The following instrution cover the
installation of Fedora Core 4 on my Compaq ProLiant DL380 Dual 1Ghz
server.
As ever, if you use any of the information remember that I run a network securely protected by a firewall.
These
instructions are for installing Gnu/Linux as the only
operating system on a PC. All existing data and operating
systems will be overwritten and lost!
To install on a Compaq ProLiant DL380, the Compaq SmartStart v5.5 CD will be needed as well as the Fedora Core 4 installation CDs.
Remove the SmartStart CD and insert the first Fedora CD, then click on Continue.
| hda1 | 200 MB | /boot | ||
| hda2 | 4,000 MB | /home | ||
| hda3 | 4,000 MB | /var | ||
| hda5 | 2,000 MB | /tmp | ||
| hda6 | 1,000 MB | (swap) | ||
| hda7 | 23,500 MB | / |
| eth0 | eth1 | |
| Hostname | marilyn.stevesearle.com | |
| IP Address | 192.168.126.2 | 192.168.126.7 |
| Netmask | 255.255.255.0 | 255.255.255.0 |
| Gateway | 192.168.126.254 | |
| Primary DNS | 127.0.0.1 | |
| Secondary DNS | 192.168.126.4 | |
| Tertiary DNS | 158.152.1.58 |
Change CDs as prompted, and click on Reboot when the installation is complete.
Create a .forward file for root to ensure that you receive any mail sent to root.
Customise the shell prompt by adding the following lines to the end of /etc/bashrc.
ColourFuscia="\[\033[0;36m\]"
ColourGreen="\[\033[0;32m\]"
ColourDefault="\[\033[0m\]"
# Set green to red if root
if [ "$UID" = "0" ]; then
ColourGreen="\[\033[1;31m\]"
fi
PS1="$ColourGreen($ColourFuscia\u@\h$ColourGreen:$ColourFuscia\w$ColourGreen)$ColourFuscia\\$ $ColourDefault"
Edit /boot/grub/grub.conf to stop the graphical boot display and to change the resolution of the virtual terminals (running on Ctrl-Alt-1 through Ctrl-Alt-6). Remove rhgb and add vga=790 to the end of the menu kernel line, e.g.
kernel /vmlinuz-2.4.22-1.2115.nptlsmp ro root=LABEL=/ vga=790
790 produces a 1024x768 resolution with 32,768 colours. You could use any of the following (if you video card supports them).
| Colours | 640x480 | 800x600 | 1024x768 | 1280x1024 | 1600x1200 |
| 256 | 769 | 771 | 773 | 775 | 796 |
| 32,768 | 784 | 787 | 790 | 793 | 797 |
| 65,536 | 785 | 788 | 791 | 794 | 798 |
| 16.8M | 786 | 789 | 792 | 795 | 799 |
Stop the X server from starting automatically. Most of the time I don't want to waste resources running it. Edit /etc/inittab and change the default runlevel line.
id:3:initdefault:
Keep /tmp tidy. Create a script in /etc/cron.daily containing the following lines. It will delete files and directories that are more than a week old.
find /tmp -mtime +7 -type f -print -exec rm {} ";"
find /tmp -empty -mtime +7 -type d -print -exec rm -rf {} ";"
I don't allow ssh access to the root account, or access with a password. Edit /etc/ssh/sshd_config as follows.
... PermitRootLogin no ... PasswordAuthentication no ...
Restart the SSH daemon.
# service sshd restart
Run
yum to update any RPM packages that are out of date.
# yum update
Enable the yum daemon, which uses a daily cron job to get the updates automatically.
# chkconfig yum on # service yum start
Clean the old yum headers occaisionally with a monthly cron job to run.
yum clean oldheaders
Install extra packages.
# yum install qt-devel # yum install qt-designer # yum install php-mysql # yum install multitail # yum install arpwatch
By default, Fedora installs with a number of daemons that I don't need. Turning these off saves system resources and makes the machine more secure.
# chkconfig bluetooth off # service bluetooth stop # chkconfig cpuspeed off # service cpuspeed stop # chkconfig isdn off # service isdn stop # chkconfig lm_sensors off # service lm_sensors stop # chkconfig mdmonitor off # service mdmonitor stop # chkconfig pcmcia off # service pcmcia stop
These instructions have been derived from the excelent SpamAssassin-ClamAV-Procmail-Howto.
