mirror of https://github.com/tLDP/LDP
1349 lines
56 KiB
Plaintext
1349 lines
56 KiB
Plaintext
<!doctype linuxdoc system>
|
|
|
|
<article>
|
|
|
|
<title>"Pocket" ISP based on RedHat Linux
|
|
<author>Anton Chuvakin, <tt>
|
|
<htmlurl url="mailto:anton@chuvakin.org" name="anton@chuvakin.org"></tt>
|
|
<date>v1.0.1 4 April 2000</date>
|
|
<abstract>
|
|
This document outlines the setup of a single RedHat box for dialins, virtual
|
|
web hosting, virtual email, POP3 and ftp servers. Why anybody might need
|
|
this in one box is beyond the scope of this document. The idea is a complete
|
|
ISP solution based on RedHat Linux. Any part of this setup can be
|
|
implemented separately though. I will try to emphasize all the commands so
|
|
one can just paste them to configure his own box. The list of documents
|
|
that I borrowed from and some further reading is below (see References section).
|
|
I will try to keep security in mind on all stages of the setup and to make
|
|
clear all the security limitations of this setup.
|
|
I should add that assets that are to be
|
|
protected in this case are considered not very valuable (e.g. personal pages etc) thus
|
|
efforts spent on securing the setup are allowed to be limited.
|
|
</abstract>
|
|
<toc>
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect> Introduction
|
|
<p>
|
|
The guide assumes some familiarity with Linux functionality and general
|
|
Linux/UNIX setup procedure (although not very detailed). Fully functional
|
|
brain is also required for some stages of the procedure. All setup would
|
|
be done manually (without the use of <htmlurl
|
|
url="http://www.solucorp.qc.ca/linuxconf/" name="linuxconf"> or other
|
|
tools). Not that those are bad or that there is anything wrong with them. The
|
|
reasons for that are: 1) it is comparatively hard to give step by step directions
|
|
that produce predictable results as these tools pretend they are intelligent
|
|
and "know better" (Windows syndrome) 2) layout of tools changes with time and is different
|
|
in some distributions 3) manual setup gives better understanding of system works
|
|
(not that it is always required though) 4)some tools allow only limited
|
|
configuration of Linux system or do not keep up with updated features.
|
|
While many improvements are possible to this setup they might be
|
|
described in later editions of this document - I just outline one possible
|
|
way (accidentally, the one I used). The writeup is aimed at RedHat Linux,
|
|
but with trivial changes can be used on any modern Linux distribution.
|
|
The resulting configuration loosely follows
|
|
the setup of some particular machines built by the author..
|
|
<p>
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect> Changes from 1.0.0 to 1.0.1
|
|
<p>
|
|
<itemize>
|
|
<item>
|
|
<it>Many</it> errors corrected (both spelling and factual)
|
|
<item>
|
|
References section updated
|
|
<item>
|
|
Minor changes in wording and syntax to improve clarity
|
|
<item>
|
|
More security info added to several sections
|
|
<item>
|
|
Windows configuration for dialup added
|
|
</itemize>
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect> TODO Tue Apr 4 15:23:11 EDT 2000
|
|
<p>
|
|
<itemize>
|
|
<item>
|
|
Finish ftp permission considerations and possible variations of the setup
|
|
(like, no uploads at all etc)
|
|
<item>
|
|
Add more meat to dialin section (troubleshooting is necessary) and describe
|
|
setup of Windows boxes to use it (really, nothing special) and investigate
|
|
variations of the setup (simplify?)
|
|
<item>
|
|
More on security of all the services we install (clear text password, DoS by
|
|
overflowing partition in mail and ftp, http access configs etc)
|
|
<item>
|
|
Add info on POP3 and ftp tunneling via ssh (just for fun)
|
|
<item>
|
|
Add troubleshooting subsections in various sections
|
|
</itemize>
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
|
|
<sect1> New versions of this document
|
|
<p>
|
|
New versions of this document can be found at
|
|
|
|
<tt>
|
|
<htmlurl url="http://www.chuvakin.org/ispdoc" name="http://www.chuvakin.org/ispdoc">
|
|
</tt>
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1> Feedback
|
|
<p>
|
|
All comments, error reports, additional information (very much appreciated!!!) and criticism
|
|
of all sorts should be directed to:
|
|
<tt>
|
|
<htmlurl url="mailto:anton@chuvakin.org" name="anton@chuvakin.org">
|
|
</tt>
|
|
<p>
|
|
<tt>
|
|
<htmlurl url="http://www.chuvakin.org/"
|
|
name="http://www.chuvakin.org/">
|
|
</tt>
|
|
<p>
|
|
My PGP key is located at <tt>
|
|
<htmlurl url="http://www.chuvakin.org/pgpkey" name="http://www.chuvakin.org/pgpkey"></tt>
|
|
<p>
|
|
Please direct spelling error comments to your friendly local spell checker.
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1> Standard disclaimer
|
|
<p>
|
|
No liability for the contents of this document can be accepted.
|
|
Use the concepts, examples and other content at your own risk.
|
|
Additionally, this is an early version, with many possibilities
|
|
for inaccuracies and errors.
|
|
<p>
|
|
One of many possible setups will be described. In the Linux
|
|
world, there is usually a number of ways in which to accomplish
|
|
things.
|
|
<p>
|
|
As far as I know, only programs that under certain terms may be
|
|
used or evaluated for personal purposes will be described. Most
|
|
of the programs will be available complete with source under
|
|
GNU-like terms.
|
|
<p>
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1> Copyright information
|
|
<p>
|
|
This document is copyrighted (c) 2000 Anton Chuvakin and
|
|
distributed under the following terms:
|
|
<p>
|
|
<itemize>
|
|
<item> Linux HOWTO documents may be reproduced and distributed in
|
|
whole or in part, in any medium physical or electronic, as long
|
|
as this copyright notice is retained on all copies. Commercial
|
|
redistribution is allowed and encouraged; however, the author
|
|
would like to be notified of any such distributions.
|
|
<item> All translations, derivative works, or aggregate works
|
|
incorporating any Linux HOWTO documents must be covered under
|
|
this copyright notice. That is, you may not produce a derivative
|
|
work from a HOWTO and impose additional restrictions on its
|
|
distribution. Exceptions to these rules may be granted under
|
|
certain conditions; please contact the Linux HOWTO coordinator at
|
|
the address given below.
|
|
<item> If you have questions, please contact Greg Hankins, the
|
|
Linux HOWTO coordinator, at
|
|
</itemize>
|
|
<tt>
|
|
<htmlurl url="mailto:gregh@sunsite.unc.edu"
|
|
name="gregh@sunsite.unc.edu">
|
|
</tt>
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect> Step by step guide
|
|
<p>
|
|
|
|
Ingredients needed:
|
|
<itemize>
|
|
<item>
|
|
RedHat Linux distribution (the instructions are exactly applicable to RedHat
|
|
6.1 or 6.0 (I think, 6.2, as well, since there are no major changes)
|
|
and with some minor changes to 5.x versions)
|
|
<item>
|
|
<htmlurl url="http://www.redhat.com/support/hardware/"
|
|
name="compatible"> hardware (also known as a PC), that includes
|
|
network card and modem (at least one)
|
|
<item>
|
|
3-256 IP addresses (as the machine will give out some IP addresses for modem
|
|
callers and use others for virtual hosting more than 1 is needed, the upper
|
|
number is the maximum number of IP-based virtual hosts allowed without
|
|
recompiling the stock RedHat kernel, lower is one real IP, one modem and one virtual
|
|
IP).
|
|
<item>
|
|
some sort of permanent network connection (using some modems for dialin while
|
|
providing the Internet access via another modem is considered <it>weird</it>
|
|
and not recommended)
|
|
</itemize>
|
|
<p>
|
|
Here follows the procedure:
|
|
<p>
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1>Get RH
|
|
<p>
|
|
Purchase or otherwise procure the RedHat 6.1 (further referred as RH,
|
|
latest version number is 6.1 at the time of writing) distribution and
|
|
<htmlurl url="http://www.redhat.com/support/hardware/"
|
|
name="compatible"> hardware. One can get a full RH CDROM for about
|
|
$2.00 including shipping and handling at <htmlurl
|
|
url="http://www.cheapbytes.com"
|
|
name="http://www.cheapbytes.com">. This version will not contain such luxuries
|
|
as secure web server and extra software. For those you should turn to
|
|
<htmlurl url="http://www.redhat.com" name="RedHat website">.
|
|
Or probably buying the PC with Linux RH pre-installed is an option for some.
