How to setup your server with Debian (small)

I chose Debian for my Linode because it uses the least space compared to other distros, and it makes managing packages on the server much easier (install: apt-get install , upgrade them all: apt-get upgrade)

It can be confusing for beginners though (eg: me :) ) - for example: installing from source may not always work straight away because the software may require another software that's not installed yet, etc.

So here it is, a guide for other Debian Linode users. Hope it'll help you in configuring your Linode:

http://www.harrysufehmi.com/phpwiki/index.php/SettingUpLinuxServer

I'll update it along as I add more services to my server, when I do I'll post in this thread to let you know.

cheers,

Harry

31 Replies

Hey Harry,

I tried out your little walkthrough but got stuck on the firehol install. Going step by step with Debian on my Linode, I got to the part where you start the shell script. I got the following error:

```
(none):/downloads/firehol-1.191# ./firehol.sh start

ERROR:  Command 'less' not found in the system path.
        FireHOL requires this command for its operation.
        Please install the required package and retry.
```

So, I installed less via apt-get install less, then retried the install:

```
(none):/downloads/firehol-1.191# ./firehol.sh start
ERROR:  Command 'lsmod' not found in the system path.
        FireHOL requires this command for its operation.
        Please install the required package and retry.
```

At this point, there is no lsmod on my Debian Linode and I can't see where it exists in any apt-get package.

Any thoughts?

Thanks

Ron

It's in the modutils package.

more fun…

```
IMPORTANT WARNING:
------------------

FireHOL cannot find your current kernel configuration.
Please, either compile your kernel with /proc/config,
or make sure there is a valid kernel config in:
/usr/src/linux/.config

Because of this, FireHOL will simply attempt to load
all kernel modules for the services used, without
being able to detect failures.

FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file /etc/firehol/firehol.conf: OK
FireHOL: Activating new firewall (167 rules):

WARNING : This might or might not affect the operation of your firewall.
WHAT : A runtime command failed to execute (returned error 255).
SOURCE : line FIN of /etc/firehol/firehol.conf
COMMAND : /sbin/modprobe ip_conntrack_ftp -q
OUTPUT :

modprobe: Can't open dependencies file /lib/modules/2.4.26-linode29-1um/modules.dep (No such file or directory)

OK
```

You can find the most recent .config here:

http://www.linode.com/forums/viewtopic.php?p=2690#2690

It hasn't changed much at all since the linode21 kernel, and CONFIG_IP_NF_CONNTRACK is enabled.

Modules are disabled inside the Linode kernels for security reasons. You can ignore that warning message, most likely.

-Chris

sufehmi great info on your site thanks very helpful

@You_Wish:

> sufehmi great info on your site thanks very helpful

You're welcome.

However please be advised that it's not ideal. My goal is to create a tutorial to setup a webhosting server (on Debian), however I'm still compiling some packages (instead of installing via apt-get)

This is a problem because every time there's a new release for that package (eg: security patch), then you'll have to recompile again.

(while updating Debian packages is as simple as apt-get update then apt-get upgrade)

FYI.

Thanks,

Harry

any progress on this? :D

as in: I got several errors while trying to install this all… especially with OpenSSL - a lot of missing file errors :(

Ok, found a little mistake :)

apt-get install make

apt-get install gcc

apt-get install libgcrypt-dev

You need those - the first 2 are logical, but the last one isn't that obvious :p

@Moose:

> Ok, found a little mistake :)
>
> apt-get install make
>
> apt-get install gcc

Sorry - now I've put those steps at the beginning of the guide.

> apt-get install libgcrypt-dev

Strange… I think if you have installed OpenSSL, then you shouldn't need to do that.

Anyway, I'm very busy at the moment, but I'll reinstall the server in a few weeks time. Then I'll use that opportunity to change as much of the install routine to use apt-get (instead of manual compile), get them in the right order, and add more stuff to that documentation.

I'll let you know when I do.

Thanks,

Harry

It might also be a good idea to edit out the additional OpenSSH instance, and remind users that they can just connect directly to their Linode's console through the host. This saves a few minutes of time setting up and removes the need to keep checking for updates :)

@Quik:

> It might also be a good idea to edit out the additional OpenSSH instance, and remind users that they can just connect directly to their Linode's console through the host. This saves a few minutes of time setting up and removes the need to keep checking for updates :)

Excellent idea !

It's just that I'm used to installing at least 2 instances of sshd, because I've had enough of being locked out from my own server :)

Well that's very true for a dedicated server, but as you said, we don't need it for a Linode server :D

Thanks,

Harry

Great work Harry.

I've taken your page, and combined it with other information I've found and tried, to begin creating a similar tutorial. I'm no fan of forks - perhaps we can combine at some point?

I'm using .deb packages wherever possible to simplify and shorten the setup.

The downside is that a config from my tutorial will be behind the "latest and greatest" as much as the official Debian packages are.

http://wiki.gednet.com/DebianServerSetup

It's not complete (no web/db/email services yet), but I'm making progress. Commenting is enabled, so everyone feel free to let me know if I've missed - or messed up - any items.

Cheers,

ged

@ged:

> Great work Harry.
>
> I've taken your page, and combined it with other information I've found and tried, to begin creating a similar tutorial. I'm no fan of forks - perhaps we can combine at some point?

I have no problem at all with that, in fact I'll be happy to.

> I'm using .deb packages wherever possible to simplify and shorten the setup.
>
> The downside is that a config from my tutorial will be behind the "latest and greatest" as much as the official Debian packages are.

After a few problems in the past, my primary concerns now are security, maintainability, and reliability; that's why I stick to Debian stable:

- They're maintained by Debian's security team
- Using Debian packages enables Webmin to pick them up automatically (I've tried getting Webmin to recognise manually-installed packages - it's very time consuming at least)
- Upgrading / updating is a snap

Some people may say you're lame for using Webmin - but my concern is to manage as many servers using as little time as possible (including time needed to learn each software packages)

> http://wiki.gednet.com/DebianServerSetup
>
> It's not complete (no web/db/email services yet), but I'm making progress. Commenting is enabled, so everyone feel free to let me know if I've missed - or messed up - any items.

Great stuff ged… finally I found some info on setting up Apache+SSL using Debian packages (still messes this one up) - thanks. Also some other very interesting information.

One question - why installing qmail from source ? (the link to qmail install tutorial)

I've tried it, and it's still painful even after using easy to follow guide such as qmailrocks.org; I ended up using postfix (it's a one-page config using webmin). My friend uses ezmlm-qmail and he installed the Debian package.

Let me know if I'm missing something obvious here.

cheers,

Harry

@sufehmi:

> I have no problem at all with that, in fact I'll be happy to.

Great!

@sufehmi:

> After a few problems in the past, my primary concerns now are security, maintainability, and reliability; that's why I stick to Debian stable

I agree. I've only made a couple of exceptions so far: webmin and phpMyAdmin are installed from source (easy though). And the Apache/MySQL/PHP-related packages come from http://dotdeb.org's .deb repository which gets updates as well, but they're not official.

I'd prefer the stable packages rather than dotdeb, if stable is debugged/secure enough. What do you think?

I'm nixing qmail, actually, though I haven't updated the tutorial. I'm looking at a Postfix solution instead. I have been reviewing a few different tutorials to try to find a Debian-stable solution, and I am leaning toward something like this one (which is part of the install docs for PHPMyWebHosting). I think it might work well, and it uses standard packages.

@sufehmi:

> Some people may say you're lame for using Webmin - but my concern is to manage as many servers using as little time as possible (including time needed to learn each software packages)

Well, whatever. :? Hey, I'm open to other ideas. :)

Update:

I've been searching around for a good virtual mail howto that is simple to set up. No dice. The one I mentioned above is fairly complicated, and none of the howtos I saw using Postfix+Courier+MySQL talked about how to use the system once it's in place. Go figure.

So I'm on the fence between qmail+vmailmgr and Postfix+etc. Vmailmgr has a command-line interface which would work well for me, but it's not part of the Debian distribution.

Sorry for the late reply, just returned from a week's holiday in Scotland. I've forgotten how nice a holiday can be :shock: highly recommended !

@ged:

> @sufehmi:
>
> > I have no problem at all with that, in fact I'll be happy to.
>
> Great!

I just finished installing a plain Debian server at home. I'll use it to make my guide better, also utilising information in yours.

I just updated my guide to reflect this, also have started to incorporate some bits and pieces from your guide.

> @sufehmi:
>
> > After a few problems in the past, my primary concerns now are security, maintainability, and reliability; that's why I stick to Debian stable
>
> I agree. I've only made a couple of exceptions so far: webmin and phpMyAdmin are installed from source (easy though). And the Apache/MySQL/PHP-related packages come from http://dotdeb.org's .deb repository which gets updates as well, but they're not official.
>
> I'd prefer the stable packages rather than dotdeb, if stable is debugged/secure enough. What do you think?

Agree, I'd prefer that as well.

> I'm nixing qmail, actually, though I haven't updated the tutorial. I'm looking at a Postfix solution instead. I have been reviewing a few different tutorials to try to find a Debian-stable solution, and I am leaning toward something like this one (which is part of the install docs for PHPMyWebHosting). I think it might work well, and it uses standard packages.

Thanks for the info, I'll use it when installing Postfix in this test server.

> Update:
>
> I've been searching around for a good virtual mail howto that is simple to set up. No dice. The one I mentioned above is fairly complicated, and none of the howtos I saw using Postfix+Courier+MySQL talked about how to use the system once it's in place. Go figure.

I noticed that too…. well, it seems that our guide will be filling a lot of holes once finished.

> So I'm on the fence between qmail+vmailmgr and Postfix+etc. Vmailmgr has a command-line interface which would work well for me, but it's not part of the Debian distribution.

Fortunately, we have quite supportive Postfix community in Indonesia - so fingers crossed, I'll be able to set it up for virtual mail.

I'll keep you posted.

cheers,

Harry

Yes, I'll be on holiday soon myself (Maine here in the US), which is a good thing. I will hopefully go before I lose it and yell at my boss' boss. It's been one of those months.

:D -> :) -> :? -> :( -> :x -> :evil:

In any case, I'm glad to let someone else piece through the Postfix virtual mail puzzle - it gives me a headache. What I'm hoping to generate is a secure virtual mailhosting setup with IMAP support, where the domain & mailuser can be configured via mySQL. (Kind of like using the mysql-include module for Apache.) Add a domain and mail users to the DB, restart the appropriate services (if necessary), and voila. That's my hope anyway.

Since there seem to be so many manual changes that need to be made to support it, perhaps we can put together something like this tutorial for qmail on Debian, but for Postfix:

http://www.qmailrocks.org/install_db.htm

They make the process simpler by scripting many of the manual changes.

Let me know what you think.

ged

@ged:

> What I'm hoping to generate is a secure virtual mailhosting setup with IMAP support, where the domain & mailuser can be configured via mySQL. (Kind of like using the mysql-include module for Apache.) Add a domain and mail users to the DB, restart the appropriate services (if necessary), and voila. That's my hope anyway.
>
> Since there seem to be so many manual changes that need to be made to support it, perhaps we can put together something like this tutorial for qmail on Debian, but for Postfix

Hi Ged,

Sorry, been busy with life & office in the past few weeks - anyway, looks like someone has beat us to it :

http://www.workaround.org/articles/ispmail/

I'm gonna give it a try as soon as possible, then I'll let you know.

cheers,

Harry

A few updates:

- A bit of extra information on how to avoid logcheck sending huge reports to you (hint: specify entries that can be safely ignored)
- Firehol config updated - example to blacklist IP addresses (useful in case of DoS/DDoS), avoiding dhclient filling logs with junk
- Information to set up postfix ala ISPs (database-based virtual domain, anti-virus/spam, webmail, etc)

http://www.harrysufehmi.com/phpwiki/index.php/SettingUpLinuxServer

cheers,

Harry

@caker:

> Modules are disabled inside the Linode kernels for security reasons. You can ignore that warning message, most likely.
>
> -Chris

Ok, I'm ignoring it – but Firehol does say specifically: "FireHOL requires this command for its operation".

And in http://www.harrysufehmi.com/phpwiki/index.php/SettingUpLinuxServer#firewall

(just above http://www.harrysufehmi.com/phpwiki/index.php/SettingUpLinuxServer#serverhardening ) we read "If you see that your 7-lines firehol.conf becomes 150-lines of iptables commands, …"

That hasn't happened!

How do we know if Firehol is working or not?

@SunZoomSpark:

> How do we know if Firehol is working or not?

Try accessing the ports of the server which has been blocked by Firehol, see if it's REALLY blocked.

btw; wow, an ancient thread :)

or:

sudo firehol status

will produce the output of /sbin/iptables -nxvL | /usr/bin/pager.

Cliff

Right now any command (eg: start, stop, explain, debug, status, helpme) to firehol.sh generates this message:

```
ERROR: Command 'lsmod' not found in the system path.
FireHOL requires this command for its operation.
Please install the required package and retry.

Note that you need an operational 'which' command
for FireHOL to find all the external programs it
needs. Check it yourself. Run:

which lsmod
```

Output from /sbin/iptables -nxvL is

```
Chain INPUT (policy ACCEPT 77661 packets, 45148429 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 60343 packets, 7237447 bytes)
pkts bytes target prot opt in out source destination
```

I don't think firehol is working yet.

Hi,

You are right – firehol did not create a firewall (iptables).

To resolve this you can either hack on firehol (so it doesn't require lsmod as a dependency) or you can install /bin/lsmod.

Debian:

```
apt-get install module-init-tools
```

Even though we can't use kernel modules on a Linode, having that package installed causes no harm.

Another thing you might want to do to appease firehol's environment checks, is this (as root):

```
mkdir /usr/src/linux-fake
ln -s /usr/src/linux-fake /usr/src/linux
zcat /proc/config.gz > /usr/src/linux/.config
```

That will kill the warning message firehol exudes when it can't find the non-existent kconfig file.

Cliff

Forever in your debt c1i77 …

@c1i77:

> … you can install /bin/lsmod

So that is what I did and all I had to do!

I haven't looked at iptables closely yet, but output from /sbin/iptables -nxvL | wc -l is 223 lines.

Attempted connections to rejected ports get closed immediately, so I guess firehol is now set up.

Thanks++
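The check discussed in the posts above (an empty `iptables -nxvL` listing versus a populated one), as an added shell example that is not part of the original thread or of FireHOL. The function names and the second sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `iptables -nxvL` text whether a ruleset is loaded.

# Empty ruleset, as in the output quoted earlier in the thread.
EMPTY_RULESET='Chain INPUT (policy ACCEPT 77661 packets, 45148429 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 60343 packets, 7237447 bytes)
pkts bytes target prot opt in out source destination'

# Constructed sample of a loaded ruleset (chain name and counters are made up).
LOADED_RULESET='Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12 720 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
340 20400 in_world all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain in_world (1 references)
pkts bytes target prot opt in out source destination
5 300 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22'

# Print "<chain> <policy> <rule count>" for each chain read from stdin.
# User-defined chains have no policy and are shown with "-".
summarize_chains() {
    awk '
        $1 == "Chain" {
            if (chain != "") print chain, policy, rules
            chain = $2; rules = 0; policy = "-"
            if ($3 == "(policy") { policy = $4; sub(/\)$/, "", policy) }
            next
        }
        $1 == "pkts" { next }               # column header line
        NF > 0 && chain != "" { rules++ }   # anything else is a rule
        END { if (chain != "") print chain, policy, rules }
    '
}

# Exit 0 if any chain holds a rule or has a non-ACCEPT policy, else 1.
firewall_active() {
    summarize_chains | awk '
        $3 > 0 || ($2 != "ACCEPT" && $2 != "-") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

for sample in "$EMPTY_RULESET" "$LOADED_RULESET"; do
    printf '%s\n' "$sample" | firewall_active && echo "rules loaded" || echo "no rules loaded"
done
```

On a live host the same check is `iptables -nxvL | firewall_active`, run as root. A populated listing only shows that rules exist, so the port test suggested earlier in the thread is still the way to confirm they block what you intended.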

It would appear the wiki pages mentioned throughout this thread all no longer work, anyone know where they moved to?

Thanks

@purana:

> It would appear the wiki pages mentioned throughout this thread all no longer work, anyone know where they moved to?
>
> Thanks

thank you for bumping a 4 year old thread. No, most likely not.

@purana:

> It would appear the wiki pages mentioned throughout this thread all no longer work, anyone know where they moved to?
>
> Thanks

Purana, might I suggest:

http://www.howtoforge.com/perfect_setup_debian_etch

It's a good tutorial for the initial setup, there are also howto's for other apps afterward, good luck.

@ged:

> I've taken your page, and combined it with other information I've found and tried, to begin creating a similar tutorial. I'm no fan of forks - perhaps we can combine at some point?
>
> .
>
> http://wiki.gednet.com/DebianServerSetup

404

Zombie thread, no like.

Check out howtoforge.com instead, much better tutorials..

Maybe a good idea to replace this sticky thread with mine, since the guide in the opening post doesn't work anymore:

http://www.linode.com/forums/viewtopic.php?t=3808
