config webserver tutorial

Linux Web Server and Domain Conﬁguration Tutorial http://www.yolinux.com/TUTORIALS/LinuxTutori...
Home (/) > Tutorials (/TUTORIALS/) > Linux Website Configuration (/TUTORIALS/LinuxTutorialWebSiteConfig.html)
Linux Internet Web Server and Domain

Configuration Tutorial
HowTo Create an Apache based Linux website server
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux server configuration
required to host a website. The Apache web server, FTP server and DNS configuration are covered. The
Apache web server is required to serve the web pages, the FTP server is required for users to upload content
(http://www.yolinux.com/) and the DNS server is required to resolve the domain names so that a URL entered into a web browser will point
to your web server and properly serve the correct pages. The configurations presented will include virtual hosting
which will allow a single Linux server to support multiple web site domains.
Tutorial topics:
# Linux Apache web (httpd) server
configuration
# Linux FTPd server and FTP user
accounts
# vsFTPd and FTP user account
configuration
# wu-FTPd and FTP user account
configuration
# Basic "user account" configuration for
maximum security on an Internet based
web server
# Linux DNS (Domain Name Server)
configuration using Bind version 8 or 9
(named)
# Web Server Load Balancing
# Managing web server daemons
(services)
# Links and Resources
Also see: Web Site Security Tutorial

(LinuxTutorialInternetSecurity.html) - YoLinux
Internet Server Security Tutorial
search | Home Page (/) | Linux Tutorials (/TUTORIALS/) | Terms (/YoLinux-Terms.html) | Privacy Policy (/privacy.html) |
Search Advertising (/YoLinux-Advertising.html) | Contact (/YoLinuxEmailForm.html) |
Related YoLinux Tutorials:

Web Site Prerequisites:
°Apache login authentication
This tutorial assumes that a computer has Linux installed and running. See RedHat Installation
(LinuxTutorialApacheAddingLoginSiteProtection.htm
(LinuxTutorialRedHatInstallation.html) for the basics. A connection to the internet is also assumed. A connection of
128 Mbits/sec or greater will yield the best results. ISDN, DSL, cable modem or better are all suitable. A 56k
°Securing Linux (LinuxTutorialInternetSecurity.html
modem will work but the results will be mediocre at best. The tasks must also be performed with the root user
°Linux Security Tools (LinuxSecurityTools.html
login and password.
°Linux Networking (LinuxTutorialNetworking.html
No single distribution seems to have an advantage. A Ubuntu, SuSe, Fedora, Red Hat or CentOS distribution will
include all of the software you will need to configure a web server. If using Red Hat Enterprise Linux, both the
°Linux Sys Admin (LinuxTutorialSysAdmin.html
Workstation or the Server edition will support your needs except that the Workstation edition will not include the
°Internet Gateway
vsFTP package. It will have to be compiled from source or use sftp.
(LinuxTutorialIptablesNetworkGateway.html
Software Prerequisites: The Apache web server (httpd), FTP (requires xinetd or inetd) and Bind (named)
°YoLinux Tutorials Index (/TUTORIALS/
software packages with their dependencies are all required. One can use the rpm command to verify installation:
Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:
rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd
RPMs added FC2+: system-config-httpd

RPMs added FC3+: httpd-suexec
1 of 51 01/07/2016 11:19 AM
Red Hat 9.0
Need rpm -q httpd bind xinetd vsftpd
faster A Red Hat 8.0 wu-ftpd RPM may be installed (Newer version 2.6.2 or later with security fix wu-ftpd-
2.6.2-11) or install from source (http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/wily/wu-ftpd/wily
DNS? /files) (rev 14).
Red Hat 8.0

High-performa rpm -q httpd bind xinetd wu-ftpd
nce DNS
Red Hat 7.x:
cache, low rpm -q apache bind inetd wu-ftpd
TCO DNS
cache from Use wu-ftpd version 2.6.2 or later to avoid security problems.
$3,461. SuSE 9.3:
Contact us. rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils vsftpd
Note: The apache2-MPM is a generic term for Apache installation options for "Multi-Processing Modules
(MPM)s "prefork" or "worker". If you try and only install apache2 you will get the following error:
apache2-MPM is needed by apache2-2.0.53-9
Also see Apache.org: MPMs (http://httpd.apache.org/docs/2.0/mpm.html)
Ubuntu (natty 11.04) / Debian:
apt-get install apache2

apt-get install bind9
apt-get install vsftpd
Ubuntu (dapper 6.06/hardy 8.04) / Debian:
apt-get install apache2 apache2-common apache2-mpm-prefork apache2-utils

Ads by Google apt-get install bind9
apt-get install vsftpd
► Linux Tutorial
► Linux Web Server One should also have a working knowledge of the Linux init process so that these services are initiated upon
► Linux Install system boot. See the YoLinux init process tutorial (LinuxTutorialInitProcess.html) for more info.
Free Information Technology Apache HTTP Web server configuration:

Magazines and Document This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0). See the YoLinux list of Linux HTTP servers
Downloads (LinuxHttpServers.html) for a list of other web servers for the Hyper Text Transport Protocol.
The Apache web server configuration file is: /etc/httpd/conf/httpd.conf
Web pages are served from the directory as configured by the DocumentRoot directive. The default directory
location is:
Linux distribution Apache web server "DocumentRoot"
(http://yolinux.tradepub.com/ Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5/6, CentOS 4/5/6 /var/www/html/
Red Hat 6.x and older /home/httpd/html/
Suse 9.x /srv/www/htdocs/
Ubuntu (dapper 6.06) / Debian /var/www/html
Ubuntu (hardy 8.04/natty 11.04) / Debian /var/www
The default home page for the default configuration is index.html. Note the pages should not be owned by
user apache as this is the process owner of the httpd web server daemon. If the web server process is
comprimised, it should not be allowed to alter the files. The files should of course be readable by user apache.
Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for
multiple domains. Serving for multiple domains may be achieved in two ways:
Virtual hosts: One IP address but multiple domains - "Name based" virtual hosting.
Multiple IP based virtual hosts: One IP address for each domain - "IP based" virtual hosting.
2 of 51 01/07/2016 11:19 AM
The default configuration will allow one to have multiple user accounts under one domain by using a reference to
the user account: http://www.domain.com/~user1/. If no domain is registered or configured, the IP
address may also be used: http://XXX.XXX.XXX.XXX/~user1/.
[Potential Pitfall] The default umask for directory creation is correct by default but if not use: chmod 755
/home/user1/public_html
[Potential Pitfall] When creating new "Directory" configuration directives, I found that placing them by the
existing "Directory" directives to be a bad idea. It would not use the .htaccess file. This was because the
statement defining the use of the .htaccess file was after the "Directory" statement. Previously in RH 6.x the
files were separated and the order was defined a little different. I now place new "Directory" statements near
the end of the file just before the "VirtualHost" statements.
For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use
pretty point and click tools.
Files used by Apache:
Start/stop/restart script:
Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
SuSE 9.3: /etc/init.d/apache2
Ubuntu (dapper 6.06/hardy 8.04/natty 11.04) / Debian: /etc/init.d/apache2
Apache main configuration file:
Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
SuSE: /etc/apache2/httpd.conf
(Need to add directive: ServerName host-name)
Ubuntu (dapper 6.06/hardy 8.04/natty 11.04) / Debian: /etc/apache2/apache2.conf
Apache suplementary configuration files:
Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
SuSE: /etc/apache2/conf.d/component.conf
Ubuntu (dapper 6.06/hardy 8.04/natty 11.04) / Debian:
Virtual domains: /etc/apache2/sites-enabled/domain
(Create soft link from /etc/apache2/sites-enabled/domain to /etc/apache2
/sites-available/domain to turn on. Use command a2ensite)
Additional configuration directives: /etc/apache2/conf.d/
Modules to load: /etc/apache2/mods-available/
(Soft link to /etc/apache2/mods-enabled/ to turn on)
Ports to listen to: /etc/apache2/ports.conf
/var/log/httpd/access_log and error_log - Red Hat/Fedora Core Apache log files
(Suse: /var/log/apache2/)
Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or status.
i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read the
configuration files to pick up any changes. To have this script invoked upon system boot issue the command
chkconfig --add httpd. See Linux Init Process Tutorial (LinuxTutorialInitProcess.html) for a more complete
discussion.
Also Apache control tool: /usr/sbin/apachectl start
Apache Control Command: apachectl:
Red Hat / Fedora Core / CentOS: apachectl directive

Ubuntu dapper 6.06 / hardy 8.04 / natty 11.04 / Debian: apachectl (softlink to apache2ctl) or
apache2ctl directive
Directive Description
start Start the Apache httpd daemon. Gives an error if it is already running.
stop Stops the Apache httpd daemon.
graceful Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs
from a normal restart in that currently open connections are not aborted.
graceful-stop Gracefully stops the Apache httpd daemon. This differs from a normal restart in that currently open
connections are not aborted.
restart Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command
automatically checks the configuration files as in configtest before initiating the restart to make sure
the daemon doesn't die.
status Displays a brief status report.
3 of 51 01/07/2016 11:19 AM
Directive Description
fullstatus Displays a full status report from mod_status. Requires mod_status enabled on your server and a
text-based browser such as lynx available on your system. The URL used to access the status
report can be set by editing the STATUSURL variable in the script.
configtest Run a configuration file syntax test.
-t
Apache control tool: apachectl (http://man.yolinux.com/cgi-bin/man2html?cgi_command=apachectl) - man page
Apache Configuration Files:
/etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into
three files. These may now be all concatenated into one file. See Apache online documentation
(http://www.apache.org/docs/) for the full manual.
/etc/httpd/conf.d/application.conf: All configuration files in this directory are included during
Apache start-up. Used to store application specific configurations.
/etc/sysconfig/httpd: Holds environment variables used when starting Apache.
Basic settings: Change the default value for ServerName www.<your-domain.com>
Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those
directories necessary. This is done with the directory statement. Start by denying access to everything, then grant
access to the necessary directories.
Deny access completely to file system root ("/") as the default:
Deny first, then grant permissions:
1 <Directory />
2 Options None
3 AllowOverride None
4 </Directory>
Set default location of system web pages and allow access: (Red Hat/Fedora/CentOS)
1 DocumentRoot "/var/www/html"
2
3 <Directory "/var/www/html">
4 Options Indexes FollowSymLinks
6 Order allow,deny
7 Allow from all
8 </Directory>
Grant access to a user's web directory: public_html

Enabling Red Hat / Fedora Linux, Apache public_html user directory access:
This will allow users to serve content from their home directories under the subdirectory "/home/userid
/public_html/" by accessing the URL http://hostname/~userid/
File: /etc/httpd/conf/httpd.conf
4 of 51 01/07/2016 11:19 AM
LoadModule userdir_module modules/mod_userdir.so
...
...
<IfModule mod_userdir.c>
#UserDir disable - Add comment to this line
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
UserDir public_html # Uncomment this line
</IfModule>
...
...
<Directory /home/*/public_html>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
Change to a comment (add "#" at beginning of line) from Fedora Core default UserDir disable and
assign the directory public_html as a web server accessible directory.
OR
Assign a single user the specific ability to share their directory:
1 <Directory /home/user1/public_html>
3 order allow,deny
4 allow from all
5 Options Indexes Includes FollowSymLinks
6 </Directory>
Allows the specific user, "user1" only, the ability to serve the directory /home/user1/public_html/
Also use SELinux command to set the security context: setsebool httpd_enable_homedirs true
Directory permissions: The Apache web server daemon must be able to read your web pages in order to
feed their contents to the network. Use an appropriate umask and file protection. Allow access to web
directory: chmod ugo+rx -R public_html.
Note that the user's directory also has to have the appropriate permissions as it is the parent of
public_html.
Default permissions on user directory: ls -l /home
drwx------ 20 user1 user1 4096 Mar 5 12:16 user1
Allow the web server access to operate the parent directory: chmod ugo+x /home/user1
d-wx--x--x 20 user1 user1 4096 Mar 5 12:16 user1
One may also use groups to control permisions. See the YoLinux tutorial on managing groups
(LinuxTutorialManagingGroups.html).
Enabling Ubuntu's Apache public_html user directory access:

