How to Set-Up a Home Server

On this page I describe how I set up my own home server connected to the internet via ADSL. I used this server as personal e-mail and web server. It is a fanless computer equipped with a 40GB hard disk and a CD-ROM drive. The serial port is used as console, avoiding the need for a monitor.

This was my first server, which I installed in 2003 and which has since been replaced. Click here for the description of how I installed my current server.

Contents:

1. My Requirements
2. The Hardware
3. The Operating System
4. Serial Console Patch
5. Serial Cable
6. My Network Configuration
7. Installing Red Hat Linux 8.0
8. Making a Backup First
9. Fixing the LILO Boot Loader
10. Personal Fine Tuning of Red Hat Linux 8.0
11. Creating Additional User Accounts
12. Crontab
13. Telnet
14. FTP
15. DNS
16. E-Mail
17. Filtering Spam
18. Auto-Replying to E-Mail
19. Web Server
20. Web Usage Statistics
21. Samba
22. Disabling Start-Up of Unused Services
23. NAT Settings ADSL Modem
Glossary and Abbreviations
References

1. My Requirements

For my server I had the following requirements:


2. The Hardware

As hardware I have used:

The VIA EPIA VE5000 Motherboard does not need a CPU fan. It provides:

Of these I only needed the ethernet port and the serial port.

The Cubid 2688R Mini-ITX Case is a small 30x28x6cm box. It contains a fan-less 50W power supply, which gets its power from a 12V DC input. It comes with an external 100-240V AC to 12V DC power adapter similar to the ones used with laptops.



Picture 1: My server.

To set up the BIOS, I needed to connect a monitor and a keyboard. This is the only time the monitor and keyboard are needed. Installation of the operating system can be done using the serial port (if you already have a serial boot disk).

I configured the BIOS to boot from CD-ROM and alternatively, when no bootable CD-ROM is detected, to boot from hard disk.

Another important setting is the jumper setting which makes the system reboot automatically after a power failure. By default the motherboard waited for somebody to press the front power switch before booting up. For a server this is not a good idea.


3. The Operating System

I did not even consider Windows, since it is neither free nor well designed. Since I wanted a free operating system, the choice was between one of the many Linux distributions and FreeBSD Unix. They are basically all variants of the same flavour.

I chose Red Hat Linux 8.0, because it ships with a lot of software and is well documented. Release 8.0 was the latest release when I made my choice. For more information on Red Hat Linux see http://www.redhat.com/.

Red Hat Linux 8.0 is downloadable for free from many internet mirror sites.

One needs to download CD image files, which can be burned onto a CD using standard CD burning software. This can be done under Windows. Linux is not needed to create the set of CDs.

One needs to have the following 3 files / disks:

Two more files / disks containing source code are available:

Disk #1 is bootable. It starts a user-friendly set-up program (Anaconda), which guides the user through the installation process. This program later prompts for disk #2 and disk #3. Even if you select a complete installation it never prompts for disk #4 and disk #5.

There is one problem. The standard distribution of Red Hat Linux 8.0 uses the video adapter and the keyboard as console, so a monitor and a keyboard must be connected to the system. To be able to use the serial port instead, I had to patch disk #1 so that it uses the serial port as console.


4. Serial Console Patch

To create a patched disk #1, a standard Linux system must be set up first, using a monitor and a keyboard.

The original bootable disk #1 must be placed in the CD-ROM drive and mounted with the following command:

mount /dev/cdrom /mnt/cdrom

The contents must be copied to a temporary directory. Hidden files must be copied as well. This is done with the following commands:

mkdir tempcddir
cp -r /mnt/cdrom/* tempcddir
cp -r /mnt/cdrom/.discinfo tempcddir

The boot configuration file must be edited:

vi tempcddir/isolinux/isolinux.cfg

After editing it contains the following lines:

default linux
prompt 1
timeout 100
serial 0 19200
label linux
  kernel vmlinuz
  append initrd=initrd.img lang= devfs=nomount ramdisk_size=9216 text console=ttyS0,19200n8

The files containing the boot messages are removed because they mess-up the serial console:

rm tempcddir/isolinux/*.msg

The CD contains images for boot floppies in the directory tempcddir/images. Similar changes must be made to these floppies. They can be edited by mounting the image files. First a directory is created on which the image files can be mounted:

mkdir tempfddir

Modification of the file tempcddir/images/boot.img:

mount -t vfat -o loop tempcddir/images/boot.img tempfddir
cp tempcddir/isolinux/isolinux.cfg tempfddir/syslinux.cfg
rm tempfddir/*.msg
umount tempfddir

Modification of the file tempcddir/images/bootnet.img:

mount -t vfat -o loop tempcddir/images/bootnet.img tempfddir
cp tempcddir/isolinux/isolinux.cfg tempfddir/syslinux.cfg
rm tempfddir/*.msg
umount tempfddir

Modification of the file tempcddir/images/pcmcia.img:

mount -t vfat -o loop tempcddir/images/pcmcia.img tempfddir
cp tempcddir/isolinux/isolinux.cfg tempfddir/syslinux.cfg
rm tempfddir/*.msg
umount tempfddir

Finally a readme file is created:

vi tempcddir/README-Serial-Console-Modifications

With the following command a new CD image is created, which can be burned again onto a CD using standard CD burning software (either under Linux or under Windows):

mkisofs -o cdfile.iso -b isolinux/isolinux.bin -no-emul-boot \
-boot-load-size 4 -boot-info-table -R -J -T tempcddir

Note that I did not test the boot floppy images. In my system there are no floppy drives.


5. Serial Cable

To connect my server to my laptop a cross-over cable is needed, connecting TXD of the server to RXD of the laptop, and RXD of the server to TXD of the laptop. The hardware handshake signals are looped back. Figure 1 shows the cable pinout.

 

Figure 1: Serial cross-over cable.


6. My Network Configuration

I got a single public IP address 82.161.42.40 from my internet provider. My internet provider (forward and reverse) maps this IP address to the name ip52a12a28.xs4all.nl.

My home network is connected to the internet via an Alcatel Speedtouch 510 ADSL modem. This modem provides Network Address Translation (NAT), Dynamic Host Configuration (DHCP) and a name server (DNS). It can connect up to 4 ethernet devices via its built-in hub.

My home network uses internal IP addresses, which can not be reached directly from the internet:

When IP packets pass through the ADSL modem, these internal IP addresses are translated into my public IP address and back. For traffic originating from my home network, the network address translator remembers from which internal IP address each session originates, so that it can later send the response back to the right internal IP address.

For traffic originating from the internet, the network address translator has a table telling which protocols are handled by which internal IP address. If it receives an IP packet whose protocol is not listed in the table, the packet is discarded. By doing so it provides firewall functionality as a by-product of the network address translation. The network address translation table in my ADSL modem is configured to forward the following protocols to my server (IP address 10.0.0.254):

For more information about Network Address Translation see "RFC3022" ([1]).

 

Figure 2: My network configuration.

I have registered my own domain fwiarda.com at Network Solutions (see http://www.netsol.com/). Within this domain:

If one registers a domain at Network Solutions, one has to specify the name servers which resolve the domain. Here I specify ns.fwiarda.com (plus some additional external backup name servers I have rented for backup purposes). Network Solutions takes care that my name servers are listed in the internet's root name servers, so clients can resolve my domain.


7. Installing Red Hat Linux 8.0

To install Red Hat Linux 8.0 we connect a laptop with the serial cross-over cable to the serial port of the server. At the laptop we run a VT100 terminal emulator (like Kermit 95). The serial port settings are 19200 baud, no parity and 8 data bits.

NOTE: Unless indicated otherwise, the remainder of this description is valid as well when you want a standard installation which uses the monitor and keyboard as console. Just use the original disk #1 instead of the patched disk #1.

The patched disk #1 is placed in the CD-ROM drive, and the server is reset. Linux boots and the Red Hat installation program Anaconda starts automatically. Choose the following configuration options:

Now we can reboot the system. After reboot it starts up with a login prompt. Further configuration must be done while logged in as root.


8. Making a Backup First

In the remainder of this page we edit a lot of files. It is good practice to make a backup copy of the original file with a .old extension before editing.

The system configuration is basically determined by the files in the /etc tree. The whole tree can be backed up to a file /root/etc.tar.gz with the command:

tar -zcf /root/etc.tar.gz /etc 

And it can be restored again with the commands:

cd /
rm -rf /etc
tar -zxf /root/etc.tar.gz

9. Fixing the LILO Boot Loader

The first thing one has to do is edit the file /etc/lilo.conf to make a minor fix to the LILO boot loader. (NOTE: For a standard installation using the monitor and keyboard as console instead of the serial port this change must not be made.)

Before booting the system the LILO boot loader prompts the user for boot parameters. During this very first phase of the boot, the baud rate has not yet been set correctly, causing the initial prompt to be garbled. We fix this by changing the line serial=0 into serial=0,19200n8.

Now the file /etc/lilo.conf contains the following lines:

prompt
timeout=50
default=linux
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
serial=0,19200n8
lba32

image=/boot/vmlinuz-2.4.18-14
	label=linux
	initrd=/boot/initrd-2.4.18-14.img
	read-only
	append="root=LABEL=/ console=ttyS0,19200n8"

The command lilo is executed to write the changes we made to the master boot record.


10. Personal Fine Tuning of Red Hat Linux 8.0

The changes in this section are fine tunings which are a matter of personal taste. The system will work fine without them.

The file /etc/bashrc is edited to contain the following lines:

# If we are an interactive shell and the terminal is an xterm,
# the environment variable PROMPT_COMMAND is set to manipulate
# the window title.
if [ "$PS1" ]; then
    case $TERM in
        xterm*)
            PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME%%.*}:${PWD/#$HOME/~}"; echo -ne "\007"'
            ;;
        *)
            PROMPT_COMMAND=''
            ;;
    esac
fi

# Group and world do not get write permission on newly created files.
umask 022

# Define the equivalent of DOS commands as aliases.
alias copy="cp -v"
alias del="rm"
alias dir="ls -l"
alias md="mkdir"
alias ren="mv"
alias rd="rmdir"
alias cls="clear"

# These changes reflect my personal taste.
alias info="info --vi-keys"
alias l.="ls --color=never -p -a"
alias ll="ls --color=never -p -l"
alias ls="ls --color=never -p"
alias vi="/bin/vi"

The following lines are added to /etc/profile:

# A VT100 is a subset of the ANSI definition and more reliable.
if [ "$TERM" = ansi ] ; then TERM=vt100 ; fi
export TERM

# Define keys for command line editing. Note that ^H is
# actually the backspace character.
if [ "$TERM" != xterm ] ; then
	stty erase ^H
fi
bind -f /etc/inputrc

# Get rid of strange characters in man pages.
LANG=en_US
export LANG

# Define the prompt to be "user@host:directory $".
PS1='\u@\h:\w \$ '
export PS1

# Use the global vi settings file.
EXINIT='so /etc/exrc'
export EXINIT

# Man shall look for man pages in /usr/local/share/man as well.
MANPATH=/usr/share/man:/usr/local/share/man
export MANPATH 

A global vi settings file /etc/exrc is created to contain the following lines:

# Autoindentation on.
set autoindent

# Colors off.
syn off

I like to have Windows XP style command line editing. To enable this the file /etc/inputrc must contain the following lines:

# Windows style command line editing. 
set completion-ignore-case on
set mark-directories off
set match-hidden-files off

tab: menu-complete

# Note that the command "stty erase ^H" must have been executed before, 
# to be able to re-map the delete key.
del: delete-char
control-h: backward-delete-char
$if term=xterm
	"\e[3~": delete-char
	del: backward-delete-char
$endif
$if term=linux
	"\e[3~": delete-char
	del: backward-delete-char
$endif

# Re-mapping of some keys that were not mapped well.
"\e[5~": beginning-of-history
"\e[6~": end-of-history

# A VT100 does not have a Home, End, PgUp and PgDn key. In my
# terminal emulator I programmed the vi key sequences for these
# actions under these keys.
"\e\C-u": beginning-of-history
"\e\C-d": end-of-history
"\e0": beginning-of-line
"\e$": end-of-line

"\e[1;5C": forward-word
"\e[5C": forward-word
"\e\e[C": forward-word

"\e[1;5D": backward-word
"\e[5D": backward-word
"\e\e[D": backward-word

The file /etc/mail.rc has been edited to contain the following lines:

# Ask for the mail subject when accepting mail from a terminal.
set asksub

# Terminate mail input with a line containing a single dot.
set dot

# Retain read messages in the system mailbox instead of moving them
# to the mbox file.
set hold

# Don't save a message to the file dead.letter when input of the message
# is aborted with ctrl-C.
set nosave

# Don't display Received headers.
ignore Received

11. Creating Additional User Accounts

Two additional user accounts are created.

The account server is used for administrative purposes, like storing the web pages with usage statistics.

The account fwiarda is my personal account. My personal web site is stored under this account. I do receive my personal e-mail on this account. I mount the home directory of this account as an additional drive on my PC.

Creating the additional accounts is done by issuing the following commands:

useradd server -c "Server Administration"
useradd fwiarda -c "Frits Wiarda"
chmod 755 /home/server
chmod 755 /home/fwiarda
passwd server
passwd fwiarda

Note that with the chmod commands I make the users' home directories readable for all. The default for Red Hat Linux 8.0 is that users' home directories are strictly private. I consider this inconvenient, since my users are myself in different roles, and now and then perhaps a well trusted friend.

I create a link /home/root as an alias for root's home directory, and make root's home directory world readable as well. The following commands do this:

ln -s /root /home/root
chmod 755 /root

12. Crontab

After installation the root mail is flooded with mail containing all kind of periodic reports. So I consider it desirable to clean all crontabs, and then add the things I consider useful.

Crontab is a feature which periodically executes certain tasks. There are two types of crontabs, user crontabs and system crontabs.

User crontabs are managed with the command crontab. After installation a crontab exists for the user mailman. This crontab is removed with the command:

crontab -u mailman -r

System crontabs are managed by editing the file /etc/crontab. By default this file contains 4 entries which periodically execute all executable files in the directories /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly. A 5th entry exists which calls the Multi Router Traffic Grapher, which we do not need. The file /etc/crontab is edited to contain the following lines:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
MAILTO=root
HOME=/root

0 * * * * root run-parts /etc/cron.hourly
10 0 * * * root run-parts /etc/cron.daily
20 0 * * 0 root run-parts /etc/cron.weekly
30 0 1 * * root run-parts /etc/cron.monthly

The directories containing the files to be executed periodically are cleaned with the following commands:

mv /etc/cron.hourly /etc/cron.hourly.old
mv /etc/cron.daily /etc/cron.daily.old
mv /etc/cron.weekly /etc/cron.weekly.old
mv /etc/cron.monthly /etc/cron.monthly.old
mkdir /etc/cron.hourly
mkdir /etc/cron.daily
mkdir /etc/cron.weekly
mkdir /etc/cron.monthly

A file /etc/cron.daily/cleanup has been created containing the following lines:

#!/bin/bash
/usr/sbin/tmpwatch 24 /tmp
/usr/sbin/tmpwatch 24 /var/spool/squirrelmail/attach

After editing, the permissions for this file have been changed with the command:

chmod 755 /etc/cron.daily/cleanup

13. Telnet

By default telnet is disabled on Red Hat Linux 8.0. To enable it, edit the file /etc/xinetd.d/telnet and change disable = yes into disable = no. The change becomes effective after the xinetd daemon has been restarted, or after a system reboot.

By default Red Hat Linux 8.0 disallows root login via telnet, since it is considered insecure because telnet uses unencrypted password verification. However, on a home network behind a firewall security is not an issue. To enable root login via telnet, add the following lines to the file /etc/securetty:

pts/0
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9
pts/10
pts/11

14. FTP

By default FTP is disabled on Red Hat Linux 8.0. To enable it, edit the file /etc/xinetd.d/wu-ftpd and change disable = yes into disable = no. The change becomes effective after the xinetd daemon has been restarted, or after a system reboot.

To configure FTP the file /etc/ftpaccess is edited and shall contain the following lines:

class all real,guest,anonymous *
email fwiarda@fwiarda.com
hostname server.fwiarda.com
log transfers anonymous,guest,real inbound,outbound

By default Red Hat Linux 8.0 disallows root login via FTP, since it is considered insecure because FTP uses unencrypted password verification. On the other hand it allows anonymous login by default, which is of no use for a personal web server. To change this the file /etc/ftpusers is edited: the entry root is removed, and an entry ftp is added.


15. DNS

By default DNS is disabled on Red Hat Linux 8.0. To enable it the following commands must be executed:

mv /etc/rc.d/rc2.d/K45named /etc/rc.d/rc2.d/S55named
mv /etc/rc.d/rc3.d/K45named /etc/rc.d/rc3.d/S55named
mv /etc/rc.d/rc4.d/K45named /etc/rc.d/rc4.d/S55named
mv /etc/rc.d/rc5.d/K45named /etc/rc.d/rc5.d/S55named

Renaming these files ensures that the DNS server is started during system boot.

A directory /etc/named is created to store our zone files. I do not like the Red Hat Linux 8.0 default /var/named. Having all configuration files in the /etc tree makes it easier to back up the server's configuration.

The root hints file /var/named/named.ca is copied to /etc/named/named.root. This file contains references to the internet's master name servers. It is advisable to check yearly for updates of this file at ftp://ftp.rs.internic.net/domain/.

For each domain for which we have the authority, we have to create a zone file resolving that domain.

Since my server is connected to the internet via a network address translating (NAT) ADSL modem, different IP addresses are needed to approach my server from the internet and from my home network. From the internet my server has to be approached with the public IP address 82.161.42.40 provided by my internet service provider. The ADSL modem translates this address into the internal IP address 10.0.0.254. If I approach my server from my internal home network, I have to use the internal IP address 10.0.0.254 directly.

Since my DNS has to return an internal IP address to clients on my home network (e.g. my laptop), two different views are created. My DNS returns different information to requests from local clients than to requests from clients on the internet.

Of course the above requires that I specify my own DNS server 10.0.0.254 as the preferred DNS server in the network configuration of all my local clients. That can be done either by editing the network settings of each client, or by editing the settings of the DHCP server in the ADSL modem (not possible on older Alcatel SpeedTouch 510 models).

My DNS has to do the following:

To cater for the above, the file /etc/named.conf must contain the following lines:

options {
	directory "/etc/named";
	max-cache-size 1m;
};

logging {
	category lame-servers { null; };
};

view "local" IN {
	match-clients { localnets; };
	recursion yes;
	zone "fwiarda.com." IN {
		type master;
		file "fwiarda.com.lzone";
	};
	zone "ip52a12a28.xs4all.nl." IN {
		type master;
		file "ip52a12a28.xs4all.nl.lzone";
	};
	zone "." IN {
		type hint;
		file "named.root";
	};
};

view "world" IN {
	match-clients { any; };
	recursion no;
	zone "fwiarda.com." IN {
		type master;
		file "fwiarda.com.zone";
	};
};

The zone file fwiarda.com.lzone resolving local requests for the fwiarda.com domain contains the following lines:

$TTL 2h

@  IN  SOA   ns.fwiarda.com.   fwiarda.xs4all.nl. (
                                  1 ; serial
                                  3h ; refresh
                                  1h ; retry
                                  1w ; expire
                                  1h ) ; negative caching ttl

@ IN  NS    ns.fwiarda.com.

@ IN  A     10.0.0.254

@ IN  MX    0    mail.fwiarda.com.

@ IN  TXT   "v=spf1 mx -all"

ftp.fwiarda.com.               IN  A   10.0.0.254
mail.fwiarda.com.              IN  A   10.0.0.254
ns.fwiarda.com.                IN  A   10.0.0.254
pc.fwiarda.com.                IN  A   10.0.0.201
telnet.fwiarda.com.            IN  A   10.0.0.254
server.fwiarda.com.            IN  A   10.0.0.254
www.fwiarda.com.               IN  A   10.0.0.254

mail.fwiarda.com.              IN  MX  0   mail.fwiarda.com.

mail.fwiarda.com.              IN  TXT     "v=spf1 mx -all"

The zone file ip52a12a28.xs4all.nl.lzone resolving local requests for the ip52a12a28.xs4all.nl sub-domain contains the following lines:

$TTL 2h 

@  IN  SOA   ns.fwiarda.com.   fwiarda.xs4all.nl. (
                                  1 ; serial 
                                  3h ; refresh 
                                  1h ; retry 
                                  1w ; expire 
                                  1h ) ; negative caching ttl

@  IN  NS    ns.fwiarda.com. 

@  IN  A     10.0.0.254 

The zone file fwiarda.com.zone resolving requests from the internet for the fwiarda.com domain contains the following lines:

$TTL 2h

@  IN  SOA   ns.fwiarda.com.   fwiarda.xs4all.nl. (
                                  1 ; serial
                                  3h ; refresh
                                  1h ; retry
                                  1w ; expire
                                  1h ) ; negative caching ttl

@ IN  NS    ns.fwiarda.com.

@ IN  A     82.161.42.40

@ IN  MX    0    mail.fwiarda.com.

ftp.fwiarda.com.               IN  A   82.161.42.40
mail.fwiarda.com.              IN  A   82.161.42.40
ns.fwiarda.com.                IN  A   82.161.42.40
pc.fwiarda.com.                IN  A   82.161.42.40
telnet.fwiarda.com.            IN  A   82.161.42.40
server.fwiarda.com.            IN  A   82.161.42.40
www.fwiarda.com.               IN  A   82.161.42.40

mail.fwiarda.com.       IN  MX  0    mail.fwiarda.com.

Note that I have not used my regular e-mail address fwiarda@fwiarda.com in the SOA record, but the e-mail address fwiarda@xs4all.nl (written in SOA format as fwiarda.xs4all.nl), which I got from my internet service provider XS4ALL. If there are problems with my name server or my domain, it is likely that my e-mail address is experiencing problems as well. Therefore I use fwiarda@xs4all.nl for things like domain registration and maintenance. Normally this address is forwarded to my regular e-mail address fwiarda@fwiarda.com, but when I am experiencing problems I can cancel this forward and use the fwiarda@xs4all.nl address to communicate with the helpdesk.

The changes in this section become effective after the named-daemon is started manually or after a system reboot.

For more information about DNS see "DNS and BIND" ([2]).
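As an added check that is not part of the original page: the Python below parses abridged copies of the two fwiarda.com zone files shown in this section and reports where the local and world views disagree, including any private address that would be exposed to the internet. The parser, the check and the function names are this example's own, not BIND's.

```python
import ipaddress

# Abridged copies of the two zone files from this page (constructed input).
LOCAL_ZONE = """\
$TTL 2h
@  IN  SOA   ns.fwiarda.com.   fwiarda.xs4all.nl. (
                                  1 ; serial
                                  3h ; refresh
                                  1h ; retry
                                  1w ; expire
                                  1h ) ; negative caching ttl
@ IN  NS    ns.fwiarda.com.
@ IN  A     10.0.0.254
@ IN  MX    0    mail.fwiarda.com.
@ IN  TXT   "v=spf1 mx -all"
mail.fwiarda.com.              IN  A   10.0.0.254
ns.fwiarda.com.                IN  A   10.0.0.254
pc.fwiarda.com.                IN  A   10.0.0.201
mail.fwiarda.com.              IN  MX  0   mail.fwiarda.com.
mail.fwiarda.com.              IN  TXT     "v=spf1 mx -all"
"""

WORLD_ZONE = """\
$TTL 2h
@  IN  SOA   ns.fwiarda.com.   fwiarda.xs4all.nl. (
                                  1 ; serial
                                  3h ; refresh
                                  1h ; retry
                                  1w ; expire
                                  1h ) ; negative caching ttl
@ IN  NS    ns.fwiarda.com.
@ IN  A     82.161.42.40
@ IN  MX    0    mail.fwiarda.com.
mail.fwiarda.com.              IN  A   82.161.42.40
ns.fwiarda.com.                IN  A   82.161.42.40
pc.fwiarda.com.                IN  A   82.161.42.40
mail.fwiarda.com.       IN  MX  0    mail.fwiarda.com.
"""


def _strip_comment(line):
    """Drop a ';' comment, leaving semicolons inside double quotes alone."""
    out, quoted = [], False
    for ch in line:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def parse_zone(text, origin):
    """Return a set of (owner, rrtype, rdata) for the master-file subset
    used on this page: $TTL, '@' for the origin and a parenthesised SOA."""
    records, pending = set(), ""
    for raw in text.splitlines():
        pending = (pending + " " + _strip_comment(raw)).strip()
        if not pending or pending.count("(") > pending.count(")"):
            continue                      # blank line or SOA continuation
        tokens = pending.replace("(", " ").replace(")", " ").split()
        pending = ""
        if tokens[0].startswith("$"):
            continue                      # $TTL and similar directives
        owner = origin if tokens[0] == "@" else tokens[0]
        rest = tokens[2:] if len(tokens) > 2 and tokens[1] == "IN" else tokens[1:]
        records.add((owner, rest[0], " ".join(rest[1:])))
    return records


def check_views(local, world, public_ip):
    """List the ways the world view disagrees with the local view.

    Every A record in the local view must be answered with the public
    address in the world view, all other records must match exactly, and
    no private address may appear in the world view at all."""
    findings = []
    for owner, rrtype, rdata in sorted(local):
        if rrtype == "A":
            if (owner, "A", public_ip) not in world:
                findings.append(f"{owner}: no world A record for {public_ip}")
        elif (owner, rrtype, rdata) not in world:
            findings.append(f"{owner}: {rrtype} record {rdata!r} only in local view")
    for owner, rrtype, rdata in sorted(world):
        if rrtype == "A" and ipaddress.ip_address(rdata).is_private:
            findings.append(f"{owner}: private address {rdata} exposed in world view")
        elif rrtype != "A" and (owner, rrtype, rdata) not in local:
            findings.append(f"{owner}: {rrtype} record {rdata!r} only in world view")
    return findings


def audit_views():
    """Run the check over the page's zones and the server's public address."""
    local = parse_zone(LOCAL_ZONE, "fwiarda.com.")
    world = parse_zone(WORLD_ZONE, "fwiarda.com.")
    return check_views(local, world, "82.161.42.40")


if __name__ == "__main__":
    for finding in audit_views() or ["views are consistent"]:
        print(finding)
```

Run against the zones as printed above, the check reports that the two SPF TXT records exist only in the local view, where no remote mail server will ever see them.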


16. E-Mail

By default POP3 and IMAP are disabled on Red Hat Linux 8.0. To enable them, edit the files /etc/xinetd.d/ipop3 and /etc/xinetd.d/imap and change disable = yes into disable = no in both files. The change becomes effective after the xinetd daemon has been restarted, or after a system reboot.

To speed up mail delivery I have edited the file /etc/sysconfig/sendmail, and changed QUEUE=1h into QUEUE=10m. This change ensures that the mail queue is processed every 10 minutes instead of every hour.

I have edited the file /etc/mail/sendmail.mc to contain the following lines:

include(`/usr/share/sendmail-cf/m4/cf.m4')
OSTYPE(`linux')
VERSIONID(`linux setup for Red Hat Linux')
define(`confAUTH_MECHANISMS',`GSSAPI LOGIN PLAIN')
define(`confCW_FILE',`/etc/mail/local-host-names')
define(`confDOMAIN_NAME',`mail.fwiarda.com')
dnl All DontBlameSendmail flags must go into one define: a later define()
dnl of the same m4 macro replaces the earlier one instead of adding to it.
define(`confDONT_BLAME_SENDMAIL',`GroupWritableDirPathFile,GroupWritableDirPathFileSafe,GroupWritableForwardFile,GroupWritableForwardFileSafe,GroupWritableIncludeFile,GroupWritableIncludeFileSafe')
define(`confDOUBLE_BOUNCE_ADDRESS',`null')
define(`confFORWARD_PATH',`$z/.forward')
define(`confMAX_MESSAGE_SIZE',`0')
define(`confTO_QUEUERETURN',`12h')
define(`confTO_QUEUEWARN',`30m')
define(`ALIAS_FILE',`/etc/mail/aliases')
TRUST_AUTH_MECH(`GSSAPI LOGIN PLAIN')
FEATURE(`accept_unresolvable_domains')
FEATURE(`allmasquerade')
FEATURE(`always_add_domain')
FEATURE(`limited_masquerade')
FEATURE(`masquerade_envelope')
FEATURE(`use_cw_file')
FEATURE(`virtusertable',`hash /etc/mail/virtusertable.db')
MASQUERADE_AS(`mail.fwiarda.com')
MASQUERADE_DOMAIN(`server.fwiarda.com')
MAILER(`smtp')

After editing the file the following command must be executed:

m4 /etc/mail/sendmail.mc >/etc/mail/sendmail.cf

I have edited the file /etc/mail/submit.mc to contain the following lines:

include(`/usr/share/sendmail-cf/m4/cf.m4')
OSTYPE(`linux')
VERSIONID(`linux setup for Red Hat Linux')
define(`confCF_VERSION',`Submit')
define(`confPID_FILE',`/var/run/sm-client.pid')
define(`confTIME_ZONE',`USE_TZ')
FEATURE(`msp')

After editing the file the following command has been executed:

m4 /etc/mail/submit.mc >/etc/mail/submit.cf

I have edited the file /etc/mail/local-host-names to contain the following lines:

server.fwiarda.com
mail.fwiarda.com
ip52a12a28.xs4all.nl
fwiarda.com

I have edited the file /etc/mail/aliases to contain the following lines:

adm: 			bounce
amanda: 		bounce
apache: 		bounce
bin: 			bounce
canna: 			bounce
desktop: 		bounce
ftp: 			bounce
games: 			bounce
gdm: 			bounce
gopher: 		bounce
halt: 			bounce
ident: 			bounce
ldap: 			bounce
lp: 			bounce
mail: 			bounce
mailman: 		bounce
mailnull: 		bounce
mysql: 			bounce
named: 			bounce
netdump: 		bounce
news: 			bounce
nfsnobody: 		bounce
nobody: 		bounce
nscd: 			bounce
ntp: 			bounce
pcap: 			bounce
postfix: 		bounce
postgres: 		bounce
privoxy: 		bounce
pvm: 			bounce
radvd: 			bounce
rpc: 			bounce
rpcuser: 		bounce
rpm: 			bounce
shutdown: 		bounce
smmsp: 			bounce
squid: 			bounce
sshd: 			bounce
sync: 			bounce
uucp: 			bounce
vcsa: 			bounce
webalizer: 		bounce
wnn: 			bounce
xfs: 			bounce

mailer-daemon: 		/dev/null
null: 			/dev/null
root: 			fwiarda

server: 		bounce

I have edited the file /etc/mail/virtusertable to contain the following lines:

fwiarda@fwiarda.com		fwiarda
null@fwiarda.com		null
bounce@fwiarda.com		bounce
@fwiarda.com			error:5.1.6:550 Mail to fwiarda@fwiarda.com instead

When hosting additional e-mail domains, a tab-separated list of e-mail addresses and the local mailboxes or aliases to which they must be mapped must be added to the file /etc/mail/virtusertable. Omitting the part of the e-mail address before the @ sign maps the entire domain. Note that all domains for which e-mail can be received must also be listed in the file /etc/mail/local-host-names.

For more information about e-mail see the book titled "Sendmail" ([3]).
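An added example, not from the original page, that traces sample recipients through the virtusertable and an abridged copy of the aliases file above, applying sendmail's documented lookup order (exact address first, then the @domain catch-all, then aliases). The function names, the sample addresses and the account list are this example's own.

```python
# Tables as shown on this page (the aliases list is abridged); the lookup
# order below follows sendmail's documented virtusertable semantics.
HOSTED_DOMAINS = {"server.fwiarda.com", "mail.fwiarda.com",
                  "ip52a12a28.xs4all.nl", "fwiarda.com"}   # local-host-names
LOCAL_ACCOUNTS = {"root", "fwiarda", "server"}             # section 11

VIRTUSERTABLE = """\
fwiarda@fwiarda.com\tfwiarda
null@fwiarda.com\tnull
bounce@fwiarda.com\tbounce
@fwiarda.com\terror:5.1.6:550 Mail to fwiarda@fwiarda.com instead
"""

ALIASES = """\
apache:\t\tbounce
mailer-daemon:\t/dev/null
null:\t\t/dev/null
root:\t\tfwiarda
server:\t\tbounce
"""


def parse_virtusertable(text):
    """Left column is the key, everything after the whitespace the value."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key] = value.strip()
    return table


def parse_aliases(text):
    """'name: target' lines; a target may be a user, a file or /dev/null."""
    aliases = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, target = line.split(":", 1)
            aliases[name.strip()] = target.strip()
    return aliases


def route(address, virtusers, aliases, accounts=LOCAL_ACCOUNTS,
          hosted=HOSTED_DOMAINS):
    """Trace one recipient through virtusertable and aliases.

    Returns a (disposition, detail) pair: 'remote' (domain not hosted
    here, left to the SMTP mailer), 'error' (the 550 catch-all), 'discard'
    (/dev/null), 'deliver' (a local mailbox) or 'unresolved' (a target
    that is neither an alias nor an account in the tables given)."""
    user, _, domain = address.partition("@")
    if domain and domain not in hosted:
        return ("remote", address)
    target = user
    if domain:
        # sendmail tries the exact address first, then the @domain catch-all;
        # with no match the local part is delivered as a normal local user.
        target = virtusers.get(address, virtusers.get("@" + domain, user))
    if target.startswith("error:"):
        return ("error", target)
    seen = set()
    while target in aliases and target not in seen:   # follow alias chains
        seen.add(target)
        target = aliases[target]
    if target == "/dev/null":
        return ("discard", target)
    if target in accounts:
        return ("deliver", target)
    return ("unresolved", target)


def trace_samples():
    """Route a few constructed sample recipients through the page's tables."""
    virtusers, aliases = parse_virtusertable(VIRTUSERTABLE), parse_aliases(ALIASES)
    samples = ["fwiarda@fwiarda.com", "root@fwiarda.com", "root",
               "null@fwiarda.com", "apache@server.fwiarda.com",
               "someone@example.org"]
    return {addr: route(addr, virtusers, aliases) for addr in samples}


if __name__ == "__main__":
    for addr, result in trace_samples().items():
        print(f"{addr:28} -> {result[0]}: {result[1]}")
```

The page does not show how the target bounce is defined, so the trace reports it as unresolved; that is exactly the dangling alias target such a check is meant to surface before mail to it is silently misrouted.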


17. Filtering Spam

I use spamassassin to tag spam for mail sent to my personal mail account. My spamassassin configuration file /etc/mail/spamassassin/local.cf contains the following lines:

report_header 1
rewrite_subject 0
defang_mime 0

Besides the lines above, I have added some personal rules to the file /etc/mail/spamassassin/local.cf . These rules are outside the scope of this document.

I have created a file /etc/mail/spamassassin/whitelist.cf containing the e-mail addresses of my contacts in lines like:

whitelist_from user@domain

I have created a file /etc/mail/spamassassin/blacklist.cf containing the e-mail addresses of people from who I do not want to receive e-mail in lines like:

blacklist_from user@domain

I have written a procmail script which moves spam to a separate mailbox ~/mail/Spam. The suspected spammer receives a mail saying that his e-mail has been deleted. In this mail he is informed that he can bypass the spam filter by starting the subject field with the keyword NOSPAM. Real spammers do not read bounced messages, but legitimate senders whose mail is accidentally tagged as spam will. Click here for a copy of the script. Beware of DOS to Unix text file conversion (CR-LF to LF) when downloading it. The script is self documenting. Copy it to /usr/local/bin/spamfilter. The file must be executable for everybody. This can be done with the command:

chmod 755 /usr/local/bin/spamfilter

To have all my e-mail filtered, I have created a /home/fwiarda/.forward containing the following line:

"|/usr/local/bin/spamfilter email=fwiarda@fwiarda.com"

Note that sendmail requires the /home/fwiarda/.forward file to be owned by fwiarda and not being world readable. When the file has been created by root, the following commands fix this:

chmod 644 /home/fwiarda/.forward
chown fwiarda:fwiarda /home/fwiarda/.forward

18. Auto-Replying to E-Mail


Red Hat Linux 8.0 does not come with a vacation program, to auto-reply to your mail. I have written a perl script myself, which mimics the Unix vacation program.

In most aspects this script is stripped down in functionality compared to the Unix vacation program. However, with the handling of .forward files it is more advanced. If a .forward file already exists and contains forwards to something other than vacation, it adds a line to the original .forward file instead of overwriting it. Later, when vacation is disabled, this line is deleted again. This behaviour leaves other forwards intact.

Click here for a copy of the script. Beware of DOS to Unix text file conversion (CR-LF to LF) when downloading it. The script is self documenting. Copy it to /usr/local/bin/vacation. The file must be executable for everybody. This can be done with the command:

chmod 755 /usr/local/bin/vacation

19. Web Server

By default the Apache web server is disabled on Red Hat Linux 8.0. To enable it the following commands must be executed:

mv /etc/rc.d/rc2.d/K15httpd /etc/rc.d/rc2.d/S85httpd
mv /etc/rc.d/rc3.d/K15httpd /etc/rc.d/rc3.d/S85httpd
mv /etc/rc.d/rc4.d/K15httpd /etc/rc.d/rc4.d/S85httpd
mv /etc/rc.d/rc5.d/K15httpd /etc/rc.d/rc5.d/S85httpd

Renaming these files ensures that the Apache web server is started during system boot. Note that we also renumber the files from *15* to *85*. This ensures that the Apache web server is started after the name server (S55named); otherwise it is not able to resolve the host names used in its configuration file.

The following lines must be added to or changed in the main server configuration section of /etc/httpd/conf/httpd.conf:

# Set my e-mail address as the server administrator's e-mail.
ServerAdmin "fwiarda@fwiarda.com"
# Set the name of the server.
ServerName "server.fwiarda.com"
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# We configure the default to be a very relaxed set of features,
# so we do not have to switch them on separately for each virtual
# server.
<Directory "/">
	Options All
	AllowOverride All
	Order allow,deny
	Allow from all
</Directory>

# We set the documents defining a directory index.
DirectoryIndex "index.htm" "index.html" "index.txt" "index.cgi" "index.php"

# The default is to present a test page if there is no index file in
# the document root directory. We like Apache to display the directory
# contents instead, by commenting the corresponding directives out.
#<LocationMatch "^/$">
# 	Options -Indexes
# 	ErrorDocument 403 /error/noindex.html
#</LocationMatch>

# We define the format of directory listings.
IndexOptions FancyIndexing NameWidth=* FoldersFirst SuppressDescription 

# We disable headers and readme files in directory listings by commenting
# the corresponding directives out.
#ReadmeName README.html
#HeaderName HEADER.html

# All files ending with .cgi are scripts, even if they are not placed
# in a special directory for cgi-scripts.
AddHandler cgi-script .cgi

# We set .htaccess to be the file from which access permission can be
# overridden.
AccessFileName ".htaccess"

# We do not want .htaccess, .htpasswd and .htgroup files to be displayed.
<Files ~ "^\.ht">
	Order allow,deny
	Deny from all
</Files>

# We lookup the hostnames for the IP addresses to which
# we provide pages. This makes our log files more readable.
HostnameLookups On

# We set the error log file.
ErrorLog "/var/log/httpd/error_log"

# We set the access log file.
CustomLog "/var/log/httpd/access_log" combined

# We don't want to have the server name below directory indexes generated
# by Apache.
ServerSignature Off

# Disable http://server.fwiarda.com/manual/ to be the Apache
# manual, by commenting the corresponding directives out.
#Alias /manual "/var/www/manual"
#
#<Directory "/var/www/manual">
#	Options Indexes FollowSymLinks MultiViews
# 	AllowOverride None
# 	Order allow,deny
# 	Allow from all
#</Directory>

# Disable http://server.fwiarda.com/cgi-bin/ to be a server
# wide script directory.
#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

These settings are valid for all virtual hosts. The following lines have been added to or changed in the virtual host section of /etc/httpd/conf/httpd.conf:

# We define we are going to use name based virtual hosting.
NameVirtualHost "10.0.0.254"

# This entry is the default entry. It is used when the hostname in the
# URL is not known to us. Hackers just trying our IP address end-up here.
# We will always return an empty page with mime-type text/plain. All 
# settings for this entry are taken from the main server configuration
# section above.
<VirtualHost "10.0.0.254">
	<Directory "/dev">
		ForceType text/plain
	</Directory>
	AliasMatch .* "/dev/null"
	CustomLog "/var/log/httpd/access_log" combined
	ErrorLog "/var/log/httpd/error_log"
</VirtualHost>

# The entry for calls to http://mail.fwiarda.com/ . It accesses
# SquirrelMail, a web based mail client which is part of the Red Hat
# Linux 8.0 distribution. Since it is a web site on its own,
# it has its own error log and access log files.
<VirtualHost "10.0.0.254">
	ServerName "mail.fwiarda.com"
	DocumentRoot "/usr/share/squirrelmail"
	ErrorLog "/var/log/httpd/mail.fwiarda.com.error_log"
	CustomLog "/var/log/httpd/mail.fwiarda.com.access_log" combined
</VirtualHost>

# The entry for calls to http://server.fwiarda.com/ . 
# It has its own error log and access log files.
<VirtualHost "10.0.0.254">
	ServerName "server.fwiarda.com"
	DocumentRoot "/home/server/www"
	ErrorLog "/var/log/httpd/server.fwiarda.com.error_log"
	CustomLog "/var/log/httpd/server.fwiarda.com.access_log" combined
</VirtualHost>

# The entry for calls to my personal web site
# http://www.fwiarda.com/ . It has its own document root, and its
# own error log and access log files.
<VirtualHost "10.0.0.254">
	ServerName "www.fwiarda.com"
	ServerAlias "fwiarda.com"
	DocumentRoot "/home/fwiarda/www"
	ErrorLog "/var/log/httpd/www.fwiarda.com.error_log"
	CustomLog "/var/log/httpd/www.fwiarda.com.access_log" combined
</VirtualHost>

Since I have defined http://mail.fwiarda.com/ to access SquirrelMail, I considered it not necessary that http://server.fwiarda.com/webmail/ accesses SquirrelMail as well. The /etc/httpd/conf.d/squirrelmail.conf has been edited to delete the line:

Alias /webmail /usr/share/squirrelmail

The document root directory, the directory containing the log files, and all directories above them must be searchable and readable by the user apache. To be able to test this, it is practical to log in as user apache. However, by default no login shell is assigned to the user apache. We fix this by editing the file /etc/passwd and changing the line:

apache:x:48:48:Apache:/var/www:/sbin/nologin

into:

apache:x:48:48:Apache:/var/www:/bin/bash

When logged in as root, we can now log in as apache with the following command:

su - apache

Any flaws in the file access permission settings will then become clearly noticeable.
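The same permission check can be made without assigning a login shell to the apache account. The following is an added example, not from the original page: the function walks a path downwards from a directory known to be reachable and inspects the permission bits for "others", which are the bits that apply to apache whenever it neither owns a file nor belongs to its group. It assumes GNU stat(1); the function names and the optional base directory argument are mine.

```shell
#!/bin/sh
# Added example (not from the original page): report the first component
# of a path that the "others" permission bits would stop a non-owner,
# non-group account such as apache from traversing or reading.
# Assumes GNU stat(1) for the -c '%a' octal mode output.

# other_bits PATH: print the octal "others" digit (0-7) of PATH's mode,
# following symbolic links so that a link such as www/log is judged by
# the directory it points at.
other_bits() {
    stat -L -c '%a' "$1" | sed 's/.*\(.\)$/\1/'
}

# check_other_access PATH [BASE]: walk from BASE (default /) down to PATH.
# Every directory on the way needs the "others" execute (search) bit and
# PATH itself needs the "others" read bit. Returns 0 when all is well,
# 1 at the first blocking component, 2 on a usage or stat error.
check_other_access() {
    target=$1
    base=${2:-/}
    case $target in
        /*) abs=$target ;;
        *)  abs=$(pwd)/$target ;;
    esac
    abs=${abs%/}
    base=${base%/}          # "/" becomes "", so "$base/$comp" stays absolute
    case $abs in
        "$base"/*) ;;
        *) echo "$abs is not below ${base:-/}"; return 2 ;;
    esac
    rel=${abs#"$base"}
    saved_ifs=$IFS; IFS=/; set -- $rel; IFS=$saved_ifs
    p=$base
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        p="$p/$comp"
        bits=$(other_bits "$p")
        [ -n "$bits" ] || { echo "cannot stat $p"; return 2; }
        if [ -d "$p" ] && [ $((bits & 1)) -eq 0 ]; then
            echo "not searchable by others: $p"
            return 1
        fi
        if [ "$p" = "$abs" ] && [ $((bits & 4)) -eq 0 ]; then
            echo "not readable by others: $p"
            return 1
        fi
    done
    echo "ok: $abs"
}
```

For the setup on this page one would run, for example, check_other_access /home/fwiarda/www/index.html and check_other_access /var/log/httpd/access_log; the message names the first directory or file whose mode needs fixing.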

The web site http://server.fwiarda.com/ is used for accessing the access and error logs and the usage statistics of my server. The directory /home/server/www is the document root for this web site. It must be created, as well as sub-directories for the usage statistics of each site and a link to the directory containing the server's log files:

mkdir /home/server/www
mkdir /home/server/www/usage
mkdir /home/server/www/usage/mail.fwiarda.com
mkdir /home/server/www/usage/server.fwiarda.com
mkdir /home/server/www/usage/www.fwiarda.com
ln -s /var/log/httpd /home/server/www/log
chmod 755 /var/log/httpd

I do not want everybody to have access to my logs and usage statistics. Therefore a file /home/server/www/.htaccess is created, containing the following lines:

AuthUserFile /home/server/www/.htpasswd
AuthName "Server Administrator"
AuthType Basic
<Limit GET POST>
	require valid-user
</Limit>

A file /home/server/www/.htpasswd is created by issuing the following commands:

htpasswd /home/server/www/.htpasswd root
htpasswd /home/server/www/.htpasswd fwiarda

The htpasswd program prompts for the appropriate passwords.

The ownership of the /home/server/www tree shall belong to the user server. If this directory tree has been created while logged in as root, the ownership must be transferred with the following command:

chown -R server:server /home/server/www

For more information about the Apache web server see "Apache; The Definitive Guide" ([4]).


20. Web Usage Statistics

Webalizer is a tool for generating usage statistics for web pages.

The file /etc/webalizer.conf is edited, to ensure the following parameters are defined or commented out:

# We will specify the log file at the command line.
# The entry LogFile is commented out.
#LogFile /var/log/httpd/access_log
# We will specify the output directory at the command line.
# The entry OutputDir is commented out.
#OutputDir .
# The file webalizer.hist in the output directory will
# contain the data for previous months.
HistoryName webalizer.hist
# We only process entries not yet processed before. We
# retrieve the old usage information from the files
# webalizer.hist and webalizer.current
Incremental yes
# The file webalizer.current in the output directory will
# contain the data for the current month.
IncrementalName webalizer.current
# For debugging purposes we enable log messages. When
# webalizer is called from a script, we suppress all messages
# by adding the -Q option at the command line.
Quiet no

A file /etc/cron.daily/webalizer is created. This file is executed daily since it resides in the /etc/cron.daily directory. It must contain the following lines:

#!/bin/bash
if [ -s /var/log/httpd/server.fwiarda.com.access_log ] ; then
	/usr/bin/webalizer -Q \
		-n server.fwiarda.com \
		-r server.fwiarda.com \
		-o /home/server/www/usage/server.fwiarda.com \
		/var/log/httpd/server.fwiarda.com.access_log
fi
if [ -s /var/log/httpd/mail.fwiarda.com.access_log ] ; then
	/usr/bin/webalizer -Q \
		-n mail.fwiarda.com \
		-r mail.fwiarda.com \
		-o /home/server/www/usage/mail.fwiarda.com \
		/var/log/httpd/mail.fwiarda.com.access_log
fi
if [ -s /var/log/httpd/www.fwiarda.com.access_log ] ; then
	/usr/bin/webalizer -Q \
		-n www.fwiarda.com \
		-r www.fwiarda.com \
		-r fwiarda.com \
		-o /home/server/www/usage/www.fwiarda.com \
		/var/log/httpd/www.fwiarda.com.access_log
fi 

After editing, this file must be made executable with the command:

chmod 755 /etc/cron.daily/webalizer

21. Samba

By default samba is disabled in Red Hat Linux 8.0. To enable it the following commands must be executed:

mv /etc/rc.d/rc2.d/K35smb /etc/rc.d/rc2.d/S65smb
mv /etc/rc.d/rc3.d/K35smb /etc/rc.d/rc3.d/S65smb
mv /etc/rc.d/rc4.d/K35smb /etc/rc.d/rc4.d/S65smb
mv /etc/rc.d/rc5.d/K35smb /etc/rc.d/rc5.d/S65smb

The file /etc/samba/smb.conf is edited and shall contain the following lines:

[global]
workgroup = fwiarda-group
netbios name = fwiarda-server
server string = Frits Wiarda's Server
encrypt passwords = yes
security = user
time service = yes

[fwiarda]
path = /home/fwiarda
comment = /home/fwiarda
read only = no
create mask = 644
force create mode = 644
directory mask = 755
force directory mode = 755
guest ok = no

Samba uses the passwords from the file /etc/smbpasswd instead of /etc/passwd or /etc/shadow. That means separate passwords for samba must be created. This is done with the following command:

smbpasswd -a fwiarda

The smbpasswd program prompts for the appropriate password.

For more information on samba see "Using Samba" ([5]).


22. Disabling Start-Up of Unused Services

Linux knows different run levels:

When the system boots, it reads from the file /etc/inittab to which run level it should switch. It will then run the startup scripts for this run level (see /etc/rc.d/rc?.d).

We will use the unused run level 4. To have the system boot in run level 4, we edit /etc/inittab changing the initdefault line into:

id:4:initdefault:

With the following renames we ensure that only the services we need are started:

mv /etc/rc.d/rc4.d/S05kudzu      /etc/rc.d/rc4.d/K95kudzu
mv /etc/rc.d/rc4.d/S08ip6tables  /etc/rc.d/rc4.d/K92ip6tables
mv /etc/rc.d/rc4.d/S08ipchains   /etc/rc.d/rc4.d/K92ipchains
mv /etc/rc.d/rc4.d/S08iptables   /etc/rc.d/rc4.d/K92iptables
mv /etc/rc.d/rc4.d/S09isdn       /etc/rc.d/rc4.d/K91isdn
mv /etc/rc.d/rc4.d/S13portmap    /etc/rc.d/rc4.d/K87portmap
mv /etc/rc.d/rc4.d/S14nfslock    /etc/rc.d/rc4.d/K86nfslock
mv /etc/rc.d/rc4.d/S17keytable   /etc/rc.d/rc4.d/K83keytable
mv /etc/rc.d/rc4.d/S24pcmcia     /etc/rc.d/rc4.d/K76pcmcia
mv /etc/rc.d/rc4.d/S25netfs      /etc/rc.d/rc4.d/K75netfs
mv /etc/rc.d/rc4.d/S26apmd       /etc/rc.d/rc4.d/K74apmd
mv /etc/rc.d/rc4.d/S28autofs     /etc/rc.d/rc4.d/K72autofs
mv /etc/rc.d/rc4.d/S56rawdevices /etc/rc.d/rc4.d/K44rawdevices
mv /etc/rc.d/rc4.d/S84privoxy    /etc/rc.d/rc4.d/K16privoxy
mv /etc/rc.d/rc4.d/S85gpm        /etc/rc.d/rc4.d/K15gpm
mv /etc/rc.d/rc4.d/S90canna      /etc/rc.d/rc4.d/K10canna
mv /etc/rc.d/rc4.d/S90xfs        /etc/rc.d/rc4.d/K10xfs
mv /etc/rc.d/rc4.d/S95anacron    /etc/rc.d/rc4.d/K05anacron
mv /etc/rc.d/rc4.d/S95atd        /etc/rc.d/rc4.d/K05atd
mv /etc/rc.d/rc4.d/S97rhnsd      /etc/rc.d/rc4.d/K03rhnsd
mv /etc/rc.d/rc4.d/S98wine       /etc/rc.d/rc4.d/K02wine
mv /etc/rc.d/rc4.d/S99mdmonitor  /etc/rc.d/rc4.d/K99mdmonitor

The command ls /etc/rc.d/rc4.d/S* will list all the services that will be started at run level 4:

/etc/rc.d/rc4.d/S00microcode_ctl
/etc/rc.d/rc4.d/S10network
/etc/rc.d/rc4.d/S12syslog
/etc/rc.d/rc4.d/S20random
/etc/rc.d/rc4.d/S55named
/etc/rc.d/rc4.d/S55sshd
/etc/rc.d/rc4.d/S56xinetd
/etc/rc.d/rc4.d/S60lpd
/etc/rc.d/rc4.d/S65smb
/etc/rc.d/rc4.d/S80sendmail
/etc/rc.d/rc4.d/S85httpd
/etc/rc.d/rc4.d/S90crond
/etc/rc.d/rc4.d/S99local
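The renames in this section and the enabling of httpd and smb in sections 19 and 21 all follow the same pattern: an S&lt;NN&gt; link becomes K&lt;100-NN&gt; to disable a service and a K&lt;NN&gt; link becomes S&lt;100-NN&gt; to enable it (the mdmonitor entry above is the one exception). The following added example, not part of the original page, does these renames in a repeatable way and reads the enabled services back from the S* names. The function names are mine; RCDIR defaults to the run level 4 directory used on this page and can be pointed elsewhere for testing.

```shell
#!/bin/sh
# Added example (not from the original page): SysV rc-directory helpers.
# A service is disabled by renaming S<NN>name to K<100-NN>name and enabled
# by the reverse, which is the convention the lists on this page follow.

RCDIR=${RCDIR:-/etc/rc.d/rc4.d}   # run level 4, as used on this page

# _rc_flip FROM TO NAME: rename FROM<NN>NAME to TO<100-NN>NAME in $RCDIR.
# Returns 1 when no FROM link for NAME exists, so that a caller notices
# an already disabled (or unknown) service instead of silently continuing.
_rc_flip() {
    from=$1; to=$2; name=$3
    found=0
    for link in "$RCDIR"/"$from"[0-9][0-9]"$name"; do
        [ -e "$link" ] || continue
        found=1
        nn=$(basename "$link" | cut -c2-3)
        nn=${nn#0}; nn=${nn:-0}        # "08" -> 8, so $(( )) does not read octal
        k=$((100 - nn))
        if [ "$k" -gt 99 ]; then k=99; fi
        mv "$link" "$RCDIR/$to$(printf '%02d' "$k")$name"
    done
    [ "$found" -eq 1 ]
}

# rc_disable NAME: stop NAME from being started at this run level.
rc_disable() { _rc_flip S K "$1"; }

# rc_enable NAME: start NAME at this run level.
rc_enable() { _rc_flip K S "$1"; }

# rc_enabled: print the names of the services with an S link in $RCDIR,
# in the order rc will start them (the same order ls sorts them).
rc_enabled() {
    for link in "$RCDIR"/S[0-9][0-9]*; do
        [ -e "$link" ] || continue
        basename "$link" | cut -c4-
    done
}
```

Running rc_enabled after the renames above should print the same names as the ls listing, which makes it a quick check that nothing unexpected was left enabled.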

23. NAT Settings ADSL Modem

To be able to reach my server from the internet, some NAT settings must be made in the ADSL modem.

The easiest option is to set the default address to which IP packets from the internet are routed to the server's internal IP address 10.0.0.254. All IP packets from the internet are then sent to the server.

The best option is to list explicitly for which TCP and UDP ports IP packets must be routed to the server's internal IP address 10.0.0.254. Other IP packets can be discarded, making life for hackers more difficult. The ports which must be opened are:


Glossary and Abbreviations

ADSL Asymmetric Digital Subscriber Line.
BOOTP BOOTstrap Protocol.
DHCP Dynamic Host Configuration Protocol.
DNS Domain Name System.
FTP File Transfer Protocol.
HTML HyperText Mark-up Language.
HTTP HyperText Transfer Protocol.
IMAP Internet Message Access Protocol.
IP Internet Protocol.
LPD Line Printer Daemon.
POP3 Post Office Protocol version 3.
NAT Network Address Translation.
RFC Request For Comments.
RXD Receive Data.
SMTP Simple Mail Transfer Protocol.
SSH Secure SHell.
TCP Transmission Control Protocol.
TXD Transmit Data.
USB Universal Serial Bus.
UDP User Datagram Protocol.


References

[1] RFC3022; Traditional IP Network Address Translator (Traditional NAT); Available at ftp://ftp.rfc-editor.org/in-notes/rfc3022.txt

[2] DNS and BIND; Paul Albitz and Cricket Liu; O'Reilly Publishing

[3] Sendmail; Bryan Costales with Eric Allman; O'Reilly Publishing

[4] Apache; The Definitive Guide; Ben Laurie and Peter Laurie; O'Reilly Publishing

[5] Using Samba; Jay Ts, Robert Eckstein and David Collier-Brown; O'Reilly Publishing; Digital copy available at http://www.samba.org/samba/docs/using_samba/toc.html

