Linux Internet Web Server and Domain Configuration Tutorial

This tutorial assumes that a computer has Linux installed and running. See RedHat Installation for the basics. A connection to the internet is also assumed. A connection of 128 Mbits/sec or greater will yield the best results. ISDN, DSL, cable modem or better are all suitable. A 56k modem will work but the results will be mediocre at best. The tasks must also be performed with the root user login and password.

No single distribution seems to have an advantage. A Ubuntu, SuSe, Fedora, Red Hat or CentOS distribution will include all of the software you will need to configure a web server. If using Red Hat Enterprise Linux, both the Workstation or the Server edition will support your needs except that the Workstation edition will not include the vsFTP package. It will have to be compiled from source or use sftp.

Software Prerequisites: The Apache web server (httpd), FTP (requires xinetd or inetd) and Bind (named) software packages with their dependencies are all required. One can use the rpm command to verify installation:

• Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:

     rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd
      

  RPMs added FC2+: system-config-httpd
  RPMs added FC3+: httpd-suexec

• Red Hat 9.0

     rpm -q httpd bind xinetd vsftpd
  

  A Red Hat 8.0 wu-ftpd RPM may be installed (Newer version 2.6.2 or later with security fix wu-ftpd-2.6.2-11) or install from source (rev 14).

• Red Hat 8.0

     rpm -q httpd bind xinetd wu-ftpd
  

• Red Hat 7.x:

     rpm -q apache bind inetd wu-ftpd
  

  Use wu-ftpd version 2.6.2 or later to avoid security problems.

• SuSE 9.3:

     rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils vsftpd
  

  Note: The apache2-MPM is a generic term for Apache installation options for "Multi-Processing Modules (MPM)s "prefork" or "worker". If you try and only install apache2 you will get the following error:

     apache2-MPM is needed by apache2-2.0.53-9
  

  Also see Apache.org: MPMs

• Ubuntu (natty 11.04/14.04) / Debian:

     apt-get install apache2
     apt-get install bind9 
     apt-get install vsftpd 
  

• Ubuntu (dapper 6.06/hardy 8.04) / Debian:

     apt-get install apache2 apache2-common apache2-mpm-prefork apache2-utils
     apt-get install bind9 
     apt-get install vsftpd 
  

One should also have a working knowledge of the Linux init process so that these services are initiated upon system boot. See the YoLinux init process tutorial for more info.

The Apache web server configuration file is: /etc/httpd/conf/httpd.conf

Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:

Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for multiple domains. Serving for multiple domains may be achieved in two ways:

• Virtual hosts: One IP address but multiple domains - "Name based" virtual hosting.
• Multiple IP based virtual hosts: One IP address for each domain - "IP based" virtual hosting.

[Potential Pitfall] The default umask for directory creation is correct by default but if not use: chmod 755 /home/user1/public_html

[Potential Pitfall] When creating new "Directory" configuration directives, I found that placing them by the existing "Directory" directives to be a bad idea. It would not use the .htaccess file. This was because the statement defining the use of the .htaccess file was after the "Directory" statement. Previously in RH 6.x the files were separated and the order was defined a little different. I now place new "Directory" statements near the end of the file just before the "VirtualHost" statements.

For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.

Files used by Apache:

• Start/stop/restart script:
  • Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
  • SuSE 9.3: /etc/init.d/apache2
  • Ubuntu (dapper 6.06/hardy 8.04/natty 11.04/trusty 14.04) / Debian: /etc/init.d/apache2
• Apache main configuration file:
  • Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
  • SuSE: /etc/apache2/httpd.conf
    (Need to add directive: ServerName host-name)
  • Ubuntu (dapper 6.06/hardy 8.04/natty 11.04/trusty 14.04) / Debian: /etc/apache2/apache2.conf
• Apache supplementary configuration files:
  • Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
  • SuSE: /etc/apache2/conf.d/component.conf
  • Ubuntu (dapper 6.06/hardy 8.04/natty 11.04/trusty 14.04) / Debian:
    • Virtual domains: /etc/apache2/sites-enabled/domain
      (Create soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on. Use command a2ensite)
    • Additional configuration directives: /etc/apache2/conf.d/
    • Modules to load: /etc/apache2/mods-available/
      (Soft link to /etc/apache2/mods-enabled/ to turn on)
    • Ports to listen to: /etc/apache2/ports.conf
• /var/log/httpd/access_log and error_log - Red Hat/Fedora Core Apache log files
  (Suse: /var/log/apache2/)

Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or status.
i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read the configuration files to pick up any changes. To have this script invoked upon system boot issue the command chkconfig --add httpd. See Linux Init Process Tutorial for a more complete discussion.

Also Apache control tool: /usr/sbin/apachectl start

Apache Control Command: apachectl:

Apache control tool: apachectl - man page

Apache Configuration Files:

• /etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file. See Apache online documentation for the full manual.
• /etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache start-up. Used to store application specific configurations.
• /etc/sysconfig/httpd: Holds environment variables used when starting Apache.

Basic settings: Change the default value for ServerName www.<your-domain.com>

Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those directories necessary. This is done with the directory statement. Start by denying access to everything, then grant access to the necessary directories.

Deny access completely to file system root ("/") as the default:

<Directory />
   Options None
   AllowOverride None
</Directory>

DocumentRoot "/var/www/html"

<Directory "/var/www/html">
   Options Indexes FollowSymLinks
   AllowOverride None
   Order allow,deny
   Allow from all
   Require all granted   - This is required for Apache 2.4+
</Directory>

Grant access to a user's web directory: public_html

• Enabling Red Hat / Fedora Linux, Apache public_html user directory access:

  This will allow users to serve content from their home directories under the sub-directory "/home/userid/public_html/" by accessing the URL http://hostname/~userid/

  File: /etc/httpd/conf/httpd.conf

  LoadModule userdir_module modules/mod_userdir.so
  
  ...
  ...
  
  <IfModule mod_userdir.c>
      #UserDir disable             - Add comment to this line
      #
      # To enable requests to /~user/ to serve the user's public_html
      # directory, remove the "UserDir disable" line above, and uncomment
      # the following line instead:
      UserDir public_html          # Un-comment this line
  </IfModule>
  
  ...
  ...
  
  <Directory /home/*/public_html>
      AllowOverride FileInfo AuthConfig Limit
      Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
      <Limit GET POST OPTIONS>
          Order allow,deny
          Allow from all
      </Limit>
      <LimitExcept GET POST OPTIONS>
          Order deny,allow
          Deny from all
      </LimitExcept>
  </Directory>
  

  Change to a comment (add "#" at beginning of line) from Fedora Core default UserDir disable and assign the directory public_html as a web server accessible directory.
  OR
  Assign a single user the specific ability to share their directory:

  <Directory /home/user1/public_html>
     Options Indexes Includes FollowSymLinks
     AllowOverride None
     order allow,deny
     allow from all
     Require all granted   - This is required for Apache 2.4+
  </Directory>
  

  Allows the specific user, "user1" only, the ability to serve the directory /home/user1/public_html/

  Also use SELinux command to set the security context: setsebool httpd_enable_homedirs true

  Directory permissions: The Apache web server daemon must be able to read your web pages in order to feed their contents to the network. Use an appropriate umask and file protection. Allow access to web directory: chmod ugo+rx -R public_html.
  Note that the user's directory also has to have the appropriate permissions as it is the parent of public_html.
  Default permissions on user directory: ls -l /home
  drwx------ 20 user1 user1 4096 Mar 5 12:16 user1
  Allow the web server access to operate the parent directory: chmod ugo+x /home/user1
  d-wx--x--x 20 user1 user1 4096 Mar 5 12:16 user1

  One may also use groups to control permissions. See the YoLinux tutorial on managing groups.

