Installing Nginx on Ubuntu 10.04

I want to install Nginx on an Ubuntu 10.04 64-bit server. Luckily, someone named Sam Kleinman put together a great tutorial (“Host Websites with nginx on Ubuntu 10.04 LTS (Lucid)“) over on Linode’s site.  Following his instructions, I was able install Nginx without a hitch.  That was easy.  Thanks, Sam!

To keep things light, I like to wrap up tech posts w/ non-tech content.  Here’s a video of one of my favorite artists, El Mac, painting a mural freehand(!) with another artist, Kofie.

getting started with Node.js

I found what appears to be a nice tutorial for installing Node on Ubuntu 10.4, so I’ll start with that.

To keep things simple, I’m going to skip the dependencies, grab the tgz file, and just try running it. Why not? Thing’s could’ve changed w/ Node and/or Ubuntu since that post was written, and I love it when packages are designed well enough to provide irrational users with informative feedback, so let’s see.

  1. wget
  2. tar -xf node-v0.2.3.tar.gz
  3. cd node
  4. ./configure
  5. make
  6. sudo make install
/home/erik/node-v0.2.3/wscript:132: error: could not configure a cxx compiler!

Nice! I need g++:
sudo apt-get install g++

/home/erik/node-v0.2.3/wscript:188: error: Could not autodetect OpenSSL support. Make sure OpenSSL development packages are installed. Use configure --without-ssl to disable this message.

Looks like I need ssl too:
sudo apt-get install libssl-dev

Configuration now passes, but I see this in the output:

Checking for openssl                     : not found
Checking for function SSL_library_init   : yes
Checking for header openssl/crypto.h     : yes
Checking for library rt                  : yes
--- libeio ---
Checking for library pthread             : yes
Checking for function pthread_create     : yes
Checking for function pthread_atfork     : yes
Checking for futimes(2)                  : yes
Checking for readahead(2)                : yes
Checking for fdatasync(2)                : yes
Checking for pread(2) and pwrite(2)      : yes
Checking for sendfile(2)                 : yes
Checking for sync_file_range(2)          : yes
--- libev ---
Checking for header sys/inotify.h        : yes
Checking for function inotify_init       : yes
Checking for header sys/epoll.h          : yes
Checking for function epoll_ctl          : yes
Checking for header port.h               : not found
Checking for header poll.h               : yes
Checking for function poll               : yes
Checking for header sys/event.h          : not found
Checking for header sys/queue.h          : yes
Checking for function kqueue             : not found

Rather than run into mysterious errors later, I’ll go ahead and install all the dependencies mentioned in the post:
sudo apt-get install g++ curl libssl-dev apache2-utils

But it doesn’t correct the problem. Doh! Oh, well. I’ll deal with any errors later.

Continuing on, I run make (it’s been a while since I watched C compile), and then sudo make install:

'install' finished successfully (0.239s)


Rather than starting with the tutorial’s translation example, I opt for the hello world example on the Node site:

var http = require('http');
http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/plain'});
  res.end('Hello World\n');
}).listen(8124, "");
console.log('Server running at');

I tried loading this, but no response. However, I grappled with my vm’s firewall recently enough to remember that I hadn’t opened port 8124, so I update the code to use port 80, and re-launch, but still get no response. Undaunted, I tell ufw to take a break:
sudo ufw disable && sudo shutdown -r now

Upon trying again, I noticed that I had the address wrong earlier – pilot error – but before enabling ufw, let’s see if we can get a response.

Curling returns “hello world”, but I’m not able to see this server from my laptop, i.e., curl doesn’t work.

Update (11/22/10): check out Padraig’s comment below about binding to

It’s getting late, so this is a race against mental mutiny. Desparate, I stumble across another node.js + Ubuntu tutorial, and blindly install everything. I launch as per the instructions, bounce over to the browser, and … it works. Awesome. To the author of that post, nice job.

