DNS Configuration

Shared by: Arthur Fincher
posted: 8/3/2008
DNS Setup

DNS Configuration

The named daemon is used. A DNS server may be a caching, master or slave server. The named.ca file holds the list of all root servers (the root hints). There is a forward zone file and a reverse zone file for every domain.

Configuration file: /var/named/chroot/etc/named.conf
Forward zone file: /var/named/chroot/var/named/
Reverse zone file: /var/named/chroot/var/named/



Sample Master named.conf

    zone "." {
        type hint;
        file "named.ca";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
        allow-query { any; };
    };
    zone "iitk.ac.in" {
        type master;
        file "hosts.db";
        allow-query { any; };
    };
    zone "95.200.203.IN-ADDR.ARPA" {
        type master;
        file "hosts.rev.203.200.95";
        allow-query { any; };
    };
    zone "iitk.ernet.in" {
        type slave;
        file "hosts.iitk.ernet.in";
        masters { 202.141.40.10; };
        allow-query { any; };
    };



Sample Forward Zone File

    $TTL 86400
    @   IN SOA ns1.iitk.ac.in. root.ns1.iitk.ac.in. (
                200605091   ; Serial
                10800       ; Refresh - 3 hours
                3600        ; Retry - 1 hour
                1209600     ; Expire - 1 week
                43200 )     ; Minimum TTL for negative answers - 12 hours
        IN NS    ns1.iitk.ac.in.
        IN NS    ns2.iitk.ac.in.
        IN MX 5  mail0.iitk.ac.in.
        IN MX 10 mail1.iitk.ac.in.
        IN MX 20 mail2.iitk.ac.in.

    $ORIGIN iitk.ac.in.
    ns1     IN A     203.200.95.142
    mail0   IN A     203.200.95.144
    proxy   IN CNAME mail0



Sample Reverse Zone File

    $TTL 86400
    $ORIGIN 200.203.in-addr.arpa.
    95  IN SOA ns1.iitk.ac.in. root.ns1.iitk.ac.in. (
                200605091   ; Serial
                10800       ; Refresh - 3 hours
                3600        ; Retry - 1 hour
                1209600     ; Expire - 1 week
                43200 )     ; Minimum TTL for negative answers - 12 hours
        IN NS   ns1.iitk.ac.in.
        IN NS   ns2.iitk.ac.in.
    $ORIGIN 95.200.203.in-addr.arpa.
    ;
    142     IN PTR  ns1.iitk.ac.in.
    144     IN PTR  mail0.iitk.ac.in.
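As an added example (not code from the slides), the following Python script cross-checks the forward and reverse zone files above: it resolves $ORIGIN-relative names and reports A records without a matching PTR and PTRs without a matching A, which is the mismatch that breaks reverse lookups for mail and logging. The zone text is a constructed copy of the samples, trimmed to the $ORIGIN/A/PTR/CNAME lines this small parser handles.

```python
# Added example: constructed copy of the page's zone samples ($ORIGIN/A/PTR/CNAME subset).
FORWARD = """\
$ORIGIN iitk.ac.in.
ns1     IN A     203.200.95.142
mail0   IN A     203.200.95.144
proxy   IN CNAME mail0
"""
REVERSE = """\
$ORIGIN 95.200.203.in-addr.arpa.
142     IN PTR   ns1.iitk.ac.in.
144     IN PTR   mail0.iitk.ac.in.
"""

def absolute(name, origin):
    """Qualify a relative name under origin ('@' means the origin itself)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}".rstrip(".") + "."

def parse_zone(text):
    """Return {(owner, rtype): rdata}; names made absolute, A rdata kept as an IP."""
    origin, records = ".", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop ; comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif not line.startswith("$"):                  # skip $TTL etc.
            owner, _cls, rtype, rdata = line.split(None, 3)
            rdata = rdata if rtype == "A" else absolute(rdata, origin)
            records[(absolute(owner, origin), rtype)] = rdata
    return records

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."   # 203.200.95.142 -> 142.95.200.203.in-addr.arpa.

def check_consistency(fwd, rev):
    """List A records lacking a matching PTR and PTRs lacking a matching A."""
    a_recs = {o: ip for (o, t), ip in fwd.items() if t == "A"}
    ptrs = {o: host for (o, t), host in rev.items() if t == "PTR"}
    problems = []
    for host, ip in a_recs.items():
        if ptrs.get(reverse_name(ip)) != host:
            problems.append(f"{host} A {ip} has no PTR {reverse_name(ip)}")
    for rname, host in ptrs.items():
        if host not in a_recs or reverse_name(a_recs[host]) != rname:
            problems.append(f"{rname} PTR {host} has no matching A record")
    return problems
```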



Configuring Local Resolver

/etc/resolv.conf:

    nameserver 127.0.0.1



Test DNS

Use the nslookup, host and dig tools.

Test your DNS with the following DNS diagnostics web site: dnsstuff.com



Apache Setup

Web Server

The Apache web server is used. The daemon is httpd (service httpd start/stop/restart).



Files used by Apache

Configuration file: /etc/httpd/conf/httpd.conf
Log files: /var/log/httpd/access_log and /var/log/httpd/error_log
Modules: /etc/httpd/modules
Default document root: /var/www/html
Default CGI root: /var/www/cgi-bin



Apache Configuration Directives

Server Name
Min and Max Servers
Document Root
CGI Enable/Disable
User Directory
Directory Index
MIME Types
Modules
Access Restrictions
Secure Server
Virtual Hosting



Basic Settings

Change the default value for ServerName www. in httpd.conf and put the website content in /var/www/html.

Additionally you can configure name-based virtual hosting (allows more than one website to run on the same server).



Virtual Hosting

    NameVirtualHost *:80

    <VirtualHost *:80>
        ServerName server-name
        DocumentRoot path-to-virtual-document-root
    </VirtualHost>

    <VirtualHost *:80>
        ServerName server-name
        DocumentRoot path-to-virtual-document-root
    </VirtualHost>



Squid Setup

Obtaining Squid

Source code (in C) from www.squid-cache.org

Binary executables: Linux (comes with RedHat and others), FreeBSD, Windows
Pre-installed in Fedora/Enterprise Linux



Basic Settings

Edit the /etc/squid/squid.conf file to configure squid.

Configuration options:
Disk cache size and location
Authentication
Allowed hosts
Any other access restrictions (sites, content, size, time of access etc.) using ACLs

service squid start/stop/restart



Disc Requirements

Squid makes very heavy use of disc because of heavy read/write in the cache. It needs discs with low seek times; SCSI is better. The cache can be spread over 2 or more discs. RAID is not recommended, since cached data is not critical.



Calculating Disc Space

Recommend keeping at least 2 days' worth of objects; 10 days may be better.

Example: a 256 Kbps link loaded 10 hrs/day ~= 1 GB/day; assume 50% cacheable -> .5 GB/day
2 days of objects - 1 GB
10 days of objects - 5 GB



Squid.conf Basic Configuration

    cache_dir ufs /var/spool/squid/cache 100 16 256

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/shadow

    acl sidbiusers proxy_auth REQUIRED
    http_access allow sidbiusers
    acl our_network src 172.28.250.0/24
    http_access allow our_network

(Note: run squid -z the first time to create the cache directory and its subdirectories.)



Sendmail Setup

Sendmail Configuration

Daemon: sendmail
Configuration file: /etc/mail/sendmail.mc

Edit the following lines:

    LOCAL_DOMAIN(`localhost.localdomain')dnl

(Replace localhost.localdomain with the domain name for which the mail server is being configured.)

    DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

(Comment out this line by adding dnl at the start of the line.)

    dnl MASQUERADE_AS(`mydomain.com')dnl

(Remove dnl and replace mydomain.com with the domain name.)



Add the range of IP addresses of your network to the access file (e.g. "172.31   RELAY"). Run "make -C /etc/mail" to compile sendmail.mc and generate the sendmail.cf file.

Restart sendmail and watch for errors.
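The three sendmail.mc edits and the access-file entry above, applied by an added Python helper (not code from the slides) to a constructed three-line sample of the file. It relies on the m4 rule that dnl discards the rest of the line, which is why prefixing dnl disables a directive and removing it re-enables one; the domain name used is iitk.ac.in from the DNS slides.

```python
import re

# Constructed sample of the three sendmail.mc lines the slides say to edit.
SAMPLE_MC = """\
LOCAL_DOMAIN(`localhost.localdomain')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl MASQUERADE_AS(`mydomain.com')dnl
"""

def configure_sendmail_mc(text, domain):
    """Return sendmail.mc text with the slides' three edits applied.

    In m4, 'dnl' discards everything up to the end of the line, so a leading
    'dnl ' comments a directive out and removing it re-enables the directive.
    """
    out = []
    for line in text.splitlines():
        if line.startswith("LOCAL_DOMAIN("):
            # 1. replace localhost.localdomain with the served domain
            line = f"LOCAL_DOMAIN(`{domain}')dnl"
        elif line.startswith("DAEMON_OPTIONS(") and "Addr=127.0.0.1" in line:
            # 2. comment out the loopback-only listener so the MTA also
            #    accepts SMTP connections from the network
            line = "dnl " + line
        elif re.match(r"dnl\s+MASQUERADE_AS\(", line):
            # 3. enable masquerading with the real domain name
            line = f"MASQUERADE_AS(`{domain}')dnl"
        out.append(line)
    return "\n".join(out) + "\n"

def access_entry(network_prefix):
    """Build the /etc/mail/access line that allows a network prefix to relay."""
    return f"{network_prefix}\tRELAY"
```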



POP & IMAP Server

POP3 and IMAP servers can be started using the dovecot server (service dovecot start).



Firewall

Basic Setup

[Diagram: Internet, Firewall, Application/Web Server, Database]



Firewall Rules

IP address of source (allow from trusted sources)
IP address of destination (allow to trusted destinations)
Application port number (allow mail but restrict Telnet)
Direction of traffic (allow outgoing traffic but restrict incoming traffic)
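An added example (not from the slides) of a first-match packet filter that applies the four criteria above: direction, source, destination and port, with a default of deny for anything not explicitly allowed. The rule set and the outside addresses are constructed for illustration; 203.200.95.144 (mail0) and 172.28.250.0/24 are taken from the DNS and Squid slides.

```python
import ipaddress

ANY = "0.0.0.0/0"
# Constructed rule set: (direction, src_net, dst_net, dst_port or None, action).
# Rules are tried top to bottom and the first match wins.
RULES = [
    ("out", ANY, ANY, None, "allow"),                # allow all outgoing traffic
    ("in", ANY, "203.200.95.144/32", 25, "allow"),   # allow mail to mail0 from anywhere
    ("in", "172.28.250.0/24", ANY, 22, "allow"),     # trusted network may use SSH
    ("in", ANY, ANY, 23, "deny"),                    # restrict Telnet explicitly
]

def _in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def decide(direction, src, dst, port, rules=RULES):
    """Return (action, index of matching rule); unmatched traffic is denied."""
    for idx, (rule_dir, src_net, dst_net, rule_port, action) in enumerate(rules):
        if rule_dir != direction:
            continue
        if not (_in_net(src, src_net) and _in_net(dst, dst_net)):
            continue
        if rule_port is not None and rule_port != port:
            continue
        return action, idx
    return "deny", None   # restrict incoming traffic unless a rule allows it

def audit(flows, rules=RULES):
    """Evaluate a list of (direction, src, dst, port) flows; return the denied ones."""
    return [f for f in flows if decide(*f, rules=rules)[0] == "deny"]
```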



Firewall Implementation

Hardware firewall: dedicated hardware box (Cisco PIX, Netscreen)
Software firewall: installable on a server ( )
Host OSs (Windows XP/Linux) also provide software firewall features to protect the host.

These days firewalls also provide IDS/IPS (Intrusion Detection System/Intrusion Prevention System) services.



Linux Security

Linux Firewall

Use the GUI (Applications -> System Settings -> Security Level) to activate the firewall. Allow standard services and any specific port-based application; all other services and ports are blocked.


