IT training linux web server and domain configuration
Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (271.77 KB, 23 trang )
Linux Web Server and Domain Configuration Tutorial
Page 1 of 23
Prerequisites:
This tutorial assumes that a computer has Linux installed and running. See RedHat Installation for the basics. A connection to the internet is also assumed. A
connection of 128 Mbits/sec or greater will yield the best results. ISDN, DSL, cable modem or better are all suitable. A 56k modem will work but the results will be
mediocre at best. The tasks must also be performed with the root user login and password.
Software Prerequisites: The Apache web server (httpd), FTP (requires xinetd or inetd) and Bind (named) software packages with their dependencies are all
required. One can use the rpm command to verify installation:
Fedora Core 1+, Red Hat Enterprise 4, CentOS 4:
rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd
RPMs added FC2+: system-config-httpd
RPMs added FC3+: httpd-suexec
Red Hat 9.0
rpm -q httpd bind xinetd vsftpd
A Red Hat 8.0 wu-ftpd RPM may be installed (Newer version 2.6.2 or later with security fix wu-ftpd-2.6.2-11+) or install from source.
Red Hat 8.0
rpm -q httpd bind xinetd wu-ftpd
Red Hat 7.x:
rpm -q apache bind inetd wu-ftpd
Use wu-ftpd version 2.6.2 or later to avoid security problems.
SuSE 9.3:
rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils vsftpd
Note: The apache2-MPM is a generic term for Apache installation options for "Multi-Processing Modules (MPM)s "prefork" or "worker". If you try and only
apache2 you will get the following error:
apache2-MPM is needed by apache2-2.0.53-9
Also see Apache.org: MPMs
Ubuntu (dapper 6.06) / Debian:
apt-get
apt-get
apt-get
apt-get
apt-get
apt-get
install
install
install
install
install
install
apache2
apache2-common
apache2-mpm-prefork
apache2-utils
bind9
vsftpd
One should also have a working knowledge of the Linux init process so that these services are initiated upon system boot. See the YoLinux init process tutorial
more info.
Apache HTTP Web server configuration:
This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0). See the YoLinux list of Linux HTTP servers for a list of other web servers for the Hyper Text
Transport Protocol.
The Apache configuration file is: /etc/httpd/conf/httpd.conf
Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:
Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4, CentOS 4: /var/www/html/
Red Hat 6.x and older: /home/httpd/html/
Suse 9.x: /srv/www/htdocs/
Ubuntu (dapper 6.06) / Debian: /var/www/html
The default home page for the default configuration is index.html. Note the pages should not be owned by user apache as this is the process owner of the httpd web
server daemon. If the web server process is comprimised, it should not be allowed to alter the files. The files should of course be readable by user apache.
Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for multiple domains. Serving for multiple domains may
be achieved in two ways:
Virtual hosts: One IP address but multiple domains - "Name based" virtual hosting.
Multiple IP based virtual hosts: One IP address for each domain - "IP based" virtual hosting.
The default configuration will allow one to have multiple user accounts under one domain by using a reference to the user account: />If no domain is registered or configured, the IP address may also be used: />
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 2 of 23
[Potential Pitfall] The default umask for directory creation is correct by default but if not use: chmod 755 /home/user1/public_html
[Potential Pitfall] When creating new "Directory" configuration directives, I found that placing them by the existing "Directory" directives to be a bad idea. It would
not use the .htaccess file. This was because the statement defining the use of the .htaccess file was after the "Directory" statement. Previously in RH 6.x the files
were separated and the order was defined a little different. I now place new "Directory" statements near the end of the file just before the "VirtualHost" statements.
For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.
Files used by Apache:
Start/stop/restart script:
Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
SuSE 9.3: /etc/init.d/apache2
Ubuntu (dapper 6.06) / Debian: /etc/init.d/apache2
Apache main configuration file:
Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
SuSE: /etc/apache2/httpd.conf
(Need to add directive: ServerName host-name)
Ubuntu (dapper 6.06) / Debian: /etc/apache2/apache2.conf
Apache suplementary configuration files:
Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
SuSE: /etc/apache2/conf.d/component.conf
Ubuntu (dapper 6.06) / Debian:
Virtual domains: /etc/apache2/sites-enabled/domain
(Create soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on)
Additional configuration directives: /etc/apache2/conf.d/
Modules to load: /etc/apache2/mods-available/
(Soft link to /etc/apache2/mods-enabled/ to turn on)
Ports to listen to: /etc/apache2/ports.conf
/var/log/httpd/access_log and error_log - Red Hat/Fedora Core Apache log files
(Suse: /var/log/apache2/)
Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or status.
i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read the configuration files to pick up any changes. To have this script
invoked upon system boot issue the command chkconfig --add httpd. See Init Process Tutorial for a more complete discussion.
Also Apache control tool: /usr/sbin/apachectl start
Apache Control Command: apachectl:
Red Hat / Fedora Core / CentOS: apachectl directive
Ubuntu dapper 6.06 / Debian: apache2ctl directive
Directive
Description
start
Start the Apache httpd daemon. Gives an error if it is already running.
stop
graceful
Stops the Apache httpd daemon.
Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open
connections are not aborted.
restart
Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in
configtest before initiating the restart to make sure the daemon doesn't die.
status
Displays a brief status report.
fullstatus Displays a full status report from mod_status. Requires mod_status enabled on your server and a text-based browser such as lynx available on
your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
configtest Run a configuration file syntax test.
-t
Apache Configuration Files:
/etc/httpd/conf/httpd.conf:
is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file.
See Apache online documentation for the full manual.
/etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache start-up. Used to store application specific
configurations.
/etc/sysconfig/httpd: Holds environment variables used when starting Apache.
Basic settings: Change the default value for ServerName www.<your-domain.com>
Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those directories necessary. This is done with the directory
statement. Start by denying access to everything, then grant access to the necessary directories.
Deny access completely to file system root ("/") as the default:
<Directory />
Options None
AllowOverride None
</Directory>
Grant access to a user's directory:
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 3 of 23
<Directory /home/user1/public_html>
AllowOverride None
order allow,deny
allow from all
Options Indexes Includes FollowSymLinks
</Directory>
OR
use the statement UserDir public_html which does this by default for every user account at $HOME/public_html. Change to a comment (add "#" at beginning of line)
from Fedora Core default UserDir disable.
Also use SELinux command: setsebool httpd_enable_homedirs true
File permissions: The Apache web server daemon must be able to read your web pages in order to feed thier contents to the network. Use an appropriate umask
and file protection. This works: chmod ugo+r -R public_html
One may also use groups to control permisions. See the YoLinux tutorial on managing groups.
[Potential Pitfall]: If the Apache web server can not access the file you will get the error "403 Forbidden" "You don't have permission to access file-name on this
server." Note the default permissions on a user directory when first created with "useradd" are:
drwx------ 3 userx userx
You must allow the web server running as user "apache" to access the directory if it is to display pages held there.
Fix with command: chmod ugo+rx /home/userx
drwxr-xr-x 3 userx userx
SELinux security contexts:
Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies and context labels.
To view the security context labels applied to your web page files use the command: ls -Z
The system enables/disables SELinux policies in the file /etc/selinux/config
SELinux can be turned off by setting the directive SELINUX. (Then reboot the system):
SELINUX=disabled
or using the command setenforce 0 to temporarily disable SELinux until the next reboot.
