New site launched about Gadget News & Reviews go check it out ! I decided against posting News & Reviews here, iPhone HowTo will remain for iPhone HowTo guides only

This is a step by step guide showing you how to install Ubuntu 11.04 Desktop on VMWare workstation running on a Windows 7 Host, running an IT Support company in Bristol we find that being able to run Ubuntu on top of Windows 7 very handy for building & testing new Ubuntu virtual servers.

Download Ubuntu Desktop

Download Ubuntu from http://www.ubuntu.com/download make sure you download the right version and the correct architecture (i686 / AMD64).

Create a new Virtual Machine in VMWare Player

Open VMWare Player and select “Create New Virtual Machine”.

New Virtual Machine Wizard

Enter in the location of the ISO you downloaded above and click next.

VMWare EasyInstall for Ubuntu

Enter in the Ubuntu information, the information requested is used for the Ubuntu install, so this will be the username and password you will eventually use to log into your Ubuntu system.

Name the Ubuntu Virtual Machine

Enter the virtual machine name and the location you want to install the Ubuntu virtual machine.

Enter Hard drive Size

Enter the size you want your Ubuntu VM to be, I selected 20Gb as this virtual machine is just for testing. I never split my VM disk files either, I have had problems with this in the past.

Create Ubuntu Virtual Machine

Verify your VM settings and click Finnish.

Ubuntu install screen

You should now be presented with the following Ubuntu 11.04 (Natty Narwhal) installation screens, telling you all about Ubuntu’s new and exciting features…

VMWare tools login for EasyInstall

You may see this screen:

Ubuntu Login Screen

I went for a coffee with this screen showing, came back and I was at the login screen… Which looks like this.

Ubuntu Desktop

Login and your desktop should look like this!

Ubuntu Install Finished

That’s basically it, go forth and login to your new Ubuntu 11.04 vitalized desktop environment! Once installed I would recommend checking for updates using aptitude.

Any problems or questions please post a comment below and I will get back to you ASAP.

Please share using the icons above and below the post

By default the root account on Ubuntu is disabled, you can login as root on Ubuntu or even enable root account on Ubuntu. I will explain below how to run commands as root and how to enable the root user on Ubuntu.

Run commands using sudo

You can run root commands with root privileges by prefixing your commands with “sudo”. The example below shows you how to add a user using sudo.

sudo useradd dave

You will then be prompted to enter your password, enter the password for your user account (the same password you use to login to your ubuntu system).

Here is what your terminal output should look like.

Stay logged in as root using sudo

If you are going to be doing a lot of work as root or find some commands won’t work with sudo then you can stay permanently logged in as root on Ubuntu using:

sudo -s

You will then be prompted for your password as before, then your prompt will change to root@hostname. (example below).

sudo and sudo -s have covered me for every eventuality for getting root on Ubuntu, however if you need to enable the root user on ubuntu read on…

Enable root on Ubuntu

Enabling the root account on Ubuntu is as simple as setting the password for the account.

sudo passwd root

You will be prompted for a password enter your user account password first to authenticate for sudo, then enter your root password.

You will now be able to login as root on Ubuntu!

If you wish to disable the root account on Ubuntu enter the following:

sudo passwd -l root

Thats it! Comments welcome and please share using the buttons provided!

apt-get update && apt-get dist-upgrade

Once this has completed reopen Firefox and you should see a small migration wizard pop up for a second or two, after this click “Help” then “About Firefox” you should then be presented with the following:

Any problems or questions please post a comment below and I will get back to you ASAP.

Please share using the icons above and below the post

You should already have an SSH Server installed and running if you don’t install one now with:

apt-get install ssh

Now before I start you maybe wondering “Who would want to break into my SSH Server?” the answer is more than likely a Bot. Bot’s scan subnets of boxes with high bandwidth or those on government ranges (to look cool on IRC when then have a reverse DNS with something like nasa.gov or .mod). Once the Bot has compromised your machine it is added to a large network of other compromised computers which is controlled by the “Hacker”, the machines are then “normally” used to DDOS other sites offline, if you can Imagen the power of say 1000 hacked servers with 100 Mbp connections to the internet bombarding TCP connections at another server on the Internet, the result is downtime. The web server is overloaded with requests and the server is rendered useless causing you frustration, money, time, pain and a possible sacking. So bottom line secure your SSH Server and any other services for that matter and make sure you keep your servers up to date!

