2. Basics
2.1 /etc/modules.conf
2.2 Session logging
2.3 Common command aliases: yes or no?
2.4 /etc/DIR_COLORS
2.5 Choosing passwords
2.6 Remote maintenance via SSH
3. Bind
3.1 Default configuration in ServerAtSchool
3.2 Scenario 1 - in-house web server
3.3 Scenario 2 - web server running at ISP
3.4 Firewall considerations
3.5 DNS-records and your ISP
4. Exim
4.1 Default configuration in ServerAtSchool
4.2 Firewall considerations
5. DHCPD
5.1 Default configuration in ServerAtSchool
5.2 Firewall considerations
7. MySQL
7.1 Default configuration in ServerAtSchool
7.2 Configuring MySQL access
7.3 Firewall considerations
8. Apache
8.1 Default Apache configuration in ServerAtSchool
8.2 Hints for a secure web server
8.3 Firewall considerations
9. Site@School
9.1 Starting the install.php script
9.2 Setting web server properties
9.3 Setting database server properties
9.4 Filling the site with demo data
9.5 Creating the administrator user account
9.6 Finishing the Site@School configuration
9.7 Cleaning up on the server
10. Janitor
10.1 The main Janitor configuration file
10.2 Other configuration files
10.3 Janitor initialisation
10.4 Adding the first user account
11. REOBack
11.1 Creating a backup partition and mount point
11.2 Checking the default ServerAtSchool configuration
11.3 Creating remote backups
11.4 Firewall considerations
11.5 Creating buddies
12. Samba
12.1 The Samba configuration file
12.2 Logon script and drive letters
12.3 Firewall considerations
13. Ghost for Unix
13.1 Creating a g4u user account
13.2 FTP server and DHCP server
13.3 Firewall considerations
13.4 Creating a g4u boot floppy
14. Squid
14.1 Adding a new DNS record for the proxy server
14.2 Configuration file squid.conf
14.3 Firewall considerations
14.4 Configuration issues for client computers
14.5 Increasing the size of the cache on disk
15. USB/Laptop
15.1 Configuring USB, hotplug and PCMCIA
15.2 Configuring APMD
15.3 Using USB storage
16. GIPTables
16.1 Firewall customisation
16.2 Firewall debugging and monitoring
17. Squirrelmail
17.1 Configuring Squirrelmail
17.2 Integrating Squirrelmail in Site@School
18. Mailman
18.1 Setting the Mailman site administrator password
18.2 Customising Mailman
18.3 Creating the mailman mailing list
18.4 Creating a mailing list for teachers
19. ClamAV
19.1 Scanning files with ClamAV
20. CUPS
20.1 Setting up a JetDirect network printer with CUPS
20.2 Setting up a shared printer via SMB
20.3 Configuring Samba printing
21. Flotsam and jetsam
21.1 NTP
21.2 Enabling Syslog for remote reception
21.3 Managing privileges via sudo
21.4 Switching off tpop3d
21.5 Autoupdate
21.6 Adding a pause to read boot messages
21.7 Miscellaneous goodies
21.8 Hourly backup and yearly maintenance
21.9 Your server is ready
NOTICE: While configuring the various services you often need to type
commands at the command prompt. By default the command prompt looks
like this: [root@praeceptor etc]# _
. The word 'root'
is the name of the user account you are logged into. The word
'praeceptor' indicates the hostname of the server you are currently
working on. The word 'etc' in this example shows the last part of the
name of the current working directory (here: '/etc').
All commands should be confirmed by pressing the [Enter]
key on the
keyboard. In order to keep the examples and illustrations clean, it is
assumed that you will press [Enter] after every command even if this is not
explicitly indicated in the text.
eth0
); perhaps even the internal network is
not yet connected (eth1
).
NOTICE:
In order to make sure that no intruder breaks into your server while
you are configuring it, it is a good idea to leave the network cable
for the external network interface eth0
unconnected. You can plug it in after you have completed
the configuration in section 21.9 below.
NOTICE:
For added safety you may want to take a peek ahead in section
21.5 Autoupdate and switch the automatic update
off by setting the parameter DoUpdate
to
0
. This prevents the server from updating itself while
you are busy configuring it. If you let the server update itself, the
lack of correlation between the documentation you are reading and a
newer version of some software package that has been installed
automatically may be very confusing. Note that autoupdate will not
work as long as you don't have a connection to the outside world.
In this section we will be changing a few configuration files to make life
easier while configuring the various subsystems. You can use either
vi(1)
(/bin/vi
) or nano(1)
(/usr/bin/nano
) to edit these files. If you selected
to install the documentation, you can read more about these editors by
typing the command man vi
or man nano
, respectively.
NOTICE:
It is quite common to refer to a command by its name followed by a
number in parenthesis, e.g. vi(1)
or
passwd(1)
. The name itself (here: vi
or
passwd
) refers to the corresponding file which comprises
the command (/bin/vi
or
/usr/bin/passwd
). The number in parentheses is the
number of the section in the manual which holds the relevant documentation.
Sometimes it is necessary to distinguish between the various sections
in the manual, e.g. there is a manual page for passwd(1)
describing the command but there is also a manual page
passwd(5)
which documents the layout of the file
/etc/passwd
. You can view the correct section of the
manual by specifying the correct section number in the command
like this: man 5 passwd
. The most important sections of the
manual are 1 (user commands and applications), 5 (file formats) and 8
(administrator commands). See also the manual's manual (man
man
).
In the remainder of this text we will assume that you are logged into the
console (tty1
) as root, using the root password you
entered during the installation phase (see section 13. Root password in chapter III. Using the text mode installation program).
eth0
is
the interface which connects to the outside world (Internet). The
server is connected to the LAN via interface eth1
.
The bare installation of the network interfaces and the assignment of
the names eth0
and eth1
depends on the order
in which the various kernel modules for network devices were loaded
during installation. There is a chance that the interface for the LAN
was assigned the name eth0
and the interface for
the external connection became eth1
.
The names eth0
and eth1
are aliases for the
network drivers. These aliases are defined in the file
/etc/modules.conf
. Here is an example of the contents of
such a file:
Note that the driver e1000
(an Intel PRO/1000 Gigabit
interface on an ASUS motherboard) is assigned the name
eth0
. It makes no sense to assign such a fast interface
to the outside connection, especially when the server is connected to a
gigabit switch serving the LAN. The other interface (in this case
a 3Com 3c905C-TX-M) with the 3c59x
driver is only a 10/100
Mb/s card, which is more than good enough for the external interface, but for
the internal interface the Intel Pro/1000 would be better. You could change
the file /etc/modules.conf
to look like this:
If you want to make sure that the changes work as you intended,
you should stop the network (which is doing nothing at this
point anyway), unload the relevant modules, and restart the network. This
ensures that the relevant modules are reloaded and that the network
interfaces are assigned the names you specified in
/etc/modules.conf
.
Issue the following commands:
eth0
and eth1
by issuing this command:
ifconfig | grep HWaddr
service network stop
.
rmmod e1000
and rmmod 3c59x
.
/etc/modules.conf
and make
necessary changes.
cat /etc/modules.conf
.
service network start
.
ifconfig | grep HWaddr
.
NOTICE:
The hardware addresses of network interfaces always start with
three vendor-specific octets called OUI (Organisational Unique
Identfier). These numbers are assigned globally
(by the IEEE). The Intel network interface in this
example can be recognised by the sequence
00:0E:A6:xx:xx:xx
, the 3Com interface is
00:0A:5E:xx:xx:xx
. A searchable list of these
OUIs can be found at
http://standards.ieee.org/regauth/oui/index.shtml.
NOTICE:
From the example above you can see that it is helpful to have two
different network cards in the server, since it makes it
easier to distinguish between them. However, you can of course
equip the server with two identical network cards if you wish. In this
case the rule of thumb is that the card closest to the
CPU is eth0
and the other one is eth1
.
script(1)
' (see man script
for more information). This command copies your complete terminal
session to a file. This file (a 'typescript' in a way, hence the name
'script') can be studied afterwards. It can also be used to help
auditing the server.
During the installation of ServerAtSchool a collection of goodies
was installed in the directory /home/share/install/goodies
.
You may want to copy the file /home/share/install/goodies/bash_profile
to the file /root/.bash_profile
. This modified file
.bash_profile
will then be executed every time you log in. You can
copy the file with the command below. Your input is shown
emphasised in the illustration.
|
Note that cp(1)
requires a confirmation before
overwriting an existing file. We will deal with that issue in
2.3 Common command aliases: yes or no? below.
The differences with the original file .bash_profile
are these:
$HOME
,
with a name based on today's date, e.g. /root/script/2005-03-05
.
When you log out and then on again, a script of every terminal session will be created. This is illustrated in the image below.
NOTICE: Because of the session scripting, it is necessary to log out twice in order to end the session. The first time ends the typescript, the second time ends the session.
NOTICE:
You can use the exit
command or the
[Ctrl-D]
key combination to log out from script(1)
and
from the Bash session.
/root/.bashrc
)
three aliases are defined:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
These aliases enforce the interactive use of the
commands /bin/rm
, /bin/cp
and
/bin/mv
respectively. The interactive mode prompts you,
user 'root', every time a potentially destructive command is
given, e.g. the removal of a file or an attempt to overwrite an
existing file. This interactive mode can be a life saver,
especially when the command is issued when you are logged in as
root. If you do not use the interactive mode, the command
rm -rf /
will destroy your complete file
system, no questions asked.
For the more experienced systems administrator, this interactive use can
be very annoying. Such users may want to comment out or
remove these three commands in /root/.bashrc
. If you are
uncertain about this, please don't touch the file .bashrc
and you may save yourself some unpleasant experiences. Note that any changes
you make to this startup script are effective after you next
log in; you have to log out and log in again to let the changes take
effect.
NOTICE:
There lies a danger in using these interactive aliases.
You may get used to them and eventually depend on them,
e.g. when removing selected files with rm *
and
replying 'n
' for every file you want to keep. This is
really bad practice. You simply cannot and should not rely on this feature: if at
some point someone changes or removes these aliases, your 'trick' will stop
working and you will lose files. Also, if you happen to find yourself
at the root prompt on another (Linux) machine, you may find out the
hard way that you are not protected by the interactive use of
these commands. If you expect to become a seasoned sysadmin, you might
as well get used to living dangerously and remove these aliases.
It's up to you.
ls(1)
command. Depending on your preference, this can be
either extremely helpful or extremely annoying. You can switch off the coloured
ls
by editing the file /etc/DIR_COLORS
. Near the
top of the file there is an entry that looks like this:
COLOR tty
This means that the output of ls
will show colours when output
on a tty, but not when output is redirected to a pipe. You can
switch off the colour feature completely by changing this entry to read:
COLOR none
NOTICE: The file /etc/DIR_COLORS
configures the system-wide
default for ls
colourisation. The default can be overruled
on a per user basis by copying the file /etc/DIR_COLORS
to
$HOME/.dir_colors
and subsequently customising the copy
in the user's home directory. The settings in $HOME/.dir_colors
override the system defaults.
A good password has at least one digit (0,...,9), at least one lower-case letter (a,...,z), at least one upper-case letter (A,...,Z), and preferably at least one special character. Suitable special characters are: at-sign '@', hash '#', dollar '$', percent '%', caret '^', ampersand '&', asterisk '*', left parenthesis '(', right parenthesis ')', dash '-', underscore '_', plus '+', equals '=', left curly brace '{', right curly brace '}', opening bracket '[', closing bracket ']', semicolon ';', slash '/', dot '.', and question mark '?'. It is also a good idea to choose a password at least 8 characters long.
As part of the installation of ServerAtSchool, two small utility
programs were installed that can help you with generating passwords:
pwgen(1)
and makepasswd(1)
.
pwgen(1)
generates (more or less) pronouncable passwords
that are relatively easy to memorise. After entering the command, you
will see a screen like this:
|
From this list you can pick a password you like. If you want to make
the generated password more secure, you can add the -s
switch to the command. If you want to generate a single password consisting of 8
characters, you can use the command 'pwgen 8 1'. See man
pwgen
for more information.
makepasswd(1)
generates a single password by default. The
difference with pwgen(1)
is that the emphasis is on
secure passwords rather than pronouncable passwords. You can generate
more passwords at the same time, say seven, by using the command
'makepasswd --count=7'. See man makepasswd
for more
information.
You need to think of passwords when configuring MySQL, Site@School, Mailman and of course when adding user accounts to the system.
It is bad practice to re-use the same password over and over again. If you use the same password for everything, an intruder will only have to crack your password once to gain access to everything, which could include the all important root account. You really do not want that to happen.
It is also very bad practice to use existing words and names as passwords because it is easy to crack such passwords using a (precompiled) dictionary of words and names. Particularly bad choices for passwords are your own name, the name of your spouse, your children's names, the name of the dog, your postcode (zipcode) or the number on your car's license plate.
In section 3. Password list in Appendix D. Worksheets you will find a worksheet that can help you keep track of all the different passwords.
Apart from the possibility of using SSH to log in from a remote
location (inbound traffic), OpenSSH is also used to copy
backups from the server to a remote location (outbound
traffice). See section 11.3 Creating remote
backups for more information. You may also want to consult the
manual pages for ssh_config(5)
and
sshd_config(5)
.
A few settings may have to be changed in order for this to work:
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/giptables.conf
The default configuration for the SSH server is illustrated below. Lines of interest are shown emphasised.
|
Explanation:
PermitRootLogin
to yes
; you should not even
give outsiders half a chance to get a go at guessing your root
password this way.
PasswordAuthentication
to Yes
in order to be able to log in as a regular user
with just a password.
AllowGroups
limits access to the server
to members of the specified groups. By default only teleworkers and
buddies are allowed to log in (but see the notice below).
NOTICE:
The AllowGroups
directive may be
missing from the configuration file. In that case it is recommended to
add it manually, including the space-delimited list of allowed
groups. ServerAtSchool already has the groups 'teleworkers' and
'buddies' predefined.
NOTICE:
If you want to make access more secure, you could leave the directive
PasswordAuthentication
set to no
. However,
this means that you will always have to log in using a
private/public key pair. This is a good example of the trade off between
convenience and security.
NOTICE:
It may be convenient, at least for the time being, to have PasswordAuthentication
set
to yes
while you are setting up your server to
receive backups from another school. See section 11.5
Creating buddies below.
NOTICE: If you have changed the configuration file for the SSH server, you should restart the server. You can do so with the command 'service sshd restart'.
The default (system-wide) configuration for the SSH client is illustrated below. Lines of interest are shown emphasised.
|
Explanation:
PasswordAuthentication
to yes
in order to
log into another server using just a password (instead of a key
pair). This can be convenient when setting up remote backups (see
section 11.3 Creating remote backups below). You
should change it back to no
afterwards to prevent your
(compromised) system being used as a 'stepping stone' by crackers to
compromise other computers from.
StrictHostKeyChecking
to no
during the configuration phase on your server. This way you can
'automatically' collect common host keys. Afterwards you could then
reset this directive to yes
to prevent Trojan Horse
attacks. This is a security feature.
NOTICE: The SSH configuration files contain many more options than those shown here. You can distinguish between various hosts and use different settings for each of them. This topic, too, is discussed in chapter 16 of [Mourani 2002].
Even when the SSH server and client configuration files are set up
correctly, it may be necessary to check the firewall settings for
SSH. The illustration below shows the default settings for SSH in
/etc/giptables.conf
.
|
Explanation:
eth0
) is not allowed
eth1
) is not allowed
eth0
) is allowed
eth1
) is allowed
Basically this means that it is allowed to log into the server (for maintenance or otherwise) from either the Internet or the LAN. No outgoing traffic is allowed, nor is forwarded traffic from the LAN to the Internet allowed. This is a security measure.
NOTICE: By enabling SSH login from the LAN, you can perform maintenance tasks on the server while sitting behind a workstation somewhere in the building, in a comfy chair, rather than hanging upside down in a broom closet.
NOTICE: If you will not be carrying out remote server maintenance via
the Internet and you do not want to allow teleworking (i.e. letting
teachers access their documents on the server from home) you should
close the firewall for SSH on interface eth0
by setting
INTERFACE0_SSH_SERVER
to
"no"
. Then restart the
firewall for the changes to take effect. You can use the command
'service giptables restart' for this purpose.
NOTICE: If you really want to access the server via SSH (from the Internet
or from the LAN), you should use a regular user account (see section
10. Janitor for more information on creating user
accounts). This user account must also be a member of the predefined
user group teleworkers
. Only members of this group are allowed
to access the server in this way. This is taken care of in the
configuration file /etc/security/access.conf
.
named
' (for 'Name Daemon'). It is
pronounced 'name-dee'.
A default configuration file is generated during the installation of
ServerAtSchool, as are two 'zone files'. These files are located in
directories within the chroot jail in which Bind runs. The
configuration file is /chroot/named/etc/named.conf
and
the zone files are located in
/chroot/named/var/named/
. The names of the zone files are
derived from the local domain. Using the example from earlier
chapters (host praeceptor.exemplum.serveratschool.net
serving the internal network 172.17.2.0/24
), the
forward zone file (mapping names to numbers) is called
/chroot/named/var/named/db.exemplum.serveratschool.net
and the reverse zone file (mapping numbers to names) is called
/chroot/named/var/named/2.17.172.in-addr.arpa
.
As a rule, the configuration can be used as it is. However, depending on
your actual situation you may need to modify one or more of the
configuration files. In the remainder of this section we will discuss
the default setup and the reasons why this particular setup was
chosen. Also a few typical examples are shown, based on the same
demonstration host praeceptor
we used earlier.
A more thorough and in-depth explanation of Bind can be found in chapter 28 of [Mourani 2002]. You may also want to consult the Bind homepage at http://www.isc.org/sw/bind.
62.58.94.130
and 62.58.62.132
. These
name servers were defined in section 10. Network configuration in
chapter III. Using the text mode installation
program. The name server only listens to requests that come from
the LAN-side of the server, i.e. from the client computers, and
not to requests from the Internet at large.
By default the complete internal network is named after the host's
domain name: exemplum.serveratschool.net
. The individual
clients all have a name in that domain: c2
,
c3
, ..., c254
. All the client names map to
the corresponding IP address within the subnet: c2
has
address 172.17.2.2
, c3
has address
172.17.2.3
and so on.
Allthough it might seem boring to name the client computers with a letter followed by a number, this scheme actually makes it easier to keep track of individual client computers. You can give all your client computers a number (which you can write on the computer case with a big felt tip pen) and have your users easily identify the computer by number, which can be handy if you're troubleshooting over the phone.
The server itself has a series of different names within the domain:
ns
, mail
, news
,
gw
, gateway
, server
and of
course praeceptor
. All these different names for the
server are translated to the internal IP address
172.17.2.1
. There is one exception: the primary
hostname (praeceptor
in our example) also yields the
external IP address. That is the address that is assigned to
eth0
during the installation; 62.59.32.61
in
our example.
It may sound confusing to have so many names for the same server. The
reason for doing so is to make it easier to remember the
function of the server in a particular context. If you refer
to the server using the name ns
, chances are that you are
interested in the name server aspect of the server. If, however, you
are talking about mail
, you are probably working with
Exim or other software related to electronic mail. The added advantage
of using all these different names is that you could easily move say
the mail server to another machine (perhaps 172.17.2.2) by adjusting the
zone files accordingly, without having to reconfigure all your client
computers for the new mail server. If the client computers refer to
the mail server under the name mail
, it doesn't really
matter to the client if this is the same server as ns
or
not.
The name server runs in a chroot jail. That means that if someone
manages to abuse named
to gain remote access to
the server, the damage can be kept to a minimum because the intruder cannot get to the
system itself from the chroot jail. This is a security measure.
praeceptor.exemplum.serveratschool.net
and
you want to be able to use the well-known name www
for
it, you must add the hostname www
to the (forward) zone
file. Use an editor (vi
or nano
; both are
provided) and edit the zone file
/chroot/named/var/named/db.exemplum.serveratschool.net
mentioned earlier. You should add a single line in the zone file which
maps the name www
to the address 172.17.2.1
.
Every time you make a change to a zone file you should increase the zone file serial number. This indicates to any slave name servers that a master zone file has been changed and that the slave should update its cached data. Even though ServerAtSchool does not use slave name servers, it is still a good habit to update this serial number after every change. By convention the serial number has ten digits consisting of a 4-digit year, a 2-digit month, a 2-digit day and a 2-digit sequence number.
You also have to restart the name server in order for the changes to the zone file to take effect. You can use the command 'service named restart' for this purpose.
The example below shows the important parts of the modified zone file for this scenario. The modified and added lines are shown emphasised. (Note that a long list of host definitions was removed in this illustration to save space).
|
This modified zone file yields the IP address of the server
(172.17.2.1
) whenever the name server is queried for the
address www.exemplum.serveratschool.net
. Of course this
is only relevant to the clients on the LAN because the address
172.17.2.1
has no meaning on the Internet at large
since it is in a private address range. The net result is that any
client computer on the LAN can now 'surf' to
www.exemplum.serveratschool.net
.
This only works on the inside (on the LAN) because our name server
does not serve names to the outside world. This is stated in the
configuration file named.conf
in the option
allow-query { trusted; };
where the trusted
clients are limited to the clients on the LAN.
By adding www
to this zone file, nothing changes for the
outside world. If you want to make
www.exemplum.serveratschool.net
visible from the outside
too, you should also change the mapping between the name
www.exemplum.serveratschool.net
in the name server(s)
that serve the domain names to the Internet. This is usually done by
your ISP. You can probably simply ask your ISP to add or change the
mapping for the host www
in your domain to the external
IP address of your server. In our example that would be
62.59.32.61
. The situation is now as follows:
172.17.2.1
from the
name server when querying the name
www.exemplum.serveratschool.net
.
62.59.32.61
from the
name server of the ISP when querying the name
www.exemplum.serveratschool.net
.
This is exactly the result we were looking for; effectively the host
www.exemplum.serveratschool.net
can now be reached from
inside and from outside.
NOTICE:
This discussion only facilitates the access to the server using a name
rather than a numeric IP address. You still have to set up the web
server and perhaps check the firewall settings for HTTP if you really
want to serve your website to the LAN or the outside world. BIND only
deals with mapping names to numbers and vice versa. We just used the
hostname www
as an example here.
www.exemplum.serveratschool.net
on a server in your ISP's
data center. This could save you a lot of bandwidth on your xDSL or
cable connection, especially if your website is very popular. In this
case your ISP probably already has set up the correct mapping between
www.exemplum.serveratschool.net
and the IP address of one
of the ISP's servers, say 192.0.34.166
.
This means that any host on the Internet that tries to
resolve www.exemplum.serveratschool.net
is
directed to the host with the IP address 192.0.34.166
and
so reaches your website which is hosted on that
machine.
The notable exceptions to this story are the clients on your LAN. As
soon as one of the clients tries to resolve the name www
,
the authorative name server (your name server, not the one at
your ISP) will tell the client computer it cannot find the host
www
. This is of course due to the fact that
we told our name server that it is authorative for the domain
exemplum.serveratschool.net
and we did not tell
the name server to map the name www
in the domain to the
IP address of the ISP's server.
If you change the zone file
db.exemplum.serveratschool.net
and add www
this issue will be resolved. The modified zone file looks like this
(changed/added lines emphasised; irrelevant lines removed):
|
After you have changed these lines in the zone file all clients on
your LAN will be able to resolve the name www
to the
relevant IP address 192.0.34.166
, just like the rest of
the Internet.
NOTICE:
This scenario fails as soon as the ISP moves your site from
192.0.34.166
to another server. You can circumvent this
problem by using a CNAME record rather than an A record in the zone
file, e.g. www IN CNAME webserver.isp.net
. This works as
long as the ISP keeps your site on the machine
webserver.isp.net
and does not move it to another server
altogether.
During the installation of the firewall (see section
4. Firewall in chapter
III. Installing optional ServerAtSchool
components) a default configuration file for the firewall was
installed in /etc/giptables.conf
. This default
configuration file is already set up correctly for the name server.
The illustration below shows these default settings.
|
Explanation:
eth0
) is allowed
eth1
) is allowed
NOTICE: These default settings prohibit clients on the local network from querying outside name servers directly; all queries are to be answered by the name server running on the ServerAtSchool server. If necessary, the name server on the ServerAtSchool server will forward the requests to the name servers of the ISP. This is a security measure.
However, in order to resolve the 'official' names of the server from
the outside, something has to be done by the administrator of your
domain name. In this documentation that would be the administrator of
the domain exemplum.serveratschool.net
. If you plan to
serve your own website on the ServerAtSchool server (see scenario #1
above), you will want to have a mapping between the name www
and the IP address 62.59.32.61
. If you also want to be
able to reach your server via the Internet under the name
praeceptor
, that name should map to
62.59.32.61
too. You may also find it convenient to map
the empty hostname to the IP address 62.59.32.61
.
Finally, if you plan to handle your mail
directly on the ServerAtSchool server, you may want to have a mapping
between the name mail
and 62.59.32.61
.
The ISP's administrator should at least add the following entries to the external zone file for the domain. That is: the zone file that is used to serve the hostnames within the domain to the Internet at large.
|
If you plan to host your website at a server run by your ISP, the zone file should look like this.
|
NOTICE: It will probably be up to your ISP to make these changes to these
zone files. You do not have to apply these changes to the zone file on
your server. However, both zone files should agree on the
mapping of 'external' names such as www
to IP addresses.
A more thorough explanation of Exim can be found in chapter 30 of [Mourani 2002]. You may also want to consult the Exim homepage at http://www.exim.org. More information on Sender Policy Framework can be found at http://www.openspf.org
/etc/exim/exim.conf
. This file already contains the
hostname and the domain name that were specified earlier. The
configuration file is also prepared for sending mail via Squirrelmail
(if you chose to install that package) and for using Mailman (if you
chose to install that package).
You should check the configuration file to see if everything looks
all right. You also need to edit one more configuration file:
/etc/exim/localdomains
. Both files are discussed below.
|
Explanation:
MAILNAME
and MAINDOMAIN
should
have been set correctly during the installation, but it is a good idea to
double-check them.
SMARTHOST_ROUTELIST
has been commented out by
prepending the relevant line with a hash, '#'. This configures Exim to
try and deliver all outgoing mail by itself. If you want to use your
ISP's mail hosts to deliver your outgoing mail, you should
uncomment this line and add the name of your ISP's smart
host, e.g. SMARTHOST_ROUTELIST = smtp.isp.net
.
MAILMAN_HOME
is not commented out. This
variable enables Mailman support.
trusted_users
) is
limited to just the user mail
by default. If, however,
you decided to install the Webmail package (Squirrelmail), the user
www
is added to the list of trusted users. This makes it
possible for Squirrelmail users to send mail under their own name
rather than under the name of the user www
. That is, the
user www
is trusted to change the sender's address for
outgoing mail.
quota = 10M
. This default setting allows
for a maximum of 10 megabytes of stored mail per mailbox. It may be
necessary to increase this number. If the mailbox is filled for 75% or
more, the user will automatically receive a message from Exim with a
request to clean up the mailbox. This threshold can be set via the
quota_warn_threshold
parameter. If you do not want to
enable mail quota at all, you could set the parameter
quota
to 0.
/etc/exim/localdomains
. If the name of the local
domain is not already preconfigured, you should add the name of
the local domain as shown in the illustration below.
|
If you changed the configuration file, make sure you restart Exim for the changes to take effect. You can use the command 'service exim restart' to do so.
NOTICE:
If you have a more complex setup than the standard ServerAtSchool
setup, you may need to specify more than one domain in this
configuration file, e.g. downtown.stevensonschool.net
and stevensonschool.net
. This is necessary if
the server 'downtown' handles both the mail for the location
'downtown' and also for the Stevensonschool as a whole.
Note that the domains are specified one per line. See also the
discussion of the search option near the end of
section 11. Internet connection
details in chapter III. Using the text
mode installation program.
During the installation of the firewall (see section
4. Firewall in chapter
IV.Installing optional ServerAtSchool
components) a default configuration file for the firewall was
installed in /etc/giptables.conf
. This default
configuration file is already set up correctly for the mail server.
The illustration below shows these default settings.
|
The effect of these settings is that no client on the LAN has direct mail access to the outside world. This means that if an e-mail virus breaks loose on a client somewhere on the LAN, the virus will not be able to mail itself to other victims because no mail from the LAN is accepted by the server.
It is possible, however, to send mail via the web-based Squirrelmail. This outgoing mail will originate on the server and is therefore not blocked.
NOTICE: If you plan to use e-mail clients on the LAN rather than just
webmail, you will have to open up the firewall for incoming traffic on
interface eth1
. That is, the parameter
INTERFACE1_SMTP_SERVER
should then be set to
"yes"
.
An in-depth explanation of the DHCP server can be found in chapter 29 of [Mourani 2002]. You may also want to consult the DHCP homepage at http://www.isc.org/sw/dhcp.
eth0
and
eth1
were used to create the correct subnet
definitions. The generated configuration file should work
as it is. However, you may want to check the relevant file
(/etc/dhcpd.conf
) just to make sure that everything is
configured correctly. Below is an example of the file (with some
lines removed to save space).
|
Explanation:
get-lease-hostnames true;
means that the
DHCP server will provide client computers with their 'official' name
(as it is defined via the name server, see section 3. Bind above). This means there is no need to
define host names in this file /etc/dhcpd.conf
; it is
all done automatically.
subnet 172.17.2.0 netmask
255.255.255.0
. This definition starts with a few definitions
of client options:
default gateway (routers
), subnet mask, broadcast, name
servers, log server. These functions are all performed by the same
computer ('the' server at 172.17.2.1).
filename "pxelinux.0";
. A full
discussion of this package is beyond the scope of this manual.
