Linux


Build apache2:
>export CPPFLAGS=-I/usr/kerberos/include
>./configure --enable-mods-shared=all --enable-ssl
>make all
>make CPPFLAGS=-I/usr/kerberos/include
>make install
All installed in /usr/local/apache2

Build mod_php:
http://www.php.net/downloads.php
>export CPPFLAGS=-I/usr/kerberos/include
>./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql --prefix=/usr/local/apache2/php --with-config-file-path=/usr/local/apache2/php --enable-force-cgi-redirect --disable-cgi --with-zlib --with-gettext --with-gdbm --with-openssl
>make
>make install
Edit httpd.conf and add:
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php
DirectoryIndex index.php

Build Python:
wget http://www.python.org/ftp/python/2.4.1/Python-2.4.1.tgz
>./configure --prefix=/usr/local
>make
>make install

Build mod_python:
>./configure --prefix=/usr/local/apache2/mod_python --with-python=/usr/local/bin/python2.4 --with-apxs=/usr/local/apache2/bin/apxs
>make
>make install
Edit httpd.conf and add:
LoadModule python_module modules/mod_python.so

Setup MoinMoin:
>python -v setup.py --quiet install --record=install.log
>export PREFIX=/usr
>export SHARE=$PREFIX/share/moin
>export WIKILOCATION=/var/www/moin/mywiki
>export INSTANCE=mywiki
>export USER=apache
>export GROUP=apache
>cd $WIKILOCATION
>mkdir $INSTANCE
>cp -R $SHARE/data $INSTANCE
>cp -R $SHARE/underlay $INSTANCE
>cp $SHARE/config/wikiconfig.py $INSTANCE
>chown -R $USER.$GROUP $INSTANCE
>chmod -R ug+rwX $INSTANCE
>chmod -R o-rwx $INSTANCE
>cd $WIKILOCATION/$INSTANCE
>mkdir cgi-bin
>cp $SHARE/server/moin.cgi cgi-bin
>chown -R $USER.$GROUP cgi-bin
>chmod -R ug+rx cgi-bin
>chmod -R o-rwx cgi-bin
Edit cgi-bin/moin.cgi and set: sys.path.insert(0, '/var/www/moin/mywiki')
Edit wikiconfig.py and specify the full paths for data_dir and data_underlay_dir:
data_dir = '/var/www/moin/mywiki/data/'
data_underlay_dir = '/var/www/moin/mywiki/underlay/'
url_prefix = '/wiki'
acl_rights_default = u"All:read"
acl_rights_before = u"AumberBhatti:read,write,delete,revert,admin"
Edit httpd.conf:
Options ExecCGI
Alias /wiki/ "/usr/local/share/moin/htdocs/"
#ScriptAlias / "/var/www/moin/mywiki/cgi-bin/moin.cgi"

RewriteEngine on
RewriteRule ^/wiki/ - [last]
RewriteRule ^/robots.txt - [last]
RewriteRule ^/favicon.ico - [last]
RewriteRule ^/?(.*) /var/www/moin/mywiki/cgi-bin/moin.cgi/$1 [last,type=application/x-httpd-cgi]

[TESTED ON THE FOLLOWING DISTROS/VERSIONS]

1. Red Hat Enterprise Linux WS release 3 (Taroon Update 1)
Kernel 2.4.21-9.0.1.ELsmp, clamav-70-rc, sendmail-8.12.10-1,
2. Fedora Core release 1 (Yarrow)
Kernel 2.4.22-1.2188.nptl, clamav-70, sendmail-8.12.10-1.1.1

#####
These instructions document the installation and configuration of ClamAV 0.70-rc on Red Hat ES Release 3.
I will use the Sendmail libmilter APIs to integrate ClamAV with the MTA.

Note: it is assumed that sendmail is already installed and configured.

RHES's default sendmail installation does not include libmilter (although sendmail itself is compiled with milter support), so you will need to obtain the sendmail source files. Check rpmfind for RPMs.

###
Software (your versions may differ):
clamav-0.70-rc.tar.gz
sendmail-8.12.10-1.src.rpm

###
Sendmail libmilter:
> rpm -ivh sendmail-8.12.10-1.src.rpm
> cd /usr/src/redhat/SOURCES/sendmail-8.12.10/libmilter
> sh Build install

Note: RH9/Fedora(?) do not extract the source tree; you must 'tar zxvf' the sendmail .tar.gz located in /usr/src/redhat/SOURCES.

Note: RHES's default installation does not include vacation for sendmail; now would be a good time to install vacation as well:
> cd /usr/src/redhat/SOURCES/sendmail-8.12.10/vacation
> sh Build install

###
ClamAV:

Create user and group for clamav:
>groupadd -g 601 clamav
>useradd -u 601 -g 601 -d /usr/local/share/clamav -s /bin/false clamav

> cd /usr/local/src/clamav-0.70-rc
> ./configure --enable-milter --sysconfdir=/etc; make; make install

Configure /etc/clamav.conf:
Comment out the "Example" line:
#Example
Include/uncomment the following:
LocalSocket /tmp/clamd
StreamSaveToDisk
StreamMaxLength 10M
MaxThreads 10
ReadTimeout 500 <-- USE FOR clamav-70
ThreadTimeout 500 <-- USE ONLY for clamav-70-rc, deprecated
User clamav
ScanMail
ScanArchive
ArchiveMaxFileSize 10M

###
Setup init.d to include clamd:
> cp /usr/local/src/clamav-0.70-rc/contrib/init/RedHat/clamd /etc/init.d/
> chmod 755 /etc/init.d/clamd

###
Setup init.d to include clamav-milter:
> cp /usr/local/src/clamav-0.70-rc/contrib/init/RedHat/clamav-milter /etc/init.d/
> chmod 755 /etc/init.d/clamav-milter

###
Customize clamav-milter start arguments:
> pico -w /etc/init.d/clamav-milter
Find the 'daemon' line in the 'start()' section and change it to the following:
daemon clamav-milter -P local:/var/run/clamav/clamav.sock --dont-scan-on-error -ol --noreject

###
Setup the socket directory:
> mkdir /var/run/clamav
> chown clamav:clamav /var/run/clamav

###
Setup system boot scripts in /etc/rc.d/:
IMPORTANT: clamd must be started before clamav-milter
> ln -s /etc/init.d/clamd /etc/rc2.d/S20clamd
> ln -s /etc/init.d/clamd /etc/rc3.d/S98clamd
> ln -s /etc/init.d/clamd /etc/rc4.d/S98clamd
> ln -s /etc/init.d/clamd /etc/rc5.d/S98clamd
> ln -s /etc/init.d/clamd /etc/rc0.d/K20clamd
> ln -s /etc/init.d/clamd /etc/rc1.d/K20clamd
> ln -s /etc/init.d/clamd /etc/rc6.d/K20clamd
> ln -s /etc/init.d/clamav-milter /etc/rc2.d/S91clamav-milter
> ln -s /etc/init.d/clamav-milter /etc/rc3.d/S99clamav-milter
> ln -s /etc/init.d/clamav-milter /etc/rc4.d/S99clamav-milter
> ln -s /etc/init.d/clamav-milter /etc/rc5.d/S99clamav-milter
> ln -s /etc/init.d/clamav-milter /etc/rc0.d/K30clamav-milter
> ln -s /etc/init.d/clamav-milter /etc/rc1.d/K30clamav-milter
> ln -s /etc/init.d/clamav-milter /etc/rc6.d/K30clamav-milter

###
Configure sendmail.mc to include clamav milter support:
> pico -w /etc/mail/sendmail.mc
Add the following lines:
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav.sock, F=T, T=S:4m;R:4m')
define(`confINPUT_MAIL_FILTERS', `clamav')dnl

> mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.sav
> m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

###
Now start the daemons in the following order:
> /etc/init.d/sendmail start
> /etc/init.d/clamd start
> /etc/init.d/clamav-milter start
> /etc/init.d/sendmail restart

Check /var/log/maillog and /var/log/messages for errors.
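A check worth running before the daemons are started, added here and not part of the original notes: the socket the milter listens on in the init script must be the same path sendmail.mc points at, and clamd will not start while the Example line is still active. The three snippets below are constructed from the values used in the steps above, not copied from a live system.

```python
import re

# Constructed copies of the three files edited above, using the page's values.
CLAMAV_CONF = """\
#Example
LocalSocket /tmp/clamd
StreamSaveToDisk
MaxThreads 10
User clamav
ScanMail
ScanArchive
"""

MILTER_DAEMON_LINE = ("daemon clamav-milter -P local:/var/run/clamav/clamav.sock "
                      "--dont-scan-on-error -ol --noreject")

SENDMAIL_MC = """\
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clamav.sock, F=T, T=S:4m;R:4m')
define(`confINPUT_MAIL_FILTERS', `clamav')dnl
"""


def active_directives(conf_text):
    """{directive: value} for the uncommented lines of a clamav.conf."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
    return directives


def socket_paths(daemon_line, mc_text):
    """(socket the milter listens on, socket sendmail connects to)."""
    init_sock = re.search(r"(local:\S+)", daemon_line)
    mc_sock = re.search(r"S=(local:[^,\s']+)", mc_text)
    return (init_sock and init_sock.group(1), mc_sock and mc_sock.group(1))


def check_setup(conf_text, daemon_line, mc_text):
    """Problems that would stop mail from being scanned; [] means consistent."""
    problems = []
    conf = active_directives(conf_text)
    if "Example" in conf:
        problems.append("clamav.conf: 'Example' still active, clamd will not start")
    if conf.get("User") != "clamav":
        problems.append("clamav.conf: clamd should drop privileges to user clamav")
    if "LocalSocket" not in conf:
        problems.append("clamav.conf: no LocalSocket for clamav-milter to talk to")
    init_sock, mc_sock = socket_paths(daemon_line, mc_text)
    if init_sock != mc_sock:
        problems.append(f"milter listens on {init_sock} but sendmail.mc uses {mc_sock}")
    return problems
```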

###
Update clamav database:
> pico -w /etc/cron.daily/freshclam

Add the following:

#!/bin/bash
/usr/local/bin/freshclam > /dev/null 2>&1

>chmod 755 /etc/cron.daily/freshclam

###
Now, all messages are scanned for viruses/worms. If an infected message is sent by a user of the system and relayed via SMTP, clamav-milter will not allow the message to be sent; instead, the user will receive a "virus detected" error within their email client.

If an incoming message is sent to a user of the system, the message will be discarded (/dev/null) and a notification will be sent to postmaster@localhost. You may customize the handling of infected messages in /etc/clamd.conf. Also, you should NOT send a notification to the sender or receiver when an infected message is detected: the headers are usually spoofed, and doing so will only generate unnecessary email traffic.

[DONE]

If a message is sent to a non-existent user of the system, it is normally bounced back to the sender. In the event of virus/worm outbreaks or spam probes of the system, this can present a problem (i.e. bouncing infected messages increases email traffic). To discard all messages directed to non-existent users of the system, do the following. Note: instructions are based on sendmail version 8.12.10-1.

Edit the sendmail.mc file, and add the LUSER_RELAY line:
> pico -w /etc/mail/sendmail.mc
Add this line:
define(`LUSER_RELAY', `local:mailnull')dnl

> mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.sav
> m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Edit the sendmail aliases file to direct all messages sent to "mailnull" to /dev/null:

> pico -w /etc/aliases
Find the "mailnull: root" line and change it to:
mailnull: /dev/null

Restart sendmail:
> /etc/init.d/sendmail restart

[DONE]

To get vsftpd to work on Red Hat 9, follow the previous HOWTO
but make the following changes:

The vsftpd.conf file is now located in /etc/vsftpd/vsftpd.conf

When creating the xinetd vsftpd file, include the server_args line (this will let vsftpd know that the vsftpd.conf file is now in the subdir):

Edit /etc/xinetd.d/vsftpd to contain:
service ftp
{

disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
server_args = /etc/vsftpd/vsftpd.conf
nice = 10
per_source = 5
instances = 50
log_on_success += PID HOST DURATION
log_on_failure += HOST
}

Then, edit the 'listen=YES' line of the /etc/vsftpd/vsftpd.conf file to:
listen=NO

I am using vsftpd-1.1.3-8.i386.rpm; this is an updated RPM from RH that re-enables TCP Wrapper support.

[DONE]

'finger' for standard users always shows "Never logged in." To fix this, you must change /var/log/lastlog to allow global read: chmod 644 /var/log/lastlog

[These instructions are for Red Hat 9 and jabber-1.4.2 source]

The latest jabber server fails to compile on RH9. The following is how to make it work:

In /usr/lib create these symlinks (if not there already):
libcrypto.so -> ../../lib/libcrypto.so.0.9.7a
libcrypto.so.2 -> ../../lib/libcrypto.so.0.9.7a

libssl.so -> ../../lib/libssl.so.0.9.7a
libssl.so.2 -> ../../lib/libssl.so.0.9.7a

Then run:
./configure --enable-ssl

Edit the platform-settings file in the jabber package to include the kerberos include dir. Append
-I/usr/kerberos/include
to the end of the CFLAGS and CCFLAGS lines.

Then, just follow the jabber documentation to compile/install:
make
edit .xml file

[These instructions work with Red Hat 9 using the RPM versions listed below
I’ve also used psad-1.1.1, works fine. Later versions of psad don’t permanently block offending IPs, so I’ve not upgraded.]

HOWTO: Install/Config bridge with netfilter (iptables)

Q: Why am I using a bridge?
A: I have a LAN, with ‘real’, named ips. I don’t want to assign the machines inside the firewall private ips. I don’t have any control over routing, all routing is done externally. I don’t want to change ANYTHING on the internal lan.

So…I Google’d and stumbled across the Linux Bridge Project…it is perfect.

My LAN setup is:

EXTERNAL
|

Bridge/Firewall
|

GigaSwitch
|

Client A…Client B…Client C…etc.

Here is how to get bridge-ing to work:

Note: try the prebuilt kernel first, if it works, great, otherwise you’ll have to compile/patch your own.

#####RPM PREBUILT KERNEL#####
Download the prebuilt kernel. Obtain the one with netfilter, this will implement iptables.
kernel-2.4.18-10brnf0.0.7.i686.rpm
Also, get the bridge-utils-0.9.6-1.i386.rpm

rpm -ivh --oldpackage kernel-2.4.18-10brnf0.0.7.i686.rpm
rpm -ivh bridge-utils-0.9.6-1.i386.rpm

reboot, select new kernel

#####

#####COMPILE KERNEL WITH BRIDGE PATCH#####
Get the kernel bridge patch: bridge-nf-0.0.7-against-2.4.19.diff
Get the kernel source rpm (hey, why not?), i got the newest one from RedHat
kernel-source-2.4.20-18.9
Also, get the bridge-utils-0.9.6-1.i386.rpm

rpm -ivh bridge-utils-0.9.6-1.i386.rpm

To compile/patch the kernel:
rpm -ivh kernel-source-2.4.20-18.9
This will place the source in: /usr/src/linux-2.4.20-18.9

cp bridge-nf-0.0.7-against-2.4.19.diff /usr/src/linux-2.4.20-18.9
cd /usr/src/linux-2.4.20-18.9
patch -p1 -b < bridge-nf-0.0.7-against-2.4.19.diff
make clean
make mrproper
make menuconfig (I don't run X11 on the firewall, so no make xconfig!)

Go through the kernel components, and select what you need.

make dep
make bzImage
make modules

copy /usr/src/linux-2.4.20-18.9/arch/i386/boot/bzImage to /boot/vmlinuz-2.4.20-18.9-mybridge

cd /usr/src/linux-2.4.20-18.9
make modules_install

copy /usr/src/linux-2.4.20-18.9/System.map to /boot/System.map-2.4.20-18.9-mybridge

/sbin/new-kernel-pkg --install --mkinitrd --depmod 2.4.20-18.9-mybridge
Check /etc/grub.conf to see if the bridge kernel is the default boot.

reboot

#####

Turn off networking:
/etc/init.d/network stop

Flush iptables rules:
iptables -F
iptables -X

'chkconfig off' almost everything (we really don't want RH to create iptables rules on startup)

ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up

brctl addbr mybridge

brctl addif mybridge eth0
brctl addif mybridge eth1

ifconfig mybridge up

Keep all the settings on client machines the same (isp gateway/dns/ip/etc).
Simply connect the clients to the switch, and you should get external connection.
From outside of the firewall, you should be able to get to the clients.

If you want to give the bridge an IP in order to ssh (for administration):
ifconfig mybridge x.x.x.x netmask x.x.x.x

You may need to add the default route:
ip route add default via x.x.x.x

Now, after bridge is setup, get an iptables rules script.

Edit the script, change it to fit your particular network, and then run it (depending on format):
chmod 755 fw_script ; ./fw_script
or
iptables-restore < fw_script

After setup/administration of the bridge is complete, disable remote access to the bridge:
ifconfig mybridge 0.0.0.0

To get Port Scan Attack Detector to work with bridge, install as described in previous post.
Change the following (this is because iptables LOGs are different with bridge, need to modify psad/kmsgsd to look for the ‘right’ things in log file):

#####/usr/sbin/kmsgsd#####

# First:
my $LOCAL_IPS = $Config_href->{'LOCAL_IPS'};

# Second:

### main loop
for (;;) {
    open FIFO, "< $PSAD_FIFO" or die "Can't open file : $!\n";
    my $service = <FIFO>;   ### don't chomp for better performance
    if (defined $service
        ### Need to get rid of this line so MAC is not searched for
        # && ($service =~ /Packetslog/ || $service =~ /IN.+?OUT.+?MAC/)
        && ($service =~ /Packetslog/ || $service =~ /IN.+?OUT/)
        && $service =~ /$FW_MSG_SEARCH/
        ### We need this for looking for scans on local IPs (see below)
        && $service =~ /$LOCAL_IPS/) {

        ### log to the fwdata file

#####/usr/sbin/psad#####

## First:
sub check_fw() {
    my $line = shift;

    ### Pound out all this crap, force iptables without checking MAC condition
    ### ipchains log messages do not have a MAC address field
    #if ($line !~ /MAC=/) {
    #    $USE_IPCHAINS = 1;
    #} else {
        $USE_IPTABLES = 1;
    #}
}

#####

## Second:

# Change the autoblock rule to FORWARD instead of $inchain (INPUT)
system "$Cmds{'iptables'} -I FORWARD 1 -s $src " .

#####/etc/psad/psad.conf

# List inside IPs here, so we only look for port scans on these
# Don't forget the ; at the end!
LOCAL_IPS 1.2.3.4|4.3.2.1;

Note: newer versions of psad have integrated some of the above changes, so they may not be needed.
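The effect of the kmsgsd change above, as an added example that is not part of the original notes: the same selection logic in Python, run over constructed iptables LOG lines, shows that the original IN.+?OUT.+?MAC test silently drops every line the bridge logs (bridged packets carry no MAC= field), while the LOCAL_IPS test still limits psad to scans against the inside hosts. The "DROP" log prefix standing in for FW_MSG_SEARCH and all addresses are assumptions.

```python
import re

# Constructed kernel log lines (not from the page). Line 1 is what a routed
# host logs; lines 2-3 are what the bridge logs: no MAC= field at all.
# The "DROP" prefix stands in for psad's FW_MSG_SEARCH value (an assumption).
SAMPLE_LOG = """\
Jun  1 10:00:01 fw kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=1.2.3.4 LEN=40 PROTO=TCP SPT=40000 DPT=22 SYN
Jun  1 10:00:02 fw kernel: DROP IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=1.2.3.4 LEN=40 PROTO=TCP SPT=40001 DPT=23 SYN
Jun  1 10:00:03 fw kernel: DROP IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=203.0.113.9 LEN=40 PROTO=TCP SPT=40002 DPT=25 SYN
Jun  1 10:00:04 fw sshd[123]: Accepted publickey for admin from 1.2.3.4 port 50000
"""

# The two tests from the kmsgsd main loop: psad's original one, which
# requires a MAC= field, and the bridge-friendly one substituted above.
ORIGINAL_TEST = re.compile(r"IN.+?OUT.+?MAC")
BRIDGE_TEST = re.compile(r"IN.+?OUT")

# psad.conf LOCAL_IPS from the page, as a regex. The dots are escaped here;
# in the Perl /1.2.3.4|4.3.2.1/ a dot is a wildcard and also matches 1x2y3z4.
LOCAL_IPS = re.compile("|".join(re.escape(ip) for ip in ("1.2.3.4", "4.3.2.1")))
DST = re.compile(r"DST=(\S+)")


def kmsgsd_select(log_text, packet_test, fw_msg_search="DROP", local_ips=LOCAL_IPS):
    """Lines kmsgsd would write to the fwdata file for psad to analyse."""
    selected = []
    for line in log_text.splitlines():
        if (packet_test.search(line)
                and fw_msg_search in line
                and local_ips.search(line)):
            selected.append(line)
    return selected


def scanned_local_hosts(log_text, packet_test):
    """Destination addresses psad would see scans against under a given test."""
    return [DST.search(line).group(1) for line in kmsgsd_select(log_text, packet_test)]


if __name__ == "__main__":
    print("original test sees:", scanned_local_hosts(SAMPLE_LOG, ORIGINAL_TEST))
    print("bridge test sees:  ", scanned_local_hosts(SAMPLE_LOG, BRIDGE_TEST))
```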

[DONE]

[These instructions work with RH 8 & 9]

This is HOWTO setup sendmail and imap on RH 8. I am using the RPMs since I don't need to do anything 'special' that needs the source.

RPMs:
aumber:~>rpm -qa | grep sendmail
sendmail-8.12.5-7
sendmail-cf-8.12.5-7
imap-2001a-15
spamassassin-2.31-16

In the file /etc/mail/sendmail.mc
find this line and comment it using sendmail comment (dnl):
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA’)

Run sendmail m4 to save the changes into the sendmail config file:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

In the file /etc/mail/relay-domains
add all the domains/hosts/IPs that you want to allow IMAP from
(this is for smtp relaying).

In /etc/hosts.allow add the following to allow anyone from anywhere to send us mail and to IMAP to the machine (you could just change the imapd line to particular hosts, but I'm not that paranoid):
sendmail: ALL
imapd: ALL

Turn on imap from xinetd:
/etc/xinetd.d/imap
disable=no

Start up sendmail and spamassassin:
/etc/init.d/sendmail start
/etc/init.d/spamassassin start

For spamassassin, you need to put the following in the user’s .procmailrc file so incoming mail for the user gets ‘scanned’:
:0fw
| /usr/bin/spamc -s 256000

:0:
* ^X-Spam-Status: Yes
spam

To allow mail from certain domains NOT to be marked as spam, edit the user_prefs file in the user home dir:

~/.spamassassin/user_prefs:
whitelist_from *@alloweddomain.com

[DONE]

[These instructions work with Red Hat Linux release 7.3 & 8.0,
using the RPM for vsftpd-1.1.0-1]

vsftpd is a ‘secure, fast’ FTP daemon/server

I am using the rpm since no special compiling is needed.
rpm : vsftpd-1.1.0-1

This is vsftpd's xinetd listing (cat /etc/xinetd.d/vsftpd):
service ftp
{

disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
nice = 10
per_source = 5
instances = 50
log_on_success += PID HOST DURATION
log_on_failure += HOST
}

The following is vsftpd’s TCP Wrapper entry (/etc/hosts.allow):
vsftpd:

To setup virtual users, begin by creating a login/passwd file.
Make a plain text file (e.g. logins.txt) containing username and password on separate lines. For example:
foo
bar

Issue the db command to create a hashed file.
db_load -T -t hash -f logins.txt /etc/vsftpd_login.db

Set the correct file permissions on the passwd file:
chmod 600 /etc/vsftpd_login.db

Replace /etc/pam.d/vsftpd with same filename containing:

#%PAM-1.0
auth required /lib/security/pam_userdb.so db=/etc/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd_login

Setup the location for virtual user dir
useradd -d /home/ftpsite virtualusername

For my setup, /etc/passwd looks like the following:
virtualusername:x:505:505::/ftpuploads:/sbin/nologin

Edit vsftpd’s config file (/etc/vsftpd.conf):
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=077
chroot_local_user=YES
pam_service_name=vsftpd
user_config_dir=/etc/vsftpd_user_conf
guest_enable=YES
guest_username=virtual (or whatever you set up)

Create the user configuration dir. This is where per-user config files are placed:
mkdir /etc/vsftpd_user_conf

Create a file with the same name as the virtual user login that was created above.
/etc/vsftpd_user_conf/foo (foo is from logins.txt):
anon_world_readable_only=NO
write_enable=YES
anon_upload_enable=YES
anon_umask=007

restart xinetd

If you have a firewall, enable high-port access for the IPs that you allow to connect via vsftpd.

[DONE]

[These instructions work on RH 8 using scponly-3.5.tar source]

./configure --enable-chrooted-binary --disable-wildcards
(I disable wildcards since I don't 'trust' the code)

make; make install
You might get gcc warnings, but that's ok.

add to /etc/shells:
/usr/local/sbin/scponlyc

make jail

prompts for what dir? /home/
prompts for what user?

passwd

make jail will start doing some copying and will give errors, do following to complete:

cd /home//lib
cp /lib/i686/libc.so.6 .
cd /home//usr/lib
cp /usr/kerberos/lib/libcom_err.so.3 .
cp /usr/kerberos/lib/libk5crypto.so.3 .
cp /usr/kerberos/lib/libkrb5.so.3 .