When using SELinux security features, the security context labels must be added so that Apache can read your files. The default security context label used is
inherited from the directory for newly created files. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory. Move does
not create a new file and thus the file does not recieve the directory security context label. The context labels used for the default Apache directories can be
viewed with the command: ls -Z /var/www
The web directories of users (i.e. public_html) should be set with the appropriate context label (httpd_sys_content_t).
Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html
Options:
-R: Recursive. Files and directories in current directory and all subdirectories.
-h: Affect symbolic links.
-t: Specify type of security context.
Use the following security contexts:
Context Type
Description
Used for static web content. i.e. HTML web pages.
httpd_sys_script_exec_t Use for executable CGI scripts or binary executables.
httpd_sys_script_rw_t
CGI is allowed to alter/delete files of this context.
httpd_sys_script_ra_t
CGI is allowed to read or append files of this context.
httpd_sys_script_ro_t
CGI is allowed to read files and directories of this context.
httpd_sys_content_t
Set the following options: setsebool httpd-option true
(or set to false)
Policy
Description
Allow httpd cgi support.
httpd_enable_homedirs Allow httpd to read home directories.
httpd_ssi_exec
Allow httpd to run SSI executables in the same domain as system CGI scripts.
Then restart Apache:
Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
Red Hat/Fedora: service httpd restart
httpd_enable_cgi
The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans
For more on SELinux see the YoLinux Systems Administration tutorial.
Configuring a "name based" virtual host:
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 4 of 23
A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a dedicated linux server which hosts a single
web site.)
NameVirtualHost XXX.XXX.XXX.XXX
<VirtualHost XXX.XXX.XXX.XXX>
ServerName www.your-domain.com
- CNAME (bind DNS alias www) specified in Bind configuration file (/var/named/...)
ServerAlias your-domain.com
- Allows requests by domain name without the "www" prefix.
ServerAdmin
DocumentRoot /home/user1/public_html
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log
</VirtualHost>
Notes:
You can specify more than one IP address. i.e. if web server is also being used as a firewall/gateway and you have an external internet IP address as
well as a local network IP address.
NameVirtualHost XXX.XXX.XXX.XXX
NameVirtualHost 192.168.XXX.XXX
<VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>
...
..
See the YoLinux Tutorial on configuring a network gateway/firewall using iptables and NAT.
Use your IP address for XXX.XXX.XXX.XXX, actual domain name and e-mail address.
One can use DNS views to provide different local network DNS results.
Note that I configure Apache for both requests and .
Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a
virtual domain.
<Directory "/var/www/html">
... This part remains the same
..
</Directory>
# Add a VirtualHost definition for what was once the default.
<VirtualHost XXX.XXX.XXX.XXX>
ServerName www.your-domain.com
ServerAlias your-domain.com
ServerAdmin
DocumentRoot /var/www/html
ErrorLog logs/error_log
TransferLog logs/access_log
</VirtualHost>
...
..
Forwarding to a primary URL. It is best to avoid the appearance of duplicated web content from two URLs such as and
. Supply a forwarding Apache "Redirect".
# Add a VirtualHost definition to forward to your primary URL
<VirtualHost XXX.XXX.XXX.XXX>
ServerName your-domain.com
ServerAlias other-domain.com
ServerAlias www.other-domain.com
Redirect permanent / /></VirtualHost>
...
..
Note:
This is to avoid Google ranking penalties. See the Yolinux.com discussion on Google's suplemental index.
See the YoLinux.com Apache "Redirect" Tutorial
More virtual host examples.
When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a "NameVirtualHost" for each IP
address.
After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart
(Ubuntu / Debian)
Apache virtual domain configuration with Ubuntu 6.06 Dapper:
Ububntu separates out each virtual domain into a separate configuration file held in the directory /etc/apache2/sites-available/. When the site domain is to
become active, a soft link is created to the directory /etc/apache2/sites-enabled/.
Example: /etc/apache2/sites-available/supercorp
<VirtualHost XXX.XXX.XXX.XXX>
ServerName supercorp.com
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 5 of 23
ServerAlias www.supercorp.com
ServerAdmin webmaster@localhost
DocumentRoot /home/supercorp/public_html/home
<Directory "/">
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /home/supercorp/public_html/home>
Options Indexes FollowSymLinks MultiViews
IndexOptions SuppressLastModified SuppressDescription
AllowOverride All
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/
<Directory "/home/supercorp/cgi-bin/">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/supercorp.com-error.log
# Possible values include: debug, info, notice, warn, error,
# crit, alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/supercorp.com-access.log combined
ServerSignature On
</VirtualHost>
Enable domain:
Create soft link:
Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2/sites-enabled/supercorp
Use Ubuntu scripts a2ensite/a2dissite. Type command and it will prompt you as to which site you would like to enable or disable.
Restart Apache:
apache2ctl graceful
or
/etc/init.d/apache2 restart
or
/etc/init.d/apache2 reload
Also note that Apache modules can also be enabled/disabled with scripts a2enmod/a2dismod.
CGI: (Common Gateway Interface)
CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by either of two configuration file directives:
ScriptAlias:
Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
Ubuntu (dapper 6.06) / Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
or
Options +ExecCGI:
<Directory /var/www/cgi-bin>
Options +ExecCGI
</Directory>
The executable program files must have execute privileges, executable by the process owner (Red Hat 7+/Fedora Core: apache. Older use nobody) under which the
httpd daemon is being run.
Configuring CGI To Run With User Privileges:
The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally,
when a CGI or SSI program executes, it runs as the same user who is running the web server.
NameVirtualHost XXX.XXX.XXX.XXX
<VirtualHost XXX.XXX.XXX.XXX>
ServerName node1.your-domain.com
ServerAlias your-domain.com www.your-domain.com
ServerAdmin
DocumentRoot /home/user1/public_html/your-domain.com
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log
- Allows requests by domain name without the "www" prefix.
- CNAME (alias www) specified in Bind configuration file (/var/named/...)
SuexecUserGroup user1 user1
<Directory /home/user1/public_html/your-domain.com/>
Options +ExecCGI +Indexes
AddHandler cgi-script .cgi
</Directory>
</VirtualHost>
Configuring an "IP based" virtual host:
One may assign multiple IP addresse to a single network interface. See the YoLinux networking tutorial: Network Aliasing. Each IP address may then be it's
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 6 of 23
own virtual server and individual domain. The downside of the "IP based" virtual host method is that you have to possess multiple/extra IP addresses. This
usually costs more. The standard name based virtual hosting method above is more popular for this reason.
NameVirtualHost *
- Indicates all IP addresses
<VirtualHost *>
ServerAdmin
DocumentRoot /home/user0/public_html
</VirtualHost>
<VirtualHost XXX.XXX.XXX.101>
ServerAdmin
DocumentRoot /home/user1/public_html
</VirtualHost>
<VirtualHost XXX.XXX.XXX.102>
ServerAdmin
DocumentRoot /home/user2/public_html
</VirtualHost>
The default <VirtualHost *> block will be used as the default for all IP addresses not specified explicitly. This default IP (*) may not work for https URL's.