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1> Install RH
|
|
<p>
|
|
Install the RH following the *instructions on the package* (might be
|
|
added here later). CDROM install is very easy to perform. I suggest
|
|
using text-mode setup, in my case their new graphical one failed
|
|
miserably. When asked about the installation type
|
|
(Server/Workstation/Custom) choose Server or Custom (if you know what
|
|
you are doing)-you can always add software later. Some other important
|
|
installation decisions are outlined further.
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1> Some install tips
|
|
<p>
|
|
If you hardware really is <htmlurl url="http://www.redhat.com/support/hardware/"
|
|
name="compatible"> the installation
|
|
process will detect and configure it correctly. Otherwise, refer to
|
|
corresponding documentation for troubleshooting network card, modem,
|
|
video card, etc problems
|
|
(mostly HOWTOs and mini-HOWTOs, some are in References section below).
|
|
<p>
|
|
If you network card is detected properly you will be asked for an IP
|
|
address of your machine, gateway address and network mask and the
|
|
address of the DNS server (might be your own machine if you plan to
|
|
set it up this way). Have all this info handy.
|
|
Also you will be asked for a machine name and domain name.
|
|
We will use a sample domain name <bf>you.com</bf> and the machine will be
|
|
named <bf>ns</bf> (that gives us a fully qualified domain name (FQDN)
|
|
<bf>ns.you.com</bf>). You should use whatever domain you registered (see
|
|
Setting Up Your New Domain Mini-HOWTO, link in References section below)
|
|
and intend to use as you primary domain (not a virtual).
|
|
For the gateway address we will use a sample 111.222.333.111 address. Gateway
|
|
is likely the router that connects your machine (or your LAN) to the outside world.
|
|
<p>
|
|
Enable <bf>shadow</bf> and <bf>MD5</bf> passwords for greater security.
|
|
First of those makes the file that contains encrypted
|
|
passwords readable only to <tt>root</tt> user
|
|
and the second allows longer and harder to crack passwords.
|
|
As it will be a standalone machine do not enable NIS/NFS.
|
|
<p>
|
|
After installation finishes and machine reboots you will see the login
|
|
prompt.
|
|
Enter login and password (for the root account) and start configuring you
|
|
new Linux station.
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1>Some preliminary security configuration
|
|
<p>
|
|
First (and fast), add a line:
|
|
<tt>
|
|
ALL:ALL
|
|
</tt>
|
|
to your <it>/etc/hosts.deny</it> file. That would (to some known extent)
|
|
prevent other people from accessing your machine while you are doing the
|
|
configuration. That will also prevent you from doing the same. For
|
|
further configuration efforts (that can be done remotely, by the way)
|
|
<htmlurl url="http://www.ssh.com" name="secure shell"> is
|
|
recommended. Download the RPM package for RH from one of the many sites
|
|
and install it (as root) using: <bf> rpm -U ssh*rpm</bf> or similar
|
|
command (depends upon the version). You will have to get both client and
|
|
server packages (if you want to ssh from this machines as well as to
|
|
this machine). Upon installation all necessary post-installation commands
|
|
(like server key generation)
|
|
are run automatically by the RPM package. You will have to start server
|
|
manually using command <bf>/etc/rc.d/init.d/sshd start</bf>.Some early
|
|
versions of ssh-1 and also all versions of ssh-1 compiled with RSAREF library
|
|
contain a buffer-overflow bug. Use ssh-2 or the latest version of ssh-1
|
|
without RSAREF. If you do this you will have to allow access using ssh
|
|
from some trusted machine (described later) in <it>/etc/hosts.allow</it> file.
|
|
<p>
|
|
If you want to be really rigorous in you configuration pursuits go to single
|
|
use mode by giving the command <bf>init 1</bf>, in this case all work is to
|
|
be done locally and you would not be able to test you network-related
|
|
configuration as network is not available in this mode.
|
|
<p>To further enhance your security <bf>ipchains</bf> software (that is
|
|
usually part of your Linux distribution) can be
|
|
used (for that refer to IPCHAINS HOWTO, link in References).
|
|
It takes quite a bit more efforts to configure it than TCP wrappers,
|
|
although some automated tools are available for that too.
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1>Remove unnecessary services
|
|
<p>
|
|
Now lets deal with unnecessary services. Please note that my idea of
|
|
"unnecessary" might not be 100% same as yours.
|
|
<enum>
|
|
<item>
|
|
Services started from <it>/etc/inetd.conf</it>:<p>
|
|
comment out all the lines, but those
|
|
<tscreen><verb>
|
|
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -L -l -i -a
|
|
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
|
|
</verb></tscreen>
|
|
Check this by using the command: <bf>grep -v '\#' /etc/inetd.conf</bf>
|
|
<p>If you will be using the secure shell (ssh), telnet is also not necessary and can
|
|
be removed. Secure shell can either be started as a daemon on system startup
|
|
or as a service from <it>/etc/inetd.conf</it>. Default configuration (used by
|
|
the RPM package) is to start is as a daemon. Sshd can be compiled to refer to
|
|
<it>/etc/hosts.allow</it> file for access control. In this case, while you
|
|
will not have it in your <it>/etc/inetd.conf</it>, it will still use the
|
|
settings from <it>/etc/hosts.allow</it> and <it>/etc/hosts.deny</it>. The
|
|
advantages of this method is faster connection as the sshd will not have to
|
|
regenerate server key every time somebody connects. On the other hand, if you
|
|
start it from <it>/etc/inetd.conf</it> it will be more isolated from the
|
|
outside world.
|
|
More lines will be added to <it>/etc/inetd.conf</it> as necessary (POP3 is one of those).
|
|
<p>
|
|
<item>
|
|
Services started on system startup from <it>/etc/rc.d</it> directory:<p>
|
|
Check what services are running by using: <bf>ps ax</bf>. You will
|
|
get something similar to the <tt>sample</tt> output below:
|
|
<tscreen><verb>
|
|
PID TTY STAT TIME COMMAND
|
|
1 ? S 0:04 init
|
|
2 ? SW 0:30 [kflushd]
|
|
3 ? SW 0:32 [kupdate]
|
|
4 ? SW 0:00 [kpiod]
|
|
5 ? SW 0:03 [kswapd]
|
|
6 ? SW< 0:00 [mdrecoveryd]
|
|
296 ? SW 0:00 [apmd]
|
|
349 ? S 0:00 syslogd -m 0
|
|
360 ? S 0:00 klogd
|
|
376 ? S 0:00 /usr/sbin/atd
|
|
392 ? S 0:00 crond
|
|
412 ? S 0:00 inetd
|
|
454 ttyS0 S 0:00 gpm -t ms
|
|
533 tty2 SW 0:00 [mingetty]
|
|
534 tty3 SW 0:00 [mingetty]
|
|
535 tty4 SW 0:00 [mingetty]
|
|
536 tty5 SW 0:00 [mingetty]
|
|
537 tty6 SW 0:00 [mingetty]
|
|
667 tty1 SW 0:00 [mingetty]
|
|
4540 ? S 0:00 httpd
|
|
5176 ? S 0:00 httpd
|
|
5177 ? S 0:00 httpd
|
|
5178 ? S 0:00 httpd
|
|
5179 ? S 0:00 httpd
|
|
5180 ? S 0:00 httpd
|
|
5181 ? S 0:00 httpd
|
|
5182 ? S 0:00 httpd
|
|
5183 ? S 0:00 httpd
|
|
7321 ? S 0:00 /usr/sbin/sshd <<<<< only after you installed sshd to run on startup
|
|
7323 pts/0 S 0:00 -bash
|
|
7336 pts/0 R 0:00 ps ax
|
|
</verb></tscreen>
|
|
|
|
Lets concentrate on processes that listen to network, such as
|
|
lpd. Since we do not plan to use our server for printing (we sure
|
|
might, I just don't describe it here), I suggest we remove the
|
|
printer daemon by: <bf>rpm -e lpd </bf>. If rpm complains about any
|
|
dependencies (like, in my case, printfilter and rhprinttool), add
|
|
them to your <bf>rpm -e</bf> command and repeat it. Other services
|
|
that might be removed are NFS, NIS, samba etc, if they got installed
|
|
by mistake. Again, these are useful things, I am just following the
|
|
*golden rule* <bf>"remove the software you don't currently use"</bf>. And,
|
|
with RH RPM it is really easy to add it any time in the future.
