Computer Professional

Life: Miss You ..DAD

2011-10-06T04:22:00.000-07:00

Life: Miss You ..DAD: I miss the moment when you were there I miss the moment the way you care I miss the moment You holded my hand when i fall I miss the mo...

Dell/EMC CX4-240

2009-12-12T11:08:00.000-08:00

High performance storage with connectivity flexibility

The CX4-240 offers remarkable flexibility and investment protection and increased connectivity options and capacity over the CX4-120. It is ideal for heavy transaction processing such as high speed large block data transfers, backup-to-disk, audio/video streaming, replication and departmental applications.

* Supports up to 240 Hard Drives
* Stores up to 234TB of data
* Customized connectivity with up to 512 hosts in a SAN and 8 I/O slots
* All of these connectivity options are available on the same array:
8Gbit Fibre Channel (FC),
4Gbit FC,
10Gbit iSCSI, and
1Gbit iSCSI

UltraFlexTM modular I/O technology enables you to easily add more ports to your array, either Fibre Channel (FC) or iSCSI, as your needs change. You can also easily add future network technologies, such as FCoE once it is available, giving you remarkable flexibility and investment protection. The innovations built into the new Dell/EMC CX4 arrays extend beyond just flexible I/O to include virtual provisioning, support for enterprise flash drives (EFD), enhanced tiering options, features, such as drive spin down and variable speed fans, that enable greener storage by helping to reduce power consumption, and design improvements for performance and availability. In addition, management and reporting features on the CX4 have been enhanced to help you reduce time and effort required for managing your storage in virtualized server environments.
Virtual provisioning

Employ virtual provisioning to help reduce acquisition and operational costs while helping to improve capacity utilization. This can result in fewer drives and can help reduce hardware costs, management time, and power consumption.
Innovation
Cost effective scalability

Cost effective scalability

The CX4-240 array can scale from 5 to 240 drives, connect to as many as 512 highly available hosts in a SAN and store up to 234TB of data, and the extensive support matrix makes it easy to add storage in heterogeneous environments. The CX4 helps ease growing pains allowing you to easily add more capacity, whether it is 10K or 15K FC, 7.2K or 5.4K (energy efficient) SATA or flash drives, as your storage needs change. UltraFlex technology enables you to increase the ports on your array through up to 8 hot-pluggable I/O modules. In addition, the new enterprise flash drives (EFD) option adds a new level of performance for critical applications where 1 EFD can equal up to the performance of 30 Fibre Channel drives. Plus, if you outgrow your CX4-240, data-in-place upgrades are available to move up to an array with higher capacity and performance within the CX4 family.

Green storage

Innovations built into the new CX4 arrays help to reduce power consumption and cooling requirements.

* The new energy efficient 5,400 RPM SATA drives typically consume up to 32% less power1 than a standard 7,200 RPM SATA drive letting you select drives that use less power and help meet your access requirements.The addition of these and other drives creates new tiering options enabling you to use more efficient design in managing how and where your data is stored which offers the potential to reduce power and cooling needs.
* EFD drives, thanks to their higher performance characteristics, can often replace the need for large numbers of spinning drives.
* Drive spin down comes standard on the CX4, and enables you to easily set policies for your SATA drives in the array to power them down when not in use, helping to reduce power consumption and cooling requirements.
* Virtual provisioning is designed to reduce the total number of drives needed, and thus help reduce the power and cooling required for your storage solution.
* The CX4 includes adaptive fan technology where fans spin only at the speed that is needed to keep it cool, potentially further reducing power requirements.

Systems and data management

The same applications that provide advanced data protection, data path management, optimization, replication and migration that were available on previous CX series arrays are also supported on the CX4 arrays. These include SnapViewTM , MirrorViewTM , SAN CopyTM , Replication ManagerTM , PowerPathTM , Navisphere® Analyzer and Navisphere Quality of Service ManagerTM . The array is managed using the powerful and intuitive management interface, Navisphere Manager, which has formed the core of CX array management since its inception.
Seamless integration

With Dell/EMC storage arrays, you can easily deploy, expand, and re-deploy storage. Migrating data seamlessly between different classes of drives and RAID types can help in delivering the optimal combination of performance and availability for your unique needs. And with Virtual LUN technology, data migration takes place dynamically and effortlessly, helping avoid disruption in your environment. Dell/EMC storage arrays support the EMC data replication and migration applications, MirrorviewTM and SAN CopyTM . These optional tools let you remotely mirror data from one array to another to help meet disaster recovery goals or to simply move data across arrays.

iSCSI Support

iSCSI using traditional 1Gbit IP connections to connect the Dell/EMC CX4 storage array to server hosts is an ideal choice for a remote server environment or limited budgets. The greater bandwidth of 10Gbit iSCSI will be beneficial to customers who are building out new storage infrastructure or who want to consolidate numerous 1Gbit iSCSI hosts to a single 10Gbit connection. With CX4 arrays, you have the flexibility to choose either iSCSI or Fibre Channel connections and how many iSCSI and FC ports you may want now or later.
Solutions

Dell/EMC storage arrays are integrated into Dell’s Microsoft® Exchange® , Microsoft SQL Server® , and Oracle® solutions, which offer tested and validated reference architectures to help solve your messaging and database challenges.

Dell/EMC CX4-120 SAN Storage

2009-12-12T11:05:00.000-08:00

Scalable multi-protocol storage

The CX4-120 is an ideal product for customers who require increased capacity and modularity in a small, but scalable footprint with outstanding data protection and high availability in the mid-range storage market.

* Supports up to 120 Hard Drives
* Stores up to 120TB of data
* Customized connectivity with up to 256 hosts in a SAN and 6 I/O slots
* All of these connectivity options are available on the same array:
8Gbit Fibre Channel (FC),
4Gbit FC,
10Gbit iSCSI, and
1Gbit iSCSI

Innovation

UltraFlexTM modular I/O technology enables you to easily add more ports to your array, either Fibre Channel (FC) or iSCSI, as your needs change. You can also easily add future network technologies, such as FCoE once it is available, giving you remarkable flexibility and investment protection. The innovations built into the new Dell/EMC CX4 arrays extend beyond just flexible I/O to include virtual provisioning, support for enterprise flash drives (EFD), enhanced tiering options, features, such as drive spin down and variable speed fans, that enable greener storage by helping to reduce power consumption, and design improvements for performance and availability. In addition, management and reporting features on the CX4 have been enhanced to help you reduce time and effort required for managing your storage in virtualized server environments.

Virtual provisioning

Employ virtual provisioning to help reduce acquisition and operational costs while helping to improve capacity utilization. This can result in fewer drives and can help reduce hardware costs, management time, and power consumption.

Cost effective scalability

The CX4-120 array can scale from 5 to 120 drives, connect to as many as 256 highly available hosts in a SAN and store up to 120TB of data, and the extensive support matrix makes it easy to add storage in heterogeneous environments. The CX4 helps ease growing pains allowing you to easily add more capacity, whether it is 10K or 15K FC, 7.2K or 5.4K (energy efficient) SATA or flash drives, as your storage needs change. UltraFlex technology enables you to increase the ports on your array through up to 6 hot-pluggable I/O modules. In addition, the new enterprise flash drives (EFD) option adds a new level of performance for critical applications where 1 EFD can equal up to the performance of 30 Fibre Channel drives. Plus, if you outgrow your CX4-120, data-in-place upgrades are available to move up to an array with higher capacity and performance within the CX4 family.
Green storage

Innovations built into the new CX4 arrays help to reduce power consumption and cooling requirements.

* The new energy efficient 5,400 RPM SATA drives typically consume up to 32% less power1 than a standard 7,200 RPM SATA drive letting you select drives that use less power and help meet your access requirements.The addition of these and other drives creates new tiering options enabling you to use more efficient design in managing how and where your data is stored which offers the potential to reduce power and cooling needs.
* EFD drives, thanks to their higher performance characteristics, can often replace the need for large numbers of spinning drives.
* Drive spin down comes standard on the CX4, and enables you to easily set policies for your SATA drives in the array to power them down when not in use, helping to reduce power consumption and cooling requirements.
* Virtual provisioning is designed to reduce the total number of drives needed, and thus help reduce the power and cooling required for your storage solution.
* The CX4 includes adaptive fan technology where fans spin only at the speed that is needed to keep it cool, potentially further reducing power requirements.

Green storage

nnovations built into the new CX4 arrays help to reduce power consumption and cooling requirements.

The new energy efficient 5,400 RPM SATA drives typically consume up to 32% less power¹ than a standard 7,200 RPM SATA drive letting you select drives that use less power and help meet your access requirements.The addition of these and other drives creates new tiering options enabling you to use more efficient design in managing how and where your data is stored which offers the potential to reduce power and cooling needs.
EFD drives, thanks to their higher performance characteristics, can often replace the need for large numbers of spinning drives.
Drive spin down comes standard on the CX4, and enables you to easily set policies for your SATA drives in the array to power them down when not in use, helping to reduce power consumption and cooling requirements.
Virtual provisioning is designed to reduce the total number of drives needed, and thus help reduce the power and cooling required for your storage solution.
The CX4 includes adaptive fan technology where fans spin only at the speed that is needed to keep it cool, potentially further reducing power requirements.

Systems and data management

The same applications that provide advanced data protection, data path management, optimization, replication and migration that were available on previous CX series arrays are also supported on the CX4 arrays. These include SnapViewTM , MirrorViewTM , SAN CopyTM , Replication ManagerTM , PowerPathTM , Navisphere® Analyzer and Navisphere Quality of Service ManagerTM . The array is managed using the powerful and intuitive management interface, Navisphere Manager, which has formed the core of CX array management since its inception.
Seamless integration

With Dell/EMC storage arrays, you can easily deploy, expand, and re-deploy storage. Migrating data seamlessly between different classes of drives and RAID types can help in delivering the optimal combination of performance and availability for your unique needs. And with Virtual LUN technology, data migration takes place dynamically and effortlessly, helping avoid disruption in your environment. Dell/EMC storage arrays support the EMC data replication and migration applications, MirrorviewTM and SAN CopyTM . These optional tools let you remotely mirror data from one array to another to help meet disaster recovery goals or to simply move data across arrays.

iSCSI Support

iSCSI using traditional 1Gbit IP connections to connect the Dell/EMC CX4 storage array to server hosts is an ideal choice for a remote server environment or limited budgets. The greater bandwidth of 10Gbit iSCSI will be beneficial to customers who are building out new storage infrastructure or who want to consolidate numerous 1Gbit iSCSI hosts to a single 10Gbit connection. With CX4 arrays, you have the flexibility to choose either iSCSI or Fibre Channel connections and how many iSCSI and FC ports you may want now or later.
Solutions

Dell/EMC storage arrays are integrated into Dell’s Microsoft® Exchange® , Microsoft SQL Server® , and Oracle® solutions, which offer tested and validated reference architectures to help solve your messaging and database challenges.

Managed Dedicated Host Codero Commits to Renewable Energy

2009-12-12T11:03:00.001-08:00

With the recent purchase of 12,600 MWh in renewable energy credits (RECs), Codero now supplies 100% green power to its data centers in Phoenix, AZ and San Diego, CA and headquarters location in Overland Park, KS. Through this long-term commitment, Codero becomes the largest dedicated server and managed hosting provider in the industry to offer green hosting solutions across its entire operations. The new Green with Codero Initiative means any small- to medium-sized business can power their websites and online stores using green energy.
“Green hosting is an important step forward in our evolution as a company,” notes Phil Spencer, CEO of Codero. “Through innovative practices and opportunities like the Green-e program, our customers can make smarter energy choices for their online businesses – and that benefits all of us.”
Codero’s broad commitment to greening its operations was made possible through Ecoelectrons Renewable Energy, which specializes in helping corporations reduce their carbon footprint through the purchase of Green-e certified RECs. Green-e is the nation’s leading independent consumer protection program for the sale of renewable energy and greenhouse gas reductions in the retail market. In addition, Codero has joined USEPA’s Green Power Partnership as a Leadership Club member to support others within the industry and abroad to achieve more sustainable practices.
“EPA is pleased to welcome Codero to the Green Power Partnership. We applaud their commitment to using green power to reduce greenhouse gas emissions,” says Susan Wickwire, Chief of the Energy Supply and Industry Branch at USEPA.
Codero joins a growing list of companies and organizations taking action to reduce their greenhouse gas emissions. A member of Green-e Energy’s Marketplace program, the company now displays the Green-e logo on its website and other communication materials; this national symbol identifies Codero as an environmental leader in purchasing 100% certified renewable energy. As part of the company’s REC purchase, energy is sourced from the Pioneer Prairie Wind Farm, in Howard County, IA, and confirmed by the Center for Resource Solutions, the nation’s leading independent certification and verification program for renewable energy

New Service from Purity Networks Offers Affordable Email Protection

2009-12-12T11:02:00.001-08:00

Purity Networks announced today the general availability of its new UserProtect service, offering the powerful email protection of Purity Networks’ other email services at an affordable, per user pricing.
The UserProtect service provides users with the full range of Purity Networks’ email protection services, including protection from spam, viruses, phishing and other malware, priced on a per user, unlimited volume basis. Prices start at just $10.95 per user per year with volume discounts available and monthly billing options are available to accounts with 10 users or more.
Account administrators will love the ease of use of the Purity Networks Account Manager. It gives administrators the ability to manage their users and their account settings from a powerful, feature-rich management console. The forthcoming new version of Purity Networks RESTful API will make integration with existing infrastructure effortless.
“With the release of UserProtect, we now offer our customers a choice of which pricing model best meets their needs,” said George A. Roberts IV, President and CEO of Purity Networks. “UserProtect offers per user, flat rate pricing and our ServerProtect and DomainProtect offer volume-based pricing.”
Purity Networks backs all of its services with a 30 day, 100% money-back satisfaction guarantee. A 99.9% uptime guarantee and a 24-hour support response guarantee are also provided to all customers at no additional charge.

About Purity Networks

2009-12-12T11:01:00.002-08:00

Purity Networks is an internet security services and hardware company based out of the Chicago area. Founded by the creators of the HostingCon tradeshow, Purity Networks is focused on providing products and services that give people and companies the freedom to use the internet without worrying about spam, viruses and other malware

Reseller Program for Hosted Exchange 2010 Launched By InterMedia

2009-12-12T11:01:00.001-08:00

Intermedia, today opened its industry-first hosted Exchange 2010 service to its existing and future partners. These managed service providers, value-added resellers and other technology providers can sell and support hosted Exchange 2010 under their own brand as members of Intermedia’s Private Label Partner Program.

Intermedia launched the first hosted Exchange 2010 service on November 9 and remains the only provider of hosted Exchange 2010. The service includes a 100 percent Data Protection Guarantee in addition to Intermedia’s longstanding 99.999 percent uptime service level agreement. Intermedia is able to credibly offer the Data Protection Guarantee, which is enforced by stiff financial penalties, because of the proprietary architecture the company developed to work with hosted Exchange 2010.

“With Intermedia, I can offer clients Exchange 2010 with a 100 percent Data Protection Guarantee, giving me an edge over competitors that offer only Exchange 2007,” says Etorre Dragone, president, Micro Technology Groupe. “I’m always looking for new solutions to help me expand my customer base – Exchange 2010 is definitely one that will help me close more deals with new prospects. Intermedia has proven to be a leader and a valued partner that focuses on offering us the latest in technology, security and reliability so that we can have best-of-breed offerings for our customers.”

According to an Osterman Research survey commissioned by Intermedia, nearly 50 percent of IT decision makers surveyed were on an Exchange 2003 or older platform. Of all IT decision makers surveyed, nearly 65 percent were likely to deploy Exchange 2010 within the next six months – supporting the notion that customers are eager for the new platform.

Intermedia private label partners generate recurring revenue from existing and new customers with high margin Exchange hosting services – all under their own brand – while Intermedia maintains, monitors and upgrades all hardware and software. Intermedia also offers an Affiliate Program for partners that prefer to promote Intermedia solutions and earn a commission for each sale they make. All partners can sell Intermedia’s full suite of hosted communications and collaboration software, including Office Communications Server 2007, SharePoint 3.0 WSS and both Exchange 2010 and Exchange 2007. Intermedia enables resellers to sell not only Microsoft products, but a full ecosystem of related offerings including full support for Blackberry Enterprise Server, fax lines and more.

Intermedia combines proprietary technology with Microsoft Exchange 2010 so customers and partners can have the most robust offering. Additional features of Intermedia’s hosted Exchange 2010 include:

* Choice of datacenter location per mailbox: Partners can choose, on a mailbox level basis, where their customers’ Exchange account data will be stored in order to minimize latency. Partners with customers that are spread throughout the U.S. will enjoy the ability to host some of their mailboxes on the East coast and some of them on the West coast.* New Outlook Web Application (OWA): Partners’ customers will enjoy the ability to access email, instant messaging, SMS text messaging and more – all in one place and through all major web browsers.* Improved ActiveSync: All the latest features of Exchange are available to any mobile device that has Windows Mobile 6.1 or later.

Intermedia has offered private label Exchange hosting since 2001 and has over 4,000 partners – from one-person firms to some of the world’s largest IT names.

ABOUT INTERMEDIA
Intermedia is the premier provider of communications services, including hosted Microsoft Exchange, to small- and mid-sized businesses. For an affordable monthly fee, customers get business email, telephony, smartphones, instant messaging, fax and other communications delivered as a service with 24×7 support. Intermedia also empowers thousands of smaller VARs and MSPs – as well as select Fortune 500 companies

Click To Client, LLC changes name to The Marketing Zen Group

2009-12-12T11:00:00.000-08:00

An announcement from Click To Client, LLC officials state that the company will now be known as The Marketing Zen Group .
The Marketing Zen Group which provides full scale online marketing services to clients around the world has been formally launched. Formerly known as Click To Client, LLC, the company has recently expanded their service offerings and increased their internal team size.
“With our continued focus on providing comprehensive online marketing services, we felt we needed a name to accurately reflect that growth and commitment. One of the key things we hear from clients is that we make online marketing easy for them, and we truly believe there is a Zen to online marketing” stated Shama Kabani, President of The Marketing Zen Group.
The Marketing Zen Group’s primary services include serving as an outsourced marketing department, web design and development, search engine optimization, and social media marketing.. Their clients include K9Cuisine.com, Easy Sale, Inc, Arthur Murray Studios, and David Bach.
For more information, contact:
Marjorie R. Asturias
Media Relations and Accounts Supervisor
Email: marjorie@marketingzen.com
Phone: 1888- 460-6008

An announcement from Click To Client, LLC officials State

2009-12-12T10:59:00.000-08:00

SoftLayer Technologies™, the innovative on-demand data center services provider, today announced the opening of three new data center pods in the company’s Dallas, Seattle, and Washington, D.C., data center facilities. The new pods add capacity for 20,000 additional servers, bringing SoftLayer’s total capacity to more than 45,000 physical machines.
The new pods are part of SoftLayer’s unique approach to data center design. Each of the company’s geographically diverse data centers consists of multiple pods built to identical specifications with the same best-in-class methodologies. This level of standardization across all its geographic locations enables SoftLayer to optimize key data center performance variables, including space, power, network, personnel, and internal infrastructure.
SoftLayer’s milestones in 2009 included:
* More than 5,700 active customers across 110+ countries* More than 23,000 deployed servers* Placement in Gartner’s Magic Quadrant for Web Hosting and Cloud Infrastructure Services* Introduction of CloudLayer™ line of cloud services, including CloudLayer Storage, CloudLayer CDN, CloudLayer Computing, and Bare Metal Cloud™* Industry’s first deployment of Intel® Nehalem microarchitecture* IPv6 support across all data centers* Multiple carrier additions across all data centers for a total of 290Gbps
“We continue gaining momentum every year. We broke more projections and records this year than last, and 2010 will bring even more of the same,” said Lance Crosby, CEO of SoftLayer. “These three new pods meet the customer demand increases that we expect in the very near future. And they are only preliminary measures in our growth strategy for 2010. We have some big plans which we can’t wait to share with everyone.”
About SoftLayer Technologies
Headquartered in Plano, Texas, SoftLayer provides best-in-class, on-demand IT services on a global basis from facilities in Dallas, Seattle, and Washington, DC. SoftLayer integrates and automates all IT elements to innovate industry-leading services—including cloud, dedicated, and virtual computing environments

The Planet Extends High-Performance SAN to Dedicated Hosting Customers

2009-12-12T10:58:00.000-08:00

The Planet, a global leader in IT hosting, today announced the availability of the Dell PowerVault MD3000i, a high-performance storage area network (SAN) disk array. Ideal for multi-server environments such as virtual and private racks, the MD3000i offers a cost-effective and scalable storage solution.

The MD3000i uses iSCSI Ethernet technology to enable shared storage across multiple servers, eliminating the need to build out a costly fiber channel infrastructure. Up to 16 servers can share the MD3000i, which has 15 internal drive slots for a total storage capacity up to 15 terabytes (TB). In the event more capacity is required, companies can add up to two MD1000 storage arrays to the MD3000i for an additional 45TB.“One of the most critical business challenges customers face today is data storage, and all too often it’s also one of the most costly,” said Rob Walters, director of product management for The Planet. “The MD3000i lowers the barrier to entry for high-performance, consolidated storage, and also provides a clear path for expansion for companies that expect to see their storage requirements grow.”

About the Dell PowerVault MD3000iThe iSCSI SAN array provides a scalable and low-cost storage solution, which continually protects daily operations and enables an easy path for expansion:Cost-effective: The MD3000i, The Planet’s lowest-priced SAN, can be shared by as many as 16 servers, which eliminates the high cost of buying individual storage devices for each server.

Scalable: In addition to its 15 internal drive slots, customers can add up to two 15-drive MD1000 disk arrays to the MD3000i, for up to 45TB of storage.

Capable: With its large capacity and high availability, the MD3000i is ideal for businesses running performance-intensive applications, databases, and file or archive storage.

For more information, visit the Web site at http://www.theplanet.com/storage-area-network/.Through Dec. 31, the company is offering a promotion on the MD3000i and MD1000. Customers will receive either the SAN or DAS enclosure free with purchase of 15 1TB or 300GB hard drives, a savings up to $650 per month.

Latest Open-Xchange Makes Webmail and Social Network Integration Easy

2009-12-12T10:57:00.002-08:00

Open-Xchange, a leading provider of open source groupware, today announced enhancements that simplify the aggregation of e-mail and contact information, giving users access to their data anywhere, anytime and with any device.

To improve ease-of use, the latest enhancements introduce a wizard that eases the setup for new and existing Open-Xchange users. The wizard configures the subscriptions of external mail accounts from Google, GMX, Web.de and many others, along with social and business networks like Facebook, LinkedIn, Xing and others, as well as the push synchronization of mobile phones.

“Open-Xchange creates a data hub that gives end users control over their data,” said Rafael Laguna, CEO of Open-Xchange. “Using open and standardized data formats provides users and organizations with the freedom and security to use social web services for the benefit of their business, without many of the lock-in dangers inherent in such social web services.”
Additional new features include:
• New team calendar view
• Usability improvements in the AJAX User Interface
• Enhanced OXtender for Microsoft Outlook
• New On-Line help and manuals

Open-Xchange is used by more than 15 million users worldwide as hosted and on-premise business-class e-mail and groupware. On-premise customers can update their installations immediately with the new version of Open-Xchange 6.14; Software as a Service customers will benefit from the new features as soon as their provider updates their accounts.

Anyone can try the latest Open-Xchange improvements for free at a special preview website, http://ox.io.

A detailed description of all new features of Open-Xchange can be seen athttp://software.open-xchange.com/OX6/doc/feature_overview_6_14_20091105.pdf.
About Open-Xchange
Open-Xchange is the innovator of scalable and integrated open source e-mail and collaboration solutions for enterprises, academic institutions, and government authorities. The company provides on-premise versions called Open-Xchange Server Edition and Open-Xchange Appliance Edition, along with Open-Xchange Hosting Edition, which enables web hosting companies to provide an easy-to-use and feature-rich application delivered as Software as a Service (SaaS). The Open-Xchange Hosting Edition is architected to integrate into a hosting provider’s existing infrastructure, such as authentication, provisioning, billing, and e-mail storage and does not require that these systems be replaced.

Intel® Turbo Memory with User Pinning

2009-12-04T09:38:00.001-08:00

Enhancing system performance through memory innovation

Intel® Turbo Memory with User Pinning brings mobile and desktop systems performance to new heights through the innovative extension of Flash Memory architectures into computing platforms. User pinning offers more options to the user to improve system applications launch time and responsiveness.

User pinning

The new user pinning capability feature, via the Intel® Turbo Memory Dashboard, allows the user to choose and control which applications or files are loaded into the Intel® Turbo Memory cache for performance acceleration. Custom pinning profiles can be created to pin applications or files that match the user's activity, such as PC gaming, office work, or home tasks

Performance

Intel® NAND Flash Memory, working with the Microsoft Windows Vista* ReadyBoost* and ReadyDrive* technologies, adds a new low-latency, non-volatile memory cache between the system memory and the hard drive. This enables fast access to critical data and applications.

Fast application load times, hibernation and resume
Fast overall application responsiveness
Fast boot time
Quick access to frequently used applications and/or files from user pinning
Enhanced data loss protection using RAID 1, 5 and 10

Platform compatibility

Intel® Turbo Memory cards are compatible with Intel® Centrino® and Intel® Centrino® 2 processor technology for notebook PCs and Intel® Core™2 processor family with Series 4 chip sets for business desktop PCs and digital home media.

Be sure to ask for Intel® Turbo Memory with User Pinning and Intel® Turbo Memory Dashboard when purchasing your next Intel-based PC.

Intel® X25-M and X18-M Mainstream SATA Solid-State Drives

2009-12-04T09:37:00.003-08:00

High-performance storage for notebook and desktop PCs – now on 34nm NAND flash memory featuring the Intel® SSD Toolbox

Intel® Solid State Drives (Intel® SSDs) represent a revolutionary breakthrough that delivers a giant leap in storage performance. Intel Solid State Drives are designed to satisfy the most demanding gamers, media creators, and technology enthusiasts. These new drives bring a high level of performance and reliability to notebook and desktop PC storage, at a fraction of the cost of the previous generation of Intel® Solid State Drives (Intel® SSD) products.

Wait less. Do more.

Why wait for a traditional hard disk drive to spin up? Unlike traditional hard disk drives, Intel Solid State Drives have no moving parts, resulting in a quiet, cool, highly rugged storage solution that also offers faster system responsiveness. And for laptop PCs, the lower power needs of Intel SSDs translate to longer battery life and lighter notebooks. Higher performance with more durability means you can be truly mobile with confidence.

Better by design

Drawing from decades of memory engineering experience, and now on new, industry-leading compute-quality 34nm NAND flash memory manufacturing processes, Intel® Mainstream SATA Solid-State Drives are designed to deliver outstanding performance, featuring the latest-generation native SATA interface with an advanced architecture employing 10 parallel NAND flash channels equipped with multi-level cell NAND flash memory. With powerful Native Command Queuing to enable up to 32 concurrent operations, Intel Mainstream SATA SSDs deliver higher input/output per second and throughput performance than other SSDs on the market today – and drastically outperform traditional hard disk drives. These drives also feature low write amplification and a unique wear-leveling design for higher reliability, meaning Intel drives not only perform better – they last longer.

Featuring the Intel® SSD Toolbox with Intel® SSD Optimizer

The Intel® SSD Toolbox with Intel® SSD Optimizer provides a set of applications to easily manage the health and optimize the performance of your Intel SSD. The Intel SSD Toolbox includes a powerful set of management, information, and diagnostic tools, and is designed to work best with 34nm Intel SSDs. The Intel SSD Optimizer utilizes the new ATA Data Set Management Command (Trim Attribute) to help maintain your SSDs performance at "fresh-out-of-the-box" levels, and is specifically designed to run with Microsoft Windows 7*. The Intel SSD Optimizer also works with Microsoft Windows Vista* and XP* operating systems as well.