• Enabling Ubuntu's Apache public_html user directory access:

  Ubuntu has broken out the Apache loadable module directives into the directory /etc/apache2/mods-available/. To enable an Apache module, generate soft links to the directory /etc/apache2/sites-enabled/ by using the commands a2enmod/a2dismod to enable/disable Apache modules.

  Example:
  • [root@node2]# a2enmod
    A list of available modules is displayed. Enter "userdir" as the module to enable.
  • Restart Apache with the following command: /etc/init.d/apache2 force-reload

  Note: This is the same as manually generating the following two soft links:

  • ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf
  • ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load
  Man page: a2enmod/a2dismod

  [Potential Pitfall]: If the Apache web server can not access the file you will get the error "403 Forbidden" "You don't have permission to access file-name on this server." Note the default permissions on a user directory when first created with "useradd" are:

  drwx------ 3 userx userx

  You must allow the web server running as user "apache" to access the directory if it is to display pages held there.

  Fix with command: chmod ugo+rx /home/userx

  drwxr-xr-x 3 userx userx

Config File Order Of Operation:

Red Hat/CentOS/Fedora/AWS configuration files are read in the following order:

1. /etc/httpd/conf/httpd.conf
   reads include files "Include conf.modules.d/*.conf" and "IncludeOptional conf.d/*.conf"
2. /etc/httpd/conf.modules/*.conf
3. /etc/httpd/conf.d/*.conf (typically virtual domain definitions for various web sites)
   The conf files are read in alphabetical order.

Ubuntu/Debian configuration files are read in the following order:

1. /etc/apache2/apache2.conf
   reads include files
2. /etc/apache2/mods-enabled/*.load
3. /etc/apache2/mods-enabled/*.conf
4. /etc/apache2/conf-enabled/*.conf
5. /etc/apache2/sites-enabled/*.conf (typically virtual domain definitions for various web sites)
   The conf files are read in alphabetical order.

The server default for access using the IP address is typically the first domain defined in "conf.d/*.conf" as defined by the alphabetical order. This is also the site hackers see when scanning the net via IP addresses. It is often a curse to have a domain starting with the letter "a" as mis-configured servers will lead all hacker traffic to this site. Thus it is good practice to to generate a default configuration for IP address access.

DirectoryIndex index.html
<VirtualHost *:80>
    ServerName   www4.defaultdomain.com
    DocumentRoot /srv/www/default/html
    ErrorLog     /var/log/httpd/1st-error.log
    TransferLog  /var/log/httpd/1st-access.log
    <Directory "/">
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /srv/www/default/html>
        Options FollowSymLinks MultiViews Includes
        IndexOptions SuppressLastModified SuppressDescription
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

SELinux security contexts:

The system enables/disables SELinux policies in the file /etc/selinux/config
SELinux can be turned off by setting the directive SELINUX. (Then reboot the system):

SELINUX=disabled

When using SELinux security features, the security context labels must be added so that Apache can read your files. The default security context label used is inherited from the directory for newly created files. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory. Move does not create a new file and thus the file does not receive the directory security context label. The context labels used for the default Apache directories can be viewed with the command: ls -Z /var/www
The web directories of users (i.e. public_html) should be set with the appropriate context label (httpd_sys_content_t).

Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html
Options:

• -R: Recursive. Files and directories in current directory and all sub-directories.
• -h: Affect symbolic links.
• -t: Specify type of security context.

Use the following security contexts:

Set the following options: setsebool httpd-option true
(or set to false)

• Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
• Red Hat/Fedora: service httpd restart

The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans

For more on SELinux see the YoLinux Systems Administration tutorial.

Virtual Hosts:

• Name based virtual host: (most common) A single computer with a single IP address supporting multiple web domains. The web browser using the http protocol, identifies the domain being addressed.
• IP based virtual host: The virtual hosts can be configured as a single multi-homed computer with multiple IP addresses on a single network card, with each IP address representing a different web domain. This has the appearance of a web domain supported by a dedicated computer because it has a dedicated IP address.

Configuring a "name based" virtual host:

NameVirtualHost XXX.XXX.XXX.XXX

<VirtualHost XXX.XXX.XXX.XXX>
   ServerName www.your-domain.com     - CNAME (DNS alias www) specified in (/var/named/...)
   ServerAlias your-domain.com        - Allows requests without the "www" prefix.
   ServerAdmin user1@your-domain.com
   DocumentRoot /home/user1/public_html
   ErrorLog logs/your-domain.com-error_log
   TransferLog logs/your-domain.com-access_log
</VirtualHost>

• You can specify more than one IP address. i.e. if web server is also being used as a firewall/gateway and you have an external internet IP address as well as a local network IP address.

  NameVirtualHost XXX.XXX.XXX.XXX
  NameVirtualHost 192.168.XXX.XXX
  
  <VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>
     ...
     ..
  

  See the YoLinux Tutorial on configuring a network gateway/firewall using iptables and NAT.
• Use your IP address for XXX.XXX.XXX.XXX, actual domain name and e-mail address.
  One can use DNS views to provide different local network DNS results.

• The host IP address can be referenced generically to operate on all NICs:

  <VirtualHost *:80>
     ...
     ..
  

  Note this method is preferred for NAT based hosting like Amazon Web Services (AWS) EC2.

• Note that I configure Apache for both requests http://www.domain-name.com and http://domain-name.com.

• Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a virtual domain.

  <Directory "/var/www/html">
  
     ...  This part remains the same
     ..
  
  </Directory>
  
  # Default for when no domain name is given (i.e. access by IP address)
  
  <VirtualHost *:80>
     ServerAdmin user1@your-domain.com
     DocumentRoot /var/www/html
     ErrorLog logs/error_log
     TransferLog logs/access_log
  </VirtualHost>
  
  # Add a VirtualHost definition for your domain which was once the system default.
  
  <VirtualHost XXX.XXX.XXX.XXX>
     ServerName www.your-domain.com
     ServerAlias your-domain.com
     ServerAdmin user1@your-domain.com
     DocumentRoot /var/www/html
     ErrorLog logs/error_log
     TransferLog logs/access_log
  </VirtualHost>
  
     ...
     ..
      

• Forwarding to a primary URL. It is best to avoid the appearance of duplicated web content from two URLs such as http://www.your-domain.com and http://your-domain.com. Supply a forwarding Apache "Redirect".

  <VirtualHost XXX.XXX.XXX.XXX>
     ServerName www.your-domain.com   - Note that no aliases are listed
     ...
     ...
  </VirtualHost>
  
  # Add a VirtualHost definition to forward to your primary URL
  
  <VirtualHost XXX.XXX.XXX.XXX>
     ServerName your-domain.com
     ServerAlias other-domain.com
     ServerAlias www.other-domain.com
     Redirect permanent / http://www.your-domain.com.com/
  </VirtualHost>
  
     ...
     ..
      

  Note:
  • See the YoLinux.com Apache "Redirect" Tutorial

• More virtual host examples.

When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a "NameVirtualHost" for each IP address.

