In the first three parts of this series we were formally introduced to the amazing AstLinux, learned how to run it from a LiveCD without installing it to a hard drive, and learned how to install it to a Soekris 4801 single-board computer. Our mission today: basic server settings such as hostname, network configuration, setting the correct timezone, some security tweaks, and service management.
As we learned in parts 2 and 3, there are several different ways to run AstLinux: from a single storage drive, or from two different physical storage devices. Either way the best practice is the same: Put the root filesystem on a separate partition from the data files. The data partition or drive is called a keydisk, and it is always mounted at /mnt/kd/.
When you edit AstLinux configuration files directly, edit the files in /mnt/kd/. (AstLinux comes with the nano text editor.) You'll see the usual complement of files in the root filesystem under /etc, but using a keydisk supersedes these. /mnt/kd/ is mounted read/write, so you don't have to hassle with mount/remount like you do for the root filesystem, which defaults to read-only.
The Internet is full of crackbots that know the default passwords to every service that exists, so job one is to change the AstLinux root password and the Web admin password. Log into the AstLinux server with the default login of root, password astlinux. Change the root password in the usual way, with the passwd command:
pbx ~ # passwd
Remounting / ReadWrite for passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:
Remounting / Readonly
This will not change the password permanently when you're running the LiveCD, but it will on any writeable storage drive. Note how the passwd command is actually a link to a wrapper script that mounts the filesystem read/write, then remounts it as read-only after the password changes. (Run stat /usr/bin/passwd to see for yourself.)
Change the Web admin password in the Web administration panel. Fire up the Web administration interface from a neighboring PC by going to https://[AstLinux IP address]. (If you don't know the IP address, run the ifconfig command on the AstLinux server.) Go to the General -> Setup tab. Again, the change is permanent only on writeable media.
/mnt/kd/rc.conf is the main configuration file for AstLinux. It replaces the usual large gaggle of individual configuration files you'll find on a typical Linux system, so you must resist the temptation to configure things in the way you are used to. There are two ways to edit this file: in the Web interface at General -> Setup, or directly with the nano editor. Start with setting your hostname and domain:
AstLinux defaults to UTC (Coordinated Universal Time). You might hear that it's the same as GMT, or Greenwich Mean Time, but it's not. (See Resources for more information.) Most folks prefer local time. To set AstLinux to your local time zone, first find your time zone options in /usr/share/zoneinfo, then enter the appropriate time zone like this:
This handles both daylight saving time and standard time.
AstLinux, by default, uses the time server at the University of Wisconsin-Madison. To be a good netizen it is better to use pool.ntp.org, like this:
However, you might wish to stick with the default, or to insert the IP address of your local time server. If the domain name does not resolve, OpenNTPD will hang indefinitely at startup, which means AstLinux will not boot.
If you want AstLinux to be the time server for your LAN, use this line:
Servers need static IP addresses. For the moment let's assume AstLinux has a single NIC and is behind a separate firewall; we'll get to more advanced networking configurations later. By default AstLinux activates an "external" interface, EXTIF=eth0. We'll go ahead and use this. Configure it in the usual way, using your own chosen IP address, netmask, gateway, and DNS server:
AstLinux installs with a number of services running:
pbx kd # netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
Unless you have a reason, don't have FTP servers running. Comment out the appropriate lines like this:
If you're not going to use the Web interface, turn it off by commenting out all lines starting with HTTP. Turn off SSH as well if you're not going to use it for remote logins.
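To confirm after the reboot that only the services you meant to keep are still listening, this added example (not from the original article or the AstLinux project) filters netstat -l output against an allowlist. The function names and the allowlist "ssh https" are assumptions, and the sample input is constructed from the listing above.

```shell
#!/bin/sh
# Added example: report TCP listeners from `netstat -l` that are not on an allowlist.
# Only TCP sockets in the LISTEN state are checked; UDP sockets have no such state.

# Constructed sample input, matching the netstat listing shown in the article.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:https *:* LISTEN
EOF
}

# Usage: netstat -l | unexpected_listeners "ssh https"
# $1 is a space-separated list of service names (or port numbers with -n)
# that are allowed to listen. Prints "proto address" for everything else.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, names, " ")
            for (i = 1; i <= n; i++) ok[names[i]] = 1
        }
        # Header lines are skipped because they do not start with "tcp".
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            svc = addr
            sub(/^.*:/, "", svc)   # keep only the part after the last colon
            if (!(svc in ok)) print $1, addr
        }
    '
}

# Demonstration on the constructed sample: ftp and www are reported
# because the assumed allowlist keeps only ssh and https.
sample_netstat | unexpected_listeners "ssh https"
```

On the server itself, pipe the real netstat -l output into unexpected_listeners; an empty result means every remaining listener is one you chose to keep.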
If you edited /etc/rc.conf in the Web interface, be sure to click the "Submit Changes" button. Save all your changes and reboot. Next week we'll learn how to talk to the outside world,