Scare tactics

Still not convinced? You might be interested in seeing if your SSH Server has been attacked by crackers / hackers:

Use lastdb to quickly see last login attempts:

lastb

To see the top 5 most attacked accounts:

lastb | awk '{print $1}' | sort | uniq -c | sort -rn | head -5

Top 5 Attacker IP Addresses:

awk 'gsub(".*sshd.*Failed password for (invalid user )?", "") {print $3}' /var/log/secure* | sort | uniq -c | sort -rn | head -5

Securing SSH Server on Ubuntu

Ok So now your worried about the amount of attack attempts on your server here is the guide.

Secure passwords, simple don’t have weak passwords on your server, don’t base them on dictionary words, do use number and a combo of upper and lower case letters. I personally don’t like special characters in passwords as they have been known to cause problems…
Install “DenyHosts” amazing program that watches the /var/log/secure logfile for invalid ssh login attempts, and if a configurable threshold is crossed, they are automatically blocked by being added to /etc/hosts.deny. Install denyhosts, and optionally edit the good default configuration in /etc/denyhosts.conf, you might want to allow certain local users a higher incorrect password limit before blocking, I have had some problems with this in the past, I won’t name names, you know who you are! To install DenyHosts:
apt-get install denyhosts
Change the SSH port, security by obscurity, but it defiantly works my web servers were getting blasted with attackers on port 22. To change the port edit: /etc/ssh/ssh_config and edit the line
“Port 22″
to something else, i wouldn’t use 2222 as everyone else picks that port! (creative sysadmins?)
Allow only SSH Protocol 2 open “/etc/ssh/ssh_config” and change the following:
#Protocol 2,1
Protocol 2
Disable root logins, edit ssh_config:
PermitRootLogin no
Limit the maximum number of unauthenticated connections that the ssh server will handle at the same time. The smaller this is, the harder it is for script kiddies to make parallel, coordinated cracking attempts with multiple connections. edit sshd_config and change MaxStartups from the default of “10″ to “3:50:10″. The colon separated values tells the ssh server to, “allow 3 users to attempt logging in at the same time, and to randomly and increasingly drop connection attempts between 3 and the maximum of 10″. Note: this should be increased on servers with substantial numbers of valid ssh users logging in.

#MaxStartups 10
MaxStartups 3:50:10

Reduce the maximum amount of time allowed to successfully login before disconnecting. The default is 2mins I change my servers to 20 seconds, who takes 2 mins to login?

#LoginGraceTime 2m
LoginGraceTime 30

Allow only specific users to login, if you only want Stan, Kenny,Cartman and all user names starting with “mr” to login:

AllowUsers stan, kenny, cartman, mr*

You can do the same with groups, make a “sshusers” group and add your ssh users to it, then edit the ssh_config:

AllowGroups sshusers

Allow only users from certain IP addresses to connect. Before allowing specific IPs, the default policy must first be set to DENY to be effective. edit /etc/hosts.deny and add the following line:
sshd: ALL Next add to /etc/hosts.allow the networks you want to allow. For example, to allow all 254 hosts on the class C network “192.168.1.*”, all 16million hosts from the class A network “10.0.0.0″, and the lonely IP 24.42.69.101, you would add the following to /etc/hosts.allow:

 sshd: 192.168.1.0/255.255.255.0
sshd: 10.0.0.0/255.0.0.0
sshd: 24.42.69.101

Use keys instead of password auth, this will completely stop password crackers!

PasswordAuthentication no

By default SSH listens on all IP’s if you only need it on 1 IP:

ListenAddress 10.0.1.50

Please share using the links below, and above the post! Feel free to drop me a comment.

• Secure – Data must be transfered securely using encryption
• Automated – Must run each day without any user interaction
• Reliable – Must be reliable for obvious reasons!
• Email reports – I only want to hear if the backup has failed, I do not want an email every day saying the backup was successful! (I get enough mail already!).

With the above information, I took to the web and did many hours of research and decide on using rsnapshot, it basically works like Apple Time Machine, but on the command line, syncing only what has changed each day and creating snapshots via hard links.

Another advantage of rsnapshot is that it logs into remote servers and pulls the data back over SSH, which means the backup server can sit behind a firewall with no ports forwarded in, this is very important as the server is going to be authenticating to other servers via ssh keys without passphrases.

