Setting up pw on ubuntu server
We lay out a simple disclaimer.
IF YOU ARE A NOOB AT LINUX DON'T BOTHER READING THIS...
WE WILL NOT BE HELD RESPONSIBLE!!!
(Forgive the typos and grammar.)
The GamerzDen Dev Team.
ANARCHY SERVERS
&
VENDETTA SERVERS
Perfect World
Ubuntu
Jaunty
64-bit server edition
(single server setup)
(We recently found that KARMIC IS A POS to work with when it comes to server files. Many missing components.)
See Ubuntu bug: https://bugs.launchpad.net/bugs/431091
================================================================================================
Symax - note:
First off; I've done everything I can to make running a pwserver as secure as possible (except for setting up a chroot).
I've changed the vast majority of IPs in the game files to point to the localhost IP 127.0.0.1.
I went through all of the files and changed their ownership to user and group "games".
I also figured out which of those files need to be owned by the first unprivileged user "pwserver" that will start the game.
Of all of these files, there are only 2 that need to be run as set UID root/set GID adm: gamed/gs and gdeliveryd/gdeliveryd.
The gdelivery daemon takes care of the timer control and is the main interface to the game files via iWeb.
The gamed/gs program starts up the world areas and causes all of the heavy load on the server.
Without seeing the source code for these 2 programs, I have been unable to find out if your system can be compromised because of
pwserver.
So consider this your warning: RUNNING PWSERVER MAY INVITE UNWANTED GUESTS INTO YOUR COMPUTERS.
The pwserver is a 32-bit package, so only tomcat could benefit from running the OS as 64-bits.
I have not yet had the time to turn this process into a debian package.
I have yet to figure out the minimum rights pwserver needs for MySQL.
The following tutorial was written by 3ViL with the assistance of [B]asH
================================================================================================
1. Install Ubuntu as an OpenSSH server using "pwserver" as the first non-root user.
(howto is later in the walkthrough with vipw edit)
================================================================================================
if you are starting from a scratch ubuntu jaunty server follow these steps.
================================================================================================
ssh root@localhost
you will be prompted with your password which later we will be removing.
Copy authorized_keys2 to .ssh/
chmod 600 .ssh/authorized_keys2
Configure /etc/ssh/ssh_config
Configure /etc/ssh/sshd_config
MORE ON ADDING USERS LATER IN THE WALKTHROUGH
================================================================================================
In the section below, to make this quick and painless, I consolidated all of the needed apt repositories into one line.
So basically all you need to do is cut, paste and answer yes.
================================================================================================
2a. Log in as root and install the following packages for pwserver and their dependencies:
apt-get install ia32-libs libxml2 libstdc++5 libpcre3 libmysql-java xutils-dev sun-java5-jdk ia32-sun-java5-bin mysql-admin libtomcat5.5-java tomcat5.5 tomcat5.5-admin tomcat5.5-webapps mysql-query-browser screen zip unrar php5-suhosin php5-xcache php-pear php-db php-auth-http smarty
================================================================================================
note: optional: before continuing we suggest you install this user friendly shell type
================================================================================================
### Install zsh ###
cd
mkdir custom [on the server you're installing zsh to]
==
cd custom
scp -r bdeb PLACE IP HERE:custom
cd bdeb
# Pick the package set that matches the architecture reported by uname -m
if [ "$(uname -m)" = "x86_64" ]; then
    # 64-bit
    dpkg -i zsh30_3.0.8-15_amd64.deb zsh30-static_3.0.8-15_amd64.deb zsh30-doc_3.0.8-15_all.deb
else
    # 32-bit
    dpkg -i zsh30_3.0.8-15_i386.deb zsh30-static_3.0.8-15_i386.deb zsh30-doc_3.0.8-15_all.deb
fi
cd /etc
tar -zxf /root/custom/bdeb/zsh30u.tar.gz
### Set up zsh ###
nano /etc/shells
ADD /bin/zsh30-static
ADD /bin/zsh
chsh -s /bin/zsh30-static
nano /etc/adduser.conf
EDIT DSHELL=/bin/zsh
================================================================================================
The following is for people who are used to using vim editor, unless you are familiar with this, skip to 2c.
================================================================================================
2b. Once you installed all those.
dpkg -P vim-tiny
2c. Install the following tasks with "tasksel install":
lamp-server
================================================================================================
Be sure that when you are using the GUI windows, when it asks you for a mysql root/admin password you do not. Just tab and click the OK buttons.
================================================================================================
================================================================================================
VERIFY THE /SERVER directory is present before proceeding
cd /server
================================================================================================
3a. Make it so that gacd and gfactiond can see libpcre:
cd /lib
ln -s libpcre.so.3 libpcre.so.0
cd /lib32
ln -s libpcre.so.3 libpcre.so.0
3b. Make it so that gamed/gs can see libtask:
cd /lib
ln /server/gamed/libtask.so
cd /lib32
ln /server/gamed/libtask.so
================================================================================================
note:
to continue below
you can obtain your ip by typing
ifconfig
look for
inet addr: XX.XX.XX.xx
================================================================================================
4. Add the following lines to /etc/hosts, using your public IP from 'ifconfig' for the first one:
<ENTER YOUR IP HERE> auth
127.0.0.1 aumanager
127.0.0.1 audb
127.0.0.1 manager
127.0.0.1 link1
127.0.0.1 game1
127.0.0.1 game2
127.0.0.1 game3
127.0.0.1 delivery
127.0.0.1 database
127.0.0.1 backup
127.0.0.1 gmserver
127.0.0.1 dbserver
127.0.0.1 gamedbserver
127.0.0.1 GAuth
127.0.0.1 gdelivery
127.0.0.1 GameDB
127.0.0.1 GameDBClient
127.0.0.1 providerserver6
127.0.0.1 providerserver7
127.0.0.1 providerserver8
127.0.0.1 providerserver9
127.0.0.1 linkip1
127.0.0.1 linkip2
127.0.0.1 linkip3
127.0.0.1 linkip4
Also, as a little trick of the trade: on the line that says
localhost, add an l after it.
127.0.0.1 localhost l
so if you try to ssh localhost all you have to do is type
ssh (user)@l
================================================================================================
now one of the more important parts of Ubuntu OS
THE FIREWALL
if you are unfamiliar with how to use the following refer to the ubuntu forums and read the man pages on UFW
================================================================================================
### Firewall Permissions ###
ufw allow from 127.0.0.1 to 127.0.0.1
ufw deny from any to any app OpenSSH
ufw allow from any to any app "Apache Full"
### Insert UFW ###
ufw status numbered
ufw insert [Num] "Rule"
================================================================================================
DO NOT ENABLE THE FIREWALL YET OR YOU MAY FIND YOURSELF UNABLE TO GET BACK IN!!
================================================================================================
================================================================================================
lets add users
================================================================================================
#### Add User to Server ####
================================================================================================
Make sure that user slot 1000 or 1001 is occupied by pwserver.
You can see this by typing in
vipw
So rule of thumb: add pwserver FIRST
================================================================================================
adduser [username]
(optional) adduser [username] [group]
sudo -i -u [username]
ssh root@localhost
say yes to accepting the key, and when prompted for a password, Ctrl+C to break out
touch .ssh/authorized_keys2
chmod 600 .ssh/authorized_keys2
Now you need to copy over keys from the dev server into the respective [username]/.ssh/authorized_keys2 files.
Now, to add firewall rules for these users, you can obtain their information by having them give you their IP addresses manually.
Then type in whois (their ip)
You will get something that looks like
XX.XX.0.0
#### Open Ports ####
ufw allow from any to any port 29000 proto tcp
ufw allow from <ip> to any app openssh
<ip> from the whois printout.
================================================================================================
ALMOST FINISHED
OK, this is a bit of a hassle, but getting these keys in place is essential to restricting who you want to have access to your server. This literally is one of the best ways to audit the traffic in your server.
================================================================================================
First for some necessary editing before you can do any other type of action regarding users.
vim /etc/ssh/sshd_config
now you will want to type i and edit the following lines to resemble the ones below
PermitRootLogin without-password
RSAAuthentication no
PasswordAuthentication no (you will need to remove the hash #)
now you need to:
vim /etc/ssh/ssh_config
and you want to uncomment and change permissions of the following
ForwardAgent yes
ForwardX11 yes (you will need to remove the hash #)
ForwardX11Trusted yes (you will need to remove the hash #)
StrictHostKeyChecking no (you will need to remove the hash #)
HashKnownHosts no
================================================================================================
now you want to restart the ssh server so you can continue:
/etc/init.d/ssh restart
one of the other things you will need to edit or check in on and to make sure everything is in proper order is:
vipw (this will edit the /etc/passwd file)
now the way we have this set up for the pwserver to be secure it is important that you pay attention to how the structure is.
in the list you will see something that looks like this
root:x:0:0:Charlie Root:/root:/bin/bash
The first is the name of the user, and then you will see three numbers. The third set is the one you have to worry about.
And the very end is going to tell what the default shell is going to start in when the person logs in.
Now the user slots 1000 - 2000 are reserved for new users and groups.
it is important that the user pwserver has the following slot
pwserver:x:1001:1001::/home/pwserver:/bin/zsh
because this is how it is set up in the other parts of the system. So to ensure this. you want to check this section out first.
Make sure someone else is in the 1000 slot, like the original user.
================================================================================================
Before creating new users, make zsh everyone's default shell:
vim /etc/adduser.conf
about the 4th line down change it to resemble:
DSHELL=/bin/zsh
================================================================================================
now to actually add in the user
First you want to add a user into your server type:
adduser (name_of_user)
When prompted for a password, just keep hitting [Enter]
you will be prompted to retry say no
================================================================================================
we suggest you put the names of your trustees for personal records
================================================================================================
And then enter the rest of the account information as normal.
You do not want anyone to have a password. Passwords can be hard to remember.
After you create the user, use:
sudo -i -u username
first you want to ssh in as root
ssh root@localhost
You should see something like the following:
username@yourserverdns:~>ssh root@l
Warning: Permanently added 'l' (RSA) to the list of known hosts.
root@l's password:
you will be prompted for a password type
Ctrl+C
this will cancel it as you do not really want to log in as root
Create SSH keys using DSA with PuttyGen
now you are going to add user keys to .ssh/authorized_keys2
touch .ssh/authorized_keys2
chmod 600 .ssh/authorized_keys2
vim .ssh/authorized_keys2
================================================================================================
Now add in keys from root's authorized_keys file and any user keys that need to be here.
================================================================================================
"Only put users keys in user shells and for account pwserver if you trust them. NEVER IN THE ROOT LEVEL SSH. "
The only DSA keys that should be entered at the root .ssh are the SUPER GMs you absolutely trust. Because it only takes one douche to screw it up.
And voila, you have your keys in place for your users. Now they can putty into your server directly without having to use passwords, thus making access to the server directly virtually impossible.
NOW TEST login using your keys if they work fine. You are good to go.
Double check your firewall rules
ufw status
make sure the IPs are in place
once you verify everything is in order
type
ufw enable
service ssh restart
================================================================================================
edit this quick
vim /etc/mysql/my.cnf
bind-address = 0.0.0.0
mysql>
create database dbo;
exit
cd /server/sql
now type in at the prompt
mysql < /server/sql/dbo.sql
mysql < /server/sql/dbo.original.sql
mysql < /server/sql/dbo-v2.sql
mysql < /server/sql/dbo-v2.3.sql
Don't worry about the error messages; they are basically telling you the tables exist.
this will ensure you have all the tables
================================================================================================
note:
you may want to download mysql gui tools like mysql administrator and mysql browser so you can set admins and permissions and check databases and write up scripts for later on with webhosting
================================================================================================
# Link in server files in such a way so as to not clutter up /etc on removal of pwserver files.
cd /etc
lndir /server/etc
# Pass in the mysql database script.
================================================================================================
IWEB TIME WOOT
================================================================================================
get started on the iweb
apt-get install sysv-rc-conf
now you are going to make sure that the tomcat is unchecked for start up
rehash
sysv-rc-conf
Scroll to the line that has tomcat5.5 near the bottom and uncheck all the boxes using your arrow keys and spacebar, then use q to quit when done.
================================================================================================
Now we are going to need to make sure the java enviro is present
================================================================================================
echo 'export JAVA_HOME=/usr/lib/jvm/java-1.5.0-sun'>> /etc/zsh30/zprofile
================================================================================================
for editing your server specs
================================================================================================
##to edit flying in dungeons etc you edit##
/server/gamed/gs.conf
remove the no-fly in the area you choose
We would also suggest adding in no-drop
to prevent the cheaters from duping items and ripping the server to shreds.
##to edit server gold/level/sp amounts##
/server/gamed/ptemplate.conf
set your rates on the
exp_bonus = 500
DROP_bonus = 500
MONEY_bonus = 500
sp_bonus = 500
================================================================================================
NOW YOU ARE READY TO START THE SERVER!!!!
================================================================================================
ssh pwserver@l
cd /server
./start.sh
and voila
note: if you are failing to launch you should check your logs and fix the errors
================================================================================================
After starting up the iweb and making changes and making them stick
================================================================================================
IWEB CHANGES TO STICK
cd /home/gamedbd
./gamedbd gamesys.conf exportclsconfig
================================================================================================
NOW for important server maintenance information
================================================================================================
##GAME BACKUP##
REMEMBER BEFORE DOING THE REMOVE OF LOGS SERVER MUST BE DOWN
mv /server/logs/* /root/logs/
rm -rf /root/logs/*
tar -zcf - /server > /root/backup/pw.tar.gz
##SQL BACKUP##
mysqldump --skip-extended-insert --disable-keys --add-drop-table --complete-insert --databases dbo > /root/backup/pw.sql
##REPLACE THE CURRENT SERVER WITH A BACKUP##
tar -C / -zxf /root/backup/pw.tar.gz
mysql < /root/backup/pw.sql
##UPDATES##
apt-get update
apt-get upgrade
DO THIS UPDATE WEEKLY TO MAKE SURE YOU ARE CURRENT WITH NEEDED REPOSITORIES
================================================================================================
NOTE TO USER!!!
We put this disclaimer in for one purpose only.
WE ARE NOT RESPONSIBLE FOR YOUR MESS UPS!!!
THIS IS YOUR SERVER, AND YOU ARE THE CONTROLLER.
WE MERELY PROVIDED THIS WALKTHROUGH AS AN ASSISTANCE.
================================================================================================
if you are experiencing difficulties with getting your server started
contact us at gamerz@gamerzden.org
We will help you get your server up and running.
There is a one time $125 service fee for any work we do.
We guarantee our work or your money back
the guarantee is limited to operating system functions, and INITIAL server launch
this does not cover game functions.
Editing or changing of server or game files made by the user will void our work guarantee.
================================================================================================
http://gamerz@gamerzden.org
We have a custom server build that can be downloaded via apt-get archives.
EMAIL US FOR INFORMATION!
Last edited by crydon13; 09-05-10 at 09:07 PM.
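
Added example, not part of the original post: a shell check to run before `ufw enable`, confirming that the sshd_config edits above actually took effect (a keyword whose hash was left in falls back to sshd's default) and that pwserver holds UID 1001. The function names and the constructed sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: confirm the walkthrough's SSH and account settings took effect.
# File paths are arguments so the checks can run against copies.

# Print the effective value of an sshd_config keyword. sshd uses the first
# uncommented occurrence; keywords are case-insensitive. Match blocks and the
# "Keyword=value" form are not handled (assumption: a flat config file).
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }   # a line still carrying the hash has no effect
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print the numeric UID of USER from a passwd-format file.
passwd_uid() {  # usage: passwd_uid FILE USER
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}

# Return 0 only when every check passes; print one line per failure.
audit_pwserver_host() {  # usage: audit_pwserver_host SSHD_CONFIG PASSWD_FILE
    rc=0
    v=$(sshd_effective "$1" PasswordAuthentication)
    # An unset keyword falls back to sshd's default, which is "yes".
    [ "$v" = "no" ] || { echo "FAIL PasswordAuthentication=${v:-unset, default yes}"; rc=1; }
    v=$(sshd_effective "$1" PermitRootLogin)
    [ "$v" = "without-password" ] || { echo "FAIL PermitRootLogin=${v:-unset}"; rc=1; }
    v=$(passwd_uid "$2" pwserver)
    [ "$v" = "1001" ] || { echo "FAIL pwserver uid=${v:-missing}"; rc=1; }
    return "$rc"
}

# Constructed sample files (not taken from a real host).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'PermitRootLogin without-password' \
        '#PasswordAuthentication no' > "$d/sshd_hash_left_in"
    printf '%s\n' 'PermitRootLogin without-password' \
        'PasswordAuthentication no' > "$d/sshd_ok"
    printf '%s\n' 'root:x:0:0:Charlie Root:/root:/bin/bash' \
        'pwserver:x:1001:1001::/home/pwserver:/bin/zsh' > "$d/passwd"
    audit_pwserver_host "$d/sshd_hash_left_in" "$d/passwd" || echo "-> fix before 'ufw enable'"
    audit_pwserver_host "$d/sshd_ok" "$d/passwd" && echo "OK"
    rm -rf "$d"
}
demo
```

On a live host the call would be `audit_pwserver_host /etc/ssh/sshd_config /etc/passwd`, run as a user who can read both files.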
Re: Setting up pw on ubuntu server
Good, thanks!
I USE red hat as5!
Re: Setting up pw on ubuntu server
We are almost finished with the redhat/fedora walk through. We will be compositing a working rpm for /server files.