Many other configuration directives for sshd are available for changing the
server application's behavior to fit your needs. Be advised, however, if your
only method of access to a server is ssh, and you make a mistake in configuring
sshd via the /etc/ssh/sshd_config file, you may find you are locked out of the
server upon restarting it, or that the sshd server refuses to start due to an incorrect
configuration directive, so be extra careful when editing this file on a remote
server.
4.4. References
OpenSSH Website [http://www.openssh.org/]
Advanced OpenSSH Wiki Page [https://wiki.ubuntu.com/AdvancedOpenSSH]
5. FTP Server
File Transfer Protocol (FTP) is a TCP protocol for uploading and downloading files
between computers. FTP works on a client/server model. The server component is called
an FTP daemon. It continuously listens for FTP requests from remote clients. When a
request is received, it manages the the login and sets up the connection. For the duration of
the session it executes any of commands sent by the FTP client.
Access to an FTP server can be managed in two ways:
• Anonymous
• Authenticated
In the Anonymous mode, remote clients can access the FTP server by using the default
user account called 'anonymous" or "ftp" and sending an email address as the password.
In the Authenticated mode a user must have an account and a password. User access to the
FTP server directories and files is dependent on the permissions defined for the account
used at login. As a general rule, the FTP daemon will hide the root directory of the FTP
server and change it to the FTP Home directory. This hides the rest of the file system from
remote sessions.
5.1. vsftpd - FTP Server Installation
vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, and maintain. To
install vsftpd you can run the following command:
sudo apt-get install vsftpd
5.2. vsftpd - FTP Server Configuration
You can edit the vsftpd configuration file, /etc/vsftpd.conf, to change the default
settings. By default only anonymous FTP is allowed. If you wish to disable this option, you
should change the following line:
anonymous_enable=YES
to
anonymous_enable=NO
By default, local system users are not allowed to login to FTP server. To change this
setting, you should uncomment the following line:
#local_enable=YES
By default, users are allowed to download files from FTP server. They are not allowed to
upload files to FTP server. To change this setting, you should uncomment the following
line:
#write_enable=YES
Similarly, by default, the anonymous users are not allowed to upload files to FTP server.
To change this setting, you should uncomment the following line:
#anon_upload_enable=YES
The configuration file consists of many configuration parameters. The information about
each parameter is available in the configuration file. Alternatively, you can refer to the man
page, man 5 vsftpd.conf for details of each parameter.
Once you configure vsftpd you can start the daemon. You can run following command to
run the vsftpd daemon:
sudo /etc/init.d/vsftpd start
Please note that the defaults in the configuration file are set as they are for
security reasons. Each of the above changes makes the system a little less secure,
so make them only if you need them.
6. Network File System (NFS)
NFS allows a system to share directories and files with others over a network. By using
NFS, users and programs can access files on remote systems almost as if they were local
files.
Some of the most notable benefits that NFS can provide are:
• Local workstations use less disk space because commonly used data can be stored on a
single machine and still remain accessible to others over the network.
• There is no need for users to have separate home directories on every network machine.
Home directories could be set up on the NFS server and made available throughout the
network.
• Storage devices such as floppy disks, CDROM drives, and USB Thumb drives can be
used by other machines on the network. This may reduce the number of removable
media drives throughout the network.
6.1. Installation
At a terminal prompt enter the following command to install the NFS Server:
sudo apt-get install nfs-kernel-server
6.2. Configuration
You can configure the directories to be exported by adding them to the /etc/exports file.
For example:
/ubuntu *(ro,sync,no_root_squash)
/home *(rw,sync,no_root_squash)
You can replace * with one of the hostname formats. Make the hostname declaration as
specific as possible so unwanted systems cannot access the NFS mount.
To start the NFS server, you can run the following command at a terminal prompt:
sudo /etc/init.d/nfs-kernel-server start
6.3. NFS Client Configuration
Use the mount command to mount a shared NFS directory from another machine, by
typing a command line similar to the following at a terminal prompt:
sudo mount example.hostname.com:/ubuntu /local/ubuntu
The mount point directory /local/ubuntu must exist. There should be no files or
subdirectories in the /local/ubuntu directory.
