Charity admin
This page chronicles the administrative changes to charity.progclub.org. If you make an administrative change you should document the change here. Changes are logged here in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is earlier than a time-stamp later in the page; just put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative reference for other information.
John 2014-06-06
Install ViewVC
root@charity:/# apt-get install statsvn viewvc viewvc-query
John 2014-04-10
Whitelist John's IP in fail2ban
# vim /etc/fail2ban/jail.conf
ignoreip = 127.0.0.1 60.240.67.126
# reboot
Allow SSH only for members of sudo group
Following these instructions:
root@charity:/etc/ssh# vim sshd_config
AllowGroups sudo
jj5@charity:~$ sudo service ssh restart
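The two changes above (an ignoreip whitelist in fail2ban and an AllowGroups restriction in sshd) are both edits that can lock the administrator out if the value is wrong, so the useful thing to run before the restart or reboot is a pre-flight check. The script below is an added example, not part of this wiki page or of anything on the charity host: it checks that the named user belongs to one of the AllowGroups groups and that the admin IP is literally present in the ignoreip list. The config paths, the user name jj5 and the IP addresses used in the demo are constructed placeholders, and the ALLOWGROUPS_GROUPS override exists only so the check can run against constructed data. Note that fail2ban reads jail.conf and then jail.local, so a local override belongs in jail.local (as the later 2012 entry on this page does) rather than in jail.conf, which package upgrades may replace.

```shell
#!/bin/sh
# Added example: pre-flight checks before restarting sshd with AllowGroups or
# rebooting with a new fail2ban ignoreip list. Not from the wiki page.

# check_allowgroups CONFIG USER
# Exit 0 if CONFIG has an AllowGroups directive and USER is in one of the
# listed groups; exit 1 if USER would be locked out; exit 2 if the directive
# is absent (sshd then restricts nothing). Membership comes from `id -nG`
# unless ALLOWGROUPS_GROUPS is set (used here to run on constructed data).
check_allowgroups() {
    config="$1"; user="$2"
    allowed=$(awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$config")
    if [ -z "$allowed" ]; then
        echo "no AllowGroups directive in $config"
        return 2
    fi
    membership="${ALLOWGROUPS_GROUPS:-$(id -nG "$user" 2>/dev/null)}"
    for g in $allowed; do
        for m in $membership; do
            if [ "$g" = "$m" ]; then
                echo "ok: $user is in allowed group $g"
                return 0
            fi
        done
    done
    echo "LOCKOUT RISK: $user is in none of: $allowed"
    return 1
}

# check_ignoreip JAILFILE IP
# Exit 0 if an "ignoreip = ..." line (the spacing used on this page) lists IP
# exactly; no CIDR matching is attempted. Exit 1 otherwise.
check_ignoreip() {
    awk -v ip="$2" '
        tolower($1) == "ignoreip" { for (i = 3; i <= NF; i++) if ($i == ip) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Demo on constructed files; jj5, 192.0.2.10 and 198.51.100.1 are placeholders.
demo() {
    d=$(mktemp -d)
    printf 'Port 22\nPermitRootLogin no\nAllowGroups sudo\n' > "$d/sshd_config"
    printf '[DEFAULT]\nignoreip = 127.0.0.1 192.0.2.10\nbantime = 3600\n' > "$d/jail.local"
    ALLOWGROUPS_GROUPS="jj5 sudo" check_allowgroups "$d/sshd_config" jj5
    ALLOWGROUPS_GROUPS="jj5 users" check_allowgroups "$d/sshd_config" jj5 || true
    check_ignoreip "$d/jail.local" 192.0.2.10 && echo "ok: 192.0.2.10 is whitelisted"
    check_ignoreip "$d/jail.local" 198.51.100.1 || echo "warning: 198.51.100.1 is not in ignoreip"
    rm -rf "$d"
}
demo
```

On a live host the calls would be `check_allowgroups /etc/ssh/sshd_config "$USER"` and `check_ignoreip /etc/fail2ban/jail.local <your-ip>`, followed by `sshd -t` to syntax-check the file, all before `service ssh restart`.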
John 2014-04-07
Git repos via HTTPS
Following these instructions:
root@charity:~# apt-get install git-core apache2 apache2-utils openssl
root@charity:~# mkdir /var/git
root@charity:~# cd /var/git
root@charity:/var/git# mkdir test.git
root@charity:/var/git# cd test.git/
root@charity:/var/git/test.git# git init --bare
root@charity:/var/git/test.git# chown -R www-data:www-data .
Edit /etc/apache2/sites-enabled/default-ssl:
SetEnv GIT_PROJECT_ROOT /var/git
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
<Location /git/>
    AuthType Basic
    AuthName "ProgClub git"
    AuthUserFile /etc/apache2/git.passwd
    <LimitExcept GET HEAD>
        Require valid-user
    </LimitExcept>
</Location>
<Directory /usr/lib/git-core/>
    AllowOverride None
    Options +ExecCGI -Includes
    Order allow,deny
    Allow from all
</Directory>
root@charity:/etc/apache2/sites-enabled# apache2ctl graceful
And to set up a git repo for Chris:
root@charity:/var/git# mkdir pccipher-firefox-addon.git
root@charity:/var/git# cd pccipher-firefox-addon.git/
root@charity:/var/git/pccipher-firefox-addon.git# git init --bare
Initialized empty Git repository in /var/git/pccipher-firefox-addon.git/
root@charity:/var/git/pccipher-firefox-addon.git# chown -R www-data:www-data .
John 2012-10-30
Postfix RBL client restrictions
Better late than never! Modified /etc/postfix/main.cf to change this:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
To this:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, permit
Then:
root@charity:/etc/postfix# postfix reload
Hopefully that will stop a lot of the spam!
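Two things are worth checking whenever smtpd_recipient_restrictions is edited: that reject_unauth_destination is still present and still comes before any bare "permit" (otherwise the host becomes an open relay), and what name each reject_rbl_client entry actually causes Postfix to look up. The script below is an added example, not from this wiki page or from Postfix: get_restrictions pulls the value out of a main.cf (handling continuation lines), check_recipient_restrictions applies the ordering rule, and dnsbl_name shows the reversed-octet query name for an IPv4 client. The main.cf excerpt and the IP addresses in the demo are constructed. One caveat that the list above invites: DNSBL zones are third-party services, and a zone that is no longer operated should be dropped from the list, since a re-registered domain that answers every query would reject all inbound mail.

```shell
#!/bin/sh
# Added example: review helpers for a Postfix smtpd_recipient_restrictions
# change. Not from the wiki page and not part of Postfix.

# dnsbl_name IPV4 ZONE
# Prints the reversed-octet name Postfix queries, e.g. 192.0.2.15 -> 15.2.0.192.ZONE.
# A listed client resolves to an address in 127.0.0.0/8; an unlisted one is NXDOMAIN.
# Prints nothing for non-IPv4 input (IPv6 uses a different, nibble-based form).
dnsbl_name() {
    printf '%s\n' "$1" | awk -F. -v zone="$2" 'NF == 4 { print $4 "." $3 "." $2 "." $1 "." zone }'
}

# get_restrictions MAINCF
# Prints the value of smtpd_recipient_restrictions, joining Postfix-style
# continuation lines (lines that begin with whitespace).
get_restrictions() {
    awk '
        /^[[:space:]]/ { if (collect) val = val " " $0; next }
        { collect = 0 }
        /^smtpd_recipient_restrictions[[:space:]]*=/ { sub(/^[^=]*=/, ""); val = $0; collect = 1 }
        END { print val }' "$1"
}

# check_recipient_restrictions VALUE
# Exit 0 if reject_unauth_destination is present and no bare "permit"
# precedes it; exit 1 with a reason otherwise. Also counts DNSBL entries.
check_recipient_restrictions() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        { gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next; n++; item[n] = $0 }
        END {
            rud = 0; firstpermit = 0; rbl = 0
            for (i = 1; i <= n; i++) {
                if (item[i] == "reject_unauth_destination" && !rud) rud = i
                if (item[i] == "permit" && !firstpermit) firstpermit = i
                if (item[i] ~ /^reject_rbl_client /) rbl++
            }
            if (!rud) { print "FAIL: reject_unauth_destination missing (open relay)"; exit 1 }
            if (firstpermit && firstpermit < rud) { print "FAIL: bare permit before reject_unauth_destination (open relay)"; exit 1 }
            print "ok: relay control at position " rud " of " n ", " rbl " DNSBL check(s)"
            exit 0
        }'
}

# Demo: the restriction list from the change above, then an unsafe variant.
demo() {
    dnsbl_name 192.0.2.15 sbl-xbl.spamhaus.org
    check_recipient_restrictions "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client sbl-xbl.spamhaus.org, permit"
    check_recipient_restrictions "permit_mynetworks, permit, reject_unauth_destination" || true
}
demo
```

On the host itself the check is `check_recipient_restrictions "$(get_restrictions /etc/postfix/main.cf)"`; `postconf smtpd_recipient_restrictions` gives the same value already joined, if Postfix is installed where the script runs.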
John 2012-07-31 16:22
Installing dpkg-dev
jj5@charity:~/mailman$ apt-get source mailman
Reading package lists... Done
Building dependency tree
Reading state information... Done
NOTICE: 'mailman' packaging is maintained in the 'Svn' version control system at:
svn://svn.debian.org/svn/pkg-mailman/trunk
Need to get 8,303kB of source archives.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main mailman 1:2.1.13-1ubuntu0.2 (dsc) [2,078B]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main mailman 1:2.1.13-1ubuntu0.2 (tar) [8,167kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main mailman 1:2.1.13-1ubuntu0.2 (diff) [134kB]
Fetched 8,303kB in 1s (4,601kB/s)
sh: dpkg-source: not found
Unpack command 'dpkg-source -x mailman_2.1.13-1ubuntu0.2.dsc' failed.
Check if the 'dpkg-dev' package is installed.
E: Child process failed
jj5@charity:~/mailman$ ll
total 8.0M
drwxr-xr-x  2 jj5 sudo 4.0K 2012-07-31 16:22 ./
drwxr-xr-x 25 jj5 sudo 4.0K 2012-07-31 16:22 ../
-rw-r--r--  1 jj5 sudo 132K 2011-02-23 07:08 mailman_2.1.13-1ubuntu0.2.diff.gz
-rw-r--r--  1 jj5 sudo 2.1K 2011-02-23 07:08 mailman_2.1.13-1ubuntu0.2.dsc
-rw-r--r--  1 jj5 sudo 7.8M 2010-01-18 19:05 mailman_2.1.13.orig.tar.gz
jj5@charity:~/mailman$ sudo apt-get install dpkg-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  build-essential fakeroot liblzma1 xz-utils
Suggested packages:
  debian-keyring debian-maintainers
The following NEW packages will be installed:
  build-essential dpkg-dev fakeroot liblzma1 xz-utils
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,146kB of archives.
After this operation, 3,330kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main liblzma1 4.999.9beta+20091116-1 [151kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main xz-utils 4.999.9beta+20091116-1 [233kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dpkg-dev 1.15.5.6ubuntu4.5 [654kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main build-essential 11.4build1 [7,278B]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main fakeroot 1.14.4-1ubuntu1 [101kB]
Fetched 1,146kB in 1s (1,033kB/s)
Selecting previously deselected package liblzma1.
(Reading database ... 37323 files and directories currently installed.)
Unpacking liblzma1 (from .../liblzma1_4.999.9beta+20091116-1_amd64.deb) ...
Selecting previously deselected package xz-utils.
Unpacking xz-utils (from .../xz-utils_4.999.9beta+20091116-1_amd64.deb) ...
Selecting previously deselected package dpkg-dev.
Unpacking dpkg-dev (from .../dpkg-dev_1.15.5.6ubuntu4.5_all.deb) ...
Selecting previously deselected package build-essential.
Unpacking build-essential (from .../build-essential_11.4build1_amd64.deb) ...
Selecting previously deselected package fakeroot.
Unpacking fakeroot (from .../fakeroot_1.14.4-1ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up liblzma1 (4.999.9beta+20091116-1) ...
Setting up xz-utils (4.999.9beta+20091116-1) ...
Setting up dpkg-dev (1.15.5.6ubuntu4.5) ...
Setting up build-essential (11.4build1) ...
Setting up fakeroot (1.14.4-1ubuntu1) ...
update-alternatives: using /usr/bin/fakeroot-sysv to provide /usr/bin/fakeroot (fakeroot) in auto mode.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added alternatives/faked.1.gz
added alternatives/faked.es.1.gz
added alternatives/faked.fr.1.gz
added alternatives/faked.sv.1.gz
added alternatives/fakeroot
added alternatives/fakeroot.1.gz
added alternatives/fakeroot.es.1.gz
added alternatives/fakeroot.fr.1.gz
added alternatives/fakeroot.sv.1.gz
added dpkg/shlibs.default
added dpkg/shlibs.override
Committed revision 157.
John 2012-03-01 07:25
Subscribing root@charity to log@progclub.org mailing list
Had a problem with some of the email being delivered to the log@progclub.org mailing list getting flagged as spam, but it's legitimate log email. I decided to subscribe the sender to the list so that it received its spam bonus so that future mail didn't get flagged as spam. The email address reported by the process that sends the logs is root@charity, which mailman won't accept because it's a badly formed email address. I asked about how to fix this problem and received an answer, so following those instructions:
jj5@charity:~$ note Subscribing root@charity to log@progclub.org mailing list
Session: /home/jj5/.session/2012/03/01/2012-03-01-073135
Note: Subscribing root@charity to log@progclub.org mailing list
jj5@charity:~$ sudo -u list -s
list@charity:~$ cd /var/lib/mailman/
list@charity:/var/lib/mailman$ bin/withlist log
Loading list log (unlocked)
The variable `m' is the log MailList instance
>>> m.addNewMember('root@charity')
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/var/lib/mailman/Mailman/OldStyleMemberships.py", line 173, in addNewMember
    assert self.__mlist.Locked()
AssertionError
>>>
Finalizing
That was a mistake, forgot the -l flag.
list@charity:/var/lib/mailman$ bin/withlist -l log
Loading list log (locked)
The variable `m' is the log MailList instance
>>> m.addNewMember('root@charity')
>>> m.Save()
>>>
Unlocking (but not saving) list: log
Finalizing
list@charity:/var/lib/mailman$ note Third line of withlist commands was Ctrl+D.
Note: Third line of withlist commands was Ctrl+D.
list@charity:/var/lib/mailman$ note Reviewed https://www.progclub.org/cgi-bin/mailman/admin/log/members and set root@chairty to nomail.
Note: Reviewed https://www.progclub.org/cgi-bin/mailman/admin/log/members and set root@chairty to nomail.
John 2012-02-28 13:50
Configuring etckeeper email commit notifications
Following these instructions.
jj5@charity:~$ echo $SESSION_PATH
/home/jj5/.session/2012/02/28/2012-02-28-134559
jj5@charity:~$ note Configuring etckeeper email commit notifications
Note: Configuring etckeeper email commit notifications
jj5@charity:~$ sudo -s
root@charity:~# cd /srv
root@charity:/srv# mkdir bzr
root@charity:/srv# cd bzr
root@charity:/srv/bzr# bzr branch lp:bzr-hookless-email
You have not informed bzr of your Launchpad ID, and you must do this to
write to Launchpad or access private data. See "bzr help launchpad-login".
Branched 30 revision(s).
root@charity:/srv/bzr# cd bzr-hookless-email/
root@charity:/srv/bzr/bzr-hookless-email# bzr pull
Using saved parent location: http://bazaar.launchpad.net/~bzr/bzr-hookless-email/trunk-2a/
No revisions to pull.
root@charity:/srv/bzr/bzr-hookless-email# cd /etc/cron.d
root@charity:/etc/cron.d# vim etckeeper-commit-notification
root@charity:/etc/cron.d# cat etckeeper-commit-notification
*/5 * * * * root /srv/bzr/bzr-hookless-email/bzr_hookless_email.py -e log@progclub.org -r /etc
John 2012-02-28 12:43
Installing and configuring logcheck
root@charity:/etc# apt-get install logcheck syslog-summary
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libipc-signal-perl libmime-types-perl libproc-waitstat-perl logcheck-database logtail mime-construct python-magic
Suggested packages:
  python-magic-dbg
The following NEW packages will be installed:
  libipc-signal-perl libmime-types-perl libproc-waitstat-perl logcheck logcheck-database logtail mime-construct python-magic syslog-summary
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 361kB of archives.
After this operation, 1,982kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libipc-signal-perl 1.00-6 [7,016B]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libmime-types-perl 1.28-1 [31.5kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libproc-waitstat-perl 1.00-4 [7,806B]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main mime-construct 1.10 [19.4kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid-updates/main logtail 1.3.7ubuntu2 [57.8kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main logcheck 1.3.7ubuntu2 [75.7kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/main logcheck-database 1.3.7ubuntu2 [115kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid/universe syslog-summary 1.14-1 [10.2kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid/main python-magic 5.03-5ubuntu1 [35.7kB]
Fetched 361kB in 1s (306kB/s)
Committing to: /etc/
modified group
modified group-
modified gshadow
modified gshadow-
modified apt/apt.conf.d/50unattended-upgrades
modified bind/named.conf.options
modified fail2ban/jail.local
modified logwatch/conf/logwatch.conf
Committed revision 144.
Selecting previously deselected package libipc-signal-perl.
(Reading database ... 33389 files and directories currently installed.)
Unpacking libipc-signal-perl (from .../libipc-signal-perl_1.00-6_all.deb) ...
Selecting previously deselected package libmime-types-perl.
Unpacking libmime-types-perl (from .../libmime-types-perl_1.28-1_all.deb) ...
Selecting previously deselected package libproc-waitstat-perl.
Unpacking libproc-waitstat-perl (from .../libproc-waitstat-perl_1.00-4_all.deb) ...
Selecting previously deselected package mime-construct.
Unpacking mime-construct (from .../mime-construct_1.10_all.deb) ...
Selecting previously deselected package logtail.
Unpacking logtail (from .../logtail_1.3.7ubuntu2_all.deb) ...
Selecting previously deselected package logcheck.
Unpacking logcheck (from .../logcheck_1.3.7ubuntu2_all.deb) ...
Selecting previously deselected package logcheck-database.
Unpacking logcheck-database (from .../logcheck-database_1.3.7ubuntu2_all.deb) ...
Selecting previously deselected package syslog-summary.
Unpacking syslog-summary (from .../syslog-summary_1.14-1_all.deb) ...
Selecting previously deselected package python-magic.
Unpacking python-magic (from .../python-magic_5.03-5ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libipc-signal-perl (1.00-6) ...
Setting up libmime-types-perl (1.28-1) ...
Setting up libproc-waitstat-perl (1.00-4) ...
Setting up mime-construct (1.10) ...
Setting up logtail (1.3.7ubuntu2) ...
Setting up logcheck (1.3.7ubuntu2) ...
Adding user logcheck to group adm
Setting up logcheck-database (1.3.7ubuntu2) ...
Setting up syslog-summary (1.14-1) ...
Setting up python-magic (5.03-5ubuntu1) ...
Committing to: /etc/ modified .etckeeper modified aliases modified aliases.db modified group modified group- modified gshadow modified gshadow- modified passwd modified passwd- modified shadow modified shadow- added syslog-summary added cron.d/logcheck added logcheck/cracking.d added logcheck/cracking.ignore.d added logcheck/header.txt added logcheck/logcheck.conf added logcheck/logcheck.logfiles added logcheck/violations.d added logcheck/cracking.d/kernel added logcheck/cracking.d/rlogind added logcheck/cracking.d/rsh added logcheck/cracking.d/smartd added logcheck/cracking.d/tftpd added logcheck/cracking.d/uucico added logcheck/ignore.d.paranoid/bind added logcheck/ignore.d.paranoid/cron added logcheck/ignore.d.paranoid/incron added logcheck/ignore.d.paranoid/logcheck added logcheck/ignore.d.paranoid/postfix added logcheck/ignore.d.paranoid/ppp added logcheck/ignore.d.paranoid/pureftp added logcheck/ignore.d.paranoid/qpopper added logcheck/ignore.d.paranoid/squid added logcheck/ignore.d.paranoid/ssh added logcheck/ignore.d.paranoid/stunnel added logcheck/ignore.d.paranoid/sysklogd added logcheck/ignore.d.paranoid/telnetd added logcheck/ignore.d.paranoid/tripwire added logcheck/ignore.d.paranoid/usb added logcheck/ignore.d.server/acpid added logcheck/ignore.d.server/amandad added logcheck/ignore.d.server/anacron added logcheck/ignore.d.server/anon-proxy added logcheck/ignore.d.server/apache added logcheck/ignore.d.server/apcupsd added logcheck/ignore.d.server/arpwatch added logcheck/ignore.d.server/automount added logcheck/ignore.d.server/bind added logcheck/ignore.d.server/bluez-utils added logcheck/ignore.d.server/courier added logcheck/ignore.d.server/cpqarrayd added logcheck/ignore.d.server/cpufreqd added logcheck/ignore.d.server/cracklib added logcheck/ignore.d.server/cron added logcheck/ignore.d.server/cron-apt added logcheck/ignore.d.server/cups-lpd added logcheck/ignore.d.server/cvs-pserver added logcheck/ignore.d.server/cvsd added 
logcheck/ignore.d.server/cyrus added logcheck/ignore.d.server/dcc added logcheck/ignore.d.server/ddclient added logcheck/ignore.d.server/dhclient added logcheck/ignore.d.server/dhcp added logcheck/ignore.d.server/dictd added logcheck/ignore.d.server/dkfilter added logcheck/ignore.d.server/dkim-filter added logcheck/ignore.d.server/dnsmasq added logcheck/ignore.d.server/dovecot added logcheck/ignore.d.server/dspam added logcheck/ignore.d.server/epmd added logcheck/ignore.d.server/exim4 added logcheck/ignore.d.server/fcron added logcheck/ignore.d.server/ftpd added logcheck/ignore.d.server/gnu-imap4d added logcheck/ignore.d.server/gps added logcheck/ignore.d.server/grinch added logcheck/ignore.d.server/horde3 added logcheck/ignore.d.server/hplip added logcheck/ignore.d.server/hylafax added logcheck/ignore.d.server/ikiwiki added logcheck/ignore.d.server/imap added logcheck/ignore.d.server/imapproxy added logcheck/ignore.d.server/imp added logcheck/ignore.d.server/imp4 added logcheck/ignore.d.server/innd added logcheck/ignore.d.server/ipppd added logcheck/ignore.d.server/isdnlog added logcheck/ignore.d.server/isdnutils added logcheck/ignore.d.server/jabberd added logcheck/ignore.d.server/kernel added logcheck/ignore.d.server/klogind added logcheck/ignore.d.server/krb5-kdc added logcheck/ignore.d.server/libpam-mount added logcheck/ignore.d.server/logcheck added logcheck/ignore.d.server/login added logcheck/ignore.d.server/maradns added logcheck/ignore.d.server/mldonkey-server added logcheck/ignore.d.server/mon added logcheck/ignore.d.server/mountd added logcheck/ignore.d.server/nagios added logcheck/ignore.d.server/netconsole added logcheck/ignore.d.server/nfs added logcheck/ignore.d.server/nntpcache added logcheck/ignore.d.server/nscd added logcheck/ignore.d.server/nslcd added logcheck/ignore.d.server/openvpn added logcheck/ignore.d.server/otrs added logcheck/ignore.d.server/passwd added logcheck/ignore.d.server/pdns added logcheck/ignore.d.server/perdition added 
logcheck/ignore.d.server/policyd added logcheck/ignore.d.server/popa3d added logcheck/ignore.d.server/postfix added logcheck/ignore.d.server/postfix-policyd added logcheck/ignore.d.server/ppp added logcheck/ignore.d.server/pptpd added logcheck/ignore.d.server/procmail added logcheck/ignore.d.server/proftpd added logcheck/ignore.d.server/puppetd added logcheck/ignore.d.server/pure-ftpd added logcheck/ignore.d.server/pureftp added logcheck/ignore.d.server/qpopper added logcheck/ignore.d.server/rbldnsd added logcheck/ignore.d.server/rpc_statd added logcheck/ignore.d.server/rsnapshot added logcheck/ignore.d.server/rsync added logcheck/ignore.d.server/sa-exim added logcheck/ignore.d.server/samba added logcheck/ignore.d.server/saned added logcheck/ignore.d.server/sasl2-bin added logcheck/ignore.d.server/saslauthd added logcheck/ignore.d.server/schroot added logcheck/ignore.d.server/scponly added logcheck/ignore.d.server/slapd added logcheck/ignore.d.server/smartd added logcheck/ignore.d.server/smbd_audit added logcheck/ignore.d.server/smokeping added logcheck/ignore.d.server/snmpd added logcheck/ignore.d.server/snort added logcheck/ignore.d.server/spamc added logcheck/ignore.d.server/spamd added logcheck/ignore.d.server/squid added logcheck/ignore.d.server/ssh added logcheck/ignore.d.server/stunnel added logcheck/ignore.d.server/su added logcheck/ignore.d.server/sudo added logcheck/ignore.d.server/sympa added logcheck/ignore.d.server/syslogd added logcheck/ignore.d.server/teapop added logcheck/ignore.d.server/telnetd added logcheck/ignore.d.server/tftpd added logcheck/ignore.d.server/thy added logcheck/ignore.d.server/ucd-snmp added logcheck/ignore.d.server/upsd added logcheck/ignore.d.server/uptimed added logcheck/ignore.d.server/userv added logcheck/ignore.d.server/vsftpd added logcheck/ignore.d.server/watchdog added logcheck/ignore.d.server/webmin added logcheck/ignore.d.server/wu-ftpd added logcheck/ignore.d.server/xinetd added logcheck/ignore.d.workstation/automount 
added logcheck/ignore.d.workstation/bind added logcheck/ignore.d.workstation/bluetooth-alsa added logcheck/ignore.d.workstation/bluez-utils added logcheck/ignore.d.workstation/bonobo added logcheck/ignore.d.workstation/dhcpcd added logcheck/ignore.d.workstation/francine added logcheck/ignore.d.workstation/gconf added logcheck/ignore.d.workstation/gdm added logcheck/ignore.d.workstation/hald added logcheck/ignore.d.workstation/hcid added logcheck/ignore.d.workstation/ifplugd added logcheck/ignore.d.workstation/ippl added logcheck/ignore.d.workstation/kdm added logcheck/ignore.d.workstation/kernel added logcheck/ignore.d.workstation/libpam-gnome-keyring added logcheck/ignore.d.workstation/logcheck added logcheck/ignore.d.workstation/login added logcheck/ignore.d.workstation/net-acct added logcheck/ignore.d.workstation/nntpcache added logcheck/ignore.d.workstation/polypaudio added logcheck/ignore.d.workstation/postfix added logcheck/ignore.d.workstation/ppp added logcheck/ignore.d.workstation/proftpd added logcheck/ignore.d.workstation/pump added logcheck/ignore.d.workstation/sendfile added logcheck/ignore.d.workstation/squid added logcheck/ignore.d.workstation/udev added logcheck/ignore.d.workstation/wdm added logcheck/ignore.d.workstation/winbind added logcheck/ignore.d.workstation/wpasupplicant added logcheck/ignore.d.workstation/xdm added logcheck/ignore.d.workstation/xlockmore added logcheck/ignore.d.workstation/xscreensaver added logcheck/violations.d/kernel added logcheck/violations.d/logcheck added logcheck/violations.d/smartd added logcheck/violations.d/su added logcheck/violations.d/sudo added logcheck/violations.ignore.d/logcheck-su added logcheck/violations.ignore.d/logcheck-sudo added syslog-summary/ignore.rules Committed revision 145.
root@charity:/etc# cd /etc/logcheck
root@charity:/etc/logcheck# ls
cracking.d         ignore.d.paranoid     logcheck.conf      violations.ignore.d
cracking.ignore.d  ignore.d.server       logcheck.logfiles
header.txt         ignore.d.workstation  violations.d
root@charity:/etc/logcheck# vim logcheck.conf
root@charity:/etc/logcheck# cat logcheck.conf
# The following variable settings are the initial default values,
# which can be uncommented and modified to alter logcheck's behaviour

# Controls the format of date-/time-stamps in subject lines:
# Alternatively, set the format to suit your locale
#DATE="$(date +'%Y-%m-%d %H:%M')"

# Controls the presence of boilerplate at the top of each message:
# Alternatively, set to "0" to disable the introduction.
#
# If the files /etc/logcheck/header.txt and /etc/logcheck/footer.txt
# are present their contents will be read and used as the header and
# footer of any generated mails.
#INTRO=1

# Controls the level of filtering:
# Can be Set to "workstation", "server" or "paranoid" for different
# levels of filtering. Defaults to server if not set.
REPORTLEVEL="server"

# Controls the address mail goes to:
# *NOTE* the script does not set a default value for this variable!
# Should be set to an offsite "emailaddress@some.domain.tld"
SENDMAILTO="log@progclub.org"

# Send the results as attachment or not.
# 0=not as attachment; 1=as attachment
# Default is 0
MAILASATTACH=0

# Should the hostname in the subject of generated mails be fully qualified?
FQDN=1

# Controls whether "sort -u" is used on log entries (which will
# eliminate duplicates but destroy the original ordering); the
# default is to use "sort -k 1,3 -s":
# Alternatively, set to "1" to enable unique sorting
#SORTUNIQ=0

# Controls whether /etc/logcheck/cracking.ignore.d is scanned for
# exceptions to the rules in /etc/logcheck/cracking.d:
# Alternatively, set to "1" to enable cracking.ignore support
#SUPPORT_CRACKING_IGNORE=0

# Controls the base directory for rules file location
# This must be an absolute path
#RULEDIR="/etc/logcheck"

# Controls if syslog-summary is run over each section.
# Alternatively, set to "1" to enable extra summary.
# HINT: syslog-summary needs to be installed.
SYSLOGSUMMARY=1

# Controls Subject: lines on logcheck reports:
#ATTACKSUBJECT="Security Alerts"
#SECURITYSUBJECT="Security Events"
#EVENTSSUBJECT="System Events"

# Controls [logcheck] prefix on Subject: lines
#ADDTAG="no"

# Set a different location for temporary files than /tmp
# this is useful if your /tmp is small and you are getting
# errors such as:
# cp: writing `/tmp/logcheck.y12449/checked': No space left on device
# /usr/sbin/logcheck: line 161: cannot create temp file for here document: No space left on device
# mail: /tmp/mail.RsXXXXpc2eAx: No space left on device
# Null message body; hope that's ok
#
# If this is happening, likely you will want to change the following to be some other
# location, such as /var/tmp
TMP="/tmp"
Then you need to patch syslog-summary to change the python2.5 env to python2:
root@charity:/# vim /usr/bin/syslog-summary
root@charity:/# head /usr/bin/syslog-summary
#!/usr/bin/env python2
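The logcheck.conf above selects REPORTLEVEL="server", which decides which ignore.d.* directories suppress lines, and the three commented subjects (ATTACKSUBJECT, SECURITYSUBJECT, EVENTSSUBJECT) correspond to the cracking.d, violations.d and remaining-lines tiers that the etckeeper commit listed. The script below is an added example, written for this page and not logcheck's own script: it is a simplified emulation of that rule-directory triage so that a candidate ignore rule can be tried against sample log lines before it is dropped into /etc/logcheck. The rule tree and syslog lines it builds are constructed, and the hostnames and addresses in them are documentation values.

```shell
#!/bin/sh
# Added example, not from the wiki page and not logcheck itself: a simplified
# emulation of logcheck's rule directories.
#   ALERT  = lines matching any pattern in cracking.d
#   EVENT  = lines matching violations.d and not violations.ignore.d
#   SYSTEM = every remaining unreported line not matched by the ignore.d.*
#            directories selected by REPORTLEVEL (paranoid < server < workstation)

# gather_rules RULEDIR OUTFILE SUBDIR...
# Concatenates the rule files of the given subdirectories into OUTFILE,
# dropping blank lines and comments. A missing directory contributes nothing.
gather_rules() {
    ruledir="$1"; out="$2"; shift 2
    : > "$out"
    for d in "$@"; do
        [ -d "$ruledir/$d" ] || continue
        cat "$ruledir/$d"/* 2>/dev/null | grep -Ev '^[[:space:]]*(#|$)' >> "$out" || true
    done
}

# logcheck_triage RULEDIR LEVEL LOGFILE
# Prints each reported line prefixed with ALERT:, EVENT: or SYSTEM:.
logcheck_triage() {
    ruledir="$1"; level="$2"; log="$3"
    case "$level" in
        paranoid)    ignoredirs="ignore.d.paranoid" ;;
        server)      ignoredirs="ignore.d.paranoid ignore.d.server" ;;
        workstation) ignoredirs="ignore.d.paranoid ignore.d.server ignore.d.workstation" ;;
        *) echo "unknown REPORTLEVEL: $level" >&2; return 2 ;;
    esac
    w=$(mktemp -d)
    gather_rules "$ruledir" "$w/cracking" cracking.d
    gather_rules "$ruledir" "$w/violations" violations.d
    gather_rules "$ruledir" "$w/violations_ignore" violations.ignore.d
    gather_rules "$ruledir" "$w/ignore" $ignoredirs
    # grep -f with an empty pattern file matches nothing, so an empty tier is harmless
    grep -E -f "$w/cracking" "$log" > "$w/alerts" || true
    grep -E -f "$w/violations" "$log" | grep -Ev -f "$w/violations_ignore" > "$w/events" || true
    cat "$w/alerts" "$w/events" > "$w/reported"
    grep -Ev -f "$w/ignore" "$log" | grep -vxF -f "$w/reported" > "$w/system" || true
    sed 's/^/ALERT: /' "$w/alerts"
    sed 's/^/EVENT: /' "$w/events"
    sed 's/^/SYSTEM: /' "$w/system"
    rm -rf "$w"
}

# make_sample_rules DIR: a constructed rule tree in logcheck's layout.
make_sample_rules() {
    mkdir -p "$1/cracking.d" "$1/violations.d" "$1/violations.ignore.d" "$1/ignore.d.paranoid" "$1/ignore.d.server"
    printf '%s\n' 'ROOT LOGIN REFUSED' > "$1/cracking.d/sshd"
    printf '%s\n' 'sudo:' > "$1/violations.d/sudo"
    printf '%s\n' 'sudo:.*COMMAND=/usr/bin/apt-get' > "$1/violations.ignore.d/logcheck-sudo"
    printf '%s\n' 'CRON\[[0-9]+\]: \(root\) CMD' > "$1/ignore.d.server/cron"
}

# make_sample_log FILE: constructed syslog lines (documentation addresses).
make_sample_log() {
    cat > "$1" <<'EOF'
Feb 28 12:00:01 charity CRON[1234]: (root) CMD (/usr/bin/logcheck)
Feb 28 12:01:00 charity sshd[2345]: ROOT LOGIN REFUSED FROM 192.0.2.7
Feb 28 12:02:00 charity sudo: jj5 : TTY=pts/0 ; PWD=/home/jj5 ; USER=root ; COMMAND=/usr/bin/apt-get update
Feb 28 12:03:00 charity sudo: jj5 : TTY=pts/0 ; PWD=/home/jj5 ; USER=root ; COMMAND=/bin/bash
Feb 28 12:04:00 charity postfix/smtpd[3456]: connect from unknown[198.51.100.9]
EOF
}

demo() {
    d=$(mktemp -d)
    make_sample_rules "$d/rules"
    make_sample_log "$d/syslog"
    logcheck_triage "$d/rules" server "$d/syslog"
    rm -rf "$d"
}
demo
```

With the sample data the cron line is suppressed at the server level but reported at the paranoid level (which loads only ignore.d.paranoid), the refused root login becomes an alert, the interactive sudo becomes an event, and the apt-get sudo is excused from the event tier by violations.ignore.d but still shows up as a system event. To try a real rule, point RULEDIR at a copy of /etc/logcheck and LOGFILE at a few lines from /var/log/syslog.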
John 2012-02-28 11:50
Configuring new log@progclub mailing list
Added a new mailing list for logs at ProgClub and configured fail2ban to use it:
root@charity:/etc/fail2ban# vim jail.local
root@charity:/etc/fail2ban# head jail.local
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 3600
maxretry = 3
destemail = log@progclub.org
banaction = iptables-multiport
mta = sendmail
action = %(action_mwl)s
[ssh]
enabled = true
root@charity:/etc/fail2ban# /etc/init.d/fail2ban restart
 * Restarting authentication failure monitor fail2ban          [ OK ]
Also configured logwatch to use it:
root@charity:/etc/logwatch/conf# vim logwatch.conf
root@charity:/etc/logwatch/conf# grep log@ logwatch.conf
MailTo = log@progclub.org
And also configured Unattended Upgrades to use it:
root@charity:/etc/apt/apt.conf.d# vim 50unattended-upgrades
root@charity:/etc/apt/apt.conf.d# grep log@ 50unattended-upgrades
Unattended-Upgrade::Mail "log@progclub.org";
One other thing to note is that the 'root' email alias (where Cron sends its email) has been changed for all hosts to forward to log@progclub instead of admin@progclub.
John 2012-02-28 06:48
Disabling EDNS in bind9
Following these instructions from Justin:
root@charity:/etc/bind# vim named.conf.options
root@charity:/etc/bind# cat named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                //0.0.0.0;
                10.183.96.229;
                10.183.96.34;
        };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

server ::/0 { edns no; }
server 0.0.0.0/0 { edns no; }
root@charity:/etc/bind# /etc/init.d/bind9 restart
 * Stopping domain name service... bind9          [ OK ]
 * Starting domain name service... bind9          [ OK ]
John 2012-02-13 16:30
Installing bind
jj5@charity:~$ sudo -s
root@charity:~# apt-get install bind9
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9utils
Suggested packages:
  bind9-doc resolvconf ufw
The following NEW packages will be installed:
  bind9 bind9utils
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 461kB of archives.
After this operation, 1,421kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main bind9utils 1:9.7.0.dfsg.P1-1ubuntu0.4 [118kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main bind9 1:9.7.0.dfsg.P1-1ubuntu0.4 [343kB]
Fetched 461kB in 1s (433kB/s)
Committing to: /etc/
modified aliases.db
Committed revision 136.
Preconfiguring packages ...
Selecting previously deselected package bind9utils.
(Reading database ... 33316 files and directories currently installed.)
Unpacking bind9utils (from .../bind9utils_1%3a9.7.0.dfsg.P1-1ubuntu0.4_amd64.deb) ...
Selecting previously deselected package bind9.
Unpacking bind9 (from .../bind9_1%3a9.7.0.dfsg.P1-1ubuntu0.4_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up bind9utils (1:9.7.0.dfsg.P1-1ubuntu0.4) ...
Setting up bind9 (1:9.7.0.dfsg.P1-1ubuntu0.4) ...
Adding group `bind' (GID 112) ...
Done.
Adding system user `bind' (UID 109) ...
Adding new user `bind' (UID 109) with group `bind' ...
Not creating home directory `/var/cache/bind'.
wrote key file "/etc/bind/rndc.key"
#
 * Starting domain name service... bind9          [ OK ]
Committing to: /etc/
modified .etckeeper
added bind
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
modified shadow
modified shadow-
added apparmor.d/usr.sbin.named
added bind/bind.keys
added bind/db.0
added bind/db.127
added bind/db.255
added bind/db.empty
added bind/db.local
added bind/db.root
added bind/named.conf
added bind/named.conf.default-zones
added bind/named.conf.local
added bind/named.conf.options
added bind/rndc.key
added bind/zones.rfc1918
added default/bind9
added init.d/bind9
added network/if-down.d/bind9
added network/if-up.d/bind9
added ppp/ip-down.d/bind9
added ppp/ip-up.d/bind9
added rc0.d/K85bind9
added rc1.d/K85bind9
added rc2.d/S15bind9
added rc3.d/S15bind9
added rc4.d/S15bind9
added rc5.d/S15bind9
added rc6.d/K85bind9
added ufw/applications.d/bind9
Committed revision 137.
root@charity:~# cd /etc/bind
root@charity:/etc/bind# cp db.127 db.10
root@charity:/etc/bind# vim db.10
root@charity:/etc/bind# cat db.10
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@               IN      NS      localhost.
22.97.183       IN      PTR     sixsigma.blackbrick.com.
27.97.183       IN      PTR     hope.progclub.net.
45.97.183       IN      PTR     honesty.progclub.net.
44.97.183       IN      PTR     charity.progclub.org.
229.96.183      IN      PTR     courtesy.blackbrick.com.
34.96.183       IN      PTR     modesty.blackbrick.com.
214.96.183      IN      PTR     devotion.blackbrick.com.
10.96.183       IN      PTR     respect.blackbrick.com.
21.96.183       IN      PTR     trust.blackbrick.com.
22.96.183       IN      PTR     humility.blackbrick.com.
23.96.183       IN      PTR     courage.blackbrick.com.
24.96.183       IN      PTR     empathy.jj5.net.
root@charity:/etc/bind# vim named.conf.local
root@charity:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "10.in-addr.arpa" {
        type master;
        file "/etc/bind/db.10";
};
root@charity:/etc/bind# vim named.conf.options
root@charity:/etc/bind# cat named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                //0.0.0.0;
                10.183.96.229;
                10.183.96.34;
        };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
root@charity:/etc/bind# /etc/init.d/bind9 restart
 * Stopping domain name service... bind9          [ OK ]
 * Starting domain name service... bind9          [ OK ]
root@charity:/etc/bind# vim /etc/resolv.conf
root@charity:/etc/bind# cat /etc/resolv.conf
nameserver 127.0.0.1
#nameserver 67.207.128.4
#nameserver 67.207.128.5
John 2012-02-12 04:01
Changing spam header checks to simplify reporting
jj5@charity:~$ cd /etc/postfix/
jj5@charity:/etc/postfix$ ls
dynamicmaps.cf  postfix-files   spamalias        tls_per_site
main.cf         postfix-script  spamalias.db     tls_per_site.db
master.cf       post-install    spamheadercheck  transport
old             sasl            sql              transport.db
jj5@charity:/etc/postfix$ cat spamheadercheck
/^X-Spam-Status: Yes/ FILTER spamtnsp:local
jj5@charity:/etc/postfix$ sudo vim spamheadercheck
jj5@charity:/etc/postfix$ cat spamheadercheck
/^X-Spam-Flag: YES/ FILTER spamtnsp:local
jj5@charity:/etc/postfix$ sudo postfix reload
postfix/postfix-script: refreshing the Postfix mail system
John 2012-02-12 02:07
Fixing spamd aliases for delivery of spam to spamd account
jj5@charity:~$ sudo vim /etc/postfix/spamalias
jj5@charity:~$ cat /etc/postfix/spamalias
*: spamd
jj5@charity:~$ sudo postalias /etc/postfix/spamalias
jj5@charity:~$ sudo postfix reload
postfix/postfix-script: refreshing the Postfix mail system
John 2012-02-08 15:29
Fixing up NFS dns_resolve fixups
Just changing the implementation of my fixups for the NFS dns_resolve directory permissions. Rather than copying a script into each run level, I'm just using a script in /etc/rc.local.
jj5@charity:~$ sudo -s
root@charity:~# cd /etc/rc0.d/
root@charity:/etc/rc0.d# ls
K09apache2 K20nslcd README K18krb5-admin-server K20postfix S10unattended-upgrades K18krb5-kdc K20saslauthd S20sendsigs K20courier-authdaemon K20spampd S30urandom K20courier-imap K20xinetd S31umountnfs.sh K20courier-imap-ssl K21spamassassin S35networking K20courier-pop K80nfs-kernel-server S40umountfs K20courier-pop-ssl K80slapd S60umountroot K20nscd K99fail2ban S90halt
root@charity:/etc/rc0.d# cd ../rc1.d/
root@charity:/etc/rc1.d# ls
K09apache2 K20courier-pop K20rsync K80slapd K18krb5-admin-server K20courier-pop-ssl K20saslauthd K89racoon K18krb5-kdc K20mailman K20spampd K99fail2ban K20courier-authdaemon K20nscd K20xinetd README K20courier-imap K20nslcd K21spamassassin S30killprocs K20courier-imap-ssl K20postfix K80nfs-kernel-server S90single
root@charity:/etc/rc1.d# cd ../rc2.d/
root@charity:/etc/rc2.d# ls
README S20courier-pop S20spampd S18krb5-admin-server S20courier-pop-ssl S20xinetd S18krb5-kdc S20mailman S50rsync S19slapd S20nfs-kernel-server S91apache2 S19spamassassin S20nscd S99fail2ban S20courier-authdaemon S20nslcd S99fixup-nfs-dns_resolve.sh S20courier-imap S20postfix S99ondemand S20courier-imap-ssl S20saslauthd S99rc.local
root@charity:/etc/rc2.d# cat S99fixup-nfs-dns_resolve.sh
#!/bin/bash
chmod u+x /var/lib/nfs/rpc_pipefs/cache/dns_resolve
root@charity:/etc/rc2.d# rm S99fixup-nfs-dns_resolve.sh
root@charity:/etc/rc2.d# cd ../rc3.d/
root@charity:/etc/rc3.d# ls
README S20courier-pop S20spampd S18krb5-admin-server S20courier-pop-ssl S20xinetd S18krb5-kdc S20mailman S50rsync S19slapd S20nfs-kernel-server S91apache2 S19spamassassin S20nscd S99fail2ban S20courier-authdaemon S20nslcd S99fixup-nfs-dns_resolve.sh S20courier-imap S20postfix S99ondemand S20courier-imap-ssl S20saslauthd S99rc.local
root@charity:/etc/rc3.d# rm S99fixup-nfs-dns_resolve.sh
root@charity:/etc/rc3.d# cd ../rc4.d/
root@charity:/etc/rc4.d# ls
README S20courier-pop S20spampd S18krb5-admin-server S20courier-pop-ssl S20xinetd S18krb5-kdc S20mailman S50rsync S19slapd S20nfs-kernel-server S91apache2 S19spamassassin S20nscd S99fail2ban S20courier-authdaemon S20nslcd S99fixup-nfs-dns_resolve.sh S20courier-imap S20postfix S99ondemand S20courier-imap-ssl S20saslauthd S99rc.local
root@charity:/etc/rc4.d# rm S99fixup-nfs-dns_resolve.sh
root@charity:/etc/rc4.d# cd ../rc5.d/
root@charity:/etc/rc5.d# ls
README S20courier-pop S20spampd S18krb5-admin-server S20courier-pop-ssl S20xinetd S18krb5-kdc S20mailman S50rsync S19slapd S20nfs-kernel-server S91apache2 S19spamassassin S20nscd S99fail2ban S20courier-authdaemon S20nslcd S99fixup-nfs-dns_resolve.sh S20courier-imap S20postfix S99ondemand S20courier-imap-ssl S20saslauthd S99rc.local
root@charity:/etc/rc5.d# rm S99fixup-nfs-dns_resolve.sh
root@charity:/etc/rc5.d# cd ../rc6.d/
root@charity:/etc/rc6.d# ls
K09apache2 K20nslcd README K18krb5-admin-server K20postfix S10unattended-upgrades K18krb5-kdc K20saslauthd S20sendsigs K20courier-authdaemon K20spampd S30urandom K20courier-imap K20xinetd S31umountnfs.sh K20courier-imap-ssl K21spamassassin S35networking K20courier-pop K80nfs-kernel-server S40umountfs K20courier-pop-ssl K80slapd S60umountroot K20nscd K99fail2ban S90reboot
root@charity:/etc/rc6.d# cd ../init.d
root@charity:/etc/init.d# vim rc.local
root@charity:/etc/init.d# cd ..
root@charity:/etc# vim rc.local
Added:
chmod u+x /var/lib/nfs/rpc_pipefs/cache/dns_resolve
root@charity:/etc# ll rc.local
-rwxr-xr-x 1 root root 359 2012-02-08 15:28 rc.local*
John 2012-01-31 18:30
Preparing for Slicehost DataCenter migration
jj5@charity:~$ sudo -s
root@charity:~# vim /etc/exports
root@charity:~# cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export 172.19.0.0/16(rw,fsid=0,insecure,no_subtree_check,async,no_root_squash) 67.207.0.0/16(rw,fsid=0,insecure,no_subtree_check,async,no_root_squash) 10.183.0.0/16(rw,fsid=0,insecure,no_subtree_check,async,no_root_squash)
/export/home 172.19.0.0/16(rw,hide,insecure,no_subtree_check,async,no_root_squash) 67.207.0.0/16(rw,hide,insecure,no_subtree_check,async,no_root_squash) 10.183.0.0/16(rw,hide,insecure,no_subtree_check,async,no_root_squash)
root@charity:~# vim /etc/hosts.allow
root@charity:~# cat /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#

# hope.progclub.net
ALL: 172.19.1.28
ALL: 10.183.97.27
ALL: 67.207.130.204

# honesty.progclub.net
ALL: 172.19.1.46
ALL: 10.183.97.45
ALL: 67.207.129.103
root@charity:~# vim /etc/iptables.up.rules
root@charity:~# cat /etc/iptables.up.rules
*filter

# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that does use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT

# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT

# Allows imap and imaps connections
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT

# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow svnserve
-A INPUT -p tcp --dport 3690 -j ACCEPT

# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT
-A INPUT -s 172.19.1.28 -j ACCEPT
-A INPUT -s 10.183.97.27 -j ACCEPT

# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT
-A INPUT -s 172.19.1.46 -j ACCEPT
-A INPUT -s 10.183.97.45 -j ACCEPT

# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT

# Hell, allow anything from John's house
-A INPUT -s 60.240.67.126/32 -j ACCEPT

# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT

# Allow IPSec traffic
#-A INPUT -p 50 -j ACCEPT
#-A INPUT -p 51 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
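As an added illustration (not part of the charity configuration or of the original log), the following Python audits an exports(5) file for the options used above, no_root_squash, insecure and async, and for client entries that cover whole networks. The sample input is constructed from the /etc/exports shown, plus one hypothetical line showing the space-before-options mistake that exports a directory to every host.

```python
import ipaddress

# Export options worth flagging, with the reason (defender's view).
RISKY_OPTIONS = {
    "no_root_squash": "uid 0 on the client is uid 0 on the export",
    "insecure": "requests accepted from unprivileged source ports",
    "async": "writes acknowledged before they reach stable storage",
}

# Constructed sample: the two exports from the log above, plus one
# hypothetical line in which a space separates the host from (options);
# exportfs treats such an options group as applying to every host.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/export 172.19.0.0/16(rw,fsid=0,insecure,no_subtree_check,async,no_root_squash) 67.207.0.0/16(rw,fsid=0,insecure,no_subtree_check,async,no_root_squash) 10.183.0.0/16(rw,fsid=0,insecure,no_subtree_check,async,no_root_squash)
/export/home 172.19.0.0/16(rw,hide,insecure,no_subtree_check,async,no_root_squash) 67.207.0.0/16(rw,hide,insecure,no_subtree_check,async,no_root_squash) 10.183.0.0/16(rw,hide,insecure,no_subtree_check,async,no_root_squash)
# hypothetical line: the space before (rw,...) exports /srv/scratch to the world
/srv/scratch hope.progclub.net (rw,no_root_squash)
"""


def parse_exports(text):
    """Parse exports(5) text into (path, client, [options]) tuples.

    A token that starts with '(' has no client in front of it, which
    exportfs interprets as 'every host', so it is recorded as client '*'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        tokens = line.split()
        path, specs = tokens[0], tokens[1:]
        for spec in specs:
            if spec.startswith("("):
                client, opts = "*", spec[1:].rstrip(")")
            elif "(" in spec and spec.endswith(")"):
                client, opts = spec[:-1].split("(", 1)
            else:
                client, opts = spec, ""          # host with default options
            entries.append((path, client, [o for o in opts.split(",") if o]))
    return entries


def client_scope(client):
    """Number of addresses a client spec can match, or None when it is not
    bounded by an address (wildcard hostname or NIS netgroup)."""
    if client.startswith("@") or "*" in client or "?" in client:
        return None
    try:
        return ipaddress.ip_network(client, strict=False).num_addresses
    except ValueError:
        return 1                                 # a single hostname


def audit_exports(text, max_hosts=256):
    """Return findings as (path, client, issue) tuples."""
    findings = []
    for path, client, options in parse_exports(text):
        scope = client_scope(client)
        if client == "*":
            findings.append((path, client, "exported to every host"))
        elif scope is None:
            findings.append((path, client, "client scope not bounded by an address"))
        elif scope > max_hosts:
            findings.append((path, client, f"network of {scope} addresses"))
        for opt in options:
            if opt in RISKY_OPTIONS:
                findings.append((path, client, f"{opt}: {RISKY_OPTIONS[opt]}"))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<13} {client:<20} {issue}")
```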
John 2012-01-29 03:26
Hiding "Automatically removed objectClass from template" warnings in phpLDAPadmin
Per the instructions at Why do i get Automatically removed objectClass from template when creating or editing? I suppressed warnings about missing objectClass/attributes. The problem is that there are templates for these in phpLDAPadmin but they don't exist in the LDAP schema. To suppress warnings:
# vim /var/www/www.progclub.org/pcldap/config/config.php
/* Hide the warnings for invalid objectClasses/attributes in templates. */
$config->custom->appearance['hide_template_warning'] = true;
John 2012-01-09 01:08
Fixing NFS dns_resolver cache permissions
There was a problem with the /var/lib/nfs/rpc_pipefs/cache/dns_resolve directory, being that there was no execute permission set on it, so it could not be opened after rsync had copied it. Apparently this is a virtual file system that has something to do with NFS, so I created an S99fixup-nfs-dns_resolve.sh script and put it in /etc/rc2.d, /etc/rc3.d, /etc/rc4.d, and /etc/rc5.d. The script adds execute permission to the directory so it can be opened.
#!/bin/bash
chmod u+x /var/lib/nfs/rpc_pipefs/cache/dns_resolve
John 2011-12-11 02:04
Configuring svnserve
# apt-get install xinetd
# vim /etc/xinetd.d/svnserve
# cat /etc/xinetd.d/svnserve
service svn
{
        port        = 3690
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = www-data
        server      = /usr/bin/svnserve
        server_args = -i -r /var
}
# vim /etc/iptables.up.rules
# Allow svnserve
-A INPUT -p tcp --dport 3690 -j ACCEPT
jj5@charity:~/bin$ fw.restart
Reloading firewall rules...
John 2011-12-08 21:18
Enabling Web DAV
root@charity:/etc/apache2# a2enmod dav_fs
Considering dependency dav for dav_fs:
Module dav already enabled
Enabling module dav_fs.
Run '/etc/init.d/apache2 restart' to activate new configuration!
root@charity:/etc/apache2# apache2ctl graceful
John 2011-12-08 19:43
Installing logwatch
Following these instructions.
jj5@charity:~$ sudo apt-get install logwatch
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libdate-manip-perl libyaml-syck-perl
Suggested packages:
  fortune-mod
The following NEW packages will be installed:
  libdate-manip-perl libyaml-syck-perl logwatch
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,916kB of archives.
After this operation, 17.3MB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libyaml-syck-perl 1.07-1build1 [82.1kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libdate-manip-perl 6.05-1 [2,433kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main logwatch 7.3.6.cvs20090906-1ubuntu2.1 [402kB]
Fetched 2,916kB in 11s (248kB/s)
Committing to: /etc/
modified apt/apt.conf.d/10periodic
modified apt/apt.conf.d/50unattended-upgrades
modified postfix/main.cf
Committed revision 106.
Selecting previously deselected package libyaml-syck-perl.
(Reading database ... 29703 files and directories currently installed.)
Unpacking libyaml-syck-perl (from .../libyaml-syck-perl_1.07-1build1_amd64.deb) ...
Selecting previously deselected package libdate-manip-perl.
Unpacking libdate-manip-perl (from .../libdate-manip-perl_6.05-1_all.deb) ...
Selecting previously deselected package logwatch.
Unpacking logwatch (from .../logwatch_7.3.6.cvs20090906-1ubuntu2.1_all.deb) ...
Processing triggers for man-db ...
Setting up libyaml-syck-perl (1.07-1build1) ...
Setting up libdate-manip-perl (6.05-1) ...
Setting up logwatch (7.3.6.cvs20090906-1ubuntu2.1) ...
Committing to: /etc/
added logwatch
added cron.daily/00logwatch
added logwatch/conf
added logwatch/scripts
added logwatch/conf/logfiles
added logwatch/conf/services
added logwatch/scripts/services
Committed revision 107.
jj5@charity:~$ cd /var/cache
jj5@charity:/var/cache$ ls
apache2  apt  debconf  etckeeper  ldconfig  man  nscd  spampd
jj5@charity:/var/cache$ sudo mkdir logwatch
jj5@charity:/var/cache$ sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
jj5@charity:/var/cache$ sudo vim /etc/logwatch/conf/logwatch.conf
MailTo = admin@blackbrick.com
Detail = High
jj5@charity:/var/cache$ sudo cp /usr/share/logwatch/default.conf/logfiles/http.conf /etc/logwatch/conf/logfiles/
John 2011-12-08 18:14
Installing unattended upgrades
Following these instructions.
root@charity:~# apt-get install unattended-upgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  bsd-mailx
The following NEW packages will be installed:
  unattended-upgrades
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 20.8kB of archives.
After this operation, 250kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main unattended-upgrades 0.55ubuntu6 [20.8kB]
Fetched 20.8kB in 0s (43.7kB/s)
Preconfiguring packages ...
Selecting previously deselected package unattended-upgrades.
(Reading database ... 29671 files and directories currently installed.)
Unpacking unattended-upgrades (from .../unattended-upgrades_0.55ubuntu6_all.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up unattended-upgrades (0.55ubuntu6) ...
update-rc.d: warning: unattended-upgrades start runlevel arguments (none) do not match LSB Default-Start values (0 6)
update-rc.d: warning: unattended-upgrades stop runlevel arguments (0 6) do not match LSB Default-Stop values (none)

Broadcast message from root@charity
        (unknown) at 6:56 ...

The system is going down for power off NOW!
Committing to: /etc/
added pm
added apt/apt.conf.d/50unattended-upgrades
added init.d/unattended-upgrades
added logrotate.d/unattended-upgrades
added pm/sleep.d
added pm/sleep.d/10_unattended-upgrades-hibernate
added rc0.d/S10unattended-upgrades
added rc6.d/S10unattended-upgrades
Committed revision 104.
jj5@charity:~$ sudo apt-get install bsd-mailx
[sudo] password for jj5:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  bsd-mailx
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 162kB of archives.
After this operation, 311kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main bsd-mailx 8.1.2-0.20090911cvs-2ubuntu1 [162kB]
Fetched 162kB in 10s (15.0kB/s)
Selecting previously deselected package bsd-mailx.
(Reading database ... 29689 files and directories currently installed.)
Unpacking bsd-mailx (from .../bsd-mailx_8.1.2-0.20090911cvs-2ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up bsd-mailx (8.1.2-0.20090911cvs-2ubuntu1) ...
update-alternatives: using /usr/bin/bsd-mailx to provide /usr/bin/mailx (mailx) in auto mode.
update-alternatives: warning: not replacing /usr/bin/mail with a link.
update-alternatives: warning: not replacing /usr/share/man/man1/mail.1.gz with a link.
Committing to: /etc/
added mail.rc
added alternatives/Mail
added alternatives/Mail.1.gz
added alternatives/mail
added alternatives/mail.1.gz
modified alternatives/mailx
modified alternatives/mailx.1.gz
Committed revision 105.
root@charity:/etc/apt/apt.conf.d# vim 50unattended-upgrades
root@charity:/etc/apt/apt.conf.d# cat 50unattended-upgrades
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu lucid-security";
        "Ubuntu lucid-updates";
};

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";
Unattended-Upgrade::Mail "admin@progclub.org";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
root@charity:/etc/apt/apt.conf.d#
root@charity:/etc/apt/apt.conf.d# vim 10periodic
root@charity:/etc/apt/apt.conf.d# cat 10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
John 2011-11-30 15:51
Web-site goes HTTPS
Found this article which suggested the following in /etc/apache2/sites-enabled/default
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.progclub.org%{REQUEST_URI}
This has two benefits. One is that all web requests will be redirected to the secure site, and the second is that all HTTP requests will be redirected to the canonical domain.
John 2011-11-30 06:57
Getting rid of =3D in svn-mailer commit hook
Found this article which suggested editing svn-mailer config file /etc/pcrepo-mailer.conf and adding:
[defaults]
mail_transfer_encoding = 8bit
John 2011-11-27 13:37
Fixing NFSv4 (nfs4) IDMAP problem
There was a problem with the idmap service whereby NFS clients were reporting user and group of nobody and nogroup. The problem was with the idmap configuration. I found this article which suggested adding the Method=nsswitch setting in the [Translation] section, so I edited the /etc/idmapd.conf file on all the servers to be the following:
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = progclub.org

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method=nsswitch
Note that I specified the domain progclub.org too, rather than localdomain. I don't think that was necessary, I think the important bit was Method=nsswitch. It's all working properly now and ls -al reports correct user and group.
John 2011-09-19 23:39
Installing PHP SQLite
root@charity:~# apt-get install php5-sqlite
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  php5-sqlite
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 55.3kB of archives.
After this operation, 225kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-sqlite 5.3.2-1ubuntu4.9 [55.3kB]
Fetched 55.3kB in 0s (108kB/s)
Committing to: /etc/
modified php5/conf.d/imap.ini
modified php5/conf.d/mcrypt.ini
Committed revision 91.
Selecting previously deselected package php5-sqlite.
(Reading database ... 29504 files and directories currently installed.)
Unpacking php5-sqlite (from .../php5-sqlite_5.3.2-1ubuntu4.9_amd64.deb) ...
Processing triggers for libapache2-mod-php5 ...
 * Reloading web server config apache2                                  [ OK ]
Setting up php5-sqlite (5.3.2-1ubuntu4.9) ...
Committing to: /etc/
added php5/conf.d/pdo_sqlite.ini
added php5/conf.d/sqlite.ini
added php5/conf.d/sqlite3.ini
Committed revision 92.
root@charity:~# apache2ctl graceful
John 2011-09-05 01:48
Removing 'nofollow' from list archives
root@charity:/var/lib/mailman/templates/en# vim article.html
Changed:
<META NAME="robots" CONTENT="index,nofollow">
To:
<META NAME="robots" CONTENT="index,follow">
John 2011-09-02 17:10
Installing roundcube
root@charity:~/bin# mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 17222
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database roundcubedb /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;
Query OK, 1 row affected (0.00 sec)

mysql> grant all privileges on roundcubedb.* to roundcube@localhost identified by 'secret';
Query OK, 0 rows affected (0.16 sec)

mysql> quit
Bye
root@charity:~/bin# mysql -p roundcubedb < /var/www/www.progclub.org/pcwebmail/roundcube/SQL/mysql.initial.sql
Enter password:
John 2011-08-27 16:37
Updating fail2ban jail.conf
/etc/fail2ban/jail.conf was updated to enable fail2ban filtering on most services, and to send abuse reports to admin@progclub.org.
John 2011-08-27 09:07
Fixing missing /etc/postfix/spamalias.db error
I was seeing entries like this in /var/log/mail.log:
Aug 21 09:36:53 charity postfix/local[5094]: fatal: open database /etc/postfix/spamalias.db: No such file or directory
Aug 21 09:36:54 charity postfix/master[3001]: warning: process /usr/lib/postfix/local pid 5094 exit status 1
Aug 21 09:36:54 charity postfix/master[3001]: warning: /usr/lib/postfix/local: bad command startup -- throttling
I took a wild guess and ran:
root@charity:/etc/postfix# postalias spamalias
That created a spamalias.db file. Hopefully that fixes the problem.
John 2011-08-21 02:13
Installing spamassassin
Following these instructions.
root@charity:~# apt-get install spamassassin spamc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  binutils gcc gcc-4.4 libc-dev-bin libc6-dev libdigest-hmac-perl libdigest-sha1-perl liberror-perl
  libfont-afm-perl libgomp1 libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl
  libio-socket-inet6-perl libmail-spf-perl libmailtools-perl libnet-dns-perl libnet-ip-perl
  libnetaddr-ip-perl libsocket6-perl libsys-hostname-long-perl liburi-perl libwww-perl linux-libc-dev
  manpages-dev re2c
Suggested packages:
  binutils-doc gcc-multilib autoconf automake1.9 libtool flex bison gdb gcc-doc gcc-4.4-multilib
  libmudflap0-4.4-dev gcc-4.4-doc gcc-4.4-locales libgcc1-dbg libgomp1-dbg libmudflap0-dbg libcloog-ppl0
  libppl-c2 libppl7 glibc-doc libdata-dump-perl libcrypt-ssleay-perl libio-socket-ssl-perl razor
  libnet-ident-perl pyzor libmail-dkim-perl
The following NEW packages will be installed:
  binutils gcc gcc-4.4 libc-dev-bin libc6-dev libdigest-hmac-perl libdigest-sha1-perl liberror-perl
  libfont-afm-perl libgomp1 libhtml-format-perl libhtml-parser-perl libhtml-tagset-perl libhtml-tree-perl
  libio-socket-inet6-perl libmail-spf-perl libmailtools-perl libnet-dns-perl libnet-ip-perl
  libnetaddr-ip-perl libsocket6-perl libsys-hostname-long-perl liburi-perl libwww-perl linux-libc-dev
  manpages-dev re2c spamassassin spamc
0 upgraded, 29 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.0MB of archives.
After this operation, 45.6MB of additional disk space will be used.
Do you want to continue [Y/n]?
root@charity:~# groupadd spamd root@charity:~# useradd -g spamd -s /bin/false -d /var/log/spamassassin spamd root@charity:~# mkdir /var/log/spamassassin root@charity:~# chown spamd:spamd /var/log/spamassassin
root@charity:~# vim /etc/default/spamassassin root@charity:~# cat /etc/default/spamassassin # /etc/default/spamassassin # Duncan Findlay # WARNING: please read README.spamd before using. # There may be security risks. # Change to one to enable spamd ENABLED=1 # JE: 2011-08-21: http://townx.org/blog/elliot/simple_spamassassin_setup_with_postfix_and_dovecot_on_ubuntu_breezy SAHOME="/var/log/spamassassin/" # Options # See man spamd for possible options. The -d option is automatically added. # SpamAssassin uses a preforking model, so be careful! You need to # make sure --max-children is not set to anything higher than 5, # unless you know what you're doing. #OPTIONS="--create-prefs --max-children 5 --helper-home-dir" OPTIONS="--create-prefs --max-children 2 --username spamd -H ${SAHOME} -s ${SAHOME}spamd.log" # Pid file # Where should spamd write its PID to file? If you use the -u or # --username option above, this needs to be writable by that user. # Otherwise, the init script will not be able to shut spamd down. PIDFILE="/var/run/spamd.pid" # Set nice level of spamd #NICE="--nicelevel 15" # Cronjob # Set to anything but 0 to enable the cron job to automatically update # spamassassin's rules on a nightly basis CRON=0
root@charity:~# /etc/init.d/spamassassin start Starting SpamAssassin Mail Filter Daemon: spamd.
root@charity:~# vim /etc/postfix/master.cf
root@charity:~# cat /etc/postfix/master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
# JE: 2011-08-21: http://townx.org/blog/elliot/simple_spamassassin_setup_with_postfix_and_dovecot_on_ubuntu_breezy
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f $(sender) $(recipient)
root@charity:~# /etc/init.d/postfix reload
 * Reloading Postfix configuration... [ OK ]
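The master.cf above wires the inbound smtpd to SpamAssassin with a content_filter override, and that only works if the named transport actually exists further down in the same file. The following is an added example, not part of this admin log or of Postfix: a small master(5) parser that handles comment lines and whitespace-indented continuation lines, collects the -o overrides of each service, and checks every content_filter against the transports the file defines (a filter pointing at a missing transport makes Postfix defer all mail through that listener). The SAMPLE_MASTER_CF text is a constructed excerpt modelled on the file shown here.

```python
"""Parse a Postfix master.cf and audit its content_filter wiring.

Added example (not from the charity admin log or the Postfix project).
Format per master(5): one service per line (name type private unpriv
chroot wakeup maxproc command + args); lines that start with whitespace
continue the previous service; '#' lines are comments.
"""

# Constructed excerpt modelled on the master.cf shown on this page.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
spamassassin unix -     n       n       -       -       pipe
  user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f $(sender) $(recipient)
"""

FIELDS = ("name", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")


def parse_master_cf(text):
    """Return a list of service dicts; continuation lines extend 'args'."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment (commented-out services included)
        if raw[0].isspace():
            # continuation line: belongs to the most recently defined service
            if services:
                services[-1]["args"].extend(raw.split())
            continue
        parts = raw.split()
        if len(parts) < 8:
            raise ValueError("malformed master.cf line: %r" % raw)
        svc = dict(zip(FIELDS, parts[:7]))
        svc["command"] = parts[7]
        svc["args"] = parts[8:]
        services.append(svc)
    return services


def option_overrides(svc):
    """Collect the '-o name=value' overrides from a service's argument list."""
    opts = {}
    args = svc["args"]
    for i, tok in enumerate(args):
        if tok == "-o" and i + 1 < len(args):
            name, _, value = args[i + 1].partition("=")
            opts[name] = value
    return opts


def audit_content_filters(services):
    """Map each service that sets content_filter to (transport, defined?).

    The transport is the part before ':' (e.g. 'spamassassin' in
    'spamassassin' or 'smtp-amavis' in 'smtp-amavis:[127.0.0.1]:10024').
    A filter naming a transport absent from master.cf defers mail.
    """
    defined = {s["name"] for s in services}
    result = {}
    for s in services:
        cf = option_overrides(s).get("content_filter")
        if cf:
            transport = cf.split(":", 1)[0]
            result[s["name"]] = (transport, transport in defined)
    return result


if __name__ == "__main__":
    for listener, (transport, ok) in audit_content_filters(parse_master_cf(SAMPLE_MASTER_CF)).items():
        print("%s -> content_filter=%s (%s)" % (listener, transport, "defined" if ok else "MISSING"))
```

Run against the real file with `parse_master_cf(open("/etc/postfix/master.cf").read())`; the audit also catches the common mistake of renaming the filter service without updating the listener's override.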
Following these instructions I edited /etc/mailman/mm_cfg.py to uncomment the following line:
GLOBAL_PIPELINE.insert(1, 'SpamAssassin')
root@charity:~# userdel spamd
root@charity:~# groupdel spamd
groupdel: group 'spamd' does not exist
root@charity:~# groupadd -g 50001 spamd
root@charity:~# useradd -u 50001 -g spamd -s /sbin/nologin -d /var/lib/spamassassin spamd
root@charity:~# mkdir /var/lib/spamassassin
root@charity:~# chown spamd:spamd /var/lib/spamassassin
Having trouble... trying these instructions to use spampd.
jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# vim /etc/aliases
root@charity:~# newaliases
root@charity:~# vim /etc/postfix/master.cf
root@charity:~# vim /etc/postfix/main.cf
root@charity:~# apt-get install spampd
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libio-multiplex-perl libnet-cidr-perl libnet-server-perl
Suggested packages:
  libio-socket-ssl-perl
The following NEW packages will be installed:
  libio-multiplex-perl libnet-cidr-perl libnet-server-perl spampd
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 234kB of archives.
After this operation, 860kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libio-multiplex-perl 1.10-1 [22.9kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libnet-cidr-perl 0.13-1 [14.6kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libnet-server-perl 0.97-1ubuntu1 [141kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe spampd 2.30-22 [55.6kB]
Fetched 234kB in 0s (237kB/s)
Committing to: /etc/
modified .etckeeper
modified aliases
modified aliases.db
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
modified shadow
modified shadow-
modified default/spamassassin
modified mailman/mm_cfg.py
modified postfix/main.cf
modified postfix/master.cf
missing postfix/mysql-domains.cf
modified postfix/mysql-domains.cf
missing postfix/mysql-email.cf
modified postfix/mysql-email.cf
missing postfix/mysql-forwards.cf
modified postfix/mysql-forwards.cf
missing postfix/mysql-mailboxes.cf
modified postfix/mysql-mailboxes.cf
added postfix/old
added postfix/old/mysql-domains.cf
added postfix/old/mysql-email.cf
added postfix/old/mysql-forwards.cf
added postfix/old/mysql-mailboxes.cf
modified spamassassin/local.cf
Committed revision 74.
Selecting previously deselected package libio-multiplex-perl.
(Reading database ... 29433 files and directories currently installed.)
Unpacking libio-multiplex-perl (from .../libio-multiplex-perl_1.10-1_all.deb) ...
Selecting previously deselected package libnet-cidr-perl.
Unpacking libnet-cidr-perl (from .../libnet-cidr-perl_0.13-1_all.deb) ...
Selecting previously deselected package libnet-server-perl.
Unpacking libnet-server-perl (from .../libnet-server-perl_0.97-1ubuntu1_all.deb) ...
Selecting previously deselected package spampd.
Unpacking spampd (from .../spampd_2.30-22_all.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libio-multiplex-perl (1.10-1) ...
Setting up libnet-cidr-perl (0.13-1) ...
Setting up libnet-server-perl (0.97-1ubuntu1) ...
Setting up spampd (2.30-22) ...
 * Starting spam checking proxy daemon spampd [ OK ]
Committing to: /etc/
modified .etckeeper
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
modified shadow
modified shadow-
added spampd.conf
added default/spampd
added init.d/spampd
added rc0.d/K20spampd
added rc1.d/K20spampd
added rc2.d/S20spampd
added rc3.d/S20spampd
added rc4.d/S20spampd
added rc5.d/S20spampd
added rc6.d/K20spampd
Committed revision 75.
root@charity:~# vim /etc/postfix/spamheadercheck
root@charity:~# cat /etc/postfix/spamheadercheck
/^X-Spam-Status: Yes/ FILTER spamtnsp:local
root@charity:~# vim /etc/postfix/spamalias
root@charity:~# cat /etc/postfix/spamalias
jj5: spamd
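The spamheadercheck rule above is a header_checks(5) regexp table: Postfix tests each logical header (folded continuation lines joined) against the rules in order, matching is case-insensitive unless the rule carries a flag, and the first match decides what happens to the message. The following is an added example, not part of this admin log or of Postfix, that models those semantics in Python so the rule can be tried against sample messages without touching the running cleanup(8) daemon. The three messages are constructed; the rule text is the one from the page. Note that the rule only means what it appears to mean if the filter stage in front of it overwrites any X-Spam-Status header that arrived with the message, otherwise the header is untrusted sender input.

```python
"""Evaluate Postfix header_checks-style rules against message headers.

Added example (not from the charity admin log or the Postfix project).
Modelled on header_checks(5)/regexp_table(5): search semantics, default
case-insensitive matching ('i' flag toggles it off), one logical header
at a time, first matching rule wins.  OK/DUNNO/WARN end the checks for
that header only; every other action is treated as final for the message.
"""
import re

# The rule from /etc/postfix/spamheadercheck on this page.
SPAM_HEADER_CHECKS = "/^X-Spam-Status: Yes/ FILTER spamtnsp:local\n"

# Constructed sample messages.
TAGGED = (
    "Received: from spampd (localhost [127.0.0.1])\r\n"
    "X-Spam-Status: Yes, score=7.1 required=5.0 tests=BAYES_99\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)
CLEAN = (
    "Received: from spampd (localhost [127.0.0.1])\r\n"
    "X-Spam-Status: No, score=-1.2 required=5.0\r\n"
    "Subject: invoice\r\n"
    "\r\n"
    "X-Spam-Status: Yes\r\n"  # body text: header_checks must never see it
)
FOLDED = (
    "x-spam-status: yes, score=6.2\r\n"
    "\ttests=HTML_MESSAGE\r\n"  # folded continuation of the previous header
    "Subject: x\r\n"
    "\r\n"
)

RULE_RE = re.compile(r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[A-Za-z]*)\s+(?P<action>\S+)(?:\s+(?P<arg>.*))?$")
NON_TERMINAL = {"OK", "DUNNO", "WARN"}


def parse_header_checks(text):
    """Parse '/pattern/flags ACTION [argument]' lines into (regex, action, arg)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: %r" % line)
        # regexp_table(5): matching is case-insensitive by default; 'i' toggles that.
        case_insensitive = "i" not in m.group("flags")
        regex = re.compile(m.group("pat"), re.IGNORECASE if case_insensitive else 0)
        rules.append((regex, m.group("action").upper(), m.group("arg") or ""))
    return rules


def logical_headers(raw_message):
    """Split the header block into logical headers, re-joining folded lines."""
    head = raw_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line  # keep the newline: '^' anchors only at the header start
        else:
            headers.append(line)
    return headers


def check_headers(raw_message, rules):
    """Return (action, argument, first line of the header) or None if nothing fires."""
    for header in logical_headers(raw_message):
        for regex, action, arg in rules:
            if regex.search(header):
                if action in NON_TERMINAL:
                    break  # this header is decided; move on to the next one
                return (action, arg, header.split("\n")[0])
    return None


if __name__ == "__main__":
    rules = parse_header_checks(SPAM_HEADER_CHECKS)
    for name, msg in (("tagged", TAGGED), ("clean", CLEAN), ("folded", FOLDED)):
        print(name, "->", check_headers(msg, rules))
```

`postmap -q "X-Spam-Status: Yes, score=7.1" regexp:/etc/postfix/spamheadercheck` gives the authoritative answer on the box itself; the script is for reasoning about rule order and case handling before a reload.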
John 2011-08-19 21:41
Installing Mailman
Following these instructions.
jj5@charity:~/bin/pcrepo/hooks$ sudo -s
[sudo] password for jj5:
root@charity:~/bin/pcrepo/hooks# apt-get install mailman
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  pwgen
Suggested packages:
  spamassassin lynx listadmin
The following NEW packages will be installed:
  mailman pwgen
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 9,699kB of archives.
After this operation, 45.0MB of additional disk space will be used.
Do you want to continue [Y/n]?
Package configuration: Configuring mailman

  For each supported language, Mailman stores default language specific
  texts in /etc/mailman/LANG/ giving them conffile like treatment with the
  help of ucf. This means approximately 150kB for each supported language
  on the root file system.

  If you need a different set of languages at a later time, just run
  dpkg-reconfigure mailman.

  NOTE: Languages enabled on existing mailing lists are forcibly
  re-enabled when deselected and mailman needs at least one language for
  displaying its messages.

  <Ok>

Package configuration: Configuring mailman

  Languages to support:
  [ ] ar (Arabic)
  [ ] ca (Catalan)
  [ ] cs (Czech)
  [ ] da (Danish)
  [ ] de (German)
  [*] en (English)
  [ ] es (Spanish)
  [ ] et (Estonian)
  [ ] eu (Basque)
  [ ] fi (Finnish)
  [ ] fr (French)
  [ ] hr (Croatian)

  <Ok>

Package configuration: Configuring mailman

  Missing site list

  Mailman needs a so-called "site list", which is the list from which
  password reminders and such are sent out from. This list needs to be
  created before mailman will start.

  To create the list, run "newlist mailman" and follow the instructions
  on-screen. Note that you also need to start mailman after that, using
  /etc/init.d/mailman start.

  <Ok>
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main pwgen 2.06-1ubuntu2 [21.7kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main mailman 1:2.1.13-1ubuntu0.2 [9,677kB]
Fetched 9,699kB in 3s (2,449kB/s)
Committing to: /etc/
modified .etckeeper
modified apache2/sites-available/default-ssl
modified courier/imapd-ssl
modified courier/pop3d-ssl
modified postfix/main.cf
Committed revision 69.
Preconfiguring packages ...
Selecting previously deselected package pwgen.
(Reading database ... 21355 files and directories currently installed.)
Unpacking pwgen (from .../pwgen_2.06-1ubuntu2_amd64.deb) ...
Selecting previously deselected package mailman.
Unpacking mailman (from .../mailman_1%3a2.1.13-1ubuntu0.2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up pwgen (2.06-1ubuntu2) ...
Setting up mailman (1:2.1.13-1ubuntu0.2) ...
Looking for enabled languages (this may take some time) ... done.
Installing site language en ............................................ done.
Configuring mailman for domain progclub.org ...
Upgrading from version 0x0 to 0x2010df0
getting rid of old source files
 * Site list for mailman missing (looking for list named 'mailman').
 * Please create it; until then, mailman will refuse to start.
Committing to: /etc/
modified .etckeeper
added mailman
added cron.d/mailman
added init.d/mailman
added logrotate.d/mailman
added mailman/apache.conf
added mailman/en
added mailman/leftover
added mailman/mm_cfg.py
added mailman/postfix-to-mailman.py
added mailman/qmail-to-mailman.py
added mailman/en/admindbdetails.html
added mailman/en/admindbpreamble.html
added mailman/en/admindbsummary.html
added mailman/en/adminsubscribeack.txt
added mailman/en/adminunsubscribeack.txt
added mailman/en/admlogin.html
added mailman/en/approve.txt
added mailman/en/archidxentry.html
added mailman/en/archidxfoot.html
added mailman/en/archidxhead.html
added mailman/en/archlistend.html
added mailman/en/archliststart.html
added mailman/en/archtoc.html
added mailman/en/archtocentry.html
added mailman/en/archtocnombox.html
added mailman/en/article.html
added mailman/en/bounce.txt
added mailman/en/checkdbs.txt
added mailman/en/convert.txt
added mailman/en/cronpass.txt
added mailman/en/disabled.txt
added mailman/en/emptyarchive.html
added mailman/en/headfoot.html
added mailman/en/help.txt
added mailman/en/invite.txt
added mailman/en/listinfo.html
added mailman/en/masthead.txt
added mailman/en/newlist.txt
added mailman/en/nomoretoday.txt
added mailman/en/options.html
added mailman/en/postack.txt
added mailman/en/postauth.txt
added mailman/en/postheld.txt
added mailman/en/private.html
added mailman/en/probe.txt
added mailman/en/refuse.txt
added mailman/en/roster.html
added mailman/en/subauth.txt
added mailman/en/subscribe.html
added mailman/en/subscribeack.txt
added mailman/en/unsub.txt
added mailman/en/unsubauth.txt
added mailman/en/userpass.txt
added mailman/en/verify.txt
added rc1.d/K20mailman
added rc2.d/S20mailman
added rc3.d/S20mailman
added rc4.d/S20mailman
added rc5.d/S20mailman
Committed revision 70.
root@charity:~/bin/pcrepo/hooks# newlist mailman
Enter the email of the person running the list: jj5@progclub.org
Initial mailman password:
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:

## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Hit enter to notify mailman owner...
John 2011-08-19 18:34
Configuring SSL certificate
In /etc/postfix/main.cf:
smtpd_tls_cert_file = /home/apache/certs/progclub.org.crt
smtpd_tls_key_file = /home/apache/certs/progclub.key
Had to create .pem file with:
# cd /home/apache/certs
# cat progclub.org.crt progclub.key > progclub.org.pem
# chmod o= progclub.org.pem
In /etc/courier/imapd-ssl:
TLS_CERTFILE=/home/apache/certs/progclub.org.pem
TLS_TRUSTCERTS=/home/apache/certs/gd_bundle.crt
In /etc/courier/pop3d-ssl:
TLS_CERTFILE=/home/apache/certs/progclub.org.pem
TLS_TRUSTCERTS=/home/apache/certs/gd_bundle.crt
Had to restart postfix with:
# postfix reload
And restart Courier with the jj5-bin restart-courier script:
$ restart-courier
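Courier wants the certificate and the private key in one .pem file, and the log builds it with cat followed by chmod; between those two commands the file exists with the default umask, so for a moment the private key can be world-readable. The following is an added example, not part of this admin log, that builds the same combined file but creates it with mode 0600 from the start (and refuses to overwrite an existing file), after a sanity check that the first input holds only CERTIFICATE blocks and the second exactly one PRIVATE KEY block. The file names mirror the ones on the page; the PEM bodies are constructed placeholders, not the site's real material, and the demo() helper writes them to a temporary directory.

```python
"""Build a combined key+certificate PEM without a world-readable window.

Added example (not from the charity admin log).  os.open() with an explicit
mode applies the permissions at creation time, unlike 'cat > pem; chmod',
which leaves the key readable until the chmod runs.
"""
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----\n", re.S)

# Constructed placeholder bodies; real PEM files hold base64 DER here.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB-constructed-placeholder\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE-constructed-placeholder\n-----END RSA PRIVATE KEY-----\n"


def pem_block_types(text):
    """Return the BEGIN/END labels of the PEM blocks in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def build_combined_pem(cert_path, key_path, out_path, mode=0o600):
    """Write certificate(s) then key into out_path, created with `mode`.

    Returns the list of block types written; raises ValueError when the
    inputs are not a certificate file and a private key file respectively.
    """
    with open(cert_path) as f:
        cert = f.read()
    with open(key_path) as f:
        key = f.read()
    if not cert.endswith("\n"):
        cert += "\n"
    if not key.endswith("\n"):
        key += "\n"
    cert_types = pem_block_types(cert)
    key_types = pem_block_types(key)
    if not cert_types or any(t != "CERTIFICATE" for t in cert_types):
        raise ValueError("%s does not contain only CERTIFICATE blocks" % cert_path)
    if len(key_types) != 1 or not key_types[0].endswith("PRIVATE KEY"):
        raise ValueError("%s does not contain exactly one PRIVATE KEY block" % key_path)
    # O_EXCL refuses to clobber an existing file; mode is applied at creation.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as out:
        out.write(cert + key)
    return cert_types + key_types


def is_private(path):
    """True when the file has no group or other permission bits set."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo(workdir=None):
    """Exercise the builder on constructed inputs in a scratch directory.

    Returns (block types written, output is private, swapped inputs rejected).
    """
    workdir = workdir or tempfile.mkdtemp(prefix="pemdemo-")
    crt = os.path.join(workdir, "progclub.org.crt")   # names as on the page
    key = os.path.join(workdir, "progclub.key")       # contents are placeholders
    out = os.path.join(workdir, "progclub.org.pem")
    with open(crt, "w") as f:
        f.write(SAMPLE_CERT)
    with open(key, "w") as f:
        f.write(SAMPLE_KEY)
    types = build_combined_pem(crt, key, out)
    try:
        build_combined_pem(key, crt, os.path.join(workdir, "swapped.pem"))
        rejected_swap = False
    except ValueError:
        rejected_swap = True
    return types, is_private(out), rejected_swap


if __name__ == "__main__":
    print(demo())
```

The structural check does not prove the key matches the certificate; `openssl x509 -noout -modulus` and `openssl rsa -noout -modulus` on the two inputs, compared, settle that before Courier is restarted.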
John 2011-08-19 01:48
Installing PHP mail
root@charity:~# apt-cache search php mail | less
root@charity:~# apt-get install php-mail
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  php-net-smtp php-net-socket php-pear php5-cli
Suggested packages:
  php5-dev
The following NEW packages will be installed:
  php-mail php-net-smtp php-net-socket php-pear php5-cli
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,310kB of archives.
After this operation, 11.0MB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-cli 5.3.2-1ubuntu4.9 [2,907kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php-pear 5.3.2-1ubuntu4.9 [355kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/universe php-mail 1.1.14-2 [23.2kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe php-net-socket 1.0.9-2 [9,098B]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/universe php-net-smtp 1.3.1-1 [16.0kB]
Fetched 3,310kB in 1s (1,853kB/s)
Committing to: /etc/
modified .etckeeper
added pcrepo-mailer.conf
modified courier/authmysqlrc
modified pam.d/smtp
modified postfix/main.cf
added postfix/sql
modified postfix/sasl/smtpd.conf
added postfix/sasl/smtpd.conf.bak-2011-08-19-0104
added postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
added postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
added postfix/sql/mysql_virtual_alias_domain_maps.cf
added postfix/sql/mysql_virtual_alias_maps.cf
added postfix/sql/mysql_virtual_domains_maps.cf
added postfix/sql/mysql_virtual_mailbox_limit_maps.cf
added postfix/sql/mysql_virtual_mailbox_maps.cf
Committed revision 67.
Selecting previously deselected package php5-cli.
(Reading database ... 21114 files and directories currently installed.)
Unpacking php5-cli (from .../php5-cli_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package php-pear.
Unpacking php-pear (from .../php-pear_5.3.2-1ubuntu4.9_all.deb) ...
Selecting previously deselected package php-mail.
Unpacking php-mail (from .../php-mail_1.1.14-2_all.deb) ...
Selecting previously deselected package php-net-socket.
Unpacking php-net-socket (from .../php-net-socket_1.0.9-2_all.deb) ...
Selecting previously deselected package php-net-smtp.
Unpacking php-net-smtp (from .../php-net-smtp_1.3.1-1_all.deb) ...
Processing triggers for man-db ...
Setting up php5-cli (5.3.2-1ubuntu4.9) ...

Creating config file /etc/php5/cli/php.ini with new version
update-alternatives: using /usr/bin/php5 to provide /usr/bin/php (php) in auto mode.
Setting up php-pear (5.3.2-1ubuntu4.9) ...
Setting up php-mail (1.1.14-2) ...
Setting up php-net-socket (1.0.9-2) ...
Setting up php-net-smtp (1.3.1-1) ...
Committing to: /etc/
added pear
added alternatives/php
added alternatives/php.1.gz
added pear/pear.conf
added php5/cli
added php5/cli/conf.d
added php5/cli/php.ini
Committed revision 68.
John 2011-08-18 19:05
Installing postfixadmin
root@charity:/var/log# apt-get install php5-imap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libc-client2007e mlock
Suggested packages:
  uw-mailutils
The following NEW packages will be installed:
  libc-client2007e mlock php5-imap
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 810kB of archives.
After this operation, 1,810kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe mlock 8:2007e~dfsg-3.1 [34.6kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe libc-client2007e 8:2007e~dfsg-3.1 [734kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/universe php5-imap 5.3.2-0ubuntu2 [41.2kB]
Fetched 810kB in 1s (624kB/s)
Committing to: /etc/
modified iptables.up.rules
modified courier/authdaemonrc
modified courier/authmysqlrc
modified mysql/my.cnf
Committed revision 65.
Selecting previously deselected package mlock.
(Reading database ... 20755 files and directories currently installed.)
Unpacking mlock (from .../mlock_8%3a2007e~dfsg-3.1_amd64.deb) ...
Selecting previously deselected package libc-client2007e.
Unpacking libc-client2007e (from .../libc-client2007e_8%3a2007e~dfsg-3.1_amd64.deb) ...
Selecting previously deselected package php5-imap.
Unpacking php5-imap (from .../php5-imap_5.3.2-0ubuntu2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for libapache2-mod-php5 ...
 * Reloading web server config apache2 [ OK ]
Setting up mlock (8:2007e~dfsg-3.1) ...
Setting up libc-client2007e (8:2007e~dfsg-3.1) ...
Setting up php5-imap (5.3.2-0ubuntu2) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added php5/conf.d/imap.ini
Committed revision 66.
root@charity:/var/log#
jj5@charity:~$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 152
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant all on pcmaildb.* to pcmail@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> flush priviliges;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'priviliges' at line 1
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
jj5@charity:~$ release pcmail "Releasing stock Postfix Admin 2.3.3"
Releasing pcmail
Checking availability of release: https://www.progclub.org/svn/pcrepo/pcmail/tags/release/2011/08/18/01
Committed revision 326.
svn: URL 'latest' does not exist
Committed revision 327.
John 2011-08-18 16:24
Configuring email
Following these instructions.
root@charity:~/bin# hostname -f
charity.progclub.org
root@charity:~/bin# ifconfig
eth0      Link encap:Ethernet  HWaddr 40:40:b3:fc:05:28
          inet addr:67.207.128.184  Bcast:67.207.128.255  Mask:255.255.255.0
          inet6 addr: fe80::4240:b3ff:fefc:528/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:71245 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54383 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10572039 (10.5 MB)  TX bytes:49196127 (49.1 MB)
          Interrupt:24

eth1      Link encap:Ethernet  HWaddr 40:40:8d:45:53:e9
          inet addr:172.19.1.45  Bcast:172.19.255.255  Mask:255.255.0.0
          inet6 addr: fe80::4240:8dff:fe45:53e9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1038 errors:0 dropped:0 overruns:0 frame:0
          TX packets:897 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:153708 (153.7 KB)  TX bytes:194246 (194.2 KB)
          Interrupt:25

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3307 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3307 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:479108 (479.1 KB)  TX bytes:479108 (479.1 KB)
root@charity:~/bin# dig -x 67.207.128.184

; <<>> DiG 9.7.0-P1 <<>> -x 67.207.128.184
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31526
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;184.128.207.67.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
184.128.207.67.in-addr.arpa. 86400 IN   PTR     charity.progclub.org.

;; AUTHORITY SECTION:
128.207.67.in-addr.arpa. 25951  IN      NS      NS2.SLICEHOST.NET.
128.207.67.in-addr.arpa. 25951  IN      NS      NS1.SLICEHOST.NET.

;; ADDITIONAL SECTION:
NS1.SLICEHOST.NET.      1811    IN      A       67.23.4.57
NS2.SLICEHOST.NET.      2443    IN      A       173.45.224.132

;; Query time: 11 msec
;; SERVER: 67.207.128.4#53(67.207.128.4)
;; WHEN: Thu Aug 18 06:39:10 2011
;; MSG SIZE  rcvd: 160
root@charity:~/bin# groupadd -g 50000 vmail
root@charity:~/bin# useradd -s /usr/sbin/nologin -g vmail -u 50000 vmail -d /home/vmail -m
root@charity:~/bin# aptitude install postfix postfix-mysql mysql-server postfix-tls libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl telnet mailx
Reading package lists... Done
Building dependency tree
Reading state information... Done
Initializing package states... Done
Writing extended state information... Done
"mailx" is a virtual package provided by:
  mailutils heirloom-mailx bsd-mailx
You must choose one to install.
The following NEW packages will be installed:
  db4.8-util{a} libpam-mysql libpq5{a} libsasl2-modules-sql libsqlite0{a} postfix postfix-mysql sasl2-bin telnet
0 packages upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,213kB of archives. After unpacking 6,250kB will be used.
Do you want to continue? [Y/n/?]
Package configuration: Postfix Configuration

  Please select the mail server configuration type that best meets your
  needs.

  No configuration:
    Should be chosen to leave the current configuration unchanged.
  Internet site:
    Mail is sent and received directly using SMTP.
  Internet with smarthost:
    Mail is received directly using SMTP or by running a utility such
    as fetchmail. Outgoing mail is sent using a smarthost.
  Satellite system:
    All mail is sent to another machine, called a 'smarthost', for
    delivery.
  Local only:
    The only delivered mail is the mail for local users. There is no
    network.

  <Ok>

Package configuration: Postfix Configuration

  General type of mail configuration:
      No configuration
    * Internet Site
      Internet with smarthost
      Satellite system
      Local only

  <Ok>  <Cancel>

Package configuration: Postfix Configuration

  The "mail name" is the domain name used to "qualify" _ALL_ mail
  addresses without a domain name. This includes mail to and from <root>:
  please do not make your machine send out mail from root@example.org
  unless root@example.org has told you to.

  This name will also be used by other programs. It should be the single,
  fully qualified domain name (FQDN).

  Thus, if a mail address on the local host is foo@example.org, the
  correct value for this option would be example.org.

  System mail name: progclub.org

  <Ok>  <Cancel>
Writing extended state information... Done
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main telnet 0.17-36build1 [72.2kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main db4.8-util 4.8.24-1ubuntu1 [136kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libpq5 8.4.8-0ubuntu0.10.04 [92.0kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main libsqlite0 2.8.17-6build2 [193kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main libsasl2-modules-sql 2.1.23.dfsg1-5ubuntu1 [71.5kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main sasl2-bin 2.1.23.dfsg1-5ubuntu1 [166kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid/universe libpam-mysql 0.7~RC1-4build1 [34.6kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/main postfix 2.7.0-1ubuntu0.2 [1,404kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid-updates/main postfix-mysql 2.7.0-1ubuntu0.2 [44.5kB]
Fetched 2,213kB in 1s (1,297kB/s)
Committing to: /etc/
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
modified shadow
modified shadow-
Committed revision 60.
Preconfiguring packages ...
Selecting previously deselected package telnet.
(Reading database ... 19681 files and directories currently installed.)
Unpacking telnet (from .../telnet_0.17-36build1_amd64.deb) ...
Selecting previously deselected package db4.8-util.
Unpacking db4.8-util (from .../db4.8-util_4.8.24-1ubuntu1_amd64.deb) ...
Selecting previously deselected package libpq5.
Unpacking libpq5 (from .../libpq5_8.4.8-0ubuntu0.10.04_amd64.deb) ...
Selecting previously deselected package libsqlite0.
Unpacking libsqlite0 (from .../libsqlite0_2.8.17-6build2_amd64.deb) ...
Selecting previously deselected package libsasl2-modules-sql.
Unpacking libsasl2-modules-sql (from .../libsasl2-modules-sql_2.1.23.dfsg1-5ubuntu1_amd64.deb) ...
Selecting previously deselected package sasl2-bin.
Unpacking sasl2-bin (from .../sasl2-bin_2.1.23.dfsg1-5ubuntu1_amd64.deb) ...
Selecting previously deselected package libpam-mysql.
Unpacking libpam-mysql (from .../libpam-mysql_0.7~RC1-4build1_amd64.deb) ...
Selecting previously deselected package postfix.
Unpacking postfix (from .../postfix_2.7.0-1ubuntu0.2_amd64.deb) ...
Selecting previously deselected package postfix-mysql.
Unpacking postfix-mysql (from .../postfix-mysql_2.7.0-1ubuntu0.2_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up telnet (0.17-36build1) ...
update-alternatives: using /usr/bin/telnet.netkit to provide /usr/bin/telnet (telnet) in auto mode.
Setting up db4.8-util (4.8.24-1ubuntu1) ...
Setting up libpq5 (8.4.8-0ubuntu0.10.04) ...
Setting up libsqlite0 (2.8.17-6build2) ...
Setting up libsasl2-modules-sql (2.1.23.dfsg1-5ubuntu1) ...
Setting up sasl2-bin (2.1.23.dfsg1-5ubuntu1) ...
update-rc.d: warning: saslauthd stop runlevel arguments (0 1 6) do not match LSB Default-Stop values (1)
 * To enable saslauthd, edit /etc/default/saslauthd and set START=yes
Setting up libpam-mysql (0.7~RC1-4build1) ...
Setting up postfix (2.7.0-1ubuntu0.2) ...
Adding group `postfix' (GID 109) ...
Done.
Adding system user `postfix' (UID 107) ...
Adding new user `postfix' (UID 107) with group `postfix' ...
Not creating home directory `/var/spool/postfix'.
Creating /etc/postfix/dynamicmaps.cf
Adding tcp map entry to /etc/postfix/dynamicmaps.cf
Adding group `postdrop' (GID 110) ...
Done.
setting myhostname: charity.progclub.org
setting alias maps
setting alias database
changing /etc/mailname to progclub.org
setting myorigin
setting destinations: progclub.org, charity.progclub.org, localhost.progclub.org, localhost
setting relayhost:
setting mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
setting mailbox_size_limit: 0
setting recipient_delimiter: +
setting inet_interfaces: all
/etc/aliases does not exist, creating it.
WARNING: /etc/aliases exists, but does not have a root alias.

Postfix is now set up with a default configuration.  If you need to make
changes, edit /etc/postfix/main.cf (and others) as needed.  To view
Postfix configuration values, see postconf(1).

After modifying main.cf, be sure to run '/etc/init.d/postfix reload'.

Running newaliases
 * Stopping Postfix Mail Transport Agent postfix [ OK ]
 * Starting Postfix Mail Transport Agent postfix [ OK ]
Setting up postfix-mysql (2.7.0-1ubuntu0.2) ...
Adding mysql map entry to /etc/postfix/dynamicmaps.cf
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added aliases
added aliases.db
modified group
modified group-
modified gshadow
modified gshadow-
added mailname
added pam-mysql.conf
modified passwd
modified passwd-
added postfix
added ppp
added resolvconf
added sasldb2
modified shadow
modified shadow-
added alternatives/telnet
added alternatives/telnet.1.gz
added default/saslauthd
added init.d/postfix
added init.d/saslauthd
added network/if-down.d/postfix
added network/if-up.d/postfix
added postfix/dynamicmaps.cf
added postfix/main.cf
added postfix/master.cf
added postfix/post-install
added postfix/postfix-files
added postfix/postfix-script
added postfix/sasl
added ppp/ip-down.d
added ppp/ip-up.d
added ppp/ip-down.d/postfix
added ppp/ip-up.d/postfix
added rc0.d/K20postfix
added rc0.d/K20saslauthd
added rc1.d/K20postfix
added rc1.d/K20saslauthd
added rc2.d/S20postfix
added rc2.d/S20saslauthd
added rc3.d/S20postfix
added rc3.d/S20saslauthd
added rc4.d/S20postfix
added rc4.d/S20saslauthd
added rc5.d/S20postfix
added rc5.d/S20saslauthd
added rc6.d/K20postfix
added rc6.d/K20saslauthd
added resolvconf/update-libc.d
added resolvconf/update-libc.d/postfix
added rsyslog.d/postfix.conf
added ufw/applications.d/postfix
Committed revision 61.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done
root@charity:~/bin# mail jj5@jj5.net
bash: mail: command not found
root@charity:~/bin# apt-get install mail
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package mail
root@charity:~/bin# apt-get install mailutils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  guile-1.8-libs libgsasl7 libmailutils2 libntlm0
Suggested packages:
  mailutils-mh
The following NEW packages will be installed:
  guile-1.8-libs libgsasl7 libmailutils2 libntlm0 mailutils
0 upgraded, 5 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,480kB of archives.
After this operation, 7,983kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main guile-1.8-libs 1.8.7+1-3ubuntu1 [752kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe libntlm0 1.1-1 [19.6kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/universe libgsasl7 1.4.4-1ubuntu1 [191kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe libmailutils2 1:2.1+dfsg1-4ubuntu1 [1,089kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/universe mailutils 1:2.1+dfsg1-4ubuntu1 [427kB]
Fetched 2,480kB in 1s (1,621kB/s)
Selecting previously deselected package guile-1.8-libs.
(Reading database ... 19967 files and directories currently installed.)
Unpacking guile-1.8-libs (from .../guile-1.8-libs_1.8.7+1-3ubuntu1_amd64.deb) ...
Selecting previously deselected package libntlm0.
Unpacking libntlm0 (from .../libntlm0_1.1-1_amd64.deb) ...
Selecting previously deselected package libgsasl7.
Unpacking libgsasl7 (from .../libgsasl7_1.4.4-1ubuntu1_amd64.deb) ...
Selecting previously deselected package libmailutils2.
Unpacking libmailutils2 (from .../libmailutils2_1%3a2.1+dfsg1-4ubuntu1_amd64.deb) ...
Selecting previously deselected package mailutils.
Unpacking mailutils (from .../mailutils_1%3a2.1+dfsg1-4ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Setting up guile-1.8-libs (1.8.7+1-3ubuntu1) ...
Setting up libntlm0 (1.1-1) ...
Setting up libgsasl7 (1.4.4-1ubuntu1) ...
Setting up libmailutils2 (1:2.1+dfsg1-4ubuntu1) ...
Setting up mailutils (1:2.1+dfsg1-4ubuntu1) ...
update-alternatives: using /usr/bin/frm.mailutils to provide /usr/bin/frm (frm) in auto mode.
update-alternatives: using /usr/bin/from.mailutils to provide /usr/bin/from (from) in auto mode.
update-alternatives: warning: not replacing /usr/bin/from with a link.
update-alternatives: warning: not replacing /usr/share/man/man1/from.1.gz with a link.
update-alternatives: using /usr/bin/messages.mailutils to provide /usr/bin/messages (messages) in auto mode.
update-alternatives: using /usr/bin/movemail.mailutils to provide /usr/bin/movemail (movemail) in auto mode.
update-alternatives: using /usr/bin/readmsg.mailutils to provide /usr/bin/readmsg (readmsg) in auto mode.
update-alternatives: using /usr/bin/dotlock.mailutils to provide /usr/bin/dotlock (dotlock) in auto mode.
update-alternatives: using /usr/bin/mail to provide /usr/bin/mailx (mailx) in auto mode.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added alternatives/dotlock
added alternatives/dotlock.1.gz
added alternatives/frm
added alternatives/frm.1.gz
added alternatives/from
added alternatives/from.1.gz
added alternatives/mailx
added alternatives/mailx.1.gz
added alternatives/messages
added alternatives/messages.1.gz
added alternatives/movemail
added alternatives/movemail.1.gz
added alternatives/readmsg
added alternatives/readmsg.1.gz
Committed revision 62.
root@charity:~/bin# mail jj5@jj5.net Cc: Subject: test just testing . . .
Note: needed to press Ctrl+D to finish the email and send.
root@charity:~/bin# mysqladmin -u root -p create pcmaildb Enter password:
Decided to call the mail user pcmail.
root@charity:~/bin# deluser vmail Removing user `vmail' ... Warning: group `vmail' has no more members. Done.
root@charity:~/bin# delgroup vmail The group `vmail' does not exist.
root@charity:~/bin# rm -rf /home/vmail
root@charity:~/bin# groupadd -g 50000 pcmail
root@charity:~/bin# useradd -s /usr/sbin/nologin -g pcmail -u 50000 pcmail -d /home/pcmail -m
root@charity:~/bin# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3492
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create user 'pcmail'@'localhost' identified by 'secret';
Query OK, 0 rows affected (0.15 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.11 sec)

mysql> grant select, insert, update, delete on `pcmaildb`.* to 'pcmail'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> use pcmaildb
Database changed
mysql> CREATE TABLE domains (
    -> domain varchar(50) NOT NULL,
    -> PRIMARY KEY (domain)
    -> )
    -> TYPE=MyISAM;
Query OK, 0 rows affected, 1 warning (0.06 sec)

mysql> CREATE TABLE users (
    -> email varchar(80) NOT NULL,
    -> password varchar(20) NOT NULL,
    -> PRIMARY KEY (email)
    -> )
    -> TYPE=MyISAM;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> CREATE TABLE forwards (
    -> source varchar(80) NOT NULL,
    -> destination TEXT NOT NULL,
    -> PRIMARY KEY (source)
    -> )
    -> TYPE=MyISAM;
Query OK, 0 rows affected, 1 warning (0.01 sec)

mysql> quit;
Bye
root@charity:~/bin# vim /etc/postfix/mysql-domains.cf
root@charity:~/bin# cat /etc/postfix/mysql-domains.cf
user = pcmail
password = secret
dbname = pcmaildb
query = SELECT domain AS virtual FROM domains WHERE domain='%s'
hosts = 127.0.0.1
root@charity:~/bin# vim /etc/postfix/mysql-forwards.cf
root@charity:~/bin# cat /etc/postfix/mysql-forwards.cf
user = pcmail
password = secret
dbname = pcmaildb
query = SELECT destination FROM forwards WHERE source='%s'
hosts = 127.0.0.1
root@charity:~/bin# vim /etc/postfix/mysql-mailboxes.cf
root@charity:~/bin# cat /etc/postfix/mysql-mailboxes.cf
user = pcmail
password = secret
dbname = pcmaildb
query = SELECT CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/') FROM users WHERE email='%s'
hosts = 127.0.0.1
root@charity:~/bin# vim /etc/postfix/mysql-email.cf
root@charity:~/bin# cat /etc/postfix/mysql-email.cf
user = pcmail
password = secret
dbname = pcmaildb
query = SELECT email FROM users WHERE email='%s'
hosts = 127.0.0.1
root@charity:~/bin# chmod o= /etc/postfix/mysql-*
root@charity:~/bin# chgrp postfix /etc/postfix/mysql-*
root@charity:~/bin# vim /etc/postfix/main.cf
root@charity:~/bin# cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = charity.progclub.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = progclub.org, charity.progclub.org, localhost.progclub.org, localhost
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-forwards.cf, mysql:/etc/postfix/mysql-email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-mailboxes.cf
virtual_mailbox_base = /home/pcmail
virtual_uid_maps = static:50000
virtual_gid_maps = static:50000

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
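As an added illustration (not part of the page's own setup), the following Python traces a recipient through the lookups that the four mysql-*.cf maps and the virtual_* entries in main.cf above perform. The tables are an in-memory stand-in for pcmaildb with constructed rows, MySQL's SUBSTRING_INDEX is re-implemented in Python, and the alias-loop and recipient_delimiter handling follow Postfix's documented behaviour rather than anything the page states. The maildir containment check at the end is a sanity check on the stored row, added here, not something Postfix is claimed to do.

```python
"""Trace a recipient through the lookups the mysql-*.cf maps and main.cf perform.

Added illustration: the tables below are an in-memory stand-in for pcmaildb
(constructed rows), and the MySQL functions the maps use are re-implemented
in Python so the whole chain can be followed offline.
"""
import posixpath

DOMAINS = {"progclub.org", "progclub.net", "progclub.com"}      # mysql-domains.cf
USERS = {"jj5@progclub.org"}                                    # mysql-email.cf / mysql-mailboxes.cf
FORWARDS = {                                                    # mysql-forwards.cf (source -> destination)
    "webmaster@progclub.org": "jj5@progclub.org",
    "outside@progclub.org": "someone@example.com",
    "ping@progclub.org": "pong@progclub.org",                   # constructed loop
    "pong@progclub.org": "ping@progclub.org",
}
VIRTUAL_MAILBOX_BASE = "/home/pcmail"                           # main.cf


def substring_index(s, delim, count):
    """Python equivalent of MySQL SUBSTRING_INDEX(s, delim, count)."""
    parts = s.split(delim)
    if count > 0:
        return delim.join(parts[:count])
    if count < 0:
        return delim.join(parts[count:])
    return ""


def maildir_relpath(email):
    """What mysql-mailboxes.cf returns:
    CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')"""
    return substring_index(email, "@", -1) + "/" + substring_index(email, "@", 1) + "/"


def maildir_path(email):
    """Absolute maildir for a users row, or None if it would leave the base.
    A row such as '..@..' would otherwise resolve above virtual_mailbox_base."""
    full = posixpath.normpath(posixpath.join(VIRTUAL_MAILBOX_BASE, maildir_relpath(email)))
    if not full.startswith(VIRTUAL_MAILBOX_BASE + "/"):
        return None
    return full + "/"


def resolve(recipient, delimiter="+"):
    """Apply the maps in the order main.cf wires them and report the outcome."""
    # 1. virtual_alias_maps (mysql-forwards.cf): Postfix re-applies the map to each
    #    result, up to virtual_alias_recursion_limit; a loop is detected here directly.
    addr, seen = recipient, set()
    while addr in FORWARDS:
        if addr in seen:
            return {"address": addr, "status": "defer: alias expansion loop"}
        seen.add(addr)
        addr = FORWARDS[addr]
    local, domain = substring_index(addr, "@", 1), substring_index(addr, "@", -1)
    # 2. virtual_mailbox_domains (mysql-domains.cf): is the final domain hosted here?
    if domain not in DOMAINS:
        if addr != recipient:
            return {"address": addr, "status": "relay: forwarded to an external address"}
        return {"address": addr, "status": "reject: domain not hosted"}
    # 3. virtual_mailbox_maps (mysql-mailboxes.cf): full address first, then with the
    #    recipient_delimiter extension stripped, as virtual(8) does.
    candidates = [addr]
    if delimiter in local:
        candidates.append(local.split(delimiter, 1)[0] + "@" + domain)
    row = next((c for c in candidates if c in USERS), None)
    if row is None:
        return {"address": addr, "status": "reject: unknown user"}
    path = maildir_path(row)
    if path is None:
        return {"address": addr, "status": "reject: maildir escapes virtual_mailbox_base"}
    return {"address": addr, "status": "deliver", "maildir": path}


if __name__ == "__main__":
    for rcpt in ("jj5@progclub.org", "jj5+lists@progclub.org", "webmaster@progclub.org",
                 "outside@progclub.org", "nobody@progclub.org", "ping@progclub.org"):
        print(rcpt, "->", resolve(rcpt))
```

Running it shows why the identity map in mysql-email.cf is harmless here (a real user maps to itself and expansion stops), and that the maildir under /home/pcmail is derived entirely from the email column, so the users table is the thing to keep tight.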
root@charity:~/bin# vim /etc/default/saslauthd
root@charity:~/bin# cat /etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
root@charity:~/bin# mkdir -p /var/spool/postfix/var/run/saslauthd
root@charity:~/bin# vim /etc/pam.d/smtp
root@charity:~/bin# cat /etc/pam.d/smtp
auth required pam_mysql.so user=pcmail passwd=secret host=127.0.0.1 db=pcmaildb table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=pcmail passwd=secret host=127.0.0.1 db=pcmaildb table=users usercolumn=email passwdcolumn=password crypt=1
root@charity:~/bin# vim /etc/postfix/sasl/smtpd.conf
root@charity:~/bin# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: pcmail
sql_passwd: secret
sql_database: pcmaildb
sql_select: select password from users where email = '%u'
root@charity:~/bin# adduser postfix sasl Adding user `postfix' to group `sasl' ... Adding user postfix to group sasl Done.
root@charity:~/bin# /etc/init.d/postfix restart * Stopping Postfix Mail Transport Agent postfix [ OK ] * Starting Postfix Mail Transport Agent postfix [ OK ]
root@charity:~/bin# /etc/init.d/saslauthd restart * Stopping SASL Authentication Daemon saslauthd [ OK ] * Starting SASL Authentication Daemon saslauthd [ OK ]
root@charity:~/bin# make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/certs/mailcert.pem
Package configuration: Configure an SSL Certificate.
Please enter the host name to use in the SSL certificate.
It will become the 'commonName' field of the generated SSL certificate.
Host name: charity.progclub.org
<Ok> <Cancel>
root@charity:~/bin# vim /etc/postfix/main.cf
root@charity:~/bin# cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/certs/mailcert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = charity.progclub.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
#mydestination = progclub.org, charity.progclub.org, localhost.progclub.org, localhost
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-forwards.cf, mysql:/etc/postfix/mysql-email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-mailboxes.cf
virtual_mailbox_base = /home/pcmail
virtual_uid_maps = static:50000
virtual_gid_maps = static:50000

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
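An added example, not code from the page: a small Python checker that parses main.cf the way postconf reads it and flags the relay-control and SASL/TLS settings a reviewer looks at in the file above. The sample text is a constructed subset of that main.cf, with one value split over two lines to exercise continuation handling. smtpd_tls_auth_only and smtpd_tls_security_level are real Postfix parameters that this main.cf does not set, which is exactly what the checker reports; the note about the key file under /etc/ssl/certs is a prompt to verify the file mode, not a claim about it.

```python
"""Parse a Postfix main.cf and check its relay-control, SASL and TLS settings.

Added illustration. The parser follows the syntax postconf(1) reads: '#' in
column one starts a comment, a line beginning with whitespace continues the
previous value, and $name or ${name} refers to another parameter.
"""
import re

# Constructed sample: a subset of the main.cf above, with proxy_read_maps
# split over two lines to exercise continuation handling.
MAIN_CF = """\
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
# TLS parameters
#smtpd_use_tls=yes
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/certs/mailcert.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
myhostname = charity.progclub.org
mydestination =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-domains.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps
    $virtual_mailbox_maps $virtual_mailbox_domains
"""

_REF = re.compile(r"\$\{(\w+)\}|\$(\w+)")
REJECT_UNAUTH = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Return {parameter: raw value} for the parameters set in main.cf text."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:      # continuation of the previous value
            params[last] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:                                   # malformed line; postconf would warn
            continue
        last = key.strip()
        params[last] = value.strip()
    return params


def expand(params, value, depth=0):
    """Expand $name / ${name} references; unset names expand to the empty string."""
    if depth > 10:                                    # guard against self-referential values
        return ""
    return _REF.sub(lambda m: expand(params, params.get(m.group(1) or m.group(2), ""), depth + 1), value)


def restrictions(params, name="smtpd_recipient_restrictions"):
    """The ordered entries of a restriction list, after parameter expansion."""
    return [r for r in re.split(r"[\s,]+", expand(params, params.get(name, ""))) if r]


def check_relay_control(params):
    """Settings that would let arbitrary clients relay through this server."""
    problems = []
    rules = restrictions(params)
    if not REJECT_UNAUTH & set(rules):
        problems.append("smtpd_recipient_restrictions lacks reject_unauth_destination: open relay")
    for rule in rules:
        if rule in REJECT_UNAUTH:
            break
        if rule == "permit":                          # unconditional permit reached first
            problems.append("unconditional 'permit' precedes reject_unauth_destination")
    for net in expand(params, params.get("mynetworks", "")).split():
        if net.endswith("/0"):                        # 0.0.0.0/0 or [::]/0 trusts everyone
            problems.append("mynetworks entry %s makes permit_mynetworks an open relay" % net)
    return problems


def check_sasl_tls(params):
    """Settings that expose SASL credentials or the TLS private key."""
    problems = []
    tls_on = (params.get("smtpd_use_tls") == "yes"
              or params.get("smtpd_tls_security_level", "none") != "none")
    if params.get("smtpd_sasl_auth_enable", "no") == "yes":
        if not tls_on:
            problems.append("SASL enabled without TLS: PLAIN/LOGIN passwords cross the network in clear")
        elif (params.get("smtpd_tls_auth_only", "no") != "yes"
              and params.get("smtpd_tls_security_level") != "encrypt"):
            problems.append("smtpd_tls_auth_only is not 'yes': AUTH is still offered before STARTTLS")
    key = expand(params, params.get("smtpd_tls_key_file", ""))
    if tls_on and key.startswith("/etc/ssl/certs/"):
        problems.append("private key %s sits under /etc/ssl/certs; confirm it is not world-readable" % key)
    return problems


if __name__ == "__main__":
    cfg = parse_main_cf(MAIN_CF)
    for problem in check_relay_control(cfg) + check_sasl_tls(cfg):
        print("WARN:", problem)
```

Against the sample, the relay check comes back clean (reject_unauth_destination is present and only the two scoped permits precede it), while the SASL/TLS check reports the two points worth a second look: AUTH PLAIN/LOGIN is offered before STARTTLS, and the combined cert+key file from make-ssl-cert lives in a directory that is normally world-readable.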
root@charity:~/bin# aptitude install courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl Reading package lists... Done Building dependency tree Reading state information... Done Reading extended state information Initializing package states... Done Writing extended state information... Done The following NEW packages will be installed: courier-authdaemon courier-authlib{a} courier-authlib-mysql courier-authlib-userdb{a} courier-base{a} courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl{a} expect{a} gamin{a} libgamin0{a} tcl8.5{a} 0 packages upgraded, 14 newly installed, 0 to remove and 0 not upgraded. Need to get 3,150kB of archives. After unpacking 9,093kB will be used. Do you want to continue? [Y/n/?]
Package configuration: Configuring courier-base
Courier uses several configuration files in /etc/courier. Some of these files can be replaced by a subdirectory whose contents are concatenated and treated as a single, consolidated, configuration file.
The web-based administration provided by the courier-webadmin package relies on configuration directories instead of configuration files. If you agree, any directories needed for the web-based administration tool will be created unless there is already a plain file in place.
Create directories for web-based administration?
<Yes> * <No>
Package configuration: Configuring courier-ssl
SSL certificate required
POP and IMAP over SSL requires a valid, signed, X.509 certificate. During the installation of courier-pop-ssl or courier-imap-ssl, a self-signed X.509 certificate will be generated if necessary.
For production use, the X.509 certificate must be signed by a recognized certificate authority, in order for mail clients to accept the certificate. The default location for this certificate is /etc/courier/pop3d.pem or /etc/courier/imapd.pem.
<Ok>
...
modified passwd- modified shadow modified shadow- modified default/saslauthd added pam.d/smtp modified postfix/main.cf added postfix/mysql-domains.cf added postfix/mysql-email.cf added postfix/mysql-forwards.cf added postfix/mysql-mailboxes.cf added postfix/sasl/smtpd.conf added ssl/certs/ef2ba030 added ssl/certs/f1b0694b added ssl/certs/mailcert.pem Committed revision 63. Preconfiguring packages ... Selecting previously deselected package tcl8.5. (Reading database ... 20285 files and directories currently installed.) Unpacking tcl8.5 (from .../tcl8.5_8.5.8-2_amd64.deb) ... Selecting previously deselected package expect. Unpacking expect (from .../expect_5.44.1.14-5_amd64.deb) ... Selecting previously deselected package courier-authlib. Unpacking courier-authlib (from .../courier-authlib_0.62.4-1_amd64.deb) ... Selecting previously deselected package courier-authdaemon. Unpacking courier-authdaemon (from .../courier-authdaemon_0.62.4-1_amd64.deb) ... Selecting previously deselected package courier-authlib-mysql. Unpacking courier-authlib-mysql (from .../courier-authlib-mysql_0.62.4-1_amd64.deb) ... Selecting previously deselected package courier-authlib-userdb. Unpacking courier-authlib-userdb (from .../courier-authlib-userdb_0.62.4-1_amd64.deb) ... Selecting previously deselected package gamin. Unpacking gamin (from .../gamin_0.1.10-1ubuntu3_amd64.deb) ... Selecting previously deselected package libgamin0. Unpacking libgamin0 (from .../libgamin0_0.1.10-1ubuntu3_amd64.deb) ... Selecting previously deselected package courier-base. Unpacking courier-base (from .../courier-base_0.63.0-2.1ubuntu1_amd64.deb) ... Selecting previously deselected package courier-pop. Unpacking courier-pop (from .../courier-pop_0.63.0-2.1ubuntu1_amd64.deb) ... Selecting previously deselected package courier-ssl. Unpacking courier-ssl (from .../courier-ssl_0.63.0-2.1ubuntu1_amd64.deb) ... Selecting previously deselected package courier-pop-ssl. 
Unpacking courier-pop-ssl (from .../courier-pop-ssl_0.63.0-2.1ubuntu1_amd64.deb) ... Selecting previously deselected package courier-imap. Unpacking courier-imap (from .../courier-imap_4.6.0-2.1ubuntu1_amd64.deb) ... Selecting previously deselected package courier-imap-ssl. Unpacking courier-imap-ssl (from .../courier-imap-ssl_4.6.0-2.1ubuntu1_amd64.deb) ... Processing triggers for man-db ... Processing triggers for ureadahead ... Setting up tcl8.5 (8.5.8-2) ... update-alternatives: using /usr/bin/tclsh8.5 to provide /usr/bin/tclsh (tclsh) in auto mode. Setting up expect (5.44.1.14-5) ... Setting up courier-authlib (0.62.4-1) ... Setting up courier-authdaemon (0.62.4-1) ... * Starting Courier authentication services authdaemond [ OK ] Setting up courier-authlib-mysql (0.62.4-1) ... Setting up courier-authlib-userdb (0.62.4-1) ... Setting up gamin (0.1.10-1ubuntu3) ... Setting up libgamin0 (0.1.10-1ubuntu3) ... Setting up courier-base (0.63.0-2.1ubuntu1) ... update-alternatives: using /usr/bin/deliverquota.courier to provide /usr/bin/deliverquota (deliverquota) in auto mode. update-alternatives: using /usr/share/man/man5/maildir.courier.5.gz to provide /usr/share/man/man5/maildir.5.gz (maildir.5.gz) in auto mode. update-alternatives: using /usr/bin/maildirmake.courier to provide /usr/bin/maildirmake (maildirmake) in auto mode. update-alternatives: using /usr/share/man/man7/maildirquota.courier.7.gz to provide /usr/share/man/man7/maildirquota.7.gz (maildirquota.7.gz) in auto mode. update-alternatives: using /usr/bin/makedat.courier to provide /usr/bin/makedat (makedat) in auto mode. Setting up courier-pop (0.63.0-2.1ubuntu1) ... * Starting Courier POP3 server... [ OK ] Setting up courier-ssl (0.63.0-2.1ubuntu1) ... Setting up courier-pop-ssl (0.63.0-2.1ubuntu1) ... 
cp: not writing through dangling symlink `/usr/lib/courier/pop3d.pem' chmod: cannot operate on dangling symlink `/usr/lib/courier/pop3d.pem' chown: cannot dereference `/usr/lib/courier/pop3d.pem': No such file or directory Generating a 1024 bit RSA private key ..................++++++ ..++++++ writing new private key to '/usr/lib/courier/pop3d.pem' ----- 1024 semi-random bytes loaded Generating DH parameters, 512 bit long safe prime, generator 2 This is going to take a long time ... subject= /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com notBefore=Aug 18 07:52:20 2011 GMT notAfter=Aug 17 07:52:20 2012 GMT SHA1 Fingerprint=58:34:37:7E:FA:90:CF:48:17:38:4F:58:B5:CA:18:68:1C:77:78:A3 * Starting Courier POP3-SSL server... [ OK ] Setting up courier-imap (4.6.0-2.1ubuntu1) ... * Starting Courier IMAP server... [ OK ] Setting up courier-imap-ssl (4.6.0-2.1ubuntu1) ... cp: not writing through dangling symlink `/usr/lib/courier/imapd.pem' chmod: cannot operate on dangling symlink `/usr/lib/courier/imapd.pem' chown: cannot dereference `/usr/lib/courier/imapd.pem': No such file or directory Generating a 1024 bit RSA private key ... writing new private key to '/usr/lib/courier/imapd.pem' ----- 1024 semi-random bytes loaded Generating DH parameters, 512 bit long safe prime, generator 2 This is going to take a long time ... subject= /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated IMAP SSL key/CN=localhost/emailAddress=postmaster@example.com notBefore=Aug 18 07:52:22 2011 GMT notAfter=Aug 17 07:52:22 2012 GMT SHA1 Fingerprint=B6:BE:6F:60:FE:40:EC:88:7A:C8:6E:92:F9:EE:E8:5C:42:72:CA:03 * Starting Courier IMAP-SSL server... [ OK ] Processing triggers for libc-bin ... 
ldconfig deferred processing now taking place Committing to: /etc/ modified .etckeeper added courier added gamin added alternatives/deliverquota added alternatives/deliverquota.8.gz added alternatives/maildir.5.gz added alternatives/maildirmake added alternatives/maildirmake.1.gz added alternatives/maildirquota.7.gz added alternatives/makedat added alternatives/makedat.1.gz added alternatives/tclsh added alternatives/tclsh.1 added courier/authdaemonrc added courier/authmysqlrc added courier/imapd added courier/imapd-ssl added courier/imapd.cnf added courier/imapd.pem added courier/pop3d added courier/pop3d-ssl added courier/pop3d.cnf added courier/pop3d.pem added courier/shared added courier/shared/index added gamin/gaminrc added init.d/courier-authdaemon added init.d/courier-imap added init.d/courier-imap-ssl added init.d/courier-pop added init.d/courier-pop-ssl added logcheck/violations.ignore.d added logcheck/ignore.d.server/courier-imap added logcheck/ignore.d.server/courier-imap-ssl added logcheck/ignore.d.server/courier-pop added logcheck/ignore.d.server/courier-pop-ssl added logcheck/violations.ignore.d/courier-imap added logcheck/violations.ignore.d/courier-imap-ssl added logcheck/violations.ignore.d/courier-pop added logcheck/violations.ignore.d/courier-pop-ssl added pam.d/imap added pam.d/pop3 added rc0.d/K20courier-authdaemon added rc0.d/K20courier-imap added rc0.d/K20courier-imap-ssl added rc0.d/K20courier-pop added rc0.d/K20courier-pop-ssl added rc1.d/K20courier-authdaemon added rc1.d/K20courier-imap added rc1.d/K20courier-imap-ssl added rc1.d/K20courier-pop added rc1.d/K20courier-pop-ssl added rc2.d/S20courier-authdaemon added rc2.d/S20courier-imap added rc2.d/S20courier-imap-ssl added rc2.d/S20courier-pop added rc2.d/S20courier-pop-ssl added rc3.d/S20courier-authdaemon added rc3.d/S20courier-imap added rc3.d/S20courier-imap-ssl added rc3.d/S20courier-pop added rc3.d/S20courier-pop-ssl added rc4.d/S20courier-authdaemon added rc4.d/S20courier-imap 
added rc4.d/S20courier-imap-ssl added rc4.d/S20courier-pop added rc4.d/S20courier-pop-ssl added rc5.d/S20courier-authdaemon added rc5.d/S20courier-imap added rc5.d/S20courier-imap-ssl added rc5.d/S20courier-pop added rc5.d/S20courier-pop-ssl added rc6.d/K20courier-authdaemon added rc6.d/K20courier-imap added rc6.d/K20courier-imap-ssl added rc6.d/K20courier-pop added rc6.d/K20courier-pop-ssl Committed revision 64. Reading package lists... Done Building dependency tree Reading state information... Done Reading extended state information Initializing package states... Done Writing extended state information... Done
root@charity:~/bin# vim /etc/courier/authdaemonrc
root@charity:~/bin# cat /etc/courier/authdaemonrc
##VERSION: $Id: authdaemonrc.in,v 1.13 2005/10/05 00:07:32 mrsam Exp $
#
# Copyright 2000-2005 Double Precision, Inc. See COPYING for
# distribution information.
#
# authdaemonrc created from authdaemonrc.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
# This file configures authdaemond, the resident authentication daemon.
#
# Comments in this file are ignored. Although this file is intended to
# be sourced as a shell script, authdaemond parses it manually, so
# the acceptable syntax is a bit limited. Multiline variable contents,
# with the \ continuation character, are not allowed. Everything must
# fit on one line. Do not use any additional whitespace for indentation,
# or anything else.

##NAME: authmodulelist:2
#
# The authentication modules that are linked into authdaemond. The
# default list is installed. You may selectively disable modules simply
# by removing them from the following list. The available modules you
# can use are: authuserdb authpam authpgsql authldap authmysql authcustom authpipe

#authmodulelist="authpam"
authmodulelist="authmysql"

##NAME: authmodulelistorig:3
#
# This setting is used by Courier's webadmin module, and should be left
# alone

authmodulelistorig="authuserdb authpam authpgsql authldap authmysql authcustom authpipe"

##NAME: daemons:0
#
# The number of daemon processes that are started. authdaemon is typically
# installed where authentication modules are relatively expensive: such
# as authldap, or authmysql, so it's better to have a number of them running.
# PLEASE NOTE: Some platforms may experience a problem if there's more than
# one daemon. Specifically, SystemV derived platforms that use TLI with
# socket emulation. I'm suspicious of TLI's ability to handle multiple
# processes accepting connections on the same filesystem domain socket.
#
# You may need to increase daemons if as your system load increases. Symptoms
# include sporadic authentication failures. If you start getting
# authentication failures, increase daemons. However, the default of 5
# SHOULD be sufficient. Bumping up daemon count is only a short-term
# solution. The permanent solution is to add more resources: RAM, faster
# disks, faster CPUs...

daemons=5

##NAME: authdaemonvar:2
#
# authdaemonvar is here, but is not used directly by authdaemond. It's
# used by various configuration and build scripts, so don't touch it!

authdaemonvar=/var/run/courier/authdaemon

##NAME: DEBUG_LOGIN:0
#
# Dump additional diagnostics to syslog
#
# DEBUG_LOGIN=0 - turn off debugging
# DEBUG_LOGIN=1 - turn on debugging
# DEBUG_LOGIN=2 - turn on debugging + log passwords too
#
# ** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
#
# Note that most information is sent to syslog at level 'debug', so
# you may need to modify your /etc/syslog.conf to be able to see it.

DEBUG_LOGIN=0

##NAME: DEFAULTOPTIONS:0
#
# A comma-separated list of option=value pairs. Each option is applied
# to an account if the account does not have its own specific value for
# that option. So for example, you can set
# DEFAULTOPTIONS="disablewebmail=1,disableimap=1"
# and then enable webmail and/or imap on individual accounts by setting
# disablewebmail=0 and/or disableimap=0 on the account.

DEFAULTOPTIONS=""

##NAME: LOGGEROPTS:0
#
# courierlogger(1) options, e.g. to set syslog facility
#

LOGGEROPTS=""

##NAME: LDAP_TLS_OPTIONS:0
#
# Options documented in ldap.conf(5) can be set here, prefixed with 'LDAP'.
# Examples:
#
#LDAPTLS_CACERT=/path/to/cacert.pem
#LDAPTLS_REQCERT=demand
#LDAPTLS_CERT=/path/to/clientcert.pem
#LDAPTLS_KEY=/path/to/clientkey.pem
root@charity:~/bin# vim /etc/courier/authmysqlrc
root@charity:~/bin# cat /etc/courier/authmysqlrc
MYSQL_SERVER 127.0.0.1
MYSQL_USERNAME pcmail
MYSQL_PASSWORD secret
MYSQL_PORT 0
MYSQL_DATABASE pcmaildb
MYSQL_USER_TABLE users
MYSQL_CRYPT_PWFIELD password
MYSQL_UID_FIELD 50000
MYSQL_GID_FIELD 50000
MYSQL_LOGIN_FIELD email
MYSQL_HOME_FIELD "/home/pcmail"
MYSQL_MAILDIR_FIELD CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
root@charity:~/bin# sudo /etc/init.d/courier-authdaemon restart * Stopping Courier authentication services authdaemond [ OK ] * Starting Courier authentication services authdaemond [ OK ]
root@charity:~/bin# sudo /etc/init.d/courier-imap restart * Stopping Courier IMAP server... [ OK ] * Starting Courier IMAP server... [ OK ]
root@charity:~/bin# sudo /etc/init.d/courier-imap-ssl restart * Stopping Courier IMAP-SSL server... [ OK ] * Starting Courier IMAP-SSL server... [ OK ]
root@charity:~/bin# sudo /etc/init.d/courier-pop restart * Stopping Courier POP3 server... [ OK ] * Starting Courier POP3 server... [ OK ]
root@charity:~/bin# sudo /etc/init.d/courier-pop-ssl restart * Stopping Courier POP3-SSL server... [ OK ] * Starting Courier POP3-SSL server... [ OK ]
root@charity:~/bin# vim /etc/iptables.up.rules
# Allows SMTP access
-A INPUT -p tcp --dport 25 -j ACCEPT
# Allows pop and pops connections
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
# Allows imap and imaps connections
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
root@charity:~/bin# iptables-restore < /etc/iptables.up.rules
root@charity:~/bin# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3590
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use pcmaildb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> insert into domains (domain) values ( 'progclub.org' );
Query OK, 1 row affected (0.01 sec)

mysql> insert into domains (domain) values ( 'progclub.net' );
Query OK, 1 row affected (0.00 sec)

mysql> insert into domains (domain) values ( 'progclub.com' );
Query OK, 1 row affected (0.00 sec)

mysql> insert into users ( email, password ) values ( 'jj5@progclub.org', encrypt( 'secret' ) );
Query OK, 1 row affected (0.11 sec)

mysql> quit;
Bye
root@charity:~/bin# postfix reload postfix/postfix-script: refreshing the Postfix mail system
root@charity:~/bin# ll /home/pcmail
total 20
drwxr-xr-x  2 pcmail pcmail 4096 2011-08-18 07:10 ./
drwxr-xr-x 11 root   root   4096 2011-08-18 07:10 ../
-rw-r--r--  1 pcmail pcmail  220 2010-04-19 02:15 .bash_logout
-rw-r--r--  1 pcmail pcmail 3103 2010-04-19 02:15 .bashrc
-rw-r--r--  1 pcmail pcmail  675 2010-04-19 02:15 .profile
root@charity:~/bin# mail jj5@progclub.org Cc: Subject: test testing
Note: Ctrl+D to end and send.
Works!
Bah! The instructions I followed were shit. Had to completely reconfigure to integrate with Postfix Admin. Followed these instructions.
John 2011-08-18 06:11
Installing awstats
jj5@charity:~$ apt-cache search awstats awstats - powerful and featureful web server log analyzer jj5@charity:~$ sudo -s [sudo] password for jj5: Sorry, try again. [sudo] password for jj5: root@charity:~# apt-get install awstats Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: libnet-xwhois-perl Suggested packages: libnet-dns-perl libnet-ip-perl libgeo-ipfree-perl The following NEW packages will be installed: awstats libnet-xwhois-perl 0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. Need to get 974kB of archives. After this operation, 5,341kB of additional disk space will be used. Do you want to continue [Y/n]? Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main awstats 6.9~dfsg-1ubuntu3.10.04.1 [951kB] Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libnet-xwhois-perl 0.90-3 [23.0kB] Fetched 974kB in 1s (714kB/s) Bad group for maybe chgrp UNKNOWN './ldap/friggles.ldif' Committing to: /etc/ modified passwd modified passwd- modified shadow modified shadow- Committed revision 55. Selecting previously deselected package awstats. (Reading database ... 18938 files and directories currently installed.) Unpacking awstats (from .../awstats_6.9~dfsg-1ubuntu3.10.04.1_all.deb) ... Selecting previously deselected package libnet-xwhois-perl. Unpacking libnet-xwhois-perl (from .../libnet-xwhois-perl_0.90-3_all.deb) ... Processing triggers for man-db ... Setting up awstats (6.9~dfsg-1ubuntu3.10.04.1) ... Setting up libnet-xwhois-perl (0.90-3) ... Bad group for maybe chgrp UNKNOWN './ldap/friggles.ldif' Committing to: /etc/ added awstats added awstats/awstats.conf added awstats/awstats.conf.local added cron.d/awstats Committed revision 56.
John 2011-08-15 00:30
Following these instructions.
root@charity:~# apt-get install nfs-kernel-server Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: libevent-1.4-2 libgssglue1 libnfsidmap2 librpcsecgss3 nfs-common portmap The following NEW packages will be installed: libevent-1.4-2 libgssglue1 libnfsidmap2 librpcsecgss3 nfs-common nfs-kernel-server portmap 0 upgraded, 7 newly installed, 0 to remove and 0 not upgraded. Need to get 592kB of archives. After this operation, 1,802kB of additional disk space will be used. Do you want to continue [Y/n]? Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libevent-1.4-2 1.4.13-stable-1 [61.4kB] Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libgssglue1 0.1-4 [24.4kB] Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libnfsidmap2 0.23-2 [32.1kB] Get:4 http://archive.ubuntu.com/ubuntu/ lucid/main librpcsecgss3 0.19-2 [36.3kB] Get:5 http://archive.ubuntu.com/ubuntu/ lucid-updates/main portmap 6.0.0-1ubuntu2.1 [39.0kB] Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main nfs-common 1:1.2.0-4ubuntu4.1 [229kB] Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/main nfs-kernel-server 1:1.2.0-4ubuntu4.1 [170kB] Fetched 592kB in 1s (502kB/s) Committing to: /etc/ modified group modified group- modified gshadow modified gshadow- modified passwd- modified shadow- Committed revision 50. Preconfiguring packages ... Selecting previously deselected package libevent-1.4-2. (Reading database ... 18813 files and directories currently installed.) Unpacking libevent-1.4-2 (from .../libevent-1.4-2_1.4.13-stable-1_amd64.deb) ... Selecting previously deselected package libgssglue1. Unpacking libgssglue1 (from .../libgssglue1_0.1-4_amd64.deb) ... Selecting previously deselected package libnfsidmap2. Unpacking libnfsidmap2 (from .../libnfsidmap2_0.23-2_amd64.deb) ... Selecting previously deselected package librpcsecgss3. Unpacking librpcsecgss3 (from .../librpcsecgss3_0.19-2_amd64.deb) ... 
Selecting previously deselected package portmap. Unpacking portmap (from .../portmap_6.0.0-1ubuntu2.1_amd64.deb) ... Selecting previously deselected package nfs-common. Unpacking nfs-common (from .../nfs-common_1%3a1.2.0-4ubuntu4.1_amd64.deb) ... Selecting previously deselected package nfs-kernel-server. Unpacking nfs-kernel-server (from .../nfs-kernel-server_1%3a1.2.0-4ubuntu4.1_amd64.deb) ... Processing triggers for man-db ... Processing triggers for ureadahead ... Setting up libevent-1.4-2 (1.4.13-stable-1) ... Setting up libgssglue1 (0.1-4) ... Setting up libnfsidmap2 (0.23-2) ... Setting up librpcsecgss3 (0.19-2) ... Setting up portmap (6.0.0-1ubuntu2.1) ... portmap start/running, process 3401 Setting up nfs-common (1:1.2.0-4ubuntu4.1) ... Creating config file /etc/idmapd.conf with new version Creating config file /etc/default/nfs-common with new version Adding system user `statd' (UID 106) ... Adding new user `statd' (UID 106) with group `nogroup' ... Not creating home directory `/var/lib/nfs'. statd start/running, process 3618 gssd stop/pre-start, process 3648 idmapd stop/pre-start, process 3681 Setting up nfs-kernel-server (1:1.2.0-4ubuntu4.1) ... Creating config file /etc/exports with new version Creating config file /etc/default/nfs-kernel-server with new version * Not starting NFS kernel daemon: no support in current kernel. Processing triggers for libc-bin ... 
ldconfig deferred processing now taking place Committing to: /etc/ added exports added gssapi_mech.conf added idmapd.conf modified passwd modified passwd- modified shadow modified shadow- added default/nfs-common added default/nfs-kernel-server added default/portmap added init/gssd.conf added init/idmapd.conf added init/portmap-boot.conf added init/portmap-wait.conf added init/portmap.conf added init/rpc_pipefs.conf added init/statd-mounting.conf added init/statd.conf added init.d/gssd added init.d/idmapd added init.d/nfs-kernel-server added init.d/portmap added init.d/portmap-boot added init.d/portmap-wait added init.d/rpc_pipefs added init.d/statd added init.d/statd-mounting added rc0.d/K80nfs-kernel-server added rc1.d/K80nfs-kernel-server added rc2.d/S20nfs-kernel-server added rc3.d/S20nfs-kernel-server added rc4.d/S20nfs-kernel-server added rc5.d/S20nfs-kernel-server added rc6.d/K80nfs-kernel-server Committed revision 51.
root@charity:~# reboot
jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# ls
bin  ipsec-tools.conf  pcrepo  progrock  try  viewvc-1.0.12  viewvc-1.0.12.tar.gz
root@charity:~# cd /
root@charity:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  sbin  selinux  srv  sys  tmp  usr  var
root@charity:/# mkdir /export
root@charity:/# mkdir /export/home
root@charity:/# mount --bind /home /export/home
root@charity:/# vim /etc/fstab
root@charity:/# cat /etc/fstab
proc         /proc         proc  defaults                            0 0
/dev/sda1    /             ext3  defaults,errors=remount-ro,noatime  0 1
/dev/sda2    none          swap  sw                                  0 0
/home        /export/home  none  bind                                0 0
root@charity:/# vim /etc/default/nfs-common
root@charity:/# cat /etc/default/nfs-common
# If you do not set values for the NEED_ options, they will be attempted
# autodetected; this should be sufficient for most people. Valid alternatives
# for the NEED_ options are "yes" and "no".

# Do you want to start the statd daemon? It is not needed for NFSv4.
NEED_STATD=

# Options for rpc.statd.
#   Should rpc.statd listen on a specific port? This is especially useful
#   when you have a port-based firewall. To use a fixed port, set this
#   this variable to a statd argument like: "--port 4000 --outgoing-port 4001".
#   For more information, see rpc.statd(8) or http://wiki.debian.org/?SecuringNFS
STATDOPTS=

# Do you want to start the idmapd daemon? It is only needed for NFSv4.
NEED_IDMAPD=yes

# Do you want to start the gssd daemon? It is required for Kerberos mounts.
NEED_GSSD=
root@charity:/# vim /etc/exports
root@charity:/# cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export       172.19.0.0/16(rw,fsid=0,insecure,no_subtree_check,async)
/export/home  172.19.0.0/16(rw,nohide,insecure,no_subtree_check,async)
root@charity:/# /etc/init.d/nfs-kernel-server restart
 * Stopping NFS kernel daemon                                   [ OK ]
 * Unexporting directories for NFS kernel daemon...             [ OK ]
 * Not starting NFS kernel daemon: no support in current kernel.
Following these suggestions:
root@charity:/etc# vim /etc/init.d/nfs-kernel-server
#if [ -f /proc/kallsyms ] && ! grep -qE ' nfsd_serv ' /proc/kallsyms; then
if [ -f /proc/kallsyms ] && ! grep -qE 'init_nf(sd| )' /proc/kallsyms; then
Nah, screw that. How about this!?:
#if [ -f /proc/kallsyms ] && ! grep -qE ' nfsd_serv ' /proc/kallsyms; then
#	log_warning_msg "Not starting $DESC: no support in current kernel."
#	exit 0
#fi
root@charity:/etc# /etc/init.d/nfs-kernel-server restart
 * Stopping NFS kernel daemon                                   [ OK ]
 * Unexporting directories for NFS kernel daemon...             [ OK ]
 * Exporting directories for NFS kernel daemon...               [ OK ]
 * Starting NFS kernel daemon                                   [ OK ]
jj5@charity:/export/home$ vim /etc/iptables.up.rules
# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT
-A INPUT -s 172.19.1.28 -j ACCEPT
# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT
-A INPUT -s 172.19.1.46 -j ACCEPT
root@charity:/export/home# cat /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
ALL: 172.19.1.28
ALL: 172.19.1.46
root@charity:/export/home# cat /etc/fstab
proc         /proc         proc  defaults                            0 0
/dev/sda1    /             ext3  defaults,errors=remount-ro,noatime  0 1
/dev/sda2    none          swap  sw                                  0 0
/home        /export/home  none  bind                                0 0
root@charity:/export/home# cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/export       172.19.0.0/16(rw,fsid=0,insecure,no_subtree_check,async)
/export/home  172.19.0.0/16(rw,nohide,insecure,no_subtree_check,async)
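A note on the access control that results from the files above, with an added example that is not part of this log or of charity's own configuration. The exports grant the whole 172.19.0.0/16 private network read-write access with insecure (requests from unprivileged source ports are accepted) and async (writes are acknowledged before they reach disk), while hosts.allow names only the two hosts. tcp_wrappers consults hosts.allow first, then hosts.deny, and allows anything that matches neither, so without a catch-all in hosts.deny the allow list restricts nothing; and in any case the kernel nfsd does not consult tcp_wrappers at all, only portmap and rpc.mountd do, so /etc/exports is the ACL that matters. The script below parses an exports file and a hosts.deny file and flags those settings. The file paths are parameters and the sample files at the bottom are constructed for the demo (modelled on the entries above, with the two 172.19.1.x hosts listed explicitly in the tightened version):

```shell
#!/bin/sh
# Added example, not part of the charity admin log: audit an exports(5) file
# and the matching hosts.deny for the weak settings used above.  The file
# paths are parameters; the sample files at the bottom are constructed.

# prefix_len CLIENTSPEC -> CIDR prefix length (32 for a bare address),
# or -1 for a hostname, wildcard, netgroup, gss/ or dotted-netmask spec
prefix_len() {
    case "$1" in
        *[!0-9./]*) echo -1 ;;        # not a dotted-quad or prefix form
        */*.*)      echo -1 ;;        # dotted netmask form, not handled here
        */*)        echo "${1#*/}" ;;
        *)          echo 32 ;;
    esac
}

# audit_exports FILE -> one WARN line per finding, then "FINDINGS n"
audit_exports() {
    findings=0
    set -f                            # never glob client specs like *.example.org
    while read -r path clients; do
        case "$path" in ''|\#*) continue ;; esac
        for client in $clients; do
            spec=${client%%\(*}
            opts=${client#*\(}; opts=${opts%\)}
            [ "$spec" = "$client" ] && opts=""        # bare client, no option list
            plen=$(prefix_len "$spec")
            if [ "$plen" -ge 0 ] && [ "$plen" -lt 24 ]; then
                echo "WARN $path $spec: /$plen is wider than a host or a /24; list the client hosts instead"
                findings=$((findings + 1))
            fi
            oldifs=$IFS; IFS=,
            for o in $opts; do
                case "$o" in
                    insecure)       echo "WARN $path $spec: insecure accepts requests from unprivileged source ports" ;;
                    async)          echo "WARN $path $spec: async acknowledges writes before they reach disk" ;;
                    no_root_squash) echo "WARN $path $spec: no_root_squash maps client root to server root" ;;
                    *)              continue ;;
                esac
                findings=$((findings + 1))
            done
            IFS=$oldifs
        done
    done < "$1"
    set +f
    echo "FINDINGS $findings"
}

# count_findings FILE -> just the number of findings
count_findings() {
    audit_exports "$1" | sed -n 's/^FINDINGS //p'
}

# check_hosts_deny FILE -> OK if it carries an "ALL: ALL" catch-all, else WARN.
# Without it, anything not listed in hosts.allow is still allowed.
check_hosts_deny() {
    if grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1" 2>/dev/null; then
        echo "OK $1 has a catch-all deny"
    else
        echo "WARN $1 has no 'ALL: ALL' catch-all; hosts.allow is not enforced"
    fi
}

# Constructed samples modelled on the entries above (not the live files)
EXPORTS_WEAK=$(mktemp); EXPORTS_TIGHT=$(mktemp)
DENY_EMPTY=$(mktemp);   DENY_OK=$(mktemp)
cat > "$EXPORTS_WEAK" <<'EOF'
# /etc/exports: the access control list for filesystems which may be exported
/export       172.19.0.0/16(rw,fsid=0,insecure,no_subtree_check,async)
/export/home  172.19.0.0/16(rw,nohide,insecure,no_subtree_check,async)
EOF
cat > "$EXPORTS_TIGHT" <<'EOF'
/export       172.19.1.28(rw,fsid=0,sync,no_subtree_check) 172.19.1.46(rw,fsid=0,sync,no_subtree_check)
/export/home  172.19.1.28(rw,nohide,sync,no_subtree_check) 172.19.1.46(rw,nohide,sync,no_subtree_check)
EOF
: > "$DENY_EMPTY"
printf 'ALL: ALL\n' > "$DENY_OK"

audit_exports "$EXPORTS_WEAK"      # FINDINGS 6
audit_exports "$EXPORTS_TIGHT"     # FINDINGS 0
check_hosts_deny "$DENY_EMPTY"     # WARN
check_hosts_deny "$DENY_OK"        # OK
```

Run it against the real files with `audit_exports /etc/exports` and `check_hosts_deny /etc/hosts.deny` after `exportfs -ra`; the tightened exports above keep the two client hosts from hosts.allow and drop insecure and async, which is the shape exportfs(8) documents as the safe default.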
John 2011-08-14 23:04
Kerberos client configuration
Basically the same as on hope.
jj5@charity:~$ sudo -s [sudo] password for jj5: root@charity:~# apt-get install krb5-user krb5-config libpam-krb5 Reading package lists... Done Building dependency tree Reading state information... Done krb5-user is already the newest version. krb5-user set to manually installed. krb5-config is already the newest version. krb5-config set to manually installed. The following NEW packages will be installed: libpam-krb5 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 73.8kB of archives. After this operation, 193kB of additional disk space will be used. Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libpam-krb5 4.2-1 [73.8kB] Fetched 73.8kB in 0s (120kB/s) Committing to: /etc/ modified krb5kdc/kadm5.acl modified ldap/ldap.conf modified ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif Committed revision 45. Selecting previously deselected package libpam-krb5. (Reading database ... 18809 files and directories currently installed.) Unpacking libpam-krb5 (from .../libpam-krb5_4.2-1_amd64.deb) ... Processing triggers for man-db ... Setting up libpam-krb5 (4.2-1) ... Committing to: /etc/ modified pam.d/common-account modified pam.d/common-auth modified pam.d/common-password modified pam.d/common-session modified pam.d/common-session-noninteractive Committed revision 46.
root@charity:~# hostname -f charity.progclub.org
root@charity:~# apt-get install libnss-ldapd libsasl2-modules-gssapi-mit kstart Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: libpam-ldapd nscd nslcd The following NEW packages will be installed: kstart libnss-ldapd libpam-ldapd libsasl2-modules-gssapi-mit nscd nslcd 0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded. Need to get 532kB of archives. After this operation, 1,311kB of additional disk space will be used. Do you want to continue [Y/n]?
Package configuration: Configuring NSLCD

  Please enter the Uniform Resource Identifier of the LDAP server. The
  format is 'ldap://<hostname_or_IP_address>:<port>/'. Alternatively,
  'ldaps://' or 'ldapi://' can be used. The port number is optional.

  When using an ldap or ldaps scheme it is recommended to use an IP
  address to avoid failures when domain name services are unavailable.

  Multiple URIs can be specified by separating them with spaces.

  LDAP server URI:

  ldaps://charity.progclub.org/

                    <Ok>                        <Cancel>

Package configuration: Configuring NSLCD

  Please enter the distinguished name of the LDAP search base. Many sites
  use the components of their domain names for this purpose. For example,
  the domain "example.net" would use "dc=example,dc=net" as the
  distinguished name of the search base.

  LDAP server search base:

  dc=progclub,dc=org

                    <Ok>                        <Cancel>

Package configuration: Configuring NSLCD

  When an encrypted connection is used, a server certificate can be
  requested and checked. Please choose whether lookups should be
  configured to require a certificate, and whether certificates should be
  checked for validity:
   * never: no certificate will be requested or checked;
   * allow: a certificate will be requested, but it is not
            required or checked;
   * try: a certificate will be requested and checked, but if no
          certificate is provided it is ignored;
   * demand: a certificate will be requested, required, and checked.
  If certificate checking is enabled, at least one of the tls_cacertdir or
  tls_cacertfile options must be put in /etc/nslcd.conf.

                                <Ok>

Package configuration: Configuring NSLCD

  Check server's SSL certificate:

      never
    * allow
      try
      demand

            <Ok>            <Cancel>

Package configuration: Configuring libnss-ldapd

  For this package to work, you need to modify your /etc/nsswitch.conf to
  use the ldap datasource.

  You can select the services that should have LDAP lookups enabled. The
  new LDAP lookups will be added as the last datasource. Be sure to review
  these changes.

  Name services to configure:

    [*] aliases
    [*] ethers
    [*] group
    [*] hosts
    [*] netgroup
    [*] networks
    [*] passwd
    [*] protocols
    [*] rpc
    [*] services
    [*] shadow

                                <Ok>
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe kstart 3.16-3 [58.3kB] Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe libsasl2-modules-gssapi-mit 2.1.23.dfsg1-5ubuntu1 [73.1kB] Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe nscd 2.11.1-0ubuntu7.8 [212kB] Get:4 http://archive.ubuntu.com/ubuntu/ lucid/universe nslcd 0.7.2 [120kB] Get:5 http://archive.ubuntu.com/ubuntu/ lucid/universe libnss-ldapd 0.7.2 [41.8kB] Get:6 http://archive.ubuntu.com/ubuntu/ lucid/universe libpam-ldapd 0.7.2 [27.6kB] Fetched 532kB in 1s (431kB/s) Preconfiguring packages ... Selecting previously deselected package kstart. (Reading database ... 18820 files and directories currently installed.) Unpacking kstart (from .../kstart_3.16-3_amd64.deb) ... Selecting previously deselected package libsasl2-modules-gssapi-mit. Unpacking libsasl2-modules-gssapi-mit (from .../libsasl2-modules-gssapi-mit_2.1.23.dfsg1-5ubuntu1_amd64.deb) ... Selecting previously deselected package nscd. Unpacking nscd (from .../nscd_2.11.1-0ubuntu7.8_amd64.deb) ... Selecting previously deselected package nslcd. Unpacking nslcd (from .../archives/nslcd_0.7.2_amd64.deb) ... Selecting previously deselected package libnss-ldapd. Unpacking libnss-ldapd (from .../libnss-ldapd_0.7.2_amd64.deb) ... Selecting previously deselected package libpam-ldapd. Unpacking libpam-ldapd (from .../libpam-ldapd_0.7.2_amd64.deb) ... Processing triggers for man-db ... Processing triggers for ureadahead ... Setting up kstart (3.16-3) ... Setting up libsasl2-modules-gssapi-mit (2.1.23.dfsg1-5ubuntu1) ... Setting up nscd (2.11.1-0ubuntu7.8) ... * Starting Name Service Cache Daemon nscd [ OK ] Setting up nslcd (0.7.2) ... Warning: The home dir /var/run/nslcd/ you specified can't be accessed: No such file or directory Adding system user `nslcd' (UID 105) ... Adding new group `nslcd' (GID 108) ... Adding new user `nslcd' (UID 105) with group `nslcd' ... Not creating home directory `/var/run/nslcd/'. 
* Starting LDAP connection daemon nslcd [ OK ] Setting up libnss-ldapd (0.7.2) ... /etc/nsswitch.conf: enable LDAP lookups for aliases /etc/nsswitch.conf: enable LDAP lookups for ethers /etc/nsswitch.conf: enable LDAP lookups for group /etc/nsswitch.conf: enable LDAP lookups for hosts /etc/nsswitch.conf: enable LDAP lookups for netgroup /etc/nsswitch.conf: enable LDAP lookups for networks /etc/nsswitch.conf: enable LDAP lookups for passwd /etc/nsswitch.conf: enable LDAP lookups for protocols /etc/nsswitch.conf: enable LDAP lookups for rpc /etc/nsswitch.conf: enable LDAP lookups for services /etc/nsswitch.conf: enable LDAP lookups for shadow * Restarting Name Service Cache Daemon nscd [ OK ] Setting up libpam-ldapd (0.7.2) ... Processing triggers for libc-bin ... ldconfig deferred processing now taking place Committing to: /etc/ modified .etckeeper modified group modified group- modified gshadow modified gshadow- added nscd.conf added nslcd.conf modified nsswitch.conf modified passwd modified passwd- modified shadow modified shadow- added init.d/nscd added init.d/nslcd modified pam.d/common-account modified pam.d/common-auth modified pam.d/common-password modified pam.d/common-session modified pam.d/common-session-noninteractive added rc0.d/K20nscd added rc0.d/K20nslcd added rc1.d/K20nscd added rc1.d/K20nslcd added rc2.d/S20nscd added rc2.d/S20nslcd added rc3.d/S20nscd added rc3.d/S20nslcd added rc4.d/S20nscd added rc4.d/S20nslcd added rc5.d/S20nscd added rc5.d/S20nslcd added rc6.d/K20nscd added rc6.d/K20nslcd Committed revision 47.
root@charity:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap

hosts:          files dns ldap
networks:       files ldap

protocols:      db files ldap
services:       db files ldap
ethers:         db files ldap
rpc:            db files ldap

netgroup:       nis ldap
aliases:        ldap
root@charity:~# vim /etc/nslcd.conf
root@charity:~# cat /etc/nslcd.conf
# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://charity.progclub.org/

# The search base that will be used for all queries.
base dc=progclub,dc=org

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# SSL options
#ssl off
tls_reqcert allow

# The search scope.
#scope sub

# JE: 2011-08-14: added sasl_mech
sasl_mech GSSAPI
root@charity:~# pam-auth-update
Package configuration

  Pluggable Authentication Modules (PAM) determine how authentication,
  authorization, and password changing are handled on the system, as well
  as allowing configuration of additional actions to take when starting
  user sessions.

  Some PAM module packages provide profiles that can be used to
  automatically adjust the behavior of all PAM-using applications on the
  system. Please indicate which of these behaviors you wish to enable.

  PAM profiles to enable:

    [*] Kerberos authentication
    [*] Unix authentication
    [ ] LDAP Authentication

                    <Ok>                        <Cancel>

root@charity:~# service nslcd restart
 * Restarting LDAP connection daemon nslcd
nslcd: /etc/nslcd.conf:30: option sasl_mech is currently not fully supported (please report any successes)
                                                                [ OK ]
root@charity:~# vim /etc/pam.d/common-password
root@charity:~# cat /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
#password	requisite			pam_krb5.so minimum_uid=1000
#password	[success=1 default=ignore]	pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
#password	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
#password	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

password sufficient pam_krb5.so minimum_uid=1000
password required   pam_unix.so obscure try_first_pass sha512
Actually... wait. What am I doing? I think we'll keep admin logins separate, and use LDAP for user machines only.
jj5@charity:~$ sudo pam-auth-update
[sudo] password for jj5:

Package configuration

  One or more of the files
  /etc/pam.d/common-{auth,account,password,session} have been locally
  modified. Please indicate whether these local changes should be
  overridden using the system-provided configuration. If you decline this
  option, you will need to manage your system's authentication
  configuration by hand.

  Override local changes to /etc/pam.d/common-*?

                  * <Yes>                       <No>

Package configuration

  Pluggable Authentication Modules (PAM) determine how authentication,
  authorization, and password changing are handled on the system, as well
  as allowing configuration of additional actions to take when starting
  user sessions.

  Some PAM module packages provide profiles that can be used to
  automatically adjust the behavior of all PAM-using applications on the
  system. Please indicate which of these behaviors you wish to enable.

  PAM profiles to enable:

    [ ] Kerberos authentication
    [*] Unix authentication
    [ ] LDAP Authentication

                    <Ok>                        <Cancel>
root@charity:/etc/skel# apt-get remove libpam-krb5 libnss-ldapd libsasl2-modules-gssapi-mit kstart nscd nslcd
Package configuration: Removing libnss-ldapd

  The following services are still configured to use LDAP for lookups:
    passwd, group, shadow, hosts, networks, protocols, services, ethers,
    rpc, netgroup, aliases
  but the libnss-ldapd package is about to be removed.

  You are advised to remove the entries if you don't plan on using LDAP
  for name resolution any more. Not removing ldap from nsswitch.conf
  should, for most services, not cause problems, but host name resolution
  could be affected in subtle ways.

  You can edit /etc/nsswitch.conf by hand or choose to remove the entries
  automatically now. Be sure to review the changes to /etc/nsswitch.conf
  if you choose to remove the entries now.

                                <Ok>

Package configuration: Removing libnss-ldapd

  Remove LDAP from nsswitch.conf now?

                  * <Yes>                       <No>
Reading package lists... Done Building dependency tree Reading state information... Done The following packages will be REMOVED: kstart libnss-ldapd libpam-krb5 libpam-ldapd libsasl2-modules-gssapi-mit nscd nslcd 0 upgraded, 0 newly installed, 7 to remove and 0 not upgraded. After this operation, 1,503kB disk space will be freed. Do you want to continue [Y/n]? Committing to: /etc/ modified group modified group- modified gshadow modified gshadow- modified nslcd.conf modified passwd modified passwd- modified shadow modified shadow- modified pam.d/common-account added pam.d/common-account.pam-old modified pam.d/common-auth added pam.d/common-auth.pam-old modified pam.d/common-password added pam.d/common-password.pam-old modified pam.d/common-session modified pam.d/common-session-noninteractive added pam.d/common-session-noninteractive.pam-old added pam.d/common-session.pam-old Committed revision 48. (Reading database ... 18880 files and directories currently installed.) Removing kstart ... Removing libnss-ldapd ... /etc/nsswitch.conf: disable LDAP lookups for passwd /etc/nsswitch.conf: disable LDAP lookups for group /etc/nsswitch.conf: disable LDAP lookups for shadow /etc/nsswitch.conf: disable LDAP lookups for hosts /etc/nsswitch.conf: disable LDAP lookups for networks /etc/nsswitch.conf: disable LDAP lookups for protocols /etc/nsswitch.conf: disable LDAP lookups for services /etc/nsswitch.conf: disable LDAP lookups for ethers /etc/nsswitch.conf: disable LDAP lookups for rpc /etc/nsswitch.conf: disable LDAP lookups for netgroup /etc/nsswitch.conf: disable LDAP lookups for aliases Removing libpam-krb5 ... Removing libpam-ldapd ... Removing libsasl2-modules-gssapi-mit ... Removing nscd ... * Stopping Name Service Cache Daemon nscd [ OK ] Removing nslcd ... * Stopping LDAP connection daemon nslcd [ OK ] Processing triggers for man-db ... Processing triggers for libc-bin ... ldconfig deferred processing now taking place Processing triggers for ureadahead ... 
Committing to: /etc/ modified nsswitch.conf Committed revision 49.
John 2011-08-14 21:39
Configuring slapd indexes
Per these instructions:
root@charity:/etc/ldap# vim slapd.d/cn\=config/olcDatabase\=\{1\}hdb.ldif
olcDbIndex: gidNumber eq
root@charity:/etc/ldap# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
John 2011-08-14 19:00
Configuring KDC ACLs
root@charity:/etc/krb5kdc# vim kadm5.acl
*/admin@PROGCLUB.ORG    *
jj5@PROGCLUB.ORG        *
tasaio@PROGCLUB.ORG     *
sanguinev@PROGCLUB.ORG  *
friggles@PROGCLUB.ORG   *
jedd@PROGCLUB.ORG       *
root@charity:~# /etc/init.d/krb5-admin-server restart * Restarting Kerberos administrative servers kadmind
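What the ACL above grants, with an added example that is not part of this log. A kadm5.acl line is "principal  permissions  [target_principal  [restrictions]]"; lowercase letters grant (a add, d delete, m modify, c changepw, i inquire, l list, s setkey), uppercase letters deny, and "*" (or "x") grants everything, and kadmind uses the first line whose principal pattern matches. So each of the plain user principals listed above, not only the */admin ones, can add, delete and rekey any principal in the realm. The script below parses a file in that format and reports who holds full rights; the sample ACLs are constructed, modelled on the file above, with a tightened variant that leaves the user principal only changepw, inquire and list ("cil"):

```shell
#!/bin/sh
# Added example, not part of the charity admin log: parse an MIT Kerberos
# kadm5.acl(5) file like the one above and show who holds full kadmin rights.
# Line format: principal  permissions  [target_principal  [restrictions]]
# Lowercase letters grant (a add, d delete, m modify, c changepw, i inquire,
# l list, s setkey), uppercase letters deny, and "*" (or "x") grants all.
# kadmind stops at the first line whose principal pattern matches.

# acl_match PATTERN PRINCIPAL -> 0 if PATTERN (with "*" wildcards) matches
acl_match() {
    case "$2" in $1) return 0 ;; *) return 1 ;; esac
}

# acl_full_admins FILE -> principals granted "*" or "x" with no target limit
acl_full_admins() {
    while read -r princ perms target rest; do
        case "$princ" in ''|\#*) continue ;; esac
        case "$perms" in
            *\**|*x*)
                if [ -z "$target" ] || [ "$target" = "*" ]; then
                    echo "$princ"
                fi ;;
        esac
    done < "$1"
}

# acl_can PRINCIPAL LETTER FILE -> 0 if the first matching line grants LETTER
# (target and restriction fields are ignored here; they only narrow a grant)
acl_can() {
    while read -r princ perms target rest; do
        case "$princ" in ''|\#*) continue ;; esac
        acl_match "$princ" "$1" || continue
        case "$perms" in
            *\**|*x*) return 0 ;;
            *"$2"*)   return 0 ;;
            *)        return 1 ;;
        esac
    done < "$3"
    return 1                      # no line matched: kadmind denies
}

# Constructed samples modelled on the ACL above (not the live file)
ACL_WEAK=$(mktemp); ACL_TIGHT=$(mktemp)
cat > "$ACL_WEAK" <<'EOF'
*/admin@PROGCLUB.ORG    *
jj5@PROGCLUB.ORG        *
EOF
cat > "$ACL_TIGHT" <<'EOF'
*/admin@PROGCLUB.ORG    *
jj5@PROGCLUB.ORG        cil
EOF

echo "full admins (weak):";  acl_full_admins "$ACL_WEAK"    # both lines
echo "full admins (tight):"; acl_full_admins "$ACL_TIGHT"   # only */admin
acl_can jj5@PROGCLUB.ORG a "$ACL_TIGHT" && echo "jj5 can add" || echo "jj5 cannot add"
```

The usual shape is to keep "*" for the */admin instances (which need a separate kinit and password) and give plain principals at most "cil"; a third field such as "*/admin@PROGCLUB.ORG * */svc@PROGCLUB.ORG" narrows a grant to a target pattern, which this parser reports but does not evaluate.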
John 2011-08-13 15:09
Installing ViewVC
jj5@charity:~$ release pcview "First release. Just a copy of ViewVC 1.0.12."
Releasing pcview
Checking availability of release: https://www.progclub.org/svn/pcrepo/pcview/tags/release/2011/08/13/01
Committed revision 184.
Committed revision 185.
Committed revision 186.
jj5@charity:~$ sudo -s
root@charity:~# cd /var/www
root@charity:/var/www# svn co https://www.progclub.org/svn/pcrepo/pcview/tags/latest www.progclub.org-pcview
root@charity:/var/www# vim /etc/iptables.up.rules
# Hell, allow anything from John's house
-A INPUT -s 60.240.67.126/32 -j ACCEPT
root@charity:/var/www# iptables -F
root@charity:/var/www# iptables-restore < /etc/iptables.up.rules
root@charity:/var/www# cd www.progclub.org-pcview/
root@charity:/var/www/www.progclub.org-pcview# bin/standalone.py -r /var/svn/pcrepo
bash: bin/standalone.py: Permission denied
root@charity:/var/www/www.progclub.org-pcview# cd bin
root@charity:/var/www/www.progclub.org-pcview/bin# ls
asp  cvsdbadmin       make-database  standalone.py
cgi  loginfo-handler  mod_python     svndbadmin
root@charity:/var/www/www.progclub.org-pcview/bin# ll
total 92
drwxr-xr-x 6 root root  4096 2011-08-13 05:11 ./
drwxr-xr-x 9 root root  4096 2011-08-13 05:11 ../
drwxr-xr-x 3 root root  4096 2011-08-13 05:11 asp/
drwxr-xr-x 3 root root  4096 2011-08-13 05:11 cgi/
-rw-r--r-- 1 root root  4476 2011-08-13 05:11 cvsdbadmin
-rw-r--r-- 1 root root 10476 2011-08-13 05:11 loginfo-handler
-rw-r--r-- 1 root root  4726 2011-08-13 05:11 make-database
drwxr-xr-x 3 root root  4096 2011-08-13 05:11 mod_python/
-rw-r--r-- 1 root root 26993 2011-08-13 05:11 standalone.py
drwxr-xr-x 6 root root  4096 2011-08-13 05:11 .svn/
-rw-r--r-- 1 root root 10749 2011-08-13 05:11 svndbadmin
root@charity:/var/www/www.progclub.org-pcview/bin# chmod -R a+x *
root@charity:/var/www/www.progclub.org-pcview# bin/standalone.py -r /var/svn/pcrepo
: No such file or directory
No fun!
root@charity:/var/www/www.progclub.org-pcview# chmod a+x viewvc-install
root@charity:/var/www/www.progclub.org-pcview# ./viewvc-install
: No such file or directory
Argh!
Time to ask for help.
Wait... this explains it, WinZip fucked my line endings!
jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# wget http://viewvc.tigris.org/files/documents/3330/47621/viewvc-1.0.12.tar.gz
--2011-08-13 05:53:37--  http://viewvc.tigris.org/files/documents/3330/47621/viewvc-1.0.12.tar.gz
Resolving viewvc.tigris.org... 204.16.104.146
Connecting to viewvc.tigris.org|204.16.104.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 523289 (511K) [application/x-gzip]
Saving to: `viewvc-1.0.12.tar.gz'

100%[======================================>] 523,289      528K/s   in 1.0s

2011-08-13 05:53:38 (528 KB/s) - `viewvc-1.0.12.tar.gz' saved [523289/523289]

root@charity:~# tar xvf viewvc-1.0.12.tar.gz
root@charity:~# cd /var/www
root@charity:/var/www# svn co https://www.progclub.org/svn/pcrepo/pcview/trunk www.progclub.org-pcview-dev
root@charity:/var/www# cd www.progclub.org-pcview-dev/
root@charity:/var/www/www.progclub.org-pcview-dev# ls
bin                 docs          README             viewvc.conf.dist
CHANGES             INSTALL       templates          viewvc-install
COMMITTERS          lib           templates-contrib  windows
cvsgraph.conf.dist  LICENSE.html  TODO
root@charity:/var/www/www.progclub.org-pcview-dev# cp -R ~/viewvc-1.0.12/* .
root@charity:/var/www/www.progclub.org-pcview-dev# svn ci -m "Fixed line endings for ViewVC"
root@charity:/var/www/www.progclub.org-pcview-dev# exit
exit
jj5@charity:~$ release pcview "Fixed line endings."
Releasing pcview
Checking availability of release: https://www.progclub.org/svn/pcrepo/pcview/tags/release/2011/08/13/01
Checking availability of release: https://www.progclub.org/svn/pcrepo/pcview/tags/release/2011/08/13/02
Committed revision 188.
Committed revision 189.
Committed revision 190.
jj5@charity:~$ sudo -s
root@charity:~# cd /var/www/www.progclub.org-pcview
root@charity:/var/www/www.progclub.org-pcview# update
bash: update: command not found
root@charity:/var/www/www.progclub.org-pcview# svn update
root@charity:/var/www/www.progclub.org-pcview# cd bin
root@charity:/var/www/www.progclub.org-pcview/bin# ll
total 92
drwxr-xr-x 6 root root  4096 2011-08-13 05:59 ./
drwxr-xr-x 9 root root  4096 2011-08-13 05:59 ../
drwxr-xr-x 3 root root  4096 2011-08-13 05:59 asp/
drwxr-xr-x 3 root root  4096 2011-08-13 05:59 cgi/
-rw-r--r-- 1 root root  4319 2011-08-13 05:59 cvsdbadmin
-rw-r--r-- 1 root root 10159 2011-08-13 05:59 loginfo-handler
-rw-r--r-- 1 root root  4572 2011-08-13 05:59 make-database
drwxr-xr-x 3 root root  4096 2011-08-13 05:59 mod_python/
-rw-r--r-- 1 root root 26350 2011-08-13 05:59 standalone.py
drwxr-xr-x 6 root root  4096 2011-08-13 05:59 .svn/
-rw-r--r-- 1 root root 10437 2011-08-13 05:59 svndbadmin
root@charity:/var/www/www.progclub.org-pcview/bin# chmod -R a+x *
root@charity:/var/www/www.progclub.org-pcview/bin# cd ..
root@charity:/var/www/www.progclub.org-pcview# bin/standalone.py -r /var/svn/pcrepo
server ready at http://localhost:7467/viewvc
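The failure above is worth a check before the next tarball is unpacked on a Windows box. A script whose "#!" line ends in a carriage return makes the kernel look for an interpreter named, say, "/usr/bin/python" followed by a CR, which does not exist, and the resulting error is the mangled ": No such file or directory" seen earlier; the file sizes dropping by exactly one byte per line between the two listings is the same CRs being removed. The script below is an added example, not part of this log or of ViewVC: it lists scripts under a directory whose shebang line is CR-terminated and strips the CRs in place without replacing the inode, so the mode (the chmod a+x just applied) survives. The directory is a parameter and the two files it creates are constructed for the demo:

```shell
#!/bin/sh
# Added example, not part of the charity admin log: find scripts whose "#!"
# line ends in a carriage return (a CRLF file), the cause of the
# ": No such file or directory" failure above, and fix them in place.
# The directory is a parameter; the two files at the bottom are constructed.

CR=$(printf '\r')

# crlf_scripts DIR -> regular files under DIR whose first line is a
# CR-terminated shebang, one per line, sorted
crlf_scripts() {
    find "$1" -type f | sort | while read -r f; do
        first=$(head -n 1 "$f")          # $(...) strips the LF, not the CR
        case "$first" in
            "#!"*"$CR") echo "$f" ;;
        esac
    done
}

# strip_cr FILE -> rewrite FILE without CRs.  "cat > FILE" truncates and
# refills the existing inode, so mode and ownership are preserved; a
# "mv tmp FILE" would replace it with a fresh, non-executable file.
strip_cr() {
    tmp=$(mktemp)
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# fix_tree DIR -> strip CRs from every flagged script, printing each path
fix_tree() {
    crlf_scripts "$1" | while read -r f; do
        strip_cr "$f"
        echo "$f"
    done
}

# Constructed demo tree: one CRLF script (the broken case) and one clean one
DEMO=$(mktemp -d)
printf '#!/usr/bin/python\r\nprint("hi")\r\n' > "$DEMO/standalone.py"
printf '#!/bin/sh\necho ok\n' > "$DEMO/viewvc-install"
chmod a+x "$DEMO/standalone.py" "$DEMO/viewvc-install"

echo "CRLF scripts before:"; crlf_scripts "$DEMO"   # standalone.py only
echo "fixed:";               fix_tree "$DEMO"
echo "CRLF scripts after:";  crlf_scripts "$DEMO"   # nothing
```

Run `crlf_scripts /var/www/www.progclub.org-pcview` after an svn update to catch a repeat; `file` also reports "with CRLF line terminators" for individual scripts, but it does not tell you which ones have an executable bit to lose.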
root@charity:/var/www/www.progclub.org-pcview# chmod a+x viewvc-install
root@charity:/var/www/www.progclub.org-pcview# ./viewvc-install
This is the ViewVC 1.0.12 installer.

It will allow you to choose the install path for ViewVC.  You will now
be asked some installation questions.  Defaults are given in square brackets.
Just hit [Enter] if a default is okay.

Installation path [/usr/local/viewvc-1.0.12]:
DESTDIR path (generally only used by package maintainers) []:
...
ViewVC file installation complete.

Consult the INSTALL document for detailed information on completing the
installation and configuration of ViewVC on your system.  Here's a brief
overview of the remaining steps:

  1) Edit the /usr/local/viewvc-1.0.12/viewvc.conf file.

  2) Either configure an existing web server to run
     /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi.

     Or, copy /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi to an
     already-configured cgi-bin directory.

     Or, use the standalone server provided by this distribution at
     /usr/local/viewvc-1.0.12/bin/standalone.py.
root@charity:/var/www/www.progclub.org-pcview# cd /usr/local/viewvc-1.0.12/
root@charity:/usr/local/viewvc-1.0.12# ls
bin            cvsgraph.conf.dist  templates          viewvc.conf
cvsgraph.conf  lib                 templates-contrib  viewvc.conf.dist
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
root@charity:/usr/local/viewvc-1.0.12# cd /etc/apache2/sites-available/
root@charity:/etc/apache2/sites-available# vim default
ScriptAlias /pcview-view /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
ScriptAlias /pcview-query /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
root@charity:/etc/apache2/sites-available# apache2ctl graceful
GET: http://www.progclub.org/pcview-view
An Exception Has Occurred

Python Traceback

Traceback (most recent call last):
  File "/usr/local/viewvc-1.0.12/lib/viewvc.py", line 3761, in main
    request.run_viewvc()
  File "/usr/local/viewvc-1.0.12/lib/viewvc.py", line 258, in run_viewvc
    import vclib.svn
  File "/usr/local/viewvc-1.0.12/lib/vclib/svn/__init__.py", line 27, in <module>
    from svn import fs, repos, core, delta
ImportError: No module named svn
Google that.
What causes "Error: ImportError: No module named svn"? ViewVC uses Subversion's Python bindings to interact with and pull information out of your Subversion repositories. These bindings are not, however, generally provided as part of the ViewVC distribution — you have to install them yourself some other way. (For more information, contact the Subversion community.) The error you see is Python being asked to import the Subversion Python bindings and being unable to do so, typically because the bindings modules aren't found in the Python library search path.
Not very helpful dear.
root@charity:/usr/local/viewvc-1.0.12# apt-cache search python svn
python-svn - A(nother) Python interface to Subversion
python-svn-dbg - A(nother) Python interface to Subversion (debug extension)
python-rope - Python refactoring library
svn-workbench - A Workbench for Subversion
bzr - easy to use distributed version control system
bzr-doc - easy to use distributed version control system (documentation)
python-subversion - Python bindings for Subversion
python-subversion-dbg - Python bindings for Subversion (debug extension)
root@charity:/usr/local/viewvc-1.0.12# apt-get install python-subversion
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  python-subversion-dbg
The following NEW packages will be installed:
  python-subversion
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 755kB of archives.
After this operation, 3,449kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main python-subversion 1.6.6dfsg-2ubuntu1.3 [755kB]
Fetched 755kB in 1s (525kB/s)
Committing to: /etc/
modified iptables.up.rules
modified apache2/sites-available/default
Committed revision 41.
Selecting previously deselected package python-subversion.
(Reading database ... 18330 files and directories currently installed.)
Unpacking python-subversion (from .../python-subversion_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Setting up python-subversion (1.6.6dfsg-2ubuntu1.3) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Processing triggers for python-support ...
root@charity:/usr/local/viewvc-1.0.12#
GET: http://www.progclub.org/pcview-view
Works!
Just tidy that up a bit:
root@charity:/usr/local/viewvc-1.0.12# vim /etc/apache2/sites-available/default
ScriptAlias /pcview /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
ScriptAlias /pcview-query /usr/local/viewvc-1.0.12/bin/cgi/query.cgi
root@charity:/usr/local/viewvc-1.0.12# apache2ctl graceful
Actually,
ScriptAlias /pcrepo /usr/local/viewvc-1.0.12/bin/cgi/viewvc.cgi
#ScriptAlias /pcview-query /usr/local/viewvc-1.0.12/bin/cgi/query.cgi
So that's: http://www.progclub.org/pcrepo
jj5@charity:~$ sudo -s
root@charity:~# cd /var/www/www.progclub.org
root@charity:/var/www/www.progclub.org# vim robots.txt
Disallow: /pcrepo/
That ought to do it. Wait...
root@charity:~# apt-cache search enscript
enscript - converts text to Postscript, HTML or RTF with syntax highlighting
root@charity:~# apt-get install enscript
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libpaper-utils libpaper1
Suggested packages:
  gv postscript-viewer lpr
The following NEW packages will be installed:
  enscript libpaper-utils libpaper1
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 482kB of archives.
After this operation, 2,707kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libpaper1 1.1.23+nmu1build1 [21.2kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main enscript 1.6.5-1 [442kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid/main libpaper-utils 1.1.23+nmu1build1 [18.3kB]
Fetched 482kB in 1s (372kB/s)
Committing to: /etc/
modified apache2/sites-available/default
Committed revision 42.
Preconfiguring packages ...
Selecting previously deselected package libpaper1.
(Reading database ... 18382 files and directories currently installed.)
Unpacking libpaper1 (from .../libpaper1_1.1.23+nmu1build1_amd64.deb) ...
Selecting previously deselected package enscript.
Unpacking enscript (from .../enscript_1.6.5-1_amd64.deb) ...
Selecting previously deselected package libpaper-utils.
Unpacking libpaper-utils (from .../libpaper-utils_1.1.23+nmu1build1_amd64.deb) ...
Processing triggers for man-db ...
Setting up libpaper1 (1.1.23+nmu1build1) ...
Creating config file /etc/papersize with new version
Setting up enscript (1.6.5-1) ...
Setting up libpaper-utils (1.1.23+nmu1build1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added enscript.cfg
added libpaper.d
added papersize
Committed revision 43.
root@charity:~# cd /usr/local/viewvc-1.0.12/
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
# should we use 'enscript' for syntax coloring?
use_enscript = 1
root@charity:/usr/local/viewvc-1.0.12# locate enscript
bash: locate: command not found
root@charity:/usr/local/viewvc-1.0.12# whereis enscript
enscript: /usr/bin/enscript /etc/enscript.cfg /usr/share/enscript /usr/share/man/man1/enscript.1.gz
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
#
# if the enscript program is not on the path, set this value
#
#enscript_path =
enscript_path = /usr/bin/
root@charity:/usr/local/viewvc-1.0.12# apt-cache search syntax highlight | grep highlight
root@charity:/usr/local/viewvc-1.0.12# apt-get install highlight
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  highlight-common
The following NEW packages will be installed:
  highlight highlight-common
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 490kB of archives.
After this operation, 1,864kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe highlight-common 2.12-1 [196kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe highlight 2.12-1 [294kB]
Fetched 490kB in 1s (394kB/s)
Selecting previously deselected package highlight-common.
(Reading database ... 18593 files and directories currently installed.)
Unpacking highlight-common (from .../highlight-common_2.12-1_all.deb) ...
Selecting previously deselected package highlight.
Unpacking highlight (from .../highlight_2.12-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up highlight-common (2.12-1) ...
Setting up highlight (2.12-1) ...
Committing to: /etc/
added highlight
added highlight/filetypes.conf
Committed revision 44.
root@charity:/usr/local/viewvc-1.0.12# vim viewvc.conf
# should we use 'enscript' for syntax coloring?
use_enscript = 0
...
# should we use 'highlight' for syntax coloring?
# NOTE: use_enscript has to be 0 or enscript will be used instead
use_highlight = 1
John 2011-08-12 15:53
Installing bc
jj5@charity:~/bin$ sudo apt-get install bc
[sudo] password for jj5:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  bc
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 112kB of archives.
After this operation, 328kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main bc 1.06.95-2 [112kB]
Fetched 112kB in 0s (115kB/s)
Selecting previously deselected package bc.
(Reading database ... 18313 files and directories currently installed.)
Unpacking bc (from .../bc_1.06.95-2_amd64.deb) ...
Processing triggers for man-db ...
Setting up bc (1.06.95-2) ...
John 2011-08-09 20:05
Configuring Pcldap project
root@charity:/var/www/www.progclub.org/# svn co https://www.progclub.org/svn/pcrepo/pcldap/trunk pcldap
root@charity:/var/www/www.progclub.org/# svn co https://www.progclub.org/svn/pcrepo/pcldap/trunk pcldap-dev
root@charity:/var/www/www.progclub.org# cd pcldap
root@charity:/var/www/www.progclub.org/pcldap# ls
config  hooks   index.php  lib      locale   templates  VERSION
doc     htdocs  INSTALL    LICENSE  queries  tools
root@charity:/var/www/www.progclub.org/pcldap# cd config/
root@charity:/var/www/www.progclub.org/pcldap/config# ls
config.php.example
root@charity:/var/www/www.progclub.org/pcldap/config# cp config.php.example config.php
root@charity:/var/www/www.progclub.org/pcldap/config# apt-get install php5-ldap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  php5-ldap
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 19.9kB of archives.
After this operation, 115kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-ldap 5.3.2-1ubuntu4.9 [19.9kB]
Fetched 19.9kB in 0s (37.0kB/s)
Committing to: /etc/
modified network/interfaces
added network/interfaces2011-08-09_01:48
Committed revision 39.
Selecting previously deselected package php5-ldap.
(Reading database ... 18310 files and directories currently installed.)
Unpacking php5-ldap (from .../php5-ldap_5.3.2-1ubuntu4.9_amd64.deb) ...
Processing triggers for libapache2-mod-php5 ...
 * Reloading web server config apache2                                   [ OK ]
Setting up php5-ldap (5.3.2-1ubuntu4.9) ...
Committing to: /etc/
added php5/conf.d/ldap.ini
Committed revision 40.
root@charity:/var/www/www.progclub.org/pcldap/config# apache2ctl graceful
John 2011-08-08 16:43
Updating robots.txt file for pcwiki
Added the following to /var/www/www.progclub.org/robots.txt
Disallow: /pcwiki/
John 2011-08-06 15:30
Installing OpenLDAP
Following these instructions. Oh, no, wait. These instructions.
jj5@charity:~$ sudo apt-get install slapd ldap-utils
[sudo] password for jj5:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libdb4.7 libltdl7 libperl5.10 libslp1 odbcinst odbcinst1debian1 unixodbc
Suggested packages:
  slpd openslp-doc libmyodbc odbc-postgresql tdsodbc unixodbc-bin
The following NEW packages will be installed:
  ldap-utils libdb4.7 libltdl7 libperl5.10 libslp1 odbcinst odbcinst1debian1 slapd unixodbc
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,302kB of archives.
After this operation, 8,253kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libdb4.7 4.7.25-9 [653kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main libltdl7 2.2.6b-2ubuntu1 [296kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libperl5.10 5.10.1-8ubuntu2.1 [1,202B]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libslp1 1.2.1-7.6ubuntu0.1 [54.5kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main odbcinst 2.2.11-21 [35.5kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid/main odbcinst1debian1 2.2.11-21 [66.6kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid/main unixodbc 2.2.11-21 [209kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/main slapd 2.4.21-0ubuntu5.5 [1,637kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid-updates/main ldap-utils 2.4.21-0ubuntu5.5 [348kB]
Fetched 3,302kB in 2s (1,595kB/s)
Committing to: /etc/
modified shadow
Committed revision 35.
Preconfiguring packages ...
Selecting previously deselected package libdb4.7.
(Reading database ... 17937 files and directories currently installed.)
Unpacking libdb4.7 (from .../libdb4.7_4.7.25-9_amd64.deb) ...
Selecting previously deselected package libltdl7.
Unpacking libltdl7 (from .../libltdl7_2.2.6b-2ubuntu1_amd64.deb) ...
Selecting previously deselected package libperl5.10.
Unpacking libperl5.10 (from .../libperl5.10_5.10.1-8ubuntu2.1_amd64.deb) ...
Selecting previously deselected package libslp1.
Unpacking libslp1 (from .../libslp1_1.2.1-7.6ubuntu0.1_amd64.deb) ...
Selecting previously deselected package odbcinst.
Unpacking odbcinst (from .../odbcinst_2.2.11-21_amd64.deb) ...
Selecting previously deselected package odbcinst1debian1.
Unpacking odbcinst1debian1 (from .../odbcinst1debian1_2.2.11-21_amd64.deb) ...
Selecting previously deselected package unixodbc.
Unpacking unixodbc (from .../unixodbc_2.2.11-21_amd64.deb) ...
Selecting previously deselected package slapd.
Unpacking slapd (from .../slapd_2.4.21-0ubuntu5.5_amd64.deb) ...
Selecting previously deselected package ldap-utils.
Unpacking ldap-utils (from .../ldap-utils_2.4.21-0ubuntu5.5_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libdb4.7 (4.7.25-9) ...
Setting up libltdl7 (2.2.6b-2ubuntu1) ...
Setting up libperl5.10 (5.10.1-8ubuntu2.1) ...
Setting up libslp1 (1.2.1-7.6ubuntu0.1) ...
Setting up ldap-utils (2.4.21-0ubuntu5.5) ...
Setting up odbcinst (2.2.11-21) ...
Setting up odbcinst1debian1 (2.2.11-21) ...
Setting up unixodbc (2.2.11-21) ...
Setting up slapd (2.4.21-0ubuntu5.5) ...
  Creating new user openldap... done.
  Creating initial slapd configuration... done.
Starting OpenLDAP: slapd.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added ODBCDataSources
modified group
modified group-
modified gshadow
modified gshadow-
added odbc.ini
modified passwd
modified passwd-
modified shadow
modified shadow-
added apparmor.d/usr.sbin.slapd
added default/slapd
added init.d/slapd
added ldap/sasl2
added ldap/schema
added ldap/slapd.d
added ldap/schema/README
added ldap/schema/collective.schema
added ldap/schema/corba.schema
added ldap/schema/core.ldif
added ldap/schema/core.schema
added ldap/schema/cosine.ldif
added ldap/schema/cosine.schema
added ldap/schema/duaconf.schema
added ldap/schema/dyngroup.schema
added ldap/schema/inetorgperson.ldif
added ldap/schema/inetorgperson.schema
added ldap/schema/java.schema
added ldap/schema/ldapns.schema
added ldap/schema/misc.ldif
added ldap/schema/misc.schema
added ldap/schema/nis.ldif
added ldap/schema/nis.schema
added ldap/schema/openldap.ldif
added ldap/schema/openldap.schema
added ldap/schema/pmi.schema
added ldap/schema/ppolicy.schema
added ldap/slapd.d/cn=config
added ldap/slapd.d/cn=config.ldif
added ldap/slapd.d/cn=config/cn=schema
added ldap/slapd.d/cn=config/cn=schema.ldif
added ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
added ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={0}core.ldif
added rc0.d/K80slapd
added rc1.d/K80slapd
added rc2.d/S19slapd
added rc3.d/S19slapd
added rc4.d/S19slapd
added rc5.d/S19slapd
added rc6.d/K80slapd
Committed revision 36.
jj5@charity:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

jj5@charity:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

jj5@charity:~$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
root@charity:~# cd /etc/ldap
root@charity:/etc/ldap# ls
ldap.conf  sasl2  schema  slapd.d
root@charity:/etc/ldap# vim backend.progclub.org.ldif
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=progclub,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=progclub,dc=org
olcRootPW: <secret>
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=progclub,dc=org" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=progclub,dc=org" write by * read
root@charity:/etc/ldap# sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.progclub.org.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"
adding new entry "olcDatabase=hdb,cn=config"
root@charity:/etc/ldap# vim frontend.progclub.org.ldif
# Create top-level object in domain
dn: dc=progclub,dc=org
objectClass: top
objectClass: dcObject
objectclass: organization
o: ProgClub
dc: ProgClub
description: ProgClub

# Admin user.
dn: cn=admin,dc=progclub,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: <secret>

dn: ou=people,dc=progclub,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=progclub,dc=org
objectClass: organizationalUnit
ou: groups

dn: uid=jj5,ou=people,dc=progclub,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jj5
sn: Elliot
givenName: John
cn: John Elliot
displayName: John Elliot
uidNumber: 1000
gidNumber: 10000
userPassword: <secret>
gecos: John Elliot
loginShell: /bin/bash
homeDirectory: /home/jj5
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: jj5@jj5.net
postalCode: 2774
#l:
#o:
mobile: +61 4 3505 7839
homePhone: +61 4 4739 2150
title: ProgClub Founder
postalAddress:
initials: JE

dn: cn=administrators,ou=groups,dc=progclub,dc=org
objectClass: posixGroup
cn: administrators
gidNumber: 10000
root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif
Enter LDAP Password:
adding new entry "dc=progclub,dc=org"
adding new entry "cn=admin,dc=progclub,dc=org"
adding new entry "ou=people,dc=progclub,dc=org"
adding new entry "ou=groups,dc=progclub,dc=org"
adding new entry "uid=jj5,ou=people,dc=progclub,dc=org"
ldap_add: Invalid syntax (21)
        additional info: l: value #0 invalid per syntax
root@charity:/etc/ldap# vim frontend.progclub.org.ldif
root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif
Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disallowed
root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif
Enter LDAP Password:
adding new entry "dc=progclub,dc=org"
ldap_add: Already exists (68)
Had to fix up a mistake; created frontend.progclub.org.ldif.end with the data that hadn't made it into LDAP.
root@charity:/etc/ldap# sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f frontend.progclub.org.ldif.end
Enter LDAP Password:
adding new entry "uid=jj5,ou=people,dc=progclub,dc=org"
adding new entry "cn=administrators,ou=groups,dc=progclub,dc=org"
root@charity:/etc/ldap# ldapsearch -xLLL -b "dc=progclub,dc=org" uid=jj5 sn givenName cn
dn: uid=jj5,ou=people,dc=progclub,dc=org
sn: Elliot
givenName: John
cn: John Elliot
Works!
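Both failures in the load above (the empty "l:" value that slapd rejected with Invalid syntax (21), then the "Already exists (68)" from re-running a half-applied file) are cheap to catch before ldapadd ever connects. The following LDIF pre-flight checker is an added example, not code from this wiki or from the OpenLDAP tools; SAMPLE_LDIF and the "already loaded" DN list in demo() are constructed for it and only modelled on the entries above.

```python
"""LDIF pre-flight checker (added example, not from the ProgClub wiki or
from the OpenLDAP tools).

Catches, before ldapadd runs, the two things that went wrong above: an
attribute line with an empty value ("l: value #0 invalid per syntax") and,
after a partial load, a DN already in the directory ("Already exists (68)").
SAMPLE_LDIF and the already-loaded DN list in demo() are constructed.
"""
import base64
import re

# attribute name, ':' or '::' (base64), optional single space, value
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?)\s?(.*)$")

SAMPLE_LDIF = """\
# constructed sample modelled on the frontend LDIF above
dn: dc=progclub,dc=org
objectClass: top
objectClass: dcObject
objectclass: organization
o: ProgClub
dc: ProgClub

dn: uid=jj5,ou=people,dc=progclub,dc=org
objectClass: inetOrgPerson
uid: jj5
sn: Elliot
cn: John Elliot
l:
postalAddress:
description:: Sm9obiBFbGxpb3Q=

dn: cn=administrators,ou=groups,dc=progclub,dc=org
objectClass: posixGroup
cn: administrators
gidNumber: 10000
"""


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...]; dn is None if a record has no dn line.

    Handles '#' comments, blank-line record separators, folded lines (a
    continuation line starts with one space) and '::' base64 values.
    The ':<' URL form is not handled and is reported as unparsable.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)

    records, current = [], []
    for line in lines + [""]:             # the trailing "" flushes the last record
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if m is None:
            current.append(("<unparsable>", line))
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            try:
                value = base64.b64decode(value).decode("utf-8", "replace")
            except ValueError:            # binascii.Error is a ValueError
                current.append(("<unparsable>", line))
                continue
        current.append((attr, value))

    result = []
    for rec in records:
        if rec[0][0].lower() == "dn":
            result.append((rec[0][1].strip(), rec[1:]))
        else:
            result.append((None, rec))
    return result


def check_ldif(text, existing_dns=()):
    """Return human-readable findings; an empty list means ldapadd should get through."""
    findings = []
    existing = {dn.lower() for dn in existing_dns}
    seen = set()
    for number, (dn, attrs) in enumerate(parse_ldif(text), start=1):
        if dn is None:
            findings.append("record %d: does not start with a dn: line" % number)
            continue
        key = dn.lower()
        if key in seen:
            findings.append("%s: listed twice in this file" % dn)
        seen.add(key)
        if key in existing:
            findings.append("%s: already in the directory, ldapadd would stop with 'Already exists (68)'" % dn)
        for attr, value in attrs:
            if attr == "<unparsable>":
                findings.append("%s: cannot parse line %r" % (dn, value))
            elif value == "":
                findings.append("%s: %s has an empty value, slapd would reject it with 'Invalid syntax (21)'" % (dn, attr))
    return findings


def demo():
    """Check the sample against an empty directory, then after the base entry was already loaded."""
    return check_ldif(SAMPLE_LDIF), check_ldif(SAMPLE_LDIF, ["dc=progclub,dc=org"])
```

The second run of demo() shows why the "Already exists" error matters: ldapadd stops at the first failure, so a partial load leaves every later entry unapplied, which is exactly how the .ldif.end file above came about. Feeding the DNs already present (from an ldapsearch) into existing_dns lets the checker tell you which records still need to go in.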
friggles@charity:/etc/ldap$ sudo ldapadd -x -D cn=admin,dc=progclub,dc=org -W -f friggles.ldif
Enter LDAP Password:
adding new entry "uid=friggles,ou=people,dc=progclub,dc=org"
jj5@charity:~$ sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
[sudo] password for jj5:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}hdb,cn=config

jj5@charity:~$ sudo ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uidNumber eq

modifying entry "olcDatabase={1}hdb,cn=config"

^+D
root@charity:/etc/ldap# vim uid_index.ldif
root@charity:/etc/ldap# cat uid_index.ldif
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uid eq,pres,sub
root@charity:/etc/ldap# ldapmodify -Y EXTERNAL -H ldapi:/// -f uid_index.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
root@charity:/etc/ldap# vim schema_convert.conf
root@charity:/etc/ldap# cat schema_convert.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
root@charity:/etc/ldap# mkdir /tmp/ldif_output
root@charity:/etc/ldap# slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={5}dyngroup,cn=schema,cn=config" > /tmp/cn=dyngroup.ldif
root@charity:/etc/ldap# slapcat -f schema_convert.conf -F /tmp/ldif_output -n 0 | grep dyngroup
dn: cn={5}dyngroup,cn=schema,cn=config
cn: {5}dyngroup
root@charity:/etc/ldap# vim /tmp/cn\=dyngroup.ldif
dn: cn=dyngroup,cn=schema,cn=config
...
cn: dyngroup
root@charity:/etc/ldap# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=dyngroup.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=dyngroup,cn=schema,cn=config"
root@charity:/etc/ldap# ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase=config olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break

root@charity:/etc/ldap# ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config olcDatabase={1}hdb olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=progclub,dc=org" write by anonymous auth by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by dn="cn=admin,dc=progclub,dc=org" write by * read
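The four olcAccess values above are evaluated top to bottom, first matching "to" clause wins, first matching "by" clause inside it sets the privilege level. Working that through by hand is error-prone, so here is a small evaluator as an added example; it is not part of this wiki or of OpenLDAP, it models only the selectors these four rules use (plus "users"), treats dn="..." as an exact match, and ignores regex styles, break/continue and privilege modifiers. The subject DNs (ADMIN, JJ5, FRIGGLES) are constructed from the entries created earlier.

```python
"""Simplified OpenLDAP olcAccess evaluator (added example, not from the
ProgClub wiki or from OpenLDAP itself).

Rules are tried in order; the first <to> clause matching the target is
used, and within it the first matching <by> clause sets the privilege
level. A matching <to> clause with no matching <by> grants nothing.
Only '*', 'attrs=...', 'dn.base=""', 'anonymous', 'users', 'self' and an
exact 'dn=...' match are supported; this is a deliberate simplification.
"""
import re
import shlex

# slapd privilege levels, weakest first; a level implies every level below it
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# the four rules the ldapsearch above shows on olcDatabase={1}hdb
PAGE_ACL = [
    '{0}to attrs=userPassword by dn="cn=admin,dc=progclub,dc=org" write by anonymous auth by self write by * none',
    '{1}to attrs=shadowLastChange by self write by * read',
    '{2}to dn.base="" by * read',
    '{3}to * by dn="cn=admin,dc=progclub,dc=org" write by * read',
]

# constructed subject DNs modelled on the entries created above
ADMIN = "cn=admin,dc=progclub,dc=org"
JJ5 = "uid=jj5,ou=people,dc=progclub,dc=org"
FRIGGLES = "uid=friggles,ou=people,dc=progclub,dc=org"


def parse_access(directive):
    """Split one olcAccess value into (what, [(who, level), ...])."""
    body = re.sub(r"^\{\d+\}", "", directive.strip())   # drop the {n} ordering prefix
    tokens = shlex.split(body)                           # unquotes dn="..." values
    if len(tokens) < 2 or tokens[0] != "to":
        raise ValueError("not an access directive: %r" % directive)
    what, clauses, i = tokens[1], [], 2
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens) or tokens[i + 2] not in LEVELS:
            raise ValueError("malformed <by> clause in %r" % directive)
        clauses.append((tokens[i + 1], tokens[i + 2]))
        i += 3
    return what, clauses


def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.lower() for a in what[6:].split(",")]
    if what.startswith("dn.base="):
        return entry_dn.lower() == what[8:].lower()
    raise ValueError("unsupported <what> selector: %r" % what)


def who_matches(who, bound_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return not bound_dn
    if who == "users":
        return bool(bound_dn)
    if who == "self":
        return bool(bound_dn) and bound_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bool(bound_dn) and bound_dn.lower() == who[3:].lower()
    raise ValueError("unsupported <who> selector: %r" % who)


def access_level(directives, bound_dn, entry_dn, attr):
    """Privilege level bound_dn (None for anonymous) gets on attr of entry_dn."""
    for what, clauses in (parse_access(d) for d in directives):
        if not what_matches(what, entry_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bound_dn, entry_dn):
                return level
        return "none"      # matching <to> clause, no matching <by>: implicit 'by * none'
    return "none"          # no rule matched at all


def allowed(directives, bound_dn, entry_dn, attr, needed):
    return LEVELS.index(access_level(directives, bound_dn, entry_dn, attr)) >= LEVELS.index(needed)


def anonymous_readable(directives, entry_dn, attrs):
    """Which of attrs an unauthenticated client may read on entry_dn."""
    return [a for a in attrs if allowed(directives, None, entry_dn, a, "read")]
```

Running anonymous_readable(PAGE_ACL, JJ5, [...]) over the attributes in the jj5 entry is the quick way to see what this ACL publishes: userPassword is held back (anonymous only gets "auth", enough to bind but not to read), while everything the catch-all rule {3} covers, including mail, mobile and homePhone, is readable without binding.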
root@charity:/etc/ldap# apt-get install gnutls-bin
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  gnutls-bin
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 144kB of archives.
After this operation, 549kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe gnutls-bin 2.8.5-2 [144kB]
Fetched 144kB in 1s (142kB/s)
Committing to: /etc/
modified .etckeeper
added ldap/backend.progclub.org.ldif
added ldap/friggles.ldif
added ldap/frontend.progclub.org.ldif
added ldap/frontend.progclub.org.ldif.end
added ldap/schema_convert.conf
added ldap/uid_index.ldif
added ldap/slapd.d/cn=config/cn=module{0}.ldif
added ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={3}inetorgperson.ldif
added ldap/slapd.d/cn=config/cn=schema/cn={4}dyngroup.ldif
Committed revision 37.
Selecting previously deselected package gnutls-bin.
(Reading database ... 18289 files and directories currently installed.)
Unpacking gnutls-bin (from .../gnutls-bin_2.8.5-2_amd64.deb) ...
Processing triggers for man-db ...
Setting up gnutls-bin (2.8.5-2) ...
root@charity:/etc/ldap# sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
Generating a 2048 bit RSA private key...
root@charity:/etc/ldap# vim /etc/ssl/ca.info
root@charity:/etc/ldap# cat /etc/ssl/ca.info
cn = ProgClub
ca
cert_signing_key
root@charity:/etc/ldap# certtool --generate-self-signed --load-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/ca.info --outfile /etc/ssl/certs/cacert.pem
Generating a self signed certificate...
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 4e3ce51d
        Validity:
                Not Before: Sat Aug 06 06:54:21 UTC 2011
                Not After: Sun Aug 05 06:54:21 UTC 2012
        Subject: CN=ProgClub
        Subject Public Key Algorithm: RSA
                Modulus (bits 2048):
                        b6:b1:59:be:2c:5c:3b:81:6c:6e:d1:e6:0e:98:92:20
                        cd:b5:a4:4d:f9:9c:b5:7d:ee:54:85:f1:fd:76:09:c2
                        06:5d:55:98:13:a2:d3:19:c2:d1:a2:84:d0:8a:93:9c
                        77:50:3b:52:89:c4:8c:97:65:d9:3e:67:44:b1:8a:d7
                        75:2c:5b:0c:92:50:9b:4d:2e:08:08:4e:8a:39:1f:c7
                        ce:d5:30:6e:c1:ff:51:80:f0:00:ee:f2:e6:9d:3f:f4
                        88:41:f9:54:f1:6d:4c:9e:3f:a2:24:9e:73:5f:bf:63
                        50:37:0b:df:17:b1:a3:1a:27:07:4e:5e:df:5a:d7:96
                        62:7c:68:c4:21:ab:f2:2c:f5:af:27:f8:ba:bd:6a:5f
                        07:a3:14:b2:99:97:cb:75:fa:f5:e5:da:de:37:61:bd
                        2a:fb:a9:10:4a:a9:1a:d8:b3:8d:d8:a6:d3:90:6d:c0
                        35:5a:6e:d7:01:5c:73:d3:b7:6e:3c:e0:21:d9:58:55
                        05:e5:d1:3b:4c:43:96:52:d0:80:a5:55:36:82:3f:d5
                        11:10:71:66:4d:75:32:56:dc:f3:d0:05:b9:de:f3:bf
                        29:52:30:a1:87:66:e2:6a:56:24:61:5c:48:6c:43:10
                        cc:80:e2:5a:45:56:c0:ac:a0:a6:0c:9b:d1:84:a9:a9
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): TRUE
                Key Usage (critical):
                        Certificate signing.
                Subject Key Identifier (not critical):
                        d433db6e317b06dcd2eba88b7954afcaef1d2e18
Other Information:
        Public Key Id:
                d433db6e317b06dcd2eba88b7954afcaef1d2e18

Signing certificate...
root@charity:/etc/ldap# sh -c "certtool --generate-privkey > /etc/ssl/private/charity_slapd_key.pem"
Generating a 2048 bit RSA private key...
root@charity:/etc/ldap# vim /etc/ssl/charity.info
root@charity:/etc/ldap# cat /etc/ssl/charity.info
organization = ProgClub
cn = charity.progclub.org
tls_www_server
encryption_key
signing_key
root@charity:/etc/ldap# certtool --generate-certificate --load-privkey /etc/ssl/private/charity_slapd_key.pem --load-ca-certificate /etc/ssl/certs/cacert.pem --load-ca-privkey /etc/ssl/private/cakey.pem --template /etc/ssl/charity.info --outfile /etc/ssl/certs/charity_slapd_cert.pem
Generating a signed certificate...
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 4e3ce62a
        Validity:
                Not Before: Sat Aug 06 06:58:50 UTC 2011
                Not After: Sun Aug 05 06:58:50 UTC 2012
        Subject: O=ProgClub,CN=charity.progclub.org
        Subject Public Key Algorithm: RSA
                Modulus (bits 2048):
                        cd:05:34:13:ac:58:0b:f7:bf:08:df:30:48:66:38:9c
                        93:a0:d9:92:ca:67:db:a9:5b:fb:57:02:b1:f9:fa:b8
                        74:5f:b0:37:f8:3b:c2:6d:17:39:1f:53:cc:cd:35:e0
                        64:11:e3:05:6c:17:5e:a4:bb:11:ae:75:bf:e9:f5:39
                        0d:be:92:98:fc:15:88:15:ff:62:db:74:49:bc:6f:7b
                        b4:07:59:44:ef:4d:7c:30:b8:68:46:75:7d:20:a6:70
                        3e:0f:ca:c6:2e:77:e0:a9:08:2d:25:64:69:9a:42:ef
                        92:7e:86:88:20:fa:4e:38:58:43:59:1d:54:80:15:e9
                        d1:00:ff:21:63:2c:10:a8:86:27:04:84:f6:5f:f2:7b
                        9e:df:9b:47:27:af:3d:2f:22:b2:79:f3:c5:89:61:38
                        38:26:19:40:2e:fe:cc:da:b8:78:82:4e:4e:fe:ac:ee
                        b4:c5:8b:72:14:92:96:0f:95:33:b3:8c:5f:84:ec:49
                        84:9a:ff:24:ff:7b:62:ab:91:e2:df:76:f7:0b:33:4a
                        69:6c:e7:f4:65:4a:da:2e:04:e0:b2:ce:4d:a9:48:59
                        38:28:08:e1:23:41:05:25:c6:71:76:5e:91:d7:c9:fd
                        53:4d:54:36:56:73:d8:1b:a1:90:12:43:90:3b:41:5f
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Purpose (not critical):
                        TLS WWW Server.
                Key Usage (critical):
                        Digital signature.
                        Key encipherment.
                Subject Key Identifier (not critical):
                        92543d9cae79eaeb4d0e1f0484a24527ec6d8bd4
                Authority Key Identifier (not critical):
                        d433db6e317b06dcd2eba88b7954afcaef1d2e18
Other Information:
        Public Key Id:
                92543d9cae79eaeb4d0e1f0484a24527ec6d8bd4

Signing certificate...
root@charity:/etc/ldap# ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/charity_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/charity_slapd_key.pem

modifying entry "cn=config"

^+D
root@charity:/etc/ldap# vim /etc/default/slapd
#SLAPD_SERVICES="ldap:/// ldapi:///"
SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
root@charity:/etc/ldap# adduser openldap ssl-cert
Adding user `openldap' to group `ssl-cert' ...
Adding user openldap to group ssl-cert
Done.
root@charity:/etc/ldap# chgrp ssl-cert /etc/ssl/private/charity_slapd_key.pem
root@charity:/etc/ldap# chmod g+r /etc/ssl/private/charity_slapd_key.pem
root@charity:/etc/ldap# /etc/init.d/slapd restart
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.
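The chgrp ssl-cert plus chmod g+r step is the whole reason slapd can read the key without the key becoming readable by everyone, and it is the step most easily undone by a later "fix" or a careless shell redirect. The audit below is an added example, not code from this wiki; it checks the state those two commands are meant to produce (root-owned, readable by one service group only, no world access, a PEM private-key header). demo() exercises it on a throwaway file with a constructed placeholder body, passing the file's own owner and group as the expected ones because a test machine has no ssl-cert group.

```python
"""Private-key permission audit (added example, not part of the ProgClub log).

audit_private_key() checks what the chgrp ssl-cert / chmod g+r step above
is meant to leave behind. demo() runs it on a temporary file whose body is
a constructed placeholder, not a real key; only the PEM header matters.
"""
import grp
import os
import pwd
import stat
import tempfile


def _owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:               # uid with no passwd entry (containers, NFS)
        return str(uid)


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_private_key(path, expected_owner="root", service_group="ssl-cert"):
    """Return a list of findings; an empty list means the key is locked down."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & 0o007:
        findings.append("world-accessible (mode %04o)" % mode)
    if mode & 0o030:
        findings.append("group can write or execute (mode %04o)" % mode)
    owner = _owner_name(st.st_uid)
    if owner != expected_owner:
        findings.append("owned by %s, expected %s" % (owner, expected_owner))
    group = _group_name(st.st_gid)
    if mode & 0o040 and group != service_group:
        findings.append("group-readable by %s, expected only %s" % (group, service_group))
    with open(path, "rb") as fh:
        first_line = fh.readline()
    if b"PRIVATE KEY-----" not in first_line:
        findings.append("first line is not a PEM private-key header")
    return findings


def demo():
    """Audit one constructed key file at mode 0644, then at 0640.

    Returns (findings_at_0644, findings_at_0640). The file's own owner and
    group are passed as the expected ones, since there is no ssl-cert group here.
    """
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        # constructed placeholder body, not a real key
        os.write(fd, b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
        os.close(fd)
        st = os.stat(path)
        me, my_group = _owner_name(st.st_uid), _group_name(st.st_gid)
        os.chmod(path, 0o644)      # what an unguarded shell redirect under a 022 umask leaves
        loose = audit_private_key(path, me, my_group)
        os.chmod(path, 0o640)      # what chgrp <group> + chmod g+r on a 0600 file yields
        tight = audit_private_key(path, me, my_group)
        return loose, tight
    finally:
        os.unlink(path)
```

On the server itself the call would be audit_private_key("/etc/ssl/private/charity_slapd_key.pem") with the defaults, and it is worth running again after any package upgrade that touches /etc/ssl/private.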
John 2011-08-06 05:35
Enabling mod_rewrite in Apache
root@charity:/var/www/www.progclub.org/pcblog# a2enmod rewrite
Enabling module rewrite.
Run '/etc/init.d/apache2 restart' to activate new configuration!
root@charity:/var/www/www.progclub.org/pcblog# apache2ctl graceful
That was after configuring a .htaccess file for pcblog:
jj5@charity:~$ cat /var/www/www.progclub.org/pcblog/.htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /blog/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
</IfModule>
John 2011-08-05 23:15
Installing php5-mcrypt
root@charity:/var/www/www.progclub.org# apt-get install php5-mcrypt
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libmcrypt4
Suggested packages:
  libmcrypt-dev mcrypt
The following NEW packages will be installed:
  libmcrypt4 php5-mcrypt
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 104kB of archives.
After this operation, 365kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe libmcrypt4 2.5.8-3.1 [87.6kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/universe php5-mcrypt 5.3.2-0ubuntu1 [16.7kB]
Fetched 104kB in 0s (110kB/s)
Committing to: /etc/
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
modified shadow
modified shadow-
Committed revision 32.
Selecting previously deselected package libmcrypt4.
(Reading database ... 17926 files and directories currently installed.)
Unpacking libmcrypt4 (from .../libmcrypt4_2.5.8-3.1_amd64.deb) ...
Selecting previously deselected package php5-mcrypt.
Unpacking php5-mcrypt (from .../php5-mcrypt_5.3.2-0ubuntu1_amd64.deb) ...
Processing triggers for libapache2-mod-php5 ...
 * Reloading web server config apache2                                   [ OK ]
Setting up libmcrypt4 (2.5.8-3.1) ...
Setting up php5-mcrypt (5.3.2-0ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added php5/conf.d/mcrypt.ini
Committed revision 33.
John 2011-08-05 22:24
Creating pcblog database and user
root@charity:/var/www/www.progclub.org# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1030
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create user 'pcblog'@'%' identified by 'uiq82r3wy';
Query OK, 0 rows affected (0.09 sec)

mysql> create database pcblog;
Query OK, 1 row affected (0.09 sec)

mysql> select host, user from user;
+---------------------------+------------------+
| host                      | user             |
+---------------------------+------------------+
| %                         | pcblog           |
| 127.0.0.1                 | root             |
| 60-240-67-126.tpgi.com.au | pcwiki           |
| charity                   | root             |
| localhost                 | debian-sys-maint |
| localhost                 | pcwiki           |
| localhost                 | root             |
+---------------------------+------------------+
7 rows in set (0.01 sec)

mysql> grant all privileges on pcblog.* to 'pcblog'@'%' with grant option;
Query OK, 0 rows affected (0.14 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)

mysql> quit
Bye
John 2011-08-05 17:32
Adding user jedd
jj5@charity:~$ sudo adduser jedd
[sudo] password for jj5:
Adding user `jedd' ...
Adding new group `jedd' (1006) ...
Adding new user `jedd' (1006) with group `jedd' ...
Creating home directory `/home/jedd' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jedd
Enter the new value, or press ENTER for the default
	Full Name []: Jedd Rashbrooke
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]
jj5@charity:~$ sudo adduser jedd sudo
Adding user `jedd' to group `sudo' ...
Adding user jedd to group sudo
Done.
John 2011-08-05 16:59
Disabling IPSec
Can't get IPSec to work. Commented out /etc/network/if-up.d/ip and removed the policies from /etc/ipsec-tools.conf.
John 2011-08-05 16:10
Trying to get kadmin to work from Hope
Found this.
root@charity:~# kadmin.local -p jj5/admin -q "addprinc -randkey host/hope.progclub.net"
Authenticating as principal jj5/admin with password.
WARNING: no policy specified for host/hope.progclub.net@PROGCLUB.ORG; defaulting to no policy
Principal "host/hope.progclub.net@PROGCLUB.ORG" created.
root@charity:~# kadmin.local -p jj5/admin -q "ktadd -k /etc/krb5.keytab host/hope.progclub.net"
Authenticating as principal jj5/admin with password.
Entry for principal host/hope.progclub.net with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/hope.progclub.net with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
Ah, I was confused.
root@charity:/etc# rm krb5.keytab
John 2011-08-05 14:57
Changing jj5/admin password in Kerberos
This is so my password will be different from the Linux system password, so I can tell if the system is logging me in with my Kerberos credentials (when I configure SSH to use Kerberos, for example).
jj5@charity:~$ kadmin -p jj5/admin
Couldn't open log file /var/log/krb5.log: Permission denied
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin:  cpw jj5/admin
Enter password for principal "jj5/admin@PROGCLUB.ORG":
Re-enter password for principal "jj5/admin@PROGCLUB.ORG":
Password for "jj5/admin@PROGCLUB.ORG" changed.
kadmin:  quit
Adding user jj5
jj5@charity:~$ kadmin -p jj5/admin
Couldn't open log file /var/log/krb5.log: Permission denied
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin:  addprinc jj5
WARNING: no policy specified for jj5@PROGCLUB.ORG; defaulting to no policy
Enter password for principal "jj5@PROGCLUB.ORG":
Re-enter password for principal "jj5@PROGCLUB.ORG":
Principal "jj5@PROGCLUB.ORG" created.
kadmin:  quit
John 2011-08-05 00:26
Kerberizing Apache
Following these instructions.
jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# kadmin.local
Authenticating as principal root/admin@PROGCLUB.ORG with password.
kadmin.local:  addprinc -randkey HTTP/charity.progclub.org
WARNING: no policy specified for HTTP/charity.progclub.org@PROGCLUB.ORG; defaulting to no policy
Principal "HTTP/charity.progclub.org@PROGCLUB.ORG" created.
kadmin.local:  ktadd -k /etc/apache2/apache2.keytab HTTP/charity.progclub.org
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/apache2/apache2.keytab.
Entry for principal HTTP/charity.progclub.org with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/apache2/apache2.keytab.
kadmin.local:  quit
root@charity:~# chown www-data:www-data /etc/apache2/apache2.keytab
root@charity:~# chmod 400 /etc/apache2/apache2.keytab
root@charity:~# apt-get install libapache2-mod-auth-kerb
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  libapache2-mod-auth-kerb
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 20.3kB of archives.
After this operation, 119kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libapache2-mod-auth-kerb 5.3-5build2 [20.3kB]
Fetched 20.3kB in 0s (36.1kB/s)
Committing to: /etc/
modified .etckeeper
modified krb5.conf
added apache2/apache2.keytab
added krb5kdc/kadm5.acl
modified krb5kdc/kdc.conf
added krb5kdc/stash
Committed revision 28.
Selecting previously deselected package libapache2-mod-auth-kerb.
(Reading database ... 17919 files and directories currently installed.)
Unpacking libapache2-mod-auth-kerb (from .../libapache2-mod-auth-kerb_5.3-5build2_amd64.deb) ...
Setting up libapache2-mod-auth-kerb (5.3-5build2) ...
Enabling module auth_kerb.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Committing to: /etc/
added apache2/mods-available/auth_kerb.load
added apache2/mods-enabled/auth_kerb.load
Committed revision 29.
root@charity:~# cd /etc/apache2/sites-available/
root@charity:/etc/apache2/sites-available# vim default-ssl
<Directory /var/www/www.progclub.org/test>
	Options Indexes FollowSymLinks MultiViews
	AllowOverride None
	Order allow,deny
	allow from all
	AuthType Kerberos
	AuthName "Kerberos Login"
	KrbAuthRealm PROGCLUB.ORG
	Krb5Keytab /etc/apache2/apache2.keytab
	#KrbMethodK5Passwd off #optional--makes GSSAPI SPNEGO a requirement
	Require valid-user
</Directory>
root@charity:/etc/apache2/sites-available# cd /var/www/www.progclub.org/
root@charity:/var/www/www.progclub.org# mkdir test
root@charity:/var/www/www.progclub.org# cd test
root@charity:/var/www/www.progclub.org/test# vim index.php
<?php phpinfo(); ?>
root@charity:/var/www/www.progclub.org/test# apache2ctl graceful
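Both ktadd runs above (for host/hope.progclub.net into /etc/krb5.keytab, and for HTTP/charity.progclub.org into /etc/apache2/apache2.keytab) wrote four keys per principal, two of them for single DES and RC4. What follows is an added example, not code from the original page: a parser for the MIT keytab file format (version 0x0502) that lists what `klist -k -e` would show and flags entries whose enctype should not be kept. It carries a small writer only so that it can construct a sample keytab with dummy key bytes for the same principal, kvno and enctypes as the HTTP/charity.progclub.org run; on a real system you would read /etc/apache2/apache2.keytab instead. Two caveats follow from the transcripts themselves: `rm /etc/krb5.keytab` only deletes the local copy (the host/hope.progclub.net key stays in the KDC database at kvno 2, and a later ktadd will bump the kvno), and the etckeeper commit above stored apache2.keytab and krb5kdc/stash in the /etc version history, so those secrets now also live in that repository.

```python
import struct
import time

# RFC 3961 / RFC 4757 enctype numbers for the four key types ktadd wrote above.
ENCTYPES = {
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    16: "des3-cbc-sha1",
    1: "des-cbc-crc",
}
WEAK_ENCTYPES = {1, 23}  # single DES and RC4: these should not stay in a keytab


def _pack(octets):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(octets)) + octets


def _unpack(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version 0x0502 keytab.
    Used only to construct the sample below; ktadd does this on a real system."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack(realm.encode())
        for comp in comps:
            body += _pack(comp.encode())
        # name_type 1 = NT-PRINCIPAL, timestamp, 8-bit kvno, keyblock, 32-bit kvno
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _pack(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per key entry in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # a negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _unpack(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _unpack(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _unpack(data, off)
        if end - off >= 4:  # optional 32-bit kvno; a non-zero value overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, "enctype %d" % enctype),
            "weak": enctype in WEAK_ENCTYPES,
            "key": key,
        })
        off = end
    return entries


def weak_entries(data):
    """(principal, enctype) pairs in the keytab that use single DES or RC4."""
    return [(e["principal"], e["enctype"]) for e in parse_keytab(data) if e["weak"]]


# Constructed sample: same principal, kvno and enctypes as the ktadd run above,
# with dummy key bytes (real keys come from the KDC and must never be published).
SAMPLE_PRINCIPAL = "HTTP/charity.progclub.org@PROGCLUB.ORG"
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_PRINCIPAL, 2, 18, bytes(range(32))),
    (SAMPLE_PRINCIPAL, 2, 23, bytes(range(16))),
    (SAMPLE_PRINCIPAL, 2, 16, bytes(range(24))),
    (SAMPLE_PRINCIPAL, 2, 1, bytes(range(8))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s kvno %d %s%s" % (e["principal"], e["kvno"], e["enctype"],
                                   " (WEAK)" if e["weak"] else ""))
```

To run it against the real file, pass `open("/etc/apache2/apache2.keytab", "rb").read()` to `parse_keytab` as root. The weak entries exist because supported_enctypes in kdc.conf still lists des-cbc-crc and arcfour-hmac; dropping them there before running ktadd keeps them out of every new keytab.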
John 2011-08-04 21:21
Installing Kerberos
Following these instructions.
jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# nslookup charity.progclub.org
bash: nslookup: command not found
root@charity:~# apt-get install nslookup
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package nslookup
root@charity:~# apt-cache search nslookup
dnsutils - Clients provided with BIND
root@charity:~# apt-get install dnsutils
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bind9-host geoip-database libbind9-60 libdns64 libgeoip1 libisc60 libisccc60 libisccfg60 liblwres60
Suggested packages:
  rblcheck geoip-bin
The following NEW packages will be installed:
  bind9-host dnsutils geoip-database libbind9-60 libdns64 libgeoip1 libisc60 libisccc60 libisccfg60 liblwres60
0 upgraded, 10 newly installed, 0 to remove and 2 not upgraded.
Need to get 2,024kB of archives.
After this operation, 4,866kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libgeoip1 1.4.6.dfsg-17 [109kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisc60 1:9.7.0.dfsg.P1-1ubuntu0.3 [170kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libdns64 1:9.7.0.dfsg.P1-1ubuntu0.3 [692kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisccc60 1:9.7.0.dfsg.P1-1ubuntu0.3 [29.9kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libisccfg60 1:9.7.0.dfsg.P1-1ubuntu0.3 [53.1kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libbind9-60 1:9.7.0.dfsg.P1-1ubuntu0.3 [34.7kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/main liblwres60 1:9.7.0.dfsg.P1-1ubuntu0.3 [48.5kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/main bind9-host 1:9.7.0.dfsg.P1-1ubuntu0.3 [68.6kB]
Get:9 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dnsutils 1:9.7.0.dfsg.P1-1ubuntu0.3 [162kB]
Get:10 http://archive.ubuntu.com/ubuntu/ lucid/main geoip-database 1.4.6.dfsg-17 [658kB]
Fetched 2,024kB in 8s (227kB/s)
Selecting previously deselected package libgeoip1.
(Reading database ... 17754 files and directories currently installed.)
Unpacking libgeoip1 (from .../libgeoip1_1.4.6.dfsg-17_amd64.deb) ...
Selecting previously deselected package libisc60.
Unpacking libisc60 (from .../libisc60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libdns64.
Unpacking libdns64 (from .../libdns64_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libisccc60.
Unpacking libisccc60 (from .../libisccc60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libisccfg60.
Unpacking libisccfg60 (from .../libisccfg60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package libbind9-60.
Unpacking libbind9-60 (from .../libbind9-60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package liblwres60.
Unpacking liblwres60 (from .../liblwres60_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package bind9-host.
Unpacking bind9-host (from .../bind9-host_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package dnsutils.
Unpacking dnsutils (from .../dnsutils_1%3a9.7.0.dfsg.P1-1ubuntu0.3_amd64.deb) ...
Selecting previously deselected package geoip-database.
Unpacking geoip-database (from .../geoip-database_1.4.6.dfsg-17_all.deb) ...
Processing triggers for man-db ...
Setting up libgeoip1 (1.4.6.dfsg-17) ...
Setting up libisc60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up libdns64 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up libisccc60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up libisccfg60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up libbind9-60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up liblwres60 (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up bind9-host (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up dnsutils (1:9.7.0.dfsg.P1-1ubuntu0.3) ...
Setting up geoip-database (1.4.6.dfsg-17) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# nslookup charity.progclub.org
Server:		67.207.128.4
Address:	67.207.128.4#53

Non-authoritative answer:
Name:	charity.progclub.org
Address: 67.207.128.184

root@charity:~# nslookup 67.207.128.184
Server:		67.207.128.4
Address:	67.207.128.4#53

Non-authoritative answer:
184.128.207.67.in-addr.arpa	name = charity.progclub.org.

Authoritative answers can be found from:
128.207.67.in-addr.arpa	nameserver = NS2.SLICEHOST.NET.
128.207.67.in-addr.arpa	nameserver = NS1.SLICEHOST.NET.
NS1.SLICEHOST.NET	internet address = 67.23.4.57
NS2.SLICEHOST.NET	internet address = 173.45.224.132
root@charity:~# apt-get install krb5-kdc krb5-admin-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  krb5-config krb5-user libgssrpc4 libkadm5clnt-mit7 libkadm5srv-mit7 libkdb5-4
Suggested packages:
  openbsd-inetd inet-superserver krb5-kdc-ldap krb5-doc
The following NEW packages will be installed:
  krb5-admin-server krb5-config krb5-kdc krb5-user libgssrpc4 libkadm5clnt-mit7 libkadm5srv-mit7 libkdb5-4
0 upgraded, 8 newly installed, 0 to remove and 2 not upgraded.
Need to get 777kB of archives.
After this operation, 2,187kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libgssrpc4 1.8.1+dfsg-2ubuntu0.9 [82.2kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkadm5clnt-mit7 1.8.1+dfsg-2ubuntu0.9 [62.8kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkdb5-4 1.8.1+dfsg-2ubuntu0.9 [62.3kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libkadm5srv-mit7 1.8.1+dfsg-2ubuntu0.9 [76.8kB]
Get:5 http://archive.ubuntu.com/ubuntu/ lucid/main krb5-config 2.2 [23.0kB]
Get:6 http://archive.ubuntu.com/ubuntu/ lucid-updates/main krb5-user 1.8.1+dfsg-2ubuntu0.9 [137kB]
Get:7 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe krb5-kdc 1.8.1+dfsg-2ubuntu0.9 [219kB]
Get:8 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe krb5-admin-server 1.8.1+dfsg-2ubuntu0.9 [113kB]
Fetched 777kB in 1s (560kB/s)
Preconfiguring packages ...
Selecting previously deselected package libgssrpc4.
(Reading database ... 17824 files and directories currently installed.)
Unpacking libgssrpc4 (from .../libgssrpc4_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkadm5clnt-mit7.
Unpacking libkadm5clnt-mit7 (from .../libkadm5clnt-mit7_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkdb5-4.
Unpacking libkdb5-4 (from .../libkdb5-4_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package libkadm5srv-mit7.
Unpacking libkadm5srv-mit7 (from .../libkadm5srv-mit7_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-config.
Unpacking krb5-config (from .../krb5-config_2.2_all.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-kdc.
Unpacking krb5-kdc (from .../krb5-kdc_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Selecting previously deselected package krb5-admin-server.
Unpacking krb5-admin-server (from .../krb5-admin-server_1.8.1+dfsg-2ubuntu0.9_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up libgssrpc4 (1.8.1+dfsg-2ubuntu0.9) ...
Setting up libkadm5clnt-mit7 (1.8.1+dfsg-2ubuntu0.9) ...
Setting up libkdb5-4 (1.8.1+dfsg-2ubuntu0.9) ...
Setting up libkadm5srv-mit7 (1.8.1+dfsg-2ubuntu0.9) ...
Setting up krb5-config (2.2) ...
Setting up krb5-user (1.8.1+dfsg-2ubuntu0.9) ...
Setting up krb5-kdc (1.8.1+dfsg-2ubuntu0.9) ...
krb5kdc: cannot initialize realm PROGCLUB.ORG - see log file for details
Setting up krb5-admin-server (1.8.1+dfsg-2ubuntu0.9) ...
kadmind: No such file or directory while initializing, aborting
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added krb5.conf
added krb5kdc
added default/krb5-admin-server
added default/krb5-kdc
added init.d/krb5-admin-server
added init.d/krb5-kdc
added krb5kdc/kdc.conf
added rc0.d/K18krb5-admin-server
added rc0.d/K18krb5-kdc
added rc1.d/K18krb5-admin-server
added rc1.d/K18krb5-kdc
added rc2.d/S18krb5-admin-server
added rc2.d/S18krb5-kdc
added rc3.d/S18krb5-admin-server
added rc3.d/S18krb5-kdc
added rc4.d/S18krb5-admin-server
added rc4.d/S18krb5-kdc
added rc5.d/S18krb5-admin-server
added rc5.d/S18krb5-kdc
added rc6.d/K18krb5-admin-server
added rc6.d/K18krb5-kdc
Committed revision 27.
Package configuration: Configuring krb5-admin-server

Setting up a Kerberos Realm

This package contains the administrative tools required to run the Kerberos master server.

However, installing this package does not automatically set up a Kerberos realm. This can be done later by running the "krb5_newrealm" command.

Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the administration guide found in the krb5-doc package.

<Ok>
root@charity:~# dpkg-reconfigure krb5-kdc
Package configuration: Configuring krb5-kdc

The Kerberos Key Distribution Center (KDC) configuration files, in /etc/krb5kdc, may be created automatically.

By default, an example template will be copied into this directory with local parameters filled in.

Administrators who already have infrastructure to manage their Kerberos configuration may wish to disable these automatic configuration changes.

Create the Kerberos KDC configuration automatically?

<Yes> <No>
<Yes>
krb5kdc: cannot initialize realm PROGCLUB.ORG - see log file for details
root@charity:~# cd /var/log
root@charity:/var/log# ls
apache2        dmesg           kern.log      mysql.log        syslog.2.gz
apt            dmesg.0         kern.log.1    mysql.log.1.gz   syslog.3.gz
auth.log       dmesg.1.gz      lastlog       mysql.log.2.gz   syslog.4.gz
auth.log.1     dmesg.2.gz      lpr.log       mysql.log.3.gz   syslog.5.gz
boot           dmesg.3.gz      mail.err      mysql.log.4.gz   syslog.6.gz
bootstrap.log  dmesg.4.gz      mail.info     mysql.log.5.gz   syslog.7.gz
btmp           dpkg.log        mail.log      mysql.log.6.gz   udev
btmp.1         dpkg.log.1      mail.warn     mysql.log.7.gz   user.log
daemon.log     fail2ban.log    messages      news             wtmp
daemon.log.1   fail2ban.log.1  messages.1    pycentral.log    wtmp.1
debug          faillog         mysql         syslog
debug.1        fsck            mysql.err     syslog.1
Where is the KRB log!?
root@charity:/etc# cat krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88
    default_realm = PROGCLUB.ORG

[realms]
    PROGCLUB.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
root@charity:/etc# reboot

Broadcast message from jj5@charity
	(/dev/pts/0) at 11:49 ...

The system is going down for reboot NOW!
root@charity:/etc/krb5kdc# vim kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to give any principal
# ending in /admin full administrative rights.
# To enable this, uncomment the following line:
*/admin@PROGCLUB.ORG *
root@charity:/etc/krb5kdc# krb5_newrealm
This script should be run on the master KDC/admin server to initialize
a Kerberos realm.  It will ask you to type in a master key password.
This password will be used to generate a key that is stored in
/etc/krb5kdc/stash.  You should try to remember this password, but it
is much more important that it be a strong password than that it be
remembered.  However, if you lose the password and /etc/krb5kdc/stash,
you cannot decrypt your Kerberos database.
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'PROGCLUB.ORG',
master key name 'K/M@PROGCLUB.ORG'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Now that your realm is set up you may wish to create an administrative
principal using the addprinc subcommand of the kadmin.local program.
Then, this principal can be added to /etc/krb5kdc/kadm5.acl so that
you can use the kadmin program on other computers.  Kerberos admin
principals usually belong to a single user and end in /admin.  For
example, if jruser is a Kerberos administrator, then in addition to
the normal jruser principal, a jruser/admin principal should be
created.

Don't forget to set up DNS information so your clients can find your
KDC and admin servers.  Doing so is documented in the administration
guide.
root@charity:/etc/krb5kdc# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
root@charity:/etc# /etc/init.d/k
killprocs          krb5-admin-server  krb5-kdc
root@charity:/etc# /etc/init.d/krb5-kdc restart
 * Restarting Kerberos KDC krb5kdc                                       ...done.
root@charity:/etc# /etc/init.d/krb5-admin-server restart
 * Restarting Kerberos administrative servers kadmind
root@charity:/etc#
root@charity:/var/lib/krb5kdc# kadmin -p admin/admin
Authenticating as principal admin/admin with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
root@charity:/var/lib/krb5kdc# kadmin.local
Authenticating as principal root/admin@PROGCLUB.ORG with password.
kadmin.local:  addprinc jj5/admin@PROGCLUB.ORG
WARNING: no policy specified for jj5/admin@PROGCLUB.ORG; defaulting to no policy
Enter password for principal "jj5/admin@PROGCLUB.ORG":
Re-enter password for principal "jj5/admin@PROGCLUB.ORG":
Principal "jj5/admin@PROGCLUB.ORG" created.
kadmin.local:  quit
root@charity:/var/lib/krb5kdc# kadmin -p jj5/admin
Authenticating as principal jj5/admin with password.
Password for jj5/admin@PROGCLUB.ORG:
kadmin:  ?
Available kadmin requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.
kadmin:  listprincs
K/M@PROGCLUB.ORG
jj5/admin@PROGCLUB.ORG
kadmin/admin@PROGCLUB.ORG
kadmin/changepw@PROGCLUB.ORG
kadmin/charity.progclub.org@PROGCLUB.ORG
kadmin/history@PROGCLUB.ORG
krbtgt/PROGCLUB.ORG@PROGCLUB.ORG
kadmin:  quit
root@charity:/etc# cat krb5.conf
[logging]
	default = FILE:/var/log/krb5.log

[libdefaults]
	default_realm = PROGCLUB.ORG

# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
	v4_instance_resolve = false
	v4_name_convert = {
		host = {
			rcmd = host
			ftp = ftp
		}
		plain = {
			something = something-else
		}
	}
	fcc-mit-ticketflags = true

[realms]
	PROGCLUB.ORG = {
		kdc = kerberos.progclub.org:88
		admin_server = kerberos.progclub.org
		default_domain = progclub.org
	}

[domain_realm]
	.progclub.org = PROGCLUB.ORG
	progclub.org = PROGCLUB.ORG
	.progclub.com = PROGCLUB.ORG
	progclub.com = PROGCLUB.ORG
	.progclub.info = PROGCLUB.ORG
	progclub.info = PROGCLUB.ORG
	.progclub.net = PROGCLUB.ORG
	progclub.net = PROGCLUB.ORG
	.progclub.co = PROGCLUB.ORG
	progclub.co = PROGCLUB.ORG
	.progclub.mobi = PROGCLUB.ORG
	progclub.mobi = PROGCLUB.ORG

[login]
	krb4_convert = true
	krb4_get_tickets = false
root@charity:/etc# kadmin -p jj5/admin
kadmin:  cpw jj5/admin
Enter password for principal "jj5/admin@PROGCLUB.ORG":
Re-enter password for principal "jj5/admin@PROGCLUB.ORG":
Password for "jj5/admin@PROGCLUB.ORG" changed.
kadmin:  quit
John 2011-08-03 07:42
Adding user friggles
jj5@charity:~$ sudo adduser friggles
[sudo] password for jj5:
Adding user `friggles' ...
Adding new group `friggles' (1005) ...
Adding new user `friggles' (1005) with group `friggles' ...
Creating home directory `/home/friggles' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for friggles
Enter the new value, or press ENTER for the default
	Full Name []: <full name>
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]
jj5@charity:~$ sudo gpasswd -a friggles sudo
Adding user friggles to group sudo
John 2011-08-01 00:12
Configured /wiki URLs
Decided that 'wiki' rather than 'pc' is more appropriate in the URLs for ProgClub. Updated the Apache web-site configuration files, patched LocalSettings.php in the pcwiki directory, and updated the root redirection script. The old 'pc' links will remain functional.
John 2011-07-31 19:47
Adding user jav
jj5@charity:~$ sudo adduser jav
[sudo] password for jj5:
Adding user `jav' ...
Adding new group `jav' (1004) ...
Adding new user `jav' (1004) with group `jav' ...
Creating home directory `/home/jav' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jav
Enter the new value, or press ENTER for the default
	Full Name []: <full name>
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]
John 2011-07-30 17:15
Configuring IPSec
jj5@charity:~$ sudo -s
[sudo] password for jj5:
root@charity:~# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 0B/433kB of archives.
After this operation, 1,217kB of additional disk space will be used.
Committing to: /etc/
modified ipsec-tools.conf
modified iptables.up.rules
Committed revision 22.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 17754 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# cd /etc/network/if-pre-up.d/
root@charity:/etc/network/if-pre-up.d# ll
total 16
drwxr-xr-x 2 root root 4096 2011-07-26 17:49 ./
drwxr-xr-x 6 root root 4096 2010-04-22 19:09 ../
-rwxr-xr-x 1 root root  344 2011-05-17 07:41 ethtool*
-rwxr-xr-x 1 root root   58 2011-07-26 17:49 iptables*
root@charity:/etc/network/if-pre-up.d# cat iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
root@charity:/etc/network/if-pre-up.d# vim ip
#!/bin/sh
# Hope
ip route add 67.207.130.204 dev eth0 advmss 200
# Honesty
ip route add 67.207.129.103 dev eth0 advmss 200
root@charity:/etc/network/if-pre-up.d# chmod +x ip
root@charity:/etc/network/if-pre-up.d# cd /etc/
root@charity:/etc# vim iptables.up.rules
*filter

# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT
# Accept anything from honesty
-A INPUT -s 67.207.129.103 -j ACCEPT

# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT

# Allow IPSec traffic
#-A INPUT -p 50 -j ACCEPT
#-A INPUT -p 51 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
root@charity:/etc# vim ipsec-tools.conf
#!/usr/sbin/setkey -f

# Charity/Hope security policy
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;

# Charity/Honesty security policy
spdadd 67.207.128.184 67.207.129.103 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.129.103 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;
root@charity:/etc# vim racoon/psk.txt
# Hope
67.207.130.204 <secret>
# Honesty
67.207.129.103 <secret>
root@charity:/etc# vim racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote anonymous {
	exchange_mode main,aggressive;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group modp1024;
	}
	generate_policy off;
}

sainfo anonymous {
	pfs_group modp768;
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

#log debug2;
root@charity:/etc# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:/etc# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc# ll racoon/psk.txt
-rw------- 1 root root 92 2011-07-30 07:37 racoon/psk.txt
root@charity:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
modified ipsec-tools.conf.bak
modified iptables.up.rules
added network/if-pre-up.d/ip
modified racoon/psk.txt
modified racoon/racoon.conf
Committed revision 23.
root@charity:/etc/racoon# /etc/network/if-pre-up.d/ip
RTNETLINK answers: File exists
Now off to configure hope and...
...damn, it didn't work. Oh well, no racoon for you!
root@charity:~# apt-get remove racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  racoon
0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
After this operation, 1,217kB disk space will be freed.
Do you want to continue [Y/n]?
(Reading database ... 17818 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
root@charity:~# cp /etc/ipsec-tools.conf.bak /etc/ipsec-tools.conf
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=24 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# dd if=/dev/random count=20 bs=1 | xxd -ps
root@charity:~# vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# Charity/Hope configuration

# ESP SAs using 192 bit long AES keys (24 bytes)
add 67.207.128.184 67.207.130.204 esp 1 -E aes-cbc 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.130.204 67.207.128.184 esp 2 -E aes-cbc 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;

# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.130.204 ah 3 -A hmac-sha1 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.130.204 67.207.128.184 ah 4 -A hmac-sha1 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;

# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;

# Charity/Honesty configuration

# ESP SAs using 192 bit long AES keys (24 bytes)
add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;

# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;
add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1 0xdeadb33fdeadb33fdeadb33fdeadb33fdeadb33f;

# Security policies
spdadd 67.207.128.184 67.207.129.103 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.129.103 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;
root@charity:~# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:~# cd /etc/network
root@charity:/etc/network# mv if-pre-up.d/ip if-up.d/
root@charity:/etc/network# if-up.d/ip
root@charity:/etc# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified ipsec-tools.conf
missing network/if-pre-up.d/ip
modified network/if-pre-up.d/ip
added network/if-up.d/ip
Committed revision 24.
That should do it. Off to configure the other end... on hope and honesty...
...works!
John 2011-07-30 09:38
Configuring racoon
See this article for a run-down.
# vim /etc/racoon/psk.txt
# Hope
67.207.130.204 <secret>
# vim /etc/racoon/racoon.conf
remote 67.207.130.204 {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    generate_policy off;
}

sainfo address 67.207.130.204[any] any address 67.207.130.204/32[any] any {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
# vim /etc/ipsec-tools.conf
# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;
root@charity:/etc/racoon# /etc/init.d/racoon stop
Stopping IKE (ISAKMP/Oakley) server: racoon.
root@charity:/etc/racoon# /etc/init.d/setkey restart
Reloading IPsec SA/SP database: done.
root@charity:/etc/racoon# /etc/init.d/racoon start
Starting IKE (ISAKMP/Oakley) server: racoon.
Still no dice... :(
John 2011-07-29 23:59
Installing racoon
Having trouble getting IPSec to work, gonna try installing racoon and giving that a go.
root@charity:/etc# apt-get install racoon
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  racoon
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 433kB of archives.
After this operation, 1,217kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main racoon 1:0.7.1-1.6ubuntu1 [433kB]
Fetched 433kB in 1s (329kB/s)
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
added ipsec-tools.conf.bak
Committed revision 19.
Preconfiguring packages ...
Selecting previously deselected package racoon.
(Reading database ... 17749 files and directories currently installed.)
Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up racoon (1:0.7.1-1.6ubuntu1) ...
Generating /etc/default/racoon...
Starting IKE (ISAKMP/Oakley) server: racoon.
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added racoon
added default/racoon
added init.d/racoon
added racoon/psk.txt
added racoon/racoon-tool.conf
added racoon/racoon.conf
added rc1.d/K89racoon
added rcS.d/S40racoon
Committed revision 20.
The install prompted for Package configuration information, and I chose the 'direct' configuration method (the default) over 'racoon-tool', the other option.
Configuring racoon

Racoon can be configured two ways, either by directly editing /etc/racoon/racoon.conf or using the racoon-tool administrative front end. racoon-tool is now deprecated and is only available for backward compatibility. New installations should always use the "direct" method.

Configuration mode for racoon IKE daemon.

  direct
  racoon-tool

<Ok>
John 2011-07-28 11:32
Firstly some house-keeping
$ cd /etc
$ sudo bzr status
[sudo] password for jj5:
modified:
  shadow
$ sudo etckeeper commit "Changed password for jj5"
Committing to: /etc/
modified shadow
Committed revision 13.
Installing IPSec
See this article for instructions.
$ sudo apt-get install ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ipsec-tools
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 111kB of archives.
After this operation, 274kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
Fetched 111kB in 0s (116kB/s)
Selecting previously deselected package ipsec-tools.
(Reading database ... 17714 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added ipsec-tools.conf
added default/setkey
added init.d/setkey
added rcS.d/S37setkey
Committed revision 14.
To generate two 128-bit 'ah' keys:
$ dd if=/dev/random count=16 bs=1 | xxd -ps
$ dd if=/dev/random count=16 bs=1 | xxd -ps
To generate two 192-bit 'esp' keys:
$ dd if=/dev/random count=24 bs=1 | xxd -ps
$ dd if=/dev/random count=24 bs=1 | xxd -ps
Then edit the ipsec-tools.conf file,
$ sudo vim /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#

# Flush the SAD and SPD
flush;
spdflush;

# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5 0x<ah_1>;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5 0x<ah_2>;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc 0x<esp_1>;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc 0x<esp_2>;

# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;
Make sure the ipsec-tools.conf file is not world-readable:
$ sudo chmod 750 ipsec-tools.conf
Now I'll go and setup the other side of the connection...
Then,
$ sudo /etc/init.d/setkey start
 * Loading IPsec SA/SP database from /etc/ipsec-tools.conf:    [ OK ]
$ sudo etckeeper commit "Configured IPSec between charity and hope"
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
Committed revision 15.
Done!
...or, not-so-done. After testing, I discovered that IPTables was getting in the way of IPSec traffic.
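The manual-keying procedure above (and its later AES/SHA1 revision for the Charity/Hope and Charity/Honesty pairs at the top of this section) is worth having as a script rather than a sequence of copy-pasted dd runs: the keys have to be the exact length for the algorithm, they must differ per direction, and the file holding them must not be readable by anyone but root. The following is an added example, not the page's own configuration. It assumes the addresses used on the page, reads /dev/urandom rather than /dev/random (same kernel CSPRNG, never blocks), and uses od(1) instead of xxd so it runs on a bare install. It also emits the firewall lines the page found it needed: ESP is IP protocol 50, AH is IP protocol 51, and IKE (once racoon is in play) is UDP/500. One caveat that the page's racoon attempt was addressing: manually keyed SAs never rekey, so the same keys protect every packet until someone regenerates the file.

```shell
#!/bin/sh
# Added example (not from the original page): generate fresh manual-keying
# material and render an /etc/ipsec-tools.conf for setkey, checking that every
# key is the right length for its algorithm before anything is written.
# Assumptions: addresses are the ones used on the page; /dev/urandom is used
# instead of /dev/random; od(1) replaces xxd.

# Expected key size in bytes for each algorithm we allow.
key_bytes_for() {
    case "$1" in
        aes-cbc)   echo 24 ;;   # 192-bit AES, as in the later config on the page
        hmac-sha1) echo 20 ;;   # 160-bit key, same size as the hash output
        hmac-md5)  echo 16 ;;   # 128-bit; legacy, matches the 07-28 entry
        *) return 1 ;;
    esac
}

# Print N random bytes as lowercase hex with no whitespace.
gen_key() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Return 0 if HEX is a hex string of the correct length for ALGO.
check_key() {
    algo=$1; hex=$2
    want=$(key_bytes_for "$algo") || return 1
    [ "${#hex}" -eq $((want * 2)) ] || return 1
    case "$hex" in *[!0-9a-f]*) return 1 ;; esac
    return 0
}

# Render a setkey script for one host pair. SPIs must be unique per
# (destination, protocol), so four consecutive values from BASE are used.
# A distinct key is generated for each direction and each protocol.
render_conf() {
    local_ip=$1; peer=$2; spi=$3
    esp_out=$(gen_key 24); esp_in=$(gen_key 24)
    ah_out=$(gen_key 20);  ah_in=$(gen_key 20)
    for key in "$esp_out" "$esp_in"; do check_key aes-cbc "$key" || return 1; done
    for key in "$ah_out" "$ah_in";  do check_key hmac-sha1 "$key" || return 1; done
    printf '%s\n' \
      "#!/usr/sbin/setkey -f" \
      "flush;" \
      "spdflush;" \
      "# ESP SAs, AES-CBC with 192-bit keys" \
      "add $local_ip $peer esp $spi -E aes-cbc 0x$esp_out;" \
      "add $peer $local_ip esp $((spi + 1)) -E aes-cbc 0x$esp_in;" \
      "# AH SAs, HMAC-SHA1 with 160-bit keys" \
      "add $local_ip $peer ah $((spi + 2)) -A hmac-sha1 0x$ah_out;" \
      "add $peer $local_ip ah $((spi + 3)) -A hmac-sha1 0x$ah_in;" \
      "# Policies: require ESP and AH in transport mode in both directions" \
      "spdadd $local_ip $peer any -P out ipsec esp/transport//require ah/transport//require;" \
      "spdadd $peer $local_ip any -P in ipsec esp/transport//require ah/transport//require;"
}

# Write the config root-only: the keys are the whole secret.
# Usage: install_conf OUTFILE LOCAL_IP PEER_IP SPI_BASE
install_conf() {
    out=$1
    ( umask 077; render_conf "$2" "$3" "$4" > "$out" ) || return 1
    chmod 600 "$out"
}

# iptables rules without which the SAs load fine but no packet gets through:
# protocol 50 (ESP), protocol 51 (AH) and UDP/500 for IKE.
ipsec_iptables_rules() {
    peer=$1
    printf '%s\n' \
      "-A INPUT -s $peer -p esp -j ACCEPT" \
      "-A INPUT -s $peer -p ah -j ACCEPT" \
      "-A INPUT -s $peer -p udp --dport 500 -j ACCEPT"
}
```

The same file, with the `add` lines' source and destination swapped by nothing (setkey takes absolute addresses), is copied verbatim to the peer; only the policy directions are mirrored there, which is why the renderer writes both `-P out` and `-P in` with explicit addresses.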
John 2011-07-27 12:01
Public read-only svn access via HTTPS and HTTP
See this article for the general idea.
# cd /etc/apache2/
# vim dav_svn.ro.authz
[/]
* = r
# vim dav_svn.rw.authz
[/]
jj5 = rw
# vim sites-available/default-ssl
<Location /svn>
    DAV svn
    SVNParentPath /var/svn
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /etc/apache2/dav_svn.passwd
    AuthzSVNAccessFile /etc/apache2/dav_svn.rw.authz
    Require valid-user
</Location>

<Location /svnro>
    DAV svn
    SVNParentPath /var/svn
    AuthzSVNAccessFile /etc/apache2/dav_svn.ro.authz
</Location>
# vim sites-available/default
<Location /svnro>
    DAV svn
    SVNParentPath /var/svn
    AuthzSVNAccessFile /etc/apache2/dav_svn.ro.authz
</Location>
# apache2ctl graceful
# etckeeper commit "Public read-only svn access"
Committing to: /etc/
added apache2/dav_svn.ro.authz
added apache2/dav_svn.rw.authz
modified apache2/sites-available/default
modified apache2/sites-available/default-ssl
Committed revision 12.
John 2011-07-27 06:12
Installing Subversion with HTTPS support
See this article for a primer.
# apt-get install subversion libapache2-svn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libneon27-gnutls libsvn1
Suggested packages:
  db4.8-util subversion-tools
The following NEW packages will be installed:
  libapache2-svn libneon27-gnutls libsvn1 subversion
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,595kB of archives.
After this operation, 7,250kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main libneon27-gnutls 0.29.0-1 [136kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libsvn1 1.6.6dfsg-2ubuntu1.3 [906kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/universe libapache2-svn 1.6.6dfsg-2ubuntu1.3 [168kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main subversion 1.6.6dfsg-2ubuntu1.3 [385kB]
Fetched 1,595kB in 1s (866kB/s)
Selecting previously deselected package libneon27-gnutls.
(Reading database ... 17613 files and directories currently installed.)
Unpacking libneon27-gnutls (from .../libneon27-gnutls_0.29.0-1_amd64.deb) ...
Selecting previously deselected package libsvn1.
Unpacking libsvn1 (from .../libsvn1_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Selecting previously deselected package libapache2-svn.
Unpacking libapache2-svn (from .../libapache2-svn_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Selecting previously deselected package subversion.
Unpacking subversion (from .../subversion_1.6.6dfsg-2ubuntu1.3_amd64.deb) ...
Processing triggers for man-db ...
Setting up libneon27-gnutls (0.29.0-1) ...
Setting up libsvn1 (1.6.6dfsg-2ubuntu1.3) ...
Setting up libapache2-svn (1.6.6dfsg-2ubuntu1.3) ...
Considering dependency dav for dav_svn:
Enabling module dav.
Enabling module dav_svn.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Setting up subversion (1.6.6dfsg-2ubuntu1.3) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
added emacs
added subversion
added apache2/mods-available/dav_svn.conf
added apache2/mods-available/dav_svn.load
added apache2/mods-enabled/dav.load
added apache2/mods-enabled/dav_svn.conf
added apache2/mods-enabled/dav_svn.load
added bash_completion.d/subversion
added emacs/site-start.d
added emacs/site-start.d/50psvn.el
added subversion/config
added subversion/servers
Committed revision 9.
# apache2ctl graceful
# cd /var
# ls
backups  cache  crash  lib  local  lock  log  mail  opt  run  spool  tmp  www
# mkdir svn
# cd svn
# svnadmin create pcrepo
# ls
pcrepo
# chown -R www-data:www-data pcrepo/
# chmod -R g+ws pcrepo/
# htpasswd -c /etc/apache2/dav_svn.passwd jj5
New password:
Re-type new password:
Adding password for user jj5
# vim /etc/apache2/sites-enabled/000-default-ssl
Add the following,
<Location /svn>
    DAV svn
    SVNParentPath /var/svn
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /etc/apache2/dav_svn.passwd
    Require valid-user
</Location>
# apache2ctl graceful
$ pwd
/home/jj5
$ mkdir test
$ cd test
$ svn co https://www.progclub.org/svn/pcrepo .
Authentication realm: <https://www.progclub.org> Subversion Repository
Password for 'jj5':
Checked out revision 0.
Works!
Migrating mediawiki-1.17.0 to pcwiki, and checking into svn
$ cd ..
$ mv test pcrepo
$ ls
bin  pcrepo
$ cd pcrepo/
$ mkdir pcwiki
$ cd pcwiki/
$ mkdir trunk
$ mkdir branches
$ mkdir tags
$ cp -R /var/www/www.progclub.org/mediawiki-1.17.0/* trunk/
$ ls
branches  tags  trunk
$ cd trunk/
$ ls
api.php     images             maintenance            RELEASE-NOTES
api.php5    img_auth.php       math                   resources
bin         img_auth.php5      mw-config              serialized
cache       includes           opensearch_desc.php    skins
config      index.php          opensearch_desc.php5   StartProfiler.sample
COPYING     index.php5         php5.php5              thumb.php
CREDITS     INSTALL            profileinfo.php        thumb.php5
docs        languages          README                 trackback.php
extensions  load.php           redirect.php           trackback.php5
FAQ         load.php5          redirect.php5          UPGRADE
HISTORY     LocalSettings.php  redirect.phtml         wiki.phtml
$ rm LocalSettings.php
$ cd ../..
$ svn add pcwiki/
$ svn ci -m "Checking in original mediawiki files"
$ sudo etckeeper commit "Subversion HTTPS"
[sudo] password for jj5:
Committing to: /etc/
added apache2/dav_svn.passwd
modified apache2/sites-available/default-ssl
Committed revision 10.
Then using TortoiseSVN on my workstation I checked out,
https://www.progclub.org/svn/pcrepo/pcwiki/trunk
into
C:\Inetpub\wwwroot\pcwiki
Copied in LocalSettings.php, added it to the ignore list, and checked in.
# cd /var/www/www.progclub.org/
# svn co https://www.progclub.org/svn/pcrepo/pcwiki/trunk pcwiki
# cp mediawiki-1.17.0/LocalSettings.php pcwiki/
# cd /etc/apache2/sites-enabled/
# vim 000-default
Changed alias on line 17,
Alias /pc /var/www/www.progclub.org/pcwiki/index.php
# vim 000-default-ssl
Changed alias on line 17,
Alias /pc /var/www/www.progclub.org/pcwiki/index.php
# apache2ctl graceful
# etckeeper commit "pcwiki web"
Committing to: /etc/
modified apache2/sites-available/default
modified apache2/sites-available/default-ssl
Committed revision 11.
Reloaded a page from the web-site, and everything seems to be working well.
Copied in changes for mediawiki skin oldskool on my workstation and checked in to svn. There seems to be a new-line thing going on whereby every file got updated with different line-feed sequence (I'm guessing \r\n rather than just \n) -- it changed nearly every file, but I just checked it in anyway.
# cd /var/www/www.progclub.org/pcwiki
# svn update
Reloaded a page from the web-site, and everything seems to be in order.
# cd /var/www/www.progclub.org/
# svn co https://www.progclub.org/svn/pcrepo/pcwiki/trunk pcwiki-dev
# cp pcwiki/LocalSettings.php pcwiki-dev/
# cd pcwiki-dev/
# vim LocalSettings.php    (reconfigured style and script path)
# svn update
John 2011-07-27 04:44
Configuring MySQL for (not too) public access
# cd /etc/mysql
# vim my.cnf
Changed from line 52,
#bind-address = 127.0.0.1
bind-address = 67.207.128.184
# service mysql restart
mysql start/running, process 2598
# etckeeper commit "Bound MySQL to public IP address"
Committing to: /etc/
modified mysql/my.cnf
Committed revision 7.
# vim /etc/iptables.up.rules
# Allows MySQL connections from John's house
-A INPUT -s <John's IP>/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allows MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# iptables -F
# iptables-restore < /etc/iptables.up.rules
# etckeeper commit "Updated firewall rules -- MySQL from John's house"
Committing to: /etc/
modified iptables.up.rules
Committed revision 8.
# mysql -uroot -p
mysql> use mysql;
mysql> select host, user from user;
mysql> create user 'pcwiki'@'<John's house>' identified by '<password>';
mysql> grant all privileges on pcwiki.* to 'pcwiki'@'<John's house>' with grant option;
mysql> flush privileges;
My development version of MediaWiki can now connect to the production database!
John 2011-07-27 04:09
Installing fail2ban
See Fail2ban for information about installing and configuring the program.
# apt-get install fail2ban
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  whois
Suggested packages:
  python-gamin mailx
The following NEW packages will be installed:
  fail2ban whois
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 129kB of archives.
After this operation, 1032kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/universe fail2ban 0.8.4-1ubuntu1 [96.0kB]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid/main whois 5.0.0ubuntu3 [32.6kB]
Fetched 129kB in 1s (123kB/s)
Selecting previously deselected package fail2ban.
(Reading database ... 17493 files and directories currently installed.)
Unpacking fail2ban (from .../fail2ban_0.8.4-1ubuntu1_all.deb) ...
Selecting previously deselected package whois.
Unpacking whois (from .../whois_5.0.0ubuntu3_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up fail2ban (0.8.4-1ubuntu1) ...
Setting up whois (5.0.0ubuntu3) ...
Processing triggers for python-central ...
Committing to: /etc/
modified .etckeeper
added fail2ban
added default/fail2ban
added fail2ban/action.d
added fail2ban/fail2ban.conf
added fail2ban/filter.d
added fail2ban/jail.conf
added fail2ban/action.d/complain.conf
added fail2ban/action.d/dshield.conf
added fail2ban/action.d/hostsdeny.conf
added fail2ban/action.d/ipfilter.conf
added fail2ban/action.d/ipfw.conf
added fail2ban/action.d/iptables-allports.conf
added fail2ban/action.d/iptables-multiport-log.conf
added fail2ban/action.d/iptables-multiport.conf
added fail2ban/action.d/iptables-new.conf
added fail2ban/action.d/iptables.conf
added fail2ban/action.d/mail-buffered.conf
added fail2ban/action.d/mail-whois-lines.conf
added fail2ban/action.d/mail-whois.conf
added fail2ban/action.d/mail.conf
added fail2ban/action.d/mynetwatchman.conf
added fail2ban/action.d/sendmail-buffered.conf
added fail2ban/action.d/sendmail-whois-lines.conf
added fail2ban/action.d/sendmail-whois.conf
added fail2ban/action.d/sendmail.conf
added fail2ban/action.d/shorewall.conf
added fail2ban/filter.d/apache-auth.conf
added fail2ban/filter.d/apache-badbots.conf
added fail2ban/filter.d/apache-nohome.conf
added fail2ban/filter.d/apache-noscript.conf
added fail2ban/filter.d/apache-overflows.conf
added fail2ban/filter.d/common.conf
added fail2ban/filter.d/courierlogin.conf
added fail2ban/filter.d/couriersmtp.conf
added fail2ban/filter.d/cyrus-imap.conf
added fail2ban/filter.d/exim.conf
added fail2ban/filter.d/gssftpd.conf
added fail2ban/filter.d/lighttpd-fastcgi.conf
added fail2ban/filter.d/named-refused.conf
added fail2ban/filter.d/pam-generic.conf
added fail2ban/filter.d/php-url-fopen.conf
added fail2ban/filter.d/postfix.conf
added fail2ban/filter.d/proftpd.conf
added fail2ban/filter.d/pure-ftpd.conf
added fail2ban/filter.d/qmail.conf
added fail2ban/filter.d/sasl.conf
added fail2ban/filter.d/sieve.conf
added fail2ban/filter.d/sshd-ddos.conf
added fail2ban/filter.d/sshd.conf
added fail2ban/filter.d/vsftpd.conf
added fail2ban/filter.d/webmin-auth.conf
added fail2ban/filter.d/wuftpd.conf
added fail2ban/filter.d/xinetd-fail.conf
added init.d/fail2ban
added logrotate.d/fail2ban
added rc0.d/K99fail2ban
added rc1.d/K99fail2ban
added rc2.d/S99fail2ban
added rc3.d/S99fail2ban
added rc4.d/S99fail2ban
added rc5.d/S99fail2ban
added rc6.d/K99fail2ban
Committed revision 6.
# iptables -L
...
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
Then I tried dud logins from loki.progsoc.uts.edu.au, and
# iptables -L
...
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  loki.progsoc.uts.edu.au  anywhere
RETURN     all  --  anywhere             anywhere
Which is what we wanted to see.
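The check above (dud logins, then look for a DROP in the fail2ban-ssh chain) is the right acceptance test. What fail2ban's sshd filter actually does between those two steps is count "Failed password" lines per source address in auth.log, skip anything in ignoreip, and ban once a threshold is reached. The following is an added example that reproduces that core with awk so the logic is visible; it is not fail2ban's code and not from the original page. The log lines in the test are constructed and use TEST-NET addresses; the chain-listing parser expects `iptables -L fail2ban-ssh -n` output (numeric, so no reverse DNS like the hostnames above).

```shell
#!/bin/sh
# Added example, not from the original page: the core of the sshd jail as a
# pair of shell functions, so the detection can be run over a log sample.

# Usage: failed_logins_over LOGFILE THRESHOLD [IGNORE_IPS]
# Prints "ip count" for every address with at least THRESHOLD failed
# sshd password attempts, excluding space-separated IGNORE_IPS (fail2ban's
# ignoreip), sorted by address.
failed_logins_over() {
    log=$1; threshold=$2; ignore=${3:-}
    awk -v thr="$threshold" -v ignore="$ignore" '
        BEGIN { n = split(ignore, ig, " "); for (i = 1; i <= n; i++) skip[ig[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            # the source address is the token after "from"
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !(ip in skip)) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= thr) print ip, count[ip] }
    ' "$log" | sort
}

# Usage: is_banned_in_chain LISTING_FILE IP
# Exit 0 if a DROP rule for IP appears in saved `iptables -L <chain> -n`
# output (columns: target prot opt source destination).
is_banned_in_chain() {
    listing=$1; ip=$2
    awk -v ip="$ip" '$1 == "DROP" && $4 == ip { found = 1 } END { exit !found }' "$listing"
}
```

On the host the second function would be fed `iptables -L fail2ban-ssh -n > /tmp/chain` and then `is_banned_in_chain /tmp/chain 203.0.113.7`; the ignore list is the same thing the later "Whitelist John's IP in fail2ban" entry sets with ignoreip, and it is worth testing that an address on that list is never reported even when it exceeds the threshold.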
John 2011-07-27 03:41
Configuring IPTables
See this article for information on configuring IPTables.
# vim /etc/iptables.up.rules
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
# iptables-restore < /etc/iptables.up.rules
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:30000
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix `iptables denied: '
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
# vim /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
# chmod +x /etc/network/if-pre-up.d/iptables
# etckeeper commit "Configured IPTables"
Committing to: /etc/
added iptables.up.rules
added network/if-pre-up.d/iptables
Committed revision 4.
The commands for modifying IPTables firewall rules are now:
# vim /etc/iptables.up.rules
# /sbin/iptables -F
# /sbin/iptables-restore < /etc/iptables.up.rules
# etckeeper commit "Updated firewall rules"
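The edit/flush/restore loop above is run over SSH on a remote box, which is exactly where a typo in the rules file costs a trip to the console. Two additions a practitioner wants around it, given here as an added example rather than anything from the page: a lint that catches the mistakes that lock you out (no loopback accept, no ESTABLISHED rule, the SSH accept placed after the catch-all, or a missing COMMIT, in which case iptables-restore applies nothing and the previous flush leaves the box wide open), and an apply step that schedules an automatic revert unless a fresh SSH session is confirmed. The SSH port is a parameter because the rules file above says 22 while the `iptables -L` listing that follows it shows dpt:30000. `iptables-restore --test` parses without committing; the revert job and `iptables-save` only run on the host.

```shell
#!/bin/sh
# Added example, not from the original page: lint an iptables-restore rules
# file for lock-out mistakes, then apply it with a timed automatic revert.

# Usage: lint_rules FILE [SSH_PORT]; prints the first problem and returns 1.
lint_rules() {
    f=$1; port=${2:-22}
    grep -q '^\*filter' "$f" || { echo "missing *filter table header"; return 1; }
    grep -q '^COMMIT' "$f"   || { echo "missing COMMIT (restore would apply nothing)"; return 1; }
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "no loopback ACCEPT"; return 1; }
    grep -Eq -- '^-A INPUT .*--state (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' "$f" \
        || { echo "no ESTABLISHED,RELATED ACCEPT (existing sessions would break)"; return 1; }
    # line numbers of the first SSH accept and the first INPUT catch-all
    ssh=$(grep -n -- "^-A INPUT .*--dport $port .*-j ACCEPT" "$f" | head -1 | cut -d: -f1)
    deny=$(grep -En -- '^-A INPUT -j (REJECT|DROP)' "$f" | head -1 | cut -d: -f1)
    [ -n "$deny" ] || { echo "no catch-all REJECT/DROP on INPUT (chain policy is ACCEPT)"; return 1; }
    [ -n "$ssh" ]  || { echo "no ACCEPT for SSH on port $port"; return 1; }
    [ "$ssh" -lt "$deny" ] \
        || { echo "SSH ACCEPT (line $ssh) comes after the catch-all (line $deny)"; return 1; }
    return 0
}

# Usage: apply_rules FILE [GRACE_SECONDS]. Root on the host only.
# Saves the running rules, applies FILE, and restores the saved rules after
# GRACE_SECONDS unless the background job is killed first.
apply_rules() {
    f=$1; grace=${2:-60}
    lint_rules "$f" || return 1
    iptables-restore --test < "$f" || { echo "iptables-restore rejected the file"; return 1; }
    backup=$(mktemp /tmp/iptables.backup.XXXXXX)
    iptables-save > "$backup"
    ( sleep "$grace"; iptables-restore < "$backup" ) &
    revert=$!
    iptables-restore < "$f"
    echo "Applied $f. Open a NEW ssh session now; if it works, run: kill $revert"
}
```

iptables-restore replaces the whole table by default, so the separate `iptables -F` in the loop above is not needed and is in fact the dangerous half: if the restore then fails to parse, the host is left with empty chains and an ACCEPT policy.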
John 2011-07-27 03:33
Disabling root SSH login
Per the instructions Disabling Direct Root Login (SSH),
$ sudo -s
# cd /etc/ssh
# vim sshd_config
Changed line 26 to,
PermitRootLogin no
Then,
$ sudo service ssh restart
$ sudo etckeeper commit "Disabled root logins"
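One thing to check before that restart: sshd_config is first-match-wins. The first global occurrence of a keyword is the one that counts, and anything under a `Match` block applies only when the condition matches, so a `PermitRootLogin no` added below an existing `PermitRootLogin yes` (or pasted in at the end of the file) changes nothing. The helper below, an added example and not part of the page, prints the value sshd will use for a keyword so the edit can be verified from the file alone; it assumes a plain config with no `Include` lines, which is all the OpenSSH of this period supported. On the live host the authoritative check is `sshd -T | grep -i permitrootlogin`, and `sshd -t` before `service ssh restart` catches syntax errors that would otherwise leave the daemon down.

```shell
#!/bin/sh
# Added example, not from the original page: report the effective global
# value of an sshd_config keyword, honouring first-match-wins and ignoring
# everything that follows a Match block.

# Usage: sshd_effective FILE KEYWORD  (keyword match is case-insensitive)
sshd_effective() {
    file=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[ \t]*(#|$)/ { next }                # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)          # keyword ends at space or "="
            if (n) { k = tolower(substr(line, 1, n - 1)); v = substr(line, n + 1) }
            else   { k = tolower(line); v = "" }
            sub(/^[ \t=]+/, "", v)
            sub(/[ \t]+$/, "", v)
        }
        k == "match" { inmatch = 1; next }     # later lines are conditional
        inmatch { next }
        k == want { print v; exit }            # first global hit wins
    ' "$file"
}

# Exit 0 only when direct root login is disabled in the global section.
root_login_disabled() {
    [ "$(sshd_effective "$1" PermitRootLogin)" = "no" ]
}

# Exit 0 only when GROUP is listed on the effective AllowGroups line
# (the later "Allow SSH only for members of sudo group" change).
allowgroups_contains() {
    file=$1; group=$2
    for g in $(sshd_effective "$file" AllowGroups); do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}
```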
John 2011-07-27 03:27
Configuring the system locale
Per the instructions,
$ sudo /usr/sbin/locale-gen en_AU.UTF-8
Generating locales...
  en_AU.UTF-8... done
Generation complete.
$ sudo /usr/sbin/update-locale LANG=en_AU.UTF-8
$ sudo etckeeper commit "Set system locale"
John 2011-07-27 03:20
Configuring jj5's environment
Per the instructions about configuring the Environment, I added,
# JE 2011-07-27 03:16
export EDITOR=/usr/bin/vim
to end of /home/jj5/.profile
and ran,
$ sudo update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                Priority   Status
------------------------------------------------------------
* 0            /bin/nano            40        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/vim.basic   30        manual mode
  3            /usr/bin/vim.tiny    10        manual mode

Press enter to keep the current choice[*], or type selection number: 2
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/editor (editor) in manual mode.
to configure the visudo editor. (Forgot to commit with etckeeper!)
John 2011-07-27 01:20
Creating a favicon.ico
MediaWiki is configured to use one, and web-browsers are requesting it, and it's 404ing, so best if I put a file there. Used iconj to generate a favicon.ico file, and used WinSCP to copy it to /var/www/www.progclub.org/favicon.ico on Charity.
Was having a problem with the favicon.ico loading in firefox, so I generated a new one with favicon.cc. I don't actually think the favicon.ico file was the problem though. But the change has been made now, and there's no point reverting it, because it's all working.
John 2011-07-27 01:01
Configuring robots.txt
Having some trouble with search engine looking for URLs from the previous domain owners. Going to setup a robots.txt file to try and fix up what I can there. Found 6 methods to control what and how your content appears in search engines to help guide me.
# cd /var/www/www.progclub.org/ # vim robots.txt
User-agent: * Disallow: /stories/ Disallow: /story/ Disallow: /members/ Disallow: /vehicles/
Will expand on this as other URLs that need addressing become apparent in the logs.
Watching the Apache web-logs
Created /home/jj5/bin/spy to setup a window to watch the web-logs.
#!/bin/bash
sudo tail -f /var/log/apache2/access.log /var/log/apache2/ssl_access.log
John 2011-07-26 22:25
Adding user key720
# adduser key720
Adding user `key720' ...
Adding new group `key720' (1003) ...
Adding new user `key720' (1003) with group `key720' ...
Creating home directory `/home/key720' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for key720
Enter the new value, or press ENTER for the default
	Full Name []: <name>
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]
Also added Key to the wiki.
Tasaio 2011-07-26 21:39
Setting up Etckeeper
$ sudo apt-get install etckeeper
That's really all there is to it. There's an auto commit every day, an autocommit whenever you apt-get install something and you can manually commit your changes using:
$ sudo etckeeper commit "Changed foo to achieve bar"
See the commit log for a file with:
$ sudo bzr log /etc/passwd
This means we should be able to see with reasonable accuracy what changed when, and as long as people commit their changes (and use sudo rather than abusing sudo su or the like), we'll even know who did it. Useful for quickly rolling back silly changes and catching those changes people forget to log on the wiki.
John 2011-07-26 09:55
Adding user sanguinev
# adduser sanguinev
Adding user `sanguinev' ...
Adding new group `sanguinev' (1002) ...
Adding new user `sanguinev' (1002) with group `sanguinev' ...
Creating home directory `/home/sanguinev' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for sanguinev
Enter the new value, or press ENTER for the default
	Full Name []: Thomas
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]

# gpasswd -a sanguinev sudo
Adding user sanguinev to group sudo
Added a wiki user too.
John 2011-07-26 09:13
Adding user jj5
root@charity:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
	Full Name []: John Elliot
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]

root@charity:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo
That was easy. PuTTY says it works!
Adding user tasaio
root@charity:~# adduser tasaio
Adding user `tasaio' ...
Adding new group `tasaio' (1001) ...
Adding new user `tasaio' (1001) with group `tasaio' ...
Creating home directory `/home/tasaio' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for tasaio
Enter the new value, or press ENTER for the default
	Full Name []: Justin
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [Y/n]
root@charity:~# gpasswd -a tasaio sudo
Adding user tasaio to group sudo
That was easy too! Will create a wiki user for him too.
John 2011-07-26 08:47
I could be accused of ignorance. When I created my key file for the CSR request I nominated a pass-phrase. This phrase is required to be entered every time you restart Apache. Gah! Until I can figure out a way to fix it I've created a script in /sbin called restart-apache which enters the key's pass-phrase automatically.
# cd /sbin
# vim restart-apache
#!/bin/bash
echo <the pass phrase> | apache2ctl graceful
# chmod u+x restart-apache
# restart-apache
Works swimmingly. Will reboot to see what happens when apache tries to load from a boot.
Apache chokes on boot. Found this article, which suggests,
# cd ~
# cp progclub.key progclub.key.pass-phrase
# openssl rsa -in progclub.key.pass-phrase -out progclub.key
# chmod 400 progclub.*
# reboot
Hopefully Apache comes back up this time... yep!
Will keep the restart-apache script in sbin, but will remove the part that specified the key pass-phrase.
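Stripping the pass-phrase (as done above) is the standard fix, and the chmod 400 is what makes it acceptable: the key is now protected by file permissions alone. What is missing from the entry is a check that the key Apache is about to load is actually the one the certificate was issued for, and that it is still unencrypted and still root-only after the shuffle of copies. The following is an added example, not from the page, of the pre-flight a practitioner runs before `apache2ctl graceful`. It assumes PEM files and OpenSSL 1.0 or later; the paths in the usage comment are the ones the page uses. Comparing the derived public keys works for any key type, where the usual RSA-modulus comparison does not; the `-passin pass:` stops openssl from prompting on the terminal if the key turns out to still be encrypted.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks on a private key
# and certificate pair before pointing Apache at them.

# A PEM key protected by a pass-phrase is marked ENCRYPTED in its header,
# whether traditional ("Proc-Type: 4,ENCRYPTED") or PKCS#8
# ("BEGIN ENCRYPTED PRIVATE KEY"). Either one makes an unattended restart hang.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Compare the public key derived from the private key with the one inside the
# certificate. An encrypted key makes pkey fail (empty password supplied).
key_matches_cert() {
    key=$1; cert=$2
    k=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || return 1
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The key must not be readable by group or other: accept 0400 or 0600 only.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "r--------" ] || [ "$mode" = "rw-------" ]
}

# Run all three; print the first failure to stderr and return non-zero.
tls_preflight() {
    key=$1; cert=$2
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is pass-phrase protected; Apache will block on boot" >&2; return 1
    fi
    if ! key_matches_cert "$key" "$cert"; then
        echo "FAIL: $key does not match $cert" >&2; return 1
    fi
    if ! key_perms_ok "$key"; then
        echo "FAIL: $key is readable by group/other (want 0400)" >&2; return 1
    fi
    echo "OK: $key matches $cert, unencrypted, root-only"
}

# Usage on the host, with the page's paths:
#   tls_preflight /root/progclub.key /root/progclub.org.crt \
#     && apache2ctl configtest && apache2ctl graceful
```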
John 2011-07-26 06:20
Getting an HTTPS certificate
Searched for certificate sni cheap, found Go Daddy SSL Certificate. Decided on the Multiple Domains UCC - A$82.93/yr setup, which looks like it will suit us. Picked up to 5 domains for 3 years. It offered me free .mobi registration, so I added progclub.mobi. I then also added progclub.biz and progclub.co, I'm a sucker. Registration information recorded in Blackbrick Account Manager. Setup the nameservers for the new domains to point to ns*.slicehost.net via My Account.
Had to generate a Certificate Signing Request (CSR) per these instructions (for Apache 2.x).
# cd ~
# openssl genrsa -des3 -out progclub.key 2048
# openssl req -new -key progclub.key -out progclub.csr
See Blackbrick Account Manager for full details.
Certificate Type
- Hosting: Third Party Hosting
- Domain Name: www.progclub.org
- Certificate Issuing Organization: Go Daddy
- Subject Alt Names: www.progclub.net www.progclub.mobi www.progclub.info www.progclub.co
You're through!
Your certificate will be issued shortly.
You can monitor the progress of your certificate application by going to the Pending Requests folder and clicking your Common Name. When we are through verifying your application, you will receive an email with further instructions.
Downloaded the progclub.org.zip that was eventually generated, and used WinSCP to copy it to root's home directory on charity. Found info about Installing an SSL Certificate in Apache.
# cd /etc/apache2/sites-available/ # vim default-ssl
Set,
ServerAdmin jj5@jj5.net
DocumentRoot /var/www/www.progclub.org
# cd ~
# ls
progclub.csr  progclub.key  progclub.org.zip
# unzip progclub.org.zip
-bash: unzip: command not found
# apt-get install unzip
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  zip
The following NEW packages will be installed:
  unzip
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 189kB of archives.
After this operation, 406kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main unzip 6.0-1build1 [189kB]
Fetched 189kB in 0s (195kB/s)
Selecting previously deselected package unzip.
(Reading database ... 15343 files and directories currently installed.)
Unpacking unzip (from .../unzip_6.0-1build1_amd64.deb) ...
Processing triggers for man-db ...
Setting up unzip (6.0-1build1) ...
# unzip progclub.org.zip
Archive:  progclub.org.zip
  inflating: gd_bundle.crt
  inflating: progclub.org.crt
# ls
gd_bundle.crt  progclub.csr  progclub.key  progclub.org.crt  progclub.org.zip
# cd /etc/apache2/sites-available/
# vim default-ssl
#SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateFile    /root/progclub.org.crt
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateKeyFile /root/progclub.key

#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
SSLCertificateChainFile /root/gd_bundle.crt
Saved changes.
# a2ensite default-ssl
# /etc/init.d/apache2 reload
 * Reloading web server config apache2    [ OK ]
# a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
# /etc/init.d/apache2 restart
Navigated to https://www.progclub.org/, and it worked!
# cd /etc/apache2/sites-enabled/
# vim 000-default-ssl
Alias /pc /var/www/www.progclub.org/mediawiki-1.17.0/index.php
The secure wiki is now working!
John 2011-07-25 17:53
Installing MediaWiki
Found the MediaWiki download page, which references mediawiki-1.17.0.tar.gz.
# cd /var/www/www.progclub.org/
# wget http://download.wikimedia.org/mediawiki/1.17/mediawiki-1.17.0.tar.gz
# ls
index.html  mediawiki-1.17.0.tar.gz  test.php
# tar xzf mediawiki-1.17.0.tar.gz
# ls
index.html  mediawiki-1.17.0  mediawiki-1.17.0.tar.gz  test.php
# rm mediawiki-1.17.0.tar.gz
# cd mediawiki-1.17.0/
# ls
COPYING               bin            languages             redirect.php5
CREDITS               cache          load.php              redirect.phtml
FAQ                   config         load.php5             resources
HISTORY               docs           maintenance           serialized
INSTALL               extensions     math                  skins
README                images         mw-config             thumb.php
RELEASE-NOTES         img_auth.php   opensearch_desc.php   thumb.php5
StartProfiler.sample  img_auth.php5  opensearch_desc.php5  trackback.php
UPGRADE               includes       php5.php5             trackback.php5
api.php               index.php      profileinfo.php       wiki.phtml
api.php5              index.php5     redirect.php
Didn't find a LocalSettings.php, which is what I was expecting, so reading INSTALL.
# less INSTALL
It told me to navigate to the setup page. The setup page complained about a missing LocalSettings.php, so they haven't changed that after all. Clicked on setup the wiki.
Specified,
* Your language: en - English
* Wiki language: en - English
Clicked continue, and among its checks was a complaint:
Could not find a suitable database driver! You need to install a database driver for PHP. The following database types are supported: MySQL, PostgreSQL, Oracle, SQLite.
If you are on shared hosting, ask your hosting provider to install a suitable database driver. If you compiled PHP yourself, reconfigure it with a database client enabled, for example using ./configure --with-mysql. If you installed PHP from a Debian or Ubuntu package, then you also need install the php5-mysql module.
So,
# apt-get install php5-mysql
# apache2ctl graceful
Then reloaded the config page,
The environment has been checked. You can install MediaWiki.
Clicked continue, and got the Connect to database page. Looks like I'm going to need a database user for the wiki, so
# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create user 'pcwiki'@'localhost' identified by '<password>';
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye
Back on the config page:
* Database type: MySQL
* Database host: localhost
* Database name: pcwiki
* Database table prefix: pcwiki__
* Database username: pcwiki
* Database password: <password>
Clicked continue, and got the Database settings page. Specified,
* Database account for web access: Use the same account as for installation
* Storage engine: InnoDB (the default, other choice was MyISAM)
* Database character set: UTF-8 (not the default, the default choice was Binary)
Clicked continue, and got the Name page. Specified,
* Name of wiki: ProgClub
* Project namespace: Same as the wiki name: ProgClub
Configuration for the Administrator account,
* Your name: John
* Password: <password>
* Password again: <password>
* E-mail address: jj5@jj5.net
You are almost done! You can now skip the remaining configuration and install the wiki right now.
Chose Ask me more questions, and got the Options page. Specified,
* User rights profile: Traditional wiki
* Copyright and license: No license footer
* Enable outbound e-mail: true
* Return e-mail address: wiki@progclub.org
* Enable user-to-user e-mail: true
* Enable user talk page notification: true
* Enable watchlist notification: true
* Enable e-mail authentication: true
* Enable file uploads: true
* Directory for deleted files: /var/www/www.progclub.org/mediawiki-1.17.0/images/deleted
* Logo URL: /res/img/logo.png
* Settings for object caching: No caching
Clicked Continue, and got the confirmation page. Clicked Continue again. Got an error because the database user couldn't create the database. Created the database manually,
# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database `pcwiki`;
Query OK, 1 row affected (0.00 sec)

mysql> exit
Bye
Decided it would be easier to let MediaWiki create the database, so went back and specified the database config details to use the root user. I will change this to be the pcwiki user manually after the database has been created.
Setting up database... done
Creating tables... done
Creating database user... done
Populating default interwiki table... done
Initializing statistics... done
Generating secret keys... done
Creating administrator user account... done
Creating main page with default content... done
Clicked continue,
Congratulations! You have successfully installed MediaWiki.
The installer has generated a LocalSettings.php file. It contains all your configuration.
You will need to download it and put it in the base of your wiki installation (the same directory as index.php). The download should have started automatically.
If the download was not offered, or if you cancelled it, you can restart the download by clicking the link below: Download LocalSettings.php
Note: If you do not do this now, this generated configuration file will not be available to you later if you exit the installation without downloading it.
When that has been done, you can enter your wiki.
Downloaded the LocalSettings.php file and copied it to /var/www/www.progclub.org/mediawiki-1.17.0
Edited LocalSettings.php and changed the database user:
$wgDBuser = "pcwiki";
$wgDBpassword = "<password>";
Also added an article path:
$wgArticlePath = "/pc/$1";
Also need to grant access for pcwiki user:
# mysql -h localhost -u root --password=<password>
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 54
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> grant all privileges on pcwiki.* to pcwiki@localhost;
Query OK, 0 rows affected (0.11 sec)

mysql> exit
Bye
Then need to edit apache conf file to include the pc alias:
# cd /etc/apache2/sites-enabled/
# vim 000-default
added,
Alias /pc /var/www/www.progclub.org/mediawiki-1.17.0/index.php
then,
# apache2ctl graceful
Also,
# cd /var/www/www.progclub.org/
# mkdir res
# mkdir res/img
Then uploaded a logo.png to there with WinSCP. The logo settings hadn't been properly specified in the generated LocalSettings.php file, so,
# cd /var/www/www.progclub.org/mediawiki-1.17.0/
# vim LocalSettings.php
and changed the logo setting,
$wgLogo = "/res/img/logo.png";
Checked the wiki, and it's all working nicely.
John 2011-07-25 17:12
Preparing WWW hosting
# cd /var/www
# mkdir www.progclub.org
# mv index.html test.php www.progclub.org/
# ls
# cd www.progclub.org/
# ls
index.html test.php
Everything is in order.
# cd /etc/apache2/sites-enabled/
# ls
000-default
# vim 000-default
Specified ServerAdmin,
ServerAdmin jj5@progclub.org
Changed document root,
DocumentRoot /var/www/www.progclub.org/
Changed the <Directory /var/www/> section to,
<Directory /var/www/www.progclub.org/>
Saved changes and quit vim. Restarted apache,
# apache2ctl graceful
Apache complained,
apache2: Could not reliably determine the server's fully qualified domain name, using charity.progclub.org for ServerName
Searched for "apache2: Could not reliably determine the server's fully qualified domain name, using " and found an answer.
Ran,
# hostname charity.progclub.org
which I guess is a better way to set the hostname than editing /etc/hostname like I did. :P
Ran,
# apache2ctl graceful
again, and got the same error,
apache2: Could not reliably determine the server's fully qualified domain name, using charity.progclub.org for ServerName
Tried a reboot to see if the hostname is updated after that,
# reboot
Still having problems with,
# apache2ctl graceful
So read more of the answer, and then,
# hostname charity
# vim /etc/hosts
Specified the file contents as
127.0.0.1 localhost localhost.localdomain
67.207.128.184 charity charity.progclub.org
Then rebooted,
# reboot
Ran hostname and got,
# hostname
charity.progclub.org
So edited /etc/hostname and specified
charity
Rebooted,
# reboot
Searched for "/etc/hostname", and found an answer. Short name goes in /etc/hostname, so we should be configured correctly now. Apache is still complaining though,
# apache2ctl graceful
apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
and it's using the IP address rather than charity.progclub.org now. Will manually specify ServerName in /etc/apache2/sites-enabled/000-default
# cd /etc/apache2/sites-enabled/
# vim 000-default
Added,
ServerName charity.progclub.org
Ran,
# apache2ctl graceful
again, and got the same friggin' error! More web-searching... found a different answer, tried editing /etc/hosts to put the names the other way around,
# vim /etc/hosts
127.0.0.1 localhost.localdomain localhost
67.207.128.184 charity.progclub.org charity
Rebooted,
# reboot
Tried apache2ctl again,
# apache2ctl graceful
And got no error! Yay!
Checked
* www.progclub.org
and found everything to be working. Web hosting is now configured.
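Added example, not part of the original log: the trial and error above comes down to how the canonical name is chosen from /etc/hosts. The resolver looks for the line that lists the short hostname (from `hostname` / /etc/hostname) and returns the first name on that line as the canonical name; that is what `hostname -f` prints and what Apache falls back on for ServerName. With `67.207.128.184 charity charity.progclub.org` the canonical name is the bare `charity`, which has no dot, so Apache cannot derive a fully qualified name; with the names reversed it is `charity.progclub.org`. The script below mimics that selection over constructed hosts text (it does not read the real /etc/hosts) and needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the progclub.org admin log): reproduce the
# canonical-name selection the resolver applies to an /etc/hosts line.
# The two hosts texts are constructed copies of the before/after layouts.

HOSTS_BEFORE='127.0.0.1 localhost localhost.localdomain
67.207.128.184 charity charity.progclub.org'

HOSTS_AFTER='127.0.0.1 localhost.localdomain localhost
67.207.128.184 charity.progclub.org charity'

# canonical_name SHORT_NAME HOSTS_TEXT
# Prints the first name on the first non-comment line that lists SHORT_NAME
# in any name column; prints nothing if no line matches.
canonical_name() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }      # skip comments and blank lines
        {
            for (i = 2; i <= NF; i++) {
                if ($i == name) { print $2; exit }   # $2 is the canonical name
            }
        }'
}

# fqdn_usable NAME -> 0 if NAME contains a dot, which is what Apache requires
fqdn_usable() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_hosts SHORT_NAME HOSTS_TEXT -> "ok <fqdn>" (status 0) or
# "bad <name>" (status 1) when the canonical name would not satisfy Apache
check_hosts() {
    fqdn=$(canonical_name "$1" "$2")
    if [ -n "$fqdn" ] && fqdn_usable "$fqdn"; then
        printf 'ok %s\n' "$fqdn"
        return 0
    fi
    printf 'bad %s\n' "${fqdn:-unresolved}"
    return 1
}

check_hosts charity "$HOSTS_BEFORE" || :   # bad charity
check_hosts charity "$HOSTS_AFTER"  || :   # ok charity.progclub.org
```

On a live box the same question is answered by `hostname -f`; the script is useful for checking a hosts layout before rebooting, or for reviewing a provisioning template. Setting ServerName explicitly in the Apache config, as was also done above, is the robust fix because it no longer depends on the resolver at all.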
John 2011-07-25 17:11
PHP software installation
I created a test.php file at /var/www/test.php to see if PHP was working out-of-the-box. I navigated to test.php to check, and it tried to download the PHP file, so I guess PHP isn't installed.
The test.php file I used was,
<? phpinfo(); ?>
Searched for PHP installation candidate,
# apt-cache search php5 | less
Found php5, which looks promising.
# apt-get install php5
The following extra packages will be installed:
  apache2-mpm-prefork libapache2-mod-php5 php5-common
Suggested packages:
  php-pear php5-suhosin
The following packages will be REMOVED:
  apache2-mpm-worker
The following NEW packages will be installed:
  apache2-mpm-prefork libapache2-mod-php5 php5 php5-common
0 upgraded, 4 newly installed, 1 to remove and 0 not upgraded.
Need to get 3544kB of archives.
After this operation, 9568kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main apache2-mpm-prefork 2.2.14-5ubuntu8.4 [2420B]
Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5-common 5.3.2-1ubuntu4.9 [551kB]
Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main libapache2-mod-php5 5.3.2-1ubuntu4.9 [2990kB]
Get:4 http://archive.ubuntu.com/ubuntu/ lucid-updates/main php5 5.3.2-1ubuntu4.9 [1112B]
Fetched 3544kB in 1s (1913kB/s)
dpkg: apache2-mpm-worker: dependency problems, but removing anyway as you requested:
 apache2 depends on apache2-mpm-worker (= 2.2.14-5ubuntu8.4) | apache2-mpm-prefork (= 2.2.14-5ubuntu8.4) | apache2-mpm-event (= 2.2.14-5ubuntu8.4) | apache2-mpm-itk (= 2.2.14-5ubuntu8.4); however:
  Package apache2-mpm-worker is to be removed.
  Package apache2-mpm-prefork is not installed.
  Package apache2-mpm-event is not installed.
  Package apache2-mpm-itk is not installed.
(Reading database ... 15291 files and directories currently installed.)
Removing apache2-mpm-worker ...
 * Stopping web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
 ... waiting .   [ OK ]
Selecting previously deselected package apache2-mpm-prefork.
(Reading database ... 15283 files and directories currently installed.)
Unpacking apache2-mpm-prefork (from .../apache2-mpm-prefork_2.2.14-5ubuntu8.4_amd64.deb) ...
Selecting previously deselected package php5-common.
Unpacking php5-common (from .../php5-common_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package libapache2-mod-php5.
Unpacking libapache2-mod-php5 (from .../libapache2-mod-php5_5.3.2-1ubuntu4.9_amd64.deb) ...
Selecting previously deselected package php5.
Unpacking php5 (from .../php5_5.3.2-1ubuntu4.9_all.deb) ...
Setting up apache2-mpm-prefork (2.2.14-5ubuntu8.4) ...
 * Starting web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
   [ OK ]
Setting up php5-common (5.3.2-1ubuntu4.9) ...
Setting up libapache2-mod-php5 (5.3.2-1ubuntu4.9) ...

Creating config file /etc/php5/apache2/php.ini with new version
 * Reloading web server config apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 67.207.128.184 for ServerName
   [ OK ]
Setting up php5 (5.3.2-1ubuntu4.9) ...
Noticed the complaining about the server's fully qualified domain name, so
# vim /etc/hostname
and changed from
charity
to
charity.progclub.org
Then I rebooted,
# reboot
Logged in again and checked the hostname,
# hostname
which was correctly reported as,
charity.progclub.org
Then I navigated to the test.php page, and got back the phpinfo().
John 2011-07-25 16:40
Apache and MySQL software installation
Searched for MySQL software,
# apt-cache search mysql | less
Found mysql-server, which looks like a good candidate.
Searched for Apache software,
# apt-cache search apache2 | less
Found apache2, which looks like a good candidate.
# apt-get install apache2 mysql-server
The following extra packages will be installed:
  apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libdbd-mysql-perl libdbi-perl libexpat1 libhtml-template-perl libmysqlclient16 libnet-daemon-perl libplrpc-perl mysql-client-5.1 mysql-client-core-5.1 mysql-common mysql-server-5.1 mysql-server-core-5.1 psmisc ssl-cert
Suggested packages:
  www-browser apache2-doc apache2-suexec apache2-suexec-custom ufw dbishell libipc-sharedcache-perl tinyca mailx
The following NEW packages will be installed:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libdbd-mysql-perl libdbi-perl libexpat1 libhtml-template-perl libmysqlclient16 libnet-daemon-perl libplrpc-perl mysql-client-5.1 mysql-client-core-5.1 mysql-common mysql-server mysql-server-5.1 mysql-server-core-5.1 psmisc ssl-cert
Configuring mysql-server-5.1
Dpkg showed a configuration screen for configuring the root password. I set one.
Apache and MySQL software installation, continued
I rebooted after installing the above software,
# reboot
I checked the Apache installation by navigating to www.progclub.org and It Works!
John 2011-07-25 16:34
SSH'ed in as root and ran:
# apt-get update
# apt-get dist-upgrade
# reboot
John 2011-07-25 16:00
Had to stuff around with resetting the root password on charity, but remote logins via SSH are working now for root.
John 2011-07-25 15:52
Configured the name server with progclub.org, progclub.net and progclub.info DNS zones on slicehost. The SliceManager should be used to maintain the DNS records for progclub.