|
|
|
|
</enum>
|
|
|
|
|
|
Some more basic security settings can be obtained from <htmlurl
|
|
url="http://www.enteract.com/~lspitz/linux.html" name="Armoring Linux">
|
|
paper. As suggested there, lets make a wheel group with trusted users
|
|
(in our case, only user <tt>you</tt>will be able to do <tt>/bin/su</tt> and to
|
|
run cron jobs (together with root).
|
|
<itemize>
|
|
<item>
|
|
wheel group for sensitive commands:<p>
|
|
<enum>
|
|
<item>
|
|
<tt>vi /etc/group</tt>, add a line (if it doesn't exist):
|
|
<verb>wheel:x:10:root,you</verb>. If line exists, just add <tt>you</tt> in the end
|
|
as shown.
|
|
You don't have to use vi (and I understand it very well), just use your favorite editor
|
|
(for a nice reasonably user-friendly editor try <tt>pico</tt>, distributed
|
|
together with mail program <tt>pine</tt>, the latter is part of most Linux distributions)
|
|
<item>
|
|
<verb>/bin/chgrp wheel /bin/su</verb> change group ownership to
|
|
<tt>wheel</tt> group on <tt>/bin/su</tt>
|
|
<item>
|
|
<verb>/bin/chmod 4750 /bin/su</verb> change mode on <tt>/bin/su</tt>
|
|
</enum>
|
|
<item>
|
|
restrict cron:<p>
|
|
To only allow <tt> root</tt> and <tt>you</tt> to submit cron jobs create a
|
|
file called <it>/etc/cron.allow</it> that contains usernames that you want to
|
|
be able to run cron jobs. This file might look like this:
|
|
<tscreen><verb>
|
|
root
|
|
you
|
|
</verb></tscreen>
|
|
</itemize>
|
|
<p>
|
|
I suggest you do not install X Windows as it will bring new concern that
|
|
you might not be prepared to deal with.
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1>Enable multiple IP addresses
|
|
<p>
|
|
Now we are ready to enable our machine to handle multiple IP addresses for
|
|
virtual hosting. At that point, the IP Aliasing HOWTO might come
|
|
handy (see link in References).
|
|
For several reasons, IP-based virtual hosting is better (if you have
|
|
enough IP addresses, that is). For instance, reverse lookups would succeed, if
|
|
done from the browser side. It might also be needed for hosting
|
|
cryptographically enabled websites (commonly known as "secure websites").
|
|
Older browsers (not supporting HTTP 1.1) will get unhappy too.
|
|
<p>
|
|
The changes would be concentrated in <it>/etc/rc.d/</it> directory.
|
|
To enable multiple IP addresses you kernel should support this. On a freshly
|
|
installed RH Linux it does. To verify it one should look into the config file
|
|
that was used to compile the kernel. In my case, it was
|
|
<it>/usr/src/linux/configs/kernel-2.2.12-i686.config</it> since the machine
|
|
has Pentium II processor. This file exists, if the <tt>kernel-source</tt> RPM
|
|
package was installed. If line <tt>CONFIG_IP_ALIAS=y</tt> is present in the
|
|
file than you are OK. While we are here, we can also confirm the ability to
|
|
forward IP packets (needed for dialup users PPP). This ability is present, but
|
|
not turned on by default. Also needed is the support for PPP protocol (line
|
|
<tt>CONFIG_PPP=m</tt>, this means PPP support is compiled as a kernel loadable
|
|
module, <tt>CONFIG_PPP=y</tt> is also OK)
|
|
<p>
|
|
The examples will use the ridiculous IP addresses
|
|
111.222.333.444-111.222.333.777 from C block 111.222.333.0. 111.222.333.444 is
|
|
a real host IP (that is configured during RH installation),
|
|
111.222.333.555-777 are virtual addresses and 111.222.333.888 is a dialin user address
|
|
(can be more of those).
|
|
|
|
<p> Lets assume we want to configure 3 virtual hosts.
|
|
|
|
Two sets of commands will be used:
|
|
<enum>
|
|
<item>
|
|
<tscreen><verb>
|
|
/sbin/ifconfig eth0:0 111.222.333.555
|
|
/sbin/ifconfig eth0:1 111.222.333.666
|
|
/sbin/ifconfig eth0:2 111.222.333.777
|
|
</verb></tscreen>
|
|
<p>
|
|
These will bind the IP addresses to (virtual) interfaces
|
|
<tt>eth0:0-eth0:2</tt>.
|
|
<p>
|
|
<item>
|
|
<tscreen><verb>
|
|
/sbin/route add -host 111.222.333.555 dev eth0
|
|
/sbin/route add -host 111.222.333.666 dev eth0
|
|
/sbin/route add -host 111.222.333.777 dev eth0
|
|
</verb></tscreen>
|
|
<p>
|
|
These commands will add routes for those addresses and connect those to real
|
|
interface <tt>eth0</tt> (ethernet card).
|
|
</enum>
|
|
After doing them the ifconfig command output (<tt>ifconfig</tt>) will look
|
|
like this:
|
|
<tscreen><verb>
|
|
eth0 Link encap:Ethernet HWaddr 02:60:8C:4D:24:CE
|
|
inet addr:111.222.333.444 Bcast:255.255.255.255 Mask:255.255.255.0
|
|
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
|
RX packets:901597 errors:33 dropped:0 overruns:0 frame:823
|
|
TX packets:433589 errors:0 dropped:0 overruns:0 carrier:0
|
|
collisions:128327 txqueuelen:100
|
|
Interrupt:5 Base address:0x280
|
|
|
|
eth0:0 Link encap:Ethernet HWaddr 02:60:8C:4D:24:CE
|
|
inet addr:111.222.333.555 Bcast:111.222.333.255 Mask:255.255.255.0
|
|
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
|
Interrupt:5 Base address:0x280
|
|
|
|
eth0:1 Link encap:Ethernet HWaddr 02:60:8C:4D:24:CE
|
|
inet addr:111.222.333.666 Bcast:111.222.333.255 Mask:255.255.255.0
|
|
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
|
Interrupt:5 Base address:0x280
|
|
|
|
eth0:2 Link encap:Ethernet HWaddr 02:60:8C:4D:24:CE
|
|
inet addr:111.222.333.777 Bcast:111.222.333.255 Mask:255.255.255.0
|
|
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
|
|
Interrupt:5 Base address:0x280
|
|
|
|
lo Link encap:Local Loopback
|
|
inet addr:127.0.0.1 Mask:255.0.0.0
|
|
UP LOOPBACK RUNNING MTU:3924 Metric:1
|
|
RX packets:26232 errors:0 dropped:0 overruns:0 frame:0
|
|
TX packets:26232 errors:0 dropped:0 overruns:0 carrier:0
|
|
collisions:0 txqueuelen:0
|
|
|
|
</verb></tscreen>
|
|
All commands can be added to the bottom of <it>/etc/rc.d/rc.local</it> so that
|
|
the changes are saved after reboot. Strictly speaking, rebooting machine is
|
|
not required for adding new IP addresses. Please, do document all changes
|
|
you do to your machines. Many a good sysadmin (or, should I say not-so-good?)
|
|
were burned on that at some point in their careers.
|
|
<p>
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1>Configure DNS
|
|
<p>
|
|
Now we are ready to configure DNS.
