Summary for Configuring Linode & Tomcat7 + Oracle Java

This is a summary on how to secure your freshly booted Linode Debian distro and install Tomcat7 on top of oracle JVM.

Note: this is mostly a remainder to myself on how to do this, it contains information from multiple sources. Perhaps I have mixed up the order of some commands. If you have any suggestions or comments, feel free to do so =)

1) Setting you hostname

At your first login, you should ssh as root. Let’s define a beautiful hostname for us

# echo "plato" > /etc/hostname
# hostname -F /etc/hostname

The second command tells the system to read the hosname from the -(F)ile.

2) Add you hostname to the list of know host in

# nano /etc/hosts

Add the following line

127.0.0.1 plato

3) Set your timezone with

# dpkg-reconfigure tzdata

4) Check for upgrades

# apt-get update
# apt-get upgrade --show-upgraded

5) Create user alternative to root

It’s good practice to use the system with another user, but root. Let’s add it with the following command (it should prompt for additional information):

# adduser example_user

Let’s add the sudo application, so we can apply root commands while logged as the alternative user:

# apt-get install sudo

Not let’s (a)ppend the user to the sudoers (G)roup, so he can use sudo :

usermod -a -G sudo example_user

Now let’s

# logout 

and ssh back in with new user.

6) Configure SSH with key authentication

SSH with key is much more secure, for it drastically reduces the risk of having your system invaded by brute-force. So let’s create a key on your local machine:

$ ssh-keygen

It generated the keys in the ~/.ssh folder, let’s send our public key to the server with:

$ scp ~/.ssh/id_rsa.pub example_user@123.456.78.90:

Now ssh back into the server and set your key as authorized keys:

$ mkdir .ssh
$ mv id_rsa.pub .ssh/authorized_keys

Your key must have specific and secure permissions: be yours and read-only for you:

$ chown -R example_user:example_user .ssh
$ chmod 700 .ssh
$ chmod 600 .ssh/authorized_keys

7) Disable ssh with password

Now that we stored our key, let’s disable password login:

$ sudo nano /etc/ssh/sshd_config

by setting

PasswordAuthentication no
PermitRootLogin no

Finally, let’s restart the service:

$ sudo service ssh restart

8) Creating firewall rules

Ok, we’ve set login only with priv-pub-keys, now let’s setup the firewall. First let’s (L)ist the current rules:

$ sudo iptables -L

Let’s create a file with the rules

$ sudo nano /etc/iptables.firewall.rules

and add the following basic rules:

*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Notice that I’ve opened port 8080, which is Tomcat’s default. Let’s active the rules

$ sudo iptables-restore < /etc/iptables.firewall.rules

and double check by (L)isting them again:

$ sudo iptables -L

Let’s create script to recover iptable when system restarts

$ sudo nano /etc/network/if-pre-up.d/firewall

and add script

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

and install Fail2ban, which will block recurrent failed logins from the same IP:

$ sudo apt-get install fail2ban

9) Installing Oracle Java 7

If you want to replace openjdk by the Oracle Java, I recommend using webupd8team repo – it’s easier to update. First remove the jdk you’ve got:

$ sudo apt-get remove openjdk-7-jdk

There is this small tool I like for managing repos. It set up the /etc/apt/sources.list correctly and downloads the key:

$ sudo apt-get install python-software-properties

So let’s add webupd8team repo, update the packages and install Oracle Java:

$ sudo add-apt-repository "deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main"
$ sudo apt-get-update
$ sudo apt-get install oracle-{java7,jdk}-installer

10) Installing Tomcat

So, at last, let’s install Tomcat and start the service!

$ sudo apt-get install tomcat7 tomcat7-{examples,docs,admin}
$ /etc/init.d/tomcat7 start

If it misses the JAVA_HOME, edit

$ sudo nano /etc/default/tomcat

and modify the line

PATH_HOME=/usr/lib/jvm/java-7-oracle/

Add yourself an admin user for the tomcat

$ sudo nano /etc/tomcat7/tomcat-users.xml

by adding inside the node

<tomcat-users>
...
<role rolename="manager-gui">
<user username="...youruser..." password="...yourpassword..." roles="manager-gui" />
</tomcat-users>

and restart your engines!

$ /etc/init.d/tomcat7 restart

You can now watch tomcat at work on your http://123.456.789.123:8080/ and configure it at http://123.456.789.123:8080/manager/html

If you need to increase tomcat7 memory size:

$ sudo nano /etc/default/tomcat

and change the line for mx memory

JAVA_OPTS="-Djava.awt.headless=true -Xmx630m -XX:+UseConcMarkSweepGC"

And that’s it! I hope this was useful to you!

Advertisements

Bitcoin market in Brazil – slowly spreading

Abstract: my experience trying to buy Bitcoins in Brazil and some references on where to buy’em without having to resort to expensive bank transfers — use them at your own risk.

About six months ago the Bitcoin slowly started entering mainstream journals headlines. It has been around for years, but the buzz on this technology started getting louder and it caught my attention. I decided to buy some Bitcoins, just in case it would get traction in the coming years, but I wanted cheap options that wouldn’t involve sending my money internationally through expensive banks mechanisms.

At the time, few options were available, one was Mercado Bitcoin, but I had the misfortune of finding it around March 2013,  just before it got hacked and all operations were suspended. Today this website is already back on, but I was disappointed a missed the big BTC rally.

As there were no easy alternatives, it meant that there are probably important things to happen in this market. Other options I found were

  • Bitcoin-OTC – over the counter trades in which users are free to negotiate how they want to proceed their exchanges. It’s well organized, has an order book and a web of trust in which users are rated. Negotiations takes place in a mIRC channel on FreeNode.
  • Local Bitcoins – provides a trading environment between users. It has a nice escrow system in which the website is the trusted third party that holds and releases the Bitcoins while the trade occurs. It is also the last instance judge in case of dispute between users.

Another alternative that worked for some time was BitInstant, in which you could transfer money to a brazilian bank and it would credit directly into a MtGox account. But since a few months ago, it stopped working in Brazil.

Just today I found two new websites that I haven’t yet tried out (use at your own risk), but it could be a sign the at last Bitcoin is entering brazilian territory:

Considering the trend that some places are considering it a legal tender, Brazil could follow suit (as usual) their peers. This would be great news for the currency in this part of the world.

Clojure variadic map

When begining with Clojure, little by little you find out some snipets of code that enlighten and clean your code. One example I’ve encountered is when using map in function parameters, e.g.

(defn say-hi [{:keys [first-name last-name title]}]
   (print (str "Hello, " title " " last-name "!\n"
               "May I call you '" first-name "'?\n")))

So that it’s invocation is

=> (say-hi {:first-name "Murray" :last-name "Rothbard"
            :title "Mr."})
Hello, Mr. Rothbard!
May I call you 'Murray'?
;=> nil

But there is a cleaner way of doing it so, with just one “&” away:

(defn say-cleaner-hi [& {:keys [first-name last-name title]}]
   (print (str "Hello, " title " " last-name "!\n"
               "May I call you '" first-name "'?\n")))

Now the function call will be

(say-cleaner-hi :first-name "Murray" :last-name "Rothbard"
                :title "Mr.")
Hello, Mr. Rothbard!
May I call you 'Murray'?
;=> nil

Ain’t that pretty?