Ubuntu has broken out the Apache loadable module directives into the directory /etc/apache2/mods-
available/. To enable an Apache module, generate soft links to the directory /etc/apache2
/sites-enabled/ by using the commands a2enmod/a2dismod to enable/disable Apache modules.
Example:
[root@node2]# a2enmod
A list of available modules is displayed. Enter "userdir" as the module to enable.
Restart Apache with the following command: /etc/init.d/apache2 force-reload
5 of 51 01/07/2016 11:19 AM
Note: This is the same as manually generating the following two soft links:
ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-
enabled/userdir.conf
ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-
enabled/userdir.load
Man page: a2enmod/a2dismod (http://man.yolinux.com/cgi-bin/man2html?cgi_command=a2enmod)
[Potential Pitfall]: If the Apache web server can not access the file you will get the error "403 Forbidden"
"You don't have permission to access file-name on this server." Note the default permissions on a user
directory when first created with "useradd" are:
drwx------ 3 userx userx

You must allow the web server running as user "apache" to access the directory if it is to display pages held
there.
Fix with command: chmod ugo+rx /home/userx

drwxr-xr-x 3 userx userx
SELinux security contexts:

Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies
and context labels.
To view the security context labels applied to your web page files use the command: ls -Z
The system enables/disables SELinux policies in the file /etc/selinux/config
SELinux can be turned off by setting the directive SELINUX. (Then reboot the system):
SELINUX=disabled
or using the command setenforce 0 to temporarily disable SELinux until the next reboot.
When using SELinux security features, the security context labels must be added so that Apache can read your
files. The default security context label used is inherited from the directory for newly created files. Thus a copy
(cp) must be used and not a move (mv) when placing files in the content directory. Move does not create a new
file and thus the file does not recieve the directory security context label. The context labels used for the default
Apache directories can be viewed with the command: ls -Z /var/www
The web directories of users (i.e. public_html) should be set with the appropriate context label
(httpd_sys_content_t).
Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1

/public_html
Options:
-R: Recursive. Files and directories in current directory and all subdirectories.
-h: Affect symbolic links.
-t: Specify type of security context.
Use the following security contexts:
Context Type Description

httpd_sys_content_t Used for static web content. i.e. HTML web pages.
httpd_sys_script_exec_t Use for executable CGI scripts or binary executables.
httpd_sys_script_rw_t CGI is allowed to alter/delete files of this context.
httpd_sys_script_ra_t CGI is allowed to read or append files of this context.
httpd_sys_script_ro_t CGI is allowed to read files and directories of this context.
Set the following options: setsebool httpd-option true
(or set to false)
Policy Description
httpd_enable_cgi Allow httpd cgi support.
httpd_enable_homedirs Allow httpd to read home directories.
httpd_ssi_exec Allow httpd to run SSI executables in the same domain as system CGI scripts.
Then restart Apache:
Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
Red Hat/Fedora: service httpd restart
6 of 51 01/07/2016 11:19 AM
The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans
For more on SELinux see the YoLinux Systems Administration tutorial (LinuxTutorialSysAdmin.html#SELINUX).
Virtual Hosts:
The Apache web server allows one to configure a single computer to represent multiple websites as if they were
on separate hosts. There are two methods available and we describe the configuration of each. Choose one
method for your domain:
Name based virtual host: (most common) A single computer with a single IP adress supporting multiple web
domains. The web browser using the http protocol, identifies the domain being addressed.
IP based virtual host: The virtual hosts can be configured as a single multi-homed computer with multiple IP
addresses on a single network card, with each IP address representing a different web domain. This has
the appearance of a web domain supported by a dedicated computer because it has a dedicated IP
address.
Configuring a "name based" virtual host:

A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a
dedicated linux server which hosts a single web site.)
NameVirtualHost XXX.XXX.XXX.XXX
<VirtualHost XXX.XXX.XXX.XXX>
ServerName www.your-domain.com - CNAME (DNS alias www) specified in (/var/name
d/...)
ServerAlias your-domain.com - Allows requests without the "www" prefix.
ServerAdmin user1@your-domain.com
DocumentRoot /home/user1/public_html
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log
</VirtualHost>
Notes:
You can specify more than one IP address. i.e. if web server is also being used as a firewall/gateway and
you have an external internet IP address as well as a local network IP address.
NameVirtualHost 192.168.XXX.XXX
<VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>

...
..
See the YoLinux Tutorial on configuring a network gateway/firewall using iptables and NAT
(LinuxTutorialIptablesNetworkGateway.html).
Use your IP address for XXX.XXX.XXX.XXX, actual domain name and e-mail address.
One can use DNS views to provide different local network DNS results.
Note that I configure Apache for both requests http://www.domain-name.com and http://domain-name.com.
Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your
default domain now must be configured as a virtual domain.
7 of 51 01/07/2016 11:19 AM
<Directory "/var/www/html">
... This part remains the same

..
</Directory>
# Default for when no domain name is given (i.e. access by IP address)
<VirtualHost *:80>
DocumentRoot /var/www/html
ErrorLog logs/error_log
TransferLog logs/access_log
</VirtualHost>
# Add a VirtualHost definition for your domain which was once the system default
.
ServerName www.your-domain.com
ServerAlias your-domain.com
DocumentRoot /var/www/html
ErrorLog logs/error_log
TransferLog logs/access_log
</VirtualHost>
...
..
Forwarding to a primary URL. It is best to avoid the appearance of duplicated web content from two URLs
such as http://www.your-domain.com and http://your-domain.com. Supply a forwarding Apache "Redirect".
ServerName www.your-domain.com - Note that no aliases are listed
...
...
</VirtualHost>
# Add a VirtualHost definition to forward to your primary URL
ServerName your-domain.com
ServerAlias other-domain.com
ServerAlias www.other-domain.com
Redirect permanent / http://www.your-domain.com.com/
</VirtualHost>
...
..
Note:
See the YoLinux.com Apache "Redirect" Tutorial (ApacheRedirect.html)
More virtual host examples. (http://www.apache.org/docs/vhosts/examples.html)
When specifying more domains, they may all use the same IP address or some/all may use their own unique IP
address. Specify a "NameVirtualHost" for each IP address.
After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd
restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu / Debian)
Apache virtual domain configuration with Ubuntu Dapper/Hardy:

Ubuntu separates out each virtual domain into a separate configuration file held in the directory /etc/apache2
/sites-available/. When the site domain is to become active, a soft link is created to the directory
8 of 51 01/07/2016 11:19 AM
/etc/apache2/sites-enabled/.
Example: /etc/apache2/sites-available/supercorp
01 <VirtualHost XXX.XXX.XXX.XXX>
02 ServerName supercorp.com
03 ServerAlias www.supercorp.com
04 ServerAdmin webmaster@localhost
05
06 DocumentRoot /home/supercorp/public_html/home
07 <Directory "/">
08 Options FollowSymLinks
10 </Directory>
11 <Directory /home/supercorp/public_html/home>
12 Options Indexes FollowSymLinks MultiViews
13 IndexOptions SuppressLastModified SuppressDescription
14 AllowOverride All
15 Order allow,deny
16 allow from all
17 </Directory>
18
19 ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/
20 <Directory "/home/supercorp/cgi-bin/">
22 Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
23 Order allow,deny
24 Allow from all
25 </Directory>
26
27 ErrorLog /var/log/apache2/supercorp.com-error.log
28
29 # Possible values include: debug, info, notice, warn, error,
30 # crit, alert, emerg.
31 LogLevel warn
32 CustomLog /var/log/apache2/supercorp.com-access.log combined
33 ServerSignature On
34 </VirtualHost>
Enable domain:
Create soft link:
Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2
/sites-enabled/supercorp
Use Ubuntu scripts a2ensite/a2dissite. Type command and it will prompt you as to which site
you would like to enable or disable.
Restart Apache:
apache2ctl graceful
or
/etc/init.d/apache2 restart
or
/etc/init.d/apache2 reload
Also note that Apache modules can also be enabled/disabled with scripts a2enmod/a2dismod.
Man pages:
a2ensite/a2dissite (http://man.yolinux.com/cgi-bin/man2html?cgi_command=a2enmod) (Ubuntu: Apache 2

enable/disable site)
apache2ctl (http://man.yolinux.com/cgi-bin/man2html?cgi_command=apache2ctl)
Configuring an "IP based" virtual host:

One may assign multiple IP addresse to a single network interface. See the YoLinux networking tutorial: Network
Aliasing (LinuxTutorialNetworking.html#NETWORKALIASING). Each IP address may then be it's own virtual
server and individual domain. The downside of the "IP based" virtual host method is that you have to possess
multiple/extra IP addresses. This usually costs more. The standard name based virtual hosting method above is
more popular for this reason.
9 of 51 01/07/2016 11:19 AM
NameVirtualHost * - Indicates all IP addresses
<VirtualHost *>
ServerAdmin user0@default-domain.com
</VirtualHost>
<VirtualHost XXX.XXX.XXX.101>
ServerAdmin user1@domain-1.com
</VirtualHost>
<VirtualHost XXX.XXX.XXX.102>
ServerAdmin user1@domain-2.com
</VirtualHost>
The default <VirtualHost *> block will be used as the default for all IP addresses not specified explicitly. This
default IP (*) may not work for https URL's.
CGI: (Common Gateway Interface)

CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by
either of two configuration file directives:
ScriptAlias:
Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
Ubuntu (dapper/hardy/natty) / Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
or
Options +ExecCGI:
<Directory /var/www/cgi-bin>
Options +ExecCGI
</Directory>
The executable program files must have execute privileges, executable by the process owner (Red Hat 7+/Fedora
Core: apache. Older use nobody) under which the httpd daemon is being run.
Configuring CGI To Run With User Privileges:

The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from
the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user
who is running the web server.
ServerName node1.your-domain.com - Allows requests by domain nam
e without the "www" prefix.
ServerAlias your-domain.com www.your-domain.com - CNAME (alias www) specified in
Bind configuration file (/var/named/...)
DocumentRoot /home/user1/public_html/your-domain.com
ErrorLog logs/your-domain.com-error_log
TransferLog logs/your-domain.com-access_log
SuexecUserGroup user1 user1

<Directory /home/user1/public_html/your-domain.com/>
Options +ExecCGI +Indexes
AddHandler cgi-script .cgi
</Directory>
</VirtualHost>
10 of 51 01/07/2016 11:19 AM
ERROR Pages:
You can specify your own web pages instead of the default Apache error pages:
ErrorDocument 404 /Error404-missing.html
Create the file Error404-missing.html in your "DocumentRoot" directory.

Handle all errors with a forwarding page:
ErrorDocument 400 /error.shtml

Sample file error.shtml (in your "DocumentRoot" directory).