|
|
The easiest way would be to add the hostnames (real and all the virtual) that
|
|
we want to be seen by the world to the configuration of some machine that
|
|
already has bind (DNS daemon) running. But, since we are setting up
|
|
ISP-in-a-box we might not be able to avoid "DNS fun".
|
|
<p>
|
|
Now, let me
|
|
also try to defend the (well, questionable) choice of "outdated" version of bind 4.9.7
|
|
(last of the pre-8 series). I know that my arguments can be beaten, but
|
|
I consider bind 4.9.7 much more time-tested and stable. The arguments for
|
|
upgrading to 8.x
|
|
(provided <htmlurl url="http://www.acmebw.com/askmrdns/00444.htm" name="http://www.acmebw.com/askmrdns/00444.htm">
|
|
and
|
|
<htmlurl url="http://www.dns.net/dnsrd/servers.html" name="http://www.dns.net/dnsrd/servers.html">
|
|
and, I guess, at many other places)
|
|
still didn't seem to convince many people. And, lets not forget the "exploit of 1999" -
|
|
ADMROCKS, that gives remote root access to almost any Linux machine running bind prior to
|
|
8.1.2 patch 3. Judging by the INCIDENTS mailing list, this is still a very
|
|
popular way to attack RH versions 5.0-6.1 if no recommended upgrades are installed.
|
|
<p>
|
|
Here are the instructions, loosely following the DNS book from O'Reily (a good
|
|
one, highly recommended to all, but very casual DNS user).
|
|
<p>
|
|
<enum>
|
|
<item>
|
|
Find and install bind 4.9.7 either from RPM package (RH 4.2, if I am not
|
|
mistaken - for that you can use <htmlurl url="http://rpmfind.net/linux/RPM/" name="RPMFIND.net">,
|
|
personally I didn't try this and so I am somewhat skeptical
|
|
about installing RH 4.2 package on RH 6.1 system, but it might work)
|
|
or from source (<htmlurl url="ftp://ftp.isc.org/isc/bind/src/4.9.7/" name="bind 4.9.7">,
|
|
compiling it is a bit troublesome, but reading all the README files
|
|
in the archive will definitely help)
|
|
<item>
|
|
Create files and directories needed for bind:
|
|
<itemize>
|
|
<item>
|
|
<it>/etc/named.boot</it>
|
|
<item>
|
|
<it>/etc/namedb</it>
|
|
<item>
|
|
<it>/etc/namedb/db.you</it>
|
|
<item>
|
|
<it>/etc/namedb/db.111.222.333</it>
|
|
<item>
|
|
<it>/etc/namedb/db.127.0.0</it>
|
|
<item>
|
|
<it>/etc/namedb/db.yoursite1</it>
|
|
<item>
|
|
<it>/etc/namedb/db.yoursite2</it>
|
|
<item>
|
|
<it>/etc/namedb/db.yoursite3</it>
|
|
</itemize>
|
|
This will be used for 3 virtual domains: <bf>yoursite1.com</bf>,<bf>yoursite2.com</bf> and
|
|
<bf>yoursite3.com</bf>. One more important comment refers to secondary DNS issue.
|
|
As all your domains and all their services will be hosted on the same machine,
|
|
DNS backup in the form of secondary server doesn't make much sense:
|
|
if your primary DNS is down everything else (mail, www, ftp, pop, etc)
|
|
is down as well. But you do have to have a secondary DNS to register a domain.
|
|
Try to convince somebody to put you in as a secondary or use a free DNS service
|
|
(link is in Setting Up Your New Domain Mini-HOWTO).
|
|
|
|
<item>
|
|
<p>
|
|
That is how they look like (if you are unfamiliar with bind 4.x configuration
|
|
file format, please, do read either the O'Reily DNS book or any
|
|
of the HOWTOs or documents at
|
|
<htmlurl url="http://www.dns.net/dnsrd/" name="bind pages">, or, better, all of the above.
|
|
You also have an option of using them without understanding, but this is a bad idea in general):
|
|
<p>
|
|
<it>/etc/named.boot</it>
|
|
<p>
|
|
This is the main config file for bind 4.9.x.
|
|
<tscreen><verb>
|
|
directory /etc/namedb
|
|
|
|
;cache-obtained from internic, usually
|
|
cache . db.cache
|
|
|
|
;main config files
|
|
primary you.com db.you
|
|
;reverse lookups
|
|
primary 333.222.111.in-addr.arpa db.111.222.333
|
|
;localhost.localnet configs
|
|
primary 0.0.127.in-addr.arpa db.127.0.0
|
|
|
|
;virtual Domains
|
|
primary yoursite1.net db.yoursite1
|
|
primary yoursite2.net db.yoursite2
|
|
primary yoursite3.net db.yoursite3
|
|
|
|
</verb></tscreen>
|
|
<item>
|
|
<p>
|
|
<it>/etc/namedb/db.you</it>
|
|
<p>
|
|
<tscreen><verb>
|
|
; defines our local hosts at you.com, just one in our case, and its aliases
|
|
@ IN SOA ns.you.com. root.ns.you.com. (
|
|
2000012190 7200 1800 3600000 7200 )
|
|
;name servers and mail servers
|
|
IN NS ns.you.com.
|
|
IN MX 10 ns.you.com.
|
|
IN A 111.222.333.444
|
|
ns IN A 111.222.333.444
|
|
|
|
;address of the canonical names
|
|
localhost IN A 127.0.0.1
|
|
gateway IN A 111.222.333.111
|
|
|
|
;aliases (to use in ftp: ftp ftp.you.com etc, for clarity)
|
|
www CNAME ns
|
|
mail CNAME ns
|
|
ftp CNAME ns
|
|
pop3 CNAME ns
|
|
|
|
</verb></tscreen>
|
|
<item>
|
|
<p>
|
|
<it>/etc/namedb/db.111.222.333</it><p>
|
|
<tscreen><verb>
|
|
;reverse mapping of our IP addresses
|
|
.
|
|
;origin is 333.222.111.in-addr.arpa
|
|
333.222.111.in-addr.arpa. IN SOA ns.you.com. root.ns.you.com. (
|
|
1999121501 7200 1800 3600000 7200 )
|
|
;name Servers
|
|
IN NS ns.you.com.
|
|
|
|
;addresses point to canonical name
|
|
444.333.222.111.in-addr.arpa. IN PTR ns.you.com.
|
|
;dialups
|
|
888 IN PTR dialup.you.com.
|
|
|
|
;virtual hosts
|
|
555 IN PTR yoursite1.com.
|
|
666 IN PTR yoursite2.com.
|
|
777 IN PTR yoursite3.com.
|
|
|
|
</verb></tscreen>
|
|
<item>
|
|
<it>/etc/namedb/db.127.0.0</it><p>
|
|
<tscreen><verb>
|
|
;local loop config file
|
|
0.0.127.in-addr.arpa. IN SOA ns.you.com. root.ns.you.com. (
|
|
1997072200 7200 1800 3600000 7200 )
|
|
IN NS ns.you.com.
|
|
1 IN PTR localhost.
|
|
</verb></tscreen>
|
|
<item>
|
|
<it>/etc/namedb/db.yoursite1</it><p>
|
|
<tscreen><verb>
|
|
; yoursite1.com
|
|
@ IN SOA virtual root.virtual (
|
|
1999092201 ; Serial: update each time the file is changed
|
|
7200 ; refresh, sec
|
|
1800 ; retry, sec
|
|
3600000 ; expire, sec
|
|
7200 ) ; minimum TTL
|
|
;name Servers
|
|
IN NS ns.you.com.
|
|
IN MX 10 virtual
|
|
IN A 111.222.333.555
|
|
;address of the canonical names
|
|
localhost IN A 127.0.0.1
|
|
gateway IN A 111.222.333.111
|
|
virtual IN A 111.222.333.555
|
|
IN MX 10 virtual
|
|
;aliases
|
|
www CNAME virtual
|
|
mail CNAME virtual
|
|
ftp CNAME virtual
|
|
pop3 CNAME virtual
|
|
</verb></tscreen>
|
|
<item>
|
|
<it>/etc/namedb/db.yoursite2</it><p>
|
|
<tscreen><verb>
|
|
; yoursite2.com
|
|
@ IN SOA virtual root.virtual (
|
|
1999092201 ; Serial: update each time the file is changed
|
|
7200 ; refresh, sec
|
|
1800 ; retry, sec
|
|
3600000 ; expire, sec
|
|
7200 ) ; minimum TTL
|
|
;name Servers
|
|
IN NS ns.you.com.
