My Debian Wheezy Web Hosting Image for the odroid u2


Introduction

I go by the alias "elemental" on the odroid forum. What follows is the story of the convenience base image I am using, and am now releasing to the odroid community, for web hosting purposes.

So after my server got compromised through the shellshock vulnerability, I initially changed passwords, like everyone else probably does. But once you are compromised that is not enough: you need a fresh install. On top of that, the security of the web server needed to go up a notch, so that I don't find myself re-imaging again and again. I had a good image I could revert to in order to get my blog up and running, then add security on top of it and back that up as my next good image.

But then I thought, let's take it to the next level. Why not start with a fresh image, add all the customizations I have made for hosting my blog, then add the new security measures, and use this customized image in the future as my starting point? Since this base image is generic, anyone choosing to do so can take it and use it for their own hosting needs as well. You'll be up and running quickly with a server, and if you follow my blog (or my page on facebook or google+), I will keep sharing what I learn and other customizations that you can profit from further.

I am not claiming I have done or gotten everything correct. You need to be ever vigilant about security threats on the web. But if you set up this image correctly after downloading it, you can rest a little easier knowing that you are protected at least to some extent, and not totally vulnerable the way I was when I started. I knew the maxim "security first", but what I didn't know was the threats, their types and their level. Experience is a great teacher. I just started my blog and figured I would do things as I went along, and almost a year later there has been a great deal of learning.

So let me now tell you everything that is configured for you on this image, how to start using it and how to configure it further.

This image is based on the Debian Wheezy official image posted by mdrjr on the odroid.forum.com website, found at this link.

Passwords

Below are the passwords set in this image. You need to change all of them; I have created a script for that, shown shortly, which will help you do so.

Base Image Passwords Table

Application                              Username         Password
OS user                                  root             Wel+234+come+234
OS user                                  odroid           Wel+234+come+234
OS user                                  sftp             Wel+234+come+234
Monitorix browser login                  root             12345678
  (http://localhost:8080/monitorix)
MySQL                                    monitorix-sql    Wel+234+come+234
MySQL                                    root             Wel+234+come+234
x11vnc (VNC password, no username)       -                Wel+234+come+234

First Steps

Resize Partitions

After you burn this image to your SD card or eMMC module, resize the last partition with gparted or similar software. I have packed everything tightly; you will run out of space rather quickly if you fail to do this.

Change Keyboard Layout

If during login you discover that, strangely, your keyboard layout is not US English, it is probably German (de), which happens to be my keyboard layout. If you want to switch to any other keyboard layout, or back to English, run the following after logging in for the first time:

dpkg-reconfigure keyboard-configuration

Before proceeding to the next step, verify your keyboard layout is correct.

Changing the Passwords (and some security settings)

After you burn the image and start your server, you need to change all your passwords. Log in the first time as "root". On the desktop is a folder "FirstTimeScript" which contains a bash script that changes all the passwords. Make a note of all your new passwords; there are too many to remember.

It also creates new SSH host keys and a new MAC address, as provided by osterluk here.

Changing the hostname

Use the new odroid utility from mdrjr to do this. It can be found under "/home/odroid/Desktop".

Update your packages

The image has the latest release of Wheezy, 7.8, but do an update nevertheless; an update of webmin has become available in the interim. The image is set up for automatic updates. In light of the shellshock fiasco I decided I preferred a broken server to a vulnerable one: in the 4-5 day window leading up to my manual update to patch shellshock, my server was exploited. You can choose otherwise if you want, and can turn this off with the Synaptic package manager. The unattended-upgrade logs are written under "/var/log".
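The password step above, as an added example of my own rather than the image's FirstTimeScript (whose contents this page does not show): it rotates every credential in the passwords table and regenerates the SSH host keys, recording the new values in a root-only file. It assumes MySQL still answers to root with the default password, that x11vnc reads /root/.vnc/passwd, and that the Monitorix browser login is an htpasswd file at /var/lib/monitorix/htpasswd; that last path, and the fact that Monitorix stores the monitorix-sql database password in its own configuration, are assumptions to check against your monitorix.conf.

```bash
#!/bin/sh
# Added example: rotate the default credentials of the base image and
# regenerate the SSH host keys. Not the image's FirstTimeScript.
# Run as root on the freshly written image:   sh first-steps.sh apply
#
# Assumptions (not stated on the page): MySQL root answers to the default
# password; x11vnc reads /root/.vnc/passwd; the Monitorix browser login is an
# htpasswd file at MONITORIX_HTPASSWD (adjust to your monitorix.conf).
set -e

DEFAULT_PW='Wel+234+come+234'                 # from the passwords table
OS_USERS='root odroid sftp'
MYSQL_USERS='root monitorix-sql'
MONITORIX_HTPASSWD=/var/lib/monitorix/htpasswd   # assumed path
NOTES=/root/new-passwords.txt                 # written mode 0600; copy it elsewhere, then delete it

# Random alphanumeric password of the requested length (default 24).
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-24}"
}

# "user:password" lines for chpasswd, a fresh password per account.
build_chpasswd_input() {
    for u in "$@"; do
        printf '%s:%s\n' "$u" "$(gen_password 24)"
    done
}

rotate_os_passwords() {
    lines="$(build_chpasswd_input $OS_USERS)"
    printf '%s\n' "$lines" | chpasswd
    printf '[os]\n%s\n' "$lines" >> "$NOTES"
}

# MySQL root is listed first, so every later statement must use the new value.
rotate_mysql_passwords() {
    rootpw="$DEFAULT_PW"
    for u in $MYSQL_USERS; do
        pw="$(gen_password 24)"
        mysql -u root -p"$rootpw" -e \
            "SET PASSWORD FOR '$u'@'localhost' = PASSWORD('$pw'); FLUSH PRIVILEGES;"
        printf '[mysql] %s:%s\n' "$u" "$pw" >> "$NOTES"
        if [ "$u" = root ]; then rootpw="$pw"; fi
    done
    # Monitorix keeps the monitorix-sql password in its own config (assumed): edit it by hand.
}

rotate_service_passwords() {
    pw="$(gen_password 8)"                    # VNC auth only uses 8 characters
    x11vnc -storepasswd "$pw" /root/.vnc/passwd
    printf '[x11vnc] %s\n' "$pw" >> "$NOTES"
    pw="$(gen_password 16)"
    htpasswd -b "$MONITORIX_HTPASSWD" root "$pw"   # htpasswd from apache2-utils
    printf '[monitorix] root:%s\n' "$pw" >> "$NOTES"
}

# Every copy of this image shares the same host keys; this is the Debian way to get new ones.
regen_ssh_host_keys() {
    rm -f /etc/ssh/ssh_host_*
    dpkg-reconfigure openssh-server
}

main() {
    umask 077
    : > "$NOTES"
    rotate_os_passwords
    rotate_mysql_passwords
    rotate_service_passwords
    regen_ssh_host_keys
    echo "new credentials recorded in $NOTES"
}

if [ "${1:-}" = apply ]; then main; fi
```

Run it once as root with the argument "apply", then copy /root/new-passwords.txt off the box and delete it. Users who connect afterwards will see a host key warning, which is expected and is exactly why the keys must not stay shared between copies of the image.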

 

List of Installation and Configurations

Kernel 3.8.13.29

The kernel is updated to version "3.8.13.29". The most important fix there, by mdrjr, is that the U2 runs silently: I asked for a fan fix, which he graciously provided. Before, when the U2 was not connected to a display, the fan would always run; now it only runs under load, which is seldom. The kernel update script is placed under "/home/kernelUpdateScript".

Use the odroid utility from mdrjr to upgrade at your own risk. I have been bitten by it twice; I probably don't understand in what order to run things. I like the old one-off utility: fire and forget, always works. The new utility is left in the old place, as provided by mdrjr, under "/home/odroid/Desktop" if you prefer it.

Updated to Wheezy 7.8

Nothing more to be said here.

Webmin and VirtualMin

Use Webmin/Virtualmin to create your web hosting domains; it greatly simplifies the job of creating a domain. Just open Iceweasel: I have bookmarked the webmin URL in the Bookmarks toolbar. You can find an installation guide about this here. Before creating any domains, go to the MySQL server link in webmin and provide the root password for MySQL. This is the password you should have noted down when running the password change script.

x11vnc

x11vnc is set up for all your VNC needs. You can VNC to your machine remotely and securely via SSH tunneling and work on it. More details about this here.

Firewall ( with Shorewall)

Your image is protected with a firewall set up with shorewall. For the how-to and details see this article here, and to read up on the firewall test I ran, read this article here. Only ports 80 and 443 are exposed, plus a few other services.
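A firewall decides what is reachable, not what is listening. The check below, an added example of mine and not part of the image or of shorewall, reads the output of "ss -ltn" and flags any socket bound to a non-loopback address whose port you have not deliberately exposed. The sample output is constructed to look like a box running this image.

```bash
#!/bin/sh
# Added example: list what is actually bound on the box and compare it with the
# ports the firewall is meant to expose. Feed it `ss -ltn` (iproute, present on
# Wheezy). Not part of the image or of shorewall.

# Constructed sample of `ss -ltn` output, shaped like a box running this image
# (apache on 80/443, sshd on 22, mysql/x11vnc/monitorix on loopback, webmin on 10000).
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:80                 *:*
LISTEN     0      128    *:443                *:*
LISTEN     0      128    :::22                :::*
LISTEN     0      50     127.0.0.1:3306       *:*
LISTEN     0      5      127.0.0.1:5900       *:*
LISTEN     0      128    127.0.0.1:8080       *:*
LISTEN     0      128    *:10000              *:*'

# "addr port" for every listening TCP socket that is not bound to loopback.
non_loopback_listeners() {
    awk 'NR > 1 { print $4 }' | while IFS= read -r laddr; do
        port="${laddr##*:}"          # text after the last colon
        addr="${laddr%:*}"           # everything before it ("*", "::", "127.0.0.1", ...)
        case "$addr" in
            127.*|::1) continue ;;
        esac
        printf '%s %s\n' "$addr" "$port"
    done
}

# Report non-loopback listeners whose port is not in the allowlist.
# Usage: ss -ltn | unexpected_listeners "80 443 22"
unexpected_listeners() {
    allowed=" $1 "
    non_loopback_listeners | while read -r addr port; do
        case "$allowed" in
            *" $port "*) ;;
            *) printf 'UNEXPECTED %s:%s\n' "$addr" "$port" ;;
        esac
    done
}

# Run the check over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "80 443 22"
}
```

On the server run "ss -ltn | unexpected_listeners "80 443 22"". Services meant only for you over an SSH tunnel (MySQL, x11vnc and Monitorix in the sample) should sit on 127.0.0.1 and be reached with "ssh -L 8080:localhost:8080 user@server" and the like; anything reported as UNEXPECTED either belongs in your shorewall rules on purpose or should be bound to loopback, as webmin can be with "bind=127.0.0.1" in /etc/webmin/miniserv.conf.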

AIDE ( Advanced Intrusion Detection Environment)

AIDE helps you verify the integrity of your system. As the last step of the base image creation process I created an integrity database, which I also provide as a separate download at the end of this article. How to profit from AIDE you can read up on here. If you follow my backup guide, you can integrate intrusion/integrity detection into your server backup process; you can read about this here.

The image contains an already computed "/var/lib/aide/aide.db.new" file, built more or less at the end of all customizations. The following changes were nevertheless necessary after that AIDE database was computed, when I already thought the image was final, so expect them to show up in your first integrity check against it:

  • shorewall firewall rules fix for the NTP and DNS rules.
  • sshd_config change to disallow root login.
  • Fixed an accidental line break of mine in the monitorix configuration.
  • And lastly, a new script to create sftp users, for convenience.
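The practical consequence of that list, as an added example of mine (not the author's AIDE guide): the shipped database predates those four changes and everything the first-time script alters, so a check against it is noisy from the start. Rather than accepting a baseline you did not take yourself, re-initialise after the first steps and promote the result to aide.db. The paths come from the Debian default /etc/aide/aide.conf ("database=" and "database_out="); the image's configuration may differ, which is why the script reads them rather than hard-coding them.

```bash
#!/bin/sh
# Added example: take a fresh AIDE baseline after the first-time steps and
# promote it to the reference database. Not the author's AIDE guide.
# Run as root:   sh aide-baseline.sh init     (later: sh aide-baseline.sh check)

AIDE_CONF=/etc/aide/aide.conf     # Debian default; the page only shows the db path

# Path named by "database=" or "database_out=" in aide.conf, minus the "file:" URL prefix.
aide_db_path() {
    awk -F= -v key="$2" '$1 == key { sub(/^file:/, "", $2); print $2; exit }' "$1"
}

# Move the freshly written database (aide.db.new) into place as aide.db,
# keeping the previous reference with a timestamp suffix.
aide_accept_new() {
    conf="${1:-$AIDE_CONF}"
    db="$(aide_db_path "$conf" database)"
    new="$(aide_db_path "$conf" database_out)"
    if [ ! -f "$new" ]; then
        echo "no $new: run 'aide --init -c $conf' first" >&2
        return 1
    fi
    if [ -f "$db" ]; then cp -p "$db" "$db.$(date +%Y%m%d%H%M%S)"; fi
    mv "$new" "$db"
    chmod 600 "$db"
    sha256sum "$db"    # record this off the box: a database an intruder can rewrite proves nothing
}

case "${1:-}" in
    init)   aide --init -c "$AIDE_CONF" && aide_accept_new "$AIDE_CONF" ;;
    check)  aide --check -c "$AIDE_CONF" ;;
    # after reviewing a check and accepting the reported changes:
    update) aide --update -c "$AIDE_CONF"; aide_accept_new "$AIDE_CONF" ;;
esac
```

Keep the printed checksum (or a copy of aide.db) on another machine or in your backups, as the author's backup guide suggests; an integrity database that lives only on the server it protects can be regenerated by whoever breaks in.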

fail2ban

Your server is going to be bombarded from all directions once you go online. This module keeps the baddies out. It can work with iptables, but I configured it to use the "/etc/hosts.deny" option. You get a huge list of hosts.deny entries for free from me, accumulated by my server over the past few months. I have employed a zero-tolerance strategy and probably block innocent users as well as a result, but you can do it differently. This is described here.
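What the hosts.deny ban action produces, as an added example of mine (not fail2ban's code and not the author's configuration): the filter half counts failed SSH logins per source in a constructed auth.log excerpt, and the action half emits the same "ALL: <ip>" lines that fail2ban's hostsdeny action appends to /etc/hosts.deny. The last function is for checking a list that has grown by appending, such as the one shipped in the image.

```bash
#!/bin/sh
# Added example: the filter/action pair behind a hosts.deny-based fail2ban jail,
# in plain shell, run over a constructed auth.log excerpt. Not the author's setup.

# Constructed sample of /var/log/auth.log lines (documentation addresses, not real traffic).
SAMPLE_AUTH_LOG='Feb 10 03:12:01 odroid sshd[2212]: Failed password for root from 203.0.113.5 port 4242 ssh2
Feb 10 03:12:04 odroid sshd[2212]: Failed password for root from 203.0.113.5 port 4243 ssh2
Feb 10 03:12:07 odroid sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 4244 ssh2
Feb 10 03:15:20 odroid sshd[2290]: Failed password for invalid user pi from 198.51.100.7 port 51000 ssh2
Feb 10 03:20:00 odroid sshd[2301]: Accepted publickey for odroid from 192.0.2.10 port 50022 ssh2'

# Filter: "ip count" for every source with failed password attempts against sshd.
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
        | sed 's/.* from \([0-9.][0-9.]*\) port .*/\1/' \
        | sort | uniq -c \
        | awk '{ print $2, $1 }'
}

# Action: hosts.deny lines for sources at or above maxretry, in the form the
# hostsdeny ban action writes ("ALL: <ip>", honoured by tcp_wrappers for sshd).
hosts_deny_entries() {
    maxretry="${1:-3}"
    failed_logins_by_ip | while read -r ip n; do
        if [ "$n" -ge "$maxretry" ]; then printf 'ALL: %s\n' "$ip"; fi
    done
}

# Lint for a shipped hosts.deny: report lines that appear more than once.
hosts_deny_lint() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | sort | uniq -d | sed 's/^/DUPLICATE: /'
}

# Run the filter and action over the constructed sample with maxretry 3.
demo() { printf '%s\n' "$SAMPLE_AUTH_LOG" | hosts_deny_entries 3; }
```

In the fail2ban shipped with Wheezy the equivalent configuration is "banaction = hostsdeny" in the [DEFAULT] section of /etc/fail2ban/jail.local, with "maxretry" set in the [ssh] jail. Note the difference in lifetime: fail2ban removes its hosts.deny lines again when a ban expires, whereas the hand-written entries above, like the author's accumulated list, stay until you delete them.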

Apache Security

The following two important modules are installed for you; their configuration and the reasoning behind it are explained here. Verify that both are activated in webmin under Apache modules before you plug in your server.

  • mod_evasive: against simple DDoS attacks.
  • mod_security: rules that block unusual behaviour on your web server. Very, very important. I added a couple of generic rules for some attacks I was seeing, plus a rule for the bash shellshock vulnerability (bash is patched, but it can't hurt).

Apache Security : The Core rule set for mod_security

mod_security on its own will not do much, but combined with the Core Rule Set (the "crs" package) it can fend off a huge number of baddies. It is installed for you, but I have not activated any rules; you have to do this manually, since you have to experiment and find what works for you and what needs modification. How to activate these rules can be seen here. DO NOT, I repeat, DO NOT plug in your server without activating at least the basic rules. Try to get as many rules activated as you can before starting your hosting.
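Activating the basic rules, as an added example of mine (not the linked guide and not the author's own rules): the Debian packaging of the Core Rule Set keeps the rule files under /usr/share/modsecurity-crs/base_rules and loads whatever is linked into activated_rules, so activation is a matter of symlinks. Those paths are the Wheezy layout as I know it and may differ on the image. The Shellshock rule is my own illustration, not the one the author added; its id 10000 lies in the 1-99,999 range ModSecurity leaves free for local rules.

```bash
#!/bin/sh
# Added example: activate the OWASP Core Rule Set base rules on a Debian Wheezy
# box and add one local rule for Shellshock probes. Not the image's own setup.
# Run as root:   sh crs-activate.sh apply && service apache2 reload

CRS_BASE=/usr/share/modsecurity-crs/base_rules           # Debian modsecurity-crs layout (assumed)
CRS_ACTIVE=/usr/share/modsecurity-crs/activated_rules    # files here are Included by security2.conf
LOCAL_RULES=/etc/modsecurity/local_rules.conf            # hypothetical file name for our own rules
MODSEC_CONF=/etc/modsecurity/modsecurity.conf

# Link every base rule (.conf) and its data file (.data) into the active set; idempotent.
activate_crs_base() {
    src="${1:-$CRS_BASE}"; dst="${2:-$CRS_ACTIVE}"
    mkdir -p "$dst"
    for f in "$src"/*.conf "$src"/*.data; do
        [ -e "$f" ] || continue
        ln -sf "$f" "$dst/$(basename "$f")"
    done
}

# Number of active rule files: 0 means "do not plug the server in yet".
activated_rule_count() {
    ls "${1:-$CRS_ACTIVE}"/*.conf 2>/dev/null | wc -l | tr -d ' '
}

# One local rule: deny any request carrying a bash function export "() {"
# in the headers, the request line or the arguments (the Shellshock trigger).
write_shellshock_rule() {
    cat > "${1:-$LOCAL_RULES}" <<'EOF'
SecRule REQUEST_HEADERS|REQUEST_LINE|ARGS|ARGS_NAMES "@contains () {" \
    "id:10000,phase:1,t:none,t:urlDecode,deny,status:403,log,msg:'Shellshock probe'"
EOF
}

# Rules only block when the engine is On; Debian's recommended config ships DetectionOnly.
engine_mode() {
    awk '/^[[:space:]]*SecRuleEngine/ { print $2; exit }' "${1:-$MODSEC_CONF}"
}

main() {
    activate_crs_base
    write_shellshock_rule
    echo "active rule files: $(activated_rule_count)  engine: $(engine_mode)"
    apache2ctl configtest     # never reload on a syntax error
}

if [ "${1:-}" = apply ]; then main; fi
```

If "engine_mode" prints DetectionOnly, the rules only log; switch to "SecRuleEngine On" once you have watched /var/log/apache2/modsec_audit.log for a while and removed the rules that trip on your own site, which is the experimentation the author refers to.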

Apache Parameter Configurations

I have put in my apache.conf file for you, having already done some calculations for the optimal parameters; this is described here. You might still need to evaluate your use cases and adjust the values, if your Apache worker processes are bigger than mine. Their size depends on the number of activated Apache modules.
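The calculation behind those parameters, as an added example of mine (not the author's figures): measure the resident size of the apache2 processes, subtract what the rest of the box needs from the U2's 2 GB, and divide. The ps sample is constructed, and the reserved amount is an assumption to tune against your own "free" output; the directive names are those of the Apache 2.2 prefork MPM that Wheezy ships.

```bash
#!/bin/sh
# Added example: derive a prefork MaxClients for Apache 2.2 on the U2 from the
# measured worker size. Feed it `ps -o rss= -C apache2` on the running server.
# My own illustration, not the author's numbers.

TOTAL_MB=2048          # ODROID-U2 memory
RESERVED_MB=768        # assumed: MySQL, webmin, fail2ban, monitorix and the OS itself

# Constructed sample of `ps -o rss= -C apache2` (RSS in KB, one line per process).
SAMPLE_RSS='18240
25612
26104
24988
25320
26700'

# Average resident size of the apache2 processes, in whole MB.
# RSS counts shared pages per process, so this over-estimates and the result is conservative.
avg_worker_mb() {
    awk '{ s += $1; n++ } END { if (n) printf "%d\n", s / n / 1024; else print 0 }'
}

# MaxClients = memory left for Apache divided by the per-worker footprint.
max_clients() {
    worker_mb="$1"
    [ "$worker_mb" -gt 0 ] || { echo 0; return; }
    echo $(( (TOTAL_MB - RESERVED_MB) / worker_mb ))
}

# The prefork block to drop into apache.conf (Apache 2.2 directive names).
prefork_stanza() {
    n="$1"
    cat <<EOF
<IfModule mpm_prefork_module>
    StartServers          2
    MinSpareServers       2
    MaxSpareServers       5
    ServerLimit           $n
    MaxClients            $n
    MaxRequestsPerChild   1000
</IfModule>
EOF
}

# Compute the stanza for the constructed sample.
demo() {
    w="$(printf '%s\n' "$SAMPLE_RSS" | avg_worker_mb)"
    echo "# ${w} MB per worker"
    prefork_stanza "$(max_clients "$w")"
}
```

Re-run it after enabling or disabling Apache modules (mod_security with the CRS loaded is not small) and whenever the other services on the box change; a MaxClients that lets Apache outgrow RAM turns a traffic spike into swapping, which on an SD card is close to a denial of service by itself.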

Monitorix

This will help you monitor your server; more details in this article here. SSH-tunnel to your machine and monitor it conveniently from remote, or on the server itself. You can see server load, memory load, fail2ban, SSH activity, network activity and much more.

Webalizer

Webalizer is installed and working. Once you have created your hosting domains via Virtualmin, you can use its interface to schedule report generation as well. This provides a rich source of access information for your server. It is generally safer to place these reports outside of the "public_html" directory, though the "stats" directory is configured by Virtualmin to not be publicly accessible anyway. "awstats" is also installed, but I am using webalizer and haven't used it yet; you could use it if it suits you.

Secure ftp user

So if you want to access your server via FTP over SSH, there is an "sftp" user in the "sftp" group already set up for you, with the home directory placed under "/home/sftp/public_html". If you are not lazy, I recommend deleting this user, hopping over to this article here and executing the script in step #2 to create a user with a name of your own choice. This script is also copied to the root user's Desktop as "createSftpUser.sh". See the article mentioned previously for how to execute it.

Backupninja

This simple program can satisfy your backup needs. Again, I provide a guide to what I am doing, but you could plan to do it differently. My guide can be found here.

Modified SSH settings

I have disabled SSH access for the root user. If you don't, you will constantly see cracking attempts against the root user in your SSH logs; fail2ban will keep banning those IPs, but to avoid the relentless attempts altogether this is necessary. It is done by the following setting in "/etc/ssh/sshd_config":

PermitRootLogin no

Additionally, almost at the end of the file, you will find two more properties that read like this:

AllowUsers odroid sftp
AllowGroups odroid sftp

When you create your first hosting container using Virtualmin (installed and configured for you already, as described above), add its username here to grant it SSH access. My recommendation is also to disable both the odroid and sftp users and use your own custom usernames; it offers some added protection when your server's usernames are not publicly known.
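The checks a practitioner would run before and after editing that file, as an added example of mine (not part of the image): the audit reads the effective value of each keyword the way sshd does, first uncommented occurrence wins, and reports the settings this section relies on, including whether the image's default account names are still allowed. The last function checks the directory ownership rule that is behind the rootfs fix further down: sshd refuses an sftp session whose chroot path, "/" included, has a component not owned by root or writable by group or others. The sample sshd_config is constructed to resemble the image's; "stat -c" is GNU coreutils, as on Debian.

```bash
#!/bin/sh
# Added example: audit an sshd_config for the settings this section relies on,
# plus the ownership rule that bites sftp users. Not part of the image.
# Usage:  sh sshd-audit.sh /etc/ssh/sshd_config /home/sftp

# Constructed sample resembling the image's sshd_config.
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2
# PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
AllowUsers odroid sftp
AllowGroups odroid sftp'

# Effective value of a keyword: sshd honours the first uncommented occurrence.
# Multi-word values (AllowUsers a b) come back whole.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }' "$1"
}

# One line per weak setting; no output means nothing to complain about.
audit_sshd_config() {
    f="$1"
    if [ "$(sshd_opt "$f" PermitRootLogin)" != no ]; then
        echo "PermitRootLogin is not 'no'"
    fi
    users="$(sshd_opt "$f" AllowUsers)"
    if [ -z "$users" ]; then
        echo "AllowUsers unset: every local account may log in"
    fi
    for u in $users; do
        case "$u" in
            odroid|sftp) echo "AllowUsers still lists the image default account '$u'" ;;
        esac
    done
    if [ "$(sshd_opt "$f" PasswordAuthentication)" != no ]; then
        echo "PasswordAuthentication is on: fail2ban will stay busy; prefer keys"
    fi
    case " $(sshd_opt "$f" Protocol) " in
        *1*) echo "Protocol 1 enabled" ;;
    esac
}

# ChrootDirectory rule: every component of the path, "/" included, must be owned
# by root and not be group/world writable, or sshd rejects the sftp session.
check_chroot_path() {
    p="$1"
    while :; do
        set -- $(stat -c '%U %a' "$p")          # owner name, octal mode
        case "$2" in
            *[2367]|*[2367]?) echo "$p is group/world writable (mode $2)" ;;
        esac
        if [ "$1" != root ]; then echo "$p is owned by $1, not root"; fi
        if [ "$p" = / ]; then break; fi
        p="$(dirname "$p")"
    done
}

if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
    if [ -n "${2:-}" ]; then check_chroot_path "$2"; fi
fi
```

After any edit run "sshd -t" and keep your current session open while you test a new login from a second terminal: a typo, or an AllowUsers list without your own name, locks you out of a headless board.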

Fix to open synaptik as root instead of odroid user

To fix this, the following has been done for you: in the file "/usr/share/applications/synaptic.desktop" the line "Exec=synaptic-pkexec" has been changed to "Exec=gksu synaptic".

Fix to change root as owner of rootfs

This I noticed when sftp access simply would not start: sshd refused it because the root filesystem was not owned by root. sshd insists that the sftp user's chroot directory and every directory above it, "/" included, be owned by root and not be writable by group or others; otherwise the session is rejected.

 

Before downloading this image, please read this disclaimer in addition to my main disclaimer and impressum.

DISCLAIMER

THIS IMAGE AVAILABLE ON THIS SITE AHSANSCORNER.COM IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL I BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS IMAGE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

In no event shall I be liable to you or any third parties for any special, punitive, incidental, indirect or consequential damages of any kind, or any damages whatsoever, including, without limitation, those resulting from loss of use, data or profits, whether or not I have been advised of the possibility of such damages, and on any theory of liability, arising out of or in connection with the use of this software.

The use of the software downloaded through this site is done at your own discretion and risk and with agreement that you will be solely responsible for any damage to your computer system or loss of data that results from such activities. No advice or information, whether oral or written, obtained by you from me, this website, users of this image or from any other source discussing this image shall create any warranty for the software.

The image for me is solely an educational exercise and a hobbyist activity.

The md5sum of the extracted img file is "dc861c2a16f979f67bdcd0bfef28c7d9". Check it with "md5sum" before writing the image, so that a corrupt download does not cost you a burn.

 

The md5 checksum file is provided as a separate download.