After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu / Debian)

Apache virtual domain configuration with Ubuntu:

<VirtualHost XXX.XXX.XXX.XXX>
        ServerName supercorp.com
        ServerAlias www.supercorp.com
        ServerAdmin webmaster@localhost

        DocumentRoot /home/supercorp/public_html/home
        <Directory "/">
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /home/supercorp/public_html/home>
                Options Indexes FollowSymLinks MultiViews
                IndexOptions SuppressLastModified SuppressDescription
                AllowOverride All
                Order allow,deny
                allow from all
                Require all granted   - This is required for Apache 2.4+
        </Directory>

        ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/
        <Directory "/home/supercorp/cgi-bin/">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/supercorp.com-error.log

        # Possible values include: debug, info, notice, warn, error,
        # crit, alert, emerg.
        LogLevel warn
        CustomLog /var/log/apache2/supercorp.com-access.log combined
        ServerSignature On
</VirtualHost>

• Create soft link:
  • Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2/sites-enabled/supercorp
  • Use Ubuntu scripts a2ensite/a2dissite. Type command and it will prompt you as to which site you would like to enable or disable.
• Restart Apache:
  • apachectl graceful
    or
  • /etc/init.d/apache2 restart
    or
  • /etc/init.d/apache2 reload

Man pages:

• a2enmod/a2dismod (Ubuntu: Apache 2 enable/disable modules)
• apachectl

Configuring an "IP based" virtual host:

One may assign multiple IP addresses to a single network interface. See the YoLinux networking tutorial: Network Aliasing. Each IP address may then be it's own virtual server and individual domain. The downside of the "IP based" virtual host method is that you have to possess multiple/extra IP addresses. This usually costs more. The standard name based virtual hosting method above is more popular for this reason.

   
NameVirtualHost *              - Indicates all IP addresses

<VirtualHost *>
   ServerAdmin user0@default-domain.com
   DocumentRoot /home/user0/public_html
</VirtualHost>

<VirtualHost XXX.XXX.XXX.101>
   ServerAdmin user1@domain-1.com
   DocumentRoot /home/user1/public_html
</VirtualHost>

<VirtualHost XXX.XXX.XXX.102>
   ServerAdmin user1@domain-2.com
   DocumentRoot /home/user2/public_html
</VirtualHost>

CGI: (Common Gateway Interface)

• ScriptAlias:
  • Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
  • Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
  • Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
  • Ubuntu (dapper/hardy/natty) / Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
  or
• Options +ExecCGI:

  <Directory /var/www/cgi-bin>
  Options +ExecCGI
  </Directory>
      

Configuring CGI To Run With User Privileges:

NameVirtualHost XXX.XXX.XXX.XXX

<VirtualHost XXX.XXX.XXX.XXX>
   ServerName node1.your-domain.com                   - Allows requests by domain name without the "www" prefix.
   ServerAlias your-domain.com www.your-domain.com   - CNAME (alias www) specified in Bind configuration file (/var/named/...)
   ServerAdmin user1@your-domain.com
   DocumentRoot /home/user1/public_html/your-domain.com
   ErrorLog logs/your-domain.com-error_log
   TransferLog logs/your-domain.com-access_log

   SuexecUserGroup user1 user1
   <Directory /home/user1/public_html/your-domain.com/>
      Options +ExecCGI +Indexes
      AddHandler cgi-script .cgi
   </Directory>
</VirtualHost>

ERROR Pages:

You can specify your own web pages instead of the default Apache error pages:

ErrorDocument 404 /Error404-missing.html

Handle all errors with a forwarding page:

ErrorDocument 400 /error.shtml
ErrorDocument 401 /error.shtml
ErrorDocument 403 /error.shtml
ErrorDocument 404 /error.shtml
ErrorDocument 500 /error.shtml

<!--#echo var="REQUEST_URI" -->
<!--#echo var="REDIRECT_STATUS" -->
<h2>Page does not found!</h2>
<!-- Redirect to home page -->
<META HTTP-EQUIV="Refresh" Content="1; URL=http://www.megacorp.com/">

PHP:

If the appropriate php, perl and httpd RPM's are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM Packages (RHEL):

• php: HTML-embedded scripting language
• php-pear: PEAR is a framework and distribution system for reusable PHP components.
• php-mysql: MySQL database support.
• php-ldap: Lightweight Directory Access Protocol (LDAP) support

Apache configuration:

...

DirectoryIndex index.html index.htm index.php

...

• AWS - PHP 5.6: /etc/php-5.6.d/php.ini
• RHEL4 - PHP 4.3: /etc/php.ini
• Ubuntu 18.04: /etc/php/7.2/apache2/php.ini
• Ubuntu 6.06/6.11: /etc/php5/apache2/php.ini

[PHP]
engine = On
...
...
display_errors = Off
include_path = ".:/php/includes"
...
...
memory_limit = 32M   ; Default is typically 8MB which is too low.
...
...

[MySQL]
...
...
mysql.default_host = superserver    ; Hostname of the computer
mysql.default_user = dbuser
...

Test you PHP capabilities with this test file: /home/user1/public_html/test.php

<?php
   phpinfo();
?>

<?
   phpinfo();
?>

For more info see YoLinux list of PHP information web sites.

Running Multiple instances of httpd:

The Apache web server daemon (httpd) can be started with the command line option "-f" to specify a unique configuration file for each instance. Configure a unique IP address for each instance of Apache. See the YoLinux Networking Tutorial to specify multiple IP addresses for one NIC (Network Interface Card). Use the Apache configuration file directive Listen XXX.XXX.XXX.XXX, where the IP address is unique for each instance of Apache.

Apache Man Pages:

• httpd - Apache Hypertext Transfer Protocol Server
• apachectl - Apache HTTP Server Control Interface
• ab - Apache HTTP server bench-marking tool
• htdigest - manage user files for digest authentication
• htpasswd - Manage user files for basic authentication
• logresolve - Resolve IP-addresses to hostnames in Apache log files
• rotatelogs - Piped logging program to rotate Apache logs

Also see the local online Apache configuration manual: http://localhost/manual/.

Apache Red Hat / Fedora Core GUI configuration:

GUI configuration tool:

• Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-httpd
• Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd

Adding web site login and password protection: See the YoLinux tutorial on web site password protection.

Log file analysis:

Scanning the Apache web log files will not provide meaningful statistics unless they are graphed or presented in an easy to read fashion. The following packages to a good job of presenting site statistics.

• Analog - Also see Report Magic for Analog
• Webalizer
• AWStats - (requires PERL)

Web site statistic services:

• eXTReMe Tracking

Load testing your server:

• PureLoad - JAVA load testing and reporting tool.
• WebPerformance Trainer - Load Testing Tools.

Apache Links:

• CgiWrap - setuid wrapper that allows users to install and execute their own cgi scripts that get executed as their own userid
• Configuring https (mod_ssl):
  • Mod_SSL.org: Home Page
  • Mod_SSL.org: Mod_SSL HowTo
  • Mod_SSL.org: Steps to create SSL server certificate

Installation:

• Red Hat / Fedora: yum install analog
• Ubuntu / Debian: apt-get install analog

LOGFILE /var/log/httpd/your-domain.com-access_log* http://www.your-domain.com
UNCOMPRESS *.gz,*.Z "gzip -cd"
SUBTYPE *.gz,*.Z
#
OUTFILE /home/user1/public_html/analog/Report.html
#
HOSTNAME "YourDomain.com"
HOSTURL  http://www.your-domain.com

....
...
..

REQINCLUDE pages                  # Request page stats only
ALL ON
LANGUAGE US-ENGLISH

Make Analog images available to the users report: ln -s /usr/share/analog/images/* /home/user1/public_html/analog

Log file location:

• Red Hat / Fedora: /var/log/httpd/
• Ubuntu / Debian: /var/log/apache2/

#!/bin/sh
cp /opt/etc/analog-domain1.com.cfg      /etc/analog.cfg
/usr/bin/analog
cp /opt/etc/analog-domain2.com.cfg      /etc/analog.cfg
/usr/bin/analog

...

