Linux Internet Web Server and Domain Configuration Tutorial: Prerequisites
Linux Internet Web Server and Domain Configuration Tutorial: Prerequisites
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
Prerequisites:
This tutorial assumes that a computer has Linux installed and running. See RedHat
Installation for the basics. A connection to the internet is also assumed. A connection of
128 Mbits/sec or greater will yield the best results. ISDN, DSL, cable modem or better
are all suitable. A 56k modem will work but the results will be mediocre at best. The
tasks must also be performed with the root user login and password.
Software Prerequisites: The Apache web server (httpd), FTP (requires xinetd or inetd)
and Bind (named) software packages with their dependencies are all required. One can
use the rpm command to verify installation:
A Red Hat 8.0 wu-ftpd RPM may be installed (Newer version 2.6.2 or later with
security fix wu-ftpd-2.6.2-11+) or install from source.
SuSE 9.3:
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
Note: The apache2-MPM is a generic term for Apache installation options for
"Multi-Processing Modules (MPM)s "prefork" or "worker". If you try and only
install apache2 you will get the following error:
One should also have a working knowledge of the Linux init process so that these
services are initiated upon system boot. See the YoLinux init process tutorial for more
info.
This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0). See the YoLinux
list of Linux HTTP servers for a list of other web servers for the Hyper Text Transport
Protocol.
Web pages are served from the directory as configured by the DocumentRoot directive.
The default directory location is:
Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5, CentOS 4/5:
/var/www/html/
Red Hat 6.x and older: /home/httpd/html/
Suse 9.x: /srv/www/htdocs/
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
The default home page for the default configuration is index.html. Note the pages
should not be owned by user apache as this is the process owner of the httpd web
server daemon. If the web server process is comprimised, it should not be allowed to
alter the files. The files should of course be readable by user apache.
Apache may be configured to run as a host for one web site in this fashion or it may be
configured to serve for multiple domains. Serving for multiple domains may be achieved
in two ways:
Virtual hosts: One IP address but multiple domains - "Name based" virtual
hosting.
Multiple IP based virtual hosts: One IP address for each domain - "IP based"
virtual hosting.
The default configuration will allow one to have multiple user accounts under one
domain by using a reference to the user account: http://www.domain.com/~user1/. If no
domain is registered or configured, the IP address may also be used:
http://XXX.XXX.XXX.XXX/~user1/.
[Potential Pitfall] The default umask for directory creation is correct by default but if not
use: chmod 755 /home/user1/public_html
[Potential Pitfall] When creating new "Directory" configuration directives, I found that
placing them by the existing "Directory" directives to be a bad idea. It would not use
the .htaccess file. This was because the statement defining the use of the .htaccess
file was after the "Directory" statement. Previously in RH 6.x the files were separated
and the order was defined a little different. I now place new " Directory" statements
near the end of the file just before the "VirtualHost" statements.
For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the
crowd who like to use pretty point and click tools.
Start/stop/restart script:
o Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop,
restart or status.
i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and
read the configuration files to pick up any changes. To have this script invoked upon
system boot issue the command chkconfig --add httpd. See Linux Init Process
Tutorial for a more complete discussion.
start Start the Apache httpd daemon. Gives an error if it is already running.
stop Stops the Apache httpd daemon.
graceful Gracefully restarts the Apache httpd daemon. If the daemon is not
running, it is started. This differs from a normal restart in that currently
open connections are not aborted.
restart Restarts the Apache httpd daemon. If the daemon is not running, it is
started. This command automatically checks the configuration files as
in configtest before initiating the restart to make sure the daemon
doesn't die.
status Displays a brief status report.
fullstatus Displays a full status report from mod_status. Requires mod_status
enabled on your server and a text-based browser such as lynx
available on your system. The URL used to access the status report
can be set by editing the STATUSURL variable in the script.
configtest Run a configuration file syntax test.
-t
Giving Apache access to the file system: It is prudent to limit Apache's view of the
file system to only those directories necessary. This is done with the directory
statement. Start by denying access to everything, then grant access to the necessary
directories.
<Directory />
Options None
AllowOverride None
</Directory>
Set default location of system web pages and allow access: (Red
Hat/Fedora/CentOS)
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
This will allow users to serve content from their home directories under the
subdirectory "/home/userid/public_html/" by accessing the URL
http://hostname/~userid/
File: /etc/httpd/conf/httpd.conf
LoadModule userdir_module modules/mod_userdir.so
...
...
<IfModule mod_userdir.c>
#UserDir disable - Add comment to this line
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
UserDir public_html # Uncomment this line
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
</IfModule>
...
...
