Debian Linux Installation Notes
This page contains some notes for installing a Debian Linux system, web server, Java and Tomcat from the perspective of one who is familiar with RedHat Linux.
1. Initial setup
We started with a minimal Debian system install (created with dbootstrap, using only "essential" components, with the addition of sshd). Compared with RedHat, the initial system is very bare, so there is more to do to bring it up to the level of a working server platform. Although the installed Debian system includes the iptables firewall software, no rules are preconfigured; Debian cognoscenti point out that this is because there are no services that need to be protected.
- Set the root password to something secure.
- Enable the shadow password file (shadowconfig on).
- Create initial user accounts (use adduser, not useradd, to fully set up the accounts).
- Secure SSH access to selected user accounts; see http://www.ontonet.org/moin/ServerConfiguration/SecurityChecklist
- Update the system (apt-get update, then apt-get dist-upgrade).
- Install cron-apt (apt-get install cron-apt). Edit file /etc/cron-apt/actions.d/3-update so that it actually installs the downloaded packages. The resulting file looks like this:
autoclean -y
dist-upgrade -y -o APT::Get::Show-Upgraded=true
- Install build and installation tools (apt-get install build-essential, apt-get install rpm and apt-get install alien). These are needed later to build and install the Shibboleth SP module.
- Install curl (apt-get install libcurl3).
- Install doxygen (apt-get install doxygen).
- Install the Apache web server (apt-get install apache2-mpm-worker).
- Install the Apache web server documentation (apt-get install apache2-doc).
- Install Java to /opt/java-jdk. This is a bit tricky, as Sun licensing rules mean that Java cannot be distributed as a normal Debian package, yet some installed package is required so that the Debian package manager will allow dependent packages (e.g. Tomcat) to be installed. We used the procedure described in reference [2], as it seems to work better when a Java SDK has been installed.
- Now install a bunch of packages that are dependent on Java:
  - apt-get install libapache2-mod-jk
  - apt-get install tomcat5-webapps (installs Tomcat and the standard web applications that come with Tomcat, e.g. jsp-example(?)).
- Edit file /etc/default/tomcat5 to define a correct value for JAVA_HOME, corresponding to the actual location where Java was installed. Now it should be possible to start Tomcat by executing /etc/init.d/tomcat5 restart. The main Tomcat directories are revealed by examination of /etc/init.d/tomcat5:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
NAME=tomcat5
DESC="Tomcat 5 servlet engine"
CATALINA_HOME=/usr/share/$NAME
DAEMON=$CATALINA_HOME/bin/catalina.sh
DEFAULT=/etc/default/$NAME
TOMCAT5_USER=tomcat5
CATALINA_BASE=/var/lib/tomcat5
2. Configuring/stopping/starting daemon services
For Debian, use these commands:
- invoke-rc.d
- update-rc.d
- dpkg
3. Firewall Config
To summarize the problem: Debian has about fifteen ways to build a firewall and at least four ways to make sure it comes up after a restart, and most of those combinations support both iptables and ipchains firewall syntax. In a recent upgrade, the default was removed, forcing deployers to research the options and make their own choice. I eventually asked for help on an IRC channel; the issue was explained to me, and the comment was passed that:
- "in true debian style they've removed the script that worked for 80% of the people so that the 20% wouldn't complain about being forced what to run"
The solution I selected was the one that involved the smallest changes to the current system:
- I've added a file /etc/iptables.up.rules with a copy of the sakai-vre-demo firewall config.
- I've added a post-up line in /etc/network/interfaces which loads the config into the running iptables whenever the network interface is brought up.
I'm beginning to see how the red hat approach is sometimes better.
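The post-up arrangement above, as an added example that is not part of the original notes: a small hook script that loads the rules file with iptables-restore, refusing to apply a missing or truncated file so the host is never left with an empty ruleset. The hook path, the interface name eth0 and the rules file content are all assumptions (the real sakai-vre-demo rules are not on this page).

```shell
#!/bin/sh
# Added example (not from the original page): post-up hook that loads
# /etc/iptables.up.rules with iptables-restore only after checking the file is a
# complete iptables-save(8) dump, so a truncated or empty file cannot leave the
# host without rules. Assumed interfaces stanza (eth0 and the path are assumptions):
#   iface eth0 inet static
#       post-up /etc/network/iptables-up.sh apply
RULES=${RULES:-/etc/iptables.up.rules}
RESTORE=${RESTORE:-/sbin/iptables-restore}

# A usable rules file is non-empty and has a *filter table that is COMMITted.
rules_look_valid() {
    [ -s "$1" ] && grep -q '^\*filter' "$1" && grep -q '^COMMIT' "$1"
}

# Replace the whole ruleset atomically; leave the running firewall untouched
# (and return 1) if the file fails the check.
load_rules() {
    if ! rules_look_valid "$1"; then
        echo "$1: missing or incomplete rules file, firewall left unchanged" >&2
        return 1
    fi
    "$RESTORE" < "$1"
}

# Constructed example of the rules file format, defining the BLACKLIST chain that
# the SSHblack notes below expect: default-deny INPUT, allow established traffic
# and loopback, pass new SSH connections through BLACKLIST, then allow SSH and HTTP.
write_example_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLACKLIST - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j BLACKLIST
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Only act when invoked as the post-up hook; sourcing the file just defines functions.
if [ "${1:-}" = apply ]; then
    load_rules "$RULES"
fi
```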
4. SSHblack install
(See also: InstallingSshblack)
The script for auto-starting SSHblack looks like this:
#! /bin/sh
### BEGIN INIT INFO
# Provides:          sshblack
# Required-Start:    $local_fs $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      S 0 1 6
# Short-Description: SSH blacklister
# Description:       This file is the start/stop script for sshblack.
### END INIT INFO

# Author: Graham Klyne <graham.klyne@oucs.ox.ac.uk>

# Do NOT "set -e"

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/bin
DESC="SSH blacklister"
NAME=sshblack
PROG=${NAME}.pl
DAEMON=/opt/sshblackv28/$PROG
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
LOGFILE=/var/log/sshblacklisting

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
[ -f /etc/default/rcS ] && . /etc/default/rcS

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    start-stop-daemon --start --quiet --name $PROG --exec $DAEMON --test > /dev/null \
        || return 1
    start-stop-daemon --start --quiet --name $PROG --exec $DAEMON \
        || return 2
    # Add code here, if necessary, that waits for the process to be ready
    # to handle requests from services started subsequently which depend
    # on this one.  As a last resort, sleep for some time.
}

#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --name $PROG
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    # Wait for children to finish too if this is a daemon that forks
    # and if the daemon is only ever run from this initscript.
    # If the above conditions are not satisfied then add some other code
    # that waits for the process to drop all resources that could be
    # needed by services started subsequently.  A last resort is to
    # sleep for some time.
    start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
    [ "$?" = 2 ] && return 2
    # Many daemons don't delete their pidfiles when they exit.
    rm -f $PIDFILE
    return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
    #
    # If the daemon can reload its configuration without
    # restarting (for example, when it is sent a SIGHUP),
    # then implement that here.
    #
    start-stop-daemon --stop --signal 1 --quiet --name $PROG
    return 0
}

case "$1" in
  start)
    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  #reload|force-reload)
    #
    # If do_reload() is not implemented then leave this commented out
    # and leave 'force-reload' as an alias for 'restart'.
    #
    #log_daemon_msg "Reloading $DESC" "$NAME"
    #do_reload
    #log_end_msg $?
    #;;
  restart|force-reload)
    #
    # If the "reload" option is implemented then remove the
    # 'force-reload' alias
    #
    log_daemon_msg "Restarting $DESC" "$PROG"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
    echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
    exit 3
    ;;
esac

:
It may be appropriate to include some logic to recreate the iptables configuration for SSH blacklisting, along these lines:
# Create firewall table for blacklist (in case it got lost)
# (On Redhat Linux, running the system security level script causes additional
# IPtables entries to be removed, so this code reinstates the sshblack entries)
if iptables -L INPUT | grep BLACKLIST >/dev/null
then
    # Blacklist already configured
    :
else
    # Blacklist missing.
    # Lines 2-4 below may need adjusting to match the local iptables usage:
    # currently they insert the blacklist check at the start of the INPUT chain
    iptables -N BLACKLIST
    iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -I INPUT 2 -i lo -j ACCEPT
    iptables -I INPUT 3 -p tcp --dport 22 -j BLACKLIST
    # Remove any old blacklist cache
    # (if iptables is reset without clearing this, previously started attacks
    # may be allowed through)
    rm -f /var/tmp/ssh-blacklist-pending
fi
5. Forwarding LogWatch and root email
With Postfix mail transport installed:
- Edit file /etc/aliases, e.g.:
# See man 5 aliases for format
postmaster:    root
root:          admin.foo@oucs.ox.ac.uk admin.bar@oucs.ox.ac.uk
- Run command newaliases.
- To send a test message:
apt-get install nail
nail
? mail root
Subject: test
<test content>
^D
? q
6. Installing and configuring a Shibboleth SP
(See also: ShibbolethInstallNotes, section 2.6)
- Create a new key pair and certificate signing request. Note that the requested certificate CN should be the fully qualified domain name of the service provider host.
openssl genrsa -out sakai-vre-demo2.key 2048
openssl req -new -key sakai-vre-demo2.key -out sakai-vre-demo2.csr
- Obtain a certificate for use with InQueue by entering details at https://bossie.doit.wisc.edu:3443/cert/i2server/csr.
- Apply to join the InQueue federation as a service provider by filling in the request form at http://inqueue.internet2.edu/1.3-join.html. (Only the certificate CN, and not the full certificate, is needed at this point.)
- Follow the instructions at http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.3/sp/install-sp-1.3-debian.html to install the Shibboleth SP software.
- A patch may be necessary for g++ 4.1, as used by Debian. The patch is at http://www.mail-archive.com/security-dev@xml.apache.org/msg03270.html
7. Configuring JK connector
The JK connector software is installed through the usual Debian apt-get mechanism. JK may be part of Apache, or a separate module - at the time of writing this, I don't recall. To enable and configure the connector:
- Load the module. Link file /etc/apache2/mods-enabled/jk.load to /etc/apache2/mods-available/jk.load:
ln -s /etc/apache2/mods-available/jk.load /etc/apache2/mods-enabled/jk.load
- Configure the module. Create file /etc/apache2/mods-enabled/jk.conf thus:
# Configure JK connector for use with Tomcat
# See also jk.load
JkWorkersFile "/etc/apache2/conf.d/workers.properties"
JkLogFile     "/var/log/apache2/mod_jk.log"
# JkLogLevel  emerg
JkLogLevel    debug
JkMount /shibboleth-idp/* ajp13w
JkMount /jsp-examples/* ajp13w
# End.
- Configure the connections. Create file /etc/apache2/conf.d/workers.properties:
# The workers that jk should create and work with
#
worker.list=wlb,jkstatus,ajp13w
#
# Defining a worker named ajp13w and of type ajp13
# Note that the name and the type do not have to match.
#
worker.ajp13w.type=ajp13
worker.ajp13w.host=localhost
worker.ajp13w.port=8009
#
# Defining a load balancer
#
worker.wlb.type=lb
worker.wlb.balance_workers=ajp13w
#
# Define status worker
#
worker.jkstatus.type=status
8. Other niggles
Starting or stopping the Apache web server gives the warning message "Could not determine the server's fully qualified domain name". In our case, this turned out to be a formatting problem in /etc/hosts: the IP address and host names were separated by multiple spaces rather than a single tab. The man page says that multiple spaces are OK, but when I replaced them with a single tab the error message went away:
sakai-vre-demo2:/etc# invoke-rc.d apache2 restart
Forcing reload of apache 2.0 web server....
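The /etc/hosts fix above, as an added example that is not part of the original notes: a function that rewrites the address/name separator to a single tab as described, plus a second check listing entries whose canonical (first) name is not fully qualified, which is the other thing to look at when Apache cannot work out its server name. The sample hosts lines used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): normalise the whitespace in an
# /etc/hosts file to "address<TAB>names", the change that cleared the Apache
# FQDN warning above, and report entries whose canonical name has no domain part.
# Both functions read the hosts file given as $1.

# Print the file with each "address names..." line rewritten as "address<TAB>names";
# comment and blank lines pass through unchanged.
normalise_hosts() {
    awk '
        /^[ \t]*(#|$)/ { print; next }
        {
            names = $2
            for (i = 3; i <= NF; i++) names = names " " $i
            print $1 "\t" names
        }' "$1"
}

# Print "address canonical-name" for entries whose first name contains no dot,
# skipping the loopback entries, which are never fully qualified.
unqualified_hosts() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "127.0.0.1" || $1 == "::1" { next }
        $2 !~ /\./ { print $1, $2 }' "$1"
}
```

Run normalise_hosts /etc/hosts into a temporary file and compare with diff before copying it back; unqualified_hosts /etc/hosts prints nothing when every non-loopback entry has a fully qualified canonical name.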
9. References
[1] http://www.crazysquirrel.com/computing/debian/java.jspx - installing Java on Debian
[2] http://chrismetcalf.net/blog/archives/2005/05/19/mini-howto-installing-java-on-debian-unstable/ - another way
[3] http://wiki.debian.org/JavaPackage - instructions from the Debian community
-- GrahamKlyne 2006-07-27 13:56:19