Two options. No worries.

Intel® Mainstream SATA Solid-State Drives are available in either 2.5in (Intel® X25-M Mainstream SATA Solid-State Drive) or 1.8in (Intel® X18-M Mainstream SATA Solid-State Drive) standard hard drive form factors. And all Intel Mainstream SSDs are tested and validated on the latest Intel-based mobile and desktop platforms for your peace of mind.

Intel® X25-E Extreme SATA Solid-State Drive

2009-12-04T09:37:00.001-08:00

xtreme performance, reliability, and power savings for servers, storage and workstations

The Intel® Extreme SATA Solid-State Drive (SSD) offers outstanding performance and reliability, delivering the highest IOPS per watt for servers, storage and high-end workstations.

Reduce your Total Cost of Ownership (TCO)

Enterprise applications place a premium on performance, reliability, power consumption and space. Unlike traditional hard disk drives, Intel Solid-State Drives have no moving parts, resulting in a quiet, cool storage solution that also offers significantly higher performance than traditional server drives. Imagine replacing up to 50 high-RPM hard disk drives with one Intel® X25-E Extreme SATA Solid-State Drive in your servers — handling the same server workload in less space, with no cooling requirements and lower power consumption. That space and power savings, for the same server workload, will translate to a tangible reduction in your TCO.

Better by design

Drawing from decades of memory engineering experience, the Intel X25-E Extreme SATA Solid-State Drive is designed to deliver outstanding performance and reliability, featuring the latest-generation native SATA interface with an advanced architecture employing 10 parallel NAND flash channels equipped with single-level cell NAND flash memory for even greater overall performance and reliability. With powerful Native Command Queuing to enable up to 32 concurrent operations, these Intel SSDs deliver higher Input/Output Operations per Second (IOPS) and throughput performance than other SSDs on the market today - and drastically outperform traditional hard disk drives. These Intel drives also feature low write amplification and a unique wear-leveling design for higher reliability, meaning Intel drives not only perform better - they last longer.

Validated and tested by Intel, on Intel

All Intel® X25-E Extreme SATA Solid-State Drives are tested and validated on the latest Intel-based server and workstation platforms, for your peace of mind.

Intel® Desktop Board DP55SB

2009-12-04T09:35:00.001-08:00

Small is the new big with the Intel® Desktop Board DP55SB, delivering incredible performance in a microATX form factor. Enjoy great over-clocking hardware and software while boasting new features like Bluetooth* technology with support for ATI Crossfire* and NVIDIA SLI* technology for amazing graphics performance.

Features and benefits

Form factor	MicroATX (9.60 inches by 9.60 inches [243.84 millimeters by 243.84 millimeters])
Processor	View supported processors for the most current list of compatible processors. At product launch, this desktop board supports: Intel® Core™ i7-800 processor series in an LGA1156 socket Intel® Core™ i5–700 processor series in an LGA1156 socket
Memory	Four 240-pin DDR3 SDRAM Dual Inline Memory Module (DIMM) sockets Support for DDR3 1600+π¹/1333/1066 MHz DIMMs Support for up to 16 GBπ² of system memory
Chipset	Intel® P55 Express Chipset
Audio	Intel® High Definition Audio◊ subsystem in the following configuration: 10-channel (7.1+ 2 independent multi-streaming) audio subsystem with five analog audio outputs and two optical S/PDIF digital audio for input and output using the Realtek * ALC889 audio codec
Video	Nvidia SLI* and ATI CrossFire* technology support enables two graphics cards to work together for ultimate 3D gaming performance and visual quality
LAN support	Intel® PRO 10/100/1000 Network Connection (82578DC)
Peripheral interfaces	Thirteen USB 2.0 ports (8 external ports, 1 onboard, 2 internal headers) Six Serial ATA 3.0 Gb/s ports including 1 eSATA port Two IEEE-1394a ports (1 external port, 1 internal header) Consumer IR receiver and emitter (via internal headers) Integrated Bluetooth* Technology Module
Expansion capabilities	One primary PCI Express* 2.0 x 16 bus add- in card connector One PCI Express* 2.0 x8 bus add-in card connector, bifurcated from the primary PCI Express 2.0 x16 Two PCI Express* 2.0 x 1 connectors

Related products

Processors	Intel® Core™ i7 Processors Intel® Core™ i5 Processors
Chipset	Intel® P55 Express Chipset

Intel® Desktop Board DP55KG

2009-12-04T09:33:00.000-08:00

Intel® Desktop Board DP55KGenlarge image

Designed by enthusiasts for enthusiasts, the Intel® Desktop Board DP55KG delivers incredible performance. Enjoy great over-clocking hardware and software while boasting new features like Bluetooth* technology. Support for ATI Crossfire* and NVIDIA SLI* technology rounds off the platform with amazing graphics performance.

Features and benefits
Form factor ATX (12.00 inches by 9.60 inches [304.80 millimeters by 243.84 millimeters])
Processor

View supported processors for the most current list of compatible processors.

At product launch, this desktop board supports:

* Intel® Core™ i7-800 processor series in an LGA1156 socket
* Intel® Core™ i5-700 processor series in an LGA1156 socket

Memory

* Four 240-pin DDR3 SDRAM Dual Inline Memory Module (DIMM) sockets
* Support for DDR3 1600+1/1333/1066 MHz DIMMs
* Support for up to 16 GBΣ of system memory

Chipset

* Intel® P55 Express Chipset

Audio

Intel® High Definition Audio◊ subsystem in the following configuration:

* 10-channel (7.1+ 2 independent multi-streaming) audio subsystem with five analog audio outputs and two optical S/PDIF digital audio for input and output using the Realtek * ALC889 audio codec

Video Nvidia SLI* and ATI CrossFire* technology support enables two graphics cards to work together for ultimate 3D gaming performance and visual quality
LAN support Intel® PRO 10/100/1000 Network Connection (82578DC)
Peripheral interfaces

* Thirteen USB 2.0 ports (8 external ports, 1 onboard, 2 internal headers)
* Eight Serial ATA 3.0 Gb/s ports including 2 eSATA ports
* Two IEEE-1394a ports (1 external port, 1 internal header)
* Consumer IR receiver and emitter (via internal headers)
* Integrated Bluetooth Technology Module

Expansion capabilities

* One primary PCI Express* 2.0 x16 bus add-in card connector
* One PCI Express* 2.0 x8 bus add-in card connector, bifurcated from the primary PCI Express 2.0 x16
* One PCI Express* 2.0 x4 connector
* Two PCI Express* 2.0 x1 connectors
* Two PCI Conventional bus connectors

Related products
Processors

* Intel® Core™ i7 processors
* Intel® Core™ i5 processors

Chipset

* Intel® P55 Express Chipset

How to:Configure/Setup Your VPN(server side) on Windows Server 2003 R2

2009-12-04T09:30:00.000-08:00

Hello everyone, in this short article we will learn how to configure VPN on server side. In this sample I will give quick tutorial (based on real experiment) how to configure/setup VPN server on Windows server 2003 R2 and also the business behind it how to make money from your VPN.

First before we start please read the requirements:

1. Computer with Microsoft windows server 2003 R2 operating system
2. 2 LAN card, 1 is OK
3. Static public IP

OK, if you meet all the requirements let’s start to configure it.

1. Start -> Run -> type “services.msc”

Select Routing and Remote Access from the services list, See it’s Properties switch start-up to Automatic then start this service.

ist-vpn-1

2. Start -> Settings -> Control Panel -> Administrative Tools -> Routing and Remote Access.

3. Right click on the computer then select the option Configure and Enable Remote and Routing Access.

4. Follow the Configuration Wizard

* Click Next
* From the configuration list select Custom Configuration and hit Next
* Select VPN Access and NAT and Basic Firewall Option, hit Next
* Click on Finish tab.

4. Configure NAT (Network Address Translation)

* Go to Routing and Remote Access panel
* Expand computer name (Local)
* Expand IP Routing
* Right Click on NAT/Basic Firewall
* Use New Interface to add the network translation.

ist-vpn-2

5. It’s Done, now your VPN server is ready, the last thing is add user to connect to your VPN by Start -> Run -> Type “lusrmgr.msc“

ist-vpn-3

Dude now it’s really done just configure on your client side and you’re connected! Now learn the business behind it, I know not much people are looking for VPN service but if they really need it they will buy it. There is some website out there sell VPN service with high price, said strongvpn.com smallvpn.com you can sell your own VPN and make money from it. Why? Because everything is money (evil laugh) if you know how to managed and optimize it.

How to get started on this business? to low the cost I recommended you to buy VPS or Dedicated Server then configure/setup your VPN, sell it to people! you make money and smile :P If you guys/gals need VPS/Dedicated Server fell free to contact me I sold it *lol stop promote yourself*

What is Web Hosting

2009-12-04T09:28:00.000-08:00

If you want to take part in the internet as a business, information resource, directory, or as a hobbyist wanting to share data, information and knowledge with the many people and communities on the internet, you have to contain this in a central spot on the internet. You have to own a piece of space in cyberspace.

Web hosting empowers you and anyone with a computer and internet connection to own a piece of cyberspace. In your space, you can have news, bulletins, documents, data, files (your web site) and your own post office (mail server) to accept mail, all in the context of you or your business. This is your space and to get this space you either have to own a piece of the physical internet with a network connection to the internet backbone and computer(s) operating as server(s) offering access to your files and post office, for people on the internet to view your web site or send and receive email with you.

The cost of owning a direct connection to the backbone and a server dedicated to a web site and email is out of reach for the average business and especially general members of the internet. Even running a web site and mail server on your own computer when it is connected to the internet requires a lot of technical ability and knowledge. The internet itself has to be your business for either of these options to be viable.

In our modern society, for every person in business or with a career in most industries today, it is imperative to have a place in cyberspace, not just to be competitive but to survive. web hosting companies were born out of this great need to provide an environment for the masses to own a piece of cyberspace, to offer an environment where people could have their piece of cyberspace on the internet 24/7 without the great cost. web hosting companies developed a model where they could split up areas on the servers connected to the backbone and ?rent? this space, cutting the costs across many people sharing the server and backbone connection to the internet.

In a web-hosting environment, you are offered a web site to place your files, data, documents, and bulletins for people to access with their web browser and an email server for you to send and receive email messages. The web host will also provide you a means to get an address for people to get to your web site with a web browser and post email to you.

To obtain space in a web hosting environment you become a member and agree to terms and conditions of renting the space ? just as if you were to rent a house or commercial premises for your business. Once you agree and become a member, you are given an access code, a key, to your piece of cyberspace. This key, in the form of a login and password, allows you to connect to the web hosting server and up-load (transfer to) your web site so it can be accessed on the internet. Your login and password is also used to connect to a mail server to create and administer mailboxes to send and receive email for you, your staff, or family members.

Just like when you rent a house or commercial premises for your business, you have so many rooms, bathrooms, and floor space to use. In a web-hosting environment, your area is defined as disk space and network transfer.

Disk space is measured in Megabytes (MB) or Gigabytes (GB). Megabyte roughly means 1,024,000 characters and Gigabyte roughly means 1,024 Million characters. Imagine a character as one key on your key board. These amounts determine how many files, documents, or data you can have on your web site.

Network Transfer is also measured in Megabytes or gigabytes which determines how much data (how many of your files, documents or data) can be downloaded (transferred to) people accessing your web site. The more people, or the more data each person accesses on your web site the more data is transferred on the network.

The more disk space and network transfer you use the greater percentage of the web-hosting environment you are using ? therefore the higher the rent.

Just as no office building and home is the same, neither is every web-hosting environment. Some offices have stairs, others have lifts, some houses have ensuites, swimming pools, and gardens, ? and others do not. Web-hosting environments are much the same, some offer bare structures to do just the basics and others offer an array of features and facilities to help you do just about everything you could ever need or want. Some of the features and facilities likely to be offered are ranges of software to use, components, databases, and server side script processing.

The similarity of renting an office or home to renting space in a web-hosting environment is even more similar. With some buildings a gardener and/or a guard is available to look after the gardening or provide security. In a web-hosting environment, you have support people to help you do what you need to do on your web site to make it grow and there are server administrators to protect and secure your web-hosting space.

When you rent a building there are key parts needed to work or live in the space, like rooms, offices, kitchens, toilets, and bathrooms. In your web-hosting environment, you will find equally important components that are required to make the space workable. The core components in a web-hosting environment are:

Web Server

The web server is a relatively simple piece of software that accepts requests over HTTP (Hypertext Transfer Protocol) and delivers HTML pages and Image files.

FTP Server

FTP is the means of which a web master can transfer files to and from the server. To put your HTML and image files on a server you will generally use FTP to upload (transfer to) your files to the server running the web server.

Mail Server

The mail server consists of two parts POP (Post Office Protocol) and SMTP (Simple Mail Transfer Protocol). POP is where email is received into your mailbox and SMTP is what is used to send and receive email between mail servers.

Database Server

If you are using server side scripting on your web server (you use something like Microsoft Internet Information Server) then instead of providing ?static? data only on web pages you can provide data from a database allowing your users to search and view the data in different and dynamic way. Also, a Database server is used to gather data from visitors to your site; orders, feedback, discussions and the like.

Each one of the above components are software programs running on servers in the web-hosting environment. You can interact with each of these with special software programs you use on your computer. The main ones being:

Web Browser

When viewing the web you use a web browser like Internet Explorer. Many web hosting companies provide a ?Control Panel? to administer your web host account, which you use with your web browser. Most allow you to configure most aspects of your account using a simple web browser.

Web site/page editor

Today many web servers allow editing of WebPages over HTTP (hypertext transfer protocol) based on Microsoft FrontPage technology. These special editors allow you to essentially look at your web site as if you were using a web browser and edit the pages directly as you see them using WYSWIG (What you see if what you get) technology. Most web hosting environments support this, and if you are starting out, make sure it is available. One tip: make sure the web host providing this really does understand this technology ? it is the main area of which many hacks and security intrusions occur.

FTP Client

This is a very simple piece of software that allows you to view the server folders and files in your web host account as if they were files and folders on your own computer. You can then drag and drop files between you computer and your web host account.

Email Client

If you are on the internet you would already be using an email client to send and receive your email. The most common are Outlook Express, Eudora and Web based mail clients like Hotmail.

Database Administration Client

The most common databases used with web servers are Microsoft SQL Server (available only on Windows) and MySQL (commonly found on Linux and UNIX but also available on Windows). SQL Server comes with it's own administration client where you can view your databases, edit them, backup data and do all the administration functions you need. MySQL has an active online community where there is a range of administration clients available.

Choosing a web host is, again, similar to choosing a house to live in or commercial premises to do business. You need to define what it is you require: how much space you need and what features and facilities you need.

If you have been reading this article because this is new to you, then it is likely at this stage you only need minimal space and basic facilities. Once you have worked with the basic facilities you will learn more and become aware of greater facilities and features and then you can simple move from one web ?hosting environment to another ? paying more or paying less. Moving in cyberspace is much easier, faster, and more seamless than physically moving house or commercial premises.

Initially you may use the web-hosting environment offered by your ISP (internet Service provider), the company you use to connect to the internet. But remember these companies main business is connecting many thousands of people to the internet ? not managing web hosting environments. You will generally find they offer less than basic facilities and minimal space.

If you are just starting out with your first web site the first major choice you will be faced with is ?Unix? or ?Windows?. For a person just starting out on the internet, both are equally capable and will offer the facilities you need to have your place in cyberspace.

If you have a web designer or technical person to help you, you only need to consider how much space you really need. With this simple idea in mind, when you are just starting out, owning your piece of cyberspace will not cost anymore than $8 per month. Many web-hosting companies will offer what you need for as little as $3 per month (usually paid yearly).

If you are going alone and doing it all yourself you may want to consider an account with a web hosting company that offers and prides itself on it's support and customer service, 24/7 support access and the experience, knowledge and skill of it's server administrators. Remember, these are the gardeners and the guards who take care of your environment.

Web hosting is very simple and straightforward an once you obtain your space in cyberspace you will never want to let it go and you can easily move it where you want as a turtle carries it's shell on it's back. Always remember you are not stuck in the first web-hoisting environment you choose.

Web hosting isyour space in cyberspace and it is imperative to have a place in cyberspace in our modern society, just as it is to have an office to do business.

Web hosting service

2009-12-04T09:24:00.000-08:00

web hosting service is a type of Internet hosting service that allows individuals and organizations to make their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own or lease for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation.

Service scope

The scope of hosting services varies widely. The most basic is web page and small-scale file hosting, where files can be uploaded via File Transfer Protocol (FTP) or a Web interface. The files are usually delivered to the Web "as is" or with little processing. Many Internet service providers (ISPs) offer this service free to their subscribers. People can also obtain Web page hosting from other, alternative service providers. Personal web site hosting is typically free, advertisement-sponsored, or cheap. Business web site hosting often has a higher expense.

Single page hosting is generally sufficient only for personal web pages. A complex site calls for a more comprehensive package that provides database support and application development platforms (e.g. PHP, Java, Ruby on Rails, ColdFusion, and ASP.NET). These facilities allow the customers to write or install scripts for applications like forums and content management. For e-commerce, SSL is also highly recommended.

The host may also provide an interface or control panel for managing the Web server and installing scripts as well as other services like e-mail. Some hosts specialize in certain software or services (e.g. e-commerce). They are commonly used by larger companies to outsource network infrastructure to a hosting company.
[edit] Hosting reliability and uptime
Question book-new.svg
This section does not cite any references or sources.
Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. (March 2009)
Multiple racks of servers.

Hosting uptime refers to the percentage of time the host is accessible via the internet. Many providers state that they aim for at least 99.9% uptime (roughly equivalent to 45 minutes of downtime a month, or less), but there may be server restarts and planned (or unplanned) maintenance in any hosting environment, which may or may not be considered part of the official uptime promise.

Many providers tie uptime and accessibility into their own service level agreement (SLA). SLAs sometimes include refunds or reduced costs if performance goals are not met.
[edit] Types of hosting
A typical server "rack," commonly seen in colocation centres.

Internet hosting services can run Web servers; see Internet hosting services.

Hosting services limited to the Web:

Many large companies who are not internet service providers also need a computer permanently connected to the web so they can send email, files, etc. to other sites. They may also use the computer as a website host so they can provide details of their goods and services to anyone interested. Additionally these people may decide to place online orders.

* Free web hosting service: Free web hosting is offered by different companies with limited services, sometimes advertisement-supported web hosting, and is often limited when compared to paid hosting.
* Shared web hosting service: one's website is placed on the same server as many other sites, ranging from a few to hundreds or thousands. Typically, all domains may share a common pool of server resources, such as RAM and the CPU. The features available with this type of service can be quite extensive. A shared website may be hosted with a reseller.
* Reseller web hosting: allows clients to become web hosts themselves. Resellers could function, for individual domains, under any combination of these listed types of hosting, depending on who they are affiliated with as a provider. Resellers' accounts may vary tremendously in size: they may have their own virtual dedicated server to a collocated server. Many resellers provide a nearly identical service to their provider's shared hosting plan and provide the technical support themselves.
* Virtual Dedicated Server: also known as a Virtual Private Server (VPS for short) divides server resources into virtual servers, where resources can be allocated in a way that does not directly reflect the underlying hardware. VPS will often be allocated resources based on a one server to many VPSs relationship, however virtualisation may be done for a number of reasons, including the ability to move a VPS container between servers. The users may have root access to their own virtual space. This is also known as a virtual private server or VPS. Customers are sometimes responsible for patching and maintaining the server.
* Dedicated hosting service: the user gets his or her own Web server and gains full control over it (root access for Linux/administrator access for Windows); however, the user typically does not own the server. Another type of Dedicated hosting is Self-Managed or Unmanaged. This is usually the least expensive for Dedicated plans. The user has full administrative access to the box, which means the client is responsible for the security and maintenance of his own dedicated box.
* Managed hosting service: the user gets his or her own Web server but is not allowed full control over it (root access for Linux/administrator access for Windows); however, they are allowed to manage their data via FTP or other remote management tools. The user is disallowed full control so that the provider can guarantee quality of service by not allowing the user to modify the server or potentially create configuration problems. The user typically does not own the server. The server is leased to the client.
* Colocation web hosting service: similar to the dedicated web hosting service, but the user owns the colo server; the hosting company provides physical space that the server takes up and takes care of the server. This is the most powerful and expensive type of the web hosting service. In most cases, the colocation provider may provide little to no support directly for their client's machine, providing only the electrical, Internet access, and storage facilities for the server. In most cases for colo, the client would have his own administrator visit the data center on site to do any hardware upgrades or changes.
* Cloud hosting: is a new type of hosting platform that allows customers powerful, scalable and reliable hosting based on clustered load-balanced servers and utility billing. Removing single-point of failures and allowing customers to pay for only what they use versus what they could use.
* Clustered hosting: having multiple servers hosting the same content for better resource utilization. Clustered Servers are a perfect solution for high-availability dedicated hosting, or creating a scalable web hosting solution. A cluster may separate web serving from database hosting capability.
* Grid hosting: this form of distributed hosting is when a server cluster acts like a grid and is composed of multiple nodes.
* Home server: usually a single machine placed in a private residence can be used to host one or more web sites from a usually consumer-grade broadband connection. These can be purpose-built machines or more commonly old PCs. Some ISPs actively attempt to block home servers by disallowing incoming requests to TCP port 80 of the user's connection and by refusing to provide static IP addresses. A common way to attain a reliable DNS hostname is by creating an account with a dynamic DNS service. A dynamic DNS service will automatically change the IP address that a URL points to when the IP address changes.

Some specific types of hosting provided by web host service providers:

Obtaining hosting

Web hosting is often provided as part of a general Internet access plan; there are many free and paid providers offering these services.

A customer needs to evaluate the requirements of the application to choose what kind of hosting to use. Such considerations include database server software, scripting software, and operating system. Most hosting providers provide Linux-based web hosting which offers a wide range of different software. A typical configuration for a Linux server is the LAMP platform: Linux, Apache, MySQL, and PHP/Perl/Python. The webhosting client may want to have other services, such as email for their business domain, databases or multi-media services for streaming media. A customer may also choose Windows as the hosting platform. The customer still can choose from PHP, Perl, and Python but may also use ASP .Net or Classic ASP.

Web hosting packages often include a Web Content Management System, so the end-user doesn't have to worry about the more technical aspects. These Web Content Management systems are great for the average user, but for those who want more control over their website design, this feature may not be adequate. You can always use any content management system on your servers and modify them at your will. A few good examples include wordpress, Joomla, Drupal and mediawiki.

One may also search the Internet to find active webhosting message boards and forums that may provide feedback on what type of webhosting company may suit his/her needs.

Domain Name Server (DNS) Configuration and Administration

2009-12-04T09:23:00.000-08:00

At my place of employment, we are using Linux as a DNS server. It performs exceptionally well. This section will address configuration of DNS tables for these services using the BIND 8.x package which comes standard with the Red Hat distribution.

Note: Note: Red Hat versions 5.1 and earlier used the BIND 4.x package, which used a slightly different format for its configuration file. BIND 8.x offers more functionality over that offered by BIND 4.x, and as 4.x is no longer being developed, you should probably consider upgrading your BIND package to the latest version. Simply install the BIND RPM package (see Section 10.1 for details on using the RPM utility), then convert your configuration file to the new format.

Fortunately, converting your existing BIND 4.x configuration file to be compliant with BIND 8.x is easy! In the documentation directory provided as part of BIND (for example, ``/usr/doc/bind-8.1.2/'' for BIND version 8.1.2), there exists a file called ``named-bootconf.pl'', which is an executable Perl program. Assuming you have Perl installed on your system, you can use this program to convert your configuration file. To do so, type the following commands (as root):

cd /usr/doc/bind-8.1.2
./named-bootconf.pl < /etc/named.boot > /etc/named.conf
mv /etc/named.boot /etc/named.boot-obsolete

You should now have an ``/etc/named.conf'' file which should work with BIND 8.x "out-of-the-box". Your existing DNS tables will work as-is with the new version of BIND, as the format of the tables remains the same.

Configuration of DNS services under Linux involves the following steps:

1.

To enable DNS services, the ``/etc/host.conf'' file should look like this:

# Lookup names via /etc/hosts first, then by DNS query
order hosts, bind
# We don't have machines with multiple addresses
multi on
# Check for IP address spoofing
nospoof on
# Warn us if someone attempts to spoof
alert on

The extra spoof detection adds a bit of a performance hit to DNS lookups (although negligible), so if you're not too worried about this you may wish to disable the "nospool" and "alert" entries.
2.

Configure the ``/etc/hosts'' file as needed. Typically there doesn't need to be much in here, but for improved performance you can add any hosts you access often (such as local servers) to avoid performing DNS lookups on them.
3.

The ``/etc/named.conf'' file should be configured to point to your DNS tables according to the example below.

Note: (Note: IP addresses shown are examples only and must be replaced with your own class addresses!):

options {
// DNS tables are located in the /var/named directory
directory "/var/named";

// Forward any unresolved requests to our ISP's name server
// (this is an example IP address only -- do not use!)
forwarders {
123.12.40.17;
};

/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};

// Enable caching and load root server info
zone "named.root" {
type hint;
file "";
};

// All our DNS information is stored in /var/named/mydomain_name.db
// (eg. if mydomain.name = foobar.com then use foobar_com.db)
zone "mydomain.name" {
type master;
file "mydomain_name.db";
allow-transfer { 123.12.41.40; };
};

// Reverse lookups for 123.12.41.*, .42.*, .43.*, .44.* class C's
// (these are example Class C's only -- do not use!)
zone "12.123.IN-ADDR.ARPA" {
type master;
file "123_12.rev";
allow-transfer { 123.12.41.40; };
};

// Reverse lookups for 126.27.18.*, .19.*, .20.* class C's
// (these are example Class C's only -- do not use!)
zone "27.126.IN-ADDR.ARPA" {
type master;
file "126_27.rev";
allow-transfer { 123.12.41.40; };
};

Tip: Tip: Make note of the allow-transfer options above, which restricts DNS zone transfers to a given IP address. In our example, we are allowing the host at 123.12.41.40 (probably a slave DNS server in our domain) to request zone transfers. If you omit this option, anyone on the Internet will be able to request such transfers. As the information provided is often used by spammers and IP spoofers, I strongly recommend you restrict zone transfers except to your slave DNS server(s), or use the loopback address, ``127.0.0.1'' instead.

4.

Now you can set up your DNS tables in the ``var/named/'' directory as configured in the ``/etc/named.conf'' file in step three. Configuring DNS database files for the first time is a major undertaking, and is beyond the scope of this document. There are several guides, online and in printed form that should be referred to. However, several examples are provided below.

Sample entries in the ``/var/named/mydomain_name.db'' forward lookup file:

; This is the Start of Authority (SOA) record. Contains contact
; & other information about the name server. The serial number
; must be changed whenever the file is updated (to inform secondary
; servers that zone information has changed).
@ IN SOA mydomain.name. postmaster.mydomain.name. (
19990811 ; Serial number
3600 ; 1 hour refresh
300 ; 5 minutes retry
172800 ; 2 days expiry
43200 ) ; 12 hours minimum

; List the name servers in use. Unresolved (entries in other zones)
; will go to our ISP's name server isp.domain.name.com
IN NS mydomain.name.
IN NS isp.domain.name.com.

; This is the mail-exchanger. You can list more than one (if
; applicable), with the integer field indicating priority (lowest
; being a higher priority)
IN MX mail.mydomain.name.

; Provides optional information on the machine type & operating system
; used for the server
IN HINFO Pentium/350 LINUX

; A list of machine names & addresses
spock.mydomain.name. IN A 123.12.41.40 ; OpenVMS Alpha
mail.mydomain.name. IN A 123.12.41.41 ; Linux (main server)
kirk.mydomain.name. IN A 123.12.41.42 ; Windows NT (blech!)

; Including any in our other class C's
twixel.mydomain.name. IN A 126.27.18.161 ; Linux test machine
foxone.mydomain.name. IN A 126.27.18.162 ; Linux devel. kernel

; Alias (canonical) names
gopher IN CNAME mail.mydomain.name.
ftp IN CNAME mail.mydomain.name.
www IN CNAME mail.mydomain.name.

Sample entries in the ``/var/named/123_12.rev'' reverse lookup file:

; This is the Start of Authority record. Same as in forward lookup table.
@ IN SOA mydomain.name. postmaster.mydomain.name. (
19990811 ; Serial number
3600 ; 1 hour refresh
300 ; 5 minutes retry
172800 ; 2 days expiry
43200 ) ; 12 hours minimum

; Name servers listed as in forward lookup table
IN NS mail.mydomain.name.
IN NS isp.domain.name.com.

; A list of machine names & addresses, in reverse. We are mapping
; more than one class C here, so we need to list the class B portion
; as well.
40.41 IN PTR spock.mydomain.name.
41.41 IN PTR mail.mydomain.name.
42.41 IN PTR kirk.mydomain.name.

; As you can see, we can map our other class C's as long as they are
; under the 123.12.* class B addresses
24.42 IN PTR tsingtao.mydomain.name.
250.42 IN PTR redstripe.mydomain.name.
24.43 IN PTR kirin.mydomain.name.
66.44 IN PTR sapporo.mydomain.name.

; No alias (canonical) names should be listed in the reverse lookup
; file (for obvious reasons).

Any other reverse lookup files needed to map addresses in a different class B (such as 126.27.*) can be created, and would look much the same as the example reverse lookup file above.
5.

Make sure the named daemon is running. This daemon is usually started from the ``/etc/rc.d/init.d/named'' file upon system boot. You can also start and stop the daemon manually; type ``named start'' and ``named stop'', respectively.
6.

Whenever changes are made to the DNS tables, the DNS server should be restarted by typing ``/etc/rc.d/init.d/named restart''. You may then wish to test your changes by using a tool such as "nslookup" to query the machine you have added or changed.

Server and Domain Isolation

2009-12-04T09:21:00.000-08:00

Server and Domain Isolation

With the explosive growth and adoption of pervasive, highly-connected networks, administrators are faced with a potentially paradoxical situation: to provide greater accessibility while maintaining security. Even though more ubiquitous connectivity can yield numerous business benefits—like productivity gains and operational cost savings—it has the potential to introduce new risks to the organization’s networked infrastructure. This can include costly virus attacks, rogue users and devices, and unauthorized access to sensitive information.

A Server and Domain Isolation solution based on Microsoft Windows Internet Protocol security (IPsec) and the Active Directory directory service enables administrators to dynamically segment their Windows environment into more secure and isolated logical networks based on policy and without costly changes to their network infrastructure or applications. This creates an additional layer of policy-driven protection, and helps better protect against costly network attacks, helps prevent unauthorized access to trusted networked resources, achieve regulatory compliance, and reduce operational costs.

Server and Domain Isolation

Figure 1: Server and Domain Isolation
View full-size image
Overview Resources

* Introduction to Server and Domain Isolation
This document describes how using Server and Domain Isolation can provide additional security for network traffic and resources; decrease your exposure to network attacks based on viruses, worms, and malicious users; and adhere to requirements to secure and encrypt data traffic.
* Server and Domain Isolation Datasheet
Learn more about how Server and Domain Isolation can help you reduce the risk of network-based threats and safeguard sensitive data, all while maximizing your existing information technology (IT) investments.
* Server Isolation with Microsoft Windows Explained
This white paper provides a detailed overview of server isolation. It explains how server isolation protects isolated servers and the benefits of deploying server isolation. It also provides a brief overview of how to deploy server isolation .
* Domain Isolation with Microsoft Windows Explained
This white paper provides a detailed overview of domain isolation. It explains how domain isolation protects domain member computers and the benefits of deploying domain isolation. It also provides a brief overview of how to deploy domain isolation.
* TechNet Webcast: Protecting Critical Systems and Data with Server and Domain Isolation
This webcast details how Server and Domain Isolation can be leveraged by customers using Windows XP, Windows Server 2003, or Windows 2000. This webcast also explains the roadmap for future uses of IPsec, including its use as an enforcement method for Network Access Protection.

Demos and Solution Evaluation Resources

* Server and Domain Isolation Demo
Get hands-on experience with Server and Domain Isolation for Windows XP and Windows Server 2003, and learn how this cost-effective end-point authentication solution can help you reduce the risk of network-based threats and safeguard sensitive data.

Case Studies

* Major Japanese Municipal Principal Government Achieves Security Compliance at Nil Cost
Learn more about how the City of Sapporo, Japan, with 12,000 users working in almost 870 departments, implemented Server and Domain Isolation for cost-effective end-point authentication. The solution has improved information security and reduced the risk of unauthorized access to confidential data on the organization’s Intranet.
* Improving Security with Domain Isolation: Microsoft IT Implements IPsec
This article describes how Microsoft IT is using IPsec to deploy Domain Isolation on the Microsoft global enterprise network.

Deployment Resources

* Step-by-Step Guide to Deploying Policies for Windows Firewall with Advanced Security
This step-by-step guide illustrates how to deploy Active Directory Group Policy objects (GPOs) to configure Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008. You get hands-on experience in a lab environment using Group Policy Management tools to create and edit GPOs that implement typical firewall settings. You also configure GPOs to implement common server and domain isolation scenarios.
* Server and Domain Isolation Using IPsec and Group Policy
This Microsoft Solutions guide describes how to deploy server isolation to ensure that a server accepts network connections only from trusted domain members or a specific group of domain members, and domain isolation to isolate domain members from untrusted connections.
* Simple Policy Update for Windows Server 2003 and Windows XP
This update for Windows Server 2003 and Windows XP helps simplify the creation and maintenance of IP filters in IPsec policy, reducing the number of filters that are required for a Server and Domain Isolation deployment. The Simple Policy update removes the requirement for explicit network infrastructure permit filters and introduces enhanced fallback to clear behavior.
* Simplifying IPsec Policy with the Simple Policy Update
This article describes how the Simple Policy Update for Windows Server 2003 and Windows XP helps simplify policy creation and maintenance for Server and Domain Isolation deployments.
* Domain Isolation Planning Guide for IT Managers
This white paper includes an overview of the deployment process, a step-by-step guide to the planning process, and links to resources that you can use to plan and design your deployment. It does not explain how to deploy domain isolation.
* A Guide to Domain Isolation for Security Architects
This white paper describes the implications of deploying domain isolation in an enterprise environment and explains how to assess the enterprise environment and plan domain isolation.
* Setting up IPsec Server and Domain Isolation in a Test Lab
This white paper demonstrates how to set up IPsec Server and Domain Isolation in a limited test environment. It provides procedures for setting up a basic deployment, which you can use as the basis for your own deployment.
* Interoperability Considerations for IPsec Server and Domain Isolation
This white paper describes interoperability between IPsec-protected hosts running Windows Server 2003, Windows XP with Service Pack 2 (SP2), and Windows 2000 Server with Service Pack 4 (SP4) in a Server or Domain Isolation scenario and hosts that cannot use IPsec, including computers running earlier versions of Windows or non-Microsoft operating systems.
* Managing Intra-Windows Compatibility for IPsec
This white paper includes information about managing IPsec compatibility among the IPsec-capable Windows operating systems.
* How to Isolate Servers using Internet Protocol Security
This TechNet Support webcast describes how to use IPsec to isolate and help protect Microsoft Windows servers in an Active Directory environment.

Domain Name Service DNS Setup & Configuration in Unix

2009-12-04T09:20:00.000-08:00

1.0 Introduction

s . Domain name system is a hierarchical system where we have a top level domain serving sub domain and clients with names & ip address.

The system that runs the name services to resolve names into ipaddresses is called name server and the sofware is generally BIND (Berkley Internet Domain) .

Core process of DNS is a daemon called named . Depending on the role assigned the name servers can be a primary, secondry or caching only. Secondry server takes over when primary is down and is updated automatically . Caching server provide only the caching information to the clients

Each of domain or sub domain have information (in zone files or data files) about its clients and is called authorative for these clients . For other clients for which it doesn't have any information or it is not authorative , it passes query to its higher domain .

The client knows about their name servers through a file called resolve.conf which contains addresses of the name servers (Primary secondary and Caching) along with their domain name.

The main files in serve are named.conf which contains server parameters and reference to other data files containing client information.

2.0 Requirements :

1) BIND (Berkely Internet Domain) software . Source code can be downloaded and compiled for your platform from internet at www.isc.org However BIND may be available in precompiled version along with OS so check your OS if it is already there . The situation you may want to compile from source code is that you want to cutomize it differently by giving different configuration options at compiling time

2) Root cache file from internic at ftp://internic.com/pub/root

3) C Compiler to compile the bind source distribution .

3.0 Installation and configuration

Download the BIND software from from www.isc.org if you want to build it from source code.
Make a directory to store and compile dns disyribution source say /usr/dns/src
Unzip the distribution using gzip command

#gzip -d bind-9.2.5.tar.gz
unpack using tar
#tar xvf bind-9.2.5.tar
compilation require a c compiler if you don't have one you can download from gnu site (www.gnu.org).
#./configure
#make
#make install
make install will ultimately place named , configuration file named.conf and related commands in /etc and /usr/local/bin directory .

4.0 named.conf file
This is the main configuration file in BIND which defines the name servers and zones with the name and ip address of the hosts.

The named.conf has a number of options for starting the name server which can be configured as per requirement .A list of complete options can be seen using man named command.

By default you will find zone files for local host by the name localhost and 127.0.0.in-addr.arpa . For additional zones you need to create the the files and put a reference in named.conf .

Below is a basic functional named.conf file which is installed after the BIND 8..2.P5 is installed This can be used for starting name server , all you need to do is to put your hosts entries in the zone files referenced here .You will find explanation of terms used in this configuration file after this listing of named.conf.

// This is a configuration file for named (from BIND 8.1 or later).
// It would normally be installed as /etc/named.conf.

options { directory "/var/named";
check-names master warn; /* default. */
datasize 20M;
deallocate-on-exit yes;
listen-on {10.20.30.100;
};
forward first;
};
zone "localhost" IN {
type master;
file "/var/named/localhost.zone";
check-names fail;
allow-update { none; };
allow-transfer { any; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "/var/named/127.0.0.zone";
check-names fail;
allow-update { none; };
allow-transfer { any; };
};
zone "." IN {
type hint;
file "/var/named/root.hint";
};
logging {
channel xfer-log {
file "/var/tmp/bind-xfer.log" versions unlimited size 10m;
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; }

category load { xfer-log; };
};
zone "30.20.10.in-addr.arpa" IN {
type master;
file "/var/named/100.30.20.10.zone";
check-names fail;
allow-update { none; };
allow-transfer { any; };
};
zone "mydomain.com" {
type master;
file "/var/named/mydomain.com.hosts";
};

Explanation of the terms used in named.conf above

4.1 options statement
The options lists working directory for the named - the name server daemon to read the configurations files and port to listen on (default is port 53) .

{ directory "/var/named";

This directive defines the working dir of the name server where main configuration file named.conf will be located

check-names master warn; /* default. */

The ``check-names'' directive tells BIND to check names in master zone and give a warning in system's log files if there is any discrepancy. Names are considered good if they match RFC 952's expectations (if they are host names), or if they consist only of printable ASCII characters (if they are not host names).

Other options are fail and ignore in that case bind will follow these directives

datasize 20M;

datasize The maximum amount of data memory the server may
use. The default is system dependent.

deallocate-on-exit yes;

deallocate the memory on exit otherwise it will be left to os to clear the memory.

listen-on {10.20.30.100};

Host address and port for listening ; if port is not mentioned it is default 53.

forward first

Forwarding
Forwarding is can be used for two main scenario
1. Creating a large site wide cache on different servers thereby using less network bandwidth.
2. For servers which do not have a direct access to the internet but have to lookup for the external names.
Forwarding occurs only for names for which the server is not authoritative, and it does not have the answer in its cache.
forward
This option specify where to query the name first - 'first' directive will cause query to send to forwarder first and check itself if it fails .'Only' - directive will query the forwarders only .
forwarders
Specifies the IP addresses to be used for forwarding. The default is no forwarding .

4.2 Zones statements

zone "localhost" IN {
type master;
file "/var/named/localhost.zone";
check-names fail;
allow-update { none; };
allow-transfer { any; };
};

Zone statement declares a zone name , its type - master , slave or stub , files containing the zone data .and options relating to zone - update , checking , transfer etc.

localhost and 0.0.127.in-addr.arpa are default for the localhost and points to file of this name

Zone types

There are three types of zone .

master : This is the master copy of the data in a zone.
slave - This is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone. If file is specified, then the replica will be written to the file. Use of file is recommended, since it often speeds server startup and
eliminates a needless waste of bandwidth.
stub - A stub zone is like a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone.
hint - The initial set of root name servers is specified using a hint zone. When the server starts up, it
uses the root hints to find a root name server and get the most recent list of root name servers.

previous releases of BIND used the term primary for a master zone, secondary for a slave
zone, and cache for a hint zone.

Zone Directives

allow-update
Specifies which hosts are allowed to submit dynamic DNS updates to the server. The default is to deny updates from all hosts.
allow-transfer
Specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zone section, in which case it overrides the options allow-transfer statement. If not specified, the default is to allow transfers from all hosts.
zone "." refers to the root file for the domains - and contains references to the root servers at network solutions to resolve the names which are beyond the current domain . you can download the root cache file from ftp://internic.com/pub/root

4.3 Logging statement

logging {
channel xfer-log {
file "/var/tmp/bind-xfer.log" versions unlimited size 10m;
print-category yes;
print-severity yes;
print-time yes;
severity info;
};

The logging statement specifies logging channel/s which logs various categories of messages . In statement above a channel xfer-log - a user defined name , is defined. Each time name server is started it starts writing to the defined log file , size limits the maximum size of log file and once the limit is reached it stops writing the file. Each individual start or restart of named causes a new version of log file to be created. Version statement defines how many versions are allowed for the log file , unlimited option will allow any number of version,

Only one logging statement is used to define as many channels and categories as are wanted. If there are multiple logging statements in a configuration, the first definition determines the logging and warnings are issued for the other logging statements .

If there is no logging statement, the default logging configuration is used which is

logging {
category default { default syslog; default_debug;};
category panic { default syslog; default_stderr;};
category packet { default_debug;};
category eventlib { default_debug;};
};

The default debug file is named.run .

Channel Phrase

All log output goes to one or more "channels"; you can make as many of them as you want. Every channel definition must include a clause that says whether messages selected for the channel go to a file, to a particular syslog facility, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (default is "info"), and whether to include a named-generated time stamp, the category name and/or severity level (default is not to include any).

The word null as the destination option for the channel will cause all messages sent to it to be discarded; other options for the channel are meaningless.

The file clause defines size and versions of the file which will be saved each time the file is opened. if the file ever exceeds the size, then named will just not write anything more to it . The default behavior is to not limit the size of the file.

As per selection the log messages will either go to syslog() or a file and severity level determines which type of messages goes there . Default severity level is info. and it can be critical , error , debug and dynamic.

Note that only syslog messages can go to syslog .

Print-time , print-category - logs the time & category of the messages . The print- options can be used in any combination but will always be printed in the following order: time, category, severity.

category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; }

These directives put diffrent categories of log messages in to xfer-log channel

Category option mentions the category of the log and file name for logging

logging {
channel xfer-log {
file "/var/tmp/bind-xfer.log" versions unlimited size 10m;
print-category yes;
print-severity yes;
print-time yes;
severity info;
};

this defines a channel called xfer-log with various options.

these categories directs various types of logs into the channel

5.0 ZONE files

Zone files are used to define the name and ip addresses of the hosts in a domain .Generally two zone files are defined for a particular zone - one file maps the the name to the ipaddress of the host machines and other is used for reverse lookup i.e. ipaddress to name .address .

Each master zone file should begin with an SOA (Start of Authority) record for
the zone. The SOA specifies a serial number, which should be changed
each time the master file is changed. it is 32 bit size field . Slave servers check the serial no. at refresh time and if the detect changed serial no in master zone transfer is carried out to keep its zone files updated.

If a master server cannot be contacted within the interval given by the expire time, all data from the zone is discarded by slave servers.
The minimum value is the time-to-live (``TTL'') used by records in the file with no explicit time-to-live value.

The details of all type of records used in a zone file are given below

Type of records
SOA marks the start of a zone of authority (domain of originating host, domain address of maintainer, a serial number and the following parameters in seconds: refresh, retry, expire and minimum TTL. (see RFC 883)).
NULL a null resource record (no format or data)
RP a Responsible Person for some domain name
PTR a domain name pointer (domain)
HINFO host information (cpu_type OS_type)
A a host address (dotted quad)
NS an authoritative name server (domain)
MX a mail exchanger (domain), preceded by a preference value (0..32767), with lower numeric values representing higher logical preferences.
CNAME the canonical name for an alias (domain)

Following are the three functional zone files representing local host and a master zone.

The explanation of the terms are at the end.

/var/named/localhost

localhost. 1D IN SOA localhost.mydomainr.com. hostmaster.mydomain.com. (
42 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
localhost. NS dns
localhost. A 127.0.0.1

/var/named/ 0.0.127.in-addr.arpa

0.0.127.in-addr.arpa IN SOA localhost. root.localhost. (
42 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

0.0.127.in-addr.arpa IN NS dns.mydomain.com
1.0.0.127.in-addr.arpa. PTR localhost

/var/named/mydomain.com

mydomain.com. IN SOA dns.mydomain.com hostmaster.dns. (
200010016 ;serial
10800
3600
3600
86400 )
mydomain.com. 1D IN NS dns.mydomain.com.
IN MX 20 mx1.domaingateway.net.
IN MX 10 mail-in.mydomain.com.

;mydomain hosts below
www IN CNAME mydomain.com.
localhost IN A 127.0.0.1
mail IN A xxx.xxx.xxx.xxx
ns1 IN A xxx.xxx.xxx.xxx
dns IN A xxx.xxx.xxx.xxx
news IN A xxx.xxx.xxx.xxx

root cache file

localhost. NS dns

this is declaration of the type of localhost it declares that local host is a name server with hostname dns

localhost. A 127.0.0.1

this declares the address of local host.

0.0.127.in-addr.arpa IN NS dns.mydomain.com
1.0.0.127.in-addr.arpa. PTR localhost

Similarly in reverse zone map file reverse address is declared as ns record of name dns and a pointer record ptr , points this rev address to the localhost.

Resource records normally end at the end of a line, but may be continued across lines between opening and closing parentheses. Comments are introduced by semicolons and continue to the end of the line.Note that there are other resource record types, not shown where. You should consult the BIND Operations Guide (BOG') for the complete list. Some resource record types may have been standardized in newer RFC's but not yet implemented in this version of BIND.

6.0 Client Configuration

Each client need a configuration file /etc/resolv.conf which informs it about the domain name server . This is a editable text file with following entries :

domainname yourdomainname.com
nameserver 10.20.30.40
nameserver 10.20.30.41

7.0 Signals

The following signals have the specified effect when sent to the server process named using the kill command.

SIGHUP
Causes server to read named.boot and reload the database. If the server is built with the FORCED_RELOAD compile-time option, then SIGHUP will
also cause the server to check the serial number on
all secondary zones. Normally the serial numbers
are only checked at the SOA-specified intervals.
SIGINT :
Dumps the current data base and cache to
/var/named/named_dump.db
SIGIOT :
Dumps statistics data into /var/named/named.stats .if the server is compiled with -DSTATS. Statistics data is appended to the file. Some systems use SIGABRT rather than SIGIOT for this.
SIGSYS :
Dumps the profiling data in /var/named if the
server is compiled with profiling (server forks, chdirs and exits).
SIGTERM:
Dumps the primary and secondary database files.
Used to save modified data on shutdown if the
server is compiled with dynamic updating enabled.
SIGUSR1:
Turns on debugging; each SIGUSR1 increments debug level. (SIGEMT on older systems without SIGUSR1)
SIGUSR2:
Turns off debugging completely. (SIGFPE on older
systems without SIGUSR2)
SIGWINCH
Toggles logging of all incoming queries via sys-
log(8) (requires server to have been built with the
QRYLOG option)

8.0 Next Steps

This article tried to cover a domain name server setup process . DNS subject is very vast and not everything can be covered in a article . If you wish to learn more about DNS there are some good books available for online buying from Amazon.com . You should have following two books in your bookself if you are going to setup and maintain the DNS servers under unix environment.

Linux Internet Web Server and Domain Configuration Tutorial

2009-12-04T09:18:00.000-08:00

Prerequisites:

This tutorial assumes that a computer has Linux installed and running. See RedHat Installation for the basics. A connection to the internet is also assumed. A connection of 128 Mbits/sec or greater will yield the best results. ISDN, DSL, cable modem or better are all suitable. A 56k modem will work but the results will be mediocre at best. The tasks must also be performed with the root user login and password.

Software Prerequisites: The Apache web server (httpd), FTP (requires xinetd or inetd) and Bind (named) software packages with their dependencies are all required. One can use the rpm command to verify installation:

Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:
```
   rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd
```
RPMs added FC2+: system-config-httpd
RPMs added FC3+: httpd-suexec
Red Hat 9.0
```
   rpm -q httpd bind xinetd vsftpd
```
A Red Hat 8.0 wu-ftpd RPM may be installed (Newer version 2.6.2 or later with security fix wu-ftpd-2.6.2-11+) or install from source.
Red Hat 8.0
```
   rpm -q httpd bind xinetd wu-ftpd
```
Red Hat 7.x:
```
   rpm -q apache bind inetd wu-ftpd
```
Use wu-ftpd version 2.6.2 or later to avoid security problems.
SuSE 9.3:
```
   rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils vsftpd
```
Note: The apache2-MPM is a generic term for Apache installation options for "Multi-Processing Modules (MPM)s "prefork" or "worker". If you try and only install apache2 you will get the following error:
```
   apache2-MPM is needed by apache2-2.0.53-9
```
Also see Apache.org: MPMs

Ubuntu (dapper 6.06/hardy 8.04) / Debian:

   apt-get install apache2

  apt-get install apache2-common

  apt-get install apache2-mpm-prefork

  apt-get install apache2-utils

  apt-get install bind9

  apt-get install vsftpd

One should also have a working knowledge of the Linux init process so that these services are initiated upon system boot. See the YoLinux init process tutorial for more info.

Apache HTTP Web server configuration:

This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0). See the YoLinux list of Linux HTTP servers for a list of other web servers for the Hyper Text Transport Protocol.

The Apache configuration file is: /etc/httpd/conf/httpd.conf

Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:

Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5, CentOS 4/5: /var/www/html/
Red Hat 6.x and older: /home/httpd/html/
Suse 9.x: /srv/www/htdocs/
Ubuntu (dapper 6.06/hardy 8.04) / Debian: /var/www/html

The default home page for the default configuration is index.html. Note the pages should not be owned by user apache as this is the process owner of the httpd web server daemon. If the web server process is comprimised, it should not be allowed to alter the files. The files should of course be readable by user apache.

Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for multiple domains. Serving for multiple domains may be achieved in two ways:

Virtual hosts: One IP address but multiple domains - "Name based" virtual hosting.
Multiple IP based virtual hosts: One IP address for each domain - "IP based" virtual hosting.

The default configuration will allow one to have multiple user accounts under one domain by using a reference to the user account: http://www.domain.com/~user1/. If no domain is registered or configured, the IP address may also be used: http://XXX.XXX.XXX.XXX/~user1/.

[Potential Pitfall] The default umask for directory creation is correct by default but if not use: chmod 755 /home/user1/public_html

[Potential Pitfall] When creating new "Directory" configuration directives, I found that placing them by the existing "Directory" directives to be a bad idea. It would not use the .htaccess file. This was because the statement defining the use of the .htaccess file was after the "Directory" statement. Previously in RH 6.x the files were separated and the order was defined a little different. I now place new "Directory" statements near the end of the file just before the "VirtualHost" statements.

For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.

Files used by Apache:

Start/stop/restart script:
- Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
- SuSE 9.3: /etc/init.d/apache2
- Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/init.d/apache2
Apache main configuration file:
- Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
- SuSE: /etc/apache2/httpd.conf
  (Need to add directive: ServerName host-name)
- Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/apache2/apache2.conf
Apache suplementary configuration files:
- Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
- SuSE: /etc/apache2/conf.d/component.conf
- Ubuntu (dapper 6.06/hardy 8.04) / Debian:
  - Virtual domains: /etc/apache2/sites-enabled/domain
    (Create soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on. Use command a2ensite)
  - Additional configuration directives: /etc/apache2/conf.d/
  - Modules to load: /etc/apache2/mods-available/
    (Soft link to /etc/apache2/mods-enabled/ to turn on)
  - Ports to listen to: /etc/apache2/ports.conf
/var/log/httpd/access_log and error_log - Red Hat/Fedora Core Apache log files
(Suse: /var/log/apache2/)

Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or status.
i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read the configuration files to pick up any changes. To have this script invoked upon system boot issue the command chkconfig --add httpd. See Linux Init Process Tutorial for a more complete discussion.

Also Apache control tool: /usr/sbin/apachectl start

Apache Control Command: apachectl:

Red Hat / Fedora Core / CentOS: apachectl directive
Ubuntu dapper 6.06 / hardy 8.04 / Debian: apache2ctl directive

Directive	Description
start	Start the Apache httpd daemon. Gives an error if it is already running.
stop	Stops the Apache httpd daemon.
graceful	Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted.
restart	Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn't die.
status	Displays a brief status report.
fullstatus	Displays a full status report from mod_status. Requires mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
configtest -t	Run a configuration file syntax test.

Apache Configuration Files:

/etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file. See Apache online documentation for the full manual.
/etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache start-up. Used to store application specific configurations.
/etc/sysconfig/httpd: Holds environment variables used when starting Apache.

Basic settings: Change the default value for ServerName www.<your-domain.com>

Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those directories necessary. This is done with the directory statement. Start by denying access to everything, then grant access to the necessary directories.

Deny access completely to file system root ("/") as the default:

Deny first, then grant permissions:

  



  Options None

  AllowOverride None

Set default location of system web pages and allow access: (Red Hat/Fedora/CentOS)

  

DocumentRoot "/var/www/html"





  Options Indexes FollowSymLinks

  AllowOverride None

  Order allow,deny

  Allow from all

Grant access to a user's web directory: public_html

Enabling Red Hat / Fedora Linux, Apache public_html user directory access:

This will allow users to serve content from their home directories under the subdirectory "/home/userid/public_html/" by accessing the URL http://hostname/~userid/

File: /etc/httpd/conf/httpd.conf

LoadModule userdir_module modules/mod_userdir.so



...

...





   #UserDir disable             - Add comment to this line

   #

   # To enable requests to /~user/ to serve the user's public_html

   # directory, remove the "UserDir disable" line above, and uncomment

   # the following line instead:

   UserDir public_html          # Uncomment this line





...

...