/etc/dhcpd.conf
, you should restart the DHCP server for
the changes to take effect. You can use the command 'service dhcpd
restart' for this purpose.
NOTICE: The choices for both the 'dynamic' and the 'fixed' pool are arbitrary. The only real restrictions are
NOTICE: For the sake of completeness you can add 'fixed' definitions of other network devices to the 'fixed' pool. Examples of such devices would be network printers or smart network switches. If you wish, you can assign these devices a number between .2 and .20. This would make it easier to remember which is which, e.g. 172.17.2.1 - 172.17.2.9 are servers, 172.17.2.10 - 172.17.2.19 are printers and the rest are client computers. It is up to you.
During the installation of the firewall (see section
4. Firewall in chapter
IV. Installing optional ServerAtSchool
components) a default configuration file for the firewall was
installed in /etc/giptables.conf
. This default
configuration file is already set up correctly for the DHCP server.
The illustration below shows these default settings.
|
Any hosts blocked at the firewall by portsentry are
'released' once a week by means of a cronjob (see
/etc/cron.weekly/portsentry.cron
).
Portsentry is configured by means of configuration files in the directory
/etc/portsentry
. Of those files, one is especially
important: portsentry.ignore
. This file defines hosts
that should never be blocked by portsentry. The installation software
already has added both IP addresses of the server (62.59.32.61
and 172.17.2.1
) to this file. You may want to take a
peek to see if everything looks all right.
An in-depth discussion of Portsentry can be found in chapter 21 of [Mourani 2002].
NOTICE: Since /etc/cron.weekly/portsentry.cron
restarts
the firewall every week, any blocked hosts are
unblocked. So, if you happen to have a script that blocks
outsiders attempting to break in via port 22 (ssh), these outsiders
are 'freed' again every week.
mysqld
daemon and various client programs and libraries. The most important
application on the ServerAtSchool server is acting as the backend for
the website content management system (see section 9. Site@School for more information).
A thorough discussion of MySQL can be found in chapter 30 of [Mourani 2002]. You may also want to consult the MySQL homepage at http://www.mysql.com or more specifically the on-line documentation at http://dev.mysql.com/doc.
/etc/my.cnf
. You may want to take a
look at the contents of this file to see if everything looks all right.
The parameter skip-networking
in the section
[mysqld]
in the configuration file
/etc/my.cnf
is particulary noteworthy. Here MySQL is
configured not to listen to the network; only connections
originating at the server itself ('localhost') are accepted.
If you make any changes to the configuration file, you should restart the database server with the 'service mysqld restart' command.
NOTICE: The password 'ea8Nuiwo' in the example below was chosen from the
output of pwgen(1)
. You should not copy the example below
verbatim but use a password of your own choice. See section
2.5 Choosing passwords for more information.
|
At this point you have the opportunity to improve the security of the database by dropping access to the 'test' database for anonymous users. The test database is created by default. There really is no need to have this kind of access other than for testing purposes. If you do not wish to experiment with this MySQL server, you can safely execute the commands shown in the illustration below. Do not forget the command 'flush privileges' for the changes to take effect. Alternatively, you can restart the database server lateron with 'service mysqld restart'. Deleting the anonymous user accounts and the test database increase security.
|
Since you are already working with MySQL, now is a good time to create a new database, with appropriate permissions and a new user, especially for the website database that will be accessed via the Site@School content management system (CMS). This CMS will be configured shortly, see section 9. Site@School. Again, the commands to type are shown emphasised in the illustration below. The password 'ohF9quei' is used as an example. You should use a password of your own choice.
|
At this point you have created a new database named 'www' and a user named 'sasuser' who has been given full access to this database (but only from the host 'localhost'), provided the user produces the correct password, 'ohF9quei'.
The MySQL database is now ready for use. You can close the connection to the database and end the mysql program:
|
/etc/giptables.conf
in
the illustration below.
|
NOTICE: even if the firewall were opened for port 3306 (the default
port for MySQL), access would be denied due to the
skip-network
setting in /etc/my.cnf
as stated
above.
The Apache web server is an integral part of the ServerAtSchool server. It can be used to publish the school's website via the Site@School Content Management System (see section 9. Site@School for more information). It is also used to serve the web-based interface for Janitor (see section 10. Janitor for more information). Finally the web server is used to make the ServerAtSchool documentation available at http://server/doc/.
A thorough discussion of the Apache HTTP server can be found in chapter 43 of [Mourani 2002]. You may also want to consult the homepage of the project at http://httpd.apache.org or more specifically, the documentation at http://httpd.apache.org/docs-2.0.
/etc/httpd/conf/httpd.conf
. This configuration file
yields a working web server on the LAN. However, in order to serve pages
to the outside world, a few details still need attention.
The illustration below shows relevant parts of the preconfigured configuration file. Some lines were removed in order to save space. The more interesting lines and the lines that may need to be edited are shown emphasised.
|
Explanation:
Listen
directives which make the server listen (or not listen) to the
external interface. If you want to serve your website to the outside
world (via eth0, IP address 62.59.32.61), you should uncomment the two
relevant lines.
ServerAdmin
directive).
ServerName
directive).
DirectoryIndex
directive). The order is:
first index.php
, then index.htm
, and last,
index.html
. The effect is that the server will first
serve the file /home/httpd/htdocs/index.php
(which is the
main file of the Site@School Content Management System) rather than
/home/httpd/htdocs/index.html
which is the default Apache
placeholder.
/webmail/
as the
entry for access to Squirrelmail. You can change this alias to
something else if you wish, without moving the actual
Squirrelmail directory.
This alias is what users need to type in their browser. If you change
it to /schoolmail/
, Squirrelmail can be accessed via
http://praeceptor.exemplum.serveratschool.net/schoolmail/
.
The choice is yours.
/doc/
and
/janitor/
. You can change these aliases to something
else if you wish, e.g. /documentazione/
or
/maintainer/
, without moving the actual underlying directories.
ServerName
directive) in section
2). This virtual server can have one or more alternative names via the
ServerAlias
directive. In the preconfigured file these
names (server
and
server.exemplum.serveratschool.net
) are defined but
commented out. If you wish to let the server respond to yet another
alias e.g. www
or
www.exemplum.serveratschool.net
, or mail
or
mail.exemplum.serveratschool.nl
(see section 18.2 Customising Mailman below) you can define
it here. Do not forget to remove the '#' before the directive
ServerAlias
and to add the required aliases if you want to
use this ServerAlias feature.
ServerName
and
ServerAdmin
directives. See section 8.2
Hints for a secure web server below for a little more information.
If you really want to serve your website via the name
www.exemplum.serveratschool.net
, you need to make sure
that that name resolves to the correct IP address. See also section
3.2 Scenario 1 - in-house web server and section
3.5 DNS-records and your ISP above.
If you make changes to the configuration file, you need to restart the web server for the changes to take effect. You can use the command 'service httpd restart' for this purpose.
An exact recipe for setting up an SSL-enabled web server is beyond the scope of this guide. An in-depth explanation and examples are given in chapter 15 OpenSSL and chapter 43 Apache (pp. 1051, Running Apache with TLS/SSL support) of [Mourani 2002]. You may also want to refer to [Holbrook] (starting at page 36) for a discussion with an example of this kind of setup.
Below is a short checklist to give you an idea what needs to be done for setting up a secure web server. The basic strategy is as follows:
/etc/sysconfig/httpd
)
SSLCertificateFile
and
SSLCertificateKeyFile
mod_ssl
module must be uncommented in
/etc/httpd/conf/httpd.conf
/etc/giptables.conf
as it is installed with ServerAtSchool allows the following:
eth0
)
eth1
).
|
NOTICE: If you want to serve your website to the Internet at large you
should uncomment the appropriate Listen
directive in the
httpd.conf
file and you should set the
variable INTERFACE0_HTTP_SERVER
to
"yes"
. If either one is misconfigured, you will
not be able to retrieve pages from the web server. This is a security
consideration.
If you want to set up a secure web server (using TLS/SSL and the https protocol), you need to change the section in the firewall that deals with https. By default the firewall is closed for this protocol, as is illustrated below.
|
If you wish to enable https, you should at least set
ACCEPT_HTTPS
to "yes"
. You should
also take time to check the other relevant settings in this section of
the firewall.
The Site@School CMS is well-documented. If you chose to install the
documentation earlier (see section 8. Documentation in chapter III. Using the text mode installation program),
you can find the manual on your own server at
http://server/starnet/manual/
or
http://praeceptor.exemplum.serveratschool.net/starnet/manual/
.
The Site@School project's homepage can be found at http://siteatschool.sourceforge.net. There is also a support forum with an active community. The forum can be accessed via http://siteatschool.sourceforge.net/index.php?section=5&page=59.
Site@School must be configured with the name and login info of an existing MySQL
database. This can be done via the Site@School install script which
can be found at http://server/starnet/install/install.php
or
http://praeceptor.exemplum.serveratschool.net/starnet/install/install.php
.
If the external name servers are properly configured and you
have the name www
mapped to your server, you can
access the install script at
http://www.exemplum.serveratschool.net/starnet/install/install.php
.
See section 3.2 Scenario 1 - in-house
web server above for more information.
Configuration of the CMS requires a working database server (see
section 7. MySQL above) and a working web server
(see section 8. Apache above). Configuration is
done by running the install script via a browser. This means that you
also need a client computer with a browser connected to your
server. Note that you can also access the install
script from 'outside'. That is, if you have the external network
connection up and running (via eth0
), you can use any
computer connected to the Internet to surf to the install script.
Press the [Continue] button.
Explanation:
Exemplum Primary School
This is
the name of your website. By default it will appear on all your pages.
/home/httpd/htdocs/
starnet
http://www.exemplum.serveratschool.net
NOTICE: The Serverpath, i.e. the combination of the document root and the starnet directory must yield a valid path. Please make sure that the document root keeps its trailing slash '/'.
NOTICE: Assuming the name servers are properly configured, you can use different names for your server. We chose the name 'www.exemplum.serveratschool.net' in this screen. However, you might have entered the name 'exemplum.serveratschool.net' here (some people prefer to leave out the 'www' part of a website's address because they consider it a cleaner designation).
Explanation:
localhost
There is no need to
change this default value on the ServerAtSchool server.
sasuser
You should enter the username
that was defined for the website database near the end of section 7.2 Configuring MySQL access above.
ohF9quei
You should enter the password
that was defined for the website database near the end of section 7.2 Configuring MySQL access above.
www
You should enter the
name that was defined for the website database near the end of
section 7.2 Configuring MySQL access above.
sn_
There is no need to
change this default value on the ServerAtSchool server.
Choose Yes or No by checking the appropriate option. Press the [Continue] button to confirm your choice.
NOTICE: If you choose to install the demonstration data, you will get a working web site with a few sections and pages that show off the many features of Site@School. You can always delete these pages if you wish. However, if you already know about the Site@School features and you already have a good idea on structure and content of your website to be, you may be better off with an empty website to start with.
Explanation:
Freddie Frinton
This is the real name of the
person responsible for website administration.
webmaster
This is the name of the user account
that will be used by the administrator. This should preferably be a single
word not longer than 8 characters, without any spaces or punctuation
characters (letters and digits are fine).
Re6oifax
This is the password that the
administrator will use to authenticate.
webmaster@exemplum.serveratschool.net
This is the e-mail address associated with this user account. It is
used in the event the user forgets the password.
In this example the e-mail address
'webmaster@exemplum.serveratschool.net' is used. This implies that
mail for 'webmaster' will be processed on the server itself. By default
this address is an alias for 'root' which in turn is an alias for
'postmaster'. By default all mail for 'postmaster' is redirected to
the e-mail address you specified during installation, see section 14. E-mail address configuration in
chapter III. Using the text mode installation
program. This aliasing of e-mail addresses takes place in the file
/etc/exim/aliases
. See also section 10.4.1
The webmaster alias for more information about linking
the webmaster alias to the account of Freddie Frinton.
NOTICE: Freddie Frinton is a member of the Exemplum Primary School community. See section 5. The Exemplum Primary School in Appendix C. How the ServerAtSchool documentation was written for more information about this example school.
Press the [Continue] button to confirm the new settings.
If, however, you did install the demonstration data, the screen will look slightly different:
Please make a note of the username and the password if you did not do so already; you will need them to log in whenever you want to manage the website.
NOTICE:
If you did not install the demo data, you should at least add
1 section and 1 page in that section to the website, otherwise
your website visitors will see an error message like this:
No page was set as startpage for this section of the site
.
NOTICE: If you want to add content to the website, you can press the [Login] button. However, please do not forget that a little cleaning up needs to be done on the server at this point. See section 9.7 Cleaning up on the server below.
If you did install the demonstration data, your website will look like this:
You can log in via
http://www.exemplum.serveratschool.net/starnet/index.php
to maintain your website.
/home/httpd/htdocs/starnet/configuration/database.inc.php
.
When the Site@School installation script finishes, this file is
left with its permissions set to 0777
. This means that
anyone with access to the server will be able to read the
database password stored in this file and will also be able to
write to this file. You definitely do not want that. As a
matter of fact, no write access is necessary at all once this file has
been created by the installation script. Therefore, you should change
the permissions of this file to 0400
. The file already
belongs to user www
and group www
so no
changes are necessary in that respect.
Secondly, the contents of the directory
/home/httpd/htdocs/starnet/install/
will no
longer be needed. You can remove the entire directory.
Use the following commands (emphasised in the illustration below) to do the cleanup.
|
Your website and Site@School are now ready for use. Refer to the Site@School manual (if you installed that) for more information.
janitor(1)
and janitorcmd(1)
)
for use at the command line and a web interface
(http://server/janitor/index.php
). It was designed
especially for ServerAtSchool.
Before Janitor can be used, the directory tree containing the users' home directories and the shared groups must be created and configured. Also the hourly backup of user data must be initialised. When this one-time initialisation is completed, at least a single user account has to be created. This is a three-step procedure.
/etc/janitor/janitor.conf
janitor init
janitor(1)
at the
command line. This would be the account of a local systems administrator
or a 'janitor' as it is called in ServerAtSchool.
NOTICE: Unless you know exactly what you are doing, the Janitor initialisation is a process that can only be executed once. Please check and double-check the configuration file before you issue the init command.
/etc/janitor/
, notably the file
janitor.conf
. The default configuration file is shown
below. Lines of interest are shown emphasised and are explained below.
|
Explanation:
janitor(1)
. By concentrating all
language elements in a single file it is relatively easy to translate
the messages into another language. You could create your own messages
file and point Janitor to it using this parameter.
Desktop
and Start
Menu
under the users' home directories will be owned by this
group. The definition of this parameter is dynamic, i.e. it is
recalculated from the system database in /etc/group
every
time a janitor command is issued. If the name of the group (default:
programs) will never be changed, this parameter may be changed into a
static definition like this:
PROGRAMS="programs"
This saves a little processing power. Note that the name must correspond with the
name of the predefined group. If you are uncertain what to do, just leave
this parameter as it is.
