Anda di halaman 1dari 78

Setting Linux Server Bagian I

Sistem operasi linux memang keren kalo dimanfaatkan untuk kepentingan jaringan dan security.
Pada artikel ini saya akan membocorkan sedikit. dan mungkin artikel ini sudah basi di internet
tapi gk ada salahnya saya ikut-ikutan basi. gk apa-apa basi kalo bisa bermanfaat bagi mereka
yang masih newbie dalam menggunakan linux sebagai server. Pada bahasan kali ini, saya akan
menjelaskan tentang bagai mana mengeset linux server sebagai router ‘asal bisa konek’ dulu.
masalah setting server yang lain dan masalah security akan saya bahas pada artikel berikutnya.
Ok. skenarionya begini…. perusahaan saya ato warnet saya berlangganan kepada ISP dan sang
ISP memberikan data seperti di bawah ini :

IP addresss : 202.169.234.159 / 24
IP gateway ISP : 202.169.234.1
IP DNS 1 : 202.169.224.3
IP DNS 2 : 202.169.224.4
IP DNS 3 : 202.169.224.11

data - data di atas tadi saya dapatkan dari ISP tempat perusahaan saya berlangganan.
kemudian saya menginstall sebuah komputer dengan Sistem Operasi Linux Redhat9 dengan
memasangkan 2 buah Ethernet Card. sebut saja linux memberikan nama Ethernet Card tersebut
dengan nama eth0 untuk Ethernet ke 0 dan eth1 untuk ethernet yang ke 1.

kemudian di kantor saya ada komputer lain yang terhubung jaringan komputer juga dengan
mengunakan IP lokal. kira - kira datanya seperti ini

IP Address Range : 192.168.0.1 - 192.168.0.254


ato Net ID nya: 192.168.0.0 / 24
ya.. begitulah.. nanti contoh ip komputernya kira2 begini. ada yang 192.168.0.2, 192.168.0.3, dst.

nah.. saya ingin supaya semua komputer yang ada di kantor saya ato warnet saya bisa menikmati
koneksi internet. nah.. itulah yang akan saya bahas sekarang

MEMULAI SETTING LINUX SERVER

Linux server akan mempunyai dua buah IP address. IP address pubic yang dari ISP, yang akan
dipasangkan pada eth1 dan IP address Lokal yang sama net IDnya sama dengan komputer lain di
kantor saya yang akan dipasangkan pada eth0

Setting IP

#ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up

setting di atas untuk memberikan ip 192.168.0.1 eth0. langkah selanjutnya adalah memberikan
eth1 dengan ip public yang didapatkan dari ISP

#ifconfig eth1 202.169.234.159 netmask 255.255.255.0 up


nah.. kira - kira begitulah cara mengeset ip pada sistem operasi linux. tapi , ooppsss. … tunggu
dulu… cara ini bersifat temporer. settingan ini akan hilang ketika network di restart ato ketika
komputer di restart. untuk membuat setting ini permanen, lakukan hal - hal di bawah ini

Setting ip untuk setiap ethernet, disimpan pada masing - masing file yang terpisah. ini pada
sistem operasi linux redhat 9. dan berbeda dengan distro yang lain. seperti slackware, hanya satu
file saja. karena dari awal saya membahas redhat9, mari kita lanjutkan kembali dengan RedHat9.
setting IP untuk eth0 disimpan di file

/etc/sysconfig/network-scripts/ifcfg-eth0
silahkan edit file tadi dengan editor kesayangan anda :

DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.0.1
NETMASK=255.255.255.0
ONBOOT=yes
NETWORK=192.168.0.0

parameter yang perlu diperhatikan adalah DEVICE yang diisikan sesuai dengan nama device.
yaitu eth0. dan IP address. dan jangan lupa ONBOOT=yes juga penting supaya konfigurasi ini
direload ketika komputer restart

kemudiah untuk eth1, ada di file :


/etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=202.169.234.159
NETMASK=255.255.255.0
USERCTL=no
PEERDNS=no
GATEWAY=202.169.234.1
TYPE=Ethernet
NETWORK=202.169.234.0
BROADCAST=202.169.234.255

hmm….. ya..kira - kira dari settingan tadi, bisalah dimengerti maksudnya apa. loh…. koq yang
eth1 lebih banyak sih ? lah gak apa apa kan ?. yang eth0 tidak saya copy kan semua. hanya yang
penting2 saja. tapi di eth1, ada satu lagi yang penting yaitu GATEWAY=202.169.234.1 artinya,
di eth1, saya mendefinisikan IP gateway ke alamat gateway ISP.

setting gateway juga bisa dilakukan dengan perintah seperti ini :

#route add default gw 202.169.234.1


tetapi settingan ini bersifat temporer atau sementara. karena akan hilang ketika komputer restart.
supaya settingan tadi tetap tersimpan, ya.. di simpan di file tadi yang di eth1.

melihat configurasi IP apakan sudah beres atau belum..

[root@internet-server root]# ifconfig


eth0 Link encap:Ethernet HWaddr 00:0F:3D:CB:33:E9
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:434841 errors:0 dropped:0 overruns:0 frame:0
TX packets:384599 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:66983693 (63.8 Mb) TX bytes:315709918 (301.0 Mb)
Interrupt:12 Base address:0xe400

eth1 Link encap:Ethernet HWaddr 00:E0:4C:2C:25:02


inet addr:202.169.234.159 Bcast:202.169.234.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1116005 errors:0 dropped:0 overruns:0 frame:0
TX packets:381163 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:360724801 (344.0 Mb) TX bytes:62134502 (59.2 Mb)
Interrupt:10 Base address:0xe000

lo Link encap:Local Loopback


inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:28 errors:0 dropped:0 overruns:0 frame:0
TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3841 (3.7 Kb) TX bytes:3841 (3.7 Kb)

wah wah wah .. apa itu.. biasa aja lagi… perhatikan saja. ada beberapa blok yaitu eth0, eth1 dah
lo. eth0 itu itu untuk konfigurasi eth0, eth1 untuk eth1 dan lo adalah untuk loopback. loopback
pasti akan ada. jadi gk usah di pusingkan… yang penting pada masing2 blok(eth0 dan
eth1),perhatikan pada bagian inet addr . pastikan isinya sesuai dengan konfigurasi yang kita
maksudkan.

DNS CLIENT / DNS RESOLVER


selanjutnya adalah mendefinisikan DNS server. setting DNS server tersimpan dalam sebuah file
yang diletakkan di /etc/resolv.conf isikan data-data IP DNS yang didapatkan dari ISP.

nameserver 202.169.224.3
nameserver 202.169.224.4
nameserver 202.169.224.11
ROUTING

routing ? apaan tuh… gampangnya gini aja deh… ceritanya komputer linux yang sedang saya
Konfigurasi ini akan jadi gerbang buat komputer lain yang di kantor saya untuk bisa koneksi ke
internet. kenapa demikian ? ya karena kantor saya menyewa cuman 1 IP public. sedangkan ada
banyak komputer. jadi IP public yang cuman 1 ini dimanfaatkan ato dibagi-bagiakan ke
komputer yang lain di kantor saya. nah.. begitu ceritanya. sekarang pertanyaannya adalah apakah
komputer linux yang sekarang lagi saya konfigurasi ini sudah menjalankan tugasnya untuk
routing atau belum ? ato istilah kerennya ip forwarding dah aktif ato blum?. kita bisa check
dengan melihat isi file /proc/sys/net/ipv4/ip_forward . lengkaplnya begini perintahnya

#cat /proc/sys/net/ipv4/ip_forward

Jika hasilnya adalah 0, maka fungsi ip forwarding belum dijalankan. Ini adalah default dari
Linux Redhat. kemudian kita harus menulikan angka 1 ke dalam file tadi. Caranya seperti ini :

#echo 1 > /proc/sys/net/ipv4/ip_forward

TAPI…. lagi - lagi ini bersifat temporer/ sementara. Karena file terserbut akan diset kembali ke 0
ketika komputer restart ato network direstart. Trus ? ya.. supaya terus bernilai 1, bisa dengan
menambahkan script yang tadi (mengeset atau menulis angka 1) di startup script ato dengan cara
mengedit file : /etc/sysctl.conf

net.ipv4.ip_forward = 1

Di dalam file tersebut berikan nilai 1 pada parameter net.ipv4.ip_forward.

MEMERIKSA DAN MENAMBAHKAN ROUTING TABLE

Untuk melihat routing table yang sudah ada, bisa dilakukan dengan perintah seperti ini :

# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
202.169.234.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 202.169.234.1 0.0.0.0 UG 0 0 0 eth1

jika hasilnya sudah serperti di atas, maka gk perlu menambahkan lagi. berarti sudah beres. Jika
bermaksud menambahkan lagi ato belum ada, bisa dilakukan dengan perintah sebagai berikut :

#route add -net 192.168.0.0 netmask 255.255.255.0 dev eth0

#route add -net 202.169.234.0 netmask 255.255.255.0 dev eth1


Tapi perintah di atas gk perlu dilaksanakan karena linux secara otomatis sudah melakukannya.

NETWORK ADDRESS TRANSLATION (NAT)


Apa lagi ini ? hehe eeh mari kita bahas lagi….
Skenarionya kan begini. Sebenarnya untuk bisa mengakses internet, setiap komputer harus
mempunyai IP Public. lah.. kalo gitu repot dong. di kantor saya ada 100 komputer. masa kantor
saya harus menyewa 100 IP public, kan bisa bangkrutzzzz… ya gk gitulah. nah. solusinya adalah
dengan menggunakan NAT. kalo ada 100 Komputer, gk semua harus punya IP Public. pakek IP
Private saja. oppss.. apa itu IP Pubic, apa itu IP Private ?

IP public adalah IP yang digunakan di internet. Gak boleh sembarangan menggunakan IP ini
karena sudah ada penjatahan dari badan khusus. misalnya di wilayah Asia ada namanya IDNIC
yang mengatur pembagian IP.

IP Private adalah IP yang digunakan di dalam area lokal saja. dan IP ini sudah disepakati tidak
akan digunakan di Internet. Dengan konsekweksi, gk bisa langsung koneksi ke internet secara
langsung dengan IP ini. harus ‘bersembunyi’ di belakang IP Public. COntoh IP Private

10.x.x.x Untuk kelas A


172.16.x.x Untuk kelas B
192.168.x.x Untuk Kelas C

Ok kita kembali ke NAT….. (kalo tukul biasanya kembali ke laptop…. he he he )

Kantor saya cukup memiliki 1 IP Public saja. nah. .. tugas linux server yang kita konfigurasi ini,
mengganti IP komputer kantor yang menggunakan IP lokal menjadi IP Public ketika mau
mengakses sistus di internet. mekanisme ini disebut dengan
mentranslate/menerjemahkan/mengganti IP ato istilah kerennya adalah NETWORK ADDRESS
TRANSLATION (NAT). Untuk melakukan NAT, kita membutuhkan sebuah program tambahan
yang sudah ada di linux redhat. namanya IPTABLES

perintahnya seperti ini :

#iptables -t nat -A POSTROUTING -o eth1 -j SNAT –to-source 202.169.234.159

jadi ceritanya begini. dengan menggunakan IPTABLES, kita mengganti ip apa saja yang dari
jaringan lokal, yang keluar melewati interface eth1 ato dalam baris perintah di atas
disimbolkan dengan -o eth1 menerapkan sebuah policy atau disimbolkan dengan -j dengan
kebijakan SNAT (SOURCE NAT). diganti menjadi IP public 202.169.234.159. dan jangan lupa
disimpan dengan perintah :

#iptables-save

Untuk sementara ini, bisa dikatakan server sudah beres. sudah bisa digunakan oleh komputer lain
untuk koneksi ke internet. Tapi ini belum selesai. karena masih ada yang belum. yang InsyaAllah
akan saya lanjutkan pada artikel berikutnya
KONFIGURASI KLIENT

untuk konfiguras klient, cukup sedernaha sekali, tinggal buka properti network card, kemudian
set ip address yang satu net ID dengan ip server linux. dan gateaway ke ip address server linux:
berikut adalah data- data lengkapnya :
IP Address : 192.168.1.2
Gateway : 192.168.1.1
DNS : 202.169.234.3
DNS : 202.169.234.4

Untuk sementara DNS masih harus ke DNS public. sebenarnya linux server bisa diinstallkan
DNS server tetapi hanya sebagai Chace DNS. Untuk sementara ini dulu ya ? saya akan lanjutkan
dengan bahasan selanjutnya yang lebih menarik tentunya.

Setting Up a Server
So it will be assumed that the idea is to host websites that use certain technologies
such as a scripting language and a database (for dynamic sites), and also to act as
a mailing tool, for sending and receiving email.

Consider that this article only shows some of the basic features for configuring these services,
each program has much more in depth options. Entire books have been written just about Apache
or MySQL. So, don't just stay with what you learn here, play around, read, learn; system
administration is all about security and performance, so there's a lot more to discover.

I have also decided to show some optimization (tuning) techniques for a better performance. We
will use only free/open source software in this article, thus,it is not necessary to buy commercial
licenses. The software we will use is Debian GNU/Linux, Apache, MySQL, PHP and Postfix.
The first three are what is called LAMP, where the P can stand for various server side scripting
languages such as PHP, Perl and Python. In general, it represents the open source web platform
(both for developing and using it). I have been using LAMP and Postfix for years and must say
that, after trying lots of other programs of the same sort, it is the wisest choice if you want a
powerful, easy to use/configure/maintain and secure server environment.

Why use Debian? I have always liked this distribution because it's easy to manage packages
(programs) and system services. It is also very secure and stable, making it perfect for servers
and any system that must run 24/7. It's huge package repository (over 15490) is more than
enough to get the best use out of any computer system.