|
|
IN MX 10 virtual
|
|
IN A 111.222.333.666
|
|
;address of the canonical names
|
|
localhost IN A 127.0.0.1
|
|
gateway IN A 111.222.333.111
|
|
virtual IN A 111.222.333.666
|
|
IN MX 10 virtual
|
|
;aliases
|
|
www CNAME virtual
|
|
mail CNAME virtual
|
|
ftp CNAME virtual
|
|
pop3 CNAME virtual
|
|
</verb></tscreen>
|
|
<item>
|
|
<it>/etc/namedb/db.yoursite3</it><p>
|
|
<tscreen><verb>
|
|
; yoursite3.com
|
|
@ IN SOA virtual root.virtual (
|
|
1999092201 ; Serial: update each time the file is changed
|
|
7200 ; refresh, sec
|
|
1800 ; retry, sec
|
|
3600000 ; expire, sec
|
|
7200 ) ; minimum TTL
|
|
;name Servers
|
|
IN NS ns.you.com.
|
|
IN MX 10 virtual
|
|
IN A 111.222.333.777
|
|
;address of the canonical names
|
|
localhost IN A 127.0.0.1
|
|
gateway IN A 111.222.333.111
|
|
virtual IN A 111.222.333.777
|
|
IN MX 10 virtual
|
|
;aliases
|
|
www CNAME virtual
|
|
mail CNAME virtual
|
|
ftp CNAME virtual
|
|
pop3 CNAME virtual
|
|
</verb></tscreen>
|
|
</enum>
|
|
These configuration files will allow you to host these three virtual domains
|
|
and you real domain <bf>you.com</bf>.
|
|
|
|
<p>
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1>Configure httpd
|
|
<p>
|
|
To server html pages httpd daemon is used. RH 6.1 comes with Apache
|
|
1.3.9 (latest version is currently 1.3.12).
|
|
At that point it is wise to check RH site or its mirrors
|
|
(<htmlurl url="http://www.redhat.com/mirrors.html" name="RH Mirrors">) for updates.
|
|
|
|
Most changes that we are about to make
|
|
concentrate in <it>/etc/httpd/httpd.conf</it> (RH standard
|
|
location for Apache configuration). Default location for html pages (shown
|
|
when you go to <bf>www.you.com</bf>) is <it>/home/httpd/html</it>. You can
|
|
allocate directories for virtual hosts within the same <it>/home/httpd</it>,
|
|
shown below are the following locations for them:
|
|
<it>/home/httpd/yoursite1</it>,
|
|
<it>/home/httpd/yoursite2</it> and
|
|
<it>/home/httpd/yoursite3</it>.
|
|
<p>
|
|
Below I provide the minimum necessary changes for your
|
|
<it>/etc/httpd/httpd.conf</it> file:
|
|
<p>
|
|
<tscreen><verb>
|
|
<VirtualHost 111.222.333.555>
|
|
ServerAdmin webmaster@you.com
|
|
DocumentRoot /home/httpd/yoursite1
|
|
ServerName www.yoursite1.com
|
|
ErrorLog yoursite1-error_log
|
|
TransferLog yoursite1-access_log
|
|
</VirtualHost>
|
|
|
|
|
|
<VirtualHost 111.222.333.666>
|
|
ServerAdmin webmaster@you.com
|
|
DocumentRoot /home/httpd/yoursite2
|
|
ServerName www.yoursite2.com
|
|
ErrorLog yoursite2-error_log
|
|
TransferLog yoursite2-access_log
|
|
</VirtualHost>
|
|
|
|
<VirtualHost 111.222.333.777>
|
|
ServerAdmin webmaster@you.com
|
|
DocumentRoot /home/httpd/yoursite3
|
|
ServerName www.yoursite3.com
|
|
ErrorLog yoursite3-error_log
|
|
TransferLog yoursite3-access_log
|
|
</VirtualHost>
|
|
</verb></tscreen>
|
|
|
|
That configuration will cause all logs to be stored in one directory (whatever
|
|
is specified as such) for all sites. If that is not desired the <bf>ErrorLog</bf> and
|
|
<bf>TransferLog</bf> directives can be changed to point to the proper
|
|
location separately for each virtual host. The pages for the "real"
|
|
<bf>www.you.com</bf> will be stored in default location <it>/home/httpd/html</it>.
|
|
|
|
<p>
|
|
For more information, look at <htmlurl url="http://www.apache.org"
|
|
name="http://www.apache.org">, Apache http server homepage. They have a lot of
|
|
support pages, including those for virtual hosting setup (both IP-based and
|
|
name-based [uses just 1 IP address]). Also useful is Linux WWW HOWTO (link in
|
|
References section), section on virtual hosting.
|
|
<p>
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1>Configure sendmail
|
|
<p>
|
|
Now we will deal with sendmail. Again, proposed are the minimum necessary
|
|
changes to the stock RH <it>/etc/sendmail.cf</it> and <it>/etc/sendmail.cw</it>.
|
|
<enum>
|
|
<item>
|
|
look for the lines that starts from <tt>Dj$w.foo.com</tt> and change it to
|
|
point to your main ("real", not virtual) server name (<bf>you.com</bf>, so it
|
|
will looks like this <tt>Dj$w.you.com</tt>).
|
|
<item>
|
|
locate file <it>/etc/sendmail.cw</it> and make it look like this
|
|
<tscreen><verb>
|
|
# sendmail.cw - include all aliases for your machine here.
|
|
you.com
|
|
ns.you.com
|
|
mail.you.com
|
|
yoursite1.com
|
|
mail.yoursite1.com
|
|
yoursite2.com
|
|
mail.yoursite2.com
|
|
yoursite3.com
|
|
mail.yoursite3.com
|
|
</verb></tscreen>
|
|
These are necessary so that sendmail accepts mail for these domains.
|
|
</enum>
|
|
<p>
|
|
This <bf>does not</bf> address the issue of <tt>user@yoursite1.com</tt> and
|
|
<tt>user@yoursite2.com</tt> mail getting to different mailboxes. For that
|
|
look into <tt>/etc/mail/virtusertable</tt> functionality
|
|
(appropriate line in <it>/etc/sendmail.cw</it> is <tt>Kvirtuser hash -o
|
|
/etc/mail/virtusertable</tt>, detailed info may be added here later).
|
|
Excellent documentation on that is on
|
|
<htmlurl url="http://www.sendmail.org/virtual"
|
|
name="http://www.sendmail.org/virtual">, sendmail reference on virtual
|
|
hosting.
|
|
<p>It is worthwhile to add that linuxconf proposes a somewhat different
|
|
scheme for virtual email with separate spool directories for all domains (that
|
|
cleanly solves the above "name-conflict" issue"), but
|
|
that requires a special virtual-aware POP/IMAP server (included with RH) and
|
|
is somewhat more complicated. It is recommended for bigger email volume sites
|
|
with many users within each domain.
|
|
<p>
|
|
A few words about sendmail, it is a good idea (good from a security
|
|
standpoint) to have sendmail run from
|
|
<it>inetd.conf</it> and not as a standalone daemon. For that we need to add it
|
|
to <it>/etc/inetd.conf</it>, remove it from <it>/etc/rc.d/init.d</it>, add the
|
|
sendmail queue processing to cron. Here is what you have to do:
|
|
<enum>
|
|
<item>
|
|
Add the following line to <it>/etc/inetd.conf</it>:
|
|
<verb>
|
|
smtp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sendmail -bs
|
|
</verb>
|
|
|
|
<item>
|
|
|
|
Edit <it>/etc/rc.d/init.d/sendmail</it> to have <tt> exit 0 </tt> somewhere in
|
|
the very beginning (might not be the best way, be sure to document the changes
|
|
you do to these files) so that this file does nothing instead of starting sendmail
|
|
|
|
<item>
|
|
|
|
By editing your (root's) crontab (to edit do <bf>crontab -e</bf>) add a line like this
|
|
|
|
<verb>
|
|
*/20 * * * * /usr/sbin/sendmail -q
|
|
</verb>
|
|
|
|
That would process sendmail queue every 20 min (if it exists).
