enable firewall

lokkit command

The lokkit command can be run at any time to change the security settings of Firewall installed on your system. To run this command you must first login as root or use the “su” command. If you are already super user on your Linux system start the lokkit command as follows:

/usr/sbin/lokkit

or to use the su command from a non-super user account as follows:

su –c “/usr/sbin/lokkit”

The lokkit command allows you to either enable or disable the Firewall. The first step if it is not already enabled is to enable it. Use the “Tab” key to move around and the “Space” key to select the “Enabled” option.

The second step is configure the Firewall. Use the Tab key to move the “Configure” button and press the “Space” key.

On the configuration screen simply select the service types that you want to support. Based on your selections lokkit will configure the Firewall to allow access to the appropriate ports. The services listed are HTTP, FTP, SSH, Telnet and Mail (SMTP). You can also specify other ports you wish to open on the Firewall in the “other ports” section.

The lokkit command also provides the option of specifying trusted devices on the "Configure" screen. In summary, it is possible to have more than one network device installed on a Linux system. In this scenario it might be that one device is connected to a trusted and secure network while the other is connected to a network that is connected to the outside world in some way (perhaps through a router or firewall to a broadband connection). The firewall feature allows you to disable the firewall settings for any connections coming in from the device connected to the trusted or secure network while applying the firewall rules to device connected ot the untrusted network.

PostgreSQL configuration

Login to the operating system as a User who has rights to create a database. If you haven't set this up yet, as user postgresql, run the createuser command and give the new User privileges to create databases.

Create the database:

createdb -E UNICODE calendar

1. Load the database schema:
   
   psql calendar <>
2. You will need to edit the postgresql.conf file. On RedHat Linux, this file is in the /var/lib/pgsql/data directory. On FreeBSD, this file is in /usr/local/pgsql/data. Change the line:

#tcpip_socket=false

to read

tcpip_socket=true
3. Restart the PostgreSQL Service.
4. Copy the JDBC Driver files to your application server's path, or the WEB-INF/lib directory.
5. Edit the pg_hba.conf file if necessary. To test if this is necessary, run the command:

psql -h calendar

If the connection is refused, you will need to add the appropriate permissions entries to PG_HBA.CONF. It may also be necessary to edit the startup script for postmaster to ensure that it is listening on TCP/IP sockets. Refer to the man page for postmaster for more information on startup options.
6. Edit the configuration.properties file, putting in the configuration entries for your database.

DBObjectClass=com.MHSoftware.db.support.PostgreSQLDB
JDBCConnectString=jdbc\:postgresql\://localhost\:5432/calendar
JDBCUserID=calendar
JDBCPassword=calendar
JDBCDriver=org.postgresql.Driver

Apache Configuration Files:

• /etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file. See Apache online documentation for the full manual.
• /etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache start-up. Used to store application specific configurations.
• /etc/sysconfig/httpd: Holds environment variables used when starting Apache.

Basic settings: Change the default value for ServerName www.<your-domain.com>

Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those directories necessary. This is done with the directory statement. Start by denying access to everything, then grant access to the necessary directories.

Deny access completely to file system root ("/") as the default:

Options None AllowOverride None

Grant access to a user's directory:

AllowOverride None order allow,deny allow from all Options Indexes Includes FollowSymLinks

OR use the statement UserDir public_html which does this by default for every user account at $HOME/public_html. Change to a comment (add "#" at beginning of line) from Fedora Core default UserDir disable. Also use SELinux command: setsebool httpd_enable_homedirs true

File permissions: The Apache web server daemon must be able to read your web pages in order to feed thier contents to the network. Use an appropriate umask and file protection. This works: chmod ugo+r -R public_html
One may also use groups to control permisions. See the YoLinux tutorial on managing groups.

[Potential Pitfall]: If the Apache web server can not access the file you will get the error "403 Forbidden" "You don't have permission to access file-name on this server." Note the default permissions on a user directory when first created with "useradd" are:

drwx------ 3 userx userx

You must allow the web server running as user "apache" to access the directory if it is to display pages held there. Fix with command: chmod ugo+rx /home/userx

drwxr-xr-x 3 userx userx

apache http web server configuration

This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0). for a list of other web servers for the Hyper Text Transport Protocol.

The Apache configuration file is: /etc/httpd/conf/httpd.conf

Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:

• Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4, CentOS 4: /var/www/html/
• Red Hat 6.x and older: /home/httpd/html/
• Suse 9.x: /srv/www/htdocs/
• Ubuntu (dapper 6.06) / Debian: /var/www/html

The default home page for the default configuration is index.html. Note the pages should not be owned by user apache as this is the process owner of the httpd web server daemon. If the web server process is comprimised, it should not be allowed to alter the files. The files should of course be readable by user apache.

Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for multiple domains. Serving for multiple domains may be achieved in two ways:

• Virtual hosts: One IP address but multiple domains - "Name based" virtual hosting.
• Multiple IP based virtual hosts: One IP address for each domain - "IP based" virtual hosting.

The default configuration will allow one to have multiple user accounts under one domain by using a reference to the user account: http://www.domain.com/~user1/. If no domain is registered or configured, the IP address may also be used: http://XXX.XXX.XXX.XXX/~user1/.

