Picture 1: My server.
On these page I describe how I did set-up my own home server connected to the internet via FTTH. I use this server as personal e-mail and web server. It contains a fanless motherboard only. It boots and runs from a 32 GB USB flash drive, avoiding the need for an internal harddisk and CD-ROM drive. The serial port is used as console, avoiding the use of a monitor.
This is my second server, which I installed in 2007. Click here for the description of how I did install my first server in 2003, which used a fanless computer equiped with a 40 GB harddisk and a CD-ROM drive.
Contents:
1. My Requirements
2. The Hardware
3. The Operating System
4. Serial Cable
5. My Network Configuration
6. Partitioning the Flash Drive
7. Installing Fedora Core 6 Linux
8. Installing the SYSLINUX Boot Loader
9. First Boot
10. Making a Backup First
11. Personal Fine Tuning of Fedora Core 6 Linux
12. Creating Additional User Accounts
13. Crontab
14. Telnet
15. FTP
16. DNS
17. E-Mail
18. Filtering Spam
19. Auto-Replying to E-Mail
20. Web Server
21. Web Usage Statistics
22. Samba
23. Protection against brute force password hacking
24. Disabling Start-Up of Unused Services
25. Disabling Access Timestamps on Root Filesystem
26. NAT Settings FTTH Modem
Glossary and Abbreviations
References
For my server I had the following requirements:
As hardware I have used:
The VIA EPIA ML6000EAG Motherboard does not need a CPU fan. It provides:
Of these I only needed the Ethernet Port, the Serial Port and the USB 2.0 ports.
The Cubid 2699R Mini-ITX Case is a small 30x28x6cm box. It contains a fan-less 50W power supply, which gets its power from a 12V DC input. It comes with an external 100-240V AC to 12V DC power adapter similar to the ones used with laptops.
Picture 1: My server.
To set-up the BIOS, I needed to connect a monitor and a keyboard. This is the only time the monitor and keyboard are needed. Operating system can be done using the serial port. Installing the system onto the USB flash drive can be done from any (laptop) computer.
I configured the BIOS to boot from USB and to reboot automatically after a power failure.
I not even considered Windows, since it is neither free nor well designed. Since I did want to have a free operating system, the choice was between one of the many Linux distributions and FreeBSD Unix. They are basically all variants of the same flavour.
I have chosen Fedora Core 6 Linux. This was because I used Fedora Core 6 Linux on my previous server. Fedora Core Linux is the free version of Red Hat Enterprise Linux. It is shipped with a lot of software and is well documented. Release 5 was the latest release when I made my choice. For more information on Fedore Core Linux see http://fedoraproject.org/.
Fedora Core 6 Linux is downloadable for free from many internet mirror sites.
One needs to download a DVD image file, which can be burned onto a DVD using standard DVD burning software. This can be done under Windows. Linux is not needed to create the DVD.
One needs to have the files / DVD:
This disk is bootable. It starts a user-friendly set-up program (Anconda), which guides the user through the installation process.
Alternatively one can download CD image files. In that case one needs the files / CDs:
To connect my server to my laptop a cross-over cable is needed, connecting TXD of the server to RXD of the laptop, and RXD of the server to TXD of the laptop. The hardware handshake signals are looped back. Figure 1 shows the cable pinning.
Figure 1: Serial cross-over cable.
I got a single public IP address 62.251.90.62 from my internet provider. My internet provider (forward and reverse) maps this IP address to the name ip3efb5a3e.xs4all.space.
My home network is connected to the internet via an FritzBox FTTH modem. This modem provides Network Address Translation (NAT), Dynamic Host Configuration (DHCP) and a name server (DNS). It can connect to up to 4 ethernet devices via it's build-in hub.
My home network uses internal IP addresses, which can not be reached directly from the internet:
When IP packages pass through the FTTH modem, these internal IP addresses are translated into my public IP address and back. For traffic originating from my home network, the network address translator knows from which internal IP address the session originates. That way it is later able to send the response back to the right internal IP address.
For traffic originating from the internet, the network address translator has a table telling which protocols are handled by which internal IP address. If it receives an IP package of which the protocol is not listed in the table, they are discarded. By doing so it provides firewall functionality as a by-product of the network address translation.
For more information about Network Address Translation see "RFC3022" ([1]).
Figure 2: My network configuration.
I have registered my own domain fwiarda.com at Network Solutions ( see http://www.networksolutions.com/). Within this domain:
If one registers a domain at Network Solutions, one has to specify the name servers which resolve the domain. Here I do specify ns.fwiarda.com (plus some additional external backup name servers I have rented for backup purposes). Network Solutions takes care my name servers are listed in the internet's root name servers, so clients can resolve my domain.
To install Fedora Core 6 Linux on the USB flash drive regular Windows laptop or desktop computer is used. The server hardware is not needed for this.
Two partitions are created on the flash drive:
Note that we do not make a swap partition. Swapping to a flash drive is a bad idea, since flash memory can withstand only a limmited number of write cycles. Instead we have choosen to use an abundant 1 GB of RAM, making swapping not necessary.
To prevent accidental deleting information from the wrong drive, remove all other USB flash drives, USB harddisks and SCSI harddisks. Only the USB flash drive to be partitioned shall be placed into the computer! Put the Fedora Core 6 DVD in the DVD drive and power the computer up. Enter at the boot prompt we enter:
linux rescue
Linux boots up from the DVD and starts a shell. The flash drive should be /dev/sda. Double check with the command ls /dev that /dev/sdb does not exist!
First the USB flash drive is completely erased with the command:
dd if=/dev/zero of=/dev/sda bs=512 count=1
This commands erases the master boot record that contains the partition table. The drive is now completely empty. The 100 MB bootable FAT16 (DOS) partition at the beginning of the drive is created with the command:
fdisk /dev/sda
The fdisk program now prompts for input. The following commands are entered to the fdisk program:
p n p 1 1 +100M t 6 a 1 p w
The newly created partition will be formatted while installing Fedora Core 6 Linux with the Anaconda installer. During this installation proces the ext3 (Linux) partition will be created as well.
The DVD is placed in the DVD drive, and the USB flash drive is placed in one of the USB ports. Reboot the computer and enter at the boot prompt
linux i586
Linux boots up from the DVD and starts the Anaconda installer. The VIA Eden processor is Pentium compatible. The computer used to install Linux on the USB flash drive is installed might have a more advanced CPU. The i586 option forces the Anaconda installer to install a Linux kernel optimized for a Pentium CPU instead of the more advanced CPU.
