If You are experiencing the following error
pcfg_openfile: unable to check htaccess file, ensure it is readable
Do the following
Login to Cpanel
go Frontpage Extensions
Reinstall it
Reload the Url
Now it will be Okay.
Thursday, August 26, 2010
Find Usefull Commands
# find /path/to/base/dir -type f -exec chmod 755 {} \;
# find public_html/ -type f -exec chmod 644 {} \;
# find public_html/ -type f -exec chmod 644 {} \;
Find Usefull Commands
# find /path/to/base/dir -type f -exec chmod 755 {} \;
# find public_html/ -type f -exec chmod 644 {} \;
# find public_html/ -type f -exec chmod 644 {} \;
Monday, August 9, 2010
What is SSL and what are Certificates?
The Secure Socket Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both end of the transactions. This is in short how it works.
1.
A browser requests a secure page (usually https://).
2.
The web server sends its public key with its certificate.
3.
The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
4.
The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.
5.
The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.
6.
The web server sends back the requested html document and http data encrypted with the symmetric key.
7.
The browser decrypts the http data and html document using the symmetric key and displays the information.
Several concepts have to be understood here.
1.
A browser requests a secure page (usually https://).
2.
The web server sends its public key with its certificate.
3.
The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
4.
The browser then uses the public key, to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted http data.
5.
The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and http data.
6.
The web server sends back the requested html document and http data encrypted with the symmetric key.
7.
The browser decrypts the http data and html document using the symmetric key and displays the information.
Several concepts have to be understood here.
Sunday, August 1, 2010
COURIER INSTALLATION
COURIER_MTA INSTALLATION
1.Download the courier authentication library
URL://http://www.courier-mta.org/authlib/
# rpm -qa | grep libtool
# rpm -qa | grep binutil
# rpm -qa | grep expect
# su – vasanth
# tar xvjf courier-authlib-0.63.0.tar.bz2
# cd courier-authlib-0.63.0
# ./configure
# make
# make install
# cd /usr/local/etc/authlib
# /usr/local/sbin/authdaemond start
# ps -ax | grep auth
# cd /etc/init.d
# ln -s /usr/local/sbin/authdaemond
# ln -s /etc/init.d/authdaemond /etc/rc5.d/S20authdaemond
INSATALLING Courier-IMAP
At first check the mailbox format by checking
# cat /var/qmail/control/defaultdelivery
Note: Compile courier as non root user
# tar xvjf courier-imap-4.7.0.tar.bz2
# cd courier-imap-4.7.0
# su root
#make install (must be root)
# make install-configure(must be root )
# cd /usr/lib/courier-imap/ ( Every thing related to courier will be installed inside this directory)
1.bin >>> Contain the binary file related to the courier
2. etc >>> Contain the configuaration files
3. libexec >>> Contain the startup scripts
4. libexec >>> courier tcpd is the tcp super server like xinetd and inetd
5. man >>> Mnaul pages
CONFIGURING POP3 SERVICE
# cd /usr/lib/courier-imap/etc
# vi pop3d
#/usr/lib/courier-imap/libexec/pop3d.rc start
# netstat -nlp | grep 110
# vi /usr/local/etc/authlib/authdaemonrc
uncomment the following
authmodulelist="authuserdb authpam authldap authmysql authcustom authpipe"
IF any problem regarding pop read
http://www.courier-mta.org/authlib/README.authdebug.html
COURIER -POP3-SSL
# vi /usr/lib/courier-imap/etc/pop3d.cnf
Add the entrries to your choice
# cd /usr/lib/courier-imap/share
# ./mkpop3dcert
Certificate is stored in the /usr/lib/courier-imap/share/pop3d.pem
# cd /usr/lib/courier-imap/libexec
# ./pop3d-ssl.rc start
NOTE
Link all the startup script to /etc/init.d/
and /etc/rc3.d or rc5.d
1.Download the courier authentication library
URL://http://www.courier-mta.org/authlib/
# rpm -qa | grep libtool
# rpm -qa | grep binutil
# rpm -qa | grep expect
# su – vasanth
# tar xvjf courier-authlib-0.63.0.tar.bz2
# cd courier-authlib-0.63.0
# ./configure
# make
# make install
# cd /usr/local/etc/authlib
# /usr/local/sbin/authdaemond start
# ps -ax | grep auth
# cd /etc/init.d
# ln -s /usr/local/sbin/authdaemond
# ln -s /etc/init.d/authdaemond /etc/rc5.d/S20authdaemond
INSATALLING Courier-IMAP
At first check the mailbox format by checking
# cat /var/qmail/control/defaultdelivery
Note: Compile courier as non root user
# tar xvjf courier-imap-4.7.0.tar.bz2
# cd courier-imap-4.7.0
# su root
#make install (must be root)
# make install-configure(must be root )
# cd /usr/lib/courier-imap/ ( Every thing related to courier will be installed inside this directory)
1.bin >>> Contain the binary file related to the courier
2. etc >>> Contain the configuaration files
3. libexec >>> Contain the startup scripts
4. libexec >>> courier tcpd is the tcp super server like xinetd and inetd
5. man >>> Mnaul pages
CONFIGURING POP3 SERVICE
# cd /usr/lib/courier-imap/etc
# vi pop3d
#/usr/lib/courier-imap/libexec/pop3d.rc start
# netstat -nlp | grep 110
# vi /usr/local/etc/authlib/authdaemonrc
uncomment the following
authmodulelist="authuserdb authpam authldap authmysql authcustom authpipe"
IF any problem regarding pop read
http://www.courier-mta.org/authlib/README.authdebug.html
COURIER -POP3-SSL
# vi /usr/lib/courier-imap/etc/pop3d.cnf
Add the entrries to your choice
# cd /usr/lib/courier-imap/share
# ./mkpop3dcert
Certificate is stored in the /usr/lib/courier-imap/share/pop3d.pem
# cd /usr/lib/courier-imap/libexec
# ./pop3d-ssl.rc start
NOTE
Link all the startup script to /etc/init.d/
and /etc/rc3.d or rc5.d
QMAIL-SMARTHOST
QMAIL AS SAMRTHOST
Smart host means the email gateway between our localnetwork and remote network.
There are two files in /var/qmail/control.
1./var/qmail/control/locals
2./var/qmail/control/smtproutes
locals -> Define the local domains which are allowded to route messages. It normally define localdomain and fqdn of our server. If the message is destined remote domain it will consult the smtproutes and forward all messages to that server.
Mail open relay
mv /var/qmail/control/rcpthosts /var/qmail/control/rcpthosts.bak
Smart host means the email gateway between our localnetwork and remote network.
There are two files in /var/qmail/control.
1./var/qmail/control/locals
2./var/qmail/control/smtproutes
locals -> Define the local domains which are allowded to route messages. It normally define localdomain and fqdn of our server. If the message is destined remote domain it will consult the smtproutes and forward all messages to that server.
Mail open relay
mv /var/qmail/control/rcpthosts /var/qmail/control/rcpthosts.bak
APACHE-SSL
HOW TO APACHE-SSL
Install the following
# yum install httpd-*
# yum install openssl
# yum install mod-ssl
# yum install crypto-utils
Creating Self signed
# genkey www.example.com
Go next till the creatin of certificates(select 1024 and self signed)
Certificate are stored in /etc/pki/private/www.example.com
and in
/etc/pki/tls/certs/www.example.com
Update /etc/httpd/conf.d/ssl.conf
change the line SSLCertificatefile to the following
SSLCerticatefile /etc/pki/tls/certs/www.example.com.crt
SSLCertificatekeyfile /etc/pki/tls/private/www.example.com.key
Restart the server
# service httpd restart
To verify
netstat -ntlp | grep 443
Install the following
# yum install httpd-*
# yum install openssl
# yum install mod-ssl
# yum install crypto-utils
Creating Self signed
# genkey www.example.com
Go next till the creatin of certificates(select 1024 and self signed)
Certificate are stored in /etc/pki/private/www.example.com
and in
/etc/pki/tls/certs/www.example.com
Update /etc/httpd/conf.d/ssl.conf
change the line SSLCertificatefile to the following
SSLCerticatefile /etc/pki/tls/certs/www.example.com.crt
SSLCertificatekeyfile /etc/pki/tls/private/www.example.com.key
Restart the server
# service httpd restart
To verify
netstat -ntlp | grep 443
Saturday, July 31, 2010
Configuring Console Access
Configuring Console Access
When normal (non-root) users log in to a computer locally, they are given two types of special permissions:
1.They can run certain programs that they would not otherwise be able to run
2.They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would not otherwise be able to access
Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to "win" the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in will own the files.
