Documente Academic
Documente Profesional
Documente Cultură
Printing
Artland Communications, Lahore. September 2006
Published by
Pakistan Software Export Board
Disclaimer
This toolkit is published by the PSEB for members of the IT industry and the public-at-large.
The toolkit’s compilers, or the editor, are not responsible, in any way possible, for the
errors/omissions of this toolkit. The OSRC does not accept any liability for any direct and
consequential use of this toolkit or its contents. The contents of this toolkit may be distributed
only subject to the terms and conditions set forth in the Open Publication License v 1.0 or
later. The latest version is presently available at http://opencontent.org/openpub/
i
TABLE OF CONTENTS
INTRODUCTION...............................................................................................................................................1
DOMAIN NAME SYSTEM (DNS)........................................................................................................2
1. NAMED.CONF..............................................................................................................................................3
2. STEP-BY-STEP CONFIGURATION GUIDE..........................................................................................................3
APACHE WEB SERVER ......................................................................................................................8
1. INTRODUCTION TO APACHE.......................................................................................................9
2. INSTALLATION............................................................................................................................................9
2.1. Installing from the rpm..................................................................................................................9
2.2. Installing from the source............................................................................................................10
3. APACHE CONFIGURATION..........................................................................................................................10
3.1. Running Apache...........................................................................................................................11
4. BASICS OF APACHE CONFIGURATION...........................................................................................................11
4.1. Server-wide configuration...........................................................................................................11
4.2. Site-specific configuration...........................................................................................................12
4.3. Virtual Hosts................................................................................................................................12
4.3.1. IP-Based...........................................................................................................................................13
4.3.2. Name-Based.....................................................................................................................................13
4.4. Authentication, Authorization and Access Control.....................................................................14
4.5 Logging.........................................................................................................................................17
5. AN EXAMPLE SET-UP...............................................................................................................................17
6. REFERENCE ............................................................................................................................................18
MAIL SERVER.....................................................................................................................................19
1. HOW ELECTRONIC MAIL WORKS...............................................................................................................20
1.1 Mail between full-time Internet machines....................................................................................20
2. NOTIFIERS...............................................................................................................................................22
3. MAILBOX FORMATS..................................................................................................................................22
4. CHOOSING A MAIL TRANSPORT AGENT (MTA)..........................................................................................22
4.1 Sendmail.......................................................................................................................................23
4.2 smail v3.2......................................................................................................................................23
4.3 qmail.............................................................................................................................................23
5. LOCAL DELIVERY AGENTS (LDAS)...........................................................................................................23
6. USER AGENT ADMINISTRATION..................................................................................................................23
6.1 Mutt...............................................................................................................................................23
6.2 Elm................................................................................................................................................23
6.3 Mailx.............................................................................................................................................24
7. SENDMAIL - STEP-BY-STEP CONFIGURATION ................................................................................................24
7.1. MTA (sendmail)...........................................................................................................................24
7.2. POP3............................................................................................................................................26
7.3. Starting and Testing the Mail Server...........................................................................................26
8. QMAIL - STEP-BY-STEP CONFIGURATION ....................................................................................................26
8.1. Pre-requisites/Pre-installation steps...........................................................................................27
8.1.1. Required software/packages.............................................................................................................27
8.1.2. Software/packages that should not be installed................................................................................28
8.2 qmail Installation and Configuration...........................................................................................28
8.2.1. Download qmail...............................................................................................................................28
8.2.2. Installing qmail.................................................................................................................................28
8.3. qmail additional tools and utilities..............................................................................................30
8.3.1. ezmlm...............................................................................................................................................30
8.3.2. Autoresponder..................................................................................................................................30
8.3.3. Vpopmail..........................................................................................................................................30
8.3.4. Vqadmin...........................................................................................................................................30
8.3.5. Maildrop...........................................................................................................................................31
8.3.6. Qmailadmin......................................................................................................................................31
8.4. qmail Configuration.....................................................................................................................32
8.5. Testing qmail Installation and Configuration.............................................................................32
8.6. Courier-imap/imaps and Courierpassd.......................................................................................34
i
8.7. SquirrelMail.................................................................................................................................37
8.8. ClamAntivirus and SpamAssasin.................................................................................................39
9. REFERENCES............................................................................................................................................41
DYNAMIC HOST CONFIGURATION PROTOCOL (DHCP).......................................................42
1. INTRODUCTION.........................................................................................................................................43
2. INSTALLTION............................................................................................................................................43
2.1. Server Configuration...................................................................................................................43
2.2. Client Configuration....................................................................................................................45
3. REFERENCES............................................................................................................................................45
LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL (LDAP)...................................................46
1. OVERVIEW:.............................................................................................................................................47
2. HOW DOES LDAP WORK?........................................................................................................................47
3. LDAP BACK-ENDS, OBJECTS AND ATTRIBUTES.............................................................................................48
4. STEP-BY-STEP CONFIGURATION GUIDE........................................................................................................49
4.1. Scenario.......................................................................................................................................49
4.2. Downloading and Installing the LDAP Packages.......................................................................49
4.2.1. Required LDAP Server RPMs..........................................................................................................49
4.2.2. Required LDAP Client RPMs..........................................................................................................50
4.3. Configuring the LDAP Server.....................................................................................................50
4.3.1. Create a database directory...............................................................................................................50
4.3.2. Create an LDAP "root" password.....................................................................................................50
4.3.3. Edit the slapd.conf file......................................................................................................................50
4.3.4. Start the LDAP daemon...................................................................................................................51
4.3.5. Convert the /etc/passwd file into LDIF format.................................................................................51
4.3.6. Create the ldapuser test account.......................................................................................................51
4.3.7. Extract the required records from /etc/passwd..................................................................................51
4.3.8. Find the conversion script................................................................................................................51
4.3.9. Convert the ".ldapuser" file..............................................................................................................52
4.3.10. Modify the LDIF files....................................................................................................................52
4.3.11. Edit the user LDIF file....................................................................................................................52
4.3.12. Create an LDIF file for the "tdomain.com" domain........................................................................52
4.3.13. Import the LDIF files into the database..........................................................................................53
4.3.14. Test the LDAP database.................................................................................................................53
4.4. Configuring the LDAP Client......................................................................................................53
4.4.1. Edit the ldap.conf configuration file.................................................................................................53
4.4.2. Edit the /etc/nsswitch file.................................................................................................................53
4.4.3. Create Home Directories on the LDAP Client..................................................................................54
4.4.4. Check if ldapuser is missing from the /etc/passwd file.....................................................................54
4.4.5. Create the Home Directory for ldapuser on the LDAP Client...........................................................54
4.5. Testing..........................................................................................................................................55
SAMBA...................................................................................................................................................56
1. OVERVIEW..............................................................................................................................................57
2. CONFIGURING SAMBA...............................................................................................................................58
2.1. Setting the NetBIOS parameters..................................................................................................58
2.2. Global printing settings...............................................................................................................58
2.3. Global security settings...............................................................................................................59
2.4. Global name resolution settings..................................................................................................59
2.5. Creating shares............................................................................................................................59
2.6. Share permissions........................................................................................................................60
2.7. Creating shares for home directories..........................................................................................60
2.8. Creating a printer share..............................................................................................................61
3. STARTING AND STOPPING THE SAMBA SERVER...............................................................................................61
4. STEP-BY-STEP CONFIGURATION GUIDE........................................................................................................61
4.1. Samba as Primary Domain Controller .......................................................................................61
4.2. Join Domain.................................................................................................................................63
SQUID CACHE SERVER ...................................................................................................................64
1. AN OVERVIEW.........................................................................................................................................65
2. WHY CACHE?..........................................................................................................................................65
2.1. Origin Server Load......................................................................................................................65
2.2. Quick Abort..................................................................................................................................65
ii
2.3. Peer Congestion...........................................................................................................................65
2.4. Traffic spikes................................................................................................................................66
2.5. Unreachable sites........................................................................................................................66
2.6. Costs............................................................................................................................................66
3. SUPPORTED PROTOCOLS............................................................................................................................66
3.1. Supported Client Protocols..........................................................................................................66
3.2 Inter-cache and Management Protocols......................................................................................66
3.3 Inter-cache Communication Protocols.........................................................................................66
4. SQUID CONFIGURATION.............................................................................................................................67
4.1 The Configuration File.................................................................................................................67
4.2 Setting Squid's HTTP Port............................................................................................................67
4.3 Storing Cached Data....................................................................................................................67
4.4 E-mail for the Cache Administrator.............................................................................................67
5. ACCESS CONTROL LISTS AND ACCESS CONTROL OPERATORS.........................................................................68
5.1 Simple Access Control..................................................................................................................68
6. STEP-BY-STEP CONFIGURATION GUIDE........................................................................................................69
FIREWALLS..........................................................................................................................................71
1. INTRODUCTION.........................................................................................................................................72
2. CONCEPTS...............................................................................................................................................72
3. IPFIREWALL (IPFW) .......................................................................................................................72
3.1. Enabling IPFW............................................................................................................................73
3.1.1. Kernel Options.................................................................................................................................73
3.1.2. /etc/rc.conf Options..........................................................................................................................74
3.3. IPFW Rule Sets............................................................................................................................75
3.3.1. Rule Syntax......................................................................................................................................75
3.4. Building a Rule Script..................................................................................................................78
3.4.1. A Sample Inclusive Rule set.............................................................................................................79
3.4.2. A Sample NAT and Stateful Rule set...............................................................................................82
ASTERISK ............................................................................................................................................87
1. OVERVIEW..............................................................................................................................................88
2. INTRODUCTION.........................................................................................................................................88
2.1. The Components..........................................................................................................................88
2.1.1. The IP PBX......................................................................................................................................88
2.1.2. Phones..............................................................................................................................................89
2.1.3. Network...........................................................................................................................................89
3. INSTALLATION AND CONFIGURATIONS..........................................................................................................89
Change the Linux Password...............................................................................................................91
Change the IP Address .....................................................................................................................91
Set Time Zone ....................................................................................................................................92
4. CONNECT TO AMP FROM A WEB BROWSER................................................................................................93
4.1 Logging into an Asterisk Management Portal (AMP)..................................................................93
4.2. General Settings...........................................................................................................................94
4.3. Extensions....................................................................................................................................95
5. SETTING THE SOFT PHONE..........................................................................................................................96
5.1. Profile Tab...................................................................................................................................97
5.2. Audio and Video Tab...................................................................................................................98
5.3. Network Tab.................................................................................................................................98
5.4. Call-forwarding...........................................................................................................................98
5.5. Flash Operator Panel (FOP).......................................................................................................99
iii
Introduction
This open source toolkit has been developed by the Open Source Resource Center (OSRC),
a project of the Ministry of Information Technology (MoIT). This toolkit contains step-by-step
manuals related to open source applications for databases, application servers, desktop
applications, office productivity suites, Enterprise Resource Planning (ERP) and Customer
Relationship Management (CRM) software, and open source desktop applications for the
Microsoft Windows platform. A set of CDs, including some Linux distributions and other
applications, forms an integral part of this open source toolkit.
I would like to thank the OSRC team, including Mr. Abubakar Shoaib, Mr. Iftikhar Ahmad, Mr.
Muhammad Hammmad, Mr. Muazzam Ali, Mr. Sher Shah Farooq, and Mr. Qandeel Aslam,
who have compiled this toolkit; and Miss Seema Javed Amin, who has edited it. The OSRC
would especially wish to thank PSEB’s Director (Projects) Mr. Nasir Khan Afridi, Former
Project Manger(OSRC) Mr. Osman Haq and Ministry of Information Technology's Member
(IT) Mr. M. Tariq Badsha for their generous moral support, without which this toolkit would
never have been completed.
