http://wiki.boochtek.com/ 2010-09-07T02:23:11-05:00 http://wiki.boochtek.com/ http://wiki.boochtek.com/lib/images/favicon.ico text/html 2010-08-01T15:04:56-05:00 http://wiki.boochtek.com/build/apache?rev=1280693096&do=diff These instructions document the installation and configuration of Apache 2.2 on our Debian 4.0 system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now. Requirements Apache doesn't need much itself. However, the configuration we plan to use does require several components. We're assuming that some of our web pages will require Perl, PHP, Python, MySQL, and possibly PostgreSQL. text/html 2010-08-02T22:07:18-05:00 http://wiki.boochtek.com/build/backups?rev=1280804838&do=diff Like any system admins, we need to ensure that we have good backups. Our systems do not have tape backup devices, and it's easy to rebuild the OS, so we're just backing up our data and config files across the network via rsync tunneled through SSH. text/html 2010-08-01T23:35:49-05:00 http://wiki.boochtek.com/build/cms?rev=1280723749&do=diff Nothing here yet. text/html 2010-08-01T13:00:12-05:00 http://wiki.boochtek.com/build/debian?rev=1280685612&do=diff These instructions document the configuration of Debian 5.0 on our servers. Since this is a SliceHost image, the base OS comes pre-installed. These docs consider the configuration required after the base installation. Package Selection We started with a minimal ("netinst") installation, with only a few packages installed. We will install all the required packages manually. This provides some added security, as we've minimized our attack surface to only the applications we actually need. text/html 2010-08-10T17:01:09-05:00 http://wiki.boochtek.com/build/dns?rev=1281477669&do=diff We are running a caching name server on the server, bound to the loopback interface only. We decided to use bind 9, as it is well supported now. (Note that Debian's default is bind 8, if you just say "bind".) We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most bind and DNS exploits. text/html 2010-08-01T23:31:33-05:00 http://wiki.boochtek.com/build/firewall?rev=1280723493&do=diff I decided to go with Shorewall, which is fairly standard. Shorewall also has the advantage that we don't need to provide the IP addresses of the system -- it determines them dynamically. So when we change IP addresses, we don't have to re-configure the firewall. text/html 2010-08-01T23:04:07-05:00 http://wiki.boochtek.com/build/logging?rev=1280721847&do=diff Log configuration, reports, etc. Configuration /etc/default/klogd Turn off console messages for lower priority messages. (This method is deprecated; we're also using the sysctl method.) sed -i -e 's/^KLOGD.*$/KLOGD="-x -c 5"/' /etc/default/klogd text/html 2010-08-02T10:03:32-05:00 http://wiki.boochtek.com/build/misc?rev=1280761412&do=diff Here's where we'll document the installation of miscellaneous small software packages. Note that some of these packages may get installed during the installation of the OS, depending on the revision and the options selected. Packages that we've seen get installed include mailx, lsof, less, w3m, telnet, bc, file, nano, and at. text/html 2010-03-03T15:08:15-05:00 http://wiki.boochtek.com/build/monitoring?rev=1267650495&do=diff This page documents our monitoring and alerting scripts. Munin Munin does not do any alerting, but pulls system data periodically and displays it in RRDTools graphs. Munin comes in 2 pieces: munin and munin-node. The munin-node part is a daemon that gathers the data, and the munin part runs via cron, and aggregates the data from multiple munin daemons running on various systems. text/html 2010-08-01T12:07:17-05:00 http://wiki.boochtek.com/build/mysql?rev=1280682437&do=diff These instructions are for MySQL 5.0 on our Debian 5.0 system. Installation Install MySQL along with its pre-requisites: sudo apt-get install mysql-common mysql-client mysql-server NOTE: The MySQL documentation is non-free, and not included with Debian. Use the online documentation provided at MySQL's site. text/html 2010-08-02T22:07:48-05:00 http://wiki.boochtek.com/build/ntp?rev=1280804868&do=diff We are running NTP to keep the clock accurate. Installation sudo apt-get install ntp ntp-doc ntpdate Configuration We are using the default configuration that Debian ships with. This is primarily a client configuration -- we allow other systems only to get the current time; they may not query any further information. (This is limited via the restrict keyword.) The daemon runs primarily in order to sync the system's time with the upstream NTP servers. text/html 2010-03-10T19:50:39-05:00 http://wiki.boochtek.com/build/postfix?rev=1268272239&do=diff We chose Postfix due to its modern design and security record. It also has a license that we can live with more easily than qmail. Installation The default MTA in Debian is EXIM. In the default install the log rotation is already configured in /etc/cron.daily for EXIM, so remove the script text/html 2010-07-29T23:41:42-05:00 http://wiki.boochtek.com/build/rails?rev=1280464902&do=diff Ruby apt-get install ruby irb ruby1.8 irb1.8 libreadline-ruby1.8 libruby1.8 apt-get install ruby1.8-examples rdoc ri rdoc1.8 ri1.8 apt-get install ruby1.8-dev apt-get install liberuby apt-get install libapache2-mod-ruby libapache-ruby1.8 apt-get install ruby libopenssl-ruby libopenssl-ruby1.8 apt-get install sqlite3 sqlite3-doc libsqlite3-dev libsqlite3-ruby libsqlite3-ruby1.8 libsqlite3-0 text/html 2010-08-01T13:26:58-05:00 http://wiki.boochtek.com/build/security?rev=1280687218&do=diff Nothing here yet. text/html 2010-08-02T10:11:24-05:00 http://wiki.boochtek.com/build/ssh?rev=1280761884&do=diff SSH is the Secure Shell, a secure replacement for telnet. The OpenSSH client comes in the default Debian install. We've installed the OpenSSH server to provide for remote access to our systems. Installation Install the SSH client and server packages: text/html 2010-08-01T23:03:34-05:00 http://wiki.boochtek.com/build/sudo?rev=1280721814&do=diff The sudo command allows a user to run a command as root (or some other user). It has several benefits over su. It has a configuration file that can be used to restrict who has access, and what commands they have access to. It can be configured to not require (certain) users to enter root's password. It is also used to run individual commands, instead of giving the person a full shell command-line environment. text/html 2010-03-03T15:09:21-05:00 http://wiki.boochtek.com/build/todo?rev=1267650561&do=diff * Backup scripts * Verify * Copy off-site * Delete old backups on some set schedule * Perhaps move to some backup package * Config files * Make sure everything is in place. * Make them web accessible -- probably on dotfiles.org site. text/html 2010-08-01T23:01:50-05:00 http://wiki.boochtek.com/build/webmail?rev=1280721710&do=diff We chose RoundCube after trying a bunch of other webmail applications. Here are some that we tried: * Bongo (formerly Hula) - could not get it to install * SquirrelMail - old UI is hard to work with * Horde (IMP) - complicated setup, does too much * Zimbra - too integrated with email servers text/html 2010-08-02T22:49:26-05:00 http://wiki.boochtek.com/build/wiki?rev=1280807366&do=diff These instructions detail how to install DokuWiki on our Debian GNU/Linux system. We're currently running the 2009-12-25 version of DokuWiki. Requirements * Apache * PHP 5.1.2+ * PHP's GD extension with libGD 2 is recommended but not required text/html 2010-08-02T23:01:26-05:00 http://wiki.boochtek.com/build/wordpress?rev=1280808086&do=diff WordPress is an excellent choice for blogging software. It's simple to set up and use, has a pretty good security record, and has lots of plugins. If you're hosting your own blog on GNU/Linux, WordPress is pretty much the way to go. This is how we built WordPress to host several blogs.