
Linux System Administration and Server Configuration

Bangladesh Korea Information Access Center (IAC) Department of Computer Science and Engineering (CSE) Bangladesh University of Engineering and Technology (BUET) April 16, 2011



Published by Bangladesh Korea Information Access Center (IAC) Department of Computer Science and Engineering (CSE) Bangladesh University of Engineering and Technology (BUET)

Compiled by Dr. Muhammad Masroor Ali and Shihabur Rahman Chowdhury

Version: 1.1. Last modified: Saturday the Sixteenth of April, Two Thousand and Eleven

Contents

1 Introduction
   1.1 Introduction to UNIX and Linux
   1.2 Linux Command Line
      1.2.1 Some Examples of Commands
   1.3 General overview of the Linux file system
      1.3.1 Sorts of Files
   1.4 About Partitioning
      1.4.1 Partition Layout and Types
   1.5 More File System Layout

2 Basic Commands in Linux
   2.1 Seeing Manuals Before Everything
   2.2 Listing Files and Directories
      2.2.1 ls (list)
   2.3 Making Directories
      2.3.1 mkdir (make directory)
      2.3.2 The Directories . and ..
   2.4 Changing to a Different Directory
      2.4.1 cd (change directory)
   2.5 Pathnames
      2.5.1 pwd (print working directory)
      2.5.2 Understanding Pathnames
   2.6 More About Home Directories and Pathnames
      2.6.1 ~ (your home directory)
   2.7 Copying Files
      2.7.1 cp (copy)
   2.8 Moving files
      2.8.1 mv (move)
   Removing files and directories
      rm (remove), rmdir (remove directory)
   2.9 Displaying the Contents of a File on the Screen
      2.9.1 clear (clear screen)
      2.9.2 cat (concatenate)
      2.9.3 less
      2.9.4 head
      2.9.5 tail
   2.10 Searching the Contents of a File
      2.10.1 Simple Searching Using less
      2.10.2 grep (global regular expression print)
      2.10.3 wc (word count)
   2.11 Redirection
   2.12 Redirecting the Output
      2.12.1 Appending to a file
   2.13 Redirecting the Input
   2.14 Pipes
   2.15 Root and Sudo

3 Users and Groups
   3.1 Overview
   3.2 Managing Ubuntu Linux Users and Groups
      3.2.1 Adding a User to an Ubuntu Linux System
      3.2.2 Editing the Properties of a User
      3.2.3 Deleting a User from an Ubuntu Linux System
      3.2.4 Adding a New Group to an Ubuntu Linux System
      3.2.5 Modifying an Ubuntu Linux Group
      3.2.6 Deleting a Group from an Ubuntu Linux System
   3.3 passwd - Change User Password

4 File Permissions and Owners
   4.1 Linux File Permissions
      4.1.1 Permissions and Ownership: Why?
      4.1.2 Understanding file ownership
      4.1.3 Understanding File Permissions
      4.1.4 How to View File Permissions
      4.1.5 How to Set File Permissions: Symbolic Mode
      4.1.6 How to Set File Permissions: Numeric Mode
   4.2 chown - Change the Owner of a File
      4.2.1 chgrp - Change the Group Ownership of a File

5 Configuring Networks
   5.1 Overview
   5.2 IP Addresses, an Explanation
   5.3 MAC Address
   5.4 Gateway
   5.5 Installing a Linux Machine on an Existing IP Network
      5.5.1 Configuration Items
      5.5.2 Ethernet
      5.5.3 Configuring DHCP Address
      5.5.4 Configuring Static IP Address
   5.6 Define DNS Servers
   5.7 Test Network Connectivity
   5.8 Managing Hosts

6 Linux (Ubuntu) Installation
   6.1 Installation
   6.2 Adding More Software
      6.2.1 Adding Repositories in Ubuntu
      6.2.2 Updating the Package Database
      6.2.3 Installing a Software
      6.2.4 Updating Software
   6.3 Removing a Software

7 Linux Processes
   7.1 Multitasking: Background Process and Foreground Process
      7.1.1 Background Process
      7.1.2 Foreground Process Work
      7.1.3 Launching Tasks in the Foreground and Background
   7.2 All Running Process in Linux
      7.2.1 ps Command
   7.3 top Command
   7.4 Kill Process in Linux
      7.4.1 kill Command
      7.4.2 killall Command
   7.5 Manipulate Process Priority with nice

8 Samba Server
   8.1 Necessary Samba Components
   8.2 Naming Scheme
   8.3 Creating Users
   8.4 Samba Server Configuration
   8.5 Testing and Troubleshooting

9 Squid Proxy Server
   9.1 Squid
   9.2 Installation and Configuration
      9.2.1 Installation
      9.2.2 Configuration
   9.3 Restart Squid
   9.4 Important Locations
   9.5 Further Configurations
      9.5.1 Restricting Web Access by Time
      9.5.2 Restricting Access to Specific Web Sites
      9.5.3 Squid Transparent Proxy Configuration
   9.6 Cache Hierarchies
      9.6.1 Why Peer?
      9.6.2 Peer Configuration

10 Network File System
   10.1 NFS in Linux
   10.2 NFS Server Configuration
      10.2.1 Configuration Files
      10.2.2 Sharing Directories
   10.3 Security

11 Web Server
   11.1 Introduction: HTTPD, Apache2 Web Server
   11.2 Browsing the Web
   11.3 Installation
   11.4 Configuration
   11.5 Apache Directives
   11.6 Important Directives
      11.6.1 <VirtualHost>
      11.6.2 <Directory>
      11.6.3 <IfModule>
   11.7 Other Directives
      11.7.1 DocumentRoot
      11.7.2 ServerAdmin
      11.7.3 Listen
      11.7.4 ServerName
   11.8 Options Directive
   11.9 Order allow,deny
   11.10 Virtual Host
      11.10.1 Setting Up Name-Based Virtual Hosts
      11.10.2 Setting Up Address-Based Virtual Hosts
   11.11 Adding Virtual Hosts to Ubuntu Apache
   11.12 Apache Modules
   11.13 HTTPS Configuration

12 DNS Server Configuration
   12.1 How a Name Gets Resolved
   12.2 Useful Definitions
   12.3 DNS Server in Linux
      12.3.1 Installation
      12.3.2 Configuration Files
   12.4 Configuring Types of BIND
   12.5 Configuration as Caching Only Server
   12.6 Configuration as Primary Master Server
      12.6.1 Zone Declaration
      12.6.2 Create a Zone Definition File
      12.6.3 Reverse zone declaration and definition
   12.7 Secondary Master Server
   12.8 Testing and Troubleshooting
   12.9 Security of BIND DNS Server
      12.9.1 Create a RSA Key
      12.9.2 Add the Key

13 FTP Server
   13.1 Introduction
   13.2 Installation
   13.3 Basic Configuration
      13.3.1 Running Mode
      13.3.2 Banners
      13.3.3 Permissions
      13.3.4 Logging
   13.4 Controlling User Access
      13.4.1 Anonymous Users
      13.4.2 System Accounts
   13.5 Enabling TLS/SSL Encryption

14 Dynamic Host Configuration Protocol (DHCP) Server
   14.1 Introduction
   14.2 History
   14.3 Technical Overview
   14.4 Installation
   14.5 Configuration
      14.5.1 Configuration Parameters
      14.5.2 Select Interface card
      14.5.3 Configure Subnet

15 Mail Server
   15.1 Mail Transfer Agent Setup
      15.1.1 Installation
      15.1.2 Configuration File
      15.1.3 Creating Users
      15.1.4 Changing The Mailbox Type
      15.1.5 Add Networks and Domains to Postfix
      15.1.6 Enable Mail Transfer from Internet
      15.1.7 Test Configuration
   15.2 Mail Delivery Agent
   15.3 Webmail
      15.3.1 Installation and Required Components
      15.3.2 Configuration
   15.4 Virus Scanning and Spam Filtering
      15.4.1 Clamav Configuration
      15.4.2 Configure Spamassassin
      15.4.3 Amavis Configuration
      15.4.4 Postfix Configuration

16 MySQL Database Server
   16.1 Installation
   16.2 Basic Configuration
   16.3 Creating a Database
   16.4 Adding a User
   16.5 Changing User Password
   16.6 Access Control

Chapter 1

Introduction

1.1 Introduction to UNIX and Linux

Linux is a true 32-bit operating system that runs on a variety of different platforms, including Intel, Sparc, Alpha, and Power-PC (on some of these platforms, such as Alpha, Linux is actually 64-bit). Linux was first developed back in the early 1990s by a young Finnish then-university student named Linus Torvalds. Linus had a state-of-the-art 386 box at home and decided to write an alternative to the 286-based Minix system (a small UNIX-like implementation primarily used in operating systems classes) to take advantage of the extra instruction set available on the then-new chip, and began to write a small bare-bones kernel.

The interesting thing about Linux is that it is completely free. Linus decided to adopt the GNU Copyleft license of the Free Software Foundation, which means that the code is protected by a copyright, but protected in the sense that it must always be available to others. Free means free: you can get it for free, use it for free, and you are even free to sell it for a profit. (This is not as strange as it sounds; several organizations, including Red Hat, have packaged up the standard Linux kernel and a collection of GNU utilities, added their own flavor of included applications, and sell them as distributions.) Some common and popular distributions are Slackware, Ubuntu, Red Hat, SuSE, and Debian. The great thing is that you have access to the source code, which means you can customize the operating system to your own needs, not those of the target market of most commercial vendors.

Among the distributions, Ubuntu is now very popular. It provides very simple GUI facilities and a good command line interface. For the purpose of our demonstration examples we will use this operating system.

Linux can and should be considered a full-blown implementation of UNIX. However, it cannot be called Unix; not because of incompatibilities or lack of functionality, but because the word Unix is a registered trademark owned by AT&T, and the use of the word is only allowable by license agreement. Linux is every bit as supported, as reliable, and as viable as any other operating system solution.

1.2 Linux Command Line

When Linus Torvalds introduced Linux, and for a long time thereafter, Linux did not have a graphical user interface (GUI): it ran on character-based terminals only. All the tools ran from a command line. Today the Linux GUI is important, but many people, especially system administrators, run many command line programs. Command line utilities are often faster, more powerful, or more complete than their GUI counterparts. Sometimes there is no GUI counterpart to a textual utility; some people just prefer the hands-on feeling of the command line.

When you work with a command line interface, you are working with a shell. A shell provides an interface between the user and the operating system kernel. It is a command interpreter that takes commands from users and executes them. Linux's most common command interpreter is called bash, an abbreviation of Bourne-Again Shell. The shell is where commands are invoked. When started, the bash shell gives us a prompt and waits for a command to be entered. The command is typed at the shell prompt. The prompt usually ends in a dollar sign ($). After typing a command we need to press ENTER to invoke it. The shell will execute the command, and another prompt will then appear.

Shell commands consist of one or more words separated by spaces. The first word is the command to be run. Subsequent words are either options or arguments to the command. Options usually start with one or two hyphens.

1.2.1 Some Examples of Commands

List all the files in the current directory:

    $ ls

List the files in the long format (giving more information):

    $ ls -l

List full information about some specific files:

    $ ls -l notes.txt report.txt

List full information about all the .txt files:

    $ ls -l *.txt

List all files in long format, even the hidden ones:

    $ ls -l -a
    $ ls -la

The dollar sign ($) represents the prompt here; we do not need to type it.

Most commands take parameters, and some commands require them. Parameters are also known as arguments. For example, the command echo simply displays its arguments:

    $ echo

    $ echo hello there
    hello there

The first echo command outputs a blank line and the second echo command outputs its arguments. Commands are usually case sensitive, and most commands are in lower case.

    $ echo whisper
    whisper
    $ ECHO shout
    bash: ECHO: command not found

Often it is desirable to repeat a previously executed command. The shell keeps a command history for this purpose. We use the UP and DOWN keys to scroll through the list of previously executed commands and then press ENTER to execute the desired command. Commands can also be edited before being run. The LEFT and RIGHT cursor keys navigate across a command. Extra characters can be typed at any point. BACKSPACE deletes characters to the left of the cursor; DEL and CTRL+D delete characters to the right. Typically, successful commands do not give any output; messages are displayed, however, in the case of errors.

1.3 General overview of the Linux file system

A simple description of the UNIX system, also applicable to Linux, is this: on a UNIX system, everything is a file; if something is not a file, it is a process. This statement is true enough: there are special files that are more than just files (named pipes and sockets, for instance), but to keep things simple, saying that everything is a file is an acceptable generalization. A Linux system, just like UNIX, makes no difference between a file and a directory, since a directory is just a file containing the names of other files. Programs, services, texts, images, and so forth, are all files. Input and output devices, and generally all devices, are considered to be files, according to the system.

In order to manage all those files in an orderly fashion, people like to think of them in an ordered tree-like structure on the hard disk, as we know from MS-DOS (Disk Operating System) for instance. The large branches contain more branches, and the branches at the end contain the tree's leaves or normal files. For now we will use this image of the tree, but we will find out later why this is not a fully accurate image.

1.3.1 Sorts of Files

Most files are just files, called regular files; they contain normal data, for example text files, executable files or programs, input for or output from a program and so on. While it is reasonably safe to suppose that everything you encounter on a Linux system is a file, there are some exceptions:

    Directories: files that are lists of other files.
    Special files: the mechanism used for input and output. Most special files are in /dev; we will discuss them later.
    Links: a system to make a file or directory visible in multiple parts of the system's file tree. We will talk about links in detail.
    (Domain) sockets: a special file type, similar to TCP/IP sockets, providing inter-process networking protected by the file system's access control.
    Named pipes: act more or less like sockets and form a way for processes to communicate with each other, without using network socket semantics.

The -l option to ls displays the file type, using the first character of each output line:

    jaime:~/Documents> ls -l
    total 80
    -rw-rw-r--   1 jaime jaime 31744 Feb 21 17:56 intro Linux.doc
    -rw-rw-r--   1 jaime jaime 41472 Feb 21 17:56 Linux.doc
    drwxrwxr-x   2 jaime jaime  4096 Feb 25 11:50 course
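To make the file-type column concrete, here is an added shell example (it is not part of the original course notes). It builds a scratch directory containing one regular file, one directory, one symbolic link and one named pipe, then classifies each entry from the first character of its ls -l line; all file and directory names in it are constructed for the example.

```shell
#!/bin/sh
# Added example: classify directory entries by the first character of "ls -l" output.
# Everything here runs unprivileged. Device nodes and sockets are not created
# (mknod needs root), but the classifier still recognises their type letters.

# classify_type MODE_STRING -> prints the file type denoted by the first character
classify_type() {
    case "$1" in
        -*) printf 'regular\n' ;;
        d*) printf 'directory\n' ;;
        l*) printf 'symbolic link\n' ;;
        p*) printf 'named pipe\n' ;;
        s*) printf 'socket\n' ;;
        c*) printf 'character device\n' ;;
        b*) printf 'block device\n' ;;
        *)  printf 'unknown\n' ;;
    esac
}

# make_fixtures -> creates a scratch directory holding one entry of each kind we
# can create without root, and prints its path (constructed sample data)
make_fixtures() {
    dir=$(mktemp -d) || return 1
    : > "$dir/notes.txt"               # regular file
    mkdir "$dir/course"                # directory
    ln -s notes.txt "$dir/notes-link"  # symbolic link to the regular file
    mkfifo "$dir/queue"                # named pipe
    printf '%s\n' "$dir"
}

# count_type DIR CHAR -> number of entries in DIR whose ls -l line starts with CHAR
count_type() {
    # "tail -n +2" skips the "total N" line that ls -l prints first
    ls -l "$1" | tail -n +2 | cut -c1 | grep -c -- "^$2" || true
}

# report DIR -> one line per entry: "<name>: <type>"
# ls -l fields: mode, links, owner, group, size, month, day, time, name
report() {
    ls -l "$1" | tail -n +2 | while read -r mode _ _ _ _ _ _ _ name _; do
        printf '%s: %s\n' "$name" "$(classify_type "$mode")"
    done
}

# Stand-alone demonstration; the scratch directory is removed afterwards.
scratch=$(make_fixtures)
report "$scratch"
rm -rf "$scratch"
```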

1.4 About Partitioning

Most people have a vague knowledge of what partitions are, since every operating system has the ability to create or remove them. It may seem strange that Linux uses more than one partition on the same disk, even when using the standard installation procedure, so some explanation is called for.

One of the goals of having different partitions is to achieve higher data security in case of disaster. By dividing the hard disk into partitions, data can be grouped and separated. When an accident occurs, only the data in the partition that got hit will be damaged, while the data on the other partitions will most likely survive. This principle dates from the days when Linux did not have journaled file systems and power failures might have led to disaster.

The use of partitions remains for security and robustness reasons, so a breach on one part of the system does not automatically mean that the whole computer is in danger. This is currently the most important reason for partitioning. A simple example: a user creates a script, a program or a web application that starts filling up the disk. If the disk contains only one big partition, the entire system will stop functioning when the disk is full. If the user stores the data on a separate partition, then only that (data) partition will be affected, while the system partitions and any other data partitions keep functioning.

Mind that having a journaled file system only provides data security in case of power failure and sudden disconnection of storage devices. It does not protect your data against bad blocks and logical errors in the file system. In those cases, you should use a RAID (Redundant Array of Inexpensive Disks) solution.

1.4.1 Partition Layout and Types

There are two kinds of major partitions on a Linux system: data partition: normal Linux system data, including the root partition containing all the data to start up and run the system; and swap partition: expansion of the computers physical memory, extra memory on hard disk. Most systems contain a root partition, one or more data partitions and one or more swap partitions. Systems in mixed environments may contain partitions for other system data, such as a partition with a FAT or VFAT le system for MS Windows data. Most Linux systems use fdisk at installation time to set the partition type. This usually happens automatically. On some occasions, however, you may not be so lucky. In such cases, you will need to select the partition type manually and even manually do the actual partitioning. The standard Linux partitions have number 82 for swap and 83 for data, which can be journaled (ext3) or normal (ext2, on older systems). The fdisk utility has built-in help, should you forget these values. Apart from these two, Linux supports a variety of other le system types, such as the relatively new Reiser le system, JFS, NFS, FATxx and many other le systems natively available on other (proprietary) operating systems. The standard root partition (indicated with a single forward slash, / ) is about 100-500 MB, and contains the system conguration les, most basic commands and server programs, system libraries, some

1.5. More File System Layout temporary space and the home directory of the administrative user. A standard installation requires about 250 MB for the root partition. Swap space (indicated with swap) is only accessible for the system itself, and is hidden from view during normal operation. Swap is the system that ensures, like on normal UNIX systems, that you can keep on working, whatever happens. On Linux, you will virtually never see irritating messages like Out of memory, please close some applications rst and try again, because of this extra memory. The swap or virtual memory procedure has long been adopted by operating systems outside the UNIX world by now. Using memory on a hard disk is naturally slower than using the real memory chips of a computer, but having this little extra is a great comfort. Linux generally counts on having twice the amount of physical memory in the form of swap space on the hard disk. When installing a system, you have to know how you are going to do this. An example on a system with 512 MB of RAM: 1st possibility: one swap partition of 1 GB 2nd possibility: two swap partitions of 512 MB 3rd possibility: with two hard disks: 1 partition of 512 MB on each disk. The last option will give the best results when a lot of I/O is to be expected. Read the software documentation for specic guidelines. Some applications, such as databases, might require more swap space. Others, such as some handheld systems, might not have any swap at all by lack of a hard disk. Swap space may also depend on your kernel version. The kernel is on a separate partition as well in many distributions, because it is the most important le of your system. If this is the case, you will nd that you also have a /boot partition, holding your kernel(s) and accompanying data les. 
The rest of the hard disk(s) is generally divided into data partitions, although it may be that all of the non-system-critical data resides on one partition, for example when you perform a standard workstation installation. When non-critical data is separated on different partitions, it usually happens following a set pattern:

1.5 More File System Layout

For convenience, the Linux file system is usually thought of in a tree structure. On a standard Linux system you will find the layout generally follows the scheme presented in Figure 1.1. Depending on the system admin, the operating system and the mission of the UNIX machine, the structure may vary, and directories may be left out or added at will. The names are not even required; they are only a convention. The tree of the file system starts at the trunk or slash, indicated by a forward slash (/). This directory, containing all underlying directories and files, is also called the root directory or the root of the file system. Directories that are only one level below the root directory are often preceded by a slash, to indicate their position and prevent confusion with other directories that could have the same name. When starting with a new system, it is always a good idea to take a look in the root directory. Let's see what you could run into, as shown in Table 1.1.

Chapter 1. Introduction

Figure 1.1: Linux file system layout.

Directory    Content

/bin         Common programs, shared by the system, the system administrator and the users.
/boot        The startup files and the kernel, vmlinuz. In some recent distributions also grub data. Grub is the GRand Unified Boot loader and is an attempt to get rid of the many different boot-loaders we know today.
/dev         Contains references to all the CPU peripheral hardware, which are represented as files with special properties.
/etc         Most important system configuration files are in /etc; this directory contains data similar to those in the Control Panel in Windows.
/home        Home directories of the common users.
/initrd      (on some distributions) Information for booting. Do not remove!
/lib         Library files, includes files for all kinds of programs needed by the system and the users.
/lost+found  Every partition has a lost+found in its upper directory. Files that were saved during failures are here.
/misc        For miscellaneous purposes.
/mnt         Standard mount point for external file systems, e.g. a CD-ROM or a digital camera.
/net         Standard mount point for entire remote file systems.
/opt         Typically contains extra and third party software.
/proc        A virtual file system containing information about system resources. More information about the meaning of the files in proc is obtained by entering the command man proc in a terminal window. The file proc.txt discusses the virtual file system in detail.
/root        The administrative user's home directory. Mind the difference between /, the root directory, and /root, the home directory of the root user.
/sbin        Programs for use by the system and the system administrator.
/tmp         Temporary space for use by the system, cleaned upon reboot, so don't use this for saving any work!
/usr         Programs, libraries, documentation etc. for all user-related programs.
/var         Storage for all variable files and temporary files created by users, such as log files, the mail queue, the print spooler area, space for temporary storage of files downloaded from the Internet, or to keep an image of a CD before burning it.

Table 1.1: Principal directories in the Linux file system.

Chapter 2

Basic Commands in Linux


2.1 Seeing Manuals Before Everything

Man pages (short for manual pages) are the extensive documentation that comes preinstalled with almost all substantial Unix and Unix-like operating systems. The Unix command used to display them is man. Each page is a self-contained document. To read a manual page for a Linux command, one can use
$ man <command_name>
at a shell prompt: for example, man ftp. In order to simplify navigation through the output, man generally uses the less terminal pager. Pages are traditionally referred to using the notation name(section): for example, ftp(1). The same page name may appear in more than one section of the manual, as when the names of system calls, user commands, or macro packages coincide. Examples are man(1) and man(7), or exit(2) and exit(3). The syntax for accessing the non-default manual section varies between different man implementations. On Linux and *BSD, for example, the syntax for reading printf(3) is
man 3 printf
which searches for printf in section 3 of the man pages. To quit and go back to the terminal session, type q.

2.2 Listing Files and Directories

2.2.1 ls (list)

When you first login, your current working directory is your home directory. Your home directory has the same name as your user-name, for example, ee91ab, and it is where your personal files and subdirectories are saved. To find out what is in your home directory, type
$ ls
The ls command (lowercase L and lowercase S) lists the contents of your current working directory. There may be no files visible in your home directory, in which case, the Linux prompt will be returned. Alternatively, there may already be some files inserted by the System Administrator when your account was created. ls does not, in fact, cause all the files in your home directory to be listed, but only those ones whose name does not begin with a dot (.). Files beginning with a dot (.) are known as hidden files and usually contain important program configuration information. They are hidden because you should not change them unless you are very familiar with Linux!!! To list all files in your home directory including those whose names begin with a dot, type
$ ls -a
As you can see, ls -a lists files that are normally hidden.

2.3 Making Directories

2.3.1 mkdir (make directory)

We will now make a subdirectory in your home directory to hold the files you will be creating and using in the course of this tutorial. To make a subdirectory called unixstuff in your current working directory type
$ mkdir unixstuff
To see the directory you have just created, type
$ ls

2.3.2 Changing to a Different Directory: cd (change directory)

The command cd directory means change the current working directory to directory. The current working directory may be thought of as the directory you are in, i.e. your current position in the filesystem tree. To change to the directory you have just made, type
$ cd unixstuff
Type ls to see the contents (which should be empty).

2.3.3 The Directories . and ..

Still in the unixstuff directory, type
$ ls -a
As you can see, in the unixstuff directory (and in all other directories), there are two special directories called (.) and (..)

The current directory (.)

In Linux, (.) means the current directory, so typing
$ cd .
(NOTE: there is a space between cd and the dot) means stay where you are (the unixstuff directory). This may not seem very useful at first, but using (.) as the name of the current directory will save a lot of typing.

The parent directory (..)

(..) means the parent of the current directory, so typing
$ cd ..
will take you one directory up the hierarchy (back to your home directory). Note: typing cd with no argument always returns you to your home directory. This is very useful if you are lost in the file system.

2.4 Pathnames

2.4.1 pwd (print working directory)

Pathnames enable you to work out where you are in relation to the whole file system. For example, to find out the absolute pathname of your home directory, type cd to get back to your home directory and then type
$ pwd
The full pathname will look something like this
/home/its/ug1/ee51vn
which means that ee51vn (your home directory) is in the sub-directory ug1 (the group directory), which in turn is located in the its sub-directory, which is in the home sub-directory, which is in the top-level root directory called /.

2.5 More About Home Directories and Pathnames

2.5.1 Understanding Pathnames

First type cd to get back to your home directory, then type
$ ls unixstuff
to list the contents of your unixstuff directory. Now type
$ ls backups
You will get a message like this
backups: No such file or directory
The reason is, backups is not in your current working directory. To use a command on a file (or directory) not in the current working directory (the directory you are currently in), you must either cd to the correct directory, or specify its full pathname. To list the contents of your backups directory, you must type
$ ls unixstuff/backups

2.5.2 ~ (your home directory)


Home directories can also be referred to by the tilde character ~. It can be used to specify paths starting at your home directory. So typing
$ ls ~/unixstuff
will list the contents of your unixstuff directory, no matter where you currently are in the file system. What do you think
$ ls ~
would list? What do you think
$ ls ~/..
would list?

2.6 Copying Files

2.6.1 cp (copy)

cp file1 file2 is the command which makes a copy of file1 in the current working directory and calls it file2. What we are going to do now is to take a file stored in an open access area of the file system, and use the cp command to copy it to your unixstuff directory. First, cd to your unixstuff directory.
$ cd ~/unixstuff
Then at the Linux prompt, type
$ cp /vol/examples/tutorial/science.txt .
Note: Don't forget the dot . at the end. Remember, in Linux, the dot means the current directory. The above command means copy the file science.txt to the current directory, keeping the name the same.


2.7 Moving files

2.7.1 mv (move)

mv file1 file2 moves (or renames) file1 to file2. To move a file from one place to another, use the mv command. This has the effect of moving rather than copying the file, so you end up with only one file rather than two. It can also be used to rename a file, by moving the file to the same directory, but giving it a different name. We are now going to move the file science.bak to your backup directory. First, change directories to your unixstuff directory. Then, inside the unixstuff directory, type
$ mv science.bak backups/.
Type ls and ls backups to see if it has worked.

2.8 Removing files and directories

2.8.1 rm (remove), rmdir (remove directory)

To delete (remove) a file, use the rm command. As an example, we are going to create a copy of the science.txt file then delete it. Inside your unixstuff directory, type
$ cp science.txt tempfile.txt
$ ls
$ rm tempfile.txt
$ ls

You can use the rmdir command to remove a directory (make sure it is empty first). Try to remove the backups directory. You will not be able to, since Linux will not let you remove a non-empty directory.
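The steps in sections 2.3 to 2.8 (mkdir, cd, the . and .. entries, ~, cp, mv, rm and rmdir) form one sequence, so here they are replayed as a single shell script. This is an added example, not part of the original handout: it runs inside a throw-away directory created with mktemp instead of your real home directory, it stands in for the open-access area /vol/examples/tutorial with a constructed copy of science.txt, and the check after each step confirms what the text says should happen, including rmdir refusing a non-empty directory.

```shell
#!/bin/sh
# Added example (not from the handout): replays the unixstuff walk-through of
# sections 2.3 to 2.8 inside a scratch directory. HOME is pointed at that
# directory for the duration, so ~ and cd with no argument behave as in the
# text without touching the real home directory.

# Runs every step and checks the effect of each; prints the scratch directory.
# The body is a subshell, so the HOME change and the cd calls do not leak out.
unixstuff_walkthrough() (
    sandbox=$(mktemp -d) || exit 1
    HOME=$sandbox; export HOME
    cd "$HOME" || exit 1

    # Constructed stand-in for the open-access area /vol/examples/tutorial.
    mkdir -p "$HOME/vol/examples/tutorial"
    printf 'line %d of a constructed science.txt\n' 1 2 3 \
        > "$HOME/vol/examples/tutorial/science.txt"

    mkdir unixstuff                  # 2.3.1: subdirectory of the home directory
    mkdir unixstuff/backups          # needed for 2.5.1 and 2.7.1
    cd unixstuff                     # 2.3.2
    cd .                             # 2.3.3: stays in unixstuff
    [ "$(basename "$(pwd)")" = unixstuff ] || exit 1
    cd ..                            # one level up: back home
    [ "$(pwd)" = "$HOME" ] || exit 1
    cd                               # cd with no argument also goes home
    [ "$(pwd)" = "$HOME" ] || exit 1

    cd ~/unixstuff                   # 2.5.2: ~ works from anywhere
    cp "$HOME/vol/examples/tutorial/science.txt" .   # 2.6.1: copy to "."
    cp science.txt science.bak
    mv science.bak backups/.         # 2.7.1: moved, not copied
    [ ! -e science.bak ] && [ -e backups/science.bak ] || exit 1

    cp science.txt tempfile.txt      # 2.8.1: create a copy, then remove it
    rm tempfile.txt
    [ ! -e tempfile.txt ] || exit 1

    # rmdir must refuse while backups still holds science.bak.
    if rmdir backups 2>/dev/null; then exit 1; fi
    rm backups/science.bak
    rmdir backups                    # empty now, so this succeeds
    [ ! -d backups ] || exit 1

    printf '%s\n' "$sandbox"
)

# Number of entries ls -a shows that plain ls hides: dotfiles plus . and ..
hidden_entry_count() {
    all=$(ls -a "$1" | wc -l)
    visible=$(ls "$1" | wc -l)
    echo $((all - visible))
}

# Demonstration run; the scratch directory is removed afterwards.
box=$(unixstuff_walkthrough) && echo "walk-through completed in $box"
if [ -n "$box" ]; then rm -rf "$box"; fi
```

Every step is checked with a test rather than just printed, which is the habit worth forming before running the same commands on a real system: after a mv or rm, confirm that the file is where you expect before going on.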

2.9 Displaying the Contents of a File on the Screen

2.9.1 clear (clear screen)

Before you start the next section, you may like to clear the terminal window of the previous commands so the output of the following commands can be clearly understood. At the prompt, type
$ clear
This will clear all text and leave you with the $ prompt at the top of the window.

2.9.2 cat (concatenate)

The command cat can be used to display the contents of a file on the screen. Type:
$ cat science.txt
As you can see, the file is longer than the size of the window, so it scrolls past making it unreadable.


2.9.3 less

The command less writes the contents of a file onto the screen a page at a time. Type
$ less science.txt
Press the [space-bar] if you want to see another page, and type [q] if you want to quit reading. As you can see, less is used in preference to cat for long files.

2.9.4 head

The head command writes the first ten lines of a file to the screen. First clear the screen then type
$ head science.txt
Then type
$ head -5 science.txt
What difference did the -5 do to the head command?

2.9.5 tail

The tail command writes the last ten lines of a file to the screen. Clear the screen and type
$ tail science.txt
By default tail displays the last 10 lines. For watching logs tail has a special command line option -f (follow). It allows a file to be monitored. Instead of displaying the last few lines and exiting, tail displays the lines and then continues to monitor the file. As new lines are added tail updates the display. This is particularly useful for monitoring log files. For example:
$ tail -f /var/adm/messages

2.10 Searching the Contents of a File

2.10.1 Simple Searching Using less

Using less, you can search through a text file for a keyword (pattern). For example, to search through science.txt for the word science, type
$ less science.txt
then, still in less, type a forward slash [/] followed by the word to search
/science
As you can see, less finds and highlights the keyword. Type [n] to search for the next occurrence of the word.


2.10.2 grep (global regular expression print)

grep is one of many standard Linux utilities. It searches files for specified words or patterns. First clear the screen, then type
$ grep science science.txt
As you can see, grep has printed out each line containing the word science. Try typing
$ grep Science science.txt
The grep command is case sensitive; it distinguishes between Science and science. To ignore upper/lower case distinctions, use the -i option, i.e. type
$ grep -i science science.txt
To search for a phrase or pattern, you must enclose it in single quotes (the apostrophe symbol). For example to search for spinning top, type
$ grep -i 'spinning top' science.txt

2.10.3 wc (word count)

A handy little utility is the wc command, short for word count. To do a word count on science.txt, type
$ wc -w science.txt
To find out how many lines the file has, type
$ wc -l science.txt
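The head, tail, grep and wc sections above all work on science.txt, so this added example (not from the original handout) builds a constructed twelve-line science.txt and wraps each command in a small function whose result can be checked: head with and without -5, tail, grep with and without -i and with a quoted phrase, wc -l and wc -w, and tail -f watching a file while another process appends to it, the way a log file is monitored. The file contents and the appended log line are made up for the example.

```shell
#!/bin/sh
# Added example (not from the handout): head, tail, grep and wc on a
# constructed science.txt, each wrapped in a function whose result can be
# checked, plus tail -f watching a file that another process appends to.

# Writes twelve made-up lines; line 3 says "Science", line 9 "science",
# and line 7 contains the phrase used in the grep section.
make_science_txt() {
    i=1
    while [ "$i" -le 12 ]; do
        case $i in
            3) echo "Science is built from careful observation." ;;
            7) echo "a spinning top keeps its axis through angular momentum" ;;
            9) echo "science also demands that results be repeatable" ;;
            *) echo "filler line $i about physics" ;;
        esac
        i=$((i + 1))
    done > "$1"
}

# head prints 10 lines by default; -N limits it to the first N lines.
head_count()  { head "$1" | wc -l | tr -d ' '; }
head5_count() { head -5 "$1" | wc -l | tr -d ' '; }

# tail prints the last 10 lines; -n 1 gives just the final line.
tail_count() { tail "$1" | wc -l | tr -d ' '; }
tail_last()  { tail -n 1 "$1"; }

# grep is case sensitive unless -i is given; -c counts matching lines, and a
# multi-word pattern has to be quoted so the shell passes it as one argument.
grep_science_count()  { grep -c 'science' "$1"; }
grep_iscience_count() { grep -ic 'science' "$1"; }
grep_phrase_count()   { grep -ic 'spinning top' "$1"; }

# wc -l counts lines, wc -w counts words (reading stdin keeps the file name
# out of the output).
line_count() { wc -l < "$1" | tr -d ' '; }
word_count() { wc -w < "$1" | tr -d ' '; }

# tail -f keeps reading as the file grows. Here tail writes what it sees to
# $2 in the background while this shell appends a line to $1, as a daemon
# would append to a log; afterwards $2 must contain that line.
tail_follow_sees_new_line() {
    log=$1 out=$2
    : > "$log"                        # start from an empty log
    tail -f "$log" > "$out" &
    watcher=$!
    sleep 1                           # let tail open the file
    echo "new-log-entry" >> "$log"    # the event we want to see
    sleep 2                           # give tail time to pick it up
    kill "$watcher" 2>/dev/null
    wait "$watcher" 2>/dev/null || true
    grep -q '^new-log-entry$' "$out"
}

# Demonstration on a temporary file.
f=$(mktemp)
make_science_txt "$f"
echo "head: $(head_count "$f") lines, head -5: $(head5_count "$f") lines"
echo "grep science: $(grep_science_count "$f") line(s), grep -i science: $(grep_iscience_count "$f") line(s)"
echo "$(line_count "$f") lines, $(word_count "$f") words"
rm -f "$f"
```

The tail -f function is the one to study: it is exactly the shape of a log watcher, a reader that stays attached while some other process writes, and the only new ingredient is stopping it, which a terminal user does with Ctrl-C and a script does with kill.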

2.11 Redirection

Most processes initiated by Linux commands write to the standard output (that is, they write to the terminal screen), and many take their input from the standard input (that is, they read it from the keyboard). There is also the standard error, where processes write their error messages, by default, to the terminal screen. We have already seen one use of the cat command to write the contents of a file to the screen. Now type cat without specifying a file to read
$ cat
Then type a few words on the keyboard and press the [Return] key. Finally hold the [Ctrl] key down and press [d] (written as ^D for short) to end the input. What has happened? If you run the cat command without specifying a file to read, it reads the standard input (the keyboard), and on receiving the end of file (^D), copies it to the standard output (the screen). In Linux, we can redirect both the input and the output of commands.


2.12 Redirecting the Output

We use the > symbol to redirect the output of a command. For example, to create a file called list1 containing a list of fruit, type
$ cat > list1
Then type in the names of some fruit. Press [Return] after each one.
pear
banana
apple
^D
What happens is the cat command reads the standard input (the keyboard) and the > redirects the output, which normally goes to the screen, into a file called list1. To read the contents of the file, type
$ cat list1

2.12.1 Appending to a file

The form >> appends standard output to a file. So to add more items to the file list1, type
$ cat >> list1
Then type in the names of more fruit
peach
grape
orange
^D
To read the contents of the file, type
$ cat list1
You should now have two files. One contains six fruit, the other contains four fruit. We will now use the cat command to join (concatenate) list1 and list2 into a new file called biglist. Type
$ cat list1 list2 > biglist
What this is doing is reading the contents of list1 and list2 in turn, then outputting the text to the file biglist. To read the contents of the new file, type
$ cat biglist


2.13 Redirecting the Input

We use the < symbol to redirect the input of a command. The command sort alphabetically or numerically sorts a list. Type
$ sort
Then type in the names of some animals. Press [Return] after each one.
dog
cat
bird
ape
^D
The output will be
ape
bird
cat
dog
Using < you can redirect the input to come from a file rather than the keyboard. For example, to sort the list of fruit, type
$ sort < biglist
and the sorted list will be output to the screen. To output the sorted list to a file, type
$ sort < biglist > slist
Use cat to read the contents of the file slist

2.14 Pipes

To see who is on the system with you, type
$ who
One method to get a sorted list of names is to type
$ who > names.txt
$ sort < names.txt
This is a bit slow and you have to remember to remove the temporary file called names.txt when you have finished. What you really want to do is connect the output of the who command directly to the input of the sort command. This is exactly what pipes do. The symbol for a pipe is the vertical bar | For example, typing
$ who | sort
will give the same result as above, but quicker and cleaner. To find out how many users are logged on, type
$ who | wc -l
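As an added example that is not part of the original handout, the following script carries out the redirection and pipe steps of sections 2.11 to 2.14 without a keyboard: the fruit lists are written with printf in place of typing and Ctrl-D, list2 (which the text assumes exists) is constructed here, and because who prints nothing useful in a scripted session, a function fake_who supplies three constructed login records so that who | sort and who | wc -l give a predictable result. The last function goes one step beyond the text and shows that standard error is a separate stream that 2> redirects on its own.

```shell
#!/bin/sh
# Added example (not from the handout): the redirection and pipe steps of
# sections 2.11 to 2.14 done without a keyboard. Fruit names and the login
# records printed by fake_who are constructed for this example.

# Builds list1, list2, biglist and slist in $1; prints the line count of
# biglist. Subshell body, so the cd does not affect the caller.
build_lists() (
    cd "$1" || exit 1
    # "cat > list1" then typing and Ctrl-D; printf stands in for the typing.
    printf '%s\n' pear banana apple > list1
    # ">>" appends: list1 now has six lines.
    printf '%s\n' peach grape orange >> list1
    # The second list the text assumes exists (four fruit).
    printf '%s\n' kiwi mango fig lime > list2
    cat list1 list2 > biglist          # concatenate two files into a third
    sort < biglist > slist             # input from a file, output to a file
    wc -l < biglist | tr -d ' '
)

first_sorted() { head -n 1 "$1/slist"; }

# Stand-in for who: three constructed login records in who's column layout.
fake_who() {
    printf '%s\n' 'zoe   pts/2  2011-04-16 09:02' \
                  'alice pts/0  2011-04-16 08:41' \
                  'bob   pts/1  2011-04-16 08:55'
}

# who | sort with no temporary file; awk joins the sorted user names with commas.
sorted_users() {
    fake_who | sort | awk '{ names = names (NR > 1 ? "," : "") $1 } END { print names }'
}

# who | wc -l: the number of logged-in users.
user_count() { fake_who | wc -l | tr -d ' '; }

# Beyond the text: standard error is a third stream. With > for stdout and
# 2> for stderr, ls's complaint about a missing file lands in err.txt while
# out.txt stays empty.
stderr_separate() {
    ls "$1/does-not-exist" > "$1/out.txt" 2> "$1/err.txt" || :
    [ ! -s "$1/out.txt" ] && [ -s "$1/err.txt" ]
}

# Demonstration in a temporary directory.
d=$(mktemp -d)
echo "biglist has $(build_lists "$d") lines; first sorted entry: $(first_sorted "$d")"
echo "users: $(sorted_users) (count $(user_count))"
stderr_separate "$d" && echo "stderr went to err.txt, not out.txt"
rm -rf "$d"
```

The stderr function matters in practice because a pipeline such as who | sort only carries standard output: error messages from the first command bypass the pipe and still reach the terminal, or a log, unless 2> sends them somewhere deliberately.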


2.15 Root and Sudo

The root user in GNU/Linux is the user which has administrative access to your system. Normal users do not have this access for security reasons. However, Ubuntu does not include the root user. Instead, administrative access is given to individual users, who may use the sudo application to perform administrative tasks. The first user account you created on your system during installation will, by default, have access to sudo. When you run an application that requires root privileges, sudo will ask you to input your normal user password. This ensures that rogue applications cannot damage your system, and serves as a reminder that you are about to perform administrative actions which require you to be careful! To use sudo when using the command line, simply type sudo before the command you wish to run. Sudo will then prompt you for your password. Sudo will remember your password for a set amount of time. This feature was designed to allow users to perform multiple administrative tasks without being asked for a password each time.

Chapter 3

Users and Groups


3.1 Overview

A user is anyone who uses a computer. In this case, we are describing the names which represent those users. It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that matters is that the computer has a name for each account it creates, and it is this name by which a person gains access to use the computer. Some system services also run using restricted or privileged user accounts. Managing users is done for the purpose of security by limiting access in certain specific ways. Any individual may have more than one account, as long as they use a different name for each account they create. Further, there are some reserved names which may not be used, including root, hal, or adm. Users may be grouped together into a group, and users may choose to join an existing group to utilize the privileged access it grants. The beginner should use these tools carefully and stay away from having anything to do with any other existing user account, other than their own.

3.2 Managing Ubuntu Linux Users and Groups

Linux is a multi-user operating system. This means that more than one user can be actively logged in and using the system at any one time. Obviously, it makes sense for each user to have their own user account and home directory, and for different users to have different privileges. Users are further divided into groups for the purposes of easier administration and those groups can have different levels of privileges. For example, you may have a group of users who work in the Accounting department. In such an environment you may wish to create an accounts group and assign all the Accounting department personnel to that group.

3.2.1 Adding a User to an Ubuntu Linux System

There are two methods for adding new users to a system: one way is using the graphical User settings tool and the other is to use the adduser command-line tool. Start a terminal window session and at the command prompt enter a command similar to:
sudo adduser --home /home/john john
The above command will prompt for a password for the account and optional contact information. Once the information has been gathered adduser creates the new account and the /home/john home directory. The adduser tool provides a number of different options, details of which can be learned by reviewing the adduser man page as follows:
man adduser

3.2.2 Editing the Properties of a User

The properties of a user may be changed using the same User settings dialog used to add a user as outlined above. Select the System desktop menu and choose Users and Groups from the Administration sub-menu to launch the User settings dialog. To make changes to the user properties select the user from the list and click on Properties. Work through the various screens in the Account Properties for the selected user and click on the OK button to apply the changes.

3.2.3 Deleting a User from an Ubuntu Linux System

An existing user may be deleted using the same User settings dialog used to add a user as outlined above. Select the System desktop menu and choose Users and Groups from the Administration sub-menu to launch the User settings dialog. Select the user to be deleted and click on Delete. A confirmation dialog will appear. If you wish to proceed click on Delete in the confirmation dialog to commit the change. Note that the deletion process will remove the account but leave the user's home directory intact. This will need to be deleted manually if it, and any files therein, are no longer required. A user account may also be deleted from the command line using the deluser utility:
sudo deluser john
It is also possible to remove the user's home directory as part of the deletion process:
sudo deluser --remove-home john
Alternatively all files owned by the user, including those in the user's home directory, may be removed as follows:
sudo deluser --remove-all-files john
The files in the user's home directory can also be backed up to another location before the directory is deleted, using the --backup-to command-line option together with the path to the backup directory:
sudo deluser --backup-to /oldusers/backups/john --remove-home john

3.2.4 Adding a New Group to an Ubuntu Linux System

All users are members of one or more groups. As an administrator it makes sense to organize users into logical groups. For example all sales people might belong to a sales group, whilst accounting staff might belong to the accounts group and so on. New groups are added either using the Users settings graphical tool, or by using the addgroup command-line tool.


3.2.5 Modifying an Ubuntu Linux Group

To add a group from the command line, use the addgroup utility. For example:
sudo addgroup accounts
To add an existing user to an existing group:
sudo adduser john accounts

3.2.6 Deleting a Group from an Ubuntu Linux System

A group may be deleted from a system using the delgroup utility:
sudo delgroup accounts
Note that if the group to be deleted is the primary group for any user it cannot be deleted. A group can be deleted only if it is empty using the following command:
sudo delgroup --only-if-empty accounts
To remove a user from membership of a group use the following command syntax:
sudo deluser john accounts
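delgroup's refusal to remove a group that is still someone's primary group, or that still has members when --only-if-empty is given, comes down to two lookups in /etc/passwd and /etc/group. This added example (not from the original handout, and not the code of the adduser/deluser package) performs those lookups with awk on copies of the two files passed as arguments, so it runs on constructed sample files it writes itself rather than on the real system; the user and group names are the ones used in the text, and the uids and gids are made up.

```shell
#!/bin/sh
# Added example (not from the handout, and not the adduser package's own
# code): the two membership lookups behind delgroup's refusals, run against
# copies of passwd and group passed as arguments. The sample files below are
# constructed; only the names john, mary, accounts and sales come from the text.

# Writes constructed passwd and group files into directory $1.
write_sample_files() {
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'john:x:1001:1001:John:/home/john:/bin/bash' \
        'mary:x:1002:1002:Mary:/home/mary:/bin/bash' > "$1/passwd"
    printf '%s\n' \
        'root:x:0:' \
        'john:x:1001:' \
        'mary:x:1002:' \
        'accounts:x:1003:john,mary' \
        'sales:x:1004:' > "$1/group"
}

# primary_members PASSWD GROUP NAME: users whose primary group (field 4 of
# passwd) is NAME's gid (field 3 of group).
primary_members() {
    gid=$(awk -F: -v g="$3" '$1 == g { print $3 }' "$2")
    [ -n "$gid" ] || return 1
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$1"
}

# supplementary_members GROUP NAME: the comma-separated member list in
# field 4 of group, one name per line.
supplementary_members() {
    awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# group_deletable PASSWD GROUP NAME: succeeds only when NAME is nobody's
# primary group and has no supplementary members, which is the condition
# delgroup --only-if-empty enforces.
group_deletable() {
    [ -z "$(primary_members "$1" "$2" "$3")" ] || return 1
    [ -z "$(supplementary_members "$2" "$3")" ] || return 1
}

# Demonstration on the constructed files.
demo=$(mktemp -d)
write_sample_files "$demo"
for g in accounts sales john; do
    if group_deletable "$demo/passwd" "$demo/group" "$g"; then
        echo "$g: empty, delgroup --only-if-empty would remove it"
    else
        echo "$g: primary group of a user or still has members, delgroup refuses"
    fi
done
rm -rf "$demo"
```

Pointing the functions at /etc/passwd and /etc/group lists who would lose access if a group were removed, which is the check to make before running delgroup on a shared system.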

3.3 passwd - Change User Password

The passwd command changes passwords for user accounts. A normal user may only change the password for his/her own account, while the superuser may change the password for any account. passwd also changes account information, such as the full name of the user, the user's login shell, or his/her password expiry date and interval. The user is first prompted for his/her old password, if one is present. This password is then encrypted and compared against the stored password. The user has only one chance to enter the correct password. The superuser is permitted to bypass this step so that forgotten passwords may be changed. After the password has been entered, password aging information is checked to see if the user is permitted to change the password at this time. If not, passwd refuses to change the password and exits. The user is then prompted twice for a replacement password. The second entry is compared against the first and both are required to match in order for the password to be changed. Then, the password is tested for complexity. As a general guideline, passwords should consist of 6 to 8 characters including one or more characters from each of the following sets:
lower case alphabetics
digits 0 through 9
punctuation marks
Care must be taken not to include the system default erase or kill characters. passwd will reject any password which is not suitably complex. Type the passwd command as follows to change your own password:

$ passwd
Output:
Changing password for buetcse
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Chapter 4

File Permissions and Owners


4.1 Linux File Permissions

This chapter covers the basics of file ownership and permissions on Linux: who the owners of a file or directory are, how file permissions work and how you can view them, and how to set basic file permissions yourself.

4.1.1 Permissions and Ownership: Why?

If you can't access some of the files on your very own Linux system, it's usually because of misconfigured file access permissions. If you are the only user on your Linux box, you may be wondering what's the point of having all these permissions (or lack thereof) that restrict your access to your very own penguin OS. However, before pulling your hair out, you must keep in mind Linux is designed to be a multi-user environment. In an environment with more than one user, it is crucial to have a secure system for deciding which files are yours and who can fiddle with them. Even if you're the only user on an ordinary desktop system, file permissions help keep your important files safe, both from outsiders and your own mistakes.

4.1.2 Understanding file ownership

Every file on your Linux system, including directories, is owned by a specific user and group. Therefore, file permissions are defined separately for users, groups, and others.

User: The username of the person who owns the file. By default, the user who creates the file will become its owner.

Group: The usergroup that owns the file. All users who belong to the group that owns the file will have the same access permissions to the file. This is useful if, for example, you have a project that requires a bunch of different users to be able to access certain files, while others can't. In that case, you'll add all the users into the same group, make sure the required files are owned by that group, and set the file's group permissions accordingly.

Other: A user who isn't the owner of the file and doesn't belong to the same group the file does. In other words, if you set a permission for the other category, it will affect everyone else by default. For this reason, people often talk about setting the world permission bit when they mean setting the permissions for other.

4.1.3 Understanding File Permissions

There are three types of access permissions on Linux: read, write, and execute. These permissions are defined separately for the file's owner, group and all other users.

Read permission: On a regular file, the read permission bit means the file can be opened and read. On a directory, the read permission means you can list the contents of the directory.

Write permission: On a regular file, this means you can modify the file, aka write new data to the file. In the case of a directory, the write permission means you can add, remove, and rename files in the directory. This means that if a file has the write permission bit, you are allowed to modify the file's contents, but you're allowed to rename or delete the file only if the permissions of the file's directory allow you to do so.

Execute permission: In the case of a regular file, this means you can execute the file as a program or a shell script. On a directory, the execute permission (also called the search bit) allows you to access files in the directory and enter it, with the cd command, for example. However, note that although the execute bit lets you enter the directory, you're not allowed to list its contents, unless you also have the read permission to that directory.

4.1.4 How to View File Permissions

You can view the access permissions of a file by doing the long directory listing with the ls -l command. This is what a long directory listing might look like:

    me@puter: /home/writers$ ls -l
    total 17
    drwxr-xr-x 3 nana writers    80 2005-09-20 21:37 dir
    -rw-r----- 1 nana writers  8187 2005-09-19 13:35 file
    -rwxr-xr-x 1 nana writers 10348 2005-07-17 20:31 otherfile

What does the output of ls -l mean? The very first column, the one that looks like a bunch of mumbo jumbo, shows the file type and permissions. The second column shows the number of links (directory entries that refer to the file), the third one shows the owner of the file, and the fourth one shows the group the file belongs to. The other columns show the file's size in bytes, the date and time of last modification, and the filename.

The first column, the one that shows the file's permissions and looks like mumbo jumbo, is organized into four separate groups, although it certainly doesn't look very organized. The first group consists of only one character, and it shows the file's type. For example, d means a directory and - means a normal file, so if you take a look at our example output, you'll notice dir is a directory, while file and otherfile are regular files. The first character can be any of these:

    d  directory
    -  regular file
    l  symbolic link
    s  Unix domain socket
    p  named pipe
    c  character device file
    b  block device file

The next nine characters show the file's permissions, divided into three groups, each consisting of three characters. The first group of three characters shows the read, write, and execute permissions for user, the owner of the file. The next group shows the read, write, and execute permissions for the group of the file. Similarly, the last group of three characters shows the permissions for other, everyone else. In each group, the first character means the read permission, the second one the write permission, and the third one the execute permission. The characters are pretty easy to remember.

    r  read permission
    w  write permission
    x  execute permission
    -  no permission

What does this mean in practice? Let's have an example. Remember the imaginary directory listing we did at the beginning? The output looked like this:

    drwxr-xr-x 3 nana writers    80 2005-09-20 21:37 dir
    -rw-r----- 1 nana writers  8187 2005-09-19 13:35 file
    -rwxr-xr-x 1 nana writers 10348 2005-07-17 20:31 otherfile

As we already noticed, dir is a directory, because the first column begins with a d. The owner of this directory is user nana and the group owner is writers. The first three characters, rwx, indicate that the directory's owner, nana in this case, has full access to the directory. The user nana is able to access, view, and modify the files in that directory. The next three characters, r-x, indicate that all users belonging to group writers have read and execute permissions to the directory. They can change into the directory, execute files, and view its contents. However, because they don't have write permissions, they can't make any changes to the directory content. Finally, the last three characters, r-x, indicate that all the users who are not nana or don't belong to group writers have read and execute permissions in the directory.

How about file? Because the first column begins with a -, the file is a regular file, owned by user nana and group writers, just like the directory in our example. The first three characters, rw-, indicate the owner has read and write access to the file. According to the next three characters, r--, the users belonging to group writers can view the file but not modify or execute it. The final three characters, ---, indicate no one else has any access to the file. Similarly, you can see otherfile is a regular file and its owner has full access to it, while everyone else can read and execute the file but not modify it.


4.1.5 How to Set File Permissions: Symbolic Mode

You can set file permissions with the chmod command. Both the root user and the file's owner can set file permissions. chmod has two modes, symbolic and numeric. The symbolic mode is pretty easy to remember. First, you decide if you set permissions for the user (u), the group (g), others (o), or all of the three (a). Then, you either add a permission (+), remove it (-), or wipe out the previous permissions and add a new one (=). Next, you decide if you set the read permission (r), write permission (w), or execute permission (x). Last, you'll tell chmod which file's permissions you want to change. Let's have a couple of examples. Suppose we have a regular file called testfile, and the file has full access permissions for all the groups (a long directory listing would show -rwxrwxrwx as the file's permissions). Wipe out all the permissions but add read permission for everybody:

    chmod a=r testfile


After the command, the file's permissions would be -r--r--r--. Add execute permissions for group:

    chmod g+x testfile

Now, the file's permissions would be -r--r-xr--. Add both write and execute permissions for the file's owner. Note how you can set more than one permission at the same time:

    chmod u+wx testfile

After this, the file permissions will be -rwxr-xr--. Remove the execute permission from both the file's owner and group. Note, again, how you can set them both at once:

    chmod ug-x testfile

Now, the permissions are -rw-r--r--.

4.1.6 How to Set File Permissions: Numeric Mode

The other mode in which chmod can be used is the numeric mode. In the numeric mode, the file permissions aren't represented by characters. Instead, they are represented by a three-digit octal number.

    4  read (r)
    2  write (w)
    1  execute (x)
    0  no permission (-)

To get the permission bits you want, you add up the numbers accordingly. For example, the rwx permissions would be 4+2+1=7, rx would be 4+1=5, and rw would be 4+2=6. Because you set separate permissions for the owner, group, and others, you'll need a three-digit number representing the permissions of all these groups. Let's have an example.

    chmod 755 testfile

This would change testfile's permissions to -rwxr-xr-x. The owner would have full read, write, and execute permissions (7=4+2+1), the group would have read and execute permissions (5=4+1), and the world would have read and execute permissions as well. Let's have another example:

    chmod 640 testfile

In this case, testfile's permissions would be -rw-r-----. The owner would have read and write permissions (6=4+2), the group would have read permissions only (4), and the others wouldn't have any access permissions (0). The numeric mode may not be as straightforward as the symbolic mode, but with the numeric mode, you can more quickly and efficiently set the file permissions. This quick reference for setting file permissions in numeric mode might help:
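As an added example (not part of the manual), the following POSIX shell script converts between the nine-character rwx string that ls -l prints and the three-digit octal mode that chmod takes, and then replays the symbolic-mode walkthrough of section 4.1.5 on a scratch file, reading each result back from ls -l. The function names and the use of mktemp for the scratch file are this example's own.

```shell
#!/bin/sh
# Added example, not from the manual: translate between the rwx string that
# ls -l prints and the octal mode chmod takes, then replay the manual's
# symbolic-mode walkthrough on a scratch file and read each result back.

# mode_to_octal rwxr-xr-x  ->  755
# Takes the nine permission characters (the leading type character stripped).
mode_to_octal() {
    out=""
    for start in 1 4 7; do                       # user, group, other triples
        triple=$(printf '%s' "$1" | cut -c"$start"-"$((start + 2))")
        bits=0
        case $triple in r??) bits=$((bits + 4)) ;; esac
        case $triple in ?w?) bits=$((bits + 2)) ;; esac
        case $triple in ??[xst]) bits=$((bits + 1)) ;; esac   # lowercase s/t imply x
        out="$out$bits"
    done
    printf '%s\n' "$out"
}

# octal_to_mode 640  ->  rw-r-----
octal_to_mode() {
    out=""
    for pos in 1 2 3; do
        digit=$(printf '%s' "$1" | cut -c"$pos")
        case $digit in 4|5|6|7) out="${out}r" ;; *) out="${out}-" ;; esac
        case $digit in 2|3|6|7) out="${out}w" ;; *) out="${out}-" ;; esac
        case $digit in 1|3|5|7) out="${out}x" ;; *) out="${out}-" ;; esac
    done
    printf '%s\n' "$out"
}

# file_mode PATH -> current octal mode, taken from columns 2-10 of ls -ld
file_mode() {
    mode_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# Replay section 4.1.5: start from -rwxrwxrwx and apply the four chmod
# commands in order; prints the four resulting octal modes.
chmod_walkthrough() {
    f=$(mktemp) || return 1                      # scratch file, removed below
    chmod 777 "$f"
    chmod a=r "$f";   m1=$(file_mode "$f")       # -r--r--r--  444
    chmod g+x "$f";   m2=$(file_mode "$f")       # -r--r-xr--  454
    chmod u+wx "$f";  m3=$(file_mode "$f")       # -rwxr-xr--  754
    chmod ug-x "$f";  m4=$(file_mode "$f")       # -rw-r--r--  644
    rm -f "$f"
    printf '%s %s %s %s\n' "$m1" "$m2" "$m3" "$m4"
}

# Stand-alone run: the walkthrough, then the two numeric-mode examples
chmod_walkthrough
octal_to_mode 755
octal_to_mode 640
```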


4.2 chown - Change the Owner of a File

You can change the owner and group of a file or a directory with the chown command. Please keep in mind you can do this only if you are the root user or the owner of the file. Set the file's owner:

    chown username somefile

After giving this command, the new owner of a file called somefile will be the user username. The file's group owner will not change. Instead of a user name, you can also give the user's numeric ID here if you want. You can also set the file's group at the same time. If the user name is followed by a colon and a group name, the file's group will be changed as well.

    chown username:usergroup somefile

After giving this command, somefile's new owner would be user username and the group owner will be usergroup. You can set the owner of a directory exactly the same way you set the owner of a file:

    chown username somedir

Note that after giving this command, only the owner of the directory will change. The owner of the files inside the directory won't change. In order to set the ownership of a directory and all the files in that directory, you'll need the -R option:

    chown -R username somedir

Here, R stands for recursive, because this command will recursively change the ownership of directories and their contents. After issuing this example command, the user username will be the owner of the directory somedir, as well as every file in that directory. Tell what happens:

    chown -v username somefile
    changed ownership of somefile to username

Here, v stands for verbose. If you use the -v option, chown will list what it did (or didn't do) to the file. The verbose mode is especially useful if you change the ownership of several files at once. For example, this could happen when you do it recursively:

    chown -Rv username somedir
    changed ownership of somedir/ to username
    changed ownership of somedir/boringfile to username
    changed ownership of somedir/somefile to username

As you can see, chown nicely reports to you what it did to each file.


4.2.1 chgrp - Change the Group Ownership of a File

In addition to chown, you can also use the chgrp command to change the group of a file or a directory. You must, again, be either the root user or the owner of the file in order to change the group ownership. chgrp works pretty much the same way as chown does, except it changes the file's user group instead of the owner, of course.

    chgrp usergroup somefile

After issuing this command, the file somefile will be owned by the user group usergroup. Although the file's group has changed to usergroup, the file's owner will still be the same. The options of chgrp are the same as those of chown. So, for example, the -R and -v options will work with it just like they worked with chown:

    chgrp -Rv usergroup somedir
    changed group of somedir/ to usergroup
    changed group of somedir/boringfile to usergroup
    changed group of somedir/somefile to usergroup

chgrp nicely reports to you what it did to each file.

Chapter 5

Configuring Networks

5.1 Overview

A computer network, often simply referred to as a network, is a collection of computers and devices interconnected by communications channels that facilitate communication among users and allow users to share resources. Networks may be classified according to a wide variety of characteristics. A computer network allows sharing of resources and information among interconnected devices.

5.2 IP Addresses, an Explanation

Internet Protocol Addresses are composed of four bytes. The convention is to write addresses in what is called dotted decimal notation. In this form each byte is converted to a decimal number (0-255) dropping any leading zeros unless the number is zero and written with each byte separated by a . character. By convention each interface of a host or router has an IP address. It is legal for the same IP address to be used on each interface of a single machine in some circumstances but usually each interface will have its own address.

5.3 MAC Address

A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies including Ethernet. Logically, MAC addresses are used in the Media Access Control protocol sub-layer of the OSI reference model. MAC addresses are most often assigned by the manufacturer of a network interface card (NIC) and are stored in its hardware, the card's read-only memory, or some other firmware mechanism. If assigned by the manufacturer, a MAC address usually encodes the manufacturer's registered identification number and may be referred to as the burned-in address. It may also be known as an Ethernet hardware address (EHA), hardware address or physical address. MAC addresses are formed according to the rules of one of three numbering name spaces managed by the Institute of Electrical and Electronics Engineers (IEEE): MAC-48, EUI-48, and EUI-64. The IEEE claims trademarks on the names EUI-48 and EUI-64, in which EUI is an acronym for Extended Unique Identifier.



Special Note for NetworkManager Users: NetworkManager (http://projects.gnome.org/NetworkManager/) uses other sets of files from those described here. NetworkManager will only handle interfaces not declared in /etc/network/interfaces. Also, the network applet may not display connections properly.

5.4 Gateway

A gateway is a network point that acts as an entrance to another network. On the Internet, a node or stopping point can be either a gateway node or a host (end-point) node. Both the computers of Internet users and the computers that serve pages to users are host nodes, while the nodes that connect the networks in between are gateways. For example, the computers that control traffic between company networks or the computers used by internet service providers (ISPs) to connect users to the internet are gateway nodes. In the network of an enterprise, a computer server acting as a gateway node is often also acting as a proxy server and a firewall server. A gateway is often associated with both a router, which knows where to direct a given packet of data that arrives at the gateway, and a switch, which furnishes the actual path in and out of the gateway for a given packet. On an IP network, clients should automatically send IP packets with a destination outside a given subnet mask to a network gateway. A subnet mask defines the IP range of a network. For example, if a network has a base IP address of 192.168.0.0 and has a subnet mask of 255.255.255.0, then any data going to an IP address outside of 192.168.0.X will be sent to that network's gateway. While forwarding an IP packet to another network, the gateway might or might not perform Network Address Translation. A gateway is an essential feature of most routers, although other devices (such as any PC or server) can function as a gateway. Most computer operating systems use the terms described above. A computer running Microsoft Windows, however, describes this standard networking feature as Internet Connection Sharing, which will act as a gateway, offering a connection between the Internet and an internal network. Such a system might also act as a DHCP server.

Dynamic Host Configuration Protocol (DHCP) is a protocol used by networked devices (clients) to obtain various parameters necessary for the clients to operate in an Internet Protocol (IP) network. By using this protocol, the system administration workload greatly decreases, and devices can be added to the network with minimal or no manual configuration.

5.5 Installing a Linux Machine on an Existing IP Network

5.5.1 Configuration Items

If you wish to install a Linux machine onto an existing IP network then you should contact whoever administers the network and ask them for the following information:

    Host IP address
    IP network address (not always required)
    IP broadcast address (not always required)
    IP netmask, also called subnet mask
    Router (gateway) address
    Domain Name Server address

You should then configure your Linux network device with those details. You cannot make them up and expect your configuration to work.


5.5.2 Ethernet

Most Ethernet configuration is centralized in a single file, /etc/network/interfaces. If you have no Ethernet devices, only the loopback interface will appear in this file, and it will look something like this:

    # This file describes the network interfaces available
    # on your system and how to activate them. For more
    # information, see interfaces(5).

    # The loopback network interface
    auto lo
    iface lo inet loopback
        address 127.0.0.1
        netmask 255.0.0.0

5.5.3 Configuring a DHCP Address

If you want to configure a DHCP address you need to edit /etc/network/interfaces:

    sudo nano /etc/network/interfaces

and add the following lines:

    auto eth0
    iface eth0 inet dhcp

If you have only one Ethernet device, eth0, and it gets its configuration from a DHCP server, and it should come up automatically at boot, only the above two additional lines are required. The first line specifies that the eth0 device should come up automatically when you boot. The second line means that interface (iface) eth0 should have an IPv4 address space (replace inet with inet6 for an IPv6 device) and that it should get its configuration automatically from DHCP. Assuming your network and DHCP server are properly configured, this machine's network should need no further configuration to operate properly. The DHCP server will provide the default gateway (implemented via the route command), the device's IP address (implemented via the ifconfig command), and the DNS servers used on the network (implemented in the /etc/resolv.conf file).

5.5.4 Configuring a Static IP Address

If you want to configure a static IP address you need to edit /etc/network/interfaces.

    sudo nano /etc/network/interfaces

To configure your Ethernet device with a static IP address and custom configuration, some more information will be required. Suppose you want to assign the IP address 192.168.0.2 to the device eth0, with the typical netmask of 255.255.255.0. Your default gateway's IP address is 192.168.0.1. You would enter something like this into /etc/network/interfaces:

    iface eth0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        gateway 192.168.0.1

After entering all the details you need to restart networking services using the following command:

    sudo /etc/init.d/networking restart
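As an added example (not part of the manual), this POSIX shell script carries out the subnet decision described in section 5.4 using the static settings of section 5.5.4 (host 192.168.0.2, netmask 255.255.255.0, gateway 192.168.0.1): it computes the network and broadcast addresses, decides whether a destination is delivered directly or handed to the gateway, and checks that the configured gateway is itself inside the local subnet. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the manual: the subnet decision of section 5.4,
# worked with the static settings of section 5.5.4. A host sends a packet
# directly when the destination lies inside its own subnet and hands it to
# the gateway otherwise.

HOST_IP=192.168.0.2        # address from the static /etc/network/interfaces example
NETMASK=255.255.255.0
GATEWAY=192.168.0.1

# ip_to_int 192.168.0.2 -> 3232235522 (dotted quad to a 32-bit integer)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235520 -> 192.168.0.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_address IP MASK: the address with every host bit cleared
network_address() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# broadcast_address IP MASK: the address with every host bit set
broadcast_address() {
    int_to_ip $(( $(ip_to_int "$1") | (~$(ip_to_int "$2") & 4294967295) ))
}

# next_hop DST: "direct" when DST shares HOST_IP's subnet, else the gateway address
next_hop() {
    if [ "$(network_address "$1" "$NETMASK")" = "$(network_address "$HOST_IP" "$NETMASK")" ]; then
        echo direct
    else
        echo "$GATEWAY"
    fi
}

# gateway_check: a gateway outside the local subnet can never be reached, so
# such a configuration would leave the host with no path off its own subnet
gateway_check() {
    if [ "$(next_hop "$GATEWAY")" = direct ]; then echo ok; else echo unreachable; fi
}

# Stand-alone run
echo "network   $(network_address "$HOST_IP" "$NETMASK")"
echo "broadcast $(broadcast_address "$HOST_IP" "$NETMASK")"
echo "192.168.0.7 via $(next_hop 192.168.0.7)"
echo "10.0.0.5 via $(next_hop 10.0.0.5)"
echo "gateway $(gateway_check)"
```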

5.6 Define DNS Servers

Open the /etc/resolv.conf file:

    sudo nano /etc/resolv.conf

In this case, you will need to specify your DNS servers manually; the file should look something like this:

    search mydomain.example
    nameserver 192.168.0.1
    nameserver 4.2.2.2

The search directive will append mydomain.example to hostname queries in an attempt to resolve names to your network. For example, if your network's domain is mydomain.example and you try to ping the host mybox, the DNS query will be modified to mybox.mydomain.example for resolution. The nameserver directives specify DNS servers to be used to resolve hostnames to IP addresses. If you use your own nameserver, enter it here. Otherwise, ask your Internet Service Provider for the primary and secondary DNS servers to use, and enter them into /etc/resolv.conf as shown above. Test the DNS server:

    host www.buet.ac.bd

5.7 Test Network Connectivity

Send an ICMP ECHO_REQUEST to network hosts, routers, servers etc. with the ping command. This verifies that connectivity exists between the local host and a remote network system.

5.8 Managing Hosts

To manage hosts, you can add, edit, or remove hosts from the /etc/hosts file. The file contains IP addresses and their corresponding hostnames. When your system tries to resolve a hostname to an IP address or determine the hostname for an IP address, it refers to the /etc/hosts file before using the name servers. If the IP address is listed in the /etc/hosts file, the name servers are not used. This behavior can be modified by editing /etc/nsswitch.conf, at your peril.

Chapter 6

Linux (Ubuntu) Installation


6.1 Installation

Refer to the documents at https://help.ubuntu.com/community/Installation. These are dynamic in nature and always updated. For the Graphical Installation procedure refer to https://help.ubuntu.com/community/GraphicalInstall.

6.2 Adding More Software

There are literally thousands of Ubuntu programs available to meet the needs of Ubuntu users. Many of these programs are stored in software archives commonly referred to as repositories. Repositories make it very easy to install new software onto Ubuntu using an Internet connection, while also providing a high level of security, as each program available in the repositories is thoroughly tested and built specifically for each version of Ubuntu.

6.2.1 Adding Repositories in Ubuntu

The list of repositories is kept in the /etc/apt/sources.list file. To add a new repository, open the file with any text editor of your choice and add the repository line at the end of the file. There is a special format for adding a repository:

    deb <url> <ubuntu_version> <repository_type>

<url> is the URL of the repository. <ubuntu_version> is the first part of the Ubuntu code name, e.g. lucid, karmic etc. <repository_type>: you can find the details of repository types at the https://help.ubuntu.com/community/Repositories/Ubuntu page.

6.2.2 Updating the Package Database

To synchronize the local package database with that of the repositories enter the following command in the terminal:

    sudo apt-get update

6.2.3 Installing a Software

Software comes in packages. A package is usually a .deb or .rpm file. Ubuntu uses .deb packages. A user can download a .deb package from the internet and install it with the following command:

    sudo dpkg -i <path_of_deb_file>

Or, the user can use the apt-get tool to download and install a package.

    sudo apt-get install <package_name>

The apt-get tool automatically downloads and installs the required package. To download the package files only, run the same command with the -d option.

    sudo apt-get install -d <package_name>

This will download the packages into the /var/cache/apt/archive directory.

6.2.4 Updating Software

To upgrade the installed software run the following command:

    sudo apt-get upgrade

6.3 Removing a Software

To remove a package from the system use the following command:

    sudo apt-get remove <package_name>

To remove the package along with all configuration files and data use the following command:

    sudo apt-get purge <package_name>

Chapter 7

Linux Processes

7.1 Multitasking: Background Process and Foreground Process

As a multitasking operating system, Linux lets you run processes in the background while you continue to work in the foreground. Let me explain how they work.

7.1.1 Background Process

Unlike with a foreground process, the shell does not have to wait for a background process to end before it can run more processes. Within the limit of the amount of memory available, you can enter many background commands one after another. To run a command as a background process, type the command and add a space and an ampersand to the end of the command. For example:

    command1 &

Immediately after entering the above command, the shell will execute the command. While that is running in the background, the shell prompt will return. At this point, you can enter another command for either a foreground or a background process. Background jobs are run at a lower priority than foreground jobs. You will see a message on the screen when a background process has finished running.

7.1.2 Foreground Process Work

A foreground process is different from a background process in two ways:

    1. Some foreground processes show the user an interface, through which the user can interact with the program.
    2. The user must wait for one foreground process to complete before running another one.

To start a foreground process, enter a command at the prompt, e.g.,

    command1

The next prompt will not appear until command1 finishes running.


7.1.3 Launching Tasks in the Foreground and Background

Suppose you have a long-running task (for example, compiling a large program) that you need to run, but you also want to get some other work done. If you start a long-running task and forget to add the ampersand, you can still swap that task into the background. Instead of pressing Ctrl-C (to terminate the foreground task) and then restarting it in the background, just press Ctrl-Z after the command starts, type bg, and press enter. You'll get your prompt back and be able to continue with other work. Use the fg command to bring a background task to the foreground. You might wonder why you'd ever want to swap programs between the foreground and background, but this is quite useful if, for example, you're doing a long-running compile and you need to issue a quick command at the shell prompt. While the compilation is running, you could press Ctrl-Z and then enter the bg command to put the compiler in the background. Then do your thing at the shell prompt and enter the fg command to return the compiler task to the foreground. The Ctrl-Z trick also works with the Emacs text editor and the Pine email program. You can suspend either program and then return to your work in progress with the fg command. Of course, in the X Windows environment, all these unnatural gyrations are not necessary. Just start another shell window and run the other command there. You can watch both processes running in separate windows at the same time, and you don't have to worry about adding ampersands, piping output to files, or keeping track of foreground versus background processes.

7.2 All Running Processes in Linux

You need to use the ps command. It provides information about the currently running processes, including their process identification numbers (PIDs). Both Linux and UNIX support the ps command to display information about all running processes. The ps command gives a snapshot of the current processes.

7.2.1 ps Command
Type the following ps command to display all running processes:

    ps aux | less

Where,

    -A: select all processes
    a: select all processes on a terminal, including those of other users
    x: select processes without controlling ttys

See every process on the system:

    ps -A
    ps -e

See every process except those running as root:

    ps -U root -u root -N

See processes run by user masroor:

    ps -u masroor


Figure 7.1: Output from top command.

7.3 top Command

The top program provides a dynamic real-time view of a running system. Type top at the command prompt:

    # top

To quit press q, for help press h.

7.4 Kill Process in Linux

7.4.1 kill Command

Linux and all other UNIX-like OSes come with the kill command. The kill command sends the specified signal (for example, one that kills the process) to the specified process or process group. If no signal is specified, the TERM signal is sent. First, you need to find out the process PID (process id). The PIDs can be obtained by first using the ps command, which lists the names and PIDs of processes currently on the system. Use the ps command or the pidof command to find out the process ID (PID). Syntax:

    ps aux | grep processname
    pidof processname


For example, if the process name is lighttpd, you can use any one of the following commands to obtain the process ID:

    ps aux | grep lighttpd

Output:

    lighttpd  3486  0.0  0.1  4248  1432 ?  S   Jul31  0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
    lighttpd  3492  0.0  0.5 13752  3936 ?  Ss  Jul31  0:00 /usr/bin/php5-cg

Or use the pidof command, which is used to find the process ID of a running program:

    pidof lighttpd

Output:

    3486

The above command tells you the PID (3486) of the lighttpd process. Now kill the process using this PID:

    kill 3486

Or

    kill -9 3486

Where -9 is the special KILL signal, which will kill the process.

7.4.2 killall Command


The killall command is used to kill all processes associated with programs whose names are provided to it as arguments. The killall command kills processes by name (no need to find the PID):

    killall -9 lighttpd

Kill the Firefox process:

    killall -9 firefox-bin

7.5 Manipulate Process Priority with nice

As mentioned earlier, modern operating systems are multi-user and multitasking, which means that multiple users and multiple tasks can be using the computer at any given time. Typically you'll have one person using a desktop system running any number of applications, or many users using many applications on a server.

The amount of time devoted to tasks largely depends on how intensive the task is. Some tasks require higher priority than others; for instance, if you were compiling a large software package you didn't need immediately, that priority should probably be lower than your Web browser or e-mail client. Each process has a niceness value associated with it, which is what the kernel uses to determine which processes require more processor time than others. The higher the nice value, the lower the priority of the process. In other words, the nicer the program, the less CPU it will try to take from other processes; programs that are less nice tend to demand more CPU time than other programs that are nicer. The priority is noted by a range of -20 (the highest) to 20 (the lowest). Using ps, you can see the current nice value of all programs:

    $ ps axl
    F   UID   PID  PPID PRI  NI    VSZ  RSS WCHAN  STAT TTY   TIME COMMAND
    4     0     1     0  16   0   2648  112        S    ?     0:01 init [3]
    1     0     2     1  34  19      0    0 ksofti SN   ?     0:02 [ksoftirqd/0]
    5     0     3     1  10  -5      0    0 worker S<   ?     0:00 [events/0]
    ...

You can see that init has a nice value of 0, while other kernel tasks associated with PID 2 and 3 have a nice value of 19 and -5 respectively. Typically, a program inherits its nice value from its parent; this prevents low priority processes from spawning high priority children. Having said that, you can use the nice command (as root or via sudo) with the command you wish to execute in order to alter its nice value. Here is a short illustration:
# ps axl | grep axl | grep -v grep 4 0 30819 30623 15 0 4660 772 R+ pts/0 0:00 ps axl

# nice -10 ps axl | grep axl | grep -v grep 4 0 30822 30623 30 10 4660 772 RN+ pts/0 0:00 ps axl

You can see there that the nice value, represented by column six, has been altered. You can also use the renice command to alter running processes. In the following example, nano was started to edit the file foo and began with a default nice value of 0. Using renice, we can change its priority:
# ps axl | grep nano | grep -v grep 0 0 30832 30623 16 0 15840 3140 S+ pts/0 0:00 nano foo

# renice -5 30832

30832: old priority 0, new priority -5


# ps axl | grep nano | grep -v grep 0 0 30832 30623 15 -5 15840 3140 S<+ pts/0 0:00 nano foo

Here, we have adjusted the priority of nano, giving it a slightly higher priority. Renice operates on the process ID, so using grep, we determined that nano is process ID 30832 and saw that the nice value was 0. After executing renice, the nice value is now -5.

You should remember that only root can alter the nice priority of programs. So if you find that your compilation is taking too much CPU from other activities, consider renicing the parent process via root. Subsequent children should have a better nice value, or you can even start the compilation (or any other activity) with nice, specifying an appropriate nice value. You can also use renice to renice all programs belonging to a process group or user name/ID.
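As an added example (not part of the manual), this POSIX shell script goes once through the process cycle this chapter describes: it launches a command in the background with an ampersand and a nice value of 10, reads the NI column back with ps, sends the default TERM signal with kill, and confirms the process is gone. The function names and the use of sleep as the stand-in long-running task are this example's own.

```shell
#!/bin/sh
# Added example, not from the manual: one pass through the process handling
# this chapter describes. A long-running command (sleep stands in for the
# compile) is started in the background with &, its nice value is read from
# the NI column of ps, it is then stopped with kill's default TERM signal,
# and the script confirms it is gone.

BG_PID=""

# start_background NICE: launch sleep at the given niceness; stores its PID in BG_PID.
# Output goes to /dev/null so a caller running this inside $(...) is not held open.
start_background() {
    nice -n "$1" sleep 60 >/dev/null 2>&1 &
    BG_PID=$!            # $! is the PID of the most recent background job
}

# wait_until_running PID NAME: poll (up to about 5 s) until PID's command name
# is NAME, i.e. nice has applied the priority and exec'd the real program.
wait_until_running() {
    i=0
    while [ "$(ps -o comm= -p "$1" | tr -d ' ')" != "$2" ]; do
        i=$((i + 1))
        [ "$i" -lt 50 ] || return 1
        sleep 0.1
    done
}

# nice_value PID -> the NI column for that process
nice_value() {
    ps -o ni= -p "$1" | tr -d ' '
}

# process_walkthrough: prints "<nice value> <gone|alive>", expected "10 gone"
process_walkthrough() {
    start_background 10
    wait_until_running "$BG_PID" sleep || return 1
    ni=$(nice_value "$BG_PID")
    kill "$BG_PID"                       # no signal given, so TERM is sent
    wait "$BG_PID" 2>/dev/null || true   # reap it; the status is non-zero after TERM
    if kill -0 "$BG_PID" 2>/dev/null; then state=alive; else state=gone; fi
    echo "$ni $state"
}

process_walkthrough
```

Raising the niceness as done here needs no privilege; as the chapter notes, lowering it (a negative value) is reserved for root.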

Chapter 8

Samba Server

A Network File System (NFS) allows users to mount a remote file system on a local mount point and access it as if it were part of the local file system. Users can also open the files in the remote file system with another program. It has the drawback that it supports only Linux. Another file sharing server is the FTP server. Though it is cross-OS compatible, it does not provide the facilities of a file system. That is, it cannot be mounted on a local mount point, and it does not allow users to open the remote files with a program. The Samba server combines the facilities of both NFS and FTP. Samba shares are cross-OS compatible and it allows the users to treat a remote file system as a local file system.

8.1 Necessary Samba Components

Samba has one server component and a number of client components. The server component is the smbd daemon, and the client components are smbfs and smbclient. smbclient is like an ftp client, which can be used to connect to a Samba server and upload / download files to / from it. smbfs is used for mounting remote directories provided by a Samba share into local machines. Once mounted, any application can access the files on the remote directory as if they were in a local directory. There are also some useful utilities, such as nmblookup, which lists all hosts in a network that provide the Samba service, and nmbd, which broadcasts name information in the network. All these components can be installed with the apt-get command. For example, to install Samba enter the following command into the shell:

    sudo apt-get install samba

8.2 Naming Scheme

Each host on a network acting as a Samba server can have a name (possibly different from its host name). The resource it is sharing can also be given a name (possibly different from its original name). To locate a resource on a server, the resource is identified by its path, which is written as:

    //COMPUTER_NAME/SHARE_1/SUB_FOLDER_1/.../SUB_FOLDER_K


8.3 Creating Users

In order to give access to the shared resource, users need to be created and added to Samba. A user can be created using the useradd or adduser command. Then it can be assigned a password with the passwd command. Use the smbpasswd command with the -a option followed by a username to add that particular user to the Samba server.

8.4 Samba Server Configuration

In order to share different resources over a network using the Samba server, the configuration file needs to be changed. The main configuration file is /etc/samba/smb.conf. The configuration file is divided into several sections. Its structure looks as follows:

    [global]
    # ..This section contains global settings..
    [homes]
    # ..settings for user home directories..
    [name_of_share_1]
    # ..share 1 settings..
    [name_of_share_2]
    # ..share 2 settings..
    ...
    [name_of_share_k]
    # ..share k settings..
    [printers]
    # ..settings for shared printers..

The global section contains global settings which apply to all the shares. Global settings can be overridden by specifying share-specific settings. The homes section contains settings about user home folders. The Samba server can be used to maintain the home folders of the network users. User accounts can be created on the server and the users can log in from a remote machine and access their home folder from that remote machine. All other sections shown, except printers, are for each individual shared resource. Each shared resource is given a name which can be used by the client to locate it. In each section a number of settings are specified. A setting has the form keyword = value. There are several keywords defined for the Samba server. Some of the most important keywords are explained below.

workgroup
    This is the Windows workgroup of which the Samba server is part.

netbios name
    This is used in the global section only. It gives the sharing server a name which will be used by the client to locate the resource. This can be different from the host name / domain name of the server. netbios name = sambaserver will give the server the name sambaserver.

encrypt passwords
    Its value can be either yes or no. If this is enabled then all the passwords will be kept / transferred encrypted. If there are older Windows systems (Windows 95, 3.x) then this should be disabled, as these systems do not support it. This is also a global option.

interfaces
    This global option specifies which networks are connected to the server and can access the shares. There is another option, bind interfaces only. It can have a yes/no value. If it has the value yes then access is strictly restricted to the networks specified in the interfaces directive.

hosts allow and hosts deny These directives contain the IP addresses of the hosts that will or will not get access. If a client is listed in hosts allow it is given access; if it is not listed in hosts allow but is listed in hosts deny it is not allowed. If it is listed in neither, it is allowed. If both directives contain the same IP address, that host is not allowed.

read only A share specific setting with a yes/no value. A value of yes makes the share read only. If nothing is specified, the share is read only.

writable A share specific setting that acts like read only, but with the opposite meaning.

browsable This can have a yes/no value. A shared folder must have browsable set to yes in order to be accessible.

path Its value is a string giving the path of the shared folder.

write list A space separated list of users who can write to the shared directory. Instead of a list of users, a user group can be given here, but the group name must be preceded by an @ symbol.

valid users A space separated list of users or user groups who are eligible to access this shared resource.

invalid users Analogous to valid users. If a user appears in both the valid users and invalid users lists, that user is not given access to the shared resource.

guest ok This option has a yes/no value. A value of yes allows clients to connect to the share without supplying a password.

create mask Determines the permissions new files will have when created within the shared directory.

directory mask Determines the permissions new directories will have when created within the shared directory.

printable This option has a yes/no value. It should be set to yes if printer sharing is to be enabled.

Let's consider an example. We want to set up a Samba server at IP address 192.168.200.100. Three users need to be created on the server: alice, bob and tom. Two folders on the server, /tmp/a and /tmp/b, need to be shared, but the clients will see them as Music and Pictures. The shares will have the following features:

- The shares will be available only to the network 192.168.200.0/24 and localhost
- The IP address 192.168.200.50 will be banned from accessing any resource on the server
- The server name and workgroup will be sambashare and WORKGROUP respectively
- Passwords will be encrypted
- The home directories will be accessible and writable
- The Music share will be read only. Users without a password will be able to access it, but user tom will not have any access to it
- The Pictures share will be writable. Users without a password will not be able to access it. Any file created within the directory will not have write permission for group and others, and any directory created within the share will not have any permission for group and others. Users alice and bob will be able to access it
- Printer sharing should be enabled. Anyone without a password should be able to print from the shared printer

First create the users and add them to the Samba server:

    useradd alice
    passwd alice
    useradd bob
    passwd bob
    useradd tom
    passwd tom
    smbpasswd -a alice
    smbpasswd -a bob
    smbpasswd -a tom

The smb.conf file will look as follows:

    [global]
    workgroup = WORKGROUP
    netbios name = sambashare
    encrypt passwords = yes
    interfaces = 127.0.0.0/8, 192.168.200.0/24
    bind interfaces only = yes
    hosts deny = 192.168.200.50

    [homes]
    read only = no
    browsable = yes

    [Music]
    path = /tmp/a
    browsable = yes
    read only = yes
    invalid users = tom
    guest ok = yes

    [Pictures]
    path = /tmp/b
    browsable = yes
    read only = no
    valid users = alice bob
    create mask = 0755
    directory mask = 0700
    guest ok = no

    [printers]
    browsable = no
    printable = yes
    guest ok = yes
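As an added example (not part of this guide or of Samba itself), the following Python script applies the directive semantics described above to the example smb.conf, embedded inline so it runs offline, and reports which user gets which access to each share from a given client address. The [homes] and [printers] sections are left out because they are not per-user share checks, and only the global hosts deny list is modelled, not hosts allow.

```python
"""Work out who gets what access to the shares in the example smb.conf.

Added example, not code from the guide or the Samba project: it applies the
precedence rules given in the directive descriptions (hosts deny blocks a
client globally, invalid users beats valid users, write list overrides
read only, guest ok admits password-less clients) to the config below.
"""
import configparser
import ipaddress

# The example configuration from the text, minus [homes] and [printers].
SMB_CONF = """
[global]
workgroup = WORKGROUP
netbios name = sambashare
encrypt passwords = yes
interfaces = 127.0.0.0/8, 192.168.200.0/24
bind interfaces only = yes
hosts deny = 192.168.200.50

[Music]
path = /tmp/a
browsable = yes
read only = yes
invalid users = tom
guest ok = yes

[Pictures]
path = /tmp/b
browsable = yes
read only = no
valid users = alice bob
create mask = 0755
directory mask = 0700
guest ok = no
"""


def load_conf(text):
    """smb.conf is INI-like: '=' separated, keys case-insensitive, no interpolation."""
    conf = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    conf.read_string(text)
    return conf


def _yes(section, key, default):
    return section.get(key, default).strip().lower() in ("yes", "true", "1")


def _names(section, key):
    """Space separated user list; '@group' entries are kept as written."""
    return section.get(key, "").split()


def host_denied(conf, client_ip):
    """True when client_ip falls in any entry of the global hosts deny list."""
    entries = conf["global"].get("hosts deny", "").replace(",", " ").split()
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def share_access(conf, share, user, client_ip, has_password=True):
    """Return 'none', 'read' or 'write' for user reaching share from client_ip."""
    if host_denied(conf, client_ip):
        return "none"
    sec = conf[share]
    if not has_password and not _yes(sec, "guest ok", "no"):
        return "none"                      # no guest access on this share
    if user in _names(sec, "invalid users"):
        return "none"                      # invalid users wins over valid users
    valid = _names(sec, "valid users")
    if valid and user not in valid:
        return "none"
    if user in _names(sec, "write list"):
        return "write"                     # write list overrides read only
    read_only = _yes(sec, "read only", "yes") and not _yes(sec, "writable", "no")
    return "read" if read_only else "write"


def access_matrix(conf, users, client_ip):
    """Map (share, user) -> access for every non-global share."""
    shares = [s for s in conf.sections() if s != "global"]
    return {(s, u): share_access(conf, s, u, client_ip) for s in shares for u in users}


if __name__ == "__main__":
    cfg = load_conf(SMB_CONF)
    for (share, user), acc in sorted(access_matrix(cfg, ["alice", "bob", "tom"], "192.168.200.20").items()):
        print(f"{share:9} {user:6} {acc}")
    print("guest on Music:", share_access(cfg, "Music", "nobody", "192.168.200.20", has_password=False))
    print("bob from the banned host:", share_access(cfg, "Pictures", "bob", "192.168.200.50"))
```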

8.5 Testing and Troubleshooting

The log files of the Samba server are stored in the /var/log/samba folder. There are at least two files here, one for the smbd daemon and another for the nmbd daemon. By default, for each access from a client to a share a separate log file is created, named after the client IP address / host name. There are some global options such as syslog only, syslog etc. for changing the logging settings. After making changes to the configuration file it can be checked for errors with the testparm command. To check the server's functionality from the user side, an attempt to mount a shared folder can be made. To mount the Music share on a local folder named /tmp/c, the following command should be entered in the client's terminal:

    sudo smbmount //192.168.200.100/Music /tmp/c

Chapter 9

Squid Proxy Server


9.1 Squid

Squid is a full-featured web proxy cache server application which provides proxy and cache services for Hyper Text Transport Protocol (HTTP), File Transfer Protocol (FTP), and other popular network protocols. Squid can implement caching and proxying of Secure Sockets Layer (SSL) requests and caching of Domain Name Server (DNS) lookups, and perform transparent caching. Squid also supports a wide variety of caching protocols, such as Internet Cache Protocol (ICP), the Hyper Text Caching Protocol (HTCP), the Cache Array Routing Protocol (CARP), and the Web Cache Coordination Protocol (WCCP). The Squid proxy cache server is an excellent solution to a variety of proxy and caching server needs, and scales from the branch office to enterprise level networks while providing extensive, granular access control mechanisms and monitoring of critical parameters via the Simple Network Management Protocol (SNMP). When selecting a computer system for use as a dedicated Squid proxy or caching server, ensure your system is configured with a large amount of physical memory, as Squid maintains an in-memory cache for increased performance. Details of Squid can be found at http://www.squid-cache.org/.

9.2 Installation and Configuration

9.2.1 Installation

At a terminal prompt, enter the following command to install the Squid server:

    sudo apt-get install squid3

9.2.2 Configuration

The complete configuration file is found at /etc/squid3/squid.conf. However, since the Squid configuration file has over 4960 lines it is not the easiest to work with. A basic configuration of Squid only needs one modification if you are using private networks. Squid is configured by editing the directives contained within the /etc/squid3/squid.conf configuration file. The following examples illustrate some of the directives which may be modified to affect the behavior of the Squid server.

Prior to editing the configuration file, you should make a copy of the original file and protect it from writing so you will have the original settings as a reference, and to re-use as necessary. Copy the /etc/squid3/squid.conf file and protect it from writing with the following commands entered at a terminal prompt:

    sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.original
    sudo chmod a-w /etc/squid3/squid.conf.original

Naming the Proxy

It's important that Squid knows the name of the machine. To do this, locate the line visible_hostname. For example, if the machine is called iaclsasc, insert:

    visible_hostname iaclsasc

Choosing the Port

By default, the proxy server will use port 3128. To choose another port, locate the line:

    http_port 3128

and change the port number, for example:

    http_port 3177

Choosing the Interface

By default the proxy server will listen on all interfaces. For security reasons, it's better to bind it to your local network only. For example, if the network card connected to your LAN has IP 10.0.0.1, change the line to:

    http_port 10.0.0.1:3177

Setting Access Rights and Priorities

By default, nobody is allowed to connect to the proxy server (only from your machine itself). A list of permissions must be created. Squid can be configured to allow/disallow hosts based on certain rules. This is called an ACL (Access Control List). An ACL is a space separated collection of rules. An ACL is a logical AND of the rules it contains. Squid matches each Web access request it receives by checking the http_access list from top to bottom. If it finds a match, it enforces the allow or deny statement and stops reading further. You have to be careful not to place a deny statement in the list that blocks a similar allow statement below it. The final http_access statement denies everything, so it is best to place new http_access statements above it.

Allow all hosts:

    http_access allow all

Deny all hosts:

    http_access deny all

For example, we will define a group encompassing the local network. Find the line beginning with acl localhost... At the end of the section, add:

    acl lanhome src 10.0.0.0/8

Now that the group is defined, we will authorize it to use the proxy. Locate the line http_access allow ... and add below it (before the line http_access deny all):

    http_access allow lanhome

Changing where to Store the Cache Files

Do a search for cache_dir ufs. You will find a line similar to this:

    cache_dir ufs /var/spool/squid3 10000 16 256

In this example the first part is the squid filesystem type and location. 10000 is the storage in MBytes; the default is 100. 16 and 256 are the number of Level 1 and Level 2 directories.


9.3 Restart Squid

Restart the proxy to apply the modifications you made:

    sudo /etc/init.d/squid3 restart

Or, go for the quicker method:

    sudo /etc/init.d/squid3 reload

9.4 Important Locations

Once you install Squid, you will need to be familiar with these locations that are important for Squid.

    /etc/squid                 config directory
    /etc/squid3/squid.conf     squid configuration file
    /usr/share/doc/squid       documentation and examples
    /usr/lib/squid             support files
    /usr/sbin/squid            squid daemon
    /var/log/squid3            log directory
    /var/spool/squid3          cache directory

9.5 Further Configurations

9.5.1 Restricting Web Access by Time

You can create access control lists with time parameters. For example, you can allow only business hour access from the home network, while always restricting access to host 192.168.1.23.


    #
    # Add this to the bottom of the ACL section of squid.conf
    #
    acl home_network src 192.168.1.0/24
    acl business_hours time M T W H F 9:00-17:00
    acl RestrictedHost src 192.168.1.23
    #
    # Add this at the top of the http_access section of squid.conf
    #
    http_access deny RestrictedHost
    http_access allow home_network business_hours

Or, you can allow morning access only:

    #
    # Add this to the bottom of the ACL section of squid.conf
    #
    acl mornings time 08:00-12:00
    #
    # Add this at the top of the http_access section of squid.conf
    #
    http_access allow mornings home_network business_hours

9.5.2 Restricting Access to Specific Web Sites

Squid is also capable of reading files containing lists of web sites and/or domains for use in ACLs. To deploy the web-site blocking mechanism in Squid, add the following entries to your Squid configuration file:

    acl bad url_regex "/usr/local/etc/squid3/squid-block.acl"
    http_access deny bad

The file /usr/local/etc/squid3/squid-block.acl contains the web sites or words you want to block. You can name the file whatever you like. If a site has a URL or word listed in the squid-block.acl file, it won't be accessible to your users. The entries can be like this:

    .noentry.com
    .badboy.com.br
    ugly

With the squid-block.acl file in action, internet users cannot access the following sites:

- Sites that have addresses ending with .noentry.com
- Sites that have addresses ending with .badboy.com.br
- Sites containing the word ugly in their pages

You should beware that by blocking sites containing the word sex, you will also block sites which have the word anywhere in their pages. To resolve this problem, you can put those sites in a special file called squid-noblock.acl:

    http://www.middlesex.ac.uk
    http://www.sussex.ac.uk
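The first-match behaviour of http_access described in this chapter, together with the time and url_regex ACLs above, is easy to get wrong by placing a line in the wrong spot. As an added example (not code from the guide or from the Squid project), the following Python script re-implements that evaluation order for src, time and url_regex ACLs only, over a constructed squid.conf fragment and constructed copies of the two list files; placing an allow line for the squid-noblock.acl list above "deny bad" is an assumption about how that file is meant to be wired in, since the text only names it.

```python
"""First-match evaluation of Squid http_access rules (src, time, url_regex).

Added example, not from the guide or Squid: re-implements the ordering
semantics described in this chapter so a rule's placement can be tested.
"""
import ipaddress
import re
from datetime import datetime

# Constructed squid.conf fragment assembled from the snippets in this chapter.
SQUID_CONF = """
acl all src all
acl home_network src 192.168.1.0/24
acl business_hours time M T W H F 9:00-17:00
acl RestrictedHost src 192.168.1.23
acl noblock url_regex "/usr/local/etc/squid3/squid-noblock.acl"
acl bad url_regex "/usr/local/etc/squid3/squid-block.acl"
http_access deny RestrictedHost
http_access allow noblock home_network business_hours
http_access deny bad
http_access allow home_network business_hours
http_access deny all
"""

# Constructed stand-ins for the quoted list files (one pattern per line).
FILES = {"/usr/local/etc/squid3/squid-block.acl": ".noentry.com\n.badboy.com.br\nugly\nsex\n",
         "/usr/local/etc/squid3/squid-noblock.acl": "http://www.middlesex.ac.uk\nhttp://www.sussex.ac.uk\n"}

DAY_LETTERS = "SMTWHFA"  # Squid time acl: S=Sun M=Mon T=Tue W=Wed H=Thu F=Fri A=Sat


def parse_conf(text, files=FILES):
    """Return ({acl name: (type, values)}, [(action, [acl names])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            if len(values) == 1 and values[0].startswith('"'):
                values = files[values[0].strip('"')].split()   # quoted path = list file
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _minutes(hhmm):
    return int(hhmm.split(":")[0]) * 60 + int(hhmm.split(":")[1])


def acl_matches(kind, values, request):
    """One acl: its values are ORed; request has 'src', 'url' and 'when'."""
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        nets = ["0.0.0.0/0" if v == "all" else v for v in values]
        return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
    if kind == "url_regex":
        return any(re.search(v, request["url"]) for v in values)
    if kind == "time":
        when = request["when"]
        days = [v for v in values if len(v) == 1]
        spans = [v for v in values if "-" in v]
        day_ok = not days or DAY_LETTERS[(when.weekday() + 1) % 7] in days
        now = when.hour * 60 + when.minute
        time_ok = not spans or any(_minutes(a) <= now <= _minutes(b) for a, b in (s.split("-") for s in spans))
        return day_ok and time_ok
    raise ValueError(f"acl type {kind} not modelled here")


def decide(acls, rules, request):
    """Walk http_access top to bottom; ACLs on one line are ANDed; first hit wins."""
    for action, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], request) != n.startswith("!") for n in names):
            return action
    # Squid's documented fallback when nothing matched: the opposite of the last line.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


def sample_requests():
    """Constructed requests; 11 Apr 2011 is a Monday, 10 Apr 2011 a Sunday."""
    mon, sun = datetime(2011, 4, 11, 10, 0), datetime(2011, 4, 10, 10, 0)
    return {
        "lan_in_hours": {"src": "192.168.1.40", "url": "http://www.example.org/", "when": mon},
        "lan_weekend": {"src": "192.168.1.40", "url": "http://www.example.org/", "when": sun},
        "restricted_host": {"src": "192.168.1.23", "url": "http://www.example.org/", "when": mon},
        "blocked_word": {"src": "192.168.1.40", "url": "http://www.example.org/ugly.html", "when": mon},
        "middlesex": {"src": "192.168.1.40", "url": "http://www.middlesex.ac.uk/", "when": mon},
    }


def decisions(conf=SQUID_CONF, drop_noblock=False):
    """Decision per sample request; drop_noblock shows the over-blocking without the fix."""
    acls, rules = parse_conf(conf)
    if drop_noblock:
        rules = [r for r in rules if "noblock" not in r[1]]
    return {name: decide(acls, rules, req) for name, req in sample_requests().items()}
```

Calling decisions() returns allow for the in-hours LAN client and the middlesex URL and deny for the rest; decisions(drop_noblock=True) shows middlesex being caught by the "sex" pattern once the noblock line is gone.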


9.5.3 Squid Transparent Proxy Configuration

It is possible to limit HTTP Internet access to only the Squid server without having to modify the browser settings on your client PCs. This is called a transparent proxy configuration. It is usually achieved by configuring a firewall between the client PCs and the Internet to redirect all HTTP (TCP port 80) traffic to the Squid server on TCP port 3128, which is the Squid server's default TCP port. Your first step will be to modify your squid.conf to create a transparent proxy. Squid simply requires you to add the word transparent to the default http_port 3128 statement. In this example, Squid not only listens on TCP port 3128 for proxy connections, but will also do so in transparent mode.

    http_port 3128 transparent

9.6 Cache Hierarchies

Squid is particularly good at communicating with other caches and proxies. Numerous inter-cache communication protocols are supported, including ICP (Inter-Cache Protocol), Cache-Digests, HTCP (Hyper-Text Cache Protocol) and CARP (Cache Array Routing Protocol). Each of these protocols has specific strengths and weaknesses; they are more suited to some circumstances than others.

9.6.1 Why Peer?

The primary function of an inter-cache protocol is to stop object duplication, increasing hit rates. If you have a large network with widely separated caches, you may wish to store objects in each cache even if one of your other caches has it: by keeping objects close to your users, you reduce their network latency (even if you end up wasting disk space in the process). Inter-branch traffic can be reduced by placing a cache at each branch. Since caches can avoid duplicating objects between them, each disk you add to a cache adds space to the overall hierarchy, increasing your hierarchy hit-rate. This is a lot better than simply having caches at branches which do not communicate with one another, since with that setup you end up with multiple copies of each cache object, one per server. Clients can also be configured to query another branch's cache if their local one goes down, adding redundancy. If overloaded, a central cache machine can become a network bottleneck. Unlike one cache machine, caches in a hierarchy can be close to all parts of the network; they can also handle a much larger load (with a near-linear increase in performance with each added machine). Loaded caches can thus be replaced with clusters of low-load caches, without wasting disk space. Integrating your caches into a public cache hierarchy can increase your hit rate (since you increase your effective disk space by accessing other machines' object stores). By choosing peers carefully, you can reduce latency, or reduce costs by saving Internet bandwidth (if communicating with your peers is cheaper than going direct to the source). On the other hand, communicating with peers via loaded (or high-latency) lines can slow down your cache. It's best to check your peer response times periodically to see whether the peering arrangement is beneficial.


9.6.2 Peer Configuration

You use the cache_peer option to configure the peers that Squid will communicate with. Other options are then used to select which peer to pass a request to.

The cache_peer Option

When communicating with a peer, Squid needs some basic information about how to talk to the machine: the hostname, what ports to send queries to, and so forth. The cache_peer config line does this. Let's look at an example line. The cache_peer option is split into five fields. The first field (cache.domain.example) is the hostname or IP of the cache that is to be queried. The second field indicates the type of relationship, and must be set to either parent, sibling or multicast. The third field sets the HTTP port of the destination server, while the fourth sets the ICP (UDP) query port. The fifth field can contain zero or more keywords, although we only use one in the example above; the keyword default sets that cache as the default path to the outside world. If you compiled Squid to support HTCP, your cache will automatically attempt to connect to TCP port 4827 (there is currently no option to change this port value). Cache digests are transferred via the HTTP port specified on the cache_peer line. So in most cases you need to enter something like this (one or all):

    cache_peer proxy.visolve.com parent 3128 3130 default
    cache_peer 172.16.1.57 parent 3128 3130 proxy-only
    cache_peer 172.16.1.123 sibling 3129 5500 weight=2

Chapter 10

Network File System


Network File System (NFS) allows users to use the file system of a remote computer on the same network as if it were a local file system. Users can mount the remote file system on the local machine and access the files stored there or open the files with any external program. It is a server/client architecture where the server provides disk space for clients and the clients use the shared space as if it were local space. One use of NFS is the management of user home directories in a network: the home directories are created on the server, so all user data is on the server and a user can access their data from any local machine.

10.1 NFS in Linux

To get the benefits of NFS a server program and a client program are required. In Linux, nfs-kernel-server is a widely used NFS server, and for client support the client machines should have the nfs-common package installed. The server can be installed with the following command:

    sudo apt-get install nfs-kernel-server

10.2 NFS Server Configuration

The server is configured to share a number of directories with the hosts. A number of options are available to use with each share. The clients mount the shared directory on a local mount point of their machine.

10.2.1 Configuration Files

Three configuration files are associated with NFS configuration:

1. /etc/exports
2. /etc/hosts.allow
3. /etc/hosts.deny

The last two files are for security settings only, and they are not NFS specific.


10.2.2 Sharing Directories

For the subsequent sections we shall make the following assumptions:

- A directory named /var/cache/shared has been created on the server. This will be shared among the clients.
- The server's IP address is 192.168.200.100
- The network address of the network is 192.168.200.0/24
- Valid hosts range from 192.168.200.1 to 192.168.200.254
- A directory named /var/cache/mp has been created on one of the client machines to act as a local mount point

The /etc/exports file contains a list of entries. Each entry corresponds to a shared directory and is formatted as:

    <directory_path> share_address1(list_of_options) share_address2(list_of_options) ...

Here,

directory path The path of the directory on the server that is to be shared.

share address IP address / host name of the machine that will get a share of the directory. Instead of specifying a specific machine, a network address can be used to share the directory with all the hosts on the network.

list of options A comma separated list of options which describes what type of access the client(s) will get.

The available options for a share are:

ro Read only share. The client(s) will not be able to write anything in the shared folder. This is the default sharing behaviour.

rw Read and write access for the client(s) on the share.

no_subtree_check For partially shared volumes, a routine called subtree checking verifies that a requested file is in the exported part of the volume. This option turns that check off, which may speed up the service when an entire volume is shared.

no_root_squash If this is selected, root on the client machine will have the same level of access to the files in the shared folder as root on the server. By default this option is not enabled.

sync By default, writing of files is performed asynchronously. Though this improves performance, it may cause data corruption if the server reboots. This option prevents that.

Now if we want to share our desired directory with the host 192.168.200.10 with read-write access and no subtree checking, and with the host 192.168.200.20 with read only access and synchronous writes, then our entry in the /etc/exports file would look like the following:

    /var/cache/shared 192.168.200.10(rw,no_subtree_check) 192.168.200.20(ro,sync)

If we want to share the directory with all hosts in the network then we can specify that as:

    /var/cache/shared 192.168.200.0/255.255.255.0(rw,no_subtree_check,sync)

or

    /var/cache/shared 192.168.200.0/24(rw,no_subtree_check,sync)

We can also use wildcard characters to specify a class of hosts that will get the share. For example, the following entry will share the directory with the hosts whose IP address starts with a 2 in the host part:

    /var/cache/shared 192.168.200.2*(rw,no_subtree_check,sync)

Using only * in the share address part will cause the folder to be shared with all the hosts. The next step is to make the directories added in the file available for sharing. This can be accomplished with the following command:

    sudo exportfs -ra

This will make the directory available to the clients. The clients can mount the directory in their local file system with the following command:

    sudo mount <server_ip>:<server_folder_path> <mount_point>

For our example it would look like:

    sudo mount 192.168.200.100:/var/cache/shared /var/cache/mp
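Because the option list in an /etc/exports entry must follow the share address with no space between them, a small slip in this syntax changes who gets the share. As an added example (not code from the guide or from nfs-utils), the following Python script parses entries in the format described above and reports what a reviewer looks for: no_root_squash, read-write exports to wildcard hosts, the "host (options)" typo that quietly exports to every host, and tokens that cannot be parsed at all. The sample file is constructed; its first two lines are the guide's own entries and the rest are deliberately risky.

```python
"""Audit /etc/exports entries for risky or malformed NFS shares.

Added example, not code from the guide or nfs-utils: it parses the entry
syntax described above and reports what a reviewer looks for, including
the 'host (options)' typo that silently exports to every host.
"""
import re

# Constructed sample: the first two lines are the guide's own entries, the
# rest are deliberately risky or malformed to exercise the checks.
EXPORTS = """
/var/cache/shared 192.168.200.10(rw,no_subtree_check) 192.168.200.20(ro,sync)
/var/cache/shared 192.168.200.0/24(rw,no_subtree_check,sync)
/srv/backup *(rw,no_root_squash)
/home 192.168.200.10 (rw,sync)
/srv/data 192.168.200.10(rw), 192.168.200.20(ro)
"""

# client name, optionally followed immediately by (opt,opt,...); nothing else allowed
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return one dict per (path, client) pair; a bare '(opts)' token means client '*'."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        path, clients = parts[0], parts[1:]
        for token in clients:
            m = CLIENT_RE.match(token)
            if not m:
                entries.append({"path": path, "client": token, "opts": [],
                                "malformed": True, "bare_opts": False})
                continue
            client, opts = m.group(1), m.group(2)
            entries.append({"path": path, "client": client or "*",
                            "opts": opts.split(",") if opts else [],
                            "malformed": False, "bare_opts": client == ""})
    return entries


def audit(entries):
    """Return (severity, path, client, message) findings, highest risk first."""
    findings = []
    for e in entries:
        path, client, opts = e["path"], e["client"], e["opts"]
        if e["malformed"]:
            findings.append(("high", path, client, "unparsable client token (stray comma or quote?)"))
            continue
        if e["bare_opts"]:
            findings.append(("high", path, client,
                             "options separated from the host by a space apply to every host"))
        if "no_root_squash" in opts:
            findings.append(("high", path, client, "client root becomes root on the server (no_root_squash)"))
        if "rw" in opts and any(c in client for c in "*?"):
            findings.append(("high", path, client, "read-write export to a wildcard host"))
        if "rw" in opts and "sync" not in opts and "async" not in opts:
            findings.append(("low", path, client, "write mode not stated; add sync to survive a server reboot"))
    order = {"high": 0, "low": 1}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, path, client, msg in audit(parse_exports(EXPORTS)):
        print(f"{sev:5} {path:18} {client:22} {msg}")
```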


10.3 Security

The /etc/hosts.allow and /etc/hosts.deny files can be used to control access to daemons running on the server. The following actions are taken when the server receives a request:

1. The hosts.allow file is checked to see if the requesting client matches any rule listed there. If a match is found, the client is allowed to get that service.
2. If no rule matched, the hosts.deny file is checked. If a match is found, the request is denied.
3. If no match is found in either file, access is given.

Both files have the same structure, which is:

    <list of services> : <client IP addresses, or network address>

The necessary services for NFS are portmap, mountd, statd, nfsd, lockd and rquotad. To allow client requests to these services from all hosts, add the following line to the hosts.allow file:

    portmap mountd nfsd statd lockd rquotad : ALL

Adding ALL : ALL will allow all the hosts to access all the services on the server. To allow only specific hosts (e.g. 192.168.200.10 and 192.168.200.20) or network members to access these services on the server, add the following line to the hosts.allow file:

    portmap mountd nfsd statd lockd rquotad : 192.168.200.10, 192.168.200.20

And also add the following line to the hosts.deny file to stop all other hosts from accessing these services:

    portmap mountd nfsd statd lockd rquotad : 192.168.200.0/24
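The three-step order above means a host that matches neither file is let in, so the reach of the deny line decides what is exposed. As an added example (not code from the guide or from tcp_wrappers), the following Python script applies that order to constructed copies of the two files shown above and lets you ask what a given client gets for a given service; besides exact addresses, ALL and network/netmask forms, it also accepts the trailing-dot prefix form (192.168.200.) documented in hosts_access(5).

```python
"""Evaluate hosts.allow / hosts.deny rules for the NFS services.

Added example, not code from the guide or from tcp_wrappers: it applies the
three-step order described above (allow file, then deny file, then permit)
to constructed copies of both files so the effect of a narrow deny line can
be seen before the server is exposed.
"""
import ipaddress

# Constructed file contents; the lines follow the examples in this section.
HOSTS_ALLOW = "portmap mountd nfsd statd lockd rquotad : 192.168.200.10, 192.168.200.20\n"
HOSTS_DENY = "portmap mountd nfsd statd lockd rquotad : 192.168.200.0/24\n"


def parse_rules(text):
    """Return [(set of services, [client patterns])] from a hosts.allow/deny file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        services, clients = line.split(":", 1)
        rules.append((set(services.split()), clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, client_ip):
    """ALL, a trailing-dot prefix, net/prefixlen or net/netmask, or an exact address."""
    ip = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                        # prefix form: 192.168.200.
        return client_ip.startswith(pattern)
    if "/" in pattern:                               # 192.168.200.0/24 or /255.255.255.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def rule_matches(rules, service, client_ip):
    """A rule matches when its service list covers the daemon and a client pattern hits."""
    return any((service in svcs or "ALL" in svcs) and any(client_matches(p, client_ip) for p in pats)
               for svcs, pats in rules)


def access_decision(allow_text, deny_text, service, client_ip):
    """Step 1: hosts.allow grants; step 2: hosts.deny refuses; step 3: default is allow."""
    if rule_matches(parse_rules(allow_text), service, client_ip):
        return "allow"
    if rule_matches(parse_rules(deny_text), service, client_ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for host in ("192.168.200.10", "192.168.200.30", "10.0.0.5"):
        print(host, "nfsd ->", access_decision(HOSTS_ALLOW, HOSTS_DENY, "nfsd", host))
```

With the deny line limited to 192.168.200.0/24, a host such as 10.0.0.5 matches neither file and falls through to step 3; denying "ALL" for those services instead closes that gap.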

Chapter 11

Web Server

11.1 Introduction: HTTPD Apache2 Web Server

Apache is the most commonly used Web Server on Linux systems. Web Servers are used to serve Web Pages requested by client computers. Clients typically request and view Web Pages using Web Browser applications such as Firefox, Opera, or Mozilla. Users enter a Uniform Resource Locator (URL) to point to a Web server by means of its Fully Qualified Domain Name (FQDN) and a path to the required resource. For example, to view the home page of the Ubuntu Web site a user will enter only the FQDN. To request specific information about paid support, a user will enter the FQDN followed by a path. The most common protocol used to transfer Web pages is the Hyper Text Transfer Protocol (HTTP). Protocols such as Hyper Text Transfer Protocol over Secure Sockets Layer (HTTPS), and File Transfer Protocol (FTP), a protocol for uploading and downloading files, are also supported. Apache Web Servers are often used in combination with the MySQL database engine, the HyperText Preprocessor (PHP) scripting language, and other popular scripting languages such as Python and Perl. This configuration is termed LAMP (Linux, Apache, MySQL and Perl/Python/PHP) and forms a powerful and robust platform for the development and deployment of Web-based applications.

11.2 Browsing the Web

When you connect to the URL of someone's home page - say the notional http://www.butterthlies.com/ - you send a message across the Internet to the machine at that address. That machine, you hope, is up and running, its Internet connection is working, and it is ready to receive and act on your message. URL stands for Universal Resource Locator. A URL such as http://www.butterthlies.com/ comes in three parts:

    <method>://<host>/<absolute path URL (apURL)>

So, in our example, <method> is http, meaning that the browser should use HTTP (Hypertext Transfer Protocol); <host> is www.butterthlies.com; and <apURL> is /, meaning the top directory of the host. Using HTTP/1.1, your browser might send the following request:

    GET / HTTP/1.1
    Host: www.butterthlies.com

The request arrives at port 80 (the default HTTP port) on the host www.butterthlies.com. The message is again in three parts: a method (an HTTP method, not a URL method), which in this case is GET, but could equally be PUT, POST, DELETE, or CONNECT; the Uniform Resource Identifier (URI) /; and the version of the protocol we are using. It is then up to the web server running on that host to make something of this message. It is worth saying here that the whole business of a web server is to translate a URL either into a filename, and then send that file back over the Internet, or into a program name, and then run that program and send its output back. That is the meat of what it does: all the rest is trimming.

11.3 Installation

The Apache2 web server is available in Ubuntu Linux. To install Apache2, at a terminal prompt enter the following command:

    sudo apt-get install apache2

11.4 Configuration

Apache2 is configured by placing directives in plain text configuration files. These files can be found in /etc/apache2. The directives are separated between the following files and directories:

apache2.conf: the main Apache2 configuration file. Contains settings that are global to Apache2.

conf.d: contains configuration files which apply globally to Apache2. Other packages that use Apache2 to serve content may add files, or symlinks, to this directory.

envvars: file where Apache2 environment variables are set.

httpd.conf: historically the main Apache2 configuration file, named after the httpd daemon. The file can be used for user specific configuration options that globally affect Apache2.

mods-available: this directory contains configuration files both to load modules and to configure them. Not all modules will have specific configuration files, however.

mods-enabled: holds symlinks to the files in /etc/apache2/mods-available. When a module configuration file is symlinked it will be enabled the next time apache2 is restarted.

ports.conf: houses the directives that determine which TCP ports Apache2 is listening on.

sites-available: this directory has configuration files for Apache2 Virtual Hosts. Virtual Hosts allow Apache2 to be configured for multiple sites that have separate configurations.

sites-enabled: like mods-enabled, sites-enabled contains symlinks to the /etc/apache2/sites-available directory. Similarly, when a configuration file in sites-available is symlinked, the site configured by it will be active once Apache2 is restarted.

In addition, other configuration files may be added using the Include directive, and wildcards can be used to include many configuration files. Any directive may be placed in any of these configuration files. Changes to the main configuration files are only recognized by Apache2 when it is started or restarted. The server also reads a file containing mime document types; the filename is set by the TypesConfig directive, and is /etc/mime.types by default.


11.5 Apache Directives

Apache HTTP Server is the most commonly used web server software for dedicated servers. One of the features that makes it particularly versatile is the ability to add directives to the configuration file. System administrators can add directives to the server's primary configuration file, and can also use a directive to grant individual directive privileges to users by way of .htaccess files on shared hosting accounts. Directives have the following format:

    DirectiveName Variable

The directive name usually has the first letter of each word capitalized, and the name never has spaces. The variable may be a boolean indicator, integer, or string. For example, the Bind Address directive would look like:

    BindAddress 192.168.254.254

On the other hand, the Error Document directive has three components: the directive, the error code, and the URL to the document. For example:

    ErrorDocument 404 http://www.domain.tld/errordocs/404.html

Directives added to the Apache configuration file will affect the entire server. There are hundreds of Apache directives at your disposal.

11.6 Important Directives

11.6.1 <VirtualHost>

    <VirtualHost host[:port]> ... </VirtualHost>
    Server config

The <VirtualHost> directive within a Config file acts like a tag in HTML: it introduces a block of text containing directives referring to one host; when we're finished with it, we stop with </VirtualHost>. For example:

    <VirtualHost www.butterthlies.com>
    ServerAdmin sales@butterthlies.com
    DocumentRoot /usr/www/site.virtual/htdocs/customers
    ServerName www.butterthlies.com
    ErrorLog /usr/www/site.virtual/name-based/logs/error_log
    TransferLog /usr/www/site.virtual/name-based/logs/access_log
    </VirtualHost>

<VirtualHost> also specifies which IP address we're hosting and, optionally, the port. If port is not specified, the default port is used, which is either the standard HTTP port, 80, or the port specified in a Port directive. host can also be _default_, in which case it matches anything no other <VirtualHost> section matches.


11.6.2 <Directory>

    <Directory dir> ... </Directory>

The <Directory> directive allows you to apply other directives to a directory or a group of directories. It is important to understand that dir refers to absolute directories, so that <Directory /> operates on the whole filesystem, not the DocumentRoot and below. dir can include wildcards - that is, ? to match a single character, * to match a sequence, and [ ] to enclose a range of characters. For instance, [a-d] means any one of a, b, c, d. If the ~ character appears in front of dir, the name can consist of complete regular expressions.

11.6.3 <IfModule>

    <IfModule [!]module-name> ... </IfModule>

The <IfModule> directive enables a block, provided the named module was compiled or dynamically loaded into Apache. If the ! prefix is used, the block is enabled if the named module was not compiled or loaded. <IfModule> blocks can be nested. The module-name should be the name of the module's source file, e.g. mod_log_config.c.

11.7 Other Directives

11.7.1 DocumentRoot

On an Apache HTTP Server, you can control where the server looks for live HTML documents; in other words, your web pages or content management system. Most web-based control panels set this up for you by default when virtual hosts are created, and changing the panel's settings could very well break your system. The DocumentRoot directive specifies where Apache2 should look for the files that make up the site. The default value is /var/www. No site is configured there, but if you uncomment the RedirectMatch directive in /etc/apache2/apache2.conf, requests will be redirected to /var/www/apache2-default where the default Apache2 site awaits. Change this value in your site's virtual host file, and remember to create that directory if necessary! If you are not running a control panel or are only running a single website on your dedicated server, you may want to have your HTML documents in a custom directory of your choice. The default documents directory depends on the Linux distribution. Common default locations are /var/www, /var/www/html, /home/user/www/html, /home/user/public_html, /home/user/www/htdocs, and many others. To change your Apache installation's document root, enter the following in your Apache configuration file:

    DocumentRoot directory-path

Replace directory-path with the actual path to the directory you want to use. For example, you could use:

    DocumentRoot /var/www/public_html

Make sure you do not use a trailing slash in the path. With the above configuration, the index.html file at /var/www/public_html/index.html will appear on the web as http://www.yourdomain.com/index.html. Finally, make sure the directory you set as the document directory is readable but not writable by outside users.


11.7.2 ServerAdmin

The ServerAdmin directive specifies the email address to be advertised for the server's administrator. The default value is webmaster@localhost. This should be changed to an email address that is delivered to you (if you are the server's administrator). If your website has a problem, Apache2 will display an error message containing this email address to report the problem to. Find this directive in your site's configuration file in /etc/apache2/sites-available. ServerAdmin sets the contact address that the server includes in any error messages it returns to the client. If httpd doesn't recognize the supplied argument as a URL, it assumes that it is an email address and prepends it with mailto: in hyperlink targets. However, it's recommended to actually use an email address, since there are a lot of CGI scripts that make that assumption. If you want to use a URL, it should point to another server under your control. Otherwise users may not be able to contact you in case of errors. It may be worth setting up a dedicated address for this, e.g.

    ServerAdmin www-admin@foo.example.com

as users do not always mention that they are talking about the server!

11.7.3 Listen

The Listen directive species the port, and optionally the IP address, Apache2 should listen on. If the IP address is not specied, Apache2 will listen on all IP addresses assigned to the machine it runs on. The default value for the Listen directive is 80. Change this to 127.0.0.1:80 to cause Apache2 to listen only on your loopback interface so that it will not be available to the Internet, to (for example) 81 to change the port that it listens on, or leave it as is for normal operation. This directive can be found and changed in its own le, /etc/apache2/ports.conf. When Apache starts, it binds to some port and address on the local machine and waits for incoming requests. By default, it listens to all addresses on the machine. However, it may need to be told to listen on specic ports, or only on selected addresses, or a combination of both. This is often combined with the Virtual Host feature, which determines how Apache responds to different IP addresses, hostnames and ports. The Listen directive tells the server to accept incoming requests only on the specied ports or addressand-port combinations. If only a port number is specied in the Listen directive, the server listens to the given port on all interfaces. If an IP address is given as well as a port, the server will listen on the given port and interface. Multiple Listen directives may be used to specify a number of addresses and ports to listen on. The server will respond to requests from any of the listed addresses and ports. For example, to make the server accept connections on both port 80 and port 8000, on all interfaces, use: Listen 80 Listen 8000

To make the server accept connections on port 80 for one interface, and port 8000 on another, use:

    Listen 192.0.2.1:80
    Listen 192.0.2.5:8000

11.7.4 ServerName

The ServerName directive is optional and specifies what hostname and port the server uses to identify itself. The ServerName directive sets the request scheme, hostname and port that the server uses to identify itself. This is used when creating redirection URLs. Additionally, ServerName is used (possibly in conjunction with ServerAlias) to uniquely identify a virtual host, when using name-based virtual hosts. For example, if the name of the machine hosting the web server is simple.example.com, but the machine also has the DNS alias www.example.com and you wish the web server to be so identified, the following directive should be used:

    ServerName www.example.com

If no ServerName is specified, then the server attempts to deduce the hostname by performing a reverse lookup on the IP address. If no port is specified in the ServerName, then the server will use the port from the incoming request. For optimal reliability and predictability, you should specify an explicit hostname and port using the ServerName directive.

The default virtual host has no ServerName directive specified, so it will respond to all requests that do not match a ServerName directive in another virtual host. If you have just acquired the domain name ubunturocks.com and wish to host it on your Ubuntu server, the value of the ServerName directive in your virtual host configuration file should be ubunturocks.com. Add this directive to the new virtual host file you created earlier (/etc/apache2/sites-available/mynewsite). You may also want your site to respond to www.ubunturocks.com, since many users will assume the www prefix is appropriate. Use the ServerAlias directive for this. You may also use wildcards in the ServerAlias directive. For example, the following configuration will cause your site to respond to any domain request ending in .ubunturocks.com:

    ServerAlias *.ubunturocks.com

11.8 Options Directive

The Options directive controls which server features are available in a particular directory. The option can be set to None, in which case none of the extra features are enabled, or to one or more of the following:

All
    All options except for MultiViews. This is the default setting.
ExecCGI
    Execution of CGI scripts using mod_cgi is permitted.
FollowSymLinks
    The server will follow symbolic links in this directory. Even though the server follows the symlink it does not change the pathname used to match against Directory sections. Note also that this option gets ignored if set inside a Location section. Omitting this option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable.
Includes
    Server-side includes provided by mod_include are permitted.
IncludesNOEXEC
    Server-side includes are permitted, but the #exec cmd and #exec cgi are disabled. It is still possible to #include virtual CGI scripts from ScriptAliased directories.
Indexes
    If a URL which maps to a directory is requested, and there is no DirectoryIndex (e.g., index.html) in that directory, then mod_autoindex will return a formatted listing of the directory.
MultiViews
    Content negotiated MultiViews are allowed using mod_negotiation.
SymLinksIfOwnerMatch
    The server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.

Normally, if multiple Options could apply to a directory, then the most specific one is used and others are ignored; the options are not merged. (See how sections are merged.) However, if all the options on the Options directive are preceded by a + or - symbol, the options are merged. Any options preceded by a + are added to the options currently in force, and any options preceded by a - are removed from the options currently in force.

Warning: Mixing Options with a + or - with those without is not valid syntax, and is likely to cause unexpected results.

For example, without any + and - symbols:

    <Directory /web/docs>
    Options Indexes FollowSymLinks
    </Directory>
    <Directory /web/docs/spec>
    Options Includes
    </Directory>

then only Includes will be set for the /web/docs/spec directory. However, if the second Options directive uses the + and - symbols:

    <Directory /web/docs>
    Options Indexes FollowSymLinks
    </Directory>
    <Directory /web/docs/spec>
    Options +Includes -Indexes
    </Directory>

then the options FollowSymLinks and Includes are set for the /web/docs/spec directory.
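The merging rules just described, worked through as an added Python example (not code from the notes or from Apache): it computes the option set a sub-directory ends up with for the two /web/docs examples above and rejects the mixed form the warning talks about.

```python
"""Compute the Apache Options in force after section merging.

Added example, not code from the course notes or from Apache. It applies the
rules explained above: an Options line without +/- prefixes replaces the
inherited set (the most specific section wins), a line where every option
carries a + or - prefix is merged into the inherited set, and mixing the two
forms is rejected as invalid syntax.
"""

ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "MultiViews", "SymLinksIfOwnerMatch"}


def expand(names):
    """Resolve the keywords All and None and validate the remaining names."""
    result = set()
    for name in names:
        if name == "None":
            continue
        if name == "All":
            result |= ALL_OPTIONS - {"MultiViews"}   # All = everything but MultiViews
        elif name in ALL_OPTIONS:
            result.add(name)
        else:
            raise ValueError(f"unknown option {name}")
    return result


def merge_options(inherited, directive):
    """Option set in force after an Options line is applied in a sub-section.

    inherited: the set in force in the enclosing (less specific) section.
    directive: the argument string of the Options line, e.g. "+Includes -Indexes".
    """
    tokens = directive.split()
    if not tokens:
        raise ValueError("Options requires at least one argument")
    relative = [t[0] in "+-" for t in tokens]
    if any(relative) and not all(relative):
        # The warning in the text: "+Includes Indexes" is not valid syntax.
        raise ValueError("mixing +/- options with plain options is not valid")
    if not any(relative):
        return expand(tokens)            # absolute form: nothing is merged
    effective = set(inherited)
    for tok in tokens:
        names = expand([tok[1:]])
        if tok[0] == "+":
            effective |= names           # added to the options in force
        else:
            effective -= names           # removed from the options in force
    return effective


def effective_options(sections):
    """Walk (directory, Options argument) pairs from least to most specific.

    The walk starts from the server default, Options All.
    """
    current = expand(["All"])
    for _, directive in sections:
        current = merge_options(current, directive)
    return current


if __name__ == "__main__":
    spec = [("/web/docs", "Indexes FollowSymLinks"), ("/web/docs/spec", "Options Includes")]
    print(effective_options([("/web/docs", "Indexes FollowSymLinks"),
                             ("/web/docs/spec", "Includes")]))          # {'Includes'}
    print(effective_options([("/web/docs", "Indexes FollowSymLinks"),
                             ("/web/docs/spec", "+Includes -Indexes")]))  # FollowSymLinks, Includes
```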


11.9 Order allow,deny


Order allow,deny is a setting in your Apache web server configuration that is used to restrict access to certain directories (folders) or even globally. Configuring who can access your directories is very important for your web site security. Order allow,deny is one way to restrict who can see what.


The Order allow,deny directive supports, or better said combines, the basic Allow and Deny directives into a more sophisticated configuration setting. The Allow directive affects which hosts can access an area of the server. Access is usually controlled by hostname, IP address, or IP address range. The Deny directive restricts access to the server. Restrictions can again be based on hostname, IP address, or environment variables.

The Order directive used in the Order allow,deny directive is a bit tricky and has two seemingly unrelated functions: it controls the order in which the Allow and Deny directives are processed, and it configures how the Allow and Deny directives interact with each other; in other words, it sets the default access state, the policy for connections that do not match either of the Allow or Deny rules. You can see the Order directive used in two ways: Order allow,deny and Order deny,allow.

Order allow,deny tells your web server that the Allow rules are processed before the Deny rules. If the client does not match the Allow rule or it does match the Deny rule, then the client will be denied access. Order deny,allow means that the Deny rules are processed before the Allow rules. If the client does not match the Deny rule or it does match the Allow rule, then it will be granted access.

Example:

    Allow from example.com

All hosts from this domain will be allowed, for example abc.example.com as well as www.example.com. A host from www.abcexample.com would not be allowed.

    Allow from 10.1.2.3
    Allow from 10.1

You can also define the access level by providing the IP address. In the first example, just the host with that IP address would be allowed access. In the second example, all hosts from all subnets within 10.1.x.x would be allowed access. The Deny directive works the same way. Now that we know how Allow and Deny work, let's take a look at how Order allow,deny works.
    <Directory "/www">
    Order Allow,Deny
    Deny from all
    Allow from all
    </Directory>

In this case, all clients would be denied access. Why? Because Apache first evaluates the Allow directive rules and then the Deny directive rules, so Allow from all would be executed first and then the Deny from all would take place. Now the same example with the Order allow,deny swapped:

    <Directory "/www">
    Order Deny,Allow
    Deny from all
    Allow from all
    </Directory>

The configuration above would result in all clients being allowed access because the Deny from all rule would be processed first and the Allow from all rule would be processed second.

Now, let's get more specific. The following example could be used for specialized and restricted servers, for example some kind of intranet site:

    <Directory "/www">
    Order Deny,Allow
    Deny from all
    Allow from example.com
    </Directory>

This is a slightly expanded application of the Order directive. This configuration would restrict everyone from accessing the /www directory except hosts in the example.com domain. abc.example.com would be allowed access, www.myexample.com would be restricted.

Now, let's say you want to do the opposite. You want to restrict someone from some specific domain (perhaps someone who is attacking your web site) and allow everyone else:

    <Directory "/www">
    Order Allow,Deny
    Allow from all
    Deny from www.myexample.com
    </Directory>

The configuration provided above would give access to everyone and restrict all hosts from the www.myexample.com domain.

Now, what happens if you forget to provide specific rules and use just the Order allow,deny directive alone?

    <Directory /www>
    Order Allow,Deny
    </Directory>

The presence of an Order directive can affect access to a part of the server even in the absence of accompanying Allow and Deny directives. That is because when you specify Order allow,deny you also control the default access state. The example above will deny all access to the /www directory because the default access state is set to Deny.
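The evaluation rules of the Order, Allow and Deny directives, as an added Python example (not code from the notes or from Apache): it parses the <Directory> blocks shown above and decides, for a given client hostname and address, whether access is granted. The client hostnames and addresses used are constructed for the demonstration.

```python
"""Evaluate Apache 2.2 host access control (Order / Allow / Deny) for a client.

Added example, not code from the course notes or from Apache itself. It
implements the rules described above:
  Order allow,deny : a client is allowed only if it matches an Allow line and
                     does not match a Deny line; the default state is Deny.
  Order deny,allow : a client is denied only if it matches a Deny line and
                     does not match an Allow line; the default state is Allow.
A client is identified by (hostname, ip); the hostnames and addresses used
below are constructed for the demonstration.
"""
import re


def rule_matches(rule, hostname, ip):
    """Does one 'from' argument (all, a domain, a full or partial IP) match?"""
    rule = rule.lower()
    if rule == "all":
        return True
    if rule[0].isdigit():
        # A partial address such as "10.1" matches whole leading octets only,
        # so 10.1.2.3 matches but 10.10.2.3 does not.
        return ip == rule or ip.startswith(rule + ".")
    # A domain matches the host itself and every host inside that domain.
    host = hostname.lower()
    return host == rule or host.endswith("." + rule)


def parse_block(text):
    """Extract Order, Allow and Deny rules from the lines of one <Directory> block.

    Returns (order, allow_rules, deny_rules). Without an Order line Apache
    uses Deny,Allow; the <Directory> tags and comments are ignored.
    """
    order, allow, deny = "deny,allow", [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        directive, _, args = line.partition(" ")
        directive = directive.lower()
        if directive == "order":
            order = args.replace(" ", "").lower()
        elif directive in ("allow", "deny"):
            m = re.match(r"from\s+(.+)", args.strip(), re.IGNORECASE)
            if not m:
                raise ValueError(f"cannot parse: {line}")
            (allow if directive == "allow" else deny).extend(m.group(1).split())
    return order, allow, deny


def access_allowed(block_text, hostname, ip):
    """True if the client would be allowed into the directory by this block."""
    order, allow, deny = parse_block(block_text)
    allowed = any(rule_matches(r, hostname, ip) for r in allow)
    denied = any(rule_matches(r, hostname, ip) for r in deny)
    if order == "allow,deny":
        # Allow lines first: at least one must match, then no Deny may match.
        return allowed and not denied
    if order == "deny,allow":
        # Deny lines first: a matching Deny is overridden by a matching Allow.
        return not denied or allowed
    raise ValueError(f"unsupported Order: {order}")


# The blocks walked through in the text above.
DENY_ALL_ALLOW_ALL = """<Directory "/www">
Order Allow,Deny
Deny from all
Allow from all
</Directory>"""

INTRANET_ONLY = """<Directory "/www">
Order Deny,Allow
Deny from all
Allow from example.com
</Directory>"""

BLOCK_ONE_DOMAIN = """<Directory "/www">
Order Allow,Deny
Allow from all
Deny from www.myexample.com
</Directory>"""

ORDER_ONLY = """<Directory /www>
Order Allow,Deny
</Directory>"""

if __name__ == "__main__":
    for name, block in [("deny all / allow all", DENY_ALL_ALLOW_ALL),
                        ("intranet only", INTRANET_ONLY),
                        ("block one domain", BLOCK_ONE_DOMAIN),
                        ("Order alone", ORDER_ONLY)]:
        for host, ip in [("abc.example.com", "10.1.2.3"),
                         ("www.myexample.com", "203.0.113.9")]:
            verdict = "allowed" if access_allowed(block, host, ip) else "denied"
            print(f"{name}: {host} -> {verdict}")
```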


11.10 Virtual Host

As a person can be known by many names, so can a Web server support multiple Web sites. In the Apache configuration file, each alternate identity, and probably the main one as well, is known as a virtual host (sometimes written as vhost) identified with a <VirtualHost> container directive. Depending on the name used to access the Web server, Apache responds appropriately. If you want to have a single system support multiple Web sites, you must configure Apache appropriately.


Apache2 ships with a virtual-host-friendly default configuration. That is, it is configured with a single default virtual host (using the VirtualHost directive) which can be modified or used as-is if you have a single site, or used as a template for additional virtual hosts if you have multiple sites. If left alone, the default virtual host will serve as your default site, or the site users will see if the URL they enter does not match the ServerName directive of any of your custom sites. To modify the default virtual host, edit the file /etc/apache2/sites-available/default.

There are two different types of virtual host supported by Apache. The first type, called address-based or IP-based, is tied to the numeric network address used to reach the system, rather like telephone numbers. The other type of virtual host is called name-based because the server's response depends on the name by which it was called. Just as multiple people may share a single telephone number, multiple Web sites can share the same IP address. However, all IP addresses shared by multiple Apache virtual hosts need to be declared with a NameVirtualHost directive.

In the most simple of Apache configurations, there are no virtual hosts. Instead, all of the directives in the configuration file apply universally to the operation of the server. The environment defined by the directives outside any <VirtualHost> containers is sometimes called the default server, main server, or perhaps the global server. There is no official name for it, but it can become a factor when adding virtual hosts to your configuration. But what happens if you add a <VirtualHost> container to such a configuration? How are those directives outside the container interpreted, and what is their effect on the virtual host? The answer is not a simple one: essentially, the effect is specific to each configuration directive. Some get inherited by the virtual hosts, some get reset to a default value, and some pretend they've never been used before. You'll need to consult the documentation for each directive to know for sure.

There are two primary forms of virtual hosts: IP-based virtual hosts, where each virtual host has its own unique IP address; and name-based virtual hosts, where more than one virtual host runs on the same IP address but with different names.

11.10.1 Setting Up Name-Based Virtual Hosts

You have only one IP address, but you want to support more than one Web site on your system. Use the NameVirtualHost *:80 directive in conjunction with <VirtualHost> sections:

    ServerName 127.0.0.1
    NameVirtualHost *:80
    <VirtualHost *:80>
    ServerName TheSmiths.name
    DocumentRoot "/var/www/TheSmiths"
    </VirtualHost>
    <VirtualHost *:80>
    ServerName JohnSmith.name
    DocumentRoot "/var/www/JustJohnSmith"
    </VirtualHost>

With IP addresses increasingly hard to come by, name-based virtual hosting is the most common way to run multiple Web sites on the same Apache server. The previous recipe works for most users in most virtual hosting situations. The *:80 in the previous rules means that the specified hosts run on all addresses. For a machine with only a single address, this means that it runs on that address but will also run on the loopback, or localhost address. Thus if you are sitting at the physical server system, you can view the Web site.

The argument to the <VirtualHost> container directive needs to match the argument in a NameVirtualHost directive. Putting the hostname here may cause Apache to ignore the virtual host on server startup, and requests to this virtual host may unexpectedly go somewhere else. If your name server is down or otherwise unresponsive at the time that your Apache server is starting up, then Apache can't match the particular VirtualHost section to the NameVirtualHost directive to which it belongs.

Requests for which there is no virtual host listed will go to the first virtual host listed in the configuration file. In the case of the previous example, requests coming to the server using hostnames that are not explicitly mentioned in one of the virtual hosts will be served by the TheSmiths.name virtual host.

It is particularly instructive to run httpd -S and observe the virtual host configuration as Apache understands it, to see if it matches the way that you understand it. httpd -S returns the virtual host configuration, showing which hosts are name-based, which are IP-based, and what the defaults are.

Multiple names can be listed for a particular virtual host using the ServerAlias directive, as shown here:

    ServerName TheSmiths.name
    ServerAlias www.TheSmiths.name Smith.Family.name

It is important to understand that virtual hosts render the server listed in the main body of your configuration file (the main or default server mentioned earlier) no longer accessible; you must create a virtual host section explicitly for that host. List this host first, if you want it to be the default one.

Adding name-based virtual hosts to your Apache configuration does not magically add entries to your DNS server. You must still add records to your DNS server so that the names resolve to the IP address of the server system. When users type your server name(s) into their browser location bars, their computers first contact a DNS server to look up that name and resolve it to an IP address. If there is no DNS record, then their browsers can't find your server. For more information on configuring your DNS server, consult the documentation for the DNS software you happen to be running, or talk to your ISP if you're not running your own DNS server.

Default Virtual Host

    <VirtualHost *:80>
    ServerName default
    DocumentRoot /www/htdocs
    ErrorDocument 404 /site_list.html
    </VirtualHost>

This is in the context of name-based virtual hosts, so it is assumed that you have other virtual hosts that are also using the <VirtualHost *:80> notation. We have used the default name for clarity. It's a good idea to list explicitly all valid hostnames either as ServerNames or ServerAliases, so that nobody ever winds up at the default site. However, if someone accesses the site directly by IP address, or if a hostname is added to the address in question before the appropriate virtual host is created, the user still gets useful content.


11.10.2 Setting Up Address-Based Virtual Hosts

If you have multiple IP addresses assigned to your system, and you want to support one Web site on each.

11.11 Adding Virtual Hosts to Ubuntu Apache

Now that I have Ubuntu installed and the Apache server working, I need to configure some Virtual Hosts. I have several names registered at dyndns.com that all point to the same IP. Right after you get Apache going, it defaults to serving from a default location, in this case /var/www. Any HTTP requests coming into the box are all routed to that directory. But Apache can support multiple virtual hosts. So if I route, say, example1.dnsalias.com and example2.dynalias.com to my IP via dyndns.com, I want them to be each served from their own directory. The default /var/www has system ownership and would need to be changed. So I'm going to create a directory for each site under my user directory. So I'll create /home/bruce/sites/example1 and /home/bruce/sites/example2 to host the files for each site.

As mentioned earlier, if you look in sites-available, you'll find a file called default. This represents the default Apache serving configuration. Copy this file twice to serve as a basis for the new configuration files:

    sudo cp default example1
    sudo cp default example2

You need to make two or three changes to each of these files, and add one line. There's a line in the file tagged ServerAdmin. If you want, you can make the value a real e-mail address. There are also two lines, a DocumentRoot and another in a <Directory> statement, that have the path to the directory being served; in this case, it should be /var/www/. Change both of those to the directory that will contain the new site files. Now after the ServerAdmin line add a new line:

    ServerName example1.dynalias.com

and again with example2 in the second file. Use whatever actual domain names you've registered with dyndns.com or another dynamic name server you're using. So now in addition to the /etc/apache2/sites-available/default file, you'll have two more files, example1 and example2, which have been modified to point to the actual hosting directories, and with the appropriate domain names.

Now we have to tell Apache to serve the new domains. Ubuntu has a couple of convenience commands to enable and disable sites. So, to enable the new sites, enter:

    sudo a2ensite example1
    sudo a2ensite example2

These commands copy the configuration files you created into the /etc/apache2/sites-enabled directory.

11.12 Apache Modules

Apache is a modular server. This implies that only the most basic functionality is included in the core server. Extended features are available through modules which can be loaded into Apache. By default, a base set of modules is included in the server at compile-time. If the server is compiled to use dynamically loaded modules, then modules can be compiled separately, and added at any time using the LoadModule directive. Otherwise, Apache must be recompiled to add or remove modules. Ubuntu compiles Apache2 to allow the dynamic loading of modules. Configuration directives may be conditionally included on the presence of a particular module by enclosing them in an <IfModule> block.

You can install additional Apache2 modules and use them with your Web server. For example, run the following command from a terminal prompt to install the MySQL Authentication module:

    $ sudo apt-get install libapache2-mod-auth-mysql

See the /etc/apache2/mods-available directory for additional modules. Use the a2enmod utility to enable a module:

    $ sudo a2enmod auth_mysql

Similarly, a2dismod will disable a module:

    $ sudo a2dismod auth_mysql


11.13 HTTPS Configuration

The mod_ssl module adds an important feature to the Apache2 server: the ability to encrypt communications. Thus, when your browser is communicating using SSL, the https:// prefix is used at the beginning of the Uniform Resource Locator (URL) in the browser navigation bar. The mod_ssl module is available in the apache2-common package. Execute the following command from a terminal prompt to enable the mod_ssl module:

    $ sudo a2enmod ssl

There is a default HTTPS configuration file in /etc/apache2/sites-available/default-ssl. For Apache to provide HTTPS, a certificate and key file are also needed. The default HTTPS configuration will use a certificate and key generated by the ssl-cert package. They are good for testing, but the auto-generated certificate and key should be replaced by a certificate specific to the site or server. To configure Apache for HTTPS, enter the following:

    $ sudo a2ensite default-ssl

The directories /etc/ssl/certs and /etc/ssl/private are the default locations. If you install the certificate and key in another directory make sure to change SSLCertificateFile and SSLCertificateKeyFile appropriately. With Apache now configured for HTTPS, restart the service to enable the new settings:

    $ sudo /etc/init.d/apache2 restart

Depending on how you obtained your certificate you may need to enter a passphrase when Apache starts. You can access the secure server pages by typing https://your_hostname/url/ in your browser address bar.


Chapter 12

DNS Server Configuration


The Domain Name System (DNS) is a hierarchical naming system built for computers, services, or any resource connected to the Internet or a private network. Each host in the Internet or a private network has a unique address associated with it, namely the IP address, and a domain name is a name assigned to a single host or a group of hosts in a network. It is easier to remember the name www.google.com than to remember an IP address like 64.233.183.106. A DNS server makes it easy for us to use domain names instead of IP addresses. It takes the responsibility of translating the domain name into an IP address.

12.1 How a Name Gets Resolved

DNS is a hierarchical naming system. A domain name encapsulates a group of resources in a network. Each domain can be sub-divided into sub-domains. In this way the domains and sub-domains form a rooted tree. There are a number of DNS servers associated with each domain. The root of the DNS tree is called the root domain, and the associated servers are called the root servers. Currently, there are 13 root servers located in different parts of the world. The children of the root servers / root domain are called top level DNS servers / top level domains. A domain name of a specific resource is obtained by going from the root of the tree to that resource and concatenating (separated with a .) the names obtained along the path. The root is denoted with a . and is usually omitted from the domain name.

For example, the name www.buet.ac.bd is resolved in the following steps:

1. A request is sent to one of the 13 root servers for resolving the name www.buet.ac.bd.
2. The root server contains the information of the top level domains only (e.g. com, net, org, bd etc.). The root server finds that the right-most token is bd, so it forwards the request to the bd DNS server.
3. The bd server contains a limited number of records mapping names to IP addresses. It searches its records for the next token, ac. If it finds a match it forwards the request to that DNS server.
4. Similarly the DNS server of ac.bd searches its records for the entry buet and forwards the request to the corresponding server upon a match.
5. In the final step the DNS server of buet.ac.bd searches its records for the entry www and returns the IP address of the host if a match is found.

Figure 12.1 illustrates the DNS hierarchy.

Figure 12.1: DNS Hierarchy

12.2 Useful Definitions

Zone: A zone is an alternate name for a domain. With respect to DNS servers, a zone can be defined as a group of records mapping host names to IP addresses in a domain. For example, example.test can be considered a zone. This may contain hosts like mail.example.test, nameserver.example.test etc. A zone would be the collection of all these hosts for this domain.

Caching Only DNS Server: A caching only DNS server does not contain address records of any zone. It forwards a name resolution request to another DNS server and remembers the result. When the same query comes to it again it returns the result from the cache. This type of DNS server can be useful for reducing network traffic or on a slower internet connection.

Zone Server: A zone server contains address records for a zone. It can resolve names from its own database. This type of DNS server is usually used by organizations that have separate servers for different purposes. For example, an organization has a domain myorg.org; it may have its web server with name www.myorg.org, a mail server with name mail.myorg.org etc. Then it needs to have a DNS server which is able to serve the different addresses of the zone myorg.org.

Reverse DNS Lookup: Finding a domain name corresponding to an IP address is called reverse DNS lookup. To enable reverse DNS lookup, reverse zones are added to the zone server.

12.3 DNS Server in Linux

BIND, the Berkeley Internet Naming Daemon, is the most popular DNS server in Linux. Its latest version is BIND 9.x, released by ISC (Internet Systems Consortium). BIND 9 has features like IPv6 support, multiprocessor support, support for DNSSEC (DNS Security Extensions) etc. Other than BIND, several other DNS servers are available for Linux such as pdnsd, dnscache etc. The rest of the chapter will focus on BIND 9.


12.3.1 Installation

In order to install BIND, install the bind9 package with the following command:

    sudo apt-get install bind9

For testing and troubleshooting of the server, install the dnsutils package with the following command:

    sudo apt-get install dnsutils

12.3.2 Configuration Files

BIND9 configuration files are stored in the /etc/bind directory. The main configuration files are:

/etc/bind/named.conf
    The main configuration file of BIND 9. By default this file contains a set of include directives which include the other configuration files. This is done to organize the configuration options in relevant files.
/etc/bind/named.conf.options
    Contains global options for BIND 9.
/etc/bind/named.conf.local
    Contains the zone declarations.

The file db.root contains the addresses of the 13 root DNS servers. There are also a number of sample zone definition files provided with the installation of bind9, e.g. db.empty, db.local etc.

12.4 Configuring Types of BIND

BIND 9 can be configured in one of three possible ways:

1. Caching only server
2. Primary master server
3. Secondary server

The subsequent sections describe the different configurations. There is one important thing to note: whenever a change is made to any of the configuration files the bind9 daemon needs to be restarted for the change to take effect. This can be accomplished with the following command:

    sudo /etc/init.d/bind9 restart

12.5 Configuration as Caching Only Server

In this configuration BIND9 does not store any zones. It forwards all the name resolution requests coming to it to another DNS server and remembers the answer of each query. The next time the same query appears it just returns the cached result.

To configure BIND9 as a caching only server, open the /etc/bind/named.conf.options file with a text editor of your choice and add the following block (inside the existing options { ... } block):

    forwarders {
        <ISP's DNS ADDRESS>;
    };

For example:

    forwarders {
        8.8.8.8;    # Don't forget to put the semicolon
    };

12.6 Configuration as Primary Master Server

When configured as a primary master, BIND 9 can serve DNS records for a registered domain name. A registered domain name can have a number of resources within it which need to be individually named. A primary master server contains a group of records for such a domain name. This group of records is also known as a zone (see 12.2). There are two steps to add a zone, plus an optional third one:

1. Add a zone in the /etc/bind/named.conf.local file (zone declaration).
2. Create a zone definition file for the newly added zone. The zone definition file will contain all the necessary records for that zone.
3. Add a reverse zone and corresponding reverse zone definition file for reverse DNS lookup. In a reverse zone there are mappings of IP addresses to host names.1

For the subsequent part of this section we shall assume that a new domain name myzone.test has been registered with the network 123.123.0.0/16. We shall need to set up a DNS server for this zone which resolves the following names to the associated addresses:

    myzone.test         -> 123.123.123.123
    www.myzone.test     -> 123.123.123.123
    mail.myzone.test    -> 123.123.123.124
    ns.myzone.test      -> 123.123.123.125
    printer.myzone.test -> 123.123.123.123

Moreover, the first three entries are also the webserver, mail server and nameserver of the domain respectively.
1 This step is optional and can be omitted if not required.


12.6.1 Zone Declaration

A new zone is added to the /etc/bind/named.conf.local file. The syntax for adding a new zone is:

    zone "<zone name>" {
        type master;
        file "<path of zone definition file>";
    };

Add this block at the end of the /etc/bind/named.conf.local file. The points to note here are:

The type directive determines whether the server is master or slave for this zone.
The file directive specifies the zone definition file, i.e. where the records are defined.
The zone name must be followed by a ., so for our example the zone name would be myzone.test.
There is no hard and fast rule for naming the zone definition file. A good practice is to name the file like <zone name>.db or db.<zone name>.

For our example the block would look like:

    zone "myzone.test." {
        type master;
        file "/etc/bind/zones/myzone.test.db";
    };

12.6.2 Create a Zone Definition File

First, we shall create a folder named zones in the /etc/bind directory:

    sudo mkdir /etc/bind/zones

Now we create and open a new zone definition file for our newly added zone in the new directory with the following command:

    sudo gedit /etc/bind/zones/myzone.test.db

Or, we can use an existing zone definition file like db.local as a template. To do this we copy the db.local file into the newly created zones folder with the following command:

    sudo cp /etc/bind/db.local /etc/bind/zones/myzone.test.db

A zone definition file contains two parts: a block with some numeric parameters and a group of records corresponding to different hosts in the zone. The first block of the zone definition file looks as follows:

    $TTL <TTL amount>
    @ IN SOA <nameserver of the zone>. <email address of zone administrator>. (
        <serial number>
        <refresh time>
        <retry interval>
        <expiry time>
        <negative cache TTL>
    )

The points to note here are:


The email address of the zone administrator is usually of the form root@<zone name> or admin@<zone name>. In the zone definition file the @ symbol in the email address is replaced by the . symbol.
A convention for the serial number field is to use the last modification date in YYYYMMDD format. This field is for reference purposes only.
The other timing fields are usually left at their default values and do not normally need to be changed. The values in these fields are interpreted as seconds. These fields have the following meaning:
refresh time: The time interval for slaves to check for an updated zone on the master.
retry interval: The interval at which a slave makes another attempt if the first attempt failed.
expiry time: The interval that the slave will wait before it discards a zone entirely because it cannot reach the master.
negative cache TTL: The time that a remote DNS server keeps the DNS record of a query.
The ; symbol was used in the named.conf.local and named.conf.options files as an end-of-line marker. In this file this symbol is used for comments: any string after this symbol on that line is ignored and treated as a comment.

This block is followed by a sequence of DNS records. DNS records are used for mapping names to addresses, identifying nameservers, mail servers etc. A DNS record has the following form:

    name IN record-type record-content

name is usually a host's / computer's name, and there are many possibilities for the record-type. Some useful record types are:

A-record: An A-record (address record) uses a hostname as name and provides an IP address as the record-content. The hostname can be specified with the domain name and a trailing period, e.g. www.myzone.test., or using only the name of the host, e.g. www.
NS-record: Name server (NS) records specify the name servers for a domain. Normally, at least one NS record will point to the same computer as was listed as the master name server in the SOA record. The name of an NS record is normally either @ or your domain name alone, and the record-content field usually lists a name that an A record defines as a name server.
MX-record: A mail exchanger (MX) record provides information on a mail server for the zone. This entry uses either @ or the domain name alone as the name. The record-content field has two components: a priority code and a hostname. A higher priority code means lower priority. If there is only one mail server in the domain the priority code has no significance.
CNAME-record: Canonical name (CNAME) records link one hostname to another one. The record-content can be specified in the same way as the name is specified in an A record.

12.6. Conguration as Primary Master Server PTR-record Pointer (PTR) records are used in the reverse zone denition le. It uses part of the IP address as name and uses the hostname as record-content. For each A-record in the zone denition le there should one PTR-record in the reverse zone denition le. Now, coming back to our example, if we want to specify the mail server and nameserver of our domain we shall need the following records: @ IN MX 100 mail.myzone.test. @ IN NS ns.myzone.test. To resolve our required hostnames within the domain we shall need to add some A-records. These will look like: @ IN A 123.123.123.123 www IN A 123.123.123.123 mail IN A 123.123.123.124 ns IN A 123.123.123.125 printer IN A 123.123.123.123 The A-records can also be written in the following way: @ IN A 123.123.123.123 www.myzone.test. IN A 123.123.123.123 mail.myzone.test. IN A 123.123.123.124 ns.myzone.test. IN A 123.123.123.125 printer.myzone.test. IN A 123.123.123.123 CNAME-records can be used to avoid rewriting any duplicate IP addresses. The group of records can be rewriten as: addr IN A 123.123.123.123 @ IN CNAME addr www IN CNAME addr mail IN A 123.123.123.124 ns IN A 123.123.123.125 printer IN CNAME addr So, our zone denition le for our domain myzone.test would look like this: $TTL 38400 @ IN SOA ns.myzone.test. root.myzone.test.( 20110101; serial 28800; refresh time 3600; retry interval 604800; expire time 38400; negetive cache TTL ); @ IN MX 100 mail.myzone.test. @ IN NS ns.myzone.test. @ IN A 123.123.123.123 www IN A 123.123.123.123 mail IN A 123.123.123.124 ns IN A 123.123.123.125 printer IN A 123.123.123


12.6.3

Reverse zone declaration and definition

Like a zone, a reverse zone is also added to the /etc/bind/named.conf.local file. The syntax for adding a reverse zone is:

zone "<nonzero part of zone's network address reversed>.in-addr.arpa" {
    type master;
    file "<path of reverse zone definition file>";
};

Add this block at the end of the /etc/bind/named.conf.local file. The points to note here are:

The file directive specifies the reverse zone definition file, i.e. where the reverse records are defined.

If the network address of the domain is, say, 172.16.0.0/16 then the reverse zone's name would be 16.172.in-addr.arpa.

The same naming convention as for zone definition files can be adopted for naming reverse zone definition files.

For our example the block would look like:

zone "16.172.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/16.172.in-addr.arpa.db";
};

After adding this block we create the reverse zone definition file. This file has the same structure as the zone definition file, except that:

The nameserver should be specified using an NS record with no name part.

It does not contain any A-record.

For each A-record in the zone definition file there should be a corresponding PTR-record in this file. The name part of the PTR-record is the host part of the IP address with its octets reversed, and the record-content is the fully qualified hostname ending with a period (a name without the period would be taken as relative to the reverse zone).

Our reverse zone definition file would look like:

@ IN SOA ns.myzone.test. root.myzone.test. (
    20110101 ; serial
    28800    ; refresh time
    3600     ; retry interval
    604800   ; expire time
    38400    ; negative cache TTL
)
        IN NS  ns.myzone.test.
123.123 IN PTR www.myzone.test.
123.123 IN PTR printer.myzone.test.
123.125 IN PTR ns.myzone.test.
123.124 IN PTR mail.myzone.test.
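The forward zone of 12.6.2 and the reverse zone above must agree record by record, and named-checkzone checks each file on its own, so it cannot see whether the two match. The following Python script is an added example written for this text, not part of BIND; it parses the simplified zone file layout used in this chapter (the SOA block in parentheses, ';' comments, blank owner names that repeat the previous owner) and reports every A record without a matching PTR, every PTR whose target lacks the trailing period, and every address that does not belong to the reverse zone's network. The two zones embedded in it are constructed for the example on the network 172.16.0.0/16 from 12.6.3; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample zone files for this example. The host addresses are
# made up and placed in 172.16.0.0/16 so that they belong to the reverse
# zone 16.172.in-addr.arpa discussed in the text.
FORWARD_ZONE = """\
$TTL 38400
@ IN SOA ns.myzone.test. root.myzone.test. (
    20110101 ; serial
    28800    ; refresh time
    3600     ; retry interval
    604800   ; expire time
    38400    ; negative cache TTL
)
@       IN NS    ns.myzone.test.
@       IN MX    100 mail.myzone.test.
@       IN A     172.16.1.10
www     IN A     172.16.1.10
mail    IN A     172.16.1.20
ns      IN A     172.16.1.30
legacy  IN A     10.0.0.5
printer IN CNAME www
"""

REVERSE_ZONE = """\
$TTL 38400
@ IN SOA ns.myzone.test. root.myzone.test. (
    20110101 ; serial
    28800    ; refresh time
    3600     ; retry interval
    604800   ; expire time
    38400    ; negative cache TTL
)
        IN NS  ns.myzone.test.
10.1    IN PTR myzone.test.
10.1    IN PTR www.myzone.test.
20.1    IN PTR mail.myzone.test.
30.1    IN PTR ns
"""


def logical_lines(text):
    """Yield (indented, line) pairs with ';' comments removed and
    parenthesised continuations (the SOA block) joined onto one line."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            indented = line[0].isspace()  # blank owner: reuse previous owner
        depth += line.count("(") - line.count(")")
        buf.append(line.strip())
        if depth == 0:
            yield indented, " ".join(buf)
            buf = []


def parse_records(text):
    """Return [(owner, type, [rdata tokens])] for the record lines of a zone.
    $TTL/$ORIGIN directives are skipped; per-record TTL fields are not
    handled because the files in this chapter do not use them."""
    records, owner = [], "@"
    for indented, line in logical_lines(text):
        if line.startswith("$"):
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not indented:
            owner = tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def reverse_zone_name(network):
    """Name of the in-addr.arpa zone for an octet-aligned IPv4 network."""
    net = ipaddress.ip_network(network, strict=False)
    octets = net.network_address.exploded.split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def check_zones(forward, reverse, origin, network):
    """Compare a forward zone with its reverse zone and return a list of
    human-readable problems (an empty list means the pair is consistent)."""
    net = ipaddress.ip_network(network, strict=False)
    rev_origin = reverse_zone_name(network)
    problems = []

    def fqdn(name, zone):
        if name == "@":
            return zone + "."
        return name if name.endswith(".") else f"{name}.{zone}."

    fwd, rev = parse_records(forward), parse_records(reverse)
    for label, recs in (("forward", fwd), ("reverse", rev)):
        soa = [r for r in recs if r[1] == "SOA"]
        if len(soa) != 1:
            problems.append(f"{label} zone must have exactly one SOA record")
        elif not re.fullmatch(r"\d{8,10}", soa[0][2][2]):
            problems.append(f"{label} zone serial {soa[0][2][2]!r} does not follow YYYYMMDD[nn]")

    ptrs = {}  # reverse owner name -> list of PTR targets
    for owner, rtype, rdata in rev:
        if rtype != "PTR":
            continue
        ptrs.setdefault(owner, []).append(rdata[0])
        if not rdata[0].endswith("."):
            problems.append(f"PTR {owner} target {rdata[0]!r} is relative and would resolve to "
                            f"{fqdn(rdata[0], rev_origin)}")

    host_octets = 4 - net.prefixlen // 8
    for owner, rtype, rdata in fwd:
        if rtype != "A":
            continue
        ip = ipaddress.ip_address(rdata[0])
        if ip not in net:
            problems.append(f"A record {owner} -> {ip} is outside {net}, so {rev_origin} cannot hold its PTR")
            continue
        name = ".".join(reversed(ip.exploded.split(".")[-host_octets:]))
        if fqdn(owner, origin) not in ptrs.get(name, []):
            problems.append(f"no PTR {name} -> {fqdn(owner, origin)} in the reverse zone for A record {owner}")
    return problems


if __name__ == "__main__":
    for problem in check_zones(FORWARD_ZONE, REVERSE_ZONE, "myzone.test", "172.16.0.0/16"):
        print(problem)
```

Run on the embedded sample it lists three problems: the PTR for 30.1 points at the relative name ns, the A record ns therefore has no matching PTR, and legacy has an address outside 172.16.0.0/16. Fixing those two lines makes the check return an empty list.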

12.7

Secondary Master Server

A secondary master server increases the availability of the DNS service. If the primary server crashes, then the secondary server will provide DNS service. A secondary server configuration contains the same steps as that of the primary server. But there are some small changes that need to be made in the configuration files. The changes are:

In the primary server zone transfer has to be enabled, so that a zone can be transferred to the secondary by the primary. To do this add the following line within the zone (and reverse zone) declaration block (in the /etc/bind/named.conf.local file) in the primary server:

allow-transfer { <ip_of_secondary_server>; };

In the zone / reverse zone declaration block of the primary server the statement

notify yes;

will cause automatic notification of zone changes to the secondary by the primary server.

In the secondary server the zone definition file of any zone should be placed in the /var/cache/bind directory.

In the secondary server the zone declaration block should contain the following directive to specify its master:

masters { <ip_of_primary_server>; };

12.8

Testing and Troubleshooting

There are several tools in the dnsutils package to test the functionality of the DNS server. After creating a zone definition file, the file can be tested for errors with the named-checkzone tool. This can be done with the following command:

named-checkzone <zone_name> <zone_definition_file>

For example:

named-checkzone myzone.test /etc/bind/zones/myzone.test.db

After proper configuration and restarting the server, the dig tool or nslookup tool can be used to test whether the DNS server can properly resolve names. But before that, edit the /etc/resolv.conf file and add the line

nameserver 127.0.0.1

to the end of the file to let the system use the local DNS server. If the zones are configured properly then dig myzone.test would show all the details of the zone that has been added, and nslookup www.myzone.test will show the IP address of the corresponding host. For testing a reverse zone use the -x option of the dig tool, e.g. dig -x 123.123.123.123. All the error messages generated by the BIND9 server are written into syslog. After restarting the server, if the server fails to restart or any sort of error occurs, those can be viewed with the tail /var/log/syslog command.

12.9

Security of BIND DNS Server

The communication between the primary and secondary DNS servers should be secured. Otherwise malicious attacks (e.g. cache poisoning, spoofing) could affect the way a DNS server behaves. The communication can be made secure by using the RSA public key encryption method. Zones transferred from primary to secondary should be signed with a key and the secondary should be able to verify it. Making the communication between primary and secondary secure consists of a number of steps. The remainder of this section describes the steps that should be taken to make the communication secure.


12.9.1

Create an RSA Key

The dnssec-keygen tool can be used to generate a 128 bit key. Type the following command in the shell to generate the key:

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rndc-key

The -a option specifies which algorithm to use and the -b option specifies the key length. This will generate two files in the current working directory. They are:

1. Krndc-key.+157+64252.key: Contains the public key. The .key file contains a DNS KEY record that can be inserted into a zone file.

2. Krndc-key.+157+64252.private: Contains the private key. The .private file contains algorithm-specific fields.

12.9.2

Add the Key

The next step is to add the key information to both primary and secondary. Create a tsig.key file in the /etc/bind directory on the primary server. The file is structured as:

key "<NAME>" {
    algorithm <key_generation_algorithm>;
    secret "<the_generated_public_key>";
};

# Secondary server IP X.Y.Z.W
server X.Y.Z.W {
    keys {
        <NAME of the key block>;
    };
};

################################
# If there is a 3rd server with IP P.Q.R.S
#server P.Q.R.S {
#    keys {
#        <NAME of the key block>;
#    };
#};
################################

The points to note here are:

The key generation algorithm is the one specified in the -a option of the dnssec-keygen command. In our case it is hmac-md5.

The public key can be found in the .key file generated by dnssec-keygen.

NAME can be any name of your choice. This NAME is later used to refer to the declared key in the keys block.

The next step is to include this file in the bind9 main configuration file. Open the named.conf file and add the line

include "/etc/bind/tsig.key";

at the end. From the command line now run rndc reload.

In the secondary server follow the same steps as in the primary server, but in the server block put the IP address of the primary server, and also include the created file in the secondary server's named.conf file. In the zone declaration at the secondary server include the line

allow-transfer { key "<NAME>"; };

where NAME is the name of the key given in the tsig.key file.
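Whatever the generated file names suggest, the value placed in the secret field of the key block is the same on both servers: dnssec-keygen -a HMAC-MD5 -n HOST produces a symmetric key, and each side authenticates a message by computing an HMAC over it with that key and comparing the result with the one received. The following Python script is an added example, not code from BIND or from this document; it renders a key block with the structure shown above, generates a base64 secret of the same form, and shows the three outcomes that matter operationally: a message accepted with the shared key, rejected when altered, and rejected when the other side holds a different key. It defaults to hmac-sha256, which BIND also accepts as a TSIG algorithm; the hmac-md5 used in the text is supported as well. The function names and the message bytes are the example's own.

```python
import base64
import hashlib
import hmac
import secrets

# Algorithm names as they appear in the "algorithm" field of a key block,
# mapped to the hash each HMAC is built on. The text uses hmac-md5.
ALGORITHMS = {"hmac-md5": hashlib.md5, "hmac-sha256": hashlib.sha256}


def generate_secret(bits=128):
    """Random secret, base64 encoded as it appears in the secret field."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()


def key_block(name, algorithm, secret):
    """Render a named.conf key block with the structure shown in the text."""
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'


def mac(secret, algorithm, message):
    """MAC the sending server attaches to a message (bytes)."""
    return hmac.new(base64.b64decode(secret), message, ALGORITHMS[algorithm]).digest()


def verify(secret, algorithm, message, received_mac):
    """Receiver side: recompute the MAC and compare it in constant time."""
    return hmac.compare_digest(mac(secret, algorithm, message), received_mac)


def demo(algorithm="hmac-sha256"):
    """Primary and secondary holding the same key, then two failure cases."""
    shared = generate_secret()
    # Constructed stand-in for the bytes of a zone transfer request.
    request = b"zone transfer request for myzone.test"
    tag = mac(shared, algorithm, request)
    return {
        "secondary_accepts": verify(shared, algorithm, request, tag),
        "tampered_message_rejected": not verify(shared, algorithm, request + b"!", tag),
        "different_key_rejected": not verify(generate_secret(), algorithm, request, tag),
    }


if __name__ == "__main__":
    print(key_block("rndc-key", "hmac-sha256", generate_secret()))
    print(demo())
```

The constant-time comparison in verify is what a receiving server must use; a plain == on MACs leaks timing information about how many leading bytes matched.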

Chapter

13

FTP Server
13.1 Introduction

File Transfer Protocol (RFC959) has been around for many years as one of the older, more reliable methods for transferring data files and is still being used extensively by many organisations today. The Very Secure FTP Daemon (vsftpd) is one of the more popular and robust FTP servers available for the Linux community. The vsftpd server has had one major design rule from its initial development: enforcing high security requirements. The server can operate in a chroot jail and now supports TLS/SSL encryption (from Version 2). The initially installed configuration provides full download access for anonymous users. This chapter will cover some of the basic configuration parameters for the server and identify some settings to improve security for authorised access only. It will also look at enabling TLS/SSL encryption to provide a level of safety for your transfer requirements. FTP Security Extensions are discussed in RFC2228.

13.2

Installation

sudo apt-get install vsftpd

This installs ssl-cert, openssl and vsftpd, with only anonymous login and just for downloads from a jailed /home/ftp/. It also adds user ftp to group ftp.

13.3

Basic Configuration

The default vsftpd configuration file is /etc/vsftpd.conf. You need to edit this file using a text editor.

13.3.1

Running Mode

The vsftpd server can run in standalone mode or be supported by inetd/xinetd. To enable standalone mode set:

listen=YES


13.3.2

Banners

To display a banner to every new user that connects, set the banner_file parameter and place a suitable message inside the designated file.

banner_file=/etc/vsftpd/welcome.banner

Using the ftpd_banner parameter allows you to quickly set a single line welcome string for when new users connect.

ftpd_banner=Welcome to my vsFTPd Server.

If you are doing any FTP mirroring and you host files from several different organisations, you can set an individual message that will be displayed when the user lists the contents of each different directory.

dirmessage_enable=YES

The default message file for each directory is .message; adjust this setting if you wish to use a different filename.

message_file=.message

13.3.3

Permissions

The umask parameters define the chmod value (permissions) of files when they are uploaded to the FTP's filesystem. To calculate the permission value, start at 777, then subtract the umask value. So if the anon_umask value is set to 077, then the file will have permissions of 700 on the filesystem (this may prevent the file from later being downloaded, depending on filesystem permissions).

anon_umask=077
local_umask=022

13.3.4

Logging

Adjust these to enable transfer logging.

xferlog_enable=YES

The default log file is /var/log/vsftpd.log. This may be adjusted using xferlog_file.

13.4

Controlling User Access

In vsftpd's initial state anonymous users are allowed full download access to all the resources available through the FTP server, and adjustments to the configuration are required to enforce a more secure environment.


13.4.1

Anonymous Users

The default setting for allowing anonymous users is YES. To disable anonymous access it is not enough to comment out the following parameter; it MUST be changed to NO, otherwise anonymous still has access.

anonymous_enable=YES
anonymous_enable=NO

If the FTP server is going to be accessible to the general public, then the anonymous account can be granted the rights to upload files to the server and create new directories inside the FTP root directory. Give serious consideration to these abilities before implementing them.

anon_upload_enable=YES
anon_mkdir_write_enable=YES

Always avoid, where possible, allowing anonymous users the ability to upload files to the FTP server. This has the potential to allow users of pirate software to abuse your system for further distribution. Always check the files on a regular basis for any sign of abuse.

By default VSFTPD expects files for anonymous FTP to be placed in the /var/ftp directory. You can change this by modifying the anon_root directive. There is always the risk with anonymous FTP that users will discover a way to write files to your anonymous FTP directory. You run the risk of filling up your /var partition if you use the default setting. It is best to make the anonymous FTP directory reside in its own dedicated partition.

To restrict the upload rate of connected anonymous users, set anon_max_rate to an appropriate value for your connection. The rate at which system account users can upload can also be restricted using the local_max_rate parameter. Rates are in bytes per second; 0 means disabled.

anon_max_rate=10485760
local_max_rate=0

You may for some reason decide to limit the number of users that connect to your server at any time, and how many simultaneous connections can be maintained from each IP address.

max_clients=500
max_per_ip=4

13.4.2

System Accounts

Normally any user that has an account on the local system can log in using their account details and access their files. As a security measure, not all system accounts should be allowed to do this. Any user account that is listed in the /etc/vsftpd.ftpuser file will not be granted log in access through the server daemon. This file is normally used for system accounts (root, bin etc.) and bad people. Do not put anonymous in the /etc/vsftpd.ftpuser file; it does nothing. Anonymous access must be disabled with the anonymous_enable=NO parameter.

To create a selective list of system user accounts that can access the FTP server, set:

userlist_enable=YES
userlist_file=/etc/vsftpd/user_list

If you need to stop all system user accounts from being able to log in to the FTP server, then disable the following.

local_enable=YES
write_enable=YES

System user accounts normally have the ability to browse the complete filesystem as though they were logged onto the terminal (depending on directory permissions). To block all users from this activity, they can be chroot jailed into their home directories. This means they will be locked inside their own home directories and can't view or access the rest of the filesystem.

chroot_local_user=YES

Using chroot_local_user is handy for allowing users to access their public_html directories on a publicly shared web server. Users can also be selectively jailed to their home directories.

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

If chroot_list_enable=YES, then the /etc/vsftpd.chroot_list file contains a selective list of users that are jailed to their home directories. If chroot_local_user=YES is also set, then the entries in /etc/vsftpd.chroot_list are users that are not jailed; the opposite effect.

13.5

Enabling TLS/SSL Encryption

The release of vsftpd version 2 brought some major updates to the FTP package and the most notable is the inclusion of TLS/SSL encryption for securing authentication and data transfers between clients and server. You should only enable TLS/SSL if you really need it. If you only intend to cater for anonymous users on your server, then you should not implement encryption.

To enable the TLS/SSL security controls, the vsftpd version must have been compiled with its support. To find out if your version has been compiled with SSL support, execute the following command at the prompt.

sudo ldd /usr/sbin/vsftpd | grep ssl

If the command displays the libssl line in its output, then your version is ready to support TLS/SSL. If libssl is not in the output then your version of vsftpd does not support encryption; you will either have to recompile the source code yourself, or convince your distribution developers to consider it for inclusion.

libssl.so.6 => /lib/libssl.so.6 (0x001bf000)

Before the server is able to do any encryption, it requires the generation of a private key and a digital certificate. During the key generation process you will be asked several questions regarding server name, organisational name, country code.

Preferred Method

cd /etc/pki/tls/certs
sudo make vsftpd.pem

Alternate Method

openssl req -x509 -nodes -days 730 -newkey rsa:1024 \
    -keyout /etc/pki/tls/certs/vsftpd.pem \
    -out /etc/pki/tls/certs/vsftpd.pem

Both commands above are suitable for creating your certificates. The bottom command creates an X509 SSL certificate with a life of 2 years (-days 730).

Country Name (2 letter code) [GB]:AU
State or Province Name (full name) [Berkshire]:QLD
Locality Name (eg, city) [Newbury]:Brisbane
Organization Name (eg, company) [My Company Ltd]:Miles Brennan
Organizational Unit Name (eg, section) []:Home Linux Server
Common Name (eg, your name or your server's hostname) []:galaxy.example.com
Email Address []:sysadmin@example.com

If you are using the server for legitimate business use and you want to provide a level of security assurance to your customers, then you should use a key that has been signed by a Certificate Authority. The contents of the /etc/pki/tls/certs/vsftpd.pem file should be checked to ensure it has a private key and digital certificate. If any of the identifying details in the X509 change or have been entered incorrectly, you can easily regenerate new keys until the details are correct. The vsftpd.pem file should also be secured so only root has access to the file. This does not affect the server if it is running as a non privileged account, as the keys are loaded before dropping into non privileged mode.

cat /etc/pki/tls/certs/vsftpd.pem
openssl x509 -in /etc/pki/tls/certs/vsftpd.pem -noout -text
chmod 600 /etc/pki/tls/certs/vsftpd.pem

The configuration file now needs to be adjusted to include the support for TLS/SSL encryption. The following details are the recommended parameters required.

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem

The service should now be restarted for the changes to take effect.

TLS/SSL Enabled FTP Clients

The Linux based gFTP client is enabled for TLS/SSL connections, however it initially rejects self-signed server certificates. This can be fixed by disabling the Verify SSL Peer setting in options. When making connections, be sure to select the FTPS protocol.
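The options in 13.3.3, 13.4 and 13.5 are easy to get subtly wrong, in particular the commented-out anonymous_enable line that leaves the default YES in force. The following Python script is an added example, not part of vsftpd or of this document: it parses the option=value syntax of vsftpd.conf, derives the mode of an uploaded file from a umask as 13.3.3 describes, and flags the weak settings discussed above. Both configurations embedded in it are constructed for the example; the defaults it assumes for absent options are those documented in the vsftpd.conf(5) manual page, and the function names are the example's own.

```python
# Constructed configuration for the example, mixing the unsafe defaults the
# text warns about with a partial TLS setup.
SAMPLE_CONF = """\
# anonymous_enable=NO   <- commented out, so the default YES still applies
anon_upload_enable=YES
anon_umask=077
local_enable=YES
write_enable=YES
local_umask=022
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=NO
force_local_logins_ssl=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
"""

# The same server with the settings recommended in the text applied.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
local_umask=022
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
force_local_logins_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
"""


def parse_conf(text):
    """vsftpd uses one option=value per line; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def perms_from_umask(umask):
    """Mode of an uploaded file: the umask bits are cleared from 777.
    For octal digits this equals the digit-wise subtraction in 13.3.3."""
    return 0o777 & ~int(umask, 8)


def is_yes(conf, option, default):
    """vsftpd boolean options are YES/NO; 'default' is the man page default."""
    return conf.get(option, default).upper() == "YES"


def audit(conf):
    """Return the list of findings for a parsed configuration."""
    findings = []
    if conf.get("anonymous_enable", "YES").upper() != "NO":
        findings.append("anonymous_enable is not NO: anonymous logins are allowed "
                        "(commenting the line out leaves the default YES)")
    if is_yes(conf, "anon_upload_enable", "NO") or is_yes(conf, "anon_mkdir_write_enable", "NO"):
        findings.append("anonymous users may write to the server "
                        "(anon_upload_enable / anon_mkdir_write_enable)")
    if is_yes(conf, "local_enable", "NO") and not is_yes(conf, "chroot_local_user", "NO"):
        findings.append("local users are not chroot jailed and can browse the whole filesystem")
    if is_yes(conf, "ssl_enable", "NO"):
        for old in ("ssl_sslv2", "ssl_sslv3"):
            if is_yes(conf, old, "NO"):
                findings.append(f"{old}=YES enables an obsolete protocol version")
        if not is_yes(conf, "force_local_logins_ssl", "YES"):
            findings.append("force_local_logins_ssl is not YES: local users may log in "
                            "with clear-text passwords")
    for option in ("anon_umask", "local_umask"):
        if option in conf:
            mode = perms_from_umask(conf[option])
            if mode & 0o002:
                findings.append(f"{option}={conf[option]} makes uploaded files "
                                f"world-writable (mode {mode:o})")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["no findings"])
```

The sample configuration yields five findings (anonymous login left enabled, anonymous upload, no chroot for local users, SSLv2 enabled, and logins not forced over TLS); the hardened one yields none.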


Chapter

14

Dynamic Host Configuration Protocol (DHCP) Server


14.1 Introduction

The Dynamic Host Configuration Protocol (DHCP) is an auto configuration protocol used on IP networks. Computers that are connected to IP networks must be configured before they can communicate with other computers on the network. DHCP allows a computer to be configured automatically, eliminating the need for intervention by a network administrator. It also provides a central database for keeping track of computers that have been connected to the network. This prevents two computers from accidentally being configured with the same IP address. In the absence of DHCP, hosts may be manually configured with an IP address. Alternatively IPv6 hosts may use stateless address autoconfiguration to generate an IP address. IPv4 hosts may use link-local addressing to achieve limited local connectivity. In addition to IP addresses, DHCP also provides other configuration information, particularly the IP addresses of local caching DNS resolvers. Hosts that do not use DHCP for address configuration may still use it to obtain other configuration information. There are two versions of DHCP, one for IPv4 and one for IPv6. While both versions bear the same name and perform much the same purpose, the details of the protocol for IPv4 and IPv6 are sufficiently different that they can be considered separate protocols.

14.2

History

DHCP was first defined as a standards track protocol in RFC 1531 in October 1993, as an extension to the Bootstrap Protocol (BOOTP). The motivation for extending BOOTP was that BOOTP required manual intervention to add configuration information for each client, and did not provide a mechanism for reclaiming disused IP addresses. Much work was done to clarify the protocol as it gained popularity, and in 1997 RFC 2131 was released, and remains as of 2011 the standard for IPv4 networks. DHCPv6 is documented in RFC 3315. RFC 3633 added a DHCPv6 mechanism for prefix delegation. DHCPv6 was further extended to provide configuration information to clients configured using stateless address autoconfiguration in RFC 3736.

The BOOTP protocol itself was first defined in RFC 951 as a replacement for the Reverse Address Resolution Protocol (RARP). The primary motivation for replacing RARP with BOOTP was that RARP was a data link layer protocol. This made implementation difficult on many server platforms, and required that a server be present on each individual network link. BOOTP introduced the innovation of a relay agent, which allowed the forwarding of BOOTP packets off the local network using standard IP routing, thus one central BOOTP server could serve hosts on many IP subnets.

14.3

Technical Overview

Dynamic Host Configuration Protocol automates network-parameter assignment to network devices from one or more DHCP servers. Even in small networks, DHCP is useful because it makes it easy to add new machines to the network. When a DHCP-configured client (a computer or any other network-aware device) connects to a network, the DHCP client sends a broadcast query requesting necessary information from a DHCP server. The DHCP server manages a pool of IP addresses and information about client configuration parameters such as default gateway, domain name, the name servers, other servers such as time servers, and so forth. On receiving a valid request, the server assigns the computer an IP address, a lease (length of time the allocation is valid), and other IP configuration parameters, such as the subnet mask and the default gateway. The query is typically initiated immediately after booting, and must complete before the client can initiate IP-based communication with other hosts. Depending on implementation, the DHCP server may have three methods of allocating IP addresses:

Dynamic Allocation: A network administrator assigns a range of IP addresses to DHCP, and each client computer on the LAN is configured to request an IP address from the DHCP server during network initialization. The request-and-grant process uses a lease concept with a controllable time period, allowing the DHCP server to reclaim (and then reallocate) IP addresses that are not renewed.

Automatic Allocation: The DHCP server permanently assigns a free IP address to a requesting client from the range defined by the administrator. This is like dynamic allocation, but the DHCP server keeps a table of past IP address assignments, so that it can preferentially assign to a client the same IP address that the client previously had.

Static Allocation: The DHCP server allocates an IP address based on a table with MAC address/IP address pairs, which are manually filled in (perhaps by a network administrator). Only requesting clients with a MAC address listed in this table will be allocated an IP address. This feature (which is not supported by all DHCP servers) is variously called Static DHCP Assignment (by DD-WRT), fixed-address (by the dhcpd documentation), Address Reservation (by Netgear), DHCP reservation or Static DHCP (by Cisco/Linksys), and IP reservation or MAC/IP binding (by various other router manufacturers).

14.4

Installation

At a terminal prompt, enter the following command to install dhcpd:

sudo apt-get install dhcp3-server

At the end of the installation (perhaps) you will see errors like these:

Generating /etc/default/dhcp3-server...
Starting DHCP server: dhcpd3 failed to start - check syslog for diagnostics.
invoke-rc.d: initscript dhcp3-server, action "start" failed.

That is alright because we did not have the chance yet to configure our DHCP server. You will need to change the default configuration by editing /etc/dhcp3/dhcpd.conf to suit your needs and particular configuration. You also need to edit /etc/default/dhcp3-server to specify the interfaces dhcpd should listen to. By default it listens to eth0.


14.5

Configuration

14.5.1

Configuration Parameters

The parameters specified are explained below.

Parameter                     Definition
ddns-update-style             Type of DDNS update to use with local DNS Server
ignore client-updates         Ignore all client requests for DDNS update
lease-file-name               File name that stores list of active IP lease allocations
authoritative                 Set as master server, protects against rogue DHCP servers and misconfigured clients
option domain-name            Specifies the Internet Domain Name to append to a client's hostname
option domain-name-servers    The DNS servers the clients should use for name resolution
default-lease-time            The default time in seconds that the IP is leased
max-lease-time                The max time in seconds that the IP is leased
option routers                Specifies the Gateway for the client to use
option subnet-mask            The subnet mask specific to the lease range
option broadcast-address      The broadcast address specific to the lease range
option ntp-servers            Network Time Protocol servers available to the clients
option netbios-name-server    The NetBIOS name server (WINS)
option netbios-node-type      The NetBIOS name resolution method (8=hybrid)
range                         The range of valid IP addresses available for client offer


14.5.2

Select Interface card

Edit the file /etc/default/dhcp3-server:

INTERFACES="eth0"

14.5.3

Configure Subnet

Here is an example of configured subnets.

ddns-update-style none;
option domain-name-servers 145.253.2.75, 193.174.32.18;
default-lease-time 86400;
max-lease-time 604800;
authoritative;

subnet 172.16.0.0 netmask 255.255.0.0 {
    range 172.16.210.100 172.16.210.200;
    option subnet-mask 255.255.0.0;
    option broadcast-address 172.16.210.255;
    option routers 172.16.20.10;
}
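The values inside a subnet block must agree with each other: the range and the routers must lie inside the declared network, and the broadcast address is fixed by the network and netmask. The following Python script is an added example, not part of the ISC dhcpd package or of this document; it extracts subnet blocks with a regular expression (nested pool or host blocks are not handled), checks those relations with Python's ipaddress module, and verifies that the global authoritative statement from the parameter table is present. Its embedded sample is the subnet block above; run against it, the checker reports that 172.16.210.255 is not the broadcast address of 172.16.0.0/16, which is 172.16.255.255. The function names are the example's own.

```python
import ipaddress
import re

# Sample input: the subnet block from the section above (the text's example
# addresses, not a real deployment).
SAMPLE_DHCPD_CONF = """\
ddns-update-style none;
option domain-name-servers 145.253.2.75, 193.174.32.18;
default-lease-time 86400;
max-lease-time 604800;
authoritative;
subnet 172.16.0.0 netmask 255.255.0.0 {
    range 172.16.210.100 172.16.210.200;
    option subnet-mask 255.255.0.0;
    option broadcast-address 172.16.210.255;
    option routers 172.16.20.10;
}
"""

# One subnet block: "subnet A.B.C.D netmask M.M.M.M { ... }" up to the
# first closing brace, so nested pool/host blocks are out of scope here.
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_subnets(text):
    """Return one dict per subnet block: {'network': IPv4Network, statement: [args]}."""
    subnets = []
    for addr, mask, body in SUBNET_RE.findall(text):
        entry = {"network": ipaddress.ip_network(f"{addr}/{mask}", strict=False)}
        for stmt in body.split(";"):
            tokens = stmt.replace(",", " ").split()
            if not tokens:
                continue
            if tokens[0] == "option":
                entry[tokens[1]] = tokens[2:]   # e.g. entry["routers"] = [...]
            else:
                entry[tokens[0]] = tokens[1:]   # e.g. entry["range"] = [lo, hi]
        subnets.append(entry)
    return subnets


def is_authoritative(text):
    """The global 'authoritative;' statement lets the server refuse leases it
    does not know about (the rogue-server protection in the parameter table)."""
    return re.search(r"^\s*authoritative\s*;", text, re.M) is not None


def check_subnet(entry):
    """Return a list of problems with one parsed subnet block."""
    net, problems, rng = entry["network"], [], None
    if "range" in entry:
        bounds = [ipaddress.ip_address(a) for a in entry["range"] if a != "dynamic-bootp"]
        rng = (bounds[0], bounds[-1])
        if rng[0] > rng[1]:
            problems.append(f"range start {rng[0]} is above its end {rng[1]}")
        if rng[0] not in net or rng[1] not in net:
            problems.append(f"range {rng[0]}-{rng[1]} is not inside {net}")
    if "subnet-mask" in entry and ipaddress.ip_address(entry["subnet-mask"][0]) != net.netmask:
        problems.append(f"option subnet-mask {entry['subnet-mask'][0]} differs from "
                        f"the declared netmask {net.netmask}")
    if "broadcast-address" in entry:
        bcast = ipaddress.ip_address(entry["broadcast-address"][0])
        if bcast != net.broadcast_address:
            problems.append(f"option broadcast-address {bcast} should be "
                            f"{net.broadcast_address} for {net}")
    for router in entry.get("routers", []):
        r = ipaddress.ip_address(router)
        if r not in net:
            problems.append(f"router {r} is not on {net}; clients could not reach it")
        elif rng and rng[0] <= r <= rng[1]:
            problems.append(f"router {r} lies inside the dynamic range and may be leased to a client")
    return problems


def check_config(text):
    """Global checks plus the checks for every subnet block in the file."""
    problems = [] if is_authoritative(text) else ["no global 'authoritative;' statement"]
    for entry in parse_subnets(text):
        problems.extend(check_subnet(entry))
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_DHCPD_CONF) or ["no problems found"]:
        print(problem)
```

A router address that falls inside the dynamic range is reported as well, since dhcpd would eventually hand that address to a client and the gateway would then be unreachable for everyone on the subnet.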

Chapter

15

Mail Server
Setting up a Mail Server in Linux consists of setting up a number of components individually. A working mail server has two major components.

1. Mail Transfer Agent (MTA): An MTA is software that transfers electronic mail messages from one computer to another using a client-server application architecture. An MTA implements both the client (sending) and server (receiving) portions of the Simple Mail Transfer Protocol (SMTP).

2. Mail Delivery Agent (MDA): An MDA is a computer software component that is responsible for the delivery of e-mail messages to a local recipient's mailbox. Within the Internet mail architecture, local message delivery is achieved through a process of handling messages from the MTA and storing mail into the recipient's mailbox.

In this chapter our main focus will be to configure these components and set up a mail server. In addition to these we shall also see how we can set up a web mail system that can be accessed by a browser from anywhere.

15.1

Mail Transfer Agent Setup

The most popular MTA in Linux is Postfix. There are also other MTAs such as esmtp, exim, sendmail etc. We shall focus on the installation and configuration of Postfix.

15.1.1

Installation

Postfix can be installed using the following commands:

sudo apt-get install postfix
sudo apt-get install mailx

Start the postfix daemon with the following command:

sudo /etc/init.d/postfix start

Restart the daemon with the following command:

sudo /etc/init.d/postfix restart

Always restart the daemon whenever any configuration change is made.


15.1.2

Configuration File

The main configuration file for postfix is /etc/postfix/main.cf. To change any configuration this file needs to be edited. Another way of configuring postfix is to use the postconf command with the -e option. This command, when used with the -e option, edits the main.cf file with the supplied arguments.

15.1.3

Creating Users

A mail server has a number of users associated with it. If the mail server's domain name is example.test and it has a user named alice then the user's email address would be alice@example.test. If an email is sent to the address alice@example.test it will be stored within the mail server located at example.test. To create a user account use the following commands on the server:

sudo useradd -m -d /home/<user_name> -s /bin/bash <user_name>
sudo passwd <user_name>
[Enter the newly created user's password]

This will create a user named <user_name> on the server with the email address <user_name>@<server_domain>.

15.1.4

Changing The Mailbox Type

By default all the emails that a user receives on the server are concatenated and stored in a file named mbox located in that user's home directory. There is another format for storing messages known as the Maildir format. Maildir is a directory that has three sub-directories named tmp, new, and cur. Maildir is the preferred format because the Courier IMAP / POP MDAs support Maildir style mailboxes. To change the mailbox type add the following lines to the main.cf file:

home_mailbox = Maildir/
mailbox_command =

or run the following commands in the shell:

sudo postconf -e "home_mailbox = Maildir/"
sudo postconf -e "mailbox_command ="

15.1.5

Add Networks and Domains to Postfix

By default postfix recognizes the localhost network (127.0.0.0/8) only. You can add your network (say 192.168.200.0/24) by running the following command in the shell:

sudo postconf -e "mynetworks = 127.0.0.0/8, 192.168.200.0/24"

You can also add your domain with the following command:

sudo postconf -e "mydestination = localhost.localdomain, <your_domain>"


15.1.6

Enable Mail Transfer from Internet

By default postfix does not provide support for transferring mail to / from the internet. This can be enabled by the following command:

sudo postconf -e "inet_interfaces = all"

And to enable support for both IPv4 and IPv6 use the following command:

sudo postconf -e "inet_protocols = all"
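mynetworks and inet_interfaces together decide who may relay through the server, because Postfix trusts clients matching mynetworks to send mail to any destination. The following Python script is an added example, not part of Postfix or of this document: it parses a main.cf fragment, flags mynetworks entries that trust the whole Internet or a public network while inet_interfaces = all, and reports parameter names this chapter does not use, since postconf -e accepts any name and a misspelled one has no effect beyond an "unused parameter" warning in the mail log. The sample fragment and the public network in the checks are constructed for the example; the list of known parameters covers only those used in this chapter, and the function names are the example's own.

```python
import ipaddress
import re

# Constructed main.cf fragment: the settings from the text plus one
# over-broad network entry and one misspelled parameter name.
SAMPLE_MAIN_CF = """\
home_mailbox = Maildir/
mailbox_command =
mynetworks = 127.0.0.0/8, 192.168.200.0/24, 0.0.0.0/0
mydestination = localhost.localdomain, example.test
inet_interfaces = all
inte_protocols = all
"""

# Only the parameters this chapter uses (assumption of this example, not a
# complete list of Postfix parameters).
KNOWN_PARAMETERS = {
    "home_mailbox", "mailbox_command", "mynetworks", "mydestination",
    "inet_interfaces", "inet_protocols", "myhostname", "mydomain", "myorigin",
}


def parse_main_cf(text):
    """main.cf is 'name = value' per line; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def unknown_parameters(conf):
    """Names that are not in KNOWN_PARAMETERS, e.g. a typo made with postconf -e."""
    return sorted(name for name in conf if name not in KNOWN_PARAMETERS)


def relay_problems(conf):
    """Entries in mynetworks that would let untrusted clients relay mail."""
    problems = []
    exposed = conf.get("inet_interfaces", "all") == "all"
    for entry in split_list(conf.get("mynetworks", "")):
        # Postfix writes IPv6 networks in brackets; '!' exclusions and
        # table lookups (hash:, cidr:) are not handled by this example.
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            problems.append(f"mynetworks entry {entry!r} is not an IP address or network")
            continue
        if net.prefixlen == 0:
            problems.append(f"mynetworks contains {net}: every host on the Internet "
                            "could relay through this server")
        elif exposed and not (net.is_private or net.is_loopback):
            problems.append(f"mynetworks trusts the public network {net} while inet_interfaces = all")
    return problems


def check_main_cf(text):
    """All findings for a main.cf fragment, unknown names first."""
    conf = parse_main_cf(text)
    problems = [f"unknown parameter {name!r} (misspelled?)" for name in unknown_parameters(conf)]
    return problems + relay_problems(conf)


if __name__ == "__main__":
    for problem in check_main_cf(SAMPLE_MAIN_CF) or ["no problems found"]:
        print(problem)
```

On the sample fragment the checker reports the misspelled inte_protocols and the 0.0.0.0/0 entry; with the two mynetworks entries from the text and the parameter name corrected it reports nothing.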

15.1.7

Test Configuration

You can test the configuration by connecting to the MTA using the netcat or telnet tool. You can do this by:

netcat localhost 25

or

telnet localhost 25

25 is the port number of the smtp service. If everything is fine then you shall see the following output followed by a blinking cursor.

Trying 127.0.0.1...
Connected to <your_domain>.
Escape character is '^]'.
220 localhost.localdomain ESMTP Postfix (Ubuntu)

Type the following in the telnet terminal to send an email to user alice on the server.

mail from: root@localhost
rcpt to: alice@localhost
data
Subject: My first mail on Postfix

Hi,
Are you there?
regards,
Admin
.
quit

Now log into alice's account with su alice and type the mail command. Then you'll see an output something like the following:

Mail version 8.1.2 01/15/2001.  Type ? for help.
"/var/mail/alice": 1 messages 1 new
>N  2 root@localhost   Mon Mar  6 12:51   15/487   My first mail
&

This lists the mail that was just sent.


15.2

Mail Delivery Agent

There are a number of MDAs available for Linux, such as dovecot, Courier IMAP, Courier POP, procmail etc. Courier IMAP and Courier POP are two very popular MDAs. The IMAP MDA is used along with webmail systems. These packages can be installed with the following commands:

sudo apt-get install courier-pop
sudo apt-get install courier-imap

The operation of courier requires no extra configuration. To test if courier is properly running you can send an email from the terminal like in 15.1.7. But from alice's account type in the shell:

netcat localhost 110

(use port 143 for IMAP). If the MDA is properly working then you'll be given the console of POP. You have the following commands available to retrieve / list messages:

USER name
PASS string
STAT
LIST [msg]
RETR msg
DELE msg
QUIT

15.3

Webmail

Webmail is software which allows you to view email from any computer, anywhere in the world, through your web browser. Webmail is not a server. It is a collection of software which provides a web based front end for accessing email functionality. There are a number of webmail systems available, such as Openwebmail, Squirrelmail etc. We shall see how to set up Squirrelmail in Linux.

15.3.1

Installation and Required Components

In order to run Squirrelmail, you need to first set up a number of things:

- A working Mail Transfer Agent (Postfix)
- A working (IMAP) Mail Delivery Agent (Courier IMAP)
- A working Apache installation with PHP

With these components ready you can install Squirrelmail with the following command:

sudo apt-get install squirrelmail


15.3.2

Configuration

Squirrelmail configuration consists of configuring two different components:

1. Configuring Apache: Squirrelmail is written in PHP, so it must be hosted on a PHP-enabled web server. We assume that the system has the apache2 package installed along with PHP support. Squirrelmail comes with a sample Apache configuration file in /etc/squirrelmail/apache.conf. To use this file to enable Squirrelmail hosting on the web server, run the following:

sudo cp /etc/squirrelmail/apache.conf /etc/apache2/sites-available/squirrelmail
sudo a2ensite squirrelmail

2. Configure Squirrelmail: Squirrelmail comes with a menu based configuration tool named squirrelmail-configure. Not all the options need to be edited. It is a good idea to edit only the necessary options until you have Squirrelmail working, because it is then easier to see what might be wrong. After Squirrelmail is working, you can customise all the options! It is a good idea to check the following options though:

In Menu 2 (mail server settings), although you shouldn't have to edit these, just check they are correct. You can use a remote IMAP server if you like, but if Squirrelmail is running on the same machine as your mail server, it is faster and perfectly safe to use IMAP on localhost (you can configure your IMAP server to ensure that it only listens on localhost if you like). Check that your mail settings are:

(a) A. Update IMAP Settings : localhost:143 (other)
(b) B. Update SMTP Settings : localhost:25

In Menu 4 (general settings), it is a good idea to enable option 11 (Allow server-side sorting).

15.4

Virus Scanning and Spam Filtering

There are some third party tools available for integrating virus scanning and spam filtering into the mail server. In this section we shall study spamassassin for spam filtering and clamav for virus scanning. These tools can be individually installed and configured to be integrated into the mail server. There is another tool named amavis which simplifies the configuration of these two. Amavis itself configures the two tools for the users; the users need to configure amavis only. These tools can be installed with the following command:

sudo apt-get install amavisd-new spamassassin clamav-daemon

Install the optional packages for better spam detection (who does not want better spam detection?):
sudo apt-get install libnet-dns-perl libmail-spf-query-perl pyzor razor

Install these optional packages to enable better scanning of attached archive files:

sudo apt-get install arj bzip2 cabextract cpio file gzip lha nomarch pax rar unrar unzip unzoo zip zoo


15.4.1

Clamav Configuration

The default behaviour of Clamav will fit our needs. A daemon is launched (clamd) and signatures are fetched every day. For more Clamav configuration options, check the configuration files in /etc/clamav. Add the clamav user to the amavis group and vice versa in order for Clamav to have access to scan files:

sudo adduser clamav amavis
sudo adduser amavis clamav

15.4.2

Configure Spamassassin

Spamassassin autodetects optional components and will use them if they are present. Edit /etc/default/spamassassin: to activate the Spamassassin daemon change ENABLED=0 to ENABLED=1, and to enable automatic rule updates change CRON=0 at the bottom to CRON=1. Now start Spamassassin:

sudo /etc/init.d/spamassassin start

15.4.3

Amavis Conguration

Activate spam and antivirus detection in Amavis by editing the 15-content_filter_mode file located in the /etc/amavis/conf.d/ folder. Add the following lines to the file (if not already present):

use strict;

@bypass_virus_checks_maps = (
   \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

@bypass_spam_checks_maps = (
   \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);

1;

After making these changes restart amavis, spamassassin and clamav.

15.4.4

Postfix Configuration

Add the following line to the main.cf file of Postfix:

content_filter = smtp-amavis:[127.0.0.1]:10024

And add the following lines to the master.cf file of Postfix (the "-" fields take the master.cf defaults; the first entry is the transport that hands mail to amavis on port 10024, the second is the listener on port 10025 that takes scanned mail back):

smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Also add the following two lines immediately below the pickup transport service:

        -o content_filter=
        -o receive_override_options=no_header_body_checks

This will prevent messages that are generated to report on spam from being classified as spam. After making these changes restart postfix, and content filtering with spam and virus detection is enabled.
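The 127.0.0.1:10025 listener above has most smtpd restrictions cleared, so the only things keeping it from becoming an unrestricted injection point are that it is bound to loopback, that mynetworks is 127.0.0.0/8, and that its own content_filter is empty (otherwise scanned mail is sent through amavis again in a loop). The following Python script is an added example, not part of the handout or of Postfix; it parses master.cf and reports any deviation from that layout. The GOOD_MASTER_CF and WEAK_MASTER_CF fragments are constructed from the entries printed above, and the check list REQUIRED_10025 is this script's own.

```python
"""Audit the Amavis re-injection listener in Postfix master.cf (section 15.4.4).
Added example, not handout code: parses master.cf and checks that the
127.0.0.1:10025 service keeps the overrides that make it safe to run with
most smtpd restrictions cleared."""
import sys
from typing import Dict, List, Tuple

Service = Dict[str, object]          # {"fields": [...], "options": {...}}

# Overrides the re-injection listener must carry (values as in the handout).
REQUIRED_10025 = {
    "content_filter": "",                                   # no second amavis pass
    "smtpd_client_restrictions": "permit_mynetworks,reject",
    "smtpd_recipient_restrictions": "permit_mynetworks,reject",
    "mynetworks": "127.0.0.0/8",
}


def parse_master_cf(text: str) -> Dict[Tuple[str, str], Service]:
    """master.cf grammar: a service line has 8 whitespace-separated fields
    (name type private unpriv chroot wakeup maxproc command); indented lines
    continue the previous entry and carry '-o key=value' overrides."""
    services: Dict[Tuple[str, str], Service] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens = raw.split()
        if raw[0] in " \t":                              # continuation line
            if current is None:
                raise ValueError(f"continuation before any service: {raw!r}")
            for i, tok in enumerate(tokens[:-1]):
                if tok == "-o":
                    key, _, value = tokens[i + 1].partition("=")
                    current["options"][key] = value
            continue
        if len(tokens) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        current = {"fields": tokens, "options": {}}
        services[(tokens[0], tokens[1])] = current
    return services


def audit_amavis_services(master_cf: str) -> List[str]:
    """One finding per deviation from the 15.4.4 layout; [] means it matches."""
    services = parse_master_cf(master_cf)
    findings: List[str] = []
    if ("smtp-amavis", "unix") not in services:
        findings.append("smtp-amavis unix transport missing; main.cf content_filter would fail")
    reinject = services.get(("127.0.0.1:10025", "inet"))
    if reinject is None:
        other = [n for (n, t) in services if t == "inet" and n.endswith("10025")]
        findings.append(f"re-injection service {other[0]} is not bound to 127.0.0.1 only"
                        if other else "no inet service on port 10025; amavis cannot hand mail back")
        return findings
    for key, want in REQUIRED_10025.items():
        got = reinject["options"].get(key)
        if got != want:
            findings.append(f"127.0.0.1:10025: {key}={got!r}, expected {want!r}")
    return findings


# Constructed master.cf fragment with the two entries of section 15.4.4.
GOOD_MASTER_CF = """\
smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20
127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
"""

# Constructed weak variant: listener on every interface, mynetworks override dropped.
WEAK_MASTER_CF = GOOD_MASTER_CF.replace("127.0.0.1:10025", "10025          ").replace(
    "        -o mynetworks=127.0.0.0/8\n", "")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/postfix/master.cf"
    with open(path) as fh:
        print("\n".join(audit_amavis_services(fh.read())) or "OK")
```

Run it as `python3 audit_master.py /etc/postfix/master.cf` after the edit above; an empty result means the listener matches the handout's layout.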


Chapter 16

MySQL Database Server


MySQL is a widely used database server. MySQL is free of cost. MySQL comes with both backend servers and client components.

16.1

Installation

MySQL can be installed with the following command:

sudo apt-get install mysql-server

During the installation process you will be prompted to enter a password for the MySQL root user. The root user in MySQL is the most privileged user. Once the installation is complete, the MySQL server should be started automatically. You can run the following command from a terminal prompt to check whether the MySQL server is running:

sudo netstat -tap | grep mysql

When you run this command, you should see the following line or something similar:

tcp 0 0 localhost.localdomain:mysql *:* LISTEN

The mysql-doc-5.0 package contains the documentation of MySQL. After installing this package the HTML formatted documentation can be found at /usr/share/doc/mysql-doc-5.0/refman-5.0-en.html-chapter/. Open the index.html file to see the documentation homepage. The server installation also comes with the client. The client can be used to log into the server and make any necessary changes there. To access the server:

mysql -u root -p

The -u option specifies the user to log in as and the -p option prompts for the password.

16.2

Basic Configuration

The basic settings can be configured by editing the /etc/mysql/my.cnf file. To configure MySQL to listen for connections from network hosts, change the bind-address directive to the server's IP address:

bind-address = <IP_OF_SERVER>

If localhost / 127.0.0.1 is used as the bind address then the server will listen on localhost only. By default MySQL listens on port number 3306. This can be changed by editing the port variable in this file:

port=<PORT_NUMBER_TO_USE>

16.3

Creating a Database

To create a database first log into the server using the mysql client tool. Then type the following SQL command in the terminal:

CREATE DATABASE <DATABASE_NAME>;

To use any database for further data entry or queries, use the following command:

USE <DATABASE_NAME>;

16.4

Adding a User

A database server can have a number of users with different level of access to it. We can create users in MySQL server and assign them different level of access. To create a user log into the server using the client tool and enter the following command:
CREATE USER '<USERNAME>'@'<SERVER_ADDRESS>' IDENTIFIED BY '<PASSWORD>';

16.5

Changing User Password

To change the password of any user enter the following command in the mysql terminal:
SET PASSWORD FOR '<USERNAME>'@'<SERVER_NAME>' = PASSWORD('<DESIRED_PASSWORD>');

16.6

Access Control

To grant any privillege to any user use the following command:


GRANT [PERMISSION1],[PERMISSION2],...,[PERMISSIONK] ON <DATABASE>.<TABLE> TO '<USER>'@'<SERVER_ADDRESS>';

To grant all privileges use ALL PRIVILEGES instead of the list of permissions. To see the privileges granted to any user use the following command:

SHOW GRANTS FOR '<USER>'@'<SERVER_ADDRESS>';

Any privilege can be taken away from the user using the REVOKE statement. This statement has the same format as the GRANT statement.
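Once several users exist with different levels of access, the SHOW GRANTS output is where an administrator reviews who can do what. The following Python script is an added example, not part of the handout or of MySQL: it parses SHOW GRANTS lines in the format MySQL prints them and flags the grants a reviewer would want to look at (accounts reachable from any host, ALL PRIVILEGES on *.*, WITH GRANT OPTION, and server-level privileges). The sample lines, account names and the password hash placeholder are constructed.

```python
"""Audit SHOW GRANTS output (section 16.6) for over-broad access.
Added example, not handout code; sample lines below are constructed."""
import re
from typing import List, Optional

# Shape of a SHOW GRANTS line: GRANT <privs> ON <db>.<table> TO 'user'@'host' [...]
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<obj>\S+) TO "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<rest>.*)$")

# Privileges that act on the whole server rather than on one database.
SERVER_LEVEL = {"FILE", "SUPER", "PROCESS", "SHUTDOWN", "RELOAD"}


def parse_grant(line: str) -> Optional[dict]:
    """Split one SHOW GRANTS line into privs / obj / user / host / rest,
    or return None for a line that is not a GRANT statement."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        return None
    d = m.groupdict()
    d["privs"] = [p.strip().upper() for p in d["privs"].split(",")]
    return d


def audit_grants(lines: List[str]) -> List[str]:
    """Return one finding per risky grant; an empty list means nothing flagged."""
    findings: List[str] = []
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        who = f"'{g['user']}'@'{g['host']}'"
        if g["host"] == "%":
            findings.append(f"{who}: account may log in from any host")
        if "ALL PRIVILEGES" in g["privs"] and g["obj"] == "*.*" and g["user"] != "root":
            findings.append(f"{who}: ALL PRIVILEGES on *.* (full server control)")
        if "WITH GRANT OPTION" in g["rest"].upper():
            findings.append(f"{who}: can pass its privileges to other accounts")
        server = sorted(SERVER_LEVEL & set(g["privs"]))
        if server:
            findings.append(f"{who}: server-level privileges {', '.join(server)}")
    return findings


# Constructed SHOW GRANTS output: one least-privilege account and two broad ones.
SAMPLE_SHOW_GRANTS = [
    "GRANT USAGE ON *.* TO 'alice'@'localhost' IDENTIFIED BY PASSWORD '*HASH_PLACEHOLDER'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'alice'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' WITH GRANT OPTION",
    "GRANT SELECT, FILE ON *.* TO 'report'@'localhost'",
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_SHOW_GRANTS):
        print(finding)
```

To review a live server, pipe the client output into the script instead of the sample list, for example `mysql -u root -p -N -e "SHOW GRANTS FOR 'webapp'@'%'"`, and read each finding against what that account actually needs; a web application normally needs SELECT / INSERT / UPDATE / DELETE on its own database, not ALL PRIVILEGES on *.*.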