JANITORS="janitors"
.
If you are uncertain what to do, just leave this parameter as it is.
/etc/sysconfig/network
. The parameter is used to
create the full e-mail addresses of the users (see section 17. Squirrelmail below). In the case of the Exemplum
Primary School, this parameter eventually would yield
exemplum.serveratschool.net
. If you are sure this domain
name will not change in the forseeable future, you may want to change
the definition of this parameter to something like
FULL_DOMAIN="exemplum.serveratschool.net"
. If
you are uncertain what to do, just leave this parameter as it is.
NOTICE:
In the case of the Robert L. Stevensonschool (see section
9. Hostname configuration in chapter
III. Using the text mode installation
program) you may want to overrule the 'automatic' domain name
(e.g. uptown.stevensonschool.net
or
downtown.stevensonschool.net
) with the domain name that
applies to both locations of the school,
e.g. FULL_DOMAIN="stevensonschool.net"
. In that case
e-mail addresses would look like username@stevensonschool.net.
EN
. The parameter is used in the web
interface code to construct the name of the language file,
e.g. /home/httpd/janitor/language/EN.php
. The value of
this parameter is propagated to the web interface via the
(automatically created) configuration file
/home/httpd/janitor/config/janitor.conf.php
as defined by
the parameter JANITOR_CONF_PHP.
PHP_ALLOWED_REMOTE_ADDR="127.0.0.0/8,$INTERNAL_ADDR,192.0.34.166/32"
.
Note that the network prefix of 32 yields a single host rather than a
'real' network. If you want to allow access to the web interface from
any host
(which is not recommended), you would need to specify
0.0.0.0/0
, which acts as a wildcard.
$HOME
. By
default (with
$HOME=/home/userdata/./home/users/<userid>
) this
environment looks like this:
$HOME/H/ = SMB_HOME
$HOME/H/.profile/ = SMB_HOME/SMB_PROFILE
$HOME/H/.profile/Desktop/ = SMB_HOME/SMB_PROFILE/SMB_DESKTOP
$HOME/H/.profile/Start Menu/ = SMB_HOME/SMB_PROFILE/SMB_STARTMENU
$HOME/H/My Documents/ = SMB_HOME/SMB_MYDOCUMENTS
$HOME/H/My Backups/ = SMB_HOME/SMB_BACKUP
The users Windows Home is $HOME/H
(a.k.a. H:\
from a Windows-client) The roving profile of
the user (Windows 9x) is stored in $HOME/H/.profile
, with
icons on the Desktop and in the Start Menu stored in
$HOME/H/.profile/Desktop
and $HOME/H/.profile/Start
Menu
respectively. The user's documents go in $HOME/H/My
Documents
. The directory H:\My Backups
contains a
read-only backup of the user's data (backed up every hour during school
hours; see bu(1)
). The parameter SMB_NESTS
is used to group the Desktops and Start Menus of groups (classes,
grades) of pupils (called 'nests' here) in
/home/userdata/home/groups/janitors/Desktop/SMB_NESTS/<group>
and /home/userdata/home/groups/janitors/Start
Menu/SMB_NESTS/<group>
in order to make the desktops of
many users (pupils) more manageable.
SMB_XXX
-parameters should
match those specified in the Samba configuration file
/etc/samba/smb.conf
, notably SMB_PROFILE
in
parameter logon home
in section [global]
and
SMB_HOME
in parameter path
in section
[homes]
(see also section 12. Samba below).
.lnk
or .pif
which are used
to launch Windows applications.
/etc/janitor/janitor.conf
is obviously the most important
configuration file for Janitor, but there are some more
configuration files. As a rule nothing will need to be changed
in these files. The additional files are listed below for the sake of
completeness.
/etc/janitor/janitor-bu.conf
/etc/janitor/janitor-bu.exclude
/etc/janitor/janitor-bu.include
bu(1)
. The actual hourly backup is done via a
cron job; see /etc/cron.hourly/janitor-bu.cron
. By
default a backup of /home/userdata/home
is
made to /home/userdata/backhome
every hour between eight
a.m. (08:00) and six p.m. (18:00),
Monday to Friday.
/etc/janitor/userdata_files.conf
/etc/janitor/buddies_files.conf
ssh(1)
, to manipulate
files (using ls(1)
, cp(1)
, rm(1)
etc.), and to upload and download files using
scp(1)
. Users who are only allowed in the chroot jail
can be recognised by the dot (full stop, '.') in the path to their home directory,
e.g.
$HOME=/home/userdata/./home/users/<userid>
.
Additional commands for these users may be specified in the file
userdata_files.conf
, although it is recommended to leave
the configuration as it is. The necessary files are updated
periodically from the system files, e.g. /bin/ls
is
copied to /home/userdata/bin/ls
, etc.
/home/httpd/janitor/config/config.php
/home/httpd/janitor/config/janitor.conf.php
/etc/janitor/janitor.conf
in a form that is easily
understood by the web interface program. The contents of this
configuration file can be regenerated from the main configuration file
with the command janitor configphp
.
NOTICE:
Please double-check the contents of the configuration file
/etc/janitor/janitor.conf
before performing the
Janitor initialisation. This initialisation is only done once, so
please make sure you get it right the first time.
You can initialise Janitor as shown below. The command you need to give is emphasised.
|
The effect of this command is that the directory trees under
/home/userdata/
and /home/buddies
are
created. Also the configuration data from janitor.conf
is
copied to the configuration of the web interface.
NOTICE:
If, despite all the warnings, you initialised Janitor
with the wrong parameters in janitor.conf
, even after you
had double-checked everything, you may need to redo the
initialisation. You can see what was done by reading the contents of
/etc/janitor/janitor_init.txt
. If you really need to redo
the initialisation, you will need to perform the following steps.
/home/userdata
and
/home/buddies
janitor -f init
If you wish, you can compare your file
/etc/janitor/janitor_init.txt
with the one in the
illustration below. This file was created using all defaults,
i.e. without changing anything in janitor.conf
.
|
NOTICE:
The password 'iaghee4H' in the example below was chosen from the
output of pwgen(1)
. The password 'fr56fr' was
constructed manually. You should not copy the example below verbatim
but you should instead use passwords (and usernames) of your own choice. See section 2.5 Choosing passwords for more information.
You can create a user account with Janitor as shown below. The command you need to give is shown emphasised.
NOTICE: In this illustration your input, which is shown emphasised, is split over multiple lines using the backslash character ('\'). This is done to make the illustration a little more readable. You are very welcome to create a long input line without backslashes; it works exactly the same. The output, consisting of the various bits of information entered for this user account, is shown in chunks of 76 characters per line. This too was done to make the illustration a little more readable.
|
Explanation:
janitor useradd
janitor(1)
,
asking it to perform the function useradd
. (In total there
are some 18 functions that can be executed this way; use
janitor
without parameters to get a quick overview). The
remainder is a list of arguments for Janitor's useradd
function.
-c "Freddie Frinton"
-c
sets the comment field in the system's
user database /etc/passwd
. This field is sometimes referred to
as the GECOS field. This field is used to store the
name of the user in human-readable form.
-d /home/userdata/home/users/ffrint
-d
defines the full path to the user's home
directory. If this user were to be limited to the chroot jail
mentioned earlier, the full path would have to be specified with an
extra dot and a slash between 'userdata' and 'home' like this:
/home/userdata/./home/users/ffrint
.
-G janitors,teleworkers,programs
-G
defines the secondary groups for this
user. These secondary groups must already exist before any of
them are used. In this case they are all predefined and can therefore
be used without having to add them to the system first. By making this
account a member of these groups, the following privileges are granted
to the account:
PUTTY.EXE
).
-s /bin/bash
-s
defines the command shell for this
account. By default the 'shell' /sbin/nologin
is assigned
to a user account. This 'shell' simply denies access (it immediately
logs out the user). This is a security measure. Only if the account
has a real shell like /bin/bash
will the user be able to
log in (via ssh or at the console). Note that the account must be both
a member of the teleworkers (for access via ssh) or janitors
(for access via the console) group and have a real shell.
-P 'iaghee4H'
-P
defines the shell password for the user
account. This is the password that is used to authenticate the user
for
-I
below)
/bin/bash
is specified as shell and the user is a member of the teleworkers group)
-W 'fr56fr'
-W
defines the user's password for Windows
Networking via the Samba server. This password is used to access the
server from a Windows client computer. Note that a user account has
two passwords. It is a good idea to make sure that these
passwords are not the same. This keeps the -P
password
(sometimes called the 'difficult' password) secret, even if the
-W
password (sometimes called the 'easy' password or the
SMB password) were to be compromised.
-E freddie.frinton,listmaster
-E
defines the user's e-mail aliases. It
consists of a comma-delimited list of different aliases for this
user's mailbox. In this case the mailbox name is ffrint
(see below, the last item in this list) and the aliases defined via
-E
ensure that mail addressed to
freddie.frinton@exemplum.serveratschool.net
and
listmaster@exemplum.serveratschool.net
also ends up in mailbox ffrint
. Note that the first alias in the
list is also used as the From address in Squirrelmail. Note also that
the domain name should not be specified here, just the bare alias. The
domain name is derived from the FULL_DOMAIN parameter in
/etc/janitor/janitor.conf
. See section 10.4.1 The webmaster alias below for a discussion
of how the 'webmaster' aliases should be added to this account.
Note that the listmaster
alias is used while configuring the
(optional) Mailman mailing list manager, see section
18.3 Creating the mailman mailing list below.
-I 0.0.0.0/0
-I
defines a comma-delimited list of
IP addresses from which it is allowed to access webmail
(Squirrelmail). By default, access to webmail is limited to the LAN by
using 127.0.0.0/8,172.17.2.0/24
. For this
user account, access is unlimited; the user is allowed to access
webmail from anywhere in the world. Specifying no access at all could
be done via 255.255.255.255/32
.
ffrint
NOTICE:
Another important parameter for janitor useradd
is
-g
. This parameter defines the user's primary group. By
default (if no primary group is specified), a group with the same name
as the userid is created automatically. This is called a User Private
Group or UPG for short. User accounts for the school staff are usually
created with UPGs. Accounts for pupils are usually not
created with UPGs.
NOTICE: The abbreviation GECOS stands for General Electric Comprehensive Operating System. The GECOS field used to be used to enable Unix computers to print on machines running GECOS. Nowadays the field is used for pertinent information about the user, such as the full name. You may want to consult the entry for GCOS in the Jargon File for more information.
If the user account was created successfully, Janitor responds with a colon-delimited string containing all the details of the account that was just created, including the default values for fields that were not explicitly defined. The format of this string is as follows:
userid:uid:pgroup:gecos:home:shell:sgroups:pwd:smbpwd:skel:aliases:ips
Brief explanation:
userid
: the name of the account (max. 16 letters and digits)
uid
: numerical user id
pgroup
: the name of the primary group (max. 16 letters and digits)
gecos
: a comma-delimited list of additional information,
first subfield is user's name in human-readable form
home
: full path to user's home directory
shell
: full path to the command shell for this account
sgroups
: comma-delimited list of secondary groups (max. 16 letters and digits each)
pwd
: shell password
smbpwd
: smb password, also known as the Windows Networking password
skel
: skeleton directory
aliases
: comma-delimited list of e-mail aliases, the
first one is also used as the sender address in squirrelmail
ips
: comma-delimited list of allowed IP addresses for web
mail access (CIDR format)
An in-depth discussion can be found in the chapter III. Janitor in ServerAtSchool User Manual.
With the new user account it is now possible to use the web interface
to Janitor. If you wish to add other user accounts via the web
interface, you should point a browser to
http://server/janitor/index.php
and enter the username
ffrint and the 'difficult' password. You should see the following.
Press the [OK] button to log in. Note that there is no need to rush; the other user accounts can be added later on. It is best to finish the server-related configuration tasks first and leave user management for later.
Full documentation of the Janitor program can be found in chapter III. Janitor in the ServerAtSchool User Manual.
/etc/exim/aliases
.
Because of the way Janitor works, it is not possible to use an alias
that already exists for a new user account. The alias first has to be
deleted from the account that currently uses the e-mail alias. In this
case, the alias is associated with the root account. Since that
account can not be managed with Janitor (for security
reasons), it is necessary to change this specific alias
manually. The best way to add the special alias 'webmaster' to the
account 'ffrint' is to first delete the alias from the file
/etc/exim/aliases
and subsequently modify the account
'ffrint'.
Take the following steps:
/etc/exim/aliases
, e.g. with
vi(1)
or nano(1)
.
webmaster: root
.
/usr/sbin/newaliases
in order to
rebuild Exim's aliases database. At this point the 'webmaster' e-mail
alias no longer exists.
janitor usermod -E freddie.frinton,listmaster,webmaster ffrint
.
This sequence of commands ensures that the three aliases 'freddie.frinton', 'listmaster', and 'webmaster' are linked to the account 'ffrint' in the correct order, i.e. the first alias specified will also be used as the sender address in Squirrelmail.
NOTICE:
Of course it would have been possible to simply change the line
'webmaster: root' into 'webmaster: ffrint' in
/etc/exim/aliases
followed by the command
newaliases
. However, this would change the sender address
in Squirrelmail to 'webmaster' the next time the ffrint account is
modified.
NOTICE:
This direct editing of /etc/exim/aliases
is only
necessary for the predefined e-mail aliases such as 'webmaster'. For
regular users and ordinary aliases these changes can be done via
Janitor. Janitor also takes care of automatically recreating the aliases
database. If you change the aliases file manually, you should run
newaliases
.
/etc/cron.daily/reoback.cron
. However, before REOBack
can run smoothly, a few things have to be done first:
/backup
must exist.
/etc/reoback/reoback.conf
.
At this point we need to prepare a partition on another disk for
storing backups. Assuming the allocation of disks conforms to the one
in the section mentioned above, we need to create a partition on disk
/dev/hdc
or the Secondary Master. The fastest way do do so
is to use /sbin/fdisk
. Below is an example that
illustrates the process with:
fdisk(8)
from the command line,
/dev/hdc
to primary
partition 1 using the default values by pressing [Enter]
when asked about first and last cylinder,
fdisk
program) using the w
command.
/dev/hdc1
.
|
Once the partition /dev/hdc1
has been defined, a file
system must be created on the partition. The preferred ServerAtSchool
file system is 'ReiserFS'. A file system is created with the command
mkreiserfs(8)
as is illustrated below.
|
After creating a file system on /dev/hdc1
an entry must
be added to fstab(5)
, the table with file systems. This
table is stored in the file /etc/fstab
. The entry should
enable the system to make the connection between the partition
(/dev/hdc1
) and the mount point (/backup
).
NOTICE: The mount point /backup
should already exist; it
was created during the installation of the ServerAtSchool server. If
for some reason the mount point does not exist, you can
create it (as root) with the command 'mkdir /backup'.