Ok. That’s enough for tonight. I’ll revisit this again later and try to understand what just happened.

In parting: Cats! In 3D! Don’t think. Just stare.

Cats Anaglyph 3D اناگلیف
Photo credit: Shahrokh Dabiri

getting started with Ubuntu server, continued

I’ve been playing around with an Ubuntu 10.10 64-bit server vm for the past couple days. My previous post ended with me unable to ssh into the vm. Today, I read a post on serverfault that got me thinking about trying to ping the vm. For whatever reason, I might have more success with that than ssh.

The post also mentioned turning off the firewall, which seems like a logical step, though I’ve been paranoid for so long, I’m uncomfortable doing so, even on a vm. Nevertheless, I turned off the firewall: sudo ufw disable

Restarted the vm: sudo shutdown -r now

Ran ifconfig to confirm that the ip hadn’t changed: ifconfig

But it had. It was now something like, which looked off. It didn’t seem like something I could ssh into. When I was hacking around the other day, I had tried configuring the vm to use a bridged network. I now switched back to the default NAT setting: Virtual Machine > settings > Network > Share the Mac’s network connection

I restarted the machine, and ran ifconfig again. Now it was back to an ip that looked more familiar:
… inet addr: …

From my Mac, I tried pinging the vm: ping

To my surprise, it responded. Amazing. I tried ssh’ing in and was rejected with
ssh: connect to host port 22: Connection refused.

Then I remembered I had set the ssh port to 2222, and tried again:
ssh erik@ -p 2222

Success! Amazing again. Then I went overboard and turned the firewall back on, sudo ufw enable, and restarted, but it still worked(!). I checked the status of the firewall just to make sure I wasn’t delusional: sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
2222                       ALLOW       Anywhere
22                          ALLOW        Anywhere
80/tcp                     ALLOW       Anywhere

This is madness, but it’s working, so I’m not complaining.

To wrap up the ssh piece, I want to configure ssh to use a public key instead of a password. I’ll follow the SSH/OpenSSH keys tutorial on the Ubuntu wiki.

I created a new ssh key, ssh-keygen -t rsa, and save it in a file called ~/.ssh/erik_rsa.

Then I copied the key to the vm:
scp -P 2222 ~/.ssh/ erik@

Ideally (for me), the vm would now just automagically prefer public key authentication. I gave it a shot and immediately tried ssh’ing into the vm, but it still prompted me for a password. Oh well.

I edited the sshd_config file to uncomment the line AuthorizedKeysFile %h/.ssh/authorized_keys and set PasswordAuthentication to “no”, and then restarted sshd: sudo /etc/init.d/ssh restart

I exited the vm, and tried ssh’ing in again, this time specifying the location of my shiny new ssh key: ssh erik@ -p 2222 -i ~/.ssh/erik_rsa

Wow. It worked. I’m always astounded when things like this actually work. Mac prompted me to enter my passphrase, and then I was in.

Now that I can ssh and I have a firewall, it’s time to move on to the next step of the security wiki … hmm … well, before I dive into denyhosts and fail2ban, I think I’ll play around with the real reason I wanted to get an OS up and running, to install node.js.

getting started with ufw on Ubuntu server

Rather than read the entrails of iptables syntax, I’d prefer to continue respecting myself, and use something more user-friendly, something like the Uncomplicated Firewall (ufw). I just learned about this, but it’s the Ubuntu default. I’d like to have faith, but for now I just hope it doesn’t suck.

The UFW wiki page linked above states “Setting the default mode of ufw is recommended before turning it on …”: sudo ufw default deny

That was easy. Next, I’ll enable it: sudo ufw enable

Now, I’ll allow port 2222 for ssh: sudo ufw allow 2222

And allow port 80 for tcp: sudo ufw allow 80/tcp

Check the current settings: sudo ufw status

Turn on logging: sudo ufw logging on

Ubuntu’s saying I need to restart in order for the changes to take effect. Fingers-crossed. Holding breath: sudo shutdown -r now …

As an aside, why does it have to be this way? Why can’t we just know that it will work? To be fair, UFW does seem pretty simple, and UFW’s –dry-run might be exactly what I’m looking for. Hopefully, UFW keeps me safe. Once I figure out how to automate deployment, things might be ok.

