GNU.WIKI: The GNU/Linux Knowledge Base

  [HOME] [HowTo] [ABS] [MAN1] [MAN2] [MAN3] [MAN4] [MAN5] [MAN6] [MAN7] [MAN8] [MAN9]

 


  "Pocket" ISP based on RedHat Linux HOWTO
  Anton Chuvakin, anton@chuvakin.org
  v2.0.0 10 January 2001

  This document outlines the setup of a single RedHat box for dialins,
  virtual web hosting, virtual email, POP3 and ftp servers. Why anybody
  might need this in one box is beyond the scope of this document. The
  idea is a complete ISP solution based on RedHat Linux. Any part of
  this setup can be implemented separately though. I will try to empha�
  size all the commands so one can just paste them to configure his own
  box.  The list of documents that I borrowed from and some further
  reading is provided below (see References section).  I will keep secu�
  rity in mind on all stages of the setup and will make clear all the
  security limitations of this setup, that I am aware of.  I should add
  that assets that are to be protected in this case are considered not
  very valuable (e.g. personal pages etc) thus efforts spent on securing
  the setup are allowed to be limited.
  ______________________________________________________________________

  Table of Contents


  1. Introduction

  2. Changes

  3. TODO Tue Jan  9 13:14:15 EST 2001

     3.1 New versions of this document
     3.2 Feedback
     3.3 Standard disclaimer
     3.4 Support
     3.5 Copyright information

  4. Step by step guide

     4.1 Get RH
     4.2 Install RH
     4.3 Some install tips
     4.4 Some preliminary security configuration
     4.5 Remove unnecessary services
     4.6 Enable multiple IP addresses
     4.7 Configure DNS
     4.8 Configure httpd
     4.9 Configure sendmail
        4.9.1 Setup
        4.9.2 Troubleshooting
     4.10 Configure POP3
        4.10.1 Setup
        4.10.2 Troubleshooting
     4.11 Configure FTP server
        4.11.1 Anonymous FTP setup
        4.11.2 Guest FTP setup
     4.12 Configure dialin
        4.12.1 Linux setup
        4.12.2 Windows setup
     4.13 Open access

  5. Conclusion

  6. References



  ______________________________________________________________________

  1.  Introduction

  The guide assumes some familiarity with Linux functionality and
  general Linux/UNIX setup procedure (although not very detailed). Fully
  functional brain is also required for some stages of the procedure.
  All setup would be done manually (without the use of linuxconf, Webmin
  or other tools). Not that those are bad or that there is anything
  wrong with them. The reasons for that are: 1) it is comparatively hard
  to give step by step directions that produce predictable results as
  these tools pretend they are intelligent and "know better" (also known
  as "Windows syndrome") 2) layout of tools changes with time and is
  different in some distributions 3) manual setup gives better
  understanding of system works (not that it is always required though)
  4)some tools allow only limited configuration of Linux system or do
  not keep up with updated features of services they try to configure.

  I should add, that another solution seems to be very promising. It is
  virtfs developed by Afra Ahmad. Its main part is a perl script so it
  does not suffer from being a "black box". It will automatically
  configure all virtual services in a highly customizable fashion.

  It is based on taking advantage of the chroot environment. A separate
  and smaller filesystem is created for each virtual server, and when a
  service is requested, the main server will chroot to the desired
  virtual server.

  This method may take up more disk space, but it is much more flexible,
  especially when dealing with the services. For example, it is possible
  to have two different email accounts bob@vdomain1.com and
  bob@vdomain2.com (as you are dealing with two different passwd files).
  It might be essential for a bigger hosting site.

  For more information please visit the Virtfs page at
  http://www.prongs.org/virtfs.

  While many improvements are possible to the setup described in this
  HOWTO they might be described in later editions of this document - I
  just outline one possible way (accidentally, the one I used). The
  writeup is aimed at RedHat Linux, but with trivial changes can be used
  on any modern Linux distribution.  The resulting configuration loosely
  follows the setup of some particular machines built by the author.


  2.  Changes

  from 1.1.1 to 2.0.0


  �  References updated (single IP hosting)

  �  RedHat 7.0 based

  �

  from 1.1.0 to 1.1.1


  �  Partitioning scheme described

  �  Some comments to dialin server setup added (based on user feedback)

  �  Some comments to ftp server setup added (based on user feedback)

  from 1.0.3 to 1.1.0


  �  Description of virtfs added

  �  Qpopper and WUftpd bugs described

  �  Double connections issue mentioned as requested by one of the
     readers

  �  POP-only accounts described

  �  References added

  from 1.0.2 to 1.0.3


  �  Some spelling errors corrected (thanks to Eugene Shishkin for that)

  from 1.0.1 to 1.0.2


  �  Some errors corrected (spelling)

  �  Method to chroot non-anonymous ftp users ("guest" users; those with
     password and usernames, but with access only to their home
     directories; used for easy web updates)

  �  References section updated

  �  Troubleshooting subsections added to two sections

  �  Qpopper update

  from 1.0.0 to 1.0.1


  �  Many errors corrected (both spelling and factual)

  �  References section updated

  �  Minor changes in wording and syntax to improve clarity

  �  More security info added to several sections

  �  Windows configuration for dialup added

  Next update planned at: upon request or when new program versions are
  released


  3.  TODO Tue Jan  9 13:14:15 EST 2001


  �  How to test each service section added! (including maybe strace:
     (mkdir /tmp/strace; mv .../in.ftpd .../in.ftpd.binary, create a two
     line shell script named in.ftpd with: #!/bin/sh  and I've described
     strace wrappers and reading strace output in past LG articles;
     search for some hints))

  �  More on security of all the services we install (clear text
     password, DoS by overflowing partition in mail and ftp, http access
     configs etc), including maybe the very basic ipchains setup
     (ipchains as safer alternative to tcp wrappers)

  �  Add info on POP3 and ftp tunneling via ssh (just for fun) or refer
     to other HOWTOs


  �  Add troubleshooting subsections to various sections

  �  Add SSL-enabled Apache install and basic configuration

  �  Add news server setup - who needs it?

  �  User accounting setup (acc, acua)

  �   Description of  mail-only users (playing with proxyarp and
     restricting their access only to the local machine)



  3.1.  New versions of this document

  New versions of this document can be found at

  http://www.chuvakin.org/ispdoc


  3.2.  Feedback

  All comments, error reports, additional information (very much
  appreciated!!!) and criticism of all sorts should be directed to:
  anton@chuvakin.org

  http://www.chuvakin.org/

  My PGP key is located at http://www.chuvakin.org/pgpkey

  Please direct spelling error comments to your friendly local spell
  checker.

  If you plan to ask for help, see support section first.


  3.3.  Standard disclaimer

  No liability for the contents of this document can be accepted.  Use
  the concepts, examples and other content at your own risk.
  Additionally, this is an early version, with many possibilities for
  inaccuracies and errors.

  One of many possible setups will be described. In the Linux world,
  there is usually a number of ways in which to accomplish things.

  As far as I know, only programs that under certain terms may be used
  or evaluated for personal purposes will be described. Most of the
  programs will be available complete with source under GNU-like terms.


  3.4.  Support

  This is ridiculous, right? Who may ask for support after seeing such a
  comprehensive doc ;-) ?

  Anyhow, if you are curious about some particular aspect of this setup
  or some of my writing is unclear, just drop me an email and I might
  answer it (at least, be assured that I will read it).

  Now, if you require a phone, hand-holding style support or my work on
  your system, I might be able to provide it on certain terms (if I have
  time and your case seems interesting enough ;-) )



  3.5.  Copyright information

  This document is copyrighted (c) 2000,2001 Anton Chuvakin and
  distributed under the following terms:


  �  Linux HOWTO documents may be reproduced and distributed in whole or
     in part, in any medium physical or electronic, as long as this
     copyright notice is retained on all copies. Commercial
     redistribution is allowed and encouraged; however, the author would
     like to be notified of any such distributions.