The line mapping /dev/hdc1
to /backup
is
shown emphasised in the illustration below. You should edit the file
/etc/fstab
and apply this change.
|
The backup partition is now ready to receive backups.
NOTICE:
Note that the backup partition is not mounted at this time and is not
even mounted automatically at all. The daily cronjob
reoback.cron
takes care of mounting and unmounting the
partition. The only time the partition is mounted is while the backup
is being made. It is unmounted and therefore inaccessable for the rest of
the time. This is a security measure.
NOTICE:
You should mount the partition with mount /backup
at
least once. By issuing the mount command this way, you not only mount the
partition, but you also test to see if the system is able to make the
connection between the partition and the mount point, confirming that
you did not make any typing errors. After you have succesfully mounted
the partition, you can unmount it again.
/etc/reoback/reoback.conf
is shown in the illustration
below. A few lines of interest are shown emphasised. Please take a look at
this file to see if everything is all right.
|
Explanation:
host
should be configured to the name of
the host that is being backed up. In our case the word
UNKNOWN
should be changed to
praeceptor
. The hostname ends up as part of the filenames
of the compressed tar files that REOBack creates.
remotebackup
should be set to 1 instead of 0.
remotehost
and
remoteuser
parameters.
encryptbackup
should be set to 1 instead of 0 and
parameter encryptkey
should contain an encryption
key. (See NOTICE below).
NOTICE:
There is a known issue with remote backups: the parameter
remotepath
should be changed from ~/reoback
to ./reoback
. This is a quirk in this version of REOBack
which will be fixed in future versions.
NOTICE:
Please make sure that you keep a copy of the exact
encryptkey
written down in a safe place, i.e.
not in your desk drawer at school. Any encrypted backup
files will be rendered absolutely useless if you do not have the exact
same key as was used to encrypt the data. Without it, you will be unable to decrypt the data.
If you lose the paper with the secret key, you will also lose all your
encrypted backups. Consider yourself warned. Alternatively, you could
store the encryptkey
on a USB stick, see section
15.3 Using USB storage below.
NOTICE:
The format of the file /etc/reoback/reoback.conf
is
documented in the man page. See man reoback.conf
for more
information.
After editing this file /etc/reoback/reoback.conf
you
should check the file
/etc/reoback/reoback-files.conf
. This file lists the
directory trees that are backed up, basically one tree per backup file
in the default setup. The default configuration creates backups of the
following directory trees: /bin
, /boot
,
/chroot
, /dev
, /etc
,
/home
, /lib
, /root
,
/sbin
, /tmp
, /usr
,
/var
(excluding /var/lib/mysql
) and
/var/lib/mysql
. The default
reoback-files.conf(5)
is shown below.
|
By splitting various directory trees over different files the individual backup files won't be as big as they would be if all the backups were stored in a single file.
NOTICE: If the backup files grow too large to your taste, you can
always change the configuration to split them into smaller
chunks. A good candidate for splitting up is /home
: you
may want to split this tree into subtrees, e.g.
/home/share/program1
,
/home/share/program2
,
/home/share/iso
and the remainder of
/home
. Another good candidate is the subtree
/var/lib/g4u
if you have a few large client
disk images (see section 13. Ghost for Unix below).
Assuming that you have an agreement with the Elisa Dolittle School to store your backups on their server, their systems administrator would have provided the following information:
higgins.elisadolittle.org
exemplum
ssh-keygen -t rsa -N ''
. Accept
the default name and location by pressing [Enter]
. This
procedure is illustrated below. Your input is shown emphasised.
|
At this point, two files will have been generated. The first one,
/root/.ssh/id_rsa
is the private part of the keypair. The
second one, /root/.ssh/id_rsa.pub
, contains the public
part of the keypair.
NOTICE: It is important to keep the private part of a keypair strictly confidential. Please make certain that only the public part of the keypair leaves the server. Also the permissions on the private key should be as tight as possible: do not allow more than read and write access for the file owner, i.e. set permissions to 0600. The public key can have permissions 0644 if you wish.
ssh(1)
, using the
password you received from the administrator of the remote server.
.ssh
in your home directory on
the remote server.
exit
.
|
NOTICE:
If you cannot log into the remote server, you may need to check the
settings for ssh(1)
in /etc/ssh/ssh_config
,
notably the parameters 'PasswordAuthentication' and
'StrictHostKeyChecking'; see section 2.6 Remote
maintenance via SSH above for details.
NOTICE: You also should have the firewall configured to allow outgoing traffic. See section 11.4 Firewall considerations below for more information.
Once these steps are completed, the user 'root' from the Exemplum
Primary School (with ssh(1)
) can log into the account
exemplum
on the server
higgins.elisadolittle.org
of the Elisa Dolittle School
without being prompted for a password. Also, files can be copied (with
scp(1)
) without the need to specify a password. This is
what REOBack will be doing every night when remote backups over SSH
are enabled.
NOTICE: More information about setting up public key authentication
can be found in the manual page; see man reoback.conf
. An
in-depth discussion of the subject can be found in chapter 16 OpenSSH
(pp. 432, Creating OpenSSH private & public keys) of [Mourani 2002].
/etc/reoback/reoback.conf
. You will also need to enable remote
backups. The necessary changes are illustrated in the snippet
below. Lines of interest are shown emphasised.
|
Explanation:
remotebackup
must be set to 1 in order
to enable remote backups.
remotehost
must be set to the name of
the server that will receive your backups.
remotepath
must be changed to
'./reoback/', i.e. the tilde '~' must be changed into a dot '.'.
This a known issue in the default configuration file.
remoteuser
is the name of the account
on the remote server.
encryptbackup
must be set to
1 in order to create encrypted backups. If you do, be sure to
encryptkey
is the secrect
code which is used to encrypt your backups (if
encryptbackup
is set to 1). Please do not
use 'difficult' characters in this key. The easiest is to stick to
letters, digits, comma's, dots and underscores. Characters to
avoid are spaces, single and double quotation marks, the backquote, and other
punctuation characters.
/etc/giptables.conf
) has to be edited. The entry that allows outgoing
traffic to the Internet (via eth0
) needs to be changed. The
relevant line is shown emphasised in the illustration below. (Some lines have been
removed in order to save space).
|
You may also need to check the SSH client configuration. See section 2.6 Remote maintenance via SSH for more information on configuring SSH (both client and server).
Do not forget to restart the firewall after you have made changes to the firewall configuration. You can do so with the command 'service giptables restart'.
If you have an agreement with the Elisa Dolittle School for storing your backups on their server it is likely that you will return the favour by configuring your server to receive their backups. In order to make this work, you, the local systems administrator of the Exemplum Primary School, have to perform the following tasks.
elisadolittle
on your server
praeceptor.exemplum.serveratschool.net
.
NOTICE: The whole discussion in this section 11.5 can be considered the counterpart of the procedures described in section 11.3 above. In section 11.3 you were configuring your remote backups on their server, here in section 11.5 you are providing facilities for them to store their backups on your server.
fstab(5)
and mounting the partition. The procedure is
basically the same as the one described in section 11.1 Creating a backup partition and mount point
above, be it with a different disk. If you have followed the
instructions in section 2.3 Disks in
chapter II. Preparing the hardware for
installation, your buddies-disk would be /dev/hdd
.
You should take the following steps.
fdisk /dev/hdd
./dev/hdd1
. Do not forget to
actually write the partition table to the disk with the
w
command in fdisk(1)
.
mkreiserfs /dev/hdd1
.
fstab(5)
.
|
noauto
is not specified. This means that the partition
will be mounted every time the system is booted. For the buddies-partition
this is what you want, since you cannot predict when they
will want to store their backup. Therefore the buddies partition
must always be mounted.
noexec
) and it is also not
allowed to have files with the set-userid-bit set
(nosuid
). Even though you may completely trust the Elisa
Dolittle School with an account on your server, it is better to be
safe than sorry.
mount /home/buddies/home
.
The fastest way to add a buddy to the system is to use
janitor(1)
. Assuming you want to create an account
'elisadolittle' for the Elisa Dolittle School, with password
'Nae8upae', you would issue the command shown in the illustration
below.
|
Explanation:
janitor useradd
-c "Buddy Elisa Dolittle School"
-d /home/buddies/./home/elisadolittle
/dev/hdd1
which is mounted at
/home/buddies/home
.
-g buddies
-s /bin/bash
ssh(1)
and
scp(1)
.
-P 'Nae8upae'
elisadolittle
elisadolittle.org
in this case). The
next best choice would have been the name of the server of the
Elisa Dolittle School, e.g. higgins
. The name should
consist of no more than 16 letters and digits, as usual.
NOTICE: It would also have been possible to create the buddy account via the web interface; that is a matter of choice and convenience.
At this point you should talk to the systems administrator of the Elisa Dolittle School (by telephone or in person) and provide her with the following information:
praeceptor.exemplum.serveratschool.net
.
elisadolittle
.
Nae8upae
.
As soon as they have configured their 'automatic' login on your server, you can change the password for their account on your server. The password is no longer necessary as they will use their key pair to connect to your server.
/dev/hdd1
which is mounted on
/home/buddies/home
will fill up with data.
If your school, the Exemplum Primary School, starts creating remote
backups on higgins.elisadolittle.org
, their
partition /dev/hdd1
will be filled with data, too.
If you back up the complete directory tree under
/home
, you would also back up their data under
home/buddies/home/elisadolittle/
. This implies that
their backup is in fact stored a third time, on
their buddies disk, under
/home/buddies/home/exemplum/
. This data would then be
backed up one more time, from higgins
to
praeceptor
, etcetera.
In order to prevent this endless loop (which would fill up all
available space in no-time) from happening, you should exclude the directory tree
/home/buddies/home
from your
reoback-files.conf(5)
. Edit the file
/etc/reoback/reoback-files.conf
and add the line that is
emphasised in the illustration below.
|
Obviously, your peers at the Elisa Dolittle School should edit their configuration file in the same way.
NOTICE: You should be aware that a full backup of an average server may take a very long time and quite some bandwidth, even on an above average xDSL-connection. By creating a second instance of the REOBack cronjob, using a different configuration file specifying a well-chosen subset of files to backup, you can at least copy the most important files (school administration database, etc.) to a remote location without saturating the xDSL connection.
An in-depth discussion of the subject can be found in chapter 46 Samba of [Mourani 2002] and in the book Using Samba, 2nd Ed. (see [Ts, Eckstein, Collier-Brown]).
The Samba server has already been automatically configured for a standard ServerAtSchool installation based on the information you provided in section 15. Samba configuration in chapter III. Using the text mode installation program. It is merely a matter of checking the configuration file.
smb.conf(5)
is shown in the
illustration below. Documentation can be found in the man page via
man smb.conf
. Lines of interest are shown emphasised and are
explained below.
|
Explanation:
NET USE H: /HOME
. The actual profile is
stored in a subdirectory with a name that starts with a dot. This
makes the directory more or less 'invisible' for the
average user on the client computer.
NO PASSWORD
(all capitals and a space between
the two words) for that account via Janitor.
[homes]
, defines the exact directory which is
considered to be the home directory of the user. Note that there is an
unusual twist here. The macro %H
resolves to the
fully qualified path to the user's (Linux) home directory,
e.g. /home/userdata/home/users/ffrint
. The parameter
here adds yet another directory level to this path, namely a
subdirectory called H
. This letter was defined in
janitor.conf(5)
earlier. See the discussion of
SMB_HOME
in section 10.1 The main
Janitor configuration file above. The effect of this parameter
path
in combination with logon home
and
logon driver
is that the roaming profile of Freddie
Frinton is stored on the ServerAtSchool server in
/home/userdata/home/users/ffrint/H/.profile
, which is
equivalent to \\SERVER\ffrint\.profile
and
H:\.profile
as seen from the Windows 98 client.
valid user
. Note that there are in fact
user accounts on your server that do not require access
to your Samba shares, e.g. the members of the group 'buddies'.
NOTICE: All Samba shares are defined in such a way that by default both read and write (and search) permissions are granted to both the owner and the group whereas others ('the world') are granted no permissions at all. For regular files this means permissions 0660, for directories this means 0770.
NOTICE: It may sound complex to add yet another level (the subdirectory 'H') to the path that equates to the H: drive as seen from the client. However, there is some method in this madness: the users will eventually associate the letter 'H' with their home directory, i.e. the place where their documents are stored, etc. as seen from the LAN at school. The moment these users access the server at school from their home computer (e.g. via a secure connection using WinSCP), they will always land in their Linux home directory. Almost the only thing they see there is a subdirectory (a 'folder') named 'H' which happens to contain all their documents. It should not be so hard for the users to discover that the H: drive and this H folder are in fact the same thing.
/home/samba/netlogon/LOGON.BAT
. This script is
executed every time a user logs onto Windows Networking on a client
computer. The script is shown below.
|
This script performs the following tasks.
Once this script has been executed on the client computer, the user can refer to various Samba shares using the designated drive letters. The purpose of the drives is as follows.
janitor cdimage
from the command line).
/tmp
on the server.
NOTICE:
By default there is a shared directory (\\SERVER\install) that is
not assigned a drive letter. This share, which is writable
only to the members of the group 'janitors', can be used as a central
place for storing Windows packages that need to be installed,
e.g. OpenOffice.org. If you like, you can add
the line NET USE I: \\SERVER\install
to the LOGON.BAT
script in order to be able to access these installation files using
drive letter I:.
NOTICE: If the virtual CD software package DAEMON Tools is installed on the Windows clients, it is handy to configure DAEMON Tools in such a way that there is only a single virtual CD available. By convention this would be drive letter K:. The DAEMON Tools software can be downloaded via the home page of the DAEMON Tools project which can be found at http://www.daemon-tools.cc.
More information on DAEMON Tools can be found in chapter VI. DAEMON Tools in the ServerAtSchool User Manual.
/etc/giptables.conf
as it is installed by default on the
ServerAtSchool server. By default, access is enabled, but only to and
from interface eth1
, the LAN side of the server. It would
be a bad idea to open the firewall on eth0
for this type
of traffic.
|
NOTICE:
The firewall allows access from an SMB client program on the
server computer to any machine on the LAN
(INTERFACE1_NETBIOS_CLIENT="yes"
). This means
that you would be able to access file shares on client computers (if
they exist), e.g. with smbclient(1)
which is part of the
Samba suite. By the same token the firewall allows you to connect to a
shared printer on a Windows client in the LAN from the server
computer.
In this way you could turn a shared local printer on the LAN into a
system printer that is also accessible from the server. See chapter 10
Printing, section CUPS printers, page 332 of [Ts, Eckstein, Collier-Brown]
for more information.
Before g4u can be used in the ServerAtSchool environment, a few things have to be done:
install
to
connect to the server.
NOTICE: It is not necessary to name this user account
install
because you can specify another user account when
using g4u from a client computer. However, it is very
convenient to use this default name.
