Professional Documents
Culture Documents
HowTo Create an Apache based Linux website server Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux server configuration required to host a website. The Apache web server, FTP server and DNS configuration are covered. The Apache web server is required to serve the web pages, the FTP server is required for users to upload content and the DNS server is required to resolve the domain names so that a URL entered into a web browser will point to your web server and properly serve the correct pages. The configurations presented will include virtual hosting which will allow a single Linux server to support multiple web site domains. Tutorial topics:
# Linux Apache web (httpd) server configuration # Linux FTPd server and FTP user accounts o # vsFTPd and FTP user account configuration o # wu-FTPd and FTP user account configuration # Basic "user account" configuration for maximum security on an Internet based web server # Linux DNS (Domain Name Server) configuration using Bind version 8 or 9 (named) # Web Server Load Balancing # Managing web server daemons (services) # Links and Resources
Software Prerequisites: The Apache web server (httpd), FTP (requires xinetd or inetd) and Bind (named) software packages with their dependencies are all required. One can use the rpm command to verify installation:
A Red Hat 8.0 wu-ftpd RPM may be installed (Newer version 2.6.2 or later with security fix wu-ftpd-2.6.2-11) or install from source.
SuSE 9.3:
rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils vsftpd
Note: The apache2-MPM is a generic term for Apache installation options for "Multi-Processing Modules (MPM)s "prefork" or "worker". If you try and only install apache2 you will get the following error:
apache2-MPM is needed by apache2-2.0.53-9
One should also have a working knowledge of the Linux init process so that these services are initiated upon system boot. See the YoLinux init process tutorial for more info.
Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5/6, /var/www/html/ CentOS 4/5/6 Red Hat 6.x and older Suse 9.x Ubuntu (dapper 6.06) / Debian Ubuntu (hardy 8.04/natty 11.04) / Debian
/home/httpd/html/ /srv/www/htdocs/ /var/www/html /var/www
The default home page for the default configuration is index.html. Note the pages should not be owned by user apache as this is the process owner of the httpd web server daemon. If the web server process is comprimised, it should not be allowed to alter the files. The files should of course be readable by user apache.
Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for multiple domains. Serving for multiple domains may be achieved in two ways:
Virtual hosts: One IP address but multiple domains - "Name based" virtual hosting. Multiple IP based virtual hosts: One IP address for each domain - "IP based" virtual hosting.
The default configuration will allow one to have multiple user accounts under one domain by using a reference to the user account: http://www.domain.com/~user1/. If no domain is registered or configured, the IP address may also be used: http://XXX.XXX.XXX.XXX/~user1/.
[Potential Pitfall] The default umask for directory creation is correct by default but if not use:
chmod 755 /home/user1/public_html
[Potential Pitfall] When creating new "Directory" configuration directives, I found that placing them by the existing "Directory" directives to be a bad idea. It would not use the .htaccess file. This was because the statement defining the use of the .htaccess file was after the "Directory" statement. Previously in RH 6.x the files were separated and the order was defined a little different. I now place new "Directory" statements near the end of the file just before the "VirtualHost" statements. For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools. Files used by Apache:
Start/stop/restart script: o Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd o SuSE 9.3: /etc/init.d/apache2 o Ubuntu (dapper 6.06/hardy 8.04/natty 11.04) / Debian:
/etc/init.d/apache2
Apache main configuration file: o Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf o SuSE: /etc/apache2/httpd.conf (Need to add directive: ServerName host-name) o Ubuntu (dapper 6.06/hardy 8.04/natty 11.04) / Debian:
/etc/apache2/apache2.conf
Apache suplementary configuration files: o Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf o SuSE: /etc/apache2/conf.d/component.conf o Ubuntu (dapper 6.06/hardy 8.04/natty 11.04) / Debian: Virtual domains: /etc/apache2/sites-enabled/domain (Create soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on. Use command a2ensite) Additional configuration directives: /etc/apache2/conf.d/ Modules to load: /etc/apache2/mods-available/ (Soft link to /etc/apache2/mods-enabled/ to turn on) Ports to listen to: /etc/apache2/ports.conf
Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or status. i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read the configuration files to pick up any changes. To have this script invoked upon system boot issue the command chkconfig --add httpd. See Linux Init Process Tutorial for a more complete discussion. Also Apache control tool: /usr/sbin/apachectl start Apache Control Command: apachectl:
Red Hat / Fedora Core / CentOS: apachectl directive Ubuntu dapper 6.06 / hardy 8.04 / natty 11.04 / Debian: apache2ctl
directive
Description Start the Apache httpd daemon. Gives an error if it is already running. Stops the Apache httpd daemon.
graceful Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted. restart Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn't die. Displays a brief status report.
status
fullstatu Displays a full status report from mod_status. Requires mod_status s enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script. configte Run a configuration file syntax test. st -t
broken down into three files. These may now be all concatenated into one file. See Apache online documentation for the full manual. /etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache start-up. Used to store application specific configurations. /etc/sysconfig/httpd: Holds environment variables used when starting Apache.
Basic settings: Change the default value for ServerName www.<your-domain.com> Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those directories necessary. This is done with the directory statement. Start by denying access to everything, then grant access to the necessary directories. Deny access completely to file system root ("/") as the default:
Deny first, then grant permissions:
1 <Directory /> 2 3 Options None AllowOverride None
4 </Directory>
Set default location of system web pages and allow access: (Red Hat/Fedora/CentOS)
1 DocumentRoot "/var/www/html" 2 3 <Directory "/var/www/html"> 4 5 6 7 Options Indexes FollowSymLinks AllowOverride None Order allow,deny Allow from all
8 </Directory>
Enabling Red Hat / Fedora Linux, Apache public_html user directory access:
This will allow users to serve content from their home directories under the subdirectory "/home/userid/public_html/" by accessing the URL http://hostname/~userid/
File: /etc/httpd/conf/httpd.conf
LoadModule userdir_module modules/mod_userdir.so ... ... <IfModule mod_userdir.c> #UserDir disable - Add comment to this line # # To enable requests to /~user/ to serve the user's public_html # directory, remove the "UserDir disable" line above, and uncomment # the following line instead: UserDir public_html # Uncomment this line </IfModule> ... ... <Directory /home/*/public_html> AllowOverride FileInfo AuthConfig Limit Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec <Limit GET POST OPTIONS> Order allow,deny Allow from all </Limit> <LimitExcept GET POST OPTIONS> Order deny,allow Deny from all </LimitExcept> </Directory>
Change to a comment (add "#" at beginning of line) from Fedora Core default UserDir disable and assign the directory public_html as a web server accessible directory. OR Assign a single user the specific ability to share their directory:
1 <Directory /home/user1/public_html> 2 AllowOverride None
3 4 5
6 </Directory>
Allows the specific user, "user1" only, the ability to serve the directory
/home/user1/public_html/
Directory permissions: The Apache web server daemon must be able to read your web pages in order to feed their contents to the network. Use an appropriate umask and file protection. Allow access to web directory: chmod ugo+rx -R public_html. Note that the user's directory also has to have the appropriate permissions as it is the parent of public_html. Default permissions on user directory: ls -l /home
drwx------ 20 user1 user1 4096 Mar 5 12:16 user1
Allow the web server access to operate the parent directory: chmod ugo+x /home/user1
d-wx--x--x 20 user1 user1 4096 Mar 5 12:16 user1
One may also use groups to control permisions. See the YoLinux tutorial on managing groups.
