Public Data:

Popular Project Sites:

SourceForge.net Project Sites:

Luke Cole

Donate to Luke Cole
Locations of visitors to this page

HTTP/LDAP/SMTP/IMAP/POP/DNS/DHCP HOWTO

This web page provides all the commands required to setup a HTTP, LDAP, SMTP, IMAP, POP, DNS and DHCP server. The emacs commands mean you are required to edit this file. Acquiring example files is discussed at the bottom of this page. The following should work for most flavors of Ubuntu (last updated for 10.10). The package names may have changed somewhat.

HTTP Server HOWTO

server:~>apt-get install apache2
server:~>emacs /etc/apache2/sites-available/default
server:~>/etc/init.d/apache2 restart

NOTE: Server Load Optimization

Multiple Sites (VirtualHost)

Create as many virtual sites as you want in:

server:~>/etc/apache2/sites-available/

To enable any of them:

server:~>ln -s /etc/apache2/sites-available/{name} \
 /etc/apache2/sites-enable/{name}
server:~>/etc/init.d/apache2 restart

PHP Support

server:~>apt-get install php5 libapache2-mod-php5
server:~>/etc/init.d/apache2 restart

MySQL Support

server:~>apt-get install mysql-server mysql-client \
 libapache2-mod-auth-mysql php5-mysql
server:~>/etc/init.d/apache2 restart
To enable remote login set bind-address in /etc/mysql/my.cnf to your ip and then:
server:~>/etc/init.d/mysql restart
server:~>mysql -u root -p mysql
mysql>GRANT ALL ON db_name.* TO username@'ip' IDENTIFIED BY 'passwd'

Edit Service Version

Change the ServerTokens and ServerSignature apache directives within /etc/apache2/apache2.conf, e.g.:

ServerTokens ProductOnly
ServerSignature Off

Testing

server:~>apt-get install telnet
server:~>telnet localhost 80
GET /
Remember to press the ENTER key twice.
OR
server:~>apt-get install lynx
server:~>lynx localhost

SSL Support

server:~>ln -s /etc/apache2/mods-available/ssl.load \
  /etc/apache2/mods-enabled/ssl.load
server:~>ln -s /etc/apache2/mods-available/ssl.conf \
  /etc/apache2/mods-enabled/ssl.conf
Then edit your VirtualHost it looks something like:
NameVirtualHost *:443
<virtualhost *:443>

 ServerAdmin webmaster@localhost

 SSLCertificateFile /etc/apache2/ssl/apache.pem
 SSLEngine on

 # enable strongest 7 ciphers
 SSLProtocol all
 SSLCipherSuite HIGH:MEDIUM

...
Now do:
server:~>a2ensite ssl

LDAP Server HOWTO

server:~>apt-get install slapd ldap-utils ldapscripts \
 libnss-ldap libpam-ldap db4.2-util nscd
server:~>emacs /etc/ldap/slapd.conf
server:~>emacs /etc/pam_ldap.conf
server:~>emacs /etc/libnss-ldap.conf
server:~>emacs /etc/nsswitch.conf
server:~>emacs /etc/pam.d/common-auth
server:~>emacs /etc/pam.d/common-account
server:~>emacs /etc/pam.d/common-password
server:~>/etc/init.d/slapd restart

Web-based Config

server:~>apt-get install phpldapadmin php5-ldap
server:~>emacs /etc/phpldapadmin/config.php
server:~>/etc/init.d/apache2 restart

Create apache2 VirtualHost (see above) to

server:~>/usr/share/phpldapadmin/
Remember to export a .ldif file of your ldap directory just incase your ldap database is lost!