<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
Change to a comment (add "#" at beginning of line) from Fedora Core default
UserDir disable and assign the directory public_html as a web server
accessible directory.
OR
Assign a single user the specific ability to share their directory:
<Directory /home/user1/public_html>
AllowOverride None
order allow,deny
allow from all
Options Indexes Includes FollowSymLinks
</Directory>
Allows the specific user, "user1" only, the ability to serve the directory
/home/user1/public_html/
File permissions: The Apache web server daemon must be able to read your web
pages in order to feed thier contents to the network. Use an appropriate umask
and file protection. This works: chmod ugo+r -R public_html
One may also use groups to control permisions. See the YoLinux tutorial on
managing groups.
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
Ubuntu has broken out the Apache loadable module directives into the directory
/etc/apache2/mods-available/. To enable an Apache module, generate soft
links to the directory /etc/apache2/sites-enabled/ by using the commands
a2enmod/a2dismod to enable/disable Apache modules.
Example:
o [root@node2]# a2enmod
A list of available modules is displayed. Enter "userdir" as the module to
enable.
o Restart Apache with the following command: /etc/init.d/apache2
force-reload
Note: This is the same as manually generating the following two soft links:
o ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-
enabled/userdir.conf
o ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-
enabled/userdir.load
[Potential Pitfall]: If the Apache web server can not access the file you will get the
error "403 Forbidden" "You don't have permission to access file-name on this
server." Note the default permissions on a user directory when first created with
"useradd" are:
You must allow the web server running as user "apache" to access the directory
if it is to display pages held there.
Fix with command: chmod ugo+rx /home/userx
Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security
Enhanced Linux) security policies and context labels.
To view the security context labels applied to your web page files use the
command: ls -Z
SELINUX=disabled
or using the command setenforce 0 to temporarily disable SELinux until the next
reboot.
When using SELinux security features, the security context labels must be added
so that Apache can read your files. The default security context label used is
inherited from the directory for newly created files. Thus a copy ( cp) must be
used and not a move (mv) when placing files in the content directory. Move does
not create a new file and thus the file does not recieve the directory security
context label. The context labels used for the default Apache directories can be
viewed with the command: ls -Z /var/www
The web directories of users (i.e. public_html) should be set with the appropriate
context label (httpd_sys_content_t).
Policy Description
httpd_enable_cgi Allow httpd cgi support.
httpd_enable_homedirs Allow httpd to read home directories.
httpd_ssi_exec
Allow httpd to run SSI executables in the same domain
as system CGI scripts.
Then restart Apache:
Red Hat/Fedora/Suse and all System V init script based Linux systems:
/etc/init.d/httpd restart
Red Hat/Fedora: service httpd restart
Virtual Hosts:
The Apache web server allows one to configure a single computer to represent multiple
websites as if they were on separate hosts. There are two methods available and we
describe the configuration of each. Choose one method for your domain:
Name based virtual host: (most common) A single computer with a single IP
adress supporting multiple web domains. The web browser using the http
protocol, identifies the domain being addressed.
IP based virtual host: The virtual hosts can be configured as a single multi-
homed computer with multiple IP addresses on a single network card, with each
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
A virtual host configuration allows one to host multiple web site domains on one
server. (This is not required for a dedicated linux server which hosts a single web
site.)
NameVirtualHost XXX.XXX.XXX.XXX
<VirtualHost XXX.XXX.XXX.XXX>
ServerName www.your-domain.com - CNAME (bind DNS alias www)
specified in Bind configuration file (/var/named/...)
ServerAlias your-domain.com - Allows requests by domain name
without the "www" prefix.
ServerAdmin [email protected]
DocumentRoot /home/user1/public_html
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log
</VirtualHost>
Notes:
You can specify more than one IP address. i.e. if web server is also being
used as a firewall/gateway and you have an external internet IP address
as well as a local network IP address.
NameVirtualHost XXX.XXX.XXX.XXX
NameVirtualHost 192.168.XXX.XXX
<Directory "/var/www/html">
</Directory>
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /var/www/html
ErrorLog logs/error_log
TransferLog logs/access_log
</VirtualHost>
# Add a VirtualHost definition for your domain which was once the system
default.
<VirtualHost XXX.XXX.XXX.XXX>
ServerName www.your-domain.com
ServerAlias your-domain.com
ServerAdmin [email protected]
DocumentRoot /var/www/html
ErrorLog logs/error_log
TransferLog logs/access_log
</VirtualHost>
...
..
<VirtualHost XXX.XXX.XXX.XXX>
ServerName www.your-domain.com - Note that no aliases are listed
...
...