|
|
The described steps will simplify sendmail access control and will let you
|
|
regulate who can talk to you 25 port, not just who can send email through you.
|
|
The lines in <it>/etc/hosts.allow</it>
|
|
that let all machines from .com and .org domains send you email are as follows
|
|
<verb>
|
|
sendmail: .com .org
|
|
</verb>
|
|
Please, note, that the daemon name, not protocol name is used here (sendmail,
|
|
NOT smtp).
|
|
|
|
</enum>
|
|
<p>
|
|
That would allow your system to handle email for all those domains.
|
|
<p>
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1>Configure POP3
|
|
<p>
|
|
POP3 configuration is easy (no "virtualization" is required for this setup). RH comes
|
|
equipped with imapd IMAP server. If you do not want to use IMAP functionality
|
|
or do not like this particular implementation (buffer overflow bugs were discovered in it at
|
|
some point) the good idea is to use
|
|
<tt>qpopper</tt>, free POP3 daemon from Eudora
|
|
<htmlurl url="http://www.eudora.com/freeware/qpop.html"
|
|
name="http://www.eudora.com/freeware/qpop.html">. At the time of writing they
|
|
release the "stable" version (qpopper 2.53) and "public beta" ( qpopper 3.0,
|
|
release 34, now called "final beta").
|
|
It is important to note that versions earlier than 2.5 contain a
|
|
buffer overflow error that allows remote root exploit to be executed. Same
|
|
problem plagues "public betas" up to 3.0 release 21. Use either 2.53 or the
|
|
latest 3.0 beta (the former is better audited and the latter is better suited
|
|
for RH - seamlessly works with PAM authentication). I suggest using 3.0, so
|
|
the instructions below apply to that case.
|
|
<p>
|
|
<enum>
|
|
<item>
|
|
<tt>wget ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper3.0b34.tar.Z</tt>
|
|
<p>Retrieve the archive from Eudora site.
|
|
<item>
|
|
<tt>tar zxvf qpopper3.0b34.tar.Z</tt>
|
|
<p>Uncompress and untar the contents.
|
|
<item>
|
|
<tt>cd qpopper</tt>
|
|
<p>If you need explanation for this step, please, discontinue reading the document.
|
|
<item>
|
|
<tt>./configure --enable-specialauth --with-pam --enable-log-login --enable-shy</tt>
|
|
<p>The options here are:
|
|
<p><tt>--enable-specialauth</tt> : allows MD5 and shadow passwords
|
|
<p><tt>--with-pam</tt>: allows the use of RH Pluggable Authentication Modules (PAM) technology
|
|
<p><tt>--enable-log-login</tt>: log successful logins, not only failures (not really that
|
|
useful as it will use tcpd wrappers logging anyway)
|
|
<p><tt>--enable-shy</tt>: conceal version number (yeah, a little pesky
|
|
manifestation of "security through obscurity")
|
|
<item>
|
|
<tt>make</tt>
|
|
<p>That compiles the popper
|
|
<item>
|
|
<verb>
|
|
/bon/cp popper/popper /usr/local/bin
|
|
</verb>
|
|
<p>Now copy it to <it>/usr/local/bin</it>
|
|
and set the mode to
|
|
<verb>
|
|
-rwx------ 1 root root 297008 Feb 16 15:41 /usr/local/lib/popper
|
|
</verb>
|
|
by using the command:
|
|
<verb>
|
|
chmod 700 /usr/local/bin/popper
|
|
</verb>
|
|
<item>
|
|
Add a line to <it>/etc/inetd.conf</it>
|
|
<verb>
|
|
pop3 stream tcp nowait root /usr/sbin/tcpd /usr/local/bin/popper -s
|
|
</verb>
|
|
That would cause the tcpd wrapper to control access to popper.
|
|
|
|
The lines to add in <it>/etc/hosts.allow</it> are
|
|
<verb>
|
|
popper: .good.com .nice.org
|
|
</verb>
|
|
That will allow people from domains good.com and nice.org to read email via
|
|
POP3 client from your machine.
|
|
<p>
|
|
To cause qpopper to use PAM authentication one must create a file for POP3
|
|
service in <tt>/etc/pam.d/</tt> directory. File should be named "pop3" (same as line in
|
|
<tt>/etc/services</tt> and qpopper compile-time option). The file looks like
|
|
this:
|
|
|
|
<tscreen><verb>
|
|
auth required /lib/security/pam_pwdb.so shadow
|
|
account required /lib/security/pam_pwdb.so
|
|
password required /lib/security/pam_cracklib.so
|
|
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
|
|
session required /lib/security/pam_pwdb.so
|
|
</verb></tscreen>
|
|
|
|
<item>
|
|
For whatever reason stock RH lists line in <it>/etc/services</it>
|
|
file for POP3 protocol as "pop-3". And since qpopper prefers to see "pop3",
|
|
it should be edited to be:
|
|
<verb>
|
|
pop3 110/tcp # pop3 service
|
|
</verb>
|
|
</enum>
|
|
That would allow all user to get their email via any reasonable mail client.
|
|
<p>
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1>Configure FTP server
|
|
<p>
|
|
We will use only anonymous ftp and will not allow any non-anonymous user any
|
|
access. Here we describe the anonymous ftp server setup that allows anonymous
|
|
uploads. Any self-respecting guide on the subject will tell you that "this is
|
|
a bad thing". But how is it worse than allowing users to ftp from untrusted
|
|
location and transfer their passwords in clear text? Not everybody
|
|
(especially, using Windows) can easily setup an ftp tunnel via ssh.
|
|
<p>
|
|
I suggest using the stock RH wu-ftpd (version 2.6.0 at the time of
|
|
writing). While it is rumored that there are "more secure" ftp daemons
|
|
(Pro-FTP?), wu-ftp appears to be one most commonly used.
|
|
<p>
|
|
RH installs the wu-ftpd (package wu-ftpd-2.6.0-1) by default in server
|
|
configuration. You are encouraged to check for updates as running ftp is an important
|
|
security concern. There is also a separate rpm package that creates a separate
|
|
directory for anonymous ftp home (anonftp-2.8-1).
|
|
As anonymous ftp always does a <tt>chroot()</tt>
|
|
system call (puts the user in the restricted file system) all necessary
|
|
binaries and libraries are required. The typical directory looks like this
|
|
(output of <bf>ls -lRa</bf> in <it>/home/ftp</it>):
|
|
|
|
<tscreen><verb>
|
|
.:
|
|
total 20
|
|
d--x--x--x 2 root root 4096 Feb 15 06:22 bin
|
|
d--x--x--x 2 root root 4096 Feb 15 06:22 etc
|
|
drwxrws-wt 2 root wheel 4096 Feb 18 19:51 incoming
|
|
drwxr-xr-x 2 root root 4096 Feb 15 06:22 lib
|
|
drwxr-sr-x 3 root ftp 4096 Feb 15 23:34 pub
|
|
|
|
bin:
|
|
total 344
|
|
---x--x--x 1 root root 15204 Mar 21 1999 compress
|
|
---x--x--x 1 root root 52388 Mar 21 1999 cpio
|
|
---x--x--x 1 root root 50384 Mar 21 1999 gzip
|
|
---x--x--x 1 root root 29308 Mar 21 1999 ls
|
|
---------- 1 root root 62660 Mar 21 1999 sh
|
|
---x--x--x 1 root root 110668 Mar 21 1999 tar
|
|
lrwxrwxrwx 1 root root 4 Feb 15 06:22 zcat -> gzip
|
|
|
|
etc:
|
|
total 40
|
|
-r--r--r-- 1 root root 53 Mar 21 1999 group
|
|
-rw-r--r-- 1 root root 31940 Mar 21 1999 ld.so.cache
|
|
-r--r--r-- 1 root root 79 Mar 21 1999 passwd
|
|
|
|
incoming:
|
|
total 0
|
|
|
|
lib:
|
|
total 1212
|
|
-rwxr-xr-x 1 root root 77968 Mar 21 1999 ld-2.1.1.so
|
|
lrwxrwxrwx 1 root root 11 Feb 15 06:22 ld-linux.so.2 -> ld-2.1.1.so
|
|
-rwxr-xr-x 1 root root 1031004 Mar 21 1999 libc-2.1.1.so
|
|
lrwxrwxrwx 1 root root 13 Feb 15 06:22 libc.so.6 -> libc-2.1.1.so
|
|
-rwxr-xr-x 1 root root 77196 Mar 21 1999 libnsl-2.1.1.so
|
|
lrwxrwxrwx 1 root root 15 Feb 15 06:22 libnsl.so.1 -> libnsl-2.1.1.so
|
|
-rwxr-xr-x 1 root root 33596 Mar 21 1999 libnss_files-2.1.1.so
|
|
lrwxrwxrwx 1 root root 21 Feb 15 06:22 libnss_files.so.2 -> libnss_fi
|
|
les-2.1.1.so
|
|
|
|
pub:
|
|
total 0
|
|
|
|
</verb></tscreen>
|
|
<p>
|
|
Notice though, that for whatever reason, RH puts a copy of <it>/bin/sh</it> in
|
|
<it>/home/ftp/bin</it>.
