Server Administration Notes

This page has some specific notes/links to more advanced configuration instructions. We have a beginner server administration cheat-sheet for our clients over at Ubuntu VPS Administration.

Apache


There's plenty of stuff out there about Apache configuration.

We're currently learning the Debian way, with its tools a2enmod and a2ensite for enabling sites and modules.

For quite some time we've been using mod_authmysql for authentication, a simple module we've compiled for Apache 1 and 2. Now Debian/Apache comes with a similar but different mod_auth_mysql (note the extra underscore in the name).

Here's a helpful site explaining the (slightly different) directives: http://www.cgi101.com/class/password/mod_auth_mysql.html

Asterisk @ Home


Our latest venture: Asterisk

Certificate Authority


Backup removable drives

DNS


Email


Firewall



Shell/Screen


We make great use of the Screen command to keep track of a shell session, even after being disconnected. Here's a command to add to the .screenrc file, to allow the scrollbar to work when you're in a screen:

Q: My xterm scrollbar does not work with screen.

A: The problem is that xterm will not allow scrolling if the alternate text buffer is selected. The standard definitions of the termcap initialize capabilities ti and te switch to and from the alternate text buffer. (The scrollbar also does not work when you start e.g. 'vi'). You can tell screen not to use these initialisations by adding the line
termcapinfo xterm ti@:te@
to your ~/.screenrc file.

Multi-user screen

  1. setuid root /usr/bin/screen
  2. chmod 755 /var/run/screen
  3. Start a screen
  4. Hit Ctrl-a, type ":multiuser on" and press enter.
  5. Hit Ctrl-a, type ":addacl " and press enter.
Then the other user can connect with syntax like:
  • screen -r john/13544.pts-1.sahale
(the actual stuff to put after the slash can be found with screen -list)

Shared screen

This technique is useful for allowing temporary access to untrusted users. Instructions are Ubuntu-focused...
  1. sudo passwd # you need to have a root password, because we'll be using su instead of sudo
  2. sudo adduser tempuser # set password
  3. From another machine, ssh tempuser@host # need to be logged in as the same user to share screen
  4. screen
  5. (provide username/pw to user)
  6. (instruct user to type "screen -x" to join your screen)

Now you're in a shared screen and can use su to grant temporary root access.

SSH Keygen

We manage servers using SSH keys, because we've seen people hack into machines protected only with a password. Here's how to create an SSH keypair:

Generally, you create it on the machine you're connecting from, and then copy the key to the machine(s) you want to connect to.

  1. Open a shell on your client machine (should work on a Mac...)
  2. Type: ssh-keygen -t rsa ... and press enter.
  3. It should tell you where it's going to save the private key, named id_rsa. Use the default for easiest operation...
  4. If the client machine is a laptop, use a passphrase to protect it. Otherwise anyone gaining access to the key file can log in as you. For home machines/secure machines/automatic processes (such as network backups) leave the passphrase blank.
  5. You'll end up with two files: ~/.ssh/id_rsa (your private key) and ~/.ssh/id_rsa.pub (your public key).

Put both keys on your client machines. Copy the contents of id_rsa.pub into your ~/.ssh/authorized_keys file (create it if it doesn't exist) on each server. Voila, secure, password-free logins!

You may be able to add it to your Mac keychain to really simplify logging in--type your passphrase once, and have access to the machines until you log out.

In Windows, the popular PuTTY program has a key generation function built in.

I often use USB thumbdrives to transfer keys, but you should be able to copy them over using Samba or any other way you can log in... Your id_rsa.pub file is public, and is not at all sensitive--but protect the id_rsa file, and only put it on machines you know you'll need to use for logging in!

LTSP

See LTSP notes.

Nagios


Nagios

Samba


Auto-configure printers using RAW print spool

  1. Edit smb.conf to make sure the print$ share is there... change the default print command to the version for server-side drivers.
  2. Add smbpasswd -a root so that you can use rpcclient and configure from Windows.
  3. Copy the generic PostScript drivers to /var/lib/samba/printers/W32X86 :
       PS5UI.DLL A 129024 Fri Mar 10 13:33:37 2006
       PSCRIPT.HLP A 26038 Fri Mar 10 13:33:37 2006
       PSCRIPT.NTF A 792644 Fri Mar 10 13:33:37 2006
       PSCRIPT5.DLL A 455168 Fri Mar 10 13:33:37 2006
  4. Run cupsaddsmb -a to add the already configured ppd file for your printers. This doesn't finish successfully on Mandriva.
  5. Do not copy drivers into the 3/ folder--the rpcclient command does that. Run this to check the drivers:
       smbclient //foraker/print\$ -U root -c 'cd W32X86; pwd; dir; cd 3; pwd; dir'
  6. Run rpcclient adddriver as follows:
       rpcclient localhost -U root -c 'adddriver "Windows NT x86" "HPPhotoSmart2600:PSCRIPT5.DLL:HPPhotoSmart2600.PPD:PS5UI.DLL:PSCRIPT.HLP:NULL:RAW:PSCRIPT.NTF" SAMBA-CUPS'
     (that's drivername:PSCRIPT5.DLL:driver.PPD:PS5UI.DLL:PSCRIPT.HLP:Driver language:RAW:PSCRIPT.NTF for the long string)
  7. Associate the printer with the driver:
       rpcclient localhost -U root -c 'setdriver HPPhotoSmart2600 HPPhotoSmart2600'
  8. On the Windows client, connect to print$ as root:
       net use \\servername\print$ /user:root
  9. Install the driver by going to \\servername\printername.
  10. Edit the driver properties: change page rotation to landscape, apply, then go back. This finishes setting up the driver correctly, and sets the defaults for future installations.

Done!

Samba as domain controller

Add a machine account

useradd -d /dev/null -s /dev/null machinename\$
smbpasswd -a -m machinename

Site Monitoring Script

The chkdomains script is a basic site monitoring script that we use on our sites. It is run automatically every few minutes and will alert the system administrators of a server outage.

We run it with the command line PHP interpreter, called from a cron job.

We store it at /var/www/conf/chkdomains.php

chkdomains.php
basic site monitoring script
sends an email when the status is different from the previous run of the script

installation instructions
create a /var/www/conf directory to store this
/var/www/conf/status contains the cached result
this must be writable by the user running the job
add a URL to the $site array for each site to check
set $mailto to the appropriate email addresses, comma separated
schedule the cron job (the PHP command line package php_cli is required)

The status file needs to be writable by the script (the user account
that runs the script)

on the server that is to be checked, create a text file called "FILENAME" containing your success string; this must match exactly, newlines and whitespace matter.

Testing instructions
delete domain_uptime.txt
run the script
check the contents of the new domain_uptime.txt file
check your email

files:
on each server, uptime.txt
on the monitoring system:
/var/www/conf/chkdomains.php (this file)
/var/www/conf/status/domain_uptime.txt consists of 1's and 0's and newlines
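As an added example (not the page's own chkdomains.php), here is the same monitoring logic in Python: fetch each URL, compare the body exactly against the expected success string, write one 1/0 line per site to the status file, and mail only when a site's status differs from the previous run (no cache means everything counts as changed, which is why deleting domain_uptime.txt is the documented test). The names SITES, MAILTO, STATUS_FILE, fetch_site, check_sites and send_alert, the sample URL and the local MTA on port 25 are assumptions.

```python
import smtplib
import urllib.request
from email.message import EmailMessage
from pathlib import Path
# Constructed sample config; each body must equal its string exactly.
SITES = {"http://example.org/uptime.txt": "OK\n"}
MAILTO = "admin@example.org"  # assumed alert address
STATUS_FILE = Path("/var/www/conf/status/domain_uptime.txt")

def fetch_site(url, timeout=10):
    """Response body, or None on any network/HTTP error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except Exception:  # DNS failure, timeout, refused, 5xx
        return None

def site_status(body, expected):
    """1 only when the body equals the success string exactly."""
    return 1 if body is not None and body == expected else 0

def read_previous(path):
    """Last run's 1/0 lines in SITES order, or None without a cache."""
    return [int(x) for x in path.read_text().split()] if path.exists() else None

def check_sites(sites, previous, fetch=fetch_site):
    """Return (current statuses, [(url, old, new)] for changed sites).
    With no cache every site counts as changed, so deleting
    domain_uptime.txt and re-running always produces a report."""
    current = [site_status(fetch(u), exp) for u, exp in sites.items()]
    prev = (previous or []) + [None] * len(current)  # pad missing entries
    changed = [(u, o, n) for u, o, n in zip(sites, prev, current) if o != n]
    return current, changed

def send_alert(mailto, changed):
    """Mail a one-line-per-site summary via the local MTA (assumed)."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "chkdomains: status change", mailto, mailto
    msg.set_content("\n".join(f"{u}: {'UP' if new else 'DOWN'} (was {old})"
                              for u, old, new in changed))
    with smtplib.SMTP("localhost") as smtp:
        smtp.send_message(msg)

if __name__ == "__main__":
    current, changes = check_sites(SITES, read_previous(STATUS_FILE))
    STATUS_FILE.parent.mkdir(parents=True, exist_ok=True)
    STATUS_FILE.write_text("".join(f"{s}\n" for s in current))
    if changes:  # only mail when something changed
        send_alert(MAILTO, changes)
```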

Jabber Server


http://jabberd.jabberstudio.org/1.4/doc/adminguide
(I finally found some documentation from a link in /usr/share/doc/jabberd/)