ต่อไป »

[golfreeze]

Setting the Hostname

The first task is to set the proper hostname of the server.

To do this, SSH into your server and as root, execute the following commands:


echo domain.com > /etc/hostname
/bin/hostname -F /etc/hostname

Replace domain.com with your domain name.

Installing APF Firewall

Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today's Internet deployed servers and the unique needs of custom deployed Linux installations.

First, get the latest APF package by executing the following commands:


cd /usr/src
wget http://www.r-fx.ca/downloads/apf-current.tar.gz

Next, verify the md5sum of the file by executing the command:

md5sum apf-current.tar.gz

The md5sum should be 7e61bb201d137e038209ded82c106b84.

If the md5sum does not match, then delete the file by executing the command: rm apf-current.tar.gz and then download the file again.

Once the md5sum is OK, extract the files by executing the command:

tar -xvzf apf-current.tar.gz

Navigate to the directory apf-0.9.6-2 and install APF, by executing the following commands:


cd apf-0.9.6-2
sh install.sh

Next install the configuration files by executing the following commands:


cd /etc/apf
mv conf.apf conf.apf.old
wget http://technichristian.net/DEBIAN-ETCH-SERVER/conf.apf
chmod 640 conf.apf
cd /etc/apf/ad
mv conf.antidos conf.antidos.old
wget http://technichristian.net/DEBIAN-ETCH-SERVER/conf.antidos
chmod 640 conf.antidos
cd /usr/src

Find out your server's external interface by executing the command: ifconfig -a. The interface that contains your server's main IP is the external interface.

If your server's external interface is NOT eth0, then edit /etc/apf/conf.apf.

Find the lines:


IFACE_IN="eth0"
IFACE_OUT="eth0"

and change them accordingly.

Sometimes, the external interface might appear as: inet0:0. In this case, set the interface as inet0 in the lines above.

Start APF by executing the command: apf -s

Execute the command: apf -l and view the output.

If the output is any thing other than:

Chain INPUT (policy ACCEPT 12 packets, 859 bytes)
num pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 9 packets, 882 bytes)
num pkts bytes target prot opt in out source destination

you know your firewall is started and working.

My configuration has only the following ports open:

# port 21 - FTP
# port 22 - SSH
# Port 25 - SMTP
# port 80 - HTTP
# port 110 - POP3
# port 143 - IMAP
# Port 443 - HTTPS
# port 993 - IMAPS
# port 995 - POP3S

If you want to open out other ports (or close down open ports), then find the line (in /etc/apf/conf.apf) that reads: IG_TCP_CPORTS="22,80,25,443,143,110,995,993,21" and change the port numbers accordingly.

Restart APF by executing the command: apf -f && apf -s

Installing Lighttpd

Lighttpd is the perfect alternative to Apache. As the name suggests, it is very light on resources and runs like a champ.

The version in Debian Etch repository is a very old version [1.4.13]. The current version at this time of writing is 1.4.18. You are going to build lighttpd from source.

SSH into your server and as root, perform the following:

First, update your apt sources and then update your existing installation. To do this, execute the command: apt-get update && apt-get upgrade.

Next, install the build tools. To do this, execute the command:

apt-get install gcc build-essential autoconf automake patch bison flex

Next, install all the needed libraries and tools by executing the command:

apt-get install mysql-server mysql-client libmysqlclient15-dev libfam-dev fam libfam0 liblua5.1-0 liblua5.1-0-dev lua5.1 libmemcache-dev libmemcache0 memcached libgdbm-dev libgdbm3 pkg-config libssl-dev libpcre3 libpcre3-dev libxml2-dev libxml2 xml-core libxml2-utils libsqlite3-0 libsqlite3-dev sqlite

(All on ONE line)

MySQL will also be installed.

During the installation of MySQL, you have to set a password for the root MySQL user. Also for the choice: Support MySQL connections from hosts running Debian "sarge" or older, select No.

Portmap will also be installed. For the question: Should portmap be bound to the loopback address? answer Yes. Portmap should listen on the local system only.

Next, get the lighttpd source files. Execute the commands:

cd /usr/src
wget http://www.lighttpd.net/download/lighttpd-1.4.18.tar.bz2

to get the file.

Verify the md5sum of the file. To do this, execute the command:

md5sum lighttpd-1.4.18.tar.bz2.

The md5 sum should be: 26f98dddf9d8c0775221b800986003ee. If the md5sum is not as shown, then delete the file, by executing the command: rm lighttpd-1.4.18.tar.bz2 and then download the file again.

Once the md5sum matches, extract the file by executing the command: tar -xvjf lighttpd-1.4.18.tar.bz2.

Navigate into the extracted directory:cd lighttpd-1.4.18.

Configure the build by executing the command:

./configure --prefix=/usr --sysconfdir=/etc --with-mysql --with-openssl --with-pcre --with-bzip2 --with-fam --with-gdbm --with-memcache --with-lua=lua5.1 --with-webdav-props --with-webdav-locks

(All on ONE line)

Next, make and install the files by executing the command: make && make install.

Lighttpd is now installed.

Installing PHP

Lighttpd uses the fastcgi version of PHP. Install PHP and all the associated modules by executing the command:

cd /usr/src

apt-get install php5-cgi php5-curl php5-dev php5-gd php5-imagick php5-imap php5-json php5-mcrypt php5-memcache php5-mhash php5-mysql php5-pspell php5-sqlite3 php5-suhosin php5-xsl

(All on ONE line).

For the question Trust new CA certificates, answer Yes.

For the question Continue installing libc-client without Maildir support, answer Yes.

For the question Configure php.ini for json, answer Yes.

For the question Configure php.ini for memcache, answer Yes.

PHP is now installed.