Why use Apache? Simple - it's currently the best, most secure and most used HTTP server. It
also supports a huge amount of modules and extensions. Here are some specific benefits of
Apache: support, efficiency, portability and customizability.

Why use MySQL? It's logo says it all: The world's most popular open source database. This
DBMS is reliable, powerful and easy to manage and use. Also, we will use it with Postfix for
better integration and performance.
Why use Postfix? If you ask any systems administrator why he/she uses Postfix as a Mail
Transport Agent (MTA) the answer will be it's easy and fast. Another great feature is it's security
and the wide amount of operating systems it can run on (BSD, Linux, AIX, Solaris, OSX, etc.)

Installing and Configuring Apache


We will use Apache 2 because it has been rewritten for better performance and security. It brings
more out of the box optimizations for scalability and throughput, as opposed to version 1.3
(which is not even being maintained anymore). So let's get to it, we first download and install the
essential software:

apt-get install apache2

This will also install the following packages: apache2, apache2-common,apache2-mpm-worker


and apache2-utils. Now, try connecting to localhost:80 and you should see a page saying that
Apache as been configured correctly. If not,you might have something wrong with the network
settings, but that's a whole different ball game. By default, when installing services in Debian it
leaves them configured to start when you boot GNU/Linux so you don't have to worry about
further system configuration. For controlling the daemon we have apache2clt or we can use
Debian's init utilities:

/etc/init.d/apache2 start|stop|restart|reload|force-reload
apacheclt start|stop|restart|...

Apache2's configuration files, by default, are in /etc/apache2/. Whenever a configuration is


modified, the server must be restarted. Here is a description of some of the more important files
and directories:

• apache2.conf is where the main configuration is, it used to be httpd.conf, so


don't be fooled.
• mods-available/ is the directory with all the modules that are available. The
.load contain the Apache directives that are needed to load the modules. And
the .conf are the configuration directives for each module.
• mods-enabled/ is the directory that contains the symbolic links to the
modules that we want to enable from mod-available/. At least the .load file
must be there, so we will have: /etc/apache2/mod-enabled/modulex.load
-> /etc/apache2/mod-available/modulex.load

Let's take this to practice, say we want to enable user directories:

(www.myurl.com/~someuser/). First uncomment the following in apache2.conf:

Next, we create the symbolic links for this module and restart the server:

cd /etc/apache2
ln -s mods-available/userdir.* /etc/apache2/mods-enabled/
/etc/init.d/apache restart
This works for all the modules you want to load. Now let's try some optimization methods.
Apache uses a great deal of resources, specially RAM, because it accumulates whatever is
necessary to accommodate what it's serving and this process never decreases until it is complete.
This takes up as much RAM as the largest dynamic script.

To help reduce this problem, edit apache2.conf and enable KeepAlive (increases time) and set a
low value for KeepAliveTimout (this will reduce the time the process waits without doing
anything). Also, set the value for MaxRequestsPerChild around 20, depending on the amount of
dynamic sites the server is hosting. The idea behind this is that when the process ends, it makes it
start over again, but with lower RAM usage. However, by doing this, you might have to increase
MaxClients around 50%.

Installing and Configuring MySQL


MySQL 5 introduces a number of new features, compared to older versions, such as new data
types, precision math, better performance for storage, faster queries and better handling of
certain types. The list goes on, so I recommend checking out the official documentation to see
how you can take advantage of the latest version. To get it:

apt-get install mysql-server-5.0

libdbd-mysql-perl, libmysqlclient15off, mysql-client-5.0 and mysql-common will also be


installed. Debian will also make sure MySQL starts at boot time. To control the daemon, I use
the init script and voila!:

/etc/init.d/mysql start|stop|restart|reload|force-reload|status

To first start working with this database, the root password must be set. The word root does not
apply to the system's root, but to the database administrator, however, it can be the same person.
So let's set it and log in:

mysqladmin -u root password 'thepassword'


mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 10 to server version: 5.0.20a-Debian_1-log

Type 'help;' or 'h' for help. Type 'c' to clear the buffer.

mysql>

If you don't like using the command line system (lazy sysadmins), there a couple graphical user
interfaces for MySQL, such as MySQLCC (QT), gMySQLCC (GTK+), etc. Since everything is
running fine (or should be) it's time to optimize. MySQL uses algorithms that let you run it with
little memory, but you can give it options to increase the memory usage if you have more, and
therefore increase performance. To lower the amount of time MySQL sits waiting, edit the
configuration file: /etc/mysql/my.cnf and add/change the following (values may vary depending
on your specific needs):
wait_timeout=60
connect_timeout=10
interactive_timeout=100
join_buffer_size=1M
query_cache_size=128M
query_cache_limit=2M
max_allowed_packet=16M
table_cache=1024

Installing and Configuring PHP


Now that we have our httpd server up and running we can setup PHP. Debian includes PHP5 in
the official package repository, not too long ago only up to version 4 was supported. So let's get
it:

apt-get install php5

Just like for Apache and MySQL, extra packages will have to be install as well: apache2-mpm-
prefork, libapache2-mod-php5 and php5-common.

Now, add support for MySQL:

apt-get install php5-mysql

I also like to add some more packages for PHP, such as CLI, Pear, LDAP, IMAP, GD, mhash,
ODBC and PostScript:

apt-get install php5-cli php-pear php5-ldap php5-imap php5-gd


php5-mhash php5-odbc php5-ps

The configuration file for PHP is located in /etc/php5/apache2/php.ini, every time you modify it,
Apache must be restarted. So let's see if everything is working. First let's create a simple script,
called information.php, in Apache's DocumentRoot, that is /var/www/information.php and inside
it should go:

<? phpinfo(); ?>

Now, fireup a browser and open www.mycompany.com/information.php. You should see a page
with information about the PHP version that is installed. Also it provides some details about
Apache, and all the PHP modules. Last, but not least, let's make sure MySQL and PHP are
working well together. First, log in to MySQL and create a new database:

mysql> create database test;


Query OK, 1 row affected (0.00 sec)

mysql> exit
Bye

'
Create a new file, db.php, in the same directory and write:

<?
if(mysql_connect("localhost", "root", "rootpassword"))
echo("connection success");
?>

Check your browser and you should see: connection success. Now for a little optimization.
Usually compiling PHP scripts on the fly uses a lot of memory, so if your hosting several big
web sites and have lots of users visiting, you might want to do something about this resource
abuse. The solution is to use a program that keeps the scripts precompiled. The most popular
include Zend Accelerator, Turck MMCache and PHP Accelerator. Performance can increase up
to 200%.

Finally LAMP is up, running and optimized. You can also provide further services, such as more
databases (PosgreSQL, Oracle, Informix, etc) and more server side languages (Perl, JSP, Python,
etc).

Installing and Configuring Postfix


Postfix was originally written as an alternative to Sendmail, which is used in most mail servers
around the world. Unfortunately, Sendmail is hard to use (and manage) and very bug prone,
therefore securing it can be quite a task. This is why Postfix is a fantastic option. Just like with
the rest of the software, we download and install it, with support with MySQL:

apt-get install postfix postfix-mysql

Leave the values dpkg suggests when configuring. The default configuration files are in
/etc/postfix, we will only use main.cf. Once done, we create the postfix user for MySQL and the
database for the emails:

mysql -A -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 4 to server version: 5.0.20a-Debian_2-log

Type 'help;' or 'h' for help. Type 'c' to clear the buffer.

mysql> use mysql;


Database changed
mysql> insert into user (host, user, password) values ('localhost',
'postfix', password('thepostfixpass'));
Query OK, 1 row affected, 3 warnings (0.00 sec)

mysql> insert into db (host, db, user, select_priv) values ('localhost',


'mail', 'postfix', 'Y');
Query OK, 1 row affected (0.00 sec)

mysql> create database mail;


Query OK, 1 row affected (0.01 sec)
Afterward, MySQL must be restarted to use the new user and database. If everything worked
correctly, then there shouldn't be any problem logging in as postfix using the mail database. So
now we create our tables, as root:

mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 3 to server version: 5.0.20a-Debian_2-log

Type 'help;' or 'h' for help. Type 'c' to clear the buffer.

mysql> use mail;


Database changed
mysql> create table transport (
-> domain varchar(255) primary key,
-> transport char(8),
-> access varchar(2)
-> default 'OK');
Query OK, 0 rows affected (0.01 sec)

mysql> create table aliases (


-> id int(6),
-> alias varchar(255) primary key,
-> maildir varchar(255) not null,
-> access varchar(2)
-> default 'OK');
Query OK, 0 rows affected (0.00 sec)

mysql> create table remote_alias (


-> alias varchar(255) primary key,
-> rcpt varchar(255) not null);
Query OK, 0 rows affected (0.01 sec)

mysql> create table domain1 (


-> user varchar(255) primary key,
-> pass varchar(255) not null,
-> maildir varchar(255) not null,
-> active int(8)
-> default 1);
Query OK, 0 rows affected (0.00 sec)

The next step is configuring Postfix to support MySQL, so edit the configuration file and add:

transport_maps=mysql:/etc/postfix/transport.cf
virtual_mailbox_base=/home/postfix
virtual_uid_maps=mysql:/etc/postfix/ids.cf
virtual_gid_maps=mysql:/etc/postfix/ids.cf
virtual_mailbox_maps=mysql:/etc/postfix/aliases.cf
virtual_maps=mysql:/etc/postfix/remote_aliases.cf

Since we are specifying files that don't exist, we must create them. In transport.cf write:

user=postfix
password=thepostfixpass # the password used in MySQL
dbname=mail
table=transport
select_field=transport
where_field=domain
hosts=localhost
user=postfix
password=thepostfixpass # the password used in MySQL
dbname=mail
table=aliases
select_field=maildir
where_field=alias
hosts=localhost

In ids.cf:

user=postfix
password=thepostfixpass # the password used in MySQL
dbname=mail
table=aliases
select_field=id
where_field=alias
hosts=localhost

And for the final file, remote_aliases.cf:

user=postfix
password=thepostfixpass # the password used in MySQL
dbname=mail
table=remote_aliases
select_field=rcpt
where_field=alias
hosts=localhost

Lets now create the information for the domain1 example in MySQL:

mysql -A -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 8 to server version: 5.0.20a-Debian_2-log

Type 'help;' or 'h' for help. Type 'c' to clear the buffer.

mysql> use mail;


Database changed
mysql> insert into transport(domain, transport) values ('domain1.com',
'virtual:');
Query OK, 1 row affected (0.00 sec)

To add users to that domain, simply insert into the aliases table the data (you can get postfix's
userid from /etc/passwd, for example:

mysql>insert into aliases values


(postfix_uid,'user@domain1.com','domain1/user', 'OK');
Finally everything should be working smoothly. Make sure you constantly check the logs
(/var/log/mail.log), even if everything is normal, because the first place you might detect an
attack is there.

Web Site Prerequisites:

This tutorial assumes that a computer has Linux installed and running. See RedHat Installation
for the basics. A connection to the internet is also assumed. A connection of 128 Mbits/sec or
greater will yield the best results. ISDN, DSL, cable modem or better are all suitable. A 56k
modem will work but the results will be mediocre at best. The tasks must also be performed with
the root user login and password.

No single distribution seems to have an advantage. A Ubuntu, SuSe, Fedora, Red Hat or CentOS
distribution will include all of the software you will need to configure a web server. If using Red
Hat Enterprise Linux, both the Workstation or the Server edition will support your needs except
that the Workstation edition will not include the vsFTP package. It will have to be compiled
from source or use sftp.

Software Prerequisites: The Apache web server (httpd), FTP (requires xinetd or inetd) and
Bind (named) software packages with their dependencies are all required. One can use the rpm
command to verify installation:

• Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:


• rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd
vsftpd

RPMs added FC2+: system-config-httpd


RPMs added FC3+: httpd-suexec

• Red Hat 9.0

rpm -q httpd bind xinetd vsftpd

A Red Hat 8.0 wu-ftpd RPM may be installed (Newer version 2.6.2 or later
with security fix wu-ftpd-2.6.2-11+) or install from source.

• Red Hat 8.0

rpm -q httpd bind xinetd wu-ftpd

• Red Hat 7.x:

rpm -q apache bind inetd wu-ftpd

Use wu-ftpd version 2.6.2 or later to avoid security problems.


• SuSE 9.3:

rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils


vsftpd

Note: The apache2-MPM is a generic term for Apache installation options for
"Multi-Processing Modules (MPM)s "prefork" or "worker". If you try and only
install apache2 you will get the following error:

apache2-MPM is needed by apache2-2.0.53-9

Also see Apache.org: MPMs

• Ubuntu (dapper 6.06/hardy 8.04) / Debian:

apt-get install apache2


apt-get install apache2-common
apt-get install apache2-mpm-prefork
apt-get install apache2-utils
apt-get install bind9
apt-get install vsftpd

One should also have a working knowledge of the Linux init process so that these services are
initiated upon system boot. See the YoLinux init process tutorial for more info.

Apache HTTP Web server configuration:

This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0). See the YoLinux list of
Linux HTTP servers for a list of other web servers for the Hyper Text Transport Protocol.

The Apache web server configuration file is: /etc/httpd/conf/httpd.conf

Web pages are served from the directory as configured by the DocumentRoot directive. The
default directory location is:

Apache web server


Linux distribution
"DocumentRoot"

Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5,


/var/www/html/
CentOS 4/5

Red Hat 6.x and older /home/httpd/html/

Suse 9.x /srv/www/htdocs/


Ubuntu (dapper 6.06/hardy 8.04) / Debian /var/www/html

The default home page for the default configuration is index.html. Note the pages
should not be owned by user apache as this is the process owner of the httpd web
server daemon. If the web server process is comprimised, it should not be allowed
to alter the files. The files should of course be readable by user apache.

