Owl0vv1.io/documentation

Domain Name Server №207


Basic DNS Server Configuration №207.1

Implementations of DNS (Domain Name System) name server software

  • BIND (on Unix and Linux platforms most often referred to as named, the name daemon)
  • dnsmasq
  • djbdns
  • PowerDNS
  • Unbound (popular on the ‘BSDs’)

Comparison of DNS server software at en.wikipedia.org

Configuring a named server (BIND)

svc named (name daemon) is an Internet domain name server and the de facto standard on Unix-like operating systems.
Part of the BIND 9 distribution from ISC.
Online resource: man named(8) at man.NetBSD.org


file /etc/named.conf is the main configuration file for named (/etc/bind/named.conf on Debian).
Online resource: man named.conf(5) at man.NetBSD.org

Example configuration of a primary (master) named:

# file:  named.conf
# brief: main configuration file for named(8)
# -------------------------------------------
# an acl must be defined before it is referenced
acl CALLER {
    10.0.8.0/24;
    localhost;
};

options {
    listen-on port 53 {
        127.0.0.1;
        10.0.8.216;
    };

    listen-on-v6 port 53 { none; };
    forwarders {                      # upstream resolvers asked
        9.9.9.9;                      # for names this server
        1.1.1.1;                      # is not authoritative for
        10.0.1.253;
    };

    forward first;                    # ask the forwarders first, resolve itself if they fail
    recursion yes;                    # generally allow recursion ...
    allow-recursion { 10.0.8.0/24; }; # ... but only for the local net (exam topic)
    allow-query { CALLER; };          # who may query at all (acl defined above)
    #minimal-responses yes;           # reduced answers
    directory "/var/cache/bind";      # zone file root dir (Debian)
    also-notify { 10.0.8.121; };      # secondary (slave) servers to notify
    dnssec-enable yes;                # deprecated in recent BIND 9 releases (DNSSEC is always on)
    dnssec-validation yes;
};

logging {
    channel QUERY1 {
        file "/var/log/bind/queries1.log";
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    category queries { QUERY1; };
};

zone "example.com" IN /* default */ { # forward lookup zone
    type master;
    file "example.com.zone.signed";   # DNSSEC-signed zone file
    allow-transfer { key example.tsig.key; }; # zone transfers only with this TSIG key
    notify yes;                       # notify secondary (slave) nameservers
};

zone "0.168.192.in-addr.arpa" IN {    # reverse lookup zone
    type master;
    file "0.168.192.in-addr.arpa.zone";
    allow-transfer { key example.tsig.key; };
};

include "/etc/bind/example.tsig.key"; # defines key example.tsig.key { ... }

# EOF /etc/bind/named.conf ---------------------------------------
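Added example (not from these notes and not BIND code): a small Python model of how named evaluates the address match lists above, used to check whether allow-query and allow-recursion leave the server usable as an open resolver. The acl contents are copied from the configuration; what the built-in localhost covers is an assumption.

```python
import ipaddress

# Constructed copies of the acl and option lists from the named.conf above.
# The evaluation is this example's own model of a BIND address match list:
# elements are tried in order, the first match decides, "!" negates, and a
# list without any match denies.
ACLS = {
    "CALLER": ["10.0.8.0/24", "localhost"],
}
# Assumption: the addresses the built-in acl "localhost" covers on this host.
LOCALHOST_NETS = ["127.0.0.0/8", "::1/128"]


def _element_matches(name, client, acls):
    """Does one non-negated element (address, prefix, acl name, built-in) match?"""
    if name == "any":
        return True
    if name == "none":
        return False
    if name == "localhost":
        return any(client in ipaddress.ip_network(n) for n in LOCALHOST_NETS)
    if name in acls:                       # nested acl name
        return address_match(acls[name], client, acls)
    return client in ipaddress.ip_network(name, strict=False)


def address_match(elements, client, acls=ACLS):
    """Evaluate an address match list such as { !10.0.8.216; CALLER; }."""
    client = ipaddress.ip_address(client)
    for element in elements:
        negated = element.startswith("!")
        if _element_matches(element.lstrip("!"), client, acls):
            return not negated
    return False


# The relevant options of the configuration above (constructed copy).
OPTIONS = {
    "recursion": True,
    "allow-recursion": ["10.0.8.0/24"],
    "allow-query": ["CALLER"],
}


def is_open_resolver(options, probe_client="203.0.113.5", acls=ACLS):
    """True if an outside client (a TEST-NET-3 address by default) would get
    recursive answers, i. e. the server could be abused as an open resolver."""
    if not options["recursion"]:
        return False
    return (address_match(options["allow-query"], probe_client, acls)
            and address_match(options["allow-recursion"], probe_client, acls))
```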

Example configuration of a secondary zone in a named.conf of a slave server:

# file:  named.conf
# brief: bind configuration file (slave side)
# -------------------------------------------
options {
    listen-on port 53 {
        127.0.0.1;
        10.0.8.121;
    };
    directory "/var/named";
    allow-query { any; };
};

zone "example.com" IN {
    type slave;
    masters { 10.0.8.216; };
    file "example.com.zone";
    allow-query { any; };
};

zone "0.168.192.in-addr.arpa" IN {
    type slave;
    masters { 10.0.8.216; };
    file "0.168.192.in-addr.arpa.zone";
    allow-query { any; };
};
 
server 10.0.8.216 {
    keys { example.tsig.key; };
};

include "/etc/named/example.tsig.key";

# EOF /etc/named.conf -----------------------

cmd /usr/sbin/rndc remotely controls name servers
Important subcommands:
  • reload reloads configuration and zone files
  • status queries status
  • flush flushes the cache
  • freeze suspends dynamic updates to a zone so that its zone file can be edited manually
  • thaw re-enables updates and reloads the edited zone file
Online resource: man rndc(8) at man.NetBSD.org


cmd kill terminates or signals processes


cmd host is a DNS lookup utility


cmd dig is another DNS lookup utility

Create and Maintain DNS Zones №207.2

dir /var/named/ normally holds the zone files of a DNS server (/var/cache/bind/ on Debian and derivatives)

Zone File Syntax

Example zone file with full syntax:

; file:            example.com.zone
; brief:           DNS zone file (extensive syntax)
; ------------------------------------------------------------------------------
; owner            ttl  class type    rdata
; SOA rdata: primary ns, responsible mailbox (dot instead of @), serial, refresh, retry, expire, negative ttl
example.com.       2D   IN    SOA     sub.example.com. hostmaster.example.com. 201810101 2D 2H 1W 2H
example.com.       2D   IN    NS      sub.example.com.      ; own ns instance (1st NS same as SOA primary)
example.com.       2D   IN    MX      10 smtp1.example.com. ; mail exchange, lowest preference value is tried first
example.com.       2D   IN    MX      20 smtp2.example.com. ; mail exchange, fallback (higher value = lower priority)

sub.example.com.   2D   IN    A       192.168.0.100
smtp1.example.com. 2D   IN    A       192.168.0.101
smtp2.example.com. 2D   IN    A       192.168.0.102
test1.example.com. 2D   IN    A       192.168.0.1
test2.example.com. 2D   IN    A       192.168.0.2
test2.example.com. 2D   IN    AAAA    2001:db8::1
www.example.com.   2D   IN    CNAME   sub.example.com.
ftp.example.com.   2D   IN    CNAME   sub.example.com.
; EOF /var/cache/bind/example.com.zone ---------------

Example zone file with shortened syntax:

; file:         example.com.zone
; brief:        DNS zone file (shortened syntax)
; ----------------------------------------------
$TTL 2D
@     IN SOA   sub hostmaster (
               2020110302    ; serial
               2D            ; refresh
               2H            ; retry
               1W            ; expiration
               2H            ; negative TTL
               )
         NS    sub           ; own ns instance
         MX    10 smtp1         ; mail exchange (target needs an address record below)
         MX    20 smtp2         ; fallback mail exchange
sub      A     192.168.0.100
smtp1    A     192.168.0.101
smtp2    A     192.168.0.102
test1    A     192.168.0.1
test2    A     192.168.0.2
test2    AAAA  2001:db8::1
www      CNAME sub
ftp      CNAME sub

additional $ORIGIN sections and an $INCLUDE of a DNSSEC public key (DNSKEY) file named in the dnssec-keygen style:

$ORIGIN berlin.example.com.
droban   A     10.0.8.205
dit      A     10.0.8.214
dmattmac A     10.0.8.215
deblex   A     10.0.8.216
dwerner  A     10.0.8.217
werner   CNAME dwerner
trainer  CNAME dwerner
netbsd   A     10.0.8.235
droland  A     10.0.8.243

$ORIGIN hamburg.example.com.
dmara    A     10.0.8.220

$INCLUDE "example.com.+003+53497.key"

; EOF /var/cache/bind/example.com.zone ---------

Example zone file for reverse lookup:

; file:  0.168.192.in-addr.arpa.zone
; brief: DNS zone file
; -----------------------------------------------------------
$TTL 2D
@   IN SOA sub.example.com. hostmaster.example.com. 2018010101 1H 1W 1H 1H
       NS  sub.example.com.
1      PTR test1.example.com.
2      PTR test2.example.com.
100    PTR sub.example.com.
101    PTR smtp1.example.com.
102    PTR smtp2.example.com.

; EOF /var/cache/bind/0.168.192.in-addr.arpa.zone -----------
  • only three possible resource record types: SOA, NS and PTR


Resource Record Format

ASCII: <name> [<ttl>] [<class>] <type> [<rdlength>] <rdata>

  • <name> is the domain name of the object the record describes
  • <ttl> is the time to live in seconds (optional)
  • <class> marks the protocol group (optional, normally IN)
  • <type> describes the resource record type
  • <rdlength> is the length of the data describing the resource record (optional)
  • <rdata> is the (resource) data describing the resource record
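Added example (not part of the original notes) that parses the shortened zone syntax shown above into fully qualified records according to the resource record format just described, and reports in-zone MX/NS/CNAME targets that have no address record, the warning named-checkzone gives for such targets. The sample zone is a constructed excerpt of the zone above.

```python
import re

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^(\d+)([smhdw]?)$", re.IGNORECASE)
CLASSES = {"IN", "CH", "HS"}
# rdata fields that are domain names and therefore subject to $ORIGIN expansion
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}

# Constructed sample in the shortened syntax (relative names, blank owners, multi-line SOA)
SAMPLE_ZONE = """\
$TTL 2D
@     IN SOA   sub hostmaster (
               2020110302 2D 2H 1W 2H )   ; serial refresh retry expire negative-ttl
         NS    sub           ; own ns instance
         MX    10 smtp1      ; mail exchange
sub      A     192.168.0.100
smtp1    A     192.168.0.101
www      CNAME sub
$ORIGIN berlin.example.com.
dwerner  A     10.0.8.217
werner   CNAME dwerner
"""


def parse_ttl(token):
    """'2D' -> 172800 seconds; None if the token is not a TTL."""
    m = TTL_RE.match(token)
    return int(m.group(1)) * UNITS[m.group(2).lower()] if m else None


def qualify(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Strip ';' comments, join '(' ... ')' continuations, yield (indented, tokens)."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        indented = indented if buf else raw[:1] in " \t"   # blank owner: reuse last owner
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            tokens = " ".join(buf).split()
            buf, depth = [], 0
            if tokens:
                yield indented, tokens


def parse_zone(text, origin):
    """Return the records of a master file as dicts with fully qualified names."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, owner, records = None, None, []
    for indented, tokens in _logical_lines(text):
        directive = tokens[0].upper()
        if directive in ("$TTL", "$ORIGIN", "$INCLUDE"):   # $INCLUDE files are not read here
            if directive == "$TTL":
                default_ttl = parse_ttl(tokens[1])
            if directive == "$ORIGIN":
                origin = qualify(tokens[1], origin)
            continue
        if not indented:
            owner = qualify(tokens.pop(0), origin)
        ttl, rclass = default_ttl, "IN"      # optional TTL and class, in any order
        while tokens and (tokens[0].upper() in CLASSES or parse_ttl(tokens[0]) is not None):
            token = tokens.pop(0)
            if token.upper() in CLASSES:
                rclass = token.upper()
            else:
                ttl = parse_ttl(token)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, []):
            rdata[i] = qualify(rdata[i], origin)
        records.append({"owner": owner, "ttl": ttl, "class": rclass,
                        "type": rtype, "rdata": " ".join(rdata)})
    return records


def dangling_targets(records):
    """In-zone NS/MX/CNAME targets without an A/AAAA record ('has no address records')."""
    apex = next(r["owner"] for r in records if r["type"] == "SOA")
    addressed = {r["owner"] for r in records if r["type"] in ("A", "AAAA")}
    targets = {r["rdata"].split()[NAME_FIELDS[r["type"]][0]]
               for r in records if r["type"] in ("NS", "MX", "CNAME")}
    return sorted(t for t in targets - addressed if t == apex or t.endswith("." + apex))
```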

cmd named-checkconf is the named configuration file syntax checking tool
Online resource: man named-checkconf(8) at man.NetBSD.org


cmd named-checkzone checks zone files for validity or converts them
named-compilezone is similar, but dumps the zone content to a specified file.
Online resource: man named-checkzone(8) at man.NetBSD.org

Masterfile Format

From BIND 9.9 on, zone files can be converted between the text (ASCII) and raw formats with named-compilezone.

Example for converting from RAW to text:

$ named-compilezone -f raw -F text -o expl.net.txt expl.net expl.net.raw
  • -f is input format
  • -F is output format
  • -o is output file
  • expl.net is the zone name

cmd dig is a DNS lookup utility


cmd nslookup queries Internet name servers interactively
Online resource: man nslookup(8) at man.NetBSD.org


cmd host is another DNS lookup utility

HTTP Services №208


Common web servers

Basic Apache Configuration №208.1

file /etc/httpd/httpd.conf is the (default) main configuration file
Alternative paths for configuration files:
  • /etc/apache2/apache2.conf (on Debian based distributions),
  • /etc/apache2/httpd.conf,
  • /etc/httpd/conf/httpd.conf (on Red Hat based distributions).
Must contain valid directives.
The server must be restarted after every change for it to take effect.
Most often the configuration file is split into single files below the main configuration directories.

Configuration on Debian:

Installed Apache modules can be found below subdir ./mods-available/.

Single configurations can be found below respective subdirs.

A *.conf file below subdir [conf|mods|sites]-available/ needs to be activated by creating an associated link below subdir [conf|mods|sites]-enabled/ either manually or via following commands:

  • cmd a2en[conf|mod|site] FILE... to ‘enable’ (i. e. set the respective link for) the given FILEs containing the directive definitions (e. g. a2enmod mpm_prefork)
  • cmd a2dis[conf|mod|site] FILE... to ‘disable’ the given FILEs

Examples for valid entries containing Directive definitions:

E. g. module mpm_prefork (on Debian found in file ./mods-available/mpm_prefork.conf):

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxRequestWorkers: maximum number of server processes allowed to start
# MaxConnectionsPerChild: maximum number of connections a server process serves before it is recycled (0 = unlimited)
  
<IfModule mpm_prefork_module>
    StartServers             5
    MinSpareServers          5
    MaxSpareServers         10
    MaxRequestWorkers      150
    MaxConnectionsPerChild   0
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

E. g. a Directive to define a main server name either in file apache2.conf or in a file (e. g.) servername.conf (most likely) below subdir ./conf-available/:

ServerName 127.0.0.1

E. g. two directives nested in a Directory block for dir example/: Options Indexes (automatic listing of a directory that has no index file like index.html) and Require all granted (access for everyone):

<Directory "/var/www/example">
    Options indexes
    Require all granted
</Directory>

E. g. setting an alias for a subdir example/:

Alias /alias/ /var/www/example/

E. g. a (main) Directive to listen at port 8030:

Listen 8030

E. g. enabling a virtual host ‘ip10’ (its directory name defined in a main Directive) to get addressed via a different IP:

# example IP 10.10.8.216
<VirtualHost 10.10.8.216:*>
    DocumentRoot /var/www/vhost_ip10/
</VirtualHost>

E. g. enabling a virtual host ‘port8030’ (main Directive) to get addressed via port 8030, defining a root dir, a redirect and log files in nested ‘Directives’:

<VirtualHost *:8030>
    DocumentRoot /var/www/vhost_port8030
    Redirect     permanent /subdir http://target.url
      
    # log files and log levels
    LogLevel     info
    ErrorLog     ${APACHE_LOG_DIR}/vhost_port8030_error.log
    CustomLog    ${APACHE_LOG_DIR}/vhost_port8030_custom.log combined
</VirtualHost>
  • possible log directives: CustomLog, TransferLog, ErrorLog
  • log formating directive: LogFormat

E. g. enabling a virtual host ‘example’ to get addressed via names:

<VirtualHost *:80>
    DocumentRoot /var/www/vhost_example
    # ServerName takes one name, ServerAlias a space separated list
    # (Apache does not allow a comment at the end of a directive line)
    ServerName   example.server
    ServerAlias  alias1.server
    ServerAlias  alias2
</VirtualHost>

E. g. granting access to the subdir secret/ of a virtual host ‘example’ inside its DocumentRoot only for users listed in file .htpasswd inside the same directory and only when accessing from a certain subnet (filename .htpasswd is free of choice and gets generated via command htpasswd):

<Directory "/var/www/vhost_example/secret">
    AllowOverride none
    AuthName      "Please enter user name and password"
    # the password file must not be served: Apache's default config blocks
    # .ht* files, keeping it outside the DocumentRoot is safer still
    AuthUserFile  /var/www/vhost_example/secret/.htpasswd
    #AuthGroupFile
    AuthType      Basic
    <RequireAll>
        Require   valid-user
        Require   ip 10.0.8.0/24
    </RequireAll>
</Directory>

E. g. restricting access (and much more possible) to the same subdir secret/ by providing an appropriate file .htaccess in the same directory:

<Directory "/var/www/vhost_example/secret">
    AllowOverride AuthConfig
</Directory>

E. g. main Directive to let a vHost ‘example’ supply files via HTTPS:

<VirtualHost *:443>
    DocumentRoot            /var/www/vhost_example
    ServerName              example.server
     
    SSLEngine               on
    SSLCertificateFile      /etc/apache2/ssl/example_server_cert.pem
    SSLCertificateKeyFile   /etc/apache2/ssl/example_server_key.pem
    SSLCertificateChainFile /etc/apache2/ssl/demoCA/cacert.pem
</VirtualHost>
  • SSL certificates are provided below dir ssl/ and can be generated via the CA.pl interface

cmd htpasswd manages user files for basic authentication
Online resource: documentation at httpd.apache.org
Important options:
  • -c FILENAME USER creates a database FILENAME (or overwrites an existing FILENAME) with first user USER
  • -D FILENAME USER deletes a USER in FILENAME
  • -p saves password as plain text


file /<dir>/.htaccess restricts access to a directory to the users listed in a file .htpasswd (if AllowOverride permits it)

Example for an .htaccess file:

# file:      .htaccess
AuthName     "Please provide user and password"
AuthUserFile /var/www/vhost_example/secret/.htpasswd
AuthType     Basic
Require      valid-user
# EOF /var/www/vhost_example/secret/.htaccess
(directory name secret/ and filename .htpasswd are example names)

Modules to control access:

  • mod_auth_basic to authenticate via HTTP Basic authentication (credentials are sent unencrypted unless HTTPS is used),
  • mod_authz_host to authorize by hostname or IP,
  • and mod_access_compat is a predecessor of the former with fewer directives

Directives to specify authentication files: AuthUserFile, AuthGroupFile

cmd apachectl controls Apache HTTP servers
Or apache2ctl on most systems running Apache 2.
Important options:
  • -t checks the syntax of the whole configuration
  • -M prints module information
  • -S prints information about configured sites
Important subcommands:
  • graceful gracefully restarts the server
  • configtest (or option -t) checks the syntax of the whole configuration
Online resource: man apache2ctl(8) at unix.com

E. g. output for the aforementioned configuration:

# apachectl -S
VirtualHost configuration:
10.10.8.216:*          server.ip10 (/etc/apache2/sites-enabled/vhost_ip10.conf:1)
*:80                   is a NameVirtualHost
         default server 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost example.server (/etc/apache2/sites-enabled/vhost_example.conf:1)
                 alias alias1.server
                 alias alias2
*:443                  example.server (/etc/apache2/sites-enabled/vhost_example_ssl.conf:1)
*:8030                 127.0.0.1 (/etc/apache2/sites-enabled/vhost_port8030.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
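Added example (not from Apache or these notes) that parses the apachectl -S report above and answers which vhost serves a given Host header on a port, including the default vhost that catches unknown names; the report text is a constructed copy of the output shown.

```python
import re

# Constructed copy of the apachectl -S report shown above.
SAMPLE_REPORT = """\
VirtualHost configuration:
10.10.8.216:*          server.ip10 (/etc/apache2/sites-enabled/vhost_ip10.conf:1)
*:80                   is a NameVirtualHost
         default server 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost example.server (/etc/apache2/sites-enabled/vhost_example.conf:1)
                 alias alias1.server
                 alias alias2
*:443                  example.server (/etc/apache2/sites-enabled/vhost_example_ssl.conf:1)
*:8030                 127.0.0.1 (/etc/apache2/sites-enabled/vhost_port8030.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
"""

SINGLE_RE    = re.compile(r"^(\S+):(\S+)\s+(\S+)\s+\((\S+):(\d+)\)$")
NAMEBASED_RE = re.compile(r"^(\S+):(\S+)\s+is a NameVirtualHost$")
DEFAULT_RE   = re.compile(r"^\s+default server \S+ \((\S+):(\d+)\)$")
NAMEVHOST_RE = re.compile(r"^\s+port (\d+) namevhost (\S+) \((\S+):(\d+)\)$")
ALIAS_RE     = re.compile(r"^\s+alias (\S+)$")


def parse_vhosts(report):
    """Turn the 'VirtualHost configuration' section into a list of dicts."""
    vhosts, addr, default = [], None, None
    for line in report.splitlines():
        if m := SINGLE_RE.match(line):          # one vhost alone on its address:port
            vhosts.append({"addr": m[1], "port": m[2], "name": m[3], "aliases": [],
                           "file": m[4], "line": int(m[5]), "default": True})
        elif m := NAMEBASED_RE.match(line):     # several name-based vhosts follow
            addr, default = m[1], None
        elif m := DEFAULT_RE.match(line):       # the one answering unknown Host headers
            default = (m[1], int(m[2]))
        elif m := NAMEVHOST_RE.match(line):
            vhosts.append({"addr": addr, "port": m[1], "name": m[2], "aliases": [],
                           "file": m[3], "line": int(m[4]),
                           "default": (m[3], int(m[4])) == default})
        elif m := ALIAS_RE.match(line):
            vhosts[-1]["aliases"].append(m[1])
    return vhosts


def find_serving(vhosts, host, port, local_ip=None):
    """Which vhost answers a request with Host: `host` on `port`?

    Candidates are vhosts bound to the connection's local IP (or to *) and to
    the port (or to *); IP-specific bindings win over wildcards, then a name
    or alias match, otherwise the default (first defined) vhost of the binding.
    """
    cands = [v for v in vhosts
             if v["addr"] in ("*", local_ip) and v["port"] in ("*", str(port))]
    cands.sort(key=lambda v: v["addr"] == "*")          # specific IP first
    for v in cands:
        if host == v["name"] or host in v["aliases"]:
            return v
    return next((v for v in cands if v["default"]), None)
```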

Apache Configuration for HTTPS №208.2

/etc/ssl/, /etc/pki/

openssl

cmd /usr/local/bin/CA.pl is a frontend for openssl
Used to interactively generate certificates.
Example path (varies by distribution).

SSLEngine, SSLCertificateKeyFile, SSLCertificateFile

SSLCACertificateFile, SSLCACertificatePath

SSLProtocol, SSLCipherSuite, ServerTokens, ServerSignature, TraceEnable

Implementing a Proxy Server №208.3

file /etc/squid/squid.conf is the main configuration file

Example configuration:

# file:  squid.conf
# brief: configuration file for squid(8) HTTP proxy server
# --------------------------------------------------------
# standard port
http_port 3128
# caching in memory
cache_mem 512 MB

# caching on disk
# directive type dir              size-in-MB level-1-dirs level-2-dirs
cache_dir   ufs  /var/cache/squid 1024       16           256

# authentication
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm "Please authenticate"
auth_param basic credentialsttl 8 hours

# ACLs sources
acl localnet src 10.0.8.0/24
acl test     src 127.0.0.0/8

# ACLs destinations
acl heise.de dst 193.99.144.80/32
acl heise.de dst 193.99.144.85/32

# ACLs proxy_auth 
acl users proxy_auth REQUIRED

# ACLs with regex defined in file deny.list
acl deny.list url_regex "/etc/squid/deny.list"

# access rules
http_access deny  deny.list
http_access deny  heise.de
http_access allow users
http_access allow localnet
http_access allow test
# to catch every request not filtered above
http_access deny  all

# EOF /etc/squid/squid.conf ----------------------
  • acl (access control list) entries define certain request types
  • http_access entries allow or deny the defined ACLs, evaluated from the first to the last
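Added example (not squid's code) that replays the acl and http_access lines above in first-match order to show how rule order decides a request; the contents of deny.list are an assumption, since the notes do not show that file.

```python
import ipaddress
import re

# Constructed from the squid.conf above.  The contents of /etc/squid/deny.list
# are assumed; the evaluation logic is this example's own simplified model.
ACLS = {
    "localnet":  ("src", ["10.0.8.0/24"]),
    "test":      ("src", ["127.0.0.0/8"]),
    "heise.de":  ("dst", ["193.99.144.80/32", "193.99.144.85/32"]),
    "users":     ("proxy_auth", ["REQUIRED"]),
    "deny.list": ("url_regex", [r"\.exe$", r"casino"]),
}
HTTP_ACCESS = [            # the http_access lines, in file order
    ("deny", ["deny.list"]),
    ("deny", ["heise.de"]),
    ("allow", ["users"]),
    ("allow", ["localnet"]),
    ("allow", ["test"]),
    ("deny", ["all"]),
]


def acl_matches(name, request, acls):
    """Model of the four acl types used above; the built-in 'all' always matches."""
    if name == "all":
        return True
    kind, values = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(request["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "dst":
        return any(ipaddress.ip_address(request["dst"]) in ipaddress.ip_network(v) for v in values)
    if kind == "url_regex":
        return any(re.search(v, request["url"]) for v in values)
    if kind == "proxy_auth":
        # simplification: real squid challenges an unauthenticated client (407)
        # before deciding; here a request without a user simply does not match
        return request.get("user") is not None
    raise ValueError(f"unsupported acl type {kind}")


def http_access(request, rules=HTTP_ACCESS, acls=ACLS):
    """First-match evaluation of http_access lines.

    All acls on one line are ANDed (a '!' prefix negates one of them); the
    first line whose acls all match decides.  If no line matches, squid
    applies the opposite of the last line's action.
    """
    for action, names in rules:
        if all(acl_matches(n.lstrip("!"), request, acls) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"
```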

cmd squid controls the squid server
Important options:
  • -z creates missing cache dir structures
    (the directory names below $cache_dir are hexadecimal numbers)
  • -f specifies a configuration file other than the default /etc/squid/squid.conf
  • -N starts in non-daemon mode (foreground)
  • -k sends certain signals, e. g. check, interrupt, shutdown, parse (parse the config and check its syntax) or kill

Implementing nginx as a Web Server and a Reverse Proxy №208.4

dir /etc/nginx/ is the main directory for configuration files
Structure comparable to Apache.

Example configuration (possibly below subdirectory ./sites-available/), defining a vHost listening at port 9000 with a corresponding 404 page, regarding log files and some possible index file format names:

server {
    listen 9000;
    listen [::]:9000;
    
    root /var/www/vhost_port9000;
    server_name example.server example;
      
    error_page 404 /404.html;
    
    access_log /var/log/nginx/example.access.log;
    error_log  /var/log/nginx/example.error.log info;
    
    index index.html index.htm index.php;

    # denying access to all files starting with '.ht'
    location ~ /\.ht {
        deny all;
    }
}

E. g. configuration of a reverse proxy server balancing load between three backend servers:

upstream WEBSERVERS {
    server 10.0.8.216:8001;
    server 10.0.8.216:8002;
    server 10.0.8.216:8003;
}

server {
    listen 80;
    location / { proxy_pass http://WEBSERVERS; }
    access_log /var/log/nginx/reverse_proxy_access.log;
    error_log  /var/log/nginx/reverse_proxy_error.log;
}

cmd nginx controls the server
Important options:
  • -t checks (tests) syntax
  • -s reload|stop|reopen|quit gives control signal
  • -T tests and dumps configuration
Online resource: documentation at nginx.org

File Sharing №209


SAMBA Server Configuration №209.1

daemon smbd provides file and print services
Implements user authentication and authorization if used with stand-alone servers.


daemon nmbd provides NetBIOS name resolution
Can be used as a WINS server replacement.


daemon winbindd administrates user and group information of an Active Directory domain


dir /etc/samba/ holds all configuration of Samba and related services

Example configuration of smb.conf (basic):

# file:  smb.conf
# brief: configuration for Samba(8)
# ---------------------------------
; semicolon can be used to comment too
# Global parameters
[global]
    netbios name    = EXAMPLE.COM
    realm           = AD.EXAMPLE.COM
    server role     = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup       = OFFICE1

[netlogon]
    path            = /var/lib/samba/sysvol/ad.example.com/scripts
    read only       = No

[sysvol]
    path            = /var/lib/samba/sysvol
    read only       = No
    
# EOF /etc/samba/smb.conf -----------

Example configuration of smb.conf to act as a fileserver:

# file:  smb.conf.fileserver
# brief: configuration file for Samba(8)
#        acting as a fileserver
# --------------------------------------
[global]
    comment          = for all shares
    server role      = standalone server
    workgroup        = ADMINDOM_XP
    server string    = %h Samba xp
    netbios name     = samba_xp
    log file         = /var/log/samba/samba-%I.log
    log level        = 3
    security         = user
    #smb ports       = 445 ..
    #disable netbios = yes

[homes]
    comment          = sharing of home directories
    browseable       = yes
    read only        = no
    create mask      = 0700
    directory mask   = 0700
    # %S expands to the share name, which for [homes] is the user name
    valid users      = %S
    hide dot files   = yes
    hide files       = /Doc*/V*/Desktop\/build.st/
    veto files       = /Pi*/

# EOF /etc/samba/smb.conf ------------------------------

cmd nmblookup looks up NetBIOS names
Synopsis: nmblookup -A IP queries the node status of the given address; nmblookup WORKGROUP|NETBIOSNAME resolves a name to an IP


cmd testparm checks the configuration
Option -v shows all default variables.


cmd smbcontrol sends messages to smbd, nmbd or winbindd processes
Synopsis: smbcontrol [all|nmbd|smbd|winbindd] SUBCOMMAND


cmd smbpasswd changes user passwords


cmd smbstatus reports on current Samba connections


cmd samba-tool is a ‘new’ tool to control Samba servers.
Subcommand: domain provision


cmd net (Samba) is another tool of the Samba suite.
Administrates Samba and remote CIFS servers.
Subcommand: net ads join let the server join a domain.


cmd smbclient to access SMB/CIFS resources on servers
Options:
  • -L IP lists the shares available on the given server (IP)
  • -N logs in as nobody (anonymous)


cmd mount.cifs to mount CIFS shares
Option: -o username=USER,password=PASSWORD if authentication is needed.


dir /var/log/samba/ holds the Samba logs

NFS Server Configuration №209.2

file /etc/exports defines remote mountpoints for NFS mount requests
Online resources:


cmd exportfs (Linux specific) maintains the current table of exported NFS file systems
Online resource: man exportfs(8) at man7.org


cmd nfsd (BSD specific) serves NFS shares
Online resource: man nfsd(8) at man.NetBSD.org


cmd showmount shows mount information for an NFS server
Online resources:


cmd nfsstat displays NFS statistics
Online resources:


file /proc/mounts


file /etc/fstab


cmd rpcinfo reports RPC (Remote Procedure Call) information
Option -p lists used ports.
Online resources:


daemon mountd services remote NFS mount requests
Online resources:


daemon portmapper

Network Client Management №210

DHCP Configuration №210.1

file /etc/dhcpd.conf configures a DHCP daemon


Example configuration:

# file:            dhcpd.conf
# brief:           minimal DHCP server configuration
# --------------------------------------------------
default-lease-time 300;
max-lease-time     7200;

subnet         10.254.239.0 netmask 255.255.255.224 {
     range     10.254.239.10 10.254.239.20;
     # note: dhcpd(8) takes the interfaces to serve on its command line;
     # "interface" is a dhclient.conf statement, not a dhcpd.conf one
     #interface "enp0s3.1";

     # client side options - exam relevant
     option routers             10.254.239.1;
     option domain-name         "example.org";
     option domain-name-servers 10.1.0.2, 10.0.1.253;

     # security: only the hosts declared below get a lease
     deny unknown-clients; # exam topic
}

# definition of known clients, i. e. hosts
host myhost1 { hardware ethernet 08:00:27:bb:37:03; }
host myhost2 { hardware ethernet 08:00:27:bb:37:39; }

# fixed IP per client
host myhost3 { hardware ethernet 08:00:27:bb:37:09;
               fixed-address     10.254.239.9; # exam topic
}

# EOF /etc/dhcp/dhcpd.conf ------------------------------
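Added example (not from ISC dhcpd or these notes) that checks a dhcpd.conf like the one above for the inconsistencies a practitioner looks for before reloading: ranges and routers inside the subnet, fixed addresses outside dynamic ranges, and duplicate MAC addresses. It assumes a flat configuration without nested pool or group blocks; the embedded text is a constructed copy of the configuration above.

```python
import ipaddress
import re

# Constructed copy of the dhcpd.conf above (comments trimmed).
DHCPD_CONF = """\
default-lease-time 300;
max-lease-time     7200;
subnet 10.254.239.0 netmask 255.255.255.224 {
    range 10.254.239.10 10.254.239.20;
    option routers             10.254.239.1;
    option domain-name-servers 10.1.0.2, 10.0.1.253;
    deny unknown-clients;
}
host myhost1 { hardware ethernet 08:00:27:bb:37:03; }
host myhost2 { hardware ethernet 08:00:27:bb:37:39; }
host myhost3 { hardware ethernet 08:00:27:bb:37:09;
               fixed-address     10.254.239.9; }
"""

# assumption: no nested blocks, so a block ends at the first closing brace
SUBNET_RE = re.compile(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE  = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
ROUTER_RE = re.compile(r"\boption\s+routers\s+([^;]+);")
HOST_RE   = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE    = re.compile(r"\bhardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
FIXED_RE  = re.compile(r"\bfixed-address\s+([^;]+);")


def check_dhcpd_conf(text):
    """Return a list of problem descriptions; an empty list means all checks passed."""
    text = re.sub(r"#.*", "", text)                 # drop comments
    problems, subnets, ranges = [], [], []
    for net, mask, body in SUBNET_RE.findall(text):
        subnet = ipaddress.ip_network(f"{net}/{mask}")
        subnets.append(subnet)
        for lo, hi in RANGE_RE.findall(body):
            lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if lo > hi:
                problems.append(f"{subnet}: range start {lo} is above end {hi}")
            if lo not in subnet or hi not in subnet:
                problems.append(f"{subnet}: range {lo}-{hi} not inside subnet")
            ranges.append((lo, hi))
        for router in ROUTER_RE.findall(body):
            if ipaddress.ip_address(router.strip()) not in subnet:
                problems.append(f"{subnet}: router {router.strip()} not inside subnet")
    seen_macs = {}
    for name, body in HOST_RE.findall(text):
        macs = MAC_RE.findall(body)
        if len(macs) != 1 or len(macs[0].split(":")) != 6:
            problems.append(f"host {name}: missing or malformed hardware ethernet")
        else:
            mac = macs[0].lower()
            if mac in seen_macs:
                problems.append(f"host {name}: MAC {mac} already used by {seen_macs[mac]}")
            seen_macs[mac] = name
        for fixed in FIXED_RE.findall(body):
            addr = ipaddress.ip_address(fixed.strip())
            if not any(addr in s for s in subnets):
                problems.append(f"host {name}: fixed-address {addr} in no declared subnet")
            if any(lo <= addr <= hi for lo, hi in ranges):
                problems.append(f"host {name}: fixed-address {addr} collides with a dynamic range")
    return problems
```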


file /var/lib/dhcp/dhcpd.leases

DHCP Log messages in syslog or systemd journal

arp

dhcpd

  • a DHCP server behind a router needs a relay agent: dhcrelay -i DEV IP-DHCP-SERVER

radvd

radvd.conf

PAM Authentication №210.2

/etc/pam.d/

pam.conf

# file:    login
# brief:   PAM stack for login(1)

# module   control    module [path]    ...[args..]
# type     flag
#auth      required   pam_listfile.so  item=user sense=deny  file=/etc/pam.d/duser
#auth      sufficient pam_listfile.so  item=user sense=allow file=/etc/pam.d/auser
# requisite, not sufficient: with "sufficient" a successful pam_nologin (no
# /etc/nologin present) would end the auth stack before pam_unix checks the password
auth       requisite  pam_nologin.so
auth       required   pam_unix.so

account    required   pam_unix.so

session    required   pam_unix.so
session    required   pam_limits.so
session    optional   pam_motd.so

# EOF /etc/pam.d/login

pam_unix, pam_cracklib, pam_limits, pam_listfile, pam_sss
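Added example (not Linux-PAM code) that models the required/requisite/sufficient/optional control flags over an auth stack like the login file above and shows why pam_nologin must not be marked sufficient; the two stacks and the module results are constructed for the example.

```python
# Linux-PAM control flags, reduced to the four classic keywords.  This is the
# example's own simplification: the [value=action] syntax and PAM_IGNORE are
# not modelled.
#   required   failure is remembered, the stack still runs to its end, final result is failure
#   requisite  failure returns immediately
#   sufficient success returns success at once unless an earlier required module failed;
#              failure is ignored
#   optional   result only counts if it is the only module of the stack


def parse_pam_stack(text, module_type):
    """Extract the (control, module) pairs of one type ('auth', ...) from a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == module_type:
            stack.append((fields[1], fields[2]))
    return stack


def run_stack(stack, results):
    """results maps module name -> True (PAM_SUCCESS) or False (any failure)."""
    required_failed = False
    for control, module in stack:
        ok = results[module]
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not required_failed:
                return True          # remaining modules are never consulted
        elif control == "optional":
            if len(stack) == 1:
                return ok
        else:
            raise ValueError(f"unsupported control flag {control}")
    return not required_failed


# Constructed auth sections: the weak variant marks pam_nologin sufficient,
# the safe one requisite.
WEAK_LOGIN = """\
auth     sufficient pam_nologin.so
auth     required   pam_unix.so
"""
SAFE_LOGIN = """\
auth     requisite  pam_nologin.so
auth     required   pam_unix.so
"""

# pam_nologin succeeds when /etc/nologin does not exist; pam_unix fails on a wrong password
NO_NOLOGIN_WRONG_PW = {"pam_nologin.so": True, "pam_unix.so": False}
NOLOGIN_PRESENT_OK_PW = {"pam_nologin.so": False, "pam_unix.so": True}


def login_allowed(pam_file, module_results):
    return run_stack(parse_pam_stack(pam_file, "auth"), module_results)
```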

nsswitch.conf

sssd.conf

LDAP Client Usage №210.3

ldapsearch

  • ldapsearch -x -b "dc=local,dc=site" -LLL "uid=ckent" -D "cn=ldapadmin,dc=local,dc=site" [-w PASSWORD] [-H ldap://localhost]
  • ldapsearch -x -b "" -LLL -s base + | less (reads the rootDSE including its operational attributes)
  • ldapsearch -x -b "dc=local,dc=site" -LLL "(|(sn=kiu)(sn=ripley))" sn cn # filter in prefix (Polish) notation, returning only sn and cn
  • how can external data be included in a database
    • -tt notation
  • additional operational attributes with a subsequent +
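Added example (not OpenLDAP code) that parses a search filter in the prefix notation used above, such as (|(sn=kiu)(sn=ripley)), and evaluates it against constructed entries the way ldapsearch would, including the attribute projection (sn cn) of the command above; the directory content is invented for the example.

```python
import re

# Constructed directory content in the dc=local,dc=site style of the commands above.
ENTRIES = [
    {"dn": "uid=ckent,ou=people,dc=local,dc=site", "objectClass": ["person"],
     "uid": ["ckent"], "cn": ["Clark Kent"], "sn": ["Kent"]},
    {"dn": "uid=eripley,ou=people,dc=local,dc=site", "objectClass": ["person"],
     "uid": ["eripley"], "cn": ["Ellen Ripley"], "sn": ["Ripley"]},
    {"dn": "uid=kiu,ou=people,dc=local,dc=site", "objectClass": ["person"],
     "uid": ["kiu"], "cn": ["Kiu"], "sn": ["Kiu"]},
]


def parse_filter(text):
    """Parse an RFC 4515 search filter (prefix/Polish notation) into a tuple tree.

    Supported: (&...), (|...), (!...), (attr=value), (attr=*) and substring
    values containing '*'; ordering and approximate matches are rejected.
    """
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else ""

    def expect(ch):
        nonlocal pos
        if peek() != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = peek()
        if op in ("&", "|", "!"):
            pos += 1
            kids = []
            while peek() == "(":
                kids.append(node())
            expect(")")
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, kids)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr or attr[-1] in "<>~":
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        pos = end + 1
        if value == "*":
            return ("present", attr.lower(), None)
        return ("substr" if "*" in value else "eq", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry; attribute names and values
    are compared case-insensitively (caseIgnoreMatch)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    values = [v.lower() for k, vs in entry.items()
              if k != "dn" and k.lower() == tree[1] for v in vs]
    if kind == "present":
        return bool(values)
    if kind == "eq":
        return tree[2].lower() in values
    pattern = ".*".join(re.escape(part) for part in tree[2].lower().split("*"))
    return any(re.fullmatch(pattern, v) for v in values)


def search(entries, filter_text, attrs=None):
    """Like 'ldapsearch -LLL FILTER [attrs...]': matching entries, optionally projected."""
    tree = parse_filter(filter_text)
    hits = [e for e in entries if matches(tree, e)]
    if attrs:
        hits = [{"dn": e["dn"], **{a: e[a] for a in attrs if a in e}} for e in hits]
    return hits
```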

cmd ldappasswd used to change passwords for LDAP

ldapadd

  • ldapadd -x -D "cn=ldapadmin,dc=local,dc=site" -W -f struktur_9000.ldif

ldapdelete

Configuring an OpenLDAP Server №210.4

slapd

slapd-config

  • cn=config is the dynamic (online) configuration database
  • slaptest -f FILE -u checks a configuration file (-u: dry run, databases are not touched)

LDIF

  • human readable (LDAP Data Interchange Format), protocol conformant
  • dn: cn=Clark Kent,c=Dtl.,ou=verkauf,o=lizenzen
  • root Directory Service Entry (rootDSE)

slapadd

slapcat

slapindex

/var/lib/ldap/

loglevel

E-Mail Services №211


Using E-mail Servers №211.1

Configuration files and commands for postfix

/etc/postfix/

  • master.cf configures processes
  • postconf -M checks syntax of master.cf
  • postconf -n lists config of main.cf
  • postfix reload
  • main.cf configures mail
    • online resources: man postconf(5)
  • postfix check checks syntax of main.cf
  • configuration of relay
    • postmap hash:sasl_password
    • postmap hash:sender_canonical

/var/spool/postfix/

  • check mail queue
    • mailq
    • sendmail -bp
    • postqueue -p
  • qshape prints a report on the age distribution of the queue

sendmail emulation layer commands

/etc/aliases

  • newaliases to rebuild the aliases database

Managing E-Mail Delivery №211.2

Conditions and comparison operators

keep, fileinto, redirect, reject, discard, stop

Dovecot vacation extension

Managing Mailbox Access №211.3

/etc/dovecot/

  • accepts plain, digest-md5 and cram-md5 for authentication
  • online resources: Dovecot manual

dovecot.conf

doveconf

  • doveconf -n prints the non-default settings

doveadm

  • doveadm reload
  • doveadm who - who is logged in

dovecot-sieve

  • applied to an email when delivered to a mailbox
  • logical operators “anyof”, “allof”
  • require fileinto
  • filter modules:
    • reject
    • vacation
    • stop
    • keep
    • discard
    • redirect

System Security №212


Configuring a Router №212.1

/proc/sys/net/ipv4/

/proc/sys/net/ipv6/

/etc/services

iptables

  • predefined chains: INPUT, FORWARD, OUTPUT
  • options, e. g.:
    • ip[6]tables -I INPUT -p tcp --dport 22 -j DROP
    • ip[6]tables-save -f FILE
    • ip[6]tables-restore FILE

ip6tables

Securing FTP Servers №212.2

vsftpd
  • xferlog_enable=YES (transfer logging)
  • cmd vsftpwho
Important Pure-FTPd Command Line Options

Secure Shell №212.3

cmd ssh

  • ssh -Nf -L localhost:40000:targethost:80 USER@RELAYINGHOST
  • curl -4 http://localhost:40000

sshd

/etc/ssh/sshd_config

  • e. g. configuration:

    ListenAddress 10.0.8.250
    PermitRootLogin
    AllowUsers ..
    AllowGroups ..
    PasswordAuthentication
    Protocol 2          # protocol 1 is obsolete and no longer supported by current OpenSSH

/etc/ssh/

Private and public key files

PermitRootLogin, PubKeyAuthentication, AllowUsers, PasswordAuthentication, Protocol

Security Tasks №212.4

telnet

nmap

fail2ban

# file:  sshd.conf
# brief: fail2ban jail for sshd (drop-in below jail.d/)

# jail name; the filter defaults to the filter of the same name
[sshd]
# activation
enabled = true
# port(s) to ban (service name or number)
port = ssh
# filter (/etc/fail2ban/filter.d/sshd.conf) applied to the log file
filter = sshd
# log file to be filtered
logpath = /var/log/auth.log
# failures before a ban
maxretry = 2
# ban duration in seconds
bantime = 120

# EOF /etc/fail2ban/jail.d/sshd.conf
  • https://www.linux-magazine.com/Online/Features/Intrusion-Detection-with-fail2ban
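Added example (not fail2ban code) applying the jail parameters above to a constructed auth.log excerpt: maxretry failures from one address within findtime lead to a ban of bantime seconds. findtime is taken as fail2ban's default of 600 s because the jail does not set it, and the log year is assumed since syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/auth.log excerpt (addresses from the documentation ranges).
AUTH_LOG = """\
Nov  3 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov  3 10:00:05 host sshd[1002]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov  3 10:00:09 host sshd[1003]: Accepted publickey for alice from 10.0.8.5 port 40000 ssh2
Nov  3 10:00:30 host sshd[1004]: Failed password for alice from 10.0.8.5 port 40010 ssh2
Nov  3 10:00:40 host sshd[1005]: Failed password for root from 203.0.113.7 port 51250 ssh2
Nov  3 10:20:00 host sshd[1006]: Failed password for alice from 10.0.8.5 port 40011 ssh2
"""

# Simplified version of the sshd filter: one failure pattern with a host group.
FAIL_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port")


def scan_auth_log(lines, maxretry=2, bantime=120, findtime=600, year=2020):
    """Ban a host after `maxretry` failures within `findtime` seconds.

    Returns {host: (ban_start, ban_end)} for the first ban of each host.
    Failures arriving while a host is banned are ignored, as the firewall
    rule fail2ban inserts would have dropped those connections.
    """
    failures = defaultdict(deque)        # host -> timestamps inside the window
    bans = {}
    for line in lines.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        host = m["host"]
        if host in bans and ts < bans[host][1]:
            continue
        window = failures[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()             # forget failures older than findtime
        if len(window) >= maxretry and host not in bans:
            bans[host] = (ts, ts + timedelta(seconds=bantime))
            window.clear()
    return bans
```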

nc

iptables

OpenVPN №212.5

dir /etc/openvpn/ holds the OpenVPN configuration files

  • example configuration:
    # file:  vpn.example.conf
    # brief: configuration of openvpn(8) connection to 10.0.8.243
    # -----------------------------------------------------------
    remote   10.0.8.243            # physical device
    dev      tun
    ifconfig 10.1.8.216 10.1.8.243 # tunnel
    secret   /etc/openvpn/vpn.key  # symmetric key
    verb     3                     # verbosity level 
    
    # EOF /etc/openvpn/vpn.example.conf -------------------------

cmd openvpn

  • standard port 1194