This is the first edition of this toolkit, and the OSRC hopes to continue to improve it with the
help of your feedback and comments.
Sufyan Kakakhel
Open Source Resource Center,
Pakistan Software Export Board,
2nd Floor, ETC, Agha Khan Road, F-5,
Islamabad, Pakistan.
Ph: +92-51-9208748
Fax: +92-51-9204075
Email: skakakhel@pseb.org.pk
http://www.osrc.org.pk
1. named.conf
The configuration file for the named daemon is named.conf, located in the /etc directory. It
uses a flexible syntax similar to C programs. The format enables easy configuration of
selected zones, enabling features such as access control lists and categorized logging. The
named.conf file consists of BIND configuration commands with attached blocks, within which
specific options are listed. A configuration command is followed by arguments and a block
that is delimited with braces. Within the block are lines of option and feature entries. Each
entry is terminated with a semicolon. Comments can use the C, C++ or Shell/Perl Syntax:
enclosing /* */, preceding //, or preceding #. The following example shows a zone command
followed by the zone name and a block of options that begin with an opening brace, {. Each
option entry ends with a semicolon. The entire block ends with a closing brace also followed
by a semicolon.
The zone command is used to specify the domains that the name server will service for you.
Enter the keyword zone followed by the name of the domain placed within double quotes. Do
not place a period at the end of the domain name.
There are several types of zones to choose from: master, slave, stub, forward, and hint.
The type master specifies that the zone holds master information and is authorized to act on
it. The type slave indicates that the zone needs to update its date periodically from a
specified master name server. A slave is also known as a secondary server. You can use
this entry if your name sever is operating as a secondary server for another primary (master)
domain name server. A stub zone only copies other name server entries, instead of the entire
zone. A forward zone will direct all queries to a specified name server. A hint zone specifies
the set of root name servers used by all Internet domain name servers. You can also specify
several options that will override any global options set with the options command. The
following example illustrates a simple zone command for the mytrek.com domain. Its class is
Internet, IN, and type is master.
Hostname ops-isb
Domain name test.edu.pk
FQDN ops-isb.test.edu.pk
Routable/Static IP 203.135.44.5
Non-Routable IP 192.168.1.14
// generated by named-bootconf.pl
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a caching only nameserver config
//
};
options {
This portion of the file is left to its original state.
};
zone “.” {
type hint;
file db.cache;
};
zone “test.edu.pk” {
type master ;
file “db.test” ;
};
The key word zone is written as it is. Write the name of your zone in quotes. This zone name
must be the name as your domain name. Now the first line of the block defines the type of
this zone i.e. master. The type master means that it is an independent Name Server (NS)
i.e., it doesn’t need to be updated from any other NS, and if was to be updated from another
NS, then it would have been a type slave. File shows the name of your zone file i.e. db.test,
in which you will be configuring your zone.
zone “44.135.203.in-addr.arpa” {
type master ;
file “db.203.135.44” ;
};
zone “0.0.127.in.addr.arpa”{
type master ;
file named.local ;
};
NOTE
• Don’t forget to put a semicolon (;) after the closing braces of every zone block.
• Don’t forget to put the semicolon after each statement of the zone block.
• .db in the filename is just a naming naming convention and you can use your own
naming convention for this purpose.
• All the files mentioned in named.conf must exist in the specified path in the option {}
block and must be correctly configured.
After configuring the named.conf file, the next step is the zone files’ configuration. Go to the
path mentioned in the option {} block of the named.conf file, i.e., /var/named.
Begin with the zone file db.test (as mentioned in the third block of named.conf).
The next configuration is the reverse lookup zone i.e. it resolves IP to domain name. The file
name used in this example is db.203.135.44
named.local:
NOTE
• Numbers have been assigned to the above configuration files in order to clearly
explain each line, otherwise they (numbers i.e. 1, 2, 3…) must not be written, neither
in the zone, nor in any configuration files.
The next step is the zone file db.cache. Leave the zone db.cache to its default configurations.
search test.edu.pk
nameserver 203.135.44.5
nameserver 127.0.0.1
/etc/rc.d/init.d/named start
You can start, stop or restart the daemon by putting start, stop, restart at the end of the
/etc/rc.d/init.d/named script.
ping test.edu.pk
ping bakar.test.edu.pk
If you get the ping reply that means your DNS is functioning correctly.
nslookup test.edu.pk
Server: localhost
Address: 127.0.0.1
Name test.edu.pk
Address 203.135.44.5
The Apache HTTP web server is a part of the Apache Software Foundation, which supports
other open source projects as well, including Ant, SpamAssasin, Struts, and Tomcat, etc.
The current version of the Apache web server, which is being used for the purposes of this
tutorial, is version 2.2.0. It can be downloaded from its official website at
http://httpd.apache.org/download.cgi.
2. Installation
Apache is usually pre-installed in most Linux distributions. Use the rpm -qa |grep httpd
command to confirm whether it is installed or not. If Apache has been installed from the
source code, the command mentioned above will not produce any result. In this case, try
locating the httpd/apache/apache2 directories. If these directories exist on your system, it
means that Apache has already been installed on it.
Apache can also be installed manually as well, by downloading either the rpm or the source
code. This tutorial will demonstrate both methods.
# wget \
http://apache.mirrors.pair.com/httpd/binaries/rpm/i386/http://apache.mirrors.pa
ir.com/httpd/binaries/rpm/i386/httpd-2.2.0-1.i386.rpm
# rpm -e httpd
• From the source installation: Install the new rpm on a path that is different from
the path of the source installation. Apache’s rpm can be installed by the following
command:
If you get any dependency errors regarding the Apache Portable Runtime (APR or
apr) packages, upgrade it to the version compatible with the current version, httpd-
2.2.0-1. This is the apr-1.2.2-1, which can be downloaded from
http://apr.apache.org/.
# wget http://apache.mirror99.com/httpd/httpd-2.2.0.tar.gz
• Create an Apache directory in "/usr/local". This path is optional, and is being used for
the purposes of this tutorial only.
# make
# make install
3. Apache Configuration
If you are using pre-installed Apache that comes with the distribution, then it is probably
installed in /etc/httpd. If you have built it from the source, and followed the procedure
mentioned in the previous section, then the path is /usr/local/apache2. In order to refer to this
default installation path (“/etc/httpd" or "/usr/local/apache2") $APACHE_HOME will be used
for the purposes of this tutorial only.
Apache runs as a daemon in the background, on which the server handles requests
continuously. Port 80 is specified by default in the Apache configuration file, httpd.conf.
Running Apache on port 80 requires root privileges, and can be run via the following
command:
# $APACHE_HOME/bin/apachectl start
[If a pre-installed version of Apache is being used, then the bin might not be under the
$APACHE_HOME directory]
# $APACHE_HOME/bin/apachectl stop
A start-up script, httpd can also be used to start, stop, or restart the Apache web server:
# /etc/init.d/httpd start
• Global Environment: This section defines configuration parameters for the Apache
server process e.g. the path to the Apache configuration directory; the Apache pid
file, and the path to other configuration files, etc.
• Virtual Host: This section defines settings for virtual hosts that are either IP-based, or
name-based.
The configuration file is configured by placing directives. Most directives have a global scope
that applies to the entire server, but this can be changed by placing the directives in some
special directives, such as <Directory>, <DirectoryMatch>, <Files>, and <Location>, etc.
# apachectl configtest
The Apache configuration file, httpd.conf, specifies the web server listening port; it is 80 by
default. If it is not, change the port to 80, restart the Apache web server, and browse to
"http://localhost". If the configuration is correct, the browser will display, "Test Page".
Note: In Fedora Core 3, a special package, "SE Linux", can create problems in Apache’s
configuration. Ensure that it is disabled before testing the configuration, and then restart
Apache.
Server Name: This specifies the server name and the port which is used by the server to
identify itself. This is useful for the purposes of redirection e.g. when the machine’s name is
ServerName www.osrc.org.pk:80
Specify the server name in order to prevent any problem at start-up. This directive can also
be used in the virtual host section.
Listening Port: This specifies the port number or IP, and the port number on which the web
server will listen for incoming requests. If only the port is specified, then the server will listen
on the given port number on all IP interfaces, otherwise it will listen to the specified IP and
port number only:
Listen 80
[Listens on port 80 and all available interfaces]
Listen 12.34.56.78:80
[Listens on port 80 and the IP 12.34.54.78 only]
DocumentRoot /var/www/html
Directory Index: If the requested URL specifies a directory, this option specifies the resources
to look for e.g. http://www.xyz.com/downloads/ where / specifies that "downloads" is a
directory. The resources can be, for instance, index.html index.php, etc. It is important to
note that the order matters, and that the first available resource will always be returned:
The above configuration tells Apache to look for the index.html file in the "downloads"
directory. If there is no index.html, look for index.php, and then index.txt. If none of these
resources can be found, then the behavior depends upon whether the Options directive is set
or not with the Indexes options. This directive can also be used in virtual host section.
Options Indexes: If this option is set for a directory, and the requested URL maps to a
directory e.g. http://www.xyz.com/downloads/, and no DirectoryIndex is set, or the resource
specified in the DirectoryIndex cannot be found, then this option will create a default
formatted listing for the requested directory:
<Directory "/var/www/html">
Options Indexes
</Directory>
This configuration will set the auto index generation for the directory "html" and its sub-
directories. This directive can also be used in the virtual host section.
This allows running multiple websites, each with a different IP, on a single machine. This can
be achieved by hosts that have multiple network connections, or by virtual interfaces. A multi-
homed machine, for example, can have two network cards with IPs 192.168.2.58 and
10.10.10.100. You can configure a website http://www.xyz.com/accounts on 192.168.2.178
and http://www.xyz.com/hr on 10.10.10.100.
The following is a sample configuration of IP-based virtual hosts. The hostnames will be
resolved to their respective IP addresses.
<VirtualHost www.example1.com>
DocumentRoot /var/www/html/example1
</VirtualHost>
<VirtualHost www.example2.com>
DocumentRoot /var/www/html/example2
</VirtualHost>
Ensure that the entry NameVirtualHost in the main section is commented out. The above
configuration specifies that when a request is made from the client to
http://www.example1.com then first resolve the hostname, which returns to 192.168.2.58.
This returns the contents in the directory specified by DocumentRoot.
The above-mentioned configuration requires DNS name resolution, which will obviously slow
down the entire process. Please refer to http://httpd.apache.org/docs/2.2/dns-caveats.html
for more information. The recommended practice is to specify IP address instead of the
hostname in the virtual host section.
<VirtualHost 192.168.2.58>
DocumentRoot /var/www/html/example1
ServerName www.example1.com
</VirtualHost>
<VirtualHost 10.10.10.100>
DocumentRoot /var/www/html/example2
ServerName www.example2.com
</VirtualHost>
You need an additional directive, ServerName, so that the requests for example1 or
example2 can be mapped. If no ServerName is specified, then Apache will try the reverse
DNS in order to look up the hostname.
4.3.2. Name-Based
Name-based virtual hosts allow multiple websites on a single IP address. This is in contrast
to IP-based virtual hosts, where you need an IP address for each website. IP-based virtual
hosts rely explicitly on IP addresses to determine the correct virtual host to the server. Name-
NameVirtualHost 192.168.2.58:80
<VirtualHost 192.168.2.58:80>
DocumentRoot /var/www/html/example1
ServerName www.example1.com
</VirtualHost>
<VirtualHost 192.168.2.58:80>
DocumentRoot /var/www/html/example2
ServerName www.example2.com
</VirtualHost>
The directive NameVirtualHost specifies that IP 192.168.2.58 must listen on this specific IP
for incoming requests. Normally, you can use * here, but in cases which require mixed types
of settings, i.e. a host that supports both IP-based and name-based virtual hosts, you need to
specify which IP address you want to configure for name-based virtual hosting. If you are
planning to use multiple ports, such as SSL, for example, then specify the port here. The
argument given in NameVirtualHost must match with the virtual host section for name-based
virtual hosts:
NameVirtualHost *
<VirtualHost *>
DocumentRoot /var/www/html/example1
ServerName www.example1.com
</VirtualHost>
<VirtualHost *>
DocumentRoot /var/www/html/example2
ServerName www.example2.com
</VirtualHost>
Authorization is the process of granting someone access to the areas to which the user is
allowed to go.