Alternative Config Method

server:~>man ldapsearch
server:~>man ldapadd
server:~>man ldapdelete
server:~>man ldapmodify

Current issues with LDAP

There is currently a bug in the latest nss_ldap-249+. If you system is booting slow and you are getting bootup messages like:

udevd[374]: nss_ldap: failed to bind to ldap server
 ldap://server can't connect ldap server
udevd[374]: nss_ldap: reconnecting to ldap server
Then do the following on your server/clients to fix it:
host:~>addgroup --system nvram
and set "bind_policy hard" within /etc/libnss-ldap.conf

More info at launchpad.net and livejournal.com.

LDAP Client HOWTO

client:~>apt-get install libnss-ldap libpam-ldap nscd
client:~>emacs /etc/pam_ldap.conf
client:~>emacs /etc/libnss-ldap.conf
client:~>emacs /etc/nsswitch.conf
client:~>emacs /etc/pam.d/common-auth
client:~>emacs /etc/pam.d/common-account
client:~>emacs /etc/pam.d/common-password

SMTP Server HOWTO (Outgoing Email Server)

  1. Install
    server:~> sudo apt-get install exim4
    
  2. Configure Mail Hostname
    server:~> echo "mail.domainname.com" > /etc/mailname
    
  3. Configure Exim as smarthost and split config files
    server:~> sudo dpkg-reconfigure exim4-config
    
    Exim config file /etc/exim4/update-exim4.conf.conf should look something like:
    dc_eximconfig_configtype='smarthost'
    dc_other_hostnames='mail:mail.domainname.com:anotherdomain.com'
    dc_local_interfaces=''
    dc_readhost='mail.domainname.com'
    dc_relay_domains=''
    dc_minimaldns='false'
    dc_relay_nets='10.0.0.0/8:192.168.1.0/8'
    dc_smarthost='mail.ispsmtpserver.com'
    CFILEMODE='644'
    dc_use_split_config='true'
    dc_hide_mailname='true'
    dc_mailname_in_oh='true'
    dc_localdelivery='maildir_home'
    
  4. Edit Service Version (Optional Security by Obscurity) - change the smtp_banner variable within /etc/exim4/conf.d/main/02_exim4-config_options, e.g.:
    smtp_banner = $smtp_active_hostname ESMTP $tod_full
    

  5. Restart Exim
    server:~>sudo /etc/init.d/exim4 restart
    

Testing

server:~>apt-get install telnet
server:~>telnet localhost 25
HELO spam.org
MAIL FROM: <spamis@spam.org>
RCPT TO: <root@localhost>
DATA
Subject:Test Message
This is a test message.
.
QUIT
OR
server:~>apt-get install mailutils
server:~>echo "spam is good" | mail -s "31337" root@localhost
OR
server:~>apt-get install swaks
server:~>swaks

SpamAssassin

  1. Install
    server:~>sudo apt-get install sa-exim spamassassin
    
  2. Configure SpamAssassin (Optional)
    server:~>sudo emacs -nw /etc/spamassassin/local.cf
    
  3. Enable SpamAssassin
    • Set ENABLE=1 in /etc/default/spamassassin
    • Comment out SAEximRunCond: 0 from /etc/exim4/sa-exim.conf
  4. Train the bayesian filter what spam is
    sudo sa-learn --spam -u spamd --dir /home/<username>/Maildir/.Junk/* -D
    
  5. Train the bayesian filter what non-spam is (Optional)
    sudo sa-learn --ham -u spamd --dir /home/<username>/Maildir/cur/* -D
    
  6. Restart Exim and SpamAssassin
    server:~>sudo /etc/init.d/spamassassin restart
    server:~>sudo /etc/init.d/exim4 restart
    

Virtual Hosts

  1. Create virtual hosts/emails
    mkdir /etc/exim4/virtual
    echo "*: <username>@localhost" > /etc/exim4/virtual/domainname.com
    echo "*: <username>@localhost" > /etc/exim4/virtual/domainname2.com
    echo "webmaster: root@localhost" » /etc/exim4/virtual/domainname2.com
    