• Analog home page
• Analog command reference

See the YoLinux.com web server bench-marking tutorial.

The File Transfer Protocol (FTP) is often used to upload and download files to a web server. FTP is unencrypted and is no longer suited for today's public internet. A private secure network is required for use of unencrypted FTP. Typically one will use rsync over ssh (tutorial) or sFTP. File transfers are commanded from a client application to transfer files to/from a server.

Many FTP programs exist:

• sFTP configuration tutorial: preferred, chrooted and secure encrypted file transfer
• FTP - vsftpd configuration tutorial: once the default for Red Hat, Fedora Core, Suse, ...
• FTP - wu-ftpd configuration tutorial: Washington University FTP daemon which comes standard with RedHat (last shipped with RedHat 8.0 but can be installed on any Linux system: RPM: wu-ftpd)
• proFtpd: supports LDAP authentication, Apache like directives, full featured ftp server software
• bftpd
• pure-ftpd: free BSD and optional on Suse

For hostile environments set up a chrooted environment for an sftp encrypted connection and the rssh restricted shell for OpenSSH. See the YoLinux.com internet security tutorial for Linux sftp and rssh configuration

Also see the preferred chrooted sftp configuration for OpenSSH 4.9+

• FileZilla: FTP/sFTP client GUI
• gftp: GUI GTK+ Multi-threaded client. File transfer directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.
• KFTPgrabber: GUI KDE based client.simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.
• kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with S.U.S.e. Linux.
• ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)

When hosting web sites, there is no need to grant a shell account which only allows the server to have more potential security holes. Current systems can specify the user to have only FTP access with no shell by granting them the "shell" /sbin/nologin provided with the system or the "ftponly" shell described below. The shell can be specified in the file /etc/passwd of when creating a user with the command adduser -s /sbin/nologin user-id

[Potential Pitfall]: Ubuntu - Setting the shell to the pre-configured shell /bin/false will NOT allow vsftp access. One must create the shell "ftponly" as defined below to allow vsftp access with no shell.

1. Disable remote telnet login access allowing FTP access only:

   Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.

   ...
   user1:x:502:503::/home/user1:/opt/bin/ftponly
   ...
       

   Create file: /opt/bin/ftponly.
   Protection set to -rwxr-xr-x 1 root root
   with the command: chmod ugo+x /opt/bin/ftponly
   Contents of file:

   #!/bin/sh
   #
   # ftponly shell
   #
   trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
   #
   Admin=root@your-domain.com
   #System=`/bin/hostname`@`/bin/domainname`
   #
   /bin/echo
   /bin/echo "********************************************************************"
   /bin/echo "    You are NOT allowed interactive access."
   /bin/echo
   /bin/echo "     User accounts are restricted to ftp and web access."
   /bin/echo
   /bin/echo "  Direct questions concerning this policy to $Admin."
   /bin/echo "********************************************************************"
   /bin/echo
   #
   # C'ya
   #
   exit 0
       

   The last step is to add this to the list of valid shells on the system.
   Add the line /opt/bin/ftponly to /etc/shells.

   Sample file contents: /etc/shells

   /bin/bash
   /bin/bash1
   /bin/tcsh
   /bin/csh
   /opt/bin/ftponly
       

   See man page on /etc/shells.

   An alternative would be to assign the shell /bin/false or /sbin/nologin which became available in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false or /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access.

2. Set file quotas to limit user account.

For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial

Two of the most popular ways to configure the program Bind (Berkeley Internet Domain software) to perform DNS services is in the role of (1) ISP or (2) Web Host.

1. In an ISP configuration for clients (web surfers) connected to the internet, the DNS server must resolve IP addresses for any URL the user wishes to visit. (See DNS caching server)
2. In a purely web hosting configuration, Bind will only resolve for the IP addresses of the domains which are being hosted. This is the configuration which will be discussed and is often called an "Authoritative-only Nameserver".

When resolving IP addresses for a domain, Internic is expecting a "Primary" and a "Secondary" DNS name server. (Sometimes called Master and Slave) Each DNS name server requires the file /etc/named.conf and the files it points to. This is typically two separate computer systems hosted on two different IP addresses. It is not necessary that the Linux servers be dedicated to DNS as they may run a web server, mail server, etc.

Note on Bind versions: Red Hat versions 6.x used Bind version 8. Release 7.1 of Red Hat began using Bind version 9 and the GUI configuration tool bindconf was introduced for those of you that like a pretty point and click interface for configuration.

Installation Packages:

• Red Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind
  • bind-chroot: Security jail for operation of bind.
  • bind-utils: Utility commands like nslookup, host, dig
  • system-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).
  • caching-nameserver: We will not be covering this as it is not required for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting.
• Ubuntu (dapper/hardy/natty) / Debian: bind9

Configuration files:

Red Hat / Fedora / CentOS:

File	Description	Directory	Chrooted Directory
named.conf	Primary/Secondary DNS server configuration. (See default file /usr/share/doc/bind-9.X.X/sample/etc/named.conf)	/etc/	/var/named/chroot/etc/
named.root.hints	Configuration for recursive service. Required for all zones. (See default file /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints)	/etc/	/var/named/chroot/etc/
named	Red Hat system variables.	/etc/sysconfig/	no change
rndc.key	Primary/Secondary DNS server configuration.	/etc/	/var/named/chroot/etc/
Zone files	Configuration files for each domain. Create this file to resolve host name internet queries i.e. define IP address of web (www) and mail servers in the domain.	/var/named/	/var/named/chroot/var/named/

Debian / Ubuntu:

File	Description	Directory	Chrooted Directory
named.conf named.conf.options named.conf.local	Primary/Secondary DNS server configuration.	/etc/bind/	/var/bind/chroot/etc/bind/
rndc.key	Primary/Secondary DNS server configuration.	/etc/	/var/bind/chroot/etc/
Zone files	Configuration files for each domain.	/var/bind/data/	/var/bind/chroot/var/bind/data/

Primary server (master):

File: named.conf Red Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) and /etc/sysconfig/named for system variables.
Ubuntu / Debian: /etc/bind/named.conf Place local definitions in /etc/bind/named.conf.options and /etc/bind/named.conf.local

Simple example: (no views)

options {                                     - Ubuntu stores options in /etc/bind/named.conf.options
        version "Bind";                       - Don't disclose real version to hackers
        directory "/var/named";               - Specified so relative path names can be used. Full path names still allowed.
        allow-transfer { XXX.XXX.XXX.XXX; };  - IP address of secondary DNS
        recursion no;
        auth-nxdomain no;                     - conform to RFC1035. (default)
        fetch-glue no;                  - Bind 8 only! Not used by version 9
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "your-domain.com"{                 - Ubuntu separates the zone definitions into /etc/bind/named.conf.local 
        type master;                    - Specify master, slave, forward or hint
        file "data/named.your-domain.com"; 
        notify yes;                     - slave servers are notified when the zone is updated.
        allow-update { none; };         - deny updates from other hosts (default: none)
        allow-query { any; };           - allow clients to query this server (default: any)
};
zone "your-domain-2.com"{
        type master;
        file "data/named.your-domain-2.com";
        notify yes;
};

Note:

• The omission of zone ".". Required if providing a recursive service.
• Ubuntu includes the separated file of zone directives using the directive:
  include "/etc/bind/named.conf.local";

BIND Views: The BIND naming service can support "views" which allow various sub-networks (i.e. private internal or public external networks) to have a different domain name resolution result.

