LDP
/
LDP
mirror of https://github.com/tLDP/LDP
0
1
Fork 0
Code Releases Activity
LDP/LDP/howto/linuxdoc/ISP-Setup-RedHat.sgml

1349 lines
56 KiB
Plaintext
Raw Blame History

<!doctype linuxdoc system>
<article>
<title>"Pocket" ISP based on RedHat Linux
<author>Anton Chuvakin, <tt>
<htmlurl url="mailto:anton@chuvakin.org" name="anton@chuvakin.org"></tt>
<date>v1.0.1 4 April 2000</date>
<abstract>
This document outlines the setup of a single RedHat box for dialins, virtual
web hosting, virtual email, POP3 and ftp servers. Why anybody might need
this in one box is beyond the scope of this document. The idea is a complete
ISP solution based on RedHat Linux. Any part of this setup can be
implemented separately though. I will try to emphasize all the commands so
one can just paste them to configure his own box. The list of documents
that I borrowed from and some further reading is below (see References section).
I will try to keep security in mind on all stages of the setup and to make
clear all the security limitations of this setup.
I should add that assets that are to be
protected in this case are considered not very valuable (e.g. personal pages etc) thus
efforts spent on securing the setup are allowed to be limited.
</abstract>
<toc>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect> Introduction
<p>
The guide assumes some familiarity with Linux functionality and general
Linux/UNIX setup procedure (although not very detailed). Fully functional
brain is also required for some stages of the procedure. All setup would
be done manually (without the use of <htmlurl
url="http://www.solucorp.qc.ca/linuxconf/" name="linuxconf"> or other
tools). Not that those are bad or that there is anything wrong with them. The
reasons for that are: 1) it is comparatively hard to give step by step directions
that produce predictable results as these tools pretend they are intelligent
and "know better" (Windows syndrome) 2) layout of tools changes with time and is different
in some distributions 3) manual setup gives better understanding of system works
(not that it is always required though) 4)some tools allow only limited
configuration of Linux system or do not keep up with updated features.
While many improvements are possible to this setup they might be
described in later editions of this document - I just outline one possible
way (accidentally, the one I used). The writeup is aimed at RedHat Linux,
but with trivial changes can be used on any modern Linux distribution.
The resulting configuration loosely follows
the setup of some particular machines built by the author..
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect> Changes from 1.0.0 to 1.0.1
<p>
<itemize>
<item>
<it>Many</it> errors corrected (both spelling and factual)
<item>
References section updated
<item>
Minor changes in wording and syntax to improve clarity
<item>
More security info added to several sections
<item>
Windows configuration for dialup added
</itemize>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect> TODO Tue Apr 4 15:23:11 EDT 2000
<p>
<itemize>
<item>
Finish ftp permission considerations and possible variations of the setup
(like, no uploads at all etc)
<item>
Add more meat to dialin section (troubleshooting is necessary) and describe
setup of Windows boxes to use it (really, nothing special) and investigate
variations of the setup (simplify?)
<item>
More on security of all the services we install (clear text password, DoS by
overflowing partition in mail and ftp, http access configs etc)
<item>
Add info on POP3 and ftp tunneling via ssh (just for fun)
<item>
Add troubleshooting subsections in various sections
</itemize>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> New versions of this document
<p>
New versions of this document can be found at
<tt>
<htmlurl url="http://www.chuvakin.org/ispdoc" name="http://www.chuvakin.org/ispdoc">
</tt>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> Feedback
<p>
All comments, error reports, additional information (very much appreciated!!!) and criticism
of all sorts should be directed to:
<tt>
<htmlurl url="mailto:anton@chuvakin.org" name="anton@chuvakin.org">
</tt>
<p>
<tt>
<htmlurl url="http://www.chuvakin.org/"
name="http://www.chuvakin.org/">
</tt>
<p>
My PGP key is located at <tt>
<htmlurl url="http://www.chuvakin.org/pgpkey" name="http://www.chuvakin.org/pgpkey"></tt>
<p>
Please direct spelling error comments to your friendly local spell checker.
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> Standard disclaimer
<p>
No liability for the contents of this document can be accepted.
Use the concepts, examples and other content at your own risk.
Additionally, this is an early version, with many possibilities
for inaccuracies and errors.
<p>
One of many possible setups will be described. In the Linux
world, there is usually a number of ways in which to accomplish
things.
<p>
As far as I know, only programs that under certain terms may be
used or evaluated for personal purposes will be described. Most
of the programs will be available complete with source under
GNU-like terms.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> Copyright information
<p>
This document is copyrighted (c) 2000 Anton Chuvakin and
distributed under the following terms:
<p>
<itemize>
<item> Linux HOWTO documents may be reproduced and distributed in
whole or in part, in any medium physical or electronic, as long
as this copyright notice is retained on all copies. Commercial
redistribution is allowed and encouraged; however, the author
would like to be notified of any such distributions.
<item> All translations, derivative works, or aggregate works
incorporating any Linux HOWTO documents must be covered under
this copyright notice. That is, you may not produce a derivative
work from a HOWTO and impose additional restrictions on its
distribution. Exceptions to these rules may be granted under
certain conditions; please contact the Linux HOWTO coordinator at
the address given below.
<item> If you have questions, please contact Greg Hankins, the
Linux HOWTO coordinator, at
</itemize>
<tt>
<htmlurl url="mailto:gregh@sunsite.unc.edu"
name="gregh@sunsite.unc.edu">
</tt>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect> Step by step guide
<p>
Ingredients needed:
<itemize>
<item>
RedHat Linux distribution (the instructions are exactly applicable to RedHat
6.1 or 6.0 (I think, 6.2, as well, since there are no major changes)
and with some minor changes to 5.x versions)
<item>
<htmlurl url="http://www.redhat.com/support/hardware/"
name="compatible"> hardware (also known as a PC), that includes
network card and modem (at least one)
<item>
3-256 IP addresses (as the machine will give out some IP addresses for modem
callers and use others for virtual hosting more than 1 is needed, the upper
number is the maximum number of IP-based virtual hosts allowed without
recompiling the stock RedHat kernel, lower is one real IP, one modem and one virtual
IP).