The fastest way to add this account to the system is to use
janitor(1)
. Assuming you want to create the account
'install' with password 'cooT9joo', you would issue the command shown
in the illustration below.
|
Explanation:
janitor useradd
-c "Ghost for Unix"
-d /var/lib/g4u
/dev/hdd11
which is mounted at
/var/lib
. By default this partition occupies
about a third of the total disk space for the benefit
of g4u and the large files g4u creates.
-g install
-m -k /usr/share/empty
/usr/share/empty
as a skeleton directory for the new
user account. As its name implies, this directory is empty. This
means that the home directory of the new account will also be
empty, or at least as empty as possible.
-I 255.255.255.255/32
-P 'cooT9joo'
install
NOTICE: It would also have been possible to create the install account via the web interface; that is a matter of choice and convenience.
NOTICE:
No shell has been specified. This means that (by default) this user
will be using /sbin/nologin
. Access via FTP does not
require a real shell. Using nologin(8)
prevents this user
account from logging in either at the console or via ssh(1)
over the network.
NOTICE:
Specifying an empty skeleton directory helps to keep the home
directory clean. However, Janitor still insists on creating a
subdirectory H
. For this account even that is
not necessary. You can safely remove this directory tree with the
command 'rm -r /var/lib/g4u/H'.
vsftpd(8)
, the Very Secure FTP Daemon, is started
automatically in a standard ServerAtSchool configuration.
If this is not the case, the daemon can be started immediately with 'service vsftpd start'. This makes that the FTP server will run until the server is rebooted (or the FTP server is stopped again, e.g. with 'service vsftpd stop').
If you want to make sure the FTP server is started every time the
server is rebooted, you should activate it using
chkconfig(8)
. For the purpose of ServerAtSchool, the
FTP server should be started at least at runlevel 3. By convention it
is also started at runlevels 4 and 5. The correct command would be
'chkconfig --level 345 vsftpd on'. You can check the current settings
via 'chkconfig --list vsftpd'. More information about this FTP server
can be found in chapter 42 vsFTPd of [Mourani 2002].
More or less the same reasoning applies to the DHCP server. This server too should be running by default in a standard ServerAtSchool configuration.
If this is not the case, you should start the DHCP server with 'service dhcpd start'. If you want to make this change permanent (in order to survive a server reboot), you should use 'chkconfig --level 345 dhcpd on'. You can check the settings with 'chkconfig --list --dhcpd'.
The default settings for the DHCP server were discussed in section 5. DHCPD above.
NOTICE: If you start a service manually, e.g. with 'service vsftpd start' and forget to make the changes permanent with 'chkconfig --level 345 vsftpd on', you could be in for a surprise if many months later the server is rebooted for whatever reason. You could easily spend hours wondering why g4u 'suddenly' stopped working.
eth1
. The settings for DHCP
where already discussed in section 5.2 Firewall
considerations above.
The snippet below shows the relevant part for FTP of the firewall
configuration file /etc/giptables.conf
as it is installed
by default on the ServerAtSchool server. Lines of interest are emphasised.
|
By default, the configuration file enables access to the FTP-related
firewall rules with ACCEPT_FTP="yes"
. Access to
the FTP server from the LAN ($NETWORK1
) is granted via
INTERFACE1_FTP_SERVER="yes"
. This is exactly
what is required for g4u.
NOTICE:
If you do not want to use g4u (anymore) you may want to shut down the
FTP server with service vsftpd stop
and close the
firewall by setting variable INTERFACE1_FTP_SERVER
to
"no"
. Do not forget to restart the firewall
with 'service giptables restart' after you have made the changes. The
FTP server can be disabled permanently with the command
chkconfig --level 345 vsftpd off
. You could even remove
it completely from your server with rpm -e vsftpd
.
/home/share/install/goodies/g4u/
. The
file g4u-1.17.fs
(1,474,560 bytes) contains the image
with which you can create a bootable 1.44 MB floppy disk. The file
g4u-1.17.iso
(1,572,864 bytes) contains an ISO-image
which can be used to create a CD-ROM.
The exact procedure for creating a bootable CD-ROM from
g4u-1.17.iso
is beyond the scope of this manual. However,
creating a bootable floppy disk while sitting at the server is
extremely easy, unlike the process of creating such a floppy using
RAWRITE.EXE
on a Windows client.
In order to create a bootable g4u floppy you need to take the following steps.
dd if=/home/share/install/goodies/g4u/g4u-1.17.fs of=/dev/fd0
dd(1)
is done and your bootable
floppy is ready.
NOTICE: Version 1.17 is not the latest version of g4u. This is not an oversight, but a conscious decision. This version is the latest version that still fits on a single floppy disk. Newer versions require two disks, which makes using g4u more complicated. If, however, you want to use the latest and greatest version, perhaps because your client computer's network interface is not supported in 1.17, you can always download it from http://www.feyrer.de/g4u.
NOTICE:
If you are more comfortable at a DOS prompt, you could also use the
RAWRITE.EXE
program to create a bootable floppy
disk. This tool is also available in the 'goodies' directory,
(including documentation and source code); look for
rawrite.*
.
NOTICE:
If you created the g4u boot floppy using dd(1)
,
you might as well repeat the process and also create the 'Autoclave'
diskette that is used in chapter IV. Workstation setup in the ServerAtSchool User Manual. Of course
you need to use a different image file; use
/home/share/install/goodies/autoclave/clave03.img
. If you can
not find the 'Autoclave' image file on the ServerAtSchool server or on
the ServerAtSchool distribution CD, you can download it via
http://staff.washington.edu/jdlarios/autoclave-discontinued/index.html.
Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. It keeps metadata and often requested pages and files (also known as 'hot objects') cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.
An in-depth discussion of Squid can be found in chapter 11 Squid in [Mourani 2002]. More information can be found on the project's home page at http://www.squid-cache.org or in [Wessels]. A full discussion of all the idiosyncrasies of this complex piece of software is beyond the scope of this document. However, a lot of bandwidth can be saved and performance can be gained by using Squid in proxy-caching mode. The remainder of this section is dedicated to that subject.
proxy
, that hostname must be defined via the name
server. We have already manipulated the zone files for
exemplum.serveratschool.net
before, e.g. in section
3.2 Scenario 1 - in-house web server.
You can simply add a line to the file
/chroot/named/var/named/db.exemplum.serveratschool.net
that looks like this:
|
NOTICE: Do not forget to increment the serial number of the zone file before saving the file!
After saving the file, you should restart the name server, e.g. with 'service named restart'. The name 'proxy' should now resolve to IP address 172.17.2.1.
/etc/squid/squid.conf
.
There are a lot of options that can be set in this file. The default
file in ServerAtSchool contains only a small subset of the available parameters.
All the parameters that are not specified (or commented out) will
be used with their well-chosen default values.
The illustration below shows the trimmed-down version of
squid.conf
. Lines of interest and lines that may need to
be added or edited (with vi(1)
or nano(1)
) are
shown emphasised.
|
Explanation:
http_port 172.17.2.1:3128
eth1
, access is limited to the hosts connected to
that interface, i.e. the machines on the LAN, so external hosts have
no access. This is a security measure. The specified port
3128
is the default port for Squid in Proxy-Caching
Mode. Note that this port still has to be opened in the
firewall. This works much the same as the Listen
directive we discussed in section 8.1 Default
Apache configuration in ServerAtSchool above.
cache_mem 128 MB
cache_dir diskd /var/spool/squid 250 16 256
/var/spool/squid
, each of those
with 256 subdirectories. Note that at busy times Squid will exceed the
limit for short periods of time. A rule of the thumb is to use 80%
of your real limit. Also note that the available space on the
/var
partition is limited to 512 MB by default. See
section 14.5 Increasing the size of the cache on
disk below for a way to increase the size of the cache.
acl localnet src 172.17.2.0/255.255.255.0
# http_access allow authenticated
cache_mgr webmaster@exemplum.serveratschool.net
root@localhost
which might lose its meaning on
another host than localhost
.
visible_hostname proxy.exemplum.serveratschool.net
praeceptor.exemplum.serveratschool.net
. Using
the hostname proxy
is perhaps slightly more elegant.
cachemgr_passwd Thohc4fo all
http://proxy.exemplum.serveratschool.net/cgi-bin/cachemgr.cgi
.
Access to the Cache Manager is protected with the password
specified via the cachemgr_passwd
directive, in this case
'Thohc4fo' (without the quotation marks). Do not use this password
verbatim, but choose your own password, as dicussed earlier in
section 2.5 Choosing passwords.
Note that you can disable access to Cache Manager alltogether by
specifying the special password disable
. With
cachemgr_passwd disable all
access to the Cache
Manager is completely blocked.
NOTICE:
The order in which acl
and in particular http_access
directives are specified is important. The acl directives must
be specified first, followed by the http_access directives. The latter will be
evaluated in the order in which they are given. Evaluation of the
http_access directives ends with the first matching directive.
NOTICE: Setting up Squid as a sophisticated tool for controlling access to the world-wide web can be a very complex task. This is illustrated by the fact that there is a book fully dedicated to Squid, see [Wessels].
When you have edited /etc/squid/squid.conf
, you must make
sure that this configuration file has the correct permissions. The
permissions should be no more than 0600 (read and write access for the
file owner) and possibly even as low as 0400 (read-only). The file must be owned
by user root and group root. The file should certainly not be
world-readable because of the plain-text password for the Cache
Manager which is stored in the file.
You may want to use the following commands to adjust permissions.
|
Finally, as always, you should restart Squid for the changes to take effect. You could use the command 'service squid restart' for that purpose.
The snippet below illustrates the relevant part of the firewall
configuration in /etc/giptables.conf
. Lines of interest
are shown emphasised.
NOTICE:
You may find that the 5 lines starting with
INTERFACE1_
are not preconfigured in your
/etc/giptables.conf
. In that case you should add these
lines manually using vi(1)
or nano(1)
.
Please make sure you enter these lines exactly as they are shown here.
|
Explanation:
ACCEPT_SQUID
to
yes
, you enable the SQUID module of the firewall.
INTERFACE1_SQUID_SERVER
to
yes
you allow traffic from the LAN to the internal
interface.
3128
.
NOTICE:
The default port for Squid in HTTPD-accelerator Mode is
8080
. This port is not used in this scenario.
When you have made the changes to the firewall script, you should restart the firewall, e.g. with 'service giptables restart'.
You need to specify two parameters:
proxy.exemplum.serveratschool.net
3128
By configuring the software on the clients this way, the clients will all use the cached files. This will be considerably faster if more than a few users (pupils) access the same web site. It will take only a little time to copy a file from the remote site to the cache the first time the file is accessed. Once that is done, all subsequent requests for the same file will be served from the local server rather than by fetching the file over and over again via the external connection.
If, however, you wish to use Squid as a sophisticated tool for
access control, perhaps blocking specific computers and/or specific
users (pupils) from Internet access, you should close the direct access to the Internet, at
least via port 80 (HTTP). You can do so by editing the firewall
/etc/giptables.conf
and changing the relevant directive:
NETWORK1_HTTP_CLIENT="no"
. Do not forget to
restart the firewall, e.g. with 'service giptables restart' for the
changes to take effect.
After closing this 'direct route' you will want to allow limited
access via the appropriate access control lists ('acl') in
/etc/squid/squid.conf
. Please refer to the project's home
page at http;//www.squid-cache.org or [Wessels] for more information on
this advanced topic.
cache_dir
(discussed in 14.2 Configuration file squid.conf above) you can
limit the amount of disk space used by Squid. The maximum amount of
disk space is limited by the partition size. The standard
ServerAtSchool partitioning scheme allocates 512 MB space to the
partition where Squid stores the cached files. This is obviously a
very hard limit.
If you want to be able to perform other tasks on the
server such as sending and receiving mail via Exim or printing documents via
Cups, you simply cannot have Squid use all the available space, since
Exim uses space on the same partition (in
/var/spool/mail
), as does Cups
(in /var/spool/cups
). Also, the system log files are located
on the same partition (in /var/log
).
If you want to increase the size of the Squid cache, you have no other
option than to move it to another partition. A suitable partition
would be /var/lib
. If you want to increase the size of
the disk-based cache to say 750 MB, you should take the following
steps.
/etc/squid/squid.conf
and
change the line with the cache_dir directive to read cache_dir
diskd /var/lib/squid 750 16 256
(i.e. two changes: the path and
the maximum size).
The disk-based cache has now been moved to the new location.
If you did install the Laptop packages, the following software was installed.
In addition, the following software was installed.
/etc/modules.conf
: if an alias
usb-controller
exists, the hardware was detected. The
image below illustrates this.
If the USB hardware is available, the main system startup script
/etc/rc.d/rc.sysinit
takes care of initialising
the USB subsystem at boot time, even at a fairly early stage. This
means that it is not necessary to configure anything for USB; it
should simply work.
You can verify this by checking the log files. Take the following steps:
tail -f /var/log/messages
.
These steps are illustrated below.
|
You will notice that the USB disk has been registered and that the SCSI subsystem is being used. When you disconnect the USB device, something like the following entry will be added to the log file:
|
As you can see, USB disconnection also works. At this point you can end
the tailing of the log file by pressing [Ctrl-C]
.
NOTICE:
If it appears that the USB subsystem initialisation does not
work as it should, you could try to initialise it manually by executing the
script /etc/hotplug/usb.rc start
. If you discover you
need to do this every time the server is booted, you may want to edit the
file /etc/rc.d/rc.local
and add this command there. The
effect will be that the command will be executed at every boot
time, but in this case as one of the last tasks in the system initialisation
procedure. As an alternative you could try removing the USB device,
waiting a few seconds, and reinserting the USB device in order to get the USB
subsystem to work.
The PCMCIA daemon is started automatically via the script
/etc/rc.d/init.d/pcmcia
. If the startup script does not
detect PCMCIA hardware, the card manager daemon will not be
started. If you happen to have PCMCIA sockets in your server, the
daemon will be activated and will remain in memory to handle PCMCIA inserts and
removals. There is no need to configure anything.
NOTICE:
If your server does not have any PCMCIA hardware, you may want to
remove the PCMCIA software from the server alltogether. You could do
that with the command rpm -e pcmcia-cs
.
/etc/sysconfig/apmd
. Notice that APMD works as a wrapper
around existing software in your system's BIOS. If you do not need the
Advanced Power Management daemon you can remove the software with
rpm -e apmd
.
A USB disk could give you a (large) disk that can be easily plugged in without bringing the server down. It is a convenient route to copy many files from the server to a disk with a high storage capacity that can subsequently be stored somewhere off-site.
A USB key, also known as a USB stick, usually has a somewhat lower
storage capacity. It can be used, however, to store important
information. An example of important information would be the secret
code you use to encrypt your REOBack backups (see the parameter
encryptkey
in /etc/reoback/reoback.conf
in
section 11.2 Checking the default ServerAtSchool
configuration).
If you want to use a USB stick with the server, you should take the following steps.