• If no views are specified then use the configuration shown above.
• The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement.
• If even one view is specified, then ALL zones MUST be associated with a "view".
• Bind 9 allows for views which allow different zones to be served to different types of clients, localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "internal" and "external":
  • localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf
  • internal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.
  • external: The general public internet defined as client "any".
• If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views).
• In order to support a DNS for internet domains using views, one will have to configure an "external" view

Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")

options
{
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

};
logging
{
    //  By default, SELinux policy does not allow named to modify the /var/named
    //  directory, so put the default debug log file in data/ :
 
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view "localhost_resolver"
{
    //  This view sets up named to be a localhost resolver ( caching only nameserver ).
    //  If all you want is a caching-only nameserver, then you need only define this view:
    match-clients           { localhost; };
    ...
};
view "internal"
{
    // This view will contain zones you want to serve only to "internal" clients
    // that connect via your directly attached LAN interfaces - "localnets" .
    // For local private LAN. Not covered in this tutorial.
    // Delete this view if web hosting with no local LAN.
    match-clients           { localnets; };
    ...
};
key ddns_key
{
        algorithm hmac-md5;
        secret "use /usr/sbin/dns-keygen to generate TSIG keys";
};
view    "external"
{
    // This view will contain zones you want to serve only to "external" 
    // public internet clients. This is covered below.
    match-clients           { any; };
    ...
    .. 
};
          

Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf

• cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc
• cp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc
• chcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints

view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:

• cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc
• cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named
  also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root

view "external": (master) - details -

view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
        match-clients           { any; };
        match-destinations      { any; };
        allow-transfer { XXX.XXX.XXX.XXX; };  - IP address of secondary DNS

        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers

        // all views must contain the root hints zone:
        include "/etc/named.root.hints";

        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:

        zone "your-domain.com" {
                type master;
                file "/var/named/data/external/named.your-domain.com";
                notify yes;
                allow-update { none; };
        };
 
        // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement
        include "/etc/named.conf.local";      
};

DNS key:

Use the following command /usr/sbin/dns-keygen to create a key. Add this key to the "secret" statement as follows:

key ddns_key
{
        algorithm hmac-md5;
        secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";
};

Man Pages:

• named.conf

Forward Zone File: /var/named/named.your-domain.com

Red Hat 9 / CentOS 3: /var/named/named.your-domain.com
Red Hat EL4/5/6, Fedora 3+, CentOS 4/5/6: [Chrooted] /var/named/chroot/var/named/data/named.your-domain.com
Red Hat EL4/5/6, Fedora 3+, CentOS 4/5/6: /var/named/data/named.your-domain.com
Ubuntu / Debian: /etc/bind/data/named.your-domain.com

$TTL 604800         - Bind 9 (and some of the later versions of Bind 8) requires $TTL statement. 
                     Measured in seconds. This value is 7 days.
your-domain.com.    IN      SOA  ns1.your-domain.com.  hostmaster.your-domain.com. (
   2000021600 ; serial     - Many people use year+month+day+integer as a system.
   86400 ; refresh         - How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)
   7200 ; retry            - How long secondary server should wait for a retry if contact failed.
   1209600 ; expire        - Secondary server to purge info after this length of time.
   86400 ) ; default_ttl   - How long data is held in cache by remote servers.
       IN A       XXX.XXX.XXX.XXX  - Note that this is the default IP address of the domain. 
                                     I put the web server IP address here so that domain.com points to the same servers as www.domain.com
;
; Name servers for the domain
;
       IN NS         ns1.your-domain.com.
       IN NS         ns2.your-domain.com.
;
; Mail server for domain
;
       IN MX    5    mail               - Identify "mail" as the node handling mail for the domain. Do NOT specify an IP address!
;
; Nodes in domain
;
node1  IN A          XXX.XXX.XXX.XXX    - Note that this is the IP address of node1
ns1    IN A          XXX.XXX.XXX.XXX    - Optional: For hosting your own primary name server. Note that this is the IP address of ns1
ns2    IN A          XXX.XXX.XXX.XXX    - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2
mail   IN A          XXX.XXX.XXX.XXX    - Identify the IP address for node mail.
;
; Aliases to existing nodes in domain
;
www    IN CNAME      node1              - Define the webserver "www" to be node1.
ftp    IN CNAME      node1              - Define the ftp server to be node1.
                

DNS record types and format:

DNS record	Description and Format
SOA	Start of Authority: Primary domain server and contact info Note that there is a period following the primary domain server and contact email. Note that the email address is in the form where the first period represents the "@" symbol of the email address. your-domain.com in SOA ns1.your-domain.com. webmaster.your-domain.com. or @ in SOA ns1.your-domain.com. webmaster.your-domain.com. [Potential Pitfall]: Incorrect specification of the primary name server may result in the following message in /var/log/messages: view localhost_resolver: received notify for zone 'your-domain.com': not authoritative SOA attribute Description serial Never use a value greater than 2147483647 for a 32 bit processor. Increment to a higher value to indicate an update to the slave server. refresh Time increment (seconds) between update checks of the serial number with the primary server retry Time elapsed before a slave will contact the primary server if a connection failed expire Time till primary server information is considered invalid and should be refreshed if there is a new DNS query minimum Time for DNS servers should hold domain information in their cache before purging
IN	Indicate Internet.
NS	Specify the Authoritative Name servers for the domain.
A	Specify the IP address associated with the host name. Format: hostname IN A XXX.XXX.XXX.XXX Note that in my example, no hostname is specified for the first record. This will define the default for the domain.
CNAME	Specify an alias for the host name.
MX	Mail exchange record. Specify a priority number for the primary and back-up mail servers. The lowest number indicates the default mail server for the domain
PTR	Used to specify the reverse DNS lookup

MX records for 3rd party off-site mail servers:

your-domain.com.    IN MX  10 mail1.offsitemail.com.
your-domain.com.    IN MX  20 mail2.offsitemail.com.
      

Append to the above example file.

SPF Record:

To thwart spammers from pretending to be sending email from your domain (spoofing), use your DNS to specify your outbound email server.

Add a Sender Policy Framework (SPF) record as follows (pick one solution):

• Specify the inbound email server as defined by the DNS MX record is also your outbound email server:

  ;
  ; Mail server for domain
  ;
               IN MX    5      mail
  ;
  ; SPF allow MX mail server to send email for the domain
  your-domain.com. IN TXT   "v=spf1 a mx -all"
      

  • v=spf1: All SPF records all start with "v=spf1"
  • -all: fail network address if it does not pass the rules specified (use this)
  • +all: pass network address
  • ~all: soft fail
  • a: signifies that the host is authorized to send the emails on behalf of the domain
  • mx: specify the MX inbound mail server to also be the outbound mail server

• Specify the IP address of the outbound email server:

  your-domain.com. IN TXT   "v=spf1 a mx ip4:XXX.XXX.XXX.XXX -all"
      

  • Use ip4 or ip6 to specift an IP version 4 or version 6 network address

• Specify an alternate email service provider (in this case Google gmail) to also grant permission to send email on behalf of the domain:

  your-domain.com. IN TXT   "v=spf1 a mx include:_spf.google.com -all"
      

  • include: authorize outbound hosts outside of your domain

These are SPF examples for Bind 9 DNS. Note that the MX record specifies the email server to receive email and SPF defines the outbound server.