  �  All translations, derivative works, or aggregate works
     incorporating any Linux HOWTO documents must be covered under this
     copyright notice.  That is, you may not produce a derivative work
     from a HOWTO and impose additional restrictions on its
     distribution. Exceptions to these rules may be granted under
     certain conditions; please contact the Linux HOWTO coordinator at
     the address given below.

  �  If you have questions, please contact Greg Hankins, the Linux HOWTO
     coordinator, at

     gregh@sunsite.unc.edu


  4.  Step by step guide


  Ingredients needed:

  �  RedHat Linux distribution (the instructions are exactly applicable
     to RedHat 6.x or 7.x and, I think,  with some minor changes to
     5.x))

  �  compatible hardware (also known as a PC), that includes network
     card and modem (at least one)

  �  3-256 IP addresses (as the machine will give out some IP addresses
     for modem callers and use others for virtual hosting more than 1 is
     needed, the upper number is the maximum number of IP-based virtual
     hosts allowed without recompiling the stock RedHat kernel, lower is
     one real IP, one modem and one virtual IP - see reference for
     sinlge IP virtual hosting below).

  �  some sort of permanent network connection (using some modems for
     dialin while providing the Internet access via another modem is
     considered totally weird and not recommended)

  Here follows the procedure:


  4.1.  Get RH

  Purchase or otherwise procure the RedHat 7.0 (further referred as RH,
  latest version number is 7.0 at the time of updating) distribution and
  compatible hardware.  One can get a full RH CDROM for about $3.00
  including shipping and handling at http://www.cheapbytes.com. This
  version will not contain such luxuries as secure web server and extra
  software. For those you should turn to RedHat website.  Or probably
  buying the PC with Linux RH pre-installed is  an option for some.



  4.2.  Install RH

  Install the RH following the *instructions on the package* (might be
  added here later). CDROM install is very easy to perform. I suggest
  using text-mode setup, in my case their graphical one failed
  miserably. When asked about the installation type
  (Server/Workstation/Custom) choose Server or Custom (if you know what
  you are doing)-you can always add software later. Some other important
  installation decisions are outlined further. For RH 6.0 and 6.1 you
  might be able to add packages to Workstation setup as well, but in RH
  6.2 and later (7.0) all the server services are disabled and
  significant amount of tweaking is required-so only Server or Custom is
  strongly recommended.


  4.3.  Some install tips

  If your hardware really is compatible the installation process will
  detect and configure it correctly. Otherwise, refer to corresponding
  documentation for troubleshooting network card, modem, video card, etc
  problems (mostly HOWTOs and mini-HOWTOs, some are in References
  section below).

  Here are some ideas on disk space partitioning. Read Linux Partitions
  HOWTO  (a bit outdated) to get some general hints on functions of
  partitions and their sizes for different kinds of server setups.

  Lest assume we are setting up a server for under one hundred users. We
  will need separate /tmp, /var and /home partititons (and swap, of
  course).  If you hard drive is around 4 GB than roughly 300 MB is
  /tmp, 100MB swap, 1 GB /var (you want ample logging) and 1GB /home.
  The remaining  1.6GB will be root partition (no separate /usr). The
  split between /home  and / might depend upon the amount of web pages
  you plan to host - the more pages the more space goes to /home. To
  enhance security it is nice to put some restricions (in /etc/fstab) to
  /tmp, /var and /home partitions (similar to those described in my
  Public Browser Station HOWTO .

  If your network card is detected properly you will be asked for an IP
  address of your machine, gateway address and network mask and the
  address of the DNS server (might be your own machine if you plan to
  set it up this way). Have all this info handy.  Also you will be asked
  for a machine name and domain name.  We will use a sample domain name
  you.com and the machine will be named ns (that gives us a fully
  qualified domain name (FQDN) ns.you.com). You should use whatever
  domain you registered (see Setting Up Your New Domain Mini-HOWTO, link
  in References section below) and intend to use as your primary domain
  (not a virtual).  For the gateway address we will use a sample
  111.222.333.111 address. Gateway is likely the router that connects
  your machine (or your LAN) to the outside world.

  Enable shadow and MD5 passwords for greater security.  First of those
  makes the file that contains encrypted passwords readable only to root
  user and the second allows longer and harder to crack passwords.  As
  it will be a standalone machine do not enable NIS/NFS.

  After installation finishes and machine reboots you will see the login
  prompt.  Enter login and password (for the root account) and start
  configuring you new Linux station.


  4.4.  Some preliminary security configuration

  First (and fast), add a line: ALL:ALL to your /etc/hosts.deny file.
  That would (to some known extent) prevent other people from accessing
  your machine while you are doing the configuration. That will also
  prevent you from doing the same. For further configuration efforts
  (that can be done remotely, by the way) secure shell is recommended.
  Download the RPM package for RH from one of the many sites and install
  it (as root) using:  rpm -U ssh*rpm or similar command (depends upon
  the version). You will have to get both client and server packages (if
  you want to ssh from this machines as well as to this machine). Upon
  installation all necessary post-installation commands (like server key
  generation) are run automatically by the RPM package. You will have to
  start server manually using command /etc/rc.d/init.d/sshd start.Some
  early versions of ssh1 and also all versions of ssh1 compiled with
  RSAREF library contain a buffer-overflow bug. Use ssh2 or the latest
  version of ssh1 without RSAREF. If you do this you will have to allow
  access using ssh from some trusted machine (described later) in
  /etc/hosts.allow file. RedHat 7.0 now includes OpenSSH clone that
  supports both ssh1 and ssh2 protocols. Its configuration is almost the
  same as ssh. It has some minor configuration advantages over ssh (for
  instance, no X11 forwarding by default) and is otherwise the same.
  Sshd (when run as daemon) will also refer to  /etc/hosts.deny and
  /etc/hosts.allow for access control.

  If you want to be really rigorous in you configuration pursuits go to
  single use mode by giving the command init 1, in this case all work is
  to be done locally and you would not be able to test you network-
  related configuration as network is not available in this mode.

  To further enhance your security ipchains software (that is usually
  part of your Linux distribution) can be used (for that refer to
  IPCHAINS HOWTO, link in References).  It takes quite a bit more
  efforts to configure it than TCP wrappers, although some automated
  tools are available for that too.


  4.5.  Remove unnecessary services

  Now lets deal with unnecessary services. Please note that my idea of
  "unnecessary" might not be 100% same as yours. Also, telnet is now
  considered by many to be not only unnecessary, but really utterly
  undesirable. Use ssh, and forget telnet once and for all!

  1. Services started from /etc/inetd.conf (RedHat 7.0 introduced the
     more advanced /etc/xinetd.conf which uses somewhat different
     syntax, see below):

     comment out all the lines, but those


       ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -L -l -i -a
       telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd



  Check this by using the command: grep -v '\#' /etc/inetd.conf

  If you will be using the secure shell (ssh), telnet is also not
  necessary and can be removed. Secure shell can either be started as a
  daemon on system startup or as a service from /etc/inetd.conf. Default
  configuration (used by the RPM package) is to start is as a daemon.
  Sshd can be compiled to refer to /etc/hosts.allow file for access
  control. In this case, while you will not have it in your
  /etc/inetd.conf, it will still use the settings from /etc/hosts.allow
  and /etc/hosts.deny. The advantages of this method is faster
  connection as the sshd will not have to regenerate server key every
  time somebody connects. On the other hand, if you start it from
  /etc/inetd.conf it will be more isolated from the outside world.  More
  lines will be added to /etc/inetd.conf as necessary (POP3 is one of
  those).