Installing Eaccelerator

eAccelerator is a free open-source PHP accelerator, optimizer, and dynamic content cache. It increases the performance of PHP scripts by caching them in their compiled state, so that the overhead of compiling is almost completely eliminated. It also optimizes scripts to speed up their execution. eAccelerator typically reduces server load and increases the speed of your PHP code by 1-10 times.

To install eaccelerator, as root, execute the following commands:

cd /usr/src

wget http://bart.eaccelerator.net/source/0.9.5.2/eaccelerator-0.9.5.2.tar.bz2

Verify the md5sum of the downloaded file, by executing the command:

md5sum eaccelerator-0.9.5.2.tar.bz2.

The md5sum should be: 7c44ee0bc5e7f74b7cb7f6360e015128. If it is not, then delete the file by executing the command: rm eaccelerator-0.9.5.2.tar.bz2 and then download the file again.

Once the md5sum is correct, extract the files by executing the command:

tar -xvjf eaccelerator-0.9.5.2.tar.bz2

Navigate into the eaccelerator directory, build and install the files by executing the commands:

cd eaccelerator-0.9.5.2
phpize
./configure
make
make install

Create the eaccelerator cache directory and assign the right ownership to it (the owner and group has to be the user and group lighttpd is running as - in this case www-data) by executing the commands:

mkdir /var/eaccelerator
chown -R www-data:www-data /var/eaccelerator/

Getting Lighttpd Ready to Run

Replace the existing php.ini with the modified php.ini, by executing the commands:

cd /etc/php5/cgi/
mv php.ini php.ini.old
wget http://technichristian.net/DEBIAN-ETCH-SERVER/php.ini

Create the directory from where files are served. The directory to use is /var/www/htdocs. Execute the following commands to create it:


mkdir -p /var/www/htdocs
chown -R www-data:www-data /var/www/htdocs

Create the lighttpd log directory, by executing the commands:


mkdir -p /var/log/lighttpd
touch /var/log/lighttpd/access.log
touch /var/log/lighttpd/error.log
chown -R www-data:www-data /var/log/lighttpd/

Create the lighttpd cache directory, by executing the following commands:


mkdir -p /var/cache/lighttpd/compress
chown -R www-data:www-data /var/cache/lighttpd/

Finally, create the lighttpd runtime directory, by executing the following commands:


mkdir -p /var/run/lighttpd/
chown -R www-data:www-data /var/run/lighttpd/

Get the lighttpd configuration file and place it in /etc by executing the commands:


cd /etc
wget http://technichristian.net/DEBIAN-ETCH-SERVER/lighttpd.conf

Start lighttpd by executing the command:


lighttpd -f /etc/lighttpd.conf

There should be no errors.

Executing ps -e | grep lighttpd should show the process number of the lighttpd process.

Executing ps -e | grep php5-cgi should show the process numbers of the php5-cgi processes.

Navigate to /var/www/htdocs and download the test php file, by executing the following commands:


cd /var/www/htdocs
wget http://technichristian.net/DEBIAN-ETCH-SERVER/info.phpq
mv info.phpq info.php
cd /usr/src

Open your web browser and navigate to http://domain.com/info.php (replace domain.com with your domain name) and you will see the php information in all its glory.

This indicates that both your lighttpd and php installs are working fine.

You should see the eaccelerator section in the output, indicating that your eaccelerator installation is working fine.

You should also see a suhosin section in the output, indicating that your PHP is hardened.

Next, setup lighttpd for HTTPS (Secure HTTP) operation.

Lighttpd can only serve either ssl or non-ssl at one time. To get over this, run two lighttpd daemons - one to server on port 80 [Non-SSL (which we have done earlier)] and the other to serve on port 443 (SSL).

Make a copy of the lighttpd binary and call it lighttpd-ssl by executing the following command:

cd /usr/src
cp /usr/sbin/lighttpd /usr/sbin/lighttpd-ssl

Next, create the SSL and cache directories to store the SSL key and the cache information, by executing the following commands:

mkdir -p /var/www/ssl/cache
chown -R www-data:www-data /var/www/ssl

Next, create the SSL self signed certificate by executing the following commands:

cd /var/www/ssl
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
chown www-data:www-data server.pem
chmod 600 server.pem

Here is an example of what you should enter as certificate information:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Dallas
Locality Name (eg, city) []:Texas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:technichristian.info
Organizational Unit Name (eg, section) []:Internet Division
Common Name (eg, YOUR name) []:technichristian.info
Email Address []:[email protected]

Finally get the lighttpd-ssl.conf file and save it in /etc by executing the following commands:

cd /etc
wget http://technichristian.net/DEBIAN-ETCH-SERVER/lighttpd-ssl.conf

Start up lighttpd-ssl by executing the command:

lighttpd-ssl -f /etc/lighttpd-ssl.conf

There should be no errors.

Executing ps -e | grep lighttpd-ssl should show the process number of the lighttpd-ssl process.

Open your web browser and navigate to https://domain.com/info.php (replace domain.com with your domain name) and you will see the php information in all its glory.

You will see a certificate warning from your browser. This is because your SSL certificate is NOT verified by any certification authority such as Verisign or Geotrust for instance. Accept the certificate and continue. Your browsing is not less secure than if you paid for a verified certificate. You should pay and get a verified certificate if you are a commercial entity.

Now remove the info.php file by executing the command:rm info.php in your /var/www/htdocs directory. Having it there is a security risk as anyone can access its output through a web browser and see all your PHP information.

If you ever need to kill lighttpd, you can execute the following:

To kill lighttpd

killall -9 lighttpd php5-cgi

To kill lighttpd-ssl

killall -9 lighttpd-ssl php5-cgi

To kill both lighttpd and lighttpd-ssl

killall -9 lighttpd lighttpd-ssl php5-cgi

Installing Postfix and Courier

Postfix and Courier will take care of your mail server needs. The following section will show you how to install Postfix with SMTP-AUTH and TLS.