<h2>Page does not found!</h2>

<META HTTP-EQUIV="Refresh" Content="1; URL=http://www.megacorp.com/">
PHP:
If the appropriate php, perl and httpd RPM's are installed, the default Red Hat Apache configuration and modules
will support PHP content. RPM Packages (RHEL4):
php: HTML-embedded scripting language

php-pear: PEAR is a framework and distribution system for reusable PHP components.
php-mysql: MySQL database support.
php-ldap: Lightweight Directory Access Protocol (LDAP) support
Apache configuration:
Add php default page index.php to apache config file: /etc/httpd/conf/httpd.conf
...
DirectoryIndex index.html index.htm index.php
...
PHP Configuration File:

RHEL4 - PHP 4.3: /etc/php.ini
Ubuntu Daper 6.06/6.11: /etc/php5/apache2/php.ini
[PHP]
engine = On
...
...
display_errors = Off
include_path = ".:/php/includes"
...
...
memory_limit = 32M ; Default is typically 8MB which is too low.
...
...
[MySQL]
...
...
mysql.default_host = superserver ; Hostname of the computer
mysql.default_user = dbuser
...
Small portion of file shown.
11 of 51 01/07/2016 11:19 AM
Note that changes will not take effect until the apache web server daemon is restarted.
Test you PHP capabilities with this test file: /home/user1/public_html/test.php
<?php
phpinfo();
?>
OR (older format)
<?
phpinfo();
?>
Test: http://localhost/~user1/test.php
For more info see YoLinux list of PHP information web sites (WebPageScripting.html#PHP).
Running Multiple instances of httpd:

The Apache web server daemon (httpd) can be started with the command line option "-f" to specify a unique
configuration file for each instance. Configure a unique IP address for each instance of Apache. See the YoLinux
Networking Tutorial (LinuxTutorialNetworking.html#NETWORKALIASING) to specify multiple IP addresses for one
NIC (Network Interface Card). Use the Apache configuration file directive Listen XXX.XXX.XXX.XXX, where
the IP address is unique for each instance of Apache.
Apache Man Pages:

httpd (http://man.yolinux.com/cgi-bin/man2html?cgi_command=httpd) - Apache Hypertext Transfer Protocol
Server
apachectl (http://man.yolinux.com/cgi-bin/man2html?cgi_command=apachectl) - Apache HTTP Server
Control Interface
ab (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ab) - Apache HTTP server benchmarking tool
htdigest (http://man.yolinux.com/cgi-bin/man2html?cgi_command=htdigest) - manage user files for digest
authentication
htpasswd (http://man.yolinux.com/cgi-bin/man2html?cgi_command=htpasswd) - Manage user files for basic
authentication
logresolve (http://man.yolinux.com/cgi-bin/man2html?cgi_command=logresolve) - Resolve IP-addresses to
hostnames in Apache log files
rotatelogs (http://man.yolinux.com/cgi-bin/man2html?cgi_command=rotatelogs) - Piped logging program to
rotate Apache logs
Also see the local online Apache configuration manual: http://localhost/manual/ (http://localhost/manual/).
Apache Red Hat / Fedora Core GUI configuration:

GUI configuration tool:
Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-httpd

Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd
12 of 51 01/07/2016 11:19 AM
Adding web site login and password protection: See the YoLinux tutorial on web site password protection
(LinuxTutorialApacheAddingLoginSiteProtection.html).
Log file analysis:
Scanning the Apache web log files will not provide meaningfull statistics unless they are graphed or presented in
an easy to read fashion. The following packages to a good job of presenting site statistics.
Analog (http://www.analog.cx/) - Also see Report Magic for Analog (http://www.reportmagic.org/)

Webalizer (http://www.webalizer.com/)
AWStats (http://awstats.sourceforge.net/) - (requires PERL)
Web site statistic services:
eXTReMe Tracking (http://www.extremetracking.com/)
Load testing your server:
PureLoad (http://www.ideit.com/products/pureload/) - JAVA load testing and reporting tool.

WebPerformance Trainer (http://www.webperfcenter.com/) - Load Testing Tools.
Apache Links:
CgiWrap (http://cgiwrap.sourceforge.net/) - setuid wrapper that allows users to install and execute their own
cgi scripts that get executed as their own userid
WWWThreads.org (http://www.wwwthreads.org/) - Commercial product - Advanced Web Conferencing
Software
Configuring https (mod_ssl):
Mod_SSL.org: Home Page (http://www.modssl.org/)
Mod_SSL.org: Mod_SSL HowTo (http://www.modssl.org/docs/2.8/ssl_howto.html)
Mod_SSL.org: Steps to create SSL server certificate (http://www.modssl.org/docs/2.8
/ssl_faq.html#cert-real)
Log file analysis using Analog:

Installation:
Red Hat / Fedora: yum install analog

Ubuntu / Debian: apt-get install analog
Installation packages also available from the Analog downloads page (http://www.analog.cx/download.html).
Configuration file: /etc/analog.cfg
13 of 51 01/07/2016 11:19 AM
LOGFILE /var/log/httpd/your-domain.com-access_log* http://www.your-domain.com

UNCOMPRESS *.gz,*.Z "gzip -cd"
SUBTYPE *.gz,*.Z
#
OUTFILE /home/user1/public_html/analog/Report.html
#
HOSTNAME "YourDomain.com"
HOSTURL http://www.your-domain.com
....
...
..
REQINCLUDE pages # Request page stats only

ALL ON
LANGUAGE US-ENGLISH
One can view the settings which be used with your configuration file (also good for debugging): analog
-settings
Make Analog images available to the users report: ln -s /usr/share/analog/images/* /home/user1
/public_html/analog
Log file location:
Red Hat / Fedora: /var/log/httpd/

Ubuntu / Debian: /var/log/apache2/
The Directive ALL ON turns on all of the following:

Analog Directive Description
MONTHLY ON one line for each month
WEEKLY ON one line for each week
DAILYREP ON one line for each day
DAILYSUM ON one line for each day of the week
HOURLYREP ON one line for each hour of the day
GENERAL ON the General Summary at the top
REQUEST ON which files were requested
FAILURE ON which files were not found
DIRECTORY ON Directory Report
HOST ON which computers requested files
ORGANISATION ON which organisations they were from
DOMAIN ON which countries they were in
REFERRER ON where people followed links from
FAILREF ON where people followed broken links from
SEARCHQUERY ON the phrases and words they used...
SEARCHWORD ON ...to find you from search engines
BROWSERSUM ON which browser types people were using
OSREP ON and which operating systems
FILETYPE ON types of file requested
SIZE ON sizes of files requested
STATUS ON number of each type of success and failure
Cron job to handle multiple domains: /etc/cron.daily/analog
#!/bin/sh
cp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg
/usr/bin/analog
cp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg
/usr/bin/analog
...
14 of 51 01/07/2016 11:19 AM
Links:
Analog home page (http://www.analog.cx/)
Analog command reference (http://www.analog.cx/docs/quickref.html)
Measuring Web Server Performance:

See the YoLinux.com web server benchmarking tutorial (WebServerBenchmarking.html).
FTPd and FTP user account configuration:

Many FTP programs exist. This example covers the popular vsftpd (http://vsftpd.beasts.org/) (Red Hat default 9.0,
Fedora Core, Suse) and wu-ftpd (http://wu-ftpd.therockgarden.ca/) (Washington University) program which comes
standard with RedHat (last shipped with RedHat 8.0 but can be installed on any Linux system). (RPM: wu-ftpd)
There are other FTP programs including proFtpd (http://www.proftpd.org) (supports LDAP authentication, Apache
like directives, full featured ftp server software), bftpd (http://www.bftpd.org/), pure-ftpd (http://www.pureftpd.org/)
(free BSD and optional on Suse), etc ...
For hostile environments set up a chrooted environment for an sftp encrypted connection and the rssh
restricted shell for OpenSSH. See the YoLinux.com internet security tutorial for Linux sftp and rssh
configuration (LinuxTutorialInternetSecurity.html#RSSH)
Also see the preferred chrooted sftp configuration for OpenSSH 4.9+ (SFTP-Server-Chroot-Configuration.html)
FTPd and SELinux: To allow FTPd daemon access and FTP access to users home directories:
setsebool (http://man.yolinux.com/cgi-bin/man2html?cgi_command=setsebool)
-P allow_ftpd_full_access=1
Other wise you will get an error in /var/log/messages:
SELinux is preventing the ftp daemon from writing files outside the home directo
ry (./public_html).
setsebool -P ftp_home_dir 1
Follow with the command service vsftpd restart
FTPd configuration tutorials:
# vsFTPd: Configuration
# WU-FTPd: Configuration
# FTP Clients: Links
vsFTPd and FTP user account configuration:

The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by Suse and OpenBSD as
well. This is currently the recomended FTP daemon for use on FTP servers.
Enable vsftpd:
Red Hat/Fedora Core/CentOS: VsFTPd is a stand alone service and by the default Fedora Core installation,
not controlled by xinetd as is the wu-ftpd default installation.
Thus start service: service vsftpd start (or: /etc/init.d/vsftpd start)
Configure vsftpd to start upon system boot: chkconfig --add vsftpd
SuSE: By default, the vsftpd is an xinetd controlled service. To enable FTP server services edit the file
/etc/xinetd.d/vsftpd and change:
disable = yes
to:
disable = no
Restart the xinetd daemon: /etc/init.d/xinetd restart
Note: vsftpd can also be run as a stand-alone service to achieve a faster response time.
Ubuntu (dapper/hardy/natty) / Debian:

Install: apt-get install vsftpd
VsFTPd is a stand alone service.
Start: /etc/init.d/vsftpd start
Stop: /etc/init.d/vsftpd stop
Restart: /etc/init.d/vsftpd restart
(Use this command after making configuration file changes)
15 of 51 01/07/2016 11:19 AM
For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the Linux init process and
service activation (LinuxTutorialInitProcess.html).
Configuration files:
vsFTPd configuration file:
Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf
S.u.S.e. / Ubuntu (dapper/hardy/natty) / Debian: /etc/vsftpd.conf
Default for Fedora Core 3:
16 of 51 01/07/2016 11:19 AM
anonymous_enable=YES - Anonymous FTP allowed by default if you commen

t this out.
Default directory used: /var/ftp
local_enable=YES - Uncomment this to allow local users to log in

with FTP.
Must also set SELinux boolean: setsebool -P ft
p_home_dir 1
write_enable=YES - Uncomment this to enable any form of FTP write

or upload command.
local_umask=022 - Default is 077. Umask 022 is used by most othe

r ftpd's.
#anon_upload_enable=YES - Uncomment to allow the anonymous FTP user to u

pload files.
Requires the above global write enabled. Direc
tory must also be writable by user.
#anon_mkdir_write_enable=YES - Uncomment this to allow the anonymous FTP user
to be able to create new directories.
dirmessage_enable=YES - Activate directory messages.

Messages given to remote users when they enter
certain directories
xferlog_enable=YES - Activate logging of uploads/downloads.
connect_from_port_20=YES - PORT transfer connections originate from port

20 (ftp-data)
#chown_uploads=YES - Uploaded anonymous files set to a specified ow

ner. (not root)
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/

log/vsftpd.log
xferlog_std_format=YES - Output to log file in standard ftpd xferlog fo

rmat
#idle_session_timeout=600 - Set timing out for an idle session.
#data_connection_timeout=120 - Set timing out for an idle data connection. Po

rt 20
#nopriv_user=ftpsecure - Run ftp server as an isolated and unprivileged

user.
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it, may confu
se older FTP clients.
#async_abor_enable=YES
#ascii_upload_enable=YES - Improve performance by disabling ASCII mode.

Disables command "ascii" and "SIZE /big/file".
#ascii_download_enable=YES
#ftpd_banner=Welcome to YoLinux - Customize the login banner string.
#deny_email_enable=YES - Disallow specified anonymous e-mail addresses.

Used to combat certain DoS attacks.
#banned_email_file=/etc/vsftpd.banned_emails (Ubuntu default. Red Hat: /etc/vsf
tpd/banned_emails)
#chroot_list_enable=YES - List users chroot()'d to their home directory.