  2. Change domainlist local_domains (in /etc/exim4/main/01_exim4-config_listmacrosdefs) from:
    domainlist local_domains = MAIN_LOCAL_DOMAINS
    
    to:
    domainlist local_domains = @:localhost:dsearch;/etc/exim4/virtual
    
  3. Create Virtual Host Exim Config - add the following file to /etc/exim4/router/350_exim4-config_vdom_aliases
    vdom_aliases:
            driver = redirect
            allow_defer
            allow_fail
            domains = dsearch;/etc/exim4/virtual
            data = \
      ${expand:${lookup{$local_part}lsearch*@{/etc/exim4/virtual/$domain}}}
            retry_use_local_part
            pipe_transport   = address_pipe
            file_transport   = address_file
    
  4. Restart Exim
    server:~>sudo /etc/init.d/exim4 restart
    

IMAP Server HOWTO (Incoming Email Server)

server:~>apt-get install courier-imap

Testing IMAP

server:~>apt-get install telnet
server:~>telnet localhost 143
1 LOGIN "username" "password"

IMAP over SSL Server HOWTO (Secure Incoming Email Server)

server:~>apt-get install courier-imap-ssl

POP Server HOWTO (Incoming Email Server)

server:~>apt-get install courier-pop

Testing POP

server:~>apt-get install telnet
server:~>telnet localhost 110
USER username
PASS passwd

POP over SSL Server HOWTO (Secure Incoming Email Server)

server:~>apt-get install courier-pop-ssl

Courier IMAP/POP LDAP Support

server:~>apt-get install courier-ldap
server:~>emacs /etc/courier/authdaemonrc
server:~>emacs /etc/courier/authldaprc
server:~>emacs /etc/courier/ldapaliasrc
server:~>/etc/init.d/courier-authdaemon restart
server:~>/etc/init.d/courier-ldap restart

Now restart the services you are running, such as:

server:~>/etc/init.d/courier-imap restart
server:~>/etc/init.d/courier-imap-ssl restart
server:~>/etc/init.d/courier-pop restart
server:~>/etc/init.d/courier-pop-ssl restart

Email Aliases

Use phpldapadmin to add LDAP email aliases or just use the file:

server:~>emacs -nw /etc/aliases

DNS HOWTO

server:~>apt-get install bind9
server:~>emacs -nw /etc/bind/named.conf.options
server:~>emacs -nw /etc/bind/named.conf.local
server:~>emacs -nw /etc/bind/db.{name}
server:~>/etc/init.d/bind9 restart

Notes

  • Each time you edit the db files (e.g. db.mydomain.com or db.0.0.10) you need to increase the serial number.
  • The @ IN NS needs in db.mydomain.com needs to match the @ IN NS record in db.0.0.10

Testing

server:~>apt-get install host dns-browse
server:~>host machine_name
server:~>dig machine_name
server:~>nslookup machine_name

DHCP HOWTO

server:~>apt-get install dhcp3-server
server:~>emacs -nw /etc/dchp3/dhcpd.conf
server:~>/etc/init.d/dhcp3-server restart

Client Config

client:~> less /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

client:~>ifup eth0

Jail (chroot)

  1. Install
    server:~> sudo apt-get install rssh jailer
    server:~> sudo chmod u+s /usr/lib/rssh/rssh_chroot_helper
    
  2. Configure RSSH - allow services (e.g. allowscp) and set chrootpath = /jail in /etc/rssh.conf
  3. Create the /jail/ with mkchroot.sh
  4. Setup syslog:
    server:~> /sbin/syslogd -a /jail/dev/log
    
  5. Set jail home path and rssh shell for each jail user in /etc/passwd, e.g.
    user:x:3000:3000:,,,:/home/user:/bin/bash
    jailuser:x:3000:3000:,,,:/jail/home/jailuser:/usr/bin/rssh
    
  6. Remove all non-jail users and set the home path and rssh shell for each jail user in /jail/etc/passwd. e.g.
    jailuser:x:3000:3000:,,,:/home/jailuser:/usr/bin/rssh
    

