https://wiki.archlinux.org/api.php?action=feedcontributions&user=Shmooooo&feedformat=atom ArchWiki - User contributions [en] 2024-03-29T06:19:18Z User contributions MediaWiki 1.41.0
https://wiki.archlinux.org/index.php?title=Jinzora&diff=167061 Jinzora 2011-10-22T22:57:26Z <p>Shmooooo: /* Run the installer */</p>
<hr />
<div>[[Category:Audio/Video (English)]] <br />
<br />
[http://en.jinzora.com/ Jinzora] is a GPL-licensed, web-based multimedia application. It serves both as a streaming server and as a media management platform. This article shows you how to install and configure Jinzora.<br />
<br />
==Installation==<br />
Jinzora can run in two modes: pure ''streaming'', or playback through ''mpd''. If you have not installed MPD already, follow the wiki guide: [[mpd]] (it is not required for the streaming mode to operate).<br />
<br />
===Setup the webserver===<br />
Follow the wiki tutorial for installing Apache, PHP and MySQL: [[LAMP]]<br />
<br />
(Note: installing phpMyAdmin from the above guide is optional; if you are ever likely to build your own website that uses PHP and MySQL, I would suggest you install it. Otherwise you probably will not need it.)<br />
<br />
===Configure PHP===<br />
Jinzora can make use of the GD and iconv libraries; it is recommended that you enable both.<br />
Uncomment gd.so and iconv.so in {{filename|/etc/php/php.ini}}:<br />
extension=gd.so<br />
extension=iconv.so<br />
<br />
The PHP gd extension requires the gd library to be installed:<br />
# pacman -S php-gd<br />
<br />
Also take a look at the open_basedir setting. PHP may only read files under the paths listed there, so your media directory must be one of those paths or a subdirectory of one.<br />
<br />
===Download and extract Jinzora===<br />
Download the latest version of Jinzora2 from http://en.jinzora.com/download and extract the contents using [[tar]]:<br />
<pre><br />
# wget http://get.jinzora.com/jz2current.tar.gz<br />
# tar -xvf jz2current.tar.gz<br />
</pre><br />
<br />
==Configuring Jinzora==<br />
In the {{filename|~/httpd/html/jinzora2}} directory, run configure.sh:<br />
# sh configure.sh<br />
<br />
===Run the installer===<br />
The installer will automatically configure Jinzora and create the database. Open your web browser, go to http://localhost/jinzora2/index.php and follow the instructions.<br />
<br />
* Pay attention to these setup steps:<br />
** '''Page 4 - Installation Type :''' Change from 'Streaming' to 'Streaming & Jukebox' if you wish to listen to the music on the computer you are installing Jinzora2 on (it is primarily a streaming application to allow remote access to, and control of, a streaming server running it).<br />
** '''Page 5 - Main Settings :''' If you hover over the boxes here they explain the settings, so choose whatever you want. It is best to choose 'Database' for Backend Type. Also consider using the 'Tag Data' option for 'Data Structure', unless your music is organized on your filesystem exactly the way you want it to be.<br />
** '''Page 6 - Backend Setup :''' Unless you have used Jinzora before, or for some reason wish to manually create a MySQL database for it to use, then select 'True' under 'Create Database'.<br />
** '''Page 7 - Import Media :''' This step may take a few minutes if you have a few gigabytes of music; simply enter into the box the directory where your music is stored. When the installer has finished importing the music from this directory, you will have the option to import as many other directories as you want, one after the other.<br />
<br />
You can also import more files from the '''Settings''' interface when Jinzora is up and running. You do not have to do it while installing.<br />
<br />
'''Note:''' While Jinzora was importing my music collection, I had the following error appear twice on the page:<br />
<br />
<pre>Warning: strpos() [function.strpos]: Offset not contained in string. in /home/httpd/html/jinzora2/services/services/tagdata/getid3/module.tag.id3v2.php<br />
on line 1542</pre><br />
<br />
This seemed to have no adverse effect on the installation though, so if something similar happens to you, do not worry!<br />
<br />
===Save the configuration===<br />
When you have finished importing your music, click '''Proceed to save config''', then '''Proceed to launch Jinzora'''.<br />
<br />
===Setting up MPD to play your music===<br />
Edit {{filename|~/httpd/html/jinzora2/jukebox/settings.php}}: under 'Description', change 'Winamp Media Player' to 'Music Player Daemon' (or whatever you want), and under 'type' change 'winamp3' to 'mpd'.<br />
<br />
Change 'password' to be empty (so it just reads <nowiki>''</nowiki> rather than 'jinzora'), or change this to whatever password you have set in {{filename|/etc/mpd.conf}}.<br />
<br />
Also in this file, change the port from '4800' to '6600', or whatever port you have set MPD to accept connections on in {{filename|/etc/mpd.conf}}.<br />
<br />
If you wish to use Jinzora's streaming functionality, simply go back to your web browser, click refresh, select 'Music Player Daemon' from the 'Playback To' dropdown menu, and voilà: your own working copy of Jinzora!<br />
<br />
==Troubleshooting==<br />
* If you cannot get any sound despite all of the above, try testing mpd with another GUI client (Glurp is a nice simple one - do {{codeline|pacman -S glurp}}, add a track to its playlist and try to play it). If you have no sound in this either, you need to further edit {{filename|/etc/mpd.conf}}. Try uncommenting some of the ALSA settings in this file (assuming you use ALSA).<br />
<br />
* If you know that MPD ''is'' working, then try to match up the settings in Jinzora as closely to those in {{filename|/etc/mpd.conf}} as possible (the settings in Jinzora are accessed from the 4th small green button on the upper left of the 'Slick' interface).<br />
<br />
* If changes to your playlist are ignored, go to System Tools -> Settings Manager -> Main Settings/Playlist and set 'use_ext_playlists' to 'false'.<br />
<br />
* If when you click on the PLAY button of any song / album you are offered a 'playlist.m3u' download, then you have not changed the 'Playback To' option to 'Music Player Daemon'.</div>
Shmooooo https://wiki.archlinux.org/index.php?title=SELinux&diff=167059 SELinux 2011-10-22T22:54:38Z <p>Shmooooo: /* Post-installation steps */</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:Kernel (English)]]<br />
[[Category:Networking (English)]]<br />
Security-Enhanced Linux (SELinux) is a Linux feature that provides a variety of security policies, including U.S. Department of Defense style mandatory access controls (MAC), through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating systems, such as Linux and BSD. Its architecture strives to streamline the volume of software charged with security policy enforcement, which is closely aligned with the Trusted Computer System Evaluation Criteria (TCSEC, referred to as Orange Book) requirement for trusted computing base (TCB) minimization (applicable to evaluation classes B3 and A1) but is quite unrelated to the least privilege requirement (B2, B3, A1) as is often claimed. The germinal concepts underlying SELinux can be traced to several earlier projects by the U.S. National Security Agency (NSA). [1]<br />
<br />
Running SELinux under a Linux distribution requires three things: an SELinux-enabled kernel, the SELinux userspace tools and libraries, and SELinux policies (mostly based on the Reference Policy). Some common Linux programs also need to be patched or compiled with SELinux features.<br />
<br />
==Prerequisites==<br />
<br />
Only the ext2, ext3, ext4, JFS and XFS filesystems are supported for use with SELinux.<br />
<br />
{{Note| This is probably not needed anymore:}}<br />
<br />
XFS users should use 512-byte inodes (the default is 256). SELinux stores security labels in files' extended attributes; XFS stores these in the inode, and if the inode is too small an extra block has to be used, which wastes a lot of space and incurs performance penalties.<br />
<br />
# mkfs.xfs -i size=512 /dev/sda1 (for example)<br />
<br />
==Installing needed packages==<br />
<br />
You should install at least {{Package AUR|linux-selinux}}, {{Package AUR|selinux-pam}}, {{Package AUR|selinux-usr-policycoreutils}} and {{Package AUR|selinux-refpolicy-src}} from the [[AUR]]. Installing all SELinux-related packages is recommended.<br />
<br />
When installing from the [[AUR]], you can use an [[AUR helper]] or download tarballs from the AUR manually and build with {{Codeline|makepkg}}. Especially when installing for the first time, take extreme caution when replacing the pam and coreutils packages, as they are vital to your system. Having the Arch Linux live CD or live USB drive ready to use is strongly encouraged.<br />
<br />
{{Warning| Do '''not''' remove {{Package Official|pam}} via sudo: sudo authenticates through PAM, so once pam is removed the next sudo command can no longer authenticate you. Instead, first ''su'' to root and then do:<br />
pacman -Rdd pam<br />
pacman -U selinux-pam<br />
Doing {{Codeline|pacman -Rdd coreutils}}, {{Codeline|pacman -U selinux-coreutils}} may also cause trouble, so the safest way is to install the {{Codeline|selinux-*}} packages from a live CD, chrooted into your system.}}<br />
<br />
{{Warning| Do '''not''' install {{Package AUR|selinux-sysvinit}} package unless everything is set up, as you may end up with an unbootable system. Or, do not reboot unless you have everything set up.}}<br />
<br />
===Package description===<br />
<br />
All SELinux related packages belong to the ''selinux'' group. Group ''selinux-system-utilities'' is used for modified packages from the {{Codeline|[core]}} repository. Group ''selinux-userspace'' contains packages from SELinux Userspace project. Security policies belong to ''selinux-policies'' group. Other packages are in ''selinux-extras'' group.<br />
<br />
====SELinux aware system utils====<br />
<br />
;{{Package AUR|linux-selinux}}<br />
:SELinux enabled kernel. Compiling custom modules like virtualbox works.<br />
<br />
;{{Package AUR|selinux-coreutils}}<br />
:Modified coreutils package compiled with SELinux support enabled.<br />
<br />
;{{Package AUR|selinux-flex}}<br />
:Flex version needed only to build checkpolicy. The current flex package has a bug that makes the checkmodule command fail.<br />
<br />
;{{Package AUR|selinux-pam}}<br />
:PAM package with pam_selinux.so.<br />
<br />
;{{Package AUR|selinux-sysvinit}}<br />
:Sysvinit that loads the policy at startup. Be careful: it fails if the SELinux policy cannot be loaded!<br />
<br />
;{{Package AUR|selinux-util-linux}}<br />
:Modified util-linux package compiled with SELinux support enabled.<br />
<br />
;{{Package AUR|selinux-udev}}<br />
:Modified [[udev]] package compiled with SELinux support enabled for labeling of files in {{Filename|/dev}} to work correctly.<br />
<br />
;{{Package AUR|selinux-findutils}}<br />
:Patched findutils package compiled with SELinux support to make searching of files with specified security context possible.<br />
<br />
;{{Package AUR|selinux-sudo}}<br />
:Modified [[sudo]] package compiled with SELinux support which sets security context correctly.<br />
<br />
;{{Package AUR|selinux-procps}}<br />
:Procps package with SELinux patch based on some Fedora patches.<br />
<br />
;{{Package AUR|selinux-psmisc}}<br />
:Psmisc package compiled with SELinux support; for example, it adds the {{Codeline|-Z}} option to {{Codeline|killall}}.<br />
<br />
;{{Package AUR|selinux-shadow}}<br />
:Shadow package compiled with SELinux support; contains a modified {{Filename|/etc/pam.d/login}} file to set correct security context for user after login.<br />
<br />
;{{Package AUR|selinux-cronie}}<br />
:Fedora fork of Vixie cron with SELinux enabled.<br />
<br />
;{{Package AUR|selinux-logrotate}}<br />
:Logrotate package compiled with SELinux support.<br />
<br />
;{{Package AUR|selinux-openssh}}<br />
:OpenSSH package compiled with SELinux support to set security context for user sessions.<br />
<br />
====SELinux userspace====<br />
;{{Package AUR|selinux-usr-checkpolicy}}<br />
:Tools to build SELinux policy<br />
<br />
;{{Package AUR|selinux-usr-libselinux}}<br />
:Library for security-aware applications. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{Package AUR|selinux-usr-libsemanage}}<br />
:Library for policy management. Python bindings needed for ''semanage'' and ''setools'' now included.<br />
<br />
;{{Package AUR|selinux-usr-libsepol}}<br />
:Library for binary policy manipulation.<br />
<br />
;{{Package AUR|selinux-usr-policycoreutils}}<br />
:SELinux core utils such as newrole, setfiles, etc.<br />
<br />
;{{Package AUR|selinux-usr-sepolgen}}<br />
:A Python library for parsing and modifying policy source.<br />
<br />
====SELinux policy====<br />
<br />
;{{Package AUR|selinux-refpolicy}}<br />
:Precompiled modular, otherwise vanilla Reference policy with headers and documentation but without sources.<br />
<br />
;{{Package AUR|selinux-refpolicy-src}}<br />
:Reference policy sources<br />
<br />
;{{Package AUR|selinux-refpolicy-arch}}<br />
:Precompiled modular Reference policy with headers and documentation but without sources. The development Arch Linux Refpolicy patch is included, but for now [February 2011] it only fixes some issues with {{Filename|/etc/rc.d/*}} labeling.<br />
<br />
====Other SELinux tools====<br />
<br />
;{{Package AUR|selinux-setools}}<br />
:CLI and GUI tools to manage SELinux<br />
<br />
;{{Package AUR|audit}}<br />
:User space utilities for storing and searching the audit records generated by the audit subsystem in the Linux kernel. SELinux (the AVC) logs all denials through audit, which is very useful when troubleshooting SELinux; audit2allow also works from the log this program produces.<br />
<br />
{{Note|If using proprietary drivers, such as [[NVIDIA]] graphics drivers, you may need to [[NVIDIA#Alternate install: custom kernel|rebuild them]] for custom kernels.}}<br />
<br />
==Configuration==<br />
<br />
After the installation of needed packages, you have to set up a few things so that SELinux can be used.<br />
<br />
===Changing boot loader configuration===<br />
<br />
You have to manually change Grub's {{Filename|/boot/grub/menu.lst}} so that the custom kernel is booted, e.g.:<br />
<br />
# (1) Arch Linux<br />
title Arch Linux (SELinux)<br />
root (hd0,4)<br />
kernel /boot/'''vmlinuz-linux-selinux''' root=/dev/sda5 ro vga=775<br />
initrd /boot/'''initramfs-linux-selinux.img'''<br />
<br />
===Mounting selinuxfs===<br />
<br />
Add following to {{Filename|/etc/fstab}}:<br />
<br />
none /selinux selinuxfs noauto 0 0<br />
<br />
Do not forget to create the mountpoint:<br />
<br />
mkdir /selinux<br />
<br />
===Main SELinux configuration file===<br />
The main SELinux configuration file ({{Filename|/etc/selinux/config}}) is part of the {{Package AUR|selinux-refpolicy}} package, currently in the AUR. Its default contents are as follows:<br />
<br />
# This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# permissive - SELinux prints warnings <br />
# instead of enforcing.<br />
# disabled - No SELinux policy is loaded.<br />
SELINUX=permissive<br />
# SELINUXTYPE= takes the name of SELinux policy to<br />
# be used. Current options are:<br />
# refpolicy (vanilla reference policy)<br />
# refpolicy-arch (reference policy with <br />
# Arch Linux patch)<br />
SELINUXTYPE=refpolicy<br />
<br />
{{Note|Option {{Codeline|SELINUX<nowiki>=</nowiki>permissive}} is suitable only for testing. It gives no security. When everything is set up and working, you should change it to {{Codeline|SELINUX<nowiki>=</nowiki>enforcing}}. Option {{Codeline|SELINUXTYPE<nowiki>=</nowiki>refpolicy}} specifies the name of used policy. Change it if you choose another name for your policy. If you plan to compile policy from source, you have to create the file yourself.}}<br />
<br />
===Set up PAM===<br />
<br />
A correctly set-up PAM configuration is important to get a proper security context after login. If you installed {{Package AUR|selinux-shadow}} from the AUR, the following lines should be present in {{Filename|/etc/pam.d/login}}:<br />
<br />
# pam_selinux.so close should be the first session rule<br />
session required pam_selinux.so close<br />
# pam_selinux.so open should only be followed by sessions to be executed in the user context<br />
session required pam_selinux.so open<br />
<br />
If not, add them to the file. The same applies to logging in via SSH: {{Filename|/etc/pam.d/sshd}}, which is part of the {{Package AUR|selinux-openssh}} package.<br />
<br />
If you want to use SELinux with GUI, you should add the aforementioned lines to other files such as {{Filename|/etc/pam.d/kde}}, {{Filename|/etc/pam.d/kde-np}}, ... depending on your login manager.<br />
<br />
{{Note|Running SELinux with GUI applications in Arch Linux is not well supported at the moment.}}<br />
<br />
==Reference policy==<br />
<br />
There are currently two possible ways of installing reference policy: From a precompiled package ({{Package AUR|selinux-refpolicy}}) or from a source package ({{Package AUR|selinux-refpolicy-src}}).<br />
<br />
{{Note| It is possible to have both the source and the binary package installed. If you plan to build from source in that case, you should probably change the name of policy in {{Filename|build.conf}} to avoid overwriting of selinux-refpolicy package files.}}<br />
<br />
===Installing a precompiled refpolicy===<br />
<br />
Install {{Package AUR|selinux-refpolicy}} from the AUR. This is a modular, otherwise vanilla refpolicy. The package includes policy headers (so you can compile your own modules), policy documentation and an install script that loads the policy for you and relabels your filesystem (which will likely take some time). It does not include the sources, though.<br />
<br />
This package also includes the main SELinux configuration file ({{Filename|/etc/selinux/config}}) defaulting to refpolicy and permissive SELinux enforcement for testing purposes.<br />
<br />
You should verify that the policy was correctly loaded, that is, that the file {{Filename|/etc/selinux/refpolicy/policy/policy.24}} has non-zero size. If so, and if you have installed {{Package AUR|selinux-sysvinit}} and the other needed packages, you are ready to reboot and make sure that everything works.<br />
<br />
{{Warning| On newer kernels (e.g. 3.0) the file {{Filename|/etc/selinux/refpolicy/policy/policy.24}} has zero size, because a newer policy version is used instead, from the file {{Filename|/etc/selinux/refpolicy/policy/policy.26}}.}}<br />
<br />
<br />
In case the policy was not correctly loaded, you can, as root, run the following command inside the {{Filename|/usr/share/selinux/refpolicy}} directory to load it:<br />
<br />
/bin/ls *.pp | /bin/grep -Ev "base.pp|enableaudit.pp" | /usr/bin/xargs /usr/sbin/semodule -s refpolicy -b base.pp -i<br />
<br />
To manually relabel your filesystem you can as root use:<br />
<br />
/sbin/restorecon -r /<br />
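The verification described above (a non-zero policy.N, remembering that policy.24 may be empty on newer kernels while policy.26 is in use), together with the {{Filename|/etc/selinux/config}} settings and the {{Filename|/selinux}} mount that ''sestatus'' reports in the post-installation section, as an added Python check that is not part of this article or of any SELinux tool. The root parameter and the make_fake_root helper are assumptions that exist only so the check can be exercised on a constructed directory tree.

```python
import os
import re
import tempfile

VALID_MODES = ("enforcing", "permissive", "disabled")   # the SELINUX= values the article lists


def parse_selinux_config(text):
    """Parse the KEY=value lines of /etc/selinux/config, skipping comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def find_policy_binary(policy_dir):
    """Return (version, path) of the highest-numbered non-empty policy.N file, or None.
    Empty files are skipped because policy.24 can be zero bytes when policy.26 is in use."""
    if not os.path.isdir(policy_dir):
        return None
    best = None
    for name in os.listdir(policy_dir):
        m = re.fullmatch(r"policy\.(\d+)", name)
        path = os.path.join(policy_dir, name)
        if m is None or os.path.getsize(path) == 0:
            continue
        version = int(m.group(1))
        if best is None or version > best[0]:
            best = (version, path)
    return best


def runtime_mode(root):
    """Read <root>/selinux/enforce like sestatus' 'Current mode'; None if selinuxfs is not mounted."""
    path = os.path.join(root, "selinux", "enforce")
    if not os.path.isfile(path):
        return None
    with open(path) as f:
        return "enforcing" if f.read().strip() == "1" else "permissive"


def check_selinux_setup(root="/"):
    """Return a list of findings about the SELinux setup under `root` ("/" = the live system)."""
    findings = []
    cfg_path = os.path.join(root, "etc", "selinux", "config")
    if not os.path.isfile(cfg_path):
        return ["missing /etc/selinux/config: create it as shown in the article"]
    with open(cfg_path) as f:
        cfg = parse_selinux_config(f.read())
    mode = cfg.get("SELINUX")
    if mode not in VALID_MODES:
        findings.append(f"SELINUX={mode!r} is not one of {VALID_MODES}")
    elif mode == "permissive":
        findings.append("SELINUX=permissive: suitable for testing only, gives no security")
    elif mode == "disabled":
        findings.append("SELINUX=disabled: no policy will be loaded at boot")
    ptype = cfg.get("SELINUXTYPE")
    if not ptype:
        findings.append("SELINUXTYPE is not set")
        return findings
    policy = find_policy_binary(os.path.join(root, "etc", "selinux", ptype, "policy"))
    if policy is None:
        findings.append(f"no non-empty policy binary under /etc/selinux/{ptype}/policy")
    else:
        findings.append(f"policy version {policy[0]} present at {policy[1]}")
    current = runtime_mode(root)
    if current is None:
        findings.append("selinuxfs not mounted on /selinux (is selinux-sysvinit installed?)")
    elif current != mode:
        findings.append(f"current mode {current} differs from config mode {mode}")
    return findings


def make_fake_root(config_text, policy_sizes, enforce=None):
    """Build a throwaway tree mimicking the paths above (constructed, for offline testing).
    policy_sizes maps names such as 'policy.26' to the byte size to create."""
    root = tempfile.mkdtemp(prefix="selinux-check-")
    os.makedirs(os.path.join(root, "etc", "selinux"))
    with open(os.path.join(root, "etc", "selinux", "config"), "w") as f:
        f.write(config_text)
    ptype = parse_selinux_config(config_text).get("SELINUXTYPE", "refpolicy")
    policy_dir = os.path.join(root, "etc", "selinux", ptype, "policy")
    os.makedirs(policy_dir)
    for name, size in policy_sizes.items():
        with open(os.path.join(policy_dir, name), "wb") as f:
            f.write(b"\0" * size)
    if enforce is not None:
        os.makedirs(os.path.join(root, "selinux"))
        with open(os.path.join(root, "selinux", "enforce"), "w") as f:
            f.write(enforce)
    return root


if __name__ == "__main__":
    for finding in check_selinux_setup("/"):
        print(finding)
```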
<br />
===Installing refpolicy from a source package===<br />
<br />
Install {{Package AUR|selinux-refpolicy-src}} from AUR. Edit the file {{Filename|/etc/selinux/refpolicy/src/policy/build.conf}} to your liking. <br />
<br />
{{Note|The build configuration file {{Filename|build.conf}} is overwritten on every selinux-refpolicy-src package upgrade, so back up your configuration.}}<br />
<br />
To build, install and load policy from source do the following. (For other possibilities consult the README file located in {{Filename|/etc/selinux/refpolicy/src/policy/}}.)<br />
<br />
cd /etc/selinux/refpolicy/src/policy<br />
make bare<br />
make conf <br />
make load<br />
<br />
Copy or link the compiled binary policy to {{Filename|/etc/policy.bin}} for sysvinit to find, then install selinux-sysvinit:<br />
<br />
ln -s /etc/selinux/refpolicy/policy/policy.21 /etc/policy.bin<br />
<br />
At this moment files do not have any context, so you should relabel the whole filesystem, which will take a while:<br />
<br />
make relabel<br />
<br />
Create the main SELinux configuration file ({{Filename|/etc/selinux/config}}) according to the example in related section.<br />
<br />
Now you are ready to reboot and make sure that everything works.<br />
<br />
==Post-installation steps==<br />
{{Warning| If you did not install ''selinux-sysvinit'', you will see SELinux in disabled mode, and {{Filename|/selinux}} will not be mounted.}}<br />
<br />
You can check that SELinux is working with ''sestatus''. You should get something like:<br />
<br />
SELinux status: enabled<br />
SELinuxfs mount: /selinux<br />
Current mode: permissive<br />
Mode from config file: enforcing<br />
Policy version: 24<br />
Policy from config file: refpolicy<br />
<br />
To maintain correct context, you can use ''restorecond'':<br />
<br />
touch /etc/rc.d/restorecond<br />
chmod ugo+x /etc/rc.d/restorecond<br />
<br />
Which should contain:<br />
<br />
#!/bin/sh<br />
restorecond<br />
<br />
{{Note|Do not forget to add {{Codeline|restorecond}} into your {{Codeline|DAEMONS}} array in {{Filename|/etc/rc.conf}}.}}<br />
<br />
To switch to enforcing mode without reboot, you can use:<br />
<br />
echo 1 >/selinux/enforce<br />
<br />
{{Note|If setting {{Codeline|SELINUX<nowiki>=</nowiki>enforcing}} in {{Filename|/etc/selinux/config}} does not work for you, create {{Filename|/etc/rc.d/selinux-enforce}} containing the preceding command similarly as with restorecond daemon.}}<br />
<br />
==Useful tools==<br />
<br />
There are some tools/commands that can greatly help with SELinux. <br />
<br />
*'''restorecon''': Restores the context of a file/directory (or recursively with -R) based on any policy rules <br />
*'''rlpkg''': Relabels any files belonging to that Gentoo package to their proper security context (if they have one) <br />
*'''chcon''': Change the context on a specific file <br />
*'''audit2allow''': Reads log messages from the AVC log file and tells you what rules would fix the error. Do not just add these rules without looking at them, though: audit2allow cannot detect errors elsewhere (e.g. the application running in the wrong context in the first place), and sometimes something generates denial messages while continuing to work, in which case it is better to add a dontaudit rule to just ignore the access attempts.<br />
<br />
==References==<br />
*[http://en.wikipedia.org/wiki/Security-Enhanced_Linux Security Enhanced Linux]<br />
*[http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml Gentoo SELinux Handbook]<br />
*[http://fedoraproject.org/wiki/SELinux Fedora Project's SELinux Wiki]<br />
*[http://www.nsa.gov/research/selinux/index.shtml NSA's Official SELinux Homepage]<br />
*[http://oss.tresys.com/projects/refpolicy Reference Policy Homepage]<br />
*[http://userspace.selinuxproject.org/trac/ SELinux Userspace Homepage]<br />
*[http://oss.tresys.com/projects/setools SETools Homepage]<br />
<br />
== See also ==<br />
* [[AppArmor]] (Similar to SELinux, much easier to configure, but not as complex)<br />
* [[DNSSEC]]</div>
Shmooooo https://wiki.archlinux.org/index.php?title=Sshguard&diff=167058 Sshguard 2011-10-22T22:52:29Z <p>Shmooooo: </p>
<hr />
<div>[[Category:Secure Shell (English)]]<br />
{{warning|Using an IP blacklist will stop trivial attacks, but it relies on an additional daemon and on successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, if the attacker knows your IP address, they can send packets with a spoofed source address and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute-forcing without these problems.}}<br />
{{i18n|Sshguard}}<br />
[http://www.sshguard.net sshguard] is a daemon that protects [[SSH]] and other services against brute-force attacks, similar to [[fail2ban]].<br />
<br />
sshguard differs from similar tools such as [[fail2ban]] in that it is written in C, is lighter and simpler to use, and has fewer features, while performing its core function equally well.<br />
<br />
sshguard is not vulnerable to most (or maybe any) of the log analysis [http://www.ossec.net/main/attacking-log-analysis-tools vulnerabilities] that have caused problems for similar tools.<br />
<br />
==Installation==<br />
First, install [[iptables]] so sshguard can block remote hosts:<br />
# pacman -S iptables<br />
<br />
Then, install {{Package Official|sshguard}}:<br />
# pacman -S sshguard<br />
<br />
==Configuration==<br />
sshguard does not have a configuration file. The only configuration needed is to create a chain named "sshguard" and jump to it from the INPUT chain of iptables; sshguard automatically inserts rules into that chain to drop packets coming from bad hosts:<br />
# iptables -N sshguard<br />
# iptables -A INPUT -j sshguard<br />
# /etc/rc.d/iptables save<br />
<br />
If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands create and save an iptables configuration that does absolutely nothing except allow sshguard to work:<br />
# iptables -F<br />
# iptables -X<br />
# iptables -P INPUT ACCEPT<br />
# iptables -P FORWARD ACCEPT<br />
# iptables -P OUTPUT ACCEPT<br />
# iptables -N sshguard<br />
# iptables -A INPUT -j sshguard<br />
# /etc/rc.d/iptables save<br />
<br />
For more information on using iptables to create powerful firewalls, see [[Simple Stateful Firewall]].<br />
<br />
Finally, add iptables and sshguard to the DAEMONS array in {{Filename|/etc/rc.conf}}: <br />
DAEMONS=(... iptables sshguard ...)<br />
<br />
==General Information==<br />
sshguard works by watching {{Filename|/var/log/auth.log}} for changes to see whether someone is failing to log in too many times. It can also be configured to get this information straight from syslog-ng. After too many login failures (4 by default), the offending host is banned from further communication for a limited amount of time. The ban starts at 7 minutes and doubles each time the host is banned again. By default in the Arch Linux package, repeat offenders eventually become permanently banned.<br />
<br />
Bans are done by adding an entry into the "sshguard" chain in iptables that drops all packets from the offender. To make the ban only affect port 22, simply do not send packets going to other ports through the "sshguard" chain.<br />
<br />
When sshguard bans someone, the ban is logged to syslog and ends up in {{Filename|/var/log/auth.log}}.<br />
<br />
<br />
Since there is no configuration file, all configuration is done by command line switches where sshguard is started.<br />
In archlinux we can change these by modifying {{Filename|/etc/rc.d/sshguard}}. By default, the line where the program is started is:<br />
tail -n0 -F /var/log/auth.log | /usr/sbin/sshguard -b /var/db/sshguard/blacklist.db &> /dev/null &<br />
<br />
In this default configuration, ''tail'' reads log information and passes it to sshguard. Another thing to note is that the -b option is used, which makes some bans permanent. Records of permanent bans are then kept in {{Filename|/var/db/sshguard/blacklist.db}} to be remembered between restarts.<br />
<br />
This line will use the built-in log reader (called ''Log Sucker'') instead of ''tail'' to read the logs and will not keep permanent bans:<br />
/usr/sbin/sshguard -l /var/log/auth.log &> /dev/null &<br />
<br />
==See also==<br />
*[[fail2ban]]</div>Shmooooohttps://wiki.archlinux.org/index.php?title=Sshguard&diff=167057Sshguard2011-10-22T22:52:01Z<p>Shmooooo: </p>
<hr />
<div>[[Category:Secure Shell (English)]]<br />
{{warning|Using an IP blacklist will stop trivial attacks, but it relies on an additional daemon and on logging continuing to work (the partition containing /var can fill up, especially while an attacker is pounding on the server). It also hands attackers a denial-of-service lever: if they can make your own IP address appear as the offending source in the log, for instance through the log-injection tricks described in the link below, you get locked out of your own server. (Simply spoofing the source address of TCP packets is not enough against SSH, since a failed login requires a completed handshake.) [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}<br />
{{i18n|Sshguard}}<br />
[http://www.sshguard.net sshguard] is a daemon that protects [[SSH]] and other services against brute-force attacks, similar to [[fail2ban]].<br />
<br />
sshguard differs from tools such as fail2ban in that it is written in C, is lighter and simpler to use, and has fewer features while performing its core function equally well.<br />
<br />
sshguard's log parser is designed to avoid most of the log analysis [http://www.ossec.net/main/attacking-log-analysis-tools vulnerabilities], such as fake addresses injected into logged fields, that have caused problems for some other similar tools.<br />
<br />
==Installation==<br />
First, install [[iptables]] so sshguard can block remote hosts:<br />
# pacman -S iptables<br />
<br />
Then, install {{Package Official|sshguard}}:<br />
# pacman -S sshguard<br />
<br />
==Configuration==<br />
sshguard does not have a configuration file. The only configuration needed is an iptables chain named "sshguard", jumped to from the INPUT chain, into which sshguard automatically inserts rules that drop packets from offending hosts:<br />
# iptables -N sshguard<br />
# iptables -A INPUT -j sshguard<br />
# /etc/rc.d/iptables save<br />
<br />
If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands create and save an iptables configuration that does nothing except allow sshguard to work. Note that the first two commands discard any rules and chains that are already loaded, so do not run them on a host whose firewall you want to keep:<br />
# iptables -F<br />
# iptables -X<br />
# iptables -P INPUT ACCEPT<br />
# iptables -P FORWARD ACCEPT<br />
# iptables -P OUTPUT ACCEPT<br />
# iptables -N sshguard<br />
# iptables -A INPUT -j sshguard<br />
# /etc/rc.d/iptables save<br />
<br />
For more information on using iptables to create powerful firewalls, see [[Simple Stateful Firewall]].<br />
<br />
Finally, add iptables and sshguard to the DAEMONS array in {{Filename|/etc/rc.conf}}: <br />
DAEMONS=(... iptables sshguard ...)<br />
<br />
==General Information==<br />
sshguard works by watching {{Filename|/var/log/auth.log}} for new entries and counting failed logins per source address. It can also be fed this information directly from syslog-ng. After too many login failures (default 4) the offending host is blocked from further communication for a limited time: the first block lasts 7 minutes, and each further block of the same host doubles the duration. In the Arch Linux package, hosts that keep coming back eventually become permanently blacklisted (the -b option described below).<br />
<br />
Bans are implemented as entries in the "sshguard" chain in iptables that drop all packets from the offender, so with the jump rule above a banned host loses access to every service on the machine, not just SSH. To make a ban affect only port 22, send only TCP traffic to port 22 through the "sshguard" chain rather than all of INPUT.<br />
<br />
When sshguard bans someone, the ban is logged to syslog and ends up in {{Filename|/var/log/auth.log}}.<br />
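The following is an added example, not sshguard's own code, that does in a few dozen lines what the description above says sshguard does: count failures per source address in the lines sshd writes to auth.log, block after 4 failures, start at 7 minutes and double the block for each repeat offence. It also shows the parsing mistake the OSSEC link is about: a regex that takes the first "from <ip>" in the line can be fed a fake address through the user name, while anchoring on the trailer sshd itself writes cannot. The log lines, the 20-minute counting window and the year are constructed assumptions of this example; real sshguard inserts iptables rules instead of keeping an expiry table.<br />

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd ends every authentication-failure line with "from <peer ip> port <n> ssh2".
# Anchoring on that trailer and on the end of the line means that a user name
# such as "root from 198.51.100.1 port 22 ssh2" cannot make us blame
# 198.51.100.1; that is the log-injection problem the OSSEC link is about.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>.+)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2\s*$"
)
# The spoofable way: the first "from <ip>" anywhere in the line.
NAIVE_RE = re.compile(r" from (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: the attacker typed a fake trailer as the user name.
INJECTED = ("Oct 22 22:52:00 arch sshd[1211]: Failed password for invalid user "
            "root from 198.51.100.1 port 22 ssh2 from 203.0.113.9 port 4444 ssh2")

# Constructed auth.log excerpt: one host fails four times, gets blocked,
# comes back after the block expires and is blocked again for twice as long.
SAMPLE_LOG = """\
Oct 22 22:50:01 arch sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 22 22:50:03 arch sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Oct 22 22:50:05 arch sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Oct 22 22:50:07 arch sshd[1207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 22 22:51:00 arch sshd[1209]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
""" + INJECTED + """
Oct 22 22:58:00 arch sshd[1213]: Failed password for root from 203.0.113.5 port 51300 ssh2
Oct 22 22:58:01 arch sshd[1215]: Failed password for root from 203.0.113.5 port 51302 ssh2
Oct 22 22:58:02 arch sshd[1217]: Failed password for root from 203.0.113.5 port 51304 ssh2
Oct 22 22:58:03 arch sshd[1219]: Failed password for root from 203.0.113.5 port 51306 ssh2
"""


def naive_source(line):
    """First 'from <ip>' in the line: what an attacker can control."""
    m = NAIVE_RE.search(line)
    return m.group(1) if m else None


def source_ip(line):
    """Peer address as written by sshd itself, or None if not a failure line."""
    m = FAILURE_RE.search(line)
    return m["ip"] if m else None


class Guard:
    """Count recent failures per source, block after `threshold` of them,
    7 minutes the first time and double that for each repeat.  The counting
    window is an assumption of this example, not an sshguard setting."""

    def __init__(self, threshold=4, first_ban=timedelta(minutes=7),
                 window=timedelta(minutes=20)):
        self.threshold, self.first_ban, self.window = threshold, first_ban, window
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.ban_count = defaultdict(int)  # ip -> how many times it was blocked
        self.banned_until = {}             # ip -> when the current block expires
        self.actions = []                  # (timestamp, ip, "block Ns" | "release")

    def feed(self, ts, line):
        ip = source_ip(line)
        if ip is None:
            return
        if ip in self.banned_until and ts >= self.banned_until[ip]:
            del self.banned_until[ip]      # sshguard would delete the DROP rule here
            self.actions.append((ts, ip, "release"))
        if ip in self.banned_until:
            return                         # a DROP rule would have stopped this one
        recent = [t for t in self.failures[ip] if ts - t <= self.window] + [ts]
        if len(recent) < self.threshold:
            self.failures[ip] = recent
            return
        self.ban_count[ip] += 1
        duration = self.first_ban * 2 ** (self.ban_count[ip] - 1)
        self.banned_until[ip] = ts + duration   # sshguard would insert the DROP rule here
        self.failures[ip] = []
        self.actions.append((ts, ip, "block %ds" % duration.total_seconds()))


def analyse(log_text, year=2011):
    """Run the guard over syslog-style lines ('Oct 22 22:50:01 host ...')."""
    guard = Guard()
    for line in log_text.splitlines():
        if line.strip():
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
            guard.feed(ts, line)
    return [(ts.strftime("%H:%M:%S"), ip, what) for ts, ip, what in guard.actions]


if __name__ == "__main__":
    print("naive parser blames", naive_source(INJECTED), "- real peer is", source_ip(INJECTED))
    for when, ip, what in analyse(SAMPLE_LOG):
        print(when, ip, what)
```

Run it directly to print the decisions for the sample; the second block of 203.0.113.5 lasts twice as long as the first, and the injected line is charged to the real peer rather than to the address the attacker typed.<br />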
<br />
<br />
Since there is no configuration file, all other settings are given as command line switches where sshguard is started.<br />
On Arch Linux these are changed by editing {{Filename|/etc/rc.d/sshguard}}. By default, the line that starts the program is:<br />
tail -n0 -F /var/log/auth.log | /usr/sbin/sshguard -b /var/db/sshguard/blacklist.db &> /dev/null &<br />
<br />
In this default configuration, ''tail'' reads the log and pipes it to sshguard. Note also the -b option, which enables the blacklist: hosts that are banned repeatedly are eventually banned permanently, and the records are kept in {{Filename|/var/db/sshguard/blacklist.db}} so that they survive restarts.<br />
<br />
This line instead uses sshguard's built-in log reader (called the ''Log Sucker'', option -l) in place of ''tail'' and keeps no permanent blacklist:<br />
/usr/sbin/sshguard -l /var/log/auth.log &> /dev/null &<br />
<br />
==See also==<br />
*[[fail2ban]]</div>Shmooooohttps://wiki.archlinux.org/index.php?title=Server&diff=167056Server2011-10-22T22:49:05Z<p>Shmooooo: /* Requirements */</p>
<hr />
<div>{{i18n|Comprehensive Server Guide}}<br />
[[Category:Web Server (English)]]<br />
<br />
{{Box Note | This article is currently undergoing a complete rewrite. We are extending the article to include more than just web services and removing specific installation instructions with links to already available articles. We'll strive to make this article complete and explanatory in nature. '''What you currently see is a work in progress.'''}}<br />
<br />
== Preface ==<br />
<br />
==== What is a server? ====<br />
In essence, a server is a computer that runs services used by clients at remote locations. All computers run services of some kind; for example, when using Arch as a desktop you will have a network service running to connect to a network. A server, however, runs services for external clients; for example, a webserver serves a website to be viewed over the internet or elsewhere on a local network.<br />
<br />
==== Why would I want a server? ====<br />
There are various reasons you may want a server. You may want to create a website for a company or you may wish to have an internal database for your network. Maybe you need a central fileserver for your home-network? This guide will give you an overview for the most common server options in existence and will outline some administration and security guidelines.<br />
<br />
==== Arch Linux as a server OS ====<br />
You may have seen the comments or claims: ''Arch Linux was never intended as a server operating system!'' This is correct: The basic installation includes very few server features and there is no server installation disc available. This does not mean it's not possible, '''quite the contrary'''. Arch's core installation is a secure and capable foundation. Since only a small number of features come pre-installed, this core installation can easily be used as a basis for a Linux Server. Many applications and services you would want on a server (such as Apache, SQL and Samba) are available in the repository and are well documented on the wiki.<br />
<br />
{{Note | Add note about users using Arch as server.}}<br />
<br />
== Requirements ==<br />
For using Arch Linux on a server you will need to have an Arch Linux installation ready.<br />
<br />
In most Linux server Operating Systems you have two options:<br />
* A 'text' version of the OS (where everything is done from the command line)<br />
* A GUI version of the OS (where you get a desktop interface such as GNOME/KDE etc). <br />
<br />
{{Note | If your server runs services that must be administered through a GUI and cannot be managed remotely, you must choose the second option.}} <br />
<br />
For the installation of Arch Linux, please refer to [[Beginners_Guide|the Beginner's Guide]], but do not go any further [[Beginners_Guide#Part_III:_Install_X_and_configure_ALSA|than this section]] unless you require a GUI.<br />
<br />
== Basic set-up ==<br />
So what is a "basic" set-up:<br />
* Remote access to the server.<br />
We want to be able to remotely log-on to our server to perform several administrative tasks. When your server is located elsewhere or does not have a monitor attached: removing or adding files, changing configuration options and server rebooting are all tasks which are impossible to do without a way to log on to your server remotely. SSH nicely provides this functionality.<br />
<br />
* Your '''L'''inux server.<br />
* A http server ('''A'''pache), required for serving webpages.<br />
* A database server ('''M'''ySql), often required for storing data of address book-, forum- or blog scripts.<br />
* The '''P'''HP scripting language, a highly popular internet scripting language used in blogs, forums, content management systems and many other web-scripts.<br />
As the bold letters suggest, there is a name for this combination of applications: LAMP.<br />
<br />
The following sections will guide you through the installation and configuration of the above mentioned basic set-up features.<br />
<br />
==== SSH ====<br />
SSH stands for '''S'''ecure '''Sh'''ell. SSH enables you to log on to your server through an SSH client, presenting you with a familiar terminal-like interface. Users available on the system can be given access to log on remotely through SSH, thereby enabling remote administration of your server.<br />
<br />
The [[SSH|Arch wiki SSH page]] covers Installation and Configuration nicely.<br />
<br />
==== LAMP ====<br />
A [http://en.wikipedia.org/wiki/LAMP_(software_bundle) LAMP] server is a reasonably standard webserver. <br><br />
There are often disputes as to what the 'P' stands for: some people say it is [http://www.php.net/ PHP], some say [http://www.perl.org/ Perl], while others say it is [http://www.python.org/ Python]. For the purposes of this guide it is PHP, although there are some nice Perl modules for Linux, so you may wish to install Perl as well. <br><br />
Although LAMP is a reasonably standard webserver, it is by no means simple, so there may be a lot to take in here. <br />
<br />
<br />
Please refer to the [[LAMP]] wiki page for instructions on installation and configuration.<br />
<br />
== Additional web-services ==<br />
<br />
=== E-Mail ===<br />
<br />
{{Note | TODO: Add postfix and add introduction to E-Mail and describe the options}}<br />
<br />
Please refer to the [[Exim with a remote SMTP server | EXIM]] wiki page for instructions on installation and configuration.<br />
<br />
=== FTP ===<br />
<br />
FTP stands for '''F'''ile '''T'''ransfer '''P'''rotocol. FTP is a service that can provide access to the filesystem from a remote location through an FTP client (FileZilla, gftp etc.) or an FTP-capable browser. Through FTP you are able to add or remove files from a remote location, as well as chmod these files to set certain permissions. Be aware that plain FTP sends both credentials and data in cleartext, so it should not be exposed to untrusted networks without TLS (FTPS), or it should be replaced by SFTP (see below). <br />
<br />
FTP access is tied to the user accounts available on the system, allowing simple rights management. FTP is a much used tool for adding files to a webserver from remote locations.<br />
<br />
There are several FTP daemons available, here follows a list of Arch Linux Wiki pages on a few:<br />
* [[Vsftpd|vsFTPd]]: Very Secure FTP Daemon (often the standard)<br />
* [[Glftpd|glFTPd]]: GreyLine FTP daemon (highly configurable, no system accounts required)<br />
* [[Proftpd|proFTPd]]: Article is incomplete.<br />
<br />
There is also [[SFTP]], a separate file transfer protocol that runs inside an SSH session. It needs no daemon beyond sshd and, unlike plain FTP, encrypts both credentials and data.<br />
<br />
== Local Network Services ==<br />
<br />
=== CUPS (printing) ===<br />
<br />
CUPS, or '''C'''ommon '''U'''NIX '''P'''rinting '''S'''ystem, can provide a central point via which a number of users can print. For instance, you have several (say 3) printers and several people on a local network that wish to print. You can either add all these printers to every user's pc, or add all printers to a server running CUPS, and then simply adding the server to all clients. This allows for a central printing system that can be online 24/7, especially nice for printers that do not have networking capabilities.<br />
<br />
Please refer to the [[CUPS]] wiki page for instructions on installation and configuration.<br />
<br />
=== DHCP ===<br />
{{Note | DHCP v4 does not currently work due to IPv6 issues; this part of the guide will be written when that issue is resolved.}}<br />
<br />
=== Samba (windows compatible file- and printer sharing) ===<br />
Samba is an open source implementation of the SMB/CIFS networking protocols, effectively allowing you to share files and printers between Linux and Windows systems. Samba can provide public shares or require several forms of authentication.<br />
<br />
Please refer to the [[Samba]] wiki page for instructions on installation and configuration.<br />
<br />
== Security ==<br />
<br />
=== Firewall ===<br />
====Iptables====<br />
The Linux kernel includes the netfilter packet filter, which is configured with [[iptables]]. Configuration may be managed directly through the userspace utilities or by installing one of several GUI configuration tools. As a minimum, you will want to install the userspace programs:<br />
<br />
# pacman -S iptables<br />
<br />
In addition, you should add the iptables [[daemon]] to start on boot to your rc.conf<br />
<br />
DAEMONS=(... '''iptables''' network ...)<br />
<br />
====UFW====<br />
The Uncomplicated FireWall is a simple frontend to iptables for the command line. It is available in the {{Codeline|community}} repository. One way to allow [[SSH]] and [[Apache|HTTP]] access after installation would be:<br />
<br />
# ufw allow SSH/tcp<br />
# ufw allow WWW/tcp<br />
# ufw enable<br />
<br />
To view other preconfigured services and apps run<br />
<br />
# ufw app list<br />
<br />
=====GUFW=====<br />
A GUI frontend to UFW is available providing simple management of your iptables rules and settings. It is available in the {{Codeline|community}} repository. To install and run use the following commands:<br />
<br />
# pacman -S gufw<br />
# gufw<br />
<br />
=== Protecting SSH ===<br />
Allowing remote log-on through SSH is good for administrative purposes, but can pose a threat to your server's security. SSH is a frequent target of brute force attacks, so access to it needs to be limited properly to prevent third parties from gaining access to your server.<br />
* Use non-obvious account names and strong passwords, or better, [[SSH keys]] with password authentication disabled<br />
* Only allow incoming SSH connections from trusted locations<br />
* Use [[fail2ban]] or [[sshguard]] to monitor for brute force attacks and ban the offending IPs accordingly<br />
<br />
===== Protecting against brute force attacks =====<br />
Brute forcing is a simple concept: One continuously tries to log in to a webpage or server log-in prompt like SSH with a high number of random username and password combinations. You can protect yourself from brute force attacks by using an automated script that blocks anybody trying to brute force their way in, for example [[fail2ban]] or [[sshguard]].<br />
<br />
===== Deny root login =====<br />
It is generally considered bad practice to allow the user '''root''' to log in over SSH: the '''root''' account exists on nearly every Linux system and, once logged in, grants full access to it. Sudo, which grants root rights only for the actions that require them, is the more secure solution: third parties would then have to find a user name present on the system, that user's password and the password required by sudo before getting root rights. That is more barriers to breach before full access to the system is reached.<br />
<br />
Configure SSH to deny remote logins with the root user by editing (as root) ''/etc/ssh/sshd_config'' and looking for this section:<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
''#PermitRootLogin yes''<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
#MaxSessions 10<br />
<br />
Now change ''#PermitRootLogin yes'' to the following, uncommenting the line, and restart the SSH daemon:<br />
 PermitRootLogin no<br />
<br />
 # /etc/rc.d/sshd restart<br />
<br />
You will now be unable to log in through SSH as root, but you can still log in with your normal user and use ''su -'' or ''sudo'' to do system administration.<br />
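As an added example (not from this page or from OpenSSH), the following script checks an sshd_config the way sshd itself reads it: lines starting with # are comments (so the commented-out stanza above leaves the compiled-in default in force), keywords are case-insensitive, the first occurrence of a keyword wins, and anything after a Match line is conditional. It reports PermitRootLogin and PasswordAuthentication against the advice in this section. The sample configs are constructed, and the assumed defaults are those of the OpenSSH releases current when this page was written; pass a different mapping for a newer release.<br />

```python
import re

# Values sshd uses when a keyword is absent.  PermitRootLogin defaulted to "yes"
# in the OpenSSH releases current when this page was written (it became
# "prohibit-password" in 7.0); pass your own mapping for another release.
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}
# What the section above asks for.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}
PRETTY = {"permitrootlogin": "PermitRootLogin",
          "passwordauthentication": "PasswordAuthentication"}
# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
DIRECTIVE_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.+?)\s*$")


def effective_settings(config_text, defaults=DEFAULTS):
    """Global settings the way sshd reads them: lines starting with '#' are
    comments, the FIRST occurrence of a keyword wins, and everything after the
    first Match line only applies conditionally.  Returns (settings, has_match)."""
    settings = {}
    has_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # "#PermitRootLogin yes" sets nothing
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            has_match = True
            break
        settings.setdefault(key, value)    # later duplicates are ignored by sshd
    result = dict(defaults)
    result.update(settings)
    return result, has_match


def audit(config_text, defaults=DEFAULTS):
    """(keyword, effective value) for each setting that differs from the advice
    above; an empty list means the global configuration passes."""
    settings, has_match = effective_settings(config_text, defaults)
    findings = [(PRETTY[k], settings[k]) for k, want in WANTED.items()
                if settings[k] != want]
    if has_match:
        findings.append(("Match", "present; per-block overrides are not checked here"))
    return findings


# Constructed samples.  The first is the commented-out stanza quoted above.
DEFAULT_STANZA = """\
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
"""
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
# sshd keeps the first value it saw, so this later line changes nothing:
PermitRootLogin yes
"""
WITH_MATCH = HARDENED + """\
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, text in (("default stanza", DEFAULT_STANZA), ("hardened", HARDENED),
                       ("with Match", WITH_MATCH)):
        print(name, "->", audit(text) or "OK")
```

Point audit() at the contents of /etc/ssh/sshd_config to check a real host; the first-occurrence rule is what makes appending "PermitRootLogin no" to the end of a file that already sets it earlier ineffective, which is why the section above has you edit the existing line rather than add a new one.<br />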
<br />
=== SE Linux ===<br />
<br />
{{Note | SELinux is complex to set up and administer, and a wrong policy can break services in confusing ways; do not use it unless you actually require mandatory access control.}}<br />
Please refer to the [[SELinux]] wiki page for instructions on installation and configuration. That page is only a stub, so if you use SELinux you are largely on your own.<br />
<br />
== Administration and maintenance ==<br />
<br />
==== Accessibility ====<br />
'''[[SSH]]'''<br />
is the '''S'''ecure '''SH'''ell; it allows you to remotely connect to your server and run commands as if you were physically at the computer. Combined with [[Screen]], SSH can become an invaluable tool for remote maintenance and administration while on the move. Please note that a standard SSH install is not locked down: at least disable root login, disable password-based login in favour of keys and set up firewall rules before considering the server secure. In addition, you may supplement the security of your SSH daemon with daemons such as [[sshguard]] or [[fail2ban]], which constantly monitor the log files for suspicious activity and ban IP addresses with too many failed logins.<br />
<br />
<br />
'''X Forwarding'''<br />
is forwarding your X session via SSH so you can login to the desktop GUI remotely. Use of this feature will require SSH and an X server to be installed on the server. You will also need to have a working X server installed on the client system you will be using to connect to the server with. More information can be found in the [[SSH#X11_Forwarding|X Forwarding]] section of the [[SSH]] guide.<br />
<br />
== Extras ==<br />
<br />
=== phpMyAdmin ===<br />
"[[phpMyAdmin]] is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement." http://www.phpmyadmin.net/home_page/index.php<br />
<br />
== More Resources ==<br />
* [[LAMP]]<br />
* [[MySQL]] - Arch wiki article for MySQL<br />
* http://www.mysql.com/<br />
* http://www.apache.org/<br />
* http://www.php.net/</div>Shmooooohttps://wiki.archlinux.org/index.php?title=Server&diff=167055Server2011-10-22T22:46:45Z<p>Shmooooo: /* Arch Linux as a server OS */</p>
<hr />
<div>{{i18n|Comprehensive Server Guide}}<br />
[[Category:Web Server (English)]]<br />
<br />
{{Box Note | This article is currently undergoing a complete rewrite. We are extending the article to include more than just web services and removing specific installation instructions with links to already available articles. We'll strive to make this article complete and explanatory in nature. '''What you currently see is a work in progress.'''}}<br />
<br />
== Preface ==<br />
<br />
==== What is a server? ====<br />
In essence, a server is a computer that runs services that involve clients working on remote locations. All computers run services of some kind, for example: when using Arch as a desktop you will have a network service running to connect to a network. A server will, however, run services that involve external clients, for example: a webserver will run a website to be viewed via the internet or elsewhere on a local network.<br />
<br />
==== Why would I want a server? ====<br />
There are various reasons you may want a server. You may want to create a website for a company or you may wish to have an internal database for your network. Maybe you need a central fileserver for your home-network? This guide will give you an overview for the most common server options in existence and will outline some administration and security guidelines.<br />
<br />
==== Arch Linux as a server OS ====<br />
You may have seen the comments or claims: ''Arch Linux was never intended as a server operating system!'' This is correct: The basic installation includes very few server features and there is no server installation disc available. This does not mean it's not possible, '''quite the contrary'''. Arch's core installation is a secure and capable foundation. Since only a small number of features come pre-installed, this core installation can easily be used as a basis for a Linux Server. Many applications and services you would want on a server (such as Apache, SQL and Samba) are available in the repository and are well documented on the wiki.<br />
<br />
{{Note | Add note about users using Arch as server.}}<br />
<br />
== Requirements ==<br />
For using Arch Linux on a server you will need to have an Arch Linux installation ready.<br />
<br />
In most Linux server Operating Systems you have 2 options:<br />
* A 'text' version of the OS (where everything is done from the command line)<br />
* A GUI version of the OS (where you get a desktop interface such as GNOME/KDE etc). <br />
<br />
{{Note | If you have services on your server that need to be administered using a gui and cannot be done remotely you must choose the second option.}} <br />
<br />
For the installation of Arch Linux, please refer to [[Beginners_Guide|the Beginner's Guide]], but do not go any further [[Beginners_Guide#Part_III:_Install_X_and_configure_ALSA|than this section]] unless you require a GUI.<br />
<br />
== Basic set-up ==<br />
So what is a "basic" set-up:<br />
* Remote access to the server.<br />
We want to be able to remotely log-on to our server to perform several administrative tasks. When your server is located elsewhere or does not have a monitor attached: removing or adding files, changing configuration options and server rebooting are all tasks which are impossible to do without a way to log on to your server remotely. SSH nicely provides this functionality.<br />
<br />
* Your '''L'''inux server.<br />
* A http server ('''A'''pache), required for serving webpages.<br />
* A database server ('''M'''ySql), often required for storing data of address book-, forum- or blog scripts.<br />
* The '''P'''HP scripting language, a highly popular internet scripting language used in blogs, forums, content management systems and many other web-scripts.<br />
As the bold letters suggest, there is a name for this combination of applications: LAMP.<br />
<br />
The following sections will guide you through the installation and configuration of the above mentioned basic set-up features.<br />
<br />
==== SSH ====<br />
SSH stands for '''S'''ecure '''Sh'''ell. SSH enables you to log on to your server through an SSH client, presenting you with a recognizable terminal-like interface.Users available on the system can be given access to log on remotely though SSH, thereby enabeling remote administration of your server.<br />
<br />
The [[SSH|Arch wiki SSH page]] covers Installation and Configuration nicely.<br />
<br />
==== LAMP ====<br />
A [http://en.wikipedia.org/wiki/LAMP_(software_bundle) LAMP] server is a reasonably standard webserver. <br><br />
There are often disputes as to what the 'P' stands for, some people say it is [http://www.php.net/ PHP] some people say it is [http://www.perl.org/ Perl] while others say it's [http://www.python.org/ python]. For the purposes of this guide I am going to make it PHP, although there are some nice Perl modules for Linux so you may wish to install Perl as well. <br><br />
Having said that, LAMP is a reasonably standard webserver, it is by no means simple so there may be a lot to take in here. <br />
<br />
<br />
Please refer to the [[LAMP]] wiki page for instructions on installation and configuration.<br />
<br />
== Additional web-services ==<br />
<br />
=== E-Mail ===<br />
<br />
{{Note | TODO: Add postfix and add introduction to E-Mail and describe the options}}<br />
<br />
Please refer to the [[Exim with a remote SMTP server | EXIM]] wiki page for instructions on installation and configuration.<br />
<br />
=== FTP ===<br />
<br />
FTP stands for '''F'''ile '''T'''ransfer '''P'''rotocol. FTP is a service that can provide access to the filesystem from a remote location through an FTP client (FileZilla, gftp etc.) or FTP-capable browser. Through FTP, you are able to add or remove files from a remote location, as well as apply some chmod commands to these files to set certain permissions. <br />
<br />
FTP access will be related to user accounts available on the system, allowing simple rights management. FTP is a much used tool for adding files to a webserver from a remote locations.<br />
<br />
There are several FTP daemons available, here follows a list of Arch Linux Wiki pages on a few:<br />
* [[Vsftpd|vsFTPd]]: Very Secure FTP Daemon (oftend the standard)<br />
* [[Glftpd|glFTPd]]: GreyLine FTP daemon (highly configurable, no system accounts required)<br />
* [[Proftpd|proFTPd]]: Article is incomplete.<br />
<br />
There is also the option of FTP over SSH, or [[SFTP]]<br />
<br />
== Local Network Services ==<br />
<br />
=== CUPS (printing) ===<br />
<br />
CUPS, or '''C'''ommon '''U'''NIX '''P'''rinting '''S'''ystem, can provide a central point via which a number of users can print. For instance, you have several (say 3) printers and several people on a local network that wish to print. You can either add all these printers to every user's pc, or add all printers to a server running CUPS, and then simply adding the server to all clients. This allows for a central printing system that can be online 24/7, especially nice for printers that do not have networking capabilities.<br />
<br />
Please refer to the [[CUPS]] wiki page for instructions on installation and configuration.<br />
<br />
=== DHCP ===<br />
{{Note | dhcp v4 does not currently work due to ipv6 issues, this guide part of the guide will be written when that issue is resolved.}}<br />
<br />
=== Samba (windows compatible file- and printer sharing) ===<br />
Samba is an open source implementation of SBM/CIFS networking protocols, effectively allowing you to share files and printers between Linux and Windows systems. Samba can provide public shares or require several forms of authentication.<br />
<br />
Please refer to the [[Samba]] wiki page for instructions on installation and configuration.<br />
<br />
== Security ==<br />
<br />
=== Firewall ===<br />
====Iptables====<br />
The Linux kernel includes [[iptables]] as a built-in firewall solution. Configuration may be managed directly through the userspace utilities or by installing one of several GUI configuration tools. As a minimum, you will want to install the userspace programs:<br />
<br />
# pacman -S iptables<br />
<br />
In addition, you should add the iptables [[daemon]] to start on boot to your rc.conf<br />
<br />
DAEMONS=(... '''iptables''' network ...)<br />
<br />
====UFW====<br />
The Uncomplicated FireWall is a simple frontend to iptables for the command line. It is available in the {{Codeline|community}} repository. One way to allow [[SSH]] and [[Apache|HTTP]] access after installation would be:<br />
<br />
# ufw allow SSH/tcp<br />
# ufw allow WWW/tcp<br />
# ufw enable<br />
<br />
To view other preconfigured services and apps run<br />
<br />
# ufw app list<br />
<br />
=====GUFW=====<br />
A GUI frontend to UFW is available providing simple management of your iptables rules and settings. It is available in the {{Codeline|community}} repository. To install and run use the following commands:<br />
<br />
# pacman -S gufw<br />
# gufw<br />
<br />
=== Protecting SSH ===<br />
Allowing remote log-on through SSH is good for administrative purposes, but can pose a threat to your server's security. Often the target of brute force attacks, SSH access needs to be limited properly to prevent third parties gaining access to your server.<br />
* Use non-standard account names and passwords<br />
* Only allow incoming SSH connections from trusted locations<br />
* Use [[fail2ban]] or [[sshguard]] to monitor for brute force attacks, and ban brute forcing IPs accordingly<br />
<br />
===== Protecting against brute force attacks =====<br />
Brute forcing is a simple concept: One continuously tries to log in to a webpage or server log-in prompt like SSH with a high number of random username and password combinations. You can protect yourself from brute force attacks by using an automated script that blocks anybody trying to brute force their way in, for example [[fail2ban]] or [[sshguard]].<br />
<br />
===== Deny root login =====<br />
It is generally considered bad practice to allow the user '''root''' to log in over SSH: The '''root''' account will exist on nearly any Linux system and grants full access to the system, once login has been achieved. Sudo provides root rights for actions requiring these and is the more secure solution, third parties would have to find a username present on the system, the matching password and the matching password for sudo to get root rights on your system. More barriers to be breached before full access to the system is reached.<br />
<br />
Configure SSH to deny remote logins with the root user by editing (as root) ''/etc/sshd/sshd_config'' and look for this section:<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
''#PermitRootLogin yes''<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
#MaxSessions 10<br />
<br />
Now simply change ''#PermitRootLogin yes'' to no, uncomment the line and restart the SSH daemon:<br />
PermitRootLogin no<br />
<br />
/etc/rc.d/sshd restart<br />
<br />
You will now be unable to log in through SSH under root, but will still be able to log in with your normal user and use ''su'' - or ''sudo'' to do system administration.<br />
<br />
=== SE Linux ===<br />
<br />
{{Note | SELinux is extremely intensive and can cause big problems, I would suggest not using it unless you absolutely require it.}}<br />
Please refer to the [[SELinux]] wiki page for instructions on installation and configuration, the page is only a stub, if you use SELinux you are on your own.<br />
<br />
== Administration and maintenance ==<br />
<br />
==== Accessibility ====<br />
'''[[SSH]]'''<br />
is the '''S'''ecure '''SH'''ell, it allows you to remotely connect to your server and administer commands as if you were physically at the computer. Combined with [[Screen]], SSH can become an invaluable tool for remote maintenance and administration while on-the-move. Please note that a standard SSH install is not very secure and some configuration is needed before the server can be considered locked-down. This configuration includes disabling root login, disabling password based login and setting up firewall rules. In addition, you may supplement the security of your SSH daemon by utilizing daemons such as [[sshguard]] or [[fail2ban]] which constantly monitor the log files for any suspicious activity and ban IP addresses with too many failed logins.<br />
<br />
<br />
'''X Forwarding'''<br />
forwards your X session over SSH so you can log in to the desktop GUI remotely. Use of this feature requires SSH and an X server to be installed on the server, and a working X server on the client system you will use to connect to the server. More information can be found in the [[SSH#X11_Forwarding|X Forwarding]] section of the [[SSH]] guide.<br />
<br />
== Extras ==<br />
<br />
=== phpMyAdmin ===<br />
"[[phpMyAdmin]] is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement." http://www.phpmyadmin.net/home_page/index.php<br />
<br />
== More Resources ==<br />
* [[LAMP]]<br />
* [[MySQL]] - Arch wiki article for MySQL<br />
* http://www.mysql.com/<br />
* http://www.apache.org/<br />
* http://www.php.net/</div>Shmooooohttps://wiki.archlinux.org/index.php?title=Server&diff=167054Server2011-10-22T22:46:34Z<p>Shmooooo: Stylistic/grammatical change</p>
<hr />
<div>{{i18n|Comprehensive Server Guide}}<br />
[[Category:Web Server (English)]]<br />
<br />
{{Box Note | This article is currently undergoing a complete rewrite. We are extending the article to include more than just web services and removing specific installation instructions with links to already available articles. We'll strive to make this article complete and explanatory in nature. '''What you currently see is a work in progress.'''}}<br />
<br />
== Preface ==<br />
<br />
==== What is a server? ====<br />
In essence, a server is a computer that runs services for clients at remote locations. All computers run services of some kind; for example, when using Arch as a desktop you will have a network service running to connect to a network. A server, however, runs services for external clients; for example, a webserver serves a website to be viewed via the internet or elsewhere on a local network.<br />
<br />
==== Why would I want a server? ====<br />
There are various reasons you may want a server. You may want to create a website for a company, or you may wish to have an internal database for your network. Maybe you need a central fileserver for your home network? This guide will give you an overview of the most common server options and will outline some administration and security guidelines.<br />
<br />
==== Arch Linux as a server OS ====<br />
You may have seen the comments or claims: ''Arch Linux was never intended as a server operating system!'' This is correct: the basic installation includes very few server features and there is no server installation disc available. This does not mean it is not possible, '''quite the contrary'''. Arch's core installation is a secure and capable foundation. Since only a small number of features come pre-installed, this core installation can easily be used as the basis for a Linux server. Many applications and services you would want on a server (such as Apache, SQL and Samba) are available in the repositories and are well documented on the wiki.<br />
<br />
{{Note | Add note about users using Arch as server.}}<br />
<br />
== Requirements ==<br />
For using Arch Linux on a server you will need to have an Arch Linux installation ready.<br />
<br />
In most Linux server operating systems you have two options:<br />
* A 'text' version of the OS (where everything is done from the command line)<br />
* A GUI version of the OS (where you get a desktop interface such as GNOME/KDE etc). <br />
<br />
{{Note | If you have services on your server that need to be administered using a GUI and that cannot be administered remotely, you must choose the second option.}} <br />
<br />
For the installation of Arch Linux, please refer to [[Beginners_Guide|the Beginner's Guide]], but do not go any further [[Beginners_Guide#Part_III:_Install_X_and_configure_ALSA|than this section]] unless you require a GUI.<br />
<br />
== Basic set-up ==<br />
So what is a "basic" set-up? It consists of:<br />
* Remote access to the server.<br />
We want to be able to log on to our server remotely to perform administrative tasks. When your server is located elsewhere or does not have a monitor attached, removing or adding files, changing configuration options and rebooting the server are all impossible without a way to log on to your server remotely. SSH nicely provides this functionality.<br />
<br />
* Your '''L'''inux server.<br />
* An HTTP server ('''A'''pache), required for serving webpages.<br />
* A database server ('''M'''ySQL), often required for storing the data of address book, forum or blog scripts.<br />
* The '''P'''HP scripting language, a highly popular internet scripting language used in blogs, forums, content management systems and many other web-scripts.<br />
As the bold letters suggest, there is a name for this combination of applications: LAMP.<br />
<br />
The following sections will guide you through the installation and configuration of the above mentioned basic set-up features.<br />
<br />
==== SSH ====<br />
SSH stands for '''S'''ecure '''Sh'''ell. SSH enables you to log on to your server through an SSH client, presenting you with a familiar terminal-like interface. Users available on the system can be given access to log on remotely through SSH, thereby enabling remote administration of your server.<br />
<br />
The [[SSH|Arch wiki SSH page]] covers Installation and Configuration nicely.<br />
<br />
==== LAMP ====<br />
A [http://en.wikipedia.org/wiki/LAMP_(software_bundle) LAMP] server is a reasonably standard webserver. <br><br />
There are often disputes as to what the 'P' stands for: some people say it is [http://www.php.net/ PHP], some say it is [http://www.perl.org/ Perl], while others say it is [http://www.python.org/ Python]. For the purposes of this guide I am going to make it PHP, although there are some nice Perl modules for Linux so you may wish to install Perl as well. <br><br />
Having said that, while LAMP is a reasonably standard webserver, it is by no means simple, so there may be a lot to take in here. <br />
<br />
<br />
Please refer to the [[LAMP]] wiki page for instructions on installation and configuration.<br />
<br />
== Additional web-services ==<br />
<br />
=== E-Mail ===<br />
<br />
{{Note | TODO: Add postfix and add introduction to E-Mail and describe the options}}<br />
<br />
Please refer to the [[Exim with a remote SMTP server | EXIM]] wiki page for instructions on installation and configuration.<br />
<br />
=== FTP ===<br />
<br />
FTP stands for '''F'''ile '''T'''ransfer '''P'''rotocol. FTP is a service that provides access to the filesystem from a remote location through an FTP client (FileZilla, gftp etc.) or an FTP-capable browser. Through FTP you are able to add or remove files from a remote location, as well as change the permissions of these files (chmod). <br />
<br />
FTP access is tied to the user accounts available on the system, allowing simple rights management. FTP is a much-used tool for adding files to a webserver from a remote location.<br />
<br />
There are several FTP daemons available; here follows a list of Arch Linux Wiki pages on a few:<br />
* [[Vsftpd|vsFTPd]]: Very Secure FTP Daemon (often the standard)<br />
* [[Glftpd|glFTPd]]: GreyLine FTP daemon (highly configurable, no system accounts required)<br />
* [[Proftpd|proFTPd]]: Article is incomplete.<br />
<br />
There is also the option of transferring files over SSH with [[SFTP]].<br />
<br />
== Local Network Services ==<br />
<br />
=== CUPS (printing) ===<br />
<br />
CUPS, or '''C'''ommon '''U'''NIX '''P'''rinting '''S'''ystem, can provide a central point through which a number of users can print. For instance, you have several (say 3) printers and several people on a local network who wish to print. You can either add all these printers to every user's PC, or add all printers to a server running CUPS and then simply add the server to all clients. This allows for a central printing system that can be online 24/7, which is especially nice for printers that do not have networking capabilities.<br />
<br />
Please refer to the [[CUPS]] wiki page for instructions on installation and configuration.<br />
<br />
=== DHCP ===<br />
{{Note | dhcp v4 does not currently work due to ipv6 issues; this part of the guide will be written when that issue is resolved.}}<br />
<br />
=== Samba (windows compatible file- and printer sharing) ===<br />
Samba is an open source implementation of the SMB/CIFS networking protocols, effectively allowing you to share files and printers between Linux and Windows systems. Samba can provide public shares or require several forms of authentication.<br />
<br />
Please refer to the [[Samba]] wiki page for instructions on installation and configuration.<br />
<br />
== Security ==<br />
<br />
=== Firewall ===<br />
====Iptables====<br />
The Linux kernel includes [[iptables]] as a built-in firewall solution. Configuration may be managed directly through the userspace utilities or by installing one of several GUI configuration tools. As a minimum, you will want to install the userspace programs:<br />
<br />
# pacman -S iptables<br />
<br />
In addition, you should add the iptables [[daemon]] to the DAEMONS array in your rc.conf so that it starts on boot:<br />
<br />
DAEMONS=(... '''iptables''' network ...)<br />
<br />
====UFW====<br />
The Uncomplicated FireWall is a simple frontend to iptables for the command line. It is available in the {{Codeline|community}} repository. One way to allow [[SSH]] and [[Apache|HTTP]] access after installation would be:<br />
<br />
# ufw allow SSH/tcp<br />
# ufw allow WWW/tcp<br />
# ufw enable<br />
<br />
To view other preconfigured services and apps run<br />
<br />
# ufw app list<br />
<br />
=====GUFW=====<br />
A GUI frontend to UFW is available providing simple management of your iptables rules and settings. It is available in the {{Codeline|community}} repository. To install and run use the following commands:<br />
<br />
# pacman -S gufw<br />
# gufw<br />
<br />
=== Protecting SSH ===<br />
Allowing remote log-on through SSH is good for administrative purposes, but can pose a threat to your server's security. Often the target of brute force attacks, SSH access needs to be limited properly to prevent third parties from gaining access to your server.<br />
* Use non-standard account names and passwords<br />
* Only allow incoming SSH connections from trusted locations<br />
* Use [[fail2ban]] or [[sshguard]] to monitor for brute force attacks, and ban brute forcing IPs accordingly<br />
<br />
===== Protecting against brute force attacks =====<br />
Brute forcing is a simple concept: an attacker continuously tries to log in to a web page or a server login prompt such as SSH with a large number of random username and password combinations. You can protect yourself from brute force attacks by using an automated script that blocks anybody trying to brute force their way in, for example [[fail2ban]] or [[sshguard]].<br />
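The detection step that fail2ban and sshguard automate, as an added example that is not part of the article: count failed SSH logins per source address in syslog-style sshd lines and list the sources at or above a threshold. The log lines, host name and addresses are constructed for the example; the threshold and the printed (not executed) iptables rules are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the ArchWiki article. Constructed sshd log lines;
# on a real system they come from the auth log or the journal.
SAMPLE_LOG='Oct 22 22:40:01 srv sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 22 22:40:03 srv sshd[2101]: Failed password for root from 203.0.113.5 port 51235 ssh2
Oct 22 22:40:05 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Oct 22 22:40:07 srv sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Oct 22 22:40:09 srv sshd[2107]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Oct 22 22:40:11 srv sshd[2109]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Oct 22 22:40:13 srv sshd[2111]: Connection closed by 203.0.113.5 port 51238 [preauth]'

# brute_force_sources LOG THRESHOLD: prints "count address" for every source
# with at least THRESHOLD "Failed password" events, most active first.
# Only failed authentications are counted; "Invalid user" lines are ignored
# because a password attempt for an unknown user also logs a Failed password.
brute_force_sources() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The source address is the word after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' | sort -rn
}

# ban_rules LOG THRESHOLD: turn the offenders into iptables drop rules. They
# are printed rather than executed so they can be reviewed first; this is the
# kind of rule fail2ban and sshguard insert automatically.
ban_rules() {
    brute_force_sources "$1" "$2" | while read -r count ip; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s failed logins\n' "$ip" "$count"
    done
}

echo "Sources with 3 or more failed logins:"
brute_force_sources "$SAMPLE_LOG" 3
ban_rules "$SAMPLE_LOG" 3
```

A single failure from a legitimate user (alice above) stays below the threshold, which is why the tools let you tune the count and the time window rather than banning on the first failure.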
<br />
===== Deny root login =====<br />
It is generally considered bad practice to allow the user '''root''' to log in over SSH: the '''root''' account exists on nearly every Linux system and grants full access to the system once a login succeeds. Sudo, which grants root rights only for the actions that require them, is the more secure solution: a third party would have to find a username present on the system, the matching password and the password sudo asks for before getting root rights on your system. That is more barriers to breach before full access to the system is reached.<br />
<br />
Configure SSH to deny remote logins with the root user by editing (as root) ''/etc/ssh/sshd_config'' and looking for this section:<br />
# Authentication:<br />
<br />
#LoginGraceTime 2m<br />
''#PermitRootLogin yes''<br />
#StrictModes yes<br />
#MaxAuthTries 6<br />
#MaxSessions 10<br />
<br />
Now change ''#PermitRootLogin yes'' to ''PermitRootLogin no'' (uncommenting the line) and restart the SSH daemon:<br />
PermitRootLogin no<br />
<br />
/etc/rc.d/sshd restart<br />
<br />
You will now be unable to log in through SSH as root, but will still be able to log in with your normal user and use ''su -'' or ''sudo'' to do system administration.<br />
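The "Deny root login" procedure above (it appears in both revisions of the article in this feed) done in a repeatable way, as an added example that is not part of the article: the function sets PermitRootLogin to no whether the directive is commented out as in the excerpt, set to another value, or missing, and a second function reports the value sshd will actually use. The file path is a parameter so you can try it on a copy before editing the real sshd_config as root.

```shell
#!/bin/sh
# Added example, not from the ArchWiki article. Run on a copy first; the
# real file is /etc/ssh/sshd_config and needs root to edit.
set_permit_root_login_no() {
    cfg="$1"
    tmp="$cfg.tmp.$$"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        # Rewrite every commented-out or active PermitRootLogin line.
        sed -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' \
            "$cfg" > "$tmp"
    else
        # Directive absent: prepend rather than append, so the new line cannot
        # land inside a trailing "Match" block, where it would apply only there.
        { printf 'PermitRootLogin no\n'; cat "$cfg"; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# sshd takes the first value it reads for a keyword, so the effective
# setting is the first uncommented occurrence (Match blocks aside).
effective_permit_root_login() {
    awk '$1 == "PermitRootLogin" { print $2; exit }' "$1"
}

# Try it on a constructed copy of the section quoted in the article.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
EOF
    set_permit_root_login_no "$dir/sshd_config"
    echo "PermitRootLogin is now: $(effective_permit_root_login "$dir/sshd_config")"
    rm -r "$dir"
}
demo
```

Before restarting the real daemon, `sshd -t` checks the edited file for syntax errors so a typo cannot lock you out.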
<br />
=== SE Linux ===<br />
<br />
{{Note | SELinux is extremely involved to set up and can cause big problems; I would suggest not using it unless you absolutely require it.}}<br />
Please refer to the [[SELinux]] wiki page for instructions on installation and configuration. That page is only a stub, so if you use SELinux you are on your own.<br />
<br />
== Administration and maintenance ==<br />
<br />
==== Accessibility ====<br />
'''[[SSH]]'''<br />
is the '''S'''ecure '''SH'''ell; it allows you to connect to your server remotely and run commands as if you were physically at the computer. Combined with [[Screen]], SSH can become an invaluable tool for remote maintenance and administration while on the move. Please note that a standard SSH install is not very secure and some configuration is needed before the server can be considered locked down. This configuration includes disabling root login, disabling password-based login and setting up firewall rules. In addition, you may supplement the security of your SSH daemon with tools such as [[sshguard]] or [[fail2ban]], which constantly monitor the log files for suspicious activity and ban IP addresses with too many failed logins.<br />
<br />
<br />
'''X Forwarding'''<br />
forwards your X session over SSH so you can log in to the desktop GUI remotely. Use of this feature requires SSH and an X server to be installed on the server, and a working X server on the client system you will use to connect to the server. More information can be found in the [[SSH#X11_Forwarding|X Forwarding]] section of the [[SSH]] guide.<br />
<br />
== Extras ==<br />
<br />
=== phpMyAdmin ===<br />
"[[phpMyAdmin]] is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement." http://www.phpmyadmin.net/home_page/index.php<br />
<br />
== More Resources ==<br />
* [[LAMP]]<br />
* [[MySQL]] - Arch wiki article for MySQL<br />
* http://www.mysql.com/<br />
* http://www.apache.org/<br />
* http://www.php.net/</div>Shmooooo