In contrast, every user who logs in at the console will be allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, the console-accessible programs include halt, poweroff and reboot.
Disabling Shutdown Via Ctrl-Alt-Del
By default, /etc/inittab specifies that your system is set to shutdown and reboot the system in response to a -- key combination used at the console. If you'd like to completely disable this ability, you will need to comment out the following line in /etc/inittab:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Alternatively, you may just want to allow certain non-root users the right to shutdown the system from the console using --. You can restrict this privilege to certain users, by taking the following steps:
1.Add a -a option to the /etc/inittab line shown above, so that it reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
The -a flag tells shutdown to look for the /etc/shutdown.allow file, which you'll create in the next step.
2.Create a file named shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shutdown the system using --. The format of the /etc/shutdown.allow file is a list of usernames, one per line, like the following:
stephen
jack
sophie
According to this example shutdown.allow file, stephen, jack, and sophie are allowed to shutdown the system from the console using --. When that key combination is used, the shutdown -a in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system will continue; if not, an error message will be written to the system console instead.
For more information on shutdown.allow see the shutdown man page.
Disabling Console Program Access
In order to disable access by users to console programs, you should run this command as root:
rm -f /etc/security/console.apps/*
In environments where the console is otherwise secured (BIOS and LILO passwords are set, -- is disabled, the power and reset switches are disabled, and so forth), you may not want to allow any user at the console to run poweroff, halt, and reboot, which are accessible from the console by default.
To remove these abilities, run the following commands as root:
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot
Disabling All Console Access
The PAM pam_console.so module manages console file permissions and authentication. (See Chapter 8 for more information on configuring PAM.) If you want to disable all console access, including program and file access, comment out all lines that refer to pam_console.so in the /etc/pam.d directory. The following script will do the trick:
cd /etc/pam.d
for i in * ; do
sed '/[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i
done
Defining the Console
The pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0 or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:
=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1
Making Files Accessible From the Console
In /etc/security/console.perms, there is a section with lines like:
=/dev/fd[0-1]* \
/dev/floppy/*
=/dev/dsp* /dev/audio* /dev/midi* \
/dev/mixer* /dev/sequencer \
/dev/sound/*
=/dev/cdrom* /dev/cdwriter*
You can add your own lines to this section, if necessary. Make sure that any lines you add refer to the appropriate device. For example, you could add the following line:
=/dev/sga
(Of course, make sure that /dev/sga is really your scanner and not, say, your hard drive.)
That's the first step. The second step is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to:
0660 0660 root.floppy
0600 0640 root
0600 0600 root.disk
and add a line like:
0600 0600 root
Then, when you log in at the console, you will be given ownership of the /dev/sga device and the permissions will be 0600 (readable and writable by you only). When you log out, the device will be owned by root and still have 0600 (now: readable and writable by root only) permissions.
Enabling Console Access for Other Applications
If you wish to make other applications accessible to console users, you will have to do just a little bit more work.
First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there. After verifying that, do the following steps:
1.Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:
cd /usr/bin
ln -s consolehelper foo
2.Create the file /etc/security/console.apps/foo:
touch /etc/security/console.apps/foo
3.Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to start with a copy of the halt service's PAM configuration file, and then modify the file if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo
Now, when you run /usr/bin/foo, it will call consolehelper, which will authenticate the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper will ask for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it will do precisely what is specified in /etc/pam.d/foo) and then run /usr/sbin/foo
When normal (non-root) users log in to a computer locally, they are given two types of special permissions:
1.They can run certain programs that they would not otherwise be able to run
2.They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would not otherwise be able to access
Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to "win" the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in will own the files.
In contrast, every user who logs in at the console will be allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, the console-accessible programs include halt, poweroff and reboot.
Disabling Shutdown Via Ctrl-Alt-Del
By default, /etc/inittab specifies that your system is set to shutdown and reboot the system in response to a -- key combination used at the console. If you'd like to completely disable this ability, you will need to comment out the following line in /etc/inittab:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Alternatively, you may just want to allow certain non-root users the right to shutdown the system from the console using --. You can restrict this privilege to certain users, by taking the following steps:
1.Add a -a option to the /etc/inittab line shown above, so that it reads:
ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now
The -a flag tells shutdown to look for the /etc/shutdown.allow file, which you'll create in the next step.
2.Create a file named shutdown.allow in /etc. The shutdown.allow file should list the usernames of any users who are allowed to shutdown the system using --. The format of the /etc/shutdown.allow file is a list of usernames, one per line, like the following:
stephen
jack
sophie
According to this example shutdown.allow file, stephen, jack, and sophie are allowed to shutdown the system from the console using --. When that key combination is used, the shutdown -a in /etc/inittab checks to see if any of the users in /etc/shutdown.allow (or root) are logged in on a virtual console. If one of them is, the shutdown of the system will continue; if not, an error message will be written to the system console instead.
For more information on shutdown.allow see the shutdown man page.
Disabling Console Program Access
In order to disable access by users to console programs, you should run this command as root:
rm -f /etc/security/console.apps/*
In environments where the console is otherwise secured (BIOS and LILO passwords are set, -- is disabled, the power and reset switches are disabled, and so forth), you may not want to allow any user at the console to run poweroff, halt, and reboot, which are accessible from the console by default.
To remove these abilities, run the following commands as root:
rm -f /etc/security/console.apps/poweroff
rm -f /etc/security/console.apps/halt
rm -f /etc/security/console.apps/reboot
Disabling All Console Access
The PAM pam_console.so module manages console file permissions and authentication. (See Chapter 8 for more information on configuring PAM.) If you want to disable all console access, including program and file access, comment out all lines that refer to pam_console.so in the /etc/pam.d directory. The following script will do the trick:
cd /etc/pam.d
for i in * ; do
sed '/[^#].*pam_console.so/s/^/#/' < $i > foo && mv foo $i
done
Defining the Console
The pam_console.so module uses the /etc/security/console.perms file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
When users log in, they are attached to some sort of named terminal, either an X server with a name like :0 or mymachine.example.com:1.0 or a device like /dev/ttyS0 or /dev/pts/2. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port /dev/ttyS1 to also be local, you can change that line to read:
Making Files Accessible From the Console
In /etc/security/console.perms, there is a section with lines like:
/dev/floppy/*
/dev/mixer* /dev/sequencer \
/dev/sound/*
You can add your own lines to this section, if necessary. Make sure that any lines you add refer to the appropriate device. For example, you could add the following line:
(Of course, make sure that /dev/sga is really your scanner and not, say, your hard drive.)
That's the first step. The second step is to define what is done with those files. Look in the last section of /etc/security/console.perms for lines similar to:
and add a line like:
Then, when you log in at the console, you will be given ownership of the /dev/sga device and the permissions will be 0600 (readable and writable by you only). When you log out, the device will be owned by root and still have 0600 (now: readable and writable by root only) permissions.
Enabling Console Access for Other Applications
If you wish to make other applications accessible to console users, you will have to do just a little bit more work.