Ubuntu has broken out the Apache loadable module directives into the directory /etc/apache2/mods-available/. To enable an Apache module, generate soft links to the directory /etc/apache2/sites-enabled/ by using the commands a2enmod/a2dismod to enable/disable Apache modules.
Example:
o [root@node2]# a2enmod
A list of available modules is displayed. Enter "userdir" as the module to enable. Restart Apache with the following command: /etc/init.d/apache2
force-reload
Note: This is the same as manually generating the following two soft links:
o o ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/modsenabled/userdir.conf ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/modsenabled/userdir.load
[Potential Pitfall]: If the Apache web server can not access the file you will get the error "403 Forbidden" "You don't have permission to access file-name on this server." Note the default permissions on a user directory when first created with "useradd" are:
drwx------ 3 userx userx
You must allow the web server running as user "apache" to access the directory if it is to display pages held there. Fix with command: chmod ugo+rx /home/userx
drwxr-xr-x 3 userx userx
SELinux security contexts: Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies and context labels. To view the security context labels applied to your web page files use the command: ls -Z
The system enables/disables SELinux policies in the file /etc/selinux/config SELinux can be turned off by setting the directive SELINUX. (Then reboot the system):
SELINUX=disabled
or using the command setenforce 0 to temporarily disable SELinux until the next reboot.
When using SELinux security features, the security context labels must be added so that Apache can read your files. The default security context label used is inherited from the directory for newly created files. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory. Move does not create a new file and thus the file does not recieve the directory security context label. The context labels used for the default Apache directories can be viewed with the command: ls -Z /var/www The web directories of users (i.e. public_html) should be set with the appropriate context label (httpd_sys_content_t). Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t
/home/user1/public_html
Options:
-R: Recursive. Files and directories in current directory and all subdirectories. -h: Affect symbolic links. -t: Specify type of security context.
Description Used for static web content. i.e. HTML web pages. Use for executable CGI scripts or binary executables. CGI is allowed to alter/delete files of this context. CGI is allowed to read or append files of this context. CGI is allowed to read files and directories of this context.
httpd_sys_script_exec_t
httpd_sys_script_rw_t
httpd_sys_script_ra_t
httpd_sys_script_ro_t
Set the following options: setsebool httpd-option true (or set to false)
Policy
httpd_enable_cgi
Allow httpd to run SSI executables in the same domain as system CGI scripts.
Then restart Apache: Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart Red Hat/Fedora: service httpd restart
available and we describe the configuration of each. Choose one method for your domain:
Name based virtual host: (most common) A single computer with a single IP adress supporting multiple web domains. The web browser using the http protocol, identifies the domain being addressed. IP based virtual host: The virtual hosts can be configured as a single multihomed computer with multiple IP addresses on a single network card, with each IP address representing a different web domain. This has the appearance of a web domain supported by a dedicated computer because it has a dedicated IP address.
Configuring a "name based" virtual host: A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a dedicated linux server which hosts a single web site.)
NameVirtualHost XXX.XXX.XXX.XXX <VirtualHost XXX.XXX.XXX.XXX> ServerName www.your-domain.com - CNAME (bind DNS alias www) specified in Bind configuration file (/var/named/...) ServerAlias your-domain.com - Allows requests by domain name without the "www" prefix. ServerAdmin user1@your-domain.com DocumentRoot /home/user1/public_html ErrorLog logs/your-domain.com-error_log TransferLog logs/your-domain.com-access_log </VirtualHost>
Notes:
You can specify more than one IP address. i.e. if web server is also being used as a firewall/gateway and you have an external internet IP address as well as a local network IP address.
NameVirtualHost XXX.XXX.XXX.XXX NameVirtualHost 192.168.XXX.XXX <VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX> ... ..
See the YoLinux Tutorial on configuring a network gateway/firewall using iptables and NAT. Use your IP address for XXX.XXX.XXX.XXX, actual domain name and e-mail address. One can use DNS views to provide different local network DNS results.
Note that I configure Apache for both requests http://www.domain-name.com and http://domain-name.com. Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a virtual domain.
<Directory "/var/www/html"> ... .. This part remains the same
</Directory> # Default for when no domain name is given (i.e. access by IP address) <VirtualHost *:80> ServerAdmin user1@your-domain.com DocumentRoot /var/www/html ErrorLog logs/error_log TransferLog logs/access_log </VirtualHost> # Add a VirtualHost definition for your domain which was once the system default. <VirtualHost XXX.XXX.XXX.XXX> ServerName www.your-domain.com ServerAlias your-domain.com ServerAdmin user1@your-domain.com DocumentRoot /var/www/html ErrorLog logs/error_log TransferLog logs/access_log </VirtualHost> ... ..
Forwarding to a primary URL. It is best to avoid the appearance of duplicated web content from two URLs such as http://www.yourdomain.com and http://your-domain.com. Supply a forwarding Apache "Redirect".
<VirtualHost XXX.XXX.XXX.XXX> ServerName www.your-domain.com ... ... </VirtualHost>
# Add a VirtualHost definition to forward to your primary URL <VirtualHost XXX.XXX.XXX.XXX> ServerName your-domain.com
Note: See the YoLinux.com Apache "Redirect" Tutorial More virtual host examples.
o
When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a "NameVirtualHost" for each IP address. After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu / Debian) Apache virtual domain configuration with Ubuntu Dapper/Hardy:
Ububntu separates out each virtual domain into a separate configuration file held in the directory /etc/apache2/sites-available/. When the site domain is to become active, a soft link is created to the directory /etc/apache2/sites-enabled/. Example: /etc/apache2/sites-available/supercorp
01 <VirtualHost XXX.XXX.XXX.XXX> 02 03 04 05 06 07 08 09 10 11 DocumentRoot /home/supercorp/public_html/home <Directory "/"> Options FollowSymLinks AllowOverride None </Directory> <Directory /home/supercorp/public_html/home> ServerName supercorp.com ServerAlias www.supercorp.com ServerAdmin webmaster@localhost
12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
Options Indexes FollowSymLinks MultiViews IndexOptions SuppressLastModified SuppressDescription AllowOverride All Order allow,deny allow from all </Directory>
ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/ <Directory "/home/supercorp/cgi-bin/"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory>
ErrorLog /var/log/apache2/supercorp.com-error.log
# Possible values include: debug, info, notice, warn, error, # crit, alert, emerg. LogLevel warn CustomLog /var/log/apache2/supercorp.com-access.log combined ServerSignature On
34 </VirtualHost>
Enable domain:
Use Ubuntu scripts a2ensite/a2dissite. Type command and it will prompt you as to which site you would like to enable or disable. Restart Apache:
o o o o
or or
Also note that Apache modules can also be enabled/disabled with scripts a2enmod/a2dismod.