ERROR Pages:
You can specify your own web pages instead of the default Apache error pages:
ErrorDocument 404 /Error404-missing.html
Create the file Error404-missing.html in your "DocumentRoot" directory.
PHP:
If the appropriate php, perl and httpd RPM's are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM Packages
(RHEL4):
php: HTML-embedded scripting language
php-pear: PEAR is a framework and distribution system for reusable PHP components.
php-mysql: MySQL database support.
php-ldap: Lightweight Directory Access Protocol (LDAP) support
Apache configuration:
Add php default page index.php to apache config file: /etc/httpd/conf/httpd.conf
...
DirectoryIndex index.html index.htm index.php
...
PHP Configuration File:
RHEL4 - PHP 4.3: /etc/php.ini
Ubuntu Daper 6.06/6.11: /etc/php5/apache2/php.ini
[PHP]
engine = On
...
...
display_errors = Off
include_path = ".:/php/includes"
...
...
memory_limit = 32M
; Default is typically 8MB which is too low.
...
...
[MySQL]
...
...
mysql.default_host = superserver
mysql.default_user = dbuser
...
; Hostname of the computer
Small portion of file shown.
Note that changes will not take effect until the apache web server daemon is restarted.
Test you PHP capabilities with this test file: /home/user1/public_html/test.php
phpinfo();
?>
OR (older format)
phpinfo();
?>
Test: http://localhost/~user1/test.php
For more info see YoLinux list of PHP information web sites.
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 7 of 23
Running Multiple instances of httpd:
The Apache web server daemon (httpd) can be started with the command line option "-f" to specify a unique configuration file for each instance. Configure a unique
IP address for each instance of Apache. See the YoLinux Networking Tutorial to specify multiple IP addresses for one NIC (Network Interface Card). Use the Apache
configuration file directive Listen XXX.XXX.XXX.XXX, where the IP address is unique for each instance of Apache.
Apache Man Pages:
httpd - Apache Hypertext Transfer Protocol Server
apachectl - Apache HTTP Server Control Interface
ab - Apache HTTP server benchmarking tool
htdigest - manage user files for digest authentication
htpasswd - Manage user files for basic authentication
logresolve - Resolve IP-addresses to hostnames in Apache log files
rotatelogs - Piped logging program to rotate Apache logs
Also see the local online Apache configuration manual: http://localhost/manual/.
Apache Red Hat / Fedora Core GUI configuration:
GUI configuration tool:
Fedora Core 2/3/4: /usr/bin/system-config-httpd
Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd
Adding web site login and password protection: See the YoLinux tutorial on web site password protection.
Log file analysis:
Scanning the Apache web log files will not provide meaningfull statistics unless they are graphed or presented in an easy to read fashion. The following packages to
a good job of presenting site statistics.
Analog - Also see Report Magic for Analog
Webalizer
AWStats - (requires PERL)
Web site statistic services:
eXTReMe Tracking
Load testing your server:
PureLoad - JAVA load testing and reporting tool.
WebPerformance Trainer - Load Testing Tools.
Apache Links:
CgiWrap - setuid wrapper that allows users to install and execute their own cgi scripts that get executed as their own userid
Thumbprint - CGI for viewing a directory of images as thumbnails
WWWThreads.org - Commercial product - Advanced Web Conferencing Software
Configuring https (mod_ssl):
Mod_SSL.org: Home Page
Mod_SSL.org: Mod_SSL HowTo
Mod_SSL.org: Steps to create SSL server certificate
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 8 of 23
https configuration
Measuring Web Server Performance:
Web performance benchmarking tool httperf. Httperf sends requests to the web server at a specified rate and gathers stats. Increase till one finds the saturation
point.
Installation:
Debian: apt-get install httperf
Example useage:
Print performance stats for home page of yourdomain.com: httperf --hog --server www.yourdomain.com
Create 100 connections at a rate of 10/sec: httperf --hog --server --num-conn 100 --rate 10 --timeout 5
Generate 10 sessions at a rate of i seesion/sec every 2 seconds: httperf --hog --ser=www --wsess=10,5,2 --rate 1 --timeout 5
httperf command line options:
Command
--hog
--num-calls
--max-connections=#
--num-calls=#
--server host-name
Command Description
Use as many TCP ports as necessary to generate stats (else limited to port 1024-5000)
Session oriented workloads.
Limit the number of connections to that specified.
Specify the number of calls to issue on each connection before closing it.
Default localhost. Specify IP address of host name.
--wsess=N1,N2,X
Specify session where
N1: number of sessions
N2: number of calls per session
X: delay between calls (sec)
Stop if there is no response within timeout period.
--timeout
Links:
httperf home page - downloads, documentation
Man page
Other web performance measurement tools:
autobench: Perl wrapper to httperf which itterates and gathers data for each run. Creates csv file for use in a spreadsheet to generate graphs.
openload: Simulates number of concurrent users. Measures completed requests/sec.
Apache JMeter: Java app for static and dynamic performance analysis.
FTPd and FTP user account configuration:
Many FTP programs exist. This example covers the popular vsftpd (Red Hat default 9.0, Fedora Core, Suse) and wu-ftpd (Washington University) program which
comes standard with RedHat (last shipped with RedHat 8.0 but can be installed on any Linux system). (RPM: wu-ftpd) There are other FTP programs including
proFtpd (supports LDAP authentication, Apache like directives, full featured ftp server software), bftpd, pure-ftpd (free BSD and optional on Suse), etc ...
FTPd configuration tutorials:
# vsFTPd: Configuration
# WU-FTPd: Configuration
# FTP Clients: Links
vsFTPd and FTP user account configuration:
The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by Suse and OpenBSD as well. This is currently the recomended FTP daemon
for use on FTP servers.
Enable vsftpd:
Red Hat/Fedora Core/CentOS: VsFTPd is a stand alone service and by the default Fedora Core installation, not controlled by xinetd as is the wu-ftpd default
installation.
Thus start service: service vsftpd start (or: /etc/init.d/vsftpd start)
Configure vsftpd to start upon system boot: chkconfig --add vsftpd
SuSE: By default, the vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change:
disable = yes
to:
disable = no
Restart the xinetd daemon: /etc/init.d/xinetd restart
Note: vsftpd can also be run as a stand-alone service to achieve a faster response time.
Ubuntu (dapper 6.06) / Debian:
Install: apt-get install vsftpd
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 9 of 23
VsFTPd is a stand alone service.
Start: /etc/init.d/vsftpd start
Stop: /etc/init.d/vsftpd stop
For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the Linux init process and service activation.
Configuration files:
vsFTPd configuration file:
Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf
S.u.S.e. / Ubuntu (dapper 6.06) / Debian: /etc/vsftpd.conf
Default for Fedora Core 3:
anonymous_enable=YES
- Anonymous FTP allowed by default if you comment this out. Default directory used: /var/ftp
local_enable=YES
- Uncomment this to allow local users to log in with FTP.
write_enable=YES
- Uncomment this to enable any form of FTP write or upload command.
local_umask=022
- Default is 077. Umask 022 is used by most other ftpd's.
#anon_upload_enable=YES
- Uncomment to allow the anonymous FTP user to upload files.
Requires the above global write enabled. Directory must also be writable by user.
- Uncomment this to allow the anonymous FTP user to be able to create new directories.
