Uploaded by komasudin; posted 23 November 2014. Description: Debian Lenny setup guide.
Debian Lenny Server Configuration (Konfigurasi Server Debian Lenny)

7 Network Configuration

Give the server a static address by editing /etc/network/interfaces:

vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

Then restart the network:

/etc/init.d/networking restart

Edit /etc/hosts so that the hostname resolves to the static address:

vi /etc/hosts

127.0.0.1       localhost.localdomain   localhost
192.168.0.100   server1.example.com     server1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Then set the hostname:

echo server1.example.com > /etc/hostname
/etc/init.d/hostname.sh start

Afterwards, run

hostname
hostname -f

and check that the second command prints the fully qualified name, server1.example.com.

8 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run

apt-get install ntp ntpdate

and your system time will stay in sync: ntpdate sets the clock once, and the ntp daemon keeps it in step afterwards, which also matters for log timestamps and certificate validity checks.

 

9 Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils

We can install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, and binutils with a single command:

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d sudo

You will be asked the following questions:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1. Be aware that this makes port 3306 reachable from every host that can reach the server; it is only needed when other machines must connect to the database, and the port should then be restricted to those machines with a firewall. If nothing outside this server needs MySQL, leave the line as it is:

vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

Then we restart MySQL:

/etc/init.d/mysql restart

Now check that networking is enabled. Run

netstat -tap | grep mysql

The output should look like this:

server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      7431/mysqld
server1:~#

10 Install Amavisd-new, SpamAssassin, And ClamAV

To install amavisd-new, SpamAssassin, and ClamAV, we run

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

 

11 Install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, And mcrypt

Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt can be installed as follows:

apt-get install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libopenssl-ruby libapache2-mod-ruby

You will see the following question:

Web server to reconfigure automatically: <-- apache2


Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include (plus dav, dav_fs, and auth_digest if you want to use WebDAV):

a2enmod suexec rewrite ssl actions include

a2enmod dav_fs dav auth_digest

Restart Apache afterwards:

/etc/init.d/apache2 restart

 

12 Install PureFTPd And Quota

PureFTPd and quota can be installed with the following command:

apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and change the start mode from inetd to standalone and set VIRTUALCHROOT=true:

[...]
STANDALONE_OR_INETD=standalone
[...]
VIRTUALCHROOT=true
[...]

Edit the file /etc/inetd.conf to prevent inetd from trying to start ftp:

vi /etc/inetd.conf

Comment out the line beginning with ftp stream tcp:

[...]
#:STANDARD: These are standard services.
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/pure-ftpd-wrapper
[...]

Restart inetd afterwards:

/etc/init.d/openbsd-inetd restart

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow both plain FTP and TLS sessions, run the following (with this value clients may still log in in clear text; write 2 instead of 1 to accept TLS sessions only, as described in the PureFTPd TLS chapter later in this document):

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the certificate file; it also contains the unencrypted private key (-nodes), so nobody but root may read it:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/sda1       /               ext3    errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0       1
/dev/sda5       none            swap    sw              0       0
/dev/hda        /media/cdrom0   udf,iso9660 user,noauto 0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /

quotacheck -avugm
quotaon -avug

 

13 Install BIND DNS Server

BIND can be installed as follows:

apt-get install bind9 dnsutils

 

14 Install Vlogger, Webalizer, And AWstats

Vlogger, webalizer, and AWstats can be installed as follows:

apt-get install vlogger webalizer awstats

mkdir -p /usr/share/awstats/tools/
cp -prf /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl /usr/share/awstats/tools/awstats_buildstaticpages.pl

 

15 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!). The tarball is fetched over plain HTTP and then built and installed as root, so compare it against the checksum or signature published by the Jailkit project before running the build:

apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.12.tar.gz
tar xvfz jailkit-2.12.tar.gz
cd jailkit-2.12
./debian/rules binary
cd ..
dpkg -i jailkit_2.12-1_*.deb
rm -rf jailkit-2.12*

 

16 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban

17 Install SquirrelMail

To install the SquirrelMail webmail client, run

apt-get install squirrelmail

Then create the following symlink...

ln -s /usr/share/squirrelmail/ /var/www/webmail

... and configure SquirrelMail:

squirrelmail-configure

We must tell SquirrelMail that we are using Dovecot (the IMAP/POP3 server installed in step 9), not Courier; after choosing it, check under 2. Server Settings that imap_server_type is dovecot before saving:

SquirrelMail Configuration : Read: config.php (1.4.0)

---------------------------------------------------------

Main Menu --

1.  Organization Preferences

2.  Server Settings

3.  Folder Defaults

4.  General Options

5.  Themes

6.  Address Books

7.  Message of the Day (MOTD)

8.  Plugins

9.  Database

10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on

S   Save data

Q   Quit

Command >> <-- D

SquirrelMail Configuration : Read: config.php


---------------------------------------------------------

While we have been building SquirrelMail, we have discovered some

preferences that work better with some servers that don't work so

well with others.  If you select your IMAP server, this option will

set some pre-defined settings for that server.

Please note that you will still need to go through and make sure

everything is correct.  This does not change everything.  There are

only a few settings that this will change.

Please select your IMAP server:

    bincimap    = Binc IMAP server

    courier     = Courier IMAP server

    cyrus       = Cyrus IMAP server

    dovecot     = Dovecot Secure IMAP server

    exchange    = Microsoft Exchange IMAP server

    hmailserver = hMailServer

    macosx      = Mac OS X Mailserver

    mercury32   = Mercury/32

    uw          = University of Washington's IMAP server

    quit        = Do not change anything

Command >> <-- dovecot


              imap_server_type = courier

         default_folder_prefix = INBOX.

                  trash_folder = Trash

                   sent_folder = Sent

                  draft_folder = Drafts

            show_prefix_option = false

          default_sub_of_inbox = false

show_contain_subfolders_option = false

            optional_delimiter = .

                 delete_folder = true

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)

---------------------------------------------------------

Main Menu --

1.  Organization Preferences

2.  Server Settings

3.  Folder Defaults

4.  General Options

5.  Themes

6.  Address Books

7.  Message of the Day (MOTD)

8.  Plugins

9.  Database

10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on

S   Save data

Q   Quit


Command >> <-- S

The main menu is displayed again; leave the configuration tool:

Command >> <-- Q

Afterwards you can access SquirrelMail under http://server1.example.com/webmail or http://192.168.0.100/webmail:


 

18 Install ISPConfig 3

To install ISPConfig 3 from the latest released version, do this (the archive is fetched over plain HTTP, so check it against a checksum or signature from the ISPConfig project before unpacking it as root):

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

The next step is to run

php -q install.php


This will start the ISPConfig 3 installer. The installer will configure all services like Postfix, Dovecot, etc. for you. A manual setup as required for ISPConfig 2 (perfect setup guides) is not necessary.

server1:/tmp/ispconfig3_install/install# php -q install.php

--------------------------------------------------------------------------------

 _____ ___________   _____              __ _         ____

|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \

  | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /

  | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |

 _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \

 \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/

                                              __/ |

                                             |___/

--------------------------------------------------------------------------------

>> Initial configuration

Operating System: Debian Lenny or compatible

    Following will be a few questions for primary configuration so be careful.

    Default values are in [brackets] and can be accepted with <ENTER>.

    Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <--   ENTER

Installation mode (standard,expert) [standard]: <--   ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server1.example.com]: <--   ENTER

MySQL server hostname [localhost]: <--   ENTER

MySQL root username [root]: <--   ENTER

MySQL root password []: <--   yourrootsqlpassword

MySQL database to create [dbispconfig]: <--   ENTER


MySQL charset [utf8]: <--   ENTER

Generating a 2048 bit RSA private key

.............................................................................+++

...............................................+++

writing new private key to 'smtpd.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]: <--   ENTER
State or Province Name (full name) [Some-State]: <--   ENTER
Locality Name (eg, city) []: <--   ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <--   ENTER
Organizational Unit Name (eg, section) []: <--   ENTER
Common Name (eg, YOUR name) []: <--   ENTER
Email Address []: <--   ENTER
Configuring Jailkit

Configuring Dovecot

Configuring Spamassassin

Configuring Amavisd

Configuring Getmail

Configuring Pureftpd

Configuring BIND

Configuring Apache

Configuring Vlogger

Configuring Apps vhost

Configuring Firewall

Installing ISPConfig

ISPConfig Port [8080]: <--   ENTER

Configuring DBServer

Installing ISPConfig crontab

no crontab for root

no crontab for getmail

Restarting services ...

Stopping MySQL database server: mysqld.

Starting MySQL database server: mysqld.


Checking for corrupt, not cleanly closed and upgrade needing tables..

Stopping Postfix Mail Transport Agent: postfix.

Starting Postfix Mail Transport Agent: postfix.

Stopping amavisd: amavisd-new.

Starting amavisd: amavisd-new.

Stopping ClamAV daemon: clamd.

Starting ClamAV daemon: clamd .

Restarting IMAP/POP3 mail server: dovecot.

Restarting web server: apache2 ... waiting .

Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -Y 1 -E -A -D -H -u 1000 -O clf:/var/log/pure-ftpd/transfer.log -b -B

Installation completed.

server1:/tmp/ispconfig3_install/install#

The installer automatically configures all underlying services, so no manual configuration is needed.

Afterwards you can access ISPConfig 3 under http://server1.example.com:8080/ or http://192.168.0.100:8080/. Log in with the username admin and the password admin. Change this password right after the first login: the default credentials are public knowledge, and the login above travels over plain HTTP, so use it only from a trusted network.

The system is now ready to be used.

 

18.1 ISPConfig 3 Manual

In order to learn how to use ISPConfig 3, I strongly recommend to download the ISPConfig 3 Manual.

On nearly 300 pages, it covers the concept behind ISPConfig (admin, resellers, clients), explains how to install and update ISPConfig 3, includes a reference for all forms and form fields in ISPConfig together with examples of valid inputs, and provides tutorials for the most common tasks in ISPConfig 3. It also lines out how to make your server more secure and comes with a troubleshooting section at the end.

 


19 Additional Notes

If the Debian server that you've just set up in this tutorial is an OpenVZ container (virtual machine), you should do this on the host system (I'm assuming that the ID of the OpenVZ container is 101 - replace it with the correct VPSID on your system):

VPSID=101
for CAP in CHOWN DAC_READ_SEARCH SETGID SETUID NET_BIND_SERVICE NET_ADMIN SYS_CHROOT SYS_NICE
do
  vzctl set $VPSID --capability ${CAP}:on --save
done

Each of these capabilities widens what processes inside the container may do (NET_ADMIN, for instance, allows changing the container's network configuration and firewall rules), so grant them only to containers that actually run this stack.

 

20 Links

Debian: http://www.debian.org/
ISPConfig: http://www.ispconfig.org/

How To Configure PureFTPd To Accept TLS Sessions On Debian Lenny

Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com>

Last edited 10/06/2010

FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to configure PureFTPd to accept TLS sessions on a Debian Lenny server.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

You should have a working PureFTPd setup on your Debian Lenny server, e.g. as shown in this tutorial: Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Debian Lenny.

 

2 Installing OpenSSL

PureFTPd's TLS support relies on OpenSSL; to install it, we simply run:

aptitude install openssl

 

3 Configuring PureFTPd

If you want to allow both plain FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

If you want to accept TLS sessions only (no FTP), run

echo 2 > /etc/pure-ftpd/conf/TLS

instead.

To not allow TLS at all (only FTP), either delete /etc/pure-ftpd/conf/TLS or run

echo 0 > /etc/pure-ftpd/conf/TLS

 

4 Creating The SSL Certificate For TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the certificate file; it also contains the unencrypted private key (-nodes), so nobody but root may read it:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS - see the next chapter how to do this with FileZilla.
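The following is an added example and not part of the original tutorials: a small Python client that exercises the two settings discussed in section 12 of the ISPConfig guide and in this chapter. It verifies the server certificate against a pinned copy of the public part of /etc/ssl/private/pure-ftpd.pem (export it with openssl x509 -in pure-ftpd.pem and copy only that to the client; with cafile=None the system CA store is used and a self-signed certificate is rejected), logs in over explicit TLS with an encrypted data channel, and probes whether the server still accepts a login in clear text, which tells you whether TLS is set to 1 or 2. It assumes a PureFTPd that speaks TLS 1.2 or later; against the Lenny-era OpenSSL 0.9.8, which tops out at TLS 1.0, current Python refuses the handshake by default, which is itself a reason not to expose such a server. Host names and accounts are placeholders.

```python
import ssl
from ftplib import FTP, FTP_TLS, error_perm


def pinned_context(cafile=None):
    """Client-side TLS context that verifies the server certificate.

    cafile: PEM file holding the certificate to trust (the public part of the
    server's pure-ftpd.pem for a self-signed setup). Hostname checking stays on,
    so the certificate's CN (or SAN) must be the name you connect to; Python
    falls back to the CN when the certificate has no SAN, as the one created
    above does not."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cleartext_login_accepted(host, user, port=21, timeout=10):
    """Probe whether the server takes logins over an unencrypted control channel.

    Only USER is sent in the clear, never a password. A 331 reply means the
    server is willing to take the password in clear text (PureFTPd with TLS=1);
    a 5xx reply, raised by ftplib as error_perm, means cleartext sessions are
    refused (TLS=2)."""
    with FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        try:
            ftp.sendcmd("USER " + user)
            return True
        except error_perm:
            return False


def tls_login(host, user, password, cafile, port=21, timeout=10):
    """Log in over explicit TLS (what FileZilla calls FTPES) and list the home directory.

    AUTH TLS upgrades the control channel (certificate verification happens
    here); PROT P encrypts the data channel as well, without it directory
    listings and file contents would still travel in the clear."""
    with FTP_TLS(context=pinned_context(cafile)) as ftp:
        ftp.connect(host, port, timeout=timeout)
        ftp.auth()
        ftp.login(user, password)
        ftp.prot_p()
        return ftp.nlst()


if __name__ == "__main__":
    # Placeholder host, account and pinned certificate path (assumptions, not from the page).
    HOST, USER, PASSWORD, CAFILE = "server1.example.com", "ftpuser", "secret", "pure-ftpd.crt"
    print("cleartext login accepted:", cleartext_login_accepted(HOST, USER))
    print("listing over TLS:", tls_login(HOST, USER, PASSWORD, CAFILE))
```

If cleartext_login_accepted() returns True on a server that is supposed to require TLS, the TLS file still contains 1 (or the daemon was not restarted after the change).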


 

5 Configuring FileZilla For TLS

In order to use FTP with TLS, you need an FTP client that supports TLS, such as FileZilla.

In FileZilla, open the Server Manager:

Select the server that uses PureFTPd with TLS; in the Server Type drop-down menu, select FTPES (explicit FTP over TLS) instead of normal FTP:


Now you can connect to the server. If you do this for the first time, you must accept the server's new SSL certificate. Because the certificate is self-signed, FileZilla cannot validate it for you: compare the fingerprint it shows with the one of the file on the server (openssl x509 -noout -fingerprint -sha1 -in /etc/ssl/private/pure-ftpd.pem) before accepting, otherwise a certificate presented by a man in the middle would be accepted just as readily:

If everything goes well, you should now be logged in on the server:

How To Integrate ClamAV (Through mod_clamav) Into ProFTPd For Virus Scanning On Debian Lenny

Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com>

Last edited 10/01/2010

This tutorial explains how you can integrate ClamAV into ProFTPd for virus scanning on a Debian Lenny system. This is achieved through mod_clamav. In the end, whenever a file gets uploaded through ProFTPd, ClamAV will check the file and delete it if it is malware.

I do not issue any guarantee that this will work for you!

 

1 Preliminary NoteYou should have a working ProFTPd setup on your Debian Lenny server.

 

2 Installing ClamAV

ClamAV can be installed as follows:

aptitude install clamav clamav-daemon libclamav-dev

Now we must reconfigure ClamAV so that Clamd uses TCP connections instead of a local Unix socket. It is highly recommended that Unix socket connections are avoided when using the Chroot feature of ProFTPd (DefaultRoot ~). The reason is that if mod_clamav needs to connect to Clamd, the Unix socket is not available in the chroot environment.

Run

dpkg-reconfigure clamav-base

... and answer these questions as follows (accept the default values for all other questions):

Socket type: <-- TCP
TCP port clamd will listen on: <-- 3310
IP address clamd will listen on: <-- 127.0.0.1

Then restart Clamd and freshclam:

/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart

Now run

netstat -tap | grep clamd

... and you should see that Clamd is listening on localhost through TCP:

server1:~# netstat -tap | grep clamd
tcp        0      0 localhost.localdom:3310 *:*                     LISTEN      29430/clamd
server1:~#

 

3 Rebuilding ProFTPd

Unfortunately mod_clamav isn't part of ProFTPd by default, and there's no Debian package for mod_clamav, so we have to rebuild ProFTPd with mod_clamav. I will use the Debian source package of ProFTPd and build new ProFTPd .deb packages with mod_clamav support.

First we install all packages that are needed to rebuild ProFTPd:

aptitude build-dep proftpd

We also need the following package (which doesn't get installed by the previous command for some reason...):

aptitude install libpam-dev

Now we download the ProFTPd source package to /usr/src:

cd /usr/src
apt-get source proftpd

Next we download mod_clamav to /usr/src and unpack it. The --no-check-certificate switch turns off verification of the download site's certificate, so a tampered archive would be accepted silently; compare the tarball against a checksum or signature published by the mod_clamav project before building from it:

wget --no-check-certificate https://secure.thrallingpenguin.com/redmine/attachments/download/1/mod_clamav-0.11rc.tar.gz
tar xzvf mod_clamav-0.11rc.tar.gz

Then we copy the mod_clamav-0.11rc/mod_clamav.* files to the proftpd-dfsg-1.3.1/contrib directory...

cp mod_clamav-0.11rc/mod_clamav.* proftpd-dfsg-1.3.1/contrib

... and patch the ProFTPd sources:

cd proftpd-dfsg-1.3.1
patch -p1 < ../mod_clamav-0.11rc/proftpd.patch
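The three source archives this document has you unpack and build as root (the Jailkit tarball in section 15 and the ISPConfig archive in section 18 of the first guide, and the mod_clamav tarball just above) arrive with no integrity check at all. The following added example, which is not part of the original tutorials or of any of those projects, is the check a practitioner would put in front of tar: it refuses to unpack unless the archive's SHA-256 matches a digest obtained out of band (from the project's release page or signature; no digest is given on this page), and it rejects archive members that would write outside the destination directory or that are links or device nodes. The archives and digests used in demo() are constructed for the demonstration only.

```python
import hashlib
import hmac
import io
import os
import tarfile
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large tarballs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_and_extract(tarball, expected_sha256, dest):
    """Unpack a .tar.gz into dest only if its SHA-256 matches expected_sha256.

    Every member is checked before anything is written: names that would land
    outside dest (../ or absolute paths), links and special files are refused,
    so a hostile archive cannot overwrite files elsewhere on the system.
    Returns the list of member names that were extracted."""
    actual = sha256_file(tarball)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(f"digest mismatch for {tarball}: expected {expected_sha256}, got {actual}")
    dest = os.path.realpath(dest)
    with tarfile.open(tarball, "r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            target = os.path.realpath(os.path.join(dest, m.name))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"refusing member outside {dest}: {m.name}")
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"refusing non-regular member: {m.name}")
        # Python 3.12+ additionally applies its own 'data' filter, which rejects the same tricks.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return [m.name for m in members]


def _write_tarball(path, members):
    """Build a constructed test archive; members maps entry name to bytes content."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Run the check against a clean and a hostile constructed archive; return what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.tar.gz")
        _write_tarball(clean, {"demo-src/README": b"hello\n"})
        results["clean_extracted"] = verify_and_extract(clean, sha256_file(clean), os.path.join(tmp, "out1"))
        results["clean_readme_present"] = os.path.isfile(os.path.join(tmp, "out1", "demo-src", "README"))
        try:
            verify_and_extract(clean, "0" * 64, os.path.join(tmp, "out2"))   # wrong digest
            results["wrong_digest_rejected"] = False
        except ValueError:
            results["wrong_digest_rejected"] = True
        hostile = os.path.join(tmp, "hostile.tar.gz")
        _write_tarball(hostile, {"demo-src/README": b"ok\n", "../escape.txt": b"pwned\n"})
        try:
            verify_and_extract(hostile, sha256_file(hostile), os.path.join(tmp, "out3"))
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
        results["nothing_escaped"] = not os.path.exists(os.path.join(tmp, "escape.txt"))
        results["nothing_partially_extracted"] = not os.path.exists(os.path.join(tmp, "out3"))
    return results


if __name__ == "__main__":
    print(demo())
```

In use, replace demo() with a call such as verify_and_extract("jailkit-2.12.tar.gz", "<digest from the Jailkit site>", ".") before running the build steps; the hostile archive in demo() shows why the member check happens before extraction starts rather than while it runs.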

Next we must edit debian/rules:

vi debian/rules

Search the CONF_ARGS section and add --with-modules=mod_clamav to it:

[...]
CONF_ARGS := --prefix=/usr \
        --with-includes=$(shell pg_config --includedir):$(shell mysql_config --include|sed -e 's/-I//') \
        --mandir=/usr/share/man --sysconfdir=/etc/$(NAME) --localstatedir=/var/run --libexecdir=/usr/lib/$(NAME) \
        --enable-sendfile --enable-facl --enable-dso --enable-autoshadow --enable-ctrls --with-modules=mod_readme \
        --enable-ipv6 --enable-nls --with-modules=mod_clamav
[...]

Note that configure keeps only the last --with-modules option it sees, so written this way mod_readme is dropped from the build (it is indeed missing from the module list shown in section 4 below). To keep both, extend the existing option to --with-modules=mod_readme:mod_clamav instead of adding a second one.

Now we can rebuild ProFTPd:

dpkg-buildpackage


Now we go one directory up, that's where the new .deb packages have been created:

cd ..

The command

ls -l

shows you the available packages:

server1:/usr/src# ls -l
total 5472
drwxr-xr-x  2  501  501    4096 2009-04-20 10:22 mod_clamav-0.11rc
-rw-r--r--  1 root src     5115 2010-10-01 03:28 mod_clamav-0.11rc.tar.gz
-rw-r--r--  1 root src   195066 2010-10-01 03:32 proftpd_1.3.1-17lenny4_all.deb
-rw-r--r--  1 root src   690228 2010-10-01 03:32 proftpd-basic_1.3.1-17lenny4_i386.deb
drwxr-xr-x 13 root root    4096 2010-10-01 03:32 proftpd-dfsg-1.3.1
-rw-r--r--  1 root src   107998 2010-10-01 03:29 proftpd-dfsg_1.3.1-17lenny4.diff.gz
-rw-r--r--  1 root src     1103 2010-10-01 03:29 proftpd-dfsg_1.3.1-17lenny4.dsc
-rw-r--r--  1 root src     3305 2010-10-01 03:32 proftpd-dfsg_1.3.1-17lenny4_i386.changes
-rw-r--r--  1 root src  2662056 2007-10-16 01:02 proftpd-dfsg_1.3.1.orig.tar.gz
-rw-r--r--  1 root src  1255660 2010-10-01 03:32 proftpd-doc_1.3.1-17lenny4_all.deb
-rw-r--r--  1 root src   213004 2010-10-01 03:32 proftpd-mod-ldap_1.3.1-17lenny4_i386.deb
-rw-r--r--  1 root src   203562 2010-10-01 03:32 proftpd-mod-mysql_1.3.1-17lenny4_i386.deb
-rw-r--r--  1 root src   203512 2010-10-01 03:32 proftpd-mod-pgsql_1.3.1-17lenny4_i386.deb
server1:/usr/src#

We can install the new ProFTPd .deb packages as follows:

dpkg -i proftpd*.deb

 

4 Configuring ProFTPd

Now we must configure ProFTPd to use mod_clamav whenever a file is uploaded. Open /etc/proftpd/proftpd.conf...

vi /etc/proftpd/proftpd.conf

... and add the stanza

<IfModule mod_clamav.c>

   ClamAV on

   ClamServer 127.0.0.1

   ClamPort 3310

</IfModule>

somewhere, e.g. below the

<IfModule mod_ctrls_admin.c>

AdminControlsEngine off

</IfModule>

section:

[...]
<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

<IfModule mod_clamav.c>
   ClamAV on
   ClamServer 127.0.0.1
   ClamPort 3310
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
Include /etc/proftpd/sql.conf
[...]

Restart ProFTPd:

/etc/init.d/proftpd restart

Now check if mod_clamav is loaded by running:


proftpd -vv

mod_clamav should be listed in the output:

server1:~# proftpd -vv

 - ProFTPD Version: 1.3.1 (stable)

 -   Scoreboard Version: 01040002

 -   Built: Fri Oct 1 03:31:03 CEST 2010

 -     Module: mod_core.c

 -     Module: mod_xfer.c

 -     Module: mod_auth_unix.c

 -     Module: mod_auth_file/0.8.3

 -     Module: mod_auth.c

 -     Module: mod_ls.c

 -     Module: mod_log.c

 -     Module: mod_site.c

 -     Module: mod_delay/0.6

 -     Module: mod_dso/0.4

 -     Module: mod_auth_pam/1.0.1

 -     Module: mod_clamav.c

 -     Module: mod_cap/1.0

 -     Module: mod_ctrls/0.9.4

 -     Module: mod_lang/0.8

server1:~#

That's it! Now whenever someone tries to upload malware to your server through ProFTPd, the "bad" file(s) will be deleted. You can test that by downloading the Eicar test virus from http://www.eicar.org/anti_virus_test_file.htm; try to upload it to your ProFTPd server, and if all goes well, it should be deleted:
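The following is an added example and not part of the original tutorial or of mod_clamav: it automates the EICAR check described above with Python's ftplib, so the scanner can be re-tested after every ProFTPd or ClamAV update. It assembles the standard EICAR test string in code (so the script itself is not quarantined), uploads it, and reports whether the server either refused the transfer after scanning or accepted and then removed the file; a file that is still present means mod_clamav is not scanning uploads. Plain FTP is used because that is how this section's ProFTPd is set up, so use a throwaway test account: the password travels in clear text. Host name and account are placeholders.

```python
import io
from ftplib import FTP, error_perm

# The EICAR test string, split in two so that this file does not itself trip a
# scanner; joined, it is the standard 68-byte pattern every AV engine detects.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_upload_blocked(host, user, password, remote_name="eicar.com", port=21, timeout=30):
    """Upload the EICAR file and return (blocked, detail) for a ProFTPd server.

    Two outcomes mean the scanner is active: the STOR is refused with a 5xx reply
    once the scan finds the signature (ftplib raises error_perm), or the transfer
    is accepted but the file is gone from the directory afterwards. If the file is
    still there the scanner did not fire; it is deleted so the test leaves nothing
    behind."""
    with FTP() as ftp:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        try:
            ftp.storbinary("STOR " + remote_name, io.BytesIO(EICAR))
        except error_perm as exc:
            return True, f"upload rejected by the server: {exc}"
        try:
            names = ftp.nlst()
        except error_perm:          # some servers answer 550 for an empty directory
            names = []
        if remote_name in names:
            ftp.delete(remote_name)
            return False, "file was stored and kept: mod_clamav is not scanning uploads"
        return True, "file was stored and then removed by the scanner"


if __name__ == "__main__":
    # Placeholder host and throwaway account (assumptions, not from the page).
    blocked, detail = eicar_upload_blocked("server1.example.com", "ftptest", "secret")
    print("blocked" if blocked else "NOT blocked", "-", detail)
```

Run it once right after the proftpd -vv check above and again whenever the ProFTPd packages are rebuilt, since a rebuild without mod_clamav would silently turn scanning off.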


How To Set Up MySQL Database Replication With SSL Encryption On Debian Lenny

Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com>

Last edited 08/18/2010

This tutorial describes how to set up database replication in MySQL using an SSL connection for encryption, so that an attacker who can capture traffic between the master and the slave cannot read the passwords and data exchanged. MySQL replication allows you to have an exact copy of a database from a master server on another server (slave), and all updates to the database on the master server are immediately replicated to the database on the slave server so that both databases are in sync. This is not a backup policy because an accidentally issued DELETE command will also be carried out on the slave; replication can, however, help protect against hardware failures.

I do not issue any guarantee that this will work for you!

 

1 Preliminary NoteIn this tutorial I will show how to replicate the database exampledb from the server server1.example.com (master) with the IP address 192.168.0.100 to the server server2.example.com (slave) with the IP address 192.168.0.101. Both systems are running Debian Lenny; however, the configuration should apply to almost all distributions with little or no modifications. The database exampledb with tables and data is already existing on the master, but not on the slave.

I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root.

 

2 Installing MySQL 5 And Enabling SSL Support

If MySQL 5 isn't already installed on server1 and server2, install it now:

server1/server2:

aptitude install mysql-server mysql-client

You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com / root@server2.example.com, so we don't have to specify a MySQL root password manually later on:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

Now we must check if both MySQL servers support SSL connections. Log into MySQL...

mysql -u root -p

... and run the following command on the MySQL shell:

show variables like '%ssl%';

If the output is as follows (both have_openssl and have_ssl show DISABLED)...

mysql> show variables like '%ssl%';

+---------------+----------+

| Variable_name | Value    |

+---------------+----------+

| have_openssl  | DISABLED |

| have_ssl      | DISABLED |

| ssl_ca        |          |

| ssl_capath    |          |

| ssl_cert      |          |

| ssl_cipher    |          |

| ssl_key       |          |

+---------------+----------+

7 rows in set (0.00 sec)

mysql>

... it means that MySQL was compiled with SSL support, but it's currently not enabled. To enable it, leave the MySQL shell first...

quit;

... and open /etc/mysql/my.cnf:

vi /etc/mysql/my.cnf

Scroll down to the * Security Features section (within the [mysqld] section) and add a line with the word ssl to it:

[...]
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
ssl
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
[...]

Restart MySQL...

/etc/init.d/mysql restart

... and check again if SSL is now enabled:

mysql -u root -p

show variables like '%ssl%';

Output should be as follows which means that SSL is now enabled:

mysql> show variables like '%ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
| ssl_ca        |       |
| ssl_capath    |       |
| ssl_cert      |       |
| ssl_cipher    |       |
| ssl_key       |       |
+---------------+-------+
7 rows in set (0.00 sec)

mysql>

Type...

quit;

... to leave the MySQL shell.

 

3 Configuring The Master

To make sure that the replication can work, we must make MySQL listen on all interfaces on the master (server1), therefore we comment out the line bind-address = 127.0.0.1 in /etc/mysql/my.cnf:

server1:

vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]

Restart MySQL afterwards:

/etc/init.d/mysql restart

Then check with

netstat -tap | grep mysql

that MySQL is really listening on all interfaces on the master:

server1:~# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      3771/mysqld
server1:~#

Now we create the CA, server, and client certificates that we need for the SSL connections. I create these certificates in the directory /etc/mysql/newcerts which I have to create first:

mkdir /etc/mysql/newcerts && cd /etc/mysql/newcerts

Make sure that openssl is installed:

aptitude install openssl

Create CA certificate:

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

Create server certificate:

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem
openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

Create client certificate:

openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem
openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

The output of...

ls -l

... should now look as follows:

server1:/etc/mysql/newcerts# ls -l
total 32
-rw-r--r-- 1 root root 1346 2010-08-18 20:13 ca-cert.pem
-rw-r--r-- 1 root root 1675 2010-08-18 20:13 ca-key.pem
-rw-r--r-- 1 root root 1099 2010-08-18 20:14 client-cert.pem
-rw-r--r-- 1 root root 1675 2010-08-18 20:14 client-key.pem
-rw-r--r-- 1 root root  956 2010-08-18 20:14 client-req.pem
-rw-r--r-- 1 root root 1099 2010-08-18 20:14 server-cert.pem
-rw-r--r-- 1 root root 1679 2010-08-18 20:14 server-key.pem
-rw-r--r-- 1 root root  956 2010-08-18 20:14 server-req.pem
server1:/etc/mysql/newcerts#
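The interactive openssl calls above can be scripted and, more importantly, checked before the files are copied around. The following is an added example (not part of the tutorial): it creates the same CA, server and client files non-interactively, gives the three certificates different Common Names (a server or client certificate with the same CN as the CA is rejected by OpenSSL-linked MySQL builds), and verifies chain, key/certificate match and CN distinctness. The subject names are placeholders; openssl must be installed.

```shell
#!/bin/sh
# Added example, not part of the tutorial: create the CA, server and client
# certificates for the MySQL replication link non-interactively, then verify
# them before they are copied into /etc/mysql/newcerts on both servers.
# Assumptions: openssl is installed; the subject names below are placeholders.
set -e

CA_SUBJ="/CN=mysql-replication-ca"      # placeholder CA name
SERVER_SUBJ="/CN=server1.example.com"    # master hostname used in the tutorial
CLIENT_SUBJ="/CN=server2-replication"    # placeholder client name

# make_mysql_certs DIR: write ca-*.pem, server-*.pem and client-*.pem into DIR.
# The three subjects are deliberately different, and each leaf certificate
# gets its own serial number.
make_mysql_certs() {
    dir=$1
    mkdir -p "$dir"
    (
        cd "$dir"
        openssl genrsa -out ca-key.pem 2048 2>/dev/null
        openssl req -new -x509 -nodes -days 1000 -key ca-key.pem \
            -subj "$CA_SUBJ" -out ca-cert.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -keyout server-key.pem \
            -subj "$SERVER_SUBJ" -out server-req.pem 2>/dev/null
        openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem \
            -CAkey ca-key.pem -set_serial 01 -out server-cert.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -keyout client-key.pem \
            -subj "$CLIENT_SUBJ" -out client-req.pem 2>/dev/null
        openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem \
            -CAkey ca-key.pem -set_serial 02 -out client-cert.pem 2>/dev/null
        # private keys must not be world-readable (the ls -l above shows 644)
        chmod 600 ca-key.pem server-key.pem client-key.pem
    )
}

# cert_cn FILE: print the Common Name of a certificate (works with the
# "subject= /CN=x" and "subject=CN = x" output styles of different openssl versions).
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# verify_mysql_certs DIR: return 0 only when both leaf certificates chain to
# the CA, each private key matches its certificate, and the Common Names of
# CA, server and client all differ. Prints the first problem found.
verify_mysql_certs() {
    dir=$1
    for n in server client; do
        openssl verify -CAfile "$dir/ca-cert.pem" "$dir/$n-cert.pem" >/dev/null 2>&1 \
            || { echo "$n-cert.pem does not chain to ca-cert.pem"; return 1; }
        cert_mod=$(openssl x509 -noout -modulus -in "$dir/$n-cert.pem")
        key_mod=$(openssl rsa -noout -modulus -in "$dir/$n-key.pem" 2>/dev/null)
        [ "$cert_mod" = "$key_mod" ] \
            || { echo "$n-key.pem does not match $n-cert.pem"; return 1; }
    done
    ca_cn=$(cert_cn "$dir/ca-cert.pem")
    srv_cn=$(cert_cn "$dir/server-cert.pem")
    cli_cn=$(cert_cn "$dir/client-cert.pem")
    if [ "$ca_cn" = "$srv_cn" ] || [ "$ca_cn" = "$cli_cn" ] || [ "$srv_cn" = "$cli_cn" ]; then
        echo "CA, server and client certificates must have different Common Names"
        return 1
    fi
    echo "certificates in $dir verified"
}
```

Run `make_mysql_certs /etc/mysql/newcerts && verify_mysql_certs /etc/mysql/newcerts` on server1; the same verify function, pointed at the copied ca-cert.pem and client files, confirms the transfer to server2 was complete.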

We must now transfer ca-cert.pem, client-cert.pem, and client-key.pem to the slave (server2); before we do this, we create the directory /etc/mysql/newcerts on server2:

server2:

mkdir /etc/mysql/newcerts

Back on server1, we can transfer the three files to server2 as follows:

server1:

scp /etc/mysql/newcerts/ca-cert.pem [email protected]:/etc/mysql/newcerts

scp /etc/mysql/newcerts/client-cert.pem [email protected]:/etc/mysql/newcerts

scp /etc/mysql/newcerts/client-key.pem [email protected]:/etc/mysql/newcerts

Next, open /etc/mysql/my.cnf...

vi /etc/mysql/my.cnf

... and modify the * Security Features section; uncomment the ssl-ca, ssl-cert, and ssl-key lines and fill in the correct values:

[...]
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
ssl
ssl-ca=/etc/mysql/newcerts/ca-cert.pem
ssl-cert=/etc/mysql/newcerts/server-cert.pem
ssl-key=/etc/mysql/newcerts/server-key.pem
[...]

Restart MySQL:

/etc/init.d/mysql restart

Now we set up a replication user slave_user that can be used by server2 to access the MySQL database on server1:

mysql -u root -p

On the MySQL shell, run the following commands:

GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'%' IDENTIFIED BY 'slave_password' REQUIRE SSL;

The REQUIRE SSL string is optional; if you leave it out, slave_user will be allowed to connect through encrypted and also unencrypted connections. If you use REQUIRE SSL, then only encrypted connections are allowed.

(If you've already set up a replication user, and now want to modify it so that it can only connect through SSL, you can modify the user as follows:

GRANT USAGE ON *.* TO 'slave_user'@'%' REQUIRE SSL;

)

FLUSH PRIVILEGES;
quit;

Furthermore we have to tell MySQL for which database it should write binary logs (these logs are used by the slave to see what has changed on the master), which log file it should use, and we have to specify that this MySQL server is the master. We want to replicate the database exampledb, so we add/enable the following lines in /etc/mysql/my.cnf (in the [mysqld] section):

vi /etc/mysql/my.cnf

[...]
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
server-id = 1
log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
binlog_do_db = exampledb
[...]

Then restart MySQL:

/etc/init.d/mysql restart

Next we lock the exampledb database on server1, find out about the master status of server1, create an SQL dump of exampledb (that we will import into exampledb on server2 so that both databases contain the same data), and unlock the database so that it can be used again:

mysql -u root -p

On the MySQL shell, run the following commands:

USE exampledb;
FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;

The last command should show something like this (please write it down, we'll need it later on):

mysql> SHOW MASTER STATUS;
+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| mysql-bin.000001 |       98 | exampledb    |                  |
+------------------+----------+--------------+------------------+
1 row in set (0.00 sec)

mysql>

Now don't leave the MySQL shell: leaving it would release the database lock, and we need the lock held while we create the database dump. While the MySQL shell is still open, we open a second command line window where we create the SQL dump snapshot.sql and transfer it to server2 (using scp; again, make sure that the root account is enabled on server2):

server1:

cd /tmp
mysqldump -u root -pyourrootsqlpassword --opt exampledb > snapshot.sql
scp snapshot.sql [email protected]:/tmp

Afterwards, you can close the second command line window. On the first command line window, we can now unlock the database and leave the MySQL shell:

server1:

UNLOCK TABLES;
quit;

4 Configuring The Slave

Now we must configure the slave. Open /etc/mysql/my.cnf and make sure you have the following settings in the [mysqld] section:

server2:

vi /etc/mysql/my.cnf

[...]
server-id=2
master-connect-retry=60
replicate-do-db=exampledb
[...]

The value of server-id must be unique and thus different from the one on the master!

Restart MySQL afterwards:


/etc/init.d/mysql restart

Before we start setting up the replication, we create an empty database exampledb on server2:

mysql -u root -p

CREATE DATABASE exampledb;
quit;

On server2, we can now import the SQL dump snapshot.sql like this:

/usr/bin/mysqladmin --user=root --password=yourrootsqlpassword stop-slave
cd /tmp
mysql -u root -pyourrootsqlpassword exampledb < snapshot.sql

Now connect to MySQL again...

mysql -u root -p

... and run the following command to make server2 a slave of server1 (it is important that you replace the values in the following command with the values you got from the SHOW MASTER STATUS; command that we ran on server1!):

CHANGE MASTER TO
  MASTER_HOST='192.168.0.100',
  MASTER_USER='slave_user',
  MASTER_PASSWORD='slave_password',
  MASTER_LOG_FILE='mysql-bin.000001',
  MASTER_LOG_POS=98,
  MASTER_SSL=1,
  MASTER_SSL_CA='/etc/mysql/newcerts/ca-cert.pem',
  MASTER_SSL_CERT='/etc/mysql/newcerts/client-cert.pem',
  MASTER_SSL_KEY='/etc/mysql/newcerts/client-key.pem';

MASTER_HOST is the IP address or hostname of the master (in this example it is 192.168.0.100).

MASTER_USER is the user we granted replication privileges on the master. MASTER_PASSWORD is the password of MASTER_USER on the master. MASTER_LOG_FILE is the file MySQL gave back when you ran SHOW MASTER STATUS; on the master. MASTER_LOG_POS is the position MySQL gave back when you ran SHOW MASTER STATUS; on the master. MASTER_SSL makes the slave use an SSL connection to the master.

MASTER_SSL_CA is the path to the ca-cert.pem file on the slave. MASTER_SSL_CERT is the path to the client-cert.pem file on the slave. MASTER_SSL_KEY is the path to the client-key.pem file on the slave.

Finally start the slave:

START SLAVE;

Then check the slave status:

SHOW SLAVE STATUS \G

It is important that both Slave_IO_Running and Slave_SQL_Running have the value Yes in the output (otherwise something went wrong, and you should check your setup again and take a look at /var/log/syslog to find out about any errors); as you're using an SSL connection now, you should also find values in the fields Master_SSL_Allowed, Master_SSL_CA_File, Master_SSL_Cert, and Master_SSL_Key:

mysql> SHOW SLAVE STATUS \G
*************************** 1. row ***************************
             Slave_IO_State: Waiting for master to send event
                Master_Host: 192.168.0.100
                Master_User: slave_user
                Master_Port: 3306
              Connect_Retry: 60
            Master_Log_File: mysql-bin.000001
        Read_Master_Log_Pos: 98
             Relay_Log_File: mysqld-relay-bin.000002
              Relay_Log_Pos: 235
      Relay_Master_Log_File: mysql-bin.000001
           Slave_IO_Running: Yes
          Slave_SQL_Running: Yes
            Replicate_Do_DB: exampledb
        Replicate_Ignore_DB:
         Replicate_Do_Table:
     Replicate_Ignore_Table:
    Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
                 Last_Errno: 0
                 Last_Error:
               Skip_Counter: 0
        Exec_Master_Log_Pos: 98
            Relay_Log_Space: 235
            Until_Condition: None
             Until_Log_File:
              Until_Log_Pos: 0
         Master_SSL_Allowed: Yes
         Master_SSL_CA_File: /etc/mysql/newcerts/ca-cert.pem
         Master_SSL_CA_Path:
            Master_SSL_Cert: /etc/mysql/newcerts/client-cert.pem
          Master_SSL_Cipher:
             Master_SSL_Key: /etc/mysql/newcerts/client-key.pem
      Seconds_Behind_Master: 0
1 row in set (0.00 sec)

mysql>

Afterwards, you can leave the MySQL shell on server2:

quit;

That's it! Now whenever exampledb is updated on the master, all changes will be replicated to exampledb on the slave. Test it!
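The one-off look at SHOW SLAVE STATUS \G above is easy to turn into a repeatable check, so that a slave whose SQL thread has stopped, or which reconnected without SSL, is noticed. The following is an added example, not part of the tutorial: it parses \G-style output on stdin and fails unless both threads run, Last_Error is empty, the lag stays under a threshold and Master_SSL_Allowed is Yes. The MAX_LAG threshold and the two embedded sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the tutorial: evaluate "SHOW SLAVE STATUS \G"
# output the way a monitoring job on server2 would.
# Assumptions: MAX_LAG (seconds) is a threshold chosen here; a real run is
#   mysql -u root -p -e 'SHOW SLAVE STATUS \G' | check_slave_status

MAX_LAG=${MAX_LAG:-60}

# slave_field NAME: print the value of field NAME from \G output read on stdin.
slave_field() {
    awk -v f="$1:" '$1 == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# check_slave_status: read \G output on stdin, print one line per problem,
# return 0 only when replication is running, error-free, current and encrypted.
check_slave_status() {
    status=$(cat)
    rc=0
    for f in Slave_IO_Running Slave_SQL_Running Master_SSL_Allowed; do
        v=$(printf '%s\n' "$status" | slave_field "$f")
        if [ "$v" != "Yes" ]; then
            echo "$f is '${v:-missing}', expected Yes"
            rc=1
        fi
    done
    err=$(printf '%s\n' "$status" | slave_field Last_Error)
    if [ -n "$err" ]; then
        echo "Last_Error: $err"
        rc=1
    fi
    lag=$(printf '%s\n' "$status" | slave_field Seconds_Behind_Master)
    case $lag in
        NULL|'')
            # NULL means the SQL thread is not running (or this is not slave status output)
            echo "Seconds_Behind_Master is NULL"
            rc=1 ;;
        *)
            if [ "$lag" -gt "$MAX_LAG" ]; then
                echo "replication lag ${lag}s exceeds ${MAX_LAG}s"
                rc=1
            fi ;;
    esac
    return $rc
}

# Constructed sample (trimmed), matching the healthy output shown above.
HEALTHY='*************************** 1. row ***************************
             Slave_IO_State: Waiting for master to send event
                Master_Host: 192.168.0.100
           Slave_IO_Running: Yes
          Slave_SQL_Running: Yes
                 Last_Error:
         Master_SSL_Allowed: Yes
      Seconds_Behind_Master: 0'

# Constructed sample of a slave whose SQL thread died and which is connected without SSL.
BROKEN='*************************** 1. row ***************************
           Slave_IO_Running: Yes
          Slave_SQL_Running: No
                 Last_Error: constructed error text
         Master_SSL_Allowed: No
      Seconds_Behind_Master: NULL'

printf '%s\n' "$HEALTHY" | check_slave_status && echo "healthy sample: OK"
printf '%s\n' "$BROKEN" | check_slave_status || echo "broken sample: problems found"
```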

Installing A Multiserver Setup With Dedicated Web, Email, DNS And MySQL Database Servers On Debian 5.0 With ISPConfig 3

1 Installing The Five Debian Base Systems

In this setup there will be one master server (which runs the web server and ISPConfig control panel interface) and four slave servers for database, email and DNS.

To install the clustered setup, we need five servers (or virtual servers) with a Debian 5.0 minimal install. The base setup is described in the following tutorial in the steps 1 - 6:

http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3

Install only steps 1 - 6 of the perfect server tutorial and not the other steps as they differ for a clustered setup!

In my example I use the following hostnames and IP addresses for the five servers:

Web Server
Hostname: web.example.tld
IP address: 192.168.0.105

Mail Server
Hostname: mail.example.tld
IP address: 192.168.0.106

DB Server
Hostname: db.example.tld
IP address: 192.168.0.107

DNS Server (primary)
Hostname: ns1.example.tld
IP address: 192.168.0.108

DNS Server (secondary)
Hostname: ns2.example.tld
IP address: 192.168.0.109

Wherever these hostnames or IP addresses occur in the next installation steps you will have to change them to match the IPs and hostnames of your servers.

 

2 Installing The Web Server


Edit the hosts file and add the IP addresses and hostnames for all servers. The hostnames and IP addresses have to be adjusted to match your setup.

vi /etc/hosts

127.0.0.1 localhost
192.168.0.105 web.example.tld
192.168.0.106 mail.example.tld
192.168.0.107 db.example.tld
192.168.0.108 ns1.example.tld
192.168.0.109 ns2.example.tld

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Set the hostname of the server:

echo web.example.tld > /etc/hostname
/etc/init.d/hostname.sh start

Edit the sources.list file...

vi /etc/apt/sources.list

... and ensure that it contains the following line to enable the volatile repository.

deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free

Run...

apt-get update

... to update the apt package database; then run...

apt-get upgrade

... to install the latest updates (if there are any).

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run...

apt-get -y install ntp ntpdate

... and your system time will always be in sync.

Install the MySQL server. A MySQL server instance is necessary on every server as ISPConfig uses it to sync the configuration between the servers.

apt-get -y install mysql-client mysql-server

Enter the new password for MySQL when requested by the installer.

We want MySQL to listen on all interfaces on the master server, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]

Then restart MySQL:

/etc/init.d/mysql restart

Now install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt as follows:

apt-get -y install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libopenssl-ruby libapache2-mod-ruby sudo

You will see the following question:

Web server to reconfigure automatically: <-- apache2

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, include, ruby, dav_fs, dav, and auth_digest:

a2enmod suexec rewrite ssl actions include ruby dav_fs dav auth_digest

PureFTPd and quota can be installed with the following command:

apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit /etc/fstab. Mine looks like this (I added ,usrquota,grpquota to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/sda1       /               ext3    errors=remount-ro,usrquota,grpquota 0       1
/dev/sda5       none            swap    sw              0       0
/dev/hda        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /

quotacheck -avugm
quotaon -avug

Install vlogger, webalizer, and awstats:

apt-get -y install vlogger webalizer awstats

Install Jailkit: Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

apt-get -y install build-essential autoconf automake1.9 libtool flex bison

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
tar xvfz jailkit-2.11.tar.gz
cd jailkit-2.11
./configure
make
make install
cd ..
rm -rf jailkit-2.11*

Install fail2ban: This is optional but recommended, because the ISPConfig monitor tries to show the log:


apt-get install fail2ban

Next we will install ISPConfig 3. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/

This server is the master server in our setup which runs the ISPConfig control panel interface. To allow the other MySQL instances to connect to the MySQL database on this node during installation, we have to add MySQL root user records in the master database for every slave server hostname and IP address. The easiest way to do this is to use the web based phpmyadmin administration tool that we installed already. Open the URL http://192.168.0.105/phpmyadmin in a web browser, log in as MySQL root user and execute these MySQL queries:

CREATE USER 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

CREATE USER 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

CREATE USER 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

CREATE USER 'root'@'192.168.0.109' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'192.168.0.109' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

CREATE USER 'root'@'mail.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'mail.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

CREATE USER 'root'@'db.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'db.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

CREATE USER 'root'@'ns1.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'ns1.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

CREATE USER 'root'@'ns2.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'ns2.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;

In the above SQL commands, replace the IP addresses (192.168.0.106 - 192.168.0.109) with the IP addresses of your servers, replace mail.example.tld, db.example.tld, ns1.example.tld and ns2.example.tld with the hostnames of your servers, and replace myrootpassword with the desired root password.

Click on the reload permissions button or restart MySQL. Then close phpmyadmin.

Go back to the shell of server1.example.tld and download the latest ISPConfig 3 stable release:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

Then start the install script:

php -q install.php

Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server2.domain.tld [web.example.tld]: <-- web.example.tld
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- n
Configure Mail (y,n) [y]: <-- n
Configure Jailkit (y,n) [y]: <-- y
Configure FTP Server (y,n) [y]: <-- y
Configure DNS Server (y,n) [y]: <-- n
Configure Apache Server (y,n) [y]: <-- y
Configure Firewall Server (y,n) [y]: <-- y
Install ISPConfig Web-Interface (y,n) [y]: <-- y
ISPConfig Port [8080]: <-- 8080

Clean up the install directories:

rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz

3 Installing The Mail Server

Edit the hosts file and add the IP addresses and hostnames for all servers. The hostnames and IP addresses have to be adjusted to match your setup.

vi /etc/hosts

127.0.0.1 localhost
192.168.0.105 web.example.tld
192.168.0.106 mail.example.tld
192.168.0.107 db.example.tld
192.168.0.108 ns1.example.tld
192.168.0.109 ns2.example.tld

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Set the hostname of the server:

echo mail.example.tld > /etc/hostname
echo mail.example.tld > /etc/mailname
/etc/init.d/hostname.sh start

Edit the sources.list file...

vi /etc/apt/sources.list

... and ensure that it contains the following line to enable the volatile repository.

deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free

Run...

apt-get update

... to update the apt package database; then run...

apt-get upgrade

... to install the latest updates (if there are any).

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run...

apt-get -y install ntp ntpdate

... and your system time will always be in sync.

Install postfix, dovecot and MySQL with one single command:

apt-get -y install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d

Enter the new password for MySQL when requested by the installer and answer the next questions as described below:

Create directories for web-based administration ? <-- No
General type of configuration? <-- Internet site
Mail name? <-- mail.mydomain.tld
SSL certificate required <-- Ok

To install amavisd-new, SpamAssassin, and ClamAV, we run:

apt-get -y install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

Then install the command-line version of PHP to be able to run PHP-based shell scripts for ISPConfig:

apt-get -y install php5-cli php5-mysql php5-mcrypt mcrypt

Install fail2ban: This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban

Now I will install ISPConfig 3 on this server. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/

Download the latest ISPConfig 3 stable release:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

Then start the install script:

php -q install.php

Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [mail.example.tld]: <-- mail.example.tld
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y
MySQL master server hostname []: <-- web.example.tld
MySQL master server root username [root]: <-- root
MySQL master server root password []: <-- Enter the root password of the master server here
MySQL master server database name [dbispconfig]: <-- dbispconfig
Configure Mail (y,n) [y]: <-- y

Country Name (2 letter code) [AU]: <-- DE (Enter the ISO country code where you live here)
State or Province Name (full name) [Some-State]: <-- Niedersachsen (Enter the state where you live here)
Locality Name (eg, city) []: <-- Lueneburg (Enter the city here)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, YOUR name) []: <-- ENTER
Email Address []: <-- ENTER

Configure Jailkit (y,n) [y]: <-- n
Configure FTP Server (y,n) [y]: <-- n
Configure DNS Server (y,n) [y]: <-- n
Configure Apache Server (y,n) [y]: <-- n
Configure Firewall Server (y,n) [y]: <-- y
Install ISPConfig Web-Interface (y,n) [y]: <-- n

Run...

rm -f /var/www/ispconfig

... to remove the ISPConfig interface link in the /var/www directory.

Clean up the install directories:

rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz

 

4 Installing The MySQL Database Server

Edit the hosts file and add the IP addresses and hostnames for all servers. The hostnames and IP addresses have to be adjusted to match your setup.

vi /etc/hosts

127.0.0.1 localhost
192.168.0.105 web.example.tld
192.168.0.106 mail.example.tld
192.168.0.107 db.example.tld
192.168.0.108 ns1.example.tld
192.168.0.109 ns2.example.tld

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Set the hostname of the server:

echo db.example.tld > /etc/hostname
/etc/init.d/hostname.sh start

Edit the sources.list file...


vi /etc/apt/sources.list

... and ensure that it contains the following line to enable the volatile repository.

deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free

Run...

apt-get update

... to update the apt package database; then run...

apt-get upgrade

... to install the latest updates (if there are any).

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run...

apt-get -y install ntp ntpdate

... and your system time will always be in sync.

Install MySQL client and server:

apt-get -y install mysql-client mysql-server

Enter the new password for MySQL when requested by the installer.

We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address = 127.0.0.1
[...]

Then restart MySQL:

/etc/init.d/mysql restart

Then install the command-line version of PHP to be able to run PHP-based shell scripts for ISPConfig:

apt-get -y install php5-cli php5-mysql php5-mcrypt mcrypt

Install fail2ban: This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban

Next install ISPConfig 3 on this server. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/

Download the latest ISPConfig 3 stable release:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

Then start the install script:


php -q install.php

Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [db.example.tld]: <-- db.example.tld
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y
MySQL master server hostname []: <-- web.example.tld
MySQL master server root username [root]: <-- root
MySQL master server root password []: <-- Enter the root password of the master server here
MySQL master server database name [dbispconfig]: <-- dbispconfig
Configure Mail (y,n) [y]: <-- n
Configure Jailkit (y,n) [y]: <-- n
Configure FTP Server (y,n) [y]: <-- n
Configure DNS Server (y,n) [y]: <-- n
Configure Apache Server (y,n) [y]: <-- n
Configure Firewall Server (y,n) [y]: <-- y
Install ISPConfig Web-Interface (y,n) [y]: <-- n

Run...

rm -f /var/www/ispconfig

... to remove the ISPConfig interface link in the /var/www directory.

Clean up the install directories:

rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz

5 Installing The Primary DNS Server

Edit the hosts file and add the IP addresses and hostnames for all servers. The hostnames and IP addresses have to be adjusted to match your setup.

vi /etc/hosts

127.0.0.1 localhost
192.168.0.105 web.example.tld
192.168.0.106 mail.example.tld
192.168.0.107 db.example.tld
192.168.0.108 ns1.example.tld
192.168.0.109 ns2.example.tld

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Set the hostname of the server:

echo ns1.example.tld > /etc/hostname
/etc/init.d/hostname.sh start

Edit the sources.list file...

vi /etc/apt/sources.list

... and ensure that it contains the following line to enable the volatile repository.

deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free

Run...

apt-get update

... to update the apt package database; then run...

apt-get upgrade

... to install the latest updates (if there are any).

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run...

apt-get -y install ntp ntpdate

... and your system time will always be in sync.

Install MySQL client and server:

apt-get -y install mysql-client mysql-server

Enter the new password for MySQL when requested by the installer.

Then install the command-line version of PHP to be able to run PHP-based shell scripts for ISPConfig:

apt-get -y install php5-cli php5-mysql php5-mcrypt mcrypt

Install BIND DNS Server:

apt-get -y install bind9 dnsutils

Next install ISPConfig 3 on the dns server. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/


Download the latest ISPConfig 3 stable release:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

Then start the install script:

php -q install.php

Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server2.domain.tld [ns1.example.tld]: <-- ns1.example.tld
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y
MySQL master server hostname []: <-- web.example.tld
MySQL master server root username [root]: <-- root
MySQL master server root password []: <-- Enter the root password of the master server here
MySQL master server database name [dbispconfig]: <-- dbispconfig
Configure Mail (y,n) [y]: <-- n
Configure Jailkit (y,n) [y]: <-- n
Configure FTP Server (y,n) [y]: <-- n
Configure DNS Server (y,n) [y]: <-- y
Configure Apache Server (y,n) [y]: <-- n
Configure Firewall Server (y,n) [y]: <-- y
Install ISPConfig Web-Interface (y,n) [y]: <-- n

Run...

rm -f /var/www/ispconfig

... to remove the ISPConfig interface link in the /var/www directory.


Clean up the install directories:

rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz

 

6 Installing The Secondary DNS Server

Edit the hosts file and add the IP addresses and hostnames for all servers. The hostnames and IP addresses have to be adjusted to match your setup.

vi /etc/hosts

127.0.0.1 localhost

192.168.0.105 web.example.tld

192.168.0.106 mail.example.tld

192.168.0.107 db.example.tld

192.168.0.108 ns1.example.tld

192.168.0.109 ns2.example.tld

# The following lines are desirable for IPv6 capable hosts

::1 localhost ip6-localhost ip6-loopback

fe00::0 ip6-localnet

ff00::0 ip6-mcastprefix

ff02::1 ip6-allnodes

ff02::2 ip6-allrouters

ff02::3 ip6-allhosts

Set the hostname of the server:


echo ns2.example.tld > /etc/hostname
/etc/init.d/hostname.sh start
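The hosts-file and hostname steps in sections 5 and 6 are identical on every node of the multiserver setup, so here is an added example in POSIX sh (my code, not part of the original guide and not ISPConfig's own tooling) that carries them out idempotently: an entry is only appended when the name is missing, an existing entry that maps the name to a different address is reported instead of being duplicated, and the hostname file is only written when the name resolves through the hosts file, which is what the later hostname -f check relies on. File paths are parameters (on a real node they would be /etc/hosts and /etc/hostname); the addresses are the ones used in the guide and are assumed to match your network.

```shell
#!/bin/sh
# Added example, not from the guide: idempotent /etc/hosts and /etc/hostname setup.

# hosts_lookup FILE NAME -> prints the address NAME is mapped to, or nothing.
hosts_lookup() {
    awk -v h="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
    ' "$1"
}

# ensure_hosts_entry FILE IP NAME
# Appends "IP NAME" unless NAME is already present. A conflicting mapping is
# reported on stderr and returns 1 rather than being added as a duplicate.
ensure_hosts_entry() {
    file=$1 ip=$2 name=$3
    [ -f "$file" ] || : > "$file"
    existing=$(hosts_lookup "$file" "$name")
    if [ -n "$existing" ]; then
        [ "$existing" = "$ip" ] && return 0
        echo "conflict: $name already maps to $existing, not $ip" >&2
        return 1
    fi
    printf '%s %s\n' "$ip" "$name" >> "$file"
}

# populate_hosts FILE
# The multiserver entries from the guide (assumed addresses; adjust to your setup).
populate_hosts() {
    hosts=$1
    ensure_hosts_entry "$hosts" 127.0.0.1 localhost || return 1
    for entry in \
        "192.168.0.105 web.example.tld" \
        "192.168.0.106 mail.example.tld" \
        "192.168.0.107 db.example.tld" \
        "192.168.0.108 ns1.example.tld" \
        "192.168.0.109 ns2.example.tld"
    do
        set -- $entry
        ensure_hosts_entry "$hosts" "$1" "$2" || return 1
    done
}

# set_node_hostname HOSTS_FILE HOSTNAME_FILE FQDN
# Writes FQDN to HOSTNAME_FILE only if HOSTS_FILE can resolve it, so that
# "hostname -f" works after /etc/init.d/hostname.sh start.
set_node_hostname() {
    if [ -z "$(hosts_lookup "$1" "$3")" ]; then
        echo "refusing: $3 has no entry in $1" >&2
        return 1
    fi
    printf '%s\n' "$3" > "$2"
}

# Typical use on the secondary DNS server (real paths assumed):
#   populate_hosts /etc/hosts
#   set_node_hostname /etc/hosts /etc/hostname ns2.example.tld
#   /etc/init.d/hostname.sh start
```

Running populate_hosts a second time is a no-op, which matters when the same bootstrap script is replayed on a rebuilt node; a name that already points somewhere else is the one case that needs a human decision, so it is refused rather than guessed.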

Edit the sources.list file...

vi /etc/apt/sources.list

... and ensure that it contains the following line to enable the volatile repository.

deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free

Run...

apt-get update

... to update the apt package database; then run...

apt-get upgrade

... to install the latest updates (if there are any).

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run...

apt-get -y install ntp ntpdate

... and your system time will always be in sync.

Install MySQL client and server:

apt-get -y install mysql-client mysql-server

Enter the new password for MySQL when requested by the installer.

Then install the command-line version of PHP so that the PHP-based shell scripts used by ISPConfig can run:


apt-get -y install php5-cli php5-mysql php5-mcrypt mcrypt

Install BIND DNS Server:

apt-get -y install bind9 dnsutils

Next install ISPConfig 3 on the dns server. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/

Download the latest ISPConfig 3 stable release:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

Then start the install script:

php -q install.php

Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server2.domain.tld [ns2.example.tld]: <-- ns2.example.tld
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- y
MySQL master server hostname []: <-- web.example.tld
MySQL master server root username [root]: <-- root
MySQL master server root password []: <-- Enter the root password of the master server here
MySQL master server database name [dbispconfig]: <-- dbispconfig
Configure Mail (y,n) [y]: <-- n
Configure Jailkit (y,n) [y]: <-- n
Configure FTP Server (y,n) [y]: <-- n
Configure DNS Server (y,n) [y]: <-- y
Configure Apache Server (y,n) [y]: <-- n
Configure Firewall Server (y,n) [y]: <-- y
Install ISPConfig Web-Interface (y,n) [y]: <-- n

Run...

rm -f /var/www/ispconfig

... to remove the ISPConfig interface link in the /var/www directory.

Clean up the install directories:

rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz

 

7 Adjust The Server Settings In ISPConfig

Log into ISPConfig on the master server with a web browser:

http://192.168.0.105:8080

Click on System > Server services > web.example.tld, disable all checkboxes except for the Webserver and Fileserver checkboxes, and click on Save.

Click on System > Server services > mail.example.tld, disable all checkboxes except for the Mailserver checkbox, and click on Save.

Click on System > Server services > db.example.tld, disable all checkboxes except for the DB-Server checkbox, and click on Save.

Click on System > Server services > ns1.example.tld, disable all checkboxes except for the DNS-Server checkbox, and click on Save.

Click on System > Server services > ns2.example.tld, disable all checkboxes except for the DNS-Server checkbox, select ns1.example.com in the Is mirror of Server selectbox, and click on Save.

 

8 Links


Caching With Apache's mod_cache On Debian Lenny

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 04/21/2010

This article explains how you can cache your web site contents with Apache's mod_cache on Debian Lenny. If you have a high-traffic dynamic web site that generates lots of database queries on each request, you can decrease the server load dramatically by caching your content for a few minutes or more (that depends on how often you update your content).

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I'm assuming that you have a working Apache2 setup (Apache 2.2.x - prior to that version, mod_cache is considered experimental) from the Debian repositories - the Apache version in the Debian Lenny repositories is 2.2.9 so you should be good to go.

I'm using the document root /var/www here for my test vhost - you must adjust this if your document root differs.

 

2 Enabling mod_cache

mod_cache has two submodules that manage the cache storage, mod_disk_cache (for storing contents on the hard drive) and mod_mem_cache (for storing contents in memory, which is faster than disk caching). Decide which one you want to use and continue either with chapter 2.1 (mod_disk_cache) or 2.2 (mod_mem_cache).

 

2.1 mod_disk_cache

The mod_disk_cache configuration is stored in /etc/apache2/mods-available/disk_cache.conf, so let's edit that one:

vi /etc/apache2/mods-available/disk_cache.conf

Make sure you uncomment the CacheEnable disk / line, so that the minimal configuration looks as follows:


<IfModule mod_disk_cache.c>
# cache cleaning is done by htcacheclean, which can be configured in
# /etc/default/apache2
#
# For further information, see the comments in that file,
# /usr/share/doc/apache2.2-common/README.Debian, and the htcacheclean(8)
# man page.

# This path must be the same as the one in /etc/default/apache2
CacheRoot /var/cache/apache2/mod_disk_cache

# This will also cache local documents. It usually makes more sense to
# put this into the configuration for just one virtual host.
CacheEnable disk /

CacheDirLevels 5
CacheDirLength 3
</IfModule>

You can find explanations for these configuration options and further configuration options on http://httpd.apache.org/docs/2.2/mod/mod_disk_cache.html.

Now we can enable mod_cache and mod_disk_cache:

a2enmod cache
a2enmod disk_cache

/etc/init.d/apache2 restart

To make sure that our cache directory /var/cache/apache2/mod_disk_cache doesn't fill up over time, we have to clean it with the htcacheclean command. That command is part of the apache2-utils package which we install as follows:

aptitude install apache2-utils

Afterwards, we can start htcacheclean as a daemon like this:


htcacheclean -d30 -n -t -p /var/cache/apache2/mod_disk_cache -l 100M -i

This will clean our cache directory every 30 minutes and make sure that it will not get bigger than 100MB. To learn more about htcacheclean, take a look at

man htcacheclean

Of course, you don't want to start htcacheclean manually each time you reboot the server - therefore we edit /etc/rc.local...

vi /etc/rc.local

... and add the following line to it, right before the exit 0 line:

[...]
/usr/sbin/htcacheclean -d30 -n -t -p /var/cache/apache2/mod_disk_cache -l 100M -i
[...]

This will start htcacheclean automatically each time you start the server.

 

2.2 mod_mem_cache

The mod_mem_cache configuration is located in /etc/apache2/mods-available/mem_cache.conf:

vi /etc/apache2/mods-available/mem_cache.conf

<IfModule mod_mem_cache.c>
        CacheEnable mem /
        MCacheSize 4096
        MCacheMaxObjectCount 100
        MCacheMinObjectSize 1
        MCacheMaxObjectSize 2048
</IfModule>

This is the default configuration - if you like you can modify it. A list of configuration directives for mod_mem_cache is available here: http://httpd.apache.org/docs/2.2/mod/mod_mem_cache.html

Now let's enable mod_cache and mod_mem_cache as follows:


a2enmod cache
a2enmod mem_cache

/etc/init.d/apache2 restart

That's it already! With mod_mem_cache, you don't have to clean up any cache directories.

 

3 Testing

Unfortunately mod_cache doesn't provide any logging functionality, which is bad if you want to know whether caching is working. Therefore I create a small PHP test file, /var/www/cachetest.php, that sends out HTTP headers telling mod_cache to cache the file for 300 seconds, and that simply prints the timestamp:

vi /var/www/cachetest.php

<?php
header("Cache-Control: must-revalidate, max-age=300");
header("Vary: Accept-Encoding");
echo time()."<br>";
?>

Now call that file in a browser - it should display the current time stamp. Then click in the browser's address bar and press ENTER so that the page gets loaded again (don't press F5 or the reload button - this will always fetch a fresh copy from the server instead of the cache!) - if all goes well, you should still see the old, cached timestamp. If you wait 300 seconds, you should get a fresh copy from the server instead of the cache.

 

4 HTTP Headers

Caching doesn't work out-of-the-box - you must modify your web application so that caching can work (it is possible that your web application already supports caching - please consult the documentation of your application to find out). mod_cache will cache web pages only if the HTTP headers sent out by your web application tell it to do so.

Here are some examples of headers that tell mod_cache not to cache:

Expires headers with a date in the past: "Expires: Sun, 19 Nov 1978 05:00:00 GMT"


Certain Cache-Control headers: "Cache-Control: no-store, no-cache, must-revalidate" or "Cache-Control: must-revalidate, max-age=0"

Set-Cookie headers: a page will not be cached if a cookie is set. So if you want mod_cache to cache your pages, modify your application to not send out such headers.

If you want mod_cache to cache your pages, you can set an Expires header with a date in the future, but the recommended way is to use max-age:

"Cache-Control: must-revalidate, max-age=300"

This tells mod_cache to cache the page for 300 seconds (max-age) - unfortunately mod_cache doesn't know the s-maxage option (see http://www.mnot.net/cache_docs/#CACHE-CONTROL), that's why we must use the max-age option (which also tells your browser to cache - please keep this in mind if you get unexpected results!). If mod_cache knew the s-maxage option, we could use "Cache-Control: must-revalidate, max-age=0, s-maxage=300" which would tell mod_cache, but not the browser, to cache the page.

Of course, this header is useless if you send out one of the non-caching headers (Expires in the past, Set-Cookie, etc.) from above at the same time!

Another very important header for caching is this one:

"Vary: Accept-Encoding"

This makes mod_cache keep two copies of each cached page, one compressed (gzip) and one uncompressed so that it can deliver the right version depending on the capabilities of the user-agent/browser. Some user-agents don't understand gzip compression, so they should get the uncompressed version.

So here's the summary: use the following two headers if you want mod_cache to cache:

"Cache-Control: must-revalidate, max-age=300"

"Vary: Accept-Encoding"

and make sure that no Expires with a date in the past, cookies, etc. are sent.

If your application is written in PHP, you can use PHP's header() function to send out HTTP headers, e.g. like this:

header("Cache-Control: must-revalidate, max-age=300");

header("Vary: Accept-Encoding");

This page is a must-read if you want to learn more about HTTP headers and caching: http://www.mnot.net/cache_docs/
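As an added example (my code, not from the article), the header rules of this section written out as a shell function: it reads a captured response header block from a file and reports whether mod_cache would store the response and, if not, why. Set-Cookie, Cache-Control no-store or no-cache, max-age=0 and an Expires date in the past are treated as non-cacheable, as described above; Cache-Control private and Vary: * are rejected too, which is standard mod_cache behaviour the article does not mention. A missing Vary: Accept-Encoding only produces a warning. The header samples in the test are constructed; Expires parsing relies on GNU date -d and treats an unparseable date as already expired, which is how HTTP clients handle it.

```shell
#!/bin/sh
# Added example, not from the article: would mod_cache store this response?

# cache_verdict HEADER_FILE
# Prints a one-line verdict; returns 0 if cacheable under the rules above, 1 if not.
cache_verdict() {
    hdrs=$(tr -d '\r' < "$1")                        # tolerate CRLF captures
    lower=$(printf '%s\n' "$hdrs" | tr 'A-Z' 'a-z')  # header names are case-insensitive

    # A Set-Cookie response is per-user; a shared cache would hand one visitor's
    # session to the next, which is why mod_cache refuses to store it.
    if printf '%s\n' "$lower" | grep -q '^set-cookie:'; then
        echo "not cacheable: Set-Cookie present"; return 1
    fi

    cc=$(printf '%s\n' "$lower" | sed -n 's/^cache-control:[[:space:]]*//p' | tr -d ' ')
    case ",$cc," in
        *,no-store,*|*,no-cache,*|*,private,*)
            echo "not cacheable: Cache-Control $cc"; return 1 ;;
    esac
    maxage=$(printf '%s\n' "$cc" | tr ',' '\n' | sed -n 's/^max-age=//p' | head -n 1)
    if [ -n "$maxage" ] && [ "$maxage" -eq 0 ]; then
        echo "not cacheable: max-age=0"; return 1
    fi

    # Vary: * can never be matched from the cache (mod_cache behaviour, not in the article).
    if printf '%s\n' "$lower" | grep -q '^vary:[[:space:]]*\*'; then
        echo "not cacheable: Vary: *"; return 1
    fi
    printf '%s\n' "$lower" | grep -q '^vary:.*accept-encoding' ||
        echo "warning: no Vary: Accept-Encoding; gzip and plain clients would share one copy" >&2

    if [ -n "$maxage" ]; then
        echo "cacheable for $maxage seconds (max-age)"; return 0
    fi

    # No max-age: fall back to Expires, which must lie in the future.
    expires=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ee][Xx][Pp][Ii][Rr][Ee][Ss]:[[:space:]]*//p' | head -n 1)
    if [ -z "$expires" ]; then
        echo "not cacheable: no max-age and no Expires"; return 1
    fi
    # GNU date; an unparseable Expires counts as already expired.
    exp_epoch=$(date -u -d "$expires" +%s 2>/dev/null) || exp_epoch=0
    if [ "$exp_epoch" -le "$(date -u +%s)" ]; then
        echo "not cacheable: Expires in the past ($expires)"; return 1
    fi
    echo "cacheable until $expires (Expires)"
}

# Usage against a header capture, e.g. from "curl -sI http://localhost/cachetest.php > /tmp/hdrs":
#   cache_verdict /tmp/hdrs
```

Feeding it the headers of cachetest.php gives "cacheable for 300 seconds (max-age)"; feeding it a page that sets a session cookie explains in one line why the timestamp keeps changing.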


Disk Backup With Amanda On Debian Lenny

1. Introduction

Amanda is an open source client/server solution to back up filesystems. Backups are triggered by the backup server, backup definitions are located on the server, but exclusion lists are located on the client. Amanda is not yet at the level of backup solutions like IBM TSM/TDP or Legato Networker, but it is the best open source solution I found so far.

2. Landscape

bckserver.mydomain.com (Debian lenny): The backup server that hosts the amanda server.

bckclient.mydomain.com (Debian lenny): The backup client is a web server with a MySQL version 5.0 database (no replication). The mysql backup is done with zrm version 2.2. I did not create a howto for zrm since the product is fairly easy to use and the zmanda Quick setup guide and user manual are really easy to follow. My biggest regret with zrm: it does not back up to amanda tapes.

An iSCSI SAN as a library: backup to virtual tapes (disks).

 

3. AMANDA

3.1 Backup Server

3.1.1 Installation

As user root install the amanda-server package and ... the amanda-client package or you will not be able to do restores from the bckclient.

# apt-get update

# apt-get install amanda-server amanda-client xinetd gawk gnuplot readline-common openssh-server

 Accept the additional packages required when prompted.

 

3.1.2  (If Applicable) Comment Amanda Entries In Inetd Configuration File

The packages configure both inetd and xinetd. In this howto we only use xinetd.

Edit /etc/inetd.conf and comment amanda related lines:


#:OTHER: Other services
#amandaidx stream tcp nowait backup /usr/sbin/tcpd /usr/lib/amanda/amindexd amindexd -auth=bsdtcp amdump amindexd amidxtaped
#amidxtape stream tcp nowait backup /usr/sbin/tcpd /usr/lib/amanda/amidxtaped amidxtaped -auth=bsdtcp amdump amindexd amidxtaped
#amanda dgram udp wait backup /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped

 

3.1.3 Modify Amanda Daemons To Use auth bsdtcp

For details check the wiki.

Edit amanda, amidxtape and amandaidx files in /etc/xinetd.d/ to match the following:

# cat /etc/xinetd.d/amanda | grep -v "^#"

service amanda
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = backup
        group           = backup
        groups          = yes
        server          = /usr/lib/amanda/amandad
        server_args     = -auth=bsdtcp amdump amindexd amidxtaped
        disable         = no
}

# cat /etc/xinetd.d/amidxtape | grep -v "^#"

service amidxtape
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = backup
        group           = backup
        groups          = yes
        server          = /usr/lib/amanda/amidxtaped
        server_args     = -auth=bsdtcp amdump amindexd amidxtaped
        disable         = no
}

# cat /etc/xinetd.d/amandaidx | grep -v "^#"

service amandaidx
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = backup
        group           = backup
        groups          = yes
        server          = /usr/lib/amanda/amindexd
        server_args     = -auth=bsdtcp amdump amindexd amidxtaped
        disable         = no
}

 Enable the changes:

# /etc/init.d/xinetd restart

 

3.1.4 Backup Configuration

We will define daily backups and the configuration will be called DailySet1.

The backup user configured by default at the installation is:

user name: backup

user group: backup

home dir: /var/backups

#  su backup -c "mkdir /etc/amanda/DailySet1"

We create a minimum configuration file amanda.conf for DailySet1:

vi /etc/amanda/DailySet1/amanda.conf

org "DailySet1"                                   # your organization name for reports
mailto "[email protected]"                         # space separated list of operators at your site
dumpuser "backup"                                 # the user to run dumps under

logdir "/etc/amanda/DailySet1/logs"               # log directory
infofile "/etc/amanda/DailySet1/curinfo"          # database filename
indexdir "/etc/amanda/DailySet1/index"            # index directory
tapelist "/etc/amanda/DailySet1/tapelist"         # list of used tapes

tapecycle 9 tapes
tapetype DISK
tpchanger "chg-disk"
changerfile "/etc/amanda/DailySet1/changer"       # needed by amlabel
tapedev "file:/space/vtapes/DailySet1/slots"

define tapetype DISK {
    comment "Backup to HD"
    length 5 gbytes
}

# comment holding disk section if needed
holdingdisk hd1 {
    directory "/dumps/"
}

# to be used by any other dumptype
define dumptype global {
    comment "Global definitions"
    index yes
    record yes
    auth "bsdtcp"
}

define dumptype daily {
    global
    comment "daily dumptype"
    compress client fast
    program "GNUTAR"
    strategy standard
    priority high
    exclude list "/etc/amanda/DailySet1/global-debian-exclude.list"
}

Quick explanation:

- we plan to use 9 tapes of 5 GigaBytes. We recycle tapes after 9 backups.

- we plan to back up everything on the bckclient with some exceptions (ref exclude list section 3.2.6).

Check the amanda.conf man page for details on syntax.

Create the database repository for DailySet1 as specified in amanda.conf.

# su backup -c "mkdir /etc/amanda/DailySet1/logs"


# su backup -c "mkdir /etc/amanda/DailySet1/index"

# touch /etc/amanda/DailySet1/tapelist

# su backup -c "mkdir /etc/amanda/DailySet1/curinfo"

 

3.1.5 (Optional) Configure Holding Disks

The holding disk is used as a cache to store backup data from all Amanda clients (ref). 

If you do not intend to use holding disks, review the amanda.conf file.

# comment holding disk section if needed

#holdingdisk hd1 {

# directory "/dumps/"

#}

and skip this section.

If you plan to use holding disks:

# su backup -c "mkdir /dumps"

# chmod 750 /dumps

I use here a local disk. The details are not covered by this document.

# cat /etc/fstab | grep LABEL

LABEL=holdingdisk  /dumps  ext3  defaults  0
LABEL=backup       /space  xfs   _netdev   0

 


3.1.6  Configure Virtual Tapes

# mkdir -p /space/

I use my ISCSI SAN disks here. Check this ISCSI howto for details.

# mkdir -p /space/vtapes/DailySet1/slots

# chown backup:backup -R  /space/

# chmod 750 /space/vtapes

# su - backup

$ cd /space/vtapes/DailySet1/slots

 Create the tapes:

$ for ((i=1; $i<=9; i++)); do mkdir  slot$i;done

Initialize tape changer:

$ ln -s slot1 data

 Test the virtual tapes:

$ ammt -f file:/space/vtapes/DailySet1/slots status

file:/space/vtapes/DailySet1/slots status: ONLINE

 Label the tapes:

$ for ((i=1; $i<=9;i++)); do amlabel DailySet1 DailySet1-0$i slot $i; done

Note: If you plan to use more than nine tapes (say 25 for example), do run a second amlabel command:

$ for ((i=10; $i<=25;i++)); do amlabel DailySet1 DailySet1-$i slot $i; done
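The two amlabel loops above exist only because the label needs a leading zero below ten; as an added example (my code, not from the howto) here is one function that creates and labels any number of slots up to 99 with zero-padded labels (DailySet1-01 ... DailySet1-25), skips slots that already exist so it can be re-run safely, and sets the data link that chg-disk expects. The AMLABEL variable is an assumed hook so the function can be tried with a stand-in command before it is run for real as user backup on the server.

```shell
#!/bin/sh
# Added example, not from the howto: create and label virtual tape slots in one go.

AMLABEL=${AMLABEL:-amlabel}   # assumed hook; point it at a stand-in to dry-run

# vtape_label CONFIG N -> prints the zero-padded label, e.g. DailySet1-07
vtape_label() {
    printf '%s-%02d\n' "$1" "$2"
}

# make_vtapes CONFIG SLOTDIR COUNT
# Creates slot1..slotCOUNT under SLOTDIR, labels each new slot with
# "$AMLABEL CONFIG LABEL slot N", and points the chg-disk "data" link at
# slot1. Existing slots are left untouched, so re-running is harmless.
# Prints the labels it assigned, one per line.
make_vtapes() {
    config=$1 slotdir=$2 count=$3
    if [ "$count" -lt 1 ] || [ "$count" -gt 99 ]; then
        echo "count must be between 1 and 99 (two-digit labels)" >&2
        return 1
    fi
    mkdir -p "$slotdir" || return 1
    i=1
    while [ "$i" -le "$count" ]; do
        if [ ! -d "$slotdir/slot$i" ]; then
            mkdir "$slotdir/slot$i" || return 1
            label=$(vtape_label "$config" "$i")
            "$AMLABEL" "$config" "$label" slot "$i" >/dev/null || return 1
            echo "$label"
        fi
        i=$((i + 1))
    done
    [ -e "$slotdir/data" ] || ln -s slot1 "$slotdir/data"
}

# On the backup server, as user backup, with the howto's paths:
#   make_vtapes DailySet1 /space/vtapes/DailySet1/slots 9
```

Because the function prints only the labels it actually assigned, an empty result on a second run is the confirmation that nothing was relabelled.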


 Reset the virtual tape changer back to the first slot.

$ amtape DailySet1 reset

amtape: changer is reset, slot 1 is loaded.

$ ls -l data

lrwxrwxrwx 1 backup backup 35 jun 7 02:27 data -> /space/vtapes/DailySet1/slots/slot1

 

3.1.7 Backup Definition: Disklist

In this section you specify, for each backup client, which disks you intend to back up.

On the backup client:

As user root issue mount on the backup client to list mounted disks:

 # mount

/dev/mapper/debian-root on / type xfs

/dev/sda1 on /boot type ext2 (rw)

/dev/sdb1 on /var/www/www.mysite.com type ext3 

On the backup server:

$ vi /etc/amanda/DailySet1/disklist

bckclient.mydomain.com /var/www/www.mysite.com/ daily

bckclient.mydomain.com / daily

bckclient.mydomain.com /boot/ daily

syntax: client.fqdn path dumptype (ref amanda.conf)

Note: Since we use fully qualified domain names, your name resolution (/etc/hosts or DNS and reverse DNS) must be correctly set up and tested. If you are unsure use IP addresses.

 


3.1.8 Authorization: amandahost

 This file is used to authorize client or server connections:

$ vi /etc/amandahosts

bckserver.mydomain.com root amindexd amidxtaped

bckserver.mydomain.com backup amdump

bckclient.mydomain.com root amindexd amidxtaped

The line: "bckclient.mydomain.com root amindexd amidxtaped" allows user root from bckclient to perform restores.

The line "bckserver.mydomain.com backup amdump" allows user backup from bckserver to run backups on bckserver.

Details on file syntax and authentication here.

Note: Since we use fully qualified domain names, your name resolution (/etc/hosts or DNS and reverse DNS) must be correctly set up and tested. If you are unsure use IP addresses.

# ln -s /etc/amandahosts /var/backups/.amandahosts

# chmod 400 /etc/amandahosts

# ls -l /etc/amandahosts

-r-------- 1 backup backup 157 mai 27 02:12 /etc/amandahosts

# ls -l /var/backups/.amandahosts

lrwxrwxrwx 1 root root 16 mai 17 00:41 /var/backups/.amandahosts -> /etc/amandahosts

3.2 Backup Client

3.2.1 Installation

As user root install the amanda-client package.

# apt-get update


# apt-get install amanda-client xinetd openssh-server

 Accept the additional packages required when prompted.

 

3.2.2 (If Applicable) Comment Amanda Entries In Inetd Configuration File

The packages configure both inetd and xinetd. In this howto we only use xinetd.

Edit /etc/inetd.conf and comment amanda related lines:

#:OTHER: Other services
#amanda dgram udp wait backup /usr/sbin/tcpd /usr/lib/amanda/amandad -auth=bsd amdump amindexd amidxtaped

 

3.2.3 Modify Amanda Daemons To Use auth bsdtcp

For details check the wiki.

Edit amanda, amidxtape and amandaidx files in /etc/xinetd.d/ to match the following:

# cat /etc/xinetd.d/amanda | grep -v "^#"

service amanda
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = backup
        group           = backup
        groups          = yes
        server          = /usr/lib/amanda/amandad
        server_args     = -auth=bsdtcp amdump amindexd amidxtaped
        disable         = no
}

Enable changes:

# /etc/init.d/xinetd restart

 

3.2.4 Client Configuration: amanda-client.conf

# vi /etc/amanda/amanda-client.conf

conf "DailySet1"                          # your config name
index_server "bckserver.mydomain.com"     # your amindexd server
tape_server "bckserver.mydomain.com"      # your amidxtaped server
auth "bsdtcp"

 

3.2.5 Authorizations: amandahosts

Edit the amandahosts file to allow backups from bckserver:

# vi /etc/amanda/amandahosts

bckserver.mydomain.com backup amdump


The line "bckserver.mydomain.com backup amdump" allows user backup from bckserver to run backups on bckclient.

Details on file syntax and authentication here.

Note: Since we use fully qualified domain names, your name resolution (/etc/hosts or DNS and reverse DNS) must be correctly set up and tested. If you are unsure use IP addresses.

# ls -la /var/backups/.amandahosts

lrwxrwxrwx 1 root root 23 mai 25 11:19 /var/backups/.amandahosts -> /etc/amanda/amandahosts
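Sections 3.1.8 and 3.2.5 both depend on the amandahosts file being correct and protected, so here is an added example (my code, not part of the howto) that audits such a file: it checks for mode 400 (or 600) and the expected owner, that every host name is fully qualified as the notes above require, that every line names a user, and that only Amanda service names known to me appear (amdump and the helper services it implies, noop, selfcheck, sendsize and sendbackup, plus amindexd and amidxtaped for restores). The sample files are constructed; the expected owner is a parameter (backup on both server and client), and stat -c is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example, not from the howto: audit an amandahosts file.

# Service names as known to me from amanda(8); anything else is flagged.
KNOWN_SERVICES="amdump noop selfcheck sendsize sendbackup amindexd amidxtaped"

# check_amandahosts FILE EXPECTED_OWNER
# Prints one line per entry and a FINDING line per problem; returns 0 when
# the file is clean, 1 otherwise. Uses GNU "stat -c".
check_amandahosts() {
    file=$1 owner=$2 rc=0
    mode=$(stat -c '%a' "$file") || return 1
    fowner=$(stat -c '%U' "$file") || return 1
    if [ "$mode" != 400 ] && [ "$mode" != 600 ]; then
        echo "FINDING: mode $mode, expected 400 as in the howto (600 is also owner-only)"
        rc=1
    fi
    if [ "$fowner" != "$owner" ]; then
        echo "FINDING: owner $fowner, expected $owner"
        rc=1
    fi
    while read -r host user services; do
        case $host in ''|'#'*) continue ;; esac
        # The notes above require names that resolve forwards and backwards;
        # a bare short name is the usual cause of amandad rejecting a peer.
        case $host in
            *.*) ;;
            *) echo "FINDING: host '$host' is not fully qualified"; rc=1 ;;
        esac
        if [ -z "$user" ]; then
            echo "FINDING: no user given for $host"; rc=1; continue
        fi
        for s in $services; do
            case " $KNOWN_SERVICES " in
                *" $s "*) ;;
                *) echo "FINDING: unknown service '$s' granted to $user@$host"; rc=1 ;;
            esac
        done
        echo "$host $user: ${services:-(no service listed)}"
    done < "$file"
    return $rc
}

# On the backup server, with the howto's file and owner:
#   check_amandahosts /etc/amandahosts backup
```

The per-entry lines double as a readable statement of who may do what (root on the client may only restore, backup on the server may only dump), which is worth keeping next to the file as a record of the intended authorisations.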

3.2.6 Exclude List

As user backup create an exclude list. Bear in mind that paths are relative. More details here.

$ vi /etc/amanda/DailySet1/global-debian-exclude.list

./proc

./media

./mnt

./dev

chmod 644 /etc/amanda/DailySet1/global-debian-exclude.list

Note: in my example the exclude list applies to all 3 filesystems. If you want to avoid this, define different exclude lists tied to different dumptypes and modify the disklist file accordingly.

3.3 Tests

3.3.1 Config Test

Log on as user backup on bckserver and issue the following command:


$ amcheck DailySet1

Amanda Tape Server Host Check
-----------------------------
Holding disk /dumps/: 48800396 kB disk space available, using 48800396 kB
slot 2: read label `DailySet1-02', date `20100607'
cannot overwrite active tape DailySet1-02
slot 3: read label `DailySet1-03', date `X'
NOTE: skipping tape-writable test
Tape DailySet1-03 label ok
NOTE: host info dir /etc/amanda/DailySet1/curinfo/bckclient.mydomain.com does not exist
NOTE: it will be created on the next run.
NOTE: index dir /etc/amanda/DailySet1/index/bckclient.mydomain.com does not exist
NOTE: it will be created on the next run.
Server check took 0.115 seconds

Amanda Backup Client Hosts Check
--------------------------------
Client check: 1 host checked in 0.132 seconds, 0 problems found

(brought to you by Amanda 2.5.2p1)

3.3.2 Backup Test

Log on as user backup on bckserver and issue the following command:

$ amdump DailySet1

Note: to force a full backup issue the following command before the amdump:

$ amadmin DailySet1 force bckclient.mydomain.com

On completion check [email protected] mails for a backup notification.

Hostname: bckserver
Org     : DailySet1
Config  : DailySet1
Date    : June 7, 2010

These dumps were to tape DailySet1-03.
The next tape Amanda expects to use is: a new tape.
The next new tape already labelled is: DailySet1-04.

STATISTICS:
                          Total       Full      Incr.
                        --------   --------   --------
Estimate Time (hrs:min)    0:00
Run Time (hrs:min)         0:06
Dump Time (hrs:min)        0:05       0:05       0:00
Output Size (meg)         766.7      766.7        0.0
Original Size (meg)      1363.0     1363.0        0.0
Avg Compressed Size (%)    56.3       56.3        --
Filesystems Dumped            1          1          0
Avg Dump Rate (k/s)      2730.3     2730.3        --

Tape Time (hrs:min)        0:01       0:01       0:00
Tape Size (meg)           766.8      766.8        0.0
Tape Used (%)              15.0       15.0        0.0
Filesystems Taped             1          1          0
Chunks Taped                  0          0          0
Avg Tp Write Rate (k/s)  9490.5     9490.5        --

USAGE BY TAPE:
  Label              Time      Size      %    Nb    Nc
  DailySet1-03       0:01   785152k   15.0     1     0

NOTES:
  planner: tapecycle (9) <= runspercycle (10)
  planner: Adding new disk bckclient.mydomain.com:/.
  driver: WARNING: This is not the first amdump run today. Enable the usetimestamps option in the configuration file if you want to run amdump more than once per calendar day.
  taper: tape DailySet1-03 kb 785184 fm 1 [OK]
  small estimate: bckclient.mydomain.com / 0
                  est: 697920k    out 785152k

DUMP SUMMARY:
                                       DUMPER STATS                 TAPER STATS
HOSTNAME     DISK        L ORIG-kB  OUT-kB  COMP%  MMM:SS   KB/s  MMM:SS    KB/s
-------------------------------------- ------------------------------------- -------------
bckclient    /           0 1395720  785152   56.3    4:48 2730.3    1:23  9490.4
bckclient    /boot       0   16320   15520   95.1    0:04 4324.4    0:00 98858.5
bckclient    -mysite.com 0   34750   11488   33.1    0:09 1228.3    0:01 16425.6

(brought to you by Amanda version 2.5.2p1)

$ amadmin DailySet1 find

date       host                   disk                    lv tape or file  file part status
2010-06-07 bckclient.mydomain.com /                        1 DailySet1-04     1 --   OK
2010-06-07 bckclient.mydomain.com /                        1 DailySet1-05     1 --   OK
2010-06-07 bckclient.mydomain.com /                        1 DailySet1-06     1 --   OK
2010-06-07 bckclient.mydomain.com /                        0 DailySet1-01     0 --   FAILED (dumper) [port open: Connection timed out]
2010-06-07 bckclient.mydomain.com /                        0 DailySet1-01     0 --   FAILED (dumper) [port open: Connection timed out]
2010-06-07 bckclient.mydomain.com /                        0 DailySet1-02     0 --   FAILED (dumper) [port open: Connection timed out]
2010-06-07 bckclient.mydomain.com /                        0 DailySet1-02     0 --   FAILED (dumper) [port open: Connection timed out]
2010-06-07 bckclient.mydomain.com /                        0 DailySet1-03     1 --   OK
2010-06-07 bckclient.mydomain.com /                        0 DailySet1-07     1 --   OK
2010-06-07 bckclient.mydomain.com /                        0 DailySet1-08     3 --   OK
2010-06-07 bckclient.mydomain.com /boot                    0 DailySet1-08     1 --   OK
2010-06-07 bckclient.mydomain.com /var/www/www.mysite.com  0 DailySet1-08     2 --   OK

 

 

3.4 Backup Scheduling 

Daily backup every day at 1:00AM:

# su  backup -c "crontab -e"

0 1 * * 1-7 /usr/sbin/amdump DailySet1

 

3.5 Restore

3.5.1 Backup Client Configuration

Log on as user root on the bckclient.

Create an amanda-client.conf file:


# su backup -c "mkdir /etc/amanda"

# vi /etc/amanda/amanda-client.conf

conf "DailySet1"                          # your config name (used for restore)
index_server "bckserver.mydomain.com"     # your amindexd server
tape_server "bckserver.mydomain.com"      # your amidxtaped server
auth "bsdtcp"

# ls -ltr /etc/amanda/DailySet1/amanda-client.conf

lrwxrwxrwx 1 root root 30 mai 25 17:50 /etc/amanda/DailySet1/amanda-client.conf -> /etc/amanda/amanda-client.conf

Note: If you mix weekly (long retention) and daily backups (short retention) for the same backup client you will have to specify the right conf (WeeklySet1 or DailySet1) for restore.

 

3.5.2 Recover

As user root on bckclient cd to a suitable place for restore (/tmp for example) and issue the following command:

# amrecover

AMRECOVER Version 2.5.2p1. Contacting server on bckserver.mydomain.com ...

220 bckserver AMANDA index server (2.5.2p1) ready.

Setting restore date to today (2010-06-07)

200 Working date set to 2010-06-07.

200 Config set to DailySet1.

501 Host bckclient is not in your disklist.

Trying host bckclient.mydomain.com ...

200 Dump host set to bckclient.mydomain.com.

Use the setdisk command to choose dump disk to recover


amrecover> listdisk

200- List of disk for host bckclient.mydomain.com
201- /
201- /var/www/www.mysite.com
201- /boot

amrecover> setdisk /var/www/www.mysite.com

200 Disk set to /var/www/www.mysite.com.

amrecover> ls

2010-06-07 xmlrpc/
2010-06-07 tmp/
2010-06-07 templates/
2010-06-07 robots.txt
2010-06-07 plugins/
2010-06-07 modules/
2010-06-07 logs/
2010-06-07 libraries/
2010-06-07 language/
2010-06-07 index2.php
2010-06-07 index.php
2010-06-07 includes/
2010-06-07 images/
2010-06-07 htaccess.txt
2010-06-07 configuration.php-dist
2010-06-07 configuration.php
2010-06-07 components/
2010-06-07 cache/
2010-06-07 aicontactsafe/
2010-06-07 administrator/
2010-06-07 LICENSES.php
2010-06-07 LICENSE.php
2010-06-07 INSTALL.php
2010-06-07 CREDITS.php
2010-06-07 COPYRIGHT.php
2010-06-07 CHANGELOG.php
2010-06-07 .htaccess
2010-06-07 .

amrecover> add *

Added dir /xmlrpc/ at date 2010-06-07

Added dir /tmp/ at date 2010-06-07

Added dir /templates/ at date 2010-06-07

Added file /robots.txt

Added dir /plugins/ at date 2010-06-07

Added dir /modules/ at date 2010-06-07

Added dir /logs/ at date 2010-06-07

Added dir /libraries/ at date 2010-06-07

Added dir /language/ at date 2010-06-07

Added file /index2.php

Added file /index.php

Added dir /includes/ at date 2010-06-07

Added dir /images/ at date 2010-06-07

Added file /htaccess.txt

Added file /configuration.php-dist

Added file /configuration.php

Added dir /components/ at date 2010-06-07

Added dir /cache/ at date 2010-06-07

Added dir /aicontactsafe/ at date 2010-06-07

Added dir /administrator/ at date 2010-06-07

Added file /LICENSES.php

Added file /LICENSE.php

Added file /INSTALL.php

Added file /CREDITS.php

Added file /COPYRIGHT.php

Added file /CHANGELOG.php

Added file /.htaccess

amrecover> extract

Extracting files using tape drive chg-disk on host bckserver.mydomain.com. The following tapes are needed: DailySet1-08

Restoring files into directory /tmp

Continue [?/Y/n]? y

Extracting files using tape drive chg-disk on host bckserver.mydomain.com. Load tape DailySet1-08 now

Continue [?/Y/n/s/t]? y

./administrator/

./administrator/backups/

Note: navigate the directory tree with cd, change the restore date with setdate, and restore to another host with sethost.

How To Set Up An SSL Vhost Under Apache2 On Ubuntu 9.10/Debian Lenny

Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com> Last edited 01/18/2010

This article explains how you can set up an SSL vhost under Apache2 on Ubuntu 9.10 and Debian Lenny so that you can access the vhost over HTTPS (port 443). SSL is short for Secure Sockets Layer and is a cryptographic protocol that secures communications over networks by encrypting network connections end-to-end at the transport layer. We use the mod_ssl Apache module here to provide strong cryptography for Apache2 via SSL with the help of the open source SSL toolkit OpenSSL.

This document comes without warranty of any kind! I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I'm assuming that you have a working LAMP setup on your Ubuntu 9.10 or Debian Lenny box, as shown in these tutorials:

Installing Apache2 With PHP5 And MySQL Support On Debian Lenny (LAMP)
Installing Apache2 With PHP5 And MySQL Support On Ubuntu 9.10 (LAMP)

I will set up SSL for my vhost www.hostmauritius.com in this tutorial - hostmauritius.com is a domain that I own - replace it with your own domain. I will show how to use a self-signed certificate (this will result in a browser warning when you access https://www.hostmauritius.com) and how to get a certificate from a trusted certificate authority (CA) such as Verisign, Thawte, Comodo, etc. - with a certificate from a trusted CA, your visitors won't see any browser warnings, unlike with a self-signed certificate. I will use a certificate from CAcert.org - these certificates are free but are not recognized by all browsers; still, it should give you the idea how to install a certificate from a trusted CA.

It is important to know that you can have just one SSL vhost per IP address - if you want to host multiple SSL vhosts, you need multiple IP addresses!

I'm running all the steps in this tutorial with root privileges, so make sure you're logged in as root. On Ubuntu, run

sudo su

to become the root user.

 

2 Enabling mod_ssl

To enable Apache's SSL module, run...

a2enmod ssl

... and restart Apache:

/etc/init.d/apache2 restart

Apache should now be listening on port 443 (HTTPS):

netstat -tap | grep https

root@server1:~# netstat -tap | grep https
tcp6       0      0 [::]:https              [::]:*                  LISTEN      1238/apache2
root@server1:~#

3 Setting Up The Vhost

I will now create the vhost www.hostmauritius.com with the document root /var/www/www.hostmauritius.com. First I create that directory:

mkdir /var/www/www.hostmauritius.com

Apache comes with a default SSL vhost configuration in the file /etc/apache2/sites-available/default-ssl. We use that file as a template for the www.hostmauritius.com vhost...

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.hostmauritius.com-ssl

... and open /etc/apache2/sites-available/www.hostmauritius.com-ssl:

vi /etc/apache2/sites-available/www.hostmauritius.com-ssl

Make sure you use the correct IP address in the <VirtualHost xxx.xxx.xxx.xxx:443> line (192.168.0.100 in this example). Also fill in the correct ServerAdmin email address and add the ServerName line. Adjust the paths in the DocumentRoot line and in the <Directory> directives, if necessary:

<IfModule mod_ssl.c>
<VirtualHost 192.168.0.100:443>
        ServerAdmin [email protected]
        ServerName www.hostmauritius.com:443

        DocumentRoot /var/www/www.hostmauritius.com
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/www.hostmauritius.com/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/ssl_access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convinience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional, require and optional_no_ca.  Depth is a
        #   number which specifies how deeply to verify the certificate
        #   issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth  10

        #   Access Control:
        #   With SSLRequire you can do per-directory access control based
        #   on arbitrary complex boolean expressions containing server
        #   variable checks and other lookup directives.  The syntax is a
        #   mixture between C and Perl.  See the mod_ssl documentation
        #   for more details.
        #<Location />
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        #</Location>

        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation.  This means that
        #     the standard Auth/DBMAuth methods can be used for access control.  The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `xxj31ZMTZzkVA'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o StrictRequire:
        #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
        #     under a "Satisfy any" situation, i.e. when it applies access is denied
        #     and no other module can change it.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        #   SSL Protocol Adjustments:
        #   The safe and default but still SSL/TLS standard compliant shutdown
        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
        #   the close notify alert from client. When you need a different shutdown
        #   approach you can use one of the following variables:
        #   o ssl-unclean-shutdown:
        #     This forces an unclean shutdown when the connection is closed, i.e. no
        #     SSL close notify alert is send or allowed to received.  This violates
        #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #     this when you receive I/O errors because of the standard approach where
        #     mod_ssl sends the close notify alert.
        #   o ssl-accurate-shutdown:
        #     This forces an accurate shutdown when the connection is closed, i.e. a
        #     SSL close notify alert is send and mod_ssl waits for the close notify
        #     alert of the client. This is 100% SSL/TLS standard compliant, but in
        #     practice often causes hanging connections with brain-dead browsers. Use
        #     this only for browsers where you know that their SSL implementation
        #     works correctly.
        #   Notice: Most problems of broken clients are also related to the HTTP
        #   keep-alive facility, so you usually additionally want to disable
        #   keep-alive for those clients, too.  Use variable "nokeepalive" for this.
        #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        #   "force-response-1.0" for this.
        BrowserMatch ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0

</VirtualHost>
</IfModule>

As you see, this vhost uses the default self-signed snakeoil certificate that comes with Ubuntu/Debian:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem

SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Now disable the default SSL vhost (if it is enabled), enable the www.hostmauritius.com vhost and reload apache:

a2dissite default-ssl
a2ensite www.hostmauritius.com-ssl
/etc/init.d/apache2 reload

Now open a browser and go to your new SSL vhost (https://www.hostmauritius.com in this case). Because we are using Debian's/Ubuntu's default self-signed certificates, we should get a warning that the connection is untrusted (to use that web site anyway, click on I Understand the Risks and follow the instructions in your browser):

 

4 Creating A Self-Signed Certificate

Until now, we've used Debian's/Ubuntu's default self-signed certificate. I will now show you how to create your own self-signed certificate. With this certificate, you will still get browser warnings, but this certificate is required to get a trusted certificate from a trusted CA later on.

Make sure that the package ssl-cert is installed:

aptitude install ssl-cert

You can now create a self-signed certificate for www.hostmauritius.com as follows:

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/www.hostmauritius.com.crt

You will be asked for the hostname:

Host name: <-- www.hostmauritius.com

This will create the self-signed certificate and the private key in one file, /etc/ssl/private/www.hostmauritius.com.crt:

cat /etc/ssl/private/www.hostmauritius.com.crt


I will now split up that file in two, the private key /etc/ssl/private/www.hostmauritius.com.key and the self-signed certificate /etc/ssl/certs/www.hostmauritius.com.pem:

vi /etc/ssl/private/www.hostmauritius.com.key

This file must contain the part of the cat output beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----.


The key must be readable and writable by root only:

chmod 600 /etc/ssl/private/www.hostmauritius.com.key

vi /etc/ssl/certs/www.hostmauritius.com.pem

This file must contain the part of the cat output beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.


Now we can delete the /etc/ssl/private/www.hostmauritius.com.crt file:

rm -f /etc/ssl/private/www.hostmauritius.com.crt
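The manual split above (key into /etc/ssl/private with chmod 600, certificate into /etc/ssl/certs) can be scripted and checked. The following is an added example, not part of the tutorial: the paths are parameters, the function names (split_pem, key_perms_ok, pem_pair_matches) are my own, and the modulus comparison needs the openssl binary and is skipped when it is absent.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: split the combined
# key+certificate file written by make-ssl-cert into a root-only key file
# and a world-readable certificate file, then check the result. The paths
# are parameters; the tutorial's own paths appear only in the usage comment.

# split_pem COMBINED KEYFILE CERTFILE
# Copies the "RSA PRIVATE KEY" block to KEYFILE and the "CERTIFICATE" block
# to CERTFILE. The key file is created under umask 077 so it is never
# group- or world-readable, not even between creation and chmod.
split_pem() {
    combined=$1; keyfile=$2; certfile=$3
    ( umask 077
      awk '/^-----BEGIN RSA PRIVATE KEY-----$/,/^-----END RSA PRIVATE KEY-----$/' \
          "$combined" > "$keyfile" )
    awk '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/' \
        "$combined" > "$certfile"
    chmod 600 "$keyfile"
    chmod 644 "$certfile"
    # Refuse silently truncated output: both END markers must be present.
    grep -q '^-----END RSA PRIVATE KEY-----$' "$keyfile" || return 1
    grep -q '^-----END CERTIFICATE-----$' "$certfile" || return 1
}

# key_perms_ok KEYFILE -> 0 if the key is readable by its owner only
# (the chmod 600 state the tutorial asks for), 1 otherwise.
key_perms_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# pem_pair_matches KEYFILE CERTFILE -> 0 if the certificate belongs to this
# private key (same RSA modulus), 1 if not, 2 if openssl is not installed.
# A mismatched pair is the usual reason Apache refuses to start after a
# certificate swap.
pem_pair_matches() {
    command -v openssl >/dev/null 2>&1 || return 2
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run by hand with the tutorial's paths:
#   sh split-pem.sh /etc/ssl/private/www.hostmauritius.com.crt \
#      /etc/ssl/private/www.hostmauritius.com.key \
#      /etc/ssl/certs/www.hostmauritius.com.pem
if [ $# -eq 3 ] && [ -f "$1" ]; then
    split_pem "$1" "$2" "$3" && key_perms_ok "$2" \
        && pem_pair_matches "$2" "$3" && echo "key and certificate OK"
fi
```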

Next we adjust our SSL vhost to use the new private key and the self-signed certificate:

vi /etc/apache2/sites-available/www.hostmauritius.com-ssl

[...]
        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/ssl/certs/www.hostmauritius.com.pem
        SSLCertificateKeyFile /etc/ssl/private/www.hostmauritius.com.key
[...]

Reload Apache:

/etc/init.d/apache2 reload

The SSL vhost will now use your new private key and self-signed certificate for encryption (but because it is a self-signed certificate, you will still get the browser warning when you access https://www.hostmauritius.com).

5 Creating A Certificate Signing Request (CSR)

To request a trusted certificate from a trusted CA such as Verisign, Thawte or Comodo, we must generate a certificate signing request (CSR) from our private key and send it to the CA. The CA then creates a trusted certificate from it, with which we replace our self-signed certificate.

I will create the CSR in the directory /etc/ssl/csr, so we have to create it first:

mkdir /etc/ssl/csr

Now we can create the CSR /etc/ssl/csr/www.hostmauritius.com.csr from our private key /etc/ssl/private/www.hostmauritius.com.key as follows:

openssl req -new -key /etc/ssl/private/www.hostmauritius.com.key -out /etc/ssl/csr/www.hostmauritius.com.csr

You will be asked a few questions. Please fill in your details; they will be used for creating the trusted certificate and can be seen by your visitors when they choose to view the details of your certificate in their browsers. The most important thing is the Common Name - this must be the domain or hostname of your SSL vhost (www.hostmauritius.com in this case)!

root@server1:~# openssl req -new -key /etc/ssl/private/www.hostmauritius.com.key -out /etc/ssl/csr/www.hostmauritius.com.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]: <-- DE
State or Province Name (full name) [Some-State]: <-- Lower Saxony
Locality Name (eg, city) []: <-- Lueneburg
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Example Ltd
Organizational Unit Name (eg, section) []: <-- IT
Common Name (eg, YOUR name) []: <-- www.hostmauritius.com
Email Address []: <-- [email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER
root@server1:~#

Afterwards, you should have a CSR in /etc/ssl/csr/www.hostmauritius.com.csr, e.g. as follows:

cat /etc/ssl/csr/www.hostmauritius.com.csr


 

6 Getting A Trusted Certificate

To get a trusted certificate, you have to take your certificate signing request (CSR) to a certificate authority (CA) such as Verisign, Thawte, or Comodo (please note that you have to pay for a trusted certificate). Certificates issued by such a CA are trusted by all browsers, which means you won't see any browser warnings anymore.

Setting Up An NFS Server And Client On Debian Lenny

Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com> Last edited 03/12/2009

This guide explains how to set up an NFS server and an NFS client on Debian Lenny. NFS stands for Network File System; through NFS, a client can access (read, write) a remote share on an NFS server as if it were on the local hard disk.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I'm using two Debian systems here:

NFS Server: server.example.com, IP address: 192.168.0.100
NFS Client: client.example.com, IP address: 192.168.0.101

 

2 Installing NFS

server:

On the NFS server we run:

apt-get install nfs-kernel-server nfs-common portmap

client:

On the client we can install NFS as follows:

apt-get install nfs-common portmap

 

3 Exporting Directories On The Server

server:

I'd like to make the directories /home and /var/nfs accessible to the client; therefore we must "export" them on the server.

When a client accesses an NFS share, this normally happens as the user nobody. Usually the /home directory isn't owned by nobody (and I don't recommend changing its ownership to nobody!), and because we want to read and write on /home, we tell NFS that accesses should be made as root (if our /home share were read-only, this wouldn't be necessary). The /var/nfs directory doesn't exist yet, so we create it and change its ownership to nobody and nogroup:

mkdir /var/nfs
chown nobody:nogroup /var/nfs

Now we must modify /etc/exports where we "export" our NFS shares. We specify /home and /var/nfs as NFS shares and tell NFS to make accesses to /home as root (to learn more about /etc/exports, its format and available options, take a look at

man 5 exports

)

vi /etc/exports

# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home           192.168.0.101(rw,sync,no_root_squash,no_subtree_check)
/var/nfs        192.168.0.101(rw,sync,no_subtree_check)

(The no_root_squash option means that /home will be accessed as root.)

Whenever we modify /etc/exports, we must run

exportfs -a

afterwards to make the changes effective.
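Because no_root_squash gives a remote root the local root's rights on the share, it is worth checking an exports file for such settings before running exportfs -a. The following audit script is an added example, not from the tutorial: the function names audit_exports and exports_finding_count are my own, and it flags no_root_squash, the insecure option (unprivileged source ports), and entries exported to every host.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit an exports(5)
# file for settings that widen access on an NFS server. One finding per
# line for:
#   - no_root_squash   remote root acts as local root on the share (the
#                      tutorial enables this deliberately for /home)
#   - insecure         requests from unprivileged source ports are accepted
#   - every host       no client given, or the client is "*" or "(opts)"
# The file path is a parameter; the live /etc/exports is read only if you
# pass it.

# audit_exports FILE -> prints findings, exit status 0
audit_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        {
            path = $1
            if (NF == 1) {                    # "/dir" alone: exported to everyone
                print path ": exported to every host (no client specified)"
                next
            }
            for (i = 2; i <= NF; i++) {
                spec = $i; host = spec; opts = ""
                # split "host(opt,opt)" into host and option list;
                # "(rw)" with no host in front also means every host
                if (match(spec, /\(.*\)$/)) {
                    host = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                label = path " [" host "]"
                if (host == "" || host == "*") {
                    print label ": client \"" host "\" matches every host"
                }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    print label ": no_root_squash lets remote root write as local root"
                }
                if (opts ~ /(^|,)insecure(,|$)/) {
                    print label ": insecure accepts clients on unprivileged ports"
                }
            }
        }
    ' "$1"
}

# exports_finding_count FILE -> echoes the number of findings
exports_finding_count() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# Run by hand on the live file:  sh audit-exports.sh /etc/exports
if [ $# -eq 1 ] && [ -f "$1" ]; then
    audit_exports "$1"
    echo "findings: $(exports_finding_count "$1")"
fi
```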

 

4 Mounting The NFS Shares On The Client

client:

First we create the directories where we want to mount the NFS shares, e.g.:

mkdir -p /mnt/nfs/home
mkdir -p /mnt/nfs/var/nfs

Afterwards, we can mount them as follows:

mount 192.168.0.100:/home /mnt/nfs/home
mount 192.168.0.100:/var/nfs /mnt/nfs/var/nfs

You should now see the two NFS shares in the outputs of

df -h

client:~# df -h

Filesystem            Size  Used Avail Use% Mounted on

/dev/mapper/vg0-root   19G  676M   17G   4% /

tmpfs                 253M     0  253M   0% /lib/init/rw

udev                   10M   80K   10M   1% /dev

tmpfs                 253M     0  253M   0% /dev/shm

/dev/sda1             471M   20M  427M   5% /boot

192.168.0.100:/home    29G  684M   27G   3% /mnt/nfs/home

192.168.0.100:/var/nfs

                       29G  684M   27G   3% /mnt/nfs/var/nfs

client:~#

and

mount

client:~# mount

/dev/mapper/vg0-root on / type ext3 (rw,errors=remount-ro)

tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)

proc on /proc type proc (rw,noexec,nosuid,nodev)

sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)

udev on /dev type tmpfs (rw,mode=0755)

tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)

devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)

/dev/sda1 on /boot type ext3 (rw)

192.168.0.100:/home on /mnt/nfs/home type nfs (rw,addr=192.168.0.100)

192.168.0.100:/var/nfs on /mnt/nfs/var/nfs type nfs (rw,addr=192.168.0.100)

client:~#

 

5 Testing

On the client, you can now try to create test files on the NFS shares:

client:

touch /mnt/nfs/home/test.txt
touch /mnt/nfs/var/nfs/test.txt

Now go to the server and check if you can see both test files:

server:

ls -l /home/

server:~# ls -l /home/

total 4

drwxr-xr-x 2 administrator administrator 4096 2009-02-16 13:18 administrator

-rw-r--r-- 1 root          root             0 2009-03-12 17:08 test.txt

server:~#

ls -l /var/nfs

server:~# ls -l /var/nfs

total 0

-rw-r--r-- 1 nobody nogroup 0 2009-03-12 17:08 test.txt

server:~#

(Please note the different ownerships of the test files: the /home NFS share gets accessed as root, therefore /home/test.txt is owned by root; the /var/nfs share gets accessed as nobody, therefore /var/nfs/test.txt is owned by nobody.)

 

6 Mounting NFS Shares At Boot Time

Instead of mounting the NFS shares manually on the client, you could modify /etc/fstab so that the NFS shares get mounted automatically when the client boots.

client:

Open /etc/fstab and append the following lines:

vi /etc/fstab

[...]
192.168.0.100:/home /mnt/nfs/home nfs rw,sync,hard,intr 0 0
192.168.0.100:/var/nfs /mnt/nfs/var/nfs nfs rw,sync,hard,intr 0 0

Instead of rw,sync,hard,intr you can use different mount options. To learn more about available options, take a look at

man nfs

To test if your modified /etc/fstab is working, reboot the client:

reboot

After the reboot, you should find the two NFS shares in the outputs of

df -h

client:~# df -h

Filesystem            Size  Used Avail Use% Mounted on

/dev/mapper/vg0-root   19G  676M   17G   4% /

tmpfs                 253M     0  253M   0% /lib/init/rw

udev                   10M   80K   10M   1% /dev

tmpfs                 253M     0  253M   0% /dev/shm

/dev/sda1             471M   20M  427M   5% /boot

192.168.0.100:/home    29G  684M   27G   3% /mnt/nfs/home

192.168.0.100:/var/nfs

                       29G  684M   27G   3% /mnt/nfs/var/nfs

client:~#

and

mount

client:~# mount

/dev/mapper/vg0-root on / type ext3 (rw,errors=remount-ro)

tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)

proc on /proc type proc (rw,noexec,nosuid,nodev)

sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)

udev on /dev type tmpfs (rw,mode=0755)

tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)

devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)

/dev/sda1 on /boot type ext3 (rw)

192.168.0.100:/home on /mnt/nfs/home type nfs (rw,sync,hard,intr,addr=192.168.0.100)

192.168.0.100:/var/nfs on /mnt/nfs/var/nfs type nfs (rw,sync,hard,intr,addr=192.168.0.100)

client:~#

Installing MyDNS-NG & MyDNSConfig 3 On Debian Lenny

Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com> Last edited 04/06/2009

In this tutorial I will describe how to install and configure MyDNS-NG and MyDNSConfig 3 on Debian Lenny. MyDNS-NG (based on MyDNS, originally written by Don Moore - http://mydns.bboy.net/) is a DNS server that uses a MySQL database as its backend instead of configuration files, unlike, for example, Bind or djbdns. The advantage is that MyDNS simply reads the records from the database, so it does not have to be restarted/reloaded when DNS records change or zones are created/edited/deleted. A secondary nameserver can easily be set up by installing a second instance of MyDNS that accesses the same database or, for more redundancy, by using MySQL master/slave replication to replicate the data to the secondary nameserver.

MyDNSConfig is an easy to use web-based interface to MyDNS-NG. MyDNSConfig can create all types of DNS records that are available in MyDNS and adds features like user management and access privileges.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings might differ for you, so you have to replace them where appropriate.

 

2 Installing MySQL

We can install MySQL as follows:

aptitude install mysql-client mysql-server

You will be asked the following questions:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

 

3 Installing Apache2, PHP, phpMyAdmin

MyDNSConfig needs a web server with PHP support; therefore I install Apache2. I also install phpMyAdmin so that I can access the database later on over a web interface (although this is optional):

aptitude install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick vlogger

You will see the following question:

Web server to reconfigure automatically: <-- apache2

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include:

a2enmod suexec rewrite ssl actions include

Secure phpMyAdmin by deleting the /etc/phpmyadmin/htpasswd.setup file...

rm -f /etc/phpmyadmin/htpasswd.setup

... and remove or comment out the following section in /etc/phpmyadmin/apache.conf:

vi /etc/phpmyadmin/apache.conf

[...]
#    # Authorize for setup
#    <Files setup.php>
#        # For Apache 1.3 and 2.0
#        <IfModule mod_auth.c>
#            AuthType Basic
#            AuthName "phpMyAdmin Setup"
#            AuthUserFile /etc/phpmyadmin/htpasswd.setup
#        </IfModule>
#        # For Apache 2.2
#        <IfModule mod_authn_file.c>
#            AuthType Basic
#            AuthName "phpMyAdmin Setup"
#            AuthUserFile /etc/phpmyadmin/htpasswd.setup
#        </IfModule>
#        Require valid-user
#    </Files>
[...]

Restart Apache afterwards:

/etc/init.d/apache2 restart

You can now access phpMyAdmin under http://server1.example.com/phpmyadmin/ or http://192.168.0.100/phpmyadmin/.

 

4 Installing MyDNS

Before we install MyDNS, we need to install a few prerequisites:

aptitude install g++ libc6 gcc gawk make texinfo libmysqlclient15-dev

MyDNS is not available in the Debian Lenny repositories, therefore we have to build it ourselves as follows:

cd /tmp
wget http://heanet.dl.sourceforge.net/sourceforge/mydns-ng/mydns-1.2.8.27.tar.gz
tar xvfz mydns-1.2.8.27.tar.gz
cd mydns-1.2.8
./configure
make
make install

Next we create the start/stop script for MyDNS:

vi /etc/init.d/mydns

#! /bin/sh
#
# mydns         Start the MyDNS server
#
# Author:       Philipp Kern <[email protected]>.
#               Based upon skeleton 1.9.4 by Miquel van Smoorenburg
#               <[email protected]> and Ian Murdock <[email protected]>.
#

set -e

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/mydns
NAME=mydns
DESC="DNS server"

SCRIPTNAME=/etc/init.d/$NAME

# Gracefully exit if the package has been removed.
test -x $DAEMON || exit 0

case "$1" in
  start)
    echo -n "Starting $DESC: $NAME"
    start-stop-daemon --start --quiet \
        --exec $DAEMON -- -b
    echo "."
    ;;
  stop)
    echo -n "Stopping $DESC: $NAME"
    start-stop-daemon --stop --oknodo --quiet \
        --exec $DAEMON
    echo "."
    ;;
  reload|force-reload)
    echo -n "Reloading $DESC configuration..."
    start-stop-daemon --stop --signal HUP --quiet \
        --exec $DAEMON
    echo "done."
    ;;
  restart)
    echo -n "Restarting $DESC: $NAME"
    start-stop-daemon --stop --quiet --oknodo \
        --exec $DAEMON
    sleep 1
    start-stop-daemon --start --quiet \
        --exec $DAEMON -- -b
    echo "."
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
    exit 1
    ;;
esac

exit 0

Then we make the script executable and create the system startup links for it:

chmod +x /etc/init.d/mydns
update-rc.d mydns defaults

5 Installing MyDNSConfig 3

We can install MyDNSConfig 3 as follows:

cd /tmp
wget http://downloads.sourceforge.net/mydnsconfig/MyDNSConfig-3.0.1.tar.gz?use_mirror=
tar xvfz MyDNSConfig-3.0.1.tar.gz
cd mydnsconfig/install/
php -q install.php

This will start the MyDNSConfig 3 installer:

server1:/tmp/mydnsconfig/install# php -q install.php

--------------------------------------------------------------------------------
 __  __       _____  _   _  _____  _____             __ _
|  \/  |     |  __ \| \ | |/ ____|/ ____|           / _(_)
| \  / |_   _| |  | |  \| | (___ | |     ___  _ __ | |_ _  __ _
| |\/| | | | | |  | | . ` |\___ \| |    / _ \| '_ \|  _| |/ _` |
| |  | | |_| | |__| | |\  |____) | |___| (_) | | | | | | | (_| |
|_|  |_|\__, |_____/|_| \_|_____/ \_____\___/|_| |_|_| |_|\__, |
         __/ |                                             __/ |
        |___/                                             |___/
--------------------------------------------------------------------------------

>> Initial configuration

Operating System: Debian Lenny/Sid or compatible

    Following will be a few questions for primary configuration so be careful.
    Default values are in [brackets] and can be accepted with <ENTER>.
    Tap in "quit" (without the quotes) to stop the installer.

Select language (en,de) [en]: <-- ENTER
Installation mode (standard,expert) [standard]: <-- ENTER
Full qualified hostname (FQDN) of the server, eg server1.domain.tld [server1.example.com]: <-- ENTER
MySQL server hostname [localhost]: <-- ENTER
MySQL root username [root]: <-- ENTER
MySQL root password []: <-- yourrootsqlpassword
MySQL database to create [dbmydnsconfig]: <-- ENTER
MySQL charset [utf8]: <-- ENTER
Configuring MyDNS
Configuring Apache
Configuring Firewall
Installing MyDNSConfig
MyDNSConfig Port [8080]: <-- ENTER
Installing Crontab
no crontab for root
Restarting services ...
Restarting web server: apache2 ... waiting .
Installation completed.
server1:/tmp/mydnsconfig/install#

The installer automatically configures all underlying services, so no manual configuration is needed.

Afterwards you can access MyDNSConfig 3 under http://server1.example.com:8080/ or http://192.168.0.100:8080/. Log in with the username admin and the password admin (you should change the default password after your first login):

 

6 Using MyDNSConfig 3

The DNS tab is the most important part of MyDNSConfig because that's where you can create zones and records, so I will focus on that tab.

To create a new zone, click on the Add new DNS Zone (SOA) button:

Now you can fill in the details of the zone, e.g. the domain name, the primary nameserver, and the email address of the zone administrator (please note that you must replace the @ sign with a dot!); these three details must end with a dot! You can leave the other details as they are. You can now save the zone or go directly to the Records tab (this will save the zone details automatically):

On the records tab, you can now create all kinds of DNS records (A, CNAME, MX, NS, TXT, etc.) - just click on the appropriate button:

For example, here's the form for creating NS records (please keep in mind that if you write full hostnames, they must end with a dot!):

 

7 Updating MyDNSConfig 3

Whenever there's a newer MyDNSConfig 3 release, you can update your MyDNSConfig 3 installation as follows:

mydnsconfig_update.sh

This will bring up the update wizard. PLEASE NOTE: you can upgrade to the latest stable version and to the svn version. It is highly recommended to upgrade to the latest stable version as the svn version is used for development and might contain bugs. YOU HAVE BEEN WARNED!!!

 

8 Upgrading From MyDNSConfig 1.x To MyDNSConfig 3.x

There's no direct upgrade path from MyDNSConfig 1.x to MyDNSConfig 3.x, however it is easy to import the DNS records from MyDNSConfig 1.x into MyDNSConfig 3.x.

In this chapter I assume that your old MyDNSConfig 1.x uses the database table mydns, and that your new MyDNSConfig 3 installation uses the database dbmydnsconfig.

First install MyDNSConfig 3 as follows:

cd /tmp
wget http://downloads.sourceforge.net/mydnsconfig/MyDNSConfig-3.0.1.tar.gz?use_mirror=
tar xvfz MyDNSConfig-3.0.1.tar.gz
cd mydnsconfig/install/
php -q install.php

Follow the installation wizard. After the installation has finished (and BEFORE you create any records in the MyDNSConfig 3 web interface!!!), open phpMyAdmin or a MySQL shell and execute the following MySQL queries (as the MySQL root user) to import the DNS records from your old MyDNSConfig 1.x installation into MyDNSConfig 3 (make sure you use the correct database names - you must replace `mydns` and `dbmydnsconfig` if your database names differ!):

ALTER TABLE `mydns`.`rr`
  ADD `server_id` int(11) NOT NULL default '1',
  ADD `active` enum('N','Y') NOT NULL default 'Y',
  ADD `stamp` timestamp NOT NULL default CURRENT_TIMESTAMP,
  ADD `serial` int(10) unsigned default NULL;

ALTER TABLE `mydns`.`rr`
  MODIFY `sys_userid` int(11) unsigned NOT NULL AFTER `id`,
  MODIFY `sys_groupid` int(11) unsigned NOT NULL AFTER `sys_userid`,
  MODIFY `sys_perm_user` varchar(5) NOT NULL AFTER `sys_groupid`,
  MODIFY `sys_perm_group` varchar(5) NOT NULL AFTER `sys_perm_user`,
  MODIFY `sys_perm_other` varchar(5) NOT NULL AFTER `sys_perm_group`,
  MODIFY `server_id` int(11) NOT NULL default '1' AFTER `sys_perm_other`;

INSERT INTO `dbmydnsconfig`.`dns_rr`
  SELECT * FROM `mydns`.`rr`;

UPDATE `dbmydnsconfig`.`dns_rr`
  SET `sys_userid` = 1, `sys_groupid` = 0, `sys_perm_user` = 'riud',
      `sys_perm_group` = 'riud', `sys_perm_other` = '', `server_id` = 1;

ALTER TABLE `mydns`.`soa`
  ADD `server_id` int(11) NOT NULL default '1';

ALTER TABLE `mydns`.`soa`
  MODIFY `sys_userid` int(11) unsigned NOT NULL AFTER `id`,
  MODIFY `sys_groupid` int(11) unsigned NOT NULL AFTER `sys_userid`,
  MODIFY `sys_perm_user` varchar(5) NOT NULL AFTER `sys_groupid`,
  MODIFY `sys_perm_group` varchar(5) NOT NULL AFTER `sys_perm_user`,
  MODIFY `sys_perm_other` varchar(5) NOT NULL AFTER `sys_perm_group`,
  MODIFY `server_id` int(11) NOT NULL default '1' AFTER `sys_perm_other`;

INSERT INTO `dbmydnsconfig`.`dns_soa`
  SELECT * FROM `mydns`.`soa`;

UPDATE `dbmydnsconfig`.`dns_soa`
  SET `sys_userid` = 1, `sys_groupid` = 0, `sys_perm_user` = 'riud',
      `sys_perm_group` = 'riud', `sys_perm_other` = '', `server_id` = 1;

Afterwards, you can access MyDNSConfig 3 on port 8080 (e.g. http://server1.example.com:8080 or http://192.168.0.100:8080); the default login is username admin and password admin.

Please note that these MySQL queries make all zones owned by admin. If you have zones that should be owned by someone else, create a client for each user in MyDNSConfig 3, then go to the DNS tab and select the correct client for those zones.

Virtual Users And Domains With Postfix, Courier, MySQL And SquirrelMail (Debian Lenny)

Version 1.0 Author: Falko Timme <ft [at] falkotimme [dot] com> Last edited 02/20/2009

This tutorial is Copyright (c) 2009 by Falko Timme. It is derived from a tutorial from Christoph Haas which you can find at http://workaround.org. You are free to use this tutorial under the Creative Commons license 2.5 or any later version.

This document describes how to install a Postfix mail server that is based on virtual users and domains, i.e. users and domains that are in a MySQL database. I'll also demonstrate the installation and configuration of Courier (Courier-POP3, Courier-IMAP), so that Courier can authenticate against the same MySQL database Postfix uses.

The resulting Postfix server is capable of SMTP-AUTH and TLS and quota (quota is not built into Postfix by default, I'll show how to patch your Postfix appropriately). Passwords are stored in encrypted form in the database (most documents I found were dealing with plain text passwords which is a security risk). In addition to that, this tutorial covers the installation of Amavisd, SpamAssassin and ClamAV so that emails will be scanned for spam and viruses. I will also show how to install SquirrelMail as a webmail interface so that users can read and send emails and change their passwords.

The advantage of such a "virtual" setup (virtual users and domains in a MySQL database) is that it is far more performant than a setup that is based on "real" system users. With this virtual setup your mail server can handle thousands of domains and users. Besides, it is easier to administrate because you only have to deal with the MySQL database when you add new users/domains or edit existing ones. No more postmap commands to create db files, no more reloading of Postfix, etc. For the administration of the MySQL database you can use web based tools like phpMyAdmin which will also be installed in this howto. The third advantage is that users have an email address as user name (instead of a user name + an email address) which is easier to understand and keep in mind.

This howto is meant as a practical guide; it does not cover the theoretical background, which is treated in many other documents on the web.

This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

This tutorial is based on Debian Lenny, so you should set up a basic Debian Lenny server installation before you continue with this tutorial (e.g. as shown in chapters 1 - 7 of this tutorial: The Perfect Server - Debian Lenny (Debian 5.0) [ISPConfig 2]). The system should have a static IP address. I use 192.168.0.100 as my IP address in this tutorial and server1.example.com as the hostname.

 

2 Install Postfix, Courier, Saslauthd, MySQL, phpMyAdmin

To install Postfix, Courier, Saslauthd, MySQL, and phpMyAdmin, we simply run

apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl postfix-tls libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl phpmyadmin apache2 libapache2-mod-php5 php5 php5-mysql libpam-smbpass

You will be asked a few questions:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword
Create directories for web-based administration? <-- No
General type of mail configuration: <-- Internet Site
System mail name: <-- server1.example.com
SSL certificate required <-- Ok
Workgroup/Domain Name: <-- WORKGROUP
Modify smb.conf to use WINS settings from DHCP? <-- No
Web server to reconfigure automatically: <-- apache2

3 Apply The Quota Patch To Postfix

We have to get the Postfix sources, patch them with the quota patch, build new Postfix .deb packages and install those .deb packages:

apt-get build-dep postfix

cd /usr/src
apt-get source postfix

(Make sure you use the correct Postfix version in the following commands. I have Postfix 2.5.5 installed. You can find out your Postfix version by running

postconf -d | grep mail_version

The output should look like this:

server1:/usr/src# postconf -d | grep mail_version

mail_version = 2.5.5

milter_macro_v = $mail_name $mail_version

server1:/usr/src#

)

wget http://vda.sourceforge.net/VDA/postfix-2.5.5-vda-ng.patch.gz
gunzip postfix-2.5.5-vda-ng.patch.gz
cd postfix-2.5.5
patch -p1 < ../postfix-2.5.5-vda-ng.patch
dpkg-buildpackage

You might see a warning like this at the end of the dpkg-buildpackage command:

dpkg-buildpackage: warning: Failed to sign .dsc and .changes file

You can ignore this message.

Now we go one directory up, that's where the new .deb packages have been created:

cd ..

The command

ls -l

shows you the available packages:

server1:/usr/src# ls -l
total 5880
drwxr-xr-x 19 root root    4096 2009-02-20 14:15 postfix-2.5.5
-rw-r--r--  1 root src   236910 2009-02-20 14:12 postfix_2.5.5-1.1.diff.gz
-rw-r--r--  1 root src     1178 2009-02-20 14:12 postfix_2.5.5-1.1.dsc
-rw-r--r--  1 root src     3695 2009-02-20 14:17 postfix_2.5.5-1.1_i386.changes
-rw-r--r--  1 root src  1233138 2009-02-20 14:17 postfix_2.5.5-1.1_i386.deb
-rw-r--r--  1 root src  3157877 2008-09-02 23:18 postfix_2.5.5.orig.tar.gz
-rw-r--r--  1 root src    58389 2008-09-06 05:02 postfix-2.5.5-vda-ng.patch
-rw-r--r--  1 root src    41572 2009-02-20 14:17 postfix-cdb_2.5.5-1.1_i386.deb
-rw-r--r--  1 root src   141394 2009-02-20 14:17 postfix-dev_2.5.5-1.1_all.deb
-rw-r--r--  1 root src   915978 2009-02-20 14:17 postfix-doc_2.5.5-1.1_all.deb
-rw-r--r--  1 root src    48934 2009-02-20 14:17 postfix-ldap_2.5.5-1.1_i386.deb
-rw-r--r--  1 root src    43512 2009-02-20 14:17 postfix-mysql_2.5.5-1.1_i386.deb
-rw-r--r--  1 root src    43448 2009-02-20 14:17 postfix-pcre_2.5.5-1.1_i386.deb
-rw-r--r--  1 root src    43586 2009-02-20 14:17 postfix-pgsql_2.5.5-1.1_i386.deb
server1:/usr/src#

Pick the postfix and postfix-mysql packages and install them like this:

dpkg -i postfix_2.5.5-1.1_i386.deb postfix-mysql_2.5.5-1.1_i386.deb

 

4 Create The MySQL Database For Postfix/Courier

Now we create a database called mail:

mysqladmin -u root -p create mail

Next, we go to the MySQL shell:

mysql -u root -p

On the MySQL shell, we create the user mail_admin with the password mail_admin_password (replace it with your own password) who has SELECT, INSERT, UPDATE, DELETE privileges on the mail database. This user will be used by Postfix and Courier to connect to the mail database:

GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost' IDENTIFIED BY 'mail_admin_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON mail.* TO 'mail_admin'@'localhost.localdomain' IDENTIFIED BY 'mail_admin_password';
FLUSH PRIVILEGES;

Still on the MySQL shell, we create the tables needed by Postfix and Courier:

USE mail;

CREATE TABLE domains (
  domain varchar(50) NOT NULL,
  PRIMARY KEY (domain)
) TYPE=MyISAM;

CREATE TABLE forwardings (
  source varchar(80) NOT NULL,
  destination TEXT NOT NULL,
  PRIMARY KEY (source)
) TYPE=MyISAM;

CREATE TABLE users (
  email varchar(80) NOT NULL,
  password varchar(20) NOT NULL,
  quota bigint(20) DEFAULT '10485760',
  PRIMARY KEY (email)
) TYPE=MyISAM;

CREATE TABLE transport (
  domain varchar(128) NOT NULL default '',
  transport varchar(128) NOT NULL default '',
  UNIQUE KEY domain (domain)
) TYPE=MyISAM;

quit;

As you may have noticed, with the quit; command we have left the MySQL shell and are back on the Linux shell.

The domains table will store each virtual domain that Postfix should receive emails for (e.g. example.com).

domain
example.com

The forwardings table is for aliasing one email address to another, e.g. forward emails for [email protected] to [email protected].

source               destination
[email protected]    [email protected]

The users table stores all virtual users (i.e. email addresses, because the email address and user name are the same) and passwords (in encrypted form!) and a quota value for each mail box (in this example the default value is 10485760 bytes, which means 10MB).

email                password                                      quota
[email protected]    No9.E4skNvGa. ("secret" in encrypted form)    10485760

The transport table is optional; it is for advanced users. It allows you to forward mails for single users, whole domains or all mails to another server. For example,

domain          transport
example.com     smtp:[1.2.3.4]

would forward all emails for example.com via the smtp protocol to the server with the IP address 1.2.3.4 (the square brackets [] mean "do not look up the MX DNS record", which makes sense for IP addresses; if you use a fully qualified domain name (FQDN) instead, you would not use the square brackets).

BTW, (I'm assuming that the IP address of your mail server system is 192.168.0.100) you can access phpMyAdmin over http://192.168.0.100/phpmyadmin/ in a browser and log in as mail_admin. Then you can have a look at the database. Later on you can use phpMyAdmin to administrate your mail server.

5 Configure Postfix

Now we have to tell Postfix where it can find all the information in the database. Therefore we have to create six text files. You will notice that I tell Postfix to connect to MySQL on the IP address 127.0.0.1 instead of localhost. This is because Postfix is running in a chroot jail and does not have access to the MySQL socket, which it would try to connect to if I told Postfix to use localhost. If I use 127.0.0.1, Postfix uses TCP networking to connect to MySQL, which is no problem even in a chroot jail (the alternative would be to move the MySQL socket into the chroot jail, which causes some other problems).

Please make sure that /etc/mysql/my.cnf contains the following line:

vi /etc/mysql/my.cnf

[...]
bind-address = 127.0.0.1
[...]

If you had to modify /etc/mysql/my.cnf, please restart MySQL now:

/etc/init.d/mysql restart

Run

netstat -tap | grep mysql

to make sure that MySQL is listening on 127.0.0.1 (localhost.localdomain):

server1:/usr/src# netstat -tap | grep mysql
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      4559/mysqld
server1:/usr/src#
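The same check can be scripted. The following is an added example, not part of the tutorial: it parses netstat -tap output like the listing above (rejoining lines the terminal wrapped) and reports any service that is expected to listen on 127.0.0.1 only but is bound to all interfaces. The loopback-only set covers MySQL plus the amavisd-new and Postfix re-injection ports (10024, 10025) that this tutorial configures later; the sample listing and the PORT_NAMES table are constructed, with the 10025 listener deliberately bound to * so the check has something to report.

```python
"""Find services that should only listen on the loopback address but do not.

Added example, not from the tutorial. It parses `netstat -tap` output as shown
above. The sample below is constructed; the 10025 listener is deliberately
bound to all interfaces so that the check has something to report.
"""

# Ports that this tutorial binds to 127.0.0.1: MySQL (bind-address), and later
# amavisd-new (10024) and Postfix's re-injection smtpd (10025).
LOOPBACK_ONLY = {"mysql", "10024", "10025"}

# netstat prints service names from /etc/services; map numbers to the same names
# so that "3306" and "mysql" are treated alike (partial table, constructed here).
PORT_NAMES = {"3306": "mysql", "25": "smtp", "110": "pop3", "143": "imap", "22": "ssh"}

SAMPLE = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      4559/
mysqld
tcp        0      0 localhost.localdo:10024 *:*                     LISTEN      20746/amavisd (mast
tcp        0      0 *:10025                 *:*                     LISTEN      21718/master
tcp        0      0 *:smtp                  *:*                     LISTEN      21718/master
tcp        0      0 *:ssh                   *:*                     LISTEN      1709/sshd
"""


def unwrap(text):
    """Rejoin continuation lines: in a narrow terminal netstat wraps the
    PID/Program name column onto the next line, as in the mysqld line above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(("tcp", "udp")) or not lines:
            lines.append(raw)
        else:
            lines[-1] += raw
    return lines


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1, including netstat's (possibly truncated) hostnames."""
    return (addr in ("127.0.0.1", "::1", "localhost", "ip6-localhost")
            or addr.startswith(("127.", "localhost.")))


def parse_listeners(text):
    """Return (local_address, port, program) for every TCP socket in LISTEN state."""
    listeners = []
    for line in unwrap(text):
        fields = line.split(None, 6)  # proto recv-q send-q local foreign state pid/program
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        program = fields[6].split("/", 1)[1] if len(fields) == 7 and "/" in fields[6] else "?"
        listeners.append((addr, PORT_NAMES.get(port, port), program))
    return listeners


def exposed_services(text, loopback_only=LOOPBACK_ONLY):
    """Listeners that must be loopback-only but accept connections on other interfaces."""
    return [(addr, port, program) for addr, port, program in parse_listeners(text)
            if port in loopback_only and not is_loopback(addr)]


if __name__ == "__main__":
    for addr, port, program in exposed_services(SAMPLE):
        print(f"WARNING: {program} listens on {addr}:{port}, expected 127.0.0.1 only")
```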

Now let's create our six text files.

vi /etc/postfix/mysql-virtual_domains.cf

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_forwardings.cf

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT destination FROM forwardings WHERE source='%s'
hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_mailboxes.cf

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'
hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_email2email.cf

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT email FROM users WHERE email='%s'
hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_transports.cf

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT transport FROM transport WHERE domain='%s'
hosts = 127.0.0.1

vi /etc/postfix/mysql-virtual_mailbox_limit_maps.cf

user = mail_admin
password = mail_admin_password
dbname = mail
query = SELECT quota FROM users WHERE email='%s'
hosts = 127.0.0.1

Then change the permissions and the group of these files:

chmod o= /etc/postfix/mysql-virtual_*.cf
chgrp postfix /etc/postfix/mysql-virtual_*.cf

Now we create a user and group called vmail with the home directory /home/vmail. This is where all mail boxes will be stored.

groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /home/vmail -m

Next we do some Postfix configuration. Make sure that you replace server1.example.com with a valid FQDN, otherwise your Postfix might not work properly!

postconf -e 'myhostname = server1.example.com'
postconf -e 'mydestination = server1.example.com, localhost, localhost.localdomain'
postconf -e 'mynetworks = 127.0.0.0/8'
postconf -e 'message_size_limit = 30720000'
postconf -e 'virtual_alias_domains ='
postconf -e 'virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf'
postconf -e 'virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf'
postconf -e 'virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf'
postconf -e 'virtual_mailbox_base = /home/vmail'
postconf -e 'virtual_uid_maps = static:5000'
postconf -e 'virtual_gid_maps = static:5000'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/smtpd.cert'
postconf -e 'smtpd_tls_key_file = /etc/postfix/smtpd.key'
postconf -e 'transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf'
postconf -e 'virtual_create_maildirsize = yes'
postconf -e 'virtual_maildir_extended = yes'
postconf -e 'virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf'
postconf -e 'virtual_mailbox_limit_override = yes'
postconf -e 'virtual_maildir_limit_message = "The user you are trying to reach is over quota."'
postconf -e 'virtual_overquota_bounce = yes'
postconf -e 'proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps'
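To see how the six map files and the smtpd_recipient_restrictions line above work together, here is an added example (not part of the tutorial, and not Postfix code): it rebuilds the tables from section 4 in an in-memory SQLite database with constructed rows, runs the lookups the mysql-virtual_*.cf queries perform, and evaluates the restriction list in the order given, so you can confirm that an unauthenticated remote client may deliver to a virtual domain but may not relay elsewhere. SQLite has no SUBSTRING_INDEX, so the maildir path is computed in Python; the transport table is omitted because it does not affect the relay decision.

```python
"""Model of the MySQL maps and recipient restrictions configured above.

Added example, not from the tutorial and not Postfix code: the tables from
section 4 are rebuilt in an in-memory SQLite database with constructed rows,
the lookups of the mysql-virtual_*.cf files are run against them, and the
smtpd_recipient_restrictions list is evaluated in the order given above.
"""
import ipaddress
import sqlite3

# Values from the postconf -e commands above.
MYDESTINATION = {"server1.example.com", "localhost", "localhost.localdomain"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
VIRTUAL_MAILBOX_BASE = "/home/vmail"

SCHEMA = """
CREATE TABLE domains (domain TEXT NOT NULL PRIMARY KEY);
CREATE TABLE forwardings (source TEXT NOT NULL PRIMARY KEY, destination TEXT NOT NULL);
CREATE TABLE users (email TEXT NOT NULL PRIMARY KEY, password TEXT NOT NULL,
                    quota INTEGER DEFAULT 10485760);
"""


def build_db():
    """Constructed sample data; the password column holds a crypt(3) hash in real use."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO domains VALUES ('example.com')")
    db.execute("INSERT INTO forwardings VALUES ('info@example.com', 'sales@example.com')")
    db.execute("INSERT INTO users VALUES ('sales@example.com', 'CRYPT_HASH_PLACEHOLDER', 10485760)")
    return db


def maildir_path(email):
    """Same result as the SUBSTRING_INDEX expression in mysql-virtual_mailboxes.cf,
    relative to virtual_mailbox_base (SQLite has no SUBSTRING_INDEX)."""
    local_part = email.split("@", 1)[0]   # SUBSTRING_INDEX(email,'@',1)
    domain = email.rsplit("@", 1)[-1]     # SUBSTRING_INDEX(email,'@',-1)
    return f"{domain}/{local_part}/"


def resolve_recipient(db, rcpt):
    """Run the lookups Postfix performs for one recipient address."""
    rcpt = rcpt.lower()
    domain = rcpt.rsplit("@", 1)[-1]
    # virtual_mailbox_domains: mysql-virtual_domains.cf
    virtual_domain = db.execute("SELECT domain FROM domains WHERE domain=?",
                                (domain,)).fetchone() is not None
    # virtual_alias_maps: forwardings first, then email2email, which maps an
    # existing mailbox to itself (so an unaliased address is delivered unchanged).
    row = db.execute("SELECT destination FROM forwardings WHERE source=?", (rcpt,)).fetchone()
    delivered_to = row[0] if row else rcpt
    # virtual_mailbox_maps and virtual_mailbox_limit_maps: mailbox path and quota
    row = db.execute("SELECT email, quota FROM users WHERE email=?", (delivered_to,)).fetchone()
    return {
        "virtual_domain": virtual_domain,
        "delivered_to": delivered_to,
        "maildir": f"{VIRTUAL_MAILBOX_BASE}/{maildir_path(row[0])}" if row else None,
        "quota": row[1] if row else None,
    }


def recipient_restriction(db, client_ip, sasl_authenticated, rcpt):
    """Evaluate smtpd_recipient_restrictions in order and return the entry that decided.

    'permit' means the list was exhausted, which is Postfix's default action at its end."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):
        return "permit_mynetworks"
    if sasl_authenticated:
        return "permit_sasl_authenticated"
    # reject_unauth_destination: only domains this server is responsible for
    # (mydestination, virtual_mailbox_domains, ...) may be the recipient.
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in MYDESTINATION or resolve_recipient(db, rcpt)["virtual_domain"]:
        return "permit"
    return "reject_unauth_destination"


if __name__ == "__main__":
    db = build_db()
    print(resolve_recipient(db, "info@example.com"))
    for ip, auth, rcpt in [("127.0.0.1", False, "someone@elsewhere.net"),
                           ("203.0.113.5", True, "someone@elsewhere.net"),
                           ("203.0.113.5", False, "sales@example.com"),
                           ("203.0.113.5", False, "someone@elsewhere.net")]:
        print(ip, auth, rcpt, "->", recipient_restriction(db, ip, auth, rcpt))
```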

Afterwards we create the SSL certificate that is needed for TLS:

cd /etc/postfix
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Then change the permissions of the smtpd.key:

chmod o= /etc/postfix/smtpd.key

 

6 Configure Saslauthd

First run

mkdir -p /var/spool/postfix/var/run/saslauthd

Then edit /etc/default/saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":

vi /etc/default/saslauthd

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Then create the file /etc/pam.d/smtp. It should contain only the following two lines (make sure to fill in your correct database details):

vi /etc/pam.d/smtp

auth required pam_mysql.so user=mail_admin passwd=mail_admin_password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail_admin passwd=mail_admin_password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1

Next create the file /etc/postfix/sasl/smtpd.conf. It should look like this:

vi /etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: mail_admin_password
sql_database: mail
sql_select: select password from users where email = '%u'

Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):

adduser postfix sasl

Then restart Postfix and Saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd restart

 

7 Configure Courier

Now we have to tell Courier that it should authenticate against our MySQL database. First, edit /etc/courier/authdaemonrc and change the value of authmodulelist so that it reads:

vi /etc/courier/authdaemonrc

[...]
authmodulelist="authmysql"
[...]

Then make a backup of /etc/courier/authmysqlrc and empty the old file:

cp /etc/courier/authmysqlrc /etc/courier/authmysqlrc_orig
cat /dev/null > /etc/courier/authmysqlrc

Then open /etc/courier/authmysqlrc and put the following lines into it:

vi /etc/courier/authmysqlrc

MYSQL_SERVER localhost
MYSQL_USERNAME mail_admin
MYSQL_PASSWORD mail_admin_password
MYSQL_PORT 0
MYSQL_DATABASE mail
MYSQL_USER_TABLE users
MYSQL_CRYPT_PWFIELD password
#MYSQL_CLEAR_PWFIELD password
MYSQL_UID_FIELD 5000
MYSQL_GID_FIELD 5000
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD "/home/vmail"
MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
#MYSQL_NAME_FIELD
MYSQL_QUOTA_FIELD quota

During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (server1.example.com in this tutorial), delete the certificates...

cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem

... and modify the following two files; replace CN=localhost with CN=server1.example.com (you can also modify the other values, if necessary):

vi /etc/courier/imapd.cnf

[...]
CN=server1.example.com
[...]

vi /etc/courier/pop3d.cnf

[...]
CN=server1.example.com
[...]

Then recreate the certificates...

mkimapdcert
mkpop3dcert

... and restart Courier:

/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop restart
/etc/init.d/courier-pop-ssl restart

By running

telnet localhost pop3

you can see if your POP3 server is working correctly. It should give back +OK Hello there. (Type quit to get back to the Linux shell.)

server1:/etc/courier# telnet localhost pop3
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Hello there.
quit
+OK Better luck next time.
Connection closed by foreign host.
server1:/etc/courier#

 

8 Modify /etc/aliases

Now we should open /etc/aliases. Make sure that postmaster points to root and root to your own username or your email address, e.g. like this:

vi /etc/aliases

[...]
postmaster: root
root: [email protected]
[...]

or like this (if administrator is your own username):

[...]
postmaster: root
root: administrator
[...]

Whenever you modify /etc/aliases, you must run

newaliases

afterwards and restart Postfix:

/etc/init.d/postfix restart

9 Install amavisd-new, SpamAssassin, And ClamAV

To install amavisd-new, spamassassin and clamav, run the following command:

apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 libnet-ph-perl libnet-snpp-perl libnet-telnet-perl nomarch lzop pax

Afterwards we must configure amavisd-new. The configuration is split up into various files which reside in the /etc/amavis/conf.d directory. Take a look at each of them to become familiar with the configuration. Most settings are fine, however we must modify three files:

First we must enable ClamAV and SpamAssassin in /etc/amavis/conf.d/15-content_filter_mode by uncommenting the @bypass_virus_checks_maps and the @bypass_spam_checks_maps lines:

vi /etc/amavis/conf.d/15-content_filter_mode

The file should look like this:

use strict;

# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.

#
# Default antivirus checking mode
# Uncomment the two lines below to enable it back
#

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);


#
# Default SPAM checking mode
# Uncomment the two lines below to enable it back
#

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;  # ensure a defined return

And then you should take a look at the spam settings and the actions for spam-/virus-mails in /etc/amavis/conf.d/20-debian_defaults. There's no need to change anything if the default settings are ok for you. The file contains many explanations so there's no need to explain the settings here:

vi /etc/amavis/conf.d/20-debian_defaults

[...]
$QUARANTINEDIR = "$MYHOME/virusmails";
$quarantine_subdir_levels = 1; # enable quarantine dir hashing

$log_recip_templ = undef;    # disable by-recipient level-0 log entries
$DO_SYSLOG = 1;              # log via syslogd (preferred)
$syslog_ident = 'amavis';    # syslog ident tag, prepended to all messages
$syslog_facility = 'mail';
$syslog_priority = 'debug';  # switch to info to drop debug output, etc

$enable_db = 1;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$enable_global_cache = 1;    # enable use of libdb-based cache if $enable_db=1

$inet_socket_port = 10024;   # default listening socket

$sa_spam_subject_tag = '***SPAM*** ';
$sa_tag_level_deflt  = 2.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.31; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.31; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent
[...]
$final_virus_destiny      = D_DISCARD;  # (data not lost, see virus quarantine)
$final_banned_destiny     = D_BOUNCE;   # D_REJECT when front-end MTA
$final_spam_destiny       = D_BOUNCE;
$final_bad_header_destiny = D_PASS;     # False-positive prone (for spam)
[...]

Finally, edit /etc/amavis/conf.d/50-user and add the line $pax='pax'; in the middle:

vi /etc/amavis/conf.d/50-user

use strict;

#
# Place your configuration directives here.  They will override those in
# earlier files.
#
# See /usr/share/doc/amavisd-new/ for documentation and examples of
# the directives you can use in this file
#

$pax='pax';

#------------ Do not modify anything below this line -------------
1;  # ensure a defined return

Afterwards, run these commands to add the clamav user to the amavis group and to restart amavisd-new and ClamAV:


adduser clamav amavis
/etc/init.d/amavis restart
/etc/init.d/clamav-daemon restart
/etc/init.d/clamav-freshclam restart

Now we have to configure Postfix to pipe incoming email through amavisd-new:

postconf -e 'content_filter = amavis:[127.0.0.1]:10024'
postconf -e 'receive_override_options = no_address_mappings'

Afterwards append the following lines to /etc/postfix/master.cf. The first entry is the transport Postfix uses to hand mail to amavisd-new on port 10024; the second is the re-injection listener on 127.0.0.1:10025, bound to loopback and accepting only from mynetworks=127.0.0.0/8, with content_filter= cleared so that filtered mail is not sent through amavisd-new a second time:

vi /etc/postfix/master.cf

[...]
amavis unix - - - - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_bind_address=127.0.0.1

Then restart Postfix:

/etc/init.d/postfix restart

Now run


netstat -tap

and you should see Postfix (master) listening on port 25 (smtp) and 10025, and amavisd-new on port 10024. Check that 10024 and 10025 are bound to localhost only: neither port authenticates its peer, so they must not be reachable from the network, whereas port 25 listens on all interfaces:

server1:/etc/courier# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdoma:800 *:*                     LISTEN      5288/famd
tcp        0      0 localhost.localdo:10024 *:*                     LISTEN      20746/amavisd (mast
tcp        0      0 localhost.localdo:10025 *:*                     LISTEN      21718/master
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN      4559/mysqld
tcp        0      0 *:58219                 *:*                     LISTEN      1486/rpc.statd
tcp        0      0 *:sunrpc                *:*                     LISTEN      1475/portmap
tcp        0      0 *:ssh                   *:*                     LISTEN      1709/sshd
tcp        0      0 *:smtp                  *:*                     LISTEN      21718/master
tcp        0    148 server1.example.com:ssh localhost:3389          ESTABLISHED 2055/0
tcp6       0      0 [::]:imaps              [::]:*                  LISTEN      18254/couriertcpd
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN      18282/couriertcpd
tcp6       0      0 [::]:pop3               [::]:*                  LISTEN      18265/couriertcpd
tcp6       0      0 [::]:imap2              [::]:*                  LISTEN      18237/couriertcpd
tcp6       0      0 [::]:www                [::]:*                  LISTEN      4818/apache2
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      1709/sshd
server1:/etc/courier#


10 Install Razor, Pyzor And DCC And Configure SpamAssassin

Razor, Pyzor and DCC are spam filters that use a collaborative filtering network. To install Razor and Pyzor, run

apt-get install razor pyzor

DCC isn't available in the Debian Lenny repositories, so we build it from source as follows. Note that the tarball is fetched over plain HTTP without a checksum or signature and is then built and installed as root; if you can obtain a checksum from the DCC project out of band, compare it before running make install:

cd /tmp
wget http://www.dcc-servers.net/dcc/source/dcc-dccproc.tar.Z
tar xzvf dcc-dccproc.tar.Z
cd dcc-dccproc-1.3.102
./configure --with-uid=amavis
make
make install
chown -R amavis:amavis /var/dcc
ln -s /var/dcc/libexec/dccifd /usr/local/bin/dccifd

Now we have to tell SpamAssassin to use these three programs. Edit /etc/spamassassin/local.cf and add the following lines to it:

vi /etc/spamassassin/local.cf

[...]
#dcc
use_dcc 1
dcc_path /usr/local/bin/dccproc

#pyzor
use_pyzor 1
pyzor_path /usr/bin/pyzor

#razor
use_razor2 1
razor_config /etc/razor/razor-agent.conf

#bayes
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1


Then we must enable the DCC plugin in SpamAssassin. Open /etc/spamassassin/v310.pre and uncomment the loadplugin Mail::SpamAssassin::Plugin::DCC line:

vi /etc/spamassassin/v310.pre

[...]
# DCC - perform DCC message checks.
#
# DCC is disabled here because it is not open source. See the DCC
# license for more details.
#
loadplugin Mail::SpamAssassin::Plugin::DCC
[...]

You can check your SpamAssassin configuration by executing:

spamassassin --lint

It shouldn't show any errors.

Restart amavisd-new afterwards:

/etc/init.d/amavis restart

Now we update our SpamAssassin rulesets as follows. Be aware that --no-gpg skips the GPG signature check on the downloaded rules, so you are trusting the download channel alone; once you have imported the SpamAssassin rules signing key with sa-update --import, drop the option:

sa-update --no-gpg

(Next we are going to create a cron job. By default, the crontab -e command launches the nano editor on Debian Lenny. If you are used to vi, you might want to change this:

update-alternatives --config editor

Select your favourite editor:

server1:/tmp/dcc-dccproc-1.3.102# update-alternatives --config editor

There are 4 alternatives which provide `editor'.

  Selection    Alternative
-----------------------------------------------
          1    /bin/ed
*+        2    /bin/nano
          3    /usr/bin/vim.tiny
          4    /usr/bin/vim.nox

Press enter to keep the default[*], or type selection number: <-- 4
Using '/usr/bin/vim.nox' to provide 'editor'.
server1:/tmp/dcc-dccproc-1.3.102#
)

We create a cron job so that the rulesets will be updated regularly. Run

crontab -e

to open the cron job editor. Create the following cron job:

23 4 */2 * * /usr/bin/sa-update --no-gpg > /dev/null 2>&1

This will update the rulesets at 04:23 on every odd-numbered day of the month (*/2 in the day-of-month field). The redirection is written as > /dev/null 2>&1 rather than &> /dev/null because cron runs jobs with /bin/sh, where &> is not portable.

 

11 Quota Exceedance Notifications

If you want to get notifications about all the email accounts that are over quota, then do this:

cd /usr/local/sbin/
wget http://puuhis.net/vhcs/quota.txt
mv quota.txt quota_notify
chmod 755 quota_notify

Open /usr/local/sbin/quota_notify and edit the variables at the top. (The script was fetched over plain HTTP and will run as root from cron, so read through it before you enable it.) Further down in the file (towards the end) there are two lines where you should add a % sign:

vi /usr/local/sbin/quota_notify


[...]
my $POSTFIX_CF = "/etc/postfix/main.cf";
my $MAILPROG = "/usr/sbin/sendmail -t";
my $WARNPERCENT = 80;
my @POSTMASTERS = ('[email protected]');
my $CONAME = 'My Company';
my $COADDR = '[email protected]';
my $SUADDR = '[email protected]';
my $MAIL_REPORT = 1;
my $MAIL_WARNING = 1;
[...]
 print "Subject: WARNING: Your mailbox is $lusers{$luser}% full.\n";
[...]
 print "Your mailbox: $luser is $lusers{$luser}% full.\n\n";
[...]

Run

crontab -e

to create a cron job for that script:

0 0 * * * /usr/local/sbin/quota_notify > /dev/null 2>&1

This runs the script daily at midnight; the redirection uses portable sh syntax because cron runs jobs with /bin/sh.

12 Test Postfix

To see if Postfix is ready for SMTP-AUTH and TLS, run

telnet localhost 25

After you have established the connection to your Postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and


250-AUTH LOGIN PLAIN

everything is fine. Note that AUTH LOGIN PLAIN is advertised on the still unencrypted session here, so a client may send its password in clear text without negotiating STARTTLS first; if you want AUTH to be offered only after TLS has been set up, put smtpd_tls_auth_only = yes in /etc/postfix/main.cf:

server1:~# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (Debian/GNU)
ehlo localhost
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
server1:~#

Type

quit

to return to the system shell.
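The same check can be scripted. The Python below is an added example, not part of the tutorial: parse_ehlo() turns an EHLO reply into a capability table (the sample text is constructed from the output above), assess() reports whether STARTTLS and AUTH are present and flags AUTH being offered on the unencrypted session, and check_live() runs the same assessment against a real server with the standard smtplib module (it is not executed here; host and port are assumptions).

```python
"""Check an ESMTP EHLO reply for STARTTLS and AUTH the way the manual
telnet test in this section does, and flag AUTH offered before TLS.

Added example, not part of the tutorial.  parse_ehlo() and assess() work
on captured text and run offline; check_live() does the same against a
real server with smtplib.  SAMPLE_EHLO is constructed from the EHLO reply
shown in the tutorial.
"""
import smtplib
from typing import Dict, List

SAMPLE_EHLO = """250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(text: str) -> Dict[str, List[str]]:
    """Turn '250-KEYWORD params' lines into {KEYWORD: [params]}.

    The first line is the server's name, not a capability.  'AUTH=LOGIN
    PLAIN' is the pre-RFC 2554 spelling still sent for old clients; it is
    folded into AUTH.
    """
    caps: Dict[str, List[str]] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for ln in lines[1:]:
        if not ln.startswith("250"):
            raise ValueError(f"not an EHLO reply line: {ln!r}")
        body = ln[4:].strip()                      # drop '250-' or '250 '
        if body.upper().startswith("AUTH="):
            body = "AUTH " + body[5:]
        keyword, *params = body.split()
        lst = caps.setdefault(keyword.upper(), [])
        for p in params:
            if p not in lst:
                lst.append(p)
    return caps


def assess(caps_before_tls: Dict[str, List[str]]) -> List[str]:
    """Findings for the capabilities seen on the *unencrypted* session."""
    findings: List[str] = []
    if "STARTTLS" not in caps_before_tls:
        findings.append("STARTTLS missing: TLS is not offered on port 25")
    if "AUTH" not in caps_before_tls:
        findings.append("AUTH not advertised on the plaintext session "
                        "(correct if smtpd_tls_auth_only = yes; otherwise "
                        "SMTP-AUTH is not enabled)")
    else:
        mechs = ",".join(caps_before_tls["AUTH"])
        findings.append(f"AUTH {mechs} advertised before STARTTLS: clients may "
                        "send passwords in clear text; set smtpd_tls_auth_only = yes "
                        "to offer AUTH only after TLS")
    if "VRFY" in caps_before_tls:
        findings.append("VRFY enabled: allows address enumeration; "
                        "consider disable_vrfy_command = yes")
    return findings


def check_live(host: str = "localhost", port: int = 25, timeout: float = 10.0) -> List[str]:
    """Run the same assessment against a real server (assumed host/port).

    smtplib keeps the parsed EHLO keywords in esmtp_features, lower-cased,
    with the parameters as one string; ehlo() resets it, so a second call
    after starttls() shows the capabilities of the encrypted session."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, reply = s.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO failed: {code} {reply!r}")
        before = {k.upper(): v.split() for k, v in s.esmtp_features.items()}
        findings = assess(before)
        if "STARTTLS" in before:
            s.starttls()
            s.ehlo()
            if "auth" not in s.esmtp_features:
                findings.append("AUTH not offered after STARTTLS either: SMTP-AUTH is not enabled")
        return findings


if __name__ == "__main__":
    for line in assess(parse_ehlo(SAMPLE_EHLO)):
        print("-", line)
```

Run against the reply shown above it reports that STARTTLS and AUTH are both present, that AUTH is offered before TLS, and that VRFY is enabled; after setting smtpd_tls_auth_only = yes the pre-TLS reply no longer carries AUTH and check_live() confirms it reappears after STARTTLS.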

 

13 Populate The Database And Test

To populate the database you can use the MySQL shell:

mysql -u root -p

USE mail;

At least you have to create entries in the tables domains and users:


INSERT INTO `domains` (`domain`) VALUES ('example.com');
INSERT INTO `users` (`email`, `password`, `quota`) VALUES ('[email protected]', ENCRYPT('secret'), 10485760);

(Please take care that you use the ENCRYPT syntax in the second INSERT statement so that the password is stored hashed rather than in plain text! ENCRYPT() calls the system crypt(3) with a two-character salt, i.e. traditional DES crypt, which uses only the first eight characters of the password. The SquirrelMail password plugin configured later on this page assumes exactly this format, so keep it, but don't count on long passwords adding strength.)

If you want to make entries in the other two tables, that would look like this:

INSERT INTO `forwardings` (`source`, `destination`) VALUES ('[email protected]', '[email protected]');
INSERT INTO `transport` (`domain`, `transport`) VALUES ('example.com', 'smtp:mail.example.com');

To leave the MySQL shell, type

quit;

For most people it is easier to have a graphical front-end to MySQL; you can therefore also use phpMyAdmin (in this example under http://192.168.0.100/phpmyadmin/ or http://server1.example.com/phpmyadmin/) to administer the mail database. Again, when you create a user, make sure that you use the ENCRYPT function to encrypt the password.

I do not think I have to explain the domains and users table further.

The forwardings table can have entries like the following:

source              destination
[email protected]     [email protected]
    Redirects emails for [email protected] to [email protected].
@example.com        [email protected]
    Creates a catch-all account for [email protected]. All emails to example.com will arrive at [email protected], except those that exist in the users table (i.e., if [email protected] exists in the users table, mails to [email protected] will still arrive at [email protected]).
@example.com        @anotherdomain.tld
    Redirects all emails to example.com to the same user at anotherdomain.tld. E.g., emails to [email protected] will be forwarded to [email protected].
[email protected]     [email protected], [email protected]
    Forwards emails for [email protected] to two or more email addresses. All email addresses listed under destination receive a copy of the email.

The transport table can have entries like these:

domain              transport
example.com         :
    Delivers emails for example.com locally. This is as if this record did not exist in the table at all.
example.com         smtp:mail.anotherdomain.tld
    Delivers all emails for example.com via SMTP to the server mail.anotherdomain.tld.
example.com         smtp:mail.anotherdomain.tld:2025
    Delivers all emails for example.com via SMTP to the server mail.anotherdomain.tld, but on port 2025 instead of 25, the default SMTP port.
example.com         smtp:[1.2.3.4]
example.com         smtp:[1.2.3.4]:2025
example.com         smtp:[mail.anotherdomain.tld]
    The square brackets prevent Postfix from looking up the MX DNS record for the name in brackets; it connects to that host directly. This is what you want for IP addresses.
.example.com        smtp:mail.anotherdomain.tld
    Mail for any subdomain of example.com is delivered to mail.anotherdomain.tld.
*                   smtp:mail.anotherdomain.tld
    All emails are delivered to mail.anotherdomain.tld.
[email protected]     smtp:mail.anotherdomain.tld
    Emails for [email protected] are delivered to mail.anotherdomain.tld.

See

man transport

for more details.

Please keep in mind that Postfix searches the transport table for each recipient in a fixed order, not in the order of the rows: first the full address [email protected], then the domain example.com, then the parent domains as .example.com, .com (most specific first), and finally *. The first key that finds a row wins, so an entry for a single address takes precedence over one for its domain, and that over a parent-domain or * entry.

Important: Postfix caches transport lookup results, therefore it might take a while until your changes in the transport table take effect. If you want them to take effect immediately, run

postfix reload

after you have made your changes in the transport table.
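To make the lookup order concrete, here is an added Python model (not Postfix code) of how Postfix consults the forwardings and transport tables, following the key sequences described in virtual(5) and transport(5). The tables and addresses in it are constructed for illustration; the USERS set stands in for the email2email map of this setup, which maps every existing mailbox to itself so that it escapes an @domain catch-all. Address extensions (user+ext@domain) and the bare-user key that only applies to local domains are left out.

```python
"""Model of the lookup order Postfix uses on the tutorial's forwardings
(virtual_alias_maps) and transport (transport_maps) tables.

Added example, not Postfix code: the key sequences follow virtual(5) and
transport(5).  USERS stands in for the mysql-virtual_email2email map, which
maps every existing mailbox to itself so that it escapes an @domain
catch-all.  All addresses and rows below are constructed for illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed forwardings table: source -> destination (comma-separated list allowed)
FORWARDINGS: Dict[str, str] = {
    "sales@example.com": "anna@example.com",
    "all@example.com": "anna@example.com, bob@example.com",
    "@example.com": "catchall@example.com",          # catch-all
    "@old.example.net": "@example.com",              # same user at another domain
}
# Constructed users table: mailboxes that exist
USERS: Set[str] = {"anna@example.com", "bob@example.com", "catchall@example.com"}

# Constructed transport table: domain or address -> transport:nexthop
TRANSPORT: Dict[str, str] = {
    "example.com": ":",                              # default transport (local delivery here)
    "vip@partner.tld": "smtp:[mx1.partner.tld]",     # per-address override, no MX lookup
    "partner.tld": "smtp:mail.partner.tld:2025",
    ".partner.tld": "smtp:[192.0.2.25]",             # subdomains of partner.tld only
    "*": "smtp:relay.example.com",                   # everything else
}


def resolve_alias(addr: str, fwd: Dict[str, str] = FORWARDINGS,
                  users: Set[str] = USERS, limit: int = 1000) -> List[str]:
    """Expand an address as virtual alias rewriting would.

    For each address the key user@domain is tried first (forwardings, then
    the email2email/users map), and @domain only if neither matched.  A
    destination of @otherdomain keeps the local part.  Expansion is
    recursive, bounded by `limit` (cf. virtual_alias_recursion_limit).
    """
    final: List[str] = []
    pending: List[Tuple[str, int]] = [(addr, 0)]
    while pending:
        cur, depth = pending.pop(0)
        if depth > limit:
            raise RuntimeError(f"alias expansion loop involving {cur}")
        user, _, domain = cur.partition("@")
        if cur in fwd:
            dest = fwd[cur]
        elif cur in users:
            dest = cur                               # existing mailbox: deliver as-is
        elif "@" + domain in fwd:
            dest = fwd["@" + domain]
        else:
            dest = cur                               # no rule: leave unchanged
        if dest == cur:
            final.append(cur)
            continue
        for d in (x.strip() for x in dest.split(",") if x.strip()):
            pending.append(((user + d) if d.startswith("@") else d, depth + 1))
    return final


def transport_keys(addr: str) -> List[str]:
    """transport(5) search order: user@domain, domain, .parent domains from
    most to least specific, then the wildcard *."""
    _, _, domain = addr.partition("@")
    labels = domain.split(".")
    keys = [addr, domain]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append("*")
    return keys


def resolve_transport(addr: str, table: Dict[str, str] = TRANSPORT
                      ) -> Tuple[Optional[str], Optional[str], bool]:
    """Return (matched key, transport:nexthop, mx_lookup).

    A value of ":" (or no match at all) means the default transport and is
    returned as None.  A nexthop in [brackets] makes Postfix connect to that
    host directly instead of resolving its MX records."""
    for key in transport_keys(addr):
        if key in table:
            value = table[key]
            if value == ":":
                return key, None, True
            _, _, nexthop = value.partition(":")
            return key, value, not nexthop.startswith("[")
    return None, None, True


if __name__ == "__main__":
    for a in ("sales@example.com", "nobody@example.com", "bob@old.example.net"):
        print(f"{a:24} -> {resolve_alias(a)}")
    for a in ("vip@partner.tld", "x@a.partner.tld", "x@other.org"):
        print(f"{a:24} -> {resolve_transport(a)}")
```

The per-address transport entry for vip@partner.tld wins over the domain entry, the .partner.tld entry catches subdomains only, and a forged-loop forwarding (a→b→a) is stopped by the recursion limit rather than expanding forever.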

 


14 Send A Welcome Email For Creating Maildir

When you create a new email account and try to fetch emails from it (with POP3/IMAP) you will probably get error messages saying that the Maildir doesn't exist. The Maildir is created automatically when the first email arrives for the new account. Therefore it's a good idea to send a welcome email to a new account.

First, we install the mailx package:

apt-get install mailx

To send a welcome email to [email protected], we do this:

mailx [email protected]

You will be prompted for the subject. Type in the subject (e.g. Welcome), then press ENTER, and in the next line type your message. When the message is finished, press ENTER again so that you are in a new line, then press CTRL+D; if you don't want to cc the mail, press ENTER again:

root@server1:/usr/local/sbin# mailx [email protected]

Subject: Welcome <-- ENTER
Welcome! Have fun with your new mail account. <-- ENTER
<-- CTRL+D
Cc: <-- ENTER
root@server1:/usr/local/sbin#

15 Installing SquirrelMail

SquirrelMail is a webmail interface that will let your users send and receive emails in a browser. This chapter shows how to install it and adjust it to our setup so that users can even change their email account password from the SquirrelMail interface.

To install SquirrelMail, we run:

apt-get install squirrelmail php-pear

Next we copy the Apache configuration that comes with the SquirrelMail package to the /etc/apache2/conf.d directory and restart Apache:


cp /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf
/etc/init.d/apache2 restart

SquirrelMail comes with some pre-installed plugins, unfortunately none of them is capable of letting us change our email password in our MySQL database. But there's the Change SQL Password plugin which we can install manually:

The plugin depends on the Pear-DB package so we install it:

pear install DB

Then we install the Change SQL Password plugin itself:

cd /usr/share/squirrelmail/plugins
wget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fchange_sqlpass-3.3-1.2.tar.gz
tar xvfz change_sqlpass-3.3-1.2.tar.gz
cd change_sqlpass
cp config.php.sample config.php

Now we must edit config.php and adjust it to our setup. Please adjust the $csp_dsn, $lookup_password_query, $password_update_queries, $password_encryption, $csp_salt_static, and $csp_delimiter variables as follows and comment out $csp_salt_query (please make sure to make no syntax error while you edit the file; if you do, you will get a blank page after the SquirrelMail login!). If Apache serves HTTPS, also consider setting $csp_secure_port to 443 instead of 0 so that the plugin only accepts password changes over an encrypted connection:

vi config.php

[...]
$csp_dsn = 'mysql://mail_admin:mail_admin_password@localhost/mail';
[...]
$lookup_password_query = 'SELECT count(*) FROM users WHERE email = "%1" AND password = %4';
[...]
$password_update_queries = array('UPDATE users SET password = %4 WHERE email = "%1"');
[...]
$password_encryption = 'MYSQLENCRYPT';
[...]
$csp_salt_static = 'LEFT(password, 2)';
[...]
//$csp_salt_query = 'SELECT salt FROM users WHERE username = "%1"';
[...]
$csp_delimiter = '@';
[...]

The complete file looks as follows:

<?php

/**
 * SquirrelMail Change SQL Password Plugin
 * Copyright (C) 2001-2002 Tyler Akins
 *               2002 Thijs Kinkhorst <[email protected]>
 *               2002-2005 Paul Lesneiwski <[email protected]>
 * This program is licensed under GPL. See COPYING for details
 *
 * @package plugins
 * @subpackage Change SQL Password
 *
 */

// Global Variables, don't touch these unless you want to break the plugin
//
global $csp_dsn, $password_update_queries, $lookup_password_query,
       $force_change_password_check_query, $password_encryption,
       $csp_salt_query, $csp_salt_static, $csp_secure_port,
       $csp_non_standard_http_port, $csp_delimiter, $csp_debug,
       $min_password_length, $max_password_length,
       $include_digit_in_password, $include_uppercase_letter_in_password,
       $include_lowercase_letter_in_password, $include_nonalphanumeric_in_password;

// csp_dsn
//
// Theoretically, any SQL database supported by Pear should be supported
// here. The DSN (data source name) must contain the information needed
// to connect to your database backend. A MySQL example is included below.
// For more details about DSN syntax and list of supported database types,
// please see:
// http://pear.php.net/manual/en/package.database.db.intro-dsn.php
//
//$csp_dsn = 'mysql://user:password@localhost/email_users';
$csp_dsn = 'mysql://mail_admin:mail_admin_password@localhost/mail';

// lookup_password_query
//
// This plugin will always verify the user's old password
// against their login password, but an extra check can also
// be done against the database for more security if you
// desire. If you do not need the extra password check,
// make sure this setting is empty.
//
// This is a query that returns a positive value if a user
// and password pair are found in the database.
//
// This query should return one value (one row, one column), the
// value being ideally a one or a zero, simply indicating that
// the user/password pair does in fact exist in the database.
//
// %1 in this query will be replaced with the full username
//    (including domain), such as "[email protected]"
// %2 in this query will be replaced with the username (without
//    any domain portion), such as "jose"
// %3 in this query will be replaced with the domain name,
//    such as "example.com"
// %4 in this query will be replaced with the current (old)
//    password in whatever encryption format is needed per other
//    plugin configuration settings (Note that the syntax of
//    the password will be provided depending on your encryption
//    choices, so you NEVER need to provide quotes around this
//    value in the query here.)
// %5 in this query will be replaced with the current (old)
//    password in unencrypted plain text. If you do not use any
//    password encryption, %4 and %5 will be the same values,
//    except %4 will have double quotes around it and %5 will not.
//
//$lookup_password_query = '';
// TERRIBLE SECURITY: $lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND plain_password = "%5"';
//$lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND crypt_password = %4';
$lookup_password_query = 'SELECT count(*) FROM users WHERE email = "%1" AND password = %4';

// password_update_queries
//
// An array of SQL queries that will all be executed
// whenever a password change attempt is made.
//
// Any number of queries may be included here.
// The queries will be executed in the order given here.
//
// %1 in all queries will be replaced with the full username
//    (including domain), such as "[email protected]"
// %2 in all queries will be replaced with the username (without
//    any domain portion), such as "jose"
// %3 in all queries will be replaced with the domain name,
//    such as "example.com"
// %4 in all queries will be replaced with the new password
//    in whatever encryption format is needed per other
//    plugin configuration settings (Note that the syntax of
//    the password will be provided depending on your
//    encryption choices, so you NEVER need to provide quotes
//    around this value in the queries here.)
// %5 in all queries will be replaced with the new password
//    in unencrypted plain text - BEWARE! If you do not use
//    any password encryption, %4 and %5 will be the same
//    values, except %4 will have double quotes around it
//    and %5 will not.
//
// $password_update_queries = array(
//    'UPDATE users SET crypt_password = %4 WHERE username = "%1"',
//    'UPDATE user_flags SET force_change_pwd = 0 WHERE username = "%1"',
//    'UPDATE users SET crypt_password = %4, force_change_pwd = 0 WHERE username = "%1"',
// );
$password_update_queries = array('UPDATE users SET password = %4 WHERE email = "%1"');

// force_change_password_check_query
//
// A query that checks for a flag that indicates if a user
// should be forced to change their password. This query
// should return one value (one row, one column) which is
// zero if the user does NOT need to change their password,
// or one if the user should be forced to change it now.
//
// This setting should be an empty string if you do not wish
// to enable this functionality.
//
// %1 in this query will be replaced with the full username
//    (including domain), such as "[email protected]"
// %2 in this query will be replaced with the username (without
//    any domain portion), such as "jose"
// %3 in this query will be replaced with the domain name,
//    such as "example.com"
//
//$force_change_password_check_query = 'SELECT IF(force_change_pwd = "yes", 1, 0) FROM users WHERE username = "%1"';
//$force_change_password_check_query = 'SELECT force_change_pwd FROM users WHERE username = "%1"';
$force_change_password_check_query = '';

// password_encryption
//
// What encryption method do you use to store passwords
// in your database? Please use one of the following,
// exactly as you see it:
//
//   NONE          Passwords are stored as plain text only
//   MYSQLPWD      Passwords are stored using the MySQL password() function
//   MYSQLENCRYPT  Passwords are stored using the MySQL encrypt() function
//   PHPCRYPT      Passwords are stored using the PHP crypt() function
//   MD5CRYPT      Passwords are stored using encrypted MD5 algorithm
//   MD5           Passwords are stored as MD5 hash
//
//$password_encryption = 'MYSQLPWD';
$password_encryption = 'MYSQLENCRYPT';

// csp_salt_query
// csp_salt_static
//
// Encryption types that need a salt need to know where to get
// that salt. If you have a constant, known salt value, you
// should define it in $csp_salt_static. Otherwise, leave that
// value empty and define a value for the $csp_salt_query.
//
// Leave both values empty if you do not need (or use) salts
// to encrypt your passwords.
//
// The query should return one value (one row, one column) which
// is the salt value for the current user's password. This
// query is ignored if $csp_salt_static is anything but empty.
//
// %1 in this query will be replaced with the full username
//    (including domain), such as "[email protected]"
// %2 in this query will be replaced with the username (without
//    any domain portion), such as "jose"
// %3 in this query will be replaced with the domain name,
//    such as "example.com"
//
//$csp_salt_static = 'LEFT(crypt_password, 2)';
//$csp_salt_static = '"a4"';  // use this format with MYSQLENCRYPT
//$csp_salt_static = '$2$blowsomefish$';  // use this format with PHPCRYPT
//$csp_salt_static = '';
$csp_salt_static = 'LEFT(password, 2)';

//$csp_salt_query = 'SELECT SUBSTRING_INDEX(crypt_password, '$', 1) FROM users WHERE username = "%1"';
//$csp_salt_query = 'SELECT SUBSTRING(crypt_password, (LENGTH(SUBSTRING_INDEX(crypt_password, '$', 2)) + 2)) FROM users WHERE username = "%1"';
//$csp_salt_query = 'SELECT salt FROM users WHERE username = "%1"';
//$csp_salt_query = '';

// csp_secure_port
//
// You may ensure that SSL encryption is used during password
// change by setting this to the port that your HTTPS is served
// on (443 is typical). Set to zero if you do not wish to force
// an HTTPS connection when users are changing their passwords.
//
// You may override this value for certain domains, users, or
// service levels through the Virtual Host Login (vlogin) plugin
// by setting a value(s) for $vlogin_csp_secure_port in the vlogin
// configuration.
//
$csp_secure_port = 0;
//$csp_secure_port = 443;

// csp_non_standard_http_port
//
// If you serve standard HTTP web requests on a non-standard
// port (anything other than port 80), you should specify that
// port number here. Set to zero otherwise.
//
// You may override this value for certain domains, users, or
// service levels through the Virtual Host Login (vlogin) plugin
// by setting a value(s) for $vlogin_csp_non_standard_http_port
// in the vlogin configuration.
//
//$csp_non_standard_http_port = 8080;
$csp_non_standard_http_port = 0;

// min_password_length
// max_password_length
// include_digit_in_password
// include_uppercase_letter_in_password
// include_lowercase_letter_in_password
// include_nonalphanumeric_in_password
//
// You can set the minimum and maximum password lengths that
// you accept or leave those settings as zero to indicate that
// no limit should be applied.
//
// Turn on any of the other settings here to check that the
// new password contains at least one digit, upper case letter,
// lower case letter and/or one non-alphanumeric character.
//
$min_password_length = 6;
$max_password_length = 0;
$include_digit_in_password = 0;
$include_uppercase_letter_in_password = 0;
$include_lowercase_letter_in_password = 0;
$include_nonalphanumeric_in_password = 0;

// csp_delimiter
//
// if your system has usernames with something other than
// an "@" sign separating the user and domain portion,
// specify that character here
//
//$csp_delimiter = '|';
$csp_delimiter = '@';

// debug mode
//
$csp_debug = 0;

?>

The Change SQL Password plugin also depends on the Compatibility plugin which we install as follows:

15 Installing SquirrelMailSquirrelMail is a webmail interface that will let your users send and receive emails in a browser. This chapter shows how to install it and adjust it to our setup so that users can even change their email account password from the SquirrelMail interface.

To install SquirrelMail, we run:

apt-get install squirrelmail php-pear

Next we copy the Apache configuration that comes with the SquirrelMail package to the /etc/apache2/conf.d directory and restart Apache:

cp /etc/squirrelmail/apache.conf /etc/apache2/conf.d/squirrelmail.conf/etc/init.d/apache2 restart

SquirrelMail comes with some pre-installed plugins, unfortunately none of them is capable of letting us change our email password in our MySQL database. But there's the Change SQL Password plugin which we can install manually:

Page 167: Konfigurasi Server Debian Lenny

The plugin depends on the Pear-DB package so we install it:

pear install DB

Then we install the Change SQL Password plugin itself:

cd /usr/share/squirrelmail/pluginswget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fchange_sqlpass-3.3-1.2.tar.gztar xvfz change_sqlpass-3.3-1.2.tar.gzcd change_sqlpasscp config.php.sample config.php

Now we must edit config.php and adjust it to our setup. Please adjust the $csp_dsn, $lookup_password_query, $password_update_queries, $password_encryption, $csp_salt_static, and $csp_delimiter variables as follows and comment out $csp_salt_query (please make sure to make no syntax error while you edit the file - if you do, you will get a blank page after the SquirrelMail login!):

vi config.php

[...]$csp_dsn = 'mysql://mail_admin:mail_admin_password@localhost/mail';[...]$lookup_password_query = 'SELECT count(*) FROM users WHERE email = "%1" AND password = %4';[...]$password_update_queries = array('UPDATE users SET password = %4 WHERE email = "%1"');[...]$password_encryption = 'MYSQLENCRYPT';[...]$csp_salt_static = 'LEFT(password, 2)';[...]//$csp_salt_query = 'SELECT salt FROM users WHERE username = "%1"';[...]$csp_delimiter = '@';[...]

The complete file looks as follows:

Page 168: Konfigurasi Server Debian Lenny

<?php

/** * SquirrelMail Change SQL Password Plugin * Copyright (C) 2001-2002 Tyler Akins * 2002 Thijs Kinkhorst <[email protected]> * 2002-2005 Paul Lesneiwski <[email protected]> * This program is licensed under GPL. See COPYING for details * * @package plugins * @subpackage Change SQL Password * */

// Global Variables, don't touch these unless you want to break the plugin // global $csp_dsn, $password_update_queries, $lookup_password_query, $force_change_password_check_query, $password_encryption, $csp_salt_query, $csp_salt_static, $csp_secure_port, $csp_non_standard_http_port, $csp_delimiter, $csp_debug, $min_password_length, $max_password_length, $include_digit_in_password, $include_uppercase_letter_in_password, $include_lowercase_letter_in_password, $include_nonalphanumeric_in_password;

// csp_dsn // // Theoretically, any SQL database supported by Pear should be supported // here. The DSN (data source name) must contain the information needed // to connect to your database backend. A MySQL example is included below. // For more details about DSN syntax and list of

Page 169: Konfigurasi Server Debian Lenny

supported database types, // please see: // http://pear.php.net/manual/en/package.database.db.intro-dsn.php // //$csp_dsn = 'mysql://user:password@localhost/email_users'; $csp_dsn = 'mysql://mail_admin:mail_admin_password@localhost/mail';

// lookup_password_query // // This plugin will always verify the user's old password // against their login password, but an extra check can also // be done against the database for more security if you // desire. If you do not need the extra password check, // make sure this setting is empty. // // This is a query that returns a positive value if a user // and password pair are found in the database. // // This query should return one value (one row, one column), the // value being ideally a one or a zero, simply indicating that // the user/password pair does in fact exist in the database. // // %1 in this query will be replaced with the full username // (including domain), such as "[email protected]" // %2 in this query will be replaced with the username (without // any domain portion), such as "jose" // %3 in this query will be replaced with the domain name, // such as "example.com" // %4 in this query will be replaced with the current

Page 170: Konfigurasi Server Debian Lenny

(old) // password in whatever encryption format is needed per other // plugin configuration settings (Note that the syntax of // the password will be provided depending on your encryption // choices, so you NEVER need to provide quotes around this // value in the query here.) // %5 in this query will be replaced with the current (old) // password in unencrypted plain text. If you do not use any // password encryption, %4 and %5 will be the same values, // except %4 will have double quotes around it and %5 will not. // //$lookup_password_query = ''; // TERRIBLE SECURITY: $lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND plain_password = "%5"'; //$lookup_password_query = 'SELECT count(*) FROM users WHERE username = "%1" AND crypt_password = %4'; $lookup_password_query = 'SELECT count(*) FROM users WHERE email = "%1" AND password = %4';

// password_update_queries // // An array of SQL queries that will all be executed // whenever a password change attempt is made. // // Any number of queries may be included here. // The queries will be executed in the order given here. // // %1 in all queries will be replaced with the full username // (including domain), such as "[email protected]" // %2 in all queries will be replaced with the username (without // any domain portion), such as "jose" // %3 in all queries will be replaced with the domain

Page 171: Konfigurasi Server Debian Lenny

name, // such as "example.com" // %4 in all queries will be replaced with the new password // in whatever encryption format is needed per other // plugin configuration settings (Note that the syntax of // the password will be provided depending on your // encryption choices, so you NEVER need to provide quotes // around this value in the queries here.) // %5 in all queries will be replaced with the new password // in unencrypted plain text - BEWARE! If you do not use // any password encryption, %4 and %5 will be the same // values, except %4 will have double quotes around it // and %5 will not. //// $password_update_queries = array(// 'UPDATE users SET crypt_password = %4 WHERE username = "%1"',// 'UPDATE user_flags SET force_change_pwd = 0 WHERE username = "%1"',// 'UPDATE users SET crypt_password = %4, force_change_pwd = 0 WHERE username = "%1"',// ); $password_update_queries = array('UPDATE users SET password = %4 WHERE email = "%1"');

// force_change_password_check_query // // A query that checks for a flag that indicates if a user // should be forced to change their password. This query // should return one value (one row, one column) which is // zero if the user does NOT need to change their password, // or one if the user should be forced to change it

Page 172: Konfigurasi Server Debian Lenny

now. // // This setting should be an empty string if you do not wish // to enable this functionality. // // %1 in this query will be replaced with the full username // (including domain), such as "[email protected]" // %2 in this query will be replaced with the username (without // any domain portion), such as "jose" // %3 in this query will be replaced with the domain name, // such as "example.com" // //$force_change_password_check_query = 'SELECT IF(force_change_pwd = "yes", 1, 0) FROM users WHERE username = "%1"'; //$force_change_password_check_query = 'SELECT force_change_pwd FROM users WHERE username = "%1"'; $force_change_password_check_query = '';

// password_encryption
//
// What encryption method do you use to store passwords
// in your database? Please use one of the following,
// exactly as you see it:
//
// NONE         Passwords are stored as plain text only
// MYSQLPWD     Passwords are stored using the MySQL password() function
// MYSQLENCRYPT Passwords are stored using the MySQL encrypt() function
// PHPCRYPT     Passwords are stored using the PHP crypt() function
// MD5CRYPT     Passwords are stored using encrypted MD5 algorithm
// MD5          Passwords are stored as MD5 hash
//
//$password_encryption = 'MYSQLPWD';
$password_encryption = 'MYSQLENCRYPT';

Page 173: Konfigurasi Server Debian Lenny

// csp_salt_query
// csp_salt_static
//
// Encryption types that need a salt need to know where to get
// that salt. If you have a constant, known salt value, you
// should define it in $csp_salt_static. Otherwise, leave that
// value empty and define a value for the $csp_salt_query.
//
// Leave both values empty if you do not need (or use) salts
// to encrypt your passwords.
//
// The query should return one value (one row, one column) which
// is the salt value for the current user's password. This
// query is ignored if $csp_salt_static is anything but empty.
//
// %1 in this query will be replaced with the full username
// (including domain), such as "jose@example.com"
// %2 in this query will be replaced with the username (without
// any domain portion), such as "jose"
// %3 in this query will be replaced with the domain name,
// such as "example.com"
//
//$csp_salt_static = 'LEFT(crypt_password, 2)';
//$csp_salt_static = '"a4"'; // use this format with MYSQLENCRYPT
//$csp_salt_static = '$2$blowsomefish$'; // use this format with PHPCRYPT
//$csp_salt_static = '';
$csp_salt_static = 'LEFT(password, 2)';

//$csp_salt_query = 'SELECT SUBSTRING_INDEX(crypt_password, '$', 1) FROM users WHERE username = "%1"';
//$csp_salt_query = 'SELECT SUBSTRING(crypt_password, (LENGTH(SUBSTRING_INDEX(crypt_password, '$', 2)) + 2)) FROM users WHERE username = "%1"';
//$csp_salt_query = 'SELECT salt FROM users WHERE username = "%1"';
//$csp_salt_query = '';

// csp_secure_port
//
// You may ensure that SSL encryption is used during password
// change by setting this to the port that your HTTPS is served
// on (443 is typical). Set to zero if you do not wish to force
// an HTTPS connection when users are changing their passwords.
//
// You may override this value for certain domains, users, or
// service levels through the Virtual Host Login (vlogin) plugin
// by setting a value(s) for $vlogin_csp_secure_port in the vlogin
// configuration.
//
$csp_secure_port = 0;
//$csp_secure_port = 443;

// csp_non_standard_http_port
//
// If you serve standard HTTP web requests on a non-standard
// port (anything other than port 80), you should specify that
// port number here. Set to zero otherwise.
//
// You may override this value for certain domains, users, or
// service levels through the Virtual Host Login (vlogin) plugin
// by setting a value(s) for $vlogin_csp_non_standard_http_port
// in the vlogin configuration.
//
//$csp_non_standard_http_port = 8080;
$csp_non_standard_http_port = 0;

// min_password_length
// max_password_length
// include_digit_in_password
// include_uppercase_letter_in_password
// include_lowercase_letter_in_password
// include_nonalphanumeric_in_password
//
// You can set the minimum and maximum password lengths that
// you accept or leave those settings as zero to indicate that
// no limit should be applied.
//
// Turn on any of the other settings here to check that the
// new password contains at least one digit, upper case letter,
// lower case letter and/or one non-alphanumeric character.
//
$min_password_length = 6;
$max_password_length = 0;
$include_digit_in_password = 0;
$include_uppercase_letter_in_password = 0;
$include_lowercase_letter_in_password = 0;
$include_nonalphanumeric_in_password = 0;

// csp_delimiter
//
// if your system has usernames with something other than
// an "@" sign separating the user and domain portion,
// specify that character here
//
//$csp_delimiter = '|';
$csp_delimiter = '@';


// debug mode
//
$csp_debug = 0;

?>
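The settings above control two things worth understanding before you trust the plugin with password changes: which new passwords it accepts (the min_password_length and include_* switches) and how the username and the encrypted value are spliced into $password_update_queries through the %1..%4 placeholders. The following Python block is an added example, not the plugin's code and not part of this tutorial, that models both for the MYSQLENCRYPT / LEFT(password, 2) combination used here. SETTINGS is a constructed set of values, and the exact shape of the ENCRYPT() expression that stands in for %4 is an assumption, since the page only documents the placeholder, not the SQL the plugin generates:

```python
import re

# Constructed settings mirroring the change_sqlpass options discussed above.
# These values are assumptions chosen for the demo, not the page's config.php.
SETTINGS = {
    "csp_delimiter": "@",
    "min_password_length": 6,
    "max_password_length": 0,          # 0 means "no limit", as in the plugin
    "include_digit_in_password": 1,
    "include_uppercase_letter_in_password": 0,
    "include_lowercase_letter_in_password": 1,
    "include_nonalphanumeric_in_password": 0,
}


def sql_string_literal_body(value):
    """Escape a value for use inside a double-quoted MySQL string literal.
    Backslashes and double quotes are the characters that could otherwise
    close the literal and let the value alter the statement."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def split_login(full_username, delimiter="@"):
    """Return the (%1, %2, %3) triple: full login, local part, domain."""
    if delimiter not in full_username:
        raise ValueError("login has no domain part: %r" % full_username)
    user, domain = full_username.split(delimiter, 1)
    return full_username, user, domain


def check_password_policy(password, settings):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    lo, hi = settings["min_password_length"], settings["max_password_length"]
    if lo and len(password) < lo:
        problems.append("shorter than %d characters" % lo)
    if hi and len(password) > hi:
        problems.append("longer than %d characters" % hi)
    classes = [
        ("include_digit_in_password", r"[0-9]", "no digit"),
        ("include_uppercase_letter_in_password", r"[A-Z]", "no upper-case letter"),
        ("include_lowercase_letter_in_password", r"[a-z]", "no lower-case letter"),
        ("include_nonalphanumeric_in_password", r"[^A-Za-z0-9]", "no non-alphanumeric character"),
    ]
    for key, pattern, message in classes:
        if settings[key] and not re.search(pattern, password):
            problems.append(message)
    return problems


def mysql_encrypt_expr(new_password, salt_expr):
    """Build the %4 value for password_encryption = 'MYSQLENCRYPT': an
    ENCRYPT() call whose salt is the configured $csp_salt_static expression.
    This shape is an assumption about the SQL the plugin emits. The new
    password is quoted here, which is why the templates never quote %4."""
    return 'ENCRYPT("%s", %s)' % (sql_string_literal_body(new_password), salt_expr)


def expand_query(template, full_username, password_expr, delimiter="@"):
    """Substitute %1, %2, %3 and %4 as the plugin's comments describe.
    %1-%3 sit inside double quotes in the templates, so they are escaped;
    %4 is already a complete SQL expression and is inserted verbatim."""
    full, user, domain = split_login(full_username, delimiter)
    out = template
    for marker, value in (("%1", full), ("%2", user), ("%3", domain)):
        out = out.replace(marker, sql_string_literal_body(value))
    return out.replace("%4", password_expr)


def build_update_queries(full_username, new_password, settings):
    """Run the policy check, then expand every $password_update_queries entry."""
    problems = check_password_policy(new_password, settings)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    templates = ['UPDATE users SET password = %4 WHERE email = "%1"']
    pw_expr = mysql_encrypt_expr(new_password, "LEFT(password, 2)")
    return [expand_query(t, full_username, pw_expr, settings["csp_delimiter"])
            for t in templates]


if __name__ == "__main__":
    print(build_update_queries("jose@example.com", "secret42", SETTINGS)[0])
```

Running it prints the expanded UPDATE for jose@example.com; passing "abc" instead raises ValueError listing the two violations under these settings. Escaping the %1-%3 values is the example's own choice; the point it illustrates is that every placeholder that lands inside a quoted SQL literal needs that treatment.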

The Change SQL Password plugin also depends on the Compatibility plugin which we install as follows:

cd /usr/share/squirrelmail/pluginswget http://www.squirrelmail.org/countdl.php?fileurl=http%3A%2F%2Fwww.squirrelmail.org%2Fplugins%2Fcompatibility-2.0.14-1.0.tar.gztar xvfz compatibility-2.0.14-1.0.tar.gz

Now we must go into the SquirrelMail configuration and tell SquirrelMail that we use Courier as our POP3 and IMAP server and enable the Change SQL Password and the Compatibility plugins:

/usr/sbin/squirrelmail-configure

You'll see the following menu. Navigate through it as indicated:

SquirrelMail Configuration : Read: config.php (1.4.0)

---------------------------------------------------------

Main Menu --

1.  Organization Preferences

2.  Server Settings

3.  Folder Defaults

4.  General Options

5.  Themes

6.  Address Books

7.  Message of the Day (MOTD)

8.  Plugins

9.  Database

10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on

S   Save data


Q   Quit

Command >> <--   D

SquirrelMail Configuration : Read: config.php

---------------------------------------------------------

While we have been building SquirrelMail, we have discovered some

preferences that work better with some servers that don't work so

well with others.  If you select your IMAP server, this option will

set some pre-defined settings for that server.

Please note that you will still need to go through and make sure

everything is correct.  This does not change everything.  There are

only a few settings that this will change.

Please select your IMAP server:

    bincimap    = Binc IMAP server

    courier     = Courier IMAP server

    cyrus       = Cyrus IMAP server

    dovecot     = Dovecot Secure IMAP server

    exchange    = Microsoft Exchange IMAP server

    hmailserver = hMailServer

    macosx      = Mac OS X Mailserver

    mercury32   = Mercury/32

    uw          = University of Washington's IMAP server

    quit        = Do not change anything

Command >> <--   courier

SquirrelMail Configuration : Read: config.php

---------------------------------------------------------

While we have been building SquirrelMail, we have discovered some

preferences that work better with some servers that don't work so

well with others.  If you select your IMAP server, this option will

set some pre-defined settings for that server.

Please note that you will still need to go through and make sure

everything is correct.  This does not change everything.  There are

only a few settings that this will change.


Please select your IMAP server:

    bincimap    = Binc IMAP server

    courier     = Courier IMAP server

    cyrus       = Cyrus IMAP server

    dovecot     = Dovecot Secure IMAP server

    exchange    = Microsoft Exchange IMAP server

    hmailserver = hMailServer

    macosx      = Mac OS X Mailserver

    mercury32   = Mercury/32

    uw          = University of Washington's IMAP server

    quit        = Do not change anything

Command >> courier

              imap_server_type = courier

         default_folder_prefix = INBOX.

                  trash_folder = Trash

                   sent_folder = Sent

                  draft_folder = Drafts

            show_prefix_option = false

          default_sub_of_inbox = false

show_contain_subfolders_option = false

            optional_delimiter = .

                 delete_folder = true

Press any key to continue... <-- press a key

SquirrelMail Configuration : Read: config.php (1.4.0)

---------------------------------------------------------

Main Menu --

1.  Organization Preferences

2.  Server Settings

3.  Folder Defaults

4.  General Options

5.  Themes

6.  Address Books

7.  Message of the Day (MOTD)

8.  Plugins

9.  Database

10. Languages


D.  Set pre-defined settings for specific IMAP servers

C   Turn color on

S   Save data

Q   Quit

Command >> <--   8

SquirrelMail Configuration : Read: config.php (1.4.0)

---------------------------------------------------------

Plugins

  Installed Plugins

  Available Plugins:

    1. abook_take

    2. administrator

    3. bug_report

    4. calendar

    5. change_sqlpass

    6. compatibility

    7. delete_move_next

    8. demo

    9. filters

    10. fortune

    11. info

    12. listcommands

    13. mail_fetch

    14. message_details

    15. newmail

    16. sent_subfolders

    17. spamcop

    18. squirrelspell

    19. test

    20. translate

R   Return to Main Menu

C   Turn color on

S   Save data

Q   Quit

Command >> <-- 6 (or whatever number the compatibility plugin has - it's needed by the change_sqlpass plugin)

SquirrelMail Configuration : Read: config.php (1.4.0)

---------------------------------------------------------

Plugins

  Installed Plugins

    1. compatibility

  Available Plugins:

    2. abook_take

    3. administrator

    4. bug_report

    5. calendar

    6. change_sqlpass

    7. delete_move_next

    8. demo

    9. filters

    10. fortune

    11. info

    12. listcommands

    13. mail_fetch

    14. message_details

    15. newmail

    16. sent_subfolders

    17. spamcop

    18. squirrelspell

    19. test

    20. translate

R   Return to Main Menu

C   Turn color on

S   Save data

Q   Quit

Command >> <-- 6 (the number of the change_sqlpass plugin)

SquirrelMail Configuration : Read: config.php (1.4.0)

---------------------------------------------------------

Plugins

  Installed Plugins


    1. compatibility

    2. change_sqlpass

  Available Plugins:

    3. abook_take

    4. administrator

    5. bug_report

    6. calendar

    7. delete_move_next

    8. demo

    9. filters

    10. fortune

    11. info

    12. listcommands

    13. mail_fetch

    14. message_details

    15. newmail

    16. sent_subfolders

    17. spamcop

    18. squirrelspell

    19. test

    20. translate

R   Return to Main Menu

C   Turn color on

S   Save data

Q   Quit

Command >> <--   S

SquirrelMail Configuration : Read: config.php (1.4.0)

---------------------------------------------------------

Plugins

  Installed Plugins

    1. compatibility

    2. change_sqlpass

  Available Plugins:

    3. abook_take

    4. administrator

    5. bug_report


    6. calendar

    7. delete_move_next

    8. demo

    9. filters

    10. fortune

    11. info

    12. listcommands

    13. mail_fetch

    14. message_details

    15. newmail

    16. sent_subfolders

    17. spamcop

    18. squirrelspell

    19. test

    20. translate

R   Return to Main Menu

C   Turn color on

S   Save data

Q   Quit

Command >> S

Data saved in config.php

Press enter to continue... <--   ENTER

SquirrelMail Configuration : Read: config.php (1.4.0)

---------------------------------------------------------

Plugins

  Installed Plugins

    1. compatibility

    2. change_sqlpass

  Available Plugins:

    3. abook_take

    4. administrator

    5. bug_report

    6. calendar

    7. delete_move_next

    8. demo

    9. filters


    10. fortune

    11. info

    12. listcommands

    13. mail_fetch

    14. message_details

    15. newmail

    16. sent_subfolders

    17. spamcop

    18. squirrelspell

    19. test

    20. translate

R   Return to Main Menu

C   Turn color on

S   Save data

Q   Quit

Command >> <--   Q

Now you can type in http://server1.example.com/squirrelmail or http://192.168.0.100/squirrelmail in your browser to access SquirrelMail.

Log in with your email address (e.g. [email protected]) and your password:


How To Block Spammers/Hackers With Apache2's mod_spamhaus (Debian Etch)


mod_spamhaus is an Apache module that uses a DNSBL to block spam relayed through web forms, prevent URL injection, block HTTP DDoS attacks from bots and, in general, protect your web service by denying access to known bad IP addresses.

 

1. Installation

In order to compile mod_spamhaus, you must have the apxs2 (APache eXtenSion) tool installed.

The following command will install it:

apt-get install apache2-prefork-dev

Now we need to download the source package present at http://sourceforge.net/projects/mod-spamhaus/ or download it using wget application and this direct link to the repository:

wget http://kent.dl.sourceforge.net/sourceforge/mod-spamhaus/mod_spamhaus05.tar.gz

Next open archive, compile and install module with those commands:

tar zxvf mod_spamhaus05.tar.gz
cd mod-spamhaus
make
make install

You must add a LoadModule directive to the main config file of your web server to load the mod_spamhaus module.

vi /etc/apache2/httpd.conf

[...]
LoadModule spamhaus_module /usr/lib/apache2/modules/mod_spamhaus.so

 

2. Configuration

Before we write our configuration, we should know which directives mod_spamhaus supports:

MS_Methods - If the HTTP method used by the visitor matches one of these, the module verifies the visitor's IP address

MS_WhiteList - A simple whitelist file where you can put IP addresses that bypass the check

MS_DNS - The DNSBL to use. Useful if you want to run a local rbldnsd instance

MS_CacheSize - Number of cached addresses

Now we open the config file of our web server in order to write a basic configuration:

vi /etc/apache2/apache2.conf

[...]
<IfModule mod_spamhaus.c>
MS_METHODS POST,PUT,OPTIONS,CONNECT
MS_WhiteList /etc/spamhaus.wl
MS_CacheSize 256
</IfModule>
[...]

Next we create an empty whitelist file:

touch /etc/spamhaus.wl

Finally we restart Apache2:

/etc/init.d/apache2 restart

That's all!
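To see what the four directives do to an individual request, here is an added Python model of the decision mod_spamhaus makes (example code written for this page, not the module's source): only the methods listed in MS_Methods are checked, addresses in the whitelist bypass the lookup, the DNSBL query name is the client's IPv4 octets reversed under the zone, and answers are cached up to MS_CacheSize entries. The zone name in DEFAULT_ZONE, the whitelist file format (one address or CIDR per line) and the fail-open choice when DNS fails are assumptions, since the page names none of them; fake_resolve is a constructed stand-in for real DNS with a single listed address:

```python
import ipaddress
from collections import OrderedDict

# Assumptions for the demo: the page does not name the module's default zone
# or whitelist syntax, so these are the example's own choices.
DEFAULT_ZONE = "sbl-xbl.spamhaus.org"
CHECKED_METHODS = ("POST", "PUT", "OPTIONS", "CONNECT")   # same set as MS_METHODS above


def dnsbl_query_name(ip, zone=DEFAULT_ZONE):
    """A DNSBL is queried by reversing the IPv4 octets and appending the zone:
    192.0.2.10 listed in zone Z is looked up as 10.2.0.192.Z."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError for IPv6 or garbage
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return "%s.%s" % (reversed_octets, zone)


def load_whitelist(text):
    """Parse a whitelist: one IPv4 address or CIDR block per line, '#' comments.
    (Accepting CIDR is this example's choice; the real MS_WhiteList syntax may differ.)"""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


class DnsblChecker:
    """Per-request decision: checked methods only, whitelist bypass, cached lookups."""

    def __init__(self, resolve, whitelist=(), zone=DEFAULT_ZONE, cache_size=256,
                 methods=CHECKED_METHODS):
        self.resolve = resolve            # callable: query name -> answer string or None
        self.whitelist = list(whitelist)
        self.zone = zone
        self.cache_size = cache_size      # plays the role of MS_CacheSize
        self.methods = set(m.upper() for m in methods)
        self.cache = OrderedDict()        # ip -> DNSBL answer (None = not listed)

    def lookup(self, ip):
        if ip in self.cache:
            self.cache.move_to_end(ip)    # keep the cache in least-recently-used order
            return self.cache[ip]
        try:
            answer = self.resolve(dnsbl_query_name(ip, self.zone))
        except OSError:
            answer = None                 # DNS failure: fail open (this example's choice)
        self.cache[ip] = answer
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)  # evict the least recently used entry
        return answer

    def decide(self, method, client_ip):
        """Return ('allow' | 'deny', reason) for one request."""
        if method.upper() not in self.methods:
            return ("allow", "method %s is not checked" % method.upper())
        addr = ipaddress.ip_address(client_ip)
        if addr.version != 4:
            return ("allow", "only IPv4 addresses are looked up")
        if any(addr in net for net in self.whitelist):
            return ("allow", "whitelisted")
        answer = self.lookup(client_ip)
        if answer is None:
            return ("allow", "not listed")
        return ("deny", "listed in %s (%s)" % (self.zone, answer))


# Constructed resolver standing in for DNS: exactly one address is "listed".
LISTED = {dnsbl_query_name("192.0.2.10"): "127.0.0.2"}


def fake_resolve(name):
    return LISTED.get(name)


def demo():
    checker = DnsblChecker(fake_resolve, load_whitelist("# office range\n198.51.100.0/24\n"))
    return [
        checker.decide("POST", "192.0.2.10"),    # listed + checked method  -> deny
        checker.decide("GET", "192.0.2.10"),     # GET not in MS_Methods    -> allow
        checker.decide("POST", "198.51.100.7"),  # whitelisted              -> allow
        checker.decide("PUT", "203.0.113.5"),    # not listed               -> allow
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The GET case is the one to notice when you write the MS_Methods line: a listed address is still served ordinary page views, and only the methods you list trigger the lookup, which is what keeps the module's DNS traffic proportional to form submissions rather than to all hits.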

Installing ISP-fw (Firewall) On Linux


ISP-fW is a firewall script that provides port forwarding, packet filtering, stateful packet inspection, port redirection, masquerading, SNAT/DNAT, TOS and, last but not least, generates HTB rules for bandwidth management. With ISP-fw, you can turn a PC into a gateway with traffic shaping capabilities.

Let's begin:

I will assume that you have installed Linux on your box. I use a Debian machine so this tutorial will be for Debian Linux but should not differ much from the rest of the distros.

 

1. Requirements:

 - GNU/Linux distribution;
 - GCC 3.4.6 compiler;
 - Iproute2 (the latest version is recommended: http://linux-net.osdl.org/index.php/Iproute2);
 - Linux Kernel 2.4.32 or 2.6.16 (www.kernel.org);
 - dialog (the latest version from http://invisible-island.net/dialog/);
 - flex version 2.5.4a (not above);
 - iptables v1.2.11 or above;
 - DHCP (the latest version from ftp://ftp.isc.org/isc/dhcp/);
 - Apache and php (required for webISP);
 - ZendOptimizer 3.x (required for webISP);
 - mySQL 4.x (required for webISP);
 - MRTG (required for webISP);
 - IPFM (required for webISP).

For shaping you have to enable QoS for your kernel; this the list for 2.4.x and 2.6.x:

Linux Kernel 2.4.32 ( http://www.kernel.org )
----------------------------------------------

If you compile the Kernel from the sources, you will need to select the following options:

#

# QoS and/or fair queuing

#

CONFIG_NET_SCHED=y

CONFIG_NET_SCH_CBQ=m

CONFIG_NET_SCH_HTB=m

CONFIG_NET_SCH_CSZ=m

CONFIG_NET_SCH_HFSC=m

CONFIG_NET_SCH_PRIO=m

CONFIG_NET_SCH_RED=m

CONFIG_NET_SCH_SFQ=m


CONFIG_NET_SCH_TEQL=m

CONFIG_NET_SCH_TBF=m

CONFIG_NET_SCH_GRED=m

CONFIG_NET_SCH_NETEM=m

CONFIG_NET_SCH_DSMARK=m

CONFIG_NET_SCH_INGRESS=m

CONFIG_NET_QOS=y

CONFIG_NET_ESTIMATOR=y

CONFIG_NET_CLS=y

CONFIG_NET_CLS_TCINDEX=m

CONFIG_NET_CLS_ROUTE4=m

CONFIG_NET_CLS_ROUTE=y

CONFIG_NET_CLS_FW=m

CONFIG_NET_CLS_U32=m

CONFIG_NET_CLS_RSVP=m

CONFIG_NET_CLS_RSVP6=m

CONFIG_NET_CLS_POLICE=y

Linux Kernel 2.6.16 ( http://www.kernel.org )
----------------------------------------------

If you compile the kernel from the sources, you will need to select the following options:

#

# QoS and/or fair queuing

#

CONFIG_NET_SCHED=y

CONFIG_NET_SCH_CLK_JIFFIES=y

# CONFIG_NET_SCH_CLK_GETTIMEOFDAY is not set

# CONFIG_NET_SCH_CLK_CPU is not set

#

# Queuing/Scheduling

#

CONFIG_NET_SCH_CBQ=m

CONFIG_NET_SCH_HTB=m

CONFIG_NET_SCH_HFSC=m

CONFIG_NET_SCH_PRIO=m

CONFIG_NET_SCH_RED=m

CONFIG_NET_SCH_SFQ=m

CONFIG_NET_SCH_TEQL=m

CONFIG_NET_SCH_TBF=m

CONFIG_NET_SCH_GRED=m

CONFIG_NET_SCH_DSMARK=m


CONFIG_NET_SCH_NETEM=m

CONFIG_NET_SCH_INGRESS=m

#

# Classification

#

CONFIG_NET_CLS=y

CONFIG_NET_CLS_BASIC=m

CONFIG_NET_CLS_TCINDEX=m

CONFIG_NET_CLS_ROUTE4=y

CONFIG_NET_CLS_ROUTE=y

CONFIG_NET_CLS_FW=m

CONFIG_NET_CLS_U32=m

CONFIG_CLS_U32_PERF=y

CONFIG_CLS_U32_MARK=y

CONFIG_NET_CLS_RSVP=m

CONFIG_NET_CLS_RSVP6=m

CONFIG_NET_EMATCH=y

CONFIG_NET_EMATCH_STACK=32

CONFIG_NET_EMATCH_CMP=m

CONFIG_NET_EMATCH_NBYTE=m

CONFIG_NET_EMATCH_U32=m

CONFIG_NET_EMATCH_META=m

CONFIG_NET_EMATCH_TEXT=m

CONFIG_NET_CLS_ACT=y

CONFIG_NET_ACT_POLICE=m

CONFIG_NET_ACT_GACT=y

CONFIG_GACT_PROB=y

CONFIG_NET_ACT_MIRRED=m

CONFIG_NET_ACT_IPT=m

CONFIG_NET_ACT_PEDIT=m

CONFIG_NET_ACT_SIMP=m

CONFIG_NET_CLS_IND=y

CONFIG_NET_ESTIMATOR=y

!!! NOTE !!! To successfully use mark_in_u32 you MUST use at least the kernel 2.6.16.

 

2. Download and install isp-fw from http://isp-fw.sourceforge.net


root@htb:~# wget http://kent.dl.sourceforge.net/sourceforge/isp-fw/ispfw-9.5-rc1.deb

root@htb:~# mysql -u user -p password
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database ispfw;
Query OK, 1 row affected (0.00 sec)

mysql> quit
Bye

root@htb:~# dpkg -i ispfw-9.5-rc1.deb

SQL host [localhost]:

SQL user [root]: ispfw

SQL pass [changeme]: ****

SQL db [ispfw]: ispfw

Admin user for webpage [admin]: admin

Admin password for webpage [changeme]: ****

Installation successful.

Edit /var/www/webisp/include/config.php.

Change in php.ini session.auto_start to 1

Note that you need to install zendOptimizer

http://www.zend.com/free_download/optimizer

You're done installing ISP-fW. Let's go to the configuration.

 

3. Configure ISP-fW

Edit /etc/isp-fw/firewall.conf to your needs (you can use isped fireconfig from the console to trigger the file). A more explained example can be found in the docs or http://isp-fw.wiki.sourceforge.net/Config-Examples.

#generated by setup, see docs/cfg/

network_name = Example

domain = example.com

default_editor = vi

default_ipt_policy = ACCEPT

net_interface = eth0


lan_interface = eth1

net_ip = 45.93.203.4

clone_mac = no

gateway = 45.93.203.1

subnet = 255.255.255.0

fake_mac = 00:0D:A1:D9:D2:DA

download = start

upload = start

bandwith = 2048 kbps

burst = 0

qdisc = sfq

bgp_file = none

htb_mode = none

ssh_all = no

#I set ssh_all to no, if so you have to enter a list of IPs in /etc/isp-fw/ssh.allow

ssh_port = 22

use_squid = no

squid_port = 3128

load_custom = no

masquerade = yes

update_hosts = yes

optimize = yes

opt_conntrack = auto

mac_filter = no

auto_redirect = no

my_web = 1234


block_traceroute = no

flood = no

no_port_scan = no

ping_protection = yes

max_conn_per_port =

use_dhcp = yes

#DHCP section

class = 10.10.10.0/255.255.255.0

router = 10.10.10.1

range = 10.10.10.1 10.10.10.254

broadcast = 10.10.10.255

dns = 10.10.10.1, 10.10.10.2

wins = 10.10.10.2

/etc/isp-fw/spam.conf - here you enter blacklisted IP(s)
/etc/isp-fw/badports.conf - here you enter blacklisted port(s)
/etc/isp-fw/port.allow - here you enter port(s) that you want to accept
/etc/isp-fw/ssh.allow - here you enter IP(s) that you want to allow to ssh

 

4. Adding clients to ISP-fW

You can add clients by using the command isped clienti:

root@htb:~# isped clienti

Now if you have NAT on your network be sure to have the option masquerade = yes, here's how the file looks:

#CAUTION dont leave blank fields! See docs/cfg/clienti.* for more info
#MAC              IP-LAN      IP-NET  MINE/MAXE/MINM/MAXM  NAME
00:0E:2E:1F:E7:FA 10.10.10.2 0.0.0.0 16/128/1024/1024      Tom
00:0E:2E:1F:E1:AA 10.10.10.3 0.0.0.0 16/512/1024/1024      Britney
#00:01:1A:1A:AA:AA 10.10.10.4 0.0.0.0 16/512/1024/1024     Alice
#END

If you have your own class of IPs from ARIN or any other registry, be sure to set masquerade = no.

For this example we will assume that we have the class 9.10.11.0/24 allocated.

#CAUTION dont leave blank fields! See docs/cfg/clienti.* for more info
00:0E:2E:1F:E7:FA 0.0.0.0 9.10.11.2 16/32/128/1024 Tom
00:02:AA:11:B2:AC 0.0.0.0 9.10.11.3 16/32/256/2048 Britney
#00:01:AA:03:04:05 0.0.0.0 9.10.11.4 16/32/256/2048 Alice
#END

 

Tips

The "16/32/128/1024" means that Tom has 16 kbps minimum guaranteed and 32 kbps maximum external bandwidth; for metropolitan networks 128 kbps minimum and 1024 kbps maximum.

The "#" sign means that the client is disabled, therefore it doesn't have internet access.

The "#>" sign means that the client is redirected to your customized suspended web page.
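Because a malformed clienti line silently changes who gets bandwidth or access, it is worth validating the file before running ispfw. The following Python parser is an added example, not part of ISP-fW, that uses the entries above as a constructed sample (with one extra "#>" line added for the demo). It enforces the "dont leave blank fields" rule, rejects a guaranteed rate higher than its maximum, separates active, disabled and redirected clients, and checks the masquerade convention shown above (NAT clients carry 0.0.0.0 as IP-NET, routed clients carry it as IP-LAN). The field layout comes from the header line in the file; treating the masquerade rule as a hard check is this example's interpretation:

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Constructed sample built from the clienti entries shown above; the "#>" line
# is added for the demo and is not from the tutorial.
SAMPLE = """\
#CAUTION dont leave blank fields! See docs/cfg/clienti.* for more info
#MAC              IP-LAN      IP-NET  MINE/MAXE/MINM/MAXM  NAME
00:0E:2E:1F:E7:FA 10.10.10.2 0.0.0.0 16/128/1024/1024      Tom
00:0E:2E:1F:E1:AA 10.10.10.3 0.0.0.0 16/512/1024/1024      Britney
#00:01:1A:1A:AA:AA 10.10.10.4 0.0.0.0 16/512/1024/1024     Alice
#>00:01:1A:1A:BB:BB 10.10.10.5 0.0.0.0 16/512/1024/1024    Eve
#END
"""


def parse_client_line(line, lineno):
    """Parse one entry; return None for comment or header lines.
    A leading '#' marks a disabled client, '#>' a redirected one."""
    status = "active"
    if line.startswith("#>"):
        status, line = "redirected", line[2:]
    elif line.startswith("#"):
        status, line = "disabled", line[1:]
    fields = line.split()
    if not fields or not MAC_RE.match(fields[0]):
        return None   # e.g. the #CAUTION or #MAC header lines, not a client
    if len(fields) != 5:
        raise ValueError("line %d: expected MAC IP-LAN IP-NET MINE/MAXE/MINM/MAXM NAME, "
                         "got %d fields" % (lineno, len(fields)))
    mac, ip_lan, ip_net, bw, name = fields
    rates = bw.split("/")
    if len(rates) != 4 or not all(r.isdigit() for r in rates):
        raise ValueError("line %d: bad bandwidth spec %r" % (lineno, bw))
    mine, maxe, minm, maxm = (int(r) for r in rates)
    if mine > maxe or minm > maxm:
        raise ValueError("line %d: guaranteed rate exceeds maximum in %r" % (lineno, bw))
    return {
        "mac": mac.upper(),
        "ip_lan": str(ipaddress.IPv4Address(ip_lan)),   # raises on a malformed address
        "ip_net": str(ipaddress.IPv4Address(ip_net)),
        "mine": mine, "maxe": maxe, "minm": minm, "maxm": maxm,
        "name": name, "status": status,
    }


def parse_clienti(text):
    """Parse the whole file up to the #END marker."""
    clients = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "#END":
            break
        entry = parse_client_line(line, lineno)
        if entry is not None:
            clients.append(entry)
    return clients


def check_nat_consistency(clients, masquerade):
    """With masquerade = yes every client should have a LAN address and 0.0.0.0
    as IP-NET; with masquerade = no the reverse. Returns the names that do not fit."""
    bad = []
    for c in clients:
        if masquerade:
            ok = c["ip_lan"] != "0.0.0.0" and c["ip_net"] == "0.0.0.0"
        else:
            ok = c["ip_lan"] == "0.0.0.0" and c["ip_net"] != "0.0.0.0"
        if not ok:
            bad.append(c["name"])
    return bad


def active_clients(clients):
    """Names of clients that actually get internet access."""
    return [c["name"] for c in clients if c["status"] == "active"]


if __name__ == "__main__":
    parsed = parse_clienti(SAMPLE)
    print("active:", active_clients(parsed))
    print("inconsistent with masquerade = yes:", check_nat_consistency(parsed, True))
```

Running it on the sample reports Tom and Britney as active and no masquerade inconsistencies; feeding it the second example above with masquerade=True instead lists every client, which is exactly the case where masquerade = no is the correct setting.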

Now to start the program just type


ispfw start