|
|
I do not feel good about having it there, so it is chmoded to 0 by
|
|
<bf>chmod 0 sh</bf> (can also be removed completely, but RPM might be slightly
|
|
unhappy if you attempt to remove the package afterwards).
|
|
<p>
|
|
Permissions on <it>/home/ftp</it> directories and files should be carefully
|
|
considered. In the above example, all of the system files are owned by root
|
|
and are only readable (executable where necessary) by all. Files in
|
|
<it>bin</it> are only executable (as is the directory itself to prevent
|
|
listing of its contents).
|
|
<p>The interesting part is permissions on <it>pub</it> and <it>incoming</it>.
|
|
|
|
<p>
|
|
Below follows the configuration file for ftp daemon
|
|
(<it>/etc/ftpaccess</it>). It is well commented to the degree of being self-explanatory:
|
|
<tscreen><verb>
|
|
#ideas from <htmlurl url="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO" name="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO">
|
|
#only allow anonymous users-no other classes defined
|
|
class anonftp anonymous *
|
|
|
|
#number of users restriction with message shown when too many
|
|
limit remote 10 Any /toomany.msg
|
|
|
|
#prevent uploads everywhere (for now)
|
|
upload /home/ftp * no
|
|
|
|
#display the contents of some files upon login/cd
|
|
readme README* login
|
|
readme README* cwd=*
|
|
message /welcome.msg login
|
|
message .message cwd=*
|
|
|
|
#log all file transfers DISABLED
|
|
#log transfers anonymous
|
|
|
|
#prevent these file operations for anon users
|
|
delete no anonymous
|
|
overwrite no anonymous
|
|
|
|
#fast cd and aliasing for the same reason (not really necessary, but convenient)
|
|
alias inc: /incoming
|
|
cdpath /incoming
|
|
cdpath /pub
|
|
cdpath /
|
|
|
|
#what is allowed in paths
|
|
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
|
|
|
|
#prevent the retrieval of some file
|
|
noretrieve .notar
|
|
|
|
#allow upload with NO subdirectory creation by anon users
|
|
upload /home/ftp /incoming yes root wheel 0400 nodirs
|
|
|
|
#allow upload with subdirectory creation by anon users DISABLED
|
|
#upload /home/ftp /incoming yes root wheel 0400 dirs
|
|
|
|
#prevent anon users to GET files from incoming (you might not like it, but it
|
|
#is a good idea-to prevent some people from using you ftp server to store
|
|
#their own stuff, pics, warez etc)
|
|
noretrieve /home/ftp/incoming
|
|
|
|
</verb></tscreen>
|
|
That would allow only anonymous users to do downloads and uploads in somewhat (<bf>!</bf>)
|
|
controlled manner.
|
|
<p>
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1>Configure dialin
|
|
<p>
|
|
Now the fun part starts. We want the machine to allow dial-in access via
|
|
attached (inserted?) modem or modems. It will provide either regular shell or
|
|
restricted shell (that only executes pppd daemon). Windows 95/98 users should be
|
|
able to effortlessly dial in using all default settings of their computers.
|
|
|
|
<sect2>Linux setup
|
|
<p>
|
|
To handle login via serial line some version of <tt>getty</tt> program is
|
|
needed. This program monitors the serial line (<it>/dev/ttyS1</it> will be used
|
|
throughout the document, see serial HOWTO for details) and upon connection
|
|
shown the login prompt or starts a program.
|
|
<p>
|
|
I suggest using the mgetty program (as it has more features and is easier to
|
|
setup than some of the competitors).
|
|
<p>RH comes with <tt>mgetty-1.1.21-2</tt>, that also has extensions to receive
|
|
faxes and voice mail (if the modem supports this). Check whether mgetty is
|
|
installed by doing: <bf>rpm -qa | grep mgetty</bf>.
|
|
|
|
After installing mgetty some reconfiguration is necessary.
|
|
The files that should be changed and the details follow:
|
|
|
|
<enum>
|
|
<item>
|
|
<it>/etc/inittab</it><p>
|
|
That enables mgetty to start when system is booted and be respawned accordingly.
|
|
These lines should be added in the end.
|
|
|
|
<tscreen><verb>
|
|
#for dialins use mgetty
|
|
#note this S1 in the beginning of the line and ttyS1 in the end
|
|
S1:2345:respawn:/sbin/mgetty ttyS1
|
|
</verb></tscreen>
|
|
|
|
<item>
|
|
<it>/etc/ppp/options</it><p>
|
|
This file controls the pppd daemon whenever it is started.
|
|
Some of the options here are optional (hey, that why they are called options, right?).
|
|
|
|
<tscreen><verb>
|
|
auth -chap +pap login modem crtscts debug proxyarp lock
|
|
ms-dns 111.222.333.444
|
|
</verb></tscreen>
|
|
|
|
Here is their brief meaning:
|
|
|
|
<itemize>
|
|
<item>
|
|
<bf>auth </bf>: use some sort of authentication for dialin clients
|
|
<item>
|
|
<bf>-chap</bf>: not CHAP
|
|
<item>
|
|
<bf> +pap</bf>: use PAP
|
|
<item>
|
|
<bf> login </bf>: use the system password file for authenticating the client
|
|
using PAP and record the user in the system wtmp file, <it>/etc/ppp/pap-secrets</it> should
|
|
still be present (see below)
|
|
<item>
|
|
<bf>modem </bf>: use the modem control lines (for carrier detection and other stuff)
|
|
<item>
|
|
<bf> crtscts </bf>: use hardware flow control
|
|
<item>
|
|
<bf>debug </bf>: log extra info (might be removed after everything is fine)
|
|
<item>
|
|
<bf> proxyarp </bf>: this is needed to connect from the client to the
|
|
Internet, not just to the LAN you dialed into
|
|
<item>
|
|
<bf>lock</bf>: pppd should create a lock file for the serial device
|
|
<item>
|
|
<bf>ms-dns 111.222.333.444</bf>: this info is provided to Windows box as a default
|
|
DNS server
|
|
</itemize>
|
|
Look at pppd man page for all the juicy details (parts of the above info is
|
|
adapted from there)
|
|
|
|
<item>
|
|
<it>/etc/ppp/options.ttyS1</it><p>
|
|
This file serves purpose similar to the previous one, but only applies to
|
|
particular modem line. It specifies the IP address given to the remote machine
|
|
(dynamic, in some sense, if you have more than one line) and the local IP as well.
|
|
|
|
<tscreen><verb>
|
|
111.222.333.444:111.222.333.888
|
|
</verb></tscreen>
|
|
|
|
<item>
|
|
<it>/etc/mgetty+sendfax/login.config</it><p>
|
|
|
|
This file is the main mgetty control file. Mgetty is Windows-PPP-aware, so it
|
|
has provisions to start pppd automatically upon receiving connect from the Windows machine.
