What is Lemonstand
If you have ever trawled the interwebs for a half decent Ecommerce solution chances are you have encountered PHP based solutions like Magento, OSCommerce, OpenCart etc. These are quite well established players but a recent addition to the gang has really impressed us and a bunch of other like minded people too. Lemonstand feels lightweight yet powerful, the core covers the shop fundamentals very well and it is supported by a growing community. Check out the video.
This is the first part in a multi part post that will hopefully finish up with a production ready virtual machine running Lemonstand for your online store.
Ubuntu and VMWare Fusion
First things first, you have to run up a new virtual machine. Eventually you will do this with some cloud provider (OrionVM, RackSpace etc) but for development or testing your configuration a local VM is all you need. Note that there are VMWare alternatives and in this case you could use the excellent VirtualBox from Sun/Oracle http://www.virtualbox.org.
After Ubuntu is installed in Fusion
Depending on what route you took with installing Ubuntu on a local VM (simple or manual) theres a chance SSH might not be installed. If this is the case just work directly in the console for now. First thing you need to do is login with the username and password you configured.
Keyboard
I had to reset the keyboard as command repeat didn’t work on Fusion/Ubuntu 10.04
Type the following and accept the defaults.
sudo dpkg-reconfigure console-setupPasswords
Reset your password if either logging in as root or you accepted some default password
passwdyou can also change another users password by appending their username to the command
passwd devuserEven though we won’t be allowing root to login via SSH, we want to make sure it has a strong password.
Type this command and enter your new strong password twice.
sudo passwd rootRemove non essential accounts from etc/passwd, you likely don’t require games,news,list,irc,gnats
Shell
Also set the users shell to /bin/false
You could also change the shell like this (for the user ‘list’)
chsh -s /usr/sbin/nologin listVerify No Accounts Have Empty Passwords
sudo awk -F: '($2 == "") {print}' /etc/shadowLock all empty password accounts
passwd -l account_nameMake Sure No Non-Root Accounts Have UID Set To 0
sudo awk -F: '($3 == "0") {print}' /etc/passwdYou should see a single line like this:
root:x:0:0:root:/root:/bin/bash
Timezone
Set the correct timezone for your location.
dpkg-reconfigure tzdataor
echo "Australia/Adelaide" | sudo tee /etc/timezone. sudo dpkg-reconfigure --frontend noninteractive tzdataHostname and hosts file
Set the correct hostname by editing the “hostname” file.
sudoedit /etc/hostnameCheck hosts file as default can sometimes be Ubuntu depending on how you installed the OS.
You should have a line that contains your IP address and then your long hostname separated by a space then your hostname on its own.
Running “hostname –f” should return the long version.
sudoedit /etc/hosts
…
127.0.0.1 localhost
172.16.16.10 cortina.example.com cortinaConfigure admin group
Check that your part of the admin group
cat /etc/groupor
grep devuser /etc/groupyou should see a line like this (the number 109 may differ), this means the user ‘devuser’ is a member of the admin group.
admin:x:109:devuserIf the admin group doesn’t exist or your not a member of it follow these steps.
sudo groupadd admin sudo usermod -a -G admin devuserConfigure sudo
Edit the sudo configuration
sudo /usr/sbin/visudoCheck that the admin group has full sudo privileges, add this line if it doesn’t exist.
%admin ALL=(ALL) ALLRestrict access to /bin/su to admin group members
sudo dpkg-statoverride --update --add root admin 4750 /bin/suSecure shared memory
/dev/shm can be used in an attack against a running service, such as httpd. Modify /etc/fstab to make it more secure.
sudo nano /etc/fstabAdd this line
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0Remount /dev/shm or reboot
sudo mount -o remount /dev/shmSetup SSH server
Install SSH server & client
sudo apt-get install openssh-client sudo apt-get install openssh-serverBackup original config file and make read only
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig sudo chmod a-w /etc/ssh/sshd_config.origEdit SSH server config file and make the following changes:
sudoedit /etc/ssh/sshd_configDisable root login but allow forced commands
PermitRootLogin forced-commands-onlyReduce the login grace time
LoginGraceTime 20The SSH daemon will allow a message to be displayed to users attempting to log in to the SSH server. To enable login messages, remove the pound sign from this line:
Banner /etc/issue.netHide “Ubuntu” from the OpenSSH headers
DebianBanner noAdd line for allowed users
AllowUsers devuserUpdate the login warning in the file “/etc/issue.net”
sudoedit /etc/issue.netRestart SSH
sudo /etc/init.d/ssh restartYou can now login to the server using Putty on Windows or the built-in SSH client on OSX and Linux.
Harden TCP/IP Stack
Some of these will be set by default anyway but it doesn’t hurt to check.
These commands change the current runtime variables only, to make them persist edit the following file
sudoedit /etc/sysctl.confDisable ICMP broadcast echo activity.
sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 Disable ICMP routing redirects. Otherwise, your system could have its routing table misadjusted by an attacker.
sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 sudo sysctl -w net.ipv4.conf.all.send_redirects=0 Disable IP source routing. The only use of IP source routing these days is by attackers trying to spoof IP addresses that you would trust as internal hosts.
sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 sudo sysctl -w net.ipv4.conf.all.forwarding=0 Enforce sanity checking, also called ingress filtering or egress filtering.
sudo sysctl -w net.ipv4.conf.all.rp_filter=1Log and drop “Martian” packets.
sudo sysctl -w net.ipv4.conf.all.log_martians=1Randomize your address space
sudo sysctl -w kernel.randomize_va_space = 1Setup NTP
Install NTP support
sudo apt-get install ntpChange the contents of /etc/ntp.conf to include additional server lines. Use a different pool if not in Australia.
server 0.au.pool.ntp.org server 1.au.pool.ntp.org server 2.au.pool.ntp.org server 3.au.pool.ntp.org Restart ntp process
sudo /etc/init.d/ntp restartYou can check the status of peers by running
/usr/bin/ntpq -npFile security
Check for World-Writable files and investigate.
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -printFind any files not owned by any user or group.
find / -xdev \( -nouser -o -nogroup \) -printEnable and configure firewall
UFW is Ubuntu’s “uncomplicated firewall”, it just simplifies the setup of iptables rules.
Install UFW and set the default mode to deny.
sudo apt-get install ufw sudo ufw default denyAllow SSH, HTTP, HTTPS
sudo ufw allow 22 sudo ufw allow 80 sudo ufw allow 443 Enable UFW
sudo ufw enableSwitch on logging.
sudo ufw logging onBy default, UFW allows ping requests. To disable You need to edit /etc/ufw/before.rules and remove or edit the following lines: Change ‘ACCEPT’ to ‘DROP’
# ok icmp codes -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT