Upload
darren-arnold
View
273
Download
2
Embed Size (px)
Citation preview
DNS Setup
DNS CONFIGURATION
DNS Configuration
DNS Setup
named daemon is used
A DNS Server may be caching/master/slave server
The named.ca file has information of all Root Servers.
There is a Forward Zone file and a Reverse Zone file for every domain.
Configuration file:
/var/named/chroot/etc/named.conf
Forward Zone File:
/var/named/chroot/var/named/<forward_zone_file>
Reverse Zone File:
/var/named/chroot/var/named/<reverse_zone_file>
Sample Master named.confDNS Setup
zone "." { type hint; file "named.ca";};zone "0.0.127.in-addr.arpa" { type master; file "named.local"; allow-query {any;};};zone "iitk.ac.in" { type master; file "hosts.db"; allow-query {any;};};zone "95.200.203.IN-ADDR.ARPA" { type master; file "hosts.rev.203.200.95"; allow-query {any;};};
zone "iitk.ernet.in" {
type slave;
file "hosts.iitk.ernet.in";
masters { 202.141.40.10; };
allow-query {any;};
Sample Forward Zone File
DNS Setup
$TTL 86400
@ IN SOA ns1.iitk.ac.in. root.ns1.iitk.ac.in. (
200605091 ; Serial
10800 ; Refresh - 3 hours
3600 ; Retry - 1 hour
1209600 ;Expire - 1 week
43200 ) ; Minimum TTL for negative answers - 12 hours
IN NS ns1.iitk.ac.in.
IN NS ns2.iitk.ac.in.
IN MX 5 mail0.iitk.ac.in.
IN MX 10 mail1.iitk.ac.in.
IN MX 20 mail2.iitk.ac.in.
$ORIGIN iitk.ac.in.
ns1 IN A 203.200.95.142
mail0 IN A 203.200.95.144
proxy IN CNAME mail0
Sample Reverse Zone FileDNS Setup
$TTL 86400$ORIGIN 200.203.in-addr.arpa.95 IN SOA ns1.iitk.ac.in. root.ns1.iitk.ac.in. ( 200605091 ; Serial 10800 ; Refresh - 5 minutes 3600 ; Retry - 1 minute 1209600 ; Expire - 1 weeks 43200 ) ; Minimum TTL for negative answers - 12 hours IN NS ns1.iitk.ac.in. IN NS ns2.iitk.ac.in.
$ORIGIN 95.200.203.in-addr.arpa.;;142 IN PTR ns1.iitk.ac.in.144 IN PTR mail0.iitk.ac.in.
Configuring Local ResolverDNS Setup
/etc/resolv.conf
server 127.0.0.1
Test DNSDNS Setup
nslookup
host
dig
Test your DNS with the following DNS diagnostics web site: dnsstuff.com
Apache Setup
APACHE SETUP
Web ServerWeb Server Setup
Apache Web Server is used
Daemon is httpd (service httpd start/stop/restart)
Files used by ApacheWeb Server Setup
Configuration file: /etc/httpd/conf/httpd.conf
Log files: /var/log/httpd/access_log and /var/log/httpd/error_log
Modules /etc/httpd/modules
Default Document Root /var/www/html
Default CGI Root /var/www/cgi-bin
Apache Configuration Directives
Web Server Setup
Server Name
Min and Max Servers
Document Root
CGI Enable/Disable
User Directory
Directory Index
Mime Types
Modules
Access Restrictions
Secure Server
Virtual Hosting
Basic SettingsWeb Server Setup
Change the default value for ServerName www.<your-domain.com> in httpd.conf and put the website content in /var/www/html
Additionally you can configure Name based Virtual Hosting (allow more than one websites to run on the same server)
Virtual HostingWeb Server Setup
NameVirtualHost *:80
<VirtualHost *:80>
ServerName server-name
DocumentRoot path-to-virtual-document-root
</VirtualHost>
<VirtualHost *:80>
ServerName server-name
DocumentRoot path-to-virtual-document-root
</VirtualHost>
Squid Setup
SQUID SETUP
Obtaining Squid
Squid Setup
Source code (in C) from www.squid-cache.org
Binary executables
Linux (comes with RedHat and others)
FreeBSD
Windows
Pre-installed in Fedora/Enterprise Linux
Basic Settings
Squid Setup
Edit the /etc/squid/squid.conf file to configure squid
Configuration options:
Disk Cache size and location
Authentication
Allowed Hosts
Any other access restrictions (sites, content, size, time of access etc.) using ACL
service squid start/stop/restart
Disc Requirements
Squid Setup
Squid makes very heavy use of disc because of heavy read/write in cache
Needs discs with low seek times
SCSI is better
Can spread cache over 2 or more discs
Raid not recommended
Cached data is not critical
Calculating Disc Space
Squid Setup
Recommend keeping at least 2 days worth of objects
10 days may be better
Example:
256Kbps link loaded 10 hrs/day ~= 1GB
assume 50% cacheable - .5GB / day
2 days objects - 1GB
10 days objects - 5 GB
Squid.conf Basic Configuration
Squid Setup
cache_dir ufs /var/spool/squid/cache 100 16 256
auth_param basic program /usr/lib/squid/ncsa_auth /etc/shadow
acl sidbiusers proxy_auth required
http_access allow sidbiusers
acl our_network src 172.28.250.0/24
http_access allow our_network
(Note: use squid –z for the first time to create the cache directory and its subdirectories)
Sendmail Setup
SENDMAIL SETUP
Sendmail ConfigurationMail Server Setup
Daemon: sendmailConfiguration File: /etc/mail/sendmail.mcEdit the following lines
LOCAL_DOMAIN(`localhost.localdomain')dnl(Replace localhost.localdomain by the domain name for which the mail server is being configured)DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl(comment this line by adding dnl at the start of the line)
dnl MASQUERADE_AS(`mydomain.com')dnl (remove dnl & replace mydomain.com by the domain name)
Sendmail Configuration
Sendmail Setup
Add the range of IP addresses of your network in access file
(e.g. 172.31. Relay)
Run “make –C /etc/mail” command to compile sendmail.mc and generate sendmail.cf file.
Restart sendmail and watch for errors
PoP & IMAP Server
Sendmail Setup
PoP3 & IMAP Server can be started using dovecot server. (service dovecot start)
Firewall
FIREWALL
Basic Setup
Firewall
Internet
Database
ApplicationWeb Server
Firewall
Firewall RulesIP Address of Source (Allow from Trusted Sources)
IP Address of Destination (Allow to trusted Destinations)
Application Port Number (Allow Mail but restrict Telnet)
Direction of Traffic (Allow outgoing traffic but restrict incoming traffic)
Firewall
Firewall ImplementationHardware Firewall: Dedicated Hardware Box (Cisco PIX, Netscreen )
Software Firewall: Installable on a Server ( )
Host OSs (Windows XP/Linux) also provide software firewall features to protect the host
These days Firewalls provide IDS/IPS (Intrusion Detection System/Intrusion Prevention System) services also.
Firewall
LINUX Firewall
Linux Security
Use GUI (Applications ->System Settings-> Security Level) to activate the firewall
Allow standard services and any specific port based application
All other services and ports are blocked
LINUX Firewall
Linux Security