</VirtualHost>
<VirtualHost XXX.XXX.XXX.XXX>
ServerName your-domain.com
ServerAlias other-domain.com
ServerAlias www.other-domain.com
Redirect permanent / http://www.your-domain.com.com/
</VirtualHost>
...
..
Note:
o See the YoLinux.com Apache "Redirect" Tutorial
More virtual host examples.
When specifying more domains, they may all use the same IP address or some/all may
use their own unique IP address. Specify a "NameVirtualHost" for each IP address.
After the Apache configuration files have been edited, restart the httpd daemon:
/etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu /
Debian)
Ububntu separates out each virtual domain into a separate configuration file held in the
directory /etc/apache2/sites-available/. When the site domain is to become active, a
soft link is created to the directory /etc/apache2/sites-enabled/.
Example: /etc/apache2/sites-available/supercorp
<VirtualHost XXX.XXX.XXX.XXX>
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
ServerName supercorp.com
ServerAlias www.supercorp.com
ServerAdmin webmaster@localhost
DocumentRoot /home/supercorp/public_html/home
<Directory "/">
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /home/supercorp/public_html/home>
Options Indexes FollowSymLinks MultiViews
IndexOptions SuppressLastModified SuppressDescription
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/supercorp.com-error.log
o /etc/init.d/apache2 restart
or
o /etc/init.d/apache2 reload
Also note that Apache modules can also be enabled/disabled with scripts
a2enmod/a2dismod.
Man pages:
One may assign multiple IP addresse to a single network interface. See the
YoLinux networking tutorial: Network Aliasing. Each IP address may then be it's
own virtual server and individual domain. The downside of the "IP based" virtual
host method is that you have to possess multiple/extra IP addresses. This
usually costs more. The standard name based virtual hosting method above is
more popular for this reason.
<VirtualHost *>
ServerAdmin [email protected]
DocumentRoot /home/user0/public_html
</VirtualHost>
<VirtualHost XXX.XXX.XXX.101>
ServerAdmin [email protected]
DocumentRoot /home/user1/public_html
</VirtualHost>
<VirtualHost XXX.XXX.XXX.102>
ServerAdmin [email protected]
DocumentRoot /home/user2/public_html
</VirtualHost>
The default <VirtualHost *> block will be used as the default for all IP
addresses not specified explicitly. This default IP (*) may not work for https
URL's.
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
ScriptAlias:
o Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ "/var/www/cgi-
bin/"
o Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
o Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
o Ubuntu (dapper/hardy) / Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-
bin/"
or
Options +ExecCGI:
<Directory /var/www/cgi-bin>
Options +ExecCGI
</Directory>
The executable program files must have execute privileges, executable by the process
owner (Red Hat 7+/Fedora Core: apache. Older use nobody) under which the httpd
daemon is being run.
The suEXEC feature provides Apache users the ability to run CGI and SSI programs
under user IDs different from the user ID of the calling web-server. Normally, when a
CGI or SSI program executes, it runs as the same user who is running the web server.
NameVirtualHost XXX.XXX.XXX.XXX
<VirtualHost XXX.XXX.XXX.XXX>
ServerName node1.your-domain.com - Allows requests
by domain name without the "www" prefix.
ServerAlias your-domain.com www.your-domain.com - CNAME (alias
www) specified in Bind configuration file (/var/named/...)
ServerAdmin [email protected]
DocumentRoot /home/user1/public_html/your-domain.com
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log
ERROR Pages:
You can specify your own web pages instead of the default Apache error pages:
PHP:
If the appropriate php, perl and httpd RPM's are installed, the default Red Hat Apache
configuration and modules will support PHP content. RPM Packages (RHEL4):
Apache configuration:
...
[PHP]
engine = On
...
...
display_errors = Off
include_path = ".:/php/includes"
...
...
memory_limit = 32M ; Default is typically 8MB which is too low.
...
...
[MySQL]
...
...
mysql.default_host = superserver ; Hostname of the computer
mysql.default_user = dbuser
...
<?php
phpinfo();
?>
OR (older format)
<?
phpinfo();
?>
Test: http://localhost/~user1/test.php
For more info see YoLinux list of PHP information web sites.
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
The Apache web server daemon (httpd) can be started with the command line option "-
f" to specify a unique configuration file for each instance. Configure a unique IP address
for each instance of Apache. See the YoLinux Networking Tutorial to specify multiple IP
addresses for one NIC (Network Interface Card). Use the Apache configuration file
directive Listen XXX.XXX.XXX.XXX, where the IP address is unique for each instance of
Apache.
Adding web site login and password protection: See the YoLinux tutorial on web
site password protection.