To install, Posfix, execute the following command:

apt-get install postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail

Note: Substitute your actual domain name for domain.com in the questions below.

Select Internet Site for the question General type of configuration?

Enter the admin address (for e.g. [email protected] or [email protected]) for the question Where should mail for root go? [You will create this account later]

Enter domain.com for the question Mail name?

Enter domain.com, localhost, localhost.localdomain for the question Other destinations to accept mail for?

Answer No for the question Force synchronous updates on mail queue?

Next, execute the command dpkg-reconfigure postfix to reconfigure postfix.

Answer the questions as above.

Enter 127.0.0.0/8 for the question Local Networks?

Answer Yes for the question Use Procmail for local delivery?

Enter 0 for the question Mailbox size limit?

Enter + for the question Local address extension character?

Select all for the question Internet protocols to use?

Next, execute the following commands to configure postfix and TLS.

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'mailbox_command ='

As postfix runs chrooted, you need to make a few changes for authentication through saslauthd to function properly.

First, create the saslauthd directory. To do this, execute the command:

mkdir -p /var/spool/postfix/var/run/saslauthd

Next, edit /etc/default/saslauthd.

Find the line that reads START=no and change it to START=yes.

Next, find the line that reads OPTIONS="-c" and change it to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Start saslauthd by executing the command: /etc/init.d/saslauthd start

Edit /etc/postfix/main.cf

Find the line that reads smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) and change it to smtpd_banner = $myhostname ESMTP

No one needs to know which mailer and which OS we are using.

Find the line that reads #delay_warning_time = 4h and uncomment it (remove the '#' from it). Postfix will notify you in case it cannot deliver a mail even after 4 hours.

Add the following lines:


#Users mail will be delivered to Maildir directory in their home folder
home_mailbox = Maildir/


#The max size of a message is 31457280 bytes - i.e. 30 MB
message_size_limit = 31457280


#A helo from the receiving mail server is required
#else the connection will be dropped.
smtpd_helo_required = yes


#All incoming messages will be checked for spam
# with zen.spamhaus.org and if spam, rejected.
smtpd_client_restrictions = permit_mynetworks, \
reject_rbl_client zen.spamhaus.org, permit


#Protect against DOS attacks
disable_vrfy_command = yes
smtpd_error_sleep_time = 0s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
smtpd_timeout = 30s
smtpd_delay_reject = no

Next, install Courier. This is the imap/pop3 server.

Execute the following command:

apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-ssl courier-pop courier-pop-ssl gamin libgamin0 libglib2.0-0 ispell wamerican-huge

(All on ONE line).

Answer No for the question Create directories for web-based administration?

Click OK for the notice SSL certificate required.

Courier is now installed.

In the command above, ispell along with the American English dictionary is installed. British English users should install wbritish-huge instead of wamerican-huge.

Next, install postgrey. Postgrey is a greylisting daemon for postfix.

I

[golfreeze]

ต่อ
n name, as well as operation, greylisting is related to whitelisting and blacklisting. What happens is that each time a given mailbox receives an email from an unknown contact (ip), that mail is rejected with a "try again later"-message (This happens at the SMTP layer and is transparent to the end user). This, in the short run, means that all mail gets delayed at least until the sender tries again - but this is where spam loses out! Most spam is not sent out using RFC compliant MTAs; the spamming software will not try again later. [More information here.]

Execute the following commands to install it:


cd /usr/src
apt-get install postgrey

Postgrey should now be installed and running. Execute the command: netstat -anp | grep 60000 to verify that postgrey is running.

The output should look similar to:

tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN 22665/postgrey.pid

Edit /etc/postfix/main.cf

Find the line that reads:

smtpd_client_restrictions = permit_mynetworks, \
reject_rbl_client zen.spamhaus.org, permit

and change it to:

smtpd_client_restrictions = permit_mynetworks, check_policy_service inet:127.0.0.1:60000, \
reject_rbl_client zen.spamhaus.org, permit

Postgrey comes with a set of whitelisted servers. These are listed in /etc/postgrey/whitelist_clients. Postgrey automatically whitelists a server, after it has made 5 successful email deliveries to your email addresses.

Edit /etc/postgrey/whitelist_clients if you want to add or delete whitelisted servers.

Next, set up a filter to block all unwanted attachment extensions.

Execute the following commands:

cd /etc/postfix
wget http://technichristian.net/DEBIAN-ETCH-SERVER/mime_header_checks.regexp
cd /usr/src

The two lines in the file will reject all emails containing attachments with the specified extensions.

Note: I do NOT block zip files on my server. If you do NOT want to block zip files, then remove '|zip' from the first line.

The full list of extensions to block is here.

Next, configure Postfix to verify SPF information when receiving email.

A SPF record indicates that a specified server is allowed to send email for a specified domain or specified multiple domains.

First, install the Mail::SPF package, by executing the commands:


cd /usr/src
perl -MCPAN -e shell

Answer no for the question Are you ready for manual configuration? [yes]

At the cpan prompt enter: install Mail::SPF

Answer yes to install all dependencies.

The final lines of a successful build should be:


Installing /usr/local/bin/spfquery
Writing /usr/local/lib/perl/5.8.8/auto/Mail/SPF/.packlist
/usr/bin/make install -- OK

Exit the cpan shell with the command:exit.

Note: If the build fails and drops you back to the cpan shell prompt, enter exit to return to the bash prompt, then restart the cpan shell and the build..

Execute: wget http://www.openspf.org/blobs/postfix-policyd-spf-perl-2.004.tar.gz. This is the package that integrates with postfix and verifies the SPF header.

Check the md5sum with the command: md5sum postfix-policyd-spf-perl-2.004.tar.gz.

