Download - Linux Web Server and Domain Configuration Tutorial

Transcript
  • 4/7/2015 Linux Web Server and Domain Configuration Tutorial

    http://www.yolinux.com/TUTORIALS/LinuxTutorialWebSiteConfig.html 1/33

    Linux Internet Web Server and Domain Configuration Tutorial: How To Create an Apache based Linux website server

    Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux server configuration required to host a website. The Apache web server, FTP server and DNS configuration are covered. The Apache web server is required to serve the web pages, the FTP server is required for users to upload content and the DNS server is required to resolve the domain names so that a URL entered into a web browser will point to your web server and properly serve the correct pages. The configurations presented will include virtual hosting which will allow a single Linux server to support multiple web site domains.

    Tutorial topics:

    Linux Apache web (httpd) server configuration
    Linux FTPd server and FTP user accounts
    vsFTPd and FTP user account configuration
    wu-FTPd and FTP user account configuration
    Basic "user account" configuration for maximum security on an Internet based web server
    Linux DNS (Domain Name Server) configuration using Bind version 8 or 9 (named)
    Web Server Load Balancing
    Managing web server daemons (services)
    Links and Resources

    Also see: Web Site Security Tutorial, YoLinux Internet Server Security Tutorial


    Web Site Prerequisites:

    This tutorial assumes that a computer has Linux installed and running. See Red Hat Installation for the basics. A connection to the internet is also assumed. A connection of 128 Mbits/sec or greater will yield the best results. ISDN, DSL, cable modem or better are all suitable. A 56k modem will work but the results will be mediocre at best. The tasks must also be performed with the root user login and password.

    No single distribution seems to have an advantage. A Ubuntu, SuSe, Fedora, Red Hat or CentOS distribution will include all of the software you will need to configure a web server. If using Red Hat Enterprise Linux, both the Workstation and the Server edition will support your needs, except that the Workstation edition will not include the vsFTP package. It will have to be compiled from source, or use sftp.

    Software Prerequisites: The Apache web server (httpd), FTP (requires xinetd or inetd) and Bind (named) software packages with their dependencies are all required. One can use the rpm command to verify installation:

    Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:

        rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd

    RPMs added FC2+: system-config-httpd
    RPMs added FC3+: httpd-suexec

    Red Hat 9.0:

        rpm -q httpd bind xinetd vsftpd

    A Red Hat 8.0 wu-ftpd RPM may be installed (newer version 2.6.2 or later with security fix: wu-ftpd-2.6.2-11) or install from source.

    Red Hat 8.0:

        rpm -q httpd bind xinetd wu-ftpd

    Red Hat 7.x:

        rpm -q apache bind inetd wu-ftpd

    Use wu-ftpd version 2.6.2 or later to avoid security problems.

    SuSE 9.3:

        rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils vsftpd

    Note: The apache2-MPM is a generic term for the Apache installation options for "Multi-Processing Modules (MPMs)": "prefork" or "worker". If you try and only install apache2 you will get the following error:

        apache2-MPM is needed by apache2-2.0.53-9

    Also see Apache.org: MPMs

    Ubuntu (natty 11.04)/Debian:

        apt-get install apache2
        apt-get install bind9
        apt-get install vsftpd

    Ubuntu (dapper 6.06/hardy 8.04)/Debian:


        apt-get install apache2 apache2-common apache2-mpm-prefork apache2-utils
        apt-get install bind9
        apt-get install vsftpd

    One should also have a working knowledge of the Linux init process so that these services are initiated upon system boot. See the YoLinux init process tutorial for more info.

    Apache HTTP Web server configuration:

    This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0). See the YoLinux list of Linux HTTP servers for a list of other web servers for the HyperText Transport Protocol.

    The Apache web server configuration file is: /etc/httpd/conf/httpd.conf

    Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:

    Linux distribution                                                    Apache web server "DocumentRoot"
    Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5/6, CentOS 4/5/6    /var/www/html/
    Red Hat 6.x and older                                                 /home/httpd/html/
    Suse 9.x                                                              /srv/www/htdocs/
    Ubuntu (dapper 6.06)/Debian                                           /var/www/html
    Ubuntu (hardy 8.04/natty 11.04)/Debian                                /var/www

    The default home page for the default configuration is index.html. Note the pages should not be owned by user apache as this is the process owner of the httpd web server daemon. If the web server process is compromised, it should not be allowed to alter the files. The files should of course be readable by user

    Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for multiple domains. Serving for multiple domains may be achieved in two ways:

    Virtual hosts: One IP address but multiple domains: "Name based" virtual hosting.
    Multiple IP based virtual hosts: One IP address for each domain: "IP based" virtual hosting.

    The default configuration will allow one to have multiple user accounts under one domain by using a reference to the user account: http://www.domain.com/~user1/. If no domain is registered or configured, the IP address may also be used: http://XXX.XXX.XXX.XXX/~user1/.

    [Potential Pitfall] The default umask for directory creation is correct by default, but if not use: chmod 755 /home/user1/public_html

    [Potential Pitfall] When creating new "Directory" configuration directives, I found that placing them by the existing "Directory" directives to be a bad idea. It would not use the .htaccess file. This was because the statement defining the use of the .htaccess file was after the "Directory" statement. Previously in RH 6.x the files were separated and the order was defined a little different. I now place new "Directory" statements near the end of the file just before the " statements.

    For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.

    Files used by Apache:

    Start/stop/restart script:
        Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
        SuSE 9.3: /etc/init.d/apache2
        Ubuntu (dapper 6.06/hardy 8.04/natty 11.04)/Debian: /etc/init.d/apache2

    Apache main configuration file:
        Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
        SuSE: /etc/apache2/httpd.conf (Need to add directive: ServerName hostname)
        Ubuntu (dapper 6.06/hardy 8.04/natty 11.04)/Debian: /etc/apache2/apache2.conf

    Apache supplementary configuration files:
        Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
        SuSE: /etc/apache2/conf.d/component.conf
        Ubuntu (dapper 6.06/hardy 8.04/natty 11.04)/Debian:
            Virtual domains: /etc/apache2/sites-enabled/domain (Create a soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on. Use command
            Additional configuration directives: /etc/apache2/conf.d/
            Modules to load: /etc/apache2/mods-available/ (Soft link to /etc/apache2/mods-enabled/ to turn on)
            Ports to listen to: /etc/apache2/ports.conf

    Apache log files: /var/log/httpd/access_log and error_log (Red Hat/Fedora Core; Suse: /var/log/apache2/)

    Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or status, i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read the configuration files to pick up any changes. To have this script invoked upon system boot issue the command chkconfig --add httpd. See the Linux Init Process Tutorial for a more complete discussion.

    Also the Apache control tool: /usr/sbin/apachectl start

    Apache Control Command: apachectl:

    Red Hat/Fedora Core/CentOS: apachectl directive
    Ubuntu dapper 6.06/hardy 8.04/natty 11.04/Debian: apachectl (soft link to apache2ctl) or apache2ctl directive


    Directive        Description
    start            Start the Apache httpd daemon. Gives an error if it is already running.
    stop             Stops the Apache httpd daemon.
    graceful         Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted.
    graceful-stop    Gracefully stops the Apache httpd daemon. This differs from a normal restart in that currently open connections are not aborted.
    restart          Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn't die.
    status           Displays a brief status report.
    fullstatus       Displays a full status report from mod_status. Requires mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
    configtest       Run a configuration file syntax test.

    Apache control tool: apachectl man page

    Apache Configuration Files:

    /etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file. See the Apache online documentation for the full manual.
    /etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache startup. Used to store application specific configurations.
    /etc/sysconfig/httpd: Holds environment variables used when starting Apache.

    Basic settings: Change the default value for ServerName www.

    Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those directories necessary. This is done with the Directory statement. Start by denying access to everything, then grant access to the necessary directories.

    Deny access completely to the file system root ("/") as the default:

        <Directory />
            Options None
            AllowOverride None
        </Directory>

    Deny first, then grant permissions:

    Set the default location of system web pages and allow access: (Red Hat/Fedora/CentOS)

        DocumentRoot "/var/www/html"

        <Directory "/var/www/html">
            Options Indexes FollowSymLinks
            AllowOverride None
            Order allow,deny
            Allow from all
        </Directory>

    Grant access to a user's web directory: public_html

    Enabling Red Hat/Fedora Linux, Apache public_html user directory access:

    This will allow users to serve content from their home directories under the sub-directory "/home/userid/public_html/" by accessing the URL http://hostname/~userid/

    File: /etc/httpd/conf/httpd.conf

        LoadModule userdir_module modules/mod_userdir.so
        ...
        ...
        # UserDir disable                         <- Add a comment to this line
        #
        # To enable requests to /~user/ to serve the user's public_html
        # directory, remove the "UserDir disable" line above, and uncomment
        # the following line instead:
        UserDir public_html                       <- Uncomment this line
        ...
        ...
        <Directory /home/*/public_html>
            AllowOverride FileInfo AuthConfig Limit
            Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
            <Limit GET POST OPTIONS>
                Order allow,deny
                Allow from all
            </Limit>
            <LimitExcept GET POST OPTIONS>
                Order deny,allow
                Deny from all
            </LimitExcept>
        </Directory>

    Change the Fedora Core default "UserDir disable" to a comment (add "#" at the beginning of the line) and assign the directory public_html as a web server accessible directory. OR assign a single user the specific ability to share their directory:

        <Directory /home/user1/public_html>
            AllowOverride None
            order allow,deny
            allow from all
            Options Indexes Includes FollowSymLinks
        </Directory>

    This allows the specific user, "user1" only, the ability to serve the directory /home/user1/public_html/

    Also use the SELinux command to set the security context: setsebool httpd_enable_homedirs true

    Directory permissions: The Apache web server daemon must be able to read your web pages in order to feed their contents to the network. Use an appropriate umask and file protection. Allow access to the web directory: chmod ugo+rx -R public_html. Note that the user's directory also has to have the appropriate permissions as it is the parent of public_html.

    Default permissions on the user directory:

        ls -l /home
        drwx------  20 user1 user1 4096 Mar  5 12:16 user1

    Allow the web server access to operate in the parent directory: chmod ugo+x /home/user1

        drwx--x--x  20 user1 user1 4096 Mar  5 12:16 user1

    One may also use groups to control permissions. See the YoLinux tutorial on managing groups.

    Enabling Ubuntu's Apache public_html user directory access:

    Ubuntu has broken out the Apache loadable module directives into the directory /etc/apache2/mods-available/. To enable an Apache module, generate soft links to the directory /etc/apache2/mods-enabled/ by using the commands a2enmod/a2dismod to enable/disable Apache modules.

    Example:

        [root@node2]# a2enmod

    A list of available modules is displayed. Enter "userdir" as the module to enable. Restart Apache with the following command: /etc/init.d/apache2 force-reload

    Note: This is the same as manually generating the following two soft links:

        ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf
        ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load

    Man page: a2enmod/a2dismod

    [Potential Pitfall]: If the Apache web server cannot access the file you will get the error "403 Forbidden" "You don't have permission to access on this server." Note the default permissions on a user directory when first created with "useradd" are:

        drwx------  3 userx userx

    You must allow the web server running as user "apache" to access the directory if it is to display pages held there. Fix with the command: chmod ugo+rx /home/userx

        drwxr-xr-x  3 userx userx

    SELinux security contexts:

    Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies and context labels. To view the security context labels applied to your web page files use the command: ls -Z

    The system enables/disables SELinux policies in the file /etc/selinux/config. SELinux can be turned off by setting the directive SELINUX (then reboot the system):

        SELINUX=disabled

    or using the command setenforce 0 to temporarily disable SELinux until the next reboot.

    When using SELinux security features, the security context labels must be added so that Apache can read your files. The default security context label used is inherited from the directory for newly created files. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory. Move does not create a new file and thus the file does not receive the directory security context label. The context labels used for the default Apache directories can be viewed with the command: ls -Z /var/www. The web directories of users (i.e. public_html) should be set with the appropriate context label (httpd_sys_content_t).

    Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html

    Options:
        -R: Recursive. Files and directories in the current directory and all subdirectories.
        -h: Affect symbolic links.
        -t: Specify the type of security context.

    Use the following security contexts:

    Context Type                Description
    httpd_sys_content_t         Used for static web content, i.e. HTML web pages.
    httpd_sys_script_exec_t     Use for executable CGI scripts or binary executables.
    httpd_sys_script_rw_t       CGI is allowed to alter/delete files of this context.
    httpd_sys_script_ra_t       CGI is allowed to read or append files of this context.
    httpd_sys_script_ro_t       CGI is allowed to read files and directories of this context.

    Set the following options: setsebool httpd_option true (or set to false)

    Policy                      Description
    httpd_enable_cgi            Allow httpd cgi support.
    httpd_enable_homedirs       Allow httpd to read home directories.
    httpd_ssi_exec              Allow httpd to run SSI executables in the same domain as system CGI scripts.

    Then restart Apache:

    Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
    Red Hat/Fedora: service httpd restart

    The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans

    For more on SELinux see the YoLinux Systems Administration tutorial.
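    The "403 Forbidden" pitfall above comes down to the ordinary permission bits the httpd process sees on the user's home directory and public_html, a check that is separate from the SELinux labels just described. The script below is an added example, not part of the YoLinux tutorial: it reports whether an unprivileged web server process could traverse a home directory and read its public_html, and flags a world-writable web root. It parses the mode string printed by ls -ld, so it assumes the usual "drwxr-xr-x" column layout; the demo directories it creates are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the YoLinux tutorial): report whether an unprivileged
# Apache process could traverse a user's home directory and read ~/public_html,
# i.e. whether the "403 Forbidden" pitfall applies. Checks the "others" bits of
# the mode string printed by `ls -ld` (columns 8-10), which assumes the usual
# "drwxr-xr-x" layout.

mode_of() {            # mode_of PATH -> 10-character mode string, e.g. drwxr-xr-x
    ls -ld "$1" | cut -c1-10
}

bit_set() {            # bit_set MODE COLUMN LETTER -> true if that column holds LETTER
    [ "$(printf '%s' "$1" | cut -c"$2")" = "$3" ]
}

add_problem() {        # append a finding to the space-separated list in $problems
    problems="${problems:+$problems }$1"
}

# check_userdir HOME -> prints "ok" or the list of problems; exit status 1 on problems
check_userdir() {
    home=$1
    pub=$home/public_html
    problems=""
    if [ ! -d "$home" ]; then
        echo "missing-home"
        return 1
    fi
    # Apache only needs search (x) on the home directory, not read: with
    # drwx--x--x it can reach public_html without being able to list $HOME.
    bit_set "$(mode_of "$home")" 10 x || add_problem "home-not-traversable"
    if [ -d "$pub" ]; then
        m=$(mode_of "$pub")
        bit_set "$m" 8 r  || add_problem "public_html-not-readable"
        bit_set "$m" 10 x || add_problem "public_html-not-traversable"
        # A world-writable web root lets any local account plant content.
        bit_set "$m" 9 w  && add_problem "public_html-world-writable"
    else
        add_problem "missing-public_html"
    fi
    if [ -z "$problems" ]; then
        echo "ok"
        return 0
    fi
    echo "$problems"
    return 1
}

# Demo on constructed directories: a home created with useradd-style 700 bits.
DEMO_HOME=$(mktemp -d)/user1
mkdir -m 700 "$DEMO_HOME"
mkdir -m 755 "$DEMO_HOME/public_html"
echo "before chmod: $(check_userdir "$DEMO_HOME")"
chmod ugo+x "$DEMO_HOME"        # the tutorial's fix: chmod ugo+x /home/user1
echo "after chmod:  $(check_userdir "$DEMO_HOME")"
```

    Run it as any user; the demo prints "home-not-traversable" before the chmod and "ok" after. On an SELinux system a clean result here still requires the httpd_sys_content_t label and the httpd_enable_homedirs boolean from the section above.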

    Virtual Hosts:

    The Apache web server allows one to configure a single computer to represent multiple web sites as if they were on separate hosts. There are two methods available and we describe the configuration of each. Choose one method for your domain:

    Name based virtual host: (most common) A single computer with a single IP address supporting multiple web domains. The web browser, using the http protocol, identifies the domain being addressed.
    IP based virtual host: The virtual hosts can be configured as a single multi-homed computer with multiple IP addresses on a single network card, with each IP address representing a different web domain. This has the appearance of a web domain supported by a dedicated computer because it has a dedicated IP address.

    Configuring a "name based" virtual host:

    A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a dedicated Linux server which hosts a single web site.)

        NameVirtualHost XXX.XXX.XXX.XXX

        <VirtualHost XXX.XXX.XXX.XXX>
            # www: CNAME (bind DNS alias www) specified in the Bind configuration file (/var/named/...)
            ServerName www.yourdomain.com
            # Allows requests by domain name without the "www"
            ServerAlias yourdomain.com
            ServerAdmin user1@yourdomain.com
            DocumentRoot /home/user1/public_html
            ErrorLog logs/yourdomain.com-error_log
            TransferLog logs/yourdomain.com-access_log
        </VirtualHost>

    Notes:

    You can specify more than one IP address, i.e. if the web server is also being used as a firewall/gateway and you have an external internet IP address as well as a local network IP address.

        NameVirtualHost XXX.XXX.XXX.XXX
        NameVirtualHost 192.168.XXX.XXX
        .....

    See the YoLinux Tutorial on configuring a network gateway/firewall using iptables and NAT. Use your IP address for XXX.XXX.XXX.XXX, and your actual domain name and email address. One can use DNS views to provide different local network DNS results.

    Note that I configure Apache for both requests http://www.domain-name.com and http://domain-name.com.

    Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a virtual domain.

        ...        This part remains the same


        ..
        # Default for when no domain name is given (i.e. access by IP address)
        <VirtualHost XXX.XXX.XXX.XXX>
            ServerAdmin [email protected]
            DocumentRoot /var/www/html
            ErrorLog logs/error_log
            TransferLog logs/access_log
        </VirtualHost>

        # Add a VirtualHost definition for your domain which was once the system default.
        <VirtualHost XXX.XXX.XXX.XXX>
            ServerName www.yourdomain.com
            ServerAlias yourdomain.com
            ServerAdmin user1@yourdomain.com
            DocumentRoot /var/www/html
            ErrorLog logs/error_log
            TransferLog logs/access_log
        </VirtualHost>
        .....

    Forwarding to a primary URL: It is best to avoid the appearance of duplicated web content from two URLs such as http://www.yourdomain.com and http://yourdomain.com. Supply a forwarding Apache "Redirect".

        <VirtualHost XXX.XXX.XXX.XXX>
            # Note that no aliases are listed
            ServerName www.yourdomain.com
            ......
        </VirtualHost>

        # Add a VirtualHost definition to forward to your primary URL
        <VirtualHost XXX.XXX.XXX.XXX>
            ServerName yourdomain.com
            ServerAlias otherdomain.com
            ServerAlias www.otherdomain.com
            Redirect permanent / http://www.yourdomain.com/
        </VirtualHost>
        .....

    Note: See the YoLinux.com Apache "Redirect" Tutorial

    More virtual host examples.

    When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a "NameVirtualHost" for each IP address.

    After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu/Debian)
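    With several name-based virtual hosts on one IP address, the mistakes that bite are silent: a block without a ServerName matches only as the default, and a name listed in two blocks (for instance as an alias in one and a ServerName in the redirect block) is served by whichever block Apache reads first. The script below is an added example, not from the YoLinux tutorial, that checks a virtual host configuration for those conditions before restarting httpd. The configuration it reads is a constructed sample in the style of the blocks above; the script only understands the directives it names (VirtualHost, ServerName, ServerAlias, DocumentRoot, Redirect) and is not a substitute for apachectl configtest.

```shell
#!/bin/sh
# Added example (not from the YoLinux tutorial): lint a name-based virtual
# host configuration. It reports blocks without ServerName (they only act as
# the default host), blocks with neither DocumentRoot nor Redirect, and names
# claimed by more than one block. The config below is a constructed sample.

VHOST_CONF=$(mktemp)
cat > "$VHOST_CONF" <<'EOF'
NameVirtualHost XXX.XXX.XXX.XXX

<VirtualHost XXX.XXX.XXX.XXX>
    ServerAdmin root@localhost
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost XXX.XXX.XXX.XXX>
    ServerName www.yourdomain.com
    ServerAlias yourdomain.com
    DocumentRoot /home/user1/public_html
</VirtualHost>

<VirtualHost XXX.XXX.XXX.XXX>
    ServerName yourdomain.com
    ServerAlias www.otherdomain.com
    Redirect permanent / http://www.yourdomain.com/
</VirtualHost>

<VirtualHost XXX.XXX.XXX.XXX>
    ServerName test.yourdomain.com
</VirtualHost>
EOF

# lint_vhosts FILE -> one finding per line; empty output means nothing found
lint_vhosts() {
    awk '
        # Opening tag: start a new block and reset what we have seen in it.
        /^[ \t]*<VirtualHost/ { inblock = 1; n++; sn = ""; dr = ""; rd = ""; next }
        /^[ \t]*<\/VirtualHost>/ {
            if (sn == "") printf "block %d: no ServerName (serves requests whose Host header matches no other block)\n", n
            if (dr == "" && rd == "") printf "block %d: missing DocumentRoot\n", n
            inblock = 0; next
        }
        !inblock { next }                      # NameVirtualHost etc. outside blocks
        $1 == "ServerName"   { sn = $2; claim($2, n) }
        $1 == "ServerAlias"  { for (i = 2; i <= NF; i++) claim($i, n) }
        $1 == "DocumentRoot" { dr = $2 }
        $1 == "Redirect"     { rd = $2 }
        # Remember which block first claimed each host name; a second claim is
        # the duplicate-content / wrong-block problem.
        function claim(name, blk) {
            if (name in owner) printf "duplicate name %s: blocks %d and %d\n", name, owner[name], blk
            else owner[name] = blk
        }
    ' "$1"
}

lint_vhosts "$VHOST_CONF"
```

    On the sample it prints three findings: block 1 has no ServerName (the intended default block), yourdomain.com is claimed by blocks 2 and 3, and block 4 has no DocumentRoot. Point it at /etc/httpd/conf/httpd.conf or a file under /etc/apache2/sites-available/ before the restart step above.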

    Apache virtual domain configuration with Ubuntu Dapper/Hardy:

    Ubuntu separates out each virtual domain into a separate configuration file held in the directory /etc/apache2/sites-available/. When the site domain is to become active, a soft link is created to the directory /etc/apache2/sites-enabled/.

    Example: /etc/apache2/sites-available/supercorp

        <VirtualHost *>
            ServerName supercorp.com
            ServerAlias www.supercorp.com
            ServerAdmin webmaster@localhost

            DocumentRoot /home/supercorp/public_html/home
            <Directory />
                Options FollowSymLinks
                AllowOverride None
            </Directory>
            <Directory /home/supercorp/public_html/home>
                Options Indexes FollowSymLinks MultiViews
                IndexOptions SuppressLastModified SuppressDescription
                AllowOverride All
                Order allow,deny
                allow from all
            </Directory>

            ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/
            <Directory "/home/supercorp/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
            </Directory>

            ErrorLog /var/log/apache2/supercorp.com-error.log

            # Possible values include: debug, info, notice, warn, error,
            # crit, alert, emerg.
            LogLevel warn
            CustomLog /var/log/apache2/supercorp.com-access.log combined
            ServerSignature On
        </VirtualHost>

    Enable domain:

    Create soft link:
        Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2/sites-enabled/supercorp
        Use the Ubuntu scripts a2ensite/a2dissite. Type the command and it will prompt you as to which site you would like to enable or disable.

    Restart Apache: apache2ctl graceful or /etc/init.d/apache2 restart or /etc/init.d/apache2 reload

    Also note that Apache modules can also be enabled/disabled with the scripts a2enmod/a2dismod.

    Man pages:

    a2ensite/a2dissite (Ubuntu: Apache2 enable/disable site)
    apache2ctl

    Configuring an "IP based" virtual host:

    One may assign multiple IP addresses to a single network interface. See the YoLinux networking tutorial: Network Aliasing. Each IP address may then be its own virtual server and individual domain. The downside of the "IP based" virtual host method is that you have to possess multiple/extra IP addresses. This usually costs more. The standard name based virtual hosting method above is more popular for this reason.

        # Indicates all IP addresses
        NameVirtualHost *

        <VirtualHost *>
            ServerAdmin [email protected]
            DocumentRoot /home/user0/public_html
        </VirtualHost>

        <VirtualHost XXX.XXX.XXX.XXX>
            ServerAdmin [email protected]
            DocumentRoot /home/user1/public_html
        </VirtualHost>

        <VirtualHost YYY.YYY.YYY.YYY>
            ServerAdmin [email protected]
            DocumentRoot /home/user2/public_html
        </VirtualHost>

    The default block (*) will be used as the default for all IP addresses not specified explicitly. This default IP (*) may not work for URLs.

    CGI: (Common Gateway Interface)

    CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by either of two configuration file directives:

    ScriptAlias:
        Red Hat 7.x-9, Fedora Core: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
        Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
        Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
        Ubuntu (dapper/hardy/natty)/Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"

    or Options +ExecCGI:

        Options +ExecCGI

    The executable program files must have execute privileges, executable by the process owner under which the httpd daemon is being run (Red Hat 7+/Fedora Core: apache; older releases use nobody).

    Configuring CGI To Run With User Privileges:

    The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

        NameVirtualHost XXX.XXX.XXX.XXX

        <VirtualHost XXX.XXX.XXX.XXX>
            ServerName node1.yourdomain.com
            # Allows requests by domain name without the "www" prefix.
            # www: CNAME (alias www) specified in the Bind configuration file (/var/named/...)
            ServerAlias yourdomain.com www.yourdomain.com
            ServerAdmin user1@yourdomain.com
            DocumentRoot /home/user1/public_html/yourdomain.com
            ErrorLog logs/yourdomain.com-error_log
            TransferLog logs/yourdomain.com-access_log
            SuexecUserGroup user1 user1
            Options +ExecCGI +Indexes
            AddHandler cgi-script .cgi
        </VirtualHost>

    ERROR Pages:

    You can specify your own web pages instead of the default Apache error pages:

        ErrorDocument 404 /Error404missing.html

    Create the file Error404missing.html in your "DocumentRoot" directory.

    Handle all errors with a forwarding page:

        ErrorDocument 400 /error.shtml
        ErrorDocument 401 /error.shtml
        ErrorDocument 403 /error.shtml
        ErrorDocument 404 /error.shtml
        ErrorDocument 500 /error.shtml

    Sample file error.shtml (in your "DocumentRoot" directory):

        Page not found!

    PHP:

    If the appropriate php, perl and httpd RPM's are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM Packages (RHEL4):

    php: HTML-embedded scripting language
    php-pear: PEAR is a framework and distribution system for reusable PHP components.
    php-mysql: MySQL database support.
    php-ldap: Lightweight Directory Access Protocol (LDAP) support

    Apache configuration:

    Add the php default page index.php to the apache config file: /etc/httpd/conf/httpd.conf

        ...
        DirectoryIndex index.html index.htm index.php
        ...

    PHP Configuration File:

    RHEL4 PHP 4.3: /etc/php.ini
    Ubuntu Dapper 6.06/6.11: /etc/php5/apache2/php.ini

        [PHP]
        engine = On
        ...
        ...
        display_errors = Off
        include_path = ".:/php/includes"
        ...
        ...
        memory_limit = 32M        ; Default is typically 8MB which is too low.
        ...
        ...

        [MySQL]
        ...
        ...


        mysql.default_host = superserver      ; Hostname of the computer
        mysql.default_user = dbuser
        ...

    Small portion of file shown. Note that changes will not take effect until the apache web server daemon is restarted.

    Test your PHP capabilities with this test file: /home/user1/public_html/test.php

    OR (older format)

    Test: http://localhost/~user1/test.php

    For more info see the YoLinux list of PHP information web sites.

    Running Multiple instances of httpd:

    The Apache web server daemon (httpd) can be started with the command line option "-f" to specify a unique configuration file for each instance. Use a unique IP address for each instance of Apache. See the YoLinux Networking Tutorial to specify multiple IP addresses for one NIC (Network Interface Card). Use the Apache configuration file directive Listen XXX.XXX.XXX.XXX, where the IP address is unique for each instance of Apache.

    Apache Man Pages:

    httpd: Apache Hypertext Transfer Protocol Server
    apachectl: Apache HTTP Server Control Interface
    ab: Apache HTTP server benchmarking tool
    htdigest: manage user files for digest authentication
    htpasswd: Manage user files for basic authentication
    logresolve: Resolve IP addresses to hostnames in Apache log files
    rotatelogs: Piped logging program to rotate Apache logs

    Also see the local online Apache configuration manual: http://localhost/manual/.

    Apache Red Hat/Fedora Core GUI configuration:

    GUI configuration tool:

    Red Hat EL4/5, Fedora 2-10: /usr/bin/system-config-httpd
    Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd

    Adding web site login and password protection: See the YoLinux tutorial on web site password protection.

    Log file analysis:

    Scanning the Apache web log files will not provide meaningful statistics unless they are graphed or presented in an easy to read fashion. The following packages do a good job of presenting site statistics.


    Analog (also see Report Magic for Analog)
    Webalizer
    AWStats (requires PERL)
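    Before (or instead of) installing a reporting package, a few lines of awk over the access log already answer the first questions a defender asks: what is failing, how often, and from where. The block below is an added example, not from the YoLinux tutorial; the log lines are constructed in Apache "combined" format with documentation-range client addresses, and the field positions the functions use ($1 client, $7 path, $9 status) assume that format.

```shell
#!/bin/sh
# Added example (not from the YoLinux tutorial): first-pass summaries of an
# Apache "combined" format access log with awk. Field positions assume that
# format: $1 client, $7 request path, $9 HTTP status. The log is constructed.

ACCESS_LOG=$(mktemp)
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [07/Apr/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Apr/2015:10:00:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://www.yourdomain.com/index.html" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2015:10:01:10 +0000] "GET /~user1/ HTTP/1.1" 403 289 "-" "curl/7.35"
198.51.100.7 - - [07/Apr/2015:10:01:11 +0000] "GET /old-page.html HTTP/1.1" 404 204 "-" "curl/7.35"
192.0.2.9 - - [07/Apr/2015:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Apr/2015:10:02:05 +0000] "POST /cgi-bin/form.cgi HTTP/1.1" 500 512 "http://www.yourdomain.com/index.html" "Mozilla/5.0"
EOF

# status_counts FILE -> "<status> <count>" per line, sorted by status code
status_counts() {
    awk '{ c[$9]++ } END { for (s in c) print s, c[s] }' "$1" | sort
}

# top_requests FILE N -> the N most requested paths, "<count> <path>", most frequent first
top_requests() {
    awk '{ r[$7]++ } END { for (p in r) print r[p], p }'  "$1" | sort -rn | head -n "$2"
}

# failed_requests FILE -> "<status> <client> <path>" for every 4xx/5xx response:
# the lines worth reading one by one, since they show probes, broken links,
# the 403s from the permission pitfall above, and crashed CGI programs.
failed_requests() {
    awk '$9 >= 400 { print $9, $1, $7 }' "$1"
}

echo "Requests by status:"; status_counts "$ACCESS_LOG"
echo "Top pages:";          top_requests "$ACCESS_LOG" 3
echo "Failures:";           failed_requests "$ACCESS_LOG"
```

    Substitute the real log path (/var/log/httpd/access_log on Red Hat, /var/log/apache2/ on Ubuntu/Debian) for the constructed file. The status breakdown is also the quickest way to notice a misconfiguration after a restart: a jump in 403s points back at the directory permissions and SELinux contexts covered earlier.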

    Web site statistic services:

    eXTReMe Tracking

    Load testing your server:

    PureLoad: JAVA load testing and reporting tool.
    Web Performance Trainer: Load Testing Tools.

    Apache Links:

    CgiWrap: setuid wrapper that allows users to install and execute their own cgi scripts that get executed as their own user id
    WWWThreads.org: Commercial product: Advanced Web Conferencing Software

    Configuring https (mod_ssl):

    Mod_SSL.org: Home Page
    Mod_SSL.org: Mod_SSL How To
    Mod_SSL.org: Steps to create SSL server certificate

    Log file analysis using Analog:

    Installation:

    Red Hat/Fedora: yum install analog
    Ubuntu/Debian: apt-get install analog

    Installation packages are also available from the Analog downloads page.

    Configuration file: /etc/analog.cfg

        LOGFILE /var/log/httpd/yourdomain.com-access_log* http://www.yourdomain.com
        UNCOMPRESS *.gz,*.Z "gzip -cd"
        SUBTYPE *.gz,*.Z
        #OUTFILE /home/user1/public_html/analog/Report.html
        #HOSTNAME "YourDomain.com"
        HOSTURL http://www.yourdomain.com
        ....
        ...
        ..
        REQINCLUDE pages        # Request page stats only
        ALL ON
        LANGUAGE US-ENGLISH

    One can view the settings which will be used with your configuration file (also good for debugging): analog -settings

    Make Analog images available to the user's report: ln -s /usr/share/analog/images/* /home/user1/public_html/analog

    Log file location:

    Red Hat/Fedora: /var/log/httpd/
    Ubuntu/Debian: /var/log/apache2/

    The directive ALL ON turns on all of the following:

    Analog Directive     Description
    MONTHLY ON           one line for each month
    WEEKLY ON            one line for each week
    DAILYREP ON          one line for each day
    DAILYSUM ON          one line for each day of the week
    HOURLYREP ON         one line for each hour of the day
    GENERAL ON           the General Summary at the top
    REQUEST ON           which files were requested
    FAILURE ON           which files were not found
    DIRECTORY ON         Directory Report
    HOST ON              which computers requested files
    ORGANISATION ON      which organisations they were from
    DOMAIN ON            which countries they were in
    REFERRER ON          where people followed links from
    FAILREF ON           where people followed broken links from
    SEARCHQUERY ON       the phrases and words they used...


    SEARCHWORD ON        ...to find you from search engines
    BROWSERSUM ON        which browser types people were using
    OSREP ON             and which operating systems
    FILETYPE ON          types of file requested
    SIZE ON              sizes of files requested
    STATUS ON            number of each type of success and failure

    Cron job to handle multiple domains: /etc/cron.daily/analog

        #!/bin/sh
        cp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg
        /usr/bin/analog
        cp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg
        /usr/bin/analog
        ...

    Links:

    Analog home page
    Analog command reference

    Measuring Web Server Performance:

    See the YoLinux.com web server benchmarking tutorial.

    FTPd and FTP user account configuration:

    Many FTP programs exist. This example covers the popular vsftpd (Red Hat default 9.0, Fedora Core, Suse) and the wu-ftpd (Washington University) program which comes standard with Red Hat (last shipped with Red Hat 8.0 but can be installed on any Linux system). (RPM: wu-ftpd) There are other FTP programs including proFtpd (supports LDAP authentication, Apache like directives, full featured ftp server software), bftpd, pure-ftpd (FreeBSD and optional on Suse), etc...

    For hostile environments set up a chrooted environment for an sftp encrypted connection and the rssh restricted shell for OpenSSH. See the YoLinux.com internet security tutorial for Linux sftp and rssh configuration.

    Also see the preferred chrooted sftp configuration for OpenSSH 4.9+

    FTPd and SELinux: To allow FTPd daemon access and FTP access to users' home directories:

        setsebool -P allow_ftpd_full_access=1

    Otherwise you will get an error in /var/log/messages: "SELinux is preventing the ftp daemon from writing files outside the home directory (./public_html)."

        setsebool -P ftp_home_dir 1

    Follow with the command: service vsftpd restart

    FTPd configuration tutorials:

    vsFTPd: Configuration
    WU-FTPd: Configuration
    FTP Clients: Links

    vsFTPd and FTP user account configuration:

    The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by Suse and OpenBSD as well. This is currently the recommended FTP daemon for use on FTP servers.

    Enable vsftpd:

    Red Hat/Fedora Core/CentOS: VsFTPd is a standalone service and, by the default Fedora Core installation, not controlled by xinetd as is the wu-ftpd default installation. Thus start the service: service vsftpd start (or: /etc/init.d/vsftpd start). Configure vsftpd to start upon system boot: chkconfig --add vsftpd

    SuSE: By default, vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change: disable = yes to: disable = no. Restart the xinetd daemon: /etc/init.d/xinetd restart. Note: vsftpd can also be run as a standalone service to achieve a faster response time.

    Ubuntu (dapper/hardy/natty)/Debian: Install: apt-get install vsftpd. VsFTPd is a standalone service.

    Start: /etc/init.d/vsftpd start


    Stop:/etc/init.d/vsftpdstopRestart:/etc/init.d/vsftpdrestart(Usethiscommandaftermakingconfigurationfilechanges)

    Formoreonstarting/stopping/configuringLinuxservices,seetheYoLinuxtutorialontheLinuxinitprocessandserviceactivation.

Configuration files:

vsFTPd configuration file: Fedora Core/Red Hat: /etc/vsftpd/vsftpd.conf  S.u.S.E./Ubuntu (dapper/hardy/natty)/Debian: /etc/vsftpd.conf

Default for Fedora Core 3 (the explanations are given on separate comment lines here, because vsftpd does not accept a comment after a directive on the same line):

    # Anonymous FTP. vsftpd's built-in default is YES, so commenting this out
    # does NOT disable anonymous logins; set it to NO explicitly when not wanted.
    # Default directory used: /var/ftp
    anonymous_enable=YES

    # Allow local users to log in with FTP. Must also set the SELinux boolean:
    # setsebool -P ftp_home_dir 1
    local_enable=YES

    # Enable any form of FTP write or upload command (STOR, DELE, MKD, ...).
    write_enable=YES

    # Default is 077. Umask 022 is used by most other ftpd's and makes uploaded
    # web content world-readable, which is what a web server needs.
    local_umask=022

    # Allow the anonymous FTP user to upload files. Requires the global
    # write_enable above and a directory writable by the ftp user.
    #anon_upload_enable=YES
    # Allow the anonymous FTP user to create new directories.
    #anon_mkdir_write_enable=YES

    # Activate directory messages: messages given to remote users when they
    # enter certain directories.
    dirmessage_enable=YES
    # Activate logging of uploads/downloads.
    xferlog_enable=YES

    # PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES

    # Give uploaded anonymous files a specified owner (never root).
    #chown_uploads=YES
    #chown_username=whoever

    # Specify the transfer log file explicitly. With xferlog_std_format=YES the
    # default is /var/log/xferlog; vsftpd's own-format log goes to
    # /var/log/vsftpd.log (vsftpd_log_file).
    #xferlog_file=/var/log/vsftpd.log

    # Output to the log file in standard ftpd xferlog format.
    xferlog_std_format=YES

    # Time out an idle session (seconds).
    #idle_session_timeout=600

    # Time out an idle data connection (port 20).
    #data_connection_timeout=120

    # Run the FTP server as an isolated and unprivileged user.
    #nopriv_user=ftpsecure

    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it may
    # confuse older FTP clients.
    #async_abor_enable=YES

    # By default the server pretends to honour ASCII mode but transfers the raw
    # file. Leave these commented out: real ASCII mangling costs CPU and on some
    # FTP servers allows a denial of service via "SIZE /big/file" in ASCII mode.
    #ascii_upload_enable=YES
    #ascii_download_enable=YES

    # Customize the login banner string.
    #ftpd_banner=Welcome to YoLinux

    # Disallow specified anonymous e-mail addresses. Used to combat certain
    # DoS attacks.
    #deny_email_enable=YES
    #banned_email_file=/etc/vsftpd.banned_emails
    # (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)

    # Activate a list of local users held in chroot_list_file. With the default
    # chroot_local_user=NO the listed users are the ones chroot()'d to their home
    # directory; with chroot_local_user=YES the list names the users NOT chroot()'d.
    #chroot_list_enable=YES
    #chroot_list_file=/etc/vsftpd.chroot_list
    # (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)

    # Allow "ls -R" recursive directory listing. Default is disabled; a recursive
    # listing of a large tree lets one client tie up the server, so leave it
    # off on a public server.
    ls_recurse_enable=YES

    pam_service_name=vsftpd

    # (Ubuntu default) Deny the users listed in /etc/vsftpd.user_list
    # (Red Hat: /etc/vsftpd/user_list) before a password is even requested.
    # With userlist_deny=NO the file becomes the list of the only users allowed.
    userlist_enable=YES

    # Enable standalone mode as opposed to an xinetd service. Must set the
    # SELinux boolean: setsebool -P ftpd_is_daemon 1
    listen=YES
    tcp_wrappers=YES

Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)

[Potential Pitfall]: vsftpd does NOT support comments on the same line as a directive, i.e.:

    directive=XXX # comment

makes "XXX # comment" the value, and vsftpd refuses to start. Each setting must be written as option=value with no whitespace around the "=". To see what is wrong, start vsftpd by hand from a terminal with the configuration file as its argument (vsftpd /etc/vsftpd/vsftpd.conf): a bad setting is reported as a "500 OOPS: ..." line naming it.

vsftpd.conf man page

Specify the list of local users chroot'd to their home directories: Red Hat: /etc/vsftpd/chroot_list  Ubuntu: /etc/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)

    user1
    user2
    ...
    usern

If chroot_local_user=YES, then the same list instead specifies the users NOT to be chroot'd.

Specify the list of users: Red Hat: /etc/vsftpd/user_list  Ubuntu: /etc/vsftpd.user_list
(A deny list of users requires: userlist_enable=YES and userlist_deny=YES, the default.) Also see the PAM configuration below. A user named here is rejected before the password prompt, so the password of a system account is never sent over the cleartext control connection.

    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    ...

If userlist_deny=NO, then the file lists the only users permitted to log in.

PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd

    #%PAM-1.0
    auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_shells.so
    account    required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth

This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Specify the user in both files, as PAM is independent of the vsftpd configuration. Two details matter for security: onerr=succeed means that if the ftpusers file is missing or unreadable the deny check is silently skipped (change it to onerr=fail to fail closed), and pam_shells.so rejects any account whose login shell is not listed in /etc/shells (see "Basic user security" below).

PAM authentication configuration file: ftpusers  Red Hat: /etc/vsftpd/ftpusers  Ubuntu: /etc/vsftpd.ftpusers

    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    ...
    user6        (users to deny)
    user8
    ...

Logrotate configuration file: /etc/logrotate.d/vsftpd.log

    /var/log/xferlog {
        # ftpd doesn't handle SIGHUP properly
        nocompress
        missingok
    }

Sample vsFTPd configurations:

Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf

    # Access rights
    # Turn on anonymous FTP
    anonymous_enable=YES
    # Uploaded files owned by an assigned user (only relevant if anonymous
    # uploads are enabled; use a dedicated unprivileged account, never root)
    chown_uploads=YES
    chown_username=ftp
    local_enable=NO
    # No upload of files or file system changes allowed
    write_enable=NO
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO
    # Security
    anon_world_readable_only=YES
    connect_from_port_20=YES
    force_dot_files=NO
    guest_enable=NO
    hide_ids=YES
    pasv_min_port=50000
    pasv_max_port=60000
    # Features
    xferlog_enable=YES
    ls_recurse_enable=NO
    ascii_download_enable=NO
    async_abor_enable=YES
    # Performance
    one_process_model=NO
    idle_session_timeout=120
    data_connection_timeout=300
    accept_timeout=60
    connect_timeout=60
    max_per_ip=4
    anon_max_rate=50000

    pam_service_name=vsftpd
    userlist_enable=YES
    # enable for standalone mode
    listen=YES
    tcp_wrappers=YES

Anonymous logins use the login name "anonymous" and then the user supplies their e-mail address as a password. Any password will be accepted. Used to allow the public to download files from an FTP server. Generally, no upload is permitted.

Web hosting configuration: /etc/vsftpd/vsftpd.conf

    # Access rights
    anonymous_enable=NO
    # Allow users to ftp to their home directories
    local_enable=YES
    # Allow users to STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE
    write_enable=YES
    local_umask=022
    # Security
    connect_from_port_20=YES
    force_dot_files=NO
    # Don't remap the user name
    guest_enable=NO
    # Customize the login banner string
    ftpd_banner=Welcome to Super Duper Hosting
    # Limit users to browsing their own directory only
    chroot_local_user=YES
    # Enable the list of system/power users who are NOT confined
    chroot_list_enable=YES
    # Actual list of system/power users
    chroot_list_file=/etc/vsftpd.chroot_list
    hide_ids=YES
    pasv_min_port=50000
    pasv_max_port=60000
    # Features
    xferlog_enable=YES
    ls_recurse_enable=NO
    ascii_download_enable=NO
    async_abor_enable=YES
    # Message greeting held in the file .message, or specify with message_file=...
    dirmessage_enable=YES
    # Performance
    one_process_model=NO
    idle_session_timeout=120
    data_connection_timeout=300
    accept_timeout=60
    connect_timeout=60
    max_per_ip=4
    #pam_service_name=vsftpd
    userlist_enable=YES
    # enable for standalone mode
    listen=YES
    tcp_wrappers=YES

Specify the list of local users exempt from the chroot: /etc/vsftpd/vsftpd.chroot_list  Ubuntu typically: /etc/vsftpd.chroot_list
(Requires: chroot_list_enable=YES. Because chroot_local_user=YES above, the users in this list are the ones NOT chroot'd; with chroot_local_user=NO the list would instead name the users to chroot.)

    user1
    user2
    ...
    usern

[Potential Pitfall]: vsftpd 2.3.5 and later refuse a login when the chroot root (the user's home directory) is writable by the user, failing with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". Make the home directory owned by root (or otherwise not writable by the user) and keep the writable content in a subdirectory such as public_html, or, where the option exists (vsftpd 3.0.0+), set allow_writeable_chroot=YES and accept the reduced protection.

[Potential Pitfall]: Misspelling a directive will cause vsftpd to fail with little warning from the init script. Start it by hand from a terminal, giving the configuration file as the argument (vsftpd /etc/vsftpd/vsftpd.conf), and it prints a "500 OOPS: unrecognised variable in config file: ..." line naming the bad directive.
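The directive list, the two pitfalls (a comment after a directive, a misspelled directive) and the two sample configurations above can all be checked mechanically before restarting the service. The following script is an added example for this tutorial, not code from the YoLinux page or from the vsftpd project: it reads a vsftpd.conf with the same rules vsftpd applies (a '#' only comments out a whole line, the value runs to end of line, no whitespace around '=', an unknown name is fatal) and then reports the risky combinations discussed above. The KNOWN directive set, the severity labels and the two sample files SLOPPY and HARDENED are assumptions made for the demonstration.

```python
"""Lint a vsftpd.conf the way vsftpd's own parser reads it and flag risky settings.

Added example for this tutorial, not code from the YoLinux page or from the vsftpd
project. SLOPPY and HARDENED are constructed sample files. KNOWN covers only the
directives used on this page; extend it from vsftpd.conf(5) before real use."""

BOOL_DIRECTIVES = {
    "anonymous_enable", "local_enable", "write_enable", "anon_upload_enable",
    "anon_mkdir_write_enable", "anon_other_write_enable", "chroot_local_user",
    "chroot_list_enable", "userlist_enable", "userlist_deny", "listen", "tcp_wrappers",
    "xferlog_enable", "ls_recurse_enable", "hide_ids", "connect_from_port_20",
}
KNOWN = BOOL_DIRECTIVES | {
    "local_umask", "chroot_list_file", "userlist_file", "pasv_min_port",
    "pasv_max_port", "pam_service_name", "ftpd_banner", "xferlog_file",
}
# Spellings vsftpd accepts for a boolean (compared case-insensitively)
BOOL_VALUES = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}


def parse(text):
    """Return (settings, errors). Like vsftpd: '#' only comments out a whole line,
    the value runs to end of line, no whitespace around '=', last line wins."""
    settings, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if "=" not in line:
            errors.append((lineno, f"'{line}' has no '=' (vsftpd refuses to start)"))
            continue
        name, value = line.split("=", 1)
        if name != name.strip() or value != value.lstrip():
            errors.append((lineno, f"whitespace around '=' in '{line}' (vsftpd does not permit it)"))
            name, value = name.strip(), value.lstrip()
        if name not in KNOWN:
            errors.append((lineno, f"unrecognised variable '{name}' (vsftpd refuses to start)"))
            continue
        settings[name] = value
    return settings, errors


def lint(text):
    """Return (severity, message) findings for a vsftpd.conf text."""
    settings, errors = parse(text)
    findings = [("error", f"line {n}: {msg}") for n, msg in errors]
    bools = {}
    for name in sorted(n for n in settings if n in BOOL_DIRECTIVES):
        parsed = BOOL_VALUES.get(settings[name].lower())
        if parsed is None:
            findings.append(("error", f"{name}={settings[name]!r} is not a valid boolean; "
                             "a same-line '# comment' has become part of the value"))
        else:
            bools[name] = parsed

    def on(name, default):
        return bools.get(name, default)

    if "anonymous_enable" not in settings:
        findings.append(("warn", "anonymous_enable is not set: vsftpd's built-in default is YES, "
                         "so anonymous logins are allowed; set anonymous_enable=NO explicitly"))
    if on("anonymous_enable", True) and on("write_enable", False) and (
            on("anon_upload_enable", False) or on("anon_mkdir_write_enable", False)
            or on("anon_other_write_enable", False)):
        findings.append(("warn", "anonymous users may write to the server "
                         "(write_enable=YES plus an anon_* write option)"))
    if on("local_enable", False) and not on("chroot_local_user", False):
        findings.append(("warn", "local users are not chrooted: every FTP account "
                         "can browse the whole file system"))
    if on("chroot_local_user", False) and on("chroot_list_enable", False):
        findings.append(("info", "chroot_local_user=YES with chroot_list_enable=YES: the users "
                         "in chroot_list_file are the ones EXEMPT from the chroot"))
    if on("ls_recurse_enable", False):
        findings.append(("warn", "ls_recurse_enable=YES: a recursive listing of a large tree "
                         "lets one client tie up the server"))
    if on("listen", False) and not ("pasv_min_port" in settings and "pasv_max_port" in settings):
        findings.append(("info", "no pasv_min_port/pasv_max_port: passive data ports are "
                         "unrestricted, so the firewall cannot be tightened to a range"))
    return findings


SLOPPY = """\
anonymous_enable=YES # allow anonymous
local_enable = YES
write_enable=YES
anon_upload_enable=YES
ls_recurse_enable=YES
chroot_locl_user=YES
listen=YES
"""

HARDENED = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
ls_recurse_enable=NO
pasv_min_port=50000
pasv_max_port=60000
listen=YES
"""

if __name__ == "__main__":
    for label, conf in (("sloppy", SLOPPY), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for severity, message in lint(conf):
            print(f"  [{severity}] {message}")
```

To check a live file, call lint(open("/etc/vsftpd/vsftpd.conf").read()) after adding the rest of the directives you use to KNOWN; anything reported as "error" is something vsftpd itself would reject at start-up, the "warn" lines are the exposure decisions a reviewer would question.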

File: .message

    A NOTE TO USERS UPLOADING FILES:
    File names may consist of letters (a-z, A-Z), numbers (0-9), an underscore ("_"),
    dash ("-") or period (".") only. The file name may not begin with a period or dash.

(vsftpd only displays this text; unlike the wu-ftpd path-filter directive below, it does not enforce the naming rule.)

Test if vsftpd is listening: netstat -a | grep ftp

    [root]# netstat -a | grep ftp
    tcp        0      0 *:ftp                   *:*                     LISTEN

(netstat -tlnp | grep :21 additionally shows which process owns the socket.)

Links:

  - vsFTPd Home Page
  - Sample configurations
  - vsftpd.conf man page

WU-FTPd and FTP user account configuration:

The wu-ftpd FTP server can be downloaded (binary or source) from http://www.wfms.org/wuftpd/ (at one time: http://wuftpd.org). wu-ftpd has a long history of remotely exploitable bugs and is no longer actively maintained; on a new Internet-facing server prefer vsftpd (above) and treat this section as reference for legacy systems.

There are three kinds of FTP logins that wu-ftpd provides:

  - anonymous FTP: one logs in with the user name 'anonymous'.
  - real FTP: login with a real user name and password, with access to the entire disk structure.
  - guest FTP: one logs in with a real user name and password, but the user is chroot'ed to his home directory and cannot escape from it. Being constrained to the home directory also means that they don't have access to /bin/ls and other commands on the server, so older releases required a minimal environment (the binaries and the libraries they need) to be set up inside it.

This tutorial covers "guest" FTP configuration.

The file /etc/ftpaccess controls the configuration of ftp.

    # Don't allow system accounts to log in over ftp
    deny-uid %-99 %65534-
    deny-gid %-99 %65534-

    class   all   real,guest   *

    email   [email protected]

    readme  README*      login
    readme  README*      cwd=*
    message /welcome.msg login
    message .message     cwd=*

    compress   yes   all
    tar        yes   all
    chmod      no    guest,anonymous
    # delete/overwrite/rename file permissions per login type
    delete     no    anonymous
    overwrite  no    anonymous
    rename     no    anonymous
    delete     yes   guest
    overwrite  yes   guest
    rename     yes   guest
    # umask permission
    umask      no    guest

    log transfers anonymous,real inbound,outbound

    shutdown /etc/shutmsg

    passwd-check rfc822 warn

    # Must also create the message file /etc/pathmsg of the guest directory.
    # In this case it refers to /home/user1/public_html/etc/pathmsg.
    path-filter  guest  /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
    limit all 2
    # Do not allow users to download files of these names
    noretrieve passwd .htaccess core
    limit-time * 20
    # Limit file size
    byte-limit in 5000
    # System users default to the "guest" category. A "real" user can roam the
    # system; a guest user is chroot'ed.
    guestuser *
    # Assign real-user privileges to members of the groups "regularuserx" and
    # "regularusery": visibility of the whole file system, subject to regular
    # UNIX file permissions.
    realgroup regularuserx regularusery
    # Assign real-user privileges to user id "user4".
    realuser user4

    # Restrict FTP to the specified directories
    restricted-uid user1 user2 user3
    guest-root /home/user1/public_html user1
    guest-root /home/user2/public_html user2
    guest-root /home/user3/public_html user3

Note:

user1, user2 and user3 refer to login accounts. Use the appropriate login name. The above configuration disables anonymous FTP, which allows anyone to perform an FTP login with the id anonymous and an e-mail address as a password. To enable anonymous FTP, change the class directive to:

    class   all   real,guest,anonymous   *

GUI FTP configuration tools: /usr/bin/kwuftpd, /sbin/linuxconf

(Note: Linuxconf is no longer included with Red Hat 7.3 and later.) Red Hat Linux assigns users a user id and group id which are the same. This means that it does not matter whether you use a realuser or a realgroup directive; they will act the same. Red Hat Linux 7.1 and later uses the xinetd daemon to manage ftp connections. Thus xinetd must be running and configured to support ftp. The configuration file is /etc/xinetd.d/wu-ftpd. The command chkconfig wu-ftpd on will make the ftp server available. See the xinetd configuration info. Allow override of deny-uid and/or deny-gid:

    allow-uid user-to-allow
    allow-gid group-to-allow

Optional configuration: Create a group ftpchroot, add users to this group and use the directive: guestgroup ftpchroot

[Potential Pitfall]: Flakey ftp behavior, timeouts, etc.? FTP works best with name resolution of the computer it is communicating with. This requires a proper /etc/resolv.conf and name server (bind) configuration, /etc/hosts or NIS/NFS configuration.

File /home/user1/public_html/etc/pathmsg:

    A NOTE TO USERS UPLOADING FILES:
    File names may consist of letters (a-z, A-Z), numbers (0-9), an underscore ("_"),
    dash ("-") or period (".") only. The file name may not begin with a period or dash.
    You have tried to upload a file with an inappropriate name.

The whole point of the chroot directory is to make the user's home directory appear to be the root of the file system (/) so one cannot wander around the file system. The configuration of /etc/ftpaccess will limit the user to their respective directories while still offering access to /bin/ls and other system commands used in FTP operation.

As root:

    cd /home/user1
    mkdir public_html
    chown user1:user1 public_html
    # Security protection: an empty, unwritable .rhosts, so the account can never
    # grant itself rlogin/rsh trust by uploading its own .rhosts file
    touch .rhosts
    chmod ugo-xrw .rhosts

Man Pages:

Server:

    ftpd: Internet File Transfer Protocol server

File Formats:

    /etc/ftpaccess       Configuration file for ftpd
    /etc/ftpservers      ftpd virtual hosting configuration file (optional)
    /etc/ftphosts        allow or deny access to certain accounts from various hosts (optional)
    /etc/ftpconversions  ftpd conversions database (for tar and compression)
    /var/log/xferlog     FTP server log file
    ftp                  File Transfer Client program

Configuration files: (RH 8.0+)

PAM configuration file: /etc/pam.d/ftp

    #%PAM-1.0
    auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_shells.so
    account    required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth

(The same onerr=succeed caveat as for vsftpd applies: a missing /etc/ftpusers silently disables the deny list.)

Xinetd configuration file: /etc/xinetd.d/wu-ftpd

    service ftp
    {
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        server_args     = -l -a
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
    }

Note: wu-FTPd is controlled by xinetd and is not a standalone service like vsFTPd.

Logrotate configuration file: /etc/logrotate.d/ftpd

    /var/log/xferlog {
        nocompress
    }

More information:

  - WU-FTPD released kftpbench: an FTP benchmark program to give you an idea of how many simultaneous dial-up clients a server can support.
  - FTP and text file type conversions: End Of Line Characters by Peter Benjamin

Man pages on related FTP commands and files:

    chroot      Run with a special root directory
    ftpcount    Show number of concurrent users
    ftpshut     Close down the ftp servers at a given time
    ftprestart  Restart previously shut down ftp servers
    ftpwho      Show current process information for each ftp user
    privatepw   Change WU-FTPD Group Access File Information (admin command)

Other FTP daemons:

  - CrushFTP: Java/cross platform
  - WS_FTP

FTP Pitfalls:

If you get the following error:

    ftp> ls
    227 Entering Passive Mode (208,188,34,109,208,89)
    ftp: connect: No route to host

this means you have firewall issues, most probably on the FTP server itself. Identify the rule that is blocking the data connection before changing anything: add a logging rule ahead of the final DROP (iptables -A INPUT -j LOG --log-prefix "ftp-drop: ") and watch /var/log/messages while repeating the transfer. Flushing the whole rule set (iptables -F) and adding rules back until the problem reappears also works, but it leaves an Internet-facing server unprotected while you test, so do that only in a maintenance window or on a host that is not otherwise reachable.

Passive mode:

Passive mode can also help one past the rules:

    ftp> passive
    Passive mode on.

This toggles passive mode on and off. In active mode the server connects back from port 20 to a port the client chose, which a client-side firewall or NAT usually blocks. In passive mode the client opens the data connection to a port chosen by the server, which the server announces in the 227 reply as six comma-separated numbers: the first four are the IP address and the port is the fifth number times 256 plus the sixth (208*256+89 = 53337 in the example above). With vsftpd that port is limited to the range given by pasv_min_port and pasv_max_port in vsftpd.conf, so the server firewall must accept new inbound connections to that range (or run the FTP connection-tracking helper described next).
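The 227 arithmetic and the two questions a troubleshooter asks about it (is the announced address the one I am talking to, and is the port inside the range the firewall opens?) are easy to script. The following is an added example for this tutorial, not code from the YoLinux page or from vsftpd. The first reply is the one quoted above; the second (a private address and port 5001, as a server behind NAT with no pasv_address and no port range would produce) is constructed for the demonstration.

```python
"""Decode FTP 227 (PASV) replies and check them against pasv_min_port/pasv_max_port.

Added example for this tutorial, not code from the YoLinux page or from vsftpd.
The replies used below are constructed; the first reuses the one quoted above.
"""
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or raise ValueError if it is not one."""
    m = PASV_RE.search(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_pasv_reply(reply):
    """True when the text is a well-formed 227 reply."""
    try:
        parse_pasv(reply)
        return True
    except ValueError:
        return False


def check_pasv(reply, control_host, pasv_min, pasv_max):
    """Return (host, port, problems) for a 227 reply seen on a control connection
    to control_host, given the server's configured passive port range. Each problem
    names a usual cause of 'ftp: connect: No route to host' after a 227 reply."""
    host, port = parse_pasv(reply)
    problems = []
    if host != control_host:
        problems.append(
            f"server announced {host} but the control connection is to {control_host}: "
            "a NAT between client and server needs the FTP helper (nf_nat_ftp) or "
            "vsftpd's pasv_address set to the public address")
    if not pasv_min <= port <= pasv_max:
        problems.append(
            f"data port {port} is outside pasv_min_port..pasv_max_port {pasv_min}-{pasv_max}: "
            "a firewall rule that opens only that range will drop the data connection")
    return host, port, problems


if __name__ == "__main__":
    # The reply quoted above, against a 50000-60000 range: no problems.
    print(check_pasv("227 Entering Passive Mode (208,188,34,109,208,89)", "208.188.34.109", 50000, 60000))
    # Constructed: a server behind NAT announcing its private address and an
    # unrestricted (random) data port.
    print(check_pasv("227 Entering Passive Mode (192,168,1,10,19,137)", "208.188.34.109", 50000, 60000))
```

Paste the 227 line from a failing ftp session into check_pasv together with the address you connected to and the range from vsftpd.conf; an empty problem list points the search at the firewall rule set rather than at the FTP configuration.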

Firewall connection tracking module:

    # cat /etc/sysconfig/iptables-config | grep ip_conntrack_ftp
    IPTABLES_MODULES="ip_conntrack_ftp"

NAT firewall modules:

You can also try adding ip_nat_ftp to the list of auto-loaded modules (this will also load the dependency ip_conntrack_ftp):

    # cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
    IPTABLES_MODULES="ip_nat_ftp"

Then restart the firewall: /etc/init.d/iptables condrestart

FTP will change ports during use. The ip_conntrack_ftp module reads the PORT commands and 227 replies on the control connection and marks each resulting data connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work, i.e. the rule in /etc/sysconfig/iptables:

    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

(On newer kernels the modules are named nf_conntrack_ftp and nf_nat_ftp. The helper can only follow a control connection it can read: if the control channel is encrypted with FTPS/TLS it cannot, and you are back to opening the passive port range explicitly.)

FTP fails because it cannot change to the user's home directory:

Error:

    [user1@nodex ~]$ ftp node.domain.com
    Connected to XXX.XXX.XXX.XXX.
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    Name (XXX.XXX.XXX.XXX:user1):
    331 Please specify the password.
    Password:
    500 OOPS: cannot change directory:/home/user1
    Login failed.
    ftp> bye

This is often a result of SELinux preventing the vsftpd process from accessing the user's home directory. As root, grant access with the following command: setsebool -P ftp_home_dir 1, followed by: service vsftpd restart

Test your vsftpd SELinux settings: getsebool -a | grep ftp

    allow_ftpd_anon_write --> off
    allow_ftpd_full_access --> off
    allow_ftpd_use_cifs --> off
    allow_ftpd_use_nfs --> off
    allow_tftp_anon_write --> off
    ftp_home_dir --> on
    ftpd_disable_trans --> off
    ftpd_is_daemon --> on
    httpd_enable_ftp_server --> off
    tftpd_disable_trans --> off

Leave allow_ftpd_full_access off: it lets vsftpd read and write every file type regardless of its SELinux label, which throws away exactly the confinement that makes an FTP daemon safer to expose.

FTPd SELinux man page

FTP Linux clients:

  - gftp: GUI GTK+ multithreaded client. File transfer, directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP. Proxy support. Comes with Red Hat/Fedora Core.
  - KFTPgrabber: GUI KDE-based client. Simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.
  - kbear: GUI KDE-based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with S.U.S.E. Linux.
  - ftp: (/usr/kerberos/bin/ftp) Kerberos-enabled console ftp client. (RPM package FC3: krb5-workstation)

Basic user security:

When hosting web sites, there is no need to grant a shell account, which only gives the server more potential security holes. Current systems can specify that the user has only FTP access with no shell by granting them the "shell" /sbin/nologin provided with the system, or the "ftponly" shell described below. The shell can be specified in the file /etc/passwd, or when creating a user with the command useradd -s /sbin/nologin userid (adduser is a link to useradd on Red Hat).

[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5 does not support this configuration to prevent shell access. It requires users to have a real user shell, i.e. /bin/bash. It works great in older and current Red Hat versions. If it works for you, use it, as it is more secure to deny the user shell access. You can always deny telnet access. You should NOT be using this problem-ridden version of ftpd. Use the latest wu-ftpd 2.6.2-11, which supports users with the shell /opt/bin/ftponly.

[Potential Pitfall]: Ubuntu Dapper/Hardy: Setting the shell to the preconfigured shell /bin/false will NOT allow vsftpd access, because the pam_shells.so line in /etc/pam.d/vsftpd accepts only shells listed in /etc/shells and /bin/false is not there. One must create the shell "ftponly" as defined below (and list it in /etc/shells) to allow vsftpd access with no shell.

1. Disable remote telnet login access, allowing FTP access only:

Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.

    ...
    user1:x:502:503::/home/user1:/opt/bin/ftponly
    ...

Create the file /opt/bin/ftponly. Protection set to -rwxr-xr-x 1 root root with the command: chmod ugo+x /opt/bin/ftponly (the file must be owned by root and not writable by anyone else, or a user who can edit it gets a real shell back). The script ignores its arguments, so an rsh or ssh "host command" invocation (which runs the shell with -c command) also just prints the notice and exits. Contents of the file:

    #!/bin/sh
    #
    # ftponly shell
    #
    trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
    #
    Admin=[email protected]
    System=`/bin/hostname`@`/bin/domainname`
    #
    /bin/echo
    /bin/echo "********************************************************************"
    /bin/echo "You are NOT allowed interactive access."
    /bin/echo
    /bin/echo "User accounts are restricted to ftp and web access."
    /bin/echo
    /bin/echo "Direct questions concerning this policy to $Admin."
    /bin/echo "********************************************************************"
    /bin/echo
    #
    # C'ya
    #
    exit 0


The last step is to add this to the list of valid shells on the system. Add the line /opt/bin/ftponly to /etc/shells.

Sample file contents: /etc/shells

    /bin/bash
    /bin/bash1
    /bin/tcsh
    /bin/csh
    /opt/bin/ftponly

See the man page on /etc/shells.

An alternative would be to assign the shell /bin/false or /sbin/nologin, which became available in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false or /sbin/nologin would have to be added to /etc/shells to allow it to be used as a valid shell for FTP while disabling ssh or telnet access. Be aware that /etc/shells is consulted by more than FTP: chsh lets users switch to any shell listed there, and other PAM services that use pam_shells will also start treating such accounts as login-capable, so the dedicated ftponly shell is the cleaner choice.
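A local FTP login on the servers configured above passes through gates that live in four different files: vsftpd's user_list, the pam_listfile deny list (ftpusers), pam_shells against /etc/shells, and the chroot list that decides whether the session is confined. The following is an added example for this tutorial, not code from the YoLinux page, vsftpd or Linux-PAM: it models that decision chain for every account so a misconfiguration (the /bin/false pitfall, a user missing from one of the two deny lists, the fail-open onerr=succeed) shows up before a real login does. It assumes the PAM stack shown earlier (pam_listfile with onerr=succeed, then pam_shells); the sample passwd, shells and list files are constructed, and the password check itself is out of scope.

```python
"""Trace which accounts vsftpd would let in, given user_list, the PAM stack shown
above (pam_listfile on ftpusers, then pam_shells) and the chroot settings.

Added example for this tutorial, not code from the YoLinux page, vsftpd or
Linux-PAM. All files below are constructed; the password check itself and PAM's
account/session phases are out of scope."""


def parse_passwd(text):
    """Map login name to login shell from /etc/passwd-style lines."""
    shells = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            shells[fields[0]] = fields[6]
    return shells


def parse_lines(text):
    """One entry per line. vsftpd and pam_listfile compare lines literally, so a
    '# comment' line is just an entry that matches nobody and a stray trailing
    space defeats the entry."""
    return {line for line in text.splitlines() if line}


def ftp_login_decision(user, passwd, shells, user_list, ftpusers,
                       userlist_enable=True, userlist_deny=True,
                       chroot_local_user=True, chroot_list_enable=True, chroot_list=""):
    """Return (allowed, reason, chrooted); chrooted is None when login is refused.

    ftpusers=None models the file being missing: with onerr=succeed on the PAM
    line, pam_listfile then lets everyone through (fail-open)."""
    account_shells = parse_passwd(passwd)
    if user not in account_shells:
        return False, "no such account", None
    # 1. vsftpd's own user_list, checked before the password is requested
    if userlist_enable:
        listed = user in parse_lines(user_list)
        if userlist_deny and listed:
            return False, "denied by user_list before the password prompt", None
        if not userlist_deny and not listed:
            return False, "not in user_list (userlist_deny=NO makes it an allow list)", None
    # 2. pam_listfile.so item=user sense=deny file=ftpusers onerr=succeed
    if ftpusers is not None and user in parse_lines(ftpusers):
        return False, "denied by pam_listfile (ftpusers)", None
    # 3. pam_shells.so: the login shell must appear in /etc/shells
    shell = account_shells[user]
    if shell not in parse_lines(shells):
        return False, f"pam_shells: {shell} is not listed in /etc/shells", None
    # 4. would this session be confined to the home directory?
    in_list = chroot_list_enable and user in parse_lines(chroot_list)
    chrooted = (not in_list) if chroot_local_user else in_list
    return True, "login permitted", chrooted


def audit(passwd, shells, user_list, ftpusers, **config):
    """Decision for every account in passwd."""
    return {user: ftp_login_decision(user, passwd, shells, user_list, ftpusers, **config)
            for user in parse_passwd(passwd)}


# Constructed sample files.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
webuser1:x:502:503::/home/webuser1:/opt/bin/ftponly
webuser2:x:503:504::/home/webuser2:/bin/false
admin:x:504:505::/home/admin:/bin/bash
"""
SHELLS = "/bin/bash\n/bin/tcsh\n/bin/csh\n/opt/bin/ftponly\n"
USER_LIST = "# vsftpd userlist\nroot\nbin\ndaemon\n"
FTPUSERS = "root\nbin\ndaemon\n"
CHROOT_LIST = "admin\n"   # with chroot_local_user=YES these users are NOT confined

if __name__ == "__main__":
    for user, decision in audit(PASSWD, SHELLS, USER_LIST, FTPUSERS, chroot_list=CHROOT_LIST).items():
        print(f"{user:10} {decision}")
    # Same server with userlist_enable=NO and the ftpusers file deleted: root gets in.
    print(ftp_login_decision("root", PASSWD, SHELLS, USER_LIST, None, userlist_enable=False))
```

The last line of the demonstration is the point of keeping the system accounts in both user_list and ftpusers: either list alone has a configuration (userlist_enable=NO, or a lost ftpusers file under onerr=succeed) in which root is asked for a password over cleartext FTP.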

2. Set file quotas to limit the user account.

For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial

Domain Name Server (DNS) configuration using Bind version 8 or 9:

Two of the most popular ways to configure the program Bind (Berkeley Internet Name Domain software) to perform DNS services are in the role of (1) ISP or (2) Web Host.

  1. In an ISP configuration for clients (web surfers) connected to the Internet, the DNS server must resolve IP addresses for any URL the user wishes to visit. (See DNS caching server)

  2. In a purely web hosting configuration, Bind will only resolve the IP addresses of the domains which are being hosted. This is the configuration which will be discussed and is often called an "Authoritative-only Nameserver". It performs no recursion for anyone, which is also the safer thing to expose: an open recursive resolver can be abused for reflection/amplification and is the target of cache-poisoning attacks, neither of which applies to an authoritative-only server.

When resolving IP addresses for a domain, InterNIC (the registrar) is expecting a "Primary" and a "Secondary" DNS name server (sometimes called Master and Slave). Each DNS name server requires the file /etc/named.conf and the files it points to. This is typically two separate computer systems hosted on two different IP addresses. It is not necessary that the Linux servers be dedicated to DNS, as they may run a web server, mail server, etc.

Note on Bind versions: Red Hat versions 6.x used Bind version 8. Release 7.1 of Red Hat began using Bind version 9, and the GUI configuration was introduced for those of you that like a pretty point-and-click interface for configuration.

Installation Packages:

Red Hat/Fedora Core/CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind
  - bind-chroot: Security jail for operation of bind.
  - bind-utils: Utility commands like nslookup, host, dig
  - system-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).
  - caching-nameserver: We will not be covering this as it is not required for web hosting. This is used by Internet providers so their clients can cache the DNS entries of the sites they are visiting.

Ubuntu (dapper/hardy/natty)/Debian: bind9

Configuration files:

Red Hat/Fedora/CentOS:

    File               Description                                                  Directory          Chrooted directory
    named.conf         Primary/secondary DNS server configuration. (See the         /etc/              /var/named/chroot/etc/
                       default file /usr/share/doc/bind-9.X.X/sample/etc/named.conf)
    named.root.hints   Root hints zone. Required for recursive service and, in a    /etc/              /var/named/chroot/etc/
                       views configuration, included in every view. (See the
                       default file /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints)
    named              Red Hat system variables.                                    /etc/sysconfig/    no change
    rndc.key           Shared secret for the rndc control channel (keep it          /etc/              /var/named/chroot/etc/
                       readable by root and the named group only).
    Zone files         Configuration files for each domain. Create this file to     /var/named/        /var/named/chroot/var/named/
                       resolve host name Internet queries, i.e. define the IP
                       addresses of the web (www) and mail servers in the domain.

Debian/Ubuntu:

    File                 Description                                                Directory          Chrooted directory
    named.conf           Primary/secondary DNS server configuration.                /etc/bind/         /var/bind/chroot/etc/bind/
    named.conf.options
    named.conf.local
    rndc.key             Shared secret for the rndc control channel.                /etc/              /var/bind/chroot/etc/
    Zone files           Configuration files for each domain.                       /var/bind/data/    /var/bind/chroot/var/bind/data/

Primary server (master):

File: named.conf

Red Hat/Fedora Core/CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) and /etc/sysconfig/named for system variables.
Ubuntu/Debian: /etc/bind/named.conf. Place local definitions in /etc/bind/named.conf.options and /etc/bind/named.conf.local

Simple example: (no views)

    options {
        // Ubuntu stores options in /etc/bind/named.conf.options
        version "Bind";                       // Don't disclose the real version to attackers
        directory "/var/named";               // Specified so relative path names can be used. Full path names still allowed.
        allow-transfer { XXX.XXX.XXX.XXX; };  // IP address of the secondary DNS; nobody else may copy the zone
        recursion no;                         // Authoritative only: never answer recursive queries for outsiders
        auth-nxdomain no;                     // Conform to RFC 1035 (default)
        fetch-glue no;                        // Bind 8 only! Not used by version 9
    };

    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };

    zone "yourdomain.com" {                   // Ubuntu separates the zone definitions into /etc/bind/named.conf.local
        type master;                          // Specify master, slave, forward or hint
        file "data/named.yourdomain.com";
        notify yes;                           // Slave servers are notified when the zone is updated
        allow-update { none; };               // Deny dynamic updates from other hosts (default: none)
        allow-query { any; };                 // Allow clients to query this server (default: any)
    };
    zone "yourdomain2.com" {
        type master;
        file "data/named.yourdomain2.com";
        notify yes;
    };

Note:

Note the omission of zone "." (the root hints). It is required only if providing a recursive service. Ubuntu includes the separate file of zone directives using the directive: include "/etc/bind/named.conf.local";

BIND Views: The BIND naming service can support "views", which allow various sub-networks (i.e. private internal or public external networks) to receive a different domain name resolution result.

If no views are specified, then use the configuration shown above. The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement. If even one view is specified, then ALL zones MUST be associated with a "view". Bind 9 allows for views which allow different zones to be served to different types of clients: localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "internal" and "external":

  - localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf.
  - internal: User-specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.
  - external: The general public Internet, defined as client "any".

If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views). In order to support a DNS for Internet domains using views, one will have to configure an "external" view.

Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")

    options {
        directory "/var/named";   // the default
        dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
    };
    logging {
        // By default, SELinux policy does not allow named to modify the /var/named
        // directory, so put the default debug log file in data/:
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };
    view "localhost_resolver" {
        // This view sets up named to be a localhost resolver (caching only nameserver).
        // If all you want is a caching-only nameserver, then you need only define this view:
        match-clients { localhost; };
        ...
    };
    view "internal" {
        // This view will contain zones you want to serve only to "internal" clients
        // that connect via your directly attached LAN interfaces "localnets".
        // For local private LAN. Not covered in this tutorial.
        // Delete this view if web hosting with no local LAN.
        match-clients { localnets; };
        ...
    };
    key ddns_key {
        algorithm hmac-md5;
        secret "use /usr/sbin/dns-keygen to generate TSIG keys";
    };
    view "external" {
        // This view will contain zones you want to serve only to "external"
        // public Internet clients. This is covered below.
        match-clients { any; };
        .....
    };

Default configuration files: Red Hat may supply the default configuration in /usr/share/doc/bind-9.X.X/sample/etc/named.conf

    cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc
    cp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc
    chcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints

view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:

    cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc
    cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named

also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zone, named.local, named.zero, named.broadcast, named.ip6.local, named.root

view "external": (master) details

    view "external" {
        /* This view will contain zones you want to serve only to "external" clients
         * that have addresses that are not on your directly attached LAN interface subnets:
         */
        match-clients { any; };
        match-destinations { any; };
        allow-transfer { XXX.XXX.XXX.XXX; };  // IP address of the secondary DNS

        recursion no;   // You'd probably want to deny recursion to external clients, so you don't
                        // end up providing free DNS service to all takers

        // all views must contain the root hints zone:
        include "/etc/named.root.hints";

        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:

        zone "yourdomain.com" {
            type master;
            file "/var/named/data/external/named.yourdomain.com";
            notify yes;
            allow-update { none; };
        };
        // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement
        include "/etc/named.conf.local";
    };

DNS key:

Use the command /usr/sbin/dns-keygen to create a key. Add this key to the "secret" statement as follows:

    key ddns_key {
        algorithm hmac-md5;
        secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";
    };

Generate your own secret; the value above is only a placeholder. Whoever holds the secret can sign dynamic updates for any zone that trusts this key, so keep the file out of reach of other users (root:named, mode 640 is the usual choice). hmac-md5 is what this Bind 9.3 release offers; on releases that support it (Bind 9.5 and later) prefer hmac-sha256.

Man Pages:

named.conf

Forward Zone File: /var/named/named.yourdomain.com

Red Hat 9/CentOS 3: /var/named/named.yourdomain.com
Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted] /var/named/chroot/var/named/data/named.yourdomain.com
Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.yourdomain.com
Ubuntu/Debian: /etc/bind/data/named.yourdomain.com

    ; Bind 9 (and some of the later versions of Bind 8) requires the $TTL statement.
    ; Measured in seconds. This value is 7 days.
    $TTL 604800
    yourdomain.com.  IN  SOA  ns1.yourdomain.com. hostmaster.yourdomain.com. (
                        2000021600 ; serial: many people use year+month+day+integer as a system.
                        86400      ; refresh: how often (in seconds) secondary servers should check in
                                   ;   for changes in the serial number (86400 sec = 24 hrs)
                        7200       ; retry: how long a secondary server should wait before a retry if contact failed
                        1209600    ; expire: a secondary server purges the info after this length of time
                        86400 )    ; minimum: negative-caching TTL (how long remote servers cache a
                                   ;   "no such name" answer); the default record TTL comes from $TTL
                     IN  A    XXX.XXX.XXX.XXX   ; Note that this is the default IP address of the domain. I put
                                                ; the web server IP address here so that domain.com points to
                                                ; the same server as www.domain.com
    ;
    ; Name servers for the domain
    ;
                     IN  NS   ns1.yourdomain.com.
                     IN  NS   ns2.yourdomain.com.
    ;
    ; Mail server for domain
    ;
                     IN  MX   5  mail   ; Identify "mail" as the node handling mail for the domain.
                                        ; Do NOT specify an IP address!
    ;
    ; Nodes in domain
    ;
    node1            IN  A    XXX.XXX.XXX.XXX   ; Note that this is the IP address of node1
    ns1              IN  A    XXX.XXX.XXX.XXX   ; Optional: for hosting your own primary name server.
                                                ; Note that this is the IP address of ns1
    ns2              IN  A    XXX.XXX.XXX.XXX   ; Optional: for hosting your own secondary name server.
                                                ; Note that this is the IP address of ns2
    mail             IN  A    XXX.XXX.XXX.XXX   ; Identify the IP address of the node "mail" that the MX
                                                ; record above points to (an MX must name a host, never an IP)
    ;
    ; Aliases to existing nodes in domain
    ;
    www              IN  CNAME  node1           ; Define the web server "www" to be node1.
    ftp              IN  CNAME  node1           ; Define the ftp server to be node1.

DNS record types and format:

    DNS record   Description and format

    SOA          Start of Authority: primary domain server and contact info. Note that there is a period
                 following the primary domain server and the contact e-mail. Note that the e-mail address
                 is in the form where the first period represents the "@" symbol of the e-mail address.

                     yourdomain.com.  IN  SOA  ns1.yourdomain.com. webmaster.yourdomain.com.

                 or

                     @  IN  SOA  ns1.yourdomain.com. webmaster.yourdomain.com.

[Potential Pitfall]: Incorrect specification of the primary name server may result in the following message in /var/log/messages

    view localhost_resolver: received notify for zone 'yourdomain.com': not authoritative

    SOA attribute   Description
    serial          A 32-bit unsigned value compared with serial-number arithmetic. Increment it to a
                    higher value to indicate an update to the slave server, never go backwards, and keep
                    it below 2147483647 so that a YYYYMMDDnn scheme never wraps in practice.
    refresh         Time increment (seconds) between update checks of the serial number with the primary server
    retry           Time elapsed before a slave will contact the primary server again if a connection failed
    expire          Time after which a slave that has been unable to refresh considers its copy invalid
                    and stops answering for the zone
    minimum         Negative-caching TTL: how long DNS servers hold a "no such name" answer for the domain
                    in their cache before purging it

    IN       Indicates Internet.
    NS       Specify the authoritative name servers for the domain.
    A        Specify the IP address associated with the host name. Format: hostname IN A XXX.XXX.XXX.XXX
             Note that in my example no host name is specified for the first record. This defines the
             default for the domain.
    CNAME    Specify an alias for the host name. A name that is a CNAME may carry no other records, so
             the domain apex (which carries SOA and NS) can never be a CNAME.
    MX       Mail exchanger record. Specify a priority number for the primary and backup mail servers.
             The lowest number indicates the default mail server for the domain. The target must be a
             host name with an A record, not an IP address and not a CNAME.
    PTR      Used to specify the reverse DNS lookup

MX records for 3rd party off-site mail servers:

    yourdomain.com.  IN  MX  10  mail1.offsitemail.com.
    yourdomain.com.  IN  MX  20  mail2.offsitemail.com.

Append to the above example file. Note the trailing dots: without them Bind would read the targets as mail1.offsitemail.com.yourdomain.com.
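The rules spelled out in the zone file and the record table above (the $TTL that Bind 9 insists on, a serial that keeps increasing, an MX that names a host rather than an IP address, trailing dots on absolute names, in-zone NS/MX targets that actually have an A record, no CNAME at the apex) are the ones a zone check enforces. The following is an added example for this tutorial, not code from the YoLinux page or from BIND (named-checkzone is the real tool; this shows what it is looking for on a file written in the format above). The two zones at the bottom are constructed, one clean and one containing each mistake; the 192.0.2.0/24 addresses are the documentation range, and the severity labels are an assumption of the example.

```python
"""Check a forward zone file for the mistakes discussed above: missing $TTL, an
out-of-range serial, MX pointing at an IP address, a target with a forgotten
trailing dot, an NS/MX target without an A record, and a CNAME at the apex.
Added example for this tutorial, not code from the YoLinux page or from BIND
(named-checkzone is the real tool). The zones at the bottom are constructed;
192.0.2.0/24 is the documentation address range."""
import re
from collections import defaultdict

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def fqdn(name, origin):
    """'@' is the origin, a trailing dot is absolute, anything else is relative."""
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")


def parse_zone(text):
    """Return ($TTL or None, [(owner, type, rdata_tokens)]). Handles ';' comments,
    '( ... )' continuation lines and a blank owner meaning 'same as before'."""
    ttl, owner, depth, buf, recs = None, "@", 0, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        logical, buf = " ".join(buf), []
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$TTL" and len(tokens) > 1 and tokens[1].isdigit():
                ttl = int(tokens[1])
            continue
        if not logical[0].isspace():
            owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():        # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        if not tokens:
            raise ValueError(f"line {lineno}: record has no type")
        recs.append((owner, tokens[0].upper(), tokens[1:]))
    return ttl, recs


def validate_zone(text, origin):
    """Return a list of (severity, message) findings for the zone 'origin'."""
    origin = origin if origin.endswith(".") else origin + "."
    ttl, recs = parse_zone(text)
    findings = []
    if ttl is None:
        findings.append(("error", "missing $TTL statement (required by Bind 9)"))
    by_owner = defaultdict(list)
    for owner, rtype, rdata in recs:
        by_owner[fqdn(owner, origin)].append((rtype, rdata))
    apex = by_owner.get(origin, [])
    soas = [rdata for rtype, rdata in apex if rtype == "SOA"]
    if len(soas) != 1 or len(soas[0]) < 7:
        findings.append(("error", f"{origin} needs exactly one complete SOA record"))
    elif int(soas[0][2]) > 2147483647:
        serial = int(soas[0][2])
        findings.append(("warn" if serial <= 4294967295 else "error",
                         f"serial {serial} is above 2147483647; keep it below that so it never wraps"))
    if sum(1 for rtype, _ in apex if rtype == "NS") < 2:
        findings.append(("warn", "fewer than two NS records at the apex (primary and secondary expected)"))
    for name, rrs in by_owner.items():
        if any(rtype == "CNAME" for rtype, _ in rrs) and len(rrs) > 1:
            findings.append(("error", f"{name} is a CNAME and also has other records"))
        for rtype, rdata in rrs:
            if rtype not in ("NS", "MX", "CNAME") or not rdata:
                continue
            target = rdata[-1]
            tfq = fqdn(target, origin)
            if rtype == "MX" and IPV4.match(target):
                findings.append(("error", f"MX for {name} points at IP address {target}; it must name a host"))
            elif not target.endswith(".") and origin.rstrip(".") in target:
                findings.append(("warn", f"{rtype} target {target} has no trailing dot and will be read as {tfq}"))
            elif rtype != "CNAME" and (tfq == origin or tfq.endswith("." + origin)):
                ttypes = {t for t, _ in by_owner.get(tfq, [])}
                if "CNAME" in ttypes:
                    findings.append(("error", f"{rtype} for {name} points at a CNAME ({target})"))
                elif not ttypes & {"A", "AAAA"}:
                    findings.append(("error", f"{rtype} for {name} points at {tfq}, which has no A/AAAA record in this zone"))
    return findings


GOOD = """\
$TTL 604800
@      IN  SOA  ns1.yourdomain.com. hostmaster.yourdomain.com. (
                2000021600 86400 7200 1209600 86400 )  ; serial refresh retry expire minimum
       IN  A    192.0.2.10
       IN  NS   ns1.yourdomain.com.
       IN  NS   ns2.yourdomain.com.
       IN  MX   5  mail
node1  IN  A    192.0.2.10
ns1    IN  A    192.0.2.1
ns2    IN  A    192.0.2.2
mail   IN  A    192.0.2.20
www    IN  CNAME  node1
"""
BAD = """\
@      IN  SOA  ns1.yourdomain.com. hostmaster.yourdomain.com. (
                2147483648 86400 7200 1209600 86400 )
       IN  NS   ns1.yourdomain.com
       IN  NS   ns2
       IN  MX   5  192.0.2.20
       IN  CNAME  node1
node1  IN  A    192.0.2.10
ns1    IN  A    192.0.2.1
"""
```

validate_zone(GOOD, "yourdomain.com") returns an empty list; validate_zone(BAD, "yourdomain.com") reports the missing $TTL, the over-large serial, the NS without a trailing dot (and what Bind would make of it), the NS target with no A record, the MX pointing at an address and the CNAME at the apex. The origin is passed in separately because, as in named.conf, the zone name comes from the zone statement and not from the file.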


Initial configuration: Note that Red Hat may supply the default zone configuration in /usr/share/doc/bind-9.X.X/sample/var/named/

    cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone   /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast  /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local  /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero       /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/named.local      /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/named.root       /var/named/chroot/var/named/data/
    cd /var/named/chroot/var/named/data/
    chcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local

A file suffix of "zone" is also common, i.e. yourdomain.com.zone

Secondary server (slave):

File: named.conf

Red Hat/Fedora Core/CentOS: /etc/named.conf  Ubuntu/Debian: /etc/bind/named.conf
Simple example with no views:

    options {
        // Ubuntu stores options in /etc/bind/named.conf.options
        version "Bind";                 // Don't disclose the real version to attackers
        directory "/var/named";
        allow-transfer { none; };       // The slave does not transfer updates to anyone else
        recursion no;
        auth-nxdomain no;               // Conform to RFC 1035 (default)
        fetch-glue no;                  // Bind 8 only! Not used by version 9
    };
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";      // Ubuntu: /etc/bind/db.local, Red Hat: /var/named/named.local
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };

    zone "yourdomain.com" {
        type slave;
        file "named.yourdomain.com";    // Specify slaves/named.yourdomain.com for RHEL 4/5 chrooted bind
        masters { XXX.XXX.XXX.XXX; };   // IP address of the primary DNS
    };
    zone "yourdomain2.com" {
        type slave;
        file "named.yourdomain2.com";
        masters { XXX.XXX.XXX.XXX; };
    };

view "external": (slave)

    view "external" {
        match-clients { any; };
        match-destinations { any; };
        allow-transfer { none; };       // The slave does not transfer to anyone; the slave receives
        recursion no;
        include "/etc/named.root.hints";

        zone "yourdomain.com" {
            type slave;
            file "/var/named/slaves/external/named.yourdomain.com";
            notify no;                  // The slave does not notify; the slave is notified by the master
            masters { XXX.XXX.XXX.XXX; };   // State the IP of the master server
        };
    };

Note: RHEL 4/5, CentOS 4/5 and Fedora 3+ use chrooted directory structure permissions which require the use of the slaves subdirectory /var/named/slaves

Slave Zone Files: These are transferred from the master to the slave and cached by the slave. There is no need to generate a zone file on the slave. Because the master accepts a transfer only from the slave's address (allow-transfer) and the slave accepts the zone only from the address in masters, a spoofed NOTIFY from a third party cannot replace the zone; the transfer itself is still unauthenticated, so sign it with a TSIG key shared by the two servers if the path between them is not trusted.

    Additional Information:

    Man page on named.conf
    Man page on named DNS server
    Full DNS manual

    [Potential Pitfall]: Ubuntu dapper/hardy/natty: Path names used cannot violate the AppArmor security rules defined in /etc/apparmor.d/usr.sbin.named, so the slave files are typically named "/var/lib/bind/named.yourdomain.com" as permitted by the security configuration.

    [Potential Pitfall]: Ubuntu dapper/hardy/natty: Create the log file and set ownership and permission for a file not created by the installation:

    touch /var/log/bindlog
    chown root.bind /var/log/bindlog


    chmod 664 /var/log/bindlog

    [Potential Pitfall]: Error in /var/log/messages:

    transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied

    Named needs write permission on the directory containing the file. This condition often occurs for a new "slave" or "secondary" name server where the zone files do not yet exist. The default (RHEL4/5, CentOS4/5, Fedora Core 3+, ...):

    drwxr-x---  4 root  named 4096 Aug 25  2004 named
    drwxrwx---  2 named named 4096 Sep 17 20:37 slaves

    Fix: In named.conf specify that the slave zone files go in the slaves directory /var/named/chroot/var/named/slaves with the directive: file "slaves/named.yourdomain.com";
    Verify that the directory is owned by (or group-writable for) the named user before restarting; the "permission denied" is a file system permission, not a Bind option.

    Bind Defaults:

    Uses port 53 if none is specified with the listen-on port statement. Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on port 53, specify the following statement in /etc/named.conf

    query-source address * port 53;
    query-source-v6 port 53;

    Caveat: fixing the query source port removes the source-port randomization that makes forged replies hard to guess, leaving only the 16-bit transaction ID to protect a resolving server against cache poisoning. Only do this on a server that does not recurse for clients; otherwise leave the source port random and have the firewall permit outbound UDP and TCP from the unprivileged port range to destination port 53.

    Logging is to /var/log/messages

    After the configuration files have been edited, restart the name daemon.

    /etc/init.d/named restart

    (Note: Ubuntu/Debian restart: /etc/init.d/bind9 restart)

    Bind zone transfers work best if the clocks of the two systems are synchronised. See the YoLinux SysAdmin Tutorial: Time and ntpd

    File: /var/named/named.yourdomain.com
    This is created for you by Bind on the slave (secondary) server when it replicates from the primary server.

    DNS GUI configuration:

    Red Hat EL4/5, Fedora 2-10: /usr/bin/system-config-bind
    Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind

    Test DNS:

    Must install packages:

    Red Hat/Fedora Core/SuSE: bind-utils


    Ubuntu (dapper/hardy/natty)/Debian: bind9-host

    Test the name server with the host command:

    host node.domain-to-test.com your-name-server-to-test.domain.com

    Note: The name server may also be specified by IP address.

    or

    Test the name server with the nslookup command in interactive mode:

    nslookup
    > server your-name-server-to-test.domain.com
    > node.domain-to-test.com
    > exit

    Test the MX record if appropriate:

    nslookup -querytype=mx domain-to-test.com

    OR

    host -t mx domain-to-test.com

    Test using the dig command:

    dig @name-server domain-to-query

    OR

    dig @IP-address-of-name-server domain-to-query

    Also confirm, from an address that is not in your allow-transfer list, that a zone transfer request (the axfr query type with dig) is refused; the refusal is logged in the security category described below.

    Test your DNS with the following DNS diagnostics web site: DnsStuff.com

    Extra logging to monitor Bind:

    Add the following to your /etc/named.conf file.

    logging {
        channel bindlog {
            // Keep five old versions of the log file (rotates logs)
            file "/var/log/bindlog" versions 5 size 1m;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        /* If you want to enable debugging, e.g. using the 'rndc trace' command,
         * named will try to write the 'named.run' file in the $directory (/var/named).
         * By default, SELinux policy does not allow named to modify the /var/named directory,
         * so put the default debug log file in data/:
         */
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
        category xfer-out { bindlog; };    // Zone transfers
        category xfer-in { bindlog; };     // Zone transfers
        category security { bindlog; };    // Approved/unapproved requests

        // The following logging statements, panic, insist and response-checks, are
        // valid for Bind 8 only. Do not use for version 9.
        category panic { bindlog; };           // System shutdowns
        category insist { bindlog; };          // Internal consistency check failures
        category response-checks { bindlog; }; // Messages
    };

    Chroot Bind for extra security:

    Note: Most modern Linux distributions default to a "chrooted" installation. This technique runs the Bind name service with a view of the file system which changes the definition of the root directory "/" to a directory in which Bind will operate, i.e. /var/named/chroot.

    The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.

    The latest Red Hat bind updates run named as user "named" to avoid a lot of earlier exploits. To chroot the process is to create an even more secure environment by limiting the view of the system that the process can access. The process is limited to the chrooted directory assigned.

    Chrooting the named process under a dedicated unprivileged user limits what a compromised named can reach. The original default Red Hat configuration (6.2) ran the named process as root, so an exploit against named gave the attacker the privileges of the root user. (This is no longer the case.) Note that a chroot is only a barrier for a process that cannot regain root: a root process can escape a chroot, so the -u/-g privilege drop below is what makes the jail meaningful.

    Named Command Syntax:


    named -u user -g group -t directory-to-chroot-to

    Example:

    named -u named -g named -t /opt/named

    When chrooted, the process has no access to the system libraries, so in theory a local lib directory with the appropriate library files is required. In practice it works without one, as also noted above for chrooted FTP, because the dynamic linker maps the shared libraries when named is executed, before named itself calls chroot(2); only files opened after the chroot must exist inside the jail. Another method to handle libraries is to recompile the named binary with everything statically linked (add -static to the compile options). Whether the chrooted process needs its own /etc/named.conf depends on the version: Bind 9 chroots after processing the command line but before reading the configuration file, so the configuration and the zone files must live inside the jail, which the script below provides for.

    Script to create a chrooted bind environment:

    #!/bin/sh
    cd /opt
    mkdir named
    cd named
    mkdir etc
    mkdir bin
    mkdir var
    cd var
    mkdir named
    mkdir run
    cd ..
    chown -R named.named bin etc var

    You can probably stop here. If your system acts like a chrooted system should, then continue with the following:

    cp -p /etc/named.conf etc
    cp -p /etc/localtime etc
    cp -p /bin/false bin
    echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd
    echo "named:x:25:" > etc/group
    touch var/run/named.pid

    if [ -f /etc/namedb ]
    then
        cp -p /etc/namedb etc/namedb
    fi

    mkdir dev
    cd dev

    # Create a character unbuffered file.
    mknod -m ugo+rw null c 1 3

    cd ..
    chown -R named.named bin etc var

    Add changes to the init script: /etc/rc.d/init.d/named

    #!/bin/bash
    #
    # named           This shell script takes care of starting and stopping
    #                 named (BIND DNS server).
    #
    # chkconfig: - 55 45
    # description: named (BIND) is a Domain Name Server (DNS) \
    # that is used to resolve host names to IP addresses.
    # probe: true

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ ${NETWORKING} = "no" ] && exit 0

    [ -f /etc/sysconfig/named ] && . /etc/sysconfig/named

    [ -f /usr/sbin/named ] || exit 0

    [ -f /etc/named.conf ] || exit 0

    RETVAL=0

    start() {
            # Start daemons.
            echo -n "Starting named: "
            daemon named -u named -g named -t /opt/named    # Change made here
            RETVAL=$?
            [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
            echo
            return $RETVAL
    }
    stop() {
            # Stop daemons.
            echo -n "Shutting down named: "
            killproc named
            RETVAL=$?
            [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
            echo
            return $RETVAL
    }
    rhstatus() {
            /usr/sbin/ndc status
            return $?
    }
    restart() {
            stop
            start
    }
    reload() {
            /usr/sbin/ndc reload
            return $?
    }
    probe() {
            # named knows how to reload intelligently; we don't want linuxconf
            # to offer to restart every time
            /usr/sbin/ndc reload >/dev/null 2>&1 || echo start
            return $?
    }

    # See how we were called.
    case "$1" in
      start)
            start
            ;;
      stop)
            stop
            ;;
      status)
            rhstatus
            ;;
      restart)
            restart
            ;;
      condrestart)
            [ -f /var/lock/subsys/named ] && restart || :
            ;;
      reload)
            reload
            ;;
      probe)
            probe
            ;;
      *)
            echo "Usage: named {start|stop|status|restart|condrestart|reload|probe}"
            exit 1
    esac

    exit $?

    Note: The current version of bind from the Red Hat errata updates and security fixes (http://www.redhat.com/support/errata/) runs the named process as user "named" in the home (not chrooted) directory /var/named with no shell available (named -u named). This should be secure enough. Proceed with a chrooted installation if you are paranoid.

    See:

    Securing DNS: How to use chroot bind features

    Chrooted DNS configuration:

    Modern releases of Linux (i.e. Fedora Core 3, Red Hat Enterprise Linux 4) come pre-configured to use "chrooted" bind. This security feature forces even an exploited version of bind to only operate within the "chrooted" jail /var/named/chroot which contains the familiar directories:

    /var/named/chroot/etc: Configuration files
    /var/named/chroot/dev: devices used by bind:
        /dev/null
        /dev/random
        /dev/zero
        (Real devices created with the mknod command.)
    /var/named/chroot/var: Zone files and configuration information.

    These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".

    If building from source you will have to generate this configuration manually:

    mkdir -p /var/named/chroot
    mkdir /var/named/chroot/dev
    mknod /var/named/chroot/dev/null c 1 3
    mknod /var/named/chroot/dev/zero c 1 5
    mknod /var/named/chroot/dev/random c 1 8
    chmod 666 -R /var/named/chroot/dev
    mkdir -p /var/named/chroot/etc
    ln -s /var/named/chroot/etc/named.conf /etc/named.conf
    mkdir -p /var/named/chroot/var/named
    ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
    ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
    ...
    mkdir -p /var/named/chroot/var/named/slaves
    mkdir -p /var/named/chroot/var/named/data
    mkdir -p /var/named/chroot/var/run
    mkdir -p /var/named/chroot/var/tmp
    chown -R named:named /var/named/chroot
    chown -R root:named /var/named/chroot/var/named
    # The directories named writes to must stay writable by the named user (see the "permission denied" pitfall above)
    chown named:named /var/named/chroot/var/named/slaves /var/named/chroot/var/named/data
    chmod 770 /var/named/chroot/var/named/slaves /var/named/chroot/var/named/data
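    A check for the jail built above, as an added example that is not part of this tutorial: the Python script audits a chroot tree for the expected directories and named.conf, for the three character devices with the major/minor numbers from the mknod lines, for a slaves/ directory the named user can write (the "permission denied" pitfall), and for symlinks pointing outside the jail, which resolve to nothing once named has chrooted. The jail path and the uid/gid of the named user are assumptions; run it as root against the real tree with python3 audit_chroot.py /var/named/chroot.

```python
import os
import stat
import sys

# Layout from the bind-chroot description above. The (major, minor) pairs are the
# Linux device numbers used by the mknod lines.
EXPECTED_DIRS = ["etc", "dev", "var/named", "var/named/slaves", "var/named/data", "var/run"]
EXPECTED_FILES = ["etc/named.conf"]
EXPECTED_DEVICES = {"dev/null": (1, 3), "dev/zero": (1, 5), "dev/random": (1, 8)}


def _writable_by(st, uid, gid):
    """True if a user with this uid/gid may write to the inode described by st (mode bits only)."""
    if uid is not None and st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if gid is not None and st.st_gid == gid and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_chroot(root, named_uid=None, named_gid=None):
    """Return a list of problems found in the Bind jail rooted at `root` (empty if none)."""
    problems = []
    real_root = os.path.realpath(root)

    for rel in EXPECTED_DIRS:
        if not os.path.isdir(os.path.join(root, rel)):
            problems.append("missing directory %s" % rel)
    for rel in EXPECTED_FILES:
        if not os.path.isfile(os.path.join(root, rel)):
            problems.append("missing file %s" % rel)

    # named opens these after chroot(2), so they must be real device nodes inside the jail
    for rel, (major, minor) in EXPECTED_DEVICES.items():
        try:
            st = os.stat(os.path.join(root, rel))
        except FileNotFoundError:
            problems.append("missing device %s" % rel)
            continue
        if not stat.S_ISCHR(st.st_mode):
            problems.append("%s is not a character device" % rel)
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            problems.append("%s has device numbers %d,%d, expected %d,%d"
                            % (rel, os.major(st.st_rdev), os.minor(st.st_rdev), major, minor))

    # The "permission denied" pitfall: slave zone files are written by the named user
    slaves = os.path.join(root, "var/named/slaves")
    if os.path.isdir(slaves) and not _writable_by(os.stat(slaves), named_uid, named_gid):
        problems.append("var/named/slaves is not writable by the named user; "
                        "zone transfers will fail with permission denied")

    # A symlink whose target lies outside the jail is dangling once named has chrooted
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if target != real_root and not target.startswith(real_root + os.sep):
                    problems.append("%s is a symlink to %s, outside the jail"
                                    % (os.path.relpath(path, root), target))
    return problems


if __name__ == "__main__":
    import pwd
    jail = sys.argv[1] if len(sys.argv) > 1 else "/var/named/chroot"   # assumed default jail path
    try:
        pw = pwd.getpwnam("named")
        uid, gid = pw.pw_uid, pw.pw_gid
    except KeyError:
        uid = gid = None
    for line in audit_chroot(jail, uid, gid) or ["no problems found"]:
        print(line)
```

    The symlink check catches the reversed link (a link inside the jail pointing at /etc/named.conf) that looks correct from outside but leaves named with no configuration after chroot; the tutorial's links run the other way, from /etc into the jail, which is fine.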

    Load Balancing of servers using Bind: DNS Round Robin

    This will populate DNS caching name servers around the world with different IP addresses for your web server www.yourdomain.com

    File: /var/named/data/named.yourdomain.com

    $TTL 604800
    yourdomain.com.   IN   SOA   ns1.yourdomain.com. hostmaster.yourdomain.com.
    ...
    ...
    www   IN   A   192.168.1.1
    www   IN   A   192.168.1.2
    www   IN   A   192.168.1.3
    www   IN   A   192.168.1.4
    www   IN   A   192.168.1.5
    www   IN   A   192.168.1.6

    Note:

    This example will resolve the www.yourdomain.com URL to each of the IP addresses listed, one at a time for each request: every reply carries all six A records, but Bind rotates their order on successive queries and most clients connect to the first address returned. The first request will resolve to 192.168.1.1, the second request to 192.168.1.2, etc. A perfectly even load balance is not possible because network service providers run DNS caching servers which hold the resolved IP address for a different number of users. Using multiple CNAMEs to rotate records is no longer permissible in Bind 9. Listing a record multiple times with the same IP address will not change the load sharing; Bind will ignore duplicate records. Reducing the time to live (TTL) will cause load sharing to take place more frequently, thus responding to a change in servers more quickly. Round robin DNS does no health checking: a failed server keeps receiving its share of clients until its record is removed and the TTL has expired in the caches.

    Also see lbnamed: lbnamed load balancing named
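    What host, nslookup and dig (Test DNS above) put on the wire, and what a round-robin answer looks like: the Python below is an added example, not taken from this tutorial. It builds the A query a resolver sends for www.yourdomain.com, constructs the reply an authoritative Bind would give for the six-address zone above with the record order rotated per query (cyclic rrset-order), and parses it back the way a resolver does. The response bytes are built locally, so nothing touches the network; the transaction IDs, the TTL and the address pool are assumptions for the example. The matches_query check is the sanity check a resolver makes before trusting a reply, and it is the reason the query source port caveat under Bind Defaults matters: with a fixed source port, the 16-bit ID is all a forger has to guess.

```python
import struct

POOL = ["192.168.1.%d" % i for i in range(1, 7)]   # the six www A records from the zone above


def encode_name(name):
    """Encode "www.yourdomain.com" as DNS labels (length byte + label) ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid, qtype=1):
    """The query `dig name A` sends: 12-byte header (RD set, one question), QNAME, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Decode a possibly compressed name at `offset`; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                    # two-byte pointer into the packet
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return (txid, rcode, [(owner, ttl, ip), ...]) for the A records in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(data, offset)
        offset += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return txid, flags & 0x000F, answers


def build_a_response(query, ips, ttl):
    """Constructed authoritative reply to `query`: one A record per address, in the order given."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(ips), 0, 0)   # QR=1, AA=1
    records = b""
    for ip in ips:
        records += b"\xc0\x0c"                       # owner: pointer to the question name at offset 12
        records += struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + records


def matches_query(query, response):
    """A resolver's check before trusting a reply: same transaction ID and the same question echoed back."""
    return response[:2] == query[:2] and response[12:len(query)] == query[12:]


def rotate(ips, n):
    """Cyclic rrset-order: the address list as the n-th consecutive querier sees it."""
    k = n % len(ips)
    return ips[k:] + ips[:k]


def first_address_for_query(n):
    """The n-th client resolving www.yourdomain.com: (address it connects to, all addresses returned)."""
    query = build_query("www.yourdomain.com", txid=0x1234 + n)   # assumed transaction IDs
    response = build_a_response(query, rotate(POOL, n), ttl=604800)
    if not matches_query(query, response):
        raise ValueError("reply does not belong to our query")
    _, rcode, answers = parse_response(response)
    if rcode != 0:
        raise ValueError("query failed with rcode %d" % rcode)
    return answers[0][2], [ip for _, _, ip in answers]
```

    To use the same parser against a live server, send build_query() over a UDP socket to port 53 of the name server and hand the datagram to parse_response(); comparing answers from several consecutive queries shows the rotation that dig prints in its ANSWER SECTION.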

    Bind/DNS Links:

    Internet Software Consortium (ISC) Home Page
    ISC Bind Home
    Zytrax Bind 9 manual - Bind for rocket scientists
    comp.protocols.tcp-ip.domains FAQ (HTML version)
    mod_rewrite: page forwarding, load balancing and round robin schemes
    LDP DNS HOWTO
    DNS Security best practices - Cricket Liu (co-author of "DNS and Bind")
    DNS Security Paper - Craig Rowland
    EveryDNS.net - Free DNS
    Secondary.com - Free secondary name server hosting (five or fewer domains)
    TZO.com - Dynamic, secondary DNS services.
    OpenDNS.com - Can allow forwarding to OpenDNS servers. Add to the "options" section:
        forwarders { 208.67.222.222; 208.67.222.220; };
    DynDNS: dyn.com - Command: ipcheck.py -i eth0 DynDNS-userid password node.dnsalias.net
        Then add the script update.dyndns.ip to the directory /etc/cron.daily/ to update the IP. This host must also be allowed access through any firewall rules.
    DynDNS.com - Dynamic DNS for those with dynamic IP addresses (i.e. dial-up, game servers, etc.)

    Domain name registration:

    Domain Name Registrars:
    NetworkSolutions.com
    Register.com - Registrar
    GoDaddy.com - Domain name registration for only $8.95/year!!!
    Dotster.com - Domain name registration for only $14.95/year
    DomainsNext.com - $11.95/year
    EasyDNS.com - $25.00/year
    Gandi.net - European

    AfterNic.com - Domain name exchange and auction.
    BuyDomains.com - Buy a domain name that a squatter is holding.


    Note that the name registration policies for the registrars are stated at ICANN.org.

    You must renew with the same registrar up to five days BEFORE the expiration date. There is no rule for afterwards; most registrars release a domain name 30 days after it expires.

    Web Server Load Balancing:

    Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both. Multiple options are available for load balancing:

    DNS round robin: Discussed above, this uses DNS to point users to a random server in a list of appropriate servers. This spreads the load among the servers in the list.
    Use a Linux Virtual Server to Create a Load Balance Cluster. See the next section below.
    Run a reverse proxy. See nginx ("engine X"). From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).
    Run the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse proxy, routing external traffic to various servers on an internal network.

    Using a Linux Virtual Server to Create a Load Balance Cluster:

    You can use a single Linux server to forward requests to a cluster of servers using iptables for IP masquerading and ipvsadm to scale your load. The load balancing server receiving and routing the requests is called the "Linux Virtual Server" (LVS). The LVS receives the requests, which are passed to the real servers which process and reply to the request. This reply is forwarded to the client by the LVS.

    This feature is available with the Linux 2.4/2.6 kernel. (If compiling the kernel: Networking Options + IP: Virtual Server Configuration)

    Configuration: This example will load balance http traffic to three web servers and ftp traffic to a fourth server.

    Enable Forwarding: (Also see YoLinux Networking Tutorial: Enable Forwarding)

    echo "1" > /proc/sys/net/ipv4/ip_forward

    Enable IP Masquerading:

    iptables -t nat -P POSTROUTING DROP
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    For more on IP Masquerading, iptables and subnet addresses, see the YoLinux network gateway tutorial.

    Enable virtual server: Create the virtual service and choose a scheduler for http (80) and ftp (21):

    ipvsadm -A -t 66.218.88.103:80 -s wlc
    ipvsadm -A -t 66.218.88.103:21 -s wrr

    Command directives:
    -A: Add a virtual service defined by IP address, port number, and protocol.
    -t: Use TCP service host:port
    -s: scheduler:
        rr: Round Robin: distributes jobs equally amongst the available real servers.
        wrr: Weighted Round Robin.
        lc: Least-Connection: assigns more jobs to real servers with fewer active jobs.
        wlc: (Default) Weighted Least-Connection: assigns more jobs to servers with fewer jobs, relative to the real server's weight.
        lblc, lblcr, dh, sh, sed, nq: See the man page.

    Configure the load balancing cluster:

    ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -m
    ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2
    ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -m
    ipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m

    Command directives:
    -r: Real server.
    -m: Use masquerading, also known as network address translation (NAT). FTP through LVS-NAT also needs the ip_vs_ftp helper module loaded so that the data connection is rewritten along with the control connection.
    -w: Weight is an integer specifying the capacity of a server relative to the others in the pool. The valid values of weight are 0 to 65535. The default is 1. A weight of 0 stops new connections to that real server without deleting it, which is the way to drain a server for maintenance.
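    How the wrr and wlc schedulers named above split traffic across the three HTTP real servers (weights 1, 2 and 1 from the ipvsadm -a lines): the Python below is an added simulation, not code from this tutorial or from the LVS project, of the two selection algorithms as the kernel's IPVS implements them (the falling weight threshold of ip_vs_wrr.c and the cross-multiplied active*256+inactive comparison of ip_vs_wlc.c). The server names and the eight-connection workload are assumptions for the example.

```python
from collections import Counter
from functools import reduce
from math import gcd

# Real servers from the "ipvsadm -a ... :80" lines above: (server, weight).
# The second server carries -w 2, the others the default weight of 1.
HTTP_POOL = [("176.168.1.1:80", 1), ("176.168.1.2:80", 2), ("176.168.1.3:80", 1)]


class WeightedRoundRobin:
    """ipvsadm -s wrr. Walks the list repeatedly with a falling threshold cw: on each wrap
    cw drops by gcd(weights) and resets to max(weights) when it reaches zero; a server is
    chosen when its weight >= cw, so a weight-2 server is picked in twice as many passes
    as a weight-1 server. With all weights equal this degenerates to plain -s rr."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.index = -1
        self.cw = 0
        self.max_weight = max(w for _, w in self.servers)
        self.gcd_weight = reduce(gcd, (w for _, w in self.servers))

    def pick(self):
        n = len(self.servers)
        while True:
            self.index = (self.index + 1) % n
            if self.index == 0:
                self.cw -= self.gcd_weight
                if self.cw <= 0:
                    self.cw = self.max_weight
                    if self.cw == 0:
                        return None          # every weight is 0: no server may take traffic
            server, weight = self.servers[self.index]
            if weight >= self.cw:
                return server


class WeightedLeastConnection:
    """ipvsadm -s wlc (the default). Picks the server with the smallest
    (active * 256 + inactive) / weight, compared cross-multiplied as the kernel does so
    that integer arithmetic suffices; ties keep the earlier server. Weight 0 removes a
    server from consideration without deleting it."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.active = {s: 0 for s, _ in self.servers}
        self.inactive = {s: 0 for s, _ in self.servers}

    def overhead(self, server):
        return self.active[server] * 256 + self.inactive[server]

    def pick(self):
        least, least_weight = None, 0
        for server, weight in self.servers:
            if weight <= 0:
                continue
            if least is None or self.overhead(least) * weight > self.overhead(server) * least_weight:
                least, least_weight = server, weight
        if least is not None:
            self.active[least] += 1          # the new connection counts against the chosen server
        return least

    def close(self, server):
        """Connection finished: it leaves the active count and lingers as inactive (e.g. TIME_WAIT)."""
        self.active[server] -= 1
        self.inactive[server] += 1


def simulate(scheduler, requests):
    """The sequence of real servers chosen for `requests` consecutive new connections."""
    return [scheduler.pick() for _ in range(requests)]


def share(picks):
    """Fraction of the connections each server received."""
    counts = Counter(picks)
    return {server: counts[server] / len(picks) for server in counts}


if __name__ == "__main__":
    for name, scheduler in (("wrr", WeightedRoundRobin(HTTP_POOL)), ("wlc", WeightedLeastConnection(HTTP_POOL))):
        picks = simulate(scheduler, 8)
        print(name, picks, share(picks))
```

    Both schedulers hand the weight-2 server half of the eight connections, but by different routes: wrr from the sequence alone, wlc because each accepted connection raises that server's overhead until the others look cheaper. Under wlc, long-lived connections (not just counts) therefore steer the balance, which is why it is the default for HTTP.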

    Links:

    LinuxVirtualServer.org
    iptables - Administration tool for IPv4 packet filtering and NAT
    ipvsadm - Administer the routing table on a Linux Virtual Server.

    Managing Web Server Daemons:

    To view if these services are running, type ps aux and look for the httpd, inetd and named services (daemons). These are background processes necessary to perform the server tasks.


    root       681  0.0  0.5  2304  744 ?  S  Sep09  0:01 named
    nobody   28123  0.0  1.1  3036 1420 ?  S  Oct06  0:00 httpd
    nobody   28186  0.0  0.7  3044  896 ?  S  Oct06  0:00 httpd
    root       385  0.0  0.1  1136  232 ?  S  Sep09  0:00 inetd

    A new installation will most likely NOT start the named background process, which may be started manually after configuration. See the YoLinux Init Process Tutorial for more information. The inetd (or xinetd) background process is the Internet daemon which starts FTP when an ftp request is made.

    SysAdmin Script:

    Script to prepare an account: (Red Hat/Fedora)

    #!/bin/sh
    # Author Greg Ippolito
    # Requires: /opt/etc/AccountDefaults/ - path msg favicon.ico mwhmini_tr.gif etc.
    #           /opt/bin/ftponly
    # You must be root to run this script.
    #
    if [ $# -eq 0 ]
    then
        echo "Enter userid as a command argument"
    else
        if [ -r /home/$1 ]
        then
            echo "User's home directory already exists"
        else
            echo "1) Create user."
            adduser -m $1

            echo "2) Set user Password."
            passwd $1

            echo "3) Add read access to user directory so apache can read it."
            cd /home
            chmod ugo+rx $1
            cd $1

            echo "4) Create web directories."
            mkdir public_html
            chown $1.$1 public_html
            chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html
            cd public_html
            mkdir images
            chown $1.$1 images
            chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images

            # Block potential for unauthenticated logins
            cd ../
            touch .rhosts
            chmod ugo-xrw .rhosts

            echo "5) Create default web page"
            sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html
            cp -p /opt/etc/AccountDefaults/favicon.ico .
            cp -p /opt/etc/AccountDefaults/default-logo.gif ./images
            cp -p /opt/etc/AccountDefaults/robots.txt .
            chown $1.$1 index.html favicon.ico robots.txt
            chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt
            chcon -R -h -t httpd_sys_content_t images/default-logo.gif

            echo "6) Edit /etc/passwd file - change user shell to /opt/bin/ftponly"
            cp -p /etc/passwd /etc/passwd-`date +%m%d%y`
            # Anchor on "$1:" so only this user's entry is changed, not every user whose name starts with $1
            sed "/^$1:/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd

            #wu-ftp# Requires: /etc/ftpaccess - guestuser restricted-uid
            #wu-ftp# echo "7) Add user to /etc/ftpaccess file"
            #wu-ftp# cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`
            #wu-ftp# # Both edits in one sed pass; two separate passes from the backup would discard the first edit
            #wu-ftp# sed -e "/^guestuser/s!guestuser!guestuser $1!" \
            #wu-ftp#     -e "/^restricted-uid/s!restricted-uid!restricted-uid $1!" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess
            #wu-ftp# echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess

            echo "7) Add user to vsftpd chroot list"
            echo "$1" >> /etc/vsftpd/vsftpd.chroot_list

            echo "8) Setting Disk Quotas to default 50Mb limit:"
            # Use user johndoe as a prototype.
            edquota -p johndoe $1

            echo "9) Admin Follow-up:"
            echo "   Modify quota.user if different than default"
            echo "   Make changes to Bind name services on dns1 and dns2 if necessary"
            echo "   Change /etc/http/conf/httpd.conf or"
            echo "   add config to /etc/http/conf.d/ if using a new domain name"
            echo "   Add email aliases to mail server if necessary"
        fi
    fi

    FYI: Sample robots.txt files:


    yolinux.com/robots.txt
    USC.edu/robots.txt

    Useful links and resources:

    Linux Init Process - YoLinux.com tutorial
    Setting up an Apache redirect - YoLinux.com tutorial
    Apache Documentation
    LDP How-To Guides:
        DNS HOWTO - DNS administration - Nicolai Langfeldt
        Securing Domain HOWTO
        ISP Setup Red Hat - Using Linux to host an ISP - Anton Chuvakin
        Linux Networking Overview HOWTO - Daniel Lopez Ridruejo
        Virtual Services HOWTO - DNS, FTP, Apache, Mail (POP, Qmail, Sendmail), Syslogd and Samba
        WWW HOWTO - Setting up Apache services
        WWW-mSQL HOWTO

    List of Internet Exchanges [map and list] - An Internet Exchange (IX) is a junction between multiple principal Internet communication lines. Locating your server at or close to an IX will give you the best ability to handle traffic and the lowest latencies.
    Description of IX
    Setting up a mail server - YoLinux Tutorial

    Books:

    "Ubuntu Unleashed 2013 edition:" Covering 12.10 and 13.04 (8th Edition) by Matthew Helmke, Andrew Hudson and Paul Hudson, Sams Publishing, ISBN# 0672336243 (Dec 15, 2012)

    "Ubuntu Unleashed 2012 edition:" Covering 11.10 and 12.04 (7th Edition) by Matthew Helmke, Andrew Hudson and Paul Hudson, Sams Publishing, ISBN# 0672335786 (Jan 16, 2012)

    "Ubuntu Unleashed 2011 edition:" Covering 10.10 and 11.04 (6th Edition) by Matthew Helmke, Ryan Troy, Andrew Hudson and Paul Hudson, Surfing Turtle Press, ISBN# 0672333449 (Dec 24, 2010)

    "Fedora 18 Desktop Handbook" by Richard Petersen, Surfing Turtle Press, ISBN# 1936280639 (Mar 6, 2013)

    "Fedora 18 Networking and Servers" by Richard Petersen, Surfing Turtle Press, ISBN# 1936280698 (March 29, 2013)

    "Fedora 14 Desktop Handbook" by Richard Petersen


    Surfing Turtle Press, ISBN# 1936280167 (Nov 30, 2010)

    "Fedora 14 Administration and Security" by Richard Petersen, Surfing Turtle Press, ISBN# 1936280221 (Jan 6, 2011)

    "Fedora 14 Networking and Servers" by Richard Petersen, Surfing Turtle Press, ISBN# 1936280191 (Dec 26, 2010)

    "Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)" by Mark Sobell, Prentice Hall PTR, ISBN# 0137003889, 2nd edition (January 9, 2009)

    "Fedora 10 and Red Hat Enterprise Linux Bible" by Christopher Negus, Wiley, ISBN# 0470413395

    "Red Hat Fedora 6 and Enterprise Linux Bible" by Christopher Negus, Sams, ISBN# 047008278X

    "Fedora 7 & Red Hat Enterprise Linux: The Complete Reference" by Richard Petersen, Sams, ISBN# 0071486429

    "Red Hat Fedora Core 6 Unleashed" by Paul Hudson, Andrew Hudson, Sams, ISBN# 0672329298

    "Red Hat Linux Fedora 3 Unleashed" by Bill Ball, Hoyt Duff, Sams, ISBN# 0672327082

    "Red Hat Linux 9 Unleashed" by Bill Ball, Hoyt Duff, Sams, ISBN# 0672325888 (May 8, 2003)

    I have the Red Hat 6 version and I have found it to be very helpful. I have found it to be way more complete than the other Linux books. It is the most complete general Linux book in publication. While other books in the "Unleashed" series have disappointed me, this book is the best out there.

    "Apache Server Bible 2"


    by Mohammed J. Kabir, ISBN# 0764548212, Hungry Minds

    This book is very complete, covering all aspects in detail. It is not your basic reprint of the apache.org documents like so many others.

    "Pro DNS and Bind" by Ronald Aitchison, Apress, ISBN# 1590594940


    Copyright 2000-2014 by Greg Ippolito