  Here goes the note for RedHat 7.0 users. Inetd daemon (while still
  present in  the distribution) is now replaced with xinetd. Its
  configuration file format is  as follows:


       #
       # Simple configuration file for xinetd
       #
       # Some defaults, and include /etc/xinetd.d/

       defaults
       {
               instances               = 60
               log_type                = SYSLOG authpriv
               log_on_success          = HOST PID
               log_on_failure          = HOST RECORD
       }

       includedir /etc/xinetd.d



  where /etc/xinetd.d directory looks like (with probably more file in
  your case):


       -rw-r--r--    1 root     root          498 Aug 23 00:17 tftp
       -rw-r--r--    1 root     root          414 Jul 21 08:43 rsh
       -rw-r--r--    1 root     root          362 Jul 21 08:43 rexec
       -rw-r--r--    1 root     root          361 Jul 21 08:43 rlogin
       -rw-r--r--    1 root     root          347 Aug  9 05:55 wu-ftpd



  Files in the directory configure individual services like finger,
  telnet or ftp. There format is (this service, ftp, defaults to on on
  stock RedHat 7.0)


       # default: on
       # description: The wu-ftpd FTP server serves FTP connections. It uses \
       #       normal, unencrypted usernames and passwords for authentication.
       service ftp
       {
               socket_type             = stream
               wait                    = no
               user                    = root
               server                  = /usr/sbin/in.ftpd
               server_args             = -l -a
               log_on_success          += DURATION USERID
               log_on_failure          += USERID
               nice                    = 10
       }



  Or (this service, tftp, defaults to off on stock RedHat 7.0)



  # default: off
  # description: The tftp server serves files using the trivial file transfer \
  #       protocol.  The tftp protocol is often used to boot diskless \
  #       workstations, download configuration files to network-aware printers, \
  #       and to start the installation process for some operating systems.
  service tftp
  {
          socket_type             = dgram
          wait                    = yes
          user                    = nobody
          log_on_success          += USERID
          log_on_failure          += USERID
          server                  = /usr/sbin/in.tftpd
          server_args             = /tftpboot
          disable                 = yes
  }



  So, to disable services add "disable= yes" to the end of correspondent
  file or just remove the file.


  2. Services started on system startup from /etc/rc.d directory:

     Check what services are running by using: ps ax. You will get
     something similar to the sample output below:


           PID TTY      STAT   TIME COMMAND
           1 ?        S      0:04 init
           2 ?        SW     0:30 [kflushd]
           3 ?        SW     0:32 [kupdate]
           4 ?        SW     0:00 [kpiod]
           5 ?        SW     0:03 [kswapd]
           6 ?        SW<    0:00 [mdrecoveryd]
         296 ?        SW     0:00 [apmd]
         349 ?        S      0:00 syslogd -m 0
         360 ?        S      0:00 klogd
         376 ?        S      0:00 /usr/sbin/atd
         392 ?        S      0:00 crond
         412 ?        S      0:00 inetd
         454 ttyS0    S      0:00 gpm -t ms
         533 tty2     SW     0:00 [mingetty]
         534 tty3     SW     0:00 [mingetty]
         535 tty4     SW     0:00 [mingetty]
         536 tty5     SW     0:00 [mingetty]
         537 tty6     SW     0:00 [mingetty]
         667 tty1     SW     0:00 [mingetty]
        4540 ?        S      0:00 httpd
        5176 ?        S      0:00 httpd
        5177 ?        S      0:00 httpd
        5178 ?        S      0:00 httpd
        5179 ?        S      0:00 httpd
        5180 ?        S      0:00 httpd
        5181 ?        S      0:00 httpd
        5182 ?        S      0:00 httpd
        5183 ?        S      0:00 httpd
        7321 ?        S      0:00 /usr/sbin/sshd                 <<< only after you installed sshd to run on startup
        7323 pts/0    S      0:00 -bash
        7336 pts/0    R      0:00 ps ax



  Lets concentrate on processes that listen to network, such as lpd.
  Since we do not plan to use our server for printing (we sure might, I
  just don't describe it here), I suggest we remove the printer daemon
  by: rpm -e lpd . If rpm complains about any dependencies (like, in my
  case, printfilter and rhprinttool), add them to your rpm -e command
  and repeat it. Other services that should be removed are NFS, NIS,
  samba etc, if they got installed by mistake. Make sure you remove
  NFS/NIS (if you are not using them) as bugs are often found in them.
  Again, these are useful things, I am just following the *golden rule*
  "remove the software you don't currently use". And, with RH RPM it is
  really easy to add it any time in the future.

  Some more basic security settings can be obtained from Armoring Linux
  paper. As suggested there, lets make a wheel group with trusted users
  (in our case, only user youwill be able to do /bin/su and to run cron
  jobs (together with root).

  �  wheel group for sensitive commands:


     1. vi /etc/group, add a line (if it doesn't exist):

        wheel:x:10:root,you


     as shown.  You don't have to use vi (and somehow I understand it
     very well ;-)), just use your favorite editor (for a nice reason�
     ably user-friendly non-X editor try pico, distributed together with
     mail program pine, the latter is part of most Linux distributions)

     2.

        /bin/chgrp wheel /bin/su


     wheel group on /bin/su

     3.

        /bin/chmod 4750 /bin/su



  �  restrict cron:

     To only allow  root and you to submit cron jobs create a file
     called /etc/cron.allow that contains usernames that you want to be
     able to run cron jobs. This file might look like this:


       root
       you



  Why should one restrict cron jobs? Local exploits to elevate privi�
  leges to root from, say, nobody, exist for some versions of cron.

  I suggest you do not install X Windows as it will bring new concern
  that you might not be prepared to deal with.



  4.6.  Enable multiple IP addresses

  Now we are ready to enable our machine to handle multiple IP addresses
  for virtual hosting. At that point, the IP Aliasing HOWTO might come
  handy (see link in References).  For several reasons, IP-based virtual
  hosting is better (if you have enough IP addresses, that is). For
  instance, reverse lookups would succeed, if done from the browser
  side. It might also be needed for hosting cryptographically enabled
  websites (commonly known as "secure websites").  Older browsers (not
  supporting HTTP 1.1) will get unhappy too.

  The changes would be concentrated in /etc/rc.d/ directory.  To enable
  multiple IP addresses your kernel should support this. On a freshly
  installed RH Linux it does. To verify it one should look into the
  config file that was used to compile the kernel. In my case, it was
  /usr/src/linux/configs/kernel-2.2.17-i686.config since the machine has
  Pentium III processor.  This file exists, if the kernel-source RPM
  package was installed. If line CONFIG_IP_ALIAS=y is present in the
  file than you are OK.  While we are here, we can also confirm the
  ability to forward IP packets (needed for dialup users PPP). This
  ability is present, but not turned on by default (to turn it on do
  execute the following command echo 1 > /proc/sys/net/ipv4/ip_forward
  or add a line into /etc/sysctl.conf). Also needed is the support for
  PPP protocol (line CONFIG_PPP=m, this means PPP support is compiled as
  a kernel loadable module, CONFIG_PPP=y is also OK)

  The examples will use the ridiculous IP addresses
  111.222.333.444-111.222.333.777 from C block 111.222.333.0.
  111.222.333.444 is a real host IP (that is configured during RH
  installation), 111.222.333.555-777 are virtual addresses and
  111.222.333.888 is a dialin user address (can be more of those).


  Lets assume we want to configure 3 virtual hosts.

  Two sets of commands will be used:

  1.


       /sbin/ifconfig eth0:0 111.222.333.555
       /sbin/ifconfig eth0:1 111.222.333.666
       /sbin/ifconfig eth0:2 111.222.333.777



  These will bind the IP addresses to (virtual) interfaces
  eth0:0-eth0:2.


  2.


       /sbin/route add -host  111.222.333.555 dev eth0
       /sbin/route add -host  111.222.333.666 dev eth0
       /sbin/route add -host  111.222.333.777 dev eth0



  These commands will add routes for those addresses and connect those
  to real interface eth0 (ethernet card).