<item>
some sort of permanent network connection (using some modems for dialin while
providing the Internet access via another modem is considered <it>weird</it>
and not recommended)
</itemize>
<p>
Here follows the procedure:
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Get RH
<p>
Purchase or otherwise procure the RedHat 6.1 (further referred as RH,
latest version number is 6.1 at the time of writing) distribution and
<htmlurl url="http://www.redhat.com/support/hardware/"
name="compatible"> hardware. One can get a full RH CDROM for about
$2.00 including shipping and handling at <htmlurl
url="http://www.cheapbytes.com"
name="http://www.cheapbytes.com">. This version will not contain such luxuries
as secure web server and extra software. For those you should turn to
<htmlurl url="http://www.redhat.com" name="RedHat website">.
Or probably buying the PC with Linux RH pre-installed is an option for some.
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> Install RH
<p>
Install the RH following the *instructions on the package* (might be
added here later). CDROM install is very easy to perform. I suggest
using text-mode setup, in my case their new graphical one failed
miserably. When asked about the installation type
(Server/Workstation/Custom) choose Server or Custom (if you know what
you are doing)-you can always add software later. Some other important
installation decisions are outlined further.
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1> Some install tips
<p>
If you hardware really is <htmlurl url="http://www.redhat.com/support/hardware/"
name="compatible"> the installation
process will detect and configure it correctly. Otherwise, refer to
corresponding documentation for troubleshooting network card, modem,
video card, etc problems
(mostly HOWTOs and mini-HOWTOs, some are in References section below).
<p>
If you network card is detected properly you will be asked for an IP
address of your machine, gateway address and network mask and the
address of the DNS server (might be your own machine if you plan to
set it up this way). Have all this info handy.
Also you will be asked for a machine name and domain name.
We will use a sample domain name <bf>you.com</bf> and the machine will be
named <bf>ns</bf> (that gives us a fully qualified domain name (FQDN)
<bf>ns.you.com</bf>). You should use whatever domain you registered (see
Setting Up Your New Domain Mini-HOWTO, link in References section below)
and intend to use as you primary domain (not a virtual).
For the gateway address we will use a sample 111.222.333.111 address. Gateway
is likely the router that connects your machine (or your LAN) to the outside world.
<p>
Enable <bf>shadow</bf> and <bf>MD5</bf> passwords for greater security.
First of those makes the file that contains encrypted
passwords readable only to <tt>root</tt> user
and the second allows longer and harder to crack passwords.
As it will be a standalone machine do not enable NIS/NFS.
<p>
After installation finishes and machine reboots you will see the login
prompt.
Enter login and password (for the root account) and start configuring you
new Linux station.
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Some preliminary security configuration
<p>
First (and fast), add a line:
<tt>
ALL:ALL
</tt>
to your <it>/etc/hosts.deny</it> file. That would (to some known extent)
prevent other people from accessing your machine while you are doing the
configuration. That will also prevent you from doing the same. For
further configuration efforts (that can be done remotely, by the way)
<htmlurl url="http://www.ssh.com" name="secure shell"> is
recommended. Download the RPM package for RH from one of the many sites
and install it (as root) using: <bf> rpm -U ssh*rpm</bf> or similar
command (depends upon the version). You will have to get both client and
server packages (if you want to ssh from this machines as well as to
this machine). Upon installation all necessary post-installation commands
(like server key generation)
are run automatically by the RPM package. You will have to start server
manually using command <bf>/etc/rc.d/init.d/sshd start</bf>.Some early
versions of ssh-1 and also all versions of ssh-1 compiled with RSAREF library
contain a buffer-overflow bug. Use ssh-2 or the latest version of ssh-1
without RSAREF. If you do this you will have to allow access using ssh
from some trusted machine (described later) in <it>/etc/hosts.allow</it> file.
<p>
If you want to be really rigorous in you configuration pursuits go to single
use mode by giving the command <bf>init 1</bf>, in this case all work is to
be done locally and you would not be able to test you network-related
configuration as network is not available in this mode.
<p>To further enhance your security <bf>ipchains</bf> software (that is
usually part of your Linux distribution) can be
used (for that refer to IPCHAINS HOWTO, link in References).
It takes quite a bit more efforts to configure it than TCP wrappers,
although some automated tools are available for that too.
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Remove unnecessary services
<p>
Now lets deal with unnecessary services. Please note that my idea of
"unnecessary" might not be 100% same as yours.
<enum>
<item>
Services started from <it>/etc/inetd.conf</it>:<p>
comment out all the lines, but those
<tscreen><verb>
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -L -l -i -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
</verb></tscreen>
Check this by using the command: <bf>grep -v '\#' /etc/inetd.conf</bf>
<p>If you will be using the secure shell (ssh), telnet is also not necessary and can
be removed. Secure shell can either be started as a daemon on system startup
or as a service from <it>/etc/inetd.conf</it>. Default configuration (used by
the RPM package) is to start is as a daemon. Sshd can be compiled to refer to
<it>/etc/hosts.allow</it> file for access control. In this case, while you
will not have it in your <it>/etc/inetd.conf</it>, it will still use the
settings from <it>/etc/hosts.allow</it> and <it>/etc/hosts.deny</it>. The
advantages of this method is faster connection as the sshd will not have to
regenerate server key every time somebody connects. On the other hand, if you
start it from <it>/etc/inetd.conf</it> it will be more isolated from the
outside world.
More lines will be added to <it>/etc/inetd.conf</it> as necessary (POP3 is one of those).
<p>
<item>
Services started on system startup from <it>/etc/rc.d</it> directory:<p>
Check what services are running by using: <bf>ps ax</bf>. You will
get something similar to the <tt>sample</tt> output below:
<tscreen><verb>
PID TTY STAT TIME COMMAND
1 ? S 0:04 init
2 ? SW 0:30 [kflushd]
3 ? SW 0:32 [kupdate]
4 ? SW 0:00 [kpiod]
5 ? SW 0:03 [kswapd]
6 ? SW< 0:00 [mdrecoveryd]
296 ? SW 0:00 [apmd]
349 ? S 0:00 syslogd -m 0
360 ? S 0:00 klogd
376 ? S 0:00 /usr/sbin/atd
392 ? S 0:00 crond
412 ? S 0:00 inetd
454 ttyS0 S 0:00 gpm -t ms
533 tty2 SW 0:00 [mingetty]
534 tty3 SW 0:00 [mingetty]
535 tty4 SW 0:00 [mingetty]
536 tty5 SW 0:00 [mingetty]
537 tty6 SW 0:00 [mingetty]
667 tty1 SW 0:00 [mingetty]
4540 ? S 0:00 httpd
5176 ? S 0:00 httpd
5177 ? S 0:00 httpd
5178 ? S 0:00 httpd
5179 ? S 0:00 httpd
5180 ? S 0:00 httpd
5181 ? S 0:00 httpd
5182 ? S 0:00 httpd
5183 ? S 0:00 httpd
7321 ? S 0:00 /usr/sbin/sshd <<<<< only after you installed sshd to run on startup
7323 pts/0 S 0:00 -bash
7336 pts/0 R 0:00 ps ax
</verb></tscreen>
Lets concentrate on processes that listen to network, such as
lpd. Since we do not plan to use our server for printing (we sure
might, I just don't describe it here), I suggest we remove the
printer daemon by: <bf>rpm -e lpd </bf>. If rpm complains about any
dependencies (like, in my case, printfilter and rhprinttool), add
them to your <bf>rpm -e</bf> command and repeat it. Other services
that might be removed are NFS, NIS, samba etc, if they got installed
by mistake. Again, these are useful things, I am just following the
*golden rule* <bf>"remove the software you don't currently use"</bf>. And,
with RH RPM it is really easy to add it any time in the future.
