DNS Setup DNS CONFIGURATION DNS Setup DNS Configuration named daemon is used A DNS Server may be caching/master/slave server The named.ca file has information of all Root Servers. There is a Forward Zone file and a Reverse Zone file for every domain. Configuration file: /var/named/chroot/etc/named.conf Forward Zone File: /var/named/chroot/var/named/<forward_zone_file> Reverse Zone File: /var/named/chroot/var/named/<reverse_zone_file> DNS Setup Sample Master named.conf zone "." { type hint; file "named.ca"; }; zone "0.0.127.in-addr.arpa" { type master; file "named.local"; allow-query {any;}; }; zone "iitk.ac.in" { type master; file "hosts.db"; allow-query {any;}; }; zone "95.200.203.IN-ADDR.ARPA" { type master; file "hosts.rev.203.200.95"; allow-query {any;}; }; zone "iitk.ernet.in" { type slave; file "hosts.iitk.ernet.in"; masters { 202.141.40.10; }; allow-query {any;}; DNS Setup Sample Forward Zone File $TTL 86400 @ IN SOA ns1.iitk.ac.in. root.ns1.iitk.ac.in. ( 200605091 ; Serial 10800 ; Refresh - 3 hours 3600 ; Retry - 1 hour 1209600 ;Expire - 1 week 43200 ) ; Minimum TTL for negative answers - 12 hours IN NS ns1.iitk.ac.in. IN NS ns2.iitk.ac.in. IN MX 5 mail0.iitk.ac.in. IN MX 10 mail1.iitk.ac.in. IN MX 20 mail2.iitk.ac.in. $ORIGIN iitk.ac.in. ns1 IN A mail0 IN A proxy IN CNAME 203.200.95.142 203.200.95.144 mail0 DNS Setup Sample Reverse Zone File $TTL 86400 $ORIGIN 200.203.in-addr.arpa. 95 IN SOA ns1.iitk.ac.in. root.ns1.iitk.ac.in. ( 200605091 ; Serial 10800 ; Refresh - 5 minutes 3600 ; Retry - 1 minute 1209600 ; Expire - 1 weeks 43200 ) ; Minimum TTL for negative answers - 12 hours IN NS ns1.iitk.ac.in. IN NS ns2.iitk.ac.in. $ORIGIN 95.200.203.in-addr.arpa. ; ; 142 IN PTR ns1.iitk.ac.in. 144 IN PTR mail0.iitk.ac.in. DNS Setup Configuring Local Resolver /etc/resolv.conf server 127.0.0.1 DNS Setup Test DNS nslookup host dig Test your DNS with the following DNS diagnostics web site: dnsstuff.com Apache Setup APACHE SETUP Web Server Setup Web Server Apache Web Server is used Daemon is httpd (service httpd start/stop/restart) Web Server Setup Files used by Apache Configuration file: /etc/httpd/conf/httpd.conf Log files: /var/log/httpd/access_log and /var/log/httpd/error_log Modules /etc/httpd/modules Default Document Root /var/www/html Default CGI Root /var/www/cgi-bin Web Server Setup Apache Configuration Directives Server Name Min and Max Servers Document Root CGI Enable/Disable User Directory Directory Index Mime Types Modules Access Restrictions Secure Server Virtual Hosting Web Server Setup Basic Settings Change the default value for ServerName www.<your-domain.com> in httpd.conf and put the website content in /var/www/html Additionally you can configure Name based Virtual Hosting (allow more than one websites to run on the same server) Web Server Setup Virtual Hosting NameVirtualHost *:80 <VirtualHost *:80> ServerName server-name DocumentRoot path-to-virtual-document-root </VirtualHost> <VirtualHost *:80> ServerName server-name DocumentRoot path-to-virtual-document-root </VirtualHost> Squid Setup SQUID SETUP Squid Setup Obtaining Squid Source code (in C) from www.squid-cache.org Binary executables Linux (comes with RedHat and others) FreeBSD Windows Pre-installed in Fedora/Enterprise Linux Squid Setup Basic Settings Edit the /etc/squid/squid.conf file to configure squid Configuration options: Disk Cache size and location Authentication Allowed Hosts Any other access restrictions (sites, content, size, time of access etc.) using ACL service squid start/stop/restart Squid Setup Disc Requirements Squid makes very heavy use of disc because of heavy read/write in cache Needs discs with low seek times SCSI is better Can spread cache over 2 or more discs Raid not recommended Cached data is not critical Squid Setup Calculating Disc Space Recommend keeping at least 2 days worth of objects 10 days may be better Example: 256Kbps link loaded 10 hrs/day ~= 1GB assume 50% cacheable - .5GB / day 2 days objects - 1GB 10 days objects - 5 GB Squid Setup Squid.conf Basic Configuration cache_dir ufs /var/spool/squid/cache 100 16 256 auth_param basic program /usr/lib/squid/ncsa_auth /etc/shadow acl sidbiusers proxy_auth required http_access allow sidbiusers acl our_network src 172.28.250.0/24 http_access allow our_network (Note: use squid –z for the first time to create the cache directory and its subdirectories) Sendmail Setup SENDMAIL SETUP Mail Server Setup Sendmail Configuration Daemon: sendmail Configuration File: /etc/mail/sendmail.mc Edit the following lines LOCAL_DOMAIN(`localhost.localdomain')dnl (Replace localhost.localdomain by the domain name for which the mail server is being configured) DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl (comment this line by adding dnl at the start of the line) dnl MASQUERADE_AS(`mydomain.com')dnl (remove dnl & replace mydomain.com by the domain name) Sendmail Setup Sendmail Configuration Add the range of IP addresses of your network in access file (e.g. 172.31. Relay) Run “make –C /etc/mail” command to compile sendmail.mc and generate sendmail.cf file. Restart sendmail and watch for errors Sendmail Setup PoP & IMAP Server PoP3 & IMAP Server can be started using dovecot server. (service dovecot start) Firewall FIREWALL Firewall Basic Setup Internet Application Web Server Database Firewall Firewall Firewall Rules IP Address of Source (Allow from Trusted Sources) IP Address of Destinations) Destination (Allow to trusted Application Port Number (Allow Mail but restrict Telnet) Direction of Traffic (Allow outgoing traffic but restrict incoming traffic) Firewall Firewall Implementation Hardware Firewall: Dedicated Hardware Box (Cisco PIX, Netscreen ) Software Firewall: Installable on a Server ( ) Host OSs (Windows XP/Linux) also provide software firewall features to protect the host These days Firewalls provide IDS/IPS (Intrusion Detection System/Intrusion Prevention System) services also. Linux Security LINUX Firewall Use GUI (Applications ->System Settings-> Security Level) to activate the firewall Allow standard services and any specific port based application All other services and ports are blocked Linux Security LINUX Firewall