Access control is also authorization, but it provides authorization at another layer i.e. based
on an IP address, hostname or the characteristic of the request.
Make sure that the requisite modules are installed and loaded in Apache beforehand. Please
refer to http://httpd.apache.org/docs/2.2/howto/auth.html and
http://httpd.apache.org/docs/2.2/howto/access.html for the list.
In order to implement such security mechanisms, you first need to understand the Apache
directory’s structure, and its configuration. Apache is normally configured using the main
httpd.conf file, where the configuration parameters are applicable to all the published web
<Directory /var/www/html/test>
Order allow,deny
Deny from all
</Directory>
This means denying access to the directory test and all its sub-directories. So, access to the
URL http://www.test.com pointing to the directory /var/www/html/test is denied. Access to the
URL http://www.test.com/public pointing to the directory /var/www/html/all is allowed.
<File private.html>
Order allow,deny
Deny from all
</File>
This means that access to the file private.html located anywhere is denied.
<Location /private>
Order allow,deny
Deny from all
</Location>
This means that access to any URL containing private is denied. Access to
http://www.test.com/private/public is not allowed, whereas access to
http://www.test.com/public is allowed.
The .htaccess method is easy to configure. Place the contents of the .httaccess file in
<Directory> </Directory> in the main configuration file.
The name of the .htaccess file can be changed by using the AccessFileName directive in the
main configuration file. Configure Apache to allow such configuration files for directories. This
can be done by using AllowOverride AuthConfig in <Directory> </Directory>. If you want a
special directory, /var/www/html/public/restricted to be restricted, for example, you must allow
the use of the .htaccess file. Place the following configuration in Apache’s main configuration
file:
<Directory /var/www/html/public/restricted>
AllowOverride AuthConfig
</Directory>
Define the users who are granted access to the restricted area. These users, and their
passwords, will be defined in a special file, which should be placed somewhere which is
inaccessible to the web. The file can be created with a special utility htpasswd that comes
with Apache:
.htaccess
----------------------------------------------
AuthType Basic
AuthName "Restricted Files"
# Optional line: AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
AuthUserFile /etc/httpd/conf/passwd
Require user user1
----------------------------------------------
AuthType specifies the type of authentication, and Basic is unencrypted. AuthName specifies
the realm which is used as a temporary session identifier. AuthUserFile specifies the path of
the password file, and Require user specifies the user to whom access must be granted.
Sometimes access needs to be granted to more than one user. This can be achieved by
using the Require valid-user, which will allow access to the restricted area to anyone listed in
the password file. Please see the “References” section for more advanced techniques
regarding configuring authentication/authorization, using groups, and databases.
In order to customize access based on hosts/IPs, use Allow and Deny directives. The Order
directive can also be used to specify the order in which the filters should be applied. The
syntax is:
Deny,Allow: First Deny, and then the Allow directive is evaluated. Access is allowed by the
default meaning that any client that matches neither the Deny nor the Access directive will be
allowed to access the server.
Allow,Deny: First Allow, and then the Deny directive is evaluated. Access is denied by the
default meaning that any client that matches neither the Allow nor the Deny directive will be
allowed to access the server.
Consider a real example, a directory /var/www/html/localusers. You want only local users
falling in the 192.168.2 network access to /var/www/html/localusers. Use the following
configuration:
Order Allow,Deny
Allow from 192.168.2.0/24
</Directory>
<Directory /var/www/html/localusers>
Order Allow,Deny
Allow from 192.168.2.0/24
Deny from 192.168.2.178
</Directory>
This will allow access to all hosts in the network 192.168.2.0/24 except 192.168.2.178. All
other requests will be denied by default. Changing the order from Allow,Deny to Deny,Allow
will only allow the host 192.168.2.178 to access, since Allow will override the Deny behavior.
4.5 Logging
Apache logs provide comprehensive information and customization for the purposes of
security analysis and troubleshooting. Apache logs are located, by default, under the
/var/log/httpd directory.
Error Log: This log provides error information while processing requests for diagnostic
purposes. The location of this log can be controlled by the ErrorLog directive in the main
configuration file. Error logs cannot be customized.
Access Log: This log records useful information, such as client IP, date/time, location
accessed, client platform information, and so on. An access log can be customized, and its
location and content can be controlled by the CustomLog directive.
5. An Example Set-up
Consider a real-world example to configure a static website. The configuration is given
below:
The machine’s name is osrc-test, but the DNS alias for this configuration is
www.testmachine.org.
Steps
• Save the Apache configuration file with new changes, exit, and restart the Apache
service.
Ensure that valid DNS entries exist for www.testmachine.org that should point to the IP of
your machine.
6. Reference
• http://httpd.apache.org/docs/2.2/mod/directives.html
• http://httpd.apache.org/docs/2.2/configuring.html
• http://httpd.apache.org/docs/2.2/sections.html
• http://httpd.apache.org/docs/2.2/logs.html
• http://httpd.apache.org/docs/2.2/howto/auth.html
• http://httpd.apache.org/docs/2.2/vhosts/
The arrangement and meaning of Internet mail headers are defined by an Internet standard
in RFC822.
Usually this program will be sendmail, although some alternative MTAs are gaining
popularity, and may appear in future Linux distributions. The MTA's job is to pass the mail to
an MTA on Omer's machine. It determines Omer's machine by analyzing the ‘To’ header and
by seeing the dobbs.com on the right-hand side of Omer's address. It uses that address to
open an Internet connection to Omer's machine. The mechanics of making that connection is
a separate topic. For the purposes of this tutorial, it is enough to know that that connection is
a way for Fraz's MTA to send text commands to Omer's machine, and receive replies to
those commands.
The MTA's commands do not go to a shell. Instead, they go to a service port on Fraz's
machine. A service port is a sort of rendezvous point, a known place where Internet service
programs “listen” for incoming requests. Service ports are numbered, and Fraz's MTA knows
that it needs to “talk” to port 25 on Omer's machine in order to pass on the mail.
On port 25, Omer's machine has its own MTA listening for commands. Fraz's MTA will go
through a dialogue with Omer's, using Simple Mail Transfer Protocol (SMTP). This is what an
SMTP dialogue looks like. Lines sent by Fraz's machine are identified by an “S”; responses
from Omer's machine are identified by an “R”:
S: MAIL FROM:<fraz@wonderland.com>
R: 250 OK
S: RCPT TO:<omer@dobbs.com>
R: 250 OK
S: DATA
R: 354 Start mail input; end with <CRLF>.<CRLF>
S: From: "Fraz" <fraz@wonderland.com>
S: Message-Id: <200211131704.MAA18447@wonderland.com>
S: Subject: Have you seen my white rabbit?
S: To: omer@dobbs.com (Omer)
S: Date: Thu, 13 Nov 2002 12:04:05 -0500 (EST)
S: Content-Type: text
S:
S: I'm most concerned. I fear he may have fallen down a hole.
S: --
S: >>Fraz>>
S: .
R: 250 OK
Usually, an SMTP command is a single text line, and so is its response. The DATA command
is an exception; after seeing that, the SMTP listener accepts message lines until it sees a
period on a line by itself. (SMTP is defined by the Internet standard RFC821.) Now Omer's
MTA has Fraz's message. It will add a header to the message that looks something like this:
This is for tracking purposes in case of mail errors (sometimes a message has to be relayed
through more than one machine, and it will have several of these). dobb's MTA will pass the
modified message to a Local Delivery Agent (LDA). On Linux systems, the LDA is usually a
program called procmail, although others exist. The LDA's job is to append the message to
Omer's mailbox. It is separate from the MTA so that both programs can be simpler, and then
2. Notifiers
There is yet another kind of program that is important in the mail chain, although it does not
itself read or transmit mail. It is a mail notifier, a program that watches your e-mail Inbox for
activity, and alerts you to new mail when it arrives.
The original notifiers were a pair of UNIX programs called biff(1) and comsat(8). The biff
program is a front-end that enables you to turn on the comsat service. When this service is
on, the header of new mail will be dumped onto your terminal as it arrives. This facility was
designed for people using line-oriented programs on CRTs; it is not really a good idea in
today's environment. Most UNIX shells have built-in mail check facilities that allow them to
function as notifiers in a rather less intrusive way (by emitting a message just before the
prompt when new mail is detected). Enable this facility by setting environment variables
documented on the shell's manual page. Systems supporting X come with one of several little
desktop gadgets that check for new mail periodically, and give you both visible and audible
indications of new mail. The oldest and most widely used of these is called xbiff; if your Linux
has a pre-configured X desktop setup, xbiff is probably on it. See the xbiff(1) manual page for
details.
3. Mailbox formats
When incoming mail gets appended to a mailbox, it is up to the MTA to provide some kind of
delimiters that indicate where one message stops, and the next one begins. Under UNIX, the
convention almost all mailers use is that each line beginning with “From” (the space is
significant) begins a new message. If “From” occurs at the beginning of a line in text, a UNIX
MTA will generally prefix it with a greater-than sign, so it looks like “>From”. RFC822 headers
follow this “From line” (which usually continues with the sender name and receipt date). This
convention originated with UNIX Version 7, so this kind of mailbox is referred to as a “V7
mailbox”; it is also sometimes called an “mbox format”. It is not, however, quite universal, and
tools expecting and generating different formats can confuse each other badly. The four other
formats are BABYL, MMDF, MH, and qmail maildir. Of these, MMDF is the simplest; it uses a
delimiter line consisting four control-As (ASCII 001) characters followed by CR-LF. MMDF
was an early and a rather crude Internet mail transport; a descendant is still in use on SCO
systems. BABYL is another survivor from an early mail system at MIT. It is still used by
Emacs's mail-reader mode.
MH and qmail maildir are 'mailbox' formats that actually burst each mailbox into a directory of
files, one per message. Running grep on such a 'mailbox' is useless, since all grep will see
are the directory bits.
Microsoft Outlook Express .mbx mailboxes can be converted to RFC822 format with
mbx2mbox app.
Sendmail is suitable for many sites with complicated options, but its configuration is too hard
for beginners. It is not very secure or very fast, so the following is really an outdated section
4.1 Sendmail
BSD sendmail is the oldest of Internet MTAs. It has outlasted a few would-be successors.
Most Linux distributions now use it and have it pre-installed.
4.3 qmail
qmail is a secure, reliable and robust MTA. It is a popular choice as a replacement for
sendmail. While sendmail is older than qmail, security was not considered a major issue
during its designing and development stages. Although its code has been repeatedly modified
to make it more secure, the whole design architecture of sendmail has to be replaced with a
new one. qmail, on the other hand, was designed with high security as a goal. qmail is much
more robust in terms of performance, and is reliable because of its internal architecture, to
deliver mails. This is possible because of its clean and simple modular approach.
6.1 Mutt
You should have no problem compiling, installing, or running Mutt. Users of qmail can either
get the patch, or run it with -f flag to read their local mail folder. If mutt sends an "unknown
terminal error" after a distribution upgrading, recompile it.
6.2 Elm
Elm compiles, installs and runs flawlessly under Linux. For more information, see its sources
and installation instructions. Elm and its filter need to be in mode 2755 (group mail) with
/var/spool/mail mode 775 and group mail.