</enum>
Some more basic security settings can be obtained from <htmlurl
url="http://www.enteract.com/~lspitz/linux.html" name="Armoring Linux">
paper. As suggested there, lets make a wheel group with trusted users
(in our case, only user <tt>you</tt>will be able to do <tt>/bin/su</tt> and to
run cron jobs (together with root).
<itemize>
<item>
wheel group for sensitive commands:<p>
<enum>
<item>
<tt>vi /etc/group</tt>, add a line (if it doesn't exist):
<verb>wheel:x:10:root,you</verb>. If line exists, just add <tt>you</tt> in the end
as shown.
You don't have to use vi (and I understand it very well), just use your favorite editor
(for a nice reasonably user-friendly editor try <tt>pico</tt>, distributed
together with mail program <tt>pine</tt>, the latter is part of most Linux distributions)
<item>
<verb>/bin/chgrp wheel /bin/su</verb> change group ownership to
<tt>wheel</tt> group on <tt>/bin/su</tt>
<item>
<verb>/bin/chmod 4750 /bin/su</verb> change mode on <tt>/bin/su</tt>
</enum>
<item>
restrict cron:<p>
To only allow <tt> root</tt> and <tt>you</tt> to submit cron jobs create a
file called <it>/etc/cron.allow</it> that contains usernames that you want to
be able to run cron jobs. This file might look like this:
<tscreen><verb>
root
you
</verb></tscreen>
</itemize>
<p>
I suggest you do not install X Windows as it will bring new concern that
you might not be prepared to deal with.
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Enable multiple IP addresses
<p>
Now we are ready to enable our machine to handle multiple IP addresses for
virtual hosting. At that point, the IP Aliasing HOWTO might come
handy (see link in References).
For several reasons, IP-based virtual hosting is better (if you have
enough IP addresses, that is). For instance, reverse lookups would succeed, if
done from the browser side. It might also be needed for hosting
cryptographically enabled websites (commonly known as "secure websites").
Older browsers (not supporting HTTP 1.1) will get unhappy too.
<p>
The changes would be concentrated in <it>/etc/rc.d/</it> directory.
To enable multiple IP addresses you kernel should support this. On a freshly
installed RH Linux it does. To verify it one should look into the config file
that was used to compile the kernel. In my case, it was
<it>/usr/src/linux/configs/kernel-2.2.12-i686.config</it> since the machine
has Pentium II processor. This file exists, if the <tt>kernel-source</tt> RPM
package was installed. If line <tt>CONFIG_IP_ALIAS=y</tt> is present in the
file than you are OK. While we are here, we can also confirm the ability to
forward IP packets (needed for dialup users PPP). This ability is present, but
not turned on by default. Also needed is the support for PPP protocol (line
<tt>CONFIG_PPP=m</tt>, this means PPP support is compiled as a kernel loadable
module, <tt>CONFIG_PPP=y</tt> is also OK)
<p>
The examples will use the ridiculous IP addresses
111.222.333.444-111.222.333.777 from C block 111.222.333.0. 111.222.333.444 is
a real host IP (that is configured during RH installation),
111.222.333.555-777 are virtual addresses and 111.222.333.888 is a dialin user address
(can be more of those).
<p> Lets assume we want to configure 3 virtual hosts.
Two sets of commands will be used:
<enum>
<item>
<tscreen><verb>
/sbin/ifconfig eth0:0 111.222.333.555
/sbin/ifconfig eth0:1 111.222.333.666
/sbin/ifconfig eth0:2 111.222.333.777
</verb></tscreen>
<p>
These will bind the IP addresses to (virtual) interfaces
<tt>eth0:0-eth0:2</tt>.
<p>
<item>
<tscreen><verb>
/sbin/route add -host 111.222.333.555 dev eth0
/sbin/route add -host 111.222.333.666 dev eth0
/sbin/route add -host 111.222.333.777 dev eth0
</verb></tscreen>
<p>
These commands will add routes for those addresses and connect those to real
interface <tt>eth0</tt> (ethernet card).
</enum>
After doing them the ifconfig command output (<tt>ifconfig</tt>) will look
like this:
<tscreen><verb>
eth0 Link encap:Ethernet HWaddr 02:60:8C:4D:24:CE
inet addr:111.222.333.444 Bcast:255.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:901597 errors:33 dropped:0 overruns:0 frame:823
TX packets:433589 errors:0 dropped:0 overruns:0 carrier:0
collisions:128327 txqueuelen:100
Interrupt:5 Base address:0x280
eth0:0 Link encap:Ethernet HWaddr 02:60:8C:4D:24:CE
inet addr:111.222.333.555 Bcast:111.222.333.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:5 Base address:0x280
eth0:1 Link encap:Ethernet HWaddr 02:60:8C:4D:24:CE
inet addr:111.222.333.666 Bcast:111.222.333.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:5 Base address:0x280
eth0:2 Link encap:Ethernet HWaddr 02:60:8C:4D:24:CE
inet addr:111.222.333.777 Bcast:111.222.333.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:5 Base address:0x280
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:26232 errors:0 dropped:0 overruns:0 frame:0
TX packets:26232 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
</verb></tscreen>
All commands can be added to the bottom of <it>/etc/rc.d/rc.local</it> so that
the changes are saved after reboot. Strictly speaking, rebooting machine is
not required for adding new IP addresses. Please, do document all changes
you do to your machines. Many a good sysadmin (or, should I say not-so-good?)
were burned on that at some point in their careers.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Configure DNS
<p>
Now we are ready to configure DNS.