First of all, console access only works for applications which reside in /sbin or /usr/sbin, so the application that you wish to run must be there. After verifying that, do the following steps:
1.Create a link from the name of your application, such as our sample foo program, to the /usr/bin/consolehelper application:
cd /usr/bin
ln -s consolehelper foo
2.Create the file /etc/security/console.apps/foo:
touch /etc/security/console.apps/foo
3.Create a PAM configuration file for the foo service in /etc/pam.d/. An easy way to do this is to start with a copy of the halt service's PAM configuration file, and then modify the file if you want to change the behavior:
cp /etc/pam.d/halt /etc/pam.d/foo
Now, when you run /usr/bin/foo, it will call consolehelper, which will authenticate the user with the help of /usr/sbin/userhelper. To authenticate the user, consolehelper will ask for the user's password if /etc/pam.d/foo is a copy of /etc/pam.d/halt (otherwise, it will do precisely what is specified in /etc/pam.d/foo) and then run /usr/sbin/foo
IPTABLES+SQUID PROXY SETUP
Squid iptables firewall
The following iptables firewall is suited for a dual-homed Squid proxy server. ssh (TCP port 22), squid (TCP port 3128), and ICMP ECHO requests are allowed on the internal (LAN) interface.
Squid is configured to proxy ftp, http, https, and AOL Instant Messenger traffic. In addition, the server is running a caching/forwarding name server and time server and therefore requires therefore requires outgoing UDP port 123 (ntp) and TCP/UDP port 53 (dns).
#!/bin/sh
LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"
# Kernel monitoring support
# More information:
# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
# http://www.linuxgazette.com/book/view/1645
# http://www.spirit.com/Network/net0300.html
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Needed for FTP (specifically, to allow incoming ftp-data connections)
/sbin/modprobe ip_conntrack_ftp
# Flush all chains
$IPTABLES --flush
# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES s
# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state \
--state NEW -j ACCEPT
# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state \
--state NEW -j ACCEPT
# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
--state NEW -j ACCEPT
# Allow ntp synchronization
$IPTABLES -A OUTPUT -o $LAN -p udp --destination-port 123 -m state \
--state NEW -j ACCEPT
# Allow ssh on LAN interface
$IPTABLES -A OUTPUT -o $LAN -p tcp --destination-port 22 -m state \
--state NEW -j ACCEPT
# Allow Squid to proxy ftp, http, https, and AIM traffic
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 5190 -m state \
--state NEW -j ACCEPT
# Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG
$IPTABLES -A LOGDROP -j DROP
# Drop all other traffic
$IPTABLES -A INPUT -j LOGDROP
# Have these rules take effect when iptables is started
/sbin/service iptables save
The following iptables firewall is suited for a dual-homed Squid proxy server. ssh (TCP port 22), squid (TCP port 3128), and ICMP ECHO requests are allowed on the internal (LAN) interface.
Squid is configured to proxy ftp, http, https, and AOL Instant Messenger traffic. In addition, the server is running a caching/forwarding name server and time server and therefore requires therefore requires outgoing UDP port 123 (ntp) and TCP/UDP port 53 (dns).
#!/bin/sh
LAN="eth1"
INTERNET="eth0"
IPTABLES="/sbin/iptables"
# Kernel monitoring support
# More information:
# /usr/src/linux-`uname -r`/Documentation/networking/ip-sysctl.txt
# http://www.linuxgazette.com/book/view/1645
# http://www.spirit.com/Network/net0300.html
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Needed for FTP (specifically, to allow incoming ftp-data connections)
/sbin/modprobe ip_conntrack_ftp
# Flush all chains
$IPTABLES --flush
# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Set default policies
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES s
# Previously initiated and accepted exchanges bypass rule checking
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming port 22 (ssh) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 22 -m state \
--state NEW -j ACCEPT
# Allow incoming port 3128 (squid) connections on LAN interface
$IPTABLES -A INPUT -i $LAN -p tcp --destination-port 3128 -m state \
--state NEW -j ACCEPT
# Allow ICMP ECHO REQUESTS on LAN interface
$IPTABLES -A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
# Allow DNS resolution
$IPTABLES -A OUTPUT -o $INTERNET -p udp --destination-port 53 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 53 -m state \
--state NEW -j ACCEPT
# Allow ntp synchronization
$IPTABLES -A OUTPUT -o $LAN -p udp --destination-port 123 -m state \
--state NEW -j ACCEPT
# Allow ssh on LAN interface
$IPTABLES -A OUTPUT -o $LAN -p tcp --destination-port 22 -m state \
--state NEW -j ACCEPT
# Allow Squid to proxy ftp, http, https, and AIM traffic
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 21 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 80 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 443 -m state \
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNET -p tcp --destination-port 5190 -m state \
--state NEW -j ACCEPT
# Create a LOGDROP chain to log and drop packets
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG
$IPTABLES -A LOGDROP -j DROP
# Drop all other traffic
$IPTABLES -A INPUT -j LOGDROP
# Have these rules take effect when iptables is started
/sbin/service iptables save
Restricting normal users in login in a linux server
Restricting normal users in login in a linux server
We can restrict normal users to login in server using pam. Pam module pam_nologin.so is used for the purpose. configure the /etc/pam.d/login like as shown below.#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_nologin.so file=/etc/nologin
#account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_ck_connector.so
We can restrict normal users to login in server using pam. Pam module pam_nologin.so is used for the purpose. configure the /etc/pam.d/login like as shown below.#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
auth required pam_nologin.so file=/etc/nologin
#account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_ck_connector.so
VSFTPD VIRTUAL USER SETUP
VSFTPD Virtual Users Setup (with individual FTP home directories)
STEP 1: Install Required packages:
pam (installed by default)
db4 (db4 is my version and was installed by default)
vsftpd
compat-db (this is the package name on fedora which provides the binary db42_load)
Check if the 'db' package is installed
[root@mysystem vsftpd]# rpm -qa | grep -i db
If the db4 package is not installed, do it:
[root@mysystem vsftpd]# yum install db4
The package compat-db will give us the db42_load binary used to build the virtual username/password db file
[root@mysystem vsftpd]# yum install compat-db
[root@mysystem vsftpd]# yum install vsftpd
Can't find dbXX_load binary? check the locations of the files in this package
[root@mysystem vsftpd]# rpm -ql compat-db
STEP 2: Configure PAM
Confirm existance/location of the file /lib/security/pam_userdb.so
[root@mysystem vsftpd]# rpm -ql pam | grep pam_userdb.so
[root@mysystem vsftpd]# vi /etc/pam.d/vsftpd
(I EDITED THE FILE TO LOOK LIKE THIS:)
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include system-auth
#account include system-auth
#session include system-auth
#session required pam_loginuid.so
(note: I had to comment out the bottom 6 lines to get the pam_userdb authentication to succeed for ftp logins. With them not commented out, authentication of known good users failed)
STEP 3: Create system user for vsftpd.conf (this is basically a dummy user, not logged into directly via FTP)
[root@mysystem vsftpd]# adduser -d /home/virtualftp/ virtualftp
STEP 4: Configure vsftpd for virtual users
[root@mysystem vsftpd]# cd /etc/vsftpd
[root@mysystem vsftpd]# vi vsftpd.conf
(HERE IS MY vsftpd.conf FILE MINUS DEFAULT COMMENTS:)
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# Virtual users will be logged into /home/virtualftp/[username]/
user_sub_token=$USER
local_root=/home/virtualftp/$USER
guest_enable=YES
guest_username=virtualftp
# Umask applied for virtual users and anon
anon_umask=0022
# Allows uploading by virtual users
anon_upload_enable=YES
# Allows creation of directories by virtual users
anon_mkdir_write_enable=YES
# Allows deletion of files and directories by virtual users
anon_other_write_enable=YES
Now start up vsftpd (which is configured to run stand-alone in my config file):
[root@mysystem vsftpd]# vsftpd
STEP 5: Setup virtual FTP usernames and their passwords
[root@mysystem vsftpd]# vi /etc/vsftpd/vsftpd_users.txt
(FORMAT OF THE FILE:)
username1
passwordforusername1
username2
passwordforusername2
username3
passwordforusername3
Now we create the DB4 formatted username/password file from the plain text vsftpd_users.txt file that will be used by pam_userdb.so:
[root@mysystem vsftpd]# rm /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# chmod 600 /etc/vsftpd/vsftpd_users.db /etc/vsftpd/vsftpd_users.txt
STEP 6: Create directories for each virtual FTP user
[root@mysystem vsftpd]# mkdir -p /home/virtualftp/username1
STEP 7: Test an FTP virtual user login
[root@mysystem vsftpd]# ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): username1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX
Using binary mode to transfer files.
ftp>
Troubleshooting
If there are problems logging in with a virtual ftp user, check /var/log/secure FIRST!