#anon_mkdir_write_enable=YES
xferlog_enable=YES
- Activate directory messages.
Messages given to remote users when they enter certain directories
- Activate logging of uploads/downloads.
connect_from_port_20=YES
- PORT transfer connections originate from port 20 (ftp-data)
#chown_uploads=YES
#chown_username=whoever
- Uploaded anonymous files set to a specified owner. (not root)
dirmessage_enable=YES
#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log
xferlog_std_format=YES
- Output to log file in standard ftpd xferlog format
#idle_session_timeout=600
- Set timing out for an idle session.
#data_connection_timeout=120
- Set timing out for an idle data connection. Port 20
#nopriv_user=ftpsecure
- Run ftp server as an isolated and unprivileged user.
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
- Improve performance by disabling ASCII mode. Disables command "ascii" and "SIZE /big/file".
#ftpd_banner=Welcome to YoLinux - Customize the login banner string.
#deny_email_enable=YES
- Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.
#banned_email_file=/etc/vsftpd.banned_emails (default)
#chroot_list_enable=YES
- List users chroot()'d to their home directory. If "NO", list users not chroot()'d.
#chroot_list_file=/etc/vsftpd.chroot_list
(default)
ls_recurse_enable=YES
- Allow "ls -R" recursive directory list. Default is disabled.
pam_service_name=vsftpd
userlist_enable=YES
#deny_email_enable=YES
listen=YES
tcp_wrappers=YES
- (Default) Deny users specified in file /etc/vsftpd.user_list
If "userlist_enable=NO" then allow specified users.
- Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.
- Enable for standalone mode as opposed to an xinetd service.
Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)
[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:
directive=XXX # comment
vsftp.conf man page
Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)
user1
user2
...
user-n
If userlist_enable=NO, then specify users not to be chroot'd..
Specify list of users: /etc/vsftpd.user_list
(Deny list of users requires: userlist_enable=YES)
Also see PAM configuration below.
root
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 10 of 23
bin
daemon
adm
lp
sync
shutdown
halt
...
If userlist_enable=NO, then specify valid users.
PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd
#%PAM-1.0
auth
auth
auth
account
session
required
required
required
required
required
pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
pam_stack.so service=system-auth
pam_shells.so
pam_stack.so service=system-auth
pam_stack.so service=system-auth
This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Speciy user in both files.
File: /etc/vsftpd.ftpusers
root
bin
daemon
adm
lp
sync
shutdown
halt
...
Logrotate configuration file: /etc/logrotate.d/vsftpd.log
/var/log/xferlog {
# ftpd doesn't handle SIGHUP properly
nocompress
missingok
}
Sample vsFTPd configurations:
Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf
# Access rights
anonymous_enable=YES
chown_uploads=YES
chown_username=ftp
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
anon_max_rate=50000
- Turn on anonymous FTP
- Uploaded files owned by an assigned user
- Uploaded files owned by this assigned user
- No upload of files system changes allowed
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
Anonymous logins use the login name "anonymous" and then the user supplies their email address as a password. Any password will be accepted. Used
to allow the public to download files from an ftp server. Generally, no upload is permitted.
Web hosting configuration: /etc/vsftpd/vsftpd.conf
# Access rights
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
# Security
connect_from_port_20=YES
force_dot_files=NO
- Allow users to ftp to their home directories
- Allow users to STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
-
guest_enable=NO
ftpd_banner=Welcome to Super Duper Hosting
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
dirmessage_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
#
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
Page 11 of 23
Don't remap user name
Customize the login banner string.
Limit user to browse their own directory only
Enable list of system / power users
Actual list of system / power users
- Message greeting held in file .message or specify with message_file=...
Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
Ubuntu typically: /etc/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)
user1
user2
...
user-n
If userlist_enable=NO, then specify users not to be chroot'd..
[Potential Pitfall]: Mispelling a directive will cause vsftpd to fail with little warning.
File: .message
A NOTE TO USERS UPLOADING FILES:
File names may consist of letters (a-z, A-Z), numbers (0-9),
an under score ("_"), dash ("-") or period (".") only.
The file name may not begin with a period or dash.
Test if vsftp is listening: netstat -a | grep ftp
[root]# netstat -a | grep ftp
tcp
0
0 *:ftp
*:*
LISTEN
Links:
vsFTPd Home Page
Sample configurations
vsftp.conf Man page
WU-FTPd and FTP user account configuration:
The wu-ftpd FTP server can be downloaded (binary or source) from it's home page at .
There are three kinds of FTP logins that wu-ftpd provides:
anonymous FTP - one logs in with the username 'anonymous'
real FTP - log in with a real username and password and has access to the entire disk structure.
guest FTP - one logs in with a real user name and password, but the user is chroot'ed to his home directory and cannot escape from it. They are constrained to
their home directory which also means that they don't have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be
set up.
This tutorial covers "guest" FTP configuration.
The file /etc/ftpaccess controls the configuration of ftp.
# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534deny-gid %-99 %65534class
all
real,guest *
loginfails 5
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
readme
readme
message
message
README*
login
README*
cwd=*
/welcome.msg
.message
compress
tar
chmod
delete
overwrite
rename
delete
overwrite
rename
umask
yes
yes
no
no
no
no
yes
yes
yes
no
Page 12 of 23
login
cwd=*
all
all
guest,anonymous
anonymous
# delete files permission?
anonymous
# overwrite files permission?
anonymous
# rename files permission?
guest
# delete files permission?
guest
# overwrite files permission?
guest
# rename files permission?
guest
# umask permission?
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg
passwd-check rfc822 warn
# Must also create message file /etc/pathmsg of the guest directory.
# In this case it refers to /home/user1/public_html/etc/pathmsg.
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^limit all 2
noretrieve passwd .htaccess core
- Do not allow users to download files of these names
limit-time * 20
byte-limit in 5000
- Limit file size
- Set system user default to be categorized as a "guest". A "real" user can roam the system. Guestuser is chrooted.
guestuser *
realgroup regularuserx regularusery - Assign real user privileges to members of groups "regularuserx" and "regularusery".
Visibility of the whole file system and subject to regular UNIX file permissions
realuser user4
- Assign real user privileges to user id "user4".
restricted-uid user1 user2 user3
- Restricts FTP to the specified directories
guest-root /home/user1/public_html user1
guest-root /home/user2/public_html user2
guest-root /home/user3/public_html user3
Note:
and user3 refer to login accounts. Use the appropriate login name.
The above configuration disables anonymous FTP which allows anyone to perform an FTP login with the id anonymous and an email address as a password.
To enable anonymous FTP, change the class directive to:
user1, user2
class all real,guest,anonymous *
GUI FTP configuration tools:
/usr/bin/kwuftpd
/sbin/linuxconf
(Note: Linuxconf is no longer included with Red Hat 7.3 and later)
Red Hat Linux assigns users a user id and group id which is the same. This means that it does not matter if you use a realuser or realgroup directive as they
will act the same.
Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections. Thus xinetd must be running and configured to support ftp. The configuration
file is /etc/xinetd.d/wu-ftpd. The command chkconfig wu-ftpd on will make the ftp server available. See xinet configuration for more info.
Allow overide of deny-uid and/or deny-gid:
allow-uid user-to-allow
allow-gid group-to-allow
Optional configuration:
Create a group ftpchroot
Add users to this group
Use directive: guestgroup ftpchroot
[Potential Pitfall]: Flakey ftp behavior, timeouts, etc?? FTP works best with name resolution of the computer it is communicating with. This requires
proper /etc/resolve.conf and name server (bind) configuration, /etc/hosts or NIS/NFS configuration.
File /home/user1/public_html/etc/pathmsg:
A NOTE TO USERS UPLOADING FILES:
File names may consist of letters (a-z, A-Z), numbers (0-9),
an under score ("_"), dash ("-") or period (".") only.
The file name may not begin with a period or dash.
You have tried to upload a file with an inappropriate name.
The whole point of the chroot directory is to make the user's home directory appear to be the root of the filesystem (/) so one could not wander around the filesystem.
Configuration of /etc/ftpaccess will limit the user to their respective directories while still offering access to /bin/ls and other system commands used in FTP
operation.
As root:
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
cd /home/user1
mkdir public_html
chown $1.$1 public_html
touch .rhosts
chmod ugo-xrw .rhosts
Page 13 of 23
- Security protection
Man Pages:
Server:
ftpd - Internet File Transfer Protocol server
File Formats:
/etc/ftpaccess - Configuration file for ftpd
/etc/ftpservers - ftpd virtual hosting configuration file. (optional)
/etc/ftphosts - allow or deny access to certain accounts from various hosts. (optional)
/etc/ftpconversions - ftpd conversions database (for tar and compression)
/var/log/xferlog - FTP server logfile
ftp - File Transfer Client program
Configuration files: (RH 8.0+)
PAM configuration file: /etc/pam.d/ftp
#%PAM-1.0
auth
auth
auth
account
session
required
required
required
required
required
pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
pam_stack.so service=system-auth
pam_shells.so
pam_stack.so service=system-auth
pam_stack.so service=system-auth
Xinetd configuration file: /etc/xinetd.d/wu-ftpd
service ftp
{
disable = no
socket_type
wait
user
server
server_args
log_on_success
log_on_failure
nice
}
= stream
= no
= root
= /usr/sbin/in.ftpd
= -l -a
+= DURATION USERID
+= USERID
= 10
Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd.
Logrotate configuration file: /etc/logrotate.d/ftpd
/var/log/xferlog {
nocompress
}
More information:
WU-FTPD Development Group Home Page
More resources
Academ Consulting
FTP FAQ - Koos van den Hout's
dkftpbench - FTP benchmark program to give you an idea as to how many simultaneous dialup clients a server can support.
FTP and text file type conversions: End Of Line Characters - by Peter Benjamin
Chrooted sftp (ssl) project
Man pages on related FTP commands and files:
chroot - Run with a special root directory
ftpcount - Show number of concurrent users.
ftpshut - close down the ftp servers at a given time
ftprestart - Restart previously shutdown ftp servers
ftpwho - show current process information for each ftp user
privatepw - Change WU-FTPD Group Access File Information (admin command)
Other FTP daemons:
FTP4All
CrushFTP - Java/cross platform
WS_FTP
FTP Pitfalls:
If you get the following error:
ftp> ls
227 Entering Passive Mode (208,188,34,109,208,89)
ftp: connect: No route to host
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 14 of 23
This means you have firewall issues most probably on the FTP server itself. Start by removing the firewall "iptables" rules: iptables -F Add rules until you discover
what is causing the problem.
Passive mode:
Passive mode can also help one past the rules:
ftp> passive
Passive mode on.
This toggles passive mode on and off. When on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters
pasv_min_port and pasv_max_port
Firewall connection tracking module:
# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_conntrack_ftp"
NAT firewall modules:
You can also try adding ip_nat_ftp to the list of autoloaded modules: (This will also load the dependancy: ip_conntrack_ftp.)
# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_nat_ftp"
Then restart the firewall: /etc/init.d/iptables condrestart
FTP will change ports during use. The ip_conntrack_ftp module will consider each connection "RELATED". If iptables allows RELATED and ESTABLISHED
connections then FTP will work. i.e. rule: /etc/sysconfig/iptables
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
FTP Linux clients:
kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with S.U.S.e. Linux.
gftp: GUI GTK+ Multithreaded client. File transfer directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS,
SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.
ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)
Basic user security:
When hosting web sites, there is no need to grant a shell account which only allows the server to have more potential security holes. Current systems can specify
the user to have only FTP access with no shell by granting them the "shell" /sbin/nologin provided with the system or the "ftponly" shell described below. The shell
can be specified in the file /etc/passwd of when creting a user with the command adduser -s /sbin/nologin user-id
[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5 does not support this configuration to prevent shell access. It requires users to have a real user shell.
i.e. /bin/bash It works great in older and current Red Hat versions. If it works for you, use it, as it is more secure to deny the user shell access. You can always deny
telnet access. You should NOT be using this problem ridden version of ftpd. Use the latest wu-ftpd-2.6.2-11 which supports users with shell /etc/ftponly
[Potential Pitfall]: Ubuntu Dapper - Setting the shell to the preconfigured shell /bin/false will NOT allow vsftp access. One must create the shell "ftponly" as defined
below to allow vsftp access with no shell.
1. Disable remote telnet login access allowing FTP access only:
Change the shell for the user in /etc/passwd from /bin/bash to be /etc/ftponly.
...
user1:x:502:503::/home/user1:/etc/ftponly
...
Create file: /etc/ftponly.
Protection set to -rwxr-xr-x 1 root root
with the command: chmod ugo+x /etc/ftponly
Contents of file:
#!/bin/sh
#
# ftponly shell
#
trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
#
Admin=
#System=`/bin/hostname`@`/bin/domainname`
#
/bin/echo
/bin/echo "********************************************************************"
/bin/echo "
You are NOT allowed interactive access."
/bin/echo
/bin/echo "
User accounts are restricted to ftp and web access."
/bin/echo
/bin/echo " Direct questions concerning this policy to $Admin."
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 15 of 23
/bin/echo "********************************************************************"
/bin/echo
#
# C'ya
#
exit 0
The last step is to add this to the list of valid shells on the system.
Add the line /etc/ftponly to /etc/shells.
Sample file contents: /etc/shells
/bin/bash
/bin/bash1
/bin/tcsh
/bin/csh
/etc/ftponly
See man page on /etc/shells.
An alternative would be to assign the shell /bin/false or /sbin/nologin which became available in later releases of Red Hat.
2. Set file quotas to limit user account.
For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial
Domain Name Server (DNS) configuration using Bind version 8 or 9:
Two of the most popular ways to configure the program Bind to perform DNS services is in the role of (1) ISP or (2) Web Host.
1. In an ISP configuration the DNS server must resolve IP addresses for any URL the user wishes to visit. (See DNS caching server)
2. In a purely web hosting configuration, Bind will only resolve for the IP addresses of the domains which are being hosted. This is the configuration which will be
discussed and is often called an "Authoritative-only Nameserver".
When resolving IP addresses for a domain, Internic is expecting a "Primary" and a "Secondary" DNS name server. (Sometimes called Master and Slave) Each DNS
name server requires the file /etc/named.conf and the files it points to. This is typically two separate computer systems hosted on two different IP addresses. It is not
necesary that the Linux servers be dedicated to DNS as they may run a web server, mail server, etc.
