The StrongBox Quickstart Guide

or "How to build a secure web server in 20 minutes"




StrongBox is an implementation of a set of system design principles that I've outlined in my document entitled "The Partially Embedded Computing Manifesto". The purpose of that document is to explain why StrongBox has been designed the way it is.

This quickstart guide, on the other hand, is meant to provide an introduction to StrongBox, and to get you started using it quickly. The secondary purpose of this document is to help you to create a secure web server with about 20 minutes of concentrated effort.



Section 1: Initial Setup

Step one: Hardware Requirements and Recommendations

StrongBox has fairly light hardware requirements. The most stringent is adequate RAM. For most situations, you won't be able to run it effectively with less than 128MB of RAM. It's possible to run it with less than that: 64MB is probably the practical minimum, and 32MB might be possible with a lot of prior tweaking. However, these configurations require a preconfigured swap partition, and will definitely be slower. For production systems with multiple virtual servers, I'd recommend 256MB to 1GB of RAM.

The only other requirement is some place to save configurations and patches for StrongBox. This requires at least 1MB of disk space, and it requires a unix-style filesystem that supports links (this could include ext2, ext3, xfs, reiserfs, reiserfs4, etc). This could be, for instance, a USB key with an ext2 partition, or an existing linux partition on a hard drive, etc. This partition does not necessarily need to be reformatted, and will have only 2 directories placed on it: /configs and /patches.

There are a few recommendations beyond that. If you have a monitor and video card that supports 800x600 at 16 bit, you'll get more screen real estate, and a pretty boot screen. If you have more disk space, then you can store more files. If you have a mouse and keyboard attached, then you can use the pretty web-based configuration interface from the console. But, it will work equally well with a simple serial console (115200,N81, VT100): the choice is up to you.

There is very little else that's required for simply running StrongBox. It can run entirely from RAM and CDROM with almost no effort, and without touching or destroying your disks. I can make absolutely no guarantees, but StrongBox has yet to destroy a running system by itself. You may, however, want more resources for storing things like web pages, temporary files, databases, etc, which would involve formatting disks, etc.

Step Two: Bootup

Insert the cdrom. Type in "nopatch" at the isolinux prompt. Wait until you're asked to log in. What does this mean?

The "nopatch" command runs a StrongBox boot script called "nopatch". This boot script tells StrongBox to look for the OS on a cdrom and not look for a patch. There are also a few other options in it, most of which simply constitute some sane defaults for StrongBox.

If you're having video problems with 800x600, try running "nofb".

There are a lot of other options: F1 will show you boot commands, and F2 will show you boot options for specific hardware setups.

Step Three: Passwords and Keys


StrongBox has booted up. It has probably detected most of your hardware and loaded modules for sound, video, telephony, ethernet, etc. It will also have attempted to get a DHCP address, automatically launched ssh, and created host keys for you. Your username and password are now "root" and "" (i.e. a blank password).


IMPORTANT: Once you log in, the root account is locked! You must now set up authentication for the box, or else you will have to start again from scratch if you log out. There are many forms of authentication supported by StrongBox. If you have a USB flash drive, here's how you set up 2 factor authentication (authentication that, in this case, requires a USB flash drive and a password), and get a StrongBox signing key, all in a few simple steps.

Whether or not you have a USB flash drive, you will need a StrongBox key. This key is your ticket to being able to sign patches for StrongBox. Keys for the public version of StrongBox are available for free using the "freecert" command. These keys will not work with the commercially supported version of StrongBox: you will have a key for that given to you when you purchase a copy.

To obtain a key/certificate, launch the "freecert" command. The email address you provide in this command must be unique (not shared by anyone else), and you will be denied if it is not. You can rest assured that the information that you enter will be kept secure. However, if you're leery of entering in real information here, you can always enter bogus information. The key will be granted to you regardless (there is no email verification scheme, etc).

freecert

Once you've obtained a key, you can automatically have it added to a usb flash drive. If you don't, you can always save it into your StrongBox system (defaulting to whatever directory you
were in when you created the key). Be warned: this is not as secure.

Note: using free certificates for a production system is not recommended. Because these keys are easily obtainable, they cannot be trusted 100%. You should be adding your own organizational CA to StrongBox, or using a commercial version of StrongBox with a secure CA. See www.strongboxlinux.com for more details.

The command to change user authentication is admuser, and to change it for root, use
"admuser root". I recommend setting up 2 kinds of authentication: such as usb
and ssh key, or password and ssh key. The choice, however, remains up to you. If you want to
set up authentication for USB, type "usb" at the prompt. If you want to set up
authentication for a certificate that is on the filesystem, choose "cert" at the prompt. If
you want to set up passwords or ssh authentication (using x509 certificates, or public keys
in openssh format) then use those options.

admuser

Next, you should set up an administrative user account. This will be the account that you
use for day-to-day use. The reasons for using a specific administrator account, instead of
root, for administering your box are the following:

1) Logging of who executed what command
2) Increased security of consoles and terminals that are left unattended
3) The ability for each administrator to personalize their own settings.

Administrator accounts in StrongBox have privileges essentially equivalent to root in terms
of ease of use. The only difference is that there are more checks and balances, and it's
harder to accidentally make changes that could destroy your system.

To add a user, simply type "admuser". You will be prompted for user information. Note that
usernames are case sensitive! Set up authentication for the user the same way as you did for
root. There is no difference in the setup, and usb logins should work the same.

admuser jblue

Important note for USB users with unix formatted USB keys (this doesn't apply to keys that are prepartitioned with "fat" or "vfat" filesystems): If you have both "root" and a user on the system authenticating with the same usb key, then you must change the ownership of the files, or the authentication subsystem will refuse to authenticate you. Execute the following:

chown -R admins:<username> /mnt/usb/keys

Where "username" is the name of the administrative user account that will log in. This
limitation is there for your own safety.

When you're done, if you want to create a full administrative user (i.e. one that is able to
access all root commands) then execute the following after entering in the user's
information:

usermod -G wheel,admins <username>

This puts the user into the "wheel" group, which is able to switch to root privileges
easily. Next, if you're on the console, you can switch consoles (alt-F2) and test the
information you entered. If you're successful, you're done. Now log in your main console
with your administrative user (not root!) and get ready to play.


If you're on StrongBox, and aren't running the Quickstart guide there, you can do so by
typing "quickstart". You can then switch to a second console (Consoles 1 through 6 are
available using alt-F1 through alt-F6) where you can execute all the commands you need to
use.




Section 2: Basic Setup

You may or may not realize it, but you're now running StrongBox. Congratulations! StrongBox doesn't have an initial install procedure, simply because the OS doesn't require one. However, if you want to do something useful with this computer (other than log into it and look at the pretty pictures) you'll have to set up resources for StrongBox to use. In StrongBox, "computer resources" is a more useful term than "installation".

The StrongBox OS is entirely modular. Nearly all services are run in what are called "bundles". A bundle is merely a set of software that is launched from the base StrongBox OS (which always resides in RAM) and generally resides in its own environment. The bundles can be based on a disk, or a network filesystem, or out of RAM as well.

If you're reading this on StrongBox (which you can do on recent versions by running the "quickstart" command), then you're already running a bundle. It's called the "docs" bundle, and its sole purpose is to provide documentation, and a few nifty utilities. These include "man", "info", links (a console-based web-browser), and, if you're a little handy, directvnc, ghostscript and cups (which aren't fully supported yet).

Bundles can run off of the CD, or they can run off of the hard disk or out of RAM. If you want to create a complete install of StrongBox on one or more hard disks, then run the "Installation Walkthrough", which will be covered in the manual in more detail. This guide will only cover a very basic form of StrongBox: with just a CD-ROM, a USB key or a small hard drive partition, and, if you have less than 256 MB of RAM, a swap partition.

Step One: Creating a Swap Partition

StrongBox may have already detected and activated an existing swap partition. You can check
if this is the case by running:

swapon -s

If anything comes up in the list ( such as /dev/hdb2\040deleted ) then you've got a swap
partition already loaded, and can go to the next step.

If you don't, and you have less than 256 MB of RAM, then you'll need to either start one, or make one. To do this, type:

strongbox

This will bring up the StrongBox console, where you can configure a number of things about
your StrongBox installation. From here, choose "Manage Installation", and then choose "Make
Swap Partition".



This will bring up a list of partitions for you. If you want to use an existing partition,
then choose it. If you'd rather repartition your hard drive, then choose "cfdisk". StrongBox
supports partition resizing: ntfsresize, resize2fs, resize_reiserfs, resize.reiserfs4, xfs_growfs, lvreduce, evms, and parted are all available, and have manual pages covering each of them. If you're making a StrongBox swap partition, I'd recommend allocating 1 GB of swap.

If you need help resizing partitions, you can try using "qtparted", which is included on the CD-ROM.


Once you've chosen a partition, allow strongbox to activate it. Then, quit the StrongBox
console. You can verify that it's working by running "swapon -s". You should then see the
partition you just assigned in the list.

*** Advanced users: if you're assigning a non-standard swap partition (such as a loop
device, encrypted swap, etc), then you should add an entry for it into fstab to have it re-activated
on reboot.

Step two: Assigning a patch device and a key

For this step, you simply have to choose where you want to store your configuration
information for StrongBox. If you don't have a filesystem already available for this (such
as an ext2 formatted usb key, or a linux disk that's running another distribution), then
you'll need to create one. To create one, type in "strongbox install" at the command prompt.
From there, choose "Select Install Source", and then "Make StrongBox Partition" (Note: if you don't have a lot of disk space, you can type in "none" when it's asking you what versions of the StrongBox OS to copy over). Or, you can simply run "cfdisk" at the command prompt, and run mke2fs /dev/<device> on the partition you create. Warning: any of these commands, used improperly, could damage your system.


Once you have a partition, type "strongbox" at the prompt. Run "Change StrongBox Patch
Volume". This will bring up a list for you. The only limitation is that it cannot be a filesystem
that doesn't support symlinks (such as fat12, fat32, or ntfs). Any unix filesystem should do
the trick. This can be an ext2 usb key as well: it will show up as "sda1" or anything that says "sd<letter> <number>".
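Before picking a volume from that list, you can check it against the two requirements this guide gives for a patch volume (symlink support, and at least 1MB of space). The script below is an added example and is not part of StrongBox; the function name and return codes are made up for illustration, and /mnt/usb is just the mount point used elsewhere in this guide.

```sh
#!/bin/sh
# Added example, not a StrongBox tool. Pre-flight check for a candidate
# patch volume, using the two requirements stated in this guide:
#   - the filesystem must support symlinks (so no fat12, fat32 or ntfs)
#   - at least 1MB of space for /configs and /patches

# check_patch_volume MOUNTPOINT
# returns 0 = usable, 1 = not a writable directory, 2 = no symlink support,
#         3 = less than 1MB free (or free space unreadable)
check_patch_volume() {
    mnt=$1
    if [ ! -d "$mnt" ] || [ ! -w "$mnt" ]; then
        echo "$mnt: not a writable directory (is it mounted read-write?)" >&2
        return 1
    fi

    # Probe inside a private scratch directory so nothing already on the
    # volume is touched, and remove it again whatever the outcome.
    probe=$(mktemp -d "$mnt/.sbprobe.XXXXXX") || return 1
    rc=0
    if ! ln -s probe-target "$probe/link" 2>/dev/null || [ ! -L "$probe/link" ]; then
        echo "$mnt: filesystem does not support symlinks" >&2
        rc=2
    fi
    rm -rf "$probe"
    [ "$rc" -eq 0 ] || return "$rc"

    # df -P prints one fixed-format line per filesystem; with -k, column 4
    # is the available space in 1K blocks.
    free_kb=$(df -Pk "$mnt" | awk 'NR == 2 { print $4 }')
    case $free_kb in
        ''|*[!0-9]*) echo "$mnt: could not read free space" >&2; return 3 ;;
    esac
    if [ "$free_kb" -lt 1024 ]; then
        echo "$mnt: only ${free_kb}K free, need at least 1024K" >&2
        return 3
    fi
    return 0
}

# Usage: sh check_patch_volume.sh /mnt/usb
if [ $# -eq 1 ]; then
    check_patch_volume "$1" && echo "$1: OK to use as a patch volume"
fi
```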


Then, you need to select a key for signing configurations. If you have the certificate on a
USB key, you should insert it now. Then choose "Security Settings" and select the key. If
you don't have it on the usb key, then specify its filename or the directory it's in, or type "home" to look in your home directory. Once you've selected a valid key, it will ask you for the key's password. If you enter it, it will be loaded into memory for all the operations the StrongBox Console performs until you quit.


Run "save current configuration". If you've completed the other steps successfully, then this
will save all your changes to the volume you've selected. Then, choose "Add To Boot
Configuration". This will first ask you to add comments about the patch that you
created. This is the start of a changelog that will follow all your changes to the
system. After you hit exit, and save the comments, you will be asked to accept the boot
script that StrongBox has created for you. Choose "Accept Boot Script".


*** Advanced Users: StrongBox supports a myriad of boot options, which are listed in the
StrongBox manual (type "manual" at the command prompt). This can help you customize your
ramdisk for a larger size, or for different security settings. The defaults are quite sane,
flexible, and are the best for low memory situations.

You now have a fully working StrongBox system. If you were to reboot, and let the system
boot unattended, you will always be back to where you were the last time that you
saved your configuration. This is an important principle in StrongBox: all changes must be saved,
or else they will be erased on reboot. This means that all changes to your system must be
both saved and signed with your StrongBox key or it's like they never really happened. This
is one way that StrongBox safeguards your data.

Step 3: Installing Bundles

Almost all applications that run on StrongBox (web servers, database servers, etc.) run in
bundles. "Bundle" is a generic term that is used to describe a collection of programs,
libraries, and files that are used to run services in a secure environment on your box. They
fulfill the following needs in StrongBox:

1) Isolation: All bundles are isolated from each other, as well as the main host, for greater
security

2) Immutability: Bundles generally use read-only filesystems. Only files that must be
written to during the course of operation can be written to. That means that other files
(such as libraries, binaries, etc) cannot be changed during normal operation

3) Manageability and auditability: Because bundles have an immutable base, it's easy to see what's changed when it does change. And, with the use of digital certificates, it's easy to trace who changed them as well.

The base StrongBox CD comes with a bundle that's geared towards web hosting. It includes postfix, postgres, mysql, apache, cyrus imap... all the services that a web hosting company would need to function. This section will show you how to set up that bundle. StrongBox bundles can easily be run off of a cdrom. If you want to learn how to install them to a hard drive, that's covered in the "Installation Walkthrough" section.

First, make sure that the CD-ROM is inserted. Then run "strongbox install" or choose "manage installation" in the strongbox console. Then, run "scan bundles". This should automatically load the bundles that you have available on cdrom. Note: StrongBox verifies the digital signatures on all of them, so this will take a minute:
 


At this point, choose quit to go back to the main console. Then choose "Install Bundles",
and "Setup new bundle". The list should contain "debmail" (with a version number after it),
which is the one you want. Choose this, and type in a name for the bundle installation. This
creates an instance of the bundle under that name.


Once it's done, it will ask you if you'd like to configure the bundle now. Choose yes. This brings you to the bundle configuration screen.


At this screen, choose "Save/edit configuration". This brings up the configuration for the bundle (very much
like the boot configuration window) and asks you to approve it. First, however, you
should choose "Edit Port Forwarding". Since this will be a web server that we want
other people to be able to access, type in "80" at the prompt. Then, accept the
configuration and choose "start bundle".


*** Advanced users: You will note a) that the bundle has been automatically assigned an unrouteable IP address, b) the box is automatically using the box's main IP address, and c) there are a lot of other configuration parameters that are available. They're all described in the StrongBox Manual. The automatic configuration parameters are all contained in /etc/strongbox.conf. The comments in that file cover most of what these settings do, and how they're used in StrongBox, as well as a number of other options that are available to you.

Step Four: Using Bundles

At this point, you'll see the services starting up in the bundle. Two of the services, cyrus and mysql, will complain that they have no storage assigned to them, and so won't start. This is normal, as you haven't assigned any storage to them. You can do that after running the "Installation Walkthrough" by choosing "Edit mount information".


Once the bundle has started, you can
enter it simply using "enter bundle". This brings you to a command prompt that is distinctive, as
it shows you the name of the bundle and the hostname, so you know where you are in the
system. You'll now notice, if you do "ip addr ls", that you can only see the virtual ip
address and the virtual interface for the bundle, not the real ip address of the box. Also,
you'll notice something else: try "touch /etc/test". It will complain that it's a read-only
filesystem. This is also normal, as this bundle comes shipped with an option called
"LOCK_CONFIG". This option can be changed, but you don't need to right now. Type "exit" to
get back to the bundle configuration screen, and then choose "Enter Configuration Mode".
This will bring up the bundle again. You'll also find that if you run "touch /etc/test" it
will now work.


OK, exit out now, as you should try out the web server and make sure that it's working. Exit
out of the StrongBox console and type: "links http://<bundlename>" or "links
http://172.30.30.1". This should bring up the apache start page.


You now have a functioning web server. You should probably save your configuration. Instead
of navigating the menus, you can now run: strongbox quicksave. This will save everything
that you've done so far. After you've saved, you can reboot. StrongBox will automatically
start the webserver you've configured when it's rebooted.

Step Five (optional): Configuring webmin

Webmin has been included by default with StrongBox, and will be automatically installed if you create a partition for your bundles. There are a couple of caveats, however, with some solutions that StrongBox has to help you.


To use webmin in strongbox, simply type "webmin". Log in as an administrative user (using the username and password that you set up in the last section), and you should have privileges for everything that you need. Note that strongbox uses webmin in an "on-demand" way: the webmin server is brought up when you're using it, and is shut down when you're not using it. This allows you to have all the benefits of the webmin interface, without the related security holes.

If you want to use webmin remotely, you should ssh to StrongBox, and use port forwarding to forward from your local machine to the StrongBox webmin interface. The first time you run webmin on StrongBox, it chooses a random high port to run it on. If you want to set this port, you can change it by typing: edit /etc/webmin/miniserv.conf, and changing the "port" line (the default for webmin is normally 10000). Then, once you're happy with it, ssh to the server you've built with your local port 10000 forwarded to the remote webmin port. If you're using openssh, the command would look something like:

ssh -l <username> -L 10000:localhost:<webmin port> my.server.name

This gets you access to webmin from your remote machine.
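Since the webmin port is chosen at random on first run, it's handy to read it out of miniserv.conf rather than guess. The script below is an added example and is not part of StrongBox or webmin: it pulls the "port" line out of a copy of miniserv.conf and prints the matching ssh command from above. The function names and the sample file contents are constructed for illustration; it assumes the usual key=value layout of miniserv.conf, and it pins the local end of the forward to 127.0.0.1 so that only your own machine can use the tunnel.

```sh
#!/bin/sh
# Added example, not part of StrongBox or webmin.

# webmin_port FILE -> prints the value of the "port=" line in a miniserv.conf
webmin_port() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    # key=value, one per line; anchor on ^port= so "listen=10000" is ignored,
    # and take the last entry if the key appears more than once.
    port=$(sed -n 's/^port=\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
    [ -n "$port" ] || { echo "no usable port= line in $conf" >&2; return 1; }
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port $port out of range" >&2
        return 1
    fi
    printf '%s\n' "$port"
}

# tunnel_command USER HOST CONF [LOCAL_PORT] -> prints the ssh command line
tunnel_command() {
    user=$1 host=$2 conf=$3 local_port=${4:-10000}
    # Refuse empty values, and values ssh would parse as options.
    for v in "$user" "$host"; do
        case $v in
            ''|-*) echo "bad user or host: '$v'" >&2; return 1 ;;
        esac
    done
    remote_port=$(webmin_port "$conf") || return 1
    # "localhost" is resolved on the StrongBox side of the connection;
    # 127.0.0.1 in front pins the listening end on your own machine.
    printf 'ssh -l %s -L 127.0.0.1:%s:localhost:%s %s\n' \
        "$user" "$local_port" "$remote_port" "$host"
}

# sample_conf -> writes a constructed miniserv.conf fragment, prints its path
sample_conf() {
    f=$(mktemp) || return 1
    printf 'port=23817\nlisten=10000\nssl=1\n' > "$f"
    printf '%s\n' "$f"
}

# Usage: sh webmin_tunnel.sh <username> my.server.name ./miniserv.conf
if [ $# -ge 3 ]; then
    tunnel_command "$@"
fi
```

Run it against a copy of /etc/webmin/miniserv.conf fetched from the StrongBox machine, then point your local browser at port 10000 on localhost once the ssh session is up.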

However, you may also want to use webmin for the bundles as well as the main StrongBox machine. The recommended way to do this is by using the main StrongBox machine's webmin installation to control all the bundles. To do this, type the following:

webmin takeover <bundlename>

This does the following:
a) creates a random, difficult to guess webmin root password for the bundle
b) creates a webmin server configuration for that bundle in /etc/webmin
c) unlocks the configuration for the StrongBox bundle
d) launches webmin in that bundle, and in strongbox
e) launches a links session for webmin to that bundle through the main StrongBox bundle.
f) stops webmin in the bundle
g) waits for the user to hit enter, and then re-locks the configuration for the bundle, and stops webmin servers

Once you've done the "takeover" (and saved your strongbox configuration), you can automatically connect to the bundle without re-setting the password by simply using:

webmin <bundlename>

If you're using this over a remote connection, you should connect using port forwarding the same way. Then, simply browse to: webmin -> webmin servers index, and choose the appropriate server from the list. You may want to pay particular attention to the "Virtualmin Virtual Servers" module, which gives you most of the features that you'd want for doing webhosting with multiple users.

Note: if you're running the system off of CDRom, and you have more than 128MB of RAM available, you probably want to run "webmin install" first. This loads webmin into your ramdisk, so that the number of different processes that have to access the cdrom at one time is reduced. This will speed up your
interface considerably, at the cost of around 20MB of RAM.

Also: links is a very simple framebuffer web browser. Although it does a very good job for the footprint that it has, it is not a full-featured web browser. I don't recommend using it for very extensive configuration using webmin, it's more meant as a handy tool that allows you to do some work right on the console. In particular, it doesn't always refresh the data promptly: you may need to choose "reload" from the file menu (or CTRL-R) to get it to see changes that you've made.


Step Six (optional): Save your changes

Remember to always save your changes when you're done configuring your StrongBox system! And, use the handy changelog system to enter in real information about what you did and why you did it. It takes an extra 30 seconds now, but it'll save you hours when you're trying to track down configuration bugs. So, at the end of configuring your box, type:

strongbox quicksave

This saves your configuration based on the parameters you entered in earlier, and does it as quickly and unobnoxiously as possible.

You now have a working StrongBox Linux system. Congratulations.




Section 3: Where to go from here?

There are a number of advanced features of StrongBox that you can access. More and more are
being integrated every day. Also, more and more bundles are being created for StrongBox. For
the latest information on this, visit www.strongboxlinux.com.

Here are some of the features in the default install of StrongBox:

Documentation:

There is a bundle of documentation that comes with StrongBox. Run "manual" for the StrongBox
manual. Run "docs" to view a piece of documentation. Run "finddoc <something>" to look for a
document whose name you know. And man and info should work normally with the CD inserted (or
the bundles installed to disc).

Also, a number of guides and other miscellaneous information are included. If you run "docs"
the first few things are:
00-StrongBox    The StrongBox documentation (which is ever growing)
01-HOWTOS    English Language Howtos from the LDP Project
02-guides    Several Guides, both from the LDP project, and other projects on the net
10-DiveIntoPython    A great book that's available about the Python language


And much, much more, including some of the default files and documentation from all the
packages used to build strongbox. Note that, when the docs bundle is running, all these
files are located at /vservers/docs.

Installation Walkthrough:

The installation walkthrough is what you should use for a first time setup of StrongBox.
Think about how much resources you need beforehand. If you use LVM and reiserfs, then you
want to estimate low: it's very easy to resize reiserfs volumes on LVM, so you have a
maximum of flexibility. All of the normal rules apply: mirrored raid or raid 5 is desirable,
and backups are good. StrongBox 1.0 should have an automatic backup feature available for
net backups, tape backups, and periodic disc mirroring for changes.


The debmail bundle takes up 350MB in read-only, compressed format. If you want to uncompress
it to use it as a vserver, you should see www.linux-vserver.com for more information about
the linux-vserver subsystem that is responsible for a lot of the manageability of StrongBox.
You should also read up on the vmount subsystem in the StrongBox Manual: you can really use
it to your advantage in a vserver-based system design.

Firewalling:

For a bundle of obvious reasons, including that it can run entirely from RAM, StrongBox makes an ideal firewall system. Included in StrongBox is the shorewall firewall, which is an advanced firewall configuration utility, that just happens to be integrated with the firewalling on the StrongBox bundles. Run "man shorewall" for information on example setups, etc. The information there is taken from http://www.shorewall.net, which will have even more information for you. Also, there's a webmin interface for shorewall installed in StrongBox.

Other advanced firewalling features included in StrongBox:

ipvs: allows for virtual services routing to multiple hosts (Layer 4 routing)
pound: a simple, secure, reverse proxy that handles layer 7 content switching for web
services
openswan: an advanced ipsec vpn solution that supports site-to-site VPN, client-to-site
VPN and opportunistic encryption
poptop: a client-to-site vpn solution for windows pptp/l2tp clients
vconfig: Handles vlans (supported by most modern managed switches to virtualize network
connectivity)

Logging:

StrongBox supports, nay, encourages logging to mysql servers. Version 1.0 will have an easy
switch to do it. For now, several howtos exist online that describe the process.

Syslog-ng, which shorewall uses, is a very flexible logging program. It allows automatic
classification of logs based on any parameter you wish, and can easily be configured to call
another program to parse information for it. By default, however, all logs are directed to RAM: you should create a log partition (such as /dev/data/logs) to store these on at the very least.

Usermode Linux:

StrongBox supports usermode linux out of the box. Eventually, usermode linux bundles will be
available just as easily as the StrongBox static vserver bundles. You'll see this after
version 1.0. Also, QEMU support is under active development, and will show up in later
versions.

Clustering:

StrongBox supports clustering through heartbeat and ldirectord. More information can be obtained on the linux-cluster project website. Stay tuned, version 1.0 should also have ENDB support (enhanced network block devices). Versions of StrongBox with GFS support are also in the works. StrongBox's modular design makes it an ideal platform for keeping a cluster working together. Also, if you have your bundle configurations on a redundant nfs or endb partition, you can easily have bundles that migrate between servers, by simply running bundle <name> stop on one server, and bundle <name> start on the other (assuming that data files are being kept in sync).

Directory Services:

If you want a box to perform domain authentication, then you should look no further. There's
built-in support in StrongBox for ldap, kerberos, and NIS authentication, allowing for full
integration into company domain systems. StrongBox makes an ideal directory services
server: it's secure, and can be locked down so that no remote access to the core system
is possible.

There is a bundle in development that can provide samba/LDAP integration as well, to act as
a very secure domain controller for windows boxes.

PBX and Asterisk:

StrongBox has built-in support for Digium hardware. An asterisk bundle will be coming in
early 2005. As a secure system that's built for reliability and low maintenance, StrongBox
makes an ideal platform for building phone systems.

Kiosk and Desktop systems:

StrongBox customized desktop and kiosk bundles are available for paying customers. Knoppix-like hardware detection and a high level of security mean that your system can be made virtually unbreakable by your users/customers. Talk to us today about your needs, and we can have you up and running quickly.

In short, StrongBox is an ideal platform for many kinds of deployments. The very small core OS provides a solid underpinning on which reliable services can be deployed. The state of the art digital security gives you extra peace of mind.

If you're interested in supporting StrongBox, whether through development, evangelism, or buying our commercial product, please contact us at http://www.strongboxlinux.com or info@strongboxlinux.com.

Thanks!
Liam Helmer
Helmer Computing Corporation
Vancouver, Canada