Setting Up A Cloud Server - Part One!
This is the first entry to our very own development blog.
Over the next few months we will be focusing mainly upon iOS development as we begin giving life to a few game ideas we have.
But first, let's take a look at how this website was created!
In part one - we will talk about setting up a cloud server.
Server
We created a new server instance using Rackspace's brilliant cloud hosting facility, opting for a 256MB RAM, 10GB HDD Ubuntu 10.04 Lucid Lynx starter image. At a cost of $0.015 per hour (and a GBP exchange rate of about $1.66 to £1) it is fairly cheap, plus some small bandwidth costs; check out their offering.
With such a small amount of RAM, and the primary use of this 'cloud slice' being the hosting of this blog, we didn't want to install the full-blown WordPress or [insert other blog CMS] software, but rather create our own lightweight blog front end and back end with just the right amount of features. Not only that, but as an application development company we can take pride in having written our own software for our website!
When you sign up to Rackspace and create your first server instance, the server's IP address and root password are shown to you and then emailed to you as well.
If you want to use a domain name to access the server, you can edit DNS settings from within your control panel. At the time of writing, all you need to do with your domain provider is change the nameservers for the domain to the following:
dns1.stabletransit.com dns2.stabletransit.com
Then in Rackspace go to the Cloud Servers overview screen and, from the DNS tab, for each domain:
- add an A record - name: domain.com, content: ip address, ttl: 300, type: A
- (if running a mail server) add an MX record - name: domain.com, content: domain.com, priority: 10 for the first record, 20 for the next and so on, ttl: 300, type: MX (an MX must name a host that has an A record, not a CNAME)
- add a CNAME record - name: www.domain.com, content: domain.com, ttl: 300, type: CNAME
- for any intended subdomains add a CNAME record for them too (CNAME because they are on the same IP; otherwise use an A record)
- set the reverse DNS to the hostname of the server, e.g. mainserver.domain.com. (with the trailing dot)
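Once the records above have propagated it is worth checking them from the outside rather than trusting the control panel, and in particular checking that the reverse DNS and the forward A record agree (forward-confirmed reverse DNS), because receiving mail servers test exactly that against the host named in the MX record. The script below is an added example, not part of the original article: it assumes dig (from the dnsutils package) is installed, uses the article's placeholder names domain.com and mainserver.domain.com, and uses the constructed documentation address 203.0.113.10 in place of the real server IP.

```sh
#!/bin/sh
# Added example, not from the article: verify the DNS records set up above.
# Assumes dig (dnsutils) is installed. domain.com / mainserver.domain.com are
# the article's placeholders; 203.0.113.10 is a constructed address.

# Query TYPE for NAME, one answer per line, trailing dots stripped.
resolve() {
    dig +short "$2" "$1" | sed 's/\.$//'
}

# Succeed if NAME has a TYPE record whose value is exactly EXPECTED.
expect_record() {
    resolve "$1" "$2" | grep -qxF "$3"
}

# Build the in-addr.arpa name for a dotted-quad IPv4 address.
reverse_name() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Forward-confirmed reverse DNS: the PTR for IP must name a host whose
# A record points back at IP. Mail receivers check this for the MX host.
fcrdns_ok() {
    host=$(resolve PTR "$(reverse_name "$1")" | head -n 1)
    [ -n "$host" ] && expect_record A "$host" "$1"
}

# Print "ok"/"FAIL" for LABEL depending on whether the remaining
# arguments, run as a command, succeed; counts failures in $failed.
report() {
    label=$1; shift
    if "$@"; then
        echo "ok   $label"
    else
        echo "FAIL $label"; failed=$((failed + 1))
    fi
}

# Run every check for DOMAIN hosted at IP whose reverse name is HOSTNAME.
# Returns the number of failed checks.
audit_dns() {
    domain=$1; ip=$2; hostname=$3; failed=0
    report "A $domain -> $ip"             expect_record A "$domain" "$ip"
    report "CNAME www.$domain -> $domain" expect_record CNAME "www.$domain" "$domain"
    report "MX $domain -> 10 $domain"     expect_record MX "$domain" "10 $domain"
    report "A $hostname -> $ip"           expect_record A "$hostname" "$ip"
    report "PTR $ip -> $hostname"         expect_record PTR "$(reverse_name "$ip")" "$hostname"
    report "FCrDNS $ip"                   fcrdns_ok "$ip"
    return "$failed"
}
```

Run it as `audit_dns domain.com 203.0.113.10 mainserver.domain.com` with your own names and address substituted; a non-zero exit status means at least one record does not resolve as the list above intends. Because the reverse zone is served by Rackspace rather than your registrar's nameservers, the PTR check is the one most often found wanting.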
Server Software
The linux based server had the normal configuration done as per usual barebones installations:
-
Changing the root password and creating a new user
SSH into the cloud server instance, logging in as root. We are using an Apple computer so can use the Terminal application; on Windows you can use a program such as PuTTY.
# ssh root@<server-ip>
Now that you are logged in as root, change the password from the one Rackspace gave you (and emailed to you) when creating the server instance:
# passwd
Still logged in as root, create a new user (the user you will work as). You will be prompted for a password for this user as well as other information such as name and contact details.
You should avoid logging in as root from now on: root is the one account name every attacker can guess, so it is the account that password-guessing against SSH is aimed at.
# adduser mynewusername
Using the newly created user 'mynewusername' for all tasks requires it to have sudo (superuser) privileges, meaning that this user can, by entering their own password, run commands as root.
# usermod -a -G sudo mynewusername
# visudo
The previous command opens the sudoers configuration in an editor. Toward the bottom of the file you will see the following:
# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL
Add the following under it:
## Allows people in group to run all commands
%sudo ALL=(ALL) ALL
Save the file by pressing CTRL-X, then Y and ENTER. This gives the sudo group full superuser privileges, and 'mynewusername' is now a member of that group. visudo checks the syntax before writing the file; if it reports an error, go back and fix it rather than saving anyway, because a broken sudoers file can lock you out of root.
From now on you can login as follows:
# ssh mynewusername@<server-ip>
Once logged in, typing sudo su and pressing Enter will prompt you for your own password, after which you have a root shell. Prefixing individual commands with sudo instead leaves one entry per privileged command in /var/log/auth.log, which is worth having on a server exposed to the internet.
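Telling yourself not to log in as root is weaker than telling sshd not to allow it. The script below is an added example, not from the original article: it rewrites an sshd_config so that root cannot log in over SSH at all and only the new admin user is accepted. It assumes OpenSSH's sshd_config syntax, uses the article's placeholder username mynewusername, and takes the config file path as an argument so it can be rehearsed on a copy before touching /etc/ssh/sshd_config. It handles two details that hand edits get wrong: a directive that is already present but commented out is rewritten rather than duplicated (sshd honours the first occurrence, so an appended duplicate can silently lose), and a new directive is inserted above any Match block, since anything after Match is conditional.

```sh
#!/bin/sh
# Added example, not from the article: enforce "no root over SSH" in sshd.
# Assumes OpenSSH sshd_config syntax; mynewusername is the article's placeholder.

# Rewrite or add "KEY VALUE" in FILE, idempotently.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        # directive present (possibly commented out): rewrite every such line
        sed "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$tmp"
    else
        # not present: insert before the first Match block, else append
        awk -v line="$key $value" '
            !done && /^[ \t]*Match[ \t]/ { print line; done = 1 }
            { print }
            END { if (!done) print line }
        ' "$file" > "$tmp"
    fi
    # cat into place keeps the original file's owner and mode
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Effective global value of KEY in FILE: sshd takes the first occurrence,
# and anything after a Match line only applies conditionally.
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*Match[ \t]/ { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# The hardening set for this article's single admin user.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers "$2"
}
```

Apply it with `sudo sh -c '. ./harden.sh; harden_sshd /etc/ssh/sshd_config mynewusername'`, then `sudo /usr/sbin/sshd -t` to syntax-check the result and `sudo /etc/init.d/ssh restart` to load it. Keep the session you are in open until a fresh login as mynewusername succeeds; a typo in AllowUsers locks everyone out and the Rackspace console becomes the only way back in.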
-
Basic Server Security
Linux distributions such as Ubuntu install and upgrade software through a package manager; on Ubuntu that is APT, with 'apt-get' and 'aptitude' as its command-line front ends.
First add the extra package source this site uses (a PHP PPA) by editing the following file:
# sudo nano /etc/apt/sources.list
Add the following lines to it:
deb http://ppa.launchpad.net/brianmercer/php/ubuntu lucid main
deb-src http://ppa.launchpad.net/brianmercer/php/ubuntu lucid main
Now import the key the PPA signs its packages with, so APT can verify what it downloads. Two caveats: 8D0DC64F is a 32-bit short key ID, and short IDs can be forged, so compare the full fingerprint shown by apt-key finger against the one published on the PPA's Launchpad page before trusting it; and adding a third-party repository means whoever holds that key can ship you any package APT will install from it, including newer versions of packages Ubuntu itself provides.
# sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8D0DC64F
You can now refresh the package lists and upgrade. apt-get and aptitude share the same package database, so running either pair of commands is enough:
# apt-get update
# apt-get upgrade
# aptitude update
# aptitude upgrade
When upgrading you will be prompted to confirm, enter Y and press ENTER.
Firewalls
The Linux firewall is the kernel's netfilter, configured through the iptables tool. The current rules can be viewed by running the following command:
# iptables -L
This would provide the following output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
You now need to add rules to control the traffic allowed into the cloud server instance. Add the following rules one at a time (the first two duplicate rules already present in the image, which is harmless):
Allowing established connections:
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allowing SSH traffic:
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Allowing HTTP traffic:
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Allowing FTP data traffic (port 20; in active mode the server itself opens this connection outbound from port 20, so this inbound rule is rarely what makes FTP work, and passive mode needs the nf_conntrack_ftp module loaded so its data connections match RELATED above):
# iptables -A INPUT -p tcp --dport 20 -j ACCEPT
Allowing FTP control traffic (port 21; FTP sends usernames and passwords in clear text, so prefer SFTP, which runs over the SSH port that is already open):
# iptables -A INPUT -p tcp --dport 21 -j ACCEPT
Allowing SMTP traffic (only needed if this server will receive mail; outgoing mail from postfix needs no inbound rule):
# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
Drop remaining traffic (this rule is terminal: anything appended with -A after it can never match, so later rules must be inserted above it with -I, or this rule replaced by a default policy of DROP on the INPUT chain):
# iptables -A INPUT -j DROP
Allowing loopback traffic, inserted at position 1 so it sits above the DROP (local services talking to 127.0.0.1 would otherwise break):
# iptables -I INPUT 1 -i lo -j ACCEPT
Now with all these rules entered, you can view the tables again, with packet counters, by typing:
# iptables -L -v
Save the rules by following these commands:
# iptables-save > /etc/iptables.rules
Make sure the saved rules are loaded at every boot, before the network interface comes up:
# nano /etc/network/if-pre-up.d/iptaload
The text editor will load; paste in the following:
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
Save the file by pressing CTRL-X, then Y and Enter.
You will also need a script that runs when the network interface goes down:
# nano /etc/network/if-post-down.d/iptasave
In the text editor, paste the following:
#!/bin/sh
if [ -f /etc/iptables.downrules ]; then
    iptables-restore < /etc/iptables.downrules
fi
iptables-save -c > /etc/iptables.save
exit 0
Save the file. Note that this saves to /etc/iptables.save while the boot-time script restores /etc/iptables.rules, so the shutdown-time copy is only a record (with counters, -c); the rules loaded at boot do not change unless you run iptables-save into /etc/iptables.rules yourself.
Set permissions on these two scripts to make them executable:
# chmod +x /etc/network/if-post-down.d/iptasave
# chmod +x /etc/network/if-pre-up.d/iptaload
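Because the rule set ends in an unconditional DROP rather than a DROP policy, the commonest mistake later on is appending a rule that never fires, and because the whole thing is loaded by iptables-restore at boot, a saved file is the right thing to audit. The script below is an added example, not from the original article: it checks an iptables-save dump offline, without root and without touching the live firewall. RULES is a constructed dump in the shape the commands above produce (iptables-save writes numeric ports and the implicit -m tcp), with one deliberate mistake, a rule appended after the DROP; the warning about FTP ports reflects the caveat given above.

```sh
#!/bin/sh
# Added example, not from the article: audit an iptables-save dump offline.
# RULES is constructed to match the shape the article's commands produce,
# with one deliberate mistake (a rule appended after the terminal DROP).

RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

DROP_RULE='-A INPUT -j DROP'

# INPUT rules placed after the unconditional DROP: they can never match.
dead_input_rules() {
    printf '%s\n' "$1" | awk -v drop="$DROP_RULE" '
        /^-A INPUT / { if (dropped) print; else if ($0 == drop) dropped = 1 }'
}

# TCP destination ports accepted before the DROP, one per line.
open_tcp_ports() {
    printf '%s\n' "$1" | awk -v drop="$DROP_RULE" '
        $0 == drop { exit }
        /^-A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT$/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# Succeeds only if loopback is accepted before the DROP; without that,
# anything talking to 127.0.0.1 (a local mail queue, a database) breaks.
loopback_before_drop() {
    printf '%s\n' "$1" | awk -v drop="$DROP_RULE" '
        $0 == drop { exit }
        $0 == "-A INPUT -i lo -j ACCEPT" { found = 1; exit }
        END { exit !found }'
}

# Print findings for a dump; returns the number of warnings.
audit_rules() {
    warnings=0
    loopback_before_drop "$1" || {
        echo "WARN: loopback not accepted before DROP"; warnings=$((warnings + 1)); }
    for p in $(open_tcp_ports "$1"); do
        case $p in
            20|21) echo "WARN: tcp/$p is FTP; logins cross the wire in clear text"
                   warnings=$((warnings + 1)) ;;
            *)     echo "open: tcp/$p" ;;
        esac
    done
    dead=$(dead_input_rules "$1")
    if [ -n "$dead" ]; then
        printf 'WARN: unreachable rules after DROP:\n%s\n' "$dead"
        warnings=$((warnings + 1))
    fi
    return "$warnings"
}
```

Run `audit_rules "$(cat /etc/iptables.rules)"` before rebooting or restoring; the exit status is the warning count, so it drops neatly into a pre-deploy check. If you would rather not have a terminal DROP rule to keep ordering straight, the alternative is `iptables -P INPUT DROP` with the ACCEPT rules above it, in which case the dead-rule check is no longer needed but the loopback and ESTABLISHED checks matter even more.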
Now the basic server is set up, you have created users, allowed super user privileges using the sudo command, updated application repositories and set up firewalls.
In the next article, we will do a run-through of installing and setting up FTP, setting time zones and installing postfix to enable outgoing email from this server.
1 comment
12/03/2012 23:16:12
Steve.H
Awesome write up, even if it's a little old most of the code is still good. Thanks Geeky! :P