Qmail users can get a patch to use interesting qmail features, or run Elm with the -f flag to
point to their local mail folder. If you have Elm compiled to be MIME-able, you need Metamail
installed and in the standard path, or Elm will not be able to read the MIME mail that you have
received. Metamail is available at thumper.bellcore.com and via "archie".
If you use a binary distribution, you'll need to create a "/usr/local/lib/elm/elm.rc" file to override
the compiled-in hostname and domain information:
A distribution of Elm-2.4.24 is available that is "PGP-aware". In order to try it, obtain the file
ftp://ftp.viewlogic.com/pub/elm-2.4pl24pgp3.tar.gz, which is elm2.4.24 with PGP hooks added.
Configure and build it in the same way as normal Elm by adding the patches mentioned
above. More recent versions include elm-ME+. While this item is not Linux-specific, it is,
nevertheless, wrongly perceived to be a nagging Elm bug. Elm sometimes fails with a
message that it is unable to malloc() massive numbers of bytes. The identified workaround is
to remove the post-processed global mail aliases (aliases.dir and aliases.pag). This is not a
bug in ELM; it is a configuration error. Elm has an enhanced and non-compatible format for
aliases; ensure that the path Elm uses for aliases is different from the path that
sendmail/smail uses. From the volume of reports regarding this problem, it is apparent that at
least one major distribution has been misconfigured in the past. {From Scot at catzen.gun.de
(Scot W. Stevenson)}. The current metamail package requires csh for some of its scripts.
Failure to install csh (or tcsh) will cause errors.
6.3 Mailx
If you do not have a local mailx program, obtain a mailx kit from Slackware 2.1.0 or later,
which contains an implementation of mailx 5.5. If you build from sources, mailx v5.5 compiles
without patching under Linux if you have "pmake" installed. Remove the old "edmail" from
SLS1.00 and replace it with mailx.
##################
Cwlocalhost
# file containing names of hosts for which we receive email
Fw/etc/sendmail.cw
Look for the line Cwlocalhost. At the end of this line, append the domain name for which you
want to receive mails.
Before any changes, the line will look like the following:
Cwlocalhost
In order to receive mails for the domain test.edu.pk, append the domain name after the
mentioned line, and it will look like this:
Cwlocalhost test.edu.pk
In order to receive mails for other domains as well, like testing.com and flipflop.org, append
these domain names after the previous one, and separate each domain name with a space.
The line will look like:
Cwlocalhost test.edu.pk testing.com flipflop.org
Go to the directory /etc/mail/. Create a file named relay-domains and configure an already-
existing file access.
relay-domains:
This file will contain the hosts that will allow relaying. Open this file with the command:
pico relay-domains
ALLOW
ALLOW
ALLOW
test.edu.pk ALLOW
.test.edu.pk ALLOW
Note: 210.56.18.203 is the real IP that has been assigned to the author’s machine against the
domain name test.edu.pk. This will be different in each machine’s case. 192.168.1 is the local
IP of the author’s machine. test.edu.pk is the domain name.
Access:
Open the file named access in the same directory i.e. /etc/mail and write the following lines in
it:
ops-isb.test.edu.pk RELAY
210.56.18 RELAY
1. RELAY
192.168.1 RELAY
Note: Where ops-isb is the machine or the hostname on which the domain exists.
Download it in the directory /usr/. Untar the qpopper3.1.tar.gz file with the command:
cd /usr/qpopper3.1
./configure
make
./configure --enable-specialauth
make
pico pop3
service pop3
{
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/qpopper3.1/popper/popper
server_args = qpopper –s
port = 110
}
Save the file and exit. Run the following commands to start the services:
/etc/rc.d/init.d/sendmail start
/etc/rc.d/init.d/xinetd restart
Telnet the localhost to check whether the pop3 is working properly or not:
You will see a response which will confirm that the qpopper is functioning smoothly. You can
now make users on Linux, and assign them their e-mail addresses. If you have a user called
bakar, for example, then his e-mail address will be bakar@test.edu.pk (test.edu.pk is the
domain name).
This guide is based on one of the How-Tos, qmailrocks, which describes qmail’s setup step-
by-step, in addition to installing qmail add-ons. These additional packages include ezmlm,
Autoresponder, Vpopmail, Vqadmin, maildrop, QmailAdmin, Courier-imap/imaps, Squirrel
mail, Clam AV, and SpamAssasin. A brief introduction to all these packages is given below:
Autoresponder
A useful utility which automatically responds to e-mails.
Vpopmail
Vpopmail is a useful program that facilitates the creation and management of multiple virtual
domains on a qmail server.
Vqadmin
Vqadmin is a web-based interface to manage Vpopmail at the root level.
Maildrop
Maildrop provides a mail-filtering service that can be used to filter incoming messages on the
server.
qmailAdmin
qmailAdmin is a useful tool that allows users to administer their own domains, but cannot
create new domains (Vqadmin can be used for this purpose).
SquirrelMail
SquirrelMail is a webclient for qmail with IMAP, which provides a web-based client interface
on the server.
1 Digest::SHA1
2 Digest::HMAC
3 Net::DNS
4 Time::HiRes
5 HTML::Tagset
6 HTML::Parser
4. GCC
5. MySQL, version 3.x or higher, is only required if it is integrated with vpopmail.
6. OpenSSL, version 0.9.5a or higher
7. OpenSSL-devel
8. patch and patchutils
1. Postfix
2. Any POP service
3. Any SMTP service. Leave Sendmail installed for the moment; it will be uninstalled later on
in the tutorial
Make sure that the following ports are not blocked in the firewall:
qmailrocks comes with a complete package to install and setup qmail. It also includes
automated scripts to perform some functionalities e.g. creating users, directories etc. Follow
the exact steps e.g. directory names, paths etc. because the scripts bundled with qmailrocks
have all the paths hard-coded. All the installation must be done as root user, unless
otherwise stated.
# mkdir /downloads
# cd /downloads
# wget http://www.qmailrocks.org/downloads/qmailrocks.tar.gz
The above-mentioned package contains everything required for this tutorial. In order to
download individual packages, visit http://downloads.qmailrocks.org/.
This step will demonstrate qmail installation along with ucspi-tcp and daemon tools, which
form the core components of a qmail server. You will also need to create some directories,
users and set permissions. qmailrocks has combined all these steps in a single script,
available at
# /downloads/qmailrocks/scripts/install/qmr_install_linux-s1.script
Apply patches to qmail in order to enhance its functionality. qmailrocks comes up with another
script to apply them. Details regarding these patches can be found at the qmailrocks website.
Run the following script in “/downloads”:
# /downloads/qmailrocks/scripts/util/qmail_big_patches.script
Install qmail, ucspi-tcp and daemon tools. Run the following steps in “/downloads”:
# cd /usr/src/qmail/qmail-1.03
# make man
# make setup check
# ./config
The config script will try to perform a reverse DNS against all local IP addresses. If the DNS
server on your network is working correctly, this should run smoothly. In case the DNS server
is not configured or setup, use config-fast:
# ./config-fast your_fqdn_hostname
qmail is now installed. Generate a certificate to communicate over TLS with the server. Run
the following command:
# make cert
This will ask some questions, you can fill in any value. The following is a sample:
This will install the certificate at “/var/qmail/control/servercert.pem” along with a symbolic link
to that certificate at “/var/qmail/control/clientcert.pem”. Set the right ownership for the
certificate:
# chown -R vpopmail:qmail /var/qmail/control/clientcert.pem \
/var/qmail/control/servercert.pem
# cd /usr/src/qmail/ucspi-tcp-0.88/
# patch < /downloads/qmailrocks/patches/ucspi-tcp-0.88.errno.patch
# make
# make setup check
You should be able to see svscanboot running at this moment. Run the following command to
confirm it:
8.3.1. ezmlm
# cd /downloads/qmailrocks/
# tar zxvf ezmlm-0.53-idx-0.41.tar.gz
# cd ezmlm-0.53-idx-0.41
# make
# make setup
8.3.2. Autoresponder
# cd /downloads/qmailrocks
# tar zxvf autorespond-2.0.5.tar.gz
# cd autorespond-2.0.5
# make
# make install
8.3.3. Vpopmail
Vpopmail can be installed with or without MySQL support. This guide will demonstrate setting
up Vpopmail without MySQL support, since MySQL integration will complicate matters, and is
required only when hosting a large number of domains.
# cd /downloads/qmailrocks
# tar zxvf vpopmail-5.4.9.tar.gz
# cd vpopmail-5.4.9
# ./configure –enable-logging=p
# make
# make install-strip
8.3.4. Vqadmin
# cd /downloads/qmailrocks
# tar zxvf vqadmin-2.3.6.tar.gz
# cd vqadmin-2.3.6
We need to know the location of the cgi-bin and web server publishing directory. On most
systems, it is “/var/www/cgi-bin” and “/var/www/html”.
# ./configure –enable-cgibindir=/var/www/cgi-bin \
--enable-htmldir=/var/www/html/
# make
# make install-strip
<Directory "/var/www/cgi-bin/vqadmin/">
deny from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>
# cd /var/www/cgi-bin/vqadmin
# chown apache .htaccess
# chmod 644 .htaccess
Configure the vqadmin directory to restrict access to the Vqadmin interface to authorized
users only. Edit the “.httaccess” file:
AuthType Basic
AuthUserFile /path/to/where/you/want/to/store/the/password/file/vqadmin.passwd
AuthName vQadmin
require valid-user
satisfy any
Create the “vqadmin.passwd” file. [Make sure that the password file name is the same as has
been specified in the “.htaccess” file]
8.3.5. Maildrop
# cd /downloads/qmailrocks
# tar zxvf maildrop-1.6.3.tar.gz
# cd maildrop-1.6.3
# ./configure --prefix=/usr/local --exec-prefix=/usr/local \
--enable-maildrop-uid=root --enable-maildrop-gid=vchkpw –enable-maildirquota
# make
# make install-strip
# make install-man
8.3.6. Qmailadmin
# cd /downloads/qmailrocks
# tar zxvf qmailadmin-1.2.3.tar.gz
# cd qmailadmin-1.2.3
The path to your cgi-bin is “/var/www/cgi-bin”, and the path to your HTML directory is
“/var/www/html”.
# make
# make install-strip
# /downloads/qmailrocks/scripts/finalize/linux/finalize_linux.script
If the instructions have been followed until now, the script should not return any error.
# qmailctl stop
# echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
# qmailctl cdb
# ln -s /var/qmail/alias/.qmail-root /var/qmail/alias/.qmail-anonymous
# chmod 644 /var/qmail/alias/.qmail*
Before using qmail, uninstall sendmail. On Red Hat systems, sendmail is usually installed as
an “rpm”.
This should indicate whether any sendmail packages have been installed or not. Uninstall
using the following commands, but first stop any sendmail processes that might be running:
# /etc/rc.d/init.d/sendmail stop
# rpm -e --nodeps SENDMAIL_PACKAGE
# ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
# ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
qmail is configured and is now ready for use. qmailrocks presents a script that can be used to
test the installation and configuration process performed until now:
# /downloads/qmailrocks/scripts/util/qmr_inst_check
# qmailctl stop
# qmailctl start
The qmail status can be checked by running:
# qmailctl stat
You should see the following:
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK <19917.1138776306@mail.osrc.org.pk>
user postmaster@osrc.org.pk
+OK
pass 123
+OK
quit
+OK
Connection closed by foreign host.
The italicized letters display the input to be entered. The above output shows that the POP
service is running successfully.
Send a mail to postmaster@osrc.org.pk. Ensure that the DNS is properly configured;
otherwise you will receive a delivery failure message. Connect again to post 110 using the
same credentials entered above:
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK <21886.1138852777@mail.osrc.org.pk>
user postmaster@osrc.org.pk
+OK
pass 123
+OK
list
+OK
1 859
.
quit
+OK
Connection closed by foreign host.