Apache may be configured to run as a host for one web site in this fashion or it may be
configured to serve for multiple domains. Serving for multiple domains may be achieved in two
ways:

• Virtual hosts: One IP address but multiple domains - "Name based" virtual
hosting.
• Multiple IP based virtual hosts: One IP address for each domain - "IP based"
virtual hosting.

The default configuration will allow one to have multiple user accounts under one
domain by using a reference to the user account: http://www.domain.com/~user1/. If
no domain is registered or configured, the IP address may also be used:
http://XXX.XXX.XXX.XXX/~user1/.

[Potential Pitfall] The default umask for directory creation is correct by default but if not use:
chmod 755 /home/user1/public_html

[Potential Pitfall] When creating new "Directory" configuration directives, I found that placing
them by the existing "Directory" directives to be a bad idea. It would not use the .htaccess
file. This was because the statement defining the use of the .htaccess file was after the
"Directory" statement. Previously in RH 6.x the files were separated and the order was defined
a little different. I now place new "Directory" statements near the end of the file just before the
"VirtualHost" statements.

For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd
who like to use pretty point and click tools.

Files used by Apache:

• Start/stop/restart script:
o Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
o SuSE 9.3: /etc/init.d/apache2
o Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/init.d/apache2
• Apache main configuration file:
o Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
o SuSE: /etc/apache2/httpd.conf
(Need to add directive: ServerName host-name)
o Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/apache2/apache2.conf
• Apache suplementary configuration files:
o Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
o SuSE: /etc/apache2/conf.d/component.conf
o Ubuntu (dapper 6.06/hardy 8.04) / Debian:
 Virtual domains: /etc/apache2/sites-enabled/domain
(Create soft link from /etc/apache2/sites-enabled/domain to
/etc/apache2/sites-available/domain to turn on. Use command
a2ensite)
 Additional configuration directives: /etc/apache2/conf.d/
 Modules to load: /etc/apache2/mods-available/
(Soft link to /etc/apache2/mods-enabled/ to turn on)
 Ports to listen to: /etc/apache2/ports.conf
• /var/log/httpd/access_log and error_log - Red Hat/Fedora Core Apache log
files
(Suse: /var/log/apache2/)

Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or
status.
i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read
the configuration files to pick up any changes. To have this script invoked upon system boot
issue the command chkconfig --add httpd. See Linux Init Process Tutorial for a more
complete discussion.

Also Apache control tool: /usr/sbin/apachectl start

Apache Control Command: apachectl:

Red Hat / Fedora Core / CentOS: apachectl directive


Ubuntu dapper 6.06 / hardy 8.04 / Debian: apache2ctl directive

Directi
Description
ve

start Start the Apache httpd daemon. Gives an error if it is already running.

stop Stops the Apache httpd daemon.

graceful Gracefully restarts the Apache httpd daemon. If the daemon is not
running, it is started. This differs from a normal restart in that
currently open connections are not aborted.

restart Restarts the Apache httpd daemon. If the daemon is not running, it is
started. This command automatically checks the configuration files as
in configtest before initiating the restart to make sure the daemon
doesn't die.

status Displays a brief status report.


fullstatu Displays a full status report from mod_status. Requires mod_status
s enabled on your server and a text-based browser such as lynx
available on your system. The URL used to access the status report
can be set by editing the STATUSURL variable in the script.

configte Run a configuration file syntax test.


st
-t

Apache Configuration Files:

• /etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was


broken down into three files. These may now be all concatenated into one
file. See Apache online documentation for the full manual.
• /etc/httpd/conf.d/application.conf: All configuration files in this directory
are included during Apache start-up. Used to store application specific
configurations.
• /etc/sysconfig/httpd: Holds environment variables used when starting
Apache.

Basic settings: Change the default value for ServerName www.<your-domain.com>

Giving Apache access to the file system: It is prudent to limit Apache's view of the file system
to only those directories necessary. This is done with the directory statement. Start by denying
access to everything, then grant access to the necessary directories.

Deny access completely to file system root ("/") as the default:

Deny first, then grant permissions:

<Directory />
Options None
AllowOverride None
</Directory>
Set default location of system web pages and allow access: (Red
Hat/Fedora/CentOS)

DocumentRoot "/var/www/html"

<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Grant access to a user's web directory: public_html

• Enabling Red Hat / Fedora Linux, Apache public_html user directory


access:

This will allow users to serve content from their home directories under the subdirectory
"/home/userid/public_html/" by accessing the URL http://hostname/~userid/

File: /etc/httpd/conf/httpd.conf

LoadModule userdir_module modules/mod_userdir.so

...
...

<IfModule mod_userdir.c>
#UserDir disable - Add comment to this line
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
UserDir public_html # Uncomment this line
</IfModule>

...
...

<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>

Change to a comment (add "#" at beginning of line) from Fedora Core default
UserDir disable and assign the directory public_html as a web server
accessible directory.
OR
Assign a single user the specific ability to share their directory:

<Directory /home/user1/public_html>
AllowOverride None
order allow,deny
allow from all
Options Indexes Includes FollowSymLinks
</Directory>
Allows the specific user, "user1" only, the ability to serve the directory
/home/user1/public_html/

Also use SELinux command to set the security context: setsebool


httpd_enable_homedirs true

Directory permissions: The Apache web server daemon must be able to read your web
pages in order to feed their contents to the network. Use an appropriate umask and file
protection. Allow access to web directory: chmod ugo+rx -R public_html.
Note that the user's directory also has to have the appropriate permissions as it is the
parent of public_html.
Default permissions on user directory: ls -l /home
drwx------ 20 user1 user1 4096 Mar 5 12:16 user1
Allow the web server access to operate the parent directory: chmod ugo+x /home/user1
d-wx--x--x 20 user1 user1 4096 Mar 5 12:16 user1

One may also use groups to control permisions. See the YoLinux tutorial on managing
groups.

• Enabling Ubuntu's Apache public_html user directory access:

Ubuntu has broken out the Apache loadable module directives into the directory
/etc/apache2/mods-available/. To enable an Apache module, generate soft links to
the directory /etc/apache2/sites-enabled/ by using the commands
a2enmod/a2dismod to enable/disable Apache modules.

Example:

o [root@node2]# a2enmod
A list of available modules is displayed. Enter "userdir" as the module
to enable.
o Restart Apache with the following command: /etc/init.d/apache2
force-reload

Note: This is the same as manually generating the following two soft links:

o ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-
enabled/userdir.conf
o ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-
enabled/userdir.load

Man page: a2enmod/a2dismod

[Potential Pitfall]: If the Apache web server can not access the file you will get the error
"403 Forbidden" "You don't have permission to access file-name on this server." Note the
default permissions on a user directory when first created with "useradd" are:
drwx------ 3 userx userx

You must allow the web server running as user "apache" to access the
directory if it is to display pages held there.
Fix with command: chmod ugo+rx /home/userx

drwxr-xr-x 3 userx userx

SELinux security contexts:

Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security
Enhanced Linux) security policies and context labels.
To view the security context labels applied to your web page files use the
command: ls -Z

The system enables/disables SELinux policies in the file /etc/selinux/config


SELinux can be turned off by setting the directive SELINUX. (Then reboot the system):

SELINUX=disabled
or using the command setenforce 0 to temporarily disable SELinux until the
next reboot.

When using SELinux security features, the security context labels must be added so that
Apache can read your files. The default security context label used is inherited from the
directory for newly created files. Thus a copy (cp) must be used and not a move (mv)
when placing files in the content directory. Move does not create a new file and thus the
file does not recieve the directory security context label. The context labels used for the
default Apache directories can be viewed with the command: ls -Z /var/www
The web directories of users (i.e. public_html) should be set with the appropriate
context label (httpd_sys_content_t).

Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t


/home/user1/public_html
Options:

• -R: Recursive. Files and directories in current directory and all


subdirectories.
• -h: Affect symbolic links.
• -t: Specify type of security context.

Use the following security contexts:

Context Type Description

httpd_sys_content_t Used for static web content. i.e. HTML web


pages.

Use for executable CGI scripts or binary


httpd_sys_script_exec_t
executables.

CGI is allowed to alter/delete files of this


httpd_sys_script_rw_t
context.

CGI is allowed to read or append files of this


httpd_sys_script_ra_t
context.

CGI is allowed to read files and directories of


httpd_sys_script_ro_t
this context.

Set the following options: setsebool httpd-option true


(or set to false)

Policy Description

httpd_enable_cgi Allow httpd cgi support.

httpd_enable_homedirs Allow httpd to read home directories.

Allow httpd to run SSI executables in the same domain


httpd_ssi_exec
as system CGI scripts.

Then restart Apache:

• Red Hat/Fedora/Suse and all System V init script based Linux


systems: /etc/init.d/httpd restart
• Red Hat/Fedora: service httpd restart

The default SE boolean values are specified in the file:


/etc/selinux/targeted/booleans

For more on SELinux see the YoLinux Systems Administration tutorial.

Virtual Hosts:

The Apache web server allows one to configure a single computer to represent
multiple websites as if they were on separate hosts. There are two methods
available and we describe the configuration of each. Choose one method for your
domain:
• Name based virtual host: (most common) A single computer with a single IP
adress supporting multiple web domains. The web browser using the http
protocol, identifies the domain being addressed.
• IP based virtual host: The virtual hosts can be configured as a single multi-
homed computer with multiple IP addresses on a single network card, with
each IP address representing a different web domain. This has the
appearance of a web domain supported by a dedicated computer because it
has a dedicated IP address.

Configuring a "name based" virtual host:

A virtual host configuration allows one to host multiple web site domains on
one server. (This is not required for a dedicated linux server which hosts a
single web site.)

NameVirtualHost XXX.XXX.XXX.XXX

<VirtualHost XXX.XXX.XXX.XXX>
ServerName www.your-domain.com - CNAME (bind DNS alias www)
specified in Bind configuration file (/var/named/...)
ServerAlias your-domain.com - Allows requests by domain name
without the "www" prefix.
ServerAdmin user1@your-domain.com
DocumentRoot /home/user1/public_html
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log
</VirtualHost>

Notes:

• You can specify more than one IP address. i.e. if web server is
also being used as a firewall/gateway and you have an external
internet IP address as well as a local network IP address.

NameVirtualHost XXX.XXX.XXX.XXX
NameVirtualHost 192.168.XXX.XXX

<VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>


...
..

See the YoLinux Tutorial on configuring a network gateway/firewall


using iptables and NAT.

• Use your IP address for XXX.XXX.XXX.XXX, actual domain name


and e-mail address.
One can use DNS views to provide different local network DNS results.
• Note that I configure Apache for both requests
http://www.domain-name.com and http://domain-name.com.
• Once virtual hosts are configured, your default system domain
(/var/www/html) will stop working. Your default domain now must be
configured as a virtual domain.

<Directory "/var/www/html">

... This part remains the same


..

</Directory>

# Default for when no domain name is given (i.e. access by IP address)

<VirtualHost *:80>
ServerAdmin user1@your-domain.com
DocumentRoot /var/www/html
ErrorLog logs/error_log
TransferLog logs/access_log
</VirtualHost>

# Add a VirtualHost definition for your domain which was once the system
default.

<VirtualHost XXX.XXX.XXX.XXX>
ServerName www.your-domain.com
ServerAlias your-domain.com
ServerAdmin user1@your-domain.com
DocumentRoot /var/www/html
ErrorLog logs/error_log
TransferLog logs/access_log
</VirtualHost>

...
..

• Forwarding to a primary URL. It is best to avoid the appearance


of duplicated web content from two URLs such as http://www.your-
domain.com and http://your-domain.com. Supply a forwarding Apache
"Redirect".

<VirtualHost XXX.XXX.XXX.XXX>
ServerName www.your-domain.com - Note that no aliases are listed
...
...
</VirtualHost>

# Add a VirtualHost definition to forward to your primary URL

<VirtualHost XXX.XXX.XXX.XXX>
ServerName your-domain.com
ServerAlias other-domain.com
ServerAlias www.other-domain.com
Redirect permanent / http://www.your-domain.com.com/
</VirtualHost>

...
..

• Note:
o See the YoLinux.com Apache "Redirect" Tutorial
• More virtual host examples.

When specifying more domains, they may all use the same IP address or some/all may use their
own unique IP address. Specify a "NameVirtualHost" for each IP address.

After the Apache configuration files have been edited, restart the httpd daemon:
/etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu /
Debian)

Apache virtual domain configuration with Ubuntu


Dapper/Hardy:
Ububntu separates out each virtual domain into a separate configuration file held in
the directory /etc/apache2/sites-available/. When the site domain is to become
active, a soft link is created to the directory /etc/apache2/sites-enabled/.

Example: /etc/apache2/sites-available/supercorp

<VirtualHost XXX.XXX.XXX.XXX>
ServerName supercorp.com
ServerAlias www.supercorp.com
ServerAdmin webmaster@localhost

DocumentRoot /home/supercorp/public_html/home
<Directory "/">
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /home/supercorp/public_html/home>
Options Indexes FollowSymLinks MultiViews
IndexOptions SuppressLastModified SuppressDescription
AllowOverride All
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/


<Directory "/home/supercorp/cgi-bin/">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog /var/log/apache2/supercorp.com-error.log

# Possible values include: debug, info, notice, warn, error,


# crit, alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/supercorp.com-access.log combined
ServerSignature On
</VirtualHost>
Enable domain:

• Create soft link:


o Manually: ln -s /etc/apache2/sites-available/supercorp
/etc/apache2/sites-enabled/supercorp
o Use Ubuntu scripts a2ensite/a2dissite. Type command
and it will prompt you as to which site you would like to enable
or disable.
• Restart Apache:
o apache2ctl graceful
or
o /etc/init.d/apache2 restart
or
o /etc/init.d/apache2 reload

Also note that Apache modules can also be enabled/disabled with scripts
a2enmod/a2dismod.

