Posts tagged Server

VirtualBox Guest Additions on Real Machine – PXE Boot

VirtualBox Guest Additions installs a video driver called vboxvideo. It allows the machine to adjust its resolution to the dimensions of the application window. It also allows for seamless mouse movement between the host machine and the virtual window. I manage a server that runs VirtualBox to host several machines. The host is located in an air-conditioned server room separated from the main office by some distance. In the office I have a Windows machine that typically boots to a Windows XP desktop. VirtualBox is installed with a guest configured to PXE boot from the server host.

I would like to boot an interface, using PXE, with guest additions functional. Apparently guest additions does not play nicely with the various VirtualBox kernel modules required for actual machines. I have enabled the vboxvideo module in lts.conf (/var/lib/tftpboot/ltsp/i386/lts.conf) and it does configure xorg.conf of the PXE client properly, but it does not seem to work. Maybe it's because the host server uses the nvidia driver? The main /etc/X11/xorg.conf is configured with nvidia; I have tried it with vboxvideo, but that did not make sense to me so I quickly reverted the change.

How else would LTSP clients be configured, other than lts.conf?

SSL Implementation – StartSSL

Implementing SSL on your server is relatively straightforward. It's funny how things always seem relatively straightforward after you finally get it implemented. Apache2, in Debian, starts with the ports.conf file. Add NameVirtualHost *:80 to support regular virtual hosts, and also one for *:443.

Enable mod_ssl:

sudo a2enmod ssl

Then change the opening tag of your regular virtual hosts to name the port:

<VirtualHost *:80>

Without ssl you need not distinguish between ports and can just use a wildcard (*).

In the ssl virtual host block add the parameters to reference the certs and keys and the document root:

DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt

For this website the document root is the same as the one defined in the non-SSL virtual host block. The cert was created using StartSSL and is just a regular cert. The EV certs are pretty interesting in that they turn the address bar green in modern browsers; they cost some money, though, and require a business entity. While this entire website can be accessed using SSL, there are many links in the code that point only to http, which break SSL encryption requirements. The admin area, on the other hand, is fully SSL encrypted. You can force WordPress to use SSL for the entire admin area using (in your wp-config.php file):

define('FORCE_SSL_ADMIN', true);

Place the above code underneath the already existing ‘define’ parameters. Now when you navigate to wp-admin it will automatically load the login page as https. Just remember to configure port forwarding of 443 to your server. You should also implement a plugin called user locker. Yes, the admin area may be encrypted, but this does not handle brute force attacks. User locker is kind of like fail2ban at the server level. I recommend fail2ban use always!! Especially to handle SSH brute force attacks on systems that require password login to be enabled.

Working Locally from a Remote Location

Yes, I know it sounds funny. You can work locally from a remote location. I am specifically referring to use of LTSP. I am managing a server for a company, and I will be placing the server in an air-conditioned server room; and I don’t want to sit in that room all day long. I installed an LTSP server so I can sit in the main office and boot a PXE-enabled computer from the system. LTSP allows you to log in directly to the server from a remote location. The desktop environment will be exactly the same as if you were sitting in front of the machine. The only difference is the LDM login screen, which technically you can change to anything including GDM.

I want to take the graphics card out of the server; it's a nice Nvidia card; in the end I will not be doing what I want because I cannot leave the server completely without local video capabilities. I will be relying on the motherboard integrated Intel video chipset on the PXE-enabled computer. It will serve its purpose. I will be taking the 1080p capable monitor from the server, to use on the client; this I can get away with. It's a nice system and a pleasure to manage.

Apache2 Server Side Includes

Server side includes allow external HTML documents to be injected into a page before it is rendered in the client web browser. The benefit is that you no longer need to repeat the same code over and over again. If you include the same scripts on each of your website pages, you can create an external HTML document and inject it using a server side include with a single line of code. If you're using virtual host containers, you can include the server parameters directly in the file. Add the following directory block and make the directory path that of the virtual host block’s document root:

<Directory /var/www/*>
Options +Includes
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</Directory>

Make .shtml the extension of the files you are including. I think you can make it anything, I just used “.html”.

Then enable the module:

sudo a2enmod include

Restart apache2:

sudo /etc/init.d/apache2 restart

Then include external html files using:

<!--#include virtual="/mrtg/file1.html" -->
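
A caveat on the Options line above, shown as an added example that is not part of the original post: Options +Includes also enables the #exec directive, while IncludesNOEXEC keeps #include and turns #exec off. The shell functions below (hypothetical names) flag the exec-capable form in a config file and print the narrowed version, using the Directory block from the post as input.

```shell
#!/bin/sh
# Added example, not from the original post.

# Succeed (exit 0) if Apache config $1 enables exec-capable SSI.
# "Includes" also honours <!--#exec cmd="..." -->, so any file the INCLUDES
# filter parses can run commands as the web server user.
ssi_exec_allowed() {
    awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /^[+]?includes$/) bad = 1
        }
        END { exit !bad }
    ' "$1"
}

# Print config $1 with Includes narrowed to IncludesNOEXEC, which keeps
# #include but disables #exec. Other lines pass through unchanged.
ssi_noexec() {
    awk '
        tolower($1) == "options" {
            indent = $0; sub(/[^ \t].*/, "", indent); changed = 0
            for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /^[+]?includes$/) {
                    $i = (substr($i, 1, 1) == "+" ? "+" : "") "IncludesNOEXEC"
                    changed = 1
                }
            if (changed) $0 = indent $0     # field assignment drops indentation
        }
        { print }
    ' "$1"
}

ssi_tmp=$(mktemp -d)
# The Directory block from the post, written out as the sample input.
cat > "$ssi_tmp/page.conf" <<'EOF'
<Directory /var/www/*>
Options +Includes
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</Directory>
EOF
ssi_exec_allowed "$ssi_tmp/page.conf" && echo "page.conf: #exec is permitted"
ssi_noexec "$ssi_tmp/page.conf"
```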

Remote Server Management in Local Facility – LTSP

I’m using LTSP to manage a server remotely in a local facility. I set up an LTSP server on the host machine, and will place it in an air-conditioned room to preserve longevity. I configured a machine, of much lower power, to PXE boot from the server. There are several nuances to setting up an LTSP server. Once all is done you realize that it is less complicated than it seems. When things go right there are essentially three steps in total. First:

sudo apt-get install ltsp-server-standalone

This installs the works. Then configure DHCP:

sudo nano /etc/ltsp/dhcpd.conf

Configure the subnet to match the one you are using on your router. If your router's local IP is 192.168.0.1, your subnet would be 192.168.0.0. Then set a range. Make sure you turn off the DHCP servers in any and all routers connected to the network; the DHCP server on this machine needs to be the only one. Set the “next-server” option to the same local IP address as the server. Then set the rest of the options: domain, default gateway, DNS, and so on. Then restart the DHCP server:

sudo /etc/init.d/dhcp3-server restart

Build the clients:

sudo ltsp-build-client
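
The dhcpd.conf described above, as an added example that is not from the original post: a shell function (hypothetical name) that prints a /24 configuration from the server and router addresses and refuses a lease range that would hand out either address. The server address 192.168.0.10, the range, the use of the router for DNS, and the LTSP default paths /opt/ltsp/i386 and /ltsp/i386/pxelinux.0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. All addresses are assumptions.

# Print a /24 dhcpd.conf for LTSP: $1 = LTSP server IP, $2 = router IP,
# $3/$4 = first/last host number of the lease range.
ltsp_dhcpd_conf() {
    net=${2%.*}                             # 192.168.0.1 -> 192.168.0
    [ "${1%.*}" = "$net" ] || { echo "server $1 is not on $net.0/24" >&2; return 1; }
    for n in "${1##*.}" "${2##*.}"; do      # static hosts must stay out of the pool
        if [ "$n" -ge "$3" ] && [ "$n" -le "$4" ]; then
            echo "range $3-$4 overlaps static host .$n" >&2; return 1
        fi
    done
    cat <<EOF
authoritative;
subnet $net.0 netmask 255.255.255.0 {
    range $net.$3 $net.$4;
    option routers $2;
    option domain-name-servers $2;      # assumption: the router resolves DNS
    option broadcast-address $net.255;
    next-server $1;                     # the LTSP server itself
    option root-path "/opt/ltsp/i386";  # assumption: LTSP default chroot
    filename "/ltsp/i386/pxelinux.0";   # relative to the tftp root
}
EOF
}

# Router at 192.168.0.1 as in the text; server address and range are assumed.
ltsp_dhcpd_conf 192.168.0.10 192.168.0.1 20 250
```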

That's really all there is to it. I’ve found that problems do arise, and instead of trying to fix them just purge all the installed applications and start over.

sudo apt-get remove --purge ltsp-server-standalone ltsp-server xinetd

One time I was stuck because there were two tftp inet servers, openbsd-inetd and inetd-hpa. They were conflicting. Then run autoremove with the purge option:

sudo apt-get --purge autoremove

Then start over installing ltsp-server-standalone. You can test your ltsp server using VirtualBox. Just like a real machine set the boot sequence to network as the first option. Now hook up a fancy monitor that can support 1920×1080 to the relatively low powered machine in the other room, and remotely manage your server from a pseudo local desktop environment.

Web Based SSH Clients

If you want to connect to your server in an encrypted and secure fashion, but do not want to or cannot install a binary on your local system, you can use a web based SSH client. The original software, that I have heard of, is Anyterm. It has since been replaced by Ajax Term, and subsequently Web Shell. I have played with Ajax Term a bit, but could never get everything working as I wanted. I’m going to take a second crack at Ajax Term, and then Web Shell. I would like a secure means of connecting to my server, but there is a hitch. The most secure means is to use RSA keypairs, which means the key must be transportable on a USB drive or the like. I wonder how well Ajax Term or Web Shell function using an RSA key. Conveniently, you can install Ajax Term directly from the Ubuntu repos. A simple:

sudo apt-get install ajaxterm

Ajax Term will be installed as a system server complete with an init.d script. In Karmic you will issue:

sudo service ajaxterm start

Configure Ajax Term in /etc/default/ajaxterm. Ajax Term does not do encryption; therefore, for security you would set up SSL and connect to your server with https. Refer to the Ubuntu documentation for more information about SSL setup for Ajax Term. As per the Ubuntu documentation there is also Shell in a Box. There are various choices and ways to get a secure connection to your home machine.

The main reason I recommend and prefer RSA keypairs is to completely disable password authentication on the server. This eliminates the possibility of a brute force attack, or an SSH DoS. The server rejects all password attempts no matter what. It is a sweet configuration, and as a server administrator you can walk around with a USB drive with your RSA key to connect to the server securely.
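
One way to confirm that a server really is key-only, as an added example that is not part of the original post: the functions below (hypothetical names) read an sshd_config and report whether any password-style login is still reachable. The two sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post; sample files are constructed.

# Print the first global value of any keyword in the |-separated list $2
# (sshd keeps the FIRST value it reads, and accepts Keyword=value), or the
# default $3 when unset. Stops at the first Match block (conditional settings).
sshd_value() {
    awk -v want="^($(printf '%s' "$2" | tr 'A-Z' 'a-z'))\$" -v def="$3" '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) ~ want { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Succeed only if no password-style method is reachable and keys are enabled.
password_logins_disabled() {
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] &&
    # keyboard-interactive (old name ChallengeResponseAuthentication) can
    # still prompt for a password through PAM; the upstream default is yes
    [ "$(sshd_value "$1" 'KbdInteractiveAuthentication|ChallengeResponseAuthentication' yes)" = no ] &&
    [ "$(sshd_value "$1" PubkeyAuthentication yes)" = yes ] &&
    # a Match block must not switch passwords back on for some clients
    ! awk '
        { sub(/#.*/, "") }
        tolower($1) == "match" { in_match = 1 }
        in_match && tolower($1) == "passwordauthentication" && tolower($2) == "yes" { bad = 1 }
        END { exit !bad }
    ' "$1"
}

ssh_tmp=$(mktemp -d)
cat > "$ssh_tmp/weak" <<'EOF'
# constructed: password line is off, keyboard-interactive left at default
PasswordAuthentication no
UsePAM yes
EOF
cat > "$ssh_tmp/hardened" <<'EOF'
# constructed: key-only login
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
for f in weak hardened; do
    if password_logins_disabled "$ssh_tmp/$f"; then echo "$f: key-only"
    else echo "$f: passwords still accepted"; fi
done
```

On a live server, sshd -T prints the effective configuration, including files pulled in with Include, and is the authoritative check.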