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.osrc.org.pk ESMTP
ehlo localhost
250-mail.osrc.org.pk
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
starttls
220 ready for tls
quit
quit
Connection closed by foreign host.
If you get the “220 ready for tls” message after entering the command starttls, it means that
the SMTP connection is good enough to go onto TLS encryption. If you receive an error
message, ensure that you have created certificates first.
At this point, qmail is setup and can be used. Functionalities, however, are still required in
order to remotely check mails, scan for viruses and spam. The next few sections will guide
you towards installing and setting them up.
# make
# make check
# make install-strip
# make install-configure
# vi /etc/rc.local
/usr/local/sbin/authdaemond start
Install courier-imap, which has to be compiled by a non-root user. Create a temporary user on
the system:
# useradd tempuser
# cd /downloads/qmailrocks/
$ exit
# make install-strip
# make install-configure
# vi /usr/local/etc/imapd.cnf
Change postmaster@example to postmaster@osrc.org.pk
# vi /usr/local/etc/imapd
Change IMAPDSTART=NO to IMAPDSTART=YES
# vi /usr/local/etc/imapd-ssl
Change IMAPDSTART=NO to IMAPDSTART=YES
and make sure TLS_CERTFILE=/usr/local/share/imapd.pem
# vi /usr/local/etc/authlib/authdaemonrc
“authmodulelist” should contain only authvchkpw i.e.
authmodulelist="authvchkpw”
# cp /usr/local/libexec/imapd.rc /etc/rc.d/init.d/imap
# cp /usr/local/libexec/imapd-ssl.rc /etc/rc.d/init.d/imaps
Start authdaemon, the IMAP and IMAPS server:
# /usr/local/sbin/authdaemond stop
# /usr/local/sbin/authdaemond start
# /etc/rc.d/init.d/imap stop
# /etc/rc.d/init.d/imaps stop
# /etc/rc.d/init.d/imap start
# /etc/rc.d/init.d/imaps start
The system should be listening on port 143 and 993. Use the nmap command to check it:
# namp localhost
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE
THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL
ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2005 Double
Precision, Inc. See COPYING for distribution information.
a login postmaster@osrc.org.pk 123
a OK LOGIN Ok.
a logout
* BYE Courier-IMAP server shutting down
a OK LOGOUT completed
Connection closed by foreign host.
The italicized letters display the input. The output shows a successful connection to the
server. Install courierpassd:
# cd /downloads/qmailrocks
# tar zxvf courierpassd-1.1.0-RC1.tar.gz
# cd courierpassd-1.1.0-RC1
# ./configure
# make
# make install
# cd /etc/xinetd.d
# vi courierpassd
service courierpassd
{
port = 106
socket_type = stream
protocol = tcp
user = root
server = /usr/local/sbin/courierpassd
server_args = -s imap
wait = no
# vi /etc/services
# /etc/rc.d/init.d/xinetd restart
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
200 courierpassd v1.1.0-RC1 hello, who are you?
user postmaster@osrc.org.pk
200 Your password please.
pass 123
200 Your new password please.
newpass 1234
200 Password changed, thank-you.
quit
200 Bye.
Connection closed by foreign host.
The italicized letters display the input. The above output shows that the service is running
smoothly
8.7. SquirrelMail
Edit the “php.ini” file and make sure that the variable “file_uploads” is “on”:
# vi /etc/php.ini
[php.ini path can vary]
file_uploads = on
# cd /downloads/qmailrocks
Configure SquirrelMail:
C Turn color on
S Save data
Q Quit
Command >>
Enter 2 at the prompt to change the server settings. The following settings are recommended:
General
-------
1. Domain : 192.168.2.66
2. Invert Time : false
3. Sendmail or SMTP : SMTP
IMAP Settings
--------------
4. IMAP Server : localhost
5. IMAP Port : 143
6. Authentication type : login
7. Secure IMAP (TLS) : false
8. Server software : other
9. Delimiter : detect
SMTP Settings
-------------
4. SMTP Server : localhost
5. SMTP Port : 25
6. POP before SMTP : false
7. SMTP Authentication : login
8. Secure SMTP (TLS) : false
9. Header encryption key :
Configure the Apache web server. Edit the Apache configuration file and add the following
line:
NameVirtualHost 192.168.2.178:80
You should now be able to use the web interface for qmail, and be able to send and receive
e-mails. Install the “change_pass” plug-in to SquirrelMail to change the password from the
web interface:
# cd /var/www/html/webmail/plugins/
Enter option 8 and you should see change_pass under the available plug-ins. Enter the
change_pass module number in order to activate it. Save the configuration and quit.
SquirrelMail is now fully configured.
Digest::SHA1
Digest::HMAC
Net::DNS
Time::HiRes
HTML::Tagset
HTML::Parser
Pod::Usage
Parse::Syslog
Statistics::Distributions
Other required packages include:
perl-suidperl
unzip
qmailrocks provides a script to check PERL modules. Run the script as a non-root user:
# su tempuser
$ /downloads/qmailrocks/scripts/util/check_perlmods.script
# exit
# cd /downloads/qmailrocks/perlmods
# tar zxvf Parse-Syslog-xxx.tar.gz
# cd Parse-Syslog-xxx
# perl Makefile.PL
# make
then use:
# rpm -Uvh spamassassin-3.0.2-1.i386.rpm \
spamassassin-tools-3.0.2-1.i386.rpm –nodeps
# groupadd spamd
Add/edit in the above file, and, in case there is no file, create a new one:
SPAMDOPTIONS="-x -u spamd -H /home/spamd -d"
Add the following line to “/etc/mail/spamassassin/local.cf”
required_hits 5
# /etc/rc.d/init.d/spamassassin start
SpamAssassin must be running, use ps
# ps -aux | grep spamd
Use the setup command to start the SpamAssassin service at boot time.
The qmail configuration is now complete, and the mail server can be used to send and
receive e-mails. For a production server, install some additional tools and configure the mails
server to secure it over the Internet.
The services that are required include:
# qmailctl stat
# /etc/rc.d/init.d/imap start
# /etc/rc.d/init.d/imaps start
# /etc/rc.d/init.d/spamd start
# /etc/rc.d/init.d/httpd start
9. References
• Qmailrocks.org: http://www.qmailrocks.org/
This guide will demonstrate how to set up a DHCP server and client. More information
regarding the protocol can be found in the “References” section.
2. Installtion
Many distributions come with a dhcpd server and client. In case you would like to install it
manually, however, you can use rpm -ivh dhcp-VERSION.rpm to install the rpm. The DHCP
server can be downloaded from "http://people.redhat.com/~jvdias/DHCP/". DHCP reads from
a configuration /etc/dhcpd.conf. The rpm package does not install this file, but you can use
the sample DHCP configuration file that can be found under /usr/share/doc/dhcp-<version-
number>/dhcpd.conf.sample. Copy this file to /etc and rename it to dhcpd.conf.
# cp /usr/share/doc/dhcp-3.0.1/dhcpd.conf.sample /etc/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
The above configuration file specifies that the clients will be given an IP address in the range
10.10.10.10 to 10.10.10.50. The default lease time, in case the client does not explicitly ask
for it, will be 21600 seconds; otherwise the maximum allowed lease time is 43200 sconds.
The server also specifies that the client should use the subnet mask 255.0.0.0,
10.255.255.255 as its broadcast address, 10.10.10.1 as the default gateway and 10.10.10.10
as the DNS server.
Client 1
Client 2
Client n
Once you have edited the dhcpd.conf file, start the server. If you get a failure message
regarding lease file being missing, create the following file:
# touch /var/lib/dhcp/dhcpd.leases
# pgrep dhcpd
The above configuration file dynamically allocates an IP address. DHCP can also be
configured as a mixed environment that can allocate IP addresses dynamically and statically.
The "host" section in the sample configuration file allocates an IP, based on the hardware
address. Please see the “References” section for more advanced DHCP configurations. While
running, DHCP server creates the client entries in /var/lib/dhcp/dhcpd.leases.
For RedHat, you can use netconfig to configure the DHCP host.
# netconfig
This will ask for a couple of options. Click on "Use dynamic IP configuration (BOOTP/DHCP)".
Select "OK" and restart the network services.
If the DHCP server has been configured properly, the client should be able to get an IP
address. Use ipconfig to check the IP.
# ifconfig
3. References
• DHCP Server Setup: http://www.tldp.org/HOWTO/DHCP/x369.html
• Configuring the DHCP Server: http://www.linuxhomenetworking.com/linux-hn/dchp.htm
Each object has a unique Distinguished Name (DN) attribute for identification purposes. Each
object is a member of one or more object classes, which determine which attributes it may
and must have according to a well-defined schema. Objects in an LDAP database are
organized into a tree hierarchy, based on their DN.
By tradition, the organization example.com uses dc=example,dc=com for its root object (but
nothing enforces this tradition). Below the root are objects representing different
organizational units, such as people or hosts. The children of these objects are the people
and hosts themselves.
As you can see, each entry is uniquely identified by a DN. The DN consists of the name of the
entry, plus a path of names tracing the entry back to the top of the directory hierarchy.
In LDAP, an object class defines the collection of attributes that can be used to define an
entry. The LDAP standard provides the following basic types of object classes:
1. Groups in the directory, including unordered lists of individual objects, or groups of
objects
2. Locations, such as a country’s name and description
3. Organizations in the directory
4. People in the directory
An entry can belong to more than one object class. The entry for a person, for example, is
defined by the person object class, but can also be defined by attributes in the inetOrgPerson,
groupOfNames, and organization objectclasses. The server's object class structure (its
schema) determines the total list of required and allowed attributes for a particular entry.
Directory data is represented in the form of attribute-value pairs. Any specific piece of
information is associated with a descriptive attribute.
The Common Name (CN) attribute is used to store a person's name. A person named
Abubakar Shoaib can be represented in the directory as:
Each person entered in the directory is defined by the collection of attributes in the person
object class. Other attributes used to define this entry can include:
Required attributes include the attributes that must be present in entries using the object
class. All entries require the objectClass attribute, which lists the object classes to which an
entry belongs.
Allowed attributes include the attributes that may be present in entries using the object class.
In the person object class, for example, the CN and SN attributes are required. The
description, telephoneNumber, seeAlso, and userpassword attributes are allowed, but are not
required.
Each attribute has a corresponding syntax definition, which describes the type of information
provided by an attribute. Examples include:
1. BIN binary
2. CES Case Exact String (case must match during comparisons)
3. CIS Case Ignore String (case is ignored during comparisons)
4. TEL telephone number string (like CIS, but blanks and dashes "-" are ignored during
comparisons)
5. DN Distinguished Name
Note: Objectclass and attribute definitions generally reside on schema files, on the sub-
directory schema, under the OpenLDAP installation home.
4.1. Scenario
• A company wants a simple, secure, centralized login scheme for all its
servers/clients.
• It has decided to use the LDAP domain “tdomain.com” for its LDAP database, in
which one Domain Component (DC) will be “tdomain”, and the other will be “com”.
• The database will have only one organizational unit known as “People”, which is an
LDAP default.
• Each person will have attributes, such as a username (User ID or UID), password,
Linux home directory, and login shell.
• The Fedora Linux server known as Dman, with the IP address 192.168.2.79, will act
as the LDAP server containing the database.
• The Fedora Linux server known as smallfry will be used to test the system as the
LDAP client. It has the IP address 192.168.2.69.
• The server Dman has a special user account named ldapuser. It will be used to test
the LDAP logins.