[Potential Pitfall] The default umask for directory creation is correct by default but if not use: chmod 755 /home/user1/public_html

[Potential Pitfall] When creating new "Directory" configuration directives, I found that placing them by the existing "Directory" directives to be a bad idea. It would not use the .htaccess file. This was because the statement defining the use of the .htaccess file was after the "Directory" statement. Previously in RH 6.x the files were separated and the order was defined a little different. I now place new "Directory" statements near the end of the file just before the "VirtualHost" statements.

For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.

Files used by Apache:

• Start/stop/restart script:
  • Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
  • SuSE 9.3: /etc/init.d/apache2
  • Ubuntu (dapper 6.06) / Debian: /etc/init.d/apache2
• Apache main configuration file:
  • Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
  • SuSE: /etc/apache2/httpd.conf
    (Need to add directive: ServerName host-name)
  • Ubuntu (dapper 6.06) / Debian: /etc/apache2/apache2.conf
• Apache suplementary configuration files:
  • Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
  • SuSE: /etc/apache2/conf.d/component.conf
  • Ubuntu (dapper 6.06) / Debian:
    • Virtual domains: /etc/apache2/sites-enabled/domain
      (Create soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on)
    • Additional configuration directives: /etc/apache2/conf.d/
    • Modules to load: /etc/apache2/mods-available/
      (Soft link to /etc/apache2/mods-enabled/ to turn on)
    • Ports to listen to: /etc/apache2/ports.conf
• /var/log/httpd/access_log and error_log - Red Hat/Fedora Core Apache log files
  (Suse: /var/log/apache2/)

Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or status.
i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read the configuration files to pick up any changes. To have this script invoked upon system boot issue the command chkconfig --add httpd. See Init Process Tutorial for a more complete discussion.

Also Apache control tool: /usr/sbin/apachectl start

Apache Control Command: apachectl:

Red Hat / Fedora Core / CentOS: apachectl directive
Ubuntu dapper 6.06 / Debian: apache2ctl directive

Directive	Description
start	Start the Apache httpd daemon. Gives an error if it is already running.
stop	Stops the Apache httpd daemon.
graceful	Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted.
restart	Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn't die.
status	Displays a brief status report.
fullstatus	Displays a full status report from mod_status. Requires mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
configtest -t	Run a configuration file syntax test.

SYNFlood

smurf

denial o f service bandwith exhaustion

denial o f service

FTPd and FTP user account configuration

Enable vsftpd:

Red Hat/Fedora Core/CentOS: VsFTPd is a stand alone service and by the default Fedora Core installation, not controlled by xinetd as is the wu-ftpd default installation.
Thus start service: service vsftpd start (or: /etc/init.d/vsftpd start)
Configure vsftpd to start upon system boot: chkconfig --add vsftpd


vsFTPd configuration file

Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf

anonymous_enable=YES            - Anonymous FTP allowed by default if you comment this out. Default directory used: /var/ftp

local_enable=YES                - Uncomment this to allow local users to log in with FTP.

write_enable=YES                - Uncomment this to enable any form of FTP write or upload command.

local_umask=022                 - Default is 077. Umask 022 is used by most other ftpd's.

#anon_upload_enable=YES         - Uncomment to allow the anonymous FTP user to upload files.
                              Requires the above global write enabled. Directory must also be writable by user.
#anon_mkdir_write_enable=YES    - Uncomment this to allow the anonymous FTP user to be able to create new directories.

dirmessage_enable=YES           - Activate directory messages.
                              Messages given to remote users when they enter certain directories
xferlog_enable=YES              - Activate logging of uploads/downloads.

connect_from_port_20=YES        - PORT transfer connections originate from port 20 (ftp-data)

#chown_uploads=YES              - Uploaded anonymous files set to a specified owner. (not root)
#chown_username=whoever

#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log

xferlog_std_format=YES          - Output to log file in standard ftpd xferlog format

#idle_session_timeout=600       - Set timing out for an idle session.

#data_connection_timeout=120    - Set timing out for an idle data connection. Port 20

#nopriv_user=ftpsecure          - Run ftp server as an isolated and unprivileged user.

# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.
#async_abor_enable=YES

#ascii_upload_enable=YES        - Improve performance by disabling ASCII mode. Disables command "ascii" and "SIZE /big/file".
#ascii_download_enable=YES

#ftpd_banner=Welcome to YoLinux - Customize the login banner string.

#deny_email_enable=YES          - Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.
#banned_email_file=/etc/vsftpd.banned_emails  (default)

#chroot_list_enable=YES         - List users chroot()'d to their home directory. If "NO", list users not chroot()'d.
#chroot_list_file=/etc/vsftpd.chroot_list     (default)

ls_recurse_enable=YES           - Allow "ls -R" recursive directory list. Default is disabled.

pam_service_name=vsftpd


userlist_enable=YES             - (Default) Deny users specified in file /etc/vsftpd.user_list
                              If "userlist_enable=NO" then allow specified users.
#deny_email_enable=YES          - Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.

listen=YES                      - Enable for standalone mode as opposed to an xinetd service.
tcp_wrappers=YES

Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)

[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:

directive=XXX # comment

vsftp.conf man page

Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)

user1
user2
...
user-n

If userlist_enable=NO, then specify users not to be chroot'd
Specify list of users: /etc/vsftpd.user_list
(Deny list of users requires: userlist_enable=YES)
Also see PAM configuration below.

root
bin
daemon
adm
lp
sync
shutdown
halt
...