Scanning the Apache web log files will not provide meaningfull statistics unless they are
graphed or presented in an easy to read fashion. The following packages to a good job
of presenting site statistics.
eXTReMe Tracking
Apache Links:
CgiWrap - setuid wrapper that allows users to install and execute their own cgi
scripts that get executed as their own userid
Thumbprint - CGI for viewing a directory of images as thumbnails
WWWThreads.org - Commercial product - Advanced Web Conferencing
Software
Configuring https (mod_ssl):
o Mod_SSL.org: Home Page
o Mod_SSL.org: Mod_SSL HowTo
o Mod_SSL.org: Steps to create SSL server certificate
o https configuration
Installation:
HOSTURL http://www.your-domain.com
....
...
..
...
Links:
Web performance benchmarking tool httperf. Httperf sends requests to the web server
at a specified rate and gathers stats. Increase till one finds the saturation point.
Installation:
Example useage:
Links:
autobench: Perl wrapper to httperf which itterates and gathers data for each run.
Creates csv file for use in a spreadsheet to generate graphs.
openload: Simulates number of concurrent users. Measures completed
requests/sec.
Apache JMeter: Java app for static and dynamic performance analysis.
Many FTP programs exist. This example covers the popular vsftpd (Red Hat default 9.0,
Fedora Core, Suse) and wu-ftpd (Washington University) program which comes
standard with RedHat (last shipped with RedHat 8.0 but can be installed on any Linux
system). (RPM: wu-ftpd) There are other FTP programs including proFtpd (supports
LDAP authentication, Apache like directives, full featured ftp server software), bftpd,
pure-ftpd (free BSD and optional on Suse), etc ...
FTPd and SELinux: To allow FTPd daemon access to users home directories:
setsebool -P ftp_home_dir 1
Follow with the command service vsftpd restart
# vsFTPd: Configuration
# WU-FTPd: Configuration
# FTP Clients: Links
The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by
Suse and OpenBSD as well. This is currently the recomended FTP daemon for use on
FTP servers.
Enable vsftpd:
For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the
Linux init process and service activation.
Configuration files:
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it, may
confuse older FTP clients.
#async_abor_enable=YES
/etc/vsftpd/chroot_list)
pam_service_name=vsftpd
Restart the FTP service if the config file is changed: service vsftpd restart (or:
/etc/init.d/vsftpd restart)
[Potential Pitfall]: vsftp does NOT support comments on the same line as a
directive. i.e.:
directive=XXX # comment
(Requires: chroot_list_enable=YES)
user1
user2
...
user-n
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
root
bin
daemon
adm
lp
sync
shutdown
halt
...
If userlist_enable=NO, then specify valid users.
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny
file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This
duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is
independent of vsftpd configuration.
PAM authentication configuration file: ftpusers
o Red Hat: /etc/vsftpd/ftpusers
o Ubuntu: /etc/vsftpd.ftpusers
root
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
bin
daemon
adm
lp
sync
shutdown
halt
...
...
...
user6 - Users to deny
user8
...
...
/var/log/xferlog {
# ftpd doesn't handle SIGHUP properly
nocompress
missingok
}
# Access rights
anonymous_enable=YES - Turn on anonymous FTP
chown_uploads=YES - Uploaded files owned by an assigned user
chown_username=ftp - Uploaded files owned by this assigned user
local_enable=NO
write_enable=NO - No upload of files system changes allowed
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO
hide_ids=YES
pasv_min_port=50000
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
anon_max_rate=50000
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
Anonymous logins use the login name "anonymous" and then the user supplies
their email address as a password. Any password will be accepted. Used to allow
the public to download files from an ftp server. Generally, no upload is permitted.
Web hosting configuration: /etc/vsftpd/vsftpd.conf
# Access rights
anonymous_enable=NO
local_enable=YES - Allow users to ftp to their
home directories
write_enable=YES - Allow users to STOR, DELE,
RNFR, RNTO, MKD, RMD, APPE and SITE
local_umask=022
# Security
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO - Don't remap user name
ftpd_banner=Welcome to Super Duper Hosting - Customize the login banner
string.
chroot_local_user=YES - Limit user to browse their
own directory only
chroot_list_enable=YES - Enable list of system / power
users
chroot_list_file=/etc/vsftpd.chroot_list - Actual list of system / power
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
users
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
dirmessage_enable=YES - Message greeting held in file
.message or specify with message_file=...
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
#
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
user1
user2
...
user-n
[Potential Pitfall]: Mispelling a directive will cause vsftpd to fail with little warning.
File: .message
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
Links:
The wu-ftpd FTP server can be downloaded (binary or source) from it's home page at
http://wu-ftpd.org.
shutdown /etc/shutmsg
Note:
user1, user2 and user3 refer to login accounts. Use the appropriate login name.