The md5sum should be: d7e1b3524483f99521913d3cd87a9215 for the present version (2.004). If the md5sum does not match, then delete the file by executing the command: rm postfix-policyd-spf-perl-2.004.tar.gz and download the file again.

Once the md5sum matches, install the package with the commands:


tar -xvzf postfix-policyd-spf-perl-2.004.tar.gz
cd postfix-policyd-spf-perl-2.004
cp postfix-policyd-spf-perl /usr/lib/postfix/policyd-spf-perl
cd /usr/src
echo "policy unix - n n - - spawn user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl" >> /etc/postfix/master.cf

Edit /etc/postfix/main.cf. Find the line that reads:

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

and change it to:


smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination, check_policy_service unix:private/policy

Finally, edit /etc/aliases

and verify that the following three aliases are present:


root: [email protected]
postmaster: [email protected]
abuse: [email protected]

Add them if they are not present. Substitute the email address you entered when configuring postfix (Where should mail for root go?)

Rebuild the aliases database by executing the command: newaliases.

Restart postfix by executing the command: /etc/init.d/postfix restart.

The output of the command: ps -e should indicate that the processes: courierlogger, authdaemond, couriertcpd, postgrey, master, pickup and qmgr are running.

Create the user you entered when configuring postfix (Where should mail for root go?) - For e.g. user admin

Execute the command: useradd -d /home/admin -g users -m -s /bin/false admin to create the user.

(Remember to change 'admin' to the desired username in the command above).

Next, set a password for the newly created user by executing the command: passwd admin

(Again remember to change 'admin' to the desired username in the command above).

The new user's mail directory will be created AFTER the first email is received. Send an email to [[email protected]] (substitute your actual email address).

Wait a few minutes and then check the mail log by executing the command: tail /var/log/mail.log.

The output should have a line similar to the following:

Nov 16 11:44:37 li6-24 postfix/local[23178]: B48391D48A: to=, relay=local, delay=0.48, delays=0.43/0.02/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)

This indicates that the mail directory is created successfully and the mail delivered to it.

The output should also have a line similar to the following:

Nov 23 01:40:34 host postfix/policy-spf[24947]: : Policy action=PREPEND Received-SPF: pass (gmail.com ... _spf.google.com: 72.14.202.183 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'ip4:72.14.192.0/18' matched)) receiver=technichristian.net; identity=mfrom; envelope-from="[email protected]"; helo=ro-out-1112.google.com; client-ip=72.14.202.183

This indicates that Postfix verifies SPF records before accepting the email.

Installing Squirrelmail

Next, install squirrelmail as the webmail client.

Execute the following commands:


cd /var/www/htdocs
wget http://jaist.dl.sourceforge.net/sourceforge/squirrelmail/squirrelmail-1....

Verify the md5sum of the downloaded file by executing the command: md5sum squirrelmail-1.4.11.tar.gz. The md5sum should be b2768e991a688eb27793d3abde5720a2.

If the md5sum does not match, then delete the file by executing the command: rm squirrelmail-1.4.11.tar.gz and the download the file again.

Once the md5sum is correct, extract the file by executing the command: tar -xvzf squirrelmail-1.4.11.tar.gz

Rename the downloaded directory to a more descriptive name - webmail for example.

mv squirrelmail-1.4.11 webmail

Create a directory where attachments are stored, inside the webmail directory, by executing the command: mkdir -p /var/www/htdocs/webmail/attachments.

Set the proper permissions on the data and attachments by executing the following commands:

cd /var/www/htdocs/webmail
chown -R www-data data
chmod go-w data
chown -R root attachments
chgrp -R www-data attachments
chmod -R 730 attachments

Configure squirrelmail by executing the commands:


cd /var/www/htdocs/webmail
perl config/conf.pl

Enter 1 to select Organization preferences. Change Organization Name, Organization Title, Provider link and
Provider name according to your preferences.

Enter S to save the details and then enter R to return to the main menu.

Enter 2 to select Server Settings. Change Domain to your domain name [e.g. technichristian.info]. Select Sendmail for Sendmail or SMTP.

Enter A to update IMAP Settings. Again, enter 8 to change Server Software. Type in courier as the server software.

Enter S to save the details and then enter R to return to the main menu.

Enter 4 to select General Options. Change Data Directory to /var/www/htdocs/webmail/data. Next, change Attachment Directory to /var/www/htdocs/webmail/attachments.

Enter S to save the details and then enter R to return to the main menu.

Enter 9 to select Plugins. Enable any plugins you like. One plugin that I recommend is squirrelspell. Enable it to spell check your emails before sending them.

Enter S to save the details and then enter R to return to the main menu.

Finally, enter Q to quit the configuration editor.

Open your web browser, navigate to https://domain.com/webmail/ and check your mail.

Create a new mail user with the command:

useradd -d /home/mail-user-name -g users -m -s /bin/false mail-user-name

Change the mail-user-name password with the command:

passwd mail-user-name

Remember to change mail-user-name to the desired user name.

In squirrelmail, open a received mail and click View Full Header. The email headers are then displayed. One of the header lines should be similar to the following:

Received-SPF: pass (gmail.com ... _spf.google.com: 72.14.202.183 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'ip4:72.14.192.0/18' matched)) receiver=technichristian.net; identity=mfrom; envelope-from="[email protected]"; helo=ro-out-1112.google.com; client-ip=72.14.202.183
Received: from ro-out-1112.google.com (ro-out-1112.google.com [72.14.202.183])

This indicates that Postfix verifies SPF records before accepting the email.

Configuring MySQL

MySQL is already installed. You can get my optimized MySQL configuration and save it as /etc/mysql/my.cnf.