An alternate way to mount an NFS share from another machine is to add a line to the
/etc/fstab file. The line must state the hostname of the NFS server, the directory on the
server being exported, and the directory on the local machine where the NFS share is to be
mounted.
The general syntax for the line in /etc/fstab file is as follows:
example.hostname.com:/ubuntu /local/ubuntu nfs rsize=8192,wsize=8192,timeo=14,intr
6.4. References
Linux NFS faq [http://nfs.sourceforge.net/]
7. Dynamic Host Configuration Protocol (DHCP)
The Dynamic Host Configuration Protocol (DHCP) is a network service that enables host
computers to be automatically assigned settings from a server as opposed to manually
configuring each network host. Computers configured to be DHCP clients have no control
over the settings they receive from the DHCP server, and the configuration is transparent to
the computer's user.
The most common settings provided by a DHCP server to DHCP clients include:
• IP-Address and Netmask
• DNS
• WINS
However, a DHCP server can also supply configuration properties such as:
• Host Name
• Domain Name
• Default Gateway
• Time Server
• Print Server
The advantage of using DHCP is that changes to the network, for example a change in
the address of the DNS server, need only be changed at the DHCP server, and all network
hosts will be reconfigured the next time their DHCP clients poll the DHCP server. As an
added advantage, it is also easier to integrate new computers into the network, as there is
no need to check for the availability of an IP address. Conflicts in IP address allocation are
also reduced.
A DHCP server can provide configuration settings using two methods:
MAC Address
This method entails using DHCP to identify the unique hardware address of each
network card connected to the network and then continually supplying a constant
configuration each time the DHCP client makes a request to the DHCP server using
that network device.
Address Pool
This method entails defining a pool (sometimes also called a range or scope) of
IP addresses from which DHCP clients are supplied their configuration properties
dynamically and on a fist come first serve basis. When a DHCP client is no longer on
the network for a specified period, the configuration is expired and released back to the
address pool for use by other DHCP Clients.
Ubuntu is shipped with both DHCP server and client. The server is dhcpd (dynamic host
configuration protocol daemon). The client provided with Ubuntu is dhclient and should be
installed on all computers required to be automatically configured. Both programs are easy
to install and configure and will be automatically started at system boot.
7.1. Installation
At a terminal prompt, enter the following command to install dhcpd:
sudo apt-get install dhcpd
You will see the following output, which explains what to do next:
Please note that if you are installing the DHCP server for the first
time you need to configure. Please stop (/etc/init.d/dhcp
stop) the DHCP server daemon, edit /etc/dhcpd.conf to suit your needs
and particular configuration, and restart the DHCP server daemon
(/etc/init.d/dhcp start).
You also need to edit /etc/default/dhcp to specify the interfaces dhcpd
should listen to. By default it listens to eth0.
NOTE: dhcpd's messages are being sent to syslog. Look there for
diagnostics messages.
Starting DHCP server: dhcpd failed to start - check syslog for diagnostics.
7.2. Configuration
The error message the installation ends with might be a little confusing, but the following
steps will help you configure the service:
Most commonly, what you want to do is assign an IP address randomly. This can be done
with settings as follows:
# Sample /etc/dhcpd.conf
# (add your comments here)
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "mydomain.org";
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.10 192.168.1.100;
range 192.168.1.150 192.168.1.200;
}
This will result in the DHCP server giving a client an IP address from the range
192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will lease an IP address
for 600 seconds if the client doesn't ask for a specific time frame. Otherwise the maximum
(allowed) lease will be 7200 seconds. The server will also "advise" the client that it
should use 255.255.255.0 as its subnet mask, 192.168.1.255 as its broadcast address,
192.168.1.254 as the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers.
If you need to specify a WINS server for your Windows clients, you will need to include
the netbios-name-servers option, e.g.
option netbios-name-servers 192.168.1.1;
Dhcpd configuration settings are taken from the DHCP mini-HOWTO, which can be found
here [http://www.tldp.org/HOWTO/DHCP/index.html].