|
|
|
|
These lines should be present:
|
|
|
|
<tscreen><verb>
|
|
/AutoPPP/ - - /usr/sbin/pppd
|
|
</verb></tscreen>
|
|
|
|
Before adding them, check that some other version of similar command is absent
|
|
there (commented out by default).
|
|
|
|
<item>
|
|
<it>/etc/ppp/pap-secrets</it><p>
|
|
This is similar to <it>/etc/password</it> file, but only used for dialins and
|
|
contains <bf>plain text passwords</bf> (apparently, only visible to root). All users
|
|
that you want to be able to dialin must have their usernames and password
|
|
listed in this file. They should enter the same username and password into
|
|
Windows Dial Up Networking configuration.
|
|
|
|
<tscreen><verb>
|
|
# Secrets for authentication using PAP
|
|
# these two users below can use dialin
|
|
# client server secret pword remote IP addresses
|
|
dialinuser1 * b1ab1a!? 111.222.333.888
|
|
dialinuser2 * p8sSw0rD 111.222.333.888
|
|
</verb></tscreen>
|
|
</enum>
|
|
|
|
<p>
|
|
|
|
Check that mgetty is running by looking for similar line in the output of
|
|
<tt>ps ax</tt> command.
|
|
|
|
<tscreen><verb>
|
|
4625 ? S 0:00 /sbin/mgetty ttyS1
|
|
</verb></tscreen>
|
|
|
|
Now this machine will allow modem calls from any Windows 95/98 box.
|
|
<sect2>Windows setup
|
|
<p>
|
|
This is <bf>really</bf> straightforward.
|
|
<enum>
|
|
<item>
|
|
Click on <bf>My Computer</bf>
|
|
<item>
|
|
Click on <bf>Dial Up networking</bf>
|
|
<item>
|
|
Click on <bf>Make New Connection</bf>
|
|
<item>
|
|
Proceed according to directions, enter the phone number etc
|
|
<item>
|
|
After a new connection is created click on it and enter the username and
|
|
password (same as mentioned in <it>/etc/passwd</it> and
|
|
<it>/etc/ppp/pap-secrets</it>)
|
|
<item>
|
|
Click <bf>Connect</bf> and it should work (it did in my case ;-) )
|
|
</enum>
|
|
<p>
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect1>Open access
|
|
<p>
|
|
|
|
Now, after testing all the services, we are ready to open the access to this
|
|
machine. The main access control facility in our case is TCP wrappers
|
|
(tcpd). Their behavior is controlled by 2 files <it>/etc/hosts.allow</it> and
|
|
<it>/etc/hosts.deny</it>, as was mentioned in the sections devoted to various
|
|
network services. TCP wrappers configuration can be done in 2 distinct
|
|
ways and we will employ the simplest.
|
|
<p>Let our <it>/etc/hosts.deny</it> contain <tt>ALL:ALL</tt> clause, thus
|
|
denying the access to all services (started from <it>/etc/inetd.conf</it> ) for
|
|
all hosts and all users on them. Now we can allow what we need explicitly in
|
|
<it>/etc/hosts.allow</it>, thus following the philosophy <bf>"what is not
|
|
expressly allowed is denied"</bf>.
|
|
<p>Lets assume we want to allow people to read and send email, we want some
|
|
trusted hosts to update contents of the web pages and we want admin
|
|
workstation to have full access. So we arrive at the following
|
|
<it>/etc/hosts.allow</it>:
|
|
<tscreen><verb>
|
|
#
|
|
# hosts.allow This file describes the names of the hosts which are
|
|
# allowed to use the local INET services, as decided
|
|
# by the '/usr/sbin/tcpd' server.
|
|
#
|
|
ALL: 127.0.0.1 adminbox.some.net
|
|
#we rely on anti-relaying features of sendmail 8.9.x to fight spam
|
|
#and also restrict some sites that we don't want to see email from
|
|
sendmail: ALL EXCEPT .kr
|
|
popper: .com .edu .gov .mil
|
|
#these people can upload/download stuff
|
|
in.ftpd: .this.net .that.net
|
|
</verb></tscreen>
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect>
|
|
Conclusion
|
|
<p>
|
|
There must be the conclusion, right?
|
|
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
<sect>
|
|
References
|
|
<p>
|
|
Useful LDP HOWTOs (well, actually, all others are useful too)
|
|
<enum>
|
|
<htmlurl url="http://www.linuxdoc.org/HOWTO/mini/Domain.html" name="Setting Up Your New Domain Mini-HOWTO.">, really good guide of DNS setup and general network setup (recommended reading)
|
|
<item>
|
|
<htmlurl url="http://www.linuxdoc.org/HOWTO/WWW-HOWTO.html" name="Linux WWW HOWTO">, provides more details on Apache setup, including virtual hosting
|
|
<item>
|
|
<htmlurl url="http://www.linuxdoc.org/HOWTO/mini/Home-Network-mini-HOWTO.html" name="Red Hat Linux 6.X as an Internet Gateway for a Home Network">, some hints on network setup
|
|
<item>
|
|
<htmlurl url="http://www.linuxdoc.org/HOWTO/mini/IP-Alias.html" name="IP Aliasing On A Linux Machine">, used for multiple IP on the same interface
|
|
<item>
|
|
<htmlurl url="http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO.html" name="Ethernet HOWTO">, look here in case of network card trouble
|
|
<item>
|
|
<htmlurl url="http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html" name="IPCHAINS HOWTO">, turn to this if more security is desired
|
|
<item>
|
|
<htmlurl url="http://www.linuxdoc.org/HOWTO/Serial-HOWTO.html" name="Serial HOWTO">, serial ports, lines, modems and related stuff
|
|
<item>
|
|
<htmlurl url="http://www.linuxdoc.org/HOWTO/PPP-HOWTO.html" name="PPP HOWTO">,some notes on PPP server setup
|
|
</enum>
|
|
<p>
|
|
Software (used or mentioned) websites
|
|
<p>
|
|
<enum>
|
|
<htmlurl url="http://www.eudora.com/qpopper/" name="Eudora POP3 server">
|
|
<item>
|
|
<htmlurl url="http://www.wu-ftpd.org/" name="WU-FPTD ftp server">
|
|
<item>
|
|
<htmlurl url="http://www.sendmail.org" name="Sendmail MTA">
|
|
<item>
|
|
<htmlurl url="http://alpha.greenie.net/mgetty/" name="Mgetty pages">
|
|
<item>
|
|
<htmlurl url="http://www.apache.org/httpd.html" name="Apache httpd server">
|
|
</enum>
|
|
<p>
|
|
Other documents
|
|
<enum>
|
|
<item>
|
|
<htmlurl url="http://www.enteract.com/~lspitz/linux.html" name="Armoring Linux">
|
|
<item>
|
|
<htmlurl url="http://www.linuxgazette.com/issue36/ali.html" name="Setting Up
|
|
POP/PPP server">
|
|
<item>
|
|
<htmlurl url="http://www.buoy.com/isp/mgetty.html" name="Mgetty and Windows
|
|
dialin info">
|
|
<item>
|
|
<htmlurl url="http://www.best.com/~aturner/RedHat-FAQ/DOCS/tips4.html"
|
|
name="Using RedHat 5.1 to Start an ISP">, the short article on how to start an
|
|
ISP if all you have is a Linux RH ;-)
|
|
</enum>
|
|
<p>
|
|
Resources, not related to the topic of the document ;-)
|
|
<p>
|
|
<enum>
|
|
<item>
|
|
I also maintain a list of computer/network security related books with
|
|
(where available) reviews and online availability. It is posted at
|
|
<htmlurl url="http://www.chuvakin.org/books" name="http://www.chuvakin.org/books">.
|
|
If you have a book that I don't list please use the form on the page and I will add it to the list and maybe review
|
|
it later.
|
|
</enum>
|
|
<p>
|
|
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
|
|
</article>
|
|
|
|
|
|
|