HTTP/LDAP/SMTP/IMAP/POP/DNS/DHCP HOWTO

This web page provides all the commands required to set up HTTP, LDAP, SMTP, IMAP, POP, DNS and DHCP servers on Debian/Ubuntu. An emacs command means you are required to edit that file (use whichever editor you prefer). Acquiring example files is discussed at the bottom of this page.

HTTP Server HOWTO

server:~>apt-get install apache2
server:~>emacs /etc/apache2/sites-available/default
server:~>/etc/init.d/apache2 restart

NOTE: for server load tuning see the Machine Optimization section below.

Multiple Sites (VirtualHost)

Create as many virtual sites as you want in:

server:~>/etc/apache2/sites-available/

To enable any of them, symlink it into sites-enabled (a2ensite {name} does the same thing):

server:~>ln -s /etc/apache2/sites-available/{name} \
 /etc/apache2/sites-enabled/{name}
server:~>/etc/init.d/apache2 restart

PHP Support

server:~>apt-get install php5 libapache2-mod-php5
server:~>/etc/init.d/apache2 restart

MySQL Support

server:~>apt-get install mysql-server-5.0 mysql-client-5.0 \
 libapache2-mod-auth-mysql php5-mysql
server:~>/etc/init.d/apache2 restart
By default MySQL only listens on 127.0.0.1. To enable remote login set bind-address in /etc/mysql/my.cnf to your server's IP (and firewall port 3306 so that only the intended clients can reach it), then:
server:~>/etc/init.d/mysql restart
server:~>mysql -u root -p mysql
mysql>GRANT ALL ON db_name.* TO 'username'@'ip' IDENTIFIED BY 'passwd';
Grant only the database and the client host that need access; a '%' host wildcard lets anyone who can reach port 3306 try the password.

Edit Service Version

Change the ServerTokens and ServerSignature Apache directives within /etc/apache2/apache2.conf so that the version and OS are no longer advertised in the Server header and on error pages, e.g.:

ServerTokens ProductOnly
ServerSignature Off

Testing

server:~>apt-get install telnet
server:~>telnet localhost 80
GET / HTTP/1.0
Remember to press the ENTER key twice. The Server: header in the reply shows whether the ServerTokens change above took effect.
OR
server:~>apt-get install lynx
server:~>lynx localhost

SSL Support

server:~>ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load
server:~>ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/ssl.conf
(a2enmod ssl creates the same two links.) Then edit your VirtualHost so that it looks something like:
NameVirtualHost *:443
<VirtualHost *:443>

 ServerAdmin webmaster@localhost

 SSLCertificateFile /etc/apache2/ssl/apache.pem
 SSLEngine on

 # TLS only: a bare "SSLProtocol all" leaves SSLv2 and SSLv3 negotiable.
 # Strong ciphers only: HIGH:MEDIUM admits RC4 and other legacy 128-bit
 # suites, and neither HIGH nor MEDIUM excludes anonymous (aNULL) key exchange.
 SSLProtocol all -SSLv2 -SSLv3
 SSLCipherSuite HIGH:!aNULL:!MD5

...
Now enable the site file you created (here it is called ssl):
server:~>a2ensite ssl
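The version-hiding and TLS directives above are easy to get wrong, and vhosts copied from HOWTOs of this era often carry SSLProtocol all with SSLCipherSuite HIGH:MEDIUM, which leaves SSLv2/SSLv3 and anonymous suites negotiable. The script below is an added example, not part of this page or of Apache: it audits config text for those four directives using only sed, grep and awk, so it runs without Apache installed. The two config samples inside it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit Apache config text for
# version leakage (ServerTokens/ServerSignature) and weak TLS settings
# (SSLProtocol, SSLCipherSuite). Pure sed/grep/awk, so it runs without Apache.

# Reads config text on stdin. Prints one finding per line; returns 0 if there
# are no findings, 1 otherwise. Comments are stripped first and directive
# names are matched case-insensitively, as Apache does.
audit_apache_conf() {
    conf=$(sed 's/#.*//')
    rc=0

    if ! printf '%s\n' "$conf" | grep -iqE '^[[:space:]]*ServerTokens[[:space:]]+(Prod|ProductOnly)[[:space:]]*$'; then
        echo "ServerTokens is not Prod: version and OS leak in the Server header"
        rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -iqE '^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$'; then
        echo "ServerSignature is not Off: version leaks in error pages and indexes"
        rc=1
    fi

    # SSLProtocol: "all" (or an explicit SSLv2/SSLv3) that is not followed by
    # "-SSLv2 -SSLv3" leaves the broken protocol versions enabled.
    printf '%s\n' "$conf" | awk '
    tolower($1) == "sslprotocol" {
        v2 = 0; v3 = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            if (t == "all") { v2 = 1; v3 = 1 }
            else if (t == "sslv2" || t == "+sslv2") { v2 = 1 }
            else if (t == "sslv3" || t == "+sslv3") { v3 = 1 }
            else if (t == "-sslv2") { v2 = 0 }
            else if (t == "-sslv3") { v3 = 0 }
        }
        if (v2 || v3) { print "SSLv2/SSLv3 still enabled by: " $0; bad = 1 }
    }
    END { exit bad }' || rc=1

    # SSLCipherSuite: flag legacy/export/anonymous groups that are not excluded
    # with "!", and require an explicit !aNULL because even HIGH contains
    # anonymous Diffie-Hellman suites.
    printf '%s\n' "$conf" | awk '
    tolower($1) == "sslciphersuite" {
        n = split($2, part, ":")
        for (i = 1; i <= n; i++) {
            if (tolower(part[i]) ~ /^(low|medium|exp|export|null|enull|anull|adh|rc4|md5|des)$/) {
                print "weak SSLCipherSuite term " part[i] " in: " $0; bad = 1
            }
        }
        if (tolower($2) !~ /!anull/) { print "SSLCipherSuite does not exclude aNULL in: " $0; bad = 1 }
    }
    END { exit bad }' || rc=1

    return $rc
}

# Constructed samples: a vhost in the style of old HOWTOs, and the same vhost hardened.
WEAK_CONF='ServerTokens Full
ServerSignature On
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    # enable strongest 7 ciphers
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM
</VirtualHost>'

HARD_CONF='ServerTokens ProductOnly
ServerSignature Off
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>'

# Run directly to see both verdicts. Against a real server, source this file and:
#   cat /etc/apache2/apache2.conf /etc/apache2/sites-enabled/* | audit_apache_conf
echo "== weak sample ==";     printf '%s\n' "$WEAK_CONF" | audit_apache_conf || echo "-> FAIL"
echo "== hardened sample =="; printf '%s\n' "$HARD_CONF" | audit_apache_conf && echo "-> OK"
```

The audit is text-only, so it also catches a directive that was set in apache2.conf but overridden in a site file: pipe every file that Apache actually reads through it, not just one.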

LDAP Server HOWTO

server:~>apt-get install slapd ldap-utils ldapscripts \
 libnss-ldap libpam-ldap db4.2-util nscd
server:~>emacs /etc/ldap/slapd.conf
server:~>emacs /etc/pam_ldap.conf
server:~>emacs /etc/libnss-ldap.conf
server:~>emacs /etc/nsswitch.conf
server:~>emacs /etc/pam.d/common-auth
server:~>emacs /etc/pam.d/common-account
server:~>emacs /etc/pam.d/common-password
server:~>/etc/init.d/slapd restart

Web-based Config

server:~>apt-get install phpldapadmin php5-ldap
server:~>emacs /etc/phpldapadmin/config.php
server:~>/etc/init.d/apache2 restart

Create an apache2 VirtualHost (see above) whose DocumentRoot is

server:~>/usr/share/phpldapadmin/
phpldapadmin gives whoever can reach it a login form to your whole directory, so serve it from the SSL site and restrict who can access it.
Remember to regularly export a .ldif file of your LDAP directory (slapcat writes one) just in case your LDAP database is lost!

Alternative Config Method

server:~>man ldapsearch
server:~>man ldapadd
server:~>man ldapdelete
server:~>man ldapmodify

Current issues with LDAP

There is currently a bug in nss_ldap 249 and later. If your system is booting slowly and you are getting bootup messages like:

udevd[374]: nss_ldap: failed to bind to ldap server
 ldap://server can't connect ldap server
udevd[374]: nss_ldap: reconnecting to ldap server
Then do the following on your server/clients to fix it:
host:~>addgroup --system nvram
and set "bind_policy hard" within /etc/libnss-ldap.conf

More info at launchpad.net and livejournal.com.

LDAP Client HOWTO

client:~>apt-get install libnss-ldap libpam-ldap nscd
client:~>emacs /etc/pam_ldap.conf
client:~>emacs /etc/libnss-ldap.conf
client:~>emacs /etc/nsswitch.conf
client:~>emacs /etc/pam.d/common-auth
client:~>emacs /etc/pam.d/common-account
client:~>emacs /etc/pam.d/common-password

SMTP Server HOWTO (Outgoing Email Server)

server:~>apt-get install exim4
server:~>emacs /etc/exim4/update-exim4.conf.conf
server:~>/etc/init.d/exim4 force-stop
server:~>/etc/init.d/exim4 start

Edit Service Version

Change the smtp_banner variable within /etc/exim4/exim4.conf.template so that the banner no longer advertises the Exim version, e.g.:

smtp_banner = $smtp_active_hostname ESMTP $tod_full

Testing

server:~>apt-get install telnet
server:~>telnet localhost 25
HELO spam.org
MAIL FROM: <spamis@spam.org>
RCPT TO: <root@localhost>
DATA
Subject: Test Message

This is a test message.
.
QUIT
(the blank line after the headers is required, otherwise the body is read as more headers)
OR
server:~>apt-get install mailx
server:~>echo "spam is good" | mail -s "31337" root@localhost
OR
server:~>apt-get install swaks
server:~>swaks --to root@localhost --server localhost
These only prove local delivery. Also repeat the telnet session with an RCPT TO at some other domain and make sure you get a 5xx "relay not permitted" reply; if it is accepted you are running an open relay.
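The telnet session above shows that local delivery works; the check that matters on an internet-facing Exim is that it refuses to relay for outsiders. The script below is an added example, not part of this page or of Exim: it classifies the reply to RCPT TO for an outside sender and an outside recipient, works offline on a constructed transcript, and can drive a live probe over bash's /dev/tcp (it sends QUIT before DATA, so no message is ever delivered). The domains relaytest.example and third-party.example are assumed test names.

```shell
#!/bin/bash
# Added example (not from the original page or Exim): check that an SMTP
# server refuses to relay for third parties. relaytest.example and
# third-party.example are constructed test domains. The offline helpers are
# plain POSIX sh; probe_relay needs bash for /dev/tcp and read -t.

# Classify the reply to RCPT TO. A 2xx reply to an outside sender AND an
# outside recipient means the server is an open relay.
classify_rcpt_reply() {
    case "$1" in
        2[0-9][0-9]*) echo "open-relay" ;;
        4[0-9][0-9]*) echo "deferred" ;;
        5[0-9][0-9]*) echo "refused" ;;
        *)            echo "unexpected" ;;
    esac
}

# Read the server's replies on stdin in protocol order (banner, EHLO,
# MAIL FROM, RCPT TO) and print the verdict for the RCPT TO reply.
# "250-..." continuation lines of a multi-line EHLO reply are skipped.
relay_verdict_from_replies() {
    i=0
    verdict="unexpected"
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in [0-9][0-9][0-9]-*) continue ;; esac
        i=$((i + 1))
        if [ "$i" -eq 4 ]; then
            verdict=$(classify_rcpt_reply "$line")
        fi
    done
    echo "$verdict"
}

# Read one complete SMTP reply from fd 3 and echo every line of it.
read_reply() {
    local l
    while IFS= read -r -t 10 l <&3; do
        printf '%s\n' "$l"
        case "$l" in [0-9][0-9][0-9]-*) ;; *) return 0 ;; esac
    done
    return 1
}

# Live probe: talk to host:port and stop before DATA so nothing is sent.
probe_relay() {
    host=$1; port=${2:-25}
    exec 3<>"/dev/tcp/$host/$port" || return 2
    {
        read_reply                                                  # banner
        printf 'EHLO relaytest.example\r\n' >&3;                    read_reply
        printf 'MAIL FROM:<probe@relaytest.example>\r\n' >&3;       read_reply
        printf 'RCPT TO:<someone@third-party.example>\r\n' >&3;     read_reply
        printf 'QUIT\r\n' >&3
    } | relay_verdict_from_replies
    exec 3>&-
}

# Constructed transcripts (server side only) for offline use.
OPEN_RELAY_REPLIES='220 mail.example.com ESMTP
250 mail.example.com Hello relaytest.example [192.0.2.10]
250 OK
250 Accepted'

CLOSED_RELAY_REPLIES='220 mail.example.com ESMTP
250-mail.example.com Hello relaytest.example [192.0.2.10]
250-SIZE 52428800
250 HELP
250 OK
550 relay not permitted'

echo "open sample:   $(printf '%s\n' "$OPEN_RELAY_REPLIES"   | relay_verdict_from_replies)"
echo "closed sample: $(printf '%s\n' "$CLOSED_RELAY_REPLIES" | relay_verdict_from_replies)"
# Against a real server:  probe_relay mail.example.com 25
```

Run the live probe from outside your own network as well as from the LAN: Exim's relay_from_hosts list usually allows the LAN, so a test from a local client proves nothing about what the internet sees.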

SpamAssassin

server:~>apt-get install sa-exim spamassassin
server:~>emacs -nw /etc/spamassassin/local.cf
server:~>emacs -nw /etc/default/spamassassin

IMAP Server HOWTO (Incoming Email Server)

server:~>apt-get install courier-imap

Testing IMAP

server:~>apt-get install telnet
server:~>telnet localhost 143
1 LOGIN "username" "password"
Plain IMAP sends the username and password in the clear, so only test like this over localhost; from the network use the SSL variant below (port 993).

IMAP over SSL Server HOWTO (Secure Incoming Email Server)

server:~>apt-get install courier-imap-ssl

POP Server HOWTO (Incoming Email Server)

server:~>apt-get install courier-pop

Testing POP

server:~>apt-get install telnet
server:~>telnet localhost 110
USER username
PASS passwd
Plain POP sends the username and password in the clear, so only test like this over localhost; from the network use the SSL variant below (port 995).

POP over SSL Server HOWTO (Secure Incoming Email Server)

server:~>apt-get install courier-pop-ssl

Courier IMAP/POP LDAP Support

server:~>apt-get install courier-ldap
server:~>emacs /etc/courier/authdaemonrc
server:~>emacs /etc/courier/authldaprc
server:~>emacs /etc/courier/ldapaliasrc
server:~>/etc/init.d/courier-authdaemon restart
server:~>/etc/init.d/courier-ldap restart

Now restart the services you are running, such as:

server:~>/etc/init.d/courier-imap restart
server:~>/etc/init.d/courier-imap-ssl restart
server:~>/etc/init.d/courier-pop restart
server:~>/etc/init.d/courier-pop-ssl restart

Email Aliases

Use phpldapadmin to add LDAP email aliases or just use the file:

server:~>emacs -nw /etc/aliases

DNS HOWTO

server:~>apt-get install bind9
server:~>emacs -nw /etc/bind/named.conf.options
server:~>emacs -nw /etc/bind/named.conf.local
server:~>emacs -nw /etc/bind/db.{name}
server:~>/etc/init.d/bind9 restart

Notes

  • Each time you edit a zone file (e.g. db.mydomain.com or db.0.0.10) you need to increase the serial number in its SOA record, otherwise secondary servers will not transfer the change.
  • The @ IN NS records in db.mydomain.com need to match the @ IN NS records in the reverse zone db.0.0.10.
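Bumping the serial by hand is where zone edits usually go wrong. The following is an added example, not part of this page or of BIND: a shell function that rewrites the SOA serial in YYYYMMDDnn form, handles both the single-line and the bracketed multi-line SOA layout, and never lowers a serial. The zone file it runs on is constructed for illustration. After rewriting a real zone, run named-checkzone on it before reloading bind9.

```shell
#!/bin/sh
# Added example (not from the original page or BIND): bump the SOA serial of a
# zone file in the YYYYMMDDnn convention. A secondary only transfers a zone
# whose serial has grown, which is why forgetting this leaves it serving stale
# data. The sample zone below is constructed for illustration.

# Usage: bump_serial YYYYMMDD < db.example.com > db.example.com.new
# Prints the rewritten zone on stdout and "serial OLD -> NEW" on stderr.
# Rules: a serial already dated today gets its nn incremented; anything else
# becomes YYYYMMDD01; if that would not be larger than the old serial (a bare
# counter such as 99999999999), old+1 is used instead. Everything is done on
# decimal strings so 10+ digit values never pass through awk's floating point.
bump_serial() {
    awk -v today="$1" '
    function incr_str(s,   i, c, out, carry) {
        carry = 1; out = ""
        for (i = length(s); i >= 1; i--) {
            c = substr(s, i, 1) + carry
            if (c == 10) { c = 0; carry = 1 } else { carry = 0 }
            out = c out
        }
        return carry ? "1" out : out
    }
    function next_serial(old, day,   cand) {
        if (length(old) == 10 && substr(old, 1, 8) == day && substr(old, 9, 2) + 0 < 99) {
            cand = day sprintf("%02d", substr(old, 9, 2) + 1)
        } else {
            cand = day "01"
        }
        if (length(cand) < length(old) || (length(cand) == length(old) && cand <= old)) {
            cand = incr_str(old)
        }
        return cand
    }
    # Replace the serial only where it stands alone (not inside a name or a
    # longer number), keeping the rest of the line, comments included, verbatim.
    function replace_token(line, old, new,   start, pos, pre, post) {
        start = 1
        while ((pos = index(substr(line, start), old)) > 0) {
            pos += start - 1
            pre = (pos == 1) ? " " : substr(line, pos - 1, 1)
            post = substr(line, pos + length(old), 1)
            if (pre !~ /[0-9A-Za-z._-]/ && post !~ /[0-9A-Za-z._-]/) {
                return substr(line, 1, pos - 1) new substr(line, pos + length(old))
            }
            start = pos + 1
        }
        return line
    }
    {
        line = $0
        code = $0; sub(/;.*/, "", code)                 # drop comments before parsing
        n = split(code, tok, /[ \t]+/)
        for (i = 1; i <= n && !done; i++) {
            if (tok[i] == "") { continue }
            if (!insoa) { if (toupper(tok[i]) == "SOA") { insoa = 1; after = 0 }; continue }
            if (tok[i] == "(" || tok[i] == ")") { continue }
            if (++after <= 2) { continue }              # skip MNAME and RNAME
            if (tok[i] ~ /^[0-9]+$/) {                  # first number after them is the serial
                newserial = next_serial(tok[i], today)
                line = replace_token(line, tok[i], newserial)
                printf "serial %s -> %s\n", tok[i], newserial > "/dev/stderr"
                done = 1
            }
        }
        print line
    }
    END { if (!done) { print "no SOA serial found" > "/dev/stderr"; exit 1 } }'
}

# Constructed zone in the bracketed multi-line SOA layout BIND's examples use.
SAMPLE_ZONE='$TTL 86400
@   IN  SOA ns1.example.com. hostmaster.example.com. (
            2010010102 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            86400 )    ; minimum
@   IN  NS  ns1.example.com.
ns1 IN  A   10.0.0.2'

# Demonstration with "today" fixed to 2010-01-01, so the nn part increments.
printf '%s\n' "$SAMPLE_ZONE" | bump_serial 20100101
# In practice: bump_serial "$(date +%Y%m%d)" < /etc/bind/db.example.com > /tmp/db.new
```

Write the output to a temporary file and move it into place only after named-checkzone accepts it, since a zone file that fails to load takes the whole domain with it on the next restart.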

Testing

server:~>apt-get install host dns-browse dnsutils
server:~>host machine_name
server:~>dig machine_name
server:~>nslookup machine_name

DHCP HOWTO

server:~>apt-get install dhcp3-server
server:~>emacs -nw /etc/dhcp3/dhcpd.conf
server:~>/etc/init.d/dhcp3-server restart

Client Config

client:~> less /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

client:~>ifup eth0

APT Cache

server:~> apt-get install apt-cacher
server:~> emacs /etc/apt-cacher/apt-cacher.conf
Then change entries in /etc/apt/sources.list from
deb http://archive.ubuntu.com/ubuntu/ dapper main restricted
to
deb http://server:3142/apt-cacher/archive.ubuntu.com/ubuntu/ \
dapper main restricted

Timezone Config

client:~>echo "Australia/Sydney" > /etc/timezone
client:~>ln -sf /usr/share/zoneinfo/Australia/Sydney /etc/localtime
(-f because /etc/localtime normally already exists)

NTP Config

client:~>apt-get install ntpdate
client:~>ntpdate ntp.server.com

Access Point Config

Setup the device in master mode:

server:~>iwconfig ath0 mode master
However if that command returns:
Error for wireless request "Set Mode" (8B06) :
SET failed on device ath0 ; Invalid argument.
Try to set the mode when the module is loaded; for example some madwifi modules for Atheros wireless NICs require:
server:~>modprobe ath_pci autocreate=ap
Then simply set the ESSID and IP address:
server:~>iwconfig ath0 essid my_wireless_name
server:~>ifconfig ath0 192.168.1.1 up

NOTES: Replace ath0 with the correct NIC device name. The commands above set up an open (unencrypted) network that anyone in range can join.

Network Router Config

If your server is connected to the internet via a router, you will need your router to forward incoming traffic for the services you expose, e.g. port 22 (SSH), port 25 (SMTP), port 80 (HTTP) and port 143 (IMAP), to your server. Forward only the ports you actually serve, and note that forwarding 143 or 110 exposes cleartext logins to the internet, so prefer the SSL variants (993/995). This can be done via the following script:

Example Port Forwarding Script:

#!/bin/sh

ETH="ppp0"
DMZ_HOST="10.0.0.10"
DMZ_PORTS="ssh,smtp,www,imap"

echo 1 > /proc/sys/net/ipv4/ip_forward

# DNAT the listed ports to the DMZ host. If your FORWARD chain policy is DROP
# you also need a FORWARD rule that accepts this traffic to $DMZ_HOST.
/sbin/iptables -t nat -A PREROUTING -p tcp -m multiport \
 --dport $DMZ_PORTS -i $ETH -j DNAT --to $DMZ_HOST

However you may wish to run a serious firewall, so feel free to use Luke Cole's iptables firewall sh script firewall-router.

Prevent SYN flood bombs

Turn ON SYN cookies:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Increase the number of half-open connections the backlog queue can hold:
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
Both settings are lost on reboot unless you also put them in /etc/sysctl.conf.

"Testing" / "Monitoring"

Live-CDs / Frameworks: BackTrack, Phlak, Metasploit

Ubuntu/Debian Packages:

server:~>apt-get install netcat nessus nmap tcpick tcpdump iptraf \
 iproute pktstat traceroute ethereal etherape geoip-bin net-tools \
 sysstat hddtemp hdparm lm-sensors snort psad fail2ban clamav \
 rkhunter chkrootkit nikto dsniff scapy packit nast distributed-net \
 fakepop kismet airsnort weplab aircrack john medussa crack-md5 \
 fcrackzip pdfcrack wordplay an apg gpw otp

Machine Optimization

  1. svctm (via iostat) should be no greater than 30 (milliseconds) and %util (via iostat) should be no greater than 5 (%). Higher values indicate the system disk(s) are not tuned or are too slow.
  2. %wa (via top) should be no greater than 30 (%). Higher values indicate the system disk(s) are not tuned or are too slow.
  3. procs r (via vmstat) should ideally be no greater than the number of CPUs on the system and never more than four times the number of CPUs. Higher values indicate a shortage of CPU power.
  4. cpu sy (via vmstat) should be no greater than four times cpu us (via vmstat). Higher values indicate a shortage of CPU power.

Once you have determined a machine is overloaded (e.g. your server is using too much CPU, memory or disk read/write bandwidth), you can either upgrade the CPU, memory or disk speed. However if disk speed is your problem (a common one, see above) due to, for example, MySQL, you could spread the load by moving your /var/lib/mysql/ directory to a second drive or another machine.
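The thresholds above are rules of thumb read off by eye. The following is an added example, not part of this page or of procps/sysstat, that applies them to captured vmstat and iostat -x output so a cron job or a quick pipe can flag an overloaded box. Column positions are taken from each tool's header line rather than hard-coded, and both output samples are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page or procps/sysstat): apply the four
# rules of thumb above to captured "vmstat" and "iostat -x" output. Column
# positions are read from each tool's header line instead of being hard-coded,
# so a version that adds a column (e.g. "st") does not silently shift them.
# Both samples below are constructed for illustration.

# check_vmstat NCPU < output-of-"vmstat 5 6"
# Prints one line per breached rule and returns 1 if any rule was breached.
# The first data row is the average since boot and is skipped.
check_vmstat() {
    awk -v ncpu="$1" '
    $1 == "r" && $2 == "b" { for (i = 1; i <= NF; i++) col[$i] = i; next }
    !("wa" in col) || $1 !~ /^[0-9]+$/ { next }      # banner line before the header
    ++n == 1 { next }
    {
        r = $(col["r"]); us = $(col["us"]); sy = $(col["sy"]); wa = $(col["wa"])
        if (r > 4 * ncpu) {
            printf "sample %d: r=%d exceeds 4 x %d CPUs: shortage of CPU power\n", n, r, ncpu; bad = 1
        } else if (r > ncpu) {
            printf "sample %d: r=%d exceeds %d CPUs: keep an eye on CPU\n", n, r, ncpu
        }
        if (sy > 4 * us) { printf "sample %d: sy=%d%% exceeds 4 x us=%d%%: shortage of CPU power\n", n, sy, us; bad = 1 }
        if (wa > 30)     { printf "sample %d: wa=%d%% exceeds 30%%: disks untuned or too slow\n", n, wa; bad = 1 }
    }
    END { exit bad }'
}

# check_iostat [SVCTM_MS] [UTIL_PCT] < output-of-"iostat -x"   (defaults 30 and 5)
check_iostat() {
    awk -v svctm_max="${1:-30}" -v util_max="${2:-5}" '
    $1 ~ /^Device:?$/ { for (i = 1; i <= NF; i++) col[$i] = i; ncols = NF; next }
    !("svctm" in col) || NF != ncols { next }        # avg-cpu block, blank lines
    {
        svctm = $(col["svctm"]); util = $(col["%util"])
        if (svctm > svctm_max) { printf "%s: svctm=%sms exceeds %sms\n", $1, svctm, svctm_max; bad = 1 }
        if (util > util_max)   { printf "%s: %%util=%s exceeds %s%%\n", $1, util, util_max; bad = 1 }
    }
    END { exit bad }'
}

# Constructed "vmstat 5 3" output from a 2-CPU box: since-boot row, one calm
# interval, then one interval that is both disk- and kernel-bound.
VMSTAT_SAMPLE='procs -----------memory---------- ---swap-- -----io---- -system-- ----cpu----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa
 1  0      0 512000  80000 900000    0    0     5    10  100  200  3  1 95  1
 3  0      0 510000  80000 900000    0    0    20    40  150  300  6  2 90  2
 9  2      0  90000  20000 400000    0    0  3000  2500  900 4000  4 20 31 45'

# Constructed "iostat -x" output: sda is saturated, sdb is idle.
IOSTAT_SAMPLE='Linux 2.6.24-server (server)    01/01/2010

avg-cpu:  %user   %nice %system %iowait  %steal   %idle
           4.00    0.00    2.00   40.00    0.00   54.00

Device:         rrqm/s   wrqm/s   r/s   w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util
sda               0.50    12.00  1.20  8.30    40.00   160.00    24.00     0.90   45.00  35.10   9.80
sdb               0.00     0.10  0.10  0.20     2.00     4.00    20.00     0.00    2.00   1.50   0.05'

echo "== vmstat (2 CPUs) =="; printf '%s\n' "$VMSTAT_SAMPLE" | check_vmstat 2 || echo "-> overloaded"
echo "== iostat -x ==";       printf '%s\n' "$IOSTAT_SAMPLE" | check_iostat   || echo "-> disk-bound"
# Live:  vmstat 5 6 | check_vmstat "$(grep -c ^processor /proc/cpuinfo)";  iostat -x | check_iostat
```

Feed several intervals rather than a single snapshot: one busy sample after a cron job is normal, the same breach in most samples is the signal the rules above are about.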

For more info, I recommend you read documents such as

Example Files

Users of this network can ssh to lukecole.name and visit the config backup directory for lukecole.name which provides the current server and router config, crontab and script files:

server:~>/data/conf/server/
server:~>/data/conf/router/
server:~>/data/bin/
Otherwise contact Luke Cole for examples.

Enjoy!

 

© 2000-2010 Luke Cole. Site Architecture by coleTEK. All rights reserved. Validate XHTML and CSS.