If userlist_enable=NO, then specify valid users.

PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Speciy user in both files.

File: /etc/vsftpd.ftpusers

This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Speciy user in both files.

File: /etc/vsftpd.ftpusers

root
bin
daemon
adm
lp
sync
shutdown
halt
...

Logrotate configuration file: /etc/logrotate.d/vsftpd.log

/var/log/xferlog {
# ftpd doesn't handle SIGHUP properly
nocompress
missingok
}


Sample vsFTPd configurations:

Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf

# Access rights
anonymous_enable=YES          - Turn on anonymous FTP
chown_uploads=YES             - Uploaded files owned by an assigned user
chown_username=ftp            - Uploaded files owned by this assigned user
local_enable=NO
write_enable=NO               - No upload of files system changes allowed
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
anon_max_rate=50000

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES





Anonymous logins use the login name "anonymous" and then the user supplies their
email address as a password. Any password will be accepted.
Used to allow the public to download files from an ftp server.
Generally, no upload is permitted.             

Web hosting configuration: /etc/vsftpd/vsftpd.conf

# Access rights
anonymous_enable=NO
local_enable=YES                              - Allow users to ftp to their home directories
write_enable=YES                              - Allow users to STOR,  DELE, RNFR, RNTO, MKD, RMD, APPE and SITE
local_umask=022
# Security
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO                               - Don't remap user name
ftpd_banner=Welcome to Super Duper Hosting    - Customize the login banner string.
chroot_local_user=YES                         - Limit user to browse their own directory only
chroot_list_enable=YES                        - Enable list of system / power users
chroot_list_file=/etc/vsftpd.chroot_list      - Actual list of system / power users
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
dirmessage_enable=YES                         - Message greeting held in file .message or specify with message_file=...
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
#
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
        

Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
Ubuntu typically: /etc/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)

user1
user2
...
user-n

If userlist_enable=NO, then specify users not to be chroot'd..

[Potential Pitfall]: Mispelling a directive will cause vsftpd to fail with little warning.

File: .message

A NOTE TO USERS UPLOADING FILES:
File names may consist of letters (a-z, A-Z), numbers (0-9),
an under score ("_"), dash ("-") or period (".") only.
The file name may not begin with a period or dash.

Test if vsftp is listening: netstat -a | grep ftp

[root]# netstat -a | grep ftp
tcp        0      0 *:ftp                       *:*                         LISTEN

WU-FTPd and FTP user account configuration:

The wu-ftpd FTP server can be downloaded (binary or source) from it's home page at http://wu-ftpd.org.

There are three kinds of FTP logins that wu-ftpd provides:

• anonymous FTP - one logs in with the username 'anonymous'
• real FTP - log in with a real username and password and has access to the entire disk structure.
• guest FTP - one logs in with a real user name and password, but the user is chroot'ed to his home directory and cannot escape from it. They are constrained to their home directory which also means that they don't have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be set up.

This tutorial covers "guest" FTP configuration.


The file /etc/ftpaccess controls the configuration of ftp.

# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99 %65534-

class   all   real,guest  *
email webmaster@your-domain.com
loginfails 5

readme  README*    login
readme  README*    cwd=*
message /welcome.msg            login
message .message                cwd=*

compress        yes             all
tar             yes             all
chmod           no              guest,anonymous
delete          no              anonymous    # delete files permission?
overwrite       no              anonymous    # overwrite files permission?
rename          no              anonymous    # rename files permission?
delete          yes             guest        # delete files permission?
overwrite       yes             guest        # overwrite files permission?
rename          yes             guest        # rename files permission?
umask           no              guest        # umask permission?

log transfers anonymous,real inbound,outbound

shutdown /etc/shutmsg

passwd-check rfc822 warn

# Must also create message file /etc/pathmsg of the guest directory.
# In this case it refers to /home/user1/public_html/etc/pathmsg.
path-filter  guest /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-
limit all 2
noretrieve passwd .htaccess core    - Do not allow users to download files of these names
limit-time * 20
byte-limit in 5000                  - Limit file size
guestuser *      - Set system user default to be categorized as a "guest". A "real" user can roam the system. Guestuser is chrooted.
realgroup regularuserx regularusery - Assign real user privileges to members of groups "regularuserx" and "regularusery".
                                     Visibility of the whole file system and subject to regular UNIX file permissions
realuser user4                      - Assign real user privileges to user id "user4". 

restricted-uid user1 user2 user3    - Restricts FTP to the specified directories
guest-root /home/user1/public_html user1
guest-root /home/user2/public_html user2
guest-root /home/user3/public_html user3




            

Note:

• user1, user2 and user3 refer to login accounts. Use the appropriate login name.
• The above configuration disables anonymous FTP which allows anyone to perform an FTP login with the id anonymous and an email address as a password. To enable anonymous FTP, change the class directive to:
  

  class all real,guest,anonymous *

• GUI FTP configuration tools:
  • /usr/bin/kwuftpd
  • /sbin/linuxconf
    (Note: Linuxconf is no longer included with Red Hat 7.3 and later)
• Red Hat Linux assigns users a user id and group id which is the same. This means that it does not matter if you use a realuser or realgroup directive as they will act the same.
• Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections. Thus xinetd must be running and configured to support ftp. The configuration file is /etc/xinetd.d/wu-ftpd. The command chkconfig wu-ftpd on will make the ftp server available. See xinet configuration for more info.
• Allow overide of deny-uid and/or deny-gid:

       allow-uid user-to-allow
   allow-gid group-to-allow
  

• Optional configuration:
  • Create a group ftpchroot
  • Add users to this group
  • Use directive: guestgroup ftpchroot

[Potential Pitfall]: Flakey ftp behavior, timeouts, etc?? FTP works best with name resolution of the computer it is communicating with. This requires proper /etc/resolve.conf and name server (bind) configuration, /etc/hosts or NIS/NFS configuration.