7.3. References
DHCP FAQ [http://www.dhcp-handbook.com/dhcp_faq.html]
8. Domain Name Service (DNS)
Domain Name Service (DNS) is an Internet service that maps IP addresses and fully
qualified domain names (FQDN) to one another. In this way, DNS alleviates the need to
remember IP addresses. Computers that run DNS are called name servers. Ubuntu ships
with BIND (Berkley Internet Naming Daemon), the most common program used for
maintaining a name server on GNU/Linux.
8.1. Installation
At a terminal prompt, enter the following command to install dns:
sudo apt-get install bind
8.2. Configuration
The DNS configuration files are stored in the /etc/bind directory. The primary
configuration file is /etc/bind/named.conf. The content of the default configuration file
is shown below:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian for information on the
// structure of BIND configuration files in Debian for BIND versions 8.2.1
// and later, *BEFORE* you customize this configuration file.
//
include "/etc/bind/named.conf.options";
// reduce log verbosity on issues outside our control
logging {
category lame-servers { null; };
category cname { null; };
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// add local zone definitions here
include "/etc/bind/named.conf.local";
The include line specifies the filename which contains the DNS options. The directory line
in the options file tells DNS where to look for files. All files BIND uses will be relative to
this directory.
The file named /etc/bind/db.root describes the root name servers in the world. The
servers change over time and must be maintained now and then.
The zone section defines a master server, and it is stored in a file mentioned against file
tag. Every zone file contains 3 resource records (RRs): an SOA RR, an NS RR and a PTR
RR. SOA is short of Start of Authority. The "@" is a special notation meaning the origin.
NS is the Name Server RR. PTR is Domain Name Pointer. To start the DNS server, run the
following command from a terminal prompt:
sudo /etc/init.d/bind start
You can refer to the documentation mentioned in the references section for details.
8.3. References
DNS HOWTO [http://www.tldp.org/HOWTO/DNS-HOWTO.html]
9. CUPS - Print Server
The primary mechanism for Ubuntu printing and print services is the Common UNIX
Printing System (CUPS). This printing system is a freely available, portable printing layer
which has become the new standard for printing in most GNU/Linux distributions.
CUPS manages print jobs and queues and provides network printing using the standard
Internet Printing Protocol (IPP), while offering support for a very large range of printers,
from dot-matrix to laser and many in between. CUPS also supports PostScript Printer
Description (PPD) and auto-detection of network printers, and features a simple web-based
configuration and administration tool.
9.1. Installation
To install CUPS on your Ubuntu computer, simply use sudo with the the apt-get command
and give the packages to install as the first parameter. A complete CUPS install has many
package dependencies, but they may all be specified on the same command line. Enter the
following at a terminal prompt to install CUPS:
sudo apt-get install cupsys cupsys-client
Upon authenticating with your user password, the packages should be downloaded and
installed without error. Upon the conclusion of installation, the CUPS server will be
started automatically. For troubleshooting purposes, you can access CUPS server errors
via the error log file at: /var/log/cups/error_log. If the error log does not show enough
information to troubleshoot any problems you encounter, the verbosity of the CUPS log
can be increased by changing the LogLevel directive in the configuration file (discussed
below) to "debug" or even "debug2", which logs everything, from the default of "info". If
you make this change, remember to change it back once you've solved your problem, to
prevent the log file from becoming overly large.
9.2. Configuration
The Common UNIX Printing System server's behavior is configured through the directives
contained in the file /etc/cups/cupsd.conf. The CUPS configuration file follows the
same syntax as the primary configuration file for the Apache HTTP server, so users
familiar with editing Apache's configuration file should feel at ease when editing the CUPS
configuration file. Some examples of settings you may wish to change initially will be
presented here.
Prior to editing the configuration file, you should make a copy of the original file
and protect it from writing, so you will have the original settings as a reference,
and to reuse as necessary.