The above configuration disables anonymous FTP which allows anyone to
perform an FTP login with the id anonymous and an email address as a
password. To enable anonymous FTP, change the class directive to:
Optional configuration:
o Create a group ftpchroot
o Add users to this group
o Use directive: guestgroup ftpchroot
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
[Potential Pitfall]: Flakey ftp behavior, timeouts, etc?? FTP works best with name
resolution of the computer it is communicating with. This requires proper
/etc/resolve.conf and name server (bind) configuration, /etc/hosts or NIS/NFS
configuration.
File /home/user1/public_html/etc/pathmsg:
The whole point of the chroot directory is to make the user's home directory appear to
be the root of the filesystem (/) so one could not wander around the filesystem.
Configuration of /etc/ftpaccess will limit the user to their respective directories while
still offering access to /bin/ls and other system commands used in FTP operation.
As root:
cd /home/user1
mkdir public_html
chown $1.$1 public_html
touch .rhosts - Security protection
chmod ugo-xrw .rhosts
Man Pages:
Server:
File Formats:
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny
file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.ftpd
server_args = -l -a
log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10
}
Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd.
Logrotate configuration file: /etc/logrotate.d/ftpd
/var/log/xferlog {
nocompress
}
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
More information:
FTP4All
CrushFTP - Java/cross platform
WS_FTP
FTP Pitfalls:
ftp> ls
227 Entering Passive Mode (208,188,34,109,208,89)
ftp: connect: No route to host
This means you have firewall issues most probably on the FTP server itself. Start by
removing the firewall "iptables" rules: iptables -F Add rules until you discover what is
causing the problem.
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
Passive mode:
You can also try adding ip_nat_ftp to the list of autoloaded modules: (This will also
load the dependancy: ip_conntrack_ftp.)
# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_nat_ftp"
Then restart the firewall: /etc/init.d/iptables condrestart
FTP will change ports during use. The ip_conntrack_ftp module will consider each
connection "RELATED". If iptables allows RELATED and ESTABLISHED connections
then FTP will work. i.e. rule: /etc/sysconfig/iptables
FTP fails because it can not change to the users home directory:
Error:
[user1@nodex ~]$ ftp node.domain.com
Connected to XXX.XXX.XXX.XXX.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (XXX.XXX.XXX.XXX:user1):
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/user1
Login failed.
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
ftp> bye
This is often a result of SELinux preventing the vsftpd process from accesing the
user's home directory. As root, grant access with the following command:
setsebool -P ftp_home_dir 1
Followed by: service vsftpd restart
kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory
browsing, file content browsing. Comes with S.U.S.e. Linux.
gftp: GUI GTK+ Multithreaded client. File transfer directory browsing and
compare. Multiple protocols: FTP, FTPS (control connection only), HTTP,
HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora
Core.
ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package
FC3: krb5-workstation)
When hosting web sites, there is no need to grant a shell account which only allows the
server to have more potential security holes. Current systems can specify the user to
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
have only FTP access with no shell by granting them the "shell" /sbin/nologin provided
with the system or the "ftponly" shell described below. The shell can be specified in the
file /etc/passwd of when creting a user with the command adduser -s /sbin/nologin
user-id
[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5 does not support this
configuration to prevent shell access. It requires users to have a real user shell. i.e.
/bin/bash It works great in older and current Red Hat versions. If it works for you, use it,
as it is more secure to deny the user shell access. You can always deny telnet access.
You should NOT be using this problem ridden version of ftpd. Use the latest wu-ftpd-
2.6.2-11 which supports users with shell /opt/bin/ftponly
[Potential Pitfall]: Ubuntu Dapper/Hardy - Setting the shell to the preconfigured shell
/bin/false will NOT allow vsftp access. One must create the shell "ftponly" as defined
below to allow vsftp access with no shell.
...
user1:x:502:503::/home/user1:/opt/bin/ftponly
...
#!/bin/sh
#
# ftponly shell
#
trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
#
[email protected]
#System=`/bin/hostname`@`/bin/domainname`
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
#
/bin/echo
/bin/echo
"********************************************************************"
/bin/echo " You are NOT allowed interactive access."
/bin/echo
/bin/echo " User accounts are restricted to ftp and web access."
/bin/echo
/bin/echo " Direct questions concerning this policy to $Admin."
/bin/echo
"********************************************************************"
/bin/echo
#
# C'ya
#
exit 0
The last step is to add this to the list of valid shells on the system.
Add the line /opt/bin/ftponly to /etc/shells.