/mnt/usbstick
. You can do that with the command
mkdir /mnt/usbstick
.
/etc/fstab
like the
following:
|
mount /mnt/usbstick
The USB stick is now mounted, and you can use it to store
important files. Use the command cp /etc/reoback/reoback.conf
/mnt/usbstick
to make a copy of the file with the password
that encrypts your off-site backups.
NOTICE: Even though a USB device is hot-pluggable and you can physically remove the device from the connector at any time, you still have to unmount the device first! This is necessary because the Linux kernel may still have some data in RAM that needs to be written to the device. By unmounting the device you can be certain that all pending data is actually stored on the device. If you simply remove the device, the data may not yet be completely written.
You can unmount the USB stick with umount /mnt/usbstick
.
Once the USB stick is unmounted, you can safely remove it from the
USB connector on the server.
NOTICE: By default only 'root' is allowed to mount and unmount devices. This is a security measure.
NOTICE:
USB storage uses the SCSI subsystem. This explains why the first
partition of the first SCSI disk (/dev/sda1
) is used to
access the USB stick. If your server already has some real SCSI disks,
you may need to use another SCSI device to access your USB stick, such as
/dev/sdb1
or/dev/sdc1
. This depends on the
available hardware.
NOTICE:
It may be necessary to partition your USB device and to put a file
system on it. This can be done the usual way, with
fdisk(8)
and mkfs(8)
. USB keys often come
readily partitioned and formatted with a filesystem of the FAT type.
GIPTables Firewall is a free set of shell scripts that helps you generate iptables rules for Linux 2.4.x and newer kernels. It is very easy to configure and at present, designed to run on hosts with one or two network cards. It doesn't require you to install any additional components to make it work with your GNU/Linux system. All you need to set up a very secure firewall for your GNU/Linux machines is iptables and GIPTables Firewall. An in-depth discussion of the basic firewall concept and the GIPTables Firewall can be found in chapters 9 and 10 in [Mourani 2002]. The home page of the GIPTables Firewall project can be found at http://www.giptables.org.
The default ServerAtSchool installation of the GIPTables Firewall is quite strict. Only the following services or ports are opened, some of them only partially; the rest is simply closed or disabled. This is a security consideration; nothing is allowed unless it is explicitly allowed.
exemplum.serveratschool.net
. (see section 3.4 above).
ssh(1)
are not allowed. Direct
SSH sessions from the LAN to the internet are also not
allowed. You may already have changed these default settings
because of remote maintenance (see section 2.6
above) or because of setting up a backup exchange with another
school (see section 11.4 above).
The details of the configuration of the various GIPTables Firewall modules are discussed in the various sections where the corresponding subsystem is discussed. These details will not be repeated here.
NOTICE: If you change any settings in the firewall, be sure to restart it, using the command 'service giptables restart'.
Sometimes, however, it is necessary to punch a hole through the
firewall for a very specific purpose. These customisations can be done
in a structured way via the file
/etc/rc.d/rc.giptables.custom
. Every time you (re)start
the firewall with 'service giptables restart', the code in
rc.giptables.custom
is executed. Therefore, this is the
natural place for additional non-standard firewall commands.
The example below illustrates how this script can be used to open the
relevant port for a printserver with IP address
172.17.2.11
. This device uses port 9100
for
direct ('raw') access to the printer (see also section 20.1 Setting up a JetDirect network printer with
CUPS). The lines that were added are shown emphasised.
|
In essence, two rules have been added to the firewall. The first one
accepts (-j ACCEPT
) network traffic for a connection (either a NEW
or an
ESTABLISHED
one) from the server (from address
$INTERFACE1_IPADDR
or 172.17.2.1
and ports
$UNPRIV_PORTS
or 1024:65535) to the
printer (via $JETDIRECT_IPADDR
or 172.17.2.11
and at port $JETDIRECT_PORT
or 9100
).
The second rule allows replies from the printer to the server. Note
that the printer is not allowed to initiate a transaction; only
existing connections (--state ESTABLISHED
) are allowed.
More information on iptables can be found on the home page of the
Netfilter project at http://www.netfilter.org. You may
also want to take a look at the manpage of iptables(8)
.
NOTICE:
It is important to make sure that the firewall is correctly configured and that it
stays that way. If you are uncertain about tweaking this customisation
file you are probably better off not touching it at all. All standard
functions have already been dealt with in the regular configuration file
/etc/giptables.conf
.
/etc/rc.d/rc.giptables.custom
as illustrated in the
snippet below.
|
Together, these three lines ensure that every packet that reaches
the end of the firewall is logged in the system log file,
/var/log/messages
.
This enables you to see who is trying to get in from the outside, probing all sorts of exotic and trivial ports on your server. At the same time you will be reassured to know that the firewall is actually working and is blocking everything that is not specifically allowed.
And, even more interesting, you can often see particular machines from the LAN trying desperately to connect to suspect ports on strange IP addresses on the Internet. This is often the case when pupils download programs onto their computers that may appear innocent but turns out to be anything but. Often this is software such as peer-to-peer servers or simply spyware or browser plugins. It is nice to know that the firewall also blocks outgoing traffic if it is not explicitely allowed.
SquirrelMail is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an e-mail client, including strong MIME support, address books, and folder manipulation. The home page of the project can be found at http://www.squirrelmail.org.
NOTICE:
The version of Squirrelmail used in ServerAtSchool has a special patch
which allows for IP-based access control to the webmail
application. The code of this patch is contained in the file
/home/httpd/squirrelmail/serc/janitor-sqm.php
and this
file is included on line 90 in
/home/httpd/squirrelmail/serc/redirect.php
.
/home/httpd/squirrelmail
. It should be configured by
running the menu-based perl script conf.pl
in the directory
/home/httpd/squirrelmail/config/
. Take the following
steps to configure Squirrelmail.
cd /home/httpd/squirrelmail/config/
.
perl conf.pl
.
1
,...,9
(followed by
[Enter]
) to access the submenus to change the various
settings and preferences (see below for a list of options of
interest). Use the R
command (followed by
[Enter]
) to return to the main menu from a submenu.
S
command (followed
by [Enter]
).
Q
command (followed by
[Enter]
).
The image below shows the main menu of the Squirrelmail configuration program.
|
The following options are of interest.
en_US
. You
can change the default language by entering one of the
supported language codes. The codes of the supported languages
can be found in /home/httpd/squrrelmail/locale/
.
false
because the
default IMAP server (BincIMAP) has a problem with server thread
sorting.
false
because the
default IMAP server (BincIMAP) has a problem with server side
sorting.
NOTICE: There are many options not discussed above. You should consult the documentation at http://www.squirrelmail.org/wiki/SquirrelMail or take a look at a list of Frequently Asked Questions regarding installation of Squirrelmail at http://www.squirrelmail.org/wiki/en_US/InstallingSquirrelMail.
NOTICE:
Currently only an English dictionary is installed on the
ServerAtSchool server. This means that using the spelling checker
plugin from Squirrelmail will check against the English dictionary
or will fail because the dictionary for your language is not
installed. The underlying spelling checker is aspell
and
that project's home page is located at http://aspell.sourceforge.net.
This would be a good starting point to look for dictionaries in other
languages.
When you use the S
command, conf.pl
will
save the configuration in the file
/home/httpd/squirrelmail/config/config.php
. If you run
conf.pl
again in the future, it will use the values that
were saved
in this configuration file. You could also edit the configuration file
manually. However, that is not recommended.
After configuration is complete, you can access Squirrelmail via
http://www.exemplum.serveratschool.net/webmail/
if you run your
own web server (see section
3.2 Scenario 1 - in-house web server above) or
http://praeceptor.exemplum.serveratschool.net/webmail/
(if your main website is hosted at your ISP's server as described in
section 3.3 Scenario 2 - web server running at ISP
above).
NOTICE: The local part of the URL ('/webmail/') is configured in the configuration file of the Apache web server, see section 8.1 Default Apache configuration in ServerAtSchool. If you have changed the alias to something else, you should use the changed local part of the URL to access webmail.
http://praeceptor.exemplum.serveratschool.net/webmail/
.
All you need to do is to add the following HTML code to a new page.
|
NOTICE: The only thing you may have to adapt to your situation is the exact name of your web server. This name is shown emphasised in the image above.
Take the following steps.
http://praeceptor.exemplum.serveratschool.net/starnet/
webmaster
account you created in
section 9.5 Creating the administrator user
account above.
[SRC]
button.
[SRC]
button again at this
point, because otherwise the editor will mangle your carefully crafted
HTML code! Instead, save the page without further ado.
At this point you have duplicated the essential fields for Webmail login. If you open your website and go to the first section 'School info', then select the second item on the left hand side, 'Webmail', you will see the following displayed on your screen.
If you (or any of your users) enter the correct name and password, you can open your webmail.
If you also want to integrate the Squirrelmail signout page, you have
to use conf.pl
again. In Menu 1 - Organizational
Preferences, change Option 5 - Signout Page to read
/index.php?page=11§ion=1
so you will be taken
back to the integrated login screen you created rather than the rather
sparse Squirrelmail signout page.
NOTICE:
Remember never to 'touch' this page 11 in the editor again. The editor
is actually quite unforgiving with handmade input forms like the login
screen you just created. If you really have to do something with this
page, it is best to repeat the procedure you did, i.e. copying the
snippet above into the text area after pressing the
[SRC]
button. This is one of the idiosyncrasies of this
particular editor.
Mailman, the GNU Mailing List Manager, is used for managing electronic mail discussion and e-newsletter lists. Mailman is web-integrated, making it easy for users to manage their accounts and for list owners to administer their lists. Mailman supports built-in archiving, automatic bounce processing, content filtering, digest delivery, spam filters, and more. Mailman is free software, distributed under the GNU General Public License. It is written in the Python programming language, with a little bit of C code for security. The name of this software is spelled Mailman with a capital leading M and a lowercase second m. It is incorrect to spell it "MailMan" (i.e. you should not use CamelCase). The home page of this project can be found at http://www.gnu.org/software/mailman.
Before Mailman can be used to create real mailing lists, a few things have to be done first.
mmsitepass
, as
illustrated below. Note that the password, say 'oolaeh0E', is not
echoed to the screen. This is a security consideration.
|
/var/lib/mailman/Mailman/mm_cfg.py
(with
vi(1)
or nano(1)
) and enter the correct
values for the DEFAULT_URL_HOST
and
DEFAULT_EMAIL_HOST
, somewhere around line 72 . Take the
following steps.
/var/lib/mailman/Mailman/mm_cfg.py
for
editing, and move to line 72.
DEFAULT_URL_HOST
from mm_cfg_has_not_been_edited_to_set_host_domains
to www.exemplum.serveratschool.net
(but see notice
below). Make sure the surrounding single quotation marks are not deleted.
DEFAULT_EMAIL_HOST
from mm_cfg_has_not_been_edited_to_set_host_domains
to exemplum.serveratschool.net
. Make sure the
surrounding single quotation marks are not deleted.
nano +72 mm_cfg.py
,
vi +72 mm_cfg.py
.
At this point Mailman knows about the place where users visit the web interface and the domain name that will be used to send messages.
NOTICE:
You can use the name www.exemplum.serveratschool.net
as
value for DEFAULT_URL_HOST
. This tells Mailman that users
will be using URLs like
http://www.exemplum.serveratschool.net/mailman/listinfo
to access the Mailman web interface. If you host your website at your
ISP (see section 3.3 Scenario 2 - web server running at
ISP above), you need to use a name that resolves to your server
rather than the one at your ISP. A suitable name would be
mail.exemplum.serveratschool.net
. In this case you also
need to tell Apache to respond to this (virtual) hostname. See
the discussion of ServerAlias
in section 8.1 Default Apache configuration in ServerAtSchool above.
NOTICE:
The variable DEFAULT_EMAIL_HOST
should match
the settings you used earlier in the configuration of Exim (see section
4.1 Default configuration in ServerAtSchool
above), notably the variable MAINDOMAIN
in the file
/etc/exim
.
As you can see, configuring software like Mailman can be a daunting task because of the interaction with Bind, Exim and Apache.
mm_cfg.py
is configured, the mailing list
mailman
must be created. This mailing list is
used internally by Mailman. Take the following steps to create this
mailing list.
script /tmp/mm.tmp
. This will
record all your input into and (more important) all output from
the next command in a file.
/var/lib/mailman/bin/newlist
. Use
listmaster@exemplum.serveratschool.net
when prompted
for an e-mail address (see notice below).
exit
.
/etc/exim/aliases
as per the instructions of the
newlist
command.
newaliases
in order to rewrite
Exim's aliases database.
service mailman start
.
NOTICE:
When you are prompted for an e-mail address, you could use the address
listmaster@exemplum.serveratschool.net
. This alias for
user ffrint
has already been defined in section
10.4 Adding the first user account above. It is
helpful to use functional e-mail aliases for a
webmaster or a mailing list administrator. If you were to use a
personal alias rather than a functional one, then if
the person in question were to leave the school, you would have
to reconfigure an entire application rather than simply change the mailbox to which
the alias points.
The image below illustrates the procedure. The commands you should enter are shown emphasised. Note that once again you need to enter a password, for example 'ookuoC5u'. The password is not echoed to the screen. This is a security consideration.
|
At this point the Mailman mailing list manager is configured.
NOTICE:
The 10 aliases are the lines between ## mailman mailing
list
and Hit enter to notify mailman owner...
. The
effect of adding these lines to the aliases file is that
messages directed to say mailman-owner
are directed
through a pipe (hence the |
) to a program called
/var/lib/mailman/mail/mailman
with parameters
owner
and mailman
. In effect all messages
that are destined for one of the 10 aliases (from 'mailman' to
'mailman-unsubscribe') are processed by the mailman program, which
eventually deals with the messages, taking the
responsability off Exim. Exim only has to pass on these messages to
mailman rather than deliver the messages to a mailbox.
NOTICE:
Starting the mailman service via 'service mailman start' does not show
the familiar green OK. This is one of the
idiosyncrasies of this particular service. You can check if the
mailman service is running by searching through the process list,
e.g. with ps ax | grep mailman
. This should give you a
list of the processes associated with mailman.
You can create a new mailing list via the web interface at
http://www.exemplum.serveratschool.net/mailman/create
(or
http://mail.exemplum.serveratschool.net/mailman/create
depending on what
you configured in mm_cfg.py
in section
18.2 Customising Mailman above) as illustrated in
the image below.
NOTICE: Some of the available languages have been removed from the list in the image below in order to save space.
Explanation:
teachers
teachers@exemplum.serveratschool.net
.
listmaster@exemplum.serveratschool.net
No
No
Yes
[Create List]
, Mailman will create the
list. The following message will be shown.
The last thing you need to do is to add 10 aliases to the file
/etc/exim/aliases
and run the command
newaliases
again. You have already done this before with
the mailman mailing list in section 18.3 Creating the
mailman mailing list above. The lines to add are shown below.
|
Do not forget to run the command newaliases
after adding
these aliases.
