(Historical Reference) EXPERIMENTAL OSCAR 15 on Debian Jessy

This page has been imported from http://www.oscarmanual.org and has not yet been reviewed by OSCAR EMR.

Preface

This basic install is adequate for a local install of OSCAR with scripted encrypted backups and Secure Socket Layer technology. 

Document Version History

  • v1.1 – initial OSCAR 15 version published to oscarmanual.org – July 4, 2016 
  • v1.2 – minor edits by PHC  – July 4, 2016 

Copyright © 2016 by Luiz Rufato, under the Creative Commons Attribution-Share Alike 3.0 Unported License


OSCAR McMaster Linux Server Guide

Many people feel that Debian's attention to stability makes it a better choice for production server than distributions such as Ubuntu that use more cutting edge tools.

Regardless of which distribution you use, the production server is set up with the smallest number of packages installed, the fewest services running, and the fewest ports open. This is all done to limit the attack surface.

When I set up a Debian server, at the package selection step I select only "standard system utilities". All other options are left unchecked.

OPTIONAL: Encrypt the server:

Your data is stored in /usr/share/oscar-emr for documents and in /var for the MariaDB database. In case of physical loss of the server, encrypting the hard disk with LUKS will prevent the sensitive data from being read.

Details on how to do that are well documented on the web; one example is:

http://www.tecmint.com/install-debian-8-with-luks-encrypted-home-var-lvm-partition


NOTES

  1. The suggested sizes for the encrypted volume are too small. Allocate 20 GB or more.
  2. In step 15 you will want to encrypt /usr as well as /home and /var.


1.1 Getting root access:

When logging on to the system for the first time, we have to prepare it:

user@jessie:~$ sudo su -
[sudo] password for user:
root@jessie:~#


1.2 Editing APT sources.list and getting your system updated:

Delete, adjust or comment out the contents of this file and leave only the lines below (ftp.br.debian.org is the Brazilian mirror; substitute a mirror near you). The base jessie suite is required, or later package installs will fail:

root@jessie:~# nano /etc/apt/sources.list
deb http://security.debian.org/ jessie/updates main contrib non-free
deb http://ftp.br.debian.org/debian/ jessie main contrib non-free
deb http://ftp.br.debian.org/debian/ jessie-updates main contrib non-free
deb http://ftp.br.debian.org/debian/ jessie-backports main contrib non-free

Close the editor with ctrl + x and save it.  And then, run:

root@jessie:~# aptitude update && aptitude full-upgrade && apt-get clean && apt-get autoclean && apt-get autoremove


OPTIONAL: Keep server updated:

Automatic updates will patch your vulnerabilities for you in a timely fashion. However, on rare occasions, they can break your installation.

Install unattended-upgrades:

root@jessie:~# aptitude install unattended-upgrades

And enable it by selecting yes on this screen:

root@jessiebase:~# dpkg-reconfigure unattended-upgrades

The basic server is now ready. Now let's set up the important services that keep it running well and prevent issues.


1.3 Getting access to Server: OpenSSH:

Install ssh

root@jessie:~# aptitude install openssh-server

Now let's change a few settings in the SSH server configuration file (comment out the old line and add the new one, as shown):

root@oscar:~# nano /etc/ssh/sshd_config
#PermitRootLogin without-password
PermitRootLogin no
#RSAAuthentication yes
RSAAuthentication no
AllowUsers yourusername

OPTIONAL: SSH on a non-standard port:

If your server is directly connected to the internet, port 22 will regularly be probed by those who want to gain access to your box. Moving SSH to a non-standard port is insufficient protection on its own, but it can be done. However, if your server is protected by an external router (e.g. pfSense), you can leave your OSCAR server's SSH on the default port 22 and achieve the same external result (a blocked port 22) by forwarding an external non-standard port to port 22 on your OSCAR server via the router.


OPTIONAL: Authenticating SSH with keys:

To mitigate many SSH attacks (brute force, connection hijacking, man in the middle, etc.), I like to use keys to authenticate to the server. Without your key and its passphrase, no one will be able to connect to your server, even if they know your root password.

First things first, let's generate your key locally:

localuser@localmachine:~$ ssh-keygen

The defaults are fine; set a strong passphrase.

Now let's send the public key to your server:

localuser@localmachine:~$ ssh-copy-id -i /home/localuser/.ssh/id_rsa.pub serveruser@serveripaddress

Now let's configure sshd_config to reflect the new login authentication settings:

root@jessie:~# nano /etc/ssh/sshd_config
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
#UsePAM yes
UsePAM no

Close with ctrl + x and save the file.

Now, without disconnecting your current session, restart SSH and try to connect with your key.

root@jessie:~# service ssh restart

And try logging in again:

localuser@localmachine:~$ ssh serveruser@serverip

If it works, congratulations. No more attacks for you.

NOTE: Your public and private keys are kept in the hidden /home/youruser/.ssh/ directory. Back them up in a secret, safe place. Without your private key, you will not be able to log in to your server.
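One thing the edits above rely on is that sshd uses the first uncommented value of each keyword, so a forgotten earlier "PasswordAuthentication yes" would silently win over the "no" added later. The following check is an added example, not part of the original guide; it reads a config file (path given as the first argument; the embedded sample is constructed) and reports whether the directives set in this section are actually the ones in effect.

```shell
#!/bin/sh
# Added example (not from the original guide): report whether an sshd_config
# applies the directives this guide sets. sshd honours the FIRST uncommented
# value of each keyword, so a leftover "PasswordAuthentication yes" higher up
# silently overrides a "no" added below it; this check flags that. Match blocks are not handled.

check_sshd_config() {
  awk '
    BEGIN {
      want["permitrootlogin"] = "no"
      want["pubkeyauthentication"] = "yes"
      want["passwordauthentication"] = "no"
      want["usepam"] = "no"          # as set in this guide
      rc = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    {
      key = tolower($1); val = $2
      if (!(key in want)) { next }
      if (key in seen) {
        printf "DUPLICATE %s=%s ignored, first value %s wins\n", $1, val, seen[key]
      } else {
        seen[key] = val
      }
    }
    END {
      for (k in want) {
        if (!(k in seen)) { printf "MISSING %s, built-in default applies\n", k; rc = 1 }
        else if (seen[k] != want[k]) { printf "BAD %s=%s, want %s\n", k, seen[k], want[k]; rc = 1 }
        else { printf "OK %s=%s\n", k, seen[k] }
      }
      exit rc
    }' "$1"
}

# Constructed sample (not a real server file) showing the trap: the first
# PasswordAuthentication line wins, so this returns non-zero.
demo_bad_config() {
  f=$(mktemp)
  printf 'PasswordAuthentication yes\nPermitRootLogin no\nPubkeyAuthentication yes\n' >"$f"
  printf '#PasswordAuthentication yes\nPasswordAuthentication no\nUsePAM no\n' >>"$f"
  rc=0
  check_sshd_config "$f" || rc=$?
  rm -f "$f"
  return $rc
}

# Usage on a real file: check_sshd_config /etc/ssh/sshd_config
if [ $# -gt 0 ]; then check_sshd_config "$1"; fi
```

Run it against /etc/ssh/sshd_config before the restart above; a non-zero exit means the file does not yet enforce what this section intends.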


1.4 Firewall:

Simple basic rule: block everything you will not use. In our case, only ports 22 and 8443 are needed. Let's open them:

root@jessie:~# aptitude install ufw
root@jessie:~# ufw allow OpenSSH
root@jessie:~# ufw allow 8443
root@jessie:~# ufw enable
root@jessie:~# ufw status

1.5 Date and time:

It's important to keep your system clock correct, but I don't like to rely on ntpd for this; I prefer to run a simple script daily. One less daemon running on the system.

Let's set up the timezone:

root@jessie:~# dpkg-reconfigure tzdata

Install ntpdate:

root@jessie:~# aptitude install ntpdate

And set it to run daily:

root@jessie:~# nano /etc/cron.daily/ntpdate
#!/bin/bash
# Script to make the server clock always updated. Useful for server with stable uptime.
ntpdate pool.ntp.org
#EOF

Close with ctrl + x and save the file.

Give it execute permission:

root@jessie:~# chmod +x /etc/cron.daily/ntpdate

Run it to make sure everything is set:

root@jessie:~# /etc/cron.daily/ntpdate

Your server is now done. In the next section we will set up OSCAR and its dependencies.


2.1 Required packages for OSCAR environment:

Let's install the required packages and dependencies.


Oracle Java:

Details on Oracle Java PPA approach: http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html


Paste these lines at your root prompt and accept the Oracle license terms:

root@jessie:~# echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
root@jessie:~# echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
root@jessie:~# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
root@jessie:~# apt-get update
root@jessie:~# apt-get install oracle-java8-installer

And that's it, Oracle Java 8 should now be installed and you should get automatic updates for future Oracle Java 8 versions, under Debian.


Test it if needed:

root@jessie~# java -version
java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)


MariaDB, tomcat and misc stuff.

Let's install the other dependencies:

root@jessie:~# aptitude install tomcat7 mariadb-server libmysql-java curl wkhtmltopdf unzip

You will be asked for a MariaDB root password. Make sure you choose a strong one.

IMPORTANT: use numbers and letters in the root password, but do not use any of the symbols # ! & * ( ) / \ or $.

The tomcat7 install might fail because of Oracle Java. The best workaround for this is to edit the Tomcat defaults and add the Java path:

root@jessie:~# nano /etc/default/tomcat7
# The home directory of the Java development kit (JDK). You need at least
# JDK version 6. If JAVA_HOME is not set, some common directories for
# OpenJDK, the Oracle JDK, and various Java SE 6+ versions are tried.
#JAVA_HOME=/usr/lib/jvm/openjdk-6-jdk
JAVA_HOME=/usr/lib/jvm/java-8-oracle

then save and exit.

Just in case:

root@jessie:~# aptitude reinstall tomcat7


The next step is to harden your setup a bit:

If you already have a good MariaDB root password, there is no need to change it. If not, now is the time. The script's default answers should serve you well.

IMPORTANT: use numbers and letters in the root password, but do not use any of the symbols # ! & * ( ) / \ or $.

root@jessie:~# mysql_secure_installation


2.2 OPTIONAL: Harden Tomcat:

Since we are behind a firewall, the Tomcat shutdown port will not be exposed to the network, but I would change it nonetheless. Replace port 8005 with -1 (which disables the shutdown port) and set a long random string as the shutdown command, changing the first line below into the second:

root@jessie:~# nano /etc/tomcat7/server.xml
<Server port="8005" shutdown="SHUTDOWN">
<Server port="-1" shutdown="somethingverybigandrandom">

Get rid of unneeded packages (they shouldn't be installed anyway...):

root@jessie:~# aptitude remove tomcat7-admin tomcat7-docs tomcat7-examples tomcat7-user 

2.3 OSCAR McMaster EMR package and installation:

Obtaining latest beta (the following is tested with this guide, you should check to see if there is a newer version on sourceforge.net):

root@jessie:~# wget https://sourceforge.net/projects/oscarmcmaster/files/Oscar%20Debian%2BUbuntu%20deb%20Package/oscar_emr15-41~432.deb

When it finishes, install it. Everything should be automatic by now:

root@jessie:~# dpkg -i oscar_emr15-41~432.deb 

If you haven't opened Tomcat port yet, the time is now:

root@jessie:~# ufw allow 8443

Now, connect to your new OSCAR box and you are set to go:

https://serveripaddress:8443/oscar

Defaults:

Username: oscardoc

Password: mac2002

Second level passcode:1117


I hope this guide is of help to the OSCAR Community.


Luiz Rufato – July 2016