Serverdienste und Konfigurationen

  • amavis an postfix mit spamassassin, razor, pyzor, antivirus
  • postfixadmin mit mysql virtual host, postfix mit smtp-auth, dovecot
  • bind9 - DNS-Server (ISC)
  • maradns - DNS-Server (simple, security-aware)
  • apache2 - Web-Server mit php und mysql (LAMP)
  • modlogan - Webserver Loganalyzer
  • NTP - Zeitsynchronisation mit einer dcf-77 Funkuhr
  • unrealircd - IRC-Server
  • subversion - Versionskontrolle (svn)
  • lighttpd - schlanker Webserver mit php
  • exim - und dovecot mit gemeinsamer Passwortdatei

Die hier aufgeführten Beschreibungen beziehen sich auf Debian, sollten sich aber auch relativ leicht auf andere Distributionen anwenden lassen. Angaben zu einem lokalen LAN beziehen sich auf 192.168.57.0.


procmail

# $HOME/.procmailrc
SHELL=/bin/sh
PATH=/bin:/usr/bin
MAILDIR=$HOME/Maildir/
LOGFILE=/var/log/procmail.log
LOGABSTRACT="all"
VERBOSE="off"

# SYSTEM
:0
* ^From:.*hostname.my.dyndns.domain|^From:.*@localhost
.system/

# debian-security
:0
* ^List-Id: <debian-security-announce.lists.debian.org>
.debian_security/

# SPAM
:0
* ^X-Spam-Status: Yes
.SPAM/

# ....

# REST: was bis hier nicht gefiltert wurde landet in der inbox
:0
*
$HOME/Maildir/

 

fetchmail

# /etc/fetchmailrc
# Dienst prüft alle 900 Sekunden nach Mail
set daemon 900
# user/password - Nutzername/Passwort auf dem MailServer
# linuxuser - durch lokalen Nutzernamen ersetzen
# keep - Mails auf dem Server lassen (optional)
# ssl - ssl für die Kommunikation verwenden (optional)
poll pop3.mailserver.linux protocol POP3 user "benutzername" password "geheim" is linuxuser keep ssl
# Server Zertifikate überprüfen - falls ssl genutzt wird
sslcertck
sslcertpath /etc/ssl/certs

 

samba

# /etc/samba/smb.conf
[global]
   panic action = /usr/share/samba/panic-action %d
   workgroup = myworkgroup
   server string = be nice

   load printers = no # dafür gibt es cups ;)
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   large readwrite = yes
   unix extensions = no
   follow symlinks = yes
   wide links = yes

   # charset
   unix charset = ISO8859-15
   dos charset = CP850
   display charset = ISO8859-15

   # log
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0

   # security/user
   security = user
   guest account = nobody
   map to guest = Bad User
   invalid users = root
   encrypt passwords = true
   passdb backend = tdbsam guest

   # interfaces/listen
   interfaces = 192.168.57.2
   bind interfaces only = yes
   hosts allow = 192.168.57.0/255.255.255.0
   hosts deny = 0.0.0.0/0

   # browsing - Konfiguration als wins und so, dass möglichst immer master browser
   local master = yes
   os level = 254
   domain master = yes
   preferred master = yes
   wins support = yes
   wins proxy = yes
   dns proxy = yes
   name resolve order = wins bcast host

   message command = /bin/mail -s 'message from %f on %m' frank < %s; rm %s
   obey pam restrictions = yes
   time server = yes

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0640
   directory mask = 0750

[files]
        path = /home/share/files
        comment = verschiedenes
        browseable = yes
        read only = yes
        public = yes
        write list = @users
        create mask = 0644
        max connections = 10

 

nfs-server

# /etc/exports
/home/share/upload 192.168.57.0/255.255.255.0(rw,async,all_squash) \
 192.168.57.111(rw,async,anonuid=1000,anongid=1000)
/home/share/download 192.168.57.0/255.255.255.0(ro,sync,all_squash)

 

cups

Erlaubt allen Clients im lokalen Netz das drucken.
# /etc/cups/cupsd.conf
AccessLog /var/log/cups/access.log
DefaultCharset notused
DefaultLanguage de
ErrorLog /var/log/cups/error.log
LogLevel info
Printcap /var/run/cups/printcap
#ServerCertificate /etc/ssl/CAcert/server.crt
#ServerKey /etc/ssl/CAcert/server.key
Listen 192.168.57.2:631
Listen 127.0.0.1:631
Browsing Off

<Location />
   Order Deny,Allow
   Deny From All
   Allow From 127.0.0.1
   Allow From 192.168.57.0/24
</Location>

<Location /jobs>
   Allow From 192.168.57.111
</Location>

<Location /admin>
   AuthType Basic
   AuthClass System
</Location>

 

squid mit bannerfilter

Um bannerfilter oder einen anderen Redirector mit squid zu nutzen bedarf es folgender Anpassung von /etc/squid/squid.conf.
redirect_program /usr/local/bannerfilter/redirector.pl
Details zur Konfiguration gibts es auf http://phroggy.com/bannerfilter/
/etc/squid/squid.conf
http_port 192.168.57.3:3128
icp_port 0
htcp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl localnet dst 192.168.57.0/24
no_cache deny QUERY
no_cache deny localnet
no_cache deny uninet
cache_mem 32 MB
maximum_object_size 32768 KB
cache_dir ufs /var/spool/squid 1000 16 256
ftp_user anonymous@guest
ftp_passive on
hosts_file /etc/hosts
redirect_program /usr/local/bannerfilter/redirector.pl
redirect_children 6
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
acl client1 src 192.168.57.111
acl client2 src 192.168.57.112
http_access allow client1
http_access allow client2
http_access deny all
http_reply_access allow all
icp_access deny all
miss_access allow client1
miss_access allow client2
miss_access deny all
cache_mgr proxy@domain.tld
forwarded_for off
cachemgr_passwd disable all
coredump_dir /var/spool/squid

 

dircproxy

# dircproxyrc
# beispielconfig für freenode und #lugum
connection {
   password "-dircproxy-crpyted-password-"
   server "kornbluth.freenode.net"
   server "irc.freenode.net"
   server_port 6667
   join "#lugum"
   #from "192.168.57.0/24"
   away_message "nicht da, keine zeit, zu genervt ..."
   chan_log_recall 256
   chan_log_timestamp yes
   server_throttle 1024:10
   server_autoconnect yes
   initial_modes "eiw"
   drop_modes "oOws"
   quit_message "over and out"
   ctcp_replies no
}

 

slapd

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
# /etc/ldap/slapd.conf

#######################################################################
# Global Directives:

# Features to permit
# Allow LDAPv2 binds
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema

# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
loglevel        0

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

#password-hash {MD5}
#password-hash {CLEARTEXT}

sasl-host my.dyndns.domain
sasl-realm hostname.my.dyndns.domain

sasl-regexp uid=(.*),cn=hostname.my.dyndns.domain,cn=DIGEST-MD5,cn=auth uid=$1,ou=staff,o=people

#disallow bind_anon

# TLS
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/ssl/CAcert/server.crt
TLSCertificateKeyFile /etc/ssl/CAcert/server.key
TLSCACertificateFile /etc/ssl/CAcert/CAcert.crt
TLSVerifyClient try

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "o=people"

# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index           objectClass eq
# indexed attribute definitions
#index cn,sn,uid pres,eq,sub
index   cn,sn,mail      pres,eq,approx,sub

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

#rootdn "uid=admin,cn=hostname.my.dyndns.domain,cn=digest-md5,cn=auth"
#rootpw {SSHA}ssha-crypted-pw

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword
        by dn="cn=admin,o=people" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base=""
        by * read

# additional access rules
access to dn.subtree="ou=friends,o=people"
       by dn="cn=*,ou=staff,o=people" write
       by self write
       by * read

access to dn.subtree="ou=others,o=people"
       by dn="uid=sasluser,ou=staff,o=people" write
       by * auth

access to dn.subtree="ou=staff,o=people"
       by dn="cn=*,ou=staff,o=people" read
       by self write
       by * auth

# admin has full access, sasluser can read
# everyone else do not have access
access to *
       by dn="cn=admin,o=people"  write
       by dn="uid=sasluser,ou=staff,o=people" read
       by self write
       by * auth

 

apcupsd

# /etc/apcupsd/apcupsd.conf
UPSNAME Back-UPS_RS_500
UPSCABLE usb
UPSTYPE usb
DEVICE /dev/usb/hiddev[0-15]
LOCKFILE /var/lock
ONBATTERYDELAY 6
BATTERYLEVEL 5
MINUTES 3
TIMEOUT 0
ANNOY 300
ANNOYDELAY 60
NOLOGON disable
KILLDELAY 0
NETSERVER on
NISIP 127.0.0.1
NISPORT 3551
EVENTSFILE /var/log/apcupsd.events
EVENTSFILEMAX 10
UPSCLASS standalone
UPSMODE disable
STATTIME 0
STATFILE /var/log/apcupsd.status
LOGSTATS off
DATATIME 0

 

analog

Damit die folgende Konfig Sinn macht, muss natürlich auch der apache ein combined-log schreiben. Diese Kombination läuft einmal die Woche, vor logrotate.
# /etc/analog.cfg
LOGFORMAT COMBINED
LOGFILE /var/log/apache2/access.log
HOSTNAME "my.dyndns.domain"
HOSTURL http://my.dyndns.domain/
OUTFILE /home/www/user/analog/webstat_%Y%M%D.html
IMAGEDIR /analog/
PNGIMAGES OFF
CHARTDIR /user/analog/images/%Y%M%D_
LOCALCHARTDIR /home/www/user/analog/images/%Y%M%D_
STYLESHEET /includes/css/analog.css
DIRSUFFIX index.html
UNCOMPRESS *.gz "gzip -cd"
CACHEFILE /var/cache/analog/stats_*
CACHEOUTFILE /var/cache/analog/stats_%Y%M%D
#....

 

fwlogwatch

resolve_hosts = no
resolve_services = no
# bei Verwendung von ulogd
input = /var/log/ulog/syslogemu.log
# n = netfilter, iptables
parser = n
pidfile = /var/run/fwlogwatch.pid

 

smartd

Der Parameter "-I 194" lässt smartd die Temperatur ignorieren.
# /etc/smartd.conf
/dev/hda -a -I 194
/dev/hdc -a -I 194
/dev/hde -a -I 194

 

hdparm

Bevor man Werte mit hdparm setzt sollte man überprüfen, was die Festplatte unterstützt.
$ hdparm -I /dev/hda
Anschliessend könnte eine Konfiguration folgendermassen aussehen:
# /etc/hdparm.conf
command_line {
        hdparm -q -m16 -q -F -q -W1 -q -c1 -q -d1 /dev/hda
        hdparm -q -m16 -q -F -q -W1 -q -c1 -q -d1 /dev/hdc
        hdparm -q -m16 -q -F -q -W1 -q -c1 -q -d1 /dev/hde
}

 

Alternativen:

  • dns: bind, maradns, pdns-backend-mysql, mydns-mysql, djbdns-installer, totd, posadis, nsd
  • mta: postfix, qmail, exim, sendmail
  • ftp: vsftpd, proftpd, wu-ftpd, pure-ftpd, oftpd
  • sys log-analyzer: logcheck, logwatch, logtool, syslog-summary
  • firewall log-analyzer: fwlogwatch, wflogs, adcfw-log, fwanalog
  • web log-analyzer: analog, awstats, webalizer, modlogan, visitors, wwwstat, awffull
  • mta log-analyzer: anteater, isoqlog, pflogsumm
  • squid log-analyzer: sarg, srg, calamaris, squidview, squidtaild
  • log-analyzer: lire, swatch
  • ids: snort, prelude, hardened-nids
  • integrity: tripwire, samhain, aide, osiris, fcheck, isic (ip stack)
  • security: checksecurity, bastille, chkrootkit, hardened-environment, tiger, mod-security-common
  • portscan: portsentry, psad, scanlogd
  • mail-scanner: amavisd-new, mailscanner
  • kostenlose virenscanner: f-prot, bit-defender, antivir, clamav
  • proxy filter/scanner: dansguardian, bannerfilter, adzapper, jesred, squidguard
  • mailing list: listserv, majordomo, mailman, smartlist, minimalist, ecartis, mlmmj, enemies-of-carlotta, sympa
  • groupware: egroupware, phpgroupware, opengroupware, weborganizer, moregroupware, phproject
  • system monitoring: munin, mrtg, cacti/collectd, ganglia, sysstat
  • server monitoring: nagios, mon, opennms, dmachinemon, monit, spong
© 2001 - 2024 Frank Remetter