  After doing them the ifconfig command output (ifconfig) will look like
  this:


       eth0      Link encap:Ethernet  HWaddr 02:60:8C:4D:24:CE
                 inet addr:111.222.333.444  Bcast:255.255.255.255  Mask:255.255.255.0
                 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                 RX packets:901597 errors:33 dropped:0 overruns:0 frame:823
                 TX packets:433589 errors:0 dropped:0 overruns:0 carrier:0
                 collisions:128327 txqueuelen:100
                 Interrupt:5 Base address:0x280

       eth0:0    Link encap:Ethernet  HWaddr 02:60:8C:4D:24:CE
                 inet addr:111.222.333.555  Bcast:111.222.333.255  Mask:255.255.255.0
                 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                 Interrupt:5 Base address:0x280

       eth0:1    Link encap:Ethernet  HWaddr 02:60:8C:4D:24:CE
                 inet addr:111.222.333.666  Bcast:111.222.333.255  Mask:255.255.255.0
                 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                 Interrupt:5 Base address:0x280

       eth0:2    Link encap:Ethernet  HWaddr 02:60:8C:4D:24:CE
                 inet addr:111.222.333.777  Bcast:111.222.333.255  Mask:255.255.255.0
                 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                 Interrupt:5 Base address:0x280

       lo        Link encap:Local Loopback
                 inet addr:127.0.0.1  Mask:255.0.0.0
                 UP LOOPBACK RUNNING  MTU:3924  Metric:1
                 RX packets:26232 errors:0 dropped:0 overruns:0 frame:0
                 TX packets:26232 errors:0 dropped:0 overruns:0 carrier:0
                 collisions:0 txqueuelen:0



  All commands can be added to the bottom of /etc/rc.d/rc.local so that
  the changes are saved after reboot. Strictly speaking, rebooting
  machine is not required for adding new IP addresses. Please, do docu�
  ment all changes you do to your machines. Many a good sysadmin (or,
  should I say not-so-good?)  were burned on that at some point in their
  careers.

  TO TEST THE CHANGES

  Do: ping virtual addresses as

  ping 111.222.333.555
  ping 111.222.333.666
  ping 111.222.333.777



  Should get: interfaces should be up


  4.7.  Configure DNS

  Now we are ready to configure DNS.  The easiest way would be to add
  the hostnames (real and all the virtual) that we want to be seen by
  the world to the configuration of some machine that already has bind
  (DNS daemon) running. But, since we are setting up ISP-in-a-box we
  might not be able to avoid "DNS fun".


  Now, let me also try to defend the (well, questionable) choice of
  "outdated" version of bind 4.9.7 (last of the pre-8 series). I know
  that my arguments can be beaten, now that even bind 9 is out, but I
  consider bind 4.9.7 much more time-tested and stable. The arguments
  for upgrading to 8.x (provided
  http://www.acmebw.com/askmrdns/00444.htm and
  http://www.dns.net/dnsrd/servers.html and, I guess, at many other
  places. Here is a message from Theo de Raadt himself (the head of
  OpenBSD development) where he justifies the choice of bind 4 as part
  of OpenBSD-the most secure UNIX OS around. He also shudders at the
  amount of bugs the OpenBSD auditing team saw in BIND 8 source code)
  still didn't seem to convince many people. And, lets not forget the
  "exploit of 1999" - ADMROCKS, that gives remote root access to almost
  any Linux machine running bind prior to 8.1.2 patch 3. Judging by the
  INCIDENTS mailing list, this is still a very popular way to attack RH
  versions 5.0-6.1 if no recommended upgrades are installed.  It is
  claimed that named (whatever version) should always be run in a chroot
  jail.

  Here are the instructions, loosely following the DNS book from
  O'Reilly (a good one, highly recommended to all, but very casual DNS
  user).


  1. Find and install bind 4.9.7 either from RPM package (RH 4.2, if I
     am not mistaken - for that you can use RPMFIND.net, personally I
     didn't try this and so I am somewhat skeptical about installing RH
     4.2 package on RH 6.1 system, but it might work) or from source
     (bind 4.9.7, compiling it is a bit troublesome, but reading all the
     README files in the archive will definitely help).

  2. Create files and directories needed for bind:

  �  /etc/named.boot

  �  /etc/namedb

  �  /etc/namedb/db.you

  �  /etc/namedb/db.111.222.333

  �  /etc/namedb/db.127.0.0

  �  /etc/namedb/db.yoursite1

  �  /etc/namedb/db.yoursite2

  �  /etc/namedb/db.yoursite3

     This will be used for 3 virtual domains:
     yoursite1.com,yoursite2.com and yoursite3.com. One more important
     comment refers to secondary DNS issue.  As all your domains and all
     their services will be hosted on the same machine, DNS backup in
     the form of secondary server doesn't make much sense: if your
     primary DNS is down everything else (mail, www, ftp, pop, etc) is
     down as well. But you do have to have a secondary DNS to register a
     domain.  Try to convince somebody to put you in as a secondary or
     use a free DNS service (link is in Setting Up Your New Domain Mini-
     HOWTO).

  3.

     That is how they look like (if you are unfamiliar with bind 4.x
     configuration file format, please, do read either the O'Reilly DNS
     book or any of the HOWTOs or documents at bind pages, or, better,
     all of the above.  You also have an option of using them without
     understanding, but this is a bad idea in general):

     /etc/named.boot

     This is the main config file for bind 4.9.x.


       directory /etc/namedb

       ;cache-obtained from internic, usually
       cache   .                               db.cache

       ;main config files
       primary you.com                         db.you
       ;reverse lookups
       primary 333.222.111.in-addr.arpa        db.111.222.333
       ;localhost.localnet configs
       primary 0.0.127.in-addr.arpa            db.127.0.0

       ;virtual Domains
       primary yoursite1.net                     db.yoursite1
       primary yoursite2.net                     db.yoursite2
       primary yoursite3.net                     db.yoursite3



  4.

     /etc/namedb/db.you



       ; defines our local hosts at you.com, just one in our case, and its aliases
       @                       IN      SOA     ns.you.com. root.ns.you.com. (
                                               2000012190 7200 1800 3600000 7200 )
       ;name servers and mail servers
                               IN      NS      ns.you.com.
                               IN      MX      10 ns.you.com.
                               IN      A       111.222.333.444
       ns                      IN      A       111.222.333.444

       ;address of the canonical names
       localhost               IN      A       127.0.0.1
       gateway                 IN      A       111.222.333.111

       ;aliases (to use in ftp: ftp ftp.you.com etc, for clarity)
       www                     CNAME   ns
       mail                    CNAME   ns
       ftp                     CNAME   ns
       pop3                    CNAME   ns



  5.

     /etc/namedb/db.111.222.333



  ;reverse mapping of our IP addresses
  .
  ;origin is 333.222.111.in-addr.arpa
  333.222.111.in-addr.arpa. IN    SOA     ns.you.com. root.ns.you.com. (
                                          1999121501 7200 1800 3600000 7200 )
  ;name Servers
                          IN      NS      ns.you.com.

  ;addresses point to canonical name
  444.333.222.111.in-addr.arpa.   IN      PTR     ns.you.com.
  ;dialins
  888                             IN      PTR     dialup.you.com.

  ;virtual hosts
  555                             IN      PTR    yoursite1.com.
  666                             IN      PTR    yoursite2.com.
  777                             IN      PTR    yoursite3.com.



  6. /etc/namedb/db.127.0.0



       ;local loop config file
       0.0.127.in-addr.arpa.   IN      SOA     ns.you.com. root.ns.you.com. (
                                               1997072200 7200 1800 3600000 7200 )
                               IN      NS      ns.you.com.
       1                       IN      PTR     localhost.



