Linux service configuration

Service configurations

Run levels and targets

  • 0 - power system off (poweroff.target)
  • 1 - single user mode (rescue.trarget)
  • 2 - Multi user mode (multi-user.target)
  • 3 - Multi user mode (multi-user.target)
  • 4 - Multi user mode (multi-user.target)
  • 5 - Multi user graphics mode (graphical.target)
  • 6 - Reboot system (reboot.target)

Check current target "systemctl get-default".

Check available targets "systemctl list-units —type target".

Isolate target "systemctl isolate graphical.target".

Checking system logs "cat /lib/systemd/system/rsyslog.service".

Checking target wants "cat /etc/systemd/system/multi-user.target.wants".

Configure SSH servers and clients

  • Access systems remotely with a text interface
  • OpenSSH provides server and client packages

Installing open ssh "sudo apt install openssh-server".

Configuration for ssh server "cat /etc/ssh/sshd_config".

Controlling access by user:

  • AllowUsers name1 name2
  • DenyUsers name1 name2
  • AllowGroups name1 name2
  • DenyGroups name1 name2

Controlling access by host:

  • We use "/etc/hosts.deny"
  • sshd: 10.0.2.0/8
  • Or we could use firewall rule

Restarting ssh "systemctl restart sshd".

Installing open ssh client "sudo apt install openssh-client".

Connecting to the server "ssh root@10.0.2.5".

Local config for user in file ".ssh/config":

Host myserver
HostName 10.0.2.5
Port 22
User name

After providing such configuration we can write "ssh myserver" and connect.

Using Keys with SSH

  • Key pair instead of password
  • Kay pair: public key and private key
  • Usually generated by a user, who the shares a public key with others
  • Tool for generating key "ssh-keygen" (default: RSA algorithm, 2048 bits)

Generating key pair "ssh-keygen". Checking public key "cat .ssh/id_rsa.pub". Adding ssh public keys to ".ssh/authorized_keys" gives ssh access. Configuring ssh server in "/etc/ssh/sshd_config" might be needed, including setting "PublicKeyAuthentication yes" and "PasswordAuthentication no" option. Reloading ssh server demon "systemctl restart sshd". Login using ssh public key "ssh root@host -i .ssh/id_rsa". Setting ssh public key permanently possible in ".ssh/config" by adding "IdentityFile ~/.ssh/id_rsa".

Configure an HTTP server

Installing apache "apt install apache2". Configuration file "/etc/apache2/apache2.conf". Checking installed module "apachectl -M". Enabling and disabling modules "a2enmod|a2dismod". Checking available modules "apt list libapache2-mod*".

Set up name-based virtual web hosts

  • Host are than one site on one server
  • Internet-facing sites will need suitable DNS

Creating a Virtual Host:

  1. Create .conf file in /etc/apache2/sites-available
  2. Edit .conf file with the site’s name and other configs
  3. Enable the new site (a2ensite)
  4. Restart Apache

Configure SSL on and HTTP server

Encrypting a web connection:

  • HTTPS/SSl/TLS
  • An encrypted connection is essential on the modern web
  • Browsers will indicate the security of a connection to viewers
  • To configure : get a certificate and configure Apache

Certificates:

  • Get a certificate from a certificate authority (CA) or generate your own
  • Comodo, IdenTrust, Symantec or Let’s Encrypt
  • To get a certificate from a CA, you need a domain name
  • Generating certificate "openssl req -x509 -newkey rsa:2048 -keyout mykey.key -out mycert.pem -days 365 -nodes"
  • pem => Privacy enhanced mail

Seeing up certificates:

  • Certificates must be copied into corresponding directories
  • "cp mycert.pem /etc/ssl/certs"
  • "cp mike.key /etc/ssl/private"
  • Enabling ssl for apache2 "sudo a2enmod ssl"

Configure HTTP server log files

Apache logs:

  • Logs track important activity
  • Apache2 has access and error logs
  • access.log - requests from clients and server response
  • error.log - problems the server itself has (not client errors)
  • Located in /var/log/apache2/

Restrict access to a webpage

Host-based access:

  • /etc/site-available/sitename.conf

Using allow rules:

<VirtualHost *:80>
	Require ip 10.0.2.0/24
	Require host example.com
</VirtualHost>

Or using deny rules:

<VirtualHost *:80>
	<RequireAll>
		Require all granted
		Require not ip 10.0.2.0/24
	</RequireAll>
</VirtualHost>

Configure a database server

  • Installing mysql "apt install mysql-server"
  • Secure mysql installation "mysql_secure_installation"
  • Connecting to mysql "mysql -u root -p"

Configure a time synchronization server

Network time:

  • Network time protocol (NTP)
  • NTP servers are organized in strata
  • Computers’s clocks need to be constantly nudged
  • The chrony software can act as an NTP client and server
  • Installing chrony "apt install chrony"
  • Configuration "/etc/chrony/chrony.conf"

Configure a client to communicate with an NTP server

  • Adding self hosted time server
  • In chrony config "server 10.0.2.5 iburst prefer"
  • Restart crony "systemctl restart chrony"

Configure remote logging

  • Log config file is located in "/etc/rsyslog.conf"
  • Restarting log service "systemctl restart rsyslog"