[root@mysystem vsftpd]# tail -f /var/log/secure
Mar 2 15:07:04 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testing rhost=mysystem.cluster
Mar 2 15:07:04 mysystem vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user testing
Mar 2 15:08:32 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:11:15 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234' granted access
Mar 2 15:12:36 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user01234567890123456789012345' granted access
Mar 2 15:13:43 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user012345678901234567890123456' granted access
Mar 2 15:14:51 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234567' granted access
I found a few times, which can be seen in the real log files above, that the vsftpd_users.db file was not correctly recreated with the db42_load command over the top of an existing vsftpd_users.db file. To resolve this, I simply remove the current vsftpd_users.db file and recreate the file from scratch with the db42_load.
[root@mysystem vsftpd]# strings /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
STEP 1: Install Required packages:
pam (installed by default)
db4 (db4 is my version and was installed by default)
vsftpd
compat-db (this is the package name on fedora which provides the binary db42_load)
Check if the 'db' package is installed
[root@mysystem vsftpd]# rpm -qa | grep -i db
If the db4 package is not installed, do it:
[root@mysystem vsftpd]# yum install db4
The package compat-db will give us the db42_load binary used to build the virtual username/password db file
[root@mysystem vsftpd]# yum install compat-db
[root@mysystem vsftpd]# yum install vsftpd
Can't find dbXX_load binary? check the locations of the files in this package
[root@mysystem vsftpd]# rpm -ql compat-db
STEP 2: Configure PAM
Confirm existance/location of the file /lib/security/pam_userdb.so
[root@mysystem vsftpd]# rpm -ql pam | grep pam_userdb.so
[root@mysystem vsftpd]# vi /etc/pam.d/vsftpd
(I EDITED THE FILE TO LOOK LIKE THIS:)
#%PAM-1.0
session optional pam_keyinit.so force revoke
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
#auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
#auth required pam_shells.so
#auth include system-auth
#account include system-auth
#session include system-auth
#session required pam_loginuid.so
(note: I had to comment out the bottom 6 lines to get the pam_userdb authentication to succeed for ftp logins. With them not commented out, authentication of known good users failed)
STEP 3: Create system user for vsftpd.conf (this is basically a dummy user, not logged into directly via FTP)
[root@mysystem vsftpd]# adduser -d /home/virtualftp/ virtualftp
STEP 4: Configure vsftpd for virtual users
[root@mysystem vsftpd]# cd /etc/vsftpd
[root@mysystem vsftpd]# vi vsftpd.conf
(HERE IS MY vsftpd.conf FILE MINUS DEFAULT COMMENTS:)
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# Virtual users will be logged into /home/virtualftp/[username]/
user_sub_token=$USER
local_root=/home/virtualftp/$USER
guest_enable=YES
guest_username=virtualftp
# Umask applied for virtual users and anon
anon_umask=0022
# Allows uploading by virtual users
anon_upload_enable=YES
# Allows creation of directories by virtual users
anon_mkdir_write_enable=YES
# Allows deletion of files and directories by virtual users
anon_other_write_enable=YES
Now start up vsftpd (which is configured to run stand-alone in my config file):
[root@mysystem vsftpd]# vsftpd
STEP 5: Setup virtual FTP usernames and their passwords
[root@mysystem vsftpd]# vi /etc/vsftpd/vsftpd_users.txt
(FORMAT OF THE FILE:)
username1
passwordforusername1
username2
passwordforusername2
username3
passwordforusername3
Now we create the DB4 formatted username/password file from the plain text vsftpd_users.txt file that will be used by pam_userdb.so:
[root@mysystem vsftpd]# rm /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# chmod 600 /etc/vsftpd/vsftpd_users.db /etc/vsftpd/vsftpd_users.txt
STEP 6: Create directories for each virtual FTP user
[root@mysystem vsftpd]# mkdir -p /home/virtualftp/username1
STEP 7: Test an FTP virtual user login
[root@mysystem vsftpd]# ftp localhost
Connected to localhost.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (localhost:root): username1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX
Using binary mode to transfer files.
ftp>
Troubleshooting
If there are problems logging in with a virtual ftp user, check /var/log/secure FIRST!
[root@mysystem vsftpd]# tail -f /var/log/secure
Mar 2 15:07:04 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Mar 2 15:07:04 mysystem vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=testing rhost=mysystem.cluster
Mar 2 15:07:04 mysystem vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user testing
Mar 2 15:08:32 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'testing' granted access
Mar 2 15:11:15 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234' granted access
Mar 2 15:12:36 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user01234567890123456789012345' granted access
Mar 2 15:13:43 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user012345678901234567890123456' granted access
Mar 2 15:14:51 mysystem vsftpd: pam_userdb(vsftpd:auth): user 'user0123456789012345678901234567' granted access
I found a few times, which can be seen in the real log files above, that the vsftpd_users.db file was not correctly recreated with the db42_load command over the top of an existing vsftpd_users.db file. To resolve this, I simply remove the current vsftpd_users.db file and recreate the file from scratch with the db42_load.
[root@mysystem vsftpd]# strings /etc/vsftpd/vsftpd_users.db
[root@mysystem vsftpd]# db42_load -T -t hash -f /etc/vsftpd/vsftpd_users.txt /etc/vsftpd/vsftpd_users.db
Plaggubale Authentication Modules
LINUX PAM
What is authentication ?
Program which grant user access to system verify each users identity though a process called authentication. Each program have its own way of authentication. Under linux many programs are configured to use a centralized authentication mechanism
called pluggable authentication modules.
Advantage of using PAM
1.It provide common authentication scheme that can used with wide verity of application.
2.It provide large amount of flexibility for both system administrators and developers.
3.It allows application developers to develop program with out creating their own authentication scheme.
LOCATION OF CONFIGURATION FILE
Location of configuration files is in /etc/pam.d/. In older versions pam configuration is in /etc/pam.conf.
Each pam aware application must have an entry in /etc/pam.d/.
EG: Login program must have an entry in /etc/pam.d/ directory.
PAM CONFIGURATION FILE FORMAT
PAM configuration file contain a group of
directive as follows.
(module interface)( control flag)(module name)(module arguments)
MODULE INTERFACE
These are all four type of pam module interface which correlates four type authentications process.
AUTH
This module is responsible for asking a password and verify the validity of a password. It can also set confidence for group membership of kerberos tickets.
ACCOUNT
This module interface verify the access is allowed.
eg: It check whether the account is expired or it is allowed to login in particular time of day.
PASSWORD
This module interface set and verify password.
SESSION
This module interface configures and manages user sessions. Modules using with this interface can also perform additional task that are needed to allow access ie mounting users home directory and making users mail box available.
NOTE: An individual module can be used with any or all the modules.
that is pam_unix.so can be uesd with all of the four interfaces.
Module interface directive can be stacked. When module inter face are used in pam configuration file the use of each module is available like a stack,that is first in last out. When multiple modules are ued for one purpose the order in which module interface are used are very important.
CONTROL FLAG
All pam modules generates a success or failure when it is called. Control flag tells pam what to do with the result. Since modules
are stacked in particular order control flag decides how important is the success or failure of a particular module in overall rule of authenticating a service to the user.
There are four predefined control flag
1.required
2.requisite
3.sufficient
4.optional
Required
The module result must be successful to authentication to continue. If a required module results fails the user is notified until results on all module referencing that interface are completed.
