard drive
mount point, that contains our data.
That’s it for the data drive, now let’s configure the web server (Apache)

Page 169

The web server is already running and functioning, if you type the IP address of your Linux box into a browser window, you should
see it displaying something like this.
By default the web server listens in folder /var/www/ and looks for a file called index.html
There is already a file called index.html in that folder, that file has the words “It works!”
Inside of it, that’s why you see that on your screen.
If you were to delete that file, and replace it with your own index.html file, it would display that instead.

Page 170

So let’s use the File Manager module to delete the contents of the /var/www/ so we can replace it with our own index.html file, for
our own custom website.
Next you need to create your own index.html file. There are countless ways to do this, in this how-to we are going to use Microsoft
Excel to make the webpage file and save it as filename index.html. But if you Google html editor, you will find millions of other ways
to achieve this.

Page 171

Launch Excel, and put some words and colors on there.

Page 172

Choose “File” “Webpage Preview” to see a preview of what it will look like.
Then if you like it, choose “File” “Save as Webpage” when you done

Page 173

And save it as file name index.html

Page 174

Now using Webmin’s Upload and Download module, upload that index.html file to the /var/www/ directory.
Click on the “Upload to server” tab
Change the “File or directory to upload to” /var/www/
Then click the “Browse” button
Then browse your Windows PC for that index.html file you created. And choose “Open”

Page 175

Page 176

Then click the “Upload” button
That’s it, it will upload the file to the directory, Apache is listening in that folder, and will read that file the next time you visit your
website.
To see it, just open a browser window and type your IP address again, and viola, your own custom webpage running on your very own
web server, for free.

Page 177

If you didn’t want a webpage showing, but instead wanted a file chooser type of view, you could delete the index.html file, and any
files you uploaded to the /var/www/ folder would show up in a download like view, like this.

Page 178

This way your users can see what files you have available for download, and can download and navigate just by clicking on them.
------------------------------------------------------------------------------------------------------------

Page 179

Which looks like this from your File Manager view
Or, you could have both a webpage and the file download view by making a deeper subfolder called “files” and putting the files you
want available for download in there.
Just put your index.html file back in /var/www/

Page 180

So when people go to your IP address, they see your webpage file

Page 181

But when they go to you IP address /files (http://192.168.2.1/files) they see this
Which would look like this from your File Manager view
That’s pretty much it for a basic Apache web server setup, it works right out of the box. If you want to be able to setup passwords, so
that people cannot get to certain websites or folders without a password, here is how.

Page 182

We are going to install the “Protected Web Directories” module from Webmin.com
Go to http://webmin.com/standard.html from your Windows PC, and look for the module.

Page 183

Right click on the link that says htaccess-htpasswd.wbm.gz and choose “Properties”

Page 184

This will give you the URL you need

Page 185

Highlight and Copy that URL
Now go to the Webmin Configuration module

Page 186

Double-Click “Webmin Modules”

Page 187

Make sure you’re in the “Install” tab of the module page.
And choose “from ftp or http URL”
And paste the following URL into the box to the right
http://download.webmin.com/download/modules/htaccess-htpasswd.wbm.gz
Or from my server http://t3.woodel.com/my-linux-how-to/htaccess-htpasswd.wbm.gz
matching print screens,
or go to webmin.com and find the newer link.

Page 188

Click on “Install Module” and Webmin will go get the module file, and install it

Page 189

If successful you should see something like this, telling you it put it in your access control list, under the category “Others”

Page 190

Click on it, you should see something like this
But we aren’t ready to use it just yet.
We have to make a change to our Apache configuration file, before it will allow password files to be used.

Page 191

Using the File Manager module, edit the following file.
/etc/apache2/sites-available/default

Page 192

Change the following two lines from AllowOverride None to
AllowOverride AuthConfig
Click the Save and Close button.

Page 193

Then use the Bootup and Shutdown module to restart Apache (called apache2)
Click Restart
*Advanced* If you know you’re not going to use apple-talk on your network, you can disable it on this page
By putting a checkmark next to netatalk and choose Disable Now and On Boot
If you know you don’t need it, this will speed up the boot time and free up some resources

Page 194

Once it’s been restarted, navigate back to the Protected Web Directories module
And click on “Add protection for a new directory”
Directory meaning folder
In this example we will password protect the files folder on your website

Page 195

After you click on “Add protection for a new directory”
You should see something like this, make the following changes.

Page 196

In the Directory path type /var/www/files
Because that is the directory we are wanting to password protect
Set the File containing users button to selected file
In the selected file field type /options/.htpasswd-4-var-www-files
Notice there is a dot in that filename. That’s important, it means hidden.
It’s going to create this file for you, but it won’t create folders for you. So make sure your specifying a directory that already exists,
like /options

Page 197

In the Authentication realm type Restricted Area
Usually you would name the file containing user’s .htpasswd
That’s the industry standard.
But we named it .htpasswd-4-var-www-files
Or
/options/.htpasswd-4-var-www-files
Meaning to me, it’s in the /options folder
I like to name it more descriptive then just .htpasswd, because I tend to have three or four of these files protecting different directories
and with different passwords.
In Linux the leading period or dot in front of a filename means it’s a hidden file
So when I see the filename .htpasswd-4-var-www-files we know it’s a hidden password file, protecting the folder /var/www/files

Page 198

So if I were going to protect a second folder, something like
/var/www/photos/wedding
I would name the file containing users .htpasswd-4-var-www-photos-wedding
Or /options/.htpasswd-4-var-www-photos-wedding
Meaning the answer to the password for that directory is in the /options folder
Once you have it all filled out, click the create button

Page 199

So the structure is all there, now you just have to add usernames and passwords to it.
Click on “Add a new user”

Page 200

Here you can add as many usernames and passwords that you want. These aren’t real accounts on your server. You can make
something up here, these are just password prompts on your websites.
For instance, maybe you had family photos in that files folder, and you only wanted your family members and your friend Ed to see
them. You could add a username and password like
Username: my
Password: family
And another one like
Username: ed
Password: 12345

Page 201

Whenever someone tries to your website, it works just fine.

Page 202

But if they try to go any deeper into your website, or are sent a deeper link. like / files. Then they are prompted for a password

Page 203

And if they enter the right username and password here, they will be able to see the files inside the files folder (directory)
It’s a good idea to use made-up usernames and passwords for these websites. By made-up I mean not actual usernames and passwords
that you’re using as accounts on the server.
These website passwords are sent over the network and internet in plain text, meaning it’s easy for a hacker to see the username and
password that you’re typing, so don’t use a username and password here that actually has an account on the server.
This isn’t a huge deal because (at this point) you shouldn’t be exposing files to the internet that you don’t want people to see. Not over
an http website anyway. If you doing really private information make sure you’re using the Webmin File Manager module, or
something else that uses ssl (https) or ssh.
You’re not going to provide Webmin access to your users, so later on in the how-to we will cover how to allow your users to securely
transfer files using https. The “s” stands for secure and will secure the transfer using ssl.
These http (non “s”) website passwords above will keep 95% of people out, but you would be putting yourself at a huge risk if you put
anything confidential on a non http’s” website. And as a rule of thumb, don’t expose anything confidential to the internet. And never
type your password on a website that isn’t https. And never type your password on a website you don’t know, trust, and recognize.
Without the “s” your sending them in plain text. So a hacker would see your typing just as you see the words in this sentence.
Later on we will cover how to do it securely, but at this point don’t put any confidential files on your web server, and don’t type
usernames and passwords that matter, over a non http’s” connection.
No worries about Webmin and Putty, they are safe, I’m mainly talking about http and ftp sites.

Page 204

And if you ever want to remove the passwords permanently, you can use the Protected Web Directories module, and click the “Un-
protect and Remove Files” button
Apache is very powerful and can do a million more things. Later on in this how-to we will change its listening directory from
/var/www/ to our data drive, so that files on our data drive can be accessible over the web.
Later on in this how-to we will also create users whose home directories are on the data drive, so they will be able to upload and
download their files, over the web, all residing on the data drive.
You can probably see where this is going. Your users will have a home directory on the web. Often referred to as web space. But with
a lot more functionality. They will be able to FTP, build websites, use the secure https File Manager, change their passwords, see
graphs on how much space is available, have disk space Quotas, etc… all over a webpage.

Page 205

Let’s configure the FTP server (vsftp)
Using the File Manager module, edit the file /etc/vsftpd.conf

Page 206


Page 207

You need to make the following changes to it
Change line 23 from anonymous_enable =YES to anonymous_enable =NO
Uncomment line 26 by removing the “#” so that it reads local_enable=YES
Uncomment line 29 by removing the “#” so that it reads write_enable=YES
Uncomment line 33 by removing the “#” so that it reads local_umask=022
On or around line 34, add the following entry file_open_mode=0755
Uncomment line 94 by removing the “#” and change the Welcome string to something custom of your own
Uncomment line 105 by removing the “#” so that it reads chroot_local_user=YES

Page 208

You should eventually see something like this
When you have made all the changes, click save and close
The next time the computer is restarted, the FTP server will read the new changes, and will be ready to use. We haven’t added any
users for it yet, we will get to that later, but we are done as far as its configuration.

Page 209

If you don’t want to reboot, you can just restart the vsftp service instead.
Using the Bootup and Shutdown module, find vsftpd
Put a check in the box next to vsftpd and click the “Restart” button
This will restart the FTP service, without restart your computer. Either way is fine. Now you have a fully functional FTP server. We
will test it later, when we add some more users with less important passwords. Much like HTTP, passwords sent over FTP are also
sent in plain text, that’s why I don’t want you to test it right now with your important accounts and important passwords.
That’s it for FTP for now

Page 210

Next let’s see how to check local email messages and syslog. When something goes wrong with the system, or there is a change, or a
scheduled job has failed, you can use one of these two messaging systems to check it. Similar to Windows Event Viewer, you can find
a lot of helpful information here.
Using the Read User Mail module, you can see if you have any mail.
As you can see I have messages here.

In this configuration you can send and receive local emails to users of this server, using this module.

Page 211

And to check the syslog, use the System Logs module

Page 212

You can also find useful information in the View Module Logs module
A lot of the time the answer to your problems will be in one of those (3) places

Page 213

And the homepage (also called the System Information module) does a good job of showing you your current usages.
As we can see above, even with everything we have added to the computer, it’s still only using 34MB of ram, 0MB of the Pagefile,
and 0.02 of the processor. *** note, this particular computer is a only a P3 \ 450Mhz … a paper-weight at best. Isn’t Linux
amazing?
These awesomely low numbers are because we are using the command line version of Linux, and not a GUI Operating System.

Page 214

You can also see your Uptime and OS version, Disk-Space, and other important information.
Next let’s add some user accounts, these would be people you would give access to your server and its resources.
We will create the accounts, and setup their home directories to be on the data drive, and exposed to the network\internet.
Using the Users and Groups module
We are going to get a lot of use out of this module. It will allow us to make users, groups, set passwords, set home directories, and
even setup their shell, where we can further restrict them if needed.
Click on “Create a new user”

Page 215

You should see something like this, make the following changes

Page 216

With the username jdoe and the real name jdoe.
I like to keep the username and the real name the same, but the only important one is the username, that will be the actual login name.
You could set the real name to Mr. John Doe, or something more descriptive if you like. I personally like to keep them the same.
Un-check “Automatic” and set the Home directory to

/mymounts/vraid/users/xhomes/jdoe
If you aren’t using raid, and are using d2p1, you would type
/mymounts/d2p1/users/xhomes/jdoe
What these descriptive folder structures tell us is

-It’s a drive I mounted
-What drive its on
-Its user data
-Its and exposed home directory “xhomes”
-Its user jdoe
By exposed home directory, I mean that directory is exposed to the network or the internet. A constant reminder to me about security
and confidentiality of what goes in there
We are later going to change the web server (Apache) to listen in those directories, so these home directories will be folders that are
exposed and viewable over the network or internet.
That’s on purpose, to give them web space.
After you have set the username and home directory, choose “normal password” and let’s type in the password jdabc123
Set the Group to “New Group With Same Name As User”

Page 217

Then click the “Create” button

Page 218

Little advice, careful if you ever click on a user, it will go into Edit User mode, and will try to reset the password.
Of course it won’t do it unless you hit apply
But try not to edit your users once they start using it, unless you know their password.
You probably noticed I didn’t have you put jdoe in a group, but instead created a group with the same name of jdoe. Groups are
awesome, so that’s a good question. We will cover groups later, but for now let’s focus on users.
In this scenario you really don’t need groups, because your users will be accessing their own home directories. And the entire
operating system is kind of built around that idea, and gets the right settings and permissions by default.
It’s when you venture outside the home directories that you will find yourself overwhelmed with permissions, and then groups are a
wonderful thing. Also if you want your users to be able to edit each other’s files, then you would have a big need for grouping.

Page 219

In our current configuration, every time you create an account the way we just did above. The users will have access to other user’s
files, and shares, for like downloading and viewing and such, but won’t have the rights to change or deleting anything they didn’t
create. Which is usually what you’re trying to achieve with non confidential user data. But is easily tweak-able to fit any need you
might have.
Now that you have a user with a password we don’t care about, let’s make sure your FTP is working. Remember this password will be
sent in plain text, if there is a hacker on your network, he is about to see it, so make sure you don’t type any of your important
passwords in these next couple of steps.
We are going to use Windows Explorer to test our FTP. Not to be confused with Internet Explorer. Windows Explorer is not the same
as Internet Explorer.
If you don’t know how to access Windows Explorer, open up “my computer”

Page 220

In that address bar, you can type FTP address’s, and hit the Go button or the Enter key on your keyboard.
It’s important you are not in browser like Internet Explorer or Firefox, those are for viewing, and are not fully functional FTP clients.
Make sure you’re in a My Computer like window

Page 221

Type ftp:// followed by your IP address
Mine would be ftp://192.168.2.1
And would look like this
If your IP was 192.168.2.178, then you would type
ftp://192.168.2.178

Page 222

Hit go or enter, and you should be prompted for a username and password

Page 223

Use the username and password you created earlier
Username: jdoe
Password: jdabc123
And click the “Log on” button
It should login, and you should see something like this

(if not, re-read this section, and fix it before moving on)

Page 224

It’s empty because we haven’t put anything in there yet. Uploading file this way is as easy as copy \ paste. You should be able to copy
a file and or folder from your Windows Desktop and paste it right into the FTP window above.
Copy something

Page 225

And paste it

Page 226

And you should see something like this
That folder or file that you pasted in there is now in user jdoe home directory.

Page 227

You can see that in a more familiar view by using the File Manager module.
(If you don’t see it, hit the refresh button)
Those files are now exposed to the network \ internet. We are going to make it even easier to get to by changing Apache to listen in
those folders. We will use the password protected FTP way you just did to upload files, we will use a no-password-needed webpage
approach to view and download them.
Everyone will be able to view and download these files, but only user jdoe will be able to upload, modify, and delete.
Well… jdoe and you (root). Logged into the File Manager as root you can do anything you want.

Page 228

Ok, so let’s redirect the apache listening folder to our data drive, deep enough to expose our external users home directories.
Open the File Manager module and create the following folder
/mymounts/vraid/users/xhomes/no_auth
Or, if you’re not raided
/mymounts/d2p1/users/xhomes/no_auth
Then click once to highlight the newly created no_auth folder, and click the info button

Page 229


Page 230

Un-check all the boxes, make sure username root are the User and Group, and then click save.
We want this folder to be totally locked down, this is where apache is going to dump people if they don’t know where they are going.
And with these super strict permissions, they won’t be able to use the back button, or do anything we don’t want them to.

Page 231

These permissions are a little over-kill, but we can get away with that because we are root.
Next, using the file manager, navigate to the folder
/etc/apache2/sites-available
Highlight the file default by clicking on it once
And then click the edit button

Page 232


Page 233

That third line can be a little hard to type, if you want to copy and paste it, here it is below.
RedirectMatch ^/$ /no_auth/
Make those three changes and click save
We have to restart apache for it to realize the changes

Page 234

Using the Bootup and Shutdown module, restart apache2
Now when you try to go to your webpage, you should get what looks like an error. This is what we want.
Open Internet Explorer, and navigate to your Linux box IP address

Page 235

Mine is 192.168.2.111
So I would type http://192.168.2.111
This would be an example of someone who didn’t know where they were going. We are creating disk space on the internet for people
who know where they going. Notice there is no back button or Parent Directory buttons above the word forbidden, this keeps people
from browsing your directories. There is still a back button at the top left of the page, but that back button is ok, it takes them back to
the last page they visited. The back button we prevented is the one that is used to move back and forth through your directories.

Page 236

So unless someone knows where they are going, your website would seem down, or not available to them.
But… if you were a user of the system, (like jdoe) you would know where you were going, you would know that your homepage or
your web space is
http://192.168.2.111/jdoe
Type that into internet explorer, and you will arrive at user jdoes home directory.

