Installing Qmail on a CentOS 5.8 system

Reference from: http://www.ekrfs.com.au/qmr/home

The best reference of all is http://qmail.jms1.net/ (I love this author).

 

I have compressed most of the required files into one file called qmr1.tar.gz and qmr2.tar.gz.  You will need to download both then put them in the /downloads/qmr directory that you need to create on your Centos or Fedora box.

Attachments are:

qmr1.tar

qmr2.tar

If you are looking at installing Qmail on a CentOS 5.8 system, you are at the right place.  You can either follow the directions on the pages under CentOS 5.5 or just download the pdf install guide (under the Qmail Files page).

Either way, you should end up with a great working system.  I caution you to please look at the screen output whilst doing the install.  If you see errors pop up, google them to solve before moving on.  If you do not, you will likely have problems later on.  Each program interacts with other programs and if something is broken, the other bits will likely fail as well.

 

Remember to use your logs as well.  They are a great way of detecting problems or success.

 

 

 

Part 1 – Checklist

1.      Make sure you have Fedora installed.  SELinux is a huge problem with qmail and I had to first put it in permissive mode and then disable it altogether.  I do however have a firewall on my router.  Security is another topic.

2.      Make sure you have the following on your system
(the command to check is "rpm -qa | grep pkgname")

Eg        rpm -qa | grep php

a.      http
b.      php
c.      perl
d.      perl-suidperl
e.      gcc
f.      gcc-c++
g.      mysql
h.      openssl
i.      openssl-devel
j.      wget
k.      mc (personally I use midnight commander, so I also install mc)
l.      patch

 

3.      If any are missing, install them.  For example, to install php, type:

yum install php

4.      Make sure you update your entire system with “yum update” after all this.

I then run

perl -MCPAN -e shell (and go with it)

When you get the cpan> prompt, type "install Bundle::CPAN".
When you get the prompt again, type "install CDB_File".

Type exit when the CPAN3> prompt comes back.

This last bit takes a while and you have to answer a few questions; I just hit enter to accept the default Yes answers.

This last bit is needed for Spamassassin.

 

Required Files to complete Setup

These can all be downloaded from the “QMR Files” page.

Firstly however, create a directory for all the files to go into:

mkdir -p /downloads/qmr

 

 

Part 2 – Run Script to create the necessary users etc for qmail install

Run the following script to create all the necessary users and folders / files and also to patch qmail with John Simpson's latest patch (currently 7.10).  You should go check that this is still the latest and if not, edit the script and download the latest patch.

cd /downloads/qmr/scripts/install
./qmr_install_with_jms1.script

This script will:

Make some necessary directories
Create necessary users and groups
Unpack qmail-1.03 and patch it with John Simpson's 7.10 patch
Unpack ucspi-tcp and daemontools and put them in the correct places on the system
Create logging directories and supervise script directories

Part 3 – Install Qmail (with John Simpson's patches already done)

Then go to the /qmail-1.03-jms1-7.10 directory.

make man && make setup check

Qmail is now installed but you still have a lot to do.  When finished, type

./config-fast yourdomain

For example:

./config-fast rmohan.com
make clean

We are now done getting qmail setup (for now)!

 

Part 4 – Install ucspi-tcp

cd /usr/src/qmail/ucspi-tcp-0.88

We must also patch this package.

patch < /downloads/qmr/patches/ucspi-tcp-0.88.errno.patch

It will display "patching file error.h"; this is what we want (even though it sounds bad, it is not).

make && make setup check

That is all for this.  Now on to daemontools…

 

Part 5 – Install Daemontools

cd /package/admin/daemontools-0.76/src

We must patch this package as well.

patch < /downloads/qmr/patches/daemontools-0.76.errno.patch

It will display "patching file error.h"; this is what we want (even though it sounds bad, it is not).

cd ..

package/install

That’s it.

Part 6 – Install Ezmlm-idx

cd /downloads/qmr
tar zxvf ezmlm-idx-7.0.2.tar.gz
cd ezmlm-idx-7.0.2
make && make setup

 

Part 7 – Install Autorespond

cd /downloads/qmr
tar zxvf autorespond-2.0.5.tar.gz
cd autorespond-2.0.5
make && make install

 

Part 8 – Qmail-updater

cd /var/qmail/supervise

mkdir -m 1755 qmail-updater

mkdir -m 755 qmail-updater/log

cd qmail-updater/log

cp /downloads/qmr/service-any-log-run run

chmod 755 run

cd ..

cp /downloads/qmr/pipe-watcher pipe-watcher

cp /downloads/qmr/update-qmail update-qmail

cp /downloads/qmr/service-qmail-updater-run run

chmod 755 pipe-watcher update-qmail run

The last step here is to link the qmail-updater directory in the /service directory so daemontools can run it.

ln -s /var/qmail/supervise/qmail-updater /service/

Wait a few seconds then run:

svstat /service/qmail-updater /service/qmail-updater/log

You should see output showing up for more than 3 seconds for both.
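The "up for more than 3 seconds" test is repeated for every daemontools service in this guide. As an added example (not from the original page or from daemontools), here is a small POSIX sh function that applies that rule to svstat output and treats a very short uptime as a crash loop; the sample lines are constructed.

```shell
#!/bin/sh
# svstat_healthy [MIN_SECS]
# Reads svstat output on stdin and returns 0 only when every listed service
# is "up" for at least MIN_SECS seconds (default 3). supervise restarts a
# failing run script about once a second, so a service that is always "up"
# for 0 or 1 seconds is crash-looping, not running.
svstat_healthy() {
    min=${1:-3}
    awk -v min="$min" '
        {
            name = $1
            sub(/:$/, "", name)
            # Anything other than "up" ("down ...", "supervise not running",
            # "unable to ...") is a failure.
            if ($2 != "up") {
                print name ": NOT RUNNING (" $0 ")"
                bad = 1
                next
            }
            # Format: "/service/x: up (pid 1234) 8 seconds" -> seconds is field 5
            secs = $5 + 0
            if (secs < min) {
                print name ": up only " secs "s, probably restarting"
                bad = 1
            } else {
                print name ": ok (" secs "s)"
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample output, not captured from a real server.
SAMPLE='/service/dovecot: up (pid 23841) 8 seconds
/service/dovecot/log: up (pid 23843) 8 seconds
/service/qmail-smtpd: up (pid 24010) 1 seconds
/service/spamd: down 12 seconds, normally up'

if printf '%s\n' "$SAMPLE" | svstat_healthy 3; then
    echo "all services healthy"
else
    echo "at least one service needs attention"
fi
```

Run it as `svstat /service/* /service/*/log | svstat_healthy` once the services exist.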

 

 

Part 9 – Install Vpopmail with onchange

First we need to install Skel

cd ~vpopmail
tar zxvf /downloads/qmr/skel.tgz
chown -R vpopmail:vchkpw skel
chmod -R 700 skel/
chmod 0600 skel/.qmail skel/mailfilter

We want to install vpopmail with the onchange function enabled. The latest version is 5.4.30 currently.

cd /downloads/qmr
tar zxvf vpopmail-5.4.30.tar.gz
cd vpopmail-5.4.30
./configure --enable-logging=p --enable-onchange-script

make install-strip

If that all ran without errors, vpopmail is configured and installed.  Now we must get the onchange function working.

cd ~vpopmail/etc
cp /downloads/qmr/onchange onchange

This is the script that vpopmail will execute when a user or domain is added or deleted from the system.  You need to now set permissions:

chown vpopmail:vchkpw ~vpopmail/etc/onchange
chmod 750 ~vpopmail/etc/onchange
chmod +x ~vpopmail/etc/onchange

Now that the onchange script is in place we can test it with the qmail-updater log file.  Open up another session (Ctrl+Alt+F2) and type

tail -f /service/qmail-updater/log/main/current

Go back to the original session (Ctrl+Alt+F1) and add a domain and user; you should see the log file in the other session change as entries are written to it.

cd ~vpopmail/bin
./vadddomain rmohan.com
./vadduser test@rmohan.com password

If the log file fills up with stuff, congratulations.

We need to make a slight modification to the vchkpw binary so that it works with SMTP over SSL.

cd ~vpopmail/bin
chmod 6711 vchkpw
chown vpopmail:vchkpw vchkpw

 

Part 10 – validrcptto and auth

We must then create the validrcptto and auth files which reside in /var/qmail/control.

To do this, we use the mkvalidrcptto and mkauth scripts.

cd /usr/local/bin
wget http://qmail.jms1.net/scripts/mkvalidrcptto
wget http://qmail.jms1.net/scripts/mkauth
chmod 755 mkvalidrcptto mkauth

Then we run the scripts:

mkvalidrcptto -c /var/qmail/control/validrcptto.cdb

mkauth -c /var/qmail/control/auth.cdb

To test

ps axww | grep readproctitle

The output should be something like

readproctitle service errors: ...........................................

 

Part 11 – Install Maildrop

You need maildrop aside from anything else, for qmail-scanner – which needs reformime.

Before you install maildrop, you need to install "pcre".  Download the file to the qmr directory.

cd /downloads/qmr
tar zxvf pcre-8.12.tar.gz
cd /downloads/qmr/pcre-8.12
./configure
make
make install
make clean

Then

cd /downloads/qmr
tar xvf maildrop-2.5.5.tar.bz2
cd maildrop-2.5.5
./configure --enable-maildrop-uid=root --enable-maildrop-gid=vchkpw
make install clean

We now add logging options to maildrop.

cd /var/qmail/supervise
mkdir -m 1755 maildrop-logger
mkdir -m 755  maildrop-logger/log
cd maildrop-logger/log
cp /downloads/qmr/service-any-log-run run
chmod 755 run
cd ..
cp /downloads/qmr/log-maildrop log-maildrop
cp /downloads/qmr/pipe-watcher pipe-watcher
cp /downloads/qmr/maildrop-logger-run run
chmod 755 pipe-watcher log-maildrop run
touch /tmp/log-maildrop
chown vpopmail:vchkpw /tmp/log-maildrop

Now we start the maildrop-logger service

ln -s /var/qmail/supervise/maildrop-logger /service/

Wait a bit then check

svstat /service/maildrop-logger /service/maildrop-logger/log

Again, it all should be running for more than 3 seconds

Part 12 – Uninstall Sendmail

To find out the version numbers to remove type

rpm -qa | grep sendmail

Then

/etc/rc.d/init.d/sendmail stop

Then

rpm -e --nodeps sendmail-x.x.x          (version number from results above)
rpm -e --nodeps sendmail-cf-x.x.x      (version number from results above)

We now need to establish an artificial sendmail path, i.e. a symbolic link to qmail's sendmail.  This is needed to ensure the whole system is able to send mail.

ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail

That’s it for this step.

 

Part 13 – Install Dovecot

Do not try to install any courier stuff as they do not support vpopmail any more.

The latest stable version is dovecot-1.2.12.  As always check this is the latest stable version. I did try the later version of 2.0.11 but that caused issues so I used 1.2.12.  Your choice !

cd /downloads/qmr
tar xzf dovecot-1.2.12.tar.gz
cd dovecot-1.2.12
cp /downloads/qmr/configure.dovecot configure.dovecot
chmod 755 configure.dovecot
./configure.dovecot

make
make install

A few directories either weren't created, or were created with bad permissions. The following commands fixed the problems:

mkdir -m 0755 /usr/local/var /usr/local/var/run /usr/local/var/run/dovecot

chmod go=u-w /usr/local/share /usr/local/share/doc

chmod -R go=u-w /usr/local/lib/dovecot /usr/local/libexec/dovecot /usr/local/share/doc/dovecot

The next step is to create a new non-root userid which is used to process authentication requests.

This command is specific to Linux, and will probably need to be adjusted for other systems. The idea is to create a userid which cannot log in, which has no valid shell, and has no home directory- one which, if somebody were to “hack” into it, wouldn’t be able to do much.

useradd -M -d /nohome -s /bin/false -c 'Dovecot user' dovecot

________________________________________

Configuring Dovecot

Dovecot itself is configured using a single control file, which is
/usr/local/etc/dovecot.conf
When you install the software, it creates a dovecot-example.conf file in this directory, and the directions with the software tell you to rename or copy the file to dovecot.conf and then customize it.

There is a customised dovecot.conf file (thanks to John Simpson). Note that it contains an invalid IP, so you will need to customize the file before using it; either that, or use the dovecot-example.conf file and build your own configuration.

The first thing you’ll need to do is adjust the “first_valid_uid” and “last_valid_uid” values in the file. Find the numeric uid of the vpopmail user…

id -u vpopmail

My result was 508

To copy the dovecot.conf file mentioned above:

cd /usr/local/etc
cp /downloads/qmr/dovecot.conf dovecot.conf
chown root:root dovecot.conf

If the IMAP servers will ONLY be used for vpopmail accounts, make sure both of these values are set to that number (in this case, 508.) Also make sure both lines are un-commented (i.e. remove the “#” in front of the “last_valid_uid” line.)

## Mail processes

verbose_proctitle = yes

first_valid_uid = 508
last_valid_uid = 508

You also need to change the IP addresses to your own (at ssl_listen, twice), e.g. 192.168.1.6.

Building the daemontools service(s)

This shows how to set up a daemontools service which starts the main dovecot process, which will listen for incoming IMAP and/or POP3 connections as specified in the dovecot.conf file.

On my server, all of my daemontools physical service directories are in the
/var/qmail/supervise directory.

Your own server may be different- the physical directory can be anywhere on the system, except within the “/service” directory itself.

cd /var/qmail/supervise
mkdir -m 0755 dovecot dovecot/log
cd dovecot/log
cp /downloads/qmr/service-any-log-run run
chmod 0755 run
cd ..
cp /downloads/qmr/service-dovecot-run run
chmod 0755 run
Now edit the run file with your text editor of choice.

Like the other “service-blah-run” scripts, this one consists of configuration variables at the top, followed by code to build the final command line, and then run it. The variables are:

•  IP is the IP address you want to listen on. You can set it to "0" if you want it to listen on every IP attached to your system, however I don't normally recommend doing things that way.

•  PORT is the TCP port number you want to listen on. The standard values are 143 for IMAP, 993 for SSL-IMAP, 110 for POP3, and 995 for SSL-POP3.

   I DO NOT RECOMMEND RUNNING NON-SSL POP3 OR IMAP SERVICES on any unsecured network (i.e. on the open Internet) because the authentication methods for both POP3 and IMAP involve sending the password across the wire in plain text. Remember, if some "bad person" happens to get one of your users' passwords, they not only have access to that user's email, they will probably have the ability to use that ID and password with an SMTP AUTH command, and use your server as a relay.

•  MAX is the maximum number of concurrent connections allowed by this service. If this is blank, a default value of 40 will be used instead.

•  ACCESS_CDB gives the name of a .cdb file made by tcprules, which controls which clients are and are not allowed to connect. Note that if you plan to use rules involving remote userids (very few people do, because they are so easily forged) you will need to remove the "R" from the options of tcpserver and/or sslserver within the script itself.

•  SVC_LOGIN is the full pathname of the service you wish to run. Normally this will be "imap-login" or "pop3-login".

•  IS_SSL should be set to a number greater than zero if this is to be an SSL-secured service. This tells the script to use sslserver instead of tcpserver, exports the CERTFILE variable (needed by sslserver), and adds a flag to the end of the command line which tells imap-login or pop3-login that the connection is already encrypted.

•  CERTFILE should be set to the full pathname to the .pem file containing the server's encryption key. You can point this to the same servercert.pem file used by qmail-smtpd if you like.

________________________________________

Start up Dovecot

This is just like starting up any other daemontools service – create a symlink from /service/something to the physical service directory, wait about ten seconds, and make sure it’s running.

ln -s /var/qmail/supervise/dovecot /service/

Wait about ten seconds…

svstat /service/dovecot /service/dovecot/log
/service/dovecot: up (pid 23841) 8 seconds
/service/dovecot/log: up (pid 23843) 8 seconds

As we have not yet set up the certfile, the service will not run properly.  If you check the log file in /var/qmail/supervise/dovecot/log/main/current, it will show an error about the certificate file.

Fixing that is next…

 

Part 14 – Install UCSPI-SSL and create certificates

Now we need to install ucspi-ssl so qmail will accept smtp connections with ssl.

cd /package
tar zxvf /downloads/qmr/ucspi-ssl-0.70.tar.gz
cd host/superscript.com/net/ucspi-ssl-0.70

Compile the package

package/compile

Run some tests.  Note: there are some fatal cipher errors and broken pipe errors only; that is ok, ignore them.

package/rts

Install the package

package/install

That is that.  Now we need to create the key:

cd /var/qmail/control
openssl req -newkey rsa:1024 -x509 -nodes -days 3650 -out servercert.pem -keyout servercert.pem

Answer the questions and make sure the Common Name is the name of your mail server!!

Now we give proper ownership

chown root:nofiles servercert.pem

The “nofiles” group is the group which qmaild belongs to.  This combination of ownership and permissions allows qmail-smtpd to read the key but not change or delete it.

chmod 640 servercert.pem
cp servercert.pem clientcert.pem
chown root:qmail clientcert.pem
chmod 640 clientcert.pem

 

You can now go back and check that dovecot is working:

svstat /service/dovecot /service/dovecot/log
/service/dovecot: up (pid 23841) 8 seconds
/service/dovecot/log: up (pid 23843) 8 seconds

 

 

Part 15 – Finalise the qmail installation

There is a bit in this but it is not too difficult.  I have modified a script from the old qmailrocks site to suit Fedora.  To start with run a script which will:

  1. Copy all the supervise scripts to their correct locations
  2. Copy qmail.rc and qmailctl to the proper locations and create the necessary symbolic links.
  3. Set all needed permissions on the supervise scripts

Ok.  To get things going:

cd /downloads/qmr/scripts/finalise
chmod 755 finalize_linux.script
./finalize_linux.script

 

Configuring Qmail

 

Now we will need to edit a few files to make them work on the new system for this new server.

cd /var/qmail/supervise/qmail-pop3d

We need to edit the run file.

vi run               (or mc or whatever editor)

Change the mail server name (at the end of line 4) to your mail server, e.g. mail.test.com.au

cd /var/qmail/supervise/qmail-smtpd
vi run

IP=1.2.3.4       (change this to your ip address obviously)
Port=25 (set the port number we will be listening on)
SSL=0 (This says do not run an SSL-only service)
FORCE_TLS=0 (Refuse to accept mail from clients who have not done STARTTLS)
DENY_TLS=0 (Do not refuse to process the STARTTLS command)
AUTH=0 (We are turning off auth on port 25 and only allow incoming mail)
Require_Auth=0 (Refuse to accept mail from clients who have not done AUTH).

You must also uncomment the following line of the smtp run file or else no mail will be scanned by qmail scanner. Make it this:

QMAILQUEUE="$VQ/bin/qmail-scanner-queue.pl"

Now we need to set up some qmail aliases.  Replace postmaster@test.com.au with the address you want the mail to go to:

echo postmaster@test.com.au > /var/qmail/alias/.qmail-root
echo postmaster@test.com.au > /var/qmail/alias/.qmail-postmaster
echo postmaster@test.com.au > /var/qmail/alias/.qmail-mailer-daemon

Now we set up selective relaying.

mkdir /etc/tcp
cd /etc/tcp
cp /downloads/qmr/etc-tcp-makefile Makefile

Now create the smtp file.  Add your ip address.  If your ip address was
192.168.1.1, then it will go like this:

vi /etc/tcp/smtp

Add the following to the new file:

192.168.1.:allow,RELAYCLIENT=""
:allow

save this and then run:

gmake

You should get output saying

tcprules smtp.cdb smtp.tmp < smtp
chmod 644 smtp.cdb smtp
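The /etc/tcp/smtp rules above decide which clients get RELAYCLIENT and may therefore send mail through this server to any destination. This added example (not part of the original page or of ucspi-tcp) reproduces tcpserver's address-to-rule lookup in POSIX sh so you can see which rule a given client hits, and flags relay grants broad enough to turn the server into an open relay; the rules file is constructed inline to match the guide's layout.

```shell
#!/bin/sh
# tcprules_match IP RULES_FILE
# Prints the instructions tcpserver would apply to IP, using the same lookup
# order as the tcprules database: the exact address first, then shorter and
# shorter dotted prefixes ("192.168.1.", "192.168.", "192."), then the
# default rule whose address is empty (":allow"). Returns 1 if nothing matches.
tcprules_match() {
    ip=$1
    rules=$2
    keys=$ip
    prefix=$ip
    while [ "${prefix%.*}" != "$prefix" ]; do
        prefix=${prefix%.*}
        keys="$keys $prefix."
    done
    for key in $keys ""; do
        hit=$(awk -v k="$key" '
            /^#/ || /^$/ { next }
            {
                i = index($0, ":")
                if (i == 0) next
                if (substr($0, 1, i - 1) == k) { print substr($0, i + 1); exit }
            }' "$rules")
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
    done
    return 1
}

# check_relay_rules RULES_FILE
# Lists every address that is granted RELAYCLIENT and returns 1 if one of
# them is the empty default rule or a one-octet prefix such as "10.": either
# would let a whole /8 (or the whole Internet) relay through this server.
check_relay_rules() {
    awk '
        /^#/ || /^$/ { next }
        {
            i = index($0, ":")
            if (i == 0) next
            addr = substr($0, 1, i - 1)
            if (substr($0, i + 1) ~ /RELAYCLIENT/) {
                printf "relay granted to [%s]\n", addr
                # "192.168.1." splits into 4 pieces (last one empty), "10." into 2
                n = split(addr, parts, ".")
                if (addr == "" || n <= 2) {
                    printf "  TOO BROAD: %s\n", (addr == "" ? "default rule" : addr)
                    bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed example of /etc/tcp/smtp, matching the guide's layout.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
# hosts on the office LAN may relay
192.168.1.:allow,RELAYCLIENT=""
# everyone else may connect but only deliver to local domains
:allow
EOF

tcprules_match 192.168.1.50 "$RULES"   # allow,RELAYCLIENT=""
tcprules_match 203.0.113.9 "$RULES"    # allow
check_relay_rules "$RULES" && echo "relay rules look sane"
rm -f "$RULES"
```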

 

Setting up smtp with SSL

We need to edit the file

vi /var/qmail/supervise/qmail-smtpd-ssl/run

Set the following values:

IP=1.2.3.4       (change this to your own ip address obviously)
Port=465 (set the port number we will be listening on)
SSL=1 (This says to run an SSL-only service)
FORCE_TLS=0 (Ignored for ssl services)
DENY_TLS=0 (Ignored for ssl services)
AUTH=1 (Allow the AUTH command)
Require_Auth=1 (Refuse to accept mail from clients who have not done AUTH).

You must also uncomment the following line of the smtp run file or else no mail will be scanned by qmail scanner. Make it this:

QMAILQUEUE="$VQ/bin/qmail-scanner-queue.pl"

Save the file  then…

Creating the smtpssl file

cd /etc/tcp
vi smtpssl

in this new file, simply put the following and then save it.

:allow

Now you need to edit the Makefile and add smtpssl.cdb after smtp.cdb, save and exit.  Now run:

gmake

The final step is to start the service running:

ln -s /var/qmail/supervise/qmail-smtpd-ssl /service/

Now check that the service is running ok by:

svstat /service/qmail-smtpd-ssl /service/qmail-smtpd-ssl/log

As usual, if you see the output is up for more than 3 seconds, all is OK

Now we want to start qmail:

qmailctl start

You should get output like:

Starting qmail…

Starting qmail-send
Starting qmail-smtpd
Starting qmail-pop3d

To check to make sure it is running ok type:

qmailctl stat

As long as everything is up for more than, say, 3 seconds you have succeeded.  Well done.

That is all finished.

You could just operate a mail server with what you now have, but let's install programs to make life much easier.  For example, you could easily just manage all your mail accounts and domains with vpopmail.  But using qmailadmin and vqadmin is much nicer and easier.  Squirrelmail makes life easier for all your users as they can get their mail via a web browser.  Clamav checks for viruses in mail and spamassassin gets rid of a lot of spam.

Anyway, let's get on with it…

 

Part 16 – Install Spamassassin

I have done this in two different ways and both worked.  You can compile from source and then install, or take the simplest way and just use yum to install it:

yum install spamassassin

Then go and edit /etc/mail/spamassassin/local.cf

All you have to put in this file is

required_score 3.2       (that is what I use)

And if you want you can create a whitelist of good known email addresses – eg friends

whitelist_from good@emailaddress.com.au

Now to set it up under daemontools.

mkdir -m 1755 /var/qmail/supervise/spamd
mkdir -m 755 /var/qmail/supervise/spamd/log
cd /var/qmail/supervise/spamd
cp /downloads/qmr/spamd-run run
chmod 755 run
cd log
cp /downloads/qmr/service-any-log-run run
chmod 755 run

All we need to do now is create the service:

ln -s /var/qmail/supervise/spamd /service/

Wait a bit then:

svstat /service/spamd /service/spamd/log

Again, make sure the service is up for more than, say, 3 seconds.  If there are issues, stop the service and then restart it.

I also then type

sa-update

to update spamassassin
That’s it for spamassassin.

 

Part 17 – Install Clamav – Updated March 2012
For the first time install of Clamav, you need to create a new user and group to your system:

groupadd clamav
groupadd qscand
useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav
useradd -g qscand -s /bin/false -c "Qscand" qscand

Now you need to download Clamav from clamav.net.  Get the latest stable version, which is currently 0.97.3

cd /downloads/qmr
wget http://downloads.sourceforge.net/clamav/clamav-0.97.3.tar.gz
tar zxvf clamav-0.97.3.tar.gz
cd clamav-0.97.3
./configure
make
make check
make install
make clean

Now you need to create the clamd and freshclam service scripts.

cd /var/qmail/supervise

mkdir -m 1755 clamd
mkdir -m 0755 clamd/log
cd clamd
cp /downloads/qmr/service-clamd-run run
chmod 755 run
cd log
cp /downloads/qmr/service-any-log-run run
chmod 755 run

cd /var/qmail/supervise

mkdir -m 1755 freshclam
mkdir -m 0755 freshclam/log
cd freshclam
cp /downloads/qmr/service-freshclam-run run
chmod 755 run
cd log
cp /downloads/qmr/service-any-log-run run
chmod 755 run

 

Now we need to edit the clamd.conf file so it will run correctly via daemontools.

chmod 744 /usr/local/etc/clamd.conf
vi /usr/local/etc/clamd.conf                 (or type mc and use midnight commander if you like)

#Example – must be commented out

#LogFile – comment out

#LogSysLog no – comment out

#PidFile /var/run/clamav – comment out

DatabaseDirectory /usr/local/share/clamav

LocalSocket /tmp/clamd.socket – uncomment this

FixStaleSocket yes – optional

User qscand

Foreground yes – this is absolutely required to run via daemontools

chown -R qscand:qscand /usr/local/share/clamav
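The clamd.conf edits above are what let supervise keep clamd as a foreground child and let qmail-scanner reach it over the local socket. As an added example (not from the page or from ClamAV), this POSIX sh function checks a clamd.conf for exactly those settings; the two sample configs are constructed.

```shell
#!/bin/sh
# clamd_conf_check FILE
# Returns 0 if FILE has the settings this guide needs for running clamd
# under daemontools, printing one line per problem otherwise:
#   - "Example" commented out (clamd refuses to start while it is active)
#   - no PidFile (supervise tracks the process itself)
#   - Foreground yes (a daemonising clamd would vanish from supervise's view)
#   - LocalSocket set (qmail-scanner talks to clamd over it)
#   - User qscand (the unprivileged account qmail-scanner also runs as)
clamd_conf_check() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        $1 == "Example"     { print "Example is still active"; bad++ }
        $1 == "PidFile"     { print "PidFile is set; comment it out"; bad++ }
        $1 == "Foreground"  { fg = $2 }
        $1 == "LocalSocket" { sock = $2 }
        $1 == "User"        { user = $2 }
        END {
            if (fg != "yes")      { print "Foreground must be yes"; bad++ }
            if (sock == "")       { print "LocalSocket is not set"; bad++ }
            if (user != "qscand") { print "User should be qscand, not \"" user "\""; bad++ }
            exit bad ? 1 : 0
        }
    ' "$1"
}

# Two constructed configs: a stock-looking file and one edited as the guide says.
STOCK=$(mktemp); GOOD=$(mktemp)
cat > "$STOCK" <<'EOF'
Example
LogFile /var/log/clamd.log
PidFile /var/run/clamd.pid
DatabaseDirectory /usr/local/share/clamav
#LocalSocket /tmp/clamd.socket
User clamav
EOF
cat > "$GOOD" <<'EOF'
#Example
#PidFile /var/run/clamd.pid
DatabaseDirectory /usr/local/share/clamav
LocalSocket /tmp/clamd.socket
FixStaleSocket yes
User qscand
Foreground yes
EOF
clamd_conf_check "$STOCK" || echo "stock file: not ready for daemontools"
clamd_conf_check "$GOOD" && echo "edited file: ok"
rm -f "$STOCK" "$GOOD"
```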

 

Configuring freshclam

The freshclam program checks for updated virus definition files and, if it finds them, downloads and installs them automatically. It then sends a message to clamd, telling it to read the new definitions into memory, and can also call another program that we specify. We will be using this “call another program” capability to inform qmail-scanner and/or simscan to update its version database, so the headers that they add to email messages will have accurate version numbers.

To configure freshclam, we will edit a file called freshclam.conf, which will be found in the same directory where we found the clamd.conf file (above.) This is a list of the changes we need to make:

chmod 744 /usr/local/etc/freshclam.conf

vi /usr/local/etc/freshclam.conf           (or use mc as above)

 

#Example – comment out
DatabaseDirectory /usr/local/share/clamav
#UpdateLogFile – comment out
#LogSyslog – no
#Pidfile – comment out
DatabaseOwner qscand
checks 24
Foreground yes

Set up the services to start

ln -s /var/qmail/supervise/clamd /service/
ln -s /var/qmail/supervise/freshclam /service/

Now check the services are running:

svstat /service/clamd /service/clamd/log

and then

svstat /service/freshclam /service/freshclam/log

make sure each is up for more than 3 seconds and all is ok.  That is it for Clamav.

 

 

Part 18 – Install Qmail-scanner

The latest version (currently) is 2.10 as at March 2012 – you need to google the file to download

cd /downloads/qmr

tar zxvf qmailscanner-2.10.tar.gz

cd qmailscanner-2.10

cp /downloads/qmr/qms-config qms-config

Now you need to change the qms-config to match your settings. The bits in bold must be changed to your domain specific settings. If you have multiple domain names, in local-domains, separate them by a comma (no space).

When you have made your changes, then make it executable and give it a test run:

chmod 755 qms-config

./qms-config

When it asks you Continue? ([Y] / [N]) go ahead and hit Y

It will ask this twice.  If all goes well you will get Finished. and a bit more without error messages.

If the above worked, then you will need to actually install:

./qms-config install

 

Updating the qmail-scanner version files

The first one is the command that updates your version files.  It updates your headers when you upgrade ClamAV or SpamAssassin.  It also helps keep the /var/spool/qscan folder clear when SMTP sessions are dropped.

Put this one in a cron and run it once a day.

setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z

Anytime you update qmail-scanner you should also run

setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g

One final ownership check

chown -R qscand:qscand /var/spool/qscan


Testing Qmail-scanner

Now before we finish, we need to test that it works.  Make sure you have set up your main domain and email accounts (in particular the domain that you set the aliases to earlier) as these are where the test emails will go. Then run the following:

/downloads/qmr/qmailscanner-2.10/contrib/test_installation.sh --doit

When this runs, it will send 4 messages – 2 with viruses, one standard message and a piece of junk mail. So when this runs, you should have 1 in /var/spool/qscan/quarantine/viruses/new , 1 message in /var/spool/qscan/quarantine/policy/new , 1 message in ~vpopmail/domains/domainXXX/postmaster/Maildir/new and 1 in your ~vpopmail/domains/domainXXX/postmaster/Maildir/.Spam/new folder (or this will be in your maildir).

All you need to do to finish is to restart qmail:

qmailctl restart

That’s Qmail-scanner installed!  Well done.

 

Part 19 – Install VqAdmin

VqAdmin is a nice simple web based interface that lets us manage Vpopmail.  You can create new domains, new users, net quotas and more.

cd /downloads/qmr

tar zxvf vqadmin-X.x.x

cd vqadmin-X.x.x

./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/html

(If the paths above are not the same on your system, change them to match)

make && make install-strip

If the installation is successful, VqAdmin will install itself in the cgi-bin directory of your website.

Now you need to edit your apache file (or httpd.conf file).

vi /etc/httpd/conf/httpd.conf

Now, on about line 325 (of mine anyway) you need to change it to
AllowOverride ALL

Also on about line 265, make sure your servername is defined.

Insert (on mine I did it on line 575 but that does not really matter)

<Directory "/var/www/cgi-bin/vqadmin">
deny from all
Options ExecCGI
AllowOverride AuthConfig
Order deny,allow
</Directory>

That’s that bit done.

cd /var/www/cgi-bin/vqadmin

Now you need to create a .htaccess file to password protect the vqadmin interface.  There should already be a .htaccess file in the vqadmin directory, so all you need to do is configure it.

vi .htaccess

AuthType Basic
AuthUserFile /etc/httpd/conf/.htpasswd        (in fact you can put this wherever you like)
AuthName vQadmin
require valid-user
satisfy any

Now change ownership

chown apache .htaccess

chmod 644 .htaccess

Now you need to create a corresponding .htpasswd file that will contain the username and encrypted password for the VqAdmin administrator.

htpasswd -bc /etc/httpd/conf/.htpasswd admin admin-password

chmod 644 /etc/httpd/conf/.htpasswd

Make sure you leave the user admin as admin else it won’t work.  Obviously the admin-password should be a password.

Now we need to restart apache.

apachectl stop

apachectl start

If all has gone well, in your web browser, put:

http://www.rmohan.com/cgi-bin/vqadmin/vqadmin.cgi

Enter admin and whatever password you created and hey presto.  You can now add domains, users etc.  If you get errors such as 500 Internal Server Error, check the permissions on the vqadmin.cgi file.

 

 

Part 20 – Installing Qmailadmin

This provides us with a nice web based interface for administering mail accounts once they are set up through Vpopmail or VqAdmin.

cd /downloads/qmr

tar zxvf qmailadmin-X.xx.x

cd qmailadmin-X.x.x

./configure --enable-cgibindir=/var/www/cgi-bin --enable-htmldir=/var/www/html --enable-modify-spam --enable-ezmlm.idx

make && make install-strip

Now to make sure when we add new users via qmailadmin that we want Spam Fighting turned on by default edit the following:

vi /usr/local/share/qmailadmin/html/add_user.html

find the line
<input type="checkbox" name="spamcheck">

Change it to:
<input type="checkbox" name="spamcheck" checked>

That's it for the install.

Now open your web browser and go to:

http://www.rmohan.com/cgi-bin/qmailadmin

You're all done here.

 

Part 21 – Install Squirrelmail

Squirrelmail is a web based program that allows you to access your email via a web browser.

First you must check that you have PHP uploads turned on.

vi /etc/php.ini

The line you want to check / edit is:

file_uploads = On

That’s that.  Now on to installing Squirrelmail.

cd /var/www/html
tar zxvf /downloads/qmr/squirrelmail-X.x.x.tar.gz

Now rename the untarred folder to something more friendly:

mv squirrelmail-X.x.x webmail

Now we configure SquirrelMail:

mkdir /var/local/squirrelmail
mkdir /var/local/squirrelmail/data
chown -R apache:apache /var/local/squirrelmail/data

cd webmail/config
./conf.pl

This will run the SquirrelMail setup script, which allows you to customise the installation and set your server settings.  Most of the important things are in area #2, which is called “Server Settings”.

You will be presented with a menu. Under 1 – Organization Preferences, all of the settings in this window are optional. When you are done, hit S to save, then hit Enter, then hit R to go back to the Main Menu.

Now we want to go to 2 – Server settings. Hit 1 for Domain and hit Enter on the keyboard. You can type the name of the server or the local IP or public IP, whichever you prefer. If your mailserver is behind a router/firewall, I use the local IP. If you are on the public side of things, the hostname or the static IP will work fine.

Under Server settings we want to use the following. Please change x.x.x.x to the IP of your mail server:

1.  Domain                 : x.x.x.x
2.  Invert Time            : false
3.  Sendmail or SMTP       : Sendmail

A.  Update IMAP Settings   : localhost:143 (other)
B.  Change Sendmail Config : /var/qmail/bin/sendmail

Hit Y and then hit Enter. Hit S to save and then hit Enter again. Hit Q to quit and exit the menu.

There are other features you can customise if you like, but they are not critical.  Once you are done here, we must configure Apache to serve our new webmail interface.

Open up the httpd.conf file and add the following at the bottom, under Virtual Domains:

vi /etc/httpd/conf/httpd.conf

<VirtualHost 1.2.3.4:80>
ServerName mail.rmohan.com
ServerAlias mail.*
ServerAdmin postmaster@rmohan.com
DocumentRoot /var/www/html
</VirtualHost>

Now all you need to do is restart apache

apachectl stop
apachectl start

Now in your browser:

http://www.rmohan.com/webmail

That is it.  You now have a great qmail server with lots of useful extras.

Now for Maintenance of everything we have set up…

Part 22 – notes on Changing and Maintaining your new Qmail Server

Services

To start, stop or restart a service (run under daemontools – ie the ones in the /service directory):

To stop

svc -d /service/name               (d is for down)

eg        svc -d /service/spamd             will stop spamd

To start

svc -u /service/name               (u is for up)

To restart

svc -t /service/name

To check all your services at once

svstat /service/* /service/*/log
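
The svstat line is the quickest health check for everything under daemontools, but its output has to be read by eye. As an added example (not part of the original guide or of daemontools), the script below triages that output: a service that is down, a service whose uptime is only a few seconds (supervise restarts a run script that exits immediately once a second, so a short uptime on every check means a crash loop), and a directory supervise is not watching at all. The svstat lines at the bottom are constructed to look like the output on a box built by this guide.

```shell
#!/bin/sh
# svstat_triage: turn "svstat /service/* /service/*/log" output into findings.
# Added example; not part of the original guide or of daemontools.
#
#   DOWN <svc>         service is down although it is normally up
#   FLAPPING <svc>     uptime below MIN_UPTIME seconds: likely a crash loop
#   NOSUPERVISE <svc>  supervise is not running for that directory at all

MIN_UPTIME=${MIN_UPTIME:-60}

svstat_triage() {   # $1 = file holding svstat output
    awk -v min="$MIN_UPTIME" '
        {
            # "/service/spamd:" -> "/service/spamd"
            name = $1; sub(/:$/, "", name)
            # uptime or downtime always appears as "<n> seconds"
            secs = -1
            if (match($0, /[0-9]+ seconds/)) secs = substr($0, RSTART, RLENGTH) + 0
        }
        /supervise not running/               { print "NOSUPERVISE " name; next }
        $2 == "down" && /normally up/         { print "DOWN " name " (" secs "s)"; next }
        $2 == "up" && secs >= 0 && secs < min { print "FLAPPING " name " (up " secs "s)"; next }
    ' "$1"
}

# Constructed sample of svstat output (not captured from a real system).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/service/qmail-send: up (pid 2311) 864000 seconds
/service/qmail-smtpd: up (pid 2313) 864000 seconds
/service/spamd: down 1200 seconds, normally up
/service/clamd: up (pid 9012) 3 seconds
/service/freshclam: supervise not running
/service/qmail-send/log: up (pid 2312) 864000 seconds
EOF

svstat_triage "$SAMPLE"
rm -f "$SAMPLE"
```

On a live system pipe svstat straight in: `svstat /service/* /service/*/log > /tmp/svstat.out && svstat_triage /tmp/svstat.out`. Running it a second time a minute later separates a service that was simply just restarted from one that is genuinely looping.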

Qmail-Scanner

I wanted the subject line to be altered with spam messages.  To do this, you need to edit the qmail-scanner-queue.pl file in /var/qmail/bin…

In this file on my system, line 258 says:

my $spamc_subject='***Spam***';

I set it to delete messages more than 5 over my limit of 3.2.  You can edit this two lines below:

my $sa_quarantine_over='5';

This is all I did.

Update Clamav

This would be the cause of most pain, as it changes every 3 months or so.  To see info about freshclam and whether it is current, type:

freshclam -v

Or you can look in the file /service/freshclam/log/main/current and see if clamav is outdated.  It will say so in the log.  To upgrade your clamav, go to the clamav site and download the latest stable source file:

http://www.clamav.net/lang/en/download.sources

Now download the latest version and put it in your downloads directory.  For example, to download the 96.1 version (the commands below use 0.97.3; substitute the version you want):

cd /downloads
wget http://downloads.sourceforge.net/clamav/clamav-0.97.3.tar.gz
tar zxvf clamav-0.97.3.tar.gz
cd clamav-0.97.3

I then back up the clamd.conf and freshclam.conf files to be safe.

cd /downloads
cp /usr/local/etc/freshclam.conf freshclam.conf
cp /usr/local/etc/clamd.conf clamd.conf

You must then stop qmail, clamav and freshclam:

qmailctl stop
svc -d /service/clamd
svc -d /service/freshclam

Now we start the upgrade:

./configure
make                            (This can take some time)
make check                 (Same – make sure the tests passed – ie no errors)
make install
make clean

Check the conf files against the backups; they should be unaltered.

Start up the services again:
qmailctl start
svc -u /service/clamd
svc -u /service/freshclam

You must now update the qmail-scanner database (qscand is the account qmail-scanner runs as; use yours if it differs):
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -g

and also update the version number:
setuidgid qscand /var/qmail/bin/qmail-scanner-queue.pl -z

Now type freshclam -v and you will see the new version number.  That’s it for updating clamav.  I just did this exactly and it worked perfectly on my system.
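
The freshclam log is the place this section says to look for an outdated engine. As an added example (not part of the original guide or of ClamAV), the function below reads the multilog "current" file of the freshclam service and reports whether the log carries ClamAV's OUTDATED warning, together with the local and recommended version numbers it names. The log lines at the bottom are constructed to look like multilog output (a TAI64N stamp followed by the freshclam message), not copied from a real system.

```shell
#!/bin/sh
# freshclam_status: report whether the freshclam log says the ClamAV engine
# is outdated. Added example; not part of the original guide or of ClamAV.

freshclam_status() {   # $1 = /service/freshclam/log/main/current (or any freshclam log)
    # multilog prefixes each line with "@" + 24 hex digits; strip it so the
    # same patterns also match freshclam run by hand.
    sed 's/^@[0-9a-f]* //' "$1" | awk '
        /Your ClamAV installation is OUTDATED/ { outdated = 1 }
        /Local version:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Local"       && $(i+1) == "version:") have = $(i+2)
                if ($i == "Recommended" && $(i+1) == "version:") rec  = $(i+2)
            }
        }
        END {
            if (outdated) print "OUTDATED local=" have " recommended=" rec
            else          print "CURRENT"
        }'
}

# Constructed sample of a multilog "current" file (not captured from a real system).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
@400000004fd0a3c00b3e2b8c ClamAV update process started at Thu Jun  7 10:00:00 2012
@400000004fd0a3c00b3e2b8c WARNING: Your ClamAV installation is OUTDATED!
@400000004fd0a3c00b3e2b8c WARNING: Local version: 0.97.3 Recommended version: 0.97.6
@400000004fd0a3c00b3e2b8c main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
EOF

freshclam_status "$SAMPLE"     # prints: OUTDATED local=0.97.3 recommended=0.97.6
rm -f "$SAMPLE"
```

Because multilog rotates the file, only the current one is checked; run it from cron after the nightly freshclam so the "OUTDATED" line turns into a mail rather than a surprise months later.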

Dual MTA Qmail

Recently I installed two qmails on a single server to handle mail from inner and outer domains. I will be posting a step by step tutorial of the same in the coming days.

Why dual MTA?

Basically I wanted two different queues to handle mail in different ways.
Queue 1) Gets the (incoming) mail and passes it on to queue 2.
Queue 2) Receives mail only from queue 1, runs virus scanning and spamassassin, and delivers mail to local or remote mailboxes (outgoing).

While I could have achieved the same functionality with a single queue, I doubted it would suit my needs in the future. Say the server can handle 250 mails and the queue is already full; then we may see some delay in receiving mail from remote machines and/or may completely lose some mail. Moreover, I don’t have to change the incoming queue’s setup and can continue receiving mail until I need to. It provides me the flexibility to pass the message to different server(s) altogether whenever needed.

How the setup will look like?

Queue 1: Two qmail-smtpd instances, one listening on port 25 and the other listening on port 465 (SSL).
port 25 – To receive mail from public domains such as yahoo/google.
port 465 – For internal users to send mail (auth + encryption).

Queue 2: qmail-smtpd listens on port 2000 and receives mail only from localhost (127.0.0.1). It calls qmail-scanner and has the mail scanned with clamav and spamassassin. If it has a virus the mail is quarantined. If tagged SPAM, the mail’s subject is prepended with [SPAM] and the mail is delivered to the user’s mailbox; if the user is local, the mail is delivered to the Junk directory.

I also had some specific needs. We had many aliases on the server and only certain people must be able to send mail to those aliases. While this can be done with mailing list software like ezmlm, I thought of exploring more. When an unauthorized user sends mail to a particular alias, ezmlm sends a mail to the moderator. I wanted the mail to be bounced back to the sender (ezmlm has that option) and also to give my own message for the bounce (the reason). I wrote my own perl script to achieve this and it was simple enough. Ezmlm is also installed on my server and serving other purposes.

Enough for tonight. I will be posting

For the inside queue (the one that scans and delivers mail) I followed the instructions from qmailrocks. Disk space, pre-installation check list and other instructions are here.

Note: I installed vpopmail without mysql since the number of domains i manage is small. If you are going to have more than 10 domains consider using vpopmail with mysql backend. Remember to replace all example.net entries with your own domain. For hostnames enter the FQDN of your server.

After installing qmailrocks, make sure that mails to & from your domain works. The qmail installation from qmailrocks listens on port 25, alter it to listen on port 2000.

The last few lines in /var/qmail/supervise/qmail-smtpd/run look like this:

# tail -4 /var/qmail/supervise/qmail-smtpd/run

/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 127.0.0.1 2000 \
    /var/qmail/bin/qmail-smtpd your.hostname.here \
    /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

With the above setting, the QMR installation serves as a separate queue which scans any mail that comes to it. Now we have everything set up to install our other queue.

Note: I used /var/qmail-inside as my qmail directory (for all incoming mail). You can choose any other directory you want. Also, for this queue I patched qmail with jms1’s combined patch set 6cd.

Below are the steps:

cd /usr/local/src
wget ftp://ftp.jp.qmail.org/qmail/qmail-1.03.tar.gz
wget http://qmail.jms1.net/patches/qmail-1.03-jms1.6cd.patch
wget http://untroubled.org/qmail-qfilter/qmail-qfilter-2.1.tar.gz
wget http://qmail.jms1.net/scripts/service-qmail-send-run
wget http://qmail.jms1.net/scripts/service-qmail-smtpd-run
tar zxfv qmail-1.03.tar.gz
mv qmail-1.03 qmail-inside
cd qmail-inside/

Edit conf-qmail and change the directory entry from /var/qmail to /var/qmail-inside

echo 211 > conf-split
echo 255 > conf-spawn
patch < /usr/local/src/qmail-1.03-jms1.6cd.patch
make setup check

Next we have to create the necessary control files for qmail. Copying all the control files from /var/qmail/control will do, but we have to remove some unwanted files too. The virtualdomains file has the names of the virtual domains created with vpopmail; however, having this file means that mail will be delivered directly to the vpopmail user rather than passed on to our other queue.

cd /var/qmail-inside/control/
cp /var/qmail/control/* /var/qmail-inside/control/
rm -f virtualdomains.lock locals.lock rcpthosts.lock clientcert.pem
rm -f virtualdomains

It is better to link some files directly from /var/qmail so that when there are new virtual domains we don’t have to change the file each time we add a new virtual domain.

cd /var/qmail-inside/control
rm -f rcpthosts
ln -s /var/qmail/control/rcpthosts
rm -f plusdomain
ln -s /var/qmail/control/plusdomain

Now we create the necessary aliases and the cdb file.

cd /var/qmail-inside/alias
echo "postmaster" > .qmail-root
echo "postmaster@example.net" > .qmail-postmaster
echo "postmaster" > .qmail-mailer-daemon
cp .qmail-root .qmail-abuse
echo "127.0.0.1:allow,RELAYCLIENT=\"\"" > /etc/tcp.smtp.inside
tcprules /etc/tcp.smtp.inside.cdb /etc/tcp.smtp.inside.tmp < /etc/tcp.smtp.inside

Next step is to create all supervise and log directories

mkdir -p /var/qmail-inside/supervise/qmail-inside-send/log
mkdir -p /var/qmail-inside/supervise/qmail-smtpd-25/log
mkdir -p /var/qmail-inside/supervise/qmail-smtpd-465/log
chmod +t /var/qmail-inside/supervise/qmail-inside-send
chmod +t /var/qmail-inside/supervise/qmail-smtpd-25
chmod +t /var/qmail-inside/supervise/qmail-smtpd-465
mkdir -p /var/log/qmail-inside/qmail-inside-send
mkdir -p /var/log/qmail-inside/qmail-smtpd-25
mkdir -p /var/log/qmail-inside/qmail-smtpd-465
chown -R qmaill /var/log/qmail-inside/
chown vpopmail.qmail servercert.pem

Create run files for both smtpd instances:
vi /var/qmail-inside/supervise/qmail-smtpd-25/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t s2500000 /var/log/qmail-inside/qmail-smtpd-25

vi /var/qmail-inside/supervise/qmail-inside-send/log/run

#!/bin/sh
exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog t /var/log/qmail-inside/qmail-inside-send

Now we are going to create the supervise directories:

cd /var/qmail-inside/supervise
cp /usr/local/src/service-qmail-smtpd-run qmail-smtpd-25/
cp /usr/local/src/service-qmail-smtpd-run qmail-smtpd-465/
cp /usr/local/src/service-qmail-send-run qmail-inside-send/
cp qmail-smtpd-25/log/run qmail-smtpd-465/log/

vi qmail-smtpd-465/log/run

change the directory qmail-smtpd-25 to qmail-smtpd-465

chmod 755 qmail-smtpd-465/log/run qmail-smtpd-25/log/run qmail-inside-send/log/run
cd /var/qmail-inside/supervise/qmail-inside-send/
mv service-qmail-send-run run

Edit the file run: vi run

and change the following entries

 VQ=/var/qmail to VQ=/var/qmail-inside 

and save the file

chmod 755 run
cd ../qmail-smtpd-25/
mv service-qmail-smtpd-run run
vi run

Change the following:

VQ="/var/qmail-inside"
SMTP_CDB="/etc/tcp.smtp.inside.cdb"
GREETDELAY=30
IP=0

Uncomment RBLSMTPD_PROG and RBL_BAD, save the file and make it executable:

# chmod 755 run

We have to install sslserver to enable secured SMTP connections (I configured it to listen on port 465).

Installing sslserver

cd /usr/local/src/
wget http://www.superscript.com/ucspi-ssl/ucspi-ssl-0.70.tar.gz
cd /package/
tar zxfv /usr/local/src/ucspi-ssl-0.70.tar.gz
cd host/superscript.com/net/ucspi-ssl-0.70
package/compile
package/rts                (output should be empty)
package/install
cd /var/qmail-inside/supervise/qmail-smtpd-465/
mv service-qmail-smtpd-run run
vi run

change the following

VQ="/var/qmail-inside"
SMTP_CDB="/etc/tcp.smtp.cdb"
QUSER=vpopmail
IP=0
PORT=465
SSL=1
AUTH=1
REQUIRE_AUTH=1

Save the file

chmod 755 run
cd /var/qmail-inside/control/
echo ":127.0.0.1:2000" > smtproutes
cd /service/
ln -s /var/qmail-inside/supervise/qmail-smtpd-25/
ln -s /var/qmail-inside/supervise/qmail-inside-send/
ln -s /var/qmail-inside/supervise/qmail-smtpd-465/

ps -ef|grep qmail-inside

will show that the processes are started and running. Check the corresponding services logs and make sure that they don’t throw errors.

If you followed the above steps word by word then, log files for the above services will be at: /var/log/qmail-inside/qmail-smtpd-25/current and /var/log/qmail-inside/qmail-smtpd-465/current

Errors and fixes:
When configuring your mail client to send mail you get an auth failure: you have to use userid@example.net as the username. Also make sure that SSL is enabled and the port is set to 465.

Qmail SMTP Access Control with tcp.smtp

Before we can start using the qmail smtpd service, we need to define some access control.

This is done in the file

/etc/tcp.smtp

To allow relaying from localhost, you have to add

127.:allow,RELAYCLIENT=""

This setting will allow the Qmail SMTP server to relay email from any IP starting with 127.X.X.X.

IP 127.0.0.1 is used by localhost

If you need to allow relaying from IP address 200.200.200.100 and localhost, add the following:

127.:allow,RELAYCLIENT=""
203.200.10.91:allow,RELAYCLIENT=""

Now you need to use tcprules command to add the rule to qmail database (/etc/tcp.smtp.cdb).

# tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
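
The rules file is small, but one wrong line in it turns the server into an open relay, and the compiled .cdb gives no hint of that. As an added example (not part of the original post or of ucspi-tcp), the script below reads the plain-text rules before they are compiled and reports who is allowed to relay. The rule syntax it parses is tcprules' own: an address that is an exact IP, a prefix ending in "." (127. covers all of 127.0.0.0/8), or "=hostname" matched against the client's reverse DNS; an empty address is the default rule for every client matched by nothing else. The sample rules at the bottom are constructed.

```shell
#!/bin/sh
# audit_tcp_smtp: list relay permissions in a tcprules source file such as
# /etc/tcp.smtp. Added example; not part of the original post or of ucspi-tcp.
# Reads the plain-text rules, not the compiled .cdb, so run it before tcprules.

audit_tcp_smtp() {   # $1 = path to the rules file
    awk '
        /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
        {
            i = index($0, ":")
            if (i == 0) { print "MALFORMED " $0; next }
            addr = substr($0, 1, i - 1)
            rest = substr($0, i + 1)                   # allow|deny plus ,VAR="..." settings
            split(rest, f, ",")
            instr = f[1]
            relay = (rest ~ /RELAYCLIENT=/)
            who = (addr == "") ? "<default: everyone else>" : addr
            if (instr == "deny")          { print "DENY " who; next }
            if (!relay)                   { print "ACCEPT-NO-RELAY " who; next }
            if (addr == "")               print "OPEN-RELAY: default rule sets RELAYCLIENT for every client"
            else if (addr == "127.")      print "RELAY " addr " (loopback)"
            else if (addr ~ /^[0-9]+\.$/) print "BROAD-RELAY " addr " (a single octet is a whole /8)"
            else if (addr ~ /^=/)         print "HOSTNAME-RELAY " addr " (relies on reverse DNS)"
            else                          print "RELAY " addr
        }
    ' "$1"
}

# Constructed sample of an /etc/tcp.smtp (not taken from a real system).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample
127.:allow,RELAYCLIENT=""
203.200.10.91:allow,RELAYCLIENT=""
10.:allow,RELAYCLIENT=""
=mailhub.example.net:allow,RELAYCLIENT=""
192.0.2.66:deny
:allow
EOF

audit_tcp_smtp "$SAMPLE"
rm -f "$SAMPLE"
```

Anything printed as OPEN-RELAY should be fixed before running `tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp`; BROAD-RELAY and HOSTNAME-RELAY lines are worth a second look, since a one-octet prefix trusts sixteen million addresses and a "=host" rule trusts whoever controls the reverse DNS for the client's address.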

Deleting mails from qmail queue

The following commands delete all mail from your qmail server’s queue.

qmailctl stop
find /var/qmail/queue/mess -type f -exec rm {} \;
find /var/qmail/queue/info -type f -exec rm {} \;
find /var/qmail/queue/local -type f -exec rm {} \;
find /var/qmail/queue/intd -type f -exec rm {} \;
find /var/qmail/queue/todo -type f -exec rm {} \;
find /var/qmail/queue/remote -type f -exec rm {} \;
qmailctl start

Center for Internet Security Benchmark for Apache Web Server

Pre-configuration Checklist

It is important to realize that “Web Security” extends beyond the Web Server itself. There are many different web security vulnerabilities which do not directly involve the web server itself. In order to truly secure a web infrastructure, many different information technology divisions must work together. These include, but are not limited to, Firewalls, Intrusion Detection Systems, DNS, Networks Branch, etc. Take the time to build relationships with these groups and discuss web security issues. Hopefully, you will be able to identify deficiencies in your environment and fix them prior to exploitation attempts. The benchmark reader should review this sample checklist prior to applying the CIS Apache Benchmark.

o Reviewed and implemented my company’s security policies as they relate to web security.
o Implemented a secure network infrastructure by controlling access to/from your web server by using: Firewalls, Routers and Switches.
o Implemented a Network Intrusion Detection System to monitor attacks against the web server.
o Implemented load-balancing/failover capability in case of Denial of Service or server shutdown.
o Implemented a disk space monitoring process and log rotation mechanism.
o The WHOIS Domain information registered for our web presence does not reveal sensitive personnel information, which may be leveraged for Social Engineering (Individual POC Names), War Dialing (Phone Numbers) and Brute Force Attacks (Email addresses matching actual system usernames).
o Domain Name Service (DNS) servers have been properly secured to prevent domain hi-jacking via cache poisoning, etc.
o Hardened the Underlying Operating System of the web server. This should include minimizing listening network services, applying proper patches and hardening the configurations.
o Educated developers about writing secure code.
  o OWASP Top Ten – http://www.owasp.org/index.php/OWASP_Top_Ten_Project
  o WASC Threat Classification – http://www.webappsec.org/projects/threat/
1 Level 1 Apache Benchmark Settings
The Prudent Level of Minimum Due Care
Level-I Benchmark settings/actions meet the following criteria.
1. System administrators with any level of security knowledge and experience can understand and perform the specified actions.
2. The action is unlikely to cause an interruption of service to the operating system or the applications that run on the system.
3. The actions can be automatically monitored, and the configuration verified, by Scoring Tools that are available from the Center or by CIS-certified Scoring Tools.
Many organizations running the CIS scoring tools report that compliance with a CIS “Level-1” benchmark produces substantial improvement in security for their systems connected to the Internet.
1.1 Installation

Question
Are you planning to use the precompiled Apache httpd binary that is available by default with many Unix Operating Systems, or a commercial version supplied by a Vendor (such as WebLogic or Oracle’s Application Server 9iAS/10G)?

If you answered yes, then continue with the section. If you answered no, or in the event vendor binaries are not available or suitable, recommended instructions for downloading, building from the source and installing are included in this sample chapter from Apache Security[1] by Ivan Ristic – http://www.apachesecurity.net/download/apachesecurity-ch02.pdf.

Description
The CIS Apache Benchmark recommends using the Apache binary provided by your vendor for most situations. The benefits of using the vendor supplied binaries include[2]:
o Ease of installation, as it will just work, straight out of the box.
o It is customized for your OS environment.
o It will be tested and have gone through QA procedures.
o Everything you need is likely to be included, probably including some third party modules. Many OS vendors ship Apache with mod_ssl and OpenSSL and PHP, mod_perl and ModSecurity, for example.
o Your vendor will tell you about security issues in all those bits; you have to look in fewer places.
o Updates to fix security issues will be easy to apply. The vendor will have already verified the problem, checked the signature on the Apache download, worked out the impact and so on. You may be able to get the updates automatically, reducing the window of risk.

There are times when compilation from source code will be necessary or advantageous; however, for most situations the vendor binaries will provide better security by ensuring that updates are applied according to the existing update process.

Which Apache Version to use?
There are currently three different Apache forks: 1.3.x, 2.0.x and 2.2.x. At the time of this writing, the current stable versions are 1.3.37, 2.0.59 and 2.2.4. There may be restrictions as to which version of Apache you must use; however, if it is at all possible it is recommended that you use the 2.2.x fork. The main reasons are security related, as this is the current branch where the majority of improvements are made. Additionally, in order to use the ModSecurity 2.x web application firewall package, you must be using either the 2.0.x or 2.2.x version.

Action
Install the Apache Software using vendor provided binaries if available.
For Red Hat/Fedora:
# yum install httpd2
For Debian systems:
# apt-get install apache2-mpm-prefork
1.2 ModSecurity Overview
Important Note
ModSecurity has quickly matured over the years and has become the most widely deployed web application firewall. Due to the fact that it is open source and free, coupled with its flexible rules language and extensive logging capabilities, the CIS Apache Benchmark highly recommends that all Apache deployments install it. We do however realize that not all deployments will be able to use this application. It is for this reason that many sections will be providing both an Apache and a ModSecurity setting that can be used to mitigate the issues. There were many previous benchmark sections that attempted to leverage Apache modules and directives to achieve a specific security goal. Some of these settings worked to a certain degree; however, some were not flexible enough to fully handle the issue. ModSecurity, on the other hand, is able to better address these issues. It is for this reason that most of these benchmark settings will include an analogous ModSecurity feature or ruleset in addition to the standard Apache directive or configuration. We will still provide the Apache directive examples; however, we will include information about their limitations and a rationale for using ModSecurity.

Description
ModSecurity is an open-source, free web application firewall module that integrates into the Apache web server. The project website is www.modsecurity.org. It is available under the open source GPL license, with optional commercial support and licensing (from Breach Security – www.breach.com). There are two versions of the module, one for each major Apache branch, and they are almost identical in functionality. In the Apache 2 version, mod_security uses the advanced filtering API available in that version, making interception of the response body possible. The Apache 2 version is also more efficient in terms of memory consumption. In short, ModSecurity does the following:
o Intercepts HTTP requests before they are fully processed by the web server
o Intercepts the request body (e.g., the POST payload)
o Intercepts, stores, and optionally validates uploaded files
o Performs optional anti-evasion actions
o Performs request analysis by processing a set of rules defined in the configuration
o Intercepts HTTP responses before they are sent back to the client (Apache 2 only)
o Performs response analysis by processing a set of rules defined in the configuration
o Takes one of the predefined actions or executes an external script when a request or a response fails analysis (a process called detection)
o Depending on the configuration, a failed request may be prevented from being processed, and a failed response may be prevented from being seen by the client (a process called prevention)
o Performs audit logging

In this section, we will cover the essentials for installation and configuration. For a detailed reference manual, visit the project documentation area at http://www.modsecurity.org/documentation/.

Action
In order to ensure that you are using the latest and greatest version, you should download the ModSecurity source code from the project website – http://www.modsecurity.org/download/index.html. As of this writing, the current version is 2.1.2. Follow the steps outlined in the Installation section of the Reference Manual – http://www.modsecurity.org/documentation/modsecurity-apache/2.1.2/modsecurity2-apache-reference.html#02-installation

If you run into any issues with installation, configuration or usage, you should sign up on the ModSecurity users mail-list here – https://lists.sourceforge.net/lists/listinfo/mod-security-users.
1.3 ModSecurity Core Rules Overview

Description
ModSecurity is a web application firewall engine. Being the Swiss army knife of application firewalls, it can do everything but requires rules to tell it what to do. In order to enable users to take full advantage of ModSecurity out of the box, ModSecurity includes the Core Rule Set, an open source rule set licensed under GPLv2. The ModSecurity Core Rule Set works with ModSecurity 2.1 and above.

Unlike intrusion detection and prevention systems, which rely on signatures specific to known vulnerabilities, the Core Rules are based on generic rules in order to provide protection from zero day and unknown vulnerabilities often found in web applications, which are in most cases custom coded.

As a generic negative security rule set, the Core Rule Set is only one layer in your application protection. You can learn more about the pros and cons of a negative security model in the presentation “The Core Rule Set: Generic detection of application layer”, presented at OWASP Europe 2007. In addition to the Core Rule Set you may want to harden your Apache installation, for which you can consult Ivan Ristic’s book, Apache Security. You may also consider writing custom rules for providing a positive security envelope to your application or critical parts of it. Breach Security can provide you with training and professional services to assist you in doing that. On additional methodologies which complement the Core Rule Set, including positive security and virtual patching, you can read in Ryan Barnett’s book, Preventing Web Attacks with Apache.

Why The Core Rule Set?
The focus of the core rule set is to be a “rule set” rather than a set of rules. What makes a rule set different than a set of rules?
o Performance – The Core Rule Set is optimized for performance. The amount and content of the rules used predominantly determines the performance impact of ModSecurity, so the performance optimization of the rule set is very important.
o Quality – While there will always be false positives, a lot of effort is put into trying to make the Core Rule Set better. Some of the things done are:
  o Regression tests – a regression test is used to ensure that every new version shipped does not break anything. Actually every report of a false positive, once solved, gets into the regression test.
  o Real traffic testing – A large amount of real world capture files have been converted to tests and sent through ModSecurity to detect potential false positives.
o Generic Detection – The core rule set is tuned to detect generic attacks and does not include specific rules for known vulnerabilities. Due to this feature the core rule set has better performance, is more “plug and play” and requires fewer updates.
o Event Information – Each rule in the Core Rule Set has a unique ID and a textual message. In the future rules are also going to be classified using a new tag action in ModSecurity, as well as longer information regarding each rule using comments in the files themselves.
o Plug and Play – The Core Rule Set is designed to be as plug and play as possible. Since its performance is good and it employs generic detection, and since the number of false positives is getting lower all the time, the Core Rule Set can be installed as is with little twisting and tweaking.

Content
In order to provide generic web application protection, the Core Rules use the following techniques:

Protocol compliance:
o HTTP request validation – This first line of protection ensures that all abnormal HTTP requests are detected. This line of defense eliminates a large number of automated and non targeted attacks as well as protecting the web server itself.
o HTTP protocol anomalies – Common HTTP usage patterns are indicative of attacks.
o Global constraints – Limiting the size and length of different HTTP protocol attributes, such as the number and length of parameters and the overall length of the request. Ensuring that these attributes are constrained can prevent many attacks including buffer overflow and parameter manipulation.
o HTTP Usage policy – Validate requests against a predefined policy, setting limitations on request properties such as methods, content types and extensions.

Attack Detection:
o Malicious client software detection – Detect requests by malicious automated programs such as robots, crawlers and security scanners. Malicious automated programs collect information from a web site, consume bandwidth and might also search for vulnerabilities on the web site. Detecting malicious crawlers is especially useful against comment spam.
o Generic Attack Detection – Detect application level attacks such as described in the OWASP top 10. These rules employ context based pattern matching over normalized fields. Detected attacks include:
  o SQL injection and Blind SQL injection.
  o Cross Site Scripting (XSS).
  o OS Command Injection and remote command access.
  o File name injection.
  o ColdFusion, PHP and ASP injection.
  o E-Mail Injection.
  o HTTP Response Splitting.
  o Universal PDF XSS.
o Trojans & Backdoors Detection – Detection of attempts to access Trojans & backdoors already installed on the system. This feature is very important in a hosting environment where some of these backdoors may be uploaded in a legitimate way and used maliciously.

Other:
o Error Detection – Prevent application error messages and code snippets from being sent to the user. This makes attacking the server much harder and is also a last line of defense if an attack passes through.
o XML Protection – The Core Rule Set can be set to examine XML payloads for most signatures.
o Search Engine Monitoring – Log access by search engine crawlers to the web site.

Action

CIS_Apache_Benchmark_v2.1

Security Configuration Benchmark For Red Hat Enterprise Linux 5

CIS Red Hat Enterprise Linux 5 Benchmark
Introduction
Red Hat Enterprise Linux version 5 (RHEL5) is the new server-class release from Red Hat, Inc. that stabilizes SELinux, has been Common Criteria evaluated at EAL4+ and brings further stability and robustness to the enterprise level with this OS. Security hardening remains a vital element of the defense-in-depth approach for all computing elements within the enterprise. The Center for Internet Security proudly brings the latest consensus-achieved security hardening recommendations in this Benchmark and accompanying scoring tool.
The content and intent of this Benchmark is to drive you, the reader to be more informed in regards to actions necessary for hardening and securing Red Hat Enterprise Linux systems. It is not going to provide non-security hardening information and guidance just for the sake of providing it. Some basics of a particular function might be touched upon, but this is usually for the relevance it directly provides to the security hardening actions at hand.
Please enjoy this edition of the Center for Internet Security Benchmark to harden Red Hat Enterprise Linux version 5.

CIS_RHEL_5.0-5.1_Benchmark_v.1.1.2

VPN Server With OpenVPN

Depending on your circumstances you may want to run the VPN from your home, or you may want to rent a VPS to run it from. If you’re just trying to get into your home network, an SSH tunnel might be easier; I will write something about SSH tunneling later. For the purposes of this guide, there’s no difference between using a spare machine at your house or a VPS/Dedi other than port forwarding on the router. The configuration will be based on a machine running CentOS 5, with nano as the editor. It really doesn’t matter what Linux distribution you use, or what editor. I also use wget for downloading. You can use Links, lynx, or any method you want to get the files.

OpenVPN is being used for a number of reasons:

  1. It’s extensively used privately and publicly.
  2. It’s well supported.
  3. It uses OpenSSL instead of more complicated PKI certificate systems. (Don’t confuse this with a Microsoft SSTP VPN, they aren’t the same thing)
  4. This type of VPN can be tunneled through a proxy or NAT device easily.
  5. It is a very capable VPN application, allowing for a large number of configuration scenarios including site to site, client to server, client to site, and reverse connections.
Now, there is one huge drawback… It uses its own special set of protocols, and cannot be intermixed with other VPN clients or servers. An OpenVPN client cannot connect to an IPSec, PPTP, or SSTP VPN, and only OpenVPN clients can connect to OpenVPN servers. That being said, there are several third party clients available for OpenVPN, for all platforms. I will list the various options at the end of the article.

Please read the entire guide before beginning the installation.

1. Downloading and installing OpenVPN

#rpm -i openvpn-as-1.8.3-CentOS5.i386.rpm

I'm just downloading and installing one of the RPMs, but you can easily build from source if that's your style. Note that this package is OpenVPN Access Server, the edition with the web UI; what the distribution repositories (EPEL on CentOS) carry is the community openvpn package, which is configured through text files rather than a web interface. The basic installation is insanely simple: just download and install the package. The installation will tell you that you need to change the password using "passwd openvpn", and that web UIs are available at https://serveraddress:943/ and https://serveraddress:943/admin for the user and admin logins respectively.

2. Configuration of the VPN Server.

If you haven’t already set the password, please do so now.

#passwd openvpn

Changing password for user openvpn

New UNIX password:

BAD PASSWORD: it is based on a dictionary word

Retype UNIX password:

passwd: all authentication tokens updated successfully

I used "password" for my password; I'd advise that you actually use a strong password.

OpenVPN is now running on your server. Everything can be configured via the web interface available at https://server:943/admin. The user name is openvpn, and the password is whatever you have set. A basic VPN is already in place using default certificates, PAM authentication, and a relatively secure client configuration. The default web certificate is a self-signed one generated at install time, so expect a browser warning on the first visit. I'm not going to cover some of the more advanced configurations here, such as site to site via an intermediary server, LDAP interoperability, or layer 2 tunneling.

If you're having trouble reaching the VPN administration page, check your firewall settings. I'm not going to go through iptables in detail, but make sure the bare minimum is present: for OpenVPN Access Server that means UDP 1194 and TCP 443 for the tunnel and TCP 943 for the web UI. The administration page provides a simple means to configure everything from client IP ranges to ciphers and authentication. The only thing you might *need* to change is the IP range.

#!/bin/bash
# Firewall for the OpenVPN server. Interface names differ between hosts: CentOS 5
# usually calls the first NIC eth0, newer Dell/biosdevname hosts call it em1.
EXT_IF=em1      # interface facing the internet
VPN_IF=tun0     # interface OpenVPN creates for connected clients

###### TURN ON IP FORWARDING (only needed if VPN clients route through this box) ########
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -v -F
iptables -F -t mangle
iptables -F -t nat
iptables -X                          # delete user-defined chains so the script can be re-run
iptables -v -A INPUT -i lo -j ACCEPT

# Uncomment to NAT VPN client traffic out to the internet or your LAN:
# iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 192.168.25.0/24 -o $VPN_IF -j MASQUERADE

# Uncomment to let VPN clients talk to the server and be routed through it:
# iptables -A INPUT -i $VPN_IF -j ACCEPT
# iptables -A OUTPUT -o $VPN_IF -j ACCEPT
# iptables -A FORWARD -i $VPN_IF -j ACCEPT
# iptables -I FORWARD -i $EXT_IF -o $VPN_IF -j ACCEPT
# iptables -I FORWARD -i $VPN_IF -o $EXT_IF -j ACCEPT

########### BASIC RULE SET #############
iptables -v -P INPUT DROP                                                    # Default Policy DROP
# iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "ACCEPT"
iptables -v -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT          # ACCEPT ESTABLISHED
iptables -A INPUT -i $EXT_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT     # HTTP
iptables -A INPUT -i $EXT_IF -p tcp --dport 993 -m state --state NEW -j ACCEPT    # IMAPS (remove if this box is not a mail server)
# OpenVPN Access Server defaults: tunnel on UDP 1194 and TCP 443, web/admin UI on TCP 943
iptables -A INPUT -i $EXT_IF -p udp --dport 1194 -j ACCEPT                        # OPENVPN (UDP)
iptables -A INPUT -i $EXT_IF -p tcp --dport 1194 -m state --state NEW -j ACCEPT   # OPENVPN (TCP)
iptables -A INPUT -i $EXT_IF -p tcp --dport 943 -m state --state NEW -j ACCEPT    # OPENVPN WEB UI

########## CONNECTION LIMIT LOG/DROP ############
# more than 10 new TCP connections from one source within 30 seconds: log, then drop
iptables -A INPUT -p tcp -i $EXT_IF -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -i $EXT_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j LOG --log-level 4 --log-prefix "LIMIT:"
iptables -A INPUT -p tcp -i $EXT_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP

########### DROP SPOOFED PACKETS ###############
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j LOG --log-level 4 --log-prefix "SPOOF PACKETS:"
iptables -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP

########### LOG/DROP NEW CONNECTIONS ##############
# iptables -A INPUT -p tcp -m state --state NEW -j LOG    # LOG NEW TCP CONNECTIONS
# iptables -A INPUT -p tcp -m state --state NEW -j DROP   # BLOCK NEW TCP CONNECTIONS

######### LOG/DROP FTP, SSH AND SENDMAIL ############
iptables -v -A INPUT -p tcp --dport 21 -j LOG                                # LOG FTP ATTEMPTS
iptables -v -A INPUT -p tcp --dport 21 -j REJECT --reject-with tcp-reset     # RESET FTP
iptables -v -A INPUT -i $EXT_IF -p tcp --dport 22 -j LOG                     # LOG SSH ATTEMPTS
iptables -v -A INPUT -i $EXT_IF -p tcp --dport 22 -j DROP                    # BLOCK SSH FROM THE INTERNET
iptables -v -A INPUT -p tcp --dport 25 -j LOG                                # LOG SENDMAIL
iptables -v -A INPUT -p tcp --dport 25 -j DROP                               # BLOCK SENDMAIL

########### INPUT THAT IS NEEDED #################
iptables -v -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT        # DNS
iptables -v -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT        # DNS
# SSH is dropped on $EXT_IF above, so this admits it only over the tunnel. Keep console
# or out-of-band access until the VPN is confirmed working, or you lock yourself out of a VPS.
iptables -v -A INPUT -i $VPN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT   # SSH (VPN ONLY)
iptables -v -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT       # HTTPS / OPENVPN TCP

########### DENY FRAGMENT PACKETS ###############
iptables -A INPUT -i $EXT_IF -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FRAG DROP:"
iptables -A INPUT -i $EXT_IF -f -j DROP

########### DROP BAD PACKETS ###############
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP                         # every flag set
iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL DROP:"
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                        # NULL packets (nmap -sN)
iptables -A INPUT -i $EXT_IF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP      # XMAS packets (nmap -sX)
iptables -A INPUT -i $EXT_IF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i $EXT_IF -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "SYN-FIN DROP:"
iptables -A INPUT -i $EXT_IF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP      # SYN+FIN
iptables -A INPUT -i $EXT_IF -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "FIN DROP:"
iptables -A INPUT -i $EXT_IF -p tcp --tcp-flags FIN,ACK FIN -j DROP          # FIN packet scans (nmap -sF)
iptables -A INPUT -i $EXT_IF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

########## BLOCK INVALID ICMP (must come before the ICMP accepts below) #####################
iptables -v -A INPUT -i $EXT_IF -p icmp -m state --state INVALID -j DROP
iptables -v -A FORWARD -i $EXT_IF -p icmp -m state --state INVALID -j DROP
iptables -A OUTPUT -o $EXT_IF -p icmp -m state --state INVALID -j DROP
iptables -A FORWARD -o $EXT_IF -p icmp -m state --state INVALID -j DROP

########### LIMIT PING ATTEMPTS ###################
# answer at most one echo-request per second, drop the excess, keep other ICMP (errors, path MTU)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
iptables -v -A INPUT -p icmp --icmp-type echo-request -j DROP                # BLOCK EXCESS ICMP ECHO
iptables -v -A INPUT -p icmp -j ACCEPT                                       # ACCEPT OTHER ICMP

############ BLOCK STEALTH SCAN ###################
# Note: this chain is defined but nothing jumps to it; it is only active if you add a rule with -j st_scan.
iptables -N st_scan
iptables -A st_scan -p tcp --tcp-flags SYN,FIN,RST,ACK RST,ACK -j RETURN     # normal RST/ACK passes back
iptables -A st_scan -j LOG --log-level 4 --log-prefix "STEALTH SCAN:"
iptables -A st_scan -j DROP

########## PORTSCAN RULE SETUP ###################
iptables -N port-scan
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN   # up to 1 RST/s is normal
iptables -A port-scan -j LOG --log-level 4 --log-prefix "PORT SCAN:"
iptables -A port-scan -j DROP
iptables -A INPUT -i $EXT_IF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan   # send bare RSTs through the limiter

########## LOG ALL DROPPED PACKETS #################
iptables -N logdrop
iptables -A logdrop -j LOG --log-level 4 --log-prefix "DROPPED:"
iptables -A logdrop -j DROP

iptables -v -A INPUT -j REJECT     # REJECT EVERYTHING ELSE (use -j logdrop instead if you want it logged)

######## OUTPUT FOR SERVICES NEEDED ########

iptables -v -P OUTPUT ACCEPT                                                 # Default Policy ACCEPT
iptables -v -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p tcp --dport 31337 --sport 31337 -j DROP    # BLOCK BACKDOOR (before the blanket accept)
iptables -v -A OUTPUT -o $EXT_IF -j ACCEPT                                   # everything out on $EXT_IF; the per-port rules below only govern other interfaces
iptables -v -A OUTPUT -p tcp --dport 80 -j ACCEPT                            # HTTP
iptables -v -A OUTPUT -p tcp --dport 443 -j ACCEPT                           # HTTPS
iptables -v -A OUTPUT -p tcp --dport 445 -j ACCEPT                           # SMB
iptables -v -A OUTPUT -p tcp --dport 53 -j ACCEPT                            # DNS
iptables -v -A OUTPUT -p udp --dport 53 -j ACCEPT                            # DNS
iptables -v -A OUTPUT -p tcp --dport 5222 -j ACCEPT                          # Google Talk or Jabber
iptables -v -A OUTPUT -p tcp --dport 5050 -j ACCEPT                          # Yahoo
iptables -v -A OUTPUT -p tcp --dport 6667 -j ACCEPT                          # IRC
iptables -v -A OUTPUT -p tcp --dport 7777 -j ACCEPT                          # Jabber file transfers
iptables -v -A OUTPUT -j REJECT

######### DEFAULT DROPS #######

iptables -v -P FORWARD DROP                                                  # Default Policy DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT           # without this only the SYN of a forwarded connection gets through
iptables -A FORWARD -p tcp -i $EXT_IF -m state --state NEW -m recent --set
iptables -A FORWARD -p tcp -i $EXT_IF -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
iptables -A FORWARD -p tcp -i $EXT_IF --dport 31337 --sport 31337 -j DROP   # BLOCK BACKDOOR
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT              # SYN FLOOD PROTECT (also caps forwarded new connections at 1/s)
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT   # DEATH BY PING
iptables -v -A FORWARD -j REJECT                                             # DEFAULT REJECT

######### IPTABLES SAVE ##################
# writes the running rules to /etc/sysconfig/iptables so they are restored at boot
/etc/init.d/iptables save
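Two defects that hand-written scripts like the one above tend to accumulate are rules that can never match (an ACCEPT for a port that an earlier rule in the same chain already drops unconditionally) and user chains that are created but never jumped to. The following script, an added example rather than part of the original post, reads an iptables-save style dump and reports both. The dump embedded in it is constructed to reproduce those problems, not captured from a real host; on a live box call the two functions on "$(iptables-save)" instead.

```shell
#!/bin/sh
# Lint an iptables-save dump for two defects that hand-written firewall scripts
# accumulate: user chains that nothing ever jumps to, and ACCEPT rules for a TCP
# port that an earlier unconditional DROP/REJECT on the same chain already shadows.
# Added example, not part of the original post. SAMPLE_DUMP is constructed to
# reproduce the problems, not captured from a real host.

SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:st_scan - [0:0]
:port-scan - [0:0]
:logdrop - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j LOG
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A port-scan -p tcp -m tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/sec -j RETURN
-A port-scan -j LOG --log-prefix "PORT SCAN:"
-A port-scan -j DROP
-A logdrop -j LOG --log-prefix "DROPPED:"
-A logdrop -j DROP
COMMIT'

# unused_chains DUMP: user-defined chains (":name - [...]") that no rule jumps to
unused_chains() {
    printf '%s\n' "$1" | awk '
        /^:/ && $2 == "-"  { sub(/^:/, "", $1); defined[$1] = 1 }
        /^-A /             { for (i = 1; i < NF; i++) if ($i == "-j" || $i == "-g") used[$(i+1)] = 1 }
        END                { for (c in defined) if (!(c in used)) print c }' | sort
}

# shadowed_accepts DUMP: "CHAIN/PORT" for every ACCEPT on a TCP --dport that an
# earlier DROP/REJECT in the same chain matches unconditionally (no interface,
# source, state or flag qualifier), so the ACCEPT can never be reached
shadowed_accepts() {
    printf '%s\n' "$1" | awk '
        /^-A / && /-p tcp/ {
            chain = $2; port = ""; target = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--dport") port = $(i+1)
                if ($i == "-j")      target = $(i+1)
            }
            if (port == "") next
            key = chain "/" port
            if ((target == "DROP" || target == "REJECT") && $0 !~ /--state|--tcp-flags| -s | -i /)
                blocked[key] = 1
            else if (target == "ACCEPT" && (key in blocked))
                print key
        }' | sort -u
}

# report DUMP: human-readable summary of both checks
report() {
    echo "user chains defined but never referenced:"
    unused_chains "$1" | sed 's/^/  /'
    echo "ACCEPT rules shadowed by an earlier DROP/REJECT on the same chain and port:"
    shadowed_accepts "$1" | sed 's/^/  /'
}

report "$SAMPLE_DUMP"
```

On the sample dump this reports st_scan and logdrop as unreferenced (port-scan is fine, a rule jumps to it) and INPUT/22 as shadowed: the SSH ACCEPT sits behind an unconditional DROP for the same port, which is exactly the situation in the original script. The shadow check is deliberately conservative and only counts a DROP/REJECT with no further qualifiers, so a drop on one interface followed by an accept on another is left alone.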

JBoss AS Clustering

Java

Download
wget http://download.oracle.com/otn-pub/java/jdk/6u33-b04/jdk-6u33-linux-i586.bin

The download is plain HTTP, so compare the file against the checksum Oracle publishes for the release before running it. Make the installer executable, run it, and move the extracted jdk1.6.0_33 directory to /opt.

Create a bash script to set JAVA_HOME and add the Java executables to the path.

vim /etc/profile.d/java.sh

export JAVA_HOME=/opt/jdk1.6.0_33
export PATH=$JAVA_HOME/bin:$PATH

Source your new script so the exports take effect:

source /etc/profile.d/java.sh

Register Java with the alternatives system (optional, but needed if the box already has another Java installed):

alternatives --install /usr/bin/java java /opt/jdk1.6.0_33/bin/java 2

Select the new entry as the current configuration:

alternatives --config java

 

 

 

Download and Install JBoss AS:

Download packaged distribution from http://www.jboss.org/jbossas/downloads
Unpack the compressed archive into a directory of your choice. e.g. /usr/jboss

Clustering in JBoss AS:

A cluster is a set of nodes that communicate with each other and work toward a common goal.
JBoss provides full clustering support, including replication of HTTP sessions for web applications, and can be fronted by an external load balancer.

A cluster provides:
  • Scalability (can we handle more users by adding hardware?)
  • Load balancing (share the load between servers)
  • High availability (uptime close to 100%)
  • Fault tolerance (high availability and reliability)
  • Clustering support for stateless session beans, stateful session beans, entity beans and JNDI.

 

Partitions

As previously discussed, a cluster is a set of nodes. In JBoss, a node is a JBoss server instance, so to build a cluster several JBoss instances are grouped into what is called a partition.
The partition is the central concept and the basic building block of clustering in JBoss.
The same network may carry several partitions; to tell them apart, each partition must have its own name.

 

Simple Web Architecture:

 

 

Simple web architecture is not scalable. Additional users can only be handled by improving the performance of the single server (e.g. adding CPUs or memory), and there is no fault tolerance: if the JBoss AS server goes down, the entire service becomes unavailable.

External Load Balancer Architecture:
Add one or more web servers to balance the load across multiple JBoss AS nodes, typically running on separate physical servers. Additional user load can be handled by adding another server running JBoss AS, and if any one of the JBoss AS nodes fails the service is still available through the others.

A cluster is defined by:

  • Multicast address
  • Multicast port
  • Cluster name

Multicast is what lets the nodes of a cluster find and talk to each other without being configured with each other's addresses; the communication itself is handled by JGroups, a library for group (multicast) communication. Note that the default JGroups stack neither authenticates nor encrypts this traffic: any host that can reach the multicast group can observe replicated sessions and join the partition, so keep the cluster interface on an isolated network segment.

General configuration for the following examples:
Preparing a set of servers to act as a JBoss AS cluster involves a few simple steps.
Copy the all configuration and create three instance directories, jboss1, jboss2 and jboss3, as below:

$ cd /usr/jboss/server
$ cp -r all jboss1
$ cp -r all jboss2
$ cp -r all jboss3

Requirements of a JBoss cluster:
Cluster name
Multicast address
Port binding set (instances sharing a host each need their own)
ServerPeerID (a unique id for JBoss Messaging)
In this scenario we have 3 nodes on different ports on the same server. Assume the machine has the address 192.168.0.101. The three JBoss instances are the jboss1, jboss2 and jboss3 directories created under /usr/jboss/server. The ServerPeerID for jboss1 is 1, for jboss2 is 2 and for jboss3 is 3. We have chosen "TestPartition" as the cluster name and 239.255.0.10 as the multicast address.

 

 

Launch a JBoss AS Cluster:

Start the cluster nodes one by one as below. Be aware that -b 0.0.0.0 binds every service, including the jmx-console, JNDI and RMI ports, on every interface; on anything but an isolated lab network bind to an internal address instead and put authentication in front of the consoles.

For jboss1
$JBOSS_HOME/bin/run.sh -c jboss1 -b 0.0.0.0 -g TestPartition -u 239.255.0.10 -Djboss.messaging.ServerPeerID=1 -Djboss.service.binding.set=ports-default

For jboss2
$JBOSS_HOME/bin/run.sh -c jboss2 -b 0.0.0.0 -g TestPartition -u 239.255.0.10 -Djboss.messaging.ServerPeerID=2 -Djboss.service.binding.set=ports-01

For jboss3
$JBOSS_HOME/bin/run.sh -c jboss3 -b 0.0.0.0 -g TestPartition -u 239.255.0.10 -Djboss.messaging.ServerPeerID=3 -Djboss.service.binding.set=ports-02

In the above commands:
The -c switch selects the server configuration directory: "-c jboss1".
The -g switch sets the cluster (partition) name: "-g TestPartition".
The -u switch sets the multicast address used for intra-cluster communication: "-u 239.255.0.10".
The -b switch sets the address on which sockets will be bound: "-b 0.0.0.0".
-Djboss.messaging.ServerPeerID gives JBoss Messaging its unique id: "-Djboss.messaging.ServerPeerID=1".
-Djboss.service.binding.set selects the port set for the instance: "-Djboss.service.binding.set=ports-default".
Each port set offsets every port by 100, so the HTTP and AJP ports are:
ports-default = 8080 / 8009
ports-01 = 8180 / 8109
ports-02 = 8280 / 8209
ports-03 = 8380 / 8309
jboss2 and jboss3 therefore use ports-01 and ports-02 here, which is what the mod_jk workers.properties further down expects (AJP on 8109 and 8209).

That's it; the JBoss AS clustering part is complete.

Load Balancing Using Apache & mod_jk

Apache is a well-known web server which can be extended by plugging in modules. One of these modules, mod_jk, has been specifically designed to allow the forwarding of requests from Apache to a Servlet container. Furthermore, it is also able to load-balance HTTP calls to a set of Servlet containers while maintaining sticky sessions.

Advantages of Fronting with a Web Server :
Performance: dynamic vs. static content
Scalability & High Availability: load balancing and fail over
Security: web servers are simpler and easier to protect
Stability: proven, more robust
Features: URL rewriting, fine-grained access control, etc.
Fronting with Apache HTTPD:

Steps for fronting with Apache HTTPD:
Download & compile Apache HTTPD
Download & compile mod_jk with Apache
AJP connector on JBoss AS already enabled
Access web apps through Apache
mod_jk (version 1.2.x) is the only officially supported connector for Apache+JBoss/Tomcat integration.

Steps to install mod_jk
First of all, make sure that you have Apache installed. You can download Apache directly from Apache web site at http://httpd.apache.org. Installation of mod_jk is pretty straightforward and requires no specific configuration. Installation steps are as below,

$ tar -zxvf tomcat-connectors-1.2.30-src.tar.gz
$ cd tomcat-connectors-1.2.30-src/native
$ ./configure --with-apxs=$APACHE_HOME/bin/apxs
$ make
$ sudo make install

Configure Apache to load mod_jk :
Include configuration file of mod_jk in $APACHE_HOME/conf/httpd.conf.
Add below line
Include conf/mod_jk.conf

Configuring mod_jk.conf:
Create <apache-dir>/conf/mod_jk.conf and configure it as below. Apache does not expand shell variables, so write the real path wherever $APACHE_HOME appears. Note also that this mounts /jmx-console and /admin-console through the public-facing Apache; do that only while testing, and otherwise leave the consoles unmounted or restrict them the way /jkstatus is restricted below.
# Load mod_jk module
LoadModule jk_module $APACHE_HOME/modules/mod_jk.so
# Where to find workers.properties
JkWorkersFile $APACHE_HOME/conf/workers.properties
# Where to find mod_jk.log file
JkLogFile /log/mod_jk.log
# Log level
JkLogLevel info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y]"
# JkRequestLogFormat
JkRequestLogFormat "%w %V %T"
# Add shared memory. This is needed for load balancing to work properly
JkShmFile /log/jk.shm
# JkOptions: forward the SSL key size and the decoded URI, do not forward directory requests.
# ForwardURICompat is the pre-1.2.24 behaviour; mod_jk 1.2.24+ defaults to ForwardURICompatUnparsed
# (forward the raw URI) so that URL encoding cannot bypass Apache's Location rules. Drop it unless an application needs it.
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# Add jkstatus for managing runtime data
<Location /jkstatus/>
JkMount jkstatus
Order deny,allow
Deny from all
Allow from {HOST_IP}
</Location>
# Mount your applications
JkMountCopy All
JkMount /jmx-console jboss
JkMount /jmx-console/* jboss
JkMount /admin-console jboss
JkMount /admin-console/* jboss
JkMount /jkstatus jkstatus

Define a JBoss AS instance in $APACHE_HOME/conf/workers.properties

worker.list=jboss,jkstatus
#For Node1
worker.jboss1.type=ajp13
worker.jboss1.host=HOST_IP
worker.jboss1.port=8009
worker.jboss1.lbfactor=1
#For Node2
worker.jboss2.type=ajp13
worker.jboss2.host=HOST_IP
worker.jboss2.port=8109
worker.jboss2.lbfactor=1
#For Node3
worker.jboss3.type=ajp13
worker.jboss3.host=HOST_IP
worker.jboss3.port=8209
worker.jboss3.lbfactor=1

worker.jboss.type=lb
worker.jkstatus.type=status
worker.jboss.sticky_session=1
worker.jboss.balance_workers=jboss1,jboss2,jboss3

Configuring JBoss to work with mod_jk
Finally, we must configure the JBoss AS instances on all clustered nodes so that they accept requests forwarded from the mod_jk load balancer. On each clustered JBoss node, name the node after its worker name in workers.properties.

$ vim $JBOSS_HOME/server/jboss1/deploy/jbossweb.sar/server.xml

Search for the line <Engine name="jboss.web" defaultHost="localhost"> and add jvmRoute as below.

<Engine name="jboss.web" defaultHost="localhost" jvmRoute="jboss1">

Save and close the file. Make the same change on jboss2 (jvmRoute="jboss2") and jboss3 (jvmRoute="jboss3").

You also need to be sure the AJP connector in server.xml is enabled (i.e., uncommented). It is enabled by default. Since requests now arrive over AJP (port 8009), you can disable the HTTP connector on 8080. AJP has no authentication of its own and trusts the proxy for the client address and SSL attributes, so the AJP port must be reachable only from the Apache host: bind it to an internal address or firewall it.

<!-- An AJP 1.3 Connector on port 8009 -->
<Connector protocol="AJP/1.3" port="8009" address="${jboss.bind.address}"
redirectPort="8443" />

Now restart jboss1, jboss2 and jboss3.
Also restart the Apache server and check the logs.
Check the cluster through Apache at http://HOST_IP/jmx-console and http://HOST_IP/jkstatus, and remove the jmx-console mount again once you have confirmed that routing works.
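The sticky-session setup only works if three things line up: the worker names in workers.properties, the jvmRoute each node announces, and the AJP port each node actually listens on, which depends on the port set the node was started with. The script below, an added example that is not part of the original post, cross-checks a workers.properties against each node's server.xml and reports mismatches. The files it creates under a temporary directory are constructed from the tutorial's values, with jboss2 and jboss3 deliberately started on the wrong port sets (ports-02 and ports-03, so AJP on 8209 and 8309 while the workers expect 8109 and 8209) and jboss3 given a mistyped jvmRoute, so it reports three problems.

```shell
#!/bin/sh
# Cross-check a mod_jk workers.properties against the JBoss nodes' server.xml
# files: each balanced worker needs a node whose jvmRoute equals the worker name
# (or sticky sessions break) and whose AJP connector listens on the worker's port.
# Added example, not part of the original post. The files below are constructed
# in a temporary directory from the tutorial's values, with mistakes planted.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/workers.properties" <<'EOF'
worker.list=jboss,jkstatus
worker.jboss1.type=ajp13
worker.jboss1.host=192.168.0.101
worker.jboss1.port=8009
worker.jboss2.type=ajp13
worker.jboss2.host=192.168.0.101
worker.jboss2.port=8109
worker.jboss3.type=ajp13
worker.jboss3.host=192.168.0.101
worker.jboss3.port=8209
worker.jboss.type=lb
worker.jboss.sticky_session=1
worker.jboss.balance_workers=jboss1,jboss2,jboss3
worker.jkstatus.type=status
EOF

# write_node INSTANCE JVMROUTE AJP_PORT: a minimal jbossweb.sar/server.xml for one instance
write_node() {
    mkdir -p "$WORK/server/$1/deploy/jbossweb.sar"
    cat > "$WORK/server/$1/deploy/jbossweb.sar/server.xml" <<EOF
<Server>
  <Service name="jboss.web">
    <Connector protocol="HTTP/1.1" port="8080" address="\${jboss.bind.address}" />
    <!-- An AJP 1.3 Connector -->
    <Connector protocol="AJP/1.3" port="$3" address="\${jboss.bind.address}" redirectPort="8443" />
    <Engine name="jboss.web" defaultHost="localhost" jvmRoute="$2">
    </Engine>
  </Service>
</Server>
EOF
}
write_node jboss1 jboss1 8009   # ports-default: consistent with the worker
write_node jboss2 jboss2 8209   # planted: started with ports-02, worker expects 8109
write_node jboss3 node3  8309   # planted: mistyped jvmRoute, and ports-03 instead of ports-02

# check_workers WORKERS_FILE SERVER_DIR: one line per mismatch, nothing when consistent
check_workers() {
    wp=$1; sd=$2
    lb=$(sed -n 's/^worker\.\([^.]*\)\.type=lb$/\1/p' "$wp")
    members=$(sed -n "s/^worker\.$lb\.balance_workers=//p" "$wp" | tr ',' ' ')
    for w in $members; do
        port=$(sed -n "s/^worker\.$w\.port=//p" "$wp")
        xml="$sd/$w/deploy/jbossweb.sar/server.xml"
        if [ ! -f "$xml" ]; then
            echo "$w: no server.xml under $sd/$w"
            continue
        fi
        route=$(sed -n 's/.*<Engine .*jvmRoute="\([^"]*\)".*/\1/p' "$xml")
        ajp=$(sed -n 's/.*protocol="AJP\/1.3" port="\([0-9]*\)".*/\1/p' "$xml")
        [ "$route" = "$w" ] || echo "$w: jvmRoute is '$route', sticky sessions will not route back to this node"
        [ "$ajp" = "$port" ] || echo "$w: workers.properties expects AJP on $port but server.xml listens on $ajp"
    done
}

check_workers "$WORK/workers.properties" "$WORK/server"
```

Against a real deployment, point check_workers at the live workers.properties and the $JBOSS_HOME/server directory. A port mismatch shows up in Apache as the worker being marked in error state in /jkstatus; a jvmRoute mismatch is quieter, because requests still get served but every request with a session cookie is rebalanced instead of staying on its node.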

Central Syslog Server

It's easy to collect logs centrally. Decide which server will be the syslog server, then do this:

1. On the server edit /etc/sysconfig/syslog

Make the settings like:

SYSLOGD_OPTIONS="-m 0 -r"

-r makes syslogd accept messages from the network (UDP port 514) and -m 0 turns off the periodic "-- MARK --" lines. Restart it with service syslog restart.

2. On the client edit /etc/syslog.conf

Add this line:

*.*                                @syslog_server_ip_address

and restart syslog on the client as well.

That's all: your clients will send logs to the central location and, if the rest of the default configuration is left in place, they will also keep logging locally. Keep in mind that classic syslog over UDP is neither authenticated nor encrypted: anyone on the path can read the messages or inject forged ones with a spoofed source address, and syslogd -r accepts from any host. At minimum restrict UDP 514 on the server to the client addresses with iptables; for anything beyond a trusted LAN use rsyslog (the default on CentOS 6) over TCP with TLS.

Open Source Alternatives for Server Software

According to a recent study by Stanford University consulting professor Jonathan Koomey, there are approximately 31.6 million servers installed around the world, including about 11.5 million in the United States. If organizations had to use only proprietary software for all of those systems, the resulting costs would be astronomical.

Fortunately, the open source community has a huge selection of server software that can lower those costs significantly. For this list, we focused on some of the top open source tools that offer alternatives to proprietary server software. We’ve organized them into categories to make browsing the list easier.
As always, if you’d like to suggest additional open source server software that you think should have been included on the list, please feel free to add it in the comments section below.

Content Management Systems

1. Joomla Replaces OpenText,Sitecore CMS, Kentico
The “world’s most popular open source CMS,” Joomla runs 2.7 percent of the websites on the Internet, including sites for Harvard University, Citibank, IHOP and the Guggenheim Museum. It provides both a repository to manage your Web content and a platform to build your own Web applications. Operating System: OS Independent

2. Drupal Replaces OpenText,Sitecore CMS, Kentico
Well-known users of this very popular CMS include the White House, the Economist, Fast Company and the World Wildlife Fund. It’s highly flexible, robust and can be used for “everything from personal blogs to enterprise applications.” Operating System: OS Independent

3. XOOPS Replaces OpenText,Sitecore CMS, Kentico
This award-winning Web content management system offers ease of use and a modular design. It’s driven by a MySQL database and includes advanced user management features. Operating System: OS Independent

4. Alfresco Replaces SharePoint, Documentum, Open Text
Alfresco combines document management, Web content management, records management and collaboration into a single package. In addition to the free community version, it also comes in paid Enterprise and Cloud versions. Operating System: Windows, Linux

5. DotNetNuke Replaces OpenText,Sitecore CMS, Kentico
Used by 700,000 websites, DotNetNuke claims to be “the leading open source Web content management system for ASP.NET.” It comes in a free community edition and paid professional editions; in addition, more than 10,000 modules and skins are also available for purchase. Operating System: Windows

6. Get Simple Replaces OpenText,Sitecore CMS, Kentico
Downloaded more than 60,000 times, this CMS is growing in popularity, particularly among SMBs. As you might guess from the name, its claim to fame is its simplicity and intuitive interface. Operating System: Linux

7. Liferay Replaces SharePoint, WebSphere
Liferay includes content and document management, Web publishing, shared workspaces, collaboration, social networking and identity management capabilities. It advertises itself as simpler than WebSphere and more flexible than Sharepoint. It’s also available in a commercially supported enterprise edition. Operating System: OS Independent

8. Magnolia Replaces SharePoint, OpenText,Sitecore CMS, Kentico
Boasting Fortune 500 and government users in more than 100 countries, Magnolia was designed to make it easy for business users to enter and edit Web content. Commercially supported versions are available with prices that vary based on the SLA. Operating System: Windows, Linux

9. WebGUI Replaces OpenText,Sitecore CMS, Kentico
WebGUI calls itself an “all-in-one CMS,” and it offers both Web content management and a Web application development platform. In order to help users learn the software, the site offers a video tutorial and weekly training webinars. Operating System: Windows, Linux/Unix, OS X

10. Owl Intranet Knowledgebase Replaces: Interspire Knowledge Manager
Owl lets you create a knowledgebase or FAQ site. It’s available in both a regular version and an “ultralite” version that does not use a database. Operating System: Windows, Linux

Databases

11. MySQL Replaces Microsoft SQL Server
The “world’s most popular open source database,” Oracle-owned MySQL boasts high performance, high reliability and ease of use. In addition to the free community version, it’s available in paid standard, enterprise and cluster carrier grade versions. Operating System: Windows, Linux, OS X

12. PostgreSQL Replaces Microsoft SQL Server
PostgreSQL calls itself “the world’s most advanced open source database.” Key features include Multi-Version Concurrency Control (MVCC), point-in-time recovery, online/hot backups, asynchronous replication, nested transactions (savepoints) and write ahead logging for fault tolerance. Operating System: Windows, Linux, OS X

13. Firebird Replaces Microsoft SQL Server
Under development since 1981, Firebird is a mature RDBMS that boasts excellent concurrency, scalability and performance. Notable features include multi-generation architecture, high compatibility with ANSI SQL, logging and monitoring capabilities, online backup, full text search and more. Operating System: Windows, Linux, Unix, OS X, Solaris

E-Commerce

14. Magento Replaces Big Commerce, Volusion, Yahoo Merchant
Magento is the e-commerce platform of choice for more than 100,000 merchants, including Dockers, Ford, the North Face, Samsung, Oneida and others. In addition to the free community version, it also comes in paid professional and enterprise versions, and it’s also available as a turn-key hosted solution for small businesses. Operating System: Windows, Linux, OS X

15. PrestaShop Replaces Big Commerce, Volusion, Yahoo Merchant
Award-winning PrestaShop is used by more than 95,000 Internet sites around the world. Commercial support and training are available, but prices are given in Euros. Operating System: Windows, Linux, OS X

16. Zen Cart Replaces Big Commerce, Volusion, Yahoo Merchant
Designed in part by ecommerce shop owners, Zen Cart is very user friendly, and the Web site offers simple instructions that begin with the basics: “Get a server.” It includes features like multiple payment methods, multiple shipping options, a newsletter manager, coupons, quantity discounts and more. Operating System: OS Independent

Mail Server

17. Zimbra Replaces Microsoft Exchange
Now owned by VMware, Zimbra offers a flexible but simple mail server with a low total cost of ownership. In addition to the free community version, it’s also available in paid appliance and network editions, and a desktop e-mail client is available as well. Operating System: Linux, Unix, OS X

18. Citadel Replaces Microsoft Exchange
This turn-key mail server supports e-mail, group calendars, contacts, IM, a wiki and more, all accessible through a Web interface. It’s also available on a hosted basis. Operating System: Linux

19. Postfix Replaces Microsoft Exchange
Estimates suggest that around 20 percent of all mail servers use Postfix, making it the most popular currently. Postfix was originally created by IBM Research as a better alternative to Sendmail, and it has also been known as "IBM Secure Mailer" and "VMailer." Operating System: Linux, Unix, OS X, Solaris

20. Sendmail Replaces Microsoft Exchange
Although its popularity has declined in recent years, Sendmail still accounts for about 16 percent of the mail servers in use. Supported hard appliances and virtual appliances are also available under the brand name Sentrion. Operating System: Linux

21. Exim Replaces Microsoft Exchange
Developed at the University of Cambridge, Exim is a highly configurable mail transport agent. It can handle thousands of e-mails per hour, but if queues are exceptionally large, it does not perform as well as some of the other options on the list. Operating System: Linux, Unix

File Transfer

22. FileZilla Replaces CuteFTP, FTP Commander
FileZilla allows you to set up your own FTP server on a Windows machine. It supports FTP, FTPS and SFTP, and the same project also offers a cross-platform FTP client. Operating System: Windows

Operating System

23. Ubuntu Server Replaces Windows Server
Now one of the most popular flavors of Linux, Ubuntu has a reputation for being easy to use and manage. It comes with built-in KVM virtualization capabilities, and it works with Ubuntu Enterprise Cloud to allow you to create a private cloud.

24. Red Hat Enterprise Linux Server Replaces Windows Server
One of the most well-known enterprise distributions of Linux, Red Hat is known for its reliability, scalability and security. It includes integrated virtualization, the LAMP stack, the Eclipse IDE, and advanced management tools. Note that Red Hat requires a commercial support package.

25. SUSE Enterprise Linux Server Replaces Windows Server
Used by more than 13,000 businesses around the world, SUSE counts the London Stock Exchange, Office Depot, Sony and Walgreens among its high-profile users. In addition to the standard version, it also comes in System z, desktop, SAP, JeOS and other versions. As with Red Hat, SUSE requires commercial support; if you prefer an unsupported, free version, try openSUSE (below).

26. openSUSE Replaces Windows Server
For those who don’t want commercial support, the free openSUSE also comes in a server version. However, it does not have as many features and options as the commercial version.

27. Mandriva Enterprise Server Replaces Windows Server
Mandriva calls itself the “simple, high-performance, accessible Linux server.” It provides Web, messaging, files, printing, virtualization and directory services. Note that the enterprise server version of Mandriva requires a fee.

28. Illumos/OpenIndiana Replaces Oracle Solaris
When Oracle discontinued development of OpenSolaris, some of the developers who had been working on the project forked it to the Illumos project, where development and bug fixes continue. If you are looking for a free version of Solaris, this is the option for you. To download the software, visit the OpenIndiana project page.

Security

29. ASSP Replaces GFI Mail Essentials, Barracuda Spam and Virus Firewall, Abaca Email Protection Gateway
Short for “Anti-Spam SMTP Proxy,” ASSP stops spam at your mail server. Key features include easy browser-based setup, support for most mail servers, automatic whitelisting, virus scanning through ClamAV, Bayesian filters, community-based gray-listing and more. Operating System: OS Independent

30. Devil-Linux Replaces Barracuda NG Firewall, Check Point Appliances
This Linux distribution functions as both a network firewall and an application server. It also includes many open source network and server monitoring tools. Operating System: Linux

31. P3Scan Replaces GFI Mail Essentials, Barracuda Spam and Virus Firewall, Abaca Email Protection Gateway
This transparent proxy server works with Clam AV and other anti-virus software to scan incoming and outgoing e-mail for viruses, worms, trojans, spam and harmful attachments. Operating System: Linux

Small Business Server

32. Zentyal Replaces Windows Small Business Server
With Zentyal, you get a gateway, an infrastructure manager, a unified threat manager, an office server and/ or a unified communication server all in one package. Professional support, training and add-ons are also available on the site. Operating System: Linux

33. SME Server Replaces Windows Small Business Server
Based on the CentOS distribution of Linux, SME offers file and print sharing, mail server, network firewall, remote access, a Web application server and more. It boasts thousands of users, good security and user-friendly setup and operation. Operating System: Linux

Server Log File Monitoring and Analysis

34. AWStats Replaces Sawmill, TriGeo
AWStats uses the log files from your Web, streaming, FTP or mail server to create easy-to-read graphical reports. It runs from the command line or as a CGI. Operating System: Windows, Linux, OS X

35. Analog Replaces Sawmill, TriGeo
The self-proclaimed “most popular logfile analyzer in the world,” Analog quickly generates usage statistics for Web servers. It can be used in conjunction with Report Magic to create more attractive graphs. Note that this project has not been updated in a while, but it is still used to analyze traffic on many servers. Operating System: Windows, Linux, OS X

36. Webalizer Replaces Sawmill, TriGeo
Like AWStats and Analog, Webalizer analyzes the statistics from Web servers. By default, it creates yearly and monthly usage reports which can be viewed from any browser. Operating System: Windows, Linux, OS X

37. Snare Replaces LogLogic, SenSage Log Management
The Snare project encompasses a number of different tools and agents, all of which assist in the filtering, collection and monitoring of server log files. Commercial support and the proprietary Snare Server are also available on the same site. Operating System: Windows, Linux, OS X, others

Storage

38. FreeNAS Replaces Isilon products, IPDATA appliances, Netgear ReadyNAS
Based on BSD, this app allows you to create network attached storage for sharing files across Windows, OS X, Linux and Unix-like systems. Key features include a Web-based interface, the Zettabyte File System, snapshots, thin provisioning and more. Operating System: FreeBSD.

39. Gluster Replaces Isilon products, IPDATA appliances, Netgear ReadyNAS
Very recently acquired by Red Hat, Gluster offers open source file systems for public and private cloud-based storage. Used with commodity hardware, the Gluster file system can create network storage solutions that scale out to 72 brontobytes. (The number of bytes in a brontobyte is a one followed by 27 zeros.) Operating System: Linux

40. Openfiler Replaces IPDATA appliances, Netgear ReadyNAS
Downloaded more than 250,000 times, Openfiler offers both file-based Network Attached Storage and block-based Storage Area Networking. Key features include volume-based partitioning, iSCSI (target and initiator), scheduled snapshots, resource quota, and a unified interface for share management. Operating System: Linux

Virtualization

41. Xen Replaces VMware products, Microsoft Hyper-V
Used by many commercial cloud services, the Xen hypervisor is included in most Linux distributions and is also available as an appliance. Many commercial virtualization products, including the Citrix XenServer, are built on top of Xen. Operating System: Windows, Linux, Solaris, others

42. VirtualBox Replaces VMware products, Microsoft Hyper-V
VirtualBox offers virtualization for x86 and AMD64/Intel64 servers and desktops. Pre-built VirtualBox appliances are available for download from Oracle. Operating System: Windows, Linux, OS X, Solaris, others

43. OpenVZ Replaces VMware products, Microsoft Hyper-V
OpenVZ takes a different approach to virtualization: unlike VMware, VirtualBox and many other virtualization solutions which use VMs, OpenVZ offers container-based virtualization through VEs or VPSs. Commercial products based on OpenVZ are sold as Parallels Virtuozzo Containers. Operating System: Linux

44. KVM Replaces VMware products, Microsoft Hyper-V
Short for “Kernel-based Virtual Machine,” KVM allows users to run multiple Linux or Windows virtual machines on a single server. Like Xen, it’s included in many Linux distributions. Operating System: Windows, Linux

Web Servers

45. Apache HTTP Server Replaces Microsoft IIS, Oracle iPlanet Web Server
Used by 63 percent of all websites, Apache has been the most popular Web server for more than a decade. It prides itself on being secure, efficient and extensible. Operating System: Windows, Linux, OS X

46. Nginx Replaces Microsoft IIS, Oracle iPlanet Web Server
Nginx (pronounced “engine X”) is both an HTTP and a mail proxy server. Currently powering about 8 percent of all websites, it’s the third most popular Web server. Operating System: Windows, Linux, OS X

47. Apache Tomcat Replaces Microsoft IIS, Oracle iPlanet Web Server
Often used alongside the Apache HTTP server, Tomcat offers a “pure Java” HTTP web server for running Java code. Well-known websites that use Tomcat include Walmart, E*Trade, The Weather Channel and many others. Operating System: Windows, Linux, OS X

48. XAMPP Replaces Microsoft IIS, Oracle iPlanet Web Server
Most of the time when you want to install the Apache Web server, you’ll also need other tools, like MySQL, PHP and Perl. This group of downloads bundles together all of those tools, along with a variety of other open source software that’s helpful for running a Web server, in an easy-to-deploy package customized for each of the major operating systems. Operating System: Windows, Linux, OS X, Solaris

49. WampServer Replaces Microsoft IIS, Oracle iPlanet Web Server
This is another project that bundles together Apache, MySQL and PHP into an easy-to-install package. However, this one only supports Windows. Operating System: Windows

50. AppServ Replaces Microsoft IIS, Oracle iPlanet Web Server
The goal of the AppServ project is simple: allow users to set up a Web server with Apache, MySQL and PHP in one minute or less. Note that this project originated in Thailand, so some of the English documentation reads a little strangely. Operating System: Windows, Linux

Wiki/Collaboration

51. DokuWiki Replaces: Confluence, SamePage
If you just need a simple wiki, DokuWiki is easy-to-use, standards compliant and doesn’t require a separate database. Commercial support is available through a variety of third-party companies. Operating System: OS Independent

52. MediaWiki Replaces: Confluence, SamePage
Best known as Wikipedia’s software, MediaWiki can handle extremely large projects with terabytes of data and thousands of hits per second. It’s extremely customizable and is fairly simple for end users to learn. Operating System: Windows, Linux/Unix, OS X

53. MindTouch Core Replaces: Sharepoint, IBM Lotus
Although it’s a little tough to find the open source version of MindTouch on the company’s website, the source code for the core wiki program is still available for a free download. According to the website, it’s been ranked the number one open source collaboration tool. The company offers several other products based on the open source engine. Operating System: Windows, Linux

54. TikiWiki Replaces: Confluence, SamePage
More than just a wiki, TikiWiki also offers support for forums, blogs, image galleries, map servers, RSS feeds, bug trackers and more. It has been downloaded more than 900,000 times and currently powers tens of thousands of websites. Operating System: OS Independent