   AllowOverride FileInfo AuthConfig Limit

   Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

   

       Order allow,deny

       Allow from all

   

   

       Order deny,allow

       Deny from all

Change to a comment (add "#" at beginning of line) from Fedora Core default UserDir disable and assign the directory public_html as a web server accessible directory.
OR
Assign a single user the specific ability to share their directory:

 user1/public_html>

  AllowOverride None

  order allow,deny

  allow from all

  Options Indexes Includes FollowSymLinks

Allows the specific user, "user1" only, the ability to serve the directory /home/user1/public_html/

Also use SELinux command to set the security context: setsebool httpd_enable_homedirs true

File permissions: The Apache web server daemon must be able to read your web pages in order to feed thier contents to the network. Use an appropriate umask and file protection. This works: chmod ugo+r -R public_html
One may also use groups to control permisions. See the YoLinux tutorial on managing groups.

Enabling Ubuntu's Apache public_html user directory access:
Ubuntu has broken out the Apache loadable module directives into the directory /etc/apache2/mods-available/. To enable an Apache module, generate soft links to the directory /etc/apache2/sites-enabled/ by using the commands a2enmod/a2dismod to enable/disable Apache modules.
Example:
- [root@node2]# a2enmod
  A list of available modules is displayed. Enter "userdir" as the module to enable.
- Restart Apache with the following command: /etc/init.d/apache2 force-reload
Note: This is the same as manually generating the following two soft links:
- ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf
- ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load
Man page: a2enmod/a2dismod
[Potential Pitfall]: If the Apache web server can not access the file you will get the error "403 Forbidden" "You don't have permission to access file-name on this server." Note the default permissions on a user directory when first created with "useradd" are:

drwx------ 3 userx userx
You must allow the web server running as user "apache" to access the directory if it is to display pages held there.
Fix with command: chmod ugo+rx /home/userx
drwxr-xr-x 3 userx userx

SELinux security contexts:

Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies and context labels.
To view the security context labels applied to your web page files use the command: ls -Z

The system enables/disables SELinux policies in the file /etc/selinux/config
SELinux can be turned off by setting the directive SELINUX. (Then reboot the system):

SELINUX=disabled

or using the command setenforce 0 to temporarily disable SELinux until the next reboot.

When using SELinux security features, the security context labels must be added so that Apache can read your files. The default security context label used is inherited from the directory for newly created files. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory. Move does not create a new file and thus the file does not recieve the directory security context label. The context labels used for the default Apache directories can be viewed with the command: ls -Z /var/www
The web directories of users (i.e. public_html) should be set with the appropriate context label (httpd_sys_content_t).

Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html
Options:

-R: Recursive. Files and directories in current directory and all subdirectories.
-h: Affect symbolic links.
-t: Specify type of security context.

Use the following security contexts:

Context Type	Description
`httpd_sys_content_t`	Used for static web content. i.e. HTML web pages.
`httpd_sys_script_exec_t`	Use for executable CGI scripts or binary executables.
`httpd_sys_script_rw_t`	CGI is allowed to alter/delete files of this context.
`httpd_sys_script_ra_t`	CGI is allowed to read or append files of this context.
`httpd_sys_script_ro_t`	CGI is allowed to read files and directories of this context.

Set the following options: setsebool httpd-option true
(or set to false)

Policy	Description
`httpd_enable_cgi`	Allow httpd cgi support.
`httpd_enable_homedirs`	Allow httpd to read home directories.
`httpd_ssi_exec`	Allow httpd to run SSI executables in the same domain as system CGI scripts.

Then restart Apache:

Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
Red Hat/Fedora: service httpd restart

The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans

For more on SELinux see the YoLinux Systems Administration tutorial.

Virtual Hosts:

The Apache web server allows one to configure a single computer to represent multiple websites as if they were on separate hosts. There are two methods available and we describe the configuration of each. Choose one method for your domain:

Name based virtual host: (most common) A single computer with a single IP adress supporting multiple web domains. The web browser using the http protocol, identifies the domain being addressed.
IP based virtual host: The virtual hosts can be configured as a single multi-homed computer with multiple IP addresses on a single network card, with each IP address representing a different web domain. This has the appearance of a web domain supported by a dedicated computer because it has a dedicated IP address.

Configuring a "name based" virtual host:

A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a dedicated linux server which hosts a single web site.)

NameVirtualHost XXX.XXX.XXX.XXX



XXX.XXX.XXX.XXX>

  ServerName www.your-domain.com          - CNAME (bind DNS alias www) specified in Bind configuration file (/var/named/...)

  ServerAlias your-domain.com             - Allows requests by domain name without the "www" prefix.

  ServerAdmin user1@your-domain.com

  DocumentRoot /home/user1/public_html

  ErrorLog logs/your-domain.com-error_log

  TransferLog logs/your-domain.com-access_log

Notes:

You can specify more than one IP address. i.e. if web server is also being used as a firewall/gateway and you have an external internet IP address as well as a local network IP address.

NameVirtualHost XXX.XXX.XXX.XXX

NameVirtualHost 192.168.XXX.XXX



XXX.XXX.XXX.XXX 192.168.XXX.XXX>

  ...

  ..

See the YoLinux Tutorial on configuring a network gateway/firewall using iptables and NAT.

Use your IP address for XXX.XXX.XXX.XXX, actual domain name and e-mail address.
One can use DNS views to provide different local network DNS results.
Note that I configure Apache for both requests http://www.domain-name.com and http://domain-name.com.

Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a virtual domain.





  ...  This part remains the same

  ..







# Default for when no domain name is given (i.e. access by IP address)



*:80>

  ServerAdmin user1@your-domain.com

  DocumentRoot /var/www/html

  ErrorLog logs/error_log

  TransferLog logs/access_log





# Add a VirtualHost definition for your domain which was once the system default.



XXX.XXX.XXX.XXX>

  ServerName www.your-domain.com

  ServerAlias your-domain.com

  ServerAdmin user1@your-domain.com

  DocumentRoot /var/www/html

  ErrorLog logs/error_log

  TransferLog logs/access_log





  ...

  ..

Forwarding to a primary URL. It is best to avoid the appearance of duplicated web content from two URLs such as http://www.your-domain.com and http://your-domain.com. Supply a forwarding Apache "Redirect".

XXX.XXX.XXX.XXX>

  ServerName www.your-domain.com   - Note that no aliases are listed

  ...

  ...





# Add a VirtualHost definition to forward to your primary URL



XXX.XXX.XXX.XXX>

  ServerName your-domain.com

  ServerAlias other-domain.com

  ServerAlias www.other-domain.com

  Redirect permanent / http://www.your-domain.com.com/





  ...

  ..

Note:

See the YoLinux.com Apache "Redirect" Tutorial

More virtual host examples.

When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a "NameVirtualHost" for each IP address.

After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu / Debian)

Apache virtual domain configuration with Ubuntu Dapper/Hardy:

Ububntu separates out each virtual domain into a separate configuration file held in the directory /etc/apache2/sites-available/. When the site domain is to become active, a soft link is created to the directory /etc/apache2/sites-enabled/.

Example: /etc/apache2/sites-available/supercorp

XXX.XXX.XXX.XXX>

       ServerName supercorp.com

       ServerAlias www.supercorp.com

       ServerAdmin webmaster@localhost



       DocumentRoot /home/supercorp/public_html/home

       

               Options FollowSymLinks

               AllowOverride None

       

       

               Options Indexes FollowSymLinks MultiViews

               IndexOptions SuppressLastModified SuppressDescription

               AllowOverride All

               Order allow,deny

               allow from all

       



       ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/

       

               AllowOverride None

               Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

               Order allow,deny

               Allow from all

       



       ErrorLog /var/log/apache2/supercorp.com-error.log



       # Possible values include: debug, info, notice, warn, error,

       # crit, alert, emerg.

       LogLevel warn

       CustomLog /var/log/apache2/supercorp.com-access.log combined

       ServerSignature On

Enable domain:

Create soft link:
- Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2/sites-enabled/supercorp
- Use Ubuntu scripts a2ensite/a2dissite. Type command and it will prompt you as to which site you would like to enable or disable.
Restart Apache:
- apache2ctl graceful
  or
- /etc/init.d/apache2 restart
  or
- /etc/init.d/apache2 reload

Also note that Apache modules can also be enabled/disabled with scripts a2enmod/a2dismod.

Man pages:

a2ensite/a2dissite (Ubuntu: Apache 2 enable/disable site)
apache2ctl

Configuring an "IP based" virtual host:

One may assign multiple IP addresse to a single network interface. See the YoLinux networking tutorial: Network Aliasing. Each IP address may then be it's own virtual server and individual domain. The downside of the "IP based" virtual host method is that you have to possess multiple/extra IP addresses. This usually costs more. The standard name based virtual hosting method above is more popular for this reason.

  

NameVirtualHost *              - Indicates all IP addresses



*>

  ServerAdmin user0@default-domain.com

  DocumentRoot /home/user0/public_html





XXX.XXX.XXX.101>

  ServerAdmin user1@domain-1.com

  DocumentRoot /home/user1/public_html





XXX.XXX.XXX.102>

  ServerAdmin user1@domain-2.com

  DocumentRoot /home/user2/public_html

The default block will be used as the default for all IP addresses not specified explicitly. This default IP (*) may not work for https URL's.

CGI: (Common Gateway Interface)

CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by either of two configuration file directives:

ScriptAlias:
- Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
- Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
- Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
- Ubuntu (dapper/hardy) / Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
or
Options +ExecCGI:
Options +ExecCGI

The executable program files must have execute privileges, executable by the process owner (Red Hat 7+/Fedora Core: apache. Older use nobody) under which the httpd daemon is being run.

Configuring CGI To Run With User Privileges:

The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

   NameVirtualHost XXX.XXX.XXX.XXX



  XXX.XXX.XXX.XXX>

  ServerName node1.your-domain.com                         - Allows requests by domain name without the "www" prefix.

  ServerAlias your-domain.com www.your-domain.com          - CNAME (alias www) specified in Bind configuration file (/var/named/...)

  ServerAdmin user1@your-domain.com

  DocumentRoot /home/user1/public_html/your-domain.com

  ErrorLog logs/your-domain.com-error_log

  TransferLog logs/your-domain.com-access_log



  SuexecUserGroup user1 user1

  user1/public_html/your-domain.com/>

     Options +ExecCGI +Indexes

     AddHandler cgi-script .cgi

ERROR Pages:

You can specify your own web pages instead of the default Apache error pages:

   ErrorDocument 404 /Error404-missing.html

Create the file Error404-missing.html in your "DocumentRoot" directory.

PHP:

If the appropriate php, perl and httpd RPM's are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM Packages (RHEL4):

php: HTML-embedded scripting language
php-pear: PEAR is a framework and distribution system for reusable PHP components.
php-mysql: MySQL database support.
php-ldap: Lightweight Directory Access Protocol (LDAP) support

Apache configuration:

Add php default page index.php to apache config file: /etc/httpd/conf/httpd.conf

...



DirectoryIndex index.html index.htm index.php



...

PHP Configuration File:

RHEL4 - PHP 4.3: /etc/php.ini
Ubuntu Daper 6.06/6.11: /etc/php5/apache2/php.ini

[PHP]

engine = On

...

...

display_errors = Off

include_path = ".:/php/includes"

...

...

memory_limit = 32M   ; Default is typically 8MB which is too low.

...

...



[MySQL]

...

...

mysql.default_host = superserver    ; Hostname of the computer

mysql.default_user = dbuser

...

Small portion of file shown.
Note that changes will not take effect until the apache web server daemon is restarted.

Test you PHP capabilities with this test file: /home/user1/public_html/test.php

  phpinfo();

?>

OR (older format)

  phpinfo();

?>

Test: http://localhost/~user1/test.php

For more info see YoLinux list of PHP information web sites.

Running Multiple instances of `httpd`:

The Apache web server daemon (httpd) can be started with the command line option "-f" to specify a unique configuration file for each instance. Configure a unique IP address for each instance of Apache. See the YoLinux Networking Tutorial to specify multiple IP addresses for one NIC (Network Interface Card). Use the Apache configuration file directive Listen XXX.XXX.XXX.XXX, where the IP address is unique for each instance of Apache.

Apache Man Pages:

httpd - Apache Hypertext Transfer Protocol Server
apachectl - Apache HTTP Server Control Interface
ab - Apache HTTP server benchmarking tool
htdigest - manage user files for digest authentication
htpasswd - Manage user files for basic authentication
logresolve - Resolve IP-addresses to hostnames in Apache log files
rotatelogs - Piped logging program to rotate Apache logs

Also see the local online Apache configuration manual: http://localhost/manual/.

Apache Red Hat / Fedora Core GUI configuration:

GUI configuration tool:

Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-httpd
Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd

Adding web site login and password protection: See the YoLinux tutorial on web site password protection.

Log file analysis:

Scanning the Apache web log files will not provide meaningfull statistics unless they are graphed or presented in an easy to read fashion. The following packages to a good job of presenting site statistics.

Analog - Also see Report Magic for Analog
Webalizer
AWStats - (requires PERL)

Web site statistic services:

eXTReMe Tracking

Load testing your server:

PureLoad - JAVA load testing and reporting tool.
WebPerformance Trainer - Load Testing Tools.

Apache Links:

CgiWrap - setuid wrapper that allows users to install and execute their own cgi scripts that get executed as their own userid
Thumbprint - CGI for viewing a directory of images as thumbnails
WWWThreads.org - Commercial product - Advanced Web Conferencing Software
Configuring https (mod_ssl):

Log file analysis using Analog:

Installation:

Red Hat / Fedora: yum install analog
Ubuntu / Debian: apt-get install analog

Installation packages also available from the Analog downloads page.

Configuration file: /etc/analog.cfg

LOGFILE /var/log/httpd/your-domain.com-access_log* http://www.your-domain.com

UNCOMPRESS *.gz,*.Z "gzip -cd"

SUBTYPE *.gz,*.Z

#

OUTFILE /home/user1/public_html/analog/Report.html

#

HOSTNAME "YourDomain.com"

HOSTURL  http://www.your-domain.com



....

...

..



REQINCLUDE pages                  # Request page stats only

ALL ON

LANGUAGE US-ENGLISH

One can view the settings which be used with your configuration file (also good for debugging): analog -settings

Make Analog images available to the users report: ln -s /usr/share/analog/images/* /home/user1/public_html/analog

Log file location:

Red Hat / Fedora: /var/log/httpd/
Ubuntu / Debian: /var/log/apache2/

The Directive ALL ON turns on all of the following:

Analog Directive	Description
`MONTHLY ON`	one line for each month
`WEEKLY ON`	one line for each week
`DAILYREP ON`	one line for each day
`DAILYSUM ON`	one line for each day of the week
`HOURLYREP ON`	one line for each hour of the day
`GENERAL ON`	the General Summary at the top
`REQUEST ON`	which files were requested
`FAILURE ON`	which files were not found
`DIRECTORY ON`	Directory Report
`HOST ON`	which computers requested files
`ORGANISATION ON`	which organisations they were from
`DOMAIN ON`	which countries they were in
`REFERRER ON`	where people followed links from
`FAILREF ON`	where people followed broken links from
`SEARCHQUERY ON`	the phrases and words they used...
`SEARCHWORD ON`	...to find you from search engines
`BROWSERSUM ON`	which browser types people were using
`OSREP ON`	and which operating systems
`FILETYPE ON`	types of file requested
`SIZE ON`	sizes of files requested
`STATUS ON`	number of each type of success and failure

Cron job to handle multiple domains: /etc/cron.daily/analog

#!/bin/sh

cp /opt/etc/analog-domain1.com.cfg      /etc/analog.cfg

/usr/bin/analog

cp /opt/etc/analog-domain2.com.cfg      /etc/analog.cfg

/usr/bin/analog



...

Links:

Measuring Web Server Performance:

See the YoLinux.com web server benchmarking tutorial.

FTPd and FTP user account configuration:

Many FTP programs exist. This example covers the popular vsftpd (Red Hat default 9.0, Fedora Core, Suse) and wu-ftpd (Washington University) program which comes standard with RedHat (last shipped with RedHat 8.0 but can be installed on any Linux system). (RPM: wu-ftpd) There are other FTP programs including proFtpd (supports LDAP authentication, Apache like directives, full featured ftp server software), bftpd, pure-ftpd (free BSD and optional on Suse), etc ...

FTPd and SELinux: To allow FTPd daemon access to users home directories: setsebool -P ftp_home_dir 1
Follow with the command service vsftpd restart

FTPd configuration tutorials:

# vsFTPd: Configuration
# WU-FTPd: Configuration
# FTP Clients: Links

vsFTPd and FTP user account configuration:

The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by Suse and OpenBSD as well. This is currently the recomended FTP daemon for use on FTP servers.

Enable vsftpd:

Red Hat/Fedora Core/CentOS: VsFTPd is a stand alone service and by the default Fedora Core installation, not controlled by xinetd as is the wu-ftpd default installation.
Thus start service: service vsftpd start (or: /etc/init.d/vsftpd start)
Configure vsftpd to start upon system boot: chkconfig --add vsftpd
SuSE: By default, the vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change:
disable = yes
to:
disable = no
Restart the xinetd daemon: /etc/init.d/xinetd restart
Note: vsftpd can also be run as a stand-alone service to achieve a faster response time.
Ubuntu (dapper/hardy) / Debian:
- Install: apt-get install vsftpd
- VsFTPd is a stand alone service.
  - Start: /etc/init.d/vsftpd start
  - Stop: /etc/init.d/vsftpd stop
  - Restart: /etc/init.d/vsftpd restart
    (Use this command after making configuration file changes)

For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the Linux init process and service activation.

Configuration files:

vsFTPd configuration file:

Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf
S.u.S.e. / Ubuntu (dapper/hardy) / Debian: /etc/vsftpd.conf

Default for Fedora Core 3:

anonymous_enable=YES - Anonymous FTP allowed by default if you comment this out. Default directory used: /var/ftp

local_enable=YES - Uncomment this to allow local users to log in with FTP.

Must also set SELinux boolean: setsebool -P ftp_home_dir 1

write_enable=YES - Uncomment this to enable any form of FTP write or upload command.

local_umask=022 - Default is 077. Umask 022 is used by most other ftpd's.

#anon_upload_enable=YES - Uncomment to allow the anonymous FTP user to upload files.

Requires the above global write enabled. Directory must also be writable by user.

#anon_mkdir_write_enable=YES - Uncomment this to allow the anonymous FTP user to be able to create new directories.

dirmessage_enable=YES - Activate directory messages.

Messages given to remote users when they enter certain directories

xferlog_enable=YES - Activate logging of uploads/downloads.

connect_from_port_20=YES - PORT transfer connections originate from port 20 (ftp-data)

#chown_uploads=YES - Uploaded anonymous files set to a specified owner. (not root)

#chown_username=whoever

#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log

xferlog_std_format=YES - Output to log file in standard ftpd xferlog format

#idle_session_timeout=600 - Set timing out for an idle session.

#data_connection_timeout=120 - Set timing out for an idle data connection. Port 20

#nopriv_user=ftpsecure - Run ftp server as an isolated and unprivileged user.

# Enable this and the server will recognise asynchronous ABOR requests. Not

# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.

#async_abor_enable=YES

#ascii_upload_enable=YES - Improve performance by disabling ASCII mode. Disables command "ascii" and "SIZE /big/file".

#ascii_download_enable=YES

#ftpd_banner=Welcome to YoLinux - Customize the login banner string.

#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.

#banned_email_file=/etc/vsftpd.banned_emails (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)

#chroot_list_enable=YES - List users chroot()'d to their home directory. If "NO", list users not chroot()'d.

#chroot_list_file=/etc/vsftpd.chroot_list (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)

ls_recurse_enable=YES - Allow "ls -R" recursive directory list. Default is disabled.

pam_service_name=vsftpd

userlist_enable=YES - (Ubuntu Default) Deny users specified in file /etc/vsftpd.user_list

If "userlist_enable=NO" then allow specified users.

Red Hat: /etc/vsftpd/user_list

#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.

listen=YES - Enable for standalone mode as opposed to an xinetd service.

Must set SELinux boolean: setsebool -P ftpd_is_daemon 1

tcp_wrappers=YES

Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)

[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:

directive=XXX # comment

vsftp.conf man page

Specify list of local users chrooted to their home directories:
- Red Hat: /etc/vsftpd/vsftpd/chroot_list
- Ubuntu: /etc/vsftpd/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)
user1
user2
...
user-n
If userlist_enable=NO, then specify users not to be chroot'd..
Specify list of users:
- Red Hat: /etc/vsftpd/user_list
- Ubuntu: /etc/vsftpd.user_list
(Deny list of users requires: userlist_enable=YES)
Also see PAM configuration below.
root
bin
daemon
adm
lp
sync
shutdown
halt
...
If userlist_enable=NO, then specify valid users.

PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd

#%PAM-1.0

auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed

auth       required     pam_stack.so service=system-auth

auth       required     pam_shells.so

account    required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth

This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is independent of vsftpd configuration.

PAM authentication configuration file: ftpusers

Red Hat: /etc/vsftpd/ftpusers
Ubuntu: /etc/vsftpd.ftpusers

root

bin

daemon

adm

lp

sync

shutdown

halt

...

...

...

user6     - Users to deny

user8

...

...

Logrotate configuration file: /etc/logrotate.d/vsftpd.log

/var/log/xferlog {

   # ftpd doesn't handle SIGHUP properly

   nocompress

   missingok

}

Sample vsFTPd configurations:

Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf

# Access rights

anonymous_enable=YES          - Turn on anonymous FTP

chown_uploads=YES             - Uploaded files owned by an assigned user

chown_username=ftp            - Uploaded files owned by this assigned user

local_enable=NO

write_enable=NO               - No upload of files system changes allowed

anon_upload_enable=NO

anon_mkdir_write_enable=NO

anon_other_write_enable=NO

# Security

anon_world_readable_only=YES

connect_from_port_20=YES

force_dot_files=NO

guest_enable=NO

hide_ids=YES

pasv_min_port=50000

pasv_max_port=60000

# Features

xferlog_enable=YES

ls_recurse_enable=NO

ascii_download_enable=NO

async_abor_enable=YES

# Performance

one_process_model=NO

idle_session_timeout=120

data_connection_timeout=300

accept_timeout=60

connect_timeout=60

max_per_ip=4

anon_max_rate=50000



pam_service_name=vsftpd

userlist_enable=YES

#enable for standalone mode

listen=YES

tcp_wrappers=YES

Anonymous logins use the login name "anonymous" and then the user supplies their email address as a password. Any password will be accepted. Used to allow the public to download files from an ftp server. Generally, no upload is permitted.

Web hosting configuration: /etc/vsftpd/vsftpd.conf

# Access rights

anonymous_enable=NO

local_enable=YES                              - Allow users to ftp to their home directories

write_enable=YES                              - Allow users to STOR,  DELE, RNFR, RNTO, MKD, RMD, APPE and SITE

local_umask=022

# Security

connect_from_port_20=YES

force_dot_files=NO

guest_enable=NO                               - Don't remap user name

ftpd_banner=Welcome to Super Duper Hosting    - Customize the login banner string.

chroot_local_user=YES                         - Limit user to browse their own directory only

chroot_list_enable=YES                        - Enable list of system / power users

chroot_list_file=/etc/vsftpd.chroot_list      - Actual list of system / power users

hide_ids=YES

pasv_min_port=50000

pasv_max_port=60000

# Features

xferlog_enable=YES

ls_recurse_enable=NO

ascii_download_enable=NO

async_abor_enable=YES

dirmessage_enable=YES                         - Message greeting held in file .message or specify with message_file=...

# Performance

one_process_model=NO

idle_session_timeout=120

data_connection_timeout=300

accept_timeout=60

connect_timeout=60

max_per_ip=4

#

pam_service_name=vsftpd

userlist_enable=YES

#enable for standalone mode

listen=YES

tcp_wrappers=YES

Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
Ubuntu typically: /etc/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)

user1

user2

...

user-n

If userlist_enable=NO, then specify users not to be chroot'd..

[Potential Pitfall]: Mispelling a directive will cause vsftpd to fail with little warning.

File: .message

A NOTE TO USERS UPLOADING FILES:

  File names may consist of letters (a-z, A-Z), numbers (0-9),

  an under score ("_"), dash ("-") or period (".") only.

  The file name may not begin with a period or dash.

Test if vsftp is listening: netstat -a | grep ftp

[root]# netstat -a | grep ftp

tcp        0      0 *:ftp                       *:*                         LISTEN

Links:

WU-FTPd and FTP user account configuration:

The wu-ftpd FTP server can be downloaded (binary or source) from it's home page at http://wu-ftpd.org.

There are three kinds of FTP logins that wu-ftpd provides:

anonymous FTP - one logs in with the username 'anonymous'
real FTP - log in with a real username and password and has access to the entire disk structure.
guest FTP - one logs in with a real user name and password, but the user is chroot'ed to his home directory and cannot escape from it. They are constrained to their home directory which also means that they don't have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be set up.

This tutorial covers "guest" FTP configuration.

The file /etc/ftpaccess controls the configuration of ftp.

   # Don't allow system accounts to log in over ftp

  deny-uid %-99 %65534-

  deny-gid %-99 %65534-



  class   all   real,guest  *

  email webmaster@your-domain.com

  loginfails 5



  readme  README*    login

  readme  README*    cwd=*

  message /welcome.msg            login

  message .message                cwd=*



  compress        yes             all

  tar             yes             all

  chmod           no              guest,anonymous

  delete          no              anonymous    # delete files permission?

  overwrite       no              anonymous    # overwrite files permission?

  rename          no              anonymous    # rename files permission?

  delete          yes             guest        # delete files permission?

  overwrite       yes             guest        # overwrite files permission?

  rename          yes             guest        # rename files permission?

  umask           no              guest        # umask permission?



  log transfers anonymous,real inbound,outbound



  shutdown /etc/shutmsg



  passwd-check rfc822 warn



  # Must also create message file /etc/pathmsg of the guest directory.

  # In this case it refers to /home/user1/public_html/etc/pathmsg.

  path-filter  guest /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-

  limit all 2

  noretrieve passwd .htaccess core    - Do not allow users to download files of these names

  limit-time * 20

  byte-limit in 5000                  - Limit file size

  guestuser *      - Set system user default to be categorized as a "guest". A "real" user can roam the system. Guestuser is chrooted.

  realgroup regularuserx regularusery - Assign real user privileges to members of groups "regularuserx" and "regularusery".

                                        Visibility of the whole file system and subject to regular UNIX file permissions

  realuser user4                      - Assign real user privileges to user id "user4". 



  restricted-uid user1 user2 user3    - Restricts FTP to the specified directories

  guest-root /home/user1/public_html user1

  guest-root /home/user2/public_html user2

  guest-root /home/user3/public_html user3

Note:

user1, user2 and user3 refer to login accounts. Use the appropriate login name.
The above configuration disables anonymous FTP which allows anyone to perform an FTP login with the id anonymous and an email address as a password. To enable anonymous FTP, change the class directive to:

class all real,guest,anonymous *
GUI FTP configuration tools:
- /usr/bin/kwuftpd
- /sbin/linuxconf
  (Note: Linuxconf is no longer included with Red Hat 7.3 and later)
Red Hat Linux assigns users a user id and group id which is the same. This means that it does not matter if you use a realuser or realgroup directive as they will act the same.
Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections. Thus xinetd must be running and configured to support ftp. The configuration file is /etc/xinetd.d/wu-ftpd. The command chkconfig wu-ftpd on will make the ftp server available. See xinet configuration for more info.

Allow overide of deny-uid and/or deny-gid:

     allow-uid user-to-allow

    allow-gid group-to-allow

Optional configuration:
- Create a group ftpchroot
- Add users to this group
- Use directive: guestgroup ftpchroot

[Potential Pitfall]: Flakey ftp behavior, timeouts, etc?? FTP works best with name resolution of the computer it is communicating with. This requires proper /etc/resolve.conf and name server (bind) configuration, /etc/hosts or NIS/NFS configuration.