Download Clam AntiVirus to /tmp.
Create a user group and user.
# groupadd clamav # useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
Install.
$ cd /tmp $ tar -xzf clamav-0.80.tar.gz $ cd clamav-0.80 $ ./configure $ make $ su -c "make install"
Edit both /usr/local/etc/clamd.conf and /usr/local/etc/freshclam.conf and remove or comment out the Example directive.
... # Comment or remove the line below. # Example ...
Create /etc/init.d/clamd as follows.
#!/bin/bash
TMPDIR=/tmp
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
case "$1" in
start)
echo "Starting ClamAV..."
if [ -S /tmp/clamd ]; then
echo "ClamAV is already running!"
else
/usr/local/bin/freshclam -d -c 10 --datadir=/usr/local/share/clamav
/usr/local/sbin/clamd
fi
echo "ClamAV is now up and running!"
;;
stop)
echo "Shutting down ClamAV..."
array=(`ps ax | grep -iw '/usr/local/bin/freshclam' | grep -iv 'grep' \
| awk '{print $1}' | cut -f1 -d/ | tr '\n' ' '`)
element_count=${#array[@]}
index=0
while [ "$index" -lt "$element_count" ]
do
kill -9 ${array[$index]}
let "index = $index + 1"
done
array=(`ps ax | grep -iw '/usr/local/sbin/clamd' | grep -iv 'grep' \
| awk '{print $1}' | cut -f1 -d/ | tr '\n' ' '`)
element_count=${#array[@]}
index=0
while [ "$index" -lt "$element_count" ]
do
kill -9 ${array[$index]}
let "index = $index + 1"
done
if [ -S /tmp/clamd ]; then
rm -f /tmp/clamd
fi
echo "ClamAV stopped!"
;;
restart)
$0 stop && sleep 3
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
Make it executable and start it.
# chmod 755 /etc/init.d/clamd # /etc/init.d/clamd start
Make it start at boot up and stop at close down.
# ln -s /etc/init.d/clamd /etc/rc2.d/S20clamd # ln -s /etc/init.d/clamd /etc/rc3.d/S20clamd # ln -s /etc/init.d/clamd /etc/rc4.d/S20clamd # ln -s /etc/init.d/clamd /etc/rc5.d/S20clamd # ln -s /etc/init.d/clamd /etc/rc0.d/K20clamd # ln -s /etc/init.d/clamd /etc/rc1.d/K20clamd # ln -s /etc/init.d/clamd /etc/rc6.d/K20clamd
Schedule the following command to run regularly to check for viruses.
/usr/local/bin/clamscan -ir --stdout /
Uptimed is used to keep track of the highest uptimes my GNU/Linux computers have.
Download it, and build and install it with
$ cd /tmp $ tar -xjf uptimed-0.3.1.tar.bz2 $ cd uptimed-0.3.1 $ ./configure $ make $ su -c "make install"
Then add the following to /etc/rc.d/rc.sysinit to create a unique id each time the server is booted.
echo "Creating unique uptime daemon bootid..." /usr/local/sbin/uptimed -b
Now add these lines to /etc/rc.d/rc.local to start the uptime daemon.
echo "Starting uptime daemon..." /usr/local/sbin/uptimed
Rename uptimed.conf-dist
# mv /usr/local/etc/uptimed.conf-dist /usr/local/etc/uptimed.conf
then edit this to set the EMAIL and SEND_EMAIL variables.
Reboot and enter:
$ uprecords
to see how long the server has been up for.
I export a directory that I like to have available on any workstation I may be using. Create /etc/exports as follows.
/home/steve/share *(rw,sync,no_root_squash)
Then start the NFS daemon, and set it to start automatically in the future.
# service nfs start # chkconfig nfs on
Change the firewall settings to allow other machines to mount these exports.
Mount any NFS exports from other machines, by editing /etc/fstab and adding the appropriate lines, e.g.
hayley:/backups /backups nfs rsize=8192,wsize=8192
This would mount hayley's /backups directory under /backups on this machine. (Permission would have to be granted on hayley via the /etc/exports file to allow this.) Don't forget to create the /backups directory on the local machine.