Start MySQL by executing the command: /etc/init.d/mysql restart. Execute the command: netstat -tap | grep mysqld to verify that mysql is running.

Installing Proftpd

Proftpd is a FTP server. Execute the command: apt-get install proftpd ucf to install it. Select Standalone for server Type.

Execute the following commands to get my proftpd configuration.


cd /etc/proftpd
mv proftpd.conf proftpd.conf.old
wget http://technichristian.net/DEBIAN-ETCH-SERVER/proftpd.conf
echo admin >> /etc/ftpusers
cd /usr/src

Restart proftpd with the command: /etc/init.d/proftpd restart. Execute the command: ps -e | grep proftpd to see that proftpd is running.

Root login is disabled and only users with a valid shell are allowed to login to proftpd. As of now, there is no such user who can login to proftpd.


Next, create a user who can login to proftpd, with the command:

useradd -d /home/ftpusername -g users -m -s /bin/bash ftpusername

Then set the password with the command: passwd ftpusername

Substitute your desired username for ftpusername in the commands above.

Open your preferred ftp client and connect as the ftp user.

Configuring SSH

SSH is already installed and running. Execute the following commands to get my SSH configuration:


cd /etc/ssh
mv sshd_config sshd_config.old
wget http://technichristian.net/DEBIAN-ETCH-SERVER/sshd_config
cd /usr/src

Root login is disabled. You can either use the ftp user to login to SSH or create a new user with the commands:

useradd -d /home/sshusername -g users -m -s /bin/bash sshusername
passwd sshusername

In any case, edit /etc/ssh/sshd_config and find the line that reads AllowUsers CHANGEME. Replace CHANGEME with your actual SSH user name.

Next, add the following command to /root/.profile (Create it if it does not exist):


echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" [email protected]

Replace [email protected] with your actual EXTERNAL email (e.g. [email protected]).

This line will send an email any time anyone logs in as root.

Restart SSH with the command: /etc/init.d/ssh restart.

Log out of SSH and try to login back as root. You should get an Access Denied message. Login as your SSH user and you should be able to login successfully.

Installing Chkrootkit

Chkrootkit is a tootl to check for signs of a rootkit.

Execute the following command to install chkrootkit: apt-get install chkrootkit

Answer Yes to the question Would you like to run chkrootkit automatically every day?

Enter -q for the arguments to pass.

Answer No to the question Only report problems if they differ from yesterday's problems?

Execute chkrootkit and view the output.

If any of the ouptut lines say INFECTED, then wipe your server and re-install. Your server has been owned.

The chkrootkit installation automatically installs a cron job that runs daily, checks the system and mails the result to the root email.

Installing Rkhunter

Rkhunter is another tool to check for rootkits.

Execute the following command to install rkhunter: apt-get install rkhunter.

Answer Yes to the question Activate daily run

Answer Yes to the question Activate weekly database update

Run rkhunter with the command: rkhunter -c -sk.

The rkhunter automatically installs a cron job that checks for rootkits and emails the results to the root email everyday. Also installed, is another cron job that updates the rkhunter database every day.

Installing Logwatch

Logwatch is a customizable log analysis system. Logwatch parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require.

Execute the following commands to install logwatch.


cd /usr/src
apt-get install logwatch
cp /usr/share/logwatch/scripts/services/* /etc/logwatch/scripts/services/
mkdir -p /var/cache/logwatch
cd /etc/logwatch/conf/
wget http://technichristian.net/DEBIAN-ETCH-SERVER/logwatch.conf
cd /usr/src

Run logwatch, by executing the command: logwatch. Login to your root email and check the results.

The logwatch installation automatically installs a cron script that runs logwatch and emails the results to the root email every day.

Installing BFD

BFD (Brute Force Detection) is a modular shell script for parsing applicable logs and checking for
authentication failures.

Execute the following commands to download BFD.

[golfreeze]

cd /usr/src
wget http://www.r-fx.ca/downloads/bfd-current.tar.gz

Check the md5sum of the downloaded file: md5sum bfd-current.tar.gz. The md5sum should be 3b19507e6722ea291aabc5e3aa6af208 for the current version (0.9).

If the md5sum does not match, then delete the downloaded file by executing the command: rm bfd-current.tar.gz and download the file again.

Once the mdsum matches, install BFD by executing the commands:


tar -xvzf bfd-current.tar.gz
cd bfd-0.9
./install.sh
cd /usr/src

Edit /usr/local/bfd/conf.bfd. Find the line that reads ALERT_USR="0" and change it to ALERT_USR="1".

Edit /etc/cron.d/bfd. Find the line that reads MAILTO= and change it to MAILTO=root.

Start bfd by executing the command: /usr/local/sbin/bfd -s

BFD will detect brute force logging attempts and ban the relevant IPs automatically.

Installing Webalizer

The Webalizer is a fast, free web server log file analysis program. It produces highly detailed, easily configurable usage reports in HTML format, for viewing with a standard web browser.

Execute the following commands to install Webalizer: apt-get install webalizer

Enter /var/www/htdocs/webalizer as the directory in which to put webalizer output.

Enter Usage statistics for as the Title.

Enter /var/log/lighttpd/access.log as the Webserver's rotated file name.

Answer Yes to the question Enable DNSCache Option

Execute the following commands to get my webalizer configuration:


cd /etc/webalizer
mv webalizer.conf webalizer.conf.old
wget http://technichristian.net/DEBIAN-ETCH-SERVER/webalizer.conf
cd /usr/src

Execute the command: webalizer to run webalizer.

Open your web browser and navigate to either http://yourdomain.com/webalizer or https://yourdomain.com/webalizerto see the web stats. (Substitute your actual domain name for yourdomain.com)

Securing Webalizer Output

Next, secure webalizer output such that only an authorized user can view it.