The easiest way would be to add the hostnames (real and all the virtual) that
we want to be seen by the world to the configuration of some machine that
already has bind (DNS daemon) running. But, since we are setting up
ISP-in-a-box we might not be able to avoid "DNS fun".
<p>
Now, let me
also try to defend the (well, questionable) choice of "outdated" version of bind 4.9.7
(last of the pre-8 series). I know that my arguments can be beaten, but
I consider bind 4.9.7 much more time-tested and stable. The arguments for
upgrading to 8.x
(provided <htmlurl url="http://www.acmebw.com/askmrdns/00444.htm" name="http://www.acmebw.com/askmrdns/00444.htm">
and
<htmlurl url="http://www.dns.net/dnsrd/servers.html" name="http://www.dns.net/dnsrd/servers.html">
and, I guess, at many other places)
still didn't seem to convince many people. And, lets not forget the "exploit of 1999" -
ADMROCKS, that gives remote root access to almost any Linux machine running bind prior to
8.1.2 patch 3. Judging by the INCIDENTS mailing list, this is still a very
popular way to attack RH versions 5.0-6.1 if no recommended upgrades are installed.
<p>
Here are the instructions, loosely following the DNS book from O'Reily (a good
one, highly recommended to all, but very casual DNS user).
<p>
<enum>
<item>
Find and install bind 4.9.7 either from RPM package (RH 4.2, if I am not
mistaken - for that you can use <htmlurl url="http://rpmfind.net/linux/RPM/" name="RPMFIND.net">,
personally I didn't try this and so I am somewhat skeptical
about installing RH 4.2 package on RH 6.1 system, but it might work)
or from source (<htmlurl url="ftp://ftp.isc.org/isc/bind/src/4.9.7/" name="bind 4.9.7">,
compiling it is a bit troublesome, but reading all the README files
in the archive will definitely help)
<item>
Create files and directories needed for bind:
<itemize>
<item>
<it>/etc/named.boot</it>
<item>
<it>/etc/namedb</it>
<item>
<it>/etc/namedb/db.you</it>
<item>
<it>/etc/namedb/db.111.222.333</it>
<item>
<it>/etc/namedb/db.127.0.0</it>
<item>
<it>/etc/namedb/db.yoursite1</it>
<item>
<it>/etc/namedb/db.yoursite2</it>
<item>
<it>/etc/namedb/db.yoursite3</it>
</itemize>
This will be used for 3 virtual domains: <bf>yoursite1.com</bf>,<bf>yoursite2.com</bf> and
<bf>yoursite3.com</bf>. One more important comment refers to secondary DNS issue.
As all your domains and all their services will be hosted on the same machine,
DNS backup in the form of secondary server doesn't make much sense:
if your primary DNS is down everything else (mail, www, ftp, pop, etc)
is down as well. But you do have to have a secondary DNS to register a domain.
Try to convince somebody to put you in as a secondary or use a free DNS service
(link is in Setting Up Your New Domain Mini-HOWTO).
<item>
<p>
That is how they look like (if you are unfamiliar with bind 4.x configuration
file format, please, do read either the O'Reily DNS book or any
of the HOWTOs or documents at
<htmlurl url="http://www.dns.net/dnsrd/" name="bind pages">, or, better, all of the above.
You also have an option of using them without understanding, but this is a bad idea in general):
<p>
<it>/etc/named.boot</it>
<p>
This is the main config file for bind 4.9.x.
<tscreen><verb>
directory /etc/namedb
;cache-obtained from internic, usually
cache . db.cache
;main config files
primary you.com db.you
;reverse lookups
primary 333.222.111.in-addr.arpa db.111.222.333
;localhost.localnet configs
primary 0.0.127.in-addr.arpa db.127.0.0
;virtual Domains
primary yoursite1.net db.yoursite1
primary yoursite2.net db.yoursite2
primary yoursite3.net db.yoursite3
</verb></tscreen>
<item>
<p>
<it>/etc/namedb/db.you</it>
<p>
<tscreen><verb>
; defines our local hosts at you.com, just one in our case, and its aliases
@ IN SOA ns.you.com. root.ns.you.com. (
2000012190 7200 1800 3600000 7200 )
;name servers and mail servers
IN NS ns.you.com.
IN MX 10 ns.you.com.
IN A 111.222.333.444
ns IN A 111.222.333.444
;address of the canonical names
localhost IN A 127.0.0.1
gateway IN A 111.222.333.111
;aliases (to use in ftp: ftp ftp.you.com etc, for clarity)
www CNAME ns
mail CNAME ns
ftp CNAME ns
pop3 CNAME ns
</verb></tscreen>
<item>
<p>
<it>/etc/namedb/db.111.222.333</it><p>
<tscreen><verb>
;reverse mapping of our IP addresses
.
;origin is 333.222.111.in-addr.arpa
333.222.111.in-addr.arpa. IN SOA ns.you.com. root.ns.you.com. (
1999121501 7200 1800 3600000 7200 )
;name Servers
IN NS ns.you.com.
;addresses point to canonical name
444.333.222.111.in-addr.arpa. IN PTR ns.you.com.
;dialups
888 IN PTR dialup.you.com.
;virtual hosts
555 IN PTR yoursite1.com.
666 IN PTR yoursite2.com.
777 IN PTR yoursite3.com.
</verb></tscreen>
<item>
<it>/etc/namedb/db.127.0.0</it><p>
<tscreen><verb>
;local loop config file
0.0.127.in-addr.arpa. IN SOA ns.you.com. root.ns.you.com. (
1997072200 7200 1800 3600000 7200 )
IN NS ns.you.com.
1 IN PTR localhost.
</verb></tscreen>
<item>
<it>/etc/namedb/db.yoursite1</it><p>
<tscreen><verb>
; yoursite1.com
@ IN SOA virtual root.virtual (
1999092201 ; Serial: update each time the file is changed
7200 ; refresh, sec
1800 ; retry, sec
3600000 ; expire, sec
7200 ) ; minimum TTL
;name Servers
IN NS ns.you.com.