This list of aliases is also sent in a message to the mailman administrator (the one behind the alias 'mailman-owner' created earlier). The mailman administrator should ask the systems administrator to add those 10 aliases to the aliases file. However, in the case of the Exemplum Primary School, both administrators are the same person, namely ffrint.
The difference between these 10 aliases and the 10 aliases that were defined earlier (for the mailman mailing list) only differ in the first and the last word on each line. Here it is 'teacher' where it was 'mailman' in the previous set of aliases. The rest is the same.
The mailing list for teachers can now be managed, members can be
added, additional settings can be configured, etcetera, via
http://www.exemplum.serveratschool.net/mailman/admin/teachers
,
using the password 'Shaevuf5' (without the quotation marks). As a confirmation
of the list creation, Mailman will send the following message to the
list owner.
|
On the ServerAtSchool server, updates of virus definitions are
downloaded on a daily basis by means of a cron job,
/etc/cron.daily/freshclam.cron
. For the daily update to
work correctly, the firewall has to be open, allowing HTTP traffic
originating on the server to reach the outside world. By default this is already
the case (see the discussion in section 8.3 Firewall
considerations above).
NOTICE:
You can see if freshclam.cron
is working as it should by consulting
the log files in /var/log/clamav
. The downloaded virus
definition files are stored in /var/lib/clamav
.
viruscan.sh
) that does just that is shown below.
|
This script uses /usr/bin/clamscan
to scan both
/tmp
and /home/userdata
. If an infected file
is found, it is moved to /var/lib/clamscan
so you can inspect
the file if you want. The results of the scan are sent to root in an
e-mail message. An example of such a message is shown below.
|
You could simply store the script in /etc/cron.daily/viruscan.sh
in
order to have it executed every day. However, if you want to make sure
that you will be scanning with the latest virus definition files, you
should arrange for this script to be
executed after the automatic update
freshclam
has run. You can do this by performing the
following steps.
viruscan.sh
in a good place,
e.g. /usr/sbin/viruscan.sh
.
/etc/cron.daily/freshclam.cron
:/usr/sbin/viruscan.sh
The changed script freshclam.cron
should now look as
illustrated below (changes are emphasised):
|
The effect is that first the freshclam.cron
script will
run /usr/bin/freshclam
, the workhorse program that
fetches the new virus definitions. Once that is done, the
viruscan.sh
is run, using the updated virus
definitions.
If you wish, you may want to verify the correct operation of the virus scanner by creating a special 'test virus'. There is a standard test, developed explicitly for testing antivirus programs. It was developed by the European Institute for Computer Anti-Virus Research (EICAR). You can easily create this test using any text editor. The test file consists of 68 plain ASCII characters as shown below. Note that the 3rd character is a capital 'O' and not the digit '0'.
X
5O
!P
%@
AP
[4
\P
ZX
54
(P
^)
7C
C)
7}
$E
ICAR-STANDARD-ANTIVIRUS-TEST-FILE!$
H+
H*
If you store these 68 characters in a file called EICAR.COM, say in
the directory /tmp
the viruscan.sh
script should
correctly identify it. More information can be found on the EICAR web
site at
http://www.eicar.org/anti_virus_test_file.htm.
Note that this EICAR.COM file in itself is a valid but harmless DOS program. When executed (in a DOS box), it simply displays the text 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!', nothing more.
There are different ways in which a printer can be accessed.
The third option is not discussed because using a parallel or serial printer connected directly to the server is not a very flexible solution, in that the printer has to be located close to the server. It is doubtful that there is sufficient room in the broom closet to accommodate the printer.
The fourth option is more or less the same as the first one. The only difference is that the print server may use a port number other than 9100.
NOTICE: There are more ways to connect a printer but an in-depth treatment is beyond the scope of this guide.
lpadmin(8)
as follows:
|
/etc/cups/printers.conf
.
|
-E
switch used here is equivalent to the following combination of
commands: accept(8)
and enable(8)
. See also
the manual pages (start with man lpadmin
).
At this point the print queue laserprinter
has been
created and is ready to be used. It can subsequently be used to print
documents from the server using the lpr(1)
) command. You
can also access this printer queue from the network using Samba, see
section 20.3 Configuring Samba printing beiow.
NOTICE: The standard HP JetDirect port is 9100 for a single-port printer server. Check the documentation of your print server if you have an external model with 2 or more ports or if your print server is a different make.
This easy recipe works for a printer that understands the PostScript page description language. If you have a printer that uses another language, e.g. an Epson printer, you need to specify the appropriate PPD file, as shown below.
|
Note that in this example the printer also uses a different port (10000 rather than 9100). You would have to open the firewall for this port at the IP address 172.17.2.12. Consult the printer documentation for more information.
NOTICE:
The most commonly used PPD files are already installed on the server, in
the directory /usr/share/cups/model
. You may also find
a suitable PPD file on the driver CD that comes with the printer.
The example below assumes that an HP Deskjet 930C is connected to the
parallel port of computer C34 (IP address 172.17.2.34) which is running
Windows. Furthermore it is assumed that the printer is configured on
computer C34 (i.e. the appropriate driver is installed) and that the
printer is shared with the network under the name HP930C
.
The following things have to be done.
smbspool(8)
program for Cups with: ln -s /usr/bin/smbspool /usr/lib/cups/backend/smb
.
#application/octet-stream
in
/etc/cups/mime.types
(around line 157) in order to
enable 'raw' printing.
#application/octet-stream
application/vnd.cups-raw 0 -
in
/etc/cups/mime.convs
(around line 114) in order to
enable 'raw' printing.
lpadmin -p deskjet -E -v smb://c34/hp930c
lpadmin -p deskjet -E
When you have done this, you can submit print jobs to the queue 'deskjet' in much the same way as you can for 'laserjet' and 'epson' in the previous example. You are in fact using the Windows workstation as a print server for this printer.
More information on the subject can be found in [Ts, Eckstein, Collier-Brown], chapter 10, Printing, section CUPS printers, page 332.
NOTICE:
You can specify a line number on the command line when you start the
editor and then the editor will place the cursor at the correct line after
opening the file. Examples: nano +157 mime.types
or
vi +114 mime.convs
.
The integration between Samba and Cups is fairly tight; you really do
not have to do anything special to get it to work.
If you restarted Samba with 'service smb restart', the print queues
become visible over the network with Samba. After configuring the
correct printer driver on the Windows client computer, you could use
any of these queues for network printing. The exact procedure of
configuring a Windows printer is beyond the scope of this
guide. Hoewever, it might be useful to know that the print queues can
be access (from Windows) using the network addresses
\\SERVER\LASERJET
, \\SERVER\EPSON
, and
\\SERVER\DESKJET
, respectively.
NOTICE:
Of course you can also let other Windows clients access the
printer on computer C34 directly by using the network address
\\C34\HP930C
. The advantage of using CUPS in this case is
that documents will be queued on the server and will print as soon the
computer C34 is switched on. With a direct connection the computer
that is trying to print will not succeed until C34 is switched on.
ntp.isp.net
or time.isp.net
or maybe simply
by providing a dotted decimal IP address.
A default time server is already configured in
/etc/ntp.conf
but as a matter of courtesy, please
change the IP address 195.83.132.135
of the preconfigured
server to that of a time server near you. Do not forget to check if
the firewall is opened for NTP (see section 16. GIPTables above), even though by default the firewall is
opened for traffic originating on the server, as is illustrated
below.
|
If you changed the ntp.conf
configuration file, you
should restart the ntpd daemon with 'service ntpd restart'. If you
changed the firewall configuration, you will need to restart the
firewall too, with 'service giptables restart'.
See also chapter 26 NTP of [Mourani 2002].
NOTICE: by default the firewall does not allow clients on the LAN to access time servers at the Internet. Assuming that the clients are Windows workstations, the time on those machines will already be synchronised by means of the LOGON.BAT script, see section 12.2 Logon script and drive letters above.
/etc/sysconfig/syslog
and add the switch
-r
to the variable SYSLOGD_OPTIONS
. Do not
forget to restart the syslog daemons with 'service syslog
restart'. You can check the log files, e.g. with
tail /var/log/messages
, to see if it works. Look for a
line reading praeceptor syslogd 1.4.1: restart (remote
reception)
.
sudo(8)
to execute a root shell.
The way to do this is to edit the file /etc/sudoers
. You
could add 'ffrint' to the comma-delimited list of
FULLTIME_USERS
. Unless you know exactly what you are
doing, you should edit this file using the visudo(8)
command.
NOTICE:
You may want to remove the default list in FULLTIME_USERS
and replace it with just the name 'ffrint'.
NOTICE:
If you are not comfortable with vi(1)
, you may want to set the
environment variable EDITOR
to nano
before
you start visudo
. If you do so, nano(1)
will be
used to do the actual editing rather than vi(1)
. You may
even want to add the line export EDITOR=/bin/nano
to your
startup script, .bashrc
.
After you have promoted 'ffrint' to be a 'Sudo-er', this account can
be used to escalate privileges. The first time, however, a warning
message will be displayed to make the user aware that this
privilege brings
a lot of power; you can basically do anything on the system, see any
file, remove anything. This can be quite a responsibility. The image
below shows what you see when you use sudo(8)
for the
first time (assuming a connection via SSH from home).
|
NOTICE:
You need to know two passwords to become root this way. In the first place, you need
to know your own password to log into the regular account.
Then, when prompted by sudo(1)
, you need to enter the root password.
See also [Mourani 2002], chapter 17, Sudo.
chkconfig --level 345 tpop3d off
.
If you do wish to use the POP3 server, you should also open
the firewall for POP3 by editing the relevant section in
/etc/giptables.conf
and restarting the firewall with 'service
giptables restart'. The snippet below illustrates the default settings
for POP3 in the firewall. The lines of interest are shown emphasised.
|
Explanation:
ACCEPT_POP3="no"
NETWORK1_POP3_CLIENT="yes"
INTERFACE0_POP3_SERVER="no"
INTERFACE1_POP3_SERVER="no"
autoupdate(8)
is installed. This tool can be
used to automatically download and install newer versions of software
in .RPM-format. Configuration of this tool is done via
/etc/autoupdate.d/autoupdate.conf
. There is a manual page
with more information.
It can be convenient to have the latest and greatest installed automatically and unattended. However, you may run into trouble if an update backfires and leaves the system in an inconsistent and/or inaccessable state.
A nice compromise is to have autoupdate download new RPMs but
without actually updating them. In order for it to do so, you have
to set the line DoUpdate=1
to DoUpdate=0
in
the configuration file.
Now autoupdate(8)
will still check for new RPMs (via
/etc/cron.daily/autoupdate.cron
), and it will also download them
(to /var/spool/autoupdate
), but it will not perform the actual update.
If you decide to upgrade an RPM package, you should use
rpm(8)
. There are many, many options that can be used with
rpm(8)
, see the manual page for an overview. However,
only a few options are essential, namely -i
to install
packages, -U
to update packages, and -e
to
erase (remove) packages. Other useful options are -v
for
verbose messages, and -h
to show hashes '#' to indicate
progress during installation.
The illustration below shows how to upgrade a package using
rpm(8)
. We use unzip
as an example.
|
If you wanted to install a completely new package, say the
eject
package, you would use something like rpm -ivh
eject-0.99-1.i686.rpm
.
NOTICE:
If you tried to update a package with -U
and the package
was not already installed, rpm(8)
is forgiving enough to
continue anyway, pretending you said -i
.
/etc/rc.d/rc.local
.
|
This displays a countdown before the screen is cleared and the login: prompt appears.
/home/share/install/goodies
. Some of them may come in handy when
using client computers running MS Windows (e.g. QRes
(qres-setup1090.exe
) and WinSCP
(winscp376setup.exe
)), others can be used on the server
(bash_profile
, SopPasswd-0.1.tar.gz
). You will also find
copies of images (floppy disk or CD) for ghost for unix (g4u)
and Autoclave.
bu(1)
to create hourly backups of all
files in the directory tree /home/userdata/home/
, which
holds nearly all the user home directories, to
/home/userdata/backhome/
. The bu(1)
program
should be configured using the configuration files in
/etc/janitor/
(see also section 10.2
Other configuration files above). The actual hourly backup (Monday
to Friday, from 08.00 to 18.00 hours) of all user data is done by means of a
cronjob, /etc/cron.hourly/janitor-bu.cron
.
Because the hourly backup also keeps previous versions of files, the directory tree holding the backups will eventually grow to fill all the available disk space. Therefore it is essential for this tree of backup files to be cleaned up periodically. A good time of year to remove superfluous hourly backup files would be directly after all the pupil accounts have been promoted to the next grade and before the new school year begins. The net effect will be that users have backup copies of every version of documents created in the new school year, while at the same time they will have a backup copy of the last version of each document created in the previous school year.
A more or less safe way of cleaning up the hourly backup tree is illustrated below. Your input is shown emphasised. Note that you need to become root to perform this action.
|
Note that rm(1)
can be very destructive,
especially if the wrong directory tree is deleted. The more or less
safe way to perform this action is:
cd(1)
.
pwd(1)
)
to verify that you made no error in the previous step.
rm -r *
.
Once the directory tree under /home/userdata/backhome/
is
deleted, it takes at most 1 hour (Monday to Friday, between 08:00 and
18:00 hours) for another, fresh hourly backup to be created of
all the files under /home/userdata/home
.
If empty disk space on the /home
partition is running low,
you may want to consider emptying the directory tree under
/home/userdata/backhome/
more often than once a year.
The next step is to plug in the network cable of the external connection (see the notice in section 2. Basics at the beginning of this chapter). If is now safe to do so because configuration of the server is now complete.
NOTICE:
At this point it is highly recommended to shut down the server, using
/sbin/shutdown -h now
. There should be no problem
whatsoever at this stage; shutdown should be clean. When is
done, you may even want to switch off the computer entirely before
restarting it. This is the ultimate test of your hard
work. All services should now start without errors (at this point you
should see only green OK's) and everything should then be
working the way it should.
The reason for doing this is to identify potential problems. Suppose that during installation you
switched on a service 'foobar' manually, e.g. with 'service foobar
start'. If you forgot to add this change
permanently with chkconfig(8)
, the service will
fail to start automatically. Now is a good time to find out about this
mistake. If you leave the server on after installation, you could have a hard
time figuring out why the foobar service 'suddenly' stopped working
(and it may be many months from now before you find out).
At this point you have completed the configuration of your own rock-solid, industrial strength, secure server at school.
The next steps you could take might be:
All these activities are beyond the scope of this ServerAtSchool Installation Guide. You may want to continue with the ServerAtSchool User Manual now.
Prev | Home | Next |
IV. Installing optional ServerAtSchool components | Appendix A. Manual disk partitioning |
Author: Peter Fokker <peter (at) berestijn.nl> $Id: configuring.html,v 1.61 2006/04/06 21:06:45 peter Exp $