Man pages:
Configuring an "IP based" virtual host: One may assign multiple IP addresse to a single network interface. See the YoLinux networking tutorial: Network Aliasing. Each IP address may then be it's own virtual server and individual domain. The downside of the "IP based" virtual host method is that you have to possess multiple/extra IP addresses. This usually costs more. The standard name based virtual hosting method above is more popular for this reason.
NameVirtualHost *
<VirtualHost *> ServerAdmin user0@default-domain.com DocumentRoot /home/user0/public_html </VirtualHost> <VirtualHost XXX.XXX.XXX.101> ServerAdmin user1@domain-1.com DocumentRoot /home/user1/public_html </VirtualHost> <VirtualHost XXX.XXX.XXX.102> ServerAdmin user1@domain-2.com DocumentRoot /home/user2/public_html </VirtualHost>
The default <VirtualHost *> block will be used as the default for all IP addresses not specified explicitly. This default IP (*) may not work for https URL's.
CGI: (Common Gateway Interface) CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by either of two configuration file directives:
ScriptAlias: o Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ "/var/www/cgibin/" o Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/" o Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/" o Ubuntu (dapper/hardy/natty) / Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
or
Options +ExecCGI: <Directory /var/www/cgi-bin> Options +ExecCGI </Directory>
The executable program files must have execute privileges, executable by the process owner (Red Hat 7+/Fedora Core: apache. Older use nobody) under which the httpd daemon is being run. Configuring CGI To Run With User Privileges: The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.
NameVirtualHost XXX.XXX.XXX.XXX <VirtualHost XXX.XXX.XXX.XXX> ServerName node1.your-domain.com by domain name without the "www" prefix. ServerAlias your-domain.com www.your-domain.com www) specified in Bind configuration file (/var/named/...) ServerAdmin user1@your-domain.com DocumentRoot /home/user1/public_html/your-domain.com ErrorLog logs/your-domain.com-error_log TransferLog logs/your-domain.com-access_log SuexecUserGroup user1 user1 <Directory /home/user1/public_html/your-domain.com/> Options +ExecCGI +Indexes AddHandler cgi-script .cgi </Directory> </VirtualHost> - Allows requests - CNAME (alias
ERROR Pages:
You can specify your own web pages instead of the default Apache error pages:
ErrorDocument 404 /Error404-missing.html
PHP:
If the appropriate php, perl and httpd RPM's are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM Packages (RHEL4):
php: HTML-embedded scripting language php-pear: PEAR is a framework and distribution system for reusable PHP components. php-mysql: MySQL database support. php-ldap: Lightweight Directory Access Protocol (LDAP) support
Apache configuration:
Add php default page index.php to apache config file:
/etc/httpd/conf/httpd.conf ... DirectoryIndex index.html index.htm index.php ...
[PHP] engine = On ... ... display_errors = Off include_path = ".:/php/includes" ... ... memory_limit = 32M ; Default is typically 8MB which is too low. ... ... [MySQL] ... ... mysql.default_host = superserver mysql.default_user = dbuser ...
Small portion of file shown. Note that changes will not take effect until the apache web server daemon is restarted.
OR (older format)
<? ?> phpinfo();
Test: http://localhost/~user1/test.php
For more info see YoLinux list of PHP information web sites.
Running Multiple instances of httpd:
The Apache web server daemon (httpd) can be started with the command line option "-f" to specify a unique configuration file for each instance. Configure a unique IP address for each instance of Apache. See the YoLinux Networking Tutorial to specify multiple IP addresses for one NIC (Network Interface Card). Use the Apache configuration file directive Listen XXX.XXX.XXX.XXX, where the IP address is unique for each instance of Apache.
Apache Man Pages:
httpd - Apache Hypertext Transfer Protocol Server apachectl - Apache HTTP Server Control Interface
ab - Apache HTTP server benchmarking tool htdigest - manage user files for digest authentication htpasswd - Manage user files for basic authentication logresolve - Resolve IP-addresses to hostnames in Apache log files rotatelogs - Piped logging program to rotate Apache logs
Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-httpd Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd
Adding web site login and password protection: See the YoLinux tutorial on web site password protection. Log file analysis:
Scanning the Apache web log files will not provide meaningfull statistics unless they are graphed or presented in an easy to read fashion. The following packages to a good job of presenting site statistics.
Analog - Also see Report Magic for Analog Webalizer AWStats - (requires PERL)
eXTReMe Tracking
PureLoad - JAVA load testing and reporting tool. WebPerformance Trainer - Load Testing Tools.
Apache Links:
CgiWrap - setuid wrapper that allows users to install and execute their own cgi scripts that get executed as their own userid WWWThreads.org - Commercial product - Advanced Web Conferencing Software Configuring https (mod_ssl): o Mod_SSL.org: Home Page o Mod_SSL.org: Mod_SSL HowTo o Mod_SSL.org: Steps to create SSL server certificate
Red Hat / Fedora: yum install analog Ubuntu / Debian: apt-get install analog
Installation packages also available from the Analog downloads page. Configuration file: /etc/analog.cfg
LOGFILE /var/log/httpd/your-domain.com-access_log* http://www.your-domain.com UNCOMPRESS *.gz,*.Z "gzip -cd" SUBTYPE *.gz,*.Z # OUTFILE /home/user1/public_html/analog/Report.html # HOSTNAME "YourDomain.com" HOSTURL http://www.your-domain.com
.... ... .. REQINCLUDE pages ALL ON LANGUAGE US-ENGLISH # Request page stats only
One can view the settings which be used with your configuration file (also good for debugging): analog -settings
The Directive ALL ON turns on all of the following: Analog Description Directive
MONTHLY ON WEEKLY ON DAILYREP ON DAILYSUM ON HOURLYREP ON GENERAL ON REQUEST ON FAILURE ON DIRECTORY ON HOST ON ORGANISATION ON DOMAIN ON REFERRER ON
one line for each month one line for each week one line for each day one line for each day of the week one line for each hour of the day the General Summary at the top which files were requested which files were not found Directory Report which computers requested files which organisations they were from which countries they were in where people followed links from
FAILREF ON
where people followed broken links from the phrases and words they used... ...to find you from search engines which browser types people were using and which operating systems types of file requested sizes of files requested number of each type of success and failure
/etc/analog.cfg /etc/analog.cfg
Links:
directives, full featured ftp server software), bftpd, pure-ftpd (free BSD and optional on Suse), etc ... For hostile environments set up a chrooted environment for an sftp encrypted connection and the rssh restricted shell for OpenSSH. See the YoLinux.com internet security tutorial for Linux sftp and rssh configuration FTPd and SELinux: To allow FTPd daemon access and FTP access to users home directories:
setsebool -P allow_ftpd_full_access=1 Other wise you will get an error in /var/log/messages: SELinux is preventing the ftp daemon from writing files outside the home directory (./public_html). setsebool -P ftp_home_dir 1
Red Hat/Fedora Core/CentOS: VsFTPd is a stand alone service and by the default Fedora Core installation, not controlled by xinetd as is the wu-ftpd default installation. Thus start service: service vsftpd start (or: /etc/init.d/vsftpd start) Configure vsftpd to start upon system boot: chkconfig --add vsftpd SuSE: By default, the vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change:
disable = yes
to:
disable = no
Restart the xinetd daemon: /etc/init.d/xinetd restart Note: vsftpd can also be run as a stand-alone service to achieve a faster response time. Ubuntu (dapper/hardy/natty) / Debian:
o o
Install: apt-get install vsftpd VsFTPd is a stand alone service. Start: /etc/init.d/vsftpd start Stop: /etc/init.d/vsftpd stop Restart: /etc/init.d/vsftpd restart (Use this command after making configuration file changes)
For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the Linux init process and service activation. Configuration files:
vsFTPd configuration file: o Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf o S.u.S.e. / Ubuntu (dapper/hardy/natty) / Debian: /etc/vsftpd.conf Default for Fedora Core 3:
anonymous_enable=YES - Anonymous FTP allowed by default if you comment this out. Default directory used: /var/ftp local_enable=YES in with FTP. ftp_home_dir 1 write_enable=YES write or upload command. local_umask=022 other ftpd's. #anon_upload_enable=YES upload files. - Uncomment this to enable any form of FTP - Default is 077. Umask 022 is used by most - Uncomment to allow the anonymous FTP user to - Uncomment this to allow local users to log Must also set SELinux boolean: setsebool -P
Requires the above global write enabled. Directory must also be writable by user. #anon_mkdir_write_enable=YES - Uncomment this to allow the anonymous FTP user to be able to create new directories. dirmessage_enable=YES enter certain directories xferlog_enable=YES connect_from_port_20=YES port 20 (ftp-data) #chown_uploads=YES owner. (not root) #chown_username=whoever - Activate directory messages. Messages given to remote users when they - Activate logging of uploads/downloads. - PORT transfer connections originate from - Uploaded anonymous files set to a specified
/var/log/vsftpd.log xferlog_std_format=YES format #idle_session_timeout=600 #data_connection_timeout=120 Port 20 #nopriv_user=ftpsecure unprivileged user. - Output to log file in standard ftpd xferlog - Set timing out for an idle session. - Set timing out for an idle data connection. - Run ftp server as an isolated and
# Enable this and the server will recognise asynchronous ABOR requests. Not # recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients. #async_abor_enable=YES #ascii_upload_enable=YES - Improve performance by disabling ASCII mode. Disables command "ascii" and "SIZE /big/file". #ascii_download_enable=YES #ftpd_banner=Welcome to YoLinux - Customize the login banner string. #deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks. #banned_email_file=/etc/vsftpd.banned_emails (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails) #chroot_list_enable=YES - List users chroot()'d to their home directory. If "NO", list users not chroot()'d. #chroot_list_file=/etc/vsftpd.chroot_list (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list) ls_recurse_enable=YES Default is disabled. pam_service_name=vsftpd userlist_enable=YES file /etc/vsftpd.user_list users. - (Ubuntu Default) Deny users specified in If "userlist_enable=NO" then allow specified - Allow "ls -R" recursive directory list.
Red Hat: /etc/vsftpd/user_list #deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks. listen=YES xinetd service. ftpd_is_daemon 1 tcp_wrappers=YES - Enable for standalone mode as opposed to an Must set SELinux boolean: setsebool -P
Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)
[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:
directive=XXX # comment
Specify list of local users chrooted to their home directories: o Red Hat: /etc/vsftpd/vsftpd/chroot_list o Ubuntu: /etc/vsftpd/vsftpd.chroot_list (Requires: chroot_list_enable=NO)
user1 user2 ... user-n
Specify list of users: o Red Hat: /etc/vsftpd/user_list o Ubuntu: /etc/vsftpd.user_list (Deny list of users requires: userlist_enable=YES) Also see PAM configuration below.
root bin daemon adm lp sync shutdown halt ...
This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is independent of vsftpd configuration. PAM authentication configuration file: ftpusers o Red Hat: /etc/vsftpd/ftpusers o Ubuntu: /etc/vsftpd.ftpusers
root bin daemon adm lp sync shutdown halt ... ... ... user6 user8 ... ...
- Users to deny
- Turn on anonymous FTP - Uploaded files owned by an assigned user - Uploaded files owned by this assigned user - No upload of files system changes allowed
hide_ids=YES pasv_min_port=50000 pasv_max_port=60000 # Features xferlog_enable=YES ls_recurse_enable=NO ascii_download_enable=NO async_abor_enable=YES # Performance one_process_model=NO idle_session_timeout=120 data_connection_timeout=300 accept_timeout=60 connect_timeout=60 max_per_ip=4 anon_max_rate=50000 pam_service_name=vsftpd userlist_enable=YES #enable for standalone mode listen=YES tcp_wrappers=YES
Anonymous logins use the login name "anonymous" and then the user supplies their email address as a password. Any password will be accepted. Used to allow the public to download files from an ftp server. Generally, no upload is permitted.
- Don't remap user name - Customize the login banner - Limit user to browse their own - Enable list of system / power - Actual list of system / power
ls_recurse_enable=NO ascii_download_enable=NO async_abor_enable=YES dirmessage_enable=YES - Message greeting held in file .message or specify with message_file=... # Performance one_process_model=NO idle_session_timeout=120 data_connection_timeout=300 accept_timeout=60 connect_timeout=60 max_per_ip=4 # pam_service_name=vsftpd userlist_enable=YES #enable for standalone mode listen=YES tcp_wrappers=YES
[Potential Pitfall]: Mispelling a directive will cause vsftpd to fail with little warning. File: .message
A NOTE TO USERS UPLOADING FILES: File names may consist of letters (a-z, A-Z), numbers (0-9), an under score ("_"), dash ("-") or period (".") only. The file name may not begin with a period or dash.