Note on Bind versions: Red Hat versions 6.x used Bind version 8. Release 7.1 of Red Hat began using Bind version 9 and the GUI configuration tool bindconf
introduced for those of you that like a pretty point and click interface for configuration.
Packages:
Red Hat / Fedora Core / CentOS: bind
Ubuntu (dapper 6.06) / Debian: bind9
Primary server (master):
File: named.conf
Red Hat / Fedora Core / CentOS: /etc/named.conf
Ubuntu / Debian: /etc/bind/named.conf Place local definitions in /etc/bind/named.conf.local
options {
version "Bind";
- Don't disclose real version to hackers
directory "/var/named";
allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS
recursion no;
fetch-glue no;
- Bind 8 only! Not used by version 9
};
zone "your-domain.com"{
type master;
file "named.your-domain.com";
notify yes;
};
zone "0.0.127.in-addr.arpa"{
type master;
file "named.local";
allow-update { none; };
};
Note the omission of zone "."
File: /var/named/named.your-domain.com
Red Hat 9 / CentOS 3: /var/named/named.your-domain.com
Red Hat EL4 / Fedora Core / CentOS 4: [Chrooted] /var/named/chroot/var/named/data/named.your-domain.com
Red Hat EL4 / Fedora Core / CentOS 4: /var/named/data/named.your-domain.com
Ubuntu / Debian: /etc/bind/data/named.your-domain.com
$TTL 604800
- Bind 9 (and some of the later versions of Bind 8) requires $TTL statement. Measured in seconds. This value is 7 days.
your-domain.com.
IN
SOA ns1.your-domain.com. hostmaster.your-domain.com. (
2000021600 ; serial
- Many people use year+month+day+integer as a system. Never greater than 2147483647 for a 32 bit processor.
86400 ; refresh
- How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 16 of 23
7200 ; retry
- How long secondary server should wait for a retry if contact failed.
1209600 ; expire
- Secondary server to purge info after this length of time.
604800 ) ; default_ttl - How long data is held in cache by remote servers.
IN A
XXX.XXX.XXX.XXX - Note that this is the default IP address of the domain.
I put the web server IP address here so that domain.com points to the same servers as www.domain.com
;
; Name servers for the domain
;
IN NS
ns1.your-domain.com.
IN NS
ns2.your-domain.com.
;
; Mail server for domain
;
IN MX
5
;
; Nodes in domain
;
node1 IN A
XXX.XXX.XXX.XXX
ns1
IN A
XXX.XXX.XXX.XXX
ns2
IN A
XXX.XXX.XXX.XXX
IN A
XXX.XXX.XXX.XXX
IN MX
5
XXX.XXX.XXX.XXX
;
; Aliases to existing nodes in domain
;
www
IN CNAME
node1
ftp
IN CNAME
node1
-
Identify "mail" as the node handling mail for the domain. Do NOT specify an IP address!
Note that this is the IP address of node1
Optional: For hosting your own primary name server. Note that this is the IP address of ns1
Optional: For hosting your own secondary name server. Note that this is the IP address of ns2
Identify the IP address for node mail.
Identify the IP address for mail server named "mail".
Define the webserver "www" to be node1.
Define the ftp server to be node1.
MX records for 3rd party off-site mail servers:
your-domain.com.
your-domain.com.
IN MX
IN MX
10 mail1.offsitemail.com.
20 mail2.offsitemail.com.
Append to the above file.
Secondary server (slave):
File: named.conf
Red Hat / Fedora Core / CentOS: /etc/named.conf
Ubuntu / Debian: /etc/bind/named.conf
options {
version "Bind";
directory "/var/named";
allow-transfer { none; };
recursion no;
fetch-glue no;
};
zone "your-domain.com"{
type slave;
file "named.your-domain.com";
masters { XXX.XXX.XXX.XXX; };
};
zone "0.0.127.in-addr.arpa"{
type master;
file "named.local";
};
- Don't disclose real version to hackers
- Bind 8 only! Not used by version 9
- Specify slaves/named.your-domain.com for RHEL4 chrooted bind
- IP address of primary DNS
Note: RHEL4, CentOS 4, Fedora Core 3+ use chrooted directory structure permissions which require the use of the slaves subdirectory /var/named/slaves
Man page on named.conf - Best source of information!!!
[Potential Pitfall]: Ubuntu dapper - Create log file and set ownership and permission for file not created by installation:
touch /var/log/bindlog
chown root.bind /var/log/bindlog
chmod 664 /var/log/bindlog
[Potential Pitfall]: Error in /var/log/messages:
transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied
Named needs write permission on the directory containing the file. This condition often occurs for a new "slave" or "secondary" name server where the zone
files do not yet exist.
The default (RHEL4, CentOS 4, Fedora Core 3, ...):
drwxr-x--- 4 root named 4096 Aug 25 2004 named
drwxrwx--- 2 named named 4096 Sep 17 20:37 slaves
Fix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named/slaves with the directive:
file "slaves/named.your-domain.com";
Bind Defaults:
Uses port 53 if none is specified with the listen-on port statement.
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 17 of 23
Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on port 53, specify the following option statement
in /etc/named.conf
query-source address * port 53;
Logging is to /var/log/messages
After the configuration files have been edited, restart the name daemon.
/etc/rc.d/init.d/named restart
(Note: Debian uses the directory: /etc/init.d/)
Bind zone transfers work best if the clocks of the two systems are synchronised. See the YoLinux SysAdmin Tutorial: Time and ntpd
File: /var/named/named.your-domain.com This is created for you by Bind on the slave (secondary) server when it replicates from Primary server.
DNS GUI configuration:
Fedora Core 2/3: /usr/bin/system-config-bind
Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind
Test DNS:
Must install packages:
Red Hat / Fedora Core / SuSE: bind-utils
Ubuntu (dapper 6.06) / Debian: bind9-host
Test the name server with the host command in interactive mode:
host
node.domain-to-test.com your-nameserver-to-test.domain.com
Note: The name server may also be specified by IP address.
or
Test the name server with the nslookup command in interactive mode:
nslookup
> server your-nameserver-to-test.domain.com
> node.domain-to-test.com
> exit
Test the MX record if appropriate:
nslookup -querytype=mx domain-to-test.com
OR
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 18 of 23
host -t mx domain-to-test.com
Test using the dig command:
dig @name-server domain-to-query
OR
dig @IP-address-of-name-server domain-to-query
Test your DNS with the following DNS diagnostics web site: DnsStuff.com
Extra logging to monitor Bind:
Add the following to your /etc/named.conf file.
logging {
channel bindlog {
file "/var/log/bindlog"
print-time yes;
print-category yes;
print-severity yes;
};
category xfer-out { bindlog; };
category xfer-in { bindlog; };
category security { bindlog; };
versions 5 size 1m;
- Keep five old versions of the log-file (rotates logs)
- Zone transfers
- Zone transfers
- Approved/unapproved requests
The following logging statements, panic, insist and response-checks are valid for Bind 8 only. Do not user for version 9.
category panic { bindlog; };
- System shutdowns
category insist { bindlog; };
- Internal consistency check failures
category response-checks { bindlog; }; - Messages
//
};
Chroot Bind for extra security:
Note: Most modern Linux distributions default to a "chrooted" installation. This technique runs the Bind name service with a view of the filesystem which
changes the definition of the root directory "/" to a directory in which Bind will operate. i.e. /var/named/chroot.