File /home/user1/public_html/etc/pathmsg:

   A NOTE TO USERS UPLOADING FILES:

  File names may consist of letters (a-z, A-Z), numbers (0-9),

  an under score ("_"), dash ("-") or period (".") only.

  The file name may not begin with a period or dash.

  You have tried to upload a file with an inappropriate name.

The whole point of the chroot directory is to make the user's home directory appear to be the root of the filesystem (/) so one could not wander around the filesystem. Configuration of /etc/ftpaccess will limit the user to their respective directories while still offering access to /bin/ls and other system commands used in FTP operation.

As root:

   cd /home/user1

  mkdir public_html

  chown $1.$1 public_html

  touch .rhosts             - Security protection

  chmod ugo-xrw .rhosts

Man Pages:

Server:

ftpd - Internet File Transfer Protocol server

File Formats:

/etc/ftpaccess - Configuration file for ftpd
/etc/ftpservers - ftpd virtual hosting configuration file. (optional)
/etc/ftphosts - allow or deny access to certain accounts from various hosts. (optional)
/etc/ftpconversions - ftpd conversions database (for tar and compression)
/var/log/xferlog - FTP server logfile
ftp - File Transfer Client program

Configuration files: (RH 8.0+)

PAM configuration file: /etc/pam.d/ftp

#%PAM-1.0

auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

auth       required     pam_stack.so service=system-auth

auth       required     pam_shells.so

account    required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth

Xinetd configuration file: /etc/xinetd.d/wu-ftpd

service ftp

{

       disable = no

       socket_type             = stream

       wait                    = no

       user                    = root

       server                  = /usr/sbin/in.ftpd

       server_args             = -l -a

       log_on_success          += DURATION USERID

       log_on_failure          += USERID

       nice                    = 10

}

Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd.

Logrotate configuration file: /etc/logrotate.d/ftpd
/var/log/xferlog {
nocompress
}

More information:

WU-FTPD Development Group Home Page
More resources
Academ Consulting
FTP FAQ - Koos van den Hout's
dkftpbench - FTP benchmark program to give you an idea as to how many simultaneous dialup clients a server can support.
FTP and text file type conversions: End Of Line Characters - by Peter Benjamin
Chrooted sftp (ssl) project

Man pages on related FTP commands and files:

chroot - Run with a special root directory
ftpcount - Show number of concurrent users.
ftpshut - close down the ftp servers at a given time
ftprestart - Restart previously shutdown ftp servers
ftpwho - show current process information for each ftp user
privatepw - Change WU-FTPD Group Access File Information (admin command)

Other FTP daemons:

FTP4All
CrushFTP - Java/cross platform
WS_FTP

FTP Pitfalls:

If you get the following error:

ftp> ls

227 Entering Passive Mode (208,188,34,109,208,89)

ftp: connect: No route to host

This means you have firewall issues most probably on the FTP server itself. Start by removing the firewall "iptables" rules: iptables -F Add rules until you discover what is causing the problem.

Passive mode:

Passive mode can also help one past the rules:

ftp> passive

Passive mode on.

This toggles passive mode on and off. When on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters pasv_min_port and pasv_max_port

Firewall connection tracking module:

# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp

IPTABLES_MODULES="ip_conntrack_ftp"

NAT firewall modules:

You can also try adding ip_nat_ftp to the list of autoloaded modules: (This will also load the dependancy: ip_conntrack_ftp.)

# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp

IPTABLES_MODULES="ip_nat_ftp"

Then restart the firewall: /etc/init.d/iptables condrestart

FTP will change ports during use. The ip_conntrack_ftp module will consider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work. i.e. rule: /etc/sysconfig/iptables

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

FTP fails because it can not change to the users home directory:

Error:

[user1@nodex ~]$ ftp node.domain.com

Connected to XXX.XXX.XXX.XXX.

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (XXX.XXX.XXX.XXX:user1):

331 Please specify the password.

Password:

500 OOPS: cannot change directory:/home/user1

Login failed.

ftp> bye

This is often a result of SELinux preventing the vsftpd process from accesing the user's home directory. As root, grant access with the following command:
setsebool -P ftp_home_dir 1
Followed by: service vsftpd restart

Test your vsftpd SELinux settings: getsebool -a | grep ftp

allow_ftpd_anon_write --> off

allow_ftpd_full_access --> off

allow_ftpd_use_cifs --> off

allow_ftpd_use_nfs --> off

allow_tftp_anon_write --> off

ftp_home_dir --> on

ftpd_disable_trans --> off

ftpd_is_daemon --> on

httpd_enable_ftp_server --> off

tftpd_disable_trans --> off

FTPd SELinux man page

FTP Linux clients:

kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with S.U.S.e. Linux.
gftp: GUI GTK+ Multithreaded client. File transfer directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.
ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)

Basic user security:

When hosting web sites, there is no need to grant a shell account which only allows the server to have more potential security holes. Current systems can specify the user to have only FTP access with no shell by granting them the "shell" /sbin/nologin provided with the system or the "ftponly" shell described below. The shell can be specified in the file /etc/passwd of when creting a user with the command adduser -s /sbin/nologin user-id

[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5 does not support this configuration to prevent shell access. It requires users to have a real user shell. i.e. /bin/bash It works great in older and current Red Hat versions. If it works for you, use it, as it is more secure to deny the user shell access. You can always deny telnet access. You should NOT be using this problem ridden version of ftpd. Use the latest wu-ftpd-2.6.2-11 which supports users with shell /opt/bin/ftponly

[Potential Pitfall]: Ubuntu Dapper/Hardy - Setting the shell to the preconfigured shell /bin/false will NOT allow vsftp access. One must create the shell "ftponly" as defined below to allow vsftp access with no shell.

Disable remote telnet login access allowing FTP access only:

Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.

...

user1:x:502:503::/home/user1:/opt/bin/ftponly

...

Create file: /opt/bin/ftponly.
Protection set to -rwxr-xr-x 1 root root
with the command: chmod ugo+x /opt/bin/ftponly
Contents of file:

   #!/bin/sh

#

# ftponly shell

#

trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15

#

Admin=root@your-domain.com

#System=`/bin/hostname`@`/bin/domainname`

#

/bin/echo

/bin/echo "********************************************************************"

/bin/echo "    You are NOT allowed interactive access."

/bin/echo

/bin/echo "     User accounts are restricted to ftp and web access."

/bin/echo

/bin/echo "  Direct questions concerning this policy to $Admin."

/bin/echo "********************************************************************"

/bin/echo

#

# C'ya

#

exit 0

The last step is to add this to the list of valid shells on the system.
Add the line /opt/bin/ftponly to /etc/shells.

Sample file contents: /etc/shells

/bin/bash

/bin/bash1

/bin/tcsh

/bin/csh

/opt/bin/ftponly

See man page on /etc/shells.

An alternative would be to assign the shell /bin/false or /sbin/nologin which became available in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false or /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access.

Set file quotas to limit user account.

For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial

Domain Name Server (DNS) configuration using Bind version 8 or 9:

Two of the most popular ways to configure the program Bind (Berkeley Internet Domain software) to perform DNS services is in the role of (1) ISP or (2) Web Host.

In an ISP configuration for clients (web surfers) conected to the internet, the DNS server must resolve IP addresses for any URL the user wishes to visit. (See DNS caching server)
In a purely web hosting configuration, Bind will only resolve for the IP addresses of the domains which are being hosted. This is the configuration which will be discussed and is often called an "Authoritative-only Nameserver".

When resolving IP addresses for a domain, Internic is expecting a "Primary" and a "Secondary" DNS name server. (Sometimes called Master and Slave) Each DNS name server requires the file /etc/named.conf and the files it points to. This is typically two separate computer systems hosted on two different IP addresses. It is not necesary that the Linux servers be dedicated to DNS as they may run a web server, mail server, etc.

Note on Bind versions: Red Hat versions 6.x used Bind version 8. Release 7.1 of Red Hat began using Bind version 9 and the GUI configuration tool bindconf was introduced for those of you that like a pretty point and click interface for configuration.

Installation Packages:

Red Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind
- bind-chroot: Security jail for operation of bind.
- bind-utils: Utility commands like nslookup, host, dig
- system-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).
- caching-nameserver: We will not be covering this as it is not required for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting.
Ubuntu (dapper/hardy) / Debian: bind9

Configuration files:

Red Hat / Fedora / CentOS:

File	Description	Directory	Chrooted Directory
named.conf	Primary/Secondary DNS server configuration. (See default file `/usr/share/doc/bind-9.X.X/sample/etc/named.conf`)	/etc/	/var/named/chroot/etc/
named.root.hints	Configuration for recursive service. Required for all zones. (See default file `/usr/share/doc/bind-9.X.X/sample/etc/named.root.hints`)	/etc/	/var/named/chroot/etc/
named	Red Hat system variables.	/etc/sysconfig/	no change
rndc.key	Primary/Secondary DNS server configuration.	/etc/	/var/named/chroot/etc/
Zone files	Configuration files for each domain. Create this file to resolve host name internet queries i.e. define IP address of web (www) and mail servers in the domain.	/var/named/	/var/named/chroot/var/named/

Debian / Ubuntu:

File	Description	Directory	Chrooted Directory
named.conf named.conf.options named.conf.local	Primary/Secondary DNS server configuration.	/etc/bind/	/var/bind/chroot/etc/bind/
rndc.key	Primary/Secondary DNS server configuration.	/etc/	/var/bind/chroot/etc/
Zone files	Configuration files for each domain.	/var/bind/data/	/var/bind/chroot/var/bind/data/

Primary server (master):

File: named.conf

Red Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) and /etc/sysconfig/named for system variables.
Ubuntu / Debian: /etc/bind/named.conf Place local definitions in /etc/bind/named.conf.options and /etc/bind/named.conf.local

Simple example: (no views)

options {                                     - Ubuntu stores options in /etc/bind/named.conf.options

       version "Bind";                       - Don't disclose real version to hackers

       directory "/var/named";               - Specified so relative path names can be used. Full path names still allowed.

       allow-transfer { XXX.XXX.XXX.XXX; };  - IP address of secondary DNS

       recursion no;

       auth-nxdomain no;                     - conform to RFC1035. (default)

       fetch-glue no;                  - Bind 8 only! Not used by version 9

};



zone "localhost" {

       type master;

       file "/etc/bind/db.local";

};

zone "0.0.127.in-addr.arpa" {

       type master;

       file "/etc/bind/db.127";

};



zone "your-domain.com"{                 - Ubuntu separates the zone definitions into /etc/bind/named.conf.local 

       type master;                    - Specify master, slave, forward or hint

       file "data/named.your-domain.com";

       notify yes;                     - slave servers are notified when the zone is updated.

       allow-update { none; };         - deny updates from other hosts (default: none)

       allow-query { any; };           - allow clients to query this server (default: any)

};

zone "your-domain-2.com"{

       type master;

       file "data/named.your-domain-2.com";

       notify yes;

};

Note:

The omission of zone ".". Required if providing a recursive service.
Ubuntu includes the separated file of zone directives using the directive:
include "/etc/bind/named.conf.local";

BIND Views: The BIND naming service can support "views" which allow various sub-networks (i.e. private internal or public external networks) to have a different domain name resolution result.

If no views are specified then use the configuration shown above.
The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement.
If even one view is specified, then ALL zones MUST be associated with a "view".
Bind 9 allows for views which allow different zones to be served to different types of clients, localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "internal" and "external":
- localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf
- internal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.
- external: The general public internet defined as client "any".
If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views).
In order to support a DNS for internet domains using views, one will have to configure an "external" view

Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")

options

{

       directory "/var/named"; // the default

       dump-file               "data/cache_dump.db";

       statistics-file         "data/named_stats.txt";

       memstatistics-file      "data/named_mem_stats.txt";



};

logging

{

   //  By default, SELinux policy does not allow named to modify the /var/named

   //  directory, so put the default debug log file in data/ :



       channel default_debug {

               file "data/named.run";

               severity dynamic;

       };

};

view "localhost_resolver"

{

   //  This view sets up named to be a localhost resolver ( caching only nameserver ).

   //  If all you want is a caching-only nameserver, then you need only define this view:

   match-clients           { localhost; };

   ...

};

view "internal"

{

   // This view will contain zones you want to serve only to "internal" clients

   // that connect via your directly attached LAN interfaces - "localnets" .

   // For local private LAN. Not covered in this tutorial.

   // Delete this view if web hosting with no local LAN.

   match-clients           { localnets; };

   ...

};

key ddns_key

{

       algorithm hmac-md5;

       secret "use /usr/sbin/dns-keygen to generate TSIG keys";

};

view    "external"

{

   // This view will contain zones you want to serve only to "external"

   // public internet clients. This is covered below.

   match-clients           { any; };

   ...

   ..

};

Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf

cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc
cp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc
chcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints

view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:

cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc
cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named
also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root

view "external": (master) - details -

view    "external"

{

/* This view will contain zones you want to serve only to "external" clients

* that have addresses that are not on your directly attached LAN interface subnets:

*/

       match-clients           { any; };

       match-destinations      { any; };

       allow-transfer { XXX.XXX.XXX.XXX; };  - IP address of secondary DNS



       recursion no;

       // you'd probably want to deny recursion to external clients, so you don't

       // end up providing free DNS service to all takers



       // all views must contain the root hints zone:

       include "/etc/named.root.hints";



       // These are your "authoritative" external zones, and would probably

       // contain entries for just your web and mail servers:



       zone "your-domain.com" {

               type master;

               file "/var/named/data/external/named.your-domain.com";

               notify yes;

               allow-update { none; };

       };



       // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement

       include "/etc/named.conf.local";     

};

DNS key:

Use the following command /usr/sbin/dns-keygen to create a key. Add this key to the "secret" statement as follows:

key ddns_key

{

       algorithm hmac-md5;

       secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";

};

Man Pages:

named.conf

Forward Zone File: /var/named/named.your-domain.com

Red Hat 9 / CentOS 3: /var/named/named.your-domain.com
Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted] /var/named/chroot/var/named/data/named.your-domain.com
Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.your-domain.com
Ubuntu / Debian: /etc/bind/data/named.your-domain.com

$TTL 604800         - Bind 9 (and some of the later versions of Bind 8) requires $TTL statement. Measured in seconds. This value is 7 days.

your-domain.com.    IN      SOA  ns1.your-domain.com.  hostmaster.your-domain.com. (

  2000021600 ; serial     - Many people use year+month+day+integer as a system. Never greater than 2147483647 for a 32 bit processor.

  86400 ; refresh         - How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)

  7200 ; retry            - How long secondary server should wait for a retry if contact failed.

  1209600 ; expire        - Secondary server to purge info after this length of time.

  86400 ) ; default_ttl   - How long data is held in cache by remote servers.

      IN A       XXX.XXX.XXX.XXX  - Note that this is the default IP address of the domain.

                                    I put the web server IP address here so that domain.com points to the same servers as www.domain.com

;

; Name servers for the domain

;

      IN NS         ns1.your-domain.com.

      IN NS         ns2.your-domain.com.

;

; Mail server for domain

;

      IN MX    5    mail               - Identify "mail" as the node handling mail for the domain. Do NOT specify an IP address!

;

; Nodes in domain

;

node1  IN A          XXX.XXX.XXX.XXX    - Note that this is the IP address of node1

ns1    IN A          XXX.XXX.XXX.XXX    - Optional: For hosting your own primary name server. Note that this is the IP address of ns1

ns2    IN A          XXX.XXX.XXX.XXX    - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2

mail   IN A          XXX.XXX.XXX.XXX    - Identify the IP address for node mail.

      IN MX    5    XXX.XXX.XXX.XXX    - Identify the IP address for mail server named "mail".

;

; Aliases to existing nodes in domain

;

www    IN CNAME      node1              - Define the webserver "www" to be node1.

ftp    IN CNAME      node1              - Define the ftp server to be node1.

MX records for 3rd party off-site mail servers:

your-domain.com.    IN MX  10 mail1.offsitemail.com.

your-domain.com.    IN MX  20 mail2.offsitemail.com.

Append to the above file.

Initial configuration: Note that Red Hat may supply the default zone configuration in: /usr/share/doc/bind-9.X.X/sample/var/named/

cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/
cd /var/named/chroot/var/named/data/
chcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local

A file suffix of "zone" is also common i.e. your-domain.com.zone

Secondary server (slave):

File: named.conf

Red Hat / Fedora Core / CentOS: /etc/named.conf
Ubuntu / Debian: /etc/bind/named.conf
Simple example with no views:

options {                               - Ubuntu stores options in /etc/bind/named.conf.options

       version "Bind";                 - Don't disclose real version to hackers

       directory "/var/named";

       allow-transfer { none; };       - Slave is not transfering updates to anyone else

       recursion no;

       auth-nxdomain no;               - conform to RFC1035. (default)

       fetch-glue no;                  - Bind 8 only! Not used by version 9

};

zone "localhost" {

       type master;

       file "/etc/bind/db.local";       - Ubutu: /etc/bind/db.local, Red Hat: /var/named/named.local

};

zone "0.0.127.in-addr.arpa" {

       type master;

       file "/etc/bind/db.127";

};



zone "your-domain.com"{

       type slave;         

       file "named.your-domain.com";   - Specify slaves/named.your-domain.com for RHEL4/5 chrooted bind

       masters { XXX.XXX.XXX.XXX; };   - IP address of primary DNS

};

zone "your-domain-2.com"{

       type slave;         

       file "named.your-domain-2.com";

       masters { XXX.XXX.XXX.XXX; };

};

view "external": (slave)

view    "external"

{

       match-clients           { any; };

       match-destinations      { any; };

       allow-transfer { none; };  - Slave does not transfer to anyone, slave receives

       recursion no;

       include "/etc/named.root.hints";



       zone "your-domain.com" {

               type slave;

               file "/var/named/slaves/external/named.your-domain.com";

               notify no;                  - Slave does not notify, slave is notified by master

               masters { XXX.XXX.XXX.XXX; }; - State IP of master server

       };

};

Note: RHEL4/5, CentOS 4/5, Fedora 3+ use chrooted directory structure permissions which require the use of the slaves subdirectory /var/named/slaves

Slave Zone Files: These are transfered from master to slave and chached by slave. There is no need to generate a zone file on the slave.

Additional Information:

[Potential Pitfall]: Ubuntu dapper/hardy - Path names used can not violate Apparmor security rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically named "/var/lib/bind/named.your-domain.com" as permitted by the security configuration.

[Potential Pitfall]: Ubuntu dapper/hardy - Create log file and set ownership and permission for file not created by installation:

touch /var/log/bindlog
chown root.bind /var/log/bindlog
chmod 664 /var/log/bindlog

[Potential Pitfall]: Error in /var/log/messages:

transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied

Named needs write permission on the directory containing the file. This condition often occurs for a new "slave" or "secondary" name server where the zone files do not yet exist.
The default (RHEL4/5, CentOS 4/5, Fedora Core 3+, ...):

drwxr-x--- 4 root named 4096 Aug 25 2004 named
drwxrwx--- 2 named named 4096 Sep 17 20:37 slaves

Fix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named/slaves with the directive:

file "slaves/named.your-domain.com";

Bind Defaults:

Uses port 53 if none is specified with the listen-on port statement.
Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on port 53, specify the following option statement in /etc/named.conf
query-source address * port 53;
query-source-v6 port 53;
Logging is to /var/log/messages

After the configuration files have been edited, restart the name daemon.

/etc/init.d/named restart

(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)

Bind zone transfers work best if the clocks of the two systems are synchronised. See the YoLinux SysAdmin Tutorial: Time and ntpd

File: /var/named/named.your-domain.com This is created for you by Bind on the slave (secondary) server when it replicates from Primary server.

DNS GUI configuration:

Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind
Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind

Test DNS:

Must install packages:

Red Hat / Fedora Core / SuSE: bind-utils
Ubuntu (dapper/hardy) / Debian: bind9-host

Test the name server with the host command in interactive mode:

   host  node.domain-to-test.com your-nameserver-to-test.domain.com

Note: The name server may also be specified by IP address.

Test the name server with the nslookup command in interactive mode:

   nslookup

  > server your-nameserver-to-test.domain.com

  > node.domain-to-test.com

  > exit

Test the MX record if appropriate:

   nslookup -querytype=mx domain-to-test.com

 

  OR



  host -t mx domain-to-test.com

Test using the dig command:

   dig @name-server domain-to-query



  OR



  dig @IP-address-of-name-server domain-to-query

Test your DNS with the following DNS diagnostics web site: DnsStuff.com

Extra logging to monitor Bind:

Add the following to your /etc/named.conf file.

logging {

       channel bindlog {

                          file "/var/log/bindlog"  versions 5 size 1m;     - Keep five old versions of the log-file (rotates logs)

                          print-time yes;

                          print-category yes;

                          print-severity yes;

                       };

/*      If you want to enable debugging, eg. using the 'rndc trace' command,

*      named will try to write the 'named.run' file in the $directory (/var/named).

*      By default, SELinux policy does not allow named to modify the /var/named directory,

*      so put the default debug log file in data/ :

*/

       channel default_debug {

               file "data/named.run";

               severity dynamic;

       };

       category xfer-out { bindlog; };         - Zone transfers

       category xfer-in  { bindlog; };         - Zone transfers

       category security { bindlog; };         - Approved/unapproved requests



//      The following logging statements, panic, insist and response-checks are valid for Bind 8 only. Do not user for version 9.

       category panic { bindlog; };            - System shutdowns

       category insist { bindlog; };           - Internal consistency check failures

       category response-checks { bindlog; };  - Messages

};

Chroot Bind for extra security:

Note: Most modern Linux distributions default to a "chrooted" installation. This technique runs the Bind name service with a view of the filesystem which changes the definition of the root directory "/" to a directory in which Bind will operate. i.e. /var/named/chroot.

The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.

The latest RedHat bind updates run the named as user "named" to avoid a lot of earlier hacker exploits. To chroot the process is to create an even more secure environment by limiting the view of the system that the process can access. The process is limited to the chrooted directory assigned.

The chroot of the named process to a directory under a given user will prevent the possibility of an exploit which at one time would result in root access. The original default RedHat configuration (6.2) ran the named process as root, thus if an exploit was found, the named process will allow the hacker to use the privileges of the root user. (no longer true)

Named Command Sytax:

   named -u user -g group -t directory-to-chroot-to

Example:

    named -u named -g named -t /opt/named

When chrooted, the process does not have access to system libraries thus a local lib directory is required with the appropriate library files - theoretically. This does not seem to be the case here and as noted above in chrooted FTP. It's a mystery to me but it works???? Another method to handle libraries is to re-compile the named binary with everything statically linked. Add -static to the compile options. The chrooted process should also require a local /etc/named.conf etc... but doesn't seem to???

Script to create a chrooted bind environment:



#!/bin/sh

cd /opt

mkdir named

cd named

mkdir etc

mkdir bin

mkdir var

cd var

mkdir named

mkdir run

cd ..

chown -R named.named bin etc var

You can probably stop here. If your system acts like a chrooted system should, then continue with the following:



cp -p /etc/named.conf etc

cp -p /etc/localtime  etc

cp -p /bin/false bin

echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd

echo "named:x:25:" > etc/group

touch  var/run/named.pid



if [ -f /etc/namedb ]

then

  cp -p /etc/namedb etc/namedb

fi



mkdir dev

cd dev



# Create a character unbuffered file.

mknod -m ugo+rw null c 1 3    



cd ..

chown -R named.named bin etc var

Add changes to the init script: /etc/rc.d/init.d/named

#!/bin/bash

#

# named           This shell script takes care of starting and stopping

#                 named (BIND DNS server).

#

# chkconfig: - 55 45

# description: named (BIND) is a Domain Name Server (DNS) \

# that is used to resolve host names to IP addresses.

# probe: true



# Source function library.

. /etc/rc.d/init.d/functions



# Source networking configuration.

. /etc/sysconfig/network



# Check that networking is up.

[ ${NETWORKING} = "no" ] && exit 0



[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named  - Added in Red Hat version 7.1



[ -f /usr/sbin/named ] || exit 0



[ -f /etc/named.conf ] || exit 0



RETVAL=0



start() {

       # Start daemons.

       echo -n "Starting named: "

       daemon named -u named -g named -t /opt/named   - Change made here

	RETVAL=$?

	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named

	echo

	return $RETVAL

}

stop() {

       # Stop daemons.

       echo -n "Shutting down named: "

       killproc named

	RETVAL=$?

	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named

       echo

	return $RETVAL

}

rhstatus() {

	/usr/sbin/ndc status

	return $?

}	

restart() {

	stop

	start

}	

reload() {

	/usr/sbin/ndc reload

	return $?

}

probe() {

	# named knows how to reload intelligently; we don't want linuxconf

	# to offer to restart every time

	/usr/sbin/ndc reload >/dev/null 2>&1 || echo start

	return $?

} 



# See how we were called.

case "$1" in

	start)

		start

		;;

	stop)

		stop

		;;

	status)

		rhstatus

		;;

	restart)

		restart

		;;

	condrestart)

		[ -f /var/lock/subsys/named ] && restart || :

		;;

	reload)

		reload

		;;

	probe)

		probe

		;;

	*)

       	echo "Usage: named {start|stop|status|restart|condrestart|reload|probe}"

		exit 1

esac



exit $?

Note: The current version of bind from the RedHat errata updates and security fixes (http://www.redhat.com/support/errata/) runs the named process as user "named" in the home (not chrooted) directory /var/named with no shell available. (named -u named) This should be secure enough. Proceed with a chrooted installation if your are paranoid.

See:

Securing DNS: How to use chroot bind features

Chrooted DNS configuration:

Modern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4) come preconfigured to use "chrooted" bind. This security feature forces even an exploited version of bind to only operate within the "chrooted" jail /var/named/chroot which contains the familiar directories:

/var/named/chroot/etc: Configuration files
/var/named/chroot/dev: devices used by bind:
- /dev/null
- /dev/random
- /dev/zero
(Real devices created with the mknod command.)
/var/named/chroot/var: Zone files and configuration information.

These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".

If building from source you will have to generate this configuration manually:

mkdir -p /var/named/chroot
mkdir /var/named/chroot/dev
mknod /var/named/chroot/dev/null c 1 3
mknod /var/named/chroot/dev/zero c 1 5
mknod /var/named/chroot/dev/random c 1 8
chmod 666 -R /var/named/chroot/dev
mkdir -p /var/named/chroot/etc
ln -s /var/named/chroot/etc/named.conf /etc/named.conf
mkdir -p /var/named/chroot/var/named
ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
...
mkdir -p /var/named/chroot/var/named/slaves
mkdir -p /var/named/chroot/var/named/data
mkdir -p /var/named/chroot/var/run
mkdir -p /var/named/chroot/var/tmp
chown -R named:named /var/named/chroot
chown -R root:named /var/named/chroot/var/named

Load Balancing of servers using Bind: DNS Round-Robin

This will populate name servers around the world with different IP addresses for your web server www.your-domain.com

            www0   IN  A       XXX.XXX.XXX.1

           www1   IN  A       XXX.XXX.XXX.2

           www2   IN  A       XXX.XXX.XXX.3

           www3   IN  A       XXX.XXX.XXX.4

           www4   IN  A       XXX.XXX.XXX.5

           www5   IN  A       XXX.XXX.XXX.6



           www    IN  CNAME   www0.your-domain.com.

                  IN  CNAME   www1.your-domain.com.

                  IN  CNAME   www2.your-domain.com.

                  IN  CNAME   www3.your-domain.com.

                  IN  CNAME   www4.your-domain.com.

                  IN  CNAME   www5.your-domain.com.

                  IN  CNAME   www6.your-domain.com.