IN MX 10 virtual
IN A 111.222.333.555
;address of the canonical names
localhost IN A 127.0.0.1
gateway IN A 111.222.333.111
virtual IN A 111.222.333.555
IN MX 10 virtual
;aliases
www CNAME virtual
mail CNAME virtual
ftp CNAME virtual
pop3 CNAME virtual
</verb></tscreen>
<item>
<it>/etc/namedb/db.yoursite2</it><p>
<tscreen><verb>
; yoursite2.com
@ IN SOA virtual root.virtual (
1999092201 ; Serial: update each time the file is changed
7200 ; refresh, sec
1800 ; retry, sec
3600000 ; expire, sec
7200 ) ; minimum TTL
;name Servers
IN NS ns.you.com.
IN MX 10 virtual
IN A 111.222.333.666
;address of the canonical names
localhost IN A 127.0.0.1
gateway IN A 111.222.333.111
virtual IN A 111.222.333.666
IN MX 10 virtual
;aliases
www CNAME virtual
mail CNAME virtual
ftp CNAME virtual
pop3 CNAME virtual
</verb></tscreen>
<item>
<it>/etc/namedb/db.yoursite3</it><p>
<tscreen><verb>
; yoursite3.com
@ IN SOA virtual root.virtual (
1999092201 ; Serial: update each time the file is changed
7200 ; refresh, sec
1800 ; retry, sec
3600000 ; expire, sec
7200 ) ; minimum TTL
;name Servers
IN NS ns.you.com.
IN MX 10 virtual
IN A 111.222.333.777
;address of the canonical names
localhost IN A 127.0.0.1
gateway IN A 111.222.333.111
virtual IN A 111.222.333.777
IN MX 10 virtual
;aliases
www CNAME virtual
mail CNAME virtual
ftp CNAME virtual
pop3 CNAME virtual
</verb></tscreen>
</enum>
These configuration files will allow you to host these three virtual domains
and you real domain <bf>you.com</bf>.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Configure httpd
<p>
To server html pages httpd daemon is used. RH 6.1 comes with Apache
1.3.9 (latest version is currently 1.3.12).
At that point it is wise to check RH site or its mirrors
(<htmlurl url="http://www.redhat.com/mirrors.html" name="RH Mirrors">) for updates.
Most changes that we are about to make
concentrate in <it>/etc/httpd/httpd.conf</it> (RH standard
location for Apache configuration). Default location for html pages (shown
when you go to <bf>www.you.com</bf>) is <it>/home/httpd/html</it>. You can
allocate directories for virtual hosts within the same <it>/home/httpd</it>,
shown below are the following locations for them:
<it>/home/httpd/yoursite1</it>,
<it>/home/httpd/yoursite2</it> and
<it>/home/httpd/yoursite3</it>.
<p>
Below I provide the minimum necessary changes for your
<it>/etc/httpd/httpd.conf</it> file:
<p>
<tscreen><verb>
&lt;VirtualHost 111.222.333.555&gt;
ServerAdmin webmaster@you.com
DocumentRoot /home/httpd/yoursite1
ServerName www.yoursite1.com
ErrorLog yoursite1-error_log
TransferLog yoursite1-access_log
&lt/VirtualHost&gt;
&lt;VirtualHost 111.222.333.666&gt;
ServerAdmin webmaster@you.com
DocumentRoot /home/httpd/yoursite2
ServerName www.yoursite2.com
ErrorLog yoursite2-error_log
TransferLog yoursite2-access_log
&lt/VirtualHost&gt;
&lt;VirtualHost 111.222.333.777&gt;
ServerAdmin webmaster@you.com
DocumentRoot /home/httpd/yoursite3
ServerName www.yoursite3.com
ErrorLog yoursite3-error_log
TransferLog yoursite3-access_log
&lt/VirtualHost&gt;
</verb></tscreen>
That configuration will cause all logs to be stored in one directory (whatever
is specified as such) for all sites. If that is not desired the <bf>ErrorLog</bf> and
<bf>TransferLog</bf> directives can be changed to point to the proper
location separately for each virtual host. The pages for the "real"
<bf>www.you.com</bf> will be stored in default location <it>/home/httpd/html</it>.
<p>
For more information, look at <htmlurl url="http://www.apache.org"
name="http://www.apache.org">, Apache http server homepage. They have a lot of
support pages, including those for virtual hosting setup (both IP-based and
name-based [uses just 1 IP address]). Also useful is Linux WWW HOWTO (link in
References section), section on virtual hosting.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Configure sendmail
<p>
Now we will deal with sendmail. Again, proposed are the minimum necessary
changes to the stock RH <it>/etc/sendmail.cf</it> and <it>/etc/sendmail.cw</it>.
<enum>
<item>
look for the lines that starts from <tt>Dj$w.foo.com</tt> and change it to
point to your main ("real", not virtual) server name (<bf>you.com</bf>, so it
will looks like this <tt>Dj$w.you.com</tt>).
<item>
locate file <it>/etc/sendmail.cw</it> and make it look like this
<tscreen><verb>
# sendmail.cw - include all aliases for your machine here.
you.com
ns.you.com
mail.you.com
yoursite1.com
mail.yoursite1.com
yoursite2.com
mail.yoursite2.com
yoursite3.com
mail.yoursite3.com
</verb></tscreen>
These are necessary so that sendmail accepts mail for these domains.
</enum>
<p>
This <bf>does not</bf> address the issue of <tt>user@yoursite1.com</tt> and
<tt>user@yoursite2.com</tt> mail getting to different mailboxes. For that
look into <tt>/etc/mail/virtusertable</tt> functionality
(appropriate line in <it>/etc/sendmail.cw</it> is <tt>Kvirtuser hash -o
/etc/mail/virtusertable</tt>, detailed info may be added here later).
Excellent documentation on that is on
<htmlurl url="http://www.sendmail.org/virtual"
name="http://www.sendmail.org/virtual">, sendmail reference on virtual
hosting.
<p>It is worthwhile to add that linuxconf proposes a somewhat different
scheme for virtual email with separate spool directories for all domains (that
cleanly solves the above "name-conflict" issue"), but
that requires a special virtual-aware POP/IMAP server (included with RH) and
is somewhat more complicated. It is recommended for bigger email volume sites
with many users within each domain.
<p>
A few words about sendmail, it is a good idea (good from a security
standpoint) to have sendmail run from
<it>inetd.conf</it> and not as a standalone daemon. For that we need to add it
to <it>/etc/inetd.conf</it>, remove it from <it>/etc/rc.d/init.d</it>, add the
sendmail queue processing to cron. Here is what you have to do:
<enum>
<item>
Add the following line to <it>/etc/inetd.conf</it>:
<verb>
smtp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sendmail -bs
</verb>
<item>
Edit <it>/etc/rc.d/init.d/sendmail</it> to have <tt> exit 0 </tt> somewhere in
the very beginning (might not be the best way, be sure to document the changes
you do to these files) so that this file does nothing instead of starting sendmail
<item>
By editing your (root's) crontab (to edit do <bf>crontab -e</bf>) add a line like this
<verb>
*/20 * * * * /usr/sbin/sendmail -q
</verb>
That would process sendmail queue every 20 min (if it exists).
