server installation

Nelson Loyola edited this page Jan 23, 2020 · 20 revisions

Biobank server installation

The server can be deployed on computers running Linux or MS Windows. However, up to now the server has only been tested and installed on computers running Linux (Ubuntu Server 16.04.3 LTS is recommended). The Biobank server is distributed as an Ubuntu package or as a tar archive. It should be installed under a special user account for better security.

For Biobank version 3.12.0, the application runs under Tomcat version 8.5.30. Some precautions, listed below, should be taken when running the server.

Requirements

A minimum of 2 GB of RAM is required to run the server. Up to now the server has been installed on standalone servers and also on virtual machines.

Prior to deploying a server, the following software packages have to be installed:

  1. Oracle Java SE Development Kit 7. Please see the instructions given below on how to configure Java on Ubuntu. For other distributions, please refer to their documentation. Please do not use OpenJDK as the application will not work correctly.

  2. Install the required packages with the following command:

    sudo apt-get install mysql-server apache2 libapache2-mod-jk \
                         libapache2-mod-security2 perl zip unzip \
                         libterm-readkey-perl openssl gettext

    The Apache Web Server is required to isolate the Tomcat server from attacks.

Installation

  1. Install Java by following the instructions on this page: Installing Java.

  2. For security reasons, it is better to run Tomcat as a non-root user. To do this, create a tomcat user account:

    sudo mkdir /opt/tomcat
    sudo useradd --system -d /opt/tomcat -s /bin/bash tomcat

    Please use /opt/tomcat as the home directory since the prebuilt package installs the files to this directory.

    You may wish to add the tomcat user to the sudo group (on Ubuntu this gives the account full administrative rights through sudo):

    sudo usermod -aG sudo tomcat

  3. Download and install the Biobank server package:

    It can be downloaded from here: https://biobank.cbsr.ualberta.ca/server/BioBank-3.12.0/

    sudo dpkg -i biobank-server-<version>.deb

    where <version> matches the version of the file you downloaded.

    After the command completes your /opt/tomcat directory will be populated with new files. Some of these files are scripts that need to be run to configure the server for your installation. More details are given below.

  4. Required environment variables to run Apache Tomcat are defined in /opt/tomcat/.bash_profile. Ensure these variables have been defined in your shell instance.

  5. Move the Tomcat startup script so that the server can be started as a service.

    cd /opt/tomcat
    sudo mv tomcat.service /etc/systemd/system/
    sudo chown root:root /etc/systemd/system/tomcat.service
    sudo systemctl daemon-reload

  6. Enable the service to start on system startup:

    sudo systemctl enable tomcat.service

  7. Configure the MySQL server by following the instructions on this page: MySQL configuration.

  8. Create a database on the MySQL server to be used by the Biobank server and create a user to access the database. Grant all privileges on the biobank database to this user.

    For example, these commands create the database named biobank. Start the MySQL command line tool with this command:

    mysql -h <hostname> -uroot -p<password> mysql

    and create the database and add a user that can access the database.

    CREATE DATABASE biobank;
    CREATE USER 'biobank_user'@'localhost' IDENTIFIED BY 'biobank_password';
    GRANT ALL PRIVILEGES ON biobank.* TO 'biobank_user'@'localhost' WITH GRANT OPTION;

    biobank_user and biobank_password should be replaced with the username and password you would like to use in your configuration.

  9. Configure time zone information on the MySQL server:

    mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -uroot -p mysql
    sudo service mysql restart

  10. To create an SSL certificate see these instructions: SSL Certificate. To create a temporary certificate for testing see here: Temporary SSL Certificate.

  11. Run the /opt/tomcat/configure script and you will be prompted for the values needed to configure your server. You will be asked for the following:

    1. The host name for the MySQL server.

    2. The name of the database to be used by the Biobank server on the MySQL server. In the example given above the name of the database was biobank.

    3. The user name the Biobank server should use to communicate with the MySQL server.

    4. The password for the user name.

    5. If the database has not been initialized you will be prompted to do so.

  12. Run the /opt/tomcat/chkconfig script to test your configuration. The script runs a series of tests and outputs the results. Ensure all the tests pass. Once all the tests pass you can start the server.

  13. Install and configure the Apache Web Server to front Tomcat using these instructions.

  14. Use iptables to limit the ports open to the world.

    First install the iptables-persistent Ubuntu package:

    sudo apt-get install iptables-persistent

    Then open port 443:

    sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
    # Run the redirect as root; with "sudo cmd > file" the file is opened by the calling user
    sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
    sudo service netfilter-persistent start

    # Add to startup
    sudo invoke-rc.d netfilter-persistent save
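
The ACCEPT rule for port 443 narrows exposure only when the INPUT chain's default policy is DROP; on a default-ACCEPT policy every other port stays reachable. The following check is an added example, not part of the original page or the Biobank project: it parses `iptables-save` output and fails unless the policy is DROP and only the listed ports are open to any source. The sample rulesets are constructed, and allowing SSH on port 22 is an assumption for remote administration.

```shell
#!/bin/sh
# Default policy of the filter table's INPUT chain (reads iptables-save text).
input_policy() {
    awk '/^\*/ { f = ($1 == "*filter") } f && $1 == ":INPUT" { print $2 }'
}

# TCP ports INPUT accepts from any source (no -s/-i); multiport is not parsed.
open_tcp_ports() {
    awk '/^\*/ { f = ($1 == "*filter") }
         f && $1 == "-A" && $2 == "INPUT" {
             port = ""; tcp = 0; acc = 0; lim = 0
             for (i = 3; i <= NF; i++) {
                 if ($i == "-p" && $(i + 1) == "tcp") tcp = 1
                 if ($i == "--dport") port = $(i + 1)
                 if ($i == "-j" && $(i + 1) == "ACCEPT") acc = 1
                 if ($i == "-s" || $i == "-i") lim = 1
             }
             if (tcp && acc && !lim && port != "") print port
         }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# $1: space-separated ports allowed to be world-reachable. Returns 0 on pass.
audit_ruleset() {
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | input_policy)
    [ "$policy" = "DROP" ] || { echo "FAIL: INPUT policy is ${policy:-unknown}, not DROP"; return 1; }
    for port in $(printf '%s\n' "$rules" | open_tcp_ports); do
        case " $1 " in
            *" $port "*) ;;
            *) echo "FAIL: tcp/$port is open to any source"; return 1 ;;
        esac
    done
    echo "OK: world-open tcp ports are within [$1]"
}

# Constructed sample: the page's 443 rule alone on a default-ACCEPT policy.
sample_page_rule_only() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' 'COMMIT'
}
# Constructed sample: default DROP plus loopback, replies, 443 and SSH (22).
sample_default_drop() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' 'COMMIT'
}

sample_page_rule_only | audit_ruleset "22 443" || true   # fails: policy is ACCEPT
sample_default_drop | audit_ruleset "22 443"             # passes
```

On the server, pipe the live ruleset in with `sudo iptables-save | audit_ruleset "443"`, adding any other port you intentionally expose.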

Start the biobank server with the command:

sudo systemctl start tomcat.service

Optional

The installation of the following packages is optional, but makes the server more secure if it's open to the world.

Chkrootkit

chkrootkit is a tool to locally check for signs of a rootkit. Type the following command to install chkrootkit:

$ sudo apt-get install chkrootkit

To look for rootkits, enter:

$ sudo chkrootkit

rkhunter

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications. Type the following command to install rkhunter:

$ sudo apt-get install rkhunter

Apply any updates:

$ sudo rkhunter --update

The following command option tells rkhunter to perform various checks on the local system:

$ sudo rkhunter --check

Lynis

Lynis is a security auditing tool for UNIX derivatives like Linux, macOS, BSD, and others. It performs an in-depth security scan and runs on the system itself.

See the installation instructions here: https://github.com/CISOfy/lynis

fail2ban

fail2ban is a great package that actively blocks suspicious activity as it occurs. From their wiki: "Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc." It does this by adding rules to iptables.

sudo apt-get install fail2ban

Logwatch

Log management is an area consisting mostly of search, log rotation / retention and reporting. Logwatch is an application that helps with simple log management by daily analyzing and reporting a short digest from activities taking place on your machine.

sudo apt-get install -y logwatch

Follow the instructions here to install.

The following entry can be used as a cron job:

00 02 * * * /usr/sbin/logwatch --output mail --mailto you@example.com --detail high