The following choises are made in the Anaconda installer:
The Anaconda installer first creates and/or formats the needed partiotions. Then it installs Fedora Core 6 Linux. This takes a couple of hours.
To install the SYSLINUX boot loader the computer is booted up under Windows. Click here to download this boot loader. A command prompt is opened the current directory is changed to this temporary directory. The USB flash drive is put in one of the USB ports the follwing commands are entered at the command prompt (asuming the drive letter for the USB flash drive is f:):
syslinux.exe -fs f: syslinux.exe -fa f: syslinux.exe -fm f: label f: FATBOOT
A file f:\syslinux.cfg is created to contain the following lines:
serial 0 19200
console 1
prompt 1
default linux
timeout 100
label linux
kernel vmlinuz
append console=ttyS0,19200n8 initrd=initrd.img ro root=LABEL=/
label linux2
kernel vmlinuz
append initrd=initrd.img ro root=LABEL=/
Now the Linux kernel to be booted must be transfered to the DOS partition. To to this put the Fedora Core 6 DVD in the DVD drive and reboot the computer up. At the boot prompt the following command is entered:
linux rescue
Linux boots up from the DVD. The question if we want to mount the image found is answered with yes. A shell is started. The following commands are entered:
chroot /mnt/sysimage cp /boot/vmlinuz-2.16.18.1.2798.fc6 /fatboot/vmlinuz cp /boot/initrd-2.16.18.1.2798.fc6.img /fatboot/initrd.img
Now the USB flash drive is ready to be booted for the first time.
At first boot the graphical user interface is started and we have to answer some questions. Because the target server hardware uses a serial console instead of a graphical display, the USB flash drive is booted the first time on the computer used to install it.
The USB flash drive is placed in the computer. Be sure the BIOS has booting from a USB harddisk or flash drive enabled. At the boot prompt we enter:
linux2
Note that this points to the second entry in the syslinux.cfg file. In this entry console=ttyS0,19200n8 is missing, so no serial console is used.
If the computer used does not support booting from USB a special boot CD can be used instead. This boot CD fulfils the function in the boot process that otherwise would have been fulfilled by the bootable DOS partition on the USB flash drive. Click here for an .iso file to be burned onto a CD. Boot the computer with this boot CD and the USB flash drive inserted.
At the first boot screens we:
After filling in the firstboot screens the system reboots. The USB flash drive is now ready to boot-up our server with it.
The USB flash drive is now put into the server. The server is connected with the serial cross-over cable to our Windows computer. On the windows computer we run a VT100 terminal emulation program (like Kermit 95). The serial port settings are 19200 baud, no-parity and 8 data bits. When the server is powered up it boots from the USB flash drive. We get the Linux login prompt at our terminal emulator.
Further configuration must be done while logged in as root.
In the remainder of this page we do edit a lot of files. It is a good practice to make a
backup copy of the original file with a .old extension before editing.
The system configuration is basically determined by the files in the /etc tree. The whole
tree can be backed up to a file /root/etc.tar.gz with the commands:
tar -xf /root/etc.tar /etc gzip /root/etc.tar
The changes in this section are fine tunings which are a matter of personal taste. The system will work fine without them.
The file /etc/bashrc is edited to contain the following lines:
# If we are an interactive shell and the terminal is an xterm,
# the environment variable PROMPT_COMMAND is set to manipulate
# the window title.
if [ "$PS1" ]; then
case $TERM in
xterm*)
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#
$HOME/~}"; echo -ne "\007"'
;;
*)
PROMPT_COMMAND=''
;;
esac
fi
# Set prompt.
PS1='\u@\h:\w \$ '
# Group and world do not get write permision on newly created files.
umask 022
# Define the equivalent of DOS commands as aliases.
alias copy="cp -v"
alias del="rm"
alias dir="ls -l -L -p --time-style=long-iso"
alias md="mkdir"
alias ren="mv"
alias rd="rmdir"
alias cls="clear"
# These changes reflect my personal taste.
alias info="info --vi-keys"
alias l.="ls --color=never --time-style=long-iso -p -a"
alias ll="ls --color=never --time-style=long-iso -p -l"
alias ls="ls --color=never --time-style=long-iso -p"
alias vi="/bin/vi"
# Append commands to history file directly, instead of overwriting
# whole history file on shell exit.
shopt -s histappend
The following lines are added to /etc/profile:
# A VT100 is a subset of of the ansi definition and more reliable.
if [ $TERM = ansi ] ; then TERM=vt100 ; fi
export TERM
# Define keys for command line editing. Note that ^H is
# actually the backspace character.
if [ "$TERM" != "xterm" -a "$TERM" != "linux" -a "$TERM" != "cygwin" ] ; then
stty erase ^H
fi
bind -f /etc/inputrc
# Get rid of strange (UTF8) characters in man pages and have ISO date
# formats.
LANG=en_DK
export LANG
# Define the prompt to be "user@host:directory $".
PS1='\u@\h:\w \$ '
export PS1
# Use the global vi preferences file.
EXINIT='so /etc/exrc'
export EXINIT
# Man shall look for man pages in /usr/local/share/man as well.
MANPATH=/usr/share/man:/usr/local/share/man
export MANPATH
# If it exists, add ~/bin to the path as well.
if [ -d ~/bin ] ; then
PATH=~/bin:$PATH
fi
# Login shells seem to fail to run ~/.bashrc, so we do it explicitly.
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
The files /etc/skel/.bashrc and /root/.bashrc shall contain the follwing lines:
# Source global definitions. if [ -f /etc/bashrc ]; then . /etc/bashrc fi # User specific aliases and functions.
Existing profile files have been deleted using the following commands:
rm -f /etc/skel/.bash_profile rm -f /root/.bash_profile rm -f /home/*/.bash_profile
A global vi settings file /etc/exrc is created to contain the following lines:
# Autoindentation on. set autoindent # Color syntax off. syn off
I like to have Windows XP style command line editing. To enable this the file /etc/inputrc must contain the following lines:
# Windows style command line editing. set completion-ignore-case on set mark-directories off set match-hidden-files off tab: menu-complete # Note that the command "stty erase ^H" must have been executed before, # to be able to re-map the delete key. del: delete-char control-h: backward-delete-char $if term=xterm "\e[3~": delete-char del: backward-delete-char $endif $if term=linux "\e[3~": delete-char del: backward-delete-char $endif # Re-mapping of some keys that where not mapped well. "\e[5~": beginning-of-history "\e[6~": end-of-history # A VT100 does not have a Home, End, PgUp and PgDn key. In my # terminal emulator I programmed the vi key sequences for these # actions under the these keys. "\e\C-u": beginning-of-history "\e\C-d": end-of-history "\e0": beginning-of-line "\e$": end-of-line "\e[5~": beginning-of-history "\e\C-u": beginning-of-history "\e[6~": end-of-history "\e\C-d": end-of-history "\e0": beginning-of-line "\e$": end-of-line "\e[1;5C": forward-word "\e[5C": forward-word "\e\e[C": forward-word "\e[1;5D": backward-word "\e[5D": backward-word "\e\e[D": backward-word
The file /etc/mail.rc has been edited to contain the following lines:
# Ask for the mail subject when accepting mail from a terminal. set asksub # Terminate mail input with a line containing a single dot. set dot # Retain read messages in the system mailbox instead of moving them # to the mbox file. set hold # Don't save a message to the file dead.letter when input of the message # is aborted with ctrl-C. set nosave # Don't display Received headers. ignore Received
Two additional user accounts are created.
The account server is used for administrative purposes, like storing the web pages with usage statistics.
The account fwiarda is my personal account. My personal web site is stored under this account. I do receive my personal e-mail on this account. I mount the home directory of this account as an additional drive on my PC.
Creating the additional accounts is done by issuing the following comands:
useradd server -c "Server Administration" useradd fwiarda -c "Frits Wiarda" chmod 755 /home/server chmod 755 /home/fwiarda passwd server passwd fwiarda
Note that with the chmod commands I make users home directories readable for all. The default for Fedora Core 6 Linux is that users home directories are strictly private. I consider this not handy since my users are myself in different roles, and now and then perhaps a well trusted friend.
I create a link /home/root as an alias to the root's home directory. I make the root's home directory world readable as well. Issuing the following commands does this:
ln -s /root /home/root chmod 755 /root
After installation the root mail is flooded with mail containing all kind of periodic reports. So I consider it desirable to clean all crontabs, and then add the things I consider useful.
Crontab is a feature which periodically executes certain tasks. There are two types of crontabs, user crontabs and system crontabs.
User crontabs are managed with the command crontab.
System crontabs are managed by editing the file /etc/crontab. By default this file contains 4 entries which periodically executes all executable files in the directories /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly. A 5th entry exists which calls the Multi Router Traphic Grapher, which we do not need. The file /etc/crontab is edited to contain the following lines:
SHELL=/bin/bash PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin MAILTO=root HOME=/root 0 * * * * root run-parts /etc/cron.hourly 10 0 * * * root run-parts /etc/cron.daily 20 0 * * 0 root run-parts /etc/cron.weekly 30 0 1 * * root run-parts /etc/cron.monthly
The directories containing the files to be executed periodically are cleaned with the following commands:
mv /etc/cron.hourly /etc/cron.hourly.old mv /etc/cron.daily /etc/cron.daily.old mv /etc/cron.weekly /etc/cron.weekly.old mv /etc/cron.monthly /etc/cron.monthly.old mkdir /etc/cron.hourly mkdir /etc/cron.daily mkdir /etc/cron.weekly mkdir /etc/cron.monthly
A file /etc/cron.daily/cleanup has been created containing the
following
lines:
#!/bin/bash /usr/sbin/tmpwatch -u -m -c -f 24 /tmp /usr/sbin/tmpwatch -u -m -c -f 24 /var/spool/squirrelmail/attach After editing the permissions for this file have been changed with the command: chmod 755 /etc/cron.daily/cleanup
By default telnet is disabled on Fedora Core 6 Linux. To enable it edit the file /etc/xinetd.d/telnet and change disable = yes into disable = no. The change becomes effective after the xinet-daemon has been restarted, or after a system reboot.
It apeared that there was a bug in /usr/sbin/in.telnetd, making telnet sessions to exit immediately with an error message. Therefore I replaced this file with an old one from Red Hat Linux 8.0. Click here to download this file. Do not forget to set the executable flag with:
chmod +x /usr/sbin/in.telnetd
By default Fedora Core 6 Linux disallows root login via telnet, since it is considered insecure because telnet uses unencrypted password verification. However on a home network behind a firewall security is not an issue. To enable root login via telnet add the following lines to the file /etc/securetty:
pts/0 pts/1 pts/2 . . pts/99
By default FTP is disabled on Fedora Core 6 Linux. To enable it the following commands must be executed:
mv /etc/rc.d/rc2.d/K50vsftpd /etc/rc.d/rc2.d/S50vsftpd mv /etc/rc.d/rc3.d/K50vsftpd /etc/rc.d/rc3.d/S50vsftpd mv /etc/rc.d/rc4.d/K50vsftpd /etc/rc.d/rc4.d/S50vsftpd mv /etc/rc.d/rc5.d/K50vsftpd /etc/rc.d/rc5.d/S50vsftpd
The renaming of these files makes that the FTP server is started during system boot.
By default Fedora Core 6 Linux disallows root login via FTP, since it is considered insecure because FTP uses unencrypted password verification. To change this the file /etc/vsftpd/ftpusers is edited. The entry root is removed.
To disable anonymous FTP, to enable ASCII transfers, to increase the idle session timeout, and to define the ports used for passive mode (which must be opened in my FTTH modem as well), the file /etc/vsftpd/vsftpd.conf has been edited changing or adding the following lines:
anonymous_enable=NO ascii_upload_enable=YES ascii_download_enable=YES idle_session_timeout=3600 pasv_enable=YES pasv_min_port=20000 pasv_max_port=20255
By default DNS is disabled on Fedora Core 6 Linux. To enable it the following commands must be executed:
mv /etc/rc.d/rc2.d/K87named /etc/rc.d/rc2.d/S13named mv /etc/rc.d/rc3.d/K87named /etc/rc.d/rc3.d/S13named mv /etc/rc.d/rc4.d/K87named /etc/rc.d/rc4.d/S13named mv /etc/rc.d/rc5.d/K87named /etc/rc.d/rc5.d/S13named
The renaming of these files makes that the DNS server is started during system boot.
The file /etc/sysconfig/named has been edited commenting out the line:
#ROOTDIR=/var/named/chroot
A directory /etc/named is created to store our zone files. I do not like the
Fedora Core 6 Linux default /var/named. Having all configuration files in the /etc tree makes
it easier to backup the servers configuration.