The described steps will simplify sendmail access control and will let you
regulate who can talk to you 25 port, not just who can send email through you.
The lines in <it>/etc/hosts.allow</it>
that let all machines from .com and .org domains send you email are as follows
<verb>
sendmail: .com .org
</verb>
Please, note, that the daemon name, not protocol name is used here (sendmail,
NOT smtp).
</enum>
<p>
That would allow your system to handle email for all those domains.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Configure POP3
<p>
POP3 configuration is easy (no "virtualization" is required for this setup). RH comes
equipped with imapd IMAP server. If you do not want to use IMAP functionality
or do not like this particular implementation (buffer overflow bugs were discovered in it at
some point) the good idea is to use
<tt>qpopper</tt>, free POP3 daemon from Eudora
<htmlurl url="http://www.eudora.com/freeware/qpop.html"
name="http://www.eudora.com/freeware/qpop.html">. At the time of writing they
release the "stable" version (qpopper 2.53) and "public beta" ( qpopper 3.0,
release 34, now called "final beta").
It is important to note that versions earlier than 2.5 contain a
buffer overflow error that allows remote root exploit to be executed. Same
problem plagues "public betas" up to 3.0 release 21. Use either 2.53 or the
latest 3.0 beta (the former is better audited and the latter is better suited
for RH - seamlessly works with PAM authentication). I suggest using 3.0, so
the instructions below apply to that case.
<p>
<enum>
<item>
<tt>wget ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper3.0b34.tar.Z</tt>
<p>Retrieve the archive from Eudora site.
<item>
<tt>tar zxvf qpopper3.0b34.tar.Z</tt>
<p>Uncompress and untar the contents.
<item>
<tt>cd qpopper</tt>
<p>If you need explanation for this step, please, discontinue reading the document.
<item>
<tt>./configure --enable-specialauth --with-pam --enable-log-login --enable-shy</tt>
<p>The options here are:
<p><tt>--enable-specialauth</tt> : allows MD5 and shadow passwords
<p><tt>--with-pam</tt>: allows the use of RH Pluggable Authentication Modules (PAM) technology
<p><tt>--enable-log-login</tt>: log successful logins, not only failures (not really that
useful as it will use tcpd wrappers logging anyway)
<p><tt>--enable-shy</tt>: conceal version number (yeah, a little pesky
manifestation of "security through obscurity")
<item>
<tt>make</tt>
<p>That compiles the popper
<item>
<verb>
/bon/cp popper/popper /usr/local/bin
</verb>
<p>Now copy it to <it>/usr/local/bin</it>
and set the mode to
<verb>
-rwx------ 1 root root 297008 Feb 16 15:41 /usr/local/lib/popper
</verb>
by using the command:
<verb>
chmod 700 /usr/local/bin/popper
</verb>
<item>
Add a line to <it>/etc/inetd.conf</it>
<verb>
pop3 stream tcp nowait root /usr/sbin/tcpd /usr/local/bin/popper -s
</verb>
That would cause the tcpd wrapper to control access to popper.
The lines to add in <it>/etc/hosts.allow</it> are
<verb>
popper: .good.com .nice.org
</verb>
That will allow people from domains good.com and nice.org to read email via
POP3 client from your machine.
<p>
To cause qpopper to use PAM authentication one must create a file for POP3
service in <tt>/etc/pam.d/</tt> directory. File should be named "pop3" (same as line in
<tt>/etc/services</tt> and qpopper compile-time option). The file looks like
this:
<tscreen><verb>
auth required /lib/security/pam_pwdb.so shadow
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session required /lib/security/pam_pwdb.so
</verb></tscreen>
<item>
For whatever reason stock RH lists line in <it>/etc/services</it>
file for POP3 protocol as "pop-3". And since qpopper prefers to see "pop3",
it should be edited to be:
<verb>
pop3 110/tcp # pop3 service
</verb>
</enum>
That would allow all user to get their email via any reasonable mail client.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Configure FTP server
<p>
We will use only anonymous ftp and will not allow any non-anonymous user any
access. Here we describe the anonymous ftp server setup that allows anonymous
uploads. Any self-respecting guide on the subject will tell you that "this is
a bad thing". But how is it worse than allowing users to ftp from untrusted
location and transfer their passwords in clear text? Not everybody
(especially, using Windows) can easily setup an ftp tunnel via ssh.
<p>
I suggest using the stock RH wu-ftpd (version 2.6.0 at the time of
writing). While it is rumored that there are "more secure" ftp daemons
(Pro-FTP?), wu-ftp appears to be one most commonly used.
<p>
RH installs the wu-ftpd (package wu-ftpd-2.6.0-1) by default in server
configuration. You are encouraged to check for updates as running ftp is an important
security concern. There is also a separate rpm package that creates a separate
directory for anonymous ftp home (anonftp-2.8-1).
