Thecus N5200 Ubuntu Install #4

Continuation of the installation and configuration guide for Ubuntu on the Thecus N5200 NAS. Initial post here
Original location where I first posted it in 2011 here: http://thecususergroup.proboards.com/thread/4226

* * *

Now that we have Ubuntu and our RAID set up we’ll do the long bit …

#===== INSTALL SERVICES/PACKAGES =====#

Feel free to skip any of these services/packages. They are just a set of what I would consider essentials in my own build.

apt-get moo


#—– EXIM – Mailserver for error warnings/notifications, etc. —–#

Useful links:
www.manu-j.com/blog/wordpress-exim4-ubuntu-gmail-smtp/75/
blog.mansonthomas.com/2009/04/send-mail-through-gmail-smtp-server.html
basskozz.wordpress.com/2008/12/07/how-to-setup-a-raid5-software-mdadm-array-w-email-notifications-via-gmail-the-easy-way/


This is my guide to configuring for GMail. I don’t know how to do it for anything else. Do some Googling to find out if you need to.

>>>>> Installation and initial config <<<<<
apt-get install exim4 openssl
dpkg-reconfigure exim4-config

For installation options choose:
– mail sent by smarthost; received by SMTP…
– <your desired mail source e.g. companyname.com>
– leave as is i.e. 127.0.0.1
– leave other destinations blank
– Leave Machines to relay mail for: blank
– Type Machine handling outgoing mail for this host (smarthost): smtp.gmail.com::587
– Choose NO, don’t hide local mail name in outgoing mail.
– Choose NO, don’t keep number of DNS-queries minimal (Dial-on-Demand).
– Choose mbox
– Choose NO, split configuration into small files
– Mail for postmaster. Leaving blank will not cause any problems though it is not recommended.

These options may not all be presented to you depending on any updates that the Exim maintainers make to their package. When installing on my N5200, one of the options had disappeared since my first testing on VirtualBox.

>>>>> Edit config file <<<<<
cp /etc/exim4/exim4.conf.template /etc/exim4/exim4.conf.template.original
vi /etc/exim4/exim4.conf.template

Find ‘.ifdef DCconfig_smarthost DCconfig_satellite’ section around 50% down file and add this:
send_via_gmail:
driver = manualroute
domains = ! +local_domains
transport = gmail_smtp
route_list = * smtp.gmail.com

If you have any other smarthost defined with “domains = ! +local_domains”, remove that smarthost. I had to comment out all of ‘smarthost:’. But don’t comment out the last ‘.endif’.

Find comment ‘transport/30_exim4-config_remote_smtp_smarthost’ about 80% down the file and add this to section:
gmail_smtp:
driver = smtp
port = 587
hosts_require_auth = $host_address
hosts_require_tls = $host_address

Now comment out section ‘remote_smtp_smarthost:’ all the way down to the next comment section.

Find ‘begin authenticators’ about 87% down file and add this to section, don’t forget to add your email details:
gmail_login:
driver = plaintext
public_name = LOGIN
client_send = : YourGmailLogin@gmail.com : YourGmailPassword

Make sure you have no other authenticators with the same public_name (LOGIN). 
Comment them out if needed. I had to comment out all of ‘login:’ section starting at 99% to end of file.

>>>>> Add Gmail authentication info <<<<<
vi /etc/exim4/passwd.client
Add: 
Gmail-smtp.l.google.com:YourGmailLogin@gmail.com:YourGmailPassword
*.google.com:YourGmailLogin@gmail.com:YourGmailPassword
smtp.gmail.com:YourGmailLogin@gmail.com:YourGmailPassword

>>>>> Edit aliases to avoid delivery failure messages <<<<<
(http://ubuntuforums.org/showthread.php?t=1057294)
vi /etc/aliases
Check what <name> is beside ‘root:’ it should be your admin user.

vi /etc/exim4/email-addresses
Add:
<name- the one in the aliases file next to root>: <real email address you want it to come from>

>>>>> Test config & restart <<<<<
Test for errors in your config, if errors exist, fix them. Usually the detail returned is sufficient to fix the error. If not use Google.
update-exim4.conf

Clear any old logs, usually only needed if you had errors before. You can refer to these logs later if the email doesn’t work. Then Google is your friend.
rm /var/log/exim4/paniclog
rm /var/log/exim4/mainlog

Restart EXIM service
/etc/init.d/exim4 restart

>>>>> Send test email <<<<<
mail <your email address>
<enter subject>
<type message, end message by typing . on a new line>

Try this command if test email doesn’t work, give it a few minutes though. It seems to force mail through if it is stuck somewhere in a queue.
exim -qff

>>>>> Add alerting to mdadm <<<<<
vi /etc/mdadm/mdadm.conf
Add: 
MAILADDR <YourEmailAddress_Where-you-want-mdadm-notifications-sent@email.com>

Test alerting:
mdadm --monitor --scan --test --daemonise

Add cron job to alert every day at 00:01. Or whenever you want. Check out en.wikipedia.org/wiki/Cron for details of the structure of the crontab file.
vi /etc/crontab
Add:
01 0 * * * root mdadm --monitor --scan --test --daemonise
And at the top of crontab add this to stop delivery failure notices:
MAILTO=example@example.com





#—– SendEmail – Nice easy email sending tool for cronjob or command line emails —–#

This section will detail how to set up a notification email which is sent every time the server starts up. You can set up other alerting etc. if you want. This is just a basic guide to how it can be used.

apt-get install sendemail 

>>>>> Add email alerting on startup <<<<<
Make a script file:
vi /home/<adminuser>/startupemail/startupemail.sh

The file should contain:
#!/bin/bash
# a script for sending myself an email on startup

# build the message in a temporary file; the current directory is / when this
# runs at boot, so don't write the file relative to it
MSG=$(mktemp)
echo "Server startup notification for:" > "$MSG"
hostname >> "$MSG"
echo " " >> "$MSG"
echo "Startup occurred at:" >> "$MSG"
date >> "$MSG"

sendEmail -f <source email address> -t <destination email address> -u "Server Startup" -o message-file="$MSG"
rm -f "$MSG"

I believe that <source email address> can be anything you want but I just use the same thing for both source and destination which seems to work.

>>>>> Set to executable and configure to run on startup <<<<<
chmod 755 /home/<adminuser>/startupemail/startupemail.sh

ln -s /home/<adminuser>/startupemail/startupemail.sh /etc/init.d/startupemail.sh

Add to startup script:
update-rc.d startupemail.sh defaults

-> Reboot to test
reboot





#—– SAMBA (SMB) —–# 

Useful links:
www.howtogeek.com/howto/ubuntu/install-samba-server-on-ubuntu/
tldp.org/HOWTO/SMB-HOWTO-7.html
linux.die.net/man/5/smb.conf
www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
www.brennan.id.au/18-Samba.html
www.cyberciti.biz/tips/how-do-i-set-permissions-to-samba-shares.html


SAMBA allows you to access your server from PCs/MACs etc. And it lets you configure who gets access to what. You’ll need this set up before you start trying to map drives from your computer.

apt-get install samba smbfs

>>>>> Configure users <<<<<
To allow mapping of a drive you need to add a username and password to SMB. If the name you added is associated with a Linux user but is not identical, you need to let SMB know the mapping.

Let’s add ‘John’, who already has a Linux account called ‘john’.
smbpasswd -a John
vi /etc/samba/smbusers
add line: john = "John"

For each user you need a Linux account (useradd Jane) & an SMB account (smbpasswd -a Jane). But unless you know they will be logging directly into the server via SSH, they don’t need a home directory, and you can disable the ability to log in directly. Do this with
useradd -M -s /sbin/nologin Jane

-M creates the user without a home dir,
-s sets a shell that refuses logins
And if you later want to remove them: userdel -r Jane

Now set a password and set up their SMB account:
passwd Jane 
smbpasswd -a Jane


>>>>> Make the shares you need on your RAID array <<<<<
Make all the shares you need for now. I like to replicate the structure of the N5200 as I already have mappings to these locations in Windows.

I want to test my SMB configuration to make sure it works also so I am creating a couple of directories which will have restricted access. You’ll need to have a read of this to understand the permissions and chmod/chown: help.ubuntu.com/community/FilePermissions

Share for everyone:
mkdir /raid/data
chmod -R 0777 /raid/data

Share for John only:
mkdir /raid/john
chown john /raid/john
chmod -R 0700 /raid/john

Share for Jane only:
mkdir /raid/jane
chown Jane /raid/jane
chmod -R 0700 /raid/jane

>>>>> Configure SMB <<<<<
Make a copy of the file in case you wreck it! It’s a mistake I made.
cp /etc/samba/smb.conf /etc/samba/smb.conf.master

Now we edit the ‘master’ file which will later be parsed to the non-master file. So always do your editing in the master one.
vi /etc/samba/smb.conf.master

Edit server string to ‘%h’ only
Add these lines under Global section:
#dos filenames
dos charset = cp950

#hosts
hosts allow = 127.0.0.1 192.168.0.0/24 
hosts deny = 0.0.0.0/0

Uncomment ‘security=user’
To make our user mapping from earlier work add this below the ‘security=user’ bit:
username map = /etc/samba/smbusers 

Change unix password sync to ‘yes’

Now lets add our network share details. Details of all the options can be found at www.brennan.id.au/18-Samba.html Add these under the commented out [homes] section:

[shared]
comment = Shared Data
path = /raid/data
read only = No
guest ok = Yes
public = Yes
browseable = Yes
writeable = Yes
create mask = 0777
directory mask = 0777
inherit permissions = yes 

[johnonly]
comment = John Only
path = /raid/john
read only = No
guest ok = No
browseable = No
create mask = 0700
directory mask = 0700
valid users = John

[janeonly]
comment = Jane Only
path = /raid/jane
read only = No
guest ok = No
browseable = No
create mask = 0700
directory mask = 0700
valid users = Jane

Comment out all the other junk, e.g. printers, unless you are going to use them of course. I didn’t, so I don’t know how they should be configured.

>>>>> Test config & write master file <<<<<
Test the configuration file for errors. Output of test is usually clear enough to fix the error. Otherwise Google it.
testparm /etc/samba/smb.conf.master

Parse the ‘master’ into the smb.conf file. This strips out all the comments and leaves only the valid content. Apparently this significantly speeds up SMB since it no longer has to trawl through all the redundant crap. This is why when you make changes always edit the ‘master’ file and then run this command to strip out the comments and make the ‘real’ file.
testparm -s /etc/samba/smb.conf.master > /etc/samba/smb.conf

>>>>> Restart SAMBA <<<<<
service smbd reload

>>>>> Map some drives <<<<<
In Windows (or your OS of choice) you can now map network drives. Just create a new mapped drive and use your network location and share. You’ll be asked to connect using a username and password. Try mapping your shared folder and your John/Jane only folders. And try accessing Jane’s folder with John’s credentials and vice versa to make sure the security works.

Note that the location is \\<server IP address>\<share name>
The share name is the bit in the square brackets in the smb.conf file, e.g. \\192.168.1.10\johnonly






#—– WEBSERVER —–# 

Useful Links:
www.howtoforge.com/installing-apache2-with-php5-and-mysql-support-on-ubuntu-10.04-lamp
netbeans.org/kb/docs/php/configure-php-environment-ubuntu.html – Moving doc root
developer.spikesource.com/wiki/index.php/How_to_change_the_mysql_database_location – Moving php db’s
www.symantec.com/connect/articles/securing-php-step-step
www.dagondesign.com/articles/automatic-mysql-backup-script/

Obviously you only need all this stuff if you plan to host any webpages/webservices on your server. I do plan to (e.g. I have a nice PHP file which can be configured to send out a wake on LAN packet to my desktop machine to turn it on remotely just by visiting a webpage, I put this up on the forum if anyone is interested) so I’m installing it.

>>>>> Installation <<<<<
-> Install MySQL and associated packages. 
You will be asked for a password for MySQL, you can have anything but I just use my server admin password to keep it all simple.
apt-get install mysql-server mysql-client

-> Install apache2
apt-get install apache2
Go to <serverIPaddress> to confirm the install worked. If not, try reinstalling it or restarting it with /etc/init.d/apache2 restart

-> Install PHP5
apt-get install php5 libapache2-mod-php5 php5-mysql php5-mcrypt php5-cli
Restart apache to apply PHP changes.
/etc/init.d/apache2 restart

To test if PHP was installed correctly create a webpage we can visit:
vi /var/www/info.php
Add this to the blank file:
<?php
phpinfo();
?> 
Go to <serverIPaddress>/info.php and the PHP info should be displayed if everything worked.

-> Install phpMyAdmin
apt-get install phpmyadmin
Pick webserver ‘apache2’ and answer ‘no’ to ‘Configure database for phpmyadmin with dbconfig-common?’

Access at <serverIPaddress>/phpmyadmin/ to confirm that it is working. The username is ‘root’ and the password is the MySQL password you picked earlier.

We will change the phpmyadmin admin website to something less obvious
vi /etc/phpmyadmin/apache.conf
Change ‘Alias /phpmyadmin /usr/share/phpmyadmin’ to
Alias /<new location> /usr/share/phpmyadmin

Reload apache to apply changes and try to access phpMyAdmin at <serverIPaddress>/<newlocation>/
/etc/init.d/apache2 reload

>>>>> Configuration <<<<<
-> Disable insecure modules
Most of these were not actually installed by default on my machine but I ran the disable command anyway in case. If you end up needing them later use a2enmod. Note that a2dismod takes the module name without the ‘mod_’ prefix (and mod_imap is called ‘imagemap’ in the Debian packaging):
a2dismod imagemap
a2dismod include
a2dismod info
a2dismod userdir
a2dismod status
a2dismod cgi
a2dismod autoindex

-> Move webserver directory
I wanted my webserver directory to be on the RAID so that it would be subject to the same disk failure protection as the rest of my files. The default location is on the DOM module with the rest of the Ubuntu installation. I followed this guide on moving the document root directory to the RAID (http://netbeans.org/kb/docs/php/configure-php-environment-ubuntu.html), but here is my brief summary of the commands I used:
mkdir /raid/webserver
mkdir /raid/webserver/www
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default.original
vi /etc/apache2/sites-available/default

Change document root & directory directive to ‘/raid/webserver/www/’ or wherever you want to store it. Save file and reload apache.

/etc/init.d/apache2 reload

-> Configure regular backups of SQL DBs
Although the webserver files are on the RAID, the SQL DBs are still on the DOM. So I wanted a way to make sure I had these backed up on the RAID. I followed this guide: www.dagondesign.com/articles/automatic-mysql-backup-script/

But again I have included the steps for you here too. You’ll have to download the two PHP files from the website linked above.

Copy the two PHP files into a directory in your user home: 
mkdir /home/<admin user>/DBBackup
Edit (with vi) the config file and add your MySQL root password, DB backup location, etc.

Test the backup by running this command:
php backup_dbs.php

If you get an error about deprecated comments follow this solution: www.asim.pk/2010/06/21/php-depreciated-errors-on-ubuntu-10-04-lts/

Add to Cron to run regularly (monthly in this case at 3am on 1st of month)
vi /etc/crontab
Add line:
0 3 1 * * root php /home/<admin user>/DBBackup/backup_dbs.php



>>>>> Apache user & webserver document root security <<<<<

Useful links: 
www.petefreitag.com/item/505.cfm
www.linuxsecurity.com/content/view/133913/171/ 


-> Run apache under own user and group to increase security
Add group and user for apache
groupadd apache
useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin

Edit envvars file and change the user and group names to the new ones
cp /etc/apache2/envvars /etc/apache2/envvars.original
vi /etc/apache2/envvars

Restart apache
/etc/init.d/apache2 restart

List processes and users to confirm that apache is now running under new user
ps -A u

-> Configure file permissions and SAMBA access to webserver directory
Give webserver directory appropriate permissions:
chown apache /raid/webserver/www
chmod 0755 /raid/webserver/www

Edit the SMB config file to add the webserver as a share which can be mapped from other machines. Change the valid users section to whoever you want to be able to map it; make sure to include the ‘apache’ user.
vi /etc/samba/smb.conf.master

Add to shares section:
[webserver]
comment = Webserver
path = /raid/webserver/www
read only = Yes
guest ok = No
browseable = No
create mask = 0644
directory mask = 0755
valid users = John, Jane, apache
write list = John, Jane, apache
force group = apache
force user = apache

Test your SMB config file and write the master to the ‘real’ file, then reload smb.
testparm /etc/samba/smb.conf.master
testparm -s /etc/samba/smb.conf.master > /etc/samba/smb.conf
service smbd reload

>>>>> PHP security <<<<<
The steps I followed are below. But I followed a good guide on this site: www.symantec.com/connect/articles/securing-php-step-step

Edit the php.ini config file.
cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.original
vi /etc/php5/apache2/php.ini

Make sure the following parameters are correctly set:
safe_mode = On
safe_mode_gid = Off
expose_php = Off
register_globals = Off
display_errors = Off
log_errors = On
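As an added example (mine, not the guide’s or any project’s code), a small audit script that checks the php.ini settings listed above and the smb.conf.master hardening from the SAMBA section (security = user, a hosts allow list, and no share that guests can write to). It assumes share names without whitespace, and the sample files it writes are constructed, not the author’s real configs:

```shell
#!/bin/sh
# Added example, not from the original guide: audit the settings this guide asks
# you to put in /etc/samba/smb.conf.master (SAMBA section) and in
# /etc/php5/apache2/php.ini. Both are INI-style, so one small parser serves both.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], trimmed
# and lowercased; ';' and '#' comment lines are skipped; prints nothing if unset.
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); sec = s; next }
        sec == want && index($0, "=") {
            k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print tolower(v); exit
            }
        }' "$1"
}

# audit_php_ini FILE: report each of the guide's six php.ini parameters that is
# unset or differs from the value above; returns 0 when all match, 1 otherwise.
audit_php_ini() {
    rc=0
    for pair in safe_mode=on safe_mode_gid=off expose_php=off \
                register_globals=off display_errors=off log_errors=on; do
        k=${pair%%=*}; want=${pair#*=}
        got=$(ini_get "$1" PHP "$k")
        [ "$got" = "$want" ] || { echo "php.ini: $k = ${got:-<unset>}, expected $want"; rc=1; }
    done
    return $rc
}

# audit_smb FILE: check the global hardening from the guide (security = user and a
# 'hosts allow' list) and list every share a guest can write to; returns the finding count.
audit_smb() {
    n=0
    [ "$(ini_get "$1" global security)" = user ] || { echo "global: security is not 'user'"; n=$((n+1)); }
    [ -n "$(ini_get "$1" global "hosts allow")" ] || { echo "global: no 'hosts allow' list"; n=$((n+1)); }
    for sec in $(sed -n 's/^[[:space:]]*\[\([^]]*\)].*/\1/p' "$1"); do
        case "$sec" in global|homes|printers|print\$) continue ;; esac
        guest=$(ini_get "$1" "$sec" "guest ok")
        ro=$(ini_get "$1" "$sec" "read only"); wr=$(ini_get "$1" "$sec" writeable)
        if [ "$guest" = yes ] && { [ "$ro" = no ] || [ "$wr" = yes ]; }; then
            echo "[$sec]: guest-writable share"; n=$((n+1))
        fi
    done
    return $n
}

# write_samples DIR: constructed sample files (display_errors wrong; the guide's open [shared] share).
write_samples() {
    cat > "$1/smb.conf.master" <<'EOF'
[global]
   security = user
   hosts allow = 127.0.0.1 192.168.0.0/24
[shared]
   read only = No
   guest ok = Yes
EOF
    cat > "$1/php.ini" <<'EOF'
[PHP]
; display_errors = Off   (commented out, so it must be ignored)
safe_mode = On
safe_mode_gid = Off
expose_php = Off
register_globals = Off
display_errors = On
log_errors = On
EOF
}
# Dry run: expect "php.ini: display_errors = on, expected off" and "[shared]: guest-writable share".
d=$(mktemp -d); write_samples "$d"
audit_php_ini "$d/php.ini" || true; audit_smb "$d/smb.conf.master" || true; rm -rf "$d"
```

Point the two audit functions at the real files (e.g. audit_smb /etc/samba/smb.conf.master) after editing; a non-zero exit means something to look at.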

-> Stop XSS and SQL injection attacks using mod_security (http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/)
apt-get install libapache-mod-security

vi /etc/apache2/conf.d/modsecurity2.conf
Add:
<IfModule mod_security2.c>
Include conf.d/modsecurity/*.conf
</IfModule>

mkdir /var/log/apache2/mod_security
ln -s /var/log/apache2/mod_security/ /etc/apache2/log

Download the ModSecurity rules. Make sure to visit this website to find the latest rule filename and update it in the commands below: www.modsecurity.org/download/index.html

mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
wget www.modsecurity.org/download/modsecurity-apache_2.5.13.tar.gz
tar xzvf modsecurity-apache_2.5.13.tar.gz
rm CHANGELOG LICENSE README modsecurity-apache_2.5.13.tar.gz

Update apache configuration
vi /etc/apache2/apache2.conf

Find “Include /etc/apache2/conf.d/” (line 233 in my file) and change it to:
Include /etc/apache2/conf.d/*.conf

Add these lines below it:
Include /etc/apache2/conf.d/security
Include /etc/apache2/conf.d/localized-error-pages
Include /etc/apache2/conf.d/charset

Save file and run this command to enable modsecurity module:
a2enmod mod-security


>>>>> Restart apache <<<<<
/etc/init.d/apache2 restart
apache2ctl -t 
apache2ctl restart 







#—– VPN Server – PPTP —–# 

Useful links:
www.ubuntugeek.com/howto-pptp-vpn-server-with-ubuntu-10-04-lucid-lynx.html


This is easier to configure than OpenVPN but less secure; an OpenVPN guide is below. Also Windows already has a built-in client for PPTP VPNs but you need to install a new one for OpenVPN. I’d stick to this if you’re not too concerned about security and are just a regular home user.

>>>>> Install and configure your VPN server <<<<<
apt-get install pptpd
vi /etc/pptpd.conf
edit settings at bottom to:
# this is the fixed IP of the NAS
localip 192.168.0.3
# this is the IP range the remote connections will be assigned
remoteip 192.168.0.60-65

vi /etc/ppp/chap-secrets
Add:
# client server secret IP addresses
<yourusername> pptpd <yourpassword> * 

>>>>> Hardening your VPN <<<<<
vi /etc/rc.local
Add these lines above ‘exit 0’:
# PPTP IP forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# SSH Brute Force Protection
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

vi /etc/sysctl.conf
Uncomment line:
net.ipv4.ip_forward=1

reboot





#—– VPN Server – OpenVPN —–# 

Useful links:
www.ossramblings.com/configuring_openvpn_ubuntu_hardy


To be honest, I struggled to get this working and it was more bother than it was worth. I think in future I’ll stick to PPTP.

>>>>> Install VPN packages <<<<<
apt-get install openvpn dnsmasq openssl

Install OpenVPN, the previous step only really downloaded it.
mkdir /etc/openvpn
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/
cd /etc/openvpn/
mkdir keys
touch /etc/openvpn/keys/index.txt 
echo 01 > /etc/openvpn/keys/serial

Leave the index.txt file completely empty.

Edit vars file to configure OpenVPN
vi vars
Now amend the details at the end of this file for own locale. Then save file.

>>>>> Certificates & keys <<<<<
Add certificate information, just answer the questions when you run this:
source ./vars
./build-ca

Build server key
./build-key-server server

Build client certificate. If you are planning on using a certificate per client make sure you change the name of client to make it identifiable. You can use the same certificate across all remote clients.
./build-key <client-name> 

NOTE: if you close the console and come back later to generate more keys, you’ll need to run “source ./vars” before running build-key again.

Build DH key, could take a few minutes so don’t panic if it looks like it stops working.
./build-dh

Once completed, copy the “client-name.key” “client-name.crt” and “ca.crt” files securely to the client machine.

>>>>> Setup the server configuration file <<<<<
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz
vi /etc/openvpn/server.conf
Edit these lines:
;local 1.2.3.4 -> local <server’s IP address>
port 1194 -> port <whatever you want to listen on, also config firewall to let this through to server’s IP>
proto udp -> proto tcp [tcp is more reliable]
dev tun [leave uncommented, this is the one we want]

Further down in the file we need to tell the config file where the keys are:
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem

Later in the file we need to specify the subnet for adding client IPs to. This example will give all connections an IP address of 10.8.0.*
server 10.8.0.0 255.255.255.0 
We need to specify what local network IP addresses are available to the clients. This example allows IP addresses 192.168.0.* to be accessed by the clients.
push “route 192.168.0.0 255.255.255.0” 

Now change the user and group to the ‘nobody’ user to make the VPN server run with least privileges. You can recheck your users by looking in /etc/passwd 
user nobody 
group nogroup

>>>>> Start the server to check for errors <<<<<
openvpn /etc/openvpn/server.conf

>>>>> Configure to run on startup <<<<<
vi /etc/default/openvpn
Uncomment: AUTOSTART="all"

/etc/init.d/openvpn start

Now install a client on your remote OS (google for instructions) and point it to the key files created earlier; OpenVPN GUI is the Windows client.





#—– WEBMIN —–# 

Useful links:
doxfer.webmin.com/Webmin


Webmin is a really handy web interface for configuring your server. It saves a lot of command line work and can help when tweaking settings, especially if you’re not certain what the commands are.

>>>>> Install Webmin dependencies <<<<<
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl

>>>>> Add Webmin repository to sources list <<<<<
vi /etc/apt/sources.list
Add these at the bottom of the file:
#Webmin source
deb http://download.webmin.com/download/repository sarge contrib
deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

>>>>> Download and install GPG key which Webmin is signed with <<<<<
cd /root
wget www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
rm jcameron-key.asc

>>>>> Update repository list and install Webmin <<<<<
apt-get update
apt-get install webmin

Access Webmin on <serverIP>:10000 


And that is your server set up complete. Read on for some additional services which I installed…