Copy the /etc/cups/cupsd.conf file and protect it from writing with the
following commands, issued at a terminal prompt:
sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original
sudo chmod a-w /etc/cups/cupsd.conf.original
• ServerAdmin: To configure the email address of the designated administrator
of the CUPS server, simply edit the /etc/cups/cupsd.conf configuration file
with your preferred text editor, and modify the ServerAdmin line accordingly. For
example, if you are the Administrator for the CUPS server, and your e-mail address is
'bjoy@somebigco.com', then you would modify the ServerAdmin line to appear as such:
ServerAdmin bjoy@somebigco.com
For more examples of configuration directives in the CUPS server configuration file,
view the associated system manual page by entering the following command at a terminal
prompt:
man cupsd.conf
Whenever you make changes to the /etc/cups/cupsd.conf configuration file,
you'll need to restart the CUPS server by typing the following command at a
terminal prompt:
sudo /etc/init.d/cupsys restart
Some other configuration for the CUPS server is done in the file
/etc/cups/cups.d/ports.conf:
• Listen: By default on Ubuntu, the CUPS server installation listens only on the
loopback interface at IP address 127.0.0.1. In order to instruct the CUPS server to
listen on an actual network adapter's IP address, you must specify either a hostname,
the IP address, or optionally, an IP address/port pairing via the addition of a Listen
directive. For example, if your CUPS server resides on a local network at the IP
address 192.168.10.250 and you'd like to make it accessible to the other systems on
this subnetwork, you would edit the /etc/cups/cups.d/ports.conf and add a Listen
directive, as such:
Listen 127.0.0.1:631 # existing loopback Listen
Listen /var/run/cups/cups.sock # existing socket Listen
Listen 192.168.10.250:631 # Listen on the LAN interface, Port 631 (IPP)
In the example above, you may comment out or remove the reference to the Loopback
address (127.0.0.1) if you do not wish cupsd to listen on that interface, but would
rather have it only listen on the Ethernet interfaces of the Local Area Network (LAN).
To enable listening for all network interfaces for which a certain hostname is bound,
including the Loopback, you could create a Listen entry for the hostname socrates as
such:
Listen socrates:631 # Listen on all interfaces for the hostname 'socrates'
or by omitting the Listen directive and using Port instead, as in:
Port 631 # Listen on port 631 on all interfaces
9.3. References
CUPS Website [http://www.cups.org/]
10. HTTPD - Apache2 Web Server
Apache is the most commonly used Web Server on GNU/Linux systems. Web Servers are
used to serve Web Pages requested by client computers. Clients typically request and view
Web Pages using Web Browser applications such as Firefox, Opera, or Mozilla.
Users enter a Uniform Resource Locator (URL) to point to a Web server by means
of its Fully Qualified Domain Name (FQDN) and a path to the required resource. For
example, to view the home page of the Ubuntu Web site [http://www.ubuntu.com] a
user will enter only the FQDN. To request specific information about paid support
[http://www.ubuntu.com/support/supportoptions/paidsupport], a user will enter the FQDN
followed by a path.
The most common protocol used to transfer Web pages is the Hyper Text Transfer Protocol
(HTTP). Protocols such as Hyper Text Transfer Protocol over Secure Sockets Layer
(HTTPS), and File Transfer Protocol (FTP), a protocol for uploading and downloading
files, are also supported.
Apache Web Servers are often used in combination with the MySQL database engine, the
HyperText Preprocessor (PHP) scripting language, and other popular scripting languages
such as Python and Perl. This configuration is termed LAMP (Linux, Apache, MySQL
and Perl/Python/PHP) and forms a powerful and robust platform for the development and
deployment of Web-based applications.
10.1. Installation
The Apache2 web server is available in Ubuntu Linux. To install Apache2:
• At a terminal prompt enter the following command:
sudo apt-get install apache2
10.2. Configuration
Apache is configured by placing directives in plain text configuration files. The main
configuration file is called apache2.conf. In addition, other configuration files may be
added using the Include directive, and wildcards can be used to include many configuration
files. Any directive may be placed in any of these configuration files. Changes to the main
configuration files are only recognized by Apache2 when it is started or restarted.
