4/7/2015 Linux Web Server and Domain Configuration Tutorial
http://www.yolinux.com/TUTORIALS/LinuxTutorialWebSiteConfig.html
1/33

Linux Internet Web Server and Domain Configuration Tutorial: How To Create an Apache based Linux website server
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux server configuration required to host a website. The Apache web server, FTP server and DNS configuration are covered. The Apache web server is required to serve the web pages, the FTP server is required for users to upload content and the DNS server is required to resolve the domain names so that a URL entered into a web browser will point to your web server and properly serve the correct pages. The configurations presented will include virtual hosting, which will allow a single Linux server to support multiple website domains.
Tutorial topics:

    # Linux Apache web (httpd) server configuration
    # Linux FTPd server and FTP user accounts
        # vsFTPd and FTP user account configuration
        # wu-FTPd and FTP user account configuration
    # Basic "user account" configuration for maximum security on an Internet based web server
    # Linux DNS (Domain Name Server) configuration using Bind version 8 or 9 (named)
    # Web Server Load Balancing
    # Managing web server daemons (services)
    # Links and Resources

Also see: Web Site Security Tutorial, YoLinux Internet Server Security Tutorial
Web Site Prerequisites:

This tutorial assumes that a computer has Linux installed and running. See Red Hat Installation for the basics. A connection to the internet is also assumed. A connection of 128 Mbits/sec or greater will yield the best results. ISDN, DSL, cable modem or better are all suitable. A 56k modem will work but the results will be mediocre at best. The tasks must also be performed with the root user login and password.

No single distribution seems to have an advantage. A Ubuntu, SuSE, Fedora, Red Hat or CentOS distribution will include all of the software you will need to configure a web server. If using Red Hat Enterprise Linux, both the Workstation and the Server edition will support your needs, except that the Workstation edition will not include the vsFTP package. It will have to be compiled from source, or use sftp instead.
Software Prerequisites: The Apache web server (httpd), FTP (requires xinetd or inetd) and Bind (named) software packages with their dependencies are all required. One can use the rpm command to verify installation:

Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:

    rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd

RPMs added FC2+: system-config-httpd. RPMs added FC3+: httpd-suexec.

Red Hat 9.0:

    rpm -q httpd bind xinetd vsftpd

A Red Hat 8.0 wu-ftpd RPM may be installed (newer version 2.6.2 or later with security fix: wu-ftpd-2.6.2-11) or install from source.

Red Hat 8.0:

    rpm -q httpd bind xinetd wu-ftpd

Red Hat 7.x:

    rpm -q apache bind inetd wu-ftpd

Use wu-ftpd version 2.6.2 or later to avoid security problems.

SuSE 9.3:

    rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils vsftpd

Note: The apache2-MPM is a generic term for the Apache installation options for "Multi-Processing Modules (MPMs)": "prefork" or "worker". If you try and only install apache2 you will get the following error:

    apache2-MPM is needed by apache2-2.0.53-9

Also see Apache.org: MPMs

Ubuntu (natty 11.04)/Debian:

    apt-get install apache2
    apt-get install bind9
    apt-get install vsftpd

Ubuntu (dapper 6.06/hardy 8.04)/Debian:
    apt-get install apache2 apache2-common apache2-mpm-prefork apache2-utils
    apt-get install bind9
    apt-get install vsftpd

One should also have a working knowledge of the Linux init process so that these services are initiated upon system boot. See the YoLinux init process tutorial for more info.
Apache HTTP Web server configuration:

This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0). See the YoLinux list of Linux HTTP servers for a list of other web servers for the Hyper Text Transport Protocol.

The Apache web server configuration file is: /etc/httpd/conf/httpd.conf

Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:

    Linux distribution                                                  Apache web server "DocumentRoot"
    Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5/6, CentOS 4/5/6  /var/www/html/
    Red Hat 6.x and older                                               /home/httpd/html/
    Suse 9.x                                                            /srv/www/htdocs/
    Ubuntu (dapper 6.06)/Debian                                         /var/www/html
    Ubuntu (hardy 8.04/natty 11.04)/Debian                              /var/www

The default home page for the default configuration is index.html. Note the pages should not be owned by user apache, as this is the process owner of the httpd web server daemon. If the web server process is compromised, it should not be allowed to alter the files. The files should of course be readable by that user.

Apache may be configured to run as a host for one web site in this fashion, or it may be configured to serve multiple domains. Serving multiple domains may be achieved in two ways:

    Virtual hosts: One IP address but multiple domains: "Name based" virtual hosting.
    Multiple IP based virtual hosts: One IP address for each domain: "IP based" virtual hosting.

The default configuration will allow one to have multiple user accounts under one domain by using a reference to the user account: http://www.domain.com/~user1/. If no domain is registered or configured, the IP address may also be used: http://XXX.XXX.XXX.XXX/~user1/.

[Potential Pitfall]: The default umask for directory creation is correct by default, but if not use: chmod 755 /home/user1/public_html

[Potential Pitfall]: When creating new "Directory" configuration directives, I found that placing them by the existing "Directory" directives to be a bad idea. It would not use the .htaccess file. This was because the statement defining the use of the .htaccess file was after the "Directory" statement. Previously in RH 6.x the files were separated and the order was defined a little differently. I now place new "Directory" statements near the end of the file, just before the "VirtualHost" statements.

For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.

Files used by Apache:

    Start/stop/restart script:
        Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
        SuSE 9.3: /etc/init.d/apache2
        Ubuntu (dapper 6.06/hardy 8.04/natty 11.04)/Debian: /etc/init.d/apache2
    Apache main configuration file:
        Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
        SuSE: /etc/apache2/httpd.conf (Need to add directive: ServerName hostname)
        Ubuntu (dapper 6.06/hardy 8.04/natty 11.04)/Debian: /etc/apache2/apache2.conf
    Apache supplementary configuration files:
        Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
        SuSE: /etc/apache2/conf.d/component.conf
        Ubuntu (dapper 6.06/hardy 8.04/natty 11.04)/Debian:
            Virtual domains: /etc/apache2/sites-enabled/domain (Create a soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on. Use the command a2ensite.)
            Additional configuration directives: /etc/apache2/conf.d/
            Modules to load: /etc/apache2/mods-available/ (Soft link to /etc/apache2/mods-enabled/ to turn on)
            Ports to listen to: /etc/apache2/ports.conf
    Apache log files:
        Red Hat/Fedora Core: /var/log/httpd/access_log and error_log
        Suse: /var/log/apache2/

Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or status, i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read the configuration files to pick up any changes. To have this script invoked upon system boot issue the command chkconfig --add httpd. See the Linux Init Process Tutorial for a more complete discussion.

Also the Apache control tool: /usr/sbin/apachectl start

Apache Control Command: apachectl:

    Red Hat/Fedora Core/CentOS: apachectl directive
    Ubuntu dapper 6.06/hardy 8.04/natty 11.04/Debian: apachectl (soft link to apache2ctl) or apache2ctl directive
    Directive        Description
    start            Start the Apache httpd daemon. Gives an error if it is already running.
    stop             Stops the Apache httpd daemon.
    graceful         Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted.
    graceful-stop    Gracefully stops the Apache httpd daemon. This differs from a normal restart in that currently open connections are not aborted.
    restart          Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn't die.
    status           Displays a brief status report.
    fullstatus       Displays a full status report from mod_status. Requires mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
    configtest (-t)  Run a configuration file syntax test.

Apache control tool: apachectl man page
Apache Configuration Files:

    /etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file. See the Apache online documentation for the full manual.
    /etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache startup. Used to store application specific configurations.
    /etc/sysconfig/httpd: Holds environment variables used when starting Apache.

Basic settings: Change the default value for ServerName www.

Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those directories necessary. This is done with the "Directory" statement. Start by denying access to everything, then grant access to the necessary directories:

    Deny access completely to the file system root ("/") as the default.
    Deny first, then grant permissions.
    Set the default location of system web pages and allow access (Red Hat/Fedora/CentOS).
    Grant access to a user's web directory: public_html.

Enabling Red Hat/Fedora Linux Apache public_html user directory access:

This will allow users to serve content from their home directories under the subdirectory "/home/userid/public_html/" by accessing the URL http://hostname/~userid/

File: /etc/httpd/conf/httpd.conf. Add a "#" comment to the "UserDir disable" line and uncomment the "UserDir public_html" line:

    LoadModule userdir_module modules/mod_userdir.so
    ...
    ...
    #UserDir disable
    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disable" line above, and uncomment
    # the following line instead:
    UserDir public_html
    ...
    ...
    <Directory /home/*/public_html>
        AllowOverride FileInfo AuthConfig Limit
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        Order allow,deny
        Allow from all
    </Directory>

"Directory" blocks referenced under "Giving Apache access to the file system" above.

Deny access completely to the file system root ("/") as the default:

    <Directory />
        Options None
        AllowOverride None
    </Directory>

Set the default location of system web pages and allow access (Red Hat/Fedora/CentOS):

    DocumentRoot "/var/www/html"
    <Directory "/var/www/html">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

Deny first, then grant permissions:

        Order deny,allow
        Deny from all
Change the Fedora Core default "UserDir disable" to a comment (add "#" at the beginning of the line) and assign the directory public_html as a web server accessible directory. OR assign a single user the specific ability to share their directory:

This allows the specific user "user1" only the ability to serve the directory /home/user1/public_html/

Also use the SELinux command to set the security context: setsebool httpd_enable_homedirs true

Directory permissions: The Apache web server daemon must be able to read your web pages in order to feed their contents to the network. Use an appropriate umask and file protection. Allow access to the web directory: chmod ugo+rx -R public_html. Note that the user's directory also has to have the appropriate permissions as it is the parent of public_html. Default permissions on the user directory:

    ls -l /home
    drwx------ 20 user1 user1 4096 Mar 5 12:16 user1

Allow the web server access to operate the parent directory: chmod ugo+x /home/user1

    drwx--x--x 20 user1 user1 4096 Mar 5 12:16 user1

One may also use groups to control permissions. See the YoLinux tutorial on managing groups.
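As an added example (not from the YoLinux tutorial), the script below audits the permission rules just described for one user's public_html tree: the home directory must be traversable by others (chmod ugo+x), everything under public_html must be world-readable and directories traversable (chmod ugo+rx -R), and nothing may be owned by the web server's process user, since a compromised httpd should not be able to alter the pages. The home directory, the process user name "apache" and the demonstration tree are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit a user's public_html tree
# against the permission rules stated on the page. Mode strings are read from
# "ls -ld" so the checks do not depend on who runs the script (root can read
# anything, so "test -r" would tell us nothing).

# Print the 10-character mode string of a path, e.g. drwx--x--x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Print the owner of a path (third field of "ls -ld")
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# check_public_html HOME WEBUSER
# HOME    = the user's home directory (assumed layout: HOME/public_html)
# WEBUSER = the httpd process user, "apache" on Red Hat/Fedora (assumption)
# Returns 0 if every check passes, 1 otherwise, printing each finding.
check_public_html() {
    home="$1"
    webuser="$2"
    rc=0

    # Parent directory: others need execute ("x", or "t" if sticky) to traverse it.
    m=$(mode_of "$home")
    case $(printf '%s' "$m" | cut -c10) in
        x|t) ;;
        *) echo "FAIL: $home is $m; httpd cannot traverse it (chmod ugo+x $home)"; rc=1 ;;
    esac

    [ -d "$home/public_html" ] || { echo "FAIL: $home/public_html does not exist"; return 1; }

    # Walk the tree. The loop runs in a subshell, so a failure exits it with 1
    # and the "|| rc=1" records that.
    find "$home/public_html" -print | while IFS= read -r path; do
        m=$(mode_of "$path")
        if [ "$(owner_of "$path")" = "$webuser" ]; then
            echo "FAIL: $path is owned by $webuser; a compromised httpd could alter it"
            exit 1
        fi
        r=$(printf '%s' "$m" | cut -c8)    # other-read bit
        x=$(printf '%s' "$m" | cut -c10)   # other-execute bit
        if [ "$r" != "r" ]; then
            echo "FAIL: $path is $m; not world-readable (chmod ugo+rx -R $home/public_html)"
            exit 1
        fi
        if [ -d "$path" ] && [ "$x" != "x" ] && [ "$x" != "t" ]; then
            echo "FAIL: $path is $m; directory not traversable"
            exit 1
        fi
    done || rc=1

    return $rc
}

# Demonstration on a constructed tree (not a real account): first the
# useradd default drwx------ home, then the tutorial's fix.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/user1/public_html"
    echo '<html><body>ok</body></html>' > "$d/user1/public_html/index.html"
    chmod 700 "$d/user1"
    chmod -R ugo+rX "$d/user1/public_html"
    check_public_html "$d/user1" apache || echo "(expected failure above: home is drwx------)"
    chmod ugo+x "$d/user1"
    check_public_html "$d/user1" apache && echo "PASS: $d/user1/public_html is servable by apache"
    rm -rf "$d"
}

demo
```

The owner check compares names as printed by ls, so on a system where httpd runs as "www-data" (Debian/Ubuntu) pass that name instead of "apache".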
Enabling Ubuntu's Apache public_html user directory access:

Ubuntu has broken out the Apache loadable module directives into the directory /etc/apache2/mods-available/. To enable an Apache module, generate soft links to the directory /etc/apache2/mods-enabled/ by using the commands a2enmod/a2dismod to enable/disable Apache modules.

Example:

    [root@node2]# a2enmod

A list of available modules is displayed. Enter "userdir" as the module to enable. Restart Apache with the following command: /etc/init.d/apache2 force-reload

Note: This is the same as manually generating the following two soft links:

    ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf
    ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load

Man page: a2enmod/a2dismod

[Potential Pitfall]: If the Apache web server cannot access the file you will get the error "403 Forbidden" "You don't have permission to access on this server." Note the default permissions on a user directory when first created with "useradd" are:

    drwx------ 3 userx userx

You must allow the web server, running as user "apache", to access the directory if it is to display pages held there. Fix with the command: chmod ugo+rx /home/userx

    drwxr-xr-x 3 userx userx
SELinux security contexts:

Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies and context labels. To view the security context labels applied to your web page files use the command: ls -Z

The system enables/disables SELinux policies in the file /etc/selinux/config. SELinux can be turned off by setting the directive SELINUX (then reboot the system):

    SELINUX=disabled

or by using the command setenforce 0 to temporarily disable SELinux until the next reboot.

When using SELinux security features, the security context labels must be added so that Apache can read your files. The default security context label used is inherited from the directory for newly created files. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory. Move does not create a new file and thus the file does not receive the directory security context label. The context labels used for the default Apache directories can be viewed with the command: ls -Z /var/www. The web directories of users (i.e. public_html) should be set with the appropriate context label (httpd_sys_content_t).
Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html

Options:

    -R: Recursive. Files and directories in the current directory and all subdirectories.
    -h: Affect symbolic links.
    -t: Specify the type of security context.

"Directory" block for the single-user public_html example above:

    <Directory /home/user1/public_html>
        AllowOverride None
        order allow,deny
        allow from all
        Options Indexes Includes FollowSymLinks
    </Directory>
Use the following security contexts:

    Context Type               Description
    httpd_sys_content_t        Used for static web content, i.e. HTML web pages.
    httpd_sys_script_exec_t    Use for executable CGI scripts or binary executables.
    httpd_sys_script_rw_t      CGI is allowed to alter/delete files of this context.
    httpd_sys_script_ra_t      CGI is allowed to read or append files of this context.
    httpd_sys_script_ro_t      CGI is allowed to read files and directories of this context.

Set the following options: setsebool httpd-option true (or set to false)

    Policy                  Description
    httpd_enable_cgi        Allow httpd cgi support.
    httpd_enable_homedirs   Allow httpd to read home directories.
    httpd_ssi_exec          Allow httpd to run SSI executables in the same domain as system CGI scripts.

Then restart Apache:

    Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
    Red Hat/Fedora: service httpd restart

The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans

For more on SELinux see the YoLinux Systems Administration tutorial.
Virtual Hosts:

The Apache web server allows one to configure a single computer to represent multiple web sites as if they were on separate hosts. There are two methods available and we describe the configuration of each. Choose one method for your domain:

    Name based virtual host: (most common) A single computer with a single IP address supporting multiple web domains. The web browser, using the http protocol, identifies the domain being addressed.
    IP based virtual host: The virtual hosts can be configured as a single multi-homed computer with multiple IP addresses on a single network card, with each IP address representing a different web domain. This has the appearance of a web domain supported by a dedicated computer because it has a dedicated IP address.

Configuring a "name based" virtual host:

A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a dedicated Linux server which hosts a single web site.)

    NameVirtualHost XXX.XXX.XXX.XXX

    <VirtualHost XXX.XXX.XXX.XXX>
        # www: CNAME (bind DNS alias www) specified in the Bind configuration file (/var/named/...)
        ServerName www.yourdomain.com
        # Allows requests by domain name without the "www" prefix.
        ServerAlias yourdomain.com
        ServerAdmin user1@yourdomain.com
        DocumentRoot /home/user1/public_html
        ErrorLog logs/yourdomain.com-error_log
        TransferLog logs/yourdomain.com-access_log
    </VirtualHost>

Notes:

You can specify more than one IP address, i.e. if the web server is also being used as a firewall/gateway and you have an external internet IP address as well as a local network IP address.

    NameVirtualHost XXX.XXX.XXX.XXX
    NameVirtualHost 192.168.XXX.XXX
    .....

See the YoLinux Tutorial on configuring a network gateway/firewall using iptables and NAT. Use your IP address for XXX.XXX.XXX.XXX, your actual domain name and email address. One can use DNS views to provide different local network DNS results.

Note that I configure Apache for both requests http://www.domainname.com and http://domainname.com.

Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a virtual domain.

    ... This part remains the same
    ..
    # Default for when no domain name is given (i.e. access by IP address)
    <VirtualHost XXX.XXX.XXX.XXX>
        ServerAdmin user1@yourdomain.com
        DocumentRoot /var/www/html
        ErrorLog logs/error_log
        TransferLog logs/access_log
    </VirtualHost>

    # Add a VirtualHost definition for your domain which was once the system default.
    <VirtualHost XXX.XXX.XXX.XXX>
        ServerName www.yourdomain.com
        ServerAlias yourdomain.com
        ServerAdmin user1@yourdomain.com
        DocumentRoot /var/www/html
        ErrorLog logs/error_log
        TransferLog logs/access_log
    </VirtualHost>
    .....

Forwarding to a primary URL: It is best to avoid the appearance of duplicated web content from two URLs such as http://www.yourdomain.com and http://yourdomain.com. Supply a forwarding Apache "Redirect".

    <VirtualHost XXX.XXX.XXX.XXX>
        # Note that no aliases are listed
        ServerName www.yourdomain.com
        ......
    </VirtualHost>

    # Add a VirtualHost definition to forward to your primary URL
    <VirtualHost XXX.XXX.XXX.XXX>
        ServerName yourdomain.com
        ServerAlias otherdomain.com
        ServerAlias www.otherdomain.com
        Redirect permanent / http://www.yourdomain.com/
    </VirtualHost>
    .....

Note: See the YoLinux.com Apache "Redirect" Tutorial

More virtual host examples:

When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a "NameVirtualHost" for each IP address.

After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu/Debian)
Apache virtual domain configuration with Ubuntu Dapper/Hardy:

Ubuntu separates out each virtual domain into a separate configuration file held in the directory /etc/apache2/sites-available/. When the site domain is to become active, a soft link is created to the directory /etc/apache2/sites-enabled/.

Example: /etc/apache2/sites-available/supercorp

    <VirtualHost *>
        ServerName supercorp.com
        ServerAlias www.supercorp.com
        ServerAdmin webmaster@localhost

        DocumentRoot /home/supercorp/public_html/home
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /home/supercorp/public_html/home>
            Options Indexes FollowSymLinks MultiViews
            IndexOptions SuppressLastModified SuppressDescription
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/
        <Directory "/home/supercorp/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
Enable domain:

Create a soft link:

    Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2/sites-enabled/supercorp
    Use the Ubuntu scripts a2ensite/a2dissite. Type the command and it will prompt you as to which site you would like to enable or disable.

Restart Apache: apache2ctl graceful or /etc/init.d/apache2 restart or /etc/init.d/apache2 reload

Also note that Apache modules can also be enabled/disabled with the scripts a2enmod/a2dismod.

Man pages:

    a2ensite/a2dissite (Ubuntu: Apache2 enable/disable site)
    apache2ctl

Configuring an "IP based" virtual host:

One may assign multiple IP addresses to a single network interface. See the YoLinux networking tutorial: Network Aliasing. Each IP address may then be its own virtual server and individual domain. The downside of the "IP based" virtual host method is that you have to possess multiple/extra IP addresses. This usually costs more. The standard name based virtual hosting method above is more popular for this reason.

    # "*" indicates all IP addresses
    NameVirtualHost *

    <VirtualHost *>
        ServerAdmin user0@yourdomain.com
        DocumentRoot /home/user0/public_html
    </VirtualHost>

    <VirtualHost XXX.XXX.XXX.XX1>
        ServerAdmin user1@yourdomain.com
        DocumentRoot /home/user1/public_html
    </VirtualHost>

    <VirtualHost XXX.XXX.XXX.XX2>
        ServerAdmin user2@yourdomain.com
        DocumentRoot /home/user2/public_html
    </VirtualHost>

The default block will be used as the default for all IP addresses not specified explicitly. This default IP (*) may not work for URLs.

CGI: (Common Gateway Interface)

CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by either of two configuration file directives:

    ScriptAlias:
        Red Hat 7.x-9, Fedora Core: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
        Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
        Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
        Ubuntu (dapper/hardy/natty)/Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"

    or Options +ExecCGI:

        Options +ExecCGI

The executable program files must have execute privileges, executable by the process owner that the httpd daemon is being run as (Red Hat 7+/Fedora Core: apache. Older versions use nobody).

Configuring CGI To Run With User Privileges:

The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.
Continuation of the /etc/apache2/sites-available/supercorp example above:

            Allow from all
        </Directory>

        ErrorLog /var/log/apache2/supercorp.com-error.log

        # Possible values include: debug, info, notice, warn, error,
        # crit, alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/supercorp.com-access.log combined
        ServerSignature On
    </VirtualHost>
suEXEC virtual host example (this block belongs with "Configuring CGI To Run With User Privileges" above):

    NameVirtualHost XXX.XXX.XXX.XXX

    <VirtualHost XXX.XXX.XXX.XXX>
        ServerName node1.yourdomain.com
        # Allows requests by domain name without the "www" prefix, and by the
        # www CNAME (alias www) specified in the Bind configuration file (/var/named/...)
        ServerAlias yourdomain.com www.yourdomain.com
        ServerAdmin user1@yourdomain.com
        DocumentRoot /home/user1/public_html/yourdomain.com
        ErrorLog logs/yourdomain.com-error_log
        TransferLog logs/yourdomain.com-access_log
        SuexecUserGroup user1 user1
        Options +ExecCGI +Indexes
        AddHandler cgi-script .cgi
    </VirtualHost>
ERROR Pages:

You can specify your own web pages instead of the default Apache error pages:

    ErrorDocument 404 /Error404missing.html

Create the file Error404missing.html in your "DocumentRoot" directory.

Handle all errors with a forwarding page:

    ErrorDocument 400 /error.shtml
    ErrorDocument 401 /error.shtml
    ErrorDocument 403 /error.shtml
    ErrorDocument 404 /error.shtml
    ErrorDocument 500 /error.shtml

Sample file error.shtml (in your "DocumentRoot" directory); the page text reads:

    Page not found!

PHP:

If the appropriate php, perl and httpd RPMs are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM Packages (RHEL4):

    php: HTML-embedded scripting language
    php-pear: PEAR is a framework and distribution system for reusable PHP components.
    php-mysql: MySQL database support.
    php-ldap: Lightweight Directory Access Protocol (LDAP) support

Apache configuration:

Add the php default page index.php to the apache config file: /etc/httpd/conf/httpd.conf

    ...
    DirectoryIndex index.html index.htm index.php
    ...

PHP Configuration File:

    RHEL4 PHP 4.3: /etc/php.ini
    Ubuntu Dapper 6.06/6.11: /etc/php5/apache2/php.ini

    [PHP]
    engine = On
    ...
    ...
    display_errors = Off
    include_path = ".:/php/includes"
    ...
    ...
    memory_limit = 32M        ; Default is typically 8MB which is too low.
    ...
    ...
    [MySQL]
    ...
    ...
    mysql.default_host = superserver    ; Hostname of the computer
    mysql.default_user = dbuser
    ...

Only a small portion of the file is shown. Note that changes will not take effect until the apache web server daemon is restarted.

Test your PHP capabilities with this test file: /home/user1/public_html/test.php

OR (older format)

Test: http://localhost/~user1/test.php

For more info see the YoLinux list of PHP information web sites.

Running Multiple instances of httpd:

The Apache web server daemon (httpd) can be started with the command line option "-f" to specify a unique configuration file for each instance. Use a unique IP address for each instance of Apache. See the YoLinux Networking Tutorial to specify multiple IP addresses for one NIC (Network Interface Card). Use the Apache configuration file directive Listen XXX.XXX.XXX.XXX, where the IP address is unique for each instance of Apache.

Apache Man Pages:

    httpd: Apache Hypertext Transfer Protocol Server
    apachectl: Apache HTTP Server Control Interface
    ab: Apache HTTP server benchmarking tool
    htdigest: manage user files for digest authentication
    htpasswd: Manage user files for basic authentication
    logresolve: Resolve IP addresses to hostnames in Apache log files
    rotatelogs: Piped logging program to rotate Apache logs

Also see the local online Apache configuration manual: http://localhost/manual/.

Apache Red Hat/Fedora Core GUI configuration:

GUI configuration tool:

    Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-httpd
    Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd

Adding web site login and password protection: See the YoLinux tutorial on web site password protection.

Log file analysis:

Scanning the Apache web log files will not provide meaningful statistics unless they are graphed or presented in an easy to read fashion. The following packages do a good job of presenting site statistics.
    Analog (also see Report Magic for Analog)
    Webalizer
    AWStats (requires PERL)

Web site statistic services:

    eXTReMe Tracking

Load testing your server:

    PureLoad: JAVA load testing and reporting tool.
    Web Performance Trainer: Load Testing Tools.

Apache Links:

    CgiWrap: setuid wrapper that allows users to install and execute their own cgi scripts, which get executed as their own user id
    WWWThreads.org: Commercial product, Advanced Web Conferencing Software

Configuring https (mod_ssl):

    Mod_SSL.org: Home Page
    Mod_SSL.org: Mod_SSL HowTo
    Mod_SSL.org: Steps to create an SSL server certificate

Log file analysis using Analog:

Installation:

    Red Hat/Fedora: yum install analog
    Ubuntu/Debian: apt-get install analog

Installation packages are also available from the Analog downloads page.

Configuration file: /etc/analog.cfg

    LOGFILE /var/log/httpd/yourdomain.com-access_log* http://www.yourdomain.com
    UNCOMPRESS *.gz,*.Z "gzip -cd"
    SUBTYPE *.gz,*.Z
    #OUTFILE /home/user1/public_html/analog/Report.html
    #HOSTNAME "YourDomain.com"
    HOSTURL http://www.yourdomain.com
    ....
    ...
    ..
    REQINCLUDE pages        # Request page stats only
    ALL ON
    LANGUAGE US-ENGLISH

One can view the settings which will be used with your configuration file (also good for debugging): analog -settings

Make the Analog images available to the user's report: ln -s /usr/share/analog/images/* /home/user1/public_html/analog

Log file location:

    Red Hat/Fedora: /var/log/httpd/
    Ubuntu/Debian: /var/log/apache2/

The directive ALL ON turns on all of the following:

    Analog Directive   Description
    MONTHLY ON         one line for each month
    WEEKLY ON          one line for each week
    DAILYREP ON        one line for each day
    DAILYSUM ON        one line for each day of the week
    HOURLYREP ON       one line for each hour of the day
    GENERAL ON         the General Summary at the top
    REQUEST ON         which files were requested
    FAILURE ON         which files were not found
    DIRECTORY ON       Directory Report
    HOST ON            which computers requested files
    ORGANISATION ON    which organisations they were from
    DOMAIN ON          which countries they were in
    REFERRER ON        where people followed links from
    FAILREF ON         where people followed broken links from
    SEARCHQUERY ON     the phrases and words they used...
    SEARCHWORD ON      ...to find you from search engines
    BROWSERSUM ON      which browser types people were using
    OSREP ON           and which operating systems
    FILETYPE ON        types of file requested
    SIZE ON            sizes of files requested
    STATUS ON          number of each type of success and failure

Cron job to handle multiple domains: /etc/cron.daily/analog

    #!/bin/sh
    # Run Analog once per domain: each domain keeps its own configuration,
    # which is copied into place as /etc/analog.cfg before each run.
    cp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg
    /usr/bin/analog
    cp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg
    /usr/bin/analog
    ...

Links:

    Analog home page
    Analog command reference

Measuring Web Server Performance:

See the YoLinux.com web server benchmarking tutorial.

FTPd and FTP user account configuration:

Many FTP programs exist. This example covers the popular vsftpd (Red Hat 9.0 default, Fedora Core, Suse) and the wu-ftpd (Washington University) program which comes standard with Red Hat (last shipped with Red Hat 8.0 but can be installed on any Linux system). (RPM: wu-ftpd) There are other FTP programs including proFtpd (supports LDAP authentication, Apache-like directives, full featured ftp server software), bftpd, pure-ftpd (freeBSD and optional on Suse), etc...

For hostile environments set up a chrooted environment for an sftp encrypted connection and the rssh restricted shell for OpenSSH. See the YoLinux.com internet security tutorial for Linux sftp and rssh configuration.

Also see the preferred chrooted sftp configuration for OpenSSH 4.9+.

FTPd and SELinux: To allow FTPd daemon access and FTP access to users' home directories:

    setsebool -P allow_ftpd_full_access=1

Otherwise you will get an error in /var/log/messages: "SELinux is preventing the ftp daemon from writing files outside the home directory (./public_html)."

    setsebool -P ftp_home_dir 1

Follow with the command: service vsftpd restart

FTPd configuration tutorials:

    # vsFTPd: Configuration
    # WU-FTPd: Configuration
    # FTP Clients: Links

vsFTPd and FTP user account configuration:

The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by Suse and OpenBSD as well. This is currently the recommended FTP daemon for use on FTP servers.

Enable vsftpd:

    Red Hat/Fedora Core/CentOS: vsFTPd is a standalone service and, by the default Fedora Core installation, not controlled by xinetd as is the wu-ftpd default installation. Thus start the service: service vsftpd start (or: /etc/init.d/vsftpd start). Configure vsftpd to start upon system boot: chkconfig --add vsftpd
    SuSE: By default, vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change disable = yes to disable = no. Restart the xinetd daemon: /etc/init.d/xinetd restart. Note: vsftpd can also be run as a standalone service to achieve a faster response time.
    Ubuntu (dapper/hardy/natty)/Debian: Install: apt-get install vsftpd. vsFTPd is a standalone service.
        Start: /etc/init.d/vsftpd start
        Stop: /etc/init.d/vsftpd stop
        Restart: /etc/init.d/vsftpd restart (Use this command after making configuration file changes)

For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the Linux init process and service activation.

Configuration files:

vsFTPd configuration file:

    Fedora Core/Red Hat: /etc/vsftpd/vsftpd.conf
    S.u.S.E./Ubuntu (dapper/hardy/natty)/Debian: /etc/vsftpd.conf

Default for Fedora Core 3 (the explanatory notes are given as separate comment lines, since vsftpd does not accept a comment after a directive):

    # Anonymous FTP allowed by default if you comment this out. Default directory used: /var/ftp
    anonymous_enable=YES
    # Uncomment this to allow local users to log in with FTP.
    # Must also set the SELinux boolean: setsebool -P ftp_home_dir 1
    local_enable=YES
    # Uncomment this to enable any form of FTP write or upload command.
    write_enable=YES
    # Default is 077. Umask 022 is used by most other ftpd's.
    local_umask=022
    # Uncomment to allow the anonymous FTP user to upload files. Requires the above
    # global write enabled. The directory must also be writable by the user.
    #anon_upload_enable=YES
    # Uncomment this to allow the anonymous FTP user to be able to create new directories.
    #anon_mkdir_write_enable=YES
    # Activate directory messages: messages given to remote users when they enter certain directories.
    dirmessage_enable=YES
    # Activate logging of uploads/downloads.
    xferlog_enable=YES
    # PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    # Uploaded anonymous files set to a specified owner (not root).
    #chown_uploads=YES
    #chown_username=whoever
    # Specify the log file explicitly. Default is /var/log/vsftpd.log
    #xferlog_file=/var/log/vsftpd.log
    # Output to the log file in standard ftpd xferlog format.
    xferlog_std_format=YES
    # Set the time-out for an idle session.
    #idle_session_timeout=600
    # Set the time-out for an idle data connection (port 20).
    #data_connection_timeout=120
    # Run the ftp server as an isolated and unprivileged user.
    #nopriv_user=ftpsecure
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it may confuse older FTP clients.
    #async_abor_enable=YES
    # Improve performance by disabling ASCII mode. Disables the commands "ascii" and "SIZE /big/file".
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    # Customize the login banner string.
    #ftpd_banner=Welcome to YoLinux
    # Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.
    #deny_email_enable=YES
    # (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)
    #banned_email_file=/etc/vsftpd.banned_emails
    # List users chroot()'d to their home directory. If "NO", list users not chroot()'d.
    #chroot_list_enable=YES
    # (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)
    #chroot_list_file=/etc/vsftpd.chroot_list
    # Allow the "ls -R" recursive directory list. Default is disabled.
    ls_recurse_enable=YES
    pam_service_name=vsftpd
    # (Ubuntu default) Deny users specified in the file /etc/vsftpd.user_list.
    # If "userlist_enable=NO" then allow the specified users. Red Hat: /etc/vsftpd/user_list
    userlist_enable=YES
    # Enable for standalone mode as opposed to an xinetd service.
    # Must set the SELinux boolean: setsebool -P ftpd_is_daemon 1
    listen=YES
    tcp_wrappers=YES

Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)

[Potential Pitfall]: vsftpd does NOT support comments on the same line as a directive, i.e.:

    directive=XXX # comment

vsftpd.conf man page
Specifylistoflocaluserschrootedtotheirhomedirectories:RedHat:/etc/vsftpd/vsftpd/chroot_listUbuntu:/etc/vsftpd/vsftpd.chroot_list
(Requires:chroot_list_enable=NO)
user1
    user2
    ...
    usern

If userlist_enable=YES, then specify users not to be chroot'd.

Specify list of users: Red Hat: /etc/vsftpd/user_list, Ubuntu: /etc/vsftpd.user_list
(Deny list of users requires: userlist_enable=YES) Also see PAM configuration below.

    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    ...

If userlist_enable=NO, then specify valid users.

PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd

    #%PAM-1.0
    auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_shells.so
    account    required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth

This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Specify the user in both files as PAM is independent of the vsftpd configuration.

PAM authentication configuration file: ftpusers   Red Hat: /etc/vsftpd/ftpusers   Ubuntu: /etc/vsftpd.ftpusers

    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    ...
    user6        Users to deny
    user8
    ...
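The PAM stack above decides an FTP login before vsftpd ever sees it: pam_listfile.so denies any user named in the ftpusers file, and pam_shells.so denies any user whose login shell is not listed in /etc/shells (which is why the "ftponly" shell described later in this tutorial has to be added to /etc/shells). The following shell script is an added example, not code from the YoLinux tutorial or from PAM; it re-enacts those two modules on constructed copies of the three files so the outcome of the two "required" checks can be seen for several accounts. Note what onerr=succeed means in practice: if the deny file is missing or unreadable, pam_listfile lets everyone through to the next module.

```shell
#!/bin/sh
# Added example (not from the YoLinux page or from PAM): re-enact
#   auth required pam_listfile.so item=user sense=deny file=... onerr=succeed
#   auth required pam_shells.so
# on constructed input files. All file contents below are made up for the demo.

# pam_listfile with item=user sense=deny: return 1 (deny) if USER is listed in FILE.
# onerr=succeed: an unreadable or missing FILE makes the module pass, so the
# deny list silently stops working if the file is lost.
pam_listfile_deny() {
    _user=$1; _file=$2
    [ -r "$_file" ] || return 0
    grep -qxF "$_user" "$_file" && return 1
    return 0
}

# pam_shells: pass only if the user's login shell (7th passwd field) is listed in
# the shells file. /bin/false is typically NOT in /etc/shells, hence the Ubuntu pitfall.
pam_shells() {
    _user=$1; _passwd=$2; _shells=$3
    _shell=$(awk -F: -v u="$_user" '$1 == u { print $7 }' "$_passwd")
    [ -n "$_shell" ] || return 1
    grep -qxF "$_shell" "$_shells"
}

# ftp_login_allowed USER DENYFILE PASSWD SHELLS: both modules are "required",
# so the login succeeds only when both pass.
ftp_login_allowed() {
    pam_listfile_deny "$1" "$2" && pam_shells "$1" "$3" "$4"
}

# Constructed sample files (not a real system's files).
_d=$(mktemp -d)
printf '%s\n' root bin daemon user6 > "$_d/ftpusers"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'user1:x:502:503::/home/user1:/opt/bin/ftponly' \
              'user6:x:506:506::/home/user6:/bin/bash' \
              'user7:x:507:507::/home/user7:/bin/false' > "$_d/passwd"
printf '%s\n' /bin/bash /bin/tcsh /bin/csh /opt/bin/ftponly > "$_d/shells"

for _u in root user1 user6 user7; do
    if ftp_login_allowed "$_u" "$_d/ftpusers" "$_d/passwd" "$_d/shells"; then
        echo "$_u: allowed"
    else
        echo "$_u: denied"
    fi
done
rm -rf "$_d"
```

With the sample files, root and user6 are denied by the list, user1 passes (its shell /opt/bin/ftponly is in the shells file), and user7 is denied because /bin/false is not a listed shell. Deleting the deny file and re-running shows user6 getting through, which is the onerr=succeed behaviour to keep in mind when that file is managed by hand.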
Logrotate configuration file: /etc/logrotate.d/vsftpd.log

    /var/log/xferlog {
        # ftpd doesn't handle SIGHUP properly
        nocompress
        missingok
    }

Sample vsFTPd configurations:

Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf

    # Access rights
    # Turn on anonymous FTP
    anonymous_enable=YES
    # Uploaded files owned by an assigned user
    chown_uploads=YES
    # Uploaded files owned by this assigned user
    chown_username=ftp
    local_enable=NO
    # No upload of files / system changes allowed
    write_enable=NO
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO
    # Security
    anon_world_readable_only=YES
    connect_from_port_20=YES
    force_dot_files=NO
    guest_enable=NO
    hide_ids=YES
    pasv_min_port=50000
    pasv_max_port=60000
    # Features
    xferlog_enable=YES
    ls_recurse_enable=NO
    ascii_download_enable=NO
    async_abor_enable=YES
    # Performance
    one_process_model=NO
    idle_session_timeout=120
    data_connection_timeout=300
    accept_timeout=60
    connect_timeout=60
    max_per_ip=4
    anon_max_rate=50000
    pam_service_name=vsftpd
    userlist_enable=YES
    # enable for standalone mode
    listen=YES
    tcp_wrappers=YES

Anonymous logins use the login name "anonymous" and then the user supplies their e-mail address as a password. Any password will be accepted. Used to allow the public to download files from an ftp server. Generally, no upload is permitted.

Web hosting configuration: /etc/vsftpd/vsftpd.conf

    # Access rights
    anonymous_enable=NO
    # Allow users to ftp to their home directories
    local_enable=YES
    # Allow users to STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE
    write_enable=YES
    local_umask=022
    # Security
    connect_from_port_20=YES
    force_dot_files=NO
    # Don't remap username
    guest_enable=NO
    # Customize the login banner string.
    ftpd_banner=Welcome to Super Duper Hosting
    # Limit user to browse their own directory only
    chroot_local_user=YES
    # Enable list of system/power users
    chroot_list_enable=YES
    # Actual list of system/power users
    chroot_list_file=/etc/vsftpd.chroot_list
    hide_ids=YES
    pasv_min_port=50000
    pasv_max_port=60000
    # Features
    xferlog_enable=YES
    ls_recurse_enable=NO
    ascii_download_enable=NO
    async_abor_enable=YES
    # Message greeting held in file .message or specify with message_file=...
    dirmessage_enable=YES
    # Performance
    one_process_model=NO
    idle_session_timeout=120
    data_connection_timeout=300
    accept_timeout=60
    connect_timeout=60
    max_per_ip=4
    #
    pam_service_name=vsftpd
    userlist_enable=YES
    # enable for standalone mode
    listen=YES
    tcp_wrappers=YES

Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list (Ubuntu typically: /etc/vsftpd.chroot_list)
(Requires: chroot_list_enable=NO)

    user1
    user2
    ...
    usern

If userlist_enable=YES, then specify users not to be chroot'd.

[Potential Pitfall]: Misspelling a directive will cause vsftpd to fail with little warning.
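Both pitfalls (an inline comment silently becoming part of a value, and a misspelled directive stopping the daemon) can be caught before restarting the service. The script below is an added example, not part of the YoLinux tutorial or of vsftpd; it lints a vsftpd.conf line by line. The directive allow-list it checks against is only the set of directives that appear in this tutorial, not the complete vsftpd directive set, so on a real file add any further directives you use to KNOWN_DIRECTIVES before trusting an "unknown directive" finding.

```shell
#!/bin/sh
# Added example (not from the YoLinux page or from vsftpd): lint a vsftpd.conf
# for inline comments and unknown directive names.
# Assumption: KNOWN_DIRECTIVES lists only the directives shown in this tutorial.

KNOWN_DIRECTIVES="anonymous_enable local_enable write_enable local_umask
anon_upload_enable anon_mkdir_write_enable anon_other_write_enable
anon_world_readable_only dirmessage_enable xferlog_enable connect_from_port_20
chown_uploads chown_username xferlog_file xferlog_std_format idle_session_timeout
data_connection_timeout nopriv_user async_abor_enable ascii_upload_enable
ascii_download_enable ftpd_banner deny_email_enable banned_email_file
chroot_list_enable chroot_list_file chroot_local_user ls_recurse_enable
pam_service_name userlist_enable listen tcp_wrappers pasv_min_port pasv_max_port
hide_ids force_dot_files guest_enable one_process_model max_per_ip anon_max_rate
accept_timeout connect_timeout message_file"

# lint_vsftpd_conf FILE: prints "LINE: problem" per finding; returns 1 if any.
lint_vsftpd_conf() {
    _file=$1
    _problems=0
    _n=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        # blank lines and whole-line comments are valid
        case "$_line" in
            ''|'#'*) continue ;;
        esac
        # everything else must be directive=value
        case "$_line" in
            *=*) ;;
            *) echo "$_n: not a directive=value line: $_line"
               _problems=$((_problems + 1)); continue ;;
        esac
        _name=${_line%%=*}
        _value=${_line#*=}
        # pitfall 1: vsftpd keeps '#' and everything after it as part of the value
        case "$_value" in
            *'#'*) echo "$_n: inline comment becomes part of the value: $_line"
                   _problems=$((_problems + 1)) ;;
        esac
        # pitfall 2: an unknown (misspelled) directive makes vsftpd refuse to start
        _found=0
        for _k in $KNOWN_DIRECTIVES; do
            [ "$_k" = "$_name" ] && { _found=1; break; }
        done
        [ "$_found" -eq 1 ] || {
            echo "$_n: unknown directive '$_name' (misspelled?)"
            _problems=$((_problems + 1))
        }
    done < "$_file"
    [ "$_problems" -eq 0 ]
}

# Constructed sample config (not a real server's file): two findings expected.
_demo=$(mktemp)
printf '%s\n' 'anonymous_enable=NO' \
              'local_enable=YES  # allow local users' \
              'write_enabled=YES' \
              'listen=YES' > "$_demo"
lint_vsftpd_conf "$_demo" || echo "fix the lines above before: service vsftpd restart"
rm -f "$_demo"
```

Run it as `lint_vsftpd_conf /etc/vsftpd/vsftpd.conf` (or the Ubuntu path) after every edit; a zero exit status means no inline comments and no directive names outside the list.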
File: .message

    A NOTE TO USERS UPLOADING FILES: File names may consist of letters (a-z, A-Z), numbers (0-9), an underscore ("_"), dash ("-") or period (".") only. The file name may not begin with a period or dash.

Test if vsftp is listening: netstat -a | grep ftp
    [root]# netstat -a | grep ftp
    tcp        0      0 *:ftp                   *:*                     LISTEN

Links:

    vsFTPd Home Page
    Sample configurations
    vsftp.conf Man page

WU-FTPd and FTP user account configuration:

The wu-ftpd FTP server can be downloaded (binary or source) from http://www.wfms.org/wuftpd/ (at one time: http://wuftpd.org).

There are three kinds of FTP logins that wu-ftpd provides:

    anonymous FTP: one logs in with the username 'anonymous'.
    real FTP: login with a real username and password, and has access to the entire disk structure.
    guest FTP: one logs in with a real username and password, but the user is chroot'ed to his home directory and cannot escape from it. They are constrained to their home directory which also means that they don't have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be set up.

This tutorial covers "guest" FTP configuration.

The file /etc/ftpaccess controls the configuration of ftp.

    # Don't allow system accounts to log in over ftp
    deny-uid %-99 %65534-
    deny-gid %-99 %65534-

    class all real,guest *
    email [email protected]

    readme  README*  login
    readme  README*  cwd=*
    message /welcome.msg  login
    message .message      cwd=*

    compress  yes  all
    tar       yes  all
    chmod     no   guest,anonymous
    delete    no   anonymous   # delete files permission?
    overwrite no   anonymous   # overwrite files permission?
    rename    no   anonymous   # rename files permission?
    delete    yes  guest       # delete files permission?
    overwrite yes  guest       # overwrite files permission?
    rename    yes  guest       # rename files permission?
    umask     no   guest       # umask permission?

    log transfers anonymous,real inbound,outbound

    shutdown /etc/shutmsg

    passwd-check rfc822 warn

    # Must also create message file /etc/pathmsg of the guest directory.
    # In this case it refers to /home/user1/public_html/etc/pathmsg.
    path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
    limit all 2
    # Do not allow users to download files of these names
    noretrieve passwd .htaccess core
    limit-time * 20
    # Limit file size
    byte-limit in 5000
    # System user default categorized as a "guest". A "real" user can roam the system. Guest user is chrooted.
    guestuser *
    # Assign real user privileges to members of groups "regularuserx" and "regularusery".
    # Visibility of the whole file system and subject to regular UNIX file permissions.
    realgroup regularuserx regularusery
    # Assign real user privileges to userid "user4".
    realuser user4

    # Restricts FTP to the specified directories
    restricted-uid user1 user2 user3
    guest-root /home/user1/public_html user1
    guest-root /home/user2/public_html user2
    guest-root /home/user3/public_html user3

Note:

user1, user2 and user3 refer to login accounts. Use the appropriate login name. The above configuration disables anonymous FTP, which allows anyone to perform an FTP login with the id anonymous and an e-mail address as a password. To enable anonymous FTP, change the class directive to:

    class all real,guest,anonymous *

GUI FTP configuration tools: /usr/bin/kwuftpd, /sbin/linuxconf
(Note: Linuxconf is no longer included with Red Hat 7.3 and later.) Red Hat Linux assigns users a user id and group id which is the same. This means that it does not matter if you use a real user or real group; they will act the same. Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections. Thus xinetd must be running and configured to support ftp. The configuration file is /etc/xinetd.d/wu-ftpd. The command chkconfig wu-ftpd on will make the ftp server available. See xinet configuration info. Allow override of deny-uid and/or deny-gid:

    allow-uid user-to-allow
    allow-gid group-to-allow

Optional configuration: Create a group ftpchroot. Add users to this group. Use directive: guestgroup ftpchroot

[Potential Pitfall]: Flaky ftp behavior, timeouts, etc.?? FTP works best with name resolution of the computer it is communicating with. This requires proper /etc/resolv.conf and name server (bind) configuration, /etc/hosts or NIS/NFS configuration.

File /home/user1/public_html/etc/pathmsg:

    A NOTE TO USERS UPLOADING FILES: File names may consist of letters (a-z, A-Z), numbers (0-9), an underscore ("_"), dash ("-") or period (".") only. The file name may not begin with a period or dash. You have tried to upload a file with an inappropriate name.
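The pathmsg text is the human-readable form of the policy the path-filter line in /etc/ftpaccess enforces: one "allowed characters" pattern and two "disallowed" patterns (a leading period, a leading dash). The following is an added example, not code from the YoLinux tutorial or from wu-ftpd, that applies the same three rules as a shell function so an upload name can be checked (or a batch of existing file names audited) with the same result the server would give. It assumes nothing beyond the policy stated above; the names it is run on at the bottom are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the YoLinux page or from wu-ftpd): the guest upload
# name policy from the path-filter line, as a shell function.

# valid_upload_name NAME: succeed only if NAME passes all three path-filter rules.
valid_upload_name() {
    _name=$1
    [ -n "$_name" ] || return 1
    # rule 1 (allowed pattern ^[-A-Za-z0-9_\.]*$): every character from the allowed set
    printf '%s\n' "$_name" | grep -Eq '^[-A-Za-z0-9_.]*$' || return 1
    # rules 2 and 3 (disallowed patterns ^\. and ^-): no leading period, no leading dash
    case "$_name" in
        .*|-*) return 1 ;;
    esac
    return 0
}

# check_upload_names NAME...: print one "accept NAME" or "reject NAME" line per argument.
check_upload_names() {
    for _n in "$@"; do
        if valid_upload_name "$_n"; then
            echo "accept $_n"
        else
            echo "reject $_n"
        fi
    done
}

# Constructed sample names (not from any real upload).
check_upload_names index.html my_page-v2.htm .htaccess -rf 'evil name.html' 'a;b'
```

Names with spaces, shell metacharacters, or a leading dot or dash are rejected; a practical use is `ls -A /home/user1/public_html | while read -r f; do valid_upload_name "$f" || echo "$f"; done` to list files already present that the filter would not have accepted.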
The whole point of the chroot directory is to make the user's home directory appear to be the root of the file system (/) so one could not wander around the file system. Configuration of /etc/ftpaccess will limit the user to their respective directories while still offering access to /bin/ls and other system commands used in FTP operation.

As root:

    cd /home/user1
    mkdir public_html
    chown $1.$1 public_html
    touch .rhosts              Security protection
    chmod ugo-xrw .rhosts

Man Pages:

Server:

    ftpd - Internet File Transfer Protocol server

File Formats:

    /etc/ftpaccess      Configuration file for ftpd
    /etc/ftpservers     ftpd virtual hosting configuration file. (optional)
    /etc/ftphosts       allow or deny access to certain accounts from various hosts. (optional)
    /etc/ftpconversions ftpd conversions database (for tar and compression)
    /var/log/xferlog    FTP server log file
    ftp                 File Transfer Client program

Configuration files: (RH 8.0+)

PAM configuration file: /etc/pam.d/ftp

    #%PAM-1.0
    auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_shells.so
    account    required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth

Xinetd configuration file: /etc/xinetd.d/wu-ftpd

    service ftp
    {
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        server_args     = -l -a
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
    }

Note: wu-FTPd is controlled by xinetd and not a standalone service like vsFTPd.

Logrotate configuration file: /etc/logrotate.d/ftpd

    /var/log/xferlog {
        nocompress
    }

More information:

    WU-FTPD released kftpbench: FTP benchmark program to give you an idea as to how many simultaneous dialup clients a server can support.
    FTP and text file type conversions: End Of Line Characters by Peter Benjamin

Man pages on related FTP commands and files:

    chroot      Run with a special root directory
    ftpcount    Show number of concurrent users.
    ftpshut     close down the ftp servers at a given time
    ftprestart  Restart previously shutdown ftp servers
    ftpwho      show current process information for each ftp user
    privatepw   Change WU-FTPD Group Access File Information (admin command)

Other FTP daemons:

    CrushFTP - Java/cross platform
    WS_FTP

FTP Pitfalls:

If you get the following error:

    ftp> ls
    227 Entering Passive Mode (208,188,34,109,208,89)
    ftp: connect: No route to host

This means you have firewall issues, most probably on the FTP server itself. Start by removing the firewall "iptables" rules: iptables -F. Add rules until you discover what is causing the problem.

Passive mode:

Passive mode can also help one past the rules:

    ftp> passive
    Passive mode on.

This toggles passive mode on and off. When on, FTP will be limited to ports specified in the vsftpd configuration file vsftpd.conf with the parameters pasv_min_port and pasv_max_port.
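The 227 reply quoted in the error above tells the client which address and port to connect to for the data transfer: the last two numbers encode the port as p1*256 + p2 (RFC 959). Decoding that port shows whether the server's reply falls inside the pasv_min_port..pasv_max_port range the firewall has been opened for, which is the usual explanation of "No route to host" right after a 227. The script below is an added example, not code from the YoLinux tutorial; it parses the 227 line from the page and checks it against the 50000-60000 range used in the sample vsftpd.conf above (both values are taken from this page, not from a live server).

```shell
#!/bin/sh
# Added example (not from the YoLinux page): decode the data port advertised in
# a 227 "Entering Passive Mode" reply and compare it with the configured range.

# pasv_data_port REPLY: prints "h1.h2.h3.h4 PORT" for a 227 reply, fails otherwise.
pasv_data_port() {
    _reply=$1
    # take the six comma-separated numbers between the parentheses
    _nums=$(printf '%s\n' "$_reply" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$_nums" ] || return 1
    set -- $(printf '%s\n' "$_nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    # RFC 959: data port = p1 * 256 + p2
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# pasv_port_in_range REPLY MIN MAX: succeed when the advertised port lies in MIN..MAX.
pasv_port_in_range() {
    _decoded=$(pasv_data_port "$1") || return 2
    _port=${_decoded##* }
    [ "$_port" -ge "$2" ] && [ "$_port" -le "$3" ]
}

# The 227 line quoted in the pitfall above, and the range from the sample vsftpd.conf.
_reply='227 Entering Passive Mode (208,188,34,109,208,89)'
echo "data connection: $(pasv_data_port "$_reply")"
if pasv_port_in_range "$_reply" 50000 60000; then
    echo "port is inside pasv_min_port..pasv_max_port; the firewall must accept 50000:60000/tcp"
else
    echo "port is outside the configured passive range; check pasv_min_port/pasv_max_port"
fi
```

For the reply on this page the data port works out to 53337, which is inside 50000-60000, so a client failing with "No route to host" here points at the firewall rather than at the vsftpd passive settings.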
Firewall connection tracking module:

    # cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
    IPTABLES_MODULES="ip_conntrack_ftp"

NAT firewall modules:

You can also try adding ip_nat_ftp to the list of autoloaded modules: (This will also load the dependency: ip_conntrack_ftp.)

    # cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
    IPTABLES_MODULES="ip_nat_ftp"

Then restart the firewall: /etc/init.d/iptables condrestart

FTP will change ports during use. The ip_conntrack_ftp module will consider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work. i.e. rule: /etc/sysconfig/iptables

    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

FTP fails because it cannot change to the user's home directory:

Error:

    [user1@nodex ~]$ ftp node.domain.com
    Connected to XXX.XXX.XXX.XXX.
    530 Please login with USER and PASS.
    530 Please login with USER and PASS.
    KERBEROS_V4 rejected as an authentication type
    Name (XXX.XXX.XXX.XXX:user1):
    331 Please specify the password.
    Password:
    500 OOPS: cannot change directory:/home/user1
    Login failed.
    ftp> bye

This is often a result of SELinux preventing the vsftpd process from accessing the user's home directory. As root, grant access with the following command: setsebool -P ftp_home_dir 1
Followed by: service vsftpd restart

Test your vsftpd SELinux settings: getsebool -a | grep ftp

    allow_ftpd_anon_write --> off
    allow_ftpd_full_access --> off
    allow_ftpd_use_cifs --> off
    allow_ftpd_use_nfs --> off
    allow_tftp_anon_write --> off
    ftp_home_dir --> on
    ftpd_disable_trans --> off
    ftpd_is_daemon --> on
    httpd_enable_ftp_server --> off
    tftpd_disable_trans --> off

FTPd SELinux man page

FTP Linux clients:

    gftp: GUI GTK+ multi-threaded client. File transfer, directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat/Fedora Core.
    KFTPgrabber: GUI KDE based client. Simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.
    kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with S.U.S.E. Linux.
    ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)

Basic user security:

When hosting web sites, there is no need to grant a shell account, which only allows the server to have more potential security holes. Current systems can specify the user to have only FTP access with no shell by granting them the "shell" /sbin/nologin provided with the system or the "ftponly" shell described below. The shell can be specified in the file /etc/passwd or when creating a user with the command: adduser -s /sbin/nologin userid

[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5 does not support this configuration to prevent shell access. It requires users to have a real user shell, i.e. /bin/bash. It works great in older and current Red Hat versions. If it works for you, use it, as it is more secure to deny the user shell access. You can always deny telnet access. You should NOT be using this problem-ridden version of ftpd. Use the latest wu-ftpd 2.6.2-11 which supports users with shell /opt/bin/ftponly.

[Potential Pitfall]: Ubuntu Dapper/Hardy: Setting the shell to the pre-configured shell /bin/false will NOT allow vsftp access. One must create the shell "ftponly" as defined below to allow vsftp access with no shell.

1. Disable remote telnet login access, allowing FTP access only:

Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.

    ...
    user1:x:502:503::/home/user1:/opt/bin/ftponly
    ...

Create file: /opt/bin/ftponly. Protection set to -rwxr-xr-x 1 root root with the command: chmod ugo+x /opt/bin/ftponly. Contents of file:
    #!/bin/sh
    #
    # ftponly shell
    #
    trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
    #
    Admin=[email protected]
    #System=`/bin/hostname`@`/bin/domainname`
    #
    /bin/echo
    /bin/echo "********************************************************************"
    /bin/echo "You are NOT allowed interactive access."
    /bin/echo
    /bin/echo "User accounts are restricted to ftp and web access."
    /bin/echo
    /bin/echo "Direct questions concerning this policy to $Admin."
    /bin/echo "********************************************************************"
    /bin/echo
    #
    # C'ya
    #
    exit 0

The last step is to add this to the list of valid shells on the system. Add the line /opt/bin/ftponly to /etc/shells.

Sample file contents: /etc/shells

    /bin/bash
    /bin/bash1
    /bin/tcsh
    /bin/csh
    /opt/bin/ftponly

See man page on /etc/shells.

An alternative would be to assign the shell /bin/false or /sbin/nologin, which became available in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false or /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access.

2. Set file quotas to limit user accounts.

For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial

Domain Name Server (DNS) configuration using Bind version 8 or 9:

Two of the most popular ways to configure the program Bind (Berkeley Internet Domain software) to perform DNS services are in the role of (1) ISP or (2) Web Host.

1. In an ISP configuration for clients (web surfers) connected to the internet, the DNS server must resolve IP addresses for any URL the user wishes to visit. (See DNS caching server)

2. In a purely web hosting configuration, Bind will only resolve for the IP addresses of the domains which are being hosted. This is the configuration which will be discussed and is often called an "Authoritative-only Nameserver".

When resolving IP addresses for a domain, Internic is expecting a "Primary" and a "Secondary" DNS name server. (Sometimes called Master and Slave.) Each DNS name server requires the file /etc/named.conf and the files it points to. This is typically two separate computer systems hosted on two different IP addresses. It is not necessary that the Linux servers be dedicated to DNS, as they may run a web server, mail server, etc.

Note on Bind versions: Red Hat versions 6.x used Bind version 8. Release 7.1 of Red Hat began using Bind version 9, and the GUI configuration was introduced for those of you that like a pretty point-and-click interface for configuration.

Installation Packages:

Red Hat/Fedora Core/CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind

    bind-chroot: Security jail for operation of bind.
    bind-utils: Utility commands like nslookup, host, dig
    system-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).
    caching-nameserver: We will not be covering this as it is not required for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting.

Ubuntu (dapper/hardy/natty)/Debian: bind9

Configuration files:

Red Hat/Fedora/CentOS:

    named.conf
        Description: Primary/Secondary DNS server configuration. (See default file /usr/share/doc/bind-9.X.X/sample/etc/named.conf)
        Directory: /etc/
        Chrooted directory: /var/named/chroot/etc/

    named.root.hints
        Description: Configuration for recursive service. Required for all zones. (See default file /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints)
        Directory: /etc/
        Chrooted directory: /var/named/chroot/etc/

    named
        Description: Red Hat system variables.
        Directory: /etc/sysconfig/
        Chrooted directory: no change

    rndc.key
        Description: Primary/Secondary DNS server configuration.
        Directory: /etc/
        Chrooted directory: /var/named/chroot/etc/

    Zone files
        Description: Configuration files for each domain. Create this file to resolve host name internet queries, i.e. define IP address of web (www) and mail servers in the domain.
        Directory: /var/named/
        Chrooted directory: /var/named/chroot/var/named/

Debian/Ubuntu:

    named.conf, named.conf.options, named.conf.local
        Description: Primary/Secondary DNS server configuration.
        Directory: /etc/bind/
        Chrooted directory: /var/bind/chroot/etc/bind/

    rndc.key
        Description: Primary/Secondary DNS server configuration.
        Directory: /etc/
        Chrooted directory: /var/bind/chroot/etc/
    Zone files
        Description: Configuration files for each domain.
        Directory: /var/bind/data/
        Chrooted directory: /var/bind/chroot/var/bind/data/

Primary server (master):

File: named.conf

Red Hat/Fedora Core/CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) and /etc/sysconfig/named for system variables.
Ubuntu/Debian: /etc/bind/named.conf. Place local definitions in /etc/bind/named.conf.options and /etc/bind/named.conf.local

Simple example: (no views)

    options {                                   // Ubuntu stores options in /etc/bind/named.conf.options
        version "Bind";                         // Don't disclose real version to hackers
        directory "/var/named";                 // Specified so relative path names can be used. Full path names still allowed.
        allow-transfer { XXX.XXX.XXX.XXX; };    // IP address of secondary DNS
        recursion no;
        auth-nxdomain no;                       // conform to RFC1035. (default)
        fetch-glue no;                          // Bind 8 only! Not used by version 9
    };

    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };

    zone "yourdomain.com" {                     // Ubuntu separates the zone definitions into /etc/bind/named.conf.local
        type master;                            // Specify master, slave, forward or hint
        file "data/named.yourdomain.com";
        notify yes;                             // slave servers are notified when the zone is updated.
        allow-update { none; };                 // deny updates from other hosts (default: none)
        allow-query { any; };                   // allow clients to query this server (default: any)
    };
    zone "yourdomain2.com" {
        type master;
        file "data/named.yourdomain2.com";
        notify yes;
    };

Note:

The omission of zone "." is required if providing a recursive service. Ubuntu includes the separated file of zone directives using the directive: include "/etc/bind/named.conf.local";

BIND Views: The BIND naming service can support "views" which allow various sub-networks (i.e. private internal or public external networks) to have a different domain name resolution result.

If no views are specified then use the configuration shown above. The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement. If even one view is specified, then ALL zones MUST be associated with a "view". Bind 9 allows for views which allow different zones to be served to different types of clients: localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "internal" and "external":

    localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf
    internal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.
    external: The general public internet defined as client "any".

If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views). In order to support a DNS for internet domains using views, one will have to configure an "external" view.

Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")

    options {
        directory "/var/named"; // the default
        dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
    };
    logging {
        // By default, SELinux policy does not allow named to modify the /var/named
        // directory, so put the default debug log file in data/:
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };
    view "localhost_resolver" {
        // This view sets up named to be a localhost resolver (caching only name server).
        // If all you want is a caching-only name server, then you need only define this view:
        match-clients { localhost; };
        ...
    };
    view "internal" {
        // This view will contain zones you want to serve only to "internal" clients
        // that connect via your directly attached LAN interfaces "localnets".
        // For local private LAN. Not covered in this tutorial.
        // Delete this view if web hosting with no local LAN.
        match-clients { localnets; };
        ...
    };
    key ddns_key {
        algorithm hmac-md5;
        secret "use /usr/sbin/dns-keygen to generate TSIG keys";
    };
    view "external" {
        // This view will contain zones you want to serve only to "external"
        // public internet clients. This is covered below.
        match-clients { any; };
        .....
    };

Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf

    cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc
    cp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc
    chcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints

view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:

    cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc
    cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named

also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root

view "external": (master) details

    view "external" {
        /* This view will contain zones you want to serve only to "external" clients
         * that have addresses that are not on your directly attached LAN interface subnets:
         */
        match-clients { any; };
        match-destinations { any; };
        allow-transfer { XXX.XXX.XXX.XXX; };    // IP address of secondary DNS
        recursion no;
        // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers

        // all views must contain the root hints zone:
        include "/etc/named.root.hints";

        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
        zone "yourdomain.com" {
            type master;
            file "/var/named/data/external/named.yourdomain.com";
            notify yes;
            allow-update { none; };
        };
        // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement
        include "/etc/named.conf.local";
    };

DNS key:

Use the following command /usr/sbin/dns-keygen to create a key. Add this key to the "secret" statement as follows:

    key ddns_key {
        algorithm hmac-md5;
        secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";
    };

Man Pages:

    named.conf

Forward Zone File: /var/named/named.yourdomain.com

Red Hat 9/CentOS 3: /var/named/named.yourdomain.com
Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted] /var/named/chroot/var/named/data/named.yourdomain.com
Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.yourdomain.com
Ubuntu/Debian: /etc/bind/data/named.yourdomain.com

    $TTL 604800     ; Bind 9 (and some of the later versions of Bind 8) requires the $TTL statement. Measured in seconds. This value is 7 days.
    yourdomain.com.  IN  SOA  ns1.yourdomain.com.  hostmaster.yourdomain.com. (
            2000021600  ; serial       Many people use year+month+day+integer as a system.
            86400       ; refresh      How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)
            7200        ; retry        How long secondary server should wait for a retry if contact failed.
            1209600     ; expire       Secondary server to purge info after this length of time.
            86400 )     ; default_ttl  How long data is held in cache by remote servers.
                     IN  A      XXX.XXX.XXX.XXX  ; Note that this is the default IP address of the domain. I put the web server IP address here so that domain.com points to the same servers as www.domain.com
    ;
    ; Name servers for the domain
    ;
                     IN  NS     ns1.yourdomain.com.
                     IN  NS     ns2.yourdomain.com.
    ;
    ; Mail server for domain
    ;
                     IN  MX  5  mail             ; Identify "mail" as the node handling mail for the domain. Do NOT specify an IP address!
    ;
    ; Nodes in domain
    ;
    node1            IN  A      XXX.XXX.XXX.XXX  ; Note that this is the IP address of node1
    ns1              IN  A      XXX.XXX.XXX.XXX  ; Optional: For hosting your own primary name server. Note that this is the IP address of ns1
    ns2              IN  A      XXX.XXX.XXX.XXX  ; Optional: For hosting your own secondary name server. Note that this is the IP address of ns2
    mail             IN  A      XXX.XXX.XXX.XXX  ; Identify the IP address for node mail.
                     IN  MX  5  XXX.XXX.XXX.XXX  ; Identify the IP address for mail server named "mail".
    ;
    ; Aliases to existing nodes in domain
    ;
    www              IN  CNAME  node1            ; Define the web server "www" to be node1.
    ftp              IN  CNAME  node1            ; Define the ftp server to be node1.

DNS record types and format:

SOA
    Start of Authority: Primary domain server and contact info. Note that there is a period following the primary domain server and contact e-mail. Note that the e-mail address is in the form where the first period represents the "@" symbol of the e-mail address.

        yourdomain.com  in  SOA  ns1.yourdomain.com.  webmaster.yourdomain.com.

    or

        @  in  SOA  ns1.yourdomain.com.  webmaster.yourdomain.com.

    [Potential Pitfall]: Incorrect specification of the primary name server may result in the following message in /var/log/messages

        view localhost_resolver: received notify for zone 'yourdomain.com': not authoritative

    SOA attributes:
        serial   Never use a value greater than 2147483647 for a 32 bit processor. Increment to a higher value to indicate an update to the slave server.
        refresh  Time increment (seconds) between update checks of the serial number with the primary server
        retry    Time elapsed before a slave will contact the primary server if a connection failed
        expire   Time till primary server information is considered invalid and should be refreshed if there is a new DNS query
        minimum  Time for DNS servers should hold domain information in their cache before purging

IN
    Indicate Internet.

NS
    Specify the Authoritative Name servers for the domain.

A
    Specify the IP address associated with the hostname. Format: hostname IN A XXX.XXX.XXX.XXX
    Note that in my example, no hostname is specified for the first record. This will define the default for the domain.

CNAME
    Specify an alias for the hostname.

MX
    Mail exchange record. Specify a priority number for the primary and backup mail servers. The lowest number indicates the default mail server for the domain.

PTR
    Used to specify the reverse DNS lookup

MX records for 3rd party off-site mail servers:

    yourdomain.com.  IN  MX  10  mail1.offsitemail.com.
    yourdomain.com.  IN  MX  20  mail2.offsitemail.com.

Append to the above example file.
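The SOA details in the table above are easy to get wrong by hand: a missing trailing dot on the primary name server or contact, an "@" in the contact, a serial above 2147483647, or a serial that does not grow (slaves only transfer when the master's serial is higher than theirs). The script below is an added example, not code from the YoLinux tutorial or from BIND; it checks those points on a zone file laid out like the one above and computes the next serial under the year+month+day+integer scheme the tutorial mentions. The zone text it is run on is constructed for the demonstration, and the "today" date is passed in as an argument so the result is reproducible.

```shell
#!/bin/sh
# Added example (not from the YoLinux page or from BIND): check the SOA record of
# a zone file and compute the next YYYYMMDDnn serial.
# Assumes the zone-file layout shown above (SOA fields, then the parenthesised numbers).

# zone_soa_serial FILE: print the serial (first number after the "(" of the SOA).
zone_soa_serial() {
    sed 's/;.*//' "$1" | awk '
        { for (i = 1; i <= NF && !insoa; i++) if ($i == "SOA") insoa = 1 }
        insoa {
            if (!seen) { p = index($0, "("); if (p) { seen = 1; $0 = substr($0, p + 1) } else next }
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit }
        }'
}

# zone_soa_check FILE: print one line per problem; return 1 if any were found.
zone_soa_check() {
    _file=$1; _bad=0
    _soa=$(sed 's/;.*//' "$_file" | awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print; exit } }')
    [ -n "$_soa" ] || { echo "no SOA record"; return 1; }
    set -- $_soa
    while [ $# -gt 0 ] && [ "$1" != "SOA" ]; do shift; done
    _ns=$2; _contact=$3
    case "$_ns" in *.) ;; *) echo "primary name server '$_ns' lacks trailing dot"; _bad=1 ;; esac
    case "$_contact" in *.) ;; *) echo "contact '$_contact' lacks trailing dot"; _bad=1 ;; esac
    case "$_contact" in *@*) echo "contact '$_contact' must use '.' in place of '@'"; _bad=1 ;; esac
    _serial=$(zone_soa_serial "$_file")
    [ -n "$_serial" ] || { echo "no serial found"; return 1; }
    [ "$_serial" -le 2147483647 ] || { echo "serial $_serial exceeds 2147483647"; _bad=1; }
    grep -q '^[$]TTL' "$_file" || { echo "missing \$TTL statement (required by Bind 9)"; _bad=1; }
    return $_bad
}

# next_serial CURRENT YYY YMMDD: next serial under the year+month+day+integer scheme.
# Same day: bump the two-digit counter (fails after 99). New day: restart at 00.
# Fails if the result would not be larger than CURRENT, since slaves would ignore it.
next_serial() {
    _cur=$1; _today=$2
    case "$_cur" in
        "$_today"[0-9][0-9])
            _count=${_cur#"$_today"}
            _count=$((${_count#0} + 1))          # strip a leading zero before arithmetic
            [ "$_count" -le 99 ] || return 1
            _new=$(printf '%s%02d' "$_today" "$_count") ;;
        *)  _new="${_today}00" ;;
    esac
    [ "$_new" -gt "$_cur" ] || return 1
    echo "$_new"
}

# Constructed sample zone (not a real domain's file), in the layout shown above.
_zone=$(mktemp)
cat > "$_zone" <<'EOF'
$TTL 604800
yourdomain.com.  IN  SOA  ns1.yourdomain.com.  hostmaster.yourdomain.com. (
        2000021600  ; serial
        86400       ; refresh
        7200        ; retry
        1209600     ; expire
        86400 )     ; default_ttl
                 IN  NS  ns1.yourdomain.com.
EOF
zone_soa_check "$_zone" && echo "SOA ok, serial $(zone_soa_serial "$_zone")"
echo "next serial for 2015-04-07: $(next_serial "$(zone_soa_serial "$_zone")" 20150407)"
rm -f "$_zone"
```

A typical use before `/etc/init.d/named restart` is `zone_soa_check /var/named/chroot/var/named/data/named.yourdomain.com`, then replacing the serial with the value from `next_serial "$(zone_soa_serial FILE)" "$(date +%Y%m%d)"`.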
Initial configuration: Note that Red Hat may supply the default zone configuration in: /usr/share/doc/bind-9.X.X/sample/var/named/

    cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/
    cp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/
    cd /var/named/chroot/var/named/data/
    chcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local

A file suffix of "zone" is also common, i.e. yourdomain.com.zone

Secondary server (slave):

File: named.conf

Red Hat/Fedora Core/CentOS: /etc/named.conf
Ubuntu/Debian: /etc/bind/named.conf

Simple example with no views:

    options {                                   // Ubuntu stores options in /etc/bind/named.conf.options
        version "Bind";                         // Don't disclose real version to hackers
        directory "/var/named";
        allow-transfer { none; };               // Slave is not transferring updates to anyone else
        recursion no;
        auth-nxdomain no;                       // conform to RFC1035. (default)
        fetch-glue no;                          // Bind 8 only! Not used by version 9
    };
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";              // Ubuntu: /etc/bind/db.local, Red Hat: /var/named/named.local
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };

    zone "yourdomain.com" {
        type slave;
        file "named.yourdomain.com";            // Specify slaves/named.yourdomain.com for RHEL 4/5 chrooted bind
        masters { XXX.XXX.XXX.XXX; };           // IP address of primary DNS
    };
    zone "yourdomain2.com" {
        type slave;
        file "named.yourdomain2.com";
        masters { XXX.XXX.XXX.XXX; };
    };

view "external": (slave)

    view "external" {
        match-clients { any; };
        match-destinations { any; };
        allow-transfer { none; };               // Slave does not transfer to anyone, slave receives
        recursion no;
        include "/etc/named.root.hints";

        zone "yourdomain.com" {
            type slave;
            file "/var/named/slaves/external/named.yourdomain.com";
            notify no;                          // Slave does not notify, slave is notified by master
            masters { XXX.XXX.XXX.XXX; };       // State IP of master server
        };
    };

Note: RHEL 4/5, CentOS 4/5, Fedora 3+ use chrooted directory structure permissions which require the use of the slaves subdirectory /var/named/slaves

Slave Zone Files: These are transferred from master to slave and cached by the slave. There is no need to generate a zone file on the slave.

Additional Information:

    Man page on named.conf
    Man page on named DNS server
    Full DNS manual

[Potential Pitfall]: Ubuntu dapper/hardy/natty: Path names used cannot violate AppArmor security rules as defined in /etc/apparmor.d/usr.sbin.named, so the slave files are typically named "/var/lib/bind/named.yourdomain.com" as permitted by the security configuration.

[Potential Pitfall]: Ubuntu dapper/hardy/natty: Create log file and set ownership and permission for file not created by installation:

    touch /var/log/bindlog
    chown root.bind /var/log/bindlog
    chmod 664 /var/log/bindlog

[Potential Pitfall]: Error in /var/log/messages:

    transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied

Named needs write permission on the directory containing the file. This condition often occurs for a new "slave" or "secondary" name server where the zone files do not yet exist. The default (RHEL 4/5, CentOS 4/5, Fedora Core 3+, ...):

    drwxr-x---  4 root  named 4096 Aug 25  2004 named
    drwxrwx---  2 named named 4096 Sep 17 20:37 slaves

Fix: In named.conf specify that the slaves go to the slaves directory /var/named/chroot/var/named/slaves with the directive: file "slaves/named.yourdomain.com";

Bind Defaults:

Uses port 53 if none is specified with the listen-on port statement. Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on port 53, specify the following statement in /etc/named.conf

    query-source address * port 53;
    query-source-v6 port 53;

Logging is to /var/log/messages

After the configuration files have been edited, restart the name daemon.

    /etc/init.d/named restart

(Note: Ubuntu/Debian restart: /etc/init.d/bind9 restart)

Bind zone transfers work best if the clocks of the two systems are synchronised. See the YoLinux SysAdmin Tutorial: Time and ntpd

File: /var/named/named.yourdomain.com: This is created for you by Bind on the slave (secondary) server when it replicates from the primary server.

DNS GUI configuration:

    Red Hat EL4/5, Fedora 2-10: /usr/bin/system-config-bind
    Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind

Test DNS:

Must install packages:

    Red Hat/Fedora Core/SuSE: bind-utils
Ubuntu(dapper/hardy/natty)/Debian:bind9host
Test the name server with the host command:

    host node.domain-to-test.com your-name-server-to-test.domain.com

Note: The name server may also be specified by IP address.
or
Test the name server with the nslookup command in interactive mode:

    nslookup
    > server your-name-server-to-test.domain.com
    > node.domain-to-test.com
    > exit

Test the MX record if appropriate:

    nslookup -querytype=mx domain-to-test.com

OR

    host -t mx domain-to-test.com

Test using the dig command:

    dig @name-server domain-to-query

OR

    dig @IP-address-of-name-server domain-to-query

Test your DNS with the following DNS diagnostics web site: DnsStuff.com
Extra logging to monitor Bind:
Add the following to your /etc/named.conf file.

    logging {
        channel bindlog {
            // Keep five old versions of the log file (rotates logs)
            file "/var/log/bindlog" versions 5 size 1m;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        /*
         * If you want to enable debugging, eg. using the 'rndc trace' command,
         * named will try to write the 'named.run' file in the $directory (/var/named).
         * By default, SELinux policy does not allow named to modify the /var/named directory,
         * so put the default debug log file in data/:
         */
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
        category xfer-out { bindlog; };        // Zone transfers
        category xfer-in { bindlog; };         // Zone transfers
        category security { bindlog; };        // Approved/unapproved requests

        // The following logging statements, panic, insist and response-checks are
        // valid for Bind 8 only. Do not use for version 9 (left commented out here).
        // category panic { bindlog; };           // System shutdowns
        // category insist { bindlog; };          // Internal consistency check failures
        // category response-checks { bindlog; }; // Messages
    };
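As an added example that is not part of the tutorial, the following POSIX shell script summarises a bindlog written by the stanza above: denied zone transfers per client (security category) and completed outbound transfers (xfer-out category). The log lines are constructed sample data in the "date category: severity: message" layout the print-* options produce; the addresses are documentation ranges and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the YoLinux tutorial): summarise /var/log/bindlog
# as written by the logging{} stanza with print-time, print-category and
# print-severity enabled. The sample log below is constructed; 192.0.2.x,
# 198.51.100.x and 203.0.113.x are documentation addresses, not real hosts.

BINDLOG="${BINDLOG:-/tmp/bindlog_example}"

write_example_log() {
    cat > "$BINDLOG" <<'EOF'
17-Sep-2004 20:37:01.101 security: error: client 192.0.2.10#4321: zone transfer 'yolinux.com/AXFR/IN' denied
17-Sep-2004 20:37:02.202 xfer-out: info: client 198.51.100.5#53: transfer of 'yolinux.com/IN': AXFR started
17-Sep-2004 20:37:02.303 xfer-out: info: client 198.51.100.5#53: transfer of 'yolinux.com/IN': AXFR ended
17-Sep-2004 20:38:11.404 security: error: client 192.0.2.10#4322: zone transfer 'yolinux.com/AXFR/IN' denied
17-Sep-2004 20:39:12.505 security: error: client 203.0.113.7#1025: zone transfer 'yolinux.com/AXFR/IN' denied
17-Sep-2004 20:40:00.606 general: info: zone yolinux.com/IN: loaded serial 2004091701
EOF
}

# Print "count client" pairs for denied zone transfers, most frequent first.
# Fields: $1 date, $2 time, $3 category, $4 severity, $5 "client", $6 "addr#port:".
denied_transfers() {
    awk '/security:/ && /zone transfer/ && /denied/ {
            split($6, a, "#"); n[a[1]]++        # strip the "#port:" suffix
         }
         END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Print the client address of every completed outbound transfer (AXFR ended).
completed_transfers() {
    awk '/xfer-out:/ && /AXFR ended/ { split($6, a, "#"); print a[1] }' "$1"
}
```

A client that shows up repeatedly in denied_transfers is either a mis-configured secondary that belongs in allow-transfer, or someone probing for a full zone copy.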
Chroot Bind for extra security:
Note: Most modern Linux distributions default to a "chrooted" installation. This technique runs the Bind name service with a view of the file system in which the root directory "/" is redefined to be the directory in which Bind will operate, i.e. /var/named/chroot.
The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. It applies to Bind version 9 as well.
The latest Red Hat bind updates run named as user "named" to avoid a lot of earlier hacker exploits. Chrooting the process creates an even more secure environment by limiting the view of the system that the process can access: the process is limited to the chrooted directory assigned.
Chrooting the named process to a directory under an unprivileged user limits what an exploit can reach. The original default Red Hat configuration (6.2) ran the named process as root, so if an exploit was found, the named process would give the attacker the privileges of the root user. (This is no longer true.)
Named Command Syntax:

    named -u user -g group -t directory-to-chroot-to

Example:

    named -u named -g named -t /opt/named

When chrooted, the process does not have access to system libraries, thus a local lib directory is required with the appropriate library files, theoretically. This does not seem to be the case here, as noted above in chrooted FTP. It's a mystery to me but it works???? Another method to handle libraries is to recompile the named binary with everything statically linked. Add -static to the compile options. The chrooted process should also require a local /etc/named.conf etc... but doesn't seem to???
Script to create a chrooted bind environment:

    #!/bin/sh
    # Build the chroot tree under /opt/named and hand it to the named user.
    cd /opt
    mkdir named
    cd named
    mkdir etc
    mkdir bin
    mkdir var
    cd var
    mkdir named
    mkdir run
    cd ..
    chown -R named.named bin etc var

You can probably stop here. If your system acts like a chrooted system should, then continue with the following:

    cp -p /etc/named.conf etc
    cp -p /etc/localtime etc
    cp -p /bin/false bin
    echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd
    echo "named:x:25:" > etc/group
    touch var/run/named.pid
    # Copy the namedb tree into the jail if this system has one.
    if [ -e /etc/namedb ]
    then
        cp -Rp /etc/namedb etc/namedb
    fi
    mkdir dev
    cd dev
    # Create a character unbuffered device file (/dev/null inside the jail).
    mknod -m ugo+rw null c 1 3
    cd ..
    chown -R named.named bin etc var
Add changes to the init script: /etc/rc.d/init.d/named

    #!/bin/bash
    #
    # named         This shell script takes care of starting and stopping
    #               named (BIND DNS server).
    #
    # chkconfig: - 55 45
    # description: named (BIND) is a Domain Name Server (DNS) \
    # that is used to resolve host names to IP addresses.
    # probe: true

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ ${NETWORKING} = "no" ] && exit 0

    [ -f /etc/sysconfig/named ] && . /etc/sysconfig/named

    [ -f /usr/sbin/named ] || exit 0

    [ -f /etc/named.conf ] || exit 0

    RETVAL=0

    start() {
        # Start daemons.
        echo -n "Starting named: "
        daemon named -u named -g named -t /opt/named   # Change made here
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
        echo
        return $RETVAL
    }
    stop() {
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
        RETVAL=$?
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
        echo
        return $RETVAL
    }
    rhstatus() {
        /usr/sbin/ndc status
        return $?
    }
    restart() {
        stop
        start
    }
    reload() {
        /usr/sbin/ndc reload
        return $?
    }
    probe() {
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/sbin/ndc reload >/dev/null 2>&1 || echo start
        return $?
    }

    # See how we were called.
    case "$1" in
      start)
        start
        ;;
      stop)
        stop
        ;;
      status)
        rhstatus
        ;;
      restart)
        restart
        ;;
      condrestart)
        [ -f /var/lock/subsys/named ] && restart || :
        ;;
      reload)
        reload
        ;;
      probe)
        probe
        ;;
      *)
        echo "Usage: named {start|stop|status|restart|condrestart|reload|probe}"
        exit 1
    esac

    exit $?

Note: The current version of bind from the Red Hat errata updates and security fixes (http://www.redhat.com/support/errata/) runs the named process as user "named" in the home (not chrooted) directory /var/named with no shell available (named -u named). This should be secure enough. Proceed with a chrooted installation if you are paranoid.
See:
Securing DNS: How to use chroot bind features
Chrooted DNS configuration:
Modern releases of Linux (i.e. Fedora Core 3, Red Hat Enterprise Linux 4) come pre-configured to use "chrooted" bind. This security feature forces even an exploited version of bind to only operate within the "chrooted" jail /var/named/chroot, which contains the familiar directories:
/var/named/chroot/etc: Configuration files
/var/named/chroot/dev: devices used by bind: /dev/null, /dev/random, /dev/zero (Real devices created with the mknod command.)
/var/named/chroot/var: Zone files and configuration information.
These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".
If building from source you will have to generate this configuration manually:

    mkdir -p /var/named/chroot
    mkdir /var/named/chroot/dev
    mknod /var/named/chroot/dev/null c 1 3
    mknod /var/named/chroot/dev/zero c 1 5
    mknod /var/named/chroot/dev/random c 1 8
    chmod -R 666 /var/named/chroot/dev
    mkdir -p /var/named/chroot/etc
    ln -s /var/named/chroot/etc/named.conf /etc/named.conf
    mkdir -p /var/named/chroot/var/named
    ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
    ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
    ...
    mkdir -p /var/named/chroot/var/named/slaves
    mkdir -p /var/named/chroot/var/named/data
    mkdir -p /var/named/chroot/var/run
    mkdir -p /var/named/chroot/var/tmp
    chown -R named:named /var/named/chroot
    chown -R root:named /var/named/chroot/var/named
Load Balancing of servers using Bind: DNS Round Robin
This will populate DNS caching name servers around the world with different IP addresses for your web server www.yourdomain.com
File: /var/named/data/named.yourdomain.com

    $TTL 604800
    yourdomain.com. IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com.
    ...
    ...
    www IN A 192.168.1.1
    www IN A 192.168.1.2
    www IN A 192.168.1.3
    www IN A 192.168.1.4
    www IN A 192.168.1.5
    www IN A 192.168.1.6

Note:
This example will resolve the www.yourdomain.com URL to each of the IP addresses listed, one at a time for each request. The first request will resolve to 192.168.1.1, the second request will resolve to 192.168.1.2, etc. A perfectly even load balance is not possible because network service providers run DNS caching servers which hold the resolved IP address for a different number of users. Using multiple CNAMEs to rotate records is no longer permissible in bind 9. Listing a record multiple times with the same IP address will not change the load sharing: Bind will ignore duplicate records. Reducing the time to live (TTL) will cause load sharing to take place more frequently, thus responding to a change in servers more quickly.
Also see lbnamed: lbnamed load balancing named
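The following POSIX shell script is an added example, not from the tutorial: it checks a round-robin zone file for the two points in the note above, duplicate A records (which Bind ignores, so they add no load share) and the $TTL that governs how long caches hold one answer. The zone file is constructed sample data using the tutorial's placeholder yourdomain.com and 192.168.1.x addresses; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the YoLinux tutorial): sanity-check a DNS round-robin
# zone file before loading it into Bind. The zone below is constructed sample
# data; yourdomain.com and 192.168.1.x are the tutorial's placeholders.

ZONE_FILE="${ZONE_FILE:-/tmp/rr_zone_example.db}"

write_example_zone() {
    cat > "$ZONE_FILE" <<'EOF'
$TTL 604800
yourdomain.com. IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com. (
        2015040701 ; serial
        86400 7200 3600000 3600 )
        IN NS ns1.yourdomain.com.
www     IN A 192.168.1.1
www     IN A 192.168.1.2
www     IN A 192.168.1.2   ; duplicate: Bind will ignore it
www     IN A 192.168.1.3
EOF
}

# Print the distinct A record addresses for NAME ($2) in zone file ($1).
rr_addresses() {
    awk -v name="$2" '$1 == name && $2 == "IN" && $3 == "A" { print $4 }' "$1" | sort -u
}

# Count how many A records for NAME are extra copies of an address already listed.
rr_duplicates() {
    total=$(awk -v name="$2" '$1 == name && $2 == "IN" && $3 == "A" { n++ } END { print n + 0 }' "$1")
    distinct=$(rr_addresses "$1" "$2" | awk 'END { print NR }')
    echo $((total - distinct))
}

# Read the $TTL directive in seconds: caches keep one answer this long, so a
# lower value rotates clients between servers sooner.
zone_ttl() {
    awk '$1 == "$TTL" { print $2; exit }' "$1"
}
```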
Bind/DNS Links:
Internet Software Consortium (ISC) Home Page
ISC Bind Home
Zytrax Bind 9 manual: Bind for rocket scientists
comp.protocols.tcp-ip.domains FAQ (HTML version)
mod_rewrite: page forwarding, load balancing and round robin schemes
LDP DNS HOWTO
DNS Security best practices: Cricket Liu (co-author of DNS and Bind)
DNS Security Paper: Craig Rowland
EveryDNS.net: Free DNS
Secondary.com: Free secondary name server hosting (five or fewer domains)
TZO.com: Dynamic, secondary DNS services.
OpenDNS.com: Can allow forwarding to OpenDNS servers. Add to the "options" section: forwarders { 208.67.222.222; 208.67.222.220; };
DynDNS: dyn.com. Command: ipcheck.py -i eth0 DynDNS-userid password node.dnsalias.net. Then add the script update.dyndns.ip to the directory /etc/cron.daily/ to update the IP. This host must also be allowed access through any firewall rules.
DynDNS.com: Dynamic DNS for those with dynamic IP addresses (i.e. dial-up game servers etc.)
Domain name registration:
Domain Name Registrars:
NetworkSolutions.com
Register.com: Registrar.
GoDaddy.com: Domain name registration for only $8.95/year!!!
Dotster.com: Domain name registration for only $14.95/year
DomainsNext.com: $11.95/year
EasyDNS.com: $25.00/year
Gandi.net: European
AfterNic.com: Domain name exchange and auction.
BuyDomains.com: Buy a domain name that a squatter is holding.
Note that the name registration policies for the registrars are stated at ICANN.org.
You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards. Most registrars free a domain name 30 days after it expires.
Web Server Load Balancing:
Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both. Multiple options are available for load balancing.
DNS round robin: Discussed above, this uses DNS to point users to a random server in a list of appropriate servers. This spreads the load among the servers in the list.
Use a Linux Virtual Server to Create a Load Balance Cluster: See next section below.
Run a reverse proxy: See nginx ("engine X"). From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).
Run the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server: This acts as a reverse proxy, routing external traffic to various servers on an internal network.
Using a Linux Virtual Server to Create a Load Balance Cluster:
You can use a single Linux server to forward requests to a cluster of servers using iptables for IP masquerading and ipvsadm to scale your load. The load balancing server receiving and routing the requests is called the "Linux Virtual Server" (LVS). The LVS receives the requests, which are passed to the real servers which process and reply to the request. This reply is forwarded to the client by the LVS.
This feature is available with the Linux 2.4/2.6 kernel. (If compiling the kernel: Networking Options + IP: Virtual Server Configuration)
Configuration: This example will load balance http traffic to three web servers and ftp traffic to a fourth server.
Enable Forwarding: (Also see the YoLinux Networking Tutorial: Enable Forwarding)

    echo "1" > /proc/sys/net/ipv4/ip_forward

Enable IP Masquerading:

    iptables -t nat -P POSTROUTING DROP
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

For more on IP Masquerading, iptables and subnet addresses, see the YoLinux network gateway tutorial.
Enable virtual server: Create the virtual service and choose a scheduler for http (80) and ftp (21):

    ipvsadm -A -t 66.218.88.103:80 -s wlc
    ipvsadm -A -t 66.218.88.103:21 -s wrr

Command directives:
-A: Add a virtual service defined by IP address, port number, and protocol.
-t: Use TCP service host:port
-s: scheduler:
rr: Round Robin: distributes jobs equally amongst the available real servers.
wrr: Weighted Round Robin.
lc: Least-Connection: assigns more jobs to real servers with fewer active jobs.
wlc: (Default) Weighted Least-Connection: assigns more jobs to servers with fewer jobs, relative to the real server's weight.
lblc, lblcr, dh, sh, sed, nq: See man page.
Configure the load balancing cluster:

    ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -m
    ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2
    ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -m
    ipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m

Command directives:
-r: Real server.
-m: Use masquerading, also known as network address translation (NAT).
-w: Weight is an integer specifying the capacity of a server relative to the others in the pool. The valid values of weight are 0 to 65535. The default is 1.
Links:
LinuxVirtualServer.org
iptables: Administration tool for IPv4 packet filtering and NAT
ipvsadm: Administer the routing table on a Linux Virtual Server.
Managing Web Server Daemons:
To view if these services are running, type ps aux and look for the httpd, inetd and named services (daemons). These are background processes necessary to perform the server tasks.

    root      681  0.0  0.5  2304  744 ?  S  Sep09  0:01 named
    nobody  28123  0.0  1.1  3036 1420 ?  S  Oct06  0:00 httpd
    nobody  28186  0.0  0.7  3044  896 ?  S  Oct06  0:00 httpd
    root      385  0.0  0.1  1136  232 ?  S  Sep09  0:00 inetd

A new installation will most likely NOT start the named background process, which may be started manually after configuration. See the YoLinux Init Process Tutorial for more information. The inetd (or xinetd) background process is the Internet daemon which starts FTP when an ftp request is made.
SysAdmin Script:
Script to prepare an account: (Red Hat/Fedora)

    #!/bin/sh
    # Author Greg Ippolito
    # Requires: /opt/etc/AccountDefaults/ pathmsg favicon.ico mwhmini_tr.gif etc.
    #           /opt/bin/ftponly
    # You must be root to run this script.
    #
    if [ $# -eq 0 ]
    then
        echo "Enter user id as a command argument"
    else
        if [ -r /home/$1 ]
        then
            echo "User's home directory already exists"
        else
            echo "1) Create user."
            adduser -m $1
            echo "2) Set user Password."
            passwd $1
            echo "3) Add read access to user directory so apache can read it."
            cd /home
            chmod ugo+rx $1
            cd $1
            echo "4) Create web directories."
            mkdir public_html
            chown $1.$1 public_html
            chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html
            cd public_html
            mkdir images
            chown $1.$1 images
            chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images
            # Block potential for unauthenticated logins (rhosts in the home directory)
            cd ../
            touch .rhosts
            chmod ugo-xrw .rhosts
            cd public_html
            echo "5) Create default web page"
            sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html
            cp -p /opt/etc/AccountDefaults/favicon.ico .
            cp -p /opt/etc/AccountDefaults/default-logo.gif ./images
            cp -p /opt/etc/AccountDefaults/robots.txt .
            chown $1.$1 index.html favicon.ico robots.txt
            chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt
            chcon -R -h -t httpd_sys_content_t images/default-logo.gif
            echo "6) Edit /etc/passwd file: change user shell to /opt/bin/ftponly"
            cp -p /etc/passwd /etc/passwd-`date +%m%d%y`
            # Anchor on "user:" so that only this account's entry is changed.
            sed "/^$1:/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd
            # wu-ftp # Requires: /etc/ftpaccess guestuser restricted-uid
            # wu-ftp # echo "7) Add user to /etc/ftpaccess file"
            # wu-ftp # cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`
            # wu-ftp # sed "/^guestuser/s!guestuser!guestuser $1!" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess
            # wu-ftp # sed "/^restricted-uid/s!restricted-uid!restricted-uid $1!" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess
            # wu-ftp # echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess
            echo "7) Add user to vsftpd chroot list"
            echo $1 >> /etc/vsftpd/vsftpd.chroot_list
            echo "8) Setting Disk Quotas to default 50Mb limit:"
            # Use user johndoe as a prototype.
            edquota -p johndoe $1
            echo "9) Admin Follow-up:"
            echo "Modify quota.user if different than default"
            echo "Make changes to Bind name services on dns1 and dns2 if necessary"
            echo "Change /etc/http/conf/httpd.conf or"
            echo "add config to /etc/http/conf.d/ if using a new domain name"
            echo "Add email aliases to mail server if necessary"
        fi
    fi
FYI: Sample robots.txt files:
yolinux.com/robots.txt
USC.edu/robots.txt
Useful links and resources:
Linux Init Process: YoLinux.com tutorial
Setting up an Apache redirect: YoLinux.com tutorial
Apache Documentation
LDP HowTo Guides:
DNS HOWTO: DNS administration, Nicolai Langfeldt
Securing Domain HOWTO
ISP Setup Red Hat: Using Linux to host an ISP, Anton Chuvakin
Linux Networking Overview HOWTO: Daniel Lopez Ridruejo
Virtual Services HOWTO: DNS, FTP, Apache, Mail (POP, Qmail, Sendmail), Syslogd and Samba
WWW HOWTO: Setting up Apache services
WWW mSQL HOWTO
List of Internet Exchanges [map and list]: An Internet Exchange (IX) is a junction between multiple principal Internet communication lines. Locating at or close to an IX gives you the best ability to handle traffic and the lowest latencies. Description of IX
Setting up a mail server: YoLinux Tutorial
Books:
"Ubuntu Unleashed 2013 edition:" Covering 12.10 and 13.04 (8th Edition) by Matthew Helmke, Andrew Hudson and Paul Hudson, Sams Publishing, ISBN# 0672336243 (Dec 15, 2012)
"Ubuntu Unleashed 2012 edition:" Covering 11.10 and 12.04 (7th Edition) by Matthew Helmke, Andrew Hudson and Paul Hudson, Sams Publishing, ISBN# 0672335786 (Jan 16, 2012)
"Ubuntu Unleashed 2011 edition:" Covering 10.10 and 11.04 (6th Edition) by Matthew Helmke, Ryan Troy, Andrew Hudson and Paul Hudson, Surfing Turtle Press, ISBN# 0672333449 (Dec 24, 2010)
"Fedora 18 Desktop Handbook" by Richard Petersen, Surfing Turtle Press, ISBN# 1936280639 (Mar 6, 2013)
"Fedora 18 Networking and Servers" by Richard Petersen, Surfing Turtle Press, ISBN# 1936280698 (March 29, 2013)
"Fedora 14 Desktop Handbook" by Richard Petersen, Surfing Turtle Press, ISBN# 1936280167 (Nov 30, 2010)
"Fedora 14 Administration and Security" by Richard Petersen, Surfing Turtle Press, ISBN# 1936280221 (Jan 6, 2011)
"Fedora 14 Networking and Servers" by Richard Petersen, Surfing Turtle Press, ISBN# 1936280191 (Dec 26, 2010)
"Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)" by Mark Sobell, Prentice Hall PTR, ISBN# 0137003889, 2nd edition (January 9, 2009)
"Fedora 10 and Red Hat Enterprise Linux Bible" by Christopher Negus, Wiley, ISBN# 0470413395
"Red Hat Fedora 6 and Enterprise Linux Bible" by Christopher Negus, Sams, ISBN# 047008278X
"Fedora 7 & Red Hat Enterprise Linux: The Complete Reference" by Richard Petersen, Sams, ISBN# 0071486429
"Red Hat Fedora Core 6 Unleashed" by Paul Hudson, Andrew Hudson, Sams, ISBN# 0672329298
"Red Hat Linux Fedora 3 Unleashed" by Bill Ball, Hoyt Duff, Sams, ISBN# 0672327082
"Red Hat Linux 9 Unleashed" by Bill Ball, Hoyt Duff, Sams, ISBN# 0672325888, May 8, 2003
I have the Red Hat 6 version and I have found it to be very helpful. I have found it to be way more complete than the other Linux books. It is the most complete general Linux book in publication. While other books in the "Unleashed" series have disappointed me, this book is the best out there.
"Apache Server Bible 2" by Mohammed J. Kabir, ISBN# 0764548212, Hungry Minds
This book is very complete, covering all aspects in detail. It is not your basic reprint of the apache.org documents like so many others.
"Pro DNS and Bind" by Ronald Aitchison, Apress, ISBN# 1590594940
Copyright 2000-2014 by Greg Ippolito