Execute the command: apt-get install apache2-utils. apache2-utils is the package that contains the htdigest utility that you use to set up a password for the webalizer output.

Execute the command: htdigest -c /etc/webalizer-pass "Authorized User Only" desired-user-name. (Substitute your desired user name for desired-user-name).

Edit /etc/lighttpd.conf. Find the following block:


#$HTTP["url"] =~ "^/webalizer/" {
# auth.backend = "htdigest"
#auth.backend.htdigest.userfile = "/etc/webalizer-pass"
#auth.require = ("/webalizer/" => (
# "method" => "digest",
# "realm" => "Authorized User Only",
# "require" => "user=PUT-YOUR-USER-NAME"
#))
#}

Remove the '#' from all the lines. Enter your user name where it says PUT-YOUR-USER-NAME.

Similarly, edit /etc/lighttpd-ssl.conf.

Kill the running lighttpd and lighttpd-ssl process with the command: killall -9 lighttpd lighttpd-ssl php5-cgi.

Start the lighttpd and lighttpd-ssl processes with the commands:


lighttpd -f /etc/lighttpd.conf
lighttpd-ssl -f /etc/lighttpd-ssl.conf

If you get this message: lighttpd: Symbol `FamErrlist' has different size in shared object, consider re-linking, then execute the command: apt-get install libfam0, kill the lighttpd and lighttpd-ssl processes and then restart both lighttpd and lighttpd-ssl. Evidently there is a conflict between fam and gamin that causes this bug in lighttpd.

Open your browser and navigate to http://yourdomain.com/webalizer or https://yourdomain.com/webalizer. A password prompt will be displayed. Enter your user name and password to view the webalizer statistics.

The webalizer installation automatically installs a cron job that updates the webalizer statistics every day.

Installing Munin

Munin is a monitoring software that monitors your server's vital statistics and displays them in an easy to read graphical format. Execute the following command to install munin: apt-get install munin munin-node.

Next, execute the following commands to set up the output directory correctly:


/etc/init.d/munin-node stop
mv /var/www/munin/ /var/www/htdocs/

Next, edit /etc/munin/munin.conf.

Change htmldir to /var/www/htdocs/munin

Find the following block:


# a simple host tree
[localhost.localdomain]
address 127.0.0.1
use_node_name yes

Change it to:


# a simple host tree
[yourdomain.com]
address 127.0.0.1
use_node_name yes

(Substitute your domain name for yourdomain.com).

Execute the command: echo "allow ^66\.160\.141\.24$" >> /etc/munin/munin-node.conf (Substitute your actual server IP for 66.160.141.24 but preserve the format in which the IP is entered. For e.g. if your IP is 59.216.1.28, then the format should be: ^59\.216\.1\.28$).

Link as many parameters you want to monitor. For e.g. to monitor memory, execute the command:


ln -s /usr/share/munin/plugins/memory /etc/munin/plugins/

To remove a linked parameter [for e.g. memory], execute the command:


rm /etc/munin/plugins/memory

Now, start munin-node with the command: /etc/init.d/munin-node start

Wait for 5 mins for the server to be monitored. Open your browser and navigate to either http://yourdomain.com/munin or https://yourdomain.com/munin and you should see the monitored graphs.

Remember to execute:/etc/init.d/munin-node restart, every time you link or remove a parameter.

Securing Munin Output

Next, secure munin output such that only an authorized user can view it.

Execute the command: htdigest -c /etc/munin-pass "Authorized User Only" desired-user-name. (Substitute your desired user name for desired-user-name).

Edit /etc/lighttpd.conf. Find the following block:


#$HTTP["url"] =~ "^/munin/" {
# auth.backend = "htdigest"
#auth.backend.htdigest.userfile = "/etc/munin-pass"
#auth.require = ("/munin/" => (
# "method" => "digest",
# "realm" => "Authorized User Only",
# "require" => "user=PUT-YOUR-USER-NAME"
#))
#}

Remove the '#' from all the lines. Enter your user name where it says PUT-YOUR-USER-NAME.

Similarly, edit /etc/lighttpd-ssl.conf.

Kill the running lighttpd and lighttpd-ssl process with the command: killall -9 lighttpd lighttpd-ssl php5-cgi.

Start the lighttpd and lighttpd-ssl processes with the commands:


lighttpd -f /etc/lighttpd.conf
lighttpd-ssl -f /etc/lighttpd-ssl.conf

If you get this message: lighttpd: Symbol `FamErrlist' has different size in shared object, consider re-linking, then execute the command: apt-get install libfam0, kill the lighttpd and lighttpd-ssl processes and then restart both lighttpd and lighttpd-ssl. Evidently there is a conflict between fam and gamin that causes this bug in lighttpd.

Open your browser and navigate to http://yourdomain.com/munin or https://yourdomain.com/munin. A password prompt will be displayed. Enter your user name and password to view the munin output.

The munin installation automatically installs a cron job that updates the munin output every 5 mins.

Installing Vnstat

vnStat is a network traffic monitor for Linux that keeps a log of daily network traffic for the selected interface(s).

Execute the following command to install vnstat: apt-get install vnstat

Execute the following command to generate the vnstat interface database: vnstat -u -i eth0 (substitute your server's external interface if it is NOT eth0).

Next, get a good PHP frontend for vnstat and install it.

Execute the following commands to download the PHP interface:


cd /var/www/htdocs/
wget http://www.sqweek.com/sqweek/files/vnstat_php_frontend-1.3.tar.gz

Check the md5sum of the downloaded file, with the command: md5sum vnstat_php_frontend-1.3.tar.gz.

The md5sum should be 190b37808ae16bd1c1a132434b170437 for the current version (1.3). If the md5sum does not match, then delete the file by executing the command: rm vnstat_php_frontend-1.3.tar.gz and download the file again.