*:*
Links:
anonymous FTP - one logs in with the username 'anonymous' real FTP - log in with a real username and password and has access to the entire disk structure. guest FTP - one logs in with a real user name and password, but the user is chroot'ed to his home directory and cannot escape from it. They are constrained to their home directory which also means that they don't have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be set up.
login cwd=* all all guest,anonymous anonymous # delete files permission? anonymous # overwrite files permission? anonymous # rename files permission? guest # delete files permission? guest # overwrite files permission? guest # rename files permission? guest # umask permission?
compress tar chmod delete overwrite rename delete overwrite rename umask
shutdown /etc/shutmsg passwd-check rfc822 warn # Must also create message file /etc/pathmsg of the guest directory. # In this case it refers to /home/user1/public_html/etc/pathmsg. path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^limit all 2 noretrieve passwd .htaccess core - Do not allow users to download files of these names limit-time * 20 byte-limit in 5000 - Limit file size guestuser * - Set system user default to be categorized as a "guest". A "real" user can roam the system. Guestuser is chrooted. realgroup regularuserx regularusery - Assign real user privileges to members of groups "regularuserx" and "regularusery". Visibility of the whole file system and subject to regular UNIX file permissions realuser user4 - Assign real user privileges to user id "user4". restricted-uid user1 user2 user3 - Restricts FTP to the specified directories guest-root /home/user1/public_html user1 guest-root /home/user2/public_html user2 guest-root /home/user3/public_html user3
Note:
user1, user2 and user3 refer to login accounts. Use the appropriate login
name. The above configuration disables anonymous FTP which allows anyone to perform an FTP login with the id anonymous and an email address as a password. To enable anonymous FTP, change the class directive to:
class all real,guest,anonymous *
GUI FTP configuration tools: (Note: Linuxconf is no longer included with Red Hat 7.3 and later) Red Hat Linux assigns users a user id and group id which is the same. This means that it does not matter if you use a realuser or realgroup directive as they will act the same. Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections. Thus xinetd must be running and configured to support ftp. The configuration file is /etc/xinetd.d/wu-ftpd. The command chkconfig wu-ftpd on will make the ftp server available. See xinet configuration for more info. Allow overide of deny-uid and/or deny-gid:
allow-uid user-to-allow o o /usr/bin/kwuftpd /sbin/linuxconf
allow-gid group-to-allow
Optional configuration: o Create a group ftpchroot o Add users to this group o Use directive: guestgroup ftpchroot
[Potential Pitfall]: Flakey ftp behavior, timeouts, etc?? FTP works best with name resolution of the computer it is communicating with. This requires proper /etc/resolve.conf and name server (bind) configuration, /etc/hosts or NIS/NFS configuration.
File /home/user1/public_html/etc/pathmsg:
A NOTE TO USERS UPLOADING FILES: File names may consist of letters (a-z, A-Z), numbers (0-9), an under score ("_"), dash ("-") or period (".") only. The file name may not begin with a period or dash. You have tried to upload a file with an inappropriate name.
The whole point of the chroot directory is to make the user's home directory appear to be the root of the filesystem (/) so one could not wander around the filesystem. Configuration of /etc/ftpaccess will limit the user to their respective directories while still offering access to /bin/ls and other system commands used in FTP operation. As root:
cd /home/user1 mkdir public_html chown $1.$1 public_html touch .rhosts chmod ugo-xrw .rhosts
- Security protection
Man Pages:
Server:
File Formats: /etc/ftpaccess - Configuration file for ftpd /etc/ftpservers - ftpd virtual hosting configuration file. (optional) /etc/ftphosts - allow or deny access to certain accounts from various hosts. (optional)
/etc/ftpconversions - ftpd conversions database (for tar and compression) /var/log/xferlog - FTP server logfile ftp - File Transfer Client program
Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd. Logrotate configuration file: /etc/logrotate.d/ftpd
/var/log/xferlog { nocompress }
More information:
WU-FTPD release dkftpbench - FTP benchmark program to give you an idea as to how many simultaneous dialup clients a server can support. FTP and text file type conversions: End Of Line Characters - by Peter Benjamin
ftpcount - Show number of concurrent users. ftpshut - close down the ftp servers at a given time ftprestart - Restart previously shutdown ftp servers ftpwho - show current process information for each ftp user privatepw - Change WU-FTPD Group Access File Information (admin command)
FTP Pitfalls:
If you get the following error:
ftp> ls 227 Entering Passive Mode (208,188,34,109,208,89) ftp: connect: No route to host
This means you have firewall issues most probably on the FTP server itself. Start by removing the firewall "iptables" rules: iptables -F Add rules until you discover what is causing the problem.
Passive mode:
Passive mode can also help one past the rules:
ftp> passive Passive mode on.
This toggles passive mode on and off. When on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters pasv_min_port and pasv_max_port
FTP will change ports during use. The ip_conntrack_ftp module will consider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work. i.e. rule: /etc/sysconfig/iptables
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
FTP fails because it can not change to the users home directory:
Error:
[user1@nodex ~]$ ftp node.domain.com Connected to XXX.XXX.XXX.XXX. 530 Please login with USER and PASS. 530 Please login with USER and PASS. KERBEROS_V4 rejected as an authentication type Name (XXX.XXX.XXX.XXX:user1): 331 Please specify the password. Password: 500 OOPS: cannot change directory:/home/user1 Login failed. ftp> bye
This is often a result of SELinux preventing the vsftpd process from accesing the user's home directory. As root, grant access with the following command:
setsebool -P ftp_home_dir 1 Followed by: service vsftpd restart
gftp: GUI GTK+ Multithreaded client. File transfer directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core. KFTPgrabber: GUI KDE based client.simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed. kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with S.U.S.e. Linux. ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)
[Potential Pitfall]: Ubuntu Dapper/Hardy - Setting the shell to the preconfigured shell /bin/false will NOT allow vsftp access. One must create the shell "ftponly" as defined below to allow vsftp access with no shell.
1. Disable remote telnet login access allowing FTP access only:
Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.
... user1:x:502:503::/home/user1:/opt/bin/ftponly ...
Create file: /opt/bin/ftponly. Protection set to -rwxr-xr-x 1 root root with the command: chmod ugo+x /opt/bin/ftponly Contents of file:
01 #!/bin/sh 02 # 03 # ftponly shell 04 # 05 trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15 06 # 07 Admin=root@your-domain.com 08 #System=`/bin/hostname`@`/bin/domainname` 09 # 10 /bin/echo 11 /bin/echo "********************************************************************" You are NOT allowed interactive access."
/bin/echo "********************************************************************"
The last step is to add this to the list of valid shells on the system. Add the line /opt/bin/ftponly to /etc/shells. Sample file contents: /etc/shells
An alternative would be to assign the shell /bin/false or /sbin/nologin which became available in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false or /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access.
2. Set file quotas to limit user account.
For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial
When resolving IP addresses for a domain, Internic is expecting a "Primary" and a "Secondary" DNS name server. (Sometimes called Master and Slave) Each DNS name server requires the file /etc/named.conf and the files it points to. This is typically two separate computer systems hosted on two different IP addresses. It is not necesary that the Linux servers be dedicated to DNS as they may run a web server, mail server, etc. Note on Bind versions: Red Hat versions 6.x used Bind version 8. Release 7.1 of Red Hat began using Bind version 9 and the GUI configuration tool bindconf was introduced for those of you that like a pretty point and click interface for configuration. Installation Packages:
for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting. Ubuntu (dapper/hardy/natty) / Debian: bind9
Configuration files: Red Hat / Fedora / CentOS: File named.conf Description Primary/Secondary DNS server configuration. (See default file
/usr/share/doc/bind9.X.X/sample/etc/named.conf)
Directory /etc/
named.root.hi Configuration for recursive service. nts Required for all zones. (See default file
/usr/share/doc/bind9.X.X/sample/etc/named.root.hints)
/etc/
/var/named/chroot/etc/
named
rndc.key
Zone files
Configuration files for each domain. /var/named/ / Create this file to resolve host name var/named/chroot/var/nam internet queries i.e. define IP ed/ address of web (www) and mail servers in the domain.
