Tuesday, November 28, 2006

 

Sixth - Certificates, etc

I haven't actually figured out the certificates yet, so I am using the "default" ones that came with Dovecot, Postfix, and Apache...
I did find several instructional web sites and followed a few...you have to create self-signed keys and certificates (key and cert files) for Dovecot and the TLS settings.
Apache needs PEM files, and SSH needs PUB files...
Create them all...

Then install a few programs:
fail2ban - a "firewall" that protects your ports
and anything else you think you need...

 

Fifth - Email

Now, I was clueless about web servers (other than the microsquat crapware) until I started my journey into Linux...and I was even more clueless about setting up and running a mail server...
There are things like MTAs (Mail Transfer Agents) and MDAs (Mail Delivery Agents)...
So in doing my research, I found 2 programs, Postfix (there is a great book, "Postfix: The Definitive Guide (Paperback) by Kyle D Dent") and Dovecot, and I am sure O'Reilly has a book on that too, but it was easy in comparison...
Postfix is an MTA and Dovecot is an MDA.
There is also something called "Procmail" but I have no idea what it is...
You can also use SquirrelMail for webmail access (remember, you now have your own Web Server up and running...) - I haven't done the SquirrelMail thing yet, but I will soon...
Postfix was easy enough to set up, but there were some config issues. The information you can find on the web and on IRC is easy to understand and, if you follow the advice, will get you running.
Dovecot was easy enough to set up. Once postfix was running, everything else was easy...Dovecot will support POP3 and IMAP, but because of security reasons, I suggest you use IMAP...
I am still having issues with IMAP, I won't be shy about telling you the things I like and hate about any of the programs I use...but with IMAP you have the ability to have multiple folders on the server, so you can create rules and move mail around. Mine, however, won't let me create sub folders to my folders...a pain to be sure.
I found out that this is actually fixed in a newer version of Postfix and a setting...there is a setting for outlook and outlook express too, use them both for mixed networks.
But other than that, local folders work, so I have Thunderbird (easy and simple) running as the client, and I get all my email at 4 different addresses and 2 different sources...
My son and wife have email on this box as well.
There are settings to handle all the aliasing to get email from all your owned domains and any user on your box...
Really good stuff.

 

Fourth - Web Serving

I think I have told you all about how much money I was spending on a monthly basis to get email and web services, if not, it was $50 a month. This might be fine and good as I had like 4 domain names, and 6 email addresses...but $50 a month = $600 a year.
So, as I set up this linux server, I decided to include the Web Server, HTTPD or Apache...
This was actually simple.
Install the Apache server or HTTPD
I took the httpd.conf file from a friend who is also using Linux and Apache. I found out that I have to use what is called a "virtual server" to have multiple web domains on one machine (one IP address)...his config file happened to also have virtual domains.
There are at least 2 files that have to be set up: the httpd.conf and the virtual domain files. Since I don't know squat about this, I have to learn. The way I learn best is to imitate...
I set mine up to look like his. It took me a while to understand all the settings I had to change to make his (a Debian server) match mine (a Fedora server) and to match my machine settings (my server name and domains, IP address, firewall, etc).
With the help of the already in existence files and the setup info on the web, I got most everything set up, but it still wasn't working.
It turns out there was a problem with folder permissions. A friend hacked it out in under a minute.
This was something new to me, but files, directories and all things linux have permissions for both users and groups. A security thing.
Once that was done everything started to work just fine. I now have 3 of my Domains hosted at home, the 4th is not mine to host, it belongs to South Ogden CERT...we will have to find a new solution for them.
So now, all I have to do is put my webs back on the new server, and start serving up the stuff I had before...I still have a lot of content to add...but, well, that is how it goes when you don't have any time.
In any case, there are some great resources at Apache.org on setting up your web server...if I can do it, ANYONE can...

Thursday, November 16, 2006

 

Third Item - Internal Network Protection

I don't think I would have believed it, but I have experienced it. People trying to hack my system...like I have something they want, like my system is something special...
The reality is, most attacks are from kids who are bored. They have bots that walk the network looking for open ports on all available IP addresses. When they find one that is open, they play with it. This "playing" might be benign, or it might be malicious. Why take the chance...?

So I figured I should secure my network.
I put in a Linux powered router from Linksys, a WRVS4400N Wireless Router with Wireless A/B/G/N capability. It is also seriously security minded.
Trust me, don't skimp on this hardware. Spend the money.

I would suggest at least 2 layers of protection, a good hardware firewall/router and a good software firewall. Linux has several nice features, including restriction of individual ports, and a better user/password setup than that which Windows uses. There are other features that protect your Linux system.

Most of that is done without your knowledge, as the system requires logins to access...
SSH also allows for using certificates only, but I haven't gone into that yet. Better, download and install Fail2Ban...this is a cool utility that scans different services (their logs) and looks for failed access attempts. You can set it for the number of attempts...then it sets a lock against the IP address in the iptables, for a limited time (that way, your iptables file doesn't grow to the size of your hard disk).
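To show what the fail2ban behaviour described here (and in the "Sixth" item above) actually boils down to, here is an added toy detector of my own, not code from the blog or from the fail2ban project: it scans constructed sshd log lines, counts failed logins per source IP inside a time window, and records a ban with an expiry so the ban list stays bounded. The log lines, IPs, thresholds and the hypothetical `ban_rules` helper are all made up for the demo.

```python
"""Toy fail2ban-style scanner (added example, not fail2ban's own code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format; the year (2006) is assumed.
SAMPLE_LOG = """\
Nov 28 21:10:01 box sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Nov 28 21:10:03 box sshd[2203]: Failed password for root from 203.0.113.7 port 4025 ssh2
Nov 28 21:10:05 box sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 4031 ssh2
Nov 28 21:10:09 box sshd[2209]: Accepted publickey for dave from 192.168.41.20 port 51022 ssh2
Nov 28 21:10:12 box sshd[2211]: Failed password for dave from 192.168.41.20 port 51030 ssh2
Nov 28 21:10:40 box sshd[2220]: Failed password for invalid user guest from 198.51.100.9 port 1044 ssh2
Nov 28 21:20:45 box sshd[2290]: Failed password for invalid user guest from 198.51.100.9 port 1050 ssh2
Nov 28 21:20:47 box sshd[2292]: Failed password for invalid user guest from 198.51.100.9 port 1052 ssh2
"""

# Matches only failed password attempts; successful logins are ignored.
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) ")

def parse_time(stamp, year=2006):
    """syslog stamps carry no year, so one is assumed (as fail2ban must)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def scan(log_text, maxretry=3, findtime=timedelta(minutes=10), bantime=timedelta(minutes=30)):
    """Return {ip: ban_expiry} for IPs with >= maxretry failures inside findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}                     # ip -> datetime when the ban expires
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        when, ip = parse_time(m.group(1)), m.group(2)
        if ip in bans and bans[ip] <= when:
            del bans[ip]          # expired ban: the rule would be removed
        if ip in bans:
            continue              # already banned, nothing more to count
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > findtime:
            q.popleft()           # drop failures older than the window
        if len(q) >= maxretry:
            bans[ip] = when + bantime
            q.clear()
    return bans

def ban_rules(bans):
    """Hypothetical helper: render the temporary iptables rules as strings."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # expires {exp}"
            for ip, exp in sorted(bans.items())]
```

Only 203.0.113.7 trips the threshold; 198.51.100.9 has three failures too, but the first falls outside the ten-minute window, which is the kind of slow probing a short findtime will miss.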

With all the logged activity against my server, I have wondered what I could do about it. So I think I will work out a system that will email the fail2ban info to the technical contact email of the whois log. Try doing THAT with Windows Servers...

There are many things you can do for security via obscurity...
Don't use the normal internal IP that is offered by your DHCP (router) server, 192.168.0.0. Use something different, 192.168.41.0 for instance.
Disable the Guest accounts.
Require a certificate when using SSH
Disable FTP
With Wireless, don't broadcast your SSID, use WPA or something similar that requires a key or certificate
Lock your wireless down to MAC Addresses of the allowed machines (and even wired, if you can)...
Don't use your name as a login...and don't use dictionary passwords...
There are more items, but they don't count for my network, because my DHCP isn't the Linux Box...but if it were,
you can have trusted and untrusted sides to your network, both wired and wireless. You can set up vlans and other inter network security.
Create a virtual machine, or honeypot, and an IP tracer for Intrusion Protection...

Wednesday, November 15, 2006

 

Second Item - Linux

After I got the hardware running, I had to decide what distro of Linux to use. I wouldn't be laughing too hard if I were you...
This is more difficult than you might think!
Take a look at this WIKI site, see for yourself...
http://en.wikipedia.org/wiki/List_of_Linux_distributions
Now, YOU pick one...
Ok...so once I decided that I would like to stick with what I know: (Red Hat or in this case...) Fedora...they were ready to pop out Core 6, but I never trust new versions of software...so I am using Core 5.
The installation went off without a hitch...it sees 200 gb of Hard Disk space, and utilizes the memory just fine, I was able to select the custom styled install and add all the server components: FTP, HTTP, SQL, DHCP, DNS, Postfix, Dovecot, etc...
I originally wanted to do a RAID, but the hardware cost as much as this whole system...there is a breaking point for my pocketbook.
Lucky for me, all I had to do was tell the installer to use all available HDD space, and it filled it the way it saw best, using the LVM stuff (I don't fully understand, but it is something like RAID, only, not RAID...)
And I also installed many of the unnecessaries, mostly because I didn't know what I would want, or even if I would be using this machine for more than a server...
Due to my comfort level and inexperience with things like this, I even included the GUI, so I could see what I am doing...unfortunately, it didn't help much...
So, never mind that...the point is, this setup was easy and painless.
The more difficult part is still to come. Setting up the programs to work...

 

First Item - Machines & Hardware

As mentioned previously, I built a machine that I am now using as a server.
I picked up an old DELL Precision 220. At the time it had 256 mb ram, a 20 gb SCSI HDD, and a single P3-733 processor. It isn't a particularly hefty machine, but it was adequate for storing most of my work items.
I took and spent some time on E-Bay (we love E-Bay) and found a second proc with the same model number and step. I also picked up the voltage regulator required to convert one of these machines into a dual proc. Then I picked up another 256 mb RDRAM for it.
On DigitalDeals.net I found a couple of 100 gb HDD, IDE not SCSI, but my MoBo has both buses. So I got them for $30 each.
So, all in total, maybe $400 for a fairly decent system.
Now, you could try to run a Windows Server on this hardware, but I would simply say, "Good Luck"...
I worked for Microsoft for 6 years, and I wouldn't try it. Besides, if Microsoft cannot trust their data to Windows Server, why should I?
I also picked up a good hardware firewall, a Linksys WRVS4400N.
I got it all put together, and installed Fedora Core 5. This was the easy part...yah, the hard part is still to come.
1 - Setting up the Web Server
2 - Setting up the Email Server
3 - All the other things I forgot

 

What I decided to do with Linux

So, it's been a while...
I decided to go with Fedora Core on my work machine, and while it feels more polished than SUSE, I am still having a variety of troubles with it...like, I cannot get any of the special features to work, even though my hardware supports it. I guess I just haven't figured it out yet, but hey, I'm just learning.
Since I have started working with Linux at work, and getting to a point where I can use the 15 years knowledge I have of operating systems in general, I decided it was time to start migrating systems at home to some distro or another. First, I would like to set up a server.
Why?
Well, I am spending a lot of money on web hosting and email and internet access, etc. And I need to find a way to cut some costs. So, if I host all my stuff on my own machine, well, I save money...
I chose Fedora Core 5 for my server. I took my old Dell Precision 220, (Dual Proc PIII-733, 2 x 100 gb HDD, 512 RDRAM), and I turned it into a server. I will go into the setup later.
The whole idea is to make a machine that I can use to host my own services, save a little money, build my resume, learn something new, etc.
I was paying a good company $50 a month for email and web hosting of my 3 domains. This adds up quickly...$600 a year. But you cannot forget the costs of the internet connection itself, at $45 a month...or $540 a year. Over $1000 a year for internet and services.
Now, sure, I would just use Comcast, and have email and a personal page, and a blog, etc...most of the other types of services, and they can be had for free. But I run a home business, and I need a web page and domains and emails...
Well... now I have taken Linux, my old Dell, and set things up on it, and have Dynamic DNS for $75 a year...a savings of over $500.
Details to follow