Also see lbnamed: lbnamed load balancing named

Bind/DNS Links:

Internet Software Consortium (ISC) Home Page - ISC Bind Home
Bind FAQ, pitfalls and answers
Zytrax Bind 9 manual - Bind for rocket scientists
comp.protocols.tcp-ip.domains FAQ - HTML version
More on load balancing and round robin schemes
LDP DNS-HOWTO
ACME: DNS resources
DNS Security presentation - Cricket Liu (coauthor of DNS and Bind)
DNS Security Paper - Craig Rowland
GraniteCanyon.com: Free DNS hosting - If you don't want to set it up, have someone do it for you.
EveryDNS.net - Free DNS
DNS2GO - Domain hosting for DHCP clients.
Secondary.com - Free secondary names server hosting (five or fewer domains)
TZO.com - Dynamic, secondary DNS services.
UltraDNS.com - Outsourced DNS management and service
OpenDNS.com - Can allow forwarding to OpenDNS servers.
Add to "options" section: forwarders { 208.67.222.222; 208.67.222.220; };
DynDNS.org
Command: ipcheck.py -i eth0 DynDNS-user-id password node.dnsalias.net
Then add script update.dyndns.ip to directory /etc/cron.daily/ to update IP.
This host must also be allowed access through any firewall rules.
DynDNS/TODD - Dynamic DNS for those with dynamic IP addresses. (i.e. dial-up game servers etc.)

Domain name registration:

Domain Name Registrars:
- NetworkSolutions.com
- Register.com
- Registrar.GoDaddy.com - Domain name registration for only $8.95/year!!!
- Dotster.com - Domain name registration for only $14.95/year
- DomainsNext.com - $11.95/year
- EasyDNS.com - $25.00/year
- Aplus.net - Domain Registration $7.95/year - Not good
- Gandi.net - European
AfterNic.com - Domain name exchange and auction.
BuyDomains.com - Buy a domain name that a squatter is holding.

Note that the Name registrations policies for the registrars are stated at ICANN.org.

You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards.
Most free a domain name 30 days after it expires.

Web Server Load Balancing:

Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both. Multiple options are available for load balancing.

DNS round-robin: Discussed above, this uses DNS to point users to random server in a list of appropriate servers. This spreads the load among the servers in the list.
Use a Linux Virtual Server to Create a Load Balance Cluster. See next section below.
Run a reverse proxy. See nginx ("engine X"). From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).
Run the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse proxy, routing external traffic to various servers on an internal network.

Using a Linux Virtual Server to Create a Load Balance Cluster:

You can use a single Linux server to forward requests to a cluster of servers using iptables for IP masquerading and IPVsadm to scale your load. The load balancing server receiving and routing the requests is called the "Linux Virtual Server" (LVS). The LVS receives the requests which are passed to the real servers which process and reply to the request. This reply is forwarded to the client by the LVS.

This feature is available with the Linux 2.4/2.6 kernel. (If compiling kernel: Networking Options + IP: Virtual Server Configuration)

Configuration: This example will load balance http traffic to three web servers and ftp traffic to a fourth server.

Enable Forwarding: (Also see YoLinux Networking Tutorial: Enable Forwarding)
```
echo "1" > /proc/sys/net/ipv4/ip_forward

             
```
Enable IP Masquerading:
```
iptables -t nat -P POSTROUTING DROP

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

   
```
For more on IP Masquerading, iptables and subnet addresses, see the YoLinux network gateway tutorial.
Enable virtual server:
- Create virtual service and choose scheduler for http (80) and ftp (21):
```
ipvsadm -A -t 66.218.88.103:80 -s wlc

ipvsadm -A -t 66.218.88.103:21 -s wrr

   
```
  Command directives:
  - A: Add a virtual service defined by IP address, port number, and protocol.
  - -t: Use TCP service host:port
  - -s: scheduler:
    rr: Robin Robin: distributes jobs equally amongst the avail- able real servers.
    wrr: Weighted Round Robin.
    lc: Least-Connection: assigns more jobs to real servers with fewer active jobs.
    wlc: (Default) Weighted Least-Connection: assigns more jobs to servers with fewer jobs and relative to the real server's weight.
    lblc, lblcr, dh, sh, sed, nq. See man page.
- Configure load balancing cluser.
```
ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -m

ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2

ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -m

ipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m

   
```
  Command directives:
  - -r: Real server.
  - -m: Use masquerading also known as network address translation (NAT)
  - -w: Weight is an integer specifying the capacity of a server rela- tive to the others in the pool. The valid values of weight are 0 through to 65535. The default is 1.

Links:

LinuxVirtualServer.org
iptables - Administration tool for IPv4 packet filtering and NAT
ipvsadm - Administer the routing table on a Linux Virtual Server.

Managing Web Server Daemons:

To view if these services are running, type ps -aux and look for the httpd, inetd and named services (daemons). These are background processes necessary to perform the server tasks.

   root       681  0.0  0.5  2304  744 ?        S    Sep09   0:01 named

  nobody   28123  0.0  1.1  3036 1420 ?        S    Oct06   0:00 httpd

  nobody   28186  0.0  0.7  3044  896 ?        S    Oct06   0:00 httpd

  root       385  0.0  0.1  1136  232 ?        S    Sep09   0:00 inetd

A new installation will most likely NOT start the named background process which may be started manually after configuration.
See the YoLinux Init Process Tutorial for more information.
The inetd (or xinetd) background process is the Internet daemon which starts FTP when an ftp request is made.

Sys Admin Script:

Script to prepare an account: (Red Hat/Fedora)

#!/bin/sh

# Author Greg Ippolito

# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico  mwh-mini_tr.gif etc.

#           /opt/bin/ftponly

#   You must be root to run this script.

#

if [ $# -eq 0 ]

then

  echo "Enter user id as a command argument"

else if [ -r /home/$1 ]

then

  echo "User's home directory already exists"

else

  echo "1)  Create user."

  adduser -m $1



  echo "2)  Set user Password."

  passwd $1



  echo "3)  Add read access to user directory so apache can read it."

  cd /home

  chmod ugo+rx $1

  cd $1



  echo "4)  Create web directories."

  mkdir public_html

  chown $1.$1 public_html

  chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html

  cd public_html

  mkdir images

  chown $1.$1 images

  chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images



  # Block potential for unauthenticated logins

  cd ../

  touch .rhosts

  chmod ugo-xrw .rhosts



  echo "5)  Create default web page"

  sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html

  cp -p /opt/etc/AccountDefaults/favicon.ico .

  cp -p /opt/etc/AccountDefaults/default-logo.gif ./images

  cp -p /opt/etc/AccountDefaults/robots.txt .

  chown $1.$1 index.html favicon.ico robots.txt

  chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt

  chcon -R -h -t httpd_sys_content_t images/default-logo.gif



  echo "6)  Edit /etc/passwd file - change user shell to /opt/bin/ftponly"

  cp -p  /etc/passwd /etc/passwd-`date +%m%d%y`

  sed "/^$1/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd



#wu-ftp# Requires: /etc/ftpaccess guestuser restrict-uid

#wu-ftp#   echo "7)  Add user to /etc/ftpaccess file"

#wu-ftp#   cp -p  /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`

#wu-ftp#   sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess

#wu-ftp#   sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess

#wu-ftp#   echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess



  echo "7)  Add user to vsftpd chroot list

  cat `echo $1` >> /etc/vsftpd/vsftpd.chroot_list



  echo "8)  Setting Disk Quotas to default 50Mb limit:"

#  Use user johndoe as a prototype.

  edquota -p johndoe $1



  echo "9)  Admin Follow-up:"

  echo "     Modify quota.user if different than default"

  echo "     Make changes to Bind names services on dns1 and dns2 if necessary"

  echo "       Change /etc/http/conf/httpd.conf or

  echo "       add config to /etc/http/conf.d/ if using a new domain name"

  echo "       Add e-mail aliases to mail server if necessary"

fi

fiPrerequisites:

Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:
```
   rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd
```
RPMs added FC2+: system-config-httpd
RPMs added FC3+: httpd-suexec
Red Hat 9.0
```
   rpm -q httpd bind xinetd vsftpd
```
A Red Hat 8.0 wu-ftpd RPM may be installed (Newer version 2.6.2 or later with security fix wu-ftpd-2.6.2-11+) or install from source.
Red Hat 8.0
```
   rpm -q httpd bind xinetd wu-ftpd
```
Red Hat 7.x:
```
   rpm -q apache bind inetd wu-ftpd
```
Use wu-ftpd version 2.6.2 or later to avoid security problems.
SuSE 9.3:
```
   rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils vsftpd
```
Note: The apache2-MPM is a generic term for Apache installation options for "Multi-Processing Modules (MPM)s "prefork" or "worker". If you try and only install apache2 you will get the following error:
```
   apache2-MPM is needed by apache2-2.0.53-9
```
Also see Apache.org: MPMs

Ubuntu (dapper 6.06/hardy 8.04) / Debian:

   apt-get install apache2

  apt-get install apache2-common

  apt-get install apache2-mpm-prefork

  apt-get install apache2-utils

  apt-get install bind9

  apt-get install vsftpd

One should also have a working knowledge of the Linux init process so that these services are initiated upon system boot. See the YoLinux init process tutorial for more info.

Apache HTTP Web server configuration:

This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0). See the YoLinux list of Linux HTTP servers for a list of other web servers for the Hyper Text Transport Protocol.

The Apache configuration file is: /etc/httpd/conf/httpd.conf

Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:

Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5, CentOS 4/5: /var/www/html/
Red Hat 6.x and older: /home/httpd/html/
Suse 9.x: /srv/www/htdocs/
Ubuntu (dapper 6.06/hardy 8.04) / Debian: /var/www/html

Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for multiple domains. Serving for multiple domains may be achieved in two ways:

Virtual hosts: One IP address but multiple domains - "Name based" virtual hosting.
Multiple IP based virtual hosts: One IP address for each domain - "IP based" virtual hosting.

[Potential Pitfall] The default umask for directory creation is correct by default but if not use: chmod 755 /home/user1/public_html

For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.

Files used by Apache:

Start/stop/restart script:
- Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
- SuSE 9.3: /etc/init.d/apache2
- Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/init.d/apache2
Apache main configuration file:
- Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
- SuSE: /etc/apache2/httpd.conf
  (Need to add directive: ServerName host-name)
- Ubuntu (dapper 6.06/hardy 8.04) / Debian: /etc/apache2/apache2.conf
Apache suplementary configuration files:
- Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
- SuSE: /etc/apache2/conf.d/component.conf
- Ubuntu (dapper 6.06/hardy 8.04) / Debian:
  - Virtual domains: /etc/apache2/sites-enabled/domain
    (Create soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on. Use command a2ensite)
  - Additional configuration directives: /etc/apache2/conf.d/
  - Modules to load: /etc/apache2/mods-available/
    (Soft link to /etc/apache2/mods-enabled/ to turn on)
  - Ports to listen to: /etc/apache2/ports.conf
/var/log/httpd/access_log and error_log - Red Hat/Fedora Core Apache log files
(Suse: /var/log/apache2/)

Also Apache control tool: /usr/sbin/apachectl start

Apache Control Command: apachectl:

Red Hat / Fedora Core / CentOS: apachectl directive
Ubuntu dapper 6.06 / hardy 8.04 / Debian: apache2ctl directive

Directive	Description
start	Start the Apache httpd daemon. Gives an error if it is already running.
stop	Stops the Apache httpd daemon.
graceful	Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted.
restart	Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn't die.
status	Displays a brief status report.
fullstatus	Displays a full status report from mod_status. Requires mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
configtest -t	Run a configuration file syntax test.

Apache Configuration Files:

/etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file. See Apache online documentation for the full manual.
/etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache start-up. Used to store application specific configurations.
/etc/sysconfig/httpd: Holds environment variables used when starting Apache.

Basic settings: Change the default value for ServerName www.<your-domain.com>

Deny access completely to file system root ("/") as the default:

Deny first, then grant permissions:

  



  Options None

  AllowOverride None

Set default location of system web pages and allow access: (Red Hat/Fedora/CentOS)

  

DocumentRoot "/var/www/html"





  Options Indexes FollowSymLinks

  AllowOverride None

  Order allow,deny

  Allow from all

Grant access to a user's web directory: public_html

Enabling Red Hat / Fedora Linux, Apache public_html user directory access:

This will allow users to serve content from their home directories under the subdirectory "/home/userid/public_html/" by accessing the URL http://hostname/~userid/

File: /etc/httpd/conf/httpd.conf

LoadModule userdir_module modules/mod_userdir.so



...

...





   #UserDir disable             - Add comment to this line

   #

   # To enable requests to /~user/ to serve the user's public_html

   # directory, remove the "UserDir disable" line above, and uncomment

   # the following line instead:

   UserDir public_html          # Uncomment this line





...

...





   AllowOverride FileInfo AuthConfig Limit

   Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

   

       Order allow,deny

       Allow from all

   

   

       Order deny,allow

       Deny from all

 user1/public_html>

  AllowOverride None

  order allow,deny

  allow from all

  Options Indexes Includes FollowSymLinks

Allows the specific user, "user1" only, the ability to serve the directory /home/user1/public_html/

Also use SELinux command to set the security context: setsebool httpd_enable_homedirs true

Enabling Ubuntu's Apache public_html user directory access:
Ubuntu has broken out the Apache loadable module directives into the directory /etc/apache2/mods-available/. To enable an Apache module, generate soft links to the directory /etc/apache2/sites-enabled/ by using the commands a2enmod/a2dismod to enable/disable Apache modules.
Example:
- [root@node2]# a2enmod
  A list of available modules is displayed. Enter "userdir" as the module to enable.
- Restart Apache with the following command: /etc/init.d/apache2 force-reload
Note: This is the same as manually generating the following two soft links:
- ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf
- ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load
Man page: a2enmod/a2dismod
[Potential Pitfall]: If the Apache web server can not access the file you will get the error "403 Forbidden" "You don't have permission to access file-name on this server." Note the default permissions on a user directory when first created with "useradd" are:

drwx------ 3 userx userx
You must allow the web server running as user "apache" to access the directory if it is to display pages held there.
Fix with command: chmod ugo+rx /home/userx
drwxr-xr-x 3 userx userx

SELinux security contexts:

The system enables/disables SELinux policies in the file /etc/selinux/config
SELinux can be turned off by setting the directive SELINUX. (Then reboot the system):

SELINUX=disabled

or using the command setenforce 0 to temporarily disable SELinux until the next reboot.

Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html
Options:

-R: Recursive. Files and directories in current directory and all subdirectories.
-h: Affect symbolic links.
-t: Specify type of security context.

Use the following security contexts:

Context Type	Description
`httpd_sys_content_t`	Used for static web content. i.e. HTML web pages.
`httpd_sys_script_exec_t`	Use for executable CGI scripts or binary executables.
`httpd_sys_script_rw_t`	CGI is allowed to alter/delete files of this context.
`httpd_sys_script_ra_t`	CGI is allowed to read or append files of this context.
`httpd_sys_script_ro_t`	CGI is allowed to read files and directories of this context.

Set the following options: setsebool httpd-option true
(or set to false)

Policy	Description
`httpd_enable_cgi`	Allow httpd cgi support.
`httpd_enable_homedirs`	Allow httpd to read home directories.
`httpd_ssi_exec`	Allow httpd to run SSI executables in the same domain as system CGI scripts.

Then restart Apache:

Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
Red Hat/Fedora: service httpd restart

The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans

For more on SELinux see the YoLinux Systems Administration tutorial.

Virtual Hosts:

Name based virtual host: (most common) A single computer with a single IP adress supporting multiple web domains. The web browser using the http protocol, identifies the domain being addressed.
IP based virtual host: The virtual hosts can be configured as a single multi-homed computer with multiple IP addresses on a single network card, with each IP address representing a different web domain. This has the appearance of a web domain supported by a dedicated computer because it has a dedicated IP address.

Configuring a "name based" virtual host:

A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a dedicated linux server which hosts a single web site.)

NameVirtualHost XXX.XXX.XXX.XXX



XXX.XXX.XXX.XXX>

  ServerName www.your-domain.com          - CNAME (bind DNS alias www) specified in Bind configuration file (/var/named/...)

  ServerAlias your-domain.com             - Allows requests by domain name without the "www" prefix.

  ServerAdmin user1@your-domain.com

  DocumentRoot /home/user1/public_html

  ErrorLog logs/your-domain.com-error_log

  TransferLog logs/your-domain.com-access_log

Notes:

You can specify more than one IP address. i.e. if web server is also being used as a firewall/gateway and you have an external internet IP address as well as a local network IP address.

NameVirtualHost XXX.XXX.XXX.XXX

NameVirtualHost 192.168.XXX.XXX



XXX.XXX.XXX.XXX 192.168.XXX.XXX>

  ...

  ..

See the YoLinux Tutorial on configuring a network gateway/firewall using iptables and NAT.

Use your IP address for XXX.XXX.XXX.XXX, actual domain name and e-mail address.
One can use DNS views to provide different local network DNS results.
Note that I configure Apache for both requests http://www.domain-name.com and http://domain-name.com.

Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a virtual domain.





  ...  This part remains the same

  ..







# Default for when no domain name is given (i.e. access by IP address)



*:80>

  ServerAdmin user1@your-domain.com

  DocumentRoot /var/www/html

  ErrorLog logs/error_log

  TransferLog logs/access_log





# Add a VirtualHost definition for your domain which was once the system default.



XXX.XXX.XXX.XXX>

  ServerName www.your-domain.com

  ServerAlias your-domain.com

  ServerAdmin user1@your-domain.com

  DocumentRoot /var/www/html

  ErrorLog logs/error_log

  TransferLog logs/access_log





  ...

  ..

XXX.XXX.XXX.XXX>

  ServerName www.your-domain.com   - Note that no aliases are listed

  ...

  ...





# Add a VirtualHost definition to forward to your primary URL



XXX.XXX.XXX.XXX>

  ServerName your-domain.com

  ServerAlias other-domain.com

  ServerAlias www.other-domain.com

  Redirect permanent / http://www.your-domain.com.com/





  ...

  ..

Note:

See the YoLinux.com Apache "Redirect" Tutorial

More virtual host examples.

When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a "NameVirtualHost" for each IP address.

After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu / Debian)

Apache virtual domain configuration with Ubuntu Dapper/Hardy:

Example: /etc/apache2/sites-available/supercorp

XXX.XXX.XXX.XXX>

       ServerName supercorp.com

       ServerAlias www.supercorp.com

       ServerAdmin webmaster@localhost



       DocumentRoot /home/supercorp/public_html/home

       

               Options FollowSymLinks

               AllowOverride None

       

       

               Options Indexes FollowSymLinks MultiViews

               IndexOptions SuppressLastModified SuppressDescription

               AllowOverride All

               Order allow,deny

               allow from all

       



       ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/

       

               AllowOverride None

               Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

               Order allow,deny

               Allow from all

       



       ErrorLog /var/log/apache2/supercorp.com-error.log



       # Possible values include: debug, info, notice, warn, error,

       # crit, alert, emerg.

       LogLevel warn

       CustomLog /var/log/apache2/supercorp.com-access.log combined

       ServerSignature On

Enable domain:

Create soft link:
- Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2/sites-enabled/supercorp
- Use Ubuntu scripts a2ensite/a2dissite. Type command and it will prompt you as to which site you would like to enable or disable.
Restart Apache:
- apache2ctl graceful
  or
- /etc/init.d/apache2 restart
  or
- /etc/init.d/apache2 reload

Also note that Apache modules can also be enabled/disabled with scripts a2enmod/a2dismod.

Man pages:

a2ensite/a2dissite (Ubuntu: Apache 2 enable/disable site)
apache2ctl

Configuring an "IP based" virtual host:

  

NameVirtualHost *              - Indicates all IP addresses



*>

  ServerAdmin user0@default-domain.com

  DocumentRoot /home/user0/public_html





XXX.XXX.XXX.101>

  ServerAdmin user1@domain-1.com

  DocumentRoot /home/user1/public_html





XXX.XXX.XXX.102>

  ServerAdmin user1@domain-2.com

  DocumentRoot /home/user2/public_html

The default block will be used as the default for all IP addresses not specified explicitly. This default IP (*) may not work for https URL's.

CGI: (Common Gateway Interface)

CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by either of two configuration file directives:

ScriptAlias:
- Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
- Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
- Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
- Ubuntu (dapper/hardy) / Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
or
Options +ExecCGI:
Options +ExecCGI

The executable program files must have execute privileges, executable by the process owner (Red Hat 7+/Fedora Core: apache. Older use nobody) under which the httpd daemon is being run.

Configuring CGI To Run With User Privileges:

   NameVirtualHost XXX.XXX.XXX.XXX



  XXX.XXX.XXX.XXX>

  ServerName node1.your-domain.com                         - Allows requests by domain name without the "www" prefix.

  ServerAlias your-domain.com www.your-domain.com          - CNAME (alias www) specified in Bind configuration file (/var/named/...)

  ServerAdmin user1@your-domain.com

  DocumentRoot /home/user1/public_html/your-domain.com

  ErrorLog logs/your-domain.com-error_log

  TransferLog logs/your-domain.com-access_log



  SuexecUserGroup user1 user1

  user1/public_html/your-domain.com/>

     Options +ExecCGI +Indexes

     AddHandler cgi-script .cgi

ERROR Pages:

You can specify your own web pages instead of the default Apache error pages:

   ErrorDocument 404 /Error404-missing.html

Create the file Error404-missing.html in your "DocumentRoot" directory.

PHP:

If the appropriate php, perl and httpd RPM's are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM Packages (RHEL4):

php: HTML-embedded scripting language
php-pear: PEAR is a framework and distribution system for reusable PHP components.
php-mysql: MySQL database support.
php-ldap: Lightweight Directory Access Protocol (LDAP) support

Apache configuration:

Add php default page index.php to apache config file: /etc/httpd/conf/httpd.conf

...



DirectoryIndex index.html index.htm index.php



...

PHP Configuration File:

RHEL4 - PHP 4.3: /etc/php.ini
Ubuntu Daper 6.06/6.11: /etc/php5/apache2/php.ini

[PHP]

engine = On

...

...

display_errors = Off

include_path = ".:/php/includes"

...

...

memory_limit = 32M   ; Default is typically 8MB which is too low.

...

...



[MySQL]

...

...

mysql.default_host = superserver    ; Hostname of the computer

mysql.default_user = dbuser

...

Small portion of file shown.
Note that changes will not take effect until the apache web server daemon is restarted.

Test you PHP capabilities with this test file: /home/user1/public_html/test.php

  phpinfo();

?>

OR (older format)

  phpinfo();

?>

Test: http://localhost/~user1/test.php

For more info see YoLinux list of PHP information web sites.

Running Multiple instances of `httpd`:

Apache Man Pages:

httpd - Apache Hypertext Transfer Protocol Server
apachectl - Apache HTTP Server Control Interface
ab - Apache HTTP server benchmarking tool
htdigest - manage user files for digest authentication
htpasswd - Manage user files for basic authentication
logresolve - Resolve IP-addresses to hostnames in Apache log files
rotatelogs - Piped logging program to rotate Apache logs

Also see the local online Apache configuration manual: http://localhost/manual/.

Apache Red Hat / Fedora Core GUI configuration:

GUI configuration tool:

Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-httpd
Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd

Adding web site login and password protection: See the YoLinux tutorial on web site password protection.

Log file analysis:

Analog - Also see Report Magic for Analog
Webalizer
AWStats - (requires PERL)

Web site statistic services:

eXTReMe Tracking

Load testing your server:

PureLoad - JAVA load testing and reporting tool.
WebPerformance Trainer - Load Testing Tools.

Apache Links:

CgiWrap - setuid wrapper that allows users to install and execute their own cgi scripts that get executed as their own userid
Thumbprint - CGI for viewing a directory of images as thumbnails
WWWThreads.org - Commercial product - Advanced Web Conferencing Software
Configuring https (mod_ssl):

Log file analysis using Analog:

Installation:

Red Hat / Fedora: yum install analog
Ubuntu / Debian: apt-get install analog

Installation packages also available from the Analog downloads page.

Configuration file: /etc/analog.cfg

LOGFILE /var/log/httpd/your-domain.com-access_log* http://www.your-domain.com

UNCOMPRESS *.gz,*.Z "gzip -cd"

SUBTYPE *.gz,*.Z

#

OUTFILE /home/user1/public_html/analog/Report.html

#

HOSTNAME "YourDomain.com"

HOSTURL  http://www.your-domain.com



....

...

..



REQINCLUDE pages                  # Request page stats only

ALL ON

LANGUAGE US-ENGLISH

One can view the settings which be used with your configuration file (also good for debugging): analog -settings

Make Analog images available to the users report: ln -s /usr/share/analog/images/* /home/user1/public_html/analog

Log file location:

Red Hat / Fedora: /var/log/httpd/
Ubuntu / Debian: /var/log/apache2/

The Directive ALL ON turns on all of the following:

Analog Directive	Description
`MONTHLY ON`	one line for each month
`WEEKLY ON`	one line for each week
`DAILYREP ON`	one line for each day
`DAILYSUM ON`	one line for each day of the week
`HOURLYREP ON`	one line for each hour of the day
`GENERAL ON`	the General Summary at the top
`REQUEST ON`	which files were requested
`FAILURE ON`	which files were not found
`DIRECTORY ON`	Directory Report
`HOST ON`	which computers requested files
`ORGANISATION ON`	which organisations they were from
`DOMAIN ON`	which countries they were in
`REFERRER ON`	where people followed links from
`FAILREF ON`	where people followed broken links from
`SEARCHQUERY ON`	the phrases and words they used...
`SEARCHWORD ON`	...to find you from search engines
`BROWSERSUM ON`	which browser types people were using
`OSREP ON`	and which operating systems
`FILETYPE ON`	types of file requested
`SIZE ON`	sizes of files requested
`STATUS ON`	number of each type of success and failure

Cron job to handle multiple domains: /etc/cron.daily/analog

#!/bin/sh

cp /opt/etc/analog-domain1.com.cfg      /etc/analog.cfg

/usr/bin/analog

cp /opt/etc/analog-domain2.com.cfg      /etc/analog.cfg

/usr/bin/analog



...

Links:

Measuring Web Server Performance:

See the YoLinux.com web server benchmarking tutorial.

FTPd and FTP user account configuration:

FTPd and SELinux: To allow FTPd daemon access to users home directories: setsebool -P ftp_home_dir 1
Follow with the command service vsftpd restart

FTPd configuration tutorials:

# vsFTPd: Configuration
# WU-FTPd: Configuration
# FTP Clients: Links

vsFTPd and FTP user account configuration:

The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by Suse and OpenBSD as well. This is currently the recomended FTP daemon for use on FTP servers.

Enable vsftpd:

Red Hat/Fedora Core/CentOS: VsFTPd is a stand alone service and by the default Fedora Core installation, not controlled by xinetd as is the wu-ftpd default installation.
Thus start service: service vsftpd start (or: /etc/init.d/vsftpd start)
Configure vsftpd to start upon system boot: chkconfig --add vsftpd
SuSE: By default, the vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change:
disable = yes
to:
disable = no
Restart the xinetd daemon: /etc/init.d/xinetd restart
Note: vsftpd can also be run as a stand-alone service to achieve a faster response time.
Ubuntu (dapper/hardy) / Debian:
- Install: apt-get install vsftpd
- VsFTPd is a stand alone service.
  - Start: /etc/init.d/vsftpd start
  - Stop: /etc/init.d/vsftpd stop
  - Restart: /etc/init.d/vsftpd restart
    (Use this command after making configuration file changes)

For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the Linux init process and service activation.

Configuration files:

vsFTPd configuration file:

Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf
S.u.S.e. / Ubuntu (dapper/hardy) / Debian: /etc/vsftpd.conf

Default for Fedora Core 3:

anonymous_enable=YES - Anonymous FTP allowed by default if you comment this out. Default directory used: /var/ftp

local_enable=YES - Uncomment this to allow local users to log in with FTP.