The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.
The latest RedHat bind updates run the named as user "named" to avoid a lot of earlier hacker exploits. To chroot the process is to create an even more
secure environment by limiting the view of the system that the process can access. The process is limited to the chrooted directory assigned.
The chroot of the named process to a directory under a given user will prevent the possibility of an exploit which at one time would result in root access. The
original default RedHat configuration (6.2) ran the named process as root, thus if an exploit was found, the named process will allow the hacker to use the
privileges of the root user. (no longer true)
Named Command Sytax:
named -u user -g group -t directory-to-chroot-to
Example:
named -u named -g named -t /opt/named
When chrooted, the process does not have access to system libraries thus a local lib directory is required with the appropriate library files - theoretically. This
does not seem to be the case here and as noted above in chrooted FTP. It's a mystery to me but it works???? Another method to handle libraries is to re
compile the named binary with everything statically linked. Add -static to the compile options. The chrooted process should also require a
local /etc/named.conf etc... but doesn't seem to???
Script to create a chrooted bind environment:
#!/bin/sh
cd /opt
mkdir named
cd named
mkdir etc
mkdir bin
mkdir var
cd var
mkdir named
mkdir run
cd ..
chown -R named.named bin etc var
You can probably stop here. If your system acts like a chrooted system should, then continue with the following:
cp -p /etc/named.conf etc
cp -p /etc/localtime etc
cp -p /bin/false bin
echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd
echo "named:x:25:" > etc/group
touch var/run/named.pid
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 19 of 23
if [ -f /etc/namedb ]
then
cp -p /etc/namedb etc/namedb
fi
mkdir dev
cd dev
# Create a character unbuffered file.
mknod -m ugo+rw null c 1 3
cd ..
chown -R named.named bin etc var
Add changes to the init script: /etc/rc.d/init.d/named
#!/bin/bash
#
# named
This shell script takes care of starting and stopping
#
named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named
- Added in Red Hat version 7.1
[ -f /usr/sbin/named ] || exit 0
[ -f /etc/named.conf ] || exit 0
RETVAL=0
start() {
# Start daemons.
echo -n "Starting named: "
- Change made here
daemon named -u named -g named -t /opt/named
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
echo
return $RETVAL
}
stop() {
# Stop daemons.
echo -n "Shutting down named: "
killproc named
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
echo
return $RETVAL
}
rhstatus() {
/usr/sbin/ndc
return $?
}
restart() {
stop
start
}
reload() {
/usr/sbin/ndc
return $?
}
probe() {
# named knows
# to offer to
/usr/sbin/ndc
return $?
}
status
reload
how to reload intelligently; we don't want linuxconf
restart every time
reload >/dev/null 2>&1 || echo start
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
rhstatus
;;
restart)
restart
;;
condrestart)
[ -f /var/lock/subsys/named ] && restart || :
;;
reload)
reload
;;
probe)
probe
;;
*)
echo "Usage: named {start|stop|status|restart|condrestart|reload|probe}"
exit 1
esac
exit $?
Note: The current version of bind from the RedHat errata updates and security fixes ( runs the named process as user
"named" in the home (not chrooted) directory /var/named with no shell available. (named -u named) This should be secure enough. Proceed with a chrooted
installation if your are paranoid.
See:
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 20 of 23
Securing DNS: How to use chroot bind features
Chrooted DNS configuration:
Modern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4) come preconfigured to use "chrooted" bind. This security feature forces even an exploited
version of bind to only operate within the "chrooted" jail /var/named/chroot which contains the familiar directories:
/var/named/chroot/etc:
/var/named/chroot/dev:
/dev/null
/dev/random
/dev/zero
Configuration files
devices used by bind:
(Real devices created with the mknod command.)
Zone files and configuration information.
/var/named/chroot/var:
These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".
If building from source you will have to generate this configuration manually:
mkdir
mkdir
mknod
mknod
mknod
chmod
mkdir
ln -s
mkdir
ln -s
ln -s
-p /var/named/chroot
/var/named/chroot/dev
/var/named/chroot/dev/null c 1 3
/var/named/chroot/dev/zero c 1 5
/var/named/chroot/dev/random c 1 8
666 -R /var/named/chroot/dev
-p /var/named/chroot/etc
/var/named/chroot/etc/named.conf /etc/named.conf
-p /var/named/chroot/var/named
/var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
/var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
...
mkdir
mkdir
mkdir
mkdir
chown
chown
-p
-p
-p
-p
-R
-R
/var/named/chroot/var/named/slaves
/var/named/chroot/var/named/data
/var/named/chroot/var/run
/var/named/chroot/var/tmp
named:named /var/named/chroot
root:named /var/named/chroot/var/named
Load Balancing of servers using Bind: DNS Round-Robin
This will populate name servers around the world with different IP addresses for your web server www.your-domain.com
www0
www1
www2
www3
www4
www5
IN
IN
IN
IN
IN
IN
A
A
A
A
A
A
XXX.XXX.XXX.1
XXX.XXX.XXX.2
XXX.XXX.XXX.3
XXX.XXX.XXX.4
XXX.XXX.XXX.5
XXX.XXX.XXX.6
www
IN
IN
IN
IN
IN
IN
IN
CNAME
CNAME
CNAME
CNAME
CNAME
CNAME
CNAME
www0.your-domain.com.
www1.your-domain.com.
www2.your-domain.com.
www3.your-domain.com.
www4.your-domain.com.
www5.your-domain.com.
www6.your-domain.com.
Also see lbnamed: lbnamed load balancing named
Bind/DNS Links:
Internet Software Consortium (ISC) Home Page - ISC Bind Home
Bind FAQ, pitfalls and answers
Zytrax Bind 9 manual - Bind for rocket scientists
comp.protocols.tcp-ip.domains FAQ - HTML version
More on load balancing and round robin schemes
LDP DNS-HOWTO
ACME: DNS resources
DNS Security presentation - Cricket Liu (coauthor of DNS and Bind)
DNS Security Paper - Craig Rowland
GraniteCanyon.com: Free DNS hosting - If you don't want to set it up, have someone do it for you.
EveryDNS.net - Free DNS
DNS2GO - Domain hosting for DHCP clients.
Secondary.com - Free secondary names server hosting (five or fewer domains)
TZO.com - Dynamic, secondary DNS services.
UltraDNS.com - Outsourced DNS management and service
DynDNS.org
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 21 of 23
Command: ipcheck.py -i eth0 DynDNS-user-id password node.dnsalias.net
Then add script update.dyndns.ip to directory /etc/cron.daily/ to update IP.
This host must also be allowed access through any firewall rules.
DynDNS/TODD - Dynamic DNS for those with dynamic IP addresses. (i.e. dial-up game servers etc.)
Domain name registration:
Domain Name Registrars:
NetworkSolutions.com
Register.com
Registrar.GoDaddy.com - Domain name registration for only $8.95/year!!!
Dotster.com - Domain name registration for only $14.95/year
DomainsNext.com - $11.95/year
EasyDNS.com - $25.00/year
Aplus.net - Domain Registration $7.95/year - Not good
Gandi.net - European
AfterNic.com - Domain name exchange and auction.