Sendmail is a mail transfer
agent. MTAs are used to transfer messages between machines.
Normally Sendmail will send out any mail with headers showing
it as coming from the fully qualified name of the local machine,
e.g. steve@ingrid.stevesearle.com.
Some servers may refuse to accept email
unless it comes from a recognisable Internet domain. So
the following changes to the Sendmail configuration make it
look as if the email has come from my Internet domain,
stevesearle.com. To do this, the following lines are changed
or added to
the /etc/mail/sendmail.mc file (uncomment - remove dnl ...
dnl - and edit where neccessary). The EXPOSED_USER
andDAEMON_OPTIONS lines are
commented out so that root's mail will be masquaraded and so that
email can be received from other clients
on the local network.
... dnl # EXPOSED_USER(`root')dnl ... dnl # DAEMON_OPTIONS(`Port=smpt,Addr=127.0.0.1, Name=MTA')dnl ... MASQUERADE_AS(`stevesearle.com') ... FEATURE(masquerade_envelope) ... FEATURE(masquerade_entire_domain) ...
Regenerate the /etc/mail/sendmail.cf with the following command (note the sendmail-cf package must be installed for this to work, and no warnings are displayed if it isn't installed).
# make -C /etc/mail
Add the following lines to /etc/mail/access to allow the server to relay mail for local network clients.
... 192.168.126 RELAY 192.168.127 RELAY
Add the following lines to /etc/mail/local-host-names to allow the server to receive mail from these domains.
... champs.org.uk orange.searle searle.afraid.org stevesearle.com wormwoodstarsoft.co.uk wormwoodstarsoft.com
Add lines to /etc/aliases for users who might recieve email addressed to something other than their normal user name.
... kaysearle: kay mufc: steve stevesearle: steve webmaster: steve
Update the aliases database and restart sendmail.
# newaliases # service sendmail restart
Create a .forward file to ensure that any mail to root gets read.
Note that the EXPOSED_USER line in /etc/mail/sendmail.mc will prevent mail sent by root from being masqueraded, this should be removed if this is a problem.
Fetchmail retrieves mail
from remote mailservers. I use it to retrieve mail from a number
of different mailservers on which I have accounts. I use pop3, but
it also supports other POP and IMAP protocols.
Create /etc/fetchmailrc as follows.
# Multidrop mail where there is no matching local recipient should
# be sent to steve
set postmaster "steve"
# Don't bounce errors back to the sender, but forward to the
# postmaster
set nobouncemail
# Don't bounce spam-blocked email back to the originator
set no spambounce
# Used by extention scripts
set properties ""
# Retrieve mail every 300 seconds
set daemon 300
poll pop3.demon.co.uk with proto POP3
user 'kay+starsoft' there with password 'somepassword' is 'kay' here
poll pop3.demon.co.uk with proto POP3
user 'starsoft' there with password 'somepassword' is 'steve' here
poll pop3.uklinux.net with proto POP3 envelope Envelope-To
aka stevesearle.com
user 'searle' there with password 'anotherpassword' is 'steve' 'kay' 'kaysearle ' = 'kay' 'kieren' 'liam'
This will fetch any email for kay on my demon account (...@starsoft.demon.co.uk) and pass it to user kay. Any other email sent here will be retrieved and passed to user steve. Mail retrieved from my uklinux account (...@stevesearle.com) will be passed to steve, kay, kieren or liam if it is addressed to them. Mail addressed to kaysearle@... will also be passed to kay. Any other mail will be passed to steve because of the set postmaster "steve" line.sent here will be retrieved and passed to user steve. Mail retrieved from my uklinux account (...@stevesearle.com) will be passed to steve, kay, kieren or liam if it is addressed to them. Mail addressed to kaysearle@... will also be passed to kay. Any other mail will be passed to steve because of the set postmaster "steve" line.
Set the permissions for fetchmailrc.
# chmod 700 /etc/fetchmailrc
Now setup a daemon for fetchmail. Create /etc/rc.d/init.d/fetchmaild.