Ensure that the following packages are installed on your LDAP server:
1. openldap
2. openldap-clients
Ensure that the following packages are installed on your LDAP client:
1. openldap
2. openldap-clients
3. openldap-devel
4. nss_ldap
Fedora LDAP defaults to putting all databases in the /var/lib/ldap directory. For the tdomain,
create a dedicated tdomain.com directory owned by the user ldap. (The ldap user is always
created during the RPM installation process):
[root@Dman tmp]# mkdir /var/lib/ldap/tdomain.com
[root@Dman tmp]# chown ldap:ldap /var/lib/ldap/tdomain.com
Only an LDAP root user can create, import, and export data into an LDAP database. This
user requires an encrypted password. Create it with the slappasswd command, and use the
result in the LDAP configuration file:
[root@Dman tmp]# slappasswd
New password:
Re-enter new password:
{SSHA}v4qLq/qy01w9my60LLX9BvfNUrRhOjQZ
[root@Dman tmp]#
database ldbm
suffix "dc=tdomain,dc=com"
rootdn "cn=Manager,dc=tdomain,dc=com"
The service command uses the options “start”, “stop”, and “restart” to control the LDAP
server's operation. Use the “start” option to load the contents of the slapd.conf file.
[root@Dman tmp]# service ldap start
Starting slapd: [ OK ]
[root@Dman tmp]#
The data on the server's /etc/passwd file now needs to be converted into the LDAP Data
Interchange Files (LDIF) format before it can be imported into the LDAP database. You do not
need to import all of the usernames, only the ones you need.
To create the ldapuser account you will use for testing, type:
[root@Dman tmp]# useradd -g users ldapuser
[root@Dman tmp]# passwd ldapuser
Changing password for user ldapuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@Dman tmp]#
Extract the ldapuser information from the /etc/passwd file using the grep command. Save it by
appending the information to the /etc/openldap/passwd.ldapusers file, with the > character:
[root@Dman tmp]# grep ldapuser /etc/passwd > \
/etc/openldap/passwd.ldapusers
[root@Dman tmp]#
If this is your first time creating an LDAP database, extract the information for the Linux root
account from the /etc/passwd file to a new file known as /etc/openldap/passwd.root.
[root@Dman tmp]# grep root /etc/passwd > \
/etc/openldap/passwd.root
[root@Dman tmp]#
The /etc/passwd conversion program is called migrate_passw.pl; find it by using the “locate”
command. This utility updates its database every night, and might be unable to find newly-
installed files. Use the locate command to update ahead of schedule:
[root@Dman tmp]# locate -u
[root@Dman tmp]# locate migrate
Convert the extracted /etc/passwd data into an LDIF, which will then be imported into the
database. Give the file used by regular users the name /etc/openldap/ldapuser.ldif and the
one for the root user the name /etc/openldap/root.ldif.
[root@Dman tmp]# /usr/share/openldap/migration/migrate_passwd.pl \
/etc/openldap/passwd.ldapusers /etc/openldap/ldapusers.ldif
[root@Dman tmp]#
With your two new LDIF files, the next step is to import this data into the LDAP database. In
order to prepare for this, you must do some editing, and create a new LDIF file that defines an
organizational unit.
The Fedora migrate_passwd.pl script creates users that are all a part of an organizational unit
known as “People”, but everyone belongs to the padl.com domain. Edit both the LDIF files,
and convert the string "padl" into "tdomain" in each record. A text editor is suitable for this
purpose. For tdomain, at the vi editor's : prompt, use the following command to perform a
global substitution of “tdomain” for “padl”:
%s/padl/tdomain/g
In the slapd.conf file, you gave the root user a Common Name (CN) of Manager. Add this
information to the root LDIF file by inserting the following line under the UID line in the file:
cn: Manager
The LDIF files which you have created from /etc/passwd refers to users only. The attributes of
the tdomain.com domain, and the organizational unit known as “People”, have not yet been
defined. This can be done using a third LDIF file known as /etc/openldap/tdomain.com.ldif,
which should look like this:
dn: dc=tdomain,dc=com
dc: tdomain
description: Root LDAP entry for tdomain.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
Use the LDAP add command to import all three LDIF files into the database, starting with the
tdomain.com.ldif file, followed by root.ldif, and lastly by ldapusers.ldif.
When you are prompted, enter the LDAP root password you created:
[root@Dman tmp]# ldapadd -x -D "cn=Manager,dc=tdomain,dc=com" \
-W -f /etc/openldap/tdomain.com.ldif
[root@Dman tmp]# ldapadd -x -D "cn=Manager,dc=tdomain,dc=com" \
-W -f /etc/openldap/root.ldif
[root@Dman tmp]# ldapadd -x -D "cn=Manager,dc=tdomain,dc=com" \
-W -f /etc/openldap/ldapusers.ldif
[root@Dman tmp]#
View all the LDAP database entries all at once with the “ldapsearch” command; this test
confirms that you have all the correct functionality:
[root@Dman tmp]# ldapsearch -x -b 'dc=tdomain,dc=com' \
'(objectclass=*)'
[root@Dman tmp]#
LDAP clients are configured using the /etc/openldap/ldap.conf file. Make sure that the file
refers to the LDAP server's IP address for the domain tdomain.com. The file should look like
this:
HOST 192.168.2.79
BASE dc=tdomain,dc=com
The /etc/nsswitch.conf file defines the order in which the Linux operating system searches
login databases for login information.
Configure it to first search its /etc/passwd file. If it does not find the user password information
here, it goes to the LDAP server. Set this up by using the /usr/bin/authconfig command:
• Run /usr/bin/authconfig
• Select LDAP
You previously created a user known as ldapuser in the group users on server Dman. Ensure
that this user has a home directory on the LDAP client smallfry. The tdomain in this section
creates the directory, and makes ldapuser the owner. The server smallfry correctly gets its
user information about ldapuser from Dman; the chosen command does not complain about
ldapuser not existing in smallfry's /etc/passwd file.
Look for ldapuser by searching the /etc/passwd file with the grep command. There should be
no response:
[root@smallfry tmp]# grep ldapuser /etc/passwd
[root@smallfry tmp]#
4.4.5. Create the Home Directory for ldapuser on the LDAP Client
Create the home directory, copy a BASH login profile file into it, and modify the ownership of
the directory, and all the files, to user ldapuser.
Note: If the chosen command fails, it is probably because of an incorrect LDAP configuration,
in which the LDAP client cannot read the user information from the LDAP server.
In some cases, you might want to use NFS mounts to provide home directories for your
users, which will significantly reduce the need to perform this procedure:
[root@smallfry tmp]# mkdir /home/ldapuser
[root@smallfry tmp]# chmod 700 /home/ldapuser/
[root@smallfry tmp]# chown ldapuser:users /home/ldapuser/
[root@smallfry tmp]# ll /home
total 2
drwx------ 2 ldapuser users 1024 Aug 4 08:05 ldapuser
[root@smallfry tmp]#
[root@smallfry tmp]# cp /etc/skel/.* /home/ldapuser/
cp: omitting directory `/etc/skel/.'
cp: omitting directory `/etc/skel/..'
cp: omitting directory `/etc/skel/.kde'
4.5. Testing
Login to smallfry using the username ldapuser.
The Samba suite revolves around a pair of UNIX daemons that provide shared resources.
These daemons are:
• smbd: The smbd daemon is responsible for managing the shared resources between
the Samba server machine and its clients. It provides file, print, and browser services
to SMB clients across one or more networks. smbd handles all the notifications
between the Samba server and the network clients. It is also responsible for user
authentication, resource-locking, and data-sharing through the SMB protocol.nmbd.
• nmbd: The nmbd daemon is a nameserver that mimics the WINS and NetBIOS name
server functionality, as you might expect to encounter with a LAN Manager package.
This daemon listens for nameserver requests, and, when called upon, provides the
appropriate information. It also provides browsing lists for the Network Neighborhood,
and participates in browsing elections.
A share is a directory on the server that is accessible over the network, and which is
shared among users. This section has three sub-sections:
Note: Samba can be either a WINS server or a WINS client, but not both. Only one of the
WINS support and WINS server parameters can be set at a time. If you specify the IP
address of a WINS server, then the WINS support must be set to “No”.
[redbook]
comment = Redbook files
path = /redbook
browseable = yes
printable = no
writable = yes
write list = @users
[homes]
comment = Home Directories
path = %H
valid users = %S
Table 8 explains the use of certain variables in the [homes] share definition:
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user ’guest account’ to print
guest ok = no
writable = no
printable = yes
create mask = 0700
The [printers] section is just like the other share definitions. When a user prints, Samba
copies the data into the spool directory, after which it is handled by the local printing system.
The only major difference between a printer share and other share definitions is that the
printable parameter is set to “Yes”. This means that a user can write a spool file to the
directory specified under the share definition. If the share is printable, then it is also writable
by default.
/etc/rc.d/init.d/smb start
Two daemons have been started: smbd and nmbd. smbd is the Samba server, and nmbd is
the WINS server.
The Samba server can be stopped by executing the command:
/etc/rc.d/init.d/smb stop
Restart the Samba server whenever you modify the smb.conf configuration file.
[homes]
comment = Home Directories
browseable = no
writeable = yes
# smbpasswd -a root
# groupadd machines
# useradd -g machines –d /dev/null –s /bin/false ws01$
# smbpasswd –a –m ws01
On the login screen, select the domain, osrc, from the drop-down menu, and login with the
domain user.
Internet firewalls, which are used to protect company networks, often have a proxy
component. The Squid proxy is different from a firewall proxy in that most firewall proxies do
not store copies of the returned data; they re-fetch requested data from the remote Internet
server each time.
A 'cache', actually refers to a 'caching proxy' - something that keeps copies of returned data.
A 'proxy', on the other hand, is a program which does not cache replies.
The web consists of HTML pages, graphics, and sound files, etc. Since only a very small
portion of the web constitutes text, referring to all cached data as pages is misleading.
Caches store objects, not pages.
Many Internet servers support more than one protocol. A given server can support more than
one type of query protocol. A web server uses the HyperText Transfer Protocol (HTTP) to
serve data. An older protocol, the File Transfer Protocol (FTP) often runs on web servers as
well. Caching an FTP response and returning the same data to the client on a subsequent
HTTP request can cause confusion, and should, therefore, be avoided. Squid uses the
complete Universal Resource Locator (URL) to uniquely identify everything stored in the
cache. Objects must be expired in order to avoid returning outdated data to clients. Squid
allows you to set refresh times for objects, ensuring that this does not happen.
2. Why cache?
Small Internet Service Providers (ISPs) cache in order to reduce their line costs, since a large
portion of their operating costs is infrastructural rather than staff-related.
Large organizations are usually not short of bandwidth, but their customers occasionally
experience slow response times. There are many reasons for this:
Plan ahead for sports events, but it is difficult to estimate the load that they will eventually
cause. If you are a local ISP, and your local team reaches the finals, you are likely to
experience a huge peak in traffic. Companies can also be adversely affected by traffic spikes,
with the bulk transfer of large databases or presentations flooding the lines at random
intervals. Caching cannot completely solve this problem, but it can reduce its impact.
2.6. Costs
Since Internet connectivity is so expensive, ISPs and their customers reduce their bandwidth
requirements with caches.
3. Supported Protocols
User Base: The larger your user base, the more objects requested, the higher the chances of
an object being requested twice. In order to increase your hit rate, add more clients.
Reduced Load: If you have a large network, one cache might be unable to handle all
incoming requests. Rather than having to continuously upgrade one machine, it makes sense
to divide the load between multiple servers. This reduces an individual server’s load, while
increasing the overall number of queries your cache system can handle.
Squid implements inter-cache protocols very efficiently, through ICP multi-cast queries and
cache digests, which allow for large networks of caches (hierarchies).
Disk Space: If you load-balance between multiple caches, avoid duplication of data.