Initial configuration:

Note that Red Hat may supply the default zone configuration in: /usr/share/doc/bind-9.X.X/sample/var/named/

• cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/
• cd /var/named/chroot/var/named/data/
• chcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local

A file suffix of "zone" is also common i.e. your-domain.com.zone

Secondary server (slave):

File: named.conf Red Hat / Fedora Core / CentOS: /etc/named.conf
Ubuntu / Debian: /etc/bind/named.conf
Simple example with no views:

options {                               - Ubuntu stores options in /etc/bind/named.conf.options
        version "Bind";                 - Don't disclose real version to hackers
        directory "/var/named";
        allow-transfer { none; };    - Slave is not transfering updates to anyone else
        recursion no;
        auth-nxdomain no;               - conform to RFC1035. (default)
        fetch-glue no;                - Bind 8 only! Not used by version 9
};
zone "localhost" {
        type master;
        file "/etc/bind/db.local";       - Ubutu: /etc/bind/db.local, Red Hat: /var/named/named.local
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "your-domain.com"{
        type slave;          
        file "named.your-domain.com";   - Specify slaves/named.your-domain.com for RHEL chrooted bind
        masters { XXX.XXX.XXX.XXX; };   - IP address of primary DNS
};
zone "your-domain-2.com"{
        type slave;          
        file "named.your-domain-2.com";
        masters { XXX.XXX.XXX.XXX; };
};
        

view "external": (slave)

view    "external"
{
        match-clients           { any; };
        match-destinations      { any; };
        allow-transfer { none; };  - Slave does not transfer to anyone, slave receives
        recursion no;
        include "/etc/named.root.hints";

        zone "your-domain.com" {
                type slave;
                file "/var/named/slaves/external/named.your-domain.com";
                notify no;                  - Slave does not notify, slave is notified by master
                masters { XXX.XXX.XXX.XXX; }; - State IP of master server
        };
};

Note: RHEL, CentOS, Fedora use chrooted directory structure permissions which require the use of the slaves sub-directory /var/named/slaves

Slave Zone Files: These are transfered from master to slave and cached by slave. There is no need to generate a zone file on the slave.

Additional Information:

• Man page on named.conf
• Man page on named DNS server
• Full DNS manual

[Potential Pitfall]: Ubuntu dapper/hardy/natty - Path names used can not violate Apparmor security rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically named "/var/lib/bind/named.your-domain.com" as permitted by the security configuration.

[Potential Pitfall]: Ubuntu dapper/hardy/natty - Create log file and set ownership and permission for file not created by installation:

• touch /var/log/bindlog
• chown root.bind /var/log/bindlog
• chmod 664 /var/log/bindlog

[Potential Pitfall]: Error in /var/log/messages:

transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied
      

Named needs write permission on the directory containing the file. This condition often occurs for a new "slave" or "secondary" name server where the zone files do not yet exist.
The default (RHEL, CentOS, Fedora, ...):

• drwxr-x--- 4 root named 4096 Aug 25 2004 named
• drwxrwx--- 2 named named 4096 Sep 17 20:37 slaves

Fix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named/slaves with the directive:

file "slaves/named.your-domain.com";

Bind Defaults:

• Uses port 53 if none is specified with the listen-on port statement.
• Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on port 53, specify the following option statement in /etc/named.conf

  query-source address * port 53;
  query-source-v6 port 53;
            

• Logging is to /var/log/messages

After the configuration files have been edited, restart the name daemon.

/etc/init.d/named restart

(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)

Bind zone transfers work best if the clocks of the two systems are synchronised. See the YoLinux SysAdmin Tutorial: Time and ntpd

File: /var/named/named.your-domain.com This is created for you by Bind on the slave (secondary) server when it replicates from Primary server.

DNS GUI configuration:

• Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind
• Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind

Test DNS:

Must install packages:

• Red Hat / Fedora Core / SuSE: bind-utils
• Ubuntu (dapper/hardy/natty) / Debian: bind9-host

Test the name server with the host command in interactive mode:

   host  node.domain-to-test.com your-nameserver-to-test.domain.com
          

Note: The name server may also be specified by IP address.

or

Test the name server with the nslookup command in interactive mode:

   nslookup
   > server your-nameserver-to-test.domain.com
   > node.domain-to-test.com
   > exit
          

Test the MX record if appropriate:

   nslookup -querytype=mx domain-to-test.com
   
   OR

   host -t mx domain-to-test.com
          

Test using the dig command:

   dig @name-server domain-to-query

   OR

   dig @IP-address-of-name-server domain-to-query
          

Test your DNS with the following DNS diagnostics web site: DnsStuff.com

---

Extra logging to monitor Bind:

Add the following to your /etc/named.conf file.

logging {
        channel bindlog {
                           // Keep five old versions of the log-file (rotates logs)
                           file "/var/log/bindlog"  versions 5 size 1m;
                           print-time yes;
                           print-category yes;
                           print-severity yes;
                        };
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
        category xfer-out { bindlog; };         - Zone transfers
        category xfer-in  { bindlog; };         - Zone transfers
        category security { bindlog; };         - Approved/unapproved requests

//      The following logging statements, panic, insist and response-checks are 
//      valid for Bind 8 only. Do not user for version 9.
        category panic { bindlog; };            - System shutdowns
        category insist { bindlog; };           - Internal consistency check failures
        category response-checks { bindlog; };  - Messages
};
      

Chroot Bind for extra security:

Note: Most modern Linux distributions default to a "chrooted" installation. This technique runs the Bind name service with a view of the filesystem which changes the definition of the root directory "/" to a directory in which Bind will operate. i.e. /var/named/chroot.

The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.

The latest RedHat bind updates run the named as user "named" to avoid a lot of earlier hacker exploits. To chroot the process is to create an even more secure environment by limiting the view of the system that the process can access. The process is limited to the chrooted directory assigned.

The chroot of the named process to a directory under a given user will prevent the possibility of an exploit which at one time would result in root access. The original default RedHat configuration (6.2) ran the named process as root, thus if an exploit was found, the named process will allow the hacker to use the privileges of the root user. (no longer true)

Named Command Sytax:

   named -u user -g group -t directory-to-chroot-to
          

Example:

    named -u named -g named -t /opt/named

When chrooted, the process does not have access to system libraries thus a local lib directory is required with the appropriate library files - theoretically. This does not seem to be the case here and as noted above in chrooted FTP. It's a mystery to me but it works???? Another method to handle libraries is to re-compile the named binary with everything statically linked. Add -static to the compile options. The chrooted process should also require a local /etc/named.conf etc... but doesn't seem to???

Script to create a chrooted bind environment:

#!/bin/sh
cd /opt
mkdir named
cd named
mkdir etc
mkdir bin
mkdir var
cd var
mkdir named
mkdir run
cd ..
chown -R named.named bin etc var

You can probably stop here. If your system acts like a chrooted system should, then continue with the following:

cp -p /etc/named.conf etc
cp -p /etc/localtime  etc
cp -p /bin/false bin
echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd
echo "named:x:25:" > etc/group
touch  var/run/named.pid 

if [ -f /etc/namedb ]
then
   cp -p /etc/namedb etc/namedb
fi

mkdir dev
cd dev

# Create a character unbuffered file.
mknod -m ugo+rw null c 1 3     

cd ..
chown -R named.named bin etc var

Add changes to the init script: /etc/rc.d/init.d/named

#!/bin/bash
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named 

[ -f /usr/sbin/named ] || exit 0

[ -f /etc/named.conf ] || exit 0

RETVAL=0

start() {
        # Start daemons.
        echo -n "Starting named: "
        daemon named -u named -g named -t /opt/named   # Change made here
	RETVAL=$?
 	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
	echo
	return $RETVAL
}
stop() {
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
	RETVAL=$?
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
        echo
	return $RETVAL
}
rhstatus() {
	/usr/sbin/ndc status
	return $?
}	
restart() {
	stop
	start
}	
reload() {
	/usr/sbin/ndc reload
	return $?
}
probe() {
	# named knows how to reload intelligently; we don't want linuxconf
	# to offer to restart every time
	/usr/sbin/ndc reload >/dev/null 2>&1 || echo start
	return $?
}  

# See how we were called.
case "$1" in
	start)
		start
		;;
	stop)
		stop
		;;
	status)
		rhstatus
		;;
	restart)
		restart
		;;
	condrestart)
		[ -f /var/lock/subsys/named ] && restart || :
		;;
	reload)
		reload
		;;
	probe)
		probe
		;;
	*)
        	echo "Usage: named {start|stop|status|restart|condrestart|reload|probe}"
		exit 1
esac

exit $?

