One more BIND9 DNS how-to with Ubuntu

This one worked: http://www.howtoforge.com/installing-an-ubuntu8.04-dns-server-with-bind-p4

4 Enable The root Account

After the reboot you can log in with the username you created during installation (e.g. administrator). All remaining steps of this tutorial are run as the root user, so we enable the root account.
Run
sudo passwd root
and give root a password. Afterwards switch to root by running
su
Setting a root password is not strictly necessary: a root shell obtained through sudo works for every step below and leaves root without a password that could be brute-forced over SSH.

5 Install The SSH Server (Optional)

If you did not install the OpenSSH server during the system installation, you can do it now:
apt-get install ssh openssh-server
From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu 8.04 LTS server and follow the remaining steps from this tutorial.


6 Install vim-full (Optional)

I'll use vi as my text editor in this tutorial. The default vi program has some strange behavior on Ubuntu; to fix this, we install vim-full:
apt-get install vim-full
(You don't have to do this if you use a different text editor such as joe or nano.)

7 Configure The Network

The Ubuntu installer configures the system to get its network settings via DHCP; a DNS server needs a static IP address, so we change that now. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):
vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

Please make sure your network configuration is set correctly; adapt the values above to your network.
Then restart your network:
/etc/init.d/networking restart
Then edit /etc/hosts. Make it look like this:
vi /etc/hosts
127.0.0.1     localhost.localdomain localhost
192.168.0.100 server1.tm.local      server1

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Now run
echo server1.tm.local > /etc/hostname
/etc/init.d/hostname.sh start
Afterwards, run
hostname
hostname -f
Both should show server1.tm.local now.

8 Edit /etc/apt/sources.list And Update Your Linux Installation

Edit /etc/apt/sources.list. Comment out or remove the installation CD from the file and make sure that the universe and multiverse repositories are enabled. It should look like this:
vi /etc/apt/sources.list
#
# deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted
#deb cdrom:[Ubuntu-Server 8.04 _Hardy Heron_ - Release i386 (20080423.2)]/ hardy main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://de.archive.ubuntu.com/ubuntu/ hardy main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://de.archive.ubuntu.com/ubuntu/ hardy universe
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy universe
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates universe
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://de.archive.ubuntu.com/ubuntu/ hardy multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy multiverse
deb http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiverse
deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-updates multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse
# deb-src http://de.archive.ubuntu.com/ubuntu/ hardy-backports main restricted universe multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository. This software is not part of Ubuntu, but is
## offered by Canonical and the respective vendors as a service to Ubuntu
## users.
# deb http://archive.canonical.com/ubuntu hardy partner
# deb-src http://archive.canonical.com/ubuntu hardy partner
deb http://security.ubuntu.com/ubuntu hardy-security main restricted
deb-src http://security.ubuntu.com/ubuntu hardy-security main restricted
deb http://security.ubuntu.com/ubuntu hardy-security universe
deb-src http://security.ubuntu.com/ubuntu hardy-security universe
deb http://security.ubuntu.com/ubuntu hardy-security multiverse
deb-src http://security.ubuntu.com/ubuntu hardy-security multiverse
Then run
apt-get update
to update the apt package database and
apt-get upgrade
to install the latest updates (if there are any).

9 Disable AppArmor (This is a must for things to go well here)

AppArmor is a mandatory access control system (similar to SELinux) that confines individual programs to the files they are expected to use. Ubuntu ships a profile for /usr/sbin/named that only knows the standard paths; it does not cover the chroot under /var/lib/named created below, so named would be denied access to its own configuration and zone files. The tutorial therefore disables AppArmor. Keep in mind that this removes a layer of confinement for every profiled service on the host, not just BIND; the alternative is to keep AppArmor running and extend the named profile in /etc/apparmor.d/usr.sbin.named with the chroot paths.
We can disable it like this:
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove

10 Install the DNS Server

Run
apt-get install bind9
For security reasons we run BIND chrooted: named is started with -t /var/lib/named, so even if the daemon is compromised it only sees that directory tree, not the real /etc. The steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
vi /etc/default/bind9

OPTIONS="-u bind -t /var/lib/named"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to modify /etc/default/syslogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log":
vi /etc/default/syslogd

#
# Top configuration file for syslogd
#

#
# Full documentation of possible arguments are found in the manpage
# syslogd(8).
#

#
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"
Restart the logging daemon:
/etc/init.d/sysklogd restart
Start up BIND, and check /var/log/syslog for errors:
/etc/init.d/bind9 start
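Before trusting the chroot, it pays to check the tree named will actually see. The following is an added example, not part of the original how-to: a POSIX shell function that verifies the layout built above (chroot root /var/lib/named, daemon user bind). Pass a different root or user as arguments to check another tree; the device-number check relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the original how-to): pre-flight check for the
# BIND chroot built in this tutorial. Assumes the layout from the page:
# chroot root /var/lib/named, daemon user "bind", config moved to
# <root>/etc/bind. Usage: verify_named_chroot [ROOT] [USER]
# Prints one problem per line; returns 1 if anything is wrong, 0 otherwise.

verify_named_chroot() {
    root=${1:-/var/lib/named}
    user=${2:-bind}
    rc=0

    # Directories named needs: config, devices, cache (zone dumps, journal
    # files) and the run directory for its pid file.
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; rc=1; }
    done

    # named.conf must really live inside the chroot, since -t makes every
    # path in it relative to $root.
    [ -f "$root/etc/bind/named.conf" ] \
        || { echo "missing config: $root/etc/bind/named.conf"; rc=1; }

    # /dev/null (major 1, minor 3) and /dev/random (1, 8) must be character
    # devices; plain files here leave named without a randomness source.
    # stat -c is GNU coreutils (fine on Ubuntu).
    for spec in null:1:3 random:1:8; do
        name=${spec%%:*}; rest=${spec#*:}; major=${rest%%:*}; minor=${rest#*:}
        node="$root/dev/$name"
        if [ ! -c "$node" ]; then
            echo "not a character device: $node"; rc=1
        elif [ "$(stat -c '%t:%T' "$node")" != "$(printf '%x:%x' "$major" "$minor")" ]; then
            echo "wrong device numbers on $node (want $major:$minor)"; rc=1
        fi
    done

    # The directories named writes to must be owned by the unprivileged user.
    for d in var/cache/bind var/run/bind/run; do
        [ -d "$root/$d" ] || continue
        owner=$(stat -c '%U' "$root/$d")
        [ "$owner" = "$user" ] \
            || { echo "$root/$d owned by $owner, expected $user"; rc=1; }
    done

    return $rc
}
```

Source the file as root after the chown steps and call verify_named_chroot with no arguments; empty output means the tree is complete. A missing or non-device /dev/random is the classic cause of a named that starts but logs errors to syslog.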

11 Configure BIND

The main BIND configuration file is named.conf. It already includes named.conf.local, which is intended for local customizations, so we add our zones there. Here I add a zone called tm.local and the matching reverse zone for the 192.168.0.0/24 network:
vi /etc/bind/named.conf.local
zone "tm.local" {
type master;
file "/etc/bind/zones/tm.local.db";
};


zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
};
Note that comments in named.conf and named.conf.local use //, while comments in zone files use ; (a frequent source of confusion on forums). The zone file for tm.local is called tm.local.db and lives in /etc/bind/zones; because named runs with -t /var/lib/named, that path is interpreted inside the chroot, i.e. /var/lib/named/etc/bind/zones on the host, which is where the /etc/bind symlink points. The same applies to the reverse zone.

12 Configure the Zones

We will start with the zone tm.local
mkdir /etc/bind/zones
vi /etc/bind/zones/tm.local.db
$TTL 1500
@  IN SOA server1.tm.local. root (
2007062703        ;serial
28800             ;refresh
3600              ;retry
604800            ;expire
38400 )           ;minimum (negative caching TTL, 10h40m)
tm.local.      IN      NS      server1.tm.local.
server1        IN      A       192.168.0.100
webserver1     IN      A       192.168.0.103
webserver2     IN      A       192.168.0.104
loadb1         IN      A       192.168.0.101
loadb2         IN      A       192.168.0.102
tm.local.      IN      MX      10    server1.tm.local.

Feel free to replace the zone name (tm.local) or the DNS server name (server1) as needed, but keep the trailing dot on fully qualified names such as tm.local. and server1.tm.local.: without it BIND appends the zone origin, turning server1.tm.local into server1.tm.local.tm.local.
Now let's go ahead with the reverse zone.
vi /etc/bind/zones/rev.0.168.192.in-addr.arpa
$TTL 1500
@  IN SOA server1.tm.local. root (
2007062703        ;serial
28800             ;refresh
3600              ;retry
604800            ;expire
38400 )           ;minimum (negative caching TTL, 10h40m)

@                    IN    NS     server1.tm.local.
100                  IN    PTR    server1.tm.local.
103                  IN    PTR    webserver1.tm.local.
104                  IN    PTR    webserver2.tm.local.
101                  IN    PTR    loadb1.tm.local.
102                  IN    PTR    loadb2.tm.local.
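
The forward and reverse zones are maintained by hand, so they drift apart (the reverse zone above, as originally published, named the load balancers load1 and load2 while the forward zone calls them loadb1 and loadb2). As an added example that is not part of the original how-to, here is a shell/awk check that derives the expected PTR records from the forward zone and diffs them against the reverse zone file. It assumes the /24 layout and file names used on this page and handles only the simple record syntax shown here (one record per line, no $ORIGIN changes, no $GENERATE).

```shell
#!/bin/sh
# Added example (not from the original how-to): keep the reverse zone in
# step with the forward zone. Assumes /24 networks and the plain one-record-
# per-line syntax used in this tutorial's zone files.

# gen_ptr_records FORWARD_FILE ZONE NET: print "<last octet> IN PTR <fqdn>."
# for every A record in FORWARD_FILE whose address lies in NET (a /24 such
# as 192.168.0), sorted by host number.
gen_ptr_records() {
    awk -v zone="$2" -v net="$3" '
        # skip comments, $TTL/$ORIGIN directives and blank lines
        /^[[:space:]]*;/ || /^\$/ || NF == 0 { next }
        {
            # a line starting with whitespace reuses the previous owner name
            if ($0 ~ /^[[:space:]]/) owner = prev
            else { owner = $1; prev = owner }
            for (i = 2; i < NF; i++) {
                if ($i != "A") continue
                ip = $(i + 1)
                if (owner == "@") owner = zone "."
                else if (owner !~ /\.$/) owner = owner "." zone "."
                if (index(ip, net ".") == 1)
                    printf "%-4s IN PTR %s\n", substr(ip, length(net) + 2), owner
                break
            }
        }' "$1" | sort -n
}

# list_ptr_records REVERSE_FILE: the PTR records already on disk, same format.
list_ptr_records() {
    awk '
        /^[[:space:]]*;/ || /^\$/ || NF == 0 { next }
        {
            for (i = 2; i < NF; i++)
                if ($i == "PTR") { printf "%-4s IN PTR %s\n", $1, $(i + 1); break }
        }' "$1" | sort -n
}

# check_reverse_zone FORWARD_FILE ZONE NET REVERSE_FILE: return 0 when the
# reverse zone matches the forward zone; otherwise print a unified diff
# (expected lines prefixed -, actual lines prefixed +) and return 1.
check_reverse_zone() {
    want=$(mktemp) have=$(mktemp)
    gen_ptr_records "$1" "$2" "$3" > "$want"
    list_ptr_records "$4" > "$have"
    diff -u "$want" "$have"
    rc=$?
    rm -f "$want" "$have"
    return $rc
}
```

Run it as check_reverse_zone /etc/bind/zones/tm.local.db tm.local 192.168.0 /etc/bind/zones/rev.0.168.192.in-addr.arpa. After fixing any difference, bump the serial in both files and validate them with named-checkzone (named-checkzone tm.local /etc/bind/zones/tm.local.db, and likewise for the reverse zone) before restarting named.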

Now configure the server to forward every query it cannot answer from its own zones to your ISP's DNS server, so it can resolve external names.
vi /etc/bind/named.conf.options
Uncomment the forwarder section to look like this:
forwarders {
# Replace the address below with the address of your ISP DNS server
123.123.123.123;
};
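
A forwarding server is also a recursive server. Who is allowed to use it for recursion is governed by allow-recursion; the fragment above does not set it, so the behaviour falls back to the default of the installed BIND version (older 9.x releases allowed recursion from any client, newer ones from local networks only). An explicit policy is safer than relying on that. The following added example, not from the original how-to, writes a named.conf.options that forwards to the ISP resolver but recurses only for the LAN, together with a small audit function that flags an options file with no recursion restriction. The acl name lan and the 192.168.0.0/24 network are assumptions for this page's setup; the audit understands // and # comments only.

```shell
#!/bin/sh
# Added example, not from the original how-to. Assumes the chroot and file
# layout of this page; the acl name "lan" is an assumption.

# write_named_options FILE FORWARDER LAN: write an options file that forwards
# unanswered queries to FORWARDER but recurses only for LAN (a CIDR such as
# 192.168.0.0/24) and localhost.
write_named_options() {
    cat > "$1" <<EOF
// Hosts allowed to use this server as a recursive resolver.
acl "lan" { 127.0.0.1; $3; };

options {
    // Relative to the chroot: /var/lib/named/var/cache/bind on the host.
    directory "/var/cache/bind";

    // Queries outside our zones go to the ISP resolver.
    forwarders { $2; };

    // Anyone may ask for tm.local and the reverse zone (we are authoritative),
    // but only the LAN may make us look up other names.
    allow-query { any; };
    allow-recursion { lan; };

    auth-nxdomain no;    // conform to RFC1035
};
EOF
}

# audit_named_options FILE: warn when a recursing configuration has no
# allow-recursion statement; returns 1 on a finding, 0 otherwise. Only // and
# # comments are stripped; /* */ blocks are not handled.
audit_named_options() {
    conf=$(sed 's|//.*||; s|^[[:space:]]*#.*||' "$1")
    # "recursion no": authoritative-only server, nothing to restrict
    if printf '%s\n' "$conf" | grep -q 'recursion[[:space:]]*no'; then
        return 0
    fi
    if printf '%s\n' "$conf" | grep -q 'allow-recursion'; then
        return 0
    fi
    echo "$1: recursion is not restricted (no allow-recursion statement)"
    return 1
}
```

Write the file into the chroot (write_named_options /etc/bind/named.conf.options 123.123.123.123 192.168.0.0/24, substituting your ISP resolver) and check the whole configuration with named-checkconf -t /var/lib/named /etc/bind/named.conf before restarting named.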

13 Configure the server to use itself as DNS

vi /etc/resolv.conf
search tm.local
nameserver 192.168.0.100