File /home/user1/public_html/etc/pathmsg:

A NOTE TO USERS UPLOADING FILES:
File names may consist of letters (a-z, A-Z), numbers (0-9),
an under score ("_"), dash ("-") or period (".") only.
The file name may not begin with a period or dash.
You have tried to upload a file with an inappropriate name.

The whole point of the chroot directory is to make the user's home directory appear to be the root of the filesystem (/) so one could not wander around the filesystem. Configuration of /etc/ftpaccess will limit the user to their respective directories while still offering access to /bin/ls and other system commands used in FTP operation.

As root:

cd /home/user1
mkdir public_html
chown $1.$1 public_html
touch .rhosts             - Security protection
chmod ugo-xrw .rhosts
            

Man Pages:

Server:

• ftpd - Internet File Transfer Protocol server

File Formats:

• /etc/ftpaccess - Configuration file for ftpd
• /etc/ftpservers - ftpd virtual hosting configuration file. (optional)
• /etc/ftphosts - allow or deny access to certain accounts from various hosts. (optional)
• /etc/ftpconversions - ftpd conversions database (for tar and compression)
• /var/log/xferlog - FTP server logfile
• ftp - File Transfer Client program

les: (RH 8.0+)

• PAM configuration file: /etc/pam.d/ftp

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth







Xinetd configuration file: /etc/xinetd.d/wu-ftpd

service ftp
{
    disable = no
    socket_type             = stream
    wait                    = no
    user                    = root
    server                  = /usr/sbin/in.ftpd
    server_args             = -l -a
    log_on_success          += DURATION USERID
    log_on_failure          += USERID
    nice                    = 10




Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd.
    

/var/log/xferlog {
nocompress
}



      

Logrotate configuration file: /etc/logrotate.d/ftpd

Domain Name Server (DNS) configuration (redhat/fedora)

Domain Name Server (DNS) configuration using Bind version 8 or 9

Primary server (master)

/etc/named.conf
______________________________________________________________________

options {
       version "Bind";                       - Don't disclose real version to hackers
       directory "/var/named";
       allow-transfer { XXX.XXX.XXX.XXX; };  - IP address of secondary DNS
       recursion no;
       fetch-glue no;                  - Bind 8 only! Not used by version 9
};
zone "your-domain.com"{
       type master;
       file "named.your-domain.com";
       notify yes;
};
zone "0.0.127.in-addr.arpa"{
       type master;
       file "named.local";
       allow-update { none; };
};

______________________________________________________________________

File: /var/named/named.your-domain.com

______________________________________________________________________

$TTL 604800         - Bind 9 (and some of the later versions of Bind 8) requires $TTL statement. Measured in seconds. This value is 7 days.
your-domain.com.    IN      SOA  ns1.your-domain.com.  hostmaster.your-domain.com. (
  2000021600 ; serial     - Many people use year+month+day+integer as a system. Never greater than 2147483647 for a 32 bit processor.
  86400 ; refresh         - How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)
  7200 ; retry            - How long secondary server should wait for a retry if contact failed.
  1209600 ; expire        - Secondary server to purge info after this length of time.
  604800 ) ; default_ttl  - How long data is held in cache by remote servers.
      IN A       XXX.XXX.XXX.XXX  - Note that this is the default IP address of the domain.
                                    I put the web server IP address here so that domain.com points to the same servers as www.domain.com
;
; Name servers for the domain
;
      IN NS         ns1.your-domain.com.
      IN NS         ns2.your-domain.com.
;
; Mail server for domain
;
      IN MX    5    mail               - Identify "mail" as the node handling mail for the domain. Do NOT specify an IP address!
;
; Nodes in domain
;
node1  IN A          XXX.XXX.XXX.XXX    - Note that this is the IP address of node1
ns1    IN A          XXX.XXX.XXX.XXX    - Optional: For hosting your own primary name server. Note that this is the IP address of ns1
ns2    IN A          XXX.XXX.XXX.XXX    - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2
mail   IN A          XXX.XXX.XXX.XXX    - Identify the IP address for node mail.
      IN MX    5    XXX.XXX.XXX.XXX    - Identify the IP address for mail server named "mail".
;
; Aliases to existing nodes in domain
;

www    IN CNAME      node1              - Define the webserver "www" to be node1.
ftp    IN CNAME      node1              - Define the ftp server to be node1.