#!/bin/sh
# chkconfig: - 99 00
# description: Starts and stops fetchmail
. /etc/init.d/functions
case "$1" in
'start')
daemon fetchmail -f /etc/fetchmailrc
touch /var/lock/subsys/fetchmaild
;;
'stop')
fetchmail --quit
rm -f /var/lock/subsys/fetchmaild
;;
*)
echo "Usage :$0 { start | stop }"
;;
esac
exit 0
Make it executable, and set it to run automatically at bootup. Then start it.
# chmod 755 /etc/rc.d/init.d/fetchmaild # chkconfig --add fetchmaild # chkconfig fetchmaild on # service fetchmaild start
Procmail processes my emails before I read them. I use it to check for spam and viruses and copy emails to other users. This is done using a procmail recipe. Create /home/steve/.procmailrc as follows.
# Some variables
SHELL=/bin/bash
MAILDIR=$HOME/.mail
DEFAULT=$MAILDIR
LOGFILE=$MAILDIR/.log
VERBOSE=no
# If the email contains the following line, it has already been
# delivered to me and is deleted to avoid any infinite delivery
# loops which might arise.
:0
* ^X-Loop: 5a42f054-92aa-494b-b71e-e2eb99da5fec
/dev/null
# Otherwise mark all mail passing through.
:0 fhw
| formail -A "X-Loop: 5a42f054-92aa-494b-b71e-e2eb99da5fec"
# Put liam's and Robbie's mail into a separate folder so I can
# check it is suitible for them (they are only kids).
:0
* ^To.*liam@stevesearle.com|\
^To.*rob@stevesearle.com
liam
# Send my wife a copy of anything from family and friends.
:0
* ^From.*friend@somedomain.com|\
^From.*family@somedomain.com
{
:0 c
! kay
}
# Anything that gets through to here ends up in my inbox.
:0
/var/spool/mail/steve
Enable the imap and pop3 services.
# chkconfig dovecot on
Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).
... # SMTP -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT # IMAP -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT #POP3 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT ... -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited ...
Restart the firewall.
# service iptables restart
Most of the information in this seciton is derived from the SpamAssassin-ClamAV-Procmail-Howto. It assumes SpamAssasin has been installed - if it is missing use yum to install it - and that Clam AntiVirus has been installed as specified earlier.
Install trashscan, a script that is used to scan incomming emails for viruses.
$ tar -xzf trashscan-0.12.tar.gz $ cd trashscan-0.12 $ su -c "cp trashscan /usr/local/sbin"
Now make the following changes to /usr/local/sbin/trashscan. Change to use uudeview rather than metamail and set the correct email addresses.
... # DECODER=metamail # Decoder: "metamail" or "uudeview" # DECODPRG=/usr/bin/metamail # Absolute path to decoder: metamail DECODER=uudeview # Decoder: "metamail" or "uudeview" DECODPRG=/usr/local/bin/uudeview # Absolute path to decoder: uudeview VSCANNER=clamav # Scanner: "clamav". If you are using # clamav and you define "clamav" here # then the name of the detected virus # will be reported ... ... ALERT=yes # send alert messages if a virus was detected (yes | no) ALERTRCVR=steve@stevesearle.com # Receiver of virus alert messages ALERTSNDR=mailservice@stevesearle.com # Sender of virus alert messages ALERTCTCT=steve@stevesearle.com # Person to contact (appears in the ...
Install uudeview which is used to decode emails.
$ tar -xzf uudeview-0.5.20.tar.gz $ cd uudeview-0.5.20 $ ./configure $ make $ su -c "make install"
Configure procmail
Add the follwing recipes to /home/steve/.procmailrc to scan email with attachments for viruses, and to delete them if they are infected. Note that these two recipes go either side of the recipes that check and set X-Loop to avoid infinite delivery loops.
... # Check for viruses :0 * multipart * !^X-Virus-Scan: | /usr/local/sbin/trashscan ... # Virus? :0 : * ^X-Virus-Scan: Suspicious /dev/null ...
I use SpamAssassin to check for spam. Set the spamassassin service to start when the server is booted, and start it now.
# chkconfig spamassassin on # service spamassassin start
As rfc-ignorant.org is no longer up and running, we need to change the SpamAssasin preferences so that it ignores this check. This way we can avoid the lame server resolving ... ipwhois.rfc-ignorant.org messages from BIND. Add the following lines to /home/steve/.spamassassin/user_prefs.
score RCVD_IN_RFCI 0
Configure procmail
Add the follwing recipes to /home/steve/.procmailrc to put any spam into a separate spam folder. If you become confident enough in that only spam is being diverted there, you can change this to delete the spam instead. These recipes should follow the virus checking recipes added earlier.