For more info check out http://www.rsnapshot.org

Installing Rsnapshot on Ubuntu

Login as root (or sudo -s)

aptitude install rsnapshot

This will install Rsnapshot and pull down any packages it depends on.
Open up the file “/etc/rsnapshot.conf” with you’re chosen text editor (I use vi), lets take a look at the first section “snapshot_root” this is the location where Rsnapshot stores it’s backups. By default it places them in the root directory, but I have changed mine to “/backup/snapshots/”.

# All snapshots will be stored under this root directory.
#
snapshot_root   /backup/snapshots/

Next I uncommented “no_create_root 1″ this stops rsnapshot creating the snapshot_root dir, (meaning you have to create it yourself). The benefit of this being, if your backing up to a USB drive and you forget to connect it rsnapshot will not backup to the mount point filling your drive space up and possibly causing a server crash (if you have partitioned incorrectly).

# If no_create_root is enabled, rsnapshot will not automatically create the
# snapshot_root directory. This is particularly useful if you are backing
# up to removable media, such as a FireWire or USB drive.
#
no_create_root  1

We are using Linux, so uncomment the “cmd_cp” line.

# LINUX USERS:   Be sure to uncomment "cmd_cp". This gives you extra features.
# EVERYONE ELSE: Leave "cmd_cp" commented out for compatibility.
#
# See the README file or the man page for more details.
#
cmd_cp          /bin/cp

Next uncomment “cmd_ssh” and give it the correct path to the ssh binary.

# Uncomment this to enable remote ssh backups over rsync.
#
cmd_ssh        /usr/bin/ssh

I uncommented the du option as well, cool little tool that shows you the size of each of your snapshots. (remember if you just did a “du -sh *” in the snapshot dir it would read wrong due to the hard linking).

# Uncomment this to specify the path to "du" for disk usage checks.
# If you have an older version of "du", you may also want to check the
# "du_args" parameter below.
#
cmd_du          /usr/bin/du

This brings us onto Backup Intervals, as you can see I have kept the defaults, so rsnapshot will keep 6 copies of my hourly backup before it starts over writing my old one, 7 copies of my daily backups, 4 of my weekly and 3 monthly backups! Worth noting that rsnapshot will not create the daily.0 backup until hourly.5 has been created in the snapshot_root, the same with weekly and monthly.

#########################################
#           BACKUP INTERVALS            #
# Must be unique and in ascending order #
# i.e. hourly, daily, weekly, etc.      #
#########################################

interval        hourly  6
interval        daily   7
interval        weekly  4
interval        monthly 3

Global Options

The defaults for these are normally fine, however I wanted to a bit more verbosity until I am happy the backup system is working. I changed the setting to 4 instead of 3, 4 displays the commands on the command line as if you were entering them by hand, this was good enough for me!

# Verbose level, 1 through 5.
# 1     Quiet           Print fatal errors only
# 2     Default         Print errors and warnings only
# 3     Verbose         Show equivalent shell commands being executed
# 4     Extra Verbose   Show extra verbose information
# 5     Debug mode      Everything
#
verbose

“logfile”, I uncommented this as logs are always handy for finding out what went wrong

# If you enable this, data will be written to the file you specify. The
# amount of data written is controlled by the "loglevel" parameter.
#
logfile /var/log/rsnapshot

“exclude” After running my first backup it became apparent that I had a bunch of VMWare disk image files in my home dir, so I excluded them with:

# The include and exclude parameters, if enabled, simply get passed directly
# to rsync. If you have multiple include/exclude patterns, put each one on a
# separate line. Please look up the --include and --exclude options in the
# rsync man page for more details on how to specify file name patterns.
#
#include        ???
#include        ???
#exclude        ???
exclude         /home/keith/vmware-disks/

The next thing I configured was the backup points, what I wanted backed up from each of my machines, starting with the localhost.

###############################
### BACKUP POINTS / SCRIPTS ###
###############################

# LOCALHOST
backup  /home/          localhost/
backup  /etc/           localhost/
backup  /usr/local/     localhost/
backup  /var/log/               localhost/
backup  /srv/           localhost/
backup  /boot/          localhost/
backup  /opt/           localhost/

Now I want to backup my email server “the-death-star”, so I configured my backup server to pull it’s data in over SSH (kinda of like when that Star Destroyer pulled in the Millennium Falcon with it’s tractor beam, yeah… Kind of…).

backup  root@the-death-star.techspotting.org:/home/		the-death-star/
backup  root@the-death-star.techspotting.org:/etc/		the-death-star/

backup  root@the-death-star.techspotting.org:/usr/local/bin/   the-death-star/

This is the end of the config file editing, now it’s time to give your config a test with:

rsnapshot configtest

This should come back and say “Syntax OK” unless you messed something up, in which case it will tell you the line it errors on, so go back and fix it!