If "NO", list users not chroot()'d.
17 of 51 01/07/2016 11:19 AM
#chroot_list_file=/etc/vsftpd.chroot_list (Ubuntu default. Red Hat: /etc/vsf

tpd/chroot_list)
ls_recurse_enable=YES - Allow "ls -R" recursive directory list. Defaul

t is disabled.
pam_service_name=vsftpd
userlist_enable=YES - (Ubuntu Default) Deny users specified in file

/etc/vsftpd.user_list
If "userlist_enable=NO" then allow specified u
sers.
Red Hat: /etc/vsftpd/user_list
#deny_email_enable=YES - Disallow specified anonymous e-mail addresses.
Used to combat certain DoS attacks.
listen=YES - Enable for standalone mode as opposed to an xi

netd service.
Must set SELinux boolean: setsebool -P ftpd_is
_daemon 1
tcp_wrappers=YES
Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d
/vsftpd restart)
[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:
directive=XXX # comment
vsftp.conf man page (http://vsftpd.beasts.org/vsftpd_conf.html)
Specify list of local users chrooted to their home directories:

Red Hat: /etc/vsftpd/vsftpd/chroot_list
Ubuntu: /etc/vsftpd/vsftpd.chroot_list
(Requires: chroot_list_enable=NO)
user1
user2
...
user-n
If userlist_enable=YES, then specify users not to be chroot'd..
Specify list of users:

Red Hat: /etc/vsftpd/user_list
Ubuntu: /etc/vsftpd.user_list
(Deny list of users requires: userlist_enable=YES)
Also see PAM configuration below.
root
bin
daemon
adm
lp
sync
shutdown
halt
...
If userlist_enable=NO, then specify valid users.
PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd
18 of 51 01/07/2016 11:19 AM
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ft
pusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates
/etc/vsftpd.user_list. Speciy user in both files as PAM is independent of vsftpd configuration.
PAM authentication configuration file: ftpusers

Red Hat: /etc/vsftpd/ftpusers
Ubuntu: /etc/vsftpd.ftpusers
root
bin
daemon
adm
lp
sync
shutdown
halt
...
...
...
user6 - Users to deny
user8
...
...
Logrotate configuration file: /etc/logrotate.d/vsftpd.log
/var/log/xferlog {
# ftpd doesn't handle SIGHUP properly
nocompress
missingok
}
Sample vsFTPd configurations:
Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf
19 of 51 01/07/2016 11:19 AM
# Access rights
anonymous_enable=YES - Turn on anonymous FTP
chown_uploads=YES - Uploaded files owned by an assigned user
chown_username=ftp - Uploaded files owned by this assigned user
local_enable=NO
write_enable=NO - No upload of files system changes allowed
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
anon_max_rate=50000
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
Anonymous logins use the login name "anonymous" and then the user supplies their email address as a
password. Any password will be accepted. Used to allow the public to download files from an ftp server.
Generally, no upload is permitted.
Web hosting configuration: /etc/vsftpd/vsftpd.conf
20 of 51 01/07/2016 11:19 AM
# Access rights
anonymous_enable=NO
local_enable=YES - Allow users to ftp to their home
directories
write_enable=YES - Allow users to STOR, DELE, RNFR
, RNTO, MKD, RMD, APPE and SITE
local_umask=022
# Security
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO - Don't remap user name
ftpd_banner=Welcome to Super Duper Hosting - Customize the login banner strin
g.
chroot_local_user=YES - Limit user to browse their own d
irectory only
chroot_list_enable=YES - Enable list of system / power us
ers
chroot_list_file=/etc/vsftpd.chroot_list - Actual list of system / power us
ers
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
dirmessage_enable=YES - Message greeting held in file .m
essage or specify with message_file=...
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
#
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list

Ubuntu typically: /etc/vsftpd.chroot_list
(Requires: chroot_list_enable=NO)
user1
user2
...
user-n
If userlist_enable=YES, then specify users not to be chroot'd..
[Potential Pitfall]: Mispelling a directive will cause vsftpd to fail with little warning.
File: .message
A NOTE TO USERS UPLOADING FILES:

File names may consist of letters (a-z, A-Z), numbers (0-9),
an under score ("_"), dash ("-") or period (".") only.
The file name may not begin with a period or dash.
Test if vsftp is listening: netstat -a | grep ftp
21 of 51 01/07/2016 11:19 AM
[root]# netstat -a | grep ftp

tcp 0 0 *:ftp *:* LISTEN
Links:
vsFTPd Home Page (http://vsftpd.beasts.org/)
Sample configurations (ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.3/EXAMPLE/)
vsftp.conf Man page (http://vsftpd.beasts.org/vsftpd_conf.html)
WU-FTPd and FTP user account configuration:

The wu-ftpd FTP server can be downloaded (binary or source) from http://wu-ftpd.therockgarden.ca/ (http://wu-
ftpd.therockgarden.ca/) (at one time: http://wu-ftpd.org).
There are three kinds of FTP logins that wu-ftpd provides:
anonymous FTP - one logs in with the username 'anonymous'

real FTP - log in with a real username and password and has access to the entire disk structure.
guest FTP - one logs in with a real user name and password, but the user is chroot'ed to his home directory
and cannot escape from it. They are constrained to their home directory which also means that they don't
have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be set
up.
This tutorial covers "guest" FTP configuration.
The file /etc/ftpaccess (http://man.yolinux.com/cgi-bin

/man2html?cgi_command=ftpaccess) controls the configuration of ftp.
22 of 51 01/07/2016 11:19 AM
# Don't allow system accounts to log in over ftp

deny-uid %-99 %65534-
deny-gid %-99 %65534-
class all real,guest *

email webmaster@your-domain.com
loginfails 5
readme README* login

readme README* cwd=*
message /welcome.msg login
message .message cwd=*
compress yes all

tar yes all
chmod no guest,anonymous
delete no anonymous # delete files permission?
overwrite no anonymous # overwrite files permission?
rename no anonymous # rename files permission?
delete yes guest # delete files permission?
overwrite yes guest # overwrite files permission?
rename yes guest # rename files permission?
umask no guest # umask permission?
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg
passwd-check rfc822 warn
# Must also create message file /etc/pathmsg of the guest directory.

# In this case it refers to /home/user1/public_html/etc/pathmsg.
path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
limit all 2
noretrieve passwd .htaccess core - Do not allow users to download files of thes
e names
limit-time * 20
byte-limit in 5000 - Limit file size
guestuser * - System user default categorized as a "guest". A "real" user can r
oam the system. Guestuser is chrooted.
realgroup regularuserx regularusery - Assign real user privileges to members of gr
oups "regularuserx" and "regularusery".
Visibility of the whole file system and subject t
o regular UNIX file permissions
realuser user4 - Assign real user privileges to user id "user
4".
restricted-uid user1 user2 user3 - Restricts FTP to the specified directories

guest-root /home/user1/public_html user1
Note:
user1, user2 and user3 refer to login accounts. Use the appropriate login name.
The above configuration disables anonymous FTP which allows anyone to perform an FTP login with the id
anonymous and an email address as a password. To enable anonymous FTP, change the class directive
to:
class all real,guest,anonymous *
GUI FTP configuration tools:

/usr/bin/kwuftpd
/sbin/linuxconf
(Note: Linuxconf is no longer included with Red Hat 7.3 and later)
23 of 51 01/07/2016 11:19 AM
Red Hat Linux assigns users a user id and group id which is the same. This means that it does not matter if
you use a realuser or realgroup directive as they will act the same.
Red Hat Linux 7.1 and later uses the xinet daemon to manage ftp connections. Thus xinetd must be running
and configured to support ftp. The configuration file is /etc/xinetd.d/wu-ftpd. The command
chkconfig wu-ftpd on will make the ftp server available. See xinet configuration
(LinuxTutorialInternetSecurity.html#SECURITY) for more info.
Allow overide of deny-uid and/or deny-gid:
allow-uid user-to-allow
allow-gid group-to-allow
Optional configuration:
Create a group ftpchroot
Add users to this group
Use directive: guestgroup ftpchroot
[Potential Pitfall]: Flakey ftp behavior, timeouts, etc?? FTP works best with name resolution of the computer it is
communicating with. This requires proper /etc/resolve.conf and name server (bind) configuration,
/etc/hosts or NIS/NFS configuration.
File /home/user1/public_html/etc/pathmsg:
A NOTE TO USERS UPLOADING FILES:

File names may consist of letters (a-z, A-Z), numbers (0-9),
an under score ("_"), dash ("-") or period (".") only.
The file name may not begin with a period or dash.
You have tried to upload a file with an inappropriate name.
The whole point of the chroot directory is to make the user's home directory appear to be the root of the filesystem
(/) so one could not wander around the filesystem. Configuration of /etc/ftpaccess will limit the user to their
respective directories while still offering access to /bin/ls and other system commands used in FTP operation.
As root:
cd /home/user1
mkdir public_html
chown $1.$1 public_html
touch .rhosts - Security protection
chmod ugo-xrw .rhosts
Man Pages:
Server:
ftpd (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftpd) - Internet File Transfer Protocol server
File Formats:
/etc/ftpaccess (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftpaccess) - Configuration file for
ftpd
/etc/ftpservers (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftpservers) - ftpd virtual hosting
configuration file. (optional)
/etc/ftphosts (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftphosts) - allow or deny access to
certain accounts from various hosts. (optional)
/etc/ftpconversions (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftpconversions) - ftpd
conversions database (for tar and compression)
/var/log/xferlog (http://man.yolinux.com/cgi-bin/man2html?cgi_command=xferlog) - FTP server logfile
ftp (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftp) - File Transfer Client program
Configuration files: (RH 8.0+)

PAM configuration file: /etc/pam.d/ftp
24 of 51 01/07/2016 11:19 AM
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers
onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
Xinetd configuration file: /etc/xinetd.d/wu-ftpd
service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.ftpd
server_args = -l -a
log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10
}
Note: wu-FTPd is controlled by xinetd and not a stand alone service like vsFTPd.
Logrotate configuration file: /etc/logrotate.d/ftpd
/var/log/xferlog {
nocompress
}
More information:
WU-FTPD release (http://www.wfms.org/wu-ftpd/)
dkftpbench (http://www.kegel.com/dkftpbench/) - FTP benchmark program to give you an idea as to how
many simultaneous dialup clients a server can support.
FTP and text file type conversions: End Of Line Characters (http://peterbenjamin.com/seminars
/crossplatform/texteol.html) - by Peter Benjamin
Man pages on related FTP commands and files:

chroot (http://man.yolinux.com/cgi-bin/man2html?cgi_command=chroot) - Run with a special root directory
ftpcount (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftpcount) - Show number of concurrent
users.
ftpshut (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftpshut) - close down the ftp servers at a
given time
ftprestart (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftprestart) - Restart previously shutdown
ftp servers
ftpwho (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftpwho) - show current process information
for each ftp user
privatepw (http://man.yolinux.com/cgi-bin/man2html?cgi_command=privatepw) - Change WU-FTPD Group
Access File Information (admin command)
Other FTP daemons:

CrushFTP (http://www.crushftp.com/) - Java/cross platform
WS_FTP (http://ipswitch.com/Products/file-transfer.html)
FTP Pitfalls:
If you get the following error:
ftp> ls
227 Entering Passive Mode (208,188,34,109,208,89)
ftp: connect: No route to host
This means you have firewall issues most probably on the FTP server itself. Start by removing the firewall
25 of 51 01/07/2016 11:19 AM
"iptables" rules: iptables -F Add rules until you discover what is causing the problem.
Passive mode:
Passive mode can also help one past the rules:
ftp> passive
Passive mode on.
This toggles passive mode on and off. When on, FTP will be limited to ports specified in the vsftpd configuration
file: vsftpd.conf with the parameters pasv_min_port and pasv_max_port
Firewall connection tracking module:
# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp

IPTABLES_MODULES="ip_conntrack_ftp"
NAT firewall modules:

You can also try adding ip_nat_ftp to the list of autoloaded modules: (This will also load the dependancy:
ip_conntrack_ftp.)
# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp

IPTABLES_MODULES="ip_nat_ftp"
Then restart the firewall: /etc/init.d/iptables condrestart

FTP will change ports during use. The ip_conntrack_ftp module will consider each connection "RELATED".
If iptables allows RELATED and ESTABLISHED connections then FTP will work. i.e. rule: /etc/sysconfig
/iptables
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
FTP fails because it can not change to the users home directory:
Error:
[user1@nodex ~]$ ftp node.domain.com

