...Last update on 28/03/2005.
Linux
Which Linux ?

Easy for me to answer: Arch Linux, of course, because it leaves you free and you have the control. I have been trying a lot of different Linux distributions and this one is making a difference, believe me.
I warn you, however, that you should be familiar with the system, otherwise it is going to take longer, but it is worth a try! People do not advise this Linux for a beginner, but I would say they are wrong; it is good to learn from the base. Check it out, guys!

  1. Archlinux
  2. Install
  3. Pacman
  4. Config.
  5. Proftpd
  6. SSL
  7. SSH
  8. Utilities
  9. Now What ?
  10. Apache, Php, Mysql
  11. SFTP
  12. SCP
  13. ADSL, PPP
  14. Iptables
  15. DNS, Bind
  16. Upgrading
  17. Xorg
  18. Email
  19. Qmail
  20. Vpopmail
  21. Qmailadmin
  22. Mua, Pine...
  23. Squid
  24. Few Tips
  25. Linux
  26. Boot
  27. Security
  28. .htaccess, .htpasswd
  29. Sun Solaris
Archlinux Wiki

Configure System:
/etc/modprobe.conf
This is for use with 2.6.x kernels only.

alias eth0 8139too
alias eth1 8139too

List installed packages
# pacman --query
# pacman -Q

Ex: I have netkit-telnet (which is the default telnet package on Arch); it depends on xinetd, so to remove xinetd we should remove netkit-telnet first:

# pacman --remove netkit-telnet
removing ... done
# pacman -R xinetd
removing ... done

Wiki, install

check nic: ifconfig

[root@tester root]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:E0:81:24:77:5E
inet addr:192.168.0.7 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::de0:81ff:fe24:775e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5259 errors:0 dropped:0 overruns:1 frame:0
TX packets:3266 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6076799 (5.7 Mb) TX bytes:332020 (324.2 Kb)
Interrupt:209 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

- mount the CDROM
mkdir /mnt/cd
then mount /dev/cdroms/cdrom0 /mnt/cd

SSH:

# pacman -A openssh* (ensure SSL is installed first as it is needed: # pacman -A openssl)
from the CDROM (/pkg)

- allow ssh clients to access; add sshd to /etc/hosts.allow

sshd:ALL (very important, otherwise you get the 'ssh exchange identification: connection closed by remote host' message)

- edit your /etc/rc.conf script; make sure you add sshd to your DAEMONS array

- hosts
- resolv.conf

NOTE: Before proceeding double check that you:

set up your boot manager to the new system
called sshd from rc.conf
allowed other machines to access your server in /etc/hosts.allow
set a root password

- Again, don't forget to copy your ssl keys:

Yolinux, ssh

From client or server :

# ssh-keygen -t rsa
id saved into /root/.ssh/id_rsa
public key in : /root/.ssh/id_rsa.pub
I put the id_rsa onto the other machine (the client if it was made on the server, and vice versa) via proftpd (see below).

- I use Cygwin to connect to the server :

# ssh server -l username
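Copying keys by hand is where most "why does ssh still ask for a password" problems come from, so here is a small helper, added here and not part of the original notes, that installs a public key (id_rsa.pub; the private id_rsa stays on the machine that generated it) into a user's authorized_keys and then checks the permissions that sshd's StrictModes requires before it will accept the key. It uses only ls, grep and chmod, so it runs in any POSIX shell; the key line in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original notes): install a public key into
# authorized_keys and check the permissions sshd's StrictModes insists on.

# True (0) if the group or "other" write bit is set on the path.
# Columns 6 and 9 of `ls -ld` are the group and other write flags.
writable_by_others() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 0 ;;
    esac
    return 1
}

# install_pubkey <id_rsa.pub> <home dir>
# Appends the key once (idempotent) and sets the modes sshd expects.
install_pubkey() {
    pub=$1; home=$2
    mkdir -p "$home/.ssh"
    chmod go-w "$home"            # sshd ignores keys if $HOME is group/world writable
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    if ! grep -qxF "$(cat "$pub")" "$home/.ssh/authorized_keys"; then
        cat "$pub" >> "$home/.ssh/authorized_keys"
    fi
    chmod 600 "$home/.ssh/authorized_keys"
}

# check_ssh_perms <home dir>
# Returns 0 if sshd would accept the keys in $home/.ssh, 1 (with a reason) otherwise.
check_ssh_perms() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; return 1
        fi
        if writable_by_others "$p"; then
            echo "group/world writable (sshd will ignore the key): $p"; return 1
        fi
    done
    return 0
}

# Constructed demo with a placeholder public key, not a real one.
demo() {
    d=$(mktemp -d)
    echo "ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-NOT-A-REAL-KEY user@client" > "$d/id_rsa.pub"
    install_pubkey "$d/id_rsa.pub" "$d/home"
    check_ssh_perms "$d/home" && echo "ok: $d/home/.ssh"
    rm -rf "$d"
}
demo
```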

Then we should remove all unnecessary packages such as Proftpd because we use 'sftp' from now on.

# pacman --add proftp* (from the cdrom)

Proftpd

Do you know where the daemon is expecting to find the config file? If not check now, the two most likely places are /usr/local/etc/proftpd.conf and /etc/proftpd.conf.

From the client (Cygwin):

ftp server
username
password

(ssl)
Openssl

Removing packages

(must be out of cd)
example in /etc:

# pacman --remove foo
# pacman -R foo

# pacman --remove openssl*

OpenSSH Man Pages:

ssh - OpenSSH SSH client (remote login program)
sshd - OpenSSH ssh daemon
ssh-keygen - Used to create RSA keys (host keys and user authentication keys)
ssh-add - adds RSA or DSA identities for the authentication agent. Used to register new keys with the agent.
scp - secure copy (remote file copy program)
ssh-agent - authentication agent This can be used to hold RSA keys for authentication.
sftp - Secure file transfer program
sftp-server - SFTP server subsystem

TTSSH is a free SSH client for Windows. It is implemented as an extension DLL for Teraterm Pro. Teraterm Pro is a superb free terminal emulator/telnet client for Windows, and its source is available. TTSSH adds SSH capabilities to Teraterm Pro without sacrificing any of Teraterm's existing functionality.

TTSSH:

Zip

Authentication methods:
- Password only: The password you type in the 'passphrase' box is sent directly to the server.
- RSA: Select a file containing your RSA private key. You can select a file by clicking on the button or by typing its name directly into the box provided. This file must be generated by ssh-keygen, which is not supplied with TTSSH.
- rhosts and rhosts with RSA.
- TIS challenge/response: Select TIS. You cannot specify a password. The server will send a challenge message and let you enter a response.

# netstat -punta (also try netstat -nlp)

Active internet connections.

Also get traceroute
# pacman -S traceroute

# php -v

Check the Zend engine... yep it is here.

# ps -ef | grep qmail
# ps waux | grep qmail

Logs:
Typical locations include:

/var/log/syslog
/var/adm/SYSLOG
/var/log/maillog

- We are definitely ready to build everything we need. How about Apache, PHP and MySQL? I want a website, so let's do it right away: Wiki, Mysql. That site tells how to install from ftp.

For now I'm using my CDROM and later on I will update everything through ftp.

# mount cd
# cd /arch/pkg
# pacman --add expat*
(expat: XML Parser Toolkit, needed by apache)
# pacman --add apache*
(following are needed by php)
# pacman --add libjpeg*
# pacman --add freetype2*
# pacman --add libpng*
# pacman --add libxml2*
# pacman --add libxslt*
# pacman --add php*
# pacman --add mysql*

- APACHE

- Run in terminal (as root):
# httpd

- Edit /etc/rc.conf (to start Apache at boot):

DAEMONS=(... httpd)   (add httpd to the daemons already listed)
Or add this line to rc.local:
/etc/rc.d/httpd start

- If you want user directories (ie: ~/public_html on the machine is accessed as http://localhost/~user/) to be available on the web, uncomment the following lines in /etc/httpd/conf/httpd.conf:

UserDir public_html

and

Also read that config file carefully; for instance it is advised to set a ServerName even if you are not registered in DNS.

- PHP

PHP is practically available out of the box now.

Uncomment this line in /etc/httpd/conf/httpd.conf

#LoadModule php5_module lib/apache/libphp5.so

Restart Apache Server to make changes take effect (as root):

# httpd -k restart

- TEST

Test PHP with a simple, but very informational script:

Save this file as "test.php" and copy it to /home/httpd/html/ or to ~/public_html if you permitted such a configuration. Also remember to make it executable (chmod a+x test.php).

- MYSQL

Edit /etc/php.ini (this is in /usr/etc on older systems) to uncomment the following line:

;extension=mysql.so

- The following two steps should also be done for you at the first time you start up /etc/rc.d/mysql. Have a look into this file, if you're unsure.

You may need to set up a passwd and group entry for mysql:

Add a mysql named group

# groupadd -g 89 mysql

Add the mysql user

# useradd -u 89 -g mysql -d /var/lib/mysql -s /bin/false mysql

Run in a root terminal (you don't need the --user option and chown if you let it run as root):

# mysql_install_db --user=mysql
# chown -R mysql.mysql /var/lib/mysql

If you trust the script, go on here:

Test mysql (as root):

# mysqld
# mysql
Create root password for mysql (at terminal, as root):

# mysqladmin -u root password 'roots_password'

Add mysqld to the list of daemons in /etc/rc.conf (as for httpd above), or add this line to /etc/rc.local:

mysqld -u mysql

To log in to mysql, type (at the terminal, with >hostname< as used in /etc/hosts):

Easy now:

$ sftp username@ip_server

From the client machine with the same username as before.

For transferring files, you can use the scp command:

scp -o User=user_name local_file ip_address:target_file

ex:

$ scp -o User=username -r dirname ip_addr:target_dir

copies the whole directory and its files into the target directory.

ADSL Connection over PPP (Gateway to internet plus Lan connection).

Yolinux

- My steps :

with the package rp-pppoe:

# pacman --add libpcap* (needed by ppp)
# pacman --add ppp*
# pacman --add rp-pppoe* (Roaring)

Check it out:
# adsl-setup
...

# adsl-start
# adsl-status
# adsl-stop

- 2nd NIC eth1
- modify /etc/rc.conf adding the line for eth1; check modprobe.conf too.
+ gateway to eth0.

# pacman --add iptables*

(Setting a firewall with iptables.)

PPP over Internet:

BEWARE of hosts.allow, and maybe you should set up your DNS cache server because you need to enter a DNS server on your client machines. I put:

ALL:LOCAL into hosts.allow

- Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.

- START IPTABLES:

# /etc/rc.d/./iptables start (no need, already running by default)

(with our new iptables.rules)

Debugging and logging:

iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "

Add this to the end of your rules and you should be able to monitor dropped connections in /var/log/messages. I do NOT log in this way due to the outrageous volume of messages it generates. Use this for debugging or short-term monitoring of the network.

# iptables -nvL
# iptables -t nat -nvL
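Reading those LOG lines by eye is what makes the volume painful, so here is a summariser, added here and not part of the original notes, that turns the INPUT_DROP/OUTPUT_DROP lines from /var/log/messages into a count per source, protocol and destination port. The log lines in the block are constructed samples in the kernel's LOG format, with the page's host name and LAN address.

```shell
# Added example (not from the original notes): summarise iptables LOG lines.
# Reads syslog lines on stdin; prints "count SRC PROTO DPT", highest count first.
summarize_drops() {
    awk '
    /_DROP: / {
        src = proto = dpt = "-"          # ICMP lines carry no DPT, so default to "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")           # fields look like SRC=10.0.0.5, DPT=23, SYN
            if (kv[1] == "SRC")   src = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
        }
        n[src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample of /var/log/messages: three telnet probes, one NetBIOS probe,
# one ping, and an unrelated sshd line that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Mar 28 10:15:02 tester kernel: INPUT_DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.7 LEN=60 TTL=51 PROTO=TCP SPT=40123 DPT=23 SYN
Mar 28 10:15:03 tester sshd[1234]: Accepted publickey for root from 192.168.0.3 port 51012 ssh2
Mar 28 10:15:05 tester kernel: INPUT_DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.7 LEN=60 TTL=51 PROTO=TCP SPT=40124 DPT=23 SYN
Mar 28 10:15:07 tester kernel: INPUT_DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.0.7 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137
Mar 28 10:15:09 tester kernel: INPUT_DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.7 LEN=84 TTL=51 PROTO=ICMP TYPE=8 CODE=0
Mar 28 10:15:11 tester kernel: INPUT_DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.7 LEN=60 TTL=51 PROTO=TCP SPT=40125 DPT=23 SYN
EOF
)

# Real use: summarize_drops < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```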

- Tuts:

Iptables
Netfilter
Iptables

* List firewall rules: iptables -L
* Clear firewall rules: iptables -F


tracking : Sns

Domain Name Server (DNS) configuration using Bind version 8 or 9:

Yolinux, DNS

First:

# pacman --add bind*
done.

- DNS caching server :

Yolinux

First you need a file called /etc/named.conf:

Check out your root.hint into /var/named/ and the other files too (i did not change anything).

For rndc to work you need /etc/rndc.conf to match this:

key rndc_key {
Algorithm "hmac-md5";
secret "c3Ryb25nIGVub3Vna...";
};

options {
default-server localhost;
default-key rndc_key;
};

- TO CHECK : RNDC

As you see the secret is identical. If you want to use rndc from other machines, their clocks need to be within 5 minutes of each other. I recommend using the ntp (xntpd and ntpdate) software to do this.

Next, you need a /etc/resolv.conf looking something like this: (Again: Remove spaces!)

search subdomain.your-domain.edu your-domain.edu
nameserver 127.0.0.1

- If you're using a dialup connection connect first. Now run named.
RNDC can control named remotely.

While starting named (do tail -f /var/log/messages) you should see something like:

(the lines ending in \ continues on the next line)

Dec 23 02:21:12 lookfar named[11031]: starting BIND 9.1.3
Dec 23 02:21:12 lookfar named[11031]: using 1 CPU
Dec 23 02:21:12 lookfar named[11034]: loading configuration from \
'/etc/named.conf'
Dec 23 02:21:12 lookfar named[11034]: the default for the \
'auth-nxdomain' option is now 'no'
Dec 23 02:21:12 lookfar named[11034]: no IPv6 interfaces found
Dec 23 02:21:12 lookfar named[11034]: listening on IPv4 interface lo, \
127.0.0.1#53
Dec 23 02:21:12 lookfar named[11034]: listening on IPv4 interface eth0, \
10.0.0.129#53
Dec 23 02:21:12 lookfar named[11034]: command channel listening on \
127.0.0.1#953
Dec 23 02:21:13 lookfar named[11034]: running

Now you can test your setup:

- Resolver: check your nsswitch.conf in /etc --> gethostbyname and gethostbyaddr (no changes here either; you should get "hosts: files dns").

!! i set up eth0 (the one connected to the net) as DHCP and !gateway.

- Forwarding (DNS of your ISP):

Then, in your named.conf file, inside the opening section called ``options'', insert these lines:

forward first;
forwarders {
10.0.0.1;
10.1.0.1;
};

Logging is to /var/log/messages

- try :

# route -C

- "Authoritative-only Nameserver" :

- Chroot Bind for extra security:

Named Command Syntax:

named -u user -g group -t directory-to-chroot-to

Example:

named -u named -g named -t /opt/named

A simple domain. How to set up your own domain?

Yolinux

I create /etc/named.conf.own
# cp named.conf named.conf.own

trigger
# cp named.conf named.conf.default

then check /var/named/127.0.0.zone, which I copy into 127.0.0.zone.own:

# cp 127.0.0.zone 127.0.0.zone.own

and make the appropriate changes in named.conf.own to point to this new file.

And put in 127.0.0.zone.own :
$TTL 3D
@ IN SOA ns.linux.bogus. hostmaster.linux.bogus. (
1 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D) ; Minimum TTL
NS ns.linux.bogus.
1 PTR localhost.

Modify your resolv.conf with:

search linux.bogus
nameserver 127.0.0.1

Try it now:
# cp named.conf.own named.conf
# named
# dig -x 127.0.0.1

all good !!

Now for our main task, the linux.bogus domain, insert a new 'zone' section in named.conf.own:

zone "linux.bogus" IN {
type master;
notify no;
file "linux.bogus.zone";
};

(don't forget the ';')

and into our linux.bogus.zone:

;
; Zone file for linux.bogus
;
; The full zone file
;
$TTL 3D
@ IN SOA ns.linux.bogus. hostmaster.linux.bogus. (
199802151 ; serial, todays date + todays serial #
8H ; refresh, seconds
2H ; retry, seconds
4W ; expire, seconds
1D ) ; minimum, seconds
;
NS ns ; Inet Address of name server
IN NS ns.linux.bogus.
;
localhost A 127.0.0.1
gw A 192.168.0.2

ns A 192.168.0.2
www CNAME ns
mail A 192.168.0.2

Configure RNDC , creating rndc.key... :

# rndc-confgen -a

Restart bind:
# /etc/rc.d/./named restart

Logs go to:

/var/log/messages
(errors too)

To see the log on the terminal, run named in the foreground:
# named -g

Upgrading a package with a package file:

# pacman --upgrade foo.pkg.tar.gz
# pacman -U foo.pkg.tar.gz

Big upgrade:

(Note refresh first with # pacman -Sy)

Twice the following if pacman has not been updated yet :

# pacman -Su --> wonderful!! keeps the tables in mysql... keeps everything, but check /etc/httpd/conf/httpd.conf -->
- LoadModule php5_module to uncomment
- userdir ...

Edit /etc/php.ini (this is in /usr/etc on older systems) to uncomment the following line:

;extension=mysql.so

Wiki

# pacman -S xorg
50.0 MB

really fast !

# xorgconfig does everything you need (you must know your hardware !)

Email Server with Courier, fetchmail, procmail, or all QMAIL! (check next)

Procmail

Mail Retrieval

# pacman -A fetchmail*
# pacman -A procmail*
# pacman -A imap*
done.

- Using fetchmail:

Fetchmail

Server options are called into service in the .fetchmailrc file by the use of a special option verb, poll or skip, that precedes any of the server information. The poll action tells Fetchmail to use this server option when it is run, which actually checks it for email using the various user options.

Just make .fetchmailrc in your home-directory and add the following lines:

set postmaster "user1"
set bouncemail

poll pop.domain.com proto pop3
user 'user1' there with password 'secret' is user1 here

(all email errors are sent to the postmaster instead of the sender (bouncemail option)).

LinuxFocus

poll pop.isp.net protocol POP3
user toto is dede
password XXXXXXX
poll pop.isp.net2 protocol POP3
user toto1 is dede
password XXXXXXX

The file .fetchmailrc must have permissions set as follows, otherwise fetchmail will refuse to run:

-rw------- 1 dede dede 189 oct 6 21:45 /home/dede/.fetchmailrc

Conf:

fetchmailconf in /usr/bin

- Using procmail:

Procmail

Procmail allows you to filter email as it is received from a remote email server, or placed in your spool file on a local or remote email server.

Create and edit .procmailrc in your home-directory

PATH=$HOME/bin:/usr/bin:/bin:/usr/local/bin:.
MAILDIR=$HOME/Maildir/
DEFAULT=$HOME/Maildir/
LOGFILE=$MAILDIR/procmail.log

Now secure your .fetchmailrc since it contains passwords:

# chmod 600 .fetchmailrc

- Imap:

I enabled the imap service in /xinetd.d/imap, then rebooted,
or
# xinetd restart

(make sure you still have xinetd or install it !)

a new port is opened at 143 (# netstat -punta)

Server smtp, pop3 ...

# pacman -S qmail-installer
0.1 MB

You definitely need an internet connection for installing that package:

# /usr/sbin/./qmail-installer.sh

! Before that, make sure you installed wget:
# pacman -S wget

Then logout and run :
# config-fast your_domain_name

and:
# ln -s /var/qmail/supervise/qmail-send /var/qmail/supervise/qmail-smtpd /service

Conf in /var/qmail/control

Life with qmail:
Life with QMail

Qmail

Requirements:
Access to a domain name server (DNS) is highly recommended. Without one, qmail can only send to remote systems configured in its smtproutes config file.

(Pipeline, QMail)
(Toaster)

- Create System Aliases:

- Test the Installation
qmail should now be running. First run qmailctl stat to verify that the services are up and running:

# qmail-qstat

- QMAIL Gal:

Culte

Control files in /var/qmail/control,

try :
# qmail-showctl
# man qmail-control

The .qmail file:

# man dot-qmail

- Flounder, Qmail:

- Access Control

/etc/tcp.smtp as the access control file

127.0.0.1:allow,RELAYCLIENT=""
192.168.0.:allow,RELAYCLIENT=""
:allow

# man tcprules

After you've created your rules, you need to activate them; tcpserver works by reading a cdb (database) file. You use the tcprules program to build the database file from your /etc/tcp.smtp file. This is accomplished by the following command:

idem for tcp.pop3

Secure, Qmail
Restarting Qmail:

# /etc/rc.d/./qmail stop
# /etc/rc.d/./qmail start

At this point the qmail daemons should be running. A good way to verify this is to use this command :

ps axf

Testing Email Delivery

Queue viewing (See # qmail-qread)

Maildir mailboxes should be created with the maildirmake program that comes with qmail. E.g., "maildirmake ~/Maildir". Be sure to run maildirmake as the owner of the maildir, not as root.

# maildirmake Maildir

The readproctitle program keeps a log of error messages generated by services managed by svscan. To see these messages, use ps or some other process listing command. For example, you might see something like:

# ps -efl | grep "service errors" | grep -v grep
000 S root 1006 1001 0 76 0 - 334 pipe_w Mar31 ? 00:00:00
readproctitle service errors: ...unable to start qmail-smtpd/run: exec format error
#

qmail-user programs:

- Set up the log directory and permissions on the run scripts, and link the service into /service:

Vpopmail is a virtual domain package add-on for qmail. It can handle multiple domains on a single IP address, and none of the user accounts are /etc/passwd or "system" accounts.

Info: Vpopmail
Vpopmail

# echo "yourdomain.com" > /var/vpopmail/etc/defaultdomain

Setup the MySQL support in the vpopmail sources
~vpopmail/etc/vpopmail.mysql

Into mysql:
CREATE DATABASE vpopmail;

GRANT select,insert,update,delete,create,drop ON vpopmail.*
TO vpopmailuser@localhost IDENTIFIED BY 'vpoppasswd';

# chown vpopmail.vchkpw ~vpopmail/etc/vpopmail.mysql
# chmod 640 ~vpopmail/etc/vpopmail.mysql

- Error: shared lib libmysqlclient.so.12 not found; here is a solution (you need to symlink):

ln -s /usr/lib/mysql/mysql/libmysqlclient.so.14 /usr/lib/libmysqlclient.so.12

To add a domain :
Pipeline

/home/vpopmail/bin/vadddomain yourdomain.com yourpassword
# this creates the domain and makes a mailbox postmaster@yourdomain.com

# vconvert -e -S domainname

- then Try adding new user:

# vadduser bibi

...Pipeline, Webmail

Pipeline, Qmail

- Go TO:

http://yourdomain/cgi-bin/qmailadmin

it is wonderful!!

Logging in via POP3

When your users are setting up their POP3 email clients (eg Outlook Express), they should use settings like this :

My incoming mail server is a POP3 server
Incoming mail server (POP3): pop3.yourdomain.com
Outgoing mail server (SMTP): smtp.yourdomain.com
POP3 account name : theirusername@yourdomain.com
Password: theirpassword

- PINE (manage email - i love that prog)
# pacman -A pine*

- MUTT:

# pacman -S mutt

Unfortunately it did not work out for a non-local mail server!!

Proxy Server for linux:

# pacman -S squid
...

Check the config file /etc/squid/squid.conf for the 'acl' lines allowing your hosts; only with an acl ... allow ournetworks ... should it be ok.

# squid -z (which creates the cache dir)
# squid
Then it WORKS !!

Check that tut about transparent mode:

Linux Solved

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

#Transparent proxy -> add this line to the rules
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

Squid

- OUTLOOK :

echo 1 > /proc/sys/net/ipv4/ip_forward (enables packet forwarding by the kernel)

Supposing that:

192.168.0.0/24 is your LAN, and eth0 is the WAN device; you need iptables as root:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE

You wish for a webserver: cheap hosting, even free!!
You only get a dynamic IP address:

Maybe you can:

- build a cron job to check for changes of that IP and modify files in consequence!
- from the same job, send the message to a free hoster where you set up a list of mirrors (your IPs) to upload and download files, or a redirecting page to your home server!

Can it be?? Let's try it out...

It does work fine.

RCS:

ci(1)
co(1)
rcs(1)
rcsdiff(1)
rlog(1)

China linux ex. firewall rules at boot up:

The Arch way of doing this is as follows:
1. Place your script in /etc/rc.d/
2. Chown it to root and chmod 744
3. Add the name of the script in the DAEMONS array in /etc/rc.conf. Mine looks like this:

code:

DAEMONS=(!pcmcia firewall network archstats)

4. Reboot or start the script by running /etc/rc.d/firewall start (replace firewall with the name of your script if needed).
5. If anything goes wrong, please ask again. bbs.archlinux.org is good for Arch-specific things.
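An rc.d firewall script in exactly that style, added here and not part of the original notes or of Arch, that gathers the rules scattered through these notes (masquerading out of eth0, the transparent-squid redirect on eth1, and the LOG rules for whatever falls through to the DROP policy, rate limited so they cannot flood /var/log/messages). It assumes eth0 faces the ISP, eth1 is the 192.168.0.0/24 LAN and squid listens on 3128; setting IPT=echo prints the rules instead of applying them, which is a good way to review the script before adding it to DAEMONS.

```shell
#!/bin/sh
# /etc/rc.d/firewall -- Arch-style rc.d script for the ADSL gateway in these notes.
# Added example, not from the original notes. Assumptions: eth0 faces the ISP (WAN/PPP),
# eth1 the LAN 192.168.0.0/24, squid listens on 3128, bind and sshd serve the LAN only.
# Arch's rc.d helpers (stat_busy/stat_done) are deliberately not used so it runs anywhere.
# IPT and FWD_FILE can be overridden: IPT=echo prints the rules instead of applying them.
IPT=${IPT:-/usr/sbin/iptables}
FWD_FILE=${FWD_FILE:-/proc/sys/net/ipv4/ip_forward}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}

flush_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
}

firewall_start() {
    flush_rules
    # Default deny for inbound and forwarded traffic; outbound from the box is open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback, plus replies to connections we (or the LAN) opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services offered to the LAN only: ssh, the bind cache (udp/tcp 53), squid.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 3128 -j ACCEPT
    # Transparent proxy: LAN web traffic is redirected to squid (rule from the notes).
    $IPT -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-port 3128
    # LAN -> WAN forwarding with masquerading (rule from the notes).
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Log what is about to hit the DROP policy, rate limited so it cannot flood the log.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD_DROP: "
    echo 1 > "$FWD_FILE"      # enable packet forwarding by the kernel
}

firewall_stop() {
    flush_rules
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    echo 0 > "$FWD_FILE"
}

case "$1" in
    start)   firewall_start ;;
    stop)    firewall_stop ;;
    restart) firewall_stop; firewall_start ;;
    *)       echo "usage: $0 {start|stop|restart}" ;;
esac
```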

Security, Yolinux

- Use the find command to locate vulnerabilities: find suid and sgid files as well as world-writable files and directories.
- Use the commands chattr and lsattr to make a file unmodifiable over and above the usual permissions.

Make a file unmodifiable:
# chattr +i /bin/ls
Make directories unmodifiable:
# chattr -R +i /bin /sbin /boot /lib
Make a file append only:
# chattr +a /var/log/messages
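The find checks from the first bullet above, written out as one audit function (added here, not part of the original notes): it lists setuid/setgid files, world-writable files, and world-writable directories that lack the sticky bit, under the directory you give it (default /). Run it as root for a complete picture; the demo below builds a constructed tree in a temp directory so it can be tried without touching the system.

```shell
#!/bin/sh
# Added example (not from the original notes): the suid/sgid and world-writable
# audit described above. audit_perms [root_dir] prints one "kind path" line per finding.
audit_perms() {
    root=${1:-/}
    # setuid / setgid files: every one is a privilege boundary worth knowing about
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sed 's/^/suid-sgid /'
    # world-writable files: anyone on the box can alter them
    find "$root" -xdev -type f -perm -0002 -print 2>/dev/null |
        sed 's/^/world-writable-file /'
    # world-writable directories without the sticky bit: anyone can delete others' files
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null |
        sed 's/^/world-writable-dir /'
}

# Constructed demo tree: a suid tool, a 666 file, a 777 dir and a sticky 1777 dir
# (the sticky one, like /tmp, must not be reported).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmpdir" "$d/baddir"
    chmod 755 "$d/usr" "$d/usr/bin"
    : > "$d/usr/bin/tool";  chmod 4755 "$d/usr/bin/tool"
    : > "$d/open.txt";      chmod 666  "$d/open.txt"
    : > "$d/normal.txt";    chmod 644  "$d/normal.txt"
    chmod 1777 "$d/tmpdir"; chmod 777  "$d/baddir"
    audit_perms "$d"
    rm -rf "$d"
}
demo
```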

User access can be restricted with the configuration files:

* /etc/security/limits.conf
* /etc/security/group.conf
* /etc/security/time.conf

See YoLinux SysAdmin tutorial - restrict users

htaccess, Apache

There are two main reasons to avoid the use of .htaccess files:

The first of these is performance. When AllowOverride is set to allow the use of .htaccess files, Apache will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested.

My conf:

Sun solaris Tut