  7. /etc/namedb/db.yoursite1



       ; yoursite1.com
       @                       IN      SOA     virtual root.virtual (
                                               1999092201      ; Serial: update each time the file is changed
                                               7200            ; refresh, sec
                                               1800            ; retry, sec
                                               3600000         ; expire, sec
                                               7200 )          ; minimum TTL
       ;name servers
                               IN      NS      ns.you.com.
                               IN      MX      10 virtual
                               IN      A       111.222.333.555
       ;address of the canonical names
       localhost               IN      A       127.0.0.1
       gateway                 IN      A       111.222.333.111
       virtual                 IN      A       111.222.333.555
                               IN      MX      10 virtual
       ;aliases
       www                     CNAME   virtual
       mail                    CNAME   virtual
       ftp                     CNAME   virtual
       pop3                    CNAME   virtual



  8. /etc/namedb/db.yoursite2


  ; yoursite2.com
  @                       IN      SOA     virtual root.virtual (
                                          1999092201      ; Serial: update each time the file is changed
                                          7200            ; refresh, sec
                                          1800            ; retry, sec
                                          3600000         ; expire, sec
                                          7200 )          ; minimum TTL
  ;name servers
                          IN      NS      ns.you.com.
                          IN      MX      10 virtual
                          IN      A       111.222.333.666
  ;address of the canonical names
  localhost               IN      A       127.0.0.1
  gateway                 IN      A       111.222.333.111
  virtual                 IN      A       111.222.333.666
                          IN      MX      10 virtual
  ;aliases
  www                     CNAME   virtual
  mail                    CNAME   virtual
  ftp                     CNAME   virtual
  pop3                    CNAME   virtual



  9. /etc/namedb/db.yoursite3



       ; yoursite3.com
       @                       IN      SOA     virtual root.virtual (
                                               1999092201      ; Serial: update each time the file is changed
                                               7200            ; refresh, sec
                                               1800            ; retry, sec
                                               3600000         ; expire, sec
                                               7200 )          ; minimum TTL
       ;name servers
                               IN      NS      ns.you.com.
                               IN      MX      10 virtual
                               IN      A       111.222.333.777
       ;address of the canonical names
       localhost               IN      A       127.0.0.1
       gateway                 IN      A       111.222.333.111
       virtual                 IN      A       111.222.333.777
                               IN      MX      10 virtual
       ;aliases
       www                     CNAME   virtual
       mail                    CNAME   virtual
       ftp                     CNAME   virtual
       pop3                    CNAME   virtual



  These configuration files will allow you to host these three virtual
  domains and your real domain you.com.

  TO TEST THE CHANGES

  Do: check address resolution

  nslookup www.you.com
  nslookup www.yoursite1.com
  nslookup www.yoursite2.com
  nslookup www.yoursite3.com

  Should get: nslookup returns the correct IP addresses for all
  hostnames


  4.8.  Configure httpd

  To server html pages httpd daemon is used. RH 7.0 comes with Apache
  1.3.12 (latest version is currently 1.3.14 and the alpha of the
  upcoming 2.0 is released).  At that point it is wise to check RH site
  or its mirrors (RH Mirrors) for updates.

  Most changes that we are about to make concentrate in
  /etc/httpd/httpd.conf (RH standard location for Apache configuration).
  Default location for html pages (shown when you go to www.you.com) is
  /home/httpd/html. You can allocate directories for virtual hosts
  within the same  /home/httpd, shown below are the following locations
  for them: /home/httpd/yoursite1, /home/httpd/yoursite2 and
  /home/httpd/yoursite3.

  Below I provide the minimum necessary changes for your
  /etc/httpd/httpd.conf file:



       <VirtualHost 111.222.333.555>
       ServerAdmin webmaster@you.com
       DocumentRoot /home/httpd/yoursite1
       ServerName www.yoursite1.com
       ErrorLog yoursite1-error_log
       TransferLog yoursite1-access_log
       </VirtualHost>


       <VirtualHost 111.222.333.666>
       ServerAdmin webmaster@you.com
       DocumentRoot /home/httpd/yoursite2
       ServerName www.yoursite2.com
       ErrorLog yoursite2-error_log
       TransferLog yoursite2-access_log
       </VirtualHost>

       <VirtualHost 111.222.333.777>
       ServerAdmin webmaster@you.com
       DocumentRoot /home/httpd/yoursite3
       ServerName www.yoursite3.com
       ErrorLog yoursite3-error_log
       TransferLog yoursite3-access_log
       </VirtualHost>



  That configuration will cause all logs to be stored in one directory
  (whatever is specified as such) for all sites. If that is not desired
  the ErrorLog and TransferLog directives can be changed to point to the
  proper location separately for each virtual host. The pages for the
  "real" www.you.com will be stored in default location
  /home/httpd/html.


  For more information, look at http://www.apache.org, Apache http
  server homepage. They have a lot of support pages, including those for
  virtual hosting setup (both IP-based and name-based [uses just 1 IP
  address]). Also useful is Linux WWW HOWTO (link in References
  section), section on virtual hosting.

  TO TEST THE CHANGES

  Do: access the test pages via Lynx browser or telnet to port 80

  lynx http://www.you.com
  lynx http://www.yoursite1.com
  lynx http://www.yoursite2.com
  lynx http://www.yoursite3.com



  Should get: Test pages will be returned (if you put them in the proper
  directories)


  4.9.  Configure sendmail


  4.9.1.  Setup

  Now we will deal with sendmail. Again, proposed are the minimum
  necessary changes to the stock RH /etc/sendmail.cf and
  /etc/sendmail.cw.

  1. look for the lines that starts from Dj$w.foo.com and change it to
     point to your main ("real", not virtual) server name (you.com, so
     it will looks like this Dj$w.you.com).

  2. locate file /etc/sendmail.cw and make it look like this


       # sendmail.cw - include all aliases for your machine here.
       you.com
       ns.you.com
       mail.you.com
       yoursite1.com
       mail.yoursite1.com
       yoursite2.com
       mail.yoursite2.com
       yoursite3.com
       mail.yoursite3.com



  These are necessary so that sendmail accepts mail for these domains.

  This does not address the issue of user@yoursite1.com and
  user@yoursite2.com mail getting to different mailboxes. For that look
  into /etc/mail/virtusertable  functionality (appropriate line in
  /etc/sendmail.cw is Kvirtuser hash -o /etc/mail/virtusertable,
  detailed info may be added here later).  Excellent documentation on
  that is on http://www.sendmail.org/virtual, sendmail reference on
  virtual hosting.

  It is worthwhile to add that linuxconf proposes a somewhat different
  scheme for virtual email with separate spool directories for all
  domains (that cleanly solves the above "name-conflict" issue"), but
  that requires a special virtual-aware POP/IMAP server (included with
  RH) and is somewhat more complicated. It is recommended for bigger
  email volume sites with many users within each domain.

  A few words about sendmail, it is a good idea (good from the security
  standpoint) to have sendmail run from inetd.conf and not as a
  standalone daemon. For that we need to add it to /etc/inetd.conf,
  remove it from /etc/rc.d/init.d, add the sendmail queue processing to
  cron. Here is what you have to do:

  1. Add the following line to /etc/inetd.conf:

     smtp  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/sendmail -bs



  Or, if using xinetd create a file sendmail  in /etc/xinetd.d/ similar
  to


       # default: on
       service sendmail
       {
               socket_type     = stream
               wait            = no
               user            = root
               server          = /usr/bin/sendmail -bs
       }



  2.  Edit /etc/rc.d/init.d/sendmail to have  exit 0  somewhere in the
     very beginning (might not be the best way, be sure to document the
     changes you do to these files) so that this file does nothing
     instead of starting sendmail

  3.  By editing your (root's) crontab (to edit do crontab -e) add a
     line like this


     */20 * * * * /usr/sbin/sendmail -q



  That would process sendmail queue every 20 min (if it exists).  The
  described steps will simplify sendmail access control and will let you
  regulate who can talk to your 25 port, not just who can send email
  through you.  The lines in /etc/hosts.allow that let all machines from
  .com and .org domains send you email are as follows

  sendmail: .com .org


  Please, note, that the daemon name, not protocol name is used here
  (sendmail, NOT smtp).

  That would allow your system to handle email for all those domains.


  4.9.2.  Troubleshooting

  PROBLEM: mail that you are trying to send is denied with a message
  Relaying denied

  SOLUTION:Look into your /etc/sendmail.cw. Are you sure all possible
  variations of your hostname and of your virtual hostnames are here?
  Look in the message headers and see from what machine it was rejected
  from: does it look like another name of yours that you missed?

  TO TEST THE CHANGES

  Do: access the SMTP port 25 via telnet

  telnet www.you.com 25
  telnet www.yoursite1.com 25
  telnet www.yoursite2.com 25
  telnet www.yoursite3.com 25



  Should get: Sendmail should respond with prompt and version number!
  Type QUIT to get out of the prompt.


  4.10.  Configure POP3


  4.10.1.  Setup

  POP3 configuration is easy (no "virtualization" is required for this
  setup). RH comes equipped with imapd IMAP server. If you do not want
  to use IMAP functionality or do not like this particular
  implementation (buffer overflow bugs were discovered in it at some
  point) the good idea is to use qpopper, free POP3 daemon from Eudora
  http://www.eudora.com/freeware/qpop.html. At the time of writing the
  released version is qpopper 3.0.2.  It is important to note that
  versions earlier than 2.5 contain a buffer overflow error that allows
  remote root exploit to be executed. Same problem plagues "public
  betas" up to 3.0 release 21. Use either 2.53 or the latest 3.0 (the
  former is better audited and the latter is better suited for RH -
  seamlessly works with PAM authentication). I suggest using 3.0, so the
  instructions below apply to that case. As of April 13, Qpopper 3.0 is
  no longer beta, but a regular software. As of recently, the bug was
  discovered even in Qpopper 2.53 that allows the attacker  to obtain a
  shell with group-id 'mail', potentially allowing read/write access to
  all mail.



  1. wget
     ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper3.0.tar.Z

     Retrieve the archive from Eudora site.

  2. tar zxvf qpopper3.0.tar.Z

     Uncompress and untar the contents.

  3. cd qpopper

     If you need explanation for this step, please, discontinue reading
     the document.

  4. ./configure --enable-specialauth --with-pam --enable-log-login
     --enable-shy

     The options here are:

     --enable-specialauth : allows MD5 and shadow passwords

     --with-pam: allows the use of RH Pluggable Authentication Modules
     (PAM) technology

     --enable-log-login: log successful logins, not only failures (not
     really that useful as it will use tcpd wrappers logging anyway)

     --enable-shy: conceal version number (yeah, a little pesky
     manifestation of "security through obscurity")

  5. make

     That compiles the popper

  6.

     /bin/cp popper/popper /usr/local/bin



  Copies the binary to /usr/local/bin

  7. Now set the mode to

     -rwx------   1 root     root       297008 Feb 16 15:41 /usr/local/bin/popper


  by using the command:

  chmod 700 /usr/local/bin/popper



  8. Add a line to /etc/inetd.conf

     pop3  stream tcp        nowait root /usr/sbin/tcpd /usr/local/bin/popper -s


  That would cause the tcpd wrapper to control access to popper.

  The lines to add in /etc/hosts.allow are

  popper: .good.com .nice.org


  That will allow people from domains good.com and nice.org to read
  email via POP3 client from your machine.

  To cause qpopper to use PAM authentication one must create a file for
  POP3 service in /etc/pam.d/ directory. File should be named "pop3"
  (same as line in /etc/services and qpopper compile-time option). The
  file looks like this:



       auth       required     /lib/security/pam_pwdb.so shadow
       account    required     /lib/security/pam_pwdb.so
       password   required     /lib/security/pam_cracklib.so
       password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
       session    required     /lib/security/pam_pwdb.so



  9. For whatever reason stock RH lists line in /etc/services file for
     POP3 protocol as "pop-3". And since qpopper prefers to see "pop3",
     it should be edited to be:

     pop3            110/tcp         # pop3 service



  That would allow all user to get their email via any reasonable mail
  client.

  4.10.2.  Troubleshooting

  PROBLEM: you are connecting to your POP server with valid password and
  username and they are rejected with a message Password incorrect.

  SOLUTION: PAM doesn't like your setup. This message is common for
  qpopper 2.53, use 3.0 and it should disappear. Otherwise, look into
  /etc/pam.d/pop3 that you created. Is it OK?

  TO TEST THE CHANGES

  Do: access the POP3 port 110 via telnet

  telnet www.you.com 110



  Should get: Qpopper should respond with prompt and version number!
  Type QUIT to get out of the prompt.


  4.11.  Configure FTP server


  4.11.1.  Anonymous FTP setup

  We will use only anonymous ftp and will not allow any non-anonymous
  user any access.  Here we describe the anonymous ftp server setup that
  allows anonymous uploads.  Any self-respecting guide on the subject
  will tell you that "this is a bad thing". But how is it worse than
  allowing users to ftp from untrusted location and transfer their
  passwords in clear text? Not everybody (especially, using Windows) can
  easily setup an ftp tunnel via ssh. But you definitely should restrict
  access via tcp wrappers and watch for "warez puppies" (people who will
  try to exchange stolen software via your ftp site if you allow
  unlimited downloads!).

  I suggest using the stock RH wu-ftpd (version 2.6.1 at the time of
  writing). While it is rumored that there are "more secure" ftp daemons
  (Pro-ftpd), wu-ftp appears to be one most commonly used. Recently a
  series of bugs was again discovered in wu-ftp (even in 2.6.x versions)
  and its reputation as the most popular ftp daemon seem to be
  dwindling. CERT has issued an advisory concerning WU-FTPD and all ftp
  daemons derived from BSD's final release.

  RH installs the wu-ftpd (package wu-ftpd-2.6.1-1) by default in server
  configuration. You are encouraged to check for updates as running ftp
  is an important security concern. There is also a separate rpm package
  that creates a separate directory structure for anonymous ftp home
  (anonftp-2.8-1).  As anonymous ftp always does a chroot() system call
  (puts the user in the restricted file system) all necessary binaries
  and libraries are required. The typical directory looks like this
  (output of ls -lRa in /home/ftp):



  .:
  total 20
  d--x--x--x   2 root     root         4096 Feb 15 06:22 bin
  d--x--x--x   2 root     root         4096 Feb 15 06:22 etc
  drwxrws-wt   2 root     wheel        4096 Feb 18 19:51 incoming
  drwxr-xr-x   2 root     root         4096 Feb 15 06:22 lib
  drwxr-sr-x   3 root     ftp          4096 Feb 15 23:34 pub

  bin:
  total 344
  ---x--x--x   1 root     root        15204 Mar 21  1999 compress
  ---x--x--x   1 root     root        52388 Mar 21  1999 cpio
  ---x--x--x   1 root     root        50384 Mar 21  1999 gzip
  ---x--x--x   1 root     root        29308 Mar 21  1999 ls
  ----------   1 root     root        62660 Mar 21  1999 sh
  ---x--x--x   1 root     root       110668 Mar 21  1999 tar
  lrwxrwxrwx   1 root     root            4 Feb 15 06:22 zcat -> gzip

  etc:
  total 40
  -r--r--r--   1 root     root           53 Mar 21  1999 group
  -rw-r--r--   1 root     root        31940 Mar 21  1999 ld.so.cache
  -r--r--r--   1 root     root           79 Mar 21  1999 passwd

  incoming:
  total 0

  lib:
  total 1212
  -rwxr-xr-x   1 root     root        77968 Mar 21  1999 ld-2.1.1.so
  lrwxrwxrwx   1 root     root           11 Feb 15 06:22 ld-linux.so.2 -> ld-2.1.1.so
  -rwxr-xr-x   1 root     root      1031004 Mar 21  1999 libc-2.1.1.so
  lrwxrwxrwx   1 root     root           13 Feb 15 06:22 libc.so.6 -> libc-2.1.1.so
  -rwxr-xr-x   1 root     root        77196 Mar 21  1999 libnsl-2.1.1.so
  lrwxrwxrwx   1 root     root           15 Feb 15 06:22 libnsl.so.1 -> libnsl-2.1.1.so
  -rwxr-xr-x   1 root     root        33596 Mar 21  1999 libnss_files-2.1.1.so
  lrwxrwxrwx   1 root     root           21 Feb 15 06:22 libnss_files.so.2 -> libnss_fi
  les-2.1.1.so

  pub:
  total 0



  Notice though, that for whatever reason, RH puts a copy of /bin/sh in
  /home/ftp/bin.  I do not feel good about having it there, so it is
  chmoded to 0 by chmod 0 sh (can also be removed completely, but RPM
  might be slightly unhappy if you attempt to remove the package
  afterwards).

  Permissions on /home/ftp directories and files should be carefully
  considered. In the above example, all of the system files are owned by
  root and are only readable (executable where necessary) by all. Files
  in bin are only executable (as is the directory itself to prevent
  listing of its contents).

  The interesting part is permissions on pub and incoming.


  Below follows the configuration file for ftp daemon (/etc/ftpaccess).
  It is well commented to the degree of being self-explanatory:



  #ideas from <htmlurl url="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO" name="ftp://ftp.wu-ftpd.org/pub/wu-ftpd/upload.configuration.HOWTO">
  #only allow anonymous users-no other classes defined
  class anonftp anonymous *

  #number of users restriction with message shown when too many
  limit   remote  10  Any                 /toomany.msg

  #prevent uploads everywhere (for now)
  upload /home/ftp * no

  #display the contents of some files upon login/cd
  readme  README*    login
  readme  README*    cwd=*
  message /welcome.msg            login
  message .message                cwd=*

  #log all file transfers DISABLED
  #log transfers anonymous

  #prevent these file operations for anon users
  delete          no      anonymous
  overwrite       no      anonymous

  #fast cd and aliasing for the same reason (not really necessary, but convenient)
  alias   inc:    /incoming
  cdpath  /incoming
  cdpath  /pub
  cdpath  /

  #what is allowed in paths
  path-filter  anonymous  /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-

  #prevent the retrieval of some file
  noretrieve .notar

  #allow upload with NO subdirectory creation by anon users
  upload    /home/ftp    /incoming   yes root wheel 0400 nodirs

  #allow upload with subdirectory creation by anon users DISABLED
  #upload    /home/ftp    /incoming   yes root wheel 0400 dirs

  #prevent anon users to GET files from incoming (you might not like it, but it
  #is a good idea-to prevent some people from using your ftp server to store
  #their own stuff, pics, warez etc)
  noretrieve /home/ftp/incoming



  That would allow only anonymous users to do downloads and uploads in
  somewhat (!)  controlled manner. Make sure you update the permissions
  on files that you changed  after you upgrade the RPM packages next
  time.


  4.11.2.  Guest FTP setup

  Guest FTP users are those that have valid usernames and passwords
  (unlike anonymous), but do not have access to the whole directory
  structure (unlike real ones). So they are chrooted after
  authentication. Guest users can do uploads in this configuration.

  Easy 21-step directions for that are provided below ;-)

  Software used: wu-ftpd-2.6.1

  Sample username will be created: ftpguy, user ID=505.

  Her group will be: lusers, group ID=701.

  If you want more users of the same sort, they should be the members of
  the same group. For that it might be good to change the directory
  structure somewhat so that all of them use the same passwd file and
  the same static ls. But, for better separation you can give each of
  them their own files.


  1. adduser ftpguy

     creates an entry in /etc/passwd

  2. passwd ftpguy change password to whatever

  3. Edit file /etc/passwd, last line (that contains our new user)
     should look like this

     ftpguy:x:505:701::/home/ftpguy/./:/etc/ftponly


  yes, that is "slash"-"dot"-"slash" after his home directory.

  4. Edit file /etc/shells, add line, below

     /etc/ftponly


  This file has to exist in some newer Linux distributions (contrary to
  what is claimed at Guest FTP HOWTO).  Sometimes one can put /bin/true
  in its place.

  5. Edit file  /etc/group, add line, below

     lusers:x:701:ftpguy



  6. cd /home

  7.

     chown ftpguy.lusers ftpguy


  this directory is created by adduser command

  8.

     cd ftpguy; mkdir etc bin ; chown root.daemon etc bin


  this creates a directory tree for chroot

  9.

     chmod 111 etc bin


  this sets very conservative permissions on directories within the
  chrooted tree

  10.

     cp ~/static_ls /home/ftpguy/bin/ls


  obtaining static (not calling any libraries) version of /bin/ls: this
  directory (http://www.stanford.edu/group/itss-ccs/security/bina�
  ries/linux/redhat/) contains static version of many RH 6.x/7.x-compat�
  ible utilities, including ls (local copy is http://www.chu�
  vakin.org/ispdoc/ls.gz here, gunzip ls.gz to run)

  11.

     cd bin ; chown root.bin ls



  12.

     chmod 111 ls


  this sets very conservative permissions on binaries within chroot

  13.

     cd ../etc



  14.
     Create file /home/ftpguy/etc/passwd as follows


       root:*:0:0::/:/etc/ftponly
       ftpguy:*:505:701::/home/ftpguy/./:/etc/ftponly



  15.
     Create file /home/ftpguy/etc/group, contents follow


       root::0:root
       lusers::701:ftpguy



  16.

     chown root.daemon passwd group


  this sets proper ownership of these files

  17.

     chmod 444 passwd group


  this sets minimum necessary permission on that file

  18.

     cd ~ftpguy; touch .forward

  this creates .forward file

  19.

     chown root.root .forward ; chmod 400 .forward


  and locks it for security reasons

  20.

     cd /etc



  21.
     Add the facilities for handling guest users into /etc/ftpaccess


       #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       class anonftp guest,anonymous *

       delete     no   anonymous,guest               # delete permission?
       overwrite  no   anonymous,guest               # overwrite permission?
       rename     no   anonymous,guest               # rename permission?
       chmod      no   anonymous,guest               # chmod permission?
       umask      no   anonymous,guest               # umask permission?

       guestgroup lusers

       limit   remote  10  Any                 /toomany.msg
       upload /home/ftp * no
       readme  README*    login
       readme  README*    cwd=*
       message /welcome.msg            login
       message .message                cwd=*

       alias   inc:    /incoming
       cdpath  /incoming
       cdpath  /pub
       cdpath  /

       path-filter  anonymous  /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
       noretrieve .notar
       upload    /home/ftp    /incoming   yes root wheel 0400 nodirs
       noretrieve /home/ftp/incoming



  Lets test this beast:



  localhost[anton]#1008: ftp localhost
  Connected to anton.
  220 anton FTP server (Version wu-2.6.1(1) Mon Feb 28 10:30:36 EST 2000) ready.
  Name (localhost:anton): ftpguy
  331 Password required for ftpguy.
  Password:
  230 User ftpguy logged in.  Access restrictions apply.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> ls -la
  200 PORT command successful.
  150 Opening ASCII mode data connection for /bin/ls.
  total 4
  drwx------   4 505      701          1024 Apr  8 02:16 .
  drwx------   4 505      701          1024 Apr  8 02:16 ..
  -r--------   1 0        0               0 Apr  8 02:16 .forward
  d--x--x--x   2 0        2            1024 Apr  8 02:09 bin
  d--x--x--x   2 0        2            1024 Apr  8 02:15 etc
  226 Transfer complete.
  ftp> mkdir TEST
  257 "/TEST" new directory created.
  ftp> ls -l
  200 PORT command successful.
  150 Opening ASCII mode data connection for /bin/ls.
  total 3
  -r--------   1 0        0               0 Apr  8 02:16 .forward
  drwxr-xr-x   2 505      701          1024 Apr  8 02:32 TEST
  d--x--x--x   2 0        2            1024 Apr  8 02:09 bin
  d--x--x--x   2 0        2            1024 Apr  8 02:15 etc
  226 Transfer complete.
  ftp>



  and so on.

  TO TEST THE CHANGES

  Do: access the ftp server using ftp client

  ftp www.you.com



  Should get: ftp daemon should respond with prompt and version number!


  4.12.  Configure dialin

  Now the fun part starts. We want the machine to allow dial-in access
  via attached (inserted?) modem or modems. It will provide either
  regular shell or restricted shell (that only executes pppd daemon).
  Windows 95/98 users should be able to effortlessly dial in using all
  default settings of their computers.


  4.12.1.  Linux setup

  To handle login via serial line some version of getty program is
  needed. This program  monitors the serial line (/dev/ttyS1 will be
  used throughout the document, see serial HOWTO for details) and upon
  connection shown the login prompt or starts a program.

  I suggest using the mgetty program (as it has more features and is
  easier to setup than some of the competitors).
  RH comes with mgetty-1.1.21-2, that also has extensions to receive
  faxes and voice mail (if the modem supports this). Check whether
  mgetty is installed by doing: rpm -qa | grep mgetty.

  After installing mgetty some reconfiguration is necessary.  The files
  that should be changed and the details follow:


  1. /etc/inittab

     That enables mgetty to start when system is booted and be respawned
     accordingly.  These lines should be added in the end.



       #for dialins use mgetty
       #note this S1 in the beginning of the line and ttyS1 in the end
       S1:2345:respawn:/sbin/mgetty ttyS1



  2. /etc/ppp/options

     This file controls the pppd daemon whenever it is started.  Some of
     the options here are optional (hey, that why they are called
     options, right?).



       auth -chap +pap login modem crtscts debug proxyarp lock
       ms-dns 111.222.333.444



  Here is their brief meaning:


  �  auth : use some sort of authentication for dialin clients

  �  -chap: not CHAP

  �   +pap: use PAP

  �   login : use the  system  password file for authenticating the
     client using PAP and record the user in the system wtmp  file,
     /etc/ppp/pap-secrets should still be present (see below)

  �  modem : use the modem control lines (for carrier detection and
     other stuff)

  �   crtscts : use hardware flow control

  �  debug : log extra info (might be removed after everything is fine)

  �   proxyarp : this is needed to connect from the client to the
     Internet, not just to the LAN you dialed into

  �  lock: pppd should create a lock  file  for the serial device

  �  ms-dns 111.222.333.444: this info is provided to Windows box as a
     default DNS server

     Look at pppd man page for all the juicy details (parts of the above
     info is adapted from there)

     Another note is appropriate here. Some people reported that they
     had more success with +chap -pap in authenticating both Windows and
     Linux dial-up clients. If you are having problems, try changing
     /etc/ppp/options to have +chap -pap. In this case the new file
     /etc/ppp/chap-secrets should be created (same contents as
     recommended /etc/ppp/pap-secrets).

     Some other people reported that having default line from
     /etc/mgetty+sendfax/login.config works fine. I am very happy to
     hear that, and I never claimed that my way to set things up is the
     only true way.

  3. /etc/ppp/options.ttyS1

     This file serves purpose similar to the previous one, but only
     applies to particular modem line. It specifies the IP address given
     to the remote machine (dynamic, in some sense, if you have more
     than one line) and the local IP as well.



       111.222.333.444:111.222.333.888



  4. /etc/mgetty+sendfax/login.config


     This file is the main mgetty control file. Mgetty is Windows-PPP-
     aware, so it has provisions to start pppd automatically upon
     receiving connect from the Windows machine.

     These lines should be present:



       /AutoPPP/ -     -       /usr/sbin/pppd



  Before adding them, check that some other version of similar command
  is absent there (commented out by default).


  5. /etc/ppp/pap-secrets

     This is similar to /etc/password file, but only used for dialins
     and contains plain text passwords (apparently, only visible to
     root). All users that you want to be able to dialin must have their
     usernames and password listed in this file. They should enter the
     same username and password into Windows Dial Up Networking
     configuration.



       # Secrets for authentication using PAP
       # these two users below can use dialin
       # client        server  secret pword   remote IP addresses
       dialinuser1     *       b1ab1a!?         111.222.333.888
       dialinuser2     *       p8sSw0rD         111.222.333.888

  Check that mgetty is running by looking for similar line in the output
  of ps ax command.



        4625 ?        S      0:00 /sbin/mgetty ttyS1



  Now this machine will allow modem calls from any Windows 95/98 box.

  As was noted by one of the readers some steps are to be taken to
  prevent users from sharing their dialin password with others. A simple
  perl/shell script will do the job by killing and logging connections
  that use the same username.

  Also, if it is desirable to prevent users from using dialing in their
  usernames should not be put into /etc/ppp/pap-secrets .

  4.12.2.  Windows setup

  This is really straightforward.

  1. Click on My Computer

  2. Click on Dial Up networking

  3. Click on Make New Connection

  4. Proceed according to directions, enter the phone number etc

  5. After a new connection is created click on it and enter the
     username and password (same as mentioned in /etc/passwd and
     /etc/ppp/pap-secrets)

  6. Click Connect and it should work (it did in my case ;-) )


  TO TEST THE CHANGES

  Do: try to dial in using terminal program (UNIX:minicom
  /Windows:terminal or other)

  Should get: Mgetty should respond with prompt and you Linux
  distribution version!

  4.13.  Open access


  Now, after testing all the services, we are ready to open the access
  to this machine. The main access control facility in our case is TCP
  wrappers (tcpd). In case of RH 7 the xinetd will check the same access
  control files itself without any need to wrap services with
  /usr/sbin/tcpd.  These facilities are controlled by 2 files
  /etc/hosts.allow and /etc/hosts.deny, as was mentioned in the sections
  devoted to various network services. TCP wrappers configuration can be
  done in 2 distinct ways and we will employ the simplest.

  Let our /etc/hosts.deny contain ALL:ALL clause, thus denying the
  access to all services (started from /etc/inetd.conf ) for all hosts
  and all users on them. Now we can allow what we need explicitly in
  /etc/hosts.allow, thus following the philosophy "what is not expressly
  allowed is denied".


  Lets assume we want to allow people to read and send email, we want
  some trusted hosts to update contents of the web pages and we want
  admin workstation to have full access. So we arrive at the following
  /etc/hosts.allow:


       #
       # hosts.allow   This file describes the names of the hosts which are
       #               allowed to use the local INET services, as decided
       #               by the '/usr/sbin/tcpd' server.
       #
       ALL: 127.0.0.1 adminbox.some.net
       #we rely on anti-relaying features of sendmail 8.9+ to fight spam
       #and also restrict some sites that we don't want to see email from
       sendmail: ALL EXCEPT .kr .cn
       popper: .com .edu .gov .mil
       #these people can upload/download stuff, make it restrictive to avoid warez!
       in.ftpd: .this.net .that.net



  5.  Conclusion

  There must be the conclusion, right?


  6.  References

  Useful LDP HOWTOs (well, actually, all others are useful too)

  1. Setting Up Your New Domain Mini-HOWTO., really good guide of DNS
     setup and general network setup (recommended reading)

  2. Linux WWW HOWTO, provides more details on Apache setup, including
     virtual hosting

  3. Red Hat Linux 6.X as an Internet Gateway for a Home Network, some
     hints on network setup

  4. IP Aliasing On A Linux Machine, used for multiple IP on the same
     interface

  5. Ethernet HOWTO, look here in case of network card trouble

  6. IPCHAINS HOWTO, turn to this if more security is desired

  7. Serial HOWTO, serial ports, lines, modems and related stuff

  8. PPP HOWTO,some notes on PPP server setup

  Software (used or mentioned) websites


  1. Eudora POP3 server

  2. WU-FPTD ftp server

  3. Sendmail MTA

  4. Mgetty pages

  5. Apache httpd server


  Other documents

  1. Armoring Linux

  2. Setting Up POP/PPP server

  3. Mgetty and Windows dialin info

  4. Using RedHat 5.1 to Start an ISP, the short article on how to start
     an ISP if all you have is a Linux RH ;-)

  5. Guest FTP server setup

  6. Linux Dialin Server Setup Guide Yet Another Guide about that

  7. virtfs a nice automatic tool for configuring virtual services based
     on Perl script

  8. Linux Public Access HOWTOan old and not updated for 5 years
     document describing Linux-based ISP, some nice hints on equipment
     (serial boards) and performance

  9. Sinlge IP virtual hosting, nice doc describing how to host
     everything on a single IP.

  Resources, not related to the topic of the document ;-)


  1. I also maintain a list of computer/network security related books
     with (where available) reviews and online availability. It is
     posted at http://www.chuvakin.org/books.  If you have a book that I
     don't list please use the form on the page and I will add it to the
     list and maybe review it later.

  2. Public Browser Station HOWTO, my mini-HOWTO on web-access terminal
     based on RedHat Linux

  3. Access the Web Anywhere, my article in Linux Journal about Internet
     Kiosks







  All copyrights belong to their respective owners. Other site content (c) 2014, GNU.WIKI. Please report any site errors to webmaster@gnu.wiki.