Requisite
This module result must be successful to continue. However the requisite module fails the user is notified with message reflecting the first failed required or requisite module.
sufficient
The module result must be ignored it fails. However a sufficient flagged module result is successful no required flagged result are failed then no other result are required an user is authenticated to the service.
optional
This module result is ignored. A module result is only become
necessary for successful authentication when there is no other module referencing the that interface.
Module name
In older pam configuration file module must be specified in absolute path naming. eg: /lib/security/pam_stack.so. In the newer system only module name must be specified in pam configuration file.
Modules location
Location of pam modules is in /lib/security/.
Module argument
We can pass arguments to used pam modules in pam configuration module. That is pam_userdb.so module uses secrets with in Berkeleydb file to authenticate the user. Berkeleydb file is an open source database system which is embedded in many application. The above mentioned module take db arguments. db=path to files.
Pam error messages
All the pam module report error messages in /var/log/messages.
AVILABLE MODULES
1.pam_access.so
The pam_access.so module is a acces control module. It can be used with the module interface account. It requires the configuration file /etc/security/access.conf. When the pam_access module is invoked, the /etc/security/access.conf file is searched for the first entry that matches the username and tty or hostname pair. If no match is found, then access is granted.
FIELDS IN /etc/security/access.conf
Each login access control line in /etc/security/access.conf has
three fields separated by a symbol : .
permission:user/group:origins ( in case of non networked login)
permission field may be a symbol + or - . + symbol indicate that the access is granted. - symbol indicate that access is denied.
second field is the user/group field which may be one or more login names group name or ALL. It should be noted that group entries should be written in ( ).
Third field is a list of one or more tty names hostname domainnames(begin with “.”). or internet network number(end with “ . “) .
The wild card ALL or LOCAL may also used.
Sample /etc/security/access.conf File
1. # access.conf file
2. -:ALL:.evil.com .spam.org
3. -:ALL EXCEPT root: tty1
4. +:ALL EXCEPT root:172.17.
5. +:wheel paul:leghorn
6.-:ALL:ALL
Now simply add the line
account required /lib/security/pam_securitty.so
Example of adding pam_access to the /etc/pam.d/login File
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
account required /lib/security/pam_access.so
password required /lib/security/pam_cracklib.so minlen=20
retry=3 type=SECRET
password required /lib/security/pam_pwdb.so md5 use_authtok
session required /lib/security/pam_pwdb.so
Any attempted access from a denied location will result in a Permission denied error message, as shown in Example 5-23, where Paul attempts to log in at the console.All failed attempts due to pam_access are logged in /var/log/messages by default. See Chapter 8 for further information about log files.
PAM_CRACKLIB.SO
PAM_CRACKLIB.SO
In order to improve the security of standard reusable password tell us the users to require to change the password regularly,enforce minimum length and good rules for new passwords,and even keep the history of user passwords so that users don't repeat their passwords.
Enabling pam_cracklib.so
pam_cracklib.so module is enabled in pam configuration file ie in Debian systems /etc/pam.d/common-password,in RedHat linux system it is in /etc/pam.d/system-auth. Tipical configuration file look like this
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so md5 use_authtok
The first line enables the pam_cracklib module and set several parameters.
retry=3 means user get three chances to pick a good password before the password program exit. minlen=6 set minimum characters in password.
diffok=3 set the minimum number of characters that must be different from the previous password. If you increase the value of minimum length you must also increase the value of difok.
What is authentication ?
Program which grant user access to system verify each users identity though a process called authentication. Each program have its own way of authentication. Under linux many programs are configured to use a centralized authentication mechanism
called pluggable authentication modules.
Advantage of using PAM
1.It provide common authentication scheme that can used with wide verity of application.
2.It provide large amount of flexibility for both system administrators and developers.
3.It allows application developers to develop program with out creating their own authentication scheme.
LOCATION OF CONFIGURATION FILE
Location of configuration files is in /etc/pam.d/. In older versions pam configuration is in /etc/pam.conf.
Each pam aware application must have an entry in /etc/pam.d/.
EG: Login program must have an entry in /etc/pam.d/ directory.
PAM CONFIGURATION FILE FORMAT
PAM configuration file contain a group of
directive as follows.
(module interface)( control flag)(module name)(module arguments)
MODULE INTERFACE
These are all four type of pam module interface which correlates four type authentications process.
AUTH
This module is responsible for asking a password and verify the validity of a password. It can also set confidence for group membership of kerberos tickets.
ACCOUNT
This module interface verify the access is allowed.
eg: It check whether the account is expired or it is allowed to login in particular time of day.
PASSWORD
This module interface set and verify password.
SESSION
This module interface configures and manages user sessions. Modules using with this interface can also perform additional task that are needed to allow access ie mounting users home directory and making users mail box available.
NOTE: An individual module can be used with any or all the modules.
that is pam_unix.so can be uesd with all of the four interfaces.
Module interface directive can be stacked. When module inter face are used in pam configuration file the use of each module is available like a stack,that is first in last out. When multiple modules are ued for one purpose the order in which module interface are used are very important.
CONTROL FLAG
All pam modules generates a success or failure when it is called. Control flag tells pam what to do with the result. Since modules
are stacked in particular order control flag decides how important is the success or failure of a particular module in overall rule of authenticating a service to the user.
There are four predefined control flag
1.required
2.requisite
3.sufficient
4.optional
Required
The module result must be successful to authentication to continue. If a required module results fails the user is notified until results on all module referencing that interface are completed.
Requisite
This module result must be successful to continue. However the requisite module fails the user is notified with message reflecting the first failed required or requisite module.
sufficient
The module result must be ignored it fails. However a sufficient flagged module result is successful no required flagged result are failed then no other result are required an user is authenticated to the service.
optional
This module result is ignored. A module result is only become
necessary for successful authentication when there is no other module referencing the that interface.
Module name
In older pam configuration file module must be specified in absolute path naming. eg: /lib/security/pam_stack.so. In the newer system only module name must be specified in pam configuration file.
Modules location
Location of pam modules is in /lib/security/.
Module argument
We can pass arguments to used pam modules in pam configuration module. That is pam_userdb.so module uses secrets with in Berkeleydb file to authenticate the user. Berkeleydb file is an open source database system which is embedded in many application. The above mentioned module take db arguments. db=path to files.
Pam error messages
All the pam module report error messages in /var/log/messages.
AVILABLE MODULES
1.pam_access.so
The pam_access.so module is a acces control module. It can be used with the module interface account. It requires the configuration file /etc/security/access.conf. When the pam_access module is invoked, the /etc/security/access.conf file is searched for the first entry that matches the username and tty or hostname pair. If no match is found, then access is granted.
FIELDS IN /etc/security/access.conf
Each login access control line in /etc/security/access.conf has
three fields separated by a symbol : .
permission:user/group:origins ( in case of non networked login)
permission field may be a symbol + or - . + symbol indicate that the access is granted. - symbol indicate that access is denied.
second field is the user/group field which may be one or more login names group name or ALL. It should be noted that group entries should be written in ( ).
Third field is a list of one or more tty names hostname domainnames(begin with “.”). or internet network number(end with “ . “) .
The wild card ALL or LOCAL may also used.
Sample /etc/security/access.conf File
1. # access.conf file
2. -:ALL:.evil.com .spam.org
3. -:ALL EXCEPT root: tty1
4. +:ALL EXCEPT root:172.17.
5. +:wheel paul:leghorn
6.-:ALL:ALL
Now simply add the line
account required /lib/security/pam_securitty.so
Example of adding pam_access to the /etc/pam.d/login File
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
account required /lib/security/pam_access.so
password required /lib/security/pam_cracklib.so minlen=20
retry=3 type=SECRET
password required /lib/security/pam_pwdb.so md5 use_authtok
session required /lib/security/pam_pwdb.so
Any attempted access from a denied location will result in a Permission denied error message, as shown in Example 5-23, where Paul attempts to log in at the console.All failed attempts due to pam_access are logged in /var/log/messages by default. See Chapter 8 for further information about log files.