As anonymous ftp always does a <tt>chroot()</tt>
system call (puts the user in the restricted file system) all necessary
binaries and libraries are required. The typical directory looks like this
(output of <bf>ls -lRa</bf> in <it>/home/ftp</it>):
<tscreen><verb>
.:
total 20
d--x--x--x 2 root root 4096 Feb 15 06:22 bin
d--x--x--x 2 root root 4096 Feb 15 06:22 etc
drwxrws-wt 2 root wheel 4096 Feb 18 19:51 incoming
drwxr-xr-x 2 root root 4096 Feb 15 06:22 lib
drwxr-sr-x 3 root ftp 4096 Feb 15 23:34 pub
bin:
total 344
---x--x--x 1 root root 15204 Mar 21 1999 compress
---x--x--x 1 root root 52388 Mar 21 1999 cpio
---x--x--x 1 root root 50384 Mar 21 1999 gzip
---x--x--x 1 root root 29308 Mar 21 1999 ls
---------- 1 root root 62660 Mar 21 1999 sh
---x--x--x 1 root root 110668 Mar 21 1999 tar
lrwxrwxrwx 1 root root 4 Feb 15 06:22 zcat -> gzip
etc:
total 40
-r--r--r-- 1 root root 53 Mar 21 1999 group
-rw-r--r-- 1 root root 31940 Mar 21 1999 ld.so.cache
-r--r--r-- 1 root root 79 Mar 21 1999 passwd
incoming:
total 0
lib:
total 1212
-rwxr-xr-x 1 root root 77968 Mar 21 1999 ld-2.1.1.so
lrwxrwxrwx 1 root root 11 Feb 15 06:22 ld-linux.so.2 -> ld-2.1.1.so
-rwxr-xr-x 1 root root 1031004 Mar 21 1999 libc-2.1.1.so
lrwxrwxrwx 1 root root 13 Feb 15 06:22 libc.so.6 -> libc-2.1.1.so
-rwxr-xr-x 1 root root 77196 Mar 21 1999 libnsl-2.1.1.so
lrwxrwxrwx 1 root root 15 Feb 15 06:22 libnsl.so.1 -> libnsl-2.1.1.so
-rwxr-xr-x 1 root root 33596 Mar 21 1999 libnss_files-2.1.1.so
lrwxrwxrwx 1 root root 21 Feb 15 06:22 libnss_files.so.2 -> libnss_fi
les-2.1.1.so
pub:
total 0
</verb></tscreen>
<p>
Notice though, that for whatever reason, RH puts a copy of <it>/bin/sh</it> in
<it>/home/ftp/bin</it>.
I do not feel good about having it there, so it is chmoded to 0 by
<bf>chmod 0 sh</bf> (can also be removed completely, but RPM might be slightly
unhappy if you attempt to remove the package afterwards).
<p>
Permissions on <it>/home/ftp</it> directories and files should be carefully
considered. In the above example, all of the system files are owned by root
and are only readable (executable where necessary) by all. Files in
<it>bin</it> are only executable (as is the directory itself to prevent
listing of its contents).
<p>The interesting part is permissions on <it>pub</it> and <it>incoming</it>.
<p>
Below follows the configuration file for ftp daemon
(<it>/etc/ftpaccess</it>). It is well commented to the degree of being self-explanatory:
<tscreen><verb>
#ideas from <htmlurl url="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO" name="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO">
#only allow anonymous users-no other classes defined
class anonftp anonymous *
#number of users restriction with message shown when too many
limit remote 10 Any /toomany.msg
#prevent uploads everywhere (for now)
upload /home/ftp * no
#display the contents of some files upon login/cd
readme README* login
readme README* cwd=*
message /welcome.msg login
message .message cwd=*
#log all file transfers DISABLED
#log transfers anonymous
#prevent these file operations for anon users
delete no anonymous
overwrite no anonymous
#fast cd and aliasing for the same reason (not really necessary, but convenient)
alias inc: /incoming
cdpath /incoming
cdpath /pub
cdpath /
#what is allowed in paths
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
#prevent the retrieval of some file
noretrieve .notar
#allow upload with NO subdirectory creation by anon users
upload /home/ftp /incoming yes root wheel 0400 nodirs
#allow upload with subdirectory creation by anon users DISABLED
#upload /home/ftp /incoming yes root wheel 0400 dirs
#prevent anon users to GET files from incoming (you might not like it, but it
#is a good idea-to prevent some people from using you ftp server to store
#their own stuff, pics, warez etc)
noretrieve /home/ftp/incoming
</verb></tscreen>
That would allow only anonymous users to do downloads and uploads in somewhat (<bf>!</bf>)
controlled manner.
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Configure dialin
<p>
Now the fun part starts. We want the machine to allow dial-in access via
attached (inserted?) modem or modems. It will provide either regular shell or
restricted shell (that only executes pppd daemon). Windows 95/98 users should be
able to effortlessly dial in using all default settings of their computers.
<sect2>Linux setup
<p>
To handle login via serial line some version of <tt>getty</tt> program is
needed. This program monitors the serial line (<it>/dev/ttyS1</it> will be used
throughout the document, see serial HOWTO for details) and upon connection
shown the login prompt or starts a program.
<p>
I suggest using the mgetty program (as it has more features and is easier to
setup than some of the competitors).
<p>RH comes with <tt>mgetty-1.1.21-2</tt>, that also has extensions to receive
faxes and voice mail (if the modem supports this). Check whether mgetty is
installed by doing: <bf>rpm -qa | grep mgetty</bf>.
After installing mgetty some reconfiguration is necessary.
The files that should be changed and the details follow:
<enum>
<item>
<it>/etc/inittab</it><p>
That enables mgetty to start when system is booted and be respawned accordingly.
These lines should be added in the end.
<tscreen><verb>
#for dialins use mgetty
#note this S1 in the beginning of the line and ttyS1 in the end
S1:2345:respawn:/sbin/mgetty ttyS1
</verb></tscreen>
<item>
<it>/etc/ppp/options</it><p>
This file controls the pppd daemon whenever it is started.
Some of the options here are optional (hey, that why they are called options, right?).
<tscreen><verb>
auth -chap +pap login modem crtscts debug proxyarp lock
ms-dns 111.222.333.444
</verb></tscreen>
Here is their brief meaning:
<itemize>
<item>
<bf>auth </bf>: use some sort of authentication for dialin clients
<item>
<bf>-chap</bf>: not CHAP
<item>
<bf> +pap</bf>: use PAP
<item>
<bf> login </bf>: use the system password file for authenticating the client
using PAP and record the user in the system wtmp file, <it>/etc/ppp/pap-secrets</it> should
still be present (see below)
<item>
<bf>modem </bf>: use the modem control lines (for carrier detection and other stuff)
<item>
<bf> crtscts </bf>: use hardware flow control
<item>
<bf>debug </bf>: log extra info (might be removed after everything is fine)
<item>
<bf> proxyarp </bf>: this is needed to connect from the client to the
Internet, not just to the LAN you dialed into
<item>
<bf>lock</bf>: pppd should create a lock file for the serial device
<item>
<bf>ms-dns 111.222.333.444</bf>: this info is provided to Windows box as a default
DNS server
</itemize>
Look at pppd man page for all the juicy details (parts of the above info is
adapted from there)
<item>
<it>/etc/ppp/options.ttyS1</it><p>
This file serves purpose similar to the previous one, but only applies to
particular modem line. It specifies the IP address given to the remote machine
(dynamic, in some sense, if you have more than one line) and the local IP as well.
<tscreen><verb>
111.222.333.444:111.222.333.888
</verb></tscreen>
<item>
<it>/etc/mgetty+sendfax/login.config</it><p>
This file is the main mgetty control file. Mgetty is Windows-PPP-aware, so it
has provisions to start pppd automatically upon receiving connect from the Windows machine.