Connected to XXX.XXX.XXX.XXX.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (XXX.XXX.XXX.XXX:user1):
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/user1
Login failed.
ftp> bye
This is often a result of SELinux preventing the vsftpd process from accesing the user's home directory. As root,
grant access with the following command:
setsebool -P ftp_home_dir 1
Followed by: service vsftpd restart
Test your vsftpd SELinux settings: getsebool -a | grep ftp
allow_ftpd_anon_write --> off

allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> on
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off
FTPd SELinux man page (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftpd_selinux)
FTP Linux clients:
26 of 51 01/07/2016 11:19 AM
gftp (http://www.gftp.org/): GUI GTK+ Multithreaded client. File transfer directory browsing and compare.
Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. Proxy
support. Comes with Red Hat / Fedora Core.
KFTPgrabber (http://www.kde.org/applications/internet/kftpgrabber/): GUI KDE based client.simultaneous
FTP sessions in separate tabs. Ability to limit upload and download speed.
kbear (http://sourceforge.net/projects/kbear/): GUI KDE based client. Connect to multiple servers, transfer
files, directory browsing, file content browsing. Comes with S.U.S.e. Linux.
ftp (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ftp): (/usr/kerberos/bin/ftp) kerberos
enabled console ftp client. (RPM package FC3: krb5-workstation)
Basic user security:

When hosting web sites, there is no need to grant a shell account which only allows the server to have more
potential security holes. Current systems can specify the user to have only FTP access with no shell by granting
them the "shell" /sbin/nologin provided with the system or the "ftponly" shell described below. The shell can
be specified in the file /etc/passwd of when creting a user with the command adduser -s
/sbin/nologin user-id
[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5 does not support this configuration to prevent shell
access. It requires users to have a real user shell. i.e. /bin/bash It works great in older and current Red Hat
versions. If it works for you, use it, as it is more secure to deny the user shell access. You can always deny telnet
access. You should NOT be using this problem ridden version of ftpd. Use the latest wu-ftpd-2.6.2-11 which
supports users with shell /opt/bin/ftponly
[Potential Pitfall]: Ubuntu Dapper/Hardy - Setting the shell to the preconfigured shell /bin/false will NOT allow
vsftp access. One must create the shell "ftponly" as defined below to allow vsftp access with no shell.
1. Disable remote telnet login access allowing FTP access only:

Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.
...
user1:x:502:503::/home/user1:/opt/bin/ftponly
...
Create file: /opt/bin/ftponly.

Protection set to -rwxr-xr-x 1 root root
with the command: chmod ugo+x /opt/bin/ftponly
Contents of file:
01 #!/bin/sh
02 #
03 # ftponly shell
04 #
05 trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
06 #
07 Admin=root@your-domain.com
08 #System=`/bin/hostname`@`/bin/domainname`
09 #
10 /bin/echo
11 /bin/echo
"********************************************************************"
12 /bin/echo " You are NOT allowed interactive access."
13 /bin/echo
14 /bin/echo " User accounts are restricted to ftp and web access."
15 /bin/echo
16 /bin/echo " Direct questions concerning this policy to $Admin."
17 /bin/echo
"********************************************************************"
18 /bin/echo
19 #
20 # C'ya
21 #
22 exit 0
The last step is to add this to the list of valid shells on the system.
Add the line /opt/bin/ftponly to /etc/shells.
Sample file contents: /etc/shells
27 of 51 01/07/2016 11:19 AM
/bin/bash
/bin/bash1
/bin/tcsh
/bin/csh
/opt/bin/ftponly
See man page on /etc/shells (http://man.yolinux.com/cgi-bin/man2html?cgi_command=shells).

An alternative would be to assign the shell /bin/false or /sbin/nologin which became available in
later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false or /sbin/nologin
would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling
ssh or telnet access.
2. Set file quotas to limit user account. (LinuxTutorialQuotas.html)
For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial
(LinuxTutorialInternetSecurity.html)
Domain Name Server (DNS) configuration using Bind version 8 or 9:

Two of the most popular ways to configure the program Bind (Berkeley Internet Domain software) to perform DNS
services is in the role of (1) ISP or (2) Web Host.
1. In an ISP configuration for clients (web surfers) conected to the internet, the DNS server must resolve IP
addresses for any URL the user wishes to visit. (See DNS caching server (http://tldp.yolinux.com/HOWTO
/DNS-HOWTO.html#s3))
2. In a purely web hosting configuration, Bind will only resolve for the IP addresses of the domains which are
being hosted. This is the configuration which will be discussed and is often called an "Authoritative-only
Nameserver".
When resolving IP addresses for a domain, Internic is expecting a "Primary" and a "Secondary" DNS name server.
(Sometimes called Master and Slave) Each DNS name server requires the file /etc/named.conf and the files it
points to. This is typically two separate computer systems hosted on two different IP addresses. It is not necesary
that the Linux servers be dedicated to DNS as they may run a web server, mail server, etc.
Note on Bind versions: Red Hat versions 6.x used Bind version 8. Release 7.1 of Red Hat began using Bind
version 9 and the GUI configuration tool bindconf was introduced for those of you that like a pretty point and
click interface for configuration.
Installation Packages:
Red Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils, system-
config-bind
bind-chroot: Security jail for operation of bind.
bind-utils: Utility commands like nslookup, host, dig
system-config-bind: GUI config tool system-config-bind and related configuration files
(/etc/security/console.apps/bindconf).
caching-nameserver: We will not be covering this as it is not required for web hosting. This is used by
internet providers so their clients can cache the DNS entries of the sites they are visiting.
Ubuntu (dapper/hardy/natty) / Debian: bind9
Configuration files:
Red Hat / Fedora / CentOS:
Chrooted
File Description Directory
Directory
named.conf Primary/Secondary DNS server configuration. /etc/ /var/named
(See default file /usr/share/doc/bind-9.X.X/sample /chroot/etc/
/etc/named.conf)
named.root.hints Configuration for recursive service. Required for all zones. /etc/ /var/named
(See default file /usr/share/doc/bind-9.X.X/sample /chroot/etc/
/etc/named.root.hints)
named Red Hat system variables. /etc/sysconfig/ no change
rndc.key Primary/Secondary DNS server configuration. /etc/ /var/named
/chroot/etc/
28 of 51 01/07/2016 11:19 AM
Chrooted
File Description Directory
Directory
Zone files Configuration files for each domain. Create this file to resolve /var/named/ /var/named
host name internet queries i.e. define IP address of web (www) /chroot
and mail servers in the domain. /var/named/
Debian / Ubuntu:
File Description Directory Chrooted Directory
named.conf Primary/Secondary DNS server configuration. /etc/bind/ /var/bind/chroot/etc/bind/
named.conf.options
named.conf.local
rndc.key Primary/Secondary DNS server configuration. /etc/ /var/bind/chroot/etc/
Zone files Configuration files for each domain. /var/bind/data/ /var/bind/chroot/var/bind/data/
Primary server (master):

File: named.conf Red Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir: /var/named/chroot
/etc/named.conf) and /etc/sysconfig/named for system variables.
Ubuntu / Debian: /etc/bind/named.conf Place local definitions in /etc/bind/named.conf.options
and /etc/bind/named.conf.local
Simple example: (no views)
options { - Ubuntu stores options in /etc/bind/na

med.conf.options
version "Bind"; - Don't disclose real version to hacker
s
directory "/var/named"; - Specified so relative path names can
be used. Full path names still allowed.
allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS
recursion no;
auth-nxdomain no; - conform to RFC1035. (default)
fetch-glue no; - Bind 8 only! Not used by version 9
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "your-domain.com"{ - Ubuntu separates the zone definitions into

/etc/bind/named.conf.local
type master; - Specify master, slave, forward or hint
file "data/named.your-domain.com";
notify yes; - slave servers are notified when the zone is
updated.
allow-update { none; }; - deny updates from other hosts (default: non
e)
allow-query { any; }; - allow clients to query this server (default
: any)
};
zone "your-domain-2.com"{
type master;
file "data/named.your-domain-2.com";
notify yes;
};
Note:
The omission of zone ".". Required if providing a recursive service.
Ubuntu includes the separated file of zone directives using the directive:
include "/etc/bind/named.conf.local";
29 of 51 01/07/2016 11:19 AM
BIND Views: The BIND naming service can support "views" which allow various sub-networks (i.e. private internal
or public external networks) to have a different domain name resolution result.
If no views are specified then use the configuration shown above.
The match-up between the "view" and the view client which receives the DNS information is specified by the
match-clients statement.
If even one view is specified, then ALL zones MUST be associated with a "view".
Bind 9 allows for views which allow different zones to be served to different types of clients, localhost,
private networks and public networks. This maps to the three view names "localhost_resolver",
"internal" and "external":
localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use
of bind also has to be configured in /etc/nsswitch.conf
internal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove
(or comment out) this view.
external: The general public internet defined as client "any".
If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all
other views).
In order to support a DNS for internet domains using views, one will have to configure an "external" view
Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")
30 of 51 01/07/2016 11:19 AM
options
{
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
logging
{
// By default, SELinux policy does not allow named to modify the /var/named
// directory, so put the default debug log file in data/ :
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view "localhost_resolver"
{
// This view sets up named to be a localhost resolver ( caching only nameserver
).
// If all you want is a caching-only nameserver, then you need only define this
view:
match-clients { localhost; };
...
};
view "internal"
{
// This view will contain zones you want to serve only to "internal" clients
// that connect via your directly attached LAN interfaces - "localnets" .
// For local private LAN. Not covered in this tutorial.
// Delete this view if web hosting with no local LAN.
match-clients { localnets; };
...
};
key ddns_key
{
algorithm hmac-md5;
secret "use /usr/sbin/dns-keygen to generate TSIG keys";
};
view "external"
{
// This view will contain zones you want to serve only to "external"
// public internet clients. This is covered below.
match-clients { any; };
...
..
};
Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-
9.X.X/sample/etc/named.conf
cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc
cp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named
/chroot/etc
chcon -u system_u -r object_r -t named_conf_t /var/named/chroot
/etc/named.conf /var/named/chroot/etc/named.root.hints
view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will
also need the files:
cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named
/chroot/etc
cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named
/chroot/var/named
also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones,
31 of 51 01/07/2016 11:19 AM
named.local, named.zero, named.broadcast, named.ip6.local, named.root
view "external": (master) - details -
view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
match-destinations { any; };
allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
// all views must contain the root hints zone:

include "/etc/named.root.hints";
// These are your "authoritative" external zones, and would probably

// contain entries for just your web and mail servers:
zone "your-domain.com" {
type master;
file "/var/named/data/external/named.your-domain.com";
notify yes;
allow-update { none; };
};
// You can also add the zones as a separate file like they do in Ubuntu by ad
ding the following statement
include "/etc/named.conf.local";
};
DNS key:
Use the following command /usr/sbin/dns-keygen to create a key. Add this key to the "secret" statement as
follows:
key ddns_key
{
algorithm hmac-md5;
secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";
};
Man Pages:
named.conf (http://man.yolinux.com/cgi-bin/man2html?cgi_command=named.conf)
Forward Zone File: /var/named/named.your-domain.com
Red Hat 9 / CentOS 3: /var/named/named.your-domain.com

Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted] /var/named/chroot/var/named
/data/named.your-domain.com
Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.your-domain.com
Ubuntu / Debian: /etc/bind/data/named.your-domain.com
32 of 51 01/07/2016 11:19 AM
$TTL 604800 - Bind 9 (and some of the later versions of Bind 8) requires $TTL
statement.
Measured in seconds. This value is 7 days.
your-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com. (
2000021600 ; serial - Many people use year+month+day+integer as a system.
86400 ; refresh - How often secondary servers (in seconds) should check in
for changes in serial number. (86400 sec = 24 hrs)
7200 ; retry - How long secondary server should wait for a retry if con
tact failed.
1209600 ; expire - Secondary server to purge info after this length of time
.
86400 ) ; default_ttl - How long data is held in cache by remote servers.
IN A XXX.XXX.XXX.XXX - Note that this is the default IP address of the
domain.
I put the web server IP address here so that dom
ain.com points to the same servers as www.domain.com
;
; Name servers for the domain
;
IN NS ns1.your-domain.com.
IN NS ns2.your-domain.com.
;
; Mail server for domain
;
IN MX 5 mail - Identify "mail" as the node handling mail f
or the domain. Do NOT specify an IP address!
;
; Nodes in domain
;
node1 IN A XXX.XXX.XXX.XXX - Note that this is the IP address of node1
ns1 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own primary name
server. Note that this is the IP address of ns1
ns2 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own secondary na
me server. Note that this is the IP address of ns2
mail IN A XXX.XXX.XXX.XXX - Identify the IP address for node mail.
IN MX 5 XXX.XXX.XXX.XXX - Identify the IP address for mail server nam
ed "mail".
;
; Aliases to existing nodes in domain
;
www IN CNAME node1 - Define the webserver "www" to be node1.
ftp IN CNAME node1 - Define the ftp server to be node1.
DNS record types and format:
DNS
Description and Format
record
33 of 51 01/07/2016 11:19 AM
DNS
Description and Format
record
SOA Start of Authority: Primary domain server and contact info
Note that there is a period following the primary domain server and contact email.
Note that the email address is in the form where the first period represents the "@" symbol of the
email address.
your-domain.com in SOA ns1.your-domain.com. webmaster.your-domain.com.
or
@ in SOA ns1.your-domain.com. webmaster.your-domain.com.
[Potential Pitfall]: Incorrect specification of the primary name server may result in the following
message in /var/log/messages:
view localhost_resolver: received notify for zone 'your-domain.com': not aut

horitative
SOA
Description
attribute
serial Never use a value greater than 2147483647 for a 32 bit processor.
Increment to a higher value to indicate an update to the slave server.
refresh Time increment (seconds) between update checks of the serial number with the
primary server
retry Time elapsed before a slave will contact the primary server if a connection failed
expire Time till primary server information is considered invalid and should be refreshed if
there is a new DNS query
minimum Time for DNS servers should hold domain information in their cache before purging
IN Indicate Internet.
NS Specify the Authoratative Name servers for the domain.
A Specify the IP address associated with the host name.
Format: hostname IN A XXX.XXX.XXX.XXX
Note that in my example, no hostname is specified for the first record. This will define the default for
the domain.
CNAME Specify an alias for the host name.
MX Mail exchange record. Specify a priority number for the primary and back-up mail servers. The lowest
number indicates the default mail server for the domain
PTR Used to specify the reverse DNS lookup
MX records for 3rd party off-site mail servers:
your-domain.com. IN MX 10 mail1.offsitemail.com.
your-domain.com. IN MX 20 mail2.offsitemail.com.
Append to the above example file.
Initial configuration: Note that Red Hat may supply the default zone configuration in: /usr/share
/doc/bind-9.X.X/sample/var/named/
cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named
/chroot/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot
/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot
/var/named/data/
cp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot
34 of 51 01/07/2016 11:19 AM
/var/named/data/
cd /var/named/chroot/var/named/data/
chcon -u system_u -r object_r -t named_cache_t localhost.zone
localdomain.zone named.broadcast named.ip6.local named.zero named.root
named.local
A file suffix of "zone" is also common i.e. your-domain.com.zone
Secondary server (slave):

File: named.conf Red Hat / Fedora Core / CentOS: /etc/named.conf
Ubuntu / Debian: /etc/bind/named.conf
Simple example with no views:
options { - Ubuntu stores options in /etc/bind/named.co

nf.options
version "Bind"; - Don't disclose real version to hackers
directory "/var/named";
allow-transfer { none; }; - Slave is not transfering updates to anyone els
e
recursion no;
auth-nxdomain no; - conform to RFC1035. (default)
fetch-glue no; - Bind 8 only! Not used by version 9
};
zone "localhost" {
type master;
file "/etc/bind/db.local"; - Ubutu: /etc/bind/db.local, Red Hat: /var/n
amed/named.local
};
zone "0.0.127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "your-domain.com"{
type slave;
file "named.your-domain.com"; - Specify slaves/named.your-domain.com for RH
EL4/5 chrooted bind
masters { XXX.XXX.XXX.XXX; }; - IP address of primary DNS
};
zone "your-domain-2.com"{
type slave;
file "named.your-domain-2.com";
masters { XXX.XXX.XXX.XXX; };
};
view "external": (slave)
view "external"
{
match-destinations { any; };
allow-transfer { none; }; - Slave does not transfer to anyone, slave receive
s
recursion no;
include "/etc/named.root.hints";
zone "your-domain.com" {
type slave;
file "/var/named/slaves/external/named.your-domain.com";
notify no; - Slave does not notify, slave is notifie
d by master
masters { XXX.XXX.XXX.XXX; }; - State IP of master server
};
};
Note: RHEL4/5, CentOS 4/5, Fedora 3+ use chrooted directory structure permissions which require the use of the
35 of 51 01/07/2016 11:19 AM
slaves subdirectory /var/named/slaves
Slave Zone Files: These are transfered from master to slave and cached by slave. There is no need to generate
a zone file on the slave.
Additional Information:
Man page on named.conf (http://man.yolinux.com/cgi-bin/man2html?cgi_command=named.conf)
Man page on named DNS server (http://man.yolinux.com/cgi-bin/man2html?cgi_command=named(8))
Full DNS manual (http://www.zytrax.com/books/dns/)
[Potential Pitfall]: Ubuntu dapper/hardy/natty - Path names used can not violate Apparmor security rules as
defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically named "/var/lib
/bind/named.your-domain.com" as permitted by the security configuration.
[Potential Pitfall]: Ubuntu dapper/hardy/natty - Create log file and set ownership and permission for file not created
by installation:
touch /var/log/bindlog
chown root.bind /var/log/bindlog
chmod 664 /var/log/bindlog
[Potential Pitfall]: Error in /var/log/messages:
transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving response

s: permission denied
Named needs write permission on the directory containing the file. This condition often occurs for a new "slave" or
"secondary" name server where the zone files do not yet exist.
The default (RHEL4/5, CentOS 4/5, Fedora Core 3+, ...):
drwxr-x--- 4 root named 4096 Aug 25 2004 named
drwxrwx--- 2 named named 4096 Sep 17 20:37 slaves
Fix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named

/slaves with the directive:
file "slaves/named.your-domain.com";
Bind Defaults:
Uses port 53 if none is specified with the listen-on port statement.

Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on
port 53, specify the following option statement in /etc/named.conf
query-source address * port 53;

query-source-v6 port 53;
Logging is to /var/log/messages
After the configuration files have been edited, restart the name daemon.
/etc/init.d/named restart
(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)
Bind zone transfers work best if the clocks of the two systems are synchronised. See the YoLinux SysAdmin
Tutorial: Time and ntpd (LinuxTutorialSysAdmin.html#TIME)
File: /var/named/named.your-domain.com This is created for you by Bind on the slave (secondary) server when
it replicates from Primary server.
DNS GUI configuration:
Red Hat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind

Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind
36 of 51 01/07/2016 11:19 AM
Test DNS:
Must install packages:
Red Hat / Fedora Core / SuSE: bind-utils

Ubuntu (dapper/hardy/natty) / Debian: bind9-host
Test the name server with the host (http://man.yolinux.com/cgi-bin/man2html?cgi_command=host) command in

interactive mode:
host node.domain-to-test.com your-nameserver-to-test.domain.com
Note: The name server may also be specified by IP address.
37 of 51 01/07/2016 11:19 AM
or
Test the name server with the nslookup (http://man.yolinux.com/cgi-bin/man2html?cgi_command=nslookup)

command in interactive mode:
nslookup
> server your-nameserver-to-test.domain.com
> node.domain-to-test.com
> exit
Test the MX record if appropriate:
nslookup -querytype=mx domain-to-test.com
OR
host -t mx domain-to-test.com
Test using the dig (http://man.yolinux.com/cgi-bin/man2html?cgi_command=dig) command:
dig @name-server domain-to-query
OR
dig @IP-address-of-name-server domain-to-query
Test your DNS with the following DNS diagnostics web site: DnsStuff.com (http://dnsstuff.com/)
Extra logging to monitor Bind:

Add the following to your /etc/named.conf file.
logging {
channel bindlog {
// Keep five old versions of the log-file (rotates logs)
file "/var/log/bindlog" versions 5 size 1m;
print-time yes;
print-category yes;
print-severity yes;
};
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named dire
ctory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
category xfer-out { bindlog; }; - Zone transfers
category xfer-in { bindlog; }; - Zone transfers
category security { bindlog; }; - Approved/unapproved requests
// The following logging statements, panic, insist and response-checks are

// valid for Bind 8 only. Do not user for version 9.
category panic { bindlog; }; - System shutdowns
category insist { bindlog; }; - Internal consistency check failures
category response-checks { bindlog; }; - Messages
};
38 of 51 01/07/2016 11:19 AM
Chroot Bind for extra security:

Note: Most modern Linux distributions default to a "chrooted" installation. This technique runs the Bind name
service with a view of the filesystem which changes the definition of the root directory "/" to a directory in which
Bind will operate. i.e. /var/named/chroot.
The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as
well.
The latest RedHat bind updates run the named as user "named" to avoid a lot of earlier hacker exploits. To chroot
the process is to create an even more secure environment by limiting the view of the system that the process can
access. The process is limited to the chrooted directory assigned.
The chroot of the named process to a directory under a given user will prevent the possibility of an exploit which at
one time would result in root access. The original default RedHat configuration (6.2) ran the named process as
root, thus if an exploit was found, the named process will allow the hacker to use the privileges of the root user.
(no longer true)
Named Command Sytax:
named -u user -g group -t directory-to-chroot-to
Example:
named -u named -g named -t /opt/named
When chrooted, the process does not have access to system libraries thus a local lib directory is required with the
appropriate library files - theoretically. This does not seem to be the case here and as noted above in chrooted
FTP. It's a mystery to me but it works???? Another method to handle libraries is to re-compile the named binary
with everything statically linked. Add -static to the compile options. The chrooted process should also require a
local /etc/named.conf etc... but doesn't seem to???
Script to create a chrooted bind environment:
#!/bin/sh
cd /opt
mkdir named
cd named
mkdir etc
mkdir bin
mkdir var
cd var
mkdir named
mkdir run
cd ..
chown -R named.named bin etc var
You can probably stop here. If your system acts like a chrooted system should, then continue with the following:
39 of 51 01/07/2016 11:19 AM
cp -p /etc/named.conf etc
cp -p /etc/localtime etc
cp -p /bin/false bin
echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd
echo "named:x:25:" > etc/group
touch var/run/named.pid
if [ -f /etc/namedb ]
then
cp -p /etc/namedb etc/namedb
fi
mkdir dev
cd dev
# Create a character unbuffered file.