PAM_CRACKLIB.SO
PAM_CRACKLIB.SO
In order to improve the security of standard reusable password tell us the users to require to change the password regularly,enforce minimum length and good rules for new passwords,and even keep the history of user passwords so that users don't repeat their passwords.
Enabling pam_cracklib.so
pam_cracklib.so module is enabled in pam configuration file ie in Debian systems /etc/pam.d/common-password,in RedHat linux system it is in /etc/pam.d/system-auth. Tipical configuration file look like this
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so md5 use_authtok
The first line enables the pam_cracklib module and set several parameters.
retry=3 means user get three chances to pick a good password before the password program exit. minlen=6 set minimum characters in password.
diffok=3 set the minimum number of characters that must be different from the previous password. If you increase the value of minimum length you must also increase the value of difok.
Block Non root user from shutdown the system
Prevent a non-root user from shutting down or rebooting the system
To prevent all non-root users from using the shutdown, reboot or halt commands, do the following :
1. In the file /etc/X11/gdm/gdm.conf , change the line that reads :
SystemMenu=true
to
SystemMenu=false
2. In the file /etc/inittab, change the line that reads :
ca:ctrlaltdel:/sbin/shutdown -t3 -r now
to
ca:ctrlaltdel:echo "You are not authorized to turn off the machine"
3. In the directory /etc/security/console.apps/, delete the file reboot, poweroff and halt.
4. Remove the file /usr/bin/poweroff
To prevent all non-root users from using the shutdown, reboot or halt commands, do the following :
1. In the file /etc/X11/gdm/gdm.conf , change the line that reads :
SystemMenu=true
to
SystemMenu=false
2. In the file /etc/inittab, change the line that reads :
ca:ctrlaltdel:/sbin/shutdown -t3 -r now
to
ca:ctrlaltdel:echo "You are not authorized to turn off the machine"
3. In the directory /etc/security/console.apps/, delete the file reboot, poweroff and halt.
4. Remove the file /usr/bin/poweroff
SquirrelMail Installation from Source
SquirrelMail
# wget http://sourceforge.net/projects/squirrelmail/files/stable/1.4.20/squirrelmail-1.4.20.tar.bz2/download
# tar xvjf /squirrelmail-1.4.20.tar.bz2/
# mv /squirrelmail-1.4.20 /varwww/html
#chown -R apache:apache /var/www/html/ squirrelmail-1.4.20
# cd /var/www/html/ squirrelmail-1.4.20
# cd /var/www/html
# mv squirrelmail-1.4.20 webmail
# cd webmail
# mkdir -p /var/local/squirrelmail
# mv -i data/ /var/local/squirrelmail/
# chown -R apache.apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
# chown -R apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
# chgrp -R apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
Data directory inside the above location is to moved to some whare else, Because squirrel mail maintains uplodaed data in this directory.
# cd /var/www/html/ webmail/config
# ./conf.pl
Select the option 2
and enter like given below
1. Domain : ip address of the server
2. Invert Time : false
3. Sendmail or SMTP : Sendmail
A. Update IMAP Settings : localhost:143 (courier )
B. Change Sendmail Config : /usr/sbin/sendmail
Save and return to previous menu
From the main menu select the option 4 general options and change the following settings.
1. Data Directory : /var/www/html/squirrelmail-1.4.20/data/ // This is optional
2.Attachment Directory : $data_dir/ // This is optional
Save and return to previous menu
Add The virtualhost in apache.
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/html/webmail
ServerName www.test.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
# service httpd restart
#/etc/init.d/imapd.rc restart
In the browser enter localhost/webmail
# wget http://sourceforge.net/projects/squirrelmail/files/stable/1.4.20/squirrelmail-1.4.20.tar.bz2/download
# tar xvjf /squirrelmail-1.4.20.tar.bz2/
# mv /squirrelmail-1.4.20 /varwww/html
#chown -R apache:apache /var/www/html/ squirrelmail-1.4.20
# cd /var/www/html/ squirrelmail-1.4.20
# cd /var/www/html
# mv squirrelmail-1.4.20 webmail
# cd webmail
# mkdir -p /var/local/squirrelmail
# mv -i data/ /var/local/squirrelmail/
# chown -R apache.apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
# chown -R apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
# chgrp -R apache /var/local/squirrelmail/attach/ /var/local/squirrelmail/data/
Data directory inside the above location is to moved to some whare else, Because squirrel mail maintains uplodaed data in this directory.
# cd /var/www/html/ webmail/config
# ./conf.pl
Select the option 2
and enter like given below
1. Domain : ip address of the server
2. Invert Time : false
3. Sendmail or SMTP : Sendmail
A. Update IMAP Settings : localhost:143 (courier )
B. Change Sendmail Config : /usr/sbin/sendmail
Save and return to previous menu
From the main menu select the option 4 general options and change the following settings.
1. Data Directory : /var/www/html/squirrelmail-1.4.20/data/ // This is optional
2.Attachment Directory : $data_dir/ // This is optional
Save and return to previous menu
Add The virtualhost in apache.
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/html/webmail
ServerName www.test.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common
# service httpd restart
#/etc/init.d/imapd.rc restart
In the browser enter localhost/webmail
Thursday, July 29, 2010
SENDMAIL LOGGING
SENDMAIL [ SYSLOG]
How does syslog determine where to send the log files for sendmail ?
catting the out put of mail in syslog in sles is shown below.
# grep -i mail /etc/syslog.conf
mail.* - /var/log/mail
mail.info - /var/log/mail.info
mail.warning - /var/log/mail.warn
mail.err - /var/log/mail.err
*.*,mail.none,news.none - /var/log/messages
Explanation:-
In general syslog entry in linux and unix servers are in the following form.
Facility.level -
Facility is mail in syslog.conf
level may be one of the 0 to 8 ie (debug-emergency)
mail.* in syslog.conf indicate that all the levels.
NOTE: debug produces more messages and enmergency produces less messages.
Debug level creates lots of disk IO.
System log setup with sendmail is each line conatain atleast two lines.
First line acknowledges the receive of the message and second lne correcsponds to the delivery attempts.
Example are gievn below.
Recieving of message from the mail user agent
Jun 2 11:42:13 pc1 sendmail[6484]: o526C9vA006484: from=root, size=6, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, relay=root@localhost
Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: from=, size=262, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Delivery of the message
Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: to=, ctladdr= (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30262, dsn=2.0.0, stat=Sent
Jun 2 11:42:22 pc1 sendmail[6484]: o526C9vA006484: to=root, ctladdr=root (0/0), delay=00:00:13, xdelay=00:00:09, mailer=relay, pri=30006, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (o526CD0Q006500 Message accepted for delivery).
How does syslog determine where to send the log files for sendmail ?
catting the out put of mail in syslog in sles is shown below.
# grep -i mail /etc/syslog.conf
mail.* - /var/log/mail
mail.info - /var/log/mail.info
mail.warning - /var/log/mail.warn
mail.err - /var/log/mail.err
*.*,mail.none,news.none - /var/log/messages
Explanation:-
In general syslog entry in linux and unix servers are in the following form.
Facility.level -
Facility is mail in syslog.conf
level may be one of the 0 to 8 ie (debug-emergency)
mail.* in syslog.conf indicate that all the levels.
NOTE: debug produces more messages and enmergency produces less messages.
Debug level creates lots of disk IO.
System log setup with sendmail is each line conatain atleast two lines.
First line acknowledges the receive of the message and second lne correcsponds to the delivery attempts.
Example are gievn below.
Recieving of message from the mail user agent
Jun 2 11:42:13 pc1 sendmail[6484]: o526C9vA006484: from=root, size=6, class=0, nrcpts=1, msgid=<201006020612.o526C9vA006484@pc1.test.com>, relay=root@localhost
Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: from=
Delivery of the message
Jun 2 11:42:22 pc1 sm-mta[6500]: o526CD0Q006500: to=
Jun 2 11:42:22 pc1 sendmail[6484]: o526C9vA006484: to=root, ctladdr=root (0/0), delay=00:00:13, xdelay=00:00:09, mailer=relay, pri=30006, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (o526CD0Q006500 Message accepted for delivery).