Man pages:

• a2ensite/a2dissite (Ubuntu: Apache 2 enable/disable site)


• apache2ctl

Configuring an "IP based" virtual host:

One may assign multiple IP addresse to a single network interface. See the
YoLinux networking tutorial: Network Aliasing. Each IP address may then be
it's own virtual server and individual domain. The downside of the "IP based"
virtual host method is that you have to possess multiple/extra IP addresses.
This usually costs more. The standard name based virtual hosting method
above is more popular for this reason.

NameVirtualHost * - Indicates all IP addresses

<VirtualHost *>
ServerAdmin user0@default-domain.com
DocumentRoot /home/user0/public_html
</VirtualHost>

<VirtualHost XXX.XXX.XXX.101>
ServerAdmin user1@domain-1.com
DocumentRoot /home/user1/public_html
</VirtualHost>

<VirtualHost XXX.XXX.XXX.102>
ServerAdmin user1@domain-2.com
DocumentRoot /home/user2/public_html
</VirtualHost>
The default <VirtualHost *> block will be used as the default for all IP
addresses not specified explicitly. This default IP (*) may not work for https
URL's.

CGI: (Common Gateway Interface)

CGI is a program executable which dynamically generates a web page by writing to


stdout. CGI is permitted by either of two configuration file directives:

• ScriptAlias:
o Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ "/var/www/cgi-
bin/"
o Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
o Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
o Ubuntu (dapper/hardy) / Debian: ScriptAlias /cgi-bin/
"/usr/lib/cgi-bin/"

or

• Options +ExecCGI:

<Directory /var/www/cgi-bin>
Options +ExecCGI
</Directory>

The executable program files must have execute privileges, executable by the
process owner (Red Hat 7+/Fedora Core: apache. Older use nobody) under which the
httpd daemon is being run.

Configuring CGI To Run With User Privileges:

The suEXEC feature provides Apache users the ability to run CGI and SSI programs
under user IDs different from the user ID of the calling web-server. Normally, when
a CGI or SSI program executes, it runs as the same user who is running the web
server.
NameVirtualHost XXX.XXX.XXX.XXX

<VirtualHost XXX.XXX.XXX.XXX>
ServerName node1.your-domain.com - Allows requests
by domain name without the "www" prefix.
ServerAlias your-domain.com www.your-domain.com - CNAME (alias
www) specified in Bind configuration file (/var/named/...)
ServerAdmin user1@your-domain.com
DocumentRoot /home/user1/public_html/your-domain.com
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log

SuexecUserGroup user1 user1


<Directory /home/user1/public_html/your-domain.com/>
Options +ExecCGI +Indexes
AddHandler cgi-script .cgi
</Directory>
</VirtualHost>

ERROR Pages:

You can specify your own web pages instead of the default Apache error pages:

ErrorDocument 404 /Error404-missing.html


Create the file Error404-missing.html in your "DocumentRoot" directory.

Handle all errors with a forwarding page:

ErrorDocument 400 /error.shtml


ErrorDocument 401 /error.shtml
ErrorDocument 403 /error.shtml
ErrorDocument 404 /error.shtml
ErrorDocument 500 /error.shtml
Sample file error.shtml (in your "DocumentRoot" directory).

<!--#echo var="REQUEST_URI" -->


<!--#echo var="REDIRECT_STATUS" -->
<h2>Page does not found!</h2>
<!-- Redirect to home page -->
<META HTTP-EQUIV="Refresh" Content="1; URL=http://www.megacorp.com/">

PHP:

If the appropriate php, perl and httpd RPM's are installed, the default Red Hat Apache
configuration and modules will support PHP content. RPM Packages (RHEL4):

• php: HTML-embedded scripting language


• php-pear: PEAR is a framework and distribution system for reusable PHP
components.
• php-mysql: MySQL database support.
• php-ldap: Lightweight Directory Access Protocol (LDAP) support

Apache configuration:

Add php default page index.php to apache config file:


/etc/httpd/conf/httpd.conf

...

DirectoryIndex index.html index.htm index.php

...
PHP Configuration File:

• RHEL4 - PHP 4.3: /etc/php.ini


• Ubuntu Daper 6.06/6.11: /etc/php5/apache2/php.ini

[PHP]
engine = On
...
...
display_errors = Off
include_path = ".:/php/includes"
...
...
memory_limit = 32M ; Default is typically 8MB which is too low.
...
...

[MySQL]
...
...
mysql.default_host = superserver ; Hostname of the computer
mysql.default_user = dbuser
...
Small portion of file shown.
Note that changes will not take effect until the apache web server daemon is
restarted.

Test you PHP capabilities with this test file: /home/user1/public_html/test.php

<?php
phpinfo();
?>
OR (older format)
<?
phpinfo();
?>
Test: http://localhost/~user1/test.php

For more info see YoLinux list of PHP information web sites.

Running Multiple instances of httpd:

The Apache web server daemon (httpd) can be started with the command line option "-f" to
specify a unique configuration file for each instance. Configure a unique IP address for each
instance of Apache. See the YoLinux Networking Tutorial to specify multiple IP addresses for
one NIC (Network Interface Card). Use the Apache configuration file directive Listen
XXX.XXX.XXX.XXX, where the IP address is unique for each instance of Apache.

Apache Man Pages:

• httpd - Apache Hypertext Transfer Protocol Server


• apachectl - Apache HTTP Server Control Interface
• ab - Apache HTTP server benchmarking tool
• htdigest - manage user files for digest authentication
• htpasswd - Manage user files for basic authentication
• logresolve - Resolve IP-addresses to hostnames in Apache log files
• rotatelogs - Piped logging program to rotate Apache logs

Also see the local online Apache configuration manual: http://localhost/manual/.

Apache Red Hat / Fedora Core GUI configuration:

GUI configuration tool:

• Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-httpd


• Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd
Adding web site login and password protection: See the YoLinux tutorial on web site
password protection.

Log file analysis:

Scanning the Apache web log files will not provide meaningfull statistics unless they are graphed
or presented in an easy to read fashion. The following packages to a good job of presenting site
statistics.

• Analog - Also see Report Magic for Analog


• Webalizer
• AWStats - (requires PERL)

Web site statistic services:

• eXTReMe Tracking

Load testing your server:

• PureLoad - JAVA load testing and reporting tool.


• WebPerformance Trainer - Load Testing Tools.

Apache Links:
• CgiWrap - setuid wrapper that allows users to install and execute their own
cgi scripts that get executed as their own userid
• Thumbprint - CGI for viewing a directory of images as thumbnails
• WWWThreads.org - Commercial product - Advanced Web Conferencing
Software
• Configuring https (mod_ssl):
o Mod_SSL.org: Home Page
o Mod_SSL.org: Mod_SSL HowTo
o Mod_SSL.org: Steps to create SSL server certificate
o https configuration

Log file analysis using Analog:

Installation:

• Red Hat / Fedora: yum install analog


• Ubuntu / Debian: apt-get install analog

Installation packages also available from the Analog downloads page.


Configuration file: /etc/analog.cfg

LOGFILE /var/log/httpd/your-domain.com-access_log* http://www.your-domain.com


UNCOMPRESS *.gz,*.Z "gzip -cd"
SUBTYPE *.gz,*.Z
#
OUTFILE /home/user1/public_html/analog/Report.html
#
HOSTNAME "YourDomain.com"
HOSTURL http://www.your-domain.com

....
...
..

REQINCLUDE pages # Request page stats only


ALL ON
LANGUAGE US-ENGLISH
One can view the settings which be used with your configuration file (also
good for debugging): analog -settings

Make Analog images available to the users report: ln -s


/usr/share/analog/images/* /home/user1/public_html/analog

Log file location:

• Red Hat / Fedora: /var/log/httpd/


• Ubuntu / Debian: /var/log/apache2/
The Directive ALL ON turns on all of the following:
Analog
Description
Directive

MONTHLY ON one line for each month

WEEKLY ON one line for each week

DAILYREP ON one line for each day

DAILYSUM ON one line for each day of the week

HOURLYREP ON one line for each hour of the day

GENERAL ON the General Summary at the top

REQUEST ON which files were requested

FAILURE ON which files were not found

DIRECTORY ON Directory Report

HOST ON which computers requested files

ORGANISATION ON which organisations they were from

DOMAIN ON which countries they were in

REFERRER ON where people followed links from

where people followed broken links


FAILREF ON
from

SEARCHQUERY ON the phrases and words they used...

SEARCHWORD ON ...to find you from search engines

which browser types people were


BROWSERSUM ON
using

OSREP ON and which operating systems

FILETYPE ON types of file requested

SIZE ON sizes of files requested

STATUS ON number of each type of success


and failure

Cron job to handle multiple domains: /etc/cron.daily/analog

#!/bin/sh
cp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg
/usr/bin/analog
cp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg
/usr/bin/analog

...
Links:

• Analog home page


• Analog command reference

Measuring Web Server Performance:

See the YoLinux.com web server benchmarking tutorial.

FTPd and FTP user account configuration:

Many FTP programs exist. This example covers the popular vsftpd (Red Hat default 9.0, Fedora
Core, Suse) and wu-ftpd (Washington University) program which comes standard with RedHat
(last shipped with RedHat 8.0 but can be installed on any Linux system). (RPM: wu-ftpd) There
are other FTP programs including proFtpd (supports LDAP authentication, Apache like
directives, full featured ftp server software), bftpd, pure-ftpd (free BSD and optional on Suse),
etc ...

For hostile environments set up a chrooted environment for an sftp encrypted connection and
the rssh restricted shell for OpenSSH. See the YoLinux.com internet security tutorial for Linux
sftp and rssh configuration

FTPd and SELinux: To allow FTPd daemon access and FTP access to users home directories:

• setsebool -P allow_ftpd_full_access=1
Other wise you will get an error in /var/log/messages:
SELinux is preventing the ftp daemon from writing files outside the home
directory (./public_html).

• setsebool -P ftp_home_dir 1
Follow with the command service vsftpd restart

FTPd configuration tutorials:

• # vsFTPd: Configuration
• # WU-FTPd: Configuration
• # FTP Clients: Links

vsFTPd and FTP user account configuration:

The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by Suse and
OpenBSD as well. This is currently the recomended FTP daemon for use on FTP servers.

Enable vsftpd:

• Red Hat/Fedora Core/CentOS: VsFTPd is a stand alone service and by the


default Fedora Core installation, not controlled by xinetd as is the wu-ftpd
default installation.
Thus start service: service vsftpd start (or: /etc/init.d/vsftpd start)
Configure vsftpd to start upon system boot: chkconfig --add vsftpd
• SuSE: By default, the vsftpd is an xinetd controlled service. To enable FTP
server services edit the file /etc/xinetd.d/vsftpd and change:
disable = yes
to:
disable = no
Restart the xinetd daemon: /etc/init.d/xinetd restart
Note: vsftpd can also be run as a stand-alone service to achieve a faster
response time.
• Ubuntu (dapper/hardy) / Debian:
o Install: apt-get install vsftpd
o VsFTPd is a stand alone service.
 Start: /etc/init.d/vsftpd start
 Stop: /etc/init.d/vsftpd stop
 Restart: /etc/init.d/vsftpd restart
(Use this command after making configuration file changes)

For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the Linux
init process and service activation.

Configuration files:

• vsFTPd configuration file:


o Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf
o S.u.S.e. / Ubuntu (dapper/hardy) / Debian: /etc/vsftpd.conf
Default for Fedora Core 3:

anonymous_enable=YES - Anonymous FTP allowed by default if you


comment this out. Default directory used: /var/ftp

local_enable=YES - Uncomment this to allow local users to log


in with FTP.
Must also set SELinux boolean: setsebool -P
ftp_home_dir 1

write_enable=YES - Uncomment this to enable any form of FTP


write or upload command.

local_umask=022 - Default is 077. Umask 022 is used by most


other ftpd's.

#anon_upload_enable=YES - Uncomment to allow the anonymous FTP user to


upload files.
Requires the above global write enabled.
Directory must also be writable by user.
#anon_mkdir_write_enable=YES - Uncomment this to allow the anonymous FTP
user to be able to create new directories.

dirmessage_enable=YES - Activate directory messages.


Messages given to remote users when they
enter certain directories
xferlog_enable=YES - Activate logging of uploads/downloads.

connect_from_port_20=YES - PORT transfer connections originate from


port 20 (ftp-data)

#chown_uploads=YES - Uploaded anonymous files set to a specified


owner. (not root)
#chown_username=whoever

#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is


/var/log/vsftpd.log

xferlog_std_format=YES - Output to log file in standard ftpd xferlog


format

#idle_session_timeout=600 - Set timing out for an idle session.

#data_connection_timeout=120 - Set timing out for an idle data connection.


Port 20

#nopriv_user=ftpsecure - Run ftp server as an isolated and


unprivileged user.

# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it, may
confuse older FTP clients.
#async_abor_enable=YES

#ascii_upload_enable=YES - Improve performance by disabling ASCII mode.


Disables command "ascii" and "SIZE /big/file".
#ascii_download_enable=YES

#ftpd_banner=Welcome to YoLinux - Customize the login banner string.

#deny_email_enable=YES - Disallow specified anonymous e-mail


addresses. Used to combat certain DoS attacks.
#banned_email_file=/etc/vsftpd.banned_emails (Ubuntu default. Red Hat:
/etc/vsftpd/banned_emails)

#chroot_list_enable=YES - List users chroot()'d to their home


directory. If "NO", list users not chroot()'d.
#chroot_list_file=/etc/vsftpd.chroot_list (Ubuntu default. Red Hat:
/etc/vsftpd/chroot_list)

ls_recurse_enable=YES - Allow "ls -R" recursive directory list.


Default is disabled.

pam_service_name=vsftpd

userlist_enable=YES - (Ubuntu Default) Deny users specified in


file /etc/vsftpd.user_list
If "userlist_enable=NO" then allow specified
users.
Red Hat: /etc/vsftpd/user_list
#deny_email_enable=YES - Disallow specified anonymous e-mail
addresses. Used to combat certain DoS attacks.

listen=YES - Enable for standalone mode as opposed to an


xinetd service.
Must set SELinux boolean: setsebool -P
ftpd_is_daemon 1
tcp_wrappers=YES

Restart the FTP service if the config file is changed: service vsftpd restart
(or: /etc/init.d/vsftpd restart)

[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:

directive=XXX # comment

vsftp.conf man page

• Specify list of local users chrooted to their home directories:


o Red Hat: /etc/vsftpd/vsftpd/chroot_list
o Ubuntu: /etc/vsftpd/vsftpd.chroot_list

(Requires: chroot_list_enable=YES)

user1
user2
...
user-n

If userlist_enable=NO, then specify users not to be chroot'd..

• Specify list of users:


o Red Hat: /etc/vsftpd/user_list
o Ubuntu: /etc/vsftpd.user_list

(Deny list of users requires: userlist_enable=YES)


Also see PAM configuration below.

root
bin
daemon
adm
lp
sync
shutdown
halt
...
If userlist_enable=NO, then specify valid users.

• PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd

#%PAM-1.0
auth required pam_listfile.so item=user sense=deny
file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

• This causes PAM to check /etc/vsftpd.ftpusers for users who are denied.
This duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is
independent of vsftpd configuration.
• PAM authentication configuration file: ftpusers
o Red Hat: /etc/vsftpd/ftpusers
o Ubuntu: /etc/vsftpd.ftpusers

root
bin
daemon
adm
lp
sync
shutdown
halt
...
...
...
user6 - Users to deny
user8
...
...

• Logrotate configuration file: /etc/logrotate.d/vsftpd.log

/var/log/xferlog {
# ftpd doesn't handle SIGHUP properly
nocompress
missingok
}

Sample vsFTPd configurations:

• Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf

# Access rights
anonymous_enable=YES - Turn on anonymous FTP
chown_uploads=YES - Uploaded files owned by an assigned user
chown_username=ftp - Uploaded files owned by this assigned user
local_enable=NO
write_enable=NO - No upload of files system changes allowed
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
anon_max_rate=50000
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
Anonymous logins use the login name "anonymous" and then the user
supplies their email address as a password. Any password will be accepted.
Used to allow the public to download files from an ftp server. Generally, no
upload is permitted.

• Web hosting configuration: /etc/vsftpd/vsftpd.conf

# Access rights
anonymous_enable=NO
local_enable=YES - Allow users to ftp to their
home directories
write_enable=YES - Allow users to STOR, DELE,
RNFR, RNTO, MKD, RMD, APPE and SITE
local_umask=022
# Security
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO - Don't remap user name
ftpd_banner=Welcome to Super Duper Hosting - Customize the login banner
string.
chroot_local_user=YES - Limit user to browse their own
directory only
chroot_list_enable=YES - Enable list of system / power
users
chroot_list_file=/etc/vsftpd.chroot_list - Actual list of system / power
users
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
dirmessage_enable=YES - Message greeting held in
file .message or specify with message_file=...
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
#
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES

Specify list of local users chrooted to their home directories:


/etc/vsftpd/vsftpd.chroot_list
Ubuntu typically: /etc/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)

user1
user2
...
user-n
If userlist_enable=NO, then specify users not to be chroot'd..

[Potential Pitfall]: Mispelling a directive will cause vsftpd to fail with little warning.

File: .message

A NOTE TO USERS UPLOADING FILES:


File names may consist of letters (a-z, A-Z), numbers (0-9),
an under score ("_"), dash ("-") or period (".") only.
The file name may not begin with a period or dash.

Test if vsftp is listening: netstat -a | grep ftp

[root]# netstat -a | grep ftp


tcp 0 0 *:ftp *:*
LISTEN

Links:

• vsFTPd Home Page


• Sample configurations
• vsftp.conf Man page

WU-FTPd and FTP user account configuration:

The wu-ftpd FTP server can be downloaded (binary or source) from it's home page at http://wu-
ftpd.org.

There are three kinds of FTP logins that wu-ftpd provides:

• anonymous FTP - one logs in with the username 'anonymous'


• real FTP - log in with a real username and password and has access to the
entire disk structure.
• guest FTP - one logs in with a real user name and password, but the user is
chroot'ed to his home directory and cannot escape from it. They are
constrained to their home directory which also means that they don't have
access to /bin/ls and other commands on the server. Thus a local minimalist
environment must be set up.

This tutorial covers "guest" FTP configuration.

The file /etc/ftpaccess controls the configuration of ftp.

# Don't allow system accounts to log in over ftp


deny-uid %-99 %65534-
deny-gid %-99 %65534-

class all real,guest *


email webmaster@your-domain.com
loginfails 5

readme README* login


readme README* cwd=*
message /welcome.msg login
message .message cwd=*

compress yes all


tar yes all
chmod no guest,anonymous
delete no anonymous # delete files permission?
overwrite no anonymous # overwrite files permission?
rename no anonymous # rename files permission?
delete yes guest # delete files permission?
overwrite yes guest # overwrite files permission?
rename yes guest # rename files permission?
umask no guest # umask permission?

log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg

passwd-check rfc822 warn

# Must also create message file /etc/pathmsg of the guest directory.


# In this case it refers to /home/user1/public_html/etc/pathmsg.
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
limit all 2
noretrieve passwd .htaccess core - Do not allow users to download files
of these names
limit-time * 20
byte-limit in 5000 - Limit file size
guestuser * - Set system user default to be categorized as a "guest".
A "real" user can roam the system. Guestuser is chrooted.
realgroup regularuserx regularusery - Assign real user privileges to
members of groups "regularuserx" and "regularusery".
Visibility of the whole file system
and subject to regular UNIX file permissions
realuser user4 - Assign real user privileges to user
id "user4".

restricted-uid user1 user2 user3 - Restricts FTP to the specified


directories
guest-root /home/user1/public_html user1
guest-root /home/user2/public_html user2
guest-root /home/user3/public_html user3

Note:

• user1, user2 and user3 refer to login accounts. Use the appropriate login
name.
• The above configuration disables anonymous FTP which allows anyone to
perform an FTP login with the id anonymous and an email address as a
password. To enable anonymous FTP, change the class directive to:

class all real,guest,anonymous *

• GUI FTP configuration tools:


o /usr/bin/kwuftpd
o /sbin/linuxconf
(Note: Linuxconf is no longer included with Red Hat 7.3 and later)
• Red Hat Linux assigns users a user id and group id which is the same. This
means that it does not matter if you use a realuser or realgroup directive as
they will act the same.
• Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp
connections. Thus xinetd must be running and configured to support ftp. The
configuration file is /etc/xinetd.d/wu-ftpd. The command chkconfig wu-ftpd
on will make the ftp server available. See xinet configuration for more info.
• Allow overide of deny-uid and/or deny-gid:
• allow-uid user-to-allow
• allow-gid group-to-allow

• Optional configuration:
o Create a group ftpchroot
o Add users to this group
o Use directive: guestgroup ftpchroot

[Potential Pitfall]: Flakey ftp behavior, timeouts, etc?? FTP works best with name resolution of
the computer it is communicating with. This requires proper /etc/resolve.conf and name
server (bind) configuration, /etc/hosts or NIS/NFS configuration.
File /home/user1/public_html/etc/pathmsg:

A NOTE TO USERS UPLOADING FILES:


File names may consist of letters (a-z, A-Z), numbers (0-9),
an under score ("_"), dash ("-") or period (".") only.
The file name may not begin with a period or dash.
You have tried to upload a file with an inappropriate name.

The whole point of the chroot directory is to make the user's home directory appear to be the root
of the filesystem (/) so one could not wander around the filesystem. Configuration of
/etc/ftpaccess will limit the user to their respective directories while still offering access to
/bin/ls and other system commands used in FTP operation.

As root:

cd /home/user1
mkdir public_html
chown $1.$1 public_html
touch .rhosts - Security protection
chmod ugo-xrw .rhosts

Man Pages:
Server:

• ftpd - Internet File Transfer Protocol server

File Formats:

• /etc/ftpaccess - Configuration file for ftpd


• /etc/ftpservers - ftpd virtual hosting configuration file. (optional)
• /etc/ftphosts - allow or deny access to certain accounts from
various hosts. (optional)
• /etc/ftpconversions - ftpd conversions database (for tar and
compression)
• /var/log/xferlog - FTP server logfile
• ftp - File Transfer Client program

Configuration files: (RH 8.0+)

• PAM configuration file: /etc/pam.d/ftp

#%PAM-1.0
auth required pam_listfile.so item=user sense=deny
file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

• Xinetd configuration file: /etc/xinetd.d/wu-ftpd


service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.ftpd
server_args = -l -a
log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10
}
• Note: wu-FTPd is controlled by xinetd and not a stand alone service like
vsFTPd.
• Logrotate configuration file: /etc/logrotate.d/ftpd

/var/log/xferlog {
nocompress
}

More information:

• WU-FTPD Development Group Home Page


• More resources
• Academ Consulting
• FTP FAQ - Koos van den Hout's
• dkftpbench - FTP benchmark program to give you an idea as to how many
simultaneous dialup clients a server can support.
• FTP and text file type conversions: End Of Line Characters - by Peter
Benjamin
• Chrooted sftp (ssl) project

Man pages on related FTP commands and files:

• chroot - Run with a special root directory


• ftpcount - Show number of concurrent users.
• ftpshut - close down the ftp servers at a given time
• ftprestart - Restart previously shutdown ftp servers
• ftpwho - show current process information for each ftp user
• privatepw - Change WU-FTPD Group Access File Information (admin
command)
Other FTP daemons:

• FTP4All
• CrushFTP - Java/cross platform
• WS_FTP

FTP Pitfalls:

If you get the following error:

ftp> ls
227 Entering Passive Mode (208,188,34,109,208,89)
ftp: connect: No route to host
This means you have firewall issues most probably on the FTP server itself. Start by
removing the firewall "iptables" rules: iptables -F Add rules until you discover what
is causing the problem.

Passive mode:
Passive mode can also help one past the rules:

ftp> passive
Passive mode on.
This toggles passive mode on and off. When on, FTP will be limited to ports
specified in the vsftpd configuration file: vsftpd.conf with the parameters
pasv_min_port and pasv_max_port

Firewall connection tracking module:


# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_conntrack_ftp"

NAT firewall modules:


You can also try adding ip_nat_ftp to the list of autoloaded modules: (This will also
load the dependancy: ip_conntrack_ftp.)

# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp


IPTABLES_MODULES="ip_nat_ftp"
Then restart the firewall: /etc/init.d/iptables condrestart

FTP will change ports during use. The ip_conntrack_ftp module will consider each
connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then
FTP will work. i.e. rule: /etc/sysconfig/iptables

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


FTP fails because it can not change to the users home
directory:
Error:

[user1@nodex ~]$ ftp node.domain.com


Connected to XXX.XXX.XXX.XXX.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (XXX.XXX.XXX.XXX:user1):
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/user1
Login failed.
ftp> bye

This is often a result of SELinux preventing the vsftpd process from accesing the user's
home directory. As root, grant access with the following command:
setsebool -P ftp_home_dir 1
Followed by: service vsftpd restart

Test your vsftpd SELinux settings: getsebool -a | grep ftp

allow_ftpd_anon_write --> off


allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> on
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off

FTPd SELinux man page

FTP Linux clients:

• kbear: GUI KDE based client. Connect to multiple servers, transfer files,
directory browsing, file content browsing. Comes with S.U.S.e. Linux.
• gftp: GUI GTK+ Multithreaded client. File transfer directory browsing and
compare. Multiple protocols: FTP, FTPS (control connection only), HTTP,
HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora
Core.
• ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM
package FC3: krb5-workstation)
Basic user security:

When hosting web sites, there is no need to grant a shell account which only allows the server to
have more potential security holes. Current systems can specify the user to have only FTP access
with no shell by granting them the "shell" /sbin/nologin provided with the system or the
"ftponly" shell described below. The shell can be specified in the file /etc/passwd of when
creting a user with the command adduser -s /sbin/nologin user-id

[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5 does not support this
configuration to prevent shell access. It requires users to have a real user shell. i.e. /bin/bash It
works great in older and current Red Hat versions. If it works for you, use it, as it is more secure
to deny the user shell access. You can always deny telnet access. You should NOT be using this
problem ridden version of ftpd. Use the latest wu-ftpd-2.6.2-11 which supports users with shell
/opt/bin/ftponly

[Potential Pitfall]: Ubuntu Dapper/Hardy - Setting the shell to the preconfigured shell
/bin/false will NOT allow vsftp access. One must create the shell "ftponly" as defined below
to allow vsftp access with no shell.

1. Disable remote telnet login access allowing FTP access only:

Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.

...
user1:x:502:503::/home/user1:/opt/bin/ftponly
...

Create file: /opt/bin/ftponly.


Protection set to -rwxr-xr-x 1 root root
with the command: chmod ugo+x /opt/bin/ftponly
Contents of file:

#!/bin/sh
#
# ftponly shell
#
trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
#
Admin=root@your-domain.com
#System=`/bin/hostname`@`/bin/domainname`
#
/bin/echo
/bin/echo
"********************************************************************"
/bin/echo " You are NOT allowed interactive access."
/bin/echo
/bin/echo " User accounts are restricted to ftp and web access."
/bin/echo
/bin/echo " Direct questions concerning this policy to $Admin."
/bin/echo
"********************************************************************"
/bin/echo
#
# C'ya
#
exit 0

The last step is to add this to the list of valid shells on the system.
Add the line /opt/bin/ftponly to /etc/shells.

Sample file contents: /etc/shells

/bin/bash
/bin/bash1
/bin/tcsh
/bin/csh
/opt/bin/ftponly

See man page on /etc/shells.

An alternative would be to assign the shell /bin/false or /sbin/nologin which


became available in later releases of Red Hat, Debian and Ubuntu. In this case the shell
/bin/false or /sbin/nologin would have to be added to /etc/shells to allow them
to be used as a valid shell for FTP while disabling ssh or telnet access.

2. Set file quotas to limit user account.

For more on Linux security see the: YoLinux.com Internet web site Linux server security
tutorial

Domain Name Server (DNS) configuration using Bind version


8 or 9:

Two of the most popular ways to configure the program Bind (Berkeley Internet Domain
software) to perform DNS services is in the role of (1) ISP or (2) Web Host.
1. In an ISP configuration for clients (web surfers) conected to the internet, the
DNS server must resolve IP addresses for any URL the user wishes to visit.
(See DNS caching server)
2. In a purely web hosting configuration, Bind will only resolve for the IP
addresses of the domains which are being hosted. This is the configuration
which will be discussed and is often called an "Authoritative-only
Nameserver".

When resolving IP addresses for a domain, Internic is expecting a "Primary" and a "Secondary"
DNS name server. (Sometimes called Master and Slave) Each DNS name server requires the
file /etc/named.conf and the files it points to. This is typically two separate computer systems
hosted on two different IP addresses. It is not necesary that the Linux servers be dedicated to
DNS as they may run a web server, mail server, etc.

Note on Bind versions: Red Hat versions 6.x used Bind version 8. Release 7.1 of Red Hat began
using Bind version 9 and the GUI configuration tool bindconf was introduced for those of you
that like a pretty point and click interface for configuration.

Installation Packages:

• Red Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils,


system-config-bind
o bind-chroot: Security jail for operation of bind.
o bind-utils: Utility commands like nslookup, host, dig
o system-config-bind: GUI config tool system-config-bind and related
configuration files (/etc/security/console.apps/bindconf).
o caching-nameserver: We will not be covering this as it is not required
for web hosting. This is used by internet providers so their clients can
cache the DNS entries of the sites they are visiting.
• Ubuntu (dapper/hardy) / Debian: bind9

Configuration files:

Red Hat / Fedora / CentOS:

File Description Directory Chrooted Directory

named.conf Primary/Secondary DNS server /etc/ /var/named/chroot/etc/


configuration.
(See default file
/usr/share/doc/bind-
9.X.X/sample/etc/named.conf)

named.root.hi Configuration for recursive service. /etc/ /var/named/chroot/etc/


nts Required for all zones.
(See default file
/usr/share/doc/bind-
9.X.X/sample/etc/named.root.hints)

named Red Hat system variables. / no change


etc/sysconfi
g/

rndc.key Primary/Secondary DNS server /etc/ /var/named/chroot/etc/


configuration.

Zone files Configuration files for each domain. /var/named/ /


Create this file to resolve host name var/named/chroot/var/nam
internet queries i.e. define IP ed/
address of web (www) and mail
servers in the domain.

Debian / Ubuntu:

File Description Directory Chrooted Directory

named.conf Primary/Secondary DNS /etc/bind/ /var/bind/chroot/etc/bind/


named.conf.opti server configuration.
ons
named.conf.loca
l

rndc.key Primary/Secondary DNS /etc/ /var/bind/chroot/etc/


server configuration.

Zone files Configuration files for each / /


domain. var/bind/dat var/bind/chroot/var/bind/da
a/ ta/

Primary server (master):

File: named.conf

Red Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir:


/var/named/chroot/etc/named.conf) and /etc/sysconfig/named for system
variables.
Ubuntu / Debian: /etc/bind/named.conf Place local definitions in
/etc/bind/named.conf.options and /etc/bind/named.conf.local

Simple example: (no views)


options { - Ubuntu stores options in
/etc/bind/named.conf.options
version "Bind"; - Don't disclose real version to
hackers
directory "/var/named"; - Specified so relative path
names can be used. Full path names still allowed.
allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS
recursion no;
auth-nxdomain no; - conform to RFC1035. (default)
fetch-glue no; - Bind 8 only! Not used by version 9
};

zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "your-domain.com"{ - Ubuntu separates the zone


definitions into /etc/bind/named.conf.local
type master; - Specify master, slave, forward or
hint
file "data/named.your-domain.com";
notify yes; - slave servers are notified when the
zone is updated.
allow-update { none; }; - deny updates from other hosts
(default: none)
allow-query { any; }; - allow clients to query this server
(default: any)
};
zone "your-domain-2.com"{
type master;
file "data/named.your-domain-2.com";
notify yes;
};
Note:

• The omission of zone ".". Required if providing a recursive


service.
• Ubuntu includes the separated file of zone directives using the
directive:
include "/etc/bind/named.conf.local";

BIND Views: The BIND naming service can support "views" which allow
various sub-networks (i.e. private internal or public external networks) to
have a different domain name resolution result.

• If no views are specified then use the configuration shown


above.
• The match-up between the "view" and the view client which
receives the DNS information is specified by the match-clients
statement.
• If even one view is specified, then ALL zones MUST be
associated with a "view".
• Bind 9 allows for views which allow different zones to be served
to different types of clients, localhost, private networks and public
networks. This maps to the three view names "localhost_resolver",
"internal" and "external":
o localhost_resolver: Supports name resolution for the
system (localhost) using BIND. Support for use of bind also has
to be configured in /etc/nsswitch.conf
o internal: User specified Local Area Network (LAN). If not
used to support a local private LAN, remove (or comment out)
this view.
o external: The general public internet defined as client
"any".
• If you are only setting up a caching name server, then only
specify the view "localhost_resolver" (delete all other views).
• In order to support a DNS for internet domains using views, one
will have to configure an "external" view

Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")

options
{
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";

};
logging
{
// By default, SELinux policy does not allow named to modify the
/var/named
// directory, so put the default debug log file in data/ :

channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view "localhost_resolver"
{
// This view sets up named to be a localhost resolver ( caching only
nameserver ).
// If all you want is a caching-only nameserver, then you need only
define this view:
match-clients { localhost; };
...
};
view "internal"
{
// This view will contain zones you want to serve only to "internal"
clients
// that connect via your directly attached LAN interfaces - "localnets" .
// For local private LAN. Not covered in this tutorial.
// Delete this view if web hosting with no local LAN.
match-clients { localnets; };
...
};
key ddns_key
{
algorithm hmac-md5;
secret "use /usr/sbin/dns-keygen to generate TSIG keys";
};
view "external"
{
// This view will contain zones you want to serve only to "external"
// public internet clients. This is covered below.
match-clients { any; };
...
..
};

Default configuration files: Red Hat may supply the default configuration
in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf

• cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf
/var/named/chroot/etc
• cp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints
/var/named/chroot/etc
• chcon -u system_u -r object_r -t named_conf_t
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/named.root.hints

view "localhost_resolver": If supporting a caching DNS server (not required


to support a web domain) you will also need the files:

• cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones
/var/named/chroot/etc
• cp /usr/share/doc/bind-
9.X.X/sample/var/named/localdomain.zones
/var/named/chroot/var/named
also from /usr/share/doc/bind-9.X.X/sample/var/named/:
localhost.zones, named.local, named.zero, named.broadcast,
named.ip6.local, named.root

view "external": (master) - details -

view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface
subnets:
*/
match-clients { any; };
match-destinations { any; };
allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS

recursion no;
// you'd probably want to deny recursion to external clients, so you
don't
// end up providing free DNS service to all takers

// all views must contain the root hints zone:


include "/etc/named.root.hints";

// These are your "authoritative" external zones, and would probably


// contain entries for just your web and mail servers:

zone "your-domain.com" {
type master;
file "/var/named/data/external/named.your-domain.com";
notify yes;
allow-update { none; };
};

// You can also add the zones as a separate file like they do in
Ubuntu by adding the following statement
include "/etc/named.conf.local";
};

DNS key:

Use the following command /usr/sbin/dns-keygen to create a key. Add this


key to the "secret" statement as follows:

key ddns_key
{
algorithm hmac-md5;
secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";
};
Man Pages:

• named.conf

Forward Zone File: /var/named/named.your-domain.com

Red Hat 9 / CentOS 3: /var/named/named.your-domain.com


Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted]
/var/named/chroot/var/named/data/named.your-domain.com
Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.your-
domain.com
Ubuntu / Debian: /etc/bind/data/named.your-domain.com

$TTL 604800 - Bind 9 (and some of the later versions of Bind 8)


requires $TTL statement. Measured in seconds. This value is 7 days.
your-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-
domain.com. (
2000021600 ; serial - Many people use year+month+day+integer as a
system. Never greater than 2147483647 for a 32 bit processor.
86400 ; refresh - How often secondary servers (in seconds) should
check in for changes in serial number. (86400 sec = 24 hrs)
7200 ; retry - How long secondary server should wait for a retry
if contact failed.
1209600 ; expire - Secondary server to purge info after this length
of time.
86400 ) ; default_ttl - How long data is held in cache by remote servers.
IN A XXX.XXX.XXX.XXX - Note that this is the default IP address
of the domain.
I put the web server IP address here so
that domain.com points to the same servers as www.domain.com
;
; Name servers for the domain
;
IN NS ns1.your-domain.com.
IN NS ns2.your-domain.com.
;
; Mail server for domain
;
IN MX 5 mail - Identify "mail" as the node handling
mail for the domain. Do NOT specify an IP address!
;
; Nodes in domain
;
node1 IN A XXX.XXX.XXX.XXX - Note that this is the IP address of
node1
ns1 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own
primary name server. Note that this is the IP address of ns1
ns2 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own
secondary name server. Note that this is the IP address of ns2
mail IN A XXX.XXX.XXX.XXX - Identify the IP address for node
mail.
IN MX 5 XXX.XXX.XXX.XXX - Identify the IP address for mail
server named "mail".
;
; Aliases to existing nodes in domain
;
www IN CNAME node1 - Define the webserver "www" to be
node1.
ftp IN CNAME node1 - Define the ftp server to be node1.

MX records for 3rd party off-site mail servers:

your-domain.com. IN MX 10 mail1.offsitemail.com.
your-domain.com. IN MX 20 mail2.offsitemail.com.

Append to the above file.

Initial configuration: Note that Red Hat may supply the default zone configuration
in: /usr/share/doc/bind-9.X.X/sample/var/named/

• cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone
/var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone
/var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast
/var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local
/var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero
/var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.local
/var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.root
/var/named/chroot/var/named/data/
• cd /var/named/chroot/var/named/data/
• chcon -u system_u -r object_r -t named_cache_t localhost.zone
localdomain.zone named.broadcast named.ip6.local named.zero named.root
named.local

A file suffix of "zone" is also common i.e. your-domain.com.zone

Secondary server (slave):

File: named.conf

Red Hat / Fedora Core / CentOS: /etc/named.conf


Ubuntu / Debian: /etc/bind/named.conf
Simple example with no views:

options { - Ubuntu stores options in


/etc/bind/named.conf.options
version "Bind"; - Don't disclose real version to
hackers
directory "/var/named";
allow-transfer { none; }; - Slave is not transfering updates to
anyone else
recursion no;
auth-nxdomain no; - conform to RFC1035. (default)
fetch-glue no; - Bind 8 only! Not used by version 9
};
zone "localhost" {
type master;
file "/etc/bind/db.local"; - Ubutu: /etc/bind/db.local, Red Hat:
/var/named/named.local
};
zone "0.0.127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};

zone "your-domain.com"{
type slave;
file "named.your-domain.com"; - Specify slaves/named.your-domain.com
for RHEL4/5 chrooted bind
masters { XXX.XXX.XXX.XXX; }; - IP address of primary DNS
};
zone "your-domain-2.com"{
type slave;
file "named.your-domain-2.com";
masters { XXX.XXX.XXX.XXX; };
};

view "external": (slave)

view "external"
{
match-clients { any; };
match-destinations { any; };
allow-transfer { none; }; - Slave does not transfer to anyone, slave
receives
recursion no;
include "/etc/named.root.hints";

zone "your-domain.com" {
type slave;
file "/var/named/slaves/external/named.your-domain.com";
notify no; - Slave does not notify, slave is
notified by master
masters { XXX.XXX.XXX.XXX; }; - State IP of master server
};
};
Note: RHEL4/5, CentOS 4/5, Fedora 3+ use chrooted directory structure
permissions which require the use of the slaves subdirectory
/var/named/slaves

Slave Zone Files: These are transfered from master to slave and chached by
slave. There is no need to generate a zone file on the slave.

Additional Information:

• Man page on named.conf


• Man page on named DNS server
• Full DNS manual
[Potential Pitfall]: Ubuntu dapper/hardy - Path names used can not violate Apparmor security
rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically
named "/var/lib/bind/named.your-domain.com" as permitted by the security configuration.

[Potential Pitfall]: Ubuntu dapper/hardy - Create log file and set ownership and permission for
file not created by installation:

• touch /var/log/bindlog
• chown root.bind /var/log/bindlog
• chmod 664 /var/log/bindlog

[Potential Pitfall]: Error in /var/log/messages:

transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving


responses: permission denied

Named needs write permission on the directory containing the file. This
condition often occurs for a new "slave" or "secondary" name server where
the zone files do not yet exist.
The default (RHEL4/5, CentOS 4/5, Fedora Core 3+, ...):

• drwxr-x--- 4 root named 4096 Aug 25 2004 named


• drwxrwx--- 2 named named 4096 Sep 17 20:37 slaves

Fix: In named.conf specify that the slaves to go to slaves directory


/var/named/chroot/var/named/slaves with the directive:
file "slaves/named.your-domain.com";

Bind Defaults:

• Uses port 53 if none is specified with the listen-on port statement.


• Bind will use random ports above port 1024 for queries. For use with firewalls
expecting all DNS traffic on port 53, specify the following option statement in
/etc/named.conf

query-source address * port 53;


query-source-v6 port 53;

• Logging is to /var/log/messages

After the configuration files have been edited, restart the name daemon.
/etc/init.d/named restart

(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)

Bind zone transfers work best if the clocks of the two systems are synchronised. See the
YoLinux SysAdmin Tutorial: Time and ntpd

File: /var/named/named.your-domain.com This is created for you by Bind on the slave


(secondary) server when it replicates from Primary server.

DNS GUI configuration:

• Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind


• Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind
Test DNS:

Must install packages:

• Red Hat / Fedora Core / SuSE: bind-utils


• Ubuntu (dapper/hardy) / Debian: bind9-host

Test the name server with the host command in interactive mode:
host node.domain-to-test.com your-nameserver-to-test.domain.com

Note: The name server may also be specified by IP address.

or

Test the name server with the nslookup command in interactive mode:
nslookup
> server your-nameserver-to-test.domain.com
> node.domain-to-test.com
> exit

Test the MX record if appropriate:

nslookup -querytype=mx domain-to-test.com

OR

host -t mx domain-to-test.com

Test using the dig command:

dig @name-server domain-to-query

OR

dig @IP-address-of-name-server domain-to-query

Test your DNS with the following DNS diagnostics web site: DnsStuff.com

Extra logging to monitor Bind:

Add the following to your /etc/named.conf file.

logging {
channel bindlog {
file "/var/log/bindlog" versions 5 size 1m; -
Keep five old versions of the log-file (rotates logs)
print-time yes;
print-category yes;
print-severity yes;
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory
(/var/named).
* By default, SELinux policy does not allow named to modify the
/var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
category xfer-out { bindlog; }; - Zone transfers
category xfer-in { bindlog; }; - Zone transfers
category security { bindlog; }; - Approved/unapproved requests

// The following logging statements, panic, insist and response-checks


are valid for Bind 8 only. Do not user for version 9.
category panic { bindlog; }; - System shutdowns
category insist { bindlog; }; - Internal consistency check
failures
category response-checks { bindlog; }; - Messages
};

Chroot Bind for extra security:

Note: Most modern Linux distributions default to a "chrooted" installation.


This technique runs the Bind name service with a view of the filesystem
which changes the definition of the root directory "/" to a directory in which
Bind will operate. i.e. /var/named/chroot.

The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies
to Bind version 9 as well.

The latest RedHat bind updates run the named as user "named" to avoid a lot of earlier
hacker exploits. To chroot the process is to create an even more secure environment by
limiting the view of the system that the process can access. The process is limited to the
chrooted directory assigned.

The chroot of the named process to a directory under a given user will prevent the
possibility of an exploit which at one time would result in root access. The original
default RedHat configuration (6.2) ran the named process as root, thus if an exploit was
found, the named process will allow the hacker to use the privileges of the root user. (no
longer true)

Named Command Sytax:

named -u user -g group -t directory-to-chroot-to

Example:

named -u named -g named -t /opt/named

When chrooted, the process does not have access to system libraries thus a local lib
directory is required with the appropriate library files - theoretically. This does not seem
to be the case here and as noted above in chrooted FTP. It's a mystery to me but it
works???? Another method to handle libraries is to re-compile the named binary with
everything statically linked. Add -static to the compile options. The chrooted process
should also require a local /etc/named.conf etc... but doesn't seem to???
Script to create a chrooted bind environment:

#!/bin/sh
cd /opt
mkdir named
cd named
mkdir etc
mkdir bin
mkdir var
cd var
mkdir named
mkdir run
cd ..
chown -R named.named bin etc var

You can probably stop here. If your system acts like a chrooted system
should, then continue with the following:

cp -p /etc/named.conf etc
cp -p /etc/localtime etc
cp -p /bin/false bin
echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd
echo "named:x:25:" > etc/group
touch var/run/named.pid

if [ -f /etc/namedb ]
then
cp -p /etc/namedb etc/namedb
fi

mkdir dev
cd dev

# Create a character unbuffered file.


mknod -m ugo+rw null c 1 3

cd ..
chown -R named.named bin etc var

Add changes to the init script: /etc/rc.d/init.d/named

#!/bin/bash
#
# named This shell script takes care of starting and stopping
# named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.


. /etc/rc.d/init.d/functions

# Source networking configuration.


. /etc/sysconfig/network

# Check that networking is up.


[ ${NETWORKING} = "no" ] && exit 0

[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named - Added in Red Hat version 7.1

[ -f /usr/sbin/named ] || exit 0

[ -f /etc/named.conf ] || exit 0

RETVAL=0

start() {
# Start daemons.
echo -n "Starting named: "
daemon named -u named -g named -t /opt/named - Change made here
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
echo
return $RETVAL
}
stop() {
# Stop daemons.
echo -n "Shutting down named: "
killproc named
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
echo
return $RETVAL
}
rhstatus() {
/usr/sbin/ndc status
return $?
}
restart() {
stop
start
}
reload() {
/usr/sbin/ndc reload
return $?
}
probe() {
# named knows how to reload intelligently; we don't want linuxconf
# to offer to restart every time
/usr/sbin/ndc reload >/dev/null 2>&1 || echo start
return $?
}

# See how we were called.


case "$1" in
start)
start
;;
stop)
stop
;;
status)
rhstatus
;;
restart)
restart
;;
condrestart)
[ -f /var/lock/subsys/named ] && restart || :
;;
reload)
reload
;;
probe)
probe
;;
*)
echo "Usage: named {start|stop|status|restart|condrestart|reload|probe}"
exit 1
esac

exit $?

Note: The current version of bind from the RedHat errata updates and security fixes
(http://www.redhat.com/support/errata/) runs the named process as user "named" in the
home (not chrooted) directory /var/named with no shell available. (named -u named)
This should be secure enough. Proceed with a chrooted installation if your are paranoid.

See:

• Securing DNS: How to use chroot bind features

Chrooted DNS configuration:

Modern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4) come preconfigured
to use "chrooted" bind. This security feature forces even an exploited version of bind to only
operate within the "chrooted" jail /var/named/chroot which contains the familiar directories:

• /var/named/chroot/etc: Configuration files


• /var/named/chroot/dev: devices used by bind:
o /dev/null
o /dev/random
o /dev/zero

(Real devices created with the mknod command.)

• /var/named/chroot/var: Zone files and configuration information.

These directories are generated and configured by the Red Hat/Fedora RPM
package "bind-chroot".

If building from source you will have to generate this configuration manually:

• mkdir -p /var/named/chroot
• mkdir /var/named/chroot/dev
• mknod /var/named/chroot/dev/null c 1 3
• mknod /var/named/chroot/dev/zero c 1 5
• mknod /var/named/chroot/dev/random c 1 8
• chmod 666 -R /var/named/chroot/dev
• mkdir -p /var/named/chroot/etc
• ln -s /var/named/chroot/etc/named.conf /etc/named.conf
• mkdir -p /var/named/chroot/var/named
• ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
• ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
• ...
• mkdir -p /var/named/chroot/var/named/slaves
• mkdir -p /var/named/chroot/var/named/data
• mkdir -p /var/named/chroot/var/run
• mkdir -p /var/named/chroot/var/tmp
• chown -R named:named /var/named/chroot
• chown -R root:named /var/named/chroot/var/named

Load Balancing of servers using Bind: DNS Round-Robin

This will populate name servers around the world with different IP addresses for
your web server www.your-domain.com

www0 IN A XXX.XXX.XXX.1
www1 IN A XXX.XXX.XXX.2
www2 IN A XXX.XXX.XXX.3
www3 IN A XXX.XXX.XXX.4
www4 IN A XXX.XXX.XXX.5
www5 IN A XXX.XXX.XXX.6

www IN CNAME www0.your-domain.com.


IN CNAME www1.your-domain.com.
IN CNAME www2.your-domain.com.
IN CNAME www3.your-domain.com.
IN CNAME www4.your-domain.com.
IN CNAME www5.your-domain.com.
IN CNAME www6.your-domain.com.

Also see lbnamed: lbnamed load balancing named

Bind/DNS Links:

• Internet Software Consortium (ISC) Home Page - ISC Bind Home


• Bind FAQ, pitfalls and answers
• Zytrax Bind 9 manual - Bind for rocket scientists
• comp.protocols.tcp-ip.domains FAQ - HTML version
• More on load balancing and round robin schemes
• LDP DNS-HOWTO
• ACME: DNS resources
• DNS Security presentation - Cricket Liu (coauthor of DNS and Bind)
• DNS Security Paper - Craig Rowland
• GraniteCanyon.com: Free DNS hosting - If you don't want to set it up, have
someone do it for you.
• EveryDNS.net - Free DNS
• DNS2GO - Domain hosting for DHCP clients.
• Secondary.com - Free secondary names server hosting (five or fewer
domains)
• TZO.com - Dynamic, secondary DNS services.
• UltraDNS.com - Outsourced DNS management and service
• OpenDNS.com - Can allow forwarding to OpenDNS servers.
Add to "options" section: forwarders { 208.67.222.222; 208.67.222.220; };
• DynDNS.org
Command: ipcheck.py -i eth0 DynDNS-user-id password node.dnsalias.net
Then add script update.dyndns.ip to directory /etc/cron.daily/ to update IP.
This host must also be allowed access through any firewall rules.
• DynDNS/TODD - Dynamic DNS for those with dynamic IP addresses. (i.e. dial-
up game servers etc.)

Domain name registration:

• Domain Name Registrars:


o NetworkSolutions.com
o Register.com
o Registrar.GoDaddy.com - Domain name registration for only
$8.95/year!!!
o Dotster.com - Domain name registration for only $14.95/year
o DomainsNext.com - $11.95/year
o EasyDNS.com - $25.00/year
o Aplus.net - Domain Registration $7.95/year - Not good
o Gandi.net - European
• AfterNic.com - Domain name exchange and auction.
• BuyDomains.com - Buy a domain name that a squatter is holding.

Note that the Name registrations policies for the registrars are stated at ICANN.org.

• You must renew with the same registrar within five days BEFORE the
expiration date. There is no rule for afterwards.
• Most free a domain name 30 days after it expires.

Web Server Load Balancing:


Load balancing becomes important if your traffic volume becomes too great for
either your server or network connection or both. Multiple options are available for
load balancing.

• DNS round-robin: Discussed above, this uses DNS to point users to random
server in a list of appropriate servers. This spreads the load among the
servers in the list.
• Use a Linux Virtual Server to Create a Load Balance Cluster. See next section
below.
• Run a reverse proxy. See nginx ("engine X"). From a single external internet
network connection, route http, smtp, imap or pop3 traffic to various servers
on an internal network. Results are pushed back to the nginx proxy for
routing to the internet (no caching).
• Run the Apache httpd web server module "mod_proxy" to offload processing
of dynamic content to another web server. This acts as a reverse proxy,
routing external traffic to various servers on an internal network.

Using a Linux Virtual Server to Create a Load Balance


Cluster:

You can use a single Linux server to forward requests to a cluster of servers using iptables for IP
masquerading and IPVsadm to scale your load. The load balancing server receiving and routing
the requests is called the "Linux Virtual Server" (LVS). The LVS receives the requests which are
passed to the real servers which process and reply to the request. This reply is forwarded to the
client by the LVS.

This feature is available with the Linux 2.4/2.6 kernel. (If compiling kernel: Networking Options
+ IP: Virtual Server Configuration)

Configuration: This example will load balance http traffic to three web servers and ftp traffic to a
fourth server.

• Enable Forwarding: (Also see YoLinux Networking Tutorial: Enable


Forwarding)
• echo "1" > /proc/sys/net/ipv4/ip_forward

• Enable IP Masquerading:

iptables -t nat -P POSTROUTING DROP


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

For more on IP Masquerading, iptables and subnet addresses, see the YoLinux
network gateway tutorial.

• Enable virtual server:


o Create virtual service and choose scheduler for http (80) and ftp (21):

ipvsadm -A -t 66.218.88.103:80 -s wlc


ipvsadm -A -t 66.218.88.103:21 -s wrr

Command directives:
 A: Add a virtual service defined by IP address, port number, and
protocol.
 -t: Use TCP service host:port
 -s: scheduler:
 rr: Robin Robin: distributes jobs equally amongst the
avail- able real servers.
 wrr: Weighted Round Robin.
 lc: Least-Connection: assigns more jobs to real servers
with fewer active jobs.
 wlc: (Default) Weighted Least-Connection: assigns more
jobs to servers with fewer jobs and relative to the real server's
weight.
 lblc, lblcr, dh, sh, sed, nq. See man page.
o Configure load balancing cluser.

ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -m


ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2
ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -m
ipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m

Command directives:

 -r: Real server.


 -m: Use masquerading also known as network address
translation (NAT)
 -w: Weight is an integer specifying the capacity of a server rela-
tive to the others in the pool. The valid values of weight are 0 through
to 65535. The default is 1.

Links:

• LinuxVirtualServer.org
• iptables - Administration tool for IPv4 packet filtering and NAT
• ipvsadm - Administer the routing table on a Linux Virtual Server.

Managing Web Server Daemons:

To view if these services are running, type ps -aux and look for the httpd, inetd and named
services (daemons). These are background processes necessary to perform the server tasks.

root 681 0.0 0.5 2304 744 ? S Sep09 0:01 named


nobody 28123 0.0 1.1 3036 1420 ? S Oct06 0:00 httpd
nobody 28186 0.0 0.7 3044 896 ? S Oct06 0:00 httpd
root 385 0.0 0.1 1136 232 ? S Sep09 0:00 inetd
A new installation will most likely NOT start the named background process which
may be started manually after configuration.
See the YoLinux Init Process Tutorial for more information.
The inetd (or xinetd) background process is the Internet daemon which starts FTP
when an ftp request is made.

Sys Admin Script:

Script to prepare an account: (Red Hat/Fedora)

#!/bin/sh
# Author Greg Ippolito
# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico mwh-mini_tr.gif etc.
# /opt/bin/ftponly
# You must be root to run this script.
#
if [ $# -eq 0 ]
then
echo "Enter user id as a command argument"
else if [ -r /home/$1 ]
then
echo "User's home directory already exists"
else
echo "1) Create user."
adduser -m $1

echo "2) Set user Password."


passwd $1

echo "3) Add read access to user directory so apache can read it."
cd /home
chmod ugo+rx $1
cd $1

echo "4) Create web directories."


mkdir public_html
chown $1.$1 public_html
chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html
cd public_html
mkdir images
chown $1.$1 images
chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images

# Block potential for unauthenticated logins


cd ../
touch .rhosts
chmod ugo-xrw .rhosts

echo "5) Create default web page"


sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html >
index.html
cp -p /opt/etc/AccountDefaults/favicon.ico .
cp -p /opt/etc/AccountDefaults/default-logo.gif ./images
cp -p /opt/etc/AccountDefaults/robots.txt .
chown $1.$1 index.html favicon.ico robots.txt
chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt
chcon -R -h -t httpd_sys_content_t images/default-logo.gif

echo "6) Edit /etc/passwd file - change user shell to /opt/bin/ftponly"


cp -p /etc/passwd /etc/passwd-`date +%m%d%y`
sed "/^$1/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` >
/etc/passwd

#wu-ftp# Requires: /etc/ftpaccess guestuser restrict-uid


#wu-ftp# echo "7) Add user to /etc/ftpaccess file"
#wu-ftp# cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`
#wu-ftp# sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date
+%m%d%y` > /etc/ftpaccess
#wu-ftp# sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !"
/etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess
#wu-ftp# echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess

echo "7) Add user to vsftpd chroot list


cat `echo $1` >> /etc/vsftpd/vsftpd.chroot_list

echo "8) Setting Disk Quotas to default 50Mb limit:"


# Use user johndoe as a prototype.
edquota -p johndoe $1

echo "9) Admin Follow-up:"


echo " Modify quota.user if different than default"
echo " Make changes to Bind names services on dns1 and dns2 if
necessary"
echo " Change /etc/http/conf/httpd.conf or
echo " add config to /etc/http/conf.d/ if using a new domain name"
echo " Add e-mail aliases to mail server if necessary"
fi
fi

Using Linux iptables or ipchains to set up an


internet gateway / firewall / router for home or
office
Methods of connecting your network to the internet:

• Use Linux ipchains / iptables and IP forwarding to configure Linux as a firewall and
router. This is the method covered in this tutorial.
• The Linux router project has produced a specialized version of Linux just to run
ipchains / iptables and IP masquerading.
See LinuxRouter.org.
• Use SOCKS gateway proxy software running on Linux.
For more information see the SOCKS5/e-Border home page.
• Use a CISCO router - Configuration tutorial. (Note: PIX series are preferred for firewall
use.)

This tutorial will cover using a linux computer as a gateway between a private network and the
internet. Any internet connection whether it be a dial-up PPP, DSL, cable modem or a T1 line
can be used. In the case of most dial-up PPP connections and cable modem connections, only a
single IP address is issued allowing only one computer to connect to the internet at a time. Using
Linux and iptables / ipchains one can configure a gateway which will allow all computers on a
private network to connect to the internet via the gateway and one external IP address, using a
technology called "Network Address Translation" (NAT) or masquerading and private subnets.
Iptables/ipchains can also be configured so that the Linux computer acts as a firewall, providing
protection to the internal network.

Firewall versions vs Linux versions:

Note: References to ipfwadm and ipchains refer to older deprecated software.

Firewall Command Linux Kernel Version Red Hat Version


iptables 2.4.x, 2.6.x 7.1 - 9.0, Fedora 1,2,3
ipchains 2.2.x 6.x, 7.0
ipfwadm 2.0.x 5.x

Note: Red Hat 7.1-9.0 and the default Linux 2.4 kernel may use ipchains or iptables but not both.
Iptables is the preferred firewall as it supports "state" and can recognize if a network connection
has already been "ESTABLISHED" or if the connection is related to the previous connection
(required for ftp which makes multiple connections on different ports). Ipchains can not. Ipchain
rules take precedence over iptables rules. During system boot, the kernel attempts to activate
ipchains, then attempts to activate iptables. If ipchain rules have been activated, the kernel will
not start iptables.

Red Hat 7.1 will not support ipchains unless that option is configured (during install or later). If
during install you select "Disable Firewall - no protection" then ipchains will not be available
and you must rely upon iptables for a manual firewall configuration. (iptables only. ipchains will
be unavailable)

GUI configuration:

• iptables: The GUI configuration tool /usr/bin/redhat-config-securitylevel can


be used to choose a preconfigured firewall (High, Medium or no firewall) or it can be
used to manually configure rules based on the network services your server will offer.
The init script /etc/rc.d/init.d/iptables will use rules stored in
/etc/sysconfig/iptables.
• ipchains: The tool that does this is lokkit (or /usr/bin/gnome-lokkit), which uses
ipchains to configure firewall options for High and Low security options. To support
ipchains after install, run /usr/bin/gnome-lokkit and configure a firewall. It will
configure ipchains to activate the firewall. Lokkit will generate the file
/etc/sysconfig/ipchains. (Used by init script /etc/rc.d/init.d/ipchains which
calls /sbin/ipchains-restore)

To see if ipchains and the Lokkit configuration is invoked during system boot, use the
command:

chkconfig --list | grep ipchains

The default Red Hat 7.1+ Linux 2.4 kernel is compiled to support both iptables and ipchains.
Kernel support for ipchains is available during a kernel configuration and compilation. During
make xconfig or make menuconfig turn on the feature: "IP: Netfilter Configuration" +
"ipchains (2.2-style) support".

Check your installation by using the command: rpm -q iptables ipchains


These packages must be installed. The commands iptables and ipchains are the command
interfaces to configure kernel firewall rules. The default Red Hat 7.1 kernel supports iptables and
ipchains. (But not both at the same time.)

[Potential Pitfall]: When performing an upgrade instead of a new install, the upgrade software
will not install iptables as did not exist on the system previously. It will perform an upgrade to a
newer version of ipchains. If you wish to use iptables, you must manually install the iptables
RPM.
i.e.: rpm -ivh iptables-XXX.i386.rpm

[Potential Pitfall]: The Linux operating system kernel may load or not load what you had
expected. Use the command lsmod to see if ip_tables or ip_chains were loaded.

Switching a running system from ipchains to iptables: (Red Hat 7.1-9.0 - Linux kernel 2.4
specific)

Sequence Command Description


chkconfig --del
1 Remove ipchains from system boot/initialization process
ipchains
chkconfig --add
2 Add iptables to system boot/initialization process
iptables
3 ipchains -F Flush ipchains rules
service ipchains
4 Stop ipchains. Also: /etc/init.d/ipchains stop
stop
Unload ipchains kernel module. Iptables kernel module can
5 rmmod ipchains
not be loaded if the ipchains module is loaded
service iptables Load iptables kernel module. Also: /etc/init.d/iptables
6
start stop

Network Address Translation (NAT):

An individual on a computer on the private network may point their web browser to a site on the
internet. This request is recognized to be beyond the local network so it is routed to the Linux
gateway using the private network address. The request for the web page is sent to the web site
using the external internet IP address of the gateway. The request is returned to the gateway
which then translates the IP address to computer on the private network which made the request.
This is often called IP masquerading. The software interface which enables one to configure the
kernel for masquerading is iptables (Linux kernel 2.4) or ipchains (Linux kernel 2.2)

The gateway computer will need two IP addresses and network connections, one to the private
internal network and another to the external public internet.

A note on private network IP addresses: A set of IP addresses has been reserved by IANA for
private networks. They range from 192.168.0.1 to 192.168.254.254 for a typical small business
or home network and are often referred to as CIDR private network addresses. Most private
networks conform to this scheme.

Default Subnet Number of


Block Range CIDR Notation
Mask hosts
24 bit block in
10.0.0.0 10.255.255.255 10.0.0.0/8 255.0.0.0 16,777,216
class A

20 bit block in
172.16.0.0 172.31.255.255 172.16.0.0/12 255.240.0.0 1,048,576
class B

16 bit block in
192.168.0.0 192.168.255.255 192.168.0.0/16 255.255.0.0 65,536
class C

The actual number of hosts will be fewer that listed because addresses on each subnet will be
reserved as a broadcast address, etc.

This is detailed in RFC 1918 - Address Allocation for Private Internets. For a description of class
A, B, and C networks see the YoLinux Networking Tutorial class description.

The private networks may be subdivided into various subnets as desired. Examples:

Range CIDR Notation Default Subnet Mask Number of hosts


10.2.3.0 10.2.4.255 10.2.3.0/23 255.255.254.0 512
172.16.0.0 172.17.255.255 172.16.0.0/15 255.254.0.0 132608

192.168.5.128 192.168.5.255 192.168.5.128/25 255.255.255.128 128

CertGuide.com: Network Subnets

Example 1: Linux connected via PPP

This example uses a Linux computer connected to the internet using a dial-up line and modem
(PPP). The Linux gateway is connected to the internal network using an ethernet card. The
internal network consists of Windows PC's.

The Linux box must be configured for the private internal network and PPP for the dial-up
connection. See the PPP tutorial to configure the dial-up connection. Use the ifconfig command
to configure the private network. i.e. (as root)

/sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast


192.168.10.255

This is often configured during install or can be configured using the Gnome tool neat (or the
admin tool Linuxconf or netcfg for older Red Hat systems). System changes made with the
ifconfig or route commands are NOT permanent and are lost upon system reboot. Permanent
settings are held in configuration scripts executed during system boot. (i.e.
/etc/sysconfig/...) See the YoLinux Networking tutorial for more information on assigning
network addresses.

Run one of the following scripts on the Linux gateway computer:

iptables:

iptables --flush - Flush all the rules in filter


and nat tables
iptables --table nat --flush
iptables --delete-chain - Delete all chains that are not
in default filter and nat table
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading


iptables --table nat --append POSTROUTING --out-interface ppp0 -j
MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT - Assuming
one NIC to local LAN

echo 1 > /proc/sys/net/ipv4/ip_forward - Enables packet forwarding by


kernel
ipchains:

#!/bin/sh
ipchains -F forward - Flush all previous
rules and settings
ipchains -P forward DENY - Default set to deny
packet forwarding
ipchains -A forward -s 192.168.10.0/24 -j MASQ - Use IP address of
gateway for private network
ipchains -A forward -i ppp0 -j MASQ - Sets up external
internet connection
echo 1 > /proc/sys/net/ipv4/ip_forward - Enables packet
forwarding by kernel

A PPP connection as described by the YoLinux PPP tutorial will create the PPP network
connection as the default route.

Example 2: Linux connected via DSL, Cable, T1

High speed connections to the internet result in an ethernet connection to the gateway. Thus the
gateway is required to possess two ethernet Network Interface Cards (NICs), one for the
connection to the private internal network and another to the public internet. The ethernet cards
are named eth and are numbered uniquely from 0 upward.

Use the ifconfig command to configure both network interfaces.

/sbin/ifconfig eth0 XXX.XXX.XXX.XXX netmask 255.255.255.0 broadcast


XXX.XXX.XXX.255 - Internet
/sbin/ifconfig eth1 192.168.10.101 netmask 255.255.255.0 broadcast
192.168.10.255 - Private LAN

Also see notes on adding a second NIC.

This is often configured during install or can be configured using the Gnome tool neat (or the
admin tool Linuxconf or netcfg for older Red Hat systems). System changes made with the
ifconfig or route commands are NOT permanent and are lost upon system reboot. Permanent
settings are held in configuration scripts executed during system boot. (i.e.
/etc/sysconfig/...) See the YoLinux Networking tutorial for more information on assigning
network addresses.

Run the appropriate script on the linux computer where eth0 is connected to the internet and eth1
is connected to a private LAN:

iptables:

# Delete and flush. Default table is "filter". Others like "nat" must be
explicitly stated.
iptables --flush - Flush all the rules in filter and nat tables
iptables --table nat --flush
iptables --delete-chain - Delete all chains that are not in default
filter and nat table
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading


iptables --table nat --append POSTROUTING --out-interface eth0 -j
MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward - Enables packet


forwarding by kernel

ipchains:

#!/bin/sh
ipchains -F forward - Flush rules
ipchains -P forward DENY - Default set to deny
packet forwarding
ipchains -A forward -s 192.168.10.0/24 -j MASQ - Use IP address of
gateway for private network
ipchains -A forward -i eth1 -j MASQ - Sets up external
internet connection
echo 1 > /proc/sys/net/ipv4/ip_forward

Create a route for internal packets:

route add -net 192.168.10.0 netmask 255.255.255.0 gw XXX.XXX.XXX.XXX


dev eth1
Where XXX.XXX.XXX.XXX is the internet gateway defined by your ISP. For more information on
routing see the YoLinux networking tutorial

Note: While this configuration requires that the Linux gateway computer have two network
cards, if you only have one PCI slot available you may use a card such as the Intel Pro 100 or Pro
1000 Dual Port which has two ethernet connections which reside on a single card. (This is what I
use) Yolinux Hardware tutorial: More on Network interface cards

Intel PCI Dual Pro 100 or Pro 1000 NIC card supports two
physical ethernet connections (eth0, eth1) on one card.
Compliant Standards: IEEE 802.3-LAN, IEEE 802.3U-LAN ,
Plug and Play
Connectivity Technology: Cable - 10Base-T, 100Base-TX
Data Link Protocol: Ethernet, Fast Ethernet
Processor: 82550 - Intel