In a previous post, I wrote about Olinuxino modules, the computer boards from Olimex.
Now let’s configure, step by step, an A10/A20 Lime to act as a server with Debian. The goal is to leave it working 24×7 unattended. The model in my case is an A10 Lime, with 512MB RAM and without Flash memory.
1. Flashing microSD
Well, let’s get into flour (I don’t know if this expression exists in English,…) We will use the official Olimex image, we can download here. The official image comes with, maybe, too much extras, also, the kernel comes with graphic subprocessor activated, so we will have a little less power available. In next posts I will explain how to create a minimal image, with a minimal kernel compiled. If we are working from Windows, we will need Win32Imager to flash the micro SD. The process is very easy, just decompress the image (in .7z) and flash the microSD with, at least, 4GB capacity. If we have Linux, we’ll use dd:
$sudo dd if=a10_Lime_debian_second_release.img of=/dev/sdX
/dev/sdX will be the volume representing our SD reader. It’s recommended to use a Class10 card, so the system will be faster.
2. First Boot
Once the microSD is flashed, we can put in the Olinuxino slot and power up the unit. Pressing the power button will boot up the unit. Connect a monitor via HDMI and a mouse and keyboard using the USB ports. The official image comes with eternet deactivated, so we can open a terminal and write the following:
#dhclient eth0
The network will power up and will ask for an IP from our DHCP server (usually the router). To know the assigned IP, just ask the router (will apear as «a10lime») or enter the following command:
# ifconfig
eth0 Link encap:Ethernet HWaddr 02:43:0a:00:00:00
inet addr:192.168.0.5 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:535825 errors:0 dropped:159452 overruns:0 frame:0
TX packets:443622 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:107560919 (102.5 MiB) TX bytes:174534351 (166.4 MiB)
Interrupt:55 Base address:0xb000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:19510603 errors:0 dropped:0 overruns:0 frame:0
TX packets:19510603 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1861165201 (1.7 GiB) TX bytes:1861165201 (1.7 GiB)
#
3. Remote Connection
In the «eth0» information we will get the assigned IP («inet addr» field), in our case it’s 192.168.0.5. Once we know the IP address, we can put our «miniserver» in the place we want, and manage it remotely. We will connect by SSH. From windows the usual application to connect by SSH is PuTTY.
Putty hasn’t got any mistery: just enter the IP address from our Lime, and click «Open». A black window will appear asking for an user and a password: root / olimex.
The very first step is to change the root password. Just need to enter this command:
# passwd
It will ask for a new password and a confirmation. Once finished, let’s…
4. Network Configuration
Next step will be configure the network from our server. As if we leave it configured by DHCP, maybe our router can change the IP in the future, and we don’t want to lose the contact with our lime!. We can configure an static IP from two different ways: configuring DHCP to reserve an address or configuring manually an static IP in our Lime.
For the first option, search for your router’s manual, but it is usually called «Address Reservations», you will need the MAC address from the Lime’s network interface. The last command told us:
eth0 Link encap:Ethernet HWaddr 02:43:0a:00:00:00
If we want to manually configure an static address in our Lime, we will need to edit the file /etc/network/interfaces
# nano /etc/network/interfaces
This is how I have the file configured, just change the values according to your network:
auto lo iface lo inet loopback auto eth0 iface eth0 inet static address 192.168.0.220 netmask 255.255.255.0 gateway 192.168.0.1 dns-nameservers 8.8.8.8 8.8.4.4
After that, press Ctrl+X, nano (the editor) will ask for a confirmation to write the file, just press «Y» and enter, then reboot the service with the following command:
# service networking restart
If we’ve changed the IP address, Putty will disconnect. Once we have the network configuration ready, let’s go to the next step:
5. Securing SSH
In the sixth step, Lime will access the Internet, but it’s convenient to secure SSH first in order to avoid attackers to access our little server. It’s an own decision to allow SSH from Internet, I don’t think it’s unsecure, but you must take care about it and follow a few steps:
- Disable remote root login: any sysadmin who have read the first steps will have the «blood boiling» (another spanish phrase…) when login in SSH with root user. It’s a very unsafe practice, and should be avoided as possible. To solve this, first we will need to create another user:
# useradd fulanito # passwd fulanito
This will create the user «fulanito» and will ask for a password for him. Now we need fulanito to have the ability to «invoke root». For that, we will use «sudo» so, let’s include fulanito in the sudoers group:
# usermod -a -G sudo fulanito
This command will add sudo as an additional group for fulanito. Next, let’s disallow root to login from SSH, editing the file /etc/ssh/sshd_config
# nano /etc/ssh/sshd_config
Just need to find (Ctrl+w) the line «PermitRootLogin» and change it into «no». Restart the service and putty will disconnect:
# service ssh restart
Just need to reopen Putty and log in again. But this time with fulanito as user.
- Changing default ports: This habit will stop the 60% of the attack attempts to SSH. Most of the attacks to a machine are automated, and doesn’t have your device as main target. They are just trying random devices to control. All this attacks scan for open ports and, of course, one of this ports is the 22, the SSH. If we change the default ports in common services, we will have a first line of defence towards this kind of attacks. This is really easy and cheap to do:
# nano /etc/ssh/sshd_config
And search, in the first lines, the option Port. Let’s change 22 for another random number > 30000, in order to not interfere in other services, for example 32109. In the NAT configuration from our router, we will need to open this port to access SSH from the Internet.
- Complicate the things in the login process in case of wrong password: Maybe we receive a directed attack, and maybe they scan all our ports and discover SSH in our ultra secret port. Let’s suppose also, they know our user fulanito and they are trying to attack SSH login with a dictionary. A good defence from this it’s to limit the maximum login attempts. This can be easily configured: search or create the line MaxAuthTries and assign a value of 3 (default value is 7). Then reload configuration in ssh service:
$ sudo service ssh reload
Take note that now we need to run the commands with sudo, as we have logged in with fulanito, not with root. Sudo will ask for the fulanito‘s password to confirm the order.
6. Installing first service
Well, our little server is more secure than 15 minutes ago (we will complicate the things more with iptables and fail2ban). Now let’s start our first service in our Lime: a web server. Modern Linux distributions come with their own «package manager» to install things on it. Debian uses «apt». Until now we haven’t used it, so let’s get into the mess (another spanish phrase…):
$ sudo apt-get update && sudo apt-get upgrade
This will execute first apt-get update (update apt repositories) and then apt-get upgrade (update all installed applications). After a few connections, it will ask for confirmation to install the upgrades. Just answer yes. Sit down and relax while they install, probably there will be a lot of them… Once finished, let’s install our web server. It will be nginx:
$ sudo apt-get install nginx
«Hey man, I use Apache»: say thanks to not install μhttpd. The available resources in the Lime are very limited, and we need a very lightweight server. One could write rivers of ink on which is better, Apache or Nginx, in fact, it depends on the funcionality, but it’s not the subject of this post… Well, while we were arguing nginx has been installed. Let’s start it:
$ sudo service nginx start
Now we can open a web browser and access the URL http://ip-lime/, should appear an image like this:
Well, our web server is up and running. The next is to open the 80 port in our router to make our web available to the world. In next posts will explain how to configure a server to host a php site like WordPress. Also, will add a mail server to our Lime, to have the electronic mail on it.