How to Set-Up a Home Server (Running from a USB Flash Drive)

On this page I describe how I set up my own home server, which is connected to the internet via FTTH. I use this server as my personal e-mail and web server. It contains nothing but a fanless motherboard. It boots and runs from a 32GB USB flash drive, avoiding the need for an internal hard disk and CD-ROM drive. The serial port is used as the console, avoiding the need for a monitor.

This is my second server, which I installed in 2007. Click here for the description of how I installed my first server in 2003, which used a fanless computer equipped with a 40GB hard disk and a CD-ROM drive.

Contents:

1. My Requirements
2. The Hardware
3. The Operating System
4. Serial Cable
5. My Network Configuration
6. Partitioning the Flash Drive
7. Installing Fedora Core 6 Linux
8. Installing the SYSLINUX Boot Loader
9. First Boot
10. Making a Backup First
11. Personal Fine Tuning of Fedora Core 6 Linux
12. Creating Additional User Accounts
13. Crontab
14. Telnet
15. FTP
16. DNS
17. E-Mail
18. Filtering Spam
19. Auto-Replying to E-Mail
20. Web Server
21. Web Usage Statistics
22. Samba
23. Protection Against Brute Force Password Hacking
24. Disabling Start-Up of Unused Services
25. Disabling Access Timestamps on Root Filesystem
26. NAT Settings FTTH Modem
Glossary and Abbreviations
References

1. My Requirements

For my server I had the following requirements:


2. The Hardware

As hardware I have used:

The VIA EPIA ML6000EAG Motherboard does not need a CPU fan. It provides:

Of these I only needed the ethernet port, the serial port and the USB 2.0 ports.

The Cubid 2699R Mini-ITX Case is a small 30x28x6cm box. It contains a fanless 50W power supply, which gets its power from a 12V DC input. It comes with an external 100-240V AC to 12V DC power adapter similar to the ones used with laptops.



Picture 1: My server.

To set up the BIOS, I needed to connect a monitor and a keyboard. This is the only time the monitor and keyboard are needed. Operating the system is done over the serial port. Installing the system onto the USB flash drive can be done from any (laptop) computer.

I configured the BIOS to boot from USB and to reboot automatically after a power failure.


3. The Operating System

I did not even consider Windows, since it is neither free nor well designed. Since I wanted a free operating system, the choice was between one of the many Linux distributions and FreeBSD Unix. They are basically all variants of the same flavour.

I have chosen Fedora Core 6 Linux, because I already used Fedora Core Linux on my previous server. Fedora Core Linux is the free, community-supported distribution sponsored by Red Hat, and forms the basis for Red Hat Enterprise Linux. It is shipped with a lot of software and is well documented. For more information on Fedora Core Linux see http://fedoraproject.org/.

Fedora Core 6 Linux is downloadable for free from many internet mirror sites.

One needs to download a DVD image file, which can be burned onto a DVD using standard DVD burning software. This can be done under Windows. Linux is not needed to create the DVD.

One needs to have the files / DVD:

This disk is bootable. It starts a user-friendly set-up program (Anaconda), which guides the user through the installation process.

Alternatively one can download CD image files. In that case one needs the files / CDs:


4. Serial Cable

To connect my server to my laptop a cross-over (null-modem) cable is needed, connecting TXD of the server to RXD of the laptop, and RXD of the server to TXD of the laptop. The hardware handshake signals are looped back. Figure 1 shows the cable pinout.

 

Figure 1: Serial cross-over cable.


5. My Network Configuration

I got a single public IP address, 62.251.90.62, from my internet provider. My internet provider maps this IP address (forward and reverse) to the name ip3efb5a3e.xs4all.space.

My home network is connected to the internet via a FritzBox FTTH modem. This modem provides Network Address Translation (NAT), Dynamic Host Configuration (DHCP) and a name server (DNS). It can connect up to 4 ethernet devices via its built-in hub.

My home network uses internal IP addresses, which can not be reached directly from the internet:

When IP packets pass through the FTTH modem, these internal IP addresses are translated into my public IP address and back. For traffic originating from my home network, the network address translator remembers from which internal IP address each session originates, so that it can later send the response back to the right internal IP address.

For traffic originating from the internet, the network address translator has a table (the port forwarding table, see section 26) telling which protocols and ports are forwarded to which internal IP address. An IP packet whose protocol and port are not listed in the table is discarded. By doing so it provides basic firewall functionality as a by-product of the network address translation. Note that this protection does not extend to the ports that are forwarded: every service listed in that table is exposed to the whole internet, and nothing on the modem filters traffic between the machines on the home network.

For more information about Network Address Translation see "RFC3022" ([1]).

 

Figure 2: My network configuration.

I have registered my own domain fwiarda.com at Network Solutions (see http://www.networksolutions.com/). Within this domain:

The name servers of Network Solutions are the authoritative name servers for my domain fwiarda.com.


6. Partitioning the Flash Drive

To install Fedora Core 6 Linux on the USB flash drive a regular Windows laptop or desktop computer is used. The server hardware is not needed for this.

Two partitions are created on the flash drive: a 100 MB bootable FAT16 (DOS) partition at the beginning of the drive, which holds the SYSLINUX boot loader, the kernel and the initrd (see section 8), and an ext3 (Linux) partition on the remainder of the drive, which holds the root filesystem.

Note that we do not make a swap partition. Swapping to a flash drive is a bad idea, since flash memory can withstand only a limited number of write cycles. Instead we have chosen to install an abundant 1 GB of RAM, making swap unnecessary.

To prevent accidentally deleting information from the wrong drive, remove all other USB flash drives, USB hard disks and SCSI hard disks. Only the USB flash drive to be partitioned shall be connected to the computer! Put the Fedora Core 6 DVD in the DVD drive and power the computer up. At the boot prompt we enter:

linux rescue

Linux boots up from the DVD and starts a shell. The flash drive should be /dev/sda. Double check with the command ls /dev that /dev/sdb does not exist, and check that the size reported for sda in /proc/partitions matches the flash drive, before writing anything to it!

First the partition table of the USB flash drive is erased with the command:

dd if=/dev/zero of=/dev/sda bs=512 count=1

This command overwrites the master boot record, which contains the partition table. Note that only the partition table is gone: the data in the old partitions is still physically present in the flash memory until it is overwritten, so a drive that held confidential data needs a full overwrite (the same dd command without count=1) before it is passed on. The 100 MB bootable FAT16 (DOS) partition at the beginning of the drive is created with the command:

fdisk /dev/sda

The fdisk program now prompts for input. The following commands are entered to the fdisk program:

p
n
p
1
1
+100M
t
6
a
1
p
w

The newly created partition will be formatted while installing Fedora Core 6 Linux with the Anaconda installer. During this installation process the ext3 (Linux) partition will be created as well.


7. Installing Fedora Core 6 Linux

The DVD is placed in the DVD drive, and the USB flash drive is placed in one of the USB ports. Reboot the computer and enter at the boot prompt

linux i586

Linux boots up from the DVD and starts the Anaconda installer. The VIA Eden processor is a Pentium-class (i586) CPU, while the computer used to install Linux on the USB flash drive probably has a more advanced CPU. The i586 option forces the Anaconda installer to install a kernel built for a Pentium CPU instead of one built for the more advanced CPU, which might not boot on the VIA Eden.

The following choices are made in the Anaconda installer:

The Anaconda installer first creates and/or formats the needed partitions. Then it installs Fedora Core 6 Linux. This takes a couple of hours.


8. Installing the SYSLINUX Boot Loader

To install the SYSLINUX boot loader the computer is booted under Windows. Click here to download this boot loader and unpack it into a temporary directory. Open a command prompt and change the current directory to this temporary directory. Put the USB flash drive in one of the USB ports and enter the following commands at the command prompt (assuming the drive letter for the USB flash drive is f:):

syslinux.exe -fs f:
syslinux.exe -fa f:
syslinux.exe -fm f:
label f: FATBOOT

A file f:\syslinux.cfg is created to contain the following lines:

serial 0 19200
console 1
prompt 1
default linux
timeout 100

label linux
        kernel vmlinuz
        append console=ttyS0,19200n8 initrd=initrd.img ro root=LABEL=/

label linux2
        kernel vmlinuz
        append initrd=initrd.img ro root=LABEL=/

Now the Linux kernel to be booted must be transferred to the (FAT16) DOS partition. To do this put the Fedora Core 6 DVD in the DVD drive and reboot the computer. At the boot prompt the following command is entered:

linux rescue

Linux boots up from the DVD. The question whether we want to mount the installation found is answered with yes. A shell is started. The following commands are entered (this assumes the FAT16 partition was given the mount point /fatboot in the Anaconda installer, so that it is mounted inside the chroot; the kernel version is the one shipped with Fedora Core 6):

chroot /mnt/sysimage
cp /boot/vmlinuz-2.6.18-1.2798.fc6 /fatboot/vmlinuz
cp /boot/initrd-2.6.18-1.2798.fc6.img /fatboot/initrd.img

Note that the kernel on the FAT16 partition is what SYSLINUX boots. Fedora's kernel updates only install the new kernel under /boot and update GRUB's configuration, which this setup does not use, so after every kernel update these two copies must be repeated or the server keeps booting the old kernel.

Now the USB flash drive is ready to be booted for the first time.
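Since the kernel that SYSLINUX boots is the copy on the FAT16 partition, every kernel update has to be followed by the two cp commands above. The script below automates that step with the checks one wants before touching the only boot medium. It is an added example, not part of the original page or of Fedora: it assumes the /boot and /fatboot layout described above and Fedora's vmlinuz-VERSION / initrd-VERSION.img file names, picks the newest kernel by version number rather than by timestamp, refuses a kernel whose initrd is missing, keeps the previous pair as vmlinuz.old and initrd.old (a third label in syslinux.cfg can point at those as a fallback), and reads the copies back before reporting success.

```shell
#!/bin/bash
# Added example: copy the newest installed kernel and its initrd from BOOTDIR
# (normally /boot) to the FAT16 partition FATBOOT (normally /fatboot) that
# SYSLINUX boots from. Assumes the vmlinuz-VERSION / initrd-VERSION.img
# naming used by Fedora Core 6 and the syslinux.cfg shown above.
#
# Usage: sync_kernel BOOTDIR FATBOOT    -> prints the version now installed

sync_kernel() {
    bootdir=$1
    fatboot=$2

    # Pick the newest kernel by version sort, not by mtime: reinstalling an
    # old kernel package gives the old kernel the newest timestamp.
    ver=$(ls "$bootdir" | sed -n 's/^vmlinuz-//p' | sort -V | tail -n 1)
    if [ -z "$ver" ]; then
        echo "sync_kernel: no vmlinuz-* found in $bootdir" >&2
        return 1
    fi

    # Without the matching initrd the kernel cannot find the USB root
    # filesystem, so refuse rather than copy half a pair.
    if [ ! -f "$bootdir/initrd-$ver.img" ]; then
        echo "sync_kernel: initrd-$ver.img missing, not touching $fatboot" >&2
        return 1
    fi

    # Keep the pair that booted last time; a label in syslinux.cfg pointing
    # at vmlinuz.old/initrd.old gives a fallback from the serial console.
    if [ -f "$fatboot/vmlinuz" ] && [ -f "$fatboot/initrd.img" ]; then
        cp -f "$fatboot/vmlinuz" "$fatboot/vmlinuz.old" || return 1
        cp -f "$fatboot/initrd.img" "$fatboot/initrd.old" || return 1
    fi

    # Copy under a temporary name and rename afterwards, so a power cut
    # during the copy leaves either the old or the new file in place,
    # never a truncated one.
    cp -f "$bootdir/vmlinuz-$ver" "$fatboot/vmlinuz.new" || return 1
    mv -f "$fatboot/vmlinuz.new" "$fatboot/vmlinuz" || return 1
    cp -f "$bootdir/initrd-$ver.img" "$fatboot/initrd.new" || return 1
    mv -f "$fatboot/initrd.new" "$fatboot/initrd.img" || return 1

    # Read the copies back: flash media do fail silently.
    cmp -s "$bootdir/vmlinuz-$ver" "$fatboot/vmlinuz" || return 1
    cmp -s "$bootdir/initrd-$ver.img" "$fatboot/initrd.img" || return 1
    sync
    echo "$ver"
}

# From the command line: sync_kernel /boot /fatboot
if [ $# -eq 2 ]; then
    sync_kernel "$1" "$2"
fi
```

Run it as root after every kernel update (or from /etc/cron.daily, where a failure mail to root is the signal to look at /fatboot). A kernel that is installed without its initrd leaves the boot partition exactly as it was.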


9. First Boot

At first boot the graphical firstboot program is started and we have to answer some questions. Because the target server hardware uses a serial console instead of a graphical display, the USB flash drive is booted the first time on the computer used to install it.

The USB flash drive is placed in the computer. Be sure the BIOS has booting from a USB harddisk or flash drive enabled. At the boot prompt we enter:

linux2

Note that this points to the second entry in the syslinux.cfg file. In this entry console=ttyS0,19200n8 is missing, so no serial console is used.

If the computer used does not support booting from USB, a special boot CD can be used instead. This boot CD fulfils the function in the boot process that otherwise would have been fulfilled by the bootable FAT16 (DOS) partition on the USB flash drive. Click here for an .iso file to be burned onto a CD. Boot the computer with this boot CD and the USB flash drive inserted.

At the first boot screens we:

After filling in the firstboot screens the system reboots. The USB flash drive is now ready to boot-up our server with it.

The USB flash drive is now put into the server. The server is connected with the serial cross-over cable to our Windows computer. On the Windows computer we run a VT100 terminal emulation program (like Kermit 95). The serial port settings are 19200 baud, no parity, 8 data bits. When the server is powered up it boots from the USB flash drive and we get the Linux login prompt in our terminal emulator.

Further configuration must be done while logged in as root.


10. Making a Backup First

In the remainder of this page we edit a lot of files. It is good practice to make a backup copy of each original file with a .old extension before editing it.

The system configuration is basically determined by the files in the /etc tree. The whole tree can be backed up to a file /root/etc.tar.gz with the command:

tar -zcf /root/etc.tar.gz /etc 

Note that this archive contains /etc/shadow and every private key stored under /etc, so it must stay readable by root only: created with root's umask 022 it gets mode 644 and should be tightened to 600, and any copy taken off the server should be encrypted.

And it can be restored again with the commands:

cd /
rm -rf /etc 
tar -zxf /root/etc.tar.gz

tar strips the leading slash when creating the archive, so its members are named etc/..., which is why the extraction has to be done from /. Removing /etc before the archive has been proven readable leaves an unbootable system if the extraction then fails, so list the archive with tar -tzf first.
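The two shell functions below, added here as an example and not taken from the original page, make the backup and restore above safe to rely on: the archive is created with mode 600 and listed back before it is trusted, a checksum is stored next to it, and a restore unpacks into a staging directory first and only then swaps the trees, keeping the old tree as etc.old for a rollback. The paths are parameters, so the /etc case is etc_backup /etc /root/etc.tar.gz and etc_restore /root/etc.tar.gz /etc, and the test runs the same code on a temporary tree.

```shell
#!/bin/bash
# Added example: verified backup and staged restore of a configuration tree.
#   etc_backup  TREE ARCHIVE   e.g. etc_backup /etc /root/etc.tar.gz
#   etc_restore ARCHIVE TREE   e.g. etc_restore /root/etc.tar.gz /etc
# Nothing here is specific to /etc; any directory tree works.

etc_backup() {
    tree=$1
    archive=$2
    # The archive holds /etc/shadow and private keys: create it with mode 600
    # (umask 077) instead of inheriting the shell's umask 022.
    # "-C parent name" stores members as "etc/...", the same layout that
    # "tar -zcf /root/etc.tar.gz /etc" produces after tar strips the "/".
    ( umask 077 && tar -zcf "$archive" -C "$(dirname "$tree")" "$(basename "$tree")" ) || return 1
    # An archive that cannot be listed back is worse than none: drop it.
    if ! tar -tzf "$archive" >/dev/null; then
        rm -f "$archive"
        return 1
    fi
    # Checksum beside the archive, so a copy kept elsewhere can be verified.
    ( cd "$(dirname "$archive")" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
}

etc_restore() {
    archive=$1
    tree=$2
    name=$(basename "$tree")
    parent=$(dirname "$tree")
    # Refuse an archive that does not match its checksum.
    ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ) || return 1
    # Unpack into a staging directory on the same filesystem first; the live
    # tree is not touched until the whole archive has been extracted.
    staging=$(mktemp -d "$parent/.restore.XXXXXX") || return 1
    if ! tar -zxf "$archive" -C "$staging" || [ ! -d "$staging/$name" ]; then
        rm -rf "$staging"
        return 1
    fi
    # Swap: keep the current tree as TREE.old for a rollback.
    rm -rf "$tree.old"
    if [ -e "$tree" ]; then
        mv "$tree" "$tree.old" || return 1
    fi
    mv "$staging/$name" "$tree" && rmdir "$staging"
}
```

A corrupt or truncated archive makes etc_restore return 1 with the live tree untouched, which is the property the plain rm -rf /etc sequence lacks.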

11. Personal Fine Tuning of Fedora Core 6 Linux

The changes in this section are fine tunings which are a matter of personal taste. The system will work fine without them.

The file /etc/bashrc is edited to contain the following lines:

# If we are an interactive shell and the terminal is an xterm,
# the environment variable PROMPT_COMMAND is set to manipulate
# the window title.
if [ "$PS1" ]; then
    case $TERM in
        xterm*)
            PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}"; echo -ne "\007"'
            ;;
        *)
            PROMPT_COMMAND=''
            ;;
    esac
fi

# Set prompt.
PS1='\u@\h:\w \$ '

# Group and world do not get write permission on newly created files.
umask 022

# Define the equivalent of DOS commands as aliases.
alias cls="clear"
alias copy="cp -v"
alias del="rm"
alias dir="ls --color=never --time-style=long-iso -p -l -L"
alias md="mkdir"
alias rd="rmdir"
alias ren="mv -i"

# These changes reflect my personal taste.
alias info="info --vi-keys"
alias l.="ls --color=never --time-style=long-iso -p -a"
alias ll="ls --color=never --time-style=long-iso -p -l"
alias ls="ls --color=never --time-style=long-iso -p"
alias vi="/bin/vi"

The following lines are added to /etc/profile:

# A VT100 is a subset of the ansi definition and more reliable.
if [ "$TERM" = ansi ] ; then TERM=vt100 ; fi
export TERM

# Define keys for command line editing. Note that ^H is
# actually the backspace character. Only touch the terminal when
# there is one: stty fails in non-interactive shells (cron, scp).
if [ -t 0 ] && [ "$TERM" != "xterm" -a "$TERM" != "linux" -a "$TERM" != "cygwin" ] ; then
	stty erase ^H
fi
# bind is a bash builtin; skip it when /etc/profile is read by another shell.
if [ -n "$BASH_VERSION" ] && [ -n "$PS1" ] ; then
	bind -f /etc/inputrc
fi

# Get rid of strange (UTF8) characters in man pages and have ISO date
# formats.
LANG=en_DK
export LANG

# Define the prompt to be "user@host:directory $".
PS1='\u@\h:\w \$ '
export PS1

# Use the global vi preferences file.
EXINIT='so /etc/exrc'
export EXINIT

# Man shall look for man pages in /usr/local/share/man as well.
MANPATH=/usr/share/man:/usr/local/share/man
export MANPATH

# If it exists, add ~/bin to the path as well.
if [ -d ~/bin ] ; then
        PATH=~/bin:$PATH
fi

# Login shells seem to fail to run ~/.bashrc, so we do it explicitly.
if [ -f ~/.bashrc ]; then
	. ~/.bashrc
fi 

The files /etc/skel/.bashrc and /root/.bashrc shall contain the follwing lines:

# Source global definitions.
if [ -f /etc/bashrc ]; then
	. /etc/bashrc
fi

# User specific aliases and functions.

Existing profile files have been deleted using the following commands:

rm -f /etc/skel/.bash_profile
rm -f /root/.bash_profile
rm -f /home/*/.bash_profile

A global vi settings file /etc/exrc is created to contain the following lines:

" Autoindentation on. (In an exrc file comments start with a double quote,
" not with #, which ex would try to execute as a command.)
set autoindent

" Colour syntax off.
syn off

I like to have Windows XP style command line editing. To enable this the file /etc/inputrc must contain the following lines:

# Windows style command line editing. 
set completion-ignore-case on
set mark-directories off
set match-hidden-files off

tab: menu-complete

# Note that the command "stty erase ^H" must have been executed before, 
# to be able to re-map the delete key.
del: delete-char
control-h: backward-delete-char
$if term=xterm
	"\e[3~": delete-char
	del: backward-delete-char
$endif
$if term=linux
	"\e[3~": delete-char
	del: backward-delete-char
$endif

# Re-mapping of some keys that where not mapped well.
"\e[5~": beginning-of-history
"\e[6~": end-of-history

# A VT100 does not have a Home, End, PgUp and PgDn key. In my
# terminal emulator I programmed the vi key sequences for these
# actions under the these keys.
"\e\C-u": beginning-of-history
"\e\C-d": end-of-history
"\e0": beginning-of-line
"\e$": end-of-line

"\e[1;5C": forward-word
"\e[5C": forward-word
"\e\e[C": forward-word

"\e[1;5D": backward-word
"\e[5D": backward-word
"\e\e[D": backward-word

The file /etc/mail.rc has been edited to contain the following lines:

# Ask for the mail subject when accepting mail from a terminal.
set asksub

# Terminate mail input with a line containing a single dot.
set dot

# Retain read messages in the system mailbox instead of moving them
# to the mbox file.
set hold

# Don't save a message to the file dead.letter when input of the message
# is aborted with ctrl-C.
set nosave

# Don't display Received headers.
ignore Received

12. Creating Additional User Accounts

Two additional user accounts are created.

The account server is used for administrative purposes, like storing the web pages with usage statistics.

The account fwiarda is my personal account. My personal web site is stored under this account and I receive my personal e-mail on it. I mount the home directory of this account as an additional drive on my PC.

Creating the additional accounts is done by issuing the following comands:

useradd server -c "Server Administration"
useradd fwiarda -c "Frits Wiarda"
chmod 755 /home/server
chmod 755 /home/fwiarda
passwd server
passwd fwiarda

Note that with the chmod commands I make the users' home directories readable for all. The default for Fedora Core 6 Linux is that users' home directories are strictly private. I consider this not handy, since my users are myself in different roles, and now and then perhaps a well trusted friend. Be aware that, combined with the umask 022 set in /etc/bashrc, this makes every file created in these home directories (including the mailbox ~/mail/Spam used in section 18) readable by every local account, including the accounts the Apache and name server daemons run under; a compromised daemon can then read that mail.

I create a link /home/root as an alias to the root's home directory. I make the root's home directory world readable as well. Issuing the following commands does this:

ln -s /root /home/root
chmod 755 /root

13. Crontab

After installation root's mailbox is flooded with mail containing all kinds of periodic reports. So I consider it desirable to clean all crontabs, and then add the things I consider useful.

Cron is a facility which periodically executes certain tasks. There are two types of crontabs, user crontabs and system crontabs.

User crontabs are managed with the command crontab.

System crontabs are managed by editing the file /etc/crontab. By default this file contains 4 entries which periodically execute all executable files in the directories /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly. A 5th entry exists which calls the Multi Router Traffic Grapher, which we do not need. The file /etc/crontab is edited to contain the following lines:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
MAILTO=root
HOME=/root

0 * * * * root run-parts /etc/cron.hourly
10 0 * * * root run-parts /etc/cron.daily
20 0 * * 0 root run-parts /etc/cron.weekly
30 0 1 * * root run-parts /etc/cron.monthly

The directories containing the files to be executed periodically are cleaned with the following commands. The old contents are kept in the *.old directories, so that individual jobs can be put back. Note that the removed daily jobs include logrotate; without it the files under /var/log grow without bound on the flash drive, so that one is worth restoring from /etc/cron.daily.old:

mv /etc/cron.hourly /etc/cron.hourly.old
mv /etc/cron.daily /etc/cron.daily.old
mv /etc/cron.weekly /etc/cron.weekly.old
mv /etc/cron.monthly /etc/cron.monthly.old
mkdir /etc/cron.hourly
mkdir /etc/cron.daily
mkdir /etc/cron.weekly
mkdir /etc/cron.monthly

A file /etc/cron.daily/cleanup has been created containing the following lines:

#!/bin/bash
/usr/sbin/tmpwatch -u -m -c -f 24 /tmp
/usr/sbin/tmpwatch -u -m -c -f 24 /var/spool/squirrelmail/attach

After editing, the permissions for this file have been changed with the command:

chmod 755 /etc/cron.daily/cleanup

14. Telnet

By default telnet is disabled on Fedora Core 6 Linux. To enable it edit the file /etc/xinetd.d/telnet and change disable = yes into disable = no. The change becomes effective after the xinetd daemon has been restarted, or after a system reboot.

It appeared that there was a bug in /usr/sbin/in.telnetd, making telnet sessions exit immediately with an error message. Therefore I replaced this file with an old one from Red Hat Linux 8.0. Click here to download this file. Do not forget to set the executable flag with:

chmod +x /usr/sbin/in.telnetd

By default Fedora Core 6 Linux disallows root login via telnet, since telnet is considered insecure: the password travels over the network unencrypted. However, on a home network behind the NAT modem I consider this acceptable. Note that this holds only as long as the telnet port is never forwarded from the internet in the modem (see section 26) and every device on the home network is trusted, since anyone on that network segment can read the root password off the wire; SSH does not have this problem. To enable root login via telnet add the following lines to the file /etc/securetty:

pts/0
pts/1
pts/2
  .
  .
pts/99

15. FTP

By default FTP is disabled on Fedora Core 6 Linux. To enable it the following commands must be executed:

mv /etc/rc.d/rc2.d/K50vsftpd /etc/rc.d/rc2.d/S50vsftpd
mv /etc/rc.d/rc3.d/K50vsftpd /etc/rc.d/rc3.d/S50vsftpd
mv /etc/rc.d/rc4.d/K50vsftpd /etc/rc.d/rc4.d/S50vsftpd
mv /etc/rc.d/rc5.d/K50vsftpd /etc/rc.d/rc5.d/S50vsftpd

The renaming of these files makes that the FTP server is started during system boot.

By default Fedora Core 6 Linux disallows root login via FTP, since FTP is considered insecure because it uses unencrypted password verification (the same caveat as for telnet applies). To change this the file /etc/vsftpd/ftpusers is edited and the entry root is removed. Since the Fedora default vsftpd.conf also sets userlist_enable=YES, root has to be removed from /etc/vsftpd/user_list as well, otherwise the login is still refused.

To disable anonymous FTP, to enable ASCII transfers, to increase the idle session timeout, and to define the ports used for passive mode (which must be opened in my FTTH modem as well), the file /etc/vsftpd/vsftpd.conf has been edited changing or adding the following lines:

anonymous_enable=NO
ascii_upload_enable=YES
ascii_download_enable=YES
idle_session_timeout=3600
pasv_enable=YES
pasv_min_port=20000
pasv_max_port=20255

16. DNS

By default DNS is disabled on Fedora Core 6 Linux. To enable it the following commands must be executed:

mv /etc/rc.d/rc2.d/K87named /etc/rc.d/rc2.d/S13named
mv /etc/rc.d/rc3.d/K87named /etc/rc.d/rc3.d/S13named
mv /etc/rc.d/rc4.d/K87named /etc/rc.d/rc4.d/S13named
mv /etc/rc.d/rc5.d/K87named /etc/rc.d/rc5.d/S13named

The renaming of these files makes that the DNS server is started during system boot.

The file /etc/sysconfig/named has been edited commenting out the line:

#ROOTDIR=/var/named/chroot

This disables the chroot jail in which Fedora Core 6 runs named by default. It makes the configuration simpler, at the price of losing the containment the jail offers should named be compromised.

A directory /etc/named is created to store our zone files. I do not like the Fedora Core 6 Linux default /var/named. Having all configuration files in the /etc tree makes it easier to back up the server's configuration.

The root hints file /var/named/named.ca is copied to /etc/named/named.root. This file contains the addresses of the internet's root name servers. It is advisable to check yearly for updates of this file at ftp://ftp.rs.internic.net/domain/.

For each domain for which we have the authority, we have to create a zone file resolving that domain.

Since my server is connected to the internet via a network address translating (NAT) FTTH modem, different IP addresses are needed to approach my server from the internet and from my home network. From the internet my server has to be approached with the public IP address 62.251.90.62 provided by my internet service provider. The FTTH modem translates this address into the internal IP address 10.0.0.254. If I approach my server from my internal home network, I have to use the internal IP address 10.0.0.254 directly.

Since my DNS has to return an internal IP address to clients on my home network (e.g. my laptop), different views are created. My DNS returns different answers to requests from local clients than to requests from clients on the internet.

Of course the above requires that I specify my own DNS server 10.0.0.254 as the preferred DNS server in the network configuration of all my local clients. That can be done either by editing the network settings of each client, or by editing the settings of the DHCP server in the FTTH modem.

My DNS has to do the following:

To cater for the above, the file /etc/named.conf must contain the following lines:

options {
	directory "/etc/named";
	max-cache-size 1m;
	listen-on {any; };
};

logging {
	category lame-servers { null; };
};

view "local" IN {
	match-clients { localnets; };
	recursion yes;
	zone "fwiarda.com." IN {
		type master;
		file "fwiarda.com.lzone";
	};
	zone "." IN {
		type hint;
		file "named.root";
	};
};

The zone file fwiarda.com.lzone resolving local requests for the fwiarda.com domain contains the following lines:

$TTL 2h

@  IN  SOA   ns.fwiarda.com.   fwiarda.xs4all.nl. (
                                  1 ; serial
                                  3h ; refresh
                                  1h ; retry
                                  1w ; expire
                                  1h ) ; negative caching ttl

@ IN  NS    ns.fwiarda.com.

@ IN  A     10.0.0.254

@ IN  MX    0    mail.fwiarda.com.

@ IN  TXT   "v=spf1 mx -all"

ftp.fwiarda.com.               IN  A   10.0.0.254
mail.fwiarda.com.              IN  A   10.0.0.254
ns.fwiarda.com.                IN  A   10.0.0.254
pc.fwiarda.com.                IN  A   10.0.0.201
telnet.fwiarda.com.            IN  A   10.0.0.254
server.fwiarda.com.            IN  A   10.0.0.254
ssh.fwiarda.com.               IN  A   10.0.0.254
www.fwiarda.com.               IN  A   10.0.0.254

mail.fwiarda.com.              IN  MX  0    mail.fwiarda.com.

mail.fwiarda.com.              IN  TXT     "v=spf1 mx -all"

Note that I have not used my regular e-mail address fwiarda@fwiarda.com in the SOA record, but the e-mail address fwiarda@xs4all.nl (which is written in SOA format as fwiarda.xs4all.nl.), which I got from my internet service provider XS4ALL. If there are problems with my name server or my domain, it is likely that my e-mail address is experiencing problems as well. Therefore I use my e-mail address fwiarda@xs4all.nl for things like domain registration and maintenance. Normally this address is forwarded to my regular e-mail address fwiarda@fwiarda.com, but when I am experiencing problems I can cancel this forward and use the fwiarda@xs4all.nl address to communicate with the helpdesk.

The changes in this section become effective after the named-daemon is started manually or after a system reboot.

For more information about DNS see "DNS and BIND" ([2]).
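The zone file above carries serial 1. Every edit of a zone has to raise the SOA serial, otherwise a secondary server, or a resolver that still holds the old SOA, never learns about the change, and a serial that moves backwards is ignored. The function below, an added example and not from the original page, bumps the serial in the YYYYMMDDnn convention on exactly the "; serial" line used in the zone files above, never lets the value go backwards (a serial that is already larger, such as a plain counter, is simply incremented) and stays within the 32-bit range BIND accepts. The date argument is optional; it exists so the behaviour can be tested with a fixed date.

```shell
#!/bin/bash
# Added example: bump the SOA serial of a BIND zone file in YYYYMMDDnn style.
# Usage: bump_serial ZONEFILE [YYYYMMDD]   (date defaults to today, UTC)
# Assumes the layout used on this page: the serial is the first field of the
# line that carries the "; serial" comment. Prints the new serial.

bump_serial() {
    zone=$1
    today=${2:-$(date -u +%Y%m%d)}

    cur=$(awk '/;[[:space:]]*serial/ { print $1; exit }' "$zone")
    case $cur in
        ''|*[!0-9]*)
            echo "bump_serial: no numeric serial found in $zone" >&2
            return 1 ;;
    esac

    if [ "${cur%??}" = "$today" ]; then
        new=$((cur + 1))          # same day: increment the two-digit counter
    else
        new="${today}01"          # new day: first edit of the day
    fi
    # Never go backwards: a serial that is already larger (a plain counter that
    # outgrew the date format, or a clock that jumped back) just gets +1.
    if [ "$new" -le "$cur" ]; then
        new=$((cur + 1))
    fi
    # Serials are 32-bit unsigned; BIND rejects anything larger.
    if [ "$new" -gt 4294967295 ]; then
        echo "bump_serial: serial $new does not fit in 32 bits" >&2
        return 1
    fi

    # Rewrite only that one line, leaving the rest of the file byte for byte.
    awk -v n="$new" '!done && /;[[:space:]]*serial/ { sub(/[0-9]+/, n); done = 1 } { print }' \
        "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone" || return 1
    echo "$new"
}

# From the command line: bump_serial /etc/named/fwiarda.com.lzone
if [ $# -ge 1 ]; then
    bump_serial "$@"
fi
```

After bumping, check the file with named-checkzone fwiarda.com /etc/named/fwiarda.com.lzone before reloading named; a typo in the zone otherwise takes the whole domain offline.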


17. E-Mail

By default POP3 and IMAP are disabled on Fedora Core 6 Linux. To enable them the following commands must be executed:

mv /etc/rc.d/rc2.d/K35dovecot /etc/rc.d/rc2.d/S65dovecot
mv /etc/rc.d/rc3.d/K35dovecot /etc/rc.d/rc3.d/S65dovecot
mv /etc/rc.d/rc4.d/K35dovecot /etc/rc.d/rc4.d/S65dovecot
mv /etc/rc.d/rc5.d/K35dovecot /etc/rc.d/rc5.d/S65dovecot

We need an additional daemon to be able to authenticate SMTP sessions. To enable it the following commands must be executed as well:

mv /etc/rc.d/rc2.d/K05saslauthd /etc/rc.d/rc2.d/S95saslauthd
mv /etc/rc.d/rc3.d/K05saslauthd /etc/rc.d/rc3.d/S95saslauthd
mv /etc/rc.d/rc4.d/K05saslauthd /etc/rc.d/rc4.d/S95saslauthd
mv /etc/rc.d/rc5.d/K05saslauthd /etc/rc.d/rc5.d/S95saslauthd

The renaming of these files makes that the POP3 and IMAP server and the daemon needed for authentication are started during system boot.

To speed up mail delivery I have edited the file /etc/sysconfig/sendmail, and changed QUEUE=1h into QUEUE=10m. This change makes that the mail queue is processed every 10 minutes instead of every hour.

I have edited the file /etc/mail/sendmail.mc to contain the following lines. Two things to be aware of: the LOGIN and PLAIN mechanisms send the password base64-encoded, which is as good as cleartext, and since no confAUTH_OPTIONS is defined they are also offered on unencrypted connections (define(`confAUTH_OPTIONS',`A p') restricts them to TLS-protected sessions). Furthermore the DontBlameSendmail options switch off sendmail's checks on group-writable directories and files; with the mode 755 home directories of section 12 they are not needed, and each of them disables a safety check.

include(`/usr/share/sendmail-cf/m4/cf.m4')
OSTYPE(`linux')
VERSIONID(`linux setup for Red Hat Linux')
define(`confAUTH_MECHANISMS',`GSSAPI DIGEST-MD5 CRAM-MD5 KERBEROS_V4 LOGIN PLAIN')
define(`confCW_FILE',`/etc/mail/local-host-names')
define(`confDOMAIN_NAME',`mail.fwiarda.com')
dnl Only the last define() of confDONT_BLAME_SENDMAIL takes effect, so all
dnl options have to be given in one comma-separated list.
define(`confDONT_BLAME_SENDMAIL',`GroupWritableDirPathFile,GroupWritableDirPathFileSafe,GroupWritableForwardFile,GroupWritableForwardFileSafe,GroupWritableIncludeFile,GroupWritableIncludeFileSafe')
define(`confDOUBLE_BOUNCE_ADDRESS',`null')
define(`confFORWARD_PATH',`$z/.forward')
define(`confMAX_MESSAGE_SIZE',`0')
define(`confPRIVACY_FLAGS',`noexpn,novrfy')
define(`ALIAS_FILE',`/etc/mail/aliases')
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 KERBEROS_V4 LOGIN PLAIN')
FEATURE(`accept_unresolvable_domains')
FEATURE(`allmasquerade')
FEATURE(`always_add_domain')
FEATURE(`limited_masquerade')
FEATURE(`masquerade_envelope')
FEATURE(`use_cw_file')
FEATURE(`virtusertable',`hash /etc/mail/virtusertable.db')
MASQUERADE_AS(`mail.fwiarda.com')
MASQUERADE_DOMAIN(`server.fwiarda.com')
MAILER(`smtp')

After editing the file the following command must be executed:

m4 /etc/mail/sendmail.mc >/etc/mail/sendmail.cf

I have edited the file /etc/mail/submit.mc to contain the following lines:

include(`/usr/share/sendmail-cf/m4/cf.m4')
OSTYPE(`linux')
VERSIONID(`linux setup for Red Hat Linux')
define(`confCF_VERSION',`Submit')
define(`confPID_FILE',`/var/run/sm-client.pid')
define(`confTIME_ZONE',`USE_TZ')
FEATURE(`msp')

After editing the file the following command has been executed:

m4 /etc/mail/submit.mc >/etc/mail/submit.cf

I have edited the file /etc/mail/local-host-names to contain the following lines:

server.fwiarda.com
mail.fwiarda.com
fwiarda.com
ip3efb5a3e.xs4all.space 

I have edited the file /etc/mail/aliases to contain the following lines:

adm: 			bounce
amanda: 		bounce
apache: 		bounce
bin: 			bounce
canna: 			bounce
desktop: 		bounce
ftp: 			bounce
games: 			bounce
gdm: 			bounce
gopher: 		bounce
halt: 			bounce
ident: 			bounce
ldap: 			bounce
lp: 			bounce
mail: 			bounce
mailman: 		bounce
mailnull: 		bounce
mysql: 			bounce
named: 			bounce
netdump: 		bounce
news: 			bounce
nfsnobody: 		bounce
nobody: 		bounce
nscd: 			bounce
ntp: 			bounce
pcap: 			bounce
postfix: 		bounce
postgres: 		bounce
privoxy: 		bounce
pvm: 			bounce
radvd: 			bounce
rpc: 			bounce
rpcuser: 		bounce
rpm: 			bounce
shutdown: 		bounce
smmsp: 			bounce
squid: 			bounce
sshd: 			bounce
sync: 			bounce
uucp: 			bounce
vcsa: 			bounce
webalizer: 		bounce
wnn: 			bounce
xfs: 			bounce

mailer-daemon: 		/dev/null
null: 			/dev/null
root: 			fwiarda

server:			bounce

I have edited the file /etc/mail/virtusertable to contain the following lines:

fwiarda@fwiarda.com		fwiarda
null@fwiarda.com		null
bounce@fwiarda.com		bounce
@fwiarda.com			error:5.1.6:550 Mail to fwiarda@fwiarda.com instead

When hosting additional e-mail domains, a tab-separated list of e-mail addresses and the local mailboxes or aliases onto which they must be mapped must be added to the file /etc/mail/virtusertable. Leaving out the part of the e-mail address before the @ sign maps the entire domain. Note that all domains for which e-mail can be received must be listed in the file /etc/mail/local-host-names.
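Both files are plain text that sendmail only uses after they have been compiled into database form: aliases with newaliases, virtusertable with makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable. A malformed line (a missing colon after an alias name, say) is easy to overlook and silently loses mail. The functions below, an added example and not from the original page, check both files for syntax errors and duplicate keys before the databases are rebuilt. The lint functions take the file as a parameter so they can be run on any copy; rebuild_maps only runs makemap and newaliases on the real files when both pass.

```shell
#!/bin/bash
# Added example: sanity-check /etc/mail/aliases and /etc/mail/virtusertable
# before compiling them, so a typo cannot silently lose mail.
#   lint_aliases FILE        lint_virtusertable FILE        rebuild_maps

lint_aliases() {
    # Valid lines: "name: target[, target...]". Lines starting with whitespace
    # continue the previous entry; "#" lines and blank lines are ignored.
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }
        /^[[:space:]]/       { next }
        {
            if ($0 !~ /^[A-Za-z0-9._+-]+:[[:space:]]*[^[:space:]]/) {
                printf "%s:%d: malformed alias: %s\n", FILENAME, NR, $0
                bad = 1
                next
            }
            name = $0
            sub(/:.*/, "", name)
            if (seen[name]++) {
                printf "%s:%d: duplicate alias: %s\n", FILENAME, NR, name
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

lint_virtusertable() {
    # Valid lines: "user@domain<TAB>target" or "@domain<TAB>target".
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }
        {
            if ($0 !~ /^[^[:space:]@]*@[A-Za-z0-9.-]+[[:space:]]+[^[:space:]]/) {
                printf "%s:%d: malformed entry: %s\n", FILENAME, NR, $0
                bad = 1
                next
            }
            if (seen[$1]++) {
                printf "%s:%d: duplicate key: %s\n", FILENAME, NR, $1
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

rebuild_maps() {
    # Only compile when both files are clean; the running sendmail keeps
    # using the old .db files until these commands succeed.
    lint_aliases /etc/mail/aliases || return 1
    lint_virtusertable /etc/mail/virtusertable || return 1
    makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable || return 1
    newaliases
}
```

Run rebuild_maps as root after every edit of either file; the line number in the message points at the offending entry.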

For more information about e-mail see the book titled "Sendmail" ([3]).


18. Filtering Spam

I use SpamAssassin to tag spam in mail sent to my personal mail account. My SpamAssassin configuration file /etc/mail/spamassassin/local.cf contains the following lines:

report_safe 0
add_header all Report "_REPORT_" 

Besides the lines above, I have added some personal rules to the file /etc/mail/spamassassin/local.cf . These rules are outside the scope of this document.

I have created a file /etc/mail/spamassassin/whitelist.cf containing the e-mail addresses of my contacts in lines like:

whitelist_from user@domain

I have created a file /etc/mail/spamassassin/blacklist.cf containing the e-mail addresses of people from who I do not want to receive e-mail in lines like:

blacklist_from user@domain

I have written a procmail script which moves spam to a separate mailbox ~/mail/Spam. The suspected spammer receives a mail saying that his e-mail has been deleted. In this mail he is informed that he can bypass the spam filter by starting the subject field with the keyword NOSPAM. Real spammers do not read bounced messages, but legitimate senders whose mail is accidentally tagged as spam will. Be aware that such a notification goes to the envelope sender address, which spam almost always forges, so most of these notifications land in the mailboxes of innocent third parties (backscatter), which can get the server's IP address blacklisted. Click here for a copy of the script. Beware of DOS to Unix text file conversion (CR-LF to LF) when downloading it. The script is self-documenting. Copy it to /usr/local/bin/spamfilter. The file must be executable for everybody, which can be done with the command:

chmod 755 /usr/local/bin/spamfilter

To have all my e-mail filtered, I have created a /home/fwiarda/.forward containing the following line:

"|/usr/local/bin/spamfilter email=fwiarda@fwiarda.com"

Note that sendmail requires the /home/fwiarda/.forward file to be owned by fwiarda and not to be writable by group or others (world-readable is fine). When the file has been created by root, the following commands fix this:

chown fwiarda:fwiarda /home/fwiarda/.forward
chmod 644 /home/fwiarda/.forward

19. Auto-Replying to E-Mail


Fedora Core 6 Linux does not come with a vacation program to auto-reply to your mail. I have written a Perl script myself, which mimics the Unix vacation program.

In most aspects this script is stripped down in functionality compared to the Unix vacation program. However, its handling of .forward files is more advanced. If a .forward file already exists and contains forwards to something other than vacation, it adds a line to the original .forward file instead of overwriting it. Later, when vacation is disabled, this line is deleted again. This behaviour leaves other forwards intact.

Click here for a copy of the script. Beware of DOS to Unix text file conversion (CR-LF to LF) when downloading it. The script is self-documenting. Copy it to /usr/local/bin/vacation. The file must be executable for everybody, which can be done with the command:

chmod 755 /usr/local/bin/vacation

20. Web Server

By default the Apache web server is disabled on Fedora Core 6 Linux. To enable it the following commands must be executed:

mv /etc/rc.d/rc2.d/K15httpd /etc/rc.d/rc2.d/S85httpd
mv /etc/rc.d/rc3.d/K15httpd /etc/rc.d/rc3.d/S85httpd
mv /etc/rc.d/rc4.d/K15httpd /etc/rc.d/rc4.d/S85httpd
mv /etc/rc.d/rc5.d/K15httpd /etc/rc.d/rc5.d/S85httpd

Renaming these files makes the Apache web server start during system boot. Note that we also change the priority from 15 into 85. This ensures the Apache web server is started after the name server; otherwise it is not able to resolve the host names used in its configuration file. (The command chkconfig --level 2345 httpd on performs the same rename, using the start priority recorded in the init script.)

The following lines must be added to or changed in the main server configuration section of /etc/httpd/conf/httpd.conf. Two remarks before the listing. The SSL parameters are the Fedora Core 6 defaults; the cipher list still admits LOW and RC4 ciphers, which current clients and guidance reject, so on a newer Apache and OpenSSL use at least SSLProtocol all -SSLv2 -SSLv3 with a HIGH-only cipher list. And the <Directory "/"> block is deliberately permissive: Options All switches on ExecCGI, Includes, FollowSymLinks and Indexes for every path Apache can reach, and AllowOverride All lets any .htaccess file change the settings. That is convenient on a single-user server, but it is the opposite of least privilege; the tighter pattern is Options None and AllowOverride None at "/", with a <Directory> block per document root granting only what that site needs.

# Set my e-mail address as the server administrators e-mail.
ServerAdmin "fwiarda@fwiarda.com"

# Set the name of the server. An IP address is OK here.
ServerName "10.0.0.254"

# We listen on port 80 for HTTP and on port 443 for HTTPS.
Listen 80
Listen 443

# The following options are necessary for HTTPS.
LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLCryptoDevice builtin
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"
SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key"
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# We configure the default to be a very relaxed set of features,
# so we do not have to switch them on seperately for each virtual
# server.
<Directory "/">
	Options All
	AllowOverride All
	Order allow,deny
	Allow from all
</Directory>

# We set the documents defining a directory index.
DirectoryIndex "index.htm" "index.html" "index.txt" "index.cgi" "index.php"

# The default is to present a test page if there is no index file in
# the document root directory. We like Apache to display the directory
# contents instead, by commenting the corresponding directives out.
#<LocationMatch "^/$">
# 	Options -Indexes
# 	ErrorDocument 403 /error/noindex.html
#</LocationMatch>

# We define the format of directory listings.
IndexOptions FancyIndexing NameWidth=* FoldersFirst SuppressDescription 

# We disable headers and readme files in directory listings by commenting
# the corresponding directives out.
#ReadmeName README.html
#HeaderName HEADER.html

# All files ending with .cgi are scripts, even if they are not placed
# in a special directory for cgi-scripts.
AddHandler cgi-script .cgi

# We set .htaccess to be the file from which access permission can be
# overriden.
AccessFileName ".htaccess"

# We do not want .htaccess, .htpasswd and .htgroup files to be displayed.
<Files ~ "^\.ht">
	Order allow,deny
	Deny from all
</Files>

# We lookup the hostnames for the IP addresses to which
# we provide pages. This makes our log files more readable.
HostnameLookups On

# We set the error log file.
ErrorLog "/var/log/httpd/error_log"

# We set the access log file.
CustomLog "/var/log/httpd/access_log" combined

# We don't want to have the server name below directory indexes generated
# by Apache.
ServerSignature Off

# Disable http://server.fwiarda.com/manual/ to be the Apache
# manual, by commenting the corresponding directives out.
#Alias /manual "/var/www/manual"
#
#<Directory "/var/www/manual">
#	Options Indexes FollowSymLinks MultiViews
# 	AllowOverride None
# 	Order allow,deny
# 	Allow from all
#</Directory>

# Disable http://server.fwiarda.com/cgi-bin/ to be a server
# wide script directory.
#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

These settings are valid for all virtual hosts. The following lines have been added to or changed in the virtual host section of /etc/httpd/conf/httpd.conf:

# We define we are going to use name based virtual hosts.
NameVirtualHost "10.0.0.254:80"

# This entry is the default entry for HTTP. It is used when the hostname 
# in the URL is not known to us. Hackers just trying our IP address end-up
# here. We will always return an empty page with mime-type text/plain. All 
# settings for this entry are taken from the main server configuration
# section above.
<VirtualHost "10.0.0.254:80">
	<Directory "/dev">
		ForceType text/plain
	</Directory>
	AliasMatch .* "/dev/null"
	CustomLog "/var/log/httpd/access_log" combined
	ErrorLog "/var/log/httpd/error_log"
</VirtualHost>

# This entry is used for all HTTPS connections. Because name based
# virtual hosts do not work for SSL connections we use a trick. We
# change "https://" in the URL into "http://" using mod_rewrite with
# the proxy flag, so Apache forwards the HTTPS request to itself as an
# HTTP request (this needs mod_proxy and mod_proxy_http, which the
# Fedora httpd.conf loads by default). The target URL is built from
# the client-supplied Host header, so the rule is restricted to our
# own host names: without the RewriteCond anybody could use this
# server as a proxy to arbitrary http:// hosts. The proxied hop itself
# is plain HTTP, which is only acceptable if these names resolve to
# this machine from the server's own resolver.
<VirtualHost "10.0.0.254:443">
	SSLEngine on
	RewriteEngine On
	RewriteCond %{HTTP_HOST} ^(www\.|mail\.|server\.)?fwiarda\.com$ [NC]
	RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [proxy]
	CustomLog "/dev/null" combined
	CustomLog "/var/log/httpd/ssl_access_log" combined
	ErrorLog "/var/log/httpd/ssl_error_log"
</VirtualHost>

# The entry for calls to http://mail.fwiarda.com/ . It accesses
# SquirrelMail, a web based mail client which is part of the Red Hat
# Linux 8.0 distribution. Since it is a web site on it's own,
# it has it's own error log and access log files.
<VirtualHost "10.0.0.254:80">
	ServerName "mail.fwiarda.com"
	DocumentRoot "/usr/share/squirrelmail"
	ErrorLog "/var/log/httpd/mail.fwiarda.com.error_log"
	CustomLog "/var/log/httpd/mail.fwiarda.com.access_log" combined
</VirtualHost>

# The entry for calls to http://server.fwiarda.com/ . 
# It has it's own error log and access log files. 
<VirtualHost "10.0.0.254:80">
	ServerName "server.fwiarda.com"
	DocumentRoot "/home/server/www"
	ErrorLog "/var/log/httpd/server.fwiarda.com.error_log"
	CustomLog "/var/log/httpd/server.fwiarda.com.access_log" combined
</VirtualHost>

# The entry for calls to my personal web site
# http://www.fwiarda.com/ . It has it's own document root, and it's
# own, error log and access log files.
<VirtualHost "10.0.0.254:80">
	ServerName "www.fwiarda.com"
	ServerAlias "fwiarda.com"
	DocumentRoot "/home/fwiarda/www"
	ErrorLog "/var/log/httpd/www.fwiarda.com.error_log"
	CustomLog "/var/log/httpd/www.fwiarda.com.access_log" combined
</VirtualHost> 

The following files have been edited commenting everything out by placing a # at the beginning of each line:

/etc/httpd/conf.d/mailman.conf
/etc/httpd/conf.d/manual.conf
/etc/httpd/conf.d/mrtg.conf
/etc/httpd/conf.d/squid.conf
/etc/httpd/conf.d/squirrelmail.conf
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/webalizer.conf
/etc/httpd/conf.d/welcome.conf

The document root directory, the directory containing the log files, and all the directories above them must be searchable and readable for the user apache. The practical way to test this is to run commands as the user apache. By default no login shell is assigned to that account; its line in /etc/passwd reads:

apache:x:48:48:Apache:/var/www:/sbin/nologin

Rather than changing /sbin/nologin into /bin/bash there, which leaves a service account with a permanent login shell it does not need, pass the shell to su. When logged in as root, the following command starts a shell as apache without touching /etc/passwd:

su -s /bin/bash - apache

If there is any flaw in the file access permission settings, it becomes clearly noticeable, for example when listing the document root or reading a log file from this shell.
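The same check can be scripted so that it does not need an interactive shell at all. The following is an added example, not part of the original page: a POSIX shell function that walks from / down to a path and reports every component whose permission bits for "other" would stop the apache user, which owns none of these directories and is in none of their groups. It assumes GNU stat as shipped with Fedora and absolute paths without spaces; the directory tree in the demo is constructed under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original page): check whether a daemon running as
# an unprivileged user such as apache can reach a path. Every directory above
# the target must be searchable (x) for "other", and the target itself readable
# (r, plus x for a directory). Assumes GNU stat; paths must be absolute and
# contain no spaces.

# Print the path and all its ancestors, from / downwards, space separated.
path_chain() {
    p=$1
    chain=""
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        chain="$p $chain"
        p=$(dirname "$p")
    done
    echo "/ $chain"
}

# usage: check_other_access PATH  -> returns 0 if "other" can reach PATH,
#        1 if some component blocks it (each offender is printed), 2 if missing
check_other_access() {
    target=$1
    status=0
    for comp in $(path_chain "$target"); do
        mode=$(stat -c '%a' "$comp") || return 2    # component does not exist
        other=$(( mode % 10 ))                       # last octal digit = "other"
        if [ "$comp" = "$target" ]; then
            if [ -d "$comp" ]; then need=5; else need=4; fi   # r (+x for a dir)
        else
            need=1                                   # an ancestor only needs x
        fi
        if [ $(( other & need )) -ne "$need" ]; then
            echo "apache cannot reach $target: $comp has mode $mode"
            status=1
        fi
    done
    return $status
}

# Demo on a constructed tree that mirrors /home/server/www from the text.
demo() {
    base=$(mktemp -d) && chmod 755 "$base"
    mkdir -p "$base/home/server/www"
    chmod 755 "$base/home" "$base/home/server/www"
    chmod 700 "$base/home/server"        # the usual mode of a home directory
    check_other_access "$base/home/server/www" || echo "-> Apache would answer 403 here"
    chmod 711 "$base/home/server"        # search-only: apache can pass through, not list
    check_other_access "$base/home/server/www" && echo "-> ok"
    rm -rf "$base"
}
demo
```

Mode 711 on the home directory is the least that works: apache can traverse it to reach www, but cannot list the other files in the home directory.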

The web site http://server.fwiarda.com/ is used for accessing the access and error logs and the usage statistics of my server. The directory /home/server/www is the document root for this web site. It must be created, as well as a sub-directory for the usage statistics of each site (the cron script in section 21 writes into all three) and a link to the directory containing the server's log files:

mkdir /home/server/www
mkdir /home/server/www/usage
mkdir /home/server/www/usage/mail.fwiarda.com
mkdir /home/server/www/usage/server.fwiarda.com
mkdir /home/server/www/usage/www.fwiarda.com
ln -s /var/log/httpd /home/server/www/log
chmod 755 /var/log/httpd

I do not want everybody to have access to my logs and usage statistics. Therefore a file /home/server/www/.htaccess is created, containing the following lines:

AuthUserFile /home/server/www/.htpasswd
AuthName "Server Administrator"
AuthType Basic
require valid-user

The require line is deliberately not wrapped in a <Limit GET POST> section. Such a section applies the restriction only to the listed methods, so any other method (PUT, DELETE, or an arbitrary one handed to a CGI script) would bypass the password check. Without <Limit>, the requirement applies to every method.

A file /home/server/www/.htpasswd is created by issuing the following commands (the -c option creates the file and is only given for the first user):

htpasswd -c /home/server/www/.htpasswd root
htpasswd /home/server/www/.htpasswd fwiarda

The htpasswd program prompts for the appropriate passwords. Use passwords that differ from the system passwords of these accounts: Basic authentication sends them base64-encoded, which is as good as clear text, and http://server.fwiarda.com/ is reachable over plain HTTP.

The ownership of the /home/server/www tree shall belong to the user server. If this directory tree has been created while being logged-in as root, the ownership must be transferred with the following command:

chown -R server:server /home/server/www

For more information about the Apache web server see "Apache; The Definitive Guide" ([4]).


21. Web Usage Statistics

Webalizer is a tool for generating usage statistics for web pages.

The file /etc/webalizer.conf is edited, to ensure the following parameters are defined or commented out:

# We will specify the log file at the command line.
# The entry LogFile is commented out.
#LogFile /var/log/httpd/access_log
# We will specify the output directory at the command line.
# The entry OutputDir is commented out.
#OutputDir .
# The file webalizer.hist in the output directory will
# contain the data for previous months.
HistoryName webalizer.hist
# We only process entries not yet processed before. We
# retrieve the old usage information from the files
# webalizer.hist and webalizer.current
Incremental yes
# The file webalizer.current in the output directory will
# contain the data for the current month.
IncrementalName webalizer.current
# For debugging purposes we enable log messages. When
# webalizer is called from a script, we suppress all messages
# by adding the -Q option at the command line.
Quiet no

A file /etc/cron.daily/webalizer is created. Since it resides in the /etc/cron.daily directory, it is executed daily. It must contain the following lines:

#!/bin/bash
if [ -s /var/log/httpd/server.fwiarda.com.access_log ] ; then
	/usr/bin/webalizer -Q \
		-n server.fwiarda.com \
		-r server.fwiarda.com \
		-o /home/server/www/usage/server.fwiarda.com \
		/var/log/httpd/server.fwiarda.com.access_log
fi
if [ -s /var/log/httpd/mail.fwiarda.com.access_log ] ; then
	/usr/bin/webalizer -Q \
		-n mail.fwiarda.com \
		-r mail.fwiarda.com \
		-o /home/server/www/usage/mail.fwiarda.com \
		/var/log/httpd/mail.fwiarda.com.access_log
fi
if [ -s /var/log/httpd/www.fwiarda.com.access_log ] ; then
	/usr/bin/webalizer -Q \
		-n www.fwiarda.com \
		-r www.fwiarda.com \
		-r fwiarda.com \
		-o /home/server/www/usage/www.fwiarda.com \
		/var/log/httpd/www.fwiarda.com.access_log
fi 

After editing, this file must be made executable with the command:

chmod 755 /etc/cron.daily/webalizer

22. Samba

By default samba is disabled on Fedora Core 6 Linux. To enable it the following commands must be executed:

mv /etc/rc.d/rc2.d/K35smb /etc/rc.d/rc2.d/S65smb
mv /etc/rc.d/rc3.d/K35smb /etc/rc.d/rc3.d/S65smb
mv /etc/rc.d/rc4.d/K35smb /etc/rc.d/rc4.d/S65smb
mv /etc/rc.d/rc5.d/K35smb /etc/rc.d/rc5.d/S65smb

The file /etc/samba/smb.conf is edited and shall contain the following lines. Note that "wide links = yes" (which only takes effect together with "unix extensions = no") lets a symbolic link inside the share point anywhere on the filesystem. That is acceptable here because the share is a single user's home directory reached with that user's own credentials (security = user, no guest access), so it exposes nothing the user could not read over SSH anyway; on a share with guest access it would be dangerous.

[global]
workgroup = fwiarda-group
netbios name = fwiarda-server
server string = Frits Wiarda's Server
encrypt passwords = yes
security = user
time service = yes
follow symlinks = yes
wide links = yes
unix extensions = no

[fwiarda]
path = /home/fwiarda
comment = /home/fwiarda
read only = no
create mask = 644
force create mode = 644
directory mask = 755
force directory mode = 755
guest ok = no 

Samba keeps its own password database (the smbpasswd file, /etc/samba/smbpasswd on Fedora) instead of using /etc/passwd or /etc/shadow, because the password hashes it needs for the SMB protocol differ from the Unix ones. That means separate passwords must be created for samba. This is done with the following command:

smbpasswd -a fwiarda

The smbpasswd program prompts for the appropriate password.

For more information on samba see "Using Samba" ([5]).


23. Protection Against Brute Force Password Hacking

After running a server for some time, one will discover in the log files that attackers try to discover passwords by simply trying huge numbers of them. To make this kind of attack more difficult it is wise not to use easily guessed passwords such as regular words from a dictionary. Good passwords are long and consist of letters, digits and other characters. For SSH the most effective measure is to disable password logins altogether (PasswordAuthentication no in /etc/ssh/sshd_config) and to authenticate with keys instead.

To make brute force password guessing even more difficult, I have installed fail2ban. Fail2ban scans the log files for failed login attempts and blocks, for a couple of hours, the IP addresses from which too many failed attempts are made. It uses the iptables command to discard all IP packets from these addresses. That makes my server totally unreachable from these addresses, stopping the attack after a few attempts.

Click here for the files needed to install fail2ban. Just copy the files in this archive to the server.
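To show what fail2ban does with the log file, here is an added example that is part of neither the original page nor fail2ban itself: a shell function that counts sshd "Failed password" lines per source address over a constructed sample of /var/log/secure (the addresses, names and times are made up), skips the local network the way fail2ban's ignoreip setting does, and prints the iptables rule that would drop each offending address. The ban is only printed; fail2ban additionally removes the rule again when the ban time expires.

```shell
#!/bin/sh
# Added example (not from the original page or from fail2ban): the detection
# step fail2ban automates, done by hand over sample log lines.

# Constructed sample of /var/log/secure lines; not real log data.
SAMPLE_LOG='Mar  3 10:01:02 server sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51212 ssh2
Mar  3 10:01:05 server sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51214 ssh2
Mar  3 10:01:09 server sshd[2105]: Failed password for root from 203.0.113.7 port 51219 ssh2
Mar  3 10:01:13 server sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51223 ssh2
Mar  3 10:01:17 server sshd[2109]: Failed password for root from 203.0.113.7 port 51230 ssh2
Mar  3 10:02:40 server sshd[2120]: Failed password for fwiarda from 10.0.0.12 port 40022 ssh2
Mar  3 10:02:51 server sshd[2120]: Accepted password for fwiarda from 10.0.0.12 port 40022 ssh2
Mar  3 10:05:00 server vsftpd(pam_unix)[2140]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.9  user=ftp'

# usage: brute_force_sources THRESHOLD [IGNORE_REGEX]   (log lines on stdin)
# Prints "address count" for every address with at least THRESHOLD failed
# sshd logins, sorted; addresses matching IGNORE_REGEX are never reported.
brute_force_sources() {
    awk -v max="${1:-5}" -v ignore="${2:-}" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { ip = $(i + 1); break }
            }
            if (ip == "") next                       # unexpected line format
            if (ignore != "" && ip ~ ignore) next    # like ignoreip in fail2ban
            hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= max) print ip, hits[ip] }
    ' | sort
}

# usage: ban_rules THRESHOLD [IGNORE_REGEX]   (log lines on stdin)
# Prints, for each offender, the rule fail2ban would install. Drop the
# "echo" to apply the rules for real (as root).
ban_rules() {
    brute_force_sources "$@" | while read -r ip count; do
        echo "iptables -I INPUT -s $ip -j DROP   # $count failed logins"
    done
}

# Five failures from 203.0.113.7 cross the threshold; the single failure
# from the LAN address 10.0.0.12 is ignored.
printf '%s\n' "$SAMPLE_LOG" | ban_rules 5 '^10[.]0[.]0[.]'
```

The threshold and the ignore pattern correspond to maxretry and ignoreip in fail2ban's jail configuration; on this server the ignore pattern should cover the 10.0.0.0/24 LAN so that a typo at home never locks the administrator out.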


24. Disabling Start-Up of Unused Services

Linux knows different run levels:

When the system boots, it reads from the file /etc/inittab to which run level it should switch. It will then run the startup scripts for this run level (see /etc/rc.d/rc?.d).

We will use the unused run level 4. To have the system boot in run level 4, we edit /etc/inittab changing the initdefault line into:

id:4:initdefault:

With the following renames we make sure that only the services we need are started. Note that this list also disables the iptables and ip6tables services, which load the saved firewall rules at boot; fail2ban calls the iptables command itself and does not depend on them, but the server then has no host firewall of its own and relies on the port forwarding of the FTTH modem (section 26) to limit what is reachable from the internet. (The command chkconfig --level 4 name off performs the same rename for one service.)

mv /etc/rc.d/rc4.d/S04readahead_early   /etc/rc.d/rc4.d/K96readahead_early
mv /etc/rc.d/rc4.d/S05kudzu             /etc/rc.d/rc4.d/K95kudzu
mv /etc/rc.d/rc4.d/S06cpuspeed          /etc/rc.d/rc4.d/K94cpuspeed
mv /etc/rc.d/rc4.d/S08arptables_jf      /etc/rc.d/rc4.d/K92arptables_jf
mv /etc/rc.d/rc4.d/S08ip6tables         /etc/rc.d/rc4.d/K92ip6tables
mv /etc/rc.d/rc4.d/S08iptables          /etc/rc.d/rc4.d/K92iptables
mv /etc/rc.d/rc4.d/S09isdn              /etc/rc.d/rc4.d/K91isdn
mv /etc/rc.d/rc4.d/S10restorecond       /etc/rc.d/rc4.d/K90restorecond
mv /etc/rc.d/rc4.d/S11auditd            /etc/rc.d/rc4.d/K89auditd
mv /etc/rc.d/rc4.d/S13irqbalance        /etc/rc.d/rc4.d/K87irqbalance
mv /etc/rc.d/rc4.d/S13iscsi             /etc/rc.d/rc4.d/K87iscsi
mv /etc/rc.d/rc4.d/S13mcstrans          /etc/rc.d/rc4.d/K87mcstrans
mv /etc/rc.d/rc4.d/S13portmap           /etc/rc.d/rc4.d/K87portmap
mv /etc/rc.d/rc4.d/S14nfslock           /etc/rc.d/rc4.d/K86nfslock
mv /etc/rc.d/rc4.d/S15mdmonitor         /etc/rc.d/rc4.d/K85mdmonitor
mv /etc/rc.d/rc4.d/S18rpcidmapd         /etc/rc.d/rc4.d/K82rpcidmapd
mv /etc/rc.d/rc4.d/S19rpcgssd           /etc/rc.d/rc4.d/K81rpcgssd
mv /etc/rc.d/rc4.d/S22messagebus        /etc/rc.d/rc4.d/K78messagebus
mv /etc/rc.d/rc4.d/S25bluetooth         /etc/rc.d/rc4.d/K75bluetooth
mv /etc/rc.d/rc4.d/S25netfs             /etc/rc.d/rc4.d/K75netfs
mv /etc/rc.d/rc4.d/S25pcscd             /etc/rc.d/rc4.d/K75pcscd
mv /etc/rc.d/rc4.d/S26apmd              /etc/rc.d/rc4.d/K74apmd
mv /etc/rc.d/rc4.d/S26hidd              /etc/rc.d/rc4.d/K74hidd
mv /etc/rc.d/rc4.d/S26lm_sensors        /etc/rc.d/rc4.d/K74lm_sensors
mv /etc/rc.d/rc4.d/S28autofs            /etc/rc.d/rc4.d/K72autofs
mv /etc/rc.d/rc4.d/S44acpid             /etc/rc.d/rc4.d/K56acpid
mv /etc/rc.d/rc4.d/S50hplip             /etc/rc.d/rc4.d/K50hplip
mv /etc/rc.d/rc4.d/S85gpm               /etc/rc.d/rc4.d/K15gpm
mv /etc/rc.d/rc4.d/S90xfs               /etc/rc.d/rc4.d/K10xfs
mv /etc/rc.d/rc4.d/S95anacron           /etc/rc.d/rc4.d/K05anacron
mv /etc/rc.d/rc4.d/S95atd               /etc/rc.d/rc4.d/K05atd
mv /etc/rc.d/rc4.d/S97yum-updatesd      /etc/rc.d/rc4.d/K03yum-updatesd
mv /etc/rc.d/rc4.d/S98avahi-daemon      /etc/rc.d/rc4.d/K02avahi-daemon
mv /etc/rc.d/rc4.d/S98haldaemon         /etc/rc.d/rc4.d/K02haldaemon
mv /etc/rc.d/rc4.d/S98xend              /etc/rc.d/rc4.d/K02xend
mv /etc/rc.d/rc4.d/S99smartd            /etc/rc.d/rc4.d/K01smartd
mv /etc/rc.d/rc4.d/S99xendomains        /etc/rc.d/rc4.d/K01xendomains 

The command ls /etc/rc.d/rc4.d/S* will list all the services that will be started at run level 4:

/etc/rc.d/rc4.d/S10network
/etc/rc.d/rc4.d/S12syslog
/etc/rc.d/rc4.d/S13named
/etc/rc.d/rc4.d/S35dhcpd
/etc/rc.d/rc4.d/S50vsftpd
/etc/rc.d/rc4.d/S55cups
/etc/rc.d/rc4.d/S55sshd
/etc/rc.d/rc4.d/S56xinetd
/etc/rc.d/rc4.d/S65dovecot
/etc/rc.d/rc4.d/S65smb
/etc/rc.d/rc4.d/S74ntpd
/etc/rc.d/rc4.d/S80sendmail
/etc/rc.d/rc4.d/S85httpd
/etc/rc.d/rc4.d/S90crond
/etc/rc.d/rc4.d/S95saslauthd
/etc/rc.d/rc4.d/S98fail2ban
/etc/rc.d/rc4.d/S99local
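The long list of renames above follows one rule: a start link SNNname becomes the stop link K(100-NN)name, so a service that starts late is stopped early. The following added example, not part of the original page, generates such a list for a run level directory from an allowlist of services that must keep running, and prints the mv commands instead of executing them so the result can be reviewed before it is piped to sh. The directory and link names in the demo are constructed in a temporary directory; on the real system the first argument would be /etc/rc.d/rc4.d.

```shell
#!/bin/sh
# Added example (not from the original page): plan the conversion of start
# links into stop links for one run level, keeping only allowlisted services.
# Nothing is moved; the output is reviewed and then piped to sh.

# usage: rc_disable_plan RCDIR keep1 [keep2 ...]
rc_disable_plan() {
    rcdir=$1; shift
    keep=" $* "                                  # padded for the case match below
    for link in "$rcdir"/S[0-9][0-9]*; do
        [ -e "$link" ] || continue               # no start links at all
        name=$(basename "$link")
        prio=$(echo "$name" | cut -c2-3)         # the two priority digits
        svc=${name#S??}                          # the service name
        case "$keep" in
            *" $svc "*) continue ;;              # allowlisted: stays a start link
        esac
        # Stop priority is 100 minus the start priority, as in the list above.
        # Strip a leading 0 so that 08 is not read as an octal number.
        kprio=$(printf '%02d' $((100 - ${prio#0})))
        echo "mv $link $rcdir/K$kprio$svc"
    done
}

# Demo on constructed links (a subset of a Fedora Core 6 rc4.d directory).
demo() {
    d=$(mktemp -d)
    for l in S04readahead_early S08iptables S10network S12syslog \
             S55sshd S85gpm S85httpd S99smartd; do
        : > "$d/$l"
    done
    rc_disable_plan "$d" network syslog sshd httpd
    rm -rf "$d"
}
demo
```

On the real system the plan is produced with rc_disable_plan /etc/rc.d/rc4.d network syslog named ... and the remaining K links are left untouched, so running it twice is harmless.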

25. Disabling Access Timestamps on Root Filesystem

Linux records in the filesystem when a file was last modified, when its metadata last changed, and when it was last accessed. Recording the last access time means that every read operation causes a write as well. This has a performance penalty, especially on flash drives, which are much faster at reading than at writing. The life span of a flash drive is also limited to a certain number of writes, making a write for every read undesirable.

Because of this it is desirable to switch the feature off. That is done by mounting the filesystem with the noatime option. The file /etc/fstab defines which filesystems are mounted at boot, and how. We change the following line:

LABEL=/		/		ext3	defaults		1 1

into:

LABEL=/		/		ext3	defaults,noatime	1 1

The change takes effect at the next boot, or immediately after remounting the root filesystem.


26. NAT Settings FTTH Modem

To be able to reach my server from the internet, some NAT settings must be made in the FTTH modem.

The easiest option is to set the default address to which IP packets from the internet are forwarded to the server's internal IP address 10.0.0.254. All IP packets from the internet are then sent to the server, so every listening service, including those meant for the LAN only such as Samba, becomes reachable from outside.

The better option is to list explicitly for which TCP and UDP ports IP packets must be forwarded to the server's internal IP address 10.0.0.254. Other IP packets are discarded, making life for attackers more difficult. The ports which must be opened are:


Glossary and Abbreviations

DHCP Dynamic Host Configuration Protocol.
   
DNS Domain Name System.
   
FTP File Transfer Protocol.
   
FTTH Fiber To The Home.
   
HTML HyperText Mark-up Language.
   
HTTP HyperText Transfer Protocol.
   
HTTPS HyperText Transfer Protocol Secure.
   
IMAP Internet Message Access Protocol.
   
IP Internet Protocol.
   
IPv4 Internet Protocol Version 4.
   
IPv6 Internet Protocol Version 6.
   
POP3 Post Office Protocol version 3.
   
NAT Network Address Translation.
   
RFC Request For Comments.
   
RXD Receive Data.
   
SMTP Simple Mail Transfer Protocol.
   
SSH Secure SHell.
   
SSL Secure Sockets Layer.
   
TLS Transport Layer Security.
   
TCP Transmission Control Protocol.
   
TXD Transmit Data.
   
UDP User Datagram Protocol.
   
USB Universal Serial Bus.


References

[1] RFC3022; Traditional IP Network Address Translator (Traditional NAT); Available at ftp://ftp.rfc-editor.org/in-notes/rfc3022.txt

[2] DNS and BIND; Paul Albitz and Cricket Liu; O'Reilly Publishing

[3] Sendmail; Bryan Costales with Eric Allman; O'Reilly Publishing

[4] Apache; The Definitive Guide; Ben Laurie and Peter Laurie; O'Reilly Publishing

[5] Using Samba; Jay Ts, Robert Eckstein and David Collier-Brown; O'Reilly Publishing; Digital copy available at http://www.samba.org/samba/docs/using_samba/toc.html


Home fwiarda@fwiarda.com