Duplicated objects reduce the quantity of objects in the overall store, which reduces your
Raw bandwidth is not the only issue affecting the efficiency and speed of your cache system.
Choosing the right hardware and software also presents its own challenges.
4. Squid Configuration
Squid assumes that you wish to use the default value if there is no occurrence of a tag in the
squid.conf file. Theoretically, you can even run Squid with a zero-length configuration file.
You can also use multiple ports, appending a second port number to the http_port variable.
Consider the following example:
The first option for the cache_dir tag sets the directory where the data will be stored. The
prefix value simply has /cache/ tagged onto the end, and it is used as the default directory.
The second option for the cache_dir tag is a size value. Squid will store up the specified
amount of data in that directory. The value is in megabytes, as is that of the cache store. The
default is 100 megabytes.
The other two options are more complex: they set the number of sub-directories (first and
second-tier) to create in this directory.
Rule sets like the ones given above are straightforward enough for small organizations. For
large organizations, however, it is more convenient to create classes of users. You can then
allow or deny classes of users in more complex relationships. Consider the following
example, in which you duplicate the above-mentioned example with classes of users:
# classes
acl mynetwork src 10.0.0.0/255.0.0.0
acl servernet src 10.0.1.0/255.255.255.0
# what HTTP access to allow classes
http_access deny servernet
http_access allow mynet
# what ICP access to allow classes
icp_access deny servernet
icp_access allow mynet
The squid.conf file that comes with Squid includes ACLs, which denies all HTTP requests.
Explicitly allow incoming requests to use your cache from an appropriate range. The
squid.conf file includes text that reads:
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
In order to allow access to your client machines, add rules similar to the ones given below.
The default access-control rules prevent users from exploiting your cache; it is advisable to
leave them in.
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR
CLIENTS
#
# acls for my network addresses
acl my-iplist-1 src 192.168.1.0/24
acl my-iplist-2 src 10.0.0.0/255.255.0.0
# Check that requests are from users on our network
http_access allow my-iplist-1
http_access allow my-iplist-2
icp_access allow my-iplist-1
icp_access allow my-iplist-2
# allow requests from the local machine (for testing and the like)
http_access allow localhost
# End of locally-inserted rules
http_access deny all
Install the Squid rpm from the Red Hat CD. This will install its configuration file (squid.conf) in
the directory /etc.
Open the file /etc/squid.conf and follow the steps given below:
• Search for the line http_port, and change the port if required:
http_port 8080
This is the port that your users will use in order to access the Internet.
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
Uncomment these lines if they are commented, and leave the values unchanged.
• ip_cache_size 1024
ipcache_low 90
ipcache_high 95
• cache_access_log /var/log/squid/access.log
access.log is used to see the web requests going through your proxy server, as in
winproxy in MS Windows. Uncomment it.
• cache_log /var/log/squid/cache.log
Uncomment it.
• cache_store_log /var/log/squid/store.log
Uncomment it.
• pid_filename /var/run/squid.pid
Uncomment it.
• log_fqdn off
Uncomment it, and change it into its “On” state, so that it looks like this:
log_fqdn on
/etc/rc.d/init.d/squid start
Open a browser on any workstation, and enter the proxy address along with the port, i.e.
8080.
Firewalls can greatly enhance the security of a host or a network. They can be used to
perform one or more of the following actions:
• To protect and insulate the applications, services and machines of your internal
network from unwanted traffic coming in from the public Internet.
• To limit or disable access from hosts of the internal network to services of the public
Internet.
• To support Network Address Translation (NAT), which allows your internal network to
use private IP addresses and share a single connection to the public Internet (either
with a single IP address or by a shared pool of automatically assigned public
addresses).
2. Concepts
There are two basic ways to create firewall rulesets: “inclusive” or “exclusive”. An exclusive
firewall allows all traffic through, except for the traffic matching the ruleset. An inclusive
firewall does the reverse. It only allows traffic matching the rules through, and blocks
everything else.
Inclusive firewalls are generally safer than exclusive firewalls because they significantly
reduce the risk of allowing unwanted traffic to pass through the firewall.
Security can be further tightened using a “stateful firewall”. This firewall keeps track of which
connections are opened through the firewall, and will only allow traffic through which either
matches an existing connection, or opens a new one. The disadvantage of a stateful firewall
is that it can be vulnerable to Denial of Service (DoS) attacks if a lot of new connections are
opened very quickly. It is generally possible to use a combination of stateful and non-stateful
behavior to make an optimal firewall for a website.
Many firewall packages are available for UNIX-flavored systems. IPFW is the easiest and
most efficient IP-based firewall system currently running on FreeBSD OS.
3. IPFIREWALL (IPFW)
The IPFIREWALL (IPFW) is a FreeBSD-sponsored firewall software application, authored
and maintained by FreeBSD volunteer staff members. It uses the legacy stateless rules and a
legacy rule coding technique to achieve what is referred to as Simple Stateful logic.
The IPFW sample rule set (found in /etc/rc.firewall) in the standard FreeBSD install is rather
simple and it is not expected that it used directly without modifications. The example does not
use stateful filtering, which is beneficial in most setups, so it will not be used as base for this
section.
The IPFW stateless rule syntax is empowered with technically sophisticated selection
capabilities, which far surpass the knowledge level of the customary firewall installer. IPFW is
targeted at professional users and at advanced technical computer hobbyists who have
advanced packet selection requirements. A high degree of detailed knowledge into how
different protocols use and create their unique packet header information is a prerequisite.
Providing that level of explanation is out of the scope of this tutorial.
IPFW is composed of seven components:
1. The primary component is the kernel firewall filter rule processor and its integrated
packet accounting facility
2. The logging facility
The loadable module already has logging ability compiled in it. To enable logging and set the
verbose logging limit, there is a knob you can set in /etc/sysctl.conf by adding these
statements; logging will be enabled on future reboots:
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
It is not a mandatory requirement to enable IPFW by compiling the following options into the
FreeBSD kernel unless you need the NAT function. It is presented in this tutorial as
background information:
options IPFIREWALL
Enables logging of packets that pass through IPFW and have the 'log' keyword specified in
the rule set.
options IPFIREWALL_VERBOSE_LIMIT=5
Limits the number of packets logged through syslogd on a per-entry basis. Use this option in
hostile environments in which you want to log firewall activity. This will close a possible Denial
of Service (DoS) attack via syslog flooding.
options IPFIREWALL_DEFAULT_TO_ACCEPT
This option will allow everything to pass through the firewall by default, which is a good idea
when you are first setting up your firewall.
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT
options IPV6FIREWALL_DEFAULT_TO_ACCEPT
These options are exactly the same as the IPv4 options, but they are for IPv6. If you do not
use IPv6, you might want to use IPV6FIREWALL without any rules to block all IPv6.
If you do not have IPFW compiled into your kernel, you will need to load it with the following
statement in /etc/rc.conf:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
Enable logging:
firewall_logging="YES"
The IPFW command is very useful to display the running firewall rules to the console screen.
The IPFW accounting facility dynamically creates a counter for each rule that counts each
packet that matches the rule. During the process of testing a rule, listing the rule with its
counter is one of the ways of determining if the rule is functioning.
# ipfw list
To list all the rules with a time stamp of when the last time the rule was matched:
# ipfw -t list
To list the accounting information, packet-count the matched rules along with the rules
themselves. The first column is the rule number, followed by the number of outgoing matched
packets, followed by the number of incoming matched packets, and then the rule itself:
# ipfw -a list
# ipfw -d -e list
When a packet enters the firewall, it is compared against the first rule in the rule set. It then
progresses one rule at a time, moving from top to bottom of the set in an ascending rule
number sequence order. When the packet matches a rule selection’s parameters, the rules
action field value is executed, and the search of the rule set terminates for that packet. This is
referred to as “the first match wins” search method. If the packet does not match any of the
rules, it gets caught by the mandatory IPFW default rule, number 65535, which denies all
packets, and discards them, without any reply, back to the originating destination.
The instructions contained here are based on using rules that contain the stateful 'keep state',
'limit', 'in'/'out', and ‘via’ options. This is the basic framework for coding an inclusive type
firewall rule set.
An inclusive firewall only allows those services to come through which match the rules. In this
way, you can control which services can originate behind the firewall destined for the public
Internet, and also control the services which can originate from the public Internet accessing
your private network. Everything else is denied by the default design. Inclusive firewalls are
much more secure than exclusive firewall rule sets, and are the only rule set type covered in
this tutorial.
The rule syntax presented here has been simplified to include only that which is necessary to
create a standard inclusive type firewall rule set.
Rules contain keywords; these keywords have to be coded in a specific order from left to right
on the line. Keywords are identified in bold type. Some keywords have sub-options, which
may be keywords themselves, and also include more sub-options.
# is used to mark the start of a comment and may appear at the end of a rule line, or on its
own lines. Blank lines are ignored.
RULE_NUMBER
Each rule has to have a rule number to go with it.
ACTION
A rule can be associated with one of the following actions, which will be executed when the
packet matches the selection criterion of the rule.
When a packet matches a rule with the log keyword, a message will be logged to syslogd with
a facility name of SECURITY. The logging only occurs if the number of packets logged so far
for that particular rule does not exceed the logamount parameter. If no logamount is specified,
the limit is taken from the sysctl variable net.inet.ip.fw.verbose_limit. In both cases, a value of
zero removes the logging limit. Once the limit is reached, logging can be re-enabled by
clearing the logging counter or the packet counter for that rule; see the IPFW reset log
command.
SELECTION
The keywords described below are used to describe the attributes of the packet to be
interrogated when determining whether the rules match the packet or not. The following
general-purpose attributes are provided for matching, and must be used in this order:
or any protocol names found in /etc/protocols are recognized and may be used. The value
specified has a protocol to be matched against. This is a mandatory requirement.
The ‘from’ and ‘to’ keywords are used to match against IP addresses. Rules must specify both
the source and the destination parameters. ‘any’ is a special keyword that matches any IP
address. ‘me’ is a special keyword that matches any IP address configured on an interface in
your FreeBSD system to represent the PC the firewall is running on (i.e. this box) as in 'from
me to any' or 'from any to me' or 'from 0.0.0.0/0 to any' or 'from any to 0.0.0.0/0' or 'from
0.0.0.0 to any' or 'from any to 0.0.0.0' or 'from me to 0.0.0.0'. IP addresses are specified as a
dotted IP address numeric form/mask-length, or as a single-dotted IP address numeric form.
This is a mandatory requirement.
port number
For protocols which support port numbers (such as TCP and UDP). It is mandatory that you
code the port number of the service you want to match it with. Service names (from
/etc/services) may be used instead of numeric port values.
in | out
The keywords ‘in’ and ‘out’ match incoming or outgoing packets, respectively; it is mandatory
that you code one or the other as part of your rule-matching criterion.
via IF
Matches packets going through an interface specified by an exact name. The ‘via’ keyword
causes the interface to always be checked as part of the matching process.
setup
This is a mandatory keyword that identifies the session start request for TCP packets.
keep-state
The firewall will only allow N connections with the same set of parameters as specified in the
rule. One or more of the source and destination addresses and ports can be specified. Both
'limit' and 'keep-state' cannot be used on the same rule. Also, ‘limit’ provides the same stateful
function as 'keep-state', plus its own functions.
'check-state' is used to identify where, in the IPFW rules set, the packet is to be tested against
the dynamic rules facility. Upon finding a match, the packet exits the firewall to continue on its
way, and a new rule is dynamically created for the next anticipated packet being exchanged
during this bi-directional session conversation. Upon not matching, the packet advances to
the next rule in the rule set for testing.