Once the md5sum matches, extract the file with the commands:


tar -xvzf vnstat_php_frontend-1.3.tar.gz
mv vnstat_php_frontend-1.3 vnstat

Next, edit the file: /var/www/htdocs/vnstat/config.php. Find the line that reads:

$iface_list = array('eth0', 'eth1', 'sixxs');

and edit it according to your server's external interface.

For e.g. this line from my server's configuration is $iface_list = array('eth0');

Find the following lines and edit/comment them out accordingly:


$iface_title['eth0'] = 'Internal';
$iface_title['eth1'] = 'Internet';
$iface_title['sixxs'] = 'SixXS IPv6';

For e.g. these lines from my server's configuration are:


$iface_title['eth0'] = 'External';
//$iface_title['eth1'] = 'Internet';
//$iface_title['sixxs'] = 'SixXS IPv6';

Find the line that reads: $vnstat_bin = ''; and change it to: $vnstat_bin = '/usr/bin/vnstat';

Find the line that reads: $data_dir = './dumps'; and comment it out, i.e. change it to: //$data_dir = './dumps';

Open your browser and navigate to either http://yourdomain.com/vnstat or https://yourdomain.com/vnstat and you should see the traffic graphs.

Securing Vnstat Output

Next, secure vnstat output such that only an authorized user can view it.

Execute the command: htdigest -c /etc/vnstat-pass "Authorized User Only" desired-user-name. (Substitute your desired user name for desired-user-name).

Edit /etc/lighttpd.conf. Find the following block:


#$HTTP["url"] =~ "^/vnstat/" {
# auth.backend = "htdigest"
#auth.backend.htdigest.userfile = "/etc/vnstat-pass"
#auth.require = ("/vnstat/" => (
# "method" => "digest",
# "realm" => "Authorized User Only",
# "require" => "user=PUT-YOUR-USER-NAME"
#))
#}

Remove the '#' from all the lines. Enter your user name where it says PUT-YOUR-USER-NAME.

Similarly, edit /etc/lighttpd-ssl.conf.

Kill the running lighttpd and lighttpd-ssl process with the command: killall -9 lighttpd lighttpd-ssl php5-cgi.

Start the lighttpd and lighttpd-ssl processes with the commands:


lighttpd -f /etc/lighttpd.conf
lighttpd-ssl -f /etc/lighttpd-ssl.conf

If you get this message: lighttpd: Symbol `FamErrlist' has different size in shared object, consider re-linking, then execute the command: apt-get install libfam0, kill the lighttpd and lighttpd-ssl processes and then restart both lighttpd and lighttpd-ssl. Evidently there is a conflict between fam and gamin that causes this bug in lighttpd.

Open your browser and navigate to http://yourdomain.com/vnstat or https://yourdomain.com/vnstat. A password prompt will be displayed. Enter your user name and password to view the traffic output.

Hardening sysctl.conf and host.conf

Execute the following commands to harden /etc/sysctl.conf:


cd /etc/
mv sysctl.conf sysctl.conf.old
wget http://technichristian.net/DEBIAN-ETCH-SERVER/sysctl.conf
sysctl -p
cd /usr/src

Execute the following commands to harden /etc/host.conf


echo "order hosts,bind" >> /etc/host.conf
echo "nospoof on" >> /etc/host.conf

Getting Programs to Start at Boot

The final step before cleaning up is to ensure that all installed programs start at server boot.

Install rcconf by executing the command: apt-get install rcconf. rcconf is an utility to select the programs to start at boot in various runlevels.

Execute rcconf with the command: rccconf and enable only the following:

courier-authdaemon, courier-imap, courier-imap-ssl, courier-pop, courier-pop-ssl, cron, fam, klogd, makedev, memcached, munin-node, mysql, mysql-ndb, mysql-ndb-mgm, postfix, postgrey, proftpd, saslauthd, ssh, sysklogd.

Ensure that all the other entries do NOT have a

• in front of them. Press Tab to highlight OK and press Enter to save the settings.

Add the following entries to /etc/rc.local before the line exit 0


/bin/hostname -F /etc/hostname
/usr/sbin/lighttpd -f /etc/lighttpd.conf
/usr/sbin/lighttpd-ssl -f /etc/lighttpd-ssl.conf
/usr/local/sbin/apf -s > /dev/null
/usr/local/sbin/bfd -s

Also, execute the following commands:


rm /etc/cron.daily/fw
echo "#! /bin/sh" >> /etc/cron.daily/apf
echo "/usr/local/sbin/apf -f > /dev/null" >> /etc/cron.daily/apf
echo "sleep 2" >> /etc/cron.daily/apf
echo "/usr/local/sbin/apf -s > /dev/null" >> /etc/cron.daily/apf
chmod +x /etc/cron.daily/apf

These commands stop and start the APF firewall every day so that the new list of malicious systems can be downloaded.

Installing Snort

Snort? is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods.

Login to mysql, by executing the command: mysql -u root -p

At the mysql prompt, create a database for mysql to use: create database snortdb;

Next, create a snort database user and assign correct permissions: grant all on snortdb.* to snortuser identified by 'snort-user-password';

Exit mysql by executing the command: quit

Execute the following command to install snort:apt-get install snort-mysql

Enter the interface name [e.g. eth0] on which snort should listen. Change the interface if your server's external interface is NOT eth0.

Next, enter your server's IP address,/strong> as the address range that snort will listen on. For e.g. 66.160.141.24/32 [IP-address/32] for a single IP.

Enter root for the address to which daily snort statistics should be sent.

Answer Yes to set up a snort MySQL database.

Enter localhost for the MySQL server.

Enter the name of the Snort MYSQL database that you setup previously [e.g. snortdb]

Enter the name of the Snort MYSQL database user that you setup previously [e.g. snortuser]

Enter a password for the Snort database.