Page 237

Notice if jdoe had files he wanted to share over the internet, people could download them from this page. Or if user jdoe uploaded a
file called index.html
Then he would have a webpage, that people could visit
And if someone gets snoopy, and clicks on that Parent Directory button, they get dumped back to the no_auth folder, and won’t be
able to snoop around.
Now you can start providing web space and or webpages to people. All you have to do is make them an account. Make sure to put
their home directory in folder
/mymounts/vraid/users/xhomes/
Or
/mymounts/d2p1/users/xhomes/ depending on your setup
And that user can now ftp files to their space, requiring a password. And share them with the world via their webpage (http) without a
password
The secret behind all of that is

Page 238

We told apache to listen in the folder xhomes
Then we told apache, if anyone lands here, immediately redirect them to the no_auth folder
jdoe would never land in xhomes, because he knows to specify the path
/jdoe
http://192.168.2.111/jdoe
Therefore skipping the redirect to no_auth, because he never actually landed in xhomes, he landed deeper in the jdoe folder, where he
wanted.
If you made a new user account called kevin

Kevin could do the same thing
http://192.168.2.111/kevin

Page 239

And so on and so on, for all your exposed users. Hence the name xhomes
That’s it for redirecting apache, just remember to make their home directory in the xhomes folder, and teach them that these files are
in no way confidential.
You can also make yourself folders in here, without needed to keep making new accounts. Because anything you put inside the
xhomes folder will be exposed to the web.
So if you made a few new folders like
/mymounts/vraid/users/xhomes/public
/mymounts/vraid/users/xhomes/vegas09pix
/mymounts/vraid/users/xhomes/rex-the-dog
/mymounts/vraid/users/xhomes/website-for-mom
You could send internal people links like these, and later when we setup port forwarding you can send them to external users as well
http://192.168.2.111/public (internally) or http://your-public-ip-address/public (externally)
http://192.168.2.111/vegas09pix (internally) or http://your-public-ip-address/vegas09pix (externally)
http://192.168.2.111/rex-the-dog (internally) or http://your-public-ip-address/rex-the-dog (externally)
http://192.168.2.111/website-for-mom (internally) or http://your-public-ip-address/website-for-mom (externally)

Page 240

And people could access the files and or webpages inside
And later on in the how-to, when we give your server a public hostname, you can send people links that look like
http://MyWebsite/vegas09pix
That has a name, that makes sense, instead of those confusing numbers. But they couldn’t look at your other users folders, unless they
knew where they were going. This isn’t a very secure way of keeping people out, but these are not confidential files, so it works great!
And jut like you did earlier, you could add a password to the /mymounts/vraid/users/xhomes/vegas09pix directory using the
Protetced Web Directories module, and limit who could see those pictures.
This is a little of topic. I am not a Macintosh fan, but if you find yourself having to support some. You can also use this Linux box to
image Macintosh boxes. Mac lets you uni-cast images of desktops and laptops from a web-server. So now that you have a fully
functioning web-server. You can use the Disk-Utility on the CD that came with your Mac, and create a .dmg image of the computer to
a USB or Firewire drive…. Upload it to your web-server, and dump it to other Macintoshes.
Once you have the dmg file uploaded
It should be available with 755 permissions, and look something like this
http://192.168.2.5/macs/g6.dmg
And that’s it, the other Macs can download that as an image when booted of the Mac CD and running the Disk-Utility
And viola, it will reboot fully imaged.
Later in the how-to, we setup a DHCP server, this also helps with MAC imaging, as MAC doesn’t let you use a static IP address in the
disk utility GUI.

Page 241

That’s about it for apache
Next we are going to make another user, who’s password we don’t care about, and who’s home directory is not inside the website
listening folder. Because right now, anything we upload is instantly exposed to the web-server. And sometimes we will want to upload
files without them being exposed to the web. And sometimes on a LAN, FTP is the best way to do this.
The Upload and Download module you have been using in Webmin is awesome, it’s easy to use and keeps your passwords safe… but
at a price. Because of the https encryption it’s really slow, it doesn’t understand all file type headers, and sometimes it has problems
with really large files.
So we will us FTP or Samba for those needs, large files, weird file types, etc…
Just remember that password is sent in plain text, so make sure it’s a password you don’t care about.
Same steps as before

Page 242

Using the Users and Groups module
Click on Create a new user

Page 243


Page 244

Name the user uploadman
Do not change the Home directory option, leave it at Automatic this time
Set the password to umabc123
Click “Create”

Page 245

That’s it, this users home directory can now be found under /home/uploadman/
Now you should be able to ftp in as user uploadman

Page 246

Remember to use Windows Explorer, not Internet Explorer, when FTP’ing

Page 247

Using copy \ paste, let’s upload a large file
Copy something big, like a CD iso
And paste it

Page 248

Close the FTP window, and go look at it in the Webmin File Manager
Then using the buttons at the top, you could cut that file, and paste it into the
/options/ directory
And that would be an example of how to get huge files uploaded to your server, and put into the /options folder. Much later in the
how-to we will use this method heavily to upload .iso’s to the Datastore (advanced)
Or even easier, if the file you’re after is on the internet, you could just use the wget command you learned earlier. By using the ssh2
module or putty, login as root, then change directory to the options directory
cd /options
Then type wget http://the-website-that-has-it/debian503.iso

Page 249

That would accomplish the same thing, but the file would have to be on the internet or a web-server for that option to work.
Either way, now you have a couple work-arounds, for large files, if the Upload and Download Webmin module gives you problems
(and it sometimes will)
And now you have an ftp account “uploadman” who’s home directory isn’t exposed to the web-server. And a user “jdoe” who’s
home directory is exposed to the web-server.
Now let’s setup disk space restrictions, called Quotas. These are very important, because without them, there isn’t anything stopping
your users from uploading too many files, eating up your bandwidth, disk space, and ultimately crashing your server.
Let’s think of user uploadman as an account probably only you, the administrator would use. And let’s think of jdoe and an account
you made for your friend or your client
(John Doe)
You most likely wouldn’t put a quota restriction on yourself (uploadman) but you should restrict jdoe. And because of the way we
have been mounting the hard drives, quota is almost already setup.
Just go into Webmin, and click on System in the left menu, and then click on the Disk Quotas module
Notice mine says Filesystem /mymounts/vraid

Page 250

Yours will either say that or /mymounts/d2p1/
Depending on if you followed the raid how-to, or not.
I will continue to call it /mymounts/vraid but you will know I mean either one.
Click on Enable Quotas
Don’t get clicky, this can take a good 10 minutes or longer to respond.

Page 251

And you should finally see something like this…
Click on “Users” not groups

Page 252

There is a lot of good info here. Notice username uploadman is not listed here.
That’s because he doesn’t live on this hard drive, and hasn’t been given any access to it.
uploadman lives on /home/uploadman which is the main hard drive. This is drive number 2. So only jdoe shows up, and of
course root, because root has access to everything.
Let’s setup a quota for user jode

To limit the amount of space he can use on /mymounts/vraid

Page 253

Click on jdoe

Page 254

Soft Limit = 2GB

Hard Limit = 3GB
Then click the “Update” button.
That’s it
This means the user (jdoe) has 3 Gigs of storage space he can use.
He will start to get warned above 2GB, and cut off after 3GB
We don’t change the file limit, just the overall size limits. I don’t really care how many files he puts on there, just as long as the
overall size of his home directory doesn’t exceed 3GB.

Page 255

When you get back to the main quota screen, you should see something like this.
There is all the information you could need right there. You can see user jdoe is using 26MB. He is allowed to use 3GB. He will be
warned when he reaches above 2GB. And I put red x’s through the file limits, because I don’t care how many files he puts on there.
You don’t want to set a quota for root, because root is un-stoppable, and root is you. And you don’t want to set a limit for user
uploadman because that is also you.
But always set quotas for your users
Lets make another user called testuser with a password of abc123

With a home directory of /mymounts/vraid/users/xhomes/testuser
*or /mymounts/d2p1/users/xhomes/testuser depending on your setup

Page 256

We will use this user to test things your setup for your users. Because once you go live with this and start giving people access, you
won’t know their passwords, and will need an account of your own to test user settings with.
So navigate to the Webmin Users and Groups module, and create a new user
And very similar to what you did for user jdoe
setup user testuser

Page 257

Page 258

Click the Create button
And using the Disk Quotas module, give him a limit of 5GB, warned at 4GB.
Similar to what you did earlier
Click on testuser

Page 259

Setup the quota, and click update
That’s it for quotas, and now you have a user name testuser you can use for testing
Next we are going to setup Usermin.
Usermin, is a Webmin like interface you can give your users access to. Remember, you never want to give them Webmin access,
that’s for you, so Usermin is a great medium.
After we install it, we have to do a lot to lock it down. It’s a little too powerful, so we have to configure to only allow access to the
things we want your users to see.
First we need to download the Usermin installer from http://webmin.com

So let’s navigate to our Upload and Download module, so we can download it.

Page 260

Make sure you are on the download from web tab
Paste this link into the URLs to download field
http://prdownloads.sourceforge.net/webadmin/usermin_1.450_all.deb
Eventually these links will stop working due to new versions, so you may have to use the versions from my server, or go to
webmin.com and find the newest link.
My server
http://t3.woodel.com/my-linux-how-to/usermin_1.450_all.deb

Page 261

This will download the installer to the /options folder for you.
And we will install it using the Software Packages module

Page 262

Chose From local file, provide the path, and click the install button

Page 263

Click the install button
Ignore the fact it’s telling you to login above, we are not ready for that yet.
Usermin is now installed, we have to lock it down now, because its default install give the user way more control than we want them
to have.
You should have a Usermin Configuration module within your Webmin screen now, towards the top, under Webmin

Page 264

If you don’t see it, you may have to hit Refresh Modules at the bottom on the screen
Usermin has a lot of features we need to disable for our users.

Page 265

Starting from the top and working to the right lets click on User Interface
You should see something like this, make the following changes, and click save.

Page 266

Page 267

Next click on Upgrade Usermin, but don’t click anything else
This is how you would check for updates for Usermin, but resist doing this now if you can, that way our screens continue to look the
same.
Click Return to Usermin configuration

Page 268

Next click on SSL Encryption
And change Enable SSL if available to No
And click save
This will disable https for Usermin, and force it run un-encrypted, using http

Page 269

This would normally be a horrible idea, https is awesome. It’s what keeps your passwords and transactions safe on the internet. We
just disabled one of Usermins best features. But we are going to use Usermin as an FTP alternative for our users. We have already told
our users to not put files on the internet they don’t want others to see, and have already told our users not to use important passwords
(meaning don’t use the same password here as you do for your bank or for your email)
Since this is just an alternative to FTP we are offering, and since FTP isn’t safe, we can go ahead and disable https.
This only affects your users and Usermin, your Webmin is still https, so no worries there.
Again that was a terrible change we just made. Hopefully someday you will turn it back on. We disabled it for ease of use for our
users, as that https certificate warning will get in the way of a lot of stuff they will try to do, and running non https will speed up their
downloads.
With a little training you could teach them (your users) how to interact with the certificate warning, or better yet, buy your own ssl
certificate from http://dyndns.org and not get any warnings at all.
If you ever buy one, you could return to this page and insert it here, and change it back to SSL mode

Page 270

But this how-to is focused on the free and easy, so we will continue with non https for Usermin, and instruct our users to not use re-
use important passwords and not put confidential files onto the web.
And to make sure I didn’t confuse you, do not ever disable SSL for Webmin, I am strictly referring to Usermin and non confidential
user files.
Next click on Usermin Module Configuration
Then click on Upload and Download

Page 271

And make the following changes
Then click save
You should be returned to this screen, click on File Manager

Page 272


Page 273

Page 274

Then click save

Page 275

You should be returned to this screen, click on File Manager again, there is another change we need to make to it.

Page 276

Click on the Default users preferences tab, on the top right, and make the following changes.
Click save

Page 277

You should be returned to this screen
Click Return to Usermin Configuration

Page 278

Then click on Available Modules

Page 279

Make sure you un-check everything except
File Manager, Disk Quotas, Upload and Download, and Change Password.
Everything else needs to be unchecked
Then click save

Page 280

Next click on Allowed Users and Groups
Then click save
Next click on Access Control Options

Page 281

Then click save
That’s it for Usermin, you can login as see the fruits of your labor

Page 282

To login, open your browser and type http://your-linux-box-IP-address:20000
My IP address is 192.168.2.111
So I would type http://192.168.2.111:20000
Login as testuser with password abc123

Page 283

Here your users can use the Browse button to choose and upload files over the internet or network, directly to their home directories.

Page 284

This is the FTP alternative we were talking about. Most users will find this a lot easier to use than FTP. Especially those using a lot of
different computers \ operating system. Since it’s web-based, it will always look the same, no matter if they are on a Mac, PC, Linux,
or something else. FTP is still available, and they both still work, side by side.
It isn’t anywhere near as fast or dependable as FTP, but your internet users and non-computer savvy users will like it.
For extremely large files, you will want to use FTP or Samba
(we will cover Samba later in this how-to)
This Upload and Download module will load as the homepage for your users, but they can also click on the menu items on the left.

Page 285

Here they can check their disk space usage and quota, use the File Manager module, and even change their own passwords.

Page 286

Just remember to tell your users about the dangers of entering passwords over a non https connection.
That’s it for Usermin, your users will really like how easy and flexible it is.
Hopefully you will change it back to https \ SSL mode, and teach your users about the certificate prompts, disabling that is always a
bad idea.
Or purchase your own ssl certificate, and have the best of both worlds.
If you’re going to be offering this server to internet users, you’re going to need to setup a dynamic hostname, so you can give your
users a website name to go to, instead of an IP address that they will never remember.

Page 287

So instead of telling user jdoe this is his website, which he will never remember
http://123.123.123.123/jdoe
You can do something like
http://example.com/jdoe Or http://jdoe.example.com
And instead of telling jdoe this to manage his account http://123.123.123.123:20000
You could do http://members.example.com or http://my.example.com
Your users are already accustom to website names like this, most of their other online accounts will start with members, or
cardholders, or my. And then the website name
In all of these examples, you would replace example.com with the unique name you chose as your dynamic hostname. It’s
dynamic because, your IP address will change over time, but the name will not.
There are many sites that will do this for you. In this example we will use is http://dyndns.org
I use them, and I think they do a great job.
You can go to their website, and chose either a paid dynamic hostname, like example.com.
Or you can choose a free dynamic hostname, but the free ones put a little advertisement in the name, like example.drink-beer.com
It’s a small price to pay, but every time you tell your users their link, your advertising for beer.
I would go with the paid version, the support is better, the names are shorter, and your users will take you more seriously.
http://dyndns.org calls their paid version custom dns

Page 288

Start by going to their website http://dyndns.org
Chose a free one, or a paid one
I use the paid one, the names are easier to remember, its more robust and the support is better. With the paid one you can email them,
and a real tech will answer you. If you go with the free one, I think email is disabled and you have to use the knowledge base.
Both works great, I have a couple free ones I have never had a problem with as well.
Chose your poison, type the name you want in the example box, and click the add button.

Page 289

For example, we will say you selected kevin.gotdns.org
*Don’t use kevin.gotdns.org, that’s an example
If the name isn’t available, it will ask you to pick a different name. Once you find one your happy with, click add.
The website will walk you through everything you need to do, and you will leave with a dynamic hostname and a username \
password for making changes.
Then all you need to do is tell your router at home that information, so it can dynamically update the IP address at your house, to
match the hostname you picked out.
Your routers management interface should have a tab call DDNS. Log into your router and fill in the information.

Page 290

*Don’t use kevin.gotdns.org, that’s an example, use the name you picked at the dyndns website.
Now your router will tell the dyndns.org website if ever your home IP address changes, so that your hostname will always point back
to your router at home, even if your IP address changes (and it will)
Now your router will always respond to the hostname you picked.

Page 291

Now all you have to do, is tell your router what computer, inside your house, to send the traffic to.
So far we have a need to port forward ports 20, 21, 22, 80, 10000, 20000 to be directed to the Linux box inside your house. Today
mine is ip address 192.168.2.111. That would look like this
Now your router will send web traffic (that’s port 80) to 192.168.2.111 (your Linux box)
Now your router will send ftp traffic (that’s ports 20 and 21) to 192.168.2.111
Now your router will send ssh \ putty traffic (that’s port 22) to 192.168.2.111
Now your router will send webmin traffic (that’s port 10000) to 192.168.2.111
Now your router will send usermin traffic (that’s port 20000) to 192.168.2.111
This way your Linux box (192.168.2.111) isn’t totally exposed to the internet, you control what traffic is allowed to get to it.

Page 292

Now if a user types http://kevin.gotdns.org into a browser window, browsers talk on port 80, and you router will know where that
is supposed to go.
Now if you type kevin.gotdns.org into a putty window, putty talks on port 22, and your router will know where that is supposed to
go.
And so on and so on.

That’s pretty much it for the dynamic hostname and the firewall \ port forwarding configuration. If everything is working but ftp, you
could be having a min_passv, max_passv problem with your firewall. Or a modprobe ip_conntrack_ftp problem. Those are advanced
problem, and we will cover that much later in the how-to. But if everything is working beside ftp, you will want to keep reading into
the advanced section.
You should now be able to get to your Linux box from the internet. Meaning you should be able to get to it from work, a friend’s
house, etc… using your dynamic hostname.
Next we are going to setup Samba. This isn’t something that’s going to benefit your internet users, but you’re going to love Samba for
your network users. Meaning people inside your same small business network or home network. It’s basically File Shares for Linux.
It has very few limitations, and is really an all in one solution for your LAN. Once you go Samba you will never go back. Everything
you do from a Samba share is streamed and or ran live, directly off the server, not downloaded to the user’s PC. So when you play
music or movies from the Samba share, you don’t have to wait for them to download first, they play right off the server. Same with
documents, they live on the server, and you work on them live, never downloading to your PC.
We need to disable one of Sambas coolest feature, the home shares. By default Samba shares every user’s home directory, with the
correct permissions, so only that user can see his or her files over the network.
Home shares are awesome, they work perfectly with very little configuration. But we need to disable them because we have ftp
enabled on everyone’s home directories. We are going to consider the data in peoples Samba shares to be confidential. So we do not
want them accessible via ftp.

Page 293

We are even going to use Samba to put a users “My Documents” folder on the server, so when they save to their My Documents
folder on the windows PC, it actually saves to the server. There will surely be confidential data in there, so we don’t want FTP and
Samba listening in the same folders.
FTP is not secure, and is provided for our external users. So we need to move our shares to a different directory, only accessible by
our internal users. Plus once your internal users experience Samba’s awesomeness, they will never want to FTP again anyway.
It’s our fault for running both FTP and Samba on the same server. Realistically you would want two servers, one private, and one
public. But this how-to assumes you have limited resources, and wish to run both FTP and Samba on the box.
So unfortunately, we will need to delete all the share’s listed below.

Page 294

And then we are going to setup the defaults for all new shares. That way when we create new ones, they already have most the right
settings, kind of like a template.
Click on Unix Networking
*Reminder, much earlier in this how to, I changed my IP address from 192.168.2.111 to 192.168.2.1 so when
You see me refer to 192.168.2.1 im just talking about the local IP address of your Linux box.

Page 295

For the listen on address, use your local IP address.

Page 296

Mine is 192.168.2.1 use your IP address of your Linux box
This is important later on in the how-to, we when add another network card.
Next click on Windows Networking

Page 297

Click save

Page 298

Next click on File Share Defaults
There are a few sub menus under File Share Defaults, if you get lost, just click File Share Defaults again from this main screen

Page 299

The “Other Share Options” are the sub menus I was talking about, if you get lost, just click the File Share Defaults icon on the main
menu again.
Click the Security and Access Control icon, and make the following changes

Page 300

Under Host to allow, allow only 127.0.0.1 and your subnet
If you’re on a 192.168.2.xxx network, then use the settings above
If you’re on a 192.168.1.xxx network, use 192.168.1.0/24

Page 301

Don’t be worried that we just set the default value to writeable. We are going to fix that later. All that will mean by the time we are
done is that they are all writeable by their owner, and not really everyone, the way it appears now.
Setting up these defaults will save you a lot of steps, and pre-fill in some information for you when making new shares. So they come
up as kind of like a template, where you just have to make a few changes, and it will make more sense.
After you click save, you should be returned to the sub-menu, where you can click on
File Permissions
Click on File Permissions

Page 302

There is a ton of good information right there, and I will explain what it all means as soon as we finish these sub menus.
Click save, and you should be returned to the sub menu

Page 303

We don’t need to change anything under the File Naming icon, so we will skip to the
Miscellaneous Options icon.
Click on the Miscellaneous Options icon

Page 304


Page 305

This should return you to the sub menu, make the following changes
And then click save

Page 306

This should finally return you to the main share menu
Now that we are back at the main share menu, and are done with the confusing sub menus, I wanted to take a moment to explain these
settings, knowledge of what these mean are pretty important…

Page 307

Here is what 700 permissions mean, we will be using 700 the most, and now is a good time to talk about it.

Page 308

Its unlimited rights for the user. (wood)
In our setup the user is the owner of the file. The owner of the file is the person that uploaded it to the server. So when your users
upload a file, they own it, because it’s theirs.
There are no rights for anyone else, to others it would appear as if the file isn’t there.
In the group field you see root, it’s just filling a blank space for us. You have to put something there, we aren’t using groups just yet,
we will be covering that later. So putting root there just fills in the spot for us. All the rights are unchecked anyway, it’s just filling the
field for us.
There is one exception, root doesn’t need rights. Root is too cool for that. Using the File Manager module, or being logged in as root,
you can see and do anything you want. So as long as you’re logged in as root, or using the Webmin File Manager module, then these
rules don’t apply to you. But try to forget that, it’s an exception to the rule. You should consider that 700 example above as only being
accessible by user wood. And you’re the only one that can Webmin anyway. This isn’t any less secure, it’s just so you don’t lock
yourself out.
So if user wood uploads a file, he is the user, he owns it, he can do whatever he wants to it. This is pretty standard, it’s his file, he
can do what he wishes to it.

Page 309

Here is where we forced that all to happen by default when we create a share
Any files uploaded to the shares will get the 700 permissions we talked about. Meaning only that user can see and use those files.
We don’t allow the following of shortcuts (symlinks)
And we allow deleting of read only files, because that user put that file there, they own it, they should be able to delete it if they want.
Most of the shares we are going to make will use this 700 setting.

Page 310

We will be making a couple that use 755, that looks like this

Page 311

Above you can see this folder would be usable by everyone, in a read only like mode. This is not the kind of permissions you would
want on confidential files. They can download files, run files, view documents, they just can’t add files or delete files, because they
can’t write. Only user wood can write, modify, and delete.
So this kind of access would be ideal for providing your users the ability to download files you put in there. But you don’t want them
to delete anything, add anything, or change anything. At home this may be your media share, with your playlist, music, pictures,
moves, etc. In a small business this might be where users could download installers, pdf’s, forms, and non confidential data, etc.
These permissions only pertain to files uploaded via Samba. If you interact with these folders using the File Manager (or some other
module other than Samba) they won’t get the permission we specified, as Samba wouldn’t even know it was put there.
If you accidently mess up a file\folder permission, you can use the File Manager to fix it.

Page 312

You just have to highlight the file or folder in question and hit the info button
Just be careful, you’re un-stoppable this way. You won’t be warned if you’re doing something wrong. Good rule of thumb is never do
this to a file or folder that you didn’t create. That way you’re not messing with system folders ever.

Page 313

We had to go through all of this with Samba because we disabled the home directory shares. So we caused the problem :- ) but it was
necessary for our particular setup, because we have internet exposed home directories. If this were a server only running Samba, and
we didn’t have so many different ways to access it, we could have avoided a lot of these lock downs.
Ok, back to work.
We are almost ready to start making shares, we just have to configure the server to automatically make a samba account every time
you make a new user account.
Linux treats samba accounts and user accounts as two different accounts, so we need to tell it to stop doing that.
Scroll down on the main share page until you see

Configure Automatic Unix and Samba user synchronization

Page 314

This will only work on newly added users, and only if you keep using the Webmin module “User and Groups” to add them.

Page 315

I say that because at the end of the how-to, im going to encourage you to learn the command-line way of doing everything. This would
be the exception. For adding users and groups, keep using this module.
So all of the users we add from here on out will automatically get a samba account.
Which means we missed user wood

As he was created on page 18 before we even installed Samba
This is really easy to fix, just launch the ssh2 module, and run the following command

Page 316

smbpasswd –a wood
Remember to replace wood with the name you picked during setup
And use the same password
This will create him a Samba account, and you will be all set

Page 317

You should see something like this, you can now exit the SSH2 module
That should be the only time you need to do that, as now they are being created automatically every time you make a new account.
(using the Webmin module)

Page 318

You might be wondering… what about user jdoe and user testuser…
Those are internet users, they don’t apply here, you don’t need to add them.
We don’t want them to Samba, because they are examples of people who are not on your local network.
Let’s make (5) example users, these will be examples of people on your network, in the same house, building, or network as you.
Using the Users and Groups module, create the following (5) users
Username: roommate1 Password: roommate1

Page 319

Username: public Password: public
When creating them, leave their home directories at the default setting, don’t specify a custom home directory for them.

Page 320

Page 321

I used roommate as an example, meaning that they are in the same building as you, meaning same internal network.
Continue on, and make all (5) accounts
You should see something like this, notice their home directories are in the default location.
Once you have all (5) accounts created, We are finally ready to start making some shares.
Open the File Manager Module, and navigate to /mymounts/vraid/users/
(Or /mymounts/d2p1/users/ depending on your setup)

Page 322

Create a folder called nshares
To me this means internal shares

You should now have something like this
/mymounts/vraid/users/nshares
Your users folder now contains an xusers folder and a nshares folder
This folder structure reminds you that
It was mounted by you (mymounts)

It’s on a virtual raid (vraid)
It contains user data (data)
xhomes = exposed homes (exposed to the internet, and the web-server)
nshares = internal shares (internal to your network)
*Always remember your xhomes folder is exposed to the internet, because apache and FTP are listening in there, so triple check
you’re not making any shares inside that folder, you want to be at least one directory higher, in the nshares directory.

Page 323

Like this
/mymounts/vraid/users/nshares/ …
Not this !
/mymounts/vraid/users/xusers/nshares/ …
We won’t be using the File Manager to make any folders deeper than
/mymounts/vraid/users/nshares/
Because the File Manager won’t make the file permissions the way we want.

Page 324

Here is how you can tell, click on the nshares folder once to highlight it, then press the info button

Page 325

As you can see, these are not the ideal file permissions for our shares.
It is the ideal set of permissions for the nshares folder. But not for the shares inside it, the deeper sub-folders we are going to make
inside of them need to be created by Samba. And these sub-folders will be the actual shares.
So once you have create the nshares folder, you can exit out of the File Manager, and return to the Samba Windows File
Sharing Module
And click on Create a new file share

Page 326

You should see something like this every time you create a new share
You were probably expecting that box to say 700
This screen is talking about creating the share. All that 700 template stuff we setup earlier was for the files that will be uploaded by
your users, and eventually populate the share.
This screen is talking about something else, it’s talking about creating the share.

Page 327

Let’s make the following changes, this will be the share for user roommate1
We are considering this a confidential share, as it will house roommate1 personal data.
That’s why we need to change the permissions to 700
You probably noticed the directory /mymounts/vriad/users/nshares/roommate1 doesn’t exist yet.

That’s perfect, that’s what we want. This way Samba creates that folder, with the permissions we filled in here.

Page 328

You probably feel like you have entered this information twice. That’s not true. All that default share stuff we did pertains to the files
roommate1 will later be uploading and using. This screen is setting up the correct permissions for his share.
For the directory put

/mymounts/vraid/users/nshares/roommate1
Click the Create button

Page 329

You should be returned to the main screen, and see something like this.
Click on Create a new file share

Page 330

And make all of the following shares
Notice that the fields all say roommate2
Click Create
Create another one

Page 331

Click Create
Create another one

Page 332

Click Create
Create another one

Page 333

Notice that the fields all say wood
Click Create
Create another one

Page 334

Notice this one is a little different, this one is using 755.
As you can probably tell, this one is going to be readable by all, but only writable by you (wood)
Click Create
Create another one

Page 335

Notice this one is a little different. Set the owner to username nobody
That isn’t an example, really use the name nobody
And the permissions to 755
We are going to do something different with this one, make sure to type the word nobody in there, just as you see it.
This is going to be a publicly writable share, so your users can share files with each other.
Right now they probably email everything as an attachment, this will help cut that down a lot.
I will explain the username nobody later
Click create

Page 336

This should be returned to the main sharing screen, and you should see all the shares you just made listed.
Because of all the defaults you setup, roommates 1 through 4 are done.
We have to make a small change to media, and a few changes to public.

Page 337

Click on media, and make the following changes

Page 338

At the media sub-menu, click on File Permissions
Make sure you’re at the sub-menu for the media share, and not in the defaults for all shares.
It should say Edit File Share at the top, and not File Share Defaults.

Page 339

Then click on File Permissions and make the following changes.
Click save
You will have to click save at the next screen too.
Do these exact same steps for the public share too, and click save.
There are a couple more changes we need to make to the public share.

Page 340

Click on public and make the following few changes
You will see a sub menu
Click on Security and Access Control

Page 341

Make the following two changes
And click save
User nobody isn’t an example, really use the name nobody
You will be returned to the sub-menu, where you need to click save again

Page 342

You will be returned to the main screen, scroll down to the very bottom and click

Page 343

Restart Samba Server (If you’re using Ubuntu you may need to reboot. Ubuntu now stops and starts services differently)

Page 344

Now all (7) shares are setup and ready to use, you now have a fully functional file server.
You can connect to them from your Windows PC now by typing
\\your-linux-box-IP-address\
Mine is 192.168.2.1
So I would type \\192.168.2.1\

Page 345

Do this in an explorer window, like the my computer window.
You can click go or hit the enter key on your keyboard
You should be prompted to login

Page 346

Let’s use
username: roommate1
password: roommate1

Page 347

Your logged in as username roommate1
So you should be able to do anything you want inside of the roommate1 folder

Page 348

Here you are in the roommate1 folder, making a new folder

Page 349

And you should be able to do anything inside of the public folder

Page 350

If you double-click on any of the other roommates folders, you should get an error, and not be allowed in. This is what we want.
That’s their confidential folders. Not yours.
You should also be able to see inside the media folder, there isn’t anything there yet, but you should be able to double-click it.

Page 351

You shouldn’t be able to add or delete anything.
Only user wood can do that.
Once user wood uploads some files into there, your users should be able to access them, but not change or delete them.

Page 352

That user nobody stuff we did is pretty cool.
It’s going to force all users as a “guest user” anytime you enter that folder. That’s the magic behind everyone being able to edit that
folder, even though it’s got 755 permissions. Because it thinks anyone inside that folder is user nobody, and user nobody is the owner.
The username public might never be used, but is needed because we require an account from anyone wanting to access a share.
This would be one you could give to someone wanting temporary access to your shares.
It would be for someone on your network who doesn’t have an account.

You could tell them “just login as username public password public
And they would be able to access the media and public shares, but none of the confidential roommate’s shares.
This is extremely helpful at home, when you have LAN parties. Someone always has a patch or a cd key they need to share, you can
tell all of them to use username public, and they can put the needed files up in the public folder for everyone to access.
Or in a small business, you might have a vendor stop by to show off a product, and they need share access. Just tell them to use
username public password public, and they are in, with no work for you to do, and they can’t get to anything confidential.
It’s just a complete solution, once you have it you won’t be able to live without it.
You can combine these shares with this awesome backup utility. Cobian backup
It’s free, and amazing. You will throw away your paid backup software and use this one, it’s the best.
http://www.educ.umu.se/~cobian/cobianbackup.htm
Just install this on your user’s windows computers, and tell the backup destination to be the share on the server, and your done. It’s
beautiful.

Page 353

File permissions vs. share permissions, and why to do it the hard way.
There are both File Permissions, and Share Permissions at work whenever you attach to a share. File Permissions are the grand daddy
of them all, if the File Permissions don’t allow it, its not going to happen, no matter what you tell the Share Permissions to do.
On the flip side, you could loosen up the File Permissions, (something greater than 700) and control access over the Share
Permissions. There is a great amount of flexibility here, it’s always tempting, you can pretty much achieve anything this way, but let’s
talk about why you shouldn’t use them.
As seen in the screen below, there are some very tempting choices

Page 354

You probably see a ton of flexibility there. But the reason I don’t use this is because these share permissions only apply to Samba, and
in this how-to our Linux box has several different access modules in use. If someone gets in a different way, via some overflow hack,
or FTP misplacement. They get dumped to the root of the drive, and can explore all of your files and folder that are set to 755. Which
are the default permissions for most folders. This is a pretty common mistake with SSH servers. By default SSH users can change
directory to wherever they want and explore the entire hard drive. Anything 755 would be exposed. We are of course going to tighten
up SSH later, but you see the point. Limiting users this way is only respected by Samba, and not any of the other modules.
That’s why I always make the Share Permissions match the File Permissions, because I’m telling myself this is the maximum access
anyone could have, no matter what module they use to access it. And always keep confidential directories 700 or below.
It’s more work, and slightly less flexible, but it’s better to make a mistake and not let a user in, then to make a mistake and let a hacker
in.

Page 355

I always consider permissions on the bottom row to be public. That’s horribly inaccurate, especially on a private LAN… but it’s a
good rule of thumb.
Other is basically everyone, not requiring an account on the server to access the file.
We used it on a couple of our public shares, just give that bottom row a lot of thought, make sure you really need it.

Page 356

If you don’t want the Printers and Faxes folder to show up
Add these three entries to the Samba configuration file /etc/samba/smb.conf
# In the section that talks about printer
load printers = no
disable spools = yes
show add printer wizard = no
# These have to be in the printers section

Page 357

You can do that with either the File Manger or the Edit Config button on the Samba screen below.
Click on Edit Config File

Page 358

Scroll down to the printer’s area, and add these three lines
load printers = no
disable spoolss = yes
show add printer wizard = no

Page 359


Page 360

And while you’re in there, scroll up and find the line that says include =
And comment it out with a #
Webmin doesn’t seem to like that include statement in there, so just comment it out.
Click Save.
Then just restart the Samba service, and you should be good to go.

Page 361

If you ever have problems logging into your shares, try 127.0.0.1\ or .\
Placed before your username. Sometimes the computer will prepend a domain name to your login, if you’re having that problem,
127.0.0.1\username or .\username as your username should fix that. Also make sure all your computers are in the same
workgroup.
Username 127.0.0.1\roommate1
Example:

Page 362

Samba is cross-platform, MAC, Unix, Windows. Windows boxes use \\ip-address and or \\server-name
GUI Linux clients and Macintosh use smb://ip-address and or smb://server-name

Page 363

In Ubuntu, that’s under Go \ Location
Then just hit enter, and you should see a list of shares, Just as you did in Windows.

Page 364

I wouldn’t recommend it, but … If you’re wanting to browse to your shares, using something like network neighborhood or
workgroups for windows. And you aren’t planning on completing the advanced section of this how-to, where you setup a local DNS
and DHCP server. Then there are a few tweaks you can do to make the name browsing work. Again, I wouldn’t recommend you do
this, I would recommend navigating to your shares by IP address, map a drive, make a shortcut, any of these are better solutions then
browsing your network for computer names. But if you have a dire need to browse to your shares by name, here are two tweaks that
can help.
I’m purposely going to move fast through this, using red font on the non recommended parts, and not show any print-screens, because
I don’t recommend you do it.
*Make sure all your computers are using the same workgroup (probably diy.lan if you’re following this guide)
*If you’re using static DNS entry’s on your Windows PC’s. Make sure the only entry is your routers private IP address, and then enter
the public DNS entry’s into your routers configuration page, instead of statically at each machine. This way your local networked
computers searches for names from your router and local network(s) and not the internet.
First, on your Windows computers, if you’re using static IP addresses, you’re probably not getting the right DNS suffix for your local
network. If you right-click on your network card, and choose properties. Then double-click on TCP\IP (version 4 if you have two
choices)
Then click on advanced, and click on the DNS tab at the top. Add diy.lan (use your workgroup name) to the fields that says “Append
these DNS suffixes in order” and “DNS suffix for this connection”
Apply and reboot, and now your windows machines will add .diy.lan to the end of everything you’re browsing for, which should fix
any name resolution problems you may be having. This is a manual band aide for not having a local DNS server and DHCP. I don’t
recommend doing it because it’s really easy to forget that setting is there, and will cause you major problems if you change your
network setup and forget that it’s still hard coded at each machine.

Page 365

The second fix is even more extreme and not recommended. If you open up Webmin and navigate to the Samba Windows File
Sharing module, and click on Windows Networking. You should see a field that says “Remote announce to” Just click the button that
says “from list” and enter an IP address on the left. And your workgroup name on the right (diy.lan)
You can play around with what IP address works best for you. You can put the IP address of your router, so the Samba server
announces its name to the router. Most routers will block directed broadcasts like this, so play around with it, you can put the IP
address of certain computers you want the Samba server to announce its name to. You can announce it to all your machines by using
192.168.2.255 on the left and your workgroup name on the right.
This ends the non-recommended part. It’s my opinion that these settings should not be used. Remote announce to: is very noisy on
your network, and static DNS entries are way too easy to forget they are there. But if you have a browsing by computer name need, a
combination of those should fix it. If you’re on a GUI Linux box with static IP’s, then the steps on pages 104,105,106, and 107 of the
PDF should be applied as well.
Next we are going to setup Samba groups. On a small home network you probably won’t need this. But as your network grows, or if
your setting up a small business network, this will become a must have.
Extremely similar to what we did early, when we told Samba and Webmin anytime a user account is made, also make a matching
Samba account. We need to tell Samba anytime a group is made, also make a matching Samba group. This isn’t the law, but if you’re
following my how-to exactly, we are requiring every user to have a system account, and a Samba account, and are matching
filesystem permissions to share permissions. So for this to work right we have to have matching users and groups in both. But after a
few clicks that will all be transparent anyway, and the system will automatically take care of all that for us.

Page 366

Navigate to the Samba Windows File Sharing module, and scroll down towards the bottom and click on the
Configure automatic Unix and Samba group synchronization icon

Page 367

You should see something like this, make the following changes and click apply
Just a reminder, you have to forever use the Webmin module for creating new users and groups, or this function won’t happen.

Page 368

Next navigate to the Users and Groups module, and click on Local Groups.

Page 369

And then click on Create a new group

Page 370


Page 371

Click Create
Now you have a group called mygroup1 that is both a Linux group and a Samba group
With the following members: roommates 1, 2, 3, and 4, and yourself (wood)
Next navigate to the Samba module, and click on Create a new file share

Page 372

Notice the share is called pub4roomies

Which to me mean a public share, but only the roommates can access it (and you) everyone in the group mygroups1
Notice the Create with permissions are 770

That’s unlimited for the owner, unlimited for the group, and zero for anyone else.
Make sure the owner is you, and the group is mygroup1, and click Create.

Page 373

You should have been returned to the main Samba screen, but there are few more changes we still need to make.
Click on the pub4roomies share

Page 374

Click on File Permissions

Page 375

You will have to click save at this screen, and the next one.
You’re almost done, we just have to make one small change to the permissions of the pub4roomies folder.

Page 376

Using the Webmin File Manger module, navigate to the pub4roomies folder, click on it, then click Info.

Page 377

Click the Files inherit group checkbox, and then click save

Page 378

You could also optionally click the only owners can delete files checkbox. If you didn’t want the roommates deleting each other’s
stuff. But this is a public share for them, so I wouldn’t recommend check that box, unless you have one jerk roommate :- )

Page 379

That’s it, just navigate back to the Samba module and restart Samba.
Now any member of the mygroup1 group can access the pub4roomies share with full rights.
Newly uploaded files will get the uploading roommate as the owner, and mygroup1 as the group, and be fully accessible by all of that
groups members.
That’s pretty much it for Samba, there is just a little preventive stuff we should do.
Lets ...
Setup Quota’s for these new users
Setup restricted password change module
Show users how to map their My Documents folder to the server.
We should setup Quota’s for the following users
roommate1
roommate2
roommate3
roommate4
public
nobody
I left wood out, because wood is you

Page 380

You will need some big Quota’s here, your users will get a lot of use out of these Samba shares.
Similar to what you did earlier

Set them up with a quota
We also need to be concerned about the OS drive. Because we set these users up in the /home directory as well as the /mymounts
directory.
We need to limit what they can put in /home. That’s on the OS drive or /

Page 381

The roommate users and public user can still access /home via FTP
Rather than disable FTP, let’s just set them a ridiculously small quota, like 1MB
Quota isn’t enabled yet on the OS drive, so we need to enable it.

We just need to make a simple change to the Disk and Network Filesystem Module.
Navigate to the Disk and Network Filesystem Module.
And click on /
*sometimes listed as / (root filesystem)

Page 382

Change that from No to User only
And click save

Page 383

Now the next time you navigate to the Quotas Module, the OS disk /
Should now be there
Click on Enable Quotas
Your computer will freak-out for a couple minutes while the Quota is checking the OS. Give it time, it will eventually finish.

Page 384

Once it finishes, click on /
And limit these users to 1MB
roommate1
roommate2
roommate3
roommate4
public
nobody
*If you don’t see a name you’re looking for, you can click the “Edit Quota For” and browse for it.

Page 385

This way everyone you create still gets an FTP account, but these users can’t really use it for anything.

Page 386

Now let’s give them Usermin access, but restrict it to only password changes and Quota view.
Navigate to the Usermin Configuration Module.
And click on Module Restrictions

Page 387

Then click Add a new user or group restriction

Page 388

Do these same steps for
roommate2
roommate3
roommate4
wood
You don’t have to worry about users public or nobody

Page 389

After you have added those other four users, we need to allow them Usermin access.
Click on the Allowed Users and Groups icon

Page 390

You should see something like this, start adding the users
Add the following users
roommate1
roommate2
roommate3
roommate4
wood
Click Save

Page 391

Click Restart Usermin
Now you Samba users, from inside your network, should be able to change their own passwords and view there Quota, without seeing
the File Manager like your internet users have.
To access Usermin, its http://your-ip-iaddress:20000
My ip is 192.168.2.1

Page 392

So I would type http://192.168.2.1:20000
Login as username roommate1

Page 393

And you should see something like this
As you can see, they only have two choices instead of four, because we don’t want them to have the File Manager or the Upload and
Download modules.
This is a really convenient way for your users to change their own password

Page 394

That’s it for the locked down Usermin config, now you can show your users how to map their My Documents folder to the server
(if you want)
That way when they save files to their My Documents folder on their PC’s and Laptop’s, they are actually saving them to their server
share.

Page 395

First have them login to their share, and make a folder per computer. Something like
my_dell_laptop and my_gateway_pc
Assuming this is roommate1 your working on, and assuming he has a Gateway Desktop PC and a Dell Laptop
And assuming your sitting in front of the laptop right now.

Page 396

Just right-click on his My Documents folder, and choose Properties

Page 397

And change the Target path from whatever it says to
\\192.168.2.1\roommate1\my_dell_laptop
Now everything roommate1 saves to his My Documents folder, will actually be on the server.
And now from his Gateway desktop, if he goes to \\192.168.2.1\ and logs in
He can get to his laptop files from his desktop
And vice versa, once both are setup this way
Just make sure to move the current data out of the My Documents first, and paste it back in after the target has been changed. If you
change the target while their data is still in there, it will appear to the user like all the data is gone, because the My Document folder
isn’t looking at their c:\Documents and Settings\user profile anymore.

Page 398

For users doing the My Documents thing… you will probably want to set them up to pass through authenticate. Meaning you will
want them logging into windows with the same username and password as their share. In this example, you would set the
roommate1’s computer to login to windows as username roommate1.
That will allow him to pass-through his windows login credentials to the shares.
If this isn’t possible, then you will probably want to map a network drive, to a drive letter, and then move the My Documents target to
that drive letter.

Page 399

Either way works fine, the pass-through authentication is best.
That’s about it for Samba, it would have been better to set it up on a separate computer. A computer without internet access even.
In the more advanced parts of this how-to, we are going to setup a VMware Server, which can run multiple virtual machines off this
one machine, all managed over a webpage. This can also be a helpful way to separate Samba from FTP into two machines, just have
them running on different virtual machines.
There are countless ways to do it, depending on your security philosophies.
Anyway, back to work
Next we are going to connect to a file share running on a Windows machine. Let’s say the IP address of the Windows machine is
192.168.2.6 and its allowing Admin$ shares on C.
We will mount this on our Linux box as folder /mymounts/samba2dot6
This folder naming to me means
I mounted it (hence the folder mymounts)

And that it’s a samba connection to machine 192.168.2.6
In this example, the entire contents of 192.168.2.6 hard drive will be accessible and useable from your Linux box.

Page 400

Navigate to the Disk and Network File systems and click on Mount type smbfs
I have had many users say that option isn’t there. If it isn’t there, the following three steps should make it show up.
First, make sure you didn’t miss the page that talked about apt-get install smbfs
*This how-to isn’t written to be able to skip pages
Second upgrade Webmin to the latest version

Page 401

Navigate to the Webmin Configuration module, and click on Upgrade Webmin

Page 402

Choose Latest Version from www.webmin.com
And then click Upgrade Webmin

Page 403

If successful you should see something like this
Third click on Refresh Modules
*Note, remember you can also upgrade Usermin the same way

Page 404

After the refresh is finished you should have smbfs as a mount type in the Disk and Network Filesystems Module

Page 405

Add the mount type smbfs, and you should see something like this
Give some thought to mounting it at boot or not. If 192.168.2.6 is on all the time, this shouldn’t be a problem. But for the most part,
you wouldn’t want to choose to mount it at boot time.
Also give some thought to the account you use. Because that password will be saved in the file /etc/fstab
This isn’t a security risk at all, nobody should have that kind of access to your machine to be able to read that file. Linux is already
setup to not allow that. But without local file encryption, and a couple security guards, there is always a chance it can happen.
(like if the computer was stolen, or booted off a live cd)

Page 406

We talk about file system encryption later in the how-to. But giving a lot of thought to the passwords you put in that file is important
to.
As you can see, I’m accessing computer 192.168.2.6 admin share on c$
Which should mean you have to provide an admin level password of that machine to access that share. But a work around is that
Windows Backup Operators can also access admin shares. So if you make and account on the Windows PC your wanting to connect
to, and you made that account a Backup Operator, and not an admin, it would still work.
Or even better, create an actual share that a user level account can access, instead of using the admin share C$. I’m just lazy and use
the admin shares, as a Backup Operator, so I can access the entire drive without giving up the admin password.
But putting a less important password in the box is smart anyway you look at it.
After you create the mount, you can view the Windows PC files on your Linux box by navigating to the folder
/mymounts/samba2dot6/
Next we are going to create some scheduled backup schemes.
Using the File Manager, create a folder called
/mymounts/vraid/osbackups
We are going to create one schedule for Operating System related stuff, and another for our data. For the Operating System scheduled
backup, we are going to use the Backup Configuration Modules module.

Page 407

Navigate to the Backup Configuration Modules module, and click on scheduled backups.
And then click on “Add a new scheduled backup”
Notice there is also a Restore Now tab at the top. In the event something goes horribly wrong, or your setting up a new system, you
can restore them using these backups and the restore now tab.

Page 408

Click on Add a new schedule backup, you should see something like this

Page 409

Notice how you are able to click on multiple choices in the modules to backup box. You can do this by holding down the control key
(Ctrl) on your keyboard, while clicking on the choices. Click on all the modules you would like to be part of this scheduled backup.
Select as many as you want.

Page 410

Page 411

Notice I selected backup destination local file
/mymounts/vraid/osbackups/bcf.tar
That’s bcf.tar
That means to me, Backup Configuration Files
And it’s important we put it on disk2 (/mymounts/vraid/)

That way if disk 1 goes bad, we have a backup on disk 2
Check all three boxes under Include in backup

And list system files you want a backup of, that didn’t have a module associated with it.
Operating System stuff only ( / ), don’t include anything from the second hard-drive
(The data drive /mymounts/vraid/)
We will make a different kind of backup scheme for that data, using a different module.
Put your local email address, username-created-on- page 18 @localhost

So mine is wood@localhost
If you select Simple schedule

You don’t have to use the minutes\hours\days schedule below
Click the Save button, and it will schedule the backup job, every month, on the 1st.
Or better yet, click Save and Backup now so you can make sure it works.
It will overwrite that file every month, which is probably what you want. But if you rather keep every backup job it makes, you can
change the filename from

Page 412

/mymounts/vraid/osbackups/bcf.tar
To
/mymounts/vraid/osbackups/%m_%d_%Y_bcf.tar
This will add the current date to the filename, which will be different every month, and so it won’t overwrite your backups.
That’s pretty much it, you can import these backups as a restore, and be back up in running in minutes instead of days.
The backups will be compressed into a single file using the TAR format, you can extract them and see them using
the File Manager module.
Just navigate to where the backup jobs are, and you should see a .tar file.

Page 413

Extracting can be messy if you don’t contain it to a folder. So create a new folder called
2bdeleted
And copy the .tar file in there.

Page 414

Then highlight it, and click extract
Say yes if prompted
Once they extract, you will see all the configuration files you selected to be backed up were indeed backed up.

Page 415

The folder structure will be a little confusing at first. If you told it to backup /etc/vsftpd.conf . It will copy the folder structure.
You won’t just see the file vsftpd.conf
You will see the folder etc, and the file vsftpd.conf inside of it.
That’s about it, if you ever need to restore the file or refer to it, you can find them here.

Page 416

And you should have a local email, telling you all about it.
Now we will setup a scheduled backup for the data drive. That uses a different module called Filesystem Backup.
Navigate to the Filesystem Backup Module

Page 417

Select in TAR format
And browse to user jdoe’s home directory

Then click the Add a new backup of directory button
Expand the two green arrows so you can see everything, and make the following changes

Page 418

The Backup to field reads /options/%m_%d_%Y_jdoe.tar

Page 419

Keep the backup label name short and sweet, they don’t allow it to be very long.
You only need to change the Minutes, Hours, and Days. That’s because we want it to run every month, so we don’t want to specify
A month, or it will only run on that particular month.

Page 420

This particular schedule says at 23:01 (11:01pm)
On the second day of every month, run the backup.
I did the second day, because we already have Operating System backups schedule on the first. You don’t want to schedule them at
the same time, that is too much work for the server to handle, so I did the second on every month.
Careful to not select more than one number, like this
Because it will let you, if you not careful. Holding down the Control key on your keyboard will help you deselect them if this happens.

Page 421

That’s about it, except the backup directory (/options) I selected would be a horrible place for your backups.
You would want to installed a third or fourth disk for these backup jobs, or maybe even a large USB drive. Or even better, take
advantage of that SSH button, and do offsite backups. Meaning the backups exist on a different computer. A separate Linux box
somewhere.
Earlier we talked about having a second computer setup only with Samba and SSH. You could use that SSH option to send the
backups to that computer. This is the best form of backups, as it gets the files off the computer, and in a second location. Just in case
that computer catches fire or is stolen or something.
This second computer doesn’t even have to be on your same network, it can be on the internet somewhere, and SSH will encrypt the
transfer and the passwords for you.
Click the Create Button and it should return you to the main screen.

Page 422

If you get an error like this one below
Then just click on the Module Config link at the top of the page

Page 423

And change the following two options to yes.
Then click save.
You should be return to the main page

Page 424

Notice the TAR option is gone, because we set it as the default. Also that red error message should be gone as well.

Page 425

Let’s make anther backup, they get easier after the first one, because instead of choosing a specific time, you can tell it to start after
the one before it finishes.
Select the home directory for user testuser

Notice now there is an Enable after option now

Page 426

So instead of picking times, and guessing when you think they will be done by. Just tell it do start the next job, after the previous one
finishes.
You can keep building on this, have the third job start after the second job finishes, and the fourth job after the third finishes, and so
on and so on. Don’t forget about your samba users (nshares folder)
As your list starts to grow, you can see the schedule on the right

Page 427

Here we can see that second job starts after the first one finishes.
That’s pretty much it for the backups, just set it and forget it. And you should get local emails with the statuses.
Just remember /options/ is a horrible place, I just used that as an example. Get some more hard drives, or an external drive, or better
yet use SSH to another computer.
You can also export your users and their passwords to a file, this is really useful if you’re planning on upgrading to a new server, but
don’t want to have to rest all your users password.

Page 428

Navigate to the Users and Groups module
Take note of the User ID numbers your interested in
(They will usually be over 1,000)
And then click on Export to batch file

Page 429

Make the following changes, tweak your UIDs range
Click Export now

Page 430

And be a nice admin, and consider that file extremely confidential.
Now you can build a new server, import those accounts using the run batch file button under the users and groups module, and your
users will never know anything has changed.
See why you should change your password more often :- )
That’s pretty much all there is to it
Next we will talk about disk maintenance and trouble shooting. Every so often you should run fsck (File System Check) on your hard
drives, it’s a lot like scandisk. There are few things you need to know before running this. The hard-drive can’t be mounted, it first
needs to be un-mounted. Some Google searched will tell you the –options to force it to check mounted drives, don’t ever do that.
Never scan a drive that is mounted. It only takes a second to un-mount it, take the time to do that, it’s well worth it.
You can’t really scandisk your OS drive, because you’re not able to un-mount it. Some Google searches will tell you have to use
Single-User-Mode to do it, which is similar to a Windows Safe-Mode, don’t ever do that either. It’s do-able, but not worth the
repercussions of typing something wrong. If you want to scan your OS drive, you should boot off a Linux Live CD, and run the
commands below. Being booted of the Live CD will ensure the drive is not in use. It’s worth the extra effort.
Your data drives are a lot easier to scan, because you can easily un-mount them

Page 431

Let’s say you want to run a quick scan on the hard drive /dev/sdb1
You would launch a Putty or SSH2 module session, and type
umount /dev/sdb1
That will un-mount the partition
Then type
fsck.ext3 –y /dev/sdb1
This command assumes your checking a drive formatted as EXT3. If you have been following this how-to, your drives are ext3.
Running this on a non EXT3 formatted drive will cause major problems, and you won’t get the warning, because of the –y will answer
yes to any prompts.
This will run a quick scan on the hard drive, and the –y tells it to answer yes to any questions.
If you wanted to do a more in-depth scan, you could run

fsck.ext3 -c -p -v -f /dev/sdb1
The –c tells it to look for bad blocks on the hard drive, this scan will take a very very long time.
And if you wanted to take it ever further, maybe you have a drive you’re having problems with, you could run the following command
fsck.ext3 -c -c -p -v -f /dev/sdb1
Specifying –c –c twice like that, will do a read and then write test to every spot on the partition.
It claims to be non-destructive. I’m not sure I would feel comfortable doing this command on a drive that I didn’t have a backup of.
I’ve personally never done it on a drive that had data on it that I cared about. I’m sure it’s safe, Linux is amazing, it’s just the “write”
part of that scares me. Do yourself a favor and make a backup first.

Page 432

Options –c and –c –c will note any bad blocks that are found, and mark them as not useable. At this point the disk is “fixed” a couple
bad blocks is bound to happen. But if you have this problem more that once on the same disk, I would consider replacing it, and
making sure your backups are up to date for that drive.
If you already have a backup, and you want to really want to try reviving the disk, you can do the following. Note these are
destructive, and your data will for sure be gone.
Type the following commands (this series of commands will take many days to complete)
Do yourself a favor and just buy another hard-drive :- )
fdisk /dev/sdb
m
d
w
dd if=/dev/zero of=/dev/sdb
fdisk /dev/sdb
m
d
n
p
1
Enter
Enter
w

Page 433

mkfs.ext3 /dev/sdb1
fsck.ext3 –c –c –y /dev/sdb1
You just used fdisk to delete the partition. Then you used dd to zero out the drive. Then you used fdisk to create a new partition. Then
you mkfs to format it with the EXT3 file system. Then you checked the file system both read and write using fsck
That’s extremely thorough, and will take many days to complete those steps. You may even want to hookup a keyboard and monitor,
because it will take so long, you will probably be tempted to close your Putty or SSH2 connection. This would make it hard to watch
the progress. This is pretty extreme, with today’s prices and warranties, you may want to consider replacing the drive when fsck finds
problems more than once.
You can then use the Disk and Network Filesystem Module to remount the drive. And that’s about it for disk maintenance.
Next we are going to setup the Firewall, using IPTables. This is optional at this point because you’re behind the firewall of your
router. So this would, at this point, just be a firewall inside your LAN. But in some cases, especially small business networks, not
everyone on your internal network is trusted. So if you don’t completely trust all the traffic inside your network, then you would want
to setup the firewall.

Page 434

Navigate to the Linux Firewall Module

Page 435

Choose block all except SSH and IDENT on external interface eth0
Do not click the Enable firewall at boot time option. We eventually will enable that, but not yet. Since we are doing this remotely, we
need a way to un-do it if we mess something up, so for now, don’t start it at boot time.
Then click the Setup Firewall button
You should see something like this, stay away from that Apply button for awhile, if you click it now you will lock yourself out of
Webmin

Page 436

Page 437

If you lock yourself out, rebooting will let you back in
We can get away with this only because we are not setting the firewall to start at boot time (yet)
Also stay away from that Apply button for now.
Next delete the following conditions by putting a check box next to them, and clicking Delete Selected

Page 438

Make sure to delete all the ones I have checked. We will add ICMP (ping) later on, but for this test it needs to be gone.

Change the default action for forwarded packets to Drop
Then click the Set Default Action To button

Page 439

Stay away from Apply button.

Page 440

Click on the green word Accept next to port 22

Page 441

You should see something like this, don’t make any changes

Page 442

Page 443

We aren’t making changes to this screen, we are going to press the Clone Rule button at the bottom, this will save us lots of typing.
Press Clone Rule the screen will refresh and you’re now looking at a “copy” of the port 22 firewall rules

Page 444

Change the Rule Comment

Page 445

From Allow connections to our SSH Server
To Allow connections to our Webmin Server
Change Destination TCP or UDP port

From 22
To 10000
Now scroll down and press the Create button

Page 446

Note the port 22 exception is still there, because we didn’t change it, we only cloned it.

Page 447

And now we have a port 10000 firewall exception as well
Keep doing that for ports
20 (ftp20)
21 (ftp21)
80 (web80)
445 (samba)
20000 (usermin)
Don’t forget to click Clone every time you click on port 22, you don’t want to make changes to port 22, you just want to keep
cloning it.

Page 448


Page 449

Stay away from the apply button
Click on the green word accept next to port 445
We are going to lock Samba down a little further, it’s a little overkill for this setup, but its expected later on in the how-to

Page 450

Page 451

This will tell the firewall to only let in Samba clients that have a 192.168.2.xxx ip address. The /24 tells it to allow any 3 numbers, up
to 254

Page 452

If you’re on a 192.168.0.1 network, you would use 192.168.0.0/24
Again, a little overkill right now, but we need it later on. Click on Save

Page 453


Page 454

You’re now ready to hit Apply at the bottom, but make sure Active at Boot still says no

Page 455

Page 456

Test everything, except FTP (there is another change we have to make for FTP before it will work)
Make sure you can still get to Webmin, Usermin, Putty, Samba, your websites, etc…

Page 457

If everything is working, return to the Linux Firewall module and tell to be active at boot time. Click yes, and then click the
Activate at boot button
Then hit the Apply Configuration but, and navigate to the Bootup and Shutdown module.

Page 458

Using the Bootup and Shutdown module, reboot the Linux box.
Wait a couple minutes and make sure you can still get back into everything.
Now from your Windows PC, try to ping your Linux box
This should fail
If it fails, then that’s good, it means your firewall is loading at startup and doing its job.

Page 459

If it replies like this
Then something isn’t right, go back and fix it.
Once you have it working, you will probably want to allow pings. Pinging is very useful for trouble-shooting.

Page 460

So once you’re sure your firewall is working, you can allow ping by going back to the Linux Firewall module and adding the
following input rule

Page 461

Click on Add Rule

Page 462

Page 463

Then click the Create button
Then click the Apply button
You should now be able to ping the Linux box
Now let’s make sure you are still able to access the internet
Using the Command Shell module, run the following command
tracert google.com

Page 464

I like to use tracert instead of ping from a Linux box, because I can never remember the ping limit commands off the top of my head.
By default ping never gives up in Linux unless you give it extra instructions. So from this view don’t use ping, because it will
run forever in the background. If you want to use ping, make sure you’re using Putty or the SSH2 module, where you can interact
with ping, and stop it. (using Control + C on your keyboard) Or include the extra command line options to tell ping to give up after
like 5 attempts ping –c 5 google.com

Page 465

If successful, you should see something like this with a bunch of numbers. It’s ok if you have more than or less than
13 hops, we are just looking to see that it is hoping outside your network.
If you get a bunch of fails, go back and figure it out. Your firewall is blocking everything incoming, unless you request it. Here your
requesting it, so it Established \ Related, and your firewall should be letting that through, as it originated from you, inside the firewall
first.
That’s pretty much it, we just have to do one more step to allow FTP through.

Page 466

Navigate to the File Manager module, and edit the file /etc/rc.local
Add the following line
/sbin/modprobe ip_conntrack_ftp

Page 467

Save it, and reboot the computer.
That rc.local file executes every time the computer starts up, so it should load every time now.

Page 468

Once the reboot is finished, try FTP
It should be working now, if not, go back and figure it out.
You now have an extremely powerful firewall running, doing per packet inspection and filtering. That’s just the tip of the iceberg of
what IPTables can do, but it should be all you need for now. As you get more comfortable with it, you can enable logging, and start
reading the log files of blocks and attempts.

Page 469

Next we will setup etherwake
A Wake-On-Lan tool that will allow you to Wake On Lan computers on your network, from within Webmin.
Navigate to the Custom Commands and click on Create a new custom command

Page 470

Give it a description as to what computer it is (A computer on your LAN \ Subnet that you are trying to wake up)
And the actual command is etherwake –b mac address
Just make sure the MAC address is separated by colons :

For help finding the mac address of a computer, refer back to pages 44, 56, 57 (often referred to as hwaddress or physical address)
Click Save
Make one for every computer you think you would ever want to wake up

Page 471

*Advanced* Later on in the how-to, you will have two NICs. One will be so strongly firewalled that it will stop etherwake from
working, there is a simple fix, just use the interface option –i to tell etherwake which NIC to use
example: etherwake –i eth1 –b 00:1a:a0:a9:3b:bo

You can use these custom commands for just about anything you want. I like to use them for hard to remember commands, or
commands I run a lot.
Eventually you will have an entire page of custom commands button, just point, click, and viola

Page 472

I like to make tracert and ping buttons as well, because a Linux ping won’t stop unless you interact with it, so you can make a custom
command button, with the / option to tell it when to stop and what to do.
*Advanced* If you have a smart phone with a browser, you can access these custom command buttons from your phone, and do tasks
like wake-on-lan right from your cell phone, without the need for any kind of shell access. Just make sure your phone is not set to
remember any passwords or web history. Make a lot of these custom command buttons, they are very cool.
That’s it for the basic setup, if you start to have stability problems with your server, you can use a program called monit, that will
monitor services, and restart them if they fail. It also has a web interface with some cool functionality. Also if you start to see a lot of
hack attempts in your log files you can use a program called fail2ban. This program will block a user by their IP address for a
configurable amount of time after a configurable amount of attempts. Both of these programs are already installed, you installed them
back on page one. They simply have to be configured. They are super easy to configure and you can find many excellent examples on
Google and on http://ubuntuforums.org
Next is the optional \ advanced setup. Not that it’s any harder than anything you have done so far, it’s just we are going to move on to
more dedicated uses, where the computer needs to be up 24 hours and day 7 days a week. We are going to turn the Linux box into
your Router \ NAT \Firewall, a VMWare server, a Local DNS box with dynamically updating clients, a DHCP server, etc…
If you’re not interested in any of that, you can stop at the end of this page. You’re encouraged to continue, its all really cool stuff, but
setting the Linux box up as your router is kind of a big commitment on your part, when its down, your internet connection is down.
Setting up VMWare requires a powerful computer with lots of RAM. DNS is a lot of work for small networks. You don’t need a
DCHP server if you’re not replacing your router and you don’t need a DDNS update client if you’re not using Local DNS. So this may
be a good time to stop if you’re not interested in virtualization and networking. Thanks for using my how-to, let me know how it goes.
*Side note, if you were interested in setting up software RAID 1 for your Operating System drive, this link will help you get that
going. https://help.ubuntu.com/9.04/serverguide/C/advanced-installation.html
If you’re stopping here, you can run an apt-get remove dhcp3-server this will remove that DHCP warning at startup.
Then run apt-get update and finally an apt-get upgrade

Page 473

That will ensure you have the latest patches and upgrades, if you’re not stopping here, do not run the apt-get upgrade just yet.
You can find my email address and blog link on my homepage http://woodel.com Thanks ! KevinTheComputerGuy
Advanced.
If you’re choosing to go on, welcome to the advanced section.
First we are going to setup rssh (restricted ssh)
I’m not going to spend too much time on this one. We are going to move pretty fast through this one, as many of its uses are far
more complicated than some of the software solutions that exists today.
SSH is awesome, but it gives the users access to way too much. rssh gives you basic SSH functionality, with the ability to pick and
choose what access to give them. Which is perfect for giving users shell access.
Due to a typo in an earlier version, you may have missed this install, its apt-get install rssh
If you are not sure, just run it again. After the install completes, edit the file /etc/rssh.conf

Page 474

Comment everything out except allowscp
And change the umask to 777

Page 475

Then click save and close
That’s probably throwing up some red flags to you. 777 means full access right?
In file permissions it does, umask is the opposite. Setting the umask to 777 will result in the exact opposite file permissions 000
As you can tell, we are really locking down this user. To the point of paranoia.
With file permissions of 000, only root will be able to see these files. That’s because we are going to use this user, in a batch file, to
remotely backup
files from a Windows PC. His password will be in plain text in said batch file, and could be compromised.
So we want to make sure, even if the password fell into the wrong hands, that they couldn’t do anything with it.

Page 476

Next let’s create an rssh user, named backupbot
Navigate to the Users and Groups module, and click on Create a new user
Now when you make a new user, rssh is available as a shell you can choose from for newly created users.
If you don’t see it in the drop down menu, just choose other and browser to /usr/bin/rssh
See below, this user I created, I put in shell /usr/bin/rssh
Select normal password, give this user a password

Page 477

And, you want to make sure you don’t select to make him in other modules.
This user is going to be an rssh user only

Page 478

Now for the next level of paranoia. Navigate to user backupbot home directory, and set the following permissions.

Page 479

Page 480

With these permissions, that user won’t even be able to see the files they upload. This is because if someone finds this password in
your batch file, you don’t want them browsing the home directory.
That’s some pretty extreme lock down we just did. You can take it even further with chroot in rssh, and use it to jail the user inside a
directory. And you can use the file permissions to inherit a group that doesn’t exist, or doesn’t have a user in it. I’m not going to go
too much into the rest of this setup, but here are some hints if you’re interested in pursuing it.
You could go to Puttys website

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
And download the following tools
PSCP.exe
and
PLINK.exe
These are rock solid secure, just like Putty is

Page 481

You could use a command like this one, using a combination of PSCP and WinRar ( http://rarlabs.com )to do offsite backups of
Windows PCs over a secure connection.
rem start batch file
cd %userprofile%
taskkill /f /im OUTLOOK.EXE
"c:\program files\winrar\rar.exe" a -agHH-MM-SS--MMM-DD-YYYY %computername%_My_Docs_Folder_Win2K_XP "my

documents"
"c:\program files\winrar\rar.exe" a -agHH-MM-SS--MMM-DD-YYYY %computername%_Docs_Folder_WinVista_7 "documents"
%temp%\pscp.exe -4 -2 -P 22 -l backupbot -pw abc123 *.rar backupbot@kevin.gotdns.org:
exit
rem end batch file
This command closes Outlook if its running, and then compresses the users my documents folder into a single file, then uploads it.
It will name the backup file the same name as the user’s computer, tell you if it’s Windows 2000\XP, or Vista\7 and add the date.
As you can see the password abc123 is exposed, that’s why the permissions have to be so tight.
rem start batch file
%temp%\pscp.exe -4 -2 -P 22 -l backupbot -pw abc123 *.rar backupbot@kevin.gotdns.org:
rem end batch file

Page 482

But even if it fell into the wrong hands, there isn’t much of anything they could do with it.
Of course a disk space quota is important for any user, always set disk space quotas to prevent abuse.
Also this will be an outgoing request from your users PCs, so you don’t have to worry about a firewall configuration on the users end
at all.
That’s PSCP
Next is PLINK
PLINK is a really cool SSH tunneling tool. You can secure almost anything you want to do, because you can wrap the entire
communication up in an SSH tunnel, much like a VPN connection. Everything you do on the port you specified for the tunnel, will be
secured by SSH. And this will be also be an outgoing request from your users PCs, so you don’t have to worry about a firewall
configuration at all.
For PLINK you could do something like this
rem startbatch file
%temp%\plink.exe -ssh -4 -P 22 -l backupbot -pw abc123 -R 5900:localhost:5900 kevin.gotdns.org
rem end batch file
This would create an awesomely secure tunnel form your users PCs to yours. Port 5900 is VNC, so when you launch VNC from your
network, you can remote the Windows PC user over that tunnel, with no firewall config needed on the users side.

Page 483

But I don’t want to spend too much time on those because there are easier alternatives. If you’re looking to remote a user, just use
Adobe’s ConnectNow software at http://acrobat.com
*On Acrobat.com, click on the web conferencing link.
Its works on MAC and PC, it’s free and web based and there is no configuration needed on either side. Your user can login as Guest
without a need for an account, and all traffic is outbound, so again, no firewall worries.
And if you’re looking to do offsite backups of user files. You should use something like Cobian backup, to a local Linux box running
Samba. And then have that Linux box use the Webmin Filesystem Backup module to schedule offsite backups to another Linux box
over SSH.
But it’s good to have the knowledge above, and I mostly talk about it so you know to not pick SSH when giving someone else an
account to your Linux box. SSH by default lets them change directory to wherever they want. And without jailing knowledge, your
files are way too exposed. So think this rssh = SSH for users besides yourself.
That’s about it for those.
Next we are going to setup VM Ware Server. This is optional, as it requires a really fast computer with tons of ram and hard-drive
space. If you don’t have 100+GB of hard drives space and a couple extra gigs of ram, you should probably skip this part.
When you’re done setting this up, you will have a separate https webpage (not within webmins menus) that you can use to control and
create Virtual machines. Virtual machines use file(s) on your server that it treats as a hard-drive. And you can install Operating
systems into these files. So your server, with no keyboard and mouse can host multiple GUI virtual operation systems, that you control
over Remote Desktop, VNC, Or the VMWare Player. We are going to walk through how to install VMWare Server, and install a
virtual instance of Windows 7. It’s amazing what you can do with these virtual machines. You can choose bridged networking, and it
will appear as a computer on your network. You can create snapshots before making changes and revert back to those snapshots. Or
my favorite… set it up “independent non-persistent”. You can make all the changes you want, you can reboot a million times, and all
your changes stay there. But it you chose shutdown, instead of reboot, it will then revert back to the original settings. I find that feature
to be priceless.
So first you have to download VMware Sever from VMware’s website

https://www.vmware.com/tryvmware/?p=server20&lp=1

Page 484

I can’t provide a direct link to the file. And or put one on my server. Even though VMWare Server is free, they make you register your
email address, and send you your serial number that way. Make sure to use a real email address when registering, as they are going to
email you the serial number, you have to have that to complete the install.
Make sure once you finally get logged in, that you’re downloading VMWare Server for Linux (preferably version
2.02xxxxxxxxxxxxxx) That’s the version I used. You want the binary file, in .gz format.
It should look something like this

Page 485

Make sure to get the right version. If you running a 64bit version of Linux, then download the 64-bit installer. If you’re running a
32bit version of Linux, then download the 32bit installer.
Download this file using your windows PC, and we will upload it to the Linux box, and then move it into place.
If this is your first time uploaded a large file to your Linux box, you will notice the Upload and Download manager will take way too
long, and will probably fail. So you will want to use FTP or Samba. If your using FTP, make sure to use account name uploadman
as his home directory is not exposed to the web. You don’t want to share this file with anyone, this is your own registered copy. If
using Samba use account name wood or the name you chose on page 18
If you never went back and made that account work with Samba, just use one of the roommate accounts that aren’t in use.
Once you have uploaded that giant VMWare installer file, Open up Webmin and navigate to the File Manager Module. Navigate to
the home directory you uploaded the installer file to. Remember uploadmans home directory is in a different place than your other
users, he is in /home/uploadman and not /mymounts.
Once you find the installer, cut and paste it to the /options directory.
I’m on a different computer today and will be using the 64bit installer, so my filename may look a little different than yours.
Wait for the paste to finish, then navigate to the options directory, and highlight the VMWare file by clicking on it once

Page 486

Once you highlight the file, click extract button at the top
Choose Yes
If you’re hurting for space you could choose yes, then delete

Page 487

But if you’re hurting for space you probably shouldn’t be installing this :- )
That file is uber compressed, so give it a couple minutes to finish.

When it’s finished, you should have a folder like this one
You’re done with the File Manager for now, the rest of the setup will be done command line.
Do yourself a favor and use Putty. The SSH2 module is very convenient, but I haven’t figured out the copy and paste problems yet,
and I want you to be able to copy and paste these next few commands exactly, so let’s use Putty.

Page 488

Login to Putty as username root
And change directory to the /options directory
Type cd /options
Then type dir, or ls –a
And press the enter key on your keyboard

Page 489

Then type cd vmware-server-distrib
or cd vmw*
Note vmw* will only work if that is the only folder in that directory starting with vmw
Remember you can also copy\paste these commands
Once you’re in the vmware-server-distrib folder, type dir

Page 490

Run apt-get update Then type the following command, and hit enter on your keyboard.
Copy and paste it exactly as shown, even that uname part, that’s not your name, copy it exactly.
apt-get install linux-headers-`uname -r` libxi6 libx11-6 libx11-dev libxtst6 psmisc build-essential x11-common libxau6 libxdmcp6
libx11-data libxrender1 libice6 libxext6

Page 491

It may ask you a few times if you are sure, say yes
After that completes, run the following command, and hit the enter key
./vmware-install.pl
It’s going to ask you a bunch of questions, you can hit enter to almost all of them. Hitting enter accepts the default answer to the
questions that it’s asking you. Almost all are the correct answer, with the exception of a few preferences

Page 492

So far all of these have just been enter

Page 493

You can also hit enter for that last question in the print-screen, yes it is ok to invoke that process

Page 494

It’s ok that these two failed
It trying to stop services that don’t exist yet, just hit enter
Click enter to read the End User agreement
You will have to press enter like 100 times to get to the bottom. Holding down the enter key works nicely for this part if you have
already read it before.
You can tell they assumed people would just hold down the enter key, as the next question makes you type yes

Page 495

Type yes and hit the enter key

Page 496

It’s time to slow down here and pay close attention when you get asked this question.
Press enter to say yes, but get ready to pay attention

Page 497

If you get this warning about gcc versions, say no !!!!!!!!!!!!!!!!!
No should be the default answer, so you can still get away with pressing enter
Saying no will kick you out of the installer, that’s ok, that’s what we want

Page 498

Type the following command and press enter on your keyboard
export CC=/usr/bin/gcc-4.1
*remember you can copy\paste

Page 499

It will just do it, and not tell you anything back, this is what we want
Now type the following command and press enter
vmware-config.pl

Page 500

This will re-start the installer right where we left off
Again these fails are ok

Page 501

Say yes to this question by pressing enter
You shouldn’t get the gcc error this time.

As long as you don’t get that gcc error again, you can keep saying yes for the following.
*Never say yes to that gcc error
The screen will start scrolling very fast as it installs the modules.

Page 502

When you get to this question, say yes, it’s just making sure the gcc error is fixed
If all goes well, the gcc error is gone and the installer will continue
You can say yes, press enter for these

Page 503

Keep pressing enter, these default answer and network names are perfect

Page 504

Say no when asked to configure a 2nd NAT device, this is the default answer anyway, so pressing enter will work here too.

Page 505

Don’t be alarmed by that weird looking IP address. That is a private address for the VM’s if you choose to not expose them to the
network, and pretty much make them invisible. We will cover that later.
You can say yes, we won’t use it, but this is the best time to set it up

Page 506

You can keep hitting enter until you are asked if you want to setup a 2nd host only network. Say no, one is enough.
Don’t be alarmed by the weird IP addressed, we won’t even use them.

Page 507

The default answer to the second host-only prompt is no, that’s what we want, go ahead and click enter.
You can say yes to this, this isn’t the gcc error

Page 508

Write down these port numbers, you will need them later

Page 509

Just hit enter to the admin question. This tells the computer you want to use your root password, just hit enter
Finally the question we have been waiting for.

Page 510

This question and the gcc error are the only reasons you couldn’t just close your eyes and hold down the enter key.
It’s asking you where to keep the virtual machines at, you want this to be your data drive
/mymounts/vraid/vm folder
Or /mymounts/d2p1/vm depending on your setup
As this is your big hard-drive and you don’t want the vm files on your os drive, slowing down your OS.
That VM folder doesn’t exist yet, so it’s going to warn you it’s going to create it.

Page 511

Notice its warning you it’s going to make some parent folders, this is OK, say yes
Next it will ask you for your serial number. That should be in your email by now.

Page 512

Copy and paste the serial number in there and press enter
For the VIX questions you can keep hitting enter

Page 513

You should finally see something like this, you done installing the VMWare Server

Page 514

Earlier you wrote down some port numbers

Page 515

Should look something like this
Now open up an internet explorer page on your Windows PC and type

https://your-linux-box-ip:8333
*Note, this isn’t working in Firefox at the present time, but I am sure they will fix it soon. And is probably more
Of a Java problem then a Firefox problem. It does work on IE 7 and IE 8
Today my IP is 192.168.2.5
So I would type
https://192.168.2.5:8333

Page 516

Get ready to be really impressed :- )
If you get the certificate error, say yes or continue
It is completely safe

Page 517

Login as root
And viola !!!

Page 518

Your own VMWare Server, running on a non-gui OS !
If you’re prompted to install the plug-in, go ahead and do so.
Notice its calling your /mymounts/vraid/vm folder a Datastore

And it’s named that Datastore standard
These are just VMWare terms, when you’re inside VMWare refer to it as Datastore standard, and when you’re in Webmin refer to it
as /mymount/vraid/vm

Page 519

Now we are ready to install a virtual instance of windows. Im going to do Windows 7, you can do any flavor you want. If you don’t
have a Windows CD, you could setup Linux instead. The steps will be pretty much the same.
Go stick the Windows installer CD\DVD into the CD\DVD drive of the Linux box, and then come back.
…or even better, upload an .iso of the CD via Samba or FTP, then use the Webmin File Manager module to move it into
/mymounts/vraid/vm
*Similar to the same way you got the VMWare installer into the /options folder
If you doing the .iso file

Once you get it pasted into the /mymounts/vraid/vm folder
Make sure the permissions are 755, im not sure what user the process uses, so 755 should make it accessible.
*reminder, use the Info button to change permissions

Page 520

Page 521

Once you have either the disk in the drive or the .iso uploaded, return to the VMWare Server Management webpage and click on the
Virtual Machines tab, and then click on
Create Virtual Machine

Page 522

I called it “from scratch” because this isn’t the only way to make one. You can actually download the VMware converted from
VMware’s website, and capture images of real computers on your network, and import them into your server. Never needing to
actually build them, and they bootup and act just like the real thing. It’s really impressive, and also free. But let’s get back to building
ours from scratch.
After you name it, click next, you should see something like this.
Chose your operating system

Page 523

*Windows 7 wasn’t in the list, you can usually get away with choosing something close. It’s just trying to determine what type of file
system and hardware you’re going to use, so choosing something close usually works.
Click next
I usually go with double the Recommended ram size, and 1 Processor.

Page 524

Click next
Click create new virtual disk

Page 525


Page 526

I doubled it from 16GB to 32GB
And told it to allocate the space now

Click next

Page 527

Here is that cool feature I was telling you about, don’t enable it now, as you want it to remember all the changes your doing. But if
you get to a point where you want it to start forgetting changes, here is where the setting is at
Again, don’t select that now, you can change that later once the OS is installed. But I wanted to show you where it was at. It’s under
the hard-drive properties of each virtual machine you create.

Page 528

Click on Add and network Adapter

Page 529

Choose Bridged
Click next

Page 530

If you’re using a real CD\DVD disk, click next
If you’re using an .iso like me, then click Use and ISO Image

Page 531

You should see something like this (if you selected iso)
Click on Browse, find the .iso under your datastore, under inventory. And click OK

Page 532

Click next
Choose don’t add a floppy drive

And click next

Page 533

Choose Add a USB controller
and click next

Page 534

Put a check box next to Power on your Virtual Machine now
And click Finish

Page 535

You should notice a new entry under the Inventory tab
Click on the Virtual Machine name

Then click on Console

Page 536

As soon as that progress bar gets to 100%, you should start to see the virtual machine boot up.
*it takes a long time the first time, because we told it to allocate that disk space, so its making a 32GB file right now, be patient.
Once it gets to 100%, it will say

Powered on, click anywhere in the screen to open the virtual machine

Page 537

Click in the black box, and you should get a pop up, with the new virtual machine

Page 538

Eventually you will get to a screen where you can start installing the OS

Page 539

Pretty awesome right

Page 540

This view is called a console view or player view. You probably won’t get a lot of use out of this view. Except for the initial install,
and maybe some trouble-shooting. Once your installer finished, the Virtual Machine will get an IP address, then you can remote
desktop into it (if Windows) and it will appear to you as a real computer, just like any other computer on your network.
It’s pretty limitless what you can do with this stuff. You can create raids that are actually just copies of the same files. You can create
virtual switches, which are actually a bunch of virtual nics on the same computer.
Earlier we mentioned NAT and Host-Only networks. We aren’t going to use those in this how-to. Those are private networks, between
your Virtual computers and your server. One is totally private (host only) and the other acts like there is a router between you and the
real network. This is useful of you want to run servers that aren’t allowed on the real network. Example, if you want to play around
with a DHCP server, you wouldn’t want two of those on your real network. We will only be using Bridged, this way the virtual
computer acts like a real computer, and shows up on your network with a real IP address, just like a real computer would.
Don’t be scared to format your Virtual Machines hard drives. This won’t re-format your Linux Box hard-drive. These are just files to
your Linux box, acting like hard-drives for the Virtual machines.

Page 541

You will probably be tempted to share your /mymounts/vraid/vm folder using Samba
Don’t do that. It’s way too easy to run into an access violation. Do like we did earlier and use a combination of different shares, and
the Webmin File Manager to move files in and out of that Share. And make sure to always power down your Virtual Machines before
clicking, touching, moving any vm files around (this included just copying)

Page 542

If your mouse cursor seems stuck inside the vm, just press Ctrl + Alt on your keyboard to release it

Page 543

You should eventually find yourself at the virtual machines desktop. Again this player view is the worst performance mode, you will
want to remote desktop into it, once you have all the IP, Firewall, and port-forwarding settings in place.

Page 544

The player mode is mostly for the initial setup, trouble shooting, guest access, and maybe if you do any VPN type stuff…. You could
benefit from the player view, but strive to get into a remote desktop session for way better performance.
As far as guest \ cloud user access, you can provide shortcuts directly to the player mode. Navigate back to your https :8333 page,
click on the virtual machine you want to give access to, and look over in the right-most pane
If you click on create shortcut

Page 545

It will let you download a link you can send to people, to access the virtual machine in player mode.
This is pretty amazing stuff, but be careful here!. This 600 plus page how-to would be about 600,000 pages if we had to talk about
local \ internal security. We can skip a lot of that because all access to your internal network from the bid bag internet is blocked. If
you give someone access to a bridged VM, it the exact same thing as them walking in with a laptop and plugging directly into your
network. They are now on your wired, internal, trusted private network. And following this how-to, we trust all internal wired
computers.
So, don’t give these shortcuts to anyone who you don’t trust as a local user inside your network. And remember… this view is the
worst performance view, consider giving them remote desktop access instead.
I only give these shortcuts to people who aren’t savvy enough to remote desktop in. Or need boot time access to the drive.
If you find yourself needing to add more storage or Datastores as VMware calls them. And you have decided you want to add
network storage instead of another local harddrive. VMware is going to try to walk you through setting up a NIS server.
Don’t do that, that’s too much work for something so simple. Use Samba instead. It will appear in the VMware options that you can’t.
But you can trick it using Samba. Just mount a file share to another computer using the Disk and Filesystem module, mount type
SMBFS
(like you did earlier ) and VMware will think that folder or mount-point is a another local drive, and will set it up as a Datastore.
If you’re going to be doing really hardcore stuff, then you should connect to an iSCSI server. But for non enterprise use, the share will
work just fine, and only takes seconds to setup.
Your VMware server will see /mymounts/samba2dot6/

As a local folder in the add Datastore wizard, and won’t bother you to set up a NIS server.
That’s about it for VMware, pretty amazing stuff, enjoy.
*Side note, If this VMware Server doesn’t meet your needs, you can take it to the next level and setup an ESXi server. On a dedicated
64-bit computer you can install VMware’s ESXi operating system. Just go to http://vmware.com make and account, and download the
ESXi iso. The install will erase your hard drive and install the proprietary ESXi operating system. All it does is host Virtual Machines,

Page 546

but it’s very good at it. You manage your Virtual Machines remotely using VMwares Vsphere client, it’s pretty amazing stuff, if you
needed something more than what we have done here.
That’s it for VMware.
Next let’s stop for a second and talk about file encryption. In the same way that local backups pale in comparison to offsite backups.
File encryption pales to Filesystem encryption. We are talking about this now because you are in the Advanced how-to.
If you can’t lock the door where this Linux box is. If you can’t setup a $20 webcam too watch for people trying to steal your Linux
box. If you’ve got enemies at the FBI… :- )
Then you would want to setup complete Filesystem encryption. Anything less than encryption at the Filesystem level is un-acceptable.
This is really easy to setup. Start this how-to all over again, and on page 12, choose LVM encryption.
That’s it, except for the format taking a couple days (literally) your computer will boot up and ask for a password before mounting the
drives, without the correct password, it’s as if the data doesn’t exist. I’ve tried to break it, leaving just one letter off the right password.
No go, it’s so very strong. It’s the only one worth doing. I prefer to only use it on laptops, it can make data rescue a pain in the butt.
And I have a fat pad-lock on every one of my servers, so as far as what I practice, I only do this on laptops and servers I’m solely
responsible for.
But once you chose LVM encryption, the kernel will be built correctly during setup, and you can then tweak it via Webmin under the
Hardware \ Local Volume Management module (LVM)
Make sure your first Linux experience isn’t with encryption. It can make disaster recovery a pain, and remote reboots aren’t really
going to work for you, as you’re prompted for a password to reboot. A couple Google searches will teach you how to hardcode that
password in, but hopefully you see that flaw in that. I prefer to not hide the key next to the lock :- )
If this is your first Linux experience, hold of until your third or fourth time before you dive into that. But it’s amazing, and worth the
effort.
Ok, we have come to the final part of our how-to. The next steps deal with setting up your Linux box as a router and then optionally, a
local DDNS server. Setting up your Linux box as a router means anytime you want to reboot or trouble-shoot. Your users will have no
internet access. So make sure this is something you really want to do.

Page 547

And I say DDNS not DNS because it (D)ynamically updates your local DNS records via your DHCP clients. Basically your DHCP
clients will all get DNS entries automatically, when they get their DHCP leases, very cool stuff. Extremely useful on a large network,
but can be a little overkill on a small one. I have a problem where I memorize IP address, because I am weird like that, and wind up
never using the DNS name. But your users will never remember IP address, that’s when it becomes necessary, and the flexibility of
name control on your network is nice.
Ok, truth is your about to build a very powerful router. So let’s do this. Warning!!! These next steps will disconnect you from the
internet for a very long period of time. You might want to finishes reading the how-to before moving on.
Warning, if you have ADSL, DSL, PPOE and or an All-In-One Modem\Gateway\Router, you may not want to continue.
This how-to was written mostly for Cable internet users, and or small business users on a LAN wishing to create a sub network \
private network.
Even Cable internet users, if you have All-In-One Modem\Gateway\Router, you may not want to continue.
The reasons ADSL, DSL, and or an All-In-One Modem\Gateway\Router users may not want to continue is, this how-to walks you
through setting up your computer as a drop in replacement for your router. But if your router is an all-in-one solution, you can’t really
remove it from your network, as the modem still needs to do its function in order to get you out to the internet. You could disable the
routing feature of the all-in-one, but it would still be powered on and using electricity, and sitting next to a computer doing the same
exact function.
And even if you decided to disable those features and continue on, most ADSL and DSL modems use proprietary instructions written
in their firmware that won’t let you back out to the internet without passing through its NAT first, so disabling that function would
unfortunately break your internet connection.
So long story short, only continue if you have a setup, where the modem is a piece of hardware all by itself, (this is usually only cable
subscribers, as in cable TV or coax cable modem) and or a internet source with a public IP address without PPOE, and or you’re on a
small business network and your wanting to create a sub network behind your current network.

Page 548

You will also need a second network card to continue. You will later be installing this into your Linux server.
You will need to set a couple Static IP addresses, as you are going to be without DHCP for awhile.
If your Linux server is still DHCP, you must change it to static. Also if you’re still using a static IP address
of 192.168.2.111 (x.x.x.111) or 192.168.2.174 (x.x.x.174) You should change it to 192.168.2.1 (x.x.x.1) before continuing.
It is good practice to have your router and gateway be x.x.x.1 basically the first IP address of your scheme. You’re about
to turn this box into a router \ gateway, so change the IP address if you haven’t already. You can refer to pages 48 and 49 if you
forgot how to make this change. And reboot to make the change affective.
You will need to temporarily set your Windows PC to use a static IP address, within your same IP scheme. I’m going to use IP address
192.168.2.9 on my Windows PC. There are some screen shots on the next page on how to do this. Don’t move on until you have
figured out how to give you Windows PC a static IP address within your same IP scheme.
If you right-click on the network card (Local Area Connection) on your Windows PC, and go to properties, we can walk through how
to set that up.

Page 549

Right-click on it and go to Properties

Page 550


Page 551

Page 552

Click-on Internet Protocol TCP\IP and then click Properties
*Note, if your screen shows IPv4 and IPv6, choose IPv4
You should see something like this, make the following changes and click OK

Page 553

Page 554

If these numbers look French to you, refer to page 47 for an IP scheme refresher.
Click OK again, as many times as it takes to get out of those screens, and then reboot your Windows PC.
At this point, if you’re using my same numbering scheme, you should have a Windows PC with a static IP address of 192.168.2.9
And a Linux server, with one NIC, with a static IP address of 192.168.2.1
For now on we will be referring to your original Network card (eth0) as eth_safe that is the one with IP address 192.168.2.1
And the new NIC, the second one (eth1) as eth_bad that’s jumping a little ahead, as we haven’t even installed it yet, its just
important you grasp this before moving on.
eth_safe will be the LAN side of your network, and eth_bad will be your WAN side of your network.
Before moving on, make sure you can still get to Webmin from your Windows PC.
Webmin should now be at https://192.168.2.1:10000 if you’re following my numbering scheme.
*If you just recently changed the IP address, Webmin will take an extra long to load the first time you open it, just give it a minute.
We need to stop the Firewall from loading at startup on your Linux server. The configuration of it is no longer valid now that you
want to do routing. Navigate to the Linux Firewall module, and stop it from loading at startup.

Page 555


Page 556

Change Active at boot to No
Then click the Active at boot button to make it stick, then click the Apply Configuration button
Reboot your Linux server, you should have no active firewall at this point.
Triple check by logging back into Webmin and Navigating back to the Firewall Module, and make sure that button still says No.
Power off your current router (example: Linksys) and remove it from your network. Note, this assumes you have a switch you will be
using instead. If not, you can still use the 4 LAN ports on your old Linksys router. And re-introduce it back into your network as a
switch. As long as you don’t ever plug anything into the WAN port of the Linksys router ever again. Put a piece of tape over it if you
have to, and never use it again. (Some router models call it an uplink port)
Never use the Uplink port or WAN port on the Linksys router ever again, this will cause it to act just like a switch. If it has wireless
capabilities that’s ok, later I will show you how to make that work with your new setup.
Removing your Linksys router from your network, and or using it as a switch instead of a router can be kind of hard to picture the first
time you do it. So I drew you a few pictures. This first one would be an example of salvaging your current wireless router.

Page 557

Page 558

This second view would be if you ditched your Linksys router all together, and just used an actual switch.

Page 559

Page 560

This third view would be if you used both a switch and a wireless router (AKA wireless switch) to move your wireless access to a
better spot in the house. Now you have what’s knows as a wireless access point

Page 561

Page 562

Decide which picture best describes what you want to do, and then shut off the Linux box.
After powering off your Linux box, install the second network card inside the computer, but do not plug the cable in yet!
Again… do not plug the cable in ! Only your original network card you started this how-to with should have a cable going into it.
Keep the cable coming from your ISP out of the picture for now, it should be sitting there not plugged into anything.
Once you have the NIC properly installed, power on the Linux box.
Once we configure it, the new NIC will then be known to the system as eth1 and known to us as eth_bad
Visually you will know it as your WAN port, but we will continue to refer to that as eth_bad.
It just helps in visualizing what’s going on, as this will be the NIC eventually connected to the big bad internet, via your Cable\DSL
modem.
eth0, or our trusted NIC, the one plugged into your switch will be referred to as eth_safe. Just for clarification, I’m calling your old
Linksys router with a piece of tape over the old WAN port, a switch.
Later in the how-to, when we setup our firewall rules, we will trust everything from eth_safe, so it’s important to stop here if you
don’t understand that. You have 2 NICs now, one is eventually going to be plugged into the Cable or DSL modem, that’s eth_bad.
And again, it should not have a cable plugged into it right now.
If later you get confused, eth_safe should have a static \ private IP address, and eth_bad should have a DHCP IP address it obtained
from outside this network, better known as a Public Address. If that doesn’t make sense to you, don’t continue the how-to until it does.
Or maybe keep reading without doing, a wrong choice here could expose your network to the outside world.
If your Linux box has internet access right now, stop! You have done something wrong.
Next we are going to configure eth_bad (eth1)

Page 563

Using the Webmin File Manager module, navigate to and edit file
/etc/network/interfaces
Go ahead and enter the following info, or copy \ paste.
allow-hotplug eth1
iface eth1 inet dhcp

Page 564

You can Ignore that up /sbin/ifconfig part for now
Also enter anything you might be missing for eth0. Once everything looks good, click on Save and Close
Hopefully you won’t need that “/up/sbin mtu” line, we will talk about that later
Reboot your Linux box to activate that new NIC
You can’t really test all that speed, duplex, and MTU stuff until you have a cable plugged in. So we will have to come back to that
later. Don’t plug the cable in yet, just remind yourself later to check that out. Like you did on earlier in this how-to, use a combination
of ifconfig, mii-tool and ethtool to make sure you have the right speed, duplex, and MTU settings. These problems are rare, but nasty.
In that last print screen you could see I had a problem with the MTU on this NIC and had to force it. Hopefully you won’t have that
problem, I rarely see it. But if you do, just Google search the right MTU settings for your ISP. Cable modems and LAN are almost
always 1500 MTU, some DSL connections I have seen are 1400+ MTU. Docsis 2.0 = 10\100, Docsis 3.0 = 10\100\1000. A Google
search should show the right setting for your situation. Try Google first, most people at your ISP customer support center won’t know
what you are talking about :- )
We are now going to change a setting that is going to allow packet forwarding between to two NICs. This is reason we have done so
many overkill security settings, because after you make this change eth_bad with be able to forward packets to eth_safe and vice versa

Page 565

Navigate the File Manager module, and edit file
/etc/sysctl.conf
Add or un-comment the following line
net.ipv4.ip_forward=1

Page 566

Now is a good time to reboot, This reboot will enable packet forwarding between the two NICs
You computer may take a long time to start up, as its searching for DHCP on eth_bad, but there is no cable plugged in yet, just wait a
few more minutes than usual, it will come up. Do not plug in the cable yet.
Next we are going to setup the DHCP server, it will hand out DHCP IP addresses to your internal network, originating from eth_safe
(eth0) and feeding addresses to anything behind it (your switch)

Page 567

You already have the DHCP server installed, we just have to tell it which NIC to use and enable it. Navigate to the DHCP Sever
module, and click on Edit Network Interface

Page 568

Choose (eth_safe) eth0 and click save

Page 569

You should be returned to the main DHCP screen, click on Add a new Subnet

Page 570

Subnet description – Make something up

Network address - 192.168.2.0
Netmask - 255.255.255.0
Address range – 192.168.2.50 - 192.168.2.99
Leave all the other options alone and click Create Now and or Save depending on what your screen looks like.

Page 571

Now a new icon should have appeared on the main DHCP server page underneath Subnets, called 192.168.2.0. Click this icon, you
will be returned to a screen similar to the one you just left except it has some new buttons at the bottom. Click the one that says "Edit
Client Options".
Subnet mask - 255.255.255.0

Default routers - 192.168.2.1
Broadcast address - 192.168.2.255
DNS servers - 192.168.2.1

Page 572

You will have to hit save twice, here and the next screen.
You should be returned to the main DHCP screen, where you can start the DHCP server
You now have a fully functioning DHCP server. You should be able to release the IP address on your Windows PC, and get a new one
handed out from your Linux box.
If you don’t know how to release your IP, just reboot your Windows PC, that will do it to.
*If you’re using a static IP address on your Windows PC, you would have to switch it to DHCP to see the fruits of your labor.
At this point you have your Windows PC plugged into your switch, and your switch plugged into eth_safe

Page 573

If your wireless there are a couple setting changes you to need make on the old wireless router
(Wireless switch \ Wireless access point)
You should be able to access the wireless routers admin webpage using your Windows PC and cable going into one of its LAN ports.
Login and make the following changes.
-Disable its Built-in DHCP server
-Change its routing function from a Gateway to Router (not all models have this feature, if not, just leave it at Gateway)
-Disable its Built-in Firewall
-And optionally you can delete all your Port-Forwarding, NAT, DDNS, and any other custom settings on your old router, as they are
no longer functioning in this scenario. All that will be handled by your Linux server from now on, so these settings are not longer
doing anything for you.
You can then use the 4 LAN ports just like a switch, never using the WAN port again.
(the WAN port is usually 10\100, so you may have just removed a future bottle-neck in your network)
And voila, now you have a wireless router that is dumbed down to act like a wireless switch instead.
If you had to set a static IP address to talk to your Wireless router (aka wireless switch) don’t forget to set yourself back to DHCP.
What’s nice about this setup is you can now put that wireless router wherever you want in your house or building
(as long as there is wiring going to it)
You’re no longer confined to have it next to your Cable \ DSL modem. Which is normally in some closet somewhere surrounded by
lead and 4 foot thick walls :- )
Smart placement of your Wireless router is the key to good signal strength.

Page 574

Next we need to destroy the current Firewall configuration so we can set it up the right way.
Even though it’s not loading right now, it still has all the wrong settings in it.

Page 575

Navigate to the Linux Firewall Module, and click the Reset Firewall button

Page 576

You should then see a screen like this, make the following changes
Do Network Address Translation (nat) on eth_bad (eth1)
If you see a checkbox about starting the Firewall at startup, make sure that is not checked.
Like before, we want a way back in if we mess something up
Once your screen matches mine, Click Setup Firewall

Page 577


Page 578

At the bottom of the screen change Active at Boot to No
And press the Active at boot button
And then press the Apply Configuration button
We do eventually want it activate at boot, just not yet
Change the field at the top, next to the Showing IPtable button
Click the drop down arrow and select Packet Filtering (filter)

Page 579

Once you are sure you in the filter screen

Page 580

Set the default action for (Forward) to drop
Then click the Set Default Action To button next to it

Page 581

Do not click the Apply Configuration button, not yet anyway
Do the same thing for (INPUT)

Page 582

Do not click the Apply Configuration button, not yet anyway. However make sure you are clicking the Set Default Action button.

Page 583

It won’t let you change those both at the same time, so double check that (FORWARD) and (INPUT) are set to Drop
And double check that you have clicked the Set Default Action To: button for both
Double check that your screen looks like this

Page 584

Do not hit Apply yet
“If” you accidently hit apply and have locked yourself out, just manually reboot the Linux box. We don’t have these rules in startup
yet, so a reboot will get you back in for now. Once we are sure it is working, we will finally put in startup.
Let’s talk a brief second about the Firewall and the settings we are going to make.
The Linux firewall works with three IP tables:
MANGLE, PREROUTING and FILTER.
The actual firewall part is done with FILTER
In this configuration we are going to allow anything and everything on eth_safe (eth0) because that network card is internal, and is
running from the Linux box, to a local switch inside your network. We are going to allow everything from (lo) the local loopback
interface. We are going to block everything (with the exception of outgoing traffic) on eth_bad (eth1) as that network card is exposed
to the internet, as it is running from the Linux box, to your high-speed modem or internet feed. The idea is for eth_bad to be a way out
to the internet, not a way in, unless requested from behind the Firewall, or explicitly specified by you.
And any PortForwarding you might need is done in PREROUTING, and then passed to the FILTER (FORWARD). That’s why later
when we setup PortForwarding, we have to make sure we allow them in both places.
OK, Let’s configure the Firewall
Here is a glance at rules we will be defining

Page 585

INPUT
Accept if protocol is ICMP (This is optional, but recommended, very handy)
Accept if incoming interface is lo
Accept if incoming interface is eth_safe (eth0)
Accept if incoming interface is eth_bad (eth1)

and state of connection is ESTABLISHED,RELATED
FORWARD
Accept if incoming interface is eth_safe (eth0)

and outgoing interface is eth_bad (eth1)
Accept if incoming interface is eth_bad (eth1)

and outgoing interface is eth_safe (eth0)
and state of connection is ESTABLISHED,RELATED

Page 586

To add these rules, click the Add Rule button, under INPUT

Page 587

Make the following changes for ICMP (ping)

Page 588

Then click Create

Page 589

Click the Add Rule button again

Page 590

Make the following changes for lo (LoopBack)
Then click Create

Page 591

Make the following changes for eth_safe (eth0)

Page 592

Then click Create

Make the following changes for eth_bad (eth1)

Page 593

You have to hold down the control button on your keyboard to select more than one item.
Select both Established and Related
Then click Create

Page 594

You should now be seeing something like this

Page 595

Now under the FORWARD section, click Add Rule

Make the following changes for forwards from eth_safe to eth_bad

Page 596

Then click Create
Click the Add Rule button again , make sure your still under FORWARD
Make the following changes for forwards from eth_bad to eth_safe

Page 597

Then click Create

Page 598


Page 599

Cross your fingers and click the Apply Configuration button
Did you disconnected from Webmin? Can you still click around on the other modules?
If you can, then congratulations, you did everything right.
If you got disconnected, and your sure your plugged into eth_safe, then you did something wrong, you can turn off the firewall by
manually rebooting your computer.
If you didn’t get disconnected then you are ready to put the Firewall in startup.

Page 600

Navigate back to the Linux Firewall module, and change the Activate at Boot
to yes and click the Activate at boot button.

Page 601

And then click Apply Configuration
It is now safe to plug your cable into eth_bad, now you should have two cables in the same machine.
The cable coming from your Cable\DSL modem, or your ISP \ internet connection, goes into eth_bad (eth1)
The cable from eth_safe (eth0) should be leading back to switch inside your private network.
Once you have both cables where they are supposed to be, reboot your Linux box.
After the Linux box reboots, use the Command Shell module to run
The ifconfig command
ifconfig
*Note, if there is just too much information on the screen for you after you run ifconfig
You can instead run…
ifconfig eth0
ifconfig eth1
etc….
And only see the details for the NIC you specify after the command

Page 602

You should see at least 3 network interfaces, you will have more than that if you did the VMware portion of this how-to
eth_bad (eth1) should be getting a Public DHCP IP address from your ISP.
This IP address should look a little weird to you, and in most cases, shouldn’t start with 192.168

Page 603

Also, this is a good time to make sure the MTU, speed and duplexes are correct.
If you’re not getting a Public IP address for eth_bad (eth1) something’s wrong.
It could be as simple as your ISP is doing MAC address restrictions, meaning they want you to call them every time you get a new
router.
You can do that, call them and give them the MAC address for eth1
(also known as the hardware address)
Or you can clone your old routers MAC address, so eth1 acts like its MAC address is the same as your old router, then you don’t have
to call your ISP. Because they won’t know there was a change. But in most cases, you have to call your ISP and give them the MAC
address for eth_bad
If you still want to try and clone your old routers MAC address, navigate to the File Manager module, and edit
The file /etc/network/interfaces

Page 604

Somewhere under allow-hotplug eth1
Put the following command
hwaddress ether xx:xx:xx:xx:xx:xx
Use your old routers WAN port MAC address in place of these numbers and or x’s

Page 605

This will force eth1 (eth_bad) to act like it has the MAC address you specified.
Save and Close
Reboot your Linux box
Do an ifconfig
And you should see that eth1 now has that MAC address you specified and has a public IP address.
At this point your server is configured as a working router/dns/dhcp server. It should work ok in this setup for everything you need it
to do
The rules implement thus far create a very simple (yet powerful) firewall that allows absolutely nothing in from the outside world
unless it is part of an established connection. It also assumes the internal network is completely trusted and allows unfettered access to
the server and outside world from the internal network. This is the default setting for pretty much every NAT device ever.
At this point you are effectively finished. You can just leave your server as a simple router with no other rules at the point. It is very
secure and will work fine for most purposes. If, however, you want to run publicly accessible servers, then we need to add some
additional rules.
If the server you’re trying to get to is on this very same Linux box, then it’s just an INPUT rule in the filter. For example, if you want
to be able to SSH (Putty) into this Linux box from the outside world, that is INPUT rule, or exception to the firewall. That wouldn’t
involve PREROUTING or FORWARD at all.
Let’s setup a port 22 Firewall Exception so you can SSH in from the outside world.

Page 606

Navigate back to the Linux Firewall module, make sure you’re in the FILTER screen, and make a new rule underneath INPUT

Page 607

And then click Create

Page 608

These are the easiest exceptions to make, as your explicitly allowing information coming into eth_bad (eth1) to not be dropped by the
firewall. That’s it for port 22, go ahead and make anymore you might need. Don’t forget to make good use of the Clone Rule button
inside each rule, it can make things much easier for you. Just Clone it, and change the port, and you’re done.

Page 609

Page 610

Make anymore that you need, for example, if you clicked on the port 22 exception, and cloned it, then change the port to 10000, you
would then have a port 10000 exception for Webmin. And just keep cloning and changing the info until you have all that you need.
Then hit Apply Configuration
You should limit the number of direct INPUT rules you allow, as these open up ways into your router, whereas your router should be
as invisible as possible. This is still secure, SSH (Putty) is pretty amazing stuff, and Webmin is https, just try to limit the number of
holes you allow directly into the router like this.
A better way to get into your network and manage systems is to PortForward to another computer already inside your network, and
execute commands from there.
For example, your Windows PC will accept Remote Desktop connections on port 3389.
So if you created a PortForwarding rule, the router can use the PREROUTING and FORWARD feature to redirect your connection to
a computer inside your network, and once inside, you’re totally trusted by the Firewall, all without exposing the router itself.
Windows Remote Desktop also offers some high level encryption options, so-far we haven’t made any Firewall exceptions that aren’t
highly encrypted, and that’s a beautiful thing.
Chance are, you will have more than one computer inside your network, that you want to access ports 3389 and port 22 on. That’s not
a problem, as you can forward an external number, to an internal number.
For example, we can make PREROUTING and FORWARD rules that says
Anything coming in on port 25505, PortForward that to computer 192.168.2.5:3389

Page 611

Specifying 25522 for that last one
This leaves port 22 available for the INPUT rule we made earlier
Anything coming in on port 22, allow directly into the router
This way you can have a bunch of computers, using all the same ports internally, and just specify some meaningless high-port at the
end of the hostname or Public IP address. Then tell the router what computer that is really supposed to go too.
These require a little bit more work on your part, as you have to specify them in two parts of the Linux Firewall module. One as a
PREROUTING rule, and one as a FORWARD rule. But one you have one set done, you can use that Clone rule feature to complete
the rest.

Page 612

Navigate back to the Linux Firewall Module and this time make sure you are in the Network Address Translation table
Make sure you are in the PREROUTING section, and Click on Add Rule

Page 613

Then click on Create

Page 614


Page 615

That’s one part of two, for the next part of that, Navigate to the Packet Filtering table.

Page 616

Make sure you’re in the FORWARD section, and then click Add Rule

Page 617

Then click the Create button
You should be returned to the main Firewall screen, where you can hit
Apply Configuration
What you just did was allow a PortForward to happen from the outside world, to a computer behind your firewall. And as long as you
have encryption enabled in your remote desktop clients, you don’t have too much you have to worry about.
Now external remote desktop requests like this
Will be forwarded to computer 192.168.2.5:3389 Inside your network

Page 618

That first rule was kind of a lot of work to create.
But now you can use the Clone rule button, inside of each rule, to quickly and easily make more PortForwards.
Just don’t forget to do it in both places when PortForwarding…
NAT \ POSTROUTING
And
FILTER \ FORWARD
As you can see from all those static numbers your entering, it would be a good idea if the computers inside your network had static IP
address or DHCP reservations.

Page 619

Setting up a DHCP reservation is the best choice. Navigate back to the DHCP Server module, and we will setup a DHCP reservation
for a computer inside the network.
Make sure you’re underneath the Hosts and Host Groups field, and click on
Add a new host

Page 620

* Hardware address would be the MAC address of the computer inside your network, that you want to always have IP address
192.168.2.5
Click Save

Page 621


Page 622

Page 623

Hit Apply Changes
And restart the computer inside your network with that MAC address, and it will forever get the IP address of 192.168.2.5
Do this for any computer you have a firewall exception for.
That’s about it for the firewall exceptions and PortForwarding.
You shouldn’t have any problems with you Virtual Machines, as they run bridged off of eth_safe. But if you do, just add a couple
rules for your VM nics, similar for what you did for lo and eth_safe
The VM nics are usually called something like VMnet1 and VMnet8, and should be available from the same drop down menus as
everything else you just did. But I haven’t had any issues so far in the bridged VM mode.
If you want to remotely access the VMware server from the outside world, you need to allow ports 8333 and 902.
If the VMware server and the router are the same computer, this is just a simple INPUT rule, similar to the one you made for port 22.
If the VMware server is on a different computer inside your LAN, and not on the router itself, you would need to setup four rules.
Two PREROUTING rules (8333 and 902) and two FORWARD rule (8333 and 902)
As far as security goes, that’s a little more access than I want from the outside world, I don’t want just anybody to be able to get to my
VMware server webpage, so if you’re going to do this, you should take advantage of the source address option.
Source address is supported in all of the firewall rules.
By limiting a source address, you make something available to the outside world, but only if you have the right “from” IP address.