The server also reads a file containing mime document types; the filename is set by the
TypesConfig directive, and is mime.types by default.
The default Apache2 configuration file is /etc/apache2/apache2.conf . You can edit this
file to configure the Apache2 server. You can configure the port number, document root,
modules, log files, virtual hosts, etc.
10.2.1. Basic Settings
This section explains Apache2 server essential configuration parameters. Refer to the
Apache2 Documentation [http://httpd.apache.org/docs/2.0/] for more details.
• Apache2 ships with a virtual-host-friendly default configuration. That is, it is configured
with a single default virtual host (using the VirtualHost directive) which can modified
or used as-is if you have a single site, or used as a template for additional virtual hosts
if you have multiple sites. If left alone, the default virtual host will serve as your default
site, or the site users will see if the URL they enter does not match the ServerName
directive of any of your custom sites. To modify the default virtual host, edit the file
/etc/apache2/sites-available/default. If you wish to configure a new virtual host
or site, copy that file into the same directory with a name you choose. For example, sudo
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mynewsite Edit
the new file to configure the new site using some of the directives described below.
• The ServerAdmin directive specifies the email address to be advertised for the server's
administrator. The default value is webmaster@localhost. This should be changed to
an email address that is delivered to you (if you are the server's administrator). If your
website has a problem, Apache2 will display an error message containing this email
address to report the problem to. Find this directive in your site's configuration file in
/etc/apache2/sites-available.
• The Listen directive specifies the port, and optionally the IP address, Apache2 should
listen on. If the IP address is not specified, Apache2 will listen on all IP addresses
assigned to the machine it runs on. The default value for the Listen directive is 80.
Change this to 127.0.0.1:80 to cause Apache2 to listen only on your loopback interface
so that it will not be available to the Internet, to (for example) 81 to change the port
that it listens on, or leave it as is for normal operation. This directive can be found and
changed in its own file, /etc/apache2/ports.conf
• The ServerName directive is optional and specifies what FQDN your site should answer
to. The default virtual host has no ServerName directive specified, so it will respond to
all requests that do not match a ServerName directive in another virtual host. If you have
just acquired the domain name ubunturocks.com and wish to host it on your Ubuntu
server, the value of the ServerName directive in your virtual host configuration file
should be ubunturocks.com. Add this directive to the new virtual host file you created
earlier (/etc/apache2/sites-available/mynewsite).
You may also want your site to respond to www.ubunturocks.com, since
many users will assume the www prefix is appropriate. Use the ServerAlias
directive for this. You may also use wildcards in the ServerAlias directive. For
example, ServerAlias *.ubunturocks.com will cause your site to respond to
any domain request ending in .ubunturocks.com.
• The DocumentRoot directive specifies where Apache should look for the files that
make up the site. The default value is /var/www. No site is configured there, but if you
uncomment the RedirectMatch directive in /etc/apache2/apache2.conf requests
will be redirected to /var/www/apache2-default where the default Apache2 site awaits.
Change this value in your site's virtual host file, and remember to create that directory if
necessary!
The /etc/apache2/sites-available directory is not parsed by Apache2.
Symbolic links in /etc/apache2/sites-enabled point to "available" sites. Use
the a2ensite (Apache2 Enable Site) utility to create those symbolic links,
like so: sudo a2ensite mynewsite where your site's configuration file is
/etc/apache2/sites-available/mynewsite. Similarly, the a2dissite utility
should be used to disable sites.
10.2.2. Default Settings
This section explains configuration of the Apache2 server default settings. For example,
if you add a virtual host, the settings you configure for the virtual host take precedence
for that virtual host. For a directive not defined within the virtual host settings, the default
value is used.
• The DirectoryIndex is the default page served by the server when a user requests an
index of a directory by specifying a forward slash (/) at the end of the directory name.