______________________________________________________________________


     
MX records for 3rd party off-site mail servers:        

______________________________________________________________________

your-domain.com.    IN MX  10 mail1.offsitemail.com.
your-domain.com.    IN MX  20 mail2.offsitemail.com.

note: append to the above file
______________________________________________________________________
 

Secondary server (slave)

/etc/named.conf

______________________________________________________________________

options {
       version "Bind";                 - Don't disclose real version to hackers
       directory "/var/named";
       allow-transfer { none; };
       recursion no;
       fetch-glue no;                  - Bind 8 only! Not used by version 9
};
zone "your-domain.com"{
       type slave;         
       file "named.your-domain.com";   - Specify slaves/named.your-domain.com for RHEL4 chrooted bind
       masters { XXX.XXX.XXX.XXX; };   - IP address of primary DNS
};
zone "0.0.127.in-addr.arpa"{
       type master;
       file "named.local";
};

Bind Defaults:

• Uses port 53 if none is specified with the listen-on port statement.
• Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on port 53, specify the following option statement in /etc/named.conf

query-source address * port 53;

Logging is to : /var/log/messages


After the configuration files have been edited, restart the name daemon.
/etc/rc.d/init.d/named restart


/var/named/named.your-domain.com

This is created for you by Bind on the slave (secondary) server when it replicates from Primary server.

Test DNS

install packages:

• Red Hat / Fedora Core / SuSE: bind-utils

Test the name server with the host command in interactive mode:

   host  node.domain-to-test.com your-nameserver-to-test.domain.com
         

Note: The name server may also be specified by IP address.

or

Test the name server with the nslookup command in interactive mode:

   nslookup
  > server your-nameserver-to-test.domain.com
  > node.domain-to-test.com
  > exit
         

Test the MX record if appropriate:

   nslookup -querytype=mx domain-to-test.com
 
  OR

  host -t mx domain-to-test.com
         

Test using the dig command:

   dig @name-server domain-to-query

  OR

  dig @IP-address-of-name-server domain-to-query
         

Test your DNS with the following DNS diagnostics web site: DnsStuff.com

Extra logging to monitor Bind:

Add the following to your /etc/named.conf file.

logging {
       channel bindlog {
                          file "/var/log/bindlog"  versions 5 size 1m;     - Keep five old versions of the log-file (rotates logs)
                          print-time yes;
                          print-category yes;
                          print-severity yes;
                       };
       category xfer-out { bindlog; };         - Zone transfers
       category xfer-in  { bindlog; };         - Zone transfers
       category security { bindlog; };         - Approved/unapproved requests

//      The following logging statements, panic, insist and response-checks are valid for Bind 8 only. Do not user for version 9.
       category panic { bindlog; };            - System shutdowns
       category insist { bindlog; };           - Internal consistency check failures
       category response-checks { bindlog; };  - Messages
};

Chroot Bind for extra security:

---

Chrooted DNS configuration:

Modern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4) come preconfigured to use "chrooted" bind. This security feature forces even an exploited version of bind to only operate within the "chrooted" jail /var/named/chroot which contains the familiar directories:

• /var/named/chroot/etc: Configuration files
• /var/named/chroot/dev: devices used by bind:
  • /dev/null
  • /dev/random
  • /dev/zero
  (Real devices created with the mknod command.)
• /var/named/chroot/var: Zone files and configuration information.

These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".

If building from source you will have to generate this configuration manually:

• mkdir -p /var/named/chroot
• mkdir /var/named/chroot/dev
• mknod /var/named/chroot/dev/null c 1 3
• mknod /var/named/chroot/dev/zero c 1 5
• mknod /var/named/chroot/dev/random c 1 8
• chmod 666 -R /var/named/chroot/dev
• mkdir -p /var/named/chroot/etc
• ln -s /var/named/chroot/etc/named.conf /etc/named.conf
• mkdir -p /var/named/chroot/var/named
• ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
• ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
• ...
• mkdir -p /var/named/chroot/var/named/slaves
• mkdir -p /var/named/chroot/var/named/data
• mkdir -p /var/named/chroot/var/run
• mkdir -p /var/named/chroot/var/tmp
• chown -R named:named /var/named/chroot
• chown -R root:named /var/named/chroot/var/named

---

Load Balancing of servers using Bind: DNS Round-Robin

This will populate name servers around the world with different IP addresses for your web server www.your-domain.com

www0   IN  A       XXX.XXX.XXX.1
           www1   IN  A       XXX.XXX.XXX.2
           www2   IN  A       XXX.XXX.XXX.3
           www3   IN  A       XXX.XXX.XXX.4
           www4   IN  A       XXX.XXX.XXX.5
           www5   IN  A       XXX.XXX.XXX.6

           www    IN  CNAME   www0.your-domain.com.
                  IN  CNAME   www1.your-domain.com.
                  IN  CNAME   www2.your-domain.com.
                  IN  CNAME   www3.your-domain.com.
                  IN  CNAME   www4.your-domain.com.
                  IN  CNAME   www5.your-domain.com.
                  IN  CNAME   www6.your-domain.com.

change my IP address...

Before trying any other methods to change your IP address, try turning off (or unplugging the power of) your Cable/DSL modem for five minutes. In many cases this will change your IP address. However, if that does not change your IP address, repeat the process for 8 hours (overnight works well) instead of 5 minutes. Hopefully this will result in an IP change.