The root hints file /var/named/named.ca is copied to /etc/named/named.root. This file
contains references to the internet's master name servers. It is advisable to check
yearly for updates of this file at ftp://ftp.rs.internic.net/domain/.
For each domain for which we have the authority, we have to create a zone file
resolving that domain.
Since my server is connected to the internet via a network address translating (NAT)
FTTH modem, different IP addresses are needed to approach my server from the internet
and from my home network. From the internet my server has to be approached with the
public IP address 62.251.90.62 provided by my internet service provider. The FTTH modem
translates this address into the internal IP address 10.0.0.254. If I approach my
server from my internal home network, I have to use the internal IP address
10.0.0.254 directly.
Since my DNS has to return an internal IP address to clients locally on my home
network (e.g. my laptop), different views are created. My DNS will return different information to request from local clients
compared to requests from
clients on the internet.
Ofcause the above requires that I specify my own DNS server
10.0.0.254 as the prefered DNS in the network configuration of all my
local clients. That can be done either by editing the network settings for each
client, or by editing the settings for the DHCP server in the FTTH modem.
My DNS has to do the following:
To cater for the above, the file /etc/named.conf must contain the following lines:
options {
directory "/etc/named";
max-cache-size 1m;
listen-on {any; };
};
logging {
category lame-servers { null; };
};
view "local" IN {
match-clients { localnets; };
recursion yes;
zone "fwiarda.com." IN {
type master;
file "fwiarda.com.lzone";
};
zone "." IN {
type hint;
file "named.root";
};
};
view "world" IN {
match-clients { any; };
recursion no;
zone "fwiarda.com." IN {
type master;
file "fwiarda.com.zone";
};
};$TTL 2h
@ IN SOA ns.fwiarda.com. fwiarda.xs4all.nl. (
1 ; serial
3h ; refresh
1h ; retry
1w ; expire
1h ) ; negative caching ttl
@ IN NS ns.fwiarda.com.
@ IN A 10.0.0.254
@ IN MX 0 mail.fwiarda.com.
@ IN TXT "v=spf1 mx -all"
ftp.fwiarda.com. IN A 10.0.0.254
mail.fwiarda.com. IN A 10.0.0.254
ns.fwiarda.com. IN A 10.0.0.254
pc.fwiarda.com. IN A 10.0.0.201
telnet.fwiarda.com. IN A 10.0.0.254
server.fwiarda.com. IN A 10.0.0.254
ssh.fwiarda.com. IN A 10.0.0.254
www.fwiarda.com. IN A 10.0.0.254
mail.fwiarda.com. IN MX 0 mail.fwiarda.com.
mail.fwiarda.com. IN TXT "v=spf1 mx -all"
The zone file fwiarda.com.zone resolving requests from the internet for the fwiarda.com domain contains the following lines:
$TTL 2h
@ IN SOA ns.fwiarda.com. fwiarda.xs4all.nl. (
1 ; serial
3h ; refresh
1h ; retry
1w ; expire
1h ) ; negative caching ttl
@ IN NS ns.fwiarda.com.
@ IN A 62.251.90.62
@ IN MX 0 mail.fwiarda.com.
ftp.fwiarda.com. IN A 62.251.90.62
mail.fwiarda.com. IN A 62.251.90.62
ns.fwiarda.com. IN A 62.251.90.62
pc.fwiarda.com. IN A 62.251.90.62
telnet.fwiarda.com. IN A 62.251.90.62
server.fwiarda.com. IN A 62.251.90.62
ssh.fwiarda.com. IN A 62.251.90.62
www.fwiarda.com. IN A 62.251.90.62
mail.fwiarda.com. IN MX 0 mail.fwiarda.com.
Note that I have not used my regular e-mail address fwiarda@fwiarda.com in the SOA record , but the e-mail address fwiarda@xs4a11.n1 (which is written in SOA format as fwiarda.xs4all.nl), which I got from my internet service provider XS4ALL. If there are problems with my name server or my domain, it is likely that my e-mail address is experiencing problems as well. Therefore I use my e-mail address fwiarda@xs4a11.n1 for things like domain registration and maintenance. Normally this address is forwarded to my regular e-mail address fwiarda@fwiarda.com, but when I am experiencing problems I can cancel this forward and use the fwiarda@xs4a11.n1 address to communicate with the helpdesk.
The changes in this section become effective after the named-daemon is started manually or after a system reboot.
For more information about DNS see "DNS and BIND" ([2]);
By default POP3 and IMAP are disabled on Fedora Core 6 Linux. To enable it the following commands must be executed:
mv /etc/rc.d/rc2.d/K35dovecot /etc/rc.d/rc2.d/S65dovecot mv /etc/rc.d/rc3.d/K35dovecot /etc/rc.d/rc3.d/S65dovecot mv /etc/rc.d/rc4.d/K35dovecot /etc/rc.d/rc4.d/S65dovecot mv /etc/rc.d/rc5.d/K35dovecot /etc/rc.d/rc5.d/S65dovecot
We need an additional deamon to be able to authenticate SMTP sessions. To enable it the following commands must be executed as well:
mv /etc/rc.d/rc2.d/K05saslauthd /etc/rc.d/rc2.d/S95saslauthd
mv /etc/rc.d/rc3.d/K05saslauthd /etc/rc.d/rc3.d/S95saslauthd
mv /etc/rc.d/rc4.d/K05saslauthd /etc/rc.d/rc4.d/S95saslauthd
mv /etc/rc.d/rc5.d/K05saslauthd /etc/rc.d/rc5.d/S95saslauthd
The renaming of these files makes that the the POP3 and IMAP server and the deamon needed for authentication are started during system boot.
To mail delivery I have edited the file /etc/sysconfig/sendmail, and changed QUEUE=1h into QUEUE=10m. This change makes that the mail queue is processed every 10 minutes instead of every hour.