For example, when a user requests the page http://www.example.com/this_directory/,
he or she will get either the DirectoryIndex page if it exists, a server-generated directory
list if it does not and the Indexes option is specified, or a Permission Denied page if
neither is true. The server will try to find one of the files listed in the DirectoryIndex
directive and will return the first one it finds. If it does not find any of these files and
if Options Indexes is set for that directory, the server will generate and return a list,
in HTML format, of the subdirectories and files in the directory. The default value,
found in /etc/apache2/apache2.conf is " index.html index.cgi index.pl index.php
index.xhtml". Thus, if Apache2 finds a file in a requested directory matching any of
these names, the first will be displayed.
• The ErrorDocument directive allows you to specify a file for Apache to use for
specific error events. For example, if a user requests a resource that does not
exist, a 404 error will occur, and per Apache2's default configuration, the file
/usr/share/apache2/error/HTTP_NOT_FOUND.html.var will be displayed.
That file is not in the server's DocumentRoot, but there is an Alias directive in
/etc/apache2/apache2.conf that redirects requests to the /error directory to
/usr/share/apache2/error/. To see a list of the default ErrorDocument directives, use this
command: grep ErrorDocument /etc/apache2/apache2.conf
• By default, the server writes the transfer log to the file /var/log/apache2/access.log.
You can change this on a per-site basis in your virtual host configuration files
with the CustomLog directive, or omit it to accept the default, specified in
/etc/apache2/apache2.conf. You may also specify the file to which errors are logged,
via the ErrorLog directive, whose default is /var/log/apache2/error.log. These
are kept separate from the transfer logs to aid in troubleshooting problems with your
Apache2 server. You may also specify the LogLevel (the default value is "warn") and the
LogFormat (see /etc/apache2/apache2.conf for the default value).
• Some options are specified on a per-directory basis rather than per-server. Option is one
of these directives. A Directory stanza is enclosed in XML-like tags, like so:
<Directory /var/www/mynewsite>
...
</Directory>
The Options directive within a Directory stanza accepts one or more of the following
values (among others), separated by spaces:
• ExecCGI - Allow execution of CGI scripts. CGI scripts are not executed if this option
is not chosen.
Most files should not be executed as CGI scripts. This would be very
dangerous. CGI scripts should kept in a directory separate from and outside
your DocumentRoot, and only this directory should have the ExecCGI
option set. This is the default, and the default location for CGI scripts is
/usr/lib/cgi-bin.
• Includes - Allow server-side includes. Server-side includes allow an HTML file
to include other files. This is not a common option. See the Apache2 SSI Howto
[http://httpd.apache.org/docs/2.0/howto/ssi.html] for mor information.
• IncludesNOEXEC - Allow server-side includes, but disable the #exec and #include
commands in CGI scripts.
• Indexes - Display a formatted list of the directory's contents, if no DirectoryIndex
(such as index.html) exists in the requested directory.
For security reasons, this should usually not be set, and certainly should not
be set on your DocumentRoot directory. Enable this option carefully on a
per-directory basis only if you are certain you want users to see the entire
contents of the directory.
• Multiview - Support content-negotiated multiviews; this option is disabled
by default for security reasons. See the Apache2 documentation on this option
[http://httpd.apache.org/docs/2.0/mod/mod_negotiation.html#multiviews].
• SymLinksIfOwnerMatch - Only follow symbolic links if the target file or directory
has the same owner as the link.
10.2.3. Virtual Hosts Settings
Virtual hosts allow you to run different servers for different IP addresses, different host
names, or different ports on the same machine. For example, you can run the website for
http://www.example.com and http://www.anotherexample.com on the same Web server
using virtual hosts. This option corresponds to the <VirtualHost> directive for the default
virtual host and IP-based virtual hosts. It corresponds to the <NameVirtualHost> directive
for a name-based virtual host.
The directives set for a virtual host only apply to that particular virtual host. If a directive is
set server-wide and not defined within the virtual host settings, the default setting is used.
For example, you can define a Webmaster email address and not define individual email
addresses for each virtual host.
Set the DocumentRoot directive to the directory that contains the root document (such as
index.html) for the virtual host. The default DocumentRoot is /var/www.
The ServerAdmin directive within the VirtualHost stanza is email the address used in the
footer of error pages if you choose to show a footer with an email address on the error
pages.
0 comments:
Post a Comment