If the above does not result in your IP address changing, please look through the below for the situation that best matches yours and attempt to change your IP address that way. Unfortunately you are not able to get your IP address to change in all cases, as it is ultimate determined by your ISP's DHCP configuration (when you've got a dynamically assigned IP address, that is.)

Windows - Computer connected directly to the modem

1. Get to a command prompt. (START, run, cmd).
   
2. Type "ipconfig /release" (without the quotes, on the command line by itself).
3. Type "ipconfig /renew" (without the quotes, on the command line by itself).

Windows (second option) - Computer connected directly to the modem

1. Get to a command prompt. (START, run, cmd).
2. Type "ipconfig /release" (without the quotes).
3. Shut down computer.
4. Turn off computer.
5. Turn off all ethernet hubs/switches.
6. Turn off cable/DSL modem.
7. Leave off overnight.
8. Turn everything back on.

Network with Router

1. Log into the router's admin console. (Often http://192.168.1.1/)
2. Release the IP address. (Method varies by router manufacturer)
3. Turn off router, ethernet hubs/switches, and the cable/DSL modem.
4. Leave off overnight.
5. Turn everything back on.

If you are using a cable/DSL modem and a router, you may wish to connect your computer directly to the cable/DSL modem. Please note that this could significantly impact your system security. This allows your ISP's DHCP to issue you a new (hopefully changed) IP address based of the (hardware) MAC address of your computer's ethernet card.

If all the above has not worked to change your IP address and you have a router, check and see if there is a "Clone MAC Address" option. Using it should change your IP address, however, you'll only be able to do it once (in most cases).

These will not work in all cases. If all else fails contact your internet service provider (ISP) and ask them if they are able to change your IP address or how long your connection needs to be off for your IP address to change.

If you trying to change your IP address because you are just trying to access web based forums you may wish to attempt to configure your internet browser to use a proxy server.

Proxy anonymity

The exchange of information in Internet is made by the “client - server” model. A client sends a request (what files he needs) and a server sends a reply (required files). For close cooperation (full understanding) between a client and a server the client sends additional information about itself: a version and a name of an operating system, configuration of a browser (including its name and version) etc. This information can be necessary for the server in order to know which web-page should be given (open) to the client. There are different variants of web-pages for different configurations of browsers. However, as long as web-pages do not usually depend on browsers, it makes sense to hide this information from the web-server.

What information transmits to a web-server (by a browser or proxy server):

• a name and a version of an operating system
• a name and a version of a browser
• configuration of a browser (display resolution, color depth, java / javascript support, etc.)
• IP-address of a client
• Other information

The most important part of such information (and absolutely needless for a web-server) is information about IP-address. Using your IP it is possible to know about you the following:

• a country where you are from
• a city
• your provider’s name and e-mail
• your physical address

Information, transmitted by a client to a server is available (accessible) for a server as environment variables. Every information unit is a value of some variable. If any information unit is not transmitted, then corresponding variable will be empty (its value will be undetermined).

These are some environment variables:

REMOTE_ADDR – IP address of a client
HTTP_VIA – if it is not empty, then a proxy is used. Value is an address (or several addresses) of a proxy server, this variable is added by a proxy server itself if you use one.
HTTP_X_FORWARDED_FOR – if it is not empty, then a proxy is used. Value is a real IP address of a client (your IP), this variable is also added by a proxy server if you use one.
HTTP_ACCEPT_LANGUAGE – what language is used in browser (what language a page should be displayed in).
HTTP_USER_AGENT – so called “a user’s agent”. For most browsers this is Mozilla. Furthermore, browser’s name and version (e.g. MSIE 5.5) and an operating system (e.g. Windows 98) is also mentioned here.
HTTP_HOST – is a web server’s name

This is a small part of environment variables. In fact there are much more of them (DOCUMENT_ROOT, HTTP_ACCEPT_ENCODING, HTTP_CACHE_CONTROL, HTTP_CONNECTION, SERVER_ADDR, SERVER_SOFTWARE, SERVER_PROTOCOL, ...). Their quantity can depend on settings of both a server and a client.

These are examples of variable values:

REMOTE_ADDR = 194.85.1.1
HTTP_ACCEPT_LANGUAGE = ru
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP_HOST = www.webserver.ru
HTTP_VIA = 194.85.1.1 (Squid/2.4.STABLE7)
HTTP_X_FORWARDED_FOR = 194.115.5.5

Anonymity at work in Internet is determined by what environment variables “hide” from a web-server.

If a proxy server is not used, then environment variables look in the following way:

REMOTE_ADDR = your IP
HTTP_VIA = not determined
HTTP_X_FORWARDED_FOR = not determined

According to how environment variables “hided” by proxy servers, there are several types of proxies.

Transparent Proxies

They do not hide information about your IP address:

REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = your IP

The function of such proxy servers is not the improvement of your anonymity in Internet. Their purpose is information cashing, organization of joint access to Internet of several computers, etc.

Anonymous Proxies

All proxy servers, that hide a client’s IP address in any way are called anonymous proxies.

Simple Anonymous Proxies

These proxy servers do not hide a fact that a proxy is used, however they replace your IP with its own:
REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = proxy IP

These proxies are the most widespread among other anonymous proxy servers.

