<?xml version='1.0' encoding="iso-8859-1" standalone='no'?>
<!DOCTYPE book PUBLIC '-//OASIS//DTD DocBook XML V4.1.2//EN'
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<book id="solrhe"><!-- <?dbhtml filename="coverpage.html"?> -->
<bookinfo>
<mediaobject>
<imageobject><imagedata fileref="./resources/resources/Annimals/Chapter3.gif" format="GIF"/></imageobject>
<textobject><phrase>Wolf</phrase></textobject>
</mediaobject>
<mediaobject><imageobject><imagedata fileref="./images/OpenNA-NewLogo-Penguin.gif" format="GIF"/></imageobject>
<textobject><phrase>openNA logo</phrase></textobject>
</mediaobject>
<title>Securing and Optimizing Linux</title>
<subtitle>RedHat Edition - A Hands on Guide</subtitle>
<authorgroup>
<author>
<firstname>Gerhard</firstname>
<surname>Mourani</surname>
<affiliation>
<orgname>Open Network Architecture
<link linkend="rsrcofwbi1">www.openna.com</link>
</orgname>
<address>
<email>gmourani@openna.com</email>
<email>gmourani@netscape.net</email>
</address>
</affiliation>
</author>
<othercredit>
<firstname>Madhu</firstname>
<othername>"Maddy"</othername>
<contrib>Complete port of the Book to DocBook/XML source
and Editing</contrib>
</othercredit>
</authorgroup>
<edition>A hands on guide for Linux professionals.</edition>
<copyright>
<year>2000</year>
<holder>Gerhard Mourani and OpenDocs, LLC.</holder>
</copyright>
<copyright>
<year>2000</year>
<holder>
Madhusudan (Madhu "Maddy") XML Source
</holder>
</copyright>
<legalnotice id="binflgnrsr1">
<para>
This version and its subsequent outputs, whether HTML, PDF or any other derivative, can be distributed under the same licensing terms and conditions as the original <link linkend="sc24obecfrs1">Securing and Optimizing Linux</link>, i.e. as set forth in the
Open Publication License, V1.0 or later; the latest version is presently available at <link linkend="rsrclgnwbi2">www.opencontent.org/openpub/</link>.
</para>
<para>
Please note that even if I, Madhusudan (Madhu "Maddy"), <email>needaguru@yahoo.com</email>, hold the copyright for the XML source (markup), you still need to get permission from Gerhard Mourani, <email>gmourani@openna.com</email>, the original author of <link linkend="sc24obecfrs1">Securing and Optimizing Linux</link>,
to make any changes to the content of this book. Please do read the licensing terms and conditions detailed below for additional information.
</para>
<para>This material may be distributed only subject to the terms and conditions
set forth in the Open Publication License; V1.0 or later, the latest version
is presently available at <link linkend="rsrclgnwbi2">www.opencontent.org/openpub/</link>.
</para>
<para>
Distribution of substantively modified versions of this document is
prohibited without the explicit permission of the copyright holder.
</para>
<para>
Distribution of the work or derivative of the work in any standard (paper)
book form for commercial purposes is prohibited unless prior permission
is obtained from the copyright holder.
</para>
<para>
Please note even if I, Gerhard Mourani have the copyright, I don't control
commercial printing of the book. Please contact <link linkend="rsrclgnwbi2">OpenDocs @www.opendocspublishing.com/</link>
if you have questions concerning such matters.
</para>
<para>
The logos, trademarks and symbols used in this book are properties of their respective companies.
</para>
</legalnotice>
<keywordset>
<keyword>RedHat</keyword>
<keyword>redhat</keyword>
<keyword>maddy</keyword>
<keyword>linus</keyword>
<keyword>linux</keyword>
<keyword>Linux</keyword>
<keyword>Securing</keyword>
<keyword>Optimising</keyword>
<keyword>security</keyword>
<keyword>secure</keyword>
<keyword>openna</keyword>
<keyword>gerhard</keyword>
</keywordset>
</bookinfo>
<preface><?dbhtml filename="preface.html"?>
<title>Preface</title>
<section><?dbhtml filename="preface1.html"?>
<title>Why did I write this book?</title>
<para>
When I began writing this book, the first question I asked myself was how to
install Linux on a server, and be sure that no one from the outside, or
inside, could access it without authorization. Then I wondered if any method
similar to the one on <trademark class="registered">Windows</trademark> exists to improve the computer's
performance. Subsequently, I began a search on the Internet and read several books
to get the most information on security and performance for my server. After many
years of research and study I had finally found the answers to my questions.
These answers were found scattered throughout different documents, books,
articles, and Internet sites. I created documentation based on my research that
could help me through my daily activities. </para>
<para>Through the years, my documentation grew and started to look more like a book
and less like simple, scattered notes. I decided to publish it on the Internet so
that anyone could take advantage of it. By sharing this information, I felt that I
was doing my part for the community that answered so many of my computing needs with
one magical, reliable, strong, powerful, fast and free operating system named Linux.
I received a lot of feedback and comments about my documentation, which helped to
improve it over time.
</para>
</section>
<section><?dbhtml filename="preface2.html"?>
<sectioninfo>
<authorgroup>
<author>
<firstname>Madhu</firstname>
<othername>"Maddy"</othername>
</author>
</authorgroup>
</sectioninfo>
<title>Why fiddle?</title>
<abstract><para>Is there a need to fiddle with what apparently is working perfectly and serving the need? Well, for one, I have chosen a format, <acronym>XML</acronym>, which, unlike the original manuscript written in Word,
has the advantage that the source is one and the output can be in various formats. That is, if the source is in <acronym>XML</acronym>, it is now easier to convert it into <acronym>HTML, PDF, RTF</acronym> <abbrev>etc.</abbrev> Also, to
prove to the sceptics that DocBook is very much suitable for large production-quality projects (not that this is the first such effort), in this case an entire book has been marked up in <acronym>XML</acronym>.
</para>
</abstract>
<para>In fact, why <acronym>XML</acronym> indeed? <acronym>XML</acronym>, the eXtensible Markup Language, has to a large extent done justice to the hype. Maybe having a watch body like w3.org to monitor it
has been advantageous; unlike HTML, which lacked formal monitoring, the ability to extend, a strong structure and support for validation, <acronym>XML</acronym> has all these and more. It is system-independent, vendor-independent and
has behind it the proven experience of SGML implementation, XML being a subset of SGML. I concur with Tim Bray's reported comment that it is ridiculous to use an application like MS Word, Quark Express <abbrev>etc.</abbrev> for writing text which will be stored in a binary
and proprietary format, thereby bloating it considerably. And unlike <acronym>HTML</acronym>, which has <abbrev>approx.</abbrev> 50-60 pre-cooked tags, with <acronym>XML</acronym> one can make up one's own. In fact, this facility of having one's own
tags will make it very, very useful in the long run. And the inherent fact that <acronym>XML</acronym> is all about content and has nothing to do with presentation will be its greatest strength for years to come. The presentation part is taken care of by
a stylesheet, FO or some such thing.
</para>
</section>
<section>
<title>DocBook!</title><?dbhtml filename="preface3.html"?>
<para>DocBook is a <acronym>DTD</acronym>, a Document Type Definition. Now what is this? Well,
say for example, having said <acronym>XML</acronym> is in itself a rule set, suppose I use a
markup element tag &lt;author&gt; in my document and another author uses a &lt;writer&gt; element
tag in his document; isn't it true we are trying to convey the same meaning? Imagine thousands of
pages being written for the web and for the publishing industry, and what an enormous waste of
time if people wanted to convey similar meanings but used different elements with the core
language being the same. This is where a <acronym>DTD</acronym> comes into the picture.
</para>
<blockquote>
<attribution>-From the book <citetitle pubwork="book"> DocBook -
The Definitive Guide </citetitle> by Norman Walsh and Leonard Muellner.</attribution>
<literallayout class="monospaced">
DocBook <acronym>DTD</acronym> is a very popular set of tags for describing books,
articles and other prose documents, particularly technical documentation. DocBook
is defined using the native <acronym>DTD</acronym> syntax of <acronym>SGML</acronym>
and <acronym>XML.</acronym> Like <acronym>HTML</acronym>, DocBook is an example of
a markup language defined in <acronym>SGML/XML.</acronym>
</literallayout>
</blockquote>
</section>
<section><?dbhtml filename="preface4.html"?>
<title>DocBook/<acronym>XML</acronym></title>
<para>With the sole intent of making this book future-proof, I have ported (I am not sure this is the right term)
this entire book into DocBook/<acronym>XML</acronym>. With the source being marked up in <acronym>XML</acronym>,
this ensures:
<itemizedlist mark="bullet">
<listitem>
<para>
It will become platform-independent and the source is not in any proprietary format like Word.
</para>
</listitem>
<listitem>
<para>
It will be easy to have different outputs like <acronym>HTML, PDF, RTF</acronym> <abbrev>etc.</abbrev>
With newer versions of browsers supporting raw <acronym>XML</acronym> as input, with the stylesheet
being a separate component, this remains ready for the day when it becomes possible to have it converted on the fly.
</para>
</listitem>
<listitem>
<para>
That in the eventuality of me not being involved in the project at a later date, with the
advent of professionals, there will be enough warm bodies to do this job.
</para>
</listitem>
</itemizedlist>
</para>
<para>My fond hope is that this should not turn out to be just a futile exercise and that it proves useful to everybody,
or at least to some people, even if they are a small minority, and least of all to Gerhard Mourani, who is the author of
this splendid book.</para>
<section>
<title>Bouquets, Brickbats, <abbrev>Etc.</abbrev></title>
<para>
The idea behind this exercise has primarily been:
<itemizedlist>
<listitem><para>
To give back something to the Linux community which has been instrumental in
spearheading the spirit of sharing.
</para></listitem>
<listitem><para>
To create awareness about possibilities existing with the available tools set.
</para></listitem>
</itemizedlist>
</para>
<para>
But in the process some mistakes might have crept in, though there can be no excuse, since this book has been looked at twice over; still, I think the mistakes, if any, are entirely mine
and not Gerhard's. So if you spot some glaring mistakes, whether in the form of wrong information or misinformation, typos or grammatical mistakes, please do inform me at
<email>needaguru@yahoo.com</email>, or you can even inform Gerhard at <email>gmourani@openna.com</email>. I am sure he will give a wallop on my backside (it is quite fragile!) so that such mistakes don't happen next time.
Also welcome are suggestions on how we could improve on this, so that next time round it will be much better.
</para>
<para>
Here is hoping that this proves useful despite those already-mentioned crept-in mistakes, errors <abbrev>etc.</abbrev>, and that it kindles in you the same spirit which has embodied the growth of Linux as a powerful environment to work in.
And if that happens I would consider myself highly obliged, and this will prove to be a satisfying endeavour for me personally. I have a feeling that the original author of this book, Gerhard Mourani, shares this thought of
mine and probably agrees with me.
</para>
</section>
</section>
</preface>
<part label="1"><?dbhtml filename="get-start.html"?>
<title>Getting Started</title>
<partintro>
<mediaobject>
<imageobject>
<imagedata fileref="./resources/Annimals/Chapter12.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Owl</phrase></textobject>
</mediaobject>
</partintro>
<chapter label="1" id="ch1gnif"><?dbhtml filename="intro.html"?>
<title>Introduction</title>
<abstract>
<para>
I realized that a lot of people wanted to see it published for its contents, to get
advantages out of it and see the power of this beautiful Linux system in action. A lot of
time and effort went into the making of this book, and to ensure that the results were as
accurate as possible. If you find any abnormalities, inconsistent results, errors, omissions
or anything else that doesn't look right, please let me know so that I can investigate the
problem or correct the error. Suggestions for future versions are also welcome and appreciated.
</para>
</abstract>
<section><?dbhtml filename="Audience.html"?>
<title>Audience</title>
<para>
This book is intended for a target audience of technical and system administrators who manage
Linux servers, but it also includes enough material for home users and others. It discusses
how to install and set up a Red Hat Linux server with all the necessary security and
optimization for a high-performance Linux-specific machine. Since we speak of optimization
and security configuration, we have used only source distribution (tar.gz) programs, the most
available type for critical server software like Apache, BIND/DNS, Samba, Squid, OpenSSL etc.
Source packages give us fast upgrades, security updates when necessary, and better
compilation, customization, and optimization options for our specific machines that we often
can't have with RPM packages.
</para>
</section>
<section><?dbhtml filename="chap1sec2.html"?>
<title>Organization of This Book</title>
<para>
Depending on your level of knowledge of Linux, you can read this book from start to finish
or just the chapters that may be of interest to you. Each chapter and section of this book is laid out
in a manner that lets you read only the parts relevant to your interest without the need to schedule
a couple of days' reading.
</para>
<para>
Too many books available today take two pages to explain something that
can be explained in two lines; I'm sure that many of you agree with my opinion. This book attempts a different
path, in the sense that only the essential and important information that readers are interested in knowing is
explained in detail, thereby eliminating all the nonsense. Though you can read this book in any
order you want, there is a particular order that you could follow if something seems confusing
to you. The steps shown below are what I recommend to facilitate a smooth reading.
</para>
<para>
<link linkend="ch1prt1">Chapter 2</link> through <link linkend="pr2ch4Pi">Chapter 4</link> will guide you to do these steps:
<orderedlist numeration="lowerroman">
<listitem><para>
Setup Linux in your computer
</para></listitem><listitem><para>
Remove all the unnecessary <acronym>RPM</acronym> package(s) during setup
</para></listitem><listitem><para>
Install the necessary <acronym>RPM</acronym> package(s) for compilation
</para></listitem>
</orderedlist>
</para>
<para>
<link linkend="prt2ch1gss">Chapter 5</link> through <link linkend="pr3ch7lnke">Chapter 7</link> will guide you with these additional steps:
<orderedlist numeration="lowerroman" continuation="continues">
<listitem><para>
Secure the system in general
</para></listitem><listitem><para>
Optimize the system in general
</para></listitem><listitem><para>
Install, recompile and customize the Kernel
</para></listitem>
</orderedlist>
</para>
<para>
<itemizedlist>
<listitem><para>
<link linkend="pr6ch24SoNE">Chapter 24</link> will guide you through this:
<orderedlist numeration="lowerroman" continuation="continues" inheritnum="inherit">
<listitem><para>
Install OpenSSL to be able to use encryption with the Linux server
</para></listitem>
</orderedlist>
</para></listitem>
<listitem><para>
<link linkend="prt6ch15ssh">Chapter 15</link> will guide you through this:
<orderedlist numeration="lowerroman" continuation="continues" inheritnum="inherit">
<listitem><para>
Install OpenSSH to be able to make remote administration tasks
</para></listitem>
</orderedlist>
</para></listitem>
<listitem><para>
<link linkend="pr6ch21Sonet">Chapter 21</link> will guide you through this:
<orderedlist numeration="lowerroman" continuation="continues" inheritnum="inherit"><listitem><para>
Install BIND/DNS as client or server depending on your needs
</para></listitem></orderedlist>
</para></listitem>
<listitem><para>
<link linkend="pr6ch22SSMn">Chapter 22</link> will guide you through this:
<orderedlist numeration="lowerroman" continuation="continues" inheritnum="inherit"><listitem><para>
Install Sendmail as client or server depending on your needs
</para></listitem></orderedlist>
</para></listitem>
<listitem><para>
<link linkend="pr4ch4nfl">Chapter 10</link> through <link linkend="pr4ch12nfmf">Chapter 12</link> will guide you through these steps:
<orderedlist numeration="lowerroman" continuation="continues" inheritnum="inherit"><listitem><para>
Install &amp; Configure the firewall script according to which services
are installed in your system
</para></listitem></orderedlist>
</para></listitem>
<listitem><para>
<link linkend="pr6ch17SSSI">Chapter 17</link> and <link linkend="pr6ch4sc1ltp">Chapter 18</link> should guide you through this step:
<orderedlist numeration="lowerroman" continuation="continues" inheritnum="inherit"><listitem><para>
Install Tripwire
</para></listitem></orderedlist>
</para></listitem>
</itemizedlist>
</para>
<para>
Now for this step you will need to go through the book section wise to choose what you want.
<orderedlist numeration="lowerroman" continuation="continues"><listitem><para>
Install any software you need later.
</para></listitem></orderedlist>
</para>
</section>
<section><?dbhtml filename="chap1sec3.html"?>
<title>Pre-requisites</title>
<para>
These installation instructions assume that you have a CD-ROM drive on your computer and
the Official Red Hat Linux CD-ROM. Installations were tested on the Official Red Hat Linux
versions 6.1 and 6.2. You should understand the hardware system on which the operating system will be
installed. After examining the hardware, the rest of this document guides you,
step-by-step, through the installation process.
</para>
<sidebar>
<title>About products mentioned in this book:</title>
<para>
Many products are mentioned in this book; some are commercial, but most are not,
cost nothing and can be freely used or distributed. It is also important to say that
I'm not affiliated with any of them, and if I mention a tool, it is because it is useful.
You will find that a lot of big companies use most of them in their daily work.
</para>
</sidebar>
</section>
<section id="pr1ch2s4obefs"><?dbhtml filename="chap1sec4.html"?>
<title>Obtaining the book and example configuration files</title>
<para>Securing and Optimizing Linux: RedHat Edition is now also available for download
from the most popular Linux web sites. Free formatted versions of this book can be
found on the Internet via the addresses listed below, starting with the original web site:
<simplelist type="vert">
<member>
<systemitem class="systemname">Open Network Architecture:</systemitem> <link linkend="sc24obecfrs1">www.openna.com</link>
</member>
<member>
<systemitem class="systemname">The Linux Documentation Project homepage:</systemitem>
<link linkend="sc24obecfrs1">www.linuxdoc.org</link>
</member>
<member>
<systemitem class="systemname">O'Reilly Network:</systemitem>
<link linkend="sc24obecfrs1">oreilly.linu.com/pub/d/25</link>
</member>
<member>
<systemitem class="systemname">Linux Security portal</systemitem>
<link linkend="sc24obecfrs1">linuxsecurity.com/docs</link>
</member>
</simplelist>
</para>
<para>On the other hand, if you like the nice feel of paper and would like to browse through
the pages at your convenience, you will have to purchase it.
<simplelist type="vert">
<member>
<link linkend="sc24obecfrs1">
By clicking here!
</link>
</member>
</simplelist>
<mediaobject>
<imageobject><imagedata align="center" format="GIF" fileref="./images/lcanim-1.gif"/></imageobject>
<textobject><phrase>
You can Buy here!
</phrase></textobject>
</mediaobject>
It also comes with an accompanying CD filled with some nice goodies and all the example configuration files.
</para>
<para>
Other related web sites may exist without my knowledge. If you host this book
Securing and Optimizing Linux: RedHat Edition and want to be included in the
list of the next release, please send me a message with your intentions.
If you receive this as part of a printed distribution or on a CD-ROM, please
check out the Linux Documentation home page <link linkend="sc24obecfrs1">www.linuxdoc.org/</link>
or the original website at <link linkend="sc24obecfrs1">www.openna.com</link> to see
if there is a more recent version. This could potentially save you a lot of trouble.
If you want to translate this book, please notify me so I can keep track of which
languages it has been published in.
</para>
<section id="pr1ch2s4obefs1">
<title>Example Configuration files</title>
<para>The example configuration files in this book are available
electronically via HTTP from this web site: <link linkend="sc24obecfrs2">www.openna.com/books/floppy.tgz</link>.
In either case, whether from the CD-ROM or downloaded from the web site, extract the files from the
archive by typing:
<screen>
[root@deep ]/tmp#<command>tar</command> xzpf floppy.tgz
</screen>
This assumes you have stored <filename>floppy.tgz</filename> in the directory
<filename class="directory">/tmp/</filename>.
</para>
<para>
<important>
<title>Errata</title>
<para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</mediaobject>
As I was giving this book a final look over, Gerhard Mourani released an errata for all firewall scripts;
it is available here: <link linkend="prtinxfperrt1">http://www.openna.com/books/errata.htm</link>
</para>
</important>
If you cannot get the examples directly over the Internet, please contact the author
at these email addresses:
<simplelist type="horiz" columns="1">
<member>
<email>gmourani@openna.com</email>
</member>
<member>
<email>gmourani@netscape.net</email>
</member>
</simplelist>
</para>
</section>
</section>
<section><?dbhtml filename="chap1sec5.html"?>
<title>Acknowledgements from Gerhard</title>
<para>I would like to thank Michel M&#233;ral who has drawn all the beautiful animal drawings in
my book, Robert L. Ziegler for allowing me to include his Firewall software and all Linux
users around the world for their comments and suggestions.
</para>
<section id="pr1ch1ackn"><?dbhtml filename="chap1sec6"?>
<title>Acknowledgements from "Maddy"</title>
<para>The book was originally written by Gerhard Mourani, <link linkend="rsrcofwbi1">www.openna.com</link>, and I would like to thank him for collaborating
with me in porting it (for want of a better word). To say he was co-operative would be an understatement; he was always there with a helping hand
to answer my innumerable queries etc.
Also I would like to thank the following people, but not in any particular order:</para>
<para>
Norman Walsh, <link linkend="prtinxfp1acn">http://nwalsh.com/~ndw/</link>, for his phenomenal and brilliant contribution to DocBook. To me it at times looks like only one man is contributing to its growth and popularity, and in the process making it a mature
product. Add to that, he is a wonderful human being. My many, many thanks to him.
</para>
<para>
Peter Graves, <link linkend="prtinxfp1acn">http://armedbear.org</link>, for his brilliant editor j; I do all my work using it and there are no words to describe it.
I am indebted to him. I doubt very much that I could have worked for long stretches without it.
</para>
<para>
Bryan Henderson, <link linkend="prtinxfp1acn">http://netpbm.sourceforge.net/</link>, for his netpbm package and, more than anything, for having the patience to deal with my often persistent and idiotic queries. His software was mainly responsible for converting and manipulating
all the original images, which were in some esoteric format.
</para>
<para>
Additionally, I would also like to thank the following for releasing the right software at the right time:
<informaltable frame="none">
<tgroup cols="1">
<tbody valign="middle">
<row><entry>
James Clark, <link linkend="prtinxfp1acn">http://www.jclark.com/</link>, for his xt and xp
</entry></row>
<row><entry>
Michael Kay, <link linkend="prtinxfp1acn">http://users.iclway.co.uk/mhkay/saxon/</link> for Saxon
</entry></row>
<row><entry>
To each and everyone at OASIS, <link linkend="prtinxfp1acn">http://www.oasis-open.org/docbook/</link>
</entry></row>
<row><entry>
To each and everyone at Docbook.org, <link linkend="prtinxfp1acn">http://docbook.org/</link>
</entry></row>
<row><entry>
Sebastian Rahtz, <link linkend="prtinxfp1acn">http://users.ox.ac.uk/~rahtz/passivetex/</link>, for his contribution to DocBook
</entry></row>
<row><entry>
Mark Galassi for his brilliant DocBook tutorial <link linkend="prtinxfp1acn">http://nis-www.lanl.gov/~rosalia/mydocs/</link>, my starting point!
</entry></row>
</tbody>
</tgroup>
</informaltable>
The list would probably go on endlessly, and maybe require a book of acknowledgements, I guess.
</para>
</section>
</section>
</chapter>
</part>
<part label="2" id="prt1bint"><?dbhtml filename="install.html"?>
<title>Installation</title>
<partintro>
<mediaobject>
<imageobject>
<imagedata fileref="./resources/Annimals/Chapter7-8.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Turtle!</phrase></textobject>
</mediaobject>
</partintro>
<chapter label="2" id="ch1prt1"><?dbhtml filename="overview.html"?>
<title>Overview of OS Linux</title>
<highlights>
<para>
This part of the book deals with all the basic knowledge required to properly install a
Linux OS, in our case Red Hat Linux, on your system.
<simplelist type="vert" columns="1">
<member>Introduction to Linux</member>
<member>Steps to be taken prior to install</member>
<member>Steps to be taken post install</member>
</simplelist>
</para>
</highlights>
<section><?dbhtml filename="chap2sec7.html"?>
<title>What is Linux?</title>
<para>Linux is an <firstterm>Operating System</firstterm> that was first created at the
University of Helsinki in Finland by a young student named Linus Torvalds. At
this time the student was working on a UNIX system that was running on an
expensive platform. Because of his low budget, and his need to work at home, he
decided to create a copy of the UNIX system in order to run it on a less
expensive platform, such as an IBM PC. He began his work in 1991 when he
released version 0.02 and worked steadily until 1994 when version 1.0 of the
Linux Kernel was released. The current full-featured version at this time is
2.2.X; released January 25, 1999, and development continues.</para>
<sidebar>
<title><acronym>GNU</acronym> <acronym>GPL</acronym> and Linux</title>
<para>
The Linux operating system is developed under the <acronym>GNU</acronym> General Public License (also known as GNU GPL) and its
source code is freely available to everyone who downloads it via the Internet. The CD-ROM version of Linux is
also available in many stores, and companies that provide it will charge you for the cost of the media and support.
Linux may be used for a wide variety of purposes including networking, software development, and as an end-user
platform. Linux is often considered an excellent, low-cost alternative to other more expensive operating systems
because you can install it on multiple computers without paying more.
</para>
</sidebar>
</section>
<section><?dbhtml filename="chap2sec8.html"?>
<title>A few good reasons to use Linux</title>
<para> There are no royalty or licensing fees for using Linux, and the source code can be modified
to fit your needs. The results can be sold for profit, but original authors retain copyright and
you must provide the source to your modifications.
</para>
<para>
Because it comes with the source code to the kernel, it is quite portable. Linux runs on more CPUs and
platforms than any other computer operating system. The recent direction of the software and hardware
industry is to push consumers to purchase faster computers with more system memory and hard drive storage.
Linux systems are not affected by this industry orientation because of their capacity to run on any kind
of computer, even aging 486-based computers with limited amounts of RAM.
</para>
<para>
Linux is a true multi-tasking operating system similar to its brother UNIX. It uses sophisticated, state-of-the-art
memory management to control all system processes. That means that if a program crashes you can kill it and continue
working with confidence.
</para>
<para>
Another benefit is that Linux is practically immune to all the kinds of viruses that we find in other operating
systems. To date we have found only two viruses that were effective on Linux systems.
</para>
</section>
<section><?dbhtml filename="chap2sec9.html"?>
<title>Fears, Uncertainty and Doubts</title>
<bridgehead>Let's dispel some of the fear, uncertainty, and doubt about Linux:</bridgehead>
<formalpara><title>It's a toy operating system.</title>
<para>
More and more Fortune 500 companies, governments, and consumers use Linux as a cost-effective computing
solution. It has been used and is still used by big companies like IBM, Amtrak, NASA, and others.
</para>
</formalpara>
<formalpara><title>There's no support.</title>
<para>
Every Linux distribution comes with more than 12,000 pages of documentation. Commercial Linux distributions such
as Red Hat Linux, Caldera, SuSE, and OpenLinux offer initial support for registered users, and small business
and corporate accounts can get 24/7 support through a number of commercial support companies. As an Open Source
operating system, there's no six-month wait for a service release, and the online Linux community fixes many
serious bugs within hours.
</para>
</formalpara>
</section>
</chapter>
<chapter label="3" id="pr1ch2" ><?dbhtml filename="installlin.html"?>
<title>Installation of your Linux Server</title>
<highlights><para>The next two chapters are structured in a manner that follows the original installation from the Red Hat Linux <hardware>CD-ROM</hardware>.
Each section below refers to, and will guide you through, the different screens that will appear during the setup of your
system after the insertion of the Red Hat boot diskette in your computer.
</para>
<para>
We promise that it will be worthwhile to have the machine on which you want to install Linux ready and near you when you follow the steps described below.
From time to time Red Hat Linux updates its operating system to a new version and adds, changes or removes some packages,
as well as changing some locations, contents or features of files in its distribution.
</para>
<para>
Red Hat has recently updated its operating system to version 6.2, called <firstterm>Zoot</firstterm>, which is a minor upgrade of 6.1.
So, to be as accurate as possible about all the information contained in these early chapters, we'll comment on the installation of version 6.1 as well as version 6.2 for those who will upgrade
or install it. Any section in this chapter that refers to version 6.1 is for the Red Hat Linux 6.1 <firstterm>(Cartman)</firstterm> distribution,
and any section where we talk about version 6.2 is for the Red Hat Linux 6.2 (Zoot) distribution.
</para>
</highlights>
<para>
The following conventions will simplify the interpretation of these chapters:
<simplelist type="vert">
<member>
<inlinemediaobject>
<imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>
All versions
</phrase></textobject>
</inlinemediaobject> This icon applies to both Red Hat Linux
version 6.1 and version 6.2.
</member>
<member>
<inlinemediaobject>
<imageobject> <imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>
Version 6.1 only
</phrase></textobject>
</inlinemediaobject> This icon applies to Red Hat Linux version 6.1 only.
</member>
<member>
<inlinemediaobject>
<imageobject> <imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>
Version 6.2 only
</phrase></textobject>
</inlinemediaobject> This icon applies to Red Hat Linux version 6.2 only.
</member>
</simplelist>
</para>
<para>
We know that many organizations and companies handle different versions of this operating system, and run a number of services on
them. Sometimes it may be difficult to upgrade to the latest version since clients use services on the server 24 hours a day. With
this simple convention, people who maintain and use version 6.1 of Red Hat Linux will always find exact information related to their
needs.
</para>
<section><?dbhtml filename="chap3sec10.html"?>
<title>Know your Hardware!</title>
<para>
Understanding the hardware of your computer is essential for a successful installation of Red Hat Linux. Therefore, you should take a
moment now and familiarize yourself with your computer hardware. Be prepared to answer the following questions:
</para>
<itemizedlist>
<listitem>
<para>
How many hard drives do you have?
</para>
</listitem>
<listitem>
<para>
What size is each hard drive? <abbrev>e.g.</abbrev> <literal>3.2GB</literal>.
</para>
</listitem>
<listitem>
<para>
If you have more than one hard drive, which is the primary one?
</para>
</listitem>
<listitem>
<para>
What kind of hard drive do you have? <abbrev>e.g.</abbrev> <acronym>IDE</acronym>, <acronym>SCSI</acronym>.
</para>
</listitem>
<listitem>
<para>
How much <acronym>RAM</acronym> do you have? <abbrev>e.g.</abbrev> 256MB <acronym>RAM</acronym>.
</para>
</listitem>
<listitem>
<para>
Do you have a <acronym>SCSI</acronym> adapter? If so, who is the manufacturer and what model is it?
</para>
</listitem>
<listitem>
<para>
Do you have a <acronym>RAID</acronym> system? If so, who is the manufacturer and what model is it?
</para>
</listitem>
<listitem>
<para>
What type of mouse do you have? <abbrev>e.g.</abbrev> <literal>PS/2</literal>, Microsoft, Logitech.
</para>
</listitem>
<listitem>
<para>
How many buttons does your mouse have? <literal>2/3</literal> buttons.
</para>
</listitem>
<listitem>
<para>
If you have a serial mouse, what <acronym>COM</acronym> port is it connected to? <abbrev>e.g.</abbrev> <literal>COM1.</literal>
</para>
</listitem>
<listitem>
<para>
What is the make and model of your video card? How much video <acronym>RAM</acronym> do you have? <abbrev>e.g.</abbrev> 4MB.
</para>
</listitem>
<listitem>
<para>
What kind of monitor do you have? <emphasis>Make and Model</emphasis>.
</para>
</listitem>
<listitem>
<para>
Will you be connected to a network? If so, what will be the following:
</para>
</listitem>
<listitem override="none">
<para>
<orderedlist numeration="loweralpha">
<listitem>
<para>
Your <acronym>IP</acronym> address?
</para>
</listitem>
<listitem>
<para>
Your netmask?
</para>
</listitem>
<listitem>
<para>
Your gateway address?
</para>
</listitem>
<listitem>
<para>
Your domain name server's <acronym>IP</acronym> address?
</para>
</listitem>
<listitem>
<para>
Your domain name?
</para>
</listitem>
<listitem>
<para>
Your hostname?
</para>
</listitem>
<listitem>
<para>
Your type(s) of network card(s)? <emphasis>Make and Model</emphasis>.
</para>
</listitem>
<listitem>
<para>
The number of network cards?
</para>
</listitem>
</orderedlist>
</para>
</listitem>
</itemizedlist>
</section>
<section id="prt2ch2sc2"><?dbhtml filename="chap3sec11.html"?>
<title>Creating the Boot Disk and Booting</title>
<para>
<informalfigure pgwide="0" float="0"><mediaobject><imageobject> <imagedata format="GIF" fileref="images/VersionAll.gif"/></imageobject></mediaobject></informalfigure>
The first thing to do is to create an installation diskette also known as a boot disk. If you have purchased the
official Red Hat Linux <hardware>CD-ROM</hardware>, you will find this floppy disk named Boot Diskette in the Red Hat Linux box and
you don't need to create it. From time to time, you may find that the installation will fail with the standard diskette
image that comes with the official Red Hat Linux CD-ROM. If this happens, a revised diskette is required in order for
the installation to work properly. In these cases, special images are available via the Red Hat Linux Errata web
page to solve the problem <link linkend="prtinxfp4">www.redhat.com/errata</link>. Since this is a
relatively rare occurrence, you will save time if you try the standard diskette image first, and then review
the Errata only if you experience a problem completing the installation.
</para>
<formalpara>
<title>Step 1</title>
<para>
Before you make the boot disk, insert the Official <productname>Red Hat Linux</productname> <hardware>CD-ROM</hardware>
Part 1 in a computer that runs the <productname class="copyright">Windows</productname> operating system. When the program asks for the filename,
enter <filename>boot.img</filename> for the boot disk. To make the floppy under <productname class="copyright">MS-DOS</productname>, use the following
commands, assuming your <hardware>CD-ROM</hardware> is drive <prompt>D:</prompt> and contains the Official <productname class="copyright">Red Hat Linux</productname>
<hardware>CD-ROM</hardware>.
</para>
</formalpara>
<para>Open the Command Prompt under Windows: <command><guimenu>Start</guimenu></command> | <command><guimenuitem>Programs</guimenuitem></command> | <command><guimenuitem>Command Prompt</guimenuitem></command></para>
<literallayout class="monospaced"><computeroutput>
C:\> d:
D:\> cd \dosutils
D:\dosutils> rawrite
Enter disk image source file name: ..\images\boot.img
Enter target diskette drive: a:
Please insert a formatted diskette into drive A: and press --ENTER-- :
D:\dosutils>
</computeroutput></literallayout>
<para>
The <application class="software">rawrite.exe</application> program asks for the filename of the disk image: enter <filename>boot.img</filename> and insert a <hardware>floppy</hardware>
into drive A. It then asks for the disk to write to: enter <userinput>a:</userinput>. When it completes, label the disk, for example Red Hat boot disk.
</para>
<formalpara>
<title>Step 2</title>
<para>
Since we will start the installation directly from the <hardware>CD-ROM</hardware>, boot with the boot disk. Insert the boot diskette you created into drive A: of the computer where you want to
install Linux and reboot the computer. At the <prompt>boot:</prompt> prompt, press <command>Enter</command> to continue booting and follow the three simple steps below:
</para>
</formalpara>
<variablelist>
<varlistentry>
<term><command>Choose your language</command></term>
<listitem><para>You can choose your preferred language for the Linux OS from a list. For example, English, Danish, etc.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>Choose your keyboard type</command></term>
<listitem><para>You can choose your keyboard type. For example <literal>US pc104</literal>, Norwegian, etc.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>Select your mouse type</command></term>
<listitem><para>You can choose your mouse type. For example Logitech two-button, Microsoft three-button mouse, etc.
</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section><?dbhtml filename="chap3sec12.html"?>
<title>Installation Class and Method (Install Type)</title>
<para>
Red Hat Linux 6.1 and 6.2 include four different classes, or types, of installation. They are:
<simplelist type="vert" columns="1">
<member><command>
GNOME Workstation
</command>
</member>
<member><command>
KDE Workstation
</command>
</member>
<member><command>
Server
</command>
</member>
<member><command>
Custom
</command>
</member>
</simplelist>
</para>
<para>
The first three classes <command>GNOME Workstation, KDE Workstation, and Server</command> give you the option of simplifying
the installation process at the cost of a significant loss of configuration flexibility, which we don't want to give up. For this
reason we highly recommend the <command>Custom</command> installation, as it allows you to choose which services are added and how the system is
partitioned. The idea is to load the minimum number of packages while maintaining maximum efficiency: the less software that resides
on the box, the fewer potential security holes there are. Select <command>Custom</command> and click <command>Next</command>.
</para>
</section>
<section><?dbhtml filename="chap3sec13.html"?>
<title>Disk Setup- Disk Druid</title>
<para>
<mediaobject><imageobject> <imagedata format="GIF" fileref="images/VersionAll.gif"/></imageobject><textobject><phrase>Version All</phrase></textobject></mediaobject> We
assume that you are installing your new Linux server on a new hard drive, with no other file system or operating system previously
installed. A good partition strategy is to create a separate partition for each major file system. This enhances security and limits
accidental denial of service and the exploitation of <acronym>SUID</acronym> programs.
</para>
<para>Creating multiple partitions offers you the following advantages:
<simplelist columns="1" type="horiz">
<member>
Protection against denial of service attack.
</member>
<member>
Protection against <acronym>SUID</acronym> programs.
</member>
<member>
Faster booting.
</member>
<member>
Easy backup and upgrade management.
</member>
<member>
Ability for better control of mounted file system.
</member>
<member>
Limit each file system's ability to grow.
</member>
</simplelist>
</para>
<warning>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Warning.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Warning</phrase></textobject>
</inlinemediaobject>
</title>
<para>
If a previous file system or operating system exists on the hard drive of the computer where you
want to install your Linux system, we highly recommend that you make a backup of your current
system before proceeding with the disk partitioning.
</para>
</warning>
<formalpara>
<title>Step 1</title>
<para>
For performance, stability and security reasons you must create partitions similar to those
listed below on your computer. This partition configuration assumes that you have a <acronym>SCSI</acronym>
hard drive of 3.2 GB. Of course you will need to adjust the partition sizes according to your own needs and
disk size.
Partitions that must be created on your system:
<programlisting>
/boot 5MB <co id="boot"/>
/usr 512MB <co id="usr"/>
/home 1146MB <co id="home"/>
/chroot 256MB <co id="chroot"/>
/cache 256MB <co id="cache"/>
/var 256MB <co id="var"/>
&lt;Swap&gt; 128MB <co id="swap"/>
/tmp 256MB <co id="tmp"/>
/ 256MB <co id="root"/>
</programlisting>
<calloutlist>
<callout arearefs="boot">
<para>All Kernel images are kept here.
</para>
</callout>
<callout arearefs="usr">
<para>Must be large, since all Linux binaries programs are installed here.
</para>
</callout>
<callout arearefs="home">
<para>Proportional to the number of users you intend to host, <abbrev>i.e.</abbrev> 10MB per user
multiplied by the number of users: 114 users = 1140MB.
</para>
</callout>
<callout arearefs="chroot">
<para>If you want to install programs in a chroot jail environment, <abbrev>i.e.</abbrev> DNS.
</para>
</callout>
<callout arearefs="cache">
<para>This is the cache partition of a proxy server <abbrev>i.e.</abbrev> Squid.
</para>
</callout>
<callout arearefs="var">
<para>Contains files that change while the system runs normally, <abbrev>i.e.</abbrev> log files.
</para>
</callout>
<callout arearefs="swap">
<para>Our swap partition. The virtual memory of the Linux operating system.
</para>
</callout>
<callout arearefs="tmp">
<para>Our temporary files partition.
</para>
</callout>
<callout arearefs="root">
<para>Our root partition.
</para>
</callout>
</calloutlist>
</para>
</formalpara>
<para>
We have made two more special partitions:
<variablelist><varlistentry>
<term><filename class="directory">/chroot</filename> </term>
<listitem><para>
The <filename>/chroot</filename> partition can be used for DNS server chrooted, Apache server chrooted and other chrooted future programs.
</para></listitem>
</varlistentry><varlistentry>
<term><filename class="directory">/cache</filename></term>
<listitem><para>
The <filename class="directory">/cache</filename> partition can be used for a Squid Proxy server.
</para></listitem>
</varlistentry>
</variablelist>
If you are not intending to install Squid Proxy server you don't need to create the <filename class="directory">/cache</filename> partition.
</para>
<para>
Keeping <filename class="directory">/tmp</filename> and <filename class="directory">/home</filename> on separate partitions is pretty much mandatory if users have shell access
to the server (protection against <acronym>SUID</acronym> programs); splitting these off into separate partitions also
prevents users from filling up any critical file system (denial of service attack).
The same applies to <filename class="directory">/var</filename>, and putting <filename class="directory">/usr</filename> on a separate partition is also a very good idea. By isolating the <filename class="directory">/var</filename> partition, you protect
your root partition from overfilling (denial of service attack).
</para>
<para>
In our partition configuration we reserve 256 MB of disk space for chrooted programs like Apache,
DNS and other software. This is necessary because the Apache <filename>DocumentRoot</filename> files, other binaries and programs
related to Apache will be installed in this partition if you decide to run the Apache web server in a chroot
jail.
</para>
<para>
Note that the size of the Apache chrooted directory on the chroot partition is proportional
to the size of your <filename class="directory">DocumentRoot</filename> files. If you do not intend to install and use Apache on your server,
you can reduce the size of this partition to something like 10 MB for the <acronym>DNS</acronym> server, which you should always run in
a chroot jail environment for security reasons.
</para>
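<para>
As an added example that is not part of the book, the following POSIX shell script audits an <filename>/etc/fstab</filename>
against the partition plan described above: every mount point the plan calls for must be a separate file system, a swap entry must
exist, every device name must follow the <filename>hd</filename>/<filename>sd</filename> naming scheme, and <filename class="directory">/home</filename>
and <filename class="directory">/tmp</filename> must carry the <option>nosuid</option> mount option. That last rule is the script's own assumption
(it is the mechanism behind the <acronym>SUID</acronym> protection mentioned above; the installer writes <literal>defaults</literal> for every entry),
and the embedded fstab is constructed to match the 3.2 GB <acronym>SCSI</acronym> layout.
</para>
<programlisting><![CDATA[
```shell
#!/bin/sh
# Added example, not from the book: audit an /etc/fstab against the
# partition plan. The nosuid/nodev options on /home and /tmp are this
# script's assumption (they implement the SUID protection the text mentions);
# the Red Hat installer writes "defaults" for every entry.

# Constructed /etc/fstab for the 3.2 GB SCSI layout. sda1 is the only primary
# partition; sda5 and up are logical partitions inside an extended partition,
# which is why the numbering jumps from 1 to 5.
SAMPLE_FSTAB='/dev/sda12  /        ext2  defaults               1 1
/dev/sda1   /boot    ext2  defaults               1 2
/dev/sda5   /usr     ext2  defaults               1 2
/dev/sda6   /home    ext2  defaults,nosuid,nodev  1 2
/dev/sda7   /chroot  ext2  defaults               1 2
/dev/sda8   /cache   ext2  defaults               1 2
/dev/sda9   /var     ext2  defaults               1 2
/dev/sda11  /tmp     ext2  defaults,nosuid,nodev  1 2
/dev/sda10  swap     swap  defaults               0 0'

# Mount points the plan requires as separate file systems (/cache is optional,
# it is only needed for a Squid proxy), and those that must refuse SUID binaries.
REQUIRED_MOUNTS="/ /boot /usr /home /chroot /var /tmp"
NOSUID_MOUNTS="/home /tmp"

# fstab_opts FSTAB_TEXT MOUNTPOINT -> prints the options field of that entry,
# or nothing if the mount point has no entry of its own.
fstab_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}

# fstab_bad_devices FSTAB_TEXT -> prints device fields that do not follow the
# /dev/hdXN (IDE) or /dev/sdXN (SCSI) naming scheme.
fstab_bad_devices() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 2 && $1 !~ /^\/dev\/[hs]d[a-z][0-9]+$/ { print $1 }'
}

# check_layout FSTAB_TEXT -> prints one line per problem found; returns 0 when
# the fstab satisfies the plan, 1 otherwise.
check_layout() {
    fstab="$1"
    problems=0
    for mp in $REQUIRED_MOUNTS; do
        if [ -z "$(fstab_opts "$fstab" "$mp")" ]; then
            echo "missing separate file system for $mp"
            problems=$((problems + 1))
        fi
    done
    for mp in $NOSUID_MOUNTS; do
        case ",$(fstab_opts "$fstab" "$mp")," in
            *,nosuid,*) ;;
            *) echo "$mp is mounted without nosuid"
               problems=$((problems + 1)) ;;
        esac
    done
    # Red Hat lists the swap partition with the literal mount point "swap".
    if [ -z "$(fstab_opts "$fstab" swap)" ]; then
        echo "no swap entry"
        problems=$((problems + 1))
    fi
    for dev in $(fstab_bad_devices "$fstab"); do
        echo "unexpected device name: $dev"
        problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

check_layout "$SAMPLE_FSTAB" && echo "fstab matches the partition plan"
```
]]></programlisting>
<para>
On a real system, replace the constructed text with <literal>"$(cat /etc/fstab)"</literal>; the script only reads the file and
reports, it changes nothing. Each problem is printed on its own line so the output can be fed to a monitoring job.
</para>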
<note><title>
Minimum size of partitions
</title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</mediaobject>
<para>
For information purposes only, these are the minimum partition sizes in megabytes that a Linux installation must have to function properly. The sizes of the partitions
listed below are really small. This configuration can fit on a very old hard disk of 512MB, of the kind you might find in old 486 computers. We show
you this layout only to give an idea of the minimum requirements.
<screen>
/ 35MB
/boot 5MB
/chroot 10MB
/home 100MB
/tmp 30MB
/usr 232MB
/var 25MB
</screen>
</para>
</note>
</section>
<section><?dbhtml filename="chap3sec14.html"?>
<title>Disk Druid</title>
<para>
Disk Druid is a program that partitions your hard drive for you. Choose <command>Add</command> to add a new partition, <command><guimenu>Edit</guimenu></command> to edit
a partition, <command><guimenu>Delete</guimenu></command> to delete a partition and <command><guimenu>Reset</guimenu></command> to reset the partitions to their original state. When you add a new
partition, a new window appears on your screen and asks you for the following parameters:
<glosslist>
<glossentry>
<glossterm><command>
<guimenuitem>Mount Point:</guimenuitem></command></glossterm>
<glossdef><para>
where you want to mount your new partition in the filesystem.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>
<command><guimenuitem>Size (Megs):</guimenuitem></command></glossterm>
<glossdef><para>
for the size of your new partition in megabytes.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>
<command><guimenuitem>Partition Type:</guimenuitem></command>
</glossterm>
<glossdef><para>
Linux native for Linux filesystem and Swap for Linux Swap Partition.
</para></glossdef>
</glossentry>
</glosslist>
</para>
<note id="ch2scp1">
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject>
</title>
<para>
If you have a <acronym>SCSI</acronym> disk the device name will be <filename class="directory">/dev/sda</filename>
and if you have an <acronym>IDE</acronym> disk it will be <filename class="directory">/dev/hda</filename>. If you're looking
for high performance and stability, a <acronym>SCSI</acronym> disk is highly recommended.
Linux refers to disk partitions using a combination of letters and numbers. It uses a naming scheme that
is more flexible and conveys more information than the approach used by other operating systems.
</para>
<para>
Here is a summary:
<variablelist><title>Disk naming convention</title>
<varlistentry><term>First Two Letters</term>
<listitem><para>
The first two letters of the partition name indicate the type of device on which the
partition resides. You'll normally see either <filename class="directory">hd</filename> (for <acronym>IDE</acronym>
disks), or <filename class="directory">sd</filename> (for <acronym>SCSI</acronym> disks).
</para></listitem>
</varlistentry>
<varlistentry><term>The Next Letter</term>
<listitem>
<para>
This letter indicates which device the partition is on. For example: <filename class="directory">/dev/hda</filename>
(the first <acronym>IDE</acronym> hard disk) and <filename class="directory">/dev/hdb</filename> (the second
<acronym>IDE</acronym> disk).
</para>
</listitem>
</varlistentry>
</variablelist>
Keep this information in mind; it will make things easier to understand when you set up the partitions
Linux requires.
</para>
<para>
Swap partitions are used to support virtual memory. If your computer has 16 MB of <acronym>RAM</acronym> or less, you must create
a swap partition. Even if you have more memory, a swap partition is still recommended. The minimum size of your
swap partition should be equal to your computer's <acronym>RAM</acronym> or 16 MB (whichever is larger). The
largest usable swap partition is roughly 1 GB, <emphasis>since the 2.2 kernel, 1 GB swap files are supported</emphasis>, so making a
swap partition larger than that will result in wasted space. Note, however, that you can create and use more than
one swap partition, <emphasis>although this is usually only necessary for very large server installations</emphasis>.
</para>
<para id="pr1ch25lk1">
Try to put your swap partitions near the beginning of your drive. The beginning of the drive is physically
located on the outer portion of the cylinder, so the read/write head can cover much more ground per revolution.
<mediaobject><imageobject> <imagedata format="GIF" fileref="images/Linux-Partitions.gif"/></imageobject>
<textobject><phrase>Linux Partitions</phrase></textobject>
<caption><para>Representation of Linux partitions</para></caption></mediaobject>
</para>
</note>
</section>
<section><?dbhtml filename="chap3sec15.html"?>
<title>An example</title>
<para>
To create the partitions listed below on your system (these are the partitions we need for our server installation example),
the commands under <application class="software">Disk Druid</application> are:
</para>
<para>
<simplelist type="vert">
<member>
<command><guimenuitem>Add</guimenuitem></command>
</member>
<member>
<command><guimenuitem>Mount Point:</guimenuitem></command> <userinput>/boot</userinput> <emphasis>our /boot directory.</emphasis>
</member>
<member>
<command><guimenuitem>Size (Megs):</guimenuitem></command> <userinput>5</userinput>
</member>
<member>
<command><guimenuitem>Partition Type:</guimenuitem></command> <userinput>Linux Native</userinput>
</member>
<member>
<userinput><guimenuitem>Ok</guimenuitem></userinput>
</member>
</simplelist>
</para>
<para>
<simplelist type="vert">
<member>
<command><guimenuitem>Add</guimenuitem></command>
</member>
<member>
<command><guimenuitem>Mount Point:</guimenuitem></command> <userinput>/usr</userinput> <emphasis>our /usr directory.</emphasis>
</member>
<member>
<command><guimenuitem>Size (Megs):</guimenuitem></command> <userinput>512</userinput>
</member>
<member>
<command><guimenuitem>Partition Type:</guimenuitem></command> <userinput>Linux Native</userinput>
</member>
<member>
<command><guimenuitem>Ok</guimenuitem></command>
</member>
</simplelist>
</para>
<para>
<simplelist type="vert">
<member>
<command><guimenuitem>Add</guimenuitem></command>
</member>
<member>
<command><guimenuitem>Mount Point:</guimenuitem></command> <userinput>/home</userinput> <emphasis>our /home directory.</emphasis>
</member>
<member>
<command><guimenuitem>Size (Megs):</guimenuitem></command> <userinput>1146</userinput>
</member>
<member>
<command><guimenuitem>Partition Type:</guimenuitem></command> <userinput>Linux Native</userinput>
</member>
<member>
<command><guimenuitem>Ok</guimenuitem></command>
</member>
</simplelist>
</para>
<para>
<simplelist type="vert">
<member>
<command><guimenuitem>Add</guimenuitem></command>
</member>
<member>
<command><guimenuitem>Mount Point:</guimenuitem></command> <userinput>/chroot</userinput> <emphasis>our /chroot directory.</emphasis>
</member>
<member>
<command><guimenuitem>Size (Megs):</guimenuitem></command> <userinput>256</userinput>
</member>
<member>
<command><guimenuitem>Partition Type:</guimenuitem></command> <userinput>Linux Native</userinput>
</member>
<member>
<command><guimenuitem>Ok</guimenuitem></command>
</member>
</simplelist>
</para>
<para>
<simplelist type="vert">
<member>
<command><guimenuitem>Add</guimenuitem></command>
</member>
<member>
<command><guimenuitem>Mount Point:</guimenuitem></command> <userinput>/cache</userinput> <emphasis>our /cache directory.</emphasis>
</member>
<member>
<command><guimenuitem>Size (Megs):</guimenuitem></command> <userinput>256</userinput>
</member>
<member>
<command><guimenuitem>Partition Type:</guimenuitem></command> <userinput>Linux Native</userinput>
</member>
<member>
<command><guimenuitem>Ok</guimenuitem></command>
</member>
</simplelist>
</para>
<para>
<simplelist type="vert">
<member>
<command><guimenuitem>Add</guimenuitem></command>
</member>
<member>
<command><guimenuitem>Mount Point:</guimenuitem></command> <userinput>/var</userinput> <emphasis>our /var directory.</emphasis>
</member>
<member>
<command><guimenuitem>Size (Megs):</guimenuitem></command> <userinput>256</userinput>
</member>
<member>
<command><guimenuitem>Partition Type:</guimenuitem></command> <userinput>Linux Native</userinput>
</member>
<member>
<command><guimenuitem>Ok</guimenuitem></command>
</member>
</simplelist>
</para>
<para>
<simplelist type="vert">
<member>
<command><guimenuitem>Add</guimenuitem></command>
</member>
<member>
<command><guimenuitem>Mount Point:</guimenuitem></command> <emphasis>leave the Mount Point blank; this is our swap partition.</emphasis>
</member>
<member>
<command><guimenuitem>Size (Megs):</guimenuitem></command> <userinput>128</userinput>
</member>
<member>
<command><guimenuitem>Partition Type:</guimenuitem></command> <userinput>Linux Swap</userinput>
</member>
<member>
<command><guimenuitem>Ok</guimenuitem></command> </member>
</simplelist>
</para>
<para>
<simplelist type="vert">
<member>
<command><guimenuitem>Add</guimenuitem></command>
</member>
<member>
<command><guimenuitem>Mount Point:</guimenuitem></command> <userinput>/tmp</userinput> <emphasis>our /tmp directory.</emphasis>
</member>
<member>
<command><guimenuitem>Size (Megs):</guimenuitem></command> <userinput>256</userinput>
</member>
<member>
<command><guimenuitem>Partition Type:</guimenuitem></command> <userinput>Linux Native</userinput>
</member>
<member>
<command><guimenuitem>Ok</guimenuitem></command>
</member>
</simplelist>
</para>
<para>
<simplelist type="vert">
<member>
<command><guimenuitem>Add</guimenuitem></command>
</member>
<member>
<command><guimenuitem>Mount Point:</guimenuitem></command> <userinput>/</userinput> <emphasis>our / directory. </emphasis>
</member>
<member>
<command><guimenuitem>Size (Megs):</guimenuitem></command> <userinput>256</userinput>
</member>
<member>
<command><guimenuitem>Partition Type:</guimenuitem></command> <userinput>Linux Native</userinput>
</member>
<member>
<command><guimenuitem>Ok</guimenuitem></command>
</member>
</simplelist>
</para>
<para>
After the partitioning of your hard disk is complete, you should see something like the following information on
your screen. Our mount points will look like this:
</para>
<para>
<table frame="none" pgwide="1"><title>Sample representation of partitions</title>
<tgroup cols="5" align="left" colsep="0" rowsep="0">
<colspec colwidth="1in"/>
<colspec colwidth="1in"/>
<colspec colwidth="1in"/>
<colspec colwidth="1in"/>
<colspec colwidth="1in"/>
<thead>
<row>
<entry>Mount Point</entry>
<entry>Device</entry>
<entry>Requested</entry>
<entry> Actual</entry>
<entry> Type</entry>
</row>
</thead>
<tbody>
<row>
<entry>/boot</entry><entry>sda1</entry><entry>5M</entry><entry>5M</entry><entry> Linux Native</entry>
</row>
<row>
<entry>/usr</entry><entry>sda5</entry><entry>512M</entry><entry>512M</entry><entry>Linux Native</entry>
</row>
<row>
<entry>/home</entry><entry>sda6</entry><entry>1146M</entry><entry>1146M</entry><entry>Linux Native</entry>
</row>
<row>
<entry>/chroot</entry><entry>sda7</entry><entry>256M</entry><entry>256M</entry><entry>Linux Native</entry>
</row>
<row>
<entry>/cache</entry><entry>sda8</entry><entry>256M</entry><entry>256M</entry><entry>Linux Native</entry>
</row>
<row>
<entry>/var</entry><entry>sda9</entry><entry>256M</entry><entry>256M</entry><entry>Linux Native</entry>
</row>
<row>
<entry>&lt;Swap&gt;</entry><entry>sda10</entry><entry>128M</entry><entry>128M</entry><entry>Linux Swap</entry>
</row>
<row>
<entry>/tmp</entry><entry>sda11</entry><entry>256M</entry><entry>256M</entry><entry>Linux Native</entry>
</row>
<row>
<entry>/</entry><entry>sda12</entry><entry>256M</entry><entry>256M</entry><entry>Linux Native</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
<para>
<informaltable frame="all">
<tgroup cols="6" align="left" colsep="0" rowsep="0">
<thead>
<row>
<entry>
Drive</entry>
<entry>Geom [C/H/S]</entry>
<entry>Total (M)</entry>
<entry>Free (M)</entry>
<entry>Used (M)</entry>
<entry>Used (%)</entry>
</row>
</thead>
<tbody>
<row>
<entry>sda</entry><entry>[3079/64/32]</entry><entry>3079M</entry><entry>1M</entry><entry>3078M</entry><entry>99%</entry>
</row>
</tbody>
</tgroup>
</informaltable>
</para>
<note>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject>
</title>
<para> We are using a <acronym>SCSI</acronym> hard disk hence the first two letters of the
device are <filename>sd</filename>.
</para>
</note>
</section>
<section id="pr1ch2sc7"><?dbhtml filename="chap3sec16.html"?>
<title>Post-Partitioning</title>
<para>
Now that you have partitioned the disk and chosen the mount points for your directories, select <command>Next</command> to continue. After
your partitions are created, the installation program asks you to choose the partitions to format. Choose the partitions you want
to initialize, check the (Check for bad blocks during format) box, and press <command>Next</command>. This formats the partitions
and makes them active so Linux can use them.
</para>
<para>
On the next screen you will see the LILO Configuration, where you can choose to install the LILO boot record on:
<simplelist type="vert">
<member>
<command><guimenuitem>Master Boot Record (MBR)</guimenuitem></command>
</member>
</simplelist>
Or
<simplelist type="vert">
<member>
<command><guimenuitem>First Sector of Boot Partition</guimenuitem></command>
</member>
</simplelist>
</para>
<para>
Usually, if Linux is the only OS on your machine, you should choose the <command><guimenuitem>Master Boot Record (MBR)</guimenuitem></command> option. After that,
you need to configure your network and clock. After you finish configuring the clock, you need to give your system a root password and
configure authentication.
For Authentication Configuration don't forget to select:
<simplelist type="vert">
<member>
<command><guimenuitem>Enable MD5 passwords</guimenuitem></command>
</member>
<member>
<command><guimenuitem>Enable Shadow passwords</guimenuitem></command>
</member>
</simplelist>
<command><guimenuitem>Enable NIS</guimenuitem></command> does not need to be selected since we are not configuring <acronym>NIS</acronym> services on this server.
</para>
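<para>
As an added example that is not part of the book, the following POSIX shell script shows what the two authentication options above change on disk
and how to verify them after installation. With shadow passwords enabled, the hashes live in <filename>/etc/shadow</filename> rather than in the
world-readable <filename>/etc/passwd</filename>, whose second field becomes <literal>x</literal>; with MD5 passwords enabled, new hashes start with
<literal>$1$</literal> instead of the 13-character traditional DES crypt form, which only uses the first 8 characters of the password. The
<filename>/etc/shadow</filename> excerpt is constructed, the hash strings are made up, and the user names are assumptions.
</para>
<programlisting><![CDATA[
```shell
#!/bin/sh
# Added example, not from the book: classify password hashes from /etc/shadow
# to confirm that "Enable MD5 passwords" and "Enable Shadow passwords" took
# effect. All lines below are constructed; the hash strings are made up and
# only their shape matters.

# Field 2 of a shadow entry is the hash:
#   "$1$salt$hash"      MD5 crypt (what "Enable MD5 passwords" produces)
#   13 characters       traditional DES crypt, only 8 password characters count
#   "*", "!", "!!..."   no usable password, the account is locked
#   empty               no password at all: anyone can log in as this user
SAMPLE_SHADOW='root:$1$abcdefgh$ijklmnopqrstuvwxyz012345:11000:0:99999:7:::
gmourani:AbCdEfGhIjKlM:11000:0:99999:7:::
bin:*:11000:0:99999:7:::
nobody:!!:11000:0:99999:7:::
guest::11000:0:99999:7:::'

# hash_type HASH -> prints md5, des, locked, empty or unknown
hash_type() {
    h="$1"
    case "$h" in
        '')       echo empty ;;
        '*'|'!'*) echo locked ;;
        '$1$'*)   echo md5 ;;
        *)        if [ "${#h}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# shadow_report SHADOW_TEXT -> one "user type" line per entry
shadow_report() {
    printf '%s\n' "$1" | while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(hash_type "$hash")"
    done
}

# weak_accounts SHADOW_TEXT -> users whose hash is DES or empty, i.e. the ones
# an administrator should force to change their password (passwd -e / chage).
weak_accounts() {
    shadow_report "$1" | awk '$2 == "des" || $2 == "empty" { print $1 }'
}

# passwd_shadowed PASSWD_TEXT -> returns 0 if every /etc/passwd entry carries
# "x" in its password field (hashes really are in /etc/shadow), 1 otherwise.
passwd_shadowed() {
    printf '%s\n' "$1" | awk -F: 'NF >= 2 && $2 != "x" { bad = 1 } END { exit bad }'
}

shadow_report "$SAMPLE_SHADOW"
echo "accounts needing a password change: $(weak_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
```
]]></programlisting>
<para>
On a real server, run it as root with <literal>"$(cat /etc/shadow)"</literal> and <literal>"$(cat /etc/passwd)"</literal> as the arguments.
Hashes that still show up as <literal>des</literal> were created before MD5 passwords were enabled and are only upgraded when the user next changes their password.
</para>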
</section>
<section><?dbhtml filename="chap3sec17.html"?>
<title>
Components to Install- Package Group Selection
</title>
<para>
After your partitions have been configured and selected for formatting, you are ready to select packages for installation. By
default, Linux is a powerful operating system that executes many useful services. However, many of these services are unneeded
and pose potential security risks.
</para>
<para>
Ideally, each network service should be on a dedicated, single-purpose host. Many Linux operating systems are configured by default
to provide a wider set of services and applications than are required to provide a particular network service, so you may need to configure
the server to eliminate unneeded services. Offering only essential services on a particular host can enhance your network security in
several ways:
<itemizedlist mark="bullet">
<listitem>
<para>
Other services cannot be used to attack the host and impair or remove desired network services.
</para>
</listitem>
<listitem>
<para>
Different individuals may administer different services. By isolating services so each host and service has a single administrator you will
minimize the possibility of conflicts between administrators.
</para>
</listitem>
<listitem>
<para>
The host can be configured to better suit the requirements of the particular service. Different services might require different hardware and
software configurations, which on a shared host could lead to needless vulnerabilities or service restrictions.
</para>
</listitem>
</itemizedlist>
By reducing services, the number of logs and log entries is reduced so detecting unexpected behavior becomes easier.
</para>
<para>
A proper installation of your Linux server is the first step to a stable, secure system. You first have to choose which system components you
want to install. Choose the components, and then you can go through and select or deselect each individual package of each component by
selecting the <userinput>Select individual packages</userinput> option on your Red Hat setup screen.
Since we are configuring a Linux server, we don't need to install the graphical interface <literal>XFree86</literal> on our system: <emphasis>a graphical interface on a server
means more processes, less <acronym>CPU</acronym> and memory available, more security risks, and so on</emphasis>. Graphical interfaces are usually used on workstations only.
</para>
<para>
Select the following packages for installation:
<simplelist type="vert">
<member>
<userinput>Networked Workstation</userinput>
</member>
<member>
<userinput>Network Management Workstation</userinput>
</member>
<member>
<userinput>Utilities</userinput>
</member>
</simplelist>
</para>
<para>
After selecting the components you wish to install, you may select or deselect packages.
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Select the <command>Select individual packages</command> option before continuing, so that you have the option to select
and deselect packages.
</para>
</important>
</para>
</section>
<section><?dbhtml filename="chap3sec18.html"?>
<title>Select Individual Package - Part &apos;A&apos;</title>
<para>The installation program presents a list of the package groups available. Select a group to examine it.
The components listed below must be deselected from the menu group for the security, optimization and other reasons
described below:
</para>
<formalpara>
<title>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>All versions</phrase></textobject>
</inlinemediaobject> Applications/File:</title>
<para>
<glosslist>
<glossentry><glossterm>git</glossterm>
<glossdef><para>
The GIT package provides an extensible file system browser, an ASCII/hexadecimal file viewer, a process viewer/killer
and other related utilities and shell scripts. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
</formalpara>
<formalpara><title>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>All versions</phrase></textobject>
</inlinemediaobject> Applications/Internet:</title>
<para>
<glosslist>
<glossentry><glossterm>finger</glossterm>
<glossdef><para>
The finger package is a client utility, which allows users to see information about system users. <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>ftp</glossterm>
<glossdef><para>
The ftp package provides the standard UNIX command-line FTP client. <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>fwhois</glossterm>
<glossdef><para>
The fwhois client program allows for querying whois databases. <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>ncftp</glossterm>
<glossdef><para>
The Ncftp package is an improved FTP client. <emphasis>Security risks, Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>rsh</glossterm>
<glossdef><para>
The rsh package provides client programs which allow users to run commands on remote machines, log in
to other machines and copy files between machines (rsh, rlogin and rcp). <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>rsync</glossterm>
<glossdef><para>
rsync is a very powerful mirroring program, which brings remote and local files into sync very quickly. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>talk</glossterm>
<glossdef><para>
The ntalk package provides client and daemon programs for the Internet talk protocol, which allows you
to chat with other users on different UNIX systems. <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>telnet</glossterm>
<glossdef><para>
Telnet is a popular protocol for logging into remote systems over the network, but it is insecure (it transfers passwords
in plain text). <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
</formalpara>
<formalpara><title>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>All versions</phrase></textobject>
</inlinemediaobject> Applications/Publishing:</title>
<para>
<glosslist>
<glossentry><glossterm>ghostscript</glossterm>
<glossdef><para>The GhostScript package is a set of software that provides a PostScript interpreter, and an interpreter
for Portable Document Format (<acronym>PDF</acronym>) files. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>ghostscript-fonts</glossterm>
<glossdef><para>The GhostScript interpreter can use the Ghostscript-fonts package during text rendering. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> <application> groff-perl</application>
</glossterm>
<glossdef><para>The groff-perl package is a set of commands and print filters used in printing environments. <emphasis>Unnecessary,
no printer installed on the server.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> <application> mpage</application>
</glossterm>
<glossdef><para>
The mpage package utility takes plain text files or PostScript documents as input, reduces the size of the text, and prints the
files on a PostScript printer with several pages on each sheet of paper. <emphasis>Unnecessary, no printer installed on the server</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> <application> pnm2ppa</application>
</glossterm>
<glossdef><para>
The pnm2ppa package is a color driver for printing to HP PPA printers. <emphasis>Unnecessary, no printer installed on the server.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>rhs-printfilters</glossterm>
<glossdef><para>
The rhs-printfilters package contains a set of print filters, which is primarily meant to be used with the Red Hat printtool.
<emphasis>Unnecessary, no printer installed on the server</emphasis>
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
</formalpara>
<formalpara><title><inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version all</phrase></textobject>
</inlinemediaobject> Applications/System:</title>
<para>
<glosslist>
<glossentry><glossterm>arpwatch</glossterm>
<glossdef><para>
The arpwatch package contains utilities to monitor Ethernet or FDDI network traffic and build databases of Ethernet/IP address
pairs. <emphasis>Unnecessary</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>bind-utils</glossterm>
<glossdef><para>
The bind-utils package contains a collection of utilities to find out information about Internet hosts. We will compile it later in
this book.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</inlinemediaobject> <application> knfsd-clients</application>
</glossterm>
<glossdef><para>
The knfsd-clients package contains the showmount program that queries the mount daemon on a remote host for information about the NFS
server on the remote host. <emphasis>Security risks, and NFS services are not installed on this server.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</inlinemediaobject> <application> procinfo</application>
</glossterm>
<glossdef><para>
The procinfo package acquires information about your system from the kernel as it is running. <emphasis>Unnecessary, other methods exist.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>rdate</glossterm>
<glossdef><para>
The rdate package utility can retrieve the date and time from another machine on your network. <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>rdist</glossterm>
<glossdef><para>
The rdist package is a program that maintains identical copies of files on multiple hosts. <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>screen</glossterm>
<glossdef><para>
This screen package is a useful utility for users who telnet into a machine or are connected via a dumb terminal, but want to use more than just one
login. <emphasis>Unnecessary</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><application class="software">ucd-snmp-utils</application></glossterm>
<glossdef><para>
The <application class="software"> ucd-snmp-utils</application> package contains various utilities for use with the ucd-snmp network management project. <emphasis>Unnecessary, Security risks</emphasis>
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
</formalpara>
<formalpara><title><inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject> Documentation:</title>
<para>
<glosslist>
<glossentry><glossterm><application class="software">indexhtml</application></glossterm>
<glossdef><para>
The indexhtml package contains the <acronym>HTML</acronym> page and graphics for a welcome page shown
by your Web browser under the X Window System. <emphasis>Unnecessary, we don't use a graphical interface.</emphasis>
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
</formalpara>
</section>
<section><?dbhtml filename="chap3sec19.html"?>
<title>Select Individual Package - Part &apos;B&apos;</title>
<formalpara>
<title><inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject> System Environment/Base:</title>
<para>
<glosslist>
<glossentry><glossterm><application class="software">chkfontpath</application></glossterm>
<glossdef><para>
The chkfontpath package is a simple program for adding, removing and listing the directories contained in the X font server's
path. <emphasis>Unnecessary, we don't use graphical interface</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><application class="software">yp-tools</application></glossterm>
<glossdef><para>
The Network Information Service (<acronym>NIS</acronym>) is a system which centralizes and provides network information (login names, passwords,
home directories, and group information) to all of the machines on a network. <emphasis>Security risks, we don't use it on our server.</emphasis>
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
</formalpara>
<formalpara>
<title>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject> System Environment/Daemons:
</title>
<para>
<glosslist>
<glossentry><glossterm><application class="software">XFree86-xfs</application></glossterm>
<glossdef><para>
The XFree86-xfs package is a font server for XFree86 that can also serve fonts to other X servers remotely. <emphasis>Unnecessary, we don't use graphical interface</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject><application class="software"> finger-server</application>
</glossterm>
<glossdef><para>
The finger-server package contains the finger daemon, which is started from the <filename>/etc/inetd.conf</filename> file and allows users to see information about system
users on the server. <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm> <application class="software"> lpr</application></glossterm>
<glossdef><para>
The lpr package provides the basic system utility for managing printing services. <emphasis>Unnecessary and no printer installed on the server</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject>
<application class="software"> nfs-utils</application>
</glossterm>
<glossdef><para>
The nfs-utils package provides the tools and daemon for the kernel <acronym>NFS</acronym> server. This package must be installed if you want to provide <acronym>NFS</acronym>
services on your server. <emphasis>Security risks, and <acronym>NFS</acronym> services are not installed on this server. </emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><application class="software">pidentd</application></glossterm>
<glossdef><para>
The pidentd package contains the identd, which looks up specific <acronym>TCP/IP</acronym> connections and returns either the user name or other information about the process that owns the
connection. <emphasis>Unnecessary, very few things on the net require the sender to be running identd, because many machines don't have it and because many people turn it off.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><application class="software">portmap</application></glossterm>
<glossdef><para>
The portmapper package manages RPC connections, which are used by protocols like <acronym>NFS</acronym> and <acronym>NIS</acronym>. <emphasis>Unnecessary, Security risks, and <acronym>NIS</acronym>/<acronym>NFS</acronym> services are
not installed on this server.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> <application class="software"> rsh-server
</application></glossterm>
<glossdef><para>
The rsh-server package provides the servers needed for (rsh, rlogin, rcp) which allow users to run remote access commands on remote machines. <emphasis>Security risks</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><application class="software">routed
</application></glossterm>
<glossdef><para>
The routed package routing daemon maintains current routing tables by handling incoming <acronym>RIP</acronym> traffic and broadcasting outgoing <acronym>RIP</acronym> traffic about network routes.
<emphasis>Unnecessary, Security risks, and limited.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> <application class="software"> rusers-server
</application></glossterm>
<glossdef><para>
The rusers-server package provides the daemon that allows users to find out who is logged into various machines on the local network. <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> <application class="software"> rwall-server
</application></glossterm>
<glossdef><para>
The rwall-server package contains the daemon which receives messages from users on remote hosts. <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><application class="software">rwho
</application></glossterm>
<glossdef><para>
The rwho package shows who is logged in for all machines on the local network running the rwho daemon. <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> <application class="software"> talk-server </application>
</glossterm>
<glossdef><para>
The talk-server package provides the daemon program, which allows you to chat via terminal with other users on remote
<productname>UNIX systems.</productname> <emphasis>Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> <application class="software"> telnet-server</application>
</glossterm>
<glossdef><para>
The telnet-server package provides the daemon which accepts remote logins to your server using the telnet protocol. <emphasis>Security risks, replace it with SSH.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</inlinemediaobject> <application class="software"> tftp</application>
</glossterm>
<glossdef><para>
The tftp package, or Trivial File Transfer Protocol (<acronym>TFTP</acronym>), allows users to transfer files to and from a remote machine. It is normally used
only for booting diskless workstations. <emphasis>Security risks, Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> <application class="software"> tftp-server</application>
</glossterm>
<glossdef><para>
The tftp-server package provides the <acronym>TFTP</acronym> server, which allows users to transfer files to and from a remote machine. <emphasis>Security risks, Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><application class="software">ucd-snmp</application></glossterm>
<glossdef><para>
The ucd-snmp package implements <acronym>SNMP</acronym> (Simple Network Management Protocol), a protocol used for network management. <emphasis>Unnecessary, Security risks.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject> <application class="software"> ypbind</application>
</glossterm>
<glossdef><para>
The ypbind package is a daemon which binds an <acronym>NIS</acronym> (Network Information Service) client to an <acronym>NIS</acronym> server. <emphasis>Security risks, we don't use it on our server.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> <application class="software"> ypserv</application>
</glossterm>
<glossdef><para>
The ypserv package is the <acronym>NIS</acronym> (Network Information Service) server, which provides network information to all of the machines on a network. <emphasis>Security risks, we don't use it on our server.</emphasis>
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
</formalpara>
<formalpara>
<title><inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject> System Environment/Libraries:</title>
<para>
<glosslist>
<glossentry><glossterm><application class="software">XFree86-libs</application></glossterm>
<glossdef><para>
The XFree86-libs package contains the shared libraries that most X programs need to run properly. <emphasis>Unnecessary, we don't use a graphical interface.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><application class="software">libpng</application></glossterm>
<glossdef><para>
The libpng package contains a library of functions for creating and manipulating PNG image format files. PNG is a bit-mapped graphics format similar to the GIF
format. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
</formalpara>
<formalpara>
<title>User Interface/X:</title>
<para>
<glosslist>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</inlinemediaobject> <application class="software"> XFree86-75dpi-fonts</application>
</glossterm>
<glossdef><para>
The XFree86-75dpi-fonts package contains the 75 dpi fonts (the standard fonts) used on most X Window Systems. <emphasis>Unnecessary, we don't use graphical interface.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> <application class="software"> urw-fonts </application>
</glossterm>
<glossdef><para>
The urw-fonts package contains free versions of the 35 standard Type 1 PostScript fonts. <emphasis>Unnecessary, we don't use a graphical interface.</emphasis>
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
</formalpara>
</section>
<section><?dbhtml filename="chap3sec20.html"?>
<title>How to use RPM Commands</title>
<para>
This section contains an overview of the principal ways of using <acronym>RPM</acronym> for installing, uninstalling, upgrading, querying, listing, and checking <acronym>RPM</acronym> packages on your Linux
system. You must be familiar with these <acronym>RPM</acronym> commands now because we'll use them often throughout the rest of this book.
To install an RPM package, use the command:
<screen>
[root@deep] /#<command>rpm</command> -ivh foo-1.0-2.i386.rpm
</screen>
Note that <acronym>RPM</acronym> package files have names like <filename>foo-1.0-2.i386.rpm</filename>, which include the package name (foo), version (1.0), release (2), and architecture (i386).
</para>
<para>
To uninstall an RPM package, use the command:
<screen>
[root@deep] /#<command>rpm</command> -e foo
</screen>
Notice that we used the package name <filename>foo</filename>, not the name of the original package file <filename>foo-1.0-2.i386.rpm</filename>.
</para>
<para>
To upgrade an RPM package, use the command:
<screen>
[root@deep] /#<command>rpm</command> -Uvh foo-1.0-2.i386.rpm
</screen>
With this command, <acronym>RPM</acronym> automatically uninstalls the old version of the <filename>foo</filename> package and installs the new one. Always
use <userinput>rpm -Uvh</userinput> to install packages, since it works fine even when there are no previous versions of the package installed.
</para>
<para>
To query an RPM package, use the command:
<screen>
[root@deep] /#<command>rpm</command> -q foo
</screen>
This command will print the package name, version, and release number of the installed package <filename>foo</filename>. Use this command to verify that a package is or is not installed on your system.
</para>
<para>
To display package information, use the command:
<screen>
[root@deep] /#<command>rpm</command> -qi foo
</screen>
This command displays package information, including the name, version, and description of the installed program. Use it to get information about an installed package.
</para>
<para>
To list the files in a package, use the command:
<screen>
[root@deep] /#<command>rpm</command> -ql foo
</screen>
This command will list all the files in an installed <acronym>RPM</acronym> package. It works only when the package is already installed on your system.
</para>
<para>
To check the signature of an RPM package, use the command:
<screen>
[root@deep] /#<command>rpm</command> --checksig foo-1.0-2.i386.rpm
</screen>
This command checks the <acronym>PGP</acronym> signature of the specified package file to ensure its integrity and origin. Always use this command before installing a new
<acronym>RPM</acronym> package on your system. Also, the <application class="software">GnuPG</application> or <application class="software">PGP</application> software must already be installed on your system before you can use this command.
</para>
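<para>
The following shell helpers are an added example, not code from the book or from the rpm tool itself. They split an RPM file name into the four fields just described, recover the package name from the name-version-release lines that <command>rpm</command> -qa prints, and report which of the packages the two Select Individual Package sections told you to deselect are nevertheless present on the system. The list of installed packages used below is a constructed sample so that the script runs offline; the deselect list is drawn from those two sections and the function and variable names are this example's own.
</para>
```shell
#!/bin/sh
# Added example, not code from the book or from the rpm tool.
# Helpers around the RPM naming scheme name-version-release.arch.rpm.

rpm_parse() {
  # Split an RPM file name into its four fields.
  # rpm_parse foo-1.0-2.i386.rpm  prints  "foo 1.0 2 i386"
  f=${1##*/}                  # drop any directory part
  case $f in
    *.rpm) f=${f%.rpm} ;;
    *)     return 1 ;;        # not an .rpm file name
  esac
  arch=${f##*.}               # field after the last dot
  f=${f%.*}
  release=${f##*-}            # field after the last hyphen
  f=${f%-*}
  version=${f##*-}            # next field from the right
  name=${f%-*}                # the rest; may itself contain hyphens
  printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

pkg_name() {
  # Recover the package name from a "name-version-release" line as
  # printed by "rpm -qa"; pkg_name rsh-server-0.16-6 prints "rsh-server".
  # Version and release never contain hyphens, so strip two fields
  # from the right instead of splitting on the first hyphen.
  n=${1%-*}
  n=${n%-*}
  printf '%s\n' "$n"
}

# Packages the two "Select Individual Package" sections tell you to
# deselect (client and server side); extend the list as needed.
DESELECTED="finger ftp fwhois ncftp rsh rsync talk telnet arpwatch rdate
rdist screen ucd-snmp-utils yp-tools finger-server lpr nfs-utils pidentd
portmap routed rsh-server rusers rusers-server rwall-server rwho talk-server
telnet-server tftp tftp-server ucd-snmp ypbind ypserv XFree86-libs
XFree86-xfs"

audit_packages() {
  # stdin: installed packages, one per line, in "rpm -qa" format
  # args:  package names that must not be installed
  # stdout: the offending installed packages, in input order
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    n=$(pkg_name "$line")
    for bad in "$@"; do
      if [ "$n" = "$bad" ]; then
        printf '%s\n' "$line"
        break
      fi
    done
  done
}

# Constructed sample of "rpm -qa" output so the script runs offline.
SAMPLE_QA='bash-1.14.7-23
telnet-0.16-6
rsh-server-0.16-6
openssh-server-2.1.1p4-1
XFree86-libs-3.3.6-20
portmap-4.0-19'

audit_sample() {
  # Word-splitting of $DESELECTED into separate arguments is intended.
  printf '%s\n' "$SAMPLE_QA" | audit_packages $DESELECTED
}

if [ "${1:-}" = live ]; then
  rpm -qa | audit_packages $DESELECTED     # check the real system
else
  audit_sample
fi
```
<para>
Run with the argument <userinput>live</userinput> the script pipes the real <command>rpm</command> -qa output through the same check; with no argument it reports on the constructed sample. The name is taken by stripping the last two hyphen-separated fields rather than the first, because package names themselves may contain hyphens (rsh-server, XFree86-libs) while version and release never do.
</para>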
</section>
<section><?dbhtml filename="chap3sec21.html"?>
<title>Starting and stopping daemon services</title>
<para>The init program of Linux, also known as process control initialization, is in charge of starting all the normal and authorized processes that need to run at boot time on your system. These may include the APACHE daemons, NETWORK daemons,
and anything else that must be running when your machine boots. Each of these processes has a script under the <filename class="directory">/etc/rc.d/init.d/</filename> directory written to accept an argument, which can be <command>start</command>,
<command>stop</command> or <command>restart</command>. You can in fact execute those scripts by hand with a command such as:
</para>
<example>
<title>Starting and Stopping various Daemon's</title>
<para>
To start the httpd Web Server manually under Linux:
<screen>
[root@deep] /# /etc/rc.d/init.d/httpd <command>start</command>
</screen>
<literallayout><computeroutput>
Starting httpd: [OK]
</computeroutput></literallayout>
</para>
<para>
To stop the httpd Web Server manually under Linux:
<screen>
[root@deep] /# /etc/rc.d/init.d/httpd <command>stop</command>
</screen>
<literallayout><computeroutput>
Shutting down http: [OK]
</computeroutput></literallayout>
</para>
<para>
To restart the httpd Web Server manually under Linux:
<screen>
[root@deep] /# /etc/rc.d/init.d/httpd <command>restart</command>
</screen>
<literallayout><computeroutput>
Shutting down http: [OK]
Starting httpd: [OK]
</computeroutput></literallayout>
</para>
<para>
Check inside your <filename class="directory">/etc/rc.d/init.d/</filename> directory for the services available and use the <command>start | stop | restart</command> arguments
to control them.
</para>
</example>
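<para>
As an added example (not one of Red Hat's own init scripts), the following control script shows the start, stop, restart and status logic that an <filename class="directory">/etc/rc.d/init.d/</filename> script implements: it records the daemon's PID in a pidfile, refuses to start a second copy, treats a pidfile whose process is gone as stale, and waits for the process to exit on stop before reporting success. The managed program is a placeholder (<command>sleep</command>) standing in for a real daemon such as httpd; the daemon name, the pidfile path and the function names are this example's assumptions.
</para>
```shell
#!/bin/sh
# Added example, not one of Red Hat's init scripts: a minimal
# /etc/rc.d/init.d-style control script. The managed program is a
# placeholder ("sleep 300") standing in for a real daemon such as httpd;
# DAEMON_NAME and PIDFILE are assumptions and can be overridden.

DAEMON_NAME=${DAEMON_NAME:-demo}
PIDFILE=${PIDFILE:-/tmp/$DAEMON_NAME.pid}

svc_running() {
  # True only if the pidfile exists and the recorded PID is alive.
  # A pidfile whose process is gone (crash, reboot) is treated as stale.
  [ -f "$PIDFILE" ] || return 1
  pid=$(cat "$PIDFILE" 2>/dev/null)
  [ -n "$pid" ] || return 1
  kill -0 "$pid" 2>/dev/null
}

svc_start() {
  if svc_running; then
    echo "$DAEMON_NAME already running (pid $(cat "$PIDFILE"))"
    return 0                  # never start a second copy
  fi
  rm -f "$PIDFILE"            # clear a stale pidfile left by a crash
  sleep 300 &                 # a real script execs the daemon here
  echo $! > "$PIDFILE"
  echo "Starting $DAEMON_NAME: [OK]"
}

svc_stop() {
  if ! svc_running; then
    echo "$DAEMON_NAME is not running"
    rm -f "$PIDFILE"
    return 0
  fi
  pid=$(cat "$PIDFILE")
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true        # reap it if it is our own child
  i=0
  while kill -0 "$pid" 2>/dev/null; do   # otherwise poll until it exits
    i=$((i + 1))
    if [ "$i" -ge 10 ]; then
      echo "Shutting down $DAEMON_NAME: [FAILED]"
      return 1
    fi
    sleep 1
  done
  rm -f "$PIDFILE"
  echo "Shutting down $DAEMON_NAME: [OK]"
}

svc_restart() {
  svc_stop
  svc_start
}

svc_status() {
  if svc_running; then
    echo "$DAEMON_NAME (pid $(cat "$PIDFILE")) is running"
    return 0
  fi
  echo "$DAEMON_NAME is stopped"
  return 3                    # LSB convention: 3 = not running
}

case "${1:-}" in
  start)   svc_start ;;
  stop)    svc_stop ;;
  restart) svc_restart ;;
  status)  svc_status ;;
  "")      ;;                 # no argument: just define the functions
  *)       echo "Usage: $0 {start|stop|restart|status}"; exit 1 ;;
esac
```
<para>
Copied to <filename class="directory">/etc/rc.d/init.d/</filename> and invoked as <userinput>script start</userinput>, <userinput>script stop</userinput> or <userinput>script restart</userinput>, it behaves like the httpd script shown above. The liveness test uses <command>kill</command> -0, which only asks whether the process exists; a pidfile pointing at a process owned by another user is reported as not running, which is the safe failure for a control script run as root.
</para>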
</section>
</chapter>
<chapter label="4" id="pr2ch4Pi"><?dbhtml filename="linpostinstall.html"?>
<title>Post-Install</title>
<highlights>
<para>This entire chapter deals with the steps to be taken after the installation of your server: for example, uninstalling certain programs
that are going to be compiled on your server from source tarballs, installing certain programs required to compile these source tarballs, and so on.
</para>
</highlights>
<section id="ch3sc3.1-1"><?dbhtml filename="chap4sec22.html"?>
<title>Software that must be uninstalled</title>
<para>
Red Hat Linux installs other pre-compiled binaries of programs on your system by default and doesn't give you the choice to uninstall them during the install setup. For this
reason, you must uninstall the following software on your system after the installation of your server. We must uninstall them for better security and to free space on our server.
</para>
<para>
For more information and explanation of their capabilities and uses, please see your Red Hat manual, or install the package and run an <command>rpm</command> -qi <filename>foo</filename>
command to query and get a detailed description of the program, and then uninstall it again.
Below is the list of programs and a short description of their uses.
</para>
<para>
<glosslist>
<glossentry><glossterm>
<inlinemediaobject>
<imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">pump</application>
</glossterm>
<glossdef><para>
The Pump DHCP package allows individual diskless clients on a network to get their own IP network configuration information from network servers. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">mt-st</application>
</glossterm>
<glossdef><para>
The <literal>mt</literal> (for magnetic tape drives) and <literal>st</literal> (for <acronym>SCSI</acronym> tape devices) tape drive management programs can control rewinding, ejecting, skipping files, blocks and more.
<emphasis>Necessary only if you have a tape backup on this server.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">eject</application>
</glossterm>
<glossdef><para>
The eject package contains an eject program that allows the user to eject removable media, typically <hardware>CD-ROMs, floppy disks, Iomega Jaz or Zip</hardware> disks, using software control.
<emphasis>Necessary only if you have a tape backup on this server.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">Metamail</application>
</glossterm>
<glossdef><para>
Metamail is a program that uses the mailcap file to determine how it should display non-text or multimedia material. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">apmd</application>
</glossterm>
<glossdef><para>
The <acronym>apmd</acronym> package, or Advanced Power Management daemon utilities, can watch your notebook's battery and warn all users when the battery is low. <emphasis>Unnecessary for a server.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">kernel-pcmcia-cs</application>
</glossterm>
<glossdef><para>
The kernel-pcmcia-cs package is for laptop machines and some non-laptops that support <acronym>PCMCIA</acronym> cards for expansion. <emphasis>Unnecessary for a server.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">linuxconf</application>
</glossterm>
<glossdef><para>
The linuxconf package is a system configuration tool. <emphasis>Unnecessary, buggy program.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/></imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software"> getty_ps</application>
</glossterm>
<glossdef><para>
The getty_ps package contains programs that are used to accept logins on the console or a terminal on your system. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</inlinemediaobject>
<application class="software">setconsole</application>
</glossterm>
<glossdef><para>
The setconsole package is a basic system utility for setting up the <filename>/etc/inittab, /dev/systty</filename> and <filename>/dev/console</filename> files to
handle a new console. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">isapnptools</application>
</glossterm>
<glossdef><para>
The isapnptools package contains utilities for configuring <acronym>ISA</acronym> Plug-and-Play (<acronym>PnP</acronym>) cards/boards. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">setserial</application>
</glossterm>
<glossdef><para>
The setserial package is a basic system utility for displaying or setting serial port information. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">kudzu</application>
</glossterm>
<glossdef><para>
The kudzu package is a hardware-probing tool run at system boot time to determine what hardware has been added or removed from the system. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">raidtools</application>
</glossterm>
<glossdef><para>
The raidtools package includes the tools you need to set up and maintain a software <acronym>RAID</acronym> device on a Linux system. <emphasis>Depends on whether you use RAID or not.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">gnupg</application>
</glossterm>
<glossdef><para>
The GnuPG package is a tool for secure communication and data storage. It is a replacement for the <acronym>PGP</acronym> software. It can also be used to encrypt data and to create digital
signatures. <emphasis>We will compile it later in this book.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">redhat-logos</application>
</glossterm>
<glossdef><para>
The redhat-logos package contains files of the Red Hat "Shadow Man" logo and the <acronym>RPM</acronym> logo. <emphasis>Unnecessary on a server.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">redhat-release</application>
</glossterm>
<glossdef><para>
The redhat-release package contains the Red Hat Linux release file. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">gd</application>
</glossterm>
<glossdef><para>
The gd package allows your code to quickly draw images and write out the result as a <filename>.gif</filename> file. <emphasis>Unnecessary.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">pciutils</application>
</glossterm>
<glossdef><para>
The pciutils package contains various utilities for inspecting and setting devices connected to the <acronym>PCI</acronym> bus. <emphasis>We use other methods.</emphasis>
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
<application class="software">rmt</application>
</glossterm>
<glossdef><para>
The rmt utility provides remote network access for making backups. <emphasis>A security risk, since rmt depends on rsh to work.</emphasis>
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
</section>
<section><?dbhtml filename="chap4sec23.html"?>
<title>Use the <acronym>RPM</acronym> command to uninstall</title>
<para>
The command to uninstall software is:
<screen>
[root@deep] /#<command>rpm</command> -e &lt;softwarename(s)&gt;
</screen>
Where &lt;softwarename&gt; is the name of the software you want to uninstall, e.g. foo.
</para>
<para>
Since programs like apmd, kudzu, and sendmail are daemons that run as processes, it is better to stop those processes before uninstalling them from the
system. To stop those processes, use the following commands:
<screen>
[root@deep] /# /etc/rc.d/init.d/apmd <command>stop</command>
[root@deep] /# /etc/rc.d/init.d/sendmail <command>stop</command>
[root@deep] /# /etc/rc.d/init.d/kudzu <command>stop</command>
</screen>
</para>
<procedure>
<step>
<para>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</inlinemediaobject>
Now you can uninstall them safely, and all other packages, as shown below:
Remove the specified packages for Red Hat Linux version 6.1 (Cartman).
<screen>
[root@deep] /# <command>rpm</command> -e --nodeps pump mt-st eject mailcap apmd kernel-pcmcia-cs linuxconf getty_ps
setconsole isapnptools setserial kudzu raidtools gnupg redhat-logos redhat-release gd pciutils rmt</screen>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject><textobject><phrase>Version 6.2 only</phrase></textobject>
</inlinemediaobject> Remove the specified packages for Red Hat Linux version 6.2 (Zoot).
<screen>
[root@deep] /# <command>rpm</command> -e --nodeps pump mt-st eject mailcap apmd kernel-pcmcia-cs linuxconf getty_ps
isapnptools setserial kudzu raidtools gnupg redhat-logos redhat-release gd pciutils rmt</screen>
</para>
</step>
<step>
<para>
<inlinemediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/></imageobject>
<textobject><phrase>Version All</phrase></textobject>
</inlinemediaobject>
Remove the linuxconf-installed configuration file manually.
<screen>
[root@deep] /# <command>rm</command> -f /etc/conf.linuxconf-installed
</screen>
</para>
</step>
</procedure>
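<para>
The stop-then-remove procedure above, as an added shell example that is not part of the original book: the function stops a package's init script, if one exists under <filename class="directory">/etc/rc.d/init.d</filename>, before handing the whole list to <command>rpm</command> -e --nodeps, so a daemon such as apmd, kudzu or sendmail is never removed while it is still running. The <envar>INITDIR</envar> and <envar>RPM</envar> variables, the stub init scripts, the stub rpm and the actions.log file are assumptions of the example so that it can be exercised against constructed stubs without touching real packages.
</para>

```shell
#!/bin/sh
# Added example (not the book's own code): stop a package's daemon before
# removing the package with rpm, as the chapter advises for apmd, kudzu and
# sendmail. INITDIR and RPM are assumption hooks so the logic can be exercised
# against stub scripts; leave them unset on a real server.
INITDIR=${INITDIR:-/etc/rc.d/init.d}
RPM=${RPM:-rpm}

# Stop the daemon belonging to package $1 if an init script of that name
# exists. Packages without an init script (pump, eject, ...) are skipped;
# only a failing "stop" makes this function fail.
stop_if_daemon() {
    if [ -x "$INITDIR/$1" ]; then
        echo "stopping $1"
        "$INITDIR/$1" stop
    fi
}

# Stop every daemon in the list first, then remove all packages in a single
# rpm call (--nodeps, as in the book's command for this package set).
remove_packages() {
    for pkg in "$@"; do
        stop_if_daemon "$pkg" || return 1
    done
    "$RPM" -e --nodeps "$@"
}

# Constructed stubs for a dry run: fake init scripts and a fake rpm that only
# append what they were asked to do to actions.log. Nothing is really removed.
setup_stubs() {
    STUBDIR=$(mktemp -d)
    INITDIR="$STUBDIR/init.d"
    mkdir "$INITDIR"
    for d in apmd sendmail kudzu; do
        printf '#!/bin/sh\necho "$(basename "$0") $1" >> "%s/actions.log"\n' "$STUBDIR" > "$INITDIR/$d"
        chmod +x "$INITDIR/$d"
    done
    RPM="$STUBDIR/rpm"
    printf '#!/bin/sh\necho "rpm $*" >> "%s/actions.log"\n' "$STUBDIR" > "$RPM"
    chmod +x "$RPM"
}

# Run the removal against the stubs and print the recorded actions in order:
# the three daemons are stopped before the single rpm -e --nodeps call.
run_demo() {
    setup_stubs
    remove_packages pump apmd sendmail kudzu > /dev/null
    cat "$STUBDIR/actions.log"
    rm -rf "$STUBDIR"
}

run_demo
```

<para>
On a real server you would call <userinput>remove_packages</userinput> with the package list from the screen above and leave <envar>INITDIR</envar> and <envar>RPM</envar> at their defaults; the demo at the end of the script only records what would have been executed, which is also a convenient way to review the order of operations before running it for real.
</para>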
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
This is a configuration file related to the linuxconf software that must be removed manually.
</para></note>
<para>
The program hdparm is needed for <acronym>IDE</acronym> hard disks but not for <acronym>SCSI</acronym> hard disks. If you have an <acronym>IDE</acronym> disk on your system you must keep
this program (hdparm), but if you don't have an <acronym>IDE</acronym> hard disk you can remove it safely from your system.
To remove hdparm from your system, use the following command:
<screen>
[root@deep] /# <command>rpm</command> -e hdparm
</screen>
</para>
<para>
Use the programs <application class="software">kbdconfig, mouseconfig, timeconfig, authconfig, ntsysv,</application> and <application class="software">setuptool</application> to
set your keyboard language and type, your mouse type, your default time zone, your <acronym>NIS</acronym> and shadow password settings, the numerous symbolic links in the <filename class="directory">/etc/rc.d</filename>
directory, and the text mode menu utility which gives you access to all of these features. After those configurations have been set during the installation stage
of your Linux server it is rare that you would need to change them again. So you can uninstall them, and if in future you need to change your keyboard,
mouse, default time zone, etc. again via the text mode menu, all you have to do is install the program with <acronym>RPM</acronym> from your original <hardware>CD-ROM</hardware>.
To remove all the above programs from your system, use the following command:
<screen>
[root@deep] /# <command>rpm</command> -e kbdconfig mouseconfig timeconfig authconfig ntsysv setuptool
</screen>
</para>
<para>
Even if you are not intending to install a mail server on your Linux system, the program Sendmail is always needed on your servers for the messages that may be sent to the root user
by the different software services installed on your machine.
</para>
<para>
Sendmail is a Mail Transport Agent (<acronym>MTA</acronym>), a program that sends mail from one machine to another. It can be configured in different manners: it can serve as an
internal delivery mail system to a Mail Hub Server, or it can be configured to be a Central Mail Hub Server for all Sendmail machines on your network. So, depending on what you
want to do with Sendmail, you must configure it to respond to your specific needs. For this reason you must uninstall Sendmail
and see the relevant sections in this book related to <link linkend="pr6ch22SSMn">Sendmail</link> configuration and installation.
</para>
<para>
To remove Sendmail from your system, use the following command:
<screen>
[root@deep] /# <command>rpm</command> -e sendmail
</screen>
</para>
</section>
<section><?dbhtml filename="chap4sec24.html"?>
<title id="ch3sec3.3-1">Software that must be installed</title>
<para>
There are certain programs required to be able to compile programs on your server, hence you must install the following <acronym>RPM</acronym> packages. This part of the installation is very important and
requires that you install all the related packages described below. These are on your Red Hat Part 1 <hardware>CD-ROM</hardware> under the RedHat/<acronym>RPMS</acronym> directory and represent the base
software needed on Linux to compile and install programs.
</para>
<procedure>
<step>
<para>
First, we mount the <hardware>CD-ROM</hardware> drive and move to the <acronym>RPMS</acronym> subdirectory of the <hardware>CD-ROM.</hardware>
To mount the CD-ROM drive and move to the RPMS directory, use the following commands:
<screen format="linespecific">
[root@deep] /# <command>mount</command> /dev/cdrom /mnt/cdrom/
[root@deep] /# <command>cd</command> /mnt/cdrom/RedHat/RPMS/
</screen>
</para>
<para>
In the process of customizing our Linux server we will, most of the time, be using source tarballs rather than pre-compiled RPMs, hence
these are the packages that we need to be able to compile and install programs. Remember, this is the minimum set of packages that will allow you
to compile most of the tarballs available for Linux. Other compiled binary packages exist on the Red Hat CD-ROM, so if you receive error messages
during compilation of a specific piece of software, verify with the README file that came with the tarball you want to install.
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/></imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
<simplelist columns="2" type="vert">
<member><filename>m4-1.4-12.i386.rpm</filename></member>
<member><filename>dev86-0.14.9-1.i386.rpm</filename></member>
<member><filename>bison-1.28-1.i386.rpm</filename></member>
<member><filename>byacc-1.9-11.i386.rpm</filename></member>
<member><filename>cdecl-2.5-9.i386.rpm</filename></member>
<member><filename>cpp-1.1.2-24.i386.rpm</filename></member>
<member><filename>cproto-4.6-2.i386.rpm</filename></member>
<member><filename>ctags-3.2-1.i386.rpm</filename></member>
<member><filename>egcs-1.1.2-24.i386.rpm</filename></member>
<member><filename>ElectricFence-2.1-1.i386.rpm</filename></member>
<member><filename>flex-2.5.4a-7.i386.rpm</filename></member>
<member><filename>gdb-4.18-4.i386.rpm</filename></member>
<member><filename>kernel-headers-2.2.12-20.i386.rpm</filename></member>
<member><filename>glibc-devel-2.1.2-11.i386.rpm</filename></member>
<member><filename>make-3.77-6.i386.rpm</filename></member>
<member><filename>patch-2.5-9.i386.rpm</filename></member>
</simplelist>
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/></imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
<simplelist columns="2" type="vert">
<member><filename>m4-1.4-12.i386.rpm</filename></member>
<member><filename>dev86-0.15.0-2.i386.rpm</filename></member>
<member><filename>bison-1.28-2.i386.rpm</filename></member>
<member><filename>byacc-1.9-12.i386.rpm</filename></member>
<member><filename>cdecl-2.5-10.i386.rpm</filename></member>
<member><filename>cpp-1.1.2-30.i386.rpm</filename></member>
<member><filename>cproto-4.6-3.i386.rpm</filename></member>
<member><filename>ctags-3.4-1.i386.rpm</filename></member>
<member><filename>egcs-1.1.2-30.i386.rpm</filename></member>
<member><filename>ElectricFence-2.1-3.i386.rpm</filename></member>
<member><filename>flex-2.5.4a-9.i386.rpm</filename></member>
<member><filename>gdb-4.18-11.i386.rpm</filename></member>
<member><filename>kernel-headers-2.2.14-5.0.i386.rpm</filename></member>
<member><filename>glibc-devel-2.1.3-15.i386.rpm</filename></member>
<member><filename>make-3.78.1-4.i386.rpm</filename></member>
<member><filename>patch-2.5-10.i386.rpm</filename></member>
</simplelist>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
It is better to install the software mentioned above in one shot, if you don't want to receive error messages
regarding dependencies during the <acronym>RPM</acronym> install.
</para>
</note>
</para>
</step>
<step>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject><textobject><phrase>Version 6.1 only</phrase></textobject></mediaobject>
Install all the needed software above with one RPM command.
The RPM command to install all software together is:
<screen>
[root@deep ] /RPMS#<command>rpm</command> -Uvh m4-1.4-12.i386.rpm dev86-0.14.9-1.i386.rpm bison-1.28-1.i386.rpm byacc-1.9-11.i386.rpm cdecl-2.5-9.i386.rpm cpp-1.1.2-24.i386.rpm
cproto-4.6-2.i386.rpm ctags-3.2-1.i386.rpm egcs-1.1.2-24.i386.rpm ElectricFence-2.1-1.i386.rpm flex-2.5.4a-7.i386.rpm gdb-4.18-4.i386.rpm kernel-headers-2.2.12-20.i386.rpm glibc-devel-2.1.2-11.i386.rpm
make-3.77-6.i386.rpm patch-2.5-9.i386.rpm
</screen>
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject><textobject><phrase>Version 6.2 only</phrase></textobject></mediaobject>
Install all the needed software above with one RPM command.
The RPM command to install all software together is:
<screen>
[root@deep ] /RPMS#<command>rpm</command> -Uvh m4-1.4-12.i386.rpm dev86-0.15.0-2.i386.rpm bison-1.28-2.i386.rpm byacc-1.9-12.i386.rpm cdecl-2.5-10.i386.rpm cpp-1.1.2-30.i386.rpm
cproto-4.6-3.i386.rpm ctags-3.4-1.i386.rpm egcs-1.1.2-30.i386.rpm ElectricFence-2.1-3.i386.rpm flex-2.5.4a-9.i386.rpm gdb-4.18-11.i386.rpm kernel-headers-2.2.14-5.0.i386.rpm glibc-devel-2.1.3-15.i386.rpm
make-3.78.1-4.i386.rpm patch-2.5-10.i386.rpm
</screen>
</para>
</step>
</procedure>
<para>
The <acronym>RPM</acronym> program has many options; for example we have used the following syntax: <cmdsynopsis><command>rpm</command><arg>-Uvh</arg> <arg><replaceable>file</replaceable></arg></cmdsynopsis>
You might be curious to know what the arguments -Uvh mean and why they should be given at all. Here is a brief description:
<glosslist>
<glossentry>
<glossterm><parameter class="option">-U</parameter></glossterm>
<glossdef><para>
Stands for Upgrade, which will uninstall an older version of the package you are installing and install the new one, eliminating the error likely to occur
if the package being uninstalled has dependencies. It is generally recommended to use this argument even when you are absolutely sure that no earlier version of the package you are trying to install
exists on your machine.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><parameter class="option">v</parameter></glossterm>
<glossdef><para>
Stands for verbose, which is quite self-explanatory. This argument ensures all messages are written to stdout/console so you get to know what is happening.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><parameter class="option">h</parameter></glossterm>
<glossdef><para>
Generates hash marks <prompt>#</prompt> in a series, which gives a sense of visual progress during the install process.
</para></glossdef>
</glossentry>
</glosslist>
</para>
<para>So, when you use <command>rpm <userinput>-Uvh</userinput></command>, whether it is Red Hat version 6.1 or 6.2, what you see on your console is shown below. Notice in the display
that the name of the package is shown but not the version number. In fact we have mentioned earlier in this book that when you install or upgrade you have
to enter the package name with its version, for example <command>rpm <userinput>-ivh mnt-1.0.4.rpm</userinput></command>, but when querying the same package with the rpm command
the syntax is as follows: <command>rpm</command> <userinput>-qi mnt</userinput>. Please keep this in mind. Given below is a representation of your screen when you
install the above mentioned RPMs:
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/VersionAll.gif"/>
</imageobject><textobject><phrase>Version All</phrase></textobject></mediaobject>
<literallayout class="monospaced"><computeroutput>
m4 ##################################################
dev86 ##################################################
bison ##################################################
byacc ##################################################
cdecl ##################################################
cpp ##################################################
cproto ##################################################
ctags ##################################################
egcs ##################################################
ElectricFence ##################################################
flex ##################################################
gdb ##################################################
kernel-headers ##################################################
glibc-devel ##################################################
make ##################################################
patch ##################################################
</computeroutput></literallayout>
</para>
<para>
You must exit and re-login for all the changes to take effect.
To exit from your console, use the command:
<screen>
[root@deep] /# <command>exit</command>
</screen>
</para>
</section>
<section><?dbhtml filename="chap4sec25.html"?>
<title>Check, Re-confirm</title>
<para>
After installation and compilation of all the programs you need on your server, it is a good idea to remove all unnecessary programs (compilers, etc.) described above unless they are absolutely needed by the system.
A few reasons are:
<itemizedlist mark="opencircle">
<listitem>
<para>
If a cracker gains access to your server, he or she cannot compile or modify binary programs. Also, this will free a lot of space and will help to improve regular scanning of files on
your server for integrity checking.
</para>
</listitem>
<listitem>
<para>
When you run a server you will give it a special task to accomplish. You will never put all the services you want to offer on one machine or you will lose speed: <emphasis>the resources available are divided by the
number of processes running on the server</emphasis>.
</para>
</listitem>
<listitem>
<para>
Running a lot of services on the same machine decreases your security: if a cracker accesses this server, he or she can directly attack all
the others available.
</para>
</listitem>
<listitem>
<para>
Having different servers doing different tasks will simplify administration and management: you know what task each server is supposed to do, what services should be available, which ports are
open to client access and which ones are closed, what you are supposed to see in the log files, etc. This gives you more control and flexibility on each server dedicated to mail,
web pages, database, development, backup, etc.
</para>
</listitem>
<listitem>
<para>
For example, having one server specialized just for development and testing means you are not compelled to install compiler programs
on a server each time you want to compile and install new software on it, and then obliged to uninstall the compilers, or other sharp objects, afterwards.
</para>
</listitem>
</itemizedlist>
</para>
<para>
If you have followed each step exactly as described till now, since we have chosen to customize the installation of our Linux system, this is the list of all installed programs that you must have on your
server after the complete installation of the Linux server. This list must match exactly the install.log file located in your <filename>/tmp</filename> directory or you could run into a problem. Don't
forget to install all the programs listed above in <link linkend="ch3sec3.3-1">Software that must be installed</link> after installation of the server to be able to compile programs properly on your server.
</para>
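<para>
To make the comparison with install.log mechanical, here is an added shell example that is not part of the original book: it extracts the package names from the <computeroutput>Installing <replaceable>name</replaceable>.</computeroutput> lines of <filename>/tmp/install.log</filename> and reports which packages from your expected list are missing and which installed packages are not on the list, so an unwanted package such as linuxconf stands out before you start hardening. The expected-list file format (one package name per line), the function names and the constructed four-line fixtures are assumptions of the example.
</para>

```shell
#!/bin/sh
# Added example (not the book's own code): compare the packages recorded in
# install.log with the list of packages a minimal server is expected to have.
# install.log lines look like "Installing setup." as in the book's listing.
export LC_ALL=C   # consistent ordering for sort(1) and comm(1)

# Package names from an install.log, one per line, sorted and de-duplicated.
log_packages() {
    sed -n 's/^Installing \(.*\)\.$/\1/p' "$1" | sort -u
}

# Package names from an expected-list file (one name per line), sorted.
expected_packages() {
    sed '/^[[:space:]]*$/d' "$1" | sort -u
}

# Packages expected but absent from the log ($1 expected list, $2 install.log).
missing_packages() {
    exp=$(mktemp); got=$(mktemp)
    expected_packages "$1" > "$exp"
    log_packages "$2" > "$got"
    comm -23 "$exp" "$got"
    rm -f "$exp" "$got"
}

# Packages present in the log but not in the expected list.
unexpected_packages() {
    exp=$(mktemp); got=$(mktemp)
    expected_packages "$1" > "$exp"
    log_packages "$2" > "$got"
    comm -13 "$exp" "$got"
    rm -f "$exp" "$got"
}

# Print a report; return 1 when the lists differ so it can gate a script.
check_install_log() {
    missing=$(missing_packages "$1" "$2")
    extra=$(unexpected_packages "$1" "$2")
    status=0
    if [ -n "$missing" ]; then
        echo "missing (expected but not installed):"; echo "$missing"; status=1
    fi
    if [ -n "$extra" ]; then
        echo "unexpected (installed but not on the list):"; echo "$extra"; status=1
    fi
    if [ $status -eq 0 ]; then
        echo "install.log matches the expected list"
    fi
    return $status
}

# Constructed fixtures: a four-line install.log and an expected list that
# disagree in one package each way (linuxconf installed but unwanted, bash
# wanted but missing). Real use: check_install_log my-list.txt /tmp/install.log
write_fixtures() {
    FIXDIR=$(mktemp -d)
    printf 'Installing setup.\nInstalling filesystem.\nInstalling basesystem.\nInstalling linuxconf.\n' > "$FIXDIR/install.log"
    printf 'setup\nfilesystem\nbasesystem\nbash\n' > "$FIXDIR/expected.txt"
}

write_fixtures
if check_install_log "$FIXDIR/expected.txt" "$FIXDIR/install.log"; then
    echo "ok"
else
    echo "mismatch reported, exit status 1 (expected for these fixtures)"
fi
rm -rf "$FIXDIR"
```

<para>
Keep the expected list under version control next to your build notes; re-running <userinput>check_install_log</userinput> after every package removal or installation in this chapter gives you a quick confirmation that the server still matches the list you intended.
</para>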
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/></imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
<simplelist columns="3" type="vert">
<member><filename>Installing setup.</filename></member>
<member><filename>Installing filesystem.</filename></member>
<member><filename>Installing basesystem.</filename></member>
<member><filename>Installing ldconfig.</filename></member>
<member><filename>Installing glibc.</filename></member>
<member><filename>Installing shadow-utils.</filename></member>
<member><filename>Installing mktemp.</filename></member>
<member><filename>Installing termcap.</filename></member>
<member><filename>Installing libtermcap.</filename></member>
<member><filename>Installing bash.</filename></member>
<member><filename>Installing MAKEDEV.</filename></member>
<member><filename>Installing SysVinit.</filename></member>
<member><filename>Installing XFree86-Mach64.</filename></member>
<member><filename>Installing chkconfig.</filename></member>
<member><filename>Installing apmd.</filename></member>
<member><filename>Installing ncurses.</filename></member>
<member><filename>Installing info.</filename></member>
<member><filename>Installing fileutils.</filename></member>
<member><filename>Installing grep.</filename></member>
<member><filename>Installing ash.</filename></member>
<member><filename>Installing at.</filename></member>
<member><filename>Installing authconfig.</filename></member>
<member><filename>Installing bc.</filename></member>
<member><filename>Installing bdflush.</filename></member>
<member><filename>Installing binutils.</filename></member>
<member><filename>Installing bzip2.</filename></member>
<member><filename>Installing sed.</filename></member>
<member><filename>Installing console-tools.</filename></member>
<member><filename>Installing e2fsprogs.</filename></member>
<member><filename>Installing rmt.</filename></member>
<member><filename>Installing cpio.</filename></member>
<member><filename>Installing cracklib.</filename></member>
<member><filename>Installing cracklib-dicts.</filename></member>
<member><filename>Installing crontabs.</filename></member>
<member><filename>Installing textutils.</filename></member>
<member><filename>Installing dev.</filename></member>
<member><filename>Installing diffutils.</filename></member>
<member><filename>Installing dump.</filename></member>
<member><filename>Installing ed.</filename></member>
<member><filename>Installing eject.</filename></member>
<member><filename>Installing etcskel.</filename></member>
<member><filename>Installing file.</filename></member>
<member><filename>Installing findutils.</filename></member>
<member><filename>Installing gawk.</filename></member>
<member><filename>Installing gd.</filename></member>
<member><filename>Installing gdbm.</filename></member>
<member><filename>Installing getty_ps.</filename></member>
<member><filename>Installing glib.</filename></member>
<member><filename>Installing gmp.</filename></member>
<member><filename>Installing gnupg.</filename></member>
<member><filename>Installing gpm.</filename></member>
<member><filename>Installing groff.</filename></member>
<member><filename>Installing gzip.</filename></member>
<member><filename>Installing hdparm.</filename></member>
<member><filename>Installing initscripts.</filename></member>
<member><filename>Installing ipchains.</filename></member>
<member><filename>Installing isapnptools.</filename></member>
<member><filename>Installing kbdconfig.</filename></member>
<member><filename>Installing kernel.</filename></member>
<member><filename>Installing kernel-pcmcia-cs.</filename></member>
<member><filename>Installing kudzu.</filename></member>
<member><filename>Installing ld.so.</filename></member>
<member><filename>Installing less.</filename></member>
<member><filename>Installing libc.</filename></member>
<member><filename>Installing libstdc++.</filename></member>
<member><filename>Installing lilo.</filename></member>
<member><filename>Installing pwdb.</filename></member>
<member><filename>Installing pam.</filename></member>
<member><filename>Installing sh-utils.</filename></member>
<member><filename>Installing redhat-release.</filename></member>
<member><filename>Installing linuxconf.</filename></member>
<member><filename>Installing logrotate.</filename></member>
<member><filename>Installing losetup.</filename></member>
<member><filename>Installing lsof.</filename></member>
<member><filename>Installing mailcap.</filename></member>
<member><filename>Installing mailx.</filename></member>
<member><filename>Installing man.</filename></member>
<member><filename>Installing mingetty.</filename></member>
<member><filename>Installing mkbootdisk.</filename></member>
<member><filename>Installing mkinitrd.</filename></member>
<member><filename>Installing modutils.</filename></member>
<member><filename>Installing mount.</filename></member>
<member><filename>Installing mouseconfig.</filename></member>
<member><filename>Installing mt-st.</filename></member>
<member><filename>Installing ncompress.</filename></member>
<member><filename>Installing net-tools.</filename></member>
<member><filename>Installing netkit-base.</filename></member>
<member><filename>Installing newt.</filename></member>
<member><filename>Installing ntsysv.</filename></member>
<member><filename>Installing passwd.</filename></member>
<member><filename>Installing pciutils.</filename></member>
<member><filename>Installing perl.</filename></member>
<member><filename>Installing procmail.</filename></member>
<member><filename>Installing procps.</filename></member>
<member><filename>Installing psmisc.</filename></member>
<member><filename>Installing pump.</filename></member>
<member><filename>Installing python.</filename></member>
<member><filename>Installing quota.</filename></member>
<member><filename>Installing raidtools.</filename></member>
<member><filename>Installing readline.</filename></member>
<member><filename>Installing redhat-logos.</filename></member>
<member><filename>Installing rootfiles.</filename></member>
<member><filename>Installing rpm.</filename></member>
<member><filename>Installing sash.</filename></member>
<member><filename>Installing sendmail.</filename></member>
<member><filename>Installing setconsole.</filename></member>
<member><filename>Installing setserial.</filename></member>
<member><filename>Installing setuptool.</filename></member>
<member><filename>Installing shapecfg.</filename></member>
<member><filename>Installing slang.</filename></member>
<member><filename>Installing slocate.</filename></member>
<member><filename>Installing stat.</filename></member>
<member><filename>Installing sysklogd.</filename></member>
<member><filename>Installing tar.</filename></member>
<member><filename>Installing tcp_wrappers.</filename></member>
<member><filename>Installing tcpdump.</filename></member>
<member><filename>Installing tcsh.</filename></member>
<member><filename>Installing time.</filename></member>
<member><filename>Installing timeconfig.</filename></member>
<member><filename>Installing timed.</filename></member>
<member><filename>Installing tmpwatch.</filename></member>
<member><filename>Installing traceroute.</filename></member>
<member><filename>Installing utempter.</filename></member>
<member><filename>Installing util-linux.</filename></member>
<member><filename>Installing vim-common.</filename></member>
<member><filename>Installing vim-minimal.</filename></member>
<member><filename>Installing vixie-cron.</filename></member>
<member><filename>Installing which.</filename></member>
<member><filename>Installing zlib.</filename></member>
</simplelist> </para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/></imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
<simplelist columns="3" type="vert">
<member><filename>Installing setup.</filename></member>
<member><filename>Installing filesystem.</filename></member>
<member><filename>Installing basesystem.</filename></member>
<member><filename>Installing ldconfig.</filename></member>
<member><filename>Installing glibc.</filename></member>
<member><filename>Installing shadow-utils.</filename></member>
<member><filename>Installing mktemp.</filename></member>
<member><filename>Installing termcap.</filename></member>
<member><filename>Installing libtermcap.</filename></member>
<member><filename>Installing bash.</filename></member>
<member><filename>Installing MAKEDEV.</filename></member>
<member><filename>Installing SysVinit.</filename></member>
<member><filename>Installing XFree86-Mach64.</filename></member>
<member><filename>Installing anacron.</filename></member>
<member><filename>Installing chkconfig.</filename></member>
<member><filename>Installing apmd.</filename></member>
<member><filename>Installing ncurses.</filename></member>
<member><filename>Installing info.</filename></member>
<member><filename>Installing fileutils.</filename></member>
<member><filename>Installing grep.</filename></member>
<member><filename>Installing ash.</filename></member>
<member><filename>Installing at.</filename></member>
<member><filename>Installing authconfig.</filename></member>
<member><filename>Installing bc.</filename></member>
<member><filename>Installing bdflush.</filename></member>
<member><filename>Installing binutils.</filename></member>
<member><filename>Installing bzip2.</filename></member>
<member><filename>Installing sed.</filename></member>
<member><filename>Installing console-tools.</filename></member>
<member><filename>Installing e2fsprogs.</filename></member>
<member><filename>Installing rmt.</filename></member>
<member><filename>Installing cpio.</filename></member>
<member><filename>Installing cracklib.</filename></member>
<member><filename>Installing cracklib-dicts.</filename></member>
<member><filename>Installing crontabs.</filename></member>
<member><filename>Installing textutils.</filename></member>
<member><filename>Installing dev.</filename></member>
<member><filename>Installing diffutils.</filename></member>
<member><filename>Installing dump.</filename></member>
<member><filename>Installing ed.</filename></member>
<member><filename>Installing eject.</filename></member>
<member><filename>Installing etcskel.</filename></member>
<member><filename>Installing file.</filename></member>
<member><filename>Installing findutils.</filename></member>
<member><filename>Installing gawk.</filename></member>
<member><filename>Installing gd.</filename></member>
<member><filename>Installing gdbm.</filename></member>
<member><filename>Installing getty_ps.</filename></member>
<member><filename>Installing glib.</filename></member>
<member><filename>Installing gmp.</filename></member>
<member><filename>Installing gnupg.</filename></member>
<member><filename>Installing gpm.</filename></member>
<member><filename>Installing groff.</filename></member>
<member><filename>Installing gzip.</filename></member>
<member><filename>Installing hdparm.</filename></member>
<member><filename>Installing inetd.</filename></member>
<member><filename>Installing initscripts.</filename></member>
<member><filename>Installing ipchains.</filename></member>
<member><filename>Installing iputils.</filename></member>
<member><filename>Installing isapnptools.</filename></member>
<member><filename>Installing kbdconfig.</filename></member>
<member><filename>Installing kernel.</filename></member>
<member><filename>Installing kernel-pcmcia-cs.</filename></member>
<member><filename>Installing kernel-utils.</filename></member>
<member><filename>Installing kudzu.</filename></member>
<member><filename>Installing ld.so.</filename></member>
<member><filename>Installing less.</filename></member>
<member><filename>Installing libc.</filename></member>
<member><filename>Installing libstdc++.</filename></member>
<member><filename>Installing lilo.</filename></member>
<member><filename>Installing pwdb.</filename></member>
<member><filename>Installing pam.</filename></member>
<member><filename>Installing sh-utils.</filename></member>
<member><filename>Installing redhat-release.</filename></member>
<member><filename>Installing linuxconf.</filename></member>
<member><filename>Installing logrotate.</filename></member>
<member><filename>Installing losetup.</filename></member>
<member><filename>Installing lsof.</filename></member>
<member><filename>Installing mailcap.</filename></member>
<member><filename>Installing mailx.</filename></member>
<member><filename>Installing man.</filename></member>
<member><filename>Installing mingetty.</filename></member>
<member><filename>Installing mkbootdisk.</filename></member>
<member><filename>Installing mkinitrd.</filename></member>
<member><filename>Installing modutils.</filename></member>
<member><filename>Installing mount.</filename></member>
<member><filename>Installing mouseconfig.</filename></member>
<member><filename>Installing mt-st.</filename></member>
<member><filename>Installing ncompress.</filename></member>
<member><filename>Installing net-tools.</filename></member>
<member><filename>Installing newt.</filename></member>
<member><filename>Installing ntsysv.</filename></member>
<member><filename>Installing passwd.</filename></member>
<member><filename>Installing pciutils.</filename></member>
<member><filename>Installing perl.</filename></member>
<member><filename>Installing popt.</filename></member>
<member><filename>Installing procmail.</filename></member>
<member><filename>Installing procps.</filename></member>
<member><filename>Installing psmisc.</filename></member>
<member><filename>Installing pump.</filename></member>
<member><filename>Installing quota.</filename></member>
<member><filename>Installing raidtools.</filename></member>
<member><filename>Installing readline.</filename></member>
<member><filename>Installing redhat-logos.</filename></member>
<member><filename>Installing rootfiles.</filename></member>
<member><filename>Installing rpm.</filename></member>
<member><filename>Installing sash.</filename></member>
<member><filename>Installing sendmail.</filename></member>
<member><filename>Installing setserial.</filename></member>
<member><filename>Installing setuptool.</filename></member>
<member><filename>Installing shapecfg.</filename></member>
<member><filename>Installing slang.</filename></member>
<member><filename>Installing slocate.</filename></member>
<member><filename>Installing stat.</filename></member>
<member><filename>Installing sysklogd.</filename></member>
<member><filename>Installing tar.</filename></member>
<member><filename>Installing tcp_wrappers.</filename></member>
<member><filename>Installing tcpdump.</filename></member>
<member><filename>Installing tcsh.</filename></member>
<member><filename>Installing time.</filename></member>
<member><filename>Installing timeconfig.</filename></member>
<member><filename>Installing tmpwatch.</filename></member>
<member><filename>Installing traceroute.</filename></member>
<member><filename>Installing utempter.</filename></member>
<member><filename>Installing util-linux.</filename></member>
<member><filename>Installing vim-common.</filename></member>
<member><filename>Installing vim-minimal.</filename></member>
<member><filename>Installing vixie-cron.</filename></member>
<member><filename>Installing which.</filename></member>
<member><filename>Installing zlib.</filename></member>
</simplelist>
</para>
</section>
<section><?dbhtml filename="./resources/chap4sec26"?>
<title>Verify, Cross-check</title>
<para>
After we have uninstalled all the software that must be removed after the installation of our Linux server (see <link linkend="ch3sc3.1-1">Software that must be uninstalled</link>
after installation of the Server) and added the <acronym>RPM</acronym> packages needed to compile programs on the server, we must verify
the list of all installed <acronym>RPM</acronym> packages again, this time with the following command:
</para>
<para>
To produce the list of all installed <acronym>RPM</acronym> packages on your system, use the command:
<screen>
[root@deep] /#<command>rpm</command> -qa &gt; installed_rpm
</screen>
The <userinput>-qa</userinput> option queries all installed <acronym>RPM</acronym> packages on your system, and the &gt; symbol redirects the output to the file
named <filename>installed_rpm</filename>.
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
The content of the <filename>installed_rpm</filename> file must match exactly this:
</para>
<para>
<simplelist columns="3" type="vert">
<member><filename>setup-2.0.5-1</filename></member>
<member><filename>filesystem-1.3.5-1</filename></member>
<member><filename>basesystem-6.0-4</filename></member>
<member><filename>ldconfig-1.9.5-15</filename></member>
<member><filename>glibc-2.1.2-11</filename></member>
<member><filename>shadow-utils-19990827-2</filename></member>
<member><filename>mktemp-1.5-1</filename></member>
<member><filename>termcap-9.12.6-15</filename></member>
<member><filename>libtermcap-2.0.8-18</filename></member>
<member><filename>bash-1.14.7-16</filename></member>
<member><filename>MAKEDEV-2.5-2</filename></member>
<member><filename>SysVinit-2.77-2</filename></member>
<member><filename>chkconfig-1.0.7-2</filename></member>
<member><filename>ncurses-4.2-25</filename></member>
<member><filename>info-3.12h-2</filename></member>
<member><filename>fileutils-4.0-8</filename></member>
<member><filename>grep-2.3-2</filename></member>
<member><filename>ash-0.2-18</filename></member>
<member><filename>at-3.1.7-11</filename></member>
<member><filename>m4-1.4-12</filename></member>
<member><filename>bdflush-1.5-10</filename></member>
<member><filename>binutils-2.9.1.0.23-6</filename></member>
<member><filename>bzip2-0.9.5c-1</filename></member>
<member><filename>sed-3.02-4</filename></member>
<member><filename>console-tools-19990302-17</filename></member>
<member><filename>e2fsprogs-1.15-3</filename></member>
<member><filename>byacc-1.9-11</filename></member>
<member><filename>cpio-2.4.2-13</filename></member>
<member><filename>cracklib-2.7-5</filename></member>
<member><filename>cracklib-dicts-2.7-5</filename></member>
<member><filename>crontabs-1.7-7</filename></member>
<member><filename>textutils-2.0-2</filename></member>
<member><filename>dev-2.7.10-2</filename></member>
<member><filename>diffutils-2.7-16</filename></member>
<member><filename>dump-0.4b4-11</filename></member>
<member><filename>ed-0.2-12</filename></member>
<member><filename>bison-1.28-1</filename></member>
<member><filename>etcskel-2.0-1</filename></member>
<member><filename>file-3.27-3</filename></member>
<member><filename>findutils-4.1-32</filename></member>
<member><filename>gawk-3.0.4-1</filename></member>
<member><filename>cdecl-2.5-9</filename></member>
<member><filename>gdbm-1.8.0-2</filename></member>
<member><filename>glib-1.2.5-1</filename></member>
<member><filename>gmp-2.0.2-10</filename></member>
<member><filename>cpp-1.1.2-24</filename></member>
<member><filename>gpm-1.17.9-3</filename></member>
<member><filename>groff-1.11a-9</filename></member>
<member><filename>gzip-1.2.4-14</filename></member>
<member><filename>initscripts-4.48-1</filename></member>
<member><filename>ipchains-1.3.9-3</filename></member>
<member><filename>cproto-4.6-2</filename></member>
<member><filename>ElectricFence-2.1-1</filename></member>
<member><filename>kernel-2.2.12-20</filename></member>
<member><filename>patch-2.5-9</filename></member>
<member><filename>ld.so-1.9.5-11</filename></member>
<member><filename>less-340-1</filename></member>
<member><filename>libc-5.3.12-31</filename></member>
<member><filename>libstdc++-2.9.0-24</filename></member>
<member><filename>lilo-0.21-10</filename></member>
<member><filename>pwdb-0.60-1</filename></member>
<member><filename>pam-0.68-7</filename></member>
<member><filename>sh-utils-2.0-1</filename></member>
<member><filename>logrotate-3.3-1</filename></member>
<member><filename>losetup-2.9u-4</filename></member>
<member><filename>lsof-4.45-1</filename></member>
<member><filename>mailx-8.1.1-9</filename></member>
<member><filename>man-1.5g-6</filename></member>
<member><filename>mingetty-0.9.4-10</filename></member>
<member><filename>mkbootdisk-1.2.2-1</filename></member>
<member><filename>mkinitrd-2.3-1</filename></member>
<member><filename>modutils-2.1.121-14</filename></member>
<member><filename>mount-2.9u-4</filename></member>
<member><filename>ctags-3.2-1</filename></member>
<member><filename>ncompress-4.2.4-14</filename></member>
<member><filename>net-tools-1.53-1</filename></member>
<member><filename>netkit-base-0.10-37</filename></member>
<member><filename>newt-0.50-13</filename></member>
<member><filename>passwd-0.63-1</filename></member>
<member><filename>perl-5.00503-6</filename></member>
<member><filename>flex-2.5.4a-7</filename></member>
<member><filename>procps-2.0.4-2</filename></member>
<member><filename>psmisc-18-3</filename></member>
<member><filename>python-1.5.2-7</filename></member>
<member><filename>quota-1.66-8</filename></member>
<member><filename>gdb-4.18-4</filename></member>
<member><filename>readline-2.2.1-5</filename></member>
<member><filename>glibc-devel-2.1.2-11</filename></member>
<member><filename>rootfiles-5.2-5</filename></member>
<member><filename>rpm-3.0.3-2</filename></member>
<member><filename>sash-3.3-1</filename></member>
<member><filename>make-3.77-6</filename></member>
<member><filename>shapecfg-2.2.12-2</filename></member>
<member><filename>slang-1.2.2-4</filename></member>
<member><filename>slocate-2.0-3</filename></member>
<member><filename>stat-1.5-11</filename></member>
<member><filename>sysklogd-1.3.31-12</filename></member>
<member><filename>tar-1.13.11-1</filename></member>
<member><filename>tcp_wrappers-7.6-9</filename></member>
<member><filename>tcpdump-3.4-16</filename></member>
<member><filename>tcsh-6.08.00-6</filename></member>
<member><filename>time-1.7-9</filename></member>
<member><filename>timed-0.10-23</filename></member>
<member><filename>tmpwatch-2.0-1</filename></member>
<member><filename>traceroute-1.4a5-16</filename></member>
<member><filename>utempter-0.5.1-2</filename></member>
<member><filename>util-linux-2.9w-24</filename></member>
<member><filename>vim-common-5.4-2</filename></member>
<member><filename>vim-minimal-5.4-2</filename></member>
<member><filename>vixie-cron-3.0.1-39</filename></member>
<member><filename>which-2.8-1</filename></member>
<member><filename>zlib-1.1.3-5</filename></member>
<member><filename>dev86-0.14.9-1</filename></member>
<member><filename>egcs-1.1.2-24</filename></member>
<member><filename>kernel-headers-2.2.12-20</filename></member>
</simplelist>
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
The content of the <filename>installed_rpm</filename> file must look exactly like this:
</para>
<para>
<simplelist columns="3" type="vert">
<member><filename>setup-2.1.8-1</filename></member>
<member><filename>filesystem-1.3.5-1</filename></member>
<member><filename>basesystem-6.0-4</filename></member>
<member><filename>ldconfig-1.9.5-16</filename></member>
<member><filename>glibc-2.1.3-15</filename></member>
<member><filename>shadow-utils-19990827-10</filename></member>
<member><filename>mktemp-1.5-2</filename></member>
<member><filename>termcap-10.2.7-9</filename></member>
<member><filename>libtermcap-2.0.8-20</filename></member>
<member><filename>bash-1.14.7-22</filename></member>
<member><filename>MAKEDEV-2.5.2-1</filename></member>
<member><filename>SysVinit-2.78-5</filename></member>
<member><filename>anacron-2.1-6</filename></member>
<member><filename>chkconfig-1.1.2-1</filename></member>
<member><filename>m4-1.4-12</filename></member>
<member><filename>ncurses-5.0-11</filename></member>
<member><filename>info-4.0-5</filename></member>
<member><filename>fileutils-4.0-21</filename></member>
<member><filename>grep-2.4-3</filename></member>
<member><filename>ash-0.2-20</filename></member>
<member><filename>at-3.1.7-14</filename></member>
<member><filename>byacc-1.9-12</filename></member>
<member><filename>bc-1.05a-5</filename></member>
<member><filename>bdflush-1.5-11</filename></member>
<member><filename>binutils-2.9.5.0.22-6</filename></member>
<member><filename>bzip2-0.9.5d-2</filename></member>
<member><filename>sed-3.02-6</filename></member>
<member><filename>console-tools-19990829-10</filename></member>
<member><filename>e2fsprogs-1.18-5</filename></member>
<member><filename>cpio-2.4.2-16</filename></member>
<member><filename>cracklib-2.7-5</filename></member>
<member><filename>cracklib-dicts-2.7-5</filename></member>
<member><filename>crontabs-1.7-7</filename></member>
<member><filename>textutils-2.0a-2</filename></member>
<member><filename>dev-2.7.18-3</filename></member>
<member><filename>diffutils-2.7-17</filename></member>
<member><filename>dump-0.4b15-1</filename></member>
<member><filename>ed-0.2-13</filename></member>
<member><filename>cdecl-2.5-10</filename></member>
<member><filename>etcskel-2.3-1</filename></member>
<member><filename>file-3.28-2</filename></member>
<member><filename>findutils-4.1-34</filename></member>
<member><filename>gawk-3.0.4-2</filename></member>
<member><filename>patch-2.5-10</filename></member>
<member><filename>gdbm-1.8.0-3</filename></member>
<member><filename>bison-1.28-2</filename></member>
<member><filename>glib-1.2.6-3</filename></member>
<member><filename>gmp-2.0.2-13</filename></member>
<member><filename>gpm-1.18.1-7</filename></member>
<member><filename>groff-1.15-8</filename></member>
<member><filename>gzip-1.2.4a-2</filename></member>
<member><filename>inetd-0.16-4</filename></member>
<member><filename>initscripts-5.00-1</filename></member>
<member><filename>ipchains-1.3.9-5</filename></member>
<member><filename>iputils-20000121-2</filename></member>
<member><filename>cpp-1.1.2-30</filename></member>
<member><filename>cproto-4.6-3</filename></member>
<member><filename>kernel-2.2.14-5.0</filename></member>
<member><filename>ctags-3.4-1</filename></member>
<member><filename>kernel-utils-2.2.14-5.0</filename></member>
<member><filename>ElectricFence-2.1-3</filename></member>
<member><filename>ld.so-1.9.5-13</filename></member>
<member><filename>less-346-2</filename></member>
<member><filename>libc-5.3.12-31</filename></member>
<member><filename>libstdc++-2.9.0-30</filename></member>
<member><filename>lilo-0.21-15</filename></member>
<member><filename>pwdb-0.61-0</filename></member>
<member><filename>pam-0.72-6</filename></member>
<member><filename>sh-utils-2.0-5</filename></member>
<member><filename>logrotate-3.3.2-1</filename></member>
<member><filename>losetup-2.10f-1</filename></member>
<member><filename>lsof-4.47-2</filename></member>
<member><filename>mailx-8.1.1-10</filename></member>
<member><filename>man-1.5h1-1</filename></member>
<member><filename>mingetty-0.9.4-11</filename></member>
<member><filename>mkbootdisk-1.2.5-3</filename></member>
<member><filename>mkinitrd-2.4.1-2</filename></member>
<member><filename>modutils-2.3.9-6</filename></member>
<member><filename>mount-2.10f-1</filename></member>
<member><filename>flex-2.5.4a-9</filename></member>
<member><filename>ncompress-4.2.4-15</filename></member>
<member><filename>net-tools-1.54-4</filename></member>
<member><filename>newt-0.50.8-2</filename></member>
<member><filename>passwd-0.64.1-1</filename></member>
<member><filename>perl-5.00503-10</filename></member>
<member><filename>popt-1.5-0.48</filename></member>
<member><filename>procmail-3.14-2</filename></member>
<member><filename>procps-2.0.6-5</filename></member>
<member><filename>psmisc-19-2</filename></member>
<member><filename>quota-2.00pre3-2</filename></member>
<member><filename>gdb-4.18-11</filename></member>
<member><filename>readline-2.2.1-6</filename></member>
<member><filename>make-3.78.1-4</filename></member>
<member><filename>rootfiles-5.2-5</filename></member>
<member><filename>rpm-3.0.4-0.48</filename></member>
<member><filename>sash-3.4-2</filename></member>
<member><filename>shapecfg-2.2.12-2</filename></member>
<member><filename>slang-1.2.2-5</filename></member>
<member><filename>slocate-2.1-2</filename></member>
<member><filename>stat-1.5-12</filename></member>
<member><filename>sysklogd-1.3.31-16</filename></member>
<member><filename>tar-1.13.17-3</filename></member>
<member><filename>tcp_wrappers-7.6-10</filename></member>
<member><filename>tcpdump-3.4-19</filename></member>
<member><filename>tcsh-6.09-4</filename></member>
<member><filename>time-1.7-9</filename></member>
<member><filename>tmpwatch-2.2-1</filename></member>
<member><filename>traceroute-1.4a5-18</filename></member>
<member><filename>utempter-0.5.2-2</filename></member>
<member><filename>util-linux-2.10f-7</filename></member>
<member><filename>vim-common-5.6-11</filename></member>
<member><filename>vim-minimal-5.6-11</filename></member>
<member><filename>vixie-cron-3.0.1-40</filename></member>
<member><filename>which-2.9-2</filename></member>
<member><filename>zlib-1.1.3-6</filename></member>
<member><filename>dev86-0.15.0-2</filename></member>
<member><filename>egcs-1.1.2-30</filename></member>
<member><filename>kernel-headers-2.2.14-5.0</filename></member>
<member><filename>glibc-devel-2.1.3-15</filename></member>
</simplelist>
</para>
<para>
This step is required to make sure we have neither forgotten to remove an unnecessary <acronym>RPM</acronym> nor omitted one of the packages that let us compile programs on the system. If the result matches our <filename>installed_rpm</filename> list above,
we are ready to work with our new Linux server.
</para>
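<para>
Comparing a long <filename>installed_rpm</filename> file against the reference list by eye is error-prone, so the following shell script (an added example, not part of the book) does the cross-check mechanically: it takes a file holding the expected package names and a file produced by <command>rpm -qa</command>, and reports every package that is missing from the system and every package that is installed but not in the reference. The sample data is constructed from a few entries of the Version 6.2 table above; <filename>sample-extra-1.0-1</filename> is a made-up package name used to show an unexpected entry.
</para>
<para>
```shell
#!/bin/sh
# Added example (not from the book): compare the packages actually installed
# against the reference list the book expects and report the differences.
# It works on two text files with one package name per line, so it can be
# run offline on sample data; on a real server the "installed" file would be
# produced with:  rpm -qa > installed_rpm
LC_ALL=C; export LC_ALL   # sort and comm must agree on the collation order

# cross_check EXPECTED_FILE INSTALLED_FILE
# Prints "MISSING name" for packages the reference lists but the system
# lacks, and "EXTRA name" for installed packages the reference does not
# list. Returns 0 when the two lists match exactly, 1 otherwise.
cross_check() {
    expected="$1"
    installed="$2"
    tmpdir=$(mktemp -d) || return 2
    sort -u "$expected" > "$tmpdir/expected"
    sort -u "$installed" > "$tmpdir/installed"
    # comm column 1 = only in expected, column 2 = only in installed
    comm -23 "$tmpdir/expected" "$tmpdir/installed" | sed 's/^/MISSING /'
    comm -13 "$tmpdir/expected" "$tmpdir/installed" | sed 's/^/EXTRA /'
    differences=$(comm -3 "$tmpdir/expected" "$tmpdir/installed" | wc -l | tr -d ' ')
    rm -rf "$tmpdir"
    [ "$differences" -eq 0 ]
}

# count_differences EXPECTED_FILE INSTALLED_FILE
# Number of MISSING/EXTRA lines cross_check reports.
count_differences() {
    cross_check "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data: a few entries from the book's Version 6.2 table
# as the reference, and an "installed" list in which tcp_wrappers is missing
# and an unexpected package (sample-extra-1.0-1, a made-up name) is present.
demo_dir=$(mktemp -d)
printf '%s\n' setup-2.1.8-1 glibc-2.1.3-15 tcp_wrappers-7.6-10 vixie-cron-3.0.1-40 > "$demo_dir/expected_rpm"
printf '%s\n' glibc-2.1.3-15 sample-extra-1.0-1 setup-2.1.8-1 vixie-cron-3.0.1-40 > "$demo_dir/installed_rpm"

if cross_check "$demo_dir/expected_rpm" "$demo_dir/installed_rpm"; then
    echo "installed packages match the reference list"
else
    echo "installed packages differ from the reference list (see above)"
fi
```
</para>
<para>
On the sample data the script prints <computeroutput>MISSING tcp_wrappers-7.6-10</computeroutput> and <computeroutput>EXTRA sample-extra-1.0-1</computeroutput>. Because the full name-version-release string is compared, a package installed at a different release than the reference shows up as one MISSING and one EXTRA line, which is exactly what you want to see before deciding whether the difference is an update you made deliberately or a package you forgot.
</para>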
</section>
<section><?dbhtml filename="chap4sec27.html"?>
<title>Some colors for a change</title>
<para>
Putting some colors on your terminal helps you distinguish folders, files, archives, devices, symbolic links and executable files from one another. In my opinion, colors lead to fewer mistakes and faster navigation on your
system. Note that this hack is necessary only for Red Hat Linux version 6.1 (Cartman) and older, since Red Hat Linux version 6.2 (Zoot) enables and includes this feature by default.
Edit the profile file <userinput>vi /etc/profile</userinput> and add the following lines:
</para>
<para>
<programlisting>
# Enable Colour ls
eval `dircolors /etc/DIR_COLORS -b`
export LS_OPTIONS='-s -F -T 0 --color=yes'
</programlisting>
Edit the <filename>bashrc</filename> file <userinput>vi /etc/bashrc</userinput> and add the line:
<screen>
<userinput>alias ls='ls --color=auto' </userinput>
</screen>
Then log out and in again. The new color environment variable (<envar>LS_COLORS</envar>, which <command>dircolors</command> sets) should now be set, and your system will use it.
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Remember that this feature is only required for Red Hat Linux version 6.1 and older.
</para>
</note>
</para>
</section>
<section id="prt2ch3sc7uls"><?dbhtml filename="chap4sec28.html"?>
<title>Update of the latest software</title>
<para>
Keep all software, especially network software, up to date with the latest versions. Check the errata pages for the Red Hat Linux distribution, available at <link linkend="prtinxfp4">www.redhat.com/corp/support/errata/index.html</link>.
The errata pages are perhaps the best resource for fixing 90% of the common problems with Red Hat Linux. In addition, security holes for which a solution exists generally appear on the errata page 24 hours after Red Hat has been notified. You should always check there first. The software that
must be updated at this time for your Red Hat Linux server is:
</para>
<para>
<simplelist columns="2" type="vert">
<member><filename>
groff-1_15-1_i386.rpm
</filename>
</member>
<member><filename>
sysklogd-1_3_31-14_i386.rpm
</filename>
</member>
<member><filename>
initscripts-4_70-1_i386.rpm
</filename>
</member>
<member><filename>
e2fsprogs-1.17-1.i386.rpm
</filename>
</member>
<member><filename>
pam-0_68-10_i386.rpm
</filename>
</member>
<member><filename>
gpm-1.19.1-1.i386.rpm
</filename>
</member>
<member><filename>
Linux kernel 2.2.14 -linux-2_2_14_tar.gz
</filename>
</member>
</simplelist>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
The Linux kernel is the most important, and always must be updated. See below for more information on building a custom kernel for your specific system.
</para>
</note>
<para>
You can verify that the <acronym>RPM</acronym> software listed above is installed on your system before making an update with the following command:
<screen>
[root@deep] /#<command>rpm</command> -q &lt;softwarename&gt;
</screen>
Where <filename>&lt;softwarename&gt;</filename> is the name of the software you want to verify, like groff, sysklogd, etc.
</para>
</section>
</chapter>
</part>
<part label="3"><?dbhtml filename="Secure-optimize.html"?>
<title>Security, Optimization and Upgrade</title>
<partintro>
<mediaobject>
<imageobject>
<imagedata fileref="./resources/Annimals/Chapter15.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Bat</phrase></textobject>
</mediaobject>
<abstract>
<para>Now that we have installed a base system, the next three chapters will concentrate on
<itemizedlist mark="opencircle">
<listitem><para>
How to tighten the security of our configured system.
</para></listitem>
<listitem><para>
Optimise our system to perform at its peak.
</para></listitem>
<listitem><para>
Upgrade our machine to the latest kernel.
</para></listitem>
</itemizedlist>
Please note when we talk of tightening the security we are referring to the features available within the base installed system and not to any new additional software. We will talk about that later
in this book.</para>
</abstract>
</partintro>
<chapter label="5" id="prt2ch1gss"><?dbhtml filename="gen-syssecured.html"?>
<title>General System Security</title>
<highlights>
<para>
How secure a Linux server is depends on how the administrator configures it. Once we have eliminated potential security risks by removing <acronym>RPM</acronym>
services that are not needed, we can start to secure the existing services and software on our server. In this chapter we will discuss some of the more general, basic techniques used
to secure your system. The following is a list of features that can be used to help prevent attacks from external and internal sources.
</para>
</highlights>
<section><?dbhtml filename="chap5sec29.html"?>
<title>BIOS</title>
<para>
It is recommended that you set a boot password, disallow booting from the floppy drive and set a password on the <acronym>BIOS</acronym> setup. Check
your <acronym>BIOS</acronym> manual, or look the setup screens over thoroughly the next time you boot your system, to find out how to do this. Disallowing booting
from the floppy drive and protecting the <acronym>BIOS</acronym> setup with a password improve the security of your system: they
block undesired people from booting your Linux system with a special boot disk, and protect you from people trying to change <acronym>BIOS</acronym>
features, such as re-enabling booting from the floppy drive or booting the server without a password prompt. Keep in mind that these settings assume the machine's case is physically secured, since <acronym>BIOS</acronym> settings can be reset by anyone with access to the hardware inside.
</para>
</section>
<section><?dbhtml filename="chap5sec30.html"?>
<title>Security as a Policy</title>
<para>
It is important to point out that you cannot implement security if you have not decided what needs to be protected, and from whom. You need a security policy; a kind of
list of what you consider allowable and not allowable, upon which to base any decisions regarding security. The policy should also determine your
response to security violations. What you should consider while compiling a security policy will depend entirely on your definition of security. The answers to the
following questions should provide some general guidelines:
<itemizedlist mark="dash">
<listitem>
<para>
How do you classify confidential or sensitive information?
</para>
</listitem>
<listitem>
<para>
Does the system contain confidential or sensitive information?
</para>
</listitem>
<listitem>
<para>
Exactly whom do you want to guard against?
</para>
</listitem>
<listitem>
<para>
Do remote users really need access to your system?
</para>
</listitem>
<listitem>
<para>
Do passwords or encryption provide enough protection?
</para>
</listitem>
<listitem>
<para>
Do you need access to the Internet?
</para>
</listitem>
<listitem>
<para>
How much access do you want to allow to your system from the Internet?
</para>
</listitem>
<listitem>
<para>
What action will you take if you discover a breach in your security?
</para>
</listitem>
</itemizedlist>
This list is not very comprehensive, and your policy will probably encompass a lot more before it is completed. Any security policy must be based on some degree of paranoia; deciding
how much you trust people, both inside and outside your organization. The policy must, however, provide a balance between allowing your users reasonable access to the
information they require to do their work and totally disallowing access to your information. The point where this line is drawn will determine your policy.
</para>
</section>
<section><?dbhtml filename="chap5sec31.html"?>
<title>Choose the right password</title>
<para>
The starting point of our Linux General Security tour is the password. Many people keep their valuable information and files on a computer, and the only thing preventing others from seeing
it is the eight-character string called a password. An unbreakable password, contrary to popular belief, does not exist. Given time and resources all passwords can be guessed either by social
engineering or by brute force.
</para>
<para>
Social engineering of server passwords and other access methods is still the easiest and most popular way to gain access to accounts and servers. Often, something as simple as posing as a
superior or executive in a company and yelling at the right person at the right time of the day yields terrific results.
</para>
<para>
Running a password cracker on a weekly basis on your system is a good idea. This helps to find and replace passwords that are easily guessed or weak. Also, a password checking mechanism
should be present to reject a weak password when a password is first chosen or an old one is changed. Character strings that are plain dictionary words, are all in the same case, or do not
contain numbers or special characters should not be accepted as a new password.
We recommend the following rules to make passwords effective:
<itemizedlist mark="dash">
<listitem>
<para>
They should be at least six characters in length, preferably eight, and include at least one numeral or special character.
</para>
</listitem>
<listitem>
<para>
They must not be trivial; a trivial password is one that is easy to guess and is usually based on the user's name, family, occupation or some other personal characteristic.
</para>
</listitem>
<listitem>
<para>
They should have an aging period, requiring a new password to be chosen within a specific time frame.
</para>
</listitem>
<listitem>
<para>
They should be revoked and reset after a limited number of concurrent incorrect retries.
</para>
</listitem>
</itemizedlist>
</para>
<para>
By default, when you install your Linux system, the minimum acceptable password length is 5. This means that when a new user is given access to the server, his or her password
need only be 5 characters long, in any mix of letters, numbers, special characters etc.
This is not enough; it must be 8.
</para>
<para>
To prevent non-security-minded people or administrators from entering just 5 characters for this valuable password, edit the rather
important <filename>/etc/login.defs</filename> file and change the value of 5 to 8.
Edit the <filename>login.defs</filename> file <userinput>vi /etc/login.defs</userinput> and change the line that reads:
<literallayout class="monospaced"><computeroutput>
PASS_MIN_LEN 5
</computeroutput></literallayout>
To read:
<literallayout class="monospaced"><computeroutput>
PASS_MIN_LEN 8
</computeroutput></literallayout>
The <filename>login.defs</filename> file is the configuration file for the login program. You should review it and make the changes appropriate to your particular system. This is where you set
other security policy settings like password expiration defaults or the minimum acceptable password length.
</para>
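<para>
The rules listed above and the <filename>login.defs</filename> change can both be expressed as a small shell script. The following is an added example, not part of the book: <function>check_password</function> applies the stated rules (minimum length 8, at least one numeral or special character, not all in one case, not based on the user name, not a plain dictionary word) and says why a candidate is rejected, and <function>set_pass_min_len</function> rewrites the <computeroutput>PASS_MIN_LEN</computeroutput> line of a <filename>login.defs</filename> file given on the command line. The word list is a tiny constructed stand-in for the cracklib dictionary, and the <filename>login.defs</filename> fragment is constructed sample data, so the script runs on a temporary copy rather than on the real file.
</para>
<para>
```shell
#!/bin/sh
# Added example (not from the book): a password check that applies the rules
# listed above, plus a helper that raises PASS_MIN_LEN in a login.defs file.
# Both take their input as arguments, so they can be tried on sample strings
# and on a copy of the file before the real /etc/login.defs is touched.
LC_ALL=C; export LC_ALL
MIN_LEN=8   # the minimum length the book requires

# A tiny constructed word list standing in for cracklib's dictionary.
WORDS="password welcome letmein secret qwerty"

# check_password PASSWORD [USERNAME]
# Returns 0 when PASSWORD satisfies the rules, 1 otherwise (and prints why).
check_password() {
    pw="$1"
    user="$2"
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    upper=$(printf '%s' "$pw" | tr 'a-z' 'A-Z')
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "rejected: shorter than $MIN_LEN characters"; return 1
    fi
    # Letters only means there is no numeral and no special character
    case "$pw" in
        *[!a-zA-Z]*) ;;
        *) echo "rejected: no numeral or special character"; return 1 ;;
    esac
    # All lower case or all upper case (a password with no letters at all
    # also fails here, which is the desired outcome)
    if [ "$pw" = "$lower" ] || [ "$pw" = "$upper" ]; then
        echo "rejected: all letters are in the same case"; return 1
    fi
    # Based on the user's name (compared case-insensitively)
    if [ -n "$user" ]; then
        luser=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
        case "$lower" in
            *"$luser"*) echo "rejected: contains the user name"; return 1 ;;
        esac
    fi
    # A plain dictionary word, possibly decorated with digits or symbols
    stripped=$(printf '%s' "$lower" | tr -cd 'a-z')
    for w in $WORDS; do
        if [ "$stripped" = "$w" ]; then
            echo "rejected: based on the dictionary word '$w'"; return 1
        fi
    done
    echo "accepted"
    return 0
}

# set_pass_min_len FILE [LENGTH]
# Replaces the value on FILE's PASS_MIN_LEN line (default 8), leaving the
# rest of the file untouched. Returns 1 when FILE has no such line.
set_pass_min_len() {
    file="$1"
    len="${2:-$MIN_LEN}"
    if ! grep -q '^PASS_MIN_LEN' "$file"; then
        echo "no PASS_MIN_LEN line in $file"; return 1
    fi
    tmp=$(mktemp) || return 2
    sed "s/^\(PASS_MIN_LEN[[:space:]]*\)[0-9]*/\1$len/" "$file" > "$tmp"
    mv "$tmp" "$file"
}

# get_pass_min_len FILE
# Prints the value currently set on the PASS_MIN_LEN line.
get_pass_min_len() {
    awk '$1 == "PASS_MIN_LEN" { print $2 }' "$1"
}

# Constructed login.defs fragment in a temporary file (real file untouched)
demo_defs=$(mktemp)
printf '%s\n' '# constructed login.defs fragment' 'PASS_MAX_DAYS 99999' \
    'PASS_MIN_DAYS 0' 'PASS_MIN_LEN 5' 'PASS_WARN_AGE 7' > "$demo_defs"
set_pass_min_len "$demo_defs"
echo "PASS_MIN_LEN is now $(get_pass_min_len "$demo_defs")"

# Try the rules on a few constructed candidates for the user "gmourani"
for candidate in secret verysecret VERYSECRET9 'Password1!' 'Gmourani99!' 'Tr0ub4dor+x'; do
    printf '%-14s ' "$candidate"
    check_password "$candidate" gmourani || true   # non-zero status means rejected
done
```
</para>
<para>
Of the six candidates only <computeroutput>Tr0ub4dor+x</computeroutput> is accepted; each of the others trips exactly one of the rules, in the order the script tests them. One check worth doing alongside the <filename>login.defs</filename> edit: on a PAM-based system the password-changing programs consult the PAM password stack, so the effective minimum length is also governed by the <computeroutput>pam_cracklib</computeroutput> settings in the <filename>/etc/pam.d/</filename> configuration for <command>passwd</command>; make sure both places agree on 8.
</para>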
</section>
<section><?dbhtml filename="chap5sec32.html"?>
<title>The root account</title>
<para>
The <emphasis>root</emphasis> account is the most privileged account on a Unix system. The <emphasis>root</emphasis> account has no security restrictions imposed upon it. This means the
system assumes you know what you are doing, and will do exactly what you request, <emphasis>no questions asked</emphasis>. It is therefore easy, with a mistyped command, to wipe out crucial system files. When
using this account it is important to be as careful as possible. For security reasons, never log in on your server as <emphasis>root</emphasis> unless the task absolutely
requires root access. Also, if you are not at your server, never sign in and leave yourself logged on as <emphasis>root</emphasis>; <emphasis>this is very, very, very bad practice</emphasis>.
</para>
<para>
<emphasis>Set a login time-out for the root account</emphasis>. Despite the advice never to sign in as <emphasis>root</emphasis> and leave the session unattended, administrators
still stay logged on as <emphasis>root</emphasis>, or forget to log out after finishing their work, and leave their terminals unattended. The way to solve this problem is to make the bash shell
log out automatically after it has not been used for a period of time. To do that, set the special shell variable <envar>TMOUT</envar> to the number of seconds of no input after which the shell logs out.
Edit your profile file <filename>/etc/profile</filename> and add the following line somewhere after the line that reads <envar>HISTFILESIZE=</envar> in this file:
<screen>
TMOUT=7200
</screen>
The value we enter for the variable <envar>TMOUT=</envar> is in seconds and represents 2 hours (60 * 60 = 3600 seconds per hour, and 3600 * 2 = 7200 seconds). Note that if you put the above line
in your <filename>/etc/profile</filename> file, the automatic logout after two hours of inactivity will apply to all users on the system. If you prefer to control which users are automatically
logged out and which are not, set this variable in their individual <filename>.bashrc</filename> files instead.
After this parameter has been set on your system, you must log out and log in again as root for the change to take effect.
</para>
</section>
<section><?dbhtml filename="chap5sec33.html"?>
<title>The <filename>/etc/exports</filename> file</title>
<para>
If you are exporting file systems using <acronym>NFS</acronym> service, be sure to configure the <filename>/etc/exports</filename> file with the most restrictive access possible. This means not using wildcards, not allowing root write access, and mounting read-only wherever possible.
<example>
<title>Export file systems using <acronym>NFS</acronym></title>
<para>
Edit the exports file vi <filename>/etc/exports</filename> and add:
<programlisting>
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
</programlisting>
Where:
<itemizedlist mark="opencircle">
<listitem><para>
<filename>/dir/to/export</filename> is the directory you want to export.
</para></listitem>
<listitem><para>
<literal>host1.mydomain.com</literal> and <literal>host2.mydomain.com</literal> are the machines allowed to mount this directory.
</para></listitem>
<listitem><para>
The <literal>ro</literal> option means the directory is mounted read-only.
</para></listitem>
<listitem><para>
The <literal>root_squash</literal> option prevents the client's root user from having root (and thus write) access in this directory.
</para></listitem>
</itemizedlist>
</para>
</example>
For this change to take effect you will need to run the following command on your terminal:
<screen>
[root@deep] /# <command>/usr/sbin/exportfs</command> -a
</screen>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Please be aware that having an <acronym>NFS</acronym> service available on your system can be a security risk. Personally, I don't recommend using it.
</para>
</note>
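<para>
As an added example (not from the original book), the following Python script checks an exports file for the three weaknesses this section warns about: wildcard clients, read-write exports and exports that do not squash root. The sample exports text inside it is constructed for the demonstration and includes the two recommended lines shown above.
</para>
<para>
```python
"""Audit an /etc/exports file for the weaknesses this section warns about:
wildcard clients, read-write exports and exports that do not squash root.

Added example; the sample exports text below is constructed for the demo.
"""
import re

# Constructed sample: the two recommended lines from the text plus weak ones.
SAMPLE_EXPORTS = """\
# exported directories (constructed sample, not a real server's file)
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/home          *.mydomain.com(rw)
/srv/data      host3.mydomain.com(rw,no_root_squash) 192.168.1.0/24(ro)
/pub           (ro)
"""

# A client spec is "host", "host(opt,opt)" or a bare "(opt,opt)" for every host.
CLIENT_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Return (directory, client, options) tuples, one per client on each line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        directory, clients = fields[0], fields[1:]
        if not clients:
            clients = [""]                      # a directory alone is exported to everyone
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if m is None:
                continue
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((directory, m.group(1), opts))
    return entries


def audit_export(host, opts):
    """Return the list of problems for one client entry (empty list means clean)."""
    problems = []
    if host == "" or "*" in host or "?" in host:
        problems.append("wildcard client")
    if "rw" in opts:
        problems.append("read-write export")
    elif "ro" not in opts:
        problems.append("neither ro nor rw given; set ro explicitly")
    if "no_root_squash" in opts:
        problems.append("root access allowed (no_root_squash)")
    elif "root_squash" not in opts:
        problems.append("root_squash not stated explicitly")
    return problems


def audit_exports(text):
    """Map 'directory client' to its problems for every entry in the exports text."""
    report = {}
    for directory, host, opts in parse_exports(text):
        key = "%s %s" % (directory, host or "(everyone)")
        report[key] = audit_export(host, opts)
    return report


if __name__ == "__main__":
    for key, problems in audit_exports(SAMPLE_EXPORTS).items():
        print(key + ":", ", ".join(problems) or "ok")
```
</para>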
</section>
<section id="p2ch1sct16"><?dbhtml filename="chap5sec34.html"?>
<title>Disable console program access</title>
<para>
In a safe environment, where we are sure that the console is secured because passwords for the BIOS and LILO are set and all physical power and reset switches on the system are disabled, it may be advantageous to entirely disable all
console-equivalent access to programs like shutdown, reboot, and halt for regular users on your server.
To do this, run the following command:
<screen>
[root@deep] /# <command>rm</command> -f /etc/security/console.apps/&lt;servicename&gt;
</screen>
Where &lt;servicename&gt; is the name of the program to which you wish to disable console-equivalent access. Unless you use xdm, however, be careful not to remove the xserver file or no one but root will be able to start the <literal>X server</literal>.
If you always use xdm to start the <literal>X server</literal>, root is the only user that needs to start X, in which case you might actually want to remove the xserver file.
</para>
<example>
<title>Disable console-equivalent access</title>
<para>
<screen>
[root@deep] /# <command>rm</command> -f /etc/security/console.apps/halt
[root@deep] /# <command>rm</command> -f /etc/security/console.apps/poweroff
[root@deep] /# <command>rm</command> -f /etc/security/console.apps/reboot
[root@deep] /# <command>rm</command> -f /etc/security/console.apps/shutdown
[root@deep] /# <command>rm</command> -f /etc/security/console.apps/xserver <co id="prt2c012sc15"/>
</screen>
<calloutlist>
<callout arearefs="prt2c012sc15"><para>
if removed, root will be the only user able to start <literal>X</literal>.
</para>
</callout>
</calloutlist>
This will disable console-equivalent access to the programs halt, poweroff, reboot, and shutdown. Once again, the xserver file applies only if you have installed the X Window interface on your system.
</para>
</example>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
If you are following our setup installation, the X Window interface is not installed on your server and the files described above will not appear in the <filename>/etc/security</filename> directory, so
you can safely ignore the above steps.
</para>
</note>
</section>
<section><?dbhtml filename="chap5sec35.html"?>
<title>Disable all console access</title>
<para>
The Linux-PAM library installed by default on your system allows the system administrator to choose how applications authenticate users, for console access as well as program and file access. In order to disable all these accesses for the
users, you must comment out all lines that refer to <filename>pam_console.so</filename> in the <filename class="directory">/etc/pam.d/</filename> directory. This step is a continuation of the above hack <link linkend="p2ch1sct16">Disable console program access</link>.
The following script will do the trick automatically for you. As root, create the <filename>disabling.sh</filename> script file (<command>touch</command> <filename>disabling.sh</filename>) and add the following lines inside:
<programlisting>
#!/bin/sh
# Comment out every still-active line (one not already starting with #)
# that loads pam_console.so in the PAM configuration files.
cd /etc/pam.d || exit 1
for i in * ; do
  [ -f "$i" ] || continue
  sed '/^[^#].*pam_console\.so/s/^/#/' &lt; "$i" &gt; foo &amp;&amp; mv foo "$i"
done
</programlisting>
Make this script executable with the following command and execute it:
<screen>
[root@deep] /# <command>chmod</command> 700 disabling.sh
[root@deep] /# <command>./disabling.sh</command>
</screen>
This will comment out all lines that refer to <filename>pam_console.so</filename> for all files located under <filename class="directory">/etc/pam.d</filename> directory. Once the script has been executed, you can remove it from your system.
</para>
</section>
<section><?dbhtml filename="chap5sec36.html"?>
<title>The inetd - <filename>/etc/inetd.conf</filename> file</title>
<para>
inetd, also called the <emphasis>super server</emphasis>, loads a network program based upon a request from the network. The <filename>inetd.conf</filename> file tells inetd which ports to listen on and what server to start for each port.
</para>
<para>
The first thing to look at as soon as you put your Linux system on ANY network is what services you need to offer. Services that you do not need to offer should be disabled and uninstalled so that you have one less thing to worry about, and
attackers have one less place to look for a hole. Look at your <filename>/etc/inetd.conf</filename> file to see what services are being offered by your inetd program. Disable what you do not need by commenting the services out, adding a <prompt>#</prompt> at
the beginning of the line, and then send your inetd process a <command>SIGHUP</command> signal so that it re-reads the current <filename>inetd.conf</filename> file.
</para>
<procedure>
<step>
<para>
Change the permissions on this file to 600.
<screen>
[root@deep] /# <command>chmod</command> 600 /etc/inetd.conf
</screen>
</para>
</step>
<step>
<para>
Ensure that the owner is root.
<screen>
[root@deep] /# <command>stat</command> /etc/inetd.conf
</screen>
<literallayout class="monospaced"><computeroutput>
File: &quot;/etc/inetd.conf"
Size: 2869 Filetype: Regular File
Mode: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 8,6 Inode: 18219 Links: 1
Access: Wed Sep 22 16:24:16 1999(00000.00:10:44)
Modify: Mon Sep 20 10:22:44 1999(00002.06:12:16)
Change: Mon Sep 20 10:22:44 1999(00002.06:12:16)
</computeroutput></literallayout>
</para>
</step>
<step>
<para>
Edit the <filename>inetd.conf</filename> file, <command>vi</command> <filename>/etc/inetd.conf</filename>, and disable services like ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger,
auth, etc. unless you plan to use them. If a service is turned off, it is much less of a risk.
<programlisting>
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
#time stream tcp nowait root internal
#time dgram udp wait root internal
#
# These are standard services.
#
#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
#comsat dgram udp wait root /usr/sbin/tcpd in.comsat
#talk dgram udp wait root /usr/sbin/tcpd in.talkd
#ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd
#dtalk stream tcp wait nobody /usr/sbin/tcpd in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap stream tcp nowait root /usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
#uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp dgram udp wait root /usr/sbin/tcpd in.tftpd
#bootps dgram udp wait root /usr/sbin/tcpd bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
#finger stream tcp nowait root /usr/sbin/tcpd in.fingerd
#cfinger stream tcp nowait root /usr/sbin/tcpd in.cfingerd
#systat stream tcp nowait guest /usr/sbin/tcpd /bin/ps -auwwx
#netstat stream tcp nowait guest /usr/sbin/tcpd /bin/netstat -f inet
#
# Authentication
#
#auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
#
# End of inetd.conf
</programlisting>
</para>
</step>
<step>
<para>
<screen>
[root@deep] /# <command>killall</command> -HUP inetd
</screen>
</para>
</step>
<step>
<para>
One more security measure you can take to secure the <filename>inetd.conf</filename> file is to set it immutable, using the chattr command.
To set the file immutable, simply execute the following command:
<screen>
[root@deep] /# <command>chattr</command> +i /etc/inetd.conf
</screen>
This will prevent any changes, accidental or otherwise, to the <filename>inetd.conf</filename> file. A file with the immutable attribute set cannot be modified,
deleted or renamed, no link can be created to this file and no data can be written to it. The only person that can set or clear this attribute
is the super-user root. If you later wish to modify the <filename>inetd.conf</filename> file, you will need to unset the immutable flag; to do so, simply execute the following command:
<screen>
[root@deep] /# <command>chattr</command> -i /etc/inetd.conf
</screen>
</para>
</step>
</procedure>
<note>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject>
</title>
<para>
Don't forget to send your inetd process a <command>SIGHUP</command> signal (<userinput>killall -HUP inetd</userinput>) after making changes to your <filename>inetd.conf</filename> file. The services you enable on a selected
host depend on the functions you want the host to provide. Functions could support the selected network service, other services hosted on this computer, or development and maintenance
of the operating system and applications.
</para>
</note>
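<para>
The following Python script, added here as an example and not part of the original book, parses an inetd.conf in the format shown above and reports which services are still active, flagging those the text lists for disabling and any that are not started through <filename>/usr/sbin/tcpd</filename> (the hosts.allow and hosts.deny controls of the next section do not apply to those). The sample configuration inside it is constructed.
</para>
<para>
```python
"""List the inetd services still active in an inetd.conf and flag the ones this
section says to disable unless needed.

Added example; the sample configuration below is constructed, modelled on the
Red Hat inetd.conf shown above.
"""

# Services the text advises disabling unless you actually use them.
RISKY_SERVICES = {
    "ftp", "telnet", "shell", "login", "exec", "talk", "ntalk",
    "imap", "pop-2", "pop-3", "finger", "auth",
}

SAMPLE_INETD_CONF = """\
# Constructed sample: most lines commented out as recommended, a few left on.
echo     stream  tcp     nowait  root    internal
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger   stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
auth     stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
"""


def parse_inetd_conf(text):
    """Return the active (uncommented) entries as dicts.

    inetd.conf fields: service socket-type protocol wait/nowait user server [args].
    """
    active = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if not fields[5:]:                      # malformed: fewer than six fields
            continue
        active.append({
            "service": fields[0],
            "socket": fields[1],
            "protocol": fields[2],
            "wait": fields[3],
            "user": fields[4],
            "server": fields[5],
            "args": fields[6:],
            # Started via the tcpd wrapper, so hosts.allow/hosts.deny apply to it.
            "wrapped": fields[5].endswith("/tcpd"),
        })
    return active


def audit_inetd_conf(text):
    """Return (active service names, findings per active service)."""
    active = parse_inetd_conf(text)
    findings = {}
    for entry in active:
        notes = []
        if entry["service"] in RISKY_SERVICES:
            notes.append("listed in the text as a service to disable unless needed")
        if entry["server"] != "internal" and not entry["wrapped"]:
            notes.append("not started through /usr/sbin/tcpd; hosts.allow/deny do not apply")
        findings[entry["service"]] = notes
    return [e["service"] for e in active], findings


if __name__ == "__main__":
    names, findings = audit_inetd_conf(SAMPLE_INETD_CONF)
    print("active services:", ", ".join(names))
    for name in names:
        print(name + ":", "; ".join(findings[name]) or "no concerns")
```
</para>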
</section>
<section><?dbhtml filename="chap5sec37.html"?>
<title>TCP_WRAPPERS</title>
<para>
By default Red Hat Linux allows all service requests. Using TCP_WRAPPERS makes securing your servers against outside intrusion a lot simpler and less painful than you would expect. Deny all hosts by
putting <envar>ALL: ALL@ALL, PARANOID</envar> in the <filename>/etc/hosts.deny</filename> file and explicitly list the trusted hosts that are allowed to access your machine in the <filename>/etc/hosts.allow</filename> file. This
is the safest and best configuration. TCP_WRAPPERS is controlled from two files, and the search stops at the first match:
<simplelist>
<member><filename>
/etc/hosts.allow
</filename></member>
<member><filename>
/etc/hosts.deny
</filename></member>
</simplelist>
</para>
<para>
Access will be granted when a daemon, client pair matches an entry in the <filename>/etc/hosts.allow</filename> file.
Otherwise, access will be denied when a daemon, client pair matches an entry in the <filename>/etc/hosts.deny</filename> file.
Otherwise, access will be granted.
</para>
<procedure>
<step>
<para>
Edit the <filename>hosts.deny</filename> file vi <filename>/etc/hosts.deny</filename> and add the following lines:
<emphasis>Access is denied by default</emphasis>.
<programlisting>
# Deny access to everyone.
ALL: ALL@ALL, PARANOID # Matches any host whose name does not match its address, see below.
</programlisting>
This means all services from all locations, so any service not explicitly allowed is blocked unless access is permitted by an entry in the allow file.
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
<emphasis>With the PARANOID parameter:</emphasis> if you intend to run telnet or ftp services on your server, don't forget to add the client's machine name and <acronym>IP</acronym> address to
your <filename>/etc/hosts</filename> file on the server, or you can expect to wait several minutes for the <acronym>DNS</acronym> lookup to time out before you get a
<prompt>login:</prompt> prompt.
</para>
</note>
</para>
</step>
<step>
<para>
Edit the <filename>hosts.allow</filename> file, <command>vi</command> <filename>/etc/hosts.allow</filename>, and add, for example, the following line.
The explicitly authorized hosts are listed in the allow file:
<programlisting>
sshd: 208.164.186.1 gate.openna.com
</programlisting>
For your client machine, <literal>208.164.186.1</literal> is the <acronym>IP</acronym> address and <literal>gate.openna.com</literal> the host
name of one of your clients allowed to use sshd.
</para>
</step>
<step>
<para>
The tcpdchk program is the <literal>tcpd wrapper</literal> configuration checker. It examines your <literal>tcp wrapper</literal> configuration and reports all potential and real problems it can find.
After your configuration is done, run the program tcpdchk.
<screen>
[root@deep] /# <command>tcpdchk</command>
</screen>
</para>
</step>
</procedure>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Error messages may look like this:
<literallayout class="monospaced"><computeroutput>
warning: /etc/hosts.allow,
line 6: can't verify hostname: gethostbyname(win.openna.com) failed.
</computeroutput>
</literallayout>
If you receive this kind of error message, check in your <acronym>DNS</acronym> configuration file
for the existence of this hostname.
</para></note>
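<para>
The search order described above (hosts.allow first, then hosts.deny, then grant by default), as an added example that is not part of the original book: a simplified Python re-implementation of the tcpd matching rules, fed with the <literal>ALL: ALL@ALL, PARANOID</literal> and <literal>sshd: 208.164.186.1 gate.openna.com</literal> entries from this section. The client records and their DNS results are constructed; netmask patterns and the optional shell-command field are not handled.
</para>
<para>
```python
"""Evaluate the hosts.allow / hosts.deny search order described above.

Added example: a simplified re-implementation of the tcpd matching rules, not the
real libwrap.  It understands ALL, LOCAL, UNKNOWN, PARANOID, exact host names,
".domain" suffixes, "1.2.3." prefixes and user@host patterns; netmask patterns
and the optional shell-command field are not handled.  Rules are the ones used
in this section; the client records and their DNS results are constructed.
"""

HOSTS_DENY = """\
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
"""

HOSTS_ALLOW = """\
sshd: 208.164.186.1 gate.openna.com
"""

# Constructed clients: name = reverse lookup of addr (None if it failed),
# forward = addresses the name resolves to.
CLIENTS = {
    "gate":     {"name": "gate.openna.com", "addr": "208.164.186.1", "forward": ["208.164.186.1"]},
    "win":      {"name": "win.openna.com",  "addr": "208.164.186.2", "forward": ["208.164.186.2"]},
    # Reverse DNS claims to be gate, but gate's name does not map back to this address.
    "spoofed":  {"name": "gate.openna.com", "addr": "10.0.0.5",      "forward": ["208.164.186.1"]},
    "nameless": {"name": None,              "addr": "10.0.0.9",      "forward": []},
}


def _tokens(field):
    return field.replace(",", " ").split()


def parse_rules(text):
    """Return (daemon_patterns, client_patterns) pairs; comments and blanks skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        parts = line.split(":")             # a third field (shell command) is ignored
        rules.append((_tokens(parts[0]), _tokens(parts[1])))
    return rules


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern, client):
    """Match one client pattern; like tcpd, a host name that does not map back to
    the connecting address is never trusted for name-based patterns."""
    if "@" in pattern:                      # user@host: only the host part is checked
        pattern = pattern.split("@", 1)[1]
    addr, name = client["addr"], client["name"]
    verified = name is not None and addr in client["forward"]
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":               # name does not match its address
        return name is not None and not verified
    if pattern == "UNKNOWN":                # reverse lookup failed
        return name is None
    hostname = name if verified else None
    if pattern == "LOCAL":                  # host name without a dot
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):             # .openna.com matches gate.openna.com
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):               # 208.164.186. matches 208.164.186.1
        return addr.startswith(pattern)
    return pattern == addr or pattern == hostname


def list_matches(daemons, clients, daemon, client):
    return any(daemon_matches(d, daemon) for d in daemons) and any(
        client_matches(c, client) for c in clients)


def access_decision(allow_text, deny_text, daemon, client):
    """tcpd search order: hosts.allow, then hosts.deny, then grant by default."""
    for daemons, clients in parse_rules(allow_text):
        if list_matches(daemons, clients, daemon, client):
            return "granted (hosts.allow)"
    for daemons, clients in parse_rules(deny_text):
        if list_matches(daemons, clients, daemon, client):
            return "denied (hosts.deny)"
    return "granted (no match in either file)"


if __name__ == "__main__":
    for label, client in CLIENTS.items():
        for daemon in ("sshd", "in.telnetd"):
            print(label, daemon, access_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, client))
```
</para>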
<section><?dbhtml filename="chap5sec38.html"?>
<title>Don't display system issue file</title>
<para>
If you don't want your system's issue file to be displayed when people log in remotely, you can change the telnet option in your <filename>/etc/inetd.conf</filename> file to look like:
<screen>
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
</screen>
Adding the <literal>-h</literal> flag on the end will cause the daemon to not display any system information and just present the user with a <prompt>login:</prompt> prompt. This hack is only necessary if you are using a telnet daemon on
your server; instead, I recommend you use SSH.
</para>
</section>
</section>
<section><?dbhtml filename="chap5sec39.html"?>
<title>The <filename>/etc/host.conf</filename> file</title>
<para>
Linux uses a resolver library to obtain the <acronym>IP</acronym> address corresponding to a host name. The <filename>/etc/host.conf</filename> file specifies how names are resolved. The entries in the <filename>/etc/host.conf</filename>
file tell the resolver library what services to use, and in what order, to resolve names. Edit the <filename>host.conf</filename> file, <command>vi</command> <filename>/etc/host.conf</filename>, and add the following lines:
<programlisting>
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple <acronym>IP</acronym> addresses.
multi on
# Check for <acronym>IP</acronym> address spoofing.
nospoof on
</programlisting>
</para>
<para>
The <parameter class="option">order</parameter> option indicates the order of services. The sample entry specifies that the resolver library should first consult the name server to resolve a name and then check the <filename>/etc/hosts</filename> file. It is
recommended to set the resolver library to first check the name server, <literal>bind</literal> and then the hosts file (hosts) for better performance and security on all your servers. Of course you must have the <acronym>DNS/BIND</acronym> software installed
or this configuration will not work.
</para>
<para>
The <parameter class="option">multi</parameter> option determines whether a host in the <filename>/etc/hosts</filename> file can have multiple <acronym>IP</acronym> addresses, <abbrev>i.e.</abbrev> multiple interfaces <literal>ethN</literal>. Hosts that have more than one <acronym>IP</acronym>
address are said to be multihomed, because the presence of multiple <acronym>IP</acronym> addresses implies that the host has several network interfaces. As an example, a Gateway Server will always have multiple <acronym>IP</acronym> addresses and must have this
option set to <userinput>ON</userinput>.
</para>
<para>
The <parameter class="option">nospoof</parameter> option tells the resolver library not to permit spoofing on this machine. <acronym>IP</acronym>-Spoofing is a security exploit that works by tricking computers in a trust relationship into believing that you are someone you really
aren't. In this type of attack, a machine is set up to look like a legitimate server and then issues connections and other types of network activity to legitimate end systems, other servers or large data repository
systems. This option must be set <userinput>ON</userinput> for all types of servers.
</para>
</section>
<section><?dbhtml filename="chap5sec40.html"?>
<title>The /etc/services file</title>
<para>
The port numbers on which certain <emphasis>standard</emphasis> services are offered are defined in RFC 1700, <emphasis>Assigned Numbers</emphasis>. The <filename>/etc/services</filename> file enables server and client programs to convert service names to these
numbers, the <literal>ports</literal>. The list is kept on each host and is stored in the file <filename>/etc/services</filename>. Only the "root" user is allowed to make modifications to this file, and it is rare to edit the <filename>/etc/services</filename>
file since it already maps the more common service names to port numbers. To improve security, we can immunize this file to prevent unauthorized deletion or addition of services.
To immunize the <filename>/etc/services</filename> file, use the command:
<screen>
[root@deep] /# <command>chattr</command> +i /etc/services
</screen>
</para>
</section>
<section><?dbhtml filename="chap5sec41.html"?>
<title>The <filename>/etc/securetty</filename> file</title>
<para>
The <filename>/etc/securetty</filename> file allows you to specify which TTY devices the root user is allowed to log in on. The <filename>/etc/securetty</filename> file is read by the login program, usually <filename>/bin/login</filename>. Its format is a list of the
tty device names allowed; for all others that are commented out or do not appear in this file, root login is disallowed. Disable any tty that you do not need by commenting it out with a <prompt>#</prompt> at the beginning of the line.
Edit the securetty file, <command>vi</command> <filename>/etc/securetty</filename>, and comment out the following lines:
<programlisting>
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
</programlisting>
This means root is allowed to log in only on <prompt>tty1</prompt>. This is my recommendation: allow root to log in on only one tty device and use the <command>su</command> command to switch to root when you need root on other devices.
</para>
</section>
<section><?dbhtml filename="chap5sec42.html"?>
<title>Special accounts</title>
<para>
It is important to <envar>DISABLE ALL</envar> default vendor accounts that you don't use on your system; some accounts exist by default even if you have not installed the related services on your server. This
should be checked after each upgrade or new software installation. Linux provides these accounts for various system activities, which you may not need if the services are not installed on your
server. If you do not need the accounts, remove them. The more accounts you have, the easier it is for someone to gain access to your system.
</para>
<para>
We assume you are using the Shadow password suite on your Linux system. If you are not, you should consider doing so, as it helps to tighten up security somewhat. This must already be set if
you've followed our instructions till now and selected, under the <link linkend="pr1ch2sc7">Authentication Configuration</link>, the option to <command>Enable Shadow Passwords</command>; see
<link linkend="pr1ch2sc7">Post Partitioning</link> for more information.
To delete a user on your system, use the command:
<screen>
[root@deep] /# <command>userdel</command> username
</screen>
To delete a group on your system, use the command:
<screen>
[root@deep] /# <command>groupdel</command> groupname
</screen>
</para>
<procedure>
<step>
<para>
Type the following commands on your terminal to delete users listed below:
<screen>
[root@deep] /# <command>userdel</command> adm
[root@deep] /# <command>userdel</command> lp
[root@deep] /# <command>userdel</command> sync
[root@deep] /# <command>userdel</command> shutdown
[root@deep] /# <command>userdel</command> halt
[root@deep] /# <command>userdel</command> news
[root@deep] /# <command>userdel</command> uucp
[root@deep] /# <command>userdel</command> operator
[root@deep] /# <command>userdel</command> games <co id="pr2ch1s22co1"/>
[root@deep] /# <command>userdel</command> gopher
[root@deep] /# <command>userdel</command> ftp <co id="pr2ch1s22co2"/>
</screen>
<calloutlist>
<callout arearefs="pr2ch1s22co1"><para>
Delete this user if you don't use X Window Server.
</para></callout>
<callout arearefs="pr2ch1s22co2"><para>
Delete this user if you don't use ftp anonymous server.
</para></callout>
</calloutlist>
<emphasis>
By default, the <command>userdel</command> command will not delete a user's home directory. If you want the home directories of accounts to be deleted too, then
add the <literal>-r</literal> option to the userdel command.
</emphasis>
</para>
</step>
<step>
<para>
Type the following commands on your terminal to delete the user groups listed below:
<screen>
[root@deep] /# <command>groupdel</command> adm
[root@deep] /# <command>groupdel</command> lp
[root@deep] /# <command>groupdel</command> news
[root@deep] /# <command>groupdel</command> uucp
[root@deep] /# <command>groupdel</command> games <co id="pr2ch1s22co3"/>
[root@deep] /# <command>groupdel</command> dip
[root@deep] /# <command>groupdel</command> pppusers
[root@deep] /# <command>groupdel</command> popusers <co id="pr2ch1s22co4"/>
[root@deep] /# <command>groupdel</command> slipusers
</screen>
<calloutlist><callout arearefs="pr2ch1s22co3"><para>
Delete this group if you don't use X Window Server.
</para></callout>
<callout arearefs="pr2ch1s22co4"><para>
Delete this group if you don't use pop server for email.
</para></callout>
</calloutlist>
</para>
</step>
<step>
<para>
Add the necessary users to the system. To add a new user on your system, use the command:
<screen>
[root@deep] /# <command>useradd</command> username
</screen>
To add or change the password for a user on your system, use the command:
<screen>
[root@deep] /# <command>passwd</command> username
</screen>
For example:
<screen>
[root@deep] /# <command>useradd</command> admin
[root@deep] /# <command>passwd</command> admin
</screen>
The output should look something like this:
<literallayout class="monospaced"><computeroutput>
Changing password for user admin
New UNIX password: somepasswd
passwd: all authentication tokens updated successfully
</computeroutput></literallayout>
</para>
</step>
<step>
<para>
The immutable bit can be used to prevent accidentally deleting or overwriting a file that must be protected. It also prevents someone from creating a symbolic link to this file, which has been the source of attacks involving the deletion
of <filename>/etc/passwd</filename>, <filename>/etc/shadow</filename>, <filename>/etc/group</filename> or <filename>/etc/gshadow</filename>.
To set the immutable bit on the passwords and groups files, use the command:
<screen>
[root@deep] /# <command>chattr</command> +i /etc/passwd
[root@deep] /# <command>chattr</command> +i /etc/shadow
[root@deep] /# <command>chattr</command> +i /etc/group
[root@deep] /# <command>chattr</command> +i /etc/gshadow
</screen>
</para>
</step>
</procedure>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
In the future, if you intend to add or delete users, passwords, user groups, or group files, you must unset the immutable bit on all those files or you will not be able to make your changes. Also, if you intend to install an RPM package that will automatically add a new user to the different
immunized passwd and group files, then you will receive an error message during the install if you have not unset the immutable bit from those files.
</para>
</note>
</section>
<section><?dbhtml filename="chap5sec43.html"?>
<title>Blocking <command>su</command> to root by one and sundry</title>
<para>
The <command>su</command> (Substitute User) command allows you to become another existing user on the system. For example, you can temporarily become root and execute commands as the super-user root. If you don't want anyone to su to root, or want to restrict the <command>su</command> command to
certain users, then add the following two lines to the top of your <command>su</command> configuration file in the <filename class="directory">/etc/pam.d/</filename> directory. We highly recommend that you limit the people
allowed to <command>su</command> to the root account.
</para>
<procedure>
<step>
<para>
Edit the su file vi <filename>/etc/pam.d/su</filename> and add the following two lines to the top of the file:
<programlisting>
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
</programlisting>
After adding the two lines above, the <filename>/etc/pam.d/su</filename> file should look like this:
<programlisting>
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=wheel
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow use_authtok nullok
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_xauth.so
</programlisting>
This means only members of the wheel group can su to root; it also includes
logging (the <literal>debug</literal> option). Note that the wheel group is a special group on your system that can be used for this purpose. You cannot
use any group name you want for this hack. This hack, combined with specifying which TTY devices root is allowed to
log in on, will improve the security of your system a lot.
</para>
</step>
<step>
<para>
Now that we have defined the wheel group in our <filename>/etc/pam.d/su</filename> configuration file, it is time to add some users allowed to su to the
root account. If you want to make, for example, the user admin a member of the wheel group, and thus able to su to root, use the following command:
<screen>
[root@deep] /# <command>usermod</command> -G10 admin
</screen>
<itemizedlist>
<listitem><para>
<literal>-G</literal> gives the list of supplementary groups the user is also a member of,
</para></listitem>
<listitem><para>
<literal>10</literal> is the numeric <acronym>ID</acronym> of the wheel group,
</para></listitem>
<listitem><para>
admin is the user we want to add to the wheel group.
</para></listitem>
</itemizedlist>
Use the same command above for all users on your system that you want to be able to su to the
root account.
<emphasis>
If you can't <command>su</command> in a <acronym>GNOME</acronym> terminal, it's because you've used the wrong terminal. So don't think that this advice simply doesn't work because of a terminal problem!
</emphasis>
</para>
</step>
</procedure>
</section>
<section><?dbhtml filename="chap5sec44.html"?>
<title>Put limits on resource</title>
<para>
The <filename>limits.conf</filename> file located under the <filename>/etc/security</filename> directory can be used to control and limit resources for the users on your system. It is important to set resource limits on all your
users so they can't perform denial of service attacks (number of processes, amount of memory, etc.). These limits will have to be set up for the user when he or she logs in. For example, limits
for all users on your system might look like this.
</para>
<procedure>
<step>
<para>
Edit the <filename>limits.conf</filename> file vi <filename>/etc/security/limits.conf</filename> and add or change the lines to read:
<programlisting>
* hard core 0
* hard rss 5000
* hard nproc 20
</programlisting>
This says to prohibit the creation of core files - <emphasis>core 0</emphasis>, restrict the number of processes to 20 - <emphasis>nproc 20</emphasis>, and restrict memory usage to 5M - <emphasis>rss 5000</emphasis> for everyone except the
super user root. All of the above only concerns users who have entered through the login prompt on your system. With this kind of quota, you have more control over the processes, core files, and memory usage that users
may have on your system. The asterisk * means: all users that log in on the server.
</para>
</step>
<step>
<para>
You must also edit the <filename>/etc/pam.d/login</filename> file and add the following line to the bottom of the file:
<screen>
session required /lib/security/pam_limits.so
</screen>
After adding the line above, the <filename>/etc/pam.d/login</filename> file should look like this:
<programlisting>
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so
#session optional /lib/security/pam_console.so
</programlisting>
</para>
</step>
<step><para>
Finally edit the <filename>/etc/profile</filename> file and change the following line:
<programlisting>
ulimit -c 1000000
</programlisting>
to read:
<programlisting>
ulimit -S -c 1000000 &gt; /dev/null 2&gt;&amp;1
</programlisting>
This modification is required to avoid getting error messages like <computeroutput>Unable to reach limit</computeroutput> at <prompt>login:</prompt>.
</para></step>
</procedure>
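<para>
As an added example (not code from the book), the following sh/awk script resolves which <filename>limits.conf</filename> entry applies to a given user, using the pam_limits precedence rules: an explicit user entry beats an @group entry, which beats the * wildcard, and group and wildcard entries are not applied to root (the rule noted in the stock <filename>limits.conf</filename>). The sample file, the user names and the group membership passed as arguments are constructed for the demonstration.
</para>

```sh
#!/bin/sh
# Added example, not from the book: work out which limits.conf entry pam_limits
# would apply to a given user. Precedence follows the pam_limits rules: an
# explicit user entry beats an @group entry, which beats the "*" wildcard; the
# last line of the winning class is the one used; group and wildcard entries
# are never applied to root. Group membership is passed in as an argument so
# the script runs without consulting /etc/group.

# Constructed sample; the three "*" lines are the ones from this section.
SAMPLE_LIMITS='# domain   type  item   value
*          hard  core   0
*          hard  rss    5000
*          hard  nproc  20
@devs      hard  nproc  50
alice      hard  nproc  100
alice      hard  core   unlimited
'

# effective_limit USER GROUPS TYPE ITEM   (GROUPS is a comma-separated list)
# Prints the value that applies, or "unset" when no entry matches.
effective_limit() {
    printf '%s' "$SAMPLE_LIMITS" |
    awk -v user="$1" -v groups="$2" -v type="$3" -v item="$4" '
    BEGIN {
        n = split(groups, g, ",")
        for (i = n; i > 0; i--) ingroup[g[i]] = 1
        best = 99; val = "unset"
    }
    /^[[:space:]]*#/ || NF == 0 { next }         # comments and blank lines
    $2 == type {
        if ($3 != item) next
        prio = 99                                 # 99 = this line does not apply
        if ($1 == user) prio = 0                  # explicit user entry
        else if (user == "root") prio = 99        # root: explicit entries only
        else if ($1 == "*") prio = 2              # wildcard
        else if (substr($1, 1, 1) == "@") {
            if (substr($1, 2) in ingroup) prio = 1  # a group the user belongs to
        }
        # a later line of the same or a stronger class replaces the value
        if (prio != 99) if (!(prio > best)) { best = prio; val = $4 }
    }
    END { print val }'
}

# Report the three limits this section sets, for a user with an overriding
# entry of her own (alice), a plain group member (bob) and root.
for u in alice bob root; do
    printf '%-6s core=%s rss=%s nproc=%s\n' "$u" \
        "$(effective_limit "$u" devs hard core)" \
        "$(effective_limit "$u" devs hard rss)" \
        "$(effective_limit "$u" devs hard nproc)"
done
```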
</section>
<section><?dbhtml filename="chap5sec45.html"?>
<title>Control mounting a file system</title>
<para>
You can have more control on mounting a file system like <filename class="directory">/home</filename> and <filename class="directory">/tmp</filename> partitions with some nifty options like noexec, nodev, and nosuid. This can be
setup in the <filename>/etc/fstab</filename> text file. The fstab file contains descriptive information about the various file systems mount options; each line addresses one file system.
Details regarding the security options in the fstab text file are:
<segmentedlist>
<segtitle>defaults</segtitle>
<segtitle>noquota</segtitle>
<segtitle>nosuid</segtitle>
<segtitle>nodev</segtitle>
<segtitle>noexec</segtitle>
<segtitle>quota</segtitle>
<segtitle>ro</segtitle>
<segtitle>rw</segtitle>
<segtitle>suid</segtitle>
<seglistitem>
<seg>Allow everything (quota, read-write, and suid) on this partition.</seg>
<seg>Do not set users quotas on this partition.</seg>
<seg>Do not set <acronym>SUID/SGID</acronym> access on this partition.</seg>
<seg>Do not interpret character or block special devices on this partition.</seg>
<seg>Do not set execution of any binaries on this partition.</seg>
<seg>Allow users quotas on this partition.</seg>
<seg>Allow read-only on this partition.</seg>
<seg>Allow read-write on this partition.</seg>
<seg>Allow <acronym>SUID/SGID</acronym> access on this partition.</seg>
</seglistitem>
</segmentedlist>
For more information on options that you can set in the fstab file, see the man page <citerefentry><refentrytitle>mount</refentrytitle> <manvolnum>8</manvolnum></citerefentry>.
</para>
<para>
Edit the fstab file (vi <filename>/etc/fstab</filename>) and change it depending on your needs. For example:
<programlisting>
/dev/sda11 /tmp ext2 defaults 1 2
/dev/sda6 /home ext2 defaults 1 2
</programlisting>
To read:
<programlisting>
/dev/sda11 /tmp ext2 defaults,rw,nosuid,nodev,noexec 1 2
/dev/sda6 /home ext2 defaults,rw,nosuid,nodev 1 2
</programlisting>
<simplelist>
<member>
<literal>nosuid</literal>, do not allow set-user-identifier or set-group-identifier bits to take effect,
</member>
<member>
<literal>nodev</literal>, do not interpret character or block special devices on this file system partition,
</member>
<member>
<literal>noexec</literal>, do not allow execution of any binaries on the mounted file system.
</member>
</simplelist>
Note that we have added the <literal>rw</literal> option to the modified lines above. This is because the default option for these lines is defaults, which means to set quota, read-write, and suid, so we must
add the <literal>rw</literal> option to continue having read-write access on these modified file systems.
In our example above, <filename class="directory">/dev/sda11</filename> represents our <filename class="directory">/tmp</filename> directory partition on the system, and <filename class="directory">/dev/sda6</filename>
the <filename class="directory">/home</filename> directory partition. Of course this will not be the same for you, depending on how you have partitioned your hard disk and what kind of disks are installed on your system (<acronym>IDE</acronym>: hda, hdb, etc.
or <acronym>SCSI</acronym>: <literal>sda</literal>, <literal>sdb</literal>, etc.).
</para>
<para>
Once you have made the necessary adjustments to the <filename>/etc/fstab</filename> file, it is time to make the Linux system aware of the modification. This can be accomplished with the following commands:
<screen>
[root@deep] /#<command>mount</command> -oremount /home/
[root@deep] /#<command>mount</command> -oremount /tmp/
</screen>
</para>
<para>
Each file system that has been modified must be remounted with the command shown above. In our example we have modified the <filename class="directory">/home/</filename>
and <filename class="directory">/tmp/</filename> file systems, and it is for this reason that we remount these file systems with the above commands.
</para>
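<para>
As an added example (not code from the book), the following sh/awk script audits an fstab for the mount options this section adds to <filename class="directory">/tmp</filename> and <filename class="directory">/home</filename> and reports which ones are missing per mount point. The fstab text is read from standard input, so it runs on the constructed sample embedded below and, unchanged, on a real <filename>/etc/fstab</filename>; the mount points and required option sets are assumptions you would adjust to your own partitions.
</para>

```sh
#!/bin/sh
# Added example, not from the book: audit an fstab for the mount options this
# section recommends, so that a missing nosuid, nodev or noexec is noticed
# before the next remount. The fstab text is read from standard input, so the
# same function works on the constructed sample below and on a real /etc/fstab.

# Constructed sample: /tmp and /home carry the options from this section,
# /var still has the stock "defaults".
SAMPLE_FSTAB='/dev/sda1  /     ext2 defaults                        1 1
/dev/sda11 /tmp  ext2 defaults,rw,nosuid,nodev,noexec 1 2
/dev/sda6  /home ext2 defaults,rw,nosuid,nodev        1 2
/dev/sda7  /var  ext2 defaults                        1 2
'

# check_mount_options MOUNTPOINT REQUIRED_OPTIONS   (comma-separated list)
# Reads an fstab on stdin and prints "ok", "missing: ..." or "not in fstab".
check_mount_options() {
    awk -v mp="$1" -v req="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
    $2 == mp {
        found = 1
        n = split($4, opt, ",")                   # options present on the line
        for (i = n; i > 0; i--) have[opt[i]] = 1
        m = split(req, want, ",")                 # options we insist on
        missing = ""
        for (i = m; i > 0; i--) {
            if (!(want[i] in have)) missing = want[i] (missing == "" ? "" : " ") missing
        }
    }
    END {
        if (!found) print "not in fstab"
        else if (missing == "") print "ok"
        else print "missing: " missing
    }'
}

# Report on the partitions this section hardens (/home keeps exec, as in the
# book) plus /var, which the sample left at "defaults".
audit_fstab() {
    for entry in /tmp:nosuid,nodev,noexec /home:nosuid,nodev /var:nosuid,nodev; do
        mp=${entry%%:*}; req=${entry#*:}
        printf '%s %s\n' "$mp" "$(printf '%s' "$SAMPLE_FSTAB" | check_mount_options "$mp" "$req")"
    done
}
audit_fstab
```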
</section>
<section><?dbhtml filename="chap5sec46.html"?>
<title>Conceal binary <acronym>RPM</acronym> </title>
<para>
Once you have installed all the software that you need on your Linux server with the <acronym>RPM</acronym> command, it's a good idea for better security to move it to a safe
place like a floppy disk or another safe place of your choice. With this method, if someone accesses your server and has the intention to install software like trojan horses, password
thieves etc. with the <acronym>RPM</acronym> command, he shouldn't be able to do so. Of course, if in the future you want to install or upgrade new software via <acronym>RPM</acronym>, all
you have to do is put the <acronym>RPM</acronym> binary back in its original directory again. To move the <acronym>RPM</acronym> binary to the floppy disk, use the commands:
<screen>
[root@deep] /# <command>mount</command> /dev/fd0 /mnt/floppy/
[root@deep] /# <command>mv</command> /bin/rpm /mnt/floppy/
[root@deep] /# <command>umount</command> /mnt/floppy
</screen>
</para>
<para>
Never uninstall the <acronym>RPM</acronym> program completely from your system or you will be unable to reinstall it later, since to install <acronym>RPM</acronym> or other software you need to have the <acronym>RPM</acronym> commands available.
Another thing you can do is change the default permission of the rpm command from 755 to 700. With this modification, non-root users can't use the rpm program to query, install, etc., in case
you forget to move it to a safe place after installation of new programs.
To change the default permission of <filename>/bin/rpm</filename>, use the command:
<screen>
[root@deep] /# <command>chmod</command> 700 /bin/rpm
</screen>
</para>
</section>
<section><?dbhtml filename="chap5sec47.html"?>
<title>Shell logging</title>
<para>
To make it easy for you to repeat long commands, the bash shell stores up to 500 old commands in the <filename>~/.bash_history</filename> file, where <filename class="directory">~/</filename> is your home directory. Each
user that has an account on the system will have this file <filename>.bash_history</filename> in their home directory. Reducing the number of old commands the <filename>.bash_history</filename> files can
hold may protect users on the server who by mistake type their password on the command line in plain text and would otherwise have it stored for a long time in the <filename>.bash_history</filename> file.
</para>
<procedure>
<step>
<para>
The <envar>HISTFILESIZE</envar> and <envar>HISTSIZE</envar> lines in the <filename>/etc/profile</filename> file determine the number of old commands the <filename>.bash_history</filename> file for all users on your system can
hold. For all accounts I would highly recommend setting HISTFILESIZE and HISTSIZE in the <filename>/etc/profile</filename> file to a low value such as 20.
Edit the profile file (vi <filename>/etc/profile</filename>) and change the lines to:
<screen>
HISTFILESIZE=20
HISTSIZE=20
</screen>
This means the <filename>.bash_history</filename> file in each user's home directory can store 20 old commands and no more. Now, if a cracker tries to see the <filename>~/.bash_history</filename> file of users on your server to find
some password typed by mistake in plain text, he or she has less chance to find one.
</para>
</step>
<step>
<para>
The administrator should also add the line <command>rm</command> -f <filename>$HOME/.bash_history</filename> to the /etc/skel/.bash_logout file, so that each time a user logs out, their <filename>.bash_history</filename>
file will be deleted and crackers will not be able to use the <filename>.bash_history</filename> file of users who are not presently logged into the system.
Edit the <filename>.bash_logout</filename> file (vi <filename>/etc/skel/.bash_logout</filename>) and add the following line:
<screen>
<command>rm</command> -f $HOME/.bash_history
</screen>
</para>
</step>
</procedure>
<para>
<emphasis>
The above hack will only work for future users you'll add to the server. If you already have existing users in the <filename>/etc/passwd</filename> file, you must edit and add the above line into their <filename>.bash_logout</filename> files manually.
</emphasis>
</para>
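<para>
As an added example (not code from the book), the following sh script does the manual step above for the users that already exist: it walks a passwd file and appends the <command>rm</command> line to each regular user's <filename>.bash_logout</filename> unless it is already there. It takes the passwd file and a root prefix as arguments so it can be tried on a constructed directory tree first; the user names, the UID 500 threshold (the first regular UID on Red Hat 6.x) and the skipped shells are assumptions of the demonstration.
</para>

```sh
#!/bin/sh
# Added example, not from the book: the .bash_logout change above only reaches
# users created later from /etc/skel, so this adds the same line to the
# .bash_logout of every existing regular user, once, and skips system accounts.
# It takes the passwd file and a root prefix as arguments so it can be tried on
# a constructed tree here; on a real server you would pass /etc/passwd and "".
LOGOUT_LINE='rm -f $HOME/.bash_history'

# add_history_cleanup PASSWD_FILE ROOT_PREFIX [MIN_UID]
# Prints the name of each user whose .bash_logout was updated.
add_history_cleanup() {
    passwd=$1; prefix=$2; minuid=${3:-500}   # Red Hat 6.x starts regular users at UID 500
    cat "$passwd" | while IFS=: read -r name _ uid _ _ home shell; do
        [ "$uid" -ge "$minuid" ] || continue                  # root and system accounts
        case $shell in */nologin|*/false) continue ;; esac    # no interactive shell
        dir=$prefix$home
        [ -d "$dir" ] || continue
        f=$dir/.bash_logout
        if [ -f "$f" ]; then
            if grep -qxF "$LOGOUT_LINE" "$f"; then continue; fi   # already present
        fi
        printf '%s\n' "$LOGOUT_LINE" >> "$f"
        echo "$name"
    done
}

# Constructed demo: alice lacks the line, bob already has it, root and bin are
# skipped. The function runs twice to show that a second pass changes nothing.
demo_history_cleanup() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/root" "$root/home/alice" "$root/home/bob"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'bin:x:1:1:bin:/bin:/sbin/nologin' \
        'alice:x:500:500::/home/alice:/bin/bash' \
        'bob:x:501:501::/home/bob:/bin/bash' > "$root/passwd"
    printf '%s\n' "$LOGOUT_LINE" > "$root/home/bob/.bash_logout"
    first=$(add_history_cleanup "$root/passwd" "$root")
    second=$(add_history_cleanup "$root/passwd" "$root")
    lines=$(grep -c '' "$root/home/alice/.bash_logout")
    rm -rf "$root"
    echo "first pass: [$first] second pass: [$second] alice lines: $lines"
}
demo_history_cleanup
```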
</section>
<section><?dbhtml filename="chap5sec48.html"?>
<title>The LILO and <filename>lilo.conf</filename> file</title>
<para>
LILO is the most commonly used boot loader for Linux. It manages the boot process and can boot Linux kernel images from floppy disks, hard disks or can even act as a boot manager for other operating systems. LILO is very important in the Linux system and
for this reason, we must protect it the best we can. The most important configuration file of LILO is the <filename>lilo.conf</filename> file, which resides under the <filename class="directory">/etc</filename> directory. It is with this file that we can
configure and improve the security of our LILO program and Linux system. Following are three important options that will improve the security of our valuable LILO program.
<glosslist>
<glossentry>
<glossterm><envar>Adding: timeout=00</envar></glossterm>
<glossdef><para>
This option controls how long in seconds LILO waits for user input before booting to the default selection. One of the requirements of C2 security is that this interval be set to 0 unless the system dual boots something else.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><envar>Adding: restricted</envar></glossterm>
<glossdef><para>
This option asks for a password only if parameters are specified on the command line (e.g. linux single). The option restricted can only be used together with the password option. Make sure you use this one on each image.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><envar>Adding: password=&lt;password&gt;</envar></glossterm>
<glossdef><para>
This option asks the user for a password when trying to load the Linux system in single mode. Passwords are always case-sensitive, also make sure the <filename>/etc/lilo.conf</filename> file is no longer world readable, or any user will be able
to read the password.
</para></glossdef>
</glossentry>
</glosslist>
</para>
<procedure>
<title>An example of protected <filename>lilo.conf</filename> file.</title>
<step>
<para>
Edit the lilo.conf file (vi <filename>/etc/lilo.conf</filename>) and add or change the above three options as shown:
<programlisting>
boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=00 <co id="llcnf-timeout"/>
default=linux
restricted <co id="llcnf-restricted"/>
password=&lt;password&gt; <co id="llcnf1"/>
image=/boot/vmlinuz-2.2.12-20
label=linux
initrd=/boot/initrd-2.2.12-10.img
root=/dev/sda6
read-only
</programlisting>
<calloutlist>
<callout arearefs="llcnf-timeout">
<para><emphasis>change this line to 00.</emphasis></para>
</callout>
<callout arearefs="llcnf-restricted">
<para><emphasis>add this line.</emphasis></para>
</callout>
<callout arearefs="llcnf1">
<para><emphasis>add this line and put your password.</emphasis></para>
</callout>
</calloutlist>
</para>
</step>
<step>
<para>
Because the configuration file <filename>/etc/lilo.conf</filename> now contains unencrypted passwords, it should only be readable for the super-user root.
<screen>
[root@deep] /# <command>chmod</command> 600 /etc/lilo.conf <emphasis>will no longer be world readable.</emphasis>
</screen>
</para>
</step>
<step>
<para>
Now we must update our configuration file <filename>/etc/lilo.conf</filename> for the change to take effect.
<screen>
[root@deep] /# <command>/sbin/lilo</command> -v <emphasis>to update the lilo.conf file.</emphasis>
</screen>
</para>
</step>
<step>
<para>
One more security measure you can take to secure the <filename>lilo.conf</filename> file is to set it immutable, using the chattr command.
To set the file immutable, simply use the command:
<screen>
[root@deep] /# <command>chattr</command> +i <filename>/etc/lilo.conf</filename>
</screen>
This will prevent any changes, accidental or otherwise, to the <filename>lilo.conf</filename> file. If you wish to modify the <filename>lilo.conf</filename> file you
will first need to unset the immutable flag with the command:
<screen>
[root@deep] /# <command>chattr</command> -i <filename>/etc/lilo.conf</filename>
</screen>
</para>
</step>
</procedure>
</section>
<section><?dbhtml filename="chap5sec49.html"?>
<title>Disable <keycap>Ctrl-Alt-Delete</keycap> keyboard shutdown command</title>
<para>
Commenting out the line listed below with a <prompt>#</prompt> in your <filename>/etc/inittab</filename> file will disable the possibility of using
the <keycap>Ctrl-Alt-Delete</keycap> command to shut down your computer. This is pretty important if you don't have the best physical security on the box.
To do this, edit the inittab file (vi <filename>/etc/inittab</filename>) and change the line:
<screen>
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
</screen>
To read:
<screen>
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
</screen>
Now, for the change to take effect type in the following at a prompt:
<screen>
[root@deep] /#<command>/sbin/init</command> q
</screen>
</para>
</section>
<section><?dbhtml filename="chap5sec50.html"?>
<title>
Physical hard copies of all-important logs
</title>
<para>
One of the most important security considerations is the integrity of the different log files under the <filename class="directory">/var/log</filename> directory on your server. If despite each of the
security functions put in place on our server a cracker can gain access to it, our last defense is the log file system, so it is very important to consider a method of being sure of the integrity of our log files.
</para>
<para>
If you have a printer installed on your server, or on a machine on your network, a good idea would be to have actual physical hard copies of all-important logs. This can be easily accomplished by using a continuous
feed printer and having the syslog program send all logs you deem important out to <filename>/dev/lp0</filename>, the printer device. A cracker can change the files, programs, etc. on your server, but can do nothing when
you have a printer that prints a real paper copy of all of your important logs.
</para>
<example>
<title>Print log reports </title>
<para>
For logging of all telnet, mail, boot messages and ssh connections from your server to the printer attached to this server, edit the syslog.conf file (vi <filename>/etc/syslog.conf</filename>) and add at the end of this file the following line:
<screen>
authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0
</screen>
Now restart your syslog daemon for the change to take effect:
<screen>
[root@deep] /# /etc/rc.d/init.d/syslog <command>restart</command>
</screen>
</para>
<para>
For logging of all telnet, mail, boot messages and ssh connections from your server to a printer attached to a remote server in your local network, you would want to add the following line
to the <filename>/etc/syslog.conf</filename> file on the remote server.
If you don't have a printer in your network, you can also copy all the log files to another machine; simply omit the first step below of adding <filename>/dev/lp0</filename> to your <filename>syslog.conf</filename> file
on the remote host and go directly to the <literal>-r</literal> option step on the remote host. Using the feature of copying all the log files to another machine lets you control all syslog messages on one
host and reduces administration needs.
Edit the <filename>syslog.conf</filename> file (vi <filename>/etc/syslog.conf</filename>) on the remote server (for example <literal>mail.openna.com</literal>) and add at the end of this file the following line:
<screen>
authpriv.*;mail.*;local7.*;auth.*;daemon.info <filename>/dev/lp0</filename>
</screen>
Since the default configuration of the syslog daemon is to not receive any messages from the network, we must enable this facility on the remote server. To enable the facility
to receive messages from the network on the remote server, add the <literal>-r</literal> option to your syslog daemon script file, <emphasis>only on the remote host</emphasis>.
Edit the syslog daemon script (<command>vi</command> +24 <filename>/etc/rc.d/init.d/syslog</filename>) and change:
<programlisting>
<command>daemon</command> syslogd -m 0
</programlisting>
To read:
<programlisting>
<command>daemon</command> syslogd -r -m 0
</programlisting>
Now restart your syslog daemon on the remote host for the change to take effect:
<screen>
[root@mail /]# /etc/rc.d/init.d/syslog <command>restart</command>
</screen>
</para>
</example>
<para>
Now, if we have a firewall on the remote server (you are supposed to have one), we must add or verify the existence
of the following lines:
<programlisting>
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ <co id="exin1"/>
-s $SYSLOG_CLIENT \ <co id="syse1"/>
-d $IPADDR 514 -j ACCEPT <co id="ipd1"/>
</programlisting>
<calloutlist>
<callout arearefs="exin1">
<para>
Where EXTERNAL_INTERFACE="eth0" in the firewall file.
</para>
</callout>
<callout arearefs="syse1">
<para>
Where SYSLOG_CLIENT="208.164.168.0/24" in the firewall file.
</para>
</callout>
<callout arearefs="ipd1">
<para>
Where IPADDR="208.164.186.2" in the firewall file.
</para>
</callout>
</calloutlist>
</para>
<para>
Now restart your firewall on the remote host for the change to take effect:
<screen>
[root@mail /]# /etc/rc.d/init.d/firewall <command>restart</command>
</screen>
This firewall rule will allow incoming UDP packets on port 514 (the syslog port) on the remote server that come from our internal client to
be accepted. For more information on firewalls see Chapter 7, <filename>Networking firewall</filename>.
</para>
<para>
Finally, edit the syslog.conf file (vi <filename>/etc/syslog.conf</filename>) on the local server, and add at the end of this file the following line:
<programlisting>
authpriv.*;mail.*;local7.*;auth.*;daemon.info @mail
</programlisting>
Where mail is the hostname of the remote server. Now if anyone ever hacks your box and attempts to erase vital system logs, you still
have a hard copy of everything. It should then be fairly simple to trace where they came from and deal with it accordingly.
Now restart your syslog daemon for the change to take effect:
<screen>
[root@deep] /# /etc/rc.d/init.d/syslog <command>restart</command>
</screen>
Same as on the remote host, we must add or verify the existence of the following lines in our firewall script file on the local host:
<programlisting>
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ <co id="exin2"/>
-s $IPADDR 514 \ <co id="ipd2"/>
-d $SYSLOG_SERVER 514 -j ACCEPT <co id="syse2"/>
</programlisting>
<calloutlist>
<callout arearefs="exin2">
<para>
Where EXTERNAL_INTERFACE="eth0" in the firewall file.
</para>
</callout>
<callout arearefs="ipd2">
<para>
Where IPADDR="208.164.186.1" in the firewall file.
</para>
</callout>
<callout arearefs="syse2">
<para>
Where SYSLOG_SERVER="mail.openna.com" in the firewall file.
</para>
</callout>
</calloutlist>
</para>
<para>
Now restart your firewall for the change to take effect:
<screen>
[root@deep] /# /etc/rc.d/init.d/firewall <command>restart</command>
</screen>
This firewall rule will allow outgoing UDP packets on port 514 (the syslog port) on the local server destined to the remote syslog server to be accepted. For more information on
firewalls see Chapter 7, Networking firewall.
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Never use your Gateway Server as a host to control all syslog messages; this is a very bad idea. More options and strategies exist with the sysklogd program, see
the man pages about <citerefentry><refentrytitle>sysklogd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
and <citerefentry><refentrytitle>syslog.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more information.
</para>
</important>
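<para>
As an added example (not code from the book), the following sh/awk script evaluates a syslog.conf selector list against a message's facility and priority, so you can confirm which messages the line used in this section actually sends to <filename>/dev/lp0</filename> or to the remote host. It handles the classic selector syntax only (facility.priority meaning that priority and above, *, none and =priority), and the messages it checks are constructed for the demonstration.
</para>

```sh
#!/bin/sh
# Added example, not from the book: evaluate a syslog.conf selector list the
# way syslogd does, so you can confirm which messages the line from this
# section really sends to the printer (/dev/lp0) or to the remote host (@mail).
# Assumptions: the classic selector syntax only ("facility.priority" meaning
# that priority and above, "*" for any, "none" to exclude a facility, and
# "=priority" for exactly one level); when several selectors name the same
# facility, the last one wins, as in sysklogd.

# Priority names in ascending order of severity, as in syslog.conf(5).
PRIORITIES="debug info notice warning err crit alert emerg"

# selector_matches SELECTORS FACILITY PRIORITY
# Exit status 0 when a message with that facility and priority is selected.
selector_matches() {
    awk -v line="$1" -v fac="$2" -v pri="$3" -v order="$PRIORITIES" '
    BEGIN {
        n = split(order, p, " ")
        for (i = n; i > 0; i--) rank[p[i]] = i
        if (!(pri in rank)) exit 2               # unknown priority name
        msg = rank[pri]
        n = split(line, sel, ";")
        # walk the selectors from the last to the first: the last selector
        # that names this facility is the one that governs it
        for (i = n; i > 0; i--) {
            s = sel[i]; gsub(/[[:space:]]/, "", s)
            dot = index(s, ".")
            if (dot == 0) continue
            f = substr(s, 1, dot - 1); lvl = substr(s, dot + 1)
            if (f != "*") { if (f != fac) continue }
            if (lvl == "none") exit 1            # facility excluded
            if (lvl == "*") exit 0               # every priority
            if (substr(lvl, 1, 1) == "=") exit (rank[substr(lvl, 2)] == msg ? 0 : 1)
            if (!(lvl in rank)) exit 2           # unknown priority in selector
            exit (msg >= rank[lvl] ? 0 : 1)      # that priority and above
        }
        exit 1                                    # no selector named the facility
    }'
}

# The selector list used in this section, applied to a few constructed messages.
BOOK_SELECTORS='authpriv.*;mail.*;local7.*;auth.*;daemon.info'

# logged FACILITY PRIORITY : prints yes or no for the selector list above
logged() {
    if selector_matches "$BOOK_SELECTORS" "$1" "$2"; then echo yes; else echo no; fi
}

for m in authpriv.notice mail.debug daemon.debug daemon.err kern.emerg; do
    printf '%-16s %s\n' "$m" "$(logged "${m%.*}" "${m#*.}")"
done
```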
</section>
<section><?dbhtml filename="chap5sec51.html"?>
<title>Tighten scripts under <filename class="directory">/etc/rc.d/</filename></title>
<para>
Fix the permissions of the script files that are responsible for starting and stopping all your normal processes that need to run at boot time.
<screen>
[root@deep] /# <command>chmod</command> -R 700 /etc/rc.d/init.d/*
</screen>
This means only root is allowed to read, write, and execute the script files in this directory. I don't think regular users need to know what is inside those script files.
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
If you install a new program or update a program that uses a System V init script located under the <filename class="directory">/etc/rc.d/init.d/</filename> directory, don't
forget to change or verify the permissions of this script file again.
</para>
</important>
<section>
<title>The <filename>/etc/rc.d/rc.local</filename> file</title>
<para>
By default, when you login to a Linux box, it tells you the Linux distribution name, version, kernel version, and the name of the server. This is giving away too
much info. We'd rather just prompt users with a <prompt>Login:</prompt>
</para>
<procedure>
<step>
<para>
To do this, edit the <filename>/etc/rc.d/rc.local</filename> file and place a <prompt>#</prompt> in front of the following
lines as shown:
<programlisting>
# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo &quot;&quot; &gt; /etc/issue
#echo "$R" &gt;&gt; /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)&quot; &gt;&gt; /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo &gt;&gt; /etc/issue
</programlisting>
</para>
</step>
<step>
<para>
Then, remove the following files: <filename>issue.net</filename> and <filename>issue</filename> under <filename class="directory">/etc</filename> directory:
<screen>
[root@deep] /# <command>rm</command> -f /etc/issue
[root@deep] /# <command>rm</command> -f /etc/issue.net
</screen>
</para>
</step>
</procedure>
<para>
The <filename>/etc/issue.net</filename> file is the login banner that users will see when they make a networked (<abbrev>i.e.</abbrev> telnet, SSH) connection to
your machine. You will find it in the <filename class="directory">/etc</filename> directory, along with a similar file called <filename>issue</filename>, which is the login banner
that gets displayed to local users. It is simply a text file and can be customized to your own taste, but be aware that, as noted above, if you do change it or
remove it like we do, you'll also need to modify the <filename>/etc/rc.d/rc.local</filename> shell script, which re-creates both the <filename>issue</filename> and <filename>issue.net</filename> files
every time the system boots.
</para>
</section>
</section>
<section><?dbhtml filename="chap5sec52.html"?>
<title>
Bits from root-owned programs
</title>
<para>
A regular user will be able to run a program as root if it is set to SUID root. All programs and files on your computer with the <literal>s</literal> bits appearing on its mode, have
the <acronym>SUID</acronym> <computeroutput>-rwsr-xr-x</computeroutput> or <acronym>SGID</acronym> <computeroutput>-r-xr-sr-x</computeroutput> bit enabled. Because these programs grant special privileges
to the user who is executing them, it is important to remove the <literal>s</literal> bits from root-owned programs that won't absolutely require such privilege. This can be accomplished by executing the
command <command>chmod</command> <literal>a-s</literal> with the name(s) of the <acronym>SUID/SGID</acronym> files as its arguments.
Such programs include, but aren't limited to:
<itemizedlist mark="bullet" spacing="compact">
<listitem>
<para>
Programs you never use.
</para>
</listitem>
<listitem>
<para>
Programs that you don't want any non-root users to run.
</para>
</listitem>
<listitem>
<para>
Programs you use occasionally, and don't mind having to <command>su</command> to root to run.
</para>
</listitem>
</itemizedlist>
</para>
<para>
We've placed an asterisk (*) next to each program we personally might disable and consider to be not absolutely required for the working of our
server. Remember that your system needs some suid root programs to work properly, so be careful. Make your choices based on your requirements.
To find all files with the <literal>s</literal> bits from root-owned programs, use the command:
<screen>
[root@deep]#<command>find</command> / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
</screen>
</para>
<para>
<programlisting>
*-rwsr-xr-x 1 root root 35168 Sep 22 23:35 /usr/bin/chage
*-rwsr-xr-x 1 root root 36756 Sep 22 23:35 /usr/bin/gpasswd
*-r-xr-sr-x 1 root tty 6788 Sep 6 18:17 /usr/bin/wall
-rwsr-xr-x 1 root root 33152 Aug 16 16:35 /usr/bin/at
-rwxr-sr-x 1 root man 34656 Sep 13 20:26 /usr/bin/man
-r-s--x--x 1 root root 22312 Sep 25 11:52 /usr/bin/passwd
-rws--x--x 2 root root 518140 Aug 30 23:12 /usr/bin/suidperl
-rws--x--x 2 root root 518140 Aug 30 23:12 /usr/bin/sperl5.00503
-rwxr-sr-x 1 root slocate 24744 Sep 20 10:29 /usr/bin/slocate
*-rws--x--x 1 root root 14024 Sep 9 01:01 /usr/bin/chfn
*-rws--x--x 1 root root 13768 Sep 9 01:01 /usr/bin/chsh
*-rws--x--x 1 root root 5576 Sep 9 01:01 /usr/bin/newgrp
*-rwxr-sr-x 1 root tty 8328 Sep 9 01:01 /usr/bin/write
-rwsr-xr-x 1 root root 21816 Sep 10 16:03 /usr/bin/crontab
*-rwsr-xr-x 1 root root 5896 Nov 23 21:59 /usr/sbin/usernetctl
*-rwsr-xr-x 1 root bin 16488 Jul 2 10:21 /usr/sbin/traceroute
-rwxr-sr-x 1 root utmp 6096 Sep 13 20:11 /usr/sbin/utempter
-rwsr-xr-x 1 root root 14124 Aug 17 22:31 /bin/su
*-rwsr-xr-x 1 root root 53620 Sep 13 20:26 /bin/mount
*-rwsr-xr-x 1 root root 26700 Sep 13 20:26 /bin/umount
*-rwsr-xr-x 1 root root 18228 Sep 10 16:04 /bin/ping
*-rwxr-sr-x 1 root root 3860 Nov 23 21:59 /sbin/netreport
-r-sr-xr-x 1 root root 26309 Oct 11 20:48 /sbin/pwdb_chkpwd
</programlisting>
</para>
<para>
To disable the suid bits on selected programs above, type the following commands:
<screen>
[root@deep] /# <command>chmod</command> a-s /usr/bin/chage
[root@deep] /# <command>chmod</command> a-s /usr/bin/gpasswd
[root@deep] /# <command>chmod</command> a-s /usr/bin/wall
[root@deep] /# <command>chmod</command> a-s /usr/bin/chfn
[root@deep] /# <command>chmod</command> a-s /usr/bin/chsh
[root@deep] /# <command>chmod</command> a-s /usr/bin/newgrp
[root@deep] /# <command>chmod</command> a-s /usr/bin/write
[root@deep] /# <command>chmod</command> a-s /usr/sbin/usernetctl
[root@deep] /# <command>chmod</command> a-s /usr/sbin/traceroute
[root@deep] /# <command>chmod</command> a-s /bin/mount
[root@deep] /# <command>chmod</command> a-s /bin/umount
[root@deep] /# <command>chmod</command> a-s /bin/ping
[root@deep] /# <command>chmod</command> a-s /sbin/netreport
</screen>
</para>
<example>
<title>Use man pages</title>
<para>
If you want to know what those programs do, type <userinput>man program-name</userinput> and read the man page.
<screen>
[root@deep] /# <command>man</command> netreport
</screen>
</para>
</example>
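<para>
As an added example (not code from the book), the following sh script turns the find command above into a simple change check: it records a baseline of the SUID/SGID files under a directory and later reports any file that has gained such a bit since, which is how a newly planted setuid binary gets noticed after the cleanup above. The demonstration builds its own directory tree with mktemp and the file names in it are constructed; on a real server you would snapshot / and keep the baseline off the machine.
</para>

```sh
#!/bin/sh
# Added example, not from the book: keep a baseline of the SUID/SGID files
# found with the find command from this section and report anything that has
# appeared since, which is how a newly planted setuid binary gets noticed.
# The demo builds its own directory tree with mktemp, so it never touches /.

# suid_snapshot DIR : sorted list of SUID or SGID regular files under DIR.
suid_snapshot() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print | sort
}

# suid_new BASELINE_FILE DIR : paths that are SUID/SGID now but were not in the
# baseline (comm needs both inputs sorted, which suid_snapshot guarantees).
suid_new() {
    suid_snapshot "$2" | comm -13 "$1" -
}

# Constructed demo: three "expected" setuid files, a baseline, then one more
# setuid file that shows up afterwards. Prints the paths relative to the tree.
demo_suid_baseline() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin"
    for f in su mount ping; do : > "$d/bin/$f"; chmod 4755 "$d/bin/$f"; done
    : > "$d/bin/ls"; chmod 0755 "$d/bin/ls"            # not setuid: never listed
    suid_snapshot "$d" > "$d/baseline.txt"
    : > "$d/bin/newtool"; chmod 4755 "$d/bin/newtool"  # appears after the baseline
    suid_new "$d/baseline.txt" "$d" | sed "s|^$d||"
    rm -rf "$d"
}
demo_suid_baseline
```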
</section>
<section><?dbhtml filename="chap5sec53.html"?>
<title>
The kernel tunable parameters</title>
<para>
With the new version of Red Hat Linux 6.2, all kernel parameters available under the /proc/sys subdirectory of Linux can be configured at runtime. You can now use the
new <filename>/etc/sysctl.conf</filename> file under Red Hat Linux 6.2 to modify and set kernel parameters at runtime. The sysctl.conf file is read and loaded each time the system reboots. All
settings are now stored in the <filename>/etc/sysctl.conf</filename> file. All modifications to /proc/sys should be made through /etc/sysctl.conf, because it offers better control and
is executed before rc.local or any other user scripts. We have shown below the networking security options that you must configure on your server for both Red Hat Linux
versions 6.1 and 6.2.
</para>
<section><?dbhtml filename="chap5sec54.html"?>
<title>Prevent your system responding to Ping</title>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
Preventing your system from responding to ping requests can be a big improvement in your network security, since no one can ping your server and receive an answer. The TCP/IP
protocol suite has a number of loopholes that allow an attacker to leverage techniques in the form of covert channels to surreptitiously pass data in otherwise benign
packets. Preventing your server from responding to ping requests can help to minimize this problem.
The following command:
<screen>
[root@deep] /#<command>echo</command> 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_all
</screen>
should do the job, so that your system won't respond to ping on any interface. You can add this line to your <filename>/etc/rc.d/rc.local</filename> file so the command will be automatically set if your system reboots. Not responding to pings would at least keep most "crackers" out because they would never even know it's there.
To turn it back on, simply do this:
<screen>
[root@deep] /#<command>echo</command> 0 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_all
</screen>
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
Edit the /etc/sysctl.conf file and add the following line:
<programlisting>
# Enable ignoring ping request
net.ipv4.icmp_echo_ignore_all = 1
</programlisting>
You must restart your network for the change to take effect. To restart all network devices manually on your system, use the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/network restart
</screen>
<literallayout><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
</para>
</section>
</section>
<section><?dbhtml filename="chap5sec54.html"?>
<title>Refuse responding to broadcasts request</title>
<para>
As with ping requests, it's also important to disable responses to broadcast requests. When a packet is sent to an <acronym>IP</acronym> broadcast address (i.e. 192.168.1.255) from a machine on the
local network, that packet is delivered to all machines on that network. All the machines on the network then respond to this ICMP echo request, and the result can be
severe network congestion or outages (<emphasis>denial-of-service</emphasis> attacks). See <acronym>RFC</acronym> 2644 for more information.
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
<screen>
[root@deep] /# <command>echo</command> 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
</screen>
You can add this line to your <filename>/etc/rc.d/rc.local</filename> file so the command is run automatically
when your system reboots.
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Enable ignoring broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
</programlisting>
You must restart your network for the change to take effect. To restart all network devices manually on your system, use the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
</para>
</section>
<section><?dbhtml filename="chap5sec55.html"?>
<title>Routing Protocols</title>
<para>
Routing and routing protocols can create several problems. The <acronym>IP</acronym> source routing, where an <acronym>IP</acronym> packet contains details of the path to its intended destination, is dangerous because
according to <acronym>RFC</acronym> 1122 the destination host must respond along the same path. If an attacker was able to send a source routed packet into your network, then he would be able to
intercept the replies and fool your host into thinking it is communicating with a trusted host. I strongly recommend that you disable IP source routing to protect your server from this hole.
</para>
<para>
To disable IP source routing on your server, type the following command in your terminal:
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
<programlisting>
[root@deep] /# for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
&gt; echo 0 &gt; $f
&gt; done
</programlisting>
<screen>
[root@deep] /#
</screen>
Add the above commands to the <filename>/etc/rc.d/rc.local</filename> script file and you'll not have to type it again the next time you reboot your system.
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
</programlisting>
You must restart your network for the change to take effect. The command to restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput> </literallayout>
Note that the above commands, for both Red Hat Linux 6.1 and 6.2, disable acceptance of source-routed packets on
all your interfaces (lo, ethN, pppN, etc.).
</para>
</section>
<section><?dbhtml filename="chap5sec56.html"?>
<title>Enable TCP SYN Cookie Protection</title>
<para>
A <acronym>SYN</acronym> attack is a denial of service (<acronym>DoS</acronym>) attack that consumes all the resources on your machine, forcing you to reboot. Denial of service attacks (attacks which incapacitate a server due to high
traffic volume, or ones that tie up enough system resources that the server cannot respond to a legitimate connection request from a remote system) are easily achievable from internal resources
or external connections via extranets and the Internet. To enable SYN cookie protection, do the following:
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
<screen>
[root@deep] /# echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
</screen>
Add the above commands to the <filename>/etc/rc.d/rc.local</filename> script file and you'll not have to type it again the next time you reboot your system.
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
</programlisting>
You must restart your network for the change to take effect. The command to restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</screen>
If you receive an error message during execution of the above command, check that you have enabled the <acronym>TCP</acronym> syncookies option in your kernel configuration:
<computeroutput>IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?]</computeroutput>
</para>
</section>
<section><?dbhtml filename="chap5sec57.html"?>
<title>Disable ICMP Redirect Acceptance</title>
<para>
When hosts use a non-optimal or defunct route to a particular destination, an ICMP redirect packet is used by routers to inform the hosts what the correct route
should be. If an attacker is able to forge <acronym>ICMP</acronym> redirect packets, he or she can alter the routing tables on the host and possibly subvert the
security of the host by causing traffic to flow via a path you didn't intend. It's strongly recommended to disable <acronym>ICMP</acronym> Redirect Acceptance to
protect your server from this hole.
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject><textobject><phrase>Version 6.1 only</phrase></textobject></mediaobject>
<programlisting>
[root@deep] /# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> echo 0 &gt; $f
> done
</programlisting>
<screen>
[root@deep] /#
</screen>
Add the above commands to the <filename>/etc/rc.d/rc.local</filename> script file and you'll not have to type it again the next time you reboot your system.
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject><textobject><phrase>Version 6.2 only</phrase></textobject></mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
</programlisting>
You must restart your network for the change to take effect. The command to restart manually the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network restart
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</screen>
Note that the above commands, for both Red Hat Linux 6.1 and 6.2, disable acceptance of ICMP redirect packets on all
your interfaces (lo, ethN, pppN, etc.).
</para>
</section>
<section><?dbhtml filename="chap5sec58.html"?>
<title>Enable always-defragging Protection</title>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject><textobject><phrase>Version 6.1 only</phrase></textobject></mediaobject>
This protection must be enabled if you use your Linux server as a gateway to masquerade internal traffic to the Internet (<acronym>IP</acronym> Masquerading).
<screen>
[root@deep] /# <command>echo</command> 1 &gt; /proc/sys/net/ipv4/ip_always_defrag
</screen>
Add the above commands to the <filename>/etc/rc.d/rc.local</filename> script file and you'll not have to type it again the next time you reboot your system.
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject><textobject><phrase>Version 6.2 only</phrase></textobject></mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Enable always defragging Protection
net.ipv4.ip_always_defrag = 1
</programlisting>
You must restart your network for the change to take effect. The command to manually restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</screen>
</para>
</section>
<section><?dbhtml filename="chap5sec59.html"?>
<title>Enable bad error message Protection</title>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject><textobject><phrase>Version 6.1 only</phrase></textobject></mediaobject>
This option will alert you to all bad error messages in your network.
<screen>
[root@deep] /# <command>echo</command> 1 &gt; /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
</screen>
Add the above commands to the <filename>/etc/rc.d/rc.local</filename> script file and you'll not have to type it again the next time you
reboot your system.
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject><textobject><phrase>Version 6.2 only</phrase></textobject></mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
</programlisting>
You must restart your network for the change to take effect. The command to manually restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</screen>
</para>
</section>
<section><?dbhtml filename="chap5sec60.html"?>
<title>Enable <acronym>IP</acronym> spoofing protection</title>
<para>
The spoofing protection prevents your network from being the source of spoofed <abbrev>i.e.</abbrev> forged communications that are
often used in <acronym>DoS</acronym> attacks.
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject><textobject><phrase>Version 6.1 only</phrase></textobject></mediaobject>
<programlisting>
[root@deep] /# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
&gt; echo 1 &gt; $f
&gt; done
</programlisting>
<screen>
[root@deep] /#
</screen>
Add the above commands to the <filename>/etc/rc.d/rc.local</filename> script file and you'll not have to type it again the next time
you reboot your system.
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject><textobject><phrase>Version 6.2 only</phrase></textobject></mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Enable IP spoofing protection, turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
</programlisting>
You must restart your network for the change to take effect. The command to manually restart the network
is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</screen>
</para>
</section>
<section><?dbhtml filename="chap5sec61.html"?>
<title>Log Spoofed, Source Routed and Redirect Packets</title>
<para>
This protection will log all Spoofed Packets, Source Routed Packets, and Redirect Packets to your log files.
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject><textobject><phrase>Version 6.1 only</phrase></textobject></mediaobject>
<programlisting>
[root@deep] /# for f in /proc/sys/net/ipv4/conf/*/log_martians; do
&gt; echo 1 &gt; $f
&gt; done
</programlisting>
<screen>
[root@deep] /#
</screen>
Add the above commands to the <filename>/etc/rc.d/rc.local</filename> script file and you'll not have to type it again the next time
you reboot your system.
</para>
<para>
<mediaobject><imageobject>
<imagedata format="GIF" fileref="images/Version6.2.gif"/>
</imageobject><textobject><phrase>Version 6.2 only</phrase></textobject></mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
</programlisting>
You must restart your network for the change to take effect. The command to manually restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</screen>
</para>
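<para>
The settings of this and the preceding sections are easy to apply and just as easy to lose after a kernel or package upgrade, so it pays to audit them rather than trust that the <filename>/etc/sysctl.conf</filename> entries took effect. The following script is an added example and not part of the book: it reads a sysctl.conf-style policy file, maps each key to its <filename class="directory">/proc/sys</filename> path and compares the live value with the expected one. The <envar>SYSFS_ROOT</envar> variable and all function names are this example's own; the variable exists so the script can be run against a constructed directory tree instead of the real <filename class="directory">/proc/sys</filename>. Multi-value keys such as <literal>vm.bdflush</literal> are compared after whitespace normalisation, and <literal>sysctl_check_ifaces</literal> checks every interface directory, as the Red Hat 6.1 <command>for</command> loops above do.
</para>

```shell
#!/bin/sh
# Added example (not from the book): audit the kernel network hardening
# settings of this chapter against a sysctl.conf-style policy file.
# SYSFS_ROOT is an assumed knob: it defaults to /proc/sys and can be pointed
# at a constructed directory tree for offline testing.

# Map a sysctl key such as net.ipv4.conf.all.rp_filter to its /proc/sys path.
# (Interface names containing dots are not handled; sysctl uses "/" for those.)
sysctl_key_to_path() {
    printf '%s/%s\n' "${SYSFS_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Print the current value of a key with whitespace normalised to single spaces,
# so that multi-value keys (vm.bdflush) compare cleanly. Returns 1 if absent.
sysctl_get() {
    p=$(sysctl_key_to_path "$1")
    [ -r "$p" ] || return 1
    sed 's/[[:space:]][[:space:]]*/ /g; s/^ //; s/ $//' "$p"
}

# Compare one key with its expected value; prints OK, FAIL or MISSING.
# Returns 0 when compliant, 1 on mismatch, 2 when the key does not exist.
sysctl_check() {
    key=$1
    expected=$2
    actual=$(sysctl_get "$key") || { printf 'MISSING %s\n' "$key"; return 2; }
    if [ "$actual" = "$expected" ]; then
        printf 'OK %s = %s\n' "$key" "$actual"
        return 0
    fi
    printf 'FAIL %s expected=%s actual=%s\n' "$key" "$expected" "$actual"
    return 1
}

# Check every "key = value" line of a policy file (comments and blank lines
# are ignored). Prints one report line per key; returns 1 if any key fails.
sysctl_audit() {
    report=$(sed 's/[[:space:]]*$//' "$1" | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]][[:space:]]*/ /g')
        sysctl_check "$key" "$value" || :
    done)
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q -E '^(FAIL|MISSING) '; then
        return 1
    fi
    return 0
}

# Number of non-compliant keys in a policy file (FAIL plus MISSING lines).
sysctl_audit_failures() {
    sysctl_audit "$1" | grep -c -E '^(FAIL|MISSING) ' || true
}

# Check one per-interface setting (accept_source_route, accept_redirects,
# rp_filter, log_martians) on every interface directory, as the 6.1 loops do.
sysctl_check_ifaces() {
    suffix=$1
    expected=$2
    rc=0
    for f in "${SYSFS_ROOT:-/proc/sys}"/net/ipv4/conf/*/"$suffix"; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        sysctl_check "net.ipv4.conf.$iface.$suffix" "$expected" || rc=1
    done
    return $rc
}

# Usage: sh sysctl-audit.sh /etc/sysctl.conf   (exit status 1 when not compliant)
if [ $# -gt 0 ]; then
    sysctl_audit "$1"
fi
```

<para>
Run it as <userinput>sh sysctl-audit.sh /etc/sysctl.conf</userinput> (the script name is an assumption); it prints one OK, FAIL or MISSING line per key and exits non-zero when any key is not at its expected value, which makes it suitable for a daily cron job alongside the other checks in this chapter.
</para>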
</section>
<section><?dbhtml filename="chap5sec62.html"?>
<title>Unusual or hidden files</title>
<para>
It is important not to forget to look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by
the <command>ls</command> command), as these can be used to hide tools and information (password cracking programs, password files from other systems, etc.).
A common technique on UNIX systems is to put a hidden directory or file in a user's account with an unusual name, something like '...' or '.. ' (dot dot space)
or <keycombo><keycap>..</keycap><keycap>^G</keycap></keycombo> (dot dot ctrl-G).
The <command>find</command> program can be used to look for hidden files.
</para>
<example>
<title>Use find to locate hidden files</title>
<para>
<screen>
[root@deep] /# <command>find</command> / -xdev -name &quot;.. &quot; -print
[root@deep] /# <command>find</command> / -xdev -name &quot;.*&quot; -print | cat -v
</screen>
</para>
</example>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Files with names such as <literal>.xx</literal> and <literal>.mail</literal> have also been used, that is, names that appear to be normal.
</para>
</note>
<para>
All <acronym>SUID</acronym> and <acronym>SGID</acronym> files that still exist on your system after we have removed those that do not absolutely require such privilege
are a potential security risk, and should be monitored closely. Because these programs grant special privileges to the user who is executing them, it is necessary to
ensure that insecure programs are not installed.
</para>
<para>
A favorite trick of crackers is to exploit <acronym>SUID</acronym> root programs, and leave a <acronym>SUID</acronym> program as a backdoor to get in the next time. Find all <acronym>SUID</acronym>
and <acronym>SGID</acronym> programs on your system, and keep track of what they are so that you are aware of any changes, which could indicate a potential intruder.
Use the following command to find all <acronym>SUID/SGID</acronym> programs on your system:
<screen>
[root@deep] /# <command>find</command> / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
</screen>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
See in this book under <link linkend="prt5ch2ssmt">Securities Software/Monitoring Tools</link> for more information about the software <xref linkend="prt5ch2s1Xd"/> that will do the job for you automatically each day and report the results via mail.
</para>
</tip>
<para>
Group- and world-writable files and directories, particularly on system file partitions, can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable
directories are dangerous, since they allow a cracker to add or delete files as he or she wishes in these directories. In the normal course of operation, several files will be writable, including
some from the <filename class="directory">/dev</filename> and <filename class="directory">/var/catman</filename> directories, and all symbolic links on your system.
To locate all group- &amp; world-writable files on your system, use the command:
<screen>
[root@deep] /# <command>find</command> / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
</screen>
To locate all group &amp; world-writable directories on your system, use the command:
<screen>
[root@deep] /# <command>find</command> / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
</screen>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
A file and directory integrity checker like Tripwire can be used regularly to scan, manage and find modified group- or world-writable files and directories easily. See in this book under <link linkend="prt5ch2ssmt">Securities Software/Monitoring Tools</link>
for more information about Tripwire.
</para>
</tip>
<para>
Don't permit any unowned files. Unowned files may also be an indication that an intruder has accessed your system. If you find an unowned file or directory on your system, verify its integrity, and
if all looks fine, give it an owner. Sometimes you may uninstall a program and be left with an unowned file or directory related to that software; in this case you can remove the file or directory safely.
To locate files on your system that do not have an owner, use the following command:
<screen>
[root@deep] /# <command>find</command> / -nouser -o -nogroup
</screen>
Note once again that files reported under the <filename class="directory">/dev</filename> directory don't count.
</para>
<para>
Finding all the <filename>.rhosts</filename> files that could exist on your server should be a part of your regular system administration duties, as these files should not be permitted on your system. Remember that a cracker
only needs one insecure account to potentially gain access to your entire network.
You can locate all <filename>.rhosts</filename> files on your system with the following command:
<screen>
[root@deep] /# <command>find</command> /home -name .rhosts
</screen>
You can also use a cron job to periodically check for, report the contents of, and delete <filename>$HOME/.rhosts</filename> files. Also, users should be made aware that you regularly perform this type
of audit, as directed by policy.
</para>
<para>
To use a cron job to periodically check and report via mail all <filename>.rhosts</filename> files, do the following:
create as root the <filename>find_rhosts_files</filename> script file under the <filename class="directory">/etc/cron.daily</filename> directory (<userinput>touch /etc/cron.daily/find_rhosts_files</userinput>) and add the following
lines to this script file:
<programlisting>
#!/bin/sh
# List every .rhosts file under /home and mail the list to root,
# preceded by a short explanatory header.
/usr/bin/find /home -name .rhosts | (cat &lt;&lt;EOF
This is an automated report of possible existent .rhosts files on the server
deep.openna.com, generated by the find utility command.
New detected .rhosts files under the /home directory include:
EOF
cat
) | /bin/mail -s "Content of .rhosts file audit report" root
</programlisting>
Now make this script file executable, verify the owner, and change the group to root.
<screen>
[root@deep] /# <command>chmod</command> 755 /etc/cron.daily/find_rhosts_files
[root@deep] /# <command>chown</command> 0.0 /etc/cron.daily/find_rhosts_files
</screen>
Each day, mail with the subject "Content of .rhosts file audit report" will be sent to root, listing any potential new <filename>.rhosts</filename> files.
</para>
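<para>
The <command>find</command> commands of this section are collected below, as an added example that is not part of the book, into shell functions that take the directory to scan as an argument, so they can be tried on a scratch tree before being run against <filename class="directory">/</filename>. The function names are this example's own. Two departures from the commands above are labelled in the comments: world-writable directories that carry the sticky bit (the normal state of <filename class="directory">/tmp</filename>) are skipped, and the <filename>.rhosts</filename> report function returns non-zero when nothing was found, so the cron wrapper can skip sending an empty mail.
</para>

```shell
#!/bin/sh
# Added example (not from the book): the find(1) checks of this section wrapped
# in reusable functions. Each takes the directory to scan as its argument
# (default shown), so the same checks can be run against a test tree.

# Hidden entries with the suspicious names the text describes: ".. " (dot dot
# space), "..." and any dot-name containing a control character such as ^G.
find_suspicious_hidden() {
    find "${1:-/}" -xdev \( -name '.. ' -o -name '...' -o -name '.*[[:cntrl:]]*' \) -print
}

# SUID (04000) or SGID (02000) regular files, shown with a long listing.
find_suid_sgid() {
    find "${1:-/}" -xdev -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;
}

# Group-writable (020) or world-writable (02) regular files.
find_group_world_writable() {
    find "${1:-/}" -xdev -type f \( -perm -2 -o -perm -20 \) -print
}

# Group- or world-writable directories. Directories with the sticky bit set
# (/tmp, /var/tmp) are skipped: that is the normal safe configuration for a
# shared directory and listing them only adds noise (this exclusion is an
# addition to the book's command).
find_group_world_writable_dirs() {
    find "${1:-/}" -xdev -type d \( -perm -2 -o -perm -20 \) ! -perm -1000 -print
}

# Files or directories whose owner or group no longer exists in /etc/passwd
# or /etc/group. As the text notes, entries under /dev do not count.
find_unowned() {
    find "${1:-/}" -xdev \( -nouser -o -nogroup \) -print
}

# Build the .rhosts report used by the book's daily cron job. Prints nothing
# and returns 1 when no .rhosts file exists, so the caller can skip the mail.
rhosts_report() {
    home=${1:-/home}
    host=${2:-$(uname -n)}
    files=$(find "$home" -xdev -type f -name .rhosts 2>/dev/null)
    [ -n "$files" ] || return 1
    printf 'This is an automated report of possible existent .rhosts files on the server\n'
    printf '%s, generated by the find utility command.\n' "$host"
    printf 'New detected .rhosts files under the %s directory include:\n' "$home"
    printf '%s\n' "$files" | while IFS= read -r f; do
        ls -l "$f"
    done
}

# Cron-style entry point: mail the .rhosts report to root only when there is
# something to report. Run as: sh fs-audit.sh --rhosts
if [ "${1:-}" = "--rhosts" ]; then
    if report=$(rhosts_report /home); then
        printf '%s\n' "$report" | /bin/mail -s "Content of .rhosts file audit report" root
    fi
fi
```

<para>
Saved under <filename class="directory">/etc/cron.daily</filename> (the file name <filename>fs-audit.sh</filename> is an assumption) and invoked with <option>--rhosts</option>, the script replaces the <filename>find_rhosts_files</filename> job above while only mailing root when a <filename>.rhosts</filename> file actually exists; the other functions are meant to be run from a shell, with their output compared against the previous run.
</para>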
</section>
<section><?dbhtml filename="chap5sec63.html"?>
<title>System is compromised!</title>
<para>
If you believe that your system has been compromised, contact <acronym>CERT</acronym> Coordination Center or your representative in <acronym>FIRST</acronym> -Forum of Incident Response and Security Teams.
<address>
Internet Email: <email>cert@cert.org</email>
CERT Hotline:<phone>(+1) 412-268-7090</phone>
Facsimile: <fax>(+1) 412-268-6989</fax>
</address>
<emphasis>
CERT/CC personnel answer 8:00 a.m. to 8:00 p.m. EST (GMT-5)/EDT (GMT-4)
on working days; they are on call for emergencies during other hours and on weekends and
holidays.
</emphasis>
</para>
</section>
</chapter>
<chapter label="6" id="pr3ch6lglc"><?dbhtml filename="gen-optim.html"?>
<title>Linux General Optimization</title>
<highlights>
<para>
At this stage of your configuration, you should have a Linux server that is optimally configured and secured. Our server contains only the most essential packages and programs needed to work properly, and the most essential
general security configuration. Before we continue and begin to install the services we want to share with our clients/users, it is important to tune our Linux server. The tuning we perform in the
following chapter applies to the whole system, to present programs as well as to future ones, such as the services we will install later.
</para>
<para>
Generally, unless you use an x386 Intel processor, Red Hat Linux out
of the box is not optimized for your specific CPU architecture, and most people now run Linux on a Pentium processor. The sections below will guide you through the different steps to optimize your Linux server for your specific
processor, memory, and network, as well as your file system.
</para>
</highlights>
<section><?dbhtml filename="chap6sec64.html"?>
<title>The /etc/profile file</title>
<para>
The <filename>/etc/profile</filename> file contains system-wide environment settings and startup programs. All customizations that you put in this file apply to the environment of every user on your system, so putting optimization
flags in this file is a good choice. To squeeze the most performance from your x86 programs, you can use full optimization when compiling with the <literal>-O9</literal> flag. Many programs contain <literal>-O2</literal> in
the Makefile. <literal>-O9</literal> is the highest level of optimization. It will increase the size of what it produces, but it runs faster.
</para>
<para>
Note that it is not always true that the <literal>-O9</literal> flag will give the best performance for your processor. For an x686 or later processor it surely will, but below x686, not necessarily.
</para>
<para>
When compiling, use the <envar>-fomit-frame-pointer</envar> switch for any kind of processor you may have. This will use the stack for accessing variables. Unfortunately, debugging is almost impossible with this option. You can also use
the <envar>-mcpu=cpu_type</envar> and <envar>-march=cpu_type</envar> switches to optimize the program for the <acronym>CPU</acronym> listed to the best of <acronym>GCC's</acronym> ability. However, the resulting code will only be runnable on
the indicated <acronym>CPU</acronym> or higher.
</para>
<para>
The optimization options apply only when we compile and install a new program in our server. These
optimizations don't play any role in our Linux base system; it just tells our compiler to optimize the new programs that we will install with the optimization flags we have specified in the <filename>/etc/profile</filename> file.
</para>
<para>
Below are the optimization flags that we recommend you put in your <filename>/etc/profile</filename> file depending on your <acronym>CPU</acronym> architecture.
</para>
<procedure>
<title>Recommended optimization flags</title>
<step><para>
For <acronym>CPU</acronym> i686 (<hardware>PentiumPro, Pentium II, Pentium III</hardware>):
In the <filename>/etc/profile</filename> file, put this line for the PentiumPro, Pentium II and Pentium III processor family (the value is quoted so that the shell treats the whole flag list as a single assignment):
<screen>
<envar>CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions"</envar>
</screen>
</para>
<para>
For <acronym>CPU</acronym> <hardware>i586</hardware> (Pentium):
In the <filename>/etc/profile</filename> file, put this line for the Pentium processor family:
<screen>
<envar>CFLAGS="-O3 -march=pentium -mcpu=pentium -ffast-math -funroll-loops -fomit-frame-pointer -fforce-mem -fforce-addr -malign-double -fno-exceptions"</envar>
</screen>
</para>
<para>
For <acronym>CPU</acronym> <hardware>i486</hardware>:
In the <filename>/etc/profile</filename> file, put this line for the <hardware>i486</hardware> processor family:
<screen>
<envar>CFLAGS="-O3 -funroll-all-loops -malign-double -mcpu=i486 -march=i486 -fomit-frame-pointer -fno-exceptions"</envar>
</screen>
</para>
</step>
<step>
<para>
Now, after the selection of your <acronym>CPU</acronym> settings (<hardware>i686, i586, or i486</hardware>), a bit further down in the <filename>/etc/profile</filename> file,
add <envar>CFLAGS LANG LESSCHARSET</envar> to the export line:
<screen>
<command>export</command> <envar>PATH PS1 HOSTNAME HISTSIZE HISTFILESIZE USER LOGNAME MAIL INPUTRC CFLAGS LANG LESSCHARSET</envar>
</screen>
</para>
</step>
<step><para>
Log out and log back in; after this, the new <envar>CFLAGS</envar> environment variable is set, and configure scripts and other build tools will recognize it.
Pentium Pro/II/III optimizations will only work with the egcs or pgcc compilers. The egcs compiler is already installed on your server by default,
so you don't need to worry about it.
</para>
</step>
</procedure>
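<para>
The three steps above are applied below by an added example script (not the book's own code) that writes the <envar>CFLAGS</envar> line into a profile file, adds <envar>CFLAGS</envar> to the export line if it is missing, and verifies by sourcing the file in a subshell that a child process actually sees the variable. The function names and the idea of picking the flag set from the <literal>cpu family</literal> field of <filename>/proc/cpuinfo</filename> are this example's own; the flag strings are the ones recommended above.
</para>

```shell
#!/bin/sh
# Added example (not from the book): apply the /etc/profile CFLAGS procedure of
# this section idempotently and verify the result. The function names and the
# profile-file argument are this example's own; the flag strings are the book's.

# Return the book's recommended CFLAGS for an x86 "cpu family" number as
# reported by /proc/cpuinfo (6 = PentiumPro/II/III, 5 = Pentium, 4 = 486).
cflags_for_family() {
    case $1 in
        6) printf '%s\n' '-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions' ;;
        5) printf '%s\n' '-O3 -march=pentium -mcpu=pentium -ffast-math -funroll-loops -fomit-frame-pointer -fforce-mem -fforce-addr -malign-double -fno-exceptions' ;;
        4) printf '%s\n' '-O3 -funroll-all-loops -malign-double -mcpu=i486 -march=i486 -fomit-frame-pointer -fno-exceptions' ;;
        *) return 1 ;;
    esac
}

# Extract the "cpu family" field from a /proc/cpuinfo-style file.
cpu_family() {
    awk -F: '/^cpu family/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Set CFLAGS in a profile file: replace an existing CFLAGS= line or append one,
# and make sure CFLAGS is named on an export line. The value is double-quoted;
# an unquoted "CFLAGS=-O9 -funroll-loops ..." would be parsed by the shell as
# the command -funroll-loops run with CFLAGS=-O9 in its environment.
set_profile_cflags() {
    profile=$1
    flags=$2
    tmp="$profile.tmp.$$"
    if grep -q '^CFLAGS=' "$profile"; then
        sed "s|^CFLAGS=.*|CFLAGS=\"$flags\"|" "$profile" > "$tmp"
    else
        { cat "$profile"; printf 'CFLAGS="%s"\n' "$flags"; } > "$tmp"
    fi
    if grep -Eq '^export ([^#]* )?CFLAGS( |$)' "$tmp"; then
        mv "$tmp" "$profile"
        return 0
    fi
    # Append CFLAGS to the first export line, or add an export line if none.
    awk '/^export / { if (!done) { $0 = $0 " CFLAGS"; done = 1 } }
         { print }
         END { if (!done) print "export CFLAGS" }' "$tmp" > "$profile"
    rm -f "$tmp"
}

# Source the profile in a throwaway subshell and confirm that a child process
# sees CFLAGS, i.e. that it is both set and exported.
profile_exports_cflags() {
    ( unset CFLAGS; . "$1" >/dev/null 2>/dev/null; sh -c '[ -n "${CFLAGS:-}" ]' )
}

# Usage: sh profile-cflags.sh /etc/profile   (picks the flags for this CPU)
if [ $# -gt 0 ]; then
    set_profile_cflags "$1" "$(cflags_for_family "$(cpu_family)")"
    profile_exports_cflags "$1"
fi
```

<para>
Running the script twice leaves a single <envar>CFLAGS</envar> line and a single export entry, which is what you want from something that may be re-run after a system upgrade. The final check is the one step people skip: an assignment that is not exported is invisible to <command>configure</command> and <command>make</command>, so the flags silently never apply.
</para>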
<para>
Below is the explanation of the different optimization options we use:
<glosslist>
<glossentry><glossterm>
<envar>-funroll-loops</envar>
</glossterm>
<glossdef><para>
The <envar>-funroll-loops</envar> optimization option will perform the optimization of loop unrolling and will do it only for loops whose number of iterations can be
determined at compile time or run time.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><envar>-funroll-all-loops</envar>
</glossterm>
<glossdef><para>
The <envar>-funroll-all-loops</envar> optimization option will also perform the optimization of loop unrolling and is done for all loops.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><envar>-ffast-math</envar>
</glossterm>
<glossdef><para>
The <envar>-ffast-math</envar> optimization option will allow the GCC compiler, in the interest of optimizing code for speed, to violate
some <acronym>ANSI</acronym> or <acronym>IEEE</acronym> rules/specifications.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><envar>-malign-double</envar>
</glossterm>
<glossdef><para>
The <envar>-malign-double</envar> optimization option will control whether the <acronym>GCC</acronym> compiler aligns double, long double, and long long variables on a two-word boundary or a one-word
boundary. This will produce code that runs somewhat faster on a Pentium at the expense of more memory.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><envar>-mcpu=cpu_type</envar>
</glossterm>
<glossdef><para>
The <envar>-mcpu=cpu_type</envar> optimization option will set the default <acronym>CPU</acronym> to use for the machine type when scheduling instructions.
</para>
</glossdef>
</glossentry>
<glossentry>
<glossterm><envar>-fforce-mem</envar>
</glossterm>
<glossdef><para>
The <envar>-fforce-mem</envar> optimization option will produce better code by forcing memory operands to be copied into registers before doing arithmetic on them and by making
all memory references potential common subexpressions.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><envar>-fforce-addr</envar>
</glossterm>
<glossdef><para>
The <envar>-fforce-addr</envar> optimization option will produce better code by forcing memory address constants to be copied into registers before doing arithmetic on them.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><envar>-fomit-frame-pointer</envar>
</glossterm>
<glossdef><para>
The <envar>-fomit-frame-pointer</envar> optimization option, one of the most interesting, will allow the program to not keep the frame pointer in a register for functions that don't need one. This
avoids the instructions to save, set up and restore frame pointers; it also makes an extra register available in many functions, and makes debugging impossible on most machines.
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
All future optimizations that we will describe in this book refer by default to a Pentium II/III <acronym>CPU</acronym> family. So you must, if required, adjust the compilation flags for your specific <acronym>CPU</acronym> processor type in
the <filename>/etc/profile</filename> file and also during your compilation time.
</para>
</important>
</section>
<section id="prt3ch2sc2br"><?dbhtml filename="chap6sec65.html"?>
<title>Benchmark Results</title>
<para>
Summaries by architecture:
depending on your processor architecture and the version of your compiler (<acronym>GCC/EGCS</acronym>), optimization results may vary. The charts below will help you to choose
the best compilation flags for your compiler/<acronym>CPU</acronym> architecture.
The compiler version installed on Red Hat Linux versions 6.1 and 6.2 is egcs 2.91.66, but be sure to check it even so before choosing your compiler
optimization options.
</para>
<para>
To verify the compiler version installed on your system, use the command:
<screen>
[root@deep] /# egcs --version
egcs-2.91.66
</screen>
All benchmark results, and future results, can be retrieved from the <acronym>GCC</acronym> home page at the following address: <link linkend="prtinxfp6">http://egcs.cygnus.com/</link>
</para>
<para>
For a Pentium II/III <acronym>CPU</acronym> (<hardware>i686</hardware>) with compiler version egcs-2.91.66, the best optimization options
would be:
<screen>
<envar>CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions"</envar>
</screen>
<mediaobject>
<imageobject><imagedata fileref="images/i686.gif" format="GIF"/> </imageobject>
<textobject>
<phrase>Optimization chart for i686</phrase>
</textobject>
<caption>
<para>
Comparative analysis chart with the above-mentioned flags
</para>
</caption>
</mediaobject>
</para>
</section>
<section><?dbhtml filename="chap6sec66.html"?>
<title>Benchmark results - i586</title>
<para>
For a Pentium <acronym>CPU</acronym> (<hardware>i586</hardware>) with compiler version egcs-2.91.66, the best optimization options
would be:
<screen>
<envar>CFLAGS="-O3 -march=pentium -mcpu=pentium -ffast-math -funroll-loops -fomit-frame-pointer -fforce-mem -fforce-addr -malign-double -fno-exceptions"</envar>
</screen>
<mediaobject>
<imageobject><imagedata fileref="images/i586.gif" format="GIF"/> </imageobject>
<textobject>
<phrase>Optimization chart for i586</phrase>
</textobject>
<caption>
<para>
Comparative analysis chart with the above-mentioned flags
</para>
</caption>
</mediaobject>
</para>
</section>
<section><?dbhtml filename="chap6sec67.html"?>
<title>Benchmark results - i486</title>
<para>
For an <hardware>i486</hardware> <acronym>CPU</acronym> with compiler version egcs-2.91.66, the best optimization options
would be:
<screen>
<envar>CFLAGS="-O3 -funroll-all-loops -malign-double -mcpu=i486 -march=i486 -fomit-frame-pointer -fno-exceptions"</envar>
</screen>
<mediaobject>
<imageobject><imagedata fileref="images/i486.gif" format="GIF"/> </imageobject>
<textobject>
<phrase>Optimization chart for i486</phrase>
</textobject>
<caption>
<para>
Comparative analysis chart with the above mentioned flags
</para>
</caption>
</mediaobject>
</para>
</section>
<section><?dbhtml filename="chap6sec68.html"?>
<title>The bdflush parameters</title>
<para>
The bdflush file is closely related to the operation of the virtual memory <acronym>VM</acronym> subsystem of the Linux kernel and has a little influence on disk usage. This
file <filename>/proc/sys/vm/bdflush</filename> controls the operation of the bdflush kernel daemon. We generally tune this file to improve file system performance. By changing some
values from the default as shown below, the system seems more responsive; e.g. it waits a little more to write to disk and thus avoids some disk access contention.
</para>
<para>
The default setup for the bdflush parameters under Red Hat Linux is:
<computeroutput>"40 500 64 256 500 3000 500 1884 2"</computeroutput>
To change the values of bdflush, type the following command on your terminal:
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.1.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
<screen>
[root@deep] /# <command>echo</command> "100 1200 128 512 15 5000 500 1884 2" &gt;/proc/sys/vm/bdflush
</screen>
You may add the above commands to the <filename>/etc/rc.d/rc.local</filename> script file and you'll not have to type it again the
next time you reboot your system.
</para>
<para>
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.2.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Improve file system performance
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
</programlisting>
You must restart your network for the change to take effect. The command to manually restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
</para>
<para>
In our example above, according to the <filename>/usr/src/linux/Documentation/sysctl/vm.txt</filename> file:
<glosslist>
<glossentry><glossterm>The first parameter 100 %</glossterm>
<glossdef><para>
governs the maximum number of
dirty buffers in the buffer cache. Dirty means that the contents of the buffer still have to be written to disk as opposed to a clean buffer, which can just be
forgotten about. Setting this to a high value means that Linux can delay disk writes for a long time, but it also means that it will have to do a lot of I/O at once
when memory becomes short. A low value will spread out disk I/O more evenly.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>The second parameter 1200 <emphasis>ndirty</emphasis></glossterm>
<glossdef><para>
This gives the maximum number of dirty buffers that bdflush can write to the disk in one time. A high value will mean delayed, bursty I/O, while a small value can
lead to memory shortage when bdflush isn't woken up often enough.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>The third parameter 128 <emphasis>nrefill</emphasis></glossterm>
<glossdef><para>
This is the number of buffers that bdflush will add to the list of free buffers when refill_freelist() is called. It is necessary to allocate free buffers
beforehand, since the buffers often are of a different size than memory pages and some bookkeeping needs to be done beforehand. The higher the number, the
more memory will be wasted and the less often refill_freelist() will need to run.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>The fourth parameter 512 <emphasis>nref_dirt</emphasis></glossterm>
<glossdef><para>
When <emphasis>refill_freelist()</emphasis> comes across more than nref_dirt dirty buffers, it will wake up bdflush.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm><emphasis>age_buffer</emphasis> <literal>50*HZ</literal>, <emphasis>age_super</emphasis> parameters <literal>5*HZ</literal></glossterm>
<glossdef><para>
Finally, the <emphasis>age_buffer</emphasis> <literal>50*HZ</literal> and <emphasis>age_super</emphasis> parameters <literal>5*HZ</literal> govern the maximum time Linux waits before writing out a dirty buffer to disk. The value is expressed
in jiffies (clockticks); the number of jiffies per second is 100. <emphasis>Age_buffer</emphasis> is the maximum age for data blocks, while <emphasis>age_super</emphasis> is for file system metadata.
</para>
</glossdef>
</glossentry>
<glossentry><glossterm>
The fifth parameter 15 and the last two parameters 1884 and 2
</glossterm>
<glossdef><para>
These are unused by the system, so we don't need to change the defaults.
</para>
</glossdef>
</glossentry>
</glosslist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Look at <filename>/usr/src/linux/Documentation/sysctl/vm.txt</filename> for more information on how to improve kernel parameters related to virtual memory.
</para>
</tip>
</section>
<section><?dbhtml filename="chap6sec69.html"?>
<title>The buffermem parameters</title>
<para>
The buffermem file is also closely related to the operation of the virtual memory <acronym>VM</acronym> subsystem of the Linux kernel. The value in this
file <filename>/proc/sys/vm/buffermem</filename> controls how much memory should be used for buffer memory in percentage. It is important to note that the percentage
is calculated as a percentage of total system memory.
</para>
<para>
The default setup for the buffermem parameters under Red Hat Linux is:
<computeroutput>"2 10 60"</computeroutput>
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.1.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
To change the values of buffermem, type the following command on your terminal:
<screen>
[root@deep] /# <command>echo</command> "70 10 60" &gt;/proc/sys/vm/buffermem
</screen>
You may add the above commands to the <filename>/etc/rc.d/rc.local</filename> script file and you'll not have to type it again the next time you reboot your system.
</para>
<para>
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.2.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<screen>
# Improve virtual memory performance
vm.buffermem = 70 10 60
</screen>
You must restart your network for the change to take effect. The command to manually restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
According to the <filename>/usr/src/linux/Documentation/sysctl/vm.txt</filename> file, the first parameter 80 % means use a minimum of 80 percent of memory for the buffer cache; it is the minimum percentage
of memory that should be spent on buffer memory. The last two parameters 10 and 60 are unused by the system, so we don't need to change the defaults.
</para>
<para>
Depending on the amount of RAM you have in the server, the value of 80% may vary. When your server is highly loaded and all applications are in use, you can see in detail how much memory is required and
used by the system. 80 % for the buffermem parameter seems to be too much for systems under 256 MB of RAM. Running the <command>free</command> <literal>-m</literal> command at the prompt will
display the amount of free and used memory in the system. Once you have executed this <command>free</command> -m command, check the <computeroutput>-/+ buffers/cache:</computeroutput> values
and take the one related to the minimum (-) to set your value for buffermem.
</para>
<example>
<title>For 128 MB of RAM</title>
<para>
<programlisting>
128 * 80% = 102.4 MB
128 - 102.4 = 25.6 MB
</programlisting>
<screen>
[root@deep] /#<command>free</command> -m
</screen>
<literallayout class="monospaced"><computeroutput>
total used free shared buffers cached
Mem: 124 121 3 30 43 48
-/+ buffers/cache: 29 95
Swap: 128 2 126
</computeroutput></literallayout>
The result shows us that the <computeroutput>-/+ buffers/cache:</computeroutput> line needs 29 MB at minimum to run the system properly, while with 128 MB of RAM set at 80% we have only 25.6 MB available. Hmmm! A problem, I guess,
so we go back to the calculator again and do this:
<programlisting>
128 * 70% = 89.6
128 - 89.6 = 38.4 MB
</programlisting>
Well, problem solved!
</para></example>
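<para>
The calculation above can be turned into a small shell function. The following is an added example, not from the book: it takes the used column of the <computeroutput>-/+ buffers/cache:</computeroutput> line from the <command>free</command> <literal>-m</literal> listing (the book's own listing, embedded here as sample input) and steps the percentage down from 80 in tens until total RAM minus the buffer-cache share covers that figure. The installed RAM (128 MB) is passed in by hand, because <command>free</command> reports only the 124 MB the kernel can use. The function names and the step of 10 are choices of this example.
</para>

```shell
#!/bin/sh
# Added example (not from the book): derive a buffermem percentage from the
# "-/+ buffers/cache" line of `free -m`, applying the section's rule that
# total RAM minus the buffer-cache share must cover what the system needs.
# The listing below is the book's own free -m output, embedded as sample input.
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:           124        121          3         30         43         48
-/+ buffers/cache:         29         95
Swap:          128          2        126'

# buffermem_min_used FREE_OUTPUT -> the "used" column of the -/+ buffers/cache
# line, i.e. the MB the system needs once all cache is discarded
buffermem_min_used() {
    printf '%s\n' "$1" | awk '$1 == "-/+" { print $3 }'
}

# buffermem_pct TOTAL_MB NEED_MB -> largest percentage, starting at the book's
# 80 and stepping down by 10, that still leaves at least NEED_MB of TOTAL_MB
# outside the buffer cache; prints 0 and fails if even 10% is too much
buffermem_pct() {
    total_mb=$1; need_mb=$2; pct=80
    while [ "$pct" -gt 0 ]; do
        # MB left for everything else = total * (100 - pct) / 100
        left=$(( total_mb * (100 - pct) / 100 ))
        if [ "$left" -ge "$need_mb" ]; then
            echo "$pct"
            return 0
        fi
        pct=$(( pct - 10 ))
    done
    echo 0
    return 1
}

# buffermem_sysctl_line TOTAL_MB FREE_OUTPUT -> the /etc/sysctl.conf line;
# the last two values (10 60) are the unused defaults the section keeps
buffermem_sysctl_line() {
    need=$(buffermem_min_used "$2")
    pct=$(buffermem_pct "$1" "$need")
    echo "vm.buffermem = $pct 10 60"
}

buffermem_sysctl_line 128 "$SAMPLE_FREE"
```

<para>
The script prints the vm.buffermem line to put in <filename>/etc/sysctl.conf</filename>. Re-run it after the server has been under full load for a while, since the -/+ buffers/cache figure only reflects what has been used so far.
</para>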
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Look at <filename>/usr/src/linux/Documentation/sysctl/vm.txt</filename> for more information on how to improve kernel parameters related to virtual memory.
</para>
</tip>
</section>
<section><?dbhtml filename="chap6sec70.html"?>
<title>The ip_local_port_range parameters</title>
<para>
The <filename>/proc/sys/net/ipv4/ip_local_port_range</filename> defines the local port range that is used by <acronym>TCP</acronym> and <acronym>UDP</acronym> traffic to choose the local
port. You will see in the parameters of this file two numbers: The first number is the first local port allowed for <acronym>TCP</acronym> and <acronym>UDP</acronym> traffic on the server, the
second is the last local port number. For high-usage systems you may change its default parameters to 32768 61000 (first and last).
</para>
<para>
The default setup for the ip_local_port_range parameters under Red Hat Linux is:
<computeroutput>"1024 4999"</computeroutput>
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.1.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
To change the values of ip_local_port_range, type the following command on your terminal:
<screen>
[root@deep] /# <command>echo</command> "32768 61000" &gt;/proc/sys/net/ipv4/ip_local_port_range
</screen>
Add the above commands to the <filename>/etc/rc.d/rc.local</filename> script file and you'll not have to type it again the next time you reboot your system.
</para>
<para>
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.2.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<screen>
# Allowed local port range
net.ipv4.ip_local_port_range = 32768 61000
</screen>
You must restart your network for the change to take effect. The command to manually restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput> </literallayout>
</para>
</section>
<section><?dbhtml filename="chap6sec71.html"?>
<title>The <filename>/etc/nsswitch.conf</filename> file</title>
<para>
The <filename>/etc/nsswitch.conf</filename> file is used to configure which services are to be used to determine information such
as hostnames, password files, and group files. The last two ones, <filename>password</filename> files, and <filename>group</filename>
files in our case are not used, since we don't use <acronym>NIS</acronym> services on our server. Thus, we will focus on the hosts line in this file.
</para>
<para>
Edit the <filename>nsswitch.conf</filename> file vi <filename>/etc/nsswitch.conf</filename> and change the hosts line to read:
<screen>
"hosts: dns files"
</screen>
This means that programs wanting to resolve an address should use <acronym>DNS</acronym> first, and the <filename>/etc/hosts</filename>
file if the <acronym>DNS</acronym> servers are not available or can't resolve the address.
</para>
<para>
Also, we would recommend deleting all instances of <acronym>NIS</acronym> services from each line of this file unless you are
using <acronym>NIS</acronym>! The result should look like this:
<programlisting>
passwd:files
shadow:files
group:files
hosts:dns files
bootparams:files
ethers:files
netmasks:files
networks:files
protocols:files
rpc:files
services:files
automount:files
aliases:files
</programlisting>
</para>
</section>
<section><?dbhtml filename="chap6sec72.html"?>
<title>
The file-max parameter
</title>
<para>
The file-max file <filename>/proc/sys/fs/file-max</filename> sets the maximum number of file-handles that the Linux kernel will allocate. We generally
tune this file to improve the number of open files by increasing the value of <filename>/proc/sys/fs/file-max</filename> to something reasonable
like 256 for every 4 MB of <acronym>RAM</acronym> we have: i.e. for a machine with 128 MB of <acronym>RAM</acronym>, set it to 8192 (128/4 = 32; 32 * 256 = 8192).
</para>
<para>
The default setup for the file-max parameter under Red Hat Linux is:
<computeroutput> "4096"</computeroutput>
To adjust the value of file-max for 128 MB of <acronym>RAM</acronym>, type the following on your terminal:
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.1.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
<screen>
[root@deep] /# <command>echo</command> "8192" &gt;/proc/sys/fs/file-max
</screen>
Add the above commands to the <filename>/etc/rc.d/rc.local</filename> script file and you'll not have to type it again the next time your server reboots.
</para>
<para>
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.2.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<screen>
# Improve the number of open files
fs.file-max = 8192
</screen>
You must restart your network for the change to take effect. The command to manually restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
When you regularly receive from your server a lot of messages with errors about running out of open files, you might want to raise this
limit. The default value is 4096. A file server or web server needs a lot of open files.
</para>
</tip>
</section>
<section>
<title>The ulimit parameter</title>
<para>
Linux itself has a Max Processes per user limit. This feature allows us to control the number of processes an existing user on the server may be authorized
to have. To improve performance, we can safely set the limit of processes for the super-user root to be unlimited.
Edit the <filename>.bashrc</filename> file vi <filename>/root/.bashrc</filename> and add the following line:
<screen>
<command>ulimit</command> -u unlimited
</screen>
You must exit and re-login from your terminal for the change to take effect.
<informalexample>
<screen>
[root@deep] /# <command>ulimit</command> -a
</screen>
<programlisting>
core file size (blocks) 1000000
data seg size (kbytes) unlimited
file size (blocks) unlimited
max memory size (kbytes) unlimited
stack size (kbytes) 8192
cpu time (seconds) unlimited
max user processes unlimited <co id="rhomp1"/>
pipe size (512 bytes) 8
open files 1024
virtual memory (kbytes) 2105343
</programlisting>
<calloutlist>
<callout arearefs="rhomp1">
<para>
Make sure that when you type as root the command <command>ulimit</command> <literal>-a</literal> on your terminal, it shows <envar>unlimited</envar> next to
max user processes.
</para>
</callout>
</calloutlist>
</informalexample>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You may also do <command>ulimit</command> <literal>-u</literal> unlimited at the command prompt instead of adding it to the <filename>/root/.bashrc</filename> file.
</para>
</tip>
<para>
Increasing the system limit on open files: for instance, a process on Red Hat 6.0 with kernel 2.2.5 could open at least 31000 file descriptors this way, and a process on kernel 2.2.12 can open at
least 90000 file descriptors this way. The upper bound seems to be available memory. To increase the number of open files to 90000 for the root account, do the following:
edit the <filename>.bashrc</filename> file vi <filename>/root/.bashrc</filename> and add the following line:
<screen>
<command>ulimit</command> -n 90000
</screen>
You must exit from your terminal and re-login for the change to take effect.
</para>
<para>
<screen>
[root@deep] /# <command>ulimit</command> -a
</screen>
<programlisting>
core file size (blocks) 1000000
data seg size (kbytes) unlimited
file size (blocks) unlimited
max memory size (kbytes) unlimited
stack size (kbytes) 8192
cpu time (seconds) unlimited
max user processes unlimited
pipe size (512 bytes) 8
open files 90000 <co id="rhopf1"/>
virtual memory (kbytes) 2105343
</programlisting>
<calloutlist>
<callout arearefs="rhopf1">
<para>
Make sure that when you type as root the command <command>ulimit</command> <literal>-a</literal> on your terminal, it
shows 90000 next to open files.
</para>
</callout>
</calloutlist>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
In older 2.2 kernels, though, the number of open files per process is still limited to 1024, even with the above changes.
</para>
</note>
</para>
</section>
<section id="pr2ch6scntm"><?dbhtml filename="chap6sec73.html"?>
<title>The atime and noatime attribute</title>
<para>
Linux records information about when files were created and last modified, as well as when they were last accessed. There is a cost associated with recording the last access
time. The ext2 file system of Linux has an attribute that allows the super-user to mark individual files such that their last access time is not recorded. This may lead
to significant performance improvements on often accessed, frequently changing files such as the contents of the <filename class="directory">/var/spool/news</filename> directory.
</para>
<para>
To set the attribute to a file, use:
<screen>
[root@deep] /#<command>chattr</command> +A filename <co id="sctult1"/>
</screen>
<calloutlist><callout arearefs="sctult1"><para>
<emphasis>For a specific file</emphasis>
</para></callout></calloutlist>
</para>
<para>
For a whole directory tree, do something like:
<screen>
[root@deep /root]#<command>chattr</command> -R +A /var/spool/ <co id="sctult2"/>
[root@deep /root]#<command>chattr</command> -R +A /cache/ <co id="sctult3"/>
[root@deep /root]#<command>chattr</command> -R +A /home/httpd/ona/ <co id="sctult4"/>
</screen>
<calloutlist>
<callout arearefs="sctult2"><para>
<emphasis>For news and mail</emphasis>
</para></callout>
<callout arearefs="sctult3"><para>
<emphasis>For proxy caches</emphasis>
</para></callout>
<callout arearefs="sctult4"><para>
<emphasis>For web pages</emphasis>
</para></callout>
</calloutlist>
</para>
<para>
Linux has a special mount option for file systems called <emphasis>noatime</emphasis> that can be added to each line that addresses one file system in the <filename>/etc/fstab</filename> file. If
a file system has been mounted with this option, reading accesses to the file system will no longer result in an update to the atime information associated with the file like
we have explained above. The importance of the noatime setting is that it eliminates the need by the system to make writes to the file system for files which are simply
being read. Since writes can be somewhat expensive, this can result in measurable performance gains. Note that the write time information to a file will continue to be updated
anytime the file is written to. In our example below, we will set the noatime option to our <filename class="directory">/chroot</filename> file system.
</para>
<para>
Edit the <filename>fstab</filename> file vi <filename>/etc/fstab</filename> and, in the line that refers to the <filename class="directory">/chroot</filename> file system, add the noatime option after the
defaults option as shown below:
<screen>
/dev/sda7 /chroot ext2 defaults,noatime 1 2
</screen>
</para>
<para>
You need not reboot your system for the change to take effect, just make the Linux system aware about the modification you have made to the <filename>/etc/fstab</filename> file. This can be accomplished
with the following commands:
<screen>
[root@deep] /#<command>mount</command> -oremount /chroot/
</screen>
</para>
<para>
Then test your results with the following command:
<screen>
[root@deep]# <command>cat</command> /proc/mounts
</screen>
<literallayout><computeroutput>
/dev/root / ext2 rw 0 0
/proc /proc proc rw 0 0
/dev/sda1 /boot ext2 rw 0 0
/dev/sda8 /cache ext2 rw 0 0
/dev/sda7 /chroot ext2 rw,noatime 0 0
/dev/sda6 /home ext2 rw 0 0
/dev/sda11 /tmp ext2 rw 0 0
/dev/sda5 /usr ext2 rw 0 0
/dev/sda9 /var ext2 rw 0 0
none /dev/pts devpts rw 0 0
</computeroutput></literallayout>
If you see something like:<computeroutput> /dev/sda7 /chroot ext2 rw,noatime 0 0</computeroutput>, congratulations!
</para>
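<para>
Editing <filename>/etc/fstab</filename> by hand and then reading <filename>/proc/mounts</filename> by eye is what the section describes; the following shell script is an added example, not from the book, that does both steps on copies of the data. It adds noatime to the options field of one mount point without duplicating it when the option is already there, and it checks a mount table listing for the option afterwards. Both inputs are constructed from the section's own <filename>/etc/fstab</filename> line and <filename>/proc/mounts</filename> output; the function names are choices of this example.
</para>

```shell
#!/bin/sh
# Added example (not from the book): add the noatime option to one mount
# point in an fstab-style listing without duplicating it, and check a
# /proc/mounts-style listing for the option afterwards. Both inputs below are
# constructed from the section's own /etc/fstab line and /proc/mounts output.
SAMPLE_FSTAB='/dev/sda7 /chroot ext2 defaults 1 2
/dev/sda8 /cache ext2 defaults 1 2'

SAMPLE_MOUNTS='/dev/sda7 /chroot ext2 rw,noatime 0 0
/dev/sda8 /cache ext2 rw 0 0'

# fstab_add_noatime FSTAB MOUNTPOINT -> FSTAB with noatime appended to the
# options field (column 4) of MOUNTPOINT; lines already carrying it, and all
# other lines, pass through unchanged
fstab_add_noatime() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            n = split($4, opts, ",")
            has = 0
            for (i = n; i > 0; i--) if (opts[i] == "noatime") has = 1
            if (!has) $4 = $4 ",noatime"
        }
        { print }'
}

# mount_has_option MOUNTS MOUNTPOINT OPTION -> exit 0 if the mount table
# lists OPTION for MOUNTPOINT (the check the section does by eye)
mount_has_option() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = n; i > 0; i--) if (opts[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Show the rewritten fstab, then verify against the mount table. On a real
# system: write the output to a copy, diff it against /etc/fstab, install it,
# then "mount -o remount /chroot" and run the check on "cat /proc/mounts".
fstab_add_noatime "$SAMPLE_FSTAB" /chroot
if mount_has_option "$SAMPLE_MOUNTS" /chroot noatime; then
    echo "/chroot is mounted noatime"
fi
```

<para>
The check compares whole option names, so a listing with rw,noatime passes while one with only rw fails, which is exactly what the section asks you to look for in the <filename>/proc/mounts</filename> output.
</para>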
</section>
<section><?dbhtml filename="chap6sec74.html"?>
<title>Tuning <acronym>IDE</acronym> Hard Disk Performance</title>
<para>
Putting your swap partitions near the beginning of your drive (see <link linkend="pr1ch25lk1">this chart</link> to get a better idea) may give you some acceptable improvement. The beginning of the drive is physically located on the outer portion of the
cylinder, and the read/write head can cover much more ground per revolution. We typically see partitions placed at the end of the drive work 3MB/s slower using the <userinput>hdparm -t</userinput> command.
</para>
<para>
Performance increases have been reported on massive disk I/O operations by setting the <acronym>IDE</acronym> drivers to use DMA, 32-bit transfers and multiple sector modes. The kernel seems to use more conservative settings
unless told otherwise. The magic command to change the settings of your drive is <command>hdparm</command>.
To enable 32-bit I/O over the <acronym>PCI</acronym> buses, use the command:
<screen>
[root@deep] /#<command> /sbin/hdparm</command> -c1 /dev/hda <emphasis>or hdb, hdc etc</emphasis>.
</screen>
This will usually, depending on your <acronym>IDE</acronym> Disk Drive model, cut the timing buffered disk reads time by a factor of 2. The <citerefentry><refentrytitle>hdparm</refentrytitle><manvolnum>8</manvolnum></citerefentry> manpage says that you may need to use -c 3 for some chipsets. All (E)<acronym>IDE</acronym>
drives still have only a 16-bit connection over the ribbon cable from the interface card.
To enable <acronym>DMA</acronym>, use the command:
<screen>
[root@deep] /#<command> /sbin/hdparm</command> -d1 /dev/hda <emphasis>or hdb, hdc etc</emphasis>.
</screen>
This may depend on support for your motherboard chipset being compiled into your kernel. Also, this command will enable <acronym>DMA</acronym> support for your hard drive; it will cut the timing buffered disk reads time and
will improve the performance by a factor of 2.
To enable multiword <acronym>DMA</acronym> mode 2 transfers, use the command:
<screen>
[root@deep] /#<command>/sbin/hdparm</command> -d1 -X34 /dev/hda <emphasis>or hdb, hdc etc</emphasis>.
</screen>
This sets the <acronym>IDE</acronym> transfer mode for newer (E)<acronym>IDE</acronym>/ATA2 drives; check your hardware manual to see if you have it.
To enable Ultra<acronym>DMA</acronym> mode2 transfers, use the command:
<screen>
[root@deep] /#<command> /sbin/hdparm</command> -d1 -X66 /dev/hda <emphasis>or hdb, hdc etc</emphasis>.
</screen>
</para>
<para>
You'll need to prepare the chipset for Ultra<acronym>DMA</acronym> beforehand. Also, see your manual page about hdparm for more information. Use this with extreme caution!
To set multiple sector mode I/O, use the command:
<screen>
[root@deep] /#<command>/sbin/hdparm</command> -m XX /dev/hda <emphasis>or hdb, hdc etc</emphasis>.
</screen>
Where XX is the maximum setting supported by your drive. The -i flag can be used to find the maximum setting supported by an installed drive: look for MaxMultSect in the output.
<screen>
[root@deep] /#<command>/sbin/hdparm</command> -i /dev/hda <emphasis>or hdb, hdc etc</emphasis>.
</screen>
</para>
<para>
<informalexample>
<literallayout class="monospaced"><computeroutput>
/dev/hda:
Model=Maxtor 7540 AV, FwRev=GA7X4647, SerialNo=L1007YZS
Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>5Mbs FmtGapReq }
RawCHS=1046/16/63, TrkSize=0, SectSize=0, ECCbytes=11
BuffType=3(DualPortCache), BuffSize=32kB, MaxMultSect=8, MultSect=8
DblWordIO=yes, maxPIO=2(fast), DMA=yes, maxDMA=1(medium)
CurCHS=523/32/63, CurSects=379584528, LBA=yes, LBA=yes, LBAsects=1054368
tDMA={min:150,rec:150}, DMA modes: sword0 sword1 *sword2 *mword0
IORDY=on/off, tPIO={min:240,w/IORDY:180}, PIO modes: mode3
</computeroutput>
</literallayout>
</informalexample>
</para>
<para>
Multiple sector mode aka <acronym>IDE</acronym> Block Mode, is a feature of most modern <acronym>IDE</acronym> hard drives, permitting the transfer of multiple sectors per I/O
interrupt, rather than the usual one sector per interrupt. When this feature is enabled, it typically reduces operating system overhead for disk I/O by 30-50%. On many systems
it also provides increased data throughput of anywhere from 5% to 50%.
You can test the results of your changes by running hdparm in performance test mode:
<screen>
[root@deep] /#<command>/sbin/hdparm</command> -t /dev/hda <emphasis>or hdb, hdc etc</emphasis>.
</screen>
</para>
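<para>
The identification block above contains everything needed to pick the flags this section describes. The following shell script is an added example, not from the book and not part of the hdparm project: it pulls DblWordIO, DMA and MaxMultSect out of the <command>hdparm</command> <literal>-i</literal> output (the book's Maxtor listing, embedded here as sample input) and prints the <command>hdparm</command> command it suggests, which you then review and run by hand. The -X transfer-mode flags are deliberately left out, since the section says the chipset has to be prepared for them first. The function names are choices of this example.
</para>

```shell
#!/bin/sh
# Added example (not from the book or the hdparm project): parse the
# identification block that "hdparm -i" prints and derive the flags this
# section describes. The command is only printed for review, never run.
# Sample input: the book's Maxtor listing, embedded here.
SAMPLE_HDPARM_I='/dev/hda:
Model=Maxtor 7540 AV, FwRev=GA7X4647, SerialNo=L1007YZS
Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>5Mbs FmtGapReq }
RawCHS=1046/16/63, TrkSize=0, SectSize=0, ECCbytes=11
BuffType=3(DualPortCache), BuffSize=32kB, MaxMultSect=8, MultSect=8
DblWordIO=yes, maxPIO=2(fast), DMA=yes, maxDMA=1(medium)
CurCHS=523/32/63, CurSects=379584528, LBA=yes, LBA=yes, LBAsects=1054368
tDMA={min:150,rec:150}, DMA modes: sword0 sword1 *sword2 *mword0
IORDY=on/off, tPIO={min:240,w/IORDY:180}, PIO modes: mode3'

# hdparm_field OUTPUT NAME -> value of the first "NAME=value" field in OUTPUT
# (fields are comma separated; an absent field yields an empty string)
hdparm_field() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n "s/^[[:space:]]*$2=\([^,[:space:]]*\).*/\1/p" | head -n 1
}

# hdparm_tuning_flags OUTPUT -> the flags to pass to hdparm:
#   -c1 when the drive reports DblWordIO=yes (32-bit I/O, see above),
#   -d1 when it reports DMA=yes,
#   -m N with N taken from MaxMultSect (multiple sector mode).
# The -X transfer-mode flags are left out on purpose: the section says the
# chipset must be prepared first, so those stay a manual decision.
hdparm_tuning_flags() {
    out=$1; flags=""
    if [ "$(hdparm_field "$out" DblWordIO)" = yes ]; then flags="$flags -c1"; fi
    if [ "$(hdparm_field "$out" DMA)" = yes ]; then flags="$flags -d1"; fi
    mult=$(hdparm_field "$out" MaxMultSect)
    case "$mult" in
        ''|*[!0-9]*) ;;                  # missing or not a number: skip -m
        *) flags="$flags -m$mult" ;;
    esac
    printf '%s\n' "${flags# }"
}

# hdparm_suggest OUTPUT DEVICE -> the full command line to review
hdparm_suggest() {
    printf '/sbin/hdparm %s %s\n' "$(hdparm_tuning_flags "$1")" "$2"
}

hdparm_suggest "$SAMPLE_HDPARM_I" /dev/hda
```

<para>
For the sample drive the script prints <userinput>/sbin/hdparm -c1 -d1 -m8 /dev/hda</userinput>. Run <command>hdparm</command> <literal>-t</literal> before and after applying it so you have a measured result, not just the flags, to keep in <filename>/etc/rc.d/rc.local</filename>.
</para>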
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Once you have a set of hdparm options, you can put the commands in your <filename>/etc/rc.d/rc.local</filename> file to run it every time you reboot the machine.
</para>
</tip>
</section>
<section><?dbhtml filename="chap6sec75.html"?>
<title>Better manage your <acronym>TCP/IP</acronym> resources</title>
<para>
This hack lowers the default timeout values for <acronym>TCP/IP</acronym> connections so that more connections can be handled in the same time by your TCP/IP stack. The following
will decrease the amount of time your Linux box takes to finish closing a connection and the amount of time before it will kill a stale connection.
This will also turn off some <acronym>IP</acronym> extensions that aren't needed.
The default setup for the <acronym>TCP/IP</acronym> parameters we'll change under Red Hat Linux is:
<itemizedlist>
<listitem><para>
For the tcp_fin_timeout <literal>180</literal>
</para></listitem>
<listitem><para>
For the tcp_keepalive_time <literal>7200</literal>
</para></listitem>
<listitem><para>
For the tcp_window_scaling <literal>1</literal>
</para></listitem>
<listitem><para>
For the tcp_sack <literal>1</literal>
</para></listitem>
<listitem><para>
For the tcp_timestamps <literal>1</literal>
</para></listitem>
</itemizedlist>
</para>
<para>
To adjust the new <acronym>TCP/IP</acronym> values, type the following commands on your terminal:
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.1.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
<screen>
[root@deep] /#<command>echo</command> 30 &gt;/proc/sys/net/ipv4/tcp_fin_timeout
[root@deep] /#<command>echo</command> 1800 &gt;/proc/sys/net/ipv4/tcp_keepalive_time
[root@deep] /#<command>echo</command> 0 &gt;/proc/sys/net/ipv4/tcp_window_scaling
[root@deep] /#<command>echo</command> 0 &gt;/proc/sys/net/ipv4/tcp_sack
[root@deep] /#<command>echo</command> 0 &gt;/proc/sys/net/ipv4/tcp_timestamps
</screen>
Execute the above commands and put them in your <filename>/etc/rc.d/rc.local</filename> file so you don't need to type them again each time your system reboots.
</para>
<para>
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.2.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following lines:
<programlisting>
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 30
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
</programlisting>
You must restart your network for the change to take effect. The command to manually restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
</para>
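<para>
Every sysctl section in this chapter (bdflush, buffermem, ip_local_port_range, file-max and the <acronym>TCP/IP</acronym> values above) ends the same way: add a line to <filename>/etc/sysctl.conf</filename> and restart the network. Two things go wrong in practice: the same key gets appended twice, and a mistyped key is silently ignored, so the file says one thing and the kernel another. The following shell script is an added example, not from the book and not part of Red Hat's sysctl tooling: it rewrites an existing key line instead of appending a duplicate, and it compares the value recorded in the file with what the kernel reports under <filename class="directory">/proc/sys</filename>. The PROCROOT argument and the helper names are assumptions of this example, so the check can be exercised on a scratch directory before touching the real files.
</para>

```shell
#!/bin/sh
# Added example (not from the book): idempotent editing of a sysctl.conf-style
# file plus a check that the running kernel value matches the file.
# Hypothetical helper names; the PROCROOT argument ("/" for the real kernel)
# only exists so the check can be tried on a scratch tree.

# collapse runs of whitespace: the kernel prints multi-value keys such as
# vm.bdflush tab separated, while sysctl.conf uses spaces
norm_ws() {
    tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# escape the dots of a sysctl key so grep/sed match it literally
key_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_sysctl_entry FILE KEY VALUE: replace an existing "KEY = ..." line, or
# append one if the key is not in the file yet; never leaves two copies
set_sysctl_entry() {
    conf=$1; key=$2; value=$3
    [ -f "$conf" ] || touch "$conf"
    pat=$(key_regex "$key")
    tmp="$conf.tmp.$$"
    # grep -v exits 1 when nothing is left, which is not an error here
    { grep -v "^[[:space:]]*$pat[[:space:]]*=" "$conf" || true; } > "$tmp"
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# sysctl_file_value FILE KEY -> the value recorded for KEY in FILE
sysctl_file_value() {
    pat=$(key_regex "$2")
    sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | norm_ws
}

# proc_value PROCROOT KEY -> the kernel's current value, read below
# PROCROOT/proc/sys with the dots of KEY turned into slashes
proc_value() {
    cat "$1/proc/sys/$(printf '%s' "$2" | tr . /)" | norm_ws
}

# sysctl_applied PROCROOT FILE KEY -> exit 0 if kernel and file agree
sysctl_applied() {
    [ "$(proc_value "$1" "$3")" = "$(sysctl_file_value "$2" "$3")" ]
}

# Dry run on a scratch tree that mimics a kernel already holding the value.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/proc/sys/net/ipv4"
printf '30\n' > "$demo_root/proc/sys/net/ipv4/tcp_fin_timeout"
demo_conf="$demo_root/sysctl.conf"
printf '# Allowed local port range\nnet.ipv4.ip_local_port_range = 32768 61000\n' > "$demo_conf"
set_sysctl_entry "$demo_conf" net.ipv4.tcp_fin_timeout 180
set_sysctl_entry "$demo_conf" net.ipv4.tcp_fin_timeout 30   # replaces, does not append
if sysctl_applied "$demo_root" "$demo_conf" net.ipv4.tcp_fin_timeout; then
    echo "net.ipv4.tcp_fin_timeout: file and kernel agree"
fi
cat "$demo_conf"
rm -rf "$demo_root"
```

<para>
On the real server you would call the functions with <filename>/etc/sysctl.conf</filename> and a PROCROOT of <filename class="directory">/</filename>, restart the network as the sections above describe, and then run the check for each key you changed; a key that fails the check was either mistyped or is not known to the running kernel, and in both cases the file is not doing what you think it does.
</para>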
</section>
</chapter>
<chapter label="7" id="pr3ch7lnke"><?dbhtml filename="secopt-kernel.html"?>
<title>Configuring and Building a Secure, Optimized Kernel</title>
<highlights>
<para>
Well, our Linux server seems to be getting in shape now! But wait, what is the most important part of our server? Yes, it's the kernel. The Linux kernel is the core of our operating
system, and without it there is no Linux at all. So we must take care of our kernel, configure it to fit our needs and compile in just the features we really need. The first thing to do
next is to build a kernel that best suits your system. It's very simple to do but, in any case, refer to the README file in the /usr/src/linux/ directory. When configuring your kernel,
only compile in code that you need and use. A few main reasons that come to mind are:
<itemizedlist>
<listitem><para>
The kernel will be faster (less code to run),
</para>
</listitem>
<listitem><para>
You will have more memory (kernel parts are NEVER swapped to the virtual memory),
</para>
</listitem>
<listitem><para>
More stable (try probing for a non-existent card?),
</para>
</listitem>
<listitem><para>
Unnecessary parts can be used by an attacker to gain access to the
machine or other machines on the network.
</para>
</listitem>
<listitem><para>
Modules are also slower than support compiled directly in the kernel.
</para>
</listitem>
</itemizedlist>
</para>
</highlights>
<section id="prt3ch3sc1pi"><?dbhtml filename="chap7sec76.html"?>
<title>Pre-Install</title>
<para>
In our configuration and compilation we will build a monolithic kernel. Building a monolithic kernel means answering only <userinput>Yes</userinput> or <userinput>No</userinput> to the
questions, <emphasis>making nothing modular and omitting the steps</emphasis>:
<itemizedlist spacing="compact" mark="bullet">
<listitem><para>
make modules
</para>
</listitem>
<listitem><para>
make modules_install
</para>
</listitem>
</itemizedlist>
Also, we will patch our new kernel with the buffer overflow protection from kernel patches. Patches for the Linux kernel exist, like Solar Designer's non-executable stack patch, which disallows the execution of
code on the stack, making a number of buffer overflow attacks harder - and defeating completely a number of current exploits used by "script kiddies" worldwide.
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Remember to only answer <userinput>Yes</userinput> or <userinput>No</userinput> to the questions when configuring your new kernel if you intend to build a monolithic kernel. If you intend to use firewall masquerading functions or a dial-up ppp connection, you
cannot build a monolithic kernel, since these functions require some modules to be built by default. Build a modularized kernel instead.
</para>
</important>
</para>
<para>
A new kernel is very specific to your computer hardware. In the kernel configuration part, <emphasis>we are using the following hardware for our example</emphasis>; of course you must change these to fit your system components.
<simplelist type="vert" columns="1">
<member>
1 Pentium II 400 MHz (i686) processor</member>
<member>
1 Motherboard <acronym>SCSI</acronym></member>
<member>
1 Hard Disk <acronym>SCSI</acronym></member>
<member>
1 <acronym>SCSI</acronym> Controller Adaptec AIC 7xxx</member>
<member>
1 CD-ROM ATAPI <acronym>IDE</acronym></member>
<member>
1 Floppy Disk</member>
<member>
2 Ethernet Cards Intel EtherExpressPro 10/100</member>
<member>
1 Mouse PS/2</member>
</simplelist>
</para>
<para>
These installation instructions assume:
<simplelist type="vert" columns="1">
<member>
Commands are Unix-compatible.</member>
<member>
The source path is <filename class="directory">/usr/src</filename>.</member>
<member>
Installations were tested on Red Hat Linux 6.1 and 6.2.</member>
<member>
All steps in the installation will happen in super-user account root.</member>
<member>
Latest Kernel version number is 2.2.14</member>
<member>
Latest Secure Linux Kernel Patches version number is 2_2_14-ow2</member>
</simplelist>
</para>
<para>
All the packages mentioned below were available at the following sites as of this writing; additional information about mirror
sites can be found on their respective home pages.
<itemizedlist>
<listitem><para>
Kernel Homepage: <link linkend="prtinxfp7">http://www.kernelnotes.org/</link>
</para>
<para>
Be sure to download: linux-2_2_14_tar.gz
</para>
<para>
Kernel <acronym>FTP</acronym> Site: 139.142.90.113
</para>
</listitem><listitem>
<para>
Secure Linux Kernel Patches Homepage: <link linkend="prtinxfp71">http://www.openwall.com/linux/</link>
</para>
<para>
You must be sure to download: linux-2_2_14-ow2_tar.gz
</para>
<para>
Secure Linux Kernel Patches <acronym>FTP</acronym> Site: 195.42.162.180
</para>
</listitem>
</itemizedlist>
</para>
<section>
<title>Make an emergency boot floppy</title>
<para>
The first pre-install step is to make an emergency boot floppy. Linux has a small utility named mkbootdisk to do just this. First, find out which kernel version you are currently running: check
your <filename>/etc/lilo.conf</filename> file to see which image was booted, and from this image we can find the kernel version we need to make our emergency boot floppy.
<screen>
[root@deep] /#<command>cat</command> /etc/lilo.conf
</screen>
</para>
<para>
In my example, I have the following in the <filename>lilo.conf</filename> file:
<informalexample>
<programlisting>
boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
image=/boot/vmlinuz-2.2.12-20 <co id="lilcnf1"/>
label=linux <co id="lilcnf2"/>
root=/dev/sda6
initrd=/boot/initrd-2.2.12-20.img
read-only
</programlisting>
<calloutlist>
<callout arearefs="lilcnf1"><para>
<emphasis>the kernel version</emphasis>
</para></callout>
<callout arearefs="lilcnf2"><para>
<emphasis>the image we booted from</emphasis>
</para></callout>
</calloutlist>
</informalexample>
</para>
<para>
Now you'll need to find the image that you booted from. On a standard new first install, it will be the one labeled linux. In the above example we show that the machine booted using
<filename>/boot/vmlinuz-2.2.12-20</filename>, the original kernel version of the system. Now we simply need to put a formatted 1.44 MB floppy in the drive and execute the following command as root:
<screen>
[root@deep] /#<command>mkbootdisk</command> --device /dev/fd0 2.2.12-20
</screen>
<literallayout class="normal">
<computeroutput>
Insert a disk in /dev/fd0. Any information on the disk will be lost.
Press &lt;Enter&gt; to continue or <keycombo action="press"><keycap>^C</keycap></keycombo> to abort:
</computeroutput>
</literallayout>
Following these guidelines, you will now have a boot floppy with a known working kernel in case of problems with the upgrade. I recommend rebooting the system with the floppy to
make sure that the floppy works correctly.
</para>
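<para>
As an added example that is not part of the book, the following shell functions automate the lilo.conf check described above: they print the version suffix of the image lilo boots by default (honouring a <literal>default=</literal> line, otherwise the first image) and refuse to produce the mkbootdisk command when the matching /boot/vmlinuz-version file is missing, since that is what mkbootdisk copies to the floppy. The lilo.conf contents and the boot directory used here are constructed sample data.
<programlisting><![CDATA[
```shell
#!/bin/sh
# Added example, not from the book: find the kernel version lilo boots by
# default and check the image exists before handing the version to mkbootdisk.

# lilo_default_kernel_version: read lilo.conf text on stdin and print the
# version suffix of the image lilo boots by default ("default=<label>" when
# present, otherwise the first image= stanza). Returns 1 if none is found.
lilo_default_kernel_version() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^default=/ { def = substr($0, 9) }
        /^image=/   { n++; img[n] = substr($0, 7) }
        /^label=/   { lbl[n] = substr($0, 7) }
        END {
            if (n == 0) exit 1
            pick = 1
            for (i = 1; i <= n; i++) if (def != "" && lbl[i] == def) pick = i
            # the version is whatever follows "vmlinuz-" in the image path
            if (match(img[pick], /vmlinuz-/)) {
                print substr(img[pick], RSTART + RLENGTH)
                exit 0
            }
            exit 1
        }'
}

# kernel_image_present BOOTDIR VERSION: succeed only if BOOTDIR/vmlinuz-VERSION
# exists, which is the file mkbootdisk copies onto the floppy.
kernel_image_present() {
    [ -f "$1/vmlinuz-$2" ]
}

# mkbootdisk_cmdline BOOTDIR LILOCONF: print the mkbootdisk command for the
# default kernel, or fail if the image it names is missing from BOOTDIR.
mkbootdisk_cmdline() {
    _ver=$(lilo_default_kernel_version < "$2") || return 1
    kernel_image_present "$1" "$_ver" || return 1
    printf 'mkbootdisk --device /dev/fd0 %s\n' "$_ver"
}

# Constructed lilo.conf modelled on the one shown above (sample data).
LILO_CONF_SAMPLE='boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
image=/boot/vmlinuz-2.2.12-20
        label=linux
        root=/dev/sda6
        initrd=/boot/initrd-2.2.12-20.img
        read-only'

# The same file after a second kernel was added and made the default (sample data).
LILO_CONF_TWO_KERNELS="default=linux-new
$LILO_CONF_SAMPLE
image=/boot/vmlinuz-2.2.14
        label=linux-new
        root=/dev/sda6
        read-only"
```
]]></programlisting>
</para>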
</section>
</section>
<section><?dbhtml filename="chap7sec77.html"?>
<title>Uninstallation and Optimization</title>
<procedure>
<step>
<para>
We must copy the archive file of the Kernel to the <filename class="directory">/usr/src</filename> directory and move to this directory.
<screen>
[root@deep] /#<command>cp</command> linux-version_tar.gz /usr/src/
[root@deep] /#<command>cd</command> /usr/src/
</screen>
The following steps are required only if you have already installed a Linux kernel from a tar archive before. If this is the first, fresh install of a Linux kernel, then instead uninstall
the kernel-headers-version.i386.rpm and kernel-version.i386.rpm packages that are on your system, as shown further down in this step.
Remove the Linux symbolic link with the following command:
<screen>
[root@deep ] /src#<command>rm</command> -rf linux
</screen>
Remove the Linux kernel headers directory with the following command:
<screen>
[root@deep ] /src#<command>rm</command> -rf linux-2.2.xx
</screen>
Remove the Linux kernel modules directory with the following command:
<screen>
[root@deep ] /src#<command>rm</command> -rf /lib/modules/2.2.xx
</screen>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Removing the old kernel modules is required only if you have installed a modularized kernel version before. If the modules directory doesn't exist under
the <filename>/lib</filename> directory it's because your old kernel version is not a modularized kernel.
</para>
</important>
If the original kernel <acronym>RPM</acronym> packages are installed on your system instead of a Linux kernel tar archive, because you have just finished installing your new Linux system or
have used an <acronym>RPM</acronym> package before to upgrade your Linux system, then use the following commands to uninstall the Linux kernel.
You can verify that a kernel <acronym>RPM</acronym> package is installed on your system with the following command:
<screen>
[root@deep ] /src#<command>rpm</command> -qa |<command>grep</command> kernel
</screen>
<literallayout><computeroutput>
kernel-headers-2.2.xx.i386.rpm
kernel-2.2.xx.i386.rpm
</computeroutput>
</literallayout>
To uninstall the Linux kernel <acronym>RPM</acronym>, use the following command:
<screen>
[root@deep ] /src#<command>rpm</command> -e --nodeps kernel-headers kernel
</screen>
<literallayout>
<computeroutput>
cannot remove /usr/src/linux-2.2.xx - directory not empty
cannot remove /lib/modules/2.2.xx - directory not empty
</computeroutput>
</literallayout>
<screen>
[root@deep ] /src#<command>rm</command> -rf /usr/src/linux-2.2.xx/
[root@deep ] /src#<command>rm</command> -rf /lib/modules/2.2.xx/
</screen>
In the steps above, we manually remove the <filename class="directory">/usr/src/linux-2.2.xx</filename> and <filename class="directory">/lib/modules/2.2.xx</filename> directories
left behind after uninstalling the kernel <acronym>RPM</acronym>s, since the <acronym>RPM</acronym> uninstall program does not completely remove those directories.
</para>
</step>
<step>
<para>
Now, we must decompress the tar archive of the kernel and remove the Linux tar archive from the system.
<screen>
[root@deep ] /src#<command>tar</command> xzpf linux-version_tar.gz
[root@deep ] /src#<command>rm</command> -f linux-version_tar.gz
</screen>
</para>
</step>
<step>
<para>
To increase the number of tasks allowed (the maximum number of processes per user), you may need to edit the <filename>/usr/src/linux/include/linux/tasks.h</filename> file.
Edit the tasks.h file (vi +14 <filename>/usr/src/linux/include/linux/tasks.h</filename>) and change the following parameters:
<envar>NR_TASKS</envar> from <userinput>512</userinput> to <userinput>3072</userinput>, and <envar>MIN_TASKS_LEFT_FOR_ROOT</envar> from <userinput>4</userinput> to <userinput>24</userinput>.
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The value on the <envar>NR_TASKS</envar> line denotes the maximum number of task (process) handles that the Linux kernel will allocate per user. Increasing this number will allow you to handle more connections from clients
on your server; for example, an <acronym>HTTP</acronym> web server will be able to serve more client connections.
Please don't forget that Linux protects itself against normal users allocating all of the process slots: the special parameter
<envar>MIN_TASKS_LEFT_FOR_ROOT</envar> sets the number of process slots reserved for the super-user root, and <literal>24</literal> is a good value.
</para>
</important>
</para>
</step>
<step>
<para>
To optimize the Linux kernel for your specific <acronym>CPU</acronym> architecture and optimization flags, you may need to edit the <filename>/usr/src/linux/Makefile</filename> file and change the following parameters.
</para>
<substeps performance="required">
<step>
<para>
Edit the Makefile file (vi +18 /usr/src/linux/Makefile) and change the line:
<envar>HOSTCC =gcc</envar> to read:
<screen>
<envar>HOSTCC =egcs</envar>
</screen>
</para>
</step>
<step>
<para>
Edit the Makefile file, vi +25 <filename>/usr/src/linux/Makefile</filename> and change the line:
<envar>CC =$(CROSS_COMPILE)gcc -D__KERNEL__ -I$(HPATH)</envar> to read:
<screen>
<envar>CC =$(CROSS_COMPILE)egcs -D__KERNEL__ -I$(HPATH)</envar>
</screen>
</para>
</step>
<step>
<para>
Edit the Makefile file vi +90 <filename>/usr/src/linux/Makefile</filename> and change the line:
<envar>CFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer</envar> to read:
<screen>
<envar>CFLAGS = -Wall -Wstrict-prototypes -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions</envar>
</screen>
</para>
</step>
<step>
<para>
Edit the Makefile file vi +19 <filename>/usr/src/linux/Makefile</filename> and change the line:
<envar>HOSTCFLAGS =-Wall -Wstrict-prototypes -O2 -fomit-frame-pointer</envar> to read:
<screen>
<envar>HOSTCFLAGS =-Wall -Wstrict-prototypes -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions</envar>
</screen>
</para>
</step>
</substeps>
</step>
</procedure>
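<para>
As an added example that is not part of the book, the following shell functions apply the tasks.h and Makefile edits from the steps above with sed and verify that each edit actually took effect, so a pattern that no longer matches (a different kernel release, changed whitespace) fails loudly instead of silently leaving the stock value in place. The mini source tree they operate on is constructed sample data modelled on a 2.2 kernel, not the real files; only the HOSTCC and CC lines are shown, and the CFLAGS and HOSTCFLAGS lines are changed the same way.
<programlisting><![CDATA[
```shell
#!/bin/sh
# Added example, not from the book: edit-and-verify helpers for the tasks.h
# and Makefile changes of this procedure.

# set_define FILE MACRO VALUE: rewrite the numeric value of "#define MACRO n".
# Fails if MACRO is not defined in FILE, so a typo never passes silently.
set_define() {
    _file=$1; _macro=$2; _value=$3
    grep -q "^#define[[:space:]][[:space:]]*$_macro[[:space:]]" "$_file" || return 1
    _tmp=$(mktemp) || return 1
    sed "s/^\(#define[[:space:]][[:space:]]*$_macro[[:space:]][[:space:]]*\)[0-9][0-9]*/\1$_value/" \
        "$_file" > "$_tmp" && mv "$_tmp" "$_file"
}

# get_define FILE MACRO: print the numeric value currently defined for MACRO.
get_define() {
    sed -n "s/^#define[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1"
}

# set_make_var FILE VAR VALUE: rewrite the "VAR = ..." assignment in a Makefile.
set_make_var() {
    _file=$1; _var=$2; _value=$3
    grep -q "^$_var[[:space:]]*=" "$_file" || return 1
    _tmp=$(mktemp) || return 1
    sed "s|^\($_var[[:space:]]*=\).*|\1$_value|" "$_file" > "$_tmp" && mv "$_tmp" "$_file"
}

# get_make_var FILE VAR: print the value assigned to VAR.
get_make_var() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# tune_kernel_source SRCDIR: the edits from the steps above, each one verified.
tune_kernel_source() {
    _t=$1/include/linux/tasks.h
    _m=$1/Makefile
    set_define "$_t" NR_TASKS 3072 || return 1
    set_define "$_t" MIN_TASKS_LEFT_FOR_ROOT 24 || return 1
    set_make_var "$_m" HOSTCC egcs || return 1
    set_make_var "$_m" CC '$(CROSS_COMPILE)egcs -D__KERNEL__ -I$(HPATH)' || return 1
    [ "$(get_define "$_t" NR_TASKS)" = 3072 ] || return 1
    [ "$(get_define "$_t" MIN_TASKS_LEFT_FOR_ROOT)" = 24 ] || return 1
    # root's reserve must stay below the total or the reservation is meaningless
    [ "$(get_define "$_t" MIN_TASKS_LEFT_FOR_ROOT)" -lt "$(get_define "$_t" NR_TASKS)" ] || return 1
    [ "$(get_make_var "$_m" HOSTCC)" = egcs ] || return 1
}

# make_sample_tree: a constructed mini source tree with the stock values
# (sample data modelled on a 2.2 kernel, not the real files); prints its path.
make_sample_tree() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/include/linux"
    printf '%s\n' \
        '#ifndef _LINUX_TASKS_H' \
        '#define _LINUX_TASKS_H' \
        '#define NR_TASKS 512 /* On x86 Max 4092, or 4090 w/APM configured. */' \
        '#define MAX_TASKS_PER_USER (NR_TASKS/2)' \
        '#define MIN_TASKS_LEFT_FOR_ROOT 4' \
        '#endif' > "$_d/include/linux/tasks.h"
    printf '%s\n' \
        'HOSTCC =gcc' \
        'HOSTCFLAGS =-Wall -Wstrict-prototypes -O2 -fomit-frame-pointer' \
        'CC =$(CROSS_COMPILE)gcc -D__KERNEL__ -I$(HPATH)' \
        'CFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer' > "$_d/Makefile"
    printf '%s\n' "$_d"
}
```
]]></programlisting>
</para>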
<para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
These changes turn on aggressive optimization tricks that may or may not work with all kernels. If the optimization flags above, or the ones you have chosen for your <acronym>CPU</acronym> architecture, do not
work for you, please don't try to force them to work. I wouldn't want to make your system unstable like Microsoft Windows.
</para>
</tip>
</para>
</section>
<section><?dbhtml filename="chap7sec78.html"?>
<title>Securing the kernel</title>
<para>
The secure Linux kernel patches from the Openwall Project are a great way to prevent attacks like Stack Buffer Overflows, and others. The Openwall patch is a collection of security-related features
for the Linux kernel, all configurable via the new Security options configuration section that will be added to your new Linux kernel. This patch may change from version to version, and some may
contain various other security fixes.
</para>
<para>
New features of patch version linux-2_2_14-ow2_tar.gz are:
<itemizedlist>
<listitem><para>
Non-executable user stack area
</para>
</listitem>
<listitem>
<para>
Restricted links in <filename class="directory">/tmp</filename>
</para>
</listitem>
<listitem>
<para>
Restricted FIFOs in <filename class="directory">/tmp</filename>
</para>
</listitem>
<listitem>
<para>
Restricted <filename>/proc</filename>
</para>
</listitem>
<listitem>
<para>
Special handling of fd 0, 1, and 2
</para>
</listitem>
<listitem>
<para>
Enforce <envar>RLIMIT_NPROC</envar> on execve(2)
</para>
</listitem>
<listitem>
<para>
Destroy shared memory segments not in use
</para>
</listitem>
</itemizedlist>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
When applying the linux-2_2_14-ow2 patch, a new Security options section will be added at the end of your kernel configuration. For more information and a description of the different features
available with this patch, see the README file that comes with the source code of the patch.
</para>
</important>
<para>
Applying the patch:
<screen>
[root@deep] /#<command>cp</command> linux-2_2_14-ow2_tar.gz /usr/src/ <co id="copy"/>
[root@deep] /#<command>cd</command> /usr/src/ <co id="cdir"/>
[root@deep ] /src#<command>tar</command> xzpf linux-2_2_14-ow2_tar.gz <co id="dcprss"/>
[root@deep ] /src#<command>cd</command> linux-2.2.14-ow2/ <co id="rbck"/>
[root@deep ] /linux-2.2.14-ow2#<command>mv</command> linux-2.2.14-ow2.diff /usr/src/ <co id="mvsrc"/>
[root@deep ] /linux-2.2.14-ow2#<command>cd</command> .. <co id="cdir2"/>
[root@deep ] /src#<command>patch</command> -p0 &lt;linux-2.2.14-ow2.diff <co id="aptch"/>
[root@deep ] /src#<command>rm</command> -rf linux-2.2.14-ow2 <co id="rmasrc1"/>
[root@deep ] /src#<command>rm</command> -f linux-2.2.14-ow2.diff <co id="rmasrc2"/>
[root@deep ] /src#<command>rm</command> -f linux-2_2_14-ow2_tar.gz <co id="rmasrc3"/>
</screen>
<calloutlist>
<callout arearefs="copy">
<para>First we copy the program archive to the <filename class="directory">/usr/src</filename> directory</para>
</callout>
<callout arearefs="cdir">
<para>then we move to the <filename class="directory">/usr/src</filename> directory</para>
</callout>
<callout arearefs="dcprss">
<para>decompress the linux-2_2_14-ow2_tar.gz archive</para>
</callout>
<callout arearefs="rbck mvsrc">
<para>We then move into the newly uncompressed patch directory and move the file linux-2.2.14-ow2.diff, which contains
the patch, to <filename class="directory">/usr/src</filename></para>
</callout>
<callout arearefs="cdir2 aptch">
<para>return to <filename class="directory">/usr/src</filename> and patch our kernel with the file linux-2.2.14-ow2.diff</para>
</callout>
<callout arearefs="rmasrc1 rmasrc2 rmasrc3">
<para> Afterwards, we remove all files related to the patch.</para>
</callout>
</calloutlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
All security messages related to the linux-2.2.14-ow2 patch, like the non-executable stack part, should be logged to the log file <filename>/var/log/messages</filename>.
</para>
</tip>
<para>
The step of patching your new kernel is completed. Now follow the rest of this installation to build the Linux kernel and reboot.
</para>
</section>
<section><?dbhtml filename="chap7sec79.html"?>
<title>Compilation</title>
<para>
It is important to be sure that your <filename class="symlink">/usr/include/asm</filename>, and <filename class="symlink">/usr/include/linux</filename> subdirectories are just symlinks to the kernel sources.
</para>
<procedure>
<step><para>
The asm and linux subdirectories are soft links to the real kernel source header directories needed for our Linux architecture, for example <filename class="directory">/usr/src/linux/include/asm-i386</filename> for asm. Type the following
commands on your terminal:
<screen>
[root@deep ]/src#<command>cd</command> /usr/include/
[root@deep ] /include#<command>rm</command> -rf asm linux
[root@deep ] /include#<command>ln</command> -s /usr/src/linux/include/asm-i386 asm
[root@deep ] /include#<command>ln</command> -s /usr/src/linux/include/linux linux
</screen>
This is a very important part of the configuration: we remove the asm and linux directories under <filename class="directory">/usr/include</filename>, then create new links that point to the directories of the same name
under the new Linux kernel source directory. The include directory contains important header files needed by your Linux kernel and by programs to compile on your system.
</para>
</step>
<step><para>
Make sure you have no stale .o files and dependencies lying around.
Type the following commands on your terminal:
<screen>
[root@deep ] /include#<command>cd</command> /usr/src/linux/
[root@deep ] /linux#<command>make</command> mrproper
</screen>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
These two steps above simply clean up anything that might have accidentally been left in the source tree by the development team.
</para>
</note>
You should now have the sources correctly installed. You can configure the Linux kernel in one of three ways.
<itemizedlist>
<listitem><para>
The first method is to use the <command>make config</command> command. It provides you with a text-based interface for answering all the
configuration options. You are prompted for all the options you need to set up your kernel.
</para>
</listitem>
<listitem><para>
The second method is to use the <command>make menuconfig</command> command, which provides all the kernel options in an easy-to-use menu.
</para>
</listitem>
<listitem><para>
The third is to use the <command>make xconfig</command> command, which provides a full graphical interface to all the kernel options.
</para>
</listitem>
</itemizedlist>
</para>
</step>
<step><para>
For configuration, we will use the <command>make config</command> command because we have not installed the XFree86 windowing interface on our Linux server.
Type the following commands on your terminal to load the kernel configuration:
<screen>
[root@deep] /#<command>cd</command> /usr/src/linux/ (if you are not already in this directory).
[root@deep ] /linux#<command>make</command> config
rm -f include/asm
( cd include ; ln -sf asm-i386 asm)
/bin/sh scripts/Configure arch/i386/config.in
#
# Using defaults found in arch/i386/defconfig
#
</screen>
</para>
</step>
</procedure>
</section>
<section id="prt2sct35kcon"><?dbhtml filename="chap7sec80.html"?>
<title>Kernel configuration -Part "A"</title>
<para>As soon as you enter <command>make config</command> at the prompt, as described in the previous section, a list of kernel configuration options is displayed. You must indicate which
features and device drivers you want to include in your Linux system and select how to include support for specific devices. Typically, for each configuration option, you have to respond with one of the
choices shown below. We have used a simple convention for our example configuration:
<example>
<title>SMP support</title>
<para>
<screen>
Symmetric multi-processing support <envar>(CONFIG_SMP)</envar> <literal>Y/M/N</literal> <userinput>N</userinput>
</screen>
where
<itemizedlist>
<listitem><para>
<programlisting>
Symmetric multi-processing support <envar>(CONFIG_SMP)</envar> is one of the choices
</programlisting>
<emphasis>We have chosen to say <userinput>N</userinput> in this case.</emphasis>
</para></listitem>
<listitem><para>
<literal>Y/M/N</literal> - are the options you have, i.e. you can say yes, say no, or build the feature as a module.
</para></listitem>
<listitem><para>
<userinput>[Y]</userinput> -To compile the feature into the kernel so that it is always loaded
</para></listitem>
<listitem><para>
<userinput>[M]</userinput> -To use a module for that feature and load that segment of code on demand
</para></listitem>
<listitem><para>
<userinput>[N]</userinput> -To skip and exclude support for that specific device from the kernel
</para></listitem>
</itemizedlist>
</para>
</example>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
It is important to note that the capital letter (<userinput>N</userinput> or <userinput>Y</userinput>) marks the default choice. If a device does not have a modular device driver, you will not see the <userinput>[M]</userinput> option. Sometimes
a <userinput>[?]</userinput> option will appear in the choices. This means that you can get more information about the feature by typing <keycombo action="press"><keycap>?</keycap></keycombo> followed by <keycombo><keycap>ENTER</keycap></keycombo>. Choosing the <userinput>[?]</userinput>
help option will open another terminal describing the option.
</para>
</important>
<formalpara>
<title>Code maturity level options</title>
<para>
<screen>
Prompt for development and/or incomplete code/drivers <envar>(CONFIG_EXPERIMENTAL)</envar> <literal>N/y/?</literal>
</screen>
</para>
</formalpara>
<formalpara>
<title>Processor type and features</title>
<para>
<screen>
Processor family (386, 486/Cx486, 586/K5/5x86/6x86, Pentium/K6/TSC, PPro/6x86MX) <userinput>[PPro/6x86MX]</userinput>
Maximum Physical Memory (1GB, 2GB) <userinput>[1GB]</userinput>
Math emulation (CONFIG_MATH_EMULATION) <literal>N/y/?</literal>
<acronym>MTRR</acronym> (Memory Type Range Register) support (CONFIG_MTRR) N/y/?
Symmetric multi-processing support (CONFIG_SMP) Y/n/? <userinput>N</userinput>
</screen>
</para>
</formalpara>
<formalpara>
<title>Loadable module support</title>
<para>
<screen>
Enable loadable module support (CONFIG_MODULES) Y/n/? <userinput>N</userinput>
</screen>
</para>
</formalpara>
<formalpara>
<title>General setup</title>
<para>
<screen>
Networking support (CONFIG_NET) Y/n/?
PCI support (CONFIG_PCI) Y/n/?
<acronym>PCI</acronym> access mode (<acronym>BIOS</acronym>, Direct, Any) <userinput>[Any]</userinput>
<acronym>PCI</acronym> quirks (CONFIG_PCI_QUIRKS) Y/n/? <userinput>N</userinput>
Backward-compatible /proc/pci (CONFIG_PCI_OLD_PROC) Y/n/? <userinput>N</userinput>
<acronym>MCA</acronym> support (CONFIG_MCA) N/y/?
<acronym>SGI</acronym> Visual Workstation support (CONFIG_VISWS) N/y/?
System V <acronym>IPC</acronym> (CONFIG_SYSVIPC) Y/n/?
<acronym>BSD</acronym> Process Accounting (CONFIG_BSD_PROCESS_ACCT) N/y/?
Sysctl support (CONFIG_SYSCTL) Y/n/?
Kernel support for a.out binaries (CONFIG_BINFMT_AOUT) Y/n/?
Kernel support for <acronym>ELF</acronym> binaries (CONFIG_BINFMT_ELF) Y/n/?
Kernel support for <abbrev>MISC.</abbrev> binaries (CONFIG_BINFMT_MISC) Y/n/?
Parallel port support (CONFIG_PARPORT) N/y/?
Advanced Power Management <acronym>BIOS</acronym> support (CONFIG_APM) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Plug and Play support</title>
<para>
<screen>
Plug and Play support (CONFIG_PNP) [N/y/?]
</screen>
</para>
</formalpara>
<formalpara>
<title>Block devices</title>
<para>
<screen>
Normal <acronym>PC</acronym> floppy disk support (CONFIG_BLK_DEV_FD) Y/n/?
Enhanced <acronym>IDE/MFM/RLL</acronym> disk/cdrom/tape/floppy support (CONFIG_BLK_DEV_IDE) Y/n/?
Use old disk-only driver on primary interface (CONFIG_BLK_DEV_HD_IDE) N/y/?
Include <acronym>IDE/ATA-2</acronym> DISK support (CONFIG_BLK_DEV_IDEDISK) Y/n/?
Include <acronym>IDE/ATAPI</acronym> CDROM support (CONFIG_BLK_DEV_IDECD) Y/n/?
Include <acronym>IDE/ATAPI</acronym> TAPE support (CONFIG_BLK_DEV_IDETAPE) N/y/?
Include <acronym>IDE/ATAPI</acronym> FLOPPY support (CONFIG_BLK_DEV_IDEFLOPPY) N/y/?
<acronym>SCSI</acronym> emulation support (CONFIG_BLK_DEV_IDESCSI) N/y/?
CMD640 chipset bugfix/support (CONFIG_BLK_DEV_CMD640) Y/n/? <userinput>N</userinput>
RZ1000 chipset bugfix/support (CONFIG_BLK_DEV_RZ1000) Y/n/? <userinput>N</userinput>
Generic <acronym>PCI</acronym> <acronym>IDE</acronym> chipset support (CONFIG_BLK_DEV_IDEPCI) Y/n/?
Generic <acronym>PCI</acronym> bus-master <acronym>DMA</acronym> support (CONFIG_BLK_DEV_IDEDMA) Y/n/?
Boot off-board chipsets first support (CONFIG_BLK_DEV_OFFBOARD) N/y/?
Use DMA by default when available (CONFIG_IDEDMA_AUTO) Y/n/?
Other <acronym>IDE</acronym> chipset support (CONFIG_IDE_CHIPSETS) N/y/?
Loopback device support (CONFIG_BLK_DEV_LOOP) N/y/?
Network block device support (CONFIG_BLK_DEV_NBD) N/y/?
Multiple devices driver support (CONFIG_BLK_DEV_MD) N/y/?
<acronym>RAM</acronym> disk support (CONFIG_BLK_DEV_RAM) N/y/?
<acronym>XT</acronym> hard disk support (CONFIG_BLK_DEV_XD) N/y/?
Mylex DAC960/DAC1100 <acronym>PCI</acronym> <acronym>RAID</acronym> Controller support (CONFIG_BLK_DEV_DAC960) N/y/? (NEW)
Parallel port <acronym>IDE</acronym> device support (CONFIG_PARIDE) N/y/?
Compaq SMART2 support (CONFIG_BLK_CPQ_DA) [N/y/?] (NEW)
</screen>
</para>
</formalpara>
</section>
<section><?dbhtml filename="chap7sec81.html"?>
<title>Kernel configuration -Part "B"</title>
<formalpara>
<title> Networking options</title>
<para>
<screen>
Packet socket (CONFIG_PACKET) Y/n/?
Kernel/User netlink socket (CONFIG_NETLINK) N/y/?
Network firewalls (CONFIG_FIREWALL) N/y/? <userinput>Y</userinput>
Socket Filtering (CONFIG_FILTER) N/y/?
Unix domain sockets (CONFIG_UNIX) Y/n/?
<acronym>TCP/IP</acronym> networking (CONFIG_INET) Y/n/?
<acronym>IP:</acronym> multicasting (CONFIG_IP_MULTICAST) N/y/?
<acronym>IP</acronym>: advanced router (CONFIG_IP_ADVANCED_ROUTER) N/y/?
<acronym>IP</acronym>: kernel level autoconfiguration (CONFIG_IP_PNP) N/y/?
<acronym>IP</acronym>: firewalling (CONFIG_IP_FIREWALL) N/y/? (NEW) <userinput>Y</userinput>
<acronym>IP</acronym>: transparent proxy support (CONFIG_IP_TRANSPARENT_PROXY) N/y/? (NEW)
<acronym>IP</acronym>: masquerading (CONFIG_IP_MASQUERADE) N/y/? (NEW)
<acronym>IP</acronym>: optimize as router not host (CONFIG_IP_ROUTER) N/y/?
<acronym>IP</acronym>: tunneling (CONFIG_NET_IPIP) N/y/?
<acronym>IP</acronym>: GRE tunnels over <acronym>IP</acronym> (CONFIG_NET_IPGRE) N/y/?
<acronym>IP</acronym>: aliasing support (CONFIG_IP_ALIAS) N/y/?
<acronym>IP</acronym>: <acronym>TCP</acronym> syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) N/y/? <userinput>Y</userinput>
<acronym>IP</acronym>: Reverse <acronym>ARP</acronym> (CONFIG_INET_RARP) N/y/?
<acronym>IP</acronym>: Allow large windows (not recommended if &gt;16Mb of memory) (CONFIG_SKB_LARGE) Y/n/?
The <acronym>IPX</acronym> protocol (CONFIG_IPX) N/y/?
Appletalk <acronym>DDP</acronym> (CONFIG_ATALK) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Telephony support</title>
<para>
<screen>
Linux telephony support (CONFIG_PHONE) N/y/? (NEW)
</screen>
</para>
</formalpara>
<formalpara>
<title><acronym>SCSI</acronym> support</title>
<para>
<screen>
<acronym>SCSI</acronym> support (CONFIG_SCSI) Y/n/?
<acronym>SCSI</acronym> disk support (CONFIG_BLK_DEV_SD) Y/n/?
<acronym>SCSI</acronym> tape support (CONFIG_CHR_DEV_ST) N/y/?
<acronym>SCSI</acronym> CD-ROM support (CONFIG_BLK_DEV_SR) N/y/?
<acronym>SCSI</acronym> generic support (CONFIG_CHR_DEV_SG) N/y/?
Probe all LUNs on each <acronym>SCSI</acronym> device (CONFIG_SCSI_MULTI_LUN) Y/n/? <userinput>N</userinput>
Verbose <acronym>SCSI</acronym> error reporting (kernel size +=12K) (CONFIG_SCSI_CONSTANTS) Y/n/? <userinput>N</userinput>
<acronym>SCSI</acronym> logging facility (CONFIG_SCSI_LOGGING) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title><acronym>SCSI</acronym> low-level drivers</title>
<para>
<screen>
7000FASST <acronym>SCSI</acronym> support (CONFIG_SCSI_7000FASST) N/y/?
ACARD <acronym>SCSI</acronym> support (CONFIG_SCSI_ACARD) N/y/?
Adaptec AHA152X/2825 support (CONFIG_SCSI_AHA152X) N/y/?
Adaptec AHA1542 support (CONFIG_SCSI_AHA1542) N/y/?
Adaptec AHA1740 support (CONFIG_SCSI_AHA1740) N/y/?
Adaptec AIC7xxx support (CONFIG_SCSI_AIC7XXX) N/y/? <userinput>Y</userinput>
Enable Tagged Command Queueing <acronym>TCQ</acronym> by default N/y/? (NEW) <userinput>Y</userinput>
Maximum number of TCQ commands per device (CONFIG_AIC7XXX_CMDS_PER_DEVICE) [8] (NEW)
Collect statistics to report in /proc (CONFIG_AIC7XXX_PROC_STATS) N/y/? (NEW)
Delay in seconds after <acronym>SCSI</acronym> bus reset (CONFIG_AIC7XXX_RESET_DELAY) [5] (NEW)
IBM ServeRAID support (CONFIG_SCSI_IPS) N/y/? (NEW)
AdvanSys <acronym>SCSI</acronym> support (CONFIG_SCSI_ADVANSYS) N/y/?
Always IN2000 <acronym>SCSI</acronym> support (CONFIG_SCSI_IN2000) N/y/?
AM53/79C974 PCI <acronym>SCSI</acronym> support (CONFIG_SCSI_AM53C974) N/y/?
AMI MegaRAID support (CONFIG_SCSI_MEGARAID) N/y/?
BusLogic <acronym>SCSI</acronym> support (CONFIG_SCSI_BUSLOGIC) N/y/?
DTC3180/3280 <acronym>SCSI</acronym> support (CONFIG_SCSI_DTC3280) N/y/?
EATA ISA/EISA/PCI (DPT and generic <acronym>EATA/DMA</acronym>) support (CONFIG_SCSI_EATA) N/y/?
EATA-DMA [Obsolete] (DPT, NEC, AT&amp;T, SNI, AST, Olivetti, Alphatronix) support (CONFIG_SCSI_EATA_DMA) N/y/?
EATA-PIO (old DPT PM2001, PM2012A) support (CONFIG_SCSI_EATA_PIO) N/y/?
Future Domain 16xx <acronym>SCSI</acronym>/AHA-2920A support (CONFIG_SCSI_FUTURE_DOMAIN) N/y/?
GDT <acronym>SCSI</acronym> Disk Array Controller support (CONFIG_SCSI_GDTH) N/y/?
Generic NCR5380/53c400 <acronym>SCSI</acronym> support (CONFIG_SCSI_GENERIC_NCR5380) N/y/?
Initio 9100U(W) support (CONFIG_SCSI_INITIO) N/y/?
Initio INI-A100U2W support (CONFIG_SCSI_INIA100) N/y/?
NCR53c406a <acronym>SCSI</acronym> support (CONFIG_SCSI_NCR53C406A) N/y/?
symbios 53c416 <acronym>SCSI</acronym> support (CONFIG_SCSI_SYM53C416) N/y/?
Simple 53c710 <acronym>SCSI</acronym> support (Compaq, NCR machines) (CONFIG_SCSI_SIM710) N/y/? (NEW)
NCR53c7,8xx <acronym>SCSI</acronym> support (CONFIG_SCSI_NCR53C7xx) N/y/?
NCR53C8XX <acronym>SCSI</acronym> support (CONFIG_SCSI_NCR53C8XX) N/y/?
SYM53C8XX <acronym>SCSI</acronym> support (CONFIG_SCSI_SYM53C8XX) Y/n/? <userinput>N</userinput>
PAS16 <acronym>SCSI</acronym> support (CONFIG_SCSI_PAS16) N/y/?
PCI2000 support (CONFIG_SCSI_PCI2000) N/y/?
PCI2220i support (CONFIG_SCSI_PCI2220I) N/y/?
PSI240i support (CONFIG_SCSI_PSI240I) N/y/?
Qlogic FAS <acronym>SCSI</acronym> support (CONFIG_SCSI_QLOGIC_FAS) N/y/?
Qlogic ISP <acronym>SCSI</acronym> support (CONFIG_SCSI_QLOGIC_ISP) N/y/?
Qlogic ISP FC <acronym>SCSI</acronym> support (CONFIG_SCSI_QLOGIC_FC) N/y/?
Seagate ST-02 and Future Domain TMC-8xx <acronym>SCSI</acronym> support (CONFIG_SCSI_SEAGATE) N/y/?
Tekram DC390(T) and Am53/79C974 <acronym>SCSI</acronym> support (CONFIG_SCSI_DC390T) N/y/?
Trantor T128/T128F/T228 <acronym>SCSI</acronym> support (CONFIG_SCSI_T128) N/y/?
UltraStor 14F/34F support (CONFIG_SCSI_U14_34F) N/y/?
UltraStor <acronym>SCSI</acronym> support (CONFIG_SCSI_ULTRASTOR) N/y/?
</screen>
</para>
</formalpara>
</section>
<section><?dbhtml filename="chap7sec82.html"?>
<title>Kernel configuration -Part "C"</title>
<formalpara>
<title>Network device support</title>
<para>
<screen>
Network device support (CONFIG_NETDEVICES) Y/n/?
</screen>
</para>
</formalpara>
<formalpara>
<title>ARCnet devices</title>
<para>
<screen>
ARCnet support (CONFIG_ARCNET) N/y/?
Dummy net driver support (CONFIG_DUMMY) Y/n/?
EQL -serial line load balancing support (CONFIG_EQUALIZER) N/y/?
General Instruments Surfboard 1000 (CONFIG_NET_SB1000) N/y/? (NEW)
</screen>
</para>
</formalpara>
<formalpara>
<title>Ethernet (10 or 100Mbit)</title>
<para>
<screen>
Ethernet (10 or 100Mbit) (CONFIG_NET_ETHERNET) Y/n/?
3COM cards (CONFIG_NET_VENDOR_3COM) N/y/?
AMD LANCE and PCnet (AT1500 and NE2100) support (CONFIG_LANCE) N/y/?
Western Digital/SMC cards (CONFIG_NET_VENDOR_SMC) N/y/?
Racal-Interlan (Micom) NI cards (CONFIG_NET_VENDOR_RACAL) N/y/?
Other ISA cards (CONFIG_NET_ISA) N/y/?
<acronym>EISA</acronym>, VLB, <acronym>PCI</acronym> and on board controllers (CONFIG_NET_EISA) Y/n/?
AMD PCnet32 (VLB and <acronym>PCI</acronym>) support (CONFIG_PCNET32) N/y/?
Apricot Xen-II on board Ethernet (CONFIG_APRICOT) N/y/?
CS89x0 support (CONFIG_CS89x0) N/y/?
DM9102 <acronym>PCI</acronym> Fast Ethernet Adapter support (EXPERIMENTAL) (CONFIG_DM9102) N/y/? (NEW)
Generic DECchip &amp; DIGITAL EtherWORKS <acronym>PCI</acronym>/<acronym>EISA</acronym> (CONFIG_DE4X5) N/y/?
DECchip Tulip (dc21x4x) <acronym>PCI</acronym> support (CONFIG_DEC_ELCP) N/y/?
Old DECchip Tulip (dc21x4x) <acronym>PCI</acronym> support (CONFIG_DEC_ELCP_OLD) N/y/? (NEW)
Digi Intl. RightSwitch SE-X support (CONFIG_DGRS) N/y/?
EtherExpressPro/100 support (CONFIG_EEXPRESS_PRO100) Y/n/?
<acronym>PCI</acronym> NE2000 support (CONFIG_NE2K_PCI) N/y/?
TI ThunderLAN support (CONFIG_TLAN) N/y/?
VIA Rhine support (CONFIG_VIA_RHINE) N/y/?
SiS 900/7016 <acronym>PCI</acronym> Fast Ethernet Adapter support (CONFIG_SIS900) N/y/? (NEW)
Pocket and portable adaptors (CONFIG_NET_POCKET) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Ethernet (1000 Mbit)</title>
<para>
<screen>
SysKonnect SK-98xx support (CONFIG_SK98LIN) N/y/? (NEW)
<literal>FDDI</literal> driver support (CONFIG_FDDI) N/y/?
<literal>PPP</literal> (point-to-point) support (CONFIG_PPP) N/y/?
<literal>SLIP</literal> (serial line) support (CONFIG_SLIP) N/y/?
Wireless <literal>LAN</literal> (non-hamradio) (CONFIG_NET_RADIO) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Token ring devices</title>
<para>
<screen>
Token Ring driver support (CONFIG_TR) N/y/?
Fibre Channel driver support (CONFIG_NET_FC) N/y/? (NEW)
</screen>
</para>
</formalpara>
<formalpara>
<title>Wan interfaces</title>
<para>
<screen>
MultiGate (COMX) synchronous serial boards support (CONFIG_COMX) N/y/? (NEW)
Frame relay DLCI support (CONFIG_DLCI) N/y/?
WAN drivers (CONFIG_WAN_DRIVERS) N/y/?
SBNI12-xx support (CONFIG_SBNI) N/y/? (NEW)
</screen>
</para>
</formalpara>
<formalpara>
<title>Amateur Radio support</title>
<para>
<screen>
Amateur Radio support (CONFIG_HAMRADIO) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>IrDA subsystem support</title>
<para>
<screen>
IrDA subsystem support (CONFIG_IRDA) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title><acronym>ISDN</acronym> subsystem</title>
<para>
<screen>
<acronym>ISDN</acronym> support (CONFIG_ISDN) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Old CD-ROM drivers (not <acronym>SCSI</acronym>, not <acronym>IDE</acronym>)</title>
<para>
<screen>
Support non-<acronym>SCSI</acronym>/<acronym>IDE</acronym>/ATAPI CDROM drives (CONFIG_CD_NO_IDESCSI) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Character devices</title>
<para>
<screen>
Virtual terminal (CONFIG_VT) Y/n/?
Support for console on virtual terminal (CONFIG_VT_CONSOLE) Y/n/?
Standard/generic (dumb) serial support (CONFIG_SERIAL) Y/n/?
Support for console on serial port (CONFIG_SERIAL_CONSOLE) N/y/?
Extended dumb serial driver options (CONFIG_SERIAL_EXTENDED) N/y/?
Non-standard serial port support (CONFIG_SERIAL_NONSTANDARD) N/y/?
Unix98 <acronym>PTY</acronym> support (CONFIG_UNIX98_PTYS) Y/n/?
Maximum number of Unix98 PTYs in use (0-2048) (CONFIG_UNIX98_PTY_COUNT) [256] 128
Mouse Support (not serial mice) (CONFIG_MOUSE) Y/n/?
</screen>
</para>
</formalpara>
</section>
<section><?dbhtml filename="chap7sec83.html"?>
<title>Kernel configuration -Part "D"</title>
<formalpara>
<title>Mice</title>
<para>
<screen>
ATIXL busmouse support (CONFIG_ATIXL_BUSMOUSE) N/y/?
Logitech busmouse support (CONFIG_BUSMOUSE) N/y/?
Microsoft busmouse support (CONFIG_MS_BUSMOUSE) N/y/?
PS/2 mouse (aka "auxiliary device") support (CONFIG_PSMOUSE) N/y/?
C&amp;T 82C710 mouse port support (as on TI Travelmate) (CONFIG_82C710_MOUSE) Y/n/? N
PC110 digitizer pad support (CONFIG_PC110_PAD) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Joystick support</title>
<para>
<screen>
Joystick support (CONFIG_JOYSTICK) N/y/?
QIC-02 tape support (CONFIG_QIC02_TAPE) N/y/?
Watchdog Timer Support (CONFIG_WATCHDOG) N/y/?
<filename class="symlink">/dev/nvram</filename> support (CONFIG_NVRAM) N/y/?
Enhanced Real Time Clock Support (CONFIG_RTC) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Video for Linux</title>
<para>
<screen>
Video For Linux (CONFIG_VIDEO_DEV) N/y/?
Double Talk PC internal speech card support (CONFIG_DTLK) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Ftape, the floppy tape device driver</title>
<para>
<screen>
Ftape (QIC-80/Travan) support (CONFIG_FTAPE) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Filesystems</title>
<para>
<screen>
Quota support (CONFIG_QUOTA) N/y/? Y
Kernel automounter support (CONFIG_AUTOFS_FS) Y/n/? N
Amiga <acronym>FFS</acronym> filesystem support (CONFIG_AFFS_FS) N/y/?
Apple Macintosh filesystem support (experimental) (CONFIG_HFS_FS) N/y/?
<acronym>DOS</acronym> FAT fs support (CONFIG_FAT_FS) N/y/?
ISO 9660 CDROM filesystem support (CONFIG_ISO9660_FS) Y/n/?
Microsoft Joliet CDROM extensions (CONFIG_JOLIET) N/y/?
Minix fs support (CONFIG_MINIX_FS) N/y/?
<acronym>NTFS</acronym> filesystem support (read only) (CONFIG_NTFS_FS) N/y/?
OS/2 <acronym>HPFS</acronym> filesystem support (read only) (CONFIG_HPFS_FS) N/y/?
<filename>/proc</filename> filesystem support (CONFIG_PROC_FS) Y/n/?
<filename>/dev/p</filename>ts filesystem for Unix98 PTYs (CONFIG_DEVPTS_FS) Y/n/?
<acronym>ROM</acronym> filesystem support (CONFIG_ROMFS_FS) N/y/?
Second extended fs support (CONFIG_EXT2_FS) Y/n/?
System V and Coherent filesystem support (CONFIG_SYSV_FS) N/y/?
<acronym>UFS</acronym> filesystem support (CONFIG_UFS_FS) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Network File Systems</title>
<para>
<screen>
Coda filesystem support (advanced network fs) (CONFIG_CODA_FS) N/y/?
<acronym>NFS</acronym> filesystem support (CONFIG_NFS_FS) Y/n/? N
<acronym>SMB</acronym> filesystem support (to mount WfW shares etc.) (CONFIG_SMB_FS) N/y/?
NCP filesystem support (to mount NetWare volumes) (CONFIG_NCP_FS) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Partition Types</title>
<para>
<screen>
<acronym>BSD</acronym> disklabel (<acronym>BSD</acronym> partition tables) support (CONFIG_BSD_DISKLABEL) N/y/?
Macintosh partition map support (CONFIG_MAC_PARTITION) N/y/?
SMD disklabel (Sun partition tables) support (CONFIG_SMD_DISKLABEL) N/y/?
Solaris (x86) partition table support (CONFIG_SOLARIS_X86_PARTITION) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>Console drivers</title>
<para>
<screen>
<acronym>VGA</acronym> text console (CONFIG_VGA_CONSOLE) Y/n/?
Video mode selection support (CONFIG_VIDEO_SELECT) N/y/?
</screen>
</para>
</formalpara>
<formalpara>
<title>
Sound
</title>
<para>
<screen>
Sound card support (CONFIG_SOUND) N/y/?
</screen>
</para>
</formalpara>
</section>
<section><?dbhtml filename="chap7sec84.html"?>
<title>Kernel configuration -Part "E"</title>
<formalpara>
<title>Security options</title>
<para><emphasis>
Security options will appear only if you have patched your kernel with the Openwall Project patch.
</emphasis>
<screen>
Non-executable user stack area (CONFIG_SECURE_STACK) <userinput>Y</userinput>
Autodetect and emulate GCC trampolines (CONFIG_SECURE_STACK_SMART) <userinput>Y</userinput>
Restricted links in /tmp (CONFIG_SECURE_LINK) <userinput>Y</userinput>
Restricted FIFOs in /tmp (CONFIG_SECURE_FIFO) <userinput>Y</userinput>
Restricted <filename>/proc</filename> (CONFIG_SECURE_PROC) N <userinput>Y</userinput>
Special handling of fd 0, 1, and 2 (CONFIG_SECURE_FD_0_1_2) <userinput>Y</userinput>
Enforce RLIMIT_NPROC on execve(2) (CONFIG_SECURE_RLIMIT_NPROC) <userinput>Y</userinput>
Destroy shared memory segments not in use (CONFIG_SECURE_SHM) N <userinput>Y</userinput>
</screen>
</para>
</formalpara>
<formalpara>
<title>
Kernel hacking</title>
<para>
<screen>
Magic SysRq key (CONFIG_MAGIC_SYSRQ) N/y/?
</screen>
</para>
</formalpara>
<para>
Now, return to the <filename class="directory">/usr/src/linux/</filename> directory, if you are not already in it. You need to compile the new kernel. You do so by using the following command:
<screen>
[root@deep ] /linux# <command>make dep</command>; <command>make clean</command>; <command>make bzImage</command>
</screen>
This line contains three commands in one.
<itemizedlist>
<listitem><para>
The first one, <command>make dep</command>, actually takes your configuration and builds the corresponding dependency tree. This process determines what gets compiled and what doesn't.
</para></listitem>
<listitem><para>
The next step, <command>make clean</command>, erases all previous traces of a compilation so as to avoid any mistakes in which version of a feature gets tied into the kernel.
</para></listitem>
<listitem><para>
Finally, <command>make bzImage</command> does the full compilation of the kernel.
</para></listitem>
</itemizedlist>
</para>
<para>
After the process is complete, the kernel is compressed and ready to be installed on your system. Before we can install the new kernel, we must know if we need to compile the
corresponding modules. This is required only if you said <userinput>Yes</userinput> to Enable loadable module support <envar>CONFIG_MODULES</envar> and have compiled some options in the kernel configuration above
as a module. In this case, you must execute the following commands:
<screen>
[root@deep ] /linux#<command>make modules</command>
[root@deep ] /linux#<command>make modules_install</command>
</screen>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
The <command>make modules</command> and <command>make modules_install</command> commands are required only if you say Yes to Enable loadable module support <envar>CONFIG_MODULES</envar> in your kernel configuration above.
</para>
</note>
</section>
<section><?dbhtml filename="chap7sec85.html"?>
<title>Installing the new kernel</title>
<procedure>
<step>
<para>
Copy the file <filename>/usr/src/linux/arch/i386/boot/bzImage</filename> from the kernel source tree to the <filename>/boot</filename> directory, and give it an
appropriate new name.
<screen>
[root@deep ] /linux#<command>cp</command> /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-kernel.version.number
</screen>
An appropriate or recommended new name is something like vmlinuz-2.2.14. This is important if you want to make a new rescue floppy or emergency boot floppy with the mkbootdisk program,
which expects a name of that form, for example vmlinuz-2.2.14 instead of vmlinuz-2.2.14.a.
</para>
</step>
<step>
<para>
Copy the file <filename>/usr/src/linux/System.map</filename> from the kernel source tree to the <filename>/boot</filename> directory, and give it an appropriate new name.
<screen>
[root@deep ] /linux#<command>cp</command> /usr/src/linux/System.map /boot/System.map-kernel.version.number
</screen>
</para>
</step>
<step>
<para>
Move into the <filename class="directory">/boot</filename> directory and rebuild the links to <filename>vmlinuz</filename> and <filename>System.map</filename> with the following commands:
<screen>
[root@deep ] /linux#<command>cd</command> /boot
[root@deep ] /boot#<command>ln</command> -fs vmlinuz-kernel.version.number vmlinuz
[root@deep ] /boot#<command>ln</command> -fs System.map-kernel.version.number System.map
</screen>
We must rebuild the links <filename class="symlink">vmlinuz</filename> and <filename class="symlink">System.map</filename> to point to the new kernel version installed. Without
the new links, the <acronym>LILO</acronym> program will by default look for the old version of your Linux kernel.
</para>
</step>
<step>
<para>
Remove obsolete and unnecessary files under the <filename>/boot</filename> directory to make space:
<screen>
[root@deep ] /boot#<command>rm</command> -f module-info
[root@deep ] /boot#<command>rm</command> -f initrd-2.2.xx.img
</screen>
The <filename>module-info</filename> link points to the modules directory of your original kernel. Since we have installed a brand new kernel, we don't need to keep this
broken link. The <filename>initrd-2.2.xx.img</filename> file contains an initial <acronym>RAM</acronym> disk image that serves as a minimal system before the disk is available. This file is only
present, and is installed by the Linux setup program, if your system has a <acronym>SCSI</acronym> adapter. If we have a <acronym>SCSI</acronym> system, the driver is now incorporated
into our new Linux kernel since we have built a monolithic kernel, so we can remove the file <filename>initrd-2.2.xx.img</filename> safely.
</para>
</step>
<step>
<para>
Create a new Linux kernel directory that will hold all header files related to the Linux kernel for future compilation of other programs on your system. Recall that we had created two symlinks under the <filename class="directory">/usr/include</filename>
directory that point to the Linux kernel source, so that we could compile the kernel without errors and also compile future programs.
The <filename class="directory">/usr/include</filename> directory is where all header files of your Linux system are kept for reference and dependencies when you compile and install new programs. The <filename class="symlink">asm</filename> and <filename class="symlink">linux</filename> links
are used when a program needs, at compile time, to know about functions specific to the kernel installed on your system. Programs call other headers in the include directory when they must know specific information, dependencies,
<abbrev>etc.</abbrev> of your system.
<screen>
[root@deep] /#<command>mkdir</command> -p /usr/src/linux-2.2.14/include
[root@deep] /#<command>cp</command> -r /usr/src/linux/include/asm-generic /usr/src/linux-2.2.14/include
[root@deep] /#<command>cp</command> -r /usr/src/linux/include/asm-i386 /usr/src/linux-2.2.14/include
[root@deep] /#<command>cp</command> -r /usr/src/linux/include/linux /usr/src/linux-2.2.14/include
[root@deep] /#<command>cp</command> -r /usr/src/linux/include/net /usr/src/linux-2.2.14/include
[root@deep] /#<command>cp</command> -r /usr/src/linux/include/video /usr/src/linux-2.2.14/include
[root@deep] /#<command>cp</command> -r /usr/src/linux/include/scsi /usr/src/linux-2.2.14/include
[root@deep] /#<command>rm</command> -rf /usr/src/linux
[root@deep] /#<command>cd</command> /usr/src
[root@deep ] /src#<command>ln</command> -s /usr/src/linux-2.2.14 linux
</screen>
First we create a new directory named <filename class="directory">linux-2.2.14</filename>, based on the version of the kernel we have installed, for easy identification, then we copy the directories
asm-generic, asm-i386, linux, net, video, and scsi from <filename class="directory">/usr/src/linux/include</filename> to our new place <filename class="directory">/usr/src/linux-2.2.14/include</filename>. After that,
we remove the entire source directory where we had compiled the new kernel, and create a new symbolic link named <filename class="symlink">linux</filename> under <filename class="directory">/usr/src</filename> that
points to our new <filename class="directory">/usr/src/linux-2.2.14</filename> directory. With these steps, future compiled programs will know where to look for headers related to the kernel on your server.
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
This step will free space on our hard drive and will reduce the security risk. The Linux kernel source directory holds a lot of files and is about 75 MB in size when uncompressed. With the
procedure described above, our Linux kernel directory is now approximately 3 MB in size, so we save 72 MB for the same functionality.
</para>
</note>
</para>
</step>
<step>
<para>
Finally, you need to edit the <filename>/etc/lilo.conf</filename> file to make your new kernel one of the boot time options:
</para>
<substeps>
<step>
<para>
Edit the <filename>lilo.conf</filename> file (<command>vi</command> <filename>/etc/lilo.conf</filename>) and make the appropriate change on the line that reads <envar>image=/boot/</envar>.
<screen>
[root@deep] /#<command>vi</command> /etc/lilo.conf
</screen>
<literallayout class="normal">
<computeroutput>
boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=00
restricted
password=somepasswd
image=/boot/vmlinuz-kernel.version.number #add your new kernel name file here.
label=linux
root=/dev/sda6
read-only
</computeroutput>
</literallayout>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Don't forget to remove the line that reads <envar>initrd=/boot/initrd-2.2.12-20.img</envar> in the <filename>lilo.conf</filename> file; this line is no longer necessary, since a monolithic kernel doesn't need an initrd file.
</para>
</important>
</para>
</step>
<step>
<para>
Once the name of the new kernel version has been put in the <filename>lilo.conf</filename> file as shown above, we update our <filename>lilo.conf</filename> file for the change to take effect
with the following command:
<screen>
[root@deep] /#<command>/sbin/lilo</command> -v
</screen>
<literallayout class="normal">
<computeroutput>
LILO version 21, [Copyright 1992-1998 Werner Almesberger
Reading boot sector from /dev/sda
Merging with /boot/boot.b
Boot image: /boot/vmlinuz-2.2.14
Added linux *
/boot/boot.0800 exits no backup copy made.
Writing boot sector.
</computeroutput>
</literallayout>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
If you say <userinput>NO</userinput> to the configuration option Unix98 <acronym>PTY</acronym> support <envar>CONFIG_UNIX98_PTYS</envar> during your kernel configuration, you must edit the <filename>/etc/fstab</filename> file and remove the line that reads:
<screen>
none /dev/pts devpts gid=5,mode=620 0 0
</screen>
</para>
</important>
</para>
</step>
</substeps>
</step>
</procedure>
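<para>
The following shell functions are an added example, not part of the book, that automate the link and <filename>lilo.conf</filename> checks from the steps above. BOOTDIR and CONF are assumed placeholders for <filename class="directory">/boot</filename> and <filename>/etc/lilo.conf</filename> so the checks can be tried on a scratch directory first; the file-permission check is an addition that follows from the password being stored in clear text in <filename>lilo.conf</filename>.
</para>

```shell
# Added example (not from the book): sanity checks for a manual kernel
# install with LILO. BOOTDIR stands in for /boot and CONF for /etc/lilo.conf
# so the functions can be exercised on a scratch directory first.

# install_kernel_links BOOTDIR VERSION
#   Re-point the vmlinuz and System.map symlinks at the versioned files,
#   exactly as the "ln -fs" steps above do, but refuse to create dangling
#   links if either target is missing (LILO would then boot the old kernel).
install_kernel_links() {
    bootdir=$1
    ver=$2
    for f in "vmlinuz-$ver" "System.map-$ver"; do
        if [ ! -f "$bootdir/$f" ]; then
            echo "install_kernel_links: $bootdir/$f does not exist"
            return 1
        fi
    done
    ln -fs "vmlinuz-$ver" "$bootdir/vmlinuz"
    ln -fs "System.map-$ver" "$bootdir/System.map"
}

# check_lilo_conf CONF BOOTDIR
#   Print one line per problem found and return 1 if there were any.
#   Paths under /boot in the file are looked up under BOOTDIR.
check_lilo_conf() {
    conf=$1
    bootdir=$2
    problems=0

    # A monolithic kernel has no initial RAM disk, so a leftover initrd=
    # line points LILO at a file that no longer needs to exist.
    if grep -q '^[[:space:]]*initrd=' "$conf"; then
        echo "stale initrd= line: a monolithic kernel needs no initrd"
        problems=$((problems + 1))
    fi

    # "restricted" plus "password=" make LILO ask for the password before
    # accepting boot-time kernel arguments typed at the console.
    for key in restricted password=; do
        if ! grep -q "^[[:space:]]*$key" "$conf"; then
            echo "missing '$key' line: boot prompt is unprotected"
            problems=$((problems + 1))
        fi
    done

    # The password is stored in clear text, so the file must not be
    # readable by group or others.
    if [ -n "$(find "$conf" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "$conf is readable by group/others: chmod 600 it"
        problems=$((problems + 1))
    fi

    # Every image= must name a kernel file that is actually present.
    for img in $(sed -n 's/^[[:space:]]*image=\([^[:space:]#]*\).*/\1/p' "$conf"); do
        if [ ! -f "$bootdir/${img#/boot/}" ]; then
            echo "image $img not found under $bootdir"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}
```

Run <command>check_lilo_conf /etc/lilo.conf /boot</command> before <command>/sbin/lilo -v</command>; a non-zero return means one of the listed problems is present.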
</section>
<section><?dbhtml filename="chap7sec86.html"?>
<title>Delete programs, Edit files pertaining to modules</title>
<para>
By default, when you install Red Hat Linux for the first time as we do, the kernel is built as a modularized kernel. This means that each device or function we need exists as a module and is controlled by
the kernel daemon program named kmod, which automatically loads modules and function support into memory as needed, and unloads them when they are no longer in use.
</para>
<procedure>
<step>
<para>
kmod and other module management programs included in the modutils <acronym>RPM</acronym> package use the <filename>conf.modules</filename> file located in the <filename class="directory">/etc</filename> directory to know, for example, which Ethernet card you
have, whether your Ethernet card requires special configuration, and so on. Since we are not using any modules in our new compiled kernel, we can remove the <filename>conf.modules</filename> file and completely uninstall the
modutils package.
To remove the <filename>conf.modules</filename> file, use the command:
<screen>
[root@deep] /#<command>rm</command> -f /etc/conf.modules
</screen>
To uninstall the modutils package, use the following command:
<screen>
[root@deep] /#<command>rpm</command> -e --nodeps modutils
</screen>
</para>
</step>
<step>
<para>
One last thing to do is to edit the file <filename>rc.sysinit</filename> and comment out all the lines related to <command>depmod</command> -a by inserting a <prompt>#</prompt> at
the beginning of the lines. This is needed since at boot time the system reads the <filename>rc.sysinit</filename> script, which by default tries to find module dependencies for the kernel.
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.2.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
Comment out the line 260 in the <filename>rc.sysinit</filename> file (<command>vi</command> +260 <filename>/etc/rc.d/rc.sysinit</filename>):
<screen>
if [ -x /sbin/depmod -a -n "$USEMODULES" ]; then
</screen>
To read:
<screen>
#if [ -x /sbin/depmod -a -n "$USEMODULES" ]; then
</screen>
Comment out the lines 272 to 277 in the <filename>rc.sysinit</filename> file vi +272 <filename>/etc/rc.d/rc.sysinit</filename>:
<screen>
if [ -L /lib/modules/default ]; then
INITLOG_ARGS= action "Finding module dependencies" depmod -a default
else
INITLOG_ARGS= action "Finding module dependencies" depmod -a
fi
fi
</screen>
To read:
<screen>
# if [ -L /lib/modules/default ]; then
# INITLOG_ARGS= action "Finding module dependencies" depmod -a default
# else
# INITLOG_ARGS= action "Finding module dependencies" depmod -a
# fi
#fi
</screen>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The procedure described above relates to initscripts-4_70-1 package under Red Hat Linux version 6.1.
</para>
</important>
<mediaobject>
<imageobject>
<imagedata fileref="images/Version6.2.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
Comment out the line 243 in the <filename>rc.sysinit</filename> file (<command>vi</command> +243 <filename>/etc/rc.d/rc.sysinit</filename>):
<screen>
if [ -x /sbin/depmod -a -n "$USEMODULES" ]; then
</screen>
To read:
<screen>
#if [ -x /sbin/depmod -a -n "$USEMODULES" ]; then
</screen>
Comment out the lines 255 to 260 in the <filename>rc.sysinit</filename> file vi +255 <filename>/etc/rc.d/rc.sysinit</filename>:
<screen>
if [ -L /lib/modules/default ]; then
INITLOG_ARGS= action "Finding module dependencies" depmod -a default
else
INITLOG_ARGS= action "Finding module dependencies" depmod -a
fi
fi
</screen>
To read:
<screen>
# if [ -L /lib/modules/default ]; then
# INITLOG_ARGS= action "Finding module dependencies" depmod -a default
# else
# INITLOG_ARGS= action "Finding module dependencies" depmod -a
# fi
#fi
</screen>
Once again, this whole part (deleting the program, file and lines related to modules) is required only if you said No to Enable loadable module support (<envar>CONFIG_MODULES</envar>) in your kernel configuration above.
</para>
</step>
<step>
<para>
Now you must Reboot your system and test your results.
<screen>
[root@deep] /#<command>reboot</command>
</screen>
When the system has rebooted and you are logged in, verify the new version of your kernel with the following command:
<screen>
[root@deep] /#<command>uname</command> -a
</screen>
<literallayout class="normal">
<computeroutput>
Linux deep.openna.com 2.2.14 #1 Mon Jan 10 10:40:35 EDT 2000 i686 unknown
[root@deep]#
</computeroutput>
</literallayout>
</para>
</step>
</procedure>
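<para>
The line numbers quoted above differ between Red Hat 6.1 and 6.2, so the following is an added example, not from the book, that comments out the depmod block by pattern instead: it finds the line that tests for <filename>/sbin/depmod</filename> and comments every line up to its matching <literal>fi</literal>, counting nested if/fi pairs. It goes beyond the book's steps in that it also comments the lines between the opening test and the inner <literal>if [ -L /lib/modules/default ]</literal> block, so the whole depmod section is disabled; the FILE argument is assumed to be <filename>/etc/rc.d/rc.sysinit</filename>.
</para>

```shell
# Added example (not from the book): comment out the whole depmod block in
# rc.sysinit by pattern instead of by line number. Running it twice changes
# nothing, because already commented lines no longer match the patterns.

# comment_depmod_block FILE
#   Rewrites FILE in place and keeps the original as FILE.orig.
comment_depmod_block() {
    file=$1
    cp "$file" "$file.orig"
    awk '
        BEGIN { depth = 0 }
        {
            line = $0
            if (depth == 0) {
                # Outside the block: only the opening test starts commenting.
                if (line ~ /^[ \t]*if[ \t].*\/sbin\/depmod/) {
                    depth = 1
                    print "#" line
                } else {
                    print line
                }
                next
            }
            # Inside the block: track nesting so the right "fi" ends it.
            if (line ~ /^[ \t]*if[ \t]/) {
                depth++
            } else if (line ~ /^[ \t]*fi[ \t]*$/) {
                depth--
            }
            print "#" line
        }
    ' "$file.orig" > "$file"
}
```

Check the result with <command>diff /etc/rc.d/rc.sysinit.orig /etc/rc.d/rc.sysinit</command> before rebooting.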
<para>
<emphasis>
Congratulations!
</emphasis>
</para>
</section>
<section><?dbhtml filename="chap7sec87.html"?>
<title>Create an emergency Rescue and Boot floppy disk</title>
<para>
After the reboot of your Linux server, you should now have a system with an upgraded kernel. Therefore, it's time to make a new rescue image with the new kernel in case of future emergencies. To do this, follow
the simple step below.
Log in as root, insert a new floppy, then execute the following command:
<screen>
[root@deep] /#<command>mkbootdisk</command> --device /dev/fd0 2.2.14
</screen>
<literallayout >
<computeroutput>
Insert a disk in <filename>/dev/fd0</filename>. Any information on the disk will be lost.
Press &lt;Enter&gt; to continue or <keycombo><keycap>^C</keycap></keycombo> to abort:
</computeroutput>
</literallayout>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The mkbootdisk program runs only on a modularized kernel, so you can't use it on a monolithic kernel; instead, create an emergency boot floppy as shown below, to use if you have a problem with your system in the future.
</para>
</important>
<para>
Because it is possible to create a rescue floppy only on a modularized kernel, we must find another way to boot our Linux system if the Linux kernel on the hard disk is damaged. This is possible with a Linux emergency
boot floppy disk. You should create it immediately after you successfully start your system and log in as root.
</para>
<procedure>
<step><para>
To create the emergency boot floppy disk, follow these steps:
</para>
<substeps><step><para>
Insert a floppy disk and format it with the following command:
<screen>
[root@deep] /#<command>fdformat</command> /dev/fd0H1440
</screen>
<literallayout>
<computeroutput>
Double-sided, 80 tracks, 18 sec/track. Total capacity 1440 kB.
Formatting ... done
Verifying ... done
</computeroutput>
</literallayout>
</para>
</step>
<step><para>
Copy the file vmlinuz from the <filename>/boot</filename> directory to the floppy disk:
<screen>
[root@deep] /#<command>cp</command> /boot/vmlinuz /dev/fd0
</screen>
<literallayout>
<computeroutput>
cp: overwrite '/dev/fd0'? y
</computeroutput>
</literallayout>
The <filename>vmlinuz</filename> file is a symbolic link that points to the real Linux kernel.
</para>
</step>
<step><para>
Determine the kernel's root device with the following command:
<screen>
[root@deep] /#<command>rdev</command>
/dev/sda12 /
</screen>
The kernel's root device is the disk partition where the root file system is located. In this example, the root device is <filename>/dev/sda12</filename>; the device name may be different on your system.
</para>
</step>
<step><para>
Set the kernel's root device with the following command:
<screen>
[root@deep] /#<command>rdev</command> /dev/fd0 /dev/sda12
</screen>
To set the kernel's root device, use the device reported by the rdev command utility in the previous step.
</para>
</step>
<step><para>
Mark the root device as read-only with the following command:
<screen>
[root@deep] /#<command>rdev</command> -R /dev/fd0 1
</screen>
This causes Linux initially to mount the root file system as read-only. By setting the root device as read-only, you avoid several warning and error messages.
</para>
</step>
<step><para>
Now put the boot floppy in the drive A: and reboot your system with the following command:
<screen>
[root@deep] /#<command>reboot</command>
</screen>
</para>
</step>
</substeps>
</step>
<step><para>
Update your <filename class="directory">/dev</filename> entries: if you have added new devices to your system or have recently done a major kernel upgrade (a major kernel upgrade is, for example, when you pass from kernel version 2.2.9 to 2.2.15 directly), it may be
important to update your <filename class="directory">/dev</filename> entries to avoid problems related to missing devices.
We can accomplish this task with the <filename>MAKEDEV</filename> script utility, which scans the <filename class="directory">/dev</filename>
directory where all devices that interface with drivers in the kernel are kept. A special option named update allows the MAKEDEV utility to create new devices that you have configured in your kernel and delete those which
are no longer configured. To update your <filename class="directory">/dev</filename> entries, execute the following commands:
<screen>
[root@deep] /#<command>cd</command> /dev
[root@deep ] /dev#<command>./MAKEDEV</command> update
</screen>
</para>
</step>
</procedure>
</section>
</chapter>
</part>
<part label="4"><?dbhtml filename="net-manage.html"?>
<title>Networking -Management, Firewall, Masquerading and Forwarding</title>
<partintro>
<mediaobject>
<imageobject>
<imagedata fileref="./resources/Annimals/Chapter10.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>PIG</phrase></textobject>
</mediaobject>
<abstract>
<para>
Until now, we have not tinkered with the networking capabilities of Linux. Linux is one of the best existing operating systems in the world for networking features. Most Internet sites around the world already know this, and have used it for
quite some time. Understanding your hardware network and all files related to it is very important if you want to have a full control of what happens on your server. Good knowledge of primary networking commands is vital. Network management
covers a wide variety of topics. In general, it includes gathering statistical data and status of parts of your network, and taking action as necessary to deal with failures and other changes.
</para>
</abstract></partintro>
<chapter label="8"><?dbhtml filename="tcp-ip.html"?>
<title><acronym>TCP/IP</acronym> -Network Management</title>
<highlights>
<para>
The most primitive technique for network monitoring is periodic pinging of critical hosts. More sophisticated network monitoring requires the ability to get specific status and statistical information from various devices on the network. These should
include various sorts of datagram counts, as well as counts of errors of various kinds. For these reasons, in this part we will try to answer fundamental questions about networking devices, files related to networking functionality, and essential
networking commands.
</para>
</highlights>
<section><?dbhtml filename="chap8sec88.html"?>
<title>Multiple Ethernet Card per Machine</title>
<para>
You can use Linux as a gateway between two Ethernet networks. In that case, you might have two Ethernet cards on your server. To eliminate problems at boot time, the Linux kernel doesn't detect multiple cards
automatically. If you happen to have two or more cards, you should specify the parameters of the cards in the <filename>lilo.conf</filename> file for a monolithic kernel or in the <filename>conf.modules</filename> file
for a modularized kernel. The following are problems you may encounter with your network cards.
</para>
<formalpara>
<title>Problem 1</title>
<para>
If the driver(s) of the card(s) is/are being used as a loadable module (<emphasis>modularized kernel</emphasis>), in the case of <acronym>PCI</acronym> drivers, the module will typically detect all of the installed cards
automatically. For <acronym>ISA</acronym> cards, you need to supply the <literal>I/O</literal> base address of the card so the module knows where to look. This information is stored in the file <filename>/etc/conf.modules</filename>.
<example>
<title>Two ISA ethernet cards</title>
<para>
Consider we have two <acronym>ISA</acronym> <literal>3c509</literal> cards, one at <literal>I/O</literal> <literal>0x300</literal> and one at <literal>I/O</literal> <literal>0x320</literal>.
For <acronym>ISA</acronym> cards, edit the <filename>conf.modules</filename> file, <command>vi</command> <filename>/etc/conf.modules</filename> and add:
<programlisting>
alias eth0 3c509
alias eth1 3c509
options 3c509 io=0x300,0x320
</programlisting>
This says that the <literal>3c509</literal> driver should be loaded for either <literal>eth0</literal> or <literal>eth1</literal> -<literal>alias eth0</literal>, <literal>alias eth1</literal>- and that it should be loaded with
the options <literal>io=0x300,0x320</literal> so that the driver knows where to look for the cards. Note that the <literal>0x</literal> prefix is important; things like <literal>300h</literal>, as commonly used in the <acronym>DOS</acronym> world, won't work.
</para>
<para>
For <acronym>PCI</acronym> cards, you typically only need the alias lines to correlate the <literal>ethN</literal> interfaces with the appropriate driver name, since the <literal>I/O</literal> base of a <acronym>PCI</acronym> card can be safely
detected.
For <acronym>PCI</acronym> cards, edit the <filename>conf.modules</filename> file <command>vi</command> <filename>/etc/conf.modules</filename> and add:
<programlisting>
alias eth0 3c509
alias eth1 3c509
</programlisting>
</para>
</example>
</para>
</formalpara>
<formalpara>
<title>Problem 2</title>
<para>
If the driver(s) of the card(s) is/are compiled into the kernel -<emphasis>monolithic kernel</emphasis>-, the <acronym>PCI</acronym> probes will find all related cards automatically. The <acronym>ISA</acronym> probes
will usually find all related cards too, but in some circumstances <acronym>ISA</acronym> cards still need the following. This information is stored in the file <filename>/etc/lilo.conf</filename>. The method
is to pass boot-time arguments to the kernel, which is usually done by <literal>LILO</literal>.
For <acronym>ISA</acronym> cards, edit the <filename>lilo.conf</filename> file, <command>vi</command> <filename>/etc/lilo.conf</filename> and add:
<programlisting>
append=ether=0,0,eth1
</programlisting>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
First test your <acronym>ISA</acronym> cards without the boot-time arguments in the <filename>lilo.conf</filename> file, and if this fails, use the boot-time arguments.
</para>
</important>
In this case <literal>eth0</literal> and <literal>eth1</literal> will be assigned in the order that the cards are found at boot. Since we have recompiled the kernel with the driver(s) built in, we must use this
second method to install our second Ethernet card on the system. Remember that this is required only in some circumstances
for <acronym>ISA</acronym> cards; <acronym>PCI</acronym> cards will be found automatically.
</para>
</formalpara>
</section>
</chapter>
<chapter label="9"><?dbhtml filename="file-netfunc.html"?>
<title>Files -Networking Functionality</title>
<highlights>
<para>This chapter deals with all the basic files, usually text files, related to <acronym>TCP/IP</acronym> networking. It's very important to know the configuration files related to <acronym>TCP/IP</acronym> networking, so that you can
edit and configure the files if necessary. Remember that our server doesn't have an <literal>Xwindow</literal> interface to configure files via a graphical interface. Even if you use a <acronym>GUI</acronym> in your daily activities it
is important to know how to configure the network in text mode. The following sections describe the basic <acronym>TCP/IP</acronym> configuration files.
</para>
</highlights>
<section><?dbhtml filename="chap9sec89.html"?>
<title>The <filename>/etc/HOSTNAME</filename> file</title>
<para>
This file stores your system's host name, your system's fully qualified domain name -<acronym>FQDN</acronym>-, such as <literal>deep.openna.com</literal>.
Following is a sample <filename>/etc/HOSTNAME</filename> file:
</para>
<programlisting>
deep.openna.com
</programlisting>
</section>
<section><?dbhtml filename="chap9sec90.html"?>
<title>The <filename>/etc/sysconfig/network-scripts/ifcfg-ethN</filename> files</title>
<para>
Configuration files for each network device you may have or want to add on your system are located in the <filename class="directory">/etc/sysconfig/network-scripts/</filename> directory with Red Hat Linux 6.1 or 6.2 and
are named <literal>ifcfg-eth0</literal> for the first interface, <literal>ifcfg-eth1</literal> for the second, and so on.
Following is an example <filename>/etc/sysconfig/network-scripts/ifcfg-eth0</filename> file:
</para>
<informalexample>
<programlisting>
DEVICE=eth0
IPADDR=208.164.186.1
NETMASK=255.255.255.0
NETWORK=208.164.186.0
BROADCAST=208.164.186.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
</programlisting>
</informalexample>
<para>
If you want to modify your network address manually, or add a new network on a new interface, edit this file -<literal>ifcfg-ethN</literal>, or create a new one and make the appropriate changes.
<itemizedlist>
<listitem>
<para>
DEVICE=devicename, where devicename is the name of the physical network device.
</para>
</listitem>
<listitem>
<para>
IPADDR=ipaddr, where ipaddr is the IP address.
</para>
</listitem>
<listitem>
<para>
NETMASK=netmask, where netmask is the netmask IP value.
</para>
</listitem>
<listitem>
<para>
NETWORK=network, where network is the network IP address.
</para>
</listitem>
<listitem>
<para>
BROADCAST=broadcast, where broadcast is the broadcast IP address.
</para>
</listitem>
<listitem>
<para>
ONBOOT=answer, where answer is yes or no. <emphasis>Does the interface need to be active or inactive at boot time?</emphasis>
</para>
</listitem>
<listitem>
<para>
BOOTPROTO=proto, where proto is one of the following :
<orderedlist numeration="lowerroman">
<listitem><para>
none - No boot-time protocol should be used.
</para></listitem>
<listitem><para>
bootp - The bootp <emphasis>now pump</emphasis> protocol should be used.
</para></listitem>
<listitem><para>
dhcp - The dhcp protocol should be used.
</para></listitem>
</orderedlist>
</para>
</listitem>
<listitem>
<para>
USERCTL=answer, where answer is one of the following:
<orderedlist>
<listitem><para>
yes <emphasis>- Non-root users are allowed to control this device</emphasis>.
</para></listitem>
<listitem><para>
no <emphasis>- Only the super-user root is allowed to control this device</emphasis>.
</para></listitem>
</orderedlist>
</para>
</listitem>
</itemizedlist>
</para>
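As an added illustration (not one of the book's own scripts), the following Python program parses an <literal>ifcfg-ethN</literal> file of the form shown above and checks that <literal>NETWORK</literal> and <literal>BROADCAST</literal> really follow from <literal>IPADDR</literal> and <literal>NETMASK</literal>, that <literal>BOOTPROTO</literal> is one of the three documented values, and that <literal>USERCTL</literal> is not set to <literal>yes</literal>, since that hands control of the interface to unprivileged users. The two sample files are constructed for this example; the second is deliberately inconsistent.

```python
import ipaddress

# Constructed sample files for this illustration (modelled on the ifcfg-eth0
# shown above, not copied from a real host). The second one is deliberately
# inconsistent: NETWORK does not match IPADDR/NETMASK and USERCTL is yes.
SAMPLE_OK = """\
DEVICE=eth0
IPADDR=208.164.186.1
NETMASK=255.255.255.0
NETWORK=208.164.186.0
BROADCAST=208.164.186.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
"""

SAMPLE_BAD = """\
DEVICE=eth1
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.1.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=yes
"""

VALID_BOOTPROTO = ("none", "bootp", "dhcp")


def parse_ifcfg(text):
    """Parse the KEY=value lines of an ifcfg-ethN file into a dict.
    Blank lines and '#' comments are skipped; quoted values are unquoted."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip().strip('"').strip("'")
    return cfg


def check_ifcfg(cfg):
    """Return a list of problems found in a parsed ifcfg dict (empty if clean).

    NETWORK and BROADCAST are derived from IPADDR and NETMASK and compared with
    what the file claims; USERCTL=yes is reported because it lets any local
    user bring the interface up or down."""
    problems = ["missing %s" % key for key in ("DEVICE", "IPADDR", "NETMASK")
                if key not in cfg]
    if problems:
        return problems
    try:
        iface = ipaddress.IPv4Interface("%s/%s" % (cfg["IPADDR"], cfg["NETMASK"]))
    except ValueError as exc:
        return ["bad IPADDR/NETMASK: %s" % exc]
    net = iface.network
    if "NETWORK" in cfg and cfg["NETWORK"] != str(net.network_address):
        problems.append("NETWORK should be %s, found %s"
                        % (net.network_address, cfg["NETWORK"]))
    if "BROADCAST" in cfg and cfg["BROADCAST"] != str(net.broadcast_address):
        problems.append("BROADCAST should be %s, found %s"
                        % (net.broadcast_address, cfg["BROADCAST"]))
    if cfg.get("BOOTPROTO", "none") not in VALID_BOOTPROTO:
        problems.append("unknown BOOTPROTO %s" % cfg["BOOTPROTO"])
    if cfg.get("USERCTL", "no") == "yes":
        problems.append("USERCTL=yes lets non-root users control %s" % cfg["DEVICE"])
    return problems


if __name__ == "__main__":
    for name, text in (("ifcfg-eth0", SAMPLE_OK), ("ifcfg-eth1", SAMPLE_BAD)):
        print(name, check_ifcfg(parse_ifcfg(text)) or "OK")
```

On a real machine, feed it the contents of <filename>/etc/sysconfig/network-scripts/ifcfg-eth0</filename>; a mismatch between the claimed <literal>NETWORK</literal> or <literal>BROADCAST</literal> and the address arithmetic is a common cause of an interface that comes up but cannot reach its own subnet.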
</section>
<section><?dbhtml filename="chap9sec91.html"?>
<title>The <filename>/etc/resolv.conf</filename> file</title>
<para>
This file is another text file, used by the resolver, a library that determines the <acronym>IP</acronym> address for a host name.
Following is a sample <filename>/etc/resolv.conf</filename> file:
</para>
<programlisting>
search openna.com
nameserver 208.164.186.1
nameserver 208.164.186.2
</programlisting>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Name servers are queried in the order they appear in the file <literal>primary, secondary</literal>.
</para>
</note>
</section>
<section><?dbhtml filename="chap9sec92.html"?>
<title>The <filename>/etc/host.conf</filename> file</title>
<para>
This file specifies how names are resolved. Linux uses a resolver library to obtain the <acronym>IP</acronym> address corresponding to a host name.
Following is a sample <filename>/etc/host.conf</filename> file:
</para>
<programlisting>
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts <co id="hs.cnf.co1"/>
# We have machines with multiple addresses.
multi on <co id="hs.cnf.co2"/>
# Check for IP address spoofing.
nospoof on <co id="hs.cnf.co3"/>
</programlisting>
<calloutlist>
<callout arearefs="hs.cnf.co1"><para>
The order option indicates the order of services. The sample entry specifies that the resolver library should first consult the name server (DNS) to resolve a name and then check the <filename>/etc/hosts</filename> file.
</para>
</callout>
<callout arearefs="hs.cnf.co2"><para>
The multi option determines whether a host in the <filename>/etc/hosts</filename> file can have multiple <acronym>IP</acronym> addresses -multiple interfaces <literal>ethN</literal>. Hosts that have more than one <acronym>IP</acronym> address are said to be multihomed, because the presence of multiple <acronym>IP</acronym> addresses implies that the host has several network interfaces.
</para></callout>
<callout arearefs="hs.cnf.co3"><para>
The nospoof option tells the resolver not to permit spoofing on this machine: after a reverse lookup of an address, the host name returned is resolved forward again and must map back to that same address. <acronym>IP</acronym> spoofing is a security exploit that works by tricking computers in a trust relationship into believing that you are someone you really aren't.
</para></callout>
</calloutlist>
</section>
<section><?dbhtml filename="chap9sec93.html"?>
<title>The <filename>/etc/sysconfig/network</filename> file</title>
<para>
The <filename>/etc/sysconfig/network</filename> file is used to specify information about the desired network configuration on your server.
Following is an example <filename>/etc/sysconfig/network</filename> file:
<informalexample>
<programlisting>
NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=deep.openna.com
GATEWAY=0.0.0.0
GATEWAYDEV=
</programlisting>
</informalexample>
</para>
<para>
The following values may be used:
<itemizedlist>
<listitem><para>
<envar>NETWORKING=answer</envar>, where answer is yes or no -<emphasis>Configure networking or not to configure networking</emphasis>.
</para>
</listitem>
<listitem><para>
<envar>FORWARD_IPV4=answer</envar>, where answer is yes or no -<emphasis>Perform <acronym>IP</acronym> forwarding or not to perform <acronym>IP</acronym> forwarding</emphasis>.
</para>
</listitem>
<listitem><para>
<envar>HOSTNAME=hostname</envar>, where hostname is the hostname of your server.
</para>
</listitem>
<listitem><para>
<envar>GATEWAY=gwip</envar>, where gwip is the <acronym>IP</acronym> address of the remote network gateway -<emphasis>if available</emphasis>.
</para>
</listitem>
<listitem><para>
<envar>GATEWAYDEV=gwdev</envar>, where gwdev is the device name <literal>eth#</literal> you use to access the remote gateway.
</para></listitem>
</itemizedlist>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
For compatibility with older software, the <filename>/etc/HOSTNAME</filename> file should contain the same value as <envar>HOSTNAME=hostname</envar> above. With the new version of Red Hat Linux 6.2 the <envar>FORWARD_IPV4</envar> parameter is now
specified in the <filename>/etc/sysctl.conf</filename> file instead of the <filename>/etc/sysconfig/network</filename> file.
</para>
</important>
</section>
<section><?dbhtml filename="chap9sec94.html"?>
<title>The <filename>/etc/sysctl.conf</filename> file</title>
<para>
In Red Hat Linux 6.2, many kernel options related to networking security, such as dropping packets that come in over interfaces they shouldn't or ignoring <literal>ping/broadcast</literal> requests, <abbrev>etc.</abbrev>, can
be set in the new <filename>/etc/sysctl.conf</filename> file instead of the <filename>/etc/rc.d/rc.local</filename> file. One important consideration is the <literal>IPv4</literal> forwarding parameter, which is now set via
the sysctl program, as opposed to being controlled by the contents of the <filename>/etc/sysconfig/network</filename> file. The sysctl settings are stored in <filename>/etc/sysctl.conf</filename>, and are loaded at each
boot before the <filename>/etc/rc.d/rc.local</filename> file is run. We've already talked about all the networking security parameters that we must set on the
server in <link linkend="prt2ch1gss">General System Security</link>, and for this reason we'll focus only on the kernel option for <literal>IPv4</literal> forwarding.
</para>
<para>
To enable IPv4 forwarding on your RH 6.2 system, edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Enable packet forwarding
net.ipv4.ip_forward = 1
</programlisting>
You must restart your network for the change to take effect. The command to restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout class="monospaced">
<computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput>
</literallayout>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Enabling IPv4 forwarding via the <filename>sysctl.conf</filename> file is only valid for Red Hat Linux 6.2 users. Users with version 6.1 of Red Hat must set this parameter into the <filename>/etc/sysconfig/network</filename> file as
explained above.
</para>
</tip>
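Because the forwarding switch moved between releases, it is easy to believe forwarding is off when the file the kernel actually honours says otherwise. The following Python check, added here as an example and not part of the book, reads both files, decides which one counts for a given Red Hat release, and reports a host that forwards packets without being the gateway (a Web or mail server that routes between the networks it is attached to is an unintended router). The sample file contents, the role names and the function names are constructed for this illustration.

```python
# Constructed samples, not copied from a live host: the two files the book
# shows for IPv4 forwarding, as they might look on the gateway deep.openna.com.
SYSCTL_CONF = """\
# Enable packet forwarding
net.ipv4.ip_forward = 1
"""

SYSCONFIG_NETWORK = """\
NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=deep.openna.com
GATEWAY=0.0.0.0
GATEWAYDEV=
"""

# Of the three server types in this book, only the gateway is meant to route.
ROLES_THAT_FORWARD = {"gateway"}


def parse_assignments(text):
    """Parse 'key = value' or KEY=value lines into a dict; '#' or ';' start a
    comment. Works for both sysctl.conf and /etc/sysconfig/network."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def forwarding_enabled(sysctl_text, sysconfig_text, redhat_version):
    """Tell whether IPv4 forwarding is switched on, reading the file the given
    Red Hat release actually honours: net.ipv4.ip_forward in /etc/sysctl.conf
    from 6.2 on, FORWARD_IPV4 in /etc/sysconfig/network before that."""
    if redhat_version >= (6, 2):
        return parse_assignments(sysctl_text).get("net.ipv4.ip_forward", "0") == "1"
    return parse_assignments(sysconfig_text).get("FORWARD_IPV4", "no").lower() == "yes"


def audit_forwarding(role, sysctl_text, sysconfig_text, redhat_version=(6, 2)):
    """Return a finding, or None when forwarding matches the host's role.

    A Web or mail server with forwarding on can be used as an unintended
    router between the networks it is attached to, so forwarding belongs on
    the gateway only."""
    if redhat_version >= (6, 2):
        knob = "net.ipv4.ip_forward in /etc/sysctl.conf"
    else:
        knob = "FORWARD_IPV4 in /etc/sysconfig/network"
    enabled = forwarding_enabled(sysctl_text, sysconfig_text, redhat_version)
    should_forward = role in ROLES_THAT_FORWARD
    if enabled and not should_forward:
        return "%s host forwards IPv4 packets but is not a gateway: turn off %s" % (role, knob)
    if should_forward and not enabled:
        return "gateway does not forward IPv4 packets: turn on %s" % knob
    return None


if __name__ == "__main__":
    for role in ("gateway", "web", "mail"):
        print(role, audit_forwarding(role, SYSCTL_CONF, SYSCONFIG_NETWORK) or "OK")
```

Note the 6.1 case in the last function: with <envar>FORWARD_IPV4=yes</envar> left in <filename>/etc/sysconfig/network</filename>, a 6.1 host forwards even when a stray <filename>sysctl.conf</filename> says <literal>net.ipv4.ip_forward = 0</literal>, which is exactly the mix-up the tip above warns about.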
</section>
<section><?dbhtml filename="chap9sec95.html"?>
<title>The <filename>/etc/hosts</filename> file</title>
<para>
As your machine gets started, it will need to know the mapping of some hostnames to <acronym>IP</acronym> addresses before <acronym>DNS</acronym> can be referenced. This mapping is kept in the <filename>/etc/hosts</filename> file. In the absence of a name server, any
network program on your system consults this file to determine the <acronym>IP</acronym> address that corresponds to a host name.
</para>
<para>
Following is a sample <filename>/etc/hosts</filename> file:
<programlisting>
IP Address Hostname Alias
127.0.0.1 localhost deep.openna.com
208.164.186.1 deep.openna.com deep
208.164.186.2 mail.openna.com mail
208.164.186.3 web.openna.com web
</programlisting>
The leftmost column is the <acronym>IP</acronym> address to be resolved. The next column is that host's name. Any subsequent columns are aliases for that host. In the second line, for example, the <acronym>IP</acronym> address <literal>208.164.186.1</literal> is for
the host <literal>deep.openna.com</literal>. Another name for <literal>deep.openna.com</literal> is deep.
</para>
<para>
After you are finished configuring your networking files, don't forget to restart your network for the changes to take effect.
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout class="monospaced">
<computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput>
</literallayout>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Time out problems for telnet or ftp connection are often caused by the server trying to resolve the client <acronym>IP</acronym> address to a <acronym>DNS</acronym> name. Either <acronym>DNS</acronym> isn't configured properly on your server or the client machines aren't known to <acronym>DNS</acronym>. If you intend to run telnet or ftp services
on your server, and aren't using <acronym>DNS</acronym>, don't forget to add the client machine name and <acronym>IP</acronym> in your <filename>/etc/hosts</filename> file on the server or you can expect to wait several minutes for the <acronym>DNS</acronym> lookup to time out, before you get a <prompt>login:</prompt> prompt.
</para>
</important>
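The <filename>/etc/hosts</filename> format just described and the <literal>multi</literal> and <literal>nospoof</literal> options of <filename>/etc/host.conf</filename> fit together, so one added example serves both sections. The Python below (an illustration written for this edition, not code from the book) parses a hosts table, shows what <literal>multi on</literal> versus <literal>multi off</literal> changes for a multihomed host, and performs the reverse-then-forward check that <literal>nospoof on</literal> stands for, rejecting an address whose claimed name does not resolve back to it. The hosts file is adapted from the sample above with the inside address of deep added; the reverse-lookup table is a constructed stand-in for <acronym>DNS</acronym>, including one forged entry.

```python
# Constructed /etc/hosts for this illustration, adapted from the sample above:
# deep.openna.com also gets its inside address (192.168.1.1 on eth1), which is
# what the 'multi' option of /etc/host.conf is about.
HOSTS_FILE = """\
# IP Address      Hostname          Alias
127.0.0.1         localhost
208.164.186.1     deep.openna.com   deep
208.164.186.2     mail.openna.com   mail
208.164.186.3     web.openna.com    web
192.168.1.1       deep.openna.com   deep-inside
"""

# Constructed stand-in for reverse (address-to-name) lookups. The last entry is
# a forged PTR: 208.164.186.9 claims to be deep.openna.com, but the forward
# table above does not give deep.openna.com that address.
REVERSE_TABLE = {
    "208.164.186.1": "deep.openna.com",
    "208.164.186.2": "mail.openna.com",
    "208.164.186.3": "web.openna.com",
    "208.164.186.9": "deep.openna.com",
}


def parse_hosts(text, multi=True):
    """Return {name: [addresses]} from /etc/hosts text.

    With multi=True (the 'multi on' setting) a name keeps every address it is
    listed with; with multi=False only the first occurrence counts, which is
    how a resolver with 'multi off' behaves."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]    # IP, canonical name, aliases
        for name in names:
            addresses = table.setdefault(name, [])
            if multi or not addresses:
                addresses.append(address)
    return table


def nospoof_check(peer_address, forward, reverse):
    """Mimic what 'nospoof on' does for a connecting peer.

    The peer's address is mapped back to a host name, that name is resolved
    forward again, and the original address must be among the results.
    Returns the verified host name, or None when the check fails."""
    name = reverse.get(peer_address)
    if name is None:
        return None
    if peer_address not in forward.get(name, []):
        return None      # forward lookup does not confirm the claimed name
    return name


if __name__ == "__main__":
    forward = parse_hosts(HOSTS_FILE)
    for peer in ("208.164.186.2", "208.164.186.9", "10.0.0.1"):
        print(peer, nospoof_check(peer, forward, REVERSE_TABLE) or "REJECTED (spoof?)")
```

The third probe, an address with no reverse entry at all, is also rejected; that is the situation behind the telnet and ftp time-outs mentioned in the note above, where the server waits on a reverse lookup that never succeeds.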
</section>
<section><?dbhtml filename="chap9sec96.html"?>
<title>Config <acronym>TCP/IP</acronym> Networking manually -command line</title>
<para>
The ifconfig utility is the tool used to set up and configure your network card. You should understand this command in the event you need to configure the network by hand. An important point to keep in mind when using ifconfig to configure your network devices is that the settings will not survive a reboot.
To assign the <literal>eth0</literal> interface the <acronym>IP</acronym>-address of <literal>208.164.186.2</literal> use the command:
<screen>
[root@deep] /#<command>ifconfig</command> eth0 208.164.186.2 netmask 255.255.255.0
</screen>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Usually, the practice is to configure or change the <acronym>TCP/IP</acronym> networking manually only to run some tests on the server. If you want to keep your <acronym>TCP/IP</acronym> values, it's preferable to set them in the files related to networking functionality.
</para>
</tip>
</para>
<para>
To display all the interfaces you have on your server, use the command:
<screen>
[root@deep] /#<command>ifconfig</command>
</screen>
The output should look something like this:
<literallayout class="monospaced">
<computeroutput>
eth0 Link encap:Ethernet HWaddr 00:E0:18:90:1B:56
inet addr:208.164.186.2 Bcast:208.164.186.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1295 errors:0 dropped:0 overruns:0 frame:0
TX packets:1163 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:11 Base address:0xa800
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:139 errors:0 dropped:0 overruns:0 frame:0
TX packets:139 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
</computeroutput>
</literallayout>
If the ifconfig tool is invoked without any parameters, it displays all interfaces you have configured. The <literal>-a</literal> option shows the inactive ones as well.
</para>
<para>
To display all interfaces as well as inactive interfaces you may have, use the command:
<screen>
[root@deep] /#<command>ifconfig</command> -a
</screen>
The output should look something like this:
<literallayout class="monospaced">
<computeroutput>
eth0 Link encap:Ethernet HWaddr 00:E0:18:90:1B:56
inet addr:208.164.186.2 Bcast:208.164.186.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1295 errors:0 dropped:0 overruns:0 frame:0
TX packets:1163 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:11 Base address:0xa800
eth1 Link encap:Ethernet HWaddr 00:E0:18:90:1B:56
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1295 errors:0 dropped:0 overruns:0 frame:0
TX packets:1163 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:5 Base address:0xa320
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:3924 Metric:1
RX packets:139 errors:0 dropped:0 overruns:0 frame:0
TX packets:139 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
</computeroutput>
</literallayout>
It is important to note that the settings configured with the ifconfig tool for your network devices will not survive a reboot.
</para>
<para>
To assign the default gateway for <literal>208.164.186.12</literal> use the command:
<screen>
[root@deep] /#<command>route</command> add default gw 208.164.186.1
</screen>
In this example, the default route is set up to go to <literal>208.164.186.12</literal>, your router. Once again, if you want to keep your default gateway value, it's preferable to set it in the files related
to networking functionality -<filename>/etc/sysconfig/network</filename>.
</para>
<para>
Verify that you can reach your hosts. Choose a host from your network, for instance <literal>208.164.186.1</literal>. Use the command:
<screen>
[root@deep] /#<command>ping</command> 208.164.186.1
</screen>
The output should look something like this:
<literallayout class="monospaced"><computeroutput>
[root@deep networking]# ping 208.164.186.1
PING 208.164.186.1 (208.164.186.1) from 208.164.186.2 : 56 data bytes
64 bytes from 208.164.186.2: icmp_seq=0 ttl=128 time=1.0 ms
64 bytes from 208.164.186.2: icmp_seq=1 ttl=128 time=1.0 ms
64 bytes from 208.164.186.2: icmp_seq=2 ttl=128 time=1.0 ms
64 bytes from 208.164.186.2: icmp_seq=3 ttl=128 time=1.0 ms
--- 208.164.186.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.0/1.0 ms
</computeroutput>
</literallayout>
</para>
<para>
You should now display the routing information with the command route to see if both hosts have the correct routing entry. Use the command:
<screen>
[root@deep] /#<command>route</command> -n
</screen>
The output should look something like this:
<literallayout class="monospaced"><computeroutput>
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
208.164.186.2 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
208.164.186.0 208.164.186.2 255.255.255.0 UG 0 0 0 eth0
208.164.186.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
</computeroutput>
</literallayout>
</para>
<para>
To check the status of the interfaces quickly, use the <command>netstat</command> -i command, as follows:
<screen>
[root@deep] /#<command>netstat</command> -i
</screen>
The output should look something like this:
<literallayout class="monospaced"><computeroutput>
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 4236 0 0 0 3700 0 0 0 BRU
lo 3924 0 13300 0 0 0 13300 0 0 0 LRU
ppp0 1500 0 14 1 0 0 16 0 0 0 PRU
</computeroutput>
</literallayout>
</para>
<para>
Another useful netstat option is <literal>-t</literal>, which shows all active <acronym>TCP</acronym> connections. Following is a typical result of netstat -t:
<screen>
[root@deep] /#<command>netstat</command> -t
</screen>
The output should look something like this:
<literallayout class="monospaced"><computeroutput>
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
Tcp 0 0 deep.openar:netbios-ssn gate.openna.com:1045 ESTABLISHED
Tcp 0 0 localhost:1032 localhost:1033 ESTABLISHED
Tcp 0 0 localhost:1033 localhost:1032 ESTABLISHED
Tcp 0 0 localhost:1030 localhost:1034 ESTABLISHED
Tcp 0 0 localhost:1031 localhost:1030 ESTABLISHED
Tcp 0 0 localhost:1028 localhost:1029 ESTABLISHED
Tcp 0 0 localhost:1029 localhost:1028 ESTABLISHED
Tcp 0 0 localhost:1026 localhost:1027 ESTABLISHED
Tcp 0 0 localhost:1027 localhost:1026 ESTABLISHED
Tcp 0 0 localhost:1024 localhost:1025 ESTABLISHED
Tcp 0 0 localhost:1025 localhost:1024 ESTABLISHED
</computeroutput>
</literallayout>
</para>
<para>
To show all active and listening <acronym>TCP</acronym> connections, use the command:
<screen>
[root@deep] /#<command>netstat</command> -vat
</screen>
The output should look something like this:
<literallayout class="monospaced"><computeroutput>
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 deep.openna.co:domain *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 deep.openna.com:ssh gate.openna.com:1682 ESTABLISHED
tcp 0 0 *:webcache *:* LISTEN
tcp 0 0 deep.openar:netbios-ssn *:* LISTEN
tcp 0 0 localhost:netbios-ssn *:* LISTEN
tcp 0 0 localhost:1032 localhost:1033 ESTABLISHED
tcp 0 0 localhost:1033 localhost:1032 ESTABLISHED
tcp 0 0 localhost:1030 localhost:1031 ESTABLISHED
tcp 0 0 localhost:1031 localhost:1030 ESTABLISHED
tcp 0 0 localhost:1028 localhost:1029 ESTABLISHED
tcp 0 0 localhost:1029 localhost:1028 ESTABLISHED
tcp 0 0 localhost:1026 localhost:1027 ESTABLISHED
tcp 0 0 localhost:1027 localhost:1026 ESTABLISHED
tcp 0 0 localhost:1024 localhost:1025 ESTABLISHED
tcp 0 0 localhost:1025 localhost:1024 ESTABLISHED
tcp 0 0 deep.openna.com:www *:* LISTEN
tcp 0 0 deep.openna.com:https *:* LISTEN
tcp 0 0 *:389 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
</computeroutput></literallayout>
</para>
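A listing like the one above is most useful when it is compared against what the host is supposed to offer. The following Python program, added here as an example (not one of the book's scripts), parses <command>netstat -t</command> output, resolves the service names the way <filename>/etc/services</filename> would, and reports every port bound on a non-loopback address that is not in an allow-list. The sample listing is taken from the output printed above; the allow-list is drawn from the server-side ports that the firewall rules of the Networking -Firewall chapter open for deep.openna.com, and the small service-name table is limited to the names this sample needs.

```python
# Sample netstat -vat listing, constructed from the output shown above (the
# LISTEN and ESTABLISHED lines as printed there, not captured from a live host).
NETSTAT_VAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 deep.openna.co:domain   *:*                     LISTEN
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 deep.openna.com:ssh     gate.openna.com:1682    ESTABLISHED
tcp        0      0 *:webcache              *:*                     LISTEN
tcp        0      0 deep.openar:netbios-ssn *:*                     LISTEN
tcp        0      0 localhost:netbios-ssn   *:*                     LISTEN
tcp        0      0 localhost:1032          localhost:1033          ESTABLISHED
tcp        0      0 deep.openna.com:www     *:*                     LISTEN
tcp        0      0 deep.openna.com:https   *:*                     LISTEN
tcp        0      0 *:389                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
"""

# The service names netstat prints, mapped to ports the way /etc/services does
# (well-known IANA assignments; only the names this sample needs).
SERVICES = {"domain": 53, "ssh": 22, "www": 80, "https": 443,
            "webcache": 8080, "netbios-ssn": 139, "smtp": 25, "imap": 143}

# Ports the firewall rules of the next chapter open on the server side for the
# master DNS server deep.openna.com: DNS, SSH, HTTP, HTTPS, SMTP and IMAP.
EXPECTED_LISTENERS = {22, 25, 53, 80, 143, 443}


def listening_ports(netstat_text, services=SERVICES):
    """Return {port: set(local addresses)} for every LISTEN line in the output
    of netstat -t. Names are looked up in the services table, numeric ports
    are taken as they are, and a name not in the table is kept as a string so
    it is never silently dropped."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0].lower() != "tcp" or fields[5] != "LISTEN":
            continue
        host, _, service = fields[3].rpartition(":")
        port = int(service) if service.isdigit() else services.get(service, service)
        listeners.setdefault(port, set()).add(host)
    return listeners


def unexpected_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Ports reachable from the network (bound to anything but localhost) that
    the policy does not expect. Loopback-only listeners are left out: the
    packet filter never sees them, although netstat still shows them."""
    exposed = {}
    for port, hosts in listening_ports(netstat_text).items():
        external = {h for h in hosts if h != "localhost"}
        if external and port not in expected:
            exposed[port] = external
    return exposed


if __name__ == "__main__":
    for port, hosts in sorted(unexpected_listeners(NETSTAT_VAT).items(), key=str):
        print("unexpected listener on port %s bound to %s" % (port, ", ".join(sorted(hosts))))
```

On the sample, the report names 139 (netbios-ssn on the external name), 389 and 8080 (both bound to <literal>*</literal>): services that the firewall for this host does not open and that therefore either need a rule or, better, should not be listening at all.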
<para>
To stop all network devices manually on your system, use the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>stop</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down interface eth0 [ OK ]
Disabling IPv4 packet forwarding [ OK ]
</computeroutput></literallayout>
</para>
<para>
To start all network devices manually on your system, use the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>start</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Enabling IPv4 packet forwarding [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
</computeroutput></literallayout>
</para>
</section>
</chapter>
<chapter label="10" id="pr4ch4nfl"><?dbhtml filename="soft-netfirew.html"?>
<title>Networking -Firewall</title><?dbhtml filename="netw-firewall.html"?>
<highlights>
<para>
Can someone tell me why I might want something like a commercial firewall product rather than simply using <literal>Ipchains</literal> and restricting certain packets? What am I losing by using <literal>Ipchains</literal>? Now, there is undoubtedly room
for debate on this-
</para>
<para>
<literal>Ipchains</literal> is as good as, and most of the time better than, commercial firewall packages from a functionality and support standpoint. You will probably have more insight into what's going on in your
network using <literal>Ipchains</literal> than with a commercial solution. That said, a lot of corporate types want to tell their shareholders, <acronym>CEO</acronym>, <acronym>CTO</acronym> etc. that they have the backing of a reputable security software company. The firewall
could be doing nothing more than passing through all traffic, and still the corporate type would be more comfortable than having to rely on the geeky guy in the corner cube who gets grumpy if you turn the light on before noon.
</para>
<para>
In the end, a lot of companies want to be able to turn around and demand some sort of restitution from a vendor if the network is breached, whether or not they'd actually get anything or even try. All they can typically
do with an open source solution is fire the guy that implemented it. At least some of the commercial firewalls are based on Linux or something similar.
</para>
<para>
It's quite probable that <literal>Ipchains</literal> is secure enough for you but not
those engaging in serious amounts of high stakes bond trading. Doing a cost/benefit analysis and asking a lot of pertinent questions is recommended before spending serious money on a commercial firewall---otherwise you may
end up with something inferior to your <literal>Ipchains</literal> tool. Quite a few of the NT firewalls are likely to be no better than <literal>Ipchains</literal>, and the general consensus on bugtraq and NT bugtraq is that <emphasis>NT is far too insecure to run a serious firewall</emphasis>.
</para>
</highlights>
<section><?dbhtml filename="chap10sec97.html"?>
<title>Policy, Guidelines <abbrev>etc.</abbrev></title>
<para>
<emphasis>What is a Network Firewall Security Policy?</emphasis>
Network firewall security policy defines those services that will be explicitly allowed or denied, how these services will be used and the exceptions to these rules. An organization's overall
security policy must be determined according to security and business-need analysis. Since a firewall relates to network security alone, a firewall has little value unless the overall security
policy is properly defined. Every rule in the network firewall security policy should be implemented on a firewall. Generally, a firewall uses one of the following methods.
</para>
<para>
<emphasis>Everything not specifically permitted is denied.</emphasis>
This approach blocks all traffic between two networks except for those services and applications that are permitted. Therefore, each desired service and application should be implemented one
by one. No service or application that might be a potential hole on the firewall should be permitted. This is the most secure method, denying services and applications unless explicitly allowed
by the administrator. On the other hand, from the users' point of view, it might be more restrictive and less convenient. This is the method we will use in our Firewall configuration files in this book.
</para>
<para><emphasis>
Everything not specifically denied is permitted</emphasis>
This approach allows all traffic between two networks except for those services and applications that are denied. Therefore, each untrusted or potentially harmful service or application should be
denied one by one. Although this is a flexible and convenient method for the users, it could potentially cause some serious security problems.
</para>
<para>
<emphasis>What is Packet Filtering?</emphasis>
Packet Filtering is the type of firewall built into the Linux kernel. A filtering firewall works at the network level. Data is only allowed to leave the system if the firewall rules allow it. As
packets arrive they are filtered by their type, source address, destination address, and port information contained in each packet.
Most of the time, packet filtering is accomplished by using a router that can forward packets according to filtering rules. When a packet arrives at the packet-filtering router, the router extracts
certain information from the packet header and makes decisions according to the filter rules as to whether the packet will pass through or be discarded.
</para>
<para>
The following information can be extracted from the packet header:
<programlisting>
Source IP address
Destination IP address
<acronym>TCP/UDP</acronym> source port
<acronym>TCP/UDP</acronym> destination port
<acronym>ICMP</acronym> message type
Encapsulated protocol information (TCP, UDP, ICMP or IP tunnel)
</programlisting>
Because very little data is analyzed and logged, filtering firewalls take less <acronym>CPU</acronym> power and create less latency in your network. There are lots of ways to structure your network to protect your systems
using a firewall.
</para>
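To make the two ideas of this section concrete, the "everything not specifically permitted is denied" policy and the header fields a packet filter decides on, here is an added Python illustration (not code from the book or from <literal>Ipchains</literal>). It builds constructed IPv4 packets carrying a bare <acronym>TCP</acronym>, <acronym>UDP</acronym> or <acronym>ICMP</acronym> header, extracts exactly the fields listed above (addresses, encapsulated protocol, ports or <acronym>ICMP</acronym> type, plus the <acronym>TCP</acronym> SYN bit), and runs them through a first-match rule list whose fall-through is DENY. The rule set is modelled loosely on the Web server of the topology that follows and, like the addresses and function names, is an assumption for this example.

```python
import ipaddress
import socket
import struct

# Protocol numbers as they appear in the IPv4 header (IANA assigned).
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def build_packet(src, dst, proto, sport=0, dport=0, icmp_type=8, syn=True):
    """Constructed test packet: IPv4 header followed by a bare TCP, UDP or ICMP
    header. Checksums are left at zero; a filter does not need them."""
    if proto == PROTO_TCP:
        flags = 0x5000 + (0x02 if syn else 0x10)   # data offset 5 words; SYN or ACK
        l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, flags, 8192, 0, 0)
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)  # type, code, cksum, id, seq
    total = 20 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4


def parse_packet(data):
    """Pull out the fields a packet-filtering router looks at: addresses, the
    encapsulated protocol, TCP/UDP ports or ICMP type, and the TCP SYN bit."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl // 16 != 4:                      # high nibble: IP version
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl % 16) * 4                    # low nibble: header length in words
    l4 = data[ihl:]
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}
    if proto in (PROTO_TCP, PROTO_UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if proto == PROTO_TCP:
        offset_flags = struct.unpack("!H", l4[12:14])[0]
        info["syn"] = (offset_flags // 2) % 2 == 1   # SYN is bit 0x02 of the flag byte
    if proto == PROTO_ICMP:
        info["icmp_type"] = l4[0]
    return info


# Constructed rule list for a Web server in the spirit of the next section:
# each rule is a set of fields that must all match, first match wins, and
# anything that matches no rule is denied (the default-deny policy).
WEB_SERVER_RULES = [
    {"proto": PROTO_TCP, "dport": 80},
    {"proto": PROTO_TCP, "dport": 443},
    {"proto": PROTO_TCP, "dport": 22, "src": "208.164.186.0/24"},   # SSH from our own net only
    {"proto": PROTO_ICMP},
]


def rule_matches(rule, info):
    """Address fields are matched as networks in CIDR form, the rest exactly."""
    for field, wanted in rule.items():
        if field in ("src", "dst"):
            if ipaddress.ip_address(info[field]) not in ipaddress.ip_network(wanted):
                return False
        elif info.get(field) != wanted:
            return False
    return True


def filter_packet(data, rules):
    """Return 'ACCEPT' if any rule matches the packet, else 'DENY'."""
    info = parse_packet(data)
    for rule in rules:
        if rule_matches(rule, info):
            return "ACCEPT"
    return "DENY"


if __name__ == "__main__":
    probes = [("http from anywhere", build_packet("1.2.3.4", "208.164.186.3", PROTO_TCP, 40000, 80)),
              ("netbios from anywhere", build_packet("1.2.3.4", "208.164.186.3", PROTO_TCP, 40000, 139)),
              ("ssh from outside", build_packet("1.2.3.4", "208.164.186.3", PROTO_TCP, 40000, 22)),
              ("ssh from our net", build_packet("208.164.186.1", "208.164.186.3", PROTO_TCP, 40000, 22)),
              ("icmp echo", build_packet("1.2.3.4", "208.164.186.3", PROTO_ICMP))]
    for label, pkt in probes:
        print("%-22s %s" % (label, filter_packet(pkt, WEB_SERVER_RULES)))
```

Two points the code makes visible: the filter never looks past the headers, which is why the section says it costs little <acronym>CPU</acronym> and adds little latency, and a port that no rule names (139 in the probes) is dropped without any rule having to mention it, which is the whole advantage of the default-deny stance.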
</section>
<section><?dbhtml filename="chap10sec98.html"?>
<title>The topology</title>
<para>
All servers should be configured to block at least the unused ports, even if there is no firewall server. This is required for more security. Imagine someone gains access to your firewall gateway server: if
your neighboring servers are not configured to block unused ports, this is a serious network risk. The same is true for local connections; unauthorized employees can gain access from the inside to your other
servers in this manner.
</para>
<para>
In our configuration we will give you three different examples that can help you to configure your firewall rules depending on the type of the server you want to protect and the placement of these servers on your
network architecture.
<simplelist columns="1" type="vert"><member>
The first example firewall rules file will be for a <literal>Web Server</literal>.
</member>
<member>
The second for a <literal>Mail Server</literal>.
</member><member>
The last for a <literal>Gateway Server</literal> that acts as a proxy for the inside Wins, workstation and server machines.
</member>
</simplelist>
</para>
<para>
See the graph below to get an idea:
<mediaobject>
<imageobject>
<imagedata fileref="./images/Firewall-Schema.gif" format="GIF"/>
</imageobject>
<imageobject>
<imagedata fileref="./images2/Firewall-Schema-1.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Firewall schematic representation</phrase>
</textobject>
<caption>
<para>
The graph above shows you the ports that I enable on the different servers by default in my firewall scripts file in this book
</para>
</caption>
</mediaobject>
</para>
<formalpara>
<title>
www.openna.com
Caching Only DNS
208.164.186.3
</title>
<para>
<orderedlist numeration="lowerroman">
<listitem><para>
Unlimited traffic on the loopback interface allowed
</para></listitem>
<listitem><para>
<acronym>ICMP</acronym> traffic allowed
</para></listitem>
<listitem><para>
<acronym>DNS</acronym> Caching and Client Server on port 53 allowed
</para></listitem>
<listitem><para>
<acronym>SSH</acronym> Server on port 22 allowed
</para></listitem>
<listitem><para>
<acronym>HTTP</acronym> Server on port 80 allowed
</para></listitem>
<listitem><para>
<acronym>HTTPS</acronym> Server on port 443 allowed
</para></listitem>
<listitem><para>
<acronym>SMTP</acronym> Client on port 25 allowed
</para></listitem>
<listitem><para>
<acronym>FTP</acronym> Server on ports 20, 21 allowed
</para></listitem>
<listitem><para>
Outgoing traceroute request allowed
</para></listitem>
</orderedlist>
</para>
</formalpara>
<formalpara>
<title>
deep.openna.com
Master DNS Server
208.164.186.1
</title>
<para>
<orderedlist numeration="lowerroman">
<listitem><para>
Unlimited traffic on the loopback interface allowed
</para></listitem>
<listitem><para>
<acronym>ICMP</acronym> traffic allowed
</para></listitem>
<listitem><para>
<acronym>DNS</acronym> Server and Client on port 53 allowed
</para></listitem>
<listitem><para>
<acronym>SSH</acronym> Server and Client on port 22 allowed
</para></listitem>
<listitem><para>
<acronym>HTTP</acronym> Server and Client on port 80 allowed
</para></listitem>
<listitem><para>
<acronym>HTTPS</acronym> Server and Client on port 443 allowed
</para></listitem>
<listitem><para>
<acronym>WWW</acronym>-CACHE Client on port 8080 allowed
</para></listitem>
<listitem><para>
External <acronym>POP</acronym> Client on port 110 allowed
</para></listitem>
<listitem><para>
External <acronym>NNTP</acronym> NEWS Client on port 119 allowed
</para></listitem>
<listitem><para>
<acronym>SMTP</acronym> Server and Client on port 25 allowed
</para></listitem>
<listitem><para>
<acronym>IMAP</acronym> Server on port 143 allowed
</para></listitem>
<listitem><para>
<acronym>IRC</acronym> Client on port 6667 allowed
</para></listitem>
<listitem><para>
<acronym>ICQ</acronym> Client on port 4000 allowed
</para></listitem>
<listitem><para>
<acronym>FTP</acronym> Client on port 20, 21 allowed
</para></listitem>
<listitem><para>
RealAudio / QuickTime Client allowed
</para></listitem>
<listitem><para>
Outgoing traceroute request allowed
</para></listitem>
</orderedlist>
</para>
</formalpara>
<formalpara>
<title>
mail.openna.com
Slave DNS Server
208.164.186.2
</title>
<para>
<orderedlist numeration="lowerroman">
<listitem><para>
Unlimited traffic on the loopback interface allowed
</para></listitem>
<listitem><para>
<acronym>ICMP</acronym> traffic allowed
</para></listitem>
<listitem><para>
<acronym>DNS</acronym> Server and Client on port 53 allowed
</para></listitem>
<listitem><para>
<acronym>SSH</acronym> Server on port 22 allowed
</para></listitem>
<listitem><para>
<acronym>SMTP</acronym> Server and Client on port 25 allowed
</para></listitem>
<listitem><para>
<acronym>IMAP</acronym> Server on port 143 allowed
</para></listitem>
<listitem><para>
Outgoing traceroute request allowed
</para></listitem>
</orderedlist>
</para>
</formalpara>
<para>
The list above shows the ports that I enable on the different servers by default in the firewall scripts in this book. Depending on which services a server must offer to the outside, you
must configure its firewall script to allow traffic on the corresponding ports. For all the examples explained later in this chapter:
<itemizedlist>
<listitem><para>
<literal>www.openna.com</literal> is our Web Server,
</para></listitem>
<listitem><para>
<literal>mail.openna.com</literal> is our Mail Hub Server for the whole internal network,
</para></listitem>
<listitem><para>
<literal>deep.openna.com</literal> is our Gateway Server.
</para></listitem>
</itemizedlist>
</para>
</section>
<section><?dbhtml filename="chap10sec99.html"?>
<title>Build a kernel with <literal>IPCHAINS</literal> Firewall support</title>
<para>
The first thing you need to do is ensure that your kernel has been built with Network firewalls and <acronym>IP</acronym>: Firewalling support enabled. Remember, all servers should be configured to block unused ports, even if
there is no dedicated firewall server. In the 2.2.14 kernel version you need to be sure that you have answered <userinput>Y</userinput> to the following questions:
<programlisting>
<userinput>Networking options:</userinput>
Network firewalls (CONFIG_FIREWALL) [N] Y
IP:Firewalling (CONFIG_IP_FIREWALL) [N] Y
IP:TCP syncookie support (CONFIG_SYN_COOKIES) [N] Y
</programlisting>
If you have followed the Linux Kernel section and have recompiled your kernel, the options Network firewalls, <acronym>IP</acronym>:Firewalling, and <acronym>IP:TCP</acronym> syncookie support shown above are already set. You can verify that the running kernel has this support with <literal>ipchains -L -n</literal>: on a kernel built without it the command fails instead of listing the three built-in chains.
</para>
</section>
<section><?dbhtml filename="chap10sec100.html"?>
<title>Rules used in the Firewall script files</title>
<para>
The following is an explanation of a few of the rules that will be used in the firewalling examples below. This is shown just as a reference; the firewall scripts are well commented and easy to modify.
Constants are used in the firewall script files for most values. The most basic constants are:
<glosslist>
<glossentry><glossterm>
<literal>EXTERNAL_INTERFACE</literal></glossterm>
<glossdef><para>
This is the name of the external network interface to the Internet. It's defined as eth0 in the examples.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<literal>LOCAL_INTERFACE_1</literal>
</glossterm>
<glossdef><para>
This is the name of the internal network interface to the LAN, if any. It's defined as eth1 in the examples.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<literal>LOOPBACK_INTERFACE</literal>
</glossterm>
<glossdef><para>
This is the name of the loopback interface. It's defined as lo in the examples.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<literal>IPADDR</literal></glossterm>
<glossdef><para>
This is the <acronym>IP</acronym> address of your external interface. It's either a static <acronym>IP</acronym> address registered with InterNIC, or else a dynamically assigned address from your <acronym>ISP</acronym> (usually via DHCP).
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<literal>LOCALNET_1</literal></glossterm>
<glossdef><para>
This is your LAN network address, if any - the entire range of <acronym>IP</acronym> addresses used by the machines on your LAN. These may be statically assigned, or you might run a local DHCP server to assign them. In these examples, the range is 192.168.1.0/24, part of the Class C private address range.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<literal>ANYWHERE</literal></glossterm>
<glossdef><para>
<literal>ANYWHERE</literal> is a label for the address that ipchains uses to match any (non-broadcast) address. ipchains accepts any/0 as a label for this address, which is 0.0.0.0/0.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<literal>NAMESERVER_1</literal></glossterm>
<glossdef><para>
This is the <acronym>IP</acronym> address of your Primary <acronym>DNS</acronym> Server from your network or your <acronym>ISP</acronym>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<literal>NAMESERVER_2</literal></glossterm>
<glossdef><para>
This is the <acronym>IP</acronym> address of your Secondary <acronym>DNS</acronym> Server from your network or your <acronym>ISP</acronym>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<literal>MY_ISP</literal></glossterm>
<glossdef><para>
This is your <acronym>ISP</acronym> &amp; <acronym>NOC</acronym> address range. The value you specify here is used by the firewall to allow <acronym>ICMP</acronym> ping request and traceroute. If you don't specify an <acronym>IP</acronym> address
range, then you will not be able to ping the Internet from your internal network.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<literal>LOOPBACK</literal></glossterm>
<glossdef><para>
The loopback address range is <literal>127.0.0.0/8</literal>. The interface itself is addressed as <literal>127.0.0.1</literal> in <filename>/etc/hosts</filename>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<literal>PRIVPORTS</literal></glossterm>
<glossdef><para>
The privileged ports, 0 through 1023, are usually referenced in total.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<literal>UNPRIVPORTS</literal></glossterm>
<glossdef><para>
The unprivileged ports, 1024 through 65535, are usually referenced in total. They are the ports dynamically assigned to the client side of a connection.
</para></glossdef>
</glossentry>
</glosslist>
Note that a firewall has a default policy and a collection of actions to take in response to specific message types. If a given packet is not matched by any explicit rule, the default policy is applied; in the scripts in this book that policy is <literal>DENY</literal> on every chain.
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
People with dynamically assigned IPs from an <acronym>ISP</acronym> may include the following two lines in their declarations for the firewall. The lines determine the ppp0 <acronym>IP</acronym> address and the network of the remote ppp server. The trailing <literal>.0/24</literal> is an assumption that the peer's network is a class C-sized block; adjust it if your <acronym>ISP</acronym> tells you otherwise. If ppp0 is not up when the script runs, both variables are empty and every rule that references them is malformed, so check them before loading any rules.
<programlisting>
IPADDR=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 } ' | sed -e s/addr://`
MY_ISP=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/P-t-P/ { print $3 } ' | sed -e s/P-t-P:// | cut -d '.' -f 1-3`.0/24
</programlisting>
</para>
</tip>
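<para>
As an added example (not code from the book), the following shell functions do what the two lines above do for a dynamically addressed ppp0 link, but read only the block of ifconfig output that belongs to the named interface, and refuse to hand back IPADDR and MY_ISP when the interface has no address yet. The function names are mine; the ifconfig text is a constructed sample in the classic net-tools format the pipeline expects, using documentation addresses, and the /24 given to MY_ISP is the book's assumption about the size of the ISP network, not something ifconfig reports.
</para>

```shell
#!/bin/sh
# Added example, not code from the book: derive IPADDR and MY_ISP for a
# dynamically addressed ppp0 link, and refuse to build rules when the
# interface has no address yet.

# Constructed sample of classic net-tools ifconfig output. 203.0.113.0/24 is
# a documentation range standing in for the ISP-assigned addresses.
SAMPLE_IFCONFIG='lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1

ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.45  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
'

# iface_field IFACE LABEL TEXT: the value after LABEL (e.g. "inet addr:")
# in the block of TEXT belonging to IFACE only. "grep -A 4 ppp0" instead
# takes four lines after any line mentioning ppp0 and can pick up the next
# interface's address; this walks the header lines and stops at the
# right block.
iface_field() {
    printf '%s\n' "$3" | awk -v ifc="$1" -v label="$2" '
        $1 == ifc { in_block = 1; next }        # header of the wanted interface
        /^[^ \t]/ { in_block = 0 }              # header of another interface
        in_block {
            if (match($0, label "[0-9.]+")) {
                print substr($0, RSTART + length(label), RLENGTH - length(label))
                exit
            }
        }'
}

iface_addr() { iface_field "$1" "inet addr:" "$2"; }
iface_peer() { iface_field "$1" "P-t-P:" "$2"; }

# MY_ISP in the book is the peer address with its last octet replaced by
# .0/24. The /24 is an assumption about the ISP network, not a fact that
# ifconfig can report; adjust it if the ISP says otherwise.
peer_net24() {
    peer=$(iface_peer "$1" "$2")
    [ -n "$peer" ] || return 0
    echo "${peer%.*}.0/24"
}

# firewall_vars IFACE TEXT: set IPADDR and MY_ISP, or fail without them.
# With an empty IPADDR, "-s $IPADDR" in the script expands to nothing and
# the rules that follow are malformed, after the default policy has already
# been set to DENY.
firewall_vars() {
    IPADDR=$(iface_addr "$1" "$2")
    MY_ISP=$(peer_net24 "$1" "$2")
    if [ -z "$IPADDR" ] || [ -z "$MY_ISP" ]; then
        echo "ERROR: $1 has no address yet, not loading rules"
        return 1
    fi
    echo "IPADDR=$IPADDR MY_ISP=$MY_ISP"
}

firewall_vars ppp0 "$SAMPLE_IFCONFIG"
firewall_vars eth0 "$SAMPLE_IFCONFIG" || echo "(firewall left unloaded)"
```

<para>
On a live system, call <literal>firewall_vars ppp0 "$(/sbin/ifconfig)"</literal> at the top of the <literal>start)</literal> branch and exit if it fails; because it is called directly rather than in a subshell, it sets IPADDR and MY_ISP in the script's own environment.
</para>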
<para>
You need to enable local traffic: since the default policy of every example firewall script in this book is to deny everything, some of that denial must be explicitly undone. Local network services do not
go through the external network interface; they go through a special, private interface called the loopback interface. None of your local network programs will work until loopback traffic is allowed.
</para>
<programlisting>
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
</programlisting>
</section>
<section><?dbhtml filename="chap10sec101.html"?>
<title>Source Address Filtering</title>
<para>
Every <acronym>IP</acronym> packet header carries the source and destination <acronym>IP</acronym> addresses and the type of <acronym>IP</acronym> protocol message (<acronym>ICMP</acronym>, <acronym>UDP</acronym> or <acronym>TCP</acronym>) the
packet contains. The only means of identification under the Internet Protocol (<acronym>IP</acronym>) is the source address in the <acronym>IP</acronym> packet header, and nothing verifies it. This opens the door to source address spoofing, where the
sender replaces its address with either a nonexistent address or the address of some other site. A packet arriving on the external interface that claims to come from your own external address is one such forgery, and is the first thing to refuse:
<programlisting>
# Refuse spoofed packets pretending to be from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY
</programlisting>
</para>
<para>
Also, there are at least seven sets of source addresses you should refuse on your external interface in all cases.
These are incoming packets claiming to be from:
<orderedlist numeration="lowerroman">
<listitem><para>
Your external <acronym>IP</acronym> address
</para></listitem>
<listitem><para>
<literal>Class A</literal> private <acronym>IP</acronym> addresses
</para></listitem>
<listitem><para>
<literal>Class B</literal> private <acronym>IP</acronym> addresses
</para></listitem>
<listitem><para>
<literal>Class C</literal> private <acronym>IP</acronym> addresses
</para></listitem>
<listitem><para>
<literal>Class D</literal> multicast addresses
</para></listitem>
<listitem><para>
<literal>Class E</literal> reserved addresses
</para></listitem>
<listitem><para>
The loopback interface
</para></listitem>
</orderedlist>
With the exception of your own <acronym>IP</acronym> address, blocking outgoing packets containing these source addresses protects you from possible configuration errors on your part.
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Don't forget to exclude your own <acronym>IP</acronym> address from the outgoing packets that are blocked. By default I choose not to block the <literal>Class C</literal> private <acronym>IP</acronym> addresses, since that is the range most people use for their
internal network at this time; the corresponding lines are commented out. If you use another class instead of <literal>Class C</literal>, then you must comment out the lines that refer to your class under the SPOOFING &amp; BAD ADDRESSES section of the firewall
script file, and uncomment the <literal>Class C</literal> lines if 192.168.0.0/16 is no longer in use on your network.
</para>
</important>
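<para>
The classes of forged source address listed above, as an added example that is not part of the book: plain shell functions that apply the same checks to sample packets and print the matching ipchains lines, so the rule set can be reviewed before it touches a running kernel. The function names, the external address and the sample packets are constructed for the example; Class E is treated as the full 240.0.0.0/4 block.
</para>

```shell
#!/bin/sh
# Added example, not code from the book: the source-address checks behind
# the SPOOFING and BAD ADDRESSES section of the firewall script, as shell
# functions that can be run against sample packets without loading a single
# rule into the kernel.

IPADDR="208.164.186.3"      # external address (www.openna.com in the book's topology)

# Source ranges refused on the external interface: loopback, the three
# RFC 1918 private blocks, Class D multicast, the whole Class E block
# (240.0.0.0/4) and the limited-broadcast address.
BAD_SOURCES="
127.0.0.0/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
224.0.0.0/4
240.0.0.0/4
255.255.255.255/32
"

# Dotted quad to a 32-bit integer, using POSIX arithmetic only.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# host_block PREFIX: number of addresses in a /PREFIX network, 2^(32-PREFIX).
host_block() {
    n=$(( 32 - $1 )); size=1
    while [ "$n" -gt 0 ]; do size=$(( size * 2 )); n=$(( n - 1 )); done
    echo "$size"
}

# in_cidr ADDR NET/PREFIX: succeeds if ADDR lies inside the prefix. Integer
# division by the block size throws away the host bits of both addresses.
in_cidr() {
    net=${2%/*}; blk=$(host_block "${2#*/}")
    [ $(( $(ip2int "$1") / blk )) -eq $(( $(ip2int "$net") / blk )) ]
}

# spoofed_source ADDR: the fate of a packet that arrives on the external
# interface with this source address, and why.
spoofed_source() {
    if [ "$1" = "$IPADDR" ]; then
        echo "DENY  claims to be our own external address"
        return 0
    fi
    for range in $BAD_SOURCES; do
        if in_cidr "$1" "$range"; then
            echo "DENY  source lies in $range"
            return 0
        fi
    done
    echo "PASS  goes on to the service rules"
}

# verdict ADDR: just the word DENY or PASS, for use in other scripts.
verdict() { spoofed_source "$1" | cut -c1-4; }

# The ipchains lines implementing the same checks, printed rather than run,
# so they can be reviewed before going into /etc/rc.d/init.d/firewall.
emit_spoof_rules() {
    echo "ipchains -A input -i \$EXTERNAL_INTERFACE -s $IPADDR -j DENY -l"
    for range in $BAD_SOURCES; do
        echo "ipchains -A input -i \$EXTERNAL_INTERFACE -s $range -j DENY -l"
    done
}

# Constructed sample of source addresses seen on the external interface.
for src in 8.8.8.8 10.1.2.3 172.31.0.9 172.32.0.1 192.168.1.1 \
           224.0.0.5 250.1.1.1 127.0.0.1 255.255.255.255 "$IPADDR"; do
    printf '%-16s %s\n' "$src" "$(spoofed_source "$src")"
done
emit_spoof_rules
```

<para>
Note that 172.32.0.1 passes while 172.31.0.9 is denied: the Class B private block is 172.16.0.0/12, not a whole /8, which is why the checks are done on prefixes rather than on the first octet.
</para>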
<para>
The rest of the rules used in the firewall scripts files are:
<itemizedlist><listitem><para>
Accessing a Service from the Outside World
</para></listitem>
<listitem><para>
Offering a Service to the Outside World
</para></listitem>
<listitem><para>
Masquerading the Internal Machines
</para></listitem>
</itemizedlist>
</para>
</section>
</chapter>
<chapter label="11" id="prt3chp4fscf"><?dbhtml filename="fwall-scripts.html"?>
<title>The firewall scripts files</title>
<highlights><para>
The tool <literal>ipchains</literal> allows you to set up firewalls, IP masquerading, etc. <literal>ipchains</literal> talks to the kernel and tells it which packets to filter. All your firewall rules are therefore held in the kernel, and
are lost on reboot. To avoid this, we recommend using the System <literal>V</literal> init scripts to make your rules permanent. To do this, create a firewall script file like the ones shown over the next three sections in the
<filename class="directory">/etc/rc.d/init.d/</filename> directory of each server you have. Of course, each server has different services to offer and needs a different firewall setup. For this reason, we
provide three different firewall settings, which you can play with and examine to fit your needs. I also assume that you have a minimum knowledge of how filtering firewalls and firewall rules work.
</para>
</highlights>
<section id="pr3ch4fsfsc41" xreflabel="Web Server"><?dbhtml filename="chap11sec102.html"?>
<title>
Config <filename>/etc/rc.d/init.d/firewall</filename> script file -Web Server</title>
<important>
<title>Errata</title>
<para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</mediaobject>
As I was giving this book its final look over, Gerhard Mourani released an errata for all firewall scripts,
and it is available here <link linkend="prtinxfperrt1">http://www.openna.com/books/errata.htm</link>
</para>
</important>
<para>
This is the configuration script file for our Web Server. This configuration allows unlimited traffic on the Loopback interface, <acronym>ICMP</acronym>, <acronym>DNS</acronym> Caching and Client Server (53), <acronym>SSH</acronym> Server (22), <acronym>HTTP</acronym> Server (80),
<acronym>HTTPS</acronym> Server (443), <acronym>SMTP</acronym> Client (25), <acronym>FTP</acronym> Server (20, 21), and OUTGOING TRACEROUTE requests by default.
</para>
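<para>
Before installing the script, it is worth confirming which TCP ports it really opens to new connections. This added shell example (not part of the book) joins the backslash-continued ipchains lines, keeps the input-chain TCP ACCEPT rules that lack <literal>! -y</literal>, and prints the destination port each one opens. The function names are mine, and the rules it reads are a constructed excerpt in the style of the script below.
</para>

```shell
#!/bin/sh
# Added example, not code from the book: list the TCP ports an ipchains
# script opens to NEW connections on the input chain. A rule with "! -y"
# only matches packets that are not SYN, so it can carry replies but cannot
# open a connection; every other "-A input -p tcp ... -j ACCEPT" rule can.

# Constructed excerpt in the style of the book's Web Server script.
RULES='ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
 -s $ANYWHERE $UNPRIVPORTS \
 -d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
 -s $IPADDR 22 \
 -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
 -s $ANYWHERE $UNPRIVPORTS \
 -d $IPADDR 80 -j ACCEPT
# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
# -s $ANYWHERE $UNPRIVPORTS \
# -d $IPADDR 443 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
 -s $SMTP_SERVER 25 \
 -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
 -s $ANYWHERE $UNPRIVPORTS \
 -d $IPADDR $UNPRIVPORTS -j ACCEPT
'

# open_tcp_ports SCRIPT_TEXT: one destination port (or range/variable) per
# line for each input-chain TCP ACCEPT rule that accepts SYN packets.
open_tcp_ports() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                         # commented-out rule
        /\\[ \t]*$/ {                               # line continues: join it
            sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next
        }
        {
            line = buf $0; buf = ""
            if (line !~ /-A input /) next           # other chains
            if (line !~ /-p tcp/)    next
            if (line !~ /-j ACCEPT/) next
            if (line ~ /! -y/)       next           # replies only
            if (match(line, /-d [^ \t]+ [^ \t]+/)) {
                split(substr(line, RSTART, RLENGTH), d, " ")
                port = d[3]
                if (port ~ /^-/) port = "any"       # "-d $IPADDR -j ..." has no port
                print port
            }
        }'
}

# Entries that are not a single numbered port: a range, a variable such as
# $UNPRIVPORTS, or "any". Each of these deserves a second look.
open_tcp_wildcards() {
    open_tcp_ports "$1" | grep -v '^[0-9][0-9]*$' || true
}

echo "ports open to new connections:"; open_tcp_ports "$RULES"
echo "needing review:";               open_tcp_wildcards "$RULES"
```

<para>
Run it on the real file with <literal>open_tcp_ports "$(cat /etc/rc.d/init.d/firewall)"</literal>. On the sample it reports 22, 80 and <literal>$UNPRIVPORTS</literal>; the last entry is the passive-mode FTP rule, which accepts new connections to every unprivileged port, so anything else listening above 1023 on the host is reachable while that rule is in place.
</para>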
<para>
If you don't want some services listed in the firewall rules files for the Web Server that I make <userinput>ON</userinput> by default, comment them out with a &quot;#&quot; at the beginning of the line. If you want some other services
that I commented out with a &quot;#&quot;, then remove the &quot;#&quot; at the beginning of those lines.
Create the firewall script file, touch <filename>/etc/rc.d/init.d/firewall</filename> on your Web Server and add:
</para>
<programlisting>
#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani: 04-25-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall \
# used to provide Firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
exit 0
fi
if [ ! -x /sbin/ipchains ]; then
exit 0
fi
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling Services: &quot;
# Some definitions for easy maintenance.
# ----------------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # Your local naming convention
IPADDR="my.ip.address" # Your IP address
ANYWHERE="any/0" # Match any IP address
NAMESERVER_1="my.name.server.1" # Everyone must have at least one
NAMESERVER_2="my.name.server.2" # Your secondary name server
MY_ISP="my.isp.address.range/24" # ISP &amp; NOC address range
SMTP_SERVER="my.smtp.server" # Your Mail Hub Server.
SYSLOG_SERVER="syslog.internal.server" # Your syslog internal server
SYSLOG_CLIENT="sys.int.client.range/24" # Your syslog internal client range
LOOPBACK="127.0.0.0/8" # Reserved loopback address range
CLASS_A="10.0.0.0/8" # Class A private networks
CLASS_B="172.16.0.0/12" # Class B private networks
CLASS_C="192.168.0.0/16" # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/4" # Class E reserved addresses (240.0.0.0 - 255.255.255.255)
BROADCAST_SRC="0.0.0.0" # Broadcast source address
BROADCAST_DEST="255.255.255.255" # Broadcast destination address
PRIVPORTS="0:1023" # Well known, privileged port range
UNPRIVPORTS="1024:65535" # Unprivileged port range
# ----------------------------------------------------------------------------
# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1022:1023" # range for SSH privileged ports
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING &amp; OUTGOING connections
# Remove all existing rules belonging to this filter
ipchains -F
# Clearing all current rules and user defined chains
ipchains -X
# Set the default policy of the filter to deny.
# Don't even bother sending an error message back.
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.
# Refuse any connection from problem sites
#if [ -f /etc/rc.d/rc.firewall.blocked ]; then
# . /etc/rc.d/rc.firewall.blocked
#fi
# ----------------------------------------------------------------------------
# SPOOFING &amp; BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l
# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l
# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l
# Refuse packets claiming to be to or from a Class C private network
# ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
# ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
# ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l
# ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l
# Refuse packets claiming to be from the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l
# Refuse broadcast address SOURCE packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
# Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l
# Refuse Class E reserved IP addresses
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l
# refuse addresses defined as reserved by the IANA
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
# NOTE: this list reflects the IANA allocation status when the script was
# written (1999-2000). Most of these /8 blocks have since been allocated
# to registries and ISPs, so denying them today blocks legitimate users.
# Check the current IANA IPv4 address space registry and prune this list
# before using it.
ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l
#65: 01000001 - /3 includes 64 - need 65-79 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l
#80: 01010000 - /4 masks 80-95
ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l
# 96: 01100000 - /4 masks 96-111
ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l
#126: 01111110 - /3 includes 127 - need 112-126 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l
#217: 11011001 - /5 includes 216 - need 217-219 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l
#223: 11011111 - /6 masks 220-223
ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l
# ----------------------------------------------------------------------------
# ICMP
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 0 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 3 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 4 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 11 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 12 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $MY_ISP 8 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 0 -d $MY_ISP -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 3 -d $MY_ISP -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 4 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 8 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 12 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 11 -d $MY_ISP -j ACCEPT
# ----------------------------------------------------------------------------
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_ISP $TRACEROUTE_SRC_PORTS \
-d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE $TRACEROUTE_SRC_PORTS \
-d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l
# ----------------------------------------------------------------------------
# DNS forwarding, caching only nameserver (53)
# --------------------------------------------
# server to server query or response
# Caching only name server only requires UDP, not TCP
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_2 53 \
-d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d $NAMESERVER_2 53 -j ACCEPT
# DNS client (53)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT
# DNS falls back to TCP when a UDP answer is truncated, which a caching
# only server rarely sees. Otherwise TCP port 53 is used by secondary
# nameservers for zone transfers from their primaries, and by attackers
# probing the server. Only replies (! -y) from our own resolvers are
# accepted here.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT
# ----------------------------------------------------------------------------
# TCP accept only on selected ports
# ---------------------------------
# ------------------------------------------------------------------
# SSH server (22)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $SSH_PORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $SSH_PORTS -j ACCEPT
# ------------------------------------------------------------------
# HTTP server (80)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 80 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# HTTPS server (443)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 443 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 443 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SYSLOG server (514)
# -----------------
# Provides full remote logging. Using this feature you're able to
# control all syslog messages on one host.
# ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
# -s $SYSLOG_CLIENT \
# -d $IPADDR 514 -j ACCEPT
# SYSLOG client (514)
# -----------------
# ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
# -s $IPADDR 514 \
# -d $SYSLOG_SERVER 514 -j ACCEPT
# ------------------------------------------------------------------
# AUTH server (113)
# -----------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
# Remote SMTP and IRC servers that do ident lookups then get an immediate
# refusal instead of waiting for a timeout before serving us.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE \
-d $IPADDR 113 -j REJECT
# ------------------------------------------------------------------
# SMTP client (25)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $SMTP_SERVER 25 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $SMTP_SERVER 25 -j ACCEPT
# ------------------------------------------------------------------
# FTP server (20, 21)
# -------------------
# incoming request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 21 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 21 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# PORT MODE data channel responses
#
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 20 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR 20 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# PASSIVE MODE data channel responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# OUTGOING TRACEROUTE
# -------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $TRACEROUTE_SRC_PORTS \
-d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR $PRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR $UNPRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 5 -d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 13:255 -d $IPADDR -j DENY -l
# ----------------------------------------------------------------------------
;;
stop)
echo -n "Shutting Firewalling Services: "
# Remove all existing rules belonging to this filter
ipchains -F
# Delete all user-defined chains belonging to this filter
ipchains -X
# Reset the default policy of the filter to accept.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
;;
status)
status firewall
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: firewall {start|stop|status|restart|reload}"
exit 1
esac
exit 0
</programlisting>
<para>
Now, make this script executable and change its default permissions:
<screen>
[root@deep] /# <command>chmod</command> 700 /etc/rc.d/init.d/firewall
[root@deep] /# <command>chown</command> 0.0 /etc/rc.d/init.d/firewall
</screen>
</para>
<para>
Create the symbolic rc.d links for your Firewall with the following command:
<screen>
[root@deep] /# <command>chkconfig</command> --add firewall
[root@deep] /# <command>chkconfig</command> --level 345 firewall on
</screen>
</para>
<para>
Now, your firewall rules are configured to use System V init (System V init is in charge of starting all the normal processes that need to run at boot time) and it will be automatically started each time your server reboots.
To manually stop the firewall on your system, use the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/firewall <command>stop</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting Firewalling Services: [ OK ]
</computeroutput></literallayout>
</para>
<para>
To manually start the firewall on your system, use the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/firewall <command>start</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Starting Firewalling Services: [ OK ]
</computeroutput></literallayout>
</para>
</section>
<section id="pr3ch4fsfsc42" xreflabel="Mail Server"><?dbhtml filename="chap11sec103.html"?>
<title>Config <filename>/etc/rc.d/init.d/firewall</filename> script file - Mail Server</title>
<para>
This is the configuration script file for our Mail Server. It is configured to allow unlimited traffic on the Loopback interface, <acronym>ICMP</acronym>, <acronym>DNS</acronym> Server and Client (53), <acronym>SSH</acronym> Server (22), SMTP Server and Client (25), <acronym>IMAP</acronym>
server (143), and OUTGOING TRACEROUTE requests by default.
If you don't want some of the services that I make <userinput>ON</userinput> by default in the firewall rules file for the Mail Server, comment them out with a &quot;#&quot; at the beginning of the line. If you want some other
services that I commented out with a &quot;#&quot;, then remove the &quot;#&quot; at the beginning of their lines.
Create the firewall script file, <command>touch</command> <filename>/etc/rc.d/init.d/firewall</filename> on your Mail Server and add:
</para>
<programlisting>
#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani: 04-25-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall \
# used to provide Firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
exit 0
fi
if [ ! -x /sbin/ipchains ]; then
exit 0
fi
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling Services: "
# Some definitions for easy maintenance.
# ----------------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # Your local naming convention
IPADDR="my.ip.address" # Your IP address
ANYWHERE="any/0" # Match any IP address
NAMESERVER_1="my.name.server.1" # Everyone must have at least one
NAMESERVER_2="my.name.server.2" # Your secondary name server
MY_ISP="my.isp.address.range/24" # ISP &amp; NOC address range
SMTP_SERVER="my.smtp.server" # Your Mail Hub Server.
SYSLOG_SERVER="syslog.internal.server" # Your syslog internal server
SYSLOG_CLIENT="sys.int.client.range/24" # Your syslog internal client range
LOOPBACK="127.0.0.0/8" # Reserved loopback address range
CLASS_A="10.0.0.0/8" # Class A private networks
CLASS_B="172.16.0.0/12" # Class B private networks
CLASS_C="192.168.0.0/16" # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addresses
BROADCAST_SRC="0.0.0.0" # Broadcast source address
BROADCAST_DEST="255.255.255.255" # Broadcast destination address
PRIVPORTS="0:1023" # Well known, privileged port range
UNPRIVPORTS="1024:65535" # Unprivileged port range
# ----------------------------------------------------------------------------
# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1022:1023" # range for SSH privileged ports
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING &amp; OUTGOING connections
# Remove all existing rules belonging to this filter
ipchains -F
# Clearing all current rules and user defined chains
ipchains -X
# Set the default policy of the filter to deny.
# Don't even bother sending an error message back.
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.
# Refuse any connection from problem sites
#if [ -f /etc/rc.d/rc.firewall.blocked ]; then
# . /etc/rc.d/rc.firewall.blocked
#fi
# ----------------------------------------------------------------------------
# SPOOFING &amp; BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l
# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l
# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l
# Refuse packets claiming to be to or from a Class C private network
# ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
# ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
# ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l
# ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l
# Refuse packets claiming to be from the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l
# Refuse broadcast address SOURCE packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
# Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l
# Refuse Class E reserved IP addresses
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l
# refuse addresses defined as reserved by the IANA
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l
#65: 01000001 - /3 includes 64 - need 65-79 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l
#80: 01010000 - /4 masks 80-95
ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l
# 96: 01100000 - /4 masks 96-111
ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l
#126: 01111110 - /3 includes 127 - need 112-126 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l
#217: 11011001 - /5 includes 216 - need 217-219 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l
#223: 11011111 - /6 masks 220-223
ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l
# ----------------------------------------------------------------------------
# ICMP
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 0 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 3 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 4 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 11 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 12 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $MY_ISP 8 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 0 -d $MY_ISP -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 3 -d $MY_ISP -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 4 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 8 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 12 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 11 -d $MY_ISP -j ACCEPT
# ----------------------------------------------------------------------------
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_ISP $TRACEROUTE_SRC_PORTS \
-d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE $TRACEROUTE_SRC_PORTS \
-d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l
# ----------------------------------------------------------------------------
# DNS server
# ----------
# DNS: full server
# server/client to server query or response
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# DNS client &amp; Zone Transfers (53)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
# ----------------------------------------------------------------------------
# TCP accept only on selected ports
# ---------------------------------
# ------------------------------------------------------------------
# SSH server (22)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $SSH_PORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $SSH_PORTS -j ACCEPT
# ------------------------------------------------------------------
# AUTH server (113)
# -----------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE \
-d $IPADDR 113 -j REJECT
# ------------------------------------------------------------------
# SYSLOG server (514)
# -----------------
# Provides full remote logging. Using this feature you're able to
# control all syslog messages on one host.
# ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
# -s $SYSLOG_CLIENT \
# -d $IPADDR 514 -j ACCEPT
# SYSLOG client (514)
# -----------------
# ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
# -s $IPADDR 514 \
# -d $SYSLOG_SERVER 514 -j ACCEPT
# ------------------------------------------------------------------
# SMTP server (25)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 25 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 25 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# SMTP client (25)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 25 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 25 -j ACCEPT
# ------------------------------------------------------------------
# IMAP server (143)
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 143 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 143 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# POP server (110)
# -----------------
# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
# -s $ANYWHERE $UNPRIVPORTS \
# -d $IPADDR 110 -j ACCEPT
# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
# -s $IPADDR 110 \
# -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# OUTGOING TRACEROUTE
# -------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $TRACEROUTE_SRC_PORTS \
-d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR $PRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR $UNPRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 5 -d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 13:255 -d $IPADDR -j DENY -l
# ----------------------------------------------------------------------------
;;
stop)
echo -n "Shutting Firewalling Services: "
# Remove all existing rules belonging to this filter
ipchains -F
# Delete all user-defined chains belonging to this filter
ipchains -X
# Reset the default policy of the filter to accept.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
;;
status)
status firewall
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: firewall {start|stop|status|restart|reload}"
exit 1
esac
exit 0
</programlisting>
<para>
Now, make this script executable and change its default permissions:
<screen>
[root@deep] /# <command>chmod</command> 700 /etc/rc.d/init.d/firewall
[root@deep] /# <command>chown</command> 0.0 /etc/rc.d/init.d/firewall
</screen>
</para>
<para>
Create the symbolic rc.d links for your Firewall with the command:
<screen>
[root@deep] /# <command>chkconfig</command> --add firewall
[root@deep] /# <command>chkconfig</command> --level 345 firewall on
</screen>
Now, your firewall rules are configured to use System <literal>V</literal> init (System V init is in charge of starting all the normal processes that need to run at boot time) and it will be automatically started each time your server reboots.
</para>
<para>
To manually stop the firewall on your system, use the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/firewall <command>stop</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting Firewalling Services: [ OK ]
</computeroutput>
</literallayout>
</para>
<para>
To manually start the firewall on your system, use the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/firewall <command>start</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Starting Firewalling Services: [ OK ]
</computeroutput>
</literallayout>
</para>
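<para>
As an added example that is not part of the book's script, the following Python program reads the kernel log lines that the <literal>-l</literal> rules in the script produce (the anti-spoofing rules and the &quot;Enable logging for selected denied packets&quot; block) and summarizes which sources, ports and <acronym>ICMP</acronym> types are being refused, flagging packets whose source lies in one of the private or reserved ranges that must never arrive on the external interface. The log lines and addresses are constructed samples, not output from a real host.
</para>

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample /var/log/messages lines in the format ipchains writes
# for rules carrying the "-l" flag, as the "SPOOFING and BAD ADDRESSES" and
# "Enable logging for selected denied packets" rules above do. The IP
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Apr 25 10:01:02 deep kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:2049 198.51.100.10:23 L=60 S=0x00 I=4321 F=0x4000 T=51 SYN (#41)
Apr 25 10:01:03 deep kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:2050 198.51.100.10:110 L=60 S=0x00 I=4322 F=0x4000 T=51 SYN (#41)
Apr 25 10:01:05 deep kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:31337 198.51.100.10:514 L=48 S=0x00 I=77 F=0x0000 T=60 (#42)
Apr 25 10:01:09 deep kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:1234 198.51.100.10:25 L=60 S=0x00 I=99 F=0x4000 T=64 SYN (#12)
Apr 25 10:01:11 deep kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.9:5 198.51.100.10:0 L=56 S=0x00 I=12 F=0x0000 T=60 (#44)
Apr 25 10:02:00 deep sshd[811]: Accepted publickey for admin from 203.0.113.50 port 1023
"""

# ipchains "Packet log:" layout: chain target interface PROTO=n src:sport
# dst:dport L= S= I= F= T= [SYN] (#rule). For ICMP the two "port" fields
# carry the ICMP type and code instead of port numbers.
LOG_RE = re.compile(
    r"Packet log: (\w+) (\w+) (\S+) PROTO=(\d+) "
    r"([\d.]+):(\d+) ([\d.]+):(\d+) .*\(#(\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Source ranges the script refuses on the external interface: its CLASS_A,
# CLASS_B, CLASS_C, LOOPBACK, CLASS_D_MULTICAST and CLASS_E_RESERVED_NET.
BOGUS_SOURCES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/5")]


def parse_packet_log(line):
    """Return a dict for an ipchains 'Packet log:' line, or None otherwise."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    chain, target, iface, proto, src, sport, dst, dport, rule = m.groups()
    return {
        "chain": chain, "target": target, "iface": iface,
        "proto": PROTO_NAMES.get(int(proto), proto),
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "rule": int(rule),
        "syn": " SYN " in line,
    }


def summarize_denies(log_text, external_iface="eth0"):
    """Aggregate DENY events on the input chain: hits per source address,
    per TCP/UDP destination port and per ICMP type, plus packets whose source
    lies in a range that must never arrive on the external interface."""
    by_source = Counter()
    by_port = Counter()
    by_icmp_type = Counter()
    spoofed = []
    for line in log_text.splitlines():
        ev = parse_packet_log(line)
        if ev is None or ev["chain"] != "input" or ev["target"] != "DENY":
            continue
        by_source[ev["src"]] += 1
        if ev["proto"] in ("tcp", "udp"):
            by_port[(ev["proto"], ev["dport"])] += 1
        elif ev["proto"] == "icmp":
            by_icmp_type[ev["sport"]] += 1
        src = ip_address(ev["src"])
        if ev["iface"] == external_iface and any(src in n for n in BOGUS_SOURCES):
            spoofed.append((ev["src"], ev["rule"]))
    return {"by_source": by_source, "by_port": by_port,
            "by_icmp_type": by_icmp_type, "spoofed": spoofed}


if __name__ == "__main__":
    report = summarize_denies(SAMPLE_LOG)
    print("denied packets per source:")
    for src, count in report["by_source"].most_common():
        print(f"  {src:16} {count}")
    print("denied TCP/UDP destination ports:")
    for (proto, port), count in sorted(report["by_port"].items()):
        print(f"  {proto}/{port} {count}")
    print("denied ICMP types:", dict(report["by_icmp_type"]))
    print("spoofed sources on external interface (src, rule#):", report["spoofed"])
```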
</section>
</chapter>
<chapter label="12" id="pr4ch12nfmf"><?dbhtml filename="Masq-forward.html"?>
<title>Networking Firewall -Masquerading and Forwarding</title>
<highlights><para>
Unlike the example configurations in <link linkend="prt3chp4fscf">The firewall scripts files</link>, configuring a Linux Server to masquerade and forward traffic from an inside private network that has unregistered <acronym>IP</acronym> addresses,
<abbrev>i.e.</abbrev> <literal>192.168.1.0/24</literal>, to the outside network, <abbrev>i.e.</abbrev> the Internet, requires a special setup of your kernel and of your firewall configuration script file. This kind
of setup is also known as a Gateway Server, <emphasis>a machine that serves as a gateway for internal traffic to external traffic</emphasis>. This configuration must only be set up if you intend to provide and need this
kind of service, and it is for this reason that the configuration of the script file for the Gateway Server is in its own chapter.
</para></highlights>
<section><?dbhtml filename="chap12sec104.html"?>
<title>Build a kernel with Firewall Masquerading and Forwarding support</title>
<para>
Once again, the first thing you need to do is ensure that your kernel has been built with Network firewalls and <acronym>IP</acronym>: Firewalling support enabled. In the 2.2.14 kernel version you need to ensure that you have answered <userinput>Y</userinput> to the following questions:
<programlisting>
<userinput>Networking options:</userinput>
Network firewalls (CONFIG_FIREWALL) [N] Y
<acronym>IP</acronym>:Firewalling (CONFIG_IP_FIREWALL) [N] Y
<acronym>IP</acronym>:<acronym>TCP</acronym> syncookie support (CONFIG_SYN_COOKIES) [N] Y
</programlisting>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
If you followed the Linux Kernel section and have recompiled your kernel, the Network firewalls, <acronym>IP</acronym>:Firewalling, and <acronym>IP</acronym>:<acronym>TCP</acronym> syncookie support options shown above are already set.
</para></note>
<para>
<acronym>IP</acronym> Masquerading and <acronym>IP</acronym> <acronym>ICMP</acronym> Masquerading are required only on a Gateway Server.
<programlisting>
<acronym>IP</acronym>:Masquerading (CONFIG_IP_MASQUERADE) [N] Y
<acronym>IP</acronym>:<acronym>ICMP</acronym> Masquerading (CONFIG_IP_MASQUERADE_ICMP) [N] Y
</programlisting>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Only your Gateway Server needs to have <acronym>IP</acronym>:Masquerading and <acronym>IP</acronym>:<acronym>ICMP</acronym> Masquerading kernel options enabled. This is required to masquerade your Internal Network to the outside.
</para></important>
<para>
Masquerade means that if one of the computers on your local network for which your Linux box (or gateway) acts as a firewall wants to send something to the outside, your box can <literal>masquerade</literal> as that
computer. In other words it forwards the traffic to the intended outside destination, but makes it look like it came from the firewall box itself.
</para>
<para>
It works both ways: if the outside host replies, the Linux firewall will silently forward the traffic to the corresponding local computer. This way, the computers on your local net are completely invisible to the outside world, even
though they can reach the outside and can receive replies. This makes it possible to have the computers on the local network participate on the Internet even if they don't have officially registered <acronym>IP</acronym> addresses.
</para>
<para>
The <acronym>IP</acronym> masquerading code will only work if <acronym>IP</acronym> forwarding is enabled on your system. This feature is disabled by default, and you can enable it as follows:
</para>
<para>
Under <mediaobject><imageobject> <imagedata format="GIF" fileref="./images/Version6.1.gif"/></imageobject><textobject><phrase>Version 6.1 only</phrase></textobject></mediaobject>
To enable <acronym>IP</acronym> forwarding feature on your server, execute the following command:
<screen>
[root@deep] /#<command>echo</command> 1 &gt; /proc/sys/net/ipv4/ip_forward
</screen>
You can add the above line in your <filename>/etc/rc.d/rc.local</filename> script file so <acronym>IP</acronym> forwarding is enabled automatically for you even if your server is rebooted. In Red Hat Linux 6.1 this can also be
accomplished by changing the line in <filename>/etc/sysconfig/network</filename> file from:
<screen>
FORWARD_IPV4="false"
</screen>
To read:
<screen>
FORWARD_IPV4="yes"
</screen>
</para>
<para>
You must restart your network for the change to take effect:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
So you can either add the echo 1 &gt; /proc/sys/net/ipv4/ip_forward command line to your <filename>rc.local</filename> script file, or change the value of the line <envar>FORWARD_IPV4=false</envar> to <userinput>yes</userinput> in the network file, to set this
feature to <literal>ON</literal>. Personally I prefer the second choice.
</para>
<para>
Under <mediaobject><imageobject> <imagedata format="GIF" fileref="./images/Version6.2.gif"/></imageobject><textobject><phrase>Version 6.2 only</phrase></textobject></mediaobject>
To enable IPv4 forwarding on your RH 6.2 system, edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Enable packet forwarding
net.ipv4.ip_forward = 1
</programlisting>
You must restart your network for the change to take effect.
</para>
<para>
To restart all network devices manually on your system, use the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The <acronym>IP</acronym> forwarding line above is only required if you answered <userinput>Yes</userinput> to the kernel option IP:Masquerading (CONFIG_IP_MASQUERADE) and chose to have a server act as
a Gateway and masquerade for your inside network.
</para></important>
<para>
If you enabled <acronym>IP</acronym> Masquerading, then the modules <filename>ip_masq_ftp.o</filename> for ftp file transfers, <filename>ip_masq_irc.o</filename> for irc chats, <filename>ip_masq_quake.o</filename>
<emphasis>you guessed it!</emphasis>, <filename>ip_masq_vdolive.o</filename> for VDOLive video connections, <filename>ip_masq_cuseeme.o</filename> for CU-SeeMe broadcasts and <filename>ip_masq_raudio.o</filename> for RealAudio downloads
will automatically be compiled. They are needed to make masquerading for these protocols work.
</para>
<para>
Also, don't forget that you'll need to build a modularized kernel and answer <userinput>Yes</userinput> to the Enable loadable module support (CONFIG_MODULES)
option instead of a monolithic kernel to be able to use masquerading functions and modules like <filename>ip_masq_ftp.o</filename> on your Gateway server <emphasis>see the <link linkend="prt2sct35kcon">Linux Kernel section</link> above in this book for more information</emphasis>.
</para>
<para>
The basic masquerade code described for <acronym>IP</acronym>: masquerading above only handles <acronym>TCP</acronym> or <acronym>UDP</acronym> packets and <acronym>ICMP</acronym> errors for existing
connections. The <acronym>IP</acronym>:<acronym>ICMP</acronym> Masquerading option adds additional support for masquerading <acronym>ICMP</acronym> packets, such as ping or the probes used by the
<trademark>Windows 95</trademark> tracer program.
</para>
<para>
Remember that other servers like the <xref linkend="pr3ch4fsfsc41"/> and <xref linkend="pr3ch4fsfsc42"/> examples don't need to have these options enabled since they either have a real <acronym>IP</acronym> address assigned or don't act as a Gateway
for the inside network.
</para>
</section>
<section><?dbhtml filename="chap12sec105.html"?>
<title>Config <filename>/etc/rc.d/init.d/firewall</filename> script file -Gateway Server</title>
<sidebar>
<title>Some Points to Consider</title>
<para>
You can safely assume that you are potentially at risk if you connect your system to the Internet. Your gateway to the Internet is your greatest exposure, so we recommend the following:
<itemizedlist mark="opencircle">
<listitem><para>
The gateway should not run any more applications than are absolutely necessary.
</para></listitem>
<listitem><para>
The gateway should strictly limit the type and number of protocols allowed to flow through it (protocols potentially provide security holes, such as <acronym>FTP</acronym> and telnet).
</para></listitem>
<listitem><para>
Any system containing confidential or sensitive information should not be directly accessible from the Internet.
</para></listitem>
</itemizedlist>
</para>
</sidebar>
</section>
<section><?dbhtml filename="chap12sec106.html"?>
<title>Configure script for Example Gateway Server</title>
<para>
This is the configuration script file for our Gateway Server. This configuration allows unlimited traffic on the Loopback interface, <acronym>ICMP</acronym>, <acronym>DNS</acronym> Server and Client (53),
<acronym>SSH</acronym> Server and Client (22), <acronym>HTTP</acronym> Server and Client (80), <acronym>HTTPS</acronym> Server and Client (443), <acronym>POP</acronym> Client (110), <acronym>NNTP</acronym> NEWS
Client (119), <acronym>SMTP</acronym> Server and Client (25), <acronym>IMAP</acronym> Server (143), <acronym>IRC</acronym> Client (6667), <acronym>ICQ</acronym> Client (4000), <acronym>FTP</acronym> Client (20, 21),
RealAudio / QuickTime Client, and OUTGOING TRACEROUTE requests by default.
</para>
<para>
If you don't want some of the services that I make ON by default in the firewall rules file for the Gateway Server, comment them out with a &quot;#&quot; at the beginning of the line. If you want some other services
that I commented out with a &quot;#&quot;, remove the &quot;#&quot; at the beginning of their lines. If you have configured Masquerading on your server, don't forget to uncomment, under the MODULES MASQUERADING section of the firewall
script file, the modules needed to masquerade the services you use, like <filename>ip_masq_irc.o</filename>, <filename>ip_masq_raudio.o</filename>, etc.
</para>
<para>
Create the firewall script file <command>touch</command> <filename>/etc/rc.d/init.d/firewall</filename> on your Gateway Server and add:
<programlisting>
#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani: 04-25-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall \
# used to provide Firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
exit 0
fi
if [ ! -x /sbin/ipchains ]; then
exit 0
fi
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling Services: "
# Some definitions for easy maintenance.
# ----------------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOCAL_INTERFACE_1="eth1" # Internal LAN interface
LOOPBACK_INTERFACE="lo" # Your local naming convention
IPADDR="my.ip.address" # Your <acronym>IP</acronym> address
LOCALNET_1="192.168.1.0/24" # Whatever private range you use
IPSECSG="my.ipsecsg.address" # Space separated list of remote VPN gateways
FREESWANVI="ipsec0" # Space separated list of virtual interfaces
ANYWHERE="any/0" # Match any <acronym>IP</acronym> address
NAMESERVER_1="my.name.server.1" # Everyone must have at least one
NAMESERVER_2="my.name.server.2" # Your secondary name server
MY_ISP="my.isp.address.range/24" # ISP &amp; NOC address range
SMTP_SERVER="my.smtp.server" # Your Mail Hub Server.
POP_SERVER="my.pop.server" # External pop server, if any
NEWS_SERVER="my.news.server" # External news server, if any
SYSLOG_SERVER="syslog.internal.server" # Your syslog internal server
LOOPBACK="127.0.0.0/8" # Reserved loopback address range
CLASS_A="10.0.0.0/8" # Class A private networks
CLASS_B="172.16.0.0/12" # Class B private networks
CLASS_C="192.168.0.0/16" # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addresses
BROADCAST_SRC="0.0.0.0" # Broadcast source address
BROADCAST_DEST="255.255.255.255" # Broadcast destination address
PRIVPORTS="0:1023" # Well known, privileged port range
UNPRIVPORTS="1024:65535" # Unprivileged port range
# ----------------------------------------------------------------------------
# <acronym>SSH</acronym> starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="1022:1023" # range for <acronym>SSH</acronym> privileged ports
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING &amp; OUTGOING connections
# Remove all existing rules belonging to this filter
ipchains -F
# Clearing all current rules and user defined chains
ipchains -X
# Set the default policy of the filter to deny.
# Don't even bother sending an error message back.
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
# set masquerade timeout to 10 hours for tcp connections
ipchains -M -S 36000 0 0
# Don't forward fragments. Assemble before forwarding.
ipchains -A output -f -i $LOCAL_INTERFACE_1 -j DENY
# ----------------------------------------------------------------------------
# MODULES MASQUERADING
# Uncomment bellow all modules lines that you need
# These modules are necessary to masquerade their respective services.
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio ports=554,7070,7071,6970,6971
/sbin/modprobe ip_masq_irc
#/sbin/modprobe ip_masq_vdolive
#/sbin/modprobe ip_masq_cuseeme
#/sbin/modprobe ip_masq_quake
# ----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.
# Refuse any connection from problem sites
#if [ -f /etc/rc.d/rc.firewall.blocked ]; then
# . /etc/rc.d/rc.firewall.blocked
#fi
# ----------------------------------------------------------------------------
# SPOOFING &amp; BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be from the external address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l
# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l
# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l
# Refuse packets claiming to be to or from a Class C private network
# ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l
# ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l
# ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l
# ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l
# Refuse packets claiming to be from the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l
# Refuse broadcast address SOURCE packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l
# Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l
# Refuse Class E reserved <acronym>IP</acronym> addresses
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l
# refuse addresses defined as reserved by the IANA
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l
#65: 01000001 - /3 includes 64 - need 65-79 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l
#80: 01010000 - /4 masks 80-95
ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l
# 96: 01100000 - /4 masks 96-111
ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l
#126: 01111110 - /3 includes 127 - need 112-126 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l
#217: 11011001 - /5 includes 216 - need 217-219 spelled out
ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l
#223: 11011111 - /6 masks 220-223
ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l
# ----------------------------------------------------------------------------
# <acronym>ICMP</acronym>
# To prevent denial of service attacks based on <acronym>ICMP</acronym> bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 0 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 3 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 4 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 11 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 12 -d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $MY_ISP 8 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 0 -d $MY_ISP -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 3 -d $MY_ISP -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 4 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 8 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 12 -d $ANYWHERE -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 11 -d $MY_ISP -j ACCEPT
# ----------------------------------------------------------------------------
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_ISP $TRACEROUTE_SRC_PORTS \
-d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE $TRACEROUTE_SRC_PORTS \
-d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l
# ----------------------------------------------------------------------------
# <acronym>DNS</acronym> server
# ----------
# <acronym>DNS</acronym>: full server
# server/client to server query or response
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# <acronym>DNS</acronym> client (53)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT
# TCP client to server requests are allowed by the protocol
# if UDP requests fail. This is rarely seen. Usually, TCP port 53
# is used by secondary nameservers for zone transfers from their
# primary nameservers, and by hackers.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT
# ----------------------------------------------------------------------------
# TCP accept only on selected ports
# ---------------------------------
# ------------------------------------------------------------------
# <acronym>SSH</acronym> server (22)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $SSH_PORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $SSH_PORTS -j ACCEPT
# <acronym>SSH</acronym> client (22)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 22 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 22 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 22 \
-d $IPADDR $SSH_PORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $SSH_PORTS \
-d $ANYWHERE 22 -j ACCEPT
# ------------------------------------------------------------------
# <acronym>HTTP</acronym> client (80)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 80 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 80 -j ACCEPT
# ------------------------------------------------------------------
# <acronym>HTTPS</acronym> client (443)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 443 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 443 -j ACCEPT
# ------------------------------------------------------------------
# POP client (110)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $POP_SERVER 110 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $POP_SERVER 110 -j ACCEPT
# ------------------------------------------------------------------
# NNTP NEWS client (119)
# ----------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NEWS_SERVER 119 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NEWS_SERVER 119 -j ACCEPT
# ------------------------------------------------------------------
# FINGER client (79)
# ------------------
# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
# -s $ANYWHERE 79 \
# -d $IPADDR $UNPRIVPORTS -j ACCEPT
# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
# -s $IPADDR $UNPRIVPORTS \
# -d $ANYWHERE 79 -j ACCEPT
# ------------------------------------------------------------------
# SYSLOG client (514)
# -----------------
# ipchains -A output -i $LOCAL_INTERFACE_1 -p udp \
# -s $IPADDR 514 \
# -d $SYSLOG_SERVER 514 -j ACCEPT
# ------------------------------------------------------------------
# AUTH server (113)
# -----------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE \
-d $IPADDR 113 -j REJECT
# AUTH client (113)
# -----------------
# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
# -s $ANYWHERE 113 \
# -d $IPADDR $UNPRIVPORTS -j ACCEPT
# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
# -s $IPADDR $UNPRIVPORTS \
# -d $ANYWHERE 113 -j ACCEPT
# ------------------------------------------------------------------
# SMTP client (25)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 25 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 25 -j ACCEPT
# ------------------------------------------------------------------
# IRC client (6667)
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 6667 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 6667 -j ACCEPT
# ------------------------------------------------------------------
# ICQ client (4000)
# -----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 2000:4000 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 2000:4000 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE 4000 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 4000 -j ACCEPT
# ------------------------------------------------------------------
# FTP client (20, 21)
# -------------------
# outgoing request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 21 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 21 -j ACCEPT
# NORMAL mode data channel
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE 20 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# NORMAL mode data channel responses
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 20 -j ACCEPT
# PASSIVE mode data channel creation
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# PASSIVE mode data channel responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# RealAudio / QuickTime client
# ----------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 554 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 554 -j ACCEPT
# TCP is a more secure method: 7070:7071
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 7070:7071 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 7070:7071 -j ACCEPT
# UDP is the preferred method: 6970:6999
# For LAN machines, UDP requires the RealAudio masquerading module and
# the ipmasqadm third-party software.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 6970:6999 -j ACCEPT
# Note: this output rule matches any UDP packet sent from an unprivileged
# port to an unprivileged port, not only RealAudio/QuickTime traffic.
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# WHOIS client (43)
# -----------------
# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
# -s $ANYWHERE 43 \
# -d $IPADDR $UNPRIVPORTS -j ACCEPT
# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
# -s $IPADDR $UNPRIVPORTS \
# -d $ANYWHERE 43 -j ACCEPT
# ------------------------------------------------------------------
# OUTGOING TRACEROUTE
# -------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $TRACEROUTE_SRC_PORTS \
-d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the firewall machine.
ipchains -A input -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT
# ----------------------------------------------------------------------------
# FreeS/WAN IPSec VPN
# -------------------
# If you are using the FreeSWAN IPSec VPN, you will need to fill in the
# addresses of the gateways in the IPSECSG and the virtual interfaces for
# FreeS/Wan IPSEC in the FREESWANVI parameters. Look at the beginning of
# this firewall script rules file to set the parameters.
# IPSECSG is a Space separated list of remote gateways. FREESWANVI is a
# Space separated list of virtual interfaces for FreeS/Wan IPSEC
# implementation. Only include those that are actually used.
# Allow IPSEC protocol from remote gateways on external interface
# IPSEC uses three main types of packet:
# IKE uses the UDP protocol and port 500,
# ESP use the protocol number 50, and
# AH use the protocol number 51
# ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
# -s $IPSECSG -j ACCEPT
# ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
# -d $IPSECSG -j ACCEPT
# ipchains -A input -i $EXTERNAL_INTERFACE -p 50 \
# -s $IPSECSG -j ACCEPT
# ipchains -A output -i $EXTERNAL_INTERFACE -p 50 \
# -d $IPSECSG -j ACCEPT
# ipchains -A input -i $EXTERNAL_INTERFACE -p 51 \
# -s $IPSECSG -j ACCEPT
# ipchains -A output -i $EXTERNAL_INTERFACE -p 51 \
# -d $IPSECSG -j ACCEPT
# Allow all traffic to FreeS/WAN Virtual Interface
# ipchains -A input -i $FREESWANVI \
# -s $ANYWHERE \
# -d $ANYWHERE -j ACCEPT
# ipchains -A output -i $FREESWANVI \
# -s $ANYWHERE \
# -d $ANYWHERE -j ACCEPT
# Forward anything from the FreeS/WAN virtual interface IPSEC tunnel
# ipchains -A forward -i $FREESWANVI \
# -s $ANYWHERE \
# -d $ANYWHERE -j ACCEPT
# Disable <acronym>IP</acronym> spoofing protection to allow IPSEC to work properly
# echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
# ----------------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR $PRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR $UNPRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 5 -d $IPADDR -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 13:255 -d $IPADDR -j DENY -l
# ----------------------------------------------------------------------------
;;
stop)
echo -n "Shutting Firewalling Services: "
# Remove all existing rules belonging to this filter
ipchains -F
# Delete all user-defined chain to this filter
ipchains -X
# Reset the default policy of the filter to accept.
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
;;
status)
status firewall
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: firewall {start|stop|status|restart|reload}"
exit 1
esac
exit 0
</programlisting>
</para>
<para>
Now, make this script executable and change its default permissions:
<screen>
[root@deep] /#<command>chmod</command> 700 /etc/rc.d/init.d/firewall
[root@deep] /#<command>chown</command> 0.0 /etc/rc.d/init.d/firewall
</screen>
</para>
<para>
Create the symbolic <filename class="directory">rc.d</filename> links for your Firewall with the command:
<screen>
[root@deep] /#<command>chkconfig</command> --add firewall
[root@deep] /#<command>chkconfig</command> --level 345 firewall on
</screen>
Now your firewall rules are configured to use System <literal>V</literal> init (System <literal>V</literal> <emphasis>init is in charge of starting all the normal processes that need to run at boot time</emphasis>), so the firewall will
be started automatically each time your server reboots.
</para>
<para>
To manually stop the firewall on your system, use the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/firewall <command>stop</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting Firewalling Services: [ OK ]
</computeroutput></literallayout>
</para>
<para>
To manually start the firewall on your system, use the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/firewall <command>start</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Starting Firewalling Services: [ OK ]
</computeroutput></literallayout>
</para>
</section>
<section><?dbhtml filename="chap12sec107.html"?>
<title>Deny access to some address</title>
<para>
Sometimes you'll know an address that you would like to block from having any access at all to your server. You can do that by creating
the <filename>rc.firewall.blocked</filename> file under the <filename class="directory">/etc/rc.d/</filename> directory and uncommenting the following
lines in your firewall rules script file:
</para>
<para>
Edit your firewall scripts file <command>vi</command> <filename>/etc/rc.d/init.d/firewall</filename> and uncomment the following lines:
<programlisting>
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
. /etc/rc.d/rc.firewall.blocked
fi
</programlisting>
</para>
<para>
Create the <filename>rc.firewall.blocked</filename> file <command>touch</command> <filename>/etc/rc.d/rc.firewall.blocked</filename> and add inside this file all the <acronym>IP</acronym> addresses that you want to block from having any access to your
server at all. Because the firewall script sources this file with the shell's <command>.</command> command (see the Network Ghouls section of the script), each address must be written as an <command>ipchains</command> DENY rule, as the script's own comment describes.
For example, I put the following rules in this file to block two addresses:
</para>
<example>
<title><filename>rc.firewall.blocked</filename></title>
<para>
<programlisting>
ipchains -A input -i $EXTERNAL_INTERFACE -s 204.254.45.9 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 187.231.11.5 -j DENY
</programlisting>
</para>
</example>
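<para>
Keeping the list of blocked addresses as plain text and generating the sourced file from it is less error-prone than hand-editing <command>ipchains</command> lines. The following script is an added example, not part of the book or of Robert L. Ziegler's firewall script: it reads a plain address list (one entry per line, with <literal>#</literal> comments), validates each entry as a dotted-quad IPv4 address or an address/prefix pair, and prints one DENY rule per valid entry in the format the firewall script expects. Malformed entries are emitted as <literal># REJECTED</literal> comment lines so that the generated file stays sourceable and nothing disappears silently. The <literal>EXTERNAL_INTERFACE</literal> variable is left unexpanded because it is defined by the firewall script that sources the generated file; the <literal>-l</literal> logging flag is this example's addition, matching the other DENY rules of the script. The sample address list is constructed for the example and reuses the two addresses shown above.
</para>
```shell
#!/bin/sh
# Added example (not from the book): build /etc/rc.d/rc.firewall.blocked
# from a plain address list. Generated lines reference EXTERNAL_INTERFACE,
# which the firewall script that sources the file defines, so the variable
# is deliberately left unexpanded here.

# Return 0 if $1 is a dotted-quad IPv4 address with four octets in 0-255.
# Octets are peeled off with parameter expansion and checked against shell
# patterns, so no IFS changes and no globbing are involved.
is_ipv4() {
    _rest=$1
    _n=0
    case $_rest in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;   # empty, stray dots, or non-digit
    esac
    while [ -n "$_rest" ]; do
        case $_rest in
            *.*) _oct=${_rest%%.*}; _rest=${_rest#*.} ;;
            *)   _oct=$_rest;       _rest= ;;
        esac
        _n=$((_n + 1))
        case $_oct in
            [0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) return 1 ;;                      # leading zero or above 255
        esac
    done
    [ "$_n" -eq 4 ]
}

# Return 0 if $1 is an IPv4 address, or an IPv4 address followed by /prefix
# with a prefix length of 0-32 (e.g. 10.0.0.0/8).
is_ipv4_or_cidr() {
    case $1 in
        */*/*) return 1 ;;
        */*)
            case ${1#*/} in
                [0-9]|[12][0-9]|3[0-2]) ;;
                *) return 1 ;;
            esac
            is_ipv4 "${1%/*}"
            ;;
        *)  is_ipv4 "$1" ;;
    esac
}

# Read an address list on stdin (one entry per line; blank lines and "#"
# comments are ignored) and print one logging DENY rule per valid entry.
# Invalid entries become "# REJECTED" comment lines so the output stays
# sourceable and the problem is visible. Exit status = number rejected.
gen_blocked_rules() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _entry=${_line%%#*}                                            # drop comment
        _entry=$(printf '%s' "$_entry" | sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//')
        [ -n "$_entry" ] || continue
        if is_ipv4_or_cidr "$_entry"; then
            printf 'ipchains -A input -i $EXTERNAL_INTERFACE -s %s -j DENY -l\n' "$_entry"
        else
            printf '# REJECTED (not an IPv4 address or prefix): %s\n' "$_entry"
            _bad=$((_bad + 1))
        fi
    done
    return "$_bad"
}

# Constructed sample list: the first two addresses are the book's own
# example; the remaining entries exercise prefixes and deliberately bad input.
SAMPLE_LIST='# addresses that get no access at all
204.254.45.9
187.231.11.5        # trailing comments are fine
10.0.0.0/8          # a whole prefix

999.1.1.1           # octet above 255
1.2.3.4/33          # prefix above 32
1.2.3               # too few octets
'

# Demonstration: print the generated file for the sample list and report
# whether anything was rejected.
if printf '%s' "$SAMPLE_LIST" | gen_blocked_rules; then
    echo '# all entries accepted'
else
    echo '# some entries rejected: fix the list before installing this file'
fi
```
<para>
Run it as a filter: feed the address list on standard input and redirect standard output to <filename>/etc/rc.d/rc.firewall.blocked</filename>. The exit status is the number of rejected entries, so an installation step can refuse to put a file in place when the list contained anything the validator did not accept.
</para>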
<para>
For further documentation and more details, there are several man pages you can read:
<itemizedlist mark="opencircle">
<listitem><para>
<citerefentry><refentrytitle>ipchains</refentrytitle><manvolnum>8</manvolnum></citerefentry> - <acronym>IP</acronym> firewall administration
</para></listitem>
<listitem><para>
<citerefentry><refentrytitle>ipchains-restore</refentrytitle> <manvolnum>8</manvolnum></citerefentry> - restore <acronym>IP</acronym> firewall chains from stdin
</para></listitem>
<listitem><para>
<citerefentry><refentrytitle>ipchains-save</refentrytitle><manvolnum>8</manvolnum></citerefentry> - save <acronym>IP</acronym> firewall chains to stdout
</para></listitem>
</itemizedlist>
</para>
</section>
<section><?dbhtml filename="chap12sec108.html"?>
<title><literal>IPCHAINS</literal> Administrative Tools</title>
<para>
The commands listed below are some of the tools that we use often, but many more exist, and you should check the man page and documentation for more details and information. The <command>ipchains</command> tool is used for
the firewall administration of the Linux system. We use it to set up a firewall rules file, as we are doing in this book. Once the firewall rules have been created, we can use
its many commands to maintain and inspect the rules loaded in the Linux kernel.
</para>
<para>
To list all rules in the selected chain, use the command:
<screen>
[root@deep] /# <command>ipchains</command> -L
</screen>
This command will list all rules in the selected chain. If no chain is selected, all chains are listed.
</para>
<para>
To list all input rules in the selected chain, use the command:
<screen>
[root@deep] /# <command>ipchains</command> -L input
</screen>
This command will list all input rules we have configured in the selected chain.
</para>
<para>
To list all output rules in the selected chain, use the command:
<screen>
[root@deep] /# <command>ipchains</command> -L output
</screen>
This command will list all output rules we have configured in the selected chain.
</para>
<para>
To list all forward rules in the selected chain, use the command:
<screen>
[root@deep] /# <command>ipchains</command> -L forward
</screen>
This command will list all forward rules in the selected chain. This of course works only if you have configured Masquerading on your server, <emphasis>that is, for gateway servers in general</emphasis>.
</para>
<para>
To list the masquerading entries (the currently masqueraded connections), use the command:
<screen>
[root@deep] /# <command>ipchains</command> -ML
</screen>
This option allows viewing of the currently masqueraded connections. You must have configured Masquerading on your server for this command to work, <emphasis>once again, only on gateway servers</emphasis>.
</para>
<para>
To list all rules in the selected chain with numeric output, use the command:
<screen>
[root@deep] /# <command>ipchains</command> -nL
</screen>
This command will list all rules in numeric output. All the <acronym>IP</acronym> addresses and port numbers will be printed in numeric format.
</para>
</section>
</chapter>
</part>
<part label="5"><?dbhtml filename="soft-secure.html"?>
<title>Software -Security</title>
<partintro>
<mediaobject>
<imageobject>
<imagedata fileref="./resources/Annimals/Chapter21.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Spoonbill</phrase></textobject>
</mediaobject>
<abstract><para>
The next two parts deal exclusively with software other than what the Linux distribution, <emphasis>in our case Red Hat Linux,</emphasis> may or may not provide as part of its core distribution. In
some cases it may be provided as an extra, but as a pre-compiled binary which may not exactly suit your purpose. Hence we have in most cases used source packages, usually packed as gzipped tar archives -<literal>*.tar.gz</literal>
or, in some recent cases, as bzipped tar archives -<literal>*.tar.bz2</literal>. This gives us the maximum available choice to tweak, choose and delete the options within this software. Just a word about <literal>*.tar.gz</literal>
and <literal>*.tar.bz2</literal>: the contents are the same except that the compression used is different, and the <literal>bz2</literal> compressed format is smaller in size.
</para></abstract></partintro>
<chapter label="13"><?dbhtml filename="lin-compiler.html"?>
<title>Linux -The Compiler functionality</title>
<highlights>
<para>
We are now at one of the most interesting points: here we will compile and install all the services that we wish to offer on our Linux server. Before we begin to explain how to compile and install server software
with all the security and optimizations that we will need on our server, it is important to know the commands and programs we will use often to do the job. First of all, we must ensure that we have the
necessary packages needed to compile software on our system. These packages must be installed on your server or you will not be able to compile programs.
</para>
</highlights>
<section><?dbhtml filename="chap13sec109.html"?>
<title>The necessary packages</title>
<para>
The following are the packages needed to compile the other software programs on your system after the recompilation of your kernel. If they are not already installed, this software is on your Red Hat Linux 6.1 or 6.2 Part 1 CD-ROM
under the RedHat/RPMS directory.
<screen>
[root@deep] /#<command>mount</command> /dev/cdrom /mnt/cdrom/
[root@deep] /#<command>cd</command> /mnt/cdrom/RedHat/RPMS/
</screen>
</para>
<para>
<mediaobject><imageobject> <imagedata format="GIF" fileref="./images/Version6.1.gif"/></imageobject><textobject><phrase>Version 6.1 only</phrase></textobject></mediaobject>
<simplelist type="vert" columns="2">
<member><filename>autoconf-2.13-5.noarch.rpm</filename></member>
<member><filename>m4-1.4-12.i386.rpm</filename></member>
<member><filename>automake-1.4-5.noarch.rpm</filename></member>
<member><filename>dev86-0.14.9-1.i386.rpm</filename></member>
<member><filename>bison-1.28-1.i386.rpm</filename></member>
<member><filename>byacc-1.9-11.i386.rpm</filename></member>
<member><filename>cdecl-2.5-9.i386.rpm</filename></member>
<member><filename>cpp-1.1.2-24.i386.rpm</filename></member>
<member><filename>cproto-4.6-2.i386.rpm</filename></member>
<member><filename>ctags-3.2-1.i386.rpm</filename></member>
<member><filename>egcs-1.1.2-24.i386.rpm</filename></member>
<member><filename>ElectricFence-2.1-1.i386.rpm</filename></member>
<member><filename>flex-2.5.4a-7.i386.rpm</filename></member>
<member><filename>gdb-4.18-4.i386.rpm</filename></member>
<member><filename>kernel-headers-2.2.12-20.i386.rpm</filename></member>
<member><filename>glibc-devel-2.1.2-11.i386.rpm</filename></member>
<member><filename>make-3.77-6.i386.rpm</filename></member>
<member><filename>patch-2.5-9.i386.rpm</filename></member>
</simplelist>
</para>
<para>
<mediaobject><imageobject> <imagedata format="GIF" fileref="./images/Version6.2.gif"/></imageobject><textobject><phrase>Version 6.2 only</phrase></textobject></mediaobject>
<simplelist type="vert" columns="2">
<member><filename>autoconf-2.13-5.noarch.rpm</filename></member>
<member><filename>m4-1.4-12.i386.rpm</filename></member>
<member><filename>automake-1.4-6.noarch.rpm</filename></member>
<member><filename>dev86-0.15.0-2.i386.rpm</filename></member>
<member><filename>bison-1.28-2.i386.rpm</filename></member>
<member><filename>byacc-1.9-12.i386.rpm</filename></member>
<member><filename>cdecl-2.5-10.i386.rpm</filename></member>
<member><filename>cpp-1.1.2-30.i386.rpm</filename></member>
<member><filename>cproto-4.6-3.i386.rpm</filename></member>
<member><filename>ctags-3.4-1.i386.rpm</filename></member>
<member><filename>egcs-1.1.2-30.i386.rpm</filename></member>
<member><filename>ElectricFence-2.1-3.i386.rpm</filename></member>
<member><filename>flex-2.5.4a-9.i386.rpm</filename></member>
<member><filename>gdb-4.18-11.i386.rpm</filename></member>
<member><filename>kernel-headers-2.2.14-5.0.i386.rpm</filename></member>
<member><filename>glibc-devel-2.1.3-15.i386.rpm</filename></member>
<member><filename>make-3.78.1-4.i386.rpm</filename></member>
<member><filename>patch-2.5-10.i386.rpm</filename></member>
</simplelist>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
It is better to install the software described above all together if you do not want to receive dependency error messages during the <acronym>RPM</acronym> install. If you have followed all the steps
in <link linkend="pr1ch2">Installation of your Linux Server</link>, then all of these packages are already installed on your system and you do not need to reinstall them.
</para>
</important>
<para>
The <acronym>RPM</acronym> command to install a <acronym>RPM</acronym> package on your system is:
<screen>
[root@deep] /#<command>rpm</command> -Uvh foo-1.0-2.i386.rpm
</screen>
The <acronym>RPM</acronym> command to verify that a package is or is not installed on your system is:
<screen>
[root@deep] /#<command>rpm</command> -q foo
</screen>
</para>
<para>
Once again, after the installation and compilation of all the programs that you need on your server, it is important to uninstall all the sharp objects (compilers, <abbrev>etc.</abbrev>) described above. This will protect your system from unauthorized users trying to compile programs on your server.
</para>
<para>
Another thing to do is to move the rpm binary program to a safe place like a floppy disk, for the same reasons listed above. Imagine somebody with dark intentions trying to compile programs on your server and realizing that the compilers are not available. They will switch to importing programs as <acronym>RPM</acronym> packages onto the server
and installing them with the <acronym>RPM</acronym> commands. Whoops, Heh! Heh! surprised! The <acronym>RPM</acronym> commands are not available either.
</para>
<para>
Of course, if in future you need to install new software on your server, all you have to do is to put it back from the floppy disk.
To move the <acronym>RPM</acronym> binary to the floppy disk, use the commands:
<screen>
[root@deep] /#<command>mount</command> /dev/fd0 /mnt/floppy/
[root@deep] /#<command>mv</command> /bin/rpm /mnt/floppy
[root@deep] /#<command>umount</command> /mnt/floppy/
</screen>
To put the <acronym>RPM</acronym> binary back in its original directory, use the commands:
<screen>
[root@deep] /#<command>mount</command> /dev/fd0 /mnt/floppy/
[root@deep] /#<command>cp</command> /mnt/floppy/rpm /bin/
[root@deep] /#<command>umount</command> /mnt/floppy/
</screen>
</para>
<warning>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Warning.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Warning</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Never uninstall the <acronym>RPM</acronym> program completely from your system, or you will be unable to reinstall it later, since to install <acronym>RPM</acronym> or any other software you need to have the <acronym>RPM</acronym> commands available.
</para>
</warning>
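<para>
The two checks this section asks for, that every development package is present before you build and that the compilers are gone again afterwards, are both answered by the <command>rpm</command> <userinput>-q</userinput> query shown above. As an added example (not the book's code), the following shell functions run that query over a list of package names and report the missing or the still-installed ones; the function names and the selection of packages treated as sharp objects are assumptions, while the package list itself is the chapter's 6.2 list.
</para>

```shell
#!/bin/sh
# Added example, not from the book: check a list of packages with "rpm -q"
# and report which are missing (before compiling) or still present (after
# the compilers have been removed). Function names are assumptions.

# missing_packages NAME... -> prints every package "rpm -q" does not find,
# one per line; returns 0 only when none is missing
missing_packages() {
    missing=0
    for pkg in "$@"; do
        if rpm -q "$pkg" >/dev/null 2>/dev/null; then
            :
        else
            printf '%s\n' "$pkg"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# present_packages NAME... -> prints every package that is still installed;
# returns 0 only when none of them is, i.e. the build tools are really gone
present_packages() {
    present=0
    for pkg in "$@"; do
        if rpm -q "$pkg" >/dev/null 2>/dev/null; then
            printf '%s\n' "$pkg"
            present=$((present + 1))
        fi
    done
    [ "$present" -eq 0 ]
}

# The build packages the chapter lists for Red Hat 6.2 (names only: rpm -q
# matches on the package name, whatever version is installed)
BUILD_PACKAGES="autoconf m4 automake dev86 bison byacc cdecl cpp cproto ctags egcs ElectricFence flex gdb kernel-headers glibc-devel make patch"

# The subset to verify is gone once everything is compiled (assumed
# selection of the chapter's "sharp objects": compilers and build tools)
SHARP_PACKAGES="egcs cpp glibc-devel dev86 automake autoconf bison byacc flex"

# Usage on the server (unquoted so the lists split into words):
#   missing_packages $BUILD_PACKAGES    before compiling anything
#   present_packages $SHARP_PACKAGES    after uninstalling the compilers
```

<para>
Both functions keep going after the first hit and print the whole list, so a single run tells you everything you still have to install or remove. A package that is installed under a name other than the one queried is reported as missing, which is a prompt to check the list rather than an error in rpm.
</para>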
</section>
<section><?dbhtml filename="chap13sec110.html"?>
<title>Why choose <literal>tarballs</literal>?</title>
<para>
All the programs in Red Hat distributions of Linux are provided as <acronym>RPM</acronym> files. An <acronym>RPM</acronym> file, also known as a package, is a way of distributing software so that it can be easily installed, upgraded, queried, and deleted.
However, in the Unix world the de facto standard for package distribution continues to be by way of so-called <literal>tarballs</literal>. Tarballs are simply compressed archives that can be read and uncompressed with the tar utility. Installing
from tar is usually significantly more tedious than using <acronym>RPM</acronym>. So why would we choose to do so?
</para>
<orderedlist numeration="arabic" spacing="compact">
<listitem><para>
Unfortunately, it takes a few weeks for developers and coders to get the latest version of a package converted to <acronym>RPM</acronym>s, because many developers first release them as <literal>tarballs</literal>.
</para></listitem>
<listitem><para>
When developers and vendors release a new <acronym>RPM</acronym>, they include a lot of options that are often not necessary. Those organizations and companies do not know which options you will need and which you will not, so they include the most used ones to fit the needs of everyone.
</para></listitem>
<listitem><para>
Often <acronym>RPM</acronym>s are not optimized for your specific processor; companies like Red Hat Linux build <acronym>RPM</acronym>s based on a standard PC. This permits their <acronym>RPM</acronym> packages to be installed on all sorts of computers, since programs compiled for an i386 machine run on all systems.
</para></listitem>
<listitem><para>
Sometimes you download and install <acronym>RPM</acronym>s which other people around the world have built and made available. This can pose conflicts in certain cases, depending on how this individual built the package, such as errors, security and all the other problems described above.
</para></listitem>
</orderedlist>
<section>
<title>Compiling software on your system</title>
<para>
A program is something a computer can execute. Originally, somebody wrote the source code in a programming language he/she could understand, <abbrev>e.g.</abbrev> C or C++. The program source code also makes sense to a compiler, which converts the instructions into a binary file suited to whatever processor is
wanted, <abbrev>e.g.</abbrev> a 386 or similar. A modern file format for these executable programs is ELF. The programmer compiles his source using the compiler and gets a result of some sort. It is not at all uncommon that early attempts fail to compile, or, having compiled, fail to act as expected. Half of programming
is tracking down and fixing these problems: debugging.
</para>
<para>
For beginners there are more aspects and new words relating to the compilation of source code that you must know; these include, but are not limited to:
<glosslist>
<glossentry><glossterm>
The Multiple Files
</glossterm>
<glossdef><para>
One-file programs are quite rare. Usually there are a number of files, say <literal>*.c</literal>, <literal>*.cpp</literal>, <abbrev>etc.</abbrev>, that are each compiled into object files <literal>*.o</literal> and then linked into an executable. The compiler is usually used to perform the linking and calls the ld program behind the scenes.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
The Makefiles
</glossterm>
<glossdef><para>
The Makefiles are intended to aid you in building your program the same way each time. They also often help with speed. The make program uses dependencies in the Makefile to decide what parts of the program need to be recompiled. If you change one source file out of fifty
you hope to get away with one compile and one link step, instead of starting from scratch.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
The Libraries
</glossterm>
<glossdef><para>
Programs can be linked not only to object files <literal>*.o</literal> but also to libraries that are collections of object files. There are two forms of linking to libraries:
static, where the code goes in the executable file, and dynamic, where the code is collected when the program starts to run.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
The Patches
</glossterm>
<glossdef><para>
It used to be common for executable files to be given corrections without recompiling them. Now this practice has died out; in modern days, people change a small proportion of the whole source code, putting the change into a file called a patch. Where different versions of a
program are required, small changes to the code can be released this way, saving the trouble of having two large distributions.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>
The Errors in Compilation and Linking
</glossterm>
<glossdef><para>
Errors in compilation and linking are often typos, omissions, and misuse of the language. Check that the right include files are used for the functions you are calling. Unreferenced symbols are the sign of an incomplete link step. Also check that the necessary development
libraries (GLIBC) and tools (GCC, DEV86, AUTOMAKE, <abbrev>etc.</abbrev>) are installed on your system.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
The Debugging
</glossterm>
<glossdef><para>
Debugging is a large topic. It usually helps to have statements in the code that inform you of what is happening. To avoid drowning in output you might sometimes get them to print out only the first 3 passes in a loop. Checking that variables have passed correctly between
modules often helps. Get familiar with your debugging tools.
</para></glossdef>
</glossentry>
</glosslist>
</para>
</section>
</section>
<section><?dbhtml filename="chap13sec111.html"?>
<title>Build, Install software on your system</title>
<para>
You will see from the next chapter right through Part 6 that we use many different compile commands to build and install programs on the server. These commands are UNIX compatible and are used on all variants
of <literal>*nix</literal> machines to compile and install software.
</para>
<para>
The procedures to compile and install software tarballs on your server follow:
</para>
<procedure>
<step><para>
First of all, you must download the tarball from a trusted software archive site, usually the main site of the software you hope to install.
</para></step>
<step><para>
After downloading the tarball, change to the <filename class="directory">/var/tmp/</filename> directory (note that other paths are possible, at your discretion) and untar the archive by typing the commands as root, as in the
following example:
<example>
<title>Using tar</title>
<para>
<screen>
[root@deep] /#<command>tar</command> xzpf foo.tar.gz
</screen>
The above command will extract all files from the example foo.tar.gz compressed archive and will create a new directory for them, named after this software, in the directory where you are executing the command.
<variablelist>
<varlistentry><term>The <literal>x</literal> option</term>
<listitem><para>
tells tar to extract all files from the archive.
</para></listitem>
</varlistentry>
<varlistentry><term>The <literal>z</literal> option</term>
<listitem><para>
tells tar that the archive is compressed with gzip.
</para></listitem>
</varlistentry>
<varlistentry><term>The <literal>p</literal> option</term>
<listitem><para>
preserves the original permissions the files had when the archive was created.
</para></listitem>
</varlistentry>
<varlistentry><term>The <literal>f</literal> option</term>
<listitem><para>
tells tar that the very next argument is the file name.
</para></listitem>
</varlistentry>
</variablelist>
</para>
</example>
</para></step>
</procedure>
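<para>
The <literal>p</literal> option, run as root, applies whatever permission bits the archive carries, setuid bits included, and tar writes every member to the path stored in the archive. As an added example (not the book's code), the following shell functions list a gzipped tarball with <literal>tar t</literal> before anything is extracted, reject member names that are absolute or contain a <literal>..</literal> component, and only then run the <literal>tar xzpf</literal> step from the procedure above into a chosen directory. The function names and the use of the <literal>-C</literal> extraction directory are assumptions.
</para>

```shell
#!/bin/sh
# Added example, not from the book: inspect a tarball's member names before
# extracting it, so an archive cannot write outside the extraction directory.
# Link targets are not checked here (tar tvf shows them); names are assumptions.

# member_path_is_safe PATH -> 0 if PATH is relative and has no ".." component
member_path_is_safe() {
    case "$1" in
        /*|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

# tarball_is_safe ARCHIVE -> lists the gzipped tarball without extracting and
# prints every offending member; returns 0 only when all members are safe
tarball_is_safe() {
    if [ ! -r "$1" ]; then
        printf 'cannot read %s\n' "$1"
        return 1
    fi
    # the while loop runs in a subshell (it is the last stage of a pipeline),
    # so "exit 1" ends only that subshell and becomes the pipeline's status
    tar tzf "$1" | while IFS= read -r member; do
        if member_path_is_safe "$member"; then
            :
        else
            printf 'unsafe member: %s\n' "$member"
            exit 1
        fi
    done
}

# safe_extract ARCHIVE DIR -> the chapter's "tar xzpf", run only after the
# member check passed, extracting below DIR instead of the current directory
safe_extract() {
    archive="$1"
    dir="$2"
    tarball_is_safe "$archive" || return 1
    tar xzpf "$archive" -C "$dir"
}

# Usage, matching the procedure above:
#   safe_extract foo.tar.gz /var/tmp
```

<para>
GNU tar itself strips leading slashes and <literal>..</literal> from member names unless told not to, so the check mostly guards against archives produced by other tools or deliberately crafted ones; listing first costs one extra pass over the archive and tells you the top-level directory name before the extraction creates it.
</para>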
<para>
Once the tarball has been decompressed into the appropriate directory, you will almost certainly find a <filename>README</filename> and/or an <filename>INSTALL</filename> file included with the newly decompressed
files, with further instructions on how to build and compile the software package for use. You will need to enter commands similar to the following example:
<programlisting>
<command>./configure</command>
<command>make</command>
<command>make install</command>
</programlisting>
</para>
<para>
The above commands:
<simplelist type="vert">
<member>
<command>./configure</command> will configure the software to ensure your system has the necessary functionality and libraries to successfully compile the package.
</member><member>
<command>make</command> will compile all the source files into executable binaries.
</member><member>
Finally, <command>make install</command> will install the binaries and any supporting files into the appropriate locations.
</member>
</simplelist>
Other specific commands that you will see in our book for the compilation and installation procedures are:
</para>
<programlisting>
<command>make depend</command>
<command>strip</command>
<command>chown</command>
</programlisting>
<variablelist>
<varlistentry><term>
<command>make depend</command></term>
<listitem><para>
command will build the necessary dependencies for the different files.
</para></listitem>
</varlistentry>
<varlistentry><term>
<command>strip</command></term>
<listitem><para>
command will discard all symbols from the object files. This means that our binary file will be smaller in size, which improves the performance of the program a bit, since there will be fewer lines for the system to read
when it executes the binary.
</para></listitem>
</varlistentry>
<varlistentry><term>
<command>chown</command> </term>
<listitem><para>
command will set the correct owner and group permissions for the binaries.
</para></listitem>
</varlistentry>
</variablelist>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
More commands when necessary will be explained in the concerned installation procedure.
</para>
</note>
<section>
<title>Edit files with the vi editor</title>
<para>
The vi program is a text editor that you can use to edit any text, and particularly programs. During the installation of software, the user will often have to edit text files like <filename>Makefiles</filename> or
configuration files to make them fit their needs. The following are some of the most important keystroke commands to get around in vi.
</para>
<glosslist>
<glossentry>
<glossterm><command>i</command></glossterm>
<glossdef><para>
To insert text before the cursor.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command>a</command></glossterm>
<glossdef><para>
To append text after the cursor.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command>dd</command></glossterm>
<glossdef><para>
To delete the current line.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command>x</command></glossterm>
<glossdef><para>
To delete the current character.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command>Esc</command></glossterm>
<glossdef><para>
To end the insert or append mode.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command>u</command></glossterm>
<glossdef><para>
To undo the last command.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command><keycombo>
<keycap>Ctrl</keycap></keycombo>+<keycombo><keycap>f</keycap>
</keycombo></command></glossterm>
<glossdef><para>
Scroll up one page.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command><keycombo>
<keycap>Ctrl</keycap></keycombo>+<keycombo><keycap>b</keycap>
</keycombo></command></glossterm>
<glossdef><para>
Scroll down one page.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command>/string</command></glossterm>
<glossdef><para>
Search forward for string.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command>:f</command></glossterm>
<glossdef><para>
Display filename and current line number.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command>:q</command></glossterm>
<glossdef><para>
Quit editor.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command>:q!</command></glossterm>
<glossdef><para>
Quit editor without saving changes.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><command>:wq</command></glossterm>
<glossdef><para>
Save changes and exit editor.
</para></glossdef>
</glossentry>
</glosslist>
<warning>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Warning.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Warning</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Before proceeding to read the rest of this book, it should be noted that the text assumes that certain files are placed in certain directories. Where they have been specified, the conventions we adopt here for
locating these files are those of the Red Hat Linux distribution. If you are using a distribution of Linux or some other operating system that chooses to distribute these files in a different way, you should be
careful when copying examples directly from the text.
</para>
</warning>
</section>
</section>
</chapter>
<chapter label="14" id="prt5ch2ssmt"><?dbhtml filename="soft-secmonitor.html"?>
<title>Software -Security/Monitoring</title>
<highlights><para>
At this part of our book, all the software listed from chapter 14 through chapter 32 is optional and depends on what you want to install or do on your server, <abbrev>e.g.</abbrev> what kind of tasks will your server do, and for
which part of your network, Intranet or Internet? In other parts it may be important for you to replace the Telnet program with SSH for secure remote administration. Another interesting program is Tripwire, which
aids system administrators and users in monitoring a designated set of files for any changes.
</para></highlights>
<section xreflabel="sXid" id="prt5ch2s1Xd"><?dbhtml filename="chap14sec112.html"?>
<title>sXid</title>
<para>
<abbrev>SUID/SGID</abbrev> files can be a security hazard. To reduce the risks, we have previously removed the <literal>s</literal> bits from root-owned programs that do not absolutely require such privilege, but future and existing
files may be set with these <literal>s</literal> bits enabled without your knowledge.
</para>
<para>
sXid is an all-in-one <literal>suid/sgid</literal> monitoring program designed to be run from cron on a regular basis. Basically it tracks any changes in
your <literal>s[ug]id</literal> files and folders. If there are any new ones, ones that are not set any more, or ones that have changed bits or other modes, then it reports the changes in an easy to read format via email or on the
command line. sXid will automate the task of finding all <abbrev>SUID/SGID</abbrev> files on your server and reporting them to you. Once installed, you can forget about it and it will do the job for you.
</para>
<para>
These installation instructions assume the following:
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para>
</listitem>
<listitem><para>
The source path is <filename>/var/tmp</filename> (other paths are possible).
</para></listitem>
<listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem>
<listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>.
</para></listitem>
<listitem><para>
sXid version number as of this writing is <literal>4.0.1</literal>.
</para></listitem>
</itemizedlist>
Packages can be downloaded from the sXid <acronym>FTP</acronym> site: <link linkend="prtinxfp8">ftp://marcus.seva.net/pub/sxid/</link>. You must be sure to download sxid_4.0.1.tar.gz, or whatever the latest version is.
</para>
<warning>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Warning.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Warning</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The instructions explained here in this book are applicable to the version number mentioned, and you need to consult the <filename>README</filename> and/or <filename>INSTALL</filename> files within the tarball of the version you have downloaded for any changes, additions, deletions, <abbrev>etc.</abbrev>
</para>
</warning>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
It is a good idea to make a list of files on the system before you install sXid, and one afterwards, and then compare them using diff to find out what file it placed where. Simply run <command>find</command> <userinput>/* &gt; sXid1</userinput> before
and <command>find</command> <userinput>/* &gt; sXid2</userinput> after you install the software, and use <userinput>diff sXid1 sXid2 &gt; sXid-Installed</userinput> to get a list of what changed.
</para></important>
<para>
Decompress the tarball <literal>tar.gz</literal>.
<screen>
[root@deep] /#<command>cp</command> sxid_version.tar.gz /var/tmp/
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ] /tmp#<command>tar</command> xzpf sxid_version.tar.gz
</screen>
</para>
<para>
To compile and optimize, move into the new sXid directory and type the following commands on your terminal:
<screen>
[root@deep tmp]#<command>cd</command> sxid-4.0.1
[root@deep ] /sxid-4.0.1#<command>make install</command>
</screen>
The above commands will configure the software to ensure your system has the necessary functionality and libraries to successfully compile the package, compile all source files into executable binaries, and then install the binaries and any
supporting files into the appropriate locations. Please do a cleanup later:
<screen>
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ] /tmp#<command>rm</command> -rf sxid-version/ sxid_version.tar.gz
</screen>
The <command>rm</command> command as used above will remove all the source files we have used to compile and install sXid. It will also remove the sXid compressed archive from the <filename>/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap14sec113.html"?>
<title>Configure and Optimize sXid</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. This can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>.
You can unpack this to any location on your local machine, say for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each configuration file has its own directory
for the respective software. For example, the <wordasword>sXid</wordasword> configuration file is organised like this:
<literallayout class="monospaced"><computeroutput>
total 4
-rw-r--r-- 1 harrypotter harrypotter 1586 Jun 8 13:00 sxid.conf
</computeroutput></literallayout>
You can either cut and paste this directly if you are faithfully following our instructions from the beginning, or manually edit these to modify them to your needs. This facility is there as a convenience, but please do not forget that ultimately it will be your
responsibility to check, verify, <abbrev>etc.</abbrev> before you use them, whether modified or as they are.
</para>
</note>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
To run sXid, the following file from the floppy.tgz archive is required and must be created or copied to the appropriate directory on your server: copy the sxid.conf file to the <filename class="directory">/etc/</filename> directory,
or alternatively copy and paste it directly from this book into the file concerned.
</para></tip>
<section>
<title>Configure the <filename>/etc/sxid.conf</filename> file</title>
<para>
The configuration file for sXid <filename>/etc/sxid.conf</filename> allows you to set options that modify the operation of the program. It is well commented and very basic.
</para>
<procedure>
<step><para>
Edit the sxid.conf file (<command>vi</command> <filename>/etc/sxid.conf</filename>) and set it to your needs:
<programlisting>
# Configuration file for sXid
# Note that all directories must be absolute with no trailing /'s
# Where to begin our file search
SEARCH = "/"
# Which subdirectories to exclude from searching
EXCLUDE = "/proc /mnt /cdrom /floppy"
# Who to send reports to
EMAIL = "root"
# Always send reports, even when there are no changes?
ALWAYS_NOTIFY = "no"
# Where to keep interim logs. This will rotate 'x' number of
# times based on KEEP_LOGS below
LOG_FILE = "/var/log/sxid.log"
# How many logs to keep
KEEP_LOGS = "5"
# Rotate the logs even when there are no changes?
ALWAYS_ROTATE = "no"
# Directories where +s is forbidden (these are searched
# even if not explicitly in SEARCH), EXCLUDE rules apply
FORBIDDEN = "/home /tmp"
# Remove (-s) files found in forbidden directories?
ENFORCE = "yes"
# This implies ALWAYS_NOTIFY. It will send a full list of
# entries along with the changes
LISTALL = "no"
# Ignore entries for directories in these paths
# (this means that only files will be recorded, you
# can effectively ignore all directory entries by
# setting this to "/"). The default is /home since
# some systems have /home g+s.
IGNORE_DIRS = "/home"
# File that contains a list (each on its own line)
# of other files that sxid should monitor. This is useful
# for files that aren't +s, but relate to system
# integrity (tcpd, inetd, apache...).
# EXTRA_LIST = "/etc/sxid.list"
# Mail program. This changes the default compiled in
# mailer for reports. You only need this if you have changed
# its location and don't want to recompile sxid.
# MAIL_PROG = "/usr/bin/mail"
</programlisting>
</para></step>
<step><para>
Place an entry into root's crontab to make sXid run as a cron job. sXid runs from crond and tracks any changes in your <literal>s[ug]id</literal> files and folders: if there are new
ones, ones that are no longer set, or ones whose bits or other modes have changed, it reports the changes. To add sXid to your cron jobs, edit root's crontab and add the line shown below.
To edit the crontab, use the command <emphasis>as root</emphasis>:
<screen>
[root@deep] /#<command>crontab</command> -e
</screen>
<programlisting>
# Sample crontab entry to run every day at 4am
0 4 * * * /usr/bin/sxid
</programlisting>
</para></step>
</procedure>
<para>
For more details, there are two man pages you can read: <citerefentry><refentrytitle>sxid.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> - <emphasis>configuration settings for sxid</emphasis>
and <citerefentry><refentrytitle>sxid</refentrytitle><manvolnum>1</manvolnum></citerefentry> - <emphasis>check for changes in s[ug]id files and directories</emphasis>.
</para>
<para>
sXid is an administrative tool meant to run as a cron job. It should run once a day, but busy shell boxes may want to run it twice a day. You can also run it manually for spot-checking.
To run sXid manually, use the command:
<screen>
[root@deep] /#<command>sxid</command> -k
</screen>
<literallayout><computeroutput>
sXid Vers : 4.0.1
Check run : Wed Dec 29 12:40:32 1999
This host : mail.openna.com
Spotcheck : /home/admin
Excluding : /proc /mnt /cdrom /floppy
Ignore Dirs: /home
Forbidden : /home /tmp
</computeroutput></literallayout>
<emphasis>No changes found!</emphasis>
This checks for changes by recursing the current working directory. Log files will not be rotated
and no email is sent. All output goes to stdout.
</para>
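<para>
The following Python program is an added example and not part of sXid; it models what sXid does on each cron run, driven by the same keys as the <filename>/etc/sxid.conf</filename> above (<literal>SEARCH</literal>, <literal>EXCLUDE</literal>, <literal>FORBIDDEN</literal>, <literal>IGNORE_DIRS</literal> and <literal>ENFORCE</literal>). It keeps only the s[ug]id entries of a file listing, compares a baseline snapshot with the current one, and reports the three things the report above is about: new entries, entries that are no longer set, and entries whose bits changed, plus anything found under a <literal>FORBIDDEN</literal> directory. The two file listings and the configuration fragment are constructed in the code rather than read from a real file system, so it runs offline.
</para>
<programlisting><![CDATA[
```python
"""Added example (not sXid's own code): a model of one sXid cron run."""
import stat

# Constructed /etc/sxid.conf fragment, using the keys shown on the page.
SAMPLE_CONF = """
# Where to begin our file search
SEARCH = "/"
# Which subdirectories to exclude from searching
EXCLUDE = "/proc /mnt /cdrom /floppy"
# Directories where +s is forbidden
FORBIDDEN = "/home /tmp"
# Ignore directory entries in these paths
IGNORE_DIRS = "/home"
ENFORCE = "yes"
"""

# Constructed snapshots standing in for a file system walk:
# (path, permission bits, is_directory).
BASELINE = [
    ("/bin/su",         0o4755, False),
    ("/usr/bin/passwd", 0o4755, False),
    ("/home",           0o2755, True),   # g+s directory, hidden by IGNORE_DIRS
    ("/proc/1/exe",     0o4755, False),  # inside an EXCLUDE subtree
    ("/usr/bin/vi",     0o0755, False),  # no s-bit: never recorded
]
CURRENT = [
    ("/bin/su",         0o6755, False),  # g+s added: changed bits
    ("/usr/bin/passwd", 0o0755, False),  # s-bit cleared: no longer set
    ("/home",           0o2755, True),
    ("/proc/1/exe",     0o4755, False),
    ("/usr/bin/sudo",   0o4111, False),  # new s[ug]id file
    ("/tmp/.x",         0o4755, False),  # new, and inside a FORBIDDEN directory
]


def parse_sxid_conf(text):
    """Parse KEY = "value" lines; '#' starts a comment, other lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value.strip('"')
    return conf


def under(path, dirs):
    """True when path is one of dirs or lies below one of them."""
    return any(path == d or path.startswith(d.rstrip("/") + "/") for d in dirs)


def sxid_entries(listing, conf):
    """Return {path: mode} for the entries sXid would record from a listing."""
    search = conf.get("SEARCH", "/").split()
    exclude = conf.get("EXCLUDE", "").split()
    ignore_dirs = conf.get("IGNORE_DIRS", "").split()
    kept = {}
    for path, mode, is_dir in listing:
        if not mode & (stat.S_ISUID | stat.S_ISGID):
            continue  # only +s entries matter
        if not under(path, search) or under(path, exclude):
            continue  # outside SEARCH or inside an EXCLUDE subtree
        if is_dir and under(path, ignore_dirs):
            continue  # directory entries under IGNORE_DIRS are not recorded
        kept[path] = mode
    return kept


def compare(baseline, current):
    """The three things sXid reports: new, no-longer-set and changed entries."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


def forbidden_hits(current, conf):
    """Recorded entries inside FORBIDDEN directories (ENFORCE=yes would -s them)."""
    return sorted(p for p in current if under(p, conf.get("FORBIDDEN", "").split()))


def run_check(conf_text=SAMPLE_CONF, before=BASELINE, after=CURRENT):
    """One cron run: filter both snapshots, diff them, flag forbidden entries."""
    conf = parse_sxid_conf(conf_text)
    base, cur = sxid_entries(before, conf), sxid_entries(after, conf)
    added, removed, changed = compare(base, cur)
    return {"added": added, "removed": removed, "changed": changed,
            "forbidden": forbidden_hits(cur, conf),
            "enforce": conf.get("ENFORCE") == "yes"}


if __name__ == "__main__":
    for section, paths in run_check().items():
        print(f"{section:>9}: {paths}")
```
]]></programlisting>
<para>
Run as a script it prints the same four sections a real sXid mail contains. Note that a file whose s-bit was cleared shows up as <emphasis>removed</emphasis> rather than <emphasis>changed</emphasis>, because only +s entries are ever recorded; that is also why a file that was never +s cannot appear in any section.
</para>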
<para>
These are the files installed on your system by the sXid program.
<simplelist type="vert">
<member><filename>
/etc/sxid.conf
</filename>
</member><member>
<filename>
/usr/bin/sxid
</filename>
</member><member>
<filename>
/usr/man/man1/sxid.1
</filename>
</member><member>
<filename>
/usr/man/man5/sxid.conf.5
</filename>
</member>
</simplelist>
</para>
</section>
</section>
<section id="pr5ch2sc3lc"><?dbhtml filename="chap14sec114.html"?>
<title>Logcheck</title>
<para>
One important task in the security world is to regularly check the log files. Often the daily activities of an administrator don't leave time for this task, and that can lead to problems.
</para>
<sidebar>
<title>Extracted from <citation>Logcheck abstract</citation>:</title>
<para>
Auditing and logging system events is important! What is more important is that system administrators be aware of these events so they can prevent problems that will inevitably occur if you have a system
connected to the Internet. Unfortunately for most Unices it doesn't matter how much you log activity if nobody ever checks the logs, which is often the case. This is where logcheck will help. Logcheck automates
the auditing process and weeds out <emphasis>normal</emphasis> log information to give you a condensed look at problems and potential troublemakers mailed to wherever you please. Logcheck is a software package
that is designed to automatically run and check system log files for security violations and unusual activity. Logcheck utilizes a program called logtail that remembers the last position it read from in a log
file and uses this position on subsequent runs to process new information.
</para></sidebar>
<para>
These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem>
<listitem><para>
The source path is <filename>/var/tmp</filename> <emphasis>other paths are possible</emphasis>.
</para></listitem>
<listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem>
<listitem><para>
All steps in the installation will happen in super-user account root.
</para></listitem>
<listitem><para>
Logcheck version number is <literal>1.1.1</literal>
</para></listitem>
</itemizedlist>
</para>
<para>
The package is available from the Logcheck home page, <link linkend="prtinxfp8">http://www.psionic.com/abacus/logcheck/</link>;
make sure you download logcheck-1.1.1.tar.gz, the version available as of this writing.
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Please do not forget to read the <filename>README</filename> and/or <filename>INSTALL</filename> files within the tarball you have downloaded if the version number is not the same as the one we have suggested, and follow their instructions,
since there are likely to be changes, either by way of additions or deletions.
</para>
</important>
<para>
Before you uncompress and install from the tarballs it is a good idea to make a list of files on the system before you install Logcheck, and one afterwards, and then compare them using diff to find out what files
were placed where. Simply run <command>find</command> <userinput>/* &gt; Logcheck1</userinput> before and <command>find</command> <userinput>/* &gt; Logcheck2</userinput> after you install the software, and
use <command>diff</command> <userinput>Logcheck1 Logcheck2 &gt; Logcheck-Installed</userinput> to get a list of what changed.
</para>
<para>
To compile, you need to decompress the tarball (tar.gz).
<screen>
[root@deep] /#<command>cp</command> logcheck-version.tar.gz /var/tmp/
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ]/tmp#<command>tar</command> xzpf logcheck-version.tar.gz
</screen>
</para>
<para>
To compile and optimize, you must modify the <filename>Makefile</filename> file of Logcheck to specify installation paths, compilation flags, and optimizations for your system. We must modify this file to be compliant with Red Hat's file
system structure and install the Logcheck script files under our <envar>PATH</envar> environment variable.
</para>
<procedure>
<step><para>
Move into the new Logcheck directory, edit the <filename>Makefile</filename>, <command>vi</command> <filename>Makefile</filename>, and change the following lines:
</para>
<substeps><step><para>
<programlisting>
CC = cc
</programlisting>
To read:
<programlisting>
CC = egcs
</programlisting>
</para></step>
<step><para>
<programlisting>
CFLAGS = -O
</programlisting>
To read:
<programlisting>
CFLAGS = -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions
</programlisting>
</para></step>
<step><para>
<programlisting>
INSTALLDIR = /usr/local/etc
</programlisting>
To read:
<programlisting>
INSTALLDIR = /etc/logcheck
</programlisting>
</para></step>
<step><para>
<programlisting>
INSTALLDIR_BIN = /usr/local/bin
</programlisting>
To read:
<programlisting>
INSTALLDIR_BIN = /usr/bin
</programlisting>
</para></step>
<step><para>
<programlisting>
INSTALLDIR_SH = /usr/local/etc
</programlisting>
To read:
<programlisting>
INSTALLDIR_SH = /usr/bin
</programlisting>
</para></step>
<step><para>
<programlisting>
TMPDIR = /usr/local/etc/tmp
</programlisting>
To read:
<programlisting>
TMPDIR = /etc/logcheck/tmp
</programlisting>
</para></step>
<step><para>
The above changes will configure the software to use <application class="software">egcs</application> compiler, optimization flags specific to our system, and locate all files related to Logcheck software to
the destination target directories we have chosen to be compliant with the Red Hat file system structure.
</para></step>
</substeps>
</step>
<step><para>
Edit the Makefile file <command>vi</command> +67 <filename>Makefile</filename> and change the following line:
<programlisting>
@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
</programlisting>
To read:
<programlisting>
@if [ ! -d $(TMPDIR) ]; then /bin/mkdir -p $(TMPDIR); fi
</programlisting>
The <literal>-p</literal> option added above allows the installation program to create parent directories as needed.
</para></step>
<step><para>
Install Logcheck on your system.
<screen>
[root@deep ]/logcheck-1.1.1#<command>make</command> linux
</screen>
The above command will configure the software for the Linux operating system, compile all source files into executable binaries, and then install the binaries and any supporting
files into the appropriate locations. Please don't forget to clean up later:
<screen>
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ]/tmp#<command>rm</command> -rf logcheck-version/ logcheck-version.tar.gz
</screen>
The <command>rm</command> command as used above will remove all the source files we have used to compile and install Logcheck. It will also remove the Logcheck compressed archive from
the <filename class="directory">/var/tmp</filename> directory.
</para></step>
</procedure>
</section>
<section><?dbhtml filename="chap14sec115.html"?>
<title>Configure and Optimize Logcheck</title>
<para>
You need to configure the <filename>/usr/bin/logcheck.sh</filename> script file. Since we are using an alternate path for the files, <abbrev>i.e.</abbrev> <emphasis>not</emphasis> <filename>/usr/local/etc</filename>, we need to change the path
entries for <filename>logcheck.hacking</filename>, <filename>logcheck.violations</filename>, <filename>logcheck.ignore</filename>, <filename>logcheck.violations.ignore</filename>, and <filename>logtail</filename> in the main <filename>logcheck.sh</filename>
script. The <filename>/usr/bin/logcheck.sh</filename> script allows you to set these path entries and the other options that modify the operation of the program. It is well commented and very basic.
</para>
<procedure>
<step><para>
Edit the logcheck.sh file <command>vi</command> <filename>/usr/bin/logcheck.sh</filename> and change the following:
</para>
<substeps>
<step><para>
<programlisting>
LOGTAIL=/usr/local/bin/logtail
</programlisting>
To read:
<programlisting>
LOGTAIL=/usr/bin/logtail
</programlisting>
</para></step>
<step><para>
<programlisting>
TMPDIR=/usr/local/etc/tmp
</programlisting>
To read:
<programlisting>
TMPDIR=/etc/logcheck/tmp
</programlisting>
</para></step>
<step><para>
<programlisting>
HACKING_FILE=/usr/local/etc/logcheck.hacking
</programlisting>
To read:
<programlisting>
HACKING_FILE=/etc/logcheck/logcheck.hacking
</programlisting>
</para></step>
<step><para>
<programlisting>
VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
</programlisting>
To read:
<programlisting>
VIOLATIONS_FILE=/etc/logcheck/logcheck.violations
</programlisting>
</para></step>
<step><para>
<programlisting>
VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
</programlisting>
To read:
<programlisting>
VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore
</programlisting>
</para></step>
<step><para>
<programlisting>
IGNORE_FILE=/usr/local/etc/logcheck.ignore
</programlisting>
To read:
<programlisting>
IGNORE_FILE=/etc/logcheck/logcheck.ignore
</programlisting>
</para></step>
</substeps>
</step>
<step><para>
After installing Logcheck, place an entry into root's crontab to make Logcheck run as a cron job. Edit the local crontab file for root and set Logcheck to run once per hour, which is the recommended interval, although you
can run it more or less frequently. To add Logcheck to your cron jobs, edit the crontab and add the following line as root:
<screen>
[root@deep] /#<command>crontab</command> -e
</screen>
<programlisting>
# Hourly check Log files for security violations and unusual activity.
00 * * * * /usr/bin/logcheck.sh
</programlisting>
</para></step>
</procedure>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Remember, Logcheck does not report anything via email if it has nothing useful to say.
</para></note>
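<para>
The following Python program is an added example, not Logcheck's own code; it models the two mechanisms described above: the logtail offset bookkeeping (a <filename>.offset</filename> file beside the log remembers where the last run stopped, and a file that shrank because it was rotated is read from the start) and the keyword filtering that <filename>logcheck.sh</filename> applies to the new lines with the <filename>logcheck.hacking</filename>, <filename>logcheck.violations</filename>, <filename>logcheck.violations.ignore</filename> and <filename>logcheck.ignore</filename> files. The syslog lines and the four keyword lists are constructed for the example (the real lists live under <filename class="directory">/etc/logcheck</filename>), and the log is written to a temporary directory so nothing on the system is touched. As the note above says, a run with nothing to report produces no mail at all; the model returns <literal>None</literal> in that case.
</para>
<programlisting><![CDATA[
```python
"""Added example (not Logcheck's own code): logtail offsets plus the
logcheck.sh keyword filters, modelled on the files under /etc/logcheck."""
import os
import re
import tempfile

# Constructed syslog lines (192.0.2.0/24 is a documentation address range).
SAMPLE_LINES = [
    "Dec 29 12:40:01 deep CROND[1234]: (root) CMD (/usr/bin/sxid)\n",
    "Dec 29 12:41:12 deep in.telnetd[1240]: refused connect from 192.0.2.10\n",
    "Dec 29 12:42:03 deep sendmail[1250]: MAA01250: to=root, stat=Sent\n",
    "Dec 29 12:43:45 deep login[1260]: authentication failure for root from 192.0.2.10\n",
    "Dec 29 12:44:00 deep sendmail[1280]: 192.0.2.55: \"wiz\" command from host\n",
]
APPENDED_LINE = "Dec 29 13:00:00 deep in.fingerd[1300]: refused connect from 192.0.2.99\n"

# Constructed keyword lists standing in for the four logcheck.* files.
HACKING = ["wiz", "debug"]                                    # logcheck.hacking
VIOLATIONS = ["refused", "denied", "authentication failure"]  # logcheck.violations
VIOLATIONS_IGNORE = [r"in\.fingerd.*refused"]                 # logcheck.violations.ignore
IGNORE = [r"CROND\[\d+\]: \(root\) CMD", "stat=Sent"]         # logcheck.ignore


def logtail(logfile, offsetfile):
    """Return the lines appended since the last call and store the new position.
    As with logtail, a file that shrank (rotated) is read from the start."""
    try:
        with open(offsetfile) as f:
            offset = int(f.read().strip() or 0)
    except FileNotFoundError:
        offset = 0
    if os.path.getsize(logfile) < offset:
        offset = 0
    with open(logfile, "rb") as f:
        f.seek(offset)
        data = f.read()
        end = f.tell()
    with open(offsetfile, "w") as f:
        f.write(f"{end}\n")
    return data.decode("utf-8", "replace").splitlines()


def _matches(line, patterns):
    """Case-insensitive match against any pattern, like grep -i -f FILE."""
    return any(re.search(p, line, re.IGNORECASE) for p in patterns)


def logcheck(lines, hacking=HACKING, violations=VIOLATIONS,
             violations_ignore=VIOLATIONS_IGNORE, ignore=IGNORE):
    """Sort new lines into the sections of a Logcheck mail, or return None
    when there is nothing to say (Logcheck then sends no mail at all)."""
    report = {
        "attacks": [line for line in lines if _matches(line, hacking)],
        "violations": [line for line in lines if _matches(line, violations)
                       and not _matches(line, violations_ignore)],
        "unusual": [line for line in lines if not _matches(line, ignore)],
    }
    return report if any(report.values()) else None


def demo():
    """Three consecutive cron-style runs against a constructed messages file."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "messages")
    offset = os.path.join(workdir, "messages.offset")  # cf. /var/log/messages.offset
    with open(log, "w") as f:
        f.writelines(SAMPLE_LINES)
    first = logcheck(logtail(log, offset))   # everything is new
    second = logcheck(logtail(log, offset))  # nothing new: None, no mail
    with open(log, "a") as f:
        f.write(APPENDED_LINE)
    third = logcheck(logtail(log, offset))   # only the appended line
    return first, second, third


if __name__ == "__main__":
    for run, result in zip(("first", "second", "third"), demo()):
        print(run, "->", result)
```
]]></programlisting>
<para>
The third run shows why the two ignore files are different things: the constructed fingerd line matches a violation keyword but is silenced by <filename>logcheck.violations.ignore</filename>, yet it is still not in <filename>logcheck.ignore</filename>, so it is reported under unusual system events and a mail is still sent.
</para>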
<para>
These are the files installed by the Logcheck program on your system, for your future reference.
<simplelist type="vert" columns="2">
<member><filename>
/etc/logcheck
</filename></member>
<member><filename>
/etc/logcheck/tmp
</filename></member>
<member><filename>
/etc/logcheck/logcheck.hacking
</filename></member>
<member><filename>
/etc/logcheck/logcheck.violations
</filename></member>
<member><filename>
/etc/logcheck/logcheck.violations.ignore
</filename></member>
<member><filename>
/etc/logcheck/logcheck.ignore
</filename></member>
<member><filename>
/usr/bin/logcheck.sh
</filename></member>
<member><filename>
/usr/bin/logtail
</filename></member>
<member><filename>
/var/log/messages.offset
</filename></member>
<member><filename>
/var/log/secure.offset
</filename></member>
<member><filename>
/var/log/maillog.offset
</filename></member>
</simplelist>
</para>
</section>
<section xreflabel="PortSentry" id="prt5ch2sc5PS"><?dbhtml filename="chap14sec116.html"?>
<title>PortSentry</title>
<para>
Firewalls help us to protect our network from unsolicited intrusions. Using them we can choose which ports we want to be open and which ones we don't. Which ports are open is information your organization keeps private, and the individuals associated with it are responsible for keeping it so.
Nobody from the outside implicitly knows this information, but attackers, as well as spammers, know that for some kinds of attack a special program can be used to scan all the ports on a server and glean this valuable information, <abbrev>i.e.</abbrev> what is open and what is not.
</para>
<sidebar>
<title>From the <citation>PortSentry introduction</citation>:</title>
<para>
A port scan is a symptom of a larger problem coming your way. It is often the pre-cursor for an attack and is a critical piece of information for properly defending your information resources. PortSentry is a program designed
to detect and respond to port scans against a target host in real-time and has a number of options to detect port scans. When it finds one it can react in the following ways:
<simplelist>
<member>
A log indicating the incident is made via syslog().
</member><member>
The target host is automatically dropped into <filename>/etc/hosts.deny</filename> for <acronym>TCP</acronym> Wrappers.
</member><member>
The local host is automatically re-configured to route all traffic to the target to a dead host to make the target system disappear.
</member><member>
The local host is automatically re-configured to drop all packets from the target via a local packet filter.
</member><member>
The purpose of this is to give an admin a heads up that their host is being probed.
</member>
</simplelist>
</para>
</sidebar>
<para>
These installation instructions assume:
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem>
<listitem><para>
The source path is <filename class="directory">/var/tmp</filename> <emphasis>other paths are possible</emphasis>.
</para></listitem>
<listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem>
<listitem><para>
All steps in the installation will happen in super-user account root.
</para></listitem>
<listitem><para>
Portsentry version number is <literal>1.0</literal>
</para></listitem>
</itemizedlist>
</para>
<para>
These are the package(s) you have to download from the Portsentry home page, <link linkend="prtinxfp10">http://www.psionic.com/abacus/portsentry/</link>.
You must be sure to download: portsentry-1.0.tar.gz
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Please do not forget to read the <filename>README</filename> and/or <filename>INSTALL</filename> files within the tarball you have downloaded if the version number is not the same as the one we have suggested, and follow their instructions,
since there are likely to be changes, either by way of additions or deletions.
</para></important>
<para>
When you install from tarball(s), it is always better to make a list of files on the system before you install Portsentry, and one afterwards, and then compare them using diff to find out what file is placed
where. Simply run <userinput><command>find</command> /* &gt; Portsentry1</userinput> before and <userinput><command>find</command> /* &gt; Portsentry2</userinput> after you install the software, and
use <userinput><command>diff</command> Portsentry1 Portsentry2 &gt; PortSentry-Installed</userinput> to get a list of what changed.
</para>
<para>
To compile, you first need to decompress the tarball <literal>*.tar.gz</literal>.
<screen>
[root@deep] /#<command>cp</command> portsentry-version.tar.gz /var/tmp/
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ]/tmp#<command>tar</command> xzpf portsentry-version.tar.gz
</screen>
</para>
<procedure>
<title>Optimize to compile</title>
<step><para>
You must modify the <filename>Makefile</filename> file for Portsentry to specify installation paths, compilation flags, and optimizations for your system. We must also modify this file to be compliant with Red Hat's file system structure.
Move into the new Portsentry directory, edit the <filename>Makefile</filename> file, <command>vi</command> <filename>Makefile</filename>, and change the following lines:
</para>
<substeps>
<step><para>
<programlisting>
CC = cc
</programlisting>
To read:
<programlisting>
CC = egcs
</programlisting>
</para></step>
<step><para>
<programlisting>
CFLAGS = -O -Wall
</programlisting>
To read:
<programlisting>
CFLAGS = -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -Wall
</programlisting>
</para></step>
<step><para>
<programlisting>
INSTALLDIR = /usr/local/psionic
</programlisting>
To read:
<programlisting>
INSTALLDIR = /usr/psionic
</programlisting>
</para></step>
<step><para>
The above changes will configure the software to use the <application class="software">egcs</application> compiler, optimization flags specific to our system, and locate all files related to the Portsentry software in the target directories we have chosen.
</para></step>
</substeps>
</step>
<step><para>
Since we are using an alternate path for the files <abbrev>i.e.</abbrev> <emphasis>not</emphasis> <filename class="directory">/usr/local/psionic</filename>, we need to change the path to the PortSentry configuration file in the main portsentry_config.h header file. Move into the new
PortSentry directory and edit the portsentry_config.h file <command>vi</command> <filename class="headerfile">portsentry_config.h</filename> and change the following line:
<programlisting>
#define CONFIG_FILE &quot;/usr/local/psionic/portsentry/portsentry.conf"
</programlisting>
To read:
<programlisting>
#define CONFIG_FILE &quot;/usr/psionic/portsentry/portsentry.conf"
</programlisting>
</para></step>
<step><para>
Install Portsentry on your system.
<screen>
[root@deep ]/portsentry-1.0#<command>make</command> linux
[root@deep ]/portsentry-1.0#<command>make</command> install
</screen>
The above commands will configure the software for the Linux operating system, compile, build, and then finally install the files into the appropriate locations.
</para></step>
</procedure>
<para>
Please do a cleanup later:
<screen>
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ]/tmp#<command>rm</command> -rf portsentry-version/ portsentry-version.tar.gz
</screen>
The <command>rm</command> command will remove all the source files we have used to compile and install PortSentry. It will also remove the PortSentry compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap14sec117.html"?>
<title>Configure and Optimise Portsentry</title>
<para>
You have to configure the <filename>/usr/psionic/portsentry/portsentry.conf</filename> file, which is the main configuration file for the PortSentry software; in it you can specify which ports you want to listen
on, which <acronym>IP</acronym> addresses are denied, monitored or ignored, disable automatic responses, and so on. For more information read the <filename>README.install</filename> file under the PortSentry source directory.
Edit the <filename>portsentry.conf</filename> file, <command>vi</command> <filename>/usr/psionic/portsentry/portsentry.conf</filename>, and check/change the following options to fit your needs:
</para>
<programlisting>
# PortSentry Configuration
#
# $Id$
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.
#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1023.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have a problem because I'll only tell
# you to RTFM and don't run above the first 1023 ports.
#
#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE=&quot;/usr/psionic/portsentry/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE=&quot;/usr/psionic/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE=&quot;/usr/psionic/portsentry/portsentry.blocked"
###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing though as most attackers really aren't doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)
BLOCK_UDP="1"
BLOCK_TCP="1"
###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.666 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# All KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If your OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#
# Generic
#KILL_ROUTE=&quot;/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
#KILL_ROUTE=&quot;/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
KILL_ROUTE=&quot;/sbin/route add -host $TARGET$ reject"
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE=&quot;/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE=&quot;/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#KILL_ROUTE=&quot;/usr/etc/route add $TARGET$ 127.0.0.1 1"
# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE=&quot;/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
# Generic HP-UX
#KILL_ROUTE=&quot;/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
##
# Using a packet filter is the preferred method. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##
###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"
#
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped. I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
# AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
# and people can make scans appear out of thin air. The only time it
# is reasonably safe (and I *never* think it is reasonable) to run
# reverse probe scripts is when using the "classic" -tcp mode. This
# mode requires a full connect and is very hard to spoof.
#
#KILL_RUN_CMD=&quot;/some/path/here/script $TARGET$ $PORT$"
#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used port
# below your specified range, you have the opportunity to really
# break things. (i.e someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#
SCAN_TRIGGER="0"
######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
PORT_BANNER=&quot;** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY.&quot;
# EOF
</programlisting>
<para>
Now, we must check/change its default permission for security reasons:
<screen>
[root@deep] /#<command>chmod</command> 600 /usr/psionic/portsentry/portsentry.conf
</screen>
</para>
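<para>
The comments in the file above state several rules that are easy to break while editing it by hand: every entry must be in quotes, port lists may not contain spaces, only one <literal>KILL_ROUTE</literal> line may be uncommented, the <literal>333.444.555.666</literal> gateway placeholder must be changed, monitoring above port 1023 in Advanced mode raises the false alarm rate, and X hosts must not bind port 6000 (or 2000 for OpenWindows). The following Python program is an added example, not PortSentry's own code: a small checker for those rules, run over the active lines of the configuration shown above and over a deliberately broken configuration; both are constructed as strings in the code, and the wording of the reported problems is the checker's own.
</para>
<programlisting><![CDATA[
```python
"""Added example (not PortSentry's own code): a checker for the rules stated in
the comments of portsentry.conf, run over constructed configurations."""
import re

LINE_RE = re.compile(r'^([A-Z_]+)="([^"]*)"$')  # all entries must be in quotes

# Constructed: the active lines of the page's configuration, trimmed.
GOOD_CONF = """\
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"
BLOCK_UDP="1"
BLOCK_TCP="1"
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_HOSTS_DENY="ALL: $TARGET$"
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
SCAN_TRIGGER="0"
"""

# Constructed: a configuration that breaks several of the stated rules.
BAD_CONF = """\
TCP_PORTS="1, 11, 15"
UDP_PORTS=1,7,9
ADVANCED_PORTS_TCP="2048"
ADVANCED_PORTS_UDP="1023"
BLOCK_TCP="1"
BLOCK_TCP="2"
BLOCK_UDP="1"
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
"""


def parse_portsentry_conf(text):
    """Return (settings, problems). KEY="value" lines are active, '#' lines are
    comments; a key set twice is reported, since only one KILL_ROUTE (or any
    other option) may be uncommented at a time."""
    settings, problems, first_seen = {}, [], {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            problems.append(f'line {number}: not of the form KEY="value"')
            continue
        key, value = match.groups()
        if key in first_seen:
            problems.append(f"line {number}: {key} already set at line {first_seen[key]}")
        else:
            first_seen[key] = number
        settings[key] = value
    return settings, problems


def check_portsentry_conf(text, x_windows=False):
    """Apply the rules from the configuration file's own comments."""
    settings, problems = parse_portsentry_conf(text)
    for key in ("TCP_PORTS", "UDP_PORTS", "ADVANCED_EXCLUDE_TCP", "ADVANCED_EXCLUDE_UDP"):
        value = settings.get(key, "")
        if " " in value:
            problems.append(f"{key}: no spaces allowed between port arguments")
        elif value and not all(p.isdigit() and 0 < int(p) < 65536 for p in value.split(",")):
            problems.append(f"{key}: every entry must be a port number 1-65535")
    if x_windows:  # X clients need 6000 (OpenWindows: 2000) left unbound
        for port in ("6000", "2000"):
            if port in settings.get("TCP_PORTS", "").split(","):
                problems.append(f"TCP_PORTS binds port {port}, which X needs")
    for key in ("ADVANCED_PORTS_TCP", "ADVANCED_PORTS_UDP"):
        value = settings.get(key, "0")
        if not value.isdigit() or int(value) > 1023:
            problems.append(f"{key}: monitoring above port 1023 raises the false alarm rate")
    for key in ("BLOCK_UDP", "BLOCK_TCP"):
        if settings.get(key) not in ("0", "1", "2"):
            problems.append(f"{key}: must be 0, 1 or 2")
    route = settings.get("KILL_ROUTE")
    if route is not None:
        if "$TARGET$" not in route:
            problems.append("KILL_ROUTE: does not use $TARGET$, so no host would be blocked")
        if "333.444.555.666" in route:
            problems.append("KILL_ROUTE: the 333.444.555.666 placeholder gateway must be changed")
    elif "1" in (settings.get("BLOCK_TCP"), settings.get("BLOCK_UDP")) \
            and "KILL_HOSTS_DENY" not in settings:
        problems.append("blocking is enabled but neither KILL_ROUTE nor KILL_HOSTS_DENY is active")
    if "KILL_RUN_CMD" in settings:
        problems.append("KILL_RUN_CMD is active: keep it non-retaliatory, scans can be spoofed")
    return problems


if __name__ == "__main__":
    print("page configuration:", check_portsentry_conf(GOOD_CONF) or "no problems")
    print("with X running:", check_portsentry_conf(GOOD_CONF, x_windows=True))
    print("broken configuration:", *check_portsentry_conf(BAD_CONF), sep="\n  ")
```
]]></programlisting>
<para>
The configuration shown in this section passes with no problems; with <literal>x_windows=True</literal> the checker points out that the page's <literal>TCP_PORTS</literal> list includes port 2000, which the file's own X-Windows note warns about.
</para>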
<para>
You need to configure the <filename>/usr/psionic/portsentry/portsentry.ignore</filename> file, where you add any host you want to have ignored if it connects to a tripwired port. This should always contain at least the
localhost <literal>127.0.0.1</literal> and the <acronym>IP</acronym>s of the local interfaces, including <literal>lo</literal>. It is not recommended that you put in every <acronym>IP</acronym> on your network.
Edit the <filename>portsentry.ignore</filename> file, <command>vi</command> <filename>/usr/psionic/portsentry/portsentry.ignore</filename>, and add any host you want to have ignored if it connects to a tripwired port:
</para>
<programlisting>
# Put hosts in here you never want blocked. This includes the IP addresses
# of all local interfaces on the protected host (i.e virtual host, multi-home)
# Keep 127.0.0.1 and 0.0.0.0 to keep people from playing games.
127.0.0.1
0.0.0.0
</programlisting>
<para>
Now, we must check/change its default permission for security reasons:
<screen>
[root@deep] /#<command>chmod</command> 600 /usr/psionic/portsentry/portsentry.ignore
</screen>
</para>
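<para>
The following Python program is an added example, not PortSentry's own code; it models the decision path that the two files configured in this section drive when a host touches a monitored port: the <filename>portsentry.ignore</filename> lookup, the <literal>SCAN_TRIGGER</literal> count, the <literal>BLOCK_TCP</literal>/<literal>BLOCK_UDP</literal> policy (0 log only, 1 block, 2 run the external command only), and the substitution of <literal>$TARGET$</literal> and <literal>$PORT$</literal> into <literal>KILL_HOSTS_DENY</literal>, <literal>KILL_ROUTE</literal> and <literal>KILL_RUN_CMD</literal>, which the file's comments say runs before the route is dropped. Nothing is executed: the model only returns the list of actions it would take. The settings subset, the ignore file contents, the pager script path and the wording of the actions are constructed for the example, and the network line in the ignore file is this model's assumption about the syntax rather than something the page states.
</para>
<programlisting><![CDATA[
```python
"""Added example (not PortSentry's own code): a model of the response path,
from portsentry.ignore lookup through SCAN_TRIGGER to the BLOCK_* actions.
Nothing is executed; the model returns the actions PortSentry would take."""
import ipaddress

# Constructed portsentry.ignore: one address per line, '#' comments.
# The network line is this model's assumption about the ignore-file syntax.
IGNORE_TEXT = """
# Put hosts in here you never want blocked.
127.0.0.1
0.0.0.0
192.0.2.0/24
"""

# Constructed subset of portsentry.conf. The pager script path is hypothetical.
SETTINGS = {
    "BLOCK_TCP": "1",          # block TCP scanners
    "BLOCK_UDP": "2",          # UDP: run the external command only
    "SCAN_TRIGGER": "1",       # tolerate one connect before reacting
    "KILL_ROUTE": "/sbin/route add -host $TARGET$ reject",
    "KILL_HOSTS_DENY": "ALL: $TARGET$",
    "KILL_RUN_CMD": "/usr/local/sbin/page-admin $TARGET$ $PORT$",
}


def parse_ignore(text):
    """Addresses and networks from a portsentry.ignore-style file."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def substitute(template, target, port):
    """Fill in the $TARGET$ and $PORT$ variables of a KILL_* command."""
    return template.replace("$TARGET$", target).replace("$PORT$", str(port))


class Sentry:
    """State PortSentry keeps while running: hit counts and this session's blocks."""

    def __init__(self, settings=SETTINGS, ignore_text=IGNORE_TEXT):
        self.settings = settings
        self.ignore = parse_ignore(ignore_text)
        self.trigger = int(settings.get("SCAN_TRIGGER", "0"))
        self.hits = {}          # connects seen per host
        self.blocked = set()    # like portsentry.blocked: cleared on restart

    def ignored(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.ignore)

    def connect(self, host, port, proto):
        """Actions for one connection from host to a monitored port."""
        if self.ignored(host):
            return []                        # never logged or blocked
        if host in self.blocked:
            return ["already blocked: ignoring"]
        self.hits[host] = self.hits.get(host, 0) + 1
        actions = [f"log: connect from {host} to {proto} port {port}"]
        if self.hits[host] <= self.trigger:
            return actions                   # under SCAN_TRIGGER: log only
        mode = self.settings.get(f"BLOCK_{proto.upper()}", "0")
        if mode == "0":
            return actions                   # warnings only for this protocol
        if "KILL_RUN_CMD" in self.settings:  # runs before the route is dropped
            actions.append("run: " + substitute(self.settings["KILL_RUN_CMD"], host, port))
        if mode == "1":
            for key, label in (("KILL_HOSTS_DENY", "hosts.deny"), ("KILL_ROUTE", "route")):
                if key in self.settings:
                    actions.append(f"{label}: " + substitute(self.settings[key], host, port))
            self.blocked.add(host)
        return actions


if __name__ == "__main__":
    sentry = Sentry()
    for host, port, proto in [("127.0.0.1", 111, "tcp"), ("198.51.100.9", 111, "tcp"),
                              ("198.51.100.9", 143, "tcp"), ("198.51.100.9", 1, "tcp"),
                              ("203.0.113.7", 69, "udp"), ("203.0.113.7", 69, "udp")]:
        print(host, port, proto, "->", sentry.connect(host, port, proto))
```
]]></programlisting>
<para>
With <literal>SCAN_TRIGGER</literal> set to 1 the first connect from a host is only logged; the second one triggers the response, and for <acronym>TCP</acronym> (policy 1) that means the hosts.deny entry and the route command, while for <acronym>UDP</acronym> (policy 2) only the external command runs and the host is not added to the blocked set.
</para>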
</section>
<section><?dbhtml filename="chap14sec118.html"?>
<title>Test fire your PortSentry</title>
<para>
The PortSentry program can be configured in six different modes of operation, but be aware that only one mode per protocol can be started at a time. To be more accurate, you can start one <acronym>TCP</acronym> mode and one <acronym>UDP</acronym> mode, so
two <acronym>TCP</acronym> modes and one <acronym>UDP</acronym> mode, for example, does not work. The available modes are:
<variablelist>
<varlistentry><term>
<command>portsentry</command> -tcp</term>
<listitem><para>
basic port-bound <acronym>TCP</acronym> mode
</para></listitem>
</varlistentry>
<varlistentry><term>
<command>portsentry</command> -udp</term>
<listitem><para>
basic port-bound <acronym>UDP</acronym> mode
</para></listitem>
</varlistentry>
<varlistentry><term>
<command>portsentry</command> -stcp</term>
<listitem><para>
Stealth <acronym>TCP</acronym> scan detection
</para></listitem>
</varlistentry>
<varlistentry><term>
<command>portsentry</command> -atcp</term>
<listitem><para>
Advanced <acronym>TCP</acronym> stealth scan detection
</para></listitem>
</varlistentry>
<varlistentry><term>
<command>portsentry</command> -sudp</term>
<listitem><para>
Stealth <acronym>UDP</acronym> scan detection
</para></listitem>
</varlistentry>
<varlistentry><term>
<command>portsentry</command> -audp</term>
<listitem><para>
Advanced Stealth <acronym>UDP</acronym> scan detection
</para></listitem>
</varlistentry>
</variablelist>
</para>
<para>
In my case I prefer to start <acronym>TCP</acronym> in Advanced <acronym>TCP</acronym> stealth scan detection protocol mode and <acronym>UDP</acronym> in Stealth <acronym>UDP</acronym> scan detection protocol
mode. For information about the other protocol modes, please refer to the <filename>README.install</filename> and <filename>README.stealth</filename> files under the PortSentry source directory.
For <acronym>TCP</acronym> mode I choose:
<glosslist>
<glossentry><glossterm>
-atcp
</glossterm>
<glossdef><para>
Advanced <acronym>TCP</acronym> stealth scan detection mode
</para></glossdef>
</glossentry>
</glosslist>
With the Advanced <acronym>TCP</acronym> stealth scan detection mode, the -atcp protocol mode type, PortSentry first checks which ports are already in use on your server, removes
those ports from monitoring and then watches the remaining ports. This is very powerful and reacts exceedingly quickly to port scanners. It also uses very little <acronym>CPU</acronym> time.
</para>
<para>
For <acronym>UDP</acronym> mode I choose:
<glosslist><glossentry>
<glossterm>
-sudp
</glossterm>
<glossdef><para>
Stealth <acronym>UDP</acronym> scan detection mode
</para></glossdef>
</glossentry>
</glosslist>
With the Stealth <acronym>UDP</acronym> scan detection mode -sudp protocol mode type, the <acronym>UDP</acronym> ports will be listed and then monitored.
</para>
<para>
To start PortSentry in the two modes selected above, use the commands:
<screen>
[root@deep] /# /usr/psionic/portsentry/portsentry -atcp
[root@deep] /# /usr/psionic/portsentry/portsentry -sudp
</screen>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can add the above lines to your <filename>/etc/rc.d/rc.local</filename> script file, and PortSentry will then be started automatically when you reboot your system.
</para></tip>
<para>
These are the files installed by PortSentry on your system:
<simplelist>
<member><filename>
/usr/psionic
</filename></member>
<member><filename>
/usr/psionic/portsentry
</filename></member>
<member><filename>
/usr/psionic/portsentry/portsentry.conf
</filename></member>
<member><filename>
/usr/psionic/portsentry/portsentry.ignore
</filename></member>
<member><filename>
/usr/psionic/portsentry/portsentry
</filename></member>
</simplelist>
</para>
</section>
</chapter>
</part>
<part label="6"><?dbhtml filename="soft-net.html"?>
<title>Software -Networking</title>
<partintro>
<mediaobject>
<imageobject>
<imagedata fileref="./resources/Annimals/Chapter16.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Two ducks!</phrase></textobject>
</mediaobject>
<abstract><para>
Linux, being a product of the net revolution, is a natural choice for a web server, a mail server, or a file and print server as part of your intranet environment, among the various other roles it can perform superbly well.
In this part we take a look at the various avatars it can assume to serve your organisation for a long time to come. All distributions of Linux, whether RedHat or SuSE, provide tools and software in binary format for your Linux to
act as a Web server or a Mail server, to mention a few, but the pace of advancement in the Linux world is beyond the grasp of these companies to keep up with. If something can be achieved, it will be done
in the shortest possible time; hence we have always used source tarballs downloaded from the respective websites of the software used as examples in this book. This affords us the capability to configure, choose and optimise according
to our needs. This part attempts to highlight the capabilities of Linux to act as a full-fledged Web server, Mail server, file and print server, or a B2B e-commerce point where the need of the hour is a secure environment, <abbrev>etc.</abbrev> <emphasis>Enjoy!</emphasis>
</para></abstract></partintro>
<chapter label="15" id="prt6ch15ssh"><?dbhtml filename="soft-netsecured.html"?>
<title>Software -Securities</title>
<highlights><para>
As illustrated in <link linkend="pr1ch2">Installation of your Linux Server</link>, many network services including, but not limited to, telnet, rsh, rlogin, or rexec are vulnerable to electronic eavesdropping. As a consequence, anyone
who has access to any machine connected to the network can listen in on their communication and get your password, as well as any other private information that goes over the network in plain text. Currently the Telnet
program is indispensable for daily administration tasks, but it is insecure since it transmits your password in plain text over the network and thereby allows any listener to use your account to do anything he likes. To
solve this problem we must find another way, or program, to replace it. Fortunately OpenSSH is a truly seamless and secure replacement for old, insecure and obsolete remote login programs such as telnet, rlogin, rsh, rdist,
or rcp.
</para></highlights>
<section id="prt6ch1sc1ossh"><?dbhtml filename="chap15sec119.html"?>
<title>OpenSSH</title>
<sidebar>
<title>The official <citation>OpenSSH README</citation> file says:</title>
<para>
Ssh <wordasword>Secure Shell</wordasword> is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and
secure communications over insecure channels. It is intended as a replacement for rlogin, rsh, rcp, and rdist.
</para></sidebar>
<para>
In our configuration we have configured OpenSSH to support tcp-wrappers and the inetd super server, to improve the security of this already secure program and to avoid always running its daemon in the background on the server. This
way, the program will run only when client connections arrive, and those connections are redirected through the <acronym>TCP</acronym>-WRAPPERS daemon for authentication and authorization before the connection to the server is allowed.
</para>
<para>
OpenSSH is a free replacement and improvement of SSH1 with all patent-encumbered algorithms removed to external libraries, all known security bugs fixed, new features reintroduced and many other clean-ups. It
is recommended that you use OpenSSH <emphasis>free and security bug fixed</emphasis> instead of SSH1 <emphasis>free, buggy, and old</emphasis> or SSH2, which was originally free but is now under a commercial
license. For people who use SSH2 from the Datafellows company, we'll provide both versions in this book, beginning with OpenSSH, since it is the new SSH program to which, we suggest, everyone must move in the future.
</para>
<para>
These installation instructions assume:
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem>
<listitem><para>
The source path is <filename>/var/tmp</filename> -<emphasis>other paths are possible</emphasis>.
</para></listitem>
<listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem>
<listitem><para>
All steps in the installation will happen in super-user account root.
</para></listitem>
<listitem><para>
OpenSSH version number is 1.2.3
</para></listitem>
</itemizedlist>
</para>
<para>
This is the package you can download from the OpenSSH homepage, <link linkend="prtinxfp11">http://www.openssh.com</link>; be sure to download openssh-1.2.3.tar.gz <emphasis>as of this writing</emphasis>.
</para>
<para>
There are some prerequisites you need to take care of before installing OpenSSH, since it requires that the zlib-devel package, which contains the header files and libraries needed to
develop programs that use the zlib compression and decompression library, be already installed on your system. If this is not the case, you must install it from your Red Hat Linux 6.1
or 6.2 CD-ROM.
To verify that the zlib-devel package is installed on your Linux system, use the following command:
<screen>
[root@deep] /#<command>rpm</command> -qi zlib-devel
</screen>
<literallayout><computeroutput>
package zlib-devel is not installed
</computeroutput></literallayout>
</para>
<para>
To install the zlib-devel package on your Linux system, use the following commands:
<screen>
[root@deep] /#<command>mount</command> /dev/cdrom /mnt/cdrom/
[root@deep] /#<command>cd</command> /mnt/cdrom/RedHat/RPMS/
[root@deep ]/RPMS#<command>rpm</command> -Uvh zlib-devel-version.i386.rpm
</screen>
<literallayout><computeroutput>
zlib-devel ##################################################
</computeroutput></literallayout>
<screen>
[root@deep ]/RPMS#<command>cd</command> /; <command>umount</command> /mnt/cdrom/
</screen>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
OpenSSL, which enables support for SSL functionality, must already be installed on your system to be able to use the OpenSSH software. For more information on the OpenSSL server, see its related chapter in this book. Even if you don't
need to use the OpenSSL software to create or hold encrypted key files, it's important to note that the OpenSSH program requires its library files to work properly on your system.
</para></important>
<para>
You need to decompress and unpack the tarball, but it is a good idea to make a list of files on the system before you install OpenSSH, and one afterwards, and then compare them using diff to find out what files it placed where. Simply
run <command>find</command> <userinput>/* &gt; OpenSSH1</userinput> before and <command>find</command> <userinput>/* &gt; OpenSSH2</userinput> after you install the software, and use <command>diff</command> <userinput>OpenSSH1 OpenSSH2 &gt; OpenSSH-Installed</userinput>
to get a list of what changed.
</para>
<para>
To compile, decompress the tarball (<literal>tar.gz</literal>):
<screen>
[root@deep] /#<command>cp</command> openssh-version.tar.gz /var/tmp
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ]/tmp#<command>tar</command> <userinput>xzpf</userinput> openssh-version.tar.gz
</screen>
</para>
<para>
Compile and optimize:
</para>
<procedure>
<step><para>
Move into the new OpenSSH directory and type the following commands on your terminal:
<screen>
CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--with-tcp-wrappers \
--with-ipv4-default \
--with-ssl-dir=/usr/include/openssl
</screen>
This tells OpenSSH to set itself up for this particular hardware setup with:
<simplelist>
<member>
- Compiled-in libwrap and enabled <acronym>TCP</acronym> Wrappers <filename>/etc/hosts.allow|deny</filename> support.
</member><member>
- Disabled long delays in name resolution under Linux/glibc-2.1.2 to improve connection time.
</member><member>
- Specified locations of OpenSSL libraries required by OpenSSH program to work.
</member>
</simplelist>
</para></step>
<step><para>
Now, we must compile and install OpenSSH on the Server:
<screen>
[root@deep ]/openssh-1.2.3#<command>make</command>
[root@deep ]/openssh-1.2.3#<command>make install</command>
[root@deep ]/openssh-1.2.3#<command>make</command> host-key
[root@deep ]/openssh-1.2.3#<command>install</command> -m644 contrib/redhat/sshd.pam /etc/pam.d/sshd
</screen>
<variablelist><varlistentry>
<term><command>make</command></term>
<listitem><para>
command will compile all source files into executable binaries,
</para></listitem>
</varlistentry>
<varlistentry>
<term><command>make install</command></term>
<listitem><para>
will install the binaries and any supporting files into the appropriate locations.
</para></listitem>
</varlistentry>
<varlistentry><term>
<command>make</command> host-key </term>
<listitem><para>
command will generate a host key.
</para></listitem>
</varlistentry>
<varlistentry>
<term><command>install</command></term>
<listitem><para>
command will install the PAM support for Red Hat Linux, which is now more functional than the popular packages of commercial ssh-1.2.x.
</para></listitem>
</varlistentry>
</variablelist>
</para></step>
<step><para>
Clean up afterwards:
<screen>
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ]/tmp#<command>rm</command> -rf openssh-version/ openssh-version.tar.gz
</screen>
The <command>rm</command> command as used above will remove all the source files we have used to compile and install OpenSSH. It will also remove the OpenSSH compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para></step>
</procedure>
</section>
<section><?dbhtml filename="chap15sec120.html"?>
<title>Configure and optimise OpenSSH</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each software package described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. This can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack this to any location on your local machine, say for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each configuration file has its own directory
for the respective software. For example, the <wordasword>OpenSSH</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 16
-rw-r--r-- 1 harrypotter harrypotter 275 Jun 8 13:00 Compile-OpenSSH
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 pam.d/
-rw-r--r-- 1 harrypotter harrypotter 372 Jun 8 13:00 ssh_config
-rw-r--r-- 1 harrypotter harrypotter 467 Jun 8 13:00 sshd_config
</computeroutput></literallayout>
You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or manually edit them to suit your needs. This facility is provided as a convenience, but please don't forget that ultimately it will be your
responsibility to check, verify, <abbrev>etc.</abbrev> before you use them, whether modified or as they are.
</para>
</note>
<para>
To run OpenSSH Client/Server, the following files are required and must be created or copied to the appropriate directories on your server.
<itemizedlist>
<listitem><para>
Copy the ssh_config file to the <filename class="directory">/etc/ssh/</filename> directory.
</para></listitem><listitem><para>
Copy the sshd_config file to the <filename class="directory">/etc/ssh/</filename> directory.
</para></listitem><listitem><para>
Copy the sshd file to the <filename class="directory">/etc/pam.d/</filename> directory.
</para></listitem>
</itemizedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed in the next sections on our <filename class="directory">floppy.tgz</filename> archive. Copy the following files from the decompressed
<filename class="directory">floppy.tgz</filename> archive to the appropriate places, or copy them directly from this book to the concerned file.
</para></tip>
</section>
<section><?dbhtml filename="chap15sec121.html"?>
<title>Configure the <filename>/etc/ssh/ssh_config</filename> file</title>
<para>
The <filename>/etc/ssh/ssh_config</filename> file is the system-wide configuration file for OpenSSH which allows you to set options that modify the operation of the client programs. The file
contains keyword-value pairs, one per line, with keywords being case insensitive. Here are the most important keywords to configure your ssh for top security; a complete listing and/or special
requirements are available in the man page for <citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></citerefentry>.
</para>
<para>
Edit the <filename>ssh_config</filename> file, <command>vi</command> <filename>/etc/ssh/ssh_config</filename> and add or change, if necessary, the following parameters:
<programlisting>
# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 22
Cipher blowfish
EscapeChar ~
</programlisting>
This sets up the <filename>ssh_config</filename> file for this particular configuration with:
</para>
<glosslist>
<glossentry><glossterm>
<envar>Host *</envar></glossterm>
<glossdef><para>
The option <envar>Host</envar> restricts the following declarations and options in the configuration file to only those hosts that match one of the patterns given after the keyword. The
pattern <literal>*</literal> means all hosts, up to the next Host keyword. With this option you can set different declarations for different hosts in the same <filename>ssh_config</filename> file.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>ForwardAgent no</envar></glossterm>
<glossdef><para>
The option <envar>ForwardAgent</envar> specifies which connection authentication agent <emphasis>if any</emphasis> should be forwarded to the remote machine.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>ForwardX11 no</envar></glossterm>
<glossdef><para>
The option <envar>ForwardX11</envar> is for people who use the <literal>Xwindow</literal> <acronym>GUI</acronym> and want to automatically redirect <literal>X11</literal> sessions to the remote machine. Since we set up a server
and don't have a <acronym>GUI</acronym> installed on it, we can safely turn this option off.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>RhostsAuthentication no</envar></glossterm>
<glossdef><para>
The option <envar>RhostsAuthentication</envar> specifies whether we can try to use rhosts based authentication. Because rhosts authentication is insecure you shouldn't use this option.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>RhostsRSAAuthentication no</envar></glossterm>
<glossdef><para>
The option <envar>RhostsRSAAuthentication</envar> specifies whether or not to try rhosts authentication in concert with <acronym>RSA</acronym> host authentication.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>RSAAuthentication yes</envar></glossterm>
<glossdef><para>
The option <envar>RSAAuthentication</envar> specifies whether to try <acronym>RSA</acronym> authentication. This option must be set to <userinput>yes</userinput> for better security on your sessions. <acronym>RSA</acronym> uses public and private key pairs created with
the <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry> utility for authentication purposes.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>PasswordAuthentication yes</envar></glossterm>
<glossdef><para>
The option <envar>PasswordAuthentication</envar> specifies whether we should use password-based authentication. For strong security, this option must always be set to <userinput>yes</userinput>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>FallBackToRsh no</envar></glossterm>
<glossdef><para>
The option <envar>FallBackToRsh</envar> specifies whether, if a connection with the ssh daemon fails, rsh should automatically be used instead. Recalling that the rsh service is insecure, this option must always be set to <userinput>no</userinput>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>UseRsh no</envar></glossterm>
<glossdef><para>
The option <envar>UseRsh</envar> specifies whether rlogin/rsh services should be used on this host. As with the <envar>FallBackToRsh</envar> option, it must be set to <userinput>no</userinput> for obvious reasons.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>BatchMode no</envar></glossterm>
<glossdef><para>
The option <envar>BatchMode</envar> specifies whether username and password querying on connect will be disabled. This option is useful when you create scripts and don't want to supply the password, <abbrev>e.g.</abbrev> scripts
that use the scp command to make backups over the network.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>CheckHostIP yes</envar></glossterm>
<glossdef><para>
The option <envar>CheckHostIP</envar> specifies whether or not ssh will additionally check the <acronym>IP</acronym> address of the host it connects to, in order to detect <acronym>DNS</acronym> spoofing. It's recommended that you set this option
to <userinput>yes</userinput>.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm><envar>StrictHostKeyChecking no</envar></glossterm>
<glossdef><para>
The option <envar>StrictHostKeyChecking</envar> specifies whether or not ssh will automatically add new host keys to the <filename>$HOME/.ssh/known_hosts</filename> file. When set to <userinput>yes</userinput>, ssh never adds new
host keys to the host file automatically, which provides maximum protection against Trojan horse attacks. One interesting procedure with this option is to set it to <userinput>no</userinput>
at the beginning, allow ssh to automatically add all common hosts to the host file as they are connected to, and then set it back to <userinput>yes</userinput> to take advantage of this feature.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>IdentityFile ~/.ssh/identity</envar></glossterm>
<glossdef><para>
The option <envar>IdentityFile</envar> specifies an alternate <acronym>RSA</acronym> authentication identity file to read. Also, multiple identity files may be specified in the configuration file <filename>ssh_config</filename>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>Port 22</envar></glossterm>
<glossdef><para>
The option <envar>Port</envar> specifies on which port number ssh connects to on the remote host. The default port is 22.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>Cipher blowfish</envar></glossterm>
<glossdef><para>
The option <envar>Cipher</envar> specifies which cipher should be used for encrypting sessions. Blowfish uses 64-bit blocks and keys of up to 448 bits.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>EscapeChar ~</envar></glossterm>
<glossdef><para>
The option <envar>EscapeChar</envar> specifies the session escape character for suspension.
</para></glossdef>
</glossentry>
</glosslist>
</section>
<section><?dbhtml filename="chap15sec122.html"?>
<title>Configure the <filename>/etc/ssh/sshd_config</filename> file</title>
<para>
The <filename>/etc/ssh/sshd_config</filename> file is the system-wide configuration file for OpenSSH which allows you to set options that modify the operation of the daemon. This file contains keyword-value pairs, one
per line, with keywords being case insensitive. Here are the most important keywords to configure your sshd for top security; a complete listing and/or special requirements are available in the man page
for <citerefentry><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para>
<para>
Edit the <filename>sshd_config</filename> file, <command>vi</command> <filename>/etc/ssh/sshd_config</filename> and add or change, if necessary, the following parameters:
<programlisting>
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin
</programlisting>
</para>
<para>
This sets up the <filename>sshd_config</filename> file for this particular configuration with:
<glosslist>
<glossentry><glossterm>
<envar>Port 22</envar></glossterm>
<glossdef><para>
The option <envar>Port</envar> specifies on which port number ssh daemon listens for incoming connections. The default port is 22.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>ListenAddress 192.168.1.1</envar></glossterm>
<glossdef><para>
The option <envar>ListenAddress</envar> specifies the <acronym>IP</acronym> address of the network interface to which the ssh daemon's listening socket is bound. The default is <literal>0.0.0.0</literal>; to improve security you may specify only the required addresses, to limit the possible ones.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>HostKey /etc/ssh/ssh_host_key</envar></glossterm>
<glossdef><para>
The option <envar>HostKey</envar> specifies the location containing the private host key.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>ServerKeyBits 1024</envar></glossterm>
<glossdef><para>
The option <envar>ServerKeyBits</envar> specifies how many bits to use in the server key. These bits are used when the daemon starts to generate its <acronym>RSA</acronym> key.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>LoginGraceTime 600</envar></glossterm>
<glossdef><para>
The option <envar>LoginGraceTime</envar> specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>KeyRegenerationInterval 3600</envar></glossterm>
<glossdef><para>
The option <envar>KeyRegenerationInterval</envar> specifies how long in seconds the server should wait before automatically regenerating its key. This is a security feature to prevent later decryption of captured sessions.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>PermitRootLogin no</envar></glossterm>
<glossdef><para>
The option <envar>PermitRootLogin</envar> specifies whether root can log in using ssh. Never say <userinput>yes</userinput> to this option.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>IgnoreRhosts yes</envar></glossterm>
<glossdef><para>
The option <envar>IgnoreRhosts</envar> specifies whether rhosts or shosts files should be ignored in authentication. For security reasons it is <emphasis>recommended not to use rhosts or shosts files for authentication</emphasis>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>IgnoreUserKnownHosts yes</envar></glossterm>
<glossdef><para>
The option <envar>IgnoreUserKnownHosts</envar> specifies whether the ssh daemon should ignore the user's <filename>$HOME/.ssh/known_hosts</filename> during RhostsRSAAuthentication.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>StrictModes yes</envar></glossterm>
<glossdef><para>
The option <envar>StrictModes</envar> specifies whether ssh should check users' permissions on their home directory and rhosts files before accepting a login. This option must always be set to <userinput>yes</userinput> because users sometimes accidentally leave their directory or files world-writable.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>X11Forwarding no</envar></glossterm>
<glossdef><para>
The option <envar>X11Forwarding</envar> specifies whether <literal>X11</literal> forwarding should be enabled or not on this server. Since we set up a server without a <acronym>GUI</acronym> installed on it, we can safely turn this option off.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>PrintMotd yes</envar></glossterm>
<glossdef><para>
The option <envar>PrintMotd</envar> specifies whether the ssh daemon should print the contents of the <filename>/etc/motd</filename> file when a user logs in interactively. The <filename>/etc/motd</filename> file is also known as the <wordasword>message of the day</wordasword>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>SyslogFacility AUTH</envar></glossterm>
<glossdef><para>
The option <envar>SyslogFacility</envar> specifies the facility code used when logging messages from sshd. The facility specifies the subsystem that produced the message--in our case, AUTH.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>LogLevel INFO</envar></glossterm>
<glossdef><para>
The option <envar>LogLevel</envar> specifies the level that is used when logging messages from sshd. INFO is a good choice. See the man page for sshd for more information on other possibilities.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>RhostsAuthentication no</envar></glossterm>
<glossdef><para>
The option <envar>RhostsAuthentication</envar> specifies whether sshd can try to use rhosts based authentication. Because rhosts authentication is insecure you shouldn't use this option.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>RhostsRSAAuthentication no</envar></glossterm>
<glossdef><para>
The option <envar>RhostsRSAAuthentication</envar> specifies whether to try rhosts authentication in concert with <acronym>RSA</acronym> host authentication.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>RSAAuthentication yes</envar></glossterm>
<glossdef><para>
The option <envar>RSAAuthentication</envar> specifies whether to try <acronym>RSA</acronym> authentication. This option must be set to <userinput>yes</userinput> for better security in your sessions. <acronym>RSA</acronym> uses
public and private key pairs created with the <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry> utility for authentication purposes.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>PasswordAuthentication yes</envar></glossterm>
<glossdef><para>
The option <envar>PasswordAuthentication</envar> specifies whether we should use password-based authentication. For strong security, this option must always be set to <userinput>yes</userinput>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>PermitEmptyPasswords no</envar></glossterm>
<glossdef><para>
The option <envar>PermitEmptyPasswords</envar> specifies whether the server allows logging in to accounts with a null password. If you intend to use the scp utility to make automatic backups over the network, you must set this option to <userinput>yes</userinput>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>AllowUsers admin</envar></glossterm>
<glossdef><para>
The option <envar>AllowUsers</envar> specifies and controls which users can access ssh services. Multiple users can be specified, separated by spaces.
</para></glossdef>
</glossentry>
</glosslist>
</para>
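<para>
As an added example that is not part of the original book, the following shell functions audit an existing <filename>sshd_config</filename> against the settings recommended above. The audit reads only the keywords discussed in this section, takes the first active occurrence of each keyword (the one sshd honours) and reports every option that is missing or set to a weaker value; the expected values and the file path are assumptions made for this example.
<![CDATA[
```shell
#!/bin/sh
# Added example (not from the book): audit an OpenSSH sshd_config against
# the values recommended in this chapter.  Assumptions: the file uses the
# usual "Keyword value" syntax and these are the expectations we enforce.

# Keyword=value pairs we expect to find; keywords are matched case-insensitively.
EXPECTED="RhostsAuthentication=no
RhostsRSAAuthentication=no
RSAAuthentication=yes
PermitEmptyPasswords=no"

# get_option FILE KEYWORD
#   Prints the value of the first active (uncommented) occurrence of KEYWORD,
#   which is the one sshd honours, or prints nothing if the keyword is unset.
get_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                                # skip comments
        NF >= 2 && tolower($1) == key && val == "" { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# audit_sshd_config FILE
#   Prints one line per finding.  Returns the number of findings, so an exit
#   status of 0 means the file matches every expectation.
audit_sshd_config() {
    file=$1
    findings=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(get_option "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING: $key (want $want; sshd will use its built-in default)"
            findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "WEAK:    $key $have (want $want)"
            findings=$((findings + 1))
        fi
    done
    # AllowUsers has no single "safe" value, but it must be present: without
    # it every account in /etc/passwd may try to log in over ssh.
    if [ -z "$(get_option "$file" AllowUsers)" ]; then
        echo "MISSING: AllowUsers (restrict ssh logins to named accounts)"
        findings=$((findings + 1))
    fi
    return $findings
}

# Stand-alone use: audit the file named on the command line.
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```
]]>
Run it as <command>audit_sshd_config</command> <filename>/etc/ssh/sshd_config</filename> after every change to the file; the exit status is the number of findings, so a nightly cron job can mail any non-empty output to the administrator.
</para>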
</section>
<section><?dbhtml filename="chap15sec123.html"?>
<title>Configure OpenSSH to use TCP-Wrappers/inetd super server</title>
<para>
Rather than running sshd as a standalone daemon, we start it from the inetd super server through tcpd, so that every incoming connection is checked against <filename>/etc/hosts.allow</filename> and <filename>/etc/hosts.deny</filename> before sshd ever sees it. Upon execution, inetd reads its configuration information from a configuration file which, by default, is <filename>/etc/inetd.conf</filename>. There must
be an entry for each service, one per line, with the fields of each entry separated by a tab or a space.
</para>
<procedure>
<step><para>
Edit the <filename>inetd.conf</filename> file <command>vi</command> <filename>/etc/inetd.conf</filename> and add the line:
<programlisting>
ssh stream tcp nowait root /usr/sbin/tcpd sshd -i
</programlisting>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The -i parameter is important since it specifies that sshd is being run from inetd: sshd then serves the single connection handed to it on its standard input instead of listening on a socket itself. After adding the line, inetd must be told to re-read <filename>inetd.conf</filename> by sending it a <command>SIGHUP</command> signal, as shown below. Be aware of the trade-off: sshd started this way has to generate its ephemeral server key for every connection, which can add a noticeable delay to each login; if that is a problem, run sshd standalone, which still honours <filename>hosts.allow</filename> when OpenSSH is built with libwrap (tcp_wrappers) support.
</para></important>
To update your <filename>inetd.conf file</filename>, use the following command:
<screen>
[root@deep] /#<command>killall</command> -HUP inetd
</screen>
</para></step>
<step><para>
Edit the <filename>hosts.allow</filename> file, <command>vi</command> <filename>/etc/hosts.allow</filename> and add the line:
<programlisting>
sshd: 192.168.1.4 win.openna.com
</programlisting>
This means that the client with <acronym>IP</acronym> <literal>192.168.1.4</literal> and host name <literal>win.openna.com</literal> is allowed to ssh in to the server. Remember that tcpd consults <filename>/etc/hosts.allow</filename> first, then <filename>/etc/hosts.deny</filename>, and lets the connection through when neither file matches: the entry above only restricts access if <filename>/etc/hosts.deny</filename> also contains a catch-all line such as <literal>ALL: ALL</literal>. You can test a rule set without connecting by running <command>tcpdmatch</command> <userinput>sshd 192.168.1.4</userinput>, which prints the decision tcpd would make for that client.
</para></step>
</procedure>
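<para>
To make the order of evaluation visible, here is an added example (not from the book) that models the decision tcpd makes for one connection. It understands a deliberately small subset of the hosts_access(5) pattern language: <literal>ALL</literal>, an exact address or host name, a network prefix ending in a dot and a domain suffix starting with a dot. The file locations come from the <envar>ALLOW_FILE</envar> and <envar>DENY_FILE</envar> variables so it can be pointed at copies; on a live system the authoritative check is tcpdmatch(8).
<![CDATA[
```shell
#!/bin/sh
# Added example (not from the book): a minimal model of the tcp_wrappers
# access decision, to show why hosts.allow alone does not restrict anything.
# Assumptions: only these client patterns are understood -- ALL, an exact
# address or host name, a prefix ending in "." (192.168.1.) and a domain
# suffix starting with "." (.openna.com).  The real library understands
# more (see hosts_access(5)); use tcpdmatch(8) on a live system.

ALLOW_FILE=${ALLOW_FILE:-/etc/hosts.allow}
DENY_FILE=${DENY_FILE:-/etc/hosts.deny}

# pattern_matches PATTERN CLIENT -> 0 if CLIENT (an address or a name) matches
pattern_matches() {
    pat=$1; client=$2
    case $pat in
        ALL) return 0 ;;
        *.)  case $client in "$pat"*) return 0 ;; esac ;;   # 192.168.1. prefix
        .*)  case $client in *"$pat") return 0 ;; esac ;;   # .openna.com suffix
        *)   [ "$pat" = "$client" ] && return 0 ;;
    esac
    return 1
}

# file_grants FILE DAEMON ADDR HOST -> 0 if a "daemon_list : client_list" line
# in FILE names DAEMON and one of its client patterns matches ADDR or HOST
file_grants() {
    [ -f "$1" ] || return 1
    sed 's/#.*//' "$1" | (
        while IFS=: read -r daemons clients; do
            for d in $(echo "$daemons" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
                for c in $(echo "$clients" | tr ',' ' '); do
                    if pattern_matches "$c" "$3" || pattern_matches "$c" "$4"; then
                        exit 0          # leave the subshell: a rule matched
                    fi
                done
            done
        done
        exit 1                          # no rule in this file matched
    )
}

# hosts_access DAEMON ADDR HOST -> 0 (allow) or 1 (deny), in tcpd's order:
# hosts.allow first, then hosts.deny, and allow when neither file matches.
hosts_access() {
    if file_grants "$ALLOW_FILE" "$1" "$2" "$3"; then
        echo "allow $1 from $3 [$2]: matched $ALLOW_FILE"; return 0
    elif file_grants "$DENY_FILE" "$1" "$2" "$3"; then
        echo "deny  $1 from $3 [$2]: matched $DENY_FILE"; return 1
    else
        echo "allow $1 from $3 [$2]: no rule matched, default is ALLOW"; return 0
    fi
}
```
]]>
With only the <filename>hosts.allow</filename> line from the step above, <command>hosts_access</command> <userinput>sshd 10.0.0.9 other.example.net</userinput> still answers allow; it answers deny only once <filename>hosts.deny</filename> contains <literal>ALL: ALL</literal>, which is exactly the pair of files you want on the server.
</para>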
<para>
These daemon strings for tcp-wrappers are in use by sshd:
<variablelist>
<varlistentry><term>
sshdfwd-X11</term>
<listitem><para>
if you want to allow/deny X11-forwarding
</para></listitem>
</varlistentry>
<varlistentry><term>
sshdfwd-&lt;port-number&gt;</term>
<listitem><para>for tcp-forwarding</para></listitem>
</varlistentry>
<varlistentry><term>
sshdfwd-&lt;port-name&gt;</term>
<listitem><para>port-name defined in <filename>/etc/services</filename>. Used in tcp-forwarding</para></listitem>
</varlistentry>
</variablelist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
If you do decide to switch to ssh, make sure you install and use it on all your servers. Having ten secure servers and one insecure one is a waste of time, since a password sniffed on the insecure one is usually valid on the others.
</para></tip>
<para>
For more details, there are several man pages you can read:
<variablelist>
<varlistentry><term>
<citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>OpenSSH secure shell client <emphasis>remote login program</emphasis></para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>ssh [slogin]</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>OpenSSH secure shell client <emphasis>remote login program</emphasis></para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>ssh-add</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>adds identities for the authentication agent</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>ssh-agent</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>authentication agent</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>authentication key generation</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>secure shell daemon</para></listitem>
</varlistentry>
</variablelist>
</para>
</section>
<section><?dbhtml filename="chap15sec124.html"?>
<title>OpenSSH Per-User Configuration</title>
<procedure>
<step><para>
Create your private and public key pair on the local machine, as the user who will be logging in, by executing:
<screen>
[root@deep] /#<command>su</command> admin
[admin@deep /]$<command>ssh-keygen</command>
</screen>
The result should look like the following example:
<literallayout class="monospaced"><computeroutput>
Initializing random number generator...
Generating p: ............................++ (distance 430)
Generating q: ......................++ (distance 456)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (<filename>/home/admin/.ssh/identity</filename>): [Press <keycap>Enter</keycap>]
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/admin/.ssh/identity.
Your public key is:
1024 37 14937757511251955533691120318477293862290049394715136511145806108870001764378494676831297577843158532
2723612061006231460440536487184367748423324091941848098890786099717524446977589647127757030728779973708569993
017043141563536333068888944038178461608592483844590202154102756903055846534063365635584899765402181 admin@deep.openna.com
Your public key has been saved in /home/admin/.ssh/identity.pub
</computeroutput></literallayout>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
If you have multiple accounts you might want to create a separate key on each of them. You may want to have separate keys for:
<itemizedlist>
<listitem><para>
Your Mail server
</para></listitem>
<listitem><para>
Your Web server
</para></listitem>
<listitem><para>
Your GW server
</para></listitem>
</itemizedlist>
This allows you to limit access between these servers, e.g. not allowing the Mail account to access your Web account or the machines in the GW. This enhances the overall security in the case any of your authentication
keys are compromised for any reason.
</para></note>
</para></step>
<step><para>
Copy your local public key <filename>identity.pub</filename> to the remote machine and append it to the file <filename>authorized_keys</filename> in the <filename class="directory">/home/admin/.ssh</filename> directory there, one key per line. Before accepting a key, sshd checks the ownership and modes of these files: <filename class="directory">~/.ssh</filename> should be mode 700 and <filename>authorized_keys</filename> mode 600, and neither the home directory nor <filename class="directory">~/.ssh</filename> may be writable by group or others, otherwise sshd ignores the key and falls back to password authentication.
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
One way to copy the file is to use the scp command, logging in with your password this one time, or you might need to send your public key in electronic mail to the administrator of the system. Just include the contents of the <filename>~/.ssh/identity.pub</filename> file
in the message; it is the public half of the pair, so it need not be kept secret, but the administrator should confirm through another channel that the key really came from you before installing it.
</para></tip>
</para></step>
</procedure>
<para>
You may need to change your passphrase for various reasons; you can do so at any time with the -p option of ssh-keygen, which re-encrypts the private key in place without changing the key itself, so the public key already installed on remote machines stays valid.
To change the passphrase, use the command:
<screen>
[root@deep] /#<command>su</command> admin
[admin@deep /]$<command>ssh-keygen</command> -p
</screen>
<literallayout class="monospaced"><computeroutput>
Enter file key is in <filename>/home/admin/.ssh/identity</filename>: [Press <keycap>ENTER</keycap>]
Enter old passphrase:
Key has comment 'admin@deep.openna.com'
Enter new passphrase:
Enter the same passphrase again:
Your identification has been saved with the new passphrase.
</computeroutput>
</literallayout>
</para>
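<para>
The following added example, which is not part of the original book, automates the installation step above: it appends a public key to a user's <filename>authorized_keys</filename> file without creating duplicates, sets the modes sshd expects, and provides a check that reports the modes sshd would refuse, which is the usual reason a freshly installed key is ignored and the password prompt appears anyway. The key file and home directory are parameters; the sample key line used in the test is constructed, not a real key.
<![CDATA[
```shell
#!/bin/sh
# Added example (not from the book): install a public key for ssh logins and
# verify the file modes sshd checks before it will accept the key (StrictModes).
# Assumptions: the key file holds a single public-key line as written by
# ssh-keygen, and HOME_DIR is the target account's home directory.

# install_pubkey PUBKEY_FILE HOME_DIR
#   Appends the key to HOME_DIR/.ssh/authorized_keys unless the exact line is
#   already there, and sets the directory and file modes sshd expects.
install_pubkey() {
    key=$(cat "$1")
    dir=$2/.ssh
    auth=$dir/authorized_keys
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    if grep -qxF -- "$key" "$auth"; then
        echo "already installed: $auth"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "installed: $auth"
    fi
}

# count_keys HOME_DIR -> number of key lines in the account's authorized_keys
count_keys() {
    auth=$1/.ssh/authorized_keys
    [ -f "$auth" ] || { echo 0; return 0; }
    grep -c . "$auth"
}

# check_strict_modes HOME_DIR
#   sshd ignores authorized_keys when the home directory, ~/.ssh or the file
#   itself is writable by group or others.  Prints each offending path and
#   returns 1 if any was found, 0 otherwise.
check_strict_modes() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "bad mode: $p is group- or world-writable"
            rc=1
        fi
    done
    return $rc
}
```
]]>
On the server, run <command>install_pubkey</command> <userinput>/tmp/identity.pub /home/admin</userinput> followed by <command>check_strict_modes</command> <userinput>/home/admin</userinput>, either as root or as the admin user. Because whole lines are compared, running the install a second time is harmless, so the same script can be used to push keys to many servers.
</para>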
</section>
<section><?dbhtml filename="chap15sec125.html"?>
<title>OpenSSH Users Tools</title>
<para>
The commands listed below are the ones we use most often in regular work, but many more exist, and you should check the man pages and documentation for details. The <literal>ssh</literal> Secure Shell command
provides secure encrypted communications between two untrusted hosts over an insecure network. It is a program for logging securely into a remote machine and executing commands there. It is a suitable replacement
for insecure programs like telnet, rlogin, rcp, rdist, and rsh.
</para>
<para>
To login to a remote machine, use the command:
<screen>
[root@deep] /#<command>ssh</command> -l &lt;login_name&gt; &lt;hostname&gt;
</screen>
</para>
<example>
<title>Remote login using ssh</title>
<para>
<screen>
[root@deep] /#<command>ssh</command> -l admin www.openna.com
</screen>
<literallayout class="monospaced"><computeroutput>
admin@www.openna.com's password:
Last login: Tue Oct 19 1999 18:13:00 -0400 from deep.openna.com
No mail.
</computeroutput>
</literallayout>
<screen>
[admin@www ]/admin$
</screen>
Where &lt;login_name&gt; is the name you use to connect to the ssh server and &lt;hostname&gt; is the remote address of your ssh server.
</para></example>
<section>
<title>scp</title>
<para>
The scp Secure Copy utility copies files from the local system to a remote system or vice versa, or even between two remote systems. To copy files from the remote system to the local one, use
the following command:
<screen>
[root@deep] /#<command>su</command> admin
[admin@deep /]$<command>scp</command> -p &lt;login_name@hostname&gt;:/dir/for/file localdir/to/filelocation
</screen>
</para>
<example>
<title>scp Secure Copy utility</title>
<para>
<screen>
[admin@deep /]$<command>scp</command> -p admin@mail:/etc/test1 /tmp
</screen>
<literallayout><computeroutput>
Enter passphrase for RSA key 'admin@mail.openna.com':
test1 | 2 KB | 2.0 kB/s | ETA: 00:00:00 | 100%
</computeroutput></literallayout>
</para></example>
<para>
To copy files from local to remote system, use the following command:
<screen>
[root@deep] /#<command>su</command> admin
[admin@deep /]$<command>scp</command> -p localdir/to/filelocation &lt;username@hostname&gt;:/dir/for/file
</screen>
</para>
<example>
<title>local to remote</title>
<para>
<screen>
[admin@deep /]$<command>scp</command> -p /usr/bin/test2 admin@mail:/var/tmp
</screen>
<literallayout><computeroutput>
admin@mail's password:
test2 | 7 KB | 7.9 kB/s | ETA: 00:00:00 | 100%
</computeroutput></literallayout>
</para></example>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The -p option indicates that the modification and access times, as well as modes of the source file, should be preserved on the copy. This is usually desirable.
</para></tip>
<para>
Some possible uses of the OpenSSH software are:
<orderedlist numeration="arabic" spacing="compact">
<listitem><para>
Replace telnet, rlogin, rsh, rdist, and rcp.
</para></listitem>
<listitem><para>
Make secure backups over the network.
</para></listitem>
<listitem><para>
Execute remote commands.
</para></listitem>
<listitem><para>
Access to corporate resources over the Internet.
</para></listitem>
</orderedlist>
</para>
</section>
</section>
<section><?dbhtml filename="chap15sec126.html"?>
<title>Installed files</title>
<para>
These are files Installed by the software program Openssh:
<simplelist columns="2" type ="vert">
<member><filename>
/etc/ssh
</filename></member>
<member><filename>
/etc/ssh/ssh_config
</filename></member>
<member><filename>
/etc/ssh/sshd_config
</filename></member>
<member><filename>
/etc/ssh_host_key
</filename></member>
<member><filename>
/etc/ssh_host_key.pub
</filename></member>
<member><filename>
/usr/bin/ssh
</filename></member>
<member><filename>
/usr/bin/scp
</filename></member>
<member><filename>
/usr/bin/ssh-add
</filename></member>
<member><filename>
/usr/bin/ssh-agent
</filename></member>
<member><filename>
/usr/bin/ssh-keygen
</filename></member>
<member><filename>
/usr/bin/slogin
</filename></member>
<member><filename>
/usr/man/man1/ssh.1
</filename></member>
<member><filename>
/usr/man/man1/scp.1
</filename></member>
<member><filename>
/usr/man/man1/ssh-add.1
</filename></member>
<member><filename>
/usr/man/man1/ssh-agent.1
</filename></member>
<member><filename>
/usr/man/man1/ssh-keygen.1
</filename></member>
<member><filename>
/usr/man/man1/slogin.1
</filename></member>
<member><filename>
/usr/man/man8/sshd.8
</filename></member>
<member><filename>
/usr/sbin/sshd
</filename></member>
</simplelist>
</para>
<section>
<title>Free SSH clients for Windows</title>
<para>
Check out these free SSH clients for Windows, so that you can use the same services from your Windows machines if your networked environment is likely to include them.
</para>
<formalpara xreflabel="Putty" id="prt6ch1sc8pty"><title>
Putty</title>
<para>
The PuTTY homepage: <link linkend="prtinxfp12">http://www.chiark.greenend.org.uk/~sgtatham/putty.html</link>
</para>
</formalpara>
<formalpara id="prt6ch1sc8ttsh">
<title>Tera Term Pro and TTSSH</title>
<para>
Tera Term Pro can be found on its homepage: <link linkend="prtinxfp13">http://hp.vector.co.jp/authors/VA002416/teraterm.html</link>,
and the TTSSH extension, which adds SSH support to Tera Term, is at: <link linkend="prtinxfp13">http://www.zip.com.au/~roca/download.html</link>.
</para>
</formalpara>
</section>
</section>
</chapter>
<chapter label="16"><?dbhtml filename="softsec-com.html"?>
<title>Software -Security (commercial)</title>
<highlights>
<para>
It is now clear that all Linux users should use OpenSSH rather than SSH2 from Datafellows Company. However, for the users or organizations that want to use the non-free version of this software, we provide
here the steps to follow. This is the SSH2 commercial version of the SSH software. In our configuration we have also configured sshd2 to support tcp-wrappers <emphasis>the inetd super server</emphasis> for security reasons.
</para></highlights>
<section id="prt6ch2sc1ssh"><?dbhtml filename="chap16sec127.html"?>
<title>Linux SSH2 Client/Server</title>
<para>
Since Linux is all about choices, we present the commercial SSH2 package as an alternative to OpenSSH. These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem>
<listitem><para>
The source path is <filename>/var/tmp</filename>, <emphasis>other paths are possible</emphasis>.
</para></listitem>
<listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem>
<listitem><para>
All steps in the installation will happen in super-user account root.
</para></listitem>
<listitem><para>
SSH2 version number is <literal>2.0.13</literal>
</para></listitem>
</itemizedlist>
</para>
<para>
Packages that you need can be downloaded from:
<simplelist type="vert">
<member>
SSH2 Homepage:<link linkend="prtinxfp14">http://www.ssh.org/</link>
</member><member>
You must be sure to download: <literal>ssh-2.0.13.tar.gz</literal>
</member>
</simplelist>
</para>
<para>
Once you have the tarball, it is a good idea to make a list of the files on the system before you install SSH2 and another afterwards, then compare them using diff to find out what file it placed where. Simply run
<command>find</command> <userinput>/* &gt; SSH1</userinput> before and <command>find</command> <userinput>/* &gt; SSH2</userinput> after you install the software, and use <command>diff</command> <userinput>SSH1 SSH2 &gt; SSH-Installed</userinput>
to get a list of what changed.
</para>
<para>
Before you Compile, you need to decompress the tarball <literal>tar.gz</literal>.
<screen>
[root@deep] /#<command>cp</command> ssh-version.tar.gz /var/tmp
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ]/tmp#<command>tar</command> xzpf ssh-version.tar.gz
</screen>
</para>
<para>
To compile and optimize, move into the new SSH2 directory and type the following commands on your terminal:
<programlisting>
CC="egcs" \
CFLAGS=&quot;-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--prefix=/usr \
--without-ssh-agent1-compat \
--disable-suid-ssh-signer \
--disable-tcp-port-forwarding \
--disable-X11-forwarding \
--enable-tcp-nodelay \
--with-libwrap
</programlisting>
</para>
<para>
This tells SSH2 to set itself up for this particular hardware setup as follows:
<itemizedlist>
<listitem><para>
Leave out ssh-agent1 compatibility.
</para></listitem><listitem><para>
Install ssh-signer without suid bit.
</para></listitem><listitem><para>
Disable port forwarding support.
</para></listitem><listitem><para>
Disable <literal>X11</literal> forwarding support.
</para></listitem><listitem><para>
Enable <envar>TCP_NODELAY</envar> socket option.
</para></listitem><listitem><para>
Compile in libwrap <literal>tcp_wrappers</literal> support.
</para></listitem>
</itemizedlist>
</para>
<para>
<screen>
[root@deep ]/ssh-2.0.13#<command>make clean</command>
[root@deep ]/ssh-2.0.13#<command> make</command>
[root@deep ]/ssh-2.0.13#<command> make install</command>
[root@deep ]/ssh-2.0.13#<command>rm</command> -f /usr/bin/ssh-askpass
</screen>
<simplelist type="vert">
<member>
The <command>make clean</command> command erases all traces of any previous compilation so as to avoid mistakes,
</member><member>
The <command>make</command> command compiles all source files into executable binaries,
</member><member>
The <command>make install</command> command installs the binaries and any supporting files into the appropriate locations.
</member>
</simplelist>
</para>
<para>
Please don't forget to cleanup after work:
<screen>
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ]/tmp#<command>rm</command> -rf ssh-version/ ssh-version.tar.gz
</screen>
The <command>rm</command> command as used above will remove all the source files we have used to compile and install SSH2. It will also remove the SSH2 compressed archive from
the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap16sec128.html"?>
<title>Configure and Optimise SSH2</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. This can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack this to any location on your local machine, say for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each configuration file has its own directory
for the respective software. For example the <wordasword>SSH2</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 16
-rw-r--r-- 1 harrypotter harrypotter 326 Jun 8 13:00 Compile-SSH2
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 pam.d/
-rw-r--r-- 1 harrypotter harrypotter 462 Jun 8 13:00 ssh2_config
-rw-r--r-- 1 harrypotter harrypotter 799 Jun 8 13:00 sshd2_config
</computeroutput></literallayout>
You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or edit them manually to suit your needs. This facility is provided as a convenience, but please don't forget that ultimately it is your
responsibility to check and verify them before you use them, whether modified or as they are.
</para>
</note>
<para>
To run the SSH2 Client/Server, the following files are required, and must be created or copied to the appropriate directories on your server.
<itemizedlist>
<listitem><para>
Copy the sshd2_config file to the <filename class="directory">/etc/ssh2/</filename> directory.
</para></listitem>
<listitem><para>
Copy the ssh2_config file to the <filename class="directory">/etc/ssh2/</filename> directory.
</para></listitem>
<listitem><para>
Copy the ssh file to the <filename class="directory">/etc/pam.d/</filename> directory.
</para></listitem>
</itemizedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed in the following section on our <filename>floppy.tgz</filename> archive. Copy the following files from the decompressed floppy.tgz archive to the appropriate places, or copy them directly from this book to the concerned file.
</para></tip>
</section>
<section><?dbhtml filename="chap16sec129.html"?>
<title>Configure the <filename>/etc/ssh2/ssh2_config</filename> file</title>
<para>
The configuration file for ssh2 <filename>/etc/ssh2/ssh2_config</filename> allows you to set options that modify the operation of the client programs. The files contain keyword-value pairs, one per line, with keywords
being case insensitive. Here are the more important keywords; a complete listing is available in the man page for <citerefentry><refentrytitle>ssh2</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
</para>
<para>
Edit the <filename>ssh2_config</filename> file, <command>vi</command> <filename>/etc/ssh2/ssh2_config</filename> and add or change, if necessary:
<programlisting>
# ssh2_config
# SSH 2.0 Client Configuration File
*:Port 22
Ciphers blowfish
Compression yes
IdentityFile identification
AuthorizationFile authorization
RandomSeedFile random_seed
VerboseMode no
ForwardAgent no
ForwardX11 no
PasswordPrompt &quot;%U's password: &quot;
Ssh1Compatibility no
Ssh1AgentCompatibility none
NoDelay yes
KeepAlive yes
QuietMode no
</programlisting>
This tells ssh2_config file to set itself up for this particular configuration setup with:
</para>
<glosslist><glossentry><glossterm>
<envar>Port 22</envar></glossterm>
<glossdef><para>
The option <envar>Port</envar> specifies the port number on which ssh2 connects to the remote host. The default port is 22.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>Ciphers blowfish</envar></glossterm>
<glossdef><para>
The option <envar>Ciphers</envar> specifies what cipher should be used for encrypting sessions. The blowfish uses 64-bit blocks and keys of up to 448 bits.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>Compression yes</envar></glossterm>
<glossdef><para>
The option <envar>Compression</envar> specifies whether to use compression during sessions. Compression reduces the amount of data sent, which speeds up file transfers on slow links at the cost of some processor time on both ends.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>IdentityFile identification</envar></glossterm>
<glossdef><para>
The option <envar>IdentityFile</envar> specifies an alternate name for the user's identification file.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>AuthorizationFile authorization</envar></glossterm>
<glossdef><para>
The option <envar>AuthorizationFile</envar> specifies an alternate name for the user's authorization file.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>RandomSeedFile random_seed</envar></glossterm>
<glossdef><para>
The option <envar>RandomSeedFile</envar> specifies an alternate name for the user's random seed file.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>VerboseMode no</envar></glossterm>
<glossdef><para>
The option <envar>VerboseMode</envar> instructs ssh2 to print debugging messages about its progress. This option is helpful in debugging connection, authentication, and configuration problems.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>ForwardAgent no</envar></glossterm>
<glossdef><para>
The option <envar>ForwardAgent</envar> specifies whether the connection to the authentication agent (if any) should be forwarded to the remote machine. Keep it off unless you fully trust the remote host: anyone with root access there can use the forwarded agent to authenticate as you to other machines for as long as your session lasts.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>ForwardX11 no</envar></glossterm>
<glossdef><para>
The option <envar>ForwardX11</envar> is for people that use the <literal>Xwindow</literal> <acronym>GUI</acronym> and want <literal>X11</literal> connections from programs started on the remote machine tunnelled back to their local display. Since
we've set up a server and do not have a <acronym>GUI</acronym> installed on it, we can safely turn this option off.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>PasswordPrompt &quot;%U's password: &quot;</envar></glossterm>
<glossdef><para>
The option <envar>PasswordPrompt</envar> specifies the password prompt that will be displayed for the user when connecting to a host. Variables <prompt>%</prompt>U and <prompt>%</prompt>H give the user's login name and host, respectively.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>Ssh1Compatibility no</envar></glossterm>
<glossdef><para>
The option <envar>Ssh1Compatibility</envar> specifies whether or not to use SSH1 compatibility code with SSH2 for ssh1 users.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>Ssh1AgentCompatibility none</envar></glossterm>
<glossdef><para>
The option <envar>Ssh1AgentCompatibility</envar> specifies whether or not to also forward SSH1 agent connections with SSH2 for ssh1 users.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>NoDelay yes</envar></glossterm>
<glossdef><para>
The option <envar>NoDelay</envar> specifies if the socket option <envar>TCP_NODELAY</envar> should be enabled. It is recommended that you set this option to <userinput>yes</userinput> to improve network performance.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>KeepAlive yes</envar></glossterm>
<glossdef><para>
The option <envar>KeepAlive</envar> specifies whether the system should send keep alive messages to the remote server. If set to <userinput>yes</userinput> then the death of the connection or crash of remote machines will be properly noticed.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>QuietMode no</envar></glossterm>
<glossdef><para>
The option <envar>QuietMode</envar> specifies whether the system runs in quiet mode. This option must be set to <userinput>no</userinput> because in quiet mode, nothing is logged in the system log except for fatal errors. Since we
want to have information about users sessions it is preferable to disable this option.
</para></glossdef>
</glossentry>
</glosslist>
</section>
<section><?dbhtml filename="chap16sec130.html"?>
<title>Configure the <filename>/etc/ssh2/sshd2_config</filename> file</title>
<para>
The configuration file for sshd2 <filename>/etc/ssh2/sshd2_config</filename> allows you to set options that modify the operation of the daemon. The files contain keyword-value pairs, one per line, with keywords
being case insensitive. Here are the more important keywords; a complete listing is available in the man page for <citerefentry><refentrytitle>sshd2</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para>
<para>
Edit the <filename>sshd2_config</filename> file, <command>vi</command> <filename>/etc/ssh2/sshd2_config</filename> and add or change, if necessary:
<programlisting>
# sshd2_config
# SSH 2.0 Server Configuration File
*:Port 22
ListenAddress 192.168.1.1
Ciphers blowfish
IdentityFile identification
AuthorizationFile authorization
HostKeyFile hostkey
PublicHostKeyFile hostkey.pub
RandomSeedFile random_seed
ForwardAgent no
ForwardX11 no
PasswordGuesses 3
MaxConnections 5
PermitRootLogin no
AllowedAuthentications publickey,password
RequiredAuthentications publickey,password
VerboseMode no
PrintMotd yes
CheckMail yes
UserConfigDirectory &quot;%D/.ssh2"
SyslogFacility DAEMON
Ssh1Compatibility no
NoDelay yes
KeepAlive yes
UserKnownHosts yes
AllowHosts 192.168.1.4
DenyHosts *
QuietMode no
# subsystem definitions
subsystem-sftp sftp-server
</programlisting>
This tells sshd2_config file to set itself up for this particular configuration setup with:
</para>
<glosslist>
<glossentry><glossterm>
<envar>Port 22</envar></glossterm>
<glossdef><para>
The option <envar>Port</envar> specifies the port number on which the ssh2 daemon listens for incoming ssh connections. The default port is 22.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>ListenAddress 192.168.1.1</envar></glossterm>
<glossdef><para>
The option <envar>ListenAddress</envar> specifies the <acronym>IP</acronym> address of the network interface to which the ssh2 daemon's server socket is bound. The default, <literal>0.0.0.0</literal>, listens on every interface; to improve security, specify only the address on which you expect
administrative connections, for example the internal interface, so that the daemon is not reachable from the others.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>Ciphers blowfish</envar></glossterm>
<glossdef><para>
The option <envar>Ciphers</envar> specifies what cipher should be used for encrypting sessions. The blowfish uses 64-bit blocks and keys of up to 448 bits.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>IdentityFile identification</envar></glossterm>
<glossdef><para>
The option <envar>IdentityFile</envar> specifies an alternate name for the user's identification file.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>AuthorizationFile authorization</envar></glossterm>
<glossdef><para>
The option <envar>AuthorizationFile</envar> specifies an alternate name for the user's authorization file.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>HostKeyFile hostkey</envar></glossterm>
<glossdef><para>
The option <envar>HostKeyFile</envar> specifies an alternate file containing the private host key. The default is <filename>/etc/ssh2/hostkey</filename>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>PublicHostKeyFile hostkey.pub</envar></glossterm>
<glossdef><para>
The option <envar>PublicHostKeyFile</envar> specifies an alternate file containing the public host key. The default is <filename>/etc/ssh2/hostkey.pub</filename>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>RandomSeedFile random_seed</envar></glossterm>
<glossdef><para>
The option <envar>RandomSeedFile</envar> specifies an alternate name for the user's random seed file.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>ForwardAgent no</envar></glossterm>
<glossdef><para>
On the server, the option <envar>ForwardAgent</envar> specifies whether the daemon permits clients to forward their authentication agent connection through this host.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>ForwardX11 no</envar></glossterm>
<glossdef><para>
The option <envar>ForwardX11</envar> is for people that use the <literal>Xwindow</literal> <acronym>GUI</acronym> and want <literal>X11</literal> connections from programs started on this server tunnelled back to their local display. Since we set up a server and don't have
a <acronym>GUI</acronym> installed on it, we can safely turn this option off.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>PasswordGuesses 3</envar></glossterm>
<glossdef><para>
The option <envar>PasswordGuesses</envar> specifies how many tries the user has when using password authentication before the daemon closes the connection. A low value limits online password guessing.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>MaxConnections 5</envar></glossterm>
<glossdef><para>
The option <envar>MaxConnections</envar> specifies the maximum number of connections that the ssh2 daemon will handle simultaneously. It limits the resources a flood of connection attempts can consume, so choose a value just above the number of concurrent sessions you expect.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>PermitRootLogin no</envar></glossterm>
<glossdef><para>
The option <envar>PermitRootLogin</envar> specifies whether root can log in using ssh. Never say <userinput>yes</userinput> to this option: log in as an ordinary user and use su instead, so that every privileged session is tied to a named account in the logs.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>AllowedAuthentications publickey,password</envar></glossterm>
<glossdef><para>
The option <envar>AllowedAuthentications</envar> specifies which authentication methods may be used at all; a client offering a method not listed here is refused. Together with <envar>RequiredAuthentications</envar> the administrator can force users to complete several authentications before
they are considered authenticated.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>RequiredAuthentications publickey,password</envar></glossterm>
<glossdef><para>
The option <envar>RequiredAuthentications</envar>, related to <envar>AllowedAuthentications</envar>, specifies which of those methods a user must complete before the login is accepted. Listing several methods forces the user to pass all of them, public key and then password in this example. Its value must match
the <envar>AllowedAuthentications</envar> option, otherwise the server denies every connection.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>VerboseMode no</envar></glossterm>
<glossdef><para>
The option <envar>VerboseMode</envar> instructs the ssh2 daemon to print debugging messages about its progress. This option is helpful in debugging connection, authentication, and configuration problems.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>PrintMotd yes</envar></glossterm>
<glossdef><para>
The option <envar>PrintMotd</envar> specifies whether the ssh2 daemon should print the content of the <filename>/etc/motd</filename> file when a user logs in interactively. The <filename>/etc/motd</filename> file is also
known as the <emphasis>message of the day</emphasis>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>CheckMail yes</envar></glossterm>
<glossdef><para>
The option <envar>CheckMail</envar> specifies whether the ssh2 daemon should print information about new mail you may have.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>UserConfigDirectory &quot;%D/.ssh2&quot;</envar></glossterm>
<glossdef><para>
The option <envar>UserConfigDirectory</envar> specifies the default location for user-specific configuration data.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>SyslogFacility DAEMON</envar></glossterm>
<glossdef><para>
The option <envar>SyslogFacility</envar> specifies the facility code used when logging messages from the ssh2 daemon. The facility specifies the subsystem that produced the message, in our case <envar>DAEMON</envar>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>Ssh1Compatibility no</envar></glossterm>
<glossdef><para>
The option <envar>Ssh1Compatibility</envar> specifies whether sshd2 should run the SSH1 compatibility code for clients that only speak the SSH1 protocol. Leave it off unless you must support such clients.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>NoDelay yes</envar></glossterm>
<glossdef><para>
The option <envar>NoDelay</envar> specifies if the socket option TCP_NODELAY should be enabled. It is recommended that you set this option to <userinput>yes</userinput> to improve network performance.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>KeepAlive yes</envar></glossterm>
<glossdef><para>
The option <envar>KeepAlive</envar> specifies whether the system should send keep-alive messages to the other end of the connection. If set to <userinput>yes</userinput>, a dead connection or a crashed
remote machine will be noticed and the session closed instead of lingering as a stale process.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>UserKnownHosts yes</envar></glossterm>
<glossdef><para>
The option <envar>UserKnownHosts</envar> specifies whether the user's own <filename>$HOME/.ssh2/knownhosts/</filename> directory can be used to get hosts' public keys when using <wordasword>hostbased-authentication</wordasword>.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>AllowHosts 192.168.1.4</envar></glossterm>
<glossdef><para>
The option <envar>AllowHosts</envar> controls which hosts can access ssh2 services. Multiple hosts can be specified, separated by spaces.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>DenyHosts *</envar></glossterm>
<glossdef><para>
The option <envar>DenyHosts</envar> controls which hosts cannot access ssh2 services. Multiple hosts can be specified, separated by spaces. The pattern <literal>*</literal> means all hosts.
</para></glossdef>
</glossentry>
<glossentry><glossterm>
<envar>QuietMode no</envar>
</glossterm>
<glossdef><para>
The option <envar>QuietMode</envar> specifies whether the daemon runs in quiet mode. This option must be set to <userinput>no</userinput>, because in quiet mode nothing except fatal
errors is logged to the system log. Since we want a record of user sessions, leave it disabled.
</para></glossdef>
</glossentry>
</glosslist>
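<para>
The following is an added example, not code from the book or from the SSH2 distribution: a small Python audit that parses an <filename>sshd2_config</filename> and reports every setting that departs from the values explained above. The set of expected values, the rule that <envar>RequiredAuthentications</envar> must list the same methods as <envar>AllowedAuthentications</envar>, and the pairing of <envar>DenyHosts *</envar> with a non-empty <envar>AllowHosts</envar> are taken from this section; the two sample configurations inside it are constructed.
</para>
<programlisting><![CDATA[
```python
"""Audit an sshd2_config against the hardened settings used in this chapter.

Added example; it is not code from the book or from the SSH2 distribution.
It parses only the 'Keyword value' syntax of sshd2_config, and the list of
expected values is an assumption taken from the settings explained above.
"""
import re
from typing import Dict, List, Optional

# Keyword (lower-cased) -> value this chapter recommends.
EXPECTED = {
    "permitrootlogin": "no",
    "forwardagent": "no",
    "forwardx11": "no",
    "ssh1compatibility": "no",
    "quietmode": "no",
}

_LINE = re.compile(r"^\s*([A-Za-z0-9]+)\s+(.*?)\s*$")


def parse_sshd2_config(text: str) -> Dict[str, List[str]]:
    """Map each keyword (lower-cased) to every value given for it, in file order.

    A '#' starts a comment; double quotes around a value are stripped, so
    UserConfigDirectory "%D/.ssh2" yields '%D/.ssh2'.
    """
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        match = _LINE.match(raw.split("#", 1)[0])
        if match:
            key, value = match.group(1).lower(), match.group(2).strip('"')
            found.setdefault(key, []).append(value)
    return found


def audit_sshd2_config(text: str) -> List[str]:
    """Return findings as strings; an empty list means the file matches the chapter."""
    cfg = parse_sshd2_config(text)
    findings: List[str] = []

    def last(key: str) -> Optional[str]:
        return cfg[key][-1] if key in cfg else None

    def methods(value: Optional[str]) -> set:
        return {m.strip().lower() for m in (value or "").split(",") if m.strip()}

    # A keyword given twice is ambiguous; report it instead of guessing which wins.
    for key, values in cfg.items():
        if len(values) > 1:
            findings.append(f"{key}: set {len(values)} times {values}; keep one line")

    for key, want in EXPECTED.items():
        got = last(key)
        if got is None:
            findings.append(f"{key}: not set, the server default applies; set it to {want}")
        elif got.lower() != want:
            findings.append(f"{key}: is {got!r}, expected {want!r}")

    # RequiredAuthentications must name the same methods as AllowedAuthentications,
    # otherwise sshd2 denies every connection.
    allowed = methods(last("allowedauthentications"))
    required = methods(last("requiredauthentications"))
    if allowed != required:
        findings.append(f"requiredauthentications {sorted(required)} differs from "
                        f"allowedauthentications {sorted(allowed)}")

    guesses = last("passwordguesses")
    if guesses is None or not guesses.isdigit() or int(guesses) > 3:
        findings.append(f"passwordguesses: is {guesses!r}, expected an integer of at most 3")

    # The chapter pairs 'DenyHosts *' with an explicit AllowHosts list; one without
    # the other either locks everyone out or lets everyone in.
    if last("denyhosts") != "*":
        findings.append(f"denyhosts: is {last('denyhosts')!r}, expected '*'")
    if not last("allowhosts"):
        findings.append("allowhosts: empty; with DenyHosts * nobody can log in")

    return findings


# Constructed sample matching the settings discussed above.
HARDENED = """\
PermitRootLogin no
ForwardAgent no
ForwardX11 no
PasswordGuesses 3
AllowedAuthentications publickey,password
RequiredAuthentications publickey,password
Ssh1Compatibility no
QuietMode no
UserConfigDirectory "%D/.ssh2"
AllowHosts 192.168.1.4
DenyHosts *
"""

# Constructed sample of a server left at permissive values.
WEAK = """\
PermitRootLogin yes
ForwardX11 yes
PasswordGuesses 10
AllowedAuthentications publickey,password
RequiredAuthentications publickey
DenyHosts *
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_sshd2_config(text) or "OK")
```
]]></programlisting>
<para>
Run it against <filename>/etc/ssh2/sshd2_config</filename> before restarting the daemon after every change. A keyword that appears twice is reported rather than resolved, because the file should say each thing once.
</para>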
</section>
<section><?dbhtml filename="chap16sec131.html"?>
<title>Configure sshd2 to use tcp-wrappers/inetd super server</title>
<para>
Instead of running sshd2 as a standalone daemon, you can have inetd start it through <command>tcpd</command>, the tcp-wrappers program, so that every connection is checked against <filename>/etc/hosts.allow</filename> and <filename>/etc/hosts.deny</filename> before sshd2 ever sees it. Upon execution, inetd reads its configuration from a file which, by default, is <filename>/etc/inetd.conf</filename>. Each
service takes one line, with the fields separated by tabs or spaces; the service name in the first field (<literal>ssh</literal>) must also be listed with its port in <filename>/etc/services</filename>.
</para>
<procedure>
<step><para>
Edit the <filename>inetd.conf</filename> file, <command>vi</command> <filename>/etc/inetd.conf</filename> and add the line:
<programlisting>
ssh stream tcp nowait root /usr/sbin/tcpd sshd -i
</programlisting>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The -i parameter is important since it tells sshd that it is being started by inetd and must handle the connection already open on its standard input rather than listen on a port. After adding the line, make inetd re-read <filename>inetd.conf</filename> by sending it a SIGHUP signal.
</para></important>
To make inetd re-read its configuration, use the following command:
<screen>
[root@deep] /#<command>killall</command> -HUP inetd
</screen>
</para></step>
<step><para>
Edit the <filename>hosts.allow file</filename>, <command>vi</command> <filename>/etc/hosts.allow</filename> and add the line:
<programlisting>
sshd: 192.168.1.4 win.openna.com
</programlisting>
This entry allows the daemon named <literal>sshd</literal> to be reached by any client matching <emphasis>either</emphasis> pattern: the address <literal>192.168.1.4</literal>, or a host whose reverse DNS name is <literal>win.openna.com</literal>. The two patterns are not tied together; matching on the address is the more reliable of the two, since a name match depends on DNS. Remember that tcp-wrappers grants access when neither file matches, so <filename>/etc/hosts.deny</filename> must deny everything else (<literal>ALL: ALL</literal>) for this allow line to mean anything.
<note><para>
These <literal>daemon</literal> strings for tcp-wrappers are in use by sshd2:
<variablelist>
<varlistentry><term>
sshd, sshd2</term>
<listitem><para>
The name under which sshd2 was started, normally <wordasword>sshd</wordasword> as in the <filename>inetd.conf</filename> line above.
</para></listitem>
</varlistentry>
<varlistentry><term>
sshdfwd-X11</term>
<listitem><para>
if you want to allow/deny X11-forwarding.
</para></listitem>
</varlistentry>
<varlistentry><term>
sshdfwd-&lt;port-number&gt;</term>
<listitem><para>
for tcp-forwarding.
</para></listitem>
</varlistentry>
<varlistentry><term>
sshdfwd-&lt;port-name&gt;</term>
<listitem><para>
port-name defined in <filename>/etc/services</filename>. Used in tcp-forwarding.
</para></listitem>
</varlistentry>
</variablelist>
</para></note>
</para></step>
</procedure>
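<para>
As an added example, not from the book or from the tcp_wrappers package, the following Python function reproduces the decision <command>tcpd</command> makes from <filename>hosts.allow</filename> and <filename>hosts.deny</filename>, so you can test what a given line admits before relying on it. It implements the documented order (allow file first, then deny file, then allow by default) for the common pattern forms only; the host names and addresses in the samples are constructed.
</para>
<programlisting><![CDATA[
```python
"""Predict what tcpd decides for a connection, from hosts.allow and hosts.deny text.

Added example; it is not part of the book or of the tcp_wrappers package.  It
follows the decision order documented in hosts_access(5): hosts.allow is
searched first and a matching entry grants access, then hosts.deny, where a
match denies, and if neither file matches the connection is allowed.  Only the
common client patterns are handled (ALL, an exact host name or IPv4 address, a
'.domain' suffix, a 'net.' prefix and net/mask); EXCEPT lists, KNOWN, LOCAL,
PARANOID and shell commands are left out.  The sample hosts are constructed.
"""
import ipaddress
from typing import Iterator, List, Tuple


def _entries(text: str) -> Iterator[Tuple[List[str], List[str]]]:
    """Yield (daemon patterns, client patterns) for each 'daemons : clients[: ...]' line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(":")
        if len(fields) >= 2:
            yield fields[0].split(), fields[1].split()


def _client_matches(pattern: str, host: str, addr: str) -> bool:
    """One client pattern against the peer's reverse-DNS name and address."""
    p = pattern.lower()
    if p == "all":
        return True
    if p.startswith("."):                      # .openna.com: any host in that domain
        return host.lower().endswith(p)
    if p.endswith("."):                        # 192.168.1.: an address prefix
        return addr.startswith(p)
    if "/" in p:                               # 192.168.1.0/255.255.255.0 or CIDR
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
        except ValueError:
            return False
    return p == host.lower() or p == addr      # exact name or exact address


def _entry_matches(daemons: List[str], clients: List[str],
                   daemon: str, host: str, addr: str) -> bool:
    daemon_ok = any(d == "ALL" or d == daemon for d in daemons)
    return daemon_ok and any(_client_matches(c, host, addr) for c in clients)


def hosts_access(allow_text: str, deny_text: str, daemon: str, host: str, addr: str) -> bool:
    """True if tcpd would hand the connection to `daemon` (for example 'sshd')."""
    for daemons, clients in _entries(allow_text):
        if _entry_matches(daemons, clients, daemon, host, addr):
            return True
    for daemons, clients in _entries(deny_text):
        if _entry_matches(daemons, clients, daemon, host, addr):
            return False
    return True   # nothing matched: tcp_wrappers grants access


# Constructed copies of the files from this section.
HOSTS_ALLOW = "sshd: 192.168.1.4 win.openna.com\n"
HOSTS_DENY_DEFAULT_DENY = "ALL: ALL\n"
HOSTS_DENY_EMPTY = ""

if __name__ == "__main__":
    peers = [("win.openna.com", "192.168.1.4"), ("unknown", "192.168.1.4"),
             ("win.openna.com", "10.0.0.7"), ("laptop.example", "10.0.0.9")]
    for host, addr in peers:
        verdict = hosts_access(HOSTS_ALLOW, HOSTS_DENY_DEFAULT_DENY, "sshd", host, addr)
        print(host, addr, "allow" if verdict else "deny")
    # With an empty hosts.deny the allow line changes nothing for the stranger.
    print("laptop with empty hosts.deny:",
          hosts_access(HOSTS_ALLOW, HOSTS_DENY_EMPTY, "sshd", "laptop.example", "10.0.0.9"))
```
]]></programlisting>
<para>
The last line shows the failure mode: with an empty <filename>hosts.deny</filename> the stranger still gets through. Note also that an entry for <literal>sshd</literal> says nothing about the forwarding daemon strings such as <literal>sshdfwd-X11</literal> listed above; those need their own lines if you want them allowed.
</para>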
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
If you do decide to switch to using ssh, make sure you install and use it on all your servers. Having ten secure servers and one insecure is a waste of time.
</para></tip>
</section>
<section><?dbhtml filename="chap16sec132.html"?>
<title>Configuration of the <filename>/etc/pam.d/ssh</filename> file</title>
<para>
For better security of your ssh2 server, you can configure it to use PAM authentication. To do that, you must create the <filename>/etc/pam.d/ssh</filename> file.
</para>
<para>
Create the ssh file <command>touch</command> <filename>/etc/pam.d/ssh</filename> and add or change, if necessary:
<programlisting>
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so use_authtok nullok md5 shadow
session required /lib/security/pam_pwdb.so
</programlisting>
</para>
<para>
For further documentation and more details, there are several man pages you can read:
<variablelist>
<varlistentry><term>
<citerefentry><refentrytitle>ssh-add2</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- adds identities for the authentication agent
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ssh-agent2</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- authentication agent
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>ssh-keygen2</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- authentication key pair generation
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>ssh2</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- secure shell client <emphasis>remote login program</emphasis>
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>sshd2</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- secure shell daemon
</para></listitem>
</varlistentry>
</variablelist>
</para>
</section>
<section><?dbhtml filename="chap16sec133.html"?>
<title>Ssh2 Per-User Configuration</title>
<procedure>
<step><para>
Create your private and public keys on the local host, by executing:
<screen>
[root@deep] /#<command>su</command> admin
[admin@deep /]$ ssh-keygen2
</screen>
<programlisting>
Generating 1024-bit dsa key pair
6 Oo..oOo.oOo.
Key generated.
1024-bit dsa, admin@deep.openna.com, Sun Feb 13 2000 05:33:38 -0500
Passphrase :
Again :
Private key saved to /home/admin/.ssh2/id_dsa_1024_a
Public key saved to /home/admin/.ssh2/id_dsa_1024_a.pub
</programlisting>
</para></step>
<step><para>
Create an <filename>identification</filename> file in your <filename class="directory">~/.ssh2</filename> home directory on the local host:
<screen>
[admin@deep]$<command>cd</command> ~/.ssh2
[admin@deep ]/.ssh2$<command>echo</command> &quot;IdKey id_dsa_1024_a&quot; &gt; identification
</screen>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
The identification file is needed on the local (client) host only: it names the private key that ssh2 offers for authentication. Creating one on the remote host is optional.
</para></note>
</para></step>
<step><para>
Copy your local public key <wordasword>id_dsa_1024_a.pub</wordasword> to the <filename class="directory">~/.ssh2</filename> directory on the remote host, under a name such as <filename>Local.pub</filename>. Copy only the <filename>.pub</filename> file; the private key never leaves the local host.
</para></step>
<step><para>
Create an <filename>authorization file</filename> in your <filename class="directory">~/.ssh2</filename> home directory on remote:
<screen>
[admin@remote ]/.ssh2$<command>touch</command> authorization
</screen>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
The <filename class="directory">~/</filename> means the user home directory.
</para></note>
</para></step>
<step><para>
Add the following one line to the <filename>authorization</filename> file on the remote host:
<screen>
[admin@remote ]/.ssh2$<command>vi</command> authorization
</screen>
<programlisting>
key Local.pub
</programlisting>
</para></step>
</procedure>
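<para>
To confirm that the files from these steps fit together before trying a login, here is an added example, not from the book or from SSH2: a Python checker that reads the local <filename>identification</filename> file and the remote <filename>authorization</filename> file, verifies that each named key file exists, that the private key is not readable by other users, and that a public key named on the remote side is the one the local IdKey will offer. The keyword handling (<literal>IdKey</literal> and <literal>Key</literal>, compared case-insensitively) is an assumption based on the two lines shown above; the demo builds both directories in a temporary location with constructed placeholder key text.
</para>
<programlisting><![CDATA[
```python
"""Check that a local and a remote ~/.ssh2 are wired up for public-key login.

Added example; not code from the book or from SSH2.  It understands the two line
forms used in the steps above, 'IdKey <private-key>' in the local identification
file and 'Key <public-key>' in the remote authorization file (keywords compared
case-insensitively, an assumption).  The key material in the demo is
constructed placeholder text, not a real key.
"""
import os
import stat
import tempfile
from typing import List


def _file_args(path: str, keyword: str) -> List[str]:
    """Return the file-name argument of every '<keyword> <file>' line in path."""
    names: List[str] = []
    if os.path.isfile(path):
        with open(path) as fh:
            for raw in fh:
                parts = raw.split("#", 1)[0].split()
                if len(parts) == 2 and parts[0].lower() == keyword:
                    names.append(parts[1])
    return names


def _accessible_by_others(path: str) -> bool:
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def _read(path: str) -> str:
    with open(path) as fh:
        return fh.read().strip()


def check_key_login(local_ssh2: str, remote_ssh2: str) -> List[str]:
    """Return the problems that would stop key-based login from local to remote."""
    problems: List[str] = []

    # Local side: every IdKey must name a private key with a matching .pub.
    local_pubs = set()
    id_keys = _file_args(os.path.join(local_ssh2, "identification"), "idkey")
    if not id_keys:
        problems.append("local identification file names no IdKey")
    for name in id_keys:
        priv = os.path.join(local_ssh2, name)
        if not os.path.isfile(priv):
            problems.append(f"local private key {name} is missing")
            continue
        if _accessible_by_others(priv):
            problems.append(f"local private key {name} is readable by group or others")
        if os.path.isfile(priv + ".pub"):
            local_pubs.add(_read(priv + ".pub"))
        else:
            problems.append(f"local public key {name}.pub is missing")

    # Remote side: every Key line must name an existing public key file.
    remote_pubs = set()
    keys = _file_args(os.path.join(remote_ssh2, "authorization"), "key")
    if not keys:
        problems.append("remote authorization file names no Key")
    for name in keys:
        pub = os.path.join(remote_ssh2, name)
        if os.path.isfile(pub):
            remote_pubs.add(_read(pub))
        else:
            problems.append(f"remote public key {name} is missing")

    # The two sides must agree on at least one key.
    if local_pubs and remote_pubs and not (local_pubs & remote_pubs):
        problems.append("no key in remote authorization matches a local IdKey")
    return problems


def demo(copy_public_key: bool = True) -> List[str]:
    """Build both directories in a temp dir following the steps above, then check them."""
    root = tempfile.mkdtemp()
    local = os.path.join(root, "local", ".ssh2")
    remote = os.path.join(root, "remote", ".ssh2")
    os.makedirs(local, mode=0o700)
    os.makedirs(remote, mode=0o700)
    priv = os.path.join(local, "id_dsa_1024_a")
    with open(priv, "w") as fh:                      # constructed placeholder, not a real key
        fh.write("---- BEGIN SSH2 PRIVATE KEY (constructed) ----\n")
    os.chmod(priv, 0o600)
    with open(priv + ".pub", "w") as fh:
        fh.write("---- BEGIN SSH2 PUBLIC KEY (constructed) ----\nAAAA\n")
    with open(os.path.join(local, "identification"), "w") as fh:
        fh.write("IdKey id_dsa_1024_a\n")
    if copy_public_key:                              # the copy step, .pub renamed Local.pub
        with open(os.path.join(remote, "Local.pub"), "w") as fh:
            fh.write(_read(priv + ".pub") + "\n")
    with open(os.path.join(remote, "authorization"), "w") as fh:
        fh.write("key Local.pub\n")
    return check_key_login(local, remote)


if __name__ == "__main__":
    print("complete setup:", demo() or "OK")
    print("forgot to copy the key:", demo(copy_public_key=False))
```
]]></programlisting>
<para>
In real use call <function>check_key_login</function> with the two <filename class="directory">.ssh2</filename> directories (the remote one reached over an existing login or a mounted copy); a private key that is group- or world-readable is reported because the daemon's <envar>StrictModes</envar> check, and plain prudence, reject it.
</para>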
</section>
<section><?dbhtml filename="chap16sec134.html"?>
<title>SSH2 Users Tools</title>
<para>
The commands listed below are some that we use often in our regular use, but many more exist, and you should check the man page and documentation for more details.
</para>
<formalpara>
<title>ssh2</title>
<para>
Ssh2, Secure Shell, provides secure encrypted communications between two untrusted hosts over an insecure network. It is a program for logging securely into a remote machine and executing commands there, and it
is a suitable replacement for insecure programs such as telnet, rlogin, rcp, rdist and rsh.
To log in to a remote machine, use the command:
<screen>
[root@deep] /#<command>ssh2</command> -l &lt;login_name&gt; &lt;hostname&gt;
</screen>
<example>
<title>login to a remote using ssh2</title>
<para>
<screen>
[root@deep] /#<command>ssh2</command> -l admin www.openna.com
</screen>
<literallayout class="monospaced"><computeroutput>
Passphrase for key &quot;/home/admin/.ssh2/id_dsa_1024_a&quot; with comment &quot;1024-bit dsa, admin@deep.openna.com, Tue Oct 19 1999 14:31:40 -0400&quot;:
admin's password:
Last login: Tue Oct 19 1999 18:13:00 -0400 from deep.openna.com
No mail.
</computeroutput></literallayout>
<screen>
[admin@www ]/admin$
</screen>
</para></example>
Where &lt;login_name&gt; is the name you use to connect to the ssh2 remote server and &lt;hostname&gt; is the address of your ssh2 remote server.
</para>
</formalpara>
<formalpara>
<title>sftp2</title>
<para>
The sftp2, Secure File Transfer utility is an ftp-like client that transfers files over an ssh2 connection which it opens itself, so the same keys and passwords apply and no separate FTP daemon runs on the server.
To transfer files over ssh2, use the following command:
<screen>
[admin@deep /]$<command>sftp2</command> &lt;hostname&gt;
</screen>
<example>
<title>sftp2, Secure File Transfer</title>
<para>
<screen>
[admin@deep /]$<command>sftp2</command> www.openna.com
</screen>
<literallayout class="monospaced"><computeroutput>
local path : /home/admin
Passphrase for key &quot;/home/admin/.ssh2/id_dsa_1024_a&quot; with comment &quot;1024-bit dsa, admin@deep.openna.com, Tue Oct 19 1999 14:31:40 -0400&quot;:
admin's password:
admin's password:
remote path : /home/admin
</computeroutput></literallayout>
<screen>
sftp&gt;
</screen>
</para></example>
Where &lt;hostname&gt; is the name of the remote server you want to sftp.
</para>
</formalpara>
</section>
<section><?dbhtml filename="chap16sec135.html"?>
<title>Installed files</title>
<para>These are the files installed by the Ssh2 software on your machine:</para>
<simplelist type="vert" columns="3">
<member><filename>/etc/pam.d/ssh</filename></member>
<member><filename>/etc/ssh2</filename></member>
<member><filename>
/etc/ssh2/hostkey
</filename></member>
<member><filename>
/etc/ssh2/hostkey.pub
</filename></member>
<member><filename>
/etc/ssh2/sshd2_config
</filename></member>
<member><filename>
/etc/ssh2/ssh2_config
</filename></member>
<member><filename>
/root/.ssh2
</filename></member>
<member><filename>
/root/.ssh2/random_seed
</filename></member>
<member><filename>
/root/ssh2
</filename></member>
<member><filename>
/usr/man/man1/ssh2.1
</filename></member>
<member><filename>
/usr/man/man1/ssh-keygen2.1
</filename></member>
<member><filename>
/usr/man/man1/ssh-add2.1
</filename></member>
<member><filename>
/usr/man/man1/ssh-agent2.1
</filename></member>
<member><filename>
/usr/man/man1/scp2.1
</filename></member>
<member><filename>
/usr/man/man1/sftp2.1
</filename></member>
<member><filename>
/usr/man/man1/ssh.1
</filename></member>
<member><filename>
/usr/man/man1/ssh-add.1
</filename></member>
<member><filename>
/usr/man/man1/ssh-agent.1
</filename></member>
<member><filename>
/usr/man/man1/ssh-keygen.1
</filename></member>
<member><filename>
/usr/man/man1/scp.1
</filename></member>
<member><filename>
/usr/man/man1/sftp.1
</filename></member>
<member><filename>
/usr/man/man8/sshd2.8
</filename></member>
<member><filename>
/usr/man/man8/sshd.8
</filename></member>
<member><filename>
/usr/bin/ssh2
</filename></member>
<member><filename>
/usr/bin/scp2
</filename></member>
<member><filename>
/usr/bin/sftp2
</filename></member>
<member><filename>
/usr/bin/sftp-server2
</filename></member>
<member><filename>
/usr/bin/ssh-agent2
</filename></member>
<member><filename>
/usr/bin/ssh-keygen2
</filename></member>
<member><filename>
/usr/bin/ssh-signer2
</filename></member>
<member><filename>
/usr/bin/ssh-add2
</filename></member>
<member><filename>
/usr/bin/ssh
</filename></member>
<member><filename>
/usr/bin/ssh-agent
</filename></member>
<member><filename>
/usr/bin/ssh-add
</filename></member>
<member><filename>
/usr/bin/ssh-askpass
</filename></member>
<member><filename>
/usr/bin/ssh-keygen
</filename></member>
<member><filename>
/usr/bin/scp
</filename></member>
<member><filename>
/usr/bin/sftp
</filename></member>
<member><filename>
/usr/bin/sftp-server
</filename></member>
<member><filename>
/usr/bin/ssh-signer
</filename></member>
<member><filename>
/usr/sbin/sshd2
</filename></member>
<member><filename>
/usr/sbin/sshd
</filename></member>
</simplelist>
</section>
</chapter>
<chapter label="17" id="pr6ch17SSSI"><?dbhtml filename="sysintegrity.html"?>
<title>Software -Securities/System Integrity</title>
<highlights>
<para>
A typical Red Hat Linux server installation holds approximately 30,400 files. No administrator can check the integrity of all of them by hand, and a cracker who has gained access to your
server can, with some effort, install or modify files without your knowledge. Since this possibility exists, a few programs have been created to detect such activity.
</para></highlights>
<section id="prt6ch3sc1trwr"><?dbhtml filename="chap17sec136.html"?>
<title>Linux Tripwire 2.2.1</title>
<sidebar>
<title>According to the official <citation>Tripwire site</citation>:</title>
<para>
Tripwire works at the most fundamental layer, protecting the servers and workstations that make up the corporate network. Tripwire works by first scanning a computer and creating a database of system files, a compact
digital <wordasword>snapshot</wordasword> of the system in a known secure state. The user can configure Tripwire very precisely, specifying individual files and directories on each machine to monitor, or creating a
standard template that can be used on all machines in an enterprise-wide environment.
</para>
<para>
Once this baseline database is created, a system administrator can use Tripwire to check the integrity of a system at any time. By scanning the current system and comparing that information with the data stored
in the database, Tripwire detects and reports any additions, deletions, or changes to the system outside of the specified boundaries. If these changes are valid, the administrator can update the baseline database
with the new information. If malicious changes are found, the system administrator will instantly know exactly which part, which component <abbrev>etc.</abbrev> of the network have been affected.
</para>
</sidebar>
<para>
This version of Tripwire has significant product enhancements over previous versions of Tripwire. Some of the enhancements include:
<itemizedlist>
<listitem><para>
Multiple levels of reporting allow you to choose different levels of report detail.
</para></listitem>
<listitem><para>
Syslog option sends information about database initialization, database update, policy update and integrity check to the syslog.
</para></listitem>
<listitem><para>
Database performance has been optimized to increase the efficiency of integrity checks.
</para></listitem>
<listitem><para>
Individual email recipients can be sent certain sections of a report.
</para></listitem>
<listitem><para>
SMTP email reporting support.
</para></listitem>
<listitem><para>
Email test mode enables you to verify that the email settings are correct.
</para></listitem>
<listitem><para>
Ability to create multiple sections within a policy file to be executed separately.
</para></listitem>
</itemizedlist>
</para>
<para>
These installation instructions assume:
<itemizedlist><listitem><para>
Commands are Unix-compatible.
</para></listitem>
<listitem><para>
The source path is <filename>/var/tmp</filename> -<emphasis>other paths are possible</emphasis>.
</para></listitem>
<listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem>
<listitem><para>
All steps in the installation will happen in super-user account root.
</para></listitem>
<listitem><para>
Tripwire version number is <literal>2.2.1</literal>
</para></listitem>
</itemizedlist>
</para>
<para>
These are the Package(s) you need to install:
<simplelist><member>
Tripwire Homepage: <link linkend="prtinxfp15">http://www.tripwiresecurity.com/</link>
</member>
<member>
You must be sure to download: Tripwire_221_for_Linux_x86_tar.gz
</member>
</simplelist>
</para>
<para>
To install Tripwire 2.2.1, first decompress the tarball (<literal>tar.gz</literal>):
<screen>
[root@deep] /#<command>cp</command> Tripwire_version_for_Linux_x86_tar.gz /var/tmp
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf Tripwire_version_for_Linux_x86_tar.gz
</screen>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
After the decompression of Tripwire you will see the following files in your <filename>/var/tmp</filename> directory related to Tripwire software:
<simplelist>
<member>
License.txt
</member>
<member>
README
</member>
<member>
Release_Notes
</member>
<member>
install.cfg
</member>
<member>
install.sh
</member>
<member>
package directory
</member>
<member>
Tripwire tar.gz file Tripwire_version_for_Linux_x86_tar.gz.
</member>
</simplelist>
</para></note>
</section>
<section><?dbhtml filename="chap17sec137.html"?>
<title>Configure the <filename>/var/tmp/install.cfg</filename> file</title>
<para>
Recall that Tripwire version <literal>2.2.1</literal> is not open source, so you cannot compile and install it from source like the other packages in this book. Instead you edit the <filename>install.cfg</filename> file, which the
installer reads to learn where to put the files, so that the layout matches the Red Hat file system structure and the Tripwire binaries land in a directory on
your <envar>PATH</envar> environment variable.
</para>
<procedure>
<step><para>
Edit the <filename>install.cfg</filename> file, <command>vi</command> <filename>install.cfg</filename> and change this file to look like:
<programlisting>
#
# install.cfg
#
# default install.cfg for:
# Tripwire(R) 2.2.1 for Unix
#
# NOTE: This is a Bourne shell script that stores installation
# parameters for your installation. The installer will
# execute this file to generate your config file and also to
# locate any special configuration needs for your install.
# Protect this file, because it is possible for
# malicious code to be inserted here
#
# To set your Root directory for install, set TWROOT= to something
# other than /usr/TSS as necessary.
#
#=======================================================
# If CLOBBER is true, then existing files are overwritten.
# If CLOBBER is false, existing files are not overwritten.
CLOBBER=false
# The root of the TSS directory tree.
TWROOT="/usr"
# Tripwire binaries are stored in TWBIN.
TWBIN="${TWROOT}/bin"
# Tripwire policy files are stored in TWPOLICY.
TWPOLICY="${TWROOT}/TSS/policy"
# Tripwire manual pages are stored in TWMAN.
TWMAN="${TWROOT}/man"
# Tripwire database files are stored in TWDB.
TWDB="${TWROOT}/TSS/db"
# The Tripwire site key files are stored in TWSITEKEYDIR.
TWSITEKEYDIR="${TWROOT}/TSS/key"
# The Tripwire local key files are stored in TWLOCALKEYDIR.
TWLOCALKEYDIR="${TWROOT}/TSS/key"
# Tripwire report files are stored in TWREPORT.
TWREPORT="${TWROOT}/TSS/report"
# This sets the default text editor for Tripwire.
TWEDITOR="/bin/vi"
# TWLATEPROMPTING controls the point when tripwire asks for a password.
TWLATEPROMPTING=false
# TWLOOSEDIRCHK selects whether the directory should be monitored for
# properties that change when files in the directory are monitored.
TWLOOSEDIRCHK=false
# TWMAILNOVIOLATIONS determines whether Tripwire sends a no violation
# report when integrity check is run with --email-report but no rule
# violations are found. This lets the admin know that the integrity
# was run, as opposed to having failed for some reason.
TWMAILNOVIOLATIONS=true
# TWEMAILREPORTLEVEL determines the verbosity of e-mail reports.
TWEMAILREPORTLEVEL=3
# TWREPORTLEVEL determines the verbosity of report printouts.
TWREPORTLEVEL=3
# TWSYSLOG determines whether Tripwire will log events to the system log
TWSYSLOG=false
#####################################
# Mail Options - Choose the appropriate
# method and comment the other section
#####################################
#####################################
# SENDMAIL options - DEFAULT
#
# Either SENDMAIL or SMTP can be used to send reports via TWMAILMETHOD.
# Specifies which sendmail program to use.
#####################################
TWMAILMETHOD=SENDMAIL
TWMAILPROGRAM="/usr/lib/sendmail -oi -t"
#####################################
# SMTP options
#
# TWSMTPHOST selects the SMTP host to be used to send reports.
# SMTPPORT selects the SMTP port for the SMTP mail program to use.
#####################################
# TWMAILMETHOD=SMTP
# TWSMTPHOST="mail.domain.com"
# TWSMTPPORT=25
################################################################################
# Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc. Tripwire (R) is a
# registered trademark of the Purdue Research Foundation and is licensed
# exclusively to Tripwire (R) Security Systems, Inc.
################################################################################
</programlisting>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
The file <filename>install.cfg</filename> is a Bourne shell script used by the installer to set configuration variables. These variables specify the target directories where the installer will copy files and what the
installer should do if the installation process would overwrite existing Tripwire software files.
</para></note>
</para></step>
<step><para>
Now we must run the installation script to install Tripwire binaries and related files on to our system according to whether you are using default or custom configuration values. To run the installation
script and install Tripwire, use the following command:
<screen>
[root@deep ]/tmp#<command>./install.sh</command>
</screen>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The install.sh file is the installation script which you run to begin installation of Tripwire. During the installation procedure, you will:
<orderedlist><listitem><para>
Answer some questions related to the installation.
</para></listitem>
<listitem><para>
Specify two pass phrases to be assigned for your site and local keys.
</para></listitem>
</orderedlist>
</para></important>
</para></step>
<step><para>
When Tripwire is installed on your system it copies the <filename>License.txt</filename>, <filename>README</filename>, and <filename>Release_Notes</filename> files into the <filename class="directory">/usr</filename> directory. Once
you have read them you can safely remove them with the following command:
<screen>
[root@deep ]/usr# <command>rm</command> -f /usr/License.txt /usr/README /usr/Release_Notes
</screen>
</para></step>
</procedure>
<para>
Don't forget to clean up later:
<screen>
[root@deep] /#<command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf License.txt README Release_Notes install.cfg install.sh pkg/ Tripwire_version_for_Linux_x86_tar.gz
</screen>
</screen>
The <command>rm</command> command as used above will remove all related files and directories we have used to install Tripwire for Linux. It will also remove the Tripwire for Linux compressed archive
from the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap17sec138.html"?>
<title>Configuration files</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each software described in this book has been provided by us as a gzipped file, <filename>floppy.tgz</filename> for your convenience. This can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack this to any location on your local machine, say for example <filename class="directory">/tmp</filename>, assuming you have done this your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each configuration file has its own directory
for respective software. For example <wordasword>Tripwire-2.2.1</wordasword> configuration file are organised like this:
<literallayout class="monospaced"><computeroutput>
total 16
-rw-r--r-- 1 harrypotter harrypotter 3312 Jun 8 13:00 install.cfg
-rw-r--r-- 1 harrypotter harrypotter 10152 Jun 8 13:00 twpol.txt
</computeroutput></literallayout>
You can either cut and paste this directly if you are faithfully following our instructions from the beginning, or manually edit these to fit your needs. This facility is there as a convenience, but please don't forget that ultimately it is your
responsibility to check and verify them before you use them, whether modified or as they are.
</para>
</note>
<para>
To run Tripwire for Linux, the following file is required and must be created or copied to the appropriate directory on your server.
Copy the <filename>twpol.txt</filename> file to the <filename class="directory">/usr/TSS/policy</filename> directory.
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration file listed below on our <filename>floppy.tgz</filename> archive. Copy the following file from the decompressed <filename>floppy.tgz</filename> archive to the appropriate place, or
copy and paste it directly from this book to the concerned file.
</para></tip>
</section>
<section><?dbhtml filename="chap17sec139.html"?>
<title>Configure the <filename>/usr/TSS/policy/twpol.txt</filename> file</title>
<para>
The <filename>/usr/TSS/policy/twpol.txt</filename> is the text policy file of Tripwire, where you specify which files and directories to check. Note that tuning this policy file takes testing and experience
before the integrity-check reports come out clean. The following is a working example from which you can start your own customization.
</para>
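<para>
The policy file builds its variables from property masks such as $(IgnoreNone)-SHa and +pug, and a rule line may adjust a mask further (for example $(Dynamic) -i on the database file). As an added example, not part of the book or of Tripwire, the following Python code expands such a mask into the set of file properties Tripwire will actually compare, using the predefined variable values documented in the twpolicy manual page; treating a leading letter without a sign as a '+' is an assumption.
</para>
<programlisting><![CDATA[
```python
"""Expand Tripwire property masks such as those used in twpol.txt.

Added example; it is not part of the book or of Tripwire.  A mask is a string
of '+' and '-' runs over the single-letter property codes, '$(Name)' expands a
variable, and a later letter overrides an earlier one, so '+pinug-ug' checks
p, i and n only.  The predefined variables are the values twpolicy(4) gives
for them; treating a leading letter without a sign as '+' is an assumption.
"""
import re
from typing import Dict, List, Optional, Set

PROPERTIES: Dict[str, str] = {
    "p": "permissions", "i": "inode number", "n": "number of links",
    "u": "owner", "g": "group", "t": "file type", "s": "size",
    "d": "device number of the disk", "r": "device number the inode points to",
    "b": "number of blocks", "m": "modification time", "a": "access time",
    "c": "inode change time", "l": "file is allowed only to grow",
    "C": "CRC-32", "M": "MD5", "S": "SHA", "H": "Haval",
}

PREDEFINED: Dict[str, str] = {
    "ReadOnly": "+pinugtsdbmCM-rlacSH",
    "Dynamic": "+pinugtd-srlbamcCMSH",
    "Growing": "+pinugtdl-srbamcCMSH",
    "Device": "+pugsdr-intlbamcCMSH",
    "IgnoreAll": "-pinugtsdrlbamcCMSH",
    "IgnoreNone": "+pinugtsdrbamcCMSH-l",
}

# The variables defined in the policy file of this chapter.
BOOK_VARIABLES: Dict[str, str] = {
    "SEC_CRIT": "$(IgnoreNone)-SHa",
    "SEC_SUID": "$(IgnoreNone)-SHa",
    "SEC_TCB": "$(ReadOnly)",
    "SEC_BIN": "$(ReadOnly)",
    "SEC_CONFIG": "$(Dynamic)",
    "SEC_LOG": "$(Growing)",
    "SEC_INVARIANT": "+pug",
}

_VARIABLE = re.compile(r"\$\((\w+)\)")


def expand_mask(mask: str, variables: Optional[Dict[str, str]] = None) -> Set[str]:
    """Return the set of property letters the mask turns on."""
    table = dict(PREDEFINED)
    table.update(variables or {})
    for _ in range(10):                          # resolve $(Var), including nested references
        mask, count = _VARIABLE.subn(lambda m: table[m.group(1)], mask)
        if count == 0:
            break
    else:
        raise ValueError("variable references nest too deeply")
    on: Set[str] = set()
    sign = "+"
    for ch in mask:
        if ch in "+-":
            sign = ch
        elif ch.isspace():
            continue
        elif ch not in PROPERTIES:
            raise ValueError(f"unknown property code {ch!r}")
        elif sign == "+":
            on.add(ch)
        else:
            on.discard(ch)
    return on


def checked(mask: str, variables: Optional[Dict[str, str]] = None) -> List[str]:
    """Names of the properties a mask compares, in Tripwire's letter order."""
    on = expand_mask(mask, variables)
    return [PROPERTIES[c] for c in PROPERTIES if c in on]


def unchecked(mask: str, variables: Optional[Dict[str, str]] = None) -> List[str]:
    """Names of the properties a mask ignores; changes to these go unreported."""
    on = expand_mask(mask, variables)
    return [PROPERTIES[c] for c in PROPERTIES if c not in on]


if __name__ == "__main__":
    for name, mask in BOOK_VARIABLES.items():
        print(f"{name:14} {mask:22} checks {''.join(sorted(expand_mask(mask)))}")
    # The database rule drops the inode check because Tripwire rewrites the
    # database file under a new inode on every update.
    print("Dynamic -i ignores:", ", ".join(unchecked("$(Dynamic) -i")))
```
]]></programlisting>
<para>
Running it shows, for instance, that <literal>$(IgnoreNone)-SHa</literal> still compares the CRC-32 and MD5 of a critical file while dropping the slower SHA and Haval hashes and the access time, and that <literal>+pug</literal> on a directory watches nothing but permissions, owner and group.
</para>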
<procedure>
<step><para>
You must modify the default policy file, or create your own. The <filename>policyguide.txt</filename> file under <filename class="directory">/usr/TSS/policy</filename> directory can help you. Open the policy
file <filename>twpol.txt</filename> with a text editor, <command>vi</command> <filename>/usr/TSS/policy/twpol.txt</filename> and change it to fit your needs:
<programlisting>
@@section GLOBAL
TWROOT="/usr";
TWBIN="/usr/bin";
TWPOL="/usr/TSS/policy";
TWDB="/usr/TSS/db";
TWSKEY="/usr/TSS/key";
TWLKEY="/usr/TSS/key";
TWREPORT="/usr/TSS/report";
HOSTNAME=deep.openna.com;
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa; # Critical files - we can't afford to miss any changes.
SEC_SUID = $(IgnoreNone)-SHa; # Binaries with the SUID or SGID flags set.
SEC_TCB = $(ReadOnly); # Members of the Trusted Computing Base.
SEC_BIN = $(ReadOnly); # Binaries that shouldn't change
SEC_CONFIG = $(Dynamic); # Config files that are changed infrequently but accessed often.
SEC_LOG = $(Growing); # Files that grow, but that should never change ownership.
SEC_INVARIANT = +pug; # Directories that should never change permission or ownership.
SIG_LOW = 33; # Non-critical files that are of minimal security impact
SIG_MED = 66; # Non-critical files that are of significant security impact
SIG_HI = 100; # Critical files that are significant points of vulnerability
# Tripwire Binaries
(emailto = admin@openna.com, rulename = "Tripwire Binaries", severity = $(SIG_HI))
{
$(TWBIN)/siggen -> $(ReadOnly);
$(TWBIN)/tripwire -> $(ReadOnly);
$(TWBIN)/twadmin -> $(ReadOnly);
$(TWBIN)/twprint -> $(ReadOnly);
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(emailto = admin@openna.com, rulename = "Tripwire Data Files", severity = $(SIG_HI))
{
# NOTE: Removing the inode attribute because when Tripwire creates a backup
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Leaving inode turned on for keys, which shouldn't
# ever change.
# NOTE: this rule will trigger on the first integrity check after database
# initialization, and each integrity check afterward until a database update
# is run, since the database file will not exist before that point.
$(TWDB) -> $(Dynamic) -i;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i;
$(TWBIN)/tw.cfg -> $(SEC_BIN) -i;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0);
}
# These files are critical to a correct system boot.
(emailto = admin@openna.com, rulename = "Critical system boot files", severity = 100)
{
/boot -> $(SEC_CRIT) ;
!/boot/System.map ;
!/boot/module-info ;
}
# These files change the behavior of the root account
(emailto = admin@openna.com, rulename = "Root config files", severity = 100)
{
/root -> $(SEC_CRIT) ;
/root/.bash_history -> $(SEC_LOG) ;
}
# Commonly accessed directories that should remain static with regards to owner and group
(emailto = admin@openna.com, rulename = "Invariant Directories", severity = $(SIG_MED))
{
/ -> $(SEC_INVARIANT) (recurse = 0);
/home -> $(SEC_INVARIANT) (recurse = 0);
/etc -> $(SEC_INVARIANT) (recurse = 0);
/chroot -> $(SEC_INVARIANT) (recurse = 0);
/cache -> $(SEC_INVARIANT) (recurse = 0);
}
(emailto = admin@openna.com, rulename = "Shell Binaries")
{
/bin/bsh -> $(SEC_BIN);
/bin/csh -> $(SEC_BIN);
/bin/sh -> $(SEC_BIN);
}
# Rest of critical system binaries
(emailto = admin@openna.com, rulename = "OS executables and libraries", severity = $(SIG_HI))
{
/bin -> $(ReadOnly) ;
/lib -> $(ReadOnly) ;
}
# Local files
(emailto = admin@openna.com, rulename = "User binaries", severity = $(SIG_MED))
{
/sbin -> $(SEC_BIN) (recurse = 1);
/usr/sbin -> $(SEC_BIN) (recurse = 1);
/usr/bin -> $(SEC_BIN) (recurse = 1);
}
# Temporary directories
(emailto = admin@openna.com, rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW))
{
/usr/tmp -> $(SEC_INVARIANT);
/var/tmp -> $(SEC_INVARIANT);
/tmp -> $(SEC_INVARIANT);
}
# Libraries
(emailto = admin@openna.com, rulename = "Libraries", severity = $(SIG_MED))
{
/usr/lib -> $(SEC_BIN);
}
# Include
(emailto = admin@openna.com, rulename = "OS Development Files", severity = $(SIG_MED))
{
/usr/include -> $(SEC_BIN);
}
# Shared
(emailto = admin@openna.com, rulename = "OS Shared Files", severity = $(SIG_MED))
{
/usr/share -> $(SEC_BIN);
}
# Kernel headers files
(emailto = admin@openna.com, rulename = "Kernel Headers Files", severity = $(SIG_HI))
{
/usr/src/linux-2.2.14 -> $(SEC_BIN);
}
# setuid/setgid root programs
(emailto = admin@openna.com, rulename = "setuid/setgid", severity = $(SIG_HI))
{
/bin/su -> $(SEC_SUID);
/sbin/pwdb_chkpwd -> $(SEC_SUID);
/sbin/dump -> $(SEC_SUID);
/sbin/restore -> $(SEC_SUID);
/usr/bin/at -> $(SEC_SUID);
/usr/bin/passwd -> $(SEC_SUID);
/usr/bin/suidperl -> $(SEC_SUID);
/usr/bin/crontab -> $(SEC_SUID);
/usr/sbin/sendmail -> $(SEC_SUID);
/usr/bin/man -> $(SEC_SUID);
/usr/bin/sperl5.00503 -> $(SEC_SUID);
/usr/bin/slocate -> $(SEC_SUID);
/usr/sbin/utempter -> $(SEC_SUID);
/sbin/netreport -> $(SEC_SUID);
}
(emailto = admin@openna.com, rulename = "Configuration Files")
{
/etc/hosts -> $(SEC_CONFIG);
/etc/inetd.conf -> $(SEC_CONFIG);
/etc/initlog.conf -> $(SEC_CONFIG);
/etc/inittab -> $(SEC_CONFIG);
/etc/resolv.conf -> $(SEC_CONFIG);
/etc/syslog.conf -> $(SEC_CONFIG);
}
(emailto = admin@openna.com, rulename = "Security Control")
{
/etc/group -> $(SEC_CRIT);
/etc/security/ -> $(SEC_CRIT);
/lib/security/ -> $(SEC_CRIT);
/var/spool/cron -> $(SEC_CRIT);
}
(emailto = admin@openna.com, rulename = "Login Scripts")
{
/etc/csh.login -> $(SEC_CONFIG);
/etc/profile -> $(SEC_CONFIG);
}
# These files change every time the system boots
(emailto = admin@openna.com, rulename = "System boot changes", severity = $(SIG_HI))
{
/dev/log -> $(Dynamic) ;
/dev/cua0 -> $(Dynamic) ;
/dev/console -> $(Dynamic) ;
/dev/tty2 -> $(Dynamic) ; # tty devices
/dev/tty3 -> $(Dynamic) ; # are extremely
/dev/tty4 -> $(Dynamic) ; # variable
/dev/tty5 -> $(Dynamic) ;
/dev/tty6 -> $(Dynamic) ;
/dev/urandom -> $(Dynamic) ;
/dev/initctl -> $(Dynamic) ;
/var/lock/subsys -> $(Dynamic) ;
/var/run -> $(Dynamic) ; # daemon PIDs
/var/log -> $(Dynamic) ;
/etc/ioctl.save -> $(Dynamic) ;
/etc/.pwd.lock -> $(Dynamic) ;
/etc/mtab -> $(Dynamic) ;
/lib/modules -> $(Dynamic) ;
}
# Critical configuration files
(emailto = admin@openna.com, rulename = "Critical configuration files", severity = $(SIG_HI))
{
/etc/conf.modules -> $(ReadOnly) ;
/etc/crontab -> $(ReadOnly) ;
/etc/cron.hourly -> $(ReadOnly) ;
/etc/cron.daily -> $(ReadOnly) ;
/etc/cron.weekly -> $(ReadOnly) ;
/etc/cron.monthly -> $(ReadOnly) ;
/etc/default -> $(ReadOnly) ;
/etc/fstab -> $(ReadOnly) ;
/etc/group- -> $(ReadOnly) ; # changes should be infrequent
/etc/host.conf -> $(ReadOnly) ;
/etc/hosts.allow -> $(ReadOnly) ;
/etc/hosts.deny -> $(ReadOnly) ;
/etc/lilo.conf -> $(ReadOnly) ;
/etc/logrotate.conf -> $(ReadOnly) ;
/etc/pwdb.conf -> $(ReadOnly) ;
/etc/securetty -> $(ReadOnly) ;
/etc/sendmail.cf -> $(ReadOnly) ;
/etc/protocols -> $(ReadOnly) ;
/etc/services -> $(ReadOnly) ;
/etc/rc.d/init.d -> $(ReadOnly) ;
/etc/rc.d -> $(ReadOnly) ;
/etc/motd -> $(ReadOnly) ;
/etc/passwd -> $(ReadOnly) ;
/etc/passwd- -> $(ReadOnly) ;
/etc/profile.d -> $(ReadOnly) ;
/etc/rpc -> $(ReadOnly) ;
/etc/sysconfig -> $(ReadOnly) ;
/etc/shells -> $(ReadOnly) ;
/etc/nsswitch.conf -> $(ReadOnly) ;
}
# Critical devices
(emailto = admin@openna.com, rulename = "Critical devices", severity = $(SIG_HI), recurse = false)
{
/dev/kmem -> $(Device) ;
/dev/mem -> $(Device) ;
/dev/null -> $(Device) ;
/dev/zero -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/tty -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/ide -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/ksyms -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/version -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/cmdline -> $(Device) ;
/proc/misc -> $(Device) ;
}
</programlisting>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
This is an example policy file we provide you; of course, you must modify this file to fit your system files and specific needs.
</para></tip>
</para></step>
<step><para>
Once you are ready to use your policy file for the first time, install it with the following command:
<screen>
[root@deep] /#<command>twadmin</command> --create-polfile /usr/TSS/policy/twpol.txt
</screen>
<literallayout class="monospaced"><computeroutput>
Please enter your site passphrase:
Wrote policy file: /usr/TSS/policy/tw.pol
</computeroutput></literallayout>
</para></step>
</procedure>
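<para>
The <literal>setuid/setgid</literal> rule above names each privileged binary by hand, so the list drifts as packages are installed or removed. The following is an added example, not code from the book or from Tripwire: it generates the rule body in the policy syntax shown above from the setuid and setgid programs actually found under a directory tree, and lists the ones an existing policy does not mention. It assumes find(1) with <literal>-perm</literal> and paths without whitespace; the tree and policy that <literal>suid_demo</literal> builds are constructed test data.
</para>

```sh
#!/bin/sh
# Added example, not from the book or from Tripwire: generate the body of the
# "setuid/setgid" rule in the Tripwire 2.x policy syntax shown above from the
# setuid and setgid programs actually present under a tree, and list the ones an
# existing policy does not mention. Assumes find(1) with -perm and paths without
# whitespace; the tree and policy built by suid_demo are constructed test data.

# Print "PATH -> $(SEC_SUID);" for every regular file under TREE ($1) that has
# the setuid (4000) or setgid (2000) bit set, sorted for a stable policy file.
suid_rule_lines() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort |
    while IFS= read -r f; do printf '%s -> $(SEC_SUID);\n' "$f"; done
}

# Emit a complete rule block for TREE ($1) with the emailto address ($2),
# using the same attribute names as the policy above.
suid_rule() {
  printf '(emailto = %s, rulename = "setuid/setgid", severity = $(SIG_HI))\n{\n' "$2"
  suid_rule_lines "$1"
  printf '}\n'
}

# Print setuid/setgid files under TREE ($1) that POLICY ($2) does not mention:
# drift between the privileged binaries on disk and the objects Tripwire watches.
suid_not_in_policy() {
  suid_rule_lines "$1" | cut -d' ' -f1 | while IFS= read -r f; do
    if ! grep -qF -- "$f " "$2"; then printf '%s\n' "$f"; fi
  done
}

# Build a constructed tree (one setuid, one setgid, one ordinary binary) and a
# constructed policy that lists only the setuid one; print "RULE_LINES UNLISTED".
suid_demo() {
  _root=$(mktemp -d)
  mkdir -p "$_root/bin" "$_root/usr/bin"
  : > "$_root/bin/su";       chmod 4755 "$_root/bin/su"        # setuid
  : > "$_root/usr/bin/wall"; chmod 2755 "$_root/usr/bin/wall"  # setgid
  : > "$_root/bin/ls";       chmod 0755 "$_root/bin/ls"        # no special bits
  printf '%s -> $(SEC_SUID);\n' "$_root/bin/su" > "$_root.pol"  # constructed policy
  _n=$(suid_rule_lines "$_root" | wc -l | tr -d ' ')
  _missing=$(suid_not_in_policy "$_root" "$_root.pol" | sed 's|.*/||')
  rm -rf "$_root" "$_root.pol"
  printf '%s %s\n' "$_n" "$_missing"   # expected: "2 wall"
}
```

<para>
Run <literal>suid_rule</literal> over each tree of binaries on the live system to produce a rule block you can paste into <filename>twpol.txt</filename>, and <literal>suid_not_in_policy</literal> against the installed <filename>twpol.txt</filename> as a periodic check: anything it prints is either a gap in the policy or a setuid file that appeared without your knowledge.
</para>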
</section>
<section><?dbhtml filename="chap17sec140.html"?>
<title>Securing Tripwire for Linux</title>
<para>
It is important to make sure that the integrity of the system you are running has not already been compromised. For maximum confidence in your baseline database, you should generate operating system and application
files from a clean installation and original media. It is also recommended that you delete the plain text copy of the Tripwire configuration file, <filename>twcfg.txt</filename>, located in the <filename class="directory">/usr/bin</filename>
directory, to hide the location of Tripwire's files and prevent anyone from creating a second, or alternate, configuration file.
To delete the plain text copy of the Tripwire configuration file, use the following command:
<screen>
[root@deep] /#<command>rm</command> -f /usr/bin/twcfg.txt
</screen>
</para>
<para>
For more details, there are several man pages you can read:
<variablelist><varlistentry><term>
<citerefentry><refentrytitle>siggen</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- signature gathering routine for Tripwire
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>tripwire</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- a file integrity checker for UNIX systems
</para></listitem>
</varlistentry>
<varlistentry>
<term><citerefentry><refentrytitle>twadmin</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- Tripwire administrative and utility tool
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>twconfig</refentrytitle><manvolnum>4</manvolnum></citerefentry></term>
<listitem><para>
- Tripwire configuration file reference
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>twfiles</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
- overview of files used by Tripwire and file backup process
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>twintro</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- introduction to Tripwire software
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>twpolicy</refentrytitle><manvolnum>4</manvolnum></citerefentry></term>
<listitem><para>
- Tripwire policy file reference
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>twprint</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- Tripwire database and report printer
</para></listitem>
</varlistentry>
</variablelist>
</para>
<section>
<title>Often used Commands</title>
<para>
The commands listed below are some that we use often, but many more exist. Check the man pages for more details.
</para>
<para>
Creating the database for the first time: once your policy file has been installed, it is time to build and initialize your database
of file system objects, based on the rules from your policy file. This database will serve as the baseline for later integrity checks.
</para>
<para>
The syntax for Database Initialization mode is:
<screen>
[root@deep] /#<command>tripwire</command> --init
</screen>
</para>
<para>
To initialize your database file, use the following command:
<screen>
[root@deep] /#<command>tripwire</command> --init
</screen>
<literallayout class="monospaced"><computeroutput>
Please enter your local passphrase:
Parsing policy file: /usr/TSS/policy/tw.pol
Generating the database...
*** Processing Unix File System ***
Wrote database file: /usr/TSS/db/deep.openna.com.twd
The database was successfully generated.
</computeroutput></literallayout>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
When this command has executed, the database is ready and you can check system integrity and review the report file.
</para></tip>
</section>
</section>
<section><?dbhtml filename="chap17sec141.html"?>
<title>Integrity or Interactive Check Mode</title>
<para>
Tripwire has a feature called <wordasword>Integrity Check Mode</wordasword>. Now that our database has been built, we can run this feature to compare the current file system objects with their properties as recorded
in the Tripwire database. All violations are printed to <literal>stdout</literal>, and the generated report file is saved so that it can later be read with the <command>twprint</command> utility.
The syntax for integrity check mode is:
<screen>
[root@deep] /#<command>tripwire</command> --check
</screen>
To run the integrity check mode, use the command:
<screen>
[root@deep] /#<command>tripwire</command> --check
</screen>
</para>
<para>
Tripwire can also be run in <wordasword>Interactive Check Mode</wordasword>. In this mode you can review each reported change and update the database with it directly from the terminal.
To run in interactive check mode, use the command:
<screen>
[root@deep] /#<command>tripwire</command> --check --interactive
</screen>
</para>
<para>
Tripwire also has an email option, which causes the report to be emailed to the recipients designated in the policy file (the <literal>emailto</literal> attribute of each rule).
To run in integrity check mode and send the report by email, use the command:
<screen>
[root@deep] /#<command>tripwire</command> --check --email-report
</screen>
</para>
<para>
<emphasis>Updating the database after an integrity check.</emphasis>
If you have decided to use the <wordasword>Integrity Check Mode</wordasword> of Tripwire instead of the <wordasword>Interactive Check Mode</wordasword>, you must update the Tripwire database with
the <wordasword>Database Update Mode</wordasword> feature. This update process allows you to save time by updating the database without having to regenerate it, and it also enables selective
updating, which cannot be done through regeneration.
The syntax for database update mode is:
<screen>
[root@deep] /#<command>tripwire</command> --update -r /path/to/report/file
</screen>
To update the database, use the command:
<screen>
[root@deep] /#<command>tripwire</command> --update -r /usr/TSS/report/deep.openna.com-200001-021854.twr
</screen>
Where <literal>-r</literal> reads the specified report file, <filename>deep.openna.com-200001-021854.twr</filename>. This option is required since the <envar>REPORTFILE</envar> variable in the current
configuration file uses <literal>$(DATE)</literal>, so the report file name changes with every run.
</para>
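<para>
The three modes described above, database initialization, integrity check and selective database update, form one cycle. The following is an added example, not code from the book or from Tripwire: a minimal integrity checker in POSIX sh that records mode, owner, group, size and SHA-256 for every file under a tree, reports added, modified and removed objects against that baseline, and accepts only the changes named in a report, the way <command>tripwire</command> --update -r does. The text database format, the function names and the tree built by <literal>tw_demo</literal> are assumptions of this example; it expects GNU coreutils (stat -c, sha256sum, mktemp) and paths without whitespace.
</para>

```sh
#!/bin/sh
# Added example, not from the book or from Tripwire: a minimal init / check /
# update cycle in POSIX sh that mirrors the three Tripwire modes described above.
# The "database" is a text file with one line per object: path, mode, uid, gid,
# size, SHA-256. Assumes GNU coreutils (stat -c, sha256sum, mktemp) and paths
# without whitespace; the tree that tw_demo builds is constructed test data.

# One database line for the regular file $1.
tw_record() {
  printf '%s %s %s\n' "$1" "$(stat -c '%a %u %g %s' "$1")" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Record every regular file under TREE ($1) into FILE ($2), sorted by path.
tw_snapshot() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do tw_record "$f"; done > "$2"
}

# tw_init TREE DB: build the baseline (the equivalent of tripwire --init).
tw_init() { tw_snapshot "$1" "$2"; }

# tw_check TREE DB REPORT: compare the live tree with DB, write one
# "Added:|Modified:|Removed: PATH" line per violation to REPORT and return 1 when
# there is at least one, so a cron wrapper can decide whether to mail anything
# (the equivalent of tripwire --check).
tw_check() {
  _cur=$(mktemp)
  tw_snapshot "$1" "$_cur"
  awk 'FILENAME == ARGV[1] { base[$1] = $0; next }   # first file is the baseline
       !($1 in base)       { print "Added:", $1; next }
       base[$1] != $0      { print "Modified:", $1 }
                           { delete base[$1] }
       END { for (p in base) print "Removed:", p }' "$2" "$_cur" | LC_ALL=C sort > "$3"
  rm -f "$_cur"
  [ ! -s "$3" ]
}

# tw_update DB REPORT: accept only the changes listed in REPORT into DB, leaving
# every other entry untouched (the equivalent of tripwire --update -r REPORT).
tw_update() {
  _new=$(mktemp)
  # Keep the baseline lines for objects the report does not mention ...
  awk 'FILENAME == ARGV[1] { seen[$2] = 1; next } !($1 in seen)' "$2" "$1" > "$_new"
  # ... then re-record the reported objects that still exist; removed ones drop out.
  awk '{ print $2 }' "$2" | while IFS= read -r p; do
    if [ -f "$p" ]; then tw_record "$p" >> "$_new"; fi
  done
  LC_ALL=C sort "$_new" > "$1"
  rm -f "$_new"
}

# Run the whole cycle on a constructed tree and print
# "VIOLATIONS CHECK_STATUS VIOLATIONS_AFTER_UPDATE CHECK_STATUS_AFTER_UPDATE".
tw_demo() {
  _root=$(mktemp -d)
  _db=$_root.twd; _rep=$_root.twr
  mkdir -p "$_root/etc" "$_root/bin"
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$_root/etc/passwd"
  printf 'original program\n' > "$_root/bin/ls"
  tw_init "$_root" "$_db"
  printf 'root:x:0:0:root:/root:/bin/sh\nnewuser:x:1001:1001::/home/newuser:/bin/sh\n' > "$_root/etc/passwd"  # modified
  printf 'new program\n' > "$_root/bin/sh"                                                                    # added
  rm -f "$_root/bin/ls"                                                                                       # removed
  if tw_check "$_root" "$_db" "$_rep"; then _s1=0; else _s1=1; fi
  _n1=$(cat "$_rep" | wc -l | tr -d ' ')
  tw_update "$_db" "$_rep"             # accept all three changes named in the report
  if tw_check "$_root" "$_db" "$_rep"; then _s2=0; else _s2=1; fi
  _n2=$(cat "$_rep" | wc -l | tr -d ' ')
  rm -rf "$_root" "$_db" "$_rep"
  printf '%s %s %s %s\n' "$_n1" "$_s1" "$_n2" "$_s2"   # expected: "3 1 0 0"
}
```

<para>
The point of the update step is the same one the text makes about selective updating: only the objects named in the report are re-recorded, so a baseline entry you have not reviewed is never silently replaced, and a report from an earlier run cannot be used to approve changes that happened after it.
</para>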
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
In Database Update Mode or Interactive Check Mode, Tripwire software displays the report in your terminal with a ballot box next to each policy violation. You can approve a change to the file system by
leaving the <literal>x</literal> next to the policy violation, or remove the <literal>x</literal> from the ballot box so that the database will not be updated with the new value(s) for that object. After you exit the editor and provide the local
passphrase, Tripwire software will update and save your changes.
</para></important>
<para>
<emphasis>Updating the policy file.</emphasis>
Sometimes you want to change the rules in your policy file to reflect new file locations or policy rules. A special command exists to do the work and update the database without requiring a complete
re-initialization. This can save a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses.
The syntax for policy update mode is:
<screen>
[root@deep] /#<command>tripwire</command> --update-policy /path/to/new/policy/file
</screen>
To update the policy file, use the command:
<screen>
[root@deep] /#<command>tripwire</command> --update-policy /usr/TSS/policy/newtwpol.txt
</screen>
</para>
<para>
The policy update mode runs with the <literal>--secure-mode high</literal> option by default. You may encounter errors when running with this option if the file system has changed since the last database update, and
the changes cause a violation in the new policy. After determining that all of the violations reported in high security mode are authorized, you can update the policy file in low security mode to resolve this situation.
To update the policy file in low security mode, use the command:
<screen>
[root@deep] /#<command>tripwire</command> --update-policy --secure-mode low /usr/TSS/policy/newtwpol.txt
</screen>
</para>
</section>
<section><?dbhtml filename="chap17sec142.html"?>
<title>Installed files</title>
<para>
These are the files installed by Tripwire:
</para>
<simplelist type="vert" columns="3">
<member><filename>
/usr/TSS
</filename></member>
<member><filename>
/usr/bin
</filename></member>
<member><filename>
/usr/bin/siggen
</filename></member>
<member><filename>
/usr/bin/twprint
</filename></member>
<member><filename>
/usr/bin/twadmin
</filename></member>
<member><filename>
/usr/bin/tripwire
</filename></member>
<member><filename>
/usr/bin/twcfg.txt
</filename></member>
<member><filename>
/usr/bin/tw.cfg
</filename></member>
<member><filename>
/usr/TSS/policy
</filename></member>
<member><filename>
/usr/TSS/policy/policyguide.txt
</filename></member>
<member><filename>
/usr/TSS/policy/twpol.txt
</filename></member>
<member><filename>
/usr/TSS/policy/tw.pol
</filename></member>
<member><filename>
/usr/TSS/policy/twpol.txt.bak
</filename></member>
<member><filename>
/usr/TSS/report
</filename></member>
<member><filename>
/usr/TSS/db
</filename></member>
<member><filename>
/usr/TSS/key
</filename></member>
<member><filename>
/usr/TSS/key/site.key
</filename></member>
<member><filename>
/usr/TSS/key/deep.openna.com-local.key
</filename></member>
<member><filename>
/usr/man
</filename></member>
<member><filename>
/usr/man/man4
</filename></member>
<member><filename>
/usr/man/man4/twconfig.4
</filename></member>
<member><filename>
/usr/man/man4/twpolicy.4
</filename></member>
<member><filename>
/usr/man/man5
</filename></member>
<member><filename>
/usr/man/man5/twfiles.5
</filename></member>
<member><filename>
/usr/man/man8
</filename></member>
<member><filename>
/usr/man/man8/siggen.8
</filename></member>
<member><filename>
/usr/man/man8/tripwire.8
</filename></member>
<member><filename>
/usr/man/man8/twadmin.8
</filename></member>
<member><filename>
/usr/man/man8/twintro.8
</filename></member>
<member><filename>
/usr/man/man8/twprint.8
</filename></member>
<member><filename>
/usr/README
</filename></member>
<member><filename>
/usr/Release_Notes
</filename></member>
<member><filename>
/usr/License.txt
</filename></member>
</simplelist>
</section>
</chapter>
<chapter label="18" id="pr6ch4sc1ltp"><?dbhtml filename="tripwireASR.html"?>
<title>Linux Tripwire ASR 1.3.1</title>
<highlights>
<para>
Tripwire ASR 1.3.1 is the Academic Source Release (ASR) of Tripwire software. Personally, I prefer the 1.3.1 version of the software rather than the 2.2.1 version because it can compile and be installed without any
compatibility problems on all versions of Linux systems.
</para></highlights>
<section><?dbhtml filename="chap18sec143.html"?>
<title>Install, Compile and Optimize</title>
<sidebar>
<title>As explained in the <citation>Tripwire ASR goals</citation>:</title>
<para>
With the advent of increasingly sophisticated and subtle account break-ins on Unix systems, the need for tools to aid in the detection of unauthorized modification of files becomes clear. Tripwire is a tool that
aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or
tampered files, so damage control measures can be taken in a timely manner.
</para>
</sidebar>
<para>
Tripwire is a file and directory integrity checker, a utility that compares a designated set of files and directories against information stored in a previously generated database. Any differences are flagged
and logged, including added or deleted entries. When run against system files on a regular basis, any changes in critical system files will be spotted, and appropriate damage control measures can be taken
immediately. With Tripwire, system administrators can conclude with a high degree of certainty that a given set of files remains free of unauthorized modifications if Tripwire reports no changes.
</para>
<para>
These installation instructions assume:
<itemizedlist><listitem><para>
Commands are Unix-compatible.
</para></listitem>
<listitem><para>
The source path is <filename>/var/tmp</filename> <emphasis>-other paths are possible</emphasis>.
</para></listitem>
<listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem>
<listitem><para>
All steps in the installation will happen in super-user account root.
</para></listitem>
<listitem><para>
Tripwire version number is <literal>1.3.1-1</literal>
</para></listitem>
</itemizedlist>
</para>
<para>
These are the package(s) required and Tripwire Homepage:
<simplelist><member>
<link linkend="prtinxfp16">http://www.tripwiresecurity.com/</link>
</member></simplelist>
You must be sure to download: Tripwire-1.3.1-1.tar.gz
</para>
<para>
You need to decompress the tarball. It is a good idea to make a list of files on the system before you install it, and one afterwards, and then compare them using <command>diff</command> to find out what file it placed where. Simply
run <command>find</command> <userinput>/* &gt; Tripwire1</userinput> before and <command>find</command> <userinput>/* &gt; Tripwire2</userinput> after you install the tarball, and use <command>diff</command> <userinput>Tripwire1 Tripwire2 &gt; Tripwire-Installed</userinput>
to get a list of what changed.
<screen>
[root@deep] /# <command>cp</command> Tripwire-version.tar.gz /var/tmp
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf Tripwire-version.tar.gz
</screen>
</para>
<para>
Move into the new Tripwire directory and edit the <filename>utils.c</filename> file, <command>vi</command> +462 <filename>src/utils.c</filename>, and change the line:
<programlisting>
else if (iscntrl(*pcin)) {
</programlisting>
To read:
<programlisting>
else if (!(*pcin &amp; 0x80) &amp;&amp; iscntrl(*pcin)) {
</programlisting>
</para>
<para>
Edit the <filename>config.parse.c</filename> file, <command>vi</command> +356 <filename>src/config.parse.c</filename> and change the line:
<programlisting>
rewind(fpout);
</programlisting>
To read:
<programlisting>
else {
rewind(fpin);
}
</programlisting>
</para>
<para>
Edit the <filename class="headerfile">config.h</filename> file, <command>vi</command> +106 <filename class="headerfile">include/config.h</filename> and change the lines:
<programlisting>
#define CONFIG_PATH "/usr/local/bin/tw"
#define DATABASE_PATH "/var/tripwire"
</programlisting>
To read:
<programlisting>
#define CONFIG_PATH "/etc"
#define DATABASE_PATH "/var/spool/tripwire"
</programlisting>
</para>
<para>
Edit the <filename class="headerfile">config.h</filename> file, <command>vi</command> +165 <filename class="headerfile">include/config.h</filename> and change the line:
<programlisting>
#define TEMPFILE_TEMPLATE "/tmp/twzXXXXXX"
</programlisting>
To read:
<programlisting>
#define TEMPFILE_TEMPLATE "/var/tmp/.twzXXXXXX"
</programlisting>
</para>
<para>
Edit the <filename>config.pre.y</filename> file <command>vi</command> +66 <filename>src/config.pre.y</filename> and change the line:
<programlisting>
#ifdef TW_LINUX
</programlisting>
To read:
<programlisting>
#ifdef TW_LINUX_UNDEF
</programlisting>
</para>
<para>
Edit the <filename>Makefile</filename>, <command>vi</command> +13 <filename>Makefile</filename> and change the following lines:
<programlisting>
DESTDIR = /usr/local/bin/tw
</programlisting>
To read:
<programlisting>
DESTDIR = /usr/sbin
</programlisting>
<programlisting>
DATADIR = /var/tripwire
</programlisting>
To read:
<programlisting>
DATADIR = /var/spool/tripwire
</programlisting>
<programlisting>
LEX = lex
</programlisting>
To read:
<programlisting>
LEX = flex
</programlisting>
<programlisting>
CC=gcc
</programlisting>
To read:
<programlisting>
CC=egcs
</programlisting>
<programlisting>
CFLAGS = -O
</programlisting>
To read:
<programlisting>
CFLAGS = -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions
</programlisting>
</para>
<para>
<screen>
[root@deep ]/tw_ASR_1.3.1_src# <command>make</command>
[root@deep ]/tw_ASR_1.3.1_src# <command>make install</command>
</screen>
<screen>
[root@deep ]/tw_ASR_1.3.1_src# <command>chmod</command> 700 /var/spool/tripwire/
[root@deep ]/tw_ASR_1.3.1_src# <command>chmod</command> 500 /usr/sbin/tripwire
[root@deep ]/tw_ASR_1.3.1_src# <command>chmod</command> 500 /usr/sbin/siggen
[root@deep ]/tw_ASR_1.3.1_src# <command>rm</command> -f /usr/sbin/tw.config
</screen>
</para>
<para>
<itemizedlist><listitem><para>
The above commands <command>make</command> and <command>make install</command> will configure the software to ensure your system has the necessary functionality and libraries to successfully compile the package, compile all source files into
executable binaries, and then install the binaries and any supporting files into the appropriate locations.
</para></listitem>
<listitem><para>
The <command>chmod</command> commands change the mode of the <filename class="directory">/var/spool/tripwire</filename> directory to <literal>700</literal> (<literal>drwx------</literal>), readable, writable and executable only by the super-user root. They make
the binary <filename>/usr/sbin/tripwire</filename> readable and executable only by the super-user root, <literal>500</literal> (<literal>-r-x------</literal>), and finally make the <filename>siggen</filename> program in the <filename class="directory">/usr/sbin</filename> directory readable
and executable only by root.
</para></listitem>
<listitem><para>
The <command>rm</command> command as used above will remove the file <filename>tw.config</filename> under <filename class="directory">/usr/sbin</filename>. We don't need this file since we will create a new one under <filename class="directory">/etc</filename>
directory later.
</para></listitem>
</itemizedlist>
</para>
<para>
Clean up later:
<screen>
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf tw_ASR_version/ Tripwire-version.tar.gz
</screen>
The <command>rm</command> command as used above will remove all the source files we have used to compile and install Tripwire. It will also remove the Tripwire compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap18sec145.html"?>
<title>Configurations</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. It can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack this to any location on your local machine, say for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each piece of software has its own directory
of configuration files. For example, the <wordasword>Tripwire-1.3.1</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 8
-rwx------ 1 harrypotter harrypotter 504 Jun 8 13:00 tripwire.verify*
-rw------- 1 harrypotter harrypotter 611 Jun 8 13:00 tw.config
</computeroutput></literallayout>
You can either copy these directly if you are faithfully following our instructions from the beginning, or edit them manually to suit your needs. This facility is provided as a convenience, but please don't forget that ultimately it is your
responsibility to check and verify them before you use them, whether modified or as they are.
</para>
</note>
<para>
To run Tripwire, the following files are required and must be created or copied to their appropriate directories on your server.
<orderedlist>
<listitem><para>
Copy the <filename>tw.config</filename> file to the <filename class="directory">/etc</filename> directory.
</para></listitem>
<listitem><para>
Copy the <filename>tripwire.verify</filename> script to the <filename class="directory">/etc/cron.daily</filename> directory.
</para></listitem>
</orderedlist>
</para>
</section>
<section><?dbhtml filename="chap18sec146.html"?>
<title>Configure the <filename>/etc/tw.config</filename> file</title>
<para>
The <filename>/etc/tw.config</filename> file is the Tripwire configuration file where you decide and set which system files and directories you want monitored. Note that extensive testing and experience
are necessary when editing this file before you get useful reports. The following is a working example from which you can start your own customization.
</para>
<procedure>
<step><para>
Create the <filename>tw.config</filename> file, <command>touch</command> <filename>/etc/tw.config</filename> and add in this file all files and directories that you want monitored. The format of the configuration
file is described in its header and in the man page <citerefentry><refentrytitle>tw.config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:
<programlisting>
# Gerhard Mourani: gmourani@videotron.ca
# last updated: 1999/11/12
# First, root's "home"
/root R
!/root/.bash_history
/ R
# OS itself
/boot/vmlinuz R
# critical boot resources
/boot R
# Critical directories and files
/chroot R
/etc R
/etc/inetd.conf R
/etc/nsswitch.conf R
/etc/rc.d R
/etc/mtab L
/etc/motd L
/etc/group R
/etc/passwd L
# other popular filesystems
/usr R
/usr/local R
/dev L-am
/usr/etc R
# truncate home
=/home R
# var tree
=/var/spool L
/var/log L
/var/lib L
/var/spool/cron L
!/var/lock
# unusual directories
=/proc E
=/tmp
=/mnt/cdrom
=/mnt/floppy
</programlisting>
</para></step>
<step><para>
Now, for security reasons, change the mode of this file to be <literal>0600</literal> with the following command:
<screen>
[root@deep] /# <command>chmod</command> 600 /etc/tw.config
</screen>
</para></step>
</procedure>
</section>
<section><?dbhtml filename="chap18sec147.html"?>
<title>Configure the <filename>/etc/cron.daily/tripwire.verify</filename> script</title>
<para>
The <filename>tripwire.verify</filename> file is a small script executed by the crond program of your server each day to scan your hard disk for possible changed files or directories and mail the results to
the system administrator. This script will automate the procedure of integrity checking for you. If you intend to automate this task, follow the simple steps below.
</para>
<procedure>
<step><para>
Create the <filename>tripwire.verify</filename> script file, <command>touch</command> <filename>/etc/cron.daily/tripwire.verify</filename> and add in this script:
<programlisting>
#!/bin/sh
/usr/sbin/tripwire -loosedir -q | (cat &lt;&lt;EOF
This is an automated report of possible file integrity changes, generated by
the Tripwire integrity checker. To tell Tripwire that a file or entire
directory tree is valid, as root run:
/usr/sbin/tripwire -update [pathname|entry]
If you wish to enter an interactive integrity checking and verification
session, as root run:
/usr/sbin/tripwire -interactive
Changed files/directories include:
EOF
cat
) | /bin/mail -s "File integrity report" root
</programlisting>
</para></step>
<step><para>
Now, make this script executable and change its mode to be 0700 with the following command:
<screen>
[root@deep] /# <command>chmod</command> 700 /etc/cron.daily/tripwire.verify
</screen>
</para></step>
</procedure>
<section>
<title>Security Issue</title>
<para>
It is recommended for better security that the database <filename>tw.db_[hostname]</filename> file of Tripwire be moved someplace <abbrev>e.g.</abbrev> floppy, where it cannot be modified. This is important
because data from Tripwire is only as trustworthy as its database.
It is also recommended that you make a hardcopy printout of the database contents right away. In the event that you become suspicious of the integrity of the database, you will be able to manually compare
information against this hardcopy.
</para>
<para>
For more details and further documentation, there are several man pages you can read:
<variablelist>
<varlistentry><term>
<citerefentry><refentrytitle>siggen</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- signature generation routine for Tripwire
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>tripwire</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- a file integrity checker for UNIX systems
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>tw.config</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
- configuration file for Tripwire
</para></listitem>
</varlistentry>
</variablelist>
</para>
<para>
The commands listed in the next section are some that we use often, but many more exist. Check the man pages for more details.
</para>
</section>
</section>
<section><?dbhtml filename="chap18sec148.html"?>
<title>Tripwire in <literal>Interactive Checking Mode</literal></title>
<para>
In <literal>Interactive Checking Mode</literal>, Tripwire reports files or directories that have been added, deleted, or changed since the original database was built and asks the user whether each database entry
should be updated. This mode is the most convenient way of keeping your database up-to-date, but it requires that the user be <wordasword>at the console</wordasword>. If you intend to use this mode, then follow
the simple steps below.
</para>
<procedure>
<step><para>
Tripwire must have a database to compare against so we first create the file information database. This action will create a file called <filename>tw.db_[hostname]</filename> in the directory you specified to hold your
databases where <literal>[hostname]</literal> will be replaced with your machine hostname.
To create the file information database for Tripwire, use the command:
<screen>
[root@deep] /# <command>cd</command> /var/spool/tripwire/
[root@deep ]/tripwire# <command>/usr/sbin/tripwire</command> --initialize
</screen>
We move to the directory we specified to hold our database, and then we create the file information database, which is used for all subsequent Integrity Checking.
</para></step>
<step><para>
Once the file information database of Tripwire has been created, we can now run Tripwire in <literal>Interactive Checking Mode</literal>. This mode will prompt the user for whether or not each changed entry on the
system should be updated to reflect the current state of the file.
To run in Interactive Checking Mode, use the command:
<screen>
[root@deep] /# <command>cd</command> /var/spool/tripwire/database/
[root@deep ]/database# <command>cp</command> tw.db_myserverhostname /var/spool/tripwire/
[root@deep ]/database# <command>cd ..</command>
[root@deep ]/tripwire# <command>/usr/sbin/tripwire</command> --interactive
</screen>
<literallayout class="monospaced"><computeroutput>
Tripwire(tm) ASR (Academic Source Release) 1.3.1
File Integrity Assessment Software
(c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire
Security Systems, Inc. All Rights Reserved. Use Restricted to
Authorized Licensees.
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### Total files scanned: 15722
### Files added: 34
### Files deleted: 42
### Files changed: 321
###
### Total file violations: 397
### added: -rwx------ root 22706 Dec 31 06:25:02 1999 /root/tmp/firewall
---> File: '/root/tmp/firewall'
---> Update entry? [YN(y)nh?]
</computeroutput>
</literallayout>
</para></step>
</procedure>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
In interactive mode, Tripwire first reports all added, deleted, and changed files, then allows the user to update the entry in the database.
</para>
</note>
</section>
<section id="pr6ch4sc5trp"><?dbhtml filename="chap18sec149.html"?>
<title>Run Tripwire in <wordasword>Database Update Mode</wordasword></title>
<para>
Running Tripwire in <wordasword>Database Update Mode</wordasword> together with the <filename>tripwire.verify</filename> script that mails the results to the system administrator will reduce the time spent
scanning the system. Instead of running Tripwire in <wordasword>Interactive Checking Mode</wordasword> and waiting for the long scan to finish, the <filename>tripwire.verify</filename> script scans
the system and reports the result via mail; you then run Tripwire in <wordasword>Database Update Mode</wordasword> and update only the single files or directories that have changed.
</para>
<example>
<title>Usage of Tripwire</title>
<para>
If a single file has changed, you can:
<screen>
[root@deep] /# <command>tripwire</command> -update /etc/newly.installed.file
</screen>
</para>
<para>
Or, if an entire set of files or directories has changed, you can run:
<screen>
[root@deep] /# <command>tripwire</command> -update /usr/lib/Package_Dir
</screen>
In either case, Tripwire regenerates the database entries for every specified file. A backup of the old database is created in the <filename class="directory">./databases</filename> directory.
</para></example>
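<para>
The database, compare and update cycle that the Interactive Checking Mode and Database Update Mode sections describe, as an added example (not Tripwire's own code): a small Python checker that records the mode and a SHA-256 content hash of every file under a root, reports added, deleted and changed entries in the style of Tripwire's phase 4 output, and regenerates a single entry the way <command>tripwire -update pathname</command> does. The <literal>ignore</literal> list plays the role of the <literal>!</literal> entries in <filename>tw.config</filename>; directory entries keep only their mode, so a file added inside a directory is reported once, similar in spirit to the <literal>-loosedir</literal> flag used in the cron script above. The sample tree is constructed in a temporary directory.
</para>

```python
"""Tripwire-style integrity checker in miniature (added example, not Tripwire's
own code): build a file information database, find added/deleted/changed entries,
and regenerate a single entry the way 'tripwire -update pathname' does."""
import hashlib
import os
import stat


def file_record(path):
    """Attributes to compare. Directories keep only their mode, so a file added
    inside a directory is reported once, not also as a changed directory."""
    st = os.lstat(path)
    record = {"mode": stat.S_IMODE(st.st_mode)}
    if stat.S_ISREG(st.st_mode):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        record["size"] = st.st_size
        record["sha256"] = digest.hexdigest()
    return record


def _ignored(rel, ignore):
    """True if rel is one of the ignored relative paths or lies below one."""
    return any(rel == p or rel.startswith(p + "/") for p in ignore)


def build_database(root, ignore=()):
    """Phases 2 and 3: walk root and record every directory and file, skipping
    the relative paths in ignore (the role of '!' entries in tw.config)."""
    database = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if _ignored(rel_dir, ignore):
            dirnames[:] = []          # do not descend into an ignored tree
            continue
        database[rel_dir] = file_record(dirpath)
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if not _ignored(rel, ignore):
                database[rel] = file_record(os.path.join(dirpath, name))
    return database


def compare(database, current):
    """Phase 4: what differs between the stored database and a fresh scan."""
    old, new = set(database), set(current)
    return {
        "added": sorted(new.difference(old)),
        "deleted": sorted(old.difference(new)),
        "changed": sorted(p for p in old.intersection(new)
                          if database[p] != current[p]),
    }


def update_entry(database, root, rel_path):
    """Database Update Mode for one entry: regenerate it from the file system,
    or drop it if the file is gone, without rescanning everything else."""
    full = os.path.join(root, rel_path)
    if os.path.lexists(full):
        database[rel_path] = file_record(full)
    else:
        database.pop(rel_path, None)
    return database


def format_report(diff):
    """Summary lines in the style of Tripwire's phase 4 output."""
    lines = ["### Files added: %d" % len(diff["added"]),
             "### Files deleted: %d" % len(diff["deleted"]),
             "### Files changed: %d" % len(diff["changed"]),
             "### Total file violations: %d" % sum(len(v) for v in diff.values())]
    for kind in ("added", "deleted", "changed"):
        lines.extend("### %s: %s" % (kind, p) for p in diff[kind])
    return "\n".join(lines)


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree; "tmp" plays the role of a directory ignored in tw.config.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    db = build_database(root, ignore=("tmp",))
    with open(os.path.join(root, "etc", "passwd"), "a") as fh:
        fh.write("toor:x:0:0::/:/bin/sh\n")   # a second uid-0 account appears
    print(format_report(compare(db, build_database(root, ignore=("tmp",)))))
```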
<para>
These are some possible uses of the Tripwire software:
<orderedlist>
<listitem ><para>
Check the integrity of your file system.
</para></listitem>
<listitem ><para>
Get a list of newly installed or removed files on your system.
</para></listitem>
</orderedlist>
</para>
<section id="pr6ch4sc51tri"><?dbhtml filename="chap18sec150.html"?>
<title>Installed Files</title>
<para>
These are the files installed by the software TripWire ASR on your system:
<simplelist type="vert">
<member><filename>
/etc/cron.daily/tripwire.verify
</filename></member>
<member><filename>
/etc/tw.config
</filename></member>
<member><filename>
/usr/man/man5/tw.config.5
</filename></member>
<member><filename>
/usr/man/man8/siggen.8
</filename></member>
<member><filename>
/usr/man/man8/tripwire.8
</filename></member>
<member><filename>
/usr/sbin/tripwire
</filename></member>
<member><filename>
/usr/sbin/siggen
</filename></member>
<member><filename>
/var/spool/tripwire
</filename></member>
<member><filename>
/var/spool/tripwire/tw.db_TEST
</filename></member>
</simplelist>
</para>
<section id="pr6ch4sc52tri"><?dbhtml filename="chap18sec151.html"?>
<title>Alternatives to Tripwire</title>
<para>
These are some of the alternatives to Tripwire:
<variablelist>
<varlistentry>
<term>ViperDB</term>
<listitem><para>
ViperDB Homepage: <link linkend="prtinxfp17">http://www.resentment.org/projects/viperdb/</link>
</para></listitem>
</varlistentry>
<varlistentry>
<term>FCHECK</term>
<listitem><para>
FCHECK Homepage: <link linkend="prtinxfp17">http://sites.netscape.net/fcheck/fcheck.html</link>
</para></listitem>
</varlistentry>
<varlistentry>
<term>Sentinel</term>
<listitem><para>
Sentinel Homepage: <link linkend="prtinxfp17">http://zurk.netpedia.net/zfile.html</link>
</para></listitem>
</varlistentry>
</variablelist>
</para>
</section>
</section>
</section>
</chapter>
<chapter label="19"><?dbhtml filename="soft-limits.html"?>
<title>Software -Securities/Management &amp; Limitation</title>
<highlights><para>
Encryption of data sources is an invaluable feature that gives us a high degree of confidentiality for our work. A tool like GnuPG does much more than just encryption of mail messages. It can be used for all kinds
of data encryption, and its uses are limited only by the imagination. The GnuPG <acronym>RPM</acronym> package comes already installed on your computer, but this version is not up to date, and it is recommended
to install the latest release available to fit our needs and <acronym>CPU</acronym> architecture.
</para></highlights>
<section id="pr6ch19sgpgp"><?dbhtml filename="chap19sec152.html"?>
<title>Linux GnuPG</title>
<sidebar>
<title>According to the <citation>official GnuPG README</citation> file:</title>
<para>
GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP
Internet standard as described in RFC2440.
Because GnuPG does not use any patented algorithm it cannot be compatible with PGP2 versions. PGP 2.x uses only <acronym>IDEA</acronym> (which is patented worldwide) and <acronym>RSA</acronym> (which is patented in the United
States until Sep 20, 2000).
</para>
</sidebar>
<para>
These installation instructions assume:
<itemizedlist><listitem><para>
Commands are Unix-compatible.
</para></listitem>
<listitem><para>
The source path is <filename>/var/tmp</filename> -<emphasis>other paths are possible</emphasis>.
</para></listitem>
<listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem>
<listitem><para>
All steps in the installation will happen in super-user account root.
</para></listitem>
<listitem><para>
GnuPG version number is 1.0.1
</para></listitem>
</itemizedlist>
</para>
<para>
These are the Package(s) you must be sure to download:
<simplelist><member>
GnuPG Homepage: <link linkend="prtinxfp19er">http://www.gnupg.org/</link>
</member><member>
Package to download: gnupg-1.0.1.tar.gz
</member>
</simplelist>
</para>
<para>
You must decompress the tarball before you can compile it. It is a good idea to make a list of files on the system before you install it and one afterwards, and then compare them using diff to find out which files it placed where. Simply
run <command>find</command> <userinput>/* &gt; GnuPG1</userinput> before and <command>find</command> <userinput>/* &gt; GnuPG2</userinput> after you install the tarball, and use <command>diff</command> <userinput>GnuPG1 GnuPG2 &gt; GnuPG-Installed</userinput>
to get a list of what changed.
Decompress the tarball (tar.gz):
<screen>
[root@deep] /# <command>cp</command> gnupg-version.tar.gz /var/tmp
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf gnupg-version.tar.gz
</screen>
</para>
<para>
To compile and optimize, move into the new GnuPG directory and type the following on your terminal:
<programlisting>
CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--prefix=/usr \
--enable-shared
</programlisting>
<screen>
[root@deep ]/gnupg-1.0.1# <command>make</command>
[root@deep ]/gnupg-1.0.1# <command>make check</command>
[root@deep ]/gnupg-1.0.1# <command>make install</command>
[root@deep ]/gnupg-1.0.1# <command>strip</command> /usr/bin/gpg
</screen>
</para>
<para>
<simplelist><member>
The <command>make</command> command compiles all source files into executable binaries.
</member><member>
The <command>make check</command> command will run any self-tests that come with the package.
</member><member>
Finally, the <command>make install</command> command installs the binaries and any supporting files into the appropriate locations.
</member><member>
The <command>strip</command> command will reduce the size of the gpg binary for better performance.
</member>
</simplelist>
</para>
<para>
Clean up after work:
<screen>
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf gnupg-version/ gnupg-version.tar.gz
</screen>
The <command>rm</command> command as used above will remove all the source files we have used to compile and install GnuPG. It will also remove the GnuPG compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap19sec153.html"?>
<title>Often used Commands</title>
<para>
The commands listed below are some that we use often, but many more exist. Check the man page for more details and information.
</para>
<para>
First of all, if this is the first use of the GnuPG software, we must create a new key-pair (public and private) to be able to use its encryption features.
</para>
<procedure>
<step><para>
To create a new key-pair, use the following command:
<screen>
[root@deep] /# <command>gpg</command> --gen-key
</screen>
<literallayout class="monospaced"><computeroutput>
gpg (GnuPG) 1.0.1; Copyright (C) 1999 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: /root/.gnupg: directory created
gpg: /root/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file
This asks some questions and then starts key generation.
</computeroutput></literallayout>
</para></step>
<step><para>
We start GnuPG again with the following command:
<screen>
[root@deep] /# <command>gpg</command> --gen-key
</screen>
<literallayout class="monospaced"><computeroutput>
gpg (GnuPG) 1.0.1; Copyright (C) 1999 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: /root/.gnupg/secring.gpg: keyring created
gpg: /root/.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) 2048
Do you really need such a large keysize? y
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
&lt;n&gt; = key expires in n days
&lt;n&gt;w = key expires in n weeks
&lt;n&gt;m = key expires in n months
&lt;n&gt;y = key expires in n years
Key is valid for? (0) 0
correct (y/n)? y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) &lt;heinrichh@duesseldorf.de&gt;"
Real name: Gerhard Mourani
Email address: gmourani@videotron.ca
Comment: [Press Enter]
You selected this USER-ID:
"Gerhard Mourani &lt;gmourani@videotron.ca&gt;"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++..+++++++++++++++..+++++.++++++++++++++++++++++++++++++++++++++++..+++++++
+++.+++++++++++++++++++++++++.+++++++++++++++...+++++++++++++++++++++++++.+++++
..+++++&gt;+++++...+++++++++++++++&gt;+++++.......&gt;+++++.......&gt;+++++................
..........+++++^^^^
public and secret key created and signed.
</computeroutput></literallayout>
</para></step>
</procedure>
<para>
A new key-pair is created (secret and public key) in the <filename class="directory">.gnupg</filename> subdirectory of root's home directory, <filename class="directory">/root</filename>.
</para>
</section>
<section><?dbhtml filename="chap19sec154.html"?>
<title>Importing keys</title>
<para>
Once our own key-pair is created, we can begin to put into our public keyring database all the keys we have from trusted third parties, in order to be able to use their keys for future encrypted and authenticated
communication. To import public keys into your keyring, use the following command:
<screen>
[root@deep] /# <command>gpg</command> --import &lt;file&gt;
</screen>
</para>
<example>
<title>Importing using gpg</title>
<para>
<screen>
[root@deep] /# <command>gpg</command> --import redhat2.asc
</screen>
<literallayout class="monospaced"><computeroutput>
gpg: key DB42A60E: public key imported
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg: imported: 1
</computeroutput></literallayout>
The above command will append all new keys to our keyring database and will update all already existing keys. It is important to note that GnuPG does not import keys that are not self-signed. In the above example
we import the Public Key file <filename>redhat2.asc</filename> from the company Red Hat Linux, downloadable from the Red Hat Internet site, into our keyring.
</para></example>
<section>
<title>Key signing</title>
<para>
When you import keys into your public keyring database and are sure that the trusted third party is really the person they claim to be, you can start signing their keys. Signing a key certifies that you know the owner of the key.
To sign a key for the company RedHat that we have added to our keyring above, use the following command:
<screen>
[root@deep] /# <command>gpg</command> --sign-key &lt;UID&gt;
</screen>
</para>
<example>
<title>Signing key</title>
<para>
<screen>
[root@deep] /# <command>gpg</command> --sign-key RedHat
</screen>
<literallayout class="monospaced"><computeroutput>
pub 1024D/DB42A60E created: 1999-09-23 expires: never trust: -/q
sub 2048g/961630A2 created: 1999-09-23 expires: never
(1) Red Hat, Inc &lt;security@redhat.com&gt;
pub 1024D/DB42A60E created: 1999-09-23 expires: never trust: -/q
Fingerprint: CA20 8686 2BD6 9DFC 65F6 ECC4 2191 80CD DB42 A60E
Red Hat, Inc &lt;security@redhat.com&gt;
Are you really sure that you want to sign this key
with your key: "Gerhard Mourani &lt;gmourani@videotron.ca&gt;"
Really sign? y
You need a passphrase to unlock the secret key for
user: "Gerhard Mourani &lt;gmourani@videotron.ca&gt;"
1024-bit DSA key, ID E92D6C97, created 1999-12-30
Enter passphrase:
</computeroutput></literallayout>
</para></example>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
You should only sign a key as being authentic when you are <emphasis>Absolutely sure</emphasis> that the key is really authentic! You should never sign a key based on any assumption.
</para></note>
</section>
</section>
<section><?dbhtml filename="chap19sec155.html"?>
<title>Encrypt and decrypt</title>
<para>
After installing, importing, signing and configuring everything in the way that we want, we can start on encrypting and decrypting our work.
To encrypt and sign data for the user RedHat that we have added on our keyring above, use the following command:
<screen>
[root@deep] /# <command>gpg</command> -sear RedHat &lt;file&gt;
</screen>
</para>
<example>
<title>Encrypting</title>
<para>
<screen>
[root@deep] /# <command>gpg</command> -sear RedHat message-to-RedHat.txt
</screen>
<literallayout class="monospaced"><computeroutput>
You need a passphrase to unlock the secret key for
user: "Gerhard Mourani (Open Network Architecture) &lt;gmourani@videotron.ca&gt;"
1024-bit DSA key, ID BBB4BA9B, created 1999-10-26
Enter passphrase:
</computeroutput></literallayout>
Of the arguments passed,
<itemizedlist><listitem><para>
s is for signing. To avoid the risk that somebody else claims to be you, it is very useful to sign everything you encrypt,
</para></listitem><listitem><para>
e is for encrypting,
</para></listitem><listitem><para>
a is to create <acronym>ASCII</acronym> armored output (.asc) ready for sending by mail,
</para></listitem><listitem><para>
r is followed by the user id of the recipient to encrypt for (here RedHat),
</para></listitem><listitem><para>
&lt;file&gt; is the message you want to encrypt.
</para></listitem>
</itemizedlist>
</para></example>
<para>
To decrypt data, use the following command:
<screen>
[root@deep] /# <command>gpg</command> -d &lt;file&gt;
</screen>
</para>
<example>
<title>Decrypting</title>
<para>
<screen>
[root@deep] /# <command>gpg</command> -d message-to-Gerhard.asc
</screen>
<literallayout class="monospaced"><computeroutput>
You need a passphrase to unlock the secret key for
user: "Gerhard Mourani (Open Network Architecture) &lt;gmourani@videotron.ca&gt;"
2048-bit ELG-E key, ID 71D4CC44, created 1999-10-26 (main key ID BBB4BA9B)
Enter passphrase:
</computeroutput></literallayout>
Where
<itemizedlist>
<listitem><para>
-d is for decrypting
</para></listitem>
<listitem><para>
&lt;file&gt; is the message you want to decrypt.
</para></listitem>
</itemizedlist>
It is important that the public key of the sender of the message we want to decrypt be in our public keyring
database, or of course nothing will work.
</para></example>
<section>
<title>Exporting your public key</title>
<para>
You can spread your wings by exporting and distributing your public key to the world. This can be done by publishing it on your homepage, through an available key server on the Internet, or any other available
method. GnuPG has some useful options to help you publish your public keys.
To extract your public key in ASCII armored output, use the following command:
<screen>
[root@deep] /# <command>gpg</command> --export --armor &gt; Public-key.asc
</screen>
where
<itemizedlist><listitem><para>
--export is for extracting your Public-key from your pubring encrypted file,
</para></listitem>
<listitem><para>
--armor is to create ASCII armored output that you can mail, publish or put it on a web page
</para></listitem>
<listitem><para>
&gt; <filename>Public-key.asc</filename> is to put the result in a file that you've named <filename>Public-key.asc</filename>.
</para></listitem>
</itemizedlist>
</para>
<para>
Check the signature: once you have extracted and exported your public key, everyone who knows or gets your public key should be able to check whether encrypted data from you is really signed by you.
To check the signature of encrypted data, use the following command:
<screen>
[root@deep] /# <command>gpg</command> --verify &lt;Data&gt;
</screen>
The --verify option will check the signature where &lt;Data&gt; is the encrypted data/file you want to verify.
</para>
<para>
Some possible uses of GnuPG software
<orderedlist>
<listitem><para>
Send encrypted mail messages.
</para></listitem>
<listitem><para>
Encrypt backup files before transmission over the network.
</para></listitem>
<listitem><para>
Encrypt individual sensitive files, <abbrev>i.e.</abbrev> a file that holds all your passwords.
</para></listitem>
</orderedlist>
</para>
<sidebar><title>
Installed files </title>
<para><simplelist>
<member><filename>
/usr/bin/gpg
</filename></member><member><filename>
/usr/lib/gnupg
</filename></member><member><filename>
/usr/lib/gnupg/rndunix
</filename></member><member><filename>
/usr/lib/gnupg/rndegd
</filename></member><member><filename>
/usr/lib/gnupg/tiger
</filename></member><member><filename>
/usr/man/man1/gpg.1
</filename></member><member><filename>
/usr/share/gnupg
</filename></member><member><filename>
/usr/share/gnupg/options.skel
</filename></member>
</simplelist>
</para>
</sidebar>
</section>
</section>
</chapter>
<chapter label="20"><?dbhtml filename="quota.html"?>
<title>Set Limits using Quota</title>
<section><?dbhtml filename="chap20sec156.html"?>
<title>Quota</title>
<highlights><para>
Quota is a system administration tool for monitoring and limiting the disk usage of users and/or groups, per file system. Two features of disk storage can be limited with quota:
<itemizedlist><listitem><para>
The first is the number of inodes (the number of files) a user or a group of users may possess.
</para></listitem><listitem><para>
The second is the number of disk blocks (the amount of space in kilobytes) that may be allocated to a user or a group of users.
</para></listitem>
</itemizedlist>
With quota, users are prevented by the system administrator from consuming unlimited disk space on a system. This program works on a per-user, per-file-system basis and must be set up for each file system
separately.
</para></highlights>
<para>
The first thing you need to do is ensure that your kernel has been built with Quota support enabled. In the 2.2.14 kernel version you need to ensure that you have answered <userinput>Y</userinput> to the following questions:
<programlisting>
<command>Filesystems</command>
Quota support (CONFIG_QUOTA) [N/y/?] <userinput>Y</userinput>
</programlisting>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
If you have followed the Linux Kernel chapter in this book and have recompiled your kernel, the option Quota support shown above is already set.
</para></tip>
<section>
<title>Modify the <filename>/etc/fstab</filename> file</title>
<para>
The <filename>/etc/fstab</filename> file contains information about the various file systems installed on your Linux server. Quota must be enabled in the fstab file before you can use it. Since Quota must be set
for each file system separately, and because in the fstab file, each file system is described on a separate line, quota must be set on each of the separate lines in the fstab for which you want to enable quota support.
</para>
<para>
With the quota program, depending on your intentions, needs, etc., you can enable quota only for <token>users</token>, only for <token>groups</token>, or for both <token>users</token> and <token>groups</token>. For all examples below, we'll
use the <filename class="directory">/home</filename> directory on the <filename>/dev/sda6</filename> partition and show you the three possibilities.
</para>
<sidebar>
<title>Possibility 1</title>
<para>
To enable user quota support on a specific file system, edit your fstab file <command>vi</command> <filename>/etc/fstab</filename> and add the <literal>usrquota</literal> option to the fourth field after
the word <wordasword>defaults</wordasword> or any other options you may have set for this specific file system.
<example>
<title><literal>usrquota</literal></title>
<para>
change:
<programlisting>
/dev/sda6 /home ext2 defaults 1 2 <co id="dflts1"/>
/dev/sda6 /home ext2 nosuid,nodev 1 2 <co id="dflts2"/>
</programlisting>
<calloutlist>
<callout arearefs="dflts1">
<para>as an example: the word defaults</para>
</callout>
<callout arearefs="dflts2">
<para>as an example: any other options you have set</para>
</callout>
</calloutlist>
To read:
<programlisting>
/dev/sda6 /home ext2 defaults,usrquota 1 2
/dev/sda6 /home ext2 nosuid,nodev,usrquota 1 2
</programlisting>
</para></example>
</para>
</sidebar>
<sidebar>
<title>Possibility 2</title>
<para>
To enable group quota support on a file system, edit your fstab file <command>vi</command> <filename>/etc/fstab</filename> and add <literal>grpquota</literal> to the fourth field after the
word <literal>defaults</literal> or any other options you may have set for this specific file system.
<example>
<title><literal>grpquota</literal></title>
<para>
change:
<programlisting>
/dev/sda6 /home ext2 defaults 1 2 <co id="dflts3"/>
/dev/sda6 /home ext2 nosuid,nodev 1 2 <co id="dflts4"/>
</programlisting>
<calloutlist>
<callout arearefs="dflts3">
<para>as an example: the word defaults</para>
</callout>
<callout arearefs="dflts4">
<para>as an example: any other options you have set</para>
</callout>
</calloutlist>
To read:
<programlisting>
/dev/sda6 /home ext2 defaults,grpquota 1 2
/dev/sda6 /home ext2 nosuid,nodev,grpquota 1 2
</programlisting>
</para></example>
</para></sidebar>
<sidebar>
<title>Possibility 3</title>
<para>
To enable both users quota and group quota support on a file system, edit your fstab file <command>vi</command> <filename>/etc/fstab</filename> and add <literal>usrquota,grpquota</literal> to the
fourth field after the word <literal>defaults</literal> or any other options you may have set for this specific file system.
Change:
<programlisting>
/dev/sda6 /home ext2 defaults 1 2 <co id="dflts5"/>
/dev/sda6 /home ext2 nosuid,nodev 1 2 <co id="dflts6"/>
</programlisting>
<calloutlist>
<callout arearefs="dflts5">
<para>as an example: the word <literal>defaults</literal></para>
</callout>
<callout arearefs="dflts6">
<para>as an example: any other options you have set</para>
</callout>
</calloutlist>
To read:
<programlisting>
/dev/sda6 /home ext2 defaults,usrquota,grpquota 1 2
/dev/sda6 /home ext2 nosuid,nodev,usrquota,grpquota 1 2
</programlisting>
</para>
</sidebar>
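<para>
The three possibilities above are the same edit applied to the fourth field of one <filename>/etc/fstab</filename> line. As an added example (not from the book or the quota package), the Python helper below performs that edit for a chosen mount point, keeps options such as <literal>nosuid,nodev</literal> that are already set, never duplicates an option, leaves comments and other file systems untouched, and refuses to return an unchanged file when the mount point has no entry; <function>quota_status</function> is the check you run afterwards to see which file systems actually have <literal>usrquota</literal> or <literal>grpquota</literal> set. The sample fstab content is constructed.
</para>

```python
"""Enable quota in /etc/fstab (added example, not from the book or the quota
package). It applies the three possibilities above, usrquota, grpquota or both,
to the fourth field of one mount point's line, leaving every other line alone."""


def _entry_fields(line):
    """Split an fstab line into its fields, or return None for blank and
    comment lines so callers can pass those through unchanged."""
    fields = line.split()
    if not fields or fields[0].startswith("#") or len(fields) not in (4, 5, 6):
        return None
    return fields


def enable_quota(fstab_text, mount_point, users=True, groups=False):
    """Return fstab_text with the requested quota option(s) appended to the
    options field of the entry for mount_point. Existing options such as
    'nosuid,nodev' are kept, nothing is duplicated, and a missing entry is an
    error rather than a silently unchanged file."""
    wanted = (["usrquota"] if users else []) + (["grpquota"] if groups else [])
    if not wanted:
        raise ValueError("nothing to enable: choose users, groups or both")
    out, found = [], False
    for line in fstab_text.splitlines():
        fields = _entry_fields(line)
        if fields is None or fields[1] != mount_point:
            out.append(line)          # comment, blank line or another file system
            continue
        found = True
        options = fields[3].split(",")
        for opt in wanted:
            if opt not in options:    # idempotent: running twice changes nothing
                options.append(opt)
        fields[3] = ",".join(options)
        out.append(" ".join(fields))
    if not found:
        raise ValueError("no fstab entry for %s" % mount_point)
    return "\n".join(out) + ("\n" if fstab_text.endswith("\n") else "")


def quota_status(fstab_text):
    """Which file systems have quota enabled: mount point to flags."""
    status = {}
    for line in fstab_text.splitlines():
        fields = _entry_fields(line)
        if fields is not None:
            options = fields[3].split(",")
            status[fields[1]] = {"usrquota": "usrquota" in options,
                                 "grpquota": "grpquota" in options}
    return status


if __name__ == "__main__":
    # Constructed sample fstab, mirroring the /dev/sda6 example above.
    SAMPLE = ("/dev/sda1 / ext2 defaults 1 1\n"
              "/dev/sda6 /home ext2 nosuid,nodev 1 2\n"
              "none /proc proc defaults 0 0\n")
    print(enable_quota(SAMPLE, "/home", users=True, groups=True))
```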
</section>
</section>
<section><?dbhtml filename="chap20sec157.html"?>
<title>Creation of the <filename>quota.user</filename> and <filename>quota.group</filename> files</title>
<para>
After the modification of your <filename>/etc/fstab</filename> file, in order for quotas to be established on a file system, the root directory of the file system <abbrev>i.e.</abbrev> <filename class="directory">/home</filename> in
our example must contain a file, owned by root, called <filename>quota.user</filename> if you want to use user quota, <filename>quota.group</filename> if you want to use group quota, or both if you want to use users and group quota.
</para>
<procedure>
<step><para>
Create the <filename>quota.user</filename> and/or <filename>quota.group</filename> files: as root, go to the root of the partition on which you wish to enable quota, <abbrev>i.e.</abbrev> <filename class="directory">/home</filename>, and run:
<screen>
[root@deep] /# <command>touch</command> /home/quota.user
[root@deep] /# <command>touch</command> /home/quota.group
[root@deep] /# <command>chmod</command> 600 /home/quota.user
[root@deep] /# <command>chmod</command> 600 /home/quota.group
</screen>
The <command>touch</command> command will create new empty files under the <filename class="directory">home</filename> directory named <filename>quota.user</filename> and <filename>quota.group</filename>. The <command>chmod</command>
command will set the mode of these files to be read-write only by the super-user root.
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Both quota record files, <filename>quota.user</filename> and <filename>quota.group</filename>, should be owned by root, with read-write permission for root and none for anybody else.
</para></important>
</para></step>
<step><para>
Now we must initialize the files <filename>quota.user</filename> and <filename>quota.group</filename> in the root directory of the file system in order not to receive error messages about quota
during the reboot of our server.
To initialize <filename>quota.user</filename> and/or <filename>quota.group</filename> files, use the following commands:
<screen>
[root@deep] /# <command>edquota</command> -u wahib
[root@deep] /# <command>edquota</command> -g wahib
</screen>
The steps above are necessary just to initialize the files <filename>quota.user</filename> and/or <filename>quota.group</filename>; the command <command>edquota</command> -u will edit
the quota for the user wahib and -g will edit the quota for the group wahib. Note that you must edit an existing <acronym>UID/GID</acronym> on your system to initialize the files successfully.
</para></step>
<step><para>
After you have finished setting the appropriate options for your quota program in the <filename>/etc/fstab</filename> file, and created and initialized the <filename>quota.user</filename>,
and/or <filename>quota.group</filename> files, you must reboot the system for the changes you have made in the <filename>/etc/fstab</filename> file and/or the
files <filename>quota.user</filename>, <filename>quota.group</filename> to take effect.
To reboot your system, use the following command:
<screen>
[root@deep] /# <command>reboot </command>
</screen>
</para></step>
</procedure>
<para>
After your system has been rebooted you can assign quotas to users or groups of users on your system. This operation is performed with the <command>edquota</command>
command. See man page <citerefentry><refentrytitle>edquota</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</section>
<section><?dbhtml filename="chap20sec158.html"?>
<title>edquota </title>
<para>
The edquota program is a quota editor: it creates a temporary file of the current disk quotas, which the super-user root edits to set quotas for users or groups of users on the system. The example below shows
you how to set up quotas for users or groups on your system.
</para>
<para>
Consider, for example, that you have a user with the login id <wordasword>wahib</wordasword> on your system. The following command opens the editor vi to edit and set quotas for user wahib on each partition that has quotas enabled:
</para>
<procedure>
<step><para>
To edit and modify quota for user <wordasword>wahib</wordasword>, use the following command:
<screen>
[root@deep] /# <command>edquota</command> -u wahib
</screen>
After the execution of the above command, you will see the following lines related to the user <wordasword>wahib</wordasword> appear on the screen:
<literallayout class="monospaced"><computeroutput>
Quotas for user wahib:
/dev/sda6: blocks in use: 6, limits (soft = 0, hard = 0)
        inodes in use: 5, limits (soft = 0, hard = 0)
</computeroutput></literallayout>
<variablelist><varlistentry><term>
The blocks in use:</term>
<listitem><para>
displays the total number of kilobyte blocks the user has consumed on the partition.
</para></listitem>
</varlistentry>
<varlistentry><term>
The inodes in use:</term>
<listitem><para>
displays the total number of files (inodes) the user has on the partition.
</para></listitem>
</varlistentry>
</variablelist>
These parameters <literal>blocks in use</literal>, and <literal>inodes in use</literal> are controlled and set automatically by the system and you don't need to set or change them.
</para></step>
<step><para>
To assign 5<acronym>MB</acronym> of quota for user <wordasword>wahib</wordasword>, change the following parameters in the vi editor:
<programlisting>
Quotas for user wahib:
/dev/sda6: blocks in use: 6, limits (soft = 0, hard = 0)
inodes in use: 5, limits (soft = 0, hard = 0)
</programlisting>
To read:
<programlisting>
Quotas for user wahib:
/dev/sda6: blocks in use: 6, limits (soft = 5000, hard = 0)
inodes in use: 5, limits (soft = 0, hard = 0)
</programlisting>
</para></step>
</procedure>
<simplelist><member>
The soft limit (soft =) specifies the maximum amount of disk usage a quota user is allowed to have.
</member><member>
The hard limit (hard =) specifies the absolute limit on disk usage; a quota user cannot go beyond it.
</member>
</simplelist>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Note that the hard limit value works only when the grace period parameter is set.
</para></tip>
<section>
<title>The <literal>grace period</literal> parameter</title>
<para>
The <literal>grace period</literal> parameter allows you to set a time limit before the soft limit value is enforced on a file system with quota enabled, <emphasis>see the soft limit above for more information</emphasis>. For example,
this parameter can be used to warn your users about a new policy that will set a quota of 5<acronym>MB</acronym> of disk space in their home directory in 7 days. You can change the default of 0 days to any length of
time you consider reasonable.
</para>
<para>
Changing this setting requires the two steps below; in this example we assume 7 days.
</para>
<procedure>
<step><para>
Edit the default grace period parameter, by using the following command:
<screen>
[root@deep] /# <command>edquota</command> -t
</screen>
<literallayout class="monospaced"><computeroutput>
Time units may be: days, hours, minutes, or seconds
Grace period before enforcing soft limits for users:
/dev/sda6: block grace period: 0 days, file grace period: 0 days
</computeroutput>
</literallayout>
</para></step>
<step><para>
Modify the grace period to 7 days. Change or set the following parameters in the vi editor:
<programlisting>
Time units may be: days, hours, minutes, or seconds
Grace period before enforcing soft limits for users:
/dev/sda6: block grace period: 0 days, file grace period: 0 days
</programlisting>
To read:
<programlisting>
Time units may be: days, hours, minutes, or seconds
Grace period before enforcing soft limits for users:
/dev/sda6: block grace period: 7 days, file grace period: 7 days
</programlisting>
</para></step>
</procedure>
<para>
The command <command>edquota</command> -t edits the soft time limits for each file system with quotas enabled.
</para>
</section>
</section>
<section><?dbhtml filename="chap20sec159.html"?>
<title>Assign quota for a particular group</title>
<para>
Consider, for example, that you have a group with the <token>group id webusers</token> on your system. The following command takes you into the vi editor to edit quotas for the <token>group webusers</token> on each partition that has
quotas enabled. To edit and modify the quota for group webusers, use the following command:
<screen>
[root@deep] /# <command>edquota</command> -g webusers
</screen>
<literallayout class="monospaced"><computeroutput>
Quotas for group webusers:
/dev/sda6: blocks in use: 6, limits (soft = 0, hard = 0)
inodes in use: 6, limits (soft = 0, hard = 0)
</computeroutput></literallayout>
The procedure is the same as for assigning quotas for a particular user; as described above, you must modify the parameter of <literal>soft =</literal> and save your change.
</para>
<section><?dbhtml filename="chap20sec160.html"?>
<title>Assign quota for groups of users with the same value</title>
<para>
The edquota program has a special option -p that assigns quotas to a group of users with the same values as those assigned to an initial user. Assuming that you want to give the users starting
at <literal>UID 500</literal> on the system the same values as the user <wordasword>wahib</wordasword>, first edit and set wahib's quota information, then execute the following command to copy it to the other users:
<screen>
[root@deep] /# <command>edquota</command> -p wahib `awk -F: '$3 > 499 {print $1}' /etc/passwd`
</screen>
The edquota program duplicates the quota that we set for the user wahib to every user in the <filename>/etc/passwd</filename> file whose <acronym>UID</acronym> is greater than <literal>499</literal>.
</para>
<para>
For more details, please consult the following man pages:
<variablelist><varlistentry><term>
<citerefentry><refentrytitle>edquota</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- edit user quotas
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>quota</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- display disk usage and limits
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>quotacheck</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- scan a file system for disk usages
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>quotactl</refentrytitle><manvolnum>2</manvolnum></citerefentry></term>
<listitem><para>
- manipulate disk quotas
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>quotaon, quotaoff</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- turn file system quotas on and off
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>repquota</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- summarize quotas for a file system
</para></listitem>
</varlistentry>
<varlistentry><term>
<citerefentry><refentrytitle>rquota</refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- implement quotas on remote machines
</para></listitem>
</varlistentry>
</variablelist>
</para>
</section>
</section>
<section><?dbhtml filename="chap20sec161.html"?>
<title>Often used Commands</title>
<para>
The commands listed below are some that we use often, but many more exist. Check the man page for more details and information.
</para>
<formalpara>
<title>Quota</title>
<para>
Quota displays users' disk usage and limits on a file system.
To display user disk usage and limits, use the command:
<screen>
[root@deep] /# <command>quota</command> -u wahib
</screen>
<literallayout class="monospaced"><computeroutput>
Disk quotas for user wahib (uid 501):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
      /dev/sda6   6001*    6000       0    none       7       0       0
</computeroutput></literallayout>
</para>
</formalpara>
<para>
To display group quotas for the group of which the user is a member, use the command:
<screen>
[root@deep] /# <command>quota</command> -g wahib
</screen>
<literallayout class="monospaced"><computeroutput>
Disk quotas for group wahib (gid 501):
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace
      /dev/sda6   5995*    5000       0    none       1       0       0
</computeroutput></literallayout>
If the group quota is not set for the user specified, you will receive the following message:
<literallayout class="monospaced"><computeroutput>
Disk quotas for group wahib (gid 501): none
</computeroutput></literallayout>
</para>
<formalpara>
<title>Repquota </title>
<para>
Repquota produces summarized quota information on the disk usage and quotas for the specified file systems. It also prints, for each user, the current number of files and the amount of space used (in kilobytes).
Here is a sample of the output repquota gives; <emphasis>your results may vary</emphasis>:
<screen>
[root@deep] /# <command>repquota</command> -a
</screen>
<literallayout class="monospaced"><computeroutput>
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
root      --      21       0       0              4     0     0
named     --       6       0       0              5     0     0
admin     --  388657       0       0           2121     0     0
wahib     --    6001    6000       0   none       7     0     0
</computeroutput></literallayout>
</para>
</formalpara>
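The two selections this chapter relies on, picking the logins with a <acronym>UID</acronym> above 499 for <command>edquota</command> -p and reading the <command>repquota</command> report for users who have passed their soft limit, as an added shell example that is not part of the book. The passwd lines and the report are constructed to match the formats shown above; the login <wordasword>sarah</wordasword> and the usage figures are invented, and the helper names <literal>users_above_uid</literal> and <literal>over_soft_limit</literal> are ours.

```shell
#!/bin/sh
# Added example, not from the book. Two checks built around the quota commands
# discussed above, run on constructed input so the script works on any machine,
# with or without the quota tools installed.

# Constructed /etc/passwd excerpt: system accounts below UID 500, ordinary
# users at 500 and above. Logins other than the book's are invented.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
named:x:25:25:Named:/var/named:/bin/false
admin:x:500:500:Admin:/home/admin:/bin/bash
wahib:x:501:501:Wahib:/home/wahib:/bin/bash
sarah:x:502:502:Sarah:/home/sarah:/bin/bash'

# Constructed "repquota -a" report in the layout shown above. A soft limit of
# 0 means "no limit", so only non-zero limits are compared against usage.
SAMPLE_REPQUOTA='                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
root      --      21       0       0              4     0     0
named     --       6       0       0              5     0     0
admin     --  388657       0       0           2121     0     0
wahib     --    6001    6000       0   none       7     0     0
sarah     --    4990    5000       0              3     0     0'

# The selection the book feeds to "edquota -p wahib": every login whose UID is
# greater than the number given as $1. Reads passwd-format lines on stdin.
users_above_uid() {
    awk -F: -v min="$1" '$3 > min { print $1 }'
}

# Users whose block usage exceeds a non-zero soft limit. Reads a repquota
# report on stdin; report rows are recognised by the two-character flag field
# ("--", "+-", ...) in column 2. Prints "login used/soft" for each offender.
over_soft_limit() {
    awk 'NR > 2 && $2 ~ /^[-+][-+]$/ && $4 > 0 && $3 > $4 { print $1, $3 "/" $4 }'
}

# Usage on the constructed input. On a real server the first line would be
#   edquota -p wahib $(users_above_uid 499 < /etc/passwd)
# and the second   repquota -a | over_soft_limit
printf '%s\n' "$SAMPLE_PASSWD" | users_above_uid 499      # admin wahib sarah
printf '%s\n' "$SAMPLE_REPQUOTA" | over_soft_limit        # wahib 6001/6000
```

The second check deliberately ignores the flag column and compares the numbers, because a report taken while the grace period is still running shows the user as merely over the soft limit, and that is exactly the case an administrator wants to notice before the grace period expires.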
</section>
</chapter>
<chapter label="21" id="pr6ch21Sonet"><?dbhtml filename="soft-netwrkng.html"?>
<title>Software -Networking</title>
<highlights><para>
Once we have installed all the necessary security software on our Linux server, it's time to fine-tune the network part of the server. <acronym>DNS</acronym> is the MOST important network service for <acronym>IP</acronym> network communication, and for
this reason all Linux client machines should be configured to perform caching functions as a minimum.
</para></highlights>
<section id="pr6ch7sc1dbs"><?dbhtml filename="chap21sec162.html"?>
<title>Linux <acronym>DNS</acronym> and <acronym>BIND</acronym> Server</title>
<highlights><para>
Setting up a caching server for local client machines will reduce the load on the site's primary server. A caching-only name server finds the answer to a name query and remembers it for the next time it is
needed, which shortens the waiting time significantly. For security reasons, it is very important that <acronym>DNS</acronym> doesn't exist between hosts on the corporate network and external hosts; it is far
safer to simply use <acronym>IP</acronym> addresses to connect to external machines from the corporate network and vice-versa.
</para></highlights>
<para>
In our configuration and installation we'll run <acronym>BIND</acronym>/<acronym>DNS</acronym> as a non-root user and in a chrooted environment. We also provide three different configurations:
<itemizedlist>
<listitem><para>
one for a simple caching name server only <wordasword>client</wordasword>
</para></listitem>
<listitem><para>
one for a slave <wordasword>secondary server</wordasword>
</para></listitem>
<listitem><para>
one for a master name server <wordasword>primary server</wordasword>.
</para></listitem>
</itemizedlist>
</para>
<para>
The simple <literal>caching</literal> name server configuration is used on servers that don't act as a <token>master</token> or <token>slave</token> name server, and the <token>slave</token> and <token>master</token> configurations
are used on the servers that act as <token>master</token> and <token>slave</token> name servers respectively. Usually one of your servers acts as <token>master</token>, another acts as <token>slave</token> and the rest act as simple <literal>caching</literal> client
name servers.
</para>
<para>
This is a graphical representation of the <acronym>DNS</acronym> configuration we use in this book. We try to show you different settings
<mediaobject><imageobject><imagedata fileref="./images/DNS-Schema.gif" format="GIF"/></imageobject>
<textobject><phrase><acronym>DNS</acronym> caching name server</phrase></textobject>
</mediaobject>
<itemizedlist>
<listitem><para>
Caching Only <acronym>DNS</acronym>
</para></listitem><listitem><para>
Master <acronym>DNS</acronym>
</para></listitem><listitem><para>
Slave <acronym>DNS</acronym>
</para></listitem>
</itemizedlist>
on different servers. Many other arrangements are possible, depending on your needs and network architecture.
</para>
<para>
These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem>
<listitem><para>
The source path is <filename class="directory">/var/tmp</filename>. <emphasis>other paths are possible</emphasis>.
</para></listitem>
<listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem>
<listitem><para>
All steps in the installation will happen in super-user account root.
</para></listitem><listitem><para>
ISC <acronym>BIND</acronym> version number is 8.2.2-patchlevel5
</para></listitem>
</itemizedlist>
</para>
<para>
These are the Package(s) required:
<simplelist><member>
ISC <acronym>BIND</acronym> Homepage:<link linkend="prtinxfp18">http://www.isc.org/</link>
</member><member>
ISC <acronym>BIND</acronym> FTP Site: <link linkend="prtinxfp18"><literal>204.152.184.27</literal></link>
</member>
</simplelist>
You must be sure to download: <filename>bind-contrib.tar.gz, bind-doc.tar.gz, bind-src.tar.gz</filename>
</para>
<para>
Before you decompress Tarballs and install, it is a good idea to make a list of files on the system before you install <acronym>BIND</acronym>, and one afterwards, and then compare them using diff to find out what file it placed where. Simply
run <command>find</command> <userinput>/* &gt; DNS1</userinput> before and <command>find</command> <userinput>/* &gt; DNS2</userinput> after you install the software, and use <command>diff</command> <userinput>DNS1 DNS2 &gt; DNS-Installed</userinput> to
get a list of what changed.
</para>
<para>
Copy the tarballs (tar.gz) into a working directory and decompress them.
<screen>
[root@deep] /# <command>mkdir</command> /var/tmp/bind
[root@deep] /# <command>cp</command> bind-contrib.tar.gz /var/tmp/bind/
[root@deep] /# <command>cp</command> bind-doc.tar.gz /var/tmp/bind/
[root@deep] /# <command>cp</command> bind-src.tar.gz /var/tmp/bind/
</screen>
We create a directory named bind to handle the tar archives and copy them to this new directory.
</para>
<para>
Move into the new bind directory <command>cd</command> <filename class="directory">/var/tmp/bind</filename> and decompress the tar files:
<screen>
[root@deep ]/bind# <command>tar</command> xzpf bind-contrib.tar.gz
[root@deep ]/bind# <command>tar</command> xzpf bind-doc.tar.gz
[root@deep ]/bind# <command>tar</command> xzpf bind-src.tar.gz
</screen>
</para>
</section>
<section><?dbhtml filename="chap21sec163.html"?>
<title>Configure</title>
<para>
Configuration files for different services are very specific depending on your needs and your network architecture. People can install <acronym>DNS</acronym> Servers at home as a <literal>caching-only</literal> server, though companies may install it
with <literal>primary</literal>, <literal>secondary</literal> and <literal>caching</literal> <acronym>DNS</acronym> servers.
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. It can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack this to any location on your local machine, for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory the configuration files for each piece of software have their own directory.
For example, the <wordasword>BIND-DNS</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 24
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 Caching-Only-DNS/
-rw-r--r-- 1 harrypotter harrypotter 484 Jun 8 13:00 Compile-BIND
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 Primary-Master-DNS/
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 Secondary-Slave-DNS/
-rwx------ 1 harrypotter harrypotter 300 Jun 8 13:00 bind.sh*
drwxr-xr-x 3 harrypotter harrypotter 4096 Jun 8 13:00 init.d/
</computeroutput></literallayout>
You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or edit them manually to suit your needs. This facility is provided as a convenience, but ultimately it is your
responsibility to check and verify these files before you use them, whether modified or as they are.
</para>
</note>
<para>
To run a <literal>caching-only</literal> name server, the following files are required and must be created or copied to the appropriate directories on your server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>named.conf</filename> file to the <filename class="directory">/etc/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>db.127.0.0</filename> file to the <filename class="directory">/var/named/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>db.cache</filename> file to the <filename class="directory">/var/named/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>named</filename> script file to the <filename class="directory">/etc/rc.d/init.d/</filename> directory.
</para></listitem>
</orderedlist>
</para>
<para>
To run a <literal>master</literal> name server, the following files are required and must be created or copied to the appropriate directories on your server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>named.conf</filename> file to the <filename class="directory">/etc/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>db.127.0.0</filename> file to the <filename class="directory">/var/named/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>db.cache</filename> file to the <filename class="directory">/var/named/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>db.208.164.186</filename> file to the <filename class="directory">/var/named/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>db.openna</filename> file to the <filename class="directory">/var/named/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>named</filename> script file to the <filename class="directory">/etc/rc.d/init.d/</filename> directory.
</para></listitem>
</orderedlist>
</para>
<para>
To run a slave name server, the following files are required and must be created or copied to the appropriate directories on your server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>named.conf</filename> file to the <filename class="directory">/etc/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>db.127.0.0</filename> file to the <filename class="directory">/var/named/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>db.cache</filename> file to the <filename class="directory">/var/named/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>named</filename> script file to the <filename class="directory">/etc/rc.d/init.d/</filename> directory.
</para></listitem>
</orderedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed over the next few sections on the <filename>floppy.tgz</filename> archive. Copy the following files from the decompressed <filename>floppy.tgz</filename> archive to the
appropriate places, or copy them directly from this book to the concerned file.
</para></tip>
</section>
<section><?dbhtml filename="chap21sec164.html"?>
<title><literal>Caching-only</literal> name Server</title>
<para>
Caching-only name servers are servers that are not authoritative for any domain except <literal>0.0.127.in-addr.arpa</literal>, the localhost. A <literal>caching-only</literal> name server can look up names inside and outside
your zone, as can <token>primary</token> and <token>slave</token> name servers. The difference is that when a <literal>caching-only</literal> name server initially looks up a name within your zone, it ends up asking one
of the <token>primary</token> or <token>slave</token> name servers for your zone for the answer.
</para>
<para>
The necessary files to setup a simple caching name server are:
<orderedlist numeration="arabic">
<listitem> <para>
<filename>named.conf</filename>
</para></listitem><listitem><para>
<filename>db.127.0.0</filename>
</para></listitem><listitem><para>
<filename>db.cache</filename>
</para></listitem><listitem><para>
<filename>named script</filename>
</para></listitem>
</orderedlist>
</para>
<para>
To configure the <filename>/etc/named.conf</filename> file for a simple caching name server, use this configuration for all servers that don't act as a <literal>master</literal> or <literal>slave</literal> name server. Setting up
a simple caching server for local client machines will reduce the load on the network's primary server. Many users on dialup connections may use this configuration along with bind for such a purpose.
Create the <filename>named.conf</filename> file, <command>touch</command> <filename>/etc/named.conf</filename>, and add the following lines to the file:
<programlisting>
options {
        directory "/var/named";
        forwarders { 208.164.186.1; 208.164.186.2; };<co id="frwdrs1"/>
        forward only;
};
//
// a caching only nameserver config
zone "." in {
        type hint;
        file "db.cache";
};
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};
</programlisting>
<calloutlist>
<callout arearefs="frwdrs1">
<para>
In the forwarders line, <literal>208.164.186.1</literal> and <literal>208.164.186.2</literal> are the <acronym>IP</acronym> addresses of your <literal>Primary</literal> <emphasis>Master</emphasis> and <literal>Secondary</literal> <emphasis>Slave</emphasis>
<acronym>DNS</acronym> servers. They can also be the <acronym>IP</acronym> addresses of your <acronym>ISP</acronym>'s <acronym>DNS</acronym> server and another <acronym>DNS</acronym> server, respectively.
</para>
</callout>
</calloutlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
To improve the security of your BIND/<acronym>DNS</acronym> server you can stop it from even trying to contact an off-site server if its forwarder is down or doesn't respond. With the
<envar>forward only</envar> option set in your <filename>named.conf</filename> file, the name server doesn't try to contact other servers to find out information if the forwarder doesn't give
it an answer.
</para>
</tip>
<para>
To configure the <filename>/var/named/db.127.0.0</filename> file for a simple caching name server, you can use this configuration for all machines on your network that don't act as a <token>master</token> or <token>slave</token> name server.
The <filename>db.127.0.0</filename> file covers the loopback network. Create the following file in <filename class="directory">/var/named/</filename>, <command>touch</command> <filename>/var/named/db.127.0.0</filename>, and
add the following lines to the file:
<programlisting>
$TTL 345600
@               IN SOA  localhost. root.localhost. (
                        00      ; Serial
                        86400   ; Refresh
                        7200    ; Retry
                        2592000 ; Expire
                        345600 ) ; Minimum
                IN NS   localhost.
1               IN PTR  localhost.
</programlisting>
</para>
<para>
Configure the <filename>/var/named/db.cache</filename> file for a simple caching name server before starting your <acronym>DNS</acronym> server. You must take a copy of <filename>db.cache</filename> file
and copy this file to the <filename class="directory">/var/named/</filename> directory. The <filename>db.cache</filename> tells your server where the servers for the <token>root</token> zone are.
</para>
<para>
Use the following command on another Unix computer in your organization to fetch a new <filename>db.cache</filename> file for your <acronym>DNS</acronym> Server, or pick one from your
Red Hat Linux <hardware>CD-ROM</hardware> source distribution:
<screen>
[root@deep]# <command>dig</command> @a.root-servers.net . ns &gt; db.cache
</screen>
Don't forget to copy the <filename>db.cache</filename> file to the <filename class="directory">/var/named/</filename> directory on the server where you're installing the <acronym>DNS</acronym> server
after retrieving it over the Internet.
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Internal addresses like <literal>192.168.1/24</literal> are not included in the <acronym>DNS</acronym> configuration files for security reasons. It is very important that <acronym>DNS</acronym> doesn't exist between hosts on the corporate network and external hosts.
</para></tip>
</section>
<section><?dbhtml filename="chap21sec165.html"?>
<title>Primary <literal>master</literal> name Server</title>
<para>
A primary <literal>master</literal> name server for a zone reads the data for the zone from a file on its host and is authoritative for that zone. The necessary files to set up a primary master name server are:
<orderedlist numeration="loweralpha">
<listitem><para>
<filename>named.conf</filename>
</para></listitem><listitem><para>
<filename>db.127.0.0</filename>
</para></listitem><listitem><para>
<filename>db.208.164.186</filename>
</para></listitem><listitem><para>
<filename>db.openna</filename>
</para></listitem><listitem><para>
<filename>db.cache</filename>
</para></listitem><listitem><para>
<filename>named script</filename>
</para></listitem>
</orderedlist>
</para>
<para>
To configure the <filename>/etc/named.conf</filename> file for a <literal>master</literal> name server, use this configuration for the server on your network that acts as the <token>master</token> name server. After compiling
<acronym>DNS</acronym>, you need to set up a <literal>primary</literal> domain name for your server. We'll use <literal>openna.com</literal> as an example domain, and assume you are using the <acronym>IP</acronym> network address
<literal>208.164.186.0</literal>. To do this, add the following lines to your <filename>/etc/named.conf</filename>.
Create the <filename>named.conf</filename> file, <command>touch</command> <filename>/etc/named.conf</filename>, and add:
<programlisting>
options {
        directory "/var/named";
        fetch-glue no; <co id="ftgl1"/>
        recursion no; <co id="rcsn1"/>
        allow-query { 208.164.186/24; 127.0.0/8; }; <co id="alqr1"/>
        allow-transfer { 208.164.186.2; }; <co id="altr1"/>
        transfer-format many-answers;
};
// These files are not specific to any zone
zone "." in {
        type hint;
        file "db.cache";
};
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};
// These are our primary zone files
zone "openna.com" in {
        type master;
        file "db.openna";
};
zone "186.164.208.in-addr.arpa" in {
        type master;
        file "db.208.164.186";
};
</programlisting>
<calloutlist><callout arearefs="ftgl1 rcsn1"><para>
The <envar>fetch-glue no</envar> option can be used in conjunction with the option <envar>recursion no</envar> to prevent the server's cache from growing or becoming corrupted. Also, disabling recursion puts your name server
into a passive mode, telling it never to send queries on behalf of other name servers or resolvers. A non-recursive name server is very difficult to spoof, since it doesn't send queries, and hence doesn't cache any data.
</para></callout><callout arearefs="alqr1"><para>
In the allow-query line, 208.164.186/24 and 127.0.0/8 are the <acronym>IP</acronym> address ranges allowed to ask ordinary questions of the server.
</para></callout><callout arearefs="altr1"><para>
In the allow-transfer line, 208.164.186.2 is the <acronym>IP</acronym> address allowed to receive zone transfers from the server. You must ensure that only your real slave name servers can transfer zones from your name server,
as the information provided is often used by spammers and <acronym>IP</acronym> spoofers.
</para></callout>
</calloutlist>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
The options <envar>recursion no</envar>, <envar>allow-query</envar>, and <envar>allow-transfer</envar> in the <filename>named.conf</filename> file above are security features.
</para></note>
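A way to confirm that the four security settings just described are actually present in the options block of a <filename>named.conf</filename>, as an added shell example that is not part of the book. The two configurations embedded in it are constructed: the first mirrors the <literal>master</literal> options block above, the second is a deliberately weak block for contrast. The function name <literal>audit_named_conf</literal> is ours, and the check only understands the one-directive-per-line layout used in this chapter.

```shell
#!/bin/sh
# Added example, not from the book. Audits the options block of a BIND 8
# named.conf for the four settings the book calls security features.
# The configurations below are constructed: the first mirrors the master
# named.conf above, the second is a deliberately weak block for contrast.

HARDENED='options {
        directory "/var/named";
        fetch-glue no;
        recursion no;
        allow-query { 208.164.186/24; 127.0.0/8; };
        allow-transfer { 208.164.186.2; };
        transfer-format many-answers;
};'

# Weak: still recursing for anyone, and any host may pull the whole zone.
WEAK='options {
        directory "/var/named";
        recursion yes;
        allow-transfer { any; };
};'

# Reads a named.conf on stdin, prints one finding per missing or weak option,
# and exits with the number of findings (0 means all four checks passed).
audit_named_conf() {
    awk '
        /^[ \t]*options[ \t]*[{]/ { inopt = 1; next }
        inopt && /^[ \t]*[}];/   { inopt = 0; next }
        inopt {
            gsub(/^[ \t]+/, "")             # trim indentation
            split($0, w, /[ \t]+/)
            seen[w[1]] = $0                 # keyword -> whole directive line
        }
        END {
            fail = 0
            if (!("recursion" in seen) || seen["recursion"] !~ /[ \t]no;/) {
                print "recursion is not disabled: add \"recursion no;\""; fail++
            }
            if (!("fetch-glue" in seen) || seen["fetch-glue"] !~ /[ \t]no;/) {
                print "fetch-glue is not disabled: add \"fetch-glue no;\""; fail++
            }
            if (!("allow-query" in seen)) {
                print "allow-query missing: any host may query the server"; fail++
            }
            if (!("allow-transfer" in seen) || seen["allow-transfer"] ~ /[{ \t]any[ \t;]/) {
                print "allow-transfer missing or open to any: list only the slave IPs"; fail++
            }
            exit fail
        }'
}

printf '%s\n' "$HARDENED" | audit_named_conf && echo "master config: no findings"
printf '%s\n' "$WEAK" | audit_named_conf || echo "weak config: $? findings"
```

Run it as <literal>audit_named_conf &lt; /etc/named.conf</literal> on the master only: a caching-only server must keep recursion on, so the recursion and fetch-glue findings are expected there and are not a problem.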
<para>
The <filename>/var/named/db.127.0.0</filename> file is the same for a <token>master</token> and a <token>slave</token> name server; this configuration file can be used by both.
The <filename>db.127.0.0</filename> file covers the loopback network. Create the following file in <filename class="directory">/var/named/</filename>.
</para>
<para>
Create the <filename>db.127.0.0</filename> file, <command>touch</command> <filename>/var/named/db.127.0.0</filename> and add:
<programlisting>
; Revision History: April 22, 1999 - admin@mail.openna.com
; Start of Authority (SOA) records.
$TTL 345600
@               IN SOA  deep.openna.com. admin.mail.openna.com. (
                        00      ; Serial
                        86400   ; Refresh
                        7200    ; Retry
                        2592000 ; Expire
                        345600 ) ; Minimum
; Name Server (NS) records.
                NS      deep.openna.com.
                NS      mail.openna.com.
; only One PTR record.
1               PTR     localhost.
</programlisting>
</para>
<para>
To configure the <filename>/var/named/db.208.164.186</filename> file for a master name server, use this configuration for the server on your network that acts as the master name server. The file <filename>db.208.164.186</filename> is the reverse zone: it maps
addresses back to host names. Create the following file in <filename class="directory">/var/named/</filename>.
</para>
<para>
Create the <filename>db.208.164.186</filename> file, <command>touch</command> <filename>/var/named/db.208.164.186</filename> and add:
<programlisting>
; Revision History: April 22, 1999 - admin@mail.openna.com
; Start of Authority (SOA) records.
$TTL 345600
@               IN SOA  deep.openna.com. admin.mail.openna.com. (
                        00      ; Serial
                        86400   ; Refresh
                        7200    ; Retry
                        2592000 ; Expire
                        345600 ) ; Minimum
; Name Server (NS) records.
                NS      deep.openna.com.
                NS      mail.openna.com.
; Addresses Point to Canonical Names (PTR) for Reverse lookups
1               PTR     deep.openna.com.
2               PTR     mail.openna.com.
3               PTR     www.openna.com.
</programlisting>
</para>
<para>
To configure the <filename>/var/named/db.openna</filename> file for a master name server, use this configuration for the server on your network that acts as a master name server. The file <filename>db.openna</filename> is the forward zone for openna.com: its A records map
host names to addresses. Create the following file in <filename class="directory">/var/named/</filename>.
</para>
<para>
Create the <filename>db.openna</filename> file, <command>touch</command> <filename>/var/named/db.openna</filename> and add:
<programlisting>
; Revision History: April 22, 1999 - admin@mail.openna.com
; Start of Authority (SOA) records.
$TTL 345600
@   IN   SOA   deep.openna.com.   admin.mail.openna.com. (
                00        ; Serial
                86400     ; Refresh
                7200      ; Retry
                2592000   ; Expire
                345600 )  ; Minimum
; Name Server (NS) records.
            NS     deep.openna.com.
            NS     mail.openna.com.
; Mail Exchange (MX) records.
            MX     0   mail.openna.com.
; Address (A) records.
localhost   A      127.0.0.1
deep        A      208.164.186.1
mail        A      208.164.186.2
www         A      208.164.186.3
; Aliases in Canonical Name (CNAME) records.
;www        CNAME  deep.openna.com.
</programlisting>
</para>
<para>
To configure the <filename>/var/named/db.cache</filename> file for master and slave name servers: before starting your <acronym>DNS</acronym> server you must take a copy of the <filename>db.cache</filename> file and copy it into
the <filename class="directory">/var/named/</filename> directory. The <filename>db.cache</filename> file tells your server where the servers for the root zone are.
</para>
<para>
Use the following command on another Unix computer in your organization to query a new <filename>db.cache</filename> file for your <acronym>DNS</acronym> server, or pick one from your Red Hat Linux CD-ROM source distribution:
<screen>
[root@deep] /# <command>dig</command> @a.root-servers.net . ns &gt; db.cache
</screen>
Don't forget to copy the <filename>db.cache</filename> file to the <filename class="directory">/var/named/</filename> directory on the server where you're installing the <acronym>DNS</acronym> server after retrieving it over the Internet.
</para>
</section>
<section><?dbhtml filename="chap21sec166.html"?>
<title><literal>Secondary</literal> slave name Server</title>
<para>
The purpose of a <literal>slave</literal> name server is to share the load with the <literal>master</literal> server, or handle the entire load if the <literal>master</literal> server is down. A <literal>slave</literal> name server loads its data over the network from another name
server <emphasis>usually the <literal>master</literal> name server, but it can load from another <literal>slave</literal> name server too</emphasis>. This process is called a <token>zone</token> transfer.
Necessary files to set up a secondary slave name server are:
</para>
<orderedlist numeration="lowerroman">
<listitem><para>
named.conf
</para></listitem><listitem><para>
db.127.0.0
</para></listitem><listitem><para>
db.cache
</para></listitem><listitem><para>
named script
</para></listitem>
</orderedlist>
<para>
To configure the <filename>/etc/named.conf</filename> file for a <literal>slave</literal> name server, use this configuration for the server on your network that acts as a <token>slave</token> name server. You must modify the <filename>named.conf</filename>
file on the <token>slave</token> name server host. Change every zone of <literal>type master</literal> (primary) to <literal>type slave</literal> (secondary), except for <filename>0.0.127.in-addr.arpa</filename>, and add a <literal>masters</literal> line with the <acronym>IP</acronym> address of the <literal>master</literal> server, as shown below.
</para>
<para>
Create the <filename>named.conf</filename> file, <command>touch</command> <filename>/etc/named.conf</filename> and add:
<programlisting>
options {
        directory "/var/named";
        fetch-glue no;
        recursion no;
        allow-query { 208.164.186/24; 127.0.0/8; };
        allow-transfer { 208.164.186.1; };
        transfer-format many-answers;
};

// These files are not specific to any zone
zone "." in {
        type hint;
        file "db.cache";
};

zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};

// These are our slave zone files
zone "openna.com" in {
        type slave;
        file "db.openna";
        masters { 208.164.186.1; };
};

zone "186.164.208.in-addr.arpa" in {
        type slave;
        file "db.208.164.186";
        masters { 208.164.186.1; };
};
</programlisting>
This tells the name server that it is a <token>slave</token> for the zone <literal>openna.com</literal> and should track the version of this zone that is being kept on the host <literal>208.164.186.1</literal>.
</para>
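<para>
The security-relevant settings in this file are <envar>recursion no</envar>, <envar>allow-query</envar>, <envar>allow-transfer</envar> and, for each slave zone, its <literal>masters</literal> line. The following Python script is an added example, not the book's own code, that parses a <acronym>BIND</acronym> 8 style <filename>named.conf</filename> and reports when one of these settings is missing or open to any host; the sample configuration embedded in it is the slave configuration from this section with two weaknesses constructed on purpose.
</para>
<programlisting><![CDATA[
```python
"""Audit a BIND 8 style named.conf for the settings this chapter relies on:
recursion off, restricted allow-query and allow-transfer, and a masters
line on every slave zone.  Added example; not the book's own code."""
import re

# Constructed sample: the chapter's slave named.conf with two weaknesses
# introduced on purpose so the audit has something to report.
SAMPLE_CONF = """
options {
        directory "/var/named";
        fetch-glue no;
        recursion no;
        allow-query { 208.164.186/24; 127.0.0/8; };
        allow-transfer { any; };            // weak: any host may pull zones
        transfer-format many-answers;
};
zone "." in { type hint; file "db.cache"; };
zone "0.0.127.in-addr.arpa" in { type master; file "db.127.0.0"; };
zone "openna.com" in {
        type slave;
        file "db.openna";
        masters { 208.164.186.1; };
};
zone "186.164.208.in-addr.arpa" in {
        type slave;
        file "db.208.164.186";              // weak: no masters line
};
"""


def strip_comments(text):
    """Drop /* */, // and # comments so braces inside them are not parsed."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text):
    """[(header, body)] for each top-level 'header { body };' statement,
    matching braces by depth so a nested ACL list does not end a block early."""
    blocks, depth, start, head = [], 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                header = text[head:start].strip().lstrip(";").strip()
                blocks.append((header, text[start + 1:i]))
                head = i + 1
    return blocks


def statement(body, name):
    """Value of 'name value;' or 'name { list };' inside a block body, or None."""
    m = re.search(r"\b%s\s+(\{[^}]*\}|[^;{}]+);" % re.escape(name), body)
    return m.group(1).strip() if m else None


def acl_items(value):
    """'{ 208.164.186/24; 127.0.0/8; }' -> ['208.164.186/24', '127.0.0/8']."""
    return [x.strip() for x in value.strip("{} \t\n").split(";") if x.strip()]


def audit_named_conf(text):
    """Sorted list of findings; an empty list means every check passed."""
    findings = []
    blocks = top_level_blocks(strip_comments(text))
    options = next((body for hdr, body in blocks if hdr == "options"), "")
    if statement(options, "recursion") != "no":
        findings.append("options: recursion is not disabled (set 'recursion no')")
    for acl in ("allow-query", "allow-transfer"):
        value = statement(options, acl)
        if value is None:
            # BIND 8 answers queries from, and transfers zones to, any host by default
            findings.append("options: %s is missing (defaults to any host)" % acl)
        elif "any" in acl_items(value):
            findings.append("options: %s permits any host" % acl)
    for hdr, body in blocks:
        m = re.match(r'zone\s+"([^"]+)"', hdr)
        if m and statement(body, "type") == "slave" and statement(body, "masters") is None:
            findings.append("zone %s: type slave but no masters line" % m.group(1))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_named_conf(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```
]]></programlisting>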
<para>
A <literal>slave</literal> name server doesn't need to retrieve all of its database (db) files over the network, because the db files <filename>db.127.0.0</filename> and <filename>db.cache</filename> are the same as
on a <literal>primary</literal> master, so you can keep a local copy of these files on the slave name server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>db.127.0.0</filename> file from the <literal>master</literal> name server to the <literal>slave</literal> name server.
</para></listitem><listitem><para>
Copy the <filename>db.cache</filename> file from the <literal>master</literal> name server to the <literal>slave</literal> name server.
</para></listitem>
</orderedlist>
</para>
<section>
<title><filename>/etc/rc.d/init.d/named</filename> script</title>
<para>
Configure your <filename>/etc/rc.d/init.d/named</filename> script file to start and stop the <acronym>BIND</acronym>/<acronym>DNS</acronym> daemon on your server. This configuration script file can
be used for all types of name server: <literal>caching</literal>, <literal>master</literal> or <literal>slave</literal>.
</para>
<para>
Create the named script file <command>touch</command> <filename>/etc/rc.d/init.d/named</filename> and add:
<programlisting>
#!/bin/sh
#
# named           This shell script takes care of starting and stopping
#                 named (BIND <acronym>DNS</acronym> server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (<acronym>DNS</acronym>) \
# that is used to resolve host names to <acronym>IP</acronym> addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] &amp;&amp; exit 0

# Nothing to do if the daemon or its configuration is not installed.
[ -f /usr/sbin/named ] || exit 0
[ -f /etc/named.conf ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting named: "
        daemon named
        RETVAL=$?
        [ $RETVAL -eq 0 ] &amp;&amp; touch /var/lock/subsys/named
        echo
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
        RETVAL=$?
        [ $RETVAL -eq 0 ] &amp;&amp; rm -f /var/lock/subsys/named
        echo
        ;;
  status)
        /usr/sbin/ndc status
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  reload)
        /usr/sbin/ndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/sbin/ndc reload &gt;/dev/null 2&gt;&amp;1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload|probe}"
        exit 1
esac

exit $RETVAL
</programlisting>
</para>
<para>
Now, make this script executable and change its default permissions:
<screen>
[root@deep]# <command>chmod</command> 700 /etc/rc.d/init.d/named
</screen>
Create the symbolic <filename class="symlink">rc.d</filename> links for <acronym>BIND</acronym>/<acronym>DNS</acronym> with the command:
<screen>
[root@deep]# <command>chkconfig</command> --add named
</screen>
</para>
<para>
The <acronym>BIND</acronym>/<acronym>DNS</acronym> script will not automatically start the named daemon when you reboot the server. You can change its default by executing the following command:
<screen>
[root@deep]# <command>chkconfig</command> --level 345 named on
</screen>
Start your <acronym>DNS</acronym> Server manually with the following command:
<screen>
[root@deep]# /etc/rc.d/init.d/named <command>start</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Starting named: [ OK ]
</computeroutput></literallayout>
</para>
</section>
</section>
<section><?dbhtml filename="chap21sec167.html"?>
<title>Run <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> in a chroot jail</title>
<highlights><para>
The main benefit of a chroot jail is that the jail will limit the portion of the file system the <acronym>DNS</acronym> daemon program can see to the root directory of the jail. Additionally, since the jail only needs to support <acronym>DNS</acronym>, the programs related
to <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail.
</para></highlights>
<sidebar>
<title>Securing <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym></title>
<para>
This part focuses on preventing <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> from being used as a point of break-in to the system hosting it. Since <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym>
performs a relatively large and complex function, the potential for bugs that affect security is rather high with this software. In fact, there have been exploitable bugs in the past that allowed a remote attacker to obtain root access to hosts
running <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym>. To minimize this risk, <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> can be run as a non-root user, which will limit any damage to what can
be done as a normal user with a local shell. Of course, this is not enough for the security requirements of most <acronym>DNS</acronym> servers, so an additional step can be taken - that is, running <acronym>ISC</acronym> <acronym>BIND</acronym>
in a chroot jail.
<mediaobject>
<imageobject><imagedata fileref="./images/DNS-Chroot.gif" format="GIF" /></imageobject>
<textobject><phrase>DNS in chroot</phrase></textobject>
</mediaobject>
</para>
</sidebar>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The named binary program must be in a directory listed within your <envar>PATH</envar> environment variable for this to work. For the rest of the documentation, I'll assume the path of your original named program
is <filename>/usr/sbin/named</filename>.
</para></important>
<para>
The following are the necessary steps to run <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> software in a chroot jail:
</para>
<para>
We must find the shared library dependencies of named, <emphasis>named is the <acronym>DNS</acronym> daemon</emphasis>. These will need to be copied into the chroot jail later.
</para>
<procedure><step><para>
To find the shared library dependencies of named, execute the following command:
<screen>
[root@deep] /# <command>ldd</command> /usr/sbin/named
libc.so.6 =&gt; /lib/libc.so.6 (0x40017000)
/lib/ld-linux.so.2 =&gt; /lib/ld-linux.so.2 (0x40000000)
</screen>
</para></step>
<step><para>
Make a note of the files listed above; you will need these later in our steps.
</para></step>
</procedure>
<para>
Now we must set up the chroot environment, and create the root directory of the jail. We've chosen <filename class="directory">/chroot/named</filename> because we want to put this on its own separate file system to prevent file system attacks. Early
in our Linux installation procedure we created a special partition <filename class="directory">/chroot</filename> for this purpose.
</para>
<procedure><step><para>
<screen>
[root@deep] /# /etc/rc.d/init.d/named stop <co id="nmd1"/>
</screen>
<calloutlist>
<callout arearefs="nmd1"><para>
Required only if an existing named daemon is running.
</para>
</callout>
</calloutlist>
<literallayout class="monospaced"><computeroutput>
Shutting down named: [ OK ]
</computeroutput></literallayout>
<screen>
[root@deep] /# <command>mkdir</command> -p /chroot/named
</screen>
</para></step>
<step><para>
Next, create the rest of the directories as follows:
<screen>
[root@deep] /# <command>mkdir</command> /chroot/named/dev
[root@deep] /# <command>mkdir</command> /chroot/named/lib
[root@deep] /# <command>mkdir</command> /chroot/named/etc
[root@deep] /# <command>mkdir</command> -p /chroot/named/usr/sbin
[root@deep] /# <command>mkdir</command> -p /chroot/named/var/run
[root@deep] /# <command>mkdir</command> /chroot/named/var/named
</screen>
</para></step>
<step><para>
Now copy the main configuration file, the zone files, the <symbol class="limit">named</symbol> and the named-xfer programs into the appropriate places in the chroot jail directory:
<screen>
[root@deep] /# <command>cp</command> /etc/named.conf /chroot/named/etc/
[root@deep] /# <command>cd</command> /var/named ; cp -a . /chroot/named/var/named/
[root@deep] /# <command>mknod</command> /chroot/named/dev/null c 1 3
[root@deep] /# <command>chmod</command> 666 /chroot/named/dev/null
[root@deep] /# <command>cp</command> /usr/sbin/named /chroot/named/usr/sbin/
[root@deep] /# <command>cp</command> /usr/sbin/named-xfer /chroot/named/usr/sbin/
</screen>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The owner of the <filename class="directory">/chroot/named/var/named</filename> directory and all files in this directory must be the <symbol class="limit">named</symbol> user the daemon runs as. This applies to the <literal>slave</literal> server, and only
the <literal>slave</literal> server, because the slave writes the transferred zone files into this directory; otherwise you wouldn't be able to make a <literal>zone</literal> transfer.
</para>
</important>
</para></step>
<step><para>
To make the <filename class="directory">named</filename> directory and all its files owned by the <symbol class="limit">named</symbol> user under the <literal>slave</literal> server, use the command:
<screen>
[root@deep] /# <command>chown</command> -R named.named /chroot/named/var/named/
</screen>
</para></step>
</procedure>
<para>
Copy the shared libraries identified above to the chrooted lib directory:
<screen>
[root@deep] /# <command>cp</command> /lib/libc.so.6 /chroot/named/lib/
[root@deep] /# <command>cp</command> /lib/ld-linux.so.2 /chroot/named/lib/
</screen>
</para>
<para>
Copy the <filename>localtime</filename> and <filename>nsswitch.conf</filename> files to the chrooted <filename class="directory">etc</filename> directory so that log entries are adjusted for your local
timezone properly:
<screen>
[root@deep] /# <command>cp</command> /etc/localtime /chroot/named/etc/
[root@deep] /# <command>cp</command> /etc/nsswitch.conf /chroot/named/etc/
</screen>
</para>
<para>
We must set some files under the <filename class="directory">/chroot/named/etc</filename> directory with the immutable bit enabled for better security:
</para>
<procedure><step><para>
Set the immutable bit on <filename>nsswitch.conf</filename> file:
<screen>
[root@deep] /# <command>cd</command> /chroot/named/etc/
[root@deep etc]# <command>chattr</command> +i nsswitch.conf
</screen>
</para></step>
<step><para>
Set the immutable bit on <filename>named.conf</filename> file:
<screen>
[root@deep] /# <command>cd</command> /chroot/named/etc/
[root@deep etc]# <command>chattr</command> +i named.conf
</screen>
A file with the +i attribute cannot be modified, deleted or renamed; no link can be created to this file and no data can be written to it. Only the superuser can set or clear this attribute.
</para></step>
</procedure>
<para>
Add a new <symbol class="limit">UID</symbol> and a new <symbol class="limit">GID</symbol> for running the daemon <literal>named</literal> if this is not already set. This is important because running it as root defeats
the purpose of the jail, and using a different user id that already exists on the system can allow your services to access each others' resources.
Check the <filename>/etc/passwd</filename> and <filename>/etc/group</filename> files for a free UID/GID number. In our example we'll use the number <symbol class="limit">53</symbol> and the name <symbol class="limit">named</symbol>.
<screen>
[root@deep] /# <command>useradd</command> -c "DNS Server" -u 53 -s /bin/false -r -d /chroot/named named 2&gt;/dev/null || :
</screen>
</para>
</section>
<section><?dbhtml filename="chap21sec168.html"?>
<title>The syslog daemon</title>
<para>
We must tell syslogd <emphasis>the syslog daemon program</emphasis> about the new chrooted service, since normally processes talk to syslogd through the <filename>/dev/log</filename> socket. As a result of the chroot
jail, this won't be possible, so syslogd needs to be told to listen on <filename>/chroot/named/dev/log</filename> in addition to the default <filename>/dev/log</filename>. To do this, edit the syslog startup script file to specify
additional places to listen.
</para>
<para>
Edit the <filename>syslog</filename> script file <command>vi</command> +24 <filename>/etc/rc.d/init.d/syslog</filename> and change the line:
<programlisting>
daemon syslogd -m 0
</programlisting>
To read:
<programlisting>
daemon syslogd -m 0 -a /chroot/named/dev/log
</programlisting>
</para>
<para>
The default named script file of <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> starts the daemon <literal>named</literal> outside the chroot jail. We must change it to start named from the
chroot jail. Edit the named script file <command>vi</command> <filename>/etc/rc.d/init.d/named</filename> and change the lines:
</para>
<procedure>
<step><para>
<programlisting>
[ -f /usr/sbin/named ] || exit 0
</programlisting>
To read:
<programlisting>
[ -f /chroot/named/usr/sbin/named ] || exit 0
</programlisting>
</para></step>
<step><para>
<programlisting>
[ -f /etc/named.conf ] || exit 0
</programlisting>
To read:
<programlisting>
[ -f /chroot/named/etc/named.conf ] || exit 0
</programlisting>
</para></step>
<step><para>
<programlisting>
daemon named
</programlisting>
To read:
<programlisting>
daemon /chroot/named/usr/sbin/named -t /chroot/named/ -unamed -gnamed
</programlisting>
</para></step>
</procedure>
<variablelist><varlistentry>
<term>The -t </term>
<listitem><para>
option tells <literal>named</literal> to start up using the new chroot environment.
</para></listitem>
</varlistentry>
<varlistentry>
<term>The -u </term>
<listitem><para>
option specifies the user to run as.
</para></listitem>
</varlistentry>
<varlistentry>
<term>The -g </term>
<listitem><para>
option specifies the group to run as.
</para></listitem>
</varlistentry>
</variablelist>
<para>
In <acronym>BIND</acronym> version 8.2, the <command>ndc</command> command of <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> software became a binary file; before, it was a script file. This
renders the shipped <command>ndc</command> useless in this setting, because it looks for <literal>named</literal> in the original locations. To fix it, the <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> package must be compiled again from source
with the paths below, starting from the top level of the <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> source directory.
</para>
<procedure><step><para>
For ndc utility:
<screen>
[root@deep] /# <command>cp</command> bind-src.tar.gz /var/tmp
[root@deep] /# <command>cd</command> /var/tmp/
[root@deep ]/tmp# <command>tar</command> xzpf bind-src.tar.gz
[root@deep ]/tmp# <command>cd</command> src
[root@deep ]/src# <command>cp</command> port/linux/Makefile.set port/linux/Makefile.set-orig
</screen>
</para></step>
<step><para>
Edit the <filename>Makefile.set file</filename>, <command>vi</command> <filename>port/linux/Makefile.set</filename> to make the changes listed below:
<programlisting>
'CC=egcs -D_GNU_SOURCE'
'CDEBUG=-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -g'
'DESTBIN=/usr/bin'
'DESTSBIN=/chroot/named/usr/sbin'
'DESTEXEC=/chroot/named/usr/sbin'
'DESTMAN=/usr/man'
'DESTHELP=/usr/lib'
'DESTETC=/etc'
'DESTRUN=/chroot/named/var/run'
'DESTLIB=/usr/lib/bind/lib'
'DESTINC=/usr/lib/bind/include'
'LEX=flex -8 -I'
'YACC=yacc -d'
'SYSLIBS=-lfl'
'INSTALL=install'
'MANDIR=man'
'MANROFF=cat'
'CATEXT=$$N'
'PS=ps p'
'AR=ar crus'
'RANLIB=:'
</programlisting>
</para></step>
<step><para>
The difference between the Makefile we used before and this one is that we modify the <envar>DESTSBIN=</envar>, <envar>DESTEXEC=</envar>, and <envar>DESTRUN=</envar> lines to point to the chrooted directory
of <acronym>BIND</acronym>/<acronym>DNS</acronym>. With this modification, the <command>ndc</command> program knows where to find <literal>named</literal>.
<screen>
[root@deep ]/src# <command>make clean</command>
[root@deep ]/src# <command>make</command>
[root@deep ]/src# <command>cp</command> bin/ndc/ndc /usr/sbin/
cp: overwrite `/usr/sbin/ndc'? y
[root@deep ]/src# <command>strip</command> /usr/sbin/ndc
</screen>
We build the binary, then copy the resulting <command>ndc</command> program to <filename class="directory">/usr/sbin</filename>, overwriting the old one. Don't forget to strip the new ndc binary for better performance.
</para></step>
</procedure>
</section>
<section><?dbhtml filename="chap21sec169.html"?>
<title>Clean-up and Test the new chrooted jail</title>
<para>
Remove the unnecessary files and directory.
<screen>
[root@deep] /# <command>rm</command> -f /usr/sbin/named
[root@deep] /# <command>rm</command> -f /usr/sbin/named-xfer
[root@deep] /# <command>rm</command> -f /etc/named.conf
[root@deep] /# <command>rm</command> -rf /var/named/
</screen>
We remove the <literal>named</literal> and <literal>named-xfer</literal> binaries from the <filename>/usr/sbin</filename> directory, since the ones we'll work with now on a daily basis are located under the
chroot directory. The same applies for the <filename>named.conf</filename> file and <filename class="directory">/var/named</filename> directory.
</para>
<para>
We must test the new chrooted jail configuration of our <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> software.
</para>
<procedure><step><para>
The first thing to do is to restart our syslogd daemon with the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/syslog <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
</computeroutput></literallayout>
</para></step>
<step><para>
Now, start the new chrooted jail <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> with the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/named start
</screen>
<literallayout class="monospaced"><computeroutput>
Starting named: [ OK ]
</computeroutput></literallayout>
</para></step>
<step><para>
To verify that <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> is running as user <literal>named</literal> and with the new arguments, use the following command:
<screen>
[root@deep] /# <command>ps</command> auxw | <command>grep</command> named
</screen>
<literallayout class="monospaced"><computeroutput>
named 11446 0.0 1.2 2444 1580 ? S 23:09 0:00 /chroot/named/usr/sbin/named -t /chroot/named/ -unamed -gnamed
</computeroutput></literallayout>
The first column should be <literal>named</literal>, which is the <acronym>UID</acronym> named daemon is running under. The end of the line should be <command>named</command> -t /chroot/named/ -unamed -gnamed, which
are the new arguments.
</para></step>
<step><para>
Please don't forget to clean up:
<screen>
[root@deep] /# <command>rm</command> -rf /var/tmp/src /var/tmp/bind-src.tar.gz
</screen>
This will remove the source file and tar archive we used to compile and install <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym>.
</para></step>
</procedure>
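<para>
The checks made by hand in the steps above (the libraries reported by <command>ldd</command>, the copied files, the <filename>/dev/null</filename> node, ownership of <filename class="directory">var/named</filename>, the <command>ps</command> line and the syslogd <literal>-a</literal> option) can be repeated automatically. The following Python script is an added example, not the book's own code, that audits a jail built as in this chapter; it assumes the chapter's paths and user name (<filename class="directory">/chroot/named</filename>, <literal>named</literal>), uses constructed copies of the <command>ldd</command> and <command>ps</command> output shown above, and when run stand-alone builds a throw-away jail skeleton in a temporary directory, since creating the device node requires root.
</para>
<programlisting><![CDATA[
```python
"""Audit a BIND chroot jail built as in this chapter: shared libraries,
copied files, the /dev/null node, ownership of var/named, the running
process and the syslogd socket.  Added example; not the book's own code."""
import os
import re
import stat
import tempfile

# Constructed sample of the ldd output shown earlier in the chapter.
LDD_OUTPUT = """\
        libc.so.6 => /lib/libc.so.6 (0x40017000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
"""
# Constructed sample of `ps auxw | grep named` on a correctly jailed server.
PS_LINE = ("named 11446 0.0 1.2 2444 1580 ? S 23:09 0:00 "
           "/chroot/named/usr/sbin/named -t /chroot/named/ -unamed -gnamed")
# Files the chapter copies into the jail, relative to the jail root.
REQUIRED_FILES = ("etc/named.conf", "etc/nsswitch.conf", "etc/localtime",
                  "usr/sbin/named", "usr/sbin/named-xfer", "var/named/db.cache")


def libs_from_ldd(output):
    """Absolute library paths from ldd output, e.g. ['/lib/libc.so.6', ...]."""
    return [m.group(1) for m in
            (re.search(r"(/\S+)\s+\(0x[0-9a-f]+\)", ln) for ln in output.splitlines())
            if m]


def check_jail(root, ldd_output, named_uid):
    """Findings about the jail under root; an empty list means it is complete."""
    findings = []
    for lib in libs_from_ldd(ldd_output):
        if not os.path.isfile(os.path.join(root, "lib", os.path.basename(lib))):
            findings.append("missing library lib/%s" % os.path.basename(lib))
    for rel in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(root, rel)):
            findings.append("missing file %s" % rel)
    try:
        st = os.stat(os.path.join(root, "dev", "null"))
        if not (stat.S_ISCHR(st.st_mode) and os.major(st.st_rdev) == 1
                and os.minor(st.st_rdev) == 3):
            findings.append("dev/null is not character device 1,3")
    except FileNotFoundError:
        findings.append("dev/null is missing (mknod dev/null c 1 3)")
    zones = os.path.join(root, "var", "named")
    if not os.path.isdir(zones):
        findings.append("missing directory var/named")
    elif os.stat(zones).st_uid != named_uid:
        findings.append("var/named not owned by the named user (zone transfers fail)")
    return findings


def check_process(ps_line, root="/chroot/named/"):
    """Confirm a ps line shows named running as user named with -t root."""
    fields, findings = ps_line.split(), []
    if fields[0] != "named":
        findings.append("named runs as %s, not as named" % fields[0])
    i = fields.index("-t") if "-t" in fields else -1
    if i < 0 or i + 1 >= len(fields) or fields[i + 1] != root:
        findings.append("named was not started with -t %s" % root)
    return findings


def check_syslog_script(script_text, sock="/chroot/named/dev/log"):
    """Confirm the syslog init script passes -a <jail>/dev/log to syslogd."""
    if re.search(r"daemon\s+syslogd\b[^\n]*-a\s+%s" % re.escape(sock), script_text):
        return []
    return ["syslogd is not started with -a %s" % sock]


def build_demo_jail():
    """Throw-away jail skeleton with everything except dev/null (mknod needs
    root), so check_jail has exactly one thing to report on any machine."""
    root = tempfile.mkdtemp(prefix="named-jail-")
    libs = tuple("lib/" + os.path.basename(p) for p in libs_from_ldd(LDD_OUTPUT))
    for rel in REQUIRED_FILES + libs:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    os.mkdir(os.path.join(root, "dev"))
    return root


def demo_findings():
    """Run check_jail on the demo skeleton, which is owned by the current user."""
    return check_jail(build_demo_jail(), LDD_OUTPUT, os.getuid())


if __name__ == "__main__":
    for line in (demo_findings() + check_process(PS_LINE)
                 + check_syslog_script("daemon syslogd -m 0")):
        print("FINDING:", line)
```
]]></programlisting>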
<para>
For further documentation and more details, there are several man pages you can read:
<variablelist><varlistentry>
<term><citerefentry><refentrytitle>dnsdomainname</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- show the system's <acronym>DNS</acronym> domain name
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>dnskeygen</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- generate public, private, and shared secret keys for <acronym>DNS</acronym> Security
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>dnsquery</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- query domain name servers using resolver
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>named</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- Internet domain name server <acronym>DNS</acronym>
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>hesiod_to_bind [hesiod]</refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- Hesiod name server interface library
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ldconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- determine run-time link bindings
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>lesskey</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- specify key bindings for less
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>raw</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- bind a Linux raw character device
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>mkfifo</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- make FIFOs <emphasis>named pipes</emphasis>
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>named-bootconf</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- convert name server configuration files
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>named-xfer</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- ancillary agent for inbound zone transfers
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>named.conf [named]</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
- configuration file for named
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>Opcode</refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- Disable named opcodes when compiling perl code
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- send domain name query packets to name servers
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>nslookup</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- query Internet name servers interactively
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ndc</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- name daemon control program
</para></listitem>
</varlistentry>
</variablelist>
</para>
</section>
<section><?dbhtml filename="chap21sec170.html"?>
<title>DNS Administrative Tools</title>
<para>
The commands listed below are some that we use often, but many more exist. Check the man pages and documentation for more details and information.
</para>
<formalpara>
<title>dig</title>
<para>
The <command>dig</command> command utility <emphasis>domain information groper</emphasis> can be used to update your <filename>db.cache</filename> file: it asks a root name server for the list of servers for the <literal>root zone</literal>
and writes the answer to a new <filename>db.cache</filename>. The root name servers do not change very often, but they do change. A good practice is to update your <filename>db.cache</filename>
file every month or two.
</para>
</formalpara>
<para>
Use the following command to query a new <filename>db.cache</filename> file for your <acronym>DNS</acronym> server:
<screen>
[root@deep] /# <command>dig</command> @a.root-servers.net . ns &gt; db.cache
</screen>
Copy the <filename>db.cache</filename> file to <filename class="directory">/var/named/</filename> after retrieving it.
<screen>
[root@deep] /# <command>cp</command> db.cache /var/named/
</screen>
Where <literal>@a.root-servers.net</literal> is the address of the root server to query, <literal>. ns</literal> asks for the NS records of the root zone, and <filename>db.cache</filename> is the name of your new <filename>db.cache</filename> file.
</para>
<formalpara>
<title>ndc</title>
<para>
The <command>ndc</command> command utility of <acronym>ISC</acronym> <acronym>BIND</acronym>/<acronym>DNS</acronym> allows the system administrator to control the operation of a name server interactively from a terminal.
Type <command>ndc</command> on your terminal and then <literal>help</literal> to see help on the different commands.
<screen>
[root@deep] /# <command>ndc</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Type help -or- /h if you need help.
ndc&gt; help
getpid
status
stop
exec
reload [zone] ...
reconfig (just sees new/gone zones)
dumpdb
stats
trace [level]
notrace
querylog
qrylog
help
quit
ndc&gt; /e
</computeroutput></literallayout>
</para>
</formalpara>
</section>
<section><?dbhtml filename="chap21sec171.html"?>
<title><acronym>DNS</acronym> Users Tools</title>
<para>
The commands listed below are some that we use often, but many more exist. Check the man pages and documentation for more details and information.
</para>
<formalpara>
<title>nslookup</title>
<para>
The <command>nslookup</command> program allows the user to query Internet domain name servers interactively or non-interactively. In interactive mode the user can query name servers for information about various hosts
and domains, and print a list of hosts in a domain. In non-interactive mode the user can just print the name and request information for a host or domain.
Interactive mode has a lot of options and commands; it is recommended that you see the man page for nslookup, or the help under nslookup Interactive mode.
</para>
</formalpara>
<para>
To enter nslookup interactive mode, use the command:
<screen>
[root@deep] /# <command>nslookup</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Default Server: deep.openna.com
Address: 208.164.186.1
&gt; help
$Id$
Commands: (identifiers are shown in uppercase, [] means optional)
NAME - print info about the host/domain NAME using default server
NAME1 NAME2 - as above, but use NAME2 as server
help or ? - print info on common commands; see nslookup(1) for details
set OPTION - set an option
all - print options, current server and host
[no]debug - print debugging information
[no]d2 - print exhaustive debugging information
</computeroutput></literallayout>
</para>
<para>
To run in non-interactive mode, use the command:
<screen>
[root@deep] /# <command>nslookup</command> www.redhat.com
</screen>
<literallayout class="monospaced"><computeroutput>
Server: deep.openna.com
Address: 208.164.186.1
Non-authoritative answer:
Name: www.portal.redhat.com
Addresses: 206.132.41.202, 206.132.41.203
Aliases: www.redhat.com
</computeroutput></literallayout>
Where <literal>www.redhat.com</literal> is the host name or Internet address of the host to be looked up.
</para>
<formalpara>
<title>dnsquery</title>
<para>
The <command>dnsquery</command> program queries domain name servers through the resolver library, using the name servers listed in <filename>/etc/resolv.conf</filename>.
To query domain name servers using the resolver, use the command:
<screen>
[root@deep] /# <command>dnsquery</command> &lt;host&gt;
</screen>
</para>
</formalpara>
<example>
<title>dnsquery</title>
<para>
<screen>
[root@deep] /# <command>dnsquery</command> www.redhat.com
</screen>
<literallayout class="monospaced"><computeroutput>
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 40803
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; www.redhat.com, type = ANY, class = IN
www.redhat.com. 2h19m46s IN CNAME www.portal.redhat.com.
redhat.com. 2h18m13s IN NS ns.redhat.com.
redhat.com. 2h18m13s IN NS ns2.redhat.com.
redhat.com. 2h18m13s IN NS ns3.redhat.com.
redhat.com. 2h18m13s IN NS speedy.redhat.com.
ns.redhat.com. 1d2h18m8s IN A 207.175.42.153
ns2.redhat.com. 1d2h18m8s IN A 208.178.165.229
ns3.redhat.com. 1d2h18m8s IN A 206.132.41.213
speedy.redhat.com. 2h18m13s IN A 199.183.24.251
</computeroutput></literallayout>
Where &lt;host&gt; is the name of the host you want to query.
</para></example>
<formalpara>
<title>host</title>
<para>
The <command>host</command> program looks up host names using <acronym>DNS</acronym>.
To look up a name using the domain name server, use the command:
<screen>
[root@deep] /# <command>host</command> &lt;FQDN, domain names, host names, or host numbers&gt;
</screen>
</para>
</formalpara>
<example>
<title>Look up host names</title>
<para>
<screen>
[root@deep] /# <command>host</command> redhat.com
</screen>
<literallayout class="monospaced"><computeroutput>
redhat.com has address 207.175.42.154
</computeroutput></literallayout>
Where &lt;FQDN, domain names, host names, or host numbers&gt; is either an FQDN such as <literal>www.redhat.com</literal>, a domain name such as <literal>redhat.com</literal>, a host name such as <literal>www</literal>, or a host number such as <literal>207.175.42.154</literal>.
</para></example>
<para>
To find all of the information about a host maintained by the <acronym>DNS</acronym>, use the command:
<screen>
[root@deep] /# <command>host</command> -a &lt;domain names &gt;
</screen>
</para>
<example>
<title>Using host</title>
<para>
<screen>
[root@deep] /# <command>host</command> -a redhat.com
</screen>
<literallayout class="monospaced"><computeroutput>
Trying null domain
rcode = 0 (Success), ancount=6
The following answer is not authoritative:
The following answer is not verified as authentic by the server:
redhat.com 8112 IN NS ns.redhat.com
redhat.com 8112 IN NS ns2.redhat.com
redhat.com 8112 IN NS ns3.redhat.com
redhat.com 8112 IN NS speedy.redhat.com
redhat.com 8112 IN A 207.175.42.154
redhat.com 11891 IN SOA ns.redhat.com noc.redhat.com(
2000021402 ;serial (version)
3600 ;refresh period
1800 ;retry refresh this often
604800 ;expiration period
86400 ;minimum TTL
)
For authoritative answers, see:
redhat.com 8112 IN NS ns.redhat.com
redhat.com 8112 IN NS ns2.redhat.com
redhat.com 8112 IN NS ns3.redhat.com
redhat.com 8112 IN NS speedy.redhat.com
Additional information:
ns.redhat.com 94507 IN A 207.175.42.153
ns2.redhat.com 94507 IN A 208.178.165.229
ns3.redhat.com 94507 IN A 206.132.41.213
speedy.redhat.com 8112 IN A 199.183.24.251
</computeroutput></literallayout>
This option can be used to find all of the information that is maintained by the domain server about this host, in our example <literal>redhat.com</literal>.
</para></example>
<para>
To list a complete domain, use the command:
<screen>
[root@deep] /# <command>host</command> -l &lt;domain names &gt;
</screen>
</para>
<example>
<title>List a complete domain</title>
<para>
<screen>
[root@deep] /# <command>host</command> -l openna.com
</screen>
<literallayout class="monospaced"><computeroutput>
openna.com name server deep.openna.com
openna.com name server mail.openna.com
localhost.openna.com has address 127.0.0.1
deep.openna.com has address 208.164.186.1
mail.openna.com has address 208.164.186.2
www.openna.com has address 208.164.186.3
</computeroutput></literallayout>
This option requests a zone transfer (<acronym>AXFR</acronym>) and prints the complete zone data for the domain name <literal>openna.com</literal> in the official master file format. A zone listing hands an attacker a map of every host in your domain, so a correctly configured name server only allows transfers to its own secondaries (the <literal>allow-transfer</literal> statement in <filename>named.conf</filename>) and refuses this request from anywhere else. Use this command only when it is absolutely necessary, for example to verify from an outside host that your own server refuses the transfer.
</para></example>
</section>
<section><?dbhtml filename="chap21sec172.html"?>
<title>Installed files</title>
<simplelist type="vert" columns="2">
<member><filename>/etc/rc.d/init.d/named</filename></member>
<member><filename>/etc/rc.d/rc0.d/K45named</filename></member>
<member><filename>/etc/rc.d/rc1.d/K45named</filename></member>
<member><filename>/etc/rc.d/rc2.d/K45named</filename></member>
<member><filename>/etc/rc.d/rc3.d/K45named</filename></member>
<member><filename>/etc/rc.d/rc4.d/K45named</filename></member>
<member><filename>/etc/rc.d/rc5.d/K45named</filename></member>
<member><filename>/etc/rc.d/rc6.d/K45named</filename></member>
<member><filename>/etc/named.conf</filename></member>
<member><filename>/usr/bin/addr</filename></member>
<member><filename>/usr/bin/nslookup</filename></member>
<member><filename>/usr/bin/dig</filename></member>
<member><filename>/usr/bin/dnsquery</filename></member>
<member><filename>/usr/bin/host</filename></member>
<member><filename>/usr/bin/nsupdate</filename></member>
<member><filename>/usr/bin/mkservdb</filename></member>
<member><filename>/usr/lib/bind</filename></member>
<member><filename>/usr/lib/bind/include</filename></member>
<member><filename>/usr/lib/bind/include/arpa</filename></member>
<member><filename>/usr/lib/bind/include/arpa/inet.h</filename></member>
<member><filename>/usr/lib/bind/include/arpa/nameser.h</filename></member>
<member><filename>/usr/lib/bind/include/arpa/nameser_compat.h</filename></member>
<member><filename>/usr/lib/bind/include/isc</filename></member>
<member><filename>/usr/lib/bind/include/isc/eventlib.h</filename></member>
<member><filename>/usr/lib/bind/include/isc/misc.h</filename></member>
<member><filename>/usr/lib/bind/include/isc/tree.h</filename></member>
<member><filename>/usr/lib/bind/include/isc/logging.h</filename></member>
<member><filename>/usr/lib/bind/include/isc/heap.h</filename></member>
<member><filename>/usr/lib/bind/include/isc/memcluster.h</filename></member>
<member><filename>/usr/lib/bind/include/isc/assertions.h</filename></member>
<member><filename>/usr/lib/bind/include/isc/list.h</filename></member>
<member><filename>/usr/lib/bind/include/isc/dst.h</filename></member>
<member><filename>/usr/lib/bind/include/isc/irpmarshall.h</filename></member>
<member><filename>/usr/lib/bind/include/netdb.h</filename></member>
<member><filename>/usr/lib/bind/include/resolv.h</filename></member>
<member><filename>/usr/lib/bind/include/res_update.h</filename></member>
<member><filename>/usr/lib/bind/include/irs.h</filename></member>
<member><filename>/usr/lib/bind/include/irp.h</filename></member>
<member><filename>/usr/lib/bind/include/hesiod.h</filename></member>
<member><filename>/usr/lib/bind/include/sys</filename></member>
<member><filename>/usr/lib/bind/include/net</filename></member>
<member><filename>/usr/lib/bind/lib</filename></member>
<member><filename>/usr/lib/bind/lib/libbind.a</filename></member>
<member><filename>/usr/lib/bind/lib/libbind_r.a</filename></member>
<member><filename>/usr/lib/nslookup.help</filename></member>
<member><filename>/usr/man/man1/dig.1</filename></member>
<member><filename>/usr/man/man1/host.1</filename></member>
<member><filename>/usr/man/man1/dnsquery.1</filename></member>
<member><filename>/usr/man/man1/dnskeygen.1</filename></member>
<member><filename>/usr/man/man3/hesiod.3</filename></member>
<member><filename>/usr/man/man3/gethostbyname.3</filename></member>
<member><filename>/usr/man/man3/inet_cidr.3</filename></member>
<member><filename>/usr/man/man3/resolver.3</filename></member>
<member><filename>/usr/man/man3/getnetent.3</filename></member>
<member><filename>/usr/man/man3/tsig.3</filename></member>
<member><filename>/usr/man/man3/getaddrinfo.3</filename></member>
<member><filename>/usr/man/man3/getipnodebyname.3</filename></member>
<member><filename>/usr/man/man5/resolver.5</filename></member>
<member><filename>/usr/man/man5/irs.conf.5</filename></member>
<member><filename>/usr/man/man5/named.conf.5</filename> </member>
<member><filename>/usr/man/man7/hostname.7</filename> </member>
<member><filename>/usr/man/man7/mailaddr.7</filename> </member>
<member><filename>/usr/man/man8/named.8</filename> </member>
<member><filename>/usr/man/man8/ndc.8</filename> </member>
<member><filename>/usr/man/man8/named-xfer.8</filename> </member>
<member><filename>/usr/man/man8/named-bootconf.8</filename> </member>
<member><filename>/usr/man/man8/nslookup.8</filename> </member>
<member><filename>/usr/man/man8/nsupdate.8</filename> </member>
<member><filename>/usr/sbin/ndc</filename> </member>
<member><filename>/usr/sbin/named</filename> </member>
<member><filename>/usr/sbin/named-xfer</filename> </member>
<member><filename>/usr/sbin/irpd</filename> </member>
<member><filename>/usr/sbin/dnskeygen</filename> </member>
<member><filename>/usr/sbin/named-bootconf</filename></member>
<member><filename>/var/named</filename></member>
</simplelist>
</section>
</chapter>
<chapter label="22" id="pr6ch22SSMn"><?dbhtml filename="soser-mailn.html"?>
<title>Software -Server/Mail Network</title>
<highlights><para>
The Sendmail program is one of the most widely used Internet Mail Transfer Agents (<acronym>MTA</acronym>s) in the world. The purpose of an <acronym>MTA</acronym> is to move mail from one machine to another, and nothing
else. Sendmail is not a client program that you use to read your e-mail; instead, it moves your e-mail over networks, or the Internet, to where you want it to go. Sendmail has been an easy target for system
crackers to exploit in the past, but with the advent of Sendmail version 8 this has become much more difficult.
</para></highlights>
<section><?dbhtml filename="chap22sec173.html"?>
<title>Linux Sendmail Server</title>
<para>
In our configuration and installation we'll describe two different configurations that you can set up for Sendmail:
<variablelist><varlistentry>
<term>Central Mail Hub Relay</term>
<listitem><para>
The Central Mail Hub Relay Server configuration is used on the server whose task is to send, receive and relay all mail for the local or neighbor client and server machines on your network.
</para></listitem>
</varlistentry>
<varlistentry>
<term>Local or neighbor clients and servers</term>
<listitem><para>
A local or neighbor client or server is any other machine on your network that runs Sendmail and hands all of its outgoing mail to the Central Mail Hub for delivery.
Such an internal client never receives mail directly from the Internet; instead, all mail from the Internet for those computers is kept on the Mail Hub server.
</para></listitem>
</varlistentry>
</variablelist>
It is a good idea to run one Central Mail Hub Server for all computers on your network; this architecture reduces the administration needed on the server and client machines, and improves the security of your site.
</para>
<para>
You can configure the neighbor Sendmail so that it accepts only mail that is generated locally, which makes the neighbor machines easier to secure. The Gateway server outside the firewall, or the firewall itself, acts as a
proxy: its firewall rules accept external mail destined for internal delivery and forward it to the Central Mail Hub Server. Note that the Gateway server's own Sendmail is configured like
a neighbor Sendmail server, so it never accepts incoming mail from the outside <literal>Internet</literal> itself.
</para>
<para>
Here is a graphical representation of the Sendmail configuration used in this book, with its different settings:
<itemizedlist>
<listitem><para>
Central Mail Hub Relay,
</para></listitem><listitem><para>
local or neighbor <emphasis>clients and servers</emphasis> on different machines.
</para></listitem>
</itemizedlist>
Many other arrangements are possible, depending on your needs and network architecture.
<mediaobject><imageobject><imagedata fileref="./images/Sendmail-Schema.gif" format="GIF"/></imageobject>
<textobject><phrase>
Sendmail configuration examples
</phrase></textobject>
</mediaobject>
</para>
<para>
These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename class="directory">/var/tmp</filename>, <emphasis>other paths are possible</emphasis>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account root.
</para></listitem><listitem><para>
Sendmail version number is 8.10.1
</para></listitem>
</itemizedlist>
</para>
<para id="pr6ch22sc1snml">
These are the package(s) you need to download and they are available here
<simplelist>
<member>
Sendmail Homepage: <link linkend="prtinxfp19">http://www.sendmail.org/</link>
</member><member>
Sendmail FTP Site: <link linkend="prtinxfp19">204.152.184.34</link>
</member><member>
You must be sure to download: sendmail.8.10.1.tar.gz
</member>
</simplelist>
</para>
<para>
Before you decompress the tarballs, it is a good idea to make a list of files on the system before you install Sendmail, and one afterwards, and then compare them using diff to find out what file it placed
where. Simply run <command>find</command> <userinput>/* &gt; Sendmail1</userinput> before and <command>find</command> <userinput>/* &gt; Sendmail2</userinput> after you install the software, and
use <command>diff</command> <userinput>Sendmail1 Sendmail2 &gt; Sendmail-Installed</userinput> to get a list of what changed.
</para>
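<para>
The following script, added here as a worked example and not taken from the book, does the same before-and-after comparison in a form that records the mode, owner and group of every path as well as its name, so that a changed permission or a new setuid binary shows up in the diff and not only a new file name. It assumes a POSIX shell with find, ls, awk, sort and comm; the snapshot file names are arbitrary.
</para>
<programlisting><![CDATA[
```shell
#!/bin/sh
# Added example, not from the book: a richer version of the
# "find /* > Sendmail1 ... diff" check.  Each snapshot line records
# mode, owner, group and path, so the diff also shows entries whose
# permissions or ownership changed, and any setuid/setgid binary the
# install added (Sendmail itself is installed setuid root) stands out.
# Assumes a POSIX shell with find, ls, awk, sort and comm.  The path is
# taken from the last ls -ld field, so names containing spaces are not
# handled; that does not matter for the system directories an installer
# writes to.

# snapshot_tree DIR OUTFILE: write one sorted "mode owner group path"
# line per entry below DIR (symlinks are recorded, not followed).
snapshot_tree() {
    find "$1" -exec ls -ld {} + 2>/dev/null |
    awk '{ name = $NF; if ($(NF-1) == "->") name = $(NF-2);   # symlink: keep the link name, not its target
           print $1, $3, $4, name }' |
    sort -o "$2"
}

# report_changes BEFORE AFTER: lines present only in AFTER, i.e. entries
# that were added, or whose mode/owner/group changed, during the install.
report_changes() {
    comm -13 "$1" "$2"
}

# new_privileged BEFORE AFTER: among the changes, the paths that are now
# setuid (4th character of the mode) or setgid (7th character).
new_privileged() {
    report_changes "$1" "$2" |
    awk 'substr($1, 4, 1) ~ /[sS]/ || substr($1, 7, 1) ~ /[sS]/ { print $NF }'
}

# Typical use around an install (file names are arbitrary):
#   snapshot_tree / /root/Sendmail1
#   ... sh Build install ...
#   snapshot_tree / /root/Sendmail2
#   report_changes /root/Sendmail1 /root/Sendmail2 > /root/Sendmail-Installed
#   new_privileged /root/Sendmail1 /root/Sendmail2
```
]]></programlisting>
<para>
Run <command>snapshot_tree</command> against <filename class="directory">/</filename> before and after <command>sh Build install</command>; the list printed by <command>new_privileged</command> should contain nothing you did not expect, which for this chapter means the sendmail binary and nothing else.
</para>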
<para>
You need to compile, so decompress the tarball (tar.gz) which you have downloaded:
<screen>
[root@deep] /# <command>cp</command> sendmail.version.tar.gz /var/tmp
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf sendmail.version.tar.gz
</screen>
</para>
<para>
Before you compile, it is always better to configure the source to your needs. Move into the new Sendmail directory, edit the <filename>smrsh.c</filename> file (<command>vi</command> +77 <filename>smrsh/smrsh.c</filename>) and change the line:
<programlisting>
# define CMDDIR "/usr/adm/sm.bin"
</programlisting>
To read:
<programlisting>
# define CMDDIR "/etc/smrsh"
</programlisting>
This modification sets the directory in which the smrsh program looks for the commands it is asked to run. smrsh refuses to execute anything that is not found in that directory, so this lets us restrict where those programs may reside.
</para>
</section>
<section><?dbhtml filename="chap22sec174.html"?>
<title>Compile and optimize</title>
<para>
By default the Build script of Sendmail uses a site configuration file that corresponds to your operating system type to obtain the definitions for system installation and the various compilation values. This
file is located in the subdirectory named <filename class="directory">devtools/OS</filename>, and on a Linux system it is named <literal>Linux</literal>. We'll rebuild this site configuration file
to suit our Linux installation and keep it in the default <filename class="directory">devtools/OS</filename> sub-directory of the Sendmail source distribution, since the Build script looks for the
site configuration file in that directory when Sendmail is compiled.
</para>
<para>
Move into the new Sendmail directory, edit the Linux file, <command>vi</command> <filename>devtools/OS/Linux</filename>, and remove all predefined lines then add the following lines inside the file:
<programlisting>
define(`confENVDEF', `-DPICKY_QF_NAME_CHECK -DXDEBUG=0')
define(`confCC', `egcs')
define(`confOPTIMIZE', `-O9 -funroll-loops -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions')
define(`confLIBS', `-lnsl')
define(`confLDOPTS', `-s')
define(`confMANROOT', `/usr/man/man')
define(`confMANOWN', `root')
define(`confMANGRP', `root')
define(`confMANMODE', `644')
define(`confMAN1SRC', `1')
define(`confMAN5SRC', `5')
define(`confMAN8SRC', `8')
define(`confDEPEND_TYPE', `CC-M')
define(`confNO_HELPFILE_INSTALL')
define(`confSBINGRP', `root')
define(`confSBINMODE', `6755')
define(`confUBINOWN', `root')
define(`confUBINGRP', `root')
define(`confEBINDIR', `/usr/sbin')
</programlisting>
</para>
<para>
This tells the Linux file to set itself up for this particular configuration with:
<glosslist><glossentry>
<glossterm>define(`confENVDEF', `-DPICKY_QF_NAME_CHECK -DXDEBUG=0')</glossterm>
<glossdef><para>
This macro option is used primarily to specify code that should be specially included or excluded. With <envar>-DPICKY_QF_NAME_CHECK</envar> defined, Sendmail logs an error if the name of a <filename>qf</filename> queue control file
is incorrectly formed and renames the <filename>qf</filename> file to a <filename>Qf</filename> file, which the queue runner ignores. The <literal>-DXDEBUG=0</literal> argument disables the additional internal consistency checks that Sendmail otherwise performs while it runs.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confCC', `egcs')</glossterm>
<glossdef><para>
This macro option defines the C compiler to use for compilation of Sendmail. In our case we use the egcs C compiler for better optimization.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confOPTIMIZE', `-O9 -funroll-loops -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions')</glossterm>
<glossdef><para>
This macro option defines the flags passed to CC for optimization related to our specific CPU architecture.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confLIBS', `-lnsl')</glossterm>
<glossdef><para>
This macro option defines the -l flags passed to ld.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confLDOPTS', `-s')</glossterm>
<glossdef><para>
This macro option defines the linker options passed to ld.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confMANROOT', `/usr/man/man')</glossterm>
<glossdef><para>
This macro option defines the location to install the Sendmail man pages.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confMANOWN', `root')</glossterm>
<glossdef><para>
This macro option defines the owner for all Sendmail installed man pages.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confMANGRP', `root')</glossterm>
<glossdef><para>
This macro option defines the group for all Sendmail installed man pages.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confMANMODE', `644')</glossterm>
<glossdef><para>
This macro option defines the mode for all Sendmail installed man pages.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confMAN1SRC', `1')</glossterm>
<glossdef><para>
This macro option defines the source for man pages installed in confMAN1.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confMAN5SRC', `5')</glossterm>
<glossdef><para>
This macro option defines the source for man pages installed in confMAN5.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confMAN8SRC', `8')</glossterm>
<glossdef><para>
This macro option defines the source for man pages installed in confMAN8.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confDEPEND_TYPE', `CC-M')</glossterm>
<glossdef><para>
This macro option specifies how to build dependencies with Sendmail.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confNO_HELPFILE_INSTALL')</glossterm>
<glossdef><para>
This macro option tells the Build script not to install the Sendmail help file. Some experienced administrators recommend omitting it for better security: the help file is what Sendmail returns to anyone who sends the <literal>HELP</literal> command on the <acronym>SMTP</acronym> port, so without it remote users learn less about the server.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confSBINGRP', `root')</glossterm>
<glossdef><para>
This macro option defines the group for all Sendmail setuid binaries.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confSBINMODE', `6755')</glossterm>
<glossdef><para>
This macro option defines the mode for all Sendmail setuid binaries. Mode <literal>6755</literal> installs them setuid and setgid root. Sendmail 8.10 relies on this so that unprivileged users can submit mail to the queue; the <literal>confDEF_USER_ID</literal> setting in the <filename>sendmail.mc</filename> file is the identity it drops to when root is not needed.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confUBINOWN', `root')</glossterm>
<glossdef><para>
This macro option defines the owner for Sendmail binaries.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confUBINGRP', `root')</glossterm>
<glossdef><para>
This macro option defines the group for Sendmail binaries.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`confEBINDIR', `/usr/sbin')</glossterm>
<glossdef><para>
This macro option defines where to install binaries executed from other binaries. On Red Hat Linux the path must be set to the <filename>/usr/sbin</filename> directory.
</para></glossdef>
</glossentry>
</glosslist>
</para>
<para>
Now we must compile and install Sendmail on the server:
<screen>
[root@deep ]/sendmail-8.10.1# <command>cd</command> sendmail
[root@deep ]/sendmail# <command>sh Build</command>
[root@deep ]/sendmail# <command>sh Build install</command>
[root@deep ]/sendmail# <command>cd</command> ..
[root@deep ]/sendmail-8.10.1# <command>cd</command> mailstats
[root@deep ]/mailstats# <command>sh Build install</command>
[root@deep ]/mailstats# <command>cd</command> ..
[root@deep ]/sendmail-8.10.1# <command>cd</command> smrsh
[root@deep ]/smrsh# <command>sh Build install</command>
[root@deep ]/smrsh# <command>cd</command> ..
[root@deep ]/sendmail-8.10.1# <command>cd</command> makemap <co id="sndmmp"/>
[root@deep ]/makemap# <command>sh Build install</command> <co id="sndmmpbi"/>
[root@deep ]/makemap# <command>cd</command> ..
[root@deep ]/sendmail-8.10.1# <command>cd</command> praliases <co id="sndpral"/>
[root@deep ]/praliases# <command>sh Build install</command> <co id="sndpralbi"/>
[root@deep ]/praliases# <command>cd</command> ..
[root@deep ]/sendmail-8.10.1# <command>ln</command> -fs /usr/sbin/sendmail /usr/lib/sendmail
[root@deep ]/sendmail-8.10.1# <command>chmod</command> 511 /usr/sbin/smrsh
[root@deep ]/sendmail-8.10.1# <command>install</command> -d -m 755 /var/spool/mqueue
[root@deep ]/sendmail-8.10.1# <command>chown</command> root.mail /var/spool/mqueue
[root@deep ]/sendmail-8.10.1# <command>mkdir</command> /etc/smrsh
</screen>
<calloutlist>
<callout arearefs="sndmmp"><para>
Required only for Mail Hub configuration
</para></callout>
<callout arearefs="sndmmpbi"><para>
Required only for Mail Hub configuration
</para></callout>
<callout arearefs="sndpral"><para>
Required only for Mail Hub configuration
</para></callout>
<callout arearefs="sndpralbi"><para>
Required only for Mail Hub configuration
</para></callout>
</calloutlist>
</para>
<para>
<itemizedlist>
<listitem><para>
The <command>sh Build</command> command builds the necessary dependencies and the different binary files required by Sendmail before installation on your system.
</para></listitem><listitem><para>
The <command>sh Build install</command> command installs the sendmail, mailstats, makemap, praliases and smrsh binaries, as well as the corresponding man pages, on your system.
</para></listitem><listitem><para>
The <command>ln</command> -fs command makes a symbolic link to the sendmail binary in the <filename class="directory">/usr/lib</filename> directory. This is required, since
some programs expect to find the sendmail binary in <filename class="directory">/usr/lib</filename>.
</para></listitem><listitem><para>
The <command>chmod</command> command sets mode 511 on <filename>/usr/sbin/smrsh</filename>, so that it is executable by everyone but readable only by root.
</para></listitem><listitem><para>
The <command>install</command> command creates the directory <filename class="directory">mqueue</filename> with permission 755 under <filename class="directory">/var/spool</filename>. A mail message
can be temporarily undeliverable for a wide variety of reasons. To ensure that such messages are eventually delivered, Sendmail stores them in its queue directory until they can be delivered successfully.
</para></listitem><listitem><para>
The <command>chown</command> command sets <acronym>UID</acronym> root and <acronym>GID</acronym> mail on the <filename class="directory">mqueue</filename> directory.
</para></listitem><listitem><para>
The <command>mkdir</command> command creates the <filename class="directory">/etc/smrsh</filename> directory on your system. This directory is where we'll put, or symlink, every program mailer that we allow Sendmail
to run; smrsh will execute nothing that is not found there.
</para></listitem>
</itemizedlist>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
The programs <command>makemap</command> and <command>praliases</command> need only be installed on the Central Mail Hub Server. makemap creates the database maps that Sendmail reads, such as the <filename>/etc/mail/aliases.db</filename>
or <filename>/etc/mail/access.db</filename> files; praliases displays the system mail aliases, that is the content of the <filename>/etc/mail/aliases</filename> file. Since it is better to have a single
place, our Central Mail Hub, handle and manage all the <filename>db</filename> files in our network, there is no need to install makemap and praliases or to build <filename>db</filename> files
on the other hosts in the network.
</para></note>
</section>
<section><?dbhtml filename="chap22sec175.html"?>
<title>Configurations</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. This can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack this to any location on your local machine, say for example <filename class="directory">/tmp</filename>; if you do, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each piece of software has its own directory of configuration files.
For example the <wordasword>Sendmail</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 32
-rw-r--r-- 1 harrypotter harrypotter 684 Jun 8 13:00 Linux
-rw-r--r-- 1 harrypotter harrypotter 3648 Jun 8 13:00 access
-rw-r--r-- 1 harrypotter harrypotter 547 Jun 8 13:00 aliases
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 init.d/
-rw-r--r-- 1 harrypotter harrypotter 137 Jun 8 13:00 local-host-names
-rw-r--r-- 1 harrypotter harrypotter 109 Jun 8 13:00 null.mc
-rw-r--r-- 1 harrypotter harrypotter 685 Jun 8 13:00 sendmail.mc
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 sysconfig/
</computeroutput></literallayout>
You can either copy these directly if you are faithfully following our instructions from the beginning, or edit them manually to suit your needs. This facility is provided as a convenience, but please don't forget that ultimately it is your
responsibility to check and verify them before you use them, whether modified or as they are.
</para>
</note>
<para>
To run a Central Mail Hub Server, the following files are required and must be created or copied to the appropriate directories on your server.
<itemizedlist>
<listitem><para>
Copy the sendmail file to the <filename class="directory">/etc/sysconfig</filename> directory.
</para></listitem><listitem><para>
Copy the sendmail script file to the <filename class="directory">/etc/rc.d/init.d/</filename> directory.
</para></listitem><listitem><para>
Copy the local-host-names file to the <filename class="directory">/etc/mail</filename> directory.
</para></listitem><listitem><para>
Copy the access file to the <filename class="directory">/etc/mail</filename> directory.
</para></listitem><listitem><para>
Copy the aliases file to the <filename class="directory">/etc/mail</filename> directory.
</para></listitem>
</itemizedlist>
Create the <filename>virtusertable</filename>, <filename>domaintable</filename> and <filename>mailertable</filename> files, and their <filename>.db</filename> maps, in the <filename class="directory">/etc/mail</filename> directory.
</para>
<para>
To run a Local or Neighbor Client or Server, the following files are required and must be created or copied to the appropriate directories on your server.
<itemizedlist>
<listitem><para>
Copy the sendmail file to the <filename class="directory">/etc/sysconfig</filename> directory.
</para></listitem><listitem><para>
Copy the sendmail script file to the <filename class="directory">/etc/rc.d/init.d/</filename> directory.
</para></listitem><listitem><para>
Copy the local-host-names file to the <filename class="directory">/etc/mail</filename> directory.
</para></listitem>
</itemizedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed below on our <filename>floppy.tgz</filename> archive. Copy the following files from the decompressed <filename>floppy.tgz</filename> archive to the appropriate places or copy and paste them directly from this book to the concerned file.
</para></tip>
</section>
<section><?dbhtml filename="chap22sec176.html"?>
<title>The <filename>/etc/sendmail.mc</filename> file /Central Mail Hub</title>
<para>
Instead of having each individual server or workstation in a network handle its own mail, it can be advantageous to have one powerful central server that handles
all mail. Such a server is called a Mail Hub, and the <filename>/etc/sendmail.mc</filename> file described here is the one for the Central Mail Hub. The advantages of a Central Mail Hub are:
<orderedlist numeration="lowerroman">
<listitem><para>
All incoming mail is sent to the hub, and no mail is sent directly to a client machine.
</para></listitem><listitem><para>
All outgoing mail from clients is sent to the Hub, and the Hub then forwards that mail to its ultimate destination.
</para></listitem><listitem><para>
All outgoing mail appears to come from a single server and no client's name needs to be known to the outside world.
</para></listitem><listitem><para>
No client needs to run a sendmail daemon to listen for mail.
</para></listitem>
</orderedlist>
</para>
<para>
The sendmail.cf is the first file read by Sendmail when it runs and one of the most important for Sendmail. Among the many items contained in that file are the locations of all the other files, and the default permissions for those files and
directories, that Sendmail needs. The m4 macro preprocessor program of Linux is used by Sendmail V8 to produce the Sendmail configuration file. This macro program produces the <filename>/etc/mail/sendmail.cf</filename> configuration file
by processing a file whose name ends in <filename>.mc</filename>.
</para>
<para>
For this reason, we'll create the file <filename>sendmail.mc</filename> and put the necessary macro values in it. The m4 program <emphasis>reads</emphasis> its
input, gathers the definitions of the macros, replaces those macros with their values and outputs the result, which is our <filename>sendmail.cf</filename> file. Please refer to the Sendmail documentation and the README file under the
<filename class="directory">cf</filename> subdirectory of the V8 Sendmail source distribution for more information.
</para>
<para>
Create the sendmail.mc file, <command>touch</command> <filename>/var/tmp/sendmail-version/cf/cf/sendmail.mc</filename> and add the following lines:
<programlisting>
define(`confDEF_USER_ID',``8:12'')dnl
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`LOCAL_MAILER_FLAGS', `ShPfn')dnl
define(`LOCAL_MAILER_ARGS', `procmail -a $h -d $u')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl
FEATURE(`redirect')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`local_procmail')dnl
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
MAILER(`procmail')dnl
</programlisting>
</para>
<para>
The <filename>sendmail.mc</filename> file sets up this particular configuration with:
<glosslist id="pr6ch22sc3gls"><glossentry>
<glossterm>define(`confDEF_USER_ID',``8:12'')dnl</glossterm>
<glossdef><para>
This configuration option specifies the default user and group ID Sendmail runs as when it has no other identity to use. In our case these are <literal>user mail</literal> and <literal>group mail</literal>, which correspond to the ID numbers <literal>8:12</literal> <emphasis>(see
the <filename>/etc/passwd</filename> and <filename>/etc/group</filename> files)</emphasis>. This should never be root's ID: the point of the setting is that unprivileged work is done as something other than root.
</para></glossdef>
</glossentry><glossentry>
<glossterm>OSTYPE(`linux')dnl</glossterm>
<glossdef><para>
This configuration option specifies the operating system Sendmail will be running on; in our case the <literal>linux</literal> system. This item is one of the minimal pieces of information required by the <filename>mc</filename> file.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>DOMAIN(`generic')dnl</glossterm>
<glossdef><para>
This configuration option selects the domain-level definitions appropriate for your environment; <literal>generic</literal> is the stock domain file shipped with Sendmail and suits most sites.
</para></glossdef>
</glossentry><glossentry>
<glossterm>define(`confTRY_NULL_MX_LIST',true)dnl</glossterm>
<glossdef><para>
This configuration option, when set to true, tells Sendmail that if the receiving server is itself the best <literal>MX</literal> for a destination host, it should try connecting to that host directly instead of treating the situation as a configuration error.
</para></glossdef>
</glossentry><glossentry>
<glossterm>define(`confDONT_PROBE_INTERFACES',true)dnl</glossterm>
<glossdef><para>
This configuration option, if set to true, means Sendmail will not probe the local network interfaces and insert their names and addresses into the <envar>$=w</envar> class, <emphasis>the list of known equivalent addresses</emphasis>; the names this host treats as local then come from its hostname and the <filename>/etc/mail/local-host-names</filename> file only.
</para></glossdef>
</glossentry><glossentry>
<glossterm>define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl</glossterm>
<glossdef><para>
This configuration option sets the path to the procmail program installed on your server. Since the path used by Red Hat Linux differs from the default compiled into Sendmail, we must specify the new path with this macro. It's important
to note that this macro is also used by <envar>FEATURE(`local_procmail')</envar>, defined later in this file.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>define(`LOCAL_MAILER_FLAGS', `ShPfn')dnl</glossterm>
<glossdef><para>
This configuration option defines the flags that must be used by the local mailer (procmail). See your Sendmail documentation for more information on each one.
</para></glossdef>
</glossentry><glossentry>
<glossterm>define(`LOCAL_MAILER_ARGS', `procmail -a $h -d $u')dnl</glossterm>
<glossdef><para>
This configuration option defines the arguments that must be passed to the local mailer (procmail). See your Sendmail documentation for more information on each one.
</para></glossdef>
</glossentry><glossentry>
<glossterm>FEATURE(`smrsh',`/usr/sbin/smrsh')dnl</glossterm>
<glossdef><para>
This m4 macro enables the use of <command>smrsh</command>, <emphasis>the sendmail restricted shell</emphasis>, in place of the default <filename>/bin/sh</filename> as the shell that runs programs mail is piped to. With this feature
you control which programs can be run via e-mail through the <filename>/etc/mail/aliases</filename> and <filename>~/.forward</filename> files: <command>smrsh</command> only runs programs found in its own command directory and rejects command lines that try to smuggle in shell syntax. The default location for the <command>smrsh</command> program is <filename>/usr/libexec/smrsh</filename>.
Since we have installed <command>smrsh</command> in another location, we add an argument to the smrsh feature to indicate the new placement <filename>/usr/sbin/smrsh</filename>. The use of <command>smrsh</command> is recommended
by <acronym>CERT</acronym>, so you are encouraged to use this feature wherever possible.
</para></glossdef>
</glossentry><glossentry>
<glossterm>FEATURE(`mailertable')dnl</glossterm>
<glossdef><para>
This m4 macro enables the use of <literal>mailertable</literal>, <emphasis>a database that selects new delivery agents</emphasis>. A mailertable is a database that maps <literal>host.domain</literal> names to pairs of a delivery agent and a new
domain name. With this feature, mail can be delivered through a specified delivery agent to a new domain name. This feature is normally needed only on a Central Mail Hub server.
</para></glossdef>
</glossentry><glossentry>
<glossterm>FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable')dnl</glossterm>
<glossdef><para>
This m4 macro enables the use of <literal>virtusertable</literal>, <emphasis>support for virtual domains</emphasis>, which allow multiple virtual domains to be hosted on one machine. A virtusertable is a database that maps virtual domains into new
addresses. With this feature, mail for virtual domains can be delivered to a local, remote, or single user address. This feature is normally needed only on a Central Mail Hub server.
</para></glossdef>
</glossentry><glossentry>
<glossterm>FEATURE(`redirect')dnl</glossterm>
<glossdef><para>
This m4 macro enables the use of <literal>redirect</literal>, <emphasis>support for</emphasis> <literal>address.REDIRECT</literal>. With this feature, mail addressed to a retired user account, <literal>wahib</literal> for example, is bounced with an indication of the new forwarding address. The retired
accounts must be set up in the aliases file on the mail server, with the new address suffixed by <literal>.REDIRECT</literal> (for instance <literal>wahib: wahib@newsite.example.REDIRECT</literal>). This feature is normally needed only on a Central Mail Hub server.
</para></glossdef>
</glossentry><glossentry>
<glossterm>FEATURE(`always_add_domain')dnl</glossterm>
<glossdef><para>
This m4 macro enables the use of <envar>always_add_domain</envar>, <emphasis>add the local domain even on local mail</emphasis>. With this feature, all addresses that are locally delivered are fully qualified. It is safe to enable and is recommended.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>FEATURE(`use_cw_file')dnl</glossterm>
<glossdef><para>
This m4 macro enables the use of <envar>use_cw_file</envar>, which reads the <filename>/etc/mail/local-host-names</filename> file for local hostnames. With this feature you can declare a list of hosts in the <filename>/etc/mail/local-host-names</filename> file for
which the local host is acting as the <literal>MX</literal> recipient. In other words, this feature causes the file <filename>/etc/mail/local-host-names</filename> to be read to obtain alternative names for the local host.
</para></glossdef>
</glossentry><glossentry>
<glossterm>FEATURE(`local_procmail')dnl</glossterm>
<glossdef><para>
This m4 macro enables the use of <envar>local_procmail</envar> <emphasis>use procmail as local delivery agent</emphasis>. With this feature you can use procmail as a Sendmail delivery agent.
</para></glossdef>
</glossentry><glossentry>
<glossterm>FEATURE(`access_db')dnl</glossterm>
<glossdef><para>
This m4 macro enables the access database feature. With this feature you can, through the access db, accept, reject or allow relaying for mail from specified hosts, domains and addresses. This feature is normally needed
only on a Central Mail Hub server.
</para></glossdef>
</glossentry><glossentry>
<glossterm>FEATURE(`blacklist_recipients')dnl</glossterm>
<glossdef><para>
This m4 macro enables the ability to block incoming mail for certain recipient usernames, hostnames, or addresses. With this feature you can, for example, block incoming mail
to <literal>user nobody</literal>, <literal>host foo.mydomain.com</literal>, or <literal>guest@bar.mydomain.com.</literal>
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>FEATURE(`dnsbl')dnl</glossterm>
<glossdef><para>
This m4 macro makes Sendmail reject mail from any site listed in the Realtime Blackhole List, a <acronym>DNS</acronym>-based database of spam sources; the zone queried by default in this Sendmail version is <literal>rbl.maps.vix.com</literal>, and another list can be chosen by passing its zone name as the feature's argument. Each lookup is a <acronym>DNS</acronym> query made
while the sender is connected, so the list's availability affects mail acceptance. For details, see <link linkend="prtinxfp19">http://maps.vix.com/rbl/</link>.
</para></glossdef>
</glossentry><glossentry>
<glossterm>MAILER(`local'), MAILER(`smtp'), and MAILER(`procmail')dnl</glossterm>
<glossdef><para>
These m4 macros declare local, smtp, and procmail as delivery agents; <emphasis>Sendmail does not declare delivery agents automatically</emphasis>, so you specify which ones you want to support
and which ones to leave out. MAILER(`local') brings in the local and prog agents, MAILER(`smtp') the smtp, esmtp, smtp8 and relay agents, and MAILER(`procmail') the procmail agent. It's important to note that MAILER(`smtp') must
always precede MAILER(`procmail').
</para></glossdef>
</glossentry>
</glosslist>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Sometimes a domain you wish to keep exchanging mail with ends up on the <acronym>RBL</acronym>. Sendmail lets you override the lookup for such a domain so that its e-mail is still received: simply
edit the <filename>/etc/mail/access</filename> file, add an entry giving that domain the value <literal>OK</literal>, and rebuild <filename>access.db</filename> with <command>makemap</command>.
</para></note>
<example>
<title>Overriding <acronym>RBL</acronym></title>
<para>
<programlisting>
blacklisted.domain OK
</programlisting>
</para></example>
</section>
<section><?dbhtml filename="chap22sec177.html"?>
<title>Build and Tweak Sendmail</title>
<para>
Now that our macro configuration file <filename>sendmail.mc</filename> is created, we can build the sendmail configuration file <filename>sendmail.cf</filename> from these statements with the following commands:
<screen>
[root@deep] /# <command>cd</command> /var/tmp/sendmail-version/cf/cf/
[root@deep ]/cf# <command>m4</command> ../m4/cf.m4 sendmail.mc &gt; /etc/mail/sendmail.cf
</screen>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Here, <filename>../m4/cf.m4</filename> tells the m4 program where to find Sendmail's default configuration macros.
</para></note>
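<para>
Before handing <filename>sendmail.mc</filename> to m4, it is worth checking that the hardening points discussed above actually made it into the file. The shell script below is an added example, not part of the book or of the Sendmail distribution: it checks only the features and rules this section describes (smrsh installed under <filename>/usr/sbin/smrsh</filename>, the <literal>8:12</literal> default identity, the <envar>access_db</envar>, <envar>blacklist_recipients</envar> and <envar>dnsbl</envar> features, and the ordering of the smtp and procmail mailers). The two <filename>.mc</filename> files it writes are constructed for the demonstration, the second one deliberately weakened.
</para>

```shell
#!/bin/sh
# mc_lint: check a sendmail.mc for the hardening points discussed above before
# feeding it to m4. Added example, not part of the book or the Sendmail sources.
# It checks only what the text states:
#   - FEATURE(`smrsh'), FEATURE(`access_db'), FEATURE(`blacklist_recipients')
#     and FEATURE(`dnsbl') are present
#   - smrsh is given the path this setup installs it under, /usr/sbin/smrsh
#   - confDEF_USER_ID is set and does not use root's uid or gid
#   - MAILER(`smtp') comes before MAILER(`procmail'), as cf/README requires
# Prints one line per finding and returns 0 only when nothing was found.
mc_lint() {
    mc="$1"
    rc=0
    for feat in smrsh access_db blacklist_recipients dnsbl; do
        if ! grep -q "^FEATURE(\`$feat'" "$mc"; then
            echo "$mc: FEATURE(\`$feat') is missing"
            rc=1
        fi
    done
    if grep -q "^FEATURE(\`smrsh'" "$mc" &&
       ! grep -q "^FEATURE(\`smrsh',\`/usr/sbin/smrsh')" "$mc"; then
        echo "$mc: smrsh feature does not point at /usr/sbin/smrsh"
        rc=1
    fi
    # the value looks like ``8:12'' (two m4 quote characters on each side)
    ids=$(sed -n "s/^define(\`confDEF_USER_ID',\`*\([0-9]*:[0-9]*\)'.*/\1/p" "$mc")
    case "$ids" in
        "")      echo "$mc: confDEF_USER_ID is not set"; rc=1 ;;
        0:*|*:0) echo "$mc: confDEF_USER_ID $ids uses root's uid or gid"; rc=1 ;;
    esac
    smtp=$(grep -n "^MAILER(\`smtp')" "$mc" | cut -d: -f1 | head -n 1)
    proc=$(grep -n "^MAILER(\`procmail')" "$mc" | cut -d: -f1 | head -n 1)
    if [ -n "$proc" ] && { [ -z "$smtp" ] || [ "$proc" -lt "$smtp" ]; }; then
        echo "$mc: MAILER(\`procmail') must come after MAILER(\`smtp')"
        rc=1
    fi
    return $rc
}

# Constructed samples (not from the book): the hub configuration above, and a
# weakened copy with smrsh and blacklist_recipients dropped, a root default
# identity and the two mailers in the wrong order.
write_mc_samples() {
    cat > "$1/good.mc" <<'EOF'
define(`confDEF_USER_ID',``8:12'')dnl
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`local_procmail')dnl
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
MAILER(`procmail')dnl
EOF
    cat > "$1/bad.mc" <<'EOF'
define(`confDEF_USER_ID',``0:0'')dnl
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl
FEATURE(`access_db')dnl
FEATURE(`dnsbl')dnl
MAILER(`local')dnl
MAILER(`procmail')dnl
MAILER(`smtp')dnl
EOF
}

# Stand-alone run: lint both samples and clean up.
sample_dir=$(mktemp -d)
write_mc_samples "$sample_dir"
mc_lint "$sample_dir/good.mc" && echo "good.mc: no findings"
mc_lint "$sample_dir/bad.mc" || echo "bad.mc: would not pass review"
rm -rf "$sample_dir"
```

<para>
Run it as <command>mc_lint</command> <filename>/var/tmp/sendmail-version/cf/cf/sendmail.mc</filename> before the m4 step; a non-zero exit means at least one finding was printed. It is a text check only: it does not prove the resulting <filename>sendmail.cf</filename> is correct, it only catches the omissions that silently weaken the hub.
</para>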
<section>
<title>The <filename>null.mc</filename> file</title>
<para>
Since our local client machines never receive mail directly from the outside world and relay, <emphasis>send</emphasis>, all their mail through the Mail Hub server, we will create a special file
called <filename>null.mc</filename> which, when processed later, creates a customized <filename>sendmail.cf</filename> configuration file suited to this setup for our neighbour
or local server and client machines. This m4 macro file is simple to create and configure because it needs far fewer features than the <filename>sendmail.mc</filename> configuration file for
the Central Mail Hub server did.</para>
<caution>
<title>
<inlinemediaobject><imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The <filename>null.mc</filename> file is for the local or neighbour client and server machines only.
</para></caution>
<procedure>
<step><para>
Create the <filename>null.mc</filename> file, <command>touch</command> <filename>/var/tmp/sendmail-version/cf/cf/null.mc</filename> and add the following lines:
<programlisting>
OSTYPE(`linux')dnl <co id="ostln"/>
DOMAIN(`generic')dnl <co id="dmgen"/>
FEATURE(`nullclient',`mail.openna.com')dnl <co id="fnlclt"/>
undefine(`ALIAS_FILE')dnl <co id="undalf"/>
</programlisting>
<calloutlist>
<callout arearefs="ostln">
<para>
This configuration option specifies the default operating system Sendmail will be running on, in our case, the <literal>linux</literal> system. This item is one of the minimal pieces of information
required by the <filename>mc</filename> file.
</para>
</callout>
<callout arearefs="dmgen">
<para>
This configuration option will specify and describe a particular domain appropriated for your environment.
</para>
</callout>
<callout arearefs="fnlclt">
<para>
This m4 macro sets your client machines never to receive mail directly, but to send all their mail to a Central Mail Hub and relay everything through that server rather than delivering directly. This feature creates a
stripped down configuration file containing nothing but support for forwarding all mail to a Mail Hub over a local SMTP-based network. The argument <envar>`mail.openna.com'</envar> given to this feature is the canonical
name of that Mail Hub. You should, of course, change this canonical name to reflect your own Mail Hub server, for example: <envar>FEATURE(`nullclient',`my.mailhub.com')</envar>.
</para>
</callout>
<callout arearefs="undalf">
<para>
This configuration option prevents the nullclient version of Sendmail from trying to access <filename>/etc/mail/aliases</filename> and <filename>/etc/mail/aliases.db</filename> files. With the adding of this
line in the <filename>.mc</filename> file, you don't need to have an <filename>aliases</filename> file on all your internal neighbor client Sendmail machines. Aliases files are required only on the Mail Hub Server
for all server and client aliases on the network.</para>
</callout>
</calloutlist>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
With this kind of configuration no mailers should be defined, and no aliasing or forwarding is done.
</para></tip>
</para></step>
<step><para>
Now that our macro configuration file <filename>null.mc</filename> is created, we can build the Sendmail configuration file <filename>sendmail.cf</filename> from these statements in all our neighbor servers, and client
machines with the following commands:
<screen>
[root@deep] /# <command>cd</command> /var/tmp/sendmail-version/cf/cf/
[root@deep ]/cf# <command>m4</command> ../m4/cf.m4 null.mc &gt; /etc/mail/sendmail.cf
</screen>
</para></step>
<step><para>
No mail should ever again be delivered to your local machine. Since there will be no incoming mail connections, you no longer need to run a Sendmail daemon on your neighbor or local server and client machines.
To stop the Sendmail daemon from listening on these machines, edit or create the <filename>/etc/sysconfig/sendmail</filename> file and change the line <envar>DAEMON=yes</envar> so that the file reads:
<programlisting>
DAEMON=no
QUEUE=1h
</programlisting>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
The <envar>QUEUE=1h</envar> under <filename>/etc/sysconfig/sendmail</filename> file causes Sendmail to process the queue once every 1 hour. We leave that line in place because Sendmail still needs to process
the queue periodically in case the Mail Hub is down.
</para></note>
</para></step>
<step><para>
Remove the following files from your system with the following commands:
<screen>
[root@client /]# <command>rm</command> -f /usr/bin/newaliases
[root@client /]# <command>rm</command> -f /usr/man/man1/newaliases.1
[root@client /]# <command>rm</command> -f /usr/man/man5/aliases.5
</screen>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Local machines never use the aliases, access, or other map databases. Since all map file databases are located and used on the Central Mail Hub Server for all the local machines we may have on the network, we can safely remove the following commands and man pages from all our local machines.
<itemizedlist>
<listitem><para>
/usr/bin/newaliases
</para></listitem><listitem><para>
/usr/man/man1/newaliases.1
</para></listitem><listitem><para>
/usr/man/man5/aliases.5
</para></listitem>
</itemizedlist>
</para></note>
</para></step>
<step><para>
Remove the unnecessary Procmail program from all your local Sendmail servers and clients. Since local machines send all internal and outgoing mail to the Mail Hub server for delivery, and a null client never delivers mail locally, there is no need for a local delivery agent like Procmail on them.
To remove Procmail from your system, use the following command:
<screen>
[root@client ]# <command>rpm</command> -e procmail
</screen>
</para></step>
</procedure>
</section>
</section>
<section><?dbhtml filename="chap22sec178.html"?>
<title>The <filename>/etc/mail/access</filename> and <filename>access.db</filename> files </title>
<para>
The <filename>access</filename> database file can be created to accept or reject mail from selected domains. For example, you may choose to reject all mail originating from known spammers, or to accept to
relay all mail from your local network, since relaying is now denied by default in Sendmail -<emphasis>this is an anti-spam feature</emphasis>. In the <filename>access</filename> file example below, we
allow relaying from localhost and from all local network addresses beginning with the <acronym>IP</acronym> address <literal>192.168.1</literal>.
</para>
<para>
The files <filename>access</filename> and <filename>access.db</filename> are not required for Local or Neighbor Client setups. It is required only if you decide to set up a Central Mail Hub to handle all your mail. Also note
that the use of a Central Mail Hub will improve the security and the management of other servers and clients on your network that run Sendmail.
</para>
<procedure>
<step><para>
Create the access file <command>touch</command> <filename>/etc/mail/access</filename> and add the following lines:
<programlisting>
# The description of this file's format shown below comes from the
# "cf/README" file of the Sendmail source distribution.
#
# The table itself uses e-mail addresses, domain names, and network
# numbers as keys. For example,
#
# spammer@aol.com REJECT
# cyberspammer.com REJECT
# 192.168.212 REJECT
#
# would refuse mail from spammer@aol.com, any user from cyberspammer.com
# (or any host within the cyberspammer.com domain), and any host on the
# 192.168.212.* network.
#
# The value part of the map can contain:
#
# OK Accept mail even if other rules in the
# running ruleset would reject it, for example,
# if the domain name is unresolvable.
# RELAY Accept mail addressed to the indicated domain or
# received from the indicated domain for relaying
# through your SMTP server. RELAY also serves as
# an implicit OK for the other checks.
# REJECT Reject the sender or recipient with a general
# purpose message.
# DISCARD Discard the message completely using the
# $#discard mailer. This only works for sender
# addresses (i.e., it indicates that you should
# discard anything received from the indicated
# domain).
# ### any text where ### is an RFC 821 compliant error code
# and "any text" is a message to return for
# the command.
#
# For example:
#
# cyberspammer.com 550 We don't accept mail from spammers
# okay.cyberspammer.com OK
# sendmail.org OK
# 128.32 RELAY
#
# would accept mail from okay.cyberspammer.com, but would reject mail
# from all other hosts at cyberspammer.com with the indicated message.
# It would accept mail from any hosts in the sendmail.org domain,
# and allow relaying for the 128.32.*.* network.
#
# You can also use the access database to block sender addresses based on
# the username portion of the address. For example:
#
# FREE.STEALTH.MAILER@ 550 Spam not accepted
#
# Note that you must include the @ after the username to signify that
# this database entry is for checking only the username portion of the
# sender address.
#
# If you use, as we do in our "sendmail.mc" macro configuration:
#
# FEATURE(`blacklist_recipients')
#
# then you can add entries to the map for local users, hosts in your
# domains, or addresses in your domain which should not receive mail:
#
# badlocaluser 550 Mailbox disabled for this username
# host.mydomain.com 550 That host does not accept mail
# user@otherhost.mydomain.com 550 Mailbox disabled for this recipient
#
# This would prevent a recipient of badlocaluser@mydomain.com, any
# user at host.mydomain.com, and the single address
# user@otherhost.mydomain.com from receiving mail. Enabling this
# feature will keep you from sending mails to all addresses that
# have an error message or REJECT as value part in the access map.
# Taking the example from above:
#
# spammer@aol.com REJECT
# cyberspammer.com REJECT
#
# Mail can't be sent to spammer@aol.com or anyone at cyberspammer.com.
#
# Now our configuration of access file,
# by default we allow relaying from localhost...
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
192.168.1 RELAY
</programlisting>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Don't forget to list in this <literal>access</literal> file the private <acronym>IP</acronym> address range you want to relay for, or you will be unable to send mail from your internal network. List only networks you control: a <literal>RELAY</literal> entry makes the hub relay for every host on that network, so a prefix wider than your own network turns the hub into an open relay for everything inside it.
</para></note>
</para></step>
<step><para>
Create the access.db file, remember, since <filename>/etc/mail/access</filename> is a database, after creating the text file as described above, you must use the <command>makemap</command> utility
program to create the database map.
To create the <filename>access database map</filename>, use the following command:
<screen>
[root@deep] /# <command>makemap</command> hash /etc/mail/access.db &lt; /etc/mail/access
</screen>
</para></step>
</procedure>
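<para>
Because a single mistaken <literal>RELAY</literal> line is enough to turn the hub into an open relay, it pays to look over the <filename>access</filename> file before building <filename>access.db</filename>. The script below is an added example, not part of the book or of Sendmail; it applies only the rules from the file's own description above, and the sample file it writes is constructed for the demonstration (the relay entries from the text plus a few deliberate mistakes).
</para>

```shell
#!/bin/sh
# access_audit: review an /etc/mail/access file before makemap turns it into
# access.db. Added example, not part of the book or of Sendmail. It applies only
# the rules stated in the file's own description above:
#   - every non-comment line is a key followed by an action
#   - the action is OK, RELAY, REJECT, DISCARD or a three-digit SMTP error code,
#     and an error code should carry a message
#   - makemap keeps only the first of two identical keys (unless run with -r),
#     so a duplicate is almost always a mistake
#   - a RELAY key of one or two octets relays for an entire /8 or /16; it is
#     reported so that the range can be confirmed, since a prefix that is too
#     wide turns the hub into an open relay for everything inside it
# Prints one line per finding and returns 0 only when there is nothing to look at.
access_audit() {
    awk '
    function finding(msg) { printf("%s:%d: %s\n", FILENAME, FNR, msg); rc = 1 }
    NF == 0 || $1 ~ /^#/ { next }
    {
        key = $1; act = $2
        if (act == "") { finding("no action given for " key); next }
        if (key in seen) finding("duplicate key " key " (makemap would keep the first)")
        seen[key] = 1
        if (act !~ /^(OK|RELAY|REJECT|DISCARD|[0-9][0-9][0-9])$/)
            finding("unknown action \"" act "\" for " key)
        else if (act ~ /^[0-9][0-9][0-9]$/ && NF < 3)
            finding("error code " act " for " key " has no message text")
        if (act == "RELAY" && key ~ /^[0-9]+(\.[0-9]+)?$/)
            finding("RELAY for " key " covers a whole /8 or /16, confirm it is intended")
    }
    END { exit rc }
    ' "$1"
}

# Constructed sample (not the book's file): the relay entries from the text plus
# a few deliberate mistakes.
write_access_sample() {
    cat > "$1" <<'EOF'
# local relaying, as in the text
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.1               RELAY
10                      RELAY
spammer@aol.com         REJECT
cyberspammer.com        550 We don't accept mail from spammers
okay.cyberspammer.com   OK
okay.cyberspammer.com   OK
FREE.STEALTH.MAILER@    550
typo.example            ACCEPT
EOF
}

# Stand-alone run: audit the sample and clean up.
sample=$(mktemp)
write_access_sample "$sample"
access_audit "$sample" || echo "fix the findings above before running makemap"
rm -f "$sample"
```

<para>
Run <command>access_audit</command> <filename>/etc/mail/access</filename> before <command>makemap</command>. The one- and two-octet warning is deliberately conservative: a prefix such as <literal>128.32</literal> from the README example is legitimate for a site that really owns that /16, so treat that finding as something to confirm rather than as an error.
</para>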
</section>
<section><?dbhtml filename="chap22sec179.html"?>
<title>The <filename>/etc/mail/aliases</filename> and <filename>aliases.db</filename> files</title>
<para>
Aliasing is the process of converting one local recipient name on the system into another -<emphasis>aliasing occurs only on local names</emphasis>. Example uses are to convert a generic name -such as root, into a
real username on the system, or to convert one name into a list of many names -<emphasis>for mailing lists</emphasis>. For every envelope that lists a local user as a recipient, Sendmail looks up that recipient's name
in the <filename>aliases</filename> file. Because Sendmail may have to search through thousands of names in the <filename>aliases</filename> file, a copy of the file is stored in a separate <literal>db</literal> database
format file to significantly improve lookup speed. If you configure your Sendmail to use a Central Server <literal>Mail Hub</literal> to handle all mail, you don't need to install the <filename>aliases</filename> and <filename>aliases.db</filename>
files on the neighbor server or client machines.
</para>
<procedure>
<step><para>
Create the <literal>aliases</literal> file, <command>touch</command> <filename>/etc/mail/aliases</filename>, and add the following lines:
<programlisting>
#
# @(#)aliases 8.2 (Berkeley) 3/5/94
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# &gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; The program "newaliases" must be run after
# &gt;&gt; NOTE &gt;&gt; this file is updated for any changes to
# &gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt;&gt; show through to sendmail.
#
# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
nobody: root
# Person who should get root's mail
#root: admin
</programlisting>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Your aliases file will be probably far more complex, but even so, note how the example shows the minimum form of aliases.
</para></note>
</para></step>
<step><para>
Since <filename>/etc/mail/aliases</filename> is used through a database, after creating the text file as described above you must rebuild <filename>aliases.db</filename>. The <command>newaliases</command> program (the same as <command>sendmail -bi</command>) does this in the format Sendmail expects, and must be run again after every change to the file.
To create the <filename>aliases database map</filename>, use the following command:
<screen>
[root@deep] /# <command>newaliases</command>
</screen>
</para></step>
</procedure>
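<para>
The <command>smrsh</command> feature enabled in <filename>sendmail.mc</filename> restricts which programs an alias or a <filename>~/.forward</filename> file can pipe mail into, so an alias that points at a program outside smrsh's command directory quietly starts bouncing. The script below is an added example, not part of the book or of Sendmail: it lists every program alias and reports the ones smrsh would refuse. It assumes smrsh's command directory is <filename class="directory">/etc/smrsh</filename> (Red Hat's conventional location; the real one is compiled into smrsh, so pass it as the second argument) and checks a subset of the metacharacters smrsh rejects; the stand-in directory and aliases file it writes are constructed for the demonstration.
</para>

```shell
#!/bin/sh
# aliases_prog_audit: find every alias that pipes mail into a program and report
# the ones smrsh would refuse. Added example, not part of the book or of Sendmail.
# Assumptions, stated here because the page does not give them:
#   - smrsh runs a program only if its basename exists in smrsh's command
#     directory; the directory is compiled into smrsh (Red Hat uses /etc/smrsh),
#     so pass the real one as the second argument
#   - smrsh also rejects command lines containing shell metacharacters; the set
#     checked here (` < > ; $ ( )) is a subset of what smrsh(8) lists
# Prints one line per problem and returns 0 only when every program would be allowed.
aliases_prog_audit() {
    aliases="$1"
    cmddir="${2:-/etc/smrsh}"
    rc=0
    targets=$(mktemp)
    # extract one "alias<TAB>command" line for each |program target
    awk -F: 'NF >= 2 && $1 !~ /^[ \t]*#/ {
        name = $1
        rest = $0; sub(/^[^:]*:/, "", rest)
        n = split(rest, t, ",")
        for (i = 1; i <= n; i++) {
            s = t[i]
            gsub(/^[ \t"]+|["\t ]+$/, "", s)
            if (substr(s, 1, 1) == "|") {
                sub(/^\|[ \t]*/, "", s)
                printf("%s\t%s\n", name, s)
            }
        }
    }' "$aliases" > "$targets"
    tab=$(printf '\t')
    while IFS="$tab" read -r name cmd; do
        prog=${cmd%% *}          # first word is the program
        base=${prog##*/}         # smrsh only looks at the basename
        if printf '%s' "$cmd" | grep -q '[`<>;$()]'; then
            echo "alias $name: |$cmd contains characters smrsh rejects"
            rc=1
        fi
        if [ ! -x "$cmddir/$base" ]; then
            echo "alias $name: $base is not in $cmddir, smrsh will refuse |$cmd"
            rc=1
        fi
    done < "$targets"
    rm -f "$targets"
    return $rc
}

# Constructed sample (not the book's aliases file): a stand-in smrsh directory
# holding only "vacation", and three program aliases of which one is acceptable.
write_alias_sample() {
    mkdir -p "$1/smrsh"
    printf '#!/bin/sh\nexit 0\n' > "$1/smrsh/vacation"
    chmod 755 "$1/smrsh/vacation"
    cat > "$1/aliases" <<'EOF'
# constructed sample
MAILER-DAEMON: postmaster
postmaster: root
helpdesk: root, "|/usr/bin/vacation helpdesk"
archive: "|/usr/bin/procmail -m /etc/procmailrc"
report: "|/bin/sh -c 'cat > /var/tmp/report'"
EOF
}

# Stand-alone run: audit the sample against the stand-in directory and clean up.
sample_dir=$(mktemp -d)
write_alias_sample "$sample_dir"
aliases_prog_audit "$sample_dir/aliases" "$sample_dir/smrsh" || echo "some aliases would be refused by smrsh"
rm -rf "$sample_dir"
```

<para>
Run <command>aliases_prog_audit</command> <filename>/etc/mail/aliases</filename> on the Mail Hub after editing the aliases and before <command>newaliases</command>. To allow a program, place it (or a symbolic link to it) in smrsh's command directory rather than relaxing smrsh; that directory is the whole list of what mail is permitted to execute.
</para>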
<section>
<title>The <filename class="directory">/etc/mail/</filename> Directory</title>
<para>
The files <filename>virtusertable</filename>, <filename>domaintable</filename> and <filename>mailertable</filename>, and their compiled forms <filename>virtusertable.db</filename>, <filename>domaintable.db</filename> and <filename>mailertable.db</filename>, all relate to particular features of Sendmail that can be tuned by the system administrator. Once again, these features are usually required only on the Central Mail Hub server. The following is an explanation of each one.
</para>
<glosslist><glossentry>
<glossterm>The <filename>virtusertable</filename> &amp; <filename>virtusertable.db</filename> files</glossterm>
<glossdef><para>
A virtusertable is a database that maps virtual domains to new addresses. With this feature, mail for a virtual domain on your network can be delivered to a local, remote, or single user address.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>The <filename>domaintable</filename> &amp; <filename>domaintable.db</filename> files</glossterm>
<glossdef><para>
A domaintable is a database that maps an old domain name to a new one. With this feature, addresses in the old domain are rewritten to the new domain, for as many domain names as you list.
</para></glossdef>
</glossentry>
<glossentry>
<glossterm>The <filename>mailertable</filename> &amp; <filename>mailertable.db</filename> files</glossterm>
<glossdef><para>
A mailertable is a database that maps <literal>host.domain</literal> names to special delivery agent and new domain name pairs. With this feature mail on your network can be delivered through the use of a particular
delivery agent to a new local or remote domain name.
</para></glossdef>
</glossentry>
</glosslist>
<para>
To create the <filename>virtusertable, domaintable, mailertable</filename>, and their corresponding <filename>.db</filename> files into <filename class="directory">/etc/mail</filename> directory, use the following commands:
<screen>
[root@deep] /# for map in virtusertable domaintable mailertable
</screen>
<literallayout class="monospaced"><computeroutput>
&gt; do
&gt; touch /etc/mail/${map}
&gt; chmod 0644 /etc/mail/${map}
&gt; makemap hash /etc/mail/${map}.db &lt; /etc/mail/${map}
&gt; chmod 0644 /etc/mail/${map}.db
&gt; done
</computeroutput></literallayout>
</para>
</section>
</section>
<section><?dbhtml filename="chap22sec180.html"?>
<title>The <filename>/etc/mail/local-host-names</filename> file </title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Please note that the <filename>/etc/mail/local-host-names</filename> file applies to all types of configuration.
</para></note>
<para>
The <filename>/etc/mail/local-host-names</filename> file is read to obtain alternative names for the local host. One use for such a file is to declare the list of hosts in your network for which the
local host is acting as the <literal>MX</literal> recipient. On that machine, <literal>mail.openna.com</literal> in our case, we simply add to <filename>/etc/mail/local-host-names</filename> the names of the machines for which it will handle mail.
Here is an example:
</para>
<example>
<title>Alternative names</title>
<para>
Create the local-host-names file, <command>touch</command> <filename>/etc/mail/local-host-names</filename> and add the following line:
<programlisting>
# local-host-names - include all aliases for your machine here.
openna.com
deep.openna.com
www.openna.com
win.openna.com
mail.openna.com
</programlisting>
With this configuration, mail addressed to <literal>www.openna.com</literal> or to any of the other listed hosts is treated as local mail by <literal>mail.openna.com</literal>, our Mail Hub, and delivered there.
</para></example>
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Please be aware that if you configure your system to masquerade as another (a null client masquerades as its Mail Hub), any e-mail sent from your system to itself ends up on the machine you are masquerading as. For example, in the above illustration, log
files that the cron daemon periodically sends to <email>root@www.openna.com</email> would be delivered to <email>root@mail.openna.com</email> on our Mail Hub.
</para></caution>
<section>
<title>Configure the <filename>/etc/sysconfig/sendmail</filename> file </title>
<para>
The <filename>/etc/sysconfig/sendmail</filename> file is used to specify Sendmail start-up information: whether sendmail should run as a daemon listening for incoming mail, and how often it should process the
messages waiting in its queue directory.
</para>
<para>
Create the sendmail file <command>touch</command> <filename>/etc/sysconfig/sendmail</filename> and add in this file:
<programlisting>
DAEMON=yes <co id="dmys"/>
QUEUE=1h <co id="qeys"/>
</programlisting>
<calloutlist>
<callout arearefs="dmys"><para>
The <envar>DAEMON=yes</envar> option instructs Sendmail to run as a daemon listening for incoming mail. On client machines configured with <filename>null.mc</filename> to accept no mail directly and to forward everything to the
Central Hub, change <envar>DAEMON=yes</envar> to <envar>DAEMON=no</envar>: a null client has nothing to listen for, and <emphasis>not running a listening daemon also reduces the machine's exposure</emphasis>.
</para></callout>
<callout arearefs="qeys"><para>
Mail is placed in the queue when it cannot be transmitted immediately. <envar>QUEUE=1h</envar> is passed to sendmail as <literal>-q1h</literal> and sets how often it runs through the queue and retries delivery, here once every hour.
</para></callout>
</calloutlist>
</para>
</section>
</section>
<section><?dbhtml filename="chap22sec181.html"?>
<title>The <filename>/etc/rc.d/init.d/sendmail</filename> script file</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Please note that the <filename>/etc/rc.d/init.d/sendmail</filename> file applies to all types of configuration.
</para></note>
<para>
To configure your <filename>/etc/rc.d/init.d/sendmail</filename> script file to start and stop the Sendmail daemon, You have to create the sendmail script file, <command>touch</command> <filename>/etc/rc.d/init.d/sendmail</filename> and add:
</para>
<para>
<programlisting>
#!/bin/sh
#
# sendmail      This shell script takes care of starting and stopping
#               sendmail.
#
# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.
# processname: sendmail
# config: /etc/sendmail.cf
# pidfile: /var/run/sendmail.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Source sendmail configuration, falling back to the defaults
# described above when /etc/sysconfig/sendmail does not exist.
if [ -f /etc/sysconfig/sendmail ] ; then
    . /etc/sysconfig/sendmail
else
    DAEMON=yes
    QUEUE=1h
fi

# Check that networking is up (the variable is quoted so that an
# unset NETWORKING cannot break the test).
[ "${NETWORKING}" = "no" ] &amp;&amp; exit 0

[ -f /usr/sbin/sendmail ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting sendmail: "
        # Rebuild the aliases database and the hash maps before starting.
        /usr/bin/newaliases &gt; /dev/null 2&gt;&amp;1
        for i in virtusertable access domaintable mailertable ; do
            if [ -f /etc/mail/$i ] ; then
                makemap hash /etc/mail/$i &lt; /etc/mail/$i
            fi
        done
        # -bd only when DAEMON=yes; -q with the interval from QUEUE.
        daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] &amp;&amp; echo -bd) \
                                  $([ -n "$QUEUE" ] &amp;&amp; echo -q$QUEUE)
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] &amp;&amp; touch /var/lock/subsys/sendmail
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down sendmail: "
        killproc sendmail
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] &amp;&amp; rm -f /var/lock/subsys/sendmail
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  status)
        status sendmail
        RETVAL=$?
        ;;
  *)
        echo "Usage: sendmail {start|stop|restart|status}"
        exit 1
        ;;
esac

exit $RETVAL
</programlisting>
</para>
<para>
Now, make this script executable and change its default permissions:
<screen>
[root@deep] /# <command>chmod</command> 700 /etc/rc.d/init.d/sendmail
</screen>
Create the symbolic rc.d links for Sendmail with the command:
<screen>
[root@deep] /# <command>chkconfig</command> --add sendmail
</screen>
Start your Sendmail Server manually with the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/sendmail start
</screen>
<literallayout class="monospaced"><computeroutput>
Starting sendmail: [ OK ]
</computeroutput></literallayout>
</para>
<para>
Please do a cleanup later, as always:
<screen>
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf sendmail-version/ sendmail.version.tar.gz
</screen>
The <command>rm</command> command as used above will remove all the source files we have used to compile and install Sendmail. It will also remove the Sendmail compressed archive from
the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap22sec182.html"?>
<title>Secure Sendmail using <command>smrsh</command></title>
<para>
The <command>smrsh</command> program is intended as a replacement for <filename>/bin/sh</filename> in the program mailer definition of Sendmail. It is a restricted shell utility that provides the ability
to specify, through the <filename class="directory">/etc/smrsh</filename> directory, an explicit list of executable programs available to Sendmail. To be more precise, even if somebody with malicious intentions
can get Sendmail to run a program without going through an aliases or forward file, smrsh limits the set of programs that he or she can execute. When used in conjunction with Sendmail, smrsh effectively limits Sendmail's
scope of program execution to only those programs specified in smrsh's directory. If you have followed what we did above, the smrsh program is already compiled and installed on your computer as <filename>/usr/sbin/smrsh</filename>.
</para>
<procedure>
<step><para>
The first thing we need to do is to determine the list of commands that <command>smrsh</command> should allow Sendmail to run.
By default we include, but are not limited to:
<itemizedlist>
<listitem><para>
<filename>/bin/mail</filename> -<emphasis>if you have it installed on your system</emphasis>
</para></listitem><listitem><para>
<filename>/usr/bin/procmail</filename> -<emphasis>if you have it installed on your system</emphasis>
</para></listitem>
</itemizedlist>
<warning>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Warning.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Warning</phrase></textobject>
</inlinemediaobject>
</title>
<para>
<emphasis>You should not include interpreter programs</emphasis> such as <citerefentry><refentrytitle>sh</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>csh</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>perl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, <citerefentry><refentrytitle>uudecode</refentrytitle><manvolnum>1</manvolnum></citerefentry> or <citerefentry><refentrytitle>sed</refentrytitle><manvolnum>1</manvolnum></citerefentry> -the stream editor, in your list of acceptable commands.
</para></warning>
</para></step>
<step>
<para>
You will next need to populate the <filename class="directory">/etc/smrsh</filename> directory with the programs that Sendmail is allowed to execute. To avoid duplicate copies of programs, it is better
to create symbolic links to the allowed programs from <filename class="directory">/etc/smrsh</filename> than to copy the programs into this directory.
To allow the mail program <filename>/bin/mail</filename>, use the following commands:
<screen>
[root@deep] /# <command>cd</command> /etc/smrsh
[root@deep ]/smrsh# <command>ln</command> -s /bin/mail mail
</screen>
To allow the procmail program <filename>/usr/bin/procmail</filename>, use the following commands:
<screen>
[root@deep] /# <command>cd</command> /etc/smrsh
[root@deep ]/smrsh# <command>ln</command> -s /usr/bin/procmail procmail
</screen>
This will allow the mail and procmail programs to be run from a user's <filename>.forward</filename> file or an <filename>aliases</filename> file which uses the program syntax.
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Procmail is required only on the Mail Hub Server and not on a Local Client Mail Server. If you have configured your system as a Mail Hub Server, make the link to procmail as explained above; if you have configured
your system as a Local Client Server, skip the procmail step above.
</para></important>
</para>
</step>
<step><para>
We can now configure Sendmail to use the restricted shell. The program mailer is defined by a single line in the Sendmail configuration file, <filename>/etc/mail/sendmail.cf</filename>. You must modify this single
Mprog definition line in the <filename>sendmail.cf</filename> file by replacing the <filename>/bin/sh</filename> specification with <filename>/usr/sbin/smrsh</filename>.
Edit the <filename>sendmail.cf</filename> file, <command>vi</command> <filename>/etc/mail/sendmail.cf</filename> and change the line:
<example>
<title><filename>sendmail.cf</filename></title>
<para>
<programlisting>
Mprog, P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
</programlisting>
Which should be changed to:
<programlisting>
Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
</programlisting>
</para></example>
</para></step>
<step><para>
Now re-start the sendmail process manually with the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/sendmail <command>restart</command>
</screen>
</para></step>
</procedure>
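<para>
To verify that a finished smrsh setup follows the rules of the steps above (links only, no interpreters, and an Mprog mailer that points at smrsh), here is an added audit script. It is example code written for this edition, not part of the book's procedure or of the Sendmail distribution. It assumes the paths used above (<filename>/etc/smrsh</filename>, <filename>/usr/sbin/smrsh</filename>, <filename>/etc/mail/sendmail.cf</filename>); the interpreters <literal>bash</literal>, <literal>ksh</literal>, <literal>python</literal> and <literal>awk</literal> are added to the book's list as an assumption of this example, and the file name <filename>smrsh_audit.sh</filename> used for the self-run guard is likewise an assumption.
</para>

```shell
#!/bin/sh
# Added audit helper (example code, not from the book or from Sendmail).
# It checks an smrsh directory and a sendmail.cf against the rules above:
# only symbolic links, no interpreters, and an Mprog mailer that uses smrsh.

# Interpreters that must never be reachable through smrsh. The book names
# sh, csh, perl, uudecode and sed; bash, ksh, python and awk are added here
# as an assumption of this example.
SMRSH_FORBIDDEN="sh csh bash ksh perl python uudecode sed awk"

# smrsh_audit_dir DIR
# Prints one line per problem found in DIR (default /etc/smrsh).
# Returns 0 when the directory is clean, 1 otherwise.
smrsh_audit_dir() {
    dir=${1:-/etc/smrsh}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    for entry in "$dir"/*; do
        # An empty directory leaves the glob unexpanded; skip that case.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=$(basename "$entry")
        if [ ! -L "$entry" ]; then
            echo "not a symbolic link (copied program): $entry"
            rc=1
        fi
        # Look at the link target too, so "mail -> /bin/sh" is caught.
        target=$(readlink "$entry" 2>/dev/null || echo "$entry")
        tname=$(basename "$target")
        for bad in $SMRSH_FORBIDDEN; do
            if [ "$name" = "$bad" ] || [ "$tname" = "$bad" ]; then
                echo "interpreter reachable through smrsh: $entry -> $target"
                rc=1
            fi
        done
    done
    return $rc
}

# smrsh_audit_cf SENDMAIL_CF
# Returns 0 when the Mprog mailer line in SENDMAIL_CF (default
# /etc/mail/sendmail.cf) uses P=/usr/sbin/smrsh, 1 otherwise.
smrsh_audit_cf() {
    cf=${1:-/etc/mail/sendmail.cf}
    if grep '^Mprog,' "$cf" 2>/dev/null | grep -q 'P=/usr/sbin/smrsh'; then
        return 0
    fi
    echo "Mprog mailer in $cf does not use /usr/sbin/smrsh"
    return 1
}

# Run both checks against the live system when executed as smrsh_audit.sh
# (assumed file name); when sourced, only the functions are defined.
if [ "$(basename "$0")" = "smrsh_audit.sh" ]; then
    smrsh_audit_dir
    smrsh_audit_cf
fi
```

<para>
Both functions take their paths as arguments, so they can be pointed at a test copy of <filename>/etc/smrsh</filename> or of <filename>sendmail.cf</filename> before the real files are touched; a non-zero exit status means at least one rule from the steps above is violated.
</para>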
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
In our <filename>sendmail.mc</filename> configuration file for the Mail Hub Server above, we have already configured this Mprog line to use the restricted shell <filename>/usr/sbin/smrsh</filename>
with the m4 macro <envar>FEATURE(`smrsh',`/usr/sbin/smrsh')</envar>, so don't be surprised if the <filename>/usr/sbin/smrsh</filename> specification is already set in your <filename>/etc/mail/sendmail.cf</filename>
file for the Mail Hub relay.
</para>
<para>
Instead, use the technique shown above for the other <filename>/etc/mail/sendmail.cf</filename> files in your network, such as the <emphasis>one for the nullclient local or neighbor clients and servers</emphasis> that use the <filename>null.mc</filename> macro configuration file to generate their <filename>/etc/mail/sendmail.cf</filename> file.
</para></note>
</section>
<section><?dbhtml filename="chap22sec183.html"?>
<title>The <filename>/etc/mail/aliases</filename> file</title>
<para>
A poorly or carelessly administered <filename>aliases</filename> file can easily be used to gain privileged status. For example, many vendors ship systems with a <literal>decode</literal> alias in the <filename>/etc/mail/aliases</filename>
file. The intention is to provide an easy way for users to transfer binary files using mail. At the sending site the user converts the binary to <acronym>ASCII</acronym> with <literal>uuencode</literal>, then mails the result to the <literal>decode</literal>
alias at the receiving site. That alias pipes the mail message through the <filename>/usr/bin/uudecode</filename> program, which converts the <acronym>ASCII</acronym> back into the original binary file.
</para>
<para>
Remove the <envar>decode</envar> alias line from your <filename>/etc/mail/aliases</filename> file. Similarly, every alias that executes a program that you did not place there yourself and check completely should be
questioned and probably removed.
Edit the <filename>aliases</filename> file, <command>vi</command> <filename>/etc/mail/aliases</filename>, and remove the lines marked below (the basic system aliases at the top of the file must stay):
<programlisting>
# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# General redirections for pseudo accounts.
bin: root
daemon: root
games: root <co id="gmsrt"/>
ingres: root <co id="inrt"/>
nobody: root
system: root <co id="sysrt"/>
toor: root <co id="trtgr"/>
uucp: root <co id="uugr"/>
# Well-known aliases.
manager: root <co id="mngr"/>
dumper: root <co id="dmgr"/>
operator: root <co id="opgr"/>
# trap decode to catch security attacks
decode: root <co id="dcgr"/>
# Person who should get root's mail
#root: marc
</programlisting>
<calloutlist>
<callout arearefs="gmsrt inrt sysrt trtgr uugr mngr dmgr opgr dcgr">
<para>Remove all these lines</para>
</callout>
</calloutlist>
</para>
<para>
For the changes to take effect you will need to run:
<screen>
[root@deep] /# /usr/bin/newaliases
</screen>
</para>
<para>
You need to prevent your Sendmail from being abused by unauthorized users. Sendmail now includes powerful Anti-Spam features which can help with this. To use
them, make a change to the configuration file to block off spammers. Edit the <filename>sendmail.cf</filename> file, <command>vi</command> <filename>/etc/mail/sendmail.cf</filename>, and change the line:
<programlisting>
O PrivacyOptions=authwarnings
</programlisting>
To read:
<programlisting>
O PrivacyOptions=authwarnings,goaway
</programlisting>
Setting the <envar>goaway</envar> option causes Sendmail to disallow all <acronym>SMTP</acronym> <command>EXPN</command> commands, it also causes it to reject all <acronym>SMTP</acronym> <command>VERB</command> commands and to
disallow all <acronym>SMTP</acronym> <command>VRFY</command> commands. These changes prevent spammers from using the <command>EXPN</command> and <command>VRFY</command> commands in Sendmail.
</para>
<para>
You also have to restrict who can examine the queue's contents. Ordinarily, anyone may examine the mail queue's contents by using the <command>mailq</command> command. To restrict who may examine the queue's contents, you
must specify the <envar>restrictmailq</envar> option in the <filename>/etc/mail/sendmail.cf</filename> file. With this option, Sendmail allows only users who are in the same group as the group ownership of the queue
directory (<literal>root</literal>) to examine the contents. This allows the queue directory to be fully protected with mode <literal>0700</literal>, while selected users are still able to see the contents.
</para>
<para>
Edit the <filename>sendmail.cf</filename> file, <command>vi</command> <filename>/etc/mail/sendmail.cf</filename> and change the line:
<programlisting>
O PrivacyOptions=authwarnings,goaway
</programlisting>
To read:
<programlisting>
O PrivacyOptions=authwarnings,goaway,restrictmailq
</programlisting>
Now we change the mode of our queue directory to be fully protected:
<screen>
[root@deep] /# <command>chmod</command> 0700 /var/spool/mqueue
</screen>
</para>
<para>
Now re-start the sendmail process manually for the change to take effect:
<screen>
[root@deep] /# /etc/rc.d/init.d/sendmail <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
</computeroutput></literallayout>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
We have already added the <envar>goaway</envar> option to the line <envar>PrivacyOptions=</envar> in <filename>sendmail.cf</filename> file. Now we can just add the <envar>restrictmailq</envar> option to this line.
</para></tip>
<para>
Any non-privileged user who attempts to examine the mail queue content will get this message:
<screen>
[user@deep /]$ /usr/bin/mailq
</screen>
<literallayout class="monospaced"><computeroutput>
You are not permitted to see the queue
</computeroutput></literallayout>
</para>
</section>
<section><?dbhtml filename="chap22sec184.html"?>
<title>Limit queue processing to <literal>root</literal></title>
<para>
Ordinarily, anyone may process the queue with the -q switch. To limit queue processing to <literal>root</literal> and the owner of the queue directory, you must specify
the <envar>restrictqrun</envar> option in the <filename>/etc/mail/sendmail.cf</filename> file.
</para>
<para>
Edit the <filename>sendmail.cf</filename> file, <command>vi</command> <filename>/etc/mail/sendmail.cf</filename> and change the line:
<programlisting>
O PrivacyOptions=authwarnings,goaway,restrictmailq
</programlisting>
To read:
<programlisting>
O PrivacyOptions=authwarnings,goaway,restrictmailq,restrictqrun
</programlisting>
</para>
<para>
Now re-start the sendmail process manually for the change to take effect:
<screen>
[root@deep] /# /etc/rc.d/init.d/sendmail <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
</computeroutput></literallayout>
Any non-privileged user who attempts to process the queue will get this message:
<screen>
[user@deep /]$ /usr/sbin/sendmail -q
</screen>
<literallayout class="monospaced"><computeroutput>
You do not have permission to process the queue
</computeroutput></literallayout>
</para>
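<para>
The aliases clean-up, the <envar>PrivacyOptions</envar> changes and the <literal>0700</literal> queue directory described in this and the previous section are easy to lose during an upgrade, so here is an added audit script that re-checks them. It is example code written for this edition, not part of the book or of Sendmail. It assumes the file locations used above (<filename>/etc/mail/aliases</filename>, <filename>/etc/mail/sendmail.cf</filename>, <filename>/var/spool/mqueue</filename>) and the file name <filename>sendmail_audit.sh</filename> for its self-run guard; it reads only and changes nothing.
</para>

```shell
#!/bin/sh
# Added audit helpers (example code, not from the book or from Sendmail)
# for the aliases and PrivacyOptions hardening described above.

# aliases_audit ALIASES_FILE
# Prints every alias that pipes mail into a program ("|...") and the
# 'decode' alias the book says to remove. Returns 1 if any is present,
# 0 when the file (default /etc/mail/aliases) is clean.
aliases_audit() {
    f=${1:-/etc/mail/aliases}
    # Drop comment lines first; an alias line looks like "name: target".
    hits=$(grep -v '^[[:space:]]*#' "$f" 2>/dev/null |
           grep -E '^[[:space:]]*decode[[:space:]]*:|:[[:space:]]*"?[|]')
    if [ -n "$hits" ]; then
        printf 'program or decode aliases found in %s:\n%s\n' "$f" "$hits"
        return 1
    fi
    return 0
}

# privacy_options_check SENDMAIL_CF
# Returns 0 when the "O PrivacyOptions=" line of SENDMAIL_CF (default
# /etc/mail/sendmail.cf) carries goaway, restrictmailq and restrictqrun;
# otherwise prints the missing options and returns 1.
privacy_options_check() {
    cf=${1:-/etc/mail/sendmail.cf}
    opts=$(sed -n 's/^O PrivacyOptions=//p' "$cf" 2>/dev/null | head -n 1 | tr ',' ' ')
    missing=""
    for want in goaway restrictmailq restrictqrun; do
        case " $opts " in
            *" $want "*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "PrivacyOptions in $cf is missing:$missing"
        return 1
    fi
    return 0
}

# mqueue_mode_check DIR
# Returns 0 when DIR (default /var/spool/mqueue) has mode 0700, i.e. its
# permission string is drwx------ as set by "chmod 0700" above.
mqueue_mode_check() {
    dir=${1:-/var/spool/mqueue}
    perms=$(ls -ld "$dir" 2>/dev/null | cut -c1-10)
    if [ "$perms" = "drwx------" ]; then
        return 0
    fi
    echo "$dir is not mode 0700 (found: ${perms:-missing})"
    return 1
}

# Run all three checks against the live system when executed as
# sendmail_audit.sh (assumed file name); when sourced, only the
# functions are defined.
if [ "$(basename "$0")" = "sendmail_audit.sh" ]; then
    aliases_audit
    privacy_options_check
    mqueue_mode_check
fi
```

<para>
The aliases check deliberately reports every piped alias, including the procmail link that the Mail Hub configuration legitimately uses, so that each one is looked at rather than assumed safe; the two configuration checks read the live <filename>sendmail.cf</filename> text, not the running daemon, so restart Sendmail after any fix as shown above.
</para>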
<section>
<title>The <acronym>SMTP</acronym> greeting message</title>
<para>
When Sendmail accepts an incoming <acronym>SMTP</acronym> connection it sends a greeting message to the other host. This message identifies the local machine and is the first thing it sends to say it is ready.
</para>
<para>
Edit the <filename>sendmail.cf</filename> file, <command>vi</command> <filename>/etc/mail/sendmail.cf</filename> and change the line:
<programlisting>
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
</programlisting>
To read:
<programlisting>
O SmtpGreetingMessage=$j
</programlisting>
Now re-start the sendmail process manually for the change to take effect:
<screen>
[root@deep] /# /etc/rc.d/init.d/sendmail <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down sendmail: [ OK ]
Starting sendmail: [ OK ]
</computeroutput></literallayout>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
This change doesn't actually affect anything, but was recommended by folks in the <literal>news.admin.net-abuse.email</literal> newsgroup as a legal precaution. It modifies the banner, which Sendmail displays upon receiving a connection.
</para></tip>
<para>
Set the immutable bit on important Sendmail files. Important Sendmail files can be made immutable for better security with the <command>chattr</command> command of Linux. A file with the <literal>+i</literal> attribute
cannot be modified, deleted or renamed; no link can be created to it and no data can be written to it. Only the super-user can set or clear this attribute.
</para>
<procedure>
<step><para>
Set the immutable bit on the <filename>sendmail.cf</filename> file:
<screen>
[root@deep] /# <command>chattr</command> +i /etc/mail/sendmail.cf
</screen>
</para></step><step><para>
Set the immutable bit on the <filename>local-host-names</filename> file:
<screen>
[root@deep] /# <command>chattr</command> +i /etc/mail/local-host-names
</screen>
</para></step><step><para>
Set the immutable bit on the <filename>aliases</filename> file:
<screen>
[root@deep] /# <command>chattr</command> +i /etc/mail/aliases
</screen>
</para></step><step><para>
Set the immutable bit on the <filename>access</filename> file:
<screen>
[root@deep] /# <command>chattr</command> +i /etc/mail/access
</screen>
</para></step>
</procedure>
<para>
For further documentation and more details, there are several man pages you can read:
<variablelist><varlistentry>
<term><citerefentry><refentrytitle>aliases</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
- aliases file for sendmail
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>makemap</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- create database maps for sendmail
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>sendmail</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- an electronic mail transport agent
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>mailq</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- print the mail queue
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>newaliases</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- rebuild the data base for the mail aliases file
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>mailstats</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- display mail statistics
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>praliases</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- display system mail aliases
</para></listitem>
</varlistentry>
</variablelist>
</para>
</section>
</section>
<section><?dbhtml filename="chap22sec185.html"?>
<title>Sendmail Administrative Tools</title>
<para>
The commands listed below are some that we use often, but many more exist. Check the man page and documentation for more details and information.
</para>
<formalpara>
<title>newaliases</title>
<para>
The purpose of the <filename>newaliases</filename> program utility of Sendmail is to rebuild and update the random access database for the mail aliases file <filename>/etc/mail/aliases</filename>. It must be
run each time you change the contents of this file in order for the changes to take effect.
To update the aliases file with the <filename>newaliases</filename> utility, use the following command:
<screen>
[root@deep] /# /usr/bin/newaliases
</screen>
</para>
</formalpara>
<formalpara>
<title>makemap</title>
<para>
The purpose of the <command>makemap</command> program utility is to create the database maps used by Sendmail. The <command>makemap</command> command is needed only when you must create a new database for files like
<filename>aliases</filename>, <filename>access</filename>, <filename>domaintable</filename>, <filename>mailertable</filename>, and <filename>virtusertable</filename>.
To run makemap to create a new database for access, use the following command:
<screen>
[root@deep] /# makemap hash /etc/mail/access.db &lt; /etc/mail/access
</screen>
<itemizedlist><listitem><para>
Where <literal>hash</literal> is the database format; makemap can handle up to three different database formats, which may be <literal>hash</literal>, <literal>btree</literal> or <literal>dbm</literal>.
</para></listitem><listitem><para>
<filename>/etc/mail/access.db</filename> is the location and name of the new database that will be created.
</para></listitem><listitem><para>
<filename>/etc/mail/access</filename> is the file that makemap reads on its standard input.
</para></listitem>
</itemizedlist>
In our example, we have created a new <filename>access.db</filename> file with the makemap command above. To create a database for other files like <filename>aliases, domaintable, mailertable</filename>, and <filename>virtusertable</filename>,
you must indicate the location and name of the corresponding file in the <command>makemap</command> command.
</para>
</formalpara>
<formalpara>
<title>mailq</title>
<para>
The purpose of the <command>mailq</command> program utility is to print a summary of the mail messages queued for future delivery.
To print a summary of the mail messages queued, use the following command:
<screen>
[root@deep] /# <command>mailq</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Mail queue is empty
</computeroutput></literallayout>
</para>
</formalpara>
<section>
<title>Sendmail Users Tools</title>
<para>
The commands listed below are some that we use often, but many more exist. Check the man page and documentation for more details and information.
</para>
<formalpara>
<title>mailstats</title>
<para>
The purpose of the <command>mailstats</command> program utility is to display the contents of the current mail statistics.
To display the current mail statistics, use the following command:
<screen>
[root@deep] /# <command>mailstats</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Statistics from Tue Dec 14 20:31:48 1999
 M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis  Mailer
 5        0          0K        1          3K        0       0  esmtp
 8     1259      19618K     1259      19278K        0       0  local
=============================================================
 T     1259      19618K     1260      19281K        0       0
</computeroutput></literallayout>
</para>
</formalpara>
<formalpara>
<title>praliases</title>
<para>
The purpose of the <command>praliases</command> program utility is to display, one per line and in no particular order, the contents of the current system mail aliases.
To display the current system aliases, use the following command:
<screen>
[root@deep] /# <command>praliases</command>
</screen>
<literallayout class="monospaced"><computeroutput>
postmaster:root
daemon:root
root:admin
@:@
mailer-daemon:postmaster
bin:root
nobody:root
webadmin:admin
www:root
</computeroutput></literallayout>
</para>
</formalpara>
</section>
</section>
<section><?dbhtml filename="chap22sec186.html"?>
<title>Installed files: Sendmail -Central Mail Hub</title>
<para>
Files Installed for Sendmail Central Mail Hub configuration are:
</para>
<simplelist type="vert" columns="2">
<member><filename>/etc/rc.d/init.d/sendmail</filename></member>
<member><filename>/etc/rc.d/rc0.d/K30sendmail</filename></member>
<member><filename>/etc/rc.d/rc1.d/K30sendmail</filename></member>
<member><filename>/etc/rc.d/rc2.d/S80sendmail</filename></member>
<member><filename>/etc/rc.d/rc3.d/S80sendmail</filename></member>
<member><filename>/etc/rc.d/rc4.d/S80sendmail</filename></member>
<member><filename>/etc/rc.d/rc5.d/S80sendmail</filename></member>
<member><filename>/etc/rc.d/rc6.d/K30sendmail</filename></member>
<member><filename>/etc/sysconfig/sendmail</filename></member>
<member><filename>/etc/mail</filename></member>
<member><filename>/etc/mail/statistics</filename></member>
<member><filename>/etc/mail/sendmail.cf</filename></member>
<member><filename>/etc/mail/access</filename></member>
<member><filename>/etc/mail/access.db</filename></member>
<member><filename>/etc/mail/aliases</filename></member>
<member><filename>/etc/mail/aliases.db</filename></member>
<member><filename>/etc/mail/virtusertable</filename></member>
<member><filename>/etc/mail/virtusertable.db</filename></member>
<member><filename>/etc/mail/domaintable</filename></member>
<member><filename>/etc/mail/domaintable.db</filename></member>
<member><filename>/etc/mail/mailertable</filename></member>
<member><filename>/etc/mail/mailertable.db</filename></member>
<member><filename>/etc/mail/local-host-names</filename></member>
<member><filename>/etc/smrsh</filename></member>
<member><filename>/usr/bin/newaliases</filename></member>
<member><filename>/usr/bin/mailq</filename></member>
<member><filename>/usr/bin/hoststat</filename></member>
<member><filename>/usr/bin/purgestat</filename></member>
<member><filename>/usr/lib/sendmail</filename></member>
<member><filename>/usr/man/man1/mailq.1</filename></member>
<member><filename>/usr/man/man1/newaliases.1</filename></member>
<member><filename>/usr/man/man5/aliases.5</filename></member>
<member><filename>/usr/man/man8/sendmail.8</filename></member>
<member><filename>/usr/man/man8/mailstats.8</filename></member>
<member><filename>/usr/man/man8/makemap.8</filename></member>
<member><filename>/usr/man/man8/praliases.8</filename></member>
<member><filename>/usr/man/man8/smrsh.8</filename></member>
<member><filename>/usr/sbin/sendmail</filename></member>
<member><filename>/usr/sbin/mailstats</filename></member>
<member><filename>/usr/sbin/makemap</filename></member>
<member><filename>/usr/sbin/praliases</filename></member>
<member><filename>/usr/sbin/smrsh</filename></member>
<member><filename>/var/spool/mqueue</filename></member>
</simplelist>
</section>
<section><?dbhtml filename="chap22sec187.html"?>
<title>Installed files: Sendmail -Local server/client</title>
<para>
Files installed for Sendmail local server or client configuration:
</para>
<simplelist type="vert" columns="2">
<member><filename>/etc/rc.d/init.d/sendmail</filename></member>
<member><filename>/etc/rc.d/rc0.d/K30sendmail</filename></member>
<member><filename>/etc/rc.d/rc1.d/K30sendmail</filename></member>
<member><filename>/etc/rc.d/rc2.d/S80sendmail</filename></member>
<member><filename>/etc/rc.d/rc3.d/S80sendmail</filename></member>
<member><filename>/etc/rc.d/rc4.d/S80sendmail</filename></member>
<member><filename>/etc/rc.d/rc5.d/S80sendmail</filename></member>
<member><filename>/etc/rc.d/rc6.d/K30sendmail</filename></member>
<member><filename>/etc/sysconfig/sendmail</filename></member>
<member><filename>/etc/mail</filename></member>
<member><filename>/etc/mail/statistics</filename></member>
<member><filename>/etc/mail/sendmail.cf</filename></member>
<member><filename>/etc/mail/local-host-names</filename></member>
<member><filename>/etc/smrsh</filename></member>
<member><filename>/usr/bin/mailq</filename></member>
<member><filename>/usr/bin/hoststat</filename></member>
<member><filename>/usr/bin/purgestat</filename></member>
<member><filename>/usr/lib/sendmail</filename></member>
<member><filename>/usr/man/man1/mailq.1</filename></member>
<member><filename>/usr/man/man8/sendmail.8</filename></member>
<member><filename>/usr/man/man8/mailstats.8</filename></member>
<member><filename>/usr/man/man8/smrsh.8</filename></member>
<member><filename>/usr/sbin/sendmail</filename></member>
<member><filename>/usr/sbin/mailstats</filename></member>
<member><filename>/usr/sbin/smrsh</filename></member>
<member><filename>/var/spool/mqueue</filename></member>
</simplelist>
</section>
</chapter>
<chapter label="23"><?dbhtml filename="imapop.html"?>
<title>Linux <acronym>IMAP</acronym> &amp; <acronym>POP</acronym> Server</title>
<highlights><para>
If you have configured Sendmail as a Central Mail Hub Server, you must install <acronym>IMAP</acronym>/<acronym>POP</acronym> software or you'll not be able to take advantage of your Linux Mail server since Sendmail
is just software that sends mail from one machine to another, and nothing else. A mail server is a server that is running one or more of the following:
<simplelist type="vert">
<member>
An <acronym>IMAP</acronym> server
</member><member>
A <acronym>POP3</acronym> server
</member><member>
A <acronym>POP2</acronym> server
</member><member>
or an <acronym>SMTP</acronym> server.
</member>
</simplelist>
An example of an <acronym>SMTP</acronym> server is Sendmail, which must already be installed on your Linux server as a Central Mail Hub before you continue reading this part of the book. For now, we are going to cover installing
<acronym>IMAP4</acronym>, <acronym>POP3</acronym>, and <acronym>POP2</acronym>, which all come in a single package.
</para></highlights>
<section id="pr6ch23sc1ip"><?dbhtml filename="chap23sec188.html"?>
<title>Configure and Compile</title>
<para>
With <acronym>IMAP</acronym> &amp; <acronym>POP</acronym> software, a remote <literal>client</literal> email program can access message stores on the Linux mail server as if they were local. For example, email received and
stored on an <acronym>IMAP</acronym> server for a user can be manipulated from his/her computer at home, office, etc, without the need to transfer messages or files back and forth between these computers.
</para>
<para>
<acronym>POP</acronym> stands for <literal>Post Office Protocol</literal> and simply allows you to list messages, retrieve them, and delete them. <acronym>IMAP</acronym> is <acronym>POP</acronym> on steroids. It allows you to
easily maintain multiple accounts, have multiple people access one account, leave mail on the server, just download the headers, or bodies, no attachments, and so on. <acronym>IMAP</acronym> is ideal for anyone on the go, or
with serious email needs. The default <acronym>POP</acronym> and <acronym>IMAP</acronym> servers that most distributions ship fulfill most needs.
<mediaobject>
<imageobject><imagedata fileref="./images/IMAP-Client-Schema.gif" format="GIF"/></imageobject>
<textobject><phrase>IMAP client</phrase></textobject>
</mediaobject>
</para>
<para>
These installation instructions assume:
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename>/var/tmp</filename> -<emphasis>other paths are possible</emphasis>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account root.
</para></listitem><listitem><para>
<acronym>IMAP</acronym> version number is 4.7c
</para></listitem>
</itemizedlist>
</para>
<para>
These are the Package(s) needed and should be available here:
<simplelist type="vert">
<member>
<acronym>IMAP</acronym>/<acronym>POP</acronym> Homepage: <link linkend="prtinxfp20">http://www.washington.edu/imap/</link>
</member><member>
<acronym>IMAP</acronym>/<acronym>POP</acronym> FTP Site: <link linkend="prtinxfp20">140.142.3.227</link> or <link linkend="prtinxfp20">140.142.4.227</link>
</member><member>
You must be sure to download: imap.tar.Z
</member>
</simplelist>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
These are a few prerequisites you have to keep in mind: the Sendmail server should already be installed on your system to be able to use <acronym>IMAP</acronym> &amp; <acronym>POP</acronym> software.
For more information on the required software, see the related chapters in this book.
</para></note>
<para>
You need to decompress the tarballs to compile, so it is a good idea to make a list of files on the system before you install Imap, and one afterwards, and then compare them using <command>diff</command> to find out which
files it placed where. Simply run <command>find</command> <userinput>/* &gt; Imap1</userinput> before and <command>find</command> <userinput>/* &gt; Imap2</userinput> after you install the software, and
use <command>diff</command> <userinput>Imap1 Imap2 &gt; Imap-Installed</userinput> to get a list of what changed.
</para>
<para>
Before compilation you need to decompress the tarball (tar.Z):
<screen>
[root@deep] /# <command>cp</command> imap.tar.Z /var/tmp
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf imap.tar.Z
</screen>
</para>
<para>
Optimize before you compile: move into the new <acronym>IMAP</acronym>/<acronym>POP</acronym> directory, edit the <filename>Makefile</filename> file (<command>vi</command> <filename>src/osdep/unix/Makefile</filename>)
and change these lines:</para>
<procedure>
<step><para>
<programlisting>
sh -c '(test -f /usr/include/sys/statvfs.h -a $(OS) != sc5 -a $(OS) != sco) &amp;&amp; $(LN) flocksun.c flockbsd.c || $(LN) flocksv4.c flockbsd.c'
</programlisting>
To read:
<programlisting>
sh -c '(test -f /usr/include/sys/statvfs.h -a $(OS) != sc5 -a $(OS) != sco -a $(OS) != lnx) &amp;&amp; $(LN) flocksun.c flockbsd.c || $(LN) flocksv4.c flockbsd.c'
</programlisting>
This modification concerns the <filename class="headerfile">sys/statvfs.h</filename> header, which under the new glibc 2.1 of Linux differs from the one available on Sun; with the extra test the Linux build links <filename>flocksv4.c</filename> instead of <filename>flocksun.c</filename>.
</para></step>
<step><para>
<programlisting>
BASECFLAGS="-g -fno-omit-frame-pointer -O6 -DNFSKLUDGE" \
</programlisting>
To read:
<programlisting>
BASECFLAGS="-g -fno-omit-frame-pointer -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -DNFSKLUDGE" \
</programlisting>
These are our optimization flags for the compilation of <acronym>IMAP</acronym>/<acronym>POP</acronym> software on the server.
</para></step>
<step><para>
<programlisting>
ACTIVEFILE=/usr/lib/news/active
</programlisting>
To read:
<programlisting>
ACTIVEFILE=/var/lib/news/active
</programlisting>
<programlisting>
SPOOLDIR=/usr/spool
</programlisting>
To read:
<programlisting>
SPOOLDIR=/var/spool
</programlisting>
<programlisting>
RSHPATH=/usr/ucb/rsh
</programlisting>
To read:
<programlisting>
RSHPATH=/usr/bin/rsh
</programlisting>
<programlisting>
LOCKPGM=/etc/mlock
</programlisting>
To read:
<programlisting>
#LOCKPGM=/etc/mlock
</programlisting>
The <envar>ACTIVEFILE=</envar> line specifies the path of the news <filename>active</filename> file for <acronym>IMAP</acronym>/<acronym>POP</acronym>, the <envar>SPOOLDIR=</envar> line is where we put
the <filename class="directory">spool</filename> directory of Linux <acronym>IMAP</acronym>/<acronym>POP</acronym>, and the <envar>RSHPATH=</envar> line specifies the path of the <command>rsh</command> program
on our system. It's important to note that we don't use rsh services on our server, but even so, we specify the right path to <command>rsh</command>.
</para></step>
<step><para>
<programlisting>
CC=cc
</programlisting>
To read:
<programlisting>
CC=egcs
</programlisting>
This line gives the name of the <acronym>GCC</acronym> compiler we will use to compile the <acronym>IMAP</acronym>/<acronym>POP</acronym> software; in our case, egcs.
</para></step>
</procedure>
<para>
Now, we must compile and <command>install</command> <acronym>IMAP</acronym> &amp; <acronym>POP</acronym> on the Mail Server:
<screen>
[root@deep ]/imap-4.7c# <command>make</command> lnp
[root@deep ]/imap-4.7c# <command>install</command> -m 644 ./src/ipopd/ipopd.8c /usr/man/man8/ipopd.8c
[root@deep ]/imap-4.7c# <command>install</command> -m 644 ./src/imapd/imapd.8c /usr/man/man8/imapd.8c
[root@deep ]/imap-4.7c# <command>install</command> -s -m 755 ./ipopd/ipop2d /usr/sbin
[root@deep ]/imap-4.7c# <command>install</command> -s -m 755 ./ipopd/ipop3d /usr/sbin
[root@deep ]/imap-4.7c# <command>install</command> -s -m 755 ./imapd/imapd /usr/sbin
[root@deep ]/imap-4.7c# <command>install</command> -m 644 ./c-client/c-client.a /usr/lib
[root@deep ]/imap-4.7c# <command>ln</command> -fs /usr/lib/c-client.a /usr/lib/libimap.a
[root@deep ]/imap-4.7c# <command>mkdir</command> -p /usr/include/imap
[root@deep ]/imap-4.7c# <command>install</command> -m 644 ./c-client/*.h /usr/include/imap
[root@deep ]/imap-4.7c# <command>install</command> -m 644 ./src/osdep/tops-20/shortsym.h /usr/include/imap
[root@deep ]/imap-4.7c# <command>chown</command> root.mail /usr/sbin/ipop2d
[root@deep ]/imap-4.7c# <command>chown</command> root.mail /usr/sbin/ipop3d
[root@deep ]/imap-4.7c# <command>chown</command> root.mail /usr/sbin/imapd
</screen>
</para>
<para>
The above commands will configure the software to ensure your system has the necessary functionality and libraries to successfully compile the package, compile all source files into executable binaries, and
then <command>install</command> the binaries and any supporting files into the appropriate locations.
<itemizedlist>
<listitem><para>
Note that the <command>make lnp</command> command above builds the software for Linux with Pluggable Authentication Modules -<acronym>PAM</acronym> support for better security.
</para></listitem><listitem><para>
The <command>mkdir</command> command will create a new directory named <filename class="directory">imap</filename> under <filename class="directory">/usr/include</filename>. This new directory <filename class="directory">imap</filename>
will hold all header files related to the imapd program: the <filename>c-client/*.h</filename> files and <filename class="headerfile">shortsym.h</filename>.
</para></listitem><listitem><para>
The <command>chown</command> command will change the ownership of the binary programs ipop2d, ipop3d, and imapd so that they are owned by the super-user <literal>root</literal> and group-owned by the group <literal>mail</literal>.
</para></listitem><listitem><para>
The <command>ln</command> -fs command creates a symbolic link named <filename>libimap.a</filename> pointing to the <filename>c-client.a</filename> file; the link may be required by some third-party program you install in the future.
</para></listitem>
</itemizedlist>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
For security reasons, if you use only imapd services, remove the ipop2d and ipop3d binaries from your mail server. The same applies for ipopd; if you use only ipopd services, remove the imapd binary from your mail server. If you intend to
use imapd and ipopd services then keep both binaries.
</para></important>
<para>
Clean up afterwards:
<screen>
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf imap-version/ imap.tar.Z
</screen>
The <command>rm</command> command as used above will remove all the source files we have used to compile and install <acronym>IMAP</acronym>/<acronym>POP</acronym>. It will also remove the <acronym>IMAP</acronym>/<acronym>POP</acronym>
compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap23sec189.html"?>
<title>Configure to tweak</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each software package described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. This can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack this to any location on your local machine, say for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each configuration file has its own directory
for the respective software. For example, the <wordasword>IMAP/POP</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 8
-rwx------ 1 harrypotter harrypotter 685 Jun 8 13:00 imap.sh*
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 pam.d/
</computeroutput></literallayout>
You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or edit them manually to suit your needs. This facility is there as a convenience, but please don't forget that ultimately it is your
responsibility to check and verify them, <abbrev>etc.</abbrev>, before you use them, whether modified or as they are.
</para>
</note>
<para>
To run the <acronym>IMAP</acronym>/<acronym>POP</acronym> server, the following files are required and must be created or copied to the appropriate directories on your server.
<itemizedlist><listitem><para>
Copy the imap file to the <filename class="directory">/etc/pam.d/</filename> directory if you intend to use imapd service.
</para></listitem><listitem><para>
Copy the pop file to the <filename class="directory">/etc/pam.d/</filename> directory if you intend to use popd service.
</para></listitem>
</itemizedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed below from our <literal>floppy.tgz</literal> archive. Copy the following files from the decompressed <literal>floppy.tgz</literal> archive to the appropriate places, or copy and paste them
directly from this book into the relevant file.
</para></tip>
<section>
<title>The <filename>/etc/pam.d/imap</filename> file</title>
<para>
Configure your <filename>/etc/pam.d/imap</filename> file to use <acronym>PAM</acronym> authentication: create the imap file (<command>touch</command> <filename>/etc/pam.d/imap</filename>) and add:
<programlisting>
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
</programlisting>
The <literal>nullok</literal> argument allows an account whose password field is empty to authenticate, so keep it only if you really want such accounts to be able to read mail.
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
This file is only required if you intend to use <acronym>IMAP</acronym> services.
</para></note>
<section>
<title>The <filename>/etc/pam.d/pop</filename> file</title>
<para>
Configure your <filename>/etc/pam.d/pop</filename> file to use <acronym>PAM</acronym> authentication: create the pop file (<command>touch</command> <filename>/etc/pam.d/pop</filename>) and add:
<programlisting>
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nullok
account required /lib/security/pam_pwdb.so
</programlisting>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
This file is only required if you intend to use <acronym>POP</acronym> services.
</para></note>
</section>
</section>
</section>
<section><?dbhtml filename="chap23sec190.html"?>
<title>Enable <acronym>IMAP</acronym> or <acronym>POP</acronym> via the tcp-wrappers inetd super server</title>
<para>
Tcp-wrappers, through inetd, take care of starting and stopping the <acronym>IMAP</acronym> or <acronym>POP</acronym> server. Upon execution, inetd reads its configuration information from a configuration file which, by
default, is <filename>/etc/inetd.conf</filename>. Each line of that file must carry an entry for every field, with the fields separated by a <keycap>tab</keycap> or a <keycap>space</keycap>.
</para>
<procedure>
<step><para>
Edit the <filename>inetd.conf</filename> file, <command>vi</command> <filename>/etc/inetd.conf</filename>, and add or uncomment the line related to the service you want to enable. If you want to use <acronym>IMAP</acronym> then
uncomment the line related to it; if it is <acronym>POP</acronym> that you want to use on your server, then uncomment that one instead of <acronym>IMAP</acronym>. In our example below we'll use the <acronym>IMAP</acronym> service.
<programlisting>
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
imap stream tcp nowait root /usr/sbin/tcpd imapd
</programlisting>
</para></step>
<step><para>
Don't forget to make inetd reread its <filename>inetd.conf</filename> file by sending it a <envar>SIGHUP</envar> signal (<command>killall</command> -HUP inetd) after adding or uncommenting the corresponding
line.
<screen>
[root@deep /root]# <command>killall</command> -HUP inetd
</screen>
</para></step>
<step><para>
If the <acronym>IMAP</acronym>/<acronym>POP</acronym> server you want to install is a private, limited server for well-known clients with fixed, real <acronym>IP</acronym> addresses, you can use the security feature of tcp-wrappers
to control who can connect to your server and from where. If you intend to offer mail service to dial-up clients or a Webmail service, for example, then you cannot use this feature.
Edit the <filename>hosts.deny</filename> file, <command>vi</command> <filename>/etc/hosts.deny</filename>, and add the line:
<programlisting>
ALL: ALL@ALL, PARANOID
</programlisting>
This means all services from all locations are denied, so any connection not explicitly permitted by an entry in the <filename>hosts.allow</filename> file is blocked.
</para></step>
<step><para>
Edit the <filename>hosts.allow</filename> file, <command>vi</command> <filename>/etc/hosts.allow</filename> and add the line:
<programlisting>
imapd: 216.209.228.34 my.domain.com
</programlisting>
This means only the client with <acronym>IP</acronym> address <literal>216.209.228.34</literal> and host name <literal>my.domain.com</literal> is allowed to connect and use the <acronym>IMAP</acronym> service on the server.
</para></step>
</procedure>
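<para>
The two entries above decide access in a fixed order: a daemon/client pair that matches <filename>hosts.allow</filename> is admitted, otherwise a pair that matches <filename>hosts.deny</filename> is refused, otherwise access is granted. The script below is an added example, not part of the book or of the tcp-wrappers package: a simplified offline evaluator of that decision, run against constructed copies of the two files written to a temporary directory rather than to <filename class="directory">/etc</filename>. It understands ALL, exact daemon names, exact client addresses and host names, user@host client patterns (only the host part is compared), ".domain" suffixes and "net." prefixes; it does not implement EXCEPT, net/mask patterns, LOCAL/KNOWN/UNKNOWN, the shell-command field, or the DNS cross-check behind PARANOID, which therefore never matches here.
</para>
```sh
#!/bin/sh
# Added example, not from the book or from tcp_wrappers: an offline evaluator of
# the hosts.allow / hosts.deny decision for one daemon and one client.
# Simplified matcher: ALL, exact daemon names, exact client IPs and host names,
# user@host client patterns (host part only), ".domain" suffixes, "net." prefixes.
# Not implemented: EXCEPT, net/mask, LOCAL/KNOWN/UNKNOWN, shell commands, and the
# DNS cross-check behind PARANOID (a PARANOID token never matches here).

# wrappers_match FILE DAEMON CLIENT: exit 0 if some entry in FILE matches the pair
wrappers_match() {
    awk -v daemon="$2" -v client="$3" '
    # one pattern against one value; strip_user=1 for client patterns (user@host)
    function tok_match(tok, value, strip_user,    h, lt, lv) {
        if (tok == "ALL") return 1
        h = tok
        if (strip_user) sub(/^[^@]*@/, "", h)       # user@host: compare the host part
        if (h == "ALL") return 1
        if (h == value) return 1
        lt = length(h); lv = length(value)
        if (lv > lt) {
            if (h ~ /^\./) {                        # ".domain" matches hosts in it
                if (substr(value, lv - lt + 1) == h) return 1
            }
            if (h ~ /\.$/) {                        # "net." matches addresses in it
                if (substr(value, 1, lt) == h) return 1
            }
        }
        return 0
    }
    # a comma/space separated list against one value
    function list_match(list, value, strip_user,    n, i, t) {
        n = split(list, t, /[ \t,]+/)
        for (i = 1; n >= i; i++) {
            if (t[i] != "") {
                if (tok_match(t[i], value, strip_user)) return 1
            }
        }
        return 0
    }
    {
        sub(/#.*/, "")                              # drop comments
        if ($0 ~ /^[ \t]*$/) next                   # and blank lines
        nf = split($0, f, ":")                      # daemon_list : client_list [: command]
        if (nf >= 2) {
            if (list_match(f[1], daemon, 0)) {
                if (list_match(f[2], client, 1)) { found = 1; exit }
            }
        }
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# wrappers_decision ALLOW_FILE DENY_FILE DAEMON CLIENT: prints allow or deny,
# in hosts_access order: hosts.allow first, then hosts.deny, otherwise allow
wrappers_decision() {
    if wrappers_match "$1" "$3" "$4"; then
        echo allow
    elif wrappers_match "$2" "$3" "$4"; then
        echo deny
    else
        echo allow
    fi
}

# Demonstration with constructed copies of the two entries from the procedure above
demo() {
    dir=$(mktemp -d)
    printf 'imapd: 216.209.228.34 my.domain.com\n' > "$dir/hosts.allow"
    printf 'ALL: ALL@ALL, PARANOID\n' > "$dir/hosts.deny"
    for c in 216.209.228.34 my.domain.com 10.1.2.3; do
        printf 'imapd from %-16s -> %s\n' "$c" \
            "$(wrappers_decision "$dir/hosts.allow" "$dir/hosts.deny" imapd "$c")"
    done
    rm -rf "$dir"
}
demo
```
<para>
The demonstration prints allow for the two listed clients and deny for any other address, and an unlisted daemon such as ipop3d is denied by the ALL line. On the server itself the authoritative check is <command>tcpdmatch</command> from the tcp-wrappers package, for example <command>tcpdmatch</command> <userinput>imapd 216.209.228.34</userinput>, which applies the full matching rules against the live files.
</para>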
<section>
<title>Securing <acronym>IMAP</acronym>/<acronym>POP</acronym></title>
<!--
xsltproc-20903 and docbook-xsl-stylesheets-1.78.1+svn9743 manage to
generate FO that confuses xmlgraphics-fop-1.1; but commenting
out just this one attribute makes it possible to build the
entire document
-->
<!-- <qandaset defaultlabel="none"> -->
<qandaset>
<qandaentry><question><para>
Do you really need <acronym>IMAP</acronym>/<acronym>POP</acronym> service?
</para></question><answer><para>
Be aware that <acronym>IMAP</acronym>/<acronym>POP</acronym> programs use plain text passwords by default. Anyone running a sniffer program along your network path can grab your username/password and use them
to log in as you. Using an <acronym>IMAP</acronym>/<acronym>POP</acronym> mail reader on your Linux system does not mean that you need to run an <acronym>IMAP</acronym>/<acronym>POP</acronym> server locally.
Check your configuration, and if you use a remote/external <acronym>IMAP</acronym>/<acronym>POP</acronym> server then uninstall <acronym>IMAP</acronym>/<acronym>POP</acronym> on your system.
<mediaobject><imageobject><imagedata fileref="./images/IMAP-Sniffer-Schema.gif" format="GIF" /></imageobject>
<textobject><phrase>Sniffer attack?</phrase></textobject>
</mediaobject>
</para></answer>
</qandaentry>
</qandaset>
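<para>
The advice to check your configuration, together with the earlier recommendation to remove the daemon binaries you do not use, can be turned into a small audit. The script below is an added example, not part of the book: it reads an <filename>inetd.conf</filename> and a directory of daemons and reports, for each of ipop2d, ipop3d and imapd, whether inetd starts it, whether it runs through <command>tcpd</command>, and whether a binary is still installed for a service that is disabled. The <filename>inetd.conf</filename> lines and the daemon directory it runs against are constructed in a temporary directory.
</para>
```sh
#!/bin/sh
# Added example, not from the book: an exposure check for the three mail daemons
# built in this chapter. It answers, per daemon: does inetd start it, does it go
# through tcpd (so hosts.allow/hosts.deny apply), and is a binary still installed
# for a service that is not enabled (the case the Important note says to remove).

# audit_mail_daemons INETD_CONF SBIN_DIR: one status line per daemon
audit_mail_daemons() {
    conf=$1; sbin=$2
    for daemon in ipop2d ipop3d imapd; do
        # inetd.conf fields: service type proto wait user server-program [args...]
        state=$(awk -v d="$daemon" '
            /^[ \t]*#/ { next }              # commented out: the service is disabled
            NF >= 6 {
                # tcpd form names the daemon as the first argument ($7);
                # the direct form runs the daemon as the server program ($6)
                if ($7 == d) {
                    if ($6 ~ /\/tcpd$/) print "enabled (tcpd)"
                    else print "enabled (no tcpd)"
                    exit
                }
                if ($6 ~ ("/" d "$")) { print "enabled (no tcpd)"; exit }
            }' "$conf")
        if [ -n "$state" ]; then
            echo "$daemon: $state"
        elif [ -x "$sbin/$daemon" ]; then
            echo "$daemon: disabled but still installed in $sbin, remove it"
        else
            echo "$daemon: absent"
        fi
    done
}

# Demonstration with constructed copies of the three inetd.conf lines from the
# procedure above and a stand-in for /usr/sbin that still holds ipop3d and imapd
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sbin"
    printf '%s\n' \
        '#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d' \
        '#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d' \
        'imap stream tcp nowait root /usr/sbin/tcpd imapd' > "$d/inetd.conf"
    : > "$d/sbin/ipop3d"; : > "$d/sbin/imapd"
    chmod 755 "$d/sbin/ipop3d" "$d/sbin/imapd"
    audit_mail_daemons "$d/inetd.conf" "$d/sbin"
    rm -rf "$d"
}
demo
```
<para>
Run it against <filename>/etc/inetd.conf</filename> and <filename class="directory">/usr/sbin</filename> on the server. An "enabled (no tcpd)" line means the daemon is started directly and bypasses the <filename>hosts.allow</filename>/<filename>hosts.deny</filename> control described above; a "disabled but still installed" line is a binary to remove.
</para>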
<sidebar>
<title>Using <acronym>SSL</acronym> capabilities over <acronym>IMAP</acronym>/<acronym>POP</acronym></title>
<para>
Unfortunately, due to US government export restrictions, the <acronym>IMAP</acronym> toolkit with <acronym>SSL</acronym> capability is
currently not available. There are packages available from third parties that allow <acronym>IMAP</acronym> and POP3 sessions through <acronym>SSL</acronym>. One of these packages is WebMail IMP, a web interface that permits you to read your mail over
the Internet with a web browser. WebMail IMP uses the <acronym>SSL</acronym> protocol to encrypt the communication with the <acronym>IMAP</acronym>/<acronym>POP</acronym> server. See part IV, Software-Related Reference, in Chapter 19,
Servers Software (Web Network Services) for more information on the topic.
<mediaobject>
<imageobject><imagedata fileref="./images/Webmail-IMP.gif" format="GIF"/></imageobject>
<textobject><phrase>Webmail-IMP web browser interface</phrase></textobject>
</mediaobject>
</para>
</sidebar>
<para>
With WebMail IMP, communications from the mail server through to the client machine are encrypted with the SSL protocol using a web browser.
</para>
<para>
For more details, there are several man pages you can read:
<variablelist><varlistentry>
<term><citerefentry><refentrytitle>imapd</refentrytitle><manvolnum>8C</manvolnum></citerefentry></term>
<listitem><para>
- Internet Message Access Protocol server
</para></listitem>
</varlistentry>
<varlistentry>
<term><citerefentry><refentrytitle>ipopd</refentrytitle><manvolnum>8C</manvolnum></citerefentry></term>
<listitem><para>
- Post Office Protocol server
</para></listitem>
</varlistentry>
</variablelist>
</para>
</section>
</section>
<section><?dbhtml filename="chap23sec191.html"?>
<title>Installed files</title>
<para>
These are the files installed by <acronym>IMAP/POP</acronym> software:
</para>
<simplelist type="horiz" columns="3">
<member><filename>/etc/pam.d/imap</filename></member>
<member><filename>/etc/pam.d/pop</filename></member>
<member><filename>/usr/include/imap</filename></member>
<member><filename>/usr/include/imap/dummy.h</filename></member>
<member><filename>/usr/include/imap/env.h</filename></member>
<member><filename>/usr/include/imap/env_unix.h</filename></member>
<member><filename>/usr/include/imap/fdstring.h</filename></member>
<member><filename>/usr/include/imap/flstring.h</filename></member>
<member><filename>/usr/include/imap/fs.h</filename></member>
<member><filename>/usr/include/imap/ftl.h</filename></member>
<member><filename>/usr/include/imap/imap4r1.h</filename></member>
<member><filename>/usr/include/imap/linkage.h</filename></member>
<member><filename>/usr/include/imap/lockfix.h</filename></member>
<member><filename>/usr/include/imap/mail.h</filename></member>
<member><filename>/usr/include/imap/mbox.h</filename></member>
<member><filename>/usr/include/imap/mbx.h</filename></member>
<member><filename>/usr/include/imap/mh.h</filename></member>
<member><filename>/usr/include/imap/misc.h</filename></member>
<member><filename>/usr/include/imap/mmdf.h</filename></member>
<member><filename>/usr/include/imap/mtx.h</filename></member>
<member><filename>/usr/include/imap/mx.h</filename></member>
<member><filename>/usr/include/imap/netmsg.h</filename></member>
<member><filename>/usr/include/imap/news.h</filename></member>
<member><filename>/usr/include/imap/newsrc.h</filename></member>
<member><filename>/usr/include/imap/nl.h</filename></member>
<member><filename>/usr/include/imap/nntp.h</filename></member>
<member><filename>/usr/include/imap/os_a32.h</filename></member>
<member><filename>/usr/include/imap/os_a41.h</filename></member>
<member><filename>/usr/include/imap/os_aix.h</filename></member>
<member><filename>/usr/include/imap/os_aos.h</filename></member>
<member><filename>/usr/include/imap/os_art.h</filename></member>
<member><filename>/usr/include/imap/os_asv.h</filename></member>
<member><filename>/usr/include/imap/os_aux.h</filename></member>
<member><filename>/usr/include/imap/os_bsd.h</filename></member>
<member><filename>/usr/include/imap/os_bsi.h</filename></member>
<member><filename>/usr/include/imap/os_cvx.h</filename></member>
<member><filename>/usr/include/imap/os_d-g.h</filename></member>
<member><filename>/usr/include/imap/os_do4.h</filename></member>
<member><filename>/usr/include/imap/os_drs.h</filename></member>
<member><filename>/usr/include/imap/os_dyn.h</filename></member>
<member><filename>/usr/include/imap/os_hpp.h</filename></member>
<member><filename>/usr/include/imap/os_isc.h</filename></member>
<member><filename>/usr/include/imap/os_lnx.h</filename></member>
<member><filename>/usr/include/imap/os_lyn.h</filename></member>
<member><filename>/usr/include/imap/os_mct.h</filename></member>
<member><filename>/usr/include/imap/os_mnt.h</filename></member>
<member><filename>/usr/include/imap/os_nxt.h</filename></member>
<member><filename>/usr/include/imap/os_os4.h</filename></member>
<member><filename>/usr/include/imap/os_osf.h</filename></member>
<member><filename>/usr/include/imap/os_ptx.h</filename></member>
<member><filename>/usr/include/imap/os_pyr.h</filename></member>
<member><filename>/usr/include/imap/os_qnx.h</filename></member>
<member><filename>/usr/include/imap/os_s40.h</filename></member>
<member><filename>/usr/include/imap/os_sc5.h</filename></member>
<member><filename>/usr/include/imap/os_sco.h</filename></member>
<member><filename>/usr/include/imap/os_sgi.h</filename></member>
<member><filename>/usr/include/imap/os_shp.h</filename></member>
<member><filename>/usr/include/imap/os_slx.h</filename></member>
<member><filename>/usr/include/imap/os_sol.h</filename></member>
<member><filename>/usr/include/imap/os_sos.h</filename></member>
<member><filename>/usr/include/imap/os_sun.h</filename></member>
<member><filename>/usr/include/imap/os_sv2.h</filename></member>
<member><filename>/usr/include/imap/os_sv4.h</filename></member>
<member><filename>/usr/include/imap/os_ult.h</filename></member>
<member><filename>/usr/include/imap/os_vu2.h</filename></member>
<member><filename>/usr/include/imap/osdep.h</filename></member>
<member><filename>/usr/include/imap/phile.h</filename></member>
<member><filename>/usr/include/imap/pop3.h</filename></member>
<member><filename>/usr/include/imap/pseudo.h</filename></member>
<member><filename>/usr/include/imap/rfc822.h</filename></member>
<member><filename>/usr/include/imap/smtp.h</filename></member>
<member><filename>/usr/include/imap/tcp.h</filename></member>
<member><filename>/usr/include/imap/tcp_unix.h</filename></member>
<member><filename>/usr/include/imap/tenex.h</filename></member>
<member><filename>/usr/include/imap/unix.h</filename></member>
<member><filename>/usr/include/imap/utf8.h</filename></member>
<member><filename>/usr/include/imap/shortsym.h</filename></member>
<member><filename>/usr/lib/c-client.a</filename></member>
<member><filename>/usr/lib/libimap.a</filename></member>
<member><filename>/usr/man/man8/ipopd.8c</filename></member>
<member><filename>/usr/man/man8/imapd.8c</filename></member>
<member><filename>/usr/sbin/ipop2d</filename></member>
<member><filename>/usr/sbin/ipop3d</filename></member>
<member><filename>/usr/sbin/imapd</filename></member>
</simplelist>
</section>
</chapter>
<chapter label="24" id="pr6ch24SoNE"><?dbhtml filename="netencrypt.html"?>
<title>Software -Networking/Encryption</title>
<highlights><para>
Most server software like <acronym>IMAP</acronym> &amp; <acronym>POP</acronym>, Samba, OpenLDAP, <acronym>FTP</acronym>, Apache, and others that ask for user authentication before allowing access to services, by default transmit the user's
identification and password in plain text. Encryption mechanisms like <acronym>SSL</acronym>, on the other hand, ensure safe and secure transactions: with this technology, data going over the network is encrypted point-to-point. Once OpenSSL
has been installed on your Linux server you can use it as a third party tool to enable other applications with <acronym>SSL</acronym> functionality.
</para></highlights>
<section id="pr6ch24sc1ossl" xreflabel="OPENSSL"><?dbhtml filename="opssl.html"?>
<title>Linux OPENSSL Server</title>
<epigraph>
<attribution>From the <citation>OpenSSL web site</citation></attribution>
<para>
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer; <acronym>SSL</acronym> v2/v3, and Transport Layer Security -<acronym>TLS</acronym> v1
protocols with full-strength cryptography. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
<mediaobject><imageobject><imagedata fileref="./images/SSL-Schema.gif" format="GIF" /></imageobject>
<textobject><phrase>
Cryptographic Technology
</phrase></textobject>
</mediaobject>
</para>
</epigraph>
<para>
The main advantages gained by using encryption technology follow:
<variablelist>
<title>Cryptography Advantages</title>
<varlistentry>
<term>Data Confidentiality</term>
<listitem><para>
When a message is encrypted, the input plain text is transformed by an algorithm into enciphered text that hides the meaning of the message and can be sent via any public mechanism. This process involves a secret
key that is used to encrypt and later decrypt the data. Without the secret key, the encrypted data is meaningless.
</para></listitem>
</varlistentry>
<varlistentry>
<term>Data Integrity</term>
<listitem><para>
A cryptographic checksum, called a message authentication code -<acronym>MAC</acronym>, can be calculated on arbitrary user-supplied text to protect the integrity of data. The text and its <acronym>MAC</acronym>
are then sent to the receiver, which verifies the trial <acronym>MAC</acronym> appended to the message by recalculating the <acronym>MAC</acronym> for the message with the appropriate secret key and checking that
the result exactly equals the trial <acronym>MAC</acronym>.
</para></listitem>
</varlistentry>
<varlistentry>
<term>Authentication</term>
<listitem><para>
Personal identification is another use of cryptography, where the user/sender knows a secret, which can serve to authenticate his/her identity.
</para></listitem>
</varlistentry>
<varlistentry>
<term>Electronic Signature</term>
<listitem><para>
A digital signature assures the sender and receiver that the message is authentic and that only the owner of the key could have generated the digital signature.
</para></listitem>
</varlistentry>
</variablelist>
</para>
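<para>
The first two items, confidentiality and integrity, can be exercised directly with the <command>openssl</command> command-line tool that this chapter installs. The script below is an added example, not from the book or the OpenSSL project: it encrypts and decrypts a message under a secret key, then computes a <acronym>MAC</acronym> (HMAC-SHA256) over the message and verifies it the way the receiver described above does, by recomputing it with the same key and comparing. The key and message are constructed; the commands need OpenSSL 1.1.1 or later for the <literal>-pbkdf2</literal> option.
</para>
```sh
#!/bin/sh
# Added example, not from the book or the OpenSSL project: the "Data
# Confidentiality" and "Data Integrity" items above, carried out with the
# openssl command-line tool this chapter installs. Key and message are
# constructed. Requires OpenSSL 1.1.1 or later (enc -pbkdf2).

# seal KEY MESSAGE: MESSAGE encrypted with AES-256-CBC under a key derived
# from KEY with PBKDF2, printed as a single base64 line
seal() {
    printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:"$1" -base64 -A
}

# unseal KEY CIPHERTEXT: the reverse; exits non-zero on a wrong key or
# damaged ciphertext
unseal() {
    printf '%s' "$2" | openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:"$1" -base64 -A
}

# mac_of KEY MESSAGE: HMAC-SHA256 over MESSAGE, as 64 lowercase hex digits
mac_of() {
    # keep only the last field: OpenSSL 1.1 prints "(stdin)= hex",
    # OpenSSL 3 prints "HMAC-SHA2-256(stdin)= hex"
    printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{ print $NF }'
}

# mac_verify KEY MESSAGE MAC: what the receiver does, recompute and compare;
# exit status 0 means the message is intact and was produced by a key holder
mac_verify() {
    [ "$(mac_of "$1" "$2")" = "$3" ]
}

# Demonstration
key='constructed-demo-key'
msg='Transfer 100 to account 42'
ct=$(seal "$key" "$msg")
echo "ciphertext: $ct"
echo "decrypted:  $(unseal "$key" "$ct")"
tag=$(mac_of "$key" "$msg")
echo "mac:        $tag"
if mac_verify "$key" "$msg" "$tag"; then echo "original message: MAC verified"; fi
if ! mac_verify "$key" 'Transfer 900 to account 42' "$tag"; then echo "tampered message: MAC mismatch"; fi
if ! mac_verify 'wrong-key' "$msg" "$tag"; then echo "wrong key: MAC mismatch"; fi
```
<para>
Passing the key on the command line, as done here for brevity, exposes it to other users through the process list; for a real key use the <literal>-pass file:</literal> or <literal>-pass env:</literal> forms instead. The shell string comparison in <function>mac_verify</function> is also not constant-time; application code that verifies a <acronym>MAC</acronym> should use a constant-time comparison.
</para>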
<warning id="pr6ch24sc1wr">
<title>Patents</title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Warning.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Warning</phrase></textobject>
</mediaobject>
<para>
Several legal issues exist for <acronym>SSL</acronym> technology. If you intend to use OpenSSL for commercial purposes, you may need to obtain a license from <acronym>RSA</acronym> regarding the use of the <acronym>RSA</acronym> libraries.
</para>
<para>
Here's an excerpt from the README file of OpenSSL:
Various companies hold various patents for various algorithms in various locations around the world. _YOU_ are responsible for ensuring that your use of any algorithms is legal by checking if there are any patents
in your country. This file contains some of the patents that we know about or are rumored to exist. This is not a definitive list.
<itemizedlist>
<listitem><para>
<acronym>RSA</acronym> Data Security holds software patents on the <acronym>RSA</acronym> and <acronym>RC5</acronym> algorithms. If their ciphers are used inside the USA and Japan?, you must contact <acronym>RSA</acronym>
Data Security for licensing conditions. Their web page is <link linkend="prtinxfp21">http://www.rsa.com/.</link>
</para></listitem><listitem><para>
<acronym>RC4</acronym> is a trademark of <acronym>RSA</acronym> Data Security, so use of this label should perhaps only be used with <acronym>RSA</acronym> Data Security's permission.
</para></listitem><listitem><para>
The <acronym>IDEA</acronym> algorithm is patented by Ascom in Austria, France, Germany, Italy, Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA. They should be contacted if that algorithm is to be
used; their web page is <link linkend="prtinxfp21">http://www.ascom.ch/</link>
</para></listitem>
</itemizedlist>
</para>
</warning>
<para>
These installation instructions assume:
<itemizedlist><listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename class="directory">/var/tmp</filename> -<emphasis>other paths are possible</emphasis>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>.
</para></listitem><listitem><para>
OpenSSL version number is 0.9.5a
</para></listitem>
</itemizedlist>
</para>
<para>
Before you decompress the tarballs, it is a good idea to make a list of files on the system before you install OpenSSL, and one afterwards, and then compare them using <command>diff</command> to find out which files it placed
where. Simply run <command>find</command> <userinput>/* &gt; OpenSSL1</userinput> before and <command>find</command> <userinput>/* &gt; OpenSSL2</userinput> after you install the software, and use <command>diff</command> <userinput>OpenSSL1 OpenSSL2 &gt; OpenSSL-Installed</userinput>
to get a list of what changed.
</para>
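<para>
The file-list comparison recommended here (and earlier for the <acronym>IMAP</acronym>/<acronym>POP</acronym> installation) can be scripted so that it also catches files an installation overwrites in place, which a plain <command>find</command> listing misses because the path is unchanged. The shell functions below are an added example, not part of the book or of OpenSSL; they assume only POSIX <command>sh</command>, <command>find</command>, <command>cksum</command>, <command>sort</command> and <command>comm</command>, and the directory tree used in the demonstration is constructed.
</para>
```sh
#!/bin/sh
# Added example, not from the book: before/after installation snapshots that
# extend the "find /* > File1 ... diff File1 File2" recipe. Regular files are
# recorded with their cksum, so a file that an installer overwrites in place is
# reported too, not only paths that appear or disappear.
LC_ALL=C; export LC_ALL        # byte-order collation so sort and comm agree

# snapshot_tree ROOT OUTFILE: one sorted line per path below ROOT; regular
# files are written as "crc size path", everything else as the bare path.
snapshot_tree() {
    {
        find "$1" -type f -exec cksum {} +
        find "$1" ! -type f
    } | sort > "$2"
}

# installed_changes BEFORE AFTER: lines present only in AFTER, i.e. the files
# the installation created or modified (a modified file has a new crc line).
installed_changes() {
    comm -13 "$1" "$2"
}

# removed_or_replaced BEFORE AFTER: lines present only in BEFORE, i.e. files the
# installation deleted plus the old versions of the files it overwrote.
removed_or_replaced() {
    comm -23 "$1" "$2"
}

# Demonstration on a constructed tree; on a real server you would snapshot /
# (pruning volatile trees such as /proc) before and after "make install".
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/root/usr/sbin"
    printf 'old imapd\n' > "$d/root/usr/sbin/imapd"
    snapshot_tree "$d/root" "$d/Imap1"                 # before the installation
    printf 'new imapd\n' > "$d/root/usr/sbin/imapd"    # overwritten in place
    printf 'ipop3d\n' > "$d/root/usr/sbin/ipop3d"      # newly installed
    snapshot_tree "$d/root" "$d/Imap2"                 # after the installation
    echo '--- created or modified:'
    installed_changes "$d/Imap1" "$d/Imap2"
    echo '--- removed or replaced:'
    removed_or_replaced "$d/Imap1" "$d/Imap2"
    rm -rf "$d"
}
demo
```
<para>
The two snapshot files play the role of Imap1/Imap2 or OpenSSL1/OpenSSL2 in the recipe above. Because every regular file is listed with its checksum, the "created or modified" output is also the place to look for a setuid or system binary that a build silently replaced.
</para>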
<para>
These are the Package(s) required:
<simplelist>
<member>
OpenSSL Homepage: <link linkend="prtinxfp22">http://www.openssl.org/</link>
</member><member>
You must be sure to download: openssl-0.9.5a.tar.gz
</member>
</simplelist>
</para>
<para>
To compile, you need to decompress the tarball (tar.gz):
<screen>
[root@deep] /# <command>cp</command> openssl-version.tar.gz /var/tmp
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf openssl-version.tar.gz
</screen>
</para>
</section>
<section><?dbhtml filename="chap24sec192.html"?>
<title>Compile and Optimize</title>
<para>
Move into the new Openssl directory and type the following commands on your terminal:
</para>
<procedure>
<step><para>
Edit the <filename>c_rehash</filename> file, <command>vi</command> +11 <filename>tools/c_rehash</filename> and change the line:
<programlisting>
DIR=/usr/local/ssl
</programlisting>
To read:
<programlisting>
DIR=/usr
</programlisting>
The changed line above will build and install OpenSSL in the default location <filename class="directory">/usr</filename>.
</para></step>
<step><para>
By default, the OpenSSL source files assume that your Perl interpreter is located at <filename>/usr/local/bin/perl</filename>. We must modify the <markup>#!/usr/local/bin/perl</markup> line
in all scripts that rely on perl to reflect the location of Perl under Red Hat Linux, which is <filename class="directory">/usr/bin</filename>.
<screen>
[root@deep ]/openssl-0.9.5a# <command>perl</command> util/perlpath.pl /usr/bin <co id="prssl"/>
</screen>
<calloutlist><callout arearefs="prssl">
<para>
the directory where your perl program resides.
</para>
</callout></calloutlist>
</para></step>
<step><para>
OpenSSL must know where to find the necessary OpenSSL libraries to compile its required files successfully. With the command below, we set the <literal>LD_LIBRARY_PATH</literal> environment variable to the directory where we
have uncompressed the OpenSSL source files.
<screen>
[root@deep ]/openssl-0.9.5a# <command>export</command> LD_LIBRARY_PATH=`pwd`
</screen>
</para></step>
<step><para>
Now, we must configure OpenSSL for our system:
<programlisting>
CC="egcs" \
./Configure linux-elf -DSSL_FORBID_ENULL \ <co id="dsfrd"/>
--prefix=/usr \
--openssldir=/etc/ssl
</programlisting>
<calloutlist><callout arearefs="dsfrd">
<para>
The <envar>-DSSL_FORBID_ENULL</envar> option is required to disallow null encryption, that is, <acronym>SSL</acronym> sessions that negotiate a cipher with no encryption at all, for security reasons.
</para>
</callout></calloutlist>
</para></step>
<step><para>
Edit the <filename>Makefile.ssl</filename> file and change the following lines:
</para>
<substeps>
<step><para>
<command>vi</command> +50 <filename>Makefile.ssl</filename>
<programlisting>
CC= gcc
</programlisting>
To read:
<programlisting>
CC= egcs
</programlisting>
</para></step>
<step><para>
Edit with <command>vi</command> +52 <filename>Makefile.ssl</filename> and add/change the following line:
<programlisting>
CFLAG= -DTHREADS -D_REENTRANT -DSSL_FORBID_ENULL -DL_ENDIAN -DTERMIO -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
</programlisting>
</para></step>
<step><para>
Edit with <command>vi</command> +79 <filename>Makefile.ssl</filename> and add the following value for a Pentium Pro processor:
<programlisting>
PROCESSOR= 686
</programlisting>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
The three modifications we made above set the optimization flags for the compilation of OpenSSL on the server. For the last modification, <envar>PROCESSOR=</envar>, use
<literal>586</literal> for a Pentium, <literal>686</literal> for a Pentium Pro/II/III, or <literal>486</literal> for a 486, depending on the type of processor you have.
</para></note>
</para></step>
<step><para>
Edit with <command>vi</command> +161 <filename>Makefile.ssl</filename> and change the following line:
<programlisting>
MANDIR=$(OPENSSLDIR)/man
</programlisting>
To read:
<programlisting>
MANDIR=/usr/man
</programlisting>
This step is necessary to set the directory for where the man pages of OpenSSL will be installed. With this modification, we install them under <filename class="directory">/usr/man</filename> directory.
</para></step>
</substeps>
</step>
</procedure>
<para>
Now we must compile and install OpenSSL on the server:
<screen>
[root@deep ]/openssl-0.9.5a# <command>make</command> -f Makefile
[root@deep ]/openssl-0.9.5a# <command>make</command> test
[root@deep ]/openssl-0.9.5a# <command>make</command> install
[root@deep ]/openssl-0.9.5a# <command>mv</command> /etc/ssl/misc/* /usr/bin/
[root@deep ]/openssl-0.9.5a# <command>rm</command> -rf /etc/ssl/misc/
[root@deep ]/openssl-0.9.5a# <command>rm</command> -rf /etc/ssl/lib/
[root@deep ]/openssl-0.9.5a# <command>rm</command> -f /usr/bin/CA.pl
[root@deep ]/openssl-0.9.5a# <command>rm</command> -f /usr/bin/CA.sh
[root@deep ]/openssl-0.9.5a# <command>install</command> -m 644 libRSAglue.a /usr/lib/
[root@deep ]/openssl-0.9.5a# <command>install</command> -m 644 rsaref/rsaref.h /usr/include/openssl/
[root@deep ]/openssl-0.9.5a# <command>strip</command> /usr/bin/openssl
[root@deep ]/openssl-0.9.5a# <command>mkdir</command> -p /etc/ssl/crl
</screen>
</para> <para>
<itemizedlist><listitem><para>
The <command>make</command> -f command will build the OpenSSL libraries, <filename>libcrypto.a</filename> and <filename>libssl.a</filename>, and the OpenSSL binary, <filename>openssl</filename>. The libraries
will be built in the top-level directory, and the binary will be in the <filename class="directory">apps</filename> directory.
</para></listitem><listitem><para>
After a successful build, the <command>make test</command> will test the libraries and finally the <command>make install</command> will create the installation directory and <command>install</command> OpenSSL.
</para></listitem><listitem><para>
The <command>mv</command> command will move all files under the <filename class="directory">/etc/ssl/misc/</filename> directory to the <filename class="directory">/usr/bin/</filename> directory. These
files are executable programs and must be located under <filename class="directory">/usr/bin/</filename> since, on our system, all binary files are kept in this directory. Putting these files in the <filename class="directory">/usr/bin/</filename>
directory also keeps them in our <literal>PATH</literal> environment variable.
</para></listitem><listitem><para>
The <command>rm</command> command will remove the <filename class="directory">/etc/ssl/misc/</filename> and <filename class="directory">/etc/ssl/lib/</filename> directories from our system, since the files that were in these directories are
now located in other places. It will also remove the <filename>CA.pl</filename> and <filename>CA.sh</filename> files, small scripts used to create your own CA certificates. These scripts wrap the <command>openssl ca</command>
command, which has some strange requirements, and the default OpenSSL configuration doesn't allow one to use <command>openssl ca</command> easily and directly. So we'll create the <filename>sign.sh</filename> script later to replace them.
</para></listitem>
</itemizedlist>
</para>
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The <literal>bc-1.05a-4.i386.rpm</literal> package or higher must be already installed on your Linux server or you'll receive an error message during the library test of OpenSSL.
</para></caution>
<para>
Please don't forget to clean up later:
<screen>
[root@deep] /# <command>cd</command> /var/tmp
[root@deep tmp]# <command>rm</command> -rf openssl-version/ openssl-version.tar.gz
</screen>
The <command>rm</command> command will remove all the source files we have used to compile and install OpenSSL. It will also remove the OpenSSL compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap24sec193.html"?>
<title>Configure OpenSSL to optimise</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. It can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack it to any location on your local machine, for example <filename class="directory">/tmp</filename>; if you do so, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory, each piece of software has its own directory
holding its configuration files. For example, the <wordasword>OpenSSL</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 16
-rw-r--r-- 1 harrypotter harrypotter 7002 Jun 8 13:00 openssl.cnf
-rwxr-xr-x 1 harrypotter harrypotter 1847 Jun 8 13:00 sign.sh*
-rwx------ 1 harrypotter harrypotter 362 Jun 8 13:00 ssl.sh*
</computeroutput></literallayout>
You can either cut and paste these directly, if you have been following our instructions faithfully from the beginning, or edit them manually to suit your needs. This facility is provided as a convenience, but it remains your
responsibility to check and verify the files before you use them, whether modified or as they are.
</para>
</note>
<para>
To run OpenSSL Server, the following files are required and must be created or copied to the appropriate directories on your server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>openssl.cnf</filename> file to the <filename class="directory">/etc/ssl/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>sign.sh</filename> script file to the <filename class="directory">/usr/bin/</filename> directory.
</para></listitem>
</orderedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed below on our <filename>floppy.tgz</filename> archive. Copy the following files from the decompressed <filename>floppy.tgz</filename> archive to the appropriate places or copy and
paste them directly from this book to the concerned file.
</para></tip>
</section>
<section><?dbhtml filename="chap24sec194.html"?>
<title>The <filename>/etc/ssl/openssl.cnf</filename> file</title>
<para>
This is the general configuration file for the OpenSSL program, where you can configure the expiration date of your keys, the name of your organization, the address, etc. The parameters you may change will be in the <literal><optional> CA_default </optional></literal>
and especially the <literal><optional> req_distinguished_name </optional></literal> sections.
Edit the <filename>openssl.cnf</filename> file, <command>vi</command> <filename>/etc/ssl/openssl.cnf</filename>, and add or modify:
</para>
<programlisting>
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
RANDFILE = $ENV::HOME/.rnd
oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/ssl # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/ca.db.index # database index file.
new_certs_dir = $dir/ca.db.certs # default place for new certs.
certificate = $dir/certs/ca.crt # The CA certificate
serial = $dir/ca.db.serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/ca.db.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = md5 # which md to use.
Preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Quebec
localityName = Locality Name (eg, city)
localityName_default = Montreal
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Open Network Architecture
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Internet Department
commonName = Common Name (eg, YOUR name)
commonName_default = www.openna.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = admin@openna.com
emailAddress_max = 40
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_ca]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# RAW DER hex encoding of an extension: beware experts only!
# 1.2.3.5=RAW:02:03
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
</programlisting>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The file <filename>openssl.cnf</filename> already exists on your server once you have compiled and installed the OpenSSL program, and can be found under the <filename class="directory">/etc/ssl/</filename> directory. You
don't need to change all the default options set in this file; the settings you will usually change are in the <literal><optional> CA_default </optional></literal> and <literal><optional> req_distinguished_name </optional></literal> sections only.
</para></tip>
</section>
<section><?dbhtml filename="chap24sec195.html"?>
<title>Create the <filename>/usr/bin/sign.sh</filename> program file</title>
<para>
The <command>openssl ca</command> command has some strange requirements, and the default OpenSSL configuration doesn't allow one to use <command>openssl ca</command> easily and directly. Therefore, we'll create this <filename>sign.sh</filename>
program to replace it.
Create the <filename>sign.sh</filename> program file, <command>touch</command> <filename>/usr/bin/sign.sh</filename>, and add to this file:
</para>
<programlisting>
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##
# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh &lt;whatever&gt;.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
# derive the certificate file name from the request name (foo.csr -> foo.crt)
case $CSR in
    *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
    *     ) CERT="$CSR.crt" ;;
esac
# make sure environment exists (new certs directory, serial number, index)
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi
# create an own SSLeay config
cat &gt;ca.config &lt;&lt;EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = /etc/ssl
certs = /etc/ssl/certs
new_certs_dir = /etc/ssl/ca.db.certs
database = /etc/ssl/ca.db.index
serial = /etc/ssl/ca.db.serial
RANDFILE = /etc/ssl/ca.db.rand
certificate = /etc/ssl/certs/ca.crt
private_key = /etc/ssl/private/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT
# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
echo "CA verifying: $CERT &lt;-&gt; CA cert"
openssl verify -CAfile /etc/ssl/certs/ca.crt "$CERT"
# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old
# die gracefully
exit 0
</programlisting>
<para>
Now, make this program executable, and change its default permissions:
<screen>
[root@deep] /# <command>chmod</command> 755 /usr/bin/sign.sh
</screen>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can also find this program, <filename>sign.sh</filename>, in the mod_ssl distribution under the <filename class="directory">mod_ssl-version/pkg.contrib/</filename> subdirectory, or on our <filename>floppy.tgz</filename>
archive file. Also note that the <literal><optional> CA_own </optional></literal> section must be changed to reflect your own environment, and don't forget to change the <literal>openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT</literal> line too.
</para></tip>
</section>
<section><?dbhtml filename="chap24sec196.html"?>
<title>Commands -often used</title>
<para>
The commands listed below are some that we use often, but many more exist. Check the man pages and documentation for more details and information.
As an example, we'll show you how to create certificates for your Apache Web Server and/or how to set up your own Certifying Authority (<acronym>CA</acronym>) to sign your Certificate Signing Request yourself.
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
All commands listed below are assumed to be made in the <filename class="directory">/etc/ssl/</filename> directory.
</para></important>
<para>
Create a RSA private key protected with a passphrase for your Apache Server.
<screen>
[root@deep ]/ssl#<command>openssl</command> genrsa -des3 -out server.key 1024
</screen>
<literallayout class="monospaced"><computeroutput>
Generating RSA private key, 1024 bit long modulus
......................+++++
.....+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Please backup this server.key file and remember the pass-phrase you had to enter at a secure location.
</computeroutput></literallayout>
</para>
<para>
Generate a Certificate Signing Request <acronym>CSR</acronym> with the server <acronym>RSA</acronym> private key.
<screen>
[root@deep ]/ssl# <command>openssl</command> req -new -key server.key -out server.csr
</screen>
<literallayout class="monospaced"><computeroutput>
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [Open Network Architecture]:
Organizational Unit Name (eg, section) [Internet Department]:
Common Name (eg, YOUR name) [www.openna.com]:
Email Address [admin@openna.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
</computeroutput></literallayout>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Make sure you enter the <acronym>FQDN</acronym>, Fully Qualified Domain Name of the server when OpenSSL prompts you for the <literal>CommonName</literal>, i.e. when you generate a <acronym>CSR</acronym> for a website which will be
later accessed via <literal>https://www.mydomain.com/</literal>, enter <literal>www.mydomain.com</literal> here.
</para></note>
<para>
After generation of your Certificate Signing Request; <acronym>CSR</acronym>, you have two choices:
<orderedlist numeration="lowerroman">
<listitem><para>
The first is to send this request to a commercial Certifying Authority (<acronym>CA</acronym>) like Verisign or Thawte for signing. You usually have to post the <acronym>CSR</acronym> into a web form, pay for the signing, await the signed certificate and store
it in a <filename>server.crt</filename> file. The result is then a real certificate, which can be used with Apache.
</para></listitem><listitem><para>
The second is to use your own <acronym>CA</acronym> and sign the <acronym>CSR</acronym> yourself with that <acronym>CA</acronym>. This solution is economical, and allows an organization to host its own <acronym>CA</acronym> server and generate as many
certificates as it needs for internal use without paying a cent to a commercial <acronym>CA</acronym>. Unfortunately, using your own <acronym>CA</acronym> to generate certificates causes problems in electronic commerce, because customers need to have some trust
in your organization, which comes from the use of a recognized commercial <acronym>CA</acronym>.
</para></listitem>
</orderedlist>
See below on how to sign a <acronym>CSR</acronym> with your <acronym>CA</acronym> yourself.
</para>
<para>
Create a <acronym>RSA</acronym> private key for your <acronym>CA</acronym>.
<screen>
[root@deep ]/ssl# <command>openssl</command> genrsa -des3 -out ca.key 1024
</screen>
<literallayout class="monospaced"><computeroutput>
Generating RSA private key, 1024 bit long modulus
...........................+++++
............................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Please backup this ca.key file and remember the pass-phrase you had to enter at a secure location.
</computeroutput></literallayout>
</para>
<para>
Create a self-signed <acronym>CA</acronym> certificate <literal>x509</literal> structure with the <acronym>RSA</acronym> key of the <acronym>CA</acronym>.
<screen>
[root@deep ]/ssl# <command>openssl</command> req -new -x509 -days 365 -key ca.key -out ca.crt
</screen>
<literallayout class="monospaced"><computeroutput>
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [Open Network Architecture]:
Organizational Unit Name (eg, section) [Internet Department]:CA Marketing
Common Name (eg, YOUR name) [www.openna.com]:
Email Address [admin@openna.com]:
</computeroutput></literallayout>
<screen>
[root@deep ]/ssl# <command>mv</command> server.key private/
[root@deep ]/ssl# <command>mv</command> ca.key private/
[root@deep ]/ssl# <command>mv</command> ca.crt certs/
</screen>
</para>
<note>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Note</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The <command>req</command> command creates a self-signed certificate when the <parameter class="option">-x509</parameter> switch is used.
</para></note>
<para>
Signing a certificate request: here we create and use our own Certificate Authority (<acronym>CA</acronym>).
First prepare the script for signing, which is needed because the <command>openssl ca</command> command has some strange requirements, and the default OpenSSL configuration doesn't allow one to use <command>openssl ca</command>
easily and directly. The script, named <filename>sign.sh</filename>, is distributed on the floppy disk under the openssl directory. Use this script for signing.
Now you can use this <acronym>CA</acronym> to sign server <acronym>CSR</acronym>s in order to create real SSL certificates for use inside an Apache web server, assuming you already have a <filename>server.csr</filename> at hand:
<screen>
[root@deep ]/ssl# /usr/bin/sign.sh server.csr
</screen>
<literallayout class="monospaced"><computeroutput>
CA signing: server.csr -&gt; server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'CA'
stateOrProvinceName :PRINTABLE:'Quebec'
localityName :PRINTABLE:'Montreal'
organizationName :PRINTABLE:'Open Network Architecture'
organizationalUnitName :PRINTABLE:'Internet Department'
commonName :PRINTABLE:'www.openna.com'
emailAddress :IA5STRING:'admin@openna.com'
Certificate is to be certified until Dec 1 14:59:29 2000 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt &lt;-&gt; CA cert
server.crt: OK
</computeroutput></literallayout>
</para>
<para>
This signs the <acronym>CSR</acronym> and results in a server.crt file.
<screen>
[root@deep ]/ssl# <command>mv</command> server.crt certs/
</screen>
Now you have two files: <filename>server.key</filename> and <filename>server.crt</filename>. These can now, for example, be used as follows inside your Apache server's <filename>httpd.conf</filename> file:
<programlisting>
SSLCertificateFile /etc/ssl/certs/server.crt <co id="srpu"/>
SSLCertificateKeyFile /etc/ssl/private/server.key <co id="srprv"/>
</programlisting>
<calloutlist>
<callout arearefs="srpu"><para>
Our web server public key
</para></callout>
<callout arearefs="srprv"><para>
Our web server private key
</para></callout>
</calloutlist>
The <filename>server.csr</filename> file is no longer needed.
<screen>
[root@deep ]/ssl# <command>rm</command> -f server.csr
</screen>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
If you receive an error message during signing of the certificate, it's probably because you entered the wrong <acronym>FQDN</acronym>, Fully Qualified Domain Name, for the server when OpenSSL prompted you for
the <literal>CommonName</literal>; the <literal>CommonName</literal> must be something like <literal>my.domain.com</literal> and not <literal>domain.com</literal>. Also, since you generate both the server certificate
and the <acronym>CA</acronym> certificate, it's important that at least one piece of information differs between the two, or you may encounter problems during the signing of the certificate request.
</para></tip>
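<para>
The procedure of this section (CA key, self-signed CA certificate, server key, <acronym>CSR</acronym>, signing with <command>openssl ca</command>, verification) carried out end to end as one non-interactive script. This is an added example written for this section; it is not part of the book, of mod_ssl or of the OpenSSL distribution. It writes everything under a directory given as its argument rather than <filename class="directory">/etc/ssl</filename>, so it can be tried as an ordinary user, and it creates the same bookkeeping files (<filename>ca.db.serial</filename>, <filename>ca.db.index</filename>, <filename class="directory">ca.db.certs</filename>) and the same <literal>CA_own</literal> and <literal>policy_anything</literal> sections that <filename>sign.sh</filename> writes, plus the <literal>CA:FALSE</literal> extension that <filename>openssl.cnf</filename>'s <literal>usr_cert</literal> section puts on issued certificates. Two values differ from the book's commands on purpose, because current OpenSSL releases no longer accept MD5 signatures and 1024-bit RSA is below today's recommended size: 2048-bit keys and <literal>sha256</literal> as <literal>default_md</literal>. The passphrases, the <literal>Example Root CA</literal> name, the <option>-subj</option> strings and the script file name <filename>make_pki.sh</filename> are constructed sample values; the <option>-addext</option>, <option>-batch</option> and <option>-passin</option> switches need OpenSSL 1.1.1 or later.
</para>

```shell
#!/bin/sh
# Added example (not from the book, mod_ssl or OpenSSL): the CA and server
# certificate procedure of this section as one non-interactive script.
# Usage: sh make_pki.sh /some/dir   (hypothetical file name; the directory
# takes the place of /etc/ssl so this can be run as an ordinary user).
set -eu

# Constructed sample passphrases; on a real server choose your own.
CA_PASS='example-ca-passphrase'
SRV_PASS='example-server-passphrase'

# Minimal [ req ] section (the subject comes from -subj) plus the CA_own and
# policy_anything sections sign.sh writes, and the CA:FALSE extension that
# openssl.cnf's [ usr_cert ] puts on end-entity certificates.  sha256 and
# 2048-bit keys replace the book's md5 and 1024 bits for current releases.
write_config() {
    dir=$1
    printf '%s\n' \
        '[ req ]' \
        'distinguished_name = req_dn' \
        '[ req_dn ]' \
        '[ ca ]' \
        'default_ca = CA_own' \
        '[ CA_own ]' \
        "dir = $dir" \
        'certs = $dir/certs' \
        'new_certs_dir = $dir/ca.db.certs' \
        'database = $dir/ca.db.index' \
        'serial = $dir/ca.db.serial' \
        'certificate = $dir/certs/ca.crt' \
        'private_key = $dir/private/ca.key' \
        'default_days = 365' \
        'default_crl_days = 30' \
        'default_md = sha256' \
        'preserve = no' \
        'policy = policy_anything' \
        'x509_extensions = usr_cert' \
        '[ policy_anything ]' \
        'countryName = optional' \
        'stateOrProvinceName = optional' \
        'localityName = optional' \
        'organizationName = optional' \
        'organizationalUnitName = optional' \
        'commonName = supplied' \
        'emailAddress = optional' \
        '[ usr_cert ]' \
        'basicConstraints = CA:FALSE' \
        > "$dir/ca.config"
}

# Build the CA and issue one server certificate under $1.
# Returns 0 only when the issued certificate verifies against the CA.
make_pki() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/private" "$dir/ca.db.certs"
    chmod 700 "$dir/private"
    # the bookkeeping files sign.sh creates before calling openssl ca
    [ -f "$dir/ca.db.serial" ] || echo '01' > "$dir/ca.db.serial"
    [ -f "$dir/ca.db.index" ] || : > "$dir/ca.db.index"
    write_config "$dir"

    # 1. CA private key, passphrase-protected (openssl genrsa -des3)
    openssl genrsa -des3 -passout "pass:$CA_PASS" \
        -out "$dir/private/ca.key" 2048 2>/dev/null
    # 2. self-signed CA certificate (openssl req -new -x509), marked CA:TRUE
    #    so that openssl verify accepts it as an issuer
    openssl req -new -x509 -days 365 -config "$dir/ca.config" \
        -key "$dir/private/ca.key" -passin "pass:$CA_PASS" \
        -subj '/C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture/OU=CA Marketing/CN=Example Root CA' \
        -addext 'basicConstraints=critical,CA:TRUE' \
        -out "$dir/certs/ca.crt"
    # 3. server key and CSR; the CN must be the FQDN clients will connect to
    openssl genrsa -des3 -passout "pass:$SRV_PASS" \
        -out "$dir/private/server.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.config" \
        -key "$dir/private/server.key" -passin "pass:$SRV_PASS" \
        -subj '/C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture/OU=Internet Department/CN=www.openna.com' \
        -out "$dir/server.csr"
    # 4. sign the CSR with the CA; -batch answers the y/n prompts sign.sh shows
    openssl ca -batch -notext -config "$dir/ca.config" -passin "pass:$CA_PASS" \
        -out "$dir/certs/server.crt" -infiles "$dir/server.csr"
    # 5. the same check sign.sh performs last, then the book's cleanup
    openssl verify -CAfile "$dir/certs/ca.crt" "$dir/certs/server.crt"
    rm -f "$dir/server.csr" "$dir/ca.config"
}

# Subject CN of a certificate, to confirm the FQDN went into the request.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^ *CN=//p'
}

if [ $# -eq 1 ]; then
    make_pki "$1"
    echo "issued certificate for CN $(cert_cn "$1/certs/server.crt")"
fi
```

<para>
After a run, the directory holds the same layout as the book's <filename class="directory">/etc/ssl</filename>: the CA certificate under <filename class="directory">certs/</filename>, both keys under <filename class="directory">private/</filename> (mode 700, readable only by the owner), the issued copy under <filename class="directory">ca.db.certs/</filename> and the updated <filename>ca.db.index</filename>. Because <option>-batch</option> suppresses the <literal>Sign the certificate? [y/n]</literal> prompt, review the <acronym>CSR</acronym> with <command>openssl req -noout -text -in server.csr</command> before running such a script against a real CA.
</para>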
</section>
<section><?dbhtml filename="chap24sec197.html"?>
<title>Securing OpenSSL</title>
<para>
Make your keys <literal>Read and Write</literal> only by the super-user <literal>root</literal>. This is important because no one else needs to touch these files.
Use the following commands:
<screen>
[root@deep] /# <command>chmod</command> 600 /etc/ssl/certs/ca.crt
[root@deep] /# <command>chmod</command> 600 /etc/ssl/certs/server.crt
[root@deep] /# <command>chmod</command> 600 /etc/ssl/private/ca.key
[root@deep] /# <command>chmod</command> 600 /etc/ssl/private/server.key
</screen>
</para>
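<para>
The permission change above is worth checking again later, for instance from a periodic job, so that a key regenerated or restored from backup with looser permissions is noticed. The script below is an added example, not from the book: it verifies that each of the four files is a regular file, has mode 600 exactly and is owned by the expected user (<literal>root</literal> by default), and it can re-apply the <command>chmod</command> 600 from this section. Its sample tree, written under a directory you name, contains constructed placeholder text rather than real keys, and the script file name <filename>audit_ssl.sh</filename> is hypothetical.
</para>

```shell
#!/bin/sh
# Added example (not from the book): audit and re-apply the "read and write
# only by root" rule for the OpenSSL key and certificate files.
set -u

SSL_FILES='certs/ca.crt certs/server.crt private/ca.key private/server.key'

# Check one file.  Prints "OK path" or "BAD path (reason)"; returns 1 if bad.
# $2 is the owner the file must have: root on a real server.
check_key_file() {
    f=$1
    want_owner=${2:-root}
    if [ ! -f "$f" ]; then
        echo "BAD $f (missing or not a regular file)"; return 1
    fi
    # ls -ld prints: mode links owner group size date name
    set -- $(ls -ld "$f")
    mode=$1; owner=$3
    case $mode in
        # a trailing ".", "+" or "@" marks an SELinux label, ACL or xattrs
        -rw-------|-rw-------[.+@]) ;;
        *) echo "BAD $f (mode $mode, want -rw-------)"; return 1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "BAD $f (owner $owner, want $want_owner)"; return 1
    fi
    echo "OK $f"
}

# Audit all four files under a base directory (/etc/ssl on the real server).
# Returns the number of files that failed, so 0 means everything is in order.
audit_ssl_tree() {
    base=$1; want_owner=${2:-root}; bad=0
    for rel in $SSL_FILES; do
        check_key_file "$base/$rel" "$want_owner" || bad=$((bad + 1))
    done
    return $bad
}

# Re-apply the section's chmod 600 to the same four files.
harden_ssl_tree() {
    base=$1
    for rel in $SSL_FILES; do
        chmod 600 "$base/$rel"
    done
}

# Constructed sample tree with deliberately loose permissions (placeholder
# text only, no real key material) so the audit has something to flag.
make_sample_tree() {
    base=$1
    mkdir -p "$base/certs" "$base/private"
    for rel in $SSL_FILES; do
        echo "placeholder, not a real key or certificate" > "$base/$rel"
        chmod 644 "$base/$rel"
    done
}

# Usage: sh audit_ssl.sh /etc/ssl [owner]   or   sh audit_ssl.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); me=$(id -un 2>/dev/null || id -u)
    make_sample_tree "$d"
    audit_ssl_tree "$d" "$me" || echo "audit found $? problem(s); hardening"
    harden_ssl_tree "$d"
    audit_ssl_tree "$d" "$me" && echo "audit clean"
    rm -rf "$d"
elif [ $# -ge 1 ]; then
    audit_ssl_tree "$1" "${2:-root}"
fi
```

<para>
The mode is compared as the exact string <literal>-rw-------</literal> rather than with a "no group or other bits" test, so a key that is accidentally made executable or a symbolic link standing in for the file is reported too. Run with <option>--demo</option> the script builds the loose sample tree, reports four <literal>BAD</literal> lines, hardens it and reports a clean audit.
</para>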
<para>
OpenSSL can be used, for example, to:
<orderedlist numeration="lowerroman"><listitem><para>
Create your own Certificate Server.
</para></listitem><listitem><para>
Provide data confidentiality, integrity, authentication, and electronic signature in transmission for the users.
</para></listitem><listitem><para>
Secure electronic commerce transactions.
</para></listitem>
</orderedlist>
</para>
</section>
<section><?dbhtml filename="chap24sec198.html"?>
<title>Installed files</title>
<para>These are the files installed by the OpenSSL software on your hard disk:</para>
<simplelist type="horiz" columns="3">
<member><filename>/etc/ssl</filename></member>
<member><filename>/etc/ssl/crl</filename></member>
<member><filename>/etc/ssl/certs</filename></member>
<member><filename>/etc/ssl/private</filename></member>
<member><filename>/etc/ssl/openssl.cnf</filename></member>
<member><filename>/usr/bin/openssl</filename></member>
<member><filename>/usr/bin/c_rehash</filename></member>
<member><filename>/usr/bin/sign.sh</filename></member>
<member><filename>/usr/bin/c_hash</filename></member>
<member><filename>/usr/bin/c_info</filename></member>
<member><filename>/usr/bin/c_issuer</filename></member>
<member><filename>/usr/bin/c_name</filename></member>
<member><filename>/usr/bin/der_chop</filename></member>
<member><filename>/usr/include/openssl</filename></member>
<member><filename>/usr/include/openssl/e_os.h</filename></member>
<member><filename>/usr/include/openssl/e_os2.h</filename></member>
<member><filename>/usr/include/openssl/crypto.h</filename></member>
<member><filename>/usr/include/openssl/tmdiff.h</filename></member>
<member><filename>/usr/include/openssl/opensslv.h</filename></member>
<member><filename>/usr/include/openssl/opensslconf.h</filename></member>
<member><filename>/usr/include/openssl/ebcdic.h</filename></member>
<member><filename>/usr/include/openssl/md2.h</filename></member>
<member><filename>/usr/include/openssl/md5.h</filename></member>
<member><filename>/usr/include/openssl/sha.h</filename></member>
<member><filename>/usr/include/openssl/mdc2.h</filename></member>
<member><filename>/usr/include/openssl/hmac.h</filename></member>
<member><filename>/usr/include/openssl/ripemd.h</filename></member>
<member><filename>/usr/include/openssl/des.h</filename></member>
<member><filename>/usr/include/openssl/rc2.h</filename></member>
<member><filename>/usr/include/openssl/rc4.h</filename></member>
<member><filename>/usr/include/openssl/rc5.h</filename></member>
<member><filename>/usr/include/openssl/idea.h</filename></member>
<member><filename>/usr/include/openssl/blowfish.h</filename></member>
<member><filename>/usr/include/openssl/cast.h</filename></member>
<member><filename>/usr/include/openssl/bn.h</filename></member>
<member><filename>/usr/include/openssl/rsa.h</filename></member>
<member><filename>/usr/include/openssl/dsa.h</filename></member>
<member><filename>/usr/include/openssl/dh.h</filename></member>
<member><filename>/usr/include/openssl/buffer.h</filename></member>
<member><filename>/usr/include/openssl/bio.h</filename></member>
<member><filename>/usr/include/openssl/stack.h</filename></member>
<member><filename>/usr/include/openssl/safestack.h</filename></member>
<member><filename>/usr/include/openssl/lhash.h</filename></member>
<member><filename>/usr/include/openssl/rand.h</filename></member>
<member><filename>/usr/include/openssl/err.h</filename></member>
<member><filename>/usr/include/openssl/objects.h</filename></member>
<member><filename>/usr/include/openssl/evp.h</filename></member>
<member><filename>/usr/include/openssl/asn1.h</filename></member>
<member><filename>/usr/include/openssl/asn1_mac.h</filename></member>
<member><filename>/usr/include/openssl/pem.h</filename></member>
<member><filename>/usr/include/openssl/pem2.h</filename></member>
<member><filename>/usr/include/openssl/x509.h</filename></member>
<member><filename>/usr/include/openssl/x509_vfy.h</filename></member>
<member><filename>/usr/include/openssl/x509v3.h</filename></member>
<member><filename>/usr/include/openssl/conf.h</filename></member>
<member><filename>/usr/include/openssl/txt_db.h</filename></member>
<member><filename>/usr/include/openssl/pkcs7.h</filename></member>
<member><filename>/usr/include/openssl/pkcs12.h</filename></member>
<member><filename>/usr/include/openssl/comp.h</filename></member>
<member><filename>/usr/include/openssl/ssl.h</filename></member>
<member><filename>/usr/include/openssl/ssl2.h</filename></member>
<member><filename>/usr/include/openssl/ssl3.h</filename></member>
<member><filename>/usr/include/openssl/ssl23.h</filename></member>
<member><filename>/usr/include/openssl/tls1.h</filename></member>
<member><filename>/usr/include/openssl/rsaref.h</filename></member>
<member><filename>/usr/lib/libcrypto.a</filename></member>
<member><filename>/usr/lib/libssl.a</filename></member>
<member><filename>/usr/lib/libRSAglue.a</filename></member>
<member><filename>/usr/man/man1/CA.pl.1</filename></member>
<member><filename>/usr/man/man1/asn1parse.1</filename></member>
<member><filename>/usr/man/man1/ca.1</filename></member>
<member><filename>/usr/man/man1/ciphers.1</filename></member>
<member><filename>/usr/man/man1/crl.1</filename></member>
<member><filename>/usr/man/man1/crl2pkcs7.1</filename></member>
<member><filename>/usr/man/man1/dgst.1</filename></member>
<member><filename>/usr/man/man1/dhparam.1</filename></member>
<member><filename>/usr/man/man1/dsa.1</filename></member>
<member><filename>/usr/man/man1/dsaparam.1</filename></member>
<member><filename>/usr/man/man1/enc.1</filename></member>
<member><filename>/usr/man/man1/gendsa.1</filename></member>
<member><filename>/usr/man/man1/genrsa.1</filename></member>
<member><filename>/usr/man/man1/nseq.1</filename></member>
<member><filename>/usr/man/man1/openssl.1</filename></member>
<member><filename>/usr/man/man1/pkcs12.1</filename></member>
<member><filename>/usr/man/man1/pkcs7.1</filename></member>
<member><filename>/usr/man/man1/pkcs8.1</filename></member>
<member><filename>/usr/man/man1/req.1</filename></member>
<member><filename>/usr/man/man1/rsa.1</filename></member>
<member><filename>/usr/man/man1/s_client.1</filename></member>
<member><filename>/usr/man/man1/s_server.1</filename></member>
<member><filename>/usr/man/man1/sess_id.1</filename></member>
<member><filename>/usr/man/man1/smime.1</filename></member>
<member><filename>/usr/man/man1/speed.1</filename></member>
<member><filename>/usr/man/man1/spkac.1</filename></member>
<member><filename>/usr/man/man1/verify.1</filename></member>
<member><filename>/usr/man/man1/version.1</filename></member>
<member><filename>/usr/man/man1/x509.1</filename></member>
<member><filename>/usr/man/man3/BN_CTX_new.3</filename></member>
<member><filename>/usr/man/man3/BN_CTX_start.3</filename></member>
<member><filename>/usr/man/man3/BN_add.3</filename></member>
<member><filename>/usr/man/man3/BN_add_word.3</filename></member>
<member><filename>/usr/man/man3/BN_bn2bin.3</filename></member>
<member><filename>/usr/man/man3/BN_cmp.3</filename></member>
<member><filename>/usr/man/man3/BN_copy.3</filename></member>
<member><filename>/usr/man/man3/BN_generate_prime.3</filename></member>
<member><filename>/usr/man/man3/BN_mod_inverse.3</filename></member>
<member><filename>/usr/man/man3/BN_mod_mul_montgomery.3</filename></member>
<member><filename>/usr/man/man3/BN_mod_mul_reciprocal.3</filename></member>
<member><filename>/usr/man/man3/BN_new.3</filename></member>
<member><filename>/usr/man/man3/BN_num_bytes.3</filename></member>
<member><filename>/usr/man/man3/BN_rand.3</filename></member>
<member><filename>/usr/man/man3/BN_set_bit.3</filename></member>
<member><filename>/usr/man/man3/BN_zero.3</filename></member>
<member><filename>/usr/man/man3/CRYPTO_set_ex_data.3</filename></member>
<member><filename>/usr/man/man3/DH_generate_key.3</filename></member>
<member><filename>/usr/man/man3/DH_generate_parameters.3</filename></member>
<member><filename>/usr/man/man3/DH_get_ex_new_index.3</filename></member>
<member><filename>/usr/man/man3/DH_new.3</filename></member>
<member><filename>/usr/man/man3/DH_set_method.3</filename></member>
<member><filename>/usr/man/man3/DH_size.3</filename></member>
<member><filename>/usr/man/man3/DSA_SIG_new.3</filename></member>
<member><filename>/usr/man/man3/DSA_do_sign.3</filename></member>
<member><filename>/usr/man/man3/DSA_dup_DH.3</filename></member>
<member><filename>/usr/man/man3/DSA_generate_key.3</filename></member>
<member><filename>/usr/man/man3/DSA_generate_parameters.3</filename></member>
<member><filename>/usr/man/man3/DSA_get_ex_new_index.3</filename></member>
<member><filename>/usr/man/man3/DSA_new.3</filename></member>
<member><filename>/usr/man/man3/DSA_set_method.3</filename></member>
<member><filename>/usr/man/man3/DSA_sign.3</filename></member>
<member><filename>/usr/man/man3/DSA_size.3</filename></member>
<member><filename>/usr/man/man3/ERR_GET_LIB.3</filename></member>
<member><filename>/usr/man/man3/ERR_clear_error.3</filename></member>
<member><filename>/usr/man/man3/ERR_error_string.3</filename></member>
<member><filename>/usr/man/man3/ERR_get_error.3</filename></member>
<member><filename>/usr/man/man3/ERR_load_crypto_strings.3</filename></member>
<member><filename>/usr/man/man3/ERR_load_strings.3</filename></member>
<member><filename>/usr/man/man3/ERR_print_errors.3</filename></member>
<member><filename>/usr/man/man3/ERR_put_error.3</filename></member>
<member><filename>/usr/man/man3/ERR_remove_state.3</filename></member>
<member><filename>/usr/man/man3/EVP_DigestInit.3</filename></member>
<member><filename>/usr/man/man3/EVP_EncryptInit.3</filename></member>
<member><filename>/usr/man/man3/OPENSSL_VERSION_NUMBER.3</filename></member>
<member><filename>/usr/man/man3/OpenSSL_add_all_algorithms.3</filename></member>
<member><filename>/usr/man/man3/RAND_add.3</filename></member>
<member><filename>/usr/man/man3/RAND_bytes.3</filename></member>
<member><filename>/usr/man/man3/RAND_cleanup.3</filename></member>
<member><filename>/usr/man/man3/RAND_egd.3</filename></member>
<member><filename>/usr/man/man3/RAND_load_file.3</filename></member>
<member><filename>/usr/man/man3/RAND_set_rand_method.3</filename></member>
<member><filename>/usr/man/man3/RSA_blinding_on.3</filename></member>
<member><filename>/usr/man/man3/RSA_check_key.3</filename></member>
<member><filename>/usr/man/man3/RSA_generate_key.3</filename></member>
<member><filename>/usr/man/man3/RSA_get_ex_new_index.3</filename></member>
<member><filename>/usr/man/man3/RSA_new.3</filename></member>
<member><filename>/usr/man/man3/RSA_padding_add_PKCS1_type_1.3</filename></member>
<member><filename>/usr/man/man3/RSA_print.3</filename></member>
<member><filename>/usr/man/man3/RSA_private_encrypt.3</filename></member>
<member><filename>/usr/man/man3/RSA_public_encrypt.3</filename></member>
<member><filename>/usr/man/man3/RSA_set_method.3</filename></member>
<member><filename>/usr/man/man3/RSA_sign.3</filename></member>
<member><filename>/usr/man/man3/RSA_sign_ASN1_OCTET_STRING.3</filename></member>
<member><filename>/usr/man/man3/RSA_size.3</filename></member>
<member><filename>/usr/man/man3/blowfish.3</filename></member>
<member><filename>/usr/man/man3/bn.3</filename></member>
<member><filename>/usr/man/man3/bn_internal.3</filename></member>
<member><filename>/usr/man/man3/buffer.3</filename></member>
<member><filename>/usr/man/man3/crypto.3</filename></member>
<member><filename>/usr/man/man3/d2i_DHparams.3</filename></member>
<member><filename>/usr/man/man3/d2i_RSAPublicKey.3</filename></member>
<member><filename>/usr/man/man3/dh.3</filename></member>
<member><filename>/usr/man/man3/dsa.3</filename></member>
<member><filename>/usr/man/man3/err.3</filename></member>
<member><filename>/usr/man/man3/hmac.3</filename></member>
<member><filename>/usr/man/man3/lh_stats.3</filename></member>
<member><filename>/usr/man/man3/lhash.3</filename></member>
<member><filename>/usr/man/man3/md5.3</filename></member>
<member><filename>/usr/man/man3/mdc2.3</filename></member>
<member><filename>/usr/man/man3/rand.3</filename></member>
<member><filename>/usr/man/man3/rc4.3</filename></member>
<member><filename>/usr/man/man3/ripemd.3</filename></member>
<member><filename>/usr/man/man3/rsa.3</filename></member>
<member><filename>/usr/man/man3/sha.3</filename></member>
<member><filename>/usr/man/man3/threads.3</filename></member>
<member><filename>/usr/man/man3/SSL_get_error.3</filename></member>
<member><filename>/usr/man/man3/ssl.3</filename></member>
<member><filename>/usr/man/man5/config.5</filename></member>
<member><filename>/usr/man/man7/des_modes.7</filename></member>
</simplelist>
</section>
</chapter>
<chapter label="25"><?dbhtml filename="fSWAn.html"?>
<title>Linux FreeS/WAN VPN</title>
<highlights><para>
Protecting client-to-server traffic with <acronym>SSL</acronym> is an excellent choice, but enterprise environments sometimes also need secure communication channels between two firewalls over the Internet, assuring full privacy, authenticity
and data integrity. <acronym>IPSEC</acronym> was created for this.
</para></highlights>
<section id="pr6ch25sc1fsw"><?dbhtml filename="chap25sec199.html"?>
<title>IPSEC/VPN -FreeS/WAN</title>
<para>
<acronym>IPSEC</acronym> is Internet Protocol SECurity. It uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have
not been altered in transit. Encryption prevents unauthorized reading of packet contents. <acronym>IPSEC</acronym> can protect any protocol running above <acronym>IP</acronym> and any medium used below
<acronym>IP</acronym>.
</para>
<para>
<acronym>IPSEC</acronym> can also provide some security services <emphasis>in the background</emphasis>, with no visible impact on users. More to the point, it can protect a mixture of protocols running over
a complex combination of media, e.g. <acronym>IMAP</acronym>/<acronym>POP</acronym>, without having to change them in any way, since the encryption occurs at the <acronym>IP</acronym> level.
</para><para>
<acronym>IPSEC</acronym> services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the <acronym>IPSEC</acronym> gateway machine and decrypted
by the gateway at the other end. The result is a Virtual Private Network, or <acronym>VPN</acronym>: a network that is effectively private even though it includes machines at several different sites connected
by the insecure Internet.
<mediaobject>
<imageobject><imagedata fileref="./images/FreeSWAN-Schema.gif" format="GIF"/></imageobject>
<textobject><phrase>FreeSWAN VPN</phrase></textobject>
</mediaobject>
</para>
<para>
These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename>/usr/src</filename>
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>
</para></listitem><listitem><para>
Kernel version number is 2.2.14
</para></listitem><listitem><para>
FreeS/WAN <acronym>VPN</acronym> version number is 1.3
</para></listitem>
</itemizedlist>
</para>
<para>
These are the package(s) required, available here:
<simplelist>
<member>
Kernel Homepage: <link linkend="prtinxfp23">http://www.kernelnotes.org/</link>
</member><member>
You must be sure to download: linux-2_2_14_tar.gz
</member><member>
FreeS/WAN VPN Homepage Site: <link linkend="prtinxfp23">http://www.freeswan.org/</link>
</member><member>
FreeS/WAN VPN FTP Site: <link linkend="prtinxfp23">194.109.6.26</link>
</member><member>
You must be sure to download: freeswan-1.3.tar.gz
</member>
</simplelist>
</para>
<para>
Before you decompress the tarballs, it is a good idea to make a list of files on the system before you install FreeS/WAN, and one afterwards, and then compare them using diff to find out what file it placed where. Simply
run <command>find</command> <userinput>/* &gt; Freeswan1</userinput> before and <command>find</command> <userinput>/* &gt; Freeswan2</userinput> after you install the software, and use
<command>diff</command> <userinput>Freeswan1 Freeswan2 &gt; Freeswan-Installed</userinput> to get a list of what changed.
</para>
<para>
Prerequisites: installing the FreeS/WAN <acronym>IPSEC</acronym> Virtual Private Network software requires modifying your original kernel, since FreeS/WAN must be included in and compiled into
your kernel before you can use it. For this reason the first step in installing FreeS/WAN is to go to the <link linkend="pr3ch7lnke">Linux Kernel</link> section in this book and follow the instructions on how to
install the Linux Kernel on your system, <emphasis>even if you have already done this before</emphasis>, and come back to Linux FreeS/WAN VPN (this section) after you have executed the <command>make dep</command>; <command>make clean</command>
commands, but before the <command>make bzImage</command> command in the Linux Kernel section.
</para>
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
It is highly recommended that you not compile anything in the kernel with optimization flags if you intend to install the FreeSWAN software on your system. Any optimization flags added to the Linux kernel will produce error messages in
the FreeSWAN <acronym>IPSEC</acronym> software when it tries to run; this is an important warning you must note, or else nothing will work with FreeSWAN. The optimization flags documented in <link linkend="pr3ch7lnke">Configuring and Building a Secure, Optimized kernel</link>
apply without any problems to all sections and chapters of this book with the single exception of the FreeSWAN <acronym>IPSEC</acronym> software. Once again, I repeat: don't use or add any optimization options or flags to your Linux kernel when compiling
and patching it to support FreeSWAN.
</para></caution>
<para>
To Compile FreeS/WAN you need to decompress the tarball (tar.gz).
<screen>
[root@deep] /# <command>cp</command> freeswan-version.tar.gz /usr/src/
[root@deep] /# <command>cd</command> /usr/src
[root@deep ]/src# <command>tar</command> xzpf freeswan-version.tar.gz
[root@deep ]/src# <command>chown</command> -R 0.0 /usr/src/freeswan-version
</screen>
</para>
</section>
<section><?dbhtml filename="chap25sec200.html"?>
<title>Compile, insert FreeS/WAN into the kernel</title>
<para>
You must modify the <filename>Makefile</filename> under the FreeS/WAN source directory and in its subdirectories <filename class="directory">utils</filename>, <filename class="directory">klips/utils</filename>, <filename class="directory">pluto</filename>,
<filename class="directory">lib</filename> and <filename class="directory">libdes</filename> to specify the installation paths. We modify these files to comply with Red Hat's file system structure and to install the FreeS/WAN files under directories in our <envar>PATH</envar> environment variable.
</para>
<procedure>
<step><para>
Move to the top-level directory of the new FreeS/WAN distribution and edit the <filename>Makefile</filename> file (<command>vi</command> <filename>Makefile</filename>), changing the following lines:
</para>
<substeps>
<step><para>
<programlisting>
PUBDIR=/usr/local/sbin
</programlisting>
To read:
<programlisting>
PUBDIR=/usr/sbin
</programlisting>
</para></step><step><para>
<programlisting>
PRIVDIR=/usr/local/lib/ipsec
</programlisting>
To read:
<programlisting>
PRIVDIR=/usr/lib/ipsec
</programlisting>
</para></step><step><para>
<programlisting>
FINALPRIVDIR=/usr/local/lib/ipsec
</programlisting>
To read:
<programlisting>
FINALPRIVDIR=/usr/lib/ipsec
</programlisting>
</para></step><step><para>
<programlisting>
MANTREE=/usr/local/man
</programlisting>
To read:
<programlisting>
MANTREE=/usr/man
</programlisting>
</para></step>
</substeps>
</step>
<step><para>
Edit the <filename>Makefile</filename> file of the subdirectory <filename class="directory">utils</filename>, <command>vi</command> <filename>utils/Makefile</filename> and change the following lines:
</para>
<substeps><step><para>
<programlisting>
PUBDIR=/usr/local/sbin
</programlisting>
To read:
<programlisting>
PUBDIR=/usr/sbin
</programlisting>
</para></step><step><para>
<programlisting>
PRIVDIR=/usr/local/lib/ipsec
</programlisting>
To read:
<programlisting>
PRIVDIR=/usr/lib/ipsec
</programlisting>
</para></step><step><para>
<programlisting>
FINALPRIVDIR=/usr/local/lib/ipsec
</programlisting>
To read:
<programlisting>
FINALPRIVDIR=/usr/lib/ipsec
</programlisting>
</para></step><step><para>
<programlisting>
MANTREE=/usr/local/man
</programlisting>
To read:
<programlisting>
MANTREE=/usr/man
</programlisting>
</para></step>
</substeps>
</step>
<step><para>
Edit the <filename>Makefile</filename> file of the subdirectory <filename class="directory">klips/utils</filename>, <command>vi</command> <filename>klips/utils/Makefile</filename> and change the following lines:
</para>
<substeps>
<step><para>
<programlisting>
BINDIR=/usr/local/lib/ipsec
</programlisting>
To read:
<programlisting>
BINDIR=/usr/lib/ipsec
</programlisting>
</para></step><step><para>
<programlisting>
MANTREE=/usr/local/man
</programlisting>
To read:
<programlisting>
MANTREE=/usr/man
</programlisting>
</para></step>
</substeps>
</step>
<step><para>
Edit the <filename>Makefile</filename> file of the subdirectory <filename class="directory">pluto</filename>, <command>vi</command> <filename>pluto/Makefile</filename> and change the following lines:
</para>
<substeps>
<step><para>
<programlisting>
BINDIR=/usr/local/lib/ipsec
</programlisting>
To read:
<programlisting>
BINDIR=/usr/lib/ipsec
</programlisting>
</para></step><step><para>
<programlisting>
MANTREE=/usr/local/man
</programlisting>
To read:
<programlisting>
MANTREE=/usr/man
</programlisting>
</para></step>
</substeps>
</step>
<step><para>
Edit the <filename>Makefile</filename> file of the subdirectory <filename class="directory">lib</filename>, <command>vi</command> <filename>lib/Makefile</filename> and change the following lines:
<programlisting>
MANTREE=/usr/local/man
</programlisting>
To read:
<programlisting>
MANTREE=/usr/man
</programlisting>
</para></step>
<step><para>
Edit the <filename>Makefile</filename> file of the subdirectory <filename class="directory">libdes</filename>, <command>vi</command> <filename>libdes/Makefile</filename> and change the following lines:
</para>
<substeps>
<step><para>
<programlisting>
LIBDIR=/usr/local/lib
</programlisting>
To read:
<programlisting>
LIBDIR=/usr/lib
</programlisting>
</para></step><step><para>
<programlisting>
BINDIR=/usr/local/bin
</programlisting>
To read:
<programlisting>
BINDIR=/usr/bin
</programlisting>
</para></step><step><para>
<programlisting>
INCDIR=/usr/local/include
</programlisting>
To read:
<programlisting>
INCDIR=/usr/include
</programlisting>
</para></step><step><para>
<programlisting>
MANDIR=/usr/local/man
</programlisting>
To read:
<programlisting>
MANDIR=/usr/man
</programlisting>
The above changes, from step 1 to step 6, will place all files related to the FreeS/WAN software in the destination directories we have chosen, in order to comply with the Red Hat file system structure.
</para></step>
</substeps>
</step>
</procedure>
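<para>
The six <filename>Makefile</filename> edits above can be applied with <command>sed</command> instead of <command>vi</command>. The script below is an added example for this chapter, not code from the book or from the FreeS/WAN project. It assumes the unpacked source tree is named by the <envar>FREESWAN_SRC</envar> environment variable (our own assumption, not a FreeS/WAN variable), rewrites only assignment lines of the variables named in steps 1 to 6, keeps a <filename>.orig</filename> backup of each file, and afterwards counts how many of those assignments still point under <filename class="directory">/usr/local</filename>. The sample tree it can build holds constructed Makefile fragments with the stock values quoted above, not the real files.
</para>

```shell
#!/bin/sh
# Added example for the book's FreeS/WAN chapter; not FreeS/WAN code.
# Rewrites the /usr/local/... defaults in the Makefiles named in steps
# 1 to 6 to the Red Hat paths the book chooses, then verifies the result.
# Assumption: FREESWAN_SRC names the unpacked freeswan-1.3 tree.

# Makefiles edited in steps 1 to 6, relative to the source directory.
MAKEFILES="Makefile utils/Makefile klips/utils/Makefile pluto/Makefile lib/Makefile libdes/Makefile"
# Variables whose /usr/local prefix the book replaces with /usr.
VARS="PUBDIR PRIVDIR FINALPRIVDIR MANTREE BINDIR LIBDIR INCDIR MANDIR"

# relocate_makefile FILE: keep FILE.orig, then on assignment lines of the
# listed variables only, replace a leading /usr/local/ with /usr/.
relocate_makefile() {
    f="$1"
    [ -f "$f" ] || return 1
    cp "$f" "$f.orig"
    for v in $VARS; do
        sed -e "s|^\($v[[:space:]]*=[[:space:]]*\)/usr/local/|\1/usr/|" "$f" > "$f.tmp"
        mv "$f.tmp" "$f"
    done
}

# count_local FILE: number of listed-variable assignments still pointing
# under /usr/local (0 means the file is fully relocated).
count_local() {
    n=0
    for v in $VARS; do
        c=$(grep -c "^$v[[:space:]]*=[[:space:]]*/usr/local/" "$1" || :)
        n=$((n + ${c:-0}))
    done
    echo "$n"
}

# relocate_tree DIR: apply the edits to every listed Makefile under DIR
# and print how many listed assignments are still under /usr/local.
relocate_tree() {
    d="$1"
    total=0
    for m in $MAKEFILES; do
        relocate_makefile "$d/$m"
        c=$(count_local "$d/$m")
        total=$((total + c))
    done
    echo "$total"
}

# make_sample_tree DIR: constructed Makefile fragments with the stock
# values quoted in steps 1 to 6 (sample data, not the real Makefiles).
# The comment line in libdes/Makefile must survive untouched.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/utils" "$d/klips/utils" "$d/pluto" "$d/lib" "$d/libdes"
    printf 'PUBDIR=/usr/local/sbin\nPRIVDIR=/usr/local/lib/ipsec\nFINALPRIVDIR=/usr/local/lib/ipsec\nMANTREE=/usr/local/man\n' > "$d/Makefile"
    cp "$d/Makefile" "$d/utils/Makefile"
    printf 'BINDIR=/usr/local/lib/ipsec\nMANTREE=/usr/local/man\n' > "$d/klips/utils/Makefile"
    cp "$d/klips/utils/Makefile" "$d/pluto/Makefile"
    printf 'MANTREE=/usr/local/man\n' > "$d/lib/Makefile"
    printf 'LIBDIR=/usr/local/lib\nBINDIR=/usr/local/bin\nINCDIR=/usr/local/include\nMANDIR=/usr/local/man\n# unrelated: LOCALTEST=/usr/local/test\n' > "$d/libdes/Makefile"
}

# Real run: FREESWAN_SRC=/usr/src/freeswan-1.3 sh relocate-freeswan.sh
if [ -n "${FREESWAN_SRC:-}" ]; then
    left=$(relocate_tree "$FREESWAN_SRC")
    echo "listed assignments still under /usr/local: $left"
fi
```

<para>
Anchoring each pattern on the variable name and the <literal>=</literal> sign keeps the edit from touching unrelated occurrences of <filename class="directory">/usr/local</filename> elsewhere in a Makefile, and a non-zero count at the end tells you immediately which file still needs a look before <command>make programs</command> runs.
</para>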
<para>
Now, we must compile and install FreeSWAN on the server:
<screen>
[root@deep ]/freeswan-1.3# <command>make insert</command>
[root@deep ]/freeswan-1.3# <command>make programs</command>
[root@deep ]/freeswan-1.3# <command>make install</command>
</screen>
<itemizedlist>
<listitem><para>
The <command>make insert</command> command creates a symbolic link <filename class="symlink">/usr/src/linux/net/ipsec</filename>, pointing to the <acronym>KLIPS</acronym> source directory. It patches some kernel files, where
necessary, to know about <acronym>KLIPS</acronym> and/or to fix bugs. It also adds its default configuration to the kernel configuration file, and finally, it makes the <acronym>KLIPS</acronym> communication file, <filename>/dev/ipsec</filename>,
if it's not already there.
</para></listitem><listitem><para>
The <command>make programs</command> command builds the libraries, Pluto, and various user-level utilities.
</para></listitem><listitem><para>
The <command>make install</command> command installs the Pluto daemon and user-level utilities, and sets things up for boot-time startup.
</para></listitem>
</itemizedlist>
</para>
</section>
<section><?dbhtml filename="chap25sec201.html"?>
<title>Reconfigure and install the kernel with FreeS/WAN VPN support</title>
<para>
Now, we must return to the <filename class="directory">/usr/src/linux</filename> directory and execute the following commands to reconfigure the kernel with FreeS/WAN support enabled:
<screen>
[root@deep ]/freeswan-1.3# <command>cd</command> /usr/src/linux
[root@deep ]/linux# <command>make config</command>
</screen>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The difference from the <command>make config</command> command we used before is that a new section related to FreeS/WAN has now been included in our kernel configuration, and for this reason we must reconfigure the kernel to make
the IPSec options part of it.
</para></important>
<para>
The first thing you need to do is ensure that your kernel has been built with FreeS/WAN support enabled. In the 2.2.14 kernel version, a new section related to FreeS/WAN VPN support named <envar>IPSec options (FreeS/WAN)</envar>
should appear in your kernel configuration after you have patched the kernel with the FreeS/WAN program as described above. You need to ensure that you have answered <userinput>Y</userinput> to the following questions under the
new section <envar>IPSec options (FreeS/WAN)</envar>:
<programlisting>
IPSec options (FreeS/WAN)
IP Security Protocol (FreeS/WAN IPSEC) (CONFIG_IPSEC) <literal><optional>Y/n/?</optional></literal>
IPSEC: IP-in-IP encapsulation (CONFIG_IPSEC_IPIP) <literal><optional>Y/n/?</optional></literal>
IPSEC: PF_KEYv2 kernel/user interface (CONFIG_IPSEC_PFKEYv2) <literal><optional>Y/n/?</optional></literal>
IPSEC: Enable ICMP PMTU messages (CONFIG_IPSEC_ICMP) <literal><optional>Y/n/?</optional></literal>
IPSEC: Authentication Header (CONFIG_IPSEC_AH) <literal><optional>Y/n/?</optional></literal>
HMAC-MD5 authentication algorithm (CONFIG_IPSEC_AUTH_HMAC_MD5) <literal><optional>Y/n/?</optional></literal>
HMAC-SHA1 authentication algorithm (CONFIG_IPSEC_AUTH_HMAC_SHA1) <literal><optional>Y/n/?</optional></literal>
IPSEC: Encapsulating Security Payload (CONFIG_IPSEC_ESP) <literal><optional>Y/n/?</optional></literal>
3DES encryption algorithm (CONFIG_IPSEC_ENC_3DES) <literal><optional>Y/n/?</optional></literal>
IPSEC Debugging Option (DEBUG_IPSEC) <literal><optional>Y/n/?</optional></literal>
</programlisting>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
All the customizations you made to your kernel the first time you ran the <command>make config</command>, <command>make dep</command>, and <command>make clean</command> commands will be preserved, so you don't need to
reconfigure every part of your kernel; Just the new section added by FreeS/WAN named <envar>IPSec options (FreeS/WAN)</envar> is required, as shown above.
</para></tip>
<para>
Some networking options will get turned on automatically, even if you previously turned them off; this is because IPSEC needs them. Whichever configuration program you are using, you should pay careful attention to a few issues.
In particular, <emphasis>do not disable any of the following under the</emphasis> <envar>Networking Options</envar> <emphasis>of your kernel configuration</emphasis>:
<programlisting>
Kernel/User netlink socket (CONFIG_NETLINK) <literal><optional>Y/n/?</optional></literal>
Netlink device emulation (CONFIG_NETLINK_DEV) <literal><optional>Y/n/?</optional></literal>
</programlisting>
</para>
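<para>
A quick way to confirm that the questions above were answered <userinput>Y</userinput>, and that the two netlink options were not switched off, is to read the kernel's <filename>.config</filename> file before running <command>make bzImage</command>. The script below is an added example, not code from the book, the kernel or the FreeS/WAN project. It assumes the file to check is named by the <envar>KERNEL_CONFIG</envar> environment variable (our own assumption), treats an option as missing when it is unset, commented out as "is not set", or built as a module, and can write a constructed sample <filename>.config</filename> fragment to show both failure modes. The debugging option from the listing is deliberately left out of the required set.
</para>

```shell
#!/bin/sh
# Added example for the book's FreeS/WAN chapter; not kernel or FreeS/WAN
# code. Checks a kernel .config for the options the book says to answer
# Y to, plus the two Networking Options that must stay enabled.
# Assumption: KERNEL_CONFIG (if set) names the .config to check.

# Symbols from the "IPSec options (FreeS/WAN)" listing and the netlink
# options IPSEC depends on. The debugging option is left out; append its
# symbol here if you want it checked as well.
REQUIRED_OPTS="CONFIG_NETLINK CONFIG_NETLINK_DEV CONFIG_IPSEC CONFIG_IPSEC_IPIP CONFIG_IPSEC_PFKEYv2 CONFIG_IPSEC_ICMP CONFIG_IPSEC_AH CONFIG_IPSEC_AUTH_HMAC_MD5 CONFIG_IPSEC_AUTH_HMAC_SHA1 CONFIG_IPSEC_ESP CONFIG_IPSEC_ENC_3DES"

# missing_opts CONFIG_FILE: print one line per required option that is
# not built in (=y). Unset, "is not set" and =m all count as missing,
# because KLIPS must be part of the kernel image, not a module.
missing_opts() {
    for o in $REQUIRED_OPTS; do
        grep -q "^$o=y\$" "$1" || echo "$o"
    done
}

# count_missing CONFIG_FILE: number of required options not built in.
count_missing() {
    missing_opts "$1" | grep -c . || :
}

# check_config [CONFIG_FILE]: human-readable report; returns 1 if any
# required option is missing, so a build script can stop before make bzImage.
check_config() {
    cfg="${1:-/usr/src/linux/.config}"
    n=$(count_missing "$cfg")
    if [ "$n" -eq 0 ]; then
        echo "OK: all FreeS/WAN kernel options are built in: $cfg"
        return 0
    fi
    echo "MISSING ($n) in $cfg, answer Y to these under make config:"
    missing_opts "$cfg"
    return 1
}

# write_sample_config FILE: constructed .config fragment (sample data,
# not a real kernel configuration) with one option built as a module and
# one commented out, to show both failure modes.
write_sample_config() {
    printf '%s\n' \
        'CONFIG_NETLINK=y' \
        'CONFIG_NETLINK_DEV=y' \
        'CONFIG_IPSEC=y' \
        'CONFIG_IPSEC_IPIP=y' \
        'CONFIG_IPSEC_PFKEYv2=y' \
        'CONFIG_IPSEC_ICMP=y' \
        'CONFIG_IPSEC_AH=y' \
        'CONFIG_IPSEC_AUTH_HMAC_MD5=y' \
        '# CONFIG_IPSEC_AUTH_HMAC_SHA1 is not set' \
        'CONFIG_IPSEC_ESP=m' \
        'CONFIG_IPSEC_ENC_3DES=y' > "$1"
}

# Real run: KERNEL_CONFIG=/usr/src/linux/.config sh check-ipsec-config.sh
if [ -n "${KERNEL_CONFIG:-}" ]; then
    check_config "$KERNEL_CONFIG"
fi
```

<para>
On the constructed sample, <function>check_config</function> reports two missing options, <literal>CONFIG_IPSEC_AUTH_HMAC_SHA1</literal> (commented out) and <literal>CONFIG_IPSEC_ESP</literal> (built as a module), which is exactly the situation the tip above warns about when a previous <command>make config</command> run has left an answer at its old value.
</para>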
<para>
Now that support for FreeS/WAN VPN has been included in the kernel configuration, you need to compile and install the new kernel.
Return to the <filename class="directory">/usr/src/linux</filename> directory and run the following commands again:
<screen>
[root@deep ]/linux# <command>make dep</command>; <command>make clean</command>; <command>make bzImage</command>
</screen>
</para>
<para>
After executing the commands above, follow the rest of the instructions in the Linux Kernel section of this book, <link linkend="pr3ch7lnke">Configuring and Building a secure, optimized Kernel</link>, as normal to install the kernel. At
this point, after you have copied and installed your new kernel image, system.map and modules (if necessary) and set the lilo.conf file to load the new kernel, you must edit and customize the configuration files related to
FreeS/WAN, <filename>ipsec.conf</filename> and <filename>ipsec.secrets</filename>, before rebooting your system.
</para>
<para>
Please don't forget to cleanup later:
<screen>
[root@deep] /# <command>cd</command> /usr/src
[root@deep ]/src# <command>rm</command> -rf freeswan-version/ freeswan-version.tar.gz
</screen>
The <command>rm</command> command will remove all the source files we have used to compile and install FreeS/WAN. It will also remove the FreeS/WAN compressed archive from the <filename class="directory">/usr/src</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap25sec202.html"?>
<title>Configure to optimise</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each software package described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. This can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack this to any location on your local machine, say for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each software package has its own directory
of configuration files. For example, the <wordasword>FreeSWAN</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 8
-rw-r--r-- 1 harrypotter harrypotter 998 Jun 8 13:00 ipsec.conf
-rw------- 1 harrypotter harrypotter 1838 Jun 8 13:00 ipsec.secrets
</computeroutput></literallayout>
You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or edit them manually to suit your needs. This facility is provided as a convenience, but please don't forget that ultimately it is your
responsibility to check, verify, <abbrev>etc.</abbrev> before you use them, whether modified or as they are.
</para>
</note>
<para>
To run FreeSWAN, the following files are required and must be created or copied to the appropriate directories on your server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>ipsec.conf</filename> file to the <filename class="directory">/etc/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>ipsec.secrets</filename> file to the <filename class="directory">/etc/</filename> directory.
</para></listitem>
</orderedlist>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed below on our <filename>floppy.tgz</filename> archive. Copy the following files from the decompressed <filename>floppy.tgz</filename> archive to the appropriate places or copy and paste them directly from this book to the concerned file.
</para></tip>
</para>
</section>
<section><?dbhtml filename="chap25sec203.html"?>
<title>Automatic or Manual Key connections</title>
<para>
The configuration file for FreeS/WAN <filename>/etc/ipsec.conf</filename> allows you to configure your <acronym>IPSEC</acronym> configurations, control information and connections types. <acronym>IPSEC</acronym> currently
supports two types of connections:
<variablelist><varlistentry>
<term>Manually keyed </term>
<listitem><para>
Manually keyed connections use keys stored in the <filename>/etc/ipsec.conf</filename> file. This type of connection is less secure than an automatically keyed one.
</para></listitem>
</varlistentry><varlistentry>
<term>Automatically keyed</term>
<listitem><para>
Automatically keyed connections use keys automatically generated by the Pluto key negotiation daemon. The key negotiation protocol, used by default and named IKE, authenticates the other system using shared secrets stored in <filename>/etc/ipsec.secrets</filename> file.
</para></listitem>
</varlistentry>
</variablelist>
The difference is strictly in how they are keyed. For this reason, we will use, and show you, the automatically keyed connection, which is more secure than the manually keyed one. <emphasis>Once again, it is highly recommended that
you use the automatically keyed connection</emphasis>.
</para>
<para>
In our example configuration below, we configure a sample firewall-penetrating tunnel, and we assume that firewalling is being done on both the left and the right side. We chose to show you this configuration
since we assume it is what most users and companies will use. It also lets us use more of the options available in the configuration file <filename>ipsec.conf</filename> for automatically keyed connections. Other
configurations exist; you may consult the <filename>doc/examples</filename> file under the subdirectory <filename class="directory">doc</filename> of the FreeS/WAN source directory for more information and other
possible configurations.
</para>
<programlisting>
SubnetDeep======Deep------Deepgate..........Mailgate-------Mail======SubnetMail
Untrusted net
leftsubnet = SubnetDeep (192.168.1.0/24)
left = Deep (deep.openna.com)
leftnexthop = Deepgate (the first router in the direction or ISP router for deep.openna.com)
Internet = Untrusted net
rightnexthop = Mailgate (the first router in the direction or ISP router for mail.openna.com)
right = Mail (mail.openna.com)
rightsubnet = SubnetMail (192.168.1.0/24)
</programlisting>
<itemizedlist>
<listitem><para>
<literallayout>
SubnetDeep
\ 192.168.1.0/24 /
+--------------------+
|
</literallayout>
SubnetDeep is the <acronym>IP</acronym> network address of your private internal network on the first gateway. eth1 is attached to the internal network.
</para></listitem>
<listitem><para>
<literallayout>
Deep
\ 208.164.186.1 /
+-------------------+
|
</literallayout>
Deep is the <acronym>IP</acronym> address of your first Gateway. eth0 is attached to the Internet.
</para></listitem>
<listitem><para>
<literallayout>
Deepgate
\ 205.151.222.250 /
+----------------------+
|
</literallayout>
Deepgate is the <acronym>IP</acronym> address of the first router in the direction of your second gateway <literal>mail.openna.com</literal> or your <acronym>ISP</acronym> router.
</para></listitem>
<listitem><para>
<literallayout>
I N T E R N E T
|
</literallayout>
INTERNET is the untrusted network.
</para></listitem>
<listitem><para>
<literallayout>
Mailgate
/ 205.151.222.251 \
+------------------------+
|
</literallayout>
Mailgate is the <acronym>IP</acronym> address of the first router in the direction of your first gateway <literal>deep.openna.com</literal> or your <acronym>ISP</acronym> router.
</para></listitem>
<listitem><para>
<literallayout>
Mail
/ 208.164.186.2 \
+---------------------+
|
</literallayout>
Mail is the <acronym>IP</acronym> address of your second Gateway. eth0 is attached to the Internet.
</para></listitem>
<listitem><para>
<literallayout>
SubnetMail
/ 192.168.1.0/24 \
+----------------------+
</literallayout>
SubnetMail is the <acronym>IP</acronym> network address of your private internal network on the second gateway. eth1 is attached to the internal network.
</para></listitem>
</itemizedlist>
</section>
<section><?dbhtml filename="chap25sec203e.html"?>
<title>The <filename>/etc/ipsec.conf</filename> file</title>
<para>
We must edit the <filename>ipsec.conf</filename> file <command>vi</command> <filename>/etc/ipsec.conf</filename> and change the default values to fit our specifications for <acronym>IPSEC</acronym> configuration
and communication. Currently there are two types of section in this file <filename>/etc/ipsec.conf</filename>:
<orderedlist>
<listitem><para>
A <literal>config</literal> section which specifies general configuration information for <acronym>IPSEC</acronym>,
</para></listitem><listitem><para>
A <literal>conn</literal> section which specifies an <acronym>IPSEC</acronym> connection. Its contents are not security-sensitive unless manual keying is being done, <emphasis>recall, manual keying is not recommended for security reasons</emphasis>.
</para></listitem>
</orderedlist>
<itemizedlist>
<listitem><para>
The first section type, called <literal>config</literal> setup, is the only config section known to the <acronym>IPSEC</acronym> software containing overall setup parameters for <acronym>IPSEC</acronym> that apply to all connections, and information
used when the software is being started.
</para></listitem><listitem><para>
The second type, called <literal>conn</literal>, contains a connection specification defining a network connection to be made using <acronym>IPSEC</acronym>. The name it is given is arbitrary, and is simply used to identify
the connection to <citerefentry><refentrytitle>ipsec_auto</refentrytitle><manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>ipsec_manual</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
</para></listitem>
</itemizedlist>
<programlisting>
# /etc/ipsec.conf - FreeS/WAN <acronym>IPSEC</acronym> configuration file
# More elaborate and more varied sample configurations can be found
# in doc/examples.
# basic configuration
config setup
interfaces="ipsec0=eth0"
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
# sample connection
conn deep-mail
left=208.164.186.1
leftsubnet=192.168.1.0/24
leftnexthop=205.151.222.250
right=208.164.186.2
rightsubnet=192.168.1.0/24
rightnexthop=205.151.222.251
keyingtries=0
auth=ah
auto=start
</programlisting>
</para>
<para>
This tells <filename>ipsec.conf</filename> file to set itself up for this particular configuration setup with:
<glosslist><glossentry>
<glossterm>interfaces="<literal>ipsec0</literal>=<literal>eth0</literal>"</glossterm>
<glossdef><para>
This option specifies which virtual and physical interfaces <acronym>IPSEC</acronym> should use. The default setting, <envar>interfaces=%defaultroute</envar>, will look for your default connection
to the Internet, or your corporate network. Also, you can name one or more specific interfaces to be used by FreeS/WAN. For example:
</para></glossdef>
</glossentry><glossentry>
<glossterm>interfaces="<literal>ipsec0</literal>=<literal>eth0</literal>"
interfaces="<literal>ipsec0</literal>=<literal>eth0</literal> ipsec1=ppp0"</glossterm>
<glossdef><para>
Both set the <literal>eth0</literal> interface as <literal>ipsec0</literal>. The second one, however, also supports <acronym>IPSEC</acronym> over a <acronym>PPP</acronym> interface. If the default setting <envar>interfaces=%defaultroute</envar>
is not used, then the specified interfaces will be the only ones this gateway machine can use to communicate with other <acronym>IPSEC</acronym> gateways.
</para></glossdef>
</glossentry><glossentry>
<glossterm>klipsdebug=none</glossterm>
<glossdef><para>
This option specifies the debugging output for <acronym>KLIPS</acronym>, the kernel <acronym>IPSEC</acronym> code. The default value, none, means no debugging output, and the value all means full output.
</para></glossdef>
</glossentry><glossentry>
<glossterm>plutodebug=none</glossterm>
<glossdef><para>
This option specifies the debugging output for the Pluto key negotiation daemon. The default value, none, means no debugging output, and the value all means full output.
</para></glossdef>
</glossentry><glossentry>
<glossterm>plutoload=%search</glossterm>
<glossdef><para>
This option specifies which connections (by name) to load automatically into memory when Pluto starts. The default is none and the value %search loads all connections with auto=add or auto=start.
</para></glossdef>
</glossentry> <glossentry>
<glossterm>plutostart=%search</glossterm>
<glossdef><para>
This option specifies which connections (by name) to automatically negotiate when Pluto starts. The default is none and the value %search starts all connections with auto=start.
</para></glossdef>
</glossentry><glossentry>
<glossterm>conn deep-mail</glossterm>
<glossdef><para>
This option specifies the name given to identify the connection specification to be made using <acronym>IPSEC</acronym>. It's a good convention to name connections by their ends to avoid mistakes. For example, the link
between the <literal>deep.openna.com</literal> and <literal>mail.openna.com</literal> gateway servers can be named <literal>deep-mail</literal>, or the link between your Montreal and Paris offices, <literal>montreal-paris</literal>.
<note>
<title>
<inlinemediaobject><imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject></inlinemediaobject>
</title>
<para>
Note that the names <literal>deep-mail</literal> or whatever you have chosen should be the same in the <filename>ipsec.conf</filename> file on both gateways. In other words, the only change you should make in
the <filename>/etc/ipsec.conf</filename> file on the second gateway is changing the <envar>interfaces=</envar> line to match the interface the second gateway uses for <acronym>IPSEC</acronym> connection, if,
of course, it's different from the first gateway. For example, if the interface <literal>eth0</literal> is used on both gateways for <acronym>IPSEC</acronym> communication, you don't need to change the line <envar>interfaces=</envar>
on the second gateway. On the other hand, if the first gateway uses <literal>eth0</literal> and the second uses <literal>eth1</literal>, you must change the line <envar>interfaces=</envar> on the second gateway to match the interface <literal>eth1</literal>.
</para></note>
</para></glossdef>
</glossentry><glossentry>
<glossterm>left=208.164.186.1</glossterm>
<glossdef><para>
This option specifies the <acronym>IP</acronym> address of the gateway's external interface used to talk to the other gateway.
</para></glossdef>
</glossentry><glossentry>
<glossterm>leftsubnet=192.168.1.0/24</glossterm>
<glossdef><para>
This option specifies the <acronym>IP</acronym> network or address of the private subnet behind the gateway.
</para></glossdef>
</glossentry><glossentry>
<glossterm>leftnexthop=205.151.222.250</glossterm>
<glossdef><para>
This option specifies the <acronym>IP</acronym> address of the first router in the appropriate direction or <acronym>ISP</acronym> router.
</para></glossdef>
</glossentry><glossentry>
<glossterm>right=208.164.186.2</glossterm>
<glossdef><para>
This is the same explanation as <envar>left=</envar> but for the right destination.
</para></glossdef>
</glossentry><glossentry>
<glossterm>rightsubnet=192.168.1.0/24</glossterm>
<glossdef><para>
This is the same explanation as <envar>leftsubnet=</envar> but for the right destination.
</para></glossdef>
</glossentry><glossentry>
<glossterm>rightnexthop=205.151.222.251</glossterm>
<glossdef><para>
This is the same explanation as <envar>leftnexthop=</envar> but for the right destination.
</para></glossdef>
</glossentry><glossentry>
<glossterm>keyingtries=0</glossterm>
<glossdef><para>
This option specifies how many attempts (an integer) should be made in (re)keying negotiations. The default value 0 (retry forever) is recommended.
</para></glossdef>
</glossentry><glossentry>
<glossterm>auth=ah</glossterm>
<glossdef><para>
This option specifies whether authentication should be done separately using AH (Authentication Header), or be included as part of the <acronym>ESP</acronym> (Encapsulated Security Payload) service. Separate AH authentication is preferable when the <acronym>IP</acronym> headers are exposed, to prevent
man-in-the-middle attacks.
</para></glossdef>
</glossentry><glossentry>
<glossterm>auto=start</glossterm>
<glossdef><para>
This option specifies whether automatic startup operations should be done at <acronym>IPSEC</acronym> startup.
</para></glossdef>
</glossentry>
</glosslist>
</para>
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
A data mismatch anywhere in this configuration <filename>ipsec.conf</filename> will cause FreeS/WAN to fail and to log various error messages.
</para></caution>
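<para>
As an added example (not part of this book or of the FreeS/WAN distribution), the following Python script parses the <filename>ipsec.conf</filename> of both gateways and reports every difference except the <envar>interfaces=</envar> line of <literal>config setup</literal>, which the note above allows to differ. Both inputs are constructed here from the configuration shown above; the mail copy uses <literal>eth1</literal> and carries a one-digit error in <envar>rightnexthop=</envar> to show what the check reports.

```python
"""Compare the ipsec.conf of two FreeS/WAN gateways (added example, not
from the book).  Every conn parameter must be identical on both ends; only
interfaces= in 'config setup' may legitimately differ."""

# Constructed sample: deep's ipsec.conf as shown in this chapter.
DEEP_CONF = """\
# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search

conn deep-mail
    left=208.164.186.1
    leftsubnet=192.168.1.0/24
    leftnexthop=205.151.222.250
    right=208.164.186.2
    rightsubnet=192.168.1.0/24
    rightnexthop=205.151.222.251
    keyingtries=0
    auth=ah
    auto=start
"""

# Constructed sample for mail: IPSEC on eth1 (allowed to differ) plus a
# one-digit typo in rightnexthop, the kind of mismatch the caution warns of.
MAIL_CONF = DEEP_CONF.replace('"ipsec0=eth0"', '"ipsec0=eth1"').replace(
    "rightnexthop=205.151.222.251", "rightnexthop=205.151.222.215")

# Parameters every conn in this chapter's setup must carry.
REQUIRED_CONN_KEYS = ("left", "leftsubnet", "leftnexthop",
                      "right", "rightsubnet", "rightnexthop")
# auto= values this chapter uses, plus ignore (FreeS/WAN's default).
AUTO_VALUES = ("ignore", "add", "start")
# Keys of 'config setup' that are expected to differ per gateway.
PER_HOST_SETUP_KEYS = ("interfaces",)


def parse_ipsec_conf(text):
    """Return {(section_type, name): {key: value}}; headers are 'config
    setup' and 'conn NAME', key=value lines belong to the latest header."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] in ("config", "conn") and len(words) == 2:
            current = (words[0], words[1])
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError("unparsable line: %r" % raw)
    return sections


def check_conn(name, conn):
    """Return the problems found in one conn section (empty list if none)."""
    problems = []
    for key in REQUIRED_CONN_KEYS:
        if key not in conn:
            problems.append("conn %s: missing %s=" % (name, key))
    if conn.get("auto", "ignore") not in AUTO_VALUES:
        problems.append("conn %s: unknown auto=%s" % (name, conn["auto"]))
    return problems


def compare_gateways(conf_a, conf_b):
    """Return the mismatches between two parsed ipsec.conf files; a section
    on one side only, or a differing value, is reported."""
    mismatches = []
    for section in sorted(set(conf_a) | set(conf_b)):
        if section not in conf_a or section not in conf_b:
            mismatches.append("%s %s: present on one gateway only" % section)
            continue
        a, b = conf_a[section], conf_b[section]
        for key in sorted(set(a) | set(b)):
            if section == ("config", "setup") and key in PER_HOST_SETUP_KEYS:
                continue                         # allowed to differ
            if a.get(key) != b.get(key):
                mismatches.append("%s %s: %s=%s vs %s=%s" % (
                    section[0], section[1], key, a.get(key), key, b.get(key)))
    return mismatches


if __name__ == "__main__":
    deep, mail = parse_ipsec_conf(DEEP_CONF), parse_ipsec_conf(MAIL_CONF)
    print(check_conn("deep-mail", deep[("conn", "deep-mail")]))
    print(compare_gateways(deep, mail))
```
</para>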
</section>
<section><?dbhtml filename="chap25sec204.html"?>
<title>The <filename>/etc/ipsec.secrets</filename> file</title>
<para>
The file <filename>ipsec.secrets</filename> stores the secrets used by the pluto daemon to authenticate communication between both gateways. Two different kinds of secrets can be configured in this file, which
are preshared secrets and <acronym>RSA</acronym> private keys. You must check the modes and permissions of this file to be sure that the super-user <literal>root</literal> owns the file, and its permissions are set to block all
access by others.
</para>
<procedure>
<step><para>
An example secret is supplied in the <filename>ipsec.secrets</filename> file by default. You should change it by creating your own. With automatic keying you may have a shared secret up to 256 bits, which is
then used during the key exchanges to make sure a man in the middle attack does not occur.
To create a new shared secret, use the following commands:
<screen>
[root@deep] /# <command>ipsec</command> ranbits 256 &gt; temp
</screen>
New random bits are written by the <citerefentry><refentrytitle>ranbits</refentrytitle><manvolnum>8</manvolnum></citerefentry> utility to the file named <filename>temp</filename>. The ranbits utility may pause for a few seconds if not enough entropy is available immediately.
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Don't forget to delete the temporary file as soon as you are done with it.
</para></caution>
</para></step>
<step><para>
Now that our new shared secret key has been created in the <filename>temp</filename> file, we must put it in the <filename>/etc/ipsec.secrets</filename> file. When you open <filename>ipsec.secrets</filename>
in your text editor, each line holds the <acronym>IP</acronym> addresses of the two gateways plus the secret, and the default file looks something like this:
<programlisting>
# This file holds shared secrets which are currently the only inter-Pluto
# authentication mechanism. See ipsec_pluto(8) manpage. Each secret is
# (oversimplifying slightly) for one pair of negotiating hosts.
# The shared secrets are arbitrary character strings and should be both
# long and hard to guess.
# Note that all secrets must now be enclosed in quotes, even if they have
# no white space inside them.
10.0.0.1 11.0.0.1 "jxVS1kVUTTulkVRRTnTujSm444jRuU1mlkklku2nkW3nnVu
V2WjjRRnulmlkmU1Run5VSnnRT"
</programlisting>
</para>
<substeps><step><para>
Edit the ipsec.secrets file, <command>vi</command> <filename>/etc/ipsec.secrets</filename> and change the default secrets keys:
<programlisting>
10.0.0.1 11.0.0.1 "jxVS1kVUTTulkVRRTnTujSm444jRuU1mlkklku2nkW3nnVu
V2WjjRRnulmlkmU1Run5VSnnRT"
</programlisting>
To read:
<programlisting>
208.164.186.1 208.164.186.2 "0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed"
</programlisting>
Where <literal>208.164.186.1</literal> and <literal>208.164.186.2</literal> are the <acronym>IP</acronym> addresses of the two gateways and <literal>"0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed"</literal>
is the shared secret we generated above with the command <userinput>ipsec ranbits 256 &gt; temp</userinput> and read from the <filename>temp</filename> file; <emphasis>note that the quotes are required</emphasis>.
</para></step></substeps>
</step>
<step><para>
The files <filename>ipsec.conf</filename> and <filename>ipsec.secrets</filename> must be copied to the second gateway machine so as to be identical on both ends. The only exception to this is the <filename>ipsec.conf</filename> file, whose
section labeled by the line <literal>config setup</literal> must carry the correct interface settings for the second gateway, if they differ from the first. The <filename>ipsec.secrets</filename> file, contrary to the case with <acronym>RSA</acronym> private keys,
must hold exactly the same shared secrets on the two gateways.
</para></step>
</procedure>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The file <filename>/etc/ipsec.secrets</filename> should have permissions <literal>rw-------</literal> (600) and be owned by the super-user <literal>root</literal>. The file <filename>/etc/ipsec.conf</filename> is installed
with permissions <literal>rw-r--r--</literal> (644) and must also be owned by <literal>root</literal>.
</para></important>
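<para>
As an added example (not part of this book or of FreeS/WAN), the following Python script checks a preshared-secret <filename>ipsec.secrets</filename> file the way this section requires: owner <literal>root</literal>, mode 600, a quoted secret on the line for the two gateways, the 256 bits that <userinput>ipsec ranbits 256</userinput> produces, and identical entries on both gateways. The sample file is constructed from the entry above; <literal>write_sample</literal> and the <literal>owner_uid</literal> argument exist only so the script can test itself without running as root.

```python
"""Sanity-check a FreeS/WAN ipsec.secrets file that holds preshared
secrets (added example, not from the book or FreeS/WAN): root ownership,
mode 600, every secret quoted, and an entry for our two gateways."""
import os
import stat

CURRENT_UID = os.getuid()   # for the self-test; on a real gateway expect 0

# Constructed sample: the secrets file as edited above, holding the
# 256-bit secret produced by 'ipsec ranbits 256' (hex grouped by '_').
SAMPLE_SECRETS = (
    "# shared secrets, see ipsec_pluto(8)\n"
    "208.164.186.1 208.164.186.2 "
    '"0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed"\n'
)


def write_sample(path, text, mode):
    """Create a sample secrets file with the given permission bits."""
    with open(path, "w") as handle:
        handle.write(text)
    os.chmod(path, mode)
    return path


def parse_psk_lines(text):
    """Return [(id_a, id_b, secret)] from one-entry-per-line PSK lines.

    Raises ValueError for an unquoted secret, which Pluto rejects.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ids_part, quote, rest = line.partition('"')
        if quote != '"' or not rest.endswith('"'):
            raise ValueError("secret must be enclosed in quotes: %r" % raw)
        ids = ids_part.split()
        if len(ids) != 2:
            raise ValueError("expected two gateway IDs: %r" % raw)
        entries.append((ids[0], ids[1], rest[:-1]))
    return entries


def check_secrets_file(path, left, right, owner_uid=0):
    """Return the findings for a PSK ipsec.secrets file (empty list = OK)."""
    findings = []
    st = os.stat(path)
    if st.st_uid != owner_uid:
        findings.append("owner is uid %d, expected %d" % (st.st_uid, owner_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        findings.append("mode is %o, expected 600" % mode)
    with open(path) as handle:
        try:
            entries = parse_psk_lines(handle.read())
        except ValueError as err:
            return findings + [str(err)]
    # The entry may list the two gateways in either order.
    ours = [e for e in entries if {e[0], e[1]} == {left, right}]
    if not ours:
        findings.append("no secret for %s and %s" % (left, right))
    for id_a, id_b, secret in ours:
        if secret.startswith("0x"):            # ranbits output: 0x + hex
            bits = 4 * len(secret[2:].replace("_", ""))
            if bits != 256:
                findings.append("secret for %s %s is %d bits, not 256"
                                % (id_a, id_b, bits))
    return findings


def same_on_both_gateways(path_a, path_b):
    """True when the two gateways' PSK entries are identical, as required."""
    with open(path_a) as a, open(path_b) as b:
        return sorted(parse_psk_lines(a.read())) == sorted(parse_psk_lines(b.read()))


if __name__ == "__main__":
    path = write_sample("constructed_ipsec.secrets", SAMPLE_SECRETS, 0o600)
    print(check_secrets_file(path, "208.164.186.1", "208.164.186.2",
                             owner_uid=CURRENT_UID))
```
</para>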
</section>
<section><?dbhtml filename="chap25sec205.html"?>
<title>Configure <acronym>RSA</acronym> private keys secrets</title>
<para>
Recall that currently with FreeS/WAN software there are two kinds of secrets:
<orderedlist numeration="lowerroman">
<listitem><para>
preshared secrets
</para></listitem><listitem><para>
<acronym>RSA</acronym> private keys.
</para></listitem>
</orderedlist>
The preshared secrets are what we have configured in our <filename>ipsec.conf</filename> and <filename>ipsec.secrets</filename> example, above. Some people may prefer to use <acronym>RSA</acronym> private keys for authentication
by the Pluto daemon of the other hosts. If you are in this situation, you will have to make some minor modifications to your <filename>ipsec.conf</filename> and <filename>ipsec.secrets</filename> files as described in the following steps:
</para>
<para>
You need to create a separate <acronym>RSA</acronym> key for *each* gateway. Each one gets its private key in its own <filename>ipsec.secrets</filename> file, and the public keys go in the <envar>leftrsasigkey=</envar>
and <envar>rightrsasigkey=</envar> parameters in the conn description of the <filename>ipsec.conf</filename> file, which is copied to both gateways.
</para>
<procedure>
<step><para>
Create a separate <acronym>RSA</acronym> key for *each* gateway:
</para>
<substeps><step><para>
On the first gateway i.e. <literal>deep</literal>, use the following commands:
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>ipsec</command> rsasigkey --verbose 1024 &gt; deep-keys
</screen>
<literallayout class="monospaced"><computeroutput>
computing primes and modulus...
getting 64 random bytes from /dev/random
looking for a prime starting there
found it after 30 tries
getting 64 random bytes from /dev/random
looking for a prime starting there
found it after 230 tries
swapping primes so p is the larger
computing (p-1)*(q-1)...
computing d...
computing exp1, exp1, coeff...
output...
</computeroutput></literallayout>
</para></step>
<step><para>
On the second gateway i.e. <literal>mail</literal>, use the following commands:
<screen>
[root@mail /]# <command>cd</command> /
[root@mail /]# <command>ipsec</command> rsasigkey --verbose 1024 &gt; mail-keys
</screen>
<literallayout class="monospaced"><computeroutput>
computing primes and modulus...
getting 64 random bytes from /dev/random
looking for a prime starting there
found it after 30 tries
getting 64 random bytes from /dev/random
looking for a prime starting there
found it after 230 tries
swapping primes so p is the larger
computing (p-1)*(q-1)...
computing d...
computing exp1, exp1, coeff...
output...
</computeroutput></literallayout>
The rsasigkey utility generates a 1024-bit <acronym>RSA</acronym> public and private key pair for signatures and puts it in the file <filename>deep-keys</filename> (<filename>mail-keys</filename> for the second command on the
second gateway). The private key can be inserted verbatim into the <filename>ipsec.secrets</filename> file, and the public key into the <filename>ipsec.conf</filename> file.
</para></step>
</substeps>
</step>
<step><para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The rsasigkey utility may pause for a few seconds if not enough entropy is available immediately. You may want to give it some bogus activity such as random mouse movements. The temporary <acronym>RSA</acronym> key files
<filename>deep-keys</filename> and <filename>mail-keys</filename> should be deleted as soon as you are done with them. <emphasis>Don't forget to delete the <filename>deep-keys</filename> and <filename>mail-keys</filename> <acronym>RSA</acronym> files</emphasis>.
</para></tip>
</para></step>
<step><para>
Modify your <filename>/etc/ipsec.conf</filename> files to use <acronym>RSA</acronym> public keys in *each* gateway:
</para>
<substeps>
<step><para>
Edit your original <filename>ipsec.conf</filename> file, <command>vi</command> <filename>/etc/ipsec.conf</filename>, and add the following parameters related to <acronym>RSA</acronym> to the conn description of your <filename>ipsec.conf</filename> file on both gateways:
<programlisting>
# sample connection
conn deep-mail
left=208.164.186.1
leftsubnet=192.168.1.0/24
leftnexthop=205.151.222.250
right=208.164.186.2
rightsubnet=192.168.1.0/24
rightnexthop=205.151.222.251
keyingtries=0
auth=ah
authby=rsasig <co id="atfsw"/>
leftrsasigkey=&lt;Public key of deep&gt; <co id="lskfsw"/>
rightrsasigkey=&lt;Public key of mail&gt; <co id="rskfsw"/>
auto=start
</programlisting>
<calloutlist><callout arearefs="atfsw"><para>
This parameter specifies how the two security gateways should authenticate each other. The default value is secret for shared secrets. We must specify rsasig for <acronym>RSA</acronym> since we have decided to use <acronym>RSA</acronym> digital signatures.
</para></callout>
<callout arearefs="lskfsw"><para>
This parameter specifies the left participant's public key for <acronym>RSA</acronym> signature authentication. In our example, left is 208.164.186.1, and represents deep.openna.com, so we must put the <acronym>RSA</acronym> public key for deep on this line.
</para></callout>
<callout arearefs="rskfsw"><para>
This parameter specifies the right participant's public key for <acronym>RSA</acronym> signature authentication. In our example, right is 208.164.186.2, and represents mail.openna.com, so we must put the <acronym>RSA</acronym> public key of mail on this line.
</para></callout>
</calloutlist>
</para>
</step>
<step><para>
You can retrieve the public key of deep from the <acronym>RSA</acronym> key file called <filename>deep-keys</filename>, and the public key of mail from the <acronym>RSA</acronym> key file named <filename>mail-keys</filename>, that
we created in the step above. These files will look like this:
<acronym>RSA</acronym> keys for gateway deep (<filename>deep-keys</filename>):
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>vi</command> deep-keys
</screen>
<literallayout class="monospaced"><computeroutput>
# 1024 bits, Fri Feb 4 05:05:19 2000
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0x010395daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f
Modulus: 0x95daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f
PublicExponent: 0x03
# everything after this point is secret
PrivateExponent: 0x63e74967eaea2025c98c69f6ef0753a6a3ff6764157dbdf1f50013471324dd352366f48805b0b37f232384b2b52ce2ee85d173468b62eaa052381a9588a317b3a1324d01a531a41fa7add6c5efbdd88f4718feed2bc0246be924e81bb90f03e49ceedf7af0dd48f06f265b519600bd082c6e6bd27eaa71cc0288df1ecc3b062b
Prime1: 0xc5b471a88b025dd09d4bd7b61840f20d182d9b75bb7c11eb4bd78312209e3aee7ebfe632304db6df5e211d21af7fee79c5d45546bea3ccc7b744254f6f0b847f
Prime2: 0xc20a99feeafe79767122409b693be75f15e1aef76d098ab12579624aec708e85e2c5dd62080c3a64363f2f45b0e96cb4aef8918ca333a326d3f6dc2c72b75361
Exponent1: 0x83cda11b0756e935be328fcebad5f6b36573bcf927a80bf2328facb6c0697c9eff2a9976cade79ea3ec0be1674fff4512e8d8e2f29c2888524d818df9f5d02ff
Exponent2: 0x815c66a9f1fefba44b6c2b124627ef94b9411f4f9e065c7618fb96dc9da05f03ec83e8ec055d7c42ced4ca2e75f0f3231f5061086ccd176f37f9e81da1cf8ceb
Coefficient: 0x10d954c9e2b8d11f4db1b233ef37ff0a3cecfffad89ba5d515449b007803f577e3bd7f0183ceddfd805466d62f767f3f5a5731a73875d30186520f1753a7e325
</computeroutput></literallayout>
</para></step>
<step><para>
<acronym>RSA</acronym> keys for gateway mail (<filename>mail-keys</filename>):
<screen>
[root@mail /]# <command>cd</command> /
[root@mail /]# <command>vi</command> mail-keys
</screen>
<literallayout class="monospaced"><computeroutput>
# 1024 bits, Fri Feb 4 04:46:59 2000
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0x01037631b81f00d5e6f888c542d44dbb784cd3646f084ed96f942d341c7c4686cbd405b805dc728f8697475f11e8b1dd797550153a3f0d4ff0f2b274b70a2ebc88f073748d1c1c8821dc6be6a2f0064f3be7f8e4549f8ab9af64944f829b014788dd202cf7d2e320cab666f5e7a197e64efe0bfee94e92ce4dad82d5230c57b89edf
Modulus: 0x7631b81f00d5e6f888c542d44dbb784cd3646f084ed96f942d341c7c4686cbd405b805dc728f8697475f11e8b1dd797550153a3f0d4ff0f2b274b70a2ebc88f073748d1c1c8821dc6be6a2f0064f3be7f8e4549f8ab9af64944f829b014788dd202cf7d2e320cab666f5e7a197e64efe0bfee94e92ce4dad82d5230c57b89edf
PublicExponent: 0x03
# everything after this point is secret
PrivateExponent: 0x4ecbd014ab3944a5b08381e2de7cfadde242f4b03490f50d737812fd8459dd3803d003e84c5faf0f84ea0bf07693a64e35637c2a08dff5f721a324b1747db09f62c871d5e11711251b845ae76753d4ef967c494b0def4f5d0762f65da603bc04c41b4c6cab4c413a72c633b608267ae2889c162a3d5bc07ee083b1c6e038400b
Prime1: 0xc7f7cc8feaaac65039c39333b878bffd8f95b0dc22995c553402a5b287f341012253e9f25b83983c936f6ca512926bebee3d5403bf9f4557206c6bbfd9aac899
Prime2: 0x975015cb603ac1d488dc876132d8bc83079435d2d3395c03d5386b5c004eadd4d7b01b3d86aad0a2275d2d6b791a2abe50d7740b7725679811a32ca22db97637
Exponent1: 0x854fddb5471c84357bd7b777d0507ffe5fb92092c1bb92e37801c3cc5aa22b5616e29bf6e7ad1028624a486e0c619d47f428e2ad2a6a2e3a159d9d2a911c85bb
Exponent2: 0x64e00e87957c81385b3daf9621e5d302050d7937377b92ad38d04792aadf1e8de52012290471e06c1a3e1e47a61171d435e4f807a4c39a6561177316c9264ecf
Coefficient: 0x6f087591becddc210c2ee0480e30beeb25615a3615203cd3cef65e5a1d476fd9602ca0ef10d9b858edb22db42c975fb71883a470b43433a7be57df7ace4a0a3f
</computeroutput></literallayout>
</para></step>
<step><para>
Extract and copy the public <acronym>RSA</acronym> keys of deep and mail from the key files into your <filename>ipsec.conf</filename> files as shown below. In each key file, the public key is on the commented-out line beginning with
<envar>#pubkey=</envar>.
<programlisting>
# sample connection
conn deep-mail
left=208.164.186.1
leftsubnet=192.168.1.0/24
leftnexthop=205.151.222.250
right=208.164.186.2
rightsubnet=192.168.1.0/24
rightnexthop=205.151.222.251
keyingtries=0
auth=ah
authby=rsasig
leftrsasigkey=0x010395daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f
rightrsasigkey=0x01037631b81f00d5e6f888c542d44dbb784cd3646f084ed96f942d341c7c4686cbd405b805dc728f8697475f11e8b1dd797550153a3f0d4ff0f2b274b70a2ebc88f073748d1c1c8821dc6be6a2f0064f3be7f8e4549f8ab9af64944f829b014788dd202cf7d2e320cab666f5e7a197e64efe0bfee94e92ce4dad82d5230c57b89edf
auto=start
</programlisting>
</para></step>
</substeps>
</step>
<step><para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Don't forget that, in this example,
<itemizedlist>
<listitem><para>
The <envar>leftrsasigkey=</envar> parameter contains the public key of deep
</para></listitem><listitem><para>
The <envar>rightrsasigkey=</envar> parameter contains the public key of mail.
</para></listitem>
</itemizedlist>
</para></note>
</para></step>
<step><para>
Modify your <filename>/etc/ipsec.secrets</filename> files to use <acronym>RSA</acronym> private keys in *each* gateway:
Edit your original <filename>ipsec.secrets</filename> file, <command>vi</command> <filename>/etc/ipsec.secrets</filename> and add the <acronym>RSA</acronym> private key for authentication on both gateways:
The <filename>ipsec.secrets</filename> file for gateway deep:
<screen>
[root@deep] /# <command>vi</command> /etc/ipsec.secrets
</screen>
<programlisting>
208.164.186.1 208.164.186.2 "0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed"
</programlisting>
You must change this original <filename>ipsec.secrets</filename> file to look like the following on both gateways. It is important to note that the private keys are not the same on the two gateways, <literal>deep</literal> and <literal>mail</literal>:
the private key for <literal>deep</literal> comes from the <acronym>RSA</acronym> key file <filename>deep-keys</filename>, while the private key for <literal>mail</literal> comes from the <acronym>RSA</acronym> key file <filename>mail-keys</filename>:
</para>
<substeps>
<step><para>
<programlisting>
208.164.186.1 208.164.186.2: RSA {
Modulus: 0x95daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f
PublicExponent: 0x03
# everything after this point is secret
PrivateExponent: 0x63e74967eaea2025c98c69f6ef0753a6a3ff6764157dbdf1f50013471324dd352366f48805b0b37f232384b2b52ce2ee85d173468b62eaa052381a9588a317b3a1324d01a531a41fa7add6c5efbdd88f4718feed2bc0246be924e81bb90f03e49ceedf7af0dd48f06f265b519600bd082c6e6bd27eaa71cc0288df1ecc3b062b
Prime1: 0xc5b471a88b025dd09d4bd7b61840f20d182d9b75bb7c11eb4bd78312209e3aee7ebfe632304db6df5e211d21af7fee79c5d45546bea3ccc7b744254f6f0b847f
Prime2: 0xc20a99feeafe79767122409b693be75f15e1aef76d098ab12579624aec708e85e2c5dd62080c3a64363f2f45b0e96cb4aef8918ca333a326d3f6dc2c72b75361
Exponent1: 0x83cda11b0756e935be328fcebad5f6b36573bcf927a80bf2328facb6c0697c9eff2a9976cade79ea3ec0be1674fff4512e8d8e2f29c2888524d818df9f5d02ff
Exponent2: 0x815c66a9f1fefba44b6c2b124627ef94b9411f4f9e065c7618fb96dc9da05f03ec83e8ec055d7c42ced4ca2e75f0f3231f5061086ccd176f37f9e81da1cf8ceb
Coefficient: 0x10d954c9e2b8d11f4db1b233ef37ff0a3cecfffad89ba5d515449b007803f577e3bd7f0183ceddfd805466d62f767f3f5a5731a73875d30186520f1753a7e325
}
</programlisting>
</para></step>
<step><para>
The <filename>ipsec.secrets</filename> file for gateway mail:
<screen>
[root@mail /]# <command>vi</command> /etc/ipsec.secrets
</screen>
<programlisting>
208.164.186.1 208.164.186.2: RSA {
Modulus: 0x7631b81f00d5e6f888c542d44dbb784cd3646f084ed96f942d341c7c4686cbd405b805dc728f8697475f11e8b1dd797550153a3f0d4ff0f2b274b70a2ebc88f073748d1c1c8821dc6be6a2f0064f3be7f8e4549f8ab9af64944f829b014788dd202cf7d2e320cab666f5e7a197e64efe0bfee94e92ce4dad82d5230c57b89edf
PublicExponent: 0x03
# everything after this point is secret
PrivateExponent: 0x4ecbd014ab3944a5b08381e2de7cfadde242f4b03490f50d737812fd8459dd3803d003e84c5faf0f84ea0bf07693a64e35637c2a08dff5f721a324b1747db09f62c871d5e11711251b845ae76753d4ef967c494b0def4f5d0762f65da603bc04c41b4c6cab4c413a72c633b608267ae2889c162a3d5bc07ee083b1c6e038400b
Prime1: 0xc7f7cc8feaaac65039c39333b878bffd8f95b0dc22995c553402a5b287f341012253e9f25b83983c936f6ca512926bebee3d5403bf9f4557206c6bbfd9aac899
Prime2: 0x975015cb603ac1d488dc876132d8bc83079435d2d3395c03d5386b5c004eadd4d7b01b3d86aad0a2275d2d6b791a2abe50d7740b7725679811a32ca22db97637
Exponent1: 0x854fddb5471c84357bd7b777d0507ffe5fb92092c1bb92e37801c3cc5aa22b5616e29bf6e7ad1028624a486e0c619d47f428e2ad2a6a2e3a159d9d2a911c85bb
Exponent2: 0x64e00e87957c81385b3daf9621e5d302050d7937377b92ad38d04792aadf1e8de52012290471e06c1a3e1e47a61171d435e4f807a4c39a6561177316c9264ecf
Coefficient: 0x6f087591becddc210c2ee0480e30beeb25615a3615203cd3cef65e5a1d476fd9602ca0ef10d9b858edb22db42c975fb71883a470b43433a7be57df7ace4a0a3f
}
</programlisting>
Authentication by <acronym>RSA</acronym> signatures requires that each host have its own private key. The key part of an entry may start with a token indicating the kind of key: <literal>RSA</literal> signifies an <acronym>RSA</acronym> private key
and <literal>PSK</literal> (the default) signifies a preshared key. Since <acronym>PSK</acronym> is the default, we must specify <literal>RSA</literal> so that we'll be able to use <acronym>RSA</acronym> private keys
in this <filename>ipsec.secrets</filename> file. The super-user <literal>root</literal> should own the file <filename>ipsec.secrets</filename>, and its permissions should be set to block all access by others.
</para></step>
</substeps>
</step>
</procedure>
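<para>
As an added example (not part of this book or of the FreeS/WAN distribution), the following Python script checks a key file produced by <userinput>ipsec rsasigkey</userinput> before its halves are pasted into <filename>ipsec.conf</filename> and <filename>ipsec.secrets</filename>: it confirms that the <envar>#pubkey=</envar> line is the RFC 2537 encoding of <literal>PublicExponent</literal> and <literal>Modulus</literal>, that the private fields are mutually consistent (so a mistyped hex digit is caught before it breaks authentication), and renders the <literal>RSA</literal> entry for <filename>ipsec.secrets</filename> in the format shown above. The sample input is the <filename>deep-keys</filename> file printed in this section; the RFC 2537 encoding rule is assumed from that standard, not stated by the book.

```python
"""Check an 'ipsec rsasigkey' key file before its halves are pasted into
ipsec.conf and ipsec.secrets (added example, not from the book or from
FreeS/WAN): the #pubkey= line must be the RFC 2537 encoding of
PublicExponent and Modulus, the private half must be self-consistent, and
the ipsec.secrets entry is rendered in the format shown above."""
import math

# Sample input: the deep-keys file printed earlier in this chapter.
DEEP_KEYS = """\
# 1024 bits, Fri Feb 4 05:05:19 2000
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0x010395daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f
Modulus: 0x95daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f
PublicExponent: 0x03
# everything after this point is secret
PrivateExponent: 0x63e74967eaea2025c98c69f6ef0753a6a3ff6764157dbdf1f50013471324dd352366f48805b0b37f232384b2b52ce2ee85d173468b62eaa052381a9588a317b3a1324d01a531a41fa7add6c5efbdd88f4718feed2bc0246be924e81bb90f03e49ceedf7af0dd48f06f265b519600bd082c6e6bd27eaa71cc0288df1ecc3b062b
Prime1: 0xc5b471a88b025dd09d4bd7b61840f20d182d9b75bb7c11eb4bd78312209e3aee7ebfe632304db6df5e211d21af7fee79c5d45546bea3ccc7b744254f6f0b847f
Prime2: 0xc20a99feeafe79767122409b693be75f15e1aef76d098ab12579624aec708e85e2c5dd62080c3a64363f2f45b0e96cb4aef8918ca333a326d3f6dc2c72b75361
Exponent1: 0x83cda11b0756e935be328fcebad5f6b36573bcf927a80bf2328facb6c0697c9eff2a9976cade79ea3ec0be1674fff4512e8d8e2f29c2888524d818df9f5d02ff
Exponent2: 0x815c66a9f1fefba44b6c2b124627ef94b9411f4f9e065c7618fb96dc9da05f03ec83e8ec055d7c42ced4ca2e75f0f3231f5061086ccd176f37f9e81da1cf8ceb
Coefficient: 0x10d954c9e2b8d11f4db1b233ef37ff0a3cecfffad89ba5d515449b007803f577e3bd7f0183ceddfd805466d62f767f3f5a5731a73875d30186520f1753a7e325
"""

FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1",
          "Prime2", "Exponent1", "Exponent2", "Coefficient")


def parse_rsasigkey(text):
    """Return {field: int} plus 'pubkey' (hex string) from rsasigkey output."""
    key = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#pubkey="):
            key["pubkey"] = line[len("#pubkey="):]
        elif line and not line.startswith("#"):
            name, value = line.split(":", 1)
            if name.strip() not in FIELDS:
                raise ValueError("unexpected field %r" % name)
            key[name.strip()] = int(value.strip(), 16)
    missing = [f for f in FIELDS + ("pubkey",) if f not in key]
    if missing:
        raise ValueError("key file is missing %s" % ", ".join(missing))
    return key


def rfc2537_pubkey(modulus, exponent):
    """FreeS/WAN's #pubkey= string: RFC 2537 RSA key (exponent length byte,
    exponent, modulus) as hex.  A length of 256 bytes or more is encoded as
    a zero byte plus a two-byte length; e=3 is simply 0x01 0x03."""
    ebytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    nbytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if max(len(ebytes), 255) == 255:      # length fits in one byte
        prefix = bytes([len(ebytes)])
    else:
        prefix = b"\x00" + len(ebytes).to_bytes(2, "big")
    return "0x" + (prefix + ebytes + nbytes).hex()


def check_private_key(key):
    """Return the RSA/CRT consistency failures (empty list for a genuine,
    untampered rsasigkey output).  A transcription error in any field
    shows up here before it can break authentication between the gateways."""
    n, e, d = key["Modulus"], key["PublicExponent"], key["PrivateExponent"]
    p, q = key["Prime1"], key["Prime2"]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    checks = {
        "Prime1*Prime2 != Modulus": p * q == n,
        "PublicExponent*PrivateExponent != 1 mod lcm(p-1,q-1)": e * d % lam == 1,
        "Exponent1 != PrivateExponent mod (Prime1-1)": key["Exponent1"] == d % (p - 1),
        "Exponent2 != PrivateExponent mod (Prime2-1)": key["Exponent2"] == d % (q - 1),
        "Coefficient != Prime2^-1 mod Prime1": key["Coefficient"] * q % p == 1,
        "#pubkey= does not match Modulus/PublicExponent":
            key["pubkey"] == rfc2537_pubkey(n, e),
    }
    return [name for name, ok in checks.items() if not ok]


def secrets_entry(left, right, key):
    """Render the 'left right: RSA { ... }' block for /etc/ipsec.secrets."""
    lines = ["%s %s: RSA {" % (left, right)]
    for field in FIELDS:
        if field == "PrivateExponent":
            lines.append("    # everything after this point is secret")
        lines.append("    %s: 0x%02x" % (field, key[field]))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    key = parse_rsasigkey(DEEP_KEYS)
    print("problems:", check_private_key(key) or "none")
    print("leftrsasigkey=" + key["pubkey"])
    print(secrets_entry("208.164.186.1", "208.164.186.2", key))
```
</para>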
</section>
<section><?dbhtml filename="chap25sec206.html"?>
<title>Required network setup for IPSec</title>
<para>
There are some settings you must verify before starting the FreeS/WAN software; if they are wrong you will get error messages when your <acronym>VPN</acronym> starts. The following
are required:
</para>
<para>
You will need to enable <acronym>IP</acronym> forwarding on both gateway servers. In Red Hat Linux, this is accomplished by changing or adding the following line, depending on the Red Hat version you use:
<mediaobject>
<imageobject>
<imagedata format="GIF" fileref="images/Version6.1.gif"/>
</imageobject>
<textobject><phrase>Version 6.1 only</phrase></textobject>
</mediaobject>
Edit the <filename>network</filename> file, <command>vi</command> <filename>/etc/sysconfig/network</filename>, and change the following line:
<programlisting>
FORWARD_IPV4="false"
</programlisting>
To read:
<programlisting>
FORWARD_IPV4="yes"
</programlisting>
</para>
<para>
You must restart your network for the change to take effect:
<screen>
[root@deep] /# /etc/rc.d/init.d/network restart
</screen>
<literallayout class="monospaced"><computeroutput>
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
</para>
<mediaobject>
<imageobject><imagedata format="GIF" fileref="images/Version6.2.gif"/></imageobject>
<imageobject><imagedata format="GIF" fileref="images2/Version6.2.gif"/></imageobject>
<textobject><phrase>Version 6.2 only</phrase></textobject>
</mediaobject>
<para>
To enable IPv4 forwarding on your Red Hat 6.2 system, edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Enable packet forwarding
net.ipv4.ip_forward = 1
</programlisting>
</para>
<para>
You must restart your network for the change to take effect. The command to restart the network is the following:
<screen>
[root@deep] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
</para>
<para>
Recall that automatically keyed connections use keys negotiated by the Pluto daemon. Pluto starts up, contacts the Pluto daemon at the other end of the tunnel, and negotiates the
connection. For this to work, an IPSEC gateway needs packet filter rules <emphasis>in the firewall script file</emphasis> permitting the following protocols between it and the other IPSEC gateways:
<orderedlist numeration="lowerroman">
<listitem><para>
UDP port 500 for IKE implemented by the Pluto daemon
</para></listitem><listitem><para>
Protocol 50 for ESP encryption and/or authentication
</para></listitem><listitem><para>
Protocol 51 for AH packet-level authentication
</para></listitem>
</orderedlist>
</para>
<procedure>
<step><para>
Edit the <filename>firewall</filename> script file, <command>vi</command> <filename>/etc/rc.d/init.d/firewall</filename> on both gateway machines, and add/check the following lines to allow IPSEC packets
to traverse the remote network gateway to your network gateway and vice versa:
<programlisting>
# FreeS/WAN IPSec VPN
# -------------------
# If you are using the FreeS/WAN IPSec VPN, you will need to fill in the
# addresses of the remote gateways in IPSECSG and the virtual interfaces
# used by FreeS/WAN in FREESWANVI. Both are set at the beginning of this
# firewall script. IPSECSG is a space separated list of remote gateways;
# FREESWANVI is a space separated list of FreeS/WAN virtual interfaces.
# Only include those that are actually used. Because ipchains takes one
# address per rule, we loop over the lists.
#
# IPSEC uses three main types of packet:
#   IKE uses UDP port 500 (Pluto sends from port 500 as well),
#   ESP uses protocol number 50, and
#   AH uses protocol number 51.
for GW in $IPSECSG; do
    # Allow IKE, ESP and AH from/to each remote gateway on the external interface
    ipchains -A input  -i $EXTERNAL_INTERFACE -p udp \
             -s $GW 500 -d $ANYWHERE 500 -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
             -s $ANYWHERE 500 -d $GW 500 -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p 50 \
             -s $GW -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p 50 \
             -d $GW -j ACCEPT
    ipchains -A input  -i $EXTERNAL_INTERFACE -p 51 \
             -s $GW -j ACCEPT
    ipchains -A output -i $EXTERNAL_INTERFACE -p 51 \
             -d $GW -j ACCEPT
done
for VI in $FREESWANVI; do
    # Allow all traffic to and from the FreeS/WAN virtual interface; packets
    # arriving here have already been authenticated and decrypted by KLIPS.
    # Narrow -s/-d to the local and remote subnets to limit what the peer may reach.
    ipchains -A input  -i $VI -s $ANYWHERE -d $ANYWHERE -j ACCEPT
    ipchains -A output -i $VI -s $ANYWHERE -d $ANYWHERE -j ACCEPT
    # Forward anything from the FreeS/WAN virtual interface IPSEC tunnel
    ipchains -A forward -i $VI -s $ANYWHERE -d $ANYWHERE -j ACCEPT
done
</programlisting>
where
<variablelist><varlistentry>
<term>EXTERNAL_INTERFACE="eth0"</term>
<listitem><para>
Your external interface to the Internet.
</para></listitem>
</varlistentry>
<varlistentry>
<term>ANYWHERE="any/0"</term>
<listitem><para>
Means everywhere (0.0.0.0/0).
</para></listitem>
</varlistentry>
<varlistentry>
<term>IPSECSG=<literal>208.164.186.2</literal></term>
<listitem><para>
Space separated list of remote <acronym>VPN</acronym> gateways.
</para></listitem>
</varlistentry>
<varlistentry>
<term>FREESWANVI=<literal>ipsec0</literal></term>
<listitem><para>
Space separated list of virtual interfaces for FreeS/Wan.
</para></listitem>
</varlistentry>
</variablelist>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
See <link linkend="pr4ch4nfl">Networking Firewall</link>, for more information. Don't forget to add/check these firewall rules on the other gateway as well.
</para></important>
</para></step>
<step><para>
The <literal>rp_filter</literal> subsystem related to <acronym>IP</acronym> spoofing protection must be turned off on both gateways for IPSEC to work properly: packets that KLIPS hands up through <literal>ipsec0</literal> carry source addresses from the remote private network, which a reverse-path check would otherwise discard as spoofed. Check that the value 0 (off) is set in
the <filename>/proc/sys/net/ipv4/conf/ipsec0/rp_filter</filename> and <filename>/proc/sys/net/ipv4/conf/eth0/rp_filter</filename> files respectively:
</para>
<substeps>
<step><para>
To check if the value 0 (off) is set in the <filename>rp_filter</filename> files, use the commands:
<screen>
[root@deep] /# <command>cat</command> /proc/sys/net/ipv4/conf/ipsec0/rp_filter
</screen>
<literallayout class="monospaced"><computeroutput>
0
</computeroutput></literallayout>
<screen>
[root@deep] /# <command>cat</command> /proc/sys/net/ipv4/conf/eth0/rp_filter
</screen>
<literallayout class="monospaced"><computeroutput>
0
</computeroutput></literallayout>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The subdirectory <filename>ipsec0</filename> in our example only exists once the KLIPS module is loaded and FreeS/WAN has been started, which in this setup happens at the next reboot. So you can only check the value of the <filename>rp_filter</filename> file in the <filename>ipsec0</filename>
directory after your system has been restarted.
</para></important>
</para></step>
<step><para>
To set the value 0 (off) in the both <filename>rp_filter</filename> files manually, use the command:
<screen>
[root@deep] /# <command>echo</command> 0 &gt; /proc/sys/net/ipv4/conf/ipsec0/rp_filter
[root@deep] /# <command>echo</command> 0 &gt; /proc/sys/net/ipv4/conf/eth0/rp_filter
</screen>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can also put lines like the following in your firewall script file <filename>/etc/rc.d/init.d/firewall</filename> on both gateways to set these values to 0 (off) automatically instead of setting them by hand:
<programlisting>
# Disable <acronym>IP</acronym> spoofing protection to allow IPSEC to work properly
<command>echo</command> 0 &gt; /proc/sys/net/ipv4/conf/ipsec0/rp_filter
<command>echo</command> 0 &gt; /proc/sys/net/ipv4/conf/eth0/rp_filter
</programlisting>
</para></tip>
</para></step>
</substeps>
</step>
<step><para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
In the example of the firewall script file above, we assume that <literal>eth0</literal> is the interface you use for your connection. Of course if you use <literal>eth1</literal> you must change <literal>eth0</literal> to <literal>eth1</literal>, and so on.
</para></note>
If you forget this step you will receive error messages on your terminal such as the following during the start up of FreeSWAN IPSEC:
<literallayout class="monospaced"><computeroutput>
ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
</computeroutput></literallayout>
</para></step>
<step><para>
It's important to note that any masquerading rules for internal networks that use IPSEC must come after the rules allowing IPSEC related traffic (the rules added in the first step above), or the machine will try to masquerade the packets instead of
passing them to IPSEC.
Edit the <filename>firewall</filename> script file, <command>vi</command> <filename>/etc/rc.d/init.d/firewall</filename>, on both gateway machines and add/check the following lines so that traffic from the internal network to the Internet is masqueraded while
traffic for the tunnel is left to IPSEC:
<programlisting>
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
</programlisting>
Where
<variablelist><varlistentry>
<term>EXTERNAL_INTERFACE="eth0"</term>
<listitem><para>
You external interface to the Internet.
</para></listitem>
</varlistentry>
<varlistentry>
<term>LOCALNET_1="192.168.1.0/24"</term>
<listitem><para>
whatever private range you use.
</para></listitem>
</varlistentry>
</variablelist>
</para></step>
</procedure>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
See <link linkend="pr4ch12nfmf">Networking Firewall with Masquerading and Forwarding</link> support for more information.
</para></note>
<para>
Now, you can reboot your system, and the machines on Gateway A should be able to talk to the machines on Gateway B with no problems.
</para>
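<para>
The checks this section asks you to make by hand (forwarding on, <literal>rp_filter</literal> off on the external interface and on <literal>ipsec0</literal>, and <literal>ipsec0</literal> only existing once KLIPS is loaded) can be run together. The following Python script is an added example, not part of the book or of FreeS/WAN; it reads the same <filename>/proc</filename> entries the text shows, can apply the <literal>echo 0</literal> fix, and includes a constructed stand-in for the <filename>/proc</filename> tree so the logic can be exercised offline. The starting state in <literal>demo()</literal> (forwarding off, spoofing protection on, <literal>ipsec0</literal> absent) is constructed for illustration.
</para>
<programlisting><![CDATA[
```python
import os
import tempfile

# Values this section requires on both gateways.
IP_FORWARD = "sys/net/ipv4/ip_forward"        # must read 1
RP_FILTER = "sys/net/ipv4/conf/%s/rp_filter"  # must read 0 for each interface


def read_flag(path):
    with open(path) as f:
        return f.read().strip()


def preflight_problems(interfaces=("eth0", "ipsec0"), proc_root="/proc"):
    """Report every setting that would make ipsec_setup warn or the tunnel fail."""
    problems = []
    forward = read_flag(os.path.join(proc_root, IP_FORWARD))
    if forward != "1":
        problems.append("ip_forward = %s, should be 1" % forward)
    for iface in interfaces:
        path = os.path.join(proc_root, RP_FILTER % iface)
        if not os.path.exists(path):
            # ipsec0 only appears once the KLIPS module is loaded and FreeS/WAN has started
            problems.append("%s: no rp_filter entry (interface not present yet)" % iface)
            continue
        value = read_flag(path)
        if value != "0":
            problems.append("%s: rp_filter = %s, should be 0 (KLIPS may not work)" % (iface, value))
    return problems


def disable_rp_filter(interfaces=("eth0", "ipsec0"), proc_root="/proc"):
    """Same effect as 'echo 0 > /proc/sys/net/ipv4/conf/IFACE/rp_filter' per interface."""
    for iface in interfaces:
        with open(os.path.join(proc_root, RP_FILTER % iface), "w") as f:
            f.write("0\n")


def build_fake_proc(root, ip_forward, rp_filter):
    """Constructed stand-in for /proc so the checks can be exercised offline."""
    def write(rel, value):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(value + "\n")
    write(IP_FORWARD, ip_forward)
    for iface, value in rp_filter.items():
        write(RP_FILTER % iface, value)


def demo():
    """Constructed starting state: forwarding off, spoofing protection on eth0,
    ipsec0 not created yet. Then the state after a reboot with KLIPS, fixed."""
    root = tempfile.mkdtemp()
    build_fake_proc(root, ip_forward="0", rp_filter={"eth0": "1"})
    before = preflight_problems(proc_root=root)
    build_fake_proc(root, ip_forward="1", rp_filter={"eth0": "1", "ipsec0": "1"})
    disable_rp_filter(proc_root=root)
    after = preflight_problems(proc_root=root)
    return before, after


if __name__ == "__main__":
    for problem in preflight_problems():
        print(problem)
```
]]></programlisting>
<para>
Run without arguments as <literal>root</literal> on a gateway it reads the real <filename>/proc</filename>; an empty report means the three requirements of this section are met.
</para>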
</section>
<section><?dbhtml filename="chap25sec207.html"?>
<title>Testing the installation</title>
<para>
Reboot both gateways to get FreeS/WAN started. Examine the <filename>/var/log/messages</filename> file for any signs of trouble. If all goes well you should see something like this in
the <filename>/var/log/messages</filename> file:
</para>
<literallayout class="monospaced"><computeroutput>
Feb 2 05:22:35 deep ipsec_setup: Starting FreeS/WAN IPSEC snap2000jan31b...
Feb 2 05:22:35 deep ipsec_setup: KLIPS debug `none'
Feb 2 05:22:35 deep ipsec_setup: KLIPS ipsec0 on eth0 192.168.1.1/255.255.255.0 broadcast 192.168.1.255
Feb 2 05:22:36 deep ipsec_setup: Disabling core dumps:
Feb 2 05:22:36 deep ipsec_setup: Starting Pluto (debug `none'):
Feb 2 05:22:37 deep ipsec_setup: Loading Pluto database `deep-mail':
Feb 2 05:22:37 deep ipsec_setup: Enabling Pluto negotiation:
Feb 2 05:22:37 deep ipsec_setup: Routing for Pluto conns `deep-mail':
Feb 2 05:22:37 deep ipsec_setup: Initiating Pluto tunnel `deep-mail':
Feb 2 05:22:39 deep ipsec_setup: 102 "deep-mail" #1: STATE_MAIN_I1: initiate
Feb 2 05:22:39 deep ipsec_setup: 104 "deep-mail" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
Feb 2 05:22:39 deep ipsec_setup: 106 "deep-mail" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
Feb 2 05:22:39 deep ipsec_setup: 004 "deep-mail" #1: STATE_MAIN_I4: SA established
Feb 2 05:22:39 deep ipsec_setup: 110 "deep-mail" #2: STATE_QUICK_I1: initiate
Feb 2 05:22:39 deep ipsec_setup: 004 "deep-mail" #2: STATE_QUICK_I2: SA established
Feb 2 05:22:39 deep ipsec_setup: ...FreeS/WAN IPSEC started
</computeroutput></literallayout>
<para>
Examine the <filename>/var/log/secure</filename> file for any signs of trouble. If all goes well you should see something like the following:
<literallayout class="monospaced"><computeroutput>
Feb 21 14:45:42 deep Pluto[432]: Starting Pluto (FreeS/WAN Version 1.3)
Feb 21 14:45:43 deep Pluto[432]: added connection description "deep-mail"
Feb 21 14:45:43 deep Pluto[432]: listening for IKE messages
Feb 21 14:45:43 deep Pluto[432]: adding interface ipsec0/eth0 192.168.1.1
Feb 21 14:45:43 deep Pluto[432]: loading secrets from "/etc/ipsec.secrets"
Feb 21 14:45:43 deep Pluto[432]: "deep-mail" #1: initiating Main Mode
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #1: ISAKMP SA established
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #2: initiating Quick Mode POLICY_RSASIG+POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_TUNNEL+POLICY_PFS
Feb 21 14:45:46 deep Pluto[432]: "deep-mail" #2: sent QI2, IPsec SA established
Feb 21 14:45:47 deep Pluto[432]: "deep-mail" #3: responding to Main Mode
Feb 21 14:45:49 deep Pluto[432]: "deep-mail" #3: sent MR3, ISAKMP SA established
Feb 21 14:45:49 deep Pluto[432]: "deep-mail" #4: responding to Quick Mode
Feb 21 14:45:50 deep Pluto[432]: "deep-mail" #4: IPsec SA established
</computeroutput></literallayout>
</para>
<para>
On both gateways, the following entries should now exist in the <filename class="directory">/proc/net/</filename> directory:
<screen>
[root@deep] /# <command>ls</command> -l /proc/net/ipsec_*
</screen>
</para>
<literallayout class="monospaced"><computeroutput>
-r--r--r-- 1 root root 0 Feb 2 05:30 /proc/net/ipsec_eroute
-r--r--r-- 1 root root 0 Feb 2 05:30 /proc/net/ipsec_klipsdebug
-r--r--r-- 1 root root 0 Feb 2 05:30 /proc/net/ipsec_spi
-r--r--r-- 1 root root 0 Feb 2 05:30 /proc/net/ipsec_spigrp
-r--r--r-- 1 root root 0 Feb 2 05:30 /proc/net/ipsec_spinew
-r--r--r-- 1 root root 0 Feb 2 05:30 /proc/net/ipsec_tncfg
-r--r--r-- 1 root root 0 Feb 2 05:30 /proc/net/ipsec_version
</computeroutput></literallayout>
<para>
The <acronym>IPSEC</acronym> interfaces should be attached on top of the specified physical interfaces. Confirm that with:
<screen>
[root@deep] /# <command>cat</command> /proc/net/ipsec_tncfg
</screen>
</para>
<literallayout class="monospaced"><computeroutput>
ipsec0 -&gt; eth0 mtu=16260 -&gt; 1500
ipsec1 -&gt; NULL mtu=0 -&gt; 0
ipsec2 -&gt; NULL mtu=0 -&gt; 0
ipsec3 -&gt; NULL mtu=0 -&gt; 0
</computeroutput></literallayout>
<para>
Now execute the following command to show minimal debugging information and see if the output looks something like this:
<screen>
[root@deep] /# <command>ipsec</command> look
</screen>
</para>
<literallayout class="monospaced"><computeroutput>
deep.openna.com Fri Feb 4 17:25:17 EST 2000
============-============
192.168.1.1/32 -&gt; 192.168.1.2/32 =&gt; tun0x106@192.168.1.2 esp0x4450894d@192.168.1.2 ah0x4450894c@192.168.1.2
------------=------------
ah0x3350f551@192.168.1.1 AH_HMAC_MD5: dir=in ooowin=32 seq=115 bit=0xffffffff alen=128 aklen=16 life(c,s,h)=bytes(16140,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499
ah0x4450894c@192.168.1.2 AH_HMAC_MD5: dir=out ooowin=32 seq=2828 alen=128 aklen=16 life(c,s,h)=bytes(449488,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
esp0x3350f552@192.168.1.1 ESP_3DES: dir=in ooowin=32 seq=115 bit=0xffffffff eklen=24 life(c,s,h)=bytes(13380,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499
esp0x4450894d@192.168.1.2 ESP_3DES: dir=out ooowin=32 seq=2828 eklen=24 life(c,s,h)=bytes(381616,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
tun0x105@192.168.1.1 IPIP: dir=in 192.168.1.2 -&gt; 192.168.1.1 life(c,s,h)=add(51656,0,0)
tun0x106@192.168.1.2 IPIP: dir=out 192.168.1.1 -&gt; 192.168.1.2 life(c,s,h)=bytes(327581,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.1.2 192.168.1.2 255.255.255.255 UGH 0 0 0 ipsec0
Destination Gateway Genmask Flags MSS Window irtt Iface
</computeroutput></literallayout>
<para>
Try pinging <literal>192.168.1.2</literal> from the <literal>192.168.1.1</literal> client. If this works, you have set it up correctly. If it does not work, check your network to make sure <literal>208.164.186.1</literal> can
reach <literal>208.164.186.2</literal>, that <acronym>IP</acronym> forwarding is enabled, and that no firewall rules are blocking the packets or masquerading them before the rules allowing
IPSec related traffic. For this test to work, it is important to use pings that go from one subnet to the other. In a real deployment the private networks behind the two gateways must use different address ranges; otherwise neither gateway can route a packet to the far side.
<literallayout class="monospaced"><computeroutput>
208.164.186.1 ---- 205.151.222.250 ---- 205.151.222.251 ---- 208.164.186.2
      |                                                            |
192.168.1.0/24                                              192.168.1.0/24
      |                                                            |
 192.168.1.1                                                  192.168.1.2
</computeroutput></literallayout>
</para>
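<para>
To turn the log and <command>ipsec look</command> output above into a pass/fail check rather than something read by eye, the following Python script is an added example (not part of the book or of FreeS/WAN). It reads Pluto lines of the form shown from <filename>/var/log/secure</filename> and counts, per connection, the ISAKMP (Phase 1) and IPsec (Phase 2) SAs that were established; it parses the SA lines of <command>ipsec look</command> and flags a protocol that lacks an inbound or outbound SA. The sample lines are copied from this section's own output; the variant with a missing outbound ESP SA is constructed. The error heuristic (any message containing <literal>ERROR</literal> or <literal>failed</literal>) and the list of legacy algorithms are assumptions of this example; HMAC-MD5 and 3DES were FreeS/WAN's defaults in 2000 and are deprecated by current IPsec algorithm guidance (RFC 8221).
</para>
<programlisting><![CDATA[
```python
import re

# Sample input copied from this section's /var/log/secure example.
PLUTO_LOG = """\
Feb 21 14:45:42 deep Pluto[432]: Starting Pluto (FreeS/WAN Version 1.3)
Feb 21 14:45:43 deep Pluto[432]: added connection description "deep-mail"
Feb 21 14:45:43 deep Pluto[432]: "deep-mail" #1: initiating Main Mode
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #1: ISAKMP SA established
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #2: initiating Quick Mode POLICY_RSASIG+POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_TUNNEL+POLICY_PFS
Feb 21 14:45:46 deep Pluto[432]: "deep-mail" #2: sent QI2, IPsec SA established
Feb 21 14:45:47 deep Pluto[432]: "deep-mail" #3: responding to Main Mode
Feb 21 14:45:49 deep Pluto[432]: "deep-mail" #3: sent MR3, ISAKMP SA established
Feb 21 14:45:49 deep Pluto[432]: "deep-mail" #4: responding to Quick Mode
Feb 21 14:45:50 deep Pluto[432]: "deep-mail" #4: IPsec SA established
""".splitlines()

# Sample input copied from this section's "ipsec look" example (SA lines only).
IPSEC_LOOK = """\
ah0x3350f551@192.168.1.1 AH_HMAC_MD5: dir=in ooowin=32 seq=115 bit=0xffffffff alen=128 aklen=16 life(c,s,h)=bytes(16140,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499
ah0x4450894c@192.168.1.2 AH_HMAC_MD5: dir=out ooowin=32 seq=2828 alen=128 aklen=16 life(c,s,h)=bytes(449488,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
esp0x3350f552@192.168.1.1 ESP_3DES: dir=in ooowin=32 seq=115 bit=0xffffffff eklen=24 life(c,s,h)=bytes(13380,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499
esp0x4450894d@192.168.1.2 ESP_3DES: dir=out ooowin=32 seq=2828 eklen=24 life(c,s,h)=bytes(381616,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
tun0x105@192.168.1.1 IPIP: dir=in 192.168.1.2 -> 192.168.1.1 life(c,s,h)=add(51656,0,0)
tun0x106@192.168.1.2 IPIP: dir=out 192.168.1.1 -> 192.168.1.2 life(c,s,h)=bytes(327581,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6
""".splitlines()

PLUTO_RE = re.compile(r'Pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$')
SA_RE = re.compile(r"^(?P<proto>ah|esp|tun)0x(?P<spi>[0-9a-f]+)@(?P<addr>[\d.]+) "
                   r"(?P<alg>[A-Z0-9_]+): dir=(?P<dir>in|out)")

# FreeS/WAN's defaults in 2000; deprecated by RFC 8221 (assumption: adjust to local policy).
LEGACY_ALGS = {"AH_HMAC_MD5", "ESP_3DES"}


def connection_status(lines):
    """Count Phase 1 (ISAKMP) and Phase 2 (IPsec) SAs per connection name."""
    status = {}
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue
        st = status.setdefault(m.group("conn"), {"isakmp": 0, "ipsec": 0, "errors": []})
        msg = m.group("msg")
        if msg.endswith("ISAKMP SA established"):
            st["isakmp"] += 1
        elif msg.endswith("IPsec SA established"):
            st["ipsec"] += 1
        elif "ERROR" in msg or "failed" in msg.lower():   # heuristic, see lead-in
            st["errors"].append(msg)
    return status


def tunnel_up(status, conn):
    """True when both phases completed for the connection and nothing failed."""
    st = status.get(conn)
    return bool(st) and st["isakmp"] > 0 and st["ipsec"] > 0 and not st["errors"]


def parse_sas(lines):
    return [m.groupdict() for m in map(SA_RE.match, lines) if m]


def missing_directions(sas):
    """A working tunnel needs an inbound and an outbound SA for each protocol in use."""
    seen = {}
    for sa in sas:
        seen.setdefault(sa["proto"], set()).add(sa["dir"])
    return ["%s: no dir=%s SA" % (proto, d)
            for proto, dirs in sorted(seen.items())
            for d in ("in", "out") if d not in dirs]


def legacy_algorithms(sas):
    return sorted({sa["alg"] for sa in sas if sa["alg"] in LEGACY_ALGS})


if __name__ == "__main__":
    status = connection_status(PLUTO_LOG)
    print("deep-mail up:", tunnel_up(status, "deep-mail"))
    sas = parse_sas(IPSEC_LOOK)
    print("missing:", missing_directions(sas), "legacy:", legacy_algorithms(sas))
```
]]></programlisting>
<para>
On a gateway, feed it the real data with <literal>connection_status(open("/var/log/secure"))</literal> and <literal>parse_sas(ipsec_look_output.splitlines())</literal>; a tunnel that shows both phases established but a missing outbound SA is the classic symptom of a firewall or masquerading rule ordered before the IPSEC rules.
</para>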
<para>
A last note about testing the FreeS/WAN <acronym>IPSEC</acronym> installation: if you run into a problem you cannot resolve, the following command collects debugging information,
<emphasis>contents of files, selections from logs, etc.</emphasis>, everything related to the <acronym>IPSEC</acronym> encryption/authentication system, into one file that you can send to the Linux-IPSEC mailing list <email>linux-ipsec@clinet.fi</email> for help.
Use the following command to produce that collection of debugging information:
<screen>
[root@deep] /# <command>ipsec</command> barf &gt; result
</screen>
This command is primarily provided as a convenience for remote debugging: a single command that packages up, <emphasis>and labels</emphasis>, all information that might be relevant to diagnosing a problem in <acronym>IPSEC</acronym>. Review the resulting file before posting it to a public list; it contains your configuration, routing tables and logs, and you should confirm that nothing from <filename>ipsec.secrets</filename> appears in it.
</para>
</section>
<section><?dbhtml filename="chap25sec208.html"?>
<title>Further documentation</title>
<para>
For more details, there are several man pages you can read:
</para>
<variablelist>
<varlistentry>
<term><citerefentry><refentrytitle>ipsec </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- invoke <acronym>IPSEC</acronym> utilities
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec atoaddr, addrtoa </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- convert Internet addresses to and from <acronym>ASCII</acronym>
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec atoasr </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- convert <acronym>ASCII</acronym> to Internet address, subnet, or range
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec atobytes, bytestoa </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- convert binary data bytes from and to <acronym>ASCII</acronym> formats
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec atodata, datatoa </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- convert binary data from and to <acronym>ASCII</acronym> formats
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec atosa, satoa </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- convert <acronym>IPSEC</acronym> Security Association IDs to and from <acronym>ASCII</acronym>
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec atosubnet, subnettoa </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- convert subnet/mask <acronym>ASCII</acronym> form to and from addresses
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec atoul, ultoa </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- convert unsigned-long numbers to and from <acronym>ASCII</acronym>
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec auto </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- control automatically-keyed <acronym>IPSEC</acronym> connections
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec barf </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- spew out collected <acronym>IPSEC</acronym> debugging information
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec bitstomask </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- convert bit count to Internet subnet mask
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec eroute </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- manipulate <acronym>IPSEC</acronym> extended routing tables
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec goodmask </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- is this Internet subnet mask a valid one?
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec hostof </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- given Internet address and subnet mask, return host part
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec klipsdebug </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- set Klips (kernel <acronym>IPSEC</acronym> support) debug features and level
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec look </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- show minimal debugging information
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec manual </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- take manually-keyed <acronym>IPSEC</acronym> connections up and down
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec masktobits </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- convert Internet subnet mask to bit count
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec optionsfrom </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- read additional <literal>command-line</literal> options from file
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec pluto </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- IPsec IKE keying daemon
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec ranbits </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- generate random bits in <acronym>ASCII</acronym> form
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec rangetoa </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- convert Internet address range to <acronym>ASCII</acronym>
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec rsasigkey </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- generate RSA signature key
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec setup </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- control <acronym>IPSEC</acronym> subsystem
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec spi </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- manage <acronym>IPSEC</acronym> Security Associations
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec spigrp </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- group/ungroup <acronym>IPSEC</acronym> Security Associations
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec subnetof </refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
- given Internet address and subnet mask, return subnet number
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec tncfg </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- associate <acronym>IPSEC</acronym> virtual interface with real interface
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec whack </refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
- control interface for <acronym>IPSEC</acronym> keying daemon
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec.conf </refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
- <acronym>IPSEC</acronym> configuration and connections
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ipsec.secrets </refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
- secrets for IKE/IPsec authentication
</para></listitem>
</varlistentry>
</variablelist>
</section>
<section><?dbhtml filename="chap25sec209.html"?>
<title>Installed files</title>
<para>These are the files installed on your system by the software program FreeS/WAN</para>
<simplelist type="horiz" columns="3">
<member><filename>/etc/rc.d/init.d/ipsec</filename></member>
<member><filename>/etc/rc.d/rc0.d/K68ipsec</filename></member>
<member><filename>/etc/rc.d/rc1.d/K68ipsec</filename></member>
<member><filename>/etc/rc.d/rc2.d/S47ipsec</filename></member>
<member><filename>/etc/rc.d/rc3.d/S47ipsec</filename></member>
<member><filename>/etc/rc.d/rc4.d/S47ipsec</filename></member>
<member><filename>/etc/rc.d/rc5.d/S47ipsec</filename></member>
<member><filename>/etc/rc.d/rc6.d/K68ipsec</filename></member>
<member><filename>/etc/ipsec.conf</filename></member>
<member><filename>/etc/ipsec.secrets</filename></member>
<member><filename>/usr/lib/ipsec</filename></member>
<member><filename>/usr/lib/ipsec/spi</filename></member>
<member><filename>/usr/lib/ipsec/eroute</filename></member>
<member><filename>/usr/lib/ipsec/spigrp</filename></member>
<member><filename>/usr/lib/ipsec/tncfg</filename></member>
<member><filename>/usr/lib/ipsec/klipsdebug</filename></member>
<member><filename>/usr/lib/ipsec/pluto</filename></member>
<member><filename>/usr/lib/ipsec/whack</filename></member>
<member><filename>/usr/lib/ipsec/ipsec</filename></member>
<member><filename>/usr/lib/ipsec/barf</filename></member>
<member><filename>/usr/lib/ipsec/manual</filename></member>
<member><filename>/usr/lib/ipsec/auto</filename></member>
<member><filename>/usr/lib/ipsec/look</filename></member>
<member><filename>/usr/lib/ipsec/showdefaults</filename></member>
<member><filename>/usr/lib/ipsec/_include</filename></member>
<member><filename>/usr/lib/ipsec/_confread</filename></member>
<member><filename>/usr/lib/ipsec/_keycensor</filename></member>
<member><filename>/usr/lib/ipsec/_secretcensor</filename></member>
<member><filename>/usr/lib/ipsec/_updown</filename></member>
<member><filename>/usr/lib/ipsec/ranbits</filename></member>
<member><filename>/usr/lib/ipsec/rsasigkey</filename></member>
<member><filename>/usr/lib/ipsec/setup</filename></member>
<member><filename>/usr/man/man3/ipsec_atoaddr.3</filename></member>
<member><filename>/usr/man/man3/ipsec_addrtoa.3</filename></member>
<member><filename>/usr/man/man3/ipsec_atosubnet.3</filename></member>
<member><filename>/usr/man/man3/ipsec_subnettoa.3</filename></member>
<member><filename>/usr/man/man3/ipsec_atoasr.3</filename></member>
<member><filename>/usr/man/man3/ipsec_rangetoa.3</filename></member>
<member><filename>/usr/man/man3/ipsec_atodata.3</filename></member>
<member><filename>/usr/man/man3/ipsec_atobytes.3</filename></member>
<member><filename>/usr/man/man3/ipsec_bytestoa.3</filename></member>
<member><filename>/usr/man/man3/ipsec_datatoa.3</filename></member>
<member><filename>/usr/man/man3/ipsec_atosa.3</filename></member>
<member><filename>/usr/man/man3/ipsec_satoa.3</filename></member>
<member><filename>/usr/man/man3/ipsec_atoul.3</filename></member>
<member><filename>/usr/man/man3/ipsec_ultoa.3</filename></member>
<member><filename>/usr/man/man3/ipsec_goodmask.3</filename></member>
<member><filename>/usr/man/man3/ipsec_masktobits.3</filename></member>
<member><filename>/usr/man/man3/ipsec_bitstomask.3</filename></member>
<member><filename>/usr/man/man3/ipsec_optionsfrom.3</filename></member>
<member><filename>/usr/man/man3/ipsec_subnetof.3</filename></member>
<member><filename>/usr/man/man3/ipsec_hostof.3</filename></member>
<member><filename>/usr/man/man3/ipsec_broadcastof.3</filename></member>
<member><filename>/usr/man/man5/ipsec.secrets.5</filename></member>
<member><filename>/usr/man/man5/ipsec.conf.5</filename></member>
<member><filename>/usr/man/man8/ipsec_spi.8</filename></member>
<member><filename>/usr/man/man8/ipsec.8</filename></member>
<member><filename>/usr/man/man8/ipsec_eroute.8</filename></member>
<member><filename>/usr/man/man8/ipsec_spigrp.8</filename></member>
<member><filename>/usr/man/man8/ipsec_tncfg.8</filename></member>
<member><filename>/usr/man/man8/ipsec_klipsdebug.8</filename></member>
<member><filename>/usr/man/man8/ipsec_pluto.8</filename></member>
<member><filename>/usr/man/man8/ipsec_whack.8</filename></member>
<member><filename>/usr/man/man8/ipsec_barf.8</filename></member>
<member><filename>/usr/man/man8/ipsec_look.8</filename></member>
<member><filename>/usr/man/man8/ipsec_manual.8</filename></member>
<member><filename>/usr/man/man8/ipsec_auto.8</filename></member>
<member><filename>/usr/man/man8/ipsec_setup.8</filename></member>
<member><filename>/usr/man/man8/ipsec_ranbits.8</filename></member>
<member><filename>/usr/man/man8/ipsec_rsasigkey.8</filename></member>
<member><filename>/usr/sbin/ipsec</filename></member></simplelist>
</section>
</chapter>
<chapter label="26"><?dbhtml filename="net-oLDAP.html"?>
<title>Linux OpenLDAP Server</title>
<highlights><para>
Until now, we have been talking about security and optimization in this book, so why would we talk about OpenLDAP? Well, the OpenLDAP directory server will expand our horizons through its many possibilities. We can use its replication
capability to centralize and consolidate different information on one server for all the others in our network. Imagine having the possibility of adding or disabling a Unix or NT account, setting access to a restricted Web server, and
adding a mail address or alias, all with a single operation available as an <acronym>NIS</acronym> service, with the added security of <acronym>SSL</acronym> encryption, and the speed of object-oriented hierarchies. Another interesting
use is to create an authoritative list of employees on one or more <acronym>LDAP</acronym> servers that can be accessible from your private network, or over the Internet.
</para></highlights>
<section id="pr6ch26sccmi"><?dbhtml filename="chap26sec210.html"?>
<title>Compile and Install</title>
<sidebar>
<title>As stated on the <citation>OpenLDAP web site</citation>:</title>
<para>
<acronym>LDAP</acronym> -Lightweight Directory Access Protocol is an open-standard protocol for accessing information services. The protocol runs over Internet transport protocols, such as <acronym>TCP</acronym>, and can be used to access
stand-alone directory servers or X.500 directories.
</para>
</sidebar>
<mediaobject>
<imageobject><imagedata fileref="./images/LDAP-Schema.gif" format="GIF"/></imageobject>
<textobject><phrase>LDAP</phrase></textobject>
</mediaobject>
<para>
These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename class="directory">/var/tmp</filename>, <emphasis>other paths are possible</emphasis>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>.
</para></listitem><listitem><para>
OpenLDAP version number is 1.2.10
</para></listitem>
</itemizedlist>
</para>
<para>
The package(s) required are available at:
<simplelist>
<member>
OpenLDAP Homepage:<link linkend="prtinxfp25">http://www.openldap.org/</link>
</member><member>
OpenLDAP FTP Site: <link linkend="prtinxfp25">204.152.186.57</link>
</member><member>
You must be sure to download: openldap-1.2.10.tgz
</member>
</simplelist>
</para>
<para>
Before you decompress tarballs, it is a good idea to make a list of files on the system before you install OpenLDAP, and one afterwards, and then compare them using diff to find out what file it placed where. Simply
run <command>find</command> <userinput>/* &gt; OpenLDAP1</userinput> before and <command>find</command> <userinput>/* &gt; OpenLDAP2</userinput> after you install the software, and use <command>diff</command> <userinput>OpenLDAP1 OpenLDAP2 &gt; OpenLDAP-Installed</userinput>
to get a list of what changed.
</para>
<para>
Copy and decompress the tarball, <literal>tar.gz</literal>.
<screen>
[root@deep] /# <command>cp</command> openldap-version.tgz /var/tmp
[root@deep] /# <command>cd</command> /var/tmp/
[root@deep ]/tmp# <command>tar</command> xzpf openldap-version.tgz
</screen>
</para>
</section>
<section><?dbhtml filename="chap26sec211.html"?>
<title>Compile and Optimize</title>
<para>
Move into the new OpenLDAP directory and type the following commands on your terminal:
</para>
<para>
It is important to note that you can configure three different kinds of backend databases with <acronym>LDAP</acronym>.
<orderedlist numeration="lowerroman">
<listitem><para>
A high-performance, disk-based database called <literal>LDBM</literal>
</para></listitem><listitem><para>
A database interface to arbitrary UNIX commands or shell scripts called <literal>SHELL</literal>
</para></listitem><listitem><para>
A simple password file database named <literal>PASSWD</literal>
</para></listitem>
</orderedlist>
</para>
<procedure>
<step><para>
The default installation of OpenLDAP assumes an <literal>LDBM</literal> backend database, so if you want to configure another type of backend database, you must specify it during the configuration and compile time. For a <literal>SHELL</literal> backend
database you must add the <literal>--enable-shell</literal> option and for a <literal>PASSWD</literal> backend database used as replacement for <acronym>NIS</acronym> service you must add the <literal>--enable-passwd</literal> option in your
configuration lines.
<programlisting>
CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -D_REENTRANT" \
./configure \
--prefix=/usr \
--libexecdir=/usr/sbin \
--localstatedir=/var/run \
--sysconfdir=/etc \
--enable-dns \
--enable-shared \
--with-gnu-ld \
--disable-debug
</programlisting>
This tells OpenLDAP to set itself up for this particular hardware setup as follows:
<itemizedlist>
<listitem><para>
Enable dns support.
</para></listitem><listitem><para>
Build shared libraries.
</para></listitem><listitem><para>
Assume the C compiler uses GNU ld.
</para></listitem>
</itemizedlist>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title> <para>
The compile options above assume that you want to set up an <literal>LDBM</literal> backend database. For the other type of backend database, you must add the required option in your configuration lines above.
</para></important>
</para></step>
</procedure>
<para>
Now, we must compile and install OpenLDAP in the server:
<screen>
[root@deep openldap-1.2.10]# <command>make depend</command>
[root@deep openldap-1.2.10]# <command>make</command>
[root@deep openldap-1.2.10]# <command>cd</command> tests/
[root@deep tests]# <command>make</command>
[root@deep tests]# <command>cd</command> ..
[root@deep openldap-1.2.10]# <command>make install</command>
</screen>
<itemizedlist>
<listitem><para>
The <command>make depend</command> command will build and make the necessary dependencies for different files,
</para></listitem><listitem><para>
<command>make</command> compiles all source files into executable binaries,
</para></listitem><listitem><para>
<command>make install</command> installs the binaries and any supporting files into the appropriate locations.
</para></listitem>
</itemizedlist>
</para>
<para>
The <command>make</command> command run in the <filename class="directory">tests/</filename> subdirectory performs some important tests to verify the functionality of your <acronym>LDAP</acronym> server before the installation. If some
tests fail, you'll need to fix the problems before continuing the installation.
</para>
<screen>
[root@deep openldap-1.2.10]# <command>install</command> -d -m 700 /var/ldap
[root@deep openldap-1.2.10]# echo localhost > /etc/openldap/ldapserver
[root@deep openldap-1.2.10]# <command>strip</command> /usr/lib/liblber.so.1.0.0
[root@deep openldap-1.2.10]# <command>strip</command> /usr/lib/libldap.so.1.0.0
[root@deep openldap-1.2.10]# <command>strip</command> /usr/lib/libldap.a
[root@deep openldap-1.2.10]# <command>strip</command> /usr/lib/liblber.a
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/in.xfingerd
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/go500
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/go500gw
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/mail500
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/rp500
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/rcpt500
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/fax500
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/slapd
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/slurpd
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/ldif
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/ldif2ldbm
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/ldif2index
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/ldif2id2entry
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/ldif2id2children
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/ldbmcat
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/ldbmtest
[root@deep openldap-1.2.10]# <command>strip</command> /usr/sbin/centipede
[root@deep openldap-1.2.10]# <command>strip</command> /usr/bin/ud
[root@deep openldap-1.2.10]# <command>strip</command> /usr/bin/ldapadd
[root@deep openldap-1.2.10]# <command>strip</command> /usr/bin/ldapsearch
[root@deep openldap-1.2.10]# <command>strip</command> /usr/bin/ldapmodify
[root@deep openldap-1.2.10]# <command>strip</command> /usr/bin/ldapmodrdn
[root@deep openldap-1.2.10]# <command>strip</command> /usr/bin/ldappasswd
[root@deep openldap-1.2.10]# <command>strip</command> /usr/bin/ldapdelete
</screen>
<para>
<itemizedlist><listitem><para>
The <command>install</command> command above will create a new directory named <filename class="directory">ldap</filename> under <filename class="directory">/var</filename> directory and will set its mode to
be readable, writable, and executable only by the super-user <literal>root</literal>, <literal>700</literal> for security reasons.
</para></listitem><listitem><para>
The <command>strip</command> command will discard all symbols from the object files. This means that our binary files will be smaller in size, which improves the performance of the program since
there is less data for the system to read when it loads the binary.
</para></listitem>
</itemizedlist>
</para>
<para>
Please don't forget to cleanup later:
<screen>
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf openldap-version/ openldap-version.tgz
</screen>
The <command>rm</command> command will remove all the source files we have used to compile and install OpenLDAP. It will also remove the OpenLDAP compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap26sec212.html"?>
<title>Configurations</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. This can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>.
You can unpack this to any location on your local machine, say for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each piece of software has its own directory
holding its configuration files. For example, the <wordasword>OpenLDAP</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 16
-rw-r--r-- 1 harrypotter harrypotter 321 Jun 8 13:00 Compile-OpenLDAP
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 init.d/
-rwx------ 1 harrypotter harrypotter 893 Jun 8 13:00 ldap.sh*
-rw------- 1 harrypotter harrypotter 922 Jun 8 13:00 slapd.conf
</computeroutput></literallayout>
You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or edit them manually to suit your needs. This facility is provided as a convenience, but please don't forget that it is ultimately your
responsibility to check and verify them before you use them, whether modified or as they are.
</para>
</note>
<para>
To run OpenLDAP server, the following files are required and must be created or copied to the appropriate directories on your server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>slapd.conf</filename> file in the <filename class="directory">/etc/openldap/</filename> directory.
</para></listitem><listitem><para>
Copy the ldap script file in the <filename class="directory">/etc/rc.d/init.d/</filename> directory.
</para></listitem>
</orderedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed in the next few sections on our <filename>floppy.tgz</filename> archive. Copy the following files from the decompressed <filename>floppy.tgz</filename> archive to the appropriate places or copy
and paste them directly from this book to the concerned file.
</para></tip>
</section>
<section><?dbhtml filename="chap26sec213.html"?>
<title>Configure the <filename>/etc/openldap/slapd.conf</filename> file</title>
<para>
The <filename>/etc/openldap/slapd.conf</filename> file is the main configuration file for the stand-alone <acronym>LDAP</acronym> daemon. Options like:
<simplelist type="inline"><member>permission</member> <member>password</member> <member>database type</member> <member>database location</member></simplelist> and so on can be configured in this file and will apply to the <literal>slapd</literal>
daemon as a whole. In the example below we configure the <filename>slapd.conf</filename> file for an <acronym>LDBM</acronym> backend database.
</para>
<para>
Edit the <filename>slapd.conf</filename> file, <command>vi</command> <filename>/etc/openldap/slapd.conf</filename> and add/adjust the following information:
<programlisting>
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/slapd.at.conf
include         /etc/openldap/slapd.oc.conf
schemacheck     off
#referral       ldap://ldap.itd.umich.edu
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "o=openna, c=com"
directory       /var/ldap
rootdn          "cn=admin, o=openna, c=com"
rootpw          secret
# cleartext passwords, especially for the rootdn, should
# be avoided. See slapd.conf(5) for details.

# ldbm indexed attribute definitions
index           cn,sn,uid
index           objectclass     pres,eq
index           default         none

# ldbm access control definitions
# "by" clauses must be on continuation lines (leading whitespace)
defaultaccess   read
access to attr=userpassword
        by self write
        by dn="cn=admin, o=openna, c=com" write
        by * compare
</programlisting>
</para>
<para>
You should be sure to set the following options in your <filename>slapd.conf</filename> file above before starting the slapd daemon program:
<glosslist><glossentry>
<glossterm>suffix o=openna, c=com</glossterm>
<glossdef><para>
This option specifies the DN of the root of the sub tree you are trying to create. In other words, it indicates what entries are to be held by this database.
</para></glossdef>
</glossentry><glossentry>
<glossterm>directory /var/ldap</glossterm>
<glossdef><para>
This option specifies the directory where the database and associated indexes files of <acronym>LDAP</acronym> should reside. We must set this to <filename class="directory">/var/ldap</filename> because we created this directory
earlier in the installation stage specifically to handle the backend database of <acronym>LDAP</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm>rootdn cn=admin, o=openna, c=com</glossterm>
<glossdef>
<para>
This option specifies the DN of an entry allowed to do anything on the <acronym>LDAP</acronym> directory. The name entered here can be one that doesn't actually exist in your password file <filename>/etc/passwd</filename>.
</para>
</glossdef>
</glossentry><glossentry>
<glossterm>rootpw secret</glossterm>
<glossdef><para>
This option specifies the password that can be used to authenticate the <literal>super-user</literal> entry of the database. This is the password for the rootdn option above. It's important not to use a clear text
password here; use a hashed password instead.
</para></glossdef>
</glossentry><glossentry>
<glossterm>index cn,sn,uid | index objectclass pres,eq | index default none</glossterm>
<glossdef><para>
These options specify the index definitions you want to build and maintain in the database definition. The options we specify in our <filename>slapd.conf</filename> file example above cause all indexes to be maintained for
the <literal>cn</literal>, <literal>sn</literal>, and <literal>uid</literal> attributes (<literal>index cn,sn,uid</literal>), presence and equality indexes for the objectclass attribute (<literal>index objectclass pres,eq</literal>),
and no indexes for all remaining attributes (<literal>index default none</literal>). See your user manual for more information.
</para></glossdef>
</glossentry>
</glosslist>
</para>
<para>
The last options in the file <filename>slapd.conf</filename> relate to access control in <acronym>LDAP</acronym> directory.
<programlisting>
defaultaccess   read
access to attr=userpassword
        by self write
        by dn="cn=admin, o=openna, c=com" write
        by * compare
</programlisting>
This example applies to entries in the <literal>o=openna, c=com</literal> sub tree. Read access is granted to everyone, and the entry itself can write all attributes, except for userpassword. The userpassword attribute is writable only by
the specified <literal>cn</literal> entry; <literal>admin</literal>, and comparable by everybody else. See your user manual for more information.
</para>
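<para>
As an added check for the two passages above (the <filename>slapd.conf</filename> options and its access-control rules), the following Python script is not part of OpenLDAP or of this book's <filename>floppy.tgz</filename>: it parses the slapd.conf directive and continuation-line syntax and flags a clear-text <literal>rootpw</literal>, a <literal>userpassword</literal> attribute that everyone can read or search, <literal>schemacheck off</literal>, and a file mode that leaves the file readable beyond its owner. The set of hash prefixes it treats as hashed and the <literal>{CRYPT}</literal> placeholder in the hardened sample are assumptions.
</para>

```python
"""Audit a slapd.conf written in the OpenLDAP 1.2 style shown in this chapter.
Added example for this chapter, not part of OpenLDAP: it reports the
weaknesses the text warns about.
"""
import re
import stat

# Prefixes this check treats as "hashed". Which schemes your slapd build
# accepts is an assumption; OpenLDAP 1.2 needs --enable-crypt for {CRYPT}.
HASHED_PREFIXES = ("{CRYPT}", "{MD5}", "{SHA}", "{SMD5}", "{SSHA}")
# Access levels that let a client retrieve or enumerate a password hash.
TOO_OPEN = ("search", "read", "write")


def parse_slapd_conf(text):
    """Return [(directive, argument), ...] in file order.

    slapd.conf rules: '#' starts a comment, blank lines are ignored and a
    line that begins with whitespace continues the previous directive
    (that is how the multi-line 'access ... by ...' rules are written).
    """
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + stripped
        else:
            logical.append(stripped)
    entries = []
    for line in logical:
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1] if len(parts) == 2 else ""))
    return entries


def by_clauses(access_arg):
    """Split 'to attr=x by self write by * compare' into [(who, level), ...]."""
    pieces = re.split(r"\s+by\s+", access_arg)
    clauses = []
    for piece in pieces[1:]:  # pieces[0] is the 'to ...' part
        who, _, level = piece.rpartition(" ")
        clauses.append((who.strip(), level.strip().lower()))
    return clauses


def audit(entries, file_mode=None):
    """Return a list of findings; an empty list means nothing was flagged.
    file_mode is the optional st_mode of slapd.conf; it holds rootpw, so 0600.
    """
    findings = []
    single = {}
    access_rules = []
    for name, arg in entries:
        if name == "access":
            access_rules.append(arg)
        else:
            single[name] = arg  # a later directive overrides an earlier one

    rootpw = single.get("rootpw", "")
    if rootpw and not rootpw.upper().startswith(HASHED_PREFIXES):
        findings.append("rootpw is stored in clear text")
    if single.get("schemacheck", "on").lower() == "off":
        findings.append("schemacheck off: entries violating the schema are accepted")
    if single.get("defaultaccess", "read").lower() == "write":
        findings.append("defaultaccess lets anyone modify the directory")

    pw_rules = [r for r in access_rules if "attr=userpassword" in r.lower()]
    if not pw_rules:
        findings.append("no access rule covers userpassword; defaultaccess applies to it")
    for rule in pw_rules:
        for who, level in by_clauses(rule):
            if who == "*" and level in TOO_OPEN:
                findings.append("userpassword is %s-able by everyone" % level)

    if file_mode is not None:
        # group and other permission digits must both be zero
        perm = format(stat.S_IMODE(file_mode), "o").zfill(3)
        if perm[-2:] != "00":
            findings.append("slapd.conf mode %s is readable beyond its owner" % perm)
    return findings


# Constructed sample: the chapter's slapd.conf without the include lines.
WEAK_CONF = """\
schemacheck off
database ldbm
suffix "o=openna, c=com"
rootdn "cn=admin, o=openna, c=com"
rootpw secret
defaultaccess read
access to attr=userpassword
        by self write
        by dn="cn=admin, o=openna, c=com" write
        by * compare
"""
# Constructed hardened variant; the {CRYPT} value is a placeholder, not a hash.
HARDENED_CONF = WEAK_CONF.replace("schemacheck off", "schemacheck on").replace(
    "rootpw secret", "rootpw {CRYPT}PLACEHOLDER-HASH")
```

To audit the installed file, pass the text of <filename>/etc/openldap/slapd.conf</filename> to <literal>parse_slapd_conf</literal> and <literal>os.stat(path).st_mode</literal> as <literal>file_mode</literal>.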
</section>
<section><?dbhtml filename="chap26sec214.html"?>
<title>Configure the <filename>/etc/rc.d/init.d/ldap</filename> script file</title>
<para>
Configure your <filename>/etc/rc.d/init.d/ldap</filename> script file to start and stop <acronym>LDAP</acronym> Server. Create the ldap script file, <command>touch</command> <filename>/etc/rc.d/init.d/ldap</filename> and add:
</para>
<programlisting>
#!/bin/sh
#
# ldap          This shell script takes care of starting and stopping
#               ldap servers (slapd and slurpd).
#
# chkconfig: - 70 40
# description: LDAP stands for Lightweight Directory Access Protocol, used \
#              for implementing the industry standard directory services.
# processname: slapd
# config: /etc/openldap/slapd.conf
# pidfile: /var/run/slapd.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] &amp;&amp; exit 0

[ -f /usr/sbin/slapd ] || exit 0
[ -f /usr/sbin/slurpd ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting ldap: "
        daemon slapd
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            # slurpd is only needed when replication is configured.
            if grep -q "^replogfile" /etc/openldap/slapd.conf; then
                daemon slurpd
                RETVAL=$?
                [ $RETVAL -eq 0 ] &amp;&amp; pidof slurpd | cut -f 1 -d " " > /var/run/slurpd
            fi
        fi
        echo
        [ $RETVAL -eq 0 ] &amp;&amp; touch /var/lock/subsys/ldap
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down ldap: "
        killproc slapd
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            if grep -q "^replogfile" /etc/openldap/slapd.conf; then
                killproc slurpd
                RETVAL=$?
            fi
        fi
        echo
        if [ $RETVAL -eq 0 ]; then
            rm -f /var/lock/subsys/ldap
            rm -f /var/run/slapd.args
        fi
        ;;
  status)
        status slapd
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            if grep -q "^replogfile" /etc/openldap/slapd.conf; then
                status slurpd
                RETVAL=$?
            fi
        fi
        ;;
  restart)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  reload)
        killproc -HUP slapd
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            if grep -q "^replogfile" /etc/openldap/slapd.conf; then
                killproc -HUP slurpd
                RETVAL=$?
            fi
        fi
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 1
esac

exit $RETVAL
</programlisting>
<para>
Now, make this script executable and change its default permissions:
<screen>
[root@deep] /# <command>chmod</command> 700 /etc/rc.d/init.d/ldap
</screen>
</para>
<para>
Create the symbolic rc.d links for OpenLDAP with the command:
<screen>
[root@deep] /# <command>chkconfig</command> --add ldap
</screen>
</para>
<para>
The OpenLDAP script will not automatically start the slapd daemon when you reboot the server. You can change its defaults by executing the following command:
<screen>
[root@deep] /# <command>chkconfig</command> --level 345 ldap on
</screen>
</para>
<para>
Start your OpenLDAP Server manually with the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/ldap start
</screen>
<literallayout class="monospaced"><computeroutput>
Starting ldap: [ OK ]
</computeroutput></literallayout>
</para>
</section>
<section><?dbhtml filename="chap26sec215.html"?>
<title>Securing OpenLDAP</title>
<para>
Don't forget to immunize important configuration files. The immutable bit can be used to prevent one from accidentally deleting or overwriting a file that must be protected. It also prevents someone from creating a symbolic link
to this file. Once your <filename>slapd.conf</filename> file has been configured, it's a good idea to immunize it with a command like:
<screen>
[root@deep] /# <command>chattr</command> +i /etc/openldap/slapd.conf
</screen>
</para>
<para>
For further documentation and more details, there are several man pages you can read:
<variablelist>
<varlistentry>
<term><citerefentry><refentrytitle>ldapd</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
<acronym>LDAP</acronym> X.500 Protocol Daemon
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ldapdelete</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
ldap delete entry tool
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ldapfilter.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
configuration file for <acronym>LDAP</acronym> get filter routines
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ldapfriendly</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
data file for <acronym>LDAP</acronym> friendly routines
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ldapmodify, ldapadd</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
ldap modify entry and ldap add entry tools
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ldapmodrdn</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
ldap modify entry RDN tool
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ldappasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
change the password of an <acronym>LDAP</acronym> entry
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ldapsearch</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
ldap search tool
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ldapsearchprefs.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
configuration file for <acronym>LDAP</acronym> search preference routines
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ldaptemplates.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
configuration file for <acronym>LDAP</acronym> display template routines
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ldif</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
<acronym>LDAP</acronym> Data Interchange Format
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>slapd</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
Stand-alone <acronym>LDAP</acronym> Daemon
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>slapd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
configuration file for slapd, the stand-alone <acronym>LDAP</acronym> daemon
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>slurpd</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
Standalone <acronym>LDAP</acronym> Update Replication Daemon
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>ud</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
interactive <acronym>LDAP</acronym> Directory Server query program
</para></listitem>
</varlistentry>
</variablelist>
</para>
</section>
<section><?dbhtml filename="chap26sec216.html"?>
<title>OpenLDAP Creation and Maintenance Tools</title>
<para>
To create the <acronym>LDBM</acronym> backend database, there are two methods available for <acronym>LDAP</acronym>:
<orderedlist>
<listitem><para>
The first is off-line with the <command>ldif2ldbm</command> command utility
</para></listitem><listitem><para>
The other is on-line with the <command>ldapadd</command> command utility.
</para></listitem>
</orderedlist>
Usually you use the off-line method when you have many thousands of entries to insert into your database and the on-line method when you have only a small number of entries to put into your database. It is also important to
note that
<itemizedlist>
<listitem><para>
The off-line method requires that your <literal>slapd</literal> daemon is not running
</para></listitem><listitem><para>
The on-line method requires that your <literal>slapd</literal> daemon of <acronym>LDAP</acronym> is running.
</para></listitem>
</itemizedlist>
</para>
<section>
<title>Create the <acronym>LDBM</acronym> backend database off-line</title>
<para>
The first thing to do is to create an <acronym>LDIF</acronym> input file containing a text representation of your entries. The text file named <filename>my-data-file</filename> below can be used as an example file. <emphasis>Of course, your
real LDIF input file will hold much more information than this example</emphasis>. When you install OpenLDAP for the first time and have many entries to put in your backend database, it is always a good idea to put all this information into
a text file and load it into your backend database with the <command>ldif2ldbm</command> command utility.
</para>
<example>
<title><filename>my-data-file</filename></title>
<para>
Create the file with <command>touch</command> <filename>/tmp/my-data-file</filename> and, as an example, add the following lines to it (each entry ends with a blank line):
</para></example>
<procedure>
<step><para>
<programlisting>
dn: o=openna, c=com
o: openna
objectclass: organization

dn: cn=Gerhard Mourani, o=openna, c=com
cn: Gerhard Mourani
sn: Mourani
mail: gmourani@videotron.ca
title: Author
objectclass: person

dn: cn=Anthony Bay, o=openna, c=com
cn: Anthony Bay
sn: Bay
homephone: (444) 111-2233
mobile: (444) 555-6677
mail: abay@openna.com
objectclass: person

dn: cn=George Parker, o=openna, c=com
cn: George Parker
sn: Parker
telephonenumber: (555) 234-5678
fax: (543) 987-6543
mobile: (543) 321-4354
description: E-Commerce
objectclass: person
</programlisting>
The above example shows you how to convert your information into <acronym>LDIF</acronym> files before adding them to your new backend directory. Consult your OpenLDAP documentation or book for more information.
</para></step>
<step><para>
Once the <acronym>LDIF</acronym> input file containing our entries has been created, we must insert it in the <acronym>LDAP</acronym> directory server.
To insert the LDIF input file and create the database off-line, use the following command:
<screen>
[root@deep ]/tmp# <command>ldif2ldbm</command> -i &lt;inputfile&gt; -f &lt;slapdconfigfile&gt;
[root@deep ]/tmp# <command>ldif2ldbm</command> -i my-data-file -f /etc/openldap/slapd.conf
</screen>
The <literal>-i</literal> option with &lt;inputfile&gt; specifies the location of the LDIF input file containing, in text form, the entries to add. The <literal>-f</literal> option with &lt;slapdconfigfile&gt; specifies the location of the slapd configuration file, which specifies where to create the indexes, what indexes to create, etc.
</para></step>
</procedure>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
It is important to note that the <command>slapd</command> daemon of <acronym>LDAP</acronym> is not started in this mode of creation.
</para></important>
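<para>
As an added example (not code from the book or from OpenLDAP), the following Python script parses an LDIF file into entries and reports the structural mistakes that <command>ldif2ldbm</command> would otherwise load without complaint: an entry that does not start with a <literal>dn:</literal> line, two <literal>dn:</literal> lines in one entry (a missing blank separator line), duplicate DNs, and entries without an <literal>objectclass</literal>. The sample LDIF is constructed from the <filename>my-data-file</filename> entries above, with one separator line deliberately left out.
</para>
```python
"""Sanity-check an LDIF file before bulk-loading it with ldif2ldbm.

Added example for this chapter, not code from the book or from OpenLDAP.
It assumes the classic LDIF rules that ldif2ldbm and ldapadd rely on:
an entry starts with a "dn:" line, attributes follow as "name: value"
(or "name:: base64value"), a line beginning with a space continues the
previous line, lines beginning with "#" are comments, and a blank line
ends the entry.
"""
import base64

# Constructed sample modelled on the book's my-data-file.  The first two
# entries are separated correctly; the blank line before the third one
# is missing, so ldif2ldbm would read entries two and three as one record.
SAMPLE_LDIF = """\
dn: o=openna, c=com
o: openna
objectclass: organization

dn: cn=Gerhard Mourani, o=openna, c=com
cn: Gerhard Mourani
sn: Mourani
mail: gmourani@videotron.ca
title: Author
objectclass: person
dn: cn=Anthony Bay, o=openna, c=com
cn: Anthony Bay
sn: Bay
mail: abay@openna.com
objectclass: person
"""


def _records(text):
    """Yield each blank-line separated record as a list of logical lines,
    with continuation lines (leading space) already joined."""
    record, logical = [], None
    for raw in text.splitlines() + [""]:      # sentinel closes the last record
        if raw.startswith("#"):
            continue
        if raw.strip() == "":                 # blank line: end of record
            if logical is not None:
                record.append(logical)
            logical = None
            if record:
                yield record
                record = []
            continue
        if raw.startswith(" ") and logical is not None:
            logical += raw[1:]                # continuation of previous line
            continue
        if logical is not None:
            record.append(logical)
        logical = raw


def parse_ldif(text):
    """Parse LDIF text into a list of entries; each entry is the ordered
    list of (attribute, value) pairs, the dn included as attribute "dn".
    Attribute names are lower-cased because LDAP treats them as
    case-insensitive."""
    entries = []
    for record in _records(text):
        entry = []
        for line in record:
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError("LDIF line without ':' separator: %r" % line)
            if value.startswith(":"):          # "attr:: base64" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            entry.append((attr.strip().lower(), value))
        entries.append(entry)
    return entries


def check_entries(entries):
    """Return a list of problem descriptions; an empty list means the
    file is structurally safe to hand to ldif2ldbm."""
    problems, seen = [], set()
    for number, entry in enumerate(entries, 1):
        label = "entry %d" % number
        dns = [value for attr, value in entry if attr == "dn"]
        if entry[0][0] != "dn":
            problems.append("%s: first line is not 'dn:'" % label)
        if len(dns) > 1:
            problems.append("%s: %d 'dn:' lines, a blank separator line "
                            "is missing" % (label, len(dns)))
        for dn in dns:
            # Normalise spacing and case so "O=OPENNA, C=COM" matches "o=openna,c=com".
            key = ",".join(part.strip().lower() for part in dn.split(","))
            if key in seen:
                problems.append("%s: duplicate dn %r" % (label, dn))
            seen.add(key)
        if not any(attr == "objectclass" for attr, value in entry):
            problems.append("%s: no objectclass attribute" % label)
    return problems


def check_ldif_text(text):
    """Parse and check in one call; run this on the file before ldif2ldbm."""
    return check_entries(parse_ldif(text))


if __name__ == "__main__":
    for problem in check_ldif_text(SAMPLE_LDIF) or ["no problems found"]:
        print(problem)
```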
</section>
</section>
<section><?dbhtml filename="chap26sec217.html"?>
<title>Create the LDBM backend database on-line</title>
<para>
If the entries in your directory server are already created or if you have only a small amount of information to insert into your backend database, you'll prefer to use the <command>ldapadd</command> command utility to do
your job on-line. For example, to add the <literal>Europe Mourani</literal> entry using the <command>ldapadd</command> tool, you could create a file called <filename>newentry</filename> in your <filename class="directory">/tmp</filename>
directory.
</para>
<example>
<title><acronym>LDBM</acronym> backend</title>
<para>
Create the <filename>newentry</filename> file, <command>touch</command> <filename>/tmp/newentry</filename> and add in this file the following contents:
</para>
</example>
<procedure>
<step><para>
<programlisting>
cn=Europe Mourani, o=openna, c=com
cn=Europe Mourani
sn=Mourani
mail=emourani@old.com
description=Marketing relation
objectClass=person
</programlisting>
</para></step>
<step><para>
Once the file <filename>newentry</filename> has been created, we must add the entry into the <acronym>LDAP</acronym> directory server.
To actually create the entry on-line in the backend database, use the following command:
<screen>
[root@deep] /# <command>ldapadd</command> -f /tmp/newentry -D "cn=admin, o=openna, c=com" -W
</screen>
<literallayout class="monospaced"><computeroutput>
Enter LDAP Password :
</computeroutput></literallayout>
The above command assumes that you have set rootdn to <literal>cn=admin, o=openna, c=com</literal> and rootpw to <literal>secret</literal>. You will be prompted to enter the password.
</para></step>
</procedure>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
It is important to note that the <command>slapd</command> daemon of <acronym>LDAP</acronym> is started in this mode of creation.
</para></important>
<section>
<title>ldapmodify</title>
<para>
Contrary to relational databases where data is constantly changed, the directory server contains information that is rarely modified once inserted. But, some times you need to modify information, and the <command>ldapmodify</command>
tool will help you in your tasks. The <command>ldapmodify</command> command allows you to add or modify entries on the backend directory server.
</para>
<example>
<title><filename>modifyentry</filename></title>
<para>
Assuming that we want to replace the contents of the <literal>Europe Mourani</literal> entry's mail attribute with the new value <literal>emourani@new.com</literal>, the following steps are required:
</para>
</example>
<procedure>
<step><para>
Create the <filename>modifyentry</filename> file, <command>touch</command> <filename>/tmp/modifyentry</filename> and add in this file the contents:
<programlisting>
cn=Europe Mourani, o=openna, c=com
- mail=emourani@old.com # will delete the old mail address for Europe Mourani in the database.
+mail=emourani@new.com # will add the new mail address for Europe Mourani in the database.
</programlisting>
</para></step>
<step><para>
Once the <filename>modifyentry</filename> file has been created, we must replace the entry in the <acronym>LDAP</acronym> directory server with the one contained in this file -<filename>modifyentry</filename>.
To modify the contents of backend database, use the following command:
<screen>
[root@deep] /# <command>ldapmodify</command> -D "cn=Admin, o=openna, c=com" -W -f &lt;inputfile&gt;
[root@deep] /# <command>ldapmodify</command> -D "cn=Admin, o=openna, c=com" -W -f modifyentry
</screen>
Where &lt;inputfile&gt; is the name of the file <filename>modifyentry</filename> we created in step 1 above.
</para></step>
</procedure>
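<para>
Current OpenLDAP releases accept only LDIF input for <command>ldapmodify</command>, so a file in the old <literal>-attr=value</literal> / <literal>+attr=value</literal> form shown above would be rejected on a newer server. As an added example (not code from the book or from OpenLDAP), the following Python function converts that old format into the LDIF <literal>changetype: modify</literal> form; it assumes that a line without a <literal>-</literal> or <literal>+</literal> prefix replaces the attribute's values, and that text after <literal> #</literal> is an annotation to be dropped.
</para>
```python
"""Convert the book's old-style ldapmodify input into LDIF "changetype: modify".

Added example for this chapter, not code from the book or from OpenLDAP.
Input format, as in the modifyentry listing: the DN on the first line, then
one attr=value per line, prefixed with "-" to delete that value or "+" to
add it.  Assumptions: an unprefixed line replaces the attribute's values,
whole lines starting with "#" and anything after " #" are annotations
that are dropped.
"""

# Constructed from the book's modifyentry listing.
SAMPLE_MODIFY = """\
cn=Europe Mourani, o=openna, c=com
- mail=emourani@old.com # will delete the old mail address
+mail=emourani@new.com # will add the new mail address
"""

PREFIX_OPS = {"-": "delete", "+": "add"}


def old_modify_to_ldif(text):
    """Return the equivalent LDIF change record as a string."""
    lines = [line.split(" #", 1)[0].strip() for line in text.splitlines()]
    lines = [line for line in lines if line and not line.startswith("#")]
    if not lines:
        raise ValueError("empty modify record")
    out = ["dn: " + lines[0], "changetype: modify"]
    for line in lines[1:]:
        op = PREFIX_OPS.get(line[0], "replace")   # no prefix: replace (assumption)
        if line[0] in PREFIX_OPS:
            line = line[1:].strip()
        attr, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected attr=value, got %r" % line)
        attr, value = attr.strip(), value.strip()
        # One mod spec per line, each terminated by "-" as RFC 2849 requires.
        out += ["%s: %s" % (op, attr), "%s: %s" % (attr, value), "-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(old_modify_to_ldif(SAMPLE_MODIFY), end="")
```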
</section>
</section>
<section><?dbhtml filename="chap26sec218.html"?>
<title>OpenLDAP Users Tools</title>
<para>
To search the <acronym>LDAP</acronym> directory server for entries, use the ldapsearch utility, which searches through the backend database of the <acronym>LDAP</acronym> directory for the information you have requested.
You can use the following command:
<screen>
[root@deep] /# <command>ldapsearch</command> -b "&lt;basedn&gt;" "&lt;filter&gt;"
[root@deep] /# <command>ldapsearch</command> -b "o=openna, c=com" "cn=europe*"
</screen>
<literallayout class="monospaced"><computeroutput>
cn=Europe Mourani, o=openna, c=com
cn=Europe Mourani
sn=Mourani
mail=emourani@old.com
description=Marketing relation
objectClass=person
</computeroutput></literallayout>
This command will retrieve all entries and values for the name europe and will print the result to standard output in your terminal.
</para>
<para>
There are many possible uses of the OpenLDAP software; for instance, OpenLDAP can be used as:
<orderedlist numeration="upperroman">
<listitem><para>
Web Catalogue Server.
</para></listitem><listitem><para>
White Pages Server.
</para></listitem><listitem><para>
Certificate Server.
</para></listitem><listitem><para>
An Access Control Server.
</para></listitem><listitem><para>
Network Name Server.
</para></listitem>
</orderedlist>
</para>
<section>
<title>The Netscape Address Book client for <acronym>LDAP</acronym></title>
<para>
If you have Netscape installed on a Linux workstation, or even another kind of operating system, you can use its Address Book features to access the <acronym>LDAP</acronym> Directory Server you have just installed
on Linux and query your directory server for information like you do with the <command>ldapsearch</command> command tool on Linux.
</para>
<para>
If you are interested in doing that, follow the simple steps below:
<orderedlist>
<listitem><para>
Open Netscape Communicator
</para></listitem><listitem><para>
Go to Communicator menu
</para></listitem><listitem><para>
Open the Address Book
</para></listitem><listitem><para>
Go to File menu
</para></listitem><listitem><para>
Click on New Directory
</para></listitem><listitem><para>
Fill the boxes with your server information
</para></listitem>
</orderedlist>
</para>
<example>
<title>Address Book</title>
<para>
<simplelist type="vert">
<member>
<guimenuitem>Description:</guimenuitem> <userinput>Open Network Architecture</userinput>
</member><member>
<guimenuitem>LDAP Server:</guimenuitem> <userinput>208.164.186.3</userinput>
</member><member>
<guimenuitem>Server Root:</guimenuitem> <userinput>o=openna, c=com</userinput>
</member>
</simplelist>
</para>
</example>
<para>
Now all you have to do is to make some queries to your <acronym>LDAP</acronym> Directory Server on Linux, by using the box named <guimenu>Show names Containing:</guimenu> to start your search, and clicking on
the button <guimenuitem>Search For:</guimenuitem> to get the results.
</para>
<para>
<mediaobject>
<imageobject><imagedata fileref="./images/LDAP-AddressBook.gif" format="GIF"/></imageobject>
<textobject><phrase>Address Book</phrase></textobject>
<caption><para>The Netscape Address Book Client Program.</para></caption>
</mediaobject>
</para>
</section>
</section>
<section><?dbhtml filename="chap26sec219.html"?>
<title>Installed files</title>
<para>
These are the files installed by the OpenLDAP program on your system.
</para>
<simplelist type="horiz" columns="2">
<member><filename>/etc/openldap</filename></member>
<member><filename>/etc/openldap/ldap.conf</filename></member>
<member><filename>/etc/openldap/ldap.conf.default</filename></member>
<member><filename>/etc/openldap/ldapfilter.conf</filename></member>
<member><filename>/etc/openldap/ldapfilter.conf.default</filename></member>
<member><filename>/etc/openldap/ldaptemplates.conf</filename></member>
<member><filename>/etc/openldap/ldaptemplates.conf.default</filename></member>
<member><filename>/etc/openldap/ldapsearchprefs.conf</filename></member>
<member><filename>/etc/openldap/ldapsearchprefs.conf.default</filename></member>
<member><filename>/etc/openldap/slapd.conf</filename></member>
<member><filename>/etc/openldap/slapd.conf.default</filename></member>
<member><filename>/etc/openldap/slapd.at.conf</filename></member>
<member><filename>/etc/openldap/slapd.at.conf.default</filename></member>
<member><filename>/etc/openldap/slapd.oc.conf</filename></member>
<member><filename>/etc/openldap/slapd.oc.conf.default</filename></member>
<member><filename>/etc/openldap/ldapserver</filename></member>
<member><filename>/etc/rc.d/init.d/ldap</filename></member>
<member><filename>/etc/rc.d/rc0.d/K40ldap</filename></member>
<member><filename>/etc/rc.d/rc1.d/K40ldap</filename></member>
<member><filename>/etc/rc.d/rc2.d/K40ldap</filename></member>
<member><filename>/etc/rc.d/rc3.d/S70ldap</filename></member>
<member><filename>/etc/rc.d/rc4.d/S70ldap</filename></member>
<member><filename>/etc/rc.d/rc5.d/S70ldap</filename></member>
<member><filename>/etc/rc.d/rc6.d/K40ldap</filename></member>
<member><filename>/usr/bin/ud</filename></member>
<member><filename>/usr/bin/ldapsearch</filename></member>
<member><filename>/usr/bin/ldapmodify</filename></member>
<member><filename>/usr/bin/ldapdelete</filename></member>
<member><filename>/usr/bin/ldapmodrdn</filename></member>
<member><filename>/usr/bin/ldappasswd</filename></member>
<member><filename>/usr/bin/ldapadd</filename></member>
<member><filename>/usr/include/ldap.h</filename></member>
<member><filename>/usr/include/lber.h</filename></member>
<member><filename>/usr/include/ldap_cdefs.h</filename></member>
<member><filename>/usr/include/disptmpl.h</filename></member>
<member><filename>/usr/include/srchpref.h</filename></member>
<member><filename>/usr/lib/liblber.so.1.0.0</filename></member>
<member><filename>/usr/lib/liblber.so.1</filename></member>
<member><filename>/usr/lib/liblber.so</filename></member>
<member><filename>/usr/lib/liblber.la</filename></member>
<member><filename>/usr/lib/liblber.a</filename></member>
<member><filename>/usr/lib/libldap.so.1.0.0</filename></member>
<member><filename>/usr/lib/libldap.so.1</filename></member>
<member><filename>/usr/lib/libldap.so</filename></member>
<member><filename>/usr/lib/libldap.la</filename></member>
<member><filename>/usr/lib/libldap.a</filename></member>
<member><filename>/usr/man/man1/ud.1</filename></member>
<member><filename>/usr/man/man1/ldapdelete.1</filename></member>
<member><filename>/usr/man/man1/ldapmodify.1</filename></member>
<member><filename>/usr/man/man1/ldapadd.1</filename></member>
<member><filename>/usr/man/man1/ldapmodrdn.1</filename></member>
<member><filename>/usr/man/man1/ldappasswd.1</filename></member>
<member><filename>/usr/man/man1/ldapsearch.1</filename></member>
<member><filename>/usr/man/man3/cldap_close.3</filename></member>
<member><filename>/usr/man/man3/cldap_open.3</filename></member>
<member><filename>/usr/man/man3/cldap_search_s.3</filename></member>
<member><filename>/usr/man/man3/cldap_setretryinfo.3</filename></member>
<member><filename>/usr/man/man3/lber-decode.3</filename></member>
<member><filename>/usr/man/man3/lber-encode.3</filename></member>
<member><filename>/usr/man/man3/ldap.3</filename></member>
<member><filename>/usr/man/man3/cldap.3</filename></member>
<member><filename>/usr/man/man3/ldap_abandon.3</filename></member>
<member><filename>/usr/man/man3/ldap_add.3</filename></member>
<member><filename>/usr/man/man3/ldap_add_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_bind.3</filename></member>
<member><filename>/usr/man/man3/ldap_bind_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_simple_bind.3</filename></member>
<member><filename>/usr/man/man3/ldap_simple_bind_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_kerberos_bind_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_kerberos_bind1.3</filename></member>
<member><filename>/usr/man/man3/ldap_kerberos_bind1_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_kerberos_bind2.3</filename></member>
<member><filename>/usr/man/man3/ldap_kerberos_bind2_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_unbind.3</filename></member>
<member><filename>/usr/man/man3/ldap_unbind_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_set_rebind_proc.3</filename></member>
<member><filename>/usr/man/man3/ldap_cache.3</filename></member>
<member><filename>/usr/man/man3/ldap_enable_cache.3</filename></member>
<member><filename>/usr/man/man3/ldap_disable_cache.3</filename></member>
<member><filename>/usr/man/man3/ldap_destroy_cache.3</filename></member>
<member><filename>/usr/man/man3/ldap_flush_cache.3</filename></member>
<member><filename>/usr/man/man3/ldap_uncache_entry.3</filename></member>
<member><filename>/usr/man/man3/ldap_uncache_request.3</filename></member>
<member><filename>/usr/man/man3/ldap_set_cache_options.3</filename></member>
<member><filename>/usr/man/man3/ldap_charset.3</filename></member>
<member><filename>/usr/man/man3/ldap_set_string_translators.3</filename></member>
<member><filename>/usr/man/man3/ldap_enable_translation.3</filename></member>
<member><filename>/usr/man/man3/ldap_translate_from_t61.3</filename></member>
<member><filename>/usr/man/man3/ldap_translate_to_t61.3</filename></member>
<member><filename>/usr/man/man3/ldap_t61_to_8859.3</filename></member>
<member><filename>/usr/man/man3/ldap_8859_to_t61.3</filename></member>
<member><filename>/usr/man/man3/ldap_compare.3</filename></member>
<member><filename>/usr/man/man3/ldap_compare_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_delete.3</filename></member>
<member><filename>/usr/man/man3/ldap_delete_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_disptmpl.3</filename></member>
<member><filename>/usr/man/man3/ldap_init_templates.3</filename></member>
<member><filename>/usr/man/man3/ldap_init_templates_buf.3</filename></member>
<member><filename>/usr/man/man3/ldap_free_templates.3</filename></member>
<member><filename>/usr/man/man3/ldap_first_disptmpl.3</filename></member>
<member><filename>/usr/man/man3/ldap_next_disptmpl.3</filename></member>
<member><filename>/usr/man/man3/ldap_oc2template.3</filename></member>
<member><filename>/usr/man/man3/ldap_tmplattrs.3</filename></member>
<member><filename>/usr/man/man3/ldap_first_tmplrow.3</filename></member>
<member><filename>/usr/man/man3/ldap_next_tmplrow.3</filename></member>
<member><filename>/usr/man/man3/ldap_first_tmplcol.3</filename></member>
<member><filename>/usr/man/man3/ldap_next_tmplcol.3</filename></member>
<member><filename>/usr/man/man3/ldap_entry2text.3</filename></member>
<member><filename>/usr/man/man3/ldap_entry2text_search.3</filename></member>
<member><filename>/usr/man/man3/ldap_vals2text.3</filename></member>
<member><filename>/usr/man/man3/ldap_entry2html.3</filename></member>
<member><filename>/usr/man/man3/ldap_entry2html_search.3</filename></member>
<member><filename>/usr/man/man3/ldap_vals2html.3</filename></member>
<member><filename>/usr/man/man3/ldap_error.3</filename></member>
<member><filename>/usr/man/man3/ldap_perror.3</filename></member>
<member><filename>/usr/man/man3/ld_errno.3</filename></member>
<member><filename>/usr/man/man3/ldap_result2error.3</filename></member>
<member><filename>/usr/man/man3/ldap_open.3</filename></member>
<member><filename>/usr/man/man3/ldap_errlist.3</filename></member>
<member><filename>/usr/man/man3/ldap_err2string.3</filename></member>
<member><filename>/usr/man/man3/ldap_first_attribute.3</filename></member>
<member><filename>/usr/man/man3/ldap_next_attribute.3</filename></member>
<member><filename>/usr/man/man3/ldap_first_entry.3</filename></member>
<member><filename>/usr/man/man3/ldap_next_entry.3</filename></member>
<member><filename>/usr/man/man3/ldap_count_entries.3</filename></member>
<member><filename>/usr/man/man3/ldap_friendly.3</filename></member>
<member><filename>/usr/man/man3/ldap_friendly_name.3</filename></member>
<member><filename>/usr/man/man3/ldap_free_friendlymap.3</filename></member>
<member><filename>/usr/man/man3/ldap_get_dn.3</filename></member>
<member><filename>/usr/man/man3/ldap_explode_dn.3</filename></member>
<member><filename>/usr/man/man3/ldap_explode_dns.3</filename></member>
<member><filename>/usr/man/man3/ldap_dn2ufn.3</filename></member>
<member><filename>/usr/man/man3/ldap_is_dns_dn.3</filename></member>
<member><filename>/usr/man/man3/ldap_get_values.3</filename></member>
<member><filename>/usr/man/man3/ldap_get_values_len.3</filename></member>
<member><filename>/usr/man/man3/ldap_value_free.3</filename></member>
<member><filename>/usr/man/man3/ldap_value_free_len.3</filename></member>
<member><filename>/usr/man/man3/ldap_count_values.3</filename></member>
<member><filename>/usr/man/man3/ldap_count_values_len.3</filename></member>
<member><filename>/usr/man/man3/ldap_getfilter.3</filename></member>
<member><filename>/usr/man/man3/ldap_init_getfilter.3</filename></member>
<member><filename>/usr/man/man3/ldap_init_getfilter_buf.3</filename></member>
<member><filename>/usr/man/man3/ldap_getfilter_free.3</filename></member>
<member><filename>/usr/man/man3/ldap_getfirstfilter.3</filename></member>
<member><filename>/usr/man/man3/ldap_getnextfilter.3</filename></member>
<member><filename>/usr/man/man3/ldap_setfilteraffixes.3</filename></member>
<member><filename>/usr/man/man3/ldap_build_filter.3</filename></member>
<member><filename>/usr/man/man3/ldap_modify.3</filename></member>
<member><filename>/usr/man/man3/ldap_modify_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_mods_free.3</filename></member>
<member><filename>/usr/man/man3/ldap_modrdn.3</filename></member>
<member><filename>/usr/man/man3/ldap_modrdn_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_modrdn2.3</filename></member>
<member><filename>/usr/man/man3/ldap_modrdn2_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_init.3</filename></member>
<member><filename>/usr/man/man3/ldap_result.3</filename></member>
<member><filename>/usr/man/man3/ldap_msgfree.3</filename></member>
<member><filename>/usr/man/man3/ldap_search.3</filename></member>
<member><filename>/usr/man/man3/ldap_search_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_search_st.3</filename></member>
<member><filename>/usr/man/man3/ldap_searchprefs.3</filename></member>
<member><filename>/usr/man/man3/ldap_init_searchprefs.3</filename></member>
<member><filename>/usr/man/man3/ldap_init_searchprefs_buf.3</filename></member>
<member><filename>/usr/man/man3/ldap_free_searchprefs.3</filename></member>
<member><filename>/usr/man/man3/ldap_first_searchobj.3</filename></member>
<member><filename>/usr/man/man3/ldap_next_searchobj.3</filename></member>
<member><filename>/usr/man/man3/ldap_sort.3</filename></member>
<member><filename>/usr/man/man3/ldap_sort_entries.3</filename></member>
<member><filename>/usr/man/man3/ldap_sort_values.3</filename></member>
<member><filename>/usr/man/man3/ldap_sort_strcasecmp.3</filename></member>
<member><filename>/usr/man/man3/ldap_ufn.3</filename></member>
<member><filename>/usr/man/man3/ldap_ufn_search_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_ufn_search_c.3</filename></member>
<member><filename>/usr/man/man3/ldap_ufn_search_ct.3</filename></member>
<member><filename>/usr/man/man3/ldap_ufn_setprefix.3</filename></member>
<member><filename>/usr/man/man3/ldap_ufn_setfilter.3</filename></member>
<member><filename>/usr/man/man3/ldap_ufn_timeout.3</filename></member>
<member><filename>/usr/man/man3/ldap_url.3</filename></member>
<member><filename>/usr/man/man3/ldap_is_ldap_url.3</filename></member>
<member><filename>/usr/man/man3/ldap_url_parse.3</filename></member>
<member><filename>/usr/man/man3/ldap_free_urldesc.3</filename></member>
<member><filename>/usr/man/man3/ldap_url_search.3</filename></member>
<member><filename>/usr/man/man3/ldap_url_search_s.3</filename></member>
<member><filename>/usr/man/man3/ldap_url_search_st.3</filename></member>
<member><filename>/usr/man/man5/ldap.conf.5</filename></member>
<member><filename>/usr/man/man5/ldapfilter.conf.5</filename></member>
<member><filename>/usr/man/man5/ldapfriendly.5</filename></member>
<member><filename>/usr/man/man5/ldapsearchprefs.conf.5</filename></member>
<member><filename>/usr/man/man5/ldaptemplates.conf.5</filename></member>
<member><filename>/usr/man/man5/ldif.5</filename></member>
<member><filename>/usr/man/man5/slapd.conf.5</filename></member>
<member><filename>/usr/man/man5/slapd.replog.5</filename></member>
<member><filename>/usr/man/man5/ud.conf.5</filename></member>
<member><filename>/usr/man/man8/centipede.8</filename></member>
<member><filename>/usr/man/man8/chlog2replog.8</filename></member>
<member><filename>/usr/man/man8/edb2ldif.8</filename></member>
<member><filename>/usr/man/man8/go500.8</filename></member>
<member><filename>/usr/man/man8/go500gw.8</filename></member>
<member><filename>/usr/man/man8/in.xfingerd.8</filename></member>
<member><filename>/usr/man/man8/ldapd.8</filename></member>
<member><filename>/usr/man/man8/ldbmcat.8</filename></member>
<member><filename>/usr/man/man8/ldif.8</filename></member>
<member><filename>/usr/man/man8/ldif2ldbm.8</filename></member>
<member><filename>/usr/man/man8/ldif2index.8</filename></member>
<member><filename>/usr/man/man8/ldif2id2entry.8</filename></member>
<member><filename>/usr/man/man8/ldif2id2children.8</filename></member>
<member><filename>/usr/man/man8/mail500.8</filename></member>
<member><filename>/usr/man/man8/fax500.8</filename></member>
<member><filename>/usr/man/man8/rcpt500.8</filename></member>
<member><filename>/usr/man/man8/slapd.8</filename></member>
<member><filename>/usr/man/man8/slurpd.8</filename></member>
<member><filename>/usr/sbin/ldif</filename></member>
<member><filename>/usr/sbin/in.xfingerd</filename></member>
<member><filename>/usr/sbin/go500</filename></member>
<member><filename>/usr/sbin/go500gw</filename></member>
<member><filename>/usr/sbin/mail500</filename></member>
<member><filename>/usr/sbin/rp500</filename></member>
<member><filename>/usr/sbin/fax500</filename></member>
<member><filename>/usr/sbin/xrpcomp</filename></member>
<member><filename>/usr/sbin/rcpt500</filename></member>
<member><filename>/usr/sbin/slapd</filename></member>
<member><filename>/usr/sbin/ldif2ldbm</filename></member>
<member><filename>/usr/sbin/ldif2index</filename></member>
<member><filename>/usr/sbin/ldif2id2entry</filename></member>
<member><filename>/usr/sbin/ldif2id2children</filename></member>
<member><filename>/usr/sbin/ldbmcat</filename></member>
<member><filename>/usr/sbin/centipede</filename></member>
<member><filename>/usr/sbin/ldbmtest</filename></member>
<member><filename>/usr/sbin/slurpd</filename></member>
<member><filename>/usr/share/openldap</filename></member>
<member><filename>/usr/share/openldap/ldapfriendly</filename></member>
<member><filename>/usr/share/openldap/go500gw.help</filename></member>
<member><filename>/usr/share/openldap/rcpt500.help</filename></member>
<member><filename>/var/ldap</filename></member>
</simplelist>
</section>
</chapter>
<chapter label="27"><?dbhtml filename="datab-pSQL.html"?>
<title>Linux PostgreSQL Database Server</title>
<highlights><para>
Once you begin to serve, and supply services to your customers, you'll inevitably find that you need to keep information about them in an archive to be accessible and modifiable at any time, should you want it. These tasks can be accomplished
with the use of a database. Many databases are available on Linux; choosing one can be complicated, as it must be able to support a number of programming languages, standards and features. PostgreSQL, developed originally in the UC Berkeley
Computer Science Department, pioneered many of the object-relational concepts now becoming available in commercial databases. It provides SQL92/SQL3 language support, transaction integrity, and type extensibility.
</para></highlights>
<section id="pr6ch27scpsql"><?dbhtml filename="chap27sec220.html"?>
<title>Install PostgreSQL</title>
<sidebar>
<title>As per the <citation>PostgreSQL web site</citation>:</title>
<para>
PostgreSQL is a sophisticated Object-Relational <acronym>DBMS</acronym>, supporting almost all <acronym>SQL</acronym> constructs, including subselects, transactions, and user-defined types and functions. It is the most advanced
open-source database available anywhere.
<mediaobject>
<imageobject>
<imagedata fileref="./images/SQL-Schema.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>
PostgreSQL
</phrase>
</textobject>
</mediaobject>
</para>
</sidebar>
<para>
These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename>/var/tmp</filename>, <emphasis>other paths are possible</emphasis>.
</para></listitem>
<listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>.
</para></listitem><listitem><para>
PostgreSQL version number is 6.5.3
</para></listitem>
</itemizedlist>
</para>
<para>
These are the package(s), available here:
<simplelist><member>
PostgreSQL Homepage: <link linkend="prtinxfp27">http://www.postgresql.org/</link>
</member><member>
PostgreSQL FTP Site: <link linkend="prtinxfp27">216.126.84.28</link>
</member><member>
You must be sure to download: postgresql-6.5.3.tar.gz
</member>
</simplelist>
</para>
<para>
There are certain prerequisites before compiling the PostgreSQL program: you must verify that the <literal>egcs-c++-version.i386.rpm</literal> package is installed on your system. The <literal>egcs-c++-version.i386.rpm</literal> package
is located on your Red Hat Linux CD-ROM under the <filename class="directory">RedHat/RPMS</filename> subdirectory. After compilation and installation of PostgreSQL you can remove this package from your system.
To verify that egcs-c++-version.i386.rpm is already installed, use the following command:
<screen>
[root@deep] /# <command>rpm</command> -q egcs-c++
</screen>
To install egcs-c++-version.i386.rpm, use the following command:
<screen>
[root@deep] /# <command>mount</command> /dev/cdrom /mnt/cdrom
[root@deep] /# <command>cd</command> /mnt/cdrom/RedHat/RPMS
[root@deep ]/RPMS# <command>rpm</command> -Uvh egcs-c++-version.i386.rpm
</screen>
<literallayout class="monospaced"><computeroutput>
egcs-c++ ##################################################
</computeroutput></literallayout>
</para>
<para>
Before you decompress the tarballs, it is a good idea to make a list of files on the system before you install it, and one afterwards, and then compare them using diff to find out what file it placed where. Simply run <command>find</command> <userinput>/* &gt; PostgreSQL1</userinput>
before and <command>find</command> <userinput>/* &gt; PostgreSQL2</userinput> after you install the tarball, and use <command>diff</command> <userinput>PostgreSQL1 PostgreSQL2 &gt; PostgreSQL-Installed</userinput> to get a list of what changed.
</para>
<para>
To compile, you need to decompress the tarball -<literal>tar.gz</literal>:
<screen>
[root@deep] /# <command>cp</command> postgresql-version.tar.gz /var/tmp
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf postgresql-version.tar.gz
</screen>
</para>
</section>
<section><?dbhtml filename="chap27sec221.html"?>
<title>Compile and Optimize</title>
<para>
First of all, to avoid security risks, we'll create an unprivileged user account named <literal>postgres</literal> to be the owner of the Postgres files.
</para>
<procedure>
<step><para>
To create the Postgres account, use the following command:
<screen>
[root@deep] /# <command>useradd</command> -M -o -r -d /var/lib/pgsql -s /bin/bash -c "PostgreSQL Server" -u 40 postgres &gt;/dev/null 2&gt;&amp;1 || :
</screen>
</para></step>
<step><para>
Move into the new PostgreSQL directory we untarred earlier, and then move to its subdirectory named <filename class="directory">src</filename>. Type the following commands on your terminal:
<screen>
[root@deep] /# <command>cd</command> /var/tmp/postgresql-6.5.3
[root@deep ]/postgresql-6.5.3# <command>cd</command> src
CC="egcs" \
./configure \
--prefix=/usr \
--enable-locale
</screen>
This tells PostgreSQL to set itself up for this particular hardware setup with:
<simplelist><member>
- Enable locale support.
</member></simplelist>
</para></step>
<step><para>
Edit the <filename>Makefile.global</filename> file, <command>vi</command> +210 <filename>Makefile.global</filename> and change the line:
<programlisting>
CFLAGS= -I$(SRCDIR)/include -I$(SRCDIR)/backend
</programlisting>
To read:
<programlisting>
CFLAGS= -I$(SRCDIR)/include -I$(SRCDIR)/backend -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions
</programlisting>
These are our optimization flags for the PostgreSQL Server. Of course, you must tailor them to fit your system and CPU architecture.
</para></step>
</procedure>
<para>
Now, we must compile and install PostgreSQL on to the server:
<screen>
[root@deep ]/src# <command>make all</command>
[root@deep ]/src# <command>cd</command> ..
[root@deep ]/postgresql-6.5.3# <command>make</command> -C src install
[root@deep ]/postgresql-6.5.3# <command>make</command> -C src/man install
[root@deep ]/postgresql-6.5.3# <command>mkdir</command> -p /usr/include/pgsql
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/access /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/commands /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/executor /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/lib /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/libpq /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/libpq++ /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/port /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/utils /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/fmgr.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/os.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/config.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/c.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/postgres.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/postgres_ext.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/libpq-fe.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/libpq-int.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/ecpgerrno.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/ecpglib.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/ecpgtype.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/sqlca.h /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/include/libpq++.H /usr/include/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mkdir</command> -p /usr/lib/pgsql
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/lib/*source /usr/lib/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mv</command> /usr/lib/*sample /usr/lib/pgsql/
[root@deep ]/postgresql-6.5.3# <command>mkdir</command> -p /var/lib/pgsql
[root@deep ]/postgresql-6.5.3# <command>chown</command> -R postgres.postgres /var/lib/pgsql/
[root@deep ]/postgresql-6.5.3# <command>chmod</command> 755 /usr/lib/libpq.so.2.0
[root@deep ]/postgresql-6.5.3# <command>chmod</command> 755 /usr/lib/libecpg.so.3.0.0
[root@deep ]/postgresql-6.5.3# <command>chmod</command> 755 /usr/lib/libpq++.so.3.0
[root@deep ]/postgresql-6.5.3# <command>strip</command> /usr/bin/postgres
[root@deep ]/postgresql-6.5.3# <command>strip</command> /usr/bin/postmaster
[root@deep ]/postgresql-6.5.3# <command>strip</command> /usr/bin/ecpg
[root@deep ]/postgresql-6.5.3# <command>strip</command> /usr/bin/pg_id
[root@deep ]/postgresql-6.5.3# <command>strip</command> /usr/bin/pg_version
[root@deep ]/postgresql-6.5.3# <command>strip</command> /usr/bin/pg_dump
[root@deep ]/postgresql-6.5.3# <command>strip</command> /usr/bin/pg_passwd
[root@deep ]/postgresql-6.5.3# <command>strip</command> /usr/bin/psql
[root@deep ]/postgresql-6.5.3# <command>rm</command> -f /usr/lib/global1.description
[root@deep ]/postgresql-6.5.3# <command>rm</command> -f /usr/lib/local1_template1.description
</screen>
</para>
<para>
<itemizedlist>
<listitem><para>
The <command>make</command> command compiles all source files into executable binaries.
</para></listitem><listitem><para>
The <command>make install</command> command installs the binaries and any supporting files into the appropriate locations.
</para></listitem><listitem><para>
The <command>mkdir</command> command creates a new directory named <filename class="directory">pgsql</filename> under each of the <filename class="directory">/usr/include</filename> and <filename class="directory">/usr/lib</filename> directories,
and the <command>mv</command> command then moves all subdirectories and files related to PostgreSQL from <filename class="directory">/usr/include</filename> and <filename class="directory">/usr/lib</filename> to the <filename class="directory">/usr/include/pgsql</filename>
and <filename class="directory">/usr/lib/pgsql</filename> directories respectively.
</para></listitem><listitem><para>
The <command>chown</command> command will set the correct owner and group permission for the <filename class="directory">/var/lib/pgsql</filename> directory.
</para></listitem><listitem><para>
The <command>strip</command> command discards all symbols from the object files, which makes the binaries smaller. This slightly reduces the work the system has to do when it loads the binary, since there is less
for it to read when it executes the program.
</para></listitem><listitem><para>
The <command>rm</command> command will remove the <filename>global1.description</filename> and <filename>local1_template1.description</filename> files, which are not needed by our PostgreSQL program.
</para></listitem>
</itemizedlist>
</para>
</section>
<section><?dbhtml filename="chap27sec222.html"?>
<title>Database installation using superuser account</title>
<para>
Once PostgreSQL is installed on your Linux server, it's important to create the database installation before starting your PostgreSQL server.
To create the database installation, use the following command:
<screen>
[root@deep] /# <command>su</command> postgres
[postgres@deep /]$ <command>initdb</command> --pglib=/usr/lib/pgsql --pgdata=/var/lib/pgsql
</screen>
</para>
<para>
We are initializing the database system with username postgres <literal>uid=40</literal>.
This user will own all the files and must also own the server process.
<literallayout class="monospaced"><computeroutput>
Creating Postgres database system directory /var/lib/pgsql/base
Creating template database in /var/lib/pgsql/base/template1
Creating global classes in /var/lib/pgsql/base
Adding template1 database to pg_database...
Vacuuming template1
Creating public pg_user view
Creating view pg_rules
Creating view pg_views
Creating view pg_tables
Creating view pg_indexes
Loading pg_description
</computeroutput></literallayout>
<screen>
[postgres@deep /]$ <command>chmod</command> 640 /var/lib/pgsql/pg_pwd
[postgres@deep /]$ <command>exit</command>
</screen>
<literallayout class="monospaced"><computeroutput>
exit
</computeroutput></literallayout>
<screen>
[root@deep] /#
</screen>
The <literal>--pglib</literal> option specifies where the PostgreSQL library directory resides on the system, and the <literal>--pgdata</literal> option specifies where the database files must reside
for this installation on Linux.
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Do not create the database installation as <literal>root</literal>! This would be a major security hole.
</para>
</tip>
<para>
Please don't forget to clean up later:
<screen>
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf postgresql-version/ postgresql-version.tar.gz
</screen>
Remove the egcs-c++-version.i386.rpm package to save space.
<screen>
[root@deep] /# <command>rpm</command> -e egcs-c++
</screen>
<itemizedlist><listitem><para>
The <command>rm</command> command will remove all the source files we have used to compile and install PostgreSQL. It will also remove the PostgreSQL compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para></listitem><listitem><para>
The <command>rpm</command> <literal>-e</literal> command will remove the egcs-c++ package we installed to compile the PostgreSQL Server. Note that the egcs-c++ package is required only for compiling programs like
PostgreSQL and can be uninstalled safely after successful compilation of PostgreSQL.
</para></listitem>
</itemizedlist>
</para>
</section>
<section><?dbhtml filename="chap27sec223.html"?>
<title>Configuration files</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. It can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack this to any location on your local machine, for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each configuration file has its own directory
for the respective software. For example, the <wordasword>PostgreSQL</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 12
-rw-r--r-- 1 harrypotter harrypotter 58 Jun 8 13:00 Compile-PostgreSQL
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 init.d/
-rwx------ 1 harrypotter harrypotter 1504 Jun 8 13:00 postgres.sh*
</computeroutput></literallayout>
You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or edit them manually to suit your needs. This facility is provided as a convenience, but please don't forget that ultimately it is your
responsibility to check, verify, <abbrev>etc.</abbrev> before you use them, whether modified or as they are.
</para>
</note>
<para>
To run PostgreSQL Database server, the following file is required and must be created or copied to the appropriate directory on your server.
<orderedlist numeration="lowerroman"><listitem><para>
Copy the postgresql script file to the <filename class="directory">/etc/rc.d/init.d/</filename> directory.
</para></listitem></orderedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed below on our <filename>floppy.tgz</filename> archive. Copy the following files from the decompressed <filename>floppy.tgz</filename> archive to the appropriate places, or copy and
paste them directly from this book to the concerned file.
</para>
</tip>
</section>
<section><?dbhtml filename="chap27sec224.html"?>
<title>Configure the <filename>/etc/rc.d/init.d/postgresql</filename> script file</title>
<para>
To start and stop PostgreSQL Server, create the <filename>postgresql</filename> script file, <command>touch</command> <filename>/etc/rc.d/init.d/postgresql</filename> and add:
</para>
<programlisting>
#! /bin/sh
# postgresql    This is the init script for starting up the PostgreSQL
#               server
#
# chkconfig: 345 85 15
# description: Starts and stops the PostgreSQL backend daemon that handles \
#              all database requests.
# processname: postmaster
# pidfile: /var/run/postmaster.pid
#

# Source function library.
. /etc/rc.d/init.d/functions

# Get config.
. /etc/sysconfig/network

# Check that networking is up.
# Pretty much need it for postmaster.
[ "${NETWORKING}" = "no" ] &amp;&amp; exit 0

[ -f /usr/bin/postmaster ] || exit 0

# This script is slightly unusual in that the name of the daemon (postmaster)
# is not the same as the name of the subsystem (postgresql)

# See how we were called.
case "$1" in
  start)
        echo -n "Checking postgresql installation: "
        # Check for the PGDATA structure
        if [ -f /var/lib/pgsql/PG_VERSION ] &amp;&amp; [ -d /var/lib/pgsql/base/template1 ]
        then
                # Check version of existing PGDATA
                if [ "`cat /var/lib/pgsql/PG_VERSION`" != '6.5' ]
                then
                        echo "old version. Need to Upgrade."
                        echo "See /usr/doc/postgresql-6.5.2/README.rpm for more information."
                        exit 1
                else
                        echo "looks good!"
                fi
        # No existing PGDATA! Initdb it.
        else
                echo "no database files found."
                if [ ! -d /var/lib/pgsql ]
                then
                        mkdir -p /var/lib/pgsql
                        chown postgres.postgres /var/lib/pgsql
                fi
                # initdb always runs as the unprivileged postgres user, never as root
                su -l postgres -c '/usr/bin/initdb --pglib=/usr/lib/pgsql --pgdata=/var/lib/pgsql'
        fi

        # Check for postmaster already running...
        pid=`pidof postmaster`
        if [ -n "$pid" ]
        then
                echo "Postmaster already running."
        else
                # all systems go -- remove any stale lock files
                rm -f /tmp/.s.PGSQL.* > /dev/null
                echo -n "Starting postgresql service: "
                # -i accepts TCP/IP connections (restrict them in pg_hba.conf),
                # -S detaches from the terminal and runs silently in the background
                su -l postgres -c '/usr/bin/postmaster -i -S -D/var/lib/pgsql'
                sleep 1
                pid=`pidof postmaster`
                if [ -n "$pid" ]
                then
                        echo -n "postmaster [$pid]"
                        touch /var/lock/subsys/postgresql
                        echo $pid > /var/run/postmaster.pid
                        echo
                else
                        echo "failed."
                fi
        fi
        ;;
  stop)
        echo -n "Stopping postgresql service: "
        killproc postmaster
        sleep 2
        rm -f /var/run/postmaster.pid
        rm -f /var/lock/subsys/postgresql
        echo
        ;;
  status)
        status postmaster
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: postgresql {start|stop|status|restart}"
        exit 1
esac

exit 0
</programlisting>
<para>
Now, make this script executable and change its default permissions:
<screen>
[root@deep] /# <command>chmod</command> 700 /etc/rc.d/init.d/postgresql
</screen>
Create the symbolic rc.d links for PostgreSQL with the command:
<screen>
[root@deep] /# <command>chkconfig</command> --add postgresql
</screen>
</para>
<para>
Start your new PostgreSQL server manually with the following command:
<screen>
[root@deep] /# /etc/rc.d/init.d/postgresql <command>start</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Checking postgresql installation: looks good!
Starting postgresql service: postmaster [22401]
</computeroutput></literallayout>
</para>
</section>
<section><?dbhtml filename="chap27sec225.html"?>
<title>Commands often used</title>
<para>
The commands listed below are some that we use often, but many more exist. Check the man page for more details and information.
To define a new user in your database, run the createuser utility program:
<screen>
[root@deep] /# <command>su</command> postgres
[postgres@deep /]$ <command>createuser</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Enter name of user to add ---&gt; admin
Enter user's postgres ID or RETURN to use unix user ID: 500 ->
Is user "admin" allowed to create databases (y/n) y
Is user "admin" a superuser? (y/n) y
createuser: admin was successfully added
</computeroutput></literallayout>
</para>
<para>
To remove a user in your database, run the destroyuser utility program:
<screen>
[root@deep] /# <command>su</command> postgres
[postgres@deep /]$ <command>destroyuser</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Enter name of user to delete ---&gt; admin
destroyuser: delete of user admin was successful.
</computeroutput></literallayout>
</para>
<para>
To create a new database, run the createdb utility program:
<screen>
[root@deep] /# <command>su</command> postgres
[postgres@deep /]$ <command>createdb</command> dbname <co id="psqldbn"/>
</screen>
<calloutlist><callout arearefs="psqldbn"><para>
dbname is the name of the database.
</para>
</callout>
</calloutlist>
</para>
<para>
or with the Postgres terminal monitor program (psql)
<screen>
[root@deep] /# <command>su</command> admin
[admin@deep /]$ <command>psql</command> template1
</screen>
<literallayout class="monospaced"><computeroutput>
Welcome to the POSTGRESQL interactive sql monitor:
Please read the file COPYRIGHT for copyright terms of POSTGRESQL
[PostgreSQL 6.5.3 on i686-pc-linux-gnu, compiled by egcs ]
type \? for help on slash commands
type \q to quit
type \g or terminate with semicolon to execute query
You are currently connected to the database: template1
</computeroutput></literallayout>
<screen>
template1<command>-&gt;</command> <command>create</command> database foo;
CREATEDB
</screen>
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Client connections can be restricted by <acronym>IP</acronym> address and/or user name via the <filename>pg_hba.conf</filename> file in the data directory (<envar>PGDATA</envar>, here <filename class="directory">/var/lib/pgsql</filename>).
</para></note>
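<para>
As an added example (it is neither the book's nor the PostgreSQL project's own script), the following POSIX shell script audits the points made in the database installation section above and in this note: that the data directory created by <command>initdb</command> belongs to the unprivileged <literal>postgres</literal> account, that <filename>pg_pwd</filename> keeps the <literal>640</literal> mode set earlier, and that <filename>pg_hba.conf</filename> grants no <literal>trust</literal> access to hosts other than loopback. The function names are constructed for this example, and the <filename>pg_hba.conf</filename> layout it assumes is the PostgreSQL 6.5 one (<literal>host DATABASE IP_ADDRESS ADDRESS_MASK AUTHTYPE</literal>).
</para>

```shell
#!/bin/sh
# Added example (not the book's own script): audit the PostgreSQL installation
# described above. For a data directory and the account that should own it, check:
#   1. every path under the data directory is owned by that account
#      (initdb must have been run as postgres, never as root);
#   2. pg_pwd, the password file initdb creates, is no looser than mode 640;
#   3. pg_hba.conf has no "trust" entry for hosts other than loopback.
# Function names and the usage at the bottom are constructed for this example.
# Assumed pg_hba.conf layout (PostgreSQL 6.5):
#   host   DATABASE   IP_ADDRESS   ADDRESS_MASK   AUTHTYPE  [AUTH_ARGUMENT]
#   local  DATABASE   AUTHTYPE     [AUTH_ARGUMENT]

# check_pgdata_owner DIR USER
# Prints every path under DIR not owned by USER; returns 0 only if there is none.
check_pgdata_owner() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "missing data directory: $dir"
        return 1
    fi
    bad=$(find "$dir" ! -user "$owner" 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "not owned by $owner:"
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# check_pg_pwd_mode FILE
# Returns 1 if FILE is group-writable or has any permission bit set for others.
# The book sets pg_pwd to 640; anything looser lets every local user read the
# password hashes of all database users.
check_pg_pwd_mode() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing password file: $f"
        return 1
    fi
    # -perm -MODE matches when all bits of MODE are set (POSIX find)
    loose=$(find "$f" \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \))
    if [ -n "$loose" ]; then
        echo "too permissive (expected 640): $f"
        return 1
    fi
    return 0
}

# hba_remote_trust_lines FILE
# Prints every "host" line that uses the trust method for a source address other
# than 127.0.0.1; returns 1 if at least one such line exists, 0 otherwise.
# A line such as "host all 0.0.0.0 0.0.0.0 trust" lets any machine that can reach
# the postmaster (started with -i above) log in as any user without a password.
hba_remote_trust_lines() {
    if [ ! -f "$1" ]; then
        echo "missing $1"
        return 1
    fi
    awk '
        /^[ \t]*#/        { next }   # comment line
        NF == 0           { next }   # blank line
        $1 != "host"      { next }   # only TCP/IP entries carry a source address
        $5 != "trust"     { next }
        $3 == "127.0.0.1" { next }   # loopback only: not reachable from other hosts
        { print "remote trust entry: " $0; found = 1 }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# audit_pgsql DATADIR USER
# Runs the three checks and returns 0 only if all of them pass.
audit_pgsql() {
    rc=0
    check_pgdata_owner "$1" "$2"            || rc=1
    check_pg_pwd_mode "$1/pg_pwd"           || rc=1
    hba_remote_trust_lines "$1/pg_hba.conf" || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "audit passed: $1"
    else
        echo "audit FAILED: $1"
    fi
    return "$rc"
}

# Usage against the layout built above:  sh audit_pgsql.sh /var/lib/pgsql postgres
if [ $# -eq 2 ]; then
    audit_pgsql "$1" "$2"
fi
```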
<para>
Other useful commands of the Postgres terminal monitor program (psql) are:
To connect to the new database, use the command:
<screen>
template1<command>-&gt;</command> \c foo
</screen>
<literallayout class="monospaced"><computeroutput>
connecting to new database: foo
</computeroutput></literallayout>
<screen>
foo<command>-&gt;</command>
</screen>
</para>
<para>
To create a table, use the command:
<screen>
foo<command>-&gt;</command> create table bar (i int4, c char(16));
<computeroutput>CREATE</computeroutput>
foo<command>-&gt;</command>
</screen>
</para>
<para>
To inspect the new table, use the command:
<screen>
foo<command>-&gt;</command> \d bar
</screen>
<literallayout class="monospaced"><computeroutput>
Table    = bar
+----------------------------------+----------------------------------+------------+
|              Field               |              Type                |   Length   |
+----------------------------------+----------------------------------+------------+
| i                                | int4                             |     4      |
| c                                | char()                           |    16      |
+----------------------------------+----------------------------------+------------+
</computeroutput></literallayout>
<screen>
foo<command>-&gt;</command>
</screen>
</para>
<para>
To drop a table, index, view, use the command:
<screen>
foo<command>-&gt;</command> drop table table_name;
foo<command>-&gt;</command> drop index index_name;
foo<command>-&gt;</command> drop view view_name;
</screen>
</para>
<para>
To insert rows: once a table is created, it can be filled using the command:
<screen>
foo<command>-&gt;</command> insert into table_name (name_of_attr1, name_of_attr2, name_of_attr3)
foo<command>-&gt;</command> values (value1, value2, value3);
</screen>
</para>
</section>
<section><?dbhtml filename="chap27sec226.html"?>
<title>Installed files</title>
<simplelist type="horiz" columns="2">
<member><filename>/etc/rc.d/init.d/postgresql</filename></member>
<member><filename>/etc/rc.d/rc0.d/K15postgresql</filename></member>
<member><filename>/etc/rc.d/rc1.d/K15postgresql</filename></member>
<member><filename>/etc/rc.d/rc2.d/K15postgresql</filename></member>
<member><filename>/etc/rc.d/rc3.d/S85postgresql</filename></member>
<member><filename>/etc/rc.d/rc4.d/S85postgresql</filename></member>
<member><filename>/etc/rc.d/rc5.d/S85postgresql</filename></member>
<member><filename>/etc/rc.d/rc6.d/K15postgresql</filename></member>
<member><filename>/usr/bin/postgres</filename></member>
<member><filename>/usr/bin/postmaster</filename></member>
<member><filename>/usr/bin/ecpg</filename></member>
<member><filename>/usr/bin/pg_id</filename></member>
<member><filename>/usr/bin/pg_version</filename></member>
<member><filename>/usr/bin/psql</filename></member>
<member><filename>/usr/bin/pg_dump</filename></member>
<member><filename>/usr/bin/pg_dumpall</filename></member>
<member><filename>/usr/bin/pg_upgrade</filename></member>
<member><filename>/usr/bin/pg_passwd</filename></member>
<member><filename>/usr/bin/cleardbdir</filename></member>
<member><filename>/usr/bin/createdb</filename></member>
<member><filename>/usr/bin/createlang</filename></member>
<member><filename>/usr/bin/createuser</filename></member>
<member><filename>/usr/bin/destroydb</filename></member>
<member><filename>/usr/bin/destroylang</filename></member>
<member><filename>/usr/bin/destroyuser</filename></member>
<member><filename>/usr/bin/initdb</filename></member>
<member><filename>/usr/bin/vacuumdb</filename></member>
<member><filename>/usr/bin/initlocation</filename></member>
<member><filename>/usr/bin/ipcclean</filename></member>
<member><filename>/usr/include/lib</filename></member>
<member><filename>/usr/include/lib/dllist.h</filename></member>
<member><filename>/usr/include/pgsql</filename></member>
<member><filename>/usr/include/pgsql/access</filename></member>
<member><filename>/usr/include/pgsql/access/attnum.h</filename></member>
<member><filename>/usr/include/pgsql/commands</filename></member>
<member><filename>/usr/include/pgsql/commands/trigger.h</filename></member>
<member><filename>/usr/include/pgsql/executor</filename></member>
<member><filename>/usr/include/pgsql/executor/spi.h</filename></member>
<member><filename>/usr/include/pgsql/libpq</filename></member>
<member><filename>/usr/include/pgsql/libpq/pqcomm.h</filename></member>
<member><filename>/usr/include/pgsql/libpq/libpq-fs.h</filename></member>
<member><filename>/usr/include/pgsql/libpq++</filename></member>
<member><filename>/usr/include/pgsql/libpq++/pgconnection.h</filename></member>
<member><filename>/usr/include/pgsql/libpq++/pgdatabase.h</filename></member>
<member><filename>/usr/include/pgsql/libpq++/pgtransdb.h</filename></member>
<member><filename>/usr/include/pgsql/libpq++/pgcursordb.h</filename></member>
<member><filename>/usr/include/pgsql/libpq++/pglobject.h</filename></member>
<member><filename>/usr/include/pgsql/port</filename></member>
<member><filename>/usr/include/pgsql/port/linux</filename></member>
<member><filename>/usr/include/pgsql/utils</filename></member>
<member><filename>/usr/include/pgsql/utils/geo_decls.h</filename></member>
<member><filename>/usr/include/pgsql/utils/elog.h</filename></member>
<member><filename>/usr/include/pgsql/utils/palloc.h</filename></member>
<member><filename>/usr/include/pgsql/utils/mcxt.h</filename></member>
<member><filename>/usr/include/pgsql/fmgr.h</filename></member>
<member><filename>/usr/include/pgsql/os.h</filename></member>
<member><filename>/usr/include/pgsql/config.h</filename></member>
<member><filename>/usr/include/pgsql/c.h</filename></member>
<member><filename>/usr/include/pgsql/postgres.h</filename></member>
<member><filename>/usr/include/pgsql/postgres_ext.h</filename></member>
<member><filename>/usr/include/pgsql/libpq-fe.h</filename></member>
<member><filename>/usr/include/pgsql/libpq-int.h</filename></member>
<member><filename>/usr/include/pgsql/ecpgerrno.h</filename></member>
<member><filename>/usr/include/pgsql/ecpglib.h</filename></member>
<member><filename>/usr/include/pgsql/ecpgtype.h</filename></member>
<member><filename>/usr/include/pgsql/sqlca.h</filename></member>
<member><filename>/usr/include/pgsql/libpq++.H</filename></member>
<member><filename>/usr/lib/libpq.a</filename></member>
<member><filename>/usr/lib/libpq.so.2.0</filename></member>
<member><filename>/usr/lib/libpq.so.2</filename></member>
<member><filename>/usr/lib/libpq.so</filename></member>
<member><filename>/usr/lib/libecpg.a</filename></member>
<member><filename>/usr/lib/libecpg.so.3.0.0</filename></member>
<member><filename>/usr/lib/libecpg.so.3</filename></member>
<member><filename>/usr/lib/libecpg.so</filename></member>
<member><filename>/usr/lib/libpq++.a</filename></member>
<member><filename>/usr/lib/libpq++.so.3.0</filename></member>
<member><filename>/usr/lib/libpq++.so.3</filename></member>
<member><filename>/usr/lib/libpq++.so</filename></member>
<member><filename>/usr/lib/plpgsql.so</filename></member>
<member><filename>/usr/lib/pgsql</filename></member>
<member><filename>/usr/lib/pgsql/global1.bki.source</filename></member>
<member><filename>/usr/lib/pgsql/local1_template1.bki.source</filename></member>
<member><filename>/usr/lib/pgsql/pg_geqo.sample</filename></member>
<member><filename>/usr/lib/pgsql/pg_hba.conf.sample</filename></member>
<member><filename>/usr/man/man1/cleardbdir.1</filename></member>
<member><filename>/usr/man/man1/createdb.1</filename></member>
<member><filename>/usr/man/man1/createuser.1</filename></member>
<member><filename>/usr/man/man1/destroydb.1</filename></member>
<member><filename>/usr/man/man1/destroyuser.1</filename></member>
<member><filename>/usr/man/man1/ecpg.1</filename></member>
<member><filename>/usr/man/man1/initdb.1</filename></member>
<member><filename>/usr/man/man1/initlocation.1</filename></member>
<member><filename>/usr/man/man1/ipcclean.1</filename></member>
<member><filename>/usr/man/man1/pg_dump.1</filename></member>
<member><filename>/usr/man/man1/pg_dumpall.1</filename></member>
<member><filename>/usr/man/man1/pg_passwd.1</filename></member>
<member><filename>/usr/man/man1/pg_upgrade.1</filename></member>
<member><filename>/usr/man/man1/postgres.1</filename></member>
<member><filename>/usr/man/man1/postmaster.1</filename></member>
<member><filename>/usr/man/man1/psql.1</filename></member>
<member><filename>/usr/man/man3/catalogs.3</filename></member>
<member><filename>/usr/man/man3/libpq.3</filename></member>
<member><filename>/usr/man/man5/pg_hba.conf.5</filename></member>
<member><filename>/usr/man/manl</filename></member>
<member><filename>/usr/man/manl/abort.l</filename></member>
<member><filename>/usr/man/manl/alter_table.l</filename></member>
<member><filename>/usr/man/manl/alter_user.l</filename></member>
<member><filename>/usr/man/manl/begin.l</filename></member>
<member><filename>/usr/man/manl/close.l</filename></member>
<member><filename>/usr/man/manl/cluster.l</filename></member>
<member><filename>/usr/man/manl/commit.l</filename></member>
<member><filename>/usr/man/manl/copy.l</filename></member>
<member><filename>/usr/man/manl/create_aggregate.l</filename></member>
<member><filename>/usr/man/manl/create_database.l</filename></member>
<member><filename>/usr/man/manl/create_function.l</filename></member>
<member><filename>/usr/man/manl/create_index.l</filename></member>
<member><filename>/usr/man/manl/create_language.l</filename></member>
<member><filename>/usr/man/manl/create_operator.l</filename></member>
<member><filename>/usr/man/manl/create_rule.l</filename></member>
<member><filename>/usr/man/manl/create_sequence.l</filename></member>
<member><filename>/usr/man/manl/create_table.l</filename></member>
<member><filename>/usr/man/manl/create_trigger.l</filename></member>
<member><filename>/usr/man/manl/create_type.l</filename></member>
<member><filename>/usr/man/manl/create_user.l</filename></member>
<member><filename>/usr/man/manl/create_version.l</filename></member>
<member><filename>/usr/man/manl/create_view.l</filename></member>
<member><filename>/usr/man/manl/declare.l</filename></member>
<member><filename>/usr/man/manl/delete.l</filename></member>
<member><filename>/usr/man/manl/drop.l</filename></member>
<member><filename>/usr/man/manl/drop_aggregate.l</filename></member>
<member><filename>/usr/man/manl/drop_database.l</filename></member>
<member><filename>/usr/man/manl/drop_function.l</filename></member>
<member><filename>/usr/man/manl/drop_index.l</filename></member>
<member><filename>/usr/man/manl/drop_language.l</filename></member>
<member><filename>/usr/man/manl/drop_operator.l</filename></member>
<member><filename>/usr/man/manl/drop_rule.l</filename></member>
<member><filename>/usr/man/manl/drop_sequence.l</filename></member>
<member><filename>/usr/man/manl/drop_table.l</filename></member>
<member><filename>/usr/man/manl/drop_trigger.l</filename></member>
<member><filename>/usr/man/manl/drop_type.l</filename></member>
<member><filename>/usr/man/manl/drop_user.l</filename></member>
<member><filename>/usr/man/manl/drop_view.l</filename></member>
<member><filename>/usr/man/manl/end.l</filename></member>
<member><filename>/usr/man/manl/explain.l</filename></member>
<member><filename>/usr/man/manl/fetch.l</filename></member>
<member><filename>/usr/man/manl/grant.l</filename></member>
<member><filename>/usr/man/manl/insert.l</filename></member>
<member><filename>/usr/man/manl/listen.l</filename></member>
<member><filename>/usr/man/manl/load.l</filename></member>
<member><filename>/usr/man/manl/lock.l</filename></member>
<member><filename>/usr/man/manl/move.l</filename></member>
<member><filename>/usr/man/manl/notify.l</filename></member>
<member><filename>/usr/man/manl/reset.l</filename></member>
<member><filename>/usr/man/manl/revoke.l</filename></member>
<member><filename>/usr/man/manl/rollback.l</filename></member>
<member><filename>/usr/man/manl/select.l</filename></member>
<member><filename>/usr/man/manl/set.l</filename></member>
<member><filename>/usr/man/manl/show.l</filename></member>
<member><filename>/usr/man/manl/sql.l</filename></member>
<member><filename>/usr/man/manl/update.l</filename></member>
<member><filename>/usr/man/manl/vacuum.l</filename></member>
<member><filename>/var/lib/pgsql</filename></member>
<member><filename>/var/lib/pgsql/base</filename></member>
<member><filename>/var/lib/pgsql/base/template1</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_proc</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_type</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_attribute</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_class</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_inherits</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_statistic</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_operator</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_opclass</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_am</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_amop</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_amproc</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_language</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_aggregate</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_ipl</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_inheritproc</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_rewrite</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_listener</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_description</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_attribute_relid_attnam_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_attribute_relid_attnum_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_attribute_attrelid_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_proc_oid_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_proc_proname_narg_type_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_proc_prosrc_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_type_oid_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_type_typname_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_class_oid_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_class_relname_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_attrdef</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_attrdef_adrelid_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_relcheck</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_relcheck_rcrelid_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_trigger</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_trigger_tgrelid_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_description_objoid_index</filename></member>
<member><filename>/var/lib/pgsql/base/template1/PG_VERSION</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_user</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_rules</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_views</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_tables</filename></member>
<member><filename>/var/lib/pgsql/base/template1/pg_indexes</filename></member>
<member><filename>/var/lib/pgsql/pg_variable</filename></member>
<member><filename>/var/lib/pgsql/pg_database</filename></member>
<member><filename>/var/lib/pgsql/pg_shadow</filename></member>
<member><filename>/var/lib/pgsql/pg_group</filename></member>
<member><filename>/var/lib/pgsql/pg_log</filename></member>
<member><filename>/var/lib/pgsql/PG_VERSION</filename></member>
<member><filename>/var/lib/pgsql/pg_hba.conf</filename></member>
<member><filename>/var/lib/pgsql/pg_geqo.sample</filename></member>
<member><filename>/var/lib/pgsql/pg_pwd</filename></member>
</simplelist>
</section>
</chapter>
<chapter label="28" id="pr6sserprnt"><?dbhtml filename="netproxy-squid.html"?>
<title>Software -Server/Proxy Network</title>
<highlights><para>
Proxy-servers, with their capability to save bandwidth, improve security, and increase web-surfing speed are becoming more popular than ever. At this time only a few proxy-server programs are available. These proxy-servers have two main drawbacks:
<simplelist><member>
They are commercial.
</member><member>
They don't support <acronym>ICP</acronym>, <emphasis><acronym>ICP</acronym> is used to exchange hints about the existence of URLs in neighbor caches</emphasis>.
</member>
</simplelist>
Squid is the best choice for a proxy-cache server since it is robust, free, and can use <acronym>ICP</acronym> features.
</para>
<para>
Derived from the <literal>cached</literal> software from the <acronym>ARPA</acronym>-funded Harvest research project, developed at the National Laboratory for Applied Network Research and funded by the National Science Foundation, Squid
offers high-performance caching of web clients, and also supports <acronym>FTP</acronym>, Gopher, and <acronym>HTTP</acronym> data objects. It stores hot objects in <acronym>RAM</acronym>, maintains a robust database of objects on disk, has
a complex access control mechanism, and supports the <acronym>SSL</acronym> protocol for proxying secure connections. In addition, it can be hierarchically linked to other Squid-based proxy servers for streamlined caching of pages.
</para>
</highlights>
<section id="pr6ch28scsps"><?dbhtml filename="chap28sec227.html"?>
<title>Linux Squid Proxy Server</title>
<para>
In our compilation and configuration we'll configure Squid to run as an httpd-accelerator to get more performance out of our web server. In accelerator mode, the Squid server acts as a reverse proxy cache: it accepts client
requests, serves them out of cache, if possible, or requests them from the original server for which it is the reverse proxy. Also we'll show you how to configure Squid as a proxy-caching server to be able to let all users
in your corporate network use Squid to access the Internet.
</para>
<para>
These installation instructions assume
<itemizedlist><listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename class="directory">/var/tmp</filename>, <emphasis>other paths are possible</emphasis>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root.</literal>
</para></listitem><listitem><para>
Squid version number is 2.3.STABLE2
</para></listitem>
</itemizedlist>
</para>
<para>
These are the required package(s), available here:
<simplelist>
<member>
Squid Homepage:<link linkend="prtinxfp28">http://www.squid-cache.org/</link>
</member><member>
Squid <acronym>FTP</acronym> Site: <link linkend="prtinxfp28">204.144.128.89</link>
</member><member>
You must be sure to download: squid-2.3.STABLE2-src.tar.gz
</member>
</simplelist>
</para>
<para>
Before you decompress tarballs, it is a good idea to make a list of files on the system before you install Squid, and one afterwards, and then compare them using diff to find out what file it placed where. Simply
run <command>find</command> <userinput>/* &gt; Squid1</userinput> before and <command>find</command> <userinput>/* &gt; Squid2</userinput> after you install the software, and use <command>diff</command> <userinput>Squid1 Squid2 &gt; Squid-Installed</userinput>
to get a list of what changed.
</para>
<para>
To compile, you first need to decompress the tarball (<literal>tar.gz</literal>):
<screen>
[root@deep] /# <command>cp</command> squid-version.STABLEz-src.tar.gz /var/tmp
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf squid-version.STABLEz-src.tar.gz
</screen>
</para>
</section>
<section><?dbhtml filename="chap28sec228.html"?>
<title>Configure and Optimize</title>
<para>
Squid Proxy Server can't run as super-user root, and for this reason we must create a special user with no shell for running Squid Proxy Server.
<screen>
[root@deep] /# <command>useradd</command> -d /cache/ -r -s /dev/null squid &gt;/dev/null 2&gt;&amp;1
[root@deep] /# <command>mkdir</command> /cache/
[root@deep] /# <command>chown</command> -R squid.squid /cache/
</screen>
First of all, we add the user <literal>squid</literal> to the <filename>/etc/passwd</filename> file. Then we create the <filename class="directory">/cache</filename> directory, <emphasis>only if it doesn't already exist</emphasis>.
Finally, we change the owner of the <filename class="directory">cache</filename> directory to the user <literal>squid</literal>.
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Usually we don't need to perform the command, <command>mkdir</command> <filename class="directory">/cache/</filename>, because we have already created this directory when we partitioned our hard drive during the installation of Linux. If this
partition doesn't exist, you must execute this command to create the directory.
</para></tip>
<procedure>
<step><para>
Move into the new Squid directory and type the following commands on your terminal.
Edit the <filename>Makefile.in</filename> file, <command>vi</command> +18 <filename>icons/Makefile.in</filename>, and change the line:
<programlisting>
DEFAULT_ICON_DIR = $(sysconfdir)/icons
</programlisting>
To read:
<programlisting>
DEFAULT_ICON_DIR = $(libexecdir)/icons
</programlisting>
</para></step>
<step><para>
We change the variable <envar>sysconfdir</envar> to <envar>libexecdir</envar>. With this modification, the <filename class="directory">icons</filename> directory of Squid will be located under the <filename class="directory">/usr/lib/squid</filename> directory.
</para>
<substeps>
<step><para>
Edit the <filename>Makefile.in</filename> file, <command>vi</command> +34 <filename>src/Makefile.in</filename> and change the lines:
<programlisting>
DEFAULT_CACHE_LOG = $(localstatedir)/logs/cache.log
</programlisting>
To read:
<programlisting>
DEFAULT_CACHE_LOG = $(localstatedir)/log/squid/cache.log
</programlisting>
</para></step><step><para>
<programlisting>
DEFAULT_ACCESS_LOG = $(localstatedir)/logs/access.log
</programlisting>
To read:
<programlisting>
DEFAULT_ACCESS_LOG = $(localstatedir)/log/squid/access.log
</programlisting>
</para></step><step><para>
<programlisting>
DEFAULT_STORE_LOG = $(localstatedir)/logs/store.log
</programlisting>
To read:
<programlisting>
DEFAULT_STORE_LOG = $(localstatedir)/log/squid/store.log
</programlisting>
</para></step><step><para>
<programlisting>
DEFAULT_PID_FILE = $(localstatedir)/logs/squid.pid
</programlisting>
To read:
<programlisting>
DEFAULT_PID_FILE = $(localstatedir)/run/squid.pid
</programlisting>
</para></step><step><para>
<programlisting>
DEFAULT_SWAP_DIR = $(localstatedir)/cache
</programlisting>
To read:
<programlisting>
DEFAULT_SWAP_DIR = /cache
</programlisting>
</para></step><step><para>
<programlisting>
DEFAULT_ICON_DIR = $(sysconfdir)/icons
</programlisting>
To read:
<programlisting>
DEFAULT_ICON_DIR = $(libexecdir)/icons
</programlisting>
We change the default location of the <filename>cache.log</filename>, <filename>access.log</filename> and <filename>store.log</filename> files to the <filename class="directory">/var/log/squid</filename> directory. Then we put the pid file of Squid under the <filename class="directory">/var/run</filename>
directory, and finally we locate the <filename class="directory">icons</filename> directory of Squid under <filename class="directory">/usr/lib/squid/icons</filename> with the variable <envar>libexecdir</envar>, as above.
</para></step>
</substeps>
</step>
</procedure>
</section>
<section><?dbhtml filename="gnumaloc.html"?>
<title>Improve performance Using GNU malloc library </title>
<para>
If you're suffering from memory limitations on your system, the cache performance of Squid will be affected. To reduce this problem, you can link Squid with an external malloc library such as GNU malloc. To make
Squid use GNU malloc as an external library, follow these simple steps:
</para>
<para>
These are the Package(s) required:
<simplelist><member>
GNU malloc Homepage:<link linkend="prtinxfp28"> http://www.gnu.org/order/ftp.html</link>
</member><member>
You must be sure to download: malloc.tar.gz
</member>
</simplelist>
</para>
<para>
<screen>
[root@deep] /# <command>cp</command> malloc.tar.gz /var/tmp
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf malloc.tar.gz
</screen>
</para>
<procedure>
<step><para>
Compile and install GNU malloc on your system by executing the following commands:
<screen>
[root@deep ]/tmp# <command>cd</command> malloc
[root@deep ]/malloc# <command>export</command> CC=egcs
[root@deep ]/malloc# <command>make</command>
</screen>
</para></step>
<step><para>
Copy the <filename>libmalloc.a</filename> file to your system library directory and be sure to name it <filename>libgnumalloc.a</filename>
<screen>
[root@deep ]/malloc# <command>cp</command> libmalloc.a /usr/lib/libgnumalloc.a
</screen>
</para></step>
<step><para>
Copy the <filename>malloc.h</filename> file to your system's include directory and be sure to name it <filename>gnumalloc.h</filename>
<screen>
[root@deep ]/malloc# <command>cp</command> malloc.h /usr/include/gnumalloc.h
</screen>
With the files <filename>libgnumalloc.a</filename> and <filename>gnumalloc.h</filename> installed on your system, Squid will detect them automatically during its compile time, and will use them to improve its cache performance.
</para></step>
</procedure>
</section>
<section><?dbhtml filename="chap28sec229.html"?>
<title>Compile and Optimize</title>
<para>
Return into the new Squid directory and type the following commands on your terminal:
<screen>
CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--prefix=/usr \
--exec-prefix=/usr \
--bindir=/usr/sbin \
--libexecdir=/usr/lib/squid \
--localstatedir=/var \
--sysconfdir=/etc/squid \
--enable-delay-pools \
--enable-cache-digests \
--enable-poll \
--disable-ident-lookups \
--enable-truncate \
--enable-heap-replacement
</screen>
</para>
<para>
This tells Squid to set itself up for this particular hardware setup with these options:
<itemizedlist>
<listitem><para>
Use the delay pools feature of Squid to limit and control bandwidth usage for users.
</para></listitem><listitem><para>
Use Cache Digests to improve client response time and network utilization.
</para></listitem><listitem><para>
Enable poll() instead of select(), since poll() is preferred over select().
</para></listitem><listitem><para>
Disable ident lookups to remove the code that performs Ident (<literal>RFC 931</literal>) lookups, and so reduce the exposure to denial-of-service.
</para></listitem><listitem><para>
Enable truncate to glean some performance improvements when removing cached files.
</para></listitem><listitem><para>
Use the heap-replacement feature of Squid to have the choice of various cache replacement algorithms, instead of the standard LRU algorithm for better performance. See below for a more detailed explanation.
</para></listitem>
</itemizedlist>
</para>
<para>
Now, we must compile and install Squid on the server:
<screen>
[root@deep ]/squid-2.3.STABLE2# <command>make</command> -f Makefile
[root@deep ]/squid-2.3.STABLE2# <command>make install</command>
[root@deep ]/squid-2.3.STABLE2# <command>mkdir</command> -p /var/log/squid
[root@deep ]/squid-2.3.STABLE2# <command>rm</command> -rf /var/logs/
[root@deep ]/squid-2.3.STABLE2# <command>chown</command> squid.squid /var/log/squid/
[root@deep ]/squid-2.3.STABLE2# <command>chmod</command> 750 /var/log/squid/
[root@deep ]/squid-2.3.STABLE2# <command>chmod</command> 750 /cache/
[root@deep ]/squid-2.3.STABLE2# <command>rm</command> -f /usr/sbin/RunCache
[root@deep ]/squid-2.3.STABLE2# <command>rm</command> -f /usr/sbin/RunAccel
[root@deep ]/squid-2.3.STABLE2# <command>strip</command> /usr/sbin/squid
[root@deep ]/squid-2.3.STABLE2# <command>strip</command> /usr/sbin/client
[root@deep ]/squid-2.3.STABLE2# <command>strip</command> /usr/lib/squid/dnsserver
[root@deep ]/squid-2.3.STABLE2# <command>strip</command> /usr/lib/squid/unlinkd
[root@deep ]/squid-2.3.STABLE2# <command>strip</command> /usr/lib/squid/cachemgr.cgi
</screen>
<itemizedlist>
<listitem><para>
The <command>make</command> -f command will compile all source files into executable binaries.
</para></listitem><listitem><para>
The <command>make install</command> will install the binaries and any supporting files into the appropriate locations.
</para></listitem><listitem><para>
The <command>mkdir</command> command will create a new directory named <filename class="directory">squid</filename> under <filename class="directory">/var/log</filename>.
</para></listitem><listitem><para>
The <command>rm</command> -rf command will remove the <filename class="directory">/var/logs</filename> directory since this directory has been created to handle the log files related to Squid that we have moved to the <filename class="directory">/var/log/squid</filename> location.
</para></listitem><listitem><para>
The <command>chown</command> command will change the owner of <filename class="directory">/var/log/squid</filename> to be the user squid.
</para></listitem><listitem><para>
The <command>chmod</command> command will set the mode of the <filename class="directory">squid</filename> and <filename class="directory">cache</filename> directories to <literal>0750/drwxr-x---</literal>, for security reasons.
</para></listitem>
</itemizedlist>
Take note that we remove the small scripts named <filename>RunCache</filename> and <filename>RunAccel</filename>, which start Squid in either caching mode or accelerator mode, since we use a better script named <filename>squid</filename> located
under the <filename class="directory">/etc/rc.d/init.d/</filename> directory that takes advantage of Linux <literal>System V</literal> init.
The <command>strip</command> command will reduce the size of the binaries for optimum performance.
</para>
<para>
Please clean up afterwards:
<screen>
[root@deep] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf squid-version/ squid-version.STABLEz-src.tar.gz
[root@deep ]/tmp# <command>rm</command> -rf malloc/ malloc.tar.gz    # only if you used the GNU malloc external library
</screen>
The <command>rm</command> command will remove all the source files we have used to compile and install Squid and GNU malloc. It will also remove the Squid and GNU malloc compressed archive from the <filename class="directory">/var/tmp</filename>
directory.
</para>
</section>
<section><?dbhtml filename="chap28sec230.html"?>
<title>Configurations</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. This can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>.
You can unpack this to any location on your local machine, say for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each configuration file has its own directory
for the respective software. For example, the <wordasword>Squid</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 20
-rw-r--r-- 1 harrypotter harrypotter 428 Jun 8 13:00 Compile-Squid
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 init.d/
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 logrotate.d/
-rw-r--r-- 1 harrypotter harrypotter 461 Jun 8 13:00 squid.conf
-rwx------ 1 harrypotter harrypotter 319 Jun 8 13:00 squid.sh*
</computeroutput></literallayout>
You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or manually edit them to suit your needs. This facility is there as a convenience, but please don't forget that ultimately it is your
responsibility to check, verify, <abbrev>etc.</abbrev> before you use them, whether modified or as they are.
</para>
</note>
<para>
To run Squid server in <literal>httpd-accelerator</literal> mode, the following files are required and must be created or copied to the appropriate directories on your server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>squid.conf</filename> file in the <filename class="directory">/etc/squid/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>squid</filename> script file in the <filename class="directory">/etc/rc.d/init.d/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>squid</filename> file in the <filename class="directory">/etc/logrotate.d/</filename> directory.
</para></listitem>
</orderedlist>
</para><para>
To run Squid server in <literal>proxy-caching</literal> mode, the following files are required and must be created or copied to the appropriate directories on your server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>squid.conf</filename> file in the <filename class="directory">/etc/squid/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>squid</filename> script file in the <filename class="directory">/etc/rc.d/init.d/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>squid</filename> file in the <filename class="directory">/etc/logrotate.d/</filename> directory.
</para></listitem>
</orderedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed below on our <filename>floppy.tgz</filename> archive. Copy the following files from the decompressed <filename>floppy.tgz</filename> archive to the appropriate places, or copy and
paste them directly from this book to the concerned file.
</para>
</tip>
</section>
<section id="pr6ch28scsqcnf"><?dbhtml filename="chap28sec231.html"?>
<title>Configure the <filename>/etc/squid/squid.conf</filename> file -in <literal>httpd-accelerator mode</literal></title>
<para>
The <filename>squid.conf</filename> file is used to set and configure all the different options for your Squid proxy server. In the configuration file below, we'll configure the <filename>/etc/squid/squid.conf</filename> file
to be in <literal>httpd-accelerator</literal> mode. In this acceleration mode, if the Web Server runs on the same server where Squid is installed, you must set its daemon to run on port 81. With the Apache web server, you can
do it by changing the line <literal>Port 80</literal> to <literal>Port 81</literal> in its <filename>httpd.conf</filename> file. If the Web Server runs on another server in your network, as it does here, you can keep the same port
number (80) for Apache, since Squid will bind on a different IP address where port (80) is not already in use.
<mediaobject>
<imageobject>
<imagedata fileref="./images/Squid-Accelerator-Schema.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Squid/Accelerator</phrase>
</textobject>
</mediaobject>
</para>
<para>
Edit the <filename>squid.conf</filename> file, <command>vi</command> <filename>/etc/squid/squid.conf</filename> and add/change the following options:
<programlisting>
http_port 80
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB
cache_dir ufs /cache 200 16 256
emulate_httpd_log on
redirect_rewrites_host_header off
replacement_policy GDSF
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_mgr admin@openna.com
cache_effective_user squid
cache_effective_group squid
httpd_accel_host 208.164.186.3
httpd_accel_port 80
log_icp_queries off
cachemgr_passwd my-secret-pass all
buffered_logs on
</programlisting>
This tells the <filename>squid.conf</filename> file to set itself up for this particular configuration setup with:
<glosslist>
<glossentry>
<glossterm><envar>http_port</envar> 80</glossterm>
<glossdef><para>
The option <envar>http_port</envar> specifies the port number where Squid will listen for <acronym>HTTP</acronym> client requests. If you set this option to port 80, the client will have the illusion of being connected
to the Apache Web Server. Since we are running Squid in accelerator mode, we must listen on port 80.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>icp_port 0</envar></glossterm>
<glossdef><para>
The option <envar>icp_port</envar> specifies the port number where Squid will send and receive <acronym>ICP</acronym> requests from neighboring caches. We must set the value of this option to 0 to disable it, since we
are configuring Squid to be in accelerator mode for the Web Server. The <acronym>ICP</acronym> feature is needed only in a multi-level cache environment with multiple sibling and parent caches. Using <acronym>ICP</acronym>
in an accelerator mode configuration would add unwanted overhead to Squid.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>acl QUERY urlpath_regex cgi-bin \? and no_cache deny QUERY</envar></glossterm>
<glossdef><para>
The options <envar>acl QUERY urlpath_regex cgi-bin \? and no_cache deny QUERY</envar> are used to force certain objects to never be cached, like files under <filename class="directory">cgi-bin</filename> directory. This
is a security feature.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>cache_mem 16 MB</envar></glossterm>
<glossdef><para>
The option <envar>cache_mem</envar> specifies the amount of memory (<acronym>RAM</acronym>) to be used for caching the so-called In-Transit objects, Hot Objects and Negative-Cached objects.
This is an optimization feature. It's important to note that Squid can use much more memory than the value you specify in this parameter, and for this reason if you have 48 MB free for Squid, you must put 48/3 = 16 MB here.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>cache_dir ufs /cache 200 16 256</envar></glossterm>
<glossdef><para>
The option <envar>cache_dir</envar> specifies, in this order:
which kind of storage system to use (ufs);
the name of the cache directory (<filename class="directory">/cache</filename> for Squid);
the disk space in megabytes to use under this directory (<emphasis>200 Mbytes</emphasis>);
the number of first-level subdirectories to be created under the cache directory (16 Level-1);
and the number of second-level subdirectories to be created under each first-level cache directory (256 Level-2).
In accelerator mode, this option is directly related to the size and number of files that you want to serve with your Apache web server.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>emulate_httpd_log on</envar></glossterm>
<glossdef><para>
The option <envar>emulate_httpd_log,</envar> if set to <envar>ON,</envar> specifies that Squid should emulate the log file format of the Apache web server. This is very useful if you want to use a third party program like Webalizer
to analyze the Web Server <literal>httpd</literal> log file.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>redirect_rewrites_host_header off</envar></glossterm>
<glossdef><para>
The option <envar>redirect_rewrites_host_header</envar>, if set to <envar>OFF,</envar> tells Squid not to rewrite any Host: header in redirected requests. It's recommended to set this option to <envar>OFF</envar> if you are running Squid
in accelerator mode.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>replacement_policy GDSF</envar></glossterm>
<glossdef><para>
The option <envar>replacement_policy</envar> specifies the cache policy Squid will use to determine which objects in the cache must be replaced when the proxy needs to make disk space. The Squid LRU policy is used by default if you
have not specified the <literal>--enable-heap-replacement</literal> option during compile time. In our configuration, we choose the GDSF (<emphasis>Greedy-Dual Size Frequency</emphasis>) policy as our default policy. See
<link linkend="prtinxfp28sqc">http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html</link> and <link linkend="prtinxfp28sqc">http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html</link> for more information.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>acl all src 0.0.0.0/0.0.0.0</envar> and <envar>http_access allow all</envar></glossterm>
<glossdef><para>
The options <envar>acl</envar> and <envar>http_access</envar> specify and define an access control list to be applied on the Squid proxy server. Our <envar>acl</envar> and <envar>http_access</envar> options are not restricted, and
allow everyone to connect to the proxy server, since we use this proxy to accelerate the public Apache Web Server. See your Squid documentation for more information when using Squid in non-accelerator mode.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>cache_mgr admin</envar></glossterm>
<glossdef><para>
The option <envar>cache_mgr</envar> specifies the email address of the administrator responsible for the Squid proxy server. This person is the one who will receive mail if Squid encounters problems. You can specify the name or the
complete email address in this option.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>cache_effective_user squid</envar> and <envar>cache_effective_group squid</envar></glossterm>
<glossdef><para>
The options <envar>cache_effective_user</envar> and <envar>cache_effective_group</envar> specify the <acronym>UID/GID</acronym> that the cache will run on. Don't forget to never run Squid as <literal>root</literal>. In our
configuration we use the <acronym>UID</acronym> <literal>squid</literal> and the <acronym>GID</acronym> <literal>squid</literal>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>httpd_accel_host 208.164.186.3</envar> and <envar>httpd_accel_port 80</envar></glossterm>
<glossdef><para>
The options <envar>httpd_accel_host</envar> and <envar>httpd_accel_port</envar> tell Squid the <acronym>IP</acronym> address and port number where the real <acronym>HTTP</acronym> Server, <abbrev>i.e.</abbrev> Apache, is. In
our configuration, the real <acronym>HTTP</acronym> Web Server is on the <acronym>IP</acronym> address <literal>208.164.186.3</literal>, <literal>www.openna.com</literal>, and on port (80). <literal>www.openna.com</literal> is
another host name on our network, and since the Squid Proxy Server doesn't reside on the same host as the Apache <acronym>HTTP</acronym> Web Server, we can use port (80) for our Squid Proxy Server and port (80) for our Apache Web
Server, and the illusion is perfect.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>log_icp_queries off</envar></glossterm>
<glossdef><para>
The option <envar>log_icp_queries</envar> specifies if you want <acronym>ICP</acronym>; <emphasis><acronym>ICP</acronym> is used to exchange hints about the existence of <acronym>URL</acronym>s in neighbor caches</emphasis> queries
to be logged to the <filename>access.log</filename> file or not. Since we don't use the <acronym>ICP</acronym> feature in Squid accelerator mode, we can safely set this option to <envar>OFF</envar>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>cachemgr_passwd my-secret-pass all</envar></glossterm>
<glossdef><para>
The option <envar>cachemgr_passwd</envar> specifies a password that will be required for accessing the operations of the <filename>cachemgr.cgi</filename> program utility. This <acronym>CGI</acronym> utility program is designed to run
through a web interface and outputs statistics about the Squid configuration and performance. The <filename>my-secret-pass</filename> is the password that you have chosen, and the keyword <envar>all</envar> specifies to set this
password to be the same for all actions you can perform with this program. See The cachemgr.cgi program utility of Squid, below in this chapter for more information.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>buffered_logs on</envar></glossterm>
<glossdef><para>
The option <envar>buffered_logs</envar>, if turned <envar>ON</envar>, can speed up the writing of some log files slightly. This is an optimization feature.
</para></glossdef>
</glossentry>
</glosslist>
</para>
</section>
<section><?dbhtml filename="chap28sec232.html"?>
<title>Configure the <filename>/etc/squid/squid.conf</filename> file -in <literal>proxy-caching mode</literal></title>
<para>
With some minor modification to the <filename>squid.conf</filename> file we have defined above to run in <literal>httpd-accelerator</literal> mode, we can run Squid as a proxy-caching server. With a proxy cache server, all users
in your corporate network use Squid to access the Internet. With this configuration, you can have complete control, and apply special policies on what can be viewed, accessed, and downloaded. You can also control bandwidth
usage, connection time, and so on. A proxy cache server can be configured to run as stand-alone server for your corporation, or to use and share caches hierarchically with other proxy servers around the Internet.
<mediaobject>
<imageobject>
<imagedata fileref="./images/Squid-Stand-Alone-Schema.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Squid-StandAlone</phrase></textobject>
</mediaobject>
</para>
<para>
With the first example below we show you how to configure Squid as a stand-alone server, and then speak a little bit about a cache hierarchy configuration, where two or more proxy-cache servers cooperate by serving documents to each other.
Edit the <filename>squid.conf</filename> file, <command>vi</command> <filename>/etc/squid/squid.conf</filename> and add/change the following options for proxy cache that run as a stand-alone server:
<programlisting>
http_port 8080
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB
cache_dir ufs /cache 200 16 256
redirect_rewrites_host_header off
replacement_policy GDSF
acl localnet src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
cache_mgr admin@openna.com
cache_effective_user squid
cache_effective_group squid
log_icp_queries off
cachemgr_passwd my-secret-pass all
buffered_logs on
</programlisting>
</para>
<para>
The big difference from the <literal>httpd-accelerator</literal> mode configuration is the use of access control lists (<acronym>ACL</acronym>). This feature allows you to restrict access based on source <acronym>IP</acronym> address (src), destination
<acronym>IP</acronym> address (dst), source domain, destination domain, time, and so on. Many <acronym>ACL</acronym> types exist, and you should consult the <filename>squid.conf</filename> file for a complete list. The four most used types
are as follows:
<literallayout>
acl  name        type        data
|    |           |           |
acl  some-name   src         a.b.c.d/e.f.g.h   # ACL restricts access based on source IP address
acl  some-name   dst         a.b.c.d/e.f.g.h   # ACL restricts access based on destination IP address
acl  some-name   srcdomain   foo.com           # ACL restricts access based on source domain
acl  some-name   dstdomain   foo.com           # ACL restricts access based on destination domain
</literallayout>
</para>
<para>
As an example, to restrict access to your Squid proxy server to only your internal clients, and to a specific range of designated ports, something like the following will do the job:
<programlisting>
acl localnet src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
</programlisting>
</para>
<para>
This <acronym>ACL</acronym> configuration allows all internal clients from the private class C network 192.168.1.0 to access the proxy server; it's also recommended that you allow the localhost IP (a special IP address used by your own server) to access
the proxy. After we choose a range of ports (80=http, 443=https, 210=wais, 119=nntp, 70=gopher, and 21=ftp) which our internal clients can use to access the Internet, we deny the <envar>CONNECT</envar> method to prevent outside people
from trying to connect to the proxy server, and finally, we deny all other source IP addresses and ports on the proxy server.
</para>
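<para>
Squid evaluates the <literal>http_access</literal> lines above in order, and the first line whose <acronym>ACL</acronym>s all match decides the request. The following Python program, added here as an illustration and not code from the book or from the Squid project, re-implements that first-match evaluation for the three <acronym>ACL</acronym> types used in this configuration (<literal>src</literal>, <literal>port</literal> and <literal>method</literal>) and runs it over the <acronym>ACL</acronym> block above and over a constructed variant in which the two <literal>deny</literal> lines are moved ahead of the <literal>allow</literal> lines. The sample requests, the variant configuration and the function names are assumptions of the example.
</para>
<programlisting><![CDATA[
```python
"""Simulate Squid's http_access evaluation for the ACLs used in the text.

Added example, not code from the book or from the Squid project. It models
only the ACL types the stand-alone configuration uses (src, port, method)
and Squid's first-match rule: http_access lines are checked in order, a
line matches when every ACL term on it matches ('!' negates a term), and
the first matching line decides. When no line matches, Squid applies the
opposite of the last line's action, which is why the configuration ends
with an explicit "deny all".
"""
import ipaddress

# Constructed sample: the stand-alone proxy ACL block from the text.
BOOK_ORDER = """
acl localnet src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
"""

# Constructed variant (not from the book): same ACLs, deny lines first, so
# the port and CONNECT restrictions also apply to internal clients.
DENY_FIRST_ORDER = """
acl localnet src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 119 70 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access deny !Safe_ports
http_access deny CONNECT
http_access allow localnet
http_access allow localhost
http_access deny all
"""


def parse_conf(text):
    """Return (acls, rules): acls maps name -> (type, values); rules is an
    ordered list of (action, [(negated, acl_name), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            # The same ACL name on several lines accumulates values.
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] == "http_access" and len(parts) >= 2:
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def _match_src(values, request):
    ip = ipaddress.ip_address(request["src"])
    # Squid's classic a.b.c.d/e.f.g.h netmask form; strict=False tolerates
    # host bits set in the address part.
    return any(ip in ipaddress.ip_network(v, strict=False) for v in values)


def _match_port(values, request):
    port = int(request["port"])
    for v in values:                             # "80" or "1025-65535"
        lo, _, hi = v.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _match_method(values, request):
    return request["method"].upper() in {v.upper() for v in values}


MATCHERS = {"src": _match_src, "port": _match_port, "method": _match_method}


def acl_matches(acls, name, request):
    if name not in acls:
        raise ValueError(f"http_access references undefined ACL {name!r}")
    acl_type, values = acls[name]
    if acl_type not in MATCHERS:
        raise ValueError(f"ACL type {acl_type!r} is not modelled here")
    return MATCHERS[acl_type](values, request)


def http_access(conf_text, request):
    """Return (decision, matched_rule) for a request dict with keys
    src (client IP), port (destination port) and method."""
    acls, rules = parse_conf(conf_text)
    for action, terms in rules:
        if all(acl_matches(acls, n, request) != neg for neg, n in terms):
            rule = " ".join(("!" if neg else "") + n for neg, n in terms)
            return action, f"http_access {action} {rule}"
    # Nothing matched: Squid falls back to the opposite of the last rule.
    last = rules[-1][0] if rules else "deny"
    return ("deny" if last == "allow" else "allow"), "default (opposite of last rule)"


if __name__ == "__main__":
    sample_requests = [                          # constructed sample requests
        {"src": "192.168.1.25", "port": 80, "method": "GET"},
        {"src": "192.168.1.25", "port": 25, "method": "GET"},
        {"src": "192.168.1.25", "port": 443, "method": "CONNECT"},
        {"src": "10.0.0.5", "port": 80, "method": "GET"},
    ]
    for label, conf in (("book order", BOOK_ORDER), ("deny-first order", DENY_FIRST_ORDER)):
        print(label)
        for r in sample_requests:
            print("  ", r, "->", http_access(conf, r))
```
]]></programlisting>
<para>
Running it shows why rule order matters: with the order used in the text, a request from 192.168.1.25 to port 25 is allowed by <literal>http_access allow localnet</literal> before <literal>deny !Safe_ports</literal> is ever reached, so the Safe_ports and CONNECT restrictions only bite clients outside the local network; with the deny lines first, the same request is denied while port 80 from the same client is still allowed. Squid's own default <filename>squid.conf</filename> places the deny lines ahead of the site-specific allow lines for this reason.
</para>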
<sidebar>
<title>Multi-level Web Caching</title>
<para>
The second method of proxy caching is the so-called <wordasword>Multi-level Web Caching</wordasword>, where you choose to share and cooperate with other proxy-cache servers on the Internet. With this method, your organization uses the caches
of many other proxy cache servers, and in return the other cache servers can use yours. It's important to note that in this situation, the proxy cache can play two different roles in the hierarchy. It can be configured to be a sibling
cache, and be able only to serve documents it already has, or it can be configured as a parent cache, and be able to get documents from another cache or from the source directly.
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Squid-Hierarchy-Schema.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Squid-Hierarchy</phrase></textobject>
</inlinemediaobject>
</para>
</sidebar>
<tip>
<title>
<inlinemediaobject><imageobject><imagedata fileref="./images/Tip.gif" format="GIF"/></imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
A good strategy to avoid generating more network traffic than without web caching is to choose to have several sibling caches and only a small number of parent caches.
</para>
</tip>
</section>
<section><?dbhtml filename="chap28sec233.html"?>
<title>Configure the <filename>/etc/rc.d/init.d/squid</filename> script file -/all configurations</title>
<para>
Configure your <filename>/etc/rc.d/init.d/squid</filename> script file to start and stop the Squid Internet Object Cache. This script has been modified to set up the swap cache for Squid in <filename class="directory">/cache</filename> instead
of <filename class="directory">/var/spool/squid</filename>.
Create the <filename>squid</filename> script file, <command>touch</command> <filename>/etc/rc.d/init.d/squid</filename> and add:
</para>
<programlisting>
#!/bin/bash
# squid         This shell script takes care of starting and stopping
#               Squid Internet Object Cache
#
# chkconfig: - 90 25
# description: Squid - Internet Object Cache. Internet object caching is \
#              a way to store requested Internet objects (i.e., data available \
#              via the HTTP, FTP, and gopher protocols) on a system closer to the \
#              requesting site than to the source. Web browsers can then use the \
#              local Squid cache as a proxy HTTP server, reducing access time as \
#              well as bandwidth consumption.
# pidfile: /var/run/squid.pid
# config: /etc/squid/squid.conf

PATH=/usr/bin:/sbin:/bin:/usr/sbin
export PATH

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] &amp;&amp; exit 0

# Check that the squid configuration file is present.
[ -f /etc/squid/squid.conf ] || exit 0

# Determine the name of the squid binary.
[ -f /usr/sbin/squid ] &amp;&amp; SQUID=squid
[ -z "$SQUID" ] &amp;&amp; exit 0

# Determine the cache_swap directories: strip comments from squid.conf and
# take the third field of every cache_dir line, so that
# "cache_dir ufs /cache 200 16 256" yields /cache.
CACHE_SWAP=`sed -e 's/#.*//g' /etc/squid/squid.conf | \
            awk '$1 == "cache_dir" { print $3 }'`
[ -z "$CACHE_SWAP" ] &amp;&amp; CACHE_SWAP=/cache

# Default squid options.
# -D disables the initial DNS checks. If you will most likely not have an
# Internet connection when you start squid, uncomment this line.
#SQUID_OPTS="-D"

RETVAL=0

case "$1" in
  start)
        echo -n "Starting $SQUID: "
        # Create the swap directory structure the first time only.
        for adir in $CACHE_SWAP; do
            if [ ! -d "$adir/00" ]; then
                echo -n "init_cache_dir $adir... "
                $SQUID -z -F 2&gt;/dev/null
            fi
        done
        $SQUID $SQUID_OPTS &amp;
        RETVAL=$?
        echo $SQUID
        [ $RETVAL -eq 0 ] &amp;&amp; touch /var/lock/subsys/$SQUID
        ;;
  stop)
        echo -n "Stopping $SQUID: "
        # "-k shutdown" signals the running squid and returns at once;
        # we then wait for the pid file to disappear.
        $SQUID -k shutdown
        RETVAL=$?
        if [ $RETVAL -eq 0 ] ; then
            rm -f /var/lock/subsys/$SQUID
            while : ; do
                [ -f /var/run/squid.pid ] || break
                sleep 2 &amp;&amp; echo -n "."
            done
            echo "done"
        else
            echo
        fi
        ;;
  reload)
        $SQUID $SQUID_OPTS -k reconfigure
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        status $SQUID
        $SQUID -k check
        exit $?
        ;;
  probe)
        exit 0
        ;;
  *)
        echo "Usage: $0 {start|stop|status|reload|restart}"
        exit 1
esac
exit $RETVAL
</programlisting>
<para>
Now, make this script executable and change its default permissions:
<screen>
[root@deep /]# <command>chmod</command> 700 /etc/rc.d/init.d/squid
</screen>
Create the symbolic rc.d links for Squid with the command:
<screen>
[root@deep /]# <command>chkconfig</command> --add squid
</screen>
</para>
<para>
By default the squid script will not automatically start the proxy server on Red Hat Linux when you reboot the server. You can change its default by executing the following command:
<screen>
[root@deep /]# <command>chkconfig</command> --level 345 squid on
</screen>
Start your new Squid Proxy Server manually with the following command:
<screen>
[root@deep /]# /etc/rc.d/init.d/squid <command>start</command>
</screen>
On the first start, when the swap directories do not exist yet, the output looks like this:
<literallayout class="monospaced"><computeroutput>
Starting squid: init_cache_dir /cache... squid
</computeroutput></literallayout>
</para>
</section>
<section><?dbhtml filename="chap28sec234.html"?>
<title>Configure the <filename>/etc/logrotate.d/squid</filename> file</title>
<para>
Configure your <filename>/etc/logrotate.d/squid</filename> file to rotate your log files automatically each week.
Create the <filename>squid</filename> file, <command>touch</command> <filename>/etc/logrotate.d/squid</filename> and add:
</para>
<programlisting>
/var/log/squid/access.log {
weekly
rotate 5
copytruncate
compress
notifempty
missingok
}
/var/log/squid/cache.log {
weekly
rotate 5
copytruncate
compress
notifempty
missingok
}
/var/log/squid/store.log {
weekly
rotate 5
copytruncate
compress
notifempty
missingok
# This script asks squid to rotate its logs on its own.
# Restarting squid is a long process and it is not worth
# doing it just to rotate logs
postrotate
/usr/sbin/squid -k rotate
endscript
}
</programlisting>
<section>
<title>Securing and Immunizing Squid</title>
<para>
If you have created the cache directory of Squid on a separate partition of your Linux system, <abbrev>i.e.</abbrev> <filename class="directory">/cache</filename>, as we have done during the install setup, you have more control over how it is mounted and can use
the <literal>noexec</literal>, <literal>nodev</literal>, and <literal>nosuid</literal> features to improve and consolidate the cache security. These features are set in the <filename>/etc/fstab</filename> file and tell the system not to allow execution of any binaries (<literal>noexec</literal>),
not to interpret character or block special devices (<literal>nodev</literal>), and not to allow set-user-identifier or set-group-identifier bits to take effect (<literal>nosuid</literal>) on the mounted file system, <filename class="directory">/cache</filename> <emphasis>in our example</emphasis>.
Applying this procedure to the partition where the Squid cache resides helps eliminate the possibility of device files (<literal>DEV</literal>), <literal>SUID/SGID</literal> binaries, and execution of any binaries there.
</para>
<para>
As an example, assuming <filename>/dev/sda8</filename> is the partition in the system where the <filename class="directory">/cache</filename> directory of Squid lives, you must edit the fstab
file, <command>vi</command> <filename>/etc/fstab</filename> and change the line related to <filename>/dev/sda8:</filename>
<programlisting>
/dev/sda8 /cache ext2 defaults 1 2
</programlisting>
To read:
<programlisting>
/dev/sda8 /cache ext2 noexec,nodev,nosuid 1 2
</programlisting>
Don't forget to reboot your system for the changes to take effect.
</para>
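<para>
To check this on an existing system rather than reading <filename>/etc/fstab</filename> by eye, the following Python script, added here as an illustration and not code from the book, parses fstab-style text (the same six-column layout <filename>/proc/mounts</filename> uses, so it can be pointed at the live mount table as well), reports which of <literal>noexec</literal>, <literal>nodev</literal> and <literal>nosuid</literal> are missing for a given mount point, and rewrites the entry the way shown above. The sample fstab it runs on is constructed for the example; the function names are assumptions.
</para>
<programlisting><![CDATA[
```python
"""Audit fstab-style entries for the noexec,nodev,nosuid mount options the
text applies to the Squid cache partition, and emit the hardened line.

Added example, not from the book. The parser handles the six-column fstab
format, which /proc/mounts shares, so the same audit can be run against
the live mount table (see audit_file below).
"""

HARDENING = ("noexec", "nodev", "nosuid")

# Constructed sample fstab: the /cache line before hardening, a partition
# that is already hardened, and a couple of unrelated entries.
SAMPLE_FSTAB = """\
# device     mountpoint  type   options               dump pass
/dev/sda1    /           ext2   defaults              1    1
/dev/sda8    /cache      ext2   defaults              1    2
/dev/sda9    /tmp        ext2   noexec,nodev,nosuid   1    2
none         /proc       proc   defaults              0    0
"""


def parse_mount_table(text):
    """Yield (device, mountpoint, fstype, options_set) for each entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:          # blank, comment, or malformed line
            continue
        device, mountpoint, fstype, options = fields[:4]
        yield device, mountpoint, fstype, set(options.split(","))


def missing_options(text, mountpoint, required=HARDENING):
    """Return the required options absent from mountpoint's entry, in the
    order given; None if the mountpoint has no entry at all."""
    for _device, mp, _fstype, options in parse_mount_table(text):
        if mp == mountpoint:
            return [o for o in required if o not in options]
    return None


def harden_line(line, required=HARDENING):
    """Rewrite one fstab line so it carries the required options. 'defaults'
    is dropped, as in the text, because the explicit options replace it;
    any other existing options are kept in their original order."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"not an fstab entry: {line!r}")
    options = [o for o in fields[3].split(",") if o != "defaults"]
    options += [o for o in required if o not in options]
    fields[3] = ",".join(options)
    return " ".join(fields)


def audit_file(path, mountpoint, required=HARDENING):
    """Run the audit against a real file such as /etc/fstab or /proc/mounts."""
    with open(path) as fh:
        return missing_options(fh.read(), mountpoint, required)


if __name__ == "__main__":
    for mp in ("/cache", "/tmp"):
        print(mp, "missing:", missing_options(SAMPLE_FSTAB, mp))
    print(harden_line("/dev/sda8 /cache ext2 defaults 1 2"))
```
]]></programlisting>
<para>
Running the audit against <filename>/proc/mounts</filename> after the change confirms that the options are actually in effect on the mounted file system, which is the check that matters once the system has been rebooted.
</para>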
<para>
You should immunize important configuration files like <filename>squid.conf</filename>. As we already know, the immutable bit can be used to prevent deletion, overwriting, or creation of a symbolic link to a file. Once your <filename>squid.conf</filename>
file has been configured, it's a good idea to immunize it with the following command:
<screen>
[root@deep /]# chattr +i /etc/squid/squid.conf
</screen>
</para>
</section>
</section>
<section><?dbhtml filename="chap28sec235.html"?>
<title>Optimizing Squid</title>
<para>
The <envar>atime</envar> and <envar>noatime</envar> attributes can be used to get a measurable performance gain in the Squid cache directory. See <link linkend="prt2ch1gss">General System Optimization</link> in this book, for more information on the subject.
</para>
<para>
The most important resource for Squid is physical memory. Your processor does not need to be ultra-fast. Your disk system will be the major bottleneck, so fast disks are important for high-volume caches.
Do not use <acronym>IDE</acronym> disks if you can help it.
</para>
<section>
<title>The cachemgr.cgi</title>
<para>
The cachemgr.cgi utility program, which is available by default when you compile and install Squid on your system, is designed to run through a web interface, and outputs various statistics about Squid configuration and performance.
This program is located under the <filename class="directory">/usr/lib/squid</filename> directory, and you must put it in your <filename class="directory">cgi-bin</filename> directory (<abbrev>e.g.</abbrev> <filename class="directory">/home/httpd/cgi-bin</filename>) to be able to use it. Follow the simple steps below to use this program.
</para>
<procedure>
<step><para>
Move the <command>cachemgr.cgi</command> program to your <literal>cgi-bin</literal> directory:
<screen>
[root@deep /]# <command>mv</command> /usr/lib/squid/cachemgr.cgi /home/httpd/cgi-bin
</screen>
I assume your <filename class="directory">cgi-bin</filename> directory is located under <filename class="directory">/home/httpd/cgi-bin</filename>, other paths are possible. Also, this <command>cgi-bin</command> will exist only if you've
installed the Apache Web Server on your system.
</para></step>
<step><para>
Once you've put the <command>cachemgr.cgi</command> program in your <filename class="directory">cgi-bin</filename> directory, you can point your web browser to the following address <literal>http://my-web-server/cgi-bin/cachemgr.cgi</literal>
to be able to use the various features of this program.
The <literal>my-web-server</literal> is the address where your Apache web server lives, and <command>cachemgr.cgi</command> is the utility program we have just placed in our <filename class="directory">cgi-bin</filename> directory to display
information and the configuration of our Squid Linux server.
</para></step>
</procedure>
<para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Squid-CachePass.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Squid cache password</phrase></textobject>
</mediaobject>
If you have configured the <filename>squid.conf</filename> file to use password authentication for <command>cachemgr.cgi</command>, you'll be asked to enter the Cache Host, Cache Port, Manager name, and Password information before you are
able to access the <command>cachemgr.cgi</command> program. See the configuration of the <link linkend="pr6ch28scsqcnf">/etc/squid/squid.conf</link> file above for more information.
</para>
<para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Squid-CacheMGR.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Squid cache Manager</phrase></textobject>
</mediaobject>
Once you have been authenticated by the server, you'll see in your web browser interface the Cache Manager menu where you can examine and analyze the different options related to your Squid Proxy server.
</para>
</section>
</section>
<section><?dbhtml filename="chap28sec236.html"?>
<title>Netscape Proxies Configuration</title>
<para>
If you decide to use Squid as a proxy-caching server, and to allow all users in your corporate network to reach the Internet only through Squid in this mode, you must instruct your users' browsers to fetch objects from your
Squid proxy server instead of retrieving them directly from the Internet.
</para>
<para>
With Netscape Communicator, follow these simple steps below:
<orderedlist>
<listitem><para>
Open Netscape Communicator
</para></listitem><listitem><para>
Go to <guimenuitem>Edit</guimenuitem> menu
</para></listitem><listitem><para>
Click on <guisubmenu>Preferences</guisubmenu>
</para></listitem><listitem><para>
Double click <guisubmenu>Advanced</guisubmenu> category on the left side
</para></listitem><listitem><para>
Click on <guisubmenu>Proxies</guisubmenu> subcategory option
</para></listitem><listitem><para>
Select on the right side <guibutton>Manual proxy configuration</guibutton> radio button
</para></listitem><listitem><para>
Click on the <guibutton>View</guibutton> button
</para></listitem><listitem><para>
Fill the boxes with your proxy server information
</para></listitem>
</orderedlist>
</para>
<para>
For example:
<simplelist>
<member>
<acronym>HTTP</acronym>: <literal> 208.164.186.1 Port: 8080</literal>
</member><member>
Security: <literal>208.164.186.1 Port: 8080</literal>
</member><member>
<acronym>FTP</acronym>: <literal>208.164.186.1 Port: 8080</literal>
</member><member>
Gopher: <literal>208.164.186.1 Port: 8080</literal>
</member><member>
<acronym>WAIS</acronym>: <literal>208.164.186.1 Port: 8080</literal>
</member>
</simplelist>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Proxy-Configuration.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Proxy Netscape Configuration</phrase></textobject>
</mediaobject>
</para>
</section>
<section><?dbhtml filename="chap28sec237.html"?>
<title>Installed files</title>
<simplelist type="horiz" columns="2">
<member><filename>/etc/squid</filename></member>
<member><filename>/etc/squid/mib.txt</filename></member>
<member><filename>/etc/squid/squid.conf.default</filename></member>
<member><filename>/etc/squid/squid.conf</filename></member>
<member><filename>/etc/squid/mime.conf.default</filename></member>
<member><filename>/etc/squid/mime.conf</filename></member>
<member><filename>/etc/squid/errors</filename></member>
<member><filename>/etc/squid/errors/ERR_ACCESS_DENIED</filename></member>
<member><filename>/etc/squid/errors/ERR_CACHE_ACCESS_DENIED</filename></member>
<member><filename>/etc/squid/errors/ERR_CACHE_MGR_ACCESS_DENIED</filename></member>
<member><filename>/etc/squid/errors/ERR_CANNOT_FORWARD</filename></member>
<member><filename>/etc/squid/errors/ERR_CONNECT_FAIL</filename></member>
<member><filename>/etc/squid/errors/ERR_DNS_FAIL</filename></member>
<member><filename>/etc/squid/errors/ERR_FORWARDING_DENIED</filename></member>
<member><filename>/etc/squid/errors/ERR_FTP_DISABLED</filename></member>
<member><filename>/etc/squid/errors/ERR_FTP_FAILURE</filename></member>
<member><filename>/etc/squid/errors/ERR_FTP_FORBIDDEN</filename></member>
<member><filename>/etc/squid/errors/ERR_FTP_NOT_FOUND</filename></member>
<member><filename>/etc/squid/errors/ERR_FTP_PUT_CREATED</filename></member>
<member><filename>/etc/squid/errors/ERR_FTP_PUT_ERROR</filename></member>
<member><filename>/etc/squid/errors/ERR_FTP_PUT_MODIFIED</filename></member>
<member><filename>/etc/squid/errors/ERR_FTP_UNAVAILABLE</filename></member>
<member><filename>/etc/squid/errors/ERR_INVALID_REQ</filename></member>
<member><filename>/etc/squid/errors/ERR_INVALID_URL</filename></member>
<member><filename>/etc/squid/errors/ERR_LIFETIME_EXP</filename></member>
<member><filename>/etc/squid/errors/ERR_NO_RELAY</filename></member>
<member><filename>/etc/squid/errors/ERR_ONLY_IF_CACHED_MISS</filename></member>
<member><filename>/etc/squid/errors/ERR_READ_ERROR</filename></member>
<member><filename>/etc/squid/errors/ERR_READ_TIMEOUT</filename></member>
<member><filename>/etc/squid/errors/ERR_SHUTTING_DOWN</filename></member>
<member><filename>/etc/squid/errors/ERR_SOCKET_FAILURE</filename></member>
<member><filename>/etc/squid/errors/ERR_TOO_BIG</filename></member>
<member><filename>/etc/squid/errors/ERR_UNSUP_REQ</filename></member>
<member><filename>/etc/squid/errors/ERR_URN_RESOLVE</filename></member>
<member><filename>/etc/squid/errors/ERR_WRITE_ERROR</filename></member>
<member><filename>/etc/squid/errors/ERR_ZERO_SIZE_OBJECT</filename></member>
<member><filename>/etc/rc.d/init.d/squid</filename></member>
<member><filename>/etc/rc.d/rc0.d/K25squid</filename></member>
<member><filename>/etc/rc.d/rc1.d/K25squid</filename></member>
<member><filename>/etc/rc.d/rc2.d/K25squid</filename></member>
<member><filename>/etc/rc.d/rc3.d/S90squid</filename></member>
<member><filename>/etc/rc.d/rc4.d/S90squid</filename></member>
<member><filename>/etc/rc.d/rc5.d/S90squid</filename></member>
<member><filename>/etc/rc.d/rc6.d/K25squid</filename></member>
<member><filename>/etc/logrotate.d/squid</filename></member>
<member><filename>/usr/lib/squid</filename></member>
<member><filename>/usr/lib/squid/dnsserver</filename></member>
<member><filename>/usr/lib/squid/unlinkd</filename></member>
<member><filename>/usr/lib/squid/cachemgr.cgi</filename></member>
<member><filename>/usr/lib/squid/icons</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-binhex.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-bomb.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-box.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-box2.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-c.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-compressed.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-dir.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-dirup.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-dvi.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-f.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-image.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-image2.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-layout.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-link.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-movie.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-pdf.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-portal.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-ps.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-quill.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-script.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-sound.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-tar.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-tex.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-text.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-unknown.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-xbm.gif</filename></member>
<member><filename>/usr/lib/squid/icons/anthony-xpm.gif</filename></member>
<member><filename>/usr/sbin/RunCache</filename></member>
<member><filename>/usr/sbin/RunAccel</filename></member>
<member><filename>/usr/sbin/squid</filename></member>
<member><filename>/usr/sbin/client</filename></member>
<member><filename>/var/log/squid</filename></member>
</simplelist>
</section>
</chapter>
<chapter label="29" id="pr6ch29wapch"><?dbhtml filename="netweb-Apache.html"?>
<title>Software -Network Server, web/Apache</title>
<highlights><para>
It is recommended that you compile and install this small program only if you intend to install and use the Apache web server with third party modules like:
<simplelist><member>
mod_ssl for encrypted data
</member><member>
mod_perl for the Perl programming language
</member><member>
mod_php for the <acronym>PHP</acronym> server-side scripting language.
</member>
</simplelist>
This program will provide a significant performance improvement to Apache modules. For instance, if you need to install Apache with SSL support for your electronic commerce on the Internet, this allows the SSL protocol to use a high-performance RAM-based session cache instead of a disk-based one.
</para></highlights>
<section id="prt6ch29scmm"><?dbhtml filename="shrdmemlib.html"?>
<title>Linux MM Shared Memory Library </title>
<sidebar>
<title>As per the <citation>MM Shared Memory Library web site</citation>:</title>
<para>
The MM library is a 2-layer abstraction library, which simplifies the usage of shared memory between forked and, in this example, strongly related processes under Unix platforms. On the first layer it hides all platform dependent
implementation details; allocation and locking, when dealing with shared memory segments, and on the second layer it provides a high-level malloc(3)-style API for a convenient and well known way to work with data-structures inside
those shared memory segments.
</para>
<para>
The library is released under the term of an open-source, BSD-style license, because it was originally written as a proposal for use inside the next version of the Apache web server as a base library for providing shared memory pools
to Apache modules. Currently, Apache modules can only use heap-allocated memory, which isn't shared across the pre-forked server processes. The requirement actually comes from comprehensive modules like mod_ssl, mod_perl and mod_php,
which would benefit a lot from easy to use shared memory pools.
</para>
</sidebar>
<para>
These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename class="directory">/var/tmp</filename>, <emphasis>other paths are possible</emphasis>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>.
</para></listitem><listitem><para>
Mm version number is 1.1.2
</para></listitem>
</itemizedlist>
</para>
<para>
These are the package(s):
<simplelist>
<member>
MM Homepage:<link linkend="prtinxfp29">http://www.engelschall.com/sw/mm/</link>
</member><member>
You must be sure to download: <filename>mm-1.1.2.tar.gz</filename>
</member>
</simplelist>
</para>
<para>
Before you decompress the tarballs, it is a good idea to make a list of files on the system before you install MM, and one afterwards, and then compare them using diff to find out what file it placed where. Simply run
<command>find</command> <userinput>/* &gt; MM1</userinput> before and <command>find</command> <userinput>/* &gt; MM2</userinput> after you install the software, and use <command>diff</command> <userinput>MM1 MM2 &gt; MM-Installed</userinput>
to get a list of what changed.
</para>
<para>
To compile you need to decompress the tarball (tar.gz) first.
<screen>
[root@deep /]# <command>cp</command> mm-version.tar.gz /var/tmp
[root@deep /]# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf mm-version.tar.gz
</screen>
</para>
</section>
<section><?dbhtml filename="chap29sec238.html"?>
<title>Compile</title>
<para>
Move into the new mm directory and type the following commands on your terminal:
<programlisting>
./configure \
--disable-shared \
--prefix=/usr
</programlisting>
This tells MM to set itself up for this particular hardware setup with:
<itemizedlist>
<listitem><para>
Disable shared libraries.
</para></listitem>
</itemizedlist>
</para>
<para>
Now, we must compile and install MM Shared Memory Library in the server:
<screen>
[root@deep ]/mm-1.1.2# <command>make</command>
[root@deep ]/mm-1.1.2# <command>make test</command>
[root@deep ]/mm-1.1.2# <command>make install</command>
</screen>
The <command>make test</command> command runs some important tests to verify that the program works and responds properly before the installation.
</para>
<para>
Please do cleanup later:
<screen>
[root@deep /]# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf mm-version/ mm-version.tar.gz
</screen>
The <command>rm</command> command will remove all the source files we have used to compile and install mm. It will also remove the mm compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para>
<para>
For further documentation and more details, there are several man pages you can read:
<variablelist>
<varlistentry>
<term><citerefentry><refentrytitle>MM</refentrytitle><manvolnum>3</manvolnum></citerefentry></term>
<listitem><para>
Shared Memory Library
</para></listitem>
</varlistentry>
<varlistentry>
<term><citerefentry><refentrytitle>mm-config</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
MM library configuration/build utility
</para></listitem>
</varlistentry>
</variablelist>
</para>
<section>
<title>Installed files</title>
<para>
These are the files installed by the program MM on your system.
<simplelist>
<member><filename>/usr/bin/mm-config</filename></member>
<member><filename>/usr/include/mm.h</filename></member>
<member><filename>/usr/lib/libmm.la</filename></member>
<member><filename>/usr/lib/libmm.a</filename></member>
<member><filename>/usr/man/man1/mm-config.1</filename></member>
<member><filename>/usr/man/man3/mm.3</filename></member>
</simplelist>
</para>
</section>
</section>
<section id="prt6ch29sapws"><?dbhtml filename="chap29sec239.html"?>
<title>Linux Apache Web Server</title><?dbhtml filename="apache-web.html"?>
<sidebar><para>
Apache is the most widely used HTTP-server in the world today. It surpasses all free and commercial competitors on the market, and provides a myriad of features; more than the nearest competitor could give you on a UNIX variant.
It is also the most used web server for a Linux system. A web server like Apache, in its simplest function, is software that displays and serves HTML pages hosted on a server to a client browser that understands the HTML code.
Mixed with third party modules and programs, it can become powerful software, which will provide strong and useful services to a client browser.
</para></sidebar>
<para>
I expect that most of the users that read this book will be especially interested in knowing how to install the Apache web server in the most secure, and optimized, way. In its base install, Apache is no more difficult to install
than the other software we have installed on our Linux server. The process can become tricky when we want to add some third party modules or programs. There are a lot of possibilities, variants and options for installing Apache.
</para>
<para>
We have provided some step-by-step examples where you can see how to build Apache with other third-party modules and programs like mod_ssl, mod_perl, PHP4, LDAP connectivity, etc. Of course, the building of these programs is
optional, and you are free to compile only what you want, <abbrev>i.e.</abbrev> you may want to compile Apache with support for PHP4, but without SSL or PostgreSQL database connectivity <abbrev>etc.</abbrev> To simplify matters
we assume some prerequisites for each example. If these don't fit your needs, simply modify the steps to suit your needs.
</para>
<para>
In this section, we explain and cover some of the basic ways in which you can adjust the configuration to improve the server's performance. Also, for the interested, we'll provide a procedure to be able to run Apache as a non
root-user and in a chrooted environment for optimal security.
</para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Apache-Schema.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Apache web server</phrase></textobject>
</mediaobject>
<para>
These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename class="directory">/var/tmp</filename>, <emphasis>other paths are possible</emphasis>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>.
</para></listitem><listitem><para>
Apache version number is 1.3.12
</para></listitem><listitem><para>
Mod_SSL version number is 2.6.4-1.3.12
</para></listitem><listitem><para>
Mod_Perl version number is 1.24
</para></listitem><listitem><para>
Mod_PHP version number is 4.0.0
</para></listitem>
</itemizedlist>
</para>
<para>
Packages
<simplelist type="vert" columns="2">
<member>
Apache Homepage: <link linkend="prtinxfp30">http://www.apache.org/</link>
</member><member>
Apache FTP Site: <link linkend="prtinxfp30">63.211.145.10</link>
</member><member>
You must be sure to download: apache_1.3.12.tar.gz
</member><member>
Mod_SSL Homepage: <link linkend="prtinxfp30">http://www.modssl.org/</link>
</member><member>
Mod_SSL FTP Site: <link linkend="prtinxfp30">129.132.7.171</link>
</member><member>
You must be sure to download: mod_ssl-2.6.4-1.3.12.tar.gz
</member><member>
Mod_Perl Homepage: <link linkend="prtinxfp30">http://perl.apache.org/</link>
</member><member>
Mod_Perl FTP Site: <link linkend="prtinxfp30">63.211.145.10</link>
</member><member>
You must be sure to download: mod_perl-1.24.tar.gz
</member><member>
Mod_PHP Homepage: <link linkend="prtinxfp30">http://www.php.net/</link>
</member><member>
You must be sure to download: php-4.0.0.tar.gz
</member>
</simplelist>
</para>
<para>
And don't forget that these are the prerequisites if you are following the steps described by us exactly.
<orderedlist numeration="lowerroman">
<listitem><para>
OpenSSL should be already installed on your system if you want Apache and SSL encryption support.
</para></listitem><listitem><para>
PostgreSQL should be already installed on your system if you want Apache and PostgreSQL database connectivity support.
</para></listitem><listitem><para>
MM should be already installed on your system if you want Apache and MM high-performance RAM-based session cache support.
</para></listitem><listitem><para>
OpenLDAP should be already installed on your system if you want Apache and LDAP directory connectivity support.
</para></listitem><listitem><para>
IMAP &amp; POP should be already installed on your system if you want Apache and IMAP &amp; POP capability.
</para></listitem>
</orderedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
For more information on the required software, see the related chapter(s) in this book.
</para></tip>
<para>
Before you decompress the tarballs, it is a good idea to make a list of the files on the system before you install Apache and another one afterwards, then compare the two with <command>diff</command> to find out which file it placed where. Simply
run <command>find</command> <userinput>/* &gt; Apache1</userinput> before and <command>find</command> <userinput>/* &gt; Apache2</userinput> after you install the software, and use <command>diff</command> <userinput>Apache1 Apache2 &gt; Apache-Installed</userinput>
to get a list of what changed.
</para>
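<para>An added example, not from the book: a slightly more careful version of the same before/after comparison. It records mode, owner and size for every entry and sorts both lists, so the output of <command>comm</command> is exactly the set of entries the install added or changed (plain <command>find</command> output is not in a stable order, so <command>diff</command> on two raw listings shows spurious moves). It assumes GNU find and coreutils as shipped with Red Hat Linux; the scratch tree built by <literal>demo</literal> stands in for <filename class="directory">/</filename>.</para>

```shell
# Added example (not from the book): snapshot a directory tree before and
# after "make install" and report exactly what changed.  Assumes GNU find
# (-printf, -xdev) and coreutils (sort, comm) as on Red Hat Linux.

# snapshot DIR OUTFILE : one sorted line per entry, "path mode uid:gid size".
# -xdev keeps the walk on one filesystem, so /proc and friends are skipped
# when DIR is "/".
snapshot() {
    find "$1" -xdev -printf '%p %m %U:%G %s\n' 2>/dev/null | LC_ALL=C sort -o "$2"
}

# changed_entries BEFORE AFTER : lines present only in AFTER, i.e. new files
# and files whose mode, owner or size changed (a changed file shows its new
# line here and its old line in removed_entries).
changed_entries() {
    LC_ALL=C comm -13 "$1" "$2"
}

# removed_entries BEFORE AFTER : lines present only in BEFORE.
removed_entries() {
    LC_ALL=C comm -23 "$1" "$2"
}

# Demonstration on a constructed scratch tree standing in for "/".
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/usr/sbin"
    printf 'old\n' > "$work/tree/usr/sbin/existing"
    snapshot "$work/tree" "$work/Apache1"
    printf 'new binary\n' > "$work/tree/usr/sbin/httpd"   # stands in for the installed binary
    chmod 700 "$work/tree/usr/sbin/existing"              # an existing file whose mode changed
    snapshot "$work/tree" "$work/Apache2"
    changed_entries "$work/Apache1" "$work/Apache2" | sed "s#^$work/tree##"
    rm -rf "$work"
}
```

<para>On the real server, run <literal>snapshot / /root/Apache1</literal> as root before <command>make install</command> and <literal>snapshot / /root/Apache2</literal> after it, then <literal>changed_entries</literal> and <literal>removed_entries</literal> on the two files; the list is also the quickest way to confirm that nothing landed outside the directories given to <command>configure</command>.</para>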
<para>
To compile, decompress the tarballs (tar.gz).
<screen>
[root@deep ]/# <command>cp</command> apache_version.tar.gz /var/tmp
[root@deep ]/# <command>cp</command> mod_ssl-version-version.tar.gz /var/tmp
[root@deep ]/# <command>cp</command> mod_perl-version.tar.gz /var/tmp
[root@deep ]/# <command>cp</command> php-version.tar.gz /var/tmp
[root@deep ]/# <command>cd</command> /var/tmp/
[root@deep ]/tmp# <command>tar</command> xzpf apache_version.tar.gz
[root@deep ]/tmp# <command>tar</command> xzpf mod_ssl-version-version.tar.gz
[root@deep ]/tmp# <command>tar</command> xzpf mod_perl-version.tar.gz
[root@deep ]/tmp# <command>tar</command> xzpf php-version.tar.gz
</screen>
</para>
</section>
<section><?dbhtml filename="chap29sec240.html"?>
<title>Compile and Optimize</title>
<para>
Apache, like many of the applications we install, must not run as the <wordasword>super-user</wordasword> root. For this reason we create a dedicated user that has minimal access to the system, yet enough to run the Apache web server: the parent httpd process
starts as root only to bind the privileged port, then switches to this account (the User and Group directives in <filename>httpd.conf</filename>) for the child processes that actually serve requests. It is best to create a new user used for nothing but the web server daemon.
</para>
<procedure>
<step><para>
<screen>
[root@deep ]/# <command>useradd</command> -c "Apache Server" -u 80 -s /bin/false -r -d /home/httpd www 2&gt;/dev/null || :
</screen>
</para></step>
<step><para>
You have to apply mod_ssl to the Apache source tree if you want to include SSL data encryption support in your Apache web server. Move into the new mod_ssl source directory, <command>cd</command> <filename class="directory">mod_ssl-version-version/</filename>,
and type the following commands on your terminal:
<programlisting>
CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--with-apache=../apache_1.3.12 \
--with-crt=/etc/ssl/certs/server.crt \
--with-key=/etc/ssl/private/server.key
</programlisting>
<itemizedlist>
<listitem><para>
The <literal>--with-apache</literal> option specifies the location of the Apache source directory; note that we assume your Apache version in this example is 1.3.12.
</para></listitem>
<listitem><para>
The <literal>--with-crt</literal> option specifies the location of your existing server certificate (which carries the public key) for SSL encryption.
</para></listitem><listitem><para>
The <literal>--with-key</literal> option specifies the location of your existing private key for SSL encryption.
</para></listitem>
</itemizedlist>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title><para>
OpenSSL must already be installed on your server, and your server certificate and private key must already exist, or be created first, or mod_ssl's configure step will stop with an error.
See <link linkend="pr6ch24sc1ossl">Software -Networking/Encryption</link>, in this book, for more information.
</para></important>
</para></step>
<step><para>
Improve the MaxClients parameter of Apache. By default the maximum value you can set for the MaxClients parameter in the Apache configuration file <filename>httpd.conf</filename> is 256. For a busy site, and for better
performance, it is recommended that you raise this limit. You do this by editing the <filename class="headerfile">src/include/httpd.h</filename> file in the Apache source directory and changing the
default value; the <envar>MaxClients 512</envar> setting used in the <filename>httpd.conf</filename> later in this chapter depends on it. Each child is a full process, so raise the limit only as far as the memory of your server allows.
Move into the new Apache source directory, <command>cd</command> <filename class="directory">../apache_1.3.12/</filename>, and edit the <filename class="headerfile">httpd.h</filename> file:
<programlisting>
#define HARD_SERVER_LIMIT 256
</programlisting>
To read:
<programlisting>
#define HARD_SERVER_LIMIT 1024
</programlisting>
</para></step>
<step><para>
Pre-configure Apache for the <acronym>PHP4</acronym> configure step. If you want to include the <acronym>PHP4</acronym> server-side scripting language in your Apache web server, move into the new Apache source directory, <command>cd</command> <filename class="directory">apache_1.3.12/</filename>,
if you are not already in it, and type the following commands on your terminal:
<programlisting>
CC="egcs" \
OPTIM="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
CFLAGS="-DDYNAMIC_MODULE_LIMIT=0" \
./configure \
--prefix=/home/httpd \
--bindir=/usr/bin \
--sbindir=/usr/sbin \
--libexecdir=/usr/lib/apache \
--includedir=/usr/include/apache \
--sysconfdir=/etc/httpd/conf \
--localstatedir=/var \
--runtimedir=/var/run \
--logfiledir=/var/log/httpd \
--datadir=/home/httpd \
--proxycachedir=/var/cache/httpd \
--mandir=/usr/man
</programlisting>
</para></step>
</procedure>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title><para>
This step is necessary only if you want to include <acronym>PHP</acronym>4 support in your Apache source code, since it pre-configures Apache for <acronym>PHP</acronym>4's configure step below. Take note that the <envar>-DDYNAMIC_MODULE_LIMIT=0</envar> option
disables the use of dynamically loaded modules in our compilation of Apache, which improves its performance slightly and also fixes the set of code running in the server at compile time: no module can be added later with <literal>LoadModule</literal>.
</para></tip>
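<para>An added example, not from the book: pre-flight checks for the points the Important note in the mod_ssl step above makes, so the run stops with a clear message before <command>./configure</command> rather than part-way through it. It verifies that the account created with <command>useradd</command> has a non-login shell, that the certificate named by <literal>--with-crt</literal> is readable, that the private key named by <literal>--with-key</literal> is a regular file with no group or other permission bits, and, when the <command>openssl</command> binary is available, that certificate and key belong together. The user name <literal>www</literal>, the <filename class="directory">/etc/ssl</filename> paths and GNU <command>stat</command> are assumptions taken from this chapter's layout; the passwd file argument exists only so the checks can be run against a copy.</para>

```shell
# Added example (not from the book).  Run before the mod_ssl ./configure
# step; each check prints why it failed.  Assumes GNU stat.  The passwd
# file argument is only there so the checks can be run against a copy.

# service_account_locked NAME [PASSWDFILE] : 0 if NAME exists and its login
# shell is /bin/false or nologin (the useradd above sets /bin/false).
service_account_locked() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7; exit }' "${2:-/etc/passwd}")
    case $shell in
        '')                       echo "no account named $1"; return 1 ;;
        /bin/false|/sbin/nologin) return 0 ;;
        *)                        echo "$1 can log in: shell is $shell"; return 1 ;;
    esac
}

# private_key_ok FILE : a regular file whose mode grants nothing to group or
# other (0600 or 0400), so only root, which starts httpd, can read it.
private_key_ok() {
    if [ ! -f "$1" ]; then echo "missing private key $1"; return 1; fi
    mode=$(stat -c '%a' "$1")
    case $mode in
        *00) return 0 ;;
        *)   echo "$1 is mode $mode; group and other must have no access"; return 1 ;;
    esac
}

# cert_ok FILE : the certificate must exist and be readable.
cert_ok() {
    if [ -r "$1" ]; then return 0; fi
    echo "missing or unreadable certificate $1"; return 1
}

# cert_matches_key CRT KEY : the RSA modulus of both must be identical.
# Needs the openssl binary, so it is kept out of preflight.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    if [ -z "$c" ]; then echo "cannot read certificate $1"; return 1; fi
    if [ "$c" != "$k" ]; then echo "$1 and $2 do not belong together"; return 1; fi
    return 0
}

# preflight USER CRT KEY [PASSWDFILE] : run every filesystem check, report
# all failures, return 1 if any failed.
preflight() {
    rc=0
    service_account_locked "$1" "${4:-/etc/passwd}" || rc=1
    cert_ok "$2" || rc=1
    private_key_ok "$3" || rc=1
    return $rc
}

# As root, with the paths used in the mod_ssl configure command above:
#   preflight www /etc/ssl/certs/server.crt /etc/ssl/private/server.key
#   cert_matches_key /etc/ssl/certs/server.crt /etc/ssl/private/server.key
```

<para>A key that fails <literal>private_key_ok</literal> should be fixed with <command>chmod</command> <userinput>600</userinput> before going any further; mod_ssl will happily use a world-readable key, and nothing later in the build warns you about it.</para>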
</section>
<section><?dbhtml filename="chap29sec241.html"?>
<title>Configure and apply <acronym>PHP4</acronym> to Apache source</title>
<para>
Now, move into the new php4 directory <command>cd</command> <filename class="directory">../php-4.0.0</filename> and type the following commands on your terminal:
</para>
<procedure>
<step><para>
Edit the <filename>php_pgsql.h</filename> file, <command>vi</command> <filename>ext/pgsql/php_pgsql.h</filename> and change the lines:
<programlisting>
#include &lt;libpq-fe.h&gt;
#include &lt;libpq/libpq-fs.h&gt;
</programlisting>
To read:
<programlisting>
#include &lt;/usr/include/pgsql/libpq-fe.h&gt;
#include &lt;/usr/include/pgsql/libpq/libpq-fs.h&gt;
</programlisting>
These modifications in the <filename>php_pgsql.h</filename> file are necessary to tell PHP4's configure where our <filename class="headerfile">libpq-fe.h</filename> and <filename class="headerfile">libpq-fs.h</filename> header files of
PostgreSQL live. In Red Hat Linux, the header files of PostgreSQL are located under <filename class="directory">/usr/include/pgsql</filename>.
</para></step>
<step><para>
Now, we must configure and install <acronym>PHP4</acronym> in the Linux server:
<programlisting>
CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -I/usr/include/openssl" \
./configure \
--prefix=/usr \
--with-exec-dir=/usr/bin \
--with-apache=../apache_1.3.12 \
--with-config-file-path=/etc/httpd \
--disable-debug \
--enable-safe-mode \
--with-imap \ <co id="php4imp"/>
--with-ldap \ <co id="php4ldp"/>
--with-pgsql \ <co id="php4psq"/>
--with-mm \
--enable-inline-optimization \
--with-gnu-ld \
--enable-memory-limit
</programlisting>
<calloutlist>
<callout arearefs="php4imp">
<para>
If you want IMAP &amp; POP support.
</para>
</callout>
<callout arearefs="php4ldp"><para>
If you want <acronym>LDAP</acronym> (Lightweight Directory Access Protocol) directory support.
</para></callout>
<callout arearefs="php4psq"><para>
if you want PostgreSQL database support.
</para></callout>
</calloutlist>
This tells <acronym>PHP</acronym>4 to set itself up for this particular hardware setup with:
<itemizedlist>
<listitem><para>
Compile without debugging symbols.
</para></listitem><listitem><para>
Enable safe mode by default.
</para></listitem><listitem><para>
Include IMAP &amp; POP support.
</para></listitem><listitem><para>
Include <acronym>LDAP</acronym> directory support.
</para></listitem><listitem><para>
Include PostgreSQL database support.
</para></listitem><listitem><para>
Include support for the MM shared memory library, for better performance.
</para></listitem><listitem><para>
Enable inline-optimization for better performance.
</para></listitem><listitem><para>
Compile with memory limit support.
</para></listitem><listitem><para>
Assume the C compiler uses GNU ld.
</para></listitem>
</itemizedlist>
</para></step>
<step><para>
<screen>
[root@deep ]/php-4.0.0# <command>make</command>
[root@deep ]/php-4.0.0# <command>make install</command>
</screen>
</para></step>
</procedure>
</section>
<section><?dbhtml filename="chap29sec242.html"?>
<title>Apply mod_perl to Apache source tree </title>
<para>
You need to build/install the Perl-side of mod_perl, if you want to use and include Perl programming language support in your Apache web server. Move into the new mod_perl source directory <command>cd</command> <filename>../mod_perl-1.24/</filename>
and type the following commands on your terminal:
</para>
<procedure>
<step><para>
<programlisting>
perl Makefile.PL \
EVERYTHING=1 \
APACHE_SRC=../apache_1.3.12/src \
USE_APACI=1 \
PREP_HTTPD=1 \
DO_HTTPD=1
</programlisting>
</para></step>
<step><para>
<screen>
[root@deep ]/mod_perl-1.24# <command>make</command>
[root@deep ]/mod_perl-1.24# <command>make install</command>
</screen>
</para></step>
<step><para>
Once you have added to the Apache source tree the third-party modules you want to support, it is time to compile and install Apache on your Linux system. Move into the new Apache source directory
<command>cd</command> <filename>../apache_1.3.12/</filename> and type the following commands on your terminal, keeping only the options for what you want to build: Apache alone, or with mod_ssl, PHP4 and/or mod_perl, as
indicated by the callouts.
<programlisting>
SSL_BASE=SYSTEM \ <co id="apchmdssl"/>
EAPI_MM=SYSTEM \ <co id="apchmmshrd"/>
CC="egcs" \
OPTIM="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
CFLAGS="-DDYNAMIC_MODULE_LIMIT=0" \
./configure \
--prefix=/home/httpd \
--bindir=/usr/bin \
--sbindir=/usr/sbin \
--libexecdir=/usr/lib/apache \
--includedir=/usr/include/apache \
--sysconfdir=/etc/httpd/conf \
--localstatedir=/var \
--runtimedir=/var/run \
--logfiledir=/var/log/httpd \
--datadir=/home/httpd \
--proxycachedir=/var/cache/httpd \
--mandir=/usr/man \
--add-module=src/modules/experimental/mod_mmap_static.c \ <co id="apchmm"/>
--add-module=src/modules/standard/mod_auth_db.c \ <co id="apchdb"/>
--enable-module=ssl \ <co id="apchssl"/>
--enable-rule=SSL_SDBM \ <co id="apchssldbe"/>
--disable-rule=SSL_COMPAT \ <co id="apchssldbe1"/>
--activate-module=src/modules/php4/libphp4.a \ <co id="apchph4"/>
--enable-module=php4 \ <co id="apchph41"/>
--activate-module=src/modules/perl/libperl.a \ <co id="apchprl"/>
--enable-module=perl \ <co id="apchprl1"/>
--disable-module=status \
--disable-module=userdir \
--disable-module=negotiation \
--disable-module=autoindex \
--disable-module=asis \
--disable-module=imap \
--disable-module=env \
--disable-module=actions
</programlisting>
<calloutlist>
<callout arearefs="apchmdssl">
<para>
required only if you have included support for mod_ssl in your Apache source.
</para>
</callout>
<callout arearefs="apchmmshrd">
<para>
required only if you use the MM shared memory library for Apache.
</para>
</callout>
<callout arearefs="apchmm"><para>
required only if you have the intention to use mod_mmap, see the section <link linkend="pr6ch29sapo">Optimizing Apache</link> in this chapter for more information.
</para></callout>
<callout arearefs="apchdb"><para>
required only if you have the intention to use mod_auth_db, see the section <link linkend="pr6ch29apscr">Securing Apache</link> in this chapter for more information.
</para></callout>
<callout arearefs="apchssl"><para>
required only if you have included support for mod_ssl data encryption to your Apache source.
</para></callout>
<callout arearefs="apchssldbe apchssldbe1"><para>
required only if you have included support for mod_ssl data encryption in your Apache source.
</para></callout>
<callout arearefs="apchph4 apchph41"><para>
required only if you have included support for the PHP4 server-side scripting language in your Apache source.
</para></callout>
<callout arearefs="apchprl apchprl1"><para>
required only if you have included support for mod_perl in your Apache source.
</para></callout>
</calloutlist>
</para></step>
</procedure>
<para>
This tells Apache to set itself up for this particular hardware setup with:
<itemizedlist>
<listitem><para>
module mod_mmap to improve performance.
</para></listitem><listitem><para>
module mod_auth_db for users password authentication security.
</para></listitem><listitem><para>
module mod_ssl for data encryptions and secure communication.
</para></listitem><listitem><para>
module mod_php4 for the <acronym>PHP</acronym> server-side scripting language, which serves pages built in <acronym>PHP</acronym> faster than running PHP as a CGI.
</para></listitem><listitem><para>
module mod_perl, which runs Perl inside the server for better performance than the equivalent CGI scripts.
</para></listitem><listitem><para>
disable module status
</para></listitem>
<listitem><para>
disable module userdir
</para></listitem><listitem><para>
disable module negotiation
</para></listitem><listitem><para>
disable module autoindex
</para></listitem><listitem><para>
disable module asis
</para></listitem><listitem><para>
disable module imap
</para></listitem><listitem><para>
disable module env
</para></listitem><listitem><para>
disable module actions
</para></listitem>
</itemizedlist>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
It's important to note that removing all unneeded modules at configure time improves the performance of your Apache web server. In our configuration above, we've removed the modules that are most rarely needed, both to lower the load
on the server and to reduce its attack surface: code that is not compiled in cannot be reached by an attacker. See your Apache documentation for information on each one.
</para>
</important>
</section>
<section><?dbhtml filename="chap29sec243.html"?>
<title>Install Apache</title>
<para>
Now, we must install Apache in the Linux server:
<screen>
[root@deep ]/apache_1.3.12# <command>make</command>
[root@deep ]/apache_1.3.12# <command>make install</command>
[root@deep ]/apache_1.3.12# <command>rm</command> -f /usr/sbin/apachectl
[root@deep ]/apache_1.3.12# <command>rm</command> -f /usr/man/man8/apachectl.8
[root@deep ]/apache_1.3.12# <command>rm</command> -rf /home/httpd/icons/
[root@deep ]/apache_1.3.12# <command>rm</command> -rf /home/httpd/htdocs/
[root@deep ]/apache_1.3.12# <command>cd</command> /var/tmp/php-4.0.0
[root@deep ]/php-4.0.0# <command>install</command> -m 644 php.ini.dist /etc/httpd/php.ini
[root@deep ]/php-4.0.0# <command>rm</command> -rf /etc/httpd/conf/ssl.crl/
[root@deep ]/php-4.0.0# <command>rm</command> -rf /etc/httpd/conf/ssl.crt/
[root@deep ]/php-4.0.0# <command>rm</command> -rf /etc/httpd/conf/ssl.csr/
[root@deep ]/php-4.0.0# <command>rm</command> -rf /etc/httpd/conf/ssl.key/
[root@deep ]/php-4.0.0# <command>rm</command> -rf /etc/httpd/conf/ssl.prm/
[root@deep ]/php-4.0.0# <command>rm</command> -f /etc/httpd/conf/srm.conf /etc/httpd/conf/srm.conf.default /etc/httpd/conf/access.conf /etc/httpd/conf/access.conf.default
</screen>
</para>
<para>
<itemizedlist>
<listitem><para>
The <command>make</command> command will compile all source files into executable binaries
</para></listitem><listitem><para>
The <command>make install</command> will install the binaries and any supporting files into the appropriate locations.
</para></listitem><listitem><para>
The <command>rm</command> -f commands remove the small <filename>apachectl</filename> script, responsible for starting and stopping the Apache daemon, and its manual page, since we use a better script named <filename>httpd</filename> located
under the <filename class="directory">/etc/rc.d/init.d/</filename> directory that takes advantage of the Linux System V init.
</para></listitem><listitem><para>
We also remove the <filename class="directory">/home/httpd/icons</filename> directory, used by Apache's automatic directory indexing feature. This feature exposes directory listings and can be a security risk, so we've disabled
it in the configuration file and can safely remove the directory to free space on the Linux server. The <filename class="directory">/home/httpd/htdocs</filename> directory holds Apache's own documentation, so
after we have finished reading the documentation we can remove it to free space.
</para></listitem><listitem><para>
The <command>install</command> <literal>-m</literal> command will install the <filename>php.ini.dist</filename> file under the <filename class="directory">/etc/httpd/</filename> directory, and will rename it <filename>php.ini;</filename>
This file controls many aspects of <acronym>PHP</acronym>'s behavior.
</para></listitem><listitem><para>
The <filename>ssl.crl</filename>, <filename>ssl.crt</filename>, <filename>ssl.csr</filename>, <filename>ssl.key</filename> and <filename>ssl.prm</filename> directories under <filename class="directory">/etc/httpd/conf</filename> are all of the
directories related to SSL, and handle private and public keys. Since we use another location, <filename class="directory">/etc/ssl/</filename>, we can remove them safely.
</para></listitem><listitem><para>
Finally, we remove the unused <filename>srm.conf</filename>, <filename>srm.conf.default</filename>, <filename>access.conf</filename> and <filename>access.conf.default</filename> files, whose purposes are now handled by the <filename>httpd.conf</filename>
Apache file.
</para></listitem>
</itemizedlist>
</para>
<para>
Please as usual do cleanup later:
<screen>
[root@deep ]/# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf apache_version/ apache_version.tar.gz mod_ssl-version-version/ mod_ssl-version-version.tar.gz php-version/ php-version.tar.gz mod_perl-version/ mod_perl-version.tar.gz
</screen>
The <command>rm</command> command will remove all the source files we have used to compile and install Apache, mod_ssl, mod_perl, and php. It will also remove the Apache, mod_ssl, mod_perl, and php compressed
archives from the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap29sec244.html"?>
<title>Post install Configuration</title>
<para>
Configuration files for different services are very specific depending on your needs, and your network architecture. Someone might install Apache Server for showing web pages only; another might install it with database connectivity
and e-commerce with <acronym>SSL</acronym> support, etc. In this book, we provide you with an <filename>httpd.conf</filename> file, with <acronym>PHP</acronym>, Perl, <acronym>SSL</acronym>, <acronym>LDAP</acronym>, and password authentication
settings, to show you different possibilities.
</para>
<para>
We'll focus on optimization and security of these files, and leave all specific adjustments to your tastes. You will need to read the documentation that comes with these programs, and hopefully understand them.
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each piece of software described in this book have been provided by us as a gzipped archive, <filename>floppy.tgz</filename>, for your convenience. It can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack it to any location on your local machine, say <filename class="directory">/tmp</filename>; assuming you have done this your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each piece of software has its own directory
of configuration files. For example the <wordasword>Apache</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 16
-rw-r--r-- 1 harrypotter harrypotter 2417 Jun 8 13:00 Compile-Apache
-rw-r--r-- 1 harrypotter harrypotter 3426 Jun 8 13:00 httpd.conf
drwxr-xr-x 3 harrypotter harrypotter 4096 Jun 8 13:00 init.d/
drwxr-xr-x 3 harrypotter harrypotter 4096 Jun 8 13:00 logrotate.d/
</computeroutput></literallayout>
You can either copy these files directly if you are faithfully following our instructions from the beginning, or edit them by hand to suit your needs. This facility is there as a convenience, but please don't forget that it remains your
responsibility to check and verify them before you use them, whether modified or as they are.
</para>
</note>
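<para>An added example, not from the book: before unpacking <filename>floppy.tgz</filename>, or any archive you did not build yourself, into a directory from which files are then copied into <filename class="directory">/etc</filename>, list its members and refuse names that would escape the extraction directory, and see which existing files an extraction would overwrite. The archive layout shown above (<filename>floppy/Apache/httpd.conf</filename> and so on) is the only assumption about the contents; <command>tar</command> and a POSIX shell are enough to run it.</para>

```shell
# Added example (not from the book).  Inspect an archive before unpacking it.
# Assumes tar (GNU or BSD; both detect gzip when listing) and a POSIX shell.

# check_member_names : member names on stdin, one per line.  Print every name
# that is absolute or contains a ".." component and return 1 if there was one;
# such names would write outside the extraction directory.
check_member_names() {
    bad=0
    while IFS= read -r name; do
        case $name in
            /*)                  echo "absolute path: $name"; bad=1 ;;
            ..|../*|*/..|*/../*) echo "parent reference: $name"; bad=1 ;;
        esac
    done
    return $bad
}

# inspect_tarball FILE : list the members without extracting and run the check.
inspect_tarball() {
    tar tf "$1" | check_member_names
}

# existing_targets FILE DIR : members that already exist under DIR, i.e. the
# files an extraction into DIR would overwrite.  Review these before copying
# anything into /etc/httpd/conf, /etc/logrotate.d or /etc/rc.d/init.d.
existing_targets() {
    tar tf "$1" | while IFS= read -r name; do
        if [ -e "$2/$name" ]; then echo "$name"; fi
    done
}

# Intended use, in the directory holding the downloaded archive:
#   inspect_tarball floppy.tgz || exit 1
#   existing_targets floppy.tgz /tmp
#   tar xzf floppy.tgz -C /tmp
```

<para>Only after the listing is clean should the archive be extracted, and even then into a scratch directory such as <filename class="directory">/tmp/floppy</filename>, never straight into <filename class="directory">/etc</filename>: the copy into place is a separate, deliberate step, which is what the list of required files below describes.</para>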
<para>
To run Apache server, the following files are required and must be created or copied to the appropriate directories on your server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>httpd.conf</filename> file to the <filename class="directory">/etc/httpd/conf/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>apache</filename> file to the <filename class="directory">/etc/logrotate.d/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>httpd</filename> script file to the <filename class="directory">/etc/rc.d/init.d/</filename> directory.
</para></listitem>
</orderedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed in the following section on our <filename>floppy.tgz</filename> archive. Copy the following files from the decompressed floppy.tgz archive to the appropriate places, or copy them directly from this book to the concerned file.
</para></tip>
</section>
<section><?dbhtml filename="chap29sec245.html"?>
<title>Configure the <filename>/etc/httpd/conf/httpd.conf</filename> file</title>
<para>
The <filename>httpd.conf</filename> file is the main configuration file for the Apache web server. Many options exist, and it's important to read the documentation that comes with Apache for more information on the different settings
and parameters. The following configuration example is a minimal working configuration file for Apache with <acronym>SSL</acronym> support. Also, it's important to note that we only comment on the parameters that relate to security
and optimization, and leave all the others to your own research.
</para>
<para>
Edit the <filename>httpd.conf</filename> file, <command>vi</command> <filename>/etc/httpd/conf/httpd.conf</filename> and add/change:
</para>
<programlisting>
### Section 1: Global Environment
#
ServerType standalone
ServerRoot "/etc/httpd"
PidFile /var/run/httpd.pid
ResourceConfig /dev/null
AccessConfig /dev/null
Timeout 300
KeepAlive On
MaxKeepAliveRequests 0
KeepAliveTimeout 15
MinSpareServers 16
MaxSpareServers 64
StartServers 16
MaxClients 512
MaxRequestsPerChild 100000
### Section 2: 'Main' server configuration
#
Port 80
&lt;IfDefine SSL&gt;
Listen 80
Listen 443
&lt;/IfDefine&gt;
User www
Group www
ServerAdmin admin@openna.com
ServerName www.openna.com
DocumentRoot "/home/httpd/ona"
&lt;Directory /&gt;
Options None
AllowOverride None
Order deny,allow
Deny from all
&lt;/Directory&gt;
&lt;Directory "/home/httpd/ona"&gt;
Options None
AllowOverride None
Order allow,deny
Allow from all
&lt;/Directory&gt;
&lt;Files ~ "\.pl$"&gt;
Options None
AllowOverride None
Order deny,allow
Deny from all
&lt;/Files&gt;
&lt;IfModule mod_dir.c&gt;
DirectoryIndex index.htm index.html index.php index.php3 default.html index.cgi
&lt;/IfModule&gt;
#&lt;IfModule mod_mmap_static.c&gt;
#Include conf/mmap.conf
#&lt;/IfModule&gt;
UseCanonicalName On
&lt;IfModule mod_mime.c&gt;
TypesConfig /etc/httpd/conf/mime.types
&lt;/IfModule&gt;
DefaultType text/plain
HostnameLookups Off
ErrorLog /var/log/httpd/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
SetEnvIf Request_URI \.gif$ gif-image
CustomLog /var/log/httpd/access_log combined env=!gif-image
ServerSignature Off
&lt;IfModule mod_alias.c&gt;
ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
&lt;Directory "/home/httpd/cgi-bin"&gt;
AllowOverride None
Options None
Order allow,deny
Allow from all
&lt;/Directory&gt;
&lt;/IfModule&gt;
&lt;IfModule mod_mime.c&gt;
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
AddType application/x-tar .tgz
&lt;/IfModule&gt;
ErrorDocument 500 "The server made a boo boo.
ErrorDocument 404 http://192.168.1.1/error.htm
ErrorDocument 403 "Access Forbidden -- Go away.
&lt;IfModule mod_setenvif.c&gt;
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
&lt;/IfModule&gt;
### Section 3: Virtual Hosts
#
&lt;IfDefine SSL&gt;
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
&lt;/IfDefine&gt;
&lt;IfModule mod_ssl.c&gt;
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel warn
&lt;/IfModule&gt;
&lt;IfDefine SSL&gt;
&lt;VirtualHost _default_:443&gt;
DocumentRoot "/home/httpd/ona"
ServerName www.openna.com
ServerAdmin admin@openna.com
ErrorLog /var/log/httpd/error_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!SSLv2:!eNULL:!aNULL:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCACertificatePath /etc/ssl/certs
SSLCACertificateFile /etc/ssl/certs/ca.crt
SSLCARevocationPath /etc/ssl/crl
SSLVerifyClient none
SSLVerifyDepth 10
SSLOptions +ExportCertData +StrictRequire
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SetEnvIf Request_URI \.gif$ gif-image
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" env=!gif-image
&lt;/VirtualHost&gt;
&lt;/IfDefine&gt;
</programlisting>
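<para>An added example, not from the book: a small lint for the security-relevant settings of an Apache 1.3 <filename>httpd.conf</filename>, to run against the file before <command>httpd</command> <userinput>-t</userinput> and a restart. It checks what the listing above sets (<literal>ServerSignature Off</literal>, <literal>HostnameLookups Off</literal>, an unprivileged <literal>User</literal> and <literal>Group</literal>, the denied-by-default root <literal>Directory</literal> block), compares <literal>MaxClients</literal> with the <literal>HARD_SERVER_LIMIT</literal> compiled in (256 unless you raised it as shown earlier in this chapter), and flags two pitfalls: a <literal>&lt;Files&gt;</literal> section whose argument is a bare extension such as <literal>.pl</literal>, which without <literal>~</literal> or a wildcard matches only a file literally named <filename>.pl</filename>, and an <literal>SSLCipherSuite</literal> that starts from <literal>ALL</literal> without excluding export, low-grade and SSLv2 ciphers, as the mod_ssl default string of the time (<literal>ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL</literal>) does. The configuration fragment in <literal>demo</literal> is constructed for the demonstration; awk and a POSIX shell are the only requirements.</para>

```shell
# Added example (not from the book).  Lint the security-relevant settings of
# an Apache 1.3 httpd.conf.  Assumes awk and a POSIX shell; directives are
# matched case-sensitively, as they are spelled in the listing above.

# directive FILE NAME : arguments of the first NAME line (empty if absent).
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# cipher_tokens SUITE : one OpenSSL cipher-string token per line.
cipher_tokens() ( IFS=:; for t in $1; do echo "$t"; done )

# weak_cipher_classes SUITE : one line per weak class left enabled.  In an
# OpenSSL cipher string "+X" only reorders X, so it does not count as
# enabling; ALL/DEFAULT enable LOW, EXP, SSLv2 and aNULL but not eNULL;
# "!ADH" is taken as excluding aNULL, which is what it meant on OpenSSL 0.9.x.
weak_cipher_classes() {
    for class in LOW EXP SSLv2 eNULL aNULL; do
        enabled=0; excluded=0
        for tok in $(cipher_tokens "$1"); do
            case $tok in
                "!$class")   excluded=1 ;;
                '!ADH')      if [ "$class" = aNULL ]; then excluded=1; fi ;;
                "$class")    enabled=1 ;;
                ALL|DEFAULT) if [ "$class" != eNULL ]; then enabled=1; fi ;;
            esac
        done
        if [ "$enabled" = 1 ]; then
            if [ "$excluded" = 0 ]; then echo "$class"; fi
        fi
    done
}

# root_directory_locked FILE : 0 if the "Directory /" block has "Options None"
# and "Deny from all".  Tags are matched on the text after the opening
# bracket, so $1 is "<Directory" and $2 is "/>" on the opening line.
root_directory_locked() {
    awk 'substr($1, 2) == "Directory"  { in_root = ($2 == "/>"); next }
         substr($1, 3) == "Directory>" { in_root = 0 }
         in_root == 1 { if ($1 == "Options") opts = $2; if ($1 == "Deny") deny = $3 }
         END { if (opts == "None") if (deny == "all") exit 0; exit 1 }' "$1"
}

# files_section_pitfalls FILE : Files sections whose argument is a bare
# extension without "~" or a wildcard; Files matches the literal name, so
# such a section matches only a file actually called ".pl".
files_section_pitfalls() {
    awk 'substr($1, 2) == "Files" {
             arg = $2; sub(/>$/, "", arg)
             if (arg ~ /^\./) if (arg !~ /[*?]/) print "Files " arg " matches only a file named " arg
         }' "$1"
}

# lint_httpd_conf FILE [HARD_SERVER_LIMIT] : one line per finding; return 1
# if there was any.  The limit defaults to the stock 256.
lint_httpd_conf() {
    conf=$1; limit=${2:-256}; n=0
    if [ "$(directive "$conf" ServerSignature)" != Off ]; then
        echo "ServerSignature should be Off"; n=$((n + 1)); fi
    if [ "$(directive "$conf" HostnameLookups)" != Off ]; then
        echo "HostnameLookups should be set to Off"; n=$((n + 1)); fi
    for d in User Group; do
        v=$(directive "$conf" "$d")
        case $v in ''|root|'#0') echo "$d is '$v'; use the dedicated www account"; n=$((n + 1)) ;; esac
    done
    mc=$(directive "$conf" MaxClients)
    if [ -n "$mc" ]; then if [ "$mc" -gt "$limit" ]; then
        echo "MaxClients $mc exceeds HARD_SERVER_LIMIT $limit and will be capped"; n=$((n + 1)); fi; fi
    if ! root_directory_locked "$conf"; then
        echo "Directory / block is not Options None plus Deny from all"; n=$((n + 1)); fi
    pit=$(files_section_pitfalls "$conf")
    if [ -n "$pit" ]; then
        echo "$pit"; c=$(printf '%s\n' "$pit" | wc -l); n=$((n + c)); fi
    for class in $(weak_cipher_classes "$(directive "$conf" SSLCipherSuite)"); do
        echo "SSLCipherSuite leaves $class ciphers enabled"; n=$((n + 1))
    done
    [ "$n" -eq 0 ]
}

# Demonstration on a constructed fragment carrying the weak settings.
demo() {
    f=$(mktemp)
    printf '%s\n' 'ServerSignature On' 'User www' 'Group www' 'MaxClients 512' \
        'SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL' > "$f"
    lint_httpd_conf "$f" 1024 || true
    rm -f "$f"
}
```

<para>Run it as <literal>lint_httpd_conf /etc/httpd/conf/httpd.conf 1024</literal> after the edit above; the second argument is the <literal>HARD_SERVER_LIMIT</literal> you compiled in, and leaving it off assumes the stock 256, under which <literal>MaxClients 512</literal> is silently capped. The cipher check is deliberately strict about <literal>ALL</literal>: every class it enables stays enabled until it is excluded with <literal>!</literal>, which is why the <literal>!EXP:!LOW:!SSLv2</literal> exclusions matter more than the <literal>+HIGH:+MEDIUM</literal> ordering.</para>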
<para>
This tells <filename>httpd.conf</filename> file to set itself up for this particular configuration setup with:
</para>
<glosslist>
<glossentry>
<glossterm><envar>ServerType standalone</envar></glossterm>
<glossdef><para>
The option <envar>ServerType</envar> specifies how Apache should run on the system. You can run it from the super-server inetd, or as a standalone daemon. It's highly recommended to run Apache in standalone mode for
better performance and speed.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>ServerRoot "/etc/httpd"</envar></glossterm>
<glossdef><para>
The option <envar>ServerRoot</envar> specifies the directory in which the configuration files of the Apache server live. It allows Apache to know where it can find its configuration files when it starts.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>PidFile</envar> <filename>/var/run/httpd.pid</filename></glossterm>
<glossdef><para>
The option <envar>PidFile</envar> specifies the location where the server will record the process id of the daemon when it starts. This option is only required when you configure Apache in standalone mode.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>ResourceConfig</envar> <filename class="directory">/dev/null</filename></glossterm>
<glossdef><para>
The option <envar>ResourceConfig</envar> specifies the location of the old <filename>srm.conf</filename> file that Apache reads after it has finished reading the <filename>httpd.conf</filename> file. When you set the location
to <filename>/dev/null</filename>, Apache reads nothing more and you can put the content of this file in the <filename>httpd.conf</filename> file instead; in this manner you have just one file that handles all your configuration
parameters, for simplicity.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>AccessConfig</envar> <filename class="directory">/dev/null</filename></glossterm>
<glossdef><para>
The option <envar>AccessConfig</envar> specifies the location of the old <filename>access.conf</filename> file that Apache reads after it has finished reading the <filename>srm.conf</filename> file. When you set the location to <filename>/dev/null</filename>,
Apache reads nothing more and you can put the content of this file in the <filename>httpd.conf</filename> file instead; in this manner you have just one file that handles all your configuration parameters, for simplicity.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>Timeout 300</envar></glossterm>
<glossdef><para>
The option <envar>Timeout</envar> specifies the number of seconds Apache waits for a GET request to arrive, for the next packet of a POST or PUT request body, and for ACKs on its own transmissions. You can leave this option at its default value, but lowering it limits how long a slow or idle client can tie up a child process.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>KeepAlive On</envar></glossterm>
<glossdef><para>
The option <envar>KeepAlive</envar>, if set to <envar>On</envar>, specifies enabling persistent connections on this web server. For better performance, it's recommended to set this option to <envar>On</envar>, and allow more than one request per connection.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>MaxKeepAliveRequests 0</envar></glossterm>
<glossdef><para>
The option <envar>MaxKeepAliveRequests</envar> specifies the number of requests allowed per connection when the <envar>KeepAlive</envar> option above is set to <envar>On.</envar> When the value of this option is set to <envar>0</envar> then unlimited
requests are allowed on the server. For server performance, it's recommended to allow unlimited requests.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>KeepAliveTimeout 15</envar></glossterm>
<glossdef><para>
The option <envar>KeepAliveTimeout</envar> specifies how much time, in seconds, Apache will wait for a subsequent request before closing the connection. The value of <envar>15</envar> seconds is a good average for server performance.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>MinSpareServers 16</envar></glossterm>
<glossdef><para>
The option <envar>MinSpareServers</envar> specifies the minimum number of idle child server processes for Apache, that is, children that are not handling a request. This is an important tuning parameter regarding the performance of the Apache web server. For
high load operation, a value of <envar>16</envar> is recommended by various benchmarks on the Internet.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>MaxSpareServers 64</envar></glossterm>
<glossdef><para>
The option <envar>MaxSpareServers</envar> specifies the maximum number of idle child server processes for Apache, that is, children that are not handling a request. This is also an important tuning parameter regarding the performance of the Apache web
server. For high load operation, a value of <envar>64</envar> is recommended by various benchmarks on the Internet.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>StartServers 16</envar></glossterm>
<glossdef><para>
The option <envar>StartServers</envar> specifies the number of child server processes that will be created by Apache on start-up. This is, again, an important tuning parameter regarding the performance of the Apache web server. For high
load operation, a value of <envar>16</envar> is recommended by various benchmarks on the Internet.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>MaxClients 512</envar></glossterm>
<glossdef><para>
The option <envar>MaxClients</envar> specifies the number of simultaneous requests that can be supported by Apache. This too is an important tuning parameter regarding the performance of the Apache web server. For high load
operation, a value of <envar>512</envar> is recommended by various benchmarks on the Internet.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>MaxRequestsPerChild 100000</envar></glossterm>
<glossdef><para>
The option <envar>MaxRequestsPerChild</envar> specifies the number of requests that an individual child server process will handle. This too is an important tuning parameter regarding the performance of the Apache web server.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>User www</envar></glossterm>
<glossdef><para>
The option <envar>User</envar> specifies the <acronym>UID</acronym> that Apache server will run as. It's important to create a new user that has minimal access to the system, and functions just for the purpose of running the
web server daemon.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>Group www</envar></glossterm>
<glossdef><para>
The option <envar>Group</envar> specifies the <acronym>GID</acronym> the Apache server will run as. It's important to create a new group that has minimal access to the system and functions just for the purpose of running the web server daemon.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>DirectoryIndex index.htm index.html index.php index.php3 default.html index.cgi</envar></glossterm>
<glossdef><para>
The option <envar>DirectoryIndex</envar> specifies the files to use by Apache as a pre-written <acronym>HTML</acronym> directory index. In other words, if Apache can't find the default index page to display, it'll try the next entry in this parameter, if
available. To improve performance of your web server it's recommended to list the most used default index pages of your web site first.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>Include conf/mmap.conf</envar></glossterm>
<glossdef><para>
The option <envar>Include</envar> specifies the location of other files that you can include from within the server configuration files <filename>httpd.conf</filename>. In our case, we include the <filename>mmap.conf</filename> file located
under <filename class="directory">/etc/httpd/conf</filename> directory. This file <filename>mmap.conf</filename> maps files into memory for faster serving. See the section on <link linkend="pr6ch29sapo">Optimizing Apache</link> for more information.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>HostnameLookups Off</envar></glossterm>
<glossdef><para>
The option <envar>HostnameLookups</envar>, if set to <envar>Off</envar>, disables reverse <acronym>DNS</acronym> lookups of client addresses. It's recommended to set this option to <envar>Off</envar> to save the time these network lookups take, and to improve
the performance of your Apache web server.
</para></glossdef>
</glossentry>
</glosslist>
</section>
<section><?dbhtml filename="chap29sec246.html"?>
<title>Configure the <filename>/etc/logrotate.d/apache</filename> file</title>
<para>
Configure your <filename>/etc/logrotate.d/apache</filename> file to rotate your Apache log files automatically each week.
Create the <filename>apache</filename> file, <command>touch</command> <filename>/etc/logrotate.d/apache</filename> and add:
</para>
<programlisting>
/var/log/httpd/access_log {
missingok
postrotate
/usr/bin/killall -HUP httpd
endscript
}
/var/log/httpd/error_log {
missingok
postrotate
/usr/bin/killall -HUP httpd
endscript
}
/var/log/httpd/ssl_request_log {
missingok
postrotate
/usr/bin/killall -HUP httpd
endscript
}
/var/log/httpd/ssl_engine_log {
missingok
postrotate
/usr/bin/killall -HUP httpd
endscript
}
</programlisting>
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Lines to automatically rotate the <acronym>SSL</acronym> log files named <filename>ssl_request_log</filename> and <filename>ssl_engine_log</filename> are included in this file. If you
intend to run Apache without <acronym>SSL</acronym> support, you must remove the lines related to <acronym>SSL</acronym>.
</para>
</caution>
</section>
<section><?dbhtml filename="chap29sec247.html"?>
<title>Configure the <filename>/etc/rc.d/init.d/httpd</filename> script file</title>
<para>
Configure your <filename>/etc/rc.d/init.d/httpd</filename> script file to start and stop Apache Web Server.
Create the <filename>httpd</filename> script file, <command>touch</command> <filename>/etc/rc.d/init.d/httpd</filename> and add:
</para>
<programlisting>
#!/bin/sh
#
# Startup script for the Apache Web Server
#
# chkconfig: 345 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.
# processname: httpd
# pidfile: /var/run/httpd.pid
# config: /etc/httpd/conf/httpd.conf
# Source function library.
. /etc/rc.d/init.d/functions
# See how we were called.
case "$1" in
start)
echo -n "Starting httpd: "
daemon httpd -DSSL
echo
touch /var/lock/subsys/httpd
;;
stop)
echo -n "Shutting down http: "
killproc httpd
echo
rm -f /var/lock/subsys/httpd
rm -f /var/run/httpd.pid
;;
status)
status httpd
;;
restart)
$0 stop
$0 start
;;
reload)
echo -n "Reloading httpd: "
killproc httpd -HUP
echo
;;
*)
echo "Usage: $0 {start|stop|restart|reload|status}"
exit 1
esac
exit 0
</programlisting>
<para>
Now, make this script executable and change its default permissions:
<screen>
[root@deep ]/# <command>chmod</command> 700 /etc/rc.d/init.d/httpd
</screen>
Create the symbolic rc.d links for Apache with the command:
<screen>
[root@deep ]/# <command>chkconfig</command> --add httpd
</screen>
</para>
<para>
Start your new Apache server manually with the following command:
<screen>
[root@deep ]/# /etc/rc.d/init.d/httpd <command>start</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Starting httpd: [ OK ]
</computeroutput></literallayout>
The <literal>-DSSL</literal> option will start Apache in <acronym>SSL</acronym> mode. If you want to start Apache in regular mode, remove the <literal>-DSSL</literal> option near the line that
reads <envar>daemon httpd</envar>.</para>
</section>
<section><?dbhtml filename="chap29sec248.html"?>
<title><acronym>PHP4</acronym> server-side scripting</title>
<para>
If you intend to use <acronym>PHP4</acronym> server-side scripting language support with your Apache web server don't forget to include in your <filename>/etc/httpd/conf/httpd.conf</filename> file the following lines to enable this feature:
</para>
<procedure>
<step><para>
Edit the <filename>httpd.conf</filename> file, <command>vi</command> <filename>/etc/httpd/conf/httpd.conf</filename>, and add the following lines between the section tags &lt;IfModule mod_mime.c&gt; and &lt;/IfModule&gt;:
<programlisting>
AddType application/x-httpd-php .php
AddType application/x-httpd-php .php3
AddType application/x-httpd-php-source .phps
</programlisting>
</para></step>
<step><para>
You must restart the Apache web server for the changes to take effect, using the following commands:
<screen>
[root@deep ]/# /etc/rc.d/init.d/httpd <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down http: [ OK ]
Starting httpd: [ OK ]
</computeroutput></literallayout>
</para></step>
<step><para>
Once the above lines have been included in our <filename>httpd.conf</filename> file, we must test the new <acronym>PHP4</acronym> feature to be sure it's working. We'll create a small <acronym>PHP</acronym> file named
<filename>php.php</filename> in our DocumentRoot, and then point our web browser to this <acronym>PHP</acronym> document to see if <acronym>PHP</acronym>4 works on the server.
Create the <filename>php.php</filename> file in your DocumentRoot, <command>touch</command> <filename>/home/httpd/ona/php.php</filename> and add the following lines in the <acronym>PHP</acronym> file:
<programlisting>
&lt;body bgcolor="#FFFFFF"&gt;
&lt;?php phpinfo()?&gt;
&lt;/body&gt;
</programlisting>
These lines instruct <acronym>PHP</acronym>4 to display various pieces of information about the configuration of our Linux server.
</para></step>
<step><para>
Now, point your web browser to the following address: <literal>http://my-web-server/php.php</literal>
The &lt;my-web-server&gt; is the address where your Apache web server resides, and &lt;php.php&gt; is the <acronym>PHP</acronym> document we have created above to display the information and configuration of our Linux server.
</para></step>
</procedure>
<mediaobject>
<imageobject>
<imagedata fileref="./images/PHP-Info.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>PHP info</phrase></textobject>
</mediaobject>
<para>
If you see something like the above page appearing in your web browser congratulations! Your <acronym>PHP</acronym> module is working.
</para>
</section>
<section id="pr6ch29sappsy"><?dbhtml filename="chap29sec249.html"?>
<title>Perl module Devel::Symdump</title>
<para>
If you intend to use the mod_perl programming language support with your Apache web server, it can be useful to install the small Perl module named <filename>Devel::Symdump</filename>. This third party module will allow you to
inspect Perl's symbol table and the class hierarchies within a running program. To build and install it, follow these steps.
</para>
<para>
These are the package(s)
<simplelist>
<member>
Devel-Symdump Homepage:<link linkend="prtinxfp31">http://www.perl.com/CPAN/modules/by-module/Devel/</link>
</member><member>
You must be sure to download: Devel-Symdump-2_00_tar.gz
</member>
<member>
Devel-Symdump version number is 2.00
</member>
</simplelist>
</para>
<para>
<screen>
[root@deep ]/# <command>cp</command> Devel-Symdump-version.tar.gz /var/tmp/
[root@deep ]/# <command>cd</command> /var/tmp/
[root@deep ]/tmp# <command>tar</command> xzpf Devel-Symdump-version.tar.gz
</screen>
</para>
<para>
Move into the new <filename class="directory">Devel-Symdump</filename> directory and type the following commands on your terminal to compile and install the module on your Linux server:
<screen>
[root@deep ]/Devel-Symdump-2.00# <command>perl</command> Makefile.PL
[root@deep ]/Devel-Symdump-2.00# <command>make</command>
[root@deep ]/Devel-Symdump-2.00# <command>make test</command>
[root@deep ]/Devel-Symdump-2.00# <command>make install</command>
</screen>
</para>
<para>
Once the module has been installed on your system, you must include in your <filename>/etc/httpd/conf/httpd.conf</filename> file the following lines to be able to see the status of different Perl modules on the server:
Edit the <filename>httpd.conf</filename> file, <command>vi</command> <filename>/etc/httpd/conf/httpd.conf</filename> and add the following lines:
</para>
<procedure>
<step><para>
<programlisting>
&lt;Location /perl-status&gt;
SetHandler perl-script
PerlHandler Apache::Status
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
&lt;/Location&gt;
</programlisting>
</para></step><step><para>
You must restart the Apache web server for the changes to take effect:
To restart Apache, use the following commands:
<screen>
[root@deep ]/# /etc/rc.d/init.d/httpd <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down http: [ OK ]
Starting httpd: [ OK ]
</computeroutput></literallayout>
</para></step>
<step><para>
Finally, we must test the new Devel-Symdump module to be sure that we can see the status of the different Perl modules on the server.
</para></step>
</procedure>
<para>
To verify that it works, point your web browser to the following address: <literal>http://my-web-server/perl-status/</literal>. The &lt;my-web-server&gt; is the address where your Apache web server resides.
</para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Mod-Perl.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Mod perl</phrase></textobject>
</mediaobject>
<para>
As always, clean up afterwards:
<screen>
[root@deep ]/# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf Devel-Symdump.version/ Devel-Symdump-version.tar.gz
</screen>
</para>
<section>
<title>Installed files</title>
<simplelist>
<member><filename>/usr/lib/perl5/man/man3/Devel::Symdump.3</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/Devel</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/Devel/Symdump</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/Devel/Symdump/Export.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/Devel/Symdump.pm</filename></member>
</simplelist>
</section>
</section>
<section id="pr6ch29sapcgi"><?dbhtml filename="chap29sec250.html"?>
<title>CGI.pm Perl library</title>
<para>
The CGI.pm is a Perl5 library for writing World Wide Web <acronym>CGI</acronym> scripts. Older versions of this software exist by default on your system, but they are buggy. It's recommended that you update your copy to version 2.56, at least. To
update this module, please follow these steps.
</para>
<para>
These are the package(s)
<simplelist><member>
CGI.pm Homepage: <link linkend="prtinxfp32">http://stein.cshl.org/WWW/software/CGI/cgi_docs.html</link>
</member><member>
You must be sure to download: CGI_pm_tar.gz
</member><member>
CGI.pm version number is 2.56
</member>
</simplelist>
</para>
<screen>
[root@deep ]/# <command>cp</command> CGI_pm_tar.gz /var/tmp/
[root@deep ]/# <command>cd</command> /var/tmp/
[root@deep ]/tmp# <command>tar</command> xzpf CGI_pm_tar.gz
</screen>
<para>
First of all, we'll check the version of CGI.pm installed on our system with the following command:
<screen>
[root@deep ]/# <command>perl</command> -e 'use CGI; print $CGI::VERSION."\n";'
</screen>
<literallayout class="monospaced"><computeroutput>
2.46
</computeroutput></literallayout>
</para>
<para>
Move into the new CGI.pm directory and type the following commands on your terminal to compile and install the updated libraries on your Linux server:
<screen>
[root@deep ]/CGI.pm-2.56# <command>perl</command> Makefile.PL
[root@deep ]/CGI.pm-2.56# <command>make</command>
[root@deep ]/CGI.pm-2.56# <command>make test</command>
[root@deep ]/CGI.pm-2.56# <command>make install</command>
</screen>
</para>
<para>
Please clean up afterwards:
<screen>
[root@deep ]/# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf CGI.pm-version/ CGI_pm_tar.gz
</screen>
</para>
<section>
<title>Installed files</title>
<simplelist>
<member><filename>/usr/lib/perl5/5.00503/CGI/Pretty.pm</filename></member>
<member><filename>/usr/lib/perl5/5.00503/i386-linux/auto/CGI</filename></member>
<member><filename>/usr/lib/perl5/5.00503/i386-linux/auto/CGI/.packlist</filename></member>
<member><filename>/usr/lib/perl5/man/man3/CGI::Pretty.3</filename></member>
</simplelist>
</section>
</section>
<section id="pr6ch29apscr"><?dbhtml filename="chap29sec251.html"?>
<title>Securing Apache</title>
<para>
Change some important permissions on files and directories for your Web Server. When you install Apache on your server, there are some files and directories that have too many permissions set by default. The binary program
<filename>httpd</filename> can be set to be read-only by the super-user <literal>root</literal>, and executable by the owner, group, and others for better security. The <filename class="directory">/etc/httpd/conf</filename>
and <filename class="directory">/var/log/httpd</filename> directories don't need to be readable, writable or executable by other people.
<screen>
[root@deep ]/# <command>chmod</command> 511 /usr/sbin/httpd
[root@deep ]/# <command>chmod</command> 750 /etc/httpd/conf/
[root@deep ]/# <command>chmod</command> 750 /var/log/httpd/
</screen>
</para>
<para>
If you have enabled the automatic indexing of directories in your Apache configuration file; <envar>IndexOptions</envar> in <filename>httpd.conf</filename>, then you'll have a security issue since any requests for a directory
that don't find an index file will build an index of what is in the directory. In many cases, you may only want people seeing files that you specifically link to. To turn this off, you need to remove read permissions from the
<filename class="directory">DocumentRoot</filename> directory but not the files inside it.
<screen>
[root@deep ]/# <command>cd</command> /home/httpd/
[root@deep ]/httpd# <command>chmod</command> 311 ona
[root@deep ]/httpd# ls -la
</screen>
<literallayout class="monospaced"><computeroutput>
d-wx--x--x 13 webadmin webadmin 1024 Jul 28 08:12 ona
</computeroutput></literallayout>
Now, with this modification, any requests for this protected directory should return an error message like:
<literallayout class="monospaced"><computeroutput>
Forbidden
You don't have permission to access /ona/ on this server.
</computeroutput></literallayout>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
<filename class="directory">ona</filename> is the <filename class="directory">DocumentRoot</filename>, the directory out of which you will serve your documents, in our example.
</para></tip>
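<para>
The following script is an added example and not part of the book: it audits the four permission settings above against a host (or against a test tree given by a prefix argument, which is an assumption made here) and verifies, from the mode bits alone, that the <filename class="directory">DocumentRoot</filename> has lost the read bit that directory indexing needs while its files stay readable.
</para>

```shell
#!/bin/sh
# Added example, not from the book: audit the permissions the section above
# sets on the Apache binary, configuration and log directories and the
# DocumentRoot. Paths and modes are the book's; the prefix argument is an
# assumption (empty on a live system, a temporary tree when testing).

# Compare each path's mode with the book's value; print every mismatch and
# return the number of mismatches (0 means the host matches the book).
audit_apache_modes() {
    prefix="$1"; bad=0
    for entry in \
        /usr/sbin/httpd:511 \
        /etc/httpd/conf:750 \
        /var/log/httpd:750 \
        /home/httpd/ona:311
    do
        path="$prefix${entry%%:*}"; want="${entry##*:}"
        if [ ! -e "$path" ]; then
            echo "$path: missing"; bad=$((bad + 1)); continue
        fi
        have=$(stat -c %a "$path")
        if [ "$have" != "$want" ]; then
            echo "$path: expected $want, found $have"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Why 311 on the DocumentRoot works: Apache needs only the execute (search)
# bit to open a file it is asked for by name, while the read bit is what lets
# it enumerate the directory for an automatic index. Return 0 when the
# directory has no read bit for anyone, keeps the execute bits, and the probe
# file inside it is still readable. Checked on mode bits, not by trying to
# list the directory, because root may list it regardless of the bits.
docroot_not_listable() {
    dir="$1"; probe="$2"
    [ -d "$dir" ] && [ -f "$dir/$probe" ] || return 1
    dmode=$(( 0$(stat -c %a "$dir") ))        # leading 0: octal constant
    fmode=$(( 0$(stat -c %a "$dir/$probe") ))
    [ $((dmode & 0444)) -eq 0 ] || return 1   # no r for anyone: no index
    [ $((dmode & 0111)) -eq 73 ] || return 1  # x for all (0111): files reachable
    [ $((fmode & 0444)) -ne 0 ]               # the file itself is readable
}

# Typical use on a live system (book paths):
#   audit_apache_modes "" && docroot_not_listable /home/httpd/ona index.html
```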
</section>
<section><?dbhtml filename="chap29sec252.html"?>
<title>users authentication with <filename>.dbmpasswd</filename> password file</title>
<para>
This step is necessary only if you think that you'll use an access file authentication system for your web site. Access file authentication is used when you have the need to protect some part of your web site with a user password. With
Apache, a lot of options exist to protect your site with usernames and passwords.
</para>
<procedure>
<step><para>
The <command>dbmmanage</command> program utility of Apache can be used to create and update usernames and passwords of <acronym>HTTP</acronym> users. This method uses <acronym>DBM</acronym> format files, which are the fastest mechanism when you have
thousands of users to manage in your password file. First of all, it's important to change the permissions of this program to <literal>0750/-rwxr-x---</literal>, writable only by the super-user <literal>root</literal>, readable and executable by the group
and nothing for the others.</para>
<substeps>
<step><para>
To change the permissions on the <command>dbmmanage</command> program, use the following command:
<screen>
[root@deep ]/# <command>chmod</command> 750 /usr/bin/dbmmanage
</screen>
</para></step>
<step><para>
To create a username and password, use the following command:
<screen>
[root@deep ]/# /usr/bin/dbmmanage /etc/httpd/.dbmpasswd adduser username
</screen>
<literallayout class="monospaced"><computeroutput>
New password:
Re-type new password:
User username added with password encrypted to l4jrdAL9MH0K.
</computeroutput></literallayout>
Where &lt;/etc/httpd&gt; is the location of the password file, &lt;.dbmpasswd&gt; is the name of the password file, and &lt;username&gt; is the name of the user you want to add to your <filename>.dbmpasswd</filename> file.
</para></step>
</substeps>
</step>
<step><para>
If you use the <command>dbmmanage</command> utility with your Apache web server to create passwords and usernames, don't forget to include in your <filename>/etc/httpd/conf/httpd.conf</filename> configuration file the part of your web site
you need to protect with user password authentication:
Edit the <filename>httpd.conf</filename> file <command>vi</command> <filename>/etc/httpd/conf/httpd.conf</filename> and add the following lines to protect the <literal>private</literal> directory of your web site <literal>ona</literal> with
user password authentication:
<programlisting>
&lt;Directory "/home/httpd/ona/private"&gt;
Options None
AllowOverride AuthConfig
AuthName "restricted stuff"
AuthType Basic
AuthDBUserFile /etc/httpd/.dbmpasswd
require valid-user
&lt;/Directory&gt;
</programlisting>
The path &lt;/home/httpd/ona/private&gt; specifies the directory we want to protect with a password and username, the &lt;/etc/httpd/.dbmpasswd&gt; specifies the location of the password file.
To add the DB password authentication module to your Apache Web Server, you must be sure to include it during the configuration time of Apache with the following parameter <envar>--add-module=src/modules/standard/mod_auth_db.c</envar>. See
your Apache documentation for more information.
</para></step>
<step><para>
You must restart Apache web server for the changes to take effect:
To restart Apache, use the following commands:
<screen>
[root@deep ]/# /etc/rc.d/init.d/httpd <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down http: [ OK ]
Starting httpd: [ OK ]
</computeroutput></literallayout>
</para></step>
<step><para>
Finally, we must test the new protected directory named <literal>private</literal>.
To verify that it works, point your web browser to the following address: <literal>http://my-web-server/private/</literal>. The &lt;my-web-server&gt; is the address where your Apache web server lives. The &lt;/private/&gt; is the directory
we want to protect with user password authentication.
</para></step>
</procedure>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Apache-Passwd.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Apache password</phrase></textobject>
</mediaobject>
<section><?dbhtml filename="chap29sec253.html"?>
<title>Immunize configuration files like <filename>httpd.conf</filename></title>
<para>
As we already know, the immutable bit can be used to prevent deletion, overwriting or creation of a symbolic link to a file. Once your <filename>httpd.conf</filename> file has been configured, it's a good idea to immunize it with
the following command:
<screen>
[root@deep ]/# <command>chattr</command> +i /etc/httpd/conf/httpd.conf
</screen>
</para>
</section>
</section>
<section><?dbhtml filename="chap29sec254.html"?>
<title>Apache in a chroot jail</title>
<para>
This part focuses on preventing Apache from being used as a point of break-in to the system hosting it. Apache by default runs as a non-root user, which will limit any damage to what can be done as a normal user with a local shell.
Of course, allowing what amounts to an anonymous guest account falls rather short of the security requirements for most Apache servers, so an additional step can be taken - that is, running Apache in a chroot jail.
</para>
<para>
The main benefit of a chroot jail is that the jail will limit the portion of the file system the daemon can see to the root directory of the jail. Additionally, since the jail only needs to support Apache, the programs available in
the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail.
</para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Apache-Chroot.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Apache in a chroot jail</phrase></textobject>
</mediaobject>
<para>
Chrooting apache is no easy task and has a tendency to break things. Before we embark on this, we need to first decide whether it is beneficial for you to do so. The pros and cons include, but are certainly not limited to, the following:
</para>
<sidebar><title>Pros and Cons</title>
<para>
Pros:
<orderedlist numeration="lowerroman">
<listitem><para>
If apache is ever compromised, the attacker will not have access to the entire file system.
</para></listitem><listitem><para>
Poorly written <acronym>CGI</acronym> scripts that may allow someone to access your server will not work.
</para></listitem>
</orderedlist>
</para>
<para>
Cons:
<orderedlist numeration="lowerroman">
<listitem><para>
There are extra libraries you'll need to have in the chroot jail for Apache to work.
</para></listitem>
<listitem><para>
If you use any <acronym>Perl/CGI</acronym> features with Apache, you will need to copy the needed binaries, Perl libraries and files to the appropriate spot within the chroot space. The same applies for <acronym>SSL</acronym>, <acronym>PHP</acronym>, LDAP,
PostgreSQL and other third-party programs.
</para></listitem>
</orderedlist>
</para>
</sidebar>
<para>
The chrooted configuration listed below supposes that you've compiled your Apache server with the external program mod_ssl. What you've compiled into your Apache web server determines which libraries and binaries
you'll need to copy to the chrooted directory.
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Remember that if you've compiled Apache to use mod_perl, you must copy all the related binaries and Perl libraries to the chrooted directory. Perl resides in <filename class="directory">/usr/lib/perl5</filename> and in case
you use Perl features, copy the Perl directories to <filename class="directory">/chroot/httpd/usr/lib/perl5/</filename>. Don't forget to create the directory <filename class="directory">/chroot/httpd/usr/lib/perl5</filename>
in your chrooted structure before copying.
</para></important>
<para>
The following are the necessary steps to run Apache Web Server in a chroot jail:
</para>
<para>
We must find the shared library dependencies of httpd. These will need to be copied into the chroot jail later.
To find the shared library dependencies of httpd, execute the following command:
<screen>
[root@deep ]/# ldd /usr/sbin/httpd
</screen>
<literallayout class="monospaced"><computeroutput>
libpam.so.0 =&gt;/lib/libpam.so.0 (0x40016000)
libm.so.6 =&gt;/lib/libm.so.6 (0x4001f000)
libdl.so.2 =&gt;/lib/libdl.so.2 (0x4003b000)
libcrypt.so.1 =&gt;/lib/libcrypt.so.1 (0x4003e000)
libnsl.so.1 =&gt;/lib/libnsl.so.1 (0x4006b000)
libresolv.so.2 =&gt;/lib/libresolv.so.2 (0x40081000)
libdb.so.3 =&gt;/lib/libdb.so.3 (0x40090000)
libc.so.6 =&gt;/lib/libc.so.6 (0x400cb000)
/lib/ld-linux.so.2 =&gt;/lib/ld-linux.so.2 (0x40000000)
</computeroutput></literallayout>
Make a note of the files listed above, you will need these later in our steps.
</para>
<para>
Add a new <acronym>UID</acronym> and a new <acronym>GID</acronym> if this is not already done for running Apache httpd. This is important because running it as root defeats the purpose of the jail, and
using a <acronym>UID</acronym> that already exists on the system, such as <literal>nobody</literal>, can allow your services to access each others' resources. Consider the scenario
where a web server is running as <literal>nobody</literal>, or any other overly used <acronym>UID/GID</acronym>, and is compromised. The cracker can now access any other processes running as <literal>nobody</literal> from within
the chroot.
</para>
<procedure>
<step><para>
These are sample <acronym>UID/GID</acronym>s. Check the <filename>/etc/passwd</filename> and <filename>/etc/group</filename> files for a free <acronym>UID/GID</acronym> number. In our configuration we'll use
the numeric value <literal>80</literal> and the name <literal>www</literal> for both the <acronym>UID</acronym> and the <acronym>GID</acronym>.
<screen>
[root@deep ]/# <command>useradd</command> -c "Apache Server" -u 80 -s /bin/false -r -d /home/httpd www 2>/dev/null || :
</screen>
The above command will create the group <literal>www</literal> with the numerical <acronym>GID</acronym> value <literal>80</literal>, and the user <literal>www</literal> with the numerical <acronym>UID</acronym> value <literal>80</literal>.
</para></step>
<step><para>
Set up the chroot environment. First we need to create the chrooted Apache structure. We use <filename class="directory">/chroot/httpd</filename> for the chrooted Apache. The <filename class="directory">/chroot/httpd</filename> is
just a directory on a different partition where we've decided to put apache for more security.
<screen>
[root@deep ]/# /etc/rc.d/init.d/httpd stop <co id="apchrt1"/>
</screen>
<calloutlist>
<callout arearefs="apchrt1"><para>
Only if Apache is already installed and running on your system.
</para></callout>
</calloutlist>
<literallayout class="monospaced"><computeroutput>
Shutting down http: [ OK ]
</computeroutput></literallayout>
<screen>
[root@deep ]/# <command>mkdir</command> /chroot/httpd
</screen>
</para></step>
<step><para>
Next, create the rest of the directories as follows:
<screen>
[root@deep ]/# <command>mkdir</command> /chroot/httpd/dev
[root@deep ]/# <command>mkdir</command> /chroot/httpd/lib
[root@deep ]/# <command>mkdir</command> /chroot/httpd/etc
[root@deep ]/# <command>mkdir</command> -p /chroot/httpd/usr/sbin
[root@deep ]/# <command>mkdir</command> -p /chroot/httpd/var/run
[root@deep ]/# <command>mkdir</command> -p /chroot/httpd/var/log/httpd
[root@deep ]/# <command>chmod</command> 750 /chroot/httpd/var/log/httpd/
[root@deep ]/# <command>mkdir</command> -p /chroot/httpd/home/httpd
</screen>
</para></step>
<step><para>
Copy the main configuration directory, the configuration files, the cgi-bin directory, the root directory and the httpd program to the chroot jail:
<screen>
[root@deep ]/# <command>cp</command> -r /etc/httpd /chroot/httpd/etc/
[root@deep ]/# <command>cp</command> -r /home/httpd/cgi-bin /chroot/httpd/home/httpd/
[root@deep ]/# <command>cp</command> -r /home/httpd/your-DocumentRoot /chroot/httpd/home/httpd/
[root@deep ]/# <command>mknod</command> /chroot/httpd/dev/null c 1 3
[root@deep ]/# <command>chmod</command> 666 /chroot/httpd/dev/null
[root@deep ]/# <command>cp</command> /usr/sbin/httpd /chroot/httpd/usr/sbin/
</screen>
We need the <filename class="directory">/chroot/httpd/etc</filename>, <filename class="directory">/chroot/httpd/dev</filename>, <filename class="directory">/chroot/httpd/lib</filename>, <filename class="directory">/chroot/httpd/usr/sbin</filename>
<filename class="directory">/chroot/httpd/var/run</filename>, <filename class="directory">/chroot/httpd/home/httpd</filename> and <filename class="directory">/chroot/httpd/var/log/httpd</filename> directories because, from the point of the chroot,
we're sitting at <filename class="directory">/</filename>.
</para></step>
<step><para>
If you have compiled your Apache web server with <acronym>SSL</acronym> support, you must copy the entire <filename class="directory">/etc/ssl</filename> directory that handles all private and public keys to the chroot jail.
<screen>
[root@deep ]/# <command>cp</command> -r /etc/ssl /chroot/httpd/etc/
[root@deep ]/# <command>chmod</command> 600 /chroot/httpd/etc/ssl/certs/ca.crt
[root@deep ]/# <command>chmod</command> 600 /chroot/httpd/etc/ssl/certs/server.crt
[root@deep ]/# <command>chmod</command> 600 /chroot/httpd/etc/ssl/private/ca.key
[root@deep ]/# <command>chmod</command> 600 /chroot/httpd/etc/ssl/private/server.key
</screen>
These commands are required only if you use the mod_ssl feature.
</para></step>
</procedure>
</section>
<section><?dbhtml filename="chap29sec255.html"?>
<title>Apache to use shared libraries</title>
<para>
Since we have compiled Apache to use shared libraries, we need to install them into the chroot directory structure. Use <command>ldd</command> <filename>/chroot/httpd/usr/sbin/httpd</filename> to find out which libraries are needed.
The output, depending on what you've compiled into Apache, will be something similar to:
<literallayout class="monospaced"><computeroutput>
libpam.so.0 =&gt; /lib/libpam.so.0 (0x40016000)
libm.so.6 =&gt; /lib/libm.so.6 (0x4001f000)
libdl.so.2 =&gt; /lib/libdl.so.2 (0x4003b000)
libcrypt.so.1 =&gt; /lib/libcrypt.so.1 (0x4003e000)
libnsl.so.1 =&gt; /lib/libnsl.so.1 (0x4006b000)
libresolv.so.2 =&gt; /lib/libresolv.so.2 (0x40081000)
libdb.so.3 =&gt; /lib/libdb.so.3 (0x40090000)
libc.so.6 =&gt; /lib/libc.so.6 (0x400cb000)
/lib/ld-linux.so.2 =&gt; /lib/ld-linux.so.2 (0x40000000)
</computeroutput></literallayout>
</para>
<para>
Copy the shared libraries identified above:
<screen>
[root@deep ]/# <command>cp</command> /lib/libpam.so.0 /chroot/httpd/lib/
[root@deep ]/# <command>cp</command> /lib/libm.so.6 /chroot/httpd/lib/
[root@deep ]/# <command>cp</command> /lib/libdl.so.2 /chroot/httpd/lib/
[root@deep ]/# <command>cp</command> /lib/libcrypt.so.1 /chroot/httpd/lib/
[root@deep ]/# <command>cp</command> /lib/libnsl* /chroot/httpd/lib/
[root@deep ]/# <command>cp</command> /lib/libresolv* /chroot/httpd/lib/
[root@deep ]/# <command>cp</command> /lib/libdb.so.3 /chroot/httpd/lib/
[root@deep ]/# <command>cp</command> /lib/libc.so.6 /chroot/httpd/lib/
[root@deep ]/# <command>cp</command> /lib/ld-linux.so.2 /chroot/httpd/lib/
</screen>
</para>
<para>
You'll also need the following extra libraries for some network functions, like resolving:
<screen>
[root@deep ]/# <command>cp</command> /lib/libnss_compat* /chroot/httpd/lib/
[root@deep ]/# <command>cp</command> /lib/libnss_dns* /chroot/httpd/lib/
[root@deep ]/# <command>cp</command> /lib/libnss_files* /chroot/httpd/lib/
</screen>
</para>
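<para>
Added example, not code from the book: a small POSIX shell script that automates the <command>ldd</command> step above, copying each library a binary needs into the jail under the directory it has on the host, reporting any library still missing, and checking a running process's root the way the <filename class="directory">/proc/<replaceable>PID</replaceable>/root</filename> test later in this chapter does. The jail path, binary and the sample <command>ldd</command> lines are constructed assumptions; the script expects a Linux host with <command>ldd</command> and <command>awk</command>.
</para>

```shell
#!/bin/sh
# Added example, not part of the book: populate and verify the shared
# libraries of a chroot jail. Assumes a Linux host with ldd(1) and awk(1).

# ldd_libs: read ldd(1) output on stdin and print one absolute library
# path per line. Handles the line shapes ldd produces:
#   libm.so.6 => /lib/libm.so.6 (0x4001f000)          prints /lib/libm.so.6
#   /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x...)  prints /lib/ld-linux.so.2
#   linux-vdso.so.1 (0x...)                           skipped (no file on disk)
#   statically linked                                 skipped
ldd_libs() {
    awk '$2 == "=>" { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# copy_libs_into_jail JAIL: read library paths on stdin and copy each one
# into JAIL under the directory it has on the host, so /lib/libm.so.6
# becomes JAIL/lib/libm.so.6. Stops with status 1 at the first missing file.
copy_libs_into_jail() {
    jail="$1"
    while read -r lib; do
        if [ ! -f "$lib" ]; then
            echo "copy_libs_into_jail: $lib does not exist"
            return 1
        fi
        dir="$jail$(dirname "$lib")"
        mkdir -p "$dir"
        cp "$lib" "$dir/"
    done
}

# populate_jail JAIL BINARY: copy every library BINARY needs into JAIL, e.g.
#   populate_jail /chroot/httpd /chroot/httpd/usr/sbin/httpd
# (both paths are the book's; substitute your own jail and binary).
populate_jail() {
    ldd "$2" | ldd_libs | copy_libs_into_jail "$1"
}

# missing_jail_libs JAIL BINARY: print each library BINARY needs that is not
# yet inside JAIL. Prints nothing when the jail is complete; rerun it after
# adding Perl, PHP or SSL support, which pull in libraries of their own.
missing_jail_libs() {
    jail="$1"
    ldd "$2" | ldd_libs | while read -r lib; do
        [ -f "$jail$lib" ] || echo "$lib"
    done
}

# pid_is_jailed PID JAIL: succeed when process PID sees JAIL as its root
# directory, the same fact the book checks with ls -la /proc/PID/root/.
# Linux only (relies on the /proc/PID/root symlink).
pid_is_jailed() {
    [ "$(readlink "/proc/$1/root")" = "${2%/}" ]
}
```

Run <command>missing_jail_libs /chroot/httpd /chroot/httpd/usr/sbin/httpd</command> after copying the NSS libraries as well; an empty result means nothing <command>ldd</command> can see is still missing, though libraries loaded at run time through <command>dlopen</command> (the NSS modules above are one case) still have to be copied by hand.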
<procedure>
<step><para>
We now need to copy the passwd and group files into the <filename class="directory">/chroot/httpd/etc</filename> chrooted directory. The concept here is the same as how ftpd uses passwd and group files. Next, we'll remove
from both the <literal>passwd</literal> and <literal>group</literal> files all entries except the user and group that Apache runs as.
</para>
<substeps>
<step><para>
<screen>
[root@deep ]/# <command>cp</command> /etc/passwd /chroot/httpd/etc/
[root@deep ]/# <command>cp</command> /etc/group /chroot/httpd/etc/
</screen>
</para></step>
<step><para>
Edit the <filename>passwd</filename> file, <command>vi</command> <filename>/chroot/httpd/etc/passwd</filename>, and delete all entries except the user Apache runs as; in our configuration it's <literal>www</literal>:
<programlisting>
www:x:80:80::/home/www:/bin/bash
</programlisting>
</para></step>
<step><para>
Edit the <filename>group</filename> file, <command>vi</command> <filename>/chroot/httpd/etc/group</filename>, and delete all entries except the group Apache runs as; in our configuration it's <literal>www</literal>:
<programlisting>
www:x:80:
</programlisting>
</para></step>
</substeps>
</step>
</procedure>
</section>
<section><?dbhtml filename="chap29sec256.html"?>
<title>The <filename class="directory">/chroot/etc</filename> directory</title>
<para>
You will also need the <filename>/etc/resolv.conf</filename>, <filename>/etc/nsswitch.conf</filename> and <filename>/etc/hosts</filename> files in your chroot jail:
<screen>
[root@deep ]/# <command>cp</command> /etc/resolv.conf /chroot/httpd/etc/
[root@deep ]/# <command>cp</command> /etc/hosts /chroot/httpd/etc/
[root@deep ]/# <command>cp</command> /etc/nsswitch.conf /chroot/httpd/etc/
</screen>
</para>
<procedure>
<step><para>
Now we must set the immutable bit on some files in the chroot jail directory for better security, so that they cannot be modified or removed even by root until the bit is cleared.
</para>
<substeps>
<step><para>
Set the immutable bit on <filename>passwd</filename> file:
<screen>
[root@deep ]/# <command>cd</command> /chroot/httpd/etc/
[root@deep ]/# <command>chattr</command> +i passwd
</screen>
</para></step><step><para>
Set the immutable bit on <filename>group</filename> file:
<screen>
[root@deep ]/# <command>cd</command> /chroot/httpd/etc/
[root@deep ]/# <command>chattr</command> +i group
</screen>
</para></step>
<step><para>
Set the immutable bit on <filename>httpd.conf</filename> file:
<screen>
[root@deep ]/# <command>cd</command> /chroot/httpd/etc/httpd/conf/
[root@deep ]/# <command>chattr</command> +i httpd.conf
</screen>
</para></step>
<step><para>
Set the immutable bit on <filename>resolv.conf</filename> file:
<screen>
[root@deep ]/# <command>cd</command> /chroot/httpd/etc/
[root@deep ]/# <command>chattr</command> +i resolv.conf
</screen>
</para></step>
<step><para>
Set the immutable bit on <filename>hosts</filename> file:
<screen>
[root@deep ]/# <command>cd</command> /chroot/httpd/etc/
[root@deep ]/# <command>chattr</command> +i hosts
</screen>
</para></step>
<step><para>
Set the immutable bit on <filename>nsswitch.conf</filename> file:
<screen>
[root@deep ]/# <command>cd</command> /chroot/httpd/etc/
[root@deep ]/# <command>chattr</command> +i nsswitch.conf
</screen>
</para></step>
</substeps>
</step>
<step><para>
Copy the <filename>localtime</filename> file to the jail so that log entries are adjusted for your local timezone properly:
<screen>
[root@deep ]/# <command>cp</command> /etc/localtime /chroot/httpd/etc/
</screen>
</para></step>
<step><para>
Remove unnecessary Apache files and directories:
<screen>
[root@deep ]/# <command>rm</command> -rf /var/log/httpd/
[root@deep ]/# <command>rm</command> -rf /etc/httpd/
[root@deep ]/# <command>rm</command> -rf /home/httpd/
[root@deep ]/# <command>rm</command> -f /usr/sbin/httpd
</screen>
We can safely remove all of the above files and directories, since copies of them are now located under our chroot jail directory.
</para></step>
<step><para>
Normally, processes talk to syslogd through the <filename>/dev/log</filename> socket. From inside the chroot jail this socket is not reachable, so syslogd needs to be told to also listen on <filename>/chroot/httpd/dev/log</filename>.
To do this, edit the <filename>syslog</filename> startup script, <command>vi</command> <filename>/etc/rc.d/init.d/syslog</filename>, and change the line:
<programlisting>
daemon syslogd -m 0
</programlisting>
To read:
<programlisting>
daemon syslogd -m 0 -a /chroot/httpd/dev/log
</programlisting>
</para></step>
<step><para>
The default <filename>httpd</filename> script file of Apache starts the daemon <literal>httpd</literal> outside the chroot jail. We must change it so that httpd is started inside the chroot jail.
</para>
<substeps>
<step><para>
Edit the <filename>httpd</filename> script file, <command>vi</command> <filename>/etc/rc.d/init.d/httpd</filename> and change the line:
<programlisting>
daemon httpd
</programlisting>
To read:
<programlisting>
/usr/sbin/chroot /chroot/httpd/ /usr/sbin/httpd -DSSL
</programlisting>
</para></step>
<step><para>
In the same file, also change the line:
<programlisting>
<command>rm</command> -f /var/run/httpd.pid
</programlisting>
To read:
<programlisting>
<command>rm</command> -f /chroot/httpd/var/run/httpd.pid
</programlisting>
</para></step>
</substeps>
</step>
</procedure>
</section>
<section><?dbhtml filename="chap29sec257.html"?>
<title>Test the new chrooted jail</title>
<para>
Finally, we must test the new chrooted jail configuration of our Apache Web Server. The first thing to do is to restart our syslogd daemon with the following command:
<screen>
[root@deep ]/# /etc/rc.d/init.d/syslog <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
</computeroutput></literallayout>
</para>
<para>
Now, start the new chrooted jail Apache with the following command:
<screen>
[root@deep ]/# /etc/rc.d/init.d/httpd <command>start</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Starting httpd: [ OK ]
</computeroutput></literallayout>
</para>
<para>
If you don't get any errors, do a <command>ps ax</command> | <command>grep httpd</command> and see if we're running:
<screen>
[root@deep ]/# <command>ps ax</command> | <command>grep httpd</command>
</screen>
<literallayout class="monospaced"><computeroutput>
14373 ? S 0:00 httpd -DSSL
14376 ? S 0:00 httpd -DSSL
14377 ? S 0:00 httpd -DSSL
14378 ? S 0:00 httpd -DSSL
14379 ? S 0:00 httpd -DSSL
14380 ? S 0:00 httpd -DSSL
14381 ? S 0:00 httpd -DSSL
14382 ? S 0:00 httpd -DSSL
14383 ? S 0:00 httpd -DSSL
14384 ? S 0:00 httpd -DSSL
14385 ? S 0:00 httpd -DSSL
14386 ? S 0:00 httpd -DSSL
14387 ? S 0:00 httpd -DSSL
14388 ? S 0:00 httpd -DSSL
14389 ? S 0:00 httpd -DSSL
14390 ? S 0:00 httpd -DSSL
14391 ? S 0:00 httpd -DSSL
14397 ? S 0:00 httpd -DSSL
14476 ? S 0:00 httpd -DSSL
14477 ? S 0:00 httpd -DSSL
14478 ? S 0:00 httpd -DSSL
</computeroutput></literallayout>
</para>
<para>
If so, let's check to make sure it's chrooted by picking out one of its process numbers and doing <userinput>ls -la /proc/that_process_number/root/</userinput>:
<screen>
[root@deep ]/# ls -la /proc/14373/root/
</screen>
If you see:
<literallayout class="monospaced"><computeroutput>
dev
etc
home
lib
usr
var
</computeroutput></literallayout>
congratulations!
</para>
<para>
As mentioned above, if you use Perl, you'll need to copy or hard link any system libraries, Perl libraries (<filename class="directory">/usr/lib/perl5</filename>), and binaries into the chroot area. The same applies for <acronym>SSL</acronym>, <acronym>PHP</acronym>, LDAP,
PostgreSQL and other programs.
</para>
</section>
<section><?dbhtml filename="chap29sec258.html"?>
<title>Configure the new <filename>/etc/logrotate.d/apache</filename> file</title>
<para>
Apache's log files now reside in the <filename class="directory">/chroot/httpd/var/log/httpd</filename> directory instead of <filename class="directory">/var/log/httpd</filename>, and for this reason we need to modify the <filename>/etc/logrotate.d/httpd</filename>
file to point to the new chrooted directory. Also, since we've compiled Apache with mod_ssl, we'll add entries to permit the logrotate program to rotate the <filename>ssl_request_log</filename> and <filename>ssl_engine_log</filename> files as well.
Configure your <filename>/etc/logrotate.d/apache</filename> file to rotate your log files each week automatically.
</para>
<para>
Create the <filename>apache</filename> file, <command>touch</command> <filename>/etc/logrotate.d/apache</filename> and add:
<programlisting>
/chroot/httpd/var/log/httpd/access_log {
    missingok
    postrotate
        /usr/bin/killall -HUP /chroot/httpd/usr/sbin/httpd
    endscript
}
/chroot/httpd/var/log/httpd/error_log {
    missingok
    postrotate
        /usr/bin/killall -HUP /chroot/httpd/usr/sbin/httpd
    endscript
}
/chroot/httpd/var/log/httpd/ssl_request_log {
    missingok
    postrotate
        /usr/bin/killall -HUP /chroot/httpd/usr/sbin/httpd
    endscript
}
/chroot/httpd/var/log/httpd/ssl_engine_log {
    missingok
    postrotate
        /usr/bin/killall -HUP /chroot/httpd/usr/sbin/httpd
    endscript
}
</programlisting>
</para>
</section>
<section id="pr6ch29sapo"><?dbhtml filename="chap29sec259.html"?>
<title>Optimizing Apache</title>
<para>
<literal>mod_mmap_static</literal> is a special module shipped with the Apache distribution that can be used to improve the performance of your web server. It works by memory-mapping
a statically configured list of frequently requested, but unchanging, files under your RootDirectory. So, if the files served by Apache don't change often, you can use this module to memory-map the static documents
and increase the speed of your Apache web server.
</para>
<para>
It's important to note that the mod_mmap_static module must be enabled when Apache is configured and compiled before you can use it. If you have followed the steps described in the configuration and
compilation section above, this is already done through the <option>--add-module=../mod_mmap_static.c</option> configure option.
</para>
<procedure>
<step><para>
To memory-map static documents, use the following command:
<screen>
[root@deep ]/# <command>find</command> /home/httpd/ona -type f -print | <command>sed</command> -e 's/.*/mmapfile &amp;/' &gt; /etc/httpd/conf/mmap.conf
</screen>
Here <filename class="directory">/home/httpd/ona</filename> is the RootDirectory, or to be more precise, the directory out of which you will serve your documents, and <filename>/etc/httpd/conf/mmap.conf</filename>
is the location where we want to create the file <filename>mmap.conf</filename>, which contains one <literal>mmapfile</literal> directive for every document under our RootDirectory.
</para></step>
<step><para>
Once the <filename>mmap.conf</filename> file has been created under the location where we have chosen to keep this file, we must include it in the <filename>httpd.conf</filename> file of Apache to be able to use its features on our web server.
Edit the <filename>httpd.conf</filename> file, <command>vi</command> <filename>/etc/httpd/conf/httpd.conf</filename> and add the line:
<programlisting>
&lt;IfModule mod_mmap_static.c&gt;
    Include conf/mmap.conf
&lt;/IfModule&gt;
</programlisting>
</para></step>
</procedure>
<note>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
See your Apache documentation for more information about the use of mod_mmap_static. Remember that this feature must only be used when you serve documents that don't change often on your web site, since a memory-mapped file is not re-read until Apache is restarted.
</para></note>
<para>
You must restart the Apache web server for the changes to take effect:
<screen>
[root@deep ]/# /etc/rc.d/init.d/httpd <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down http: [ OK ]
Starting httpd: [ OK ]
</computeroutput></literallayout>
</para>
<tip>
<title>The atime and noatime attributes</title>
<para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</mediaobject>
The atime and noatime attributes of Linux can be used to get measurable performance gains in Apache. See in this book, <link linkend="pr2ch6scntm">General System Optimization</link>, for more information on the subject.
</para>
</tip>
</section>
<section><?dbhtml filename="chap29sec260.html"?>
<title>Installed files for Apache Web Server</title>
<para>
These are the files installed by the software program Apache on your server.
</para>
<simplelist type="horiz" columns="3">
<member><filename>/etc/rc.d/init.d/httpd</filename></member>
<member><filename>/etc/rc.d/rc0.d/K15httpd</filename></member>
<member><filename>/etc/rc.d/rc1.d/K15httpd</filename></member>
<member><filename>/etc/rc.d/rc2.d/K15httpd</filename></member>
<member><filename>/etc/rc.d/rc3.d/S85httpd</filename></member>
<member><filename>/etc/rc.d/rc4.d/S85httpd</filename></member>
<member><filename>/etc/rc.d/rc5.d/S85httpd</filename></member>
<member><filename>/etc/rc.d/rc6.d/K15httpd</filename></member>
<member><filename>/etc/logrotate.d/apache</filename></member>
<member><filename>/etc/httpd</filename></member>
<member><filename>/etc/httpd/conf</filename></member>
<member><filename>/etc/httpd/conf/httpd.conf.default</filename></member>
<member><filename>/etc/httpd/conf/httpd.conf</filename></member>
<member><filename>/etc/httpd/conf/mime.types.default</filename></member>
<member><filename>/etc/httpd/conf/mime.types</filename></member>
<member><filename>/etc/httpd/conf/magic.default</filename></member>
<member><filename>/etc/httpd/conf/magic</filename></member>
<member><filename>/etc/httpd/php.ini</filename></member>
<member><filename>/home/httpd</filename></member>
<member><filename>/home/httpd/cgi-bin</filename></member>
<member><filename>/home/httpd/cgi-bin/printenv</filename></member>
<member><filename>/home/httpd/cgi-bin/test-cgi</filename></member>
<member><filename>/usr/bin/htpasswd</filename></member>
<member><filename>/usr/bin/htdigest</filename></member>
<member><filename>/usr/bin/dbmmanage</filename></member>
<member><filename>/usr/include/apache</filename></member>
<member><filename>/usr/include/apache/xml</filename></member>
<member><filename>/usr/include/apache/xml/asciitab.h</filename></member>
<member><filename>/usr/include/apache/xml/hashtable.h</filename></member>
<member><filename>/usr/include/apache/xml/iasciitab.h</filename></member>
<member><filename>/usr/include/apache/xml/latin1tab.h</filename></member>
<member><filename>/usr/include/apache/xml/nametab.h</filename></member>
<member><filename>/usr/include/apache/xml/utf8tab.h</filename></member>
<member><filename>/usr/include/apache/xml/xmldef.h</filename></member>
<member><filename>/usr/include/apache/xml/xmlparse.h</filename></member>
<member><filename>/usr/include/apache/xml/xmlrole.h</filename></member>
<member><filename>/usr/include/apache/xml/xmltok.h</filename></member>
<member><filename>/usr/include/apache/xml/xmltok_impl.h</filename></member>
<member><filename>/usr/include/apache/alloc.h</filename></member>
<member><filename>/usr/include/apache/ap.h</filename></member>
<member><filename>/usr/include/apache/ap_compat.h</filename></member>
<member><filename>/usr/include/apache/ap_config.h</filename></member>
<member><filename>/usr/include/apache/ap_config_auto.h</filename></member>
<member><filename>/usr/include/apache/ap_ctx.h</filename></member>
<member><filename>/usr/include/apache/ap_ctype.h</filename></member>
<member><filename>/usr/include/apache/ap_hook.h</filename></member>
<member><filename>/usr/include/apache/ap_md5.h</filename></member>
<member><filename>/usr/include/apache/ap_mm.h</filename></member>
<member><filename>/usr/include/apache/ap_mmn.h</filename></member>
<member><filename>/usr/include/apache/ap_sha1.h</filename></member>
<member><filename>/usr/include/apache/buff.h</filename></member>
<member><filename>/usr/include/apache/compat.h</filename></member>
<member><filename>/usr/include/apache/conf.h</filename></member>
<member><filename>/usr/include/apache/explain.h</filename></member>
<member><filename>/usr/include/apache/fnmatch.h</filename></member>
<member><filename>/usr/include/apache/hsregex.h</filename></member>
<member><filename>/usr/include/apache/http_conf_globals.h</filename></member>
<member><filename>/usr/include/apache/http_config.h</filename></member>
<member><filename>/usr/include/apache/http_core.h</filename></member>
<member><filename>/usr/include/apache/http_log.h</filename></member>
<member><filename>/usr/include/apache/http_main.h</filename></member>
<member><filename>/usr/include/apache/http_protocol.h</filename></member>
<member><filename>/usr/include/apache/http_request.h</filename></member>
<member><filename>/usr/include/apache/http_vhost.h</filename></member>
<member><filename>/usr/include/apache/httpd.h</filename></member>
<member><filename>/usr/include/apache/multithread.h</filename></member>
<member><filename>/usr/include/apache/rfc1413.h</filename></member>
<member><filename>/usr/include/apache/scoreboard.h</filename></member>
<member><filename>/usr/include/apache/util_date.h</filename></member>
<member><filename>/usr/include/apache/util_md5.h</filename></member>
<member><filename>/usr/include/apache/util_script.h</filename></member>
<member><filename>/usr/include/apache/util_uri.h</filename></member>
<member><filename>/usr/include/apache/os.h</filename></member>
<member><filename>/usr/include/apache/os-inline.c</filename></member>
<member><filename>/usr/lib/apache</filename></member>
<member><filename>/usr/man/man1/htpasswd.1</filename></member>
<member><filename>/usr/man/man1/htdigest.1</filename></member>
<member><filename>/usr/man/man1/dbmmanage.1</filename></member>
<member><filename>/usr/man/man8/ab.8</filename></member>
<member><filename>/usr/man/man8/httpd.8</filename></member>
<member><filename>/usr/man/man8/logresolve.8</filename></member>
<member><filename>/usr/man/man8/rotatelogs.8</filename></member>
<member><filename>/usr/man/man8/apxs.8</filename></member>
<member><filename>/usr/sbin/httpd</filename></member>
<member><filename>/usr/sbin/ab</filename></member>
<member><filename>/usr/sbin/logresolve</filename></member>
<member><filename>/usr/sbin/rotatelogs</filename></member>
<member><filename>/usr/sbin/apxs</filename></member>
<member><filename>/var/log/httpd</filename></member>
<member><filename>/var/cache</filename></member>
<member><filename>/var/cache/httpd</filename></member>
</simplelist>
</section>
<section><?dbhtml filename="chap29sec261.html"?>
<title>Installed files /PHP4</title>
<para>
These are the files installed by the PHP4 server-side scripting language with the Apache Web Server:
</para>
<simplelist type="horiz" columns="2">
<member><filename>/usr/bin/phpize</filename></member>
<member><filename>/usr/bin/php-config</filename></member>
<member><filename>/usr/include/php</filename></member>
<member><filename>/usr/include/php/Zend</filename></member>
<member><filename>/usr/include/php/Zend/FlexLexer.h</filename></member>
<member><filename>/usr/include/php/Zend/acconfig.h</filename></member>
<member><filename>/usr/include/php/Zend/modules.h</filename></member>
<member><filename>/usr/include/php/Zend/zend-parser.h</filename></member>
<member><filename>/usr/include/php/Zend/zend-scanner.h</filename></member>
<member><filename>/usr/include/php/Zend/zend.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_API.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_alloc.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_builtin_functions.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_compile.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_config.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_config.w32.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_constants.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_dynamic_array.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_errors.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_execute.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_execute_locks.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_extensions.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_fast_cache.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_globals.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_globals_macros.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_hash.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_highlight.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_indent.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_list.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_llist.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_operators.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_ptr_stack.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_stack.h</filename></member>
<member><filename>/usr/include/php/Zend/zend_variables.h</filename></member>
<member><filename>/usr/include/php/TSRM</filename></member>
<member><filename>/usr/include/php/TSRM/TSRM.h</filename></member>
<member><filename>/usr/include/php/ext</filename></member>
<member><filename>/usr/include/php/ext/standard</filename></member>
<member><filename>/usr/include/php/ext/standard/base64.h</filename></member>
<member><filename>/usr/include/php/ext/standard/basic_functions.h</filename></member>
<member><filename>/usr/include/php/ext/standard/cyr_convert.h</filename></member>
<member><filename>/usr/include/php/ext/standard/datetime.h</filename></member>
<member><filename>/usr/include/php/ext/standard/dl.h</filename></member>
<member><filename>/usr/include/php/ext/standard/dns.h</filename></member>
<member><filename>/usr/include/php/ext/standard/exec.h</filename></member>
<member><filename>/usr/include/php/ext/standard/file.h</filename></member>
<member><filename>/usr/include/php/ext/standard/flock_compat.h</filename></member>
<member><filename>/usr/include/php/ext/standard/fsock.h</filename></member>
<member><filename>/usr/include/php/ext/standard/global.h</filename></member>
<member><filename>/usr/include/php/ext/standard/head.h</filename></member>
<member><filename>/usr/include/php/ext/standard/html.h</filename></member>
<member><filename>/usr/include/php/ext/standard/info.h</filename></member>
<member><filename>/usr/include/php/ext/standard/md5.h</filename></member>
<member><filename>/usr/include/php/ext/standard/microtime.h</filename></member>
<member><filename>/usr/include/php/ext/standard/pack.h</filename></member>
<member><filename>/usr/include/php/ext/standard/pageinfo.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_array.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_assert.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_browscap.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_crypt.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_dir.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_filestat.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_image.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_iptc.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_lcg.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_link.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_mail.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_metaphone.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_output.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_rand.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_standard.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_string.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_syslog.h</filename></member>
<member><filename>/usr/include/php/ext/standard/php_var.h</filename></member>
<member><filename>/usr/include/php/ext/standard/phpdir.h</filename></member>
<member><filename>/usr/include/php/ext/standard/phpmath.h</filename></member>
<member><filename>/usr/include/php/ext/standard/quot_print.h</filename></member>
<member><filename>/usr/include/php/ext/standard/reg.h</filename></member>
<member><filename>/usr/include/php/ext/standard/type.h</filename></member>
<member><filename>/usr/include/php/ext/standard/uniqid.h</filename></member>
<member><filename>/usr/include/php/ext/standard/url.h</filename></member>
<member><filename>/usr/include/php/ext/standard/url_scanner.h</filename></member>
<member><filename>/usr/include/php/regex</filename></member>
<member><filename>/usr/include/php/regex/regex.h</filename></member>
<member><filename>/usr/include/php/regex/regex_extra.h</filename></member>
<member><filename>/usr/include/php/php.h</filename></member>
<member><filename>/usr/include/php/php_regex.h</filename></member>
<member><filename>/usr/include/php/php3_compat.h</filename></member>
<member><filename>/usr/include/php/safe_mode.h</filename></member>
<member><filename>/usr/include/php/fopen-wrappers.h</filename></member>
<member><filename>/usr/include/php/php_version.h</filename></member>
<member><filename>/usr/include/php/php_globals.h</filename></member>
<member><filename>/usr/include/php/php_reentrancy.h</filename></member>
<member><filename>/usr/include/php/php_ini.h</filename></member>
<member><filename>/usr/include/php/SAPI.h</filename></member>
<member><filename>/usr/include/php/php_config.h</filename></member>
<member><filename>/usr/include/php/zend_config.h</filename></member>
<member><filename>/usr/include/php/build-defs.h</filename></member>
<member><filename>/usr/lib/php</filename></member>
<member><filename>/usr/lib/php/DB</filename></member>
<member><filename>/usr/lib/php/DB/common.php</filename></member>
<member><filename>/usr/lib/php/DB/odbc.php</filename></member>
<member><filename>/usr/lib/php/DB/mysql.php</filename></member>
<member><filename>/usr/lib/php/DB/pgsql.php</filename></member>
<member><filename>/usr/lib/php/DB/storage.php</filename></member>
<member><filename>/usr/lib/php/build</filename></member>
<member><filename>/usr/lib/php/build/pear.m4</filename></member>
<member><filename>/usr/lib/php/build/fastgen.sh</filename></member>
<member><filename>/usr/lib/php/build/library.mk</filename></member>
<member><filename>/usr/lib/php/build/ltlib.mk</filename></member>
<member><filename>/usr/lib/php/build/program.mk</filename></member>
<member><filename>/usr/lib/php/build/rules.mk</filename></member>
<member><filename>/usr/lib/php/build/rules_pear.mk</filename></member>
<member><filename>/usr/lib/php/build/shtool</filename></member>
<member><filename>/usr/lib/php/build/acinclude.m4</filename></member>
<member><filename>/usr/lib/php/DB.php</filename></member>
</simplelist>
</section>
<section><?dbhtml filename="chap29sec262.html"?>
<title>Installed files by mod_perl</title>
<para>
These are the files installed by mod_perl with the Apache Web Server on your machine:
</para>
<simplelist type="horiz" columns="2">
<member><filename>/usr/lib/perl5/5.00503/i386-linux/perllocal.pod</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Constants.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Leak.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Log.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::PerlRunXS.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Symbol.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Table.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::URI.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Util.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::FakeRequest.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/mod_perl.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::ExtUtils.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::SIG.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Status.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Include.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Debug.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Resource.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::src.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::PerlRun.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::httpd_conf.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/mod_perl_traps.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Options.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/mod_perl_cvs.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Symdump.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::RegistryLoader.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/mod_perl_method_handlers.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/mod_perl_tuning.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/cgi_to_mod_perl.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::StatINC.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::Registry.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Bundle::Apache.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::SizeLimit.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::PerlSections.3</filename></member>
<member><filename>/usr/lib/perl5/man/man3/Apache::RedirectLogFix.3</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/buff.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/multithread.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/httpd.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/ap_config.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/alloc.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/ap.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/ap_md5.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/ap_ctx.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/util_md5.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/rfc1413.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/conf.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/util_uri.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/explain.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/ap_compat.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/http_config.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/ap_sha1.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/scoreboard.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/compat.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/http_request.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/http_core.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/ap_mm.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/http_protocol.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/util_date.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/ap_hook.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/http_main.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/http_conf_globals.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/util_script.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/http_vhost.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/ap_ctype.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/hsregex.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/ap_mmn.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/ap_config_auto.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/http_log.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/include/fnmatch.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/netware</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/netware/os.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/netware/getopt.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/netware/test_char.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/netware/uri_delims.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/netware/precomp.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/bs2000</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/bs2000/os-inline.c</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/bs2000/ebcdic.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/bs2000/os.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/tpf</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/tpf/ebcdic.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/tpf/os.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/tpf/os-inline.c</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/service.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/getopt.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/registry.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/resource.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/installer</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/installer/installdll</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/installer/installdll/test</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/installer/installdll/test/test.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/installer/installdll/test/resource.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/os.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/passwd.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/win32/readdir.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/unix</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/unix/os.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/unix/os-inline.c</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/os390</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/os390/os-inline.c</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/os390/ebcdic.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/os390/os.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/mpeix</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/mpeix/os-inline.c</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/mpeix/os.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/os2</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/os2/os.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/os/os2/os-inline.c</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/ssl</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/ssl/ssl_expr.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/ssl/ssl_util_table.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/ssl/ssl_util_ssl.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/ssl/ssl_expr_parse.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/ssl/mod_ssl.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/ssl/ssl_util_sdbm.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/perl</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/perl/mod_perl.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/perl/mod_perl_version.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/perl/perl_PL.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/perl/mod_perl_xs.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/php4</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/php4/mod_php4.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/proxy</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/proxy/mod_proxy.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/standard</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/modules/standard/mod_rewrite.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/support</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/support/suexec.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite/iasciitab.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite/latin1tab.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite/xmldef.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite/xmlparse.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite/xmltok.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite/xmlrole.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite/hashtable.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite/nametab.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite/xmltok_impl.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite/utf8tab.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/lib/expat-lite/asciitab.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/regex</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/regex/utils.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/regex/regex2.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/regex/cclass.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/include/regex/cname.h</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/typemap</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/Leak</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/Leak/Leak.so</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/Leak/Leak.bs</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/Symbol</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/Symbol/Symbol.so</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Apache/Symbol/Symbol.bs</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/mod_perl.pod</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Bundle</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Bundle/Apache.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/test.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Debug.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Resource.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/src.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/httpd_conf.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Symdump.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/RegistryLoader.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Registry.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/SizeLimit.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/RedirectLogFix.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/MyConfig.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Constants</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Constants/Exports.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/SIG.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/StatINC.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Opcode.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/PerlSections.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/FakeRequest.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/ExtUtils.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Include.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Status.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/PerlRun.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Options.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/RegistryNG.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/RegistryBB.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Connection.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Constants.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/File.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Leak.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Log.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/ModuleConfig.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/PerlRunXS.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Server.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Symbol.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Table.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/URI.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache/Util.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/mod_perl_hooks.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/mod_perl_hooks.pm.PL</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/mod_perl_tuning.pod</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/mod_perl_cvs.pod</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/mod_perl_method_handlers.pod</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/mod_perl.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/mod_perl_traps.pod</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/cgi_to_mod_perl.pod</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/Apache.pm</filename></member>
</simplelist>
</section>
</chapter>
<chapter label="30"><?dbhtml filename="opt-Apache.html"?>
<title>Optional component to install with Apache</title>
<highlights><para>
In this chapter, three useful external programs that you may install on your Linux server are explained. These programs have been made for use with the Apache Web Server, and are useful only if you intend to use Apache in your
organization. If this is not the case, you can skip this chapter and continue through the rest of this book. To begin, we'll talk about:
<orderedlist numeration="lowerroman">
<listitem><para>
Webalizer, which is a web server log file analysis program.
</para></listitem><listitem><para>
Then we'll discuss FAQ-O-Matic, which can be used when you want a <acronym>FAQ</acronym> list, bug-tracking database, documentation and much more on your server.
</para></listitem><listitem><para>
Finally, we'll talk about a very sophisticated and interesting program called Webmail, which allows you to offer free mail accounts to your clients, or to access and read your own mail, in a secure manner.
</para></listitem>
</orderedlist>
</para></highlights>
<section id="pr6ch30swblzr"><?dbhtml filename="webalizer.html"?>
<title>Linux Webalizer</title>
<para>
A web server like Apache logs all predefined log entry information into a text file that can be viewed and analyzed by the web administrator. This file can also be evaluated by a special program which can produce the information in a
graphical presentation, making interpretation easier for the administrator.
</para>
<sidebar>
<title>As per the <citation>README</citation> file of Webalizer:</title>
<para>
The Webalizer is a web server log file analysis program, which produces usage statistics in HTML format for viewing with a browser. The results are presented in both columnar and graphical format, which facilitates
interpretation. Yearly, monthly, daily and hourly usage statistics are presented, along with the ability to display usage by site, URL, referrer, user agent, <emphasis>browser</emphasis> and country, <emphasis>user
agent and referrer are only available if your web server produces Combined log format files</emphasis>.
</para>
</sidebar>
<para>
These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename class="directory">/var/tmp</filename>, <emphasis>other paths are possible</emphasis>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>.
</para></listitem><listitem><para>
Webalizer version number is 1.30-04
</para></listitem>
</itemizedlist>
</para>
<para>
These are the Package(s):
<simplelist>
<member>
Webalizer Homepage: <link linkend="prtinxfp33">http://www.mrunix.net/webalizer/</link>
</member><member>
Webalizer FTP Site: <link linkend="prtinxfp33">207.153.121.6</link>
</member><member>
You must be sure to download: webalizer-1_30-04-src.tgz
</member>
</simplelist>
</para>
<para>
Before you compile, decompress the tarball (tar.gz).
<screen>
[root@deep /]# <command>cp</command> webalizer-version-src.tgz /var/tmp/
[root@deep /]# <command>cd</command> /var/tmp/
[root@deep ]/tmp# <command>tar</command> xzpf webalizer-version-src.tgz
</screen>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Webalizer has one prerequisite: the <acronym>GD</acronym> Graphics Library, which it uses to generate the inline graphics in its reports, must already be installed on your system, together with its development package so that Webalizer can be compiled against it. If this is
not the case, you must install both from your Red Hat Linux CD-ROM as shown below.
</para>
</important>
<para>
To verify that the <acronym>GD</acronym> package is installed on your Linux system, use the following command:
<screen>
[root@deep /]# <command>rpm</command> -qi gd
</screen>
<literallayout class="monospaced"><computeroutput>
package gd is not installed
</computeroutput></literallayout>
To install the <acronym>GD</acronym> packages on your Linux system, use the following command:
<screen>
[root@deep /]# <command>mount</command> /dev/cdrom /mnt/cdrom/
[root@deep /]# <command>cd</command> /mnt/cdrom/RedHat/RPMS/
[root@deep ]/RPMS# <command>rpm</command> -Uvh gd-version.i386.rpm
</screen>
<literallayout class="monospaced"><computeroutput>
gd ##################################################
</computeroutput></literallayout>
<screen>
[root@deep ]/RPMS# <command>rpm</command> -Uvh gd-devel-version.i386.rpm
</screen>
<literallayout class="monospaced"><computeroutput>
gd-devel ##################################################
</computeroutput></literallayout>
<screen>
[root@deep ]/RPMS# <command>cd</command> /; umount /mnt/cdrom/
</screen>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The Apache web server must, of course, already be installed on your system before you can make use of Webalizer.
</para>
</important>
<para>
For more information on <link linkend="pr6ch29wapch">Apache web server</link>, see its related chapter in this book.
</para>
</section>
<section><?dbhtml filename="chap29sec263.html"?>
<title>Compile</title>
<para>
Move into the new Webalizer directory and type the following commands on your terminal:
<programlisting>
CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--prefix=/usr
</programlisting>
<screen>
[root@deep ]/webalizer-1.30-04# <command>make</command>
[root@deep ]/webalizer-1.30-04# <command>make install</command>
[root@deep ]/webalizer-1.30-04# <command>mkdir</command> /home/httpd/usage
</screen>
</para>
<para>
<itemizedlist>
<listitem><para>
The <command>make</command> command will compile all source files into executable binaries,
</para></listitem><listitem><para>
The <command>make install</command> will install the binaries and any supporting files into the appropriate locations.
</para></listitem><listitem><para>
The <command>mkdir</command> will create a new directory named <literal>usage</literal> under the <filename class="directory">/home/httpd/</filename> directory where we'll handle all related Webalizer files.
</para></listitem>
</itemizedlist>
</para>
<para>
Clean up afterwards:
<screen>
[root@deep /]# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf webalizer-version/ webalizer-version-src.tgz
</screen>
The <command>rm</command> command will remove all the source files we have used to compile and install Webalizer. It will also remove the Webalizer compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para>
<section><?dbhtml filename="chap29sec264.html"?>
<title>Configurations</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each piece of software described in this book have been provided by us as a gzipped archive, <filename>floppy.tgz</filename>, for your convenience. It can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack it to any location on your local machine, for example <filename class="directory">/tmp</filename>; assuming you have done so, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each configuration file has its own subdirectory
for the respective software. For example, the <wordasword>Webalizer</wordasword> configuration file is organised like this:
<literallayout class="monospaced"><computeroutput>
total 8
-rw-r--r-- 1 harrypotter harrypotter 208 Jul 26 18:04 webalizer.conf
</computeroutput></literallayout>
You can either copy these directly if you have been faithfully following our instructions from the beginning, or edit them manually to suit your needs. This facility is provided as a convenience, but please don't forget that ultimately it is your
responsibility to check and verify these files before you use them, whether modified or as they are.
</para>
</note>
<para>
To run Webalizer, the following file is required, and must be created or copied to the appropriate directory on your server.
<orderedlist numeration="lowerroman"><listitem><para>
Copy the webalizer.conf file to the <filename class="directory">/etc/</filename> directory.
</para></listitem></orderedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
To run Webalizer, the <filename>webalizer.conf</filename> file from the floppy.tgz archive is required and must be copied to the <filename class="directory">/etc/</filename> directory on your server,
or alternatively you can copy and paste the configuration directly from this book into that file.
</para></tip>
</section>
</section>
<section><?dbhtml filename="chap29sec265.html"?>
<title>Configure the <filename>/etc/webalizer.conf</filename> file</title>
<para>
The <filename>/etc/webalizer.conf</filename> is the default configuration file for Webalizer. With it, you can specify which log file to analyze, which file types count as pages, which <acronym>URL</acronym>s to hide, and so on. By default,
the Webalizer program will install a sample configuration file named <filename>webalizer.conf.sample</filename> under the <filename class="directory">/etc/</filename> directory of Linux. You can use this file to configure your choices and
then rename it <filename>webalizer.conf</filename>, and the Webalizer program will be able to find and use it. Many options exist and it's important to read the documentation that comes with Webalizer for more information on all of
the different settings and parameters. Also, note that in this Webalizer configuration file we describe only the most common and most used parameters.
</para>
<para>
Edit the <filename>webalizer.conf.sample</filename> file, <command>vi</command> <filename>/etc/webalizer.conf.sample</filename> or create the <filename>webalizer.conf</filename> file, <command>touch</command> <filename>/etc/webalizer.conf</filename>
and add/change in this file:
<programlisting>
LogFile /var/log/httpd/access_log
OutputDir /home/httpd/usage
Incremental yes
PageType htm*
PageType cgi
PageType php
HideURL *.gif
HideURL *.GIF
HideURL *.jpg
HideURL *.JPG
HideURL *.ra
IgnoreURL /taskbar*
</programlisting>
</para>
<para>
This sets up the <filename>webalizer.conf</filename> file for this particular configuration with:
</para>
<glosslist>
<glossentry>
<glossterm><envar>LogFile</envar> <filename>/var/log/httpd/access_log</filename></glossterm>
<glossdef><para>
The option <envar>LogFile</envar> specifies the log file to use with Webalizer. The default log file is expected to be the <filename>access_log</filename> of the Apache Web Server, but you can specify a different one,
such as the <filename>access.log</filename> file that the Squid Proxy Server writes if you use it in httpd-accelerator mode. See <link linkend="pr6sserprnt">Software -Server/Proxy Network</link> for more information.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>OutputDir</envar> <filename>/home/httpd/usage</filename></glossterm>
<glossdef><para>
The option <envar>OutputDir</envar> specifies the location of the output directory to use for the Webalizer reports. All present and future report files generated by the Webalizer program will be stored in this directory.
It is recommended that you create this directory where your Apache web site resides.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>Incremental yes</envar></glossterm>
<glossdef><para>
The option <envar>Incremental</envar>, if set to <envar>Yes</envar>, tells the program to process only partial log files, which allows you to rotate your log files as often as you want without losing access information. It's
recommended to set this option to <envar>Yes</envar>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>PageType htm* cgi php</envar></glossterm>
<glossdef><para>
The option <envar>PageType</envar> specifies which file extensions you want Webalizer to count as a page. Each added file extension must be specified on its own line, as shown in the Webalizer configuration file above.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>HideURL *.gif *.GIF *.jpg *.JPG *.ra</envar></glossterm>
<glossdef><para>
The option <envar>HideURL</envar> specifies which kinds of items, such as graphic files, audio files or other <literal>non-html</literal> files, to hide from the report pages. Each added item must be specified on its own line, as
shown in the Webalizer configuration file above.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>IgnoreURL /taskbar*</envar></glossterm>
<glossdef><para>
The option <envar>IgnoreURL</envar> specifies <acronym>URL</acronym>s to be completely ignored in the generated statistics reports. This option can be used to ignore directories that are not important to your statistics reports. It's
also useful when you want to manage and classify which <acronym>URL</acronym>s should be monitored and which should be ignored.
</para></glossdef>
</glossentry>
</glosslist>
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
If you decide to use the existing <filename>/etc/webalizer.conf.sample</filename> file to configure your parameters for Webalizer, don't forget to rename it <filename>webalizer.conf</filename>, or the program will be unable to
use it.
</para>
</caution>
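<para>
As an added example (not code from the book or from Webalizer itself), the following Python script models how the <envar>PageType</envar>, <envar>HideURL</envar> and <envar>IgnoreURL</envar> options above classify the records of an Apache <filename>access_log</filename>. The configuration fragment is copied from this section, the log lines are constructed, and Webalizer's own wildcard matching is approximated with <literal>fnmatch</literal>.
</para>

```python
"""Added example, not part of the book or of Webalizer: a small model of
how the webalizer.conf options shown above classify requests.

It reads the PageType/HideURL/IgnoreURL lines, parses Apache Common Log
Format records, and counts page hits, hidden items and ignored items.
"""
import fnmatch
import re
from collections import Counter

# The option lines from the configuration fragment in this section
# (LogFile and OutputDir only name files, so they are left out).
WEBALIZER_CONF = """\
Incremental yes
PageType htm*
PageType cgi
PageType php
HideURL *.gif
HideURL *.GIF
HideURL *.jpg
HideURL *.JPG
HideURL *.ra
IgnoreURL /taskbar*
"""

# Constructed sample of Apache Common Log Format records, including one
# line that is not a valid record at all.
ACCESS_LOG = """\
192.168.1.5 - - [06/Mar/2000:04:40:01 -0500] "GET /index.html HTTP/1.0" 200 2326
192.168.1.5 - - [06/Mar/2000:04:40:02 -0500] "GET /images/logo.gif HTTP/1.0" 200 512
10.0.0.7 - - [06/Mar/2000:04:40:05 -0500] "GET /cgi-bin/search.cgi?q=x HTTP/1.0" 200 1203
10.0.0.7 - - [06/Mar/2000:04:40:06 -0500] "GET /taskbar/menu.html HTTP/1.0" 200 88
10.0.0.7 - - [06/Mar/2000:04:40:07 -0500] "GET /about.php HTTP/1.0" 404 210
this line is not a valid log record
"""

# host ident user [date] "method url protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')


def parse_conf(text):
    """Return a dict mapping each multi-valued option to its list of values."""
    conf = {"PageType": [], "HideURL": [], "IgnoreURL": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key in conf:
            conf[key].append(value.strip())
    return conf


def classify(url, conf):
    """Classify one request URL as 'ignored', 'hidden', 'page' or 'file'.

    IgnoreURL wins over everything: an ignored request is dropped from the
    statistics entirely. A hidden request is still counted in the totals
    but is not listed in the report. PageType is matched on the extension.
    """
    path = url.split("?", 1)[0]  # the query string does not affect matching
    if any(fnmatch.fnmatchcase(path, pat) for pat in conf["IgnoreURL"]):
        return "ignored"
    if any(fnmatch.fnmatchcase(path, pat) for pat in conf["HideURL"]):
        return "hidden"
    basename = path.rsplit("/", 1)[-1]
    ext = basename.rsplit(".", 1)[-1] if "." in basename else ""
    if any(fnmatch.fnmatchcase(ext, pat) for pat in conf["PageType"]):
        return "page"
    return "file"


def analyze(log_text, conf):
    """Count records per class and per hidden URL.

    Lines that do not parse are counted under 'bad', the way Webalizer
    reports them as ignored records in its summary line.
    """
    counts = Counter()
    hidden_urls = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["bad"] += 1
            continue
        _host, _method, url, _status, _size = m.groups()
        kind = classify(url, conf)
        counts[kind] += 1
        if kind == "hidden":
            hidden_urls[url.split("?", 1)[0]] += 1
    return counts, hidden_urls


if __name__ == "__main__":
    totals, hidden = analyze(ACCESS_LOG, parse_conf(WEBALIZER_CONF))
    print("counts:", dict(totals))
    print("hidden from report:", dict(hidden))
```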
</section>
<section><?dbhtml filename="chap29sec266.html"?>
<title>Make Apache aware of Webalizer output directory</title>
<para>
Once Webalizer has been installed on the system, we must add the following lines to the <filename>httpd.conf</filename> file of Apache so that it is able to locate and use its features.
</para>
<procedure>
<step><para>
Edit the <filename>httpd.conf</filename> file, <command>vi</command> <filename>/etc/httpd/conf/httpd.conf</filename> and add the following lines between the section tags &lt;IfModule mod_alias.c&gt; and &lt;/IfModule&gt;:
<programlisting>
Alias /usage/ "/home/httpd/usage/"
&lt;Directory "/home/httpd/usage"&gt;
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
&lt;/Directory&gt;
</programlisting>
</para></step>
<step><para>
Don't forget to restart your Apache web server once you have added the above lines to its <filename>httpd.conf</filename> file:
<screen>
[root@deep ] /# /etc/rc.d/init.d/httpd <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down http: [ OK ]
Starting httpd: [ OK ]
</computeroutput></literallayout>
</para></step>
</procedure>
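<para>
The <literal>Order deny,allow</literal> block above is what keeps the Webalizer reports off the public web. As an added example (not code from the book or from Apache), the following Python script models how Apache 1.3 evaluates <literal>Order</literal>, <literal>Allow from</literal> and <literal>Deny from</literal> for a client address, so you can check that only 192.168.1.0/24 reaches <filename class="directory">/usage/</filename> and see what happens when the two orders are confused. Hostname-based rules are not modelled.
</para>

```python
"""Added example, not part of the book, Webalizer or Apache: a model of
Apache 1.3 mod_access Order/Allow/Deny evaluation for an IPv4 client."""
import ipaddress

# Constructed: the Directory block from the section above.
USAGE_BLOCK = [
    "Order deny,allow",
    "Deny from all",
    "Allow from 192.168.1.0/24",
]

# Constructed: the same rules with the Order reversed, a frequent mistake.
# With allow,deny the Deny list is applied last, so "Deny from all" wins
# and nobody, not even the LAN, can reach the reports.
MISORDERED_BLOCK = [
    "Order allow,deny",
    "Deny from all",
    "Allow from 192.168.1.0/24",
]


def parse_block(lines):
    """Collect the Order keyword and the Allow/Deny operand lists."""
    order, allow, deny = "deny,allow", [], []  # deny,allow is Apache's default
    for line in lines:
        parts = line.split()
        if len(parts) == 0:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def host_matches(client, spec):
    """True if the client matches one operand: 'all', a CIDR network,
    a full dotted address, or a partial dotted prefix such as 192.168.1."""
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return client in ipaddress.ip_network(spec, strict=False)
    if spec.count(".") == 3:
        return client == ipaddress.ip_address(spec)
    return str(client).startswith(spec.rstrip(".") + ".")


def is_allowed(client_ip, lines):
    """Apply mod_access semantics.

    deny,allow: Deny is checked first and Allow overrides it, so hosts on
    neither list get in.  allow,deny: Allow is checked first and Deny
    overrides it, so hosts on neither list are refused.  mutual-failure
    gives the same result as allow,deny.
    """
    client = ipaddress.ip_address(client_ip)
    order, allow, deny = parse_block(lines)
    allowed = any(host_matches(client, s) for s in allow)
    denied = any(host_matches(client, s) for s in deny)
    if order == "deny,allow":
        return allowed or not denied
    return allowed and not denied


if __name__ == "__main__":
    for ip in ("192.168.1.5", "10.0.0.7"):
        print(ip, "usage block:", is_allowed(ip, USAGE_BLOCK),
              "misordered block:", is_allowed(ip, MISORDERED_BLOCK))
```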
<section>
<title>Running Webalizer manually first time</title>
<para>
Now it's time to run the program to generate reports, <literal>html</literal> and graphics in the default Webalizer directory so that we can view them in our web browser. This step is required only the first time you install
and use Webalizer, since it's preferable to use a cron job to automate this task in the future. To run Webalizer manually and generate the reports, use the following command:
</para>
<screen>
[root@deep ] /# /usr/bin/webalizer
</screen>
<literallayout class="monospaced"><computeroutput>
Webalizer V1.30-04 (Linux 2.2.14) English
Using logfile /var/log/httpd/access_log
Creating output in /home/httpd/usage
Hostname for reports is 'deep.openna.com'
History file not found...
Previous run data not found...
Saving current run data... [03/06/2000 04:42:03]
Generating report for March 2000
Generating summary report
Saving history information...
81 records (2 ignored) in 0.31 seconds
</computeroutput></literallayout>
<para>
At this stage, we should verify that Webalizer is working on the system. To do that, point your web browser to the following address: <literal>http://my-web-server/usage/</literal>.
The <filename>my-web-server</filename> is the address where your Apache web server lives, and <filename>usage</filename> is the directory that hosts all the Webalizer report files.
</para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Webalizer.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Webalizer</phrase></textobject>
</mediaobject>
</section>
</section>
<section><?dbhtml filename="chap29sec267.html"?>
<title>Run Webalizer automatically with a cron job</title>
<para>
The last thing you can do now is automate the task of processing the log file to update your Webalizer reports. Place an entry in root's crontab to make Webalizer run as a cron job. To add Webalizer to your cron jobs, edit the
crontab as root and add the following line to run it, for example, every 28 minutes for busy sites:
<screen>
[root@deep ] /# <command>crontab</command> -e
</screen>
<programlisting>
# Run Webalizer to update Apache Log files every 28 minutes.
28 * * * * /usr/bin/webalizer
</programlisting>
</para>
<section>
<title>Installed files</title>
<para>
These are the files installed by Webalizer.
</para>
<simplelist>
<member><filename>/etc/webalizer.conf.sample</filename></member>
<member><filename>/usr/bin/webalizer</filename></member>
<member><filename>/usr/man/man1/webalizer.1</filename></member>
</simplelist>
</section>
</section>
<section id="pr6ch30scfqmtc"><?dbhtml filename="faqomqtic.html"?>
<title>Linux FAQ-O-Matic</title>
<sidebar>
<title>As per the <citation>Faq-O-Matic</citation> web site:</title>
<para>
A mailing list archive is good, because it lets thoughtful people with Frequently Asked Questions search for an immediate answer, and avoids bothering the people who have answers. Unfortunately, the answers in a mailing list
archive become stale over time, are disorganized, and are hard to sift from the conversational noise of the mailing list.
</para>
</sidebar>
<para>
A Frequently Asked Questions list, <acronym>FAQ</acronym>, is even better, because the people with questions can be a little lazier and still find their answer right away. Unfortunately, maintaining a <acronym>FAQ</acronym> list requires
effort; if people with the answers become lazy, the <acronym>FAQ</acronym> list becomes stale.
</para>
<para>
The Faq-O-Matic is a <acronym>CGI</acronym>-based system that automates the process of maintaining a <acronym>FAQ</acronym> or Frequently Asked Questions list. It allows visitors to your <acronym>FAQ</acronym> to take part in
keeping it up-to-date. A permission system also makes it useful as a help-desk application, bug-tracking database, or documentation system.
</para>
<para>
These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename class="directory">/var/tmp</filename>, <emphasis>other paths are possible</emphasis>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>.
</para></listitem><listitem><para>
FAQ-O-Matic version number is 2.709
</para></listitem>
</itemizedlist>
</para>
<para>
These are the Package(s) required:
<simplelist><member>
FAQ-O-Matic Homepage: <link linkend="prtinxfp34">http://www.dartmouth.edu/~jonh/ff-serve/cache/1.html</link>
</member><member>
The most recent version of the FAQ-O-Matic is always available at: <link linkend="prtinxfp34">ftp://ftp.cs.dartmouth.edu/pub/jonh.</link>
</member><member>
You must be sure to download: FAQ-OMatic-2.709.tar.gz
</member>
</simplelist>
</para>
<para>
There are some prerequisites which you need to keep in mind before you can install FAQ-O-Matic:
<orderedlist numeration="lowerroman">
<listitem><para>
Apache web server should be already installed on your system in order to be able to use FAQ-O-Matic software.
</para></listitem><listitem><para>
The Revision Control System, <acronym>RCS</acronym>, file version management tools should also already be installed on your system to be able to use the FAQ-O-Matic software.
</para></listitem>
</orderedlist>
</para>
<para>
To verify that the <acronym>RCS</acronym> package is installed on your system, use the following command:
<screen>
[root@deep ] /# <command>rpm</command> -qi rcs
</screen>
<literallayout class="monospaced"><computeroutput>
package rcs is not installed
</computeroutput></literallayout>
</para>
<para>
To install the <command>RCS</command> package on your Linux system, use the following command:
<screen>
[root@deep ] /# <command>mount</command> /dev/cdrom /mnt/cdrom/
[root@deep ] /# <command>cd</command> /mnt/cdrom/RedHat/RPMS/
[root@deep ]/RPMS# <command>rpm</command> -Uvh rcs-version.i386.rpm
</screen>
<literallayout class="monospaced"><computeroutput>
rcs ##################################################
</computeroutput></literallayout>
<screen>
[root@deep ]/RPMS# <command>cd</command> /; umount /mnt/cdrom/
</screen>
For more information on the required software, see the related chapters in this book.
</para>
</section>
<section><?dbhtml filename="chap29sec269.html"?>
<title>Compile and install FAQ-O-Matic</title>
<para>
Before you compile, decompress the tarball (tar.gz).
<screen>
[root@deep ] /# <command>cp</command> FAQ-O-Matic-version.tar.gz /var/tmp/
[root@deep ] /# <command>cd</command> /var/tmp/
[root@deep ]/tmp# <command>tar</command> xzpf FAQ-O-Matic-version.tar.gz
</screen>
</para>
<para>
To compile and install the Faq-O-Matic program on your computer, move into the new FAQ-O-Matic directory and type the following commands on your terminal:
<screen>
[root@deep ] /FAQ-OMatic-2.709# <command>perl</command> Makefile.PL
[root@deep ] /FAQ-OMatic-2.709# <command>make</command>
[root@deep ] /FAQ-OMatic-2.709# <command>make install</command>
[root@deep ] /FAQ-OMatic-2.709# <command>mv</command> fom /home/httpd/cgi-bin/ <co id="cgbnap"/>
[root@deep ] /FAQ-OMatic-2.709# <command>mkdir</command> -p /home/httpd/cgi-bin/fom-meta
[root@deep ] /FAQ-OMatic-2.709# <command>mkdir</command> -p /home/httpd/faqomatic
[root@deep ] /FAQ-OMatic-2.709# <command>chown</command> root.www /home/httpd/cgi-bin/fom
[root@deep ] /FAQ-OMatic-2.709# <command>chown</command> -R www.www /home/httpd/cgi-bin/fom-meta/
[root@deep ] /FAQ-OMatic-2.709# <command>chown</command> -R www.www /home/httpd/faqomatic/
</screen>
<calloutlist><callout arearefs="cgbnap"><para>
Or wherever your CGIs live.
</para></callout></calloutlist>
<itemizedlist>
<listitem><para>
The <command>make</command> command will compile all source files into executable binaries.
</para></listitem><listitem><para>
The <command>make install</command> command will install the Perl programs and any supporting files into the appropriate locations.
</para></listitem><listitem><para>
The <command>mv</command> command will move the main <literal>fom</literal> <acronym>CGI</acronym> program of Faq-O-Matic to the <filename class="directory">cgi-bin</filename> directory of your Apache web server.
</para></listitem><listitem><para>
The <command>mkdir</command> commands will create new directories named <filename class="directory">fom-meta</filename> and <filename class="directory">faqomatic</filename> under the <filename class="directory">/home/httpd/</filename>
directory, where we'll keep all related FAQ-O-Matic files.
</para></listitem><listitem><para>
Finally, the <command>chown</command> commands will set the owner of the <literal>fom</literal> <acronym>CGI</acronym> program to the super-user <literal>root</literal> and its group to the one Apache runs as, <literal>www</literal>,
and will set the directories <filename class="directory">fom-meta</filename> and <filename class="directory">faqomatic</filename> to be owned by user <literal>www</literal> and group <literal>www</literal>.
</para></listitem>
</itemizedlist>
</para>
<note>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Note</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You'll receive a temporary password via mail during the compilation of the software. This password will be necessary later to complete the installation of Faq-O-Matic through the web interface.
</para></note>
</section>
<section><?dbhtml filename="chap29sec270.html"?>
<title>Make Apache aware of the Faq-O-Matic file locations</title>
<para>
Once Faq-O-Matic has been installed on the system, we must add the following lines to the <filename>httpd.conf</filename> file of Apache so that it is able to locate and use its features.
</para>
<procedure>
<step><para>
Edit the <filename>httpd.conf</filename> file, <command>vi</command> <filename>/etc/httpd/conf/httpd.conf</filename> and add the following lines between the section tags &lt;IfModule mod_alias.c&gt; and &lt;/IfModule&gt;:
<programlisting>
Alias /faqomatic/ "/home/httpd/faqomatic/"
&lt;Directory "/home/httpd/faqomatic"&gt;
Options None
AllowOverride None
Order allow,deny
Allow from all
&lt;/Directory&gt;
Alias /bags/ "/home/httpd/faqomatic/bags/"
&lt;Directory "/home/httpd/faqomatic/bags"&gt;
Options None
AllowOverride None
Order allow,deny
Allow from all
&lt;/Directory&gt;
Alias /cache/ "/home/httpd/faqomatic/cache/"
&lt;Directory "/home/httpd/faqomatic/cache"&gt;
Options None
AllowOverride None
Order allow,deny
Allow from all
&lt;/Directory&gt;
Alias /item/ "/home/httpd/faqomatic/item/"
&lt;Directory "/home/httpd/faqomatic/item"&gt;
Options None
AllowOverride None
Order allow,deny
Allow from all
&lt;/Directory&gt;
</programlisting>
</para></step>
<step><para>
Don't forget to restart your Apache web server once you have added the above lines to its <filename>httpd.conf</filename> file:
<screen>
[root@deep ] /# /etc/rc.d/init.d/httpd <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down http: [ OK ]
Starting httpd: [ OK ]
</computeroutput></literallayout>
</para></step>
</procedure>
</section>
<section><?dbhtml filename="chap29sec271.html"?>
<title>Configure your FAQ-O-Matic</title>
<para>
The rest of this installation will be done through your web browser. With Netscape Communicator, follow the simple steps below:
</para>
<procedure>
<step><para>
The first step is to load your web browser and use it to configure Faq-O-Matic.
</para>
<substeps>
<step><para>
Point your Netscape browser to the following location: <literal>http://my-web-server/cgi-bin/fom</literal>
</para></step><step><para>
Enter your temporary password
</para></step><step><para>
Create the <filename class="directory">/home/httpd/cgi-bin/fom-meta/</filename> directory first
</para></step>
<step><para>
Configure the <envar>Define configuration parameters</envar> in the configuration main menu
</para></step>
</substeps>
</step>
<step><para>
<example>
<title>Using Netscape browser</title>
<para>
Fill in the following information under the sections marked Mandatory:
<programlisting>
$adminAuth = admin@openna.com
$serverBase = http://www.openna.com
$cgiURL = /cgi-bin/fom
$serveDir = /home/httpd/faqomatic/
$serveURL = /faqomatic/
</programlisting>
</para></example>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/FAQ-O-Matic-Conf.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>FAQ-O-Matic-Configuration</phrase></textobject>
</inlinemediaobject>
Configure the rest of the <envar>Define configuration parameters</envar> as you need. Once you have finished setting your parameters, click on the <command><guibutton>Define</guibutton></command> button to validate your choices.
<note>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The <filename>my-web-server</filename> is the address where your Apache web server resides, and the temporary password is the one you should have received by mail during the install stage of this software.
</para></note>
</para></step>
<step><para>
Once you have finished configuring the <envar>Define configuration parameters</envar>, you must complete the rest of the FAQ-O-Matic configuration, as described in the configuration
main menu of the FAQ-O-Matic software, in order to be able to use it.
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/FAQ-O-Matic.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Test FAQ-O-Matic</phrase></textobject>
</inlinemediaobject>
</para></step>
<step><para>
Clean up afterwards:
<screen>
[root@deep ] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf FAQ-OMatic-version/ FAQ-O-Matic-version.tar.gz
</screen>
</para></step>
</procedure>
<para>
The <command>rm</command> command will remove all the source files we have used to compile and install FAQ-O-Matic. It will also remove the FAQ-O-Matic compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap29sec272.html"?>
<title>Installed files</title>
<para>
These are the files installed by FAQ-O-Matic software on your system:
</para>
<simplelist type="horiz" columns="2">
<member><filename>/usr/lib/perl5/man/man3/FAQ::OMatic::API.3</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/FAQ</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/FAQ/OMatic</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/i386-linux/auto/FAQ/OMatic/.packlist</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Bags.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/authenticate.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/ImageRef.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Groups.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/submitGroup.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/recent.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/submitItem.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/maintenance.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Language_de_iso8859_1.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Slow.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/help.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/selectBag.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/submitPart.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/delPart.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/buildSearchDB.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/mirrorServer.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/editItem.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/search.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/SearchMod.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/addItem.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Versions.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/displaySlow.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Language_fr.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/img.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/editPart.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/AuthLocal.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/ColorPicker.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/ImageData.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/changePass.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/submitBag.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/submitModOptions.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/I18N.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Log.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/appearanceForm.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/moveItem.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/editGroups.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/HelpMod.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/searchForm.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/submitPass.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/submitMove.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Set.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/statgraph.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/stats.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Item.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Words.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Appearance.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/dispatch.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/editBag.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/submitCatToAns.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/submitAnsToCat.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/editModOptions.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Auth.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/install.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/Part.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/faq.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic/API.pm</filename></member>
<member><filename>/usr/lib/perl5/site_perl/5.005/FAQ/OMatic.pm</filename></member>
</simplelist>
</section>
<section id="pr6ch30swmlimp"><?dbhtml filename="webmlimp.html"?>
<title>Linux Webmail IMP</title>
<para>
Webmail IMP allows universal, web-based access to <acronym>IMAP/POP3</acronym> servers and provides an address book, <acronym>LDAP</acronym> directory searches, full support for sending and receiving attachments, and
many other features normally found only in desktop mail clients. If you have installed Apache with <acronym>SSL</acronym> support, clients can access and read mail securely by way of <acronym>SSL</acronym>
encryption. By default in this section, we have configured Webmail <acronym>IMP</acronym> to use a PostgreSQL database and <acronym>IMAP</acronym> connections. There is, though, much support for other databases within Webmail IMP. If you prefer, you can use MySQL, Oracle, Sybase, or other well known SQL databases. You may also choose to use a POP3 instead of an IMAP connection to your clients.
</para>
<para>
These installation instructions assume
<itemizedlist>
<listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename class="directory">/home/httpd</filename>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>.
</para></listitem><listitem><para>
Horde version number is 1.2.0
</para></listitem><listitem><para>
Webmail <acronym>IMP</acronym> version number is 2.2.0
</para></listitem><listitem><para>
PHPLib version number is 7.2b
</para></listitem>
</itemizedlist>
</para>
<para>
These are the Package(s):
<simplelist>
<member>
Webmail <acronym>IMP</acronym> Homepage:<link linkend="prtinxfp35">http://www.horde.org/imp/</link>
</member>
<member>
You must be sure to download: horde-1.2.0-pre11.tar.gz
</member><member>
You must be sure to download: imp-2.2.0-pre11.tar.gz
</member><member>
PHPLib Homepage:<link linkend="prtinxfp35">http://phplib.netuse.de/index.php3</link>
</member><member>
You must be sure to download: phplib-7.2b.tar.gz
</member>
</simplelist>
</para>
<para>
There are some prerequisites you need to take care of:
<orderedlist><listitem><para>
Apache web server should be already installed on your system to be able to use the Webmail IMP software.
</para></listitem><listitem><para>
The PHP4 server-side scripting language support should be already installed on your system to be able to use the Webmail IMP software.
</para></listitem><listitem><para>
Postgresql, or another database server, should be already installed on your system if you intend to use the Webmail IMP software with SQL support.
</para></listitem><listitem><para>
The OpenLDAP directory server should be already installed on your system if you intend to use the Webmail IMP software with LDAP support.
</para></listitem><listitem><para>
The IMAP/POP server should be already installed on your system to be able to use the Webmail IMP software.
</para></listitem><listitem><para>
The PHPLIB files, 7.2 or greater, should be already installed on your system to be able to use the Webmail IMP software.
</para></listitem>
</orderedlist>
</para>
<note>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Note</phrase></textobject>
</inlinemediaobject>
</title>
<para>
For more information on the required software, see the related chapter in this book.
</para></note>
</section>
<section id="pr6ch30sphplb"><?dbhtml filename="chap29sec274.html"?>
<title>Set up PHPLib </title>
<para>
To be able to run Webmail IMP on your Linux server, PHPLib, a development toolkit for web applications aimed at PHP developers, must be installed. To install PHPLib, follow the simple steps below:
</para>
<para>
These are the package(s)
<simplelist><member>
PHPLib Homepage: <link linkend="prtinxfp36">http://phplib.netuse.de/index.php3</link>
</member><member>
You must be sure to download: phplib-7.2b.tar.gz
</member>
</simplelist>
</para>
<para>
<screen>
[root@deep ] /# <command>cp</command> phplib-7.2b.tar.gz /home/httpd/
[root@deep ] /# <command>cd</command> /home/httpd/
[root@deep ] /httpd# <command>tar</command> xzpf phplib-7.2b.tar.gz
</screen>
</para>
<para>
Move to your web server's DocumentRoot, and create a <filename class="directory">/home/httpd/php</filename> directory by executing the following commands:
<screen>
[root@deep ] /# <command>cd</command> /home/httpd/
[root@deep ] /httpd# <command>mkdir</command> php
</screen>
</para>
<para>
Copy the contents of the PHPLib distribution's <filename class="directory">php</filename> directory into the <filename class="directory">php</filename> directory that you created in your DocumentRoot:
<screen>
[root@deep ] /# <command>cd</command> /home/httpd/phplib-7.2b/php/
[root@deep ] /php# <command>cp</command> * /home/httpd/php/
[root@deep ] /php# <command>cd</command> /home/httpd/
[root@deep ] /httpd# <command>rm</command> -f phplib-7.2b.tar.gz
[root@deep ] /httpd# <command>rm</command> -rf phplib-7.2b/
</screen>
</para>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
We remove the tar archive and <filename class="directory">phplib-version</filename> directory of PHPLib once we are finished copying its <filename class="directory">php</filename> directory into the new <filename class="directory">php</filename>
directory we created in our DocumentRoot.
</para></important>
</section>
<section><?dbhtml filename="chap29sec275.html"?>
<title>Compile to install Webmail IMP</title>
<para>
To install the Webmail IMP program on your server, please follow the simple steps below.
</para>
<procedure>
<step><para>
Copy <literal>horde-1.2.0-pre11.tar.gz</literal> to your web server's DocumentRoot, <filename class="directory">/home/httpd/</filename>, untar it and rename the directory from <filename class="directory">horde-version</filename>
to <filename class="directory">horde</filename> by executing the following commands:
<screen>
[root@deep ] /# <command>cp</command> horde-version.tar.gz /home/httpd/
[root@deep ] /# <command>cd</command> /home/httpd/
[root@deep ] /httpd# <command>tar</command> xzpf horde-version.tar.gz
[root@deep ] /httpd# <command>mv</command> horde-version horde
[root@deep ] /httpd# <command>rm</command> -f horde-version.tar.gz
</screen>
We remove the tar archive of Horde once we have finished moving the <filename class="directory">horde-version</filename> directory of Horde to its new name <filename class="directory">horde</filename>.
</para></step>
<step><para>
Copy <literal>imp-2.2.0-pre11.tar.gz</literal> to your new <filename class="directory">horde</filename> directory, <filename class="directory">/home/httpd/horde/</filename>, untar it and rename the directory from <filename class="directory">imp-version</filename>
to <filename class="directory">imp</filename> by executing the following commands:
<screen>
[root@deep ] /# <command>cp</command> imp-version.tar.gz /home/httpd/horde/
[root@deep ] /# <command>cd</command> /home/httpd/horde/
[root@deep ] /horde# <command>tar</command> xzpf imp-version.tar.gz
[root@deep ] /horde# <command>mv</command> imp-version imp
[root@deep ] /horde# <command>rm</command> -f imp-version.tar.gz
</screen>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
It's important that the <filename class="directory">imp</filename> directory resides inside the <filename class="directory">horde</filename> directory, or Webmail will not work. We remove the tar archive of IMP once we have
finished renaming the <filename class="directory">imp-version</filename> directory of IMP to <filename class="directory">imp</filename>.
</para></important>
</para></step>
<step><para>
Change the <filename class="directory">horde</filename> directory and all its subdirectories and files to be owned by the super-user <literal>root</literal> for security reasons.
<screen>
[root@deep ] /# <command>chown</command> -R 0.0 /home/httpd/horde/
</screen>
</para></step>
<step><para>
Copy the <filename>/home/httpd/horde/phplib/*.ihtml</filename> files to your new <filename class="directory">php</filename> directory, <filename class="directory">/home/httpd/php/</filename>, by executing the following command:
<screen>
[root@deep ] /# <command>cp</command> /home/httpd/horde/phplib/*.ihtml /home/httpd/php/
</screen>
</para></step>
</procedure>
</section>
<section><?dbhtml filename="chap29sec276.html"?>
<title>Configure and create Webmail IMP SQL database</title>
<para>
We must now configure our database to be able to use Webmail <acronym>IMP</acronym> with the <acronym>SQL</acronym> database. The easiest method is to use the predefined scripts located under the <filename class="directory">/home/httpd/horde/imp/config/scripts/</filename>
subdirectory. For PostgreSQL support, follow the simple steps below.
</para>
<procedure>
<step><para>
First of all, we must edit the PostgreSQL script file <filename>pgsql_create.sql</filename> located under the <filename class="directory">/home/httpd/horde/imp/config/scripts</filename> subdirectory, and change the default
httpd username in its <literal>GRANT</literal> line from <literal>nobody</literal> to <literal>www</literal>, the user our Apache server runs as:
<programlisting>
GRANT SELECT, INSERT, UPDATE ON imp_pref, imp_addr TO nobody;
</programlisting>
To read:
<programlisting>
GRANT SELECT, INSERT, UPDATE ON imp_pref, imp_addr TO www;
</programlisting>
</para></step>
<step><para>
Now, we must define the username for Apache named <literal>www</literal> in our PostgreSQL database, to be able to create the Webmail IMP database with this username.
To define the httpd username named <literal>www</literal> in your database, run the createuser utility program of PostgreSQL:
<screen>
[root@deep ] /# <command>su</command> postgres
[postgres@deep /]$ <command>createuser</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Enter name of user to add ---&gt; www
Enter user's postgres ID or RETURN to use unix user ID: 80 -[Press Enter]
Is user "www" allowed to create databases (y/n) y
Is user "www" a superuser? (y/n) n
createuser: www was successfully added
</computeroutput></literallayout>
</para></step>
<step><para>
Once the httpd user <literal>www</literal> has been included in PostgreSQL, log in as the user your PostgreSQL database runs as, in our case <literal>postgres</literal>, and feed the small PostgreSQL script to
<command>psql</command> to automatically create the Webmail IMP database.
To automatically create the Webmail IMP database in PostgreSQL, use the following commands:
<screen>
[root@deep ] /# <command>cd</command> /home/httpd/horde/imp/config/scripts/
[root@deep scripts]# <command>su</command> postgres
[postgres@deep ] /scripts$ <command>psql</command> template1 &lt; pgsql_create.sql
</screen>
<literallayout class="monospaced"><computeroutput>
// IMP database creation script for postgreSQL
// Author: barce@lines.edu
// Date: Aug-29-1998
// Notes: replace "nobody" with yours httpd username
// Run using: psql template1 &lt; pgsql_create.sql
CREATE DATABASE horde;
CREATEDB
\connect horde
connecting to new database: horde
CREATE TABLE imp_pref (
username text,
sig text,
fullname text,
replyto text,
lang varchar(30)
);
CREATE
CREATE TABLE imp_addr (
username text,
address text,
nickname text,
fullname text
);
CREATE
GRANT SELECT, INSERT, UPDATE ON imp_pref, imp_addr TO www;
CHANGE
EOF
</computeroutput></literallayout>
</para></step>
<step><para>
We must restart the PostgreSQL server for the changes to take effect:
<screen>
[root@deep ] /# /etc/rc.d/init.d/postgresql <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Stopping postgresql service: [ OK ]
Checking postgresql installation: looks good!
Starting postgresql service: postmaster [13474]
</computeroutput></literallayout>
</para></step>
<step><para>
Copy and rename the file <filename>/home/httpd/horde/phplib/horde_phplib.inc</filename> to <filename>/home/httpd/php/local.inc</filename>, then edit the new <filename>local.inc</filename> file, which is the phplib
configuration file whose settings define the behavior of phplib, and follow its instructions to uncomment the storage container you want to use.
</para>
<substeps>
<step><para>
<screen>
[root@deep ] /# <command>cp</command> /home/httpd/horde/phplib/horde_phplib.inc /home/httpd/php/local.inc
</screen>
<literallayout class="monospaced"><computeroutput>
cp: overwrite `/home/httpd/php/local.inc'? y
</computeroutput></literallayout>
</para></step>
<step><para>
Edit the <filename>local.inc</filename> file, <command>vi</command> <filename>/home/httpd/php/local.inc</filename>, then uncomment and set the following lines to define <acronym>SQL</acronym> as your default database:
<programlisting>
/* To use an SQL database, uncomment and edit the following: */
class HordeDB extends DB_Sql {
var $Host = 'localhost';
var $Database = 'horde';
var $User = 'www';
var $Password = 'some-password';
var $Port = '5432';
function halt($msg) {
printf("&lt;b&gt;Database error (HordeDB):&lt;/b&gt; %s&lt;br&gt;\n", $msg);
}
}
class HordeCT extends CT_Sql {
var $database_class = 'HordeDB'; // Which database class to use...
var $database_table = 'active_sessions'; // and find our data in this table.
}
</programlisting>
Don't forget to uncomment in this file the type of storage container you want to use for Webmail <acronym>IMP</acronym>. Remember to uncomment only one type. In our case we chose to use <acronym>SQL</acronym>. The
parameters you must set for the <acronym>SQL</acronym> database are <envar>var $User =</envar>, <envar>var $Password =</envar>, and <envar>var $Port =</envar>. <envar>var $User =</envar> corresponds to your httpd
username, in our case <literal>www</literal>, <envar>var $Password =</envar> corresponds to the password for the user <literal>www</literal> you have defined in PostgreSQL, and <envar>var $Port =</envar> is the <acronym>IP</acronym>
port number used to connect to your <acronym>SQL</acronym> database.
</para></step>
</substeps>
</step>
<step><para>
Finally, edit the <filename>/home/httpd/php/prepend.php3</filename> file and specify your default database type.
Edit the <filename>prepend.php3</filename> file, <command>vi</command> <filename>/home/httpd/php/prepend.php3</filename>, then change the following line to define PostgreSQL as your database type:
<programlisting>
require($_PHPLIB["libdir"] . "db_mysql.inc");
</programlisting>
To read:
<programlisting>
require($_PHPLIB["libdir"] . "db_pgsql.inc");
</programlisting>
</para></step>
</procedure>
</section>
<section><?dbhtml filename="chap29sec277.html"?>
<title>Configure your <filename>php.ini</filename> from PHP4</title>
<para>
Another setting you need to configure is in your PHP4 configuration file <filename>/etc/httpd/php.ini</filename>. This modification is required in order to define which features, such as <acronym>IMAP</acronym>, PostgreSQL and others,
are to be loaded automatically by PHP4. Since we decided to use PostgreSQL as our database, and need to use <acronym>IMAP</acronym> features in our Webmail software, we must define them in the <filename>php.ini</filename> configuration
file of PHP4.
</para>
<para>
Edit the <filename>php.ini</filename> file, <command>vi</command> <filename>/etc/httpd/php.ini</filename>, and add under the Dynamic Extensions section your desired choices. In our case, as you can see, we chose <acronym>IMAP</acronym>
and PostgreSQL support:
<programlisting>
extension=imap.so ; Added for IMAP support
extension=pgsql.so ; Added for PostgreSql support
extension=mysql.so ; Added for MySql support
extension=ldap.so ; Added for LDAP support
</programlisting>
</para>
<para>
You must also tell PHP where to look when including files that don't have absolute paths, automatically prepend the contents of phplib's <filename>prepend.php3</filename> to each file, and turn off magic quotes.
Edit the <filename>php.ini</filename> file, <command>vi</command> <filename>/etc/httpd/php.ini</filename>, and set the following parameters on the related lines:
<programlisting>
magic_quotes_gpc = Off
auto_prepend_file = "/home/httpd/php/prepend.php3"
include_path = "/home/httpd/horde:/home/httpd/php"
</programlisting>
</para>
<section><?dbhtml filename="chap29sec278.html"?>
<title>Configure Apache to recognize Webmail IMP</title>
<para>
Once Webmail <acronym>IMP</acronym> has been installed in the system, we must add the following lines in the <filename>httpd.conf</filename> file of Apache to be able to locate and use its features.
</para>
<para>
Edit the <filename>httpd.conf</filename> file, <command>vi</command> <filename>/etc/httpd/conf/httpd.conf</filename> and add the following lines between the section tags &lt;IfModule mod_alias.c&gt; and &lt;/IfModule&gt;:
<programlisting>
Alias /horde/ "/home/httpd/horde/"
&lt;Directory "/home/httpd/horde"&gt;
Options None
AllowOverride None
Order allow,deny
Allow from all
&lt;/Directory&gt;
Alias /imp/ "/home/httpd/horde/imp/"
&lt;Directory "/home/httpd/horde/imp"&gt;
Options None
AllowOverride None
Order allow,deny
Allow from all
&lt;/Directory&gt;
</programlisting>
</para>
<para>
You must restart the Apache web server for the changes to take effect; use the following command:
<screen>
[root@deep ] /# /etc/rc.d/init.d/httpd <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Shutting down http: [ OK ]
Starting httpd: [ OK ]
</computeroutput></literallayout>
</para>
</section>
</section>
<section><?dbhtml filename="chap29sec279.html"?>
<title>Configure Webmail <acronym>IMP</acronym> via your web browser</title>
<para>
Several ways exist to configure Webmail <acronym>IMP</acronym>, and the one we've chosen is the new setup engine named <filename>setup.php3</filename>, which gives people the ability to configure <acronym>IMP</acronym> via
a web browser.
</para>
<procedure>
<step><para>
For security reasons, it is disabled by default. To enable <filename>setup.php</filename>, use the following commands:
<screen>
[root@deep ] /# <command>cd</command> /home/httpd/horde/
[root@deep ] /horde# sh ./install.sh
</screen>
<literallayout class="monospaced"><computeroutput>
Your blank configuration files have been created, please go to
the configuration utitlity at :
your install path url/setup.php3
</computeroutput></literallayout>
</para></step>
<step><para>
Once the new setup engine of Webmail IMP has been enabled, point your browser to the following URL: <literal>http://my-web-server/horde/setup.php</literal>. At this point, you can walk through the graphical setup program
and configure all aspects of <acronym>IMP</acronym>.
<filename>my-web-server</filename> is the address where your Apache web server lives, and the <filename class="directory">/horde/</filename> directory is where the <filename>setup.php</filename> file resides.
</para></step>
<step><para>
When you are done with the new setup engine of Webmail IMP, be sure to disable it again for security reasons.
To disable <filename>setup.php</filename>, use the following command:
<screen>
[root@deep ] /# <command>cd</command> /home/httpd/horde/
[root@deep ] /horde# sh ./secure.sh
</screen>
<literallayout class="monospaced"><computeroutput>
I have made your configuration files, and libraries mode 0555
which is read / execute for everyone.
And the setup.php is mode 0000 which is no access period.
</computeroutput></literallayout>
</para></step></procedure>
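<para>
As an added check, not part of the book or of the Horde/IMP distribution, the following shell function verifies that the setup engine is in the state <command>secure.sh</command> reports: <filename>setup.php3</filename> at mode 0000 and the configuration files at mode 0555. It assumes the layout <filename>horde/setup.php3</filename> and <filename class="directory">horde/config/</filename>; the sample tree it builds is constructed only for the demonstration.
</para>

```shell
#!/bin/sh
# Added example (not from the book or the Horde/IMP distribution): confirm
# that the web setup engine is locked down as secure.sh reports, i.e.
# setup.php3 is mode 0000 and every file under config/ is mode 0555.
# Layout assumed from the text: DIR/setup.php3 and DIR/config/*.
# Uses GNU stat (-c), as found on a Red Hat system.

# perm_of FILE: print the octal permission bits of FILE (e.g. 555, 0).
perm_of() {
    stat -c '%a' "$1"
}

# horde_setup_locked DIR: return 0 if the setup engine under DIR is
# disabled, 1 otherwise. Every violation is printed so it can be fixed.
horde_setup_locked() {
    dir=$1
    rc=0
    if [ ! -e "$dir/setup.php3" ]; then
        echo "MISSING: $dir/setup.php3"
        return 1
    fi
    p=$(perm_of "$dir/setup.php3")
    if [ "$p" != "0" ]; then
        echo "OPEN: $dir/setup.php3 is mode $p (expected 0000)"
        rc=1
    fi
    for f in "$dir"/config/*; do
        [ -f "$f" ] || continue
        p=$(perm_of "$f")
        if [ "$p" != "555" ]; then
            echo "WRONG MODE: $f is mode $p (expected 0555)"
            rc=1
        fi
    done
    return $rc
}

# make_sample_horde STATE: build a constructed horde tree in a temp dir and
# print its path. "locked" mirrors what secure.sh leaves behind, "open"
# mirrors the world-readable files install.sh creates.
make_sample_horde() {
    state=$1
    d=$(mktemp -d)
    mkdir "$d/config"
    : > "$d/setup.php3"
    : > "$d/config/defaults.php3"
    : > "$d/config/mime.php3"
    if [ "$state" = "locked" ]; then
        chmod 0000 "$d/setup.php3"
        chmod 0555 "$d"/config/*
    else
        chmod 0644 "$d/setup.php3"
        chmod 0644 "$d"/config/*
    fi
    echo "$d"
}

# Stand-alone demo: check a locked and an open sample tree.
for state in locked open; do
    sample=$(make_sample_horde "$state")
    if horde_setup_locked "$sample"; then
        echo "$state sample: setup engine disabled"
    else
        echo "$state sample: setup engine still enabled"
    fi
    rm -rf "$sample"
done
```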
<para>
At this stage, we must verify that Webmail <acronym>IMP</acronym> is working on your system. To do this, point your web browser to the following address: <literal>http://my-web-server/horde/</literal>.
<filename>my-web-server</filename> is the address where your Apache web server lives, and <filename class="directory">/horde</filename> is the directory that hosts the Webmail <literal>IMP</literal> program.
</para>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Webmail-IMP.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Webmail through browser</phrase></textobject>
</mediaobject>
</section>
</chapter>
<chapter label="31"><?dbhtml filename="soft-fileshrng.html"?>
<title>Software -Server/File Sharing-Network</title>
<highlights><para>
Enterprise-level organizations often use different operating systems for handling many kinds of jobs and need to keep them in a networked environment for file and printer sharing. Employees may work on workstations running Linux, Microsoft Windows 95/98/NT,
OS/2 or Novell and still need to access the server in their daily work. A Linux server with Samba support can be used for these activities.
</para></highlights>
<section id="pr6ch31slss"><?dbhtml filename="chap29sec280.html"?>
<title>Linux Samba Server</title>
<para>
Samba is a strong network service for file and print sharing that works on the majority of operating systems available today. When well implemented by the administrator, it's faster and more secure than the native file sharing services available on Microsoft Windows machines.
</para>
<sidebar>
<title>As per the <citation>README file of Samba</citation>:</title>
<para>
Samba is the protocol by which a lot of PC-related machines share files and printers, and other information, such as lists of available files and printers. Operating systems that support this natively include Windows 95/98/NT, OS/2,
and Linux, and add-on packages that achieve a similar thing are available for DOS, Windows, VMS, Unix of all kinds, MVS, and more.
</para>
<para>
Apple Macs and some Web Browsers can speak this protocol as well. Alternatives to <acronym>SMB</acronym> include Netware, <acronym>NFS</acronym>, AppleTalk, Banyan Vines, Decnet etc. Many of these have advantages but none are public
specifications and widely implemented in desktop machines by default. Samba software includes an <acronym>SMB</acronym> server, to provide Windows NT and LAN Manager-style file and print services to <acronym>SMB</acronym> clients
such as Windows 95, Warp Server, smbfs and others, a NetBIOS, <wordasword>rfc1001/1002</wordasword> name server, which amongst other things gives browsing support, an ftp-like <acronym>SMB</acronym> client so that you can access
PC resources; disks and printers from Unix, Netware and other operating systems, and finally, a tar extension to the client for backing up PCs.
</para>
</sidebar>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Samba-Schema.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Samba</phrase></textobject>
</mediaobject>
<para>
These installation instructions assume
<itemizedlist><listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename class="directory">/var/tmp</filename>, <emphasis>other paths are possible</emphasis>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>.
</para></listitem><listitem><para>
Samba version number is 2.0.7.
</para></listitem>
</itemizedlist>
</para>
<para>
These are the Package(s) required:
<simplelist>
<member>
Samba Homepage: <link linkend="prtinxfp31er">http://us1.samba.org/samba/samba.html</link>
</member><member>
Samba FTP Site: <link linkend="prtinxfp31er">63.238.153.11</link>
</member><member>
You must be sure to download: samba-2.0.7.tar.gz
</member>
</simplelist>
</para>
<para>
Before you decompress the tarballs, it is a good idea to make a list of files on the system before you install Samba, and one afterwards, and then compare them using <command>diff</command> to find out which files it placed where. Simply run
<command>find</command> <userinput>/* > Samba1</userinput> before and <command>find</command> <userinput>/* > Samba2</userinput> after you install the software, and use <command>diff</command> <userinput>Samba1 Samba2 &gt; Samba-Installed</userinput>
to get a list of what changed.
</para>
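<para>
The following shell functions are an added example, not from the book, that carry the <command>find</command>/<command>diff</command> idea above one step further: each snapshot line records mode, owner, group and size as well as the path, so an installation that overwrites or re-permissions an existing file is reported alongside the files it added. The directory tree it works on is constructed for the demonstration; the tools assumed are GNU <command>find</command>, <command>sort</command>, <command>comm</command> and <command>join</command>.
</para>

```shell
#!/bin/sh
# Added example, not from the book: a fuller version of the
# "find /* > Samba1 ... find /* > Samba2 ... diff" technique. Each snapshot
# line records mode, owner, group and size as well as the path, so an
# install that overwrites or re-permissions an existing file shows up too,
# not only the files it added. Needs GNU find (-printf), sort, comm and
# join, all present on a Red Hat system.

tab=$(printf '\t')

# snapshot ROOT OUTFILE: one tab-separated line per entry under ROOT
# (path, mode, owner, group, size), sorted by path for comm/join.
snapshot() {
    find "$1" -printf '%p\t%M\t%u\t%g\t%s\n' 2>/dev/null \
        | LC_ALL=C sort -t "$tab" -k1,1 > "$2"
}

# installed_files BEFORE AFTER: paths present only in AFTER, i.e. what the
# installation created (the equivalent of the book's Samba-Installed list).
installed_files() {
    b=$(mktemp); a=$(mktemp)
    cut -f1 "$1" > "$b"
    cut -f1 "$2" > "$a"
    LC_ALL=C comm -13 "$b" "$a"
    rm -f "$b" "$a"
}

# modified_files BEFORE AFTER: paths present in both snapshots whose mode,
# owner, group or size changed. A directory that gained or lost entries can
# appear here as well, since its size changes.
modified_files() {
    LC_ALL=C join -t "$tab" "$1" "$2" \
        | awk -F '\t' '$2 != $6 || $3 != $7 || $4 != $8 || $5 != $9 { print $1 }'
}

# Stand-alone demo on a constructed tree: snapshot, "install" one new file
# and make an existing one setuid, snapshot again, report the difference.
demo_root=$(mktemp -d)
demo_before=$(mktemp); demo_after=$(mktemp)
mkdir "$demo_root/bin"
echo old > "$demo_root/bin/existing"
chmod 0644 "$demo_root/bin/existing"
snapshot "$demo_root" "$demo_before"
echo new > "$demo_root/bin/smbmount"
chmod 4755 "$demo_root/bin/existing"
snapshot "$demo_root" "$demo_after"
echo "Added by the install:"
installed_files "$demo_before" "$demo_after"
echo "Existing entries changed by the install:"
modified_files "$demo_before" "$demo_after"
rm -rf "$demo_root" "$demo_before" "$demo_after"
```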
<para>
To compile, decompress the tarball (tar.gz):
<screen>
[root@deep ] /# <command>cp</command> samba-version.tar.gz /var/tmp
[root@deep ] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf samba-version.tar.gz
</screen>
</para>
</section>
<section><?dbhtml filename="chap29sec281.html"?>
<title>Configure Samba</title>
<para>
Move into the new Samba directory, then into its <filename class="directory">source</filename> subdirectory.
</para>
<procedure>
<step><para>
Edit the <filename>smbsh.in</filename> file, <command>vi</command> <filename>smbwrapper/smbsh.in</filename> and change the line:
<programlisting>
SMBW_LIBDIR=${SMBW_LIBDIR-@builddir@/smbwrapper}
</programlisting>
To read:
<programlisting>
SMBW_LIBDIR=${SMBW_LIBDIR-/usr/bin}
</programlisting>
This change will relocate the <filename class="directory">lib</filename> directory of Samba to be under the <filename class="directory">/usr/bin</filename> directory.
</para></step>
<step><para>
Edit the <filename>Makefile.in</filename> file, <command>vi</command> <filename>Makefile.in</filename> and change the following lines:
</para>
<substeps>
<step><para>
<programlisting>
SBINDIR = @bindir@
</programlisting>
To read:
<programlisting>
SBINDIR = @sbindir@
</programlisting>
</para></step>
<step><para>
<programlisting>
VARDIR = @localstatedir@
</programlisting>
To read:
<programlisting>
VARDIR = /var/log/samba
</programlisting>
This will specify that our <filename class="directory">sbin</filename> directory for the Samba binaries files will be located in the <filename class="directory">/usr/sbin</filename> directory, and that the <filename class="directory">/var</filename>
directory for Samba log files will be under the <filename class="directory">/var/log/samba</filename> subdirectory.
</para></step>
</substeps>
</step>
<step><para>
Edit the <filename>convert_smbpasswd</filename> file, <command>vi</command> <filename>script/convert_smbpasswd</filename> and change the line:
<programlisting>
nawk 'BEGIN {FS=":"}
</programlisting>
To:
<programlisting>
gawk 'BEGIN {FS=":"}
</programlisting>
This will specify to use the <acronym>GNU</acronym>/Linux version of the awk text processing utility, <command>gawk</command>, instead of the Bell Labs research version, <command>nawk</command>, when converting the <filename>smbpasswd</filename> file.
</para></step>
<step><para>
Edit the <filename>smbmount.c</filename> file, <command>vi</command> <filename>client/smbmount.c</filename> and change the lines:
<programlisting>
static void close_our_files(int client_fd)
{
    int i;
    /* Fixed upper bound: descriptors above 255 are never closed. */
    for (i = 0; i &lt; 256; i++) {
        if (i == client_fd) continue;
        close(i);
    }
}
</programlisting>
To read:
<programlisting>
static void close_our_files(int client_fd)
{
    struct rlimit limits;
    int i;
    /* Ask the kernel for the real per-process descriptor limit and
       close everything below it except the client socket. */
    getrlimit(RLIMIT_NOFILE,&amp;limits);
    for (i = 0; i &lt; limits.rlim_max; i++) {
        if (i == client_fd) continue;
        close(i);
    }
}
</programlisting>
This step will make the <filename>smbmount.c</filename> file compatible with Red Hat's glibc 2.1 library.
</para></step>
</procedure>
</section>
<section><?dbhtml filename="chap29sec282.html"?>
<title>Compile and optimize</title>
<para>
Type the following commands on your terminal:
<programlisting>
CC="egcs" \
./configure \
--prefix=/usr \
--libdir=/etc \
--with-lockdir=/var/lock/samba \
--with-privatedir=/etc \
--with-swatdir=/usr/share/swat \
--with-pam \
--with-mmap \
--without-sambabook
</programlisting>
</para>
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The option <literal>--with-mmap</literal> can give a large performance boost on some machines, while on others it makes no difference at all, and on some it may reduce performance.
</para>
</caution>
<para>
This tells Samba to set itself up for this particular hardware setup with:
<orderedlist numeration="lowerroman">
<listitem><para>
Include PAM password database support for better security.
</para></listitem><listitem><para>
Include experimental MMAP support to improve Samba performance.
</para></listitem><listitem><para>
Don't install the book help that comes with the Samba distribution.
</para></listitem>
</orderedlist>
</para>
<para>
Now, we must install Samba in the Linux server:
<screen>
[root@deep ] /source# <command>make</command> all
[root@deep ] /source# <command>make install</command>
[root@deep ] /source# <command>install</command> -m 755 script/mksmbpasswd.sh /usr/bin/
[root@deep ] /source# <command>rm</command> -rf /usr/share/swat/ <co id="smsqco1"/>
[root@deep ] /source# <command>rm</command> -f /usr/sbin/swat
[root@deep ] /source# <command>rm</command> -f /usr/man/man8/swat.8
[root@deep ] /source# <command>mkdir</command> -p /var/lock/samba
[root@deep ] /source# <command>mkdir</command> -p /var/spool/samba <co id="smsqco2"/>
[root@deep ] /source# <command>chmod</command> 1777 /var/spool/samba/ <co id="smsqco3"/>
</screen>
<calloutlist>
<callout arearefs="smsqco1">
<para>
If, like me, you don't want to configure Samba through HTML.
</para>
</callout>
<callout arearefs="smsqco2">
<para>
Only required if you intend to use printer sharing.
</para>
</callout>
<callout arearefs="smsqco3">
<para>
Only required if you intend to use printer sharing.
</para>
</callout>
</calloutlist>
<itemizedlist>
<listitem><para>
The <command>install</command> command will install the script <filename>mksmbpasswd.sh</filename> under the <filename class="directory">/usr/bin/</filename> directory. This script is needed to set up the Samba users allowed to connect to our server
via the <filename>smbpasswd</filename> file. See later in this documentation for how to set up and use Samba passwords.
</para></listitem><listitem><para>
The <command>rm</command> command will remove the <filename class="directory">/usr/share/swat</filename> directory and all the files under it, and it will also remove the <command>swat</command> binary program under
<filename class="directory">/usr/sbin/</filename>. The <acronym>SWAT</acronym> program is a web-based configuration utility that permits you to configure the <filename>smb.conf</filename> file of Samba via a web
browser interface. Of course, in order to use the <acronym>SWAT</acronym> utility you will need to have a web server running, such as Apache. The SWAT utility can open a security breach on your server and for this
reason I recommend that you remove and not use it.
</para></listitem><listitem><para>
The <command>mkdir</command> command will create a <filename class="directory">/var/spool/samba/</filename> directory on your system for all print sharing jobs you may have. Of course this directory is only necessary
if you intend to use Samba print sharing over your LAN. Since we have not configured our Samba server to use print sharing, we do not need to create this directory, <filename class="directory">/var/spool/samba/</filename>
on our server, and we do not need to use the command <command>chmod</command> to change the <literal>sticky</literal> bit in <filename class="directory">/var/spool/samba</filename> so only the file's owner can delete a
given file in this directory.
</para></listitem>
</itemizedlist>
</para>
<para>
Please do the cleanup later:
<screen>
[root@deep ] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>rm</command> -rf samba-version/ samba-version.tar.gz
</screen>
The <command>rm</command> command will remove all the source files we have used to compile and install Samba. It will also remove the Samba compressed archive from the <filename class="directory">/var/tmp</filename> directory.
</para>
</section>
<section><?dbhtml filename="chap29sec283.html"?>
<title>Configurations</title>
<para>
Configuration files for different services are very specific, depending on your need and your network architecture. Someone could install Samba Server and have just one client connection, and another could install it with 1000 connections.
</para>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, <filename>floppy.tgz</filename>, for your convenience. This can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>.
You can unpack this to any location on your local machine, say for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each configuration file has its own directory
for the respective software. For example, the <wordasword>Samba</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 28
-rw-r--r-- 1 harrypotter harrypotter 196 Jun 8 13:00 Compile-Samba
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 init.d/
-rw-r--r-- 1 harrypotter harrypotter 94 Jun 8 13:00 lmhosts
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 logrotate.d/
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 pam.d/
-rwx------ 1 harrypotter harrypotter 282 Jun 8 13:00 samba.sh*
-rw-r--r-- 1 harrypotter harrypotter 1157 Jun 8 13:00 smb.conf
</computeroutput></literallayout>
You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or manually edit them to suit your needs. This facility is there as a convenience, but please don't forget that ultimately it will be your
responsibility to check, verify, <abbrev>etc.</abbrev> before you use them, whether modified or as they are.
</para>
</note>
<para>
To run a Samba server, the following files are required and must be created or copied to the appropriate directories on your server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>smb.conf</filename> and <filename>lmhosts</filename> files to the <filename class="directory">/etc/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>smb</filename> script file to the <filename class="directory">/etc/rc.d/init.d/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>samba</filename> file to the <filename class="directory">/etc/logrotate.d/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>samba</filename> file to the <filename class="directory">/etc/pam.d/</filename> directory.
</para></listitem>
</orderedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
To run Samba, the following file from the <filename>floppy.tgz</filename> archive is required and must be created or copied to the appropriate directory on your server: copy the <filename>*.conf</filename> file to the <filename class="directory">/etc/</filename> directory,
or alternatively you can copy and paste directly from this book into the file concerned.
</para></tip>
</section>
<section><?dbhtml filename="chap29sec284.html"?>
<title>Configuration of the <filename>/etc/smb.conf</filename> file</title>
<para>
The <filename>/etc/smb.conf</filename> file is the main configuration file for the Samba server, in which you can specify which directory you want to access from Windows machines, which <acronym>IP</acronym> addresses are authorized,
and so on. The first few lines of the file under the <filename><replaceable>[global]</replaceable></filename> line contain global configuration directives, which are common to all shares, <emphasis>unless they are over-ridden on a
per-share basis</emphasis>, followed by share sections. A lot of options exist, and it's important to read the documentation that comes with Samba for more information on each of the different settings and parameters.
</para>
<para>
The following configuration example is a minimal working configuration file for Samba with encrypted password support. Also, it's important to note that in this Samba configuration we comment only on the parameters that relate to security
and optimization, and leave the other possibilities for you to explore.
</para>
<para>
In our example we have created just one directory, <filename class="directory"><replaceable>[tmp]</replaceable></filename> and have allowed only <wordasword>class C</wordasword> machine <acronym>IP</acronym> address ranges to connect on the
Samba server. Also, we don't use print-sharing capability between Samba and Windows on this server.
Edit the <filename>smb.conf</filename> file, <command>vi</command> <filename>/etc/smb.conf</filename> and add/change the following parameters:
</para>
<programlisting>
[global]
workgroup = OPENNA
server string = R&amp;D of Open Network Architecture Samba Server
encrypt passwords = True
security = user
smb passwd file = /etc/smbpasswd
log file = /var/log/samba/log.%m
socket options = IPTOS_LOWDELAY TCP_NODELAY
domain master = Yes
local master = Yes
preferred master = Yes
os level = 65
dns proxy = No
name resolve order = lmhosts host bcast
bind interfaces only = True
interfaces = eth0 192.168.1.1
hosts deny = ALL
hosts allow = 192.168.1.4 127.0.0.1
debug level = 1
create mask = 0644
directory mask = 0755
level2 oplocks = True
read raw = no
write cache size = 262144
[homes]
comment = Home Directories
browseable = no
read only = no
invalid users = root bin daemon nobody named sys tty disk mem kmem users
[tmp]
comment = Temporary File Space
path = /tmp
read only = No
valid users = admin
invalid users = root bin daemon nobody named sys tty disk mem kmem users
</programlisting>
<para>
This tells the <filename>smb.conf</filename> file to set itself up for this particular configuration setup with:
</para>
<formalpara>
<title><filename><replaceable>[global]</replaceable></filename></title>
<para>
<glosslist>
<glossentry>
<glossterm><envar>workgroup = OPENNA</envar></glossterm>
<glossdef><para>
The option <envar>workgroup</envar> specifies the workgroup your server will appear to be in when queried by clients. It's important to have the same workgroup name on both clients and servers.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>server string = R&amp;D of Open Network Architecture Samba Server</envar></glossterm>
<glossdef><para>
The option <envar>server string</envar> specifies the string that you wish to show to your users in the printer comment box in print manager, or to the <acronym>IPC</acronym> connection in the <literal>net view</literal>
command under Windows machines.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>encrypt passwords = True</envar></glossterm>
<glossdef><para>
The option <envar>encrypt passwords</envar>, if set to <envar>True</envar>, instructs Samba to use encrypted passwords instead of plain text passwords when negotiating with the client. A sniffer program will not be able to
read your password when it is encrypted. This option must always be set to <envar>True</envar> for security reasons.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>security = user</envar></glossterm>
<glossdef><para>
The option <envar>security</envar>, if set to <envar>user</envar>, specifies that a client must first <literal>log-on</literal> with a valid username and password, or the connection will be refused. This means that a
valid username and password for the client must exist in your <filename>/etc/passwd</filename> file on the Linux server and in the <filename>/etc/smbpasswd</filename> file of the Samba server, or the connection from
the client will fail. See <link linkend="pr6ch31ssmb">Securing samba</link> in this chapter for more information about the <filename>smbpasswd</filename> file.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>smb passwd file = /etc/smbpasswd</envar></glossterm>
<glossdef><para>
The option <envar>smb passwd file</envar> specifies the path to the encrypted <filename>smbpasswd</filename> file. The <filename>smbpasswd</filename> file is a copy of the <filename>/etc/passwd</filename> file of the
Linux system containing valid usernames and passwords of clients allowed to connect to the Samba server. The Samba software reads this <filename>smbpasswd</filename> file when a connection is requested.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>log file = /var/log/samba/log.%m</envar></glossterm>
<glossdef><para>
The option <envar>log file</envar> specifies the location and names of the Samba log files. With the name extension <envar>%m</envar>, it allows you to have a separate log file for each user or machine that logs on to your
Samba server, <abbrev>i.e.</abbrev> <literal>log.machine1</literal>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>socket options = IPTOS_LOWDELAY TCP_NODELAY</envar></glossterm>
<glossdef><para>
The option <envar>socket options</envar> specifies parameters that you can include in your Samba configuration to tune and improve your Samba server for optimal performance. By default we chose to tune the connection
for a local network, and improve the performance of the Samba server for transferring files.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>domain master = Yes</envar></glossterm>
<glossdef><para>
The option <envar>domain master</envar> sets <envar>nmbd</envar>, the Samba server daemon, as the domain master browser for its workgroup. This option usually must be set to <envar>Yes</envar> on only
one Samba server, for all the other Samba servers on the same network and workgroup.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>local master = Yes</envar></glossterm>
<glossdef><para>
The option <envar>local master</envar> allows <envar>nmbd</envar>, the Samba server daemon, to try to become a local master browser on a subnet. Like the above, usually this option must be set to <envar>Yes</envar> only
on one Samba server that acts as a local master on a subnet for all the other Samba servers on your network.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>preferred master = Yes</envar></glossterm>
<glossdef><para>
The option <envar>preferred master</envar> specifies and controls whether <envar>nmbd</envar>, the Samba server daemon, is a preferred master browser for its workgroup. Once again, this must usually be set to <envar>Yes</envar>
on one server for all the others on your network.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>os level = 65</envar></glossterm>
<glossdef><para>
The option <envar>os level</envar> specifies by its value whether <envar>nmbd</envar>, the Samba server daemon, has a chance of becoming a local master browser for the Workgroup in the local broadcast area. The number 65 will
win against any NT Server. If you have an NT Server on your network, and want to set your Linux Samba server to be a local master browser for the Workgroup in the local broadcast area then you must set the <envar>os level</envar>
option to 65. Also, this option must be set only on one Linux Samba server, and must be disabled on all other Linux Samba servers you may have on your network.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>dns proxy = No</envar></glossterm>
<glossdef><para>
The option <envar>dns proxy</envar>, if set to <envar>Yes</envar>, specifies that <envar>nmbd</envar>, the Samba server daemon, when acting as a WINS server and finding that a NetBIOS name has not been registered, should treat the
NetBIOS name word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the name-querying client. Since we have not configured the Samba server to act as a WINS server, we don't need to set this
option to <envar>Yes</envar>. Also, setting this option to <envar>Yes</envar> will degrade your Samba performance.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>name resolve order = lmhosts host bcast</envar></glossterm>
<glossdef><para>
The option <envar>name resolve order</envar> specifies what naming services to use in order to resolve host names to <acronym>IP</acronym> addresses, and in what order. The parameters we chose cause the local <filename>lmhosts</filename>
file of Samba to be examined first, followed by the rest.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>bind interfaces only = True</envar></glossterm>
<glossdef><para>
The option <envar>bind interfaces only</envar> if set to <envar>True</envar>, allows you to limit what interfaces will serve <literal>smb</literal> requests. This is a security feature. The configuration option <envar>interfaces = eth0 192.168.1.1</envar>
below completes this option.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>interfaces = eth0 192.168.1.1</envar></glossterm>
<glossdef><para>
The option <envar>interfaces</envar> allows you to override the default network interface list that Samba will use for browsing, name registration and other NBT traffic. By default, Samba will query the kernel for the list of all active interfaces and use
any interface, except <literal>127.0.0.1</literal>, that is broadcast capable. With this option, Samba will only listen on interface <literal>eth0</literal> on the <acronym>IP</acronym> address <literal>192.168.1.1</literal>. This is a security feature,
and completes the above configuration option <envar>bind interfaces only = True</envar>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>hosts deny = ALL</envar></glossterm>
<glossdef><para>
The option <envar>hosts deny</envar> specifies the list of hosts that are <emphasis>not</emphasis> permitted access to Samba services unless the specific services have their own lists to override this one. For simplicity, we
deny access to all hosts by default, and allow specific hosts in the <envar>hosts allow =</envar> option below.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>hosts allow = 192.168.1.4 127.0.0.1</envar></glossterm>
<glossdef><para>
The option <envar>hosts allow</envar> specifies which hosts are permitted to access a Samba service. By default, we allow the host <literal>192.168.1.4</literal> on our class C network and our localhost <literal>127.0.0.1</literal>
to access the Samba server. Note that the localhost must always be set or you will receive some error messages.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>debug level = 1</envar></glossterm>
<glossdef><para>
The option <envar>debug level</envar> allows the logging level to be specified in the <filename>smb.conf</filename> file. If you set the debug level higher than 2 then you may suffer a large drop in performance. This is because
the server flushes the log file after each operation, which can be very expensive.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>create mask = 0644</envar></glossterm>
<glossdef><para>
The option <envar>create mask</envar> specifies and sets the necessary permissions according to the mapping from DOS modes to UNIX permissions. With this option set to <literal>0644</literal>, all file copying or creating from a
Windows system to the Unix system will have a permission of <literal>0644</literal> by default.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>directory mask = 0755</envar></glossterm>
<glossdef><para>
The option <envar>directory mask</envar> specifies and sets the octal modes, which are used when converting DOS modes to UNIX modes when creating UNIX directories. With this option set to <literal>0755</literal>, all directory copying
or creating from a Windows system to the Unix system will have a permission of <literal>0755</literal> by default.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>level2 oplocks = True</envar></glossterm>
<glossdef><para>
The option <envar>level2 oplocks</envar>, if set to <envar>True</envar>, will increase the performance for many accesses of files that are not commonly written, <emphasis>such as .EXE application files</emphasis>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>read raw = no</envar></glossterm>
<glossdef><para>
The option <envar>read raw</envar> controls whether or not the server will support the raw read SMB requests when transferring data to clients. Note that memory mapping is not used by the <literal>read raw</literal> operation. Thus, you
may find memory mapping is more effective if you disable <literal>read raw</literal> using <envar>read raw = no</envar>, like we do.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>write cache size = 262144</envar></glossterm>
<glossdef><para>
The option <envar>write cache size</envar> allows Samba to improve performance on systems where the disk subsystem is a bottleneck. The value of this option is specified in bytes, and a size of 262,144 represents a 256k cache size per file.
</para></glossdef>
</glossentry>
</glosslist>
</para>
</formalpara>
<formalpara>
<title><filename><replaceable>[tmp]</replaceable></filename></title>
<para>
<glosslist>
<glossentry>
<glossterm><envar>comment = Temporary File Space</envar></glossterm>
<glossdef><para>
The option <envar>comment</envar> allows you to specify a comment that will appear next to a share when a client queries the server.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>path = /tmp</envar></glossterm>
<glossdef><para>
The option <envar>path</envar> specifies a directory to which the user of the service is to be given access. In our example this is the <filename class="directory">tmp</filename> directory of the Linux server.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>read only = No</envar></glossterm>
<glossdef><para>
The option <envar>read only</envar> specifies if users should be allowed to only read files or not. In our example, since this is a configuration for the <filename class="directory">tmp</filename> directory of the Linux server, users
can do more than just read files.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>valid users = admin</envar></glossterm>
<glossdef><para>
The option <envar>valid users</envar> specifies a list of users that should be allowed to login to this service. In our example only the user <literal>admin</literal> is allowed to access the service.
</para></glossdef>
</glossentry><glossentry>
<glossterm><envar>invalid users = root bin daemon nobody named sys tty disk mem kmem users</envar></glossterm>
<glossdef><para>
The option <envar>invalid users</envar> specifies a list of users that should not be allowed to login to this service. This is really a <literal>paranoid</literal> check to absolutely ensure an improper setting does not breach your
security. It is recommended that you include all default users that run daemons on the server.
</para></glossdef>
</glossentry>
</glosslist>
</para>
</formalpara>
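<para>
As an added example (not code from the book or from the Samba project), the following Python script parses an <filename>smb.conf</filename> and checks the security-relevant settings explained above: encrypted passwords, user-level security, the <envar>hosts deny</envar>/<envar>hosts allow</envar> pair, interface binding, and the <envar>invalid users</envar> list on every share. It assumes only the Python standard library; the two configurations inside it are constructed, the first from this section's own listing.
</para>

```python
"""Audit an smb.conf for the hardening settings explained in the glossary above.

Added example, not code from the book or from the Samba project. It uses only
the Python standard library. SAMPLE_SMB_CONF is the text's configuration
(server string shortened); WEAK_SMB_CONF is a constructed, weaker variant.
"""
import configparser

# Spellings Samba accepts for a boolean "yes".
TRUE_VALUES = {"yes", "true", "1"}

# System accounts the text recommends listing under "invalid users" on every share.
DAEMON_ACCOUNTS = {"root", "bin", "daemon", "nobody", "named", "sys",
                   "tty", "disk", "mem", "kmem", "users"}

SAMPLE_SMB_CONF = """\
[global]
workgroup = OPENNA
server string = Open Network Architecture Samba Server
encrypt passwords = True
security = user
smb passwd file = /etc/smbpasswd
log file = /var/log/samba/log.%m
bind interfaces only = True
interfaces = eth0 192.168.1.1
hosts deny = ALL
hosts allow = 192.168.1.4 127.0.0.1
[homes]
comment = Home Directories
browseable = no
read only = no
invalid users = root bin daemon nobody named sys tty disk mem kmem users
[tmp]
comment = Temporary File Space
path = /tmp
read only = No
valid users = admin
invalid users = root bin daemon nobody named sys tty disk mem kmem users
"""

# Constructed weak configuration: plain-text passwords, share-level security,
# no host or interface restrictions, and no "invalid users" on the share.
WEAK_SMB_CONF = """\
[global]
workgroup = OPENNA
encrypt passwords = no
security = share
[tmp]
path = /tmp
read only = no
"""


def parse_smb_conf(text):
    """Parse smb.conf text. Interpolation is off so 'log.%m' survives intact."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.read_string(text)
    return parser


def is_true(value):
    """True for the Samba boolean spellings that mean yes."""
    return value is not None and value.strip().lower() in TRUE_VALUES


def names(value):
    """Split a Samba list such as 'root bin daemon' or 'a, b' into a set."""
    if value is None:
        return set()
    return set(value.replace(",", " ").split())


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf["global"] if conf.has_section("global") else {}

    if not is_true(g.get("encrypt passwords")):
        findings.append("global: encrypt passwords must be True")
    if g.get("security", "").strip().lower() != "user":
        findings.append("global: security should be user")
    if not is_true(g.get("bind interfaces only")) or not g.get("interfaces"):
        findings.append("global: bind interfaces only = True needs an interfaces list")
    if g.get("hosts deny", "").strip().upper() != "ALL":
        findings.append("global: hosts deny = ALL is missing")
    if "127.0.0.1" not in names(g.get("hosts allow")):
        findings.append("global: hosts allow must include 127.0.0.1")

    for share in conf.sections():
        if share == "global":
            continue
        section = conf[share]
        missing = DAEMON_ACCOUNTS - names(section.get("invalid users"))
        if missing:
            findings.append(f"{share}: invalid users lacks {' '.join(sorted(missing))}")
        if share == "homes" and is_true(section.get("browseable", "yes")):
            findings.append("homes: browseable should be no")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SMB_CONF), ("weak", WEAK_SMB_CONF)):
        print(label, audit(text) or ["no findings"])
```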
</section>
<section><?dbhtml filename="chap29sec285.html"?>
<title>Configure the <filename>/etc/lmhosts</filename> file</title>
<para>
Configure your <filename>/etc/lmhosts</filename> file. The <filename>lmhosts</filename> file is the Samba NetBIOS name to <acronym>IP</acronym> address mapping file. It is very similar to the <filename>/etc/hosts</filename> file format, except
that the hostname component must correspond to the NetBIOS naming format.
</para>
<para>
Create the <filename>lmhosts</filename> file, <command>touch</command> <filename>/etc/lmhosts</filename> and add your client hosts:
<programlisting>
# Sample Samba lmhosts file.
#
127.0.0.1 localhost
192.168.1.1 deep
192.168.1.4 win
</programlisting>
In our example, this file contains three <acronym>IP</acronym> to NetBIOS name mappings: the localhost <literal>127.0.0.1</literal>, the client named deep at <literal>192.168.1.1</literal>, and the client named win at <literal>192.168.1.4</literal>.
</para>
<section>
<title>Configure the <filename>/etc/pam.d/samba</filename> file</title>
<para>
Configure your <filename>/etc/pam.d/samba</filename> file to use PAM authentication by creating the <filename>samba</filename> file, <command>touch</command> <filename>/etc/pam.d/samba</filename> and add the following lines:
</para>
<programlisting>
auth required /lib/security/pam_pwdb.so nullok shadow
account required /lib/security/pam_pwdb.so
</programlisting>
<section>
<title>Configure the <filename>/etc/logrotate.d/samba</filename> file</title>
<para>
Configure your <filename>/etc/logrotate.d/samba</filename> file to rotate each week your log files automatically.
</para>
<para>
Create the <filename>samba</filename> file, <command>touch</command> <filename>/etc/logrotate.d/samba</filename> and add the following lines:
<programlisting>
/var/log/samba/log.nmb {
notifempty
missingok
postrotate
/usr/bin/killall -HUP nmbd
endscript
}
/var/log/samba/log.smb {
notifempty
missingok
postrotate
/usr/bin/killall -HUP smbd
endscript
}
</programlisting>
</para>
</section>
</section>
</section>
<section><?dbhtml filename="chap29sec286.html"?>
<title>Encrypted Samba password file for clients</title>
<para>
The <filename>/etc/smbpasswd</filename> file is the Samba encrypted password file. It contains the username, Unix UID and SMB hashed passwords of the users allowed on your Samba server, as well as account flag information and the time the
password was last changed. It's important to create this password file and add all allowed users to it before your clients try to connect to your Samba server. Without this step, no one will be able to connect to your Samba server.
</para>
<procedure>
<step><para>
To create a Samba account you must first have a valid Linux account for the user, so create in your <filename>/etc/passwd</filename> file all the users you want to connect to your Samba server before generating the <filename>smbpasswd</filename>
file of Samba.</para>
<substeps>
<step><para>
To add a new user to your <filename>/etc/passwd</filename> file, use the following command:
<screen>
[root@deep ] /# <command>useradd</command> smbclient
</screen>
</para></step>
<step><para>
To set a password for a user in your <filename>/etc/passwd</filename> file, use the following command:
<screen>
[root@deep ] /# passwd smbclient
</screen>
<literallayout class="monospaced"><computeroutput>
Changing password for user smbclient
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
</computeroutput></literallayout>
</para></step>
</substeps>
</step>
<step><para>
Once we have added all Samba clients in our <filename>/etc/passwd</filename> file on the Linux server, we can now generate the <filename>smbpasswd</filename> file from the <filename>/etc/passwd</filename> file.
To generate <filename>smbpasswd</filename> file from the <filename>/etc/passwd</filename> file, use the following commands:
<screen>
[root@deep ] /# <command>cat</command> /etc/passwd | mksmbpasswd.sh &gt; /etc/smbpasswd
</screen>
</para></step>
<step><para>
Finally, the last step we must perform is to create the Samba user account in our <filename>/etc/smbpasswd</filename> file before we are able to use it.
To create the <literal>Samba</literal> user account, use the following commands:
<screen>
[root@deep ] /# smbpasswd -a smbclient <co id="smbpswd"/>
</screen>
<calloutlist><callout arearefs="smbpswd"><para>
Remember that <literal>smbclient</literal> must be a valid Linux account.
</para></callout></calloutlist>
<literallayout class="monospaced"><computeroutput>
New SMB password:
Retype new SMB password:
Added user smbclient.
Password changed for user smbclient.
</computeroutput></literallayout>
</para></step>
<step><para>
Don't forget to change the permissions of your new <filename>smbpasswd</filename> file so that it is readable and writable only by the super-user <literal>root</literal>, with no access for group and other (<literal>0600/-rw-------</literal>). This
is a security measure.
<screen>
[root@deep ] /# <command>chmod</command> 600 /etc/smbpasswd
[root@deep ] /# <command>testparm</command> <co id="smbtsp"/>
</screen>
<calloutlist><callout arearefs="smbtsp"><para>
This will verify the <filename>smb.conf</filename> file for error.
</para></callout></calloutlist>
See <filename>ENCRYPTION.txt</filename> in <filename class="directory">samba/doc/texts/</filename> for more information.
</para></step>
</procedure>
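<para>
As an added example (not from the book or from Samba), this Python script checks an <filename>smbpasswd</filename> file as produced by the steps above: that its mode is <literal>0600</literal>, that every record has a matching Linux account with the same UID, and that no account still carries the placeholder hashes written by <command>mksmbpasswd.sh</command> or an empty password. The record layout and the placeholder convention are assumptions about Samba 2.0; all sample records and accounts are constructed.
</para>

```python
"""Check an smbpasswd file built by the procedure above against /etc/passwd.

Added example, not code from the book or from Samba. It assumes the Samba 2.0
record layout  user:uid:LANMAN-hash:NT-hash:[flags]:LCT-hextime:  and that
mksmbpasswd.sh fills both hash fields with 32 'X' characters until smbpasswd
sets a real password. All sample records and accounts below are constructed.
"""
import os
import stat
import tempfile

PLACEHOLDER_HASH = "X" * 32
# "NO PASSWORD" padded to 32 characters marks an empty password.
NO_PASSWORD_HASH = ("NO PASSWORD" + "X" * 32)[:32]
REAL_LM = "0123456789ABCDEF0123456789ABCDEF"   # constructed, not a real hash
REAL_NT = "FEDCBA9876543210FEDCBA9876543210"   # constructed, not a real hash

# Constructed /etc/passwd lines: the Linux accounts created before smbpasswd.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "smbclient:x:500:500::/home/smbclient:/bin/bash",
    "admin:x:501:501::/home/admin:/bin/bash",
    "guest:x:502:502::/home/guest:/bin/false",
]) + "\n"

# Constructed smbpasswd records: a finished account, one still holding the
# mksmbpasswd.sh placeholder, one with an empty password (flag N), and one
# that has no Linux account at all.
SAMPLE_SMBPASSWD = "\n".join([
    "#",
    "# SMB password file.",
    "#",
    "smbclient:500:" + REAL_LM + ":" + REAL_NT + ":[U          ]:LCT-38D4F6A1:",
    "admin:501:" + PLACEHOLDER_HASH + ":" + PLACEHOLDER_HASH + ":[U          ]:LCT-00000000:",
    "guest:502:" + NO_PASSWORD_HASH + ":" + NO_PASSWORD_HASH + ":[UN         ]:LCT-38D4F6A1:",
    "ghost:777:" + REAL_LM + ":" + REAL_NT + ":[U          ]:LCT-38D4F6A1:",
]) + "\n"


def parse_passwd(text):
    """Map user name to numeric uid from /etc/passwd text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        accounts[fields[0]] = int(fields[2])
    return accounts


def parse_smbpasswd(text):
    """Return (user, uid, lm_hash, nt_hash, flags) tuples, skipping comments."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if 6 > len(fields):
            raise ValueError("malformed smbpasswd record: " + line)
        flags = fields[4].strip().strip("[]").strip()
        records.append((fields[0], int(fields[1]), fields[2], fields[3], flags))
    return records


def audit_records(smbpasswd_text, passwd_text):
    """Cross-check every smbpasswd record against the Linux accounts."""
    accounts = parse_passwd(passwd_text)
    findings = []
    for user, uid, lm_hash, nt_hash, flags in parse_smbpasswd(smbpasswd_text):
        if user not in accounts:
            findings.append(f"{user}: no matching /etc/passwd account")
        elif accounts[user] != uid:
            findings.append(f"{user}: uid {uid} differs from /etc/passwd uid {accounts[user]}")
        if PLACEHOLDER_HASH in (lm_hash, nt_hash):
            findings.append(f"{user}: placeholder hash, run smbpasswd to set a password")
        elif "N" in flags or nt_hash.startswith("NO PASSWORD"):
            findings.append(f"{user}: empty password")
        if "D" in flags:
            findings.append(f"{user}: account disabled")
    return findings


def audit_file_mode(path):
    """The file must be mode 0600 (and owned by root, which is not checked here)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        return [f"{path}: mode {mode:04o}, expected 0600"]
    return []


def demo():
    """Write the constructed smbpasswd to a temporary file and audit it twice."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "smbpasswd")
        with open(path, "w") as handle:
            handle.write(SAMPLE_SMBPASSWD)
        os.chmod(path, 0o644)       # world-readable: the mistake the text warns about
        before = audit_file_mode(path)
        os.chmod(path, 0o600)       # chmod 600 /etc/smbpasswd
        after = audit_file_mode(path)
    return before, after, audit_records(SAMPLE_SMBPASSWD, SAMPLE_PASSWD)
```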
</section>
<section><?dbhtml filename="chap29sec287.html"?>
<title>Optimizing Samba</title>
<para>
It is a big mistake to set the <envar>wide links</envar> Samba parameter to <envar>no</envar> in the Samba configuration file <filename>/etc/smb.conf</filename>. This option, if set to <envar>no</envar>, tells Samba not to follow
symbolic links outside of an area designated as being exported as a share point. In order to determine if a link points outside the shared area, Samba has to follow the link and then do a directory path lookup to determine where
on the file system the link ended up. This adds a total of six extra system calls per filename lookup, and Samba looks up filenames a lot. A published test showed that setting this parameter causes a
25 to 30 percent slowdown in Samba performance.
</para>
<section><?dbhtml filename="chap29sec288.html"?>
<title>Tuning the buffer cache</title>
<para>
The modification of the filesystem cache-tuning parameters can significantly improve Linux's file-serving performance up to a factor of two. Linux will attempt to use memory not being used for any other purpose for filesystem caching.
A special daemon, called <literal>bdflush</literal>, will periodically flush <literal>dirty</literal> buffers, <emphasis>buffers that contain modified filesystem data or metadata</emphasis> to the disk.
</para>
<para>
The secret to good performance is to keep as much of the data in memory for as long as is possible. Writing to the disk is the slowest part of any filesystem. If you know that the filesystem will be heavily used, then you can tune this
process for Linux Samba. As with many kernel tuneable options, this can be done on the fly by writing to special files in the <filename class="directory">/proc</filename> filesystem. The trick is, you have to tell Linux you want it to do that. You do so by executing the
following command for a Linux 2.2 kernel.
</para>
<para>
The default setup for the <literal>bdflush</literal> parameters under Red Hat Linux is:
<programlisting>
"40 500 64 256 500 3000 500 1884 2"
</programlisting>
To change the values of bdflush, type the following command on your terminal:
</para>
<para>
Under
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Version6.1.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Version 6.1</phrase></textobject>
</inlinemediaobject>
<screen>
[root@deep ] /# echo "80 500 64 64 15 6000 6000 1884 2" &gt;/proc/sys/vm/bdflush
</screen>
You may add the above command to the <filename>/etc/rc.d/rc.local</filename> script file so that you don't have to type it again the next time you reboot your system.
</para>
<para>
Under
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Version6.2.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Version 6.2</phrase></textobject>
</inlinemediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Improve file system performance
vm.bdflush = 80 500 64 64 15 6000 6000 1884 2
</programlisting>
</para>
<para>
You must restart your network for the change to take effect. The command to restart the network is the following:
<screen>
[root@deep ] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
This line tells <literal>bdflush</literal> not to worry about writing out dirty blocks to the disk until the filesystem buffer cache is 80 percent full (80). The other values tune such things as the number of buffers
to write out in one disk operation (500), how long to allow dirty buffers to age in the kernel (60*HZ), etc. You can find full details in the 2.2 kernel documentation in the file <filename>linux/Documentation/sysctl/vm.txt</filename>,
and also, you can check <link linkend="pr3ch6lglc">General System Optimization</link>, for more information.
</para>
</section>
</section>
<section><?dbhtml filename="chap29sec289.html"?>
<title>Tuning the buffermem</title>
<para>
Another helpful tuning hint is to tell Linux the following: Use a minimum of 60 percent of memory for the buffer cache; only prune when the percentage of memory used for the buffer cache gets over 10 percent (this parameter is now unused);
and allow the buffer cache to grow to 60 percent of all memory (this parameter is also unused now).
</para>
<para>
The default setup for the <literal>buffermem</literal> parameters under Red Hat Linux is:
<programlisting>
"2 10 60"
</programlisting>
</para>
<para>
Under
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Version6.1.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.1</phrase></textobject>
</inlinemediaobject>
To change the values of buffermem, type the following command on your terminal:
<screen>
[root@deep ] /# echo "60 10 60" &gt;/proc/sys/vm/buffermem
</screen>
You can put the above command in the <filename>/etc/rc.d/rc.local</filename> script file and avoid typing it again the next time your system reboots. You can find full details in the 2.2 kernel documentation in the file <filename>linux/Documentation/sysctl/vm.txt</filename>,
and also, you can check <link linkend="pr3ch6lglc">General System Optimization</link>, for more information.
</para>
<para>
Under
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Version6.2.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Version 6.2</phrase></textobject>
</inlinemediaobject>
Edit the <filename>/etc/sysctl.conf</filename> file and add the following line:
<programlisting>
# Improve virtual memory performance
vm.buffermem = 60 10 60
</programlisting>
</para>
<para>
You must restart your network for the change to take effect. The command to restart the network is the following:
<screen>
[root@deep ] /# /etc/rc.d/init.d/network <command>restart</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</computeroutput></literallayout>
Recall that the last two parameters, 10 and 60, are unused by the system, so we don't need to change the default ones.
</para>
</section>
<section><?dbhtml filename="chap29sec290.html"?>
<title>Further documentation</title>
<para>
For more details, there are several man pages you can read:
</para>
<variablelist>
<varlistentry>
<term><citerefentry><refentrytitle>Samba</refentrytitle><manvolnum>7</manvolnum></citerefentry></term>
<listitem><para>
A Windows SMB/CIFS fileserver for UNIX
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
The configuration file for the Samba suite
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smbclient</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
ftp-like client to access SMB/CIFS resources on servers
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smbd</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
server to provide SMB/CIFS services to clients
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smbmnt</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
mount smb file system
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smbmount</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
mount smb file system
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smbpasswd</refentrytitle><manvolnum>5</manvolnum></citerefentry></term>
<listitem><para>
The Samba encrypted password file
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smbpasswd</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
change a users SMB password
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smbrun</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
interface program between smbd and external programs
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smbsh</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
Allows access to Windows NT filesystem using UNIX commands
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smbstatus</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
report on current Samba connections
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smbtar</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
shell script for backing up SMB shares directly to UNIX tape drives
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>smbumount</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
umount for normal users
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>testparm</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
check an smb.conf configuration file for internal correctness
</para></listitem>
</varlistentry><varlistentry>
<term><citerefentry><refentrytitle>testprns</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
check printer name for validity with smbd
</para></listitem>
</varlistentry>
</variablelist>
</section>
<section><?dbhtml filename="chap29sec291.html"?>
<title>Samba Administrative Tools</title>
<para>
The commands listed below are some that we use often, but many more exist. Check the man pages and documentation for more details and information.
</para>
<formalpara>
<title>smbstatus</title>
<para>
The smbstatus utility is a very simple program to list the current Samba connections.
To report current Samba connections, use the following command:
<screen>
[root@deep ] /# smbstatus
</screen>
<literallayout class="monospaced"><computeroutput>
Samba version 2.0.7
Service uid gid pid machine
----------------------------------------------
tmp webmaster webmaster 3995 gate (192.168.1.3) Sat Sep 25 19:40:54 1999
No locked files
Share mode memory usage (bytes):
1048464(99%) free + 56(0%) used + 56(0%) overhead = 1048576(100%) total
</computeroutput></literallayout>
</para>
</formalpara>
<section>
<title>Samba Users Tools</title>
<para>
The commands listed below are some that we use often, but many more exist. Check the man pages and documentation for more details and information.
</para>
<formalpara>
<title>smbclient</title>
<para>
The <command>smbclient</command> program utility for Samba works much like the interface of the FTP program. This small program allows you to get files from the server to the local machine, put files from the local machine
to the server, retrieve directory information from the server, and so on.
</para>
</formalpara>
<para>
To connect to a Windows machine with smbclient utility, use the following command:
<screen>
[root@deep ] /# smbclient //smbserver/sharename -U smbclient
[root@deep ] /# smbclient //gate/tmp -U smbclient
</screen>
</para>
<para>
<literallayout class="monospaced"><computeroutput>
Password:
Domain=[OPENNA] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
smb: \&gt; ls
. D 0 Tue Mar 14 15:31:50 2000
.. D 0 Tue Mar 14 15:31:50 2000
PostgreSQL D 0 Tue Mar 14 15:32:22 2000
Squid D 0 Tue Mar 14 15:32:28 2000
E_comm D 0 Tue Mar 14 15:32:42 2000
StackGuard.pdf A 61440 Tue Dec 21 20:41:34 1999
installation-without-XFree86 A 448 Tue Dec 21 20:41:28 1999
lcap-0_0_3-2_src.rpm A 13481 Thu Jan 13 01:50:12 2000
mirc561t.exe A 948224 Tue Dec 21 20:41:54 1999
65510 blocks of size 32768. 5295 blocks available
smb: \&gt;
</computeroutput></literallayout>
Where <literal>//smbserver</literal> is the name of the server you want to connect to, <filename class="directory">/sharename</filename> is the directory on this server you want to connect to, and <literal>smbclient</literal> is
your username on this machine.
</para>
</section>
</section>
<section><?dbhtml filename="chap29sec292.html"?>
<title>The <filename>/etc/rc.d/init.d/smb</filename> script file</title>
<para>
Configure your <filename>/etc/rc.d/init.d/smb</filename> script file to start and stop the Samba <literal>smbd</literal> and <literal>nmbd</literal> daemons automatically.
Create the <filename>smb</filename> script file, <command>touch</command> <filename>/etc/rc.d/init.d/smb</filename> and add the following lines:
</para>
<programlisting>
#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd and nmbd daemons \
# used to provide SMB network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ "${NETWORKING}" = "no" ] &amp;&amp; exit 0
# Check that smb.conf exists.
[ -f /etc/smb.conf ] || exit 0
RETVAL=0
# See how we were called.
case "$1" in
start)
echo -n "Starting SMB services: "
daemon smbd -D
RETVAL=$?
echo
echo -n "Starting NMB services: "
daemon nmbd -D
RETVAL2=$?
echo
[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 ] &amp;&amp; touch /var/lock/subsys/smb || \
RETVAL=1
;;
stop)
echo -n "Shutting down SMB services: "
killproc smbd
RETVAL=$?
echo
echo -n "Shutting down NMB services: "
killproc nmbd
RETVAL2=$?
[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 ] &amp;&amp; rm -f /var/lock/subsys/smb
echo ""
;;
restart)
$0 stop
$0 start
RETVAL=$?
;;
reload)
echo -n "Reloading smb.conf file: "
killproc -HUP smbd
RETVAL=$?
echo
;;
status)
status smbd
status nmbd
RETVAL=$?
;;
*)
echo "Usage: $0 {start|stop|restart|reload|status}"
exit 1
esac
exit $RETVAL
</programlisting>
<para>
Now, make this script executable and change its default permissions:
<screen>
[root@deep ] /# <command>chmod</command> 700 /etc/rc.d/init.d/smb
</screen>
Create the symbolic <filename class="symlink">rc.d</filename> links for Samba with the command:
<screen>
[root@deep ] /# <command>chkconfig</command> --add smb
</screen>
</para>
<para>
The <literal>chkconfig: - 91 35</literal> header registers the script without enabling it in any runlevel, so Samba will not start the <literal>smbd</literal> and <literal>nmbd</literal> daemons automatically when you reboot the server. To make it start by default in runlevels 3, 4 and 5, execute the following command:
<screen>
[root@deep ] /# <command>chkconfig</command> --level 345 smb on
</screen>
Start your Samba Server manually with the following command:
<screen>
[root@deep ] /# /etc/rc.d/init.d/smb <command>start</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Starting SMB services: [ OK ]
Starting NMB services: [ OK ]
</computeroutput></literallayout>
</para>
<section id="pr6ch31ssmb">
<title>Securing Samba</title>
<para>
Immunize important configuration files. The immutable bit prevents a file from being deleted, renamed, overwritten or hard-linked, even by <literal>root</literal>, until the attribute is cleared again with <command>chattr</command> <literal>-i</literal>; it guards against accidents and against tampering by unprivileged users, but an attacker who already has <literal>root</literal> can remove the bit, so it is not a substitute for keeping <literal>root</literal> out. Once your <filename>smb.conf</filename>
and <filename>lmhosts</filename> files have been configured, immunize them with commands like the following, and remember to clear the bit before editing either file again:
<screen>
[root@deep ] /# <command>chattr</command> +i /etc/smb.conf
[root@deep ] /# <command>chattr</command> +i /etc/lmhosts
</screen>
</para>
</section>
</section>
<section><?dbhtml filename="chap29sec293.html"?>
<title>Installed files</title>
<para>
These are the files installed by the Samba software on your system.
</para>
<simplelist type="horiz" columns="3">
<member><filename>/etc/rc.d/init.d/smb</filename></member>
<member><filename>/etc/rc.d/rc0.d/K35smb</filename></member>
<member><filename>/etc/rc.d/rc1.d/K35smb</filename></member>
<member><filename>/etc/rc.d/rc2.d/K35smb</filename></member>
<member><filename>/etc/rc.d/rc3.d/S91smb</filename></member>
<member><filename>/etc/rc.d/rc4.d/S91smb</filename></member>
<member><filename>/etc/rc.d/rc5.d/S91smb</filename></member>
<member><filename>/etc/rc.d/rc6.d/K35smb</filename></member>
<member><filename>/etc/pam.d/samba</filename></member>
<member><filename>/etc/logrotate.d/samba</filename></member>
<member><filename>/etc/codepages</filename></member>
<member><filename>/etc/codepages/codepage.437</filename></member>
<member><filename>/etc/codepages/unicode_map.437</filename></member>
<member><filename>/etc/codepages/codepage.737</filename></member>
<member><filename>/etc/codepages/unicode_map.737</filename></member>
<member><filename>/etc/codepages/codepage.775</filename></member>
<member><filename>/etc/codepages/codepage.850</filename></member>
<member><filename>/etc/codepages/unicode_map.850</filename></member>
<member><filename>/etc/codepages/codepage.852</filename></member>
<member><filename>/etc/codepages/unicode_map.852</filename></member>
<member><filename>/etc/codepages/codepage.861</filename></member>
<member><filename>/etc/codepages/unicode_map.861</filename></member>
<member><filename>/etc/codepages/codepage.932</filename></member>
<member><filename>/etc/codepages/unicode_map.932</filename></member>
<member><filename>/etc/codepages/codepage.866</filename></member>
<member><filename>/etc/codepages/unicode_map.866</filename></member>
<member><filename>/etc/codepages/codepage.949</filename></member>
<member><filename>/etc/codepages/unicode_map.949</filename></member>
<member><filename>/etc/codepages/codepage.950</filename></member>
<member><filename>/etc/codepages/unicode_map.950</filename></member>
<member><filename>/etc/codepages/codepage.936</filename></member>
<member><filename>/etc/codepages/unicode_map.936</filename></member>
<member><filename>/etc/codepages/codepage.1251</filename></member>
<member><filename>/etc/codepages/unicode_map.ISO8859-1</filename></member>
<member><filename>/etc/codepages/unicode_map.ISO8859-2</filename></member>
<member><filename>/etc/codepages/unicode_map.ISO8859-5</filename></member>
<member><filename>/etc/codepages/unicode_map.ISO8859-7</filename></member>
<member><filename>/etc/codepages/unicode_map.KOI8-R</filename></member>
<member><filename>/etc/lmhosts</filename></member>
<member><filename>/etc/smb.conf</filename></member>
<member><filename>/etc/smbpasswd</filename></member>
<member><filename>/etc/gshadow-</filename></member>
<member><filename>/usr/bin/smbclient</filename></member>
<member><filename>/usr/bin/smbspool</filename></member>
<member><filename>/usr/bin/testparm</filename></member>
<member><filename>/usr/bin/testprns</filename></member>
<member><filename>/usr/bin/smbstatus</filename></member>
<member><filename>/usr/bin/rpcclient</filename></member>
<member><filename>/usr/bin/smbpasswd</filename></member>
<member><filename>/usr/bin/make_smbcodepage</filename></member>
<member><filename>/usr/bin/make_unicodemap</filename></member>
<member><filename>/usr/bin/nmblookup</filename></member>
<member><filename>/usr/bin/make_printerdef</filename></member>
<member><filename>/usr/bin/smbtar</filename></member>
<member><filename>/usr/bin/addtosmbpass</filename></member>
<member><filename>/usr/bin/convert_smbpasswd</filename></member>
<member><filename>/usr/bin/mksmbpasswd.sh</filename></member>
<member><filename>/usr/man/man1/make_smbcodepage.1</filename></member>
<member><filename>/usr/man/man1/make_unicodemap.1</filename></member>
<member><filename>/usr/man/man1/nmblookup.1</filename></member>
<member><filename>/usr/man/man1/smbclient.1</filename></member>
<member><filename>/usr/man/man1/smbrun.1</filename></member>
<member><filename>/usr/man/man1/smbsh.1</filename></member>
<member><filename>/usr/man/man1/smbstatus.1</filename></member>
<member><filename>/usr/man/man1/smbtar.1</filename></member>
<member><filename>/usr/man/man1/testparm.1</filename></member>
<member><filename>/usr/man/man1/testprns.1</filename></member>
<member><filename>/usr/man/man5/lmhosts.5</filename></member>
<member><filename>/usr/man/man5/smb.conf.5</filename></member>
<member><filename>/usr/man/man5/smbpasswd.5</filename></member>
<member><filename>/usr/man/man7/samba.7</filename></member>
<member><filename>/usr/man/man8/nmbd.8</filename></member>
<member><filename>/usr/man/man8/smbd.8</filename></member>
<member><filename>/usr/man/man8/smbmnt.8</filename></member>
<member><filename>/usr/man/man8/smbmount.8</filename></member>
<member><filename>/usr/man/man8/smbpasswd.8</filename></member>
<member><filename>/usr/man/man8/smbspool.8</filename></member>
<member><filename>/usr/man/man8/smbumount.8</filename></member>
<member><filename>/usr/sbin/smbd</filename></member>
<member><filename>/usr/sbin/nmbd</filename></member>
<member><filename>/var/log/samba</filename></member>
<member><filename>/var/lock/samba</filename></member>
</simplelist>
</section>
</chapter>
<chapter label="32"><?dbhtml filename="ftpd.html"?>
<title>Linux <literal>FTP</literal> Server</title>
<highlights><para>
Despite its age, the File Transfer Protocol, <literal>FTP</literal>, is still one of the most popular ways to transfer files from machine to machine across a network. Clients and servers have been written for almost every popular platform on
the market, which makes <literal>FTP</literal> the most convenient way to perform file transfers.
</para>
</highlights>
<section id="pr6ch32sftp"><?dbhtml filename="chap29sec294.html"?>
<title>chroot'd Guest FTP access</title>
<para>
Various methods exist to configure your <literal>FTP</literal> server. One is as a private, user-only site, which is the default configuration for an <literal>FTP</literal> server: a private <literal>FTP</literal> server lets only users
who have accounts on the Linux system connect via <literal>FTP</literal> and access their files.
</para>
<para>
Another method is to configure it as an anonymous <literal>FTP</literal> server. An anonymous <literal>FTP</literal> server allows anyone on the network to connect to it and transfer files without having an account. Because of the
security risk involved with this setup, precautions should be taken to allow access only to certain directories on the system.
</para>
<para>
The configuration we will cover here is an <literal>FTP</literal> server that confines users to semi-secure areas of the Unix file system: <emphasis>chroot'd Guest FTP access</emphasis>. This configuration gives users
access to the <literal>FTP</literal> server directories without letting them climb to higher levels of the file system. Of the three, it is the most restrictive, and therefore the safest, setup for an <literal>FTP</literal> server that serves real user accounts.
<mediaobject>
<imageobject>
<imagedata fileref="./images/FTP-Schema.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>FTP</phrase></textobject>
</mediaobject>
</para>
<para>
These installation instructions assume
<itemizedlist><listitem><para>
Commands are Unix-compatible.
</para></listitem><listitem><para>
The source path is <filename class="directory">/var/tmp</filename>, <emphasis>other paths are possible</emphasis>.
</para></listitem><listitem><para>
Installations were tested on Red Hat Linux 6.1 and 6.2.
</para></listitem><listitem><para>
All steps in the installation will happen in super-user account <literal>root</literal>.
</para></listitem><listitem><para>
wu-ftpd version number is 2.6.0
</para></listitem>
</itemizedlist>
</para>
<para>
These are the Package(s):
<simplelist><member>
Wu-ftpd Homepage:<link linkend="prtinxfp32er">http://www.wu-ftpd.org/</link>
</member><member>
Wu-ftpd FTP Site:<link linkend="prtinxfp32er">205.133.13.68</link>
</member><member>
You must be sure to download: wu-ftpd-2.6.0.tar.gz
</member>
</simplelist>
</para>
<para>
To compile, you need to decompress the tarball, <literal>tar.gz</literal>.
<screen>
[root@deep ] /# <command>cp</command> wu-ftpd-version.tar.gz /var/tmp
[root@deep ] /# <command>cd</command> /var/tmp
[root@deep ]/tmp# <command>tar</command> xzpf wu-ftpd-version.tar.gz
</screen>
</para>
</section>
<section><?dbhtml filename="chap29sec295.html"?>
<title>Setup an <literal>FTP</literal> user account minus shells</title>
<para>
It's important that your strictly-<literal>FTP</literal> users have no real shell account on the Linux system. That way, if for any reason someone manages to break out of the <literal>FTP</literal> chrooted environment, they
still cannot run commands as that user, because the account has no usable shell. First, create dedicated users for this purpose; these, and only these, will be the users allowed to connect to your <literal>FTP</literal> server.
</para>
<para>
They have to be kept separate from regular user accounts with unlimited access because of how the <literal>chroot</literal> environment works: chroot makes the level of the file system you've placed the user in appear, from the
user's perspective, to be the top level of the file system.
</para>
<para>
Use the following command to create users in the <filename>/etc/passwd</filename> file. This step must be done for each additional new user you allow to access your <literal>FTP</literal> server.
<screen>
[root@deep ] /# <command>mkdir</command> /home/ftp
[root@deep ] /# <command>useradd</command> -d /home/ftp/ftpadmin/ -s /dev/null ftpadmin &gt; /dev/null 2&gt;&amp;1
[root@deep ] /# <command>passwd</command> ftpadmin
</screen>
<literallayout class="monospaced"><computeroutput>
Changing password for user ftpadmin
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
</computeroutput></literallayout>
<itemizedlist><listitem><para>
The <command>mkdir</command> command will create the <filename class="directory">ftp</filename> directory under the <filename class="directory">/home</filename> directory to handle all <literal>FTP</literal> users'
home directories we'll have on the server.
</para></listitem><listitem><para>
The <command>useradd</command> command will add the new user named <literal>ftpadmin</literal> to our Linux server.
</para></listitem><listitem><para>
Finally, the <command>passwd</command> command will set the password for this user <literal>ftpadmin</literal>.
</para></listitem>
</itemizedlist>
Once the <filename class="directory">/home/ftp/</filename> directory has been created you don't need to run the <command>mkdir</command> command again for additional <literal>FTP</literal> users; repeat only the <command>useradd</command> and <command>passwd</command> steps for each of them.
</para>
<procedure>
<step><para>
Edit the <filename>/etc/shells</filename> file, <command>vi</command> <filename>/etc/shells</filename>, and add the fake shell <literal>/dev/null</literal>. Listing it here satisfies the check that the <literal>FTP</literal> daemon (and later the <literal>pam_shells</literal> module) makes against
<filename>/etc/shells</filename>, while the device itself can never be executed, so the <literal>FTP</literal> users' access to the system stays limited to <literal>FTP</literal>.
<screen>
[root@deep ] /# <command>vi</command> /etc/shells
</screen>
<literallayout class="monospaced"><computeroutput>
/bin/bash
/bin/sh
/bin/ash
/bin/bsh
/bin/tcsh
/bin/csh
/dev/null
</computeroutput></literallayout>
<literal>/dev/null</literal> is our added fake shell. The <filename>/dev/null</filename> device exists on every Linux system; because it is a character device rather than a program, any attempt to run it as a login shell fails immediately.
</para></step>
<step><para>
Now, edit your <filename>/etc/passwd</filename> file and insert <literal>/./</literal> by hand into the home directory path, to separate the <filename class="directory">/home/ftp</filename> part, which becomes the user's root directory, from the <filename class="directory">/ftpadmin</filename>
directory the user <literal>ftpadmin</literal> should be automatically chdir'd to. This step must be done for each <literal>FTP</literal> user you add to your <filename>passwd</filename> file.
<programlisting>
ftpadmin:x:502:502::/home/ftp/ftpadmin/:/dev/null
</programlisting>
To read:
<programlisting>
ftpadmin:x:502:502::/home/ftp/./ftpadmin/:/dev/null
^^
</programlisting>
The account is <literal>ftpadmin</literal>, but you'll notice the path to the home directory is a bit odd. The first part, <filename class="directory">/home/ftp/</filename>, is the directory that should become their new root directory.
The <literal>/./</literal> separates it from the directory they should be automatically chdir'd, <emphasis>change directory'd</emphasis>, into: <filename class="directory">/ftpadmin/</filename>. This is the convention Wu-ftpd uses to recognise a guest user's chroot root and starting directory.
</para></step>
</procedure>
<para>
Once again, the <filename class="directory">/dev/null</filename> part disables their login as a regular user. With this modification, the user <literal>ftpadmin</literal> now has a fake shell instead of a real shell resulting in properly limited access on the system.
</para>
</section>
<section><?dbhtml filename="chap29sec296.html"?>
<title>Setup a chroot user environment</title>
<para>
What you're essentially doing is creating a skeleton root file system with just enough components, <emphasis>binaries, password files, etc.</emphasis>, for the session to work after Unix does the chroot when the user logs in. Note that if you use the
<literal>--enable-ls</literal> option during compilation, as seen above, the <filename class="directory">/home/ftp/bin</filename> and <filename class="directory">/home/ftp/lib</filename> directories are not required, since this
option lets Wu-ftpd use its own built-in <literal>ls</literal> function. We still demonstrate the old method for people who prefer to copy <filename>/bin/ls</filename> into the chroot'd <literal>FTP</literal>
directory <filename class="directory">/home/ftp/bin</filename> and provide the shared libraries that <literal>ls</literal> depends on.
<mediaobject>
<imageobject>
<imagedata fileref="./images/FTP-Chroot.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>FTP chrooted</phrase></textobject>
</mediaobject>
The following are the necessary steps to run Wu-ftpd software in a chroot jail:
</para>
<para>
First create all the necessary chrooted environment directories as shown below:
<screen>
[root@deep ] /# <command>mkdir</command> /home/ftp/dev
[root@deep ] /# <command>mkdir</command> /home/ftp/etc
[root@deep ] /# <command>mkdir</command> /home/ftp/bin <co id="ftpchr1"/>
[root@deep ] /# <command>mkdir</command> /home/ftp/lib <co id="ftpchr2"/>
</screen>
<calloutlist>
<callout arearefs="ftpchr1"><para>
Require only if you are not using the <envar>--enable-ls</envar> option.
</para></callout>
<callout arearefs="ftpchr2"><para>
Require only if you are not using the <envar>--enable-ls</envar> option
</para></callout>
</calloutlist>
</para>
<para>
Change the permissions of the new directories to <literal>0511</literal> for security reasons.
The <command>chmod</command> command makes our chrooted <filename class="directory">dev</filename>, <filename class="directory">etc</filename>, <filename class="directory">bin</filename>, and <filename class="directory">lib</filename> directories
readable and searchable by the super-user <literal>root</literal>, and searchable only (not listable) by the group and all other users.
<screen>
[root@deep ] /# <command>chmod</command> 0511 /home/ftp/dev/
[root@deep ] /# <command>chmod</command> 0511 /home/ftp/etc/
[root@deep ] /# <command>chmod</command> 0511 /home/ftp/bin <co id="ftpchr3"/>
[root@deep ] /# <command>chmod</command> 0511 /home/ftp/lib <co id="ftpchr4"/>
</screen>
<calloutlist>
<callout arearefs="ftpchr3"><para>
Require only if you are not using the <envar>--enable-ls</envar> option.
</para></callout><callout arearefs="ftpchr4"><para>
Require only if you are not using the <envar>--enable-ls</envar> option.
</para></callout>
</calloutlist>
</para>
<procedure>
<step><para>
Copy the <literal>/bin/ls</literal> binary to the <filename class="directory">/home/ftp/bin</filename> directory and change the permissions of the <literal>ls</literal> program, both the original and the copy, to <literal>0111</literal>, execute only.
<emphasis>You don't want users to be able to read or modify the binaries</emphasis>:
<screen>
[root@deep ] /# <command>cp</command> /bin/ls /home/ftp/bin <co id="ftpchr6"/>
[root@deep ] /# <command>chmod</command> 0111 /bin/ls /home/ftp/bin/ls <co id="ftpchr7"/>
</screen>
<calloutlist>
<callout arearefs="ftpchr6"><para>
Require only if you are not using the <envar>--enable-ls</envar> option.
</para></callout>
<callout arearefs="ftpchr7"><para>
Require only if you are not using the <envar>--enable-ls</envar> option.
</para></callout>
</calloutlist>
This step is necessary only if you're not using the <envar>--enable-ls</envar> option during the configure time of Wu-ftpd. See the <link linkend="pr6ch32sftp">Compile and Optimize</link> section in this chapter for more information.
</para></step>
<step><para>
Find the shared library dependencies of the <literal>ls</literal> Linux binary program:
</para>
<substeps>
<step><para>
<screen>
[root@deep ] /# ldd /bin/ls <co id="ftpsc1"/>
</screen>
<calloutlist>
<callout arearefs="ftpsc1"><para>
Require only if you are not using the <envar>--enable-ls</envar> option.
</para></callout>
</calloutlist>
<literallayout class="monospaced"><computeroutput>
libc.so.6 =&gt; /lib/libc.so.6 (0x00125000)
/lib/ld-linux.so.2 =&gt; /lib/ld-linux.so.2 (0x00110000)
</computeroutput></literallayout>
</para></step>
<step><para>
Copy the shared libraries identified above to your new <filename class="directory">lib</filename> directory under <filename class="directory">/home/ftp</filename> directory:
<screen>
[root@deep ] /# <command>cp</command> /lib/libc.so.6 /home/ftp/lib/ <co id="ftpsc2"/>
[root@deep ] /# <command>cp</command> /lib/ld-linux.so.2 /home/ftp/lib/ <co id="ftpsc3"/>
</screen>
<calloutlist>
<callout arearefs="ftpsc2"><para>
Require only if you are not using the <envar>--enable-ls</envar> option
</para></callout>
<callout arearefs="ftpsc3"><para>
Require only if you are not using the <envar>--enable-ls</envar> option
</para></callout>
</calloutlist>
</para></step>
<step><para>
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title><para>
These libraries are needed to make <literal>ls</literal> work. Steps 3 and 4 above are required only if you want to use the <literal>ls</literal> Linux binary program instead of the <envar>--enable-ls</envar> option, which uses
the internal <literal>ls</literal> capability of Wu-ftpd.
</para>
</caution>
</para></step>
</substeps>
</step>
<step><para>
Create your <filename>/home/ftp/dev/null</filename> file:
<screen>
[root@deep ] /# <command>mknod</command> /home/ftp/dev/null c 1 3
[root@deep ] /# <command>chmod</command> 666 /home/ftp/dev/null
</screen>
</para></step>
<step><para>
Copy the <filename>group</filename> and <filename>passwd</filename> files into the <filename class="directory">/home/ftp/etc</filename> directory. These must not remain complete copies of your real ones: Wu-ftpd authenticates a user against the real <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename> before it chroots, and the copies inside the jail are consulted only to map user and group IDs to names (for directory listings). For this reason we'll remove all non-<literal>FTP</literal>
users except for the super-user <literal>root</literal> from both files, <filename>passwd</filename> and <filename>group</filename>. Never copy <filename>/etc/shadow</filename> into the jail; no password hashes belong there.
</para>
<substeps>
<step><para>
<screen>
[root@deep ] /# <command>cp</command> /etc/passwd /home/ftp/etc/
[root@deep ] /# <command>cp</command> /etc/group /home/ftp/etc/
</screen>
</para></step>
<step><para>
Edit the <filename>passwd</filename> file, <command>vi</command> <filename>/home/ftp/etc/passwd</filename> and delete all entries except for the super-user <literal>root</literal> and your allowed <literal>FTP</literal> users. It is very important that the <filename>passwd</filename> file in
the chroot environment has entries like:
<programlisting>
root:x:0:0:root:/:/dev/null
ftpadmin:x:502:502::/ftpadmin/:/dev/null
</programlisting>
</para></step>
<step><para>
<note><title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>Note</phrase></textobject>
</inlinemediaobject>
</title><para>
Two things to notice here: first, the home directory of every user inside this modified <filename>passwd</filename> file now reflects the view from inside the chrooted <literal>FTP</literal>
directory, <abbrev>i.e.</abbrev> <filename class="directory">/home/ftp/./ftpadmin/</filename> becomes <filename class="directory">/ftpadmin/</filename>; second, the login
shell of the <literal>root</literal> account has been changed to <filename>/dev/null</filename>.
</para>
</note>
</para></step>
<step><para>
Edit the <filename>group</filename> file, <command>vi</command> <filename>/home/ftp/etc/group</filename>, and delete all entries except for the super-user <literal>root</literal>
and your allowed <literal>FTP</literal> users. The remaining entries should match those in your normal <filename>group</filename> file:
<programlisting>
root:x:0:root
ftpadmin:x:502:
</programlisting>
</para></step>
</substeps>
</step>
<step><para>
Now we must set <filename>passwd</filename>, and <filename>group</filename> files in the chroot jail directory immutable for better security.
</para>
<substeps>
<step><para>
<screen>
[root@deep ] /# <command>cd</command> /home/ftp/etc/
[root@deep ] /# <command>chattr</command> +i passwd
</screen>
</para></step>
<step><para>
Set the immutable bit on <filename>group</filename> file:
<screen>
[root@deep ] /# <command>cd</command> /home/ftp/etc/
[root@deep ] /# <command>chattr</command> +i group
</screen>
</para></step>
</substeps>
</step>
</procedure>
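<para>
The two <filename>passwd</filename>-file edits above, inserting the <literal>/./</literal> marker into the guest user's real <filename>/etc/passwd</filename> entry and trimming the copies of <filename>passwd</filename> and <filename>group</filename> that live inside the jail, are easy to get wrong by hand once there are several guest users. The following shell script is an added example, not code from Wu-ftpd or from the original text: it performs both edits on files given as parameters. It assumes the jail root is <filename class="directory">/home/ftp</filename> and that the only accounts that belong inside the jail are <literal>root</literal> and the guest users you name. Run it against copies and inspect the output before installing anything under <filename class="directory">/home/ftp/etc</filename>.
</para>

```shell
#!/bin/sh
# Added example, not code from Wu-ftpd or from the book: generate the
# passwd/group entries a wu-ftpd chroot jail needs. Assumptions: the jail
# root is /home/ftp (first argument of mark_guest_home) and the only
# accounts that belong inside the jail are root plus the guest users named
# on the command line. All paths are parameters; nothing is written to
# /etc unless you redirect the output there yourself.

# mark_guest_home JAIL PASSWD_LINE
# Insert wu-ftpd's "/./" marker after the jail root in a real /etc/passwd
# entry, so that
#   ftpadmin:x:502:502::/home/ftp/ftpadmin/:/dev/null
# becomes
#   ftpadmin:x:502:502::/home/ftp/./ftpadmin/:/dev/null
# Lines that already carry the marker, or whose home lies outside the
# jail, are printed unchanged.
mark_guest_home() {
    printf '%s\n' "$2" | awk -F: -v OFS=: -v jail="$1" '
        index($6, "/./") == 0 {
            if (index($6, jail "/") == 1)
                $6 = jail "/./" substr($6, length(jail) + 2)
        }
        { print }'
}

# jail_passwd REAL_PASSWD "USER1 USER2 ..."
# Print the passwd file for /home/ftp/etc: keep root and the named guest
# users only, cut each home directory down to the part after "/./" (the
# path as seen from inside the jail), give root the home "/", and set
# every shell to /dev/null. The password field stays "x": authentication
# happens against the real /etc/shadow before the chroot, so no hashes
# belong in the jail.
jail_passwd() {
    awk -F: -v OFS=: -v users=" $2 " '
        $1 == "root" || index(users, " " $1 " ") > 0 {
            i = index($6, "/./")
            if (i > 0) $6 = substr($6, i + 2)
            if ($1 == "root") $6 = "/"
            $7 = "/dev/null"
            print
        }' "$1"
}

# jail_group REAL_GROUP "USER1 USER2 ..."
# Print the group file for /home/ftp/etc: keep the root group and the
# groups named after the guest users, and strip every member name that is
# not root or a guest user, so the jail reveals no other account names.
jail_group() {
    awk -F: -v OFS=: -v users=" $2 " '
        function keep(name) { return name == "root" || index(users, " " name " ") > 0 }
        keep($1) {
            n = split($4, m, ",")
            $4 = ""
            for (k = n; k > 0; k--)
                if (keep(m[k])) { sep = ($4 == "") ? "" : ","; $4 = m[k] sep $4 }
            print
        }' "$1"
}
```

<para>
Typical use, once the script is sourced, is <userinput>jail_passwd /etc/passwd "ftpadmin" &gt; /home/ftp/etc/passwd</userinput> and <userinput>jail_group /etc/group "ftpadmin" &gt; /home/ftp/etc/group</userinput>, followed by the <command>chattr</command> <literal>+i</literal> step above; <literal>mark_guest_home</literal> only prints the corrected <filename>passwd</filename> line, so apply it to the real file with your editor rather than by blind redirection.
</para>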
</section>
<section><?dbhtml filename="chap29sec297.html"?>
<title>Configurations</title>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>All the configuration files required for each piece of software described in this book have been provided by us as a gzipped archive, <filename>floppy.tgz</filename>, for your convenience. It can be downloaded from this web address: <link linkend="sc24obecfrs2">http://www.openna.com/books/floppy.tgz</link>
You can unpack it anywhere on your local machine, say for example <filename class="directory">/tmp</filename>; assuming you have done this, your directory structure will be <filename class="directory">/tmp/floppy</filename>. Within this floppy directory each piece of software has its own subdirectory holding its configuration files.
For example, the <wordasword>FTP</wordasword> configuration files are organised like this:
<literallayout class="monospaced"><computeroutput>
total 32
-rw-r--r-- 1 harrypotter harrypotter 419 Jun 8 13:00 Compile-Wuftpd
-rw------- 1 harrypotter harrypotter 1036 Jun 8 13:00 ftpaccess
-rw------- 1 harrypotter harrypotter 538 Jun 8 13:00 ftpconversions
-rw------- 1 harrypotter harrypotter 39 Jun 8 13:00 ftpgroups
-rw------- 1 harrypotter harrypotter 188 Jun 8 13:00 ftphosts
-rw------- 1 harrypotter harrypotter 79 Jun 8 13:00 ftpusers
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 logrotate.d/
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 pam.d/
</computeroutput></literallayout>
You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or edit them by hand to suit your needs. This facility is provided as a convenience, but please don't forget that ultimately it is your
responsibility to check and verify them before you use them, whether modified or as they are.
</para>
</note>
<para>
To run an <literal>FTP</literal> server, the following files are required and must be created or copied to the appropriate directories on your server.
<orderedlist numeration="lowerroman">
<listitem><para>
Copy the <filename>ftpaccess</filename> file to the <filename class="directory">/etc/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>ftpusers</filename> file to the <filename class="directory">/etc/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>ftphosts</filename> file to the <filename class="directory">/etc/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>ftpgroups</filename> file to the <filename class="directory">/etc/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>ftpconversions</filename> file to the <filename class="directory">/etc/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>ftp</filename> file to the <filename class="directory">/etc/pam.d/</filename> directory.
</para></listitem><listitem><para>
Copy the <filename>ftpd</filename> file to the <filename class="directory">/etc/logrotate.d/</filename> directory.
</para></listitem>
</orderedlist>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can obtain the configuration files listed in the next sections from our <filename>floppy.tgz</filename> archive. Copy the following files from the decompressed
<filename>floppy.tgz</filename> archive to the appropriate places, or copy them directly from this book into the file concerned.
</para></tip>
</section>
<section><?dbhtml filename="chap29sec298.html"?>
<title>Configure the <filename>/etc/ftphosts</filename> file</title>
<para>
The <filename>/etc/ftphosts</filename> file is used to define whether particular users are allowed to log in from certain hosts, or are denied access from them.
</para>
<procedure>
<step><para>
Create the <filename>ftphosts</filename> file, <command>touch</command> <filename>/etc/ftphosts</filename> and add for example in this file the following lines:
<programlisting>
# Example host access file
#
# Everything after a '#' is treated as comment,
# empty lines are ignored
allow ftpadmin 208.164.186.1 208.164.186.2 208.164.186.4
deny ftpadmin 208.164.186.5
</programlisting>
In the example above, we allow the user <literal>ftpadmin</literal> to connect via <literal>FTP</literal> only from the explicitly listed addresses <literal>208.164.186.1</literal>, <literal>208.164.186.2</literal> and <literal>208.164.186.4</literal>, and
deny the same <literal>ftpadmin</literal> user any connection from the address <literal>208.164.186.5</literal>.
</para></step>
<step><para>
Now, change its default permission to be <literal>600</literal>:
<screen>
[root@deep ] /# <command>chmod</command> 600 /etc/ftphosts
</screen>
</para></step>
</procedure>
<section>
<title>Configure the <filename>/etc/ftpusers</filename> file</title>
<para>
The <filename>/etc/ftpusers</filename> file specifies those users that are <emphasis>NOT</emphasis> allowed to connect to your <literal>FTP</literal> server.
</para>
<procedure>
<step><para>
Create the <filename>ftpusers</filename> file, <command>touch</command> <filename>/etc/ftpusers</filename> and add in this file the following users for security reasons:
<programlisting>
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
</programlisting>
</para></step>
<step><para>
Now, change its default permission to be <literal>600</literal>:
<screen>
[root@deep ] /# <command>chmod</command> 600 /etc/ftpusers
</screen>
</para></step>
</procedure>
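<para>
Checking by hand whether a given user from a given address would get past both <filename>/etc/ftpusers</filename> and <filename>/etc/ftphosts</filename> is tedious once the files grow. The following shell function is an added example, not part of Wu-ftpd or of the original text: it takes a user name, a client address and the paths of an <filename>ftpusers</filename> and an <filename>ftphosts</filename> file, and reports whether that login would be refused by either, applying the rules described above and in <literal>ftphosts(5)</literal>: a name in <filename>ftpusers</filename> is always refused; a <literal>deny</literal> line refuses the user from the listed addresses; once a user has any <literal>allow</literal> line, only the listed addresses are accepted; a user with no <filename>ftphosts</filename> lines at all may connect from anywhere. Address patterns are treated as shell-style globs such as <literal>208.164.186.*</literal>. The file paths are parameters so that a draft can be tested before it is installed in <filename class="directory">/etc</filename>.
</para>

```shell
#!/bin/sh
# Added example, not part of Wu-ftpd or of the book: report whether a login
# by USER from ADDR would pass the /etc/ftpusers and /etc/ftphosts checks.
# Rules applied (as described in the text and in ftphosts(5)):
#   - a login name listed in ftpusers is always refused;
#   - "deny USER ADDR..." refuses USER from the listed addresses;
#   - once USER has any "allow USER ADDR..." line, only the listed
#     addresses are accepted;
#   - a user with no ftphosts lines at all may connect from anywhere.
# Address patterns are shell-style globs (208.164.186.* is fine).
#
# Usage: ftp_access USER ADDR FTPUSERS_FILE FTPHOSTS_FILE
# Prints "allow" or "deny"; exit status 0 for allow, 1 for deny.
ftp_access() {
    user=$1 addr=$2 ftpusers=$3 ftphosts=$4

    # ftpusers: one login name per line, '#' comment lines allowed.
    if grep -v '^#' "$ftpusers" | grep -qx "$user"; then
        echo deny
        return 1
    fi

    verdict=$(awk -v user="$user" -v addr="$addr" '
        # Turn a shell glob into an anchored extended regular expression,
        # escaping every character that is special in an ERE.
        function glob2re(p,    r, i, c) {
            r = "^"
            for (i = 1; i != length(p) + 1; i++) {
                c = substr(p, i, 1)
                if (c == "*")                             r = r ".*"
                else if (c == "?")                        r = r "."
                else if (index(".[]()^$+|\\{}", c) > 0)   r = r "\\" c
                else                                      r = r c
            }
            return r "$"
        }
        { sub(/#.*/, "") }                 # strip comments (whole-line or trailing)
        NF > 2 {                           # need at least: kind user address
            if ($2 != user) next
            hit = 0
            for (i = 3; i != NF + 1; i++)
                if (addr ~ glob2re($i)) hit = 1
            if ($1 == "deny") { if (hit) { denied = 1; exit } }
            else if ($1 == "allow") { seen_allow = 1; if (hit) allowed = 1 }
        }
        END {
            if (denied)          print "deny"
            else if (seen_allow) print (allowed ? "allow" : "deny")
            else                 print "allow"
        }' "$ftphosts")

    echo "$verdict"
    [ "$verdict" = allow ]
}
```

<para>
The verdict is also the exit status (0 for allow, 1 for deny), so the function can be used from scripts. It reproduces only the <filename>ftpusers</filename> and <filename>ftphosts</filename> checks; the <command>tcpd</command>, PAM and <filename>ftpaccess</filename> restrictions that also apply on a real server are not modelled here.
</para>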
</section>
</section>
<section><?dbhtml filename="chap29sec299.html"?>
<title>Configure the <filename>/etc/ftpconversions</filename> file</title>
<para>
The <filename>/etc/ftpconversions</filename> file defines the on-the-fly conversions (compress, uncompress, tar and checksum) that the server may apply to a file before the transfer when a client requests it under a different suffix.
</para>
<procedure>
<step><para>
Edit the <filename>ftpconversions</filename> file, <command>vi</command> <filename>/etc/ftpconversions</filename> and add in this file the following lines:
<programlisting>
:.Z: : :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS
: : :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS
:.gz: : :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP
: : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP
: : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR
: : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS
: : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP
: : :.crc:/bin/cksum %s:T_REG::CKSUM
: : :.md5:/bin/md5sum %s:T_REG::MD5SUM
</programlisting>
</para></step>
<step><para>
Now, change its default permissions to be <literal>600</literal>:
<screen>
[root@deep ] /# <command>chmod</command> 600 /etc/ftpconversions
</screen>
</para></step>
</procedure>
<section>
<title>Configure the <filename>/etc/pam.d/ftp</filename> file</title>
<para>
Configure your <filename>/etc/pam.d/ftp</filename> file to use PAM authentication by creating the <filename>/etc/pam.d/ftp</filename> file and adding the following lines:
<programlisting>
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_shells.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so
</programlisting>
The <literal>pam_listfile</literal> line refuses any login name listed in <filename>/etc/ftpusers</filename>; <literal>onerr=succeed</literal> means that if that file is missing or unreadable the check is skipped and authentication continues, so keep the file in place, or use <literal>onerr=fail</literal> to fail closed. <literal>nullok</literal> lets an account with an empty password log in; drop it if every <literal>FTP</literal> account is required to have a password. The <literal>pam_shells</literal> line accepts only accounts whose shell appears in <filename>/etc/shells</filename>, which is why <filename>/dev/null</filename> was added to that file when the <literal>FTP</literal> users were created.
</para>
</section>
</section>
<section><?dbhtml filename="chap29sec300.html"?>
<title>Configure the <filename>/etc/logrotate.d/ftpd</filename> file</title>
<para>
Configure your <filename>/etc/logrotate.d/ftpd</filename> file to rotate the transfer log automatically each week (the interval is inherited from <filename>/etc/logrotate.conf</filename>) by creating the <filename>/etc/logrotate.d/ftpd</filename> file and adding the following lines:
<programlisting>
/var/log/xferlog {
# ftpd doesn't handle SIGHUP properly
nocompress
}
</programlisting>
</para>
<section>
<title>Configure ftpd to use tcp-wrappers inetd</title>
<para>
The <literal>ftpd</literal> server is started on demand by <literal>inetd</literal>, and it should be wrapped by <command>tcpd</command> (TCP wrappers) so that access can be controlled through <filename>/etc/hosts.allow</filename> and <filename>/etc/hosts.deny</filename>. Upon execution, inetd reads its configuration from a file which, by default, is <filename>/etc/inetd.conf</filename>. Each line
of that file describes one service, and its fields must all be present, separated by tabs or spaces.
</para>
<para>
Edit the <filename>inetd.conf</filename> file, <command>vi</command> <filename>/etc/inetd.conf</filename> and add or verify the existence of the following line:
<programlisting>
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
</programlisting>
Update your <filename>inetd.conf</filename> file by sending a SIGHUP signal, <command>killall</command> <parameter class="option">-HUP</parameter> inetd, after adding the above line in the file.
<screen>
[root@deep ] /# killall -HUP inetd
</screen>
</para>
<para>
Edit the <filename>hosts.allow</filename> file, <command>vi</command> <filename>/etc/hosts.allow</filename> and add, for example, the following line:
<programlisting>
in.ftpd: 192.168.1.4 win.openna.com
</programlisting>
Which means that the client with <acronym>IP</acronym> <literal>192.168.1.4</literal> or host name <literal>win.openna.com</literal> is allowed to <literal>FTP</literal> to the server. This only restricts access if everyone else is refused in <filename>/etc/hosts.deny</filename>, for example with the line <literal>ALL: ALL</literal>; with an empty <filename>hosts.deny</filename>, <command>tcpd</command> admits every client that is not explicitly denied.
</para>
</section>
</section>
<section><?dbhtml filename="chap29sec301.html"?>
<title><acronym>FTP</acronym> Administrative Tools</title>
<formalpara>
<title>ftpwho</title>
<para>
The ftpwho program utility displays all active ftp users, and their current process information on the system. The output of the command is in the format of the <parameter class="command">/bin/ps</parameter> command. The format of this command is:
</para>
</formalpara>
<para>
To displays all active ftp users and their current process, use the following command:
<screen>
[root@deep ] /# <command>ftpwho</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Service class openna:
5443 ? S 0:00 ftpd: win.openna.com: ftpadmin: IDLE
- 1 users ( 20 maximum)
</computeroutput></literallayout>
Here, you can see that one user is logged in, 20 users are allowed to be connected, and this user has the username <literal>ftpadmin</literal> who claims to be from <literal>win.openna.com</literal>.
</para>
<formalpara>
<title>ftpcount</title>
<para>
The ftpcount program utility, which is a simplified version of ftpwho, shows only the current number of users logged in to the system, and the maximum number of users allowed.
</para>
</formalpara>
<para>
To shows only the current number of users logged in to the system and the maximum number of users allowed, use the following command:
<screen>
[root@deep ] /# <command>ftpcount</command>
</screen>
<literallayout class="monospaced"><computeroutput>
Service class openna - 1 users ( 20 maximum)
</computeroutput></literallayout>
</para>
</section>
<section><?dbhtml filename="chap29sec301.html"?>
<title>Securing <literal>FTP</literal></title>
<formalpara>
<title>The ftpusers file</title>
<para>
It's important to ensure that you have set up the file <filename>/etc/ftpusers</filename> which specifies those users that are NOT allowed to connect to your <literal>FTP</literal> server. This should include, as a MINIMUM, the following
entries: <literal>root</literal>, bin, daemon, adm, lp, sync, shutdown, halt, mail, news, uucp, operator, games, nobody and ALL other default vendor supplied accounts available in your <filename>/etc/passwd</filename> file.
</para>
</formalpara>
<formalpara>
<title>The anonymous <literal>FTP</literal> program</title>
<para>
To disable anonymous <literal>FTP</literal>, remove the anonymous user <literal>ftp</literal> from your password file and verify that anonftp-version.i386.rpm package is not installed on your system.
</para>
</formalpara>
<para>
To remove the user <literal>ftp</literal> from your password file, use the following command:
<screen>
[root@deep ] /# <command>userdel</command> ftp
</screen>
To verify that the <acronym>RPM</acronym> package of anonymous <literal>FTP</literal> program is not installed on your Linux system, use the following command:
<screen>
[root@deep ] /# <command>rpm</command> -q anonftp
</screen>
<literallayout class="monospaced"><computeroutput>
package anonftp is not installed
</computeroutput></literallayout>
</para>
<formalpara>
<title>The upload command</title>
<para>
By default, the Wu-ftpd server will grant upload privileges to all users. The upload parameter allow remote clients to load and place files on the <literal>FTP</literal> server. For optimal security, we don't want users being able to
upload into <filename class="directory">bin</filename>, <filename class="directory">etc</filename>, <filename class="directory">dev</filename>, and <filename class="directory">lib</filename> subdirectories in the <filename class="directory">/home/ftp</filename>
directory. In our <filename>/etc/ftpaccess</filename> file we have already chroot'd users to <filename class="directory">/home/ftp</filename> and they cannot access any area of the filesystem outside that directory structure, but in case something
happens to the permissions on them you should deny upload privileges in your <filename class="directory">/etc/ftpaccess</filename> file into these areas; <filename class="directory">/home/ftp/</filename>, <filename class="directory">/home/ftp/bin</filename>,
<filename class="directory">/home/ftp/etc</filename>, <filename class="directory">/home/ftp/dev</filename>, and <filename class="directory">/home/ftp/lib</filename>.
</para>
</formalpara>
<para>
Edit the <filename>ftpaccess</filename> file, <command>vi</command> <filename>/etc/ftpaccess</filename> and add the following lines to deny upload privileges into these areas.
<programlisting>
# We don't want users being able to upload into these areas.
upload /home/ftp/* / no
upload /home/ftp/* /etc no
upload /home/ftp/* /dev no
upload /home/ftp/* /bin no <co id="ftacss1"/>
upload /home/ftp/* /lib no <co id="ftacss2"/>
</programlisting>
<calloutlist>
<callout arearefs="ftacss1"><para>
Require only if you are not using the <parameter class="option">--enable-ls</parameter> option.
</para></callout>
<callout arearefs="ftacss2"><para>
Require only if you are not using the <parameter class="option">--enable-ls</parameter> option.
</para></callout>
</calloutlist>
The above lines specify to deny upload into the <filename class="directory">/</filename>, <filename class="directory">/etc</filename>, <filename class="directory">/dev</filename>, <filename class="directory">/bin</filename> and <filename class="directory">/lib</filename>
directories of the chroot'd <filename class="directory">/home/ftp</filename> directory structure.
</para>
</section>
<section><?dbhtml filename="chap29sec302.html"?>
<title>The special file <filename>.notar</filename></title>
<para>
Whether you allow on-the-fly tarring of directories or not, you should make sure an end-run cannot be made using tar command in all areas where the upload parameter is not permit.
To do so, create the special file <filename>.notar</filename> in each directory and in the <literal>FTP</literal> directory.
</para>
<screen>
[root@deep ] /# <command>touch</command> /home/ftp/.notar
[root@deep ] /# <command>touch</command> /home/ftp/etc/.notar
[root@deep ] /# <command>touch</command> /home/ftp/dev/.notar
[root@deep ] /# <command>touch</command> /home/ftp/bin/.notar <co id="ftpntr1"/>
[root@deep ] /# <command>touch</command> /home/ftp/lib/.notar <co id="ftpntr2"/>
[root@deep ] /# <command>chmod</command> 0 /home/ftp/.notar
[root@deep ] /# <command>chmod</command> 0 /home/ftp/etc/.notar
[root@deep ] /# <command>chmod</command> 0 /home/ftp/dev/.notar
[root@deep ] /# <command>chmod</command> 0 /home/ftp/bin/.notar <co id="ftpntr3"/>
[root@deep ] /# <command>chmod</command> 0 /home/ftp/lib/.notar <co id="ftpntr4"/>
</screen>
<calloutlist>
<callout arearefs="ftpntr1"><para>
Require only if you are not using the <parameter class="option">--enable-ls</parameter> option.
</para></callout>
<callout arearefs="ftpntr2"><para>
Require only if you are not using the <parameter class="option">--enable-ls</parameter> option.
</para></callout>
<callout arearefs="ftpntr3"><para>
Require only if you are not using the <parameter class="option">--enable-ls</parameter> option.
</para></callout>
<callout arearefs="ftpntr4"><para>
Require only if you are not using the <parameter class="option">--enable-ls</parameter> option.
</para></callout>
</calloutlist>
<para>
The zero-length <filename>.notar</filename> file can confuse some web clients and <literal>FTP</literal> proxies, so let's mark it irretrievable to solve the problem. Add the following lines to your <filename>/etc/ftpaccess</filename> file.
<programlisting>
noretrieve .notar
</programlisting>
</para>
<formalpara>
<title>The noretrieve command</title>
<para>
The noretrieve parameter of Wu-ftpd server allow you to deny transfer of the sectected directories or files. It is also a good idea to prevent downloads of those subdirectories <filename class="directory">bin</filename>, <filename class="directory">etc</filename>,
<filename class="directory">dev</filename>, and <filename class="directory">lib</filename> in the <filename class="directory">/home/ftp</filename> directory with the command <command>noretrieve</command> in your <filename>/etc/ftpaccess</filename> file.
<programlisting>
# We'll prevent downloads with noretrieve.
noretrieve /home/ftp/etc
noretrieve /home/ftp/dev
noretrieve /home/ftp/bin <co id="ftpntrv1"/>
noretrieve /home/ftp/lib <co id="ftpntrv2"/>
</programlisting>
<calloutlist>
<callout arearefs="ftpntrv1"><para>
Require only if you are not using the <parameter class="option">--enable-ls</parameter> option.
</para></callout>
<callout arearefs="ftpntrv2"><para>
Require only if you are not using the <parameter class="option">--enable-ls</parameter> option.
</para></callout>
</calloutlist>
</para>
</formalpara>
</section>
<section><?dbhtml filename="chap29sec303.html"?>
<title>Installed files</title>
<para>
These are the files installed on your system:
</para>
<simplelist type="horiz" columns="2">
<member><filename>/etc/pam.d/ftp</filename></member>
<member><filename>/etc/logrotate.d/ftpd</filename></member>
<member><filename>/etc/ftpaccess</filename></member>
<member><filename>/etc/ftpconversions</filename></member>
<member><filename>/etc/ftpgroups</filename></member>
<member><filename>/etc/ftphosts</filename></member>
<member><filename>/etc/ftpusers</filename></member>
<member><filename>/home/ftp/</filename></member>
<member><filename>/usr/bin/ftpcount</filename></member>
<member><filename>/usr/bin/ftpwho</filename></member>
<member><filename>/usr/man/man1/ftpcount.1</filename></member>
<member><filename>/usr/man/man1/ftpwho.1</filename></member>
<member><filename>/usr/man/man5/ftpaccess.5</filename></member>
<member><filename>/usr/man/man5/ftphosts.5</filename></member>
<member><filename>/usr/man/man5/ftpconversions.5</filename></member>
<member><filename>/usr/man/man5/xferlog.5</filename></member>
<member><filename>/usr/man/man8/ftpd.8</filename></member>
<member><filename>/usr/man/man8/ftpshut.8</filename></member>
<member><filename>/usr/man/man8/ftprestart.8</filename></member>
<member><filename>/usr/sbin/in.ftpd</filename></member>
<member><filename>/usr/sbin/ftpshut</filename></member>
<member><filename>/usr/sbin/ckconfig</filename></member>
<member><filename>/usr/sbin/ftprestart</filename></member>
<member><filename>/usr/sbin/xferstats</filename></member>
<member><filename>/usr/sbin/wu.ftpd</filename></member>
<member><filename>/usr/sbin/in.wuftpd</filename></member>
<member><filename>/var/log/xferlog</filename></member>
</simplelist>
</section>
</chapter>
</part>
<part label="7"><?dbhtml filename="backup-rest.html"?>
<title>Backup and Restore</title>
<partintro>
<mediaobject>
<imageobject>
<imagedata fileref="./resources/Annimals/Chapter19-20.gif" format="GIF" align="center"/>
</imageobject>
<textobject><phrase>hen, cock!</phrase></textobject>
</mediaobject>
<abstract><para>
A secure and reliable server is closely related to performing regular backups. Failures will probably occur sometimes. They may be caused by attacks, hardware failure, human error, power outages, etc. The safest method of doing backups
is to record them in a location separate from your Linux system like over a network, from tape, removable drive, writable CD-ROM, etc.
</para></abstract></partintro>
<chapter label="33"><?dbhtml filename="whywhen.html"?>
<title>Why's and When's of Backup and Restore</title>
<highlights><para>
Many methods of performing backups with Linux exist, such as dump, tar, cpio, as well as dd that are each available by default on your Linux system. Also available are text-based utilities, such as Amanda, which is designed to add a friendlier
user interface to the backup and restore procedures. Finally, commercial backup utilities are also available, such as BRU.
</para>
<para>
The procedures for performing a backup and restore will differ depending on your choice of a backup solution. For this reason we will discuss methods for performing backups with the traditional UNIX tools:
<orderedlist numeration="lowerroman">
<listitem><para>
tar
</para></listitem><listitem><para>
dump which is a command-line backup tool.
</para></listitem>
</orderedlist>
</para>
</highlights>
<section><?dbhtml filename="whatoback.html"?>
<title>What to backup</title>
<para>
The idea of making a backup is to back up as much as possible on your system, but some exceptions do exist as shown below. It is not logical to include these in your backup at the cost of time and space in your media for nothing.
The major exceptions to not include in your backup are:
<itemizedlist>
<listitem><para>
The <filename>/proc</filename> file system: since it only contains data that the kernel generates automatically, it is never a good idea to back it up.
</para></listitem><listitem><para>
The <filename>/mnt</filename> file system, because it is where you mount your removable media like CD-ROM, floppy disk and other.
</para></listitem>
</itemizedlist>
</para>
<para>
The backup directory or media where you have placed your backup files, such as a tape, CD-ROM, NFS mounted file system, remote/local directory or other kind of media.
Software that can be easily reinstalled, though they may have configuration files that are important to back up, lest you do all the work to configure them all over again. I will recommend putting them. <emphasis>the configuration files for software</emphasis> on the floppy disk.
</para>
</section>
<section><?dbhtml filename="chap29sec305.html"?>
<title>The tar backup program</title>
<para>
The tar backup program is an archiving program designed to store and extract files from an archive file known as a tarfile. A tarfile may be made on a tape drive; however, it is also common to write a tarfile to a normal file.
</para>
<para>
A simple backup is when you decide to make a backup of files on your system you must choose a backup scheme before the beginning of your backup procedure. A lot of strategic backup schemes exist, and depend on the backup policies you
want to use. In the following, We have shown you one backup scheme that you may use which takes advantage of the tar program's capabilities. This scheme is to first back up everything once, then back up everything that has been modified
since the previous backup.
<orderedlist numeration="lowerroman">
<listitem><para>
The first backup is called a full backup
</para></listitem><listitem><para>
The subsequent ones are incremental backups.
</para></listitem>
</orderedlist>
</para>
<para>
With six tapes you can make backups every day; The procedure is to use tape 1 for the first full backup <emphasis>Friday 1</emphasis>, and tapes 2 to 5 for the incremental backups <emphasis>Monday through Thursday</emphasis>. Then, you make a new full backup
on tape 6 <emphasis>second Friday</emphasis>, and start doing incremental ones with tapes 2 to 5 again. It's important to keep tape 1 at its state until you've got a new full backup with tape 6.
</para>
<para>
In the following example below, we assume that we write the backup to a <acronym>SCSI</acronym> tape drive named <filename>/dev/st0,</filename> and we backup the home directory <filename class="directory">/home</filename> of
our system. First of all, we must to move to the file system <filename>/</filename> partition. When creating an archive file, tar will strip leading <literal>/</literal> <emphasis>slash</emphasis> characters from file path names. This
means that restored files may not end up in the same locations they were backed up from. Therefore, to solve the problem, the solution is to change to the <filename>/</filename> root directory before making all backups and
restorations.
</para>
<para>
To move to the <filename class="directory">/</filename> root directory, use the command:
<screen>
[root@deep]# <command>cd</command> /
</screen>
It is important to always start with a full backup; <emphasis>say on a Friday</emphasis>, for example:
</para>
<formalpara>
<title>Friday 1</title>
<para>
use tape 1 for the first full backup.
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>tar</command> cpf /dev/st0 --label=" full-backup created on `date '+%d-%B-%Y'`." \
--directory / home
</screen>
</para>
</formalpara>
<formalpara>
<title>Monday</title>
<para>
use tapes 2 for the incremental backups.
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>tar</command> cpNf /dev/st0 --label=" full-backup created on `date '+%d-%B-%Y'`." \
--directory / home
</screen>
</para>
</formalpara>
<formalpara>
<title>Tuesday</title>
<para>
use tapes 3 for the incremental backups.
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>tar</command> cpNf /dev/st0 --label=" full-backup created on `date '+%d-%B-%Y'`." \
--directory / home
</screen>
</para>
</formalpara>
<formalpara>
<title>Wednesday</title>
<para>
use tapes 4 for the incremental backups.
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>tar</command> cpNf /dev/st0 --label=" full-backup created on `date '+%d-%B-%Y'`." \
--directory / home
</screen>
</para>
</formalpara>
<formalpara>
<title>Thursday</title>
<para>
use tapes 5 for the incremental backups.
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>tar</command> cpNf /dev/st0 --label=" full-backup created on `date '+%d-%B-%Y'`." \
--directory / home
</screen>
</para>
</formalpara>
<formalpara>
<title>Friday 2</title>
<para>
use tape 6 for the new full backups.
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>tar</command> cpf /dev/st0 --label=" full-backup created on `date '+%d-%B-%Y'`." \
--directory / home
</screen>
</para>
</formalpara>
<para>
Now, start doing incremental ones with tapes 2 to 5 again and so on.
<itemizedlist>
<listitem><para>
The <literal>c</literal> option specifies that an archive file is begin created.
</para></listitem><listitem><para>
The <literal>p</literal> option preserves permissions; file protection information will be <emphasis>remembered</emphasis>.
</para></listitem><listitem><para>
The <literal>N</literal> option does an incremental backup and only stores files newer than DATE.
</para></listitem><listitem><para>
The <literal>f</literal> option states that the very next argument will be the name of the archive file or device being written.
</para></listitem>
</itemizedlist>
</para>
<para>
Notice how a filename, which contains the current date, is derived, simply by enclosing the <literal>date</literal> command between two back-quote characters. A common naming convention is to add a <literal>tar</literal> suffix for non-compressed
archives, and a <literal>tar.gz</literal> suffix for compressed ones. Since we aren't able to specify a filename for the backup set, the <literal>--label</literal> option can be used to write some information about the backup set into the
archive file itself. Finally, only the files contained in the <filename class="directory">/home</filename> are written to the tape.
</para>
<para>
Because the tape drive is a character device, it is not possible to specify an actual file name. Therefore, the file name used as an argument to <literal>tar</literal> is simply the name of the
device, <filename>/dev/st0</filename>, the first tape device. The <filename>/dev/st0</filename> device does not rewind after the backup set is written. Therefore it is possible to write multiple
sets on one tape. You may also refer to the device as <filename>/dev/st0</filename>, in which case the tape is automatically rewound after the backup set is written. When working with tapes you
can use the following commands to rewind and eject your tape:
<screen>
[root@deep] /# <command>mt</command> -f /dev/st0 rewind
[root@deep] /# <command>mt</command> -f /dev/st0 offline
</screen>
</para>
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
To reduce the space needed on a <literal>tar</literal> archive, the backups can be compressed with the <literal>z</literal> option of <command>tar</command> program. Unfortunately, using this option to compress backups can cause trouble. Due to
the nature of how compression works, if a single bit in the compressed backup is wrong, all the rest of the compressed data will be lost. It's recommended to NOT using compression, the <literal>z</literal> option to make backups with the <command>tar</command> command.
</para>
</caution>
<para>
If your backup doesn't fit on one tape, you'll need to use the <literal>--multi-volume</literal> <literal>-M</literal> option:
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>tar</command> cMpf /dev/st0 /home
</screen>
Prepare volume #2 for <filename>/dev/st0</filename> and hit return:
</para>
<para>
After you have made a backup, you should check that it is OK, using the <literal>--compare</literal> <literal>-d</literal> option as shown below:
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>tar</command> dvf /dev/st0
</screen>
</para>
<para>
To perform a backup of your entire system, use the following command:
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>tar</command> cpf /archive/full-backup-`date '+%d-%B-%Y'`.<command>tar</command> \
--directory / --exclude=proc --exclude=mnt --exclude=archive \
--exclude=cache --exclude=*/lost+found .
</screen>
<itemizedlist>
<listitem><para>
The <literal>--directory</literal> option tells <command>tar</command> to first switch to the following directory path, the <filename class="directory">/</filename> directory in this example, prior to starting the backup.
</para></listitem><listitem><para>
The <literal>--exclude</literal> options tells <command>tar</command> not to bother backing up the specified directories or files.
</para></listitem><listitem><para>
The <literal>.</literal> character at the end of the command tells <command>tar</command> that it should back up everything in the current directory.
</para></listitem>
</itemizedlist>
</para>
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
When backing up your file systems, do not include the <filename class="symlink">/proc</filename> pseudo-file-system! The files in <filename class="symlink">/proc</filename> are not actually files but are simply file-like links which describe
and point to kernel data structures. Also, do not include the <filename class="directory">/mnt</filename>, <filename class="directory">/archive</filename>, and all <filename class="directory">lost+found</filename> directories.
</para>
</caution>
</section>
<section><?dbhtml filename="chap29sec306.html"?>
<title>Automating backups with <command>tar</command></title>
<para>
It is always interesting to automate the tasks of a backup. Automation offers enormous opportunities for using your Linux server to achieve the goals you set. The following example below is our backup
script, called <filename>backup.cron.</filename> This script is designed to run on any computer by changing only the four variables:
<orderedlist numeration="lowerroman">
<listitem><para>
COMPUTER
</para></listitem><listitem><para>
DIRECTORIES
</para></listitem><listitem><para>
BACKUPDIR
</para></listitem><listitem><para>
TIMEDIR
</para></listitem>
</orderedlist>
</para>
<para>
We suggest that you set this script up and run it at the beginning of the month for the first time, and then run it for a month before making major changes. In our example below we do the backup to a directory on
the local server BACKUPDIR, but you could modify this script to do it to a tape on the local server or via an <acronym>NFS</acronym> mounted file system.
</para>
<procedure>
<step><para>
Create the backup script <filename>backup.cron</filename> file, <command>touch</command> <filename>/etc/cron.daily/backup.cron</filename> and add the following lines to this backup file:
<programlisting>
#!/bin/sh
# full and incremental backup script
# created 07 February 2000
# Based on a script by Daniel O'Callaghan &lt;danny@freebsd.org&gt;
# and modified by Gerhard Mourani &lt;gmourani@videotron.ca&gt;
#Change the 5 variables below to fit your computer/backup
COMPUTER=deep # name of this computer
DIRECTORIES="/home" # directoris to backup
BACKUPDIR=/backups # where to store the backups
TIMEDIR=/backups/last-full # where to store time of full backup
TAR=/bin/tar # name and locaction of tar
#You should not have to change anything below here
PATH=/usr/local/bin:/usr/bin:/bin
DOW=`date +%a` # Day of the week e.g. Mon
DOM=`date +%d` # Date of the Month e.g. 27
DM=`date +%d%b` # Date and Month e.g. 27Sep
# On the 1st of the month a permanet full backup is made
# Every Sunday a full backup is made - overwriting last Sundays backup
# The rest of the time an incremental backup is made. Each incremental
# backup overwrites last weeks incremental backup of the same name.
#
# if NEWER = "", then tar backs up all files in the directories
# otherwise it backs up files newer than the NEWER date. NEWER
# gets it date from the file written every Sunday.
# Monthly full backup
if [ $DOM = "01" ]; then
NEWER=""
$TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DM.tar $DIRECTORIES
fi
# Weekly full backup
if [ $DOW = "Sun" ]; then
NEWER=""
NOW=`date +%d-%b`
# Update full backup date
echo $NOW > $TIMEDIR/$COMPUTER-full-date
$TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES
# Make incremental backup - overwrite last weeks
else
# Get date of last full backup
NEWER="--newer `cat $TIMEDIR/$COMPUTER-full-date`"
$TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES
fi
</programlisting>
<example>
<title>Backup directory of a week</title>
<para>
Here is an abbreviated look of the backup directory after one week:
<screen>
[root@deep] /# <command>ls</command> -l /backups/
</screen>
<literallayout class="monospaced"><computeroutput>
total 22217
-rw-r--r-- 1 root root 10731288 Feb 7 11:24 deep-01Feb.<command>tar</command>
-rw-r--r-- 1 root root 6879 Feb 7 11:24 deep-Fri.<command>tar</command>
-rw-r--r-- 1 root root 2831 Feb 7 11:24 deep-Mon.<command>tar</command>
-rw-r--r-- 1 root root 7924 Feb 7 11:25 deep-Sat.<command>tar</command>
-rw-r--r-- 1 root root 11923013 Feb 7 11:24 deep-Sun.<command>tar</command>
-rw-r--r-- 1 root root 5643 Feb 7 11:25 deep-Thu.<command>tar</command>
-rw-r--r-- 1 root root 3152 Feb 7 11:25 deep-Tue.<command>tar</command>
-rw-r--r-- 1 root root 4567 Feb 7 11:25 deep-Wed.<command>tar</command>
drwxr-xr-x 2 root root 1024 Feb 7 11:20 last-full
</computeroutput></literallayout>
</para></example>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The directory where to store the backups <filename class="directory">BACKUPDIR</filename>, and the directory where to store time of full backup <filename class="directory">TIMEDIR</filename> must exist or be created before
the use of the backup-script, or you will receive an error message.
</para></important>
</para></step>
<step><para>
If you are not running this backup script from the beginning of the month <emphasis>01-month-year</emphasis>, the incremental backups will need the time of the Sunday backup to be able to work properly. If you start in the
middle of the week, you will need to create the time file in the <filename class="directory">TIMEDIR</filename>.
To create the time file in the <filename class="directory">TIMEDIR</filename> directory, use the following command:
<screen>
[root@deep] /# <command>date</command> +%d%b &lt; /backups/last-full/myserver-full-date
</screen>
Where <envar>/backups/last-full</envar> is our variable TIMEDIR wherein we want to store the time of the full backup, and <envar>myserver-full-date</envar> is the name of our server e.g. <literal>deep</literal>, and our time
file consists of a single line with the present date i.e. 15-Feb.
</para></step>
<step><para>
Make this script executable and change its default permissions to be writable only by the super-user <literal>root</literal> <literal>755</literal>.
<screen>
[root@deep] /# <command>chmod</command> 755 /etc/cron.daily/backup.cron
</screen>
</para></step>
</procedure>
<note>
<title><inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</inlinemediaobject></title>
<para>
Because this script is in the <filename class="directory">/etc/cron.daily</filename> directory, it will be automatically run as a cron job at one o'clock in the morning every day.
</para></note>
</section>
<section><?dbhtml filename="chap29sec307.html"?>
<title>Restore files with <command>tar</command></title>
<para>
More important than performing regular backups is having them available when we need to recover important files! In this section, we will discuss methods for restoring files, which have been backed up with <command>tar</command> command.
</para>
<para>
The following command will restore all files from the <literal>full-backup-Day-Month-Year.tar</literal> archive, which is an example backup of our <filename class="directory">home</filename> directory created from the
example <command>tar</command> commands shown above.
<screen>
[root@deep] /# <command>cd</command> /
[root@deep] /# <command>tar</command> xpf /dev/st0/full-backup-Day-Month-Year.<command>tar</command>
</screen>
The above command extracts all files contained in the compressed archive, preserving original file ownership and permissions.
<itemizedlist>
<listitem><para>
The x option stands for extract.
</para></listitem><listitem><para>
The <literal>p</literal> option preserve permissions; file protection information will be <emphasis>remembered.</emphasis>
</para></listitem><listitem><para>
The <literal>f</literal> option states that the very next argument will be the name of the archive file or device.
</para></listitem>
</itemizedlist>
</para>
<para>
If you do not need to restore all the files contained in the archive, you can specify one or more files that you wish to restore:
To specify one or more files that you wish to restore, use the following command:
<screen>
[root@deep]# <command>cd</command> /
[root@deep]# <command>tar</command> xpf /dev/st0/full-backup-Day-Month-Year.<command>tar</command> \
home/wahib/Personal/Contents.doc home/quota.user
</screen>
The above command restores the <filename>/home/wahib/Personal/Contents.doc</filename> and <filename>/home/quota.user</filename> files from the archive.
</para>
<para>
If you just want to see what files are in the backup volume, Use the <literal>--list</literal> or <literal>-t</literal> option:
<screen>
[root@deep] /# <command>tar</command> tf /dev/st0
</screen>
</para>
<caution>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Caution.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Caution</phrase></textobject>
</inlinemediaobject>
</title>
<para>
If you have files on your system set with the immutable bit, using the <command>chattr</command> command, these files will not be remembered with the immutable bit from your restored backup. You must reset it immutable with the
command <command>chattr</command> +i after the backup is completed.
</para></caution>
<note>
<title>Test the ability to recover</title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Note.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>Note</phrase>
</textobject>
</mediaobject>
<para>
Don't forget to test the ability to recover from backups: for many system administrators, recovering a file from a backup is an uncommon activity. This step assures that if you need to recover a file, the tools and processes will work. Performing
this test periodically will help you to discover problems with the backup procedures so you can correct them before losing data. Some backup restoration software does not accurately recover the correct file protection and file ownership controls.
Check the attributes of restored files to ensure they are being set correctly. Periodically test to ensure that you can perform a full system recovery from your backups.
</para>
</note>
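<para>
The following drill, an added example that is not part of the book, automates the check the note asks for: it archives a small constructed directory tree with <command>tar</command> cpf, restores it with xpf into a second directory and compares the mode, owner, group and path of every restored entry against the original; a second run without the p option shows the kind of difference the drill is meant to catch. It assumes GNU tar and GNU find, as on a Red Hat Linux system; the file names and modes are constructed for the example.
</para>

```shell
#!/bin/sh
# Added example, not from the book: a restore drill for tar backups.
# It builds a small constructed directory tree with assorted permission
# bits, archives it the way the book does (tar cpf), restores it with
# tar xpf into a second directory, and compares mode, owner, group and
# path of every restored entry with the original. A second run restores
# without p, so the clipped modes show what the drill is meant to catch.
# Assumes GNU tar and GNU find (-printf), as on a Red Hat Linux system.
set -e

# Print one "mode user group relative-path" line per entry below $1, sorted,
# so two trees can be compared as plain strings.
attr_list() {
    ( cd "$1" || exit 1; find . -mindepth 1 -printf '%m %u %g %P\n' ) | sort
}

# Create the constructed sample tree under $1 with a few non-default modes
# that a restore done without p under a restrictive umask would alter.
make_sample_tree() {
    mkdir -p "$1/wahib/Personal" "$1/admin/bin"
    printf 'constructed quota table\n' > "$1/quota.user"
    printf 'constructed document\n' > "$1/wahib/Personal/Contents.doc"
    printf '#!/bin/sh\necho report\n' > "$1/admin/bin/report.sh"
    chmod 0600 "$1/quota.user"                  # private data file
    chmod 0640 "$1/wahib/Personal/Contents.doc" # group-readable document
    chmod 0750 "$1/admin/bin/report.sh"         # executable for owner and group
    chmod 0700 "$1/wahib"                       # private home directory
    chmod 0755 "$1/admin/bin"                   # world-readable directory
}

# Archive the tree in $1 into $2 with relative paths, as in the book's
# "cd / ; tar cpf" recipe, so it can be restored into any directory.
backup_tree() {
    tar cpf "$2" -C "$1" .
}

# Restore archive $1 into $2. "$3" = preserve uses the book's xpf, which
# ignores the umask; anything else lets tar apply the (deliberately strict)
# umask, which is what an ordinary user's restore without p does.
restore_tree() {
    mkdir -p "$2"
    if [ "$3" = preserve ]; then
        ( umask 077; tar xpf "$1" -C "$2" )
    else
        ( umask 077; tar --no-same-permissions -xf "$1" -C "$2" )
    fi
}

# Drill: back up, restore in the given mode, compare. Returns 0 when every
# entry's mode, owner, group and path match; prints both listings and
# returns 1 otherwise.
restore_drill() {
    work=$(mktemp -d)
    make_sample_tree "$work/orig"
    backup_tree "$work/orig" "$work/home-backup.tar"
    restore_tree "$work/home-backup.tar" "$work/restored" "$1"
    orig=$(attr_list "$work/orig")
    restored=$(attr_list "$work/restored")
    rm -rf "$work"
    if [ "$orig" = "$restored" ]; then
        return 0
    fi
    printf 'original attributes:\n%s\nrestored attributes:\n%s\n' "$orig" "$restored"
    return 1
}

# Stand-alone run: the drill with p passes; the one without it lists the
# entries whose modes came back different, which the book tells you to check.
restore_drill preserve
echo "restore with p: attributes of restored files match the originals"
restore_drill umask || echo "restore without p: attributes differ, see above"
```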
<para>
For more details, there is a man page you can read:
<variablelist>
<varlistentry><term>
<citerefentry><refentrytitle>tar</refentrytitle><manvolnum>1</manvolnum></citerefentry></term>
<listitem><para>
- The GNU version of the <command>tar</command> archiving utility
</para></listitem>
</varlistentry>
</variablelist>
</para>
</section>
<section><?dbhtml filename="back-dump.html"?>
<title>The dump backup program</title>
<para>
Dump is completely different from <command>tar</command>: it is a program for backing up and restoring file systems. It backs up the entire file system, not individual files. Dump does not care what file system is on the hard drive, or
even if there are files in the file system. It examines files on an ext2 file system, determines which ones need to be backed up, and copies those files to a specified disk, tape, file or other storage medium. It dumps one file
system at a time, quickly and efficiently. Unfortunately, it does not do individual directories, and so it eats up a great deal more storage space than <command>tar</command>. It is also written specifically for backups.
</para>
<para>
The restore command performs the inverse function of dump: it can restore a full backup of a file system, and subsequent incremental backups can then be layered on top of the full backup. Single files and directory sub-trees may
also be restored from full or partial backups. You can use dump if you need a procedure for both backing up file systems and restoring them afterwards.
</para>
<para>
Dump has several levels of backup procedures. The levels range from 0 to 9, where level number 0 means a full backup and guarantees the entire file system is copied. A level number above 0, an incremental backup, tells dump to copy
all files new or modified since the last dump of the same or a lower level. To be more precise, at each incremental backup level you back up everything that has changed since the previous backup at the same or a lower level.
</para>
<para>
What are the advantages of, and the reasons for, creating and using several levels to make a backup? The following diagram illustrates the scheme:
<literallayout class="monospaced">
0  3  2  5  4  7  6  9  8  9
|  |  |  |  |  |  |  |  |  |
0 means a full backup.
   |  |  |  |  |  |  |  |  |
   3 means copy all files new or modified since level 0, and 3.
      |  |  |  |  |  |  |  |
      2 means copy all files new or modified since level 0, and 2.
         |  |  |  |  |  |  |
         5 means copy all files new or modified since level 0, 3, and 5.
            |  |  |  |  |  |
            4 means copy all files new or modified since level 0, 3, and 4.
               |  |  |  |  |
               7 means copy all files new or modified since level 0, 3, 4, and 7.
                  |  |  |  |
                  6 means copy all files new or modified since level 0, 3, 4, and 6.
                     |  |  |
                     9 means copy all files new or modified since level 0, 3, 4, 6, and 9.
                        |  |
                        8 means copy all files new or modified since level 0, 3, 4, 6, and 8.
                           |
                           9 means copy all files new or modified since level 0, 3, 4, 6, 8, and 9.
</literallayout>
</para>
<para>
The advantage of multiple levels is that the backup history can be extended more cheaply. A longer backup history is useful, since deleted or corrupted files are often not noticed for a
long time. Even a version of a file that is not very up to date is better than no file at all. Also, backup levels are used to keep both the backup and restore times to a minimum.
</para>
<para>
The dump manual page suggests a good scheme to take full advantage of backup levels: 3, 2, 5, 4, 7, 6, 9, 8, 9, etc., as described in the table below. The most you have to back up is two days' worth of work. The number
of tapes needed for a restore depends on how long you wait between full backups.
<table frame="all" pgwide="1"><title>Dump scheme</title>
<tgroup cols="4" align="center" colsep="1" rowsep="1">
<colspec colname="clnm1" colwidth="1inch"/>
<colspec colname="clnm2" colwidth="1inch"/>
<colspec colname="clnm3" colwidth="1inch"/>
<colspec colname="clnm4" colwidth="1inch"/>
<thead valign="middle">
<row>
<entry>Tape</entry>
<entry>Level</entry>
<entry>Backup <emphasis>days</emphasis></entry>
<entry>Restore tapes</entry>
</row>
</thead>
<tbody valign="middle">
<row>
<entry>1</entry>
<entry>0</entry>
<entry><abbrev>N.A.</abbrev></entry>
<entry>1</entry>
</row>
<row>
<entry>2</entry>
<entry>3</entry>
<entry>1</entry>
<entry>1, 2</entry>
</row>
<row>
<entry>3</entry>
<entry>2</entry>
<entry>2</entry>
<entry>1, 3</entry>
</row>
<row>
<entry>4</entry>
<entry>5</entry>
<entry>1</entry>
<entry>1, 2, 4</entry>
</row>
<row>
<entry>5</entry>
<entry>4</entry>
<entry>2</entry>
<entry>1, 2, 5</entry>
</row>
<row>
<entry>6</entry>
<entry>7</entry>
<entry>1</entry>
<entry>1, 2, 5, 6</entry>
</row>
<row>
<entry>7</entry>
<entry>6</entry>
<entry>2</entry>
<entry>1, 2, 5, 7</entry>
</row>
<row>
<entry>8</entry>
<entry>9</entry>
<entry>1</entry>
<entry>1, 2, 5, 7, 8</entry>
</row>
<row>
<entry>9</entry>
<entry>8</entry>
<entry>2</entry>
<entry>1, 2, 5, 7, 9</entry>
</row>
<row>
<entry>10</entry>
<entry>9</entry>
<entry>1</entry>
<entry>1, 2, 5, 7, 9, 10</entry>
</row>
</tbody>
</tgroup>
</table>
</para>
</section>
<section><?dbhtml filename="chap29sec309.html"?>
<title>Making backups with dump</title>
<para>
It is worth using the dump backup program if you want to take advantage of its several levels of backup procedures. Given below is a procedure that gives a longer backup history while keeping both the backup and restore times to a
minimum. In the following example, we assume that the backup is written to a tape drive named <filename>/dev/st0</filename> and that we back up the home directory <filename>/home</filename> of our system.
</para>
<para>
It is important to always start with a level 0 backup, for example:
</para>
<formalpara>
<title>Friday 1</title>
<para>
use tape 1 for the first full backup.
<screen>
[root@deep] /# <command>dump</command> -0u -f /dev/st0 /home
</screen>
<literallayout class="monospaced"><computeroutput>
DUMP: Date of this level 0 dump: Fri Jan 28 21:25:12 2000
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/sda6 (/home) to /dev/st0
DUMP: mapping (Pass I) [regular files]
DUMP: mapping (Pass II) [directories]
DUMP: estimated 18582 tape blocks on 0.48 tape(s).
DUMP: Volume 1 started at: Fri Jan 28 21:25:14 2000
DUMP: dumping (Pass III) [directories]
DUMP: dumping (Pass IV) [regular files]
DUMP: DUMP: 18580 tape blocks on 1 volumes(s)
DUMP: finished in 4 seconds, throughput 4645 KBytes/sec
DUMP: Volume 1 completed at: Fri Jan 28 21:25:18 2000
DUMP: Volume 1 took 0:00:04
DUMP: Volume 1 transfer rate: 4645 KB/s
DUMP: level 0 dump on Fri Jan 28 21:25:12 2000
DUMP: DUMP: Date of this level 0 dump: Fri Jan 28 21:25:12 2000
DUMP: DUMP: Date this dump completed: Fri Jan 28 21:25:18 2000
DUMP: DUMP: Average transfer rate: 4645 KB/s
DUMP: Closing /dev/st0
DUMP: DUMP IS DONE
</computeroutput></literallayout>
</para>
</formalpara>
<formalpara>
<title>Monday</title>
<para>
use tape 2 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -3u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Tuesday</title>
<para>
use tape 3 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -2u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Wednesday</title>
<para>
use tape 4 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -5u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Thursday</title>
<para>
use tape 5 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -4u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Friday 2</title>
<para>
use tape 6 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -7u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Monday</title>
<para>
use tape 2 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -3u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Tuesday</title>
<para>
use tape 3 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -2u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Wednesday</title>
<para>
use tape 4 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -5u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Thursday</title>
<para>
use tape 5 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -4u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Friday 3</title>
<para>
use tape 7 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -6u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Monday</title>
<para>
use tape 2 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -3u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Tuesday</title>
<para>
use tape 3 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -2u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Wednesday</title>
<para>
use tape 4 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -5u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Thursday</title>
<para>
use tape 5 for the incremental backups.
<screen>
[root@deep] /# <command>dump</command> -4u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Friday 4</title>
<para>
use tape 8 for the incremental backups only if there are five Fridays in the month.
<screen>
[root@deep] /# <command>dump</command> -9u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Monday</title>
<para>
use tape 2 for the incremental backups only if there are five Fridays in the month.
<screen>
[root@deep] /# <command>dump</command> -3u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Tuesday</title>
<para>
use tape 3 for the incremental backups only if there are five Fridays in the month.
<screen>
[root@deep] /# <command>dump</command> -2u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Wednesday</title>
<para>
use tape 4 for the incremental backups only if there are five Fridays in the month.
<screen>
[root@deep] /# <command>dump</command> -5u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Thursday</title>
<para>
use tape 5 for the incremental backups only if there are five Fridays in the month.
<screen>
[root@deep] /# <command>dump</command> -4u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<formalpara>
<title>Month</title>
<para>
use another tape for a new full backup when the month changes.
<screen>
[root@deep] /# <command>dump</command> -0u -f /dev/st0 /home
</screen>
</para>
</formalpara>
<para>
Where
<itemizedlist>
<listitem><para>
<literal>-0</literal> to <literal>-9</literal> is the backup level option you want to use,
</para></listitem><listitem><para>
the <literal>u</literal> option means to update the file <filename>/etc/dumpdates</filename> after a successful dump,
</para></listitem><listitem><para>
the <literal>-f</literal> option writes the backup to a file.
</para></listitem>
</itemizedlist>
The file may be a
<orderedlist numeration="lowerroman">
<listitem><para>
special device file like <filename>/dev/st0</filename>, <emphasis>a tape drive</emphasis>,
</para></listitem><listitem><para>
<filename>/dev/rsd1c</filename>, <emphasis>a disk drive</emphasis>,
</para></listitem><listitem><para>
an ordinary file,
</para></listitem><listitem><para>
<emphasis>the standard output</emphasis>.
</para></listitem>
</orderedlist>
Finally, you must specify what you want to back up; in our example, it is the <filename class="directory">/home</filename> directory.
</para>
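<para>
The following script, an added example that is not part of the book, applies the level rule stated earlier in this chapter (an incremental dump copies everything new or modified since the most recent dump of the same or a lower level) to the history that the <literal>u</literal> option records in <filename>/etc/dumpdates</filename>, and tells you which earlier dump a dump of a given level will build on. The <filename>/etc/dumpdates</filename> content, the device names and the dates are constructed for the example.
</para>

```shell
#!/bin/sh
# Added example, not from the book: which earlier dump does a dump at a given
# level build on? dump's rule, as the text states it, is to copy everything
# new or modified since the most recent dump of the same or a lower level of
# the same file system, and with the u option that history is kept in
# /etc/dumpdates. This script answers the question from that file.
# DUMPDATES defaults to a constructed sample; set it to /etc/dumpdates to
# query a live system (the file is only read in that case).
set -e

if [ -z "${DUMPDATES:-}" ]; then
    DUMPDATES=$(mktemp)
    # Constructed /etc/dumpdates: "device level ctime", one line per device
    # and level; dump rewrites the line of a level when it repeats that level.
    printf '%s\n' \
        '/dev/sda6 0 Fri Jan 28 21:25:12 2000' \
        '/dev/sda6 3 Mon Jan 31 21:30:44 2000' \
        '/dev/sda6 2 Tue Feb  1 21:27:03 2000' \
        '/dev/sda5 0 Sat Jan 29 02:10:00 2000' > "$DUMPDATES"
fi

# base_dump DEVICE LEVEL: print "level date" of the most recent dump of DEVICE
# whose level is lower than or equal to LEVEL, or "the epoch" when none exists
# (the wording dump itself uses in "Date of last level N dump"). A level 0
# dump copies everything regardless; for it the answer only shows the history.
base_dump() {
    awk -v dev="$1" -v lvl="$2" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = n; i > 0; i--) mon[m[i]] = i
            best = ""
        }
        # fields: 1 device, 2 level, 3 weekday, 4 month, 5 day, 6 hh:mm:ss, 7 year
        $1 == dev {
            if ($2 + 0 > lvl + 0) next
            # sortable key yyyymmddhh:mm:ss, so the newest dump wins a string compare
            key = sprintf("%04d%02d%02d%s", $7, mon[$4], $5, $6)
            if (key > best) { best = key; line = $2 " " $3 " " $4 " " $5 " " $6 " " $7 }
        }
        END { print (best == "" ? "the epoch" : line) }
    ' "$DUMPDATES"
}

# Stand-alone run: the book's Friday-to-Thursday levels for /home on /dev/sda6.
for level in 0 3 2 5 4; do
    echo "level $level dump of /dev/sda6 copies files changed since: $(base_dump /dev/sda6 "$level")"
done
```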
<para>
You can see that we use the same tapes 2 to 5 for the daily backups -<emphasis>Monday to Thursday = 4 tapes</emphasis>, tapes 6, 7, and 8 for the weekly backups -<emphasis>the other Fridays, 6 + 7 + 8 = 3 tapes</emphasis>; note that there
can be five Fridays in one month. Tape 1, and a new tape each following month, serve for the monthly backups -<emphasis>first Friday of each month, 1 + the subsequent</emphasis> <literal>11 months</literal> <emphasis>= 12 tapes</emphasis>. In
conclusion, with 8 tapes, <literal>4 + 3 + 1 = 8</literal>, we have a complete backup cycle for one month, and by repeating the procedure with these 8 tapes for the following 11 months, each with its own new full-backup tape, we get a full year of individual monthly full backups.
</para>
<para>
The full backup should be done at set intervals, say once a month, on a set of fresh tapes that are saved forever. With this kind of procedure, you will have 12 tapes for 12 months that hold the history and changes of your
system for one year. Later, you can copy the 12 tape backups onto a different computer designated to keep all yearly backups for a long time, and reuse the <emphasis>12 tapes</emphasis> to repeat the procedure for a new year.
</para>
</section>
<section><?dbhtml filename="chap29sec310.html"?>
<title>Restoring files with dump</title>
<para>
The restore command performs the inverse function of <citerefentry><refentrytitle>dump</refentrytitle><manvolnum>8</manvolnum></citerefentry>. It restores files or file systems from backups made with dump. A full backup of a file system
may be restored, and subsequent incremental backups layered on top of it. Single files and directory sub-trees may be restored from full or partial backups. You have a number of possible commands and options to restore data backed up
with the dump program. Below is a procedure that uses the full potential of the restore program with as many of its options as possible. It is done in interactive mode.
</para>
<para>
In an interactive restoration of files from a dump, the restore program provides a shell-like interface that allows the user to move around the directory tree, selecting files to be extracted, after reading in the directory information
from the dump. The following is what we will see if we try to restore our <filename class="directory">/home</filename> directory:
</para>
<para>
First of all, with the following command we must move to the file system partition where we want to restore our backup. This is required, since the interactive mode of the restore program restores our backups into the current directory of the file system from which
we executed the restore command.
<screen>
[root@deep] /# <command>cd</command> /home
</screen>
To restore files from a dump in interactive mode, use the following command:
<screen>
[root@deep /home]# <command>restore</command> -i -f /dev/st0
</screen>
<literallayout class="monospaced"><computeroutput>
restore &gt;
</computeroutput></literallayout>
A prompt will appear in your terminal. To list the current, or a specified, directory, use the <command>ls</command> command as shown below:
<literallayout class="monospaced"><computeroutput>
restore &gt; <userinput>ls</userinput>
.:
admin/ lost+found/ named/ quota.group quota.user wahib/
restore &gt;
</computeroutput></literallayout>
</para>
<para>
To change the current working directory to the specified one, use the <command>cd</command> command. <emphasis>In our example, we change to the wahib directory</emphasis>, as shown below:
<literallayout class="monospaced"><computeroutput>
restore &gt; <command>cd</command> wahib
restore &gt; ls
./wahib:
.Xdefaults .bash_logout .bashrc
.bash_history .bash_profile Personal/
restore &gt;
</computeroutput></literallayout>
</para>
<para>
To add the current directory or file to the list of files to be extracted, use the <command>add</command> command. <emphasis>If a directory is specified, then it and all its descendents are added to the extraction list</emphasis> as shown below:
<literallayout class="monospaced"><computeroutput>
restore &gt; <userinput>add</userinput> Personal/
restore &gt;
</computeroutput></literallayout>
</para>
<para>
Files that are on the extraction list are prepended with a <literal>*</literal> when they are listed by the <command>ls</command> command:
<literallayout class="monospaced"><computeroutput>
restore &gt; ls
./wahib:
.Xdefaults .bash_logout .bashrc
.bash_history .bash_profile *Personal/
</computeroutput></literallayout>
</para>
<para>
To delete the current directory or specified argument from the list of files to be extracted, use the <command>delete</command> command. <emphasis>If a directory is specified, then all its descendents including itself are deleted from the extraction list</emphasis>, as shown below:
<literallayout class="monospaced"><computeroutput>
restore &gt; <command>cd</command> Personal/
restore &gt; ls
./wahib/Personal:
*Ad?le_Nakad.doc *Overview.doc
*BIMCOR/ *Resume/
*My Webs/ *SAMS/
*Contents.doc *Templates/
*Divers.doc *bruno universite.doc
*Linux/ *My Pictures/
</computeroutput></literallayout>
<literallayout class="monospaced"><computeroutput>
restore &gt; delete Resume/
restore &gt; ls
./wahib/Personal:
*Ad?le_Nakad.doc *Overview.doc
*BIMCOR/ Resume/
*My Webs/ *SAMS/
*Contents.doc *Templates/
*Divers.doc *bruno universite.doc
*Linux/ *My Pictures/
</computeroutput></literallayout>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The most expedient way to extract most of the files from a directory is to add the directory to the extraction list and then delete those files that are not needed.
</para></tip>
</para>
<para>
To extract all files in the extraction list from the dump, use the <command>extract</command> command. <emphasis>Restore will ask which volume the user wishes to mount. The fastest way to extract a few files is to start with
the last volume and work towards the first volume</emphasis>, as shown below:
<literallayout class="monospaced"><computeroutput>
restore &gt; extract
You have not read any tapes yet.
Unless you know which volume your file(s) are on you should start
with the last volume and work towards the first.
Specify next volume #: 1
set owner/mode for '.'? [yn] y
</computeroutput></literallayout>
</para>
<para>
To exit from the interactive restore mode after you have finished extracting your directories or files, use the <command>quit</command> command as shown below:
<literallayout class="monospaced"><computeroutput>
/sbin/restore &gt; quit
</computeroutput></literallayout>
</para>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
Other methods of restoration exist with the dump program; consult the man page of dump for more information.
</para></tip>
<para>
For more details, there are man pages you can read:
<variablelist>
<varlistentry>
<term><citerefentry><refentrytitle>dump</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
ext2 filesystem backup
</para></listitem>
</varlistentry>
<varlistentry>
<term><citerefentry><refentrytitle>restore</refentrytitle><manvolnum>8</manvolnum></citerefentry></term>
<listitem><para>
restore files or file systems from backups made with dump
</para></listitem>
</varlistentry>
</variablelist>
</para>
</section>
<section><?dbhtml filename="chap29sec311.html"?>
<title>Backing up and restoring over the network</title>
<para>
Backups allow you to restore the availability and integrity of information resources following security breaches and accidents. Without a backup, you may be unable to restore a computer's data after system failures and security
breaches. It is important to develop a plan that is broad enough to cover all the servers you plan to deploy. We must determine what categories of files will be backed up. For example, you may choose to back up only user data
files, <abbrev>i.e.</abbrev> <filename>/home</filename>, because damaged system files should be reloaded from the original distribution media.
</para>
<para>
There are common technological approaches to file backups. For network servers, an authoritative version of the informational content of the server is created and maintained on a secure machine that is backed up. If the server
is compromised and its content damaged, it can be reloaded from the secure system maintaining the authoritative version. This approach is typically used for public servers, such as Web servers, because the content changes at
more predictable intervals.
</para>
<para>
It is important to ensure that backups are performed in a secure manner and that the contents of the backups remain secure. We recommend that the plan specify that:
<itemizedlist><listitem><para>
The source data is encrypted before being transmitted to the storage medium.
</para></listitem><listitem><para>
The data remains encrypted on the backup storage media.
</para></listitem><listitem><para>
The storage media are kept in a physically secure facility that is protected from man-made and natural disasters.
</para></listitem>
</itemizedlist>
</para>
<para>
You should make sure that the transfer of your backup over the network happens in a secure manner. In the previous sections, we have shown you how to make a backup onto both a tape and files from the same system where you execute
the backup procedure, with utilities like <command>tar</command> and <command>dump</command>. These programs, <command>tar</command> and <command>dump</command>, are capable of making backups over the network as well. To be able
to back up over the network you must ensure that the packages named rmt and rsh are installed on your system. The rmt utility provides remote access to tape devices for programs like <command>dump</command> and <command>tar</command>.
To complement this, the rsh package contains a set of programs which allow users to run commands on remote machines, log in to other machines and copy files between machines; <emphasis>rsh, rlogin and rcp make up this set of programs</emphasis>.
</para>
<para>
Since rsh can easily be compromised, and rmt depends on rsh to work, we have chosen for security reasons not to install them in our setup installation; see <link linkend="pr1ch2">Installation of your Linux Server</link> for more information.
Therefore, we must find another way to make backups over the network in a secure manner. SSH technology, see <link linkend="prt6ch15ssh">Software -Securities</link>, is the solution to our problem, because it can also copy data across
the network, encrypted, with its <command>scp</command> command. The following is a method that lets us use the potential of the SSH software to transfer our backups made with <command>tar</command> or dump in a secure manner via the
<command>scp</command> SSH utility.
</para>
<section>
<title>Using the scp SSH command </title>
<para>
The <command>scp</command> command copies files between hosts on a network. It uses SSH for data transfer, with the same authentication and the same security as SSH. Unlike the rcp utility that comes with the rsh package, scp will ask
for passwords or passphrases. In our example below, we transfer a backup file made with the <command>tar</command> archive program; the procedure to transfer a backup file or tape made with the dump program is the same.
To use scp to copy a backup tape or file to a remote secure system, use the command:
<screen>
[admin@deep /]# scp &lt;localdir/to/filelocation&gt; &lt;user@host:/dir/for/file&gt;
</screen>
Where &lt;localdir/to/filelocation&gt; is the directory where your backup file resides on your local server,
and &lt;user@host:/dir/for/file&gt; represents, in this order:
<orderedlist numeration="upperroman">
<listitem><para>
The username, <literal>user</literal> of the person on the remote site that will hold the backup file,
</para></listitem><listitem><para>
The hostname, <literal>host</literal> of the remote host where you want to send the backup file,
</para></listitem><listitem><para>
The remote directory of this host where you want to place the transferred backup file.
</para></listitem>
</orderedlist>
</para>
<example>
<title>scp SSH command</title>
<para>
A real example will look like this:
<screen>
[admin@deep /]# <command>scp</command> -Cp /backups/deep-01Feb.tar admin@backupserver:/archive/deep/deep-01Feb.tar
</screen>
<literallayout class="monospaced"><computeroutput>
admin@backupserver's password:
deep-01Feb.tgz | 10479 KB | 154.1 kB/s | ETA: 00:00:00 | 100%
</computeroutput></literallayout>
</para>
</example>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
The <literal>C</literal> option enables compression for fast data transfer over the encrypted session; the <literal>p</literal> option indicates that the modification and access
times, as well as the modes, of the source file should be preserved on the copy. This is usually desirable. It is important to note that the <filename class="directory">dir/for/file</filename> directory
on the remote host, <filename class="directory">/archive/deep</filename> in our example, must be owned by the <literal>username</literal> you specify in your scp command, <literal>admin</literal> in
our example, or you may receive an error message like: <computeroutput>scp: /archive/deep/deep-01Feb.tar: Permission denied.</computeroutput>
</para></important>
<para>
To use scp to copy a remote tape or file to the local system, use the command:
<screen>
[admin@deep /]# scp &lt;user@host:/dir/for/file&gt; &lt;localdir/to/filelocation&gt;
</screen>
Where &lt;user@host:/dir/for/file&gt; represents, in this order;
<orderedlist numeration="upperroman">
<listitem><para>
The username <literal>user</literal> of the person on the remote site that holds the backup file,
</para></listitem><listitem><para>
The hostname <literal>host</literal> of the remote host where you want to get the backup file,
</para></listitem><listitem><para>
The remote directory of this host where the backup file is kept,
</para></listitem><listitem><para>
&lt;localdir/to/filelocation&gt; is the local directory on your system where you want to place the backup file that you get from the remote host.
</para></listitem>
</orderedlist>
</para>
<example>
<title>scp SSH command</title>
<para>
A real example would look like this:
<screen>
[admin@deep /]# <command>scp</command> -Cp admin@backupserver:/archive/deep/deep-01Feb.tar /backups
</screen>
<literallayout class="monospaced"><computeroutput>
admin@backupserver's password:
deep-01Feb.tgz | 10479 KB | 154.1 kB/s | ETA: 00:00:00 | 100%
</computeroutput></literallayout>
</para></example>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
It is important to note that the <filename class="directory">localdir/to/filelocation</filename> directory on the local host, <filename class="directory">/backups</filename> in our example, must be owned
by the <literal>username</literal> you specify in your scp command, <literal>admin</literal> in our example, or you may receive an error message like: <computeroutput>/backups/deep-01Feb.tar: Permission denied.</computeroutput>
</para></important>
<section id="prt7chscatd">
<title>Alternatives to <command>tar</command> and dump backups</title>
<simplelist>
<member>
AMANDA Homepage: <link linkend="prtinxfp26">http://www.cs.umd.edu/projects/amanda/</link>
</member>
<member>
BRU Homepage: <link linkend="prtinxfp26">http://www.bru.com/</link>
</member>
</simplelist>
</section>
</section>
</section>
</chapter>
</part>
<part label="I"><?dbhtml filename="Appendix.html"?>
<title>Appendixes</title>
<partintro>
<informaltable pgwide="1" frame="none">
<tgroup cols="1">
<tbody>
<row valign="middle"><entry align="center">
<inlinemediaobject>
<imageobject>
<imagedata fileref="./resources/Annimals/Chapter17.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Elephant</phrase></textobject>
</inlinemediaobject>
</entry></row>
</tbody>
</tgroup>
</informaltable>
</partintro>
<appendix label="A"><?dbhtml filename="appendixa.html"?>
<title>Resources</title>
<para><emphasis>Surprised!</emphasis> Don't be; what we have attempted is to duplicate a server-side redirect here. The idea is, supposing you are viewing this book online from a website, this will give you enough time to
think about leaving this environment, which is what would have happened if you had clicked on any link, or to save this page and go back to the page you were browsing. This leaves you with the option of checking out the
links later at your convenience. For us, when and if (<wordasword>a misnomer</wordasword>) a link needs to be updated, changed or edited, we have to tinker with this page rather than hunt and peck at the links by searching for them in different pages.
</para>
<para>I have strived hard to make it as easy as possible for all to traverse here to find the links. As a rule of thumb, all the links have as their title the name of the chapter from which you clicked on the link.</para>
<formalpara id="rsrcofwbi1">
<title>Open Network Architecture</title>
<para>
The official website of Securing and Optimizing Linux Redhat Edition
<ulink url="http://www.openna.com">www.openna.com</ulink>
</para>
</formalpara>
<formalpara id="rsrclgnwbi2">
<title><link linkend="binflgnrsr1">Legalnotice</link></title>
<para>
<simplelist type="vert"><member>
For the latest version of Open Publication License:
<ulink url="http://www.opencontent.org/openpub/">www.opencontent.org/openpub/</ulink>.
</member><member>
For the commercial printing license please contact:
<ulink url="http://www.opendocspublishing.com/">OpenDocs @www.opendocspublishing.com/</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="sc24obecfrs1">
<title><link linkend="pr1ch2s4obefs">
Obtaining the book and example configuration files</link></title>
<para>
From the original web site
<simplelist type="vert">
<member>
<systemitem class="systemname">Open Network Architecture</systemitem> <ulink url="www.openna.com">www.openna.com</ulink>
</member>
<member>
<systemitem class="systemname">The Linux Documentation Project homepage:</systemitem>
<ulink url="http://www.linuxdoc.org/guides.html">www.linuxdoc.org</ulink>
</member>
<member>
<systemitem class="systemname">O'Reilly Network:</systemitem>
<ulink url="http://oreilly.linux.com/pub/d/25">oreilly.linux.com/pub/d/25</ulink>
</member>
<member>
<ulink url="http://www.opendocspublishing.com/wheretobuy.lxp">
<inlinemediaobject>
<imageobject><imagedata align="center" format="GIF" fileref="./images/lcanim-1.gif"/></imageobject>
<textobject><phrase>
You can Buy here!
</phrase></textobject>
</inlinemediaobject>
By clicking here!
</ulink>
</member>
<member>
<systemitem class="systemname">Linux Security portal</systemitem>
<ulink url="www.linuxsecurity.com/docs">www.linuxsecurity.com/docs</ulink>
</member>
</simplelist>
</para>
</formalpara>
<para>
For the latest version of this book keep checking here:
<ulink url="http://www.linuxdoc.org/">www.linuxdoc.org/</ulink>
</para>
<para id="sc24obecfrs2">
The <link linkend="pr1ch2s4obefs1">example configuration files</link> can be obtained from here:
<ulink url="http://www.openna.com/books/floppy.tgz">www.openna.com/books/floppy.tgz.</ulink>
</para>
<formalpara id="prtinxfp4"><title><link linkend="prt2ch2sc2">Creating the Boot Disk and Booting</link></title>
<para>
Redhat boot images are available here:
<simplelist ><member>
<ulink url="http://www.redhat.com/errata">www.redhat.com/errata</ulink>
</member></simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp5">
<title><link linkend="prt2ch3sc7uls">Update of the latest software</link></title>
<para>
The errata page for the Red Hat Linux distribution:
<simplelist><member>
<ulink url="http://www.redhat.com/corp/support/errata/index.html">www.redhat.com/corp/support/errata/index.html</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfperrt1">
<title>Openna Errata</title>
<para>
The Firewall Scripts Errata page is here <ulink url="http://www.openna.com/books/errata.htm">http://www.openna.com/books/errata.htm</ulink>
</para>
</formalpara>
<formalpara id="prtinxfp6">
<title><link linkend="prt3ch2sc2br">Benchmark Results</link></title>
<para>
The benchmarking results can be retrieved from the <acronym>GCC</acronym> homepage:
<simplelist ><member>
<ulink url="http://egcs.cygnus.com/">http://egcs.cygnus.com/</ulink>
</member></simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp7">
<title><link linkend="prt3ch3sc1pi">Pre-install</link></title>
<para>
For the latest Linux kernel check out the Kernel homepage here:
<simplelist ><member>
<ulink url="http://www.kernelnotes.org/">http://www.kernelnotes.org/</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara>
<title>Secure Linux Kernel</title>
<para id="prtinxfp71">
The place to check for the latest Secure Linux kernel patches is the Openwall homepage:
<simplelist ><member>
<ulink url="http://www.openwall.com/linux/">http://www.openwall.com/linux/</ulink>
</member></simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp8">
<title><xref linkend="prt5ch2ssmt"/> </title>
<para>
The sXid packages can be found here:
<simplelist><member>
<ulink url="ftp://marcus.seva.net/pub/sxid/">ftp://marcus.seva.net/pub/sxid/</ulink>
</member></simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp9">
<title><link linkend="pr5ch2sc3lc">Logcheck</link></title>
<para>
The Logcheck homepage is:
<simplelist><member>
<ulink url="http://www.psionic.com/abacus/logcheck/">http://www.psionic.com/abacus/logcheck/</ulink>
</member></simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp10">
<title><xref linkend="prt5ch2sc5PS"/></title>
<para>
The Portsentry Homepage is:
<simplelist><member>
<ulink url="http://www.psionic.com/abacus/portsentry/">http://www.psionic.com/abacus/portsentry/</ulink>
</member></simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp11">
<title><link linkend="prt6ch1sc1ossh">OpenSSH</link></title>
<para>
The OpenSSH package can be downloaded from:
<simplelist><member>
<ulink url="http://www.openssh.com">http://www.openssh.com</ulink>
</member></simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp12">
<title><xref linkend="prt6ch1sc8pty"/></title>
<para>
<simplelist><member>
<ulink url="http://www.chiark.greenend.org.uk/~sgtatham/putty.html">http://www.chiark.greenend.org.uk/~sgtatham/putty.html</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp13">
<title><link linkend="prt6ch1sc8ttsh">Tera Term Pro and TTSSH</link></title>
<para>
<simplelist><member>
<ulink url="http://hp.vector.co.jp/authors/VA002416/teraterm.html">http://hp.vector.co.jp/authors/VA002416/teraterm.html</ulink>,
</member><member>
<ulink url="http://www.zip.com.au/~roca/download.html">http://www.zip.com.au/~roca/download.html</ulink>.
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp14">
<title><link linkend="prt6ch2sc1ssh">Linux SSH2 Client/Server</link></title>
<para>
The SSH2 (commercial) homepage is:
<simplelist><member>
<ulink url="http://www.ssh.org/">http://www.ssh.org/</ulink>
</member></simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp15">
<title><link linkend="prt6ch3sc1trwr">Linux Tripwire 2.2.1</link></title>
<para>
<simplelist><member>
<ulink url="http://www.tripwiresecurity.com/">http://www.tripwiresecurity.com/</ulink>
</member></simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp16">
<title><link linkend="pr6ch4sc1ltp">Linux Tripwire ASR 1.3.1</link></title>
<para>
<simplelist><member>
<ulink url="http://www.tripwiresecurity.com/">http://www.tripwiresecurity.com/</ulink>
</member></simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp17">
<title><link linkend="pr6ch4sc52tri">Alternatives to Tripwire:</link></title>
<para>
<variablelist>
<varlistentry>
<term>ViperDB</term>
<listitem><para>
ViperDB Homepage: <ulink url="http://www.resentment.org/projects/viperdb/">http://www.resentment.org/projects/viperdb/</ulink>
</para></listitem>
</varlistentry>
<varlistentry>
<term>FCHECK</term>
<listitem><para>
FCHECK Homepage:<ulink url="http://sites.netscape.net/fcheck/fcheck.html">http://sites.netscape.net/fcheck/fcheck.html</ulink>
</para></listitem>
</varlistentry>
<varlistentry>
<term>Sentinel</term>
<listitem><para>
Sentinel Homepage:<ulink url="http://zurk.netpedia.net/zfile.html">http://zurk.netpedia.net/zfile.html</ulink>
</para></listitem>
</varlistentry>
</variablelist>
</para>
</formalpara>
<formalpara id="prtinxfp19er">
<title><link linkend="pr6ch19sgpgp">Linux GnuPG</link></title>
<para>
These are the Package(s) you must be sure to download:
<simplelist><member>
GnuPG Homepage:<ulink url="http://www.gnupg.org/">http://www.gnupg.org/</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp18">
<title><link linkend="pr6ch7sc1dbs">Linux <acronym>DNS</acronym> and <acronym>BIND</acronym> Server</link></title>
<para>
The required <acronym>DNS</acronym>/<acronym>BIND</acronym> packages can be obtained here:
<simplelist><member>
<acronym>ISC</acronym> <acronym>BIND</acronym> Homepage:<ulink url="http://www.isc.org/">http://www.isc.org/</ulink>
</member><member>
<acronym>ISC</acronym> <acronym>BIND</acronym> <acronym>FTP</acronym> Site:<ulink url="ftp://204.152.184.27"><literal>204.152.184.27</literal></ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp19">
<title><link linkend="pr6ch22sc1snml">Sendmail</link></title>
<para>
<simplelist>
<member>
Sendmail Homepage: <ulink url="http://www.sendmail.org/">http://www.sendmail.org/</ulink>
</member><member>
Sendmail <acronym>FTP</acronym> Site: <ulink url="ftp://204.152.184.34">204.152.184.34</ulink>
</member><member>
You must be sure to download: sendmail.8.10.1.tar.gz
</member>
</simplelist>
</para>
</formalpara>
<para>
For details, regarding <link linkend="pr6ch22sc3gls">Realtime Blackhole List database</link> see:
<simplelist>
<member>
<ulink url="http://maps.vix.com/rbl/">http://maps.vix.com/rbl/</ulink>
</member>
</simplelist>
</para>
<formalpara id="prtinxfp20">
<title><link linkend="pr6ch23sc1ip">Linux <acronym>IMAP</acronym> &amp; <acronym>POP</acronym> Server</link></title>
<para>
These are the Package(s) needed and should be available here:
<simplelist type="vert">
<member>
<acronym>IMAP</acronym>/<acronym>POP</acronym> Homepage: <ulink url="http://www.washington.edu/imap/">http://www.washington.edu/imap/</ulink>
</member><member>
<acronym>IMAP</acronym>/<acronym>POP</acronym> <acronym>FTP</acronym> Site: <ulink url="ftp://140.142.3.227">140.142.3.227</ulink> or <ulink url="ftp://140.142.4.227">140.142.4.227</ulink>
</member><member>
You must be sure to download: imap.tar.Z
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp21">
<title><link linkend="pr6ch24sc1wr">Patents</link></title>
<para>
<simplelist>
<member><acronym>RSA</acronym> Data Security: <ulink url="http://www.rsa.com/">http://www.rsa.com/</ulink></member>
<member>Ascom in Austria: <ulink url="http://www.ascom.ch/">http://www.ascom.ch/</ulink></member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp22">
<title><xref linkend="pr6ch24sc1ossl"/></title>
<para>
<simplelist>
<member>OpenSSL Homepage: <ulink url="http://www.openssl.org/">http://www.openssl.org/</ulink></member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp23">
<title><link linkend="pr6ch25sc1fsw">IPSEC/VPN -FreeS/WAN</link></title>
<para>
<simplelist>
<member>
Kernel Homepage: <ulink url="http://www.kernelnotes.org/">http://www.kernelnotes.org/</ulink>
</member><member>
FreeS/WAN VPN Homepage Site: <ulink url="http://www.freeswan.org/">http://www.freeswan.org/</ulink>
</member><member>
FreeS/WAN VPN FTP Site: <ulink url="ftp://194.109.6.26">194.109.6.26</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp25">
<title><link linkend="pr6ch26sccmi">Compile and Install</link></title>
<para>
<simplelist>
<member>
OpenLDAP Homepage:<ulink url="http://www.openldap.org/">http://www.openldap.org/</ulink>
</member><member>
OpenLDAP FTP Site: <ulink url="ftp://204.152.186.57">204.152.186.57</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp26">
<title><link linkend="prt7chscatd">Alternatives to <command>tar</command> and dump backups</link></title>
<para>
<simplelist>
<member>
AMANDA Homepage: <ulink url="http://www.cs.umd.edu/projects/amanda/">http://www.cs.umd.edu/projects/amanda/</ulink>
</member>
<member>
BRU Homepage: <ulink url="http://www.bru.com/">http://www.bru.com/</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp27">
<title><link linkend="pr6ch27scpsql">Install PostgreSQL</link></title>
<para>
PostgreSQL packages are found here:
<simplelist><member>
PostgreSQL Homepage: <ulink url="http://www.postgresql.org/">http://www.postgresql.org/</ulink>
</member><member>
PostgreSQL FTP Site:<ulink url="ftp://216.126.84.28">216.126.84.28</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp28">
<title><link linkend="pr6ch28scsps">Linux Squid Proxy Server</link></title>
<para>
These are the package(s), available here:
<simplelist>
<member>
Squid Homepage:<ulink url="http://www.squid-cache.org/">http://www.squid-cache.org/</ulink>
</member><member>
Squid <acronym>FTP</acronym> Site: <ulink url="ftp://204.144.128.89">204.144.128.89</ulink>
</member><member>
GNU malloc Homepage:<ulink url="http://www.gnu.org/order/ftp.html"> http://www.gnu.org/order/ftp.html</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp28sqc">
<title><link linkend="pr6ch28scsqcnf">Configure the <filename>/etc/squid/squid.conf</filename> file -in <literal>httpd-accelerator</literal> mode</link></title>
<para>
<simplelist>
<member>
<ulink url="http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html">http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html</ulink>
</member><member>
<ulink url="http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html">http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp29">
<title><link linkend="prt6ch29scmm">Linux MM Shared Memory Library </link></title>
<para>
MM Homepage:<ulink url="http://www.engelschall.com/sw/mm/">http://www.engelschall.com/sw/mm/</ulink>
</para>
</formalpara>
<formalpara id="prtinxfp30">
<title><link linkend="prt6ch29sapws">Linux Apache Web Server</link></title>
<para>
<simplelist type="vert" columns="2">
<member>
Apache Homepage: <ulink url="http://www.apache.org/">http://www.apache.org/</ulink>
</member><member>
Apache FTP Site: <ulink url="ftp://63.211.145.10">63.211.145.10</ulink>
</member><member>
Mod_SSL Homepage: <ulink url="http://www.modssl.org/">http://www.modssl.org/</ulink>
</member><member>
Mod_SSL FTP Site: <ulink url="ftp://129.132.7.171">129.132.7.171</ulink>
</member><member>
Mod_Perl Homepage: <ulink url="http://perl.apache.org/">http://perl.apache.org/</ulink>
</member><member>
Mod_Perl FTP Site: <ulink url="ftp://63.211.145.10">63.211.145.10</ulink>
</member><member>
Mod_PHP Homepage: <ulink url="http://www.php.net/">http://www.php.net/</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp31">
<title><link linkend="pr6ch29sappsy">Perl module Devel::Symdump</link></title>
<para>
<simplelist>
<member>
Devel-Symdump Homepage:<ulink url="http://www.perl.com/CPAN/modules/by-module/Devel/">http://www.perl.com/CPAN/modules/by-module/Devel/</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp32">
<title><link linkend="pr6ch29sapcgi">CGI.pm Perl library</link></title>
<para>
<simplelist><member>
CGI.pm Homepage: <ulink url="http://stein.cshl.org/WWW/software/CGI/cgi_docs.html">http://stein.cshl.org/WWW/software/CGI/cgi_docs.html</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp33">
<title><link linkend="pr6ch30swblzr">Linux Webalizer</link></title>
<para>
These are the Package(s):
<simplelist>
<member>
Webalizer Homepage: <ulink url="http://www.mrunix.net/webalizer/">http://www.mrunix.net/webalizer/</ulink>
</member><member>
Webalizer FTP Site: <ulink url="ftp://207.153.121.6">207.153.121.6</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp34">
<title><link linkend="pr6ch30scfqmtc">Linux FAQ-O-Matic</link></title>
<para>
These are the Package(s) required:
<simplelist><member>
FAQ-O-Matic Homepage: <ulink url="http://www.dartmouth.edu/~jonh/ff-serve/cache/1.html">http://www.dartmouth.edu/~jonh/ff-serve/cache/1.html</ulink>
</member><member>
The most recent version of the FAQ-O-Matic is always available at: <ulink url="ftp://ftp.cs.dartmouth.edu/pub/jonh/">ftp://ftp.cs.dartmouth.edu/pub/jonh/</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp35">
<title><link linkend="pr6ch30swmlimp">Linux Webmail IMP</link></title>
<para>
These are the Package(s):
<simplelist>
<member>
Webmail <acronym>IMP</acronym> Homepage:<ulink url="http://www.horde.org/imp/">http://www.horde.org/imp/</ulink>
</member><member>
PHPLib Homepage:<ulink url="http://phplib.netuse.de/index.php3">http://phplib.netuse.de/index.php3</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp36">
<title><link linkend="pr6ch30sphplb">phplib</link></title>
<para>
These are the package(s)
<simplelist><member>
PHPLib Homepage: <ulink url="http://phplib.netuse.de/index.php3">http://phplib.netuse.de/index.php3</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp31er">
<title><link linkend="pr6ch31slss">Linux Samba Server</link></title>
<para>
The package(s) required are available at:
<simplelist>
<member>
Samba Homepage: <ulink url="http://us1.samba.org/samba/samba.html">http://us1.samba.org/samba/samba.html</ulink>
</member><member>
Samba FTP Site: <ulink url="ftp://63.238.153.11">63.238.153.11</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp32er">
<title><link linkend="pr6ch32sftp">Linux <literal>FTP</literal> Server</link></title>
<para>
These are the Package(s):
<simplelist><member>
Wu-ftpd Homepage:<ulink url="http://www.wu-ftpd.org/">http://www.wu-ftpd.org/</ulink>
</member><member>
Wu-ftpd FTP Site:<ulink url="ftp://205.133.13.68">205.133.13.68</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp24">
<title><link linkend="pr7ap3rfc">Appendix -RFC</link></title>
<para>
<simplelist>
<member>
<ulink url="http://www.cis.ohio-state.edu/rfc/"> http://www.cis.ohio-state.edu/rfc/</ulink>
</member>
</simplelist>
</para>
</formalpara>
<formalpara id="prtinxfp1acn">
<title><link linkend="pr1ch1ackn">Docbook and Additional resources</link></title>
<para>
<informaltable frame="none">
<tgroup cols="1">
<tbody valign="middle">
<row><entry>
Norman Walsh, <ulink url="http://nwalsh.com/~ndw/">http://nwalsh.com/~ndw/</ulink>
</entry></row>
<row><entry>
Peter Graves, <ulink url="http://armedbear.org">http://armedbear.org</ulink>
</entry></row>
<row><entry>
Bryan Henderson, <ulink url="http://netpbm.sourceforge.net/">http://netpbm.sourceforge.net/</ulink>
</entry></row>
<row><entry>
James Clark, <ulink url="http://www.jclark.com/">http://www.jclark.com/</ulink> for his xt and xp
</entry></row>
<row><entry>
Michael Kay, <ulink url="http://users.iclway.co.uk/mhkay/saxon/">http://users.iclway.co.uk/mhkay/saxon/</ulink> for Saxon
</entry></row>
<row><entry>
To each and everyone at OASIS, <ulink url="http://www.oasis-open.org/docbook/">http://www.oasis-open.org/docbook/</ulink>
</entry></row>
<row><entry>
To each and everyone at Docbook.org, <ulink url="http://docbook.org/">http://docbook.org/</ulink>
</entry></row>
<row><entry>
Sebastian Rahtz, <ulink url="http://users.ox.ac.uk/~rahtz/passivetex/">http://users.ox.ac.uk/~rahtz/passivetex/</ulink> for his contribution to DocBook
</entry></row>
<row><entry>
Mark Galassi, <ulink url="http://nis-www.lanl.gov/~rosalia/mydocs/">http://nis-www.lanl.gov/~rosalia/mydocs/</ulink>
</entry></row>
</tbody>
</tgroup>
</informaltable>
</para>
</formalpara>
</appendix>
<appendix><?dbhtml filename="appendixb.html"?>
<title>Tweaks, Tips and Administration tasks</title>
<para>
Some of the tips in this section are specific to Linux systems. Most are applicable to <acronym>UNIX</acronym> system in general.
</para>
<tip>
<title>The <command>du</command> utility command</title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</mediaobject>
<para>
You can use the <command>du</command> utility to estimate file space usage. For example, to determine, in megabytes, the sizes of the <filename class="directory">/var/log/</filename> and <filename class="directory">/home/</filename> directory
trees, type the following command:
<screen>
[root@deep] /# <command>du</command> -sh /var/log /home
</screen>
<literallayout class="monospaced"><computeroutput>
3.5M    /var/log
350M    /home
</computeroutput></literallayout>
</para>
<para>
Keep in mind that the above command reports the space your data actually occupies. Now that you know, for example, that <filename class="directory">/home</filename> is using 350M, you can change into it and run <command>du</command> -sh * to
find where the largest files are.
</para>
<para>
<screen>
[root@deep] /# <command>cd</command> /home/
[root@deep ]/home# <command>du</command> -sh *
</screen>
<literallayout class="monospaced"><computeroutput>
343M    admin
11k     ftp
6.8M    httpd
12k     lost+found
6.0k    named
6.0k    smbclient
6.0k    test
8.0k    www
</computeroutput></literallayout>
</para>
</tip>
<tip>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</inlinemediaobject>
</title>
<para>
You can add this command to your crontab and have its output mailed to you every day; that way you can monitor disk usage without logging in constantly.
</para></tip>
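<para>
To make the crontab idea concrete, here is a small report script; it is an added example and not part of the book. It turns the <command>du</command> listing above into output you can mail to yourself: the total for a directory and its largest entries, sorted so that the biggest comes first. The script path <filename>/usr/local/sbin/du-report.sh</filename>, the recipient and the crontab line in the comments are assumptions; adjust them to your host.
</para>

```shell
#!/bin/sh
# Added example, not from the book: disk-usage report for a daily cron job.
# Assumptions: GNU du/sort/head as shipped with Red Hat Linux; the script
# path /usr/local/sbin/du-report.sh and the crontab line are placeholders.
#
# Suggested /etc/crontab entry (mail must already work on the host):
#   0 6 * * * root /usr/local/sbin/du-report.sh /home 10 | mail -s "Disk usage: /home" root

# report_usage DIR [N]: the N largest entries directly under DIR, largest
# first, one "KILOBYTES<tab>PATH" line each (this is "du -sh *" made sortable).
report_usage() {
    dir=$1
    n=${2:-10}
    # -s sums each entry; -k reports kilobytes so that sort -n can order them.
    du -sk "$dir"/* 2>/dev/null | sort -rn | head -n "$n"
}

# largest_entry DIR: the path of the single biggest entry under DIR.
# du separates size and name with a tab, so cut is safe for names with spaces.
largest_entry() {
    report_usage "$1" 1 | cut -f2-
}

# total_usage DIR: total size of DIR in kilobytes, as a bare number.
total_usage() {
    du -sk "$1" | cut -f1
}

# usage_report DIR [N]: the human-readable report the cron job mails out.
usage_report() {
    printf 'Disk usage report for %s on %s\n' "$1" "$(hostname)"
    printf 'Total: %s KB\n\n' "$(total_usage "$1")"
    report_usage "$1" "${2:-10}"
}

# Stand-alone use: du-report.sh DIR [N]
if [ $# -gt 0 ]; then
    usage_report "$@"
fi
```

<para>
Run it as <command>du-report.sh</command> /home 10 to see the ten largest entries under <filename class="directory">/home</filename>; the cron entry shown in the comments mails that output every morning. Kilobytes rather than the human-readable <option>-h</option> units are used so that <command>sort</command> -n can order the lines.
</para>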
<tip>
<title>Find the route </title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</mediaobject>
<para>
If you want to find out the route that packets take from your machine to a remote host, simply issue the following command:
<screen>
[root@deep] /# <command>traceroute</command> www.redhat.com
</screen>
<literallayout class="monospaced"><computeroutput>
traceroute to www.portal.redhat.com (206.132.41.202), 30 hops max, 38 byte packets
1 ppp005.108-253-207.mtl.mt.videotron.net (207.253.108.5) 98.584 ms 1519.806 ms 109.911 ms
2 fa5-1-0.rb02-piex.videotron.net (207.96.135.1) 149.888 ms 89.830 ms 109.914 ms
3 ia-tlpt-bb01-fec1.videotron.net (207.253.253.53) 149.896 ms 99.873 ms 139.930 ms
4 ia-cduc-bb02-ge2-0.videotron.net (207.253.253.61) 99.897 ms 169.863 ms 329.926 ms
5 if-4-1.core1.Montreal.Teleglobe.net (207.45.204.5) 409.895 ms 1469.882 ms 109.902 ms
6 if-1-1.core1.NewYork.Teleglobe.net (207.45.223.109) 189.920 ms 139.852 ms 109.939 ms
7 206.132.150.133 (206.132.150.133) 99.902 ms 99.724 ms 119.914 ms
8 pos1-0-2488M.wr2.CLE1.gblx.net (206.132.111.89) 189.899 ms 129.873 ms 129.934 ms
9 pos8-0-2488m.wr2.kcy1.globalcenter.net (206.132.111.82) 169.890 ms 179.884 ms 169.933 ms
10 206.132.114.77 (206.132.114.77) 199.890 ms 179.771 ms 169.928 ms
11 pos8-0-2488M.wr2.SFO1.gblx.net (206.132.110.110) 159.909 ms 199.959 ms 179.837 ms
12 pos1-0-2488M.cr1.SNV2.gblx.net (208.48.118.118) 179.885 ms 309.855 ms 299.937 ms
13 pos0-0-0-155M.hr2.SNV2.gblx.net (206.132.151.46) 329.905 ms 179.843 ms 169.936 ms
14 206.132.41.202 (206.132.41.202) 2229.906 ms 199.752 ms 309.927 ms
</computeroutput></literallayout>
Where &lt;www.redhat.com&gt; is the name or <acronym>IP</acronym> address of the host that you want to trace.
</para>
</tip>
<tip>
<title>Display Web pages access</title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</mediaobject>
<para>
To display quickly how many times the front page of your web site has been requested (the pattern matches GET requests for the root document only, not every page), count the matching lines in the Apache access log:
<screen>
[root@deep] /# <command>grep</command> "GET / HTTP" /var/log/httpd/access_log | wc -l
</screen>
<literallayout class="monospaced"><computeroutput>
467
</computeroutput></literallayout>
</para>
</tip>
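<para>
The <command>grep</command> above only counts requests for the front page. The following script, an added example rather than part of the book, shows how to get more out of the same log with <command>awk</command>: hits per path, and which clients are collecting error responses, which is the first sign of a scanner probing for CGI scripts. The log lines in it are constructed for the example in Apache's Common Log Format and use documentation addresses; nothing in them comes from a real server.
</para>

```shell
#!/bin/sh
# Added example, not from the book: counting hits in an Apache access_log.
# The log lines below are constructed in Common Log Format; the client
# addresses are documentation addresses, not real visitors.

SAMPLE_LOG='192.0.2.10 - - [02/Dec/2000:14:45:01 -0500] "GET / HTTP/1.0" 200 2326
192.0.2.10 - - [02/Dec/2000:14:45:02 -0500] "GET /images/logo.gif HTTP/1.0" 200 512
198.51.100.7 - - [02/Dec/2000:14:46:10 -0500] "GET / HTTP/1.1" 200 2326
198.51.100.7 - - [02/Dec/2000:14:46:11 -0500] "GET /cgi-bin/missing.cgi HTTP/1.0" 404 210
203.0.113.5 - - [02/Dec/2000:14:50:00 -0500] "GET /index.html HTTP/1.0" 200 2326
203.0.113.5 - - [02/Dec/2000:14:50:01 -0500] "POST / HTTP/1.0" 200 15'

# write_sample_log FILE: store the constructed lines where the functions
# below expect a real /var/log/httpd/access_log.
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# count_root_hits LOG: the book's one-liner. It counts GET requests for "/"
# only: other pages, and the POST for "/", do not match the fixed string.
count_root_hits() {
    grep -c "GET / HTTP" "$1"
}

# hits_per_path LOG: requests per path, busiest first. In CLF the request
# path is the 7th whitespace-separated field.
hits_per_path() {
    awk '{ print $7 }' "$1" | sort | uniq -c | sort -rn
}

# errors_per_client LOG: clients that drew 4xx/5xx responses (status is
# field 9), most errors first; a client with many 404s is usually a scanner.
errors_per_client() {
    awk '$9 >= 400 { print $1 }' "$1" | sort | uniq -c | sort -rn
}

# Stand-alone use: access-stats.sh /var/log/httpd/access_log
if [ $# -gt 0 ]; then
    echo "Hits on /: $(count_root_hits "$1")"
    echo "Requests per path:"; hits_per_path "$1"
    echo "Error responses per client:"; errors_per_client "$1"
fi
```

<para>
Point it at <filename>/var/log/httpd/access_log</filename> on a real host. The field numbers (7 for the request path, 9 for the status) hold for the Common Log Format; the combined format only appends referer and user-agent after the byte count, so the same fields still apply.
</para>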
<tip>
<title>Shut down most services altogether</title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</mediaobject>
<para>
As root, you can shut down most services at once with the following command:
<screen>
[root@deep] /# <command>killall</command> httpd smbd nmbd slapd named
</screen>
The above command sends a termination signal to the Apache, Samba (<command>smbd</command> and <command>nmbd</command>), <acronym>LDAP</acronym> and <acronym>DNS</acronym> server processes respectively. It bypasses the init scripts, so use <filename>/etc/rc.d/init.d/httpd</filename> stop and its siblings when you want a clean, repeatable shutdown; <command>killall</command> is the quick way to close the listening ports in a hurry. Run <command>lsof</command> -i afterwards to confirm that nothing is still listening.
</para>
</tip>
<tip>
<title>clock on the top of your terminal </title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</mediaobject>
<para>
Edit the <filename>profile</filename> file, <command>vi</command> <filename>/etc/profile</filename> and add the following line:
<programlisting>
PROMPT_COMMAND='echo -ne "\0337\033[2;999r\033[1;1H\033[00;44m\033[K"`date`"\033[00m\0338"'
</programlisting>
The result will look like:
<mediaobject>
<imageobject>
<imagedata fileref="./images/time01.gif" format="GIF"/>
</imageobject>
<textobject>
<phrase>
Clock on terminal window
</phrase>
</textobject>
</mediaobject>
</para>
</tip>
<tip>
<title>lsof installed on your server?</title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</mediaobject>
<para>
If not, install it and run <command>lsof</command> -i. This lists the network ports open on your machine, and for each one the process that is
listening on it, which makes <command>lsof</command> a great tool for auditing what a server exposes.
<screen>
[root@deep] /# <command>lsof</command> -i
</screen>
<literallayout class="monospaced"><computeroutput>
COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
inetd      344 root    4u  IPv4    327      TCP *:ssh (LISTEN)
sendmail   389 root    4u  IPv4    387      TCP *:smtp (LISTEN)
smbd       450 root    5u  IPv4    452      TCP deep.openna.com:netbios-ssn (LISTEN)
nmbd       461 root    5u  IPv4    463      UDP *:netbios-ns
nmbd       461 root    6u  IPv4    465      UDP *:netbios-dgm
nmbd       461 root    8u  IPv4    468      UDP deep.openna.com:netbios-ns
nmbd       461 root    9u  IPv4    470      UDP deep.openna.com:netbios-dgm
named     2599 root    4u  IPv4   3095      UDP *:32771
named     2599 root   20u  IPv4   3091      UDP localhost.localdomain:domain
named     2599 root   21u  IPv4   3092      TCP localhost.localdomain:domain (LISTEN)
named     2599 root   22u  IPv4   3093      UDP deep.openna.com:domain
named     2599 root   23u  IPv4   3094      TCP deep.openna.com:domain (LISTEN)
</computeroutput></literallayout>
</para>
</tip>
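<para>
Knowing which ports are open is only useful if you compare the list with what you expect. The following script, an added example and not part of the book, parses the output of <command>lsof</command> -i and prints every listening socket whose protocol and service is not on an allow-list you give it. The sample in it is constructed from the output shown above (trimmed to one <command>nmbd</command> line); on a real machine feed it the output of <command>lsof</command> -i -n -P so that ports appear as numbers and the allow-list can be written as <literal>TCP/22 TCP/25</literal>.
</para>

```shell
#!/bin/sh
# Added example, not from the book: audit the listening sockets reported by
# lsof -i against a list of services you expect, and flag the rest.
# The sample below is constructed from the output shown in the tip; on a
# real host feed it "lsof -i -n -P" (numeric addresses and ports) instead.

LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
inetd     344 root    4u  IPv4    327      TCP *:ssh (LISTEN)
sendmail  389 root    4u  IPv4    387      TCP *:smtp (LISTEN)
smbd      450 root    5u  IPv4    452      TCP deep.openna.com:netbios-ssn (LISTEN)
nmbd      461 root    5u  IPv4    463      UDP *:netbios-ns
named    2599 root    4u  IPv4   3095      UDP *:32771
named    2599 root   21u  IPv4   3092      TCP localhost.localdomain:domain (LISTEN)
named    2599 root   23u  IPv4   3094      TCP deep.openna.com:domain (LISTEN)'

# write_lsof_sample FILE: save the constructed sample to FILE.
write_lsof_sample() {
    printf '%s\n' "$LSOF_SAMPLE" > "$1"
}

# listening_sockets FILE: one "PROTO ADDRESS COMMAND PID" line per socket
# that accepts traffic: TCP sockets in LISTEN state and every UDP socket.
# With the SIZE column empty, NODE is field 7, NAME field 8, state field 9.
listening_sockets() {
    awk 'NR > 1 {
            if ($7 == "UDP" || $9 == "(LISTEN)") print $7, $8, $1, $2
         }' "$1"
}

# unexpected_listeners FILE ALLOWED: listeners whose "PROTO/service" key is
# not in ALLOWED, a space-separated list such as "TCP/ssh TCP/smtp".
# Duplicate lines (a daemon bound to several addresses) are collapsed.
unexpected_listeners() {
    listening_sockets "$1" | awk -v allowed="$2" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = n; i > 0; i--) ok[a[i]] = 1
        }
        {
            svc = $2; sub(/.*:/, "", svc)    # keep only the port or service name
            key = $1 "/" svc
            if (!(key in ok)) print key, $3, $4
        }' | sort -u
}

# Stand-alone use: lsof -i -n -P > /tmp/lsof.out; listen-audit.sh /tmp/lsof.out "TCP/22 TCP/25"
if [ $# -gt 0 ]; then
    unexpected_listeners "$1" "${2:-TCP/ssh TCP/smtp}"
fi
```

<para>
For the sample above, an allow-list of <literal>TCP/ssh TCP/smtp TCP/netbios-ssn UDP/netbios-ns</literal> leaves two findings, both belonging to <command>named</command>: its <acronym>DNS</acronym> listener and the unprivileged <acronym>UDP</acronym> port it opened for queries. Either add them to the list or, if the host should not be serving <acronym>DNS</acronym>, stop the daemon.
</para>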
<tip>
<title>commands on remote servers via ssh protocol </title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</mediaobject>
<para>
The <command>ssh</command> command can also be used to run a single command on a remote system without opening an interactive login session: the command's output is displayed locally and control returns to the local shell. Here is an example which displays all
the users logged in on the remote system.
<screen>
[admin@deep /]$ <command>ssh</command> mail.openna.com who
</screen>
<literallayout class="monospaced"><computeroutput>
admin@mail.openna.com's password:
root tty1 Dec 2 14:45
admin tty2 Dec 2 14:45
wahib pts/0 Dec 2 11:38
</computeroutput></literallayout>
</para>
</tip>
<tip>
<title>Filename Completion</title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</mediaobject>
<para>
Tab filename completion allows you to type in portions of a filename or program, and then press <keycap>TAB</keycap>, and it will complete the filename for you. If there's more than one file or program that starts with what you already
typed in, it will beep, and then when you press <keycap>TAB</keycap> again it will list all the files that start with what you initially typed.
</para>
</tip>
<tip>
<title>Special Characters</title>
<mediaobject>
<imageobject>
<imagedata fileref="./images/Tip.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Tip</phrase></textobject>
</mediaobject>
<para>
You can quickly accomplish tasks that you perform frequently by using shortcut keys, that is, one or more keys you press on the keyboard to complete a task. The Linux shell also gives a few characters special meaning, as in the following examples:
<itemizedlist><listitem><para>
<keycap>Control</keycap>+<keycap>d</keycap>: If you are in the shell and hit <keycap>Control</keycap>+<keycap>d</keycap> you get logged off.
</para></listitem><listitem><para>
<keycap>Control</keycap>+<keycap>l</keycap>: If you are in the shell and hit <keycap>Control</keycap>+<keycap>l</keycap> you clear the screen.
</para></listitem><listitem><para>
<keycap>?</keycap>: This is a wildcard that stands for exactly one character of any kind. If you typed "m?b" on the command line, the shell would match mob, mib, mub and any other three-character name that starts with m and ends with b.
</para></listitem><listitem><para>
<keycap>*</keycap>: This stands for any number of characters, including none. "mi*" matches mit, mim, miiii, miya and anything else that starts with mi; "m*l" matches mill, mull, ml and anything else that starts with an m and ends with an l.
</para></listitem>
<listitem><para>
<keycap>[]</keycap>: Specifies a set or a range of single characters. m[oui]m matches mim, mum and mom; m[a-d]m matches mam, mbm, mcm and mdm. Do not separate the characters with commas: m[o,u,i]m also matches a file called m,m, because the comma is simply another member of the set. The <keycap>[]</keycap>, <keycap>?</keycap>,
and <keycap>*</keycap> patterns are most often used with copying, deleting, and directory listings.
</para></listitem>
</itemizedlist>
</para>
</tip>
<important>
<title>
<inlinemediaobject>
<imageobject>
<imagedata fileref="./images/Important.gif" format="GIF"/>
</imageobject>
<textobject><phrase>Important</phrase></textobject>
</inlinemediaobject>
</title>
<para>
<emphasis>Everything in Linux is</emphasis> CASE <emphasis>sensitive</emphasis>. This means "Bill" and "bill" are not the same thing, so "Bill", "bill", "bIll", "biLl", etc. can all be
different files. When you use the <keycap>[]</keycap> patterns you therefore have to spell out capital letters if any of the files you are dealing with have them. Most names in UNIX are lower case, though.
</para>
</important>
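<para>
Because the comma in <literal>m[o,u,i]m</literal> and the capital in <literal>Mim</literal> are easy to get wrong, the following script, an added example that is not part of the book, creates a scratch directory with invented file names and shows exactly what each pattern from the two notes above expands to. Only the file names are made up; the matching rules are those of the shell itself.
</para>

```shell
#!/bin/sh
# Added example, not from the book: what the shell's ?, * and [] patterns
# really match, including the comma pitfall and case sensitivity. The file
# names are invented to mirror the tip and live in a scratch directory.

# make_glob_sandbox DIR: create empty files with the names the tip talks about.
make_glob_sandbox() {
    mkdir -p "$1"
    for name in mob mib mub mim mum mom m,m Mim mill mull ml mit miya; do
        : > "$1/$name"
    done
}

# glob_matches DIR PATTERN: the names in DIR that PATTERN expands to, sorted
# in the C locale, one per line. When nothing matches the shell leaves the
# pattern literal, and the -e test drops it, so the output is empty.
glob_matches() {
    ( cd "$1" || exit 1
      for f in $2; do
          [ -e "$f" ] || continue
          printf '%s\n' "$f"
      done | LC_ALL=C sort )
}

# Stand-alone use: glob-demo.sh /tmp/globtest
# Prints the expansion of each pattern mentioned in the tip.
if [ $# -gt 0 ]; then
    make_glob_sandbox "$1"
    for p in 'm?b' 'mi*' 'm*l' 'm[oui]m' 'm[o,u,i]m' 'm[a-d]m' '[Mm]im'; do
        printf '%-10s -> %s\n' "$p" "$(glob_matches "$1" "$p" | tr '\n' ' ')"
    done
fi
```

<para>
The line for <literal>m[o,u,i]m</literal> lists four names where you probably expected three, and <literal>m[a-d]m</literal> lists none because no such file exists; <literal>[Mm]im</literal> is the way to catch both spellings when case is not known.
</para>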
</appendix>
<appendix id="pr7ap3rfc"><?dbhtml filename="appendixc.html"?>
<title>Obtaining Requests for Comments (RFCs)</title>
<para>
Requests for Comments -<acronym>RFC</acronym>s are an ongoing series of documents, published by the RFC Editor on behalf of the Internet Engineering Task Force -<acronym>IETF</acronym> and historically distributed by the Network Information Center -<acronym>NIC</acronym>, that present
new protocols and establish standards for the Internet protocol suite. Each such document defines one aspect of an Internet protocol. We have listed below all the <acronym>RFC</acronym>s that pertain to this
book and to the various software described in it. <acronym>RFC</acronym>s are available from the following site: <link linkend="prtinxfp24">http://www.cis.ohio-state.edu/rfc/</link>
</para>
<glosslist><glossentry>
<glossterm><acronym>RFC</acronym>706</glossterm>
<glossdef><para>
On the Junk Mail Problem.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>733</glossterm>
<glossdef><para>
Standard for the Format of <acronym>ARPA</acronym> Network Text Messages.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>768</glossterm>
<glossdef><para>
User Datagram Protocol -<acronym>UDP</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>791</glossterm>
<glossdef><para>
Internet Protocol -<acronym>IP</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>792</glossterm>
<glossdef><para>
Internet Control Message Protocol -<acronym>ICMP</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>793</glossterm>
<glossdef><para>
Transmission Control Protocol (<acronym>TCP</acronym>).
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>805 </glossterm>
<glossdef><para>
Computer Mail Meeting Notes.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>821</glossterm>
<glossdef><para>
Simple Mail Transfer Protocol -<acronym>SMTP</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>822</glossterm>
<glossdef><para>
Standard for the Format of <acronym>ARPA</acronym> Internet Text Messages.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>934</glossterm>
<glossdef><para>
Proposed Standard for Message Encapsulation.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>950</glossterm>
<glossdef><para>
<acronym>IP</acronym> Subnet Extension.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>959</glossterm>
<glossdef><para>
File Transfer Protocol (<acronym>FTP</acronym>).
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>976</glossterm>
<glossdef><para>
<acronym>UUCP</acronym> Mail Interchange Format Standard.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1034</glossterm>
<glossdef><para>
Domain Names: Concepts and Facilities.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1036</glossterm>
<glossdef><para>
Standard for Interchange of USENET Messages.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1058</glossterm>
<glossdef><para>
Routing Information Protocol -<acronym>RIP</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1112</glossterm>
<glossdef><para>
Host Extensions for <acronym>IP</acronym> Multicasting, which defines the Internet Group Management Protocol -<acronym>IGMP</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1122</glossterm>
<glossdef><para>
Requirements for Internet Hosts: Communication Layers.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1123</glossterm>
<glossdef><para>
Requirements for Internet Hosts: Application and Support.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1137</glossterm>
<glossdef><para>
Mapping Between Full <acronym>RFC</acronym> 822 and <acronym>RFC</acronym> 822 with Restricted Encoding.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1153</glossterm>
<glossdef><para>
Digest Message Format.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1155</glossterm>
<glossdef><para>
Structure of Management Information <acronym>SMI.</acronym>
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1157</glossterm>
<glossdef><para>
Simple Network Management Protocol <acronym>SNMP.</acronym>
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1176</glossterm>
<glossdef><para>
Interactive Mail Access Protocol: Version 2.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1274</glossterm>
<glossdef><para>
The COSINE and Internet X.500 Schema.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1275</glossterm>
<glossdef><para>
Replication Requirements to provide an Internet Directory using X.500.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1279</glossterm>
<glossdef><para>
X.500 and Domains.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1308</glossterm>
<glossdef><para>
Executive Introduction to Directory Services Using the X.500 Protocol.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1309</glossterm>
<glossdef><para>
Technical Overview of Directory Services Using the X.500 Protocol.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1310</glossterm>
<glossdef><para>
The Internet Standards Process.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1319</glossterm>
<glossdef><para>
MD2 Message-Digest Algorithm.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1320</glossterm>
<glossdef><para>
MD4 Message-Digest Algorithm.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1321</glossterm>
<glossdef><para>
MD5 Message-Digest Algorithm.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1343</glossterm>
<glossdef><para>
User Agent Configuration Mechanism for Multimedia Mail Format Information.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1344</glossterm>
<glossdef><para>
Implications of <acronym>MIME</acronym> for Internet Mail Gateways.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1345</glossterm>
<glossdef><para>
Character Mnemonics and Character Sets.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1421</glossterm>
<glossdef><para>
Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1422</glossterm>
<glossdef><para>
Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1423</glossterm>
<glossdef><para>
Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1428</glossterm>
<glossdef><para>
Transition of Internet Mail from Just-Send-8 to 8bit-<acronym>SMTP</acronym>/<acronym>MIME</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1430</glossterm>
<glossdef><para>
A Strategic Plan for Deploying an Internet X.500 Directory Service.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1492</glossterm>
<glossdef><para>
An Access Control Protocol, Sometimes Called TACACS.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1495</glossterm>
<glossdef><para>
Mapping Between X.400(1988)/ISO 10021 and <acronym>RFC</acronym> 822.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1496</glossterm>
<glossdef><para>
X.400 1988 to 1984 Downgrading.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1505</glossterm>
<glossdef><para>
Encoding Header Field for Internet Messages.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1510</glossterm>
<glossdef><para>
The Kerberos Network Authentication Service (V5).
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1519</glossterm>
<glossdef><para>
Classless Inter-Domain Routing (<acronym>CIDR</acronym>): an Address Assignment and Aggregation Strategy.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1521</glossterm>
<glossdef><para>
<acronym>MIME</acronym> (Multipurpose Internet Mail Extensions) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1522</glossterm>
<glossdef><para>
<acronym>MIME</acronym> (Multipurpose Internet Mail Extensions) Part Two: Message Header Extensions for Non-<acronym>ASCII</acronym> Text.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1558</glossterm>
<glossdef><para>
A String Representation of <acronym>LDAP</acronym> Search Filters.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1566</glossterm>
<glossdef><para>
Mail Monitoring MIB.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1579</glossterm>
<glossdef><para>
Firewall-Friendly <acronym>FTP</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1583</glossterm>
<glossdef><para>
Open Shortest Path First Routing V2 (OSPF2).
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1617</glossterm>
<glossdef><para>
Naming and Structuring Guidelines for X.500 Directory Pilots.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1625</glossterm>
<glossdef><para>
<acronym>WAIS</acronym> over Z39.50-1988.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1631</glossterm>
<glossdef><para>
The <acronym>IP</acronym> Network Address Translator (<acronym>NAT</acronym>).
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1652</glossterm>
<glossdef><para>
<acronym>SMTP</acronym> Service Extension for 8bit-<acronym>MIME</acronym>transport.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1661</glossterm>
<glossdef><para>
Point-to-Point Protocol -<acronym>PPP</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1711</glossterm>
<glossdef><para>
Classifications in E-mail Routing.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1725</glossterm>
<glossdef><para>
Post Office Protocol, Version 3 -<acronym>POP</acronym>3.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1738</glossterm>
<glossdef><para>
Uniform Resource Locators -<acronym>URL</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1739</glossterm>
<glossdef><para>
A Primer on Internet and <acronym>TCP</acronym>/<acronym>IP</acronym> Tools.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1777</glossterm>
<glossdef><para>
Lightweight Directory Access Protocol.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1778</glossterm>
<glossdef><para>
The String Representation of Standard Attribute Syntaxes.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1779</glossterm>
<glossdef><para>
A String Representation of Distinguished Names.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1781</glossterm>
<glossdef><para>
Using the <acronym>OSI</acronym> Directory to Achieve User Friendly Naming.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1796</glossterm>
<glossdef><para>
Not All <acronym>RFC</acronym>s are Standards.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1798</glossterm>
<glossdef><para>
Connection-less Lightweight Directory Access Protocol.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1823</glossterm>
<glossdef><para>
The <acronym>LDAP</acronym> Application Program Interface.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1830</glossterm>
<glossdef><para>
<acronym>SMTP</acronym> Service Extensions for Transmission of Large and Binary <acronym>MIME</acronym> Messages.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1844</glossterm>
<glossdef><para>
Multimedia E-mail (<acronym>MIME</acronym>) User Agent Checklist.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1845</glossterm>
<glossdef><para>
<acronym>SMTP</acronym> Service Extension for Checkpoint/Restart.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1846</glossterm>
<glossdef><para>
<acronym>SMTP</acronym> 521 Reply Code.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1854</glossterm>
<glossdef><para>
<acronym>SMTP</acronym> Service Extension for Command Pipelining.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1855</glossterm>
<glossdef><para>
Netiquette Guidelines.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1864</glossterm>
<glossdef><para>
The Content-MD5 Header Field.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1866</glossterm>
<glossdef><para>
Hypertext Markup Language - 2.0.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1869</glossterm>
<glossdef><para>
<acronym>SMTP</acronym> Service Extensions.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1870</glossterm>
<glossdef><para>
<acronym>SMTP</acronym> Service Extension for Message Size Declaration.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1872</glossterm>
<glossdef><para>
The <acronym>MIME</acronym> Multipart/Related Content-type.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1873</glossterm>
<glossdef><para>
Message/External-Body Content-ID Access-type.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1883</glossterm>
<glossdef><para>
Internet Protocol, Version 6 (<acronym>IP</acronym>v6) Specification.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1884</glossterm>
<glossdef><para>
<acronym>IP</acronym> Version 6 Addressing Architecture.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1886</glossterm>
<glossdef><para>
<acronym>DNS</acronym> Extensions to Support <acronym>IP</acronym> Version 6.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1891</glossterm>
<glossdef><para>
<acronym>SMTP</acronym> Service Extension for Delivery Status Notifications.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1892</glossterm>
<glossdef><para>
The Multipart/Report Content Type for the Reporting of Mail System Administrative Messages.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1893</glossterm>
<glossdef><para>
Enhanced Mail System Status Codes.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1894</glossterm>
<glossdef><para>
An Extensible Message Format for Delivery Status Notifications.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1918</glossterm>
<glossdef><para>
Address Allocation for Private Internets.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1928</glossterm>
<glossdef><para>
SOCKS Protocol Version 5.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1929</glossterm>
<glossdef><para>
Username/Password Authentication for SOCKS V5.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1959</glossterm>
<glossdef><para>
An <acronym>LDAP</acronym> <acronym>URL</acronym> Format.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1960</glossterm>
<glossdef><para>
A String Representation of <acronym>LDAP</acronym> Search Filters.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>1961</glossterm>
<glossdef><para>
<acronym>GSS</acronym>-<acronym>API</acronym> Authentication Method for SOCKS Version 5.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2003</glossterm>
<glossdef><para>
<acronym>IP</acronym> Encapsulation within <acronym>IP</acronym>.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2028</glossterm>
<glossdef><para>
The Organizations Involved in the <acronym>IETF</acronym> Standards Process.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2044</glossterm>
<glossdef><para>
UTF-8, a transformation format of Unicode and <acronym>ISO</acronym> 10646.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2060</glossterm>
<glossdef><para>
Internet Message Access Protocol Version 4rev1 -<acronym>IMAP</acronym>4.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2104</glossterm>
<glossdef><para>
HMAC: Keyed-Hashing for Message Authentication.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2138</glossterm>
<glossdef><para>
Remote Authentication Dial In User Service (RADIUS).
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2164</glossterm>
<glossdef><para>
Use of an X.500/<acronym>LDAP</acronym> directory to support MIXER address mapping.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2200</glossterm>
<glossdef><para>
Internet Official Protocol Standards.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2218</glossterm>
<glossdef><para>
A Common Schema for the Internet White Pages Service.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2247</glossterm>
<glossdef><para>
Using Domains in <acronym>LDAP</acronym>/X.500 Distinguished Names.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2251</glossterm>
<glossdef><para>
Lightweight Directory Access Protocol (v3).
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2252</glossterm>
<glossdef><para>
Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2253</glossterm>
<glossdef><para>
Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2254</glossterm>
<glossdef><para>
The String Representation of <acronym>LDAP</acronym> Search Filters.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2255</glossterm>
<glossdef><para>
The <acronym>LDAP</acronym> <acronym>URL</acronym> Format.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2256</glossterm>
<glossdef><para>
A Summary of the X.500(96) User Schema for use with <acronym>LDAP</acronym>v3.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2279</glossterm>
<glossdef><para>
UTF-8, a transformation format of <acronym>ISO</acronym> 10646.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2293</glossterm>
<glossdef><para>
Representing Tables and Subtrees in the X.500 Directory.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2294</glossterm>
<glossdef><para>
Representing the O/R Address hierarchy in the X.500 Directory Information Tree.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2305</glossterm>
<glossdef><para>
A Simple Mode of Facsimile Using Internet Mail.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2307</glossterm>
<glossdef><para>
An Approach for Using <acronym>LDAP</acronym> as a Network Information Service.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2313</glossterm>
<glossdef><para>
PKCS #1: RSA Encryption Version 1.5.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2314</glossterm>
<glossdef><para>
PKCS #10: Certification Request Syntax Version 1.5.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2315</glossterm>
<glossdef><para>
PKCS #7: Cryptographic Message Syntax Version 1.5.
</para></glossdef>
</glossentry><glossentry>
<glossterm><acronym>RFC</acronym>2377</glossterm>
<glossdef><para>
Naming Plan for Internet Directory-Enabled Applications.
</para></glossdef>
</glossentry>
</glosslist>
</appendix>
</part>
</book>