These lines should be present:
<tscreen><verb>
/AutoPPP/ - - /usr/sbin/pppd
</verb></tscreen>
Before adding them, check that some other version of similar command is absent
there (commented out by default).
<item>
<it>/etc/ppp/pap-secrets</it><p>
This is similar to <it>/etc/password</it> file, but only used for dialins and
contains <bf>plain text passwords</bf> (apparently, only visible to root). All users
that you want to be able to dialin must have their usernames and password
listed in this file. They should enter the same username and password into
Windows Dial Up Networking configuration.
<tscreen><verb>
# Secrets for authentication using PAP
# these two users below can use dialin
# client server secret pword remote IP addresses
dialinuser1 * b1ab1a!? 111.222.333.888
dialinuser2 * p8sSw0rD 111.222.333.888
</verb></tscreen>
</enum>
<p>
Check that mgetty is running by looking for similar line in the output of
<tt>ps ax</tt> command.
<tscreen><verb>
4625 ? S 0:00 /sbin/mgetty ttyS1
</verb></tscreen>
Now this machine will allow modem calls from any Windows 95/98 box.
<sect2>Windows setup
<p>
This is <bf>really</bf> straightforward.
<enum>
<item>
Click on <bf>My Computer</bf>
<item>
Click on <bf>Dial Up networking</bf>
<item>
Click on <bf>Make New Connection</bf>
<item>
Proceed according to directions, enter the phone number etc
<item>
After a new connection is created click on it and enter the username and
password (same as mentioned in <it>/etc/passwd</it> and
<it>/etc/ppp/pap-secrets</it>)
<item>
Click <bf>Connect</bf> and it should work (it did in my case ;-) )
</enum>
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect1>Open access
<p>
Now, after testing all the services, we are ready to open the access to this
machine. The main access control facility in our case is TCP wrappers
(tcpd). Their behavior is controlled by 2 files <it>/etc/hosts.allow</it> and
<it>/etc/hosts.deny</it>, as was mentioned in the sections devoted to various
network services. TCP wrappers configuration can be done in 2 distinct
ways and we will employ the simplest.
<p>Let our <it>/etc/hosts.deny</it> contain <tt>ALL:ALL</tt> clause, thus
denying the access to all services (started from <it>/etc/inetd.conf</it> ) for
all hosts and all users on them. Now we can allow what we need explicitly in
<it>/etc/hosts.allow</it>, thus following the philosophy <bf>"what is not
expressly allowed is denied"</bf>.
<p>Lets assume we want to allow people to read and send email, we want some
trusted hosts to update contents of the web pages and we want admin
workstation to have full access. So we arrive at the following
<it>/etc/hosts.allow</it>:
<tscreen><verb>
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
ALL: 127.0.0.1 adminbox.some.net
#we rely on anti-relaying features of sendmail 8.9.x to fight spam
#and also restrict some sites that we don't want to see email from
sendmail: ALL EXCEPT .kr
popper: .com .edu .gov .mil
#these people can upload/download stuff
in.ftpd: .this.net .that.net
</verb></tscreen>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect>
Conclusion
<p>
There must be the conclusion, right?
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect>
References
<p>
Useful LDP HOWTOs (well, actually, all others are useful too)
<enum>
<htmlurl url="http://www.linuxdoc.org/HOWTO/mini/Domain.html" name="Setting Up Your New Domain Mini-HOWTO.">, really good guide of DNS setup and general network setup (recommended reading)
<item>
<htmlurl url="http://www.linuxdoc.org/HOWTO/WWW-HOWTO.html" name="Linux WWW HOWTO">, provides more details on Apache setup, including virtual hosting
<item>
<htmlurl url="http://www.linuxdoc.org/HOWTO/mini/Home-Network-mini-HOWTO.html" name="Red Hat Linux 6.X as an Internet Gateway for a Home Network">, some hints on network setup
<item>
<htmlurl url="http://www.linuxdoc.org/HOWTO/mini/IP-Alias.html" name="IP Aliasing On A Linux Machine">, used for multiple IP on the same interface
<item>
<htmlurl url="http://www.linuxdoc.org/HOWTO/Ethernet-HOWTO.html" name="Ethernet HOWTO">, look here in case of network card trouble
<item>
<htmlurl url="http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html" name="IPCHAINS HOWTO">, turn to this if more security is desired
<item>
<htmlurl url="http://www.linuxdoc.org/HOWTO/Serial-HOWTO.html" name="Serial HOWTO">, serial ports, lines, modems and related stuff
<item>
<htmlurl url="http://www.linuxdoc.org/HOWTO/PPP-HOWTO.html" name="PPP HOWTO">,some notes on PPP server setup
</enum>
<p>
Software (used or mentioned) websites
<p>
<enum>
<htmlurl url="http://www.eudora.com/qpopper/" name="Eudora POP3 server">
<item>
<htmlurl url="http://www.wu-ftpd.org/" name="WU-FPTD ftp server">
<item>
<htmlurl url="http://www.sendmail.org" name="Sendmail MTA">
<item>
<htmlurl url="http://alpha.greenie.net/mgetty/" name="Mgetty pages">
<item>
<htmlurl url="http://www.apache.org/httpd.html" name="Apache httpd server">
</enum>
<p>
Other documents
<enum>
<item>
<htmlurl url="http://www.enteract.com/~lspitz/linux.html" name="Armoring Linux">
<item>
<htmlurl url="http://www.linuxgazette.com/issue36/ali.html" name="Setting Up
POP/PPP server">
<item>
<htmlurl url="http://www.buoy.com/isp/mgetty.html" name="Mgetty and Windows
dialin info">
<item>
<htmlurl url="http://www.best.com/~aturner/RedHat-FAQ/DOCS/tips4.html"
name="Using RedHat 5.1 to Start an ISP">, the short article on how to start an
ISP if all you have is a Linux RH ;-)
</enum>
<p>
Resources, not related to the topic of the document ;-)
<p>
<enum>
<item>
I also maintain a list of computer/network security related books with
(where available) reviews and online availability. It is posted at
<htmlurl url="http://www.chuvakin.org/books" name="http://www.chuvakin.org/books">.
If you have a book that I don't list please use the form on the page and I will add it to the list and maybe review
it later.
</enum>
<p>
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
</article>
View Git Blame Copy Permalink