Must also set SELinux boolean: setsebool -P ftp_home_dir 1

write_enable=YES - Uncomment this to enable any form of FTP write or upload command.

local_umask=022 - Default is 077. Umask 022 is used by most other ftpd's.

#anon_upload_enable=YES - Uncomment to allow the anonymous FTP user to upload files.

Requires the above global write enabled. Directory must also be writable by user.

#anon_mkdir_write_enable=YES - Uncomment this to allow the anonymous FTP user to be able to create new directories.

dirmessage_enable=YES - Activate directory messages.

Messages given to remote users when they enter certain directories

xferlog_enable=YES - Activate logging of uploads/downloads.

connect_from_port_20=YES - PORT transfer connections originate from port 20 (ftp-data)

#chown_uploads=YES - Uploaded anonymous files set to a specified owner. (not root)

#chown_username=whoever

#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log

xferlog_std_format=YES - Output to log file in standard ftpd xferlog format

#idle_session_timeout=600 - Set timing out for an idle session.

#data_connection_timeout=120 - Set timing out for an idle data connection. Port 20

#nopriv_user=ftpsecure - Run ftp server as an isolated and unprivileged user.

# Enable this and the server will recognise asynchronous ABOR requests. Not

# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.

#async_abor_enable=YES

#ascii_upload_enable=YES - Improve performance by disabling ASCII mode. Disables command "ascii" and "SIZE /big/file".

#ascii_download_enable=YES

#ftpd_banner=Welcome to YoLinux - Customize the login banner string.

#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.

#banned_email_file=/etc/vsftpd.banned_emails (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)

#chroot_list_enable=YES - List users chroot()'d to their home directory. If "NO", list users not chroot()'d.

#chroot_list_file=/etc/vsftpd.chroot_list (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)

ls_recurse_enable=YES - Allow "ls -R" recursive directory list. Default is disabled.

pam_service_name=vsftpd

userlist_enable=YES - (Ubuntu Default) Deny users specified in file /etc/vsftpd.user_list

If "userlist_enable=NO" then allow specified users.

Red Hat: /etc/vsftpd/user_list

#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.

listen=YES - Enable for standalone mode as opposed to an xinetd service.

Must set SELinux boolean: setsebool -P ftpd_is_daemon 1

tcp_wrappers=YES

Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)

[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:

directive=XXX # comment

vsftp.conf man page

Specify list of local users chrooted to their home directories:
- Red Hat: /etc/vsftpd/vsftpd/chroot_list
- Ubuntu: /etc/vsftpd/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)
user1
user2
...
user-n
If userlist_enable=NO, then specify users not to be chroot'd..
Specify list of users:
- Red Hat: /etc/vsftpd/user_list
- Ubuntu: /etc/vsftpd.user_list
(Deny list of users requires: userlist_enable=YES)
Also see PAM configuration below.
root
bin
daemon
adm
lp
sync
shutdown
halt
...
If userlist_enable=NO, then specify valid users.

PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd

#%PAM-1.0

auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed

auth       required     pam_stack.so service=system-auth

auth       required     pam_shells.so

account    required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth

This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is independent of vsftpd configuration.

PAM authentication configuration file: ftpusers

Red Hat: /etc/vsftpd/ftpusers
Ubuntu: /etc/vsftpd.ftpusers

root

bin

daemon

adm

lp

sync

shutdown

halt

...

...

...

user6     - Users to deny

user8

...

...

Logrotate configuration file: /etc/logrotate.d/vsftpd.log

/var/log/xferlog {

   # ftpd doesn't handle SIGHUP properly

   nocompress

   missingok

}

Sample vsFTPd configurations:

Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf

# Access rights

anonymous_enable=YES          - Turn on anonymous FTP

chown_uploads=YES             - Uploaded files owned by an assigned user

chown_username=ftp            - Uploaded files owned by this assigned user

local_enable=NO

write_enable=NO               - No upload of files system changes allowed

anon_upload_enable=NO

anon_mkdir_write_enable=NO

anon_other_write_enable=NO

# Security

anon_world_readable_only=YES

connect_from_port_20=YES

force_dot_files=NO

guest_enable=NO

hide_ids=YES

pasv_min_port=50000

pasv_max_port=60000

# Features

xferlog_enable=YES

ls_recurse_enable=NO

ascii_download_enable=NO

async_abor_enable=YES

# Performance

one_process_model=NO

idle_session_timeout=120

data_connection_timeout=300

accept_timeout=60

connect_timeout=60

max_per_ip=4

anon_max_rate=50000



pam_service_name=vsftpd

userlist_enable=YES

#enable for standalone mode

listen=YES

tcp_wrappers=YES

Web hosting configuration: /etc/vsftpd/vsftpd.conf

# Access rights

anonymous_enable=NO

local_enable=YES                              - Allow users to ftp to their home directories

write_enable=YES                              - Allow users to STOR,  DELE, RNFR, RNTO, MKD, RMD, APPE and SITE

local_umask=022

# Security

connect_from_port_20=YES

force_dot_files=NO

guest_enable=NO                               - Don't remap user name

ftpd_banner=Welcome to Super Duper Hosting    - Customize the login banner string.

chroot_local_user=YES                         - Limit user to browse their own directory only

chroot_list_enable=YES                        - Enable list of system / power users

chroot_list_file=/etc/vsftpd.chroot_list      - Actual list of system / power users

hide_ids=YES

pasv_min_port=50000

pasv_max_port=60000

# Features

xferlog_enable=YES

ls_recurse_enable=NO

ascii_download_enable=NO

async_abor_enable=YES

dirmessage_enable=YES                         - Message greeting held in file .message or specify with message_file=...

# Performance

one_process_model=NO

idle_session_timeout=120

data_connection_timeout=300

accept_timeout=60

connect_timeout=60

max_per_ip=4

#

pam_service_name=vsftpd

userlist_enable=YES

#enable for standalone mode

listen=YES

tcp_wrappers=YES

Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
Ubuntu typically: /etc/vsftpd.chroot_list
(Requires: chroot_list_enable=YES)

user1

user2

...

user-n

If userlist_enable=NO, then specify users not to be chroot'd..

[Potential Pitfall]: Mispelling a directive will cause vsftpd to fail with little warning.

File: .message

A NOTE TO USERS UPLOADING FILES:

  File names may consist of letters (a-z, A-Z), numbers (0-9),

  an under score ("_"), dash ("-") or period (".") only.

  The file name may not begin with a period or dash.

Test if vsftp is listening: netstat -a | grep ftp

[root]# netstat -a | grep ftp

tcp        0      0 *:ftp                       *:*                         LISTEN

Links:

WU-FTPd and FTP user account configuration:

The wu-ftpd FTP server can be downloaded (binary or source) from it's home page at http://wu-ftpd.org.

There are three kinds of FTP logins that wu-ftpd provides:

anonymous FTP - one logs in with the username 'anonymous'
real FTP - log in with a real username and password and has access to the entire disk structure.
guest FTP - one logs in with a real user name and password, but the user is chroot'ed to his home directory and cannot escape from it. They are constrained to their home directory which also means that they don't have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be set up.

This tutorial covers "guest" FTP configuration.

The file /etc/ftpaccess controls the configuration of ftp.

   # Don't allow system accounts to log in over ftp

  deny-uid %-99 %65534-

  deny-gid %-99 %65534-



  class   all   real,guest  *

  email webmaster@your-domain.com

  loginfails 5



  readme  README*    login

  readme  README*    cwd=*

  message /welcome.msg            login

  message .message                cwd=*



  compress        yes             all

  tar             yes             all

  chmod           no              guest,anonymous

  delete          no              anonymous    # delete files permission?

  overwrite       no              anonymous    # overwrite files permission?

  rename          no              anonymous    # rename files permission?

  delete          yes             guest        # delete files permission?

  overwrite       yes             guest        # overwrite files permission?

  rename          yes             guest        # rename files permission?

  umask           no              guest        # umask permission?



  log transfers anonymous,real inbound,outbound



  shutdown /etc/shutmsg



  passwd-check rfc822 warn



  # Must also create message file /etc/pathmsg of the guest directory.

  # In this case it refers to /home/user1/public_html/etc/pathmsg.

  path-filter  guest /etc/pathmsg  ^[-A-Za-z0-9_\.]*$  ^\.  ^-

  limit all 2

  noretrieve passwd .htaccess core    - Do not allow users to download files of these names

  limit-time * 20

  byte-limit in 5000                  - Limit file size

  guestuser *      - Set system user default to be categorized as a "guest". A "real" user can roam the system. Guestuser is chrooted.

  realgroup regularuserx regularusery - Assign real user privileges to members of groups "regularuserx" and "regularusery".

                                        Visibility of the whole file system and subject to regular UNIX file permissions

  realuser user4                      - Assign real user privileges to user id "user4". 



  restricted-uid user1 user2 user3    - Restricts FTP to the specified directories

  guest-root /home/user1/public_html user1

  guest-root /home/user2/public_html user2

  guest-root /home/user3/public_html user3

Note:

user1, user2 and user3 refer to login accounts. Use the appropriate login name.
The above configuration disables anonymous FTP which allows anyone to perform an FTP login with the id anonymous and an email address as a password. To enable anonymous FTP, change the class directive to:

class all real,guest,anonymous *
GUI FTP configuration tools:
- /usr/bin/kwuftpd
- /sbin/linuxconf
  (Note: Linuxconf is no longer included with Red Hat 7.3 and later)
Red Hat Linux assigns users a user id and group id which is the same. This means that it does not matter if you use a realuser or realgroup directive as they will act the same.
Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections. Thus xinetd must be running and configured to support ftp. The configuration file is /etc/xinetd.d/wu-ftpd. The command chkconfig wu-ftpd on will make the ftp server available. See xinet configuration for more info.

Allow overide of deny-uid and/or deny-gid:

     allow-uid user-to-allow

    allow-gid group-to-allow

Optional configuration:
- Create a group ftpchroot
- Add users to this group
- Use directive: guestgroup ftpchroot

File /home/user1/public_html/etc/pathmsg:

   A NOTE TO USERS UPLOADING FILES:

  File names may consist of letters (a-z, A-Z), numbers (0-9),

  an under score ("_"), dash ("-") or period (".") only.

  The file name may not begin with a period or dash.

  You have tried to upload a file with an inappropriate name.

As root:

   cd /home/user1

  mkdir public_html

  chown $1.$1 public_html

  touch .rhosts             - Security protection

  chmod ugo-xrw .rhosts

Man Pages:

Server:

ftpd - Internet File Transfer Protocol server

File Formats:

/etc/ftpaccess - Configuration file for ftpd
/etc/ftpservers - ftpd virtual hosting configuration file. (optional)
/etc/ftphosts - allow or deny access to certain accounts from various hosts. (optional)
/etc/ftpconversions - ftpd conversions database (for tar and compression)
/var/log/xferlog - FTP server logfile
ftp - File Transfer Client program

Configuration files: (RH 8.0+)

PAM configuration file: /etc/pam.d/ftp

#%PAM-1.0

auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

auth       required     pam_stack.so service=system-auth

auth       required     pam_shells.so

account    required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth

Xinetd configuration file: /etc/xinetd.d/wu-ftpd

service ftp

{

       disable = no

       socket_type             = stream

       wait                    = no

       user                    = root

       server                  = /usr/sbin/in.ftpd

       server_args             = -l -a

       log_on_success          += DURATION USERID

       log_on_failure          += USERID

       nice                    = 10

}

Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd.

Logrotate configuration file: /etc/logrotate.d/ftpd
/var/log/xferlog {
nocompress
}

More information:

WU-FTPD Development Group Home Page
More resources
Academ Consulting
FTP FAQ - Koos van den Hout's
dkftpbench - FTP benchmark program to give you an idea as to how many simultaneous dialup clients a server can support.
FTP and text file type conversions: End Of Line Characters - by Peter Benjamin
Chrooted sftp (ssl) project

Man pages on related FTP commands and files:

chroot - Run with a special root directory
ftpcount - Show number of concurrent users.
ftpshut - close down the ftp servers at a given time
ftprestart - Restart previously shutdown ftp servers
ftpwho - show current process information for each ftp user
privatepw - Change WU-FTPD Group Access File Information (admin command)

Other FTP daemons:

FTP4All
CrushFTP - Java/cross platform
WS_FTP

FTP Pitfalls:

If you get the following error:

ftp> ls

227 Entering Passive Mode (208,188,34,109,208,89)

ftp: connect: No route to host

This means you have firewall issues most probably on the FTP server itself. Start by removing the firewall "iptables" rules: iptables -F Add rules until you discover what is causing the problem.

Passive mode:

Passive mode can also help one past the rules:

ftp> passive

Passive mode on.

This toggles passive mode on and off. When on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters pasv_min_port and pasv_max_port

Firewall connection tracking module:

# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp

IPTABLES_MODULES="ip_conntrack_ftp"

NAT firewall modules:

You can also try adding ip_nat_ftp to the list of autoloaded modules: (This will also load the dependancy: ip_conntrack_ftp.)

# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp

IPTABLES_MODULES="ip_nat_ftp"

Then restart the firewall: /etc/init.d/iptables condrestart

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

FTP fails because it can not change to the users home directory:

Error:

[user1@nodex ~]$ ftp node.domain.com

Connected to XXX.XXX.XXX.XXX.

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (XXX.XXX.XXX.XXX:user1):

331 Please specify the password.

Password:

500 OOPS: cannot change directory:/home/user1

Login failed.

ftp> bye

Test your vsftpd SELinux settings: getsebool -a | grep ftp

allow_ftpd_anon_write --> off

allow_ftpd_full_access --> off

allow_ftpd_use_cifs --> off

allow_ftpd_use_nfs --> off

allow_tftp_anon_write --> off

ftp_home_dir --> on

ftpd_disable_trans --> off

ftpd_is_daemon --> on

httpd_enable_ftp_server --> off

tftpd_disable_trans --> off

FTPd SELinux man page

FTP Linux clients:

kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with S.U.S.e. Linux.
gftp: GUI GTK+ Multithreaded client. File transfer directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.
ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)

Basic user security:

Disable remote telnet login access allowing FTP access only:

Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.

...

user1:x:502:503::/home/user1:/opt/bin/ftponly

...

Create file: /opt/bin/ftponly.
Protection set to -rwxr-xr-x 1 root root
with the command: chmod ugo+x /opt/bin/ftponly
Contents of file:

   #!/bin/sh

#

# ftponly shell

#

trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15

#

Admin=root@your-domain.com

#System=`/bin/hostname`@`/bin/domainname`

#

/bin/echo

/bin/echo "********************************************************************"

/bin/echo "    You are NOT allowed interactive access."

/bin/echo

/bin/echo "     User accounts are restricted to ftp and web access."

/bin/echo

/bin/echo "  Direct questions concerning this policy to $Admin."

/bin/echo "********************************************************************"

/bin/echo

#

# C'ya

#

exit 0

The last step is to add this to the list of valid shells on the system.
Add the line /opt/bin/ftponly to /etc/shells.

Sample file contents: /etc/shells

/bin/bash

/bin/bash1

/bin/tcsh

/bin/csh

/opt/bin/ftponly

See man page on /etc/shells.

Set file quotas to limit user account.

For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial

Domain Name Server (DNS) configuration using Bind version 8 or 9:

Two of the most popular ways to configure the program Bind (Berkeley Internet Domain software) to perform DNS services is in the role of (1) ISP or (2) Web Host.

In an ISP configuration for clients (web surfers) conected to the internet, the DNS server must resolve IP addresses for any URL the user wishes to visit. (See DNS caching server)
In a purely web hosting configuration, Bind will only resolve for the IP addresses of the domains which are being hosted. This is the configuration which will be discussed and is often called an "Authoritative-only Nameserver".

Installation Packages:

Red Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind
- bind-chroot: Security jail for operation of bind.
- bind-utils: Utility commands like nslookup, host, dig
- system-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).
- caching-nameserver: We will not be covering this as it is not required for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting.
Ubuntu (dapper/hardy) / Debian: bind9

Configuration files:

Red Hat / Fedora / CentOS:

File	Description	Directory	Chrooted Directory
named.conf	Primary/Secondary DNS server configuration. (See default file `/usr/share/doc/bind-9.X.X/sample/etc/named.conf`)	/etc/	/var/named/chroot/etc/
named.root.hints	Configuration for recursive service. Required for all zones. (See default file `/usr/share/doc/bind-9.X.X/sample/etc/named.root.hints`)	/etc/	/var/named/chroot/etc/
named	Red Hat system variables.	/etc/sysconfig/	no change
rndc.key	Primary/Secondary DNS server configuration.	/etc/	/var/named/chroot/etc/
Zone files	Configuration files for each domain. Create this file to resolve host name internet queries i.e. define IP address of web (www) and mail servers in the domain.	/var/named/	/var/named/chroot/var/named/

Debian / Ubuntu:

File	Description	Directory	Chrooted Directory
named.conf named.conf.options named.conf.local	Primary/Secondary DNS server configuration.	/etc/bind/	/var/bind/chroot/etc/bind/
rndc.key	Primary/Secondary DNS server configuration.	/etc/	/var/bind/chroot/etc/
Zone files	Configuration files for each domain.	/var/bind/data/	/var/bind/chroot/var/bind/data/

Primary server (master):

File: named.conf

Simple example: (no views)

options {                                     - Ubuntu stores options in /etc/bind/named.conf.options

       version "Bind";                       - Don't disclose real version to hackers

       directory "/var/named";               - Specified so relative path names can be used. Full path names still allowed.

       allow-transfer { XXX.XXX.XXX.XXX; };  - IP address of secondary DNS

       recursion no;

       auth-nxdomain no;                     - conform to RFC1035. (default)

       fetch-glue no;                  - Bind 8 only! Not used by version 9

};



zone "localhost" {

       type master;

       file "/etc/bind/db.local";

};

zone "0.0.127.in-addr.arpa" {

       type master;

       file "/etc/bind/db.127";

};



zone "your-domain.com"{                 - Ubuntu separates the zone definitions into /etc/bind/named.conf.local 

       type master;                    - Specify master, slave, forward or hint

       file "data/named.your-domain.com";

       notify yes;                     - slave servers are notified when the zone is updated.

       allow-update { none; };         - deny updates from other hosts (default: none)

       allow-query { any; };           - allow clients to query this server (default: any)

};

zone "your-domain-2.com"{

       type master;

       file "data/named.your-domain-2.com";

       notify yes;

};

Note:

The omission of zone ".". Required if providing a recursive service.
Ubuntu includes the separated file of zone directives using the directive:
include "/etc/bind/named.conf.local";

BIND Views: The BIND naming service can support "views" which allow various sub-networks (i.e. private internal or public external networks) to have a different domain name resolution result.

If no views are specified then use the configuration shown above.
The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement.
If even one view is specified, then ALL zones MUST be associated with a "view".
Bind 9 allows for views which allow different zones to be served to different types of clients, localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "internal" and "external":
- localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf
- internal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.
- external: The general public internet defined as client "any".
If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views).
In order to support a DNS for internet domains using views, one will have to configure an "external" view

Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")

options

{

       directory "/var/named"; // the default

       dump-file               "data/cache_dump.db";

       statistics-file         "data/named_stats.txt";

       memstatistics-file      "data/named_mem_stats.txt";



};

logging

{

   //  By default, SELinux policy does not allow named to modify the /var/named

   //  directory, so put the default debug log file in data/ :



       channel default_debug {

               file "data/named.run";

               severity dynamic;

       };

};

view "localhost_resolver"

{

   //  This view sets up named to be a localhost resolver ( caching only nameserver ).

   //  If all you want is a caching-only nameserver, then you need only define this view:

   match-clients           { localhost; };

   ...

};

view "internal"

{

   // This view will contain zones you want to serve only to "internal" clients

   // that connect via your directly attached LAN interfaces - "localnets" .

   // For local private LAN. Not covered in this tutorial.

   // Delete this view if web hosting with no local LAN.

   match-clients           { localnets; };

   ...

};

key ddns_key

{

       algorithm hmac-md5;

       secret "use /usr/sbin/dns-keygen to generate TSIG keys";

};

view    "external"

{

   // This view will contain zones you want to serve only to "external"

   // public internet clients. This is covered below.

   match-clients           { any; };

   ...

   ..

};

Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf

cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc
cp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc
chcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints

view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:

cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc
cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named
also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root

view "external": (master) - details -

view    "external"

{

/* This view will contain zones you want to serve only to "external" clients

* that have addresses that are not on your directly attached LAN interface subnets:

*/

       match-clients           { any; };

       match-destinations      { any; };

       allow-transfer { XXX.XXX.XXX.XXX; };  - IP address of secondary DNS



       recursion no;

       // you'd probably want to deny recursion to external clients, so you don't

       // end up providing free DNS service to all takers



       // all views must contain the root hints zone:

       include "/etc/named.root.hints";



       // These are your "authoritative" external zones, and would probably

       // contain entries for just your web and mail servers:



       zone "your-domain.com" {

               type master;

               file "/var/named/data/external/named.your-domain.com";

               notify yes;

               allow-update { none; };

       };



       // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement

       include "/etc/named.conf.local";     

};

DNS key:

Use the following command /usr/sbin/dns-keygen to create a key. Add this key to the "secret" statement as follows:

key ddns_key

{

       algorithm hmac-md5;

       secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";

};

Man Pages:

named.conf

Forward Zone File: /var/named/named.your-domain.com

$TTL 604800         - Bind 9 (and some of the later versions of Bind 8) requires $TTL statement. Measured in seconds. This value is 7 days.

your-domain.com.    IN      SOA  ns1.your-domain.com.  hostmaster.your-domain.com. (

  2000021600 ; serial     - Many people use year+month+day+integer as a system. Never greater than 2147483647 for a 32 bit processor.

  86400 ; refresh         - How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs)

  7200 ; retry            - How long secondary server should wait for a retry if contact failed.

  1209600 ; expire        - Secondary server to purge info after this length of time.

  86400 ) ; default_ttl   - How long data is held in cache by remote servers.

      IN A       XXX.XXX.XXX.XXX  - Note that this is the default IP address of the domain.

                                    I put the web server IP address here so that domain.com points to the same servers as www.domain.com

;

; Name servers for the domain

;

      IN NS         ns1.your-domain.com.

      IN NS         ns2.your-domain.com.

;

; Mail server for domain

;

      IN MX    5    mail               - Identify "mail" as the node handling mail for the domain. Do NOT specify an IP address!

;

; Nodes in domain

;

node1  IN A          XXX.XXX.XXX.XXX    - Note that this is the IP address of node1

ns1    IN A          XXX.XXX.XXX.XXX    - Optional: For hosting your own primary name server. Note that this is the IP address of ns1

ns2    IN A          XXX.XXX.XXX.XXX    - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2

mail   IN A          XXX.XXX.XXX.XXX    - Identify the IP address for node mail.

      IN MX    5    XXX.XXX.XXX.XXX    - Identify the IP address for mail server named "mail".

;

; Aliases to existing nodes in domain

;

www    IN CNAME      node1              - Define the webserver "www" to be node1.

ftp    IN CNAME      node1              - Define the ftp server to be node1.

MX records for 3rd party off-site mail servers:

your-domain.com.    IN MX  10 mail1.offsitemail.com.

your-domain.com.    IN MX  20 mail2.offsitemail.com.

Append to the above file.

Initial configuration: Note that Red Hat may supply the default zone configuration in: /usr/share/doc/bind-9.X.X/sample/var/named/

cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/
cd /var/named/chroot/var/named/data/
chcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local

A file suffix of "zone" is also common i.e. your-domain.com.zone

Secondary server (slave):

File: named.conf

Red Hat / Fedora Core / CentOS: /etc/named.conf
Ubuntu / Debian: /etc/bind/named.conf
Simple example with no views:

options {                               - Ubuntu stores options in /etc/bind/named.conf.options

       version "Bind";                 - Don't disclose real version to hackers

       directory "/var/named";

       allow-transfer { none; };       - Slave is not transfering updates to anyone else

       recursion no;

       auth-nxdomain no;               - conform to RFC1035. (default)

       fetch-glue no;                  - Bind 8 only! Not used by version 9

};

zone "localhost" {

       type master;

       file "/etc/bind/db.local";       - Ubutu: /etc/bind/db.local, Red Hat: /var/named/named.local

};

zone "0.0.127.in-addr.arpa" {

       type master;

       file "/etc/bind/db.127";

};



zone "your-domain.com"{

       type slave;         

       file "named.your-domain.com";   - Specify slaves/named.your-domain.com for RHEL4/5 chrooted bind

       masters { XXX.XXX.XXX.XXX; };   - IP address of primary DNS

};

zone "your-domain-2.com"{

       type slave;         

       file "named.your-domain-2.com";

       masters { XXX.XXX.XXX.XXX; };

};

view "external": (slave)

view    "external"

{

       match-clients           { any; };

       match-destinations      { any; };

       allow-transfer { none; };  - Slave does not transfer to anyone, slave receives

       recursion no;

       include "/etc/named.root.hints";



       zone "your-domain.com" {

               type slave;

               file "/var/named/slaves/external/named.your-domain.com";

               notify no;                  - Slave does not notify, slave is notified by master

               masters { XXX.XXX.XXX.XXX; }; - State IP of master server

       };

};

Note: RHEL4/5, CentOS 4/5, Fedora 3+ use chrooted directory structure permissions which require the use of the slaves subdirectory /var/named/slaves

Slave Zone Files: These are transfered from master to slave and chached by slave. There is no need to generate a zone file on the slave.

Additional Information:

[Potential Pitfall]: Ubuntu dapper/hardy - Create log file and set ownership and permission for file not created by installation:

touch /var/log/bindlog
chown root.bind /var/log/bindlog
chmod 664 /var/log/bindlog

[Potential Pitfall]: Error in /var/log/messages:

transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied

drwxr-x--- 4 root named 4096 Aug 25 2004 named
drwxrwx--- 2 named named 4096 Sep 17 20:37 slaves

Fix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named/slaves with the directive:

file "slaves/named.your-domain.com";

Bind Defaults:

Uses port 53 if none is specified with the listen-on port statement.
Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on port 53, specify the following option statement in /etc/named.conf
query-source address * port 53;
query-source-v6 port 53;
Logging is to /var/log/messages

After the configuration files have been edited, restart the name daemon.

/etc/init.d/named restart

(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)

Bind zone transfers work best if the clocks of the two systems are synchronised. See the YoLinux SysAdmin Tutorial: Time and ntpd

File: /var/named/named.your-domain.com This is created for you by Bind on the slave (secondary) server when it replicates from Primary server.

DNS GUI configuration:

Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind
Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind

Test DNS:

Must install packages:

Red Hat / Fedora Core / SuSE: bind-utils
Ubuntu (dapper/hardy) / Debian: bind9-host

Test the name server with the host command in interactive mode:

   host  node.domain-to-test.com your-nameserver-to-test.domain.com

Note: The name server may also be specified by IP address.

Test the name server with the nslookup command in interactive mode:

   nslookup

  > server your-nameserver-to-test.domain.com

  > node.domain-to-test.com

  > exit

Test the MX record if appropriate:

   nslookup -querytype=mx domain-to-test.com

 

  OR



  host -t mx domain-to-test.com

Test using the dig command:

   dig @name-server domain-to-query



  OR



  dig @IP-address-of-name-server domain-to-query

Test your DNS with the following DNS diagnostics web site: DnsStuff.com

Extra logging to monitor Bind:

Add the following to your /etc/named.conf file.

logging {

       channel bindlog {

                          file "/var/log/bindlog"  versions 5 size 1m;     - Keep five old versions of the log-file (rotates logs)

                          print-time yes;

                          print-category yes;

                          print-severity yes;

                       };

/*      If you want to enable debugging, eg. using the 'rndc trace' command,

*      named will try to write the 'named.run' file in the $directory (/var/named).