Debian / Ubuntu: File named.conf Description Primary/Secondary DNS Directory /etc/bind/ Chrooted Directory /var/bind/chroot/etc/bind/
named.conf.opti server configuration. ons named.conf.loca l rndc.key Primary/Secondary DNS server configuration. /etc/ /var/bind/chroot/etc/
Zone files
Primary server (master): File: named.conf Red Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) and /etc/sysconfig/named for system variables. Ubuntu / Debian: /etc/bind/named.conf Place local definitions in /etc/bind/named.conf.options and /etc/bind/named.conf.local Simple example: (no views)
options { - Ubuntu stores options in /etc/bind/named.conf.options version "Bind"; - Don't disclose real version to hackers directory "/var/named"; - Specified so relative path names can be used. Full path names still allowed. allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS recursion no; auth-nxdomain no; - conform to RFC1035. (default) fetch-glue no; - Bind 8 only! Not used by version 9 }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "0.0.127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "your-domain.com"{ - Ubuntu separates the zone definitions into /etc/bind/named.conf.local type master; - Specify master, slave, forward or hint file "data/named.your-domain.com";
notify yes; - slave servers are notified when the zone is updated. allow-update { none; }; - deny updates from other hosts (default: none) allow-query { any; }; - allow clients to query this server (default: any) }; zone "your-domain-2.com"{ type master; file "data/named.your-domain-2.com"; notify yes; };
Note: The omission of zone ".". Required if providing a recursive service. Ubuntu includes the separated file of zone directives using the directive:
include "/etc/bind/named.conf.local";
BIND Views: The BIND naming service can support "views" which allow various sub-networks (i.e. private internal or public external networks) to have a different domain name resolution result. If no views are specified then use the configuration shown above. The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement. If even one view is specified, then ALL zones MUST be associated with a "view". Bind 9 allows for views which allow different zones to be served to different types of clients, localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "internal" and "external": o localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf o internal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view. o external: The general public internet defined as client "any". If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views). In order to support a DNS for internet domains using views, one will have to configure an "external" view
Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")
options { directory "/var/named"; dump-file statistics-file memstatistics-file // the default "data/cache_dump.db"; "data/named_stats.txt"; "data/named_mem_stats.txt";
}; logging { // By default, SELinux policy does not allow named to modify the /var/named // directory, so put the default debug log file in data/ : channel default_debug { file "data/named.run"; severity dynamic; }; }; view "localhost_resolver" { // This view sets up named to be a localhost resolver ( caching only nameserver ). // If all you want is a caching-only nameserver, then you need only define this view: match-clients { localhost; }; ... }; view "internal" { // This view will contain zones you want to serve only to "internal" clients // that connect via your directly attached LAN interfaces - "localnets" . // For local private LAN. Not covered in this tutorial. // Delete this view if web hosting with no local LAN. match-clients { localnets; }; ... }; key ddns_key { algorithm hmac-md5; secret "use /usr/sbin/dns-keygen to generate TSIG keys"; }; view "external" { // This view will contain zones you want to serve only to "external" // public internet clients. This is covered below. match-clients { any; }; ... .. };
Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf
cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc cp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc chcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints
view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:
cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc cp /usr/share/doc/bind9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root
view "external": (master) - details view "external" { /* This view will contain zones you want to serve only to "external" clients * that have addresses that are not on your directly attached LAN interface subnets: */ match-clients { any; }; match-destinations { any; }; allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS recursion no; // you'd probably want to deny recursion to external clients, so you // end up providing free DNS service to all takers // all views must contain the root hints zone: include "/etc/named.root.hints"; // These are your "authoritative" external zones, and would probably // contain entries for just your web and mail servers: zone "your-domain.com" { type master; file "/var/named/data/external/named.your-domain.com"; notify yes; allow-update { none; }; }; // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement include "/etc/named.conf.local";
don't
};
DNS key:
Use the following command /usr/sbin/dns-keygen to create a key. Add this key to the "secret" statement as follows:
key ddns_key { algorithm hmac-md5; secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq"; };
Man Pages:
named.conf
IN MX 5 mail - Identify "mail" as the node handling mail for the domain. Do NOT specify an IP address! ; ; Nodes in domain ; node1 IN A XXX.XXX.XXX.XXX - Note that this is the IP address of node1 ns1 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own primary name server. Note that this is the IP address of ns1 ns2 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2 mail IN A XXX.XXX.XXX.XXX - Identify the IP address for node mail. IN MX 5 XXX.XXX.XXX.XXX - Identify the IP address for mail server named "mail". ; ; Aliases to existing nodes in domain ; www IN CNAME node1 - Define the webserver "www" to be node1. ftp IN CNAME node1 - Define the ftp server to be node1.
or
webmaster.your-domain.com.
@ in SOA ns1.your-domain.com.
[Potential Pitfall]: Incorrect specification of the primary name server may result in the following message in /var/log/messages:
view localhost_resolver: received notify for zone 'your-domain.com': not authoritative
webmaster.your-domain.com.
Description Never use a value greater than 2147483647 for a 32 bit processor. Increment to a higher value to indicate an update to the slave
server. refresh Time increment (seconds) between update checks of the serial number with the primary server Time elapsed before a slave will contact the primary server if a connection failed Time till primary server information is considered invalid and should be refreshed if there is a new DNS query
retry
expire
minimum Time for DNS servers should hold domain information in their cache before purging IN NS A Indicate Internet. Specify the Authoratative Name servers for the domain. Specify the IP address associated with the host name. Format: hostname IN A XXX.XXX.XXX.XXX Note that in my example, no hostname is specified for the first record. This will define the default for the domain.