The dynamic rules facility is vulnerable to resource depletion from a SYN-flood attack, which
can open a huge number of dynamic rules. To counter this attack, FreeBSD Version 4.5 has
added another new option known as ‘limit'. This option is used to limit the number of
simultaneous session conversations by interrogating the rules source or destinations fields as
directed by the limit option and using the packet's IP address found there, in a search of the
open dynamic rules counting the number of times this rule and IP address combination
occurred, if this count is greater that the value specified on the limit option, the packet is
discarded.
All logged packets’ messages are written by default to the /var/log/security file, which is
Consider the following example. The script syntax used here is compatible with the 'sh', 'csh',
'tcsh' shells. Symbolic substitution fields are prefixed with a dollar sign $. Symbolic fields do
not have the $ prefix. The value to populate the symbolic field must be enclosed in "double
quotes".
The rules are not important in this example; how the symbolic substitution field is populated
and used is.
If the above example is in the /etc/ipfw.rules file, you can reload these rules by typing:
# sh /etc/ipfw.rules
The /etc/ipfw.rules file can be located and named according to your preference. This can also
be accomplished by running the following commands:
# ipfw -q -f flush
# ipfw -q add check-state
# ipfw -q add deny all from any to any frag
# ipfw -q add deny tcp from any to any established
# ipfw -q add allow tcp from any to any 80 out via tun0 setup keep-state
# ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state
# ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state
Stateful Ruleset
The following non-NATed rule set is an example of how to code a very secure 'inclusive' type
of firewall. An inclusive firewall only allows those services to pass through that match the
rules, and blocks all other by default. All firewalls have a minimum of two interfaces, which
have to have rules to allow the firewall to function.
The interface which faces the public Internet is the one which you code your rules to authorize
and control access out to the public Internet and access requests arriving from the public
Internet. This can be your ppp tun0 interface, or your NIC that is connected to your DSL or
cable modem.
In cases where one or more than one NIC is connected to a private LAN behind the firewall,
the interfaces must have rules coded to allow the free movement of packets originating from
those LAN interfaces.
The rules should first be organized into three major sections: all the free interfaces; the public
interface outbound, and the public interface inbound.
The order of the rules in each of the public interface sections should be in order of the most-
used rules being placed before less often-used rules, with the last rule in the section being a
block log all packets on that interface and direction.
The ‘Outbound’ section in the following rule set only contains 'allow' rules, which contain
selection values that uniquely identify the service that is authorized for public Internet access.
All the rules have proto, port, in/out, via and keep state option coded. The 'proto tcp' rules
have the 'setup' option included to identify the start session request as the trigger packet to be
posted to the keep state stateful table.
The ‘Inbound’ section contains all the blocking of unwelcome packets for two different
reasons. Firstly, the packets being blocked may be part of an otherwise valid packet, which
may be allowed in by later authorized service rules. Secondly, this rule explicitly blocks
selected packets that one receives on an infrequent basis, and does not want to see in the
log. This keeps them from being caught by the last rule in the section, which blocks and logs
all packets which have fallen through the rules. This last rule creates the legal evidence
needed to prosecute the people who are attacking your system.
No response is returned for any unwelcome material; their packets just get dropped and
vanish. This way, the attacker has no knowledge of whether his or her packets have reached
your system. The less the attackers can learn about your system, the more secure it is. When
you log packets with port numbers you do not recognize, look the numbers up in /etc/services/
or go to http://www.securitystats.com/tools/portsearch.php and look up a port number to find
what its purpose is. Visit http://www.simovits.com/trojans/trojans.html for port numbers used
by Trojans.
The following non-NATed rule set is a completely inclusive type rule set. Comment out any
pass rules for services you do not want. If you see any unwelcome messages in your log, add
a deny rule in the inbound section. Change the 'dc0' interface name in every rule to the
interface name of the NIC that connects your system to the public Internet. For user ppp it
would be 'tun0'.
#################################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN.
# Change xl0 to your LAN NIC interface name
#################################################################
#$cmd 00005 allow all from any to any via xl0
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 00010 allow all from any to any via lo0
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 00015 check-state
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP.s DHCP server as it.s the only
# authorized source to send this packet type.
Some additional configuration statements need to be enabled in order to activate IPFW’s NAT
function. The kernel source needs the 'option divert' statement to be added to the other
IPFIREWALL statements, and compiled into a custom kernel.
In addition to the normal IPFW options in /etc/rc.conf, the following are required:
Utilizing stateful rules with the ‘divert natd’ rule (Network Address Translation) greatly
complicates the rule set coding logic. The positioning of the ‘check-state’ and 'divert natd'
rules in the rule set becomes very critical. This is no longer a simple fall-through logic flow. A
new action type is used, called 'skipto'. To use the skipto command, it is mandatory that you
number each rule so that you know exactly where the skipto rule number is you are really
jumping to.
The following is an uncommented example of one coding method, selected here to explain
the sequence of the packet flow through the rule sets.
The processing flow starts with the first rule from the top of the rule file, and its progress, one
rule at a time, deeper into the file, until the end is reached, or the packet being tested to the
selection criteria matches it, and the packet is released out of the firewall. It is important to
take notice of the location of rule numbers 100, 101, 450, 500, and 510. These rules control
the translation of the outbound and inbound packets, so their entries in the keep-state
dynamic table always register the private LAN IP address. Allow and deny rules specify the
direction in which the packet is going (outbound or inbound) and the interface. All the start
outbound session requests skip to rule 500 for the network address translation.
Suppose a LAN user uses his or her web browser to get a web page. Web pages
communicate over port 80. The packet enters the firewall. It does not match rule 100 because
it is headed out, not in. It passes rule 101 because this is the first packet, so it has not been
On the inbound side, everything coming in that is part of an existing session conversation is
being automatically handled by the ‘check-state’ rule and the properly placed ‘divert natd’
rules. All you have to address is deny all the bad packets and only allow in the authorized
services. Let us say there is an Apache server running on the firewall box, and you want
people on the public Internet to be able to access the local website. The new inbound start
request packet matches rule 100, and its IP address is mapped to the LAN IP for the firewall
box. The packet is then matched against the unwelcome elements you want to check for, and
finally matches against rule 425. Upon matching, two things happen. The packet rule is
posted to the keep-state dynamic table, but this time, any new session request originating
from that source IP address is limited to two. This defends against Denial of Service (DoS)
attacks running on the specified port number. The action is allowed, and the packet is
released to the LAN. On returning, the check-state rule recognizes the packet as belonging to
an existing session conversation, sends it to rule 500 for NATing, and it is released to an
outbound interface.
ipfw -q -f flush
$cmd 002 allow all from any to any via xl0 # exclude LAN traffic
$cmd 003 allow all from any to any via lo0 # exclude loopback traffic
The following is pretty much the same as above, but uses a self-documenting coding style full
of description comments to help an inexperienced IPFW rule writer better understand what
the rules are doing.
#################################################################
# No restrictions on Inside LAN Interface for private network
# Change xl0 to your LAN NIC interface name
#################################################################
$cmd 005 allow all from any to any via xl0
#################################################################
# No restrictions on Loopback Interface
#################################################################
$cmd 010 allow all from any to any via lo0
#################################################################
# check if packet is inbound and nat address if it is
#################################################################
$cmd 014 divert natd ip from any to any in via $pif
#################################################################
# Allow the packet through if it has previous been added to the
# the "dynamic" rules table by a allow keep-state statement.
#################################################################
$cmd 015 check-state
#################################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network or from this gateway server
# destine for the public Internet.
#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#################################################################
# Deny ACK packets that did not match the dynamic rule table
$cmd 332 deny tcp from any to any established in via $pif
# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
$cmd 360 allow udp from x.x.x.x to any 68 in via $pif keep-state
# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any in via $pif
# Reject & Log all unauthorized out going connections to the public Internet
$cmd 450 deny log all from any to any out via $pif
The idea of VoIP is certainly not new, as there are research papers and patents dating back
several decades; and demonstrations of the concept have been given at various times over
the years. VoIP took center stage with the "information super highway" (or, the Internet)
concept that was popularized by former US Vice President Al Gore in the 1990s. It was
envisioned that the Internet would make it possible to interconnect every home and every
business with a packet-switched data network. Before Al Gore's effort to grow the Internet,
the Internet was generally limited to use in academic environments only, but the possibility of
mass deployment of the Internet sparked renewed interest in VoIP.
2. Introduction
Asterisk© is a Linux-based IPBX application developed by Mark Spencer of Digium™, the
company behind Asterisk. Asterisk@Home© evolved from the core of Asterisk. It is made up
of several major components. These were developed under the GNU General Public License
(GPL), supported relatively by the users themselves. It consists of applications, a provisioning
system, an installer, and an operating system that, together, constitute a complete package
ready-for-use as an out-of-the-box PBX.
For the purposes of this tutorial, the major components of Asterisk@Home© include:
• An Asterisk-powered IP PBX
• The phones (or softphones)
• Network
2.1.2. Phones
You can use soft phones as well as hard phones from Planet, and Cisco, etc.
To get started, it is easiest to get a softphone, and run it on another computer. For details,
see the section on how to install a softphone.
2.1.3. Network
• Press the “Enter” key to start the installation. It will take approximately 30 minutes for
the installation to be complete ready for the configuration stage.
• During this stage, you will see screens similar to the following. Linux and the required
files are being installed. Wait for the process to end.
help-aah
Change some of the other default passwords as well; set your date, and the IP address of
your box to a static address.
Change the IP Address
Change the Asterisk IP address from DHCP to static. At the command prompt, type:
netconfig
redhat-config-date
config
Press D.
Log off Linux and reboot. Asterisk will now start with the new IP address.
Once you have logged into an AMP, you will be presented with the following screen:
This is where you start configuring Asterisk@Home. Notice the selection options on the left
hand side. Selecting each option will display a configuration screen for that particular function
e.g. creating new extensions, creating new trunks, etc.
In the Asterisk Dial command option, customize your preferences regarding Asterisk’s
“behavior”, e.g. if you want the caller to hear music instead of the standard ringing sound,
replace the “r” with an “m”. For further options, hover your mouse over the label, and you will
be informed about other options. After setting up the General Settings, click on the “Submit
Changes” button, and the red bar on the top of the screen for the changes to take place.
4.3. Extensions
The number of extensions to be set up depends upon you. You can have soft phones
installed in four or five computers, or have a mixture of ATAs and SIP SoftPhones.
Select the type of trunk e.g. SIP, IAX2, ZAP or Custom, from the Create Extension main
menu illustrated below:
The AAH v2.x’s screen, where you actually create an extension, is given below:
Click on the “Add Extension” button to add more extensions, e.g. 201, 202, 2000 and 2001.
Allocate the password in the numeric form. If you enabled Voicemail, allocate the same
password as well. You may also nominate an e-mail address for Voicemail e-mail notification.
After downloading and set up, the following screen will be displayed when it runs:
• Click on the Tuning Wizard to tune your audio input and output.
• Check Auto Send Video, if you are using video. Check it anyway.
• Check Auto Receive Video, if you are using video. Check it anyway.
Click OK.
Click OK.
5.4. Call-forwarding
To forward an unanswered call to an extension, click on the “Call Forward” tab, and enter the
telephone number you want to forward your incoming calls to. You have three options of call-
forwarding – Always On, Busy, or No Answer. This facility is only available, however, if your
PC is on, and the softphone is active.
Click OK.
If you use one of the softphones and dial 7777, Asterisk will simulate an incoming call.
It also supports contexts: you can have one server running, and many different client displays
(for hosted PBX, different departments, etc).
It can integrate with CRM software, by popping up a web page (and passing the CLID) when
a specified button is ringing.
• Hang-up a channel
• Using drag-and-drop to transfer a call
• Initiate calls by drag-and-drop
• Barge in on a call using drag-and-drop
• Set the caller ID when transferring or originating a call
• Automatically pop-up a web page with customer details
• Click-to-dial from a web page