I have edited the file /etc/mail/sendmail.mc. to contain the following lines:
include(`/usr/share/sendmail-cf/m4/cf.m4') OSTYPE(`linux') VERSIONID(`linux setup for Red Hat Linux') define(`confAUTH_MECHANISMS',`GSSAPI DIGEST-MD5 CRAM-MD5 KERBEROS_V4 LOGIN PLAIN') define(`confCW_FILE',`/etc/mail/local-host-names') define(`confDOMAIN_NAME',`mail.fwiarda.com') define(`confDONT_BLAME_SENDMAIL',`GroupWritableDirPathFile') define(`confDONT_BLAME_SENDMAIL',`GroupWritableDirPathFileSafe') define(`confDONT_BLAME_SENDMAIL',`GroupWritableForwardFile') define(`confDONT_BLAME_SENDMAIL',`GroupWritableForwardFileSafe') define(`confDONT_BLAME_SENDMAIL',`GroupWritableIncludeFile') define(`confDONT_BLAME_SENDMAIL',`GroupWritableIncludeFileSafe') define(`confDOUBLE_BOUNCE_ADDRESS',`null') define(`confFORWARD_PATH',`$z/.forward') define(`confMAX_MESSAGE_SIZE',`0') define(`confPRIVACY_FLAGS',`noexpn,novrfy') define(`ALIAS_FILE',`/etc/mail/aliases') TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 KERBEROS_V4 LOGIN PLAIN') FEATURE(`accept_unresolvable_domains') FEATURE(`allmasquerade') FEATURE(`always_add_domain') FEATURE(`limited_masquerade') FEATURE(`masquerade_envelope') FEATURE(`use_cw_file') FEATURE(`virtusertable',`hash /etc/mail/virtusertable.db') MASQUERADE_AS(`mail.fwiarda.com') MASQUERADE_DOMAIN(`server.fwiarda.com') MAILER(`smtp')
After editing the file the following command must be executed:
m4 /etc/mail/sendmail.mc >/etc/mail/sendmail.cf
I have edited the file /etc/mail/submit.mc to contain the following lines:
include(`/usr/share/sendmail-cf/m4/cf.m4') OSTYPE(`linux') VERSIONID(`linux setup for Red Hat Linux') define(`confCF_VERSION',`Submit') define(`confPID_FILE',`/var/run/sm-client.pid') define(`confTIME_ZONE',`USE_TZ') FEATURE(`msp')
After editing the file the following command has been executed:
m4 /etc/mail/submit.mc >/etc/mail/submit.cf
I have edited the file /etc/mail/local-host-names to contain the following lines:
server.fwiarda.com mail.fwiarda.com fwiarda.com ip3efb5a3e.xs4all.space
I have edited the file /etc/mail/aliases to contain the following lines:
adm: bounce amanda: bounce apache: bounce bin: bounce canna: bounce desktop: bounce ftp: bounce games: bounce gdm: bounce gopher: bounce halt: bounce ident: bounce ldap: bounce lp: bounce mail: bounce mailman: bounce mailnull: bounce mysql: bounce named: bounce netdump: bounce news: bounce nfsnobody: bounce nobody: bounce nscd: bounce ntp: bounce pcap: bounce postfix: bounce postgres: bounce privoxy: bounce pvm: bounce radvd: bounce rpc: bounce rpcuser: bounce rpm: bounce shutdown: bounce smmsp: bounce squid: bounce sshd: bounce sync: bounce uucp: bounce vcsa: bounce webalizer: bounce wnn: bounce xfs: bounce mailer-daemon: /dev/null null: /dev/null root: fwiarda server bounce
I have edited the file /etc/mail/virtusertable to contain the following lines:
fwiarda@fwiarda.com fwiarda null@fwiarda.com null bounce@fwiarda.com bounce @fwiarda.com error:5.1.6:550 Mail to fwiarda@fwiarda.com instead
When hosting additional e-mail domains, a tab-separated list of e-mail addresses and the local mailboxes or aliases on which they must be mapped must be added to the file /etc/mail/virtusertable. Leaving the part of the e-mail address before the @ sign away maps the entire domain. Note that all domains for which e-mail can be received must be listed in the file /etc/mail/local-host-names.
For more information about e-mail see the book titled "Sendmail" ([3]).
I use spamassassin to tag spam for mail send to my personal mail account. My spamassassin configuration file /etc/mail/spamassassin/local.cf contains the following lines:
report_safe 0 add_header all Report "_REPORT_"
Besides the lines above, I have added some personal rules to the file /etc/mail/spamassassin/local.cf . These rules are outside the scope of this document.
I have created a file /etc/mail/spamassassin/whitelist.cf containing the e-mail addresses of my contacts in lines like:
whitelist_from user@domain
I have created a file /etc/mail/spamassassin/blacklist.cf containing the e-mail addresses of people from who I do not want to receive e-mail in lines like:
blacklist_from user@domain
I have written a procmail script which moves spam to a seperate mailbox ~/mail/Spam. The suspected spammer will receive a mail that his e-mail has been deleted. In this mail he is informed that he can bypass the spam filter by starting the subject field with the keyword NOSPAM. Real spammers do not read bounced messages. But legitimate senders whose mail is accidentally tagged as spam will do. Click here for a copy of the script. Beware DOS to Unix text file conversion (CR-LF to LF) when downloading it. The script is self ducmenting. Copy it to /usr/local/bin/spamfilter. The file must be executable for everybody. This can be done with the command:
chmod 755 /usr/local/bin/spamfilter
To have all my e-mail filtered, I have created a /home/fwiarda/.forward containing the following line:
"|/usr/local/bin/spamfilter email=fwiarda@fwiarda.com"
Note that sendmail requires the /home/fwiarda/.forward file to be owned by fwiarda and not being world readable. When the file has been created by root, the following commands fix this:
chmod 644 /home/fwiarda/.forward chown fwiarda /home/fwiarda/.forward chgrp fwiarda /home/fwiarda/.forward
Fedora Core 6 Linux does not come with a vacation program, to auto-reply to your
mail. I have written a perl script myself, which mimics the Unix vacation
program.
In most aspects this script is stripped down in functionality compared to the Unix vacation program. However, with the handling of .forward files it is more advanced. If a .forward file already exists and contains forwards to something else then vacation, it adds a line to the original .forward file instead of overwriting it. Later, when vacation is disabled, this line is deleted again. This behaviour leaves other forwards intact.
Click here for a copy of the script. Beware DOS to Unix text file conversion (CR-LF to LF) when downloading it. The script is self ducmenting. Copy it to /usr/local/bin/vacation. The file must be executable for everybody. This can be done with the command:
chmod 755 /usr/local/bin/vacation
By default the Apache web server is disabled at Fedora Core 6 Linux. To enable it the following commands must be executed:
mv /etc/rc.d/rc2.d/K15httpd /etc/rc.d/rc2.d/S85httpd mv /etc/rc.d/rc3.d/K15httpd /etc/rc.d/rc3.d/S85httpd mv /etc/rc.d/rc4.d/K15httpd /etc/rc.d/rc4.d/S85httpd mv /etc/rc.d/rc5.d/K15httpd /etc/rc.d/rc5.d/S85httpd
The renaming of these files makes that the Apache web server is started during system boot. Note that we also rename the files from *15* into *86* This ensures the Apache web server is started after the name server has been started. In that case it is not able to resolve the host names used in it's configuration file.