Distorting Proxies

As well as simple anonymous proxy servers these proxies do not hide the fact that a proxy server is used. However a client’s IP address (your IP address) is replaced with another (arbitrary, random) IP:

REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = random IP address

High Anonymity Proxies (Elite proxies)

These proxy servers are called “high anonymity proxy” or "elite proxy". In contrast to other types of anonymity proxy servers they hide a fact of using a proxy:

REMOTE_ADDR = proxy IP
HTTP_VIA = not determined
HTTP_X_FORWARDED_FOR = not determined

That means that values of variables are the same as if proxy is not used, with the exception of one very important thing – proxy IP is used instead of your IP address.

Summary

Depending on purposes there are transparent and anonymity proxies. However, remember, using proxy servers you hide only your IP from a web-server, but other information (about browser configuration) is accessible!

Java

• Fedora Core provides an open source implementation of Java. See http://fedora.redhat.com/docs/release-notes/fc5/test3-latest-en/#sn-Java for information about this. However many users, myself included, prefer Sun Java for their purposes. To install Sun Java open Firefox, go to http://java.sun.com/j2se/1.5.0/download.jsp, click on Download JRE 5.0 Update 8, click the radio button to accept the license agreement, under "Linux Platform - J2SE(TM) Runtime Environment 5.0 Update 8" click on "Linux self-extracting file", to download jre-1_5_0_08-linux-i586.bin (save to disk). This should save the file to your home folder. If it saves the file to your desktop instead go to your desktop and drag the file into your "Home" folder. (Left mouse click on the file and drag it on top of your "Home" folder while holding the left mouse button down. Then release the mouse button.)

• If you have not already done so go to "System" > "Administration" > "Security Level and Firewall". Enter your root password and click "ok". On the "SELinux" tab click on "Modify SELinux Policy", click on "Compatibility" to open it and tick the check box next to "Allow the use of shared libraries with Text Relocation". Click "ok". Reboot your machine to implement the new SELinux policy.

• Open a terminal. Type:

  su
  

  Hit enter. Type your root password. Hit enter.

• Type:

  mv *.bin /opt
  

  Hit enter.

• Type:

  cd /opt
  

  Hit enter.

• Type:

  chmod +x *-linux-i586.bin
  

  Hit enter.

• Type:

  ./*.bin
  

  Hit enter. Hold the enter key down until the yes/no line appears to allow you to agree to the license agreement. Type "yes" and hit enter. Wait for the installation to complete.

• Type:

  rm *.bin
  

  Hit enter. Type "y" and hit enter.

• Type:

  su -
  

  Hit enter. This gives you root privileges and also puts you in the /root directory.

• Type:

  ln -s /opt/jre1.5.0_08/plugin/i386/ns7/libjavaplugin_oji.so /usr/lib/mozilla/plugins/libjavaplugin_oji.so
  

  (Note that by default Firefox looks in /usr/lib/mozilla/plugins for its plugins. If you have trouble with your plugins in Firefox you could substitute "firefox-1.5.0.1" or your most recent firefox directory name in place of "mozilla" in the above command.) Hit enter. Close the terminal. Restart Firefox to enable the java plugin. You could go to http://www.java.com/en/download/help/testvm.xml to test your java plugin installation.

  (If you wish to install the JDK which includes the Java development environment rather than the JRE download the JDK .bin file from Sun instead of the JRE .bin file, substitute "jdk1.5.0_08" for "jre1.5.0_08" in the commands above and below and use "ln -s /opt/jdk1.5.0_08/jre/plugin/i386/ns7/libjavaplugin_oji.so /usr/lib/mozilla/plugins/libjavaplugin_oji.so" rather than "ln -s /opt/jre1.5.0_08/plugin/i386/ns7/libjavaplugin_oji.so /usr/lib/mozilla/plugins/libjavaplugin_oji.so" to create the browser plugin.)

  We are not done with Java quite yet, even though your browser plugin is working. Please proceed to the next step.

• If you wish to run Java applications such as LimeWire, JAlbum or Azureus and you have installed the Sun J2SE JRE into /opt as described above, open a terminal and type:

  su -
  

  Hit enter. Type your root password. Hit enter.

• Type:

  gedit /etc/profile.d/java.sh
  

  Hit enter.

• In gedit type or copy and paste these lines:

  export J2RE_HOME=/opt/jre1.5.0_08
  export PATH=$J2RE_HOME/bin:$PATH
  
  

  Be sure to enter a carriage return after these lines. Click on the "save" icon in gedit and exit gedit.

• In the terminal (which should still be open) type:

  source /etc/profile.d/java.sh
  

  Hit enter.

• Type:

  which java
  

  Hit enter.

• You should see:

  /opt/jre1.5.0_08/bin/java
  

• Type:

  /usr/sbin/alternatives --install /usr/bin/java java /opt/jre1.5.0_08/bin/java 2
  

  Hit enter.

• Type:

  /usr/sbin/alternatives --config java
  

  Hit enter.

• You should see:

  There are 2 programs which provide 'java'.
  
   Selection    Command
  -----------------------------------------------
  *  1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
  + 2           /opt/jre1.5.0_08/bin/java
  
  Enter to keep the current selection[+], or type selection number:
  

• Type:

  2
  

  Hit enter.

• Type:

  /usr/sbin/alternatives --display java
  

  Hit enter.