/bin/bash
/bin/bash1
/bin/tcsh
/bin/csh
/opt/bin/ftponly
For more on Linux security see the: YoLinux.com Internet web site Linux server
security tutorial
Two of the most popular ways to configure the program Bind (Berkeley Internet Domain
software) to perform DNS services is in the role of (1) ISP or (2) Web Host.
1. In an ISP configuration for clients (web surfers) conected to the internet, the DNS
server must resolve IP addresses for any URL the user wishes to visit. (See DNS
caching server)
2. In a purely web hosting configuration, Bind will only resolve for the IP addresses
of the domains which are being hosted. This is the configuration which will be
discussed and is often called an "Authoritative-only Nameserver".
Note on Bind versions: Red Hat versions 6.x used Bind version 8. Release 7.1 of Red
Hat began using Bind version 9 and the GUI configuration tool bindconf was introduced
for those of you that like a pretty point and click interface for configuration.
Installation Packages:
Configuration files:
File: named.conf
Red Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir:
/var/named/chroot/etc/named.conf) and /etc/sysconfig/named for system
variables.
Ubuntu / Debian: /etc/bind/named.conf Place local definitions in
/etc/bind/named.conf.options and /etc/bind/named.conf.local
Simple example: (no views)
options { - Ubuntu stores options in
/etc/bind/named.conf.options
version "Bind"; - Don't disclose real version
to hackers
directory "/var/named"; - Specified so relative path
names can be used. Full path names still allowed.
allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS
recursion no;
auth-nxdomain no; - conform to RFC1035.
(default)
fetch-glue no; - Bind 8 only! Not used by version 9
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
type master;
file "data/named.your-domain-2.com";
notify yes;
};
Note:
BIND Views: The BIND naming service can support "views" which allow various
sub-networks (i.e. private internal or public external networks) to have a different
domain name resolution result.
Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")
options
{
directory "/var/named"; // the default
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
logging
{
// By default, SELinux policy does not allow named to modify the
/var/named
// directory, so put the default debug log file in data/ :
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view "localhost_resolver"
{
// This view sets up named to be a localhost resolver ( caching only
nameserver ).
// If all you want is a caching-only nameserver, then you need only
define this view:
match-clients { localhost; };
...
};
view "internal"
{
// This view will contain zones you want to serve only to "internal"
clients
// that connect via your directly attached LAN interfaces - "localnets" .
// For local private LAN. Not covered in this tutorial.
// Delete this view if web hosting with no local LAN.
match-clients { localnets; };
...
};
key ddns_key
{
algorithm hmac-md5;
secret "use /usr/sbin/dns-keygen to generate TSIG keys";
};
view "external"
{
// This view will contain zones you want to serve only to "external"
// public internet clients. This is covered below.
match-clients { any; };
...
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
..
};
Default configuration files: Red Hat may supply the default configuration in:
/usr/share/doc/bind-9.X.X/sample/etc/named.conf
cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf
/var/named/chroot/etc
cp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints
/var/named/chroot/etc
chcon -u system_u -r object_r -t named_conf_t
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/named.root.hints
cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones
/var/named/chroot/etc
cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones
/var/named/chroot/var/named
also from /usr/share/doc/bind-9.X.X/sample/var/named/:
localhost.zones, named.local, named.zero, named.broadcast,
named.ip6.local, named.root
recursion no;
// you'd probably want to deny recursion to external clients, so you
don't
// end up providing free DNS service to all takers
include "/etc/named.root.hints";
zone "your-domain.com" {
type master;
file "/var/named/data/external/named.your-domain.com";
notify yes;
allow-update { none; };
};
// You can also add the zones as a separate file like they do in
Ubuntu by adding the following statement
include "/etc/named.conf.local";
};
DNS key:
Use the following command /usr/sbin/dns-keygen to create a key. Add this key
to the "secret" statement as follows:
key ddns_key
{
algorithm hmac-md5;
secret
"XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";
};
Man Pages:
named.conf
your-domain.com. IN MX 10 mail1.offsitemail.com.
your-domain.com. IN MX 20 mail2.offsitemail.com.
cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone
/var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone
/var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast
/var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local
/var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero
/var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.local
/var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.root
/var/named/chroot/var/named/data/
cd /var/named/chroot/var/named/data/
chcon -u system_u -r object_r -t named_cache_t localhost.zone
localdomain.zone named.broadcast named.ip6.local named.zero named.root
named.local
File: named.conf
Red Hat / Fedora Core / CentOS: /etc/named.conf
Ubuntu / Debian: /etc/bind/named.conf
Simple example with no views:
options { - Ubuntu stores options in
/etc/bind/named.conf.options
version "Bind"; - Don't disclose real version to
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
hackers
directory "/var/named";
allow-transfer { none; }; - Slave is not transfering updates
to anyone else
recursion no;
auth-nxdomain no; - conform to RFC1035. (default)
fetch-glue no; - Bind 8 only! Not used by version 9
};
zone "localhost" {
type master;
file "/etc/bind/db.local"; - Ubutu: /etc/bind/db.local, Red
Hat: /var/named/named.local
};
zone "0.0.127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "your-domain.com"{
type slave;
file "named.your-domain.com"; - Specify slaves/named.your-
domain.com for RHEL4/5 chrooted bind
masters { XXX.XXX.XXX.XXX; }; - IP address of primary DNS
};
zone "your-domain-2.com"{
type slave;
file "named.your-domain-2.com";
masters { XXX.XXX.XXX.XXX; };
};
zone "your-domain.com" {
type slave;
file "/var/named/slaves/external/named.your-domain.com";
notify no; - Slave does not notify, slave
is notified by master
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
[Potential Pitfall]: Ubuntu dapper/hardy - Path names used can not violate Apparmor
security rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files
are typically named "/var/lib/bind/named.your-domain.com" as permitted by the
security configuration.
[Potential Pitfall]: Ubuntu dapper/hardy - Create log file and set ownership and
permission for file not created by installation:
touch /var/log/bindlog
chown root.bind /var/log/bindlog
chmod 664 /var/log/bindlog
Bind Defaults:
Logging is to /var/log/messages
After the configuration files have been edited, restart the name daemon.
/etc/init.d/named restart
(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)
Bind zone transfers work best if the clocks of the two systems are synchronised. See
the YoLinux SysAdmin Tutorial: Time and ntpd
Test DNS:
Test the name server with the host command in interactive mode:
host node.domain-to-test.com your-nameserver-to-test.domain.com
or
Test the name server with the nslookup command in interactive mode:
nslookup
> server your-nameserver-to-test.domain.com
> node.domain-to-test.com
> exit
OR
host -t mx domain-to-test.com
OR
Test your DNS with the following DNS diagnostics web site: DnsStuff.com
The latest RedHat bind updates run the named as user "named" to avoid a lot of
earlier hacker exploits. To chroot the process is to create an even more secure
environment by limiting the view of the system that the process can access. The
process is limited to the chrooted directory assigned.
The chroot of the named process to a directory under a given user will prevent
the possibility of an exploit which at one time would result in root access. The
original default RedHat configuration (6.2) ran the named process as root, thus if
an exploit was found, the named process will allow the hacker to use the
privileges of the root user. (no longer true)
Example:
named -u named -g named -t /opt/named
When chrooted, the process does not have access to system libraries thus a
local lib directory is required with the appropriate library files - theoretically. This
does not seem to be the case here and as noted above in chrooted FTP. It's a
mystery to me but it works???? Another method to handle libraries is to re-
compile the named binary with everything statically linked. Add -static to the
compile options. The chrooted process should also require a local
/etc/named.conf etc... but doesn't seem to???
#!/bin/sh
cd /opt
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
mkdir named
cd named
mkdir etc
mkdir bin
mkdir var
cd var
mkdir named
mkdir run
cd ..
chown -R named.named bin etc var
You can probably stop here. If your system acts like a chrooted system should,
then continue with the following:
cp -p /etc/named.conf etc
cp -p /etc/localtime etc
cp -p /bin/false bin
echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd
echo "named:x:25:" > etc/group
touch var/run/named.pid
if [ -f /etc/namedb ]
then
cp -p /etc/namedb etc/namedb
fi
mkdir dev
cd dev
cd ..
chown -R named.named bin etc var
#!/bin/bash
#
# named This shell script takes care of starting and stopping
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
[ -f /usr/sbin/named ] || exit 0
[ -f /etc/named.conf ] || exit 0
RETVAL=0
start() {
# Start daemons.
echo -n "Starting named: "
daemon named -u named -g named -t /opt/named - Change made
here
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
echo
return $RETVAL
}
stop() {
# Stop daemons.
echo -n "Shutting down named: "
killproc named
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
echo
return $RETVAL
}
rhstatus() {
/usr/sbin/ndc status
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
return $?
}
restart() {
stop
start
}
reload() {
/usr/sbin/ndc reload
return $?
}
probe() {
# named knows how to reload intelligently; we don't want linuxconf
# to offer to restart every time
/usr/sbin/ndc reload >/dev/null 2>&1 || echo start
return $?
}
exit $?
Note: The current version of bind from the RedHat errata updates and security
fixes (http://www.redhat.com/support/errata/) runs the named process as user
"named" in the home (not chrooted) directory /var/named with no shell available.