The following lines must be added to or changed in the main server configuration section of /etc/httpd/conf/httpd.conf:
# Set my e-mail address as the server administrators e-mail.
ServerAdmin "fwiarda@fwiarda.com"
# Set the name of the server. An IP address is OK here.
ServerName "10.0.0.254"
# We listen on port 80 for HTTP and on port 443 for HTTPS.
Listen 80
Listen 443
# The following options are necessary for HTTPS.
LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLCryptoDevice builtin
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"
SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key"
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# We configure the default to be a very relaxed set of features,
# so we do not have to switch them on seperately for each virtual
# server.
<Directory "/">
Options All
AllowOverride All
Order allow,deny
Allow from all
</Directory>
# We set the documents defining a directory index.
DirectoryIndex "index.htm" "index.html" "index.txt" "index.cgi" "index.php"
# The default is to present a test page if there is no index file in
# the document root directory. We like Apache to display the directory
# contents instead, by commenting the corresponding directives out.
#<LocationMatch "^/$>
# Options -Indexes
# ErrorDocument 403 /error/noindex.html
#</LocationMatch>
# We define the format of directory listings.
IndexOptions FancyIndexing NameWidth=* FoldersFirst SuppressDescription
# We disable headers and readme files in directory listings by commenting
# the corresponding directives out.
#ReadmeName README.html
#HeaderName HEADER.html
# All files ending with .cgi are scripts, even if they are not placed
# in a special directory for cgi-scripts.
AddHandler cgi-script .cgi
# We set .htaccess to be the file from which access permission can be
# overriden.
AccessFileName ".htaccess"
# We do not want .htaccess, .htpasswd and .htgroup files to be displayed.
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
# We lookup the hostnames for the IP addresses to which
# we provide pages. This makes our log files more readable.
HostnameLookups On
# We set the error log file.
ErrorLog "/var/log/httpd/error_log"
# We set the access log file.
CustomLog "/var/log/httpd/access_log" combined
# We don't want to have the server name below directory indexes generated
# by Apache.
ServerSignature Off
# Disable http://server.fwiarda.com/manual/ to be the Apache
# manual, by commenting the corresponding directives out.
#Alias /manual "/var/www/manual"
#
#<Directory "/var/www/manual">
# Options Indexes FollowSymLinks MultiViews
# AllowOverride None
# Order allow,deny
# Allow from all
#</Directory>
# Disable http://server.fwiarda.com/cgi-bin/ to be a server
# wide script directory.
#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
These settings are valid for all virtual hosts. The following lines have been added to or changed in the virtual host section of /etc/httpd/conf/httpd.conf:
# We define we are going to use name based virtual hosts.
NameVirtualHost "10.0.0.254:80"
NameVirtualHost "10.0.0.254:443"
# This entry is the default entry for HTTP. It is used when the hostname
# in the URL is not known to us. Hackers just trying our IP address end-up
# here. We will always return an empty page with mime-type text/plain. All
# settings for this entry are taken from the main server configuration
# section above.
<VirtualHost "10.0.0.254:80">
<Directory "/dev">
ForceType text/plain
</Directory>
AliasMatch .* "/dev/null"
CustomLog "/var/log/httpd/access_log" combined
ErrorLog "/var/log/httpd/error_log"
</VirtualHost>
# This entry is the entry used for all HTTPS connections. Because
# name based virtual hosts are not working for SSL connections we
# use a trick. We change "https://" in the URL into "http://"
# using mod_rewrite. Apache now internally forwards the HTTPS
# request to itself as an HTTP request.
<VirtualHost "10.0.0.254:443">
SSLEngine on
RewriteEngine On
RewriteRule (.*) http://%{HTTP_HOST}%{REQUEST_URI} [proxy]
CustomLog "/dev/null" combined
CustomLog "/var/log/httpd/ssl_access_log" combined
ErrorLog "/var/log/httpd/ssl_error_log"
</VirtualHost>
# The entry for calls to http://mail.fwiarda.com/ . It accesses
# SquirrelMail, a web based mail client which is part of the Red Hat
# Linux 8.0 distribution. Since it is a web site on it's own,
# it has it's own error log and access log files.
<VirtualHost "10.0.0.254:80">
ServerName "mail.fwiarda.com"
DocumentRoot "/usr/share/squirrelmail"
ErrorLog "/var/log/httpd/mail.fwiarda.com.error_log"
CustomLog "/var/log/httpd/mail.fwiarda.com.access_log" combined
</VirtualHost>
# The entry for calls to http://server.fwiarda.com/ .
# It has it's own error log and access log files.
<VirtualHost "10.0.0.254:80">
ServerName "server.fwiarda.com"
DocumentRoot "/home/server/www"
ErrorLog "/var/log/httpd/server.fwiarda.com.error_log"
CustomLog "/var/log/httpd/server.fwiarda.com.access_log" combined
</VirtualHost>
# The entry for calls to my personal web site
# http://www.fwiarda.com/ . It has it's own document root, and it's
# own, error log and access log files.
<VirtualHost "10.0.0.254:80">
ServerName "www.fwiarda.com"
ServerAlias "www.fwiarda.com"
DocumentRoot "/home/fwiarda/www"
ErrorLog "/var/log/httpd/www.fwiarda.com.error_log"
CustomLog "/var/log/httpd/www.fwiarda.com.access_log" combined
</VirtualHost>
The following files have been edited commenting everything out by placing a # at the beginning of each line:
/etc/httpd/conf.d/mailman.conf /etc/httpd/conf.d/manual.conf /etc/httpd/conf.d/mrtg.conf /etc/httpd/conf.d/squid.conf /etc/httpd/conf.d/squirrelmail.conf /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/webalizer.conf /etc/httpd/conf.d/welcome.conf
The document root directory, the directory containing the log files, and all the directories above them, must be searchable and readable for the user apache. To be able to test this, it practical to login as user apache. However, by default no login shell is assigned to the user apache. We fix this editing the file /etc/passwd and changing the line:
apache:x:48:48:Apache:/var/www:/sbin/nologin
into:
apache:x:48:48:Apache:/var/www:/bin/bash
When logged-in as root, we can now log-in as apache by issuing the following command:
su - apache
If there is any flaw in file access permission settings, they will become clearly noticeable.