mknod -m ugo+rw null c 1 3
cd ..
chown -R named.named bin etc var
Add changes to the init script: /etc/rc.d/init.d/named
01 #!/bin/bash
02 #
03 # named This shell script takes care of starting and stopping
04 # named (BIND DNS server).
05 #
06 # chkconfig: - 55 45
07 # description: named (BIND) is a Domain Name Server (DNS) \
08 # that is used to resolve host names to IP addresses.
09 # probe: true
10
11 # Source function library.
12 . /etc/rc.d/init.d/functions
13
14 # Source networking configuration.
15 . /etc/sysconfig/network
16
17 # Check that networking is up.
18 [ ${NETWORKING} = "no" ] && exit 0
19
20 [ -f /etc/sysconfig/named ] && . /etc/sysconfig/named
21
22 [ -f /usr/sbin/named ] || exit 0
23
24 [ -f /etc/named.conf ] || exit 0
25
26 RETVAL=0
27
28 start() {
29 # Start daemons.
30 echo -n "Starting named: "
31 daemon named -u named -g named -t /opt/named # Change made here
32 RETVAL=$?
33 [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
34 echo
35 return $RETVAL
36 }
37 stop() {
38 # Stop daemons.
39 echo -n "Shutting down named: "
40 killproc named
41 RETVAL=$?
42 [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
43 echo
44 return $RETVAL
45 }
46 rhstatus() {
47 /usr/sbin/ndc status
48 return $?
49 }
50 restart() {
51 stop
40 of 51 01/07/2016 11:19 AM
52 start
53 }
54 reload() {
55 /usr/sbin/ndc reload
56 return $?
57 }
58 probe() {
59 # named knows how to reload intelligently; we don't want linuxconf
60 # to offer to restart every time
61 /usr/sbin/ndc reload >/dev/null 2>&1 || echo start
62 return $?
63 }
64
65 # See how we were called.
66 case "$1" in
67 start)
68 start
69 ;;
70 stop)
71 stop
72 ;;
73 status)
74 rhstatus
75 ;;
76 restart)
77 restart
78 ;;
79 condrestart)
80 [ -f /var/lock/subsys/named ] && restart || :
81 ;;
82 reload)
83 reload
84 ;;
85 probe)
86 probe
87 ;;
88 *)
89 echo "Usage: named
{start|stop|status|restart|condrestart|reload|probe}"
90 exit 1
91 esac
92
93 exit $?
Note: The current version of bind from the RedHat errata updates and security fixes (http://www.redhat.com
/support/errata/ (http://www.redhat.com/support/errata/)) runs the named process as user "named" in the home
(not chrooted) directory /var/named with no shell available. (named -u named) This should be secure
enough. Proceed with a chrooted installation if your are paranoid.
See:
Securing DNS: How to use chroot bind features (http://www.psionic.com/papers/dns)
Chrooted DNS configuration:
Modern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4) come preconfigured to use "chrooted"
bind. This security feature forces even an exploited version of bind to only operate within the "chrooted" jail
/var/named/chroot which contains the familiar directories:
/var/named/chroot/etc: Configuration files

/var/named/chroot/dev: devices used by bind:
/dev/null
/dev/random
/dev/zero
(Real devices created with the mknod command.)
/var/named/chroot/var: Zone files and configuration information.
These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".
If building from source you will have to generate this configuration manually:
mkdir -p /var/named/chroot
mkdir /var/named/chroot/dev
mknod /var/named/chroot/dev/null c 1 3
41 of 51 01/07/2016 11:19 AM
mknod /var/named/chroot/dev/zero c 1 5
mknod /var/named/chroot/dev/random c 1 8
chmod 666 -R /var/named/chroot/dev
mkdir -p /var/named/chroot/etc
ln -s /var/named/chroot/etc/named.conf /etc/named.conf
mkdir -p /var/named/chroot/var/named
ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
...
mkdir -p /var/named/chroot/var/named/slaves
mkdir -p /var/named/chroot/var/named/data
mkdir -p /var/named/chroot/var/run
mkdir -p /var/named/chroot/var/tmp
chown -R named:named /var/named/chroot
chown -R root:named /var/named/chroot/var/named
Load Balancing of servers using Bind: DNS Round-Robin

This will populate DNS caching name servers around the world with different IP addresses for your web server
www.your-domain.com
File: /var/named/data/named.your-domain.com
$TTL 604800
your-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com.
...
...
www IN A 192.168.1.1
www IN A 192.168.1.2
www IN A 192.168.1.3
www IN A 192.168.1.4
www IN A 192.168.1.5
www IN A 192.168.1.6
Note:
This example will resolve the www.your-domain.com URL to each of the IP addresses listed, one at a time
for each request. First request will resolve to 192.168.1.1, the second request will resolve to 192.168.1.2,
etc.
A perfectly even load balance is not possible becaused network service providers run DNS caching servers
which hold the resolved IP address for a different number of users.
Using multiple CNAME's to rotate records is no longer permissible in bind9.
Listing a record multiple times with the same IP address will not change the load sharing. Bind will ignore
duplicate records.
Reducing the time to live (TTL) will cause load sharing to take place more frequently thus responding to a
change in servers more quickly.
Also see lbnamed: lbnamed load balancing named (http://www.stanford.edu/~riepel/lbnamed/)
Bind/DNS Links:
Internet Software Consortium (ISC) Home Page (http://www.isc.org) - ISC Bind Home (http://www.isc.org
/downloads/BIND/)
Zytrax Bind 9 manual (http://www.zytrax.com/books/dns/) - Bind for rocket scientists
comp.protocols.tcp-ip.domains FAQ (http://www.intac.com/%7Ecdp/cptd-faq/) - HTML version
mod_rewrite: page forwarding, load balancing and round robin schemes (http://httpd.apache.org/docs/2.2
/rewrite/)
LDP DNS-HOWTO (http://tldp.yolinux.com/HOWTO/DNS-HOWTO.html)
DNS Security best practices (http://www.cricketondns.com/archives.cfm/category/dns-best-practices) -
Cricket Liu (coauthor of DNS and Bind)
DNS Security Paper (http://www.psionic.com/papers/dns/) - Craig Rowland
EveryDNS.net (http://www.everydns.net/) - Free DNS
42 of 51 01/07/2016 11:19 AM
Secondary.com (http://www.secondary.com/) - Free secondary names server hosting (five or fewer

domains)
TZO.com (http://www.tzo.com) - Dynamic, secondary DNS services.
OpenDNS.com (http://www.opendns.com/) - Can allow forwarding to OpenDNS servers.
Add to "options" section: forwarders { 208.67.222.222; 208.67.222.220; };
DynDNS: dyn.com (http://dyn.com)
Command: ipcheck.py -i eth0 DynDNS-user-id password node.dnsalias.net
Then add script update.dyndns.ip to directory /etc/cron.daily/ to update IP.
This host must also be allowed access through any firewall rules.
DynDNS.com (http://www.dyndns.com/) - Dynamic DNS for those with dynamic IP addresses. (i.e. dial-up
game servers etc.)
Domain name registration:

Domain Name Registrars:
NetworkSolutions.com (http://www.networksolutions.com)
Register.com (http://www.register.com)
Registrar.GoDaddy.com (https://registrar.godaddy.com/) - Domain name registration for only
$8.95/year!!!
Dotster.com (http://www.dotster.com/) - Domain name registration for only $14.95/year
DomainsNext.com (http://www.domainsnext.com) - $11.95/year
EasyDNS.com (http://www.easydns.com) - $25.00/year
Gandi.net (http://www.gandi.net) - European
AfterNic.com (http://www.afternic.com/) - Domain name exchange and auction.
BuyDomains.com (http://www.buydomains.com) - Buy a domain name that a squatter is holding.
Note that the Name registrations policies for the registrars are stated at ICANN.org (http://www.icann.org).
You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for
afterwards.
Most free a domain name 30 days after it expires.
Web Server Load Balancing:

Load balancing becomes important if your traffic volume becomes too great for either your server or network
connection or both. Multiple options are available for load balancing.
DNS round-robin: Discussed above, this uses DNS to point users to random server in a list of appropriate
servers. This spreads the load among the servers in the list.
Use a Linux Virtual Server to Create a Load Balance Cluster. See next section below.
Run a reverse proxy. See nginx (http://nginx.net/) ("engine X"). From a single external internet network
connection, route http, smtp, imap or pop3 traffic to various servers on an internal network. Results are
pushed back to the nginx proxy for routing to the internet (no caching).
Run the Apache httpd web server module "mod_proxy" (http://httpd.apache.org/docs/2.0
/mod/mod_proxy.html) to offload processing of dynamic content to another web server. This acts as a
reverse proxy, routing external traffic to various servers on an internal network.
Using a Linux Virtual Server to Create a Load Balance Cluster:

You can use a single Linux server to forward requests to a cluster of servers using iptables for IP masquerading
and IPVsadm to scale your load. The load balancing server receiving and routing the requests is called the "Linux
Virtual Server" (LVS). The LVS receives the requests which are passed to the real servers which process and
reply to the request. This reply is forwarded to the client by the LVS.
This feature is available with the Linux 2.4/2.6 kernel. (If compiling kernel: Networking Options + IP: Virtual Server
Configuration)
Configuration: This example will load balance http traffic to three web servers and ftp traffic to a fourth server.
Enable Forwarding: (Also see YoLinux Networking Tutorial: Enable Forwarding

(LinuxTutorialNetworking.html#FORWARDING))
echo "1" > /proc/sys/net/ipv4/ip_forward
Enable IP Masquerading:
43 of 51 01/07/2016 11:19 AM
iptables -t nat -P POSTROUTING DROP

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
For more on IP Masquerading, iptables and subnet addresses, see the YoLinux network gateway tutorial
(LinuxTutorialIptablesNetworkGateway.html).
Enable virtual server:
Create virtual service and choose scheduler for http (80) and ftp (21):
ipvsadm -A -t 66.218.88.103:80 -s wlc

ipvsadm -A -t 66.218.88.103:21 -s wrr
Command directives:
A: Add a virtual service defined by IP address, port number, and protocol.
-t: Use TCP service host:port
-s: scheduler:
rr: Robin Robin: distributes jobs equally amongst the available real servers.
wrr: Weighted Round Robin.
lc: Least-Connection: assigns more jobs to real servers with fewer active jobs.
wlc: (Default) Weighted Least-Connection: assigns more jobs to servers with fewer jobs
and relative to the real server's weight.
lblc, lblcr, dh, sh, sed, nq. See man page.
Configure load balancing cluser.
ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -m

ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2
ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -m
ipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m
Command directives:
-r: Real server.
-m: Use masquerading also known as network address translation (NAT)
-w: Weight is an integer specifying the capacity of a server relative to the others in the pool.
The valid values of weight are 0 through to 65535. The default is 1.
Links:
LinuxVirtualServer.org (http://www.linuxvirtualserver.org/)
iptables (http://man.yolinux.com/cgi-bin/man2html?cgi_command=iptables) - Administration tool for IPv4
packet filtering and NAT
ipvsadm (http://man.yolinux.com/cgi-bin/man2html?cgi_command=ipvsadm) - Administer the routing table
on a Linux Virtual Server.
Managing Web Server Daemons:

To view if these services are running, type ps -aux and look for the httpd, inetd and named services (daemons).
These are background processes necessary to perform the server tasks.
root 681 0.0 0.5 2304 744 ? S Sep09 0:01 named

nobody 28123 0.0 1.1 3036 1420 ? S Oct06 0:00 httpd
nobody 28186 0.0 0.7 3044 896 ? S Oct06 0:00 httpd
root 385 0.0 0.1 1136 232 ? S Sep09 0:00 inetd
A new installation will most likely NOT start the named background process which may be started manually after
configuration.
See the YoLinux Init Process Tutorial (LinuxTutorialInitProcess.html) for more information.
The inetd (or xinetd) background process is the Internet daemon which starts FTP when an ftp request is made.
Sys Admin Script:

Script to prepare an account: (Red Hat/Fedora)
44 of 51 01/07/2016 11:19 AM
#!/bin/sh
# Author Greg Ippolito
# Requires: /opt/etc/AccountDefaults/pathmsg favicon.ico mwh-mini_tr.gif etc.
# /opt/bin/ftponly
# You must be root to run this script.
#
if [ $# -eq 0 ]
then
echo "Enter user id as a command argument"
else if [ -r /home/$1 ]
then
echo "User's home directory already exists"
else
echo "1) Create user."
adduser -m $1
echo "2) Set user Password."

passwd $1
echo "3) Add read access to user directory so apache can read it."
cd /home
chmod ugo+rx $1
cd $1
echo "4) Create web directories."

mkdir public_html
chown $1.$1 public_html
chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html
cd public_html
mkdir images
chown $1.$1 images
chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images
# Block potential for unauthenticated logins

cd ../
touch .rhosts
chmod ugo-xrw .rhosts
echo "5) Create default web page"

sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.h
tml
cp -p /opt/etc/AccountDefaults/favicon.ico .
cp -p /opt/etc/AccountDefaults/default-logo.gif ./images
cp -p /opt/etc/AccountDefaults/robots.txt .
chown $1.$1 index.html favicon.ico robots.txt
chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt
chcon -R -h -t httpd_sys_content_t images/default-logo.gif
echo "6) Edit /etc/passwd file - change user shell to /opt/bin/ftponly"

cp -p /etc/passwd /etc/passwd-`date +%m%d%y`
sed "/^$1/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd
#wu-ftp# Requires: /etc/ftpaccess guestuser restrict-uid