(named -u named) This should be secure enough. Proceed with a chrooted
installation if your are paranoid.
See:
Modern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4) come
preconfigured to use "chrooted" bind. This security feature forces even an exploited
version of bind to only operate within the "chrooted" jail /var/named/chroot which
contains the familiar directories:
These directories are generated and configured by the Red Hat/Fedora RPM package
"bind-chroot".
If building from source you will have to generate this configuration manually:
Linux Internet Web Server and Domain Configuration Tutorial
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux
server configuration required to host a website. The Apache web server, FTP server and DNS
configuration are covered. The Apache web server is required to serve the web pages, the FTP
server is required for users to upload content and the DNS server is required to resolve the
domain names so that a URL entered into a web browser will point to your web server and
properly serve the correct pages. The configurations presented will include virtual hosting which
will allow a single Linux server to support multiple web site domains.
mkdir -p /var/named/chroot
mkdir /var/named/chroot/dev
mknod /var/named/chroot/dev/null c 1 3
mknod /var/named/chroot/dev/zero c 1 5
mknod /var/named/chroot/dev/random c 1 8
chmod 666 -R /var/named/chroot/dev
mkdir -p /var/named/chroot/etc
ln -s /var/named/chroot/etc/named.conf /etc/named.conf
mkdir -p /var/named/chroot/var/named
ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
...
mkdir -p /var/named/chroot/var/named/slaves
mkdir -p /var/named/chroot/var/named/data
mkdir -p /var/named/chroot/var/run
mkdir -p /var/named/chroot/var/tmp
chown -R named:named /var/named/chroot
chown -R root:named /var/named/chroot/var/named
This will populate name servers around the world with different IP addresses for your
web server www.your-domain.com
www0 IN A XXX.XXX.XXX.1
www1 IN A XXX.XXX.XXX.2
www2 IN A XXX.XXX.XXX.3
www3 IN A XXX.XXX.XXX.4
www4 IN A XXX.XXX.XXX.5
www5 IN A XXX.XXX.XXX.6
Bind/DNS Links:
Note that the Name registrations policies for the registrars are stated at ICANN.org.
You must renew with the same registrar within five days BEFORE the expiration
date. There is no rule for afterwards.
Most free a domain name 30 days after it expires.
DNS round-robin: Discussed above, this uses DNS to point users to random
server in a list of appropriate servers. This spreads the load among the servers in
the list.
Use a Linux Virtual Server to Create a Load Balance Cluster. See next section
below.
Run a reverse proxy. See nginx ("engine X"). From a single external internet
network connection, route http, smtp, imap or pop3 traffic to various servers on
an internal network. Results are pushed back to the nginx proxy for routing to the
internet (no caching).
Run the Apache httpd web server module "mod_proxy" to offload processing of
dynamic content to another web server. This acts as a reverse proxy, routing
external traffic to various servers on an internal network.
You can use a single Linux server to forward requests to a cluster of servers using
iptables for IP masquerading and IPVsadm to scale your load. The load balancing
server receiving and routing the requests is called the "Linux Virtual Server" (LVS). The
LVS receives the requests which are passed to the real servers which process and
reply to the request. This reply is forwarded to the client by the LVS.
This feature is available with the Linux 2.4/2.6 kernel. (If compiling kernel: Networking
Options + IP: Virtual Server Configuration)
Configuration: This example will load balance http traffic to three web servers and ftp
traffic to a fourth server.
Enable IP Masquerading:
For more on IP Masquerading, iptables and subnet addresses, see the YoLinux
network gateway tutorial.
Command directives:
Command directives:
Links:
LinuxVirtualServer.org
iptables - Administration tool for IPv4 packet filtering and NAT
ipvsadm - Administer the routing table on a Linux Virtual Server.
To view if these services are running, type ps -aux and look for the httpd, inetd and
named services (daemons). These are background processes necessary to perform the
server tasks.
A new installation will most likely NOT start the named background process which may
be started manually after configuration.
See the YoLinux Init Process Tutorial for more information.
The inetd (or xinetd) background process is the Internet daemon which starts FTP when
an ftp request is made.
#!/bin/sh
# Author Greg Ippolito
# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico mwh-mini_tr.gif
etc.
# /opt/bin/ftponly
# You must be root to run this script.
#
if [ $# -eq 0 ]
then
echo "Enter user id as a command argument"
else if [ -r /home/$1 ]
then
echo "User's home directory already exists"
else
echo "1) Create user."
adduser -m $1
echo "3) Add read access to user directory so apache can read it."
cd /home
chmod ugo+rx $1
cd $1