RESTRICTING MESSAGE SIZE IN SENDMAIL
RESTRICTING MESSAGE SIZE
Go to /data/sendmail-8.14.0/cf/cf
# vi sendmial.mc
insert the following line
define(`confMAX_MESSAGE_SIZE', `4096') // mAXIMUM MESSAGE SIZE IN coming toTHE SERVER IS RESTRICTED TO 4k
# cp sendmail.cf /etc/mail
# grep ^o /etc/smail/sendmail.cf
The output should conatin the following line.
MaxMessageSize=4096
Go to /data/sendmail-8.14.0/cf/cf
# vi sendmial.mc
insert the following line
define(`confMAX_MESSAGE_SIZE', `4096') // mAXIMUM MESSAGE SIZE IN coming toTHE SERVER IS RESTRICTED TO 4k
# cp sendmail.cf /etc/mail
# grep ^o /etc/smail/sendmail.cf
The output should conatin the following line.
MaxMessageSize=4096
CLAMAV INSTALLATION ON OpenSuse 11
CLAMAV INSTALLATION
# cd /data
# cd clamav
# tar xvzf clamav-0.96.1.tar.gz
# cd clamav
# groupadd clamav
# useradd -g clamav clamav
# ./configure
#make
# make install
# cd /usr/local/etc/
# vi clamd.conf
comment out the line Example.
#Example
uncomment the line
LocalSocket /tmp/clamd.socket
:wq //save the file
# vi freshclam.conf
Comment out the line Example
# Example
:wq //Save the file.
# touch /var/log/freshclam.log
# chmod 600 /var/log/freshclam.log
#chown clamav /var/log/freshclam.log
# which freshclam // This is the utility responsible for updating clam.
The output should be:
/usr/local/bin/freshclam
Run the following
# ldconfig
# freshclam // This command is for updating clamd
# clamscan
# clamd start
# ps -ax | grep clam
The output should be:
# ps -ax | grep clam
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
3981 ? Ssl 0:00 clamd start
4010 pts/0 R+ 0:00 grep clam
# freshclam // This option is mainly used for the updating clamav.
# which freshclam
The log file for the fresh clam process is
# ls -l /var/log/freshclam.log
Run the freshclam process in dialy basis in cron.
# cd /data
# cd clamav
# tar xvzf clamav-0.96.1.tar.gz
# cd clamav
# groupadd clamav
# useradd -g clamav clamav
# ./configure
#make
# make install
# cd /usr/local/etc/
# vi clamd.conf
comment out the line Example.
#Example
uncomment the line
LocalSocket /tmp/clamd.socket
:wq //save the file
# vi freshclam.conf
Comment out the line Example
# Example
:wq //Save the file.
# touch /var/log/freshclam.log
# chmod 600 /var/log/freshclam.log
#chown clamav /var/log/freshclam.log
# which freshclam // This is the utility responsible for updating clam.
The output should be:
/usr/local/bin/freshclam
Run the following
# ldconfig
# freshclam // This command is for updating clamd
# clamscan
# clamd start
# ps -ax | grep clam
The output should be:
# ps -ax | grep clam
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
3981 ? Ssl 0:00 clamd start
4010 pts/0 R+ 0:00 grep clam
# freshclam // This option is mainly used for the updating clamav.
# which freshclam
The log file for the fresh clam process is
# ls -l /var/log/freshclam.log
Run the freshclam process in dialy basis in cron.
Thursday, July 8, 2010
SAMBA PRIMARY DOMAIN CNROLLER
AMABA PDC
1.It removes duplicate users and group from each stand alone server.
2.Coupled with Microsoft's networking facility that allows a user to log in to her local workstation via a domain account
ADVANTAGES AND DISADVANTAGES
1.Samba 3.0 can act as a Windows NT 4.0 domain controller
2.It does not implement the Windows System Account Manager (SAM) replication protocol
3.This means that it cannot participate as a domain controller with Windows DCs in either an NT 4.0 or mixed-mode Active Directory domain.
ENTER THE FOLLOWING CONFIIGURATION IN TO /etc/samba/smb.conf.
# mkdir -p /data/public
# mkdir -p /data/netlogon
# vi /etc/samba/smb.conf
[global]
netbios name = SERVER1
workgroup = SUPPORT
security = user
encrypt passwords = yes
// enable PDC functionality
domain master = yes
domain logons = yes
os level = 33 //
preferred master = yes // DC act as local master browser
local master = yes //
[public]
path = /data/public
read only = no
[netlogon] // emulates the NETLOGON service on Windows domain controller
comment = Net Logon service
path = /data/netlogon
read only = yes // share is read only
write list = +ntadmin // includes the ntadmin group in the write list
Save the file
Wait approximately one minute for nmbd to complete its name registration process.
Run the following command.
// Enabling the domain master parameter in the global section of smb.conf causes nmbd to register the DOMAIN<0x1b> name (ORA<0x1b> in our example). This name is used by Windows clients to locate the PDC for a domain. When searching for any domain controller, not necessarily just the PDC, a Windows client attempts to resolve the DOMAIN<0x1c> name. You can instruct nmbd to register this name (e.g., ORA<0x1c>) by setting the domain logons option in smb.conf.
# nmblookup 'SUPPORT#1b' 'SUPPORT#1c'
The output should be:
querying SUPPORT on 192.168.1.255
192.168.1.2 SUPPORT<1b>
querying SUPPORT on 192.168.1.255
192.168.1.2 SUPPORT<1c>
Also verify the nmbd log file.
# tail -f /var/log/samba/nmbd.log
The output is:
[2010/07/08 21:53:53, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
*****
Samba name server STROK is now a local master browser for workgroup SUPPORT on subnet 192.168.1.12
become_logon_server_success: Samba is now a logon server for workgroup SUPPORT on subnet 192.168.1.12
*****
2.SETTING UP WINDOWS CLIENT ACCOUNT ON THE SAMBA DC
On joining a domain client establishes a password known to its self and to the domain controller. This password is called the machine trust account password and is used to prove the identity of the computer each time it contacts the DC. Windows 2000 and later require that you provide credentials for an administrative account that can potentially create the new machine account and assign it a random password.
Domain Admins
Domain Admins is a special group in Windows domains. The group's RID is always 512. When a Windows client joins a domain, it adds this domain group to its local Administrators group. The result is that members of Domain Admins automatically gain administrative privileges on all domain members. Samba honors membership in the Domain Admins group as well, by granting all Domain Admins the ability to manage the user rights assignments necessary to authorize users to join hosts to the domain.
# vi /etc/samba/smb.conf
add
the following line to the GLOBAL section
enable privileges = yes
save the file
# service smb restart
In order to create a group mapping entry for this special domain RID, you must first look up the SID of the ORA domain. You must be root for all the command examples in this section
# net getlocalsid SUPPORT
The output is:
SID for domain SUPPORT is: S-1-5-21-2126422966-4252198253-3505372293
Now append the Domain Admins RID to the domain SID and create a group mapping entry for it:
# net groupmap add sid=-S-1-5-21-2126422966-4252198253-3505372293-512 \
ntgroup="Domain Admins" unixgroup=ntadmin
The output is:
Successfully added group Domain Admins to the mapping db
Now all members of the ntadmin Unix group will be seen as domain administrators by both Samba and Windows clients.
1.It removes duplicate users and group from each stand alone server.
2.Coupled with Microsoft's networking facility that allows a user to log in to her local workstation via a domain account
ADVANTAGES AND DISADVANTAGES
1.Samba 3.0 can act as a Windows NT 4.0 domain controller
2.It does not implement the Windows System Account Manager (SAM) replication protocol
3.This means that it cannot participate as a domain controller with Windows DCs in either an NT 4.0 or mixed-mode Active Directory domain.
