My Private Blog

Tuesday, December 28, 2010

Generic Linux Server - Based on Ubuntu 10.04 LTS

This document describes how to install a generic Linux server. It has been a work in progress since March of 2001.

It is intended as my private collection of notes and useful bits of information gathered over the years from various sources: the Internet, books, etc. It may also be useful for anybody interested in creating a safe and stable basic Linux server which can then be adapted for more specific tasks. Internet access is required to complete the installation.

Get the Ubuntu Server 10.04 LTS Installation CD

  • The first thing to do is to download the Ubuntu Server installation CD image suitable for your hardware platform.

  • CDs can be downloaded from http://releases.ubuntu.com/

  • Burn the CD image to a CD-R.

Installing Ubuntu Server 10.04 LTS

  • Boot up from the Ubuntu Server Installation CD you created.


  • Select 'Install to Hard Disk'

  • After the system has booted up, the Ubuntu installation system starts.

  • In the first screen you need to select the installation language:

  • Select your language:

  • Choose a keyboard layout:

  • Setup starts to inspect your hardware setup:

  • If your network doesn't have DHCP, you can configure network manually:

  • Insert the hostname for your system, for example 'winkle':

  • Insert your domain name, for example 'example.com':

  • The next thing to do is disk partitioning.


Insert your Ubuntu install CD into your system and boot from it.

Select your language:



Then select Install Ubuntu Server:



Choose your language again (?

Then select your location:

Choose a keyboard layout (you will be asked to press a few keys, and the installer will try to detect your keyboard layout based on the keys you pressed):

The installer checks the installation CD, your hardware, and configures the network with DHCP if there is a DHCP server in the network:






I generally partition in the following manner:

Partition | Bootable | Size                              | FS   | Mount-point | Note
1         | Y        | 500MB                             | ext3 | /boot       | needs enough space to ensure that kernel upgrades don’t fill it
2         | N        | 1-2x system memory, usually 2-8GB | swap | swap        | may as well have a ton of it
3         | N        | Usually 10% of your hard drive    | xfs  | /root       | To separate /root file system from the root file system
4         | Y        | the rest                          | xfs  | /           |


The reasons for the partitions I use are as follows:

  1. /boot needs to be at the beginning of the disk to ensure compatibility with BIOSes and bootloaders; it should also be ext3 for bootloader and rescue CD purposes

  2. /root needs to be in separate file space for security reasons

I use XFS because it seems better than JFS, ext3 and ReiserFS to me.

  • Select your timezone.

  • Create a new user

  • Base system installation procedure starts:

  • Remove installation CD and reboot system:

  • Base system installation is finished

System will reboot

Enable The root Account



Ubuntu disables the root user account by default. Because we must run all the steps from this tutorial as the root user, we must enable the root account now. To enable it, log in as winkle, then run

$ sudo passwd root

to set the root password. Afterwards we become root by running

$ su -

First update the 'apt' repositories so we can then upgrade the system.

Updating 'apt' repositories

Update the apt repositories to include main, restricted, backports, universe and multiverse. Also disable cdrom access. This is done by editing '/etc/apt/sources.list'.

# nano -w /etc/apt/sources.list

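Here is an example (this listing comes from a 6.06 'dapper' system; on 10.04 the release name in each line is 'lucid'):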

root@server:~# cat /etc/apt/sources.list

#
# deb cdrom:[Ubuntu-Server 6.06.2 _Dapper Drake_ - Release amd64 (20080110.1)]/dapper main restricted
#deb cdrom:[Ubuntu-Server 6.06.2 _Dapper Drake_ - Release amd64 (20080110.1)]/ dapper main restricted
deb http://ca.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper universe multiverse
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper universe multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu dapper-security main restricted
deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted
deb http://security.ubuntu.com/ubuntu dapper-security universe
deb-src http://security.ubuntu.com/ubuntu dapper-security universe

Now update repositories.

# apt-get update

Now that the repositories are complete, we can proceed with a system upgrade.

# apt-get upgrade -y

Now reboot. The reason for this is that the kernel image was updated and a reboot is needed for it to take effect.

# shutdown -r now

Login as root

Installing MC - GNU Midnight Commander

GNU Midnight Commander is a file manager for free operating systems. Being a text mode application, GNU Midnight Commander can be used locally or remotely, on the console or under X Window System. By using full screen space of the terminals, it provides an intuitive user interface to the operating system, aiming to be a useful tool for users with any level of experience, from a newbie to a guru.

# apt-get install mc -y

Now change midnight commander settings so that startup folder is in the current folder, not at root.

# mv /usr/share/mc/bin/mc.sh /usr/share/mc/bin.mc.sh.norun
# cat /usr/share/mc/bin.mc.sh.norun >> /etc/bash.bashrc

SSH

SSH is a protocol designed to provide secure remote access for administration purposes. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Ubuntu does not install OpenSSH by default, therefore we do it now. Run

apt-get install ssh openssh-server -y

Configure the /etc/ssh/sshd_config file

# nano -w /etc/ssh/sshd_config

Changing the default SSH port

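Change the default SSH port (22) to stop most of the automated brute force attacks. This only removes the noise from scanners that probe port 22; it does not protect against anyone who scans for the new port.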

ServerKeyBits

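The ServerKeyBits option specifies how many bits to use in the server key. Change the default value to 1024. These bits are used when the daemon starts to generate its RSA key. Note that this option only applies to the ephemeral server key of SSH protocol version 1; it has no effect on protocol version 2 host keys.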

Disabling root login

Disable root login over SSH. Administrators should log in under a non-privileged user name (winkle) first and then su to root.

# Changes to the /etc/ssh/sshd_config file

Port 38475
ServerKeyBits 1024
PermitRootLogin no
AllowUsers winkle
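
A quick way to confirm that the three access-control settings above are really the ones sshd will use, as an added example that is not part of the original notes. The function names sshd_effective and audit_sshd and both sample files are constructed for illustration; the parser reads only the global section of the file (everything before the first Match line).

```sh
#!/bin/sh
# Added example: audit an sshd_config for Port, PermitRootLogin and AllowUsers.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and anything after a "Match" line is conditional, so
# parsing stops there.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        match($0, /^[^ \t=]+/) {
            key = tolower(substr($0, 1, RLENGTH))
            val = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)   # whitespace, optionally one "="
            if (key == "match") exit
            if (key == want) { print val; exit }
        }' "$1"
}

# Print one PASS/FAIL line per check and return the number of failures.
audit_sshd() {
    audit_fails=0
    audit_port=$(sshd_effective "$1" Port)
    audit_root=$(sshd_effective "$1" PermitRootLogin)
    audit_users=$(sshd_effective "$1" AllowUsers)

    if [ -n "$audit_port" ] && [ "$audit_port" != 22 ]; then
        echo "PASS Port $audit_port"
    else
        echo "FAIL Port is 22 (set explicitly or left at the default)"
        audit_fails=$((audit_fails + 1))
    fi
    if [ "$audit_root" = no ]; then
        echo "PASS PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${audit_root:-unset}', expected 'no'"
        audit_fails=$((audit_fails + 1))
    fi
    if [ -n "$audit_users" ]; then
        echo "PASS AllowUsers $audit_users"
    else
        echo "FAIL no global AllowUsers line"
        audit_fails=$((audit_fails + 1))
    fi
    return "$audit_fails"
}

# --- demo on two constructed files (not taken from a real host) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# The settings from this page, one keyword in lower case on purpose.
cat > "$demo_dir/hardened" <<'EOF'
Port 38475
ServerKeyBits 1024
permitrootlogin no
AllowUsers winkle
EOF

# Looks hardened at a glance: the Port line is commented out, an earlier
# "PermitRootLogin yes" wins over the later "no", and AllowUsers only
# exists inside a Match block.
cat > "$demo_dir/weak" <<'EOF'
#Port 38475
PermitRootLogin yes
PermitRootLogin no
Match Address 192.168.0.0/24
    AllowUsers winkle
EOF

for f in hardened weak; do
    echo "== $f"
    audit_sshd "$demo_dir/$f" || echo "   $? check(s) failed"
done
```

On the server itself, run audit_sshd /etc/ssh/sshd_config after editing the file and before restarting sshd; sshd -T prints the configuration as the daemon itself parsed it.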

Remove sudoers entries

# visudo

The sudoers file /etc/sudoers should look something like this:

root@server:~# cat /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults
Defaults !lecture,tty_tickets,!fqdn
# User privilege specification
root ALL=(ALL) ALL

Configure The Network

Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):

nano -w /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 208.233.68.149
netmask 255.255.255.240
gateway 208.233.68.145

Then restart your network:

# /etc/init.d/networking restart


Then edit /etc/resolv.conf

# nano -w /etc/resolv.conf

Make it look like this:

search example.com
nameserver 208.233.3.3
nameserver 208.233.5.5

Then edit /etc/hosts.

# nano -w /etc/hosts

Make it look like this:

127.0.0.1 localhost.localdomain localhost
208.233.68.149 server.example.com server

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run

# hostname
# hostname -f

Both should show server.example.com. If they do not, reboot the system:

# shutdown -r now

Afterwards, run

# hostname
# hostname -f

again. Now they should show server.example.com.

Installing DNS resolver

Having a local DNS cache is highly recommended; it can have a big effect on server performance. djbdns is a replacement for BIND. It is secure, reliable, small, fast, etc. dnscache is a recursive resolver, intended to be listed in the "nameserver" entry of /etc/resolv.conf. It makes DNS queries via UDP and TCP as needed. daemontools manages all the djbdns services and daemons.

First run:

# apt-get install daemontools-installer djbdns-installer -y

Then build daemontools, run:

# build-daemontools

(just hit [Enter] at any questions it asks)

Then build djbdns, run:

# build-djbdns

(just hit [Enter] at any questions it asks)

Configure the dnscache program, run:

# dnscache-conf dnscache dnslog /etc/dnscache

Create a symlink to the dnscache program in the /service directory so svscan will start it, run:

# ln -s /etc/dnscache /service

Wait at least 5 seconds, then see if the dnscache service is running, run:

# svstat /service/dnscache

Create a new resolv.conf (pointing to ourselves as the DNS server), run:

# echo "domain example.com" > /etc/resolv.conf
# echo "nameserver 127.0.0.1" >> /etc/resolv.conf

Test that you are able to resolve a host name on the Internet, run:

# dnsip www.cnn.com

Tail the log file to verify dnscache is working, run:

# tail -40 /service/dnscache/log/main/current

NTP

NTP is a protocol designed to synchronize the clocks of computers over a network.
Lots of server processes depend on the system clock for proper operation, so it is crucial to have NTP running and to select servers that are reliable and close to you from a network standpoint.

First get ntp client, run:

# apt-get install ntp ntpdate -y

Then create script to update system clock, run:

# cd /etc/init.d
# touch ntp-update.sh
# chmod 755 ntp-update.sh

Edit ntp-update.sh, run:

# nano -w /etc/init.d/ntp-update.sh

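Here is an example of the ntp-update.sh file:

#!/bin/sh
#
# No "-e" here: a failed sync (for example, network down) must not stop the hourly loop.
sleep 5
while true; do
    # -u uses an unprivileged source port, so this works while ntpd holds port 123
    ntpdate -u 0.north-america.pool.ntp.org || true
    hwclock --adjust
    hwclock --systohc
    # wait 1 hour
    sleep 3600
done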

Then edit /etc/rc.local, run:

nano -w /etc/rc.local

Here is an example of the rc.local file:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

#
# NTP script
#
/etc/init.d/ntp-update.sh &
#
exit 0



Postfix on a null client

A null client is a machine that can only send mail. It receives no mail from the network, and it does not deliver any mail locally. A null client typically uses POP, IMAP or NFS for mailbox access.

In this example we assume that the Internet domain name is "example.com" and that the machine is named "nullclient.example.com". As usual, the examples show only parameters that are not left at their default settings.

1 /etc/postfix/main.cf:
2 myorigin = $mydomain
3 relayhost = $mydomain
4 inet_interfaces = loopback-only
5 local_transport = error:local delivery is disabled
6
7 /etc/postfix/master.cf:
8 Comment out the local delivery agent entry

Translation:

  • Line 2: Send mail as "user@example.com" (instead of "user@nullclient.example.com"), so that nothing ever has a reason to send mail to "user@nullclient.example.com".

  • Line 3: Forward all mail to the mail server that is responsible for the "example.com" domain. This prevents mail from getting stuck on the null client if it is turned off while some remote destination is unreachable.

  • Line 4: Do not accept mail from the network.

  • Lines 5-8: Disable local mail delivery. All mail goes to the mail server as specified in line 3.


Local Mail Delivery with Postfix

From ArchWiki

The goal of this article is to setup Postfix for local mailbox delivery only. See: Postfix for a virtual mail delivery configuration.

Postfix Installation

Install postfix package with pacman:

# pacman -S postfix

Make sure that the following shows up in /etc/passwd

postfix:x:73:73::/var/spool/postfix:/bin/false

Make sure that the following shows up in /etc/group

postdrop:x:75:
postfix:x:73:

Note: Even though Postfix can be made to run in a chroot, this document does not currently cover such setups.

Postfix Configuration

Step 1: Edit /etc/postfix/main.cf

The only things you need to change are as follows. Uncomment them and modify them to the specifics listed below. Everything else can be left as installed by pacman.

inet_interfaces = loopback-only
mynetworks_style = host
append_dot_mydomain = no
default_transport = error: Local delivery only!

If you want to control where the mail gets delivered and which mailbox format is to be used, you can do this by setting

home_mailbox = some/path

or

mail_spool_directory = /some/path

mail_spool_directory is an absolute path where all mail goes, while home_mailbox specifies a mailbox relative to the user's home directory. If the path ends with a slash ('/'), messages are stored in Maildir format (directory tree, one message per file); if it doesn't, the mbox format is used (all mail in one file).

Examples:

mail_spool_directory = /var/mail  (1)
home_mailbox = Maildir/ (2)

1) All mail will be stored in /var/mail, mbox format

2) Mail will be saved in ~/Maildir, Maildir format

Step 2: Edit /etc/rc.conf

Add postfix to the daemons list. Make sure you put it after the network has started.

DAEMONS=(syslog-ng network netfs crond postfix)

Step 3: Edit /etc/postfix/aliases

Namely, put a username in for the following, substituting the correct username you desire (actual system account required) for USER:

# Person who should get root's mail. Don't receive mail as root!
root: USER

Run the following command as root. This creates the map file that postfix understands.

postalias /etc/postfix/aliases

In addition, create the file .forward in /root.

nano /root/.forward

In it, specify the user to whom root mail should be forwarded, e.g. user@localhost.

Step 4: Start the daemon

postfix check

If postfix check returns no errors, then start the daemon.

/etc/rc.d/postfix start

Check /var/log/mail.log for any errors.

Step 5: Test

Try sending an email. Even from yourself to yourself should be a good test.

mail -s test user
this is a test email.
.

Now check your mail using whatever client you desire.

Step 6: Test some more!

Make sure root mail forwards to the desired user; use the same test as above, but substitute root for user.

Adding a second postfix instance

Wednesday, March 10 2004 14:33

Introduction

Postfix has no inherent ability to distinguish inbound mail from outbound. However, with a few changes it can be made to do so.

One way is to add a second smtpd process in main.cf that accepts outbound mail on a second IP address. This is described in the "Filtering mail from outside users only" section of Postfix After-Queue Content Filter.

The method described in the after-queue document allows you to have a few differences between the handling of inbound and outbound mail, most notably filtering inbound mail but not outbound. However, the method does not allow every Postfix setting to differ.

For simple requirements, turning off filtering of outbound mail may be all you need. However, most environments require several different settings: filtering, header and body checks, spam checks and so on. Most settings are difficult or impossible to differentiate for inbound and outbound mail using the after-queue content filtering technique.

A more flexible approach is to create a complete second separate instance of Postfix. That instance accepts mail on a separate IP address, and has separate versions of main.cf, master.cf, maps and a separate spool directory. With a second instance, every Postfix setting can be unique for inbound and outbound mail. Most people also find that using two instances is easier to understand and easier to maintain.

Postfix is exceptionally well designed and resource friendly, so running a second instance doesn't consume a large amount of server resources. Two (or more) instances can easily co-exist on the same server.

This is a quick guide to creating a second instance of Postfix to handle outbound e-mail. We assume you already have a working installation of Postfix functioning on your mail server. Please do not attempt to follow these instructions until you have a single instance installed and working. Preserve your sanity: get a basic installation of Postfix working first before you add a second instance.

What's involved

Creating a second instance of Postfix from an existing one involves the following steps:

  1. Add an IP address to the server
  2. Copy the /etc/postfix directory and all files
  3. Create an additional spool directory
  4. Edit the config files
  5. Create startup and administration scripts

Step one: Add an IP address

The second instance of Postfix will be used for all outbound e-mail. Users will configure their e-mail clients to connect to that IP as their "SMTP server".

Follow the procedure appropriate to your server's version of Unix or Linux to add a second IP. The new IP can exist on the same network card as the first (eg. as device eth0:1 on Linux or hme0:1 on Solaris) or can be tied to a second NIC, whichever best suits your requirements.

If the new IP address is visible from the Internet, you may also want to add firewall settings so that only internal users can access it. The Postfix mynetworks setting should prevent outsiders abusing your outbound instance, but it's safer to prevent all outside access via firewalling.

The new IP address must resolve to a name. Either add a name for it in your DNS, or add an entry in the server's /etc/hosts file. Postfix will not work unless the IP address resolves to a name on the server Postfix is installed on.

As an alternative, the new instance can share the same IP but receive mail on a port other than port 25. We won't show that here, but it's an alternative to be aware of.

Step two: copy /etc/postfix

Copy your existing /etc/postfix directory to /etc/postfix-out:

cp -rp /etc/postfix /etc/postfix-out

The new directory should have all the files with the same ownership and permissions as the original.

To make the next step easier, edit file /etc/postfix-out/main.cf. Change the following setting or add it if it does not exist:

queue_directory = /var/spool/postfix-out

Save the changes to the file before proceeding to the next step.

Step three: create an additional spool directory

Each instance of Postfix must have its own mail spool directory. To avoid file conflicts, the default directory /var/spool/postfix must not be shared among instances.

Create a directory named /var/spool/postfix-out and let Postfix create the appropriate subdirectories and permissions:

mkdir /var/spool/postfix-out
postfix -c /etc/postfix-out check

The result should be directory /var/spool/postfix-out containing something similar to the following:

drwxr-xr-x   14 root     root          336 Jan 30 10:20 .
drwxr-xr-x 15 root root 384 Jan 30 10:20 ..
drwx------ 2 postfix root 48 Jan 30 10:20 active
drwx------ 2 postfix root 48 Jan 30 10:20 bounce
drwx------ 2 postfix root 48 Jan 30 10:20 corrupt
drwx------ 2 postfix root 48 Jan 30 10:20 defer
drwx------ 2 postfix root 48 Jan 30 10:20 deferred
drwx------ 2 postfix root 48 Jan 30 10:20 flush
drwx------ 2 postfix root 48 Jan 30 10:20 incoming
drwx-wx--- 2 postfix postdrop 48 Jan 30 10:20 maildrop
drwxr-xr-x 2 root root 48 Jan 30 10:20 pid
drwx------ 2 postfix root 48 Jan 30 10:20 private
drwx--x--- 2 postfix postdrop 48 Jan 30 10:20 public
drwx------ 2 postfix root 48 Jan 30 10:20 saved

If directory /var/spool/postfix contains directories named etc, usr and lib, your first Postfix instance was probably installed chrooted: if those directories exist, manually copy them to /var/spool/postfix-out:

cp -rp /var/spool/postfix/etc  /var/spool/postfix-out
cp -rp /var/spool/postfix/usr /var/spool/postfix-out
cp -rp /var/spool/postfix/lib /var/spool/postfix-out

Step four: edit the config files

Edit the file /etc/postfix/main.cf and add the following near the bottom of the file:

alternate_config_directories = /etc/postfix-out

The above setting is required to inform the Postfix daemons about the second instance.

Next, edit the file /etc/postfix-out/main.cf and change the following setting:

inet_interfaces = second-IP-address-NAME

Note: in the above you must specify the DNS name of the second IP address, not the IP address. If the IP address does not have a DNS name, add an entry for it to /etc/hosts so it can be resolved locally on the server.

You should also remove settings such as reject_maps_rbl and content filtering that only need to be applied to inbound e-mail, and change syslog_facility so that outbound mail is logged to a different file than inbound.

You might also want to change the setting myhostname so the second instance uses a different name than the first (eg. "mx1-out"). This is required if the two instances will exchange mail with each other, otherwise Postfix will complain that mail "loops back to myself".

Lastly, you can force mail sent from the outbound instance to use the same IP address as the inbound instance. This is useful when the mail server is behind a firewall and you want only one IP address to communicate with the Internet. To send mail on a different IP, add the setting smtp_bind_address to main.cf similar to the following:

smtp_bind_address = 192.168.1.1

(Of course, replace the IP address above with your own server's inbound SMTP IP address)
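
Because the second instance starts life as a copy of /etc/postfix, any edit from steps two to four that is forgotten leaves both instances with identical values. The following check is an added example, not part of the original article; the function names main_cf_value and check_second_instance and all sample main.cf contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: check that a copied Postfix instance was actually edited.

# Print the value of parameter $2 in main.cf file $1 (empty if unset).
# main.cf rules: "#" lines and blank lines are ignored, a line starting with
# whitespace continues the previous one, and the LAST definition wins.
main_cf_value() {
    awk -v want="$2" '
        function commit(   i, name, val) {
            i = index(cur, "=")
            if (i) {
                name = substr(cur, 1, i - 1)
                val = substr(cur, i + 1)
                sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name)
                gsub(/[ \t\r]+/, " ", val)
                sub(/^ /, "", val); sub(/ $/, "", val)
                if (name == want) result = val
            }
            cur = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { cur = cur " " $0; next }
        { commit(); cur = $0 }
        END { commit(); print result }' "$1"
}

# $1 = primary main.cf, $2 = second instance's main.cf,
# $3 = directory the second instance is deployed to (e.g. /etc/postfix-out).
# Prints one line per problem and returns the number of problems.
check_second_instance() {
    chk_n=0
    chk_q1=$(main_cf_value "$1" queue_directory)
    chk_q2=$(main_cf_value "$2" queue_directory)
    chk_i1=$(main_cf_value "$1" inet_interfaces)
    chk_i2=$(main_cf_value "$2" inet_interfaces)
    chk_alt=$(main_cf_value "$1" alternate_config_directories | tr ',' ' ')

    # Unset parameters fall back to the defaults named on this page / in Postfix.
    : "${chk_q1:=/var/spool/postfix}" "${chk_q2:=/var/spool/postfix}"
    : "${chk_i1:=all}" "${chk_i2:=all}"

    if [ "$chk_q1" = "$chk_q2" ]; then
        echo "queue_directory: both instances use $chk_q1"
        chk_n=$((chk_n + 1))
    fi
    case " $chk_alt " in
        *" $3 "*) ;;
        *) echo "alternate_config_directories: $3 not listed in primary"
           chk_n=$((chk_n + 1)) ;;
    esac
    if [ "$chk_i2" = all ] || [ "$chk_i2" = "$chk_i1" ]; then
        echo "inet_interfaces: second instance still set to '$chk_i2'"
        chk_n=$((chk_n + 1))
    fi
    if [ "$(main_cf_value "$1" myhostname)" = "$(main_cf_value "$2" myhostname)" ]; then
        echo "myhostname: identical in both instances"
        chk_n=$((chk_n + 1))
    fi
    return "$chk_n"
}

# --- demo on constructed main.cf files (not from a real server) ---
pf_demo=$(mktemp -d)
trap 'rm -rf "$pf_demo"' EXIT

cat > "$pf_demo/primary.cf" <<'EOF'
# constructed sample: primary instance
myhostname = mx1.example.com
inet_interfaces = mx1.example.com
alternate_config_directories =
    /etc/postfix-out
EOF

# State right after "cp -rp /etc/postfix /etc/postfix-out": nothing edited yet.
cp "$pf_demo/primary.cf" "$pf_demo/copied.cf"

# State after steps two to four: new settings appended, so they win.
{ cat "$pf_demo/primary.cf"; cat <<'EOF'
queue_directory = /var/spool/postfix-out
inet_interfaces = mx1-out.example.com
myhostname = mx1-out.example.com
EOF
} > "$pf_demo/edited.cf"

for f in copied edited; do
    echo "== second instance: $f.cf"
    check_second_instance "$pf_demo/primary.cf" "$pf_demo/$f.cf" /etc/postfix-out \
        || echo "   $? problem(s)"
done
```

Against a real installation the call would be check_second_instance /etc/postfix/main.cf /etc/postfix-out/main.cf /etc/postfix-out.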

Step five: Create startup and administration scripts

Startup script

The second instance can be started using the normal postfix start command, except you must point to the other configuration directory. For example:

postfix -c /etc/postfix-out start

To create a startup script for the second instance, either edit your existing Postfix startup script and add the above command after the existing postfix start command, or copy the existing startup script to a new name and change the copy. If you copy the start script, be sure to also follow your operating system's instructions for installing a new init script (for example, chkconfig on Redhat Linux, update-rc.d on Debian Linux).

Helpful scripts

Most, but not all, postfix commands accept the -c parameter to point to another instance. For example, postconf -c /etc/postfix-out prints configuration settings for the second instance. However, some commands, notably the frequently used "mailq" and "sendmail" ignore the -c parameter.

A work-around you can exploit is the fact that all Postfix commands use the MAIL_CONFIG environment variable to locate configuration files. Set MAIL_CONFIG to /etc/postfix-out and commands will use the main.cf in that directory instead of the default.

You can create shell script wrappers to set MAIL_CONFIG then execute the command. For example, the following shell script "outq" displays the mail queue for the postfix-out instance:

#!/bin/sh
export MAIL_CONFIG=/etc/postfix-out
/usr/bin/mailq

Working with the inbound and outbound instances is easier if you create similar "second instance" shell scripts for commonly used commands such as "postconf", "postfix flush" and "postfix reload".

For mail originating from the mail server itself, you might want to create a small shell script wrapper for "sendmail" so mail originating on the server itself uses the outbound instance. To do this, rename the Postfix "sendmail" binary to sendmail.postfix then create a shell script in the same directory named "sendmail" containing the following:

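#!/bin/sh
# "$@" passes each argument through unchanged; an unquoted $* would re-split
# arguments that contain spaces.
export MAIL_CONFIG=/etc/postfix-out
exec /usr/sbin/sendmail.postfix "$@"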

If you do this, you should also change the sendmail_path setting in /etc/postfix/main.cf to point to /usr/sbin/sendmail.postfix so your wrapper script won't get overwritten next time you install a Postfix upgrade.

Final notes

The above describes the minimum steps required to create a second Postfix instance.

Many other changes to /etc/postfix-out/main.cf may be desired depending on your requirements. For example, you could add a header_checks table to remove internal IP address and host information from outbound mail, or reject mail addressed to non-work-related destinations. Each instance has its own main.cf and other files, so you are free to customize one instance without affecting the other.

When upgrading Postfix, you only need to run the normal "make upgrade" script. Both instances share the same Postfix binaries so upgrading one instance also upgrades the others. However, beware that when an upgrade requires changes to main.cf or master.cf, you will have to perform those changes manually for both instances.




SMAIL


Most of the services on the server send messages to the local root account. The best way to deal with those messages is to send them out. For that reason we have to set up an email account outside of the organization (on yahoo or gmail, etc.), something like example-co-root@gmail.com, and set up forwarding of all messages to your admin account admin@example.com. This way you will have redundancy even if your mail server is down or inaccessible. Messages from all servers in your organization will be received and stored on this account.


Smail is an implementation of an Electronic Mail Transport Agent (MTA), i.e. a program used for sending and receiving electronic mail, for Unix-like (POSIX compatible) systems.


Smail's job is to accept mail messages from local files or programs running on the local machine (such as any mail user agent), or from remote hosts by way of network protocols such as SMTP or UUCP, and deliver those messages to the appropriate destinations, be they to remote hosts or to files or programs on the local machine. Smail-3 can also gateway e-mail traffic bi-directionally between disparate underlying mail transport systems, for example between SMTP and UUCP.


To install and configure smail run:

# apt-get --purge install smail

Here is an example of the install and setup:

Reading package lists... Done
Building dependency tree... Done
smail is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0B of archives.
After unpacking 0B of additional disk space will be used.
Setting up smail (3.2.0.115-5.1) ...

I can do certain kinds of automatic configuration of your mail system, by
asking you a number of questions. Later you may want to confirm and/or correct
your answers. In any case, comprehensive information on configuring Smail is
in smail(5) and in /usr/share/doc/smail/ .

You must choose one of the options below:
(1) Internet site: you send and receive Internet mail on this
machine, using SMTP over TCP/IP, select this if you have a smarthost
reachable over SMTP.
(2) UUCP to smarthost (upstream site):
You send and receive mail via UUCP; outbound mail is sent to your
smarthost (probably your service provider) for routing and delivery.
(3) No mail is to be delivered or routed here. Any mail generated on this
system is sent to a central mail switch using SMTP. This configuration is
for workstation, which have mounted /var/mail from a central server.
(4) Local delivery only:
You are not on a network. Mail for local users is delivered.
(5) No configuration will be done now; your mail system will be broken and
should not be used. Use /usr/sbin/smailconfig as root, later.
Select a number from 1 to 4, from the list above.
Enter value (default=`4', `x' to restart): 1


What is the `visible' mail name of your system ?
This will appear on From: lines of outgoing messages.
Enter value (default=`server.example.com', `x' to restart): ip149.example.com

Does this system have any other names which may appear on incoming
mail messages, apart from the visible name above (ip149.example.com)
and the system's hostname (server.example.com) ?
If so enter them here, separated with spaces or commas. If there are
none, say `none'.
Enter value (default=`none', `x' to restart): none

Do you have a smarthost available (and accessible via SMTP) ?

A smarthost is a system to which you forward mail you don't want to
deliver yourself; it presumably has better connectivity or routing
information than you do. Commercial providers usually provide a
smarthost for their customers, and large organisations will often have
a site mail switch which can be used. Use of a smarthost is strongly
recommended (you'll be able to specify exactly when to use it soon).

If a smarthost is available please enter its name (otherwise, `none').
Enter value (`x' to restart): none

Do you want to relay mail from anybody ?

If you allow relay from somewhere, that machine will send it's mail
to this server for delivery, you will become it's smarthost.
You can specify the word 'localnet', that will dinamically match
the net of your localhost, or you can specify the net by it's ip
number and using wildcards. (Example: 192.168.1.*).
If you want to relay to everyone, just write 'all'.
Beware, allowing everyone to relay from your machine, will let
spamers send their junk-mail througth your machine, making you
responsible for that. You shouldn't allow mail relaying from
unknown machines.
You can especify more than one net separating the ip numbers by ':'
Enter value (default=`127.0.0.1', `x' to restart):127.0.0.1

Mail for the `postmaster' and `root' accounts is usually redirected
to one or more user accounts, of the actual system administrators.
By default, I'll set things up so that mail for `postmaster' and for
various system accounts is redirected to `root', and mail for `root'
is redirected to a real user. This can be changed by editing /etc/aliases.

Note that postmaster-mail should usually be read on the system it is
directed to, rather than being forwarded elsewhere, so (at least one of)
the users you choose should not redirect their mail off this machine.

Which user account(s) should system administrator mail go to ?
Enter one or more usernames separated by spaces or commas . Enter
`none' if you want to leave this mail in `root's mailbox - NB this
is strongly discouraged. Also, note that usernames should be lowercase !
Enter value (`x' to restart): none


The following configuration has been entered:

Mail generated on this system will have `ip149.example.com' used
as the host part (after the @) in the From: field and similar places.

Message-ID's, Received lines, etc. will use the system's canonical
hostname, which is currently set to server.example.com.

The following hostname(s) will be recognised as referring to this system:
mail.areyouverified.com, ip149.example.com

Mail for postmaster, root, etc. will be sent to root.

Local mail is delivered.

Outbound remote mail is looked up in the Internet DNS, and delivered
using that data if any is found; failing that messages are bounced.
Mail for the non-DNS UUCP and BITNET domains are sent to the backbone
sites uu.net and cunyvm.cuny.edu for routing, respectively.

Is this OK ? Hit Return or type `y' to confirm it and install,
or `n' to make changes (in which case we'll go round again, giving you
your previous answers as defaults. (y/n) y

You have to select a method starting smail:
The decision as to whether to use a smail daemon, or the inet
daemon depends upon how much mail passes through your site and whether
or not you can always spare 300K of virtual memory.
(1) Generate a line in /etc/inetd.conf. For every remote-connections a
smail session is started. It is the standard.
(2) To invoke a smail daemon at system boot time.
Select a number from 1 to 2, from the list above.
Enter value (default=`1', `x' to restart): 1
Current crontab entry for smail:
# Default `mail' user's crontab, supplied Smail for Debian Linux.
# See /usr/doc/smail/copyright for details, or read smail(5) for details of
# how to configure Smail. Autoconfiguration done by /usr/sbin/smailconfig.
# (min, hour) (dm,m,dw) (command)
3,23,43 * * * * runq

Configuration installed.


Would you like to send a test message now ? Select one of:

Return or Y Yes, test offsite delivery with a message to Harald Alvestrand's
Linux Counter project - you should then receive an autoreply
to postmaster@ip149.example.com.

Do not use this option until mail routing to your machine has
been properly enabled, please !

L Just a local message from root@ip149.example.com
to postmaster@ip149.example.com.

N No, thanks. (You can do this later using /usr/sbin/smailtest.)

Send a test message now ? (y/l/n) l

Test message sent.

Good. You have a recent smail configuration
You have selected to start smail in inetd.conf

You have mail in /var/mail/root

After installation and configuration, add root account forwarding to /etc/aliases:

# echo "root: example-co-root@gmail.com" >> /etc/aliases
# newaliases

Now test that it is working, run:

# /usr/sbin/smailtest --localonly

Here is an example of the output:

Would you like to send a test message from `root' to `postmaster' ?
Send a test message now ? (y/n) y

Check your example-co-root@gmail.com mailbox; you should receive the test message.


SYSTEM LOG


Update /etc/logrotate.conf, run:

nano -w /etc/logrotate.conf

Here is example file:

# see "man logrotate" for details
# rotate log files daily
daily


# keep 365 rotated logs (one year of daily rotations)
rotate 365

# create new (empty) log files after rotating old ones
create

# compress rotated log files
compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}

/var/log/btmp {
missingok
monthly
# btmp records failed logins; keep it unreadable to other users
create 0660 root utmp
rotate 1
}

# system-specific logs may be configured here

Install logcheck

# apt-get install logcheck -y

Install logwatch

# apt-get install logwatch -y

Install MUNIN

# apt-get install munin munin-node

Configure MUNIN

# nano -w /etc/munin/munin.conf

Change lines from:

# a simple host tree
[localhost.localdomain]

to:

# a simple host tree
[server.example.com]

Restart munin

# /etc/init.d/munin-node restart


Then install thttpd

# apt-get install thttpd thttpd-util

Configure thttpd

# nano -w /etc/thttpd/thttpd.conf

Change

port = 38964

and change

dir = /var/www/munin

Ensure that the port is not firewalled.

Check that it is working by going to http://server.example.com:38964


32 bit extensions

If you are running 64-bit Linux, install the 32-bit extensions to allow 64-bit Linux to run 32-bit applications.


apt-get install ia32-libs linux32 -y


Monday, May 19, 2008

*NIX Academy

UNIX (since 1969) and Linux (since 1991) have been around for a long time, but only
recently have they started to become a threat to the Microsoft reign. Unix and Linux
have similar properties, but the biggest difference is that Linux is a FREE (no license fee)
version - including source code - that is being widely implemented around the world. Yet
so many people do not understand this powerful operating system. While there are
many companies producing Linux distributions, there is nobody training people in how
to become fully qualified Linux professionals and administrators of ALL aspects of using
and working with Linux. *NIX Academy is proposing to offer exactly that, a course that
will train people how to become fully qualified Linux professionals and administrators.
*NIX Academy has been established to help prepare students to learn Linux from the
bottom to the top. Not just learn to install it, but how to develop, program, compile and
use Linux. It's not enough to know how to install Linux from a distribution; we need
to learn how to work with the roots of Linux.
After finishing this program students should be able to create a Linux distribution for any
specific task (router, web server, desktop, cluster, etc.), and to maintain,
troubleshoot and administer those systems and any other vendor distribution. They
will be able to grow and adapt with Linux systems. Training is going to be vendor
neutral.

Tuesday, February 12, 2008

Generic Linux Server - Based on Ubuntu 6.06.2 LTS

This document describes how to install Generic Linux Server. This document is work in progress since March of 2001.

It is intended to be my private collection of notes and different bits of useful information collected over years from various sources from the Internet, books, etc. It may also be found useful by everybody who is interested in creating a safe and stable basic Linux server which can then be adapted for more specific tasks. Internet access is required to complete the installation.

Get the Ubuntu Server 6.06.2 LTS Installation CD

  • First thing to do is to download Ubuntu Server installation CD suitable for your hardware platform.

  • CDs can be downloaded from http://releases.ubuntu.com/

  • Burn the CD image to a CD-R.

Installing Ubuntu Server 6.06.2 LTS

  • Boot up from the Ubuntu Server Installation CD you created.

  • Select 'Install to Hard Disk'

  • After system has booted up, the Ubuntu installation system starts.

  • In first screen you need to select installation language:

  • Select your language:

  • Choose a keyboard layout:

  • Setup starts to inspect your hardware setup:

  • If your network doesn't have DHCP, you can configure network manually:

  • Insert the hostname for your system, for example 'winkle':

  • Insert your domain name, for example 'example.com':

  • Next thing to do is a disk partitioning.

I generally partition in the following manner:

Partition | Bootable | Size                              | FS   | Mount-point | Note
1         | Y        | 500MB                             | ext3 | /boot       | needs enough space to ensure that kernel upgrades don't fill it
2         | N        | 1-2x system memory, usually 2-8GB | swap | swap        | may as well have a ton of it
3         | N        | Usually 10% of your hard drive    | xfs  | /root       | To separate /root file system from the root file system
4         | Y        | the rest                          | xfs  | /           |


The reasons for the partitions I use are as follows:

  1. /boot needs to be at the beginning of the disk to ensure compatibility with BIOSes and bootloaders; it should also be ext3 for bootloader and rescue CD purposes

  2. /root needs to be in separate file space for security reasons

I use XFS because it seems better than JFS, ext3 and ReiserFS to me.

  • Select your timezone.

  • Create a new user

  • Base system installation procedure starts:

  • Remove installation CD and reboot system:

  • Base system installation is finished

System will reboot

Enable The root Account



Ubuntu disables the root user account by default.
Because we must run all the steps from this tutorial as the root user, we must enable the root account now. To enable it, log in as winkle, then run

$ sudo passwd root

to set the root password. Afterwards we become root by running

$ su -

First update the 'apt' repositories so we can then upgrade the system.

Updating 'apt' repositories

Update the apt repositories to include main, restricted, backports, universe and multiverse. Also disable cdrom access. This is done by editing '/etc/apt/sources.list'.

# nano -w /etc/apt/sources.list

Here is an example:

root@server:~# cat /etc/apt/sources.list

#
# deb cdrom:[Ubuntu-Server 6.06.2 _Dapper Drake_ - Release amd64 (20080110.1)]/dapper main restricted
#deb cdrom:[Ubuntu-Server 6.06.2 _Dapper Drake_ - Release amd64 (20080110.1)]/ dapper main restricted
deb http://ca.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper universe multiverse
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper universe multiverse
## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://ca.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
deb-src http://ca.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu dapper-security main restricted
deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted
deb http://security.ubuntu.com/ubuntu dapper-security universe
deb-src http://security.ubuntu.com/ubuntu dapper-security universe

Now update repositories.

# apt-get update

Now that the repositories are complete, we can proceed with a system upgrade.

# apt-get upgrade -y

Now reboot. The reason for this is that the kernel image was updated and the new kernel only takes effect after a reboot.

# shutdown -r now

Login as root

Installing MC - GNU Midnight Commander

GNU Midnight Commander is a file manager for free operating systems. Being a text mode application, GNU Midnight Commander can be used locally or remotely, on the console or under X Window System. By using full screen space of the terminals, it provides an intuitive user interface to the operating system, aiming to be a useful tool for users with any level of experience, from a newbie to a guru.

# apt-get install mc -y

Now change midnight commander settings so that startup folder is in the current folder, not at root.

# mv /usr/share/mc/bin/mc.sh /usr/share/mc/bin.mc.sh.norun
# cat /usr/share/mc/bin.mc.sh.norun >> /etc/bash.bashrc

SSH

SSH is a protocol designed to provide secure remote access for administration purposes. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Ubuntu does not install OpenSSH by default, therefore we do it now. Run

apt-get install ssh openssh-server -y

Configure the /etc/ssh/sshd_config file

# nano -w /etc/ssh/sshd_config

Changing the default SSH port

Change the default SSH port (22) to stop most of the brute-force attacks.

ServerKeyBits

The option ServerKeyBits specifies how many bits to use in the server key. Change the default value to 1024. These bits are used when the daemon starts to generate its RSA key.

Disabling root login

Disable root login over SSH. Administrators should log in under a non-privileged user name (winkle) first and then su to root.

# Changes to the /etc/ssh/sshd_config file

Port 38475
ServerKeyBits 1024
PermitRootLogin no
AllowUsers winkle
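
The four sshd_config changes above can be checked mechanically. The following is an added example, not part of the original notes: a POSIX shell audit whose function names and sample files are constructed for illustration. It also flags a leftover `Port 22` line, because sshd accepts several Port lines and listens on every one of them.

```shell
#!/bin/sh
# Added example (not from the original page): audit the global section of an
# sshd_config against the settings changed above. Sample files are constructed.

# Print every value given for KEYWORD ($2) in FILE ($1), one per line.
# Keywords are case-insensitive; parsing stops at the first Match block.
# Assumes the common "Keyword value" form separated by whitespace.
sshd_values() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# For ordinary keywords sshd uses the first value it reads.
sshd_first() { sshd_values "$1" "$2" | head -n 1; }

note() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }

# Print one FINDING line per deviation; return 0 only when there are none.
sshd_audit() {
    file=$1
    findings=0

    # Port may be repeated and sshd listens on every port listed, so one
    # leftover "Port 22" line keeps the default port open. No Port line = 22.
    ports=$(sshd_values "$file" Port)
    if [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx '22'; then
        note "sshd still listens on port 22"
    fi

    root=$(sshd_first "$file" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$root" = "no" ] || note "PermitRootLogin is '${root:-unset}', expected 'no'"

    users=$(sshd_values "$file" AllowUsers)
    [ -n "$users" ] || note "AllowUsers is unset, logins are not restricted by user"

    # ServerKeyBits sizes the ephemeral SSH protocol 1 server key only.
    bits=$(sshd_first "$file" ServerKeyBits)
    case $bits in
        ''|*[!0-9]*) note "ServerKeyBits is '${bits:-unset}', expected 1024 or more" ;;
        *) [ "$bits" -ge 1024 ] || note "ServerKeyBits is $bits, expected 1024 or more" ;;
    esac

    [ "$findings" -eq 0 ]
}

# Constructed samples ------------------------------------------------------
sample_default() {    # an untouched file with weak values
    cat <<'EOF'
Port 22
Protocol 2
ServerKeyBits 768
PermitRootLogin yes
#AllowUsers winkle
EOF
}

sample_hardened() {   # the four lines from the page
    cat <<'EOF'
Port 38475
ServerKeyBits 1024
PermitRootLogin no
AllowUsers winkle
EOF
}

sample_leftover() {   # new port added, old Port line never removed
    cat <<'EOF'
port 38475
Port 22
ServerKeyBits 1024
permitrootlogin no
AllowUsers winkle
EOF
}

tmp=$(mktemp)
for s in sample_default sample_hardened sample_leftover; do
    "$s" > "$tmp"
    echo "== $s"
    if sshd_audit "$tmp"; then echo "no findings"; fi
done
rm -f "$tmp"
```

On a real server, point `sshd_audit` at /etc/ssh/sshd_config after editing and before restarting sshd.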

Remove sudoers entries

# visudo

The sudoers file /etc/sudoers should look something like this:

root@server:~# cat /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults
Defaults !lecture,tty_tickets,!fqdn
# User privilege specification
root ALL=(ALL) ALL

Configure The Network

Because the Ubuntu installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.0.100):

nano -w /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 208.233.68.149
netmask 255.255.255.240
gateway 208.233.68.145

Then restart your network:

# /etc/init.d/networking restart


Then edit /etc/resolv.conf

# nano -w /etc/resolv.conf

Make it look like this:

search example.com
nameserver 208.233.3.3
nameserver 208.233.5.5

Then edit /etc/hosts.

# nano -w /etc/hosts

Make it look like this:

127.0.0.1 localhost.localdomain localhost
208.233.68.149 server.example.com server

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run

# hostname
# hostname -f

Both should show server.example.com. If they do not, reboot the system:

# shutdown -r now

Afterwards, run

# hostname
# hostname -f

again. Now they should show server.example.com.

Installing DNS resolver

Having a local DNS cache is highly recommended; it can have a big effect on server performance. djbdns is a replacement for BIND. It is secure, reliable, small, fast, etc. dnscache is a recursive resolver, intended to be listed in /etc/resolv.conf's "nameserver" entry. It makes DNS queries via UDP and TCP as needed. daemontools manages all the djbdns services and daemons.

First run:

# apt-get install daemontools-installer djbdns-installer -y

Then build daemontools, run:

# build-daemontools

(just hit [Enter] at any questions it asks)

Then build djbdns, run:

# build-djbdns

(just hit [Enter] at any questions it asks)

Configure the dnscache program, run:

# dnscache-conf dnscache dnslog /etc/dnscache

Create a symlink to the dnscache program in the /service directory so svscan will start it, run:

# ln -s /etc/dnscache /service

Wait at least 5 seconds, then see if the dnscache service is running, run:

# svstat /service/dnscache

Create a new resolv.conf (pointing to ourselves as the DNS server), run:

# echo "domain example.com" > /etc/resolv.conf
# echo "nameserver 127.0.0.1" >> /etc/resolv.conf

Test that you are able to resolve a host name on the Internet, run:

# dnsip www.cnn.com

Tail the log file to verify dnscache is working, run:

# tail -40 /service/dnscache/log/main/current

NTP

NTP is a protocol designed to synchronize the clocks of computers over a network.
Lots of server processes depend on the system clock for proper operation, so it is crucial to have NTP running and to select servers that are reliable and close to you from a network standpoint.

First get ntp client, run:

# apt-get install ntp ntpdate -y

Then create script to update system clock, run:

# cd /etc/init.d
# touch ntp-update.sh
# chmod 755 ntp-update.sh

Edit ntp-update.sh, run:

# nano -w /etc/init.d/ntp-update.sh

Here is an example of the ntp-update.sh file:

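#!/bin/sh
#
# Set the system clock from NTP once an hour and copy it to the hardware clock.
# No "-e" here: a failed ntpdate (network down) must not stop later retries.
sleep 5
while true; do
    ntpdate -u 0.north-america.pool.ntp.org
    hwclock --adjust
    hwclock --systohc
    # wait 1 hour
    sleep 3600
done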

Then edit /etc/rc.local, run:

nano -w /etc/rc.local

Here is an example of the rc.local file:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

#
# NTP script
#
/etc/init.d/ntp-update.sh &
#
exit 0

SMAIL


Most of the services on the server send messages to the local root account. The best way to deal with those messages is to send them out. For that reason we have to set up an email account outside of the organization (on Yahoo or Gmail, etc.), something like example-co-root@gmail.com, and set up forwarding of all messages to your admin account admin@example.com. This way you will have redundancy even if your mail server is down or inaccessible. This account will receive and store messages from all servers in your organization.


Smail is an implementation of an Electronic Mail Transport Agent (MTA), i.e. a program used for sending and receiving electronic mail, for Unix-like (POSIX compatible) systems.


Smail's job is to accept mail messages from local files or programs running on the local machine (such as any mail user agent), or from remote hosts by way of network protocols such as SMTP or UUCP, and deliver those messages to the appropriate destinations, be they to remote hosts or to files or programs on the local machine. Smail-3 can also gateway e-mail traffic bi-directionally between disparate underlying mail transport systems, for example between SMTP and UUCP.


To install and configure smail run:

# apt-get --purge install smail

Here is an example of the install and setup:

Reading package lists... Done
Building dependency tree... Done
smail is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0B of archives.
After unpacking 0B of additional disk space will be used.
Setting up smail (3.2.0.115-5.1) ...

I can do certain kinds of automatic configuration of your mail system, by
asking you a number of questions. Later you may want to confirm and/or correct
your answers. In any case, comprehensive information on configuring Smail is
in smail(5) and in /usr/share/doc/smail/ .

You must choose one of the options below:
(1) Internet site: you send and receive Internet mail on this
machine, using SMTP over TCP/IP, select this if you have a smarthost
reachable over SMTP.
(2) UUCP to smarthost (upstream site):
You send and receive mail via UUCP; outbound mail is sent to your
smarthost (probably your service provider) for routing and delivery.
(3) No mail is to be delivered or routed here. Any mail generated on this
system is sent to a central mail switch using SMTP. This configuration is
for workstation, which have mounted /var/mail from a central server.
(4) Local delivery only:
You are not on a network. Mail for local users is delivered.
(5) No configuration will be done now; your mail system will be broken and
should not be used. Use /usr/sbin/smailconfig as root, later.
Select a number from 1 to 4, from the list above.
Enter value (default=`4', `x' to restart): 1


What is the `visible' mail name of your system ?
This will appear on From: lines of outgoing messages.
Enter value (default=`server.example.com', `x' to restart): ip149.example.com

Does this system have any other names which may appear on incoming
mail messages, apart from the visible name above (ip149.example.com)
and the system's hostname (server.example.com) ?
If so enter them here, separated with spaces or commas. If there are
none, say `none'.
Enter value (default=`none', `x' to restart): none

Do you have a smarthost available (and accessible via SMTP) ?

A smarthost is a system to which you forward mail you don't want to
deliver yourself; it presumably has better connectivity or routing
information than you do. Commercial providers usually provide a
smarthost for their customers, and large organisations will often have
a site mail switch which can be used. Use of a smarthost is strongly
recommended (you'll be able to specify exactly when to use it soon).

If a smarthost is available please enter its name (otherwise, `none').
Enter value (`x' to restart): none

Do you want to relay mail from anybody ?

If you allow relay from somewhere, that machine will send it's mail
to this server for delivery, you will become it's smarthost.
You can specify the word 'localnet', that will dinamically match
the net of your localhost, or you can specify the net by it's ip
number and using wildcards. (Example: 192.168.1.*).
If you want to relay to everyone, just write 'all'.
Beware, allowing everyone to relay from your machine, will let
spamers send their junk-mail througth your machine, making you
responsible for that. You shouldn't allow mail relaying from
unknown machines.
You can especify more than one net separating the ip numbers by ':'
Enter value (default=`127.0.0.1', `x' to restart):127.0.0.1

Mail for the `postmaster' and `root' accounts is usually redirected
to one or more user accounts, of the actual system administrators.
By default, I'll set things up so that mail for `postmaster' and for
various system accounts is redirected to `root', and mail for `root'
is redirected to a real user. This can be changed by editing /etc/aliases.

Note that postmaster-mail should usually be read on the system it is
directed to, rather than being forwarded elsewhere, so (at least one of)
the users you choose should not redirect their mail off this machine.

Which user account(s) should system administrator mail go to ?
Enter one or more usernames separated by spaces or commas . Enter
`none' if you want to leave this mail in `root's mailbox - NB this
is strongly discouraged. Also, note that usernames should be lowercase !
Enter value (`x' to restart): none


The following configuration has been entered:

Mail generated on this system will have `ip149.example.com' used
as the host part (after the @) in the From: field and similar places.

Message-ID's, Received lines, etc. will use the system's canonical
hostname, which is currently set to server.example.com.

The following hostname(s) will be recognised as referring to this system:
mail.areyouverified.com, ip149.example.com

Mail for postmaster, root, etc. will be sent to root.

Local mail is delivered.

Outbound remote mail is looked up in the Internet DNS, and delivered
using that data if any is found; failing that messages are bounced.
Mail for the non-DNS UUCP and BITNET domains are sent to the backbone
sites uu.net and cunyvm.cuny.edu for routing, respectively.

Is this OK ? Hit Return or type `y' to confirm it and install,
or `n' to make changes (in which case we'll go round again, giving you
your previous answers as defaults. (y/n) y

You have to select a method starting smail:
The decision as to whether to use a smail daemon, or the inet
daemon depends upon how much mail passes through your site and whether
or not you can always spare 300K of virtual memory.
(1) Generate a line in /etc/inetd.conf. For every remote-connections a
smail session is started. It is the standard.
(2) To invoke a smail daemon at system boot time.
Select a number from 1 to 2, from the list above.
Enter value (default=`1', `x' to restart): 1
Current crontab entry for smail:
# Default `mail' user's crontab, supplied Smail for Debian Linux.
# See /usr/doc/smail/copyright for details, or read smail(5) for details of
# how to configure Smail. Autoconfiguration done by /usr/sbin/smailconfig.
# (min, hour) (dm,m,dw) (command)
3,23,43 * * * * runq

Configuration installed.


Would you like to send a test message now ? Select one of:

Return or Y Yes, test offsite delivery with a message to Harald Alvestrand's
Linux Counter project - you should then receive an autoreply
to postmaster@ip149.example.com.

Do not use this option until mail routing to your machine has
been properly enabled, please !

L Just a local message from root@ip149.example.com
to postmaster@ip149.example.com.

N No, thanks. (You can do this later using /usr/sbin/smailtest.)

Send a test message now ? (y/l/n) l

Test message sent.

Good. You have a recent smail configuration
You have selected to start smail in inetd.conf

You have mail in /var/mail/root

After installation and configuration, add root account forwarding to /etc/aliases:

# echo "root: example-co-root@gmail.com" >> /etc/aliases
# newaliases

Now test that it is working, run:

# /usr/sbin/smailtest --localonly

Here is an example of the output:

Would you like to send a test message from `root' to `postmaster' ?
Send a test message now ? (y/n) y

Check your example-co-root@gmail.com mailbox; you should receive the test message.


SYSTEM LOG


Update /etc/logrotate.conf, run:

nano -w /etc/logrotate.conf

Here is example file:

# see "man logrotate" for details
# rotate log files daily
daily


# keep 365 rotated logs (one year of daily rotations)
rotate 365

# create new (empty) log files after rotating old ones
create

# compress rotated log files
compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
missingok
monthly
create 0664 root utmp
rotate 1
}

/var/log/btmp {
missingok
monthly
# btmp records failed logins; keep it unreadable to other users
create 0660 root utmp
rotate 1
}

# system-specific logs may be configured here

Install logcheck

# apt-get install logcheck -y

Install logwatch

# apt-get install logwatch -y

Install MUNIN

# apt-get install munin munin-node

Configure MUNIN

# nano -w /etc/munin/munin.conf

Change lines from:

# a simple host tree
[localhost.localdomain]

to:

# a simple host tree
[server.example.com]

Restart munin

# /etc/init.d/munin-node restart


Then install thttpd

# apt-get install thttpd thttpd-util

Configure thttpd

# nano -w /etc/thttpd/thttpd.conf

Change

port = 38964

and change

dir = /var/www/munin

Ensure that the port is not firewalled.

Check that it is working by going to http://server.example.com:38964


32 bit extensions

If you are running 64-bit Linux, install the 32-bit extensions to allow 64-bit Linux to run 32-bit applications.


apt-get install ia32-libs linux32 -y