BuyDomains.com - Buy a domain name that a squatter is holding.
Note that the Name registrations policies for the registrars are stated at ICANN.org.
You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards.
Most free a domain name 30 days after it expires.
Web Server Load Balancing:
Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both. Multiple options are available for
load balancing.
DNS round-robin: Discussed above, this uses DNS to point users to random server in a list of appropriate servers. This spreads the load among the servers in
the list.
Use a Linux Virtual Server to Create a Load Balance Cluster. See next section below.
Run a reverse proxy. See nginx ("engine X"). From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an
internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).
Run the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse proxy, routing
external traffic to various servers on an internal network.
Using a Linux Virtual Server to Create a Load Balance Cluster:
You can use a single Linux server to forward requests to a cluster of servers using iptables for IP masquerading and IPVsadm to scale your load. The load balancing
server receiving and routing the requests is called the "Linux Virtual Server" (LVS). The LVS receives the requests which are passed to the real servers which
process and reply to the request. This reply is forwarded to the client by the LVS.
This feature is available with the Linux 2.4/2.6 kernel. (If compiling kernel: Networking Options + IP: Virtual Server Configuration)
Configuration: This example will load balance http traffic to three web servers and ftp traffic to a fourth server.
Enable Forwarding: (Also see YoLinux Networking Tutorial: Enable Forwarding)
echo "1" > /proc/sys/net/ipv4/ip_forward
Enable IP Masquerading:
iptables -t nat -P POSTROUTING DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
For more on IP Masquerading, iptables and subnet addresses, see the YoLinux network gateway tutorial.
Enable virtual server:
Create virtual service and choose scheduler for http (80) and ftp (21):
ipvsadm -A -t 66.218.88.103:80 -s wlc
ipvsadm -A -t 66.218.88.103:21 -s wrr
Command directives:
A: Add a virtual service defined by IP address, port number, and protocol.
-t: Use TCP service host:port
-s: scheduler:
rr: Robin Robin: distributes jobs equally amongst the avail- able real servers.
wrr: Weighted Round Robin.
lc: Least-Connection: assigns more jobs to real servers with fewer active jobs.
wlc: (Default) Weighted Least-Connection: assigns more jobs to servers with fewer jobs and relative to the real server's weight.
lblc, lblcr, dh, sh, sed, nq. See man page.
Configure load balancing cluser.
ipvsadm
ipvsadm
ipvsadm
ipvsadm
-a
-a
-a
-a
-t
-t
-t
-t
66.218.88.103:80
66.218.88.103:80
66.218.88.103:80
66.218.88.103:21
-r
-r
-r
-r
176.168.1.1:80
176.168.1.2:80
176.168.1.3:80
176.168.1.4:21
-m
-m -w 2
-m
-m
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
Page 22 of 23
Command directives:
-r: Real server.
-m: Use masquerading also known as network address translation (NAT)
-w: Weight is an integer specifying the capacity of a server rela- tive to the others in the pool. The valid values of weight are 0 through to
65535. The default is 1.
Links:
LinuxVirtualServer.org
iptables - Administration tool for IPv4 packet filtering and NAT
ipvsadm - Administer the routing table on a Linux Virtual Server.
Managing Web Server Daemons:
To view if these services are running, type ps -aux and look for the httpd, inetd and named services (daemons). These are background processes necessary to
perform the server tasks.
root
nobody
nobody
root
681
28123
28186
385
0.0
0.0
0.0
0.0
0.5
1.1
0.7
0.1
2304 744 ?
3036 1420 ?
3044 896 ?
1136 232 ?
S
S
S
S
Sep09
Oct06
Oct06
Sep09
0:01
0:00
0:00
0:00
named
httpd
httpd
inetd
A new installation will most likely NOT start the named background process which may be started manually after configuration.
See the YoLinux Init Process Tutorial for more information.
The inetd (or xinetd) background process is the Internet daemon which starts FTP when an ftp request is made.
Sys Admin Script:
Script to prepare an account:
#!/bin/sh
# Author Greg Ippolito
# Puspose: Set up chroot'ed user directories for web and ftponly access.
# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico mwh-mini_tr.gif etc.
#
/etc/ftponly
#
/etc/ftpaccess
#
guestuser *
# Restricts users
#
restricted-uid # Extra restrictions
#
#
You must be root to run this script.
#
if [ $# -eq 0 ]
then
echo "Enter user id as a command argument"
else if [ -r /home/$1 ]
then
echo "User's home directory already exists"
else
echo "1) Create user."
adduser $1
echo "2) Set user Password."
passwd $1
echo "3) Add read access to user directory so apache can read it."
cd /home
chmod ugo+rx $1
cd $1
echo "4) Create web and ftp directories."
mkdir public_html
chown $1.$1 public_html
cd public_html
mkdir lib bin etc images
chown $1.$1 images
# This method was necessary but does not seem to be necessary any more.
# cp -p /home/ftp/etc/ld.so.cache ./etc
# cp -p /home/ftp/bin/compress
./bin
# cp -p /home/ftp/bin/cpio
./bin
# cp -p /home/ftp/bin/gzip
./bin
# cp -p /home/ftp/bin/ls
./bin
# cp -p /home/ftp/bin/tar
./bin
cd bin
# ln -s gzip
zcat
cd ../lib
# cp -p /home/ftp/lib/ld-2*
.
# cp -p /home/ftp/lib/libc-*
.
# cp -p /home/ftp/lib/libnsl-*
.
# cp -p /home/ftp/lib/libnss_files-* .
# ln -s ld-*
ld-linux.so.2
# ln -s libc-*
libc.so.6
# ln -s libnsl-*
libnsl.so.1
# ln -s libnss_files-* libnss_files.so.2
cd ../
cp -p /opt/etc/AccountDefaults/pathmsg ./etc/pathmsg
touch .rhosts
chmod ugo-xrw .rhosts
echo "5) Create default web page"
sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html
cp -p /opt/etc/AccountDefaults/favicon.ico .
cp -p /opt/etc/AccountDefaults/mwh-mini_tr.gif ./images
cp -p /opt/etc/AccountDefaults/robots.txt .
/>
03/14/08
Linux Web Server and Domain Configuration Tutorial
#
#
Page 23 of 23
chown $1.$1 index.html favicon.ico robots.txt
echo "6) Edit /etc/passwd file - change user shell to /etc/ftponly"
cp -p /etc/passwd /etc/passwd-`date +%m%d%y`
sed "/^$1/s!/bin/bash!/etc/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd
echo "7) Add user to /etc/ftpaccess file"
cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`
sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess
sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess
echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess
echo "8) Setting Disk Quotas to default 50Mb limit:"
Use user johndoe as a prototype.
edquota -p johndoe $1
echo "9) Admin Follow-up:"
echo "
Modify quota.user if different than default"
echo "
Make changes to Bind names services on dns1 and dns2 if necessary"
echo "
Change /etc/http/conf/httpd.conf if using a new domain name"
echo "
Add e-mail aliases to node2 if necessary"
fi
fi
FYI: Sample robots.txt files:
yolinux.com/robots.txt
yo-linux.com/robots.txt
USC.edu/robots.txt
/>
03/14/08