Ok, let’s check on the our ability to log in locally …

Good. I can still log in locally, so I didn’t lock myself out utterly. Checking local ssh as a sanity check: ssh -v localhost -p 2222

That works. Checking remote log in: ssh erik@ -p 2222

Hmm. That still doesn’t work, and nothing is showing up in either /var/logs/auth.log or /var/logs/messages. Lemme try viewing the iptables directly:
sudo iptables -L

Wow. UFW knows how to generate iptables. The list goes on forever. Let’s try again w/ less: sudo iptables -L | less

I can see 2222, www, and ssh allowed, so it’s not obvious why I can’t ssh in. Following a couple suggestions on the vmware forums, I set /etc/hosts.allow to “SSHD:ALL”, and set networking to “bridged”, but still no luck.

Ok. I’ll hang it up for now. Here’s a nice, soothing picture of a kelp forrest to chill out to:

Kelp Forrest at Monterey Bay Aquarium
Photo credit: Moral Threat

getting started with Ubuntu server security

In preparation for playing around with a VPS, I’d like to get familiar with Ubuntu 10.10 64-bit server. I grabbed the iso from their download page and installed it on vmware. Please pause with me and feel gratitude for Ubuntu. Thank you, Ubuntu, for being awesome. I was going to pick a more commercially popular OS, but I value my life, and Ubuntu was made with humans in mind.

The first thing I want to look at is security. Ubuntu’s forum has a sticky for general, intro-level security.

Ubuntu Wiki configure SSH seems like as good a place as any to get started.

This wiki page leads with “Once you have installed an OpenSSH server…”, so I set off to install openssh-server: sudo apt-get install openssh-server

But that gave me an error about openssh-server not being available for my system. After some digging, I got the impression that I might just need to update my system:
sudo apt-get update

Yup, that was it. Whew! I’m grateful it wasn’t a multi-hour quest for some random config setting.

Allegedly, after installing openssh, I should be able to ssh in right away. I ran ifconfig to get my vm’s ip address, and then tried it: ssh erik@

ssh: connect to host port 22: Permission denied.

Well, at least it’s talking to me. I think we’re ready to move on with the wiki.

I was able to make a backup of the default ssd_config file and set permissions on it without issue. On to customizing my sshd_config file: sudo vi /etc/ssh/sshd_config

  • Change PasswordAuthentication to “no”
  • I didn’t see a default setting for AllowTcpForwarding an X11Forwarding, so I added entries to turn each of these off
  • I added an AllowUsers entry for my username
  • Changed LoginGraceTime from 120 to 20
  • Changes the LogLevel from “INFO” to “VERBOSE”
  • Uncommented the Banner entry, and changed the file name from “” to “issue” for simplicity. I’ll defer setting the contents of this file.
  • I also changed PermitRootLogin to “no”

As a sanity check, I ran ps -A | grep sshd to confirm sshd is running. As a second sanity check, I tried logging in via the local machine: ssh -v localhost. Amazingly, this also worked.

Ok. Moment of truth. Restarting sshd: sudo /etc/init.d/ssh restart.

Doh! I forgot to add my ssh key before disabling password login. Quick edit to restore PasswordAuthentication. Trying again … Connection refused on port 22. Oh, yeah. I changed it to 2222. Trying again … success! – from the local machine. Still can’t ssh in from a remote host. Time to check the ssh log: tail -f /var/log/auth.log

My ssh requests aren’t showing up in the logs. Time to look into the iptables settings. I’m guessing there’s a rule in there to ignore ssh, or no rule to allow ssh. I’ll continue this in another post.