Archive for the tag 'Ubuntu'

SBDavid

SELinux in Ubuntu

SELinux is a Mandatory Access Control (MAC) system, implemented as a kernel Linux Security Module (LSM), that confines programs to a limited set of resources. SELinux can be enabled in Ubuntu by installing the “selinux” meta-package, which makes the needed changes to the system and installs the Tresys policies for Ubuntu:

sudo apt-get install selinux

After installation, you will be prompted to reboot the system to label and activate SELinux.
When using SELinux, files, including directories and devices, are referred to as objects. Processes, such as a user running a command or the Mozilla® Firefox® application, are referred to as subjects.

The following is an example of the labels containing security-relevant information that are used on processes, Linux users, and files, on Linux operating systems that run SELinux. This information is called the SELinux context, and is viewed using the ls -Z command:

$ ls -Z file1
-rw-rw-r--. user1 group1 unconfined_u:object_r:user_home_t:s0 file1

In this example, SELinux provides a user (unconfined_u), a role (object_r), a type (user_home_t), and a level (s0). This information is used to make access control decisions. With DAC, access is controlled based only on Linux user and group IDs. It is important to remember that SELinux policy rules are checked after DAC rules. SELinux policy rules are not used if DAC rules deny access first.
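As an added example (not code from the original post), the following Python code splits `ls -Z` output like the line above into the four context fields and lists files whose type suggests a labelling problem after the relabel reboot. The function names, the type names in SUSPECT_TYPES and every sample line except the first are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # None on policies built without MLS/MCS

# Types that normally mean a file was never labelled or matched no
# file-context rule (assumption: reference-policy type names).
SUSPECT_TYPES = {"unlabeled_t", "default_t", "file_t"}

# user:role:type with an optional :level that may itself contain colons.
_CONTEXT_RE = re.compile(r"^[\w.-]+:[\w.-]+:[\w.-]+(:\S+)?$")

def parse_context(text):
    # Split at most three times so a level such as "s0-s0:c0.c1023"
    # (sensitivity range plus categories) stays in one piece.
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts):
        raise ValueError(f"not an SELinux context: {text!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)

def parse_ls_z(line):
    """Return (file name, Context) for one `ls -Z` line, long or short form."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):  # a file name must follow the context
        if _CONTEXT_RE.match(tok):
            name = line.split(None, i + 1)[i + 1].rstrip()
            return name, parse_context(tok)
    raise ValueError(f"no SELinux context in: {line!r}")

def suspect_labels(lines):
    """Names of files whose type suggests a missing or default label."""
    parsed = (parse_ls_z(l) for l in lines if l.strip())
    return [name for name, ctx in parsed if ctx.type in SUSPECT_TYPES]

# Constructed sample: the first line is the page's example, the rest are made up.
SAMPLE = """\
-rw-rw-r--. user1 group1 unconfined_u:object_r:user_home_t:s0 file1
-rw-r--r--. root root system_u:object_r:unlabeled_t:s0 restored.conf
system_u:object_r:httpd_sys_content_t:s0-s0:c0.c1023 index.html
"""

if __name__ == "__main__":
    print("check labels on:", suspect_labels(SAMPLE.splitlines()))
```

Splitting the context on every colon would break the third sample line, because its level field carries a category set after a colon of its own.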

SBDavid

Apache configuration

Apache configuration on Ubuntu

Apache Default Timeout

Timeout 300

Timeout: The number of seconds before receives and sends time out.

In simple terms, this sets the maximum time, in seconds, that Apache waits to receive a request, act on it and send the response.
The default is deliberately set high to allow for varied situations. You can reduce this to something more sane, to 30 seconds or even lower. A decrease may also help in reducing the effects of a DoS attack.

KeepAlive: Whether or not to allow persistent connections (more than one request per connection).

KeepAlive On

You should generally have KeepAlive “On”, as it allows a persistent connection to a client that can be reused for each file, image, etc. that gets requested. Without keepalives, the Apache server and web client need to establish a new connection for every element needed to display a web page. Keeping a single connection going that the client can reuse allows your server to manage clients more efficiently.

MaxKeepAliveRequests

MaxKeepAliveRequests: The maximum number of requests to allow during a persistent connection. Set to 0 to allow an unlimited amount. We recommend you leave this number high, for maximum performance.

MaxKeepAliveRequests 100

Since we have our persistent connection, set the maximum number of requests per connection. Keep this high for maximum performance. You might want to experiment with this setting a bit, but if you have a site with lots of images, JavaScript, etc., try increasing MaxKeepAliveRequests to as much as 500.

OpenLDAP server daemon slapd Installation in Ubuntu

First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

sudo apt-get install slapd ldap-utils

By default slapd is configured with minimal options needed to run the slapd daemon.

The configuration example in the following sections will match the domain name of the server. For example, if the machine’s Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com.

Populating LDAP

OpenLDAP uses a separate directory which contains the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indexes, ACLs, etc. without stopping the service.

Downloading and using kernel source on Ubuntu

There may come a time when you need the kernel source code, usually to build kernel headers, compile a module etc. To work with the kernel source once you have it, you’ll want some development tools installed on your server.

sudo aptitude update
sudo aptitude install build-essential

To check the kernel version on the server, just run:

root@laptop:~# uname -r
2.6.28-11-generic

Searching for kernel source.

# apt-cache search linux-source
linux-ports-source-2.6.28 - Linux kernel source for version 2.6.28 with Ubuntu patches
linux-source - Linux kernel source with Ubuntu patches
linux-source-2.6.28 - Linux kernel source for version 2.6.28 with Ubuntu patches

Preparing Ubuntu System before Webmin Install.

You can install Webmin as a web interface for your server to configure Apache2, MySQL, FTP servers and many more.

Preparing your system

First you need to install the following packages

sudo aptitude install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl libmd5-perl

Now download the latest webmin using the following command or from

http://www.webmin.com/download.html
