********************************************
*         HINTS AND TIPS FOR DEBIAN        *
********************************************

RELEVANT INFORMATION ON DEBIAN
==============================

For French-speaking people:
    http://people.via.ecp.fr/~alexis/formation-linux/formation-linux.html

A good French-speaking forum on Debian:
    http://www.pcimpact.com/forum

SETTING UP HTTP SERVERS
=======================

1/ Introduction.

HTTP is an application protocol describing the communication between a
client and a server. HTTP is a protocol, while HTML is a page description
language. The connection between client and server is made on port 80.

Some HTTP servers can also manage 'virtual hosts'. This function requires
the HTTP server to work closely with a DNS server. They also offer good
management of the server resources.

Apache, the leading HTTP server, is a modular program. Additional functions
can be added as modules to the main program.

Apache can work in one of two modes, either 'normal' or 'KeepAlive'. The
KeepAlive mode is designed for downloading complex/rich content web pages
(containing images or other multimedia elements). As its name says, the
'KeepAlive' mode keeps a session open on the server as long as the client
has not expressly closed it.

2/ Resources:

    http://httpd.apache.org
    http://httpd.apache.org/docs-project/

3/ Configuration:

Edit the following file:
    /etc/apache2/apache2.conf

The default virtual server is in:
    /etc/apache2/sites-available/default

Copy this file under another name to configure a virtual server/site:

    cp -v default pierre

Then, edit 'pierre' and change the following parameters if necessary
(Apache does not accept comments on the same line as a directive, so the
comments below are on their own lines):

    # indicates the activation of virtual hosts on all interfaces.
    NameVirtualHost *
    <VirtualHost *>
        # email address of the webmaster.
        ServerAdmin webmaster@localhost
        # start of directory config for '/'
        <Directory />
            ...
        </Directory>
        # start of directory config for /var/www/
        <Directory /var/www/>
            ...
        </Directory>
        # The two following lines configure the cgi-bin directory
        # make sure you configure this properly!!!
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            ...
        </Directory>
    </VirtualHost>

The following is a commented /etc/apache2/sites-available/pierre:

    <VirtualHost *>
        # Admin email
        ServerAdmin pierre@prenom.com
        # www directory
        DocumentRoot /home/pierre/www/
        # name of the virtual server
        ServerName pierre.prenom.com
        # configuration of www dir
        <Directory /home/pierre/www/>
            Options Indexes FollowSymLinks MultiViews
            Order Allow,Deny
            Allow from all
            AllowOverride None
        </Directory>
        # Define the error log dir + log level.
        ErrorLog /var/log/apache2/pierre-error.log
        LogLevel warn
        # Define the customized log report
        CustomLog /var/log/apache2/pierre-access.log combined
        ServerSignature On
    </VirtualHost>
    # End of config. Please note the few differences with
    # the basic file /etc/apache2/sites-available/default.

Once the file above (or its equivalent) has been entered, create a symbolic
link in the directory:
    /etc/apache2/sites-enabled/

For instance, the following command will create the relevant link if you
already are in the 'sites-enabled' directory:

    ln -s /etc/apache2/sites-available/pierre 001-pierre

Then, Apache should be restarted with the command:

    apache2ctl graceful

4/ Advanced configuration:

Creating a private directory on a web server means creating a file named
'.htaccess', which contains a login/password as well as different options
from the normal configuration seen above. More information on the official
Apache documentation site:
    http://httpd.apache.org/docs-2.0/howto/htaccess.html

Every time the Apache web server finds a file named '.htaccess', it reads it
and tries to interpret its directives. Please note that Apache only reads
'.htaccess' in directories where 'AllowOverride' permits it (for instance
'AllowOverride AuthConfig Options'); with 'AllowOverride None', as in the
'pierre' configuration above, the file is ignored. For instance:

    # Authentication type, digest=MD5
    # Other type: basic
    AuthType digest
    # Name of the authentication (realm)
    AuthName "Private zone"
    # Name of the authentication file:
    AuthUserFile "/home/pierre/www/prive/.htpasswd"
    # Please note that .htpasswd is the file that
    # contains the passwords for the authorized
    # users.
    # Requirements
    Require valid-user
    # Other options:
    # Disable directory listings and content negotiation
    Options -Indexes -MultiViews

Once '.htaccess' has been created, enter the following command to create
the '.htpasswd' (password) file:

    htpasswd -c -m .htpasswd pierre

Use 'man htpasswd' for more information on this command. To add several
users in a row to the .htpasswd file, drop the '-c' option from the command
line above ('-c' creates the file and would overwrite the existing one).
Note that a password file made with 'htpasswd' is the one used by
'AuthType basic'; 'AuthType digest' expects a file created with 'htdigest'
for the same AuthName (realm), and the digest authentication module must be
loaded.

5/ Installation:

    sudo apt-get install apache2

Brief description of a few packages:

    apache2-mpm-worker     Multithreading
    apache2-mpm-prefork    Roughly equivalent to Apache 1.3

INSTALLING SQUID UNDER DEBIAN
=============================

The usual suspects:

    gil@vortex:~$ sudo apt-get install squid squidview

For basic configuration, please see the file named:
    example_squid.conf

AUTHENTICATION UNDER SQUID
==========================

1/ Squid configuration for authentication:

Check the directory:
    /usr/lib/squid/
for the different authentication modules available under Squid. In this
example, we will use the module named 'ncsa_auth'. This program should then
be referenced in 'squid.conf'.

Once the module has been chosen, an ACL must be created to allow the user
access to Squid's functions. In the file '/etc/squid/squid.conf', create the
following line (the keyword 'program' is required between the scheme and
the path of the helper):

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/users/squid_users

This line will load the module 'ncsa_auth' with authentication type 'basic';
the user data is stored in '/etc/squid/users/squid_users'.

Then, add the following line, which will create the ACL:

    acl auth proxy_auth REQUIRED

Finally, define the access rights as follows ('salle2' is assumed to be an
'src' ACL for the local network, defined earlier in squid.conf):

    http_access allow salle2 auth

2/ Create the authenticated users:

Create the relevant file, as defined above in section 1/:

    cd /etc/squid
    mkdir users
    cd users
    htpasswd -c squid.users <user>
    htpasswd squid.users <other user>

Please note that the program used is 'htpasswd', as was the case for Apache.
The same file can be used for both, if the file used in 'auth_param' (see
above) is correctly entered: the name must match ('squid_users' in the
auth_param line above versus 'squid.users' in the commands above, so use one
name for both).

3/ Restart the Squid server:

    sudo /etc/init.d/squid restart

You should then test that you have an authenticated access to the Internet.
Don't forget to set up the 'proxy' functions of your www browser... :-)

4/ So, does it work? Well, just check it out!

    /var/log/squid/
        access.log
        cache.log
        store.log

The three files shown above are the different Squid logs.

5/ Another example:

    acl mine src 192.168.1.12/255.255.255.255
    http_access allow mine
    http_access allow salle2 auth

The lines shown above authorize only the machine 192.168.1.12 to connect to
the Internet without authentication. The ACL defined is named 'mine'. All
other users have to provide a name and a password.

FILTERING CONTENT WITH SQUID
============================

[More information (in French) at http://christian.caleca.free.fr]

'SquidGuard' is a program to filter content in cooperation with Squid.
Install 'squidguard' with the command:

    sudo apt-get install squidguard

This program is configured through the file:
    /etc/squid/squidguard.conf

The ACLs for squidguard are in:
    /var/lib/squidguard/db/

To create an ACL, create a sub-directory in the directory shown above, and
modify squidguard.conf accordingly. Then, enter the command:

    squidguard -C all

And restart Squid to take the changes into account.

COMBINING APACHE AND PHP
========================

It is possible to 'embed' a PHP interpreter into Apache to provide a way to
create dynamic pages with this language. To provide this functionality,
several packages need to be added to the base Debian Linux (see below).
PHP is a full-featured programming language, which looks like this:

    <?php
    ...
    ".$result."";
    phpinfo();
    ?>

Please note that the command 'phpinfo();' displays a lot of information on
the installation of PHP on the server. The file should be saved with the
extension '.php'.
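Section 4/ of AUTHENTICATION UNDER SQUID above says to check the Squid logs to see whether authentication works. The following script is an added example, not part of these notes: it reads constructed lines in Squid's native access.log format and reports clients that were served without a user name (apart from those an 'src' ACL such as 'mine' lets through) and clients that keep receiving 407 challenges without ever logging in.

```python
"""Check Squid's native access.log to confirm that proxy authentication is
enforced (AUTHENTICATION UNDER SQUID, sections 4/ and 5/ above).  Added
example, not part of the original notes.  The log lines are constructed in
Squid's native format:
  time elapsed client code/status bytes method URL user hierarchy/peer type
A 407 is Squid's 'authentication required' challenge; one per client is
normal, many of them with no successful request means a client that never
manages to log in.
"""
from collections import defaultdict

SAMPLE_LOG = """\
1118836420.123    245 192.168.1.12 TCP_MISS/200 1452 GET http://www.debian.org/ - DIRECT/194.109.137.218 text/html
1118836421.456      0 192.168.1.25 TCP_DENIED/407 1675 GET http://www.debian.org/ - NONE/- text/html
1118836423.789    310 192.168.1.25 TCP_MISS/200 9876 GET http://www.debian.org/ pierre DIRECT/194.109.137.218 text/html
1118836430.001      0 192.168.1.40 TCP_DENIED/407 1675 GET http://www.google.com/ - NONE/- text/html
1118836431.002      0 192.168.1.40 TCP_DENIED/407 1675 GET http://www.google.com/ - NONE/- text/html
1118836432.003      0 192.168.1.40 TCP_DENIED/407 1675 GET http://www.google.com/ - NONE/- text/html
1118836440.004    120 192.168.1.50 TCP_HIT/200 512 GET http://www.debian.org/ - NONE/- text/html
"""

# Clients allowed through without a password by an 'src' ACL such as
# 'acl mine src 192.168.1.12/255.255.255.255' in the notes' section 5/.
UNAUTH_ALLOWED = {"192.168.1.12"}


def parse_line(line):
    """Split one native-format line into the fields used below, or None."""
    fields = line.split()
    if len(fields) < 10:
        return None
    _, _, status = fields[3].partition("/")      # e.g. TCP_DENIED/407
    return {
        "client": fields[2],
        "status": int(status) if status.isdigit() else 0,
        "user": None if fields[7] == "-" else fields[7],
    }


def summarise(log_text):
    """Per-client counts of served requests, 407 challenges and user names."""
    per_client = defaultdict(lambda: {"served": 0, "denied_407": 0, "users": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        entry = per_client[rec["client"]]
        if rec["status"] == 407:
            entry["denied_407"] += 1
        elif rec["status"] < 400:
            entry["served"] += 1
            if rec["user"]:
                entry["users"].add(rec["user"])
    return per_client


def find_problems(per_client, max_407=3):
    """Clients served with no user name (outside UNAUTH_ALLOWED) and clients
    challenged at least max_407 times without ever logging in."""
    problems = []
    for client, e in sorted(per_client.items()):
        if e["served"] and not e["users"] and client not in UNAUTH_ALLOWED:
            problems.append((client, "served without authentication"))
        if e["denied_407"] >= max_407 and not e["users"]:
            problems.append((client, "%d 407 challenges and no successful login"
                             % e["denied_407"]))
    return problems


if __name__ == "__main__":
    for client, problem in find_problems(summarise(SAMPLE_LOG)):
        print(client, problem)
```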
1/ Installation:

    sudo apt-get install libapache2-mod-php4
    [Installs a lot of things beyond PHP]

2/ Configuration:

All configuration files can be accessed within the following directory:
    /etc/apache2/mods-enabled

The most important files in this directory are:
    php4.conf
    php4.load
which are symbolic links into:
    /etc/apache2/mods-available

The PHP configuration itself is in the file:
    /etc/php4/apache2/php.ini

IPTABLES FIREWALLING
====================

IPTables is a packet-filtering firewall integrated in the Linux kernel.
IPTables is actually the utility that allows the administrator to configure
Netfilter, which is the kernel firewall itself. Netfilter is a stateful
packet filter, able to keep track of the outgoing and incoming TCP/IP
communications.

Stateful filtering:

    Workstation:  allows outgoing communication explicitly.
                  allows incoming communication implicitly.
    Server:       allows incoming communication explicitly.
                  allows outgoing communication explicitly.

Workstation 'tuple': random IP address + random port.
Server 'tuple':      fixed IP address + fixed port (80 = HTTP, etc.)

To both tuples, it is possible to add a sequence number to the IP packet
(based on the ISN: Initial Sequence Number). Remember the TCP/IP handshake:

    Client --> SYN (+ISN) --> Server
    Client <-- SYN+ACK    <-- Server
    Client --> ACK        --> Server

After the handshake described above, the TCP/IP communication is established
and data transfer begins. None of the above applies to UDP, since UDP does
not provide a way to establish connections.

1/ Possible filtering options:

    IP addresses (source [-s] / destination [-d])
    Communication ports (TCP/UDP, source [--sport] / destination [--dport])
    Communication transport protocol (TCP/UDP [-p])
    ICMP messages
    Connection status [--state]
    Incoming/outgoing packets
    Network interface (input [-i] / output [-o])

Two modifiers can be applied to these options:

    -m state:      indicates stateful packet filtering.
    -m multiport:  indicates multiple ports filtering.

Please note that the modifier '-m state' should always be followed by the
'--state' option.

2/ Possible Netfilter 'chains'.

A chain is a group of filtering rules. There are 5 pre-defined chains in
Netfilter.

                          +-------------+
    ------[0]--+---[1]--->|    LOCAL    |---->[2]---+---[3]-------->
               |          +-------------+           |
               |                                    |
               +-------------------[4]--------------+

    [0] Pre-routing (= PAT)
    [1] Input
    [2] Output
    [3] Post-routing (= NAT)
    [4] Forward

As long as the LOCAL machine does not do any routing, the most important
chains are INPUT and OUTPUT. Pre-routing and post-routing allow you to
modify the TCP/IP headers, based on the NAT/PAT rules defined.

[Tables are groups of chains. There are 3 tables pre-defined in Netfilter:
MANGLE, NAT and FILTER]

    Filter:  packet filter.              Contains: input/output/forward.
    NAT:     modify packet headers.      Contains: pre-routing, output, post-routing.
    Mangle:  modify packets themselves.  Contains: all chains.

3/ How to build rules in a chain.

The command 'iptables' should be used to add, modify or remove rules within
a chain.

First indicate the table with '-t':

    iptables -t <table>

Usually, this is the FILTER table (default). Only one table can be chosen.
The name of the table should be entered in lower case.

Then, indicate the target chain with '-A':

    iptables -t filter -A INPUT        [please note *all caps*]

Then, indicate the general command (Add, Remove, Flush, etc.). Then, indicate
the different criteria and options for filtering. Finally, indicate the
'target' with '-j':

    iptables ... -j DROP

Possible targets:

    ACCEPT
    DROP
    REJECT
    LOG

ACCEPT, DROP, REJECT and LOG are valid targets for FILTER. The difference
between REJECT and DROP is that REJECT indicates (via ICMP) that the
connection has been rejected. REJECT provides better response time, but also
allows OS fingerprinting. LOG provides a way to store relevant information
in the system logs. LOG does not stop the packet filtering: information on
the packet is stored in the logs, and the other rules are then scanned to
determine what to do with the packet.

    iptables ... -j DNAT

Possible targets:

    DNAT
    SNAT
    MASQUERADE

DNAT, SNAT and MASQUERADE are valid targets for NAT.

    DNAT:        modifies the destination address (PAT).
    SNAT:        modifies the source address (NAT) for a fixed IP.
    MASQUERADE:  modifies the source address for a dynamic IP.

DNAT uses the option '--to-destination', followed by an IP address and a
port. For instance: '--to-destination 192.168.1.7:8080'.

SNAT uses the option '--to-source', followed by an IP address (no port!).
For instance: '--to-source 81.28.51.223'.

    ********  It is much better to define an IPTables
    * NOTE *  firewall on paper first before starting
    ********  to write the script itself.

4/ Stateful packet inspection/firewalling.

    [NEW]  Client --> SYN (+ISN) --> Server
    [EST]  Client <-- SYN+ACK    <-- Server
    [EST]  Client --> ACK        --> Server

    [NEW] = New connection.
    [EST] = ESTABLISHED connection.

Option:

    -m state --state NEW
    -m state --state ESTABLISHED

Only available for routers: RELATED. The RELATED option is available for
certain types of connections, such as FTP, where a client and a server open
random connections between them.

5/ Example.

We have a server machine on network 192.168.1.0/24, this network being
connected through a router to network 192.168.2.0/24. This server provides
3 services: HTTP, FTP and DNS. HTTP should be available to everyone
(port 80). FTP should be available only to the network 192.168.1.0/24.

The following is the iptables script.
See also the files named:
    firewall_server.txt
    firewall_nat.txt

    # First things first:
    # Complete flush of rules ------------------------------------------
    iptables -t filter -F
    iptables -t filter -X
    iptables -t nat -F
    iptables -t nat -X

    # Defining default policies: DROP ----------------------------------
    # -P (upper case) sets the policy of a built-in chain; a policy can
    # only be ACCEPT or DROP (REJECT is a rule target, not a policy).
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # Defining default policies for OUTPUT -----------------------------
    iptables -t filter -A OUTPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
    # ---------------------------- COMMENTS -----------------------------
    # -t indicates the filter table [this is *optional*: filter is the default]
    # -A 'A'dd rule to OUTPUT
    # -p protocol: TCP
    # -m state defines the state modifier for 'state'ful packet filtering
    # --state defines filtering *only* for ESTABLISHED connections
    # -j ultimate decision: ACCEPT

    # Defining policies for HTTP ----------------------------------------
    iptables -t filter -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    # ---------------------------- COMMENTS -----------------------------
    # -t indicates the filter table [this is *optional*: filter is the default]
    # -A 'A'dd rule to INPUT
    # -p tcp for 'p'rotocol TCP
    # --dport for 'd'estination 'p'ort 80: destination port on our server
    # -m state defines the state modifier for 'state'ful packet filtering
    # --state defines stateful filtering for NEW and ESTABLISHED connections
    # -j final decision/target (ACCEPT)

    # Defining policies for FTP [1] -------------------------------------
    iptables -t filter -A INPUT -p tcp --dport 21 -s 192.168.1.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
    # ---------------------------- COMMENTS -----------------------------
    # -t indicates the filter table [this is *optional*: filter is the default]
    # -A 'A'dd rule to INPUT
    # -p tcp for 'p'rotocol TCP
    # --dport for 'd'estination 'p'ort 21: destination port on our server
    # -s defines the 'authorized' (source) network
    # -m state defines the state modifier for 'state'ful packet filtering
    # --state defines stateful filtering for NEW and ESTABLISHED connections
    # -j final decision/target (ACCEPT)

    # Defining policies for FTP [2] -------------------------------------
    # iptables -t filter -A INPUT -p tcp -m state --state RELATED -j ACCEPT
    # iptables -t filter -A OUTPUT -p tcp -m state --state RELATED -j ACCEPT
    # ---------------------------- COMMENTS -----------------------------
    # The two lines above can only be used on a machine that does NAT,
    # since '--state RELATED' is only available to NAT functions.
    iptables -t filter -A INPUT -p tcp -m multiport --dports 1024:65535 -s 192.168.1.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
    # ---------------------------- COMMENTS -----------------------------
    # -t indicates the filter table [this is *optional*: filter is the default]
    # -A 'A'dd rule to INPUT
    # this is *required* here, since we suppose FTP is in PASSIVE mode
    # -p tcp for 'p'rotocol TCP
    # -m multiport defines the modifier for multiple ports
    # --dports defines the authorized destination ports
    # -s defines the 'authorized' (source) network
    # -m state defines the state modifier for 'state'ful packet filtering
    # --state defines stateful filtering for NEW and ESTABLISHED connections
    # -j final decision/target (ACCEPT)
    #
    # Please note that these rules are necessary, since FTP uses random
    # connections in terms of ports.

    # Defining policies for DNS [1] -------------------------------------
    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
    # ---------------------------- COMMENTS -----------------------------
    # -t indicates the filter table [this is *optional*: filter is the default]
    # -A 'A'dd a rule to INPUT
    # -p udp for 'p'rotocol UDP
    # --dport for destination port 53 (DNS)
    # -j final decision: ACCEPT
    # This rule is for the incoming DNS connections.

    # Defining policies for DNS [2] -------------------------------------
    iptables -t filter -A OUTPUT -p udp --sport 53 -j ACCEPT
    # ---------------------------- COMMENTS -----------------------------
    # -t indicates the filter table [this is *optional*: filter is the default]
    # -A 'A'dd a rule to OUTPUT
    # -p udp for 'p'rotocol UDP
    # --sport for source port 53 (DNS)
    # -j final decision: ACCEPT
    # This rule is for the outgoing DNS connections.

SWITCHING FROM EXT2FS TO EXT3FS
===============================

Use the command 'tune2fs' to switch an ext2fs filesystem or partition to the
ext3fs filesystem. The easiest way to do this is to use a Live CD, such as
Knoppix, to boot the system and start tune2fs on the target partitions.

RESCUING A MANGLED SYSTEM
=========================

Boot on a 'live CD', such as Knoppix or an installation CD.
Open a (root) shell.
Mount the '/' (root) partition of the mangled installation:
    mount /dev/hda2 /mnt
Mount '/proc':
    mount -t proc proc /mnt/proc
Launch a shell, using the correct root:
    chroot /mnt /bin/bash
Re-install 'lilo':
    lilo
Exit the shell.
Unmount the partitions.
Restart.

STOPPING AND STARTING SERVICES
==============================

As root, use:
    /etc/init.d/<service> [start|stop]

For instance:

    gil@vortex:~$ sudo /etc/init.d/samba stop
    Stopping Samba daemons: nmbd smbd.
    gil@vortex:~$ sudo /etc/init.d/exim4 stop
    Stopping MTA: exim4.

MODIFYING THE NETWORK INTERFACE REAL QUICK
==========================================

As root, edit the file named:
    /etc/network/interfaces
And modify at will! For instance, this is a valid interfaces file:

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).
    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    # iface eth0 inet dhcp
    iface eth0 inet static
        address 192.168.1.3
        netmask 255.255.255.0
        gateway 192.168.1.1

After modifying the file, enter the following command to apply the changes:

    gil@vortex:~$ sudo /etc/init.d/networking restart

    ********  In '/etc/network/interfaces', the line:
    * NOTE *      auto eth0
    ********  should *ALWAYS* be uncommented!!

JUST IN CASE YOU NEED DNS SERVERS
=================================

Here are two of the wanadoo.fr DNS servers:

    nameserver 193.252.19.3
    nameserver 193.252.19.4

HOW TO SAVE THE MBR OF A HARD DISK
==================================

    dd if=/dev/hda count=1 of=/home/user/save.mbr

count = 1 block (512 bytes)

EDITING THE BOOT SEQUENCE
=========================

    /etc/inittab

This file contains the entire boot sequence for Debian.

DISPLAYING THE CURRENT RUN LEVEL
================================

Simply type:

    gil@vortex:~$ sudo runlevel
    N 2

'man runlevel' for more information.

DISPLAYING THE DEBIAN VERSION
=============================

    cat /etc/debian_version

    gil@vortex:~$ cat /etc/debian_version
    3.1

MODIFYING THE ROOT PASSWORD UNDER RED HAT
=========================================

Under LILO, press ESC+TAB, enter 'linux single' at the prompt.
--> ROOT prompt without a password!
--> To be tested under Slackware [Tested: does not work].

BOOTING SINGLE MODE WITH GRUB
=============================

Wait to see the GRUB screen, then press up/down to stop the timer.
Press 'e' to edit the boot sequence, then select the kernel to be launched.
Press 'e' again on the kernel and add 'single' at the end of the kernel line.
Press 'b' to boot the kernel in single-user mode.

LOADING A KEYBOARD MAP IN AN EMERGENCY
======================================

    loadkeys <map>

In a pinch, entering the following command should work:

    loadkeys fr

MODIFYING THE GRUB CONFIGURATION
================================

Check /boot/grub/menu.lst. From this file:

    # menu.lst - See: grub(8), info grub, update-grub(8)
    #            grub-install(8), grub-floppy(8),
    #            grub-md5-crypt, /usr/share/doc/grub
    #            and /usr/share/doc/grub-doc/.

Here is an example of a valid/working menu.lst file for grub:

    title   Debian GNU/Linux, kernel 2.4.27-2-386
    root    (hd0,0)
    kernel  /boot/vmlinuz-2.4.27-2-386 root=/dev/hde1 ro
    initrd  /boot/initrd.img-2.4.27-2-386
    savedefault
    boot

    title   Debian GNU/Linux, kernel 2.4.27-2-386 (recovery mode)
    root    (hd0,0)
    kernel  /boot/vmlinuz-2.4.27-2-386 root=/dev/hde1 ro single
    initrd  /boot/initrd.img-2.4.27-2-386
    savedefault
    boot

    title   Debian GNU/Linux, kernel 2.4.31
    root    (hd0,0)
    kernel  /boot/vmlinuz-2.4.31 root=/dev/hde1 ro
    initrd  /boot/initrd-2.4.31
    savedefault
    boot

    title   Debian GNU/Linux, kernel 2.6.12
    root    (hd0,0)
    kernel  /boot/vmlinuz-2.6.12 root=/dev/hde1 ro
    initrd  /boot/initrd-2.6.12
    savedefault
    boot

For 'lilo', you should check /etc/lilo.conf, of course. (lilo is used in
Debian < 3.1r0, Slackware, etc.)

CONFIGURATION AND UPDATING THE INIT SEQUENCE OF A DEBIAN MACHINE
================================================================

    update-rc.d <name> start <NN> <run levels> . stop <NN> <run levels> .

Please note the '.' at the end of the run level lists. 'man update-rc.d'
for more information. For instance [please note this is entered as root]:

    vortex:~# update-rc.d message.sh start 18 1 2 3 4 5 . stop 18 0 6 .
     Adding system startup for /etc/init.d/message.sh ...
       /etc/rc0.d/K18message.sh -> ../init.d/message.sh
       /etc/rc6.d/K18message.sh -> ../init.d/message.sh
       /etc/rc1.d/S18message.sh -> ../init.d/message.sh
       /etc/rc2.d/S18message.sh -> ../init.d/message.sh
       /etc/rc3.d/S18message.sh -> ../init.d/message.sh
       /etc/rc4.d/S18message.sh -> ../init.d/message.sh
       /etc/rc5.d/S18message.sh -> ../init.d/message.sh
    vortex:~#

Please note:

    update-rc.d -f <name> remove

The above command (entered as root) will force the removal of a service from
the init sequence of a Debian machine.
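Back to the iptables script of the IPTABLES FIREWALLING section: the note there says to design the firewall on paper before writing the script, and linting the script before running it catches the typos that are easy to make (a lower-case '-p' for the '-P' policy, REJECT used as a policy, '-dport' with one dash, '-s udp' where '-p udp' was meant, a mis-cased table or chain name). The following checker is an added example, not part of these notes; the SCRIPT text it checks is constructed, and only the built-in chains are recognised.

```python
"""Lint an iptables script before it is run (IPTABLES FIREWALLING, sections
1/ to 5/).  Added example, not part of the original notes.  The SCRIPT text
below is constructed and deliberately repeats the typos a first draft often
contains: '-p' instead of '-P' for a policy, REJECT as a policy, '-dport'
with one dash, and '-s udp' where '-p udp' was meant.
"""
import shlex

TABLES = {"filter", "nat", "mangle"}
# Built-in chains only; user-defined chains are not checked here.
CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
POLICIES = {"ACCEPT", "DROP"}             # REJECT is a target, not a policy
NAT_ONLY = {"DNAT", "SNAT", "MASQUERADE"}
LONG_OPTS = {"--dport", "--sport", "--dports", "--sports", "--state",
             "--to-source", "--to-destination"}

SCRIPT = """\
iptables -t filter -F
iptables -p INPUT REJECT
ipt ables -P OUTPUT REJECT
""".replace("ipt ables", "iptables") + """\
iptables -t filter -A OUTPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p tcp -dport 21 -s 192.168.1.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -s udp --sport 53 -j ACCEPT
iptables -t Filter -A input -p tcp --dport 22 -j DNAT
"""


def lint_rule(line):
    """Return the list of problems found in one iptables command line."""
    problems = []
    toks = shlex.split(line, comments=True)    # drops '# ...' comments
    if not toks or toks[0] != "iptables":
        return problems
    table, proto, modules = "filter", None, set()
    for i, tok in enumerate(toks[1:], 1):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-t":
            if nxt not in TABLES:
                problems.append("unknown table %r (use lower-case filter/nat/mangle)" % nxt)
            table = (nxt or "").lower()
        elif tok == "-p":
            if nxt in CHAINS:
                problems.append("'-p %s' selects a protocol; a chain policy needs "
                                "upper-case '-P %s'" % (nxt, nxt))
            else:
                proto = nxt
        elif tok == "-P":
            policy = toks[i + 2] if i + 2 < len(toks) else None
            if nxt not in CHAINS:
                problems.append("policy on unknown chain %r" % nxt)
            if policy not in POLICIES:
                problems.append("a chain policy must be ACCEPT or DROP, not %r" % policy)
        elif tok in ("-A", "-I", "-D") and nxt not in CHAINS:
            problems.append("chain %r is not a built-in chain (chain names are upper-case)" % nxt)
        elif tok == "-s" and nxt in ("tcp", "udp", "icmp"):
            problems.append("'-s %s' is a source address; the protocol is selected "
                            "with '-p %s'" % (nxt, nxt))
        elif tok == "-m":
            modules.add(nxt)
        elif tok == "--state" and "state" not in modules:
            problems.append("'--state' must be preceded by '-m state'")
        elif tok in ("--dport", "--sport") and proto not in ("tcp", "udp"):
            problems.append("'%s' needs '-p tcp' or '-p udp' before it" % tok)
        elif tok in ("--dports", "--sports") and "multiport" not in modules:
            problems.append("'%s' needs '-m multiport' before it" % tok)
        elif tok == "-j":
            if table == "filter" and nxt in NAT_ONLY:
                problems.append("target %s is only valid in the nat table" % nxt)
            if table == "nat" and nxt == "REJECT":
                problems.append("target REJECT is only valid in the filter table")
        elif "-" + tok in LONG_OPTS:
            problems.append("option %r has a single dash; it should be '-%s'" % (tok, tok))
    return problems


def lint_script(text):
    """Lint every line of a script; returns [(line number, problem), ...]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for problem in lint_rule(line):
            findings.append((lineno, problem))
    return findings


if __name__ == "__main__":
    for lineno, problem in lint_script(SCRIPT):
        print("line %d: %s" % (lineno, problem))
```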
BASIC APT-GET CONFIGURATION AND USAGE
=====================================

    apt-setup                         To configure apt-get
    apt-cache search <package>        To search for a given package
    apt-cache show <package>          To display more information on a given package
    apt-get install <package>         To install a given package
    apt-get remove <package>          To un-install a given package
    apt-get remove --purge <package>  To remove a given package AND its configuration files
    apt-get update                    To update the package lists to the latest version
    apt-get upgrade                   To upgrade all packages already installed
    dpkg -l | less                    To display the installed packages

Please note: to 'upgrade', always do an 'update' first!

    /etc/apt/sources.list   Edit this file to configure apt-get more completely.
    /var/cache/apt/         Contains the cache files for apt-get.

CONFIGURATION OF THE XFREE86 SERVER
===================================

The following command restarts the configuration of the XFree86 server:

    dpkg-reconfigure xserver-xfree86

This is in case something went wrong the first time... :-)

HOW TO CONFIGURE AND RECOMPILE A KERNEL UNDER DEBIAN
====================================================

1/ Check the hardware configuration

    lspci -vv
    cat /proc/cpuinfo

2/ Check the apt-get configuration

    apt-setup

3/ Download & install the required packages (all on one line):

    sudo apt-get install kernel-package debianutils dpkg-dev libc6-dev libncurses5-dev gcc make bin86

4/ Configure the kernel

    cd /usr/src/linux-<version>
    make menuconfig
or:
    make xmenuconfig

In menuconfig:

    [ ]  Indicates a function in the kernel.
    < >  Indicates a function in the kernel or in a module:
           < > = not selected, <*> = in kernel, <M> = in module.

For each function, press the space bar to select or remove the selected
function.

    -->  Indicates a sub-menu. Press Enter to display, or Esc to exit the
         sub-menu.

5/ Use: Save configuration to an alternate file
   For instance: kern2.4.31
   Then save anyway.

6/ Type as root:

    make dep
    make clean
    make bzImage
    make modules
    make modules_install
    make install      or:   cp -v ./arch/i386/boot/bzImage /boot/kern-<version>

The commands 'make install' and 'cp -v' are equivalent.

Also possible, all on one line:

    make dep && make clean && make bzImage && make modules && make modules_install && make install && cp -v ./arch/i386/boot/bzImage /boot/kern-<version>

If a RAM disk has been configured in the kernel, you should also launch this
command as root:

    mkinitrd -o /boot/initrd-2.4.31

The above line, for instance, is for a kernel 2.4.31.

7/ Declare the kernel in lilo as root:

    lilo

    ***********
    * WARNING *  This will prevent you from loading the old kernel.
    ***********

or: edit /etc/lilo.conf by hand and add the lines to boot the new kernel.
or: modify the grub configuration as shown above. For instance:

    title   Debian GNU/Linux, kernel 2.4.31-1-386
    root    (hd0,0)
    kernel  /boot/vmlinuz-2.4.31-1-386 root=/dev/hde1 ro
    initrd  /boot/initrd.img-2.4.31-1-386
    savedefault
    boot

8/ Reboot the 'puter and enjoy your new kernel (hopefully).

KERNEL MODULES CONFIGURATION
============================

Debian offers a utility to configure the kernel modules. Simply type, as
root:

    modconf

INSTALLATION OF BIND UNDER DEBIAN
=================================

To install BIND under Debian, do not forget to install the following
packages:

    apt-get install bind9 bind9-host bind9-doc dnsutils

CONFIGURATION OF THE DNS CLIENT
===============================

Historical information: http://en.wikipedia.org/wiki/DNS

This configuration is done through one file:
    /etc/resolv.conf

In this file, the 'search' line indicates the default search domain, and the
'nameserver' lines indicate the machines that should be queried by default.
Please note that the best way to do this is to save the existing resolv.conf
file to resolv.conf.old or resolv.conf.bak first. In resolv.conf, it is also
possible to define a 'domain', which should be equivalent to the 'search'
line.
For instance:

    # gil.info2.cyl has the address 192.168.1.10
    search gil.info2.cyl
    nameserver 192.168.1.10
    domain gil.info2.cyl

The name of the machine is configured in:
    /etc/hostname

If working with a DHCP server, modify the file /etc/dhclient.conf, and make
sure that:

    supersede domain-name         --> is set to the local domain name.
    prepend domain-name-servers   --> is set to the local address of the DNS server.

CONFIGURATION OF THE DNS SERVER
===============================

This configuration is done through the files:

    /etc/bind/named.conf
    /etc/bind/named.conf.options
    /etc/bind/named.conf.local

Stopping/restarting the BIND server is then done with:

    /etc/init.d/bind9 start
    /etc/init.d/bind9 stop

Flushing the DNS cache can be done with the command:

    rndc flush

In the file /etc/bind/named.conf.options, there is a sub-section named
'forwarders' in the section named 'options'. If not, create this
'forwarders' sub-section in order to define forwarders. For instance, here
is a valid forwarders sub-section (note the ';' after each closing brace):

    options {
        forwarders {
            192.168.1.17;
        };
    };

With the lines above, if the local BIND cannot resolve a DNS request, it
will forward the request to the DNS server at address 192.168.1.17.

Delegations are created in the zone file of the parent domain (here
info2.cyl), in almost the same way:

    akli           IN NS  srv-akli.akli.info2.cyl.
    srv-akli.akli  IN A   192.168.1.128

The two lines above create a delegation for the zone named 'akli' to the
server named 'srv-akli' (with an address of 192.168.1.128). The trailing dot
on the NS target marks it as a complete name; without it, BIND appends the
zone origin to the name.

CREATING A REVERSE DNS SERVER
=============================

To create a reverse DNS lookup, enter lines in the following format:

    1.168.192.in-addr.arpa

A reverse DNS requires a master/slave architecture, in which one DNS server
is the 'master' and all others are slaves, which update their copy of the
zone from the master server.
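As an added example that is not part of these notes, the following script builds the data of the reverse zone '1.168.192.in-addr.arpa' for 192.168.1.0/24 from a table of host names and addresses, using the hosts of this section, and generalises to any /8, /16 or /24 network. The SOA contact mailbox, timers and serial are assumed values; every name is written with its trailing dot so that BIND does not append the zone origin to it.

```python
"""Generate the reverse (in-addr.arpa) zone data described in CREATING A
REVERSE DNS SERVER from the forward records of the 192.168.1.0/24 network.
Added example, not part of the original notes: the host names and addresses
are the ones used in the notes, while the SOA mailbox, timers and serial are
assumed values chosen for this example.  Works for any octet-aligned IPv4
prefix (/8, /16 or /24), not only the /24 of the notes.
"""
import ipaddress

# Constructed forward data: address -> fully qualified host name.
HOSTS = {
    "192.168.1.17": "srv-yann.yann.info2.cyl",
    "192.168.1.18": "srv-akli.akli.info2.cyl",
    "192.168.1.36": "srv-franck.franck.info2.cyl",
}


def absolute(name):
    """Append the trailing dot so BIND does not append the zone origin.

    Without it, '17 IN PTR srv-yann.yann.info2.cyl' would point to
    srv-yann.yann.info2.cyl.1.168.192.in-addr.arpa.
    """
    return name if name.endswith(".") else name + "."


def reverse_zone_name(network):
    """'192.168.1.0/24' -> '1.168.192.in-addr.arpa'."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("octet-aligned IPv4 prefix (/8, /16, /24) required")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip, network):
    """Owner name of the PTR record, relative to the reverse zone ('17')."""
    net = ipaddress.ip_network(network, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError("%s is not inside %s" % (ip, network))
    host_octets = str(addr).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host_octets))


def build_reverse_zone(network, nameserver, hosts, serial=2005060201):
    """Return the text of the reverse zone file (e.g. /etc/bind/info2.rev)."""
    ns = absolute(nameserver)
    lines = [
        "$TTL 86400",
        "$ORIGIN %s." % reverse_zone_name(network),
        # SOA: primary server, contact mailbox (assumed), serial,
        # refresh, retry, expire, minimum (assumed timers)
        "@ IN SOA %s hostmaster.info2.cyl. ( %d 28800 3600 604800 43200 )" % (ns, serial),
        "@ IN NS %s" % ns,
    ]
    ordered = sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    for ip, fqdn in ordered:
        lines.append("%s IN PTR %s" % (ptr_owner(ip, network), absolute(fqdn)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_reverse_zone("192.168.1.0/24", "srv-franck.franck.info2.cyl", HOSTS), end="")
```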
On the master server, in the file:
    /etc/bind/named.conf
add the following lines to allow reverse DNS (rDNS):

    // please note that comments should begin with two slashes
    // and not with the pound # sign as in other scripts.
    zone "1.168.192.in-addr.arpa" {
        // the following line indicates this is the master rDNS machine:
        type master;
        file "/etc/bind/info2.rev";
        // prevent slave servers from updating the reverse DNS:
        allow-update { none; };
        // but allow slave servers to transfer rDNS information to local:
        allow-transfer { 192.168.1.0/24; };
    };

On the master server, in the file:
    /etc/bind/db.<domain>
add the following line (or create the file if it does not exist):

    @ IN NS <name server>

For instance:

    @ IN NS srv-franck.franck.info2.cyl.

The above line should be in a file named:
    /etc/bind/db.info2.cyl

Then, pointers should be created for each server/sub-domain (in the reverse
zone file named above, /etc/bind/info2.rev) with:

    <last octet> IN PTR <fully qualified name>.

For instance (note the trailing dots; without them the zone origin is
appended to the name):

    17 IN PTR srv-yann.yann.info2.cyl.
    18 IN PTR srv-akli.akli.info2.cyl.

Finally, the slave servers should add a zone in /etc/bind/named.conf:

    zone "1.168.192.in-addr.arpa" {
        // indicate the local server is a slave:
        type slave;
        // indicate the name of the file:
        file "info2.rev";
        // disallow the update of the file:
        allow-update { none; };
        // indicate the IP address of the master:
        masters { 192.168.1.36; };
    };

RESTARTING THE NETWORK UNDER DEBIAN
===================================

    /etc/init.d/networking restart

MODIFYING THE NSLOOKUP BEHAVIOUR
================================

To search only by domain name, under nslookup, type, at the '>' prompt:

    gil@vortex:~$ nslookup
    > set q=ns
    > gilandre.org
    Server:         193.252.19.3
    Address:        193.252.19.3#53

    Non-authoritative answer:
    gilandre.org    nameserver = full1.gandi.net.
    gilandre.org    nameserver = full2.gandi.net.

    Authoritative answers can be found from:
    > gilandre.net
    Server:         193.252.19.3
    Address:        193.252.19.3#53

    Non-authoritative answer:
    gilandre.net    nameserver = ns1.access.net.
    gilandre.net    nameserver = ns2.access.net.

    Authoritative answers can be found from:
    >

The command 'set q=ns' means: set query = name server. Other commands to try
are 'set q=soa' or 'set q=a'.

    > set q=soa
    > gilandre.org
    Server:         193.252.19.3
    Address:        193.252.19.3#53

    Non-authoritative answer:
    gilandre.org
            origin = full1.gandi.net
            mail addr = hostmaster.gandi.net
            serial = 2004081301
            refresh = 28800
            retry = 3600
            expire = 604800
            minimum = 43200

    Authoritative answers can be found from:
    > gilandre.net
    Server:         193.252.19.3
    Address:        193.252.19.3#53

    Non-authoritative answer:
    gilandre.net
            origin = panix.com
            mail addr = hostmaster.access.net
            serial = 2005060202
            refresh = 3600
            retry = 300
            expire = 3600000
            minimum = 900

    Authoritative answers can be found from:
    > set q=a
    > gilandre.net
    Server:         193.252.19.3
    Address:        193.252.19.3#53

    Non-authoritative answer:
    Name:   gilandre.net
    Address: 166.84.62.124
    Name:   gilandre.net
    Address: 166.84.62.252
    >

SETTING UP A DHCP SERVER UNDER DEBIAN
=====================================

A DHCP 'range' contains:

    IP address range
    DNS suffix
    Gateway
    DNS servers
    IP reservation [always attribute the same address]

Usually, DHCP ranges are attributed to separate physical networks. Logical
sub-networks can be problematic for DHCP servers, since their behaviour by
default is 'random' (the same machine can receive different DHCP addresses).

1/ Installation of a DHCP server under Debian:

    gil@vortex:~$ sudo apt-get install dhcp3-server

Don't forget to stop the DHCP server immediately:

    gil@vortex:~$ sudo /etc/init.d/dhcp3-server stop

2/ Under Debian, the configuration file for the DHCP server is:
    /etc/dhcp3/dhcpd.conf

The first parameter is:

    ddns-update-style none;       Dynamic update of the DNS server.

The following parameters are:

    option domain-name            Name of the local domain.
    option domain-name-servers    Name of the DNS servers.
    default-lease-time            Default lease time (in seconds).
    max-lease-time                Maximum lease time (in seconds).
[The maximum lease time can be greater than the default, to allow a
machine to keep an IP address.]

[The following line opens a 'section', which is a network managed by the
local DHCP server. Please note the '{', which indicates the beginning of
the section.]

  subnet 192.168.1.0 netmask 255.255.255.0 {
      option routers 192.168.1.1;
      range 192.168.1.200 192.168.1.250;
  }

For instance:

  ddns-update-style none;
  option domain-name "service.stratinfo.si";
  option domain-name-servers 192.168.1.13;
  default-lease-time 60;
  max-lease-time 60;

  subnet 192.168.1.0 netmask 255.255.255.0 {
      option routers 192.168.1.1;
      range 192.168.1.200 192.168.1.250;
  }

Please note the ';' at the end of each statement. Here the domain name is
"service.stratinfo.si" and the DNS server is set to the local machine.
The lease timers are both set to 60 seconds. This is for testing purposes
only -- a normal network would use much higher values.

3/ To always assign the same address to a given machine:

  host <name> {
      hardware ethernet <MAC address>;
      fixed-address <IP address>;
  }

4/ Displaying the information of a running DHCP server:

  cat /var/lib/dhcp3/dhcpd.leases

SETTING UP NFS ON A DEBIAN MACHINE
==================================

NFS = Network File System.

NFS is based on RPC (Remote Procedure Call), a protocol situated in the
'application' layer of the TCP/IP stack:

  +-------------+
  | Application |  <---- RPC / NFS
  +-------------+
  |  TCP / UDP  |
  +-------------+
  |     IP      |
  +-------------+
  |  Physical   |
  +-------------+

NFS uses a program called 'port mapper' (or 'portmap') to function.
Port mapper, in turn, uses TCP and UDP port 111.

To see if portmapper is working on your machine, enter:

  netstat -altupn | grep 111
  netstat -altu
  rpcinfo -p localhost

For instance:

  gil@vortex:~$ sudo rpcinfo -p localhost
     program vers proto   port
      100000    2   tcp    111  portmapper
      100000    2   udp    111  portmapper
      100024    1   udp    680  status
      100024    1   tcp    683  status

In the example above, portmapper & status are the two programs that will
be used by NFS.

(For reference...
NFS over SSH: http://blogs.sun.com/shepler/20050207 )

1/ Installation of NFS over Debian:

  apt-get install nfs-kernel-server

2/ Configuration of NFS over Debian:

This configuration is done in the file named: /etc/exports
Information on this file is in the man page: man 5 exports

First create the shared directory. For instance:

  sudo mkdir /home/nfs_share
  sudo chmod -v 777 /home/nfs_share

Then declare the shared directory in /etc/exports. For instance:

  /home/nfs_share 192.168.1.0/24(ro,sync)

The general form of a line is:

  /<directory> <host or network>(<permissions>,<sync or async>)

  permissions: ro=read only, rw=read/write
  sync/async: 'async' offers better performance, but could also mean
  data loss if the NFS connection is lost.

Please note that, if several addresses need to be indicated, they should
be on the same line, separated by spaces or tabs. For instance:

  /home/nfs_share 192.168.1.0/24(ro,sync) 192.168.1.20(rw,sync)

In the case shown above, /home/nfs_share can be accessed in two ways:

  from any machine on the network 192.168.1.0 (255.255.255.0), with
  read-only and synchronous connections;

  from the machine 192.168.1.20, with read/write permissions and
  synchronous connections.

It is also possible to configure NFS to accept hostnames instead of IP
addresses. For instance:

  /home/nfs_share *.stratinfo.com(rw,sync)

Or, more specifically:

  /home/nfs_share srv-james.stratinfo.com(rw,sync)

Please note that this means the machine 'srv-james' in the domain
'stratinfo.com' must be resolvable through a DNS server. This also means
the server should be able to do reverse DNS (IP <-> FQDN).

3/ Start the NFS server:

  /etc/init.d/nfs-kernel-server start

(make sure the file /etc/exports is saved first...)

  *********  NFS servers should unmount the client shares
  * NOTE: *  before being restarted. Otherwise, clients
  *********  may go into a loop!
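As an added example that is not part of these notes: a small POSIX shell reviewer for /etc/exports lines in the format above (the exports text it reads is constructed for the demonstration), reporting each directory/client pair and flagging the settings worth re-checking, such as read/write access granted to a whole network or to a wildcard client.

```shell
#!/bin/sh
# Added example, not from the original notes: review /etc/exports entries
# written in the "<dir> <client>(<options>) ..." format described above and
# flag the ones that deserve a second look before the share goes live.
set -f    # no pathname expansion: a '*' client must stay a literal '*'

# Constructed sample exports text (same layout as the examples above).
SAMPLE_EXPORTS='# constructed sample
/home/nfs_share   192.168.1.0/24(ro,sync) 192.168.1.20(rw,sync)
/srv/anon         *(rw,sync,all_squash,anonuid=501,anongid=505)
/home/backup      192.168.1.0/24(rw,async,no_root_squash)'

# review_exports: read exports text on stdin and print one line per
# directory/client pair: "<dir> <client> <ro|rw> [WARN: reason; ...]".
# With no rw option an export is read-only, the exports(5) default.
review_exports() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
    while read -r dir clients; do
        for entry in $clients; do
            client=${entry%%\(*}            # part before '('
            if [ "$client" = "$entry" ]; then
                opts=''                     # no option list at all
            else
                opts=${entry#*\(}; opts=${opts%\)}
            fi
            mode=ro
            case ",$opts," in *,rw,*) mode=rw ;; esac
            warn=''
            case "$client" in \*|\*.*)
                warn="$warn wildcard client;" ;; esac
            case ",$opts," in *,no_root_squash,*)
                warn="$warn root squashing disabled;" ;; esac
            case ",$opts," in *,async,*)
                warn="$warn async (data loss if the server crashes);" ;; esac
            case "$client:$mode" in */*:rw)
                warn="$warn rw to a whole subnet;" ;; esac
            if [ -n "$warn" ]; then
                printf '%s %s %s WARN:%s\n' "$dir" "$client" "$mode" "$warn"
            else
                printf '%s %s %s\n' "$dir" "$client" "$mode"
            fi
        done
    done
}

# Stand-alone run: review the constructed sample.
printf '%s\n' "$SAMPLE_EXPORTS" | review_exports
```

To review the real file, pipe it in instead: `review_exports < /etc/exports`.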
Then, check the NFS server with the command:

  rpcinfo -p localhost

You should have the following:

  gil@vortex:~$ sudo rpcinfo -p localhost
     program vers proto   port                [for more information:]
      100000    2   tcp    111  portmapper
      100000    2   udp    111  portmapper
      100024    1   udp    680  status        man rpc.statd
      100024    1   tcp    683  status        < In charge of reconnection.
      100003    2   udp   2049  nfs           man rpc.nfsd
      100003    3   udp   2049  nfs           < Daemon in charge of data
      100003    2   tcp   2049  nfs           < transfer between client
      100003    3   tcp   2049  nfs           < and server.
      100021    1   udp   1856  nlockmgr      man rpc.lockd
      100021    3   udp   1856  nlockmgr      < Daemon in charge of locking
      100021    4   udp   1856  nlockmgr      < files.
      100021    1   tcp   1976  nlockmgr
      100021    3   tcp   1976  nlockmgr
      100021    4   tcp   1976  nlockmgr
      100005    1   udp    958  mountd        man rpc.mountd
      100005    1   tcp    961  mountd        < In charge of mounting and
      100005    2   udp    958  mountd        < checking permissions.
      100005    2   tcp    961  mountd
      100005    3   udp    958  mountd
      100005    3   tcp    961  mountd

4/ Create an NFS mount point on the local disk.

This is the directory where the shared NFS directories of other machines
will be mounted on the local machine.

5/ Mount the NFS shared directories!

With the command (as root):

  mount -v -o soft -t nfs <server>:/<shared directory> <local mount point>

Please note that the command above mounts the NFS share as 'soft', which
is usually safer than 'hard' mounts.

For instance:

  mount -v -o soft -t nfs 192.168.1.20:/partage /mnt/nfs

Or:

  sudo mount -v -o soft -t nfs 192.168.1.20:/partage /mnt/nfs

The command should return a message such as:

  gil@vortex:~$ sudo mount -v -o soft -t nfs 192.168.1.20:/partage /mnt/nfs
  Password:
  192.168.1.20:/partage on /mnt/nfs type nfs (rw,soft,addr=192.168.1.20)

Normal commands are possible after this:

  gil@vortex:~$ cd /mnt/nfs/
  gil@vortex:/mnt/nfs$ ls -alh
  total 7.0K
  drwxrwxrwx 2 root root 1.0K 2005-06-30 14:34 .
  drwxr-xr-x 4 root root 4.0K 2005-06-30 14:01 ..
  -rw-r--r-- 1 gil  gil    16 2005-06-30 14:34 grosnichon.com
  -rw-r--r-- 1 gil  gil     4 2005-06-30 14:34 vivagelbiensur

6/ Reload the configuration while NFS is working:

Use the command (as root):

  gil@vortex:~$ sudo exportfs -a

7/ Notes.

NFS uses 'squashing' to prevent files from being created as 'root' in an
NFS share. Squashing means that files created as 'root' on an NFS share
will be chown'ed to 'nobody'/'nogroup'.

To disable squashing (bad idea!) add the option 'no_root_squash' to the
/etc/exports file:

  /home/nfs_share 192.168.1.0/24(rw,sync,no_root_squash)

Alternatively, it is possible to squash everyone with:

  /home/nfs_share 192.168.1.0/24(rw,sync,all_squash,anonuid=501,anongid=505)

In the example shown above, all users will be squashed, but to the
anonymous UID 501 and the anonymous GID 505. This option allows the
creation of an 'anonymous' NFS server.

Remember that NFS does not use encryption to establish connections
(this is true for NFS v3; NFS v4 will include more security measures).
Authentication via Kerberos, NIS, NIS+, LDAP, or LDAP+Kerberos is
strongly recommended.

For Windows, download the free "Services for Unix" (SFU). :-)

INSTALLATION OF SAMBA
=====================

Just enter:

  apt-get install samba
  apt-get install samba-doc
  apt-get install samba-swat

The package 'samba-swat' will install a graphical management interface
for Samba, available with an HTML browser.

SOME INFORMATION ON SAMBA
=========================

  http://fantasyzone.free.fr
  http://www.linux-france.org/~eprigent
  http://christian.caleca.free.fr

And, of course:

  http://www.samba.org

See: the Samba How-To Collection.

In NetBIOS, the first machine running is the Master Explorer (the
'master browser'). This machine will then accept other machines, based on
their addresses and names. Other computers will try to either steal the
Master Explorer role, or, failing that, will renew their leases with the
Master Explorer. Samba will behave as a normal NetBIOS computer.

Samba daemons:

  NetBIOS = Name resolution.
    (daemon: nmbd)
  SMB = Server Message Block.
    (daemon: smbd)

SMB is used to transfer files and to authenticate.

Samba keeps its own list of users to allow users to access UNIX disks.
Two users must be created for Samba to work: the UNIX user and the Samba
user. However, the UNIX user can be deactivated and his/her shell set to
/bin/false. Authentication can be provided by a local service, or by
LDAP, for instance.

Create a Samba user with 'smbpasswd'. Type 'man smbpasswd' for more
information.

Within a domain, the domain controller is also the Master Explorer. This
domain controller can be configured with WINS, the name resolution
service for Windows domains.

If the Windows domain contains several different versions of Windows, the
most recent version of Windows will automatically become domain
controller. This is determined by the "OS Level":

  Windows version    OS Level
  ===============    ========
  95, 98, ME               8
  NT4 WK                  16
  2000 Pro                32
  NT4 SRV                 64
  XP/XP Pro               96
  2000 SRV               128
  2003 SRV             > 128

[Under XP Pro, deactivate the service named 'Network Explorer' to avoid
having XP Pro machines grab the Master Explorer role...]

Under Samba, the OS level can be configured by the administrator... :-)

A Samba machine is, by default, an autonomous server, but it can become
a domain controller. This requires an additional account to be created,
both within UNIX and within Samba.

For instance, within the file '/etc/samba/smb.conf':

  [global]
  # [global] is the section of smb.conf that should be modified.
  local master = yes              # samba machine is local master
  preferred master = yes          # samba machine is preferred master
  domain logons = yes             # authorize logons from the domain
  os level = 128                  # os level to override most XPs
  unix password sync = yes        # synchronize UNIX/samba passwords
  passwd program = /usr/bin/passwd %u
                                  # program used to change the password
  passwd chat =                   # see /etc/samba/smb.conf
  logon script = logon.bat        # script to be run on logon
  # add a completely empty user account for each machine
  add machine script = useradd -s /bin/false -d /dev/null -g nogroup %u
  # -s /bin/false = no shell
  # -d /dev/null  = no home dir
  # -g nogroup    = no dedicated group (the account goes in 'nogroup')
  # allow user 'root' to connect to the Samba domain controller
  # invalid users = root

With this type of configuration, it is necessary to create a 'root' user
in Samba, to 'map' the UNIX root user and to be able to add machines to
the Windows domain. To do this, use the command:

  smbpasswd -a root

Creating groups under Samba:

It is necessary to 'map' the Windows SID and the UNIX GID.
SIDs are assigned a random number, except for 'built-in' groups (such as
Administrators, Backup Operators, etc.), which have a fixed number (called
the RID) at the end of their SID:

  S-1-5-21-....-XXX
  |<--------->|<->|
    Server ID   RID
  |<------------->|
         SID

Possible RID values are:

  Value:    User type:
  ======    ===========
  512       Domain Administrators
  513       Domain Users
  514       Domain Guests

To display the SID (on the UNIX machine), type the command:

  net getlocalsid

To display the names of the local groups (on the UNIX machine), use the
command:

  net groupmap list

To create groups under Samba, first create UNIX groups with the 'groupadd'
command; then, map UNIX groups and Windows groups with the following
commands:

  net groupmap modify ntgroup="Domain Admins" unixgroup=admins
  net groupmap modify ntgroup="Domain Users" unixgroup=users
  net groupmap modify ntgroup="Domain Guests" unixgroup=guests

Or (see 'man net' for the arguments):

  net groupmap add

To display all group mappings, look in the directory:

  /var/lib/samba

Security under Samba:

In the [global] section, check the following lines:

  hosts allow = 192.168.1.0/24
  hosts deny = 192.168.1.1
  invalid users = root @guests
  valid users = samba @admins @users
  # Please note that group names are preceded with a @ character.
  # The parameters above apply to the *login* and not to the shared disks.

In the [share] section, check the following lines:

  read list = @users      # Give the group 'users' read rights on the share.
  write list = @admins    # Give the group 'admins' write rights on the share.
  # The following 4 parameters short-circuit the UNIX permissions:
  create mask = 666       # UNIX permission mask for new files.
  directory mask = 777    # UNIX permission mask for new directories.
  # Optional:
  force user = samba      # Force new files/dirs to belong to user 'samba'.
  force group = users     # Force new files/dirs to belong to group 'users'.

FTP UNDER DEBIAN
================

1/ Reminder:

FTP listens on port 21 (control channel). FTP requires the user to
authenticate (name/password). As soon as advanced commands are used, a
data channel is opened.
FTP servers can work either in 'active' or in 'passive' mode.

Active mode: the server connects to the client's port of the data
channel (data channel port > 1024). Problem: this is very risky in terms
of security...

Passive mode: the client connects to the server's port of the data
channel.

2/ Installation of ProFTPd:

  sudo apt-get install proftpd proftpd-doc

Then, check the installation with:

  sudo netstat -altp | grep ftp

You may need to install a text-only ftp client as well:

  sudo apt-get install ftp

Then test ProFTPd by using the ftp client to log in on the local machine.

3/ Configuration of ProFTPd:

For the ProFTPd server, the connections are managed by inetd/xinetd.
The configuration file is:

  /etc/proftpd.conf

Some interesting lines in this configuration file (with comments!):

  ServerType         inetd         # launch with inetd or standalone
  MultilineRFC2228   on            # use RFC2228 style messages
  ShowSymlinks       on            # show symbolic links or not
  TimeoutNoTransfer  600           # cut connection if no transfer (in sec.)
  TimeoutStalled     600           # cut connection if problem (in sec.)
  TimeoutIdle        1200          # cut connection if no command (in sec.)
  DisplayLogin       welcome.msg   # welcome message file
  DisplayFirstChdir  .message      # directory message file
  # Port 21 is the standard FTP port.
  Port               21
  MaxInstances       30            # max. number of clients (standalone only)
  DefaultRoot        ~             # limit the user to their 'home' dir.

Launching the ProFTPd server through inetd/xinetd has one advantage: the
ProFTPd process does not need to be restarted if the configuration file
is modified, since inetd/xinetd launches independent processes, which
then load the config file.

4/ Anonymous context of the ProFTPd configuration.

The 'anonymous' context is a part of the /etc/proftpd.conf file, which is
written in an XML-like syntax. This defines special parameters that apply
ONLY to anonymous connections to ProFTPd.
For instance:

  #  # Limit WRITE everywhere in the anonymous chroot
  #  <Limit WRITE>
  #    DenyAll
  #  </Limit>

The lines shown above limit the extent of the 'write' operation in all
directories of the anonymous chroot of the ProFTPd server. There are
sub-contexts like this one in the general XML-like context <Anonymous>,
to control who can 'put' files on the FTP server. These contexts are
commented out with the '#' comment character. Removing these characters
activates the functions.

5/ Filtering FTP traffic with inetd/xinetd.

The best way to filter FTP traffic is to go through tcp wrappers. This
allows the system to authorize/deny access to the ftp process. The two
configuration files are:

  /etc/hosts.allow
  /etc/hosts.deny

This configuration is usually done in /etc/hosts.deny by entering:

  ALL:ALL

Once everything has been denied with the above line, enter in
/etc/hosts.allow:

  proftpd: 192.168.1.0/24
  sshd:    192.168.1.0/24

Please note that, by default, proftpd does not use hosts.allow and
hosts.deny if it is used as standalone. The inetd/xinetd manager is
required to use tcp wrappers with ProFTPd. On the other hand, 'sshd' is
always compiled with tcp wrappers support by default.
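As an added example, not from these notes: a POSIX shell replay of the tcp wrappers decision for the hosts.allow/hosts.deny entries above, so the combined effect of the two files can be checked without a client. The file contents are constructed inline, and the verdict only holds for daemons that actually consult libwrap (proftpd under inetd/xinetd, or sshd), as explained above.

```shell
#!/bin/sh
# Added example, not from the original notes: replay the tcp wrappers
# decision with the order libwrap uses (hosts.allow match -> allow,
# else hosts.deny match -> deny, else allow). Both files are constructed
# inline with the entries shown above; only the forms used there are
# understood (ALL, one IPv4 address, address/prefix), not the full
# hosts_access(5) syntax.
HOSTS_ALLOW='proftpd: 192.168.1.0/24
sshd: 192.168.1.0/24'
HOSTS_DENY='ALL:ALL'
# ip_to_int A.B.C.D -> the address as a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_matches PATTERN IP -> true if PATTERN covers IP.
client_matches() {
    case "$1" in
        ALL) return 0 ;;
        */*) net=${1%/*}; bits=${1#*/}
             mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
             [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# file_matches FILETEXT DAEMON IP -> true if a "daemons: clients" line
# names DAEMON (or ALL) and one of its clients covers IP.
file_matches() {
    found=$(printf '%s\n' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
        while IFS=: read -r daemons clients; do
            for d in $daemons; do
                [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
                for c in $clients; do
                    if client_matches "$c" "$3"; then echo match; exit 0; fi
                done
            done
        done)
    [ "$found" = match ]
}

# wrappers_decision DAEMON IP -> prints "allow" or "deny".
wrappers_decision() {
    if file_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif file_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow; fi
}

# Stand-alone run: FTP inside/outside the LAN, sshd, and a daemon with no
# hosts.allow entry (caught by ALL:ALL).
for probe in 'proftpd 192.168.1.20' 'proftpd 10.0.0.5' 'sshd 192.168.1.254' 'telnetd 192.168.1.20'; do
    set -- $probe
    printf '%-8s %-15s %s\n' "$1" "$2" "$(wrappers_decision "$1" "$2")"
done
```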