CNAME Specify an alias for the host name. MX Mail exchange record. Specify a priority number for the primary and back-up mail servers. The lowest number indicates the default mail server for the domain Used to specify the reverse DNS lookup
PTR
Append to the above example file. Initial configuration: Note that Red Hat may supply the default zone configuration in: /usr/share/doc/bind-9.X.X/sample/var/named/
cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/ cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/ cp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/ cp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/ cp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/ cp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/ cd /var/named/chroot/var/named/data/ chcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local
A file suffix of "zone" is also common i.e. your-domain.com.zone Secondary server (slave): File: named.conf Red Hat / Fedora Core / CentOS: /etc/named.conf Ubuntu / Debian: /etc/bind/named.conf Simple example with no views:
options { /etc/bind/named.conf.options version "Bind"; hackers directory "/var/named"; allow-transfer { none; }; anyone else recursion no; auth-nxdomain no; fetch-glue no; }; zone "localhost" { type master; file "/etc/bind/db.local"; /var/named/named.local }; zone "0.0.127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "your-domain.com"{ type slave; file "named.your-domain.com"; for RHEL4/5 chrooted bind masters { XXX.XXX.XXX.XXX; }; }; zone "your-domain-2.com"{ type slave; - Ubuntu stores options in - Don't disclose real version to - Slave is not transfering updates to - conform to RFC1035. (default) - Bind 8 only! Not used by version 9
receives
Note: RHEL4/5, CentOS 4/5, Fedora 3+ use chrooted directory structure permissions which require the use of the slaves subdirectory
/var/named/slaves
Slave Zone Files: These are transfered from master to slave and chached by slave. There is no need to generate a zone file on the slave. Additional Information:
Man page on named.conf Man page on named DNS server Full DNS manual
[Potential Pitfall]: Ubuntu dapper/hardy/natty - Path names used can not violate Apparmor security rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically named "/var/lib/bind/named.your-domain.com" as permitted by the security configuration. [Potential Pitfall]: Ubuntu dapper/hardy/natty - Create log file and set ownership and permission for file not created by installation:
touch /var/log/bindlog chown root.bind /var/log/bindlog chmod 664 /var/log/bindlog
transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied
Named needs write permission on the directory containing the file. This condition often occurs for a new "slave" or "secondary" name server where the zone files do not yet exist. The default (RHEL4/5, CentOS 4/5, Fedora Core 3+, ...):
drwxr-x--- 4 root named 4096 Aug 25 2004 named drwxrwx--- 2 named named 4096 Sep 17 20:37 slaves
Fix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named/slaves with the directive:
file "slaves/named.your-domain.com";
Bind Defaults:
Uses port 53 if none is specified with the listen-on port statement. Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on port 53, specify the following option statement in
/etc/named.conf query-source address * port 53; query-source-v6 port 53;
Logging is to /var/log/messages
After the configuration files have been edited, restart the name daemon.
/etc/init.d/named restart
Bind zone transfers work best if the clocks of the two systems are synchronised. See the YoLinux SysAdmin Tutorial: Time and ntpd File: /var/named/named.your-domain.com This is created for you by Bind on the slave (secondary) server when it replicates from Primary server.
Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind
Test DNS:
Red Hat / Fedora Core / SuSE: bind-utils Ubuntu (dapper/hardy/natty) / Debian: bind9-host Test the name server with the host command in interactive mode:
host node.domain-to-test.com your-nameserver-to-test.domain.com
or Test the name server with the nslookup command in interactive mode:
Test your DNS with the following DNS diagnostics web site: DnsStuff.com
Extra logging to monitor Bind: Add the following to your /etc/named.conf file.
logging { channel bindlog {
file "/var/log/bindlog" versions 5 size 1m; Keep five old versions of the log-file (rotates logs) print-time yes; print-category yes; print-severity yes; }; /* If you want to enable debugging, eg. using the 'rndc trace' command, * named will try to write the 'named.run' file in the $directory (/var/named). * By default, SELinux policy does not allow named to modify the /var/named directory, * so put the default debug log file in data/ : */ channel default_debug { file "data/named.run"; severity dynamic; }; category xfer-out { bindlog; }; - Zone transfers category xfer-in { bindlog; }; - Zone transfers category security { bindlog; }; - Approved/unapproved requests
// The following logging statements, panic, insist and response-checks are valid for Bind 8 only. Do not user for version 9. category panic { bindlog; }; - System shutdowns category insist { bindlog; }; - Internal consistency check failures category response-checks { bindlog; }; - Messages };
Chroot Bind for extra security: Note: Most modern Linux distributions default to a "chrooted" installation. This technique runs the Bind name service with a view of the filesystem which changes the definition of the root directory "/" to a directory in which Bind will operate. i.e. /var/named/chroot.
The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well. The latest RedHat bind updates run the named as user "named" to avoid a lot of earlier hacker exploits. To chroot the process is to create an even more secure environment by limiting the view of the system that the process can access. The process is limited to the chrooted directory assigned. The chroot of the named process to a directory under a given user will prevent the possibility of an exploit which at one time would result in root access. The original default RedHat configuration (6.2) ran the named process as root, thus if an exploit was found, the named process will allow the hacker to use the privileges of the root user. (no longer true) Named Command Sytax:
named -u user -g group -t directory-to-chroot-to
Example:
named -u named -g named -t /opt/named
When chrooted, the process does not have access to system libraries thus a local lib directory is required with the appropriate library files - theoretically. This does not seem to be the case here and as noted above in chrooted FTP. It's a mystery to me but it works???? Another method to handle libraries is to re-compile the named binary with everything statically linked. Add -static to the compile options. The chrooted process should also require a local /etc/named.conf etc... but doesn't seem to??? Script to create a chrooted bind environment:
#!/bin/sh cd /opt mkdir named cd named mkdir etc mkdir bin mkdir var cd var mkdir named mkdir run cd .. chown -R named.named bin etc var
You can probably stop here. If your system acts like a chrooted system should, then continue with the following:
cp -p /etc/named.conf etc cp -p /etc/localtime etc cp -p /bin/false bin echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd echo "named:x:25:" > etc/group touch var/run/named.pid if [ -f /etc/namedb ] then cp -p /etc/namedb etc/namedb fi mkdir dev cd dev # Create a character unbuffered file. mknod -m ugo+rw null c 1 3 cd .. chown -R named.named bin etc var
05 # 06 # chkconfig: - 55 45 07 # description: named (BIND) is a Domain Name Server (DNS) \ 08 # that is used to resolve host names to IP addresses. 09 # probe: true 10 11 # Source function library. 12 . /etc/rc.d/init.d/functions 13 14 # Source networking configuration. 15 . /etc/sysconfig/network 16 17 # Check that networking is up. 18 [ ${NETWORKING} = "no" ] && exit 0 19 20 [ -f /etc/sysconfig/named ] && . /etc/sysconfig/named 21 22 [ -f /usr/sbin/named ] || exit 0 23 24 [ -f /etc/named.conf ] || exit 0 25 26 RETVAL=0 27 28 start() { 29 30 31 # Start daemons. echo -n "Starting named: " daemon named -u named -g named -t /opt/named # Change made here
32 33 34 35 36 }
37 stop() { 38 39 40 41 42 43 44 45 } 46 rhstatus() { 47 48 49 } 50 restart() { 51 52 53 } 54 reload() { 55 56 57 } 58 probe() { 59 # named knows how to reload intelligently; we don't want linuxconf /usr/sbin/ndc reload return $? stop start /usr/sbin/ndc status return $? # Stop daemons. echo -n "Shutting down named: " killproc named RETVAL=$? [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named echo return $RETVAL
60
85 86
probe) probe
87 88 89 90 91 esac 92 93 exit $? *)
;;
Note: The current version of bind from the RedHat errata updates and security fixes (http://www.redhat.com/support/errata/) runs the named process as user "named" in the home (not chrooted) directory /var/named with no shell available. (named -u named) This should be secure enough. Proceed with a chrooted installation if your are paranoid. See:
Chrooted DNS configuration: Modern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4) come preconfigured to use "chrooted" bind. This security feature forces even an exploited version of bind to only operate within the "chrooted" jail /var/named/chroot which contains the familiar directories:
/var/named/chroot/etc: Configuration files /var/named/chroot/dev: devices used by bind: o /dev/null o /dev/random o /dev/zero
These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".