#wu-ftp# echo "7) Add user to /etc/ftpaccess file"
#wu-ftp# cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`
#wu-ftp# sed "/^guestuser/s!guestuser !guestuser $1 !" /etc/ftpaccess-`date +%m%d%y
` > /etc/ftpaccess
#wu-ftp# sed "/^restricted-uid/s!restricted-uid !restricted-uid $1 !" /etc/ftpacces
s-`date +%m%d%y` > /etc/ftpaccess
#wu-ftp# echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess
echo "7) Add user to vsftpd chroot list

cat `echo $1` >> /etc/vsftpd/vsftpd.chroot_list
echo "8) Setting Disk Quotas to default 50Mb limit:"

# Use user johndoe as a prototype.
edquota -p johndoe $1
45 of 51 01/07/2016 11:19 AM
echo "9) Admin Follow-up:"

echo " Modify quota.user if different than default"
echo " Make changes to Bind names services on dns1 and dns2 if necessary"
echo " Change /etc/http/conf/httpd.conf or
echo " add config to /etc/http/conf.d/ if using a new domain name"
echo " Add e-mail aliases to mail server if necessary"
fi
fi
FYI: Sample robots.txt files:
yolinux.com/robots.txt (http://www.yolinux.com/robots.txt)
USC.edu/robots.txt (http://www.usc.edu/robots.txt)
Useful links and resources:

Linux Init Process (LinuxTutorialInitProcess.html) - YoLinux.com tutorial
Setting up an Apache redirect (ApacheRedirect.html) - YoLinux.com tutorial
Apache Documentation (http://www.apache.org/docs/)
LDP HowTo Guides:
DNS-HOWTO (http://tldp.yolinux.com/HOWTO/DNS-HOWTO.html) - DNS administration - Nicolai
Langfeldt
Securing-Domain-HOWTO (http://tldp.yolinux.com/HOWTO/Securing-Domain-HOWTO.html)
ISP-Setup-RedHat (http://tldp.yolinux.com/HOWTO/ISP-Setup-RedHat.html) - Using Linux to host an
ISP - Anton Chuvakin
Linux Networking Overview HOWTO (http://tldp.yolinux.com/HOWTO/Networking-Overview-
HOWTO.html) - Daniel Lopez Ridruejo
Virtual-Services-HOWTO (http://tldp.yolinux.com/HOWTO/Virtual-Services-HOWTO.html) - DNS,
FTP, Apache, Mail (POP, Qmail, Sendmail), Syslogd and Samba
WWW-HOWTO (http://tldp.yolinux.com/HOWTO/WWW-HOWTO.html) - Setting up Apache services
WWW-mSQL-HOWTO (http://tldp.yolinux.com/HOWTO/WWW-mSQL-HOWTO.html)
List of Internet Exchanges (http://www.bgp4.as/internet-exchanges) - [map and list
(http://www.datacentermap.com/ixps.html)] An Internet Exchange (IX) is a junction between multiple
principle Internet communication lines. A colo hosted at or close to an IX will have your best ability to handle
traffic and your lowest latencies.
description of IX (http://en.wikipedia.org/wiki/Internet_exchange_point)
Setting up a mail server (LinuxTutorialMailMTA.html) - YoLinux Tutorial
Books:
"Ubuntu Unleashed 2013 edition:"

Covering 12.10 and 13.04 (8th Edition) (http://www.amazon.com
by Matthew Helmke, Andrew Hudson and Paul
Hudson
/gp/redirect.html?ie=UTF8&location=http:
Sams Publishing, ISBN# 0672336243
//www.amazon.com/exec/obidos
(Dec 15, 2012)
/ASIN/0672336243/&tag=yolinux-20)

by Matthew Helmke, Andrew Hudson and Paul
Hudson
Sams Publishing, ISBN# 0672335786
(Jan 16, 2012)
46 of 51 01/07/2016 11:19 AM

by Matthew Helmke, Ryan Troy, Andrew
Hudson and Paul Hudson
Surfing Turtle Press, ISBN# 0672333449
(Dec 24, 2010)
"Fedora 18 Desktop Handbook"

by Richard Petersen (http://www.amazon.com
(Mar 6, 2013)
"Fedora 18 Networking and Servers"

(March 29, 2013)
"Fedora 14 Desktop Handbook"

(Nov 30, 2010)
"Fedora 14 Administration and Security"

(Jan 6, 2011)
"Fedora 14 Networking and Servers"

(Dec 26, 2010)
"Practical Guide to Ubuntu Linux (Versions 8.10

and 8.04)" (http://www.amazon.com
by Mark Sobell
Prentice Hall PTR, ISBN# 0137003889
2 edition (January 9, 2009)
"Fedora 10 and Red Hat Enterprise Linux Bible"

by Christopher Negus (http://www.amazon.com
Wiley, ISBN# 0470413395
47 of 51 01/07/2016 11:19 AM
"Red Hat Fedora 6 and Enterprise Linux Bible"

by Christopher Negus (http://www.amazon.com
Sams, ISBN# 047008278X
/ASIN/047008278X/&tag=yolinux-20)
"Fedora 7 & Red Hat Enterprise Linux: The

Complete Reference" (http://www.amazon.com
by Richard Petersen
Sams, ISBN# 0071486429
"Red Hat Fedora Core 6 Unleashed"

by Paul Hudson, Andrew Hudson (http://www.amazon.com
Sams, ISBN# 0672329298
"Red Hat Linux Fedora 3 Unleashed"

by Bill Ball, Hoyt Duff (http://www.amazon.com
Sams, ISBN# 0672327082
"Red Hat Linux 9 Unleashed"

by Bill Ball, Hoyt Duff (http://www.amazon.com
Sams, ISBN# 0672325888
May 8, 2003
I have the Red Hat 6 version and I have found it
to be very helpful. I have found it to be way
more complete than the other Linux books. It is
the most complete general Linux book in
publication. While other books in the
"Unleashed" series have dissapointed me, this
book is the best out there.
"Apache Server Bible 2"

by Mohammed J. Kabir (http://www.amazon.com
ISBN # 0764548212, Hungry Minds
This book is very complete covering all aspects
in detail. It is not your basic reprint of the
apache.org documents like so many others.
"Pro DNS and Bind"

by Ronald Aitchison (http://www.amazon.com
Apress, ISBN# 1590594940
(http://www.addthis.com/bookmark.php?v=250&pub=yolinux)
48 of 51 01/07/2016 11:19 AM
Advertisements
Jobs
QA Analyst - Telecom
(http://www.jobthread.com
/jt/jobs
/widget_click.php?id=c0e4b3&
job_id=9950163)
Mississauga, ON,
Canada
Direct IT Recruiting INC.
Java Entwickler (w/m)
/jt/jobs
job_id=9889733)
Düsseldorf, Nordrhein-
Westfalen,...
Robert Half
Software Developers
(C# .NET)...
/jt/jobs
job_id=9950320)
Knutsford, Cheshire,
United Kingdom
- The Resourcing Hub
IT-Allrounder (w/m)
Linux
/jt/jobs
job_id=9818368)
Darmstadt, Hessen,
Germany
Robert Half
49 of 51 01/07/2016 11:19 AM
Database Systems
Administrator (DBA,...
/jt/jobs
job_id=9545271)
Milton Keynes,
Buckinghamshire,...
White Clarke Group
Java Developer(Angular
J.S)
/jt/jobs
job_id=9806513)
Jersey City, NJ
Libsys INC
Web Developer
/jt/jobs
job_id=9837251)
Altrincham, Cheshire,
United Kingdom
Parity Professionals
Senior Java Developer
(Java,...
/jt/jobs
job_id=9881702)
Warwick, Warwickshire,
United Kingdom
First Utility
Softwareentwickler
(m/w)...
/jt/jobs
job_id=9546114)
Köln, Nordrhein-
Westfalen, Germany
FERCHAU Engineering
GmbH
c++ developer
/jt/jobs
job_id=9870585)
Hilversum, Noord-
Holland, Netherlands
Darwin Recruitment NL
POST A JOB >

(HTTP://WWW.JOBTHREAD.COM/)
POWERED BY JOBTHREAD
(http://www.lpmagazine.org)
YoLinux.com Home Page to top of page

(http://www.yolinux.com)
4 (http://www.addthis.com
YoLinux Tutorial Index StumbleUpon
/bookmark.php?v=250&
(http://www.yolinux.com/TUTORIALS/) | 640
pub=yolinux)
Terms (http://www.yolinux.com/YoLinux-
50 of 51 01/07/2016 11:19 AM
Terms.html)
Privacy Policy (http://www.yolinux.com
/privacy.html) | Advertise with us
(http://www.yolinux.com/YoLinux-
Advertising.html) | Feedback Form
(http://www.yolinux.com
/YoLinuxEmailForm.html) |
Unauthorized copying or redistribution
prohibited.
Copyright © 2000 - 2014 by Greg Ippolito
51 of 51 01/07/2016 11:19 AM

config webserver tutorial

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

config webserver tutorial

Uploaded by

Copyright:

Available Formats

Linux Web Server and Domain Conﬁguration Tutorial http://www.yolinux.com/TUTORIALS/LinuxTutori...

Linux Internet Web Server and Domain

Also see: Web Site Security Tutorial

Related YoLinux Tutorials:

Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:

rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd

RPMs added FC2+: system-config-httpd

Red Hat 9.0

Need rpm -q httpd bind xinetd vsftpd

DNS? /files) (rev 14).

Red Hat 8.0

$3,461. SuSE 9.3:

apache2-MPM is needed by apache2-2.0.53-9

Also see Apache.org: MPMs (http://httpd.apache.org/docs/2.0/mpm.html)

Ubuntu (natty 11.04) / Debian:

apt-get install apache2

Ubuntu (dapper 6.06/hardy 8.04) / Debian:

apt-get install apache2 apache2-common apache2-mpm-prefork apache2-utils

Free Information Technology Apache HTTP Web server configuration:

The Apache web server configuration file is: /etc/httpd/conf/httpd.conf

Linux distribution Apache web server "DocumentRoot"

Files used by Apache:

Also Apache control tool: /usr/sbin/apachectl start

Apache Control Command: apachectl:

Red Hat / Fedora Core / CentOS: apachectl directive

Apache Configuration Files:

Basic settings: Change the default value for ServerName www.<your-domain.com>

Deny access completely to file system root ("/") as the default:

Deny first, then grant permissions:

Grant access to a user's web directory: public_html

LoadModule userdir_module modules/mod_userdir.so

Enabling Ubuntu's Apache public_html user directory access:

drwx------ 3 userx userx

Fix with command: chmod ugo+rx /home/userx

SELinux security contexts:

Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1

Use the following security contexts:

Context Type Description

The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans

Configuring a "name based" virtual host:

<VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>

... This part remains the same

# Default for when no domain name is given (i.e. access by IP address)

# Add a VirtualHost definition to forward to your primary URL

More virtual host examples. (http://www.apache.org/docs/vhosts/examples.html)

Apache virtual domain configuration with Ubuntu Dapper/Hardy:

a2ensite/a2dissite (http://man.yolinux.com/cgi-bin/man2html?cgi_command=a2enmod) (Ubuntu: Apache 2

Configuring an "IP based" virtual host:

NameVirtualHost * - Indicates all IP addresses

CGI: (Common Gateway Interface)

Configuring CGI To Run With User Privileges:

SuexecUserGroup user1 user1

ErrorDocument 404 /Error404-missing.html

Create the file Error404-missing.html in your "DocumentRoot" directory.

ErrorDocument 400 /error.shtml

Sample file error.shtml (in your "DocumentRoot" directory).

php: HTML-embedded scripting language

Add php default page index.php to apache config file: /etc/httpd/conf/httpd.conf

DirectoryIndex index.html index.htm index.php

PHP Configuration File:

Small portion of file shown.

Running Multiple instances of httpd:

Apache Man Pages: