Peter Terence Roux - Technical - Ubuntu Secure Server

PCI DSS Secure

A step by step guide to implementing an Ultra-Secure Ubuntu Server

1 Introduction

This document describes the process of installing an Ubuntu Server.

The information provided is biased towards the Ubuntu Karmic Koala (Ubuntu 9.10) version, but should work with newer versions too.

Additional steps should then be taken to harden the server to ensure compatibility with PCI Compliance standards.


2 Requirements

2.1. To install such a system you will need the following:-

The Ubuntu 9.10 server CD, available here: http://releases.ubuntu.com/releases/9.10/ubuntu-9.10-server-i386.iso (i386)

or http://releases.ubuntu.com/releases/9.10/ubuntu-9.10-server-amd64.iso (x86_64)

A fast Internet connection.

2.2. Decide on the network settings for the system

Information, such as the following, is required:-

Network CommsExample Details
Hostnamedb1.sharewiz.net
Gateway192.168.40.254
NIC 1 IP Address192.168.40.21
NIC 2 IP Address192.168.40.22

3 Install the Base System

Insert your Ubuntu install CD into your system and boot from it.

1. Choose the Language for the final system.

2. Select the installation type - Select "Install Ubuntu Server".

3. Select the language to be used during the installation process.

4. Select your location.

5. Choose the Keyboard Layout. You will be asked to press a few keys, and the installer will try to detect your keyboard layout based on the keys you pressed.

6. Select the Primary Network Interface, i.e. eth0.

7. The installer then checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network.

8. If DHCP is not found, select the "Configure Network Manually" option, and configure with the requested fields.

9. Enter the hostname. If the system is to be called db1.sharewiz.net, enter db1.

10. Enter the domain name. Enter sharewiz.net.

11. The system will attempt to set the clock and will try to get the time from a network time server. This will take a time, and the system will probably not be successful in doing this, as it will not have external internet access. Ignore the error.

12. Now you have to partition the hard disk. We want to use Logical Volume Manger, or LVM, which allows administrators to create logical volumes out of one or multiple physical hard disks. LVM volumes can be created on both software RAID partitions and standard partitions residing on a single disk. Volumes can also be extended, giving greater flexibility to systems as requirements change. There are several installation options for LVM, "Guided - use the entire disk and setup LVM" which will also allow you to assign a portion of the available space to LVM, "Guided - use entire and setup encrypted LVM", or "Manually setup the partitions and configure LVM". At this time the only way to configure a system with both LVM and standard partitions, during installation, is to use the Manual approach. Remember that there can be a maximum of 4 primary partitions per disk.

13. Configuring LVM in Ubuntu takes place in 5 steps

  • Create a non-LVM boot partition
  • Create Physical Volume (PV)
  • Create a Volume Group (VG), and assign the PV created earlier to the VG
  • Create the Logical Volumes within the VG
  • Assign file-systems and mounts points to the logical volumes created earlier

14. Select "Manual" to manually partition the disk on the system. Note that if you select any one of the "Guided" options for LVM configuration, all the available disk space will be used up, leaving you no free space to grow any logical volume if or when the need arises. Ultimately, our goal is to use just enough space to get the system up and running, and leave the rest for when we need to grow logical volumes.

15. If partitions already exist, then select the existing partitions and delete them.

16. Create a standard (non-LVM) primary partition for the /boot file system.

  • Select the "pri/log" line
  • Select "Create a new partition"
  • Enter the size required - we want 255MB
  • Select "Primary Partition"
  • Select "Beginning"
  • Select ext4 as the file-system
  • Change the default mount point to /boot
  • Set bootable flag to "on"
  • Select "Done setting up the partition"

17. The next step is to use the unallocated space to create a physical volume.

18. A Physical volume is the first major component of LVM, and can be created from a disk partition or a full disk drive. To create the PV for this configuration, we are going to use the unallocated disk space.

  • Select the "pri/log" line, hit Enter
  • Select the "pri/log" line, hit Enter
  • The size of the new partition will be the unallocated space on the hard drive. The installer will automatically show the unallocated free space. Enter the size of the partition. It is recommended to use 95% so that there is some free space left for growth.
  • Therefore, enter "95%", hit Enter
  • Select "Primary Partition", hit Enter
  • Select "Beginning", hit Enter
  • For the new partition that we just created, we want to tell the installer what to use it for. So with "Use as" selected, hit Enter
  • Select "Physical Volume for LVM", hit Enter
  • Select "Done setting up the partition", hit Enter
  • Select "Configure the logical volume manager", hit Enter
  • Select "Yes" to "Write he changes to disk", hit Enter

19. The next step is to create a Volume Group (VG).

  • Select the "Create Volume Group" option, hit Enter
  • Creating a VG starts with giving it a name. Any name will do, but we use the standard of vg01, vg02, etc. For now we only have a single VG so we use vg01.
  • Assign the PV we created earlier to the VG. By default, this is not selected. Use the Space Bar on the keyboard to select the partition representing the PV (This will usually be the 2nd entry, i.e. /dev/sda2).
  • Click on the Continue button

20. Next, create the Logical Volumes. With the PV and VG created, and the PV assigned to the VG, the next step is to create the Logical Volumes. A Logical Volume (LV) is LVM jargon for partition. We will create a number of LVs, one each for the following file-system directories:-

/ (root), swap, /home, /usr, /var, /tmp

  • Select the option to create logical volumes, hit Enter
  • We have to tell the installer what VG to create the LVs under. Since we created only one VG, that is the only one shown, hit Enter
  • Start by creating the logical volume for swap, by giving it the name swap, hit Enter
  • Note that the recommended size of a swap partition is twice the amount of memory in the system, so set this to 12GB.
  • Repeat the last two options for the other logical volumes. Suggested sizes in parenthesis.
    • root (10GB)
    • usr (10GB)
    • var (100GB)
    • tmp (5GB)
    • data(ALL OTHER SPACE) -> only on the secondary database server to hold extra backups
  • The suggested sizes should be more than enough to install and get the system up and running. This leaves enough free space to grow any LV that needs it.
  • It makes sense to leave some space unused so that you can later on expand your existing logical volumes or create new ones - this gives you more flexibility.
  • Select "Display the configuration details" to check that all LVs are created okay. Hit enter.
  • Select "Finish", hit Enter

21. The final task is to assign a file-system and a mount point to each LV.

  • Select the line "#1" for each LV, hit Enter
  • Select "Use as", hit Enter
  • Select ext4 as the file-system, (for swap use the swap file-system type), hit Enter
  • Set the mount point, hit Enter
  • Select "Done setting up the partition", hit Enter
  • Repeat the last five steps for the other logical volumes that you created.

22. Finally, select "Finish partitioning and write changes to disk". Then confirm the changes and continue with the rest of the installation.

23. Afterwards, your new partitions are being created and formatted.

24. Now the base system will be being installed. Note that this may take a while. The ALT-F4 key combination can be used to monitor what is actually happening with the install process. Use the ALT-F1 key combination to return back to the normal install screen.

25. Create a user, for example the user Administrator with the user name administrator (IMPORTANT:- don't use the user name admin as it is a reserved name on Ubuntu 9.10).

26. We don't need an encrypted private directory, so choose No here.

27. Next the package manager apt gets configured. Leave the HTTP proxy line empty unless you're using a proxy server to connect to the Internet.

28. The system will probably seem to pause for a long time (due to the fact that it cannot yet get external internet access). This is optional, but to speed up the install a bit, press Enter to cancel current step - and the graph should jump to around 80% completed. Enter can be pressed once more to skip to the end of this step).

29. To update the server manually in order to have more control, select No automatic updates.

30. A choice of different types of server servers can be selected, but nevertheless don't select any of them now in order to have full control over what gets installed on the system. The packages required on the system will be manually installed later on. The only item to select here is OpenSSH server so that one can immediately connect to the system with an SSH client such as PuTTY after the installation has finished.

31. The installation continues.

32. The GRUB boot loader gets installed.

33. The base system installation is now finished. Remove the installation CD from the CD drive and hit Continue to reboot the system.


4 Setup Basic Software

4.1. Get root privileges

After the reboot you can login with your previously created username (e.g. administrator). Because we must run all the next steps from this document with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing:-

sudo -i

IMPORTANT:- Do not use the following command:-

sudo su

and do not enable the root login by running:-

sudo passwd root

and giving root a password.

With these options one can log in as the root user, but this is frowned upon by the Ubuntu developers and community for various reasons.

See http://ubuntuforums.org/showthread.php?t=765414.)


4.2. Setup HTTP Proxy Access, if required

For a global http proxy, add this line to the /etc/environment file:-

http_proxy=http://192.168.5.2:3128

and this will be enabled at boot.

By default, the Ubuntu server will not have access to the internet. However, to install software on the system and to keep the system updated usually requires HTTP access. One way of obtaining this is through an HTTP proxy server:- Enabling access to the HTTP proxy usually requires the exporting of an environment variable as:-

export http_proxy=http://username:password@proxy:port

or

export http_proxy="http:// proxy:port"

but by adding it to the /etc/environment file will allow the http proxy to be set at boot.

NOTE: When adding the proxy to the /etc/environment file, do not include the export command.

If an http proxy is supplied during installation, then the /etc/apt/apt.conf file is automatically populated with the proxy information. This file is used by the aptitude command, which is used to install new software and to upgrade the system.

To set this manually, create the file /etc/apt/apt.conf if it does not exist:-

sudo vi /etc/apt/apt.conf

and populate it with:-

Acquire::http::Proxy "http://192.168.5.2:3128";

NOTE: To remove the http proxy, simply remove the line from the file, or alternative simply remove the entire file.


4.3. Install SSH

If you did not install the OpenSSH server during the system installation, you can do it now.

Issue the following command:-

sudo aptitude install ssh openssh-server


4.4. Install vim-nox (Recommended)

Issue the following command:-

sudo aptitude install vim-nox

The default vi package installed on Debian and Ubuntu is vim-tiny, which is really restricted and only really appropriate for very small environments.

To update to the full vim package, install vim-nox.

Of course, different text editor such as joe or nano can be installed as well.



5 Setup the Network

5.1. Configure the network

Because the Ubuntu installer has configured the system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup the IP address 192.168.40.21 is used).

Issue the following command:-

sudo vi /etc/network/interfaces

# This file describes the network interfaces available on your system

# and how to activate them. For more information, see interfaces(5).

# The loopback network interface

auto lo

iface lo inet loopback

# The primary network interface

auto eth0

iface eth0 inet static

address 192.168.40.21

netmask 255.255.255.0

network 192.168.40.0

broadcast 192.168.40.255

gateway 192.168.40.254

# dns-* options are implemented by the resolvconf package, if installed

dns-nameservers 192.168.80.1 192.168.80.2 192.168.80.3

dns-search sharewiz.net


5.2. Restart the Network

To enable the new settings to be recognized, the network needs to be restarted

Issue the following command:-

sudo /etc/init.d/networking restart


5.3. Setup the Network Hosts File

Edit the /etc/hosts file.

Issue the following command:-

sudo vi /etc/hosts

127.0.0.1 localhost.localdomain localhost

192.168.40.21 db1.sharewiz.net db1

# The following lines are desirable for IPv6 capable hosts

::1 localhost ip6-localhost ip6-loopback

fe00::0 ip6-localnet

ff00::0 ip6-mcastprefix

ff02::1 ip6-allnodes

ff02::2 ip6-allrouters

ff02::3 ip6-allhosts


5.4. Setup the Resolv Config File

Then edit the /etc/resolv.conf file.

Issue the following command:-

sudo vi /etc/resolv.conf

search sharewiz.net

nameserver 192.168.80.1

nameserver 192.168.80.2

nameserver 192.168.80.3


5.5. Set the hostname

Issue the following command:-

echo db1.sharewiz.net > /etc/hostname


5.6. Restart the System

To enable the new network settings to be recognized, restart the system

Issue the following command:-

sudo reboot


5.7. Check the Network Settings

Issue the following command:-

hostname

hostname -f

Both should show db1.sharewiz.net now.



STILL UNDER DEVELOPMENT

Please be patient....finished soon...







This page visisted 198 times since 3 March 2011