The web site http://server.fwiarda.com/ is used for accessing the access and error logs, and the usage statistics of my server. The directory /home/server/www is the document root for this web site. It must be created, as well as sub-directories for usage statistics and a link to the directory containing the servers log files:
mkdir /home/server/www mkdir /home/server/www/usage mkdir /home/server/www/usage/mail.fwiarda.com mkdir /home/server/www/usage/server.fwiarda.com ln -s /var/log/httpd /home/server/www/log chmod 755 /var/log/httpd
I do not want everybody to have access to my logs and usage statistics. Therefore a file /home/server/www/.htaccess is created, containing the following lines:
AuthUserFile /home/server/www/.htpasswdAuthName "Server Administrator" AuthType Basic<Limit GET POST> require valid-user </Limit>
A file /home/server/www/.htpasswd is created by issuing the following commands:
htpasswd /home/server/www/.htpasswd root htpasswd /home/server/www/.htpasswd fwiarda
The htpasswd program prompts for the appropriate passwords.
The ownership of the /home/server/www tree shall belong to the user server. If this directory tree has been created while being logged-in as root, the ownership must be transferred with the following command:
chown -R server:server /home/server/www
For more information about the Apache web server see "Apache; The Definitive Guide" ([4]).
Webalizer is a tool for generating usage statistics for web pages.
The file /etc/webalizer.conf is edited, to ensure the following parameters are defined or commented out:
# We will specify the log file at the command line. # The entry LogFile is commented out. #LogFile /var/log/httpd/access_log# We will specify the output directory at the command line. # The entry OutputDir is commented out. #OutputDir .# The file webalizer.hist in the output directory will # contain the data for previous months. HistoryName webalizer.hist# We only process entries not yet processed before. We # retrieve the old usage information form the files # webalizer.hist and webalizer.current Incremental yes# The file webalizer.current in the output directory will # contain the data for the current month. IncrementalName webalizer.current# For debugging purposes we enable log messages. When # webalizer is called from a script, we suppres all messages # by adding the -Q option at the command line. Quiet no
A file /etc/cron.daily/webalizer is created. This file is executed daily since it resides in the /etc/cron.daily directory. It must contain the following lines:
#!/bin/bash if [ -s /var/log/httpd/server.fwiarda.com.access_log ] ; then /usr/bin/webalizer -Q \ -n server.fwiarda.com \ -r server.fwiarda.com \ -o /home/server/www/usage/server.fwiarda.com \ /var/log/httpd/server.fwiarda.com.access_log fi if [ -s /var/log/httpd/mail.fwiarda.com.access_log ] ; then /usr/bin/webalizer -Q \ -n mail.fwiarda.com \ -r mail.fwiarda.com \ -o /home/server/www/usage/mail.fwiarda.com \ /var/log/httpd/mail.fwiarda.com.access_log fi if [ -s /var/log/httpd/www.fwiarda.com.access_log ] ; then /usr/bin/webalizer -Q \ -n www.fwiarda.com \ -r www.fwiarda.com \ -r fwiarda.com \ -o /home/server/www/usage/www.fwiarda.com \ /var/log/httpd/www.fwiarda.com.access_log fi
After editing this file must be made executable with the command:
chmod 755 /etc/cron.daily/webalizer
By default samba is disabled at Fedora Core 6 Linux. To enable it the following commands must be executed:
mv /etc/rc.d/rc2.d/K35smb /etc/rc.d/rc2.d/S65smb mv /etc/rc.d/rc3.d/K35smb /etc/rc.d/rc3.d/S65smb mv /etc/rc.d/rc4.d/K35smb /etc/rc.d/rc4.d/S65smb mv /etc/rc.d/rc5.d/K35smb /etc/rc.d/rc5.d/S65smb
The file /etc/samba/smb.conf is edited and shall contain the following lines:
[global] workgroup = fwiarda-group netbios name = fwiarda-server server string = Frits Wiarda's Server encrypt passwords = yes security = user time service = yes follow symlinks = yes wide links = yes unix extensions = no [fwiarda] path = /home/fwiarda comment = /home/fwiarda read only = no create mask = 644 force create mode = 644 directory mask = 755 force directory mode = 755 guest ok = no
Samba uses the passwords from file /etc/smbpasswd instead of /etc/passwd or /etc/shadow. That means separate passwords for samba must be created. This is done with the following comand:
smbpasswd -a fwiarda
The smbpasswd program prompts for the appropriate password.
For more information on samba see "Using Samba" ([5]).
After running a server for some time, one will discover in the log files that hackers are trying to discover passwords by just trying out huge volumes of passwords. To make this kind of attacks more difficult it is wise not to use easy to guess passwords like regular words from the dictionary. The best passwords consist out of letters, digits and other characters.
To make brute force password hacking even more difficult, I have installed fail2ban. Fail2ban scans the log files for failed login attempts, and blocks a couple of hours the IP addresses from which to many failed login attempts are made. It uses the iptables command to discard all IP packets from these IP addresses. That makes my server totally unreachable from these IP addresses, stopping the attack after a few attempts.
Click here for the files needed to install fail2ban. Just copy the files in this archive to the server.
Linux knows different run levels:
When the system boots, it reads from the file /etc/inittab to which run level it should switch. It will then run the startup scripts for this run level (see /etc/rc.d/rc?.d).