If building from source you will have to generate this configuration manually:
-p /var/named/chroot /var/named/chroot/dev /var/named/chroot/dev/null c 1 3 /var/named/chroot/dev/zero c 1 5 /var/named/chroot/dev/random c 1 8 666 -R /var/named/chroot/dev -p /var/named/chroot/etc /var/named/chroot/etc/named.conf /etc/named.conf -p /var/named/chroot/var/named /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY -p -p -p -p -R -R /var/named/chroot/var/named/slaves /var/named/chroot/var/named/data /var/named/chroot/var/run /var/named/chroot/var/tmp named:named /var/named/chroot root:named /var/named/chroot/var/named
...
mkdir mkdir mkdir mkdir chown chown
Load Balancing of servers using Bind: DNS Round-Robin This will populate name servers around the world with different IP addresses for your web server www.your-domain.com
www0 www1 www2 www3 www4 www5 www IN IN IN IN IN IN IN IN IN IN IN IN IN A A A A A A CNAME CNAME CNAME CNAME CNAME CNAME CNAME XXX.XXX.XXX.1 XXX.XXX.XXX.2 XXX.XXX.XXX.3 XXX.XXX.XXX.4 XXX.XXX.XXX.5 XXX.XXX.XXX.6 www0.your-domain.com. www1.your-domain.com. www2.your-domain.com. www3.your-domain.com. www4.your-domain.com. www5.your-domain.com. www6.your-domain.com.
Internet Software Consortium (ISC) Home Page - ISC Bind Home Bind FAQ, pitfalls and answers Zytrax Bind 9 manual - Bind for rocket scientists comp.protocols.tcp-ip.domains FAQ - HTML version More on load balancing and round robin schemes
LDP DNS-HOWTO DNS Security best practices - Cricket Liu (coauthor of DNS and Bind) DNS Security Paper - Craig Rowland GraniteCanyon.com: Free DNS hosting - If you don't want to set it up, have someone do it for you. EveryDNS.net - Free DNS DNS2GO - Domain hosting for DHCP clients. Secondary.com - Free secondary names server hosting (five or fewer domains) TZO.com - Dynamic, secondary DNS services. OpenDNS.com - Can allow forwarding to OpenDNS servers. Add to "options" section: forwarders { 208.67.222.222; 208.67.222.220; }; DynDNS.org Command: ipcheck.py -i eth0 DynDNS-user-id password node.dnsalias.net Then add script update.dyndns.ip to directory /etc/cron.daily/ to update IP. This host must also be allowed access through any firewall rules. DynDNS.com - Dynamic DNS for those with dynamic IP addresses. (i.e. dial-up game servers etc.)
Domain Name Registrars: o NetworkSolutions.com o Register.com o Registrar.GoDaddy.com - Domain name registration for only $8.95/year!!! o Dotster.com - Domain name registration for only $14.95/year o DomainsNext.com - $11.95/year o EasyDNS.com - $25.00/year o Aplus.net - Domain Registration $7.95/year - Not good o Gandi.net - European AfterNic.com - Domain name exchange and auction. BuyDomains.com - Buy a domain name that a squatter is holding.
Note that the Name registrations policies for the registrars are stated at ICANN.org.
You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards. Most free a domain name 30 days after it expires.
DNS round-robin: Discussed above, this uses DNS to point users to random server in a list of appropriate servers. This spreads the load among the servers in the list. Use a Linux Virtual Server to Create a Load Balance Cluster. See next section below. Run a reverse proxy. See nginx ("engine X"). From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching). Run the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse proxy, routing external traffic to various servers on an internal network.
Enable IP Masquerading:
iptables -t nat -P POSTROUTING DROP iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
For more on IP Masquerading, iptables and subnet addresses, see the YoLinux network gateway tutorial.
Enable virtual server: o Create virtual service and choose scheduler for http (80) and ftp (21):
Command directives: A: Add a virtual service defined by IP address, port number, and protocol. -t: Use TCP service host:port -s: scheduler: rr: Robin Robin: distributes jobs equally amongst the avail- able real servers. wrr: Weighted Round Robin. lc: Least-Connection: assigns more jobs to real servers with fewer active jobs. wlc: (Default) Weighted Least-Connection: assigns more jobs to servers with fewer jobs and relative to the real server's weight. lblc, lblcr, dh, sh, sed, nq. See man page. Configure load balancing cluser.
-a -a -a -a -t -t -t -t 66.218.88.103:80 66.218.88.103:80 66.218.88.103:80 66.218.88.103:21 -r -r -r -r 176.168.1.1:80 176.168.1.2:80 176.168.1.3:80 176.168.1.4:21 -m -m -w 2 -m -m
Command directives: -r: Real server. -m: Use masquerading also known as network address translation (NAT) -w: Weight is an integer specifying the capacity of a server relative to the others in the pool. The valid values of weight are 0 through to 65535. The default is 1.
Links:
LinuxVirtualServer.org iptables - Administration tool for IPv4 packet filtering and NAT ipvsadm - Administer the routing table on a Linux Virtual Server.
S S S
A new installation will most likely NOT start the named background process which may be started manually after configuration. See the YoLinux Init Process Tutorial for more information. The inetd (or xinetd) background process is the Internet daemon which starts FTP when an ftp request is made.
mwh-mini_tr.gif etc.
echo "5) Create default web page" sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html cp -p /opt/etc/AccountDefaults/favicon.ico . cp -p /opt/etc/AccountDefaults/default-logo.gif ./images cp -p /opt/etc/AccountDefaults/robots.txt . chown $1.$1 index.html favicon.ico robots.txt chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt chcon -R -h -t httpd_sys_content_t images/default-logo.gif echo "6) Edit /etc/passwd file - change user shell to /opt/bin/ftponly" cp -p /etc/passwd /etc/passwd-`date +%m%d%y` sed "/^$1/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd #wu-ftp# Requires: /etc/ftpaccess guestuser restrict-uid #wu-ftp# echo "7) Add user to /etc/ftpaccess file" #wu-ftp# cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y` #wu-ftp# sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess #wu-ftp# sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess #wu-ftp# echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess echo "7) Add user to vsftpd chroot list cat `echo $1` >> /etc/vsftpd/vsftpd.chroot_list # echo "8) Setting Disk Quotas to default 50Mb limit:" Use user johndoe as a prototype. edquota -p johndoe $1 Admin Follow-up:" Modify quota.user if different than default" Make changes to Bind names services on dns1 and dns2 if Change /etc/http/conf/httpd.conf or add config to /etc/http/conf.d/ if using a new domain name" Add e-mail aliases to mail server if necessary"
echo "9) echo " echo " necessary" echo " echo " echo " fi fi
yolinux.com/robots.txt