Note: The current version of bind from the RedHat errata updates and security fixes (http://www.redhat.com/support/errata/) runs the named process as user "named" in the home (not chrooted) directory /var/named with no shell available. (named -u named) This should be secure enough. Proceed with a chrooted installation if your are paranoid.

See:

---

Chrooted DNS configuration:

Modern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4) come pre-configured to use "chrooted" bind. This security feature forces even an exploited version of bind to only operate within the "chrooted" jail /var/named/chroot which contains the familiar directories:

• /var/named/chroot/etc: Configuration files
• /var/named/chroot/dev: devices used by bind:
  • /dev/null
  • /dev/random
  • /dev/zero
  (Real devices created with the mknod command.)
• /var/named/chroot/var: Zone files and configuration information.

These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".

If building from source you will have to generate this configuration manually:

• mkdir -p /var/named/chroot
• mkdir /var/named/chroot/dev
• mknod /var/named/chroot/dev/null c 1 3
• mknod /var/named/chroot/dev/zero c 1 5
• mknod /var/named/chroot/dev/random c 1 8
• chmod 666 -R /var/named/chroot/dev
• mkdir -p /var/named/chroot/etc
• ln -s /var/named/chroot/etc/named.conf /etc/named.conf
• mkdir -p /var/named/chroot/var/named
• ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
• ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
• ...
• mkdir -p /var/named/chroot/var/named/slaves
• mkdir -p /var/named/chroot/var/named/data
• mkdir -p /var/named/chroot/var/run
• mkdir -p /var/named/chroot/var/tmp
• chown -R named:named /var/named/chroot
• chown -R root:named /var/named/chroot/var/named

Load Balancing of servers using Bind: DNS Round-Robin:

This will populate DNS caching name servers around the world with different IP addresses for your web server www.your-domain.com

File: /var/named/data/named.your-domain.com

$TTL 604800
your-domain.com.    IN      SOA  ns1.your-domain.com.  hostmaster.your-domain.com.

...
...

www   IN  A       192.168.1.1
www   IN  A       192.168.1.2
www   IN  A       192.168.1.3
www   IN  A       192.168.1.4
www   IN  A       192.168.1.5
www   IN  A       192.168.1.6

Note:

• This example will resolve the www.your-domain.com URL to each of the IP addresses listed, one at a time for each request. First request will resolve to 192.168.1.1, the second request will resolve to 192.168.1.2, etc.
• A perfectly even load balance is not possible becaused network service providers run DNS caching servers which hold the resolved IP address for a different number of users.
• Using multiple CNAME's to rotate records is no longer permissible in bind9.
• Listing a record multiple times with the same IP address will not change the load sharing. Bind will ignore duplicate records.
• Reducing the time to live (TTL) will cause load sharing to take place more frequently thus responding to a change in servers more quickly.

Also see lbnamed: lbnamed load balancing named

Bind/DNS Links:

• Internet Software Consortium (ISC) Home Page - ISC Bind Home
• Zytrax Bind 9 manual - Bind for rocket scientists
• mod_rewrite: page forwarding, load balancing and round robin schemes
• LDP DNS-HOWTO
• Secondary.com - Free secondary names server hosting (five or fewer domains)
• OpenDNS.com - Can allow forwarding to OpenDNS servers.
  Add to "options" section: forwarders { 208.67.222.222; 208.67.222.220; };
• DynDNS: dyn.com
  Command: ipcheck.py -i eth0 DynDNS-user-id password node.dnsalias.net
  Then add script update.dyndns.ip to directory /etc/cron.daily/ to update IP.
  This host must also be allowed access through any firewall rules.
• DynDNS.com - Dynamic DNS for those with dynamic IP addresses. (i.e. dial-up game servers etc.)

Domain name registration:

• Domain Name Registrars:
  • NetworkSolutions.com
  • Register.com
  • GoDaddy.com - Domain name registration for only $8.95/year!!!
  • Dotster.com - Domain name registration for only $14.95/year
  • DomainsNext.com - $11.95/year
  • EasyDNS.com - $25.00/year
  • Gandi.net - European
• AfterNic.com - Domain name exchange and auction.
• BuyDomains.com - Buy a domain name that a squatter is holding.

Note that the Name registrations policies for the registrars are stated at ICANN.org.

• You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards.
• Most free a domain name 30 days after it expires.

Web Server Load Balancing:

Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both. Multiple options are available for load balancing.

• DNS round-robin: Discussed above, this uses DNS to point users to random server in a list of appropriate servers. This spreads the load among the servers in the list.
• Use a Linux Virtual Server to Create a Load Balance Cluster. See next section below.
• Run a reverse proxy. See nginx ("engine X"). From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).
• Run the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse proxy, routing external traffic to various servers on an internal network.

Using a Linux Virtual Server to Create a Load Balance Cluster:

You can use a single Linux server to forward requests to a cluster of servers using iptables for IP masquerading and IPVsadm to scale your load. The load balancing server receiving and routing the requests is called the "Linux Virtual Server" (LVS). The LVS receives the requests which are passed to the real servers which process and reply to the request. This reply is forwarded to the client by the LVS.

This feature is available with the Linux 2.4/2.6 kernel. (If compiling kernel: Networking Options + IP: Virtual Server Configuration)

Configuration: This example will load balance http traffic to three web servers and ftp traffic to a fourth server.

• Enable Forwarding: (Also see YoLinux Networking Tutorial: Enable Forwarding)

  echo "1" > /proc/sys/net/ipv4/ip_forward
                

• Enable IP Masquerading:

  iptables -t nat -P POSTROUTING DROP
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
      

  For more on IP Masquerading, iptables and subnet addresses, see the YoLinux network gateway tutorial.
• Enable virtual server:
  • Create virtual service and choose scheduler for http (80) and ftp (21):

    ipvsadm -A -t 66.218.88.103:80 -s wlc
    ipvsadm -A -t 66.218.88.103:21 -s wrr
        

    Command directives:
    • A: Add a virtual service defined by IP address, port number, and protocol.
    • -t: Use TCP service host:port
    • -s: scheduler:
      • rr: Robin Robin: distributes jobs equally amongst the avail- able real servers.
      • wrr: Weighted Round Robin.
      • lc: Least-Connection: assigns more jobs to real servers with fewer active jobs.
      • wlc: (Default) Weighted Least-Connection: assigns more jobs to servers with fewer jobs and relative to the real server's weight.
      • lblc, lblcr, dh, sh, sed, nq. See man page.
  • Configure load balancing cluser.

    ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -m
    ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2
    ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -m
    ipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m
        

    Command directives:
    • -r: Real server.
    • -m: Use masquerading also known as network address translation (NAT)
    • -w: Weight is an integer specifying the capacity of a server relative to the others in the pool. The valid values of weight are 0 through to 65535. The default is 1.

