Date: 2-1-13

Goal: Create a secure, production-level wiki using Dokuwiki. I will be creating this server as a virtual machine using VirtualBox as my host software. This guide does not cover how to set up a VirtualBox host. I am assuming that you already have a VirtualBox host set up to place a virtual image on. Please use Google to find a guide if you don't have a VM host.

Requirements and Software

This section outlines the required software and host hardware for this build. Feel free to download and pre-stage the required software.

Base Host Requirements

This outlines the base host requirements before we start. The final server can live on a USB flash drive for storage, but should be run from a SATA connection.

Physical Host Hardware Requirements:
  • VirtualBox Host 1)
  • Hard Drive: Min 16GB
  • Memory: 512MB
  • Processor: 1
  • Internet Access
Base Software:
Base Expected skills

I use “vim” and “putty” a lot when working with Linux. I am going to include a very basic vim guide, but further reading is recommended.

Base Vim Commands
Command Action
i Edit
esc Exits edit mode
: Activate Menu
w Write/Save
q Quit/Close
wq Save and Close
/ Search
Google Search and download:
  • VirtualBox
  • Virtualbox usb addon
  • Ubuntu Server ISO

Save those 3 files to the virtual host machine.

Install Base Server

  1. Open VirtualBox and Create a new Virtual Machine(VM)
  2. Give it a name: LCARS
  3. Choose the Operating System Type: Linux
  4. Choose the version: Ubuntu
  5. Set the memory size for the VM: 768MB
  6. Create a new virtual hard drive.
  7. Set the type to Virtual Box(default)
  8. Change the size to 16GB(your choice)
  9. When prompted for the install media choose the Ubuntu ISO.
  10. (There will be a lot of message windows. Read them, then click the check box to ignore. Continue)
  11. Leave the defaults for the language selection.
  12. Choose a hostname: LCARS (your choice)
  13. Enter your name: (John W. Smith)
  14. Create a username: jsmith
  15. Create a password for jsmith
  16. No directory encryption needed
  17. Verify that the time zone is correct
  18. For the next windows, leave the settings at their defaults unless you want to change them
  19. At the automatic update I chose “Install Security Updates Automatically”
  20. When you are prompted to pick your services only choose “OpenSSH Server”(we will add the others as needed)
  21. —lots of server thinking here—
  22. Choose yes to install the Boot loader
  23. Your base installation is finished!
  24. Reboot
    1. (Optional) – Shutdown server to take snapshot for future roll back if needed.
  25. Change the network adapter to bridged mode. machine>devices>Network Adapters> change NAT to Bridged.
  26. Login to server after reboot

Install Guest additions

  1. First check the update source lists for missing servers
    1. sudo apt-get update
  2. Then update the server:
    1. sudo apt-get upgrade
  3. Now install dkms
    1. sudo apt-get install dkms
  4. Then update the linux-headers
    1. sudo apt-get install linux-headers-3.2.0-29-generic-pae
  5. Insert the VBoxGuestAdditions.iso into the virtual CD drive.
    1. From host virtualbox computer highlight correct virtual server
    2. Select storage from the details window
    3. Under the IDE controller select the “cd” icon
    4. At the right of the Storage Tree under Attributes again click the “cd” icon.
    5. finally click “choose a virtual CD/DVD disk file…”
    6. Browse for the ISO image and then click ok
  6. In the guest virtual machine, change to the directory where the ISO was mounted (usually this is /media/cdrom)
    1. sudo mount /dev/cdrom /media/cdrom
    2. cd /media/cdrom
    3. sudo sh ./VBoxLinuxAdditions.run
      1. The Window System drivers will fail because we are running in headless mode

Secure the Server

  1. Enable and set up the firewall (allow SSH before enabling it so a remote session is not cut off)
    sudo apt-get install ufw
    sudo ufw allow ssh
    sudo ufw allow http
    sudo ufw enable
    sudo ufw status verbose
  2. Protect shared memory
    sudo vim /etc/fstab
    1. Add the following line to the document.
      tmpfs	/dev/shm	tmpfs	defaults,noexec,nosuid	0	0 
  3. Protect SSH
    sudo vim /etc/ssh/sshd_config
    1. Change PermitRootLogin to NO
      PermitRootLogin	no
  4. Only allow admin users to use “su”
    1. Create an admin group
      sudo groupadd admin
  5. Add yourself to the admin group
    sudo usermod -a -G admin jsmith
  6. Restrict access to /bin/su to admin group members
    sudo dpkg-statoverride --update --add root admin 4750 /bin/su
  7. Check changed permissions
    ls -lh /bin/su
  8. Do not permit source routing of incoming packets
    sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
    sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
  9. Install DenyHosts to avoid ssh attacks
    sudo apt-get install denyhosts
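
The settings from the steps above can be checked afterwards with a small read-only audit. This is an added example, not part of the original guide; the function names and the constructed sample files are illustrative. It also looks at /etc/sysctl.conf, because `sysctl -w` changes only the running kernel and the value is lost at reboot unless it is also set there.

```sh
#!/bin/sh
# Added example: read-only audit of the hardening steps above.
# Each function takes a file path so it can be run against copies.

# sshd honours the FIRST occurrence of a keyword (case-insensitive).
# Assumption: no Match block overrides it later in the file.
sshd_root_login() {
  awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
       END { if (!found) print "unset" }' "${1:-/etc/ssh/sshd_config}"
}

# Succeeds only if the /dev/shm entry carries both noexec and nosuid.
shm_hardened() {
  awk '$1 !~ /^#/ && $2 == "/dev/shm" {
         n = split($4, o, ","); for (i = 1; i <= n; i++) seen[o[i]] = 1 }
       END { exit !(("noexec" in seen) && ("nosuid" in seen)) }' "${1:-/etc/fstab}"
}

# "sysctl -w" changes only the running kernel. Print each source-route key
# that is not also set to 0 in the config file, i.e. is lost on reboot.
unpersisted_source_route() {
  for key in net.ipv4.conf.all.accept_source_route \
             net.ipv4.conf.default.accept_source_route; do
    tr -d ' \t' < "${1:-/etc/sysctl.conf}" | grep -Fxq "$key=0" || echo "$key"
  done
}

# Constructed sample files (not taken from a real host).
make_samples() {
  printf '%s\n' '#PermitRootLogin no' 'permitrootlogin yes' \
                'PermitRootLogin no' > "$1/sshd_config"
  printf 'tmpfs\t/dev/shm\ttmpfs\tdefaults,noexec,nosuid\t0\t0\n' > "$1/fstab"
  printf '%s\n' '# net.ipv4.conf.default.accept_source_route = 0' \
                'net.ipv4.conf.all.accept_source_route = 0' > "$1/sysctl.conf"
}
```

Source the file and call the functions without arguments to audit the live system. On the constructed sshd_config the result is "yes", because the earlier lowercase line wins over the later "PermitRootLogin no".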

Install Software

  1. Install Apache2, PHP5, and then restart Apache2
    sudo apt-get install apache2
    sudo apt-get install php5
    sudo service apache2 restart
  2. Check that the server is up by going to a different computer and navigating to http://%serverIPaddress%
    1. web files are at /var/www/

Configure Apache2

  1. In terminal:
    cd /etc/apache2/
    sudo vim httpd.conf
  2. In vim add the following line:
DirectoryIndex /dokuwiki/doku.php
  1. Save and Restart Apache.
sudo service apache2 restart

Configure PHP

Set Max file Upload Size
  1. Modify the following php settings:
    1. upload_max_filesize = 800M
    2. post_max_size = 800M
  2. In terminal enter:
    sudo vim /etc/php5/apache2/php.ini
  3. In vim search for “post_max_size”, then for “upload_max_filesize”
    /post_max_size
    /upload_max_filesize
  4. Edit that line to desired file size.
  5. Save and Restart Apache.
    sudo service apache2 restart

Install Dokuwiki

  1. First, find the Dokuwiki web site with Google. Locate and copy the download link to the latest version
  2. Now in putty run the following:
    cd /var/www
    sudo wget http://www.splitbrain.org/_media/projects/dokuwiki/dokuwiki-2012-10-13.tgz
  3. Unpack the archive
    sudo tar xvf dokuwiki-2012-10-13.tgz
    sudo mv dokuwiki-2012-10-13 dokuwiki
  4. Set permissions to wiki folders
    sudo chown -R www-data:www-data /var/www/dokuwiki

Move the old tgz file to a safe place on the computer

sudo mv dokuwiki-2012-10-13.tgz /home/jsmith
sudo service apache2 restart

Now is a great time to take another VM snapshot

Setup Wiki

  1. Open web browser
  2. Give wiki a name: “Knowledge Base”
  3. Fill out the rest of the fields.
  4. Change Initial ACL policy to Desired setting. I chose “Closed”
  5. Pick your content license. I chose “None”
  6. Create the wiki admin account: sudokuwiki
    1. (su is linux admin command and dokuwiki is well this wiki. So su+dokuwiki= cool word pun)
  7. Review settings and click save.
  8. Continue to main Wiki site.
  9. In putty type the following
sudo rm /var/www/dokuwiki/install.php
sudo vim /etc/apache2/sites-available/default
  1. For the root directories set AllowOverride all
DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride all
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
        </Directory>
  1. Sign into wiki as super user
  2. You should now see the start page. It is blank. Click the “pencil” on the right side of the page to Create the page.
  3. Give the start page a title.
  4. Save it

Congratulations! You now have a fully working Dokuwiki!!!
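
With the ACL policy set to “Closed”, the page files under data/ must not be reachable directly. DokuWiki relies on its bundled .htaccess files for that, which is why the AllowOverride setting matters here. The check below is an added example, not part of the original guide; the function names are illustrative and the base URL is an assumption taken from the HTTPS test address used in this guide.

```sh
#!/bin/sh
# Added example: confirm that files which must never be served are refused.
# Assumptions: curl is installed; BASE is the wiki URL, e.g. https://lcars/dokuwiki

# Print the HTTP status code for URL ("000" if the connection fails).
# -k accepts the self-signed certificate used in this guide.
fetch_status() {
  curl -k -s -o /dev/null -w '%{http_code}' "$1"
}

# Print every path under BASE that is answered with 200, i.e. is exposed.
#   install.php                   should be gone after setup
#   data/pages/wiki/dokuwiki.txt  page file shipped with DokuWiki
#   data/pages/start.txt          the start page created in the steps above
exposed_paths() {
  for p in install.php data/pages/wiki/dokuwiki.txt data/pages/start.txt; do
    code=$(fetch_status "$1/$p") || code=000
    if [ "$code" = "200" ]; then echo "$p"; fi
  done
}

# Succeed only when none of the paths above is served.
wiki_is_closed() {
  [ -z "$(exposed_paths "$1")" ]
}
```

Run `exposed_paths https://lcars/dokuwiki` from another machine; any path it prints is being served and needs the Apache configuration rechecked.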

Secure Dokuwiki

The next step is to secure the dokuwiki.

Enable HTTPS/SSL

  • Install and enable SSL:
    • sudo a2enmod ssl
    • sudo service apache2 restart
  • Create the server encryption keys:
    • cd /etc/apache2
    • sudo openssl genrsa -des3 -out server.key 2048
  • Use this set of keys to create a certificate request:
    • sudo openssl req -new -key server.key -out server.csr
    • When asked to input data, use your imagination to create something appropriate.

Be sure to write down your passphrase.

  • Use this request to create your self-signed certificate:
    • sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
  • Install the key and certificate:
    • sudo cp server.crt /etc/ssl/certs/
    • sudo cp server.key /etc/ssl/private/
  • Open the “default-ssl” file for editing:
    • cd /etc/apache2/sites-available
    • sudo vim default-ssl
  • This file is basically set up, but you will want to uncomment the SSLOptions line and also change the SSLCertificate lines to reflect the location and name of your new key and certificate.
SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
  • The port 443 is enabled when you use SSL so that is ready to go.
  • Enable the default SSL site:
    • sudo a2ensite default-ssl
    • If you do not enable the default-ssl you will get this error: “ssl_error_rx_record_too_long apache”
  • Restart Apache.
    • sudo service apache2 restart

Test HTTPS access: https://lcars/dokuwiki/doku.php

Enable Rewrite

  1. First is to enable apache2 mod “rewrite” by typing: sudo a2enmod rewrite
  2. Then modify the .htaccess.dist file found in the root of the dokuwiki directory
    1. cd /var/www/dokuwiki
    2. ls -a
    3. sudo vim .htaccess.dist
    4. Make sure the following lines are uncommented.
      1. Code:
        RewriteEngine on
         
        RewriteBase /dokuwiki
         
        RewriteRule ^_media/(.*)              lib/exe/fetch.php?media=$1  [QSA,L]
        RewriteRule ^_detail/(.*)             lib/exe/detail.php?media=$1  [QSA,L]
        RewriteRule ^_export/([^/]+)/(.*)     doku.php?do=export_$1&id=$2  [QSA,L]
        RewriteRule ^$                        doku.php  [L]
        RewriteCond %{REQUEST_FILENAME}       !-f
        RewriteCond %{REQUEST_FILENAME}       !-d
        RewriteRule (.*)                      doku.php?id=$1  [QSA,L]
        RewriteRule ^index.php$               doku.php

Manage Wiki

Logical Volume Manager

One of the great things about LVM is that you never run out of space. If it seems as if you are about to do so, you just add a new “physical volume” to your “volume group”, add that to your “logical volume”, and resize the file system. In effect, it's as if you have a partition that spans multiple drives.

It would of course be a good idea to back things up before you do this. But sometimes we don't have that option, do we?

Our existing volume group is “lcars”, and our existing logical volume is “root”. All of this of course needs to be done using the “sudo” command.

A little hint first: You can (and probably should) give the “-t” (test) option to each LVM command first, to make sure it's going to do what you want. Then I press the up arrow (history) and delete the “-t” option, so I know I'm running the same command.


Presumed Assumptions

  • The previous parts of this guide have been followed
  • A Brand New Hard Drive is being added to the system
  • All commands require sudo.
Expand the LVM
  1. Add the new disk to the machine
  2. Locate the new disk by entering the following command
    sudo fdisk -l
  1. This will display the available disks. Mine is /dev/sdb
  2. Now to format and activate the disk
  3. Enter the following line to select the correct disk:
sudo fdisk /dev/sdb
  1. A special prompt has appeared and we will enter the following commands:
    1. n = create new partition
    2. p = creates primary partition
    3. 1 = makes partition the first on the disk
    4. Push enter twice to accept the default first cylinder and last cylinder.
    5. To prepare the partition to be used by LVM use the following two commands.
      1. t = change partition type
      2. 8e = changes to LVM partition type
    6. Verify and write the information to the hard drive.
      1. p = view partition setup so we can review before writing changes to disk
      2. w = write changes to disk
  2. Enter the code below to create a LVM physical volume on the partition we just created.
sudo pvcreate /dev/sdb1
  1. Add the physical volume to the volume group:
sudo vgextend lcars /dev/sdb1
  1. Check your work:
sudo vgdisplay lcars
  1. Note the free space we now have.
  2. Extend the logical volume:
sudo lvresize -l 99%VG /dev/lcars/root
  1. The “-l 99%VG” option resizes the logical volume to 99% of the volume group's total size. The argument can be given in many ways. See “man lvcreate”.
  2. Check our work:
sudo lvdisplay
  1. Now we are ready to resize the filesystem:
sudo resize2fs /dev/lcars/root
  1. To confirm the expansion, enter:
df -lh
  1. The top line should display the added free space.
  2. Done!

Sources

1) Search Google for host install guides
2) See below the VirtualBox packages list for the USB Extension Pack