... # Check for spam (only check email smaller than 250Kb) :0 fw: spamassassin.lock * < 256000 | spamc # Spam? :0 : * ^X-Spam-Status: Yes spam ...
Training SpamAssassin's Bayesian Classifier
Bayesian spam analysis allows you to refine SpamAssassin to identify spam and ham (non-spam) by training it with your own spam and ham. This can greatly reduce the number of false positives and negatives. Assuming all spam not caught by SpamAssassin is saved to a ~/.mail/spam mailbox, and all legitimate mail is saved to ~/.mail/trash (instead of being deleted), create executable script learn.spam as follows, and set up a cron job to run it once a week.
#!/bin/bash HAMBOX=/home/steve/.mail/trash SPAMBOX=/home/steve/.mail/spam if sa-learn --mbox --ham $HAMBOX then cat /dev/null > $HAMBOX fi if sa-learn --mbox --spam $SPAMBOX then cat /dev/null > $SPAMBOX fi exit 0
I run an old machine as a backup device. A backup folder is NFS exported to the rest of the network, and each machine runs a cron tar job to back up various files and directories.
Setup ingrid as an NTP server, synchronising its time with some servers on the Internet and serving the rest of the machines on the LAN with the time. NTP is installed already, so just replace the server ... lines in /etc/ntp.conf with the following lines.
... server ntp1.demon.co.uk server ntp1.pucpr.br server fartein.ifi.uio.no server ntp2b.mcc.ac.uk ...
You should pick your own timeservers, look for some here. Set the NTP service to start when the server is booted, and start it now.
# chkconfig ntpd on # service ntpd start
Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).
... # ntp -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT ... -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited ...
Restart the firewall.
# service iptables restart
Download various perl modules as follows.
The SSLeay stuff is needed to use SSL with Webmin. You need
to be on-line for this.
# perl -MCPAN -e shell cpan> install MD5 cpan> install Bundle::CPAN cpan> reload CPAN cpan> install Net::SSLeay cpan> install Date::Calc cpan> install Number::Format cpan> exit
Install Webmin, an excellent browser
based tool for administering and configuring the system.
The tarball should be un-tarred in /usr/local or similar, as this is just configured in the directory it was un-tarred in.
# cd /usr/local # tar -xzf webmin-1.130.tar.gz # cd webmin-1.130 # ./setup.sh
Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).
... # ntp -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT ... -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited ...
Restart the firewall.
# service iptables restart
Download and install Vim, the best editor around.
$ cd /tmp $ tar -xjf vim-6.2.tar.bz2 $ cd vim62 $ ./configure $ make $ su -c "make install"
Add the following line to your /etc/bashrc, to make Vim the default editor for mutt, crontab, etc. The "-f" will prevent it forking when invoked, and will avoid the update encoding warning when editing an email.
export EDITOR="gvim -f"
Mutt is my email client of choice.
Dowload it and build it. Note that version 1.4.2.1 won't compile
with Fedora Core 4, but development version 1.5.9 does.
$ cd /tmp $ tar -xzf mutt-1.4.2.1i.tar.gz $ cd mutt-1.4.2.1 $ ./configure --enable-pop --enable-imap --with-ssl $ su -c "make install"
Now install urlview, a utility that will fire up the browser to display any URLs in any emails.
$ cd /tmp $ tar -xzf urlview-0.9.tar.gz $ cd urlview-0.9 $ ./configure $ make $ su -c "make install" $ su -c "cp url_handler.sh /usr/local/bin"
/usr/local/bin/url_handler.sh needs to be edited to select the preferred browser. Change any occurances of /usr/X11R6/bin/netscape to /usr/bin/firefox.
I use BIND as the DNS Server for
my system. I got most of the information here from the excellent DNS HOWTO.