• You should see:

  java - status is manual.
  link currently points to /opt/jre1.5.0_08/bin/java
  /usr/lib/jvm/jre-1.4.2-gcj/bin/java - priority 1420
  slave rmiregistry: /usr/lib/jvm/jre-1.4.2-gcj/bin/rmiregistry
  slave jre_exports: /usr/lib/jvm-exports/jre-1.4.2-gcj
  slave jre: /usr/lib/jvm/jre-1.4.2-gcj
  /opt/jre1.5.0_08/bin/java - priority 2
  slave rmiregistry: (null)
  slave jre_exports: (null)
  slave jre: (null)
  Current `best' version is /usr/lib/jvm/jre-1.4.2-gcj/bin/java.
  

  You should now be able to install and run Java applications.

Yum

To configure your Fedora Core 5 yum application to use the RPMForge repositories proceed as follows:

• Open the terminal. Type:

  su -
  

  Hit enter. Type your root password. Hit enter.

• Type:

  rpm -ivh http://ftp.freshrpms.net/pub/freshrpms/fedora/linux/5/freshrpms-release/freshrpms-release-1.1-1.fc.noarch.rpm
  

  Hit enter and wait for the installation to complete.

• Type:

  gedit /etc/yum.repos.d/macromedia.repo
  

  Hit enter and gedit will open.

• Type or copy and paste the following in gedit:

  [macromedia]
  name=Macromedia for i386 Linux
  baseurl=http://macromedia.rediris.es/rpm/
  #baseurl=http://macromedia.mplug.org/rpm/
  #baseurl=http://sluglug.ucsc.edu/macromedia/rpm/
  enabled=1
  gpgcheck=1
  gpgkey=http://macromedia.rediris.es/FEDORA-GPG-KEY
  
  

  Be sure there is a carriage return (blank line) at the bottom of the file. Click the "save" icon in gedit and then close gedit.

• Type:

  gedit /etc/yum.repos.d/dries.repo
  

  Hit enter and gedit will open.

• Type or copy and paste the following in gedit:

  [dries]
  name=Extra Fedora rpms dries - $releasever - $basearch
  baseurl=http://ftp.belnet.be/packages/dries.ulyssis.org/fedora/linux/$releasever/$basearch/dries/RPMS/
  enabled=1
  gpgcheck=1
  
  

  Be sure there is a carriage return (blank line) at the bottom of the file. Click the "save" icon in gedit and then close gedit.

• While still in the root terminal type:

  rpm --import http://freshrpms.net/packages/RPM-GPG-KEY.txt
  

  Hit enter. You have just imported the GPG key for the freshrpms repository.

• Also type:

  rpm --import http://apt.sw.be/dries/RPM-GPG-KEY.dries.txt
  

  Hit enter. You have just imported the GPG key for the dries repository.

• Type:

  yum -y update
  

  Hit enter. Your system will be updated. Reboot your machine.

• Note: You can temporarily disable a troublesome repository with a command such as, for example "yum -y --disablerepo updates update" as root. This is especially useful if you get the message "No more mirrors to try..." which occurs occasionally when the mirrors are very busy or down. To clean your repository data and get a fresh list of updates do a "yum clean all" followed by a "yum -y update" as root. Please see the official Fedora Core Yum guide at http://fedora.redhat.com/docs/yum/ for more details about Yum and its configuration. (Tip: Some users have reported better success with yum updates if they edit the repository files in the /etc/yum.repos.d directory and remove the comment mark ("#") from the beginning of the "baseurl=" lines, especially if they are getting "Error: Cannot find a valid baseurl for repo:" errors.)

Special Attributes on files (use "+" to set permissions and "-" to remove)
chattr +a file1	allows write opening of a file only append mode
chattr +c file1	allows that a file is compressed / decompressed automatically by the kernel
chattr +d file1	makes sure that the program ignores Dump the files during backup
chattr +i file1	makes it an immutable file, which can not be removed, altered, renamed or linked
chattr +s file1	allows a file to be deleted safely
chattr +S file1	makes sure that if a file is modified changes are written in synchronous mode as with sync
chattr +u file1	allows you to recover the contents of a file even if it is canceled
lsattr	show specials attributes

Permits on Files (use "+" to set permissions and "-" to remove)
ls -lh	show permits
ls /tmp | pr -T5 -W$COLUMNS	divide terminal into 5 columns
chmod ugo+rwx directory1	set permissions reading (r), write (w) and (x) access to users owner (u) group (g) and others (o)
chmod go-rwx directory1	remove permits reading (r), write (w) and (x) access to users group (g) and others (or
chown user1 file1	change owner of a file
chown -R user1 directory1	change user owner of a directory and all the files and directories contained inside
chgrp group1 file1	change group of files
chown user1:group1 file1	change user and group ownership of a file
find / -perm -u+s	view all files on the system with SUID configured
chmod u+s /bin/file1	set SUID bit on a binary file - the user that running that file gets same privileges as owner
chmod u-s /bin/file1	disable SUID bit on a binary file
chmod g+s /home/public	set SGID bit on a directory - similar to SUID but for directory
chmod g-s /home/public	disable SGID bit on a directory
chmod o+t /home/public	set STIKY bit on a directory - allows files deletion only to legitimate owners
chmod o-t /home/public	disable STIKY bit on a directory