Motivation
Consider
Expectation
Requirements
Download
Install
Packages
Configuration
Basic
Network
Network config file
ADSL setup
ADSL settings
DHCP
IPTables
Samba
Apache
SSHD
CRON
Crontab
Tripwire
FTP Daemon
Motivation
After years of promising myself that I would get to grips with Linux, it was only in December 2000 that I started using Redhat 7.0. I had signed up for ADSL from MXStream / XS4All and needed a server that stays online 24/7. What better time to start with Linux? I write this document because the existing how-tos are often outdated and too detailed; they are perfect if you want to know more than is absolutely required.
Consider
You are probably here because you want a step-by-step explanation of how to build such a creature of your own. No problem, I will do my best to help you out. However, I expect you to understand what you are doing. By no means am I an expert, but I have had to figure it out the hard way. Google and Google Groups are your best friends in this quest. You will need free time: not months, but do not expect a GUI where you click it all together in a day. Things will go wrong. If you do NOT have a permanent connection to the Internet, reconsider using a server. Then again, if you do not have a cable/ADSL/T1+ connection, reconsider.
Expectation
I expect that you have an 'old' system lying around. It will be used as a server. It will be dedicated to running Linux for Internet serving purposes. You are not using a RAID system. It is an x86 compatible system. If your scenario varies, you will not find all the required INSTALLATION information in this document. Configuration will be largely identical.
Requirements
1) Time
2) A chip: a Pentium I 100MHz works. I would use a Pentium II 266MHz. AMD, Cyrix, etc. work fine.
3) RAM: 16MB or more. Prefer 64MB.
4) Hard drive: 800MB or more. Prefer 2GB. Those are still around a lot.
5) 2 UTP network cards.
6) Preferred for installation purposes: CDROM, floppy, keyboard, mouse, monitor.
7) Linux Redhat 7.2
Now I cannot help you get 1-6. About point 7: buy it, borrow it, copy it, download it, steal it. Those are your options.
Download
Download from: Red Hat Linux 7.2. Burn the ISO to CD using Nero Burning ROM under Windows. You can also get Red Hat Linux 7.3.
Install
There are several ways you can install Redhat. The best way depends on the system you have available.
Scenario 1: You have an old system that cannot boot from CDROM. You must create boot floppies. Read the RH Floppy Install guide, boot from floppy 1 and follow the instructions. Insert the CDROM when asked.
Scenario 2: You have a newer system. Boot from the CDROM.
Scenario 3: You have no CDROM drive and/or floppy drive. Borrow them; it really helps. Other distributions such as SuSE and Debian can be installed over FTP using ~6 floppies. Very nice, but Redhat cannot. You will not need the CDROM and floppy drive later.
I will not walk you through each screen. I suspect you have installed Windows before, and this is really not much different. Choose graphical mode. Set your language and time. Choose to install Redhat as a server; we do not want X Window with Gnome or KDE. Let the RedHat setup do the hard drive partitioning for you. It is most likely fine, but you might want to check to be sure. Redhat creates a / and a swap partition. If you want other partitions (/home, for instance) you will have to adjust the settings manually. I expect that you can figure that out yourself.
Packages
Redhat works with RPM packages. They are very handy for the lazy and the relatively unsuspicious. RPMs are ready-to-install software packages: just type rpm -i package.rpm and the software is installed. Preferably you spend quite a bit of time choosing the packages you want RedHat to install. Installing only what you require will make your server cleaner, more secure, more understandable and generally better. Complete the installation and reboot. If everything is OK, you should be at the login prompt. Log in as root with the password you entered during setup. Use a difficult password and never tell anyone. Not even friends who know Linux, hehe. Really!
Configuration
In this part I am going to explain each configuration file that I use for each piece of software running on my server. This is against all rules of security and sanity, but that is something I could never find on the Internet.
Basic
Network
We start with basic network capability. You should also read the home-network mini-HOWTO. First we need to make sure networking is turned on. Edit the file /etc/sysconfig/network and make sure the following lines exist:
Network config file
# File: /etc/sysconfig/network
NETWORKING=yes 
FORWARD_IPV4=yes
HOSTNAME="my_machine_name"
All the network interface settings for Red Hat and Red Hat derivatives are contained in files in the /etc/sysconfig/network-scripts directory. Enter that directory and create a new file ifcfg-eth1 for the card facing the LAN. Note that the DHCP, firewall and Samba settings further down use the 192.168.84.0/24 network, so the address you give eth1 must be on the same network as those. Put the following into the ifcfg-eth1 file:
# File: /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
IPADDR=192.168.1.1
# Netmask of the LAN; without it ifup falls back to the old class-based default
NETMASK=255.255.255.0
ONBOOT=yes
For the network card that goes to the ADSL modem use eth0
# File: /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
IPADDR=10.0.0.150
# Netmask of the modem network (a /24, not the class A default for 10.x)
NETMASK=255.255.255.0
ONBOOT=yes
I have the local network set up as shown in the home network picture: 1 to 8 clients on a switched 10/100 Mbit/s LAN. The Internet gateway is the Redhat Linux server (from here on called the "RHServer"), which connects to an ADSL modem. The clients receive an IP address from the DHCP daemon on the RHServer.
ADSL setup
ADSL settings
DHCP
The Dynamic Host Configuration Protocol lets clients get the correct network settings automatically from a DHCP Daemon (server).
# file: /etc/dhcpd.conf
# Lease length (seconds) handed out when a client does not ask for a specific one
default-lease-time 7200;

# Longest lease (seconds) a client may request
max-lease-time 86400;

# Clients will get this subnet-mask
option subnet-mask 255.255.255.0;

# Clients will get this broadcast address
option broadcast-address 192.168.84.255;

# This is the gateway address (IP of RHServer)
option routers 192.168.84.1;

# These are the DNS servers
# The first one is the RHServer which will also run a DNS daemon
# The second and third DNS servers are my ADSL providers'
option domain-name-servers 192.168.84.1, 194.109.6.66, 194.109.9.99;

# Set the subnet settings for the ADSL modem side. Network card: ETH0
subnet 10.0.0.0 netmask 255.255.255.0 {

# Only one IP address is required for this side
   range 10.0.0.150 10.0.0.150;
}

# These are the variable IP addresses for visitors
subnet 192.168.84.0 netmask 255.255.255.0 {
   range 192.168.84.110 192.168.84.120;
}

# Define the individual IP addresses for each client
host <yourmachinename> {
   hardware ethernet 00:00:00:68:d1:f5;
   fixed-address 192.168.84.104;
}
host <yourmachinename2> {
   hardware ethernet 00:00:00:B8:5B:45;
   fixed-address 192.168.84.105;
}
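Before restarting dhcpd it pays to check that the fixed addresses in the host blocks do not fall inside the dynamic range and that no MAC address or IP is listed twice; dhcpd loads such a file without complaint and you only notice when two clients fight over one address. The following is an added example, not part of the original how-to: a shell/awk check that reads a dhcpd.conf on stdin and prints one line per problem. The embedded config is a constructed sample in the same layout as the file above, with a deliberately broken third host; the function names are mine.

```shell
#!/bin/sh
# Added example: consistency checks for a dhcpd.conf such as the one above.
# Reads the config on stdin and prints one line per problem found.

# Constructed sample that mirrors the page's layout; the third host entry is
# deliberately wrong (reused MAC, address inside the dynamic range).
DHCPD_SAMPLE=$(cat <<'EOF'
default-lease-time 7200;
max-lease-time 86400;
option routers 192.168.84.1;
subnet 10.0.0.0 netmask 255.255.255.0 {
   range 10.0.0.150 10.0.0.150;
}
subnet 192.168.84.0 netmask 255.255.255.0 {
   range 192.168.84.110 192.168.84.120;
}
host pc1 {
   hardware ethernet 00:00:00:68:d1:f5;
   fixed-address 192.168.84.104;
}
host pc2 {
   hardware ethernet 00:00:00:B8:5B:45;
   fixed-address 192.168.84.105;
}
host laptop {
   hardware ethernet 00:00:00:b8:5b:45;
   fixed-address 192.168.84.115;
}
EOF
)

dhcp_check_conf() {
  awk '
    # dotted quad -> integer, so subnet membership is plain arithmetic
    function ip2n(ip,   o) { split(ip, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
    { sub(/#.*/, ""); gsub(/;/, "") }              # drop comments and semicolons
    $1 == "subnet" && $3 == "netmask" {             # start of a subnet block
      ns++; net[ns] = ip2n($2); block[ns] = 4294967296 - ip2n($4); cur = ns; next
    }
    $1 == "range" && cur {                          # dynamic pool of the current subnet
      lo[cur] = ip2n($2); hi[cur] = ip2n($3 == "" ? $2 : $3); next
    }
    $1 == "host" { cur = 0; hname = $2; next }      # start of a host block
    $1 == "hardware" && $2 == "ethernet" {
      mac = tolower($3)
      if (mac in seenmac) print "duplicate MAC " mac ": " hname " and " seenmac[mac]
      else seenmac[mac] = hname
      next
    }
    $1 == "fixed-address" {
      ip = $2; n = ip2n(ip); insub = 0
      if (ip in seenip) print "duplicate fixed-address " ip ": " hname " and " seenip[ip]
      else seenip[ip] = hname
      for (i = 1; i <= ns; i++) {
        if (n - (n % block[i]) != net[i]) continue   # not in this subnet
        insub = 1
        if (lo[i] && n >= lo[i] && n <= hi[i])
          print "host " hname " fixed-address " ip " lies inside the dynamic range of subnet " i
      }
      if (!insub) print "host " hname " fixed-address " ip " is in no declared subnet"
    }
  '
}

# Convenience wrapper that runs the check over the constructed sample.
dhcp_check_sample() {
  printf '%s\n' "$DHCPD_SAMPLE" | dhcp_check_conf
}

dhcp_check_sample
```

Run it against the real file with `dhcp_check_conf < /etc/dhcpd.conf` before `service dhcpd restart`; a clean file prints nothing.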
IPTables
I have not taken the time to build my own IPTables firewall script, so instead I use the ADSL4Linux/BovenDelft script, which can be found here. It is very simple to install and run. My configuration file is as follows:
# File: /etc/adslfirewall.conf
#
# This is the configuration file of the firewall delivered by ADSL4Linux
#
# Created by:
# M.J. Prinsen - dompie@mail.com
# http://www.adsl4linux.nl
#
#
# $Id: adslfirewall.conf,v 1.15 2001/11/12 20:53:21 dompie Exp $
#

#----------------
# Initialisation
#----------------

export ext_if=ppp+

# If you have a static IP-address use this
export ext_ip=213.84.25.152

# Uncomment this line if you have a dynamic IP-address and comment the line above !!!
# Also say dyn_ip=y if you have a dynamic IP-address
# export ext_ip=`/sbin/ifconfig ppp0 | awk '/inet addr:/ { print $2 }' | awk '{ split($0,ip,":") } END { print ip[2] }'`;
dyn_ip=n

# Assign the internal IP's
export local_if=eth1			# example: local_if="eth1"
export local_ip=192.168.84.1			# example: local_ip="192.168.1.1"
export local_net=192.168.84.0/24			# example: local_net="192.168.1.0/24"

# Assign modem IP
export modem_ip=10.0.0.138
export modem_net=10.0.0.0/24
export modem_eth=eth0			# example: modem_eth="eth0"
export modem_ethip=10.0.0.150			# example: modem_ethip="10.0.0.100"

# Broadcast address
export broadcast=255.255.255.255

# Ports
export unpriv_ports="1024:65535"

# Assign ntp IP 
export ntp_ip="194.109.6.65"			# example: ntp_ip="194.109.6.65 195.121.1.66"  
						#(ntp.xs4all.nl / ntp.planet.nl)
						# more than one ntp-server allowed

# Assign masqueraded machine IP
# Set this to an IP-address of a client-machine that is running VNC
export masq_machine_ip=192.168.84.105

# Private network classes
class_a="10.0.0.0/8"
class_b="172.16.0.0/12"
class_c="192.168.0.0/16"
class_d="224.0.0.0/4"
class_e="240.0.0.0/5"


#-------------------------------
# Enable features and services 
#-------------------------------
# Features
load_modules=n			# > Load kernel modules - if not compiled within the kernel
initialize_kernel=y		# > Enable kernel specific firewall rules and ip_forward
accept_pings=y			# > Accept all icmp or choose only to accept pings from www.watchmyserver.com (195.179.115.45)
mangle_tos=y			# > Optimize out- and throughput
refuse_common_ports=y	  	# > Especially necessary to set this feature when opening ALL unpriv_ports
block_trojans=y	  		# > Especially necessary to set this feature when opening ALL unpriv_ports
check_flags_packets=y		# > Especially necessary to set this feature when opening ALL unpriv_ports
spoofing_protection=y		# > Generic spoofing protection
abnamro=n			# > Route HomeNet through firewall :)
vnc_with_server=n	  	# > It is more secure to establish a VNC-connection with Linux server via a SSH-tunnel
			  	#   Establish an unencrypted VNC-connection with Linux server
			  	#   Default display :1
vnc_with_masq_machine=n		# > Set masq_machine_ip as well (see above)
				#   It is more secure to establish a VNC-connection with Linux server
				#   Default display :10 (only iptables)

private_rules=y			# > If you feel the need for private firewall rules.
				# > Add path to file with private firewall rules, permission chmod 0700
path_private_rules=/usr/local/sbin/privaterules

ip_block=n			# > If you want to block certain IP-numbers permanently
				# > Add path to file with IP-numbers to block permanently, permission chmod 0700
				#   Example: "xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy zzz.zzz.zzz.zzz"
path_ip_block_file=/usr/local/sbin/ipblockfile

icq_filetransfer_all=n		# > Caution!!! Setting this to "y" will open ALL unpriv_ports
icq_filetransfer_friends=n	# > Restricted ICQ filetransfer based on IP-address
				#   Fill in IP-addresses below
icq_friends=""			# > Example: icq_friends="194.109.1.65 213.121.1.86"  


# Services
ftp_active=y			# > Enable active FTP - port 20
ftp_passive=y			# > Enable passive FTP - port 21
ftp_client=n			# > Enable active FTP with a FTP client to a remote server (only ipchains)
ssh=y				# > Enable SSH - port 22
telnet=y			# > Enable Telnet - port 23 - caution! not really secure (plain passwords)
smtp=y				# > Enable SMTP (mailserver) - port 25
dns=y				# > Enable DNS - port 53 - when running an own DNS-server only
dhcp=y				# > Enable DHCP - port 67 - when running an own DHCP-server only
http=y				# > Enable HTTP - port 80 - when running an own webserver
https=y				# > Enable HTTPS - port 443 - when running an own webserver with SSL
pop3=n				# > Enable POP3 - port 110 - when running a POP3-server
pop3s=n				# > Enable POP3S - port 995 - when running a POP3-server with SSL
auth=n				# > Enable ident - port 113 - when running an ident-server
ntp_tcp=n			# > Enable NTP - port 123 - when running a time-server
				#   Set ntp_ip as well (see above)
ntp_udp=n			# > Enable NTP - port 123 - when running a time-server (often only UDP is enough)
				#   Set ntp_ip as well (see above)
imap=y				# > Enable IMAP - port 143 - when running an IMAP-server
imaps=n				# > Enable IMAPS - port 993 - when running an IMAP-server with SSL
webmin=n			# > Enable Webmin - port 10000 - only if using webmin from a remote location

# That's it! Run the firewall and check your options!
Samba
Samba uses the SMB protocol to allow connections to and from MS-Windows machines. In my case the RHServer is the Primary Domain Controller (PDC) of the LAN. The clients in the network log in to the RHServer and can then use its shared directories. A logon script is run that maps the drives and sets the time. Samba runs as smbd and nmbd and is started from the /etc/rc.d/init.d/smbd script. The settings I use are shown in the following smb.conf file:
# File: /etc/samba/smb.conf

# Global parameters
[global]
# The RHServer workgroup name
	workgroup = <yourworkgroup>
# The RHServer name
	netbios name = <your RHServer Name>
# The RHServer description
	server string = <your RHServer description>
# Act as a WINS server for the LAN
	wins support = yes
# Use this IP address
	interfaces = 192.168.1.1/24
# Share directories at the user level
	security = user
# Use encrypted passwords
	encrypt passwords = Yes
	update encrypted = Yes
# Find the allowable users in this file
	username map = /etc/samba/smbusers
# Write a separate log file per client machine (%m)
	log file = /var/log/samba/%m.log
# Unlimited log file size.. logrotate takes care of this
	max log size = 0
# Set some optimization options
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# Use domain logons
	domain logons = yes
# Let the RHServer force itself (overruling the clients) to be a Master Browser
	os level = 34
# The RHServer is also a time server
	time server = yes
# Enable being a Master Browser
	local master = Yes
# Let the RHServer force itself (overruling the clients) to be a Master Browser (again)
	preferred master = Yes
# The RHServer is the domain master
	domain master = Yes
# All the users in the @adm group are Samba administrators
	domain admin group = @adm
# Use the username.bat file for each user
	logon script = %U.bat
# I prefer not using proxies
	dns proxy = No
# Use this account for guests/anonymous users on the LAN
	guest account = pcguest
# Default hide hidden files for the clients
	hide dot files = yes
# Only allow internal IP addresses to use Samba
	hosts allow = 192.168.84. 127.
# There is no printer connected
#	printing = lprng

# Create a Share to the user's home dir
[homes]
# Guests do not have a home directory
	guest ok = no
# Users may write to their home directory
	read only = no
# Files are created with read/write/executable flags only for the user
	create mask = 0700
# Same for directories
	directory mask = 0700
# Do not use optimistic locking
	oplocks = false
# Do not use locking
	locking = no

# Define the location where the logon scripts are located
[netlogon]
	comment = NINBIG domain logon service
	path = /etc/samba/logon
	public = No
	writeable = No
	browseable = No

# Create our first share. This one is read-only for guests
[music]
	comment = NINBIG's music
	path = /mnt/bigdisk2/music
	writeable = No
	guest ok = Yes

# This is similar to the Share above except all users in the Samba group can read/write here.
# Files are created as group Samba and read/write for this group. Read only for all other users.
# Directories must always be executable or they cannot be opened.
[music4us]
	comment = NINBIG's music
	path = /mnt/bigdisk2/music
	writeable = Yes
	guest ok = No
	browseable = No
	valid users = @samba
	force group = samba
	create mask = 0664
	directory mask = 0775

# This is the writable upload dir for FTP and local anonymous SAMBA users
[upload]
	comment = NINBIG's upload
	path = /mnt/bigdisk/upload
	writeable = Yes
	guest ok = Yes

# A share restricted to one person
[duffeaap]
	comment = Duffeaap.com
	path = /mnt/bigdisk2/www/duffeaap
	writeable = Yes
	guest ok = No
	browseable = No
	valid users = duffeaap
	create mask = 0644
	directory mask = 0775

# A non-writable share for one person. See the CRON section for more details.
[backupdennis]
	comment = Backup van Duffeaap
	path = /mnt/bigdisk2/backup/duffeaap
	writeable = No
	guest ok = No
	browseable = No
	valid users = duffeaap
Apache
Apache is by far the most popular web server in the world, with around 60% market share and holding strong despite Microsoft's attempts with IIS. Apache is well known for its stability and customizability, which I think is a word. I have cut out the original comments to allow for a shorter and clearer config file. I only comment on lines that I have changed with respect to the original httpd.conf file.
# File: /etc/httpd/conf/httpd.conf

### Section 1: Global Environment

ServerType standalone
ServerRoot "/etc/httpd"
LockFile /var/lock/httpd.lock
PidFile /var/run/httpd.pid
ScoreBoardFile /var/run/httpd.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 20
StartServers 8
MaxClients 150
MaxRequestsPerChild 100
# Enter your external IP address and port
Listen 213.84.25.152:80

# Modules
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule env_module         modules/mod_env.so
LoadModule config_log_module  modules/mod_log_config.so
LoadModule agent_log_module   modules/mod_log_agent.so
LoadModule referer_log_module modules/mod_log_referer.so
LoadModule mime_module        modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule status_module      modules/mod_status.so
LoadModule info_module        modules/mod_info.so
LoadModule includes_module    modules/mod_include.so
LoadModule autoindex_module   modules/mod_autoindex.so
LoadModule dir_module         modules/mod_dir.so
LoadModule cgi_module         modules/mod_cgi.so
LoadModule asis_module        modules/mod_asis.so
LoadModule imap_module        modules/mod_imap.so
LoadModule action_module      modules/mod_actions.so
LoadModule userdir_module     modules/mod_userdir.so
LoadModule alias_module       modules/mod_alias.so
LoadModule rewrite_module     modules/mod_rewrite.so
LoadModule access_module      modules/mod_access.so
LoadModule auth_module        modules/mod_auth.so
LoadModule anon_auth_module   modules/mod_auth_anon.so
LoadModule db_auth_module     modules/mod_auth_db.so
LoadModule expires_module     modules/mod_expires.so
LoadModule headers_module     modules/mod_headers.so
LoadModule setenvif_module    modules/mod_setenvif.so
# This module I added to limit the bandwidth of Apache
LoadModule bandwidth_module   modules/mod_bandwidth.so
<IfDefine HAVE_PERL>
LoadModule perl_module        modules/libperl.so
</IfDefine>
<IfDefine HAVE_PHP>
LoadModule php_module         modules/mod_php.so
</IfDefine>
<IfDefine HAVE_PHP3>
LoadModule php3_module        modules/libphp3.so
</IfDefine>
<IfDefine HAVE_PHP4>
LoadModule php4_module        modules/libphp4.so
</IfDefine>
<IfDefine HAVE_DAV>
LoadModule dav_module         modules/libdav.so
</IfDefine>
<IfDefine HAVE_ROAMING>
LoadModule roaming_module     modules/mod_roaming.so
</IfDefine>
<IfDefine HAVE_SSL>
LoadModule ssl_module         modules/libssl.so
</IfDefine>


ClearModuleList
AddModule mod_vhost_alias.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_log_agent.c
AddModule mod_log_referer.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_auth_anon.c
AddModule mod_auth_db.c
AddModule mod_expires.c
AddModule mod_headers.c
AddModule mod_so.c
AddModule mod_setenvif.c
# Add the bandwidth module here again. The order here is important!
AddModule mod_bandwidth.c
<IfDefine HAVE_PERL>
AddModule mod_perl.c
</IfDefine>
<IfDefine HAVE_PHP>
AddModule mod_php.c
</IfDefine>
<IfDefine HAVE_PHP3>
AddModule mod_php3.c
</IfDefine>
<IfDefine HAVE_PHP4>
AddModule mod_php4.c
</IfDefine>
<IfDefine HAVE_DAV>
AddModule mod_dav.c
</IfDefine>
<IfDefine HAVE_ROAMING>
AddModule mod_roaming.c
</IfDefine>
<IfDefine HAVE_SSL>
AddModule mod_ssl.c
</IfDefine>

### Section 2: 'Main' server configuration
# Listen on port 80 - the default HTTP port
Port 80
# Run the daemon under this user
User apache
Group apache
# The general e-mail address for this server
ServerAdmin postmaster@duffeaap.com
# The name of the server
ServerName www.duffeaap.com
# Location of default html documents
DocumentRoot "/var/www/html"
# These aliases are used for webmail.
Alias /mail /var/www/html/horde/imp
Alias /horde/ /var/www/html/horde/

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/var/www/html">
    Options Indexes Includes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# These security settings are for the webmail components
# We do not want people wandering around the configuration files
<Directory "/var/www/html/horde/config">
    order deny,allow
    deny from all
</Directory>
<Directory "/var/www/html/horde/lib">
    order deny,allow
    deny from all
</Directory>
<Directory "/var/www/html/horde/locale">
    order deny,allow
    deny from all
</Directory>
<Directory "/var/www/html/horde/templates">
    order deny,allow
    deny from all
</Directory>
<Directory "/var/www/html/horde/imp/config">
    order deny,allow
    deny from all
</Directory>
<Directory "/var/www/html/horde/imp/lib">
    order deny,allow
    deny from all
</Directory>
<Directory "/var/www/html/horde/imp/locale">
    order deny,allow
    deny from all
</Directory>
<Directory "/var/www/html/horde/imp/templates">
    order deny,allow
    deny from all
</Directory>

UserDir public_html

# Order of the default documents
DirectoryIndex index.html index.htm index.shtml index.php index.php4 index.php3 index.cgi
AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

UseCanonicalName On
TypesConfig /etc/mime.types
DefaultType text/plain

ErrorLog /var/log/httpd/error_log

LogLevel warn

# I prefer to catch extended logging of page requests
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

ServerSignature On

Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

IndexOptions FancyIndexing

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

ReadmeName README
HeaderName HEADER

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

AddEncoding x-compress Z
AddEncoding x-gzip gz tgz

AddLanguage en .en
AddLanguage fr .fr
AddLanguage de .de
AddLanguage da .da
AddLanguage el .el
AddLanguage it .it

LanguagePriority en fr de

<IfModule mod_php4.c>
  AddType application/x-httpd-php .php4 .php3 .phtml .php
  AddType application/x-httpd-php-source .phps
</IfModule>

<IfModule mod_php3.c>
  AddType application/x-httpd-php3 .php3
  AddType application/x-httpd-php3-source .phps
</IfModule>

<IfModule mod_php.c>
  AddType application/x-httpd-php .phtml
</IfModule>

AddType application/x-tar .tgz

AddType text/html .shtml
AddHandler server-parsed .shtml
AddHandler imap-file map

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0


<IfModule mod_perl.c>
  Alias /perl/ /var/www/perl/
  <Location /perl>
    SetHandler perl-script
    PerlHandler Apache::Registry
    Options +ExecCGI
  </Location>
</IfModule>

Alias /doc/ /usr/share/doc/
<Location /doc>
  order deny,allow
  deny from all
  allow from localhost
  Options Indexes FollowSymLinks
</Location>

# Define the settings for the bandwidth module
# Turn the module on
BandWidthModule on
<Directory "/mnt/bigdisk2/www">
# For this directory limit all files to 20KB/s
	BandWidth all 20000 
</Directory>

### Section 3: Virtual Hosts
# Define the virtual host address

NameVirtualHost 213.84.25.152:80
NameVirtualHost 192.168.84.1:80

# I run about 6 websites with domain names on one server.
# To do this you must use virtual hosts.
# With an http request the requested domain name is also sent to the http daemon. (contrary to an FTP connection!)
# This means that Apache can distinguish different domain names on 1 IP address.

<VirtualHost 213.84.25.152 192.168.84.1>
# The content for www.duffeaap.com can be found at this physical location
	DocumentRoot /mnt/bigdisk2/www/duffeaap
# The name of this virtual host
	ServerName www.duffeaap.com
# I use separate log files for each virtual host, so statistics can be made up easily.
# You must turn off general logging above.
	CustomLog /var/log/httpd/access_log_duffeaap combined
# For the root of this virtual host allow directory browsing and symbolic links
	<Directory />
		Options Indexes FollowSymLinks
	</Directory>
# For the PHPMYSQL tool allow only access from 1 IP address. This is my Win2K workstation.
	<Directory /mnt/bigdisk2/www/duffeaap/phpmysql>
		Order Deny,Allow
		Deny from all
		Allow from 192.168.84.105
	</Directory>
# Redirect requests for http://www.duffeaap.com/mail to the SSL part at: https://www.duffeaap.com/mail
# This is for the webmail component
	Redirect /mail/ https://www.duffeaap.com/mail
</VirtualHost>

# Just another virtual host for an example.
<VirtualHost 213.84.25.152 192.168.84.1>
	DocumentRoot /mnt/bigdisk2/www/fearnloathing
	ServerName www.fearnloathing.com
	CustomLog /var/log/httpd/access_log_fearnloathing combined
	<Directory />
		Options Indexes FollowSymLinks
	</Directory>
	Redirect /mail/ https://www.fearnloathing.com/mail
</VirtualHost>

# SSL settings.
<IfDefine HAVE_SSL>

# The default SSL port
Listen 443

<VirtualHost _default_:443>

# This is also the location of the webmail components
DocumentRoot "/var/www/html"

SSLEngine on

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

<Files ~ "\.(cgi|shtml)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

CustomLog /var/log/httpd/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

</IfDefine>
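The per-virtual-host combined logs above are only useful if someone reads them. As an added example, not part of the original how-to, here is a small awk triage that counts 403 and 404 responses per client and lists every request that touches the Horde directories the config denies; that is the first thing to look at when the daily log mail looks odd. The log lines embedded below are constructed samples in the combined LogFormat defined above, and the function names are mine.

```shell
#!/bin/sh
# Added example: triage of the per-virtual-host "combined" access logs set up
# above. Counts denied (403) and missing (404) responses per client and lists
# requests that hit the Horde directories httpd.conf denies.

# Constructed sample lines in the combined LogFormat; the 10.11.12.13 client
# is poking at the webmail config directories from outside the LAN.
ACCESS_SAMPLE=$(cat <<'EOF'
192.168.84.105 - - [12/Nov/2001:20:53:21 +0100] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
10.11.12.13 - - [12/Nov/2001:20:54:02 +0100] "GET /horde/config/conf.php HTTP/1.0" 403 287 "-" "curl/7.9"
10.11.12.13 - - [12/Nov/2001:20:54:03 +0100] "GET /horde/imp/config/servers.php HTTP/1.0" 403 287 "-" "curl/7.9"
10.11.12.13 - - [12/Nov/2001:20:54:05 +0100] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210 "-" "curl/7.9"
192.168.84.105 - - [12/Nov/2001:20:55:10 +0100] "GET /mail/ HTTP/1.1" 302 310 "-" "Mozilla/4.0"
EOF
)

# access_log_triage: stdin = combined-format log; prints "client 403s 404s"
# for every client that got at least one of either, busiest first.
access_log_triage() {
  awk '
    # combined format: $1 client, $7 request path, $9 status code
    $9 == 403 { denied[$1]++ }
    $9 == 404 { missing[$1]++ }
    END {
      for (c in denied)  hit[c] = 1
      for (c in missing) hit[c] = 1
      for (c in hit) printf "%s %d %d\n", c, denied[c], missing[c]
    }
  ' | sort -k2,2nr -k3,3nr
}

# protected_dir_hits: stdin = combined-format log; prints "client status path"
# for requests under the Horde directories that httpd.conf denies.
protected_dir_hits() {
  awk '$7 ~ /^\/horde\/(imp\/)?(config|lib|locale|templates)(\/|$)/ { print $1, $9, $7 }'
}

printf '%s\n' "$ACCESS_SAMPLE" | access_log_triage
printf '%s\n' "$ACCESS_SAMPLE" | protected_dir_hits
```

On the RHServer you would run it as `access_log_triage < /var/log/httpd/access_log_duffeaap`; a 403 on those paths means the Directory blocks did their job, a 200 means a block is missing.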
SSHD
The Secure SHell Daemon is the preferred method of remote login to the server. SSH can also be used for secure file transfer. As you can see below, I use very little of SSHD's functionality. A very good SSH client for Windows is PuTTY.
# File: /etc/ssh/sshd_config

# This is the default SSHD port
Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600

# Determine which users may have SSH access to the RHServer
AllowUsers myuser
# Remote root access should be turned off.
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes

# Logging
SyslogFacility AUTHPRIV
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords 
#ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication 
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem	sftp	/usr/libexec/openssh/sftp-server
The telnet daemon is the old-fashioned way of logging in to a prompt on a server. Telnet does not encrypt or authenticate anything between the host and the client and is thus stamped *very* insecure. If you installed telnet (which is the default), then you are all set to be 'script-kiddied' (see: Scriptkid from China). Please read the XinetD section on how to turn the telnet daemon off or restrict access.
Secure HTTP (HTTPS) is provided by a module in Apache. Anyone who cares about their online security and privacy to some extent will want to use HTTPS: when I type in my credit card number at Amazon I prefer that no one else can see it. On the RHServer I use HTTPS only for webmail. For public pages it would be nonsense to use encryption.
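As an added example, not part of the original how-to, here is a small audit of the sshd_config settings that matter most on an Internet-facing server. The config above leaves Protocol commented out (so SSH-1 is still offered alongside SSH-2) and keeps password authentication and X11 forwarding on; the script flags those, and the second embedded config shows the same file with those findings fixed. Both configs are constructed from the file above, the hardened values are my suggestions rather than the author's, and the function name is mine.

```shell
#!/bin/sh
# Added example: a quick audit of an sshd_config for the settings that matter
# most on a server reachable from the Internet. Prints one finding per line;
# empty output means nothing to report.

# Constructed config with the same choices as the page's sshd_config.
SSHD_AS_ON_PAGE=$(cat <<'EOF'
Port 22
#Protocol 2,1
AllowUsers myuser
PermitRootLogin no
IgnoreRhosts yes
X11Forwarding yes
PasswordAuthentication yes
PermitEmptyPasswords no
EOF
)

# The same file with the findings fixed (my suggestions, not the page's).
SSHD_HARDENED=$(cat <<'EOF'
Port 22
Protocol 2
AllowUsers myuser
PermitRootLogin no
IgnoreRhosts yes
X11Forwarding no
PasswordAuthentication no
PermitEmptyPasswords no
EOF
)

# sshd_audit: read an sshd_config on stdin. Commented-out directives are
# ignored, so "#Protocol 2,1" counts as unset, and in OpenSSH of that era an
# unset Protocol meant both SSH-2 and the broken SSH-1 were offered.
sshd_audit() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    { key = tolower($1); val = tolower($2) }
    key == "protocol"               { proto = val }
    key == "permitrootlogin"        { root = val }
    key == "passwordauthentication" { pw = val }
    key == "allowusers"             { allow = 1 }
    key == "x11forwarding"          { x11 = val }
    END {
      if (proto == "")      print "Protocol unset: SSH-1 is still offered, add \"Protocol 2\""
      else if (proto ~ /1/) print "Protocol " proto " offers SSH-1, use \"Protocol 2\""
      if (root != "no")     print "PermitRootLogin should be \"no\""
      if (pw != "no")       print "PasswordAuthentication yes: switch to keys once every user has one"
      if (!allow)           print "AllowUsers unset: every local account may log in over SSH"
      if (x11 == "yes")     print "X11Forwarding yes: not needed on a server without X"
    }
  '
}

printf '%s\n' "$SSHD_AS_ON_PAGE" | sshd_audit
```

Keeping PasswordAuthentication on is a reasonable choice until every user has a key in ~/.ssh/authorized_keys; the point of the audit is that you make that choice knowingly rather than by default. Run `sshd_audit < /etc/ssh/sshd_config` after every change.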
CRON
Cron is a utility for automating tasks, just like the Scheduler or AT under Windows. Since this is a server, it should also make backups. See below for more explanation:
#!/bin/sh
# File: /etc/cron.d/backupscript
# Use SMB mount to connect to a share on a windows network client called RARO.
# See the Samba docs for more details
mount.smbfs //raro/my_documents /mnt/raro -o password=mypasswd
# Copy everything that has been updated (the -u flag) to the ronald folder
cp -u -a /mnt/raro/* /mnt/bigdisk2/backup/ronald
# unmount the share
umount /mnt/raro

# Copy the updated MySQL databases to the backup directory
cp -u -a /var/lib/mysql /mnt/bigdisk2/backup/linux
# Copy all updated configuration and homes to the backup directory
cp -u -a /etc /mnt/bigdisk2/backup/linux
cp -u -a /home /mnt/bigdisk2/backup/linux
# Copy the root directory, mail spool, mail program (exim) config, and DNS config files
cp -u -a /var/spool /mnt/bigdisk2/backup/linux
cp -u -a /root /mnt/bigdisk2/backup/linux
cp -u -a /usr/exim /mnt/bigdisk2/backup/linux
cp -u -a /var/named /mnt/bigdisk2/backup/linux
Crontab
The backupscript file contains unencrypted passwords of client machines. Make sure the backupscript is set to 'r-x------' for user root. The /mnt/bigdisk2/backup/raro directory is set 'r-x------' for user ronald only; the root user can always put the files back if anything happens to the client machine. The /mnt/bigdisk2/backup/linux directory is set 'r-x------' for user root only. You can use the crontab command to enter execution data into the /etc/crontab file, or edit the crontab file manually. This is my crontab file:
# File: /etc/crontab
# Use this shell
SHELL=/bin/bash
# Set this path
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Send output to this user
MAILTO=root
# Set the home directory
HOME=/

# This is very specific for Redhat
# At every hour run this cron file
01 * * * * root run-parts /etc/cron.hourly
# At 4:02 AM run this every day
02 4 * * * root run-parts /etc/cron.daily
# At 4:22 AM every Sunday run this
22 4 * * 0 root run-parts /etc/cron.weekly
# At 4:42 AM on the first day of the month run this
42 4 1 * * root run-parts /etc/cron.monthly

# Check every 15 minutes to see if the ADSL connection is still up
*/15 * * * * root /etc/ppp/pingscript > /dev/null
# Run the above backupscript file at 5:30 AM every day.
30 5 * * * root /etc/cron.d/backupscript
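To check what the schedule lines above actually mean, here is a small Python checker, added for this page and not the author's script: it parses a system crontab in the format of /etc/crontab, matches the five time fields against a given date and time under Vixie cron rules (including */n steps, ranges, and the day-of-month/day-of-week either-or rule), and lists the commands due. The embedded CRONTAB string is a constructed copy of the schedule lines above.

```python
from datetime import datetime
# Constructed copy of the schedule lines from the /etc/crontab above (example data).
CRONTAB = """
SHELL=/bin/bash
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
*/15 * * * * root /etc/ppp/pingscript >> /dev/null
30 5 * * * root /etc/cron.d/backupscript
"""

def parse_crontab(text):
    """Return (fields, user, command) for each schedule line of a system crontab."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 6)
        if len(parts) == 7:
            entries.append((parts[:5], parts[5], parts[6]))
    return entries

def field_matches(field, value, low, high):
    """Match one cron field ('*', 'n', 'a-b', '*/s', 'a-b/s', comma lists) against value."""
    for item in field.split(","):
        spec, _, step = item.partition("/")
        if spec == "*":
            start, end = low, high
        else:
            start, end = (int(x) for x in spec.split("-")) if "-" in spec else (int(spec), int(spec))
        if start <= value <= end and (value - start) % int(step or 1) == 0:
            return True
    return False

def runs_at(fields, when):
    """True if the five-field schedule fires at datetime 'when' (Vixie cron rules)."""
    minute, hour, dom, month, dow = fields
    cron_dow = (when.weekday() + 1) % 7  # Python Monday=0 -> cron Sunday=0 (7 is Sunday too)
    dom_ok = field_matches(dom, when.day, 1, 31)
    dow_ok = any(field_matches(dow, d, 0, 7) for d in ((0, 7) if cron_dow == 0 else (cron_dow,)))
    # When both day fields are restricted, cron runs if EITHER of them matches.
    day_ok = (dom_ok or dow_ok) if (dom != "*" and dow != "*") else (dom_ok and dow_ok)
    return (field_matches(minute, when.minute, 0, 59) and field_matches(hour, when.hour, 0, 23)
            and field_matches(month, when.month, 1, 12) and day_ok)

def due(text, when):  # commands that cron would start at 'when' according to 'text'
    return [cmd for fields, _user, cmd in parse_crontab(text) if runs_at(fields, when)]
```

For example, due(CRONTAB, datetime(2024, 3, 1, 4, 42)) returns only the cron.monthly command, while 4:24 on the same day returns nothing.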
Tripwire
Tripwire is an intrusion detection tool. You really should install this as soon as possible. Basically it stores the statistics of all files and directories in a database. When any changes occur it will send an email to the configured email address. Tripwire is run from the cron.daily directory and will send a daily report to the local administrator. The exact functioning and installation of Tripwire is beyond the scope of this document. Change the /etc/tripwire/twpol.txt file to match your own system. To accept the changes listed in a report into the database, use: tripwire --update -r /var/log/tripwire/reports/(the latest report)
FTP Daemon
The File Transfer Protocol (FTP) is the method of choice for sending and receiving files. Redhat comes with WU-FTP. Unfortunately this FTP daemon has been proven rather insecure in the past. My choice is ProFTPD. ProFTPD is a tremendously versatile program. It allows for hundreds of settings. I only use a small number of them, as you can see below:
# File: /etc/proftpd.conf

# The server name shown in the greeting when people connect
ServerName		"NINBIG FTP Server"
# I use xinetd (extended internet daemon) to control the FTP Daemon. Read the Xinetd section for more info.
ServerType		inetd
#ServerType		standalone
# Enable the FTP Daemon
DefaultServer		on

# Run FTP on the default port 21
Port 			21

# Umask 022: new files are writable by their owner only, read-only for group and others
Umask 			022
# Run the daemon process as this user and group
User			nobody
Group			nobody

# Disconnect a client whose data transfer has stalled for this many seconds
TimeoutStalled		7200

# Each user lands in a separate directory (the second argument is a group name)
DefaultRoot		/mnt/bigdisk2/www/kentyman kent
DefaultRoot		/mnt/bigdisk2/www/fearnloathing ronald
DefaultRoot		/ nin
DefaultRoot		/mnt ftp

# From the DefaultRoot directory each user has full file control.
<Directory /*>
  AllowOverwrite	on
</Directory>

# Allow only members of the webmasters, nin and ftp groups to log in
<Limit Login>
  DenyGroup !webmasters,!nin,!ftp
</Limit>

# I only want people I know to be able to log in.
# I use the user ftp (which has a password, but no home directory/shell access)
# For the FTP user set the following 'anonymous' settings:
<Anonymous /mnt>
# Allow anyone as user FTP to log in
   <Limit LOGIN>
      AllowAll
   </Limit>
# RateReadBPS limits reads (downloads) to 5000 bytes per second
   RateReadBPS			5000
# Only one user may log in at a time
   MaxClients			1 "Sorry, max %m user -- try again later"
# This runs under the user ftp and group ftp
   User				ftp
   Group			ftp
# The password for the ftp user must be entered. This ensures that no real anonymous people log in.
   AnonRequirePassword		on

# First we deny all read and write access. Browsing/Listing is allowed.
   <Limit READ WRITE>
      DenyAll
   </Limit>

# Content in the temp directory is not allowed to be browsed
   <Directory /mnt/bigdisk/temp>
      <Limit DIRS>
         DenyAll
      </Limit>
   </Directory>

# The FTP user can read any file in the stuff directory
   <Directory /mnt/bigdisk2/stuff/*>
      <Limit READ>
         AllowAll
      </Limit>
   </Directory>

# Like the temp dir, the CDROM and floppy drives are off-limits. Actually they have physically been removed.
   <Directory /mnt/cdrom>
      <Limit DIRS>
         DenyAll
      </Limit>
   </Directory>

   <Directory /mnt/floppy>
      <Limit DIRS>
         DenyAll
      </Limit>
   </Directory>

# This is the only writable directory. Deny any reading, but storing files is allowed.
   <Directory /mnt/bigdisk/upload/*>
      <Limit READ>
         DenyAll
      </Limit>
      <Limit STOR>
         AllowAll
      </Limit>
   </Directory>

</Anonymous>
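As an added example (not part of ProFTPD or the original page), a small Python audit of a ProFTPD-style configuration: it parses the nested <Block> sections used in proftpd.conf and flags a daemon User or Group of root, a DefaultRoot of / that leaves an account unconfined (as the nin line above does), and an <Anonymous> block without AnonRequirePassword on. SAMPLE is a constructed excerpt modelled on the configuration above, and the check wording is my own.

```python
# Constructed excerpt modelled on the proftpd.conf above (example data, not the real file).
SAMPLE = """
User nobody
DefaultRoot /mnt/bigdisk2/www/kentyman kent
DefaultRoot / nin
<Anonymous /mnt>
   AnonRequirePassword on
   <Limit READ WRITE>
      DenyAll
   </Limit>
</Anonymous>
"""

def parse(text):
    """Parse '<Block args> ... </Block>' and 'Directive args' lines into (name, args, children) nodes."""
    root = ("root", "", [])
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack.pop()  # close the innermost open block
            continue
        is_block = line.startswith("<")
        parts = (line[1:-1] if is_block else line).split(None, 1)
        node = (parts[0], parts[1].strip() if len(parts) > 1 else "", [])
        stack[-1][2].append(node)
        if is_block:
            stack.append(node)
    return root

def audit(text):
    """Return findings for the points the config above relies on; an empty list means all checks passed."""
    findings = []
    for name, args, children in parse(text)[2]:
        words = args.split()
        if name in ("User", "Group") and args == "root":
            findings.append(f"{name} root: the daemon should drop to an unprivileged account")
        if name == "DefaultRoot" and words[:1] == ["/"]:
            who = words[1] if len(words) > 1 else "everyone"
            findings.append(f"DefaultRoot / for {who}: not confined to a subtree")
        if name == "Anonymous":
            directives = {child[0]: child[1] for child in children}
            if directives.get("AnonRequirePassword", "off").lower() != "on":
                findings.append(f"Anonymous {args}: AnonRequirePassword is off, real anonymous logins are allowed")
    return findings
```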