Debian Tutorials

Installing the GeoIP Apache module

aip — Sat, 27 Feb 2010 15:22:09 +0000

This module allows you to determine which country, region, city, postal code, area code the visitor is coming from.

1. Install the module

apt-get install libapache2-mod-geoip

2. Restart Apache

/etc/init.d/apache2 restart

3. Create a new PHP file to test the module (pico /var/www/test.php or any file you can access on your server)

print_r($_SERVER); ?>

4. Navigate to the new file in a web browser (http://yourserver/test.php)

The response will be something like this:

Array ( [GEOIP_COUNTRY_CODE] => GB [GEOIP_COUNTRY_NAME] => United Kingdom ... )

Installing and configuring PPTP VPN server on lenny

aip — Wed, 17 Feb 2010 22:21:36 +0000

If you would like to setup a Virtual Private Network (VPN) for Windows clients, PPTP is a great choice. It's easy to set up on the server and you don't need any additional software for the Windows clients to connect.

1. Install the required packages

apt-get install pptpd

2. Configure the IP range assigned to clients (pico /etc/pptpd.conf)

localip 192.168.1.2 remoteip 192.168.1.10-20

Using this config the clients are assigned any IP address between and including 192.168.1.10 and 192.168.1.20.

3. Restart the PPTP daemon

/etc/init.d/pptpd restart

4. Create a user allowed to connect (pico /etc/ppp/chap-secrets)

user1 pptpd secretpassword *

Passwords are not encrypted. This allows the a user with the username: user1 and the password: secretpassword to login from any ip address.

5. Enable IP forward at startup to allow the VPN clients to connect to the server's local network. (pico /etc/sysctl.conf)

net.ipv4.ip_forward=1

Also run this command to activate the IP forