gferg 2000-08-07 16:13:06 +00:00
parent 54a206a34e
commit 89781f578e
5 changed files with 385 additions and 66 deletions

View File

@ -203,7 +203,7 @@ ISP-Setup-RedHat</ULink>,
"Pocket" ISP based on RedHat Linux</CiteTitle>
</Para><Para>
<CiteTitle>
Updated: April 2000</CiteTitle>.
Updated: August 2000</CiteTitle>.
Outlines the setup of a single RedHat box for dial-ins, virtual web hosting,
virtual email, POP3 and ftp servers.</Para>
</ListItem>

View File

@ -839,7 +839,7 @@ establishment, email and news handling is covered). </Para>
ISP-Setup-RedHat</ULink>,
<CiteTitle>"Pocket" ISP based on RedHat Linux</CiteTitle>
</Para><Para>
<CiteTitle>Updated: April 2000</CiteTitle>.
<CiteTitle>Updated: August 2000</CiteTitle>.
Outlines the setup of a single RedHat box for dial-ins,virtual web hosting,
virtual email, POP3 and ftp servers. </Para>
</ListItem>
@ -1048,7 +1048,7 @@ under Linux. Primarily intended for administrators. </Para>
Mail-User-HOWTO</ULink>,
<CiteTitle>The Linux Mail User HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: May 1999</CiteTitle>.
<CiteTitle>Updated: August 2000</CiteTitle>.
An introduction to the world of electronic mail (email) under Linux.
Focuses on user-level issues and typical configurations for Linux
home and small-business machines connected to the net via an ISP. </Para>
@ -1244,6 +1244,17 @@ How to configure Linux as NIS(YP) or NIS+ client and how to install
as a NIS server. </Para>
</ListItem>
<ListItem>
<Para>
<ULINK URL="../NLM-HOWTO.html">
NLM-HOWTO</ULink>,
<CiteTitle>NetWare Loadable Module Programming HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: August 2000</CiteTitle>.
How to develop NetWare Loadable Modules under
Linux, using GNU CC and nlmconv(1) from GNU binutils. </Para>
</ListItem>
<ListItem>
<Para>
<ULINK URL="../Online-Troubleshooting-HOWTO/index.html">
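Review bot: the new NLM-HOWTO entry links to ../NLM-HOWTO.html, while the hunk further down in this same file switches Unix-and-Internet-Fundamentals-HOWTO from ../X.html to ../X/index.html; confirm which form the rendered NLM-HOWTO actually uses (single page, or a directory with index.html) before the index goes out, or the link will 404. The identical entry text is pasted into a second index file later in this commit, so any correction has to be applied to both copies.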
@ -1891,11 +1902,11 @@ How to change your Linux system so it uses UTF-8 as text encoding. </Para>
<ListItem>
<Para>
<ULINK URL="../Unix-and-Internet-Fundamentals-HOWTO.html">
<ULINK URL="../Unix-and-Internet-Fundamentals-HOWTO/index.html">
Unix-and-Internet-Fundamentals-HOWTO</ULink>,
<CiteTitle>The Unix and Internet Fundamentals HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: July 2000</CiteTitle>.
<CiteTitle>Updated: August 2000</CiteTitle>.
Describes the working basics of PC-class computers, Unix-like
operating systems, and the Internet in non-technical language. </Para>
</ListItem>

View File

@ -160,7 +160,7 @@ under Linux. Primarily intended for administrators. </Para>
Mail-User-HOWTO</ULink>,
<CiteTitle>The Linux Mail User HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: May 1999</CiteTitle>.
<CiteTitle>Updated: August 2000</CiteTitle>.
An introduction to the world of electronic mail (email) under Linux. Focuses
on user-level issues and typical configurations for Linux home and
small-business machines connected to the net via an ISP. </Para>

View File

@ -178,6 +178,17 @@ Kerneld</ULink>,
Explains how you can use the kerneld function in the Linux kernels. </Para>
</ListItem>
<ListItem>
<Para>
<ULINK URL="../NLM-HOWTO.html">
NLM-HOWTO</ULink>,
<CiteTitle>NetWare Loadable Module Programming HOWTO</CiteTitle>
</Para><Para>
<CiteTitle>Updated: August 2000</CiteTitle>.
How to develop NetWare Loadable Modules under
Linux, using GNU CC and nlmconv(1) from GNU binutils. </Para>
</ListItem>
<ListItem>
<Para>
<ULINK URL="../Oracle-7-HOWTO.html">

View File

@ -5,7 +5,7 @@
<title>"Pocket" ISP based on RedHat Linux
<author>Anton Chuvakin, <tt>
<htmlurl url="mailto:anton@chuvakin.org" name="anton@chuvakin.org"></tt>
<date>v1.0.1 4 April 2000</date>
<date>v1.1.0 1 August 2000</date>
<abstract>
This document outlines the setup of a single RedHat box for dialins, virtual
web hosting, virtual email, POP3 and ftp servers. Why anybody might need
@ -13,7 +13,7 @@
ISP solution based on RedHat Linux. Any part of this setup can be
implemented separately though. I will try to emphasize all the commands so
one can just paste them to configure his own box. The list of documents
that I borrowed from and some further reading is below (see References section).
that I borrowed from and some further reading is provided below (see References section).
I will try to keep security in mind on all stages of the setup and to make
clear all the security limitations of this setup.
I should add that assets that are to be
@ -27,24 +27,89 @@ efforts spent on securing the setup are allowed to be limited.
The guide assumes some familiarity with Linux functionality and general
Linux/UNIX setup procedure (although not very detailed). Fully functional
brain is also required for some stages of the procedure. All setup would
be done manually (without the use of <htmlurl
url="http://www.solucorp.qc.ca/linuxconf/" name="linuxconf"> or other
be done manually (without the use of <htmlurl url="http://www.solucorp.qc.ca/linuxconf/" name="linuxconf">,
<htmlurl url="http://www.webmin.com/webmin/" name="Webmin"> or other
tools). Not that those are bad or that there is anything wrong with them. The
reasons for that are: 1) it is comparatively hard to give step by step directions
that produce predictable results as these tools pretend they are intelligent
and "know better" (Windows syndrome) 2) layout of tools changes with time and is different
and "know better" (also known as "Windows syndrome") 2) layout of tools changes with time and is different
in some distributions 3) manual setup gives better understanding of system works
(not that it is always required though) 4)some tools allow only limited
configuration of Linux system or do not keep up with updated features.
While many improvements are possible to this setup they might be
configuration of Linux system or do not keep up with updated features of
services they try to configure.
<p>
Another solution seems to be very promising. It is
<htmlurl url="http://www.prongs.org/virtfs" name="virtfs">
developed by
<htmlurl url="mailto:afra@prongs.org" name="Afra Ahmad">. Its main part is a
perl script so it does not suffer from being a "black box". It will
automatically configure all virtual services in a highly customizable fashion.
It is based on taking
advantage of the chroot environment. A separate and smaller filesystem is
created for each virtual server, and when a service is requested, the main
server will chroot to the desired virtual server.
This method may take up more disk space, but it is much more flexible,
especially when dealing with the services. For example, it is possible to have
two different email accounts bob@vdomain1.com and bob@vdomain2.com (as you are
dealing with two different passwd files). It might be essential for a bigger
hosting site.
For more information please visit the Virtfs page at
<htmlurl url="http://www.prongs.org/virtfs" name="http://www.prongs.org/virtfs">.
While many improvements are possible to the setup described in this HOWTO they might be
described in later editions of this document - I just outline one possible
way (accidentally, the one I used). The writeup is aimed at RedHat Linux,
but with trivial changes can be used on any modern Linux distribution.
The resulting configuration loosely follows
the setup of some particular machines built by the author..
the setup of some particular machines built by the author.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect> Changes from 1.0.0 to 1.0.1
<sect> Changes<p>
<bf>from 1.0.3 to 1.1.0</bf>
<p>
<itemize>
<item>
Description of virtfs added
<item>
Qpopper and WUftpd bugs described
<item>
Double connections issue mentioned as requested by one of the readers
<item>
POP-only accounts described
<item>
References added
</itemize>
<bf>from 1.0.2 to 1.0.3</bf>
<p>
<itemize>
<item>
Some spelling errors corrected (thanks to Eugene Shishkin for that)
</itemize>
<bf>from 1.0.1 to 1.0.2</bf>
<p>
<itemize>
<item>
<it>Some</it> errors corrected (spelling)
<item>
Method to chroot non-anonymous ftp users ("guest" users; those with password
and usernames, but with access only to their home directories;
used for <it>easy</it> web updates)
<item>
References section updated
<item>
Troubleshooting subsections added to two sections
<item>
Qpopper update
</itemize>
<bf>from 1.0.0 to 1.0.1</bf>
<p>
<itemize>
<item>
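Review bot: the virtfs paragraph ("It is based on taking advantage of the chroot environment ... the main server will chroot to the desired virtual server") presents chroot as the separation between virtual servers, but chroot limits the file system view, not privilege: a process that keeps root inside a chroot can break out of it. Add the caveat that this only separates customers from each other when the service drops root after chrooting, and that the per-domain passwd files behind the bob@vdomain1.com / bob@vdomain2.com example need the same ownership and permission discipline as the chrooted ftp passwd file later in this document. Minor, in the unchanged context: "gives better understanding of system works" should read "of how the system works".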
@ -58,25 +123,27 @@ More security info added to several sections
<item>
Windows configuration for dialup added
</itemize>
<p>
<bf>Next update planned at:</bf> upon request or when new program versions are released
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect> TODO Tue Apr 4 15:23:11 EDT 2000
<sect> TODO Mon Aug 7 03:39:28 EDT 2000
<p>
<itemize>
<item>
Finish ftp permission considerations and possible variations of the setup
(like, no uploads at all etc)
<item>
Add more meat to dialin section (troubleshooting is necessary) and describe
setup of Windows boxes to use it (really, nothing special) and investigate
variations of the setup (simplify?)
<item>
More on security of all the services we install (clear text password, DoS by
overflowing partition in mail and ftp, http access configs etc)
overflowing partition in mail and ftp, http access configs etc), including
maybe the very basic ipchains setup (ipchains as safer alternative to tcp wrappers)
<item>
Add info on POP3 and ftp tunneling via ssh (just for fun)
<item>
Add troubleshooting subsections in various sections
Add troubleshooting subsections to various sections
<item>
Add SSL-enabled Apache install and basic configuration
<item>
PDF version is available on all linuxdoc mirror sites
<item>
Add news server setup
</itemize>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
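Review bot: "ipchains as safer alternative to tcp wrappers" misstates the relationship; a packet filter and tcp_wrappers are complementary layers, not substitutes. ipchains filters at the IP layer for every service on the box, while tcpd only covers services started through inetd (here sendmail, popper and ftpd) but gives per-service logging and hostname based rules. Suggest "basic ipchains setup in addition to tcp wrappers". Also "PDF version is available on all linuxdoc mirror sites" is a statement, not a TODO item, and belongs outside this list.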
@ -106,7 +173,9 @@ name="http://www.chuvakin.org/">
My PGP key is located at <tt>
<htmlurl url="http://www.chuvakin.org/pgpkey" name="http://www.chuvakin.org/pgpkey"></tt>
<p>
Please direct spelling error comments to your friendly local spell checker.
Please direct spelling error comments to your friendly local spell checker.<p>
If you plan to ask for <bf>help</bf>, see support section first.
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> Standard disclaimer
<p>
@ -124,6 +193,20 @@ used or evaluated for personal purposes will be described. Most
of the programs will be available complete with source under
GNU-like terms.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> Support
<p>
This is ridiculous, right? Who may ask for support after seeing such a
comprehensive doc ;-) ? <p>
Anyhow, if you are curious about some particular aspect of this setup or some
of my writing is unclear, just drop me an email and I <it>might</it> answer it
(at least, be assured that I will read it).
<p>
Now, if you require a phone, hand-holding style support or <bf>my</bf> work on
<bf>your</bf> system, I <it>might</it> be able to provide it on certain terms
(if I have time and your case seems interesting enough ;-) )
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> Copyright information
<p>
@ -147,8 +230,7 @@ the address given below.
Linux HOWTO coordinator, at
</itemize>
<tt>
<htmlurl url="mailto:gregh@sunsite.unc.edu"
name="gregh@sunsite.unc.edu">
<htmlurl url="mailto:gregh@sunsite.unc.edu" name="gregh@sunsite.unc.edu">
</tt>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
@ -202,19 +284,22 @@ Or probably buying the PC with Linux RH pre-installed is an option for some.
miserably. When asked about the installation type
(Server/Workstation/Custom) choose Server or Custom (if you know what
you are doing)-you can always add software later. Some other important
installation decisions are outlined further.
installation decisions are outlined further. For RH 6.0 and 6.1 you
might be able to add packages to Workstation setup as well, but in RH 6.2 all
the server services are disabled and significant amount of tweaking is
required-so only Server or Custom is strongly recommended.
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> Some install tips
<p>
If you hardware really is <htmlurl url="http://www.redhat.com/support/hardware/"
If your hardware really is <htmlurl url="http://www.redhat.com/support/hardware/"
name="compatible"> the installation
process will detect and configure it correctly. Otherwise, refer to
corresponding documentation for troubleshooting network card, modem,
video card, etc problems
(mostly HOWTOs and mini-HOWTOs, some are in References section below).
<p>
If you network card is detected properly you will be asked for an IP
If your network card is detected properly you will be asked for an IP
address of your machine, gateway address and network mask and the
address of the DNS server (might be your own machine if you plan to
set it up this way). Have all this info handy.
@ -223,7 +308,7 @@ We will use a sample domain name <bf>you.com</bf> and the machine will be
named <bf>ns</bf> (that gives us a fully qualified domain name (FQDN)
<bf>ns.you.com</bf>). You should use whatever domain you registered (see
Setting Up Your New Domain Mini-HOWTO, link in References section below)
and intend to use as you primary domain (not a virtual).
and intend to use as your primary domain (not a virtual).
For the gateway address we will use a sample 111.222.333.111 address. Gateway
is likely the router that connects your machine (or your LAN) to the outside world.
<p>
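Review bot: the sample gateway 111.222.333.111 (and the 111.222.333.x addresses reused in the zone files later in the document) is not a valid IPv4 address, since the octet 333 exceeds 255; given the stated goal that readers "can just paste them", use an RFC 1918 range such as 192.168.x.x or 10.x.x.x for placeholders so that pasted configurations at least parse.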
@ -334,7 +419,7 @@ get something similar to the <tt>sample</tt> output below:
5181 ? S 0:00 httpd
5182 ? S 0:00 httpd
5183 ? S 0:00 httpd
7321 ? S 0:00 /usr/sbin/sshd <<<<< only after you installed sshd to run on startup
7321 ? S 0:00 /usr/sbin/sshd <<< only after you installed sshd to run on startup
7323 pts/0 S 0:00 -bash
7336 pts/0 R 0:00 ps ax
</verb></tscreen>
@ -345,14 +430,12 @@ get something similar to the <tt>sample</tt> output below:
printer daemon by: <bf>rpm -e lpd </bf>. If rpm complains about any
dependencies (like, in my case, printfilter and rhprinttool), add
them to your <bf>rpm -e</bf> command and repeat it. Other services
that might be removed are NFS, NIS, samba etc, if they got installed
that should be removed are NFS, NIS, samba etc, if they got installed
by mistake. Again, these are useful things, I am just following the
*golden rule* <bf>"remove the software you don't currently use"</bf>. And,
with RH RPM it is really easy to add it any time in the future.
</enum>
Some more basic security settings can be obtained from <htmlurl
url="http://www.enteract.com/~lspitz/linux.html" name="Armoring Linux">
paper. As suggested there, lets make a wheel group with trusted users
@ -364,10 +447,10 @@ wheel group for sensitive commands:<p>
<enum>
<item>
<tt>vi /etc/group</tt>, add a line (if it doesn't exist):
<verb>wheel:x:10:root,you</verb>. If line exists, just add <tt>you</tt> in the end
<verb>wheel:x:10:root,you</verb> If line exists, just add <tt>you</tt> in the end
as shown.
You don't have to use vi (and I understand it very well), just use your favorite editor
(for a nice reasonably user-friendly editor try <tt>pico</tt>, distributed
(for a nice reasonably user-friendly non-X editor try <tt>pico</tt>, distributed
together with mail program <tt>pine</tt>, the latter is part of most Linux distributions)
<item>
<verb>/bin/chgrp wheel /bin/su</verb> change group ownership to
@ -384,6 +467,8 @@ be able to run cron jobs. This file might look like this:
root
you
</verb></tscreen>
Why should one restrict cron jobs? Local exploits to elevate privileges to <tt>root</tt>
from, say, <tt>nobody</tt>, exist for some versions of cron.
</itemize>
<p>
I suggest you do not install X Windows as it will bring new concern that
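Review bot: "Local exploits to elevate privileges to root from, say, nobody, exist for some versions of cron" is too vague to act on; name the affected cron package versions or link the advisory so a reader on RH 6.x can tell whether the stock vixie-cron is affected. It is also worth stating what the restriction does: /etc/cron.allow limits who may run crontab(1) to install jobs, it does not affect jobs already present in /var/spool/cron, including root's own crontab that the sendmail section relies on for queue runs.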
@ -402,7 +487,7 @@ cryptographically enabled websites (commonly known as "secure websites").
Older browsers (not supporting HTTP 1.1) will get unhappy too.
<p>
The changes would be concentrated in <it>/etc/rc.d/</it> directory.
To enable multiple IP addresses you kernel should support this. On a freshly
To enable multiple IP addresses your kernel should support this. On a freshly
installed RH Linux it does. To verify it one should look into the config file
that was used to compile the kernel. In my case, it was
<it>/usr/src/linux/configs/kernel-2.2.12-i686.config</it> since the machine
@ -507,7 +592,7 @@ ADMROCKS, that gives remote root access to almost any Linux machine running bind
8.1.2 patch 3. Judging by the INCIDENTS mailing list, this is still a very
popular way to attack RH versions 5.0-6.1 if no recommended upgrades are installed.
<p>
Here are the instructions, loosely following the DNS book from O'Reily (a good
Here are the instructions, loosely following the DNS book from O'Reilly (a good
one, highly recommended to all, but very casual DNS user).
<p>
<enum>
@ -518,7 +603,7 @@ personally I didn't try this and so I am somewhat skeptical
about installing RH 4.2 package on RH 6.1 system, but it might work)
or from source (<htmlurl url="ftp://ftp.isc.org/isc/bind/src/4.9.7/" name="bind 4.9.7">,
compiling it is a bit troublesome, but reading all the README files
in the archive will definitely help)
in the archive will definitely help).
<item>
Create files and directories needed for bind:
<itemize>
@ -551,7 +636,7 @@ Try to convince somebody to put you in as a secondary or use a free DNS service
<item>
<p>
That is how they look like (if you are unfamiliar with bind 4.x configuration
file format, please, do read either the O'Reily DNS book or any
file format, please, do read either the O'Reilly DNS book or any
of the HOWTOs or documents at
<htmlurl url="http://www.dns.net/dnsrd/" name="bind pages">, or, better, all of the above.
You also have an option of using them without understanding, but this is a bad idea in general):
@ -617,7 +702,7 @@ pop3 CNAME ns
;addresses point to canonical name
444.333.222.111.in-addr.arpa. IN PTR ns.you.com.
;dialups
;dialins
888 IN PTR dialup.you.com.
;virtual hosts
@ -645,7 +730,7 @@ pop3 CNAME ns
1800 ; retry, sec
3600000 ; expire, sec
7200 ) ; minimum TTL
;name Servers
;name servers
IN NS ns.you.com.
IN MX 10 virtual
IN A 111.222.333.555
@ -670,7 +755,7 @@ pop3 CNAME virtual
1800 ; retry, sec
3600000 ; expire, sec
7200 ) ; minimum TTL
;name Servers
;name servers
IN NS ns.you.com.
IN MX 10 virtual
IN A 111.222.333.666
@ -695,7 +780,7 @@ pop3 CNAME virtual
1800 ; retry, sec
3600000 ; expire, sec
7200 ) ; minimum TTL
;name Servers
;name servers
IN NS ns.you.com.
IN MX 10 virtual
IN A 111.222.333.777
@ -712,7 +797,7 @@ pop3 CNAME virtual
</verb></tscreen>
</enum>
These configuration files will allow you to host these three virtual domains
and you real domain <bf>you.com</bf>.
and your real domain <bf>you.com</bf>.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
@ -779,6 +864,8 @@ References section), section on virtual hosting.
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Configure sendmail
<p>
<sect2>Setup
<p>
Now we will deal with sendmail. Again, proposed are the minimum necessary
changes to the stock RH <it>/etc/sendmail.cf</it> and <it>/etc/sendmail.cw</it>.
@ -820,7 +907,7 @@ that requires a special virtual-aware POP/IMAP server (included with RH) and
is somewhat more complicated. It is recommended for bigger email volume sites
with many users within each domain.
<p>
A few words about sendmail, it is a good idea (good from a security
A few words about sendmail, it is a good idea (good from the security
standpoint) to have sendmail run from
<it>inetd.conf</it> and not as a standalone daemon. For that we need to add it
to <it>/etc/inetd.conf</it>, remove it from <it>/etc/rc.d/init.d</it>, add the
@ -848,7 +935,7 @@ By editing your (root's) crontab (to edit do <bf>crontab -e</bf>) add a line lik
That would process sendmail queue every 20 min (if it exists).
The described steps will simplify sendmail access control and will let you
regulate who can talk to you 25 port, not just who can send email through you.
regulate who can talk to your 25 port, not just who can send email through you.
The lines in <it>/etc/hosts.allow</it>
that let all machines from .com and .org domains send you email are as follows
<verb>
@ -861,9 +948,20 @@ NOT smtp).
<p>
That would allow your system to handle email for all those domains.
<p>
<sect2>Troubleshooting
<p>
<bf>PROBLEM:</bf> mail that you are trying to send is denied with a message
<tt>Relaying denied</tt><p>
<bf>SOLUTION:</bf>Look into your <it>/etc/sendmail.cw</it>. Are you sure all
possible variations of your hostname and of your virtual hostnames are here?
Look in the message headers and see from what machine it was rejected from: does it
look like another name of yours that you missed?
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Configure POP3
<p>
<sect2>Setup
<p>
POP3 configuration is easy (no "virtualization" is required for this setup). RH comes
equipped with imapd IMAP server. If you do not want to use IMAP functionality
or do not like this particular implementation (buffer overflow bugs were discovered in it at
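Review bot: the new Troubleshooting answer for "Relaying denied" covers only one cause. /etc/sendmail.cw (class w) lists the names sendmail treats as local, so adding missed hostnames fixes rejections of mail addressed to your own domains. If the rejected mail is your own dial-in or LAN users sending to outside domains through this box, sendmail.cw is the wrong knob; that case is handled by authorizing their hosts or networks in /etc/mail/relay-domains or the access database. Say so explicitly, because the shortcut readers reach for is relaxing relay checks globally, which makes the box an open relay and defeats the security goals stated in the introduction.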
@ -871,21 +969,25 @@ some point) the good idea is to use
<tt>qpopper</tt>, free POP3 daemon from Eudora
<htmlurl url="http://www.eudora.com/freeware/qpop.html"
name="http://www.eudora.com/freeware/qpop.html">. At the time of writing they
release the "stable" version (qpopper 2.53) and "public beta" ( qpopper 3.0,
release 34, now called "final beta").
release the "old" version (qpopper 2.53) and "new" (qpopper 3.0).
It is important to note that versions earlier than 2.5 contain a
buffer overflow error that allows remote root exploit to be executed. Same
problem plagues "public betas" up to 3.0 release 21. Use either 2.53 or the
latest 3.0 beta (the former is better audited and the latter is better suited
latest 3.0 (the former is better audited and the latter is better suited
for RH - seamlessly works with PAM authentication). I suggest using 3.0, so
the instructions below apply to that case.
the instructions below apply to that case. As of April 13, Qpopper 3.0 is no
longer beta, but a regular software. As of recently, the bug was discovered in
Qpopper 2.53 that allows the attacker to
obtain a shell with group-id 'mail', potentially allowing read/write
access to all mail.
<p>
<enum>
<item>
<tt>wget ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper3.0b34.tar.Z</tt>
<tt>wget ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper3.0.tar.Z</tt>
<p>Retrieve the archive from Eudora site.
<item>
<tt>tar zxvf qpopper3.0b34.tar.Z</tt>
<tt>tar zxvf qpopper3.0.tar.Z</tt>
<p>Uncompress and untar the contents.
<item>
<tt>cd qpopper</tt>
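Review bot: the hunk adds that a bug in Qpopper 2.53 yields a shell with group-id 'mail', but leaves "Use either 2.53 or the latest 3.0 (the former is better audited ...)" two lines above untouched; the two statements contradict each other. Drop 2.53 from the recommendation (or qualify it as a patched build) and give the 3.0 release that fixes it. "As of April 13" needs a year, and since the surrounding lines still describe the older remote root overflow in versions before 2.5 and betas up to 3.0 release 21, make clear that the 2.53 gid 'mail' issue is a separate bug.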
@ -904,12 +1006,13 @@ manifestation of "security through obscurity")
<p>That compiles the popper
<item>
<verb>
/bon/cp popper/popper /usr/local/bin
/bin/cp popper/popper /usr/local/bin
</verb>
<p>Now copy it to <it>/usr/local/bin</it>
and set the mode to
<p>Copies the binary to <it>/usr/local/bin</it>
<item>
Now set the mode to
<verb>
-rwx------ 1 root root 297008 Feb 16 15:41 /usr/local/lib/popper
-rwx------ 1 root root 297008 Feb 16 15:41 /usr/local/bin/popper
</verb>
by using the command:
<verb>
@ -926,8 +1029,8 @@ That would cause the tcpd wrapper to control access to popper.
<verb>
popper: .good.com .nice.org
</verb>
That will allow people from domains good.com and nice.org to read email via
POP3 client from your machine.
That will allow people from domains <tt>good.com</tt> and <tt>nice.org</tt>
to read email via POP3 client from your machine.
<p>
To cause qpopper to use PAM authentication one must create a file for POP3
service in <tt>/etc/pam.d/</tt> directory. File should be named "pop3" (same as line in
@ -952,9 +1055,20 @@ pop3 110/tcp # pop3 service
</enum>
That would allow all user to get their email via any reasonable mail client.
<p>
<sect2>Troubleshooting
<p>
<bf>PROBLEM:</bf> you are connecting to your POP server with valid password
and username and they are rejected with a message <tt>Password incorrect</tt>.
<p>
<bf>SOLUTION:</bf> PAM doesn't like your setup. This message is common for
qpopper 2.53, use 3.0 and it should disappear. Otherwise, look into
<tt>/etc/pam.d/pop3</tt> that you created. Is it OK?
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Configure FTP server
<p>
<sect2>Anonymous FTP setup
<p>
We will use only anonymous ftp and will not allow any non-anonymous user any
access. Here we describe the anonymous ftp server setup that allows anonymous
uploads. Any self-respecting guide on the subject will tell you that "this is
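Review bot: "PAM doesn't like your setup ... Is it OK?" gives the reader nothing concrete to check. PAM modules report the actual failure reason through syslog (authpriv facility, /var/log/secure on Red Hat), so the SOLUTION should send the reader there first and then cross-reference the /etc/pam.d/pop3 contents from the Setup part, which is the file most likely to be mistyped.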
@ -964,7 +1078,10 @@ location and transfer their passwords in clear text? Not everybody
<p>
I suggest using the stock RH wu-ftpd (version 2.6.0 at the time of
writing). While it is rumored that there are "more secure" ftp daemons
(Pro-FTP?), wu-ftp appears to be one most commonly used.
(Pro-FTP?), wu-ftp appears to be one most commonly used. Recenly a series of
bug was again discovered in wu-ftp and its reputation as the most popular ftp
daemon seem to be dwindling. CERT has issued an advisory concerning WU-FTPD and all ftp daemons derived
from BSD's final release.
<p>
RH installs the wu-ftpd (package wu-ftpd-2.6.0-1) by default in server
configuration. You are encouraged to check for updates as running ftp is an important
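Review bot: typos in the added lines ("Recenly", "a series of bug was", "seem to be dwindling"), and the CERT advisory is mentioned without a number, title or link; cite it so the reader can check whether the stock wu-ftpd-2.6.0-1 package recommended in the next paragraph is affected and which errata package fixes it. As written the section both recommends stock 2.6.0 and says a series of bugs was found in wu-ftp, without saying whether 2.6.0 is among the affected versions.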
@ -1079,7 +1196,7 @@ upload /home/ftp /incoming yes root wheel 0400 nodirs
#upload /home/ftp /incoming yes root wheel 0400 dirs
#prevent anon users to GET files from incoming (you might not like it, but it
#is a good idea-to prevent some people from using you ftp server to store
#is a good idea-to prevent some people from using your ftp server to store
#their own stuff, pics, warez etc)
noretrieve /home/ftp/incoming
@ -1087,7 +1204,170 @@ noretrieve /home/ftp/incoming
That would allow only anonymous users to do downloads and uploads in somewhat (<bf>!</bf>)
controlled manner.
<p>
<sect2>Guest FTP setup
<p>
Guest FTP users are those that have valid usernames and passwords (unlike
anonymous), but do not have access to the whole directory structure (unlike
real ones). So they are chrooted after authentication. Guest users can do
uploads in this configuration.
<p>
Easy <bf>21-step</bf> directions for that are provided below ;-)
<p>
Software used: <tt>wu-ftpd-2.6.0-3</tt><p>
Sample username will be created: <bf>ftpguy</bf>, user ID=505.<p>
Her group will be: <bf>lusers</bf>, group ID=701.<p>
If you want more users of the same sort, they should be the members of the
same group. For that it might be good to change the directory structure
somewhat so that all of them use the same <it>passwd</it> file and the same
static <tt>ls</tt>. But, for better separation you can give each of them their
own files.
<p>
<enum>
<item>
<tt>adduser ftpguy</tt>
<p>creates an entry in <it>/etc/passwd</it>
<item>
<tt>passwd ftpguy</tt>
change password to whatever
<item>Edit file <it>/etc/passwd</it>, last line (that contains our new user)
should look like this
<verb>
ftpguy:x:505:701::/home/ftpguy/./:/etc/ftponly
</verb>
yes, that is "slash"-"dot"-"slash" after his home directory.
<item>Edit file <it>/etc/shells</it>, add line, below
<verb>/etc/ftponly</verb>
This file doesn't have to actually exist.
<item>Edit file <it>/etc/group</it>, add line, below
<verb>
lusers:x:701:ftpguy
</verb>
<item>
<tt>cd /home</tt>
<item>
<verb>chown ftpguy.lusers ftpguy</verb>
this directory is created by adduser command
<item>
<verb>cd ftpguy; mkdir etc bin ; chown root.daemon etc bin</verb>
this creates a directory tree for chroot
<item>
<verb>chmod 111 etc bin</verb>
this sets <bf>very</bf> conservative permissions on directories within the
chrooted tree
<item>
<verb>cp ~/static_ls /home/ftpguy/bin/ls</verb>
obtaining static (not calling any libraries) version of <it>/bin/ls</it>:
this directory
(<htmlurl url="http://www.stanford.edu/group/itss-ccs/security/binaries/linux/redhat/" name="http://www.stanford.edu/group/itss-ccs/security/binaries/linux/redhat/">)
contains static version of many RH 6.1-compatible utilities, including ls
(local copy is
<htmlurl url="http://www.chuvakin.org/ispdoc/ls.gz"
name="http://www.chuvakin.org/ispdoc/ls.gz"> here, <tt>gunzip ls.gz</tt> to run)
<item>
<verb>cd bin ; chown root.bin ls</verb>
<item>
<verb>chmod 111 ls</verb>
this sets <bf>very</bf> conservative permissions on binaries within chroot
<item>
<verb>cd ../etc</verb>
<item>
Create file <it>/home/ftpguy/etc/passwd</it> as follows
<tscreen><verb>
root:*:0:0::/:/etc/ftponly
ftpguy:*:505:701::/home/ftpguy/./:/etc/ftponly
</verb></tscreen>
<item>
Create file <it>/home/ftpguy/etc/group</it>, contents follow
<tscreen><verb>
root::0:root
lusers::701:ftpguy
</verb></tscreen>
<item>
<verb>chown root.daemon passwd group</verb>
this sets proper ownership of these files
<item>
<verb>chmod 444 passwd group</verb>
this sets minimum necessary permission on that file
<item>
<verb>cd ~ftpguy; touch .forward</verb>
this creates <it>.forward</it> file
<item>
<verb>chown root.root .forward ; chmod 400 .forward</verb>
and locks it for security reasons
<item>
<verb>cd /etc</verb>
<item>
Add the facilities for handling guest users into <it>/etc/ftpaccess</it>
<tscreen><verb>
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
class anonftp guest,anonymous *
delete no anonymous,guest # delete permission?
overwrite no anonymous,guest # overwrite permission?
rename no anonymous,guest # rename permission?
chmod no anonymous,guest # chmod permission?
umask no anonymous,guest # umask permission?
guestgroup lusers
limit remote 10 Any /toomany.msg
upload /home/ftp * no
readme README* login
readme README* cwd=*
message /welcome.msg login
message .message cwd=*
alias inc: /incoming
cdpath /incoming
cdpath /pub
cdpath /
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
noretrieve .notar
upload /home/ftp /incoming yes root wheel 0400 nodirs
noretrieve /home/ftp/incoming
</verb></tscreen>
</enum>
<p>
Lets test this beast:
<tscreen><verb>
localhost[anton]#1008: ftp localhost
Connected to anton.
220 anton FTP server (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000) ready.
Name (localhost:anton): ftpguy
331 Password required for ftpguy.
Password:
230 User ftpguy logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 4
drwx------ 4 505 701 1024 Apr 8 02:16 .
drwx------ 4 505 701 1024 Apr 8 02:16 ..
-r-------- 1 0 0 0 Apr 8 02:16 .forward
d--x--x--x 2 0 2 1024 Apr 8 02:09 bin
d--x--x--x 2 0 2 1024 Apr 8 02:15 etc
226 Transfer complete.
ftp> mkdir TEST
257 "/TEST" new directory created.
ftp> ls -l
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 3
-r-------- 1 0 0 0 Apr 8 02:16 .forward
drwxr-xr-x 2 505 701 1024 Apr 8 02:32 TEST
d--x--x--x 2 0 2 1024 Apr 8 02:09 bin
d--x--x--x 2 0 2 1024 Apr 8 02:15 etc
226 Transfer complete.
ftp>
</verb></tscreen>
and so on.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Configure dialin
<p>
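Review bot: in the /etc/ftpaccess block, "path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-" restricts upload file names for anonymous users only, yet the guest user is allowed to upload (the transcript shows mkdir succeeding), so apply the same path-filter to guest; otherwise a guest can create names with spaces, leading dashes or control characters in a directory that is presumably web-served. "limit remote 10 Any /toomany.msg" refers to a class "remote" that is not defined in the block (only "class anonftp guest,anonymous *" is), so the limit does nothing unless that class exists elsewhere in the file. Also, step "cp ~/static_ls /home/ftpguy/bin/ls" has the reader install a pre-built binary fetched from a third-party web site (or the author's own) into the chroot and execute it on the server for every listing; recommend building ls statically from the distribution's own fileutils source, or at least publishing a checksum next to ls.gz. Minor: "Her group" and "after his home directory" refer to the same user.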
@ -1217,6 +1497,13 @@ Check that mgetty is running by looking for similar line in the output of
</verb></tscreen>
Now this machine will allow modem calls from any Windows 95/98 box.
<p>
As was noted by one of the readers some steps are to be taken to prevent users
from sharing their dialin password with others. A simple perl/shell script
will do the job by killing and logging connections that use the same
username.
<p>Also, if it is desirable to prevent users from using dialing in their
usernames should not be put into <it>/etc/ppp/pap-secrets </it>.
<sect2>Windows setup
<p>
This is <bf>really</bf> straightforward.
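Review bot: "A simple perl/shell script will do the job by killing and logging connections that use the same username" describes neither the script nor what it checks, so the reader cannot reproduce it; state what it keys on (utmp via who(1), or the mgetty/pppd log entries) and whether the second login is refused at login time or killed afterwards, since killing after the fact still leaves a window in which both sessions are up. The last sentence also has a typo: "prevent users from using dialing in their usernames should not be put into" should read "to prevent users from dialing in, their usernames should not be put into /etc/ppp/pap-secrets".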
@ -1328,6 +1615,19 @@ dialin info">
<htmlurl url="http://www.best.com/~aturner/RedHat-FAQ/DOCS/tips4.html"
name="Using RedHat 5.1 to Start an ISP">, the short article on how to start an
ISP if all you have is a Linux RH ;-)
<item>
<htmlurl url="ftp://ftp.fni.com/pub/wu-ftpd/guest-howto" name="Guest FTP
server setup">
<item>
<htmlurl url="http://www.swcp.com/~jgentry/pers.html" name="Linux Dialin
Server Setup Guide"> Yet Another Guide about that
<item>
<htmlurl url="http://www.prongs.org/virtfs" name="virtfs"> a nice automatic
tool for configuring virtual services based on Perl script
<item>
<htmlurl url="http://www.linuxisp.com/Linux-ISP.HOWTO"
name="Linux Public Access HOWTO">an old and not updated for 5 years document
describing Linux-based ISP, some nice hints on equipment (serial boards) and performance
</enum>
<p>
Resources, not related to the topic of the document ;-)
@ -1343,6 +1643,3 @@ it later.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
</article>