SSH Keys

It’s all great pulling in the data over SSH but we need to be able to login automatically to our remote servers, we can’t just grab the data and drag it to our server, what do you think this is, a tractor beam?

I use remote root logins for my servers, as I am backing up files in locations like /etc/passwd which are only readable by root, yes there are ways around this, but I do not want this document to get to complex. I will do a separate blog post in the future for this, and link to it here.

So we need to setup SSH keys without passphrases, otherwise we are going to get prompted each time the backup runs for the pass phrase. So let me walk you through creating some SSH keys for key based authentication.

Create the key pair, this will create the public and private keys (never give your private key out!).

ssh-keygen -t rsa

Accept all the default, just push enter when it asks you for a passphrase

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.

You should now have a set of keys in /root/.ssh/ now we need to copy them to the remote machine we want to login to, in this case the-death-star.techspotting.org so this would be the command:

ssh-copy-id -i ~/.ssh/id_rsa.pub root@the-death-star.techspotting.org

You will then get prompted for the password for your account on the remote host, go ahead and enter it, ssh-copy-id will then copy the key to the correct dir and sort out the correct file system permissions, cool huh?

Give it a test and make sure it’s working:

ssh the-death-star.techspotting.org

If you look in “/etc/cron.d/rsnapshot” you should see a file that looks like this:

# This is a sample cron file for rsnapshot.
# The values used correspond to the examples in /etc/rsnapshot.conf.
# There you can also set the backup points and many other things.
#
# To activate this cron file you have to uncomment the lines below.
# Feel free to adapt it to your needs.

# 0 */4         * * *           root    /usr/bin/rsnapshot hourly
# 30 3          * * *           root    /usr/bin/rsnapshot daily
# 0  3          * * 1           root    /usr/bin/rsnapshot weekly
# 30 2          1 * *           root    /usr/bin/rsnapshot monthly

Providing you are happy with the default cron config (which I was) remove the comments so it looks like this:

# This is a sample cron file for rsnapshot.
# The values used correspond to the examples in /etc/rsnapshot.conf.
# There you can also set the backup points and many other things.
#
# To activate this cron file you have to uncomment the lines below.
# Feel free to adapt it to your needs.

0 */4         * * *           root    /usr/bin/rsnapshot hourly
30 3          * * *           root    /usr/bin/rsnapshot daily
0  3          * * 1           root    /usr/bin/rsnapshot weekly
30 2          1 * *           root    /usr/bin/rsnapshot monthly

Now you have enabled cron to backup your files using rsnapshot, you had better make sure it is going to work!

rsnapshot -t hourly

Check everything looks sane and nothing nasty is going to happen and repeat for daily, weekly, monthly.

Now it’s time for your first backup!

rsnapshot hourly

If you have verbosity set to 4 like me (optional), you will be able to see all the files your backing up flying up the screen! The first backup has to move all the file the snapshot_root so this is going to take some time, depending on the speed of your machine / connection, might be a good time to grab another coffee.

You should start to see files in your snapshot_root, after a few weeks you should see a bunch of hourly.*, daily.*, weekly.*

Here is what my snapshot_root looks like:

/backup/snapshots# ls -l
total 48
drwxr-xr-x 3 root root 4096 2010-03-21 18:19 daily.0
drwxr-xr-x 3 root root 4096 2010-03-21 18:19 daily.1
drwxr-xr-x 3 root root 4096 2010-03-21 18:18 daily.2
drwxr-xr-x 3 root root 4096 2010-03-21 17:57 daily.3
drwxr-xr-x 3 root root 4096 2010-03-21 17:57 daily.4
drwxr-xr-x 3 root root 4096 2010-03-21 17:56 daily.5
drwxr-xr-x 3 root root 4096 2010-03-21 18:20 hourly.0
drwxr-xr-x 3 root root 4096 2010-03-21 18:19 hourly.1
drwxr-xr-x 3 root root 4096 2010-03-21 18:19 hourly.2
drwxr-xr-x 3 root root 4096 2010-03-21 18:19 hourly.3
drwxr-xr-x 3 root root 4096 2010-03-21 18:19 hourly.4
drwxr-xr-x 3 root root 4096 2010-03-21 17:56 weekly.0

Thats it, if you have any questions drop me a comment below and don’t forget to share using the share buttons