APT Cache

server:~> apt-get install apt-cacher
server:~> emacs /etc/apt-cacher/apt-cacher.conf
Then change entries in /etc/apt/sources.list form
deb http://archive.ubuntu.com/ubuntu/ dapper main restricted
to
deb http://server:3142/apt-cacher/archive.ubuntu.com/ubuntu/ \
dapper main restricted

Timezone Config

client:~>echo "Australia/Sydney" > /etc/timezone
client:~>ln -s /usr/share/zoneinfo/Australia/Sydney /etc/localtime

NTP Config

client:~>apt-get install ntpdate
client:~>ntpdate ntp.server.com

Access Point Config

Setup the device in master mode:

server:~>iwconfig ath0 mode master
However if that command returns:
Error for wireless request "Set Mode" (8B06) :
SET failed on device ath0 ; Invalid argument.
Try to set the mode during installation of the module, for example some madwifi modules for Atheros wireless NIC's require:
server:~>modprobe ath_pci autocreate=ap
Then simply set the ESSID and IP address:
server:~>iwconfig ath0 essid my_wireless_name
server:~>ifconfig ath0 192.168.1.1 up

NOTES: Replace ath0 with the correct NIC device name.

Network Router Config

If your server is connected to the internet via a router, you will need your router to forward incomming traffic on port 25 (SMTP), port 143 (IMAP), port 80 (HTTP) to your server. This can be done via the following script:

Example Port Forwarding Script:

#!/bin/sh

ETH="ppp0"
DMZ_HOST="10.0.0.10"
DMZ_PORTS="ssh,www,imap"

echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables -t nat -A PREROUTING -p tcp -m multiport /
 --dport $DMZ_PORTS -i $ETH -j DNAT --to $DMZ_HOST

However you may wish to run a serious firewall, so feel free to use Luke Cole's iptables firewall sh script firewall-router.

Prevent SYN flood bombs

Turn ON SYN cookies

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Increase half-open connections can be kept by the backlog queue.
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog

"Testing" / "Monitoring"

Live-CDs / Frameworks: BackTrack, Phlak, Metasploit

Ubuntu/Debian Packages:

server:~>apt-get install netcat nessus nmap tcpick tcpdump iptraf /
 iproute pktstat traceroute ethereal etherape geoip-bin net-tools /
 sysstat hddtemp hdparm lm-sensors snort psad fail2ban clamav /
 rkhunter chkrootkit nikto dsniff scapy packit nast distributed-net /
 fakepop kismet airsnort weplab aircrack john medussa crack-md5 /
 fcrackzip pdfcrack wordplay an apg gpw otp 

Machine Optimization

  1. svctm (via iostat) should be no greater then 30 (milliseconds) and %util (via iostat) should be no greater then 5 (%). This indicates the system disk(s) are not tuned or are too slow.
  2. %wa (via top) should be no greater then 30 (%). This indicates the system disk(s) are not tuned or are too slow.
  3. procs r (via vmstat) should be no greater then the number of CPUs on the system and no more then four times the number of available CPUs on the system. This indicates shortage of CPU power.
  4. cpu sy (via vmstat) should be no greater then four times cpu us (via vmstat). This indicates shortage of CPU power.

Once you have determined a machine is in overload (e.g. your server is using to much cpu, memory or disk read/write access). Then you can either upgrade the cpu, memory or disk speed. However if disk speed is your problem (a common problem, see above) due to, for example, mysql, you could even the load via moving your /var/lib/mysql/ directory to a second drive or another machine.

For more info, then I recommend you read documents such as

Example Files

Users of this network can ssh to lukecole.name and visit the config backup directory for lukecole.name which provides the current server and router config, crontab and script files:

server:~>/data/conf/server/
server:~>/data/conf/router/
server:~>/data/bin/
Otherwise contact Luke Cole for examples.

Enjoy!

 

© 2000-2019 Luke Cole
All rights reserved