Linux System Administration
By Tom Adelstein, Bill Lubanovic
March 2007
Pages: 296



Table of Contents

Chapter 1: Requirements for a Linux System Administrator
We like Linux. Of all the Unix and Unix-like systems we've used, many now forgotten, Linux is our favorite. It's an excellent server platform, a good desktop, and the center of much innovation in the current computing world.
Linux probably has the broadest reach of any operating system, from tiny systems the size of phone jacks, to cell phones, to supercomputer clusters bigger than your high school. It has infiltrated the fields of telecommunications, embedded systems, satellites, medical equipment, military systems, computer graphics, and—last but not least—desktop computing.
In a relatively short time, Linux progressed from a Finnish hacker's hobby to a top-tier enterprise-level system backed by high rollers such as IBM and Oracle. The user base has grown from about 30,000 people in 1995 to hundreds of millions today. During the Internet boom of the 1990s, many Unix administrators were surprised to find that Linux on PC hardware could outperform more expensive Unix workstations and servers. Many Windows and Novell administrators saw that Linux could handle DNS, email, and file services more reliably and with less support personnel than their current platforms. The growth of the Internet, and especially the Web, fueled a rapid expansion in the use of Linux servers and the need for people to manage them.
This book is for Linux system administrators. However, you may be a grizzled Unix veteran, a brave MCSE, or a stoic mainframer. You're exploring new territory and need a map and compass. Some of the ground will be familiar, but some will be terra incognita. This book covers many topics that have only recently joined the mainstream, for instance load-balanced clusters and virtualization.
The success of the Internet and open source software is changing business. Google, Amazon, eBay, and others have built huge server farms with commodity hardware and relatively few administrators compared to traditional mainframe and PC installations. The skills needed to develop and maintain such distributed systems and applications are not taught in schools but learned from experience, sometimes bitter and sometimes sweet.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
About This Book
System administration books used to be fairly predictable. They showed you how to manage users, filesystems, devices, processes, printers, networks, and so on. They did not tell you what to do when new problems emerged. If your web site became popular, you had to learn quickly about proxy servers, different levels of caching, load balancing, distributed authentication, and other complex issues. If you added a database, you soon needed to scale it and learn to avoid SQL injection attacks. Overnight, sites became mission critical, and you needed the ability to make hot backups on 24 × 7 systems.
If you've been through these fire drills, you may have become tired of doing everything the hard way, facing new technical challenges nearly every day with few sources of help. Technical documentation—whether for commercial or open source software—rarely keeps up with the technology, and the gap seems to be widening. For example, open source directory servers have become important for managing computers, users, and resources. The original RFC-compliant protocols underlie many commercial products, but good documentation for community projects is surprisingly scarce.
Additional content appearing in this section has been removed.
How Can We Help?
Linux people are problem solvers. A typical Linux power user can put together a small server, get a dedicated Internet pipe with static IP addresses into her home, register a domain name, and build a server on the Internet. If you fall into this category, you can simply plow through the other topics in this book and expand your job possibilities.
To some of you, however, all that may sound like the equivalent of rappelling down a 10,000-foot mountain. If you're one of them, just start somewhere. As the saying goes, you eat an elephant one bite at a time, and damn the torpedoes.
You may have certifications for operating systems other than Linux. While you're applying patches and hot fixes, your boss may ask you to deploy an Apache server, or handle your own DNS lookups, or replace Exchange with Zimbra.
Whether you just want to learn or actually have to learn, you'll likely need some help climbing the Linux power user curve. That's exactly what we're here for: to help you explore the Linux system landscape without all the hardships our forefathers experienced.
Additional content appearing in this section has been removed.
Where Do You Start?
This book summarizes the steps you need to follow to build standalone servers. If you need to build a mail server, create a web server and blogging system, or set up a gateway for your LAN, you can jump right into the middle of the book. You don't have to read Linux System Administration from cover to cover.
We start you working right away, presenting a step-by-step guide to building a Linux server in Chapter 2. You can choose whatever path works for you, whether it involves creating a highly available cluster for web services, server consolidation through virtualization using Xen or VMware, or setting up a server for local area networks.
Running a modern operating system is incredibly cheap. You can set up a sophisticated learning center for yourself on hardware that many sites would consider obsolete and give away for free. We started with a used box powered by an Intel CPU two generations older than current models, added older versions of hard drives and memory, and went with a no-frills, free version of Linux.
Additional content appearing in this section has been removed.
Do You Need a Book?
Technical books have waned in popularity as the Internet has matured. To write a successful book today, the author has to provide significant value to the reader. An interesting story about one of the first e-commerce sites on the Web helps explain the value a book should deliver. A cheesecake company put up an advertisement in the earliest days of the Web. According to the story, several months passed and the company didn't receive a single order. In an unusual move, the president of the company published the company's secret cheesecake recipe. Within hours, he began receiving calls on his toll-free line. People began ordering cheesecakes in large numbers. Consumers looked at the recipe, considered the effort required to make their own cheesecakes, and saw the value in buying them from the company.
Many of the ingredients for this book were scattered across the Internet, in mailing lists, forums, and discussion groups, while others were mined from books, periodicals, and the experiences of colleagues. We solved a number of problems whose solutions were completely undocumented in the course of researching this book, and we pass our lessons on to you.
Many excellent project sites have inadequate documentation. Developers work hard to provide excellent software for free, but prose often trails code for many reasons: lack of time, lack of resources, lack of interest, language barriers, and so on. Together with our readers, editors, and reviewers, we hope we've decreased entropy slightly in this little corner of the computing world.
Additional content appearing in this section has been removed.
Who Needs You?
A few years ago, most Linux system administrators would have told you that they didn't choose their careers—Linux chose them. In the old days, Linux was like an adolescent Unix. Most Linux system administrators learned the ropes on single workstations and very small networks. Linux inherited some servers from Unix (BIND, Sendmail, Apache), but little office software and few applications. Today, Linux system administration involves thousands of packages and interoperability with other operating systems.
Who needs Linux administrators? The NASA Center for Computational Sciences (NCCS) at the Goddard Space Flight Center does. Its Linux-based high-performance computing (HPC) clusters are designed to dramatically increase throughput for applications ranging from studying weather and climate variability to simulating astrophysical phenomena. Linux supplements NCCS architecture designed to scale to as many as 40 trillion floating-point operations per second (TFLOPS) in its full configuration.
Linux runs more of the world's top supercomputers than any other operating system. In fact, as of this writing Linux runs an astonishing 75 percent of the top 500 supercomputers on the planet. According to department heads at the Lawrence Livermore National Laboratory in Livermore, CA, Linux runs 10 of their massive systems, all of which are on the TOP500 List. Those systems include BlueGene/L, the world's most powerful supercomputer, and Thunder, which currently ranks nineteenth (http://www.top500.org/list/2006/11/100).
Linux administrators are in high demand. To give you an idea of what's expected of them, we looked at a small selection of the tens of thousands of ads for Linux system administrators on a national job listing agency's web site. Here's a tiny snapshot of some of the jobs' responsibilities:
  • Administer and manage large Linux server environment, with an emphasis on performance monitoring, tuning, and management.
Additional content appearing in this section has been removed.
What System Managers Should Know About Linux
One of the first things an information technology manager should know is that Linux is not Unix. While Linux can certainly run the vast majority of Unix programs, it also has a wider range of applications in both public and private networks.
Linux administrators can configure distributions by choosing from a vast number of components that do similar jobs. For example, with almost every Unix distribution, Sendmail is the only choice of mail transfer agent (MTA). But with Linux, you can choose from a number of comparable MTAs, depending on whether you want a corporate workgroup application, a large-scale directory-driven corporate mail backbone, or a simple web application for handling "contact us" forms.
A further testament to Linux's flexibility is that it's the first operating system IBM has ever employed that runs on all of its hardware platforms, from the xSeries Intel class server, through the pSeries and iSeries, to the S/390 and zSeries mainframes.
If you want a Linux administrator and you use large IBM systems, your candidate will have to know mainframe architecture and be familiar with terms like "DASD" for hard drive storage, "IPL" for booting up the system, "catalog" for a directory, and "command list" for a shell script. But don't sell Linux administrators short. We once attended a two-day seminar with a group of Linux administrators who went out the day after the class and started deploying Linux on bare-metal IBM zSeries computers.
If Linux people have anything to offer, it's that they learn quickly, adapt quickly, and have a broad knowledge base you will not find with other technologists. They can learn to run your Microsoft boxes in less time than it takes an MCSE to learn a single Linux task.
Additional content appearing in this section has been removed.
What's Next
We know you don't like slow-paced learning and scads of fussy background (in fact, we're amazed you've read this far in the chapter), so we want to get started as quickly as possible. We want to provide a working server that will perform many Linux jobs you can learn and use. For this reason, we'll start out with an Internet-ready server in the next chapter. You're going to want Internet tools such as a web server and email no matter how you use your server (probably even if it serves only a LAN), and those tools will be useful to you from the start.
The rest of the book expands on some of the same topics and introduces others that you might not encounter every day. Linux System Administration is a combined cookbook and travelogue; you can enjoy a hearty breakfast while you're covering ground. We usually explain topics at the beginning of a chapter and follow with concise steps and applications of those topics. If you just want to follow the step-by-step instructions, go for it. You can figure out what you're doing later. We feel that our approach will keep you headed in the right direction.
Onward and upward. Excelsior!
Additional content appearing in this section has been removed.
Chapter 2: Setting Up a Linux Multifunction Server
There's a real difference between reading about something and doing it. That's why schools provide laboratories for so many of their courses. If you plan on learning Linux system administration, you need a server. So, the first task in this book involves building a basic server environment. Once you've built one, you'll have a good foundation for practicing and learning Linux.
The Linux operating system resembles the wheelbase of a car, which can take on an enormous variety of different functions depending on the choice of chassis and features. As you add services such as email or a database, the system takes on a different character. Do you need a web server, a development platform, a gateway, or a file and print server? Whatever you need requires a core, which this chapter provides.
We're going to start with a server you might find on the Internet, hosting web sites. Why, you might ask? Because you can adapt an Internet server to do many additional tasks, such as managing user authentication, providing print and file services, handling local email, and providing remote access. You can take the server to a web hosting facility, plug it in, and begin offering web services. You can even keep it in your own home, if you obtain a static IP address from your ISP.
Setting up a server on the Internet may change your perspective about computing. Deploying a wide area network (WAN) differs from using Linux as a desktop, a file and print server, or a simple firewall.
First-time administrators may experience some confusion while configuring the server, due to unfamiliar terms and concepts. You won't have the X Window System's convenient graphical interface, and you'll have to issue commands instead of clicking on icons. Your work will be done in console mode, from the command-line interface.
As part of our strategy to teach you administration, we'll show you how to put a web-based tool on your system in the next chapter (service providers use this web-based tool to manage Linux servers they lease to hosting customers). So, not everything you do will be limited to a black and white screen.
Additional content appearing in this section has been removed.
Server Requirements
You can use almost any distribution of Linux to configure a web server. In this exercise, we'll use Debian. We chose Debian because we wanted to use a stable distribution of Linux. The main commercial distributions—Red Hat Enterprise Linux and Novell's SUSE Linux Enterprise Server—have price tags that put them out of the reach of most users, but you can obtain Debian for free. Also, Red Hat and SUSE use proprietary management tools that create difficulties in transferring knowledge about Linux. You can learn more about standard Linux behavior by using Debian than by using either SUSE or Red Hat.
To set up a Linux Internet server, you will need a connection to the Internet and a static IP address. If you cannot obtain a static IP address, you can set up the system with the address leased to you by your ISP and configure it statically. Make sure you know how long the lease runs, in case you have to change the IP address while your system is running.
You'll also need a computer with at least a Pentium III CPU, a minimum of 256 MB of RAM, and a 10 GB hard drive. Obviously, a newer CPU and additional memory will provide better performance.
This chapter is based on Debian's stable version. We strongly suggest using a CD with the Netinstall kernel. The Debian web site (http://www.debian.org) provides downloadable CD images.
Additional content appearing in this section has been removed.
Installing Debian
We assume you know how to do a net installation of Linux. You'll just need a few pointers to set up your base box.
After you boot from the Debian CD-ROM, you will see a login screen. Make sure to type in linux26 to get the more recent version 2.6 kernel instead of the older version 2.4.
The installer will guide you through a series of installation screens. When you reach the screen called "Configure the Network," Debian first suggests configuring your network with DHCP. You can do that if you have DHCP available. If you do not, Debian will default to a screen that allows you to configure your network manually. You will be asked to provide the hostname of the server, a domain name, a gateway, an IP address, a netmask, and a nameserver. If you have a registered domain and a static IP address, you're ready to go. If you don't have a registered domain name, you will need one.
You can obtain a domain name from a number of sources for as little as $3.00. Search the Internet using the keywords "domain registration." You will see a number of registrars listed. Many vendors provide their services at low prices, and some offer free domain name services. You need two registered DNS servers to obtain a domain name initially. You may also find your registrar's DNS service handy if you do not have another physical server to provide for secondary domain services. Every domain you register requires a primary DNS server and a backup or secondary DNS server.
Now that you have configured your network, you can continue with the installation tasks that complete the base system. The Debian installation script will lead you through the next sections.
Right away, you will reach the hard disk partitioning screens. For the purposes of this book, just create one big partition with the mount point / (just a slash) and a swap partition. Choose the option to put all files in one partition. Finally, choose the finish partitioning option and write the results to disk.
Additional content appearing in this section has been removed.
Logging in Remotely
When you finish your installation, you should log into the server from a remote console on your desktop. We recommend you do further administration from another system (even a laptop), because a secure server normally runs in what is called headless mode—that is, it has no monitor or keyboard. Get used to administering your server like this, as if you were at a production site. On the remote machine you need only an SSH client, which virtually all Linux distributions have and which can be downloaded for other operating systems as well.
The following printout is typical of what you'll encounter the first time you SSH to your new Linux server:
$ ssh admin@server1.centralsoft.org
The authenticity of host 'server1.centralsoft.org (70.253.158.42)' can't
be established.
RSA key fingerprint is 9f:26:c7:cc:f2:f6:da:74:af:fe:15:16:97:4d:b3:e6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server1.centralsoft.org,70.253.158.42' (RSA)
to the list of known hosts.
Password: enter password for admin user here
Linux server1 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Last login: Sun Dec 25 19:07:38 2005 from 70.255.197.162
admin@server1:~$
At this point, you have established a remote connection and can perform tasks as if you were looking at your system from the monitor of your server. If you wish, you can remove any monitor, keyboard, and mouse you have connected to your server.
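The "RSA key fingerprint" line in that printout is the one chance to notice an impostor on first contact, so it should be compared with the value read on the server's own console (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub) before answering yes. The script below is an added example, not code from the book: it derives the same colon-separated MD5 fingerprint from a known_hosts-style line, compares it with a value obtained out of band, and records the key only on a match; the sample line's key blob is constructed and is not a real key, and trust_host is this example's own helper.

```shell
#!/bin/sh
# Added example, not from the book. Derives the MD5 fingerprint that the
# OpenSSH of the book's era prints ("9f:26:c7:...") from a known_hosts-style
# line and compares it with a value obtained out of band. Needs only
# coreutils (base64, md5sum), awk, sed and tr.

# Constructed sample line: the key blob is made up and is not a real key.
SAMPLE_LINE='server1.centralsoft.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAEADr4Z1m6Y0E9eXaMpLeB1oB'

# Print the MD5 fingerprint of the key in a "host type base64" line as
# 16 colon-separated hex pairs: MD5 over the raw decoded key blob.
fp_md5() {
  printf '%s\n' "$1" | awk '{ print $3 }' | base64 -d | md5sum \
    | awk '{ print $1 }' | sed 's/../&:/g; s/:$//'
}

# Return 0 when the fingerprint read from the console ($2) matches the key in
# line $1. Case and colons are ignored, so a value typed by hand still compares.
fp_matches() {
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ':')
  got=$(fp_md5 "$1" | tr -d ':')
  [ "$want" = "$got" ]
}

# Fetch the server's key, compare it with the fingerprint read on the console
# (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub; add -E md5 on newer OpenSSH,
# which shows SHA256 by default), and record it only on a match, so the
# yes/no prompt in the printout above never has to be answered blindly.
# Usage: trust_host server1.centralsoft.org 9f:26:c7:cc:f2:f6:da:74:af:fe:15:16:97:4d:b3:e6
trust_host() {
  line=$(ssh-keyscan -t rsa "$1" 2>/dev/null) || return 1
  if fp_matches "$line" "$2"; then
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    printf '%s\n' "$line" >> "$HOME/.ssh/known_hosts"
    echo "recorded host key for $1"
  else
    echo "FINGERPRINT MISMATCH for $1: server presented $(fp_md5 "$line")" >&2
    return 1
  fi
}

if [ "${1:-}" = "--trust" ]; then
  trust_host "$2" "$3"
else
  echo "sample line fingerprint: $(fp_md5 "$SAMPLE_LINE")"
fi
```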
Additional content appearing in this section has been removed.
Configuring the Network
If you used DHCP during the Debian installation, you should now configure your server with a static IP address so you can perform the testing required later in the chapter. If you had a public IP address and configured it as static, you can skip to the next section.
If you installed Debian with a DHCP client from your router or Internet service provider, you need to reconfigure networking. This is a valuable lesson in its own right for exploring Linux network configuration.
To change the settings to use a static IP address, you'll need to become root and edit the file /etc/network/interfaces to suit your needs. As an example, we'll use the IP address 70.153.258.42.
Our configuration file starts out looking like this:
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
auto lo
iface lo inet loopback
# The first network card - this entry was created during the Debian
# installation
# (network, broadcast, and gateway are optional)
# The primary network interface
iface eth0 inet dhcp
To add the IP address 70.153.258.42 to the interface eth0, we must change the file to look like this (you'll have to obtain some of the information from your ISP):
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)
# The loopback interface
auto lo
iface lo inet loopback
# The first network card - this entry was created during the Debian
# installation
# (network, broadcast, and gateway are optional)
auto eth0
iface eth0 inet static
        address 70.153.258.42
        netmask 255.255.255.248
        network 70.153.258.0
        broadcast 70.153.258.47
        gateway 70.153.258.46
After editing the /etc/network/interfaces file, restart the network by entering:
# /etc/init.d/networking restart
You will then need to edit /etc/resolv.conf and add nameservers to resolve Internet hostnames to their corresponding IP addresses. Though we have yet to configure our own nameserver, we will do so later in this chapter. At this point, we will simply set up a minimal DNS server. The other nameservers should specify the IP addresses of the DNS servers offered by your ISP. Our
Additional content appearing in this section has been removed.
Changing the Default Debian Packages
We started with the packages the Debian maintainers place in their distribution by default. As noted earlier, we need to make some changes—notably, in order to use Postfix. While you might think we're second-guessing the good work of the Debian team, that's not quite the case.
The Debian team has chosen to install, by default, services appropriate for a LAN, such as the Network File System (NFS). But we're putting our server on the Internet, so we'll want to delete NFS and some other services, while adding others such as OpenSSL.
To retrieve the files needed for this chapter, execute the following command:
# apt-get install wget bzip2 rdate fetchmail libdb3++-dev \
unzip zip ncftp xlispstat libarchive-zip-perl \
zlib1g-dev libpopt-dev nmap openssl lynx fileutils
You will then see Debian downloading files in your console. Soon, the downloading activity will stop and you will see a question such as the following asking you if you want to continue:
0 upgraded, 42 newly installed, 0 to remove and 0 not upgraded.
Need to get 12.2MB of archives.
After unpacking 35.8MB of additional disk space will be used.
Do you want to continue? [Y/n]
Entering Y will complete the installation of the additional files.
Next, you will want to remove services you will not use. Execute the following command, and you will see the output that follows:
# apt-get remove lpr nfs-common portmap pidentd pcmcia-cs \
pppoe pppoeconf ppp pppconfig
Reading Package Lists... Done
Building Dependency Tree... Done
Package pcmcia-cs is not installed, so not removed
The following packages will be REMOVED:
  lpr nfs-common pidentd portmap ppp pppconfig pppoe pppoeconf
0 upgraded, 0 newly installed, 8 to remove and 0 not upgraded.
Need to get 0B of archives.
After unpacking 3598kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 22425 files and directories currently installed.)
Removing lpr ...
Stopping printer spooler: lpd .
Removing nfs-common ...
Stopping NFS common utilities: statd.
Removing pidentd ...
Removing portmap ...
Stopping portmap daemon: portmap.
Removing pppoeconf ...
Removing pppoe ...
Removing pppconfig ...
Removing ppp ...
Stopping all PPP connections...done.
Additional content appearing in this section has been removed.
Setting Up Quotas
Apache's web server gives Linux the ability to provide virtual hosting—that is, your server can host several web sites with domain names that differ from the name of the physical server. In the web server configuration file, you can define different domains using virtual hosting clauses. For example, even though the domain name used in this book is centralsoft.org, we could have mothersmagic.com, wildbills.info, or any other domain we register and use the same IP address.
We cover this concept thoroughly in Chapter 6. For now, just think of the IP address like the telephone number for a house where several different people live. When a browser accesses port 80, it can reach whatever domain you set up.
Linux provides a means to manage disk usage for multiple domains via a facility called quotas. Originally, Unix provided quotas on user accounts so they wouldn't take up too much room on a server. For instance, if you had 50 users sharing disk space on a file server, without a quota system one user could fill up the disk, causing all of the users' applications to refuse to save any more data.
A quota facility forces users to stay under their disk consumption limits, taking away their ability to consume unlimited disk space on a system. The system keeps track of quotas per user and per filesystem. If you have more than one filesystem where users can create files, set up the facility for each filesystem separately.
You can use the same quota system to limit the space allocated to a domain you host. Various tools allow you to administer and automate quota policies on your system. In this part of the server setup, you'll add a quota facility so you can use it later.
First, install the quota packages using apt-get:
# apt-get install quota quotatool
You will encounter a question that reads:
Enable this option if you want the warnquota utility to be run daily to alert users
when they are over quota.
Send daily reminders to users over quota?
<Yes>                       <No>
Additional content appearing in this section has been removed.
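What the packages leave you to do is mark the filesystem for quotas in /etc/fstab, build the quota files, switch accounting on, and set limits; the script below walks through that as an added example, not the book's own steps. It assumes the classic quota utilities just installed, a filesystem mounted at $MNT and a user named in $QUOTA_USER (both this example's choices, defaulting to / and the book's admin user); the limit values are illustrative.

```shell
#!/bin/sh
# Added example, not from the book. Enables user and group quotas on one
# filesystem and sets limits for one user with the tools that
# "apt-get install quota quotatool" provides. Assumed (this example's choice):
# the filesystem is mounted at $MNT and the user to limit is $QUOTA_USER.
MNT=${MNT:-/}
QUOTA_USER=${QUOTA_USER:-admin}

# Print fstab file $1 with usrquota,grpquota added to the option field of the
# entry for mount point $2. Comment lines and other entries pass through
# unchanged; running it twice adds nothing the second time.
fstab_enable_quota() {
  awk -v mnt="$2" '
    $1 !~ /^#/ && $2 == mnt {
      n = split("usrquota grpquota", want, " ")
      for (i = 1; i <= n; i++)
        if (("," $4 ",") !~ ("," want[i] ","))
          $4 = $4 "," want[i]      # rebuilds the line with single spaces
    }
    { print }' "$1"
}

# Root-only procedure: turn quotas on and give $QUOTA_USER a 900 MB soft and
# 1000 MB hard block limit (setquota counts 1 KB blocks; 0 = no inode limit).
# Quotas are per filesystem, so repeat for every filesystem users can write to.
quota_apply() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  cp /etc/fstab /etc/fstab.bak
  fstab_enable_quota /etc/fstab.bak "$MNT" > /etc/fstab
  mount -o remount "$MNT"          # mount options now include usrquota,grpquota
  quotacheck -cugm "$MNT"          # create aquota.user and aquota.group on $MNT
  quotaon -v "$MNT"
  setquota -u "$QUOTA_USER" 921600 1024000 0 0 "$MNT"
  repquota -u "$MNT"               # show the limits now in force
}

if [ "${1:-}" = "--apply" ]; then
  quota_apply
fi
```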
Providing Domain Name Services
In Chapter 3, you will learn how to manage domain names for your server and for any virtual domains residing on your system. For now, we will set up a minimal configuration for BIND, the ubiquitous DNS server.
Debian provides a stable version of BIND in its repositories. We'll install and set up BIND and secure it in a chroot environment, meaning it won't be able to see or access files outside its own directory tree. This is an important security technique. The term chroot refers to the trick of changing the root filesystem (the / directory) that a process sees, so that most of the system is effectively inaccessible to it.
We will also configure BIND to run as a non-root user. That way, if someone gains access to BIND, she won't gain root privileges or be able to control other processes.
To install BIND on your Debian server, run this command:
# apt-get install bind9
Debian downloads and configures the file as an Internet service. You will see the following messages on your console:
Setting up bind9 (9.2.4-1)
Adding group 'bind' (104)
Done.
Adding system user 'bind'
Adding new user 'bind' (104) with group 'bind'.
Not creating home directory.
Starting domain name service: named.
You will see similar output as you install or remove other services with the apt-get utility.
To put BIND in a secured environment, you need to create a directory where the service can run unexposed to other processes. You will also run it as an unprivileged user, but only root will be able to access that directory.
First stop the service by running the following command:
# /etc/init.d/bind9 stop
Next, edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Change the line:
OPTIONS="-u bind"
so that it reads:
OPTIONS="-u bind -t /var/lib/named"
To provide a complete environment for running BIND, create the necessary directories under
Additional content appearing in this section has been removed.
Adding a Relational Database: MySQL
Web sites and web service applications use relational databases to embed objects into web pages. This allows for rapid scaling of web site requests. Web browsers can generate 30 requests at once, increasing the load on CPUs, memory, and disk access. Relational databases, in combination with a web server, can efficiently construct complex web pages on the fly.
We do not cover the complex topic of database administration in this book. However, Linux system administrators often find that developers expect them to set up databases for development use, so we will demonstrate how to configure your Linux server with one of the popular open source databases: MySQL. To make effective use of the database, you will need to know how to:
  1. Install and start MySQL.
  2. Create a MySQL root user.
  3. Create a regular MySQL user, which the application will use to access the database.
  4. Perform backups and restorations of databases.
To install the database server, a convenient client program that you can use to administer the server, and the library needed by both, issue this command:
# apt-get install mysql-server mysql-client libmysqlclient12-dev
Debian will download MySQL from its repositories and begin the installation process. You'll see the following messages:
Install Hints
MySQL will only install if you have a NON-NUMERIC hostname that is
resolvable via the /etc/hosts file. E.g. if the "hostname" command
returns "myhostname" then there must be a line like "10.0.0.1
myhostname".
A new mysql user "debian-sys-maint" will be created. This mysql account
is used in the start/stop and cron scripts. Don't delete.
Please remember to set a PASSWORD for the MySQL root user! If you use a
/root/.my.cnf, always write the "user" and the "password" lines in
there, never only the password!
See /usr/share/doc/mysql-server/README.Debian for more information.
<Ok>
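The install hint above states a precondition worth checking before running apt-get: the hostname must be non-numeric and must resolve through the hosts file. The following shell function is an added example (not from the book) that performs that check; the hostname and hosts-file path are parameters, and the sample hosts file at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify the mysql-server install precondition from the
# Debian install hint. The hostname must contain a non-numeric character
# and must appear as a name on an uncommented line of the hosts file.
#
# usage: check_mysql_hostname_prereq HOSTNAME [HOSTS_FILE]
# returns 0 when the precondition holds, 1 otherwise (reason on stderr).
check_mysql_hostname_prereq() {
    name="$1"
    hosts="${2:-/etc/hosts}"

    if [ -z "$name" ]; then
        echo "hostname is empty" >&2
        return 1
    fi
    # A name made only of digits and dots (e.g. "10.0.0.1") is numeric.
    case "$name" in
        *[!0-9.]*) ;;   # contains a non-numeric character: acceptable
        *) echo "hostname '$name' is numeric" >&2; return 1 ;;
    esac
    # Look for "<address> <name> [aliases...]" with whole-word matching,
    # skipping comment lines; awk exits 0 only when the name is found.
    if awk -v n="$name" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$hosts"; then
        return 0
    fi
    echo "hostname '$name' is not resolvable via $hosts" >&2
    return 1
}

# Demonstration on a constructed hosts file (sample data, not a real host).
sample_hosts=$(mktemp)
printf '# constructed sample\n127.0.0.1 localhost\n10.0.0.1 myhostname\n' > "$sample_hosts"
if check_mysql_hostname_prereq myhostname "$sample_hosts"; then
    echo "myhostname: precondition satisfied"
fi
rm -f "$sample_hosts"
```

Run it against the real /etc/hosts with the output of the hostname command before installing the package; a nonzero exit tells you which of the two conditions fails.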
Configuring Mail Securely with Postfix, POP3, and IMAP
In this section, we'll add email transport and delivery agents and implement tight control over the system's environment. We will demonstrate how to authenticate bona fide users of an email system and prevent fraudulent access to email facilities.
For more than 25 years, Sendmail has served as the Internet's primary MTA. Many applications written for Linux expect to find Sendmail running on the server. Written before the Internet became open to the public, however, Sendmail has many of the security problems listed on the Common Vulnerabilities and Exposures (CVE) list hosted at http://cve.mitre.org.
Fortunately, other MTAs have emerged to take Sendmail's place. The main problem these MTAs face is the expectation by core applications that Sendmail will be present on the Linux server. To get around this, MTAs such as Postfix and Exim must be able to appear to applications as if they are Sendmail. We call these drop-in replacements, and they can run in a Sendmail mode.
Postfix is our preferred replacement for Sendmail. Postfix is faster than Sendmail, has a more secure, modular architecture, and offers many of the features required by a high-volume mail provider. Postfix doesn't provide deprecated protocols, but uses the Internet-standard Simple Mail Transport Protocol (SMTP), and it has the lowest number of items on the CVE list. For all of these reasons, we'll use Postfix rather than Sendmail as our MTA.
Securing email involves keeping unauthorized users off the server altogether (so they can't use it to send unsolicited bulk email), making sure that nobody can spoof legitimate users, and protecting the content of each email from being snooped on or changed in transit.
Weak email security makes it easy for imposters to spoof users. To promote authentication, we will install Postfix with Transport Layer Security (TLS), a protocol better known as the Secure Sockets Layer (SSL). This prevents the sending of clear-text passwords from an email client to the server.
Putting Apache to Work
As mentioned earlier in this chapter, we're including a web server in our initial setup because it's important for you to learn some basic server administration, and because the server can be a useful host for other tools. At the end of this chapter we'll use it to serve up web statistics generated by Webalizer.
In November 2006, Netcraft published a report stating that 60 percent of the web sites on the Internet use Apache. That makes it more widely used than all other web servers combined.
Apache is well integrated with most Linux distributions. In this section we will follow a familiar pattern and install and configure Apache by running the following command:
# apt-get install apache2 apache2-doc
Setting up ssl-cert (1.0-11) ...
Setting up apache2-utils (2.0.54-5) ...
Setting up apache2-common (2.0.54-5) ...
Setting Apache2 to Listen on port 80. If this is not desired, please edit
/etc/apache2/ports.conf as desired. Note that the Port directive no longer
works.
Module userdir installed; run /etc/init.d/apache2 force-reload to enable.
Setting up apache2-mpm-worker (2.0.54-5) ...
Starting web server: Apache2.
Setting up apache2 (2.0.54-5) ...
Setting up apache2-doc (2.0.54-5) ...
Once Debian finishes installing the apache httpd server, run:
# apt-get install libapache2-mod-php4 libapache2-mod-perl2 \
php4 php4-cli php4-common php4-curl php4-dev php4-domxml \
php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql \
php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick
This command fetches and configures 48 files, so it will take a while. Once it's done, you can move to the next step.
Change the DirectoryIndex directive in the /etc/apache2/apache2.conf file from:
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml
to:
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml
Next, add # marks as shown, to comment out the following lines in the /etc/mime.types
Adding FTP Services with ProFTPD
Along with the httpd server for displaying web pages in a browser, you'll want to implement a File Transfer Protocol (FTP) server. We will use the open source tool ProFTPD for this purpose because it is popular, secure, and configurable.
The FTP server uses a single main configuration file, with directives and directive groups that any administrator who has ever used the Apache web server will understand. ProFTPD has per-directory .ftpaccess configuration files similar to Apache's .htaccess files, which force users to enter their user IDs and passwords to access individual directories.
ProFTPD allows you to configure multiple virtual FTP servers and anonymous FTP services. It does not execute any external programs at any time and runs as an unprivileged user.
Install ProFTPD by executing this command:
# apt-get install proftpd
Figure 2-9 shows the screen you'll see once Debian downloads and begins installing ProFTPD. ProFTPD can be run either standalone or as a service from inetd. For security reasons, we'll run ProFTPD in standalone mode.
Figure 2-9: Debian configuration screen for ProFTPd
Next, add the following lines to your /etc/proftpd.conf file:
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
Now, as we have done with other processes, restart ProFTPD using this command:
# /etc/init.d/proftpd restart
Summarizing Your Web Statistics with Webalizer
Webalizer develops statistical reports for web server logfiles. You can use it with a standard web browser, and it produces detailed, easily configurable usage reports in HTML format.
The Debian project includes Webalizer in its stable repositories, so you can install it with this command:
# apt-get install webalizer
During the installation you'll need to verify the installation directory (/var/www/webalizer), the name to be used in the titles of the statistical reports (you could specify your domain name, for instance), and the location of the web server's log file (which on our system is /var/log/apache/access.log.1):
Which directory should webalizer put the output in?
/var/www/webalizer
Enter the title of the reports webalizer will generate.
Usage Statistics for server1.centralsoft.org
What is the filename of the rotated webserver log?
/var/log/apache/access.log.1
Synchronizing the System Clock
Computer systems' clocks tend to drift. Therefore, a fairly basic configuration task is to connect your system to a Network Time Protocol (NTP) server that will keep it within a couple of seconds of the correct time.
To synchronize your system clock with an NTP server, add the following lines to /var/spool/cron/crontabs/root:
# update time with NTP server
0 3,9,15,21 * * * /usr/sbin/rdate 128.2.136.71 | logger -t NTP
If the file doesn't exist, you can create it with the command:
# touch /var/spool/cron/crontabs/root
The IP address 128.2.136.71 belongs to Carnegie Mellon University's public time server. You can use a different time server if you wish.
Modify permissions on the crontab file by running:
# chmod 600 /var/spool/cron/crontabs/root
and restart the cron service by running:
# /etc/init.d/cron restart
Installing Perl Modules Needed by SpamAssassin
Many tools depend on the Perl programming language or offer a Perl interface to let you customize them (although other languages are gaining adherents in the open source and Unix worlds). SpamAssassin, a critical tool for mail administrators (and even mail users), is one program we'll use in this book that relies on Perl. As a system administrator, even if you don't want to program in Perl, you should be able to download Perl modules from the most popular and trusted repository, the Comprehensive Perl Archive Network (CPAN).
To give you a feel for installing Perl modules, we'll add a few now using the Perl CPAN shell. This is an environment for searching the archive and installing modules from it.
Log into your command line as root and run the following command to start the Perl CPAN shell:
server1:/home/admin# perl -MCPAN -e shell
/etc/perl/CPAN/Config.pm initialized.
Answer all the questions by pressing the Return key to accept the defaults. Then run the following commands to install the modules we'll use in the next chapter:
> install HTML::Parser
> install DB_File
> install Net::DNS
At the enable tests? prompt, answer no.
If a module already exists on your system, you will see a message like HTML::Parser is up to date. When a module installs successfully, you will see /usr/bin/make install - OK.
Once you're done, simply enter q to leave Perl and return to the system prompt.
What's Next
Now that you have completed the tasks associated with setting up your server, you will want to start using it in a production mode. You will need to set up your DNS services and notify the registrar where you set up your domain (the subject of the next chapter). Once you're done with DNS configuration, you can install a web-based application (we'll use ISPConfig) and begin to explore how web applications work.
Chapter 3: The Domain Name System
This chapter shows you how to build a Domain Name System (DNS) server using BIND. When you finish this material you should understand how to install, configure, maintain, and troubleshoot a server for any domain you register. We'll begin with an introduction to DNS, which you can skip if you'd rather move directly to the step-by-step installation and configuration section. If you run into problems, you may want to come back and read and/or review the earlier material.
DNS Basics
If you do any research on the Internet's DNS, you are certain to encounter the claim that DNS is the world's largest database. Comparing it to a database like Oracle or MySQL is misleading, though. In fact, DNS is the world's largest distributed digital directory. Like an online telephone directory, you use it to match names with numbers—but with DNS, the numbers are the IP addresses of the multitude of servers connected to the Internet, including those that manage small web sites and gigantic server farms like Google and Amazon.
Like the public library with its master collection of phone books separated by states, DNS separates domains into categories. The master collection of categories lives in what we call root directories. This collection is divided into top-level domains (TLDs), in much the same way that the master collection of phone books is divided into states. Instead of looking for a telephone number with a New York area code, DNS looks for names that end in suffixes like .edu, .org, .com, .net, .mil, .de, .fr, and so on. The domains within each TLD eventually lead to an address you can use to communicate with a server.
The DNS (originally defined in RFC 882 in 1983, and later revised as RFCs 1034 and 1035) introduced various ideas for managing the mapping of common Internet names to IP addresses. The system distributes data and the naming of hosts hierarchically in a domain name space. Each domain resembles a branch of a tree and each branch contains sub-branches. Programs called nameservers provide information about their parts of the tree, and resolvers request domain information from nameservers on behalf of client programs.
Hierarchical naming schemes like DNS prevent duplication of data. Each domain is unique, and you can have as many servers as you like within a domain—simply prefix their hostnames to the domain name. A site that controls centralsoft.org, for example, might have any number of hosts with names like server1.centralsoft.org, ldap.centralsoft.org, and mail.centralsoft.org.
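To make the tree structure concrete, the following shell function is an added example (not from the book) that takes a name such as server1.centralsoft.org and prints the chain of zones from the root down to the host, which is the path a resolver walks through the hierarchy. It also applies the label and name length limits from RFC 1035 and the hostname character rules (letters, digits and hyphens, no leading or trailing hyphen), rejecting names that violate them.

```shell
#!/bin/sh
# Added example: decompose a domain name into the zones it passes through,
# root first, validating each label on the way.
#
# usage: dns_zone_chain NAME   -> one zone per line, e.g.
#   .  /  org.  /  centralsoft.org.  /  server1.centralsoft.org.
# returns 1 (after printing a reason to stderr) on an invalid name.
dns_zone_chain() {
    name="${1%.}"                       # drop a trailing dot if present
    # RFC 1035: 255 octets on the wire, which is 253 characters of text.
    if [ -z "$name" ] || [ ${#name} -gt 253 ]; then
        echo "invalid name length" >&2
        return 1
    fi
    echo "."                            # the root zone
    chain=""
    rest="$name"
    # Peel labels off the right-hand side: org, then centralsoft, ...
    while [ -n "$rest" ]; do
        case "$rest" in
            *.*) label="${rest##*.}"; rest="${rest%.*}" ;;
            *)   label="$rest";       rest="" ;;
        esac
        # RFC 1035: each label is 1 to 63 octets.
        if [ -z "$label" ] || [ ${#label} -gt 63 ]; then
            echo "invalid label '$label' in '$name'" >&2
            return 1
        fi
        # Hostname syntax: letters, digits, hyphen; no hyphen at either end.
        case "$label" in
            *[!A-Za-z0-9-]*|-*|*-)
                echo "label '$label' violates hostname syntax" >&2
                return 1 ;;
        esac
        if [ -z "$chain" ]; then chain="$label."; else chain="$label.$chain"; fi
        echo "$chain"
    done
}

# Demonstration with a hostname from the text.
dns_zone_chain server1.centralsoft.org
```

Each printed line is a zone that some nameserver is authoritative for; the delegation from one line to the next is what the TLD and domain registries record.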
Getting into the BIND