DNS Setup

DNS CONFIGURATION

DNS Configuration

DNS Setup

named daemon is used

A DNS Server may be caching/master/slave server

The named.ca file has information of all Root Servers.

There is a Forward Zone file and a Reverse Zone file for every domain.

Configuration file:

/var/named/chroot/etc/named.conf

Forward Zone File:

/var/named/chroot/var/named/<forward_zone_file>

Reverse Zone File:

/var/named/chroot/var/named/<reverse_zone_file>

Sample Master named.confDNS Setup

zone "." { type hint; file "named.ca";};zone "0.0.127.in-addr.arpa" { type master; file "named.local"; allow-query {any;};};zone "iitk.ac.in" { type master; file "hosts.db"; allow-query {any;};};zone "95.200.203.IN-ADDR.ARPA" { type master; file "hosts.rev.203.200.95"; allow-query {any;};};

zone "iitk.ernet.in" {

type slave;

file "hosts.iitk.ernet.in";

masters { 202.141.40.10; };

allow-query {any;};

Sample Forward Zone File

DNS Setup

$TTL 86400

@ IN SOA ns1.iitk.ac.in. root.ns1.iitk.ac.in. (

200605091 ; Serial

10800 ; Refresh - 3 hours

3600 ; Retry - 1 hour

1209600 ;Expire - 1 week

43200 ) ; Minimum TTL for negative answers - 12 hours

IN NS ns1.iitk.ac.in.

IN NS ns2.iitk.ac.in.

IN MX 5 mail0.iitk.ac.in.

IN MX 10 mail1.iitk.ac.in.

IN MX 20 mail2.iitk.ac.in.

$ORIGIN iitk.ac.in.

ns1 IN A 203.200.95.142

mail0 IN A 203.200.95.144

proxy IN CNAME mail0

Sample Reverse Zone FileDNS Setup

$TTL 86400$ORIGIN 200.203.in-addr.arpa.95 IN SOA ns1.iitk.ac.in. root.ns1.iitk.ac.in. ( 200605091 ; Serial 10800 ; Refresh - 5 minutes 3600 ; Retry - 1 minute 1209600 ; Expire - 1 weeks 43200 ) ; Minimum TTL for negative answers - 12 hours IN NS ns1.iitk.ac.in. IN NS ns2.iitk.ac.in.

$ORIGIN 95.200.203.in-addr.arpa.;;142 IN PTR ns1.iitk.ac.in.144 IN PTR mail0.iitk.ac.in.

Configuring Local ResolverDNS Setup

/etc/resolv.conf

server 127.0.0.1

Test DNSDNS Setup

nslookup

host

dig

Test your DNS with the following DNS diagnostics web site: dnsstuff.com

Apache Setup

APACHE SETUP

Web ServerWeb Server Setup

Apache Web Server is used

Daemon is httpd (service httpd start/stop/restart)

Files used by ApacheWeb Server Setup

Configuration file: /etc/httpd/conf/httpd.conf

Log files: /var/log/httpd/access_log and /var/log/httpd/error_log

Modules /etc/httpd/modules

Default Document Root /var/www/html

Default CGI Root /var/www/cgi-bin

Apache Configuration Directives

Web Server Setup

Server Name

Min and Max Servers

Document Root

CGI Enable/Disable

User Directory

Directory Index

Mime Types

Modules

Access Restrictions

Secure Server

Virtual Hosting

Basic SettingsWeb Server Setup

Change the default value for ServerName www.<your-domain.com> in httpd.conf and put the website content in /var/www/html

Additionally you can configure Name based Virtual Hosting (allow more than one websites to run on the same server)

Virtual HostingWeb Server Setup

NameVirtualHost *:80

<VirtualHost *:80>

ServerName server-name

DocumentRoot path-to-virtual-document-root

</VirtualHost>

<VirtualHost *:80>

ServerName server-name

DocumentRoot path-to-virtual-document-root

</VirtualHost>

Squid Setup

SQUID SETUP

Obtaining Squid

Squid Setup

Source code (in C) from www.squid-cache.org

Binary executables

Linux (comes with RedHat and others)

FreeBSD

Windows

Pre-installed in Fedora/Enterprise Linux

Basic Settings

Squid Setup

Edit the /etc/squid/squid.conf file to configure squid

Configuration options:

Disk Cache size and location

Authentication

Allowed Hosts

Any other access restrictions (sites, content, size, time of access etc.) using ACL

service squid start/stop/restart

Disc Requirements

Squid Setup

Squid makes very heavy use of disc because of heavy read/write in cache

Needs discs with low seek times

SCSI is better

Can spread cache over 2 or more discs

Raid not recommended

Cached data is not critical

Calculating Disc Space

Squid Setup

Recommend keeping at least 2 days worth of objects

10 days may be better

Example:

256Kbps link loaded 10 hrs/day ~= 1GB

assume 50% cacheable - .5GB / day

2 days objects - 1GB

10 days objects - 5 GB

Squid.conf Basic Configuration

Squid Setup

cache_dir ufs /var/spool/squid/cache 100 16 256

auth_param basic program /usr/lib/squid/ncsa_auth /etc/shadow

acl sidbiusers proxy_auth required

http_access allow sidbiusers

acl our_network src 172.28.250.0/24

http_access allow our_network

(Note: use squid –z for the first time to create the cache directory and its subdirectories)

Sendmail Setup

SENDMAIL SETUP

Sendmail ConfigurationMail Server Setup

Daemon: sendmailConfiguration File: /etc/mail/sendmail.mcEdit the following lines

LOCAL_DOMAIN(`localhost.localdomain')dnl(Replace localhost.localdomain by the domain name for which the mail server is being configured)DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl(comment this line by adding dnl at the start of the line)

dnl MASQUERADE_AS(`mydomain.com')dnl (remove dnl & replace mydomain.com by the domain name)

Sendmail Configuration

Sendmail Setup

Add the range of IP addresses of your network in access file

(e.g. 172.31. Relay)

Run “make –C /etc/mail” command to compile sendmail.mc and generate sendmail.cf file.

Restart sendmail and watch for errors

PoP & IMAP Server

Sendmail Setup

PoP3 & IMAP Server can be started using dovecot server. (service dovecot start)

Firewall

FIREWALL

Basic Setup

Firewall

Internet

Database

ApplicationWeb Server

Firewall

Firewall RulesIP Address of Source (Allow from Trusted Sources)

IP Address of Destination (Allow to trusted Destinations)

Application Port Number (Allow Mail but restrict Telnet)

Direction of Traffic (Allow outgoing traffic but restrict incoming traffic)

Firewall

Firewall ImplementationHardware Firewall: Dedicated Hardware Box (Cisco PIX, Netscreen )

Software Firewall: Installable on a Server ( )

Host OSs (Windows XP/Linux) also provide software firewall features to protect the host

These days Firewalls provide IDS/IPS (Intrusion Detection System/Intrusion Prevention System) services also.

Firewall

LINUX Firewall

Linux Security

Use GUI (Applications ->System Settings-> Security Level) to activate the firewall

Allow standard services and any specific port based application

All other services and ports are blocked

LINUX Firewall

Linux Security