ENTER THE FOLLOWING CONFIIGURATION IN TO /etc/samba/smb.conf.
# mkdir -p /data/public
# mkdir -p /data/netlogon
# vi /etc/samba/smb.conf
[global]
netbios name = SERVER1
workgroup = SUPPORT
security = user
encrypt passwords = yes
// enable PDC functionality
domain master = yes
domain logons = yes
os level = 33 //
preferred master = yes // DC act as local master browser
local master = yes //
[public]
path = /data/public
read only = no
[netlogon] // emulates the NETLOGON service on Windows domain controller
comment = Net Logon service
path = /data/netlogon
read only = yes // share is read only
write list = +ntadmin // includes the ntadmin group in the write list
Save the file
Wait approximately one minute for nmbd to complete its name registration process.
Run the following command.
// Enabling the domain master parameter in the global section of smb.conf causes nmbd to register the DOMAIN<0x1b> name (ORA<0x1b> in our example). This name is used by Windows clients to locate the PDC for a domain. When searching for any domain controller, not necessarily just the PDC, a Windows client attempts to resolve the DOMAIN<0x1c> name. You can instruct nmbd to register this name (e.g., ORA<0x1c>) by setting the domain logons option in smb.conf.
# nmblookup 'SUPPORT#1b' 'SUPPORT#1c'
The output should be:
querying SUPPORT on 192.168.1.255
192.168.1.2 SUPPORT<1b>
querying SUPPORT on 192.168.1.255
192.168.1.2 SUPPORT<1c>
Also verify the nmbd log file.
# tail -f /var/log/samba/nmbd.log
The output is:
[2010/07/08 21:53:53, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
*****
Samba name server STROK is now a local master browser for workgroup SUPPORT on subnet 192.168.1.12
become_logon_server_success: Samba is now a logon server for workgroup SUPPORT on subnet 192.168.1.12
*****
2.SETTING UP WINDOWS CLIENT ACCOUNT ON THE SAMBA DC
On joining a domain client establishes a password known to its self and to the domain controller. This password is called the machine trust account password and is used to prove the identity of the computer each time it contacts the DC. Windows 2000 and later require that you provide credentials for an administrative account that can potentially create the new machine account and assign it a random password.
Domain Admins
Domain Admins is a special group in Windows domains. The group's RID is always 512. When a Windows client joins a domain, it adds this domain group to its local Administrators group. The result is that members of Domain Admins automatically gain administrative privileges on all domain members. Samba honors membership in the Domain Admins group as well, by granting all Domain Admins the ability to manage the user rights assignments necessary to authorize users to join hosts to the domain.
# vi /etc/samba/smb.conf
add
the following line to the GLOBAL section
enable privileges = yes
save the file
# service smb restart
In order to create a group mapping entry for this special domain RID, you must first look up the SID of the ORA domain. You must be root for all the command examples in this section
# net getlocalsid SUPPORT
The output is:
SID for domain SUPPORT is: S-1-5-21-2126422966-4252198253-3505372293
Now append the Domain Admins RID to the domain SID and create a group mapping entry for it:
# net groupmap add sid=-S-1-5-21-2126422966-4252198253-3505372293-512 \
ntgroup="Domain Admins" unixgroup=ntadmin
The output is:
Successfully added group Domain Admins to the mapping db
Now all members of the ntadmin Unix group will be seen as domain administrators by both Samba and Windows clients.
Virtual domain with sendmail and dovecot
Special Thanks To : BasilKurain.
Virtual hosting with dovecot
# grep dovecot /etc/passwd
The outpu is:
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
# grep dovecot /etc/group
dovecot:x:97:
# grep vmail /etc/passwd
The output is:
blank
# grep vmail /etc/group
The output is:
blank
# groupadd vmail
# useradd vmail -g vmail
# ls /home/ -l
The output is:
drwx------ 6 vmail vmail 4096 Jul 8 16:23 vmail
# touch /var/log/dovecot.log
# touch /var/log/dovecot-info.log
# vi /etc/dovecot.conf
add the following entries
# Remove imaps things if you don’t want them
protocols = imaps
# It’s nice to have separate log files for Dovecot. You could do this
# by changing syslog configuration also, but this is easier.
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
# Disable SSL for now.
ssl = no # v1.2+, for older versions use: ssl_disable = yes
disable_plaintext_auth = no
# We’re using Maildir format
mail_location = maildir:~/Maildir
# If you’re using POP3, you’ll need this:
# pop3_uidl_format = %08Xu%08Xv
# Authentication configuration:
auth_verbose = yes
auth default {
mechanisms = plain
passdb passwd-file {
args = /etc/dovecot/passwd
}
userdb static {
args = uid=vmail gid=vmail home=/home/vmail/%u
}
}
# mkdir /etc/dovecot/
# touch /etc/dovecot/passwd
# chown -R dovecot:dovecot /etc/dovecot
add the following line to
# vi /etc/dovecot/passwd
add this line:
vasanth@tetsing:{PLAIN}redhat
hemanth@testing.com:{PLAIN}redhat
save the file
Take browser
enter
localhost/webmail
username: vasanth@tetsing.com
password: redhat
You can also use
username: hemanth@testing.com
password: redhat
Now virtual domain testing.com is configured in the domain and users vasanth and hemanth are added.
Vasanth.T.M
Virtual hosting with dovecot
# grep dovecot /etc/passwd
The outpu is:
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
# grep dovecot /etc/group
dovecot:x:97:
# grep vmail /etc/passwd
The output is:
blank
# grep vmail /etc/group
The output is:
blank
# groupadd vmail
# useradd vmail -g vmail
# ls /home/ -l
The output is:
drwx------ 6 vmail vmail 4096 Jul 8 16:23 vmail
# touch /var/log/dovecot.log
# touch /var/log/dovecot-info.log
# vi /etc/dovecot.conf
add the following entries
# Remove imaps things if you don’t want them
protocols = imaps
# It’s nice to have separate log files for Dovecot. You could do this
# by changing syslog configuration also, but this is easier.
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
# Disable SSL for now.
ssl = no # v1.2+, for older versions use: ssl_disable = yes
disable_plaintext_auth = no
# We’re using Maildir format
mail_location = maildir:~/Maildir
# If you’re using POP3, you’ll need this:
# pop3_uidl_format = %08Xu%08Xv
# Authentication configuration:
auth_verbose = yes
auth default {
mechanisms = plain
passdb passwd-file {
args = /etc/dovecot/passwd
}
userdb static {
args = uid=vmail gid=vmail home=/home/vmail/%u
}
}
# mkdir /etc/dovecot/
# touch /etc/dovecot/passwd
# chown -R dovecot:dovecot /etc/dovecot
add the following line to
# vi /etc/dovecot/passwd
add this line:
vasanth@tetsing:{PLAIN}redhat
hemanth@testing.com:{PLAIN}redhat
save the file
Take browser
enter
localhost/webmail
username: vasanth@tetsing.com
password: redhat
You can also use
username: hemanth@testing.com
password: redhat
Now virtual domain testing.com is configured in the domain and users vasanth and hemanth are added.
Vasanth.T.M
Wednesday, July 7, 2010
Sendmail cotrolling script
I am posting one useful script to start, stop, restrat sendmail( Source code installation )
#! /bin/sh
case "$1" in
start)
echo "Starting SMTP port. (sendmail)"
/usr/sbin/sendmail -bd -q1h
;;
stop)
echo "Stopping down SMTP port:"
killall /usr/sbin/sendmail
;;
restart|reload)
$0 stop && $0 start
;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac
exit 0
#! /bin/sh
case "$1" in
start)
echo "Starting SMTP port. (sendmail)"
/usr/sbin/sendmail -bd -q1h
;;
stop)
echo "Stopping down SMTP port:"
killall /usr/sbin/sendmail
;;
restart|reload)
$0 stop && $0 start
;;
*)
echo "Usage: $0 {start|stop|restart|reload}"
exit 1
esac
exit 0
Subscribe to:
Comments (Atom)