Check that the nameserver line in /etc/resolv.conf includes the localhost IP address. It should look something like this.
search stevesearle.com nameserver 127.0.0.1 nameserver 158.152.1.58
Create /var/named/chroot/etc/named.conf as follows. The DHCP_UPDATER lines allow the dhcpd daemon to update the name server with names and addresses of the clients it hands out IP addresses to, so DHCP needs to be set up as well.
options {
directory "/var/named";
};
logging {
category lame-servers { null; };
};
key "rndckey" {
algorithm hmac-md5;
secret "somesecretgoeshere==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndckey"; };
};
key DHCP_UPDATER {
algorithm hmac-md5;
secret "anothersecretgoeshere==";
};
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." {
type hint;
file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "pz/127.0.0";
};
zone "stevesearle.com" {
type master;
file "pz/stevesearle.com";
notify yes;
allow-update { key DHCP_UPDATER; };
};
zone "126.168.192.in-addr.arpa" {
type master;
file "pz/192.168.126";
notify yes;
allow-update { key DHCP_UPDATER; };
};
zone "orange.searle" {
type master;
file "pz/orange.searle";
notify yes;
allow-update { key DHCP_UPDATER; };
};
zone "127.168.192.in-addr.arpa" {
type master;
file "pz/192.168.127";
notify yes;
allow-update { key DHCP_UPDATER; };
};
zone "red.searle" {
type master;
file "pz/red.searle";
notify yes;
allow-update { key DHCP_UPDATER; };
};
zone "128.168.192.in-addr.arpa" {
type master;
file "pz/192.168.128";
notify yes;
allow-update { key DHCP_UPDATER; };
};
See rndc for how to create the key and controls sections of this file.
The /var/named/chroot/var/named directory should have permissions, owner and group set like this.
drwxr-x--- 4 root named 4096 Dec 11 23:52 named
Create root.hints, which describes the root name servers in the world, and as long as you have internet access and access to another DNS server, can be created or refreshed with:
# dig @e.root-servers.net . ns > /var/named/chroot/var/named/root.hints
Create directory /var/named/chroot/var/named/pz with permissions, owner and group like this.
drwxr-xr-x 2 named named 4096 Dec 23 21:22 pz
Create the following network zone files in this directory. These should all have permissions, owner and group set like this.
-rw-r--r-- 1 named named 199 Apr 1 16:49 127.0.0 -rw-r--r-- 1 named named 325 Apr 1 16:50 192.168.126 -rw-r--r-- 1 named named 220 Apr 1 16:50 192.168.127 -rw-r--r-- 1 named named 219 Apr 1 16:50 192.168.128 -rw-r--r-- 1 named named 344 Apr 1 16:49 orange.searle -rw-r--r-- 1 named named 345 Apr 1 16:49 red.searle -rw-r--r-- 1 named named 561 Apr 1 16:49 stevesearle.com
/var/named/chroot/var/named/pz/127.0.0
$TTL 295200 @ IN SOA marilyn.stevesearle.com. steve.stevesearle.com. ( 1 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D) ; Minimum TTL NS marilyn.stevesearle.com. 1 PTR localhost.
/var/named/chroot/var/named/pz/192.168.126
$TTL 3D @ IN SOA marilyn.stevesearle.com. steve.stevesearle.com. ( 200604011 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D) ; Minimum TTL NS marilyn.stevesearle.com. 1 PTR ingrid.stevesearle.com. 2 PTR marilyn.stevesearle.com. 4 PTR hayley.stevesearle.com. 5 PTR kirsty.stevesearle.com. 6 PTR lisa.stevesearle.com. 8 PTR nina.stevesearle.com. 50 PTR steve.stevesearle.com. 52 PTR wormwood.stevesearle.com. 254 PTR angie.stevesearle.com.
/var/named/chroot/var/named/pz/192.168.127
$TTL 3D @ IN SOA marilyn.stevesearle.com. steve.stevesearle.com. ( 200604011 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D) ; Minimum TTL NS marilyn.stevesearle.com. 1 PTR elaine.orange.searle. 254 PTR angie.orange.searle.
/var/named/chroot/var/named/pz/192.168.128
$TTL 3D @ IN SOA marilyn.stevesearle.com. steve.stevesearle.com. ( 200604011 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D) ; Minimum TTL NS marilyn.stevesearle.com. 1 PTR angie.red.searle. 254 PTR becky.red.searle.