We will use the unused run level 4. To have the system boot in run level 4, we edit /etc/inittab changing the initdefault line into:
id:4:initdefault:
With the following rename we make that only the services we need are started:
mv /etc/rc.d/rc4.d/S04readahead_early /etc/rc.d/rc4.d/K96readahead_early mv /etc/rc.d/rc4.d/S05kudzu /etc/rc.d/rc4.d/K95kudzu mv /etc/rc.d/rc4.d/S06cpuspeed /etc/rc.d/rc4.d/K94cpuspeed mv /etc/rc.d/rc4.d/S08arptables_jf /etc/rc.d/rc4.d/K92arptables_jf mv /etc/rc.d/rc4.d/S08ip6tables /etc/rc.d/rc4.d/K92ip6tables mv /etc/rc.d/rc4.d/S08iptables /etc/rc.d/rc4.d/K92iptables mv /etc/rc.d/rc4.d/S09isdn /etc/rc.d/rc4.d/K91isdn mv /etc/rc.d/rc4.d/S10restorecond /etc/rc.d/rc4.d/K90restorecond mv /etc/rc.d/rc4.d/S11auditd /etc/rc.d/rc4.d/K89auditd mv /etc/rc.d/rc4.d/S13irqbalance /etc/rc.d/rc4.d/K87irqbalance mv /etc/rc.d/rc4.d/S13iscsi /etc/rc.d/rc4.d/K87iscsi mv /etc/rc.d/rc4.d/S13mcstrans /etc/rc.d/rc4.d/K87mcstrans mv /etc/rc.d/rc4.d/S13portmap /etc/rc.d/rc4.d/K87portmap mv /etc/rc.d/rc4.d/S14nfslock /etc/rc.d/rc4.d/K86nfslock mv /etc/rc.d/rc4.d/S15mdmonitor /etc/rc.d/rc4.d/K85mdmonitor mv /etc/rc.d/rc4.d/S18rpcidmapd /etc/rc.d/rc4.d/K82rpcidmapd mv /etc/rc.d/rc4.d/S19rpcgssd /etc/rc.d/rc4.d/K81rpcgssd mv /etc/rc.d/rc4.d/S22messagebus /etc/rc.d/rc4.d/K78messagebus mv /etc/rc.d/rc4.d/S25bluetooth /etc/rc.d/rc4.d/K75bluetooth mv /etc/rc.d/rc4.d/S25netfs /etc/rc.d/rc4.d/K75netfs mv /etc/rc.d/rc4.d/S25pcscd /etc/rc.d/rc4.d/K75pcscd mv /etc/rc.d/rc4.d/S26apmd /etc/rc.d/rc4.d/K74apmd mv /etc/rc.d/rc4.d/S26hidd /etc/rc.d/rc4.d/K74hidd mv /etc/rc.d/rc4.d/S26lm_sensors /etc/rc.d/rc4.d/K74lm_sensors mv /etc/rc.d/rc4.d/S28autofs /etc/rc.d/rc4.d/K72autofs mv /etc/rc.d/rc4.d/S44acpid /etc/rc.d/rc4.d/K56acpid mv /etc/rc.d/rc4.d/S50hplip /etc/rc.d/rc4.d/K50hplip mv /etc/rc.d/rc4.d/S85gpm /etc/rc.d/rc4.d/K15gpm mv /etc/rc.d/rc4.d/S90xfs /etc/rc.d/rc4.d/K10xfs mv /etc/rc.d/rc4.d/S95anacron /etc/rc.d/rc4.d/K05anacron mv /etc/rc.d/rc4.d/S95atd /etc/rc.d/rc4.d/K05atd mv /etc/rc.d/rc4.d/S97yum-updatesd /etc/rc.d/rc4.d/K03yum-updatesd mv /etc/rc.d/rc4.d/S98avahi-daemon /etc/rc.d/rc4.d/K02avahi-daemon mv /etc/rc.d/rc4.d/S98haldaemon /etc/rc.d/rc4.d/K02haldaemon mv /etc/rc.d/rc4.d/S98xend /etc/rc.d/rc4.d/K02xend mv /etc/rc.d/rc4.d/S99smartd /etc/rc.d/rc4.d/K01smartd mv /etc/rc.d/rc4.d/S99xendomains /etc/rc.d/rc4.d/K01xendomains
The command ls /etc/rc.d/rc4.d/S* will list all the services that will be started at run level 4:
/etc/rc.d/rc4.d/S10network /etc/rc.d/rc4.d/S12syslog /etc/rc.d/rc4.d/S13named /etc/rc.d/rc4.d/S35dhcpd /etc/rc.d/rc4.d/S50vsftpd /etc/rc.d/rc4.d/S55cups /etc/rc.d/rc4.d/S55sshd /etc/rc.d/rc4.d/S56xinetd /etc/rc.d/rc4.d/S65dovecot /etc/rc.d/rc4.d/S65smb /etc/rc.d/rc4.d/S74ntpd /etc/rc.d/rc4.d/S80sendmail /etc/rc.d/rc4.d/S85httpd /etc/rc.d/rc4.d/S90crond /etc/rc.d/rc4.d/S95saslauthd /etc/rc.d/rc4.d/S98fail2ban /etc/rc.d/rc4.d/S99local
Linux records in the filesystem information about when files were created, last modified as well as when they were last accessed. Recording the last access time means that for every read operation a write operation is needed as well. This has a performance penalty, especially on flash drives. Flash drives are much faster while reading then while writing. The life span of flash drives is also limmited to a certain number of writes, making a write for every read undesirable.
Because of this it is desirable to switch this feature off. That is done by mounting the filesystem with the noatime attribute. The file /etc/fstab defines which filesystems are mounted on boot, and how they are mounted. We change the following line:
into:LABEL=/ / ext3 defaults 1 1
LABEL=/ / ext3 defaults,noatime 1 1
To be able to reach my server from the internet, the some NAT settings must me made in the FTTH modem.
The easiest option is to set the default address to which IP packages from the internet must be routed to the servers internal IP address 10.0.0.254. Now all IP packages from the internet are send to the server.
The best option is to list explicitly for which TCP and UDP ports IP packages must be routed to the servers internal IP address 10.0.0.254. Other IP packages can be discarded, making life for hackers more difficult. The ports which must be opened are:
| BOOTP | BOOTstrap Protocol. |
| DHCP | Dynamic Host Configuration Protocol. |
| DNS | Domain Name System. |
| FTP | File Transfer Protocol. |
| HTML | HyperText Mark-up Language. |
| HTTP | HyperText Transfer Protocol. |
| IMAP | Internet Mail Access Protocol. |
| IP | Internet Protocol. |
| LPD | Line Printer Daemon. |
| POP3 | Post Office Protocol version 3. |
| NAT | Network Address Translation. |
| RFC | Request For Comment. |
| SMTP | Simple Mail Transfer Protocol. |
[1] RFC3022; Traditional IP Network Address Translator (Traditional NAT); Available at ftp://ftp.rfc-editor.org/in-notes/rfc3022.txt
[2] DNS and BIND; Paul Albitz and Cricket Liu; O'Reilly Publishing
[3] Sendmail; Bryan Costales with Eric Alllman; O'Reilly Publishing
[4] Apache; The Definitive Guide; Ben Laurie and Peter Laurie; O'Reilly Publishing
[5] Using Samba; Jay Ts, Robert Eckstein and David Colloier-Brown; O'Reilly Publishing; Digital copy available at http://www.samba.org/samba/docs/using_samba/toc.html
| Home | fwiarda@fwiarda.com |