Next, execute the following command to extract the MySQL schema for Snort: gunzip /usr/share/doc/snort-mysql/create_mysql.gz

Import the MySQL schema into the Snort database with the command: mysql -u snortuser -p snort < /usr/share/doc/snort-mysql/create_mysql

Edit /etc/snort/snort.conf. Uncomment the line: #var HOME_NET $eth0_ADDRESS and comment out the line var HOME_NET any. This line indicates the IP address for which all traffic will be monitored.

Change the line: var HTTP_PORTS 80 to var HTTP_PORTS [80:443]. This indicates that both HTTP as well as HTTPS ports are monitored.

Scroll down to the line: output database: log, mysql and ensure that the database settings are correct.

Execute the command: rm /etc/snort/db-pending-config to remove the db-pending-config file.

Start Snort with the command: /etc/init.d/snort start. Execute the command: ps -e | grep snort to see the process number of the running snort process.

Next, get the adodb PHP database library with the commands:

cd /var/www/htdocs
wget http://jaist.dl.sourceforge.net/sourceforge/adodb/adodb502a.tgz

Check the md5sum of the downloaded file: md5sum adodb502a.tgz. The md5sum should be 7c4e0e851b6520681ad237721f1c8ab5 for the version at the time of writing. If the md5sum does not match, then delete the file with the command: rm adodb502a.tgz and download the file again.

Once the md5sum matches, extract the file with the commands:


tar -xvzf adodb502a.tgz
rm adodb502a.tgz

Next, get BASE (the Basic Analysis and Security Engine) with the commands:


cd /var/www/htdocs/
wget http://jaist.dl.sourceforge.net/sourceforge/secureideas/base-1.3.9.tar.gz

Check the md5sum of the downloaded file: md5sum base-1.3.9.tar.gz. The md5sum should be 66e50f45c6bbf6b0cb2913b8c67f50d6 for the version at the time of writing. If the md5sum does not match, then delete the file with the command: rm base-1.3.9.tar.gz and download the file again.

Once the md5sum matches, extract the file with the commands:


tar -xvzf base-1.3.9.tar.gz
rm base-1.3.9.tar.gz
mv base-1.3.9/ snort-analysis
chmod 757 snort-analysis

Open your web browser and navigate to http://yourdomain.com/snort-analysis. The BASE page should be displayed. The values should be as follows:


Settings
Config Writeable: Yes
PHP Version: YOUR-PHP-VERSION
PHP Logging Level: [ERROR][WARNING][PARSE]

Click Continue.

Enter /var/www/htdocs/adodb5 for the Path to ADODB and click Submit Query.

Enter your Snort MySQL database settings.

Leave Archive Database alone and then click Submit Query.

Leave Use Authentication System alone and then click Submit Query

Click Create Base AG and wait for the tables to be created.

The output should be:


Successfully created 'acid_ag'
Successfully created 'acid_ag_alert'
Successfully created 'acid_ip_cache'
Successfully created 'acid_event'
Successfully created 'base_roles'
Successfully INSERTED Admin role
Successfully INSERTED Authenticated User role
Successfully INSERTED Anonymous User role
Successfully INSERTED Alert Group Editor role
Successfully created 'base_users'

Click Continue to Step 5.

You are done with BASE.

Next, execute the following commands:


pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha

to install the required packages for BASE graphs to work.

Execute the commands:


cd /var/www/htdocs
chmod 775 snort-analysis

to set proper permissions on the BASE directory.

Execute the command: htdigest -c /etc/base-pass "Authorized User Only" desired-user-name. (Substitute your desired user name for desired-user-name).

Edit /etc/lighttpd.conf. Find the following block:


#$HTTP["url"] =~ "^/snort-analysis/" {
# auth.backend = "htdigest"
#auth.backend.htdigest.userfile = "/etc/base-pass"
#auth.require = ("/snort-analysis/" => (
# "method" => "digest",
# "realm" => "Authorized User Only",
# "require" => "user=PUT-YOUR-USER-NAME"
#))
#}

Remove the '#' from all the lines. Enter your user name where it says PUT-YOUR-USER-NAME.

Similarly, edit /etc/lighttpd-ssl.conf.

Kill the running lighttpd and lighttpd-ssl process with the command: killall -9 lighttpd lighttpd-ssl php5-cgi.

Start the lighttpd and lighttpd-ssl processes with the commands:


lighttpd -f /etc/lighttpd.conf
lighttpd-ssl -f /etc/lighttpd-ssl.conf

Open your browser and navigate to http://yourdomain.com/snort-analysis or https://yourdomain.com/snort-analysis. A password prompt will be displayed. Enter your user name and password to view the BASE output.

Final Cleaning Up

The final task is to remove all unwanted packages of the server.

Execute the command:


apt-get remove --purge autotools-dev dpkg-dev libc6-dev libgdbm-dev liblua5.1-0-dev libmemcache-dev libmysqlclient15-dev libncurses5-dev libpcre3-dev libreadline5-dev libsqlite3-dev libssl-dev libstdc++6-4.1-dev libxml2-dev linux-kernel-headers php5-dev zlib1g-dev exim autoconf automake patchutils flex bison telnet gcc cpp cpp-4.1 laptop-detect m4 make

(All on ONE line) to remove all unwanted packages.

Clear the apt-cache by executing the command: apt-get clean

Clear out the /usr/src directory with the command: rm -rf /usr/src/*

Remove unwanted tar.gz files from /var/www/htdocs with the command: rm -rf /var/www/htdocs/*.tar.gz

Reboot the server once with the command: shutdown -r now to check whether everything comes up OK. All necessary services should be started at boot up.

[magicmo]

เยี่ยมเลยนะครับ

[seoindeed]

   งงเลยครับ