/var/named/chroot/var/named/pz/orange.searle
$TTL 3D @ IN SOA marilyn.stevesearle.com. steve.stevesearle.com. ( 200604011 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D ; Minimum TTL ) NS marilyn.stevesearle.com. MX 10 marilyn.stevesearle.com. TXT "orange.searle, Steve Searle's DMZ" localhost A 127.0.0.1 elaine A 192.168.127.1 angie A 192.168.127.254
/var/named/chroot/var/named/pz/red.searle
$TTL 3D @ IN SOA marilyn.stevesearle.com. steve.stevesearle.com. ( 200604011 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D ; Minimum TTL ) NS marilyn.stevesearle.com. MX 10 marilyn.stevesearle.com. TXT "red.searle, Steve Searle's red zone" localhost A 127.0.0.1 angie A 192.168.128.1 becky A 192.168.128.254
/var/named/chroot/var/named/pz/stevesearle.com
$TTL 3D @ IN SOA marilyn.stevesearle.com. steve.stevesearle.com. ( 200604011 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D ; Minimum TTL ) NS marilyn.stevesearle.com. MX 10 marilyn.stevesearle.com. TXT "stevesearle.com, Steve Searle's domain" localhost A 127.0.0.1 ingrid A 192.168.126.1 marilyn A 192.168.126.2 ns CNAME marilyn hayley A 192.168.126.4 kirsty A 192.168.126.5 lisa A 192.168.126.6 nina A 192.168.126.8 steve A 192.168.126.50 wormwood A 192.168.126.52 angie A 192.168.126.254 www A 80.84.64.24
Then set the named service to start when the server is booted, and start it now with:
# chkconfig named on # service named start
Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line) to allow other machines to query the server.
... # named -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT ... -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited ...
Restart the firewall.
# service iptables restart
The rndc utility can be used to control named, if it connects form the local host and identifies itself with an encoded secret key. For this to work, generate an rndc.conf file.
# rndc-confgen > /etc/rndc.conf
The second half of this file is commented out. This commented section should be copied into the named.conf file and uncommented to form the key and control section.
If the BIND configuration files are changed, they can be reloaded with:
$ rndc reload
BIND can be restarted with either of the following commands:
$ rndc stop; named -u named -t /var/named/chroot
or
# service named restart
The server provides
a DHCP service to my
network.
Create /etc/dhcpd.conf
authoritative;
ddns-updates on;
ddns-domainname "stevesearle.com.";
ddns-rev-domainname "in-addr.arpa.";
ddns-update-style interim;
allow client-updates;
default-lease-time 86400;
max-lease-time 172800;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.126.255;
option routers 192.168.126.254;
option domain-name-servers 192.168.126.1, 192.168.126.4;
option domain-name "stevesearle.com";
subnet 192.168.126.0 netmask 255.255.255.0 {
range 192.168.126.128 192.168.126.191;
}
key DHCP_UPDATER {
algorithm hmac-md5;
secret "anothersecretgoeshere==";
};
zone stevesearle.com. {
primary 127.0.0.1;
key DHCP_UPDATER;
}
zone 126.168.192.in-addr.arpa. {
primary 127.0.0.1;
key DHCP_UPDATER;
}
This will provide an IP address in the range 192.168.126.128 to 192.168.126.191 to any machine requesting an IP address. It will also update the BIND files so that it can serve the names for these machines.
Set the DHCPD daemon to start when the server is booted, and start it now with:
# chkconfig dhcpd on # service dhcpd start
I use MySQL as my preferred
database. Set it to run at bootup, and start it with the
following commands.
# chkconfig mysqld on # service mysqld start
Fire up a MySQL session with:
# mysql -u root
Create a regular mysql user - searle, the one created here, will have full access from any workstation on my domain.
mysql> GRANT ALL ON *.* TO searle@localhost IDENTIFIED BY 'somepassword' WITH GRANT OPTION; mysql> GRANT ALL ON *.* TO searle@'%' IDENTIFIED BY 'somepassword' WITH GRANT OPTION; mysql> GRANT ALL ON *.* TO searle@marilyn.stevesearle.com IDENTIFIED BY 'somepassword' WITH GRANT OPTION;
All three statements are necessary. Then check that the database is accessable by this user, before setting a password on the root login as follows:
mysql> SET PASSWORD FOR root@localhost=PASSWORD('anotherpassword');
mysql> SET PASSWORD FOR root@marilyn.stevesearle.com=PASSWORD('anotherpassword');
Again, both lines are necessary.
Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).
... # MySQL -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT ... -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited ...
Restart the firewall.
# service iptables restart
Naturally I use Apache to
host the development copy of my website. I configure Apache to
allow virtual hosting so that I have the flexibility to create
multiple websites. To create the steve.stevesearle.com site which is
hosted on this server, the following steps are required.
First give this server eth0 ethernet interface a second IP address, 192.168.126.50, which was assigned to steve.stevesearle.com when BIND was set up earlier. Add the folowing lines to /etc/rc.d/rc.local - you will also need to enter the commands manually unless you reboot before attempting to view the site.
ifconfig eth0:1 192.168.126.50 route add -host 192.168.126.50 dev eth0:1
Now add the following to the end of /etc/httpd/conf/httpd.conf.
NameVirtualHost steve
<VirtualHost steve>
ServerAdmin webmaster@stevesearle.com
DocumentRoot /var/www/steve
ServerName steve.stevesearle.com
ErrorLog logs/steve.stevesearle.com-error_log
CustomLog logs/steve.stevesearle.com-access_log common
ScriptAlias /cgi-bin/ /var/www/steve/cgi-bin/
Options ExecCGI Includes
<Directory "/var/www/steve">
AllowOverride None
Options Includes ExecCGI
Order allow,deny
Allow from all
</Directory>
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
AddHandler server-parsed .shtml .html
</VirtualHost>
Create /var/www/steve which is where the sites files will be kept.
To enable html includes on the web server root, make the following changes to /etc/httpd/conf/httpd.conf. These changes and additions are made within the <Directory "/var/www/html"> section
<Directory "/var/www/html">
...
# The following line was originally: Options Indexes FollowSymLinks
Options Indexes FollowSymLinks Includes
...
AddHandler server-parsed .html
<Directory>
Then set Apache to start at bootup, and start it with:
# mkdir /var/www/steve # chkconfig httpd on # service httpd start
Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).
... # http -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT # https -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT ... -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited ...
Restart the firewall.
# service iptables restart
I use Samba to
enable MS Windows computers to access files on the server. Make
the following changes or addittions to /etc/samba/smb.conf.
...
workgroup = 10FORBES
...
# The following line prevents Samba outputting getpeername failed
# messages when Windows clients attempt to connect using port 445 as
# well as 139.
smb ports=139
...
# This was added to enbable people to share files
[tmp]
comment = Temporary file space
path = /tmp
read only = no
public = yes
# This was added to enable Windows user steve to access steve's home directory
[steve]
comment = steve's home
path = /home/steve
valid users = steve
public = no
writable = yes
printable = no
Set the Samba password for steve (the same as his Windows one).
# smbpasswd -a steve
Set Samba to start at bootup, and start it with:
# chkconfig smb on # service smb start
Now add the following -j ACCEPT lines to /etc/sysconfig/iptables (before the -j REJECT line).
... # Samba -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT ... -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited ...
Restart the firewall.
# service iptables restart
I use phpMyAdmin as one
way of maintaining my MySQL database. To install it untar into
the webserver's document root, change the ownership of the files,
restrict access to config.inc.php and create a soft link for the
directory, as follows.
# cd /var/www/html # tar -xjf /backups/downloads.linux/phpMyAdmin-2.6.1-pl3.tar.bz2 # chown -R steve.apache phpMyAdmin-2.6.1-pl3 # ln -s phpMyAdmin-2.6.1-pl3 phpMyAdmin # cd phpMyAdmin # mkdir config # chmod 757 config
User your browser to perform the setup, go to https//marilyn/phpMyAdmin/scripts/setup.php to do this.
Now copy the config file to the phpMySql directory and delete the config sub directory.
# cd /var/www/html/phpMyAdmin # cp config/config.inc.php . # rm -rf config
I use arpwatch to keep an eye on what machines join my network - there are so few changes that it is an extra belt and braces approach to wireless network security. Install it, set it to start on bootup, and start it with:
# chkconfig arpwatch on # service arpwatch start