Introduction
This is the second part of my LEMP virtual server setup. This portion involves configuring various virtual machine settings. I'll also go over the basic setup for SSH and SAMBA access.
Host network setup
Hopefully at this point we have an Ubuntu Server installed. The next step is to set up the network configuration. Go ahead and power down and close your virtual machine so we can set up the host network.
VirtualBox/Host machine configurations
The first thing we need to do is set up a VirtualBox host network. Host networks can be shared between virtual machines and the host machine. The IETF (one of the internet regulating bodies) created RFC 1918 so we know which addresses are safe to use for private networks. Unfortunately, between the 3 available private address spaces there aren't any guarantees for how IP addresses are assigned. The only rough rule of thumb is that the vast majority of commercial and home networking equipment uses 192.168.0.0/24 exclusively. This leaves the 172.16.0.0/12 and 10.0.0.0/8 spaces. If you know how (and have the permissions), you can manually limit the DHCP address space assigned by a router. The network equipment I'm working with does appear to only assign addresses in the 192.168.0.0/24 space, so I decided to use the 10.0.0.0/8 space for my static IP addresses. This is not guaranteed to work every time.
Start up your virtual machine and log in to configure the client side.
Virtual Machine configurations
The first step is to set up our network settings. In the terminal, type in the following commands:

    cd /etc/network/
    sudo vi interfaces

This opens up the network configuration file. I'm using the vim editor in super user mode; if you're more familiar with another editor, feel free to use it. Here's what I modified the network configuration file to:

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    iface eth0 inet dhcp
    # This is an autoconfigured IPv6 interface
    iface eth0 inet6 auto

    # Host direct connection
    auto eth1
    iface eth1 inet static
        address 10.0.0.2
        netmask 255.255.255.0
        network 10.0.0.0
        broadcast 10.0.0.255

This sets up a static IP for the client. The client's IP address is 10.0.0.2.
Limiting SSH access
At this point we should be able to SSH into our server. You can verify this by starting up PuTTY and trying to connect to your server. You're still required to log in with a valid username and password, and communication is encrypted. For added security, if you feel so inclined, you can further limit which computers can SSH into your client.
To do this, modify the /etc/hosts.allow file. For example, here's a configuration which only allows the host and the virtual machine itself to SSH into the virtual machine.

    # /etc/hosts.allow: list of hosts that are allowed to access the system.
    #                   See the manual pages hosts_access(5) and hosts_options(5).
    #
    # Example:    ALL: LOCAL @some_netgroup
    #             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
    #
    # If you're going to protect the portmapper use the name "portmap" for the
    # daemon name. Remember that you can only use the keyword "ALL" and IP
    # addresses (NOT host or domain names) for the portmapper, as well as for
    # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
    # for further information.
    #
    sshd : localhost : allow
    sshd : 10.0.0.1 : allow
    sshd : ALL : deny

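To see why the final `sshd : ALL : deny` line matters, here is an added example (not part of the original post) that evaluates the three rules above with first-match semantics. It is a simplified model: it handles only `ALL`, exact IPs or host names and net/mask patterns, ignores hosts.deny, and takes the client's resolved host name as a parameter, which is an assumption of the example.

```python
import ipaddress

# The three active rules from the post's /etc/hosts.allow.
HOSTS_ALLOW = """\
sshd : localhost : allow
sshd : 10.0.0.1 : allow
sshd : ALL : deny
"""

def client_matches(pattern, addr, name):
    """Match one client pattern: ALL, a net/mask, or an exact IP / host name."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern in (addr, name)

def decide(rules_text, daemon, addr, name=""):
    """Return 'allow' or 'deny' for a client; the first matching rule wins."""
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        # In hosts.allow a rule without an explicit option grants access.
        option = fields[2] if len(fields) > 2 else "allow"
        if (daemon in daemons or "ALL" in daemons) and any(
                client_matches(p, addr, name) for p in clients):
            return option
    # Nothing matched and no hosts.deny is modelled: tcp wrappers grants access.
    return "allow"

if __name__ == "__main__":
    for addr, name in (("10.0.0.1", ""), ("127.0.0.1", "localhost"),
                       ("192.168.0.50", "")):
        print(addr, decide(HOSTS_ALLOW, "sshd", addr, name))
```

These rules only take effect when sshd is built with tcp wrappers (libwrap) support, which can be checked by looking for libwrap in the `ldd` output for the sshd binary.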
SAMBA Filesystem Setup
Up to this point all the management we've been able to do in our virtual server has been in the terminal. However, for easier file management we can install a SAMBA file server. This allows us to connect a network drive to our system. I'm not positive if this is necessary if your host machine runs a Unix-type operating system; this portion is primarily for those who use the Windows operating system. If you haven't installed SAMBA yet, the first step is to do so. In the console, type in the following command:

    sudo apt-get install samba

Now that we have SAMBA installed we need to configure it. The configuration file is /etc/samba/smb.conf. The file is organized into a few different sections. The main global section defines settings inherited by all other configurations. This section is further organized into sub-sections:
- Browsing/Identification
- Networking
- Debugging/Accounting
- Authentication
- Domains
- Printing
- Misc
The first thing I'm going to do is create a share folder which can access the virtual machine's filesystem. Add the following section to the end of the file.

    [share]
    comment = LEMP Server Share
    path = /
    delete readonly = yes
    writable = yes
    force directory mode = 777
    force create mode = 777
    hide dot files = no
    create mode = 777
    directory mode = 777

The above configuration allows all users on any machine access to the file. This is NOT what I want. There are a few different things we can do to limit access to the server filesystem. The first one is to limit access only to the host machine. This is possible because of the host-only network I have set up. The second method is to use user-restricted access. This allows a user to sign in from any other computer so long as they can be authenticated. You can also use a combination of the two.
Restricting machine access
To ensure that only my host machine can access the filesystem I changed the Networking section.

    #### Networking ####

    # The specific set of interfaces / networks to bind to
    # This can be either the interface name or an IP address/netmask;
    # interface names are normally preferred
    # 10.0.0.1 is my host machine's IP address on the host-only network
    interfaces = 127.0.0.1, 10.0.0.1 eth1

    # Only bind to the named interfaces and/or networks; you must use the
    # 'interfaces' option above to use this.
    # It is recommended that you enable this feature if your Samba machine is
    # not protected by a firewall or is a firewall itself. However, this
    # option cannot handle dynamic or non-broadcast interfaces correctly.
    bind interfaces only = yes
    hosts allow = 127.0.0.1, 10.0.0.1
    hosts deny = 0.0.0.0/0

Restricting User access
Restricting user access is also fairly simple. The first step is to enable user authentication in the Authentication section. Uncomment the line so security is set to user.

    ####### Authentication #######

    # "security = user" is always a good idea. This will require a Unix account
    # in this server for every user accessing the server. See
    # /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
    # in the samba-doc package for details.
    security = user

Then in the folder sections you can list which users/groups are allowed access.

    [share]
    comment = LEMP Server Share
    path = /
    delete readonly = yes
    writable = yes
    force directory mode = 777
    force create mode = 777
    hide dot files = no
    create mode = 777
    directory mode = 777
    # allow the user helloworld922 access, as well as any user in the group helloworld922
    valid users = helloworld922 @helloworld922

The @ symbol is used to denote a group. You can include multiple users/groups, and there are also shared and domain-level access settings. Check out the SAMBA documentation for more information.
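The effect of the two restrictions can be checked mechanically. The following is an added example (not code from the original post) that parses an smb.conf given as text and reports, per share, which exposures remain; the two sample configurations are constructed from the post's settings, the finding names are made up for the example, and only the parameter spellings used on this page are recognised (Samba synonyms such as `read only = no` are not handled).

```python
import configparser

# Constructed inputs based on the post's settings: the open [share] first,
# then the same share with the host-only and user restrictions applied.
OPEN = """[global]
security = user
[share]
path = /
writable = yes
force create mode = 777
"""
RESTRICTED = """[global]
security = user
bind interfaces only = yes
hosts allow = 127.0.0.1, 10.0.0.1
hosts deny = 0.0.0.0/0
[share]
path = /
writable = yes
force create mode = 777
valid users = helloworld922 @helloworld922
"""

def audit(conf_text):
    """Return sorted finding codes per share for an smb.conf given as text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(conf_text)
    glob = dict(cp["global"]) if cp.has_section("global") else {}
    report = {}
    for name in cp.sections():
        if name == "global":
            continue
        # A share inherits [global] values unless it sets its own.
        opts = {**glob, **dict(cp[name])}
        found = []
        if not opts.get("hosts allow"):
            found.append("any-host")        # no client address restriction
        if not opts.get("valid users"):
            found.append("any-user")        # every authenticated account may connect
        if opts.get("path") == "/" and opts.get("writable") == "yes":
            found.append("root-writable")   # whole filesystem exported read-write
        if opts.get("force create mode", "").lstrip("0") == "777":
            found.append("world-writable-files")
        report[name] = sorted(found)
    return report

if __name__ == "__main__":
    for label, text in (("open", OPEN), ("restricted", RESTRICTED)):
        print(label, audit(text))
```

With both restrictions in place the host and user findings disappear, while the share still exports `/` read-write and forces mode 777 on new files.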
Connecting to an Ubuntu virtual filesystem from Windows
Now that we have SAMBA configured we're ready to create a network drive from Windows. First things first, ensure SAMBA is enabled. This command will try to start the SAMBA service if it's not running already.

    sudo service smbd start

We can now map a network drive. The network folder is \\hostname\folder. You can use either the client IP address or the client name. If you're using the configuration I used above, the folder is share.
Conclusion
Stay tuned for part 3, in which we install the Nginx web server software, MySQL, and PHP-FPM.