Installing Nginx on Ubuntu 10.04

I want to install Nginx on an Ubuntu 10.04 64-bit server. Luckily, someone named Sam Kleinman put together a great tutorial (“Host Websites with nginx on Ubuntu 10.04 LTS (Lucid)”) over on Linode’s site. Following his instructions, I was able to install Nginx without a hitch. That was easy. Thanks, Sam!

To keep things light, I like to wrap up tech posts w/ non-tech content.  Here’s a video of one of my favorite artists, El Mac, painting a mural freehand(!) with another artist, Kofie.

getting started with Node.js

I found what appears to be a nice tutorial for installing Node on Ubuntu 10.4, so I’ll start with that.

To keep things simple, I’m going to skip the dependencies, grab the tgz file, and just try running it. Why not? Things could’ve changed w/ Node and/or Ubuntu since that post was written, and I love it when packages are designed well enough to provide irrational users with informative feedback, so let’s see.

  1. wget http://nodejs.org/dist/node-v0.2.3.tar.gz
  2. tar -xf node-v0.2.3.tar.gz
  3. cd node-v0.2.3
  4. ./configure
  5. make
  6. sudo make install

Step 4 stops right away with:

/home/erik/node-v0.2.3/wscript:132: error: could not configure a cxx compiler!

Nice! I need g++:
sudo apt-get install g++

/home/erik/node-v0.2.3/wscript:188: error: Could not autodetect OpenSSL support. Make sure OpenSSL development packages are installed. Use configure --without-ssl to disable this message.

Looks like I need ssl too:
sudo apt-get install libssl-dev

Configuration now passes, but I see this in the output:

...
Checking for openssl                     : not found
Checking for function SSL_library_init   : yes
Checking for header openssl/crypto.h     : yes
Checking for library rt                  : yes
--- libeio ---
Checking for library pthread             : yes
Checking for function pthread_create     : yes
Checking for function pthread_atfork     : yes
Checking for futimes(2)                  : yes
Checking for readahead(2)                : yes
Checking for fdatasync(2)                : yes
Checking for pread(2) and pwrite(2)      : yes
Checking for sendfile(2)                 : yes
Checking for sync_file_range(2)          : yes
--- libev ---
Checking for header sys/inotify.h        : yes
Checking for function inotify_init       : yes
Checking for header sys/epoll.h          : yes
Checking for function epoll_ctl          : yes
Checking for header port.h               : not found
Checking for header poll.h               : yes
Checking for function poll               : yes
Checking for header sys/event.h          : not found
Checking for header sys/queue.h          : yes
Checking for function kqueue             : not found
...

Rather than run into mysterious errors later, I’ll go ahead and install all the dependencies mentioned in the post:
sudo apt-get install g++ curl libssl-dev apache2-utils

But it doesn’t correct the problem. Doh! Oh, well. I’ll deal with any errors later.

Continuing on, I run make (it’s been a while since I watched C compile), and then sudo make install:

'install' finished successfully (0.239s)

🙂

Rather than starting with the tutorial’s translation example, I opt for the hello world example on the Node site:

var http = require('http');
http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('Hello World\n');
}).listen(8124, "127.0.0.1"); // binds to the loopback address only, so only local clients can connect
console.log('Server running at http://127.0.0.1:8124/');

I tried loading this, but no response. However, I grappled with my vm’s firewall recently enough to remember that I hadn’t opened port 8124, so I update the code to use port 80, and re-launch, but still get no response. Undaunted, I tell ufw to take a break:
sudo ufw disable && sudo shutdown -r now

Upon trying again, I noticed that I had the address wrong earlier – pilot error – but before enabling ufw, let’s see if we can get a response.

Curling http://127.0.0.1:8124/ returns “hello world”, but I’m not able to see this server from my laptop, i.e., curl http://172.16.83.133:8124/ doesn’t work.

Update (11/22/10): check out Padraig’s comment below about binding to 0.0.0.0.

It’s getting late, so this is a race against mental mutiny. Desperate, I stumble across another node.js + Ubuntu tutorial, and blindly install everything. I launch socket.io as per the instructions, bounce over to the browser, and … it works. Awesome. To the author of that post, nice job.

Ok. That’s enough for tonight. I’ll revisit this again later and try to understand what just happened.

In parting: Cats! In 3D! Don’t think. Just stare.

Cats Anaglyph 3D
Photo credit: Shahrokh Dabiri

getting started with Ubuntu server, continued

I’ve been playing around with an Ubuntu 10.10 64-bit server vm for the past couple days. My previous post ended with me unable to ssh into the vm. Today, I read a post on serverfault that got me thinking about trying to ping the vm. For whatever reason, I might have more success with that than ssh.

The post also mentioned turning off the firewall, which seems like a logical step, though I’ve been paranoid for so long, I’m uncomfortable doing so, even on a vm. Nevertheless, I turned off the firewall: sudo ufw disable

Restarted the vm: sudo shutdown -r now

Ran ifconfig to confirm that the ip hadn’t changed: ifconfig

But it had. It was now something like 0.0.0.255, which looked off. It didn’t seem like something I could ssh into. When I was hacking around the other day, I had tried configuring the vm to use a bridged network. I now switched back to the default NAT setting: Virtual Machine > settings > Network > Share the Mac’s network connection

I restarted the machine, and ran ifconfig again. Now it was back to an ip that looked more familiar:
… inet addr:172.16.83.133 …

From my Mac, I tried pinging the vm: ping 172.16.83.133

To my surprise, it responded. Amazing. I tried ssh’ing in and was rejected with
ssh: connect to host 172.16.83.133 port 22: Connection refused.

Then I remembered I had set the ssh port to 2222, and tried again:
ssh erik@172.16.83.133 -p 2222

Success! Amazing again. Then I went overboard and turned the firewall back on, sudo ufw enable, and restarted, but it still worked(!). I checked the status of the firewall just to make sure I wasn’t delusional: sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
2222                       ALLOW       Anywhere
22                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere

This is madness, but it’s working, so I’m not complaining.

To wrap up the ssh piece, I want to configure ssh to use a public key instead of a password. I’ll follow the SSH/OpenSSH keys tutorial on the Ubuntu wiki.

I created a new ssh key, ssh-keygen -t rsa, and saved it in a file called ~/.ssh/erik_rsa.

Then I copied the key to the vm:
scp -P 2222 ~/.ssh/erik_rsa.pub erik@172.16.83.133:.ssh/authorized_keys

Ideally (for me), the vm would now just automagically prefer public key authentication. I gave it a shot and immediately tried ssh’ing into the vm, but it still prompted me for a password. Oh well.

I edited the sshd_config file to uncomment the line AuthorizedKeysFile %h/.ssh/authorized_keys and set PasswordAuthentication to “no”, and then restarted sshd: sudo /etc/init.d/ssh restart

I exited the vm, and tried ssh’ing in again, this time specifying the location of my shiny new ssh key: ssh erik@172.16.83.133 -p 2222 -i ~/.ssh/erik_rsa

Wow. It worked. I’m always astounded when things like this actually work. Mac prompted me to enter my passphrase, and then I was in.
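The authorized_keys step above as an added example (not from the post): the scp to .ssh/authorized_keys replaces that file, so any key already installed there is lost; this helper appends the key only if it is not already present and sets the permissions sshd checks under its default StrictModes. The key material and paths in the example are constructed.

```shell
#!/bin/sh
# Added example (not from the post): add a public key to authorized_keys
# without overwriting the keys already there, then set the permissions
# sshd needs. Assumes PUBKEY_FILE holds one line: "type base64 [comment]".
# install_pubkey PUBKEY_FILE [HOME_DIR]   (HOME_DIR defaults to $HOME)
install_pubkey() {
  pub=$1; home=${2:-$HOME}
  dir="$home/.ssh"; ak="$dir/authorized_keys"
  # Identify the key by type and key material; the trailing comment may differ.
  keyid=$(awk 'NR == 1 { print $1, $2 }' "$pub")
  [ -n "$keyid" ] || { echo "no key found in $pub" >&2; return 1; }
  mkdir -p "$dir"
  touch "$ak"
  if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$ak"; then
    echo "key already present in $ak" >&2
  else
    cat "$pub" >> "$ak"   # append; an scp to this path replaces the whole file
  fi
  # With StrictModes yes (the default) sshd ignores authorized_keys when the
  # file or ~/.ssh is writable by anyone other than the owner.
  chmod 700 "$dir"
  chmod 600 "$ak"
}

# count_keys [HOME_DIR]: key lines in authorized_keys (blank and comment lines ignored)
count_keys() {
  grep -c '^[^#[:space:]]' "${1:-$HOME}/.ssh/authorized_keys"
}

# perms PATH: mode string such as "drwx------" (taken from ls output, so it is portable)
perms() {
  ls -ld "$1" | cut -c1-10
}
```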

Now that I can ssh and I have a firewall, it’s time to move on to the next step of the security wiki … hmm … well, before I dive into denyhosts and fail2ban, I think I’ll play around with the real reason I wanted to get an OS up and running, to install node.js.

getting started with ufw on Ubuntu server

Rather than read the entrails of iptables syntax, I’d prefer to continue respecting myself, and use something more user-friendly, something like the Uncomplicated Firewall (ufw). I just learned about this, but it’s the Ubuntu default. I’d like to have faith, but for now I just hope it doesn’t suck.

The UFW wiki page linked above states “Setting the default mode of ufw is recommended before turning it on …”: sudo ufw default deny

That was easy. Next, I’ll enable it: sudo ufw enable

Now, I’ll allow port 2222 for ssh: sudo ufw allow 2222

And allow port 80 for tcp: sudo ufw allow 80/tcp

Check the current settings: sudo ufw status

Turn on logging: sudo ufw logging on

Ubuntu’s saying I need to restart in order for the changes to take effect. Fingers-crossed. Holding breath: sudo shutdown -r now …
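A pre-flight check for the ufw steps above, added here and not part of the post: it reads ufw status output, confirms the ssh port actually has an ALLOW rule (enabling the firewall from a remote session without one ends that session), and lists rules that are no longer wanted, like the port 22 rule still open in the status listing earlier on this page after sshd moved to 2222; ufw_plan prints the commands that would bring the rules to the intended set. The status text used in the example is constructed from that listing.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check `ufw status` output before
# trusting the firewall, using the listing shown in the post as constructed input.
# ufw_allowed STATUS_TEXT: prints the "To" column of every ALLOW rule, one per
# line (works for both the "ALLOW" and the newer "ALLOW IN" wording; "(v6)" rows are skipped).
ufw_allowed() {
  printf '%s\n' "$1" | awk '$2 == "ALLOW" { print $1 }'
}

# ufw_check STATUS_TEXT SSH_PORT EXPECTED_PORT...
# Returns 1 if SSH_PORT has no ALLOW rule (enabling ufw from a remote session
# would then cut that session off) and prints "stale: <port>" for every ALLOW
# rule not in EXPECTED_PORT..., e.g. a port-22 rule left behind after sshd
# moved to 2222.
ufw_check() {
  status=$1; ssh_port=$2; shift 2
  expected=" $* "
  ssh_ok=1
  for port in $(ufw_allowed "$status"); do
    case "$port" in
      "$ssh_port"|"$ssh_port/tcp") ssh_ok=0 ;;
    esac
    case "$expected" in
      *" $port "*) ;;
      *) echo "stale: $port" ;;
    esac
  done
  return $ssh_ok
}

# ufw_plan STATUS_TEXT EXPECTED_PORT...: prints the ufw commands that would bring
# the rule set to exactly EXPECTED_PORT... (review them first; ufw also has --dry-run).
ufw_plan() {
  status=$1; shift
  have=" $(ufw_allowed "$status" | tr '\n' ' ')"
  echo "ufw default deny"
  for port in "$@"; do
    case "$have" in *" $port "*) ;; *) echo "ufw allow $port" ;; esac
  done
  ufw_allowed "$status" | while read -r port; do
    case " $* " in *" $port "*) ;; *) echo "ufw delete allow $port" ;; esac
  done
}
```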

As an aside, why does it have to be this way? Why can’t we just know that it will work? To be fair, UFW does seem pretty simple, and UFW’s --dry-run might be exactly what I’m looking for. Hopefully, UFW keeps me safe. Once I figure out how to automate deployment, things might be ok.

Ok, let’s check on our ability to log in locally …

Good. I can still log in locally, so I didn’t lock myself out utterly. Checking local ssh as a sanity check: ssh -v localhost -p 2222

That works. Checking remote log in: ssh erik@172.16.83.133 -p 2222

Hmm. That still doesn’t work, and nothing is showing up in either /var/log/auth.log or /var/log/messages. Lemme try viewing the iptables directly:
sudo iptables -L

Wow. UFW knows how to generate iptables. The list goes on forever. Let’s try again w/ less: sudo iptables -L | less

I can see 2222, www, and ssh allowed, so it’s not obvious why I can’t ssh in. Following a couple suggestions on the vmware forums, I set /etc/hosts.allow to “SSHD:ALL”, and set networking to “bridged”, but still no luck.

Ok. I’ll hang it up for now. Here’s a nice, soothing picture of a kelp forest to chill out to:

Kelp Forest at Monterey Bay Aquarium
Photo credit: Moral Threat

getting started with Ubuntu server security

In preparation for playing around with a VPS, I’d like to get familiar with Ubuntu 10.10 64-bit server. I grabbed the iso from their download page and installed it on vmware. Please pause with me and feel gratitude for Ubuntu. Thank you, Ubuntu, for being awesome. I was going to pick a more commercially popular OS, but I value my life, and Ubuntu was made with humans in mind.

The first thing I want to look at is security. Ubuntu’s forum has a sticky for general, intro-level security.

Ubuntu Wiki configure SSH seems like as good a place as any to get started.

This wiki page leads with “Once you have installed an OpenSSH server…”, so I set off to install openssh-server: sudo apt-get install openssh-server

But that gave me an error about openssh-server not being available for my system. After some digging, I got the impression that I might just need to update my system:
sudo apt-get update

Yup, that was it. Whew! I’m grateful it wasn’t a multi-hour quest for some random config setting.

Allegedly, after installing openssh, I should be able to ssh in right away. I ran ifconfig to get my vm’s ip address, and then tried it: ssh erik@172.16.83.255

ssh: connect to host 172.16.83.255 port 22: Permission denied.

Well, at least it’s talking to me. I think we’re ready to move on with the wiki.

I was able to make a backup of the default sshd_config file and set permissions on it without issue. On to customizing my sshd_config file: sudo vi /etc/ssh/sshd_config

  • Change PasswordAuthentication to “no”
  • I didn’t see a default setting for AllowTcpForwarding and X11Forwarding, so I added entries to turn each of these off
  • I added an AllowUsers entry for my username
  • Changed LoginGraceTime from 120 to 20
  • Changed the LogLevel from “INFO” to “VERBOSE”
  • Uncommented the Banner entry, and changed the file name from “issue.net” to “issue” for simplicity. I’ll defer setting the contents of this file.
  • I also changed PermitRootLogin to “no”
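The sshd_config changes in the list above, together with the PasswordAuthentication, AuthorizedKeysFile and port 2222 changes from the follow-up posts, as an idempotent shell script. This is an added example, not the post’s own procedure: each option is rewritten in place whether its current line is live or commented out, so the file never ends up with two conflicting lines. AllowUsers erik, Port 2222 and the Banner path are the posts’ values; the config file in the example is constructed.

```shell
#!/bin/sh
# Added example (not from the post): idempotent sshd_config edits.
# set_sshd_option FILE KEY VALUE
#   Rewrites the first "KEY ..." or "#KEY ..." line as "KEY VALUE", drops
#   later duplicates, and appends the line if KEY is absent.
#   Assumes a flat file (no Match blocks) using "KEY VALUE" syntax.
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp="$file.tmp.$$"
  awk -v k="$key" -v v="$value" '
    {
      first = $1                                # first whitespace-separated token
      sub(/^#/, "", first)                      # "#Key value" is the stock commented-out form
      if (tolower(first) == tolower(k)) {       # sshd keywords are case-insensitive
        if (!done) { print k " " v; done = 1 }  # first hit becomes the live setting
        next                                    # later duplicates are dropped
      }
      print
    }
    END { if (!done) print k " " v }            # key never seen: append it
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: value of the first active (uncommented) KEY line.
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config FILE: the settings chosen in the posts above.
harden_sshd_config() {
  f=$1
  set_sshd_option "$f" Port 2222
  set_sshd_option "$f" PermitRootLogin no
  set_sshd_option "$f" PasswordAuthentication no
  set_sshd_option "$f" AllowTcpForwarding no
  set_sshd_option "$f" X11Forwarding no
  set_sshd_option "$f" AllowUsers erik
  set_sshd_option "$f" LoginGraceTime 20
  set_sshd_option "$f" LogLevel VERBOSE
  set_sshd_option "$f" Banner /etc/issue
  set_sshd_option "$f" AuthorizedKeysFile %h/.ssh/authorized_keys
}
# On the real host, "sudo sshd -t" validates the file before "sudo /etc/init.d/ssh restart".
```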

As a sanity check, I ran ps -A | grep sshd to confirm sshd is running. As a second sanity check, I tried logging in via the local machine: ssh -v localhost. Amazingly, this also worked.

Ok. Moment of truth. Restarting sshd: sudo /etc/init.d/ssh restart.

Doh! I forgot to add my ssh key before disabling password login. Quick edit to restore PasswordAuthentication. Trying again … Connection refused on port 22. Oh, yeah. I changed it to 2222. Trying again … success! – from the local machine. Still can’t ssh in from a remote host. Time to check the ssh log: tail -f /var/log/auth.log

My ssh requests aren’t showing up in the logs. Time to look into the iptables settings. I’m guessing there’s a rule in there to ignore ssh, or no rule to allow ssh. I’ll continue this in another post.