*      By default, SELinux policy does not allow named to modify the /var/named directory,

*      so put the default debug log file in data/ :

*/

       channel default_debug {

               file "data/named.run";

               severity dynamic;

       };

       category xfer-out { bindlog; };         - Zone transfers

       category xfer-in  { bindlog; };         - Zone transfers

       category security { bindlog; };         - Approved/unapproved requests



//      The following logging statements, panic, insist and response-checks are valid for Bind 8 only. Do not user for version 9.

       category panic { bindlog; };            - System shutdowns

       category insist { bindlog; };           - Internal consistency check failures

       category response-checks { bindlog; };  - Messages

};

Chroot Bind for extra security:

The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.

Named Command Sytax:

   named -u user -g group -t directory-to-chroot-to

Example:

    named -u named -g named -t /opt/named

Script to create a chrooted bind environment:



#!/bin/sh

cd /opt

mkdir named

cd named

mkdir etc

mkdir bin

mkdir var

cd var

mkdir named

mkdir run

cd ..

chown -R named.named bin etc var

You can probably stop here. If your system acts like a chrooted system should, then continue with the following:



cp -p /etc/named.conf etc

cp -p /etc/localtime  etc

cp -p /bin/false bin

echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd

echo "named:x:25:" > etc/group

touch  var/run/named.pid



if [ -f /etc/namedb ]

then

  cp -p /etc/namedb etc/namedb

fi



mkdir dev

cd dev



# Create a character unbuffered file.

mknod -m ugo+rw null c 1 3    



cd ..

chown -R named.named bin etc var

Add changes to the init script: /etc/rc.d/init.d/named

#!/bin/bash

#

# named           This shell script takes care of starting and stopping

#                 named (BIND DNS server).

#

# chkconfig: - 55 45

# description: named (BIND) is a Domain Name Server (DNS) \

# that is used to resolve host names to IP addresses.

# probe: true



# Source function library.

. /etc/rc.d/init.d/functions



# Source networking configuration.

. /etc/sysconfig/network



# Check that networking is up.

[ ${NETWORKING} = "no" ] && exit 0



[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named  - Added in Red Hat version 7.1



[ -f /usr/sbin/named ] || exit 0



[ -f /etc/named.conf ] || exit 0



RETVAL=0



start() {

       # Start daemons.

       echo -n "Starting named: "

       daemon named -u named -g named -t /opt/named   - Change made here

	RETVAL=$?

	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named

	echo

	return $RETVAL

}

stop() {

       # Stop daemons.

       echo -n "Shutting down named: "

       killproc named

	RETVAL=$?

	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named

       echo

	return $RETVAL

}

rhstatus() {

	/usr/sbin/ndc status

	return $?

}	

restart() {

	stop

	start

}	

reload() {

	/usr/sbin/ndc reload

	return $?

}

probe() {

	# named knows how to reload intelligently; we don't want linuxconf

	# to offer to restart every time

	/usr/sbin/ndc reload >/dev/null 2>&1 || echo start

	return $?

} 



# See how we were called.

case "$1" in

	start)

		start

		;;

	stop)

		stop

		;;

	status)

		rhstatus

		;;

	restart)

		restart

		;;

	condrestart)

		[ -f /var/lock/subsys/named ] && restart || :

		;;

	reload)

		reload

		;;

	probe)

		probe

		;;

	*)

       	echo "Usage: named {start|stop|status|restart|condrestart|reload|probe}"

		exit 1

esac



exit $?

See:

Securing DNS: How to use chroot bind features

Chrooted DNS configuration:

/var/named/chroot/etc: Configuration files
/var/named/chroot/dev: devices used by bind:
- /dev/null
- /dev/random
- /dev/zero
(Real devices created with the mknod command.)
/var/named/chroot/var: Zone files and configuration information.

These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".

If building from source you will have to generate this configuration manually:

mkdir -p /var/named/chroot
mkdir /var/named/chroot/dev
mknod /var/named/chroot/dev/null c 1 3
mknod /var/named/chroot/dev/zero c 1 5
mknod /var/named/chroot/dev/random c 1 8
chmod 666 -R /var/named/chroot/dev
mkdir -p /var/named/chroot/etc
ln -s /var/named/chroot/etc/named.conf /etc/named.conf
mkdir -p /var/named/chroot/var/named
ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
...
mkdir -p /var/named/chroot/var/named/slaves
mkdir -p /var/named/chroot/var/named/data
mkdir -p /var/named/chroot/var/run
mkdir -p /var/named/chroot/var/tmp
chown -R named:named /var/named/chroot
chown -R root:named /var/named/chroot/var/named

Load Balancing of servers using Bind: DNS Round-Robin

This will populate name servers around the world with different IP addresses for your web server www.your-domain.com

            www0   IN  A       XXX.XXX.XXX.1

           www1   IN  A       XXX.XXX.XXX.2

           www2   IN  A       XXX.XXX.XXX.3

           www3   IN  A       XXX.XXX.XXX.4

           www4   IN  A       XXX.XXX.XXX.5

           www5   IN  A       XXX.XXX.XXX.6



           www    IN  CNAME   www0.your-domain.com.

                  IN  CNAME   www1.your-domain.com.

                  IN  CNAME   www2.your-domain.com.

                  IN  CNAME   www3.your-domain.com.

                  IN  CNAME   www4.your-domain.com.

                  IN  CNAME   www5.your-domain.com.

                  IN  CNAME   www6.your-domain.com.

Also see lbnamed: lbnamed load balancing named

Bind/DNS Links:

Internet Software Consortium (ISC) Home Page - ISC Bind Home
Bind FAQ, pitfalls and answers
Zytrax Bind 9 manual - Bind for rocket scientists
comp.protocols.tcp-ip.domains FAQ - HTML version
More on load balancing and round robin schemes
LDP DNS-HOWTO
ACME: DNS resources
DNS Security presentation - Cricket Liu (coauthor of DNS and Bind)
DNS Security Paper - Craig Rowland
GraniteCanyon.com: Free DNS hosting - If you don't want to set it up, have someone do it for you.
EveryDNS.net - Free DNS
DNS2GO - Domain hosting for DHCP clients.
Secondary.com - Free secondary names server hosting (five or fewer domains)
TZO.com - Dynamic, secondary DNS services.
UltraDNS.com - Outsourced DNS management and service
OpenDNS.com - Can allow forwarding to OpenDNS servers.
Add to "options" section: forwarders { 208.67.222.222; 208.67.222.220; };
DynDNS.org
Command: ipcheck.py -i eth0 DynDNS-user-id password node.dnsalias.net
Then add script update.dyndns.ip to directory /etc/cron.daily/ to update IP.
This host must also be allowed access through any firewall rules.
DynDNS/TODD - Dynamic DNS for those with dynamic IP addresses. (i.e. dial-up game servers etc.)

Domain name registration:

Domain Name Registrars:
- NetworkSolutions.com
- Register.com
- Registrar.GoDaddy.com - Domain name registration for only $8.95/year!!!
- Dotster.com - Domain name registration for only $14.95/year
- DomainsNext.com - $11.95/year
- EasyDNS.com - $25.00/year
- Aplus.net - Domain Registration $7.95/year - Not good
- Gandi.net - European
AfterNic.com - Domain name exchange and auction.
BuyDomains.com - Buy a domain name that a squatter is holding.

Note that the Name registrations policies for the registrars are stated at ICANN.org.

You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards.
Most free a domain name 30 days after it expires.

Web Server Load Balancing:

Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both. Multiple options are available for load balancing.

DNS round-robin: Discussed above, this uses DNS to point users to random server in a list of appropriate servers. This spreads the load among the servers in the list.
Use a Linux Virtual Server to Create a Load Balance Cluster. See next section below.
Run a reverse proxy. See nginx ("engine X"). From a single external internet network connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).
Run the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse proxy, routing external traffic to various servers on an internal network.

Using a Linux Virtual Server to Create a Load Balance Cluster:

This feature is available with the Linux 2.4/2.6 kernel. (If compiling kernel: Networking Options + IP: Virtual Server Configuration)

Configuration: This example will load balance http traffic to three web servers and ftp traffic to a fourth server.

Enable Forwarding: (Also see YoLinux Networking Tutorial: Enable Forwarding)
```
echo "1" > /proc/sys/net/ipv4/ip_forward

             
```
Enable IP Masquerading:
```
iptables -t nat -P POSTROUTING DROP

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

   
```
For more on IP Masquerading, iptables and subnet addresses, see the YoLinux network gateway tutorial.
Enable virtual server:
- Create virtual service and choose scheduler for http (80) and ftp (21):
```
ipvsadm -A -t 66.218.88.103:80 -s wlc

ipvsadm -A -t 66.218.88.103:21 -s wrr

   
```
  Command directives:
  - A: Add a virtual service defined by IP address, port number, and protocol.
  - -t: Use TCP service host:port
  - -s: scheduler:
    rr: Robin Robin: distributes jobs equally amongst the avail- able real servers.
    wrr: Weighted Round Robin.
    lc: Least-Connection: assigns more jobs to real servers with fewer active jobs.
    wlc: (Default) Weighted Least-Connection: assigns more jobs to servers with fewer jobs and relative to the real server's weight.
    lblc, lblcr, dh, sh, sed, nq. See man page.
- Configure load balancing cluser.
```
ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -m

ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2

ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -m

ipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m

   
```
  Command directives:
  - -r: Real server.
  - -m: Use masquerading also known as network address translation (NAT)
  - -w: Weight is an integer specifying the capacity of a server rela- tive to the others in the pool. The valid values of weight are 0 through to 65535. The default is 1.

Links:

LinuxVirtualServer.org
iptables - Administration tool for IPv4 packet filtering and NAT
ipvsadm - Administer the routing table on a Linux Virtual Server.

Managing Web Server Daemons:

To view if these services are running, type ps -aux and look for the httpd, inetd and named services (daemons). These are background processes necessary to perform the server tasks.

   root       681  0.0  0.5  2304  744 ?        S    Sep09   0:01 named

  nobody   28123  0.0  1.1  3036 1420 ?        S    Oct06   0:00 httpd

  nobody   28186  0.0  0.7  3044  896 ?        S    Oct06   0:00 httpd

  root       385  0.0  0.1  1136  232 ?        S    Sep09   0:00 inetd

Sys Admin Script:

Script to prepare an account: (Red Hat/Fedora)

#!/bin/sh

# Author Greg Ippolito

# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico  mwh-mini_tr.gif etc.

#           /opt/bin/ftponly

#   You must be root to run this script.

#

if [ $# -eq 0 ]

then

  echo "Enter user id as a command argument"

else if [ -r /home/$1 ]

then

  echo "User's home directory already exists"

else

  echo "1)  Create user."

  adduser -m $1



  echo "2)  Set user Password."

  passwd $1



  echo "3)  Add read access to user directory so apache can read it."

  cd /home

  chmod ugo+rx $1

  cd $1



  echo "4)  Create web directories."

  mkdir public_html

  chown $1.$1 public_html

  chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html

  cd public_html

  mkdir images

  chown $1.$1 images

  chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images



  # Block potential for unauthenticated logins

  cd ../

  touch .rhosts

  chmod ugo-xrw .rhosts



  echo "5)  Create default web page"

  sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html

  cp -p /opt/etc/AccountDefaults/favicon.ico .

  cp -p /opt/etc/AccountDefaults/default-logo.gif ./images

  cp -p /opt/etc/AccountDefaults/robots.txt .

  chown $1.$1 index.html favicon.ico robots.txt

  chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt

  chcon -R -h -t httpd_sys_content_t images/default-logo.gif



  echo "6)  Edit /etc/passwd file - change user shell to /opt/bin/ftponly"

  cp -p  /etc/passwd /etc/passwd-`date +%m%d%y`

  sed "/^$1/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd



#wu-ftp# Requires: /etc/ftpaccess guestuser restrict-uid

#wu-ftp#   echo "7)  Add user to /etc/ftpaccess file"

#wu-ftp#   cp -p  /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`

#wu-ftp#   sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess

#wu-ftp#   sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess

#wu-ftp#   echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess



  echo "7)  Add user to vsftpd chroot list

  cat `echo $1` >> /etc/vsftpd/vsftpd.chroot_list



  echo "8)  Setting Disk Quotas to default 50Mb limit:"

#  Use user johndoe as a prototype.

  edquota -p johndoe $1



  echo "9)  Admin Follow-up:"

  echo "     Modify quota.user if different than default"

  echo "     Make changes to Bind names services on dns1 and dns2 if necessary"

  echo "       Change /etc/http/conf/httpd.conf or

  echo "       add config to /etc/http/conf.d/ if using a new domain name"

  echo "       Add e-mail aliases to mail server if necessary"

fi

fi

FYI: Sample robots.txt files:

Setting Up the Domain Name System for Active Directory

2009-12-04T09:16:00.000-08:00

Summary

The Domain Name System (DNS) is the Active Directory locator in Windows 2000. Active Directory clients and client tools use DNS to locate domain controllers for administration and logon. You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly. This article guides you through the required DNS configuration.

NetBIOS name resolution (WINS server, LMHosts file, or NetBIOS broadcast) is still required for earlier versions of Windows to resolve network resources on an Active Directory domain.

NOTE: A Windows 2000 Server CD-ROM is required to complete Setup. Installing the operating system from a network share does not work in some scenarios.

Experienced DNS administrators are encouraged to read the steps involved in configuration, and modify them to suit different scenarios. The steps in this article outline a single, simple configuration and do not represent the only possible configuration.

MORE INFORMATION
DNS Server Requirements Microsoft recommends that you use Microsoft DNS Server...

DNS Server Requirements

Microsoft recommends that you use Microsoft DNS Server as supplied with Windows 2000 Server as your DNS server. However, Microsoft DNS is not required. The DNS server that you use:

Must support the SRV RR (RFC 2052).
Supports the dynamic update protocol (RFC 2136).

Version 8.1.2 and later of BIND (a popular DNS server implementation) supports both the SRV RR and dynamic update. (Version 8.1.1 does support dynamic updates but it has flaws that were fixed in 8.1.2.) If you are using a version of BIND that does not support dynamic update, you need to manually add records to the DNS server.

NOTE: Microsoft DNS, as included with Microsoft Windows NT 4.0 Server, does not support the SRV record. Use DNS Server that is provided with Windows 2000 Server.

Starting with a Windows 2000-Based Stand-Alone Server

This server becomes a DNS server for your network. You can also promote it to the domain controller role at a later time.

In the first step, you assign this server a static Internet Protocol (IP) configuration. DNS servers should not use dynamically assigned IP addresses, because a dynamic change of address could cause clients to lose contact with the DNS server.

Configure TCP/IP

Click Start, point to Settings and then click Control Panel.
Double-click Network and Dial-up Connections.
Right-click Local Area Connection, and then click Properties.
Click Internet Protocol (TCP/IP), and then click Properties.
Assign this server a static IP address, subnet mask, and gateway address.
Click Advanced.
Click the DNS Tab.
Select "Append primary and connection specific DNS suffixes"
Check "Append parent suffixes of the primary DNS suffix"
Check "Register this connection's addresses in DNS"

If this Windows 2000-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder configured.
Click OK to close the Advanced TCP/IP Settings properties.
Click OK to accept the changes to your TCP/IP configuration.
Click OK to close the Local Area Connections properties.

NOTE: If you receive a warning from the DNS Caching Resolver service, click OK to dismiss the warning. The caching resolver is trying to contact the DNS server, but you have not finished configuring the server.
Continue to the next step to install Microsoft DNS Server.

Install Microsoft DNS Server

Click Start, point to Settings, and then click Control Panel.
Double-click Add/Remove Programs.
Click Add and Remove Windows Components.
The Windows Components Wizard starts. Click Next.
Click Networking Services, and then click Details.
Click to select the Domain Name System (DNS) check box, and then click OK.
Click OK to start server Setup. The DNS server and tool files are copied to your computer.
Continue to the next step to configure the DNS server.

Configure the DNS Server Using DNS Manager

These steps guide you through configuring DNS by using the DNS Manager snap-in in Microsoft Management Console (MMC).

Click Start, point to Programs, point to Administrative Tools, and then click DNS Manager. You see two zones under your computer name: Forward Lookup Zone and Reverse Lookup Zone.
The DNS Server Configuration Wizard starts. Click Next.
Right-click Forward Lookup Zone, and then click Properties.
Choose your DNS server to be a root server. Click Next.
Choose to add a forward lookup zone. Click Next.
The new forward lookup zone must be a primary zone so that it can accept dynamic updates. Click Primary, and then click Next.
The new zone contains the locator records for this Active Directory domain. The name of the zone must be the same as the name of the Active Directory domain, or be a logical DNS container for that name.

For example, if the Active Directory domain is named "support.microsoft.com", legal zone names are "support.microsoft.com", "microsoft.com", or "com". Type the name of the zone, and then click Next.

NOTE: If you name the zone "com" we will believe that we are authoritative for the "com" domain and never forward any requests that we can not answer out to the real "com" domain servers. The same would be true if you named it "microsoft.com", you would never use your forwarder to resolve requests from the real "microsoft.com" servers.
Accept the default name for the new zone file. Click Next.
Choose not to add a reverse lookup zone now. Click Next.

NOTE: Experienced DNS administrators may want to create a reverse lookup zone, and are encouraged to explore this branch of the wizard.
Click Finish to complete the Server Configuration Wizard.
After the Server Configuration Wizard is finished, DNS Manager starts. Proceed to the next step to enable dynamic update on the zone you just added.

Enable Dynamic Update on the Forward Lookup Zone

In DNS Manager, expand the DNS Server object. Expand the Forward Lookup Zones folder.
Right-click the zone you created, and then click Properties.
On the General tab, click to select the Allow Dynamic Update check box, and then click OK to accept the change.
DNS server configuration is finished. Proceed to the next step if you want to promote this DNS server to be the first domain controller in the enterprise. This is the recommended path.
If you decide to use a different computer as your first domain controller, the configuration instructions in the previous sections of this article apply to that domain controller after you have installed Windows 2000.

Promote This Server to Domain Controller (Optional--Recommended)

Promote this server to the domain controller role by using the Dcpromo.exe utility.

For additional information about promoting and demoting domain controllers, click the article number below to view the article in the Microsoft Knowledge Base:

238369 (http://support.microsoft.com/kb/238369/EN-US/ ) How to Promote and Demote Domain Controllers in Windows 2000

After the server has been promoted to the domain controller role, the DNS server can use the Active Directory Storage Integration feature (this is the recommended path). Proceed to the next step if you want to use Active Directory Storage Integration for DNS.

Enable Active Directory Integrated DNS (Optional--Recommended)

Active Directory Integrated DNS uses the directory for the storage and replication of DNS zone databases. If you decide to use Active Directory Integrated DNS, DNS runs on one or more domain controllers and you do not need to set up a separate DNS replication topology.

In DNS Manager, expand the DNS Server object.
Expand the Forward Lookup Zones folder.
Right-click the zone you created, and then click Properties.
On the General tab, the Zone Type value is set to Primary. Click Change to change the zone type.
In the Change Zone Type dialog box, click DS Integrated Primary, and then click OK.
The DNS server writes the zone database into Active Directory.
Right-click the zone named ".", and then click Properties.
On the General tab, the Zone Type value is set to Primary. Click Change to change the zone type.
In the Change Zone Type dialog box, DS Integrated Primary, and then click OK.

APPLIES TO

Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server

Website Domain Name Configuration

2009-12-04T09:12:00.001-08:00

Domain Name Configuration
Before understanding how to configure a domain name, one should know how a domain name works. There are three parts to setting up a domain name for a website - (i) registering the domain name with a domain registrar, (ii) setting up the domain name entry in a DNS server, and finally (iii) configuring the web server to listen to the requests for the domain name. A request for the domain (e.g. http://websitegear.com) starts at one of the registrar's server, which then routes it to a DNS server containing the DNS information for the domain. Once the DNS record for the domain resolves the domain name to a particular IP address, the request is sent to the web server listening to that IP address. The web server can now delegate the request to the particular website based on the domain name in the host header of the request object.

Registering A Domain Name
A domain name needs to be registered with one of the ICANN (http://www.icann.org) approved domain registrars for a yearly registration fee. One of the cheapest registrar with all the required features is GoDaddy.com (http://www.godaddy.com). There are registrars for each country specific domain names (such as .co.uk for United Kingdom, .nl for Netherlands). One should choose a domain name very carefully. After deciding on an available domain name, one has to provide the following information during the registration process:

Domain name owner credentials (name, company name, address, phone, email address etc.)

Administrative contact credentials

Technical contact credentials

Domain Name System (DNS) server details

The DNS server (also known as name server) is usually provided by the web hosting company. The DNS server should have entries of the domain name as explained in the next section. At least a primary (e.g. ns1.websitegear.net) and a secondary (e.g. ns2.websitegear.net) name server addresses are required. DNS server setup requires extra knowledge and is not within the scope of this article.

Domain Setup On DNS Server
The domain setup on the DNS server can be done after the domain is registered, however, the domain name will not work until the DNS setup is completed. A DNS server maps a domain name to IP address(es) of the web server and mail server so that a client can connect to the webserver or mail server using the domain name and not the IP address. A forward lookup zone is created for the domain name in the DNS server. Start of authority (SOA), Name server (NS), Hostname (A), Canonical Names (CNAME) and Mail eXchange (MX) entries are added to the forward lookup zone as shown below for a domain "foodomain.com" with name servers "ns1.dnsserver.com" and "ns1.dnsserver.com".

Start Of Authority (SOA) Record: The SOA record is very important because it denotes the official DNS record for the domain name. There can be only one SOA record for each domain in a zone file.

@ IN SOA ns1.dnsserver.com. hostmaster.dnsserver.com. (
20041014 ; serial number
900 ; refresh
600 ; retry
86400 ; expire
3600 ) ; default TTL

Address (A) Record Entry: The address (A) record is added to the forward lookup zone of the domain and it is associated with the IP addresses of the web server, which will handle the requests for the domain. There can be multiple A records, in which case, it will use the round robin DNS load balancing mechanism to assign the requests.

foodomain.com IN A 123.2.33.45.
foodomain.com IN A 123.2.33.46.

Alias (CNAME) Entry: A canonical name (CNAME) record maps an alias to the real name, Note that an alias for www is setup as a CNAME, so that requests to www.domain.com is sent to the same website that handles the requests for domain.com.

www IN CNAME foodomain.com.

Name Server (NS) Record: The NS record is used to define the name servers for the domain. It may seem unnecessary to keep a record of the name server in the DNS entry because the name server lookup is already present in the registrar records, where the lookup for the domain starts. This record is needed, incase, someone requires to know the name servers for this domain. The NS records are mapped to CNAME entries (ns1 and ns2 in the example below).

foodomain.com IN NS ns1.dnsserver.com.
foodomain.com IN NS ns2.dnsserver.com.

Mail Exchanger (MX) Setup: The mail exchanger domain configuration is required if an email server is setup to handle the domain mail accounts. For example, an email address like joe@foodomain.com will require a domain setup for resolving the mail server for foodomain.com. The setup is similar to the CNAME setup but with MX records. There can be multiple MX records (e.g. for backup mail servers).

foodomain.com IN MX 10 mail.foodomain.com.

Note: Test the DNS setup of the domain using DNSReport.com. This site provides a detailed report of any DNS misconfigurations and possible solutions.

Configuring Web Server For Domain
Once the DNS server is setup to send the request for the domain to the corresponding IP address, the work of the web server begins. The web server needs to be configured appropriately to handle the request for the domain based on either the IP address or the host header entry. Host headers are commonly used by web servers to host multiple domains on one IP address.

Microsoft Windows IIS : In case of Internet Information Server (IIS), create a new web site for the domain using the IIS Manager, and add the domain (e.g. domain.com) as a new host header value listening to the same IP address as specified in the DNS entry. The port is set to 80 (the default for http requests). The host header can be added by clicking on the advanced tab next to the IP address configuration for that web site application. Set the home directory for the domain web site to the directory (e.g. C:\Inetpub\wwwroot\). Add another host header entry for www.foodomain.com so that anyone can access the website when typing with www in the beginning.

Apache Web Server : In case of Apache web server, the subdomain is configured by virtual host entries in httpd.conf as shown below.

Listen 80
NameVirtualHost *

ServerName www.domain.com
DocumentRoot /home/httpd/htdocs/

ServerName domain.com
DocumentRoot /home/httpd/htdocs/

Conclusion
Domain configuration starts with an entry with a domain registrar, and the registrar record maps the domain to name servers, which contains the detailed DNS entries for the domain. The lookup for the domain name at the designated DNS server resolves the domain to an IP address of the web server. The web server in turn delegates the requests based on its configuration for the domain.

Computer Professional

Life: Miss You ..DAD

Dell/EMC CX4-240

Dell/EMC CX4-120 SAN Storage

Managed Dedicated Host Codero Commits to Renewable Energy

New Service from Purity Networks Offers Affordable Email Protection

About Purity Networks

Reseller Program for Hosted Exchange 2010 Launched By InterMedia

Click To Client, LLC changes name to The Marketing Zen Group

An announcement from Click To Client, LLC officials State

The Planet Extends High-Performance SAN to Dedicated Hosting Customers

Latest Open-Xchange Makes Webmail and Social Network Integration Easy

Intel® Turbo Memory with User Pinning

Enhancing system performance through memory innovation

User pinning

Performance

Platform compatibility

Intel® X25-M and X18-M Mainstream SATA Solid-State Drives

Intel® X25-E Extreme SATA Solid-State Drive

Intel® Desktop Board DP55SB

Features and benefits

Related products

Intel® Desktop Board DP55KG

How to:Configure/Setup Your VPN(server side) on Windows Server 2003 R2

What is Web Hosting

Web hosting service

Domain Name Server (DNS) Configuration and Administration

Server and Domain Isolation

Domain Name Service DNS Setup & Configuration in Unix

Linux Internet Web Server and Domain Configuration Tutorial

Grant access to a user's web directory: public_html

SELinux security contexts:

Virtual Hosts:

Configuring a "name based" virtual host:

Apache virtual domain configuration with Ubuntu Dapper/Hardy:

Configuring an "IP based" virtual host:

CGI: (Common Gateway Interface)

Configuring CGI To Run With User Privileges:

ERROR Pages:

PHP:

Running Multiple instances of httpd:

Apache Man Pages:

Apache Red Hat / Fedora Core GUI configuration:

Configuration files:

Man Pages:

Configuration files: (RH 8.0+)

More information:

Man pages on related FTP commands and files:

Other FTP daemons:

Passive mode:

Firewall connection tracking module:

NAT firewall modules:

FTP fails because it can not change to the users home directory:

Configuration files:

Primary server (master):

Secondary server (slave):

Test DNS:

Extra logging to monitor Bind:

Chroot Bind for extra security:

Load Balancing of servers using Bind: DNS Round-Robin

Bind/DNS Links:

Domain name registration:

Grant access to a user's web directory: public_html

SELinux security contexts:

Virtual Hosts:

Configuring a "name based" virtual host:

Apache virtual domain configuration with Ubuntu Dapper/Hardy:

Configuring an "IP based" virtual host:

CGI: (Common Gateway Interface)

Configuring CGI To Run With User Privileges:

ERROR Pages:

PHP:

Running Multiple instances of httpd:

Apache Man Pages:

Apache Red Hat / Fedora Core GUI configuration:

Configuration files:

Man Pages:

Configuration files: (RH 8.0+)

More information:

Man pages on related FTP commands and files:

Running Multiple instances of `httpd`:

Running Multiple instances of `httpd`:

MORE INFORMATION
DNS Server Requirements Microsoft recommends that you use Microsoft DNS Server...