Links:

• LinuxVirtualServer.org
• iptables - Administration tool for IPv4 packet filtering and NAT
• ipvsadm - Administer the routing table on a Linux Virtual Server.

Managing Web Server Daemons:

To view if these services are running, type ps -aux and look for the httpd, inetd and named services (daemons). These are background processes necessary to perform the server tasks.

   root       681  0.0  0.5  2304  744 ?        S    Sep09   0:01 named
   nobody   28123  0.0  1.1  3036 1420 ?        S    Oct06   0:00 httpd
   nobody   28186  0.0  0.7  3044  896 ?        S    Oct06   0:00 httpd
   root       385  0.0  0.1  1136  232 ?        S    Sep09   0:00 inetd

A new installation will most likely NOT start the named background process which may be started manually after configuration.
See the YoLinux Init Process Tutorial for more information.
The inetd (or xinetd) background process is the Internet daemon which starts FTP when an ftp request is made.

Sys Admin Script:

Script to prepare an account: (Red Hat/Fedora)

#!/bin/sh
# Author Greg Ippolito
# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico  mwh-mini_tr.gif etc.
#           /opt/bin/ftponly
#   You must be root to run this script.
#
if [ $# -eq 0 ]
then
   echo "Enter user id as a command argument"
else if [ -r /home/$1 ]
then
   echo "User's home directory already exists"
else
   echo "1)  Create user."
   adduser -m $1

   echo "2)  Set user Password."
   passwd $1

   echo "3)  Add read access to user directory so apache can read it."
   cd /home
   chmod ugo+rx $1
   cd $1

   echo "4)  Create web directories."
   mkdir public_html
   chown $1.$1 public_html
   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html
   cd public_html
   mkdir images
   chown $1.$1 images
   chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images

   # Block potential for unauthenticated logins
   cd ../
   touch .rhosts
   chmod ugo-xrw .rhosts

   echo "5)  Create default web page"
   sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html
   cp -p /opt/etc/AccountDefaults/favicon.ico .
   cp -p /opt/etc/AccountDefaults/default-logo.gif ./images
   cp -p /opt/etc/AccountDefaults/robots.txt .
   chown $1.$1 index.html favicon.ico robots.txt
   chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt
   chcon -R -h -t httpd_sys_content_t images/default-logo.gif

   echo "6)  Edit /etc/passwd file - change user shell to /opt/bin/ftponly"
   cp -p  /etc/passwd /etc/passwd-`date +%m%d%y`
   sed "/^$1/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd

#wu-ftp# Requires: /etc/ftpaccess guestuser restrict-uid
#wu-ftp#   echo "7)  Add user to /etc/ftpaccess file"
#wu-ftp#   cp -p  /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`
#wu-ftp#   sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess
#wu-ftp#   sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess
#wu-ftp#   echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess

   echo "7)  Add user to vsftpd chroot list
   cat `echo $1` >> /etc/vsftpd/vsftpd.chroot_list

   echo "8)  Setting Disk Quotas to default 50Mb limit:"
#  Use user johndoe as a prototype.
   edquota -p johndoe $1

   echo "9)  Admin Follow-up:"
   echo "     Modify quota.user if different than default"
   echo "     Make changes to Bind names services on dns1 and dns2 if necessary"
   echo "       Change /etc/http/conf/httpd.conf or 
   echo "       add config to /etc/http/conf.d/ if using a new domain name"
   echo "       Add e-mail aliases to mail server if necessary"
fi
fi

FYI: Sample robots.txt files:

• yolinux.com/robots.txt
• USC.edu/robots.txt

Useful links and resources:

• Linux Init Process - YoLinux.com tutorial
• Setting up an Apache redirect - YoLinux.com tutorial
• Apache Documentation
• LDP HowTo Guides:
  • DNS-HOWTO - DNS administration - Nicolai Langfeldt
  • Securing-Domain-HOWTO
  • ISP-Setup-RedHat - Using Linux to host an ISP - Anton Chuvakin
  • Linux Networking Overview HOWTO - Daniel Lopez Ridruejo
  • Virtual-Services-HOWTO - DNS, FTP, Apache, Mail (POP, Qmail, Sendmail), Syslogd and Samba
  • WWW-HOWTO - Setting up Apache services
  • WWW-mSQL-HOWTO
• List of Internet Exchanges - [map and list] An Internet Exchange (IX) is a junction between multiple principle Internet communication lines. A colo hosted at or close to an IX will have your best ability to handle traffic and your lowest latencies.
  description of IX
• Setting up a mail server - YoLinux Tutorial

Books:

	"Ubuntu Unleashed 2017 edition:" Covering 16.10 and 17.04, 17.10 (12th Edition) by Matthew Helmke, Andrew Hudson and Paul Hudson Sams Publishing, ISBN# 0134511182
	"Ubuntu Unleashed 2013 edition:" Covering 12.10 and 13.04 (8th Edition) by Matthew Helmke, Andrew Hudson and Paul Hudson Sams Publishing, ISBN# 0672336243 (Dec 15, 2012)
	"Ubuntu Unleashed 2012 edition:" Covering 11.10 and 12.04 (7th Edition) by Matthew Helmke, Andrew Hudson and Paul Hudson Sams Publishing, ISBN# 0672335786 (Jan 16, 2012)
	"Red Hat Enterprise Linux 7: Desktops and Administration" by Richard Petersen Surfing Turtle Press, ISBN# 1936280620 (Jan 13, 2017)
	"Fedora 18 Desktop Handbook" by Richard Petersen Surfing Turtle Press, ISBN# 1936280639 (Mar 6, 2013)
	"Fedora 18 Networking and Servers" by Richard Petersen Surfing Turtle Press, ISBN# 1936280698 (March 29, 2013)
	"Fedora 14 Desktop Handbook" by Richard Petersen Surfing Turtle Press, ISBN# 1936280167 (Nov 30, 2010)
	"Fedora 14 Administration and Security" by Richard Petersen Surfing Turtle Press, ISBN# 1936280221 (Jan 6, 2011)
	"Fedora 14 Networking and Servers" by Richard Petersen Surfing Turtle Press, ISBN# 1936280191 (Dec 26, 2010)
	"Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)" by Mark Sobell Prentice Hall PTR, ISBN# 0137003889 2 edition (January 9, 2009)
	"Fedora 10 and Red Hat Enterprise Linux Bible" by Christopher Negus Wiley, ISBN# 0470413395
	"Red Hat Fedora 6 and Enterprise Linux Bible" by Christopher Negus Sams, ISBN# 047008278X
	"Fedora 7 & Red Hat Enterprise Linux: The Complete Reference" by Richard Petersen Sams, ISBN# 0071486429
	"Red Hat Fedora Core 6 Unleashed" by Paul Hudson, Andrew Hudson Sams, ISBN# 0672329298
	"Red Hat Linux Fedora 3 Unleashed" by Bill Ball, Hoyt Duff Sams, ISBN# 0672327082
	"Red Hat Linux 9 Unleashed" by Bill Ball, Hoyt Duff Sams, ISBN# 0672325888 May 8, 2003 I have the Red Hat 6 version and I have found it to be very helpful. I have found it to be way more complete than the other Linux books. It is the most complete general Linux book in publication. While other books in the "Unleashed" series have dissapointed me, this book is the best out there.
	"Apache Server Bible 2" by Mohammed J. Kabir ISBN # 0764548212, Hungry Minds This book is very complete covering all aspects in detail. It is not your basic reprint of the apache.org documents like so many others.
	"Pro DNS and Bind" by Ronald Aitchison Apress, ISBN# 1590594940

   

Advertisements