Page 624

See below I am allowing connections on port 8333
But only if the computer im at has IP address 204.69.xxx.xxx
Only thing to be aware of is it’s got to be your public address. If you’re at work or on another network, your local IP address is
probably not your Public IP address.
For example, when I’m at work, my computer gets a 10.10.xxx.xxx IP address. But my Public IP address is 204.69.xxx.xxx

Page 625

So in my Firewall exception I would use the public address. And then port 8333 is only accessible from my work network. Granted
it’s anybody at my work place, as we all have the same public IP address, but you’ve still eliminated most of the possible connection
from the rest of the world.
If you don’t know what your Public IP is. You can go to

http://whatismyip.com/
And a webpage will pop up and tell you.
And as far as the port 902. that’s for the VMware player. You should be doing most of your stuff through remote desktop, and not the
VMware player. But sometimes you will need the player, so you will need port 902 open as well.
Earlier we made a port 22 exception, as a PortForward from 25522. you probably won’t need to do too many of these, not to SSH
(Putty) connection anyway.
You can from within Putty, connect to as many other SSH computers as you like. Meaning if you SSH into your router, and you’re in
a Putty window. You can simply type
ssh wood@192.168.2.5
Where wood is the username you want to use
And from within your current SSH connection to your router, it will connect you to computer 192.168.2.5 inside your private network,
without a need to PortForward anything. And when you exit or logout of that session, you’re returned back to your SSH screen on
your router. Pretty cool stuff.
You’re almost done with the router setup.

Page 626

If you were using a DDNS update client on your old router, to keep your hostname current, like this one, from Linksys
You’re going to have to install the Linux equivalent (ddclient)

So that your hostname stays up to date

Page 627

Launch a Putty session or navigate to the SSH2 module and
apt-get update
And then press the enter key on your keyboard
After that finishes

Page 628

apt-get install ddclient
And then press the enter key on your keyboard


Page 629

Press the Enter key on your keyboard
You should see something like this, answer the on screen questions
You should see something like this, answer the on screen questions
*This is an example, enter your own information, and do not copy mine

Page 630

Page 631

Pay close attention to this next question
Make sure you enter eth_bad here, because you want it to update from your public IP interface, not your private interface.

Page 632

So if you have been following this how-to word for word, then you would enter
eth1 in the box above.
Press the Enter key on your keyboard
You should then be returned to the command prompt
You can type exit and close Putty
You’re not done with ddclient yet, there is three more configs you have to do.

Page 633

Using the File Manager module, edit the file
/etc/ddclient.conf

Page 634

Add the following two lines
daemon=300
ssl=yes
Click the Save and Close button

Page 635

Using the File Manager module, edit the file
/etc/default/ddclient
Make sure run_ipup is set to false
Make sure run_daemon is set to true

Page 636

Make sure daemon_interval is set to the same interval you set in /etc/ddclient.conf
Save and Close
Restart your Linux box
Navigate to the Command Shell module, and execute the following command
/etc/init.d/ddclient status
As long as you see ddclient is running
You know its launching at startup, and checking for changes
Next execute the following command
/etc/init.d/ddclient restart

Page 637

And as long as you don’t see any errors, you should be all set.
Don’t worry that its checking every 300 seconds, I know that sounds too aggressive.
But it’s actually comparing your IP address to a local file, so you’re not beating up the DYNDNS website like it sounds.
Your also sending that username and password over ssl encryption. So you might even be better off then you were with your old
router
That’s about it for ddclient
Next we are going to setup a local DNS server.
This is not only a local DNS how-to, but it’s also a local DDNS how-to, meaning Dynamic DNS. It will not only control the naming
on your local network, but will also allow your DHCP clients to build, update, and maintain the list of their own computer names \
DNS entries.
I wouldn’t recommend setting this up on a small network. It’s a pain in the butt the first time you do it, and it’s very picky if you start
making changes. I’m not saying it isn’t stable, its rock solid stable, I’m just saying it’s easy to break if you want to tweak it later on.
On small networks I find myself just referring to everything by their IP addresses, so make sure this is something you want to do
before you continue.
OK, let’s get started
First stop the bind service. This service has to be stopped every time you want to make changes to it, it’s very picky like that.
You can either type
/etc/init.d/bind9 stop

Page 638

Or you can navigate to the Bootup and Shutdown module, and stop it from there.
If you have given your router eth_safe (eth0) a static IP (which you already did if you have been following this how-to) we need to
double check and make sure your computer name still matches the static IP address change in the following files

Page 639

/etc/hosts
Where it says 127.0.1.1 (not to be confused with 127.0.0.1)
Where it says 127.0.1.1, change it to your static IP address and servers hostname

Page 640

Then edit file
/etc/hostname
And make sure your servers hostname is in there

Page 641

Then edit file
/etc/resolv.conf
Write down all the info inside that file, and then delete everything inside this file.
Don’t just #comment it out, actually highlight and delete the contents of the file. Just delete the contents, (all the words inside) don’t
delete the actual file.
Although that info is important, we are going to use our DHCP server settings to overwrite this file at startup, but it just appends to the
file, and doesn’t always overwrite, so we have to make sure its empty first.

Page 642

Then edit file
/etc/dhcp3/dhcpd.conf
Underneath DNS Update Styles
Change it to ddns-update-style interim;
Remove the ; comment in front of word authoritative

This will make your Linux box the authoritative DHCP server for this network.
And under the part that reads
subnet 192.168.2.0 netmask 255.255.255.0 {
Paste in the following
ddns-domainname "diy.lan.";
allow client-updates;
option domain-name "diy.lan.";
max-lease-time 999999;
default-lease-time 888888;
range 192.168.2.50 192.168.2.99;
ddns-rev-domainname "2.168.192.in-addr.arpa.";
option broadcast-address 192.168.2.255;
option subnet-mask 255.255.255.0;
option routers 192.168.2.1;
ddns-updates on;
option domain-name-servers 192.168.2.1;
}

Page 643


Page 644

Some of that should look a little weird to you
Like this. ddns-rev-domainname "2.168.192.in-addr.arpa.";
That’s for reverse DNS
You may have to tweak it to fit your needs.
If you were on a 10.10.50.xxx network, you would use

Page 645

Or
If you were on a 192.168.0.xxx, you would use
Or
If you were on a 192.168.1.xxx, you would use
It’s just written backwards, and in place of the last octet, you just put rev instead
Also make sure you adjust these to fit your scheme
option domain-name-servers 192.168.2.1;

ddns-domainname "diy.lan.";
That would be the IP address of eth_safe (eth0) on your router
And then the local domain name that you selected on page 9
Once you have all that entered correctly, press Save and Close

Page 646

You’re not done with that file yet, because we have to make a secret key for DNS and DHCP to share with each other, so that only
your DHCP clients are able to update the server.
To do this, open up a Putty window or SSH2 module, and run the following commands
cd /options
Then press the enter key on your keyboard
Then run the following command

Page 647

dnssec-keygen -a hmac-md5 -b 128 -n USER dhcpupdate
This will create a 128bit HMAC-MD5 key file called kdhcpupdateXXXX.key

In the /options folder
Open the File Manger module, and navigate to the /options folder
Edit the Kdhcpupdate file that ends with .key

Page 648

That last solid string of numbers is your key
Do not share this key with anyone, consider this very confidential
Highlight the key, and copy it

Page 649

Then navigate back to editing the file
/etc/dhcp3/dhcpd.conf
And under the part that says
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

Page 650

Paste in the following
key dhcpupdate {
algorithm hmac-md5;
secret Oh+VKKP7uemLxrWg9lwwwQ==;
}
zone diy.lan. {
primary 127.0.0.1;
key dhcpupdate;
}
zone 2.168.192.in-addr.arpa. {
primary 127.0.0.1;
key dhcpupdate;
}

Page 651

Of course you need to use your own key here, not the example key above
Again keep that key confidential
Leave the IP addresses alone, they should be 127.0.0.1

Page 652

But tweak the zone name to be the same as the domain name you picked
And tweak the reverse DNS address to fit your scheme
Then click Save and Close
Next edit the file
/etc/dhcp3/dhclient.conf
And add the following two lines
supersede domain-name "diy.lan";
supersede domain-name-servers 127.0.0.1;

Page 653

Then click Save and Close
This is the file that is going to append to /etc/resolv.conf at startup

So you’re all set for both of these files now

Page 654

Next navigate to the /var/lib/ folder
And use the File Manager module to create a new folder called bind
With 0775 permission, and both owner and group as bind

Page 655

If the directory is already there, that’s cool too. Just change the permissions, groups, and owners to match

Page 656

Now go inside that directory and create the following two files
diy.lan.db
2.168.192.in-addr.arpa

Page 657

And something like this

Page 658

Save both, set both of the files to the following permissions, And bind as both the user and group

Page 659

These are some seriously wack file permissions, but bind gets a little crazy sometimes, and I find it works best this way
Next, use the File Manger module to edit the file
/var/lib/bind/diy.lan.db
And paste in the following
$ORIGIN .
$TTL 86400 ; 1 day
diy.lan IN SOA debrtr32x1.diy.lan. admin.diy.lan. (
2009122871 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS debrtr32x1.diy.lan.
MX 10 debrtr32x1.diy.lan.
$ORIGIN diy.lan.
debrtr32x1 A 192.168.2.1
printer1 A 192.168.2.74
sanx1 A 192.168.2.5
; is bind stopped
; did you update the serial number
; sometimes root should be the owner and bind should be the group
; hit enter here, must have one blank line, and only one

Page 660

It still wants you to have that MX 10 YourHostname.diy.lan entry even if it’s not really a mail server.
Add all computers here that have a static IP address, the rest will populate themselves when they get a DHCP lease.

Page 661

This program is so very picky about the following
Spacing, the file must end with one blank line, just one, don’t have bind running when you’re editing these files and changing the
serial number, +1 every time you make a change (it’s the date) sometimes it wants root to be the file or folder owner, and bind to be
the group.
Next, use the File Manger module to edit the file
/var/lib/bind/2.168.192.in-addr.arpa
And paste in the following
$ORIGIN .
$TTL 86400 ; 1 day
2.168.192.in-addr.arpa IN SOA debrtr32x1.diy.lan. admin.diy.lan. (
2009122871 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS debrtr32x1.diy.lan.
$ORIGIN 2.168.192.in-addr.arpa.
1 PTR debrtr32x1.diy.lan.
5 PTR sanx1.diy.lan.
74 PTR printer1.diy.lan.
; is bind stopped
; did you update the serial number
; sometimes root should be the owner and bind should be the group
; hit enter here, must have one blank line, and only one

Page 662

This program is so very picky about the following
Spacing, the file must end with one blank line, just one
Don’t have bind running when you’re editing these files
And changing the serial number, +1 every time you make a change (it’s the date)
Sometimes it wants root to be the file or folder owner, and bind to be the group.

Page 663

Next, using the File Manager module edit the file
/etc/bind/named.conf.local
Paste in the following info
key dhcpupdate {
algorithm hmac-md5;
secret Oh+VKKP7uemLxrWg9lwwwQ==;
};
zone "diy.lan" IN {
type master;
file "/var/lib/bind/diy.lan.db";
allow-update { key dhcpupdate; };
};
zone "2.168.192.in-addr.arpa" {
type master;
file "/var/lib/bind/2.168.192.in-addr.arpa";
allow-update { key dhcpupdate; };
};

Page 664


Page 665

Of course you need to put your own key in there, and tweak the IP scheme if different
Next, using the File Manager module edit the file
/etc/bind/named.conf.options
Paste in the following info

*But don’t use the same DNS servers or “forwarders” as I did, make sure obtain that info from your ISP.
forwarders {
216.146.35.35;
216.146.36.36;
71.9.127.107;
};
auth-nxdomain no; # conform to RFC1035
listen-on {
192.168.2.1; # listen on local interface only
127.0.0.1; # Make sure machine can get to itself
};
listen-on-v6 { none; };
};

Page 666

Do not use the same forwarders I did, make sure obtain that info from your ISP.

Page 667

Those are your Public DNS servers
In the above example, I’m using two DNS servers from dyndns.org (safe surfer) and then one from my ISP
That’s about it for dynamically updating local DNS

You should be able to reboot your Linux box, and then reboot your Windows PC, and the process should be underway.
There are several ways to test to make sure it’s working
You can try pinging computers by their name, and they should reply.
You should notice that your ping results are automatically appending the domain name for you. Meaning if you ping the computer
name
Sanx1

Page 668

You should see it’s actually ping the entire name Sanx1.diy.lan.
Without you actually typing all of that.
This is of course assuming your PC is set to DHCP and not Static.
You should also be able to run the following command from your Linux box
And see all kinds of good info

Page 669

host –l diy.lan
And the reverse, on your Windows PC’s, you should be able to do

ping –a IPaddress

Page 670

And the ping should return back with the computer name
If you were following how-to very closely, you were probably expecting that name to come back as BlueDell. Your right, I’m just on
a different network today.
Another cool feature is you can edit the files
/var/lib/bind/diy.lan.db
/var/lib/bind/2.168.192.in-addr.arpa
And add multiple names for the same computer. You could have computer 192.168.2.5 respond to as many different names as you
want. You could trick your roommates into thinking they each had their own personal server, by giving the same server multiple
names like

Page 671

Server4room1
Server4room2
Server4room3
Even though they are actually all the same computer.
There are more practical uses for that feature, but you can certainly have fun with it too.
Well that’s about it for DNS
Just remember when editing those DNS files, stop the bind service first. And always up the serial number plus one when editing, and
always end the file with a blank line.
There is always awesome trouble-shooting info in syslog, for whatever problem you might be having. If you are seeing permission
denied errors, it probably wants root to be the owner of the file, and bind to be the group. (file permissions)
A pretty common problem is the journals will get out of sync. All you have to do is delete them and reboot. They are in the
/var/lib/bind/ folder (.jnl) and are create by the bind service.

Page 672

Syslog is your friend

Page 673

And check your local email for notices of problems and statuses
Since we added another network card, we need to make sure Samba is for sure listening on your private network card.
We have done a lot of steps already to prevent this, but you can’t be too careful here.

Page 674

Navigate back to the Samba Windows File Sharing module
Click on Edit Config File

Page 675

Make sure both of those two lines are un-commented

(meaning remove the leading # or ;)
And change the lines to this
interfaces = 127.0.0/8 eth0
bind interfaces only = yes
Save the changes

Page 676

And restart the Samba service
Here is how you can check to make sure its working the way it is supposed to.
Navigate to the Command Shell module and execute the following command
netstat -tapn | grep smbd
Your concern is with the numbers on the left
Those represent the interfaces Samba is listening on

Page 677

If you see anything other than
192.168.2.xxx
And
127.0.0.1
On the left, then there is something wrong, disconnect your internet cable and figure it out.
If you have been following this how-to closely, you probably expected that print screen above to show IP 192.168.2.1. Your right, im
just on a different computer today.

Page 678

This command would make a good Custom Command button to, as it’s hard to remember
netstat -tapn | grep smbd
That brings us to the end of the how-to, I hope you enjoyed it. Don’t forget to visit my Website, http://woodel.com and click on the
blog link(s)
Now you can stop logging in as username root, and start using username wood.
Or whatever name you picked on page 18.
You can run an apt-get update and finally an apt-get upgrade
That will ensure you have the latest patches and upgrades for the 5.03 Debian OS.
Thanks ! Enjoy !!
-Kevin Elwood \ KevinTheComputerGuy
You can find my email address, more how-to’s, and blog link(s) on my homepage http://woodel.com
* Disclaimer: This how-to is try at your own risk, with absolutely no warranty, no promises, and no guarantees. I cannot be held
accountable for claims, statements, or damages of any kind. This how-to is for personal use only, and I reserve all rights.

Page 679

Setup a Linux Server from Start to Finish Using Webmin

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Setup a Linux Server from Start to Finish Using Webmin

Uploaded by

Copyright:

Available Formats

Version 3.

Latest versions are available at my homepage http://woodel.com

Setting up a Linux Server, Start to Finish, using Webmin. By Kevin Elwood

- OK... Let’s begin

You can even use deb32server1 just like I did

Which to me means, Do It Yourself . Local Area Network

Which makes this computers full name deb32server1.diy.lan

Here I used the name wood

You can use anything you want

Make sure to un-check everything. With the exception of Standard system

This won’t interrupt the flow of anything at this point

Then hit the Enter key on your keyboard

(there is always a space after vim)

Use the # symbol to comment out un-wanted lines

Comment out any lines that have “cdrom” in them

Then press the : key

Then press the enter key

(there is always a space after apt-get)

If you have chosen to upgrade now, here is how.

(there is always a space after apt-get)

Either way, you’re ready for the next page.

(there is always a space after apt-get)

Enter the same name you did earlier

I’m going to use diy.lan

If you’re on a 192.168.2.xxx network

address 192.168.2.111 (replace 111 with the IP address you want)

If you’re on a 192.168.1.xxx network

address 192.168.1.111 (replace 111 with the IP address you want)

If you’re on a 192.168.0.xxx network

address 192.168.0.111 (replace 111 with the IP address you want)

address 10.10.10.111 (replace 111 with the IP address you want)

To enter a static IP address type vim /etc/network/interfaces

Find the area that says

iface eth0 inet static

If you did it correctly it should say something like “filename written”

And return you to the command prompt.

Your system should reboot, and load up the new ip address.

In the black DOS like window, type ping 192.168.2.111

Look for typos

You can hit control + c on your keyboard to make it stop pinging

If it replies, you’re connected to the internet

If it doesn’t reply, check your internet connection.

You can edit the file /etc/resolv.conf by typing

And add some name servers

You should see something like this

I got these numbers from dyndns.org

And just like before, to save and exit its

You can download Putty from http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Or from my sever http://t3.woodel.com/my-linux-how-to/putty.exe

Launch Putty, and enter the IP address of the Linux box.

You should see something like this

To paste into Putty Window, all you have to do is right-click

Paste in the following command, then press enter.

apt-get install apache2 vsftpd quota bind9 perl libnet-ssleay-perl

apt-get install libauthen-pam-perl libpam-runtime rssh libio-pty-perl

Paste in the following command, then press enter.

apt-get install libmd5-perl etherwake ntpdate libio-socket-ssl-perl

Paste in the following command, then press enter.

apt-get install monit fail2ban libapt-pkg-perl ethtool exim4

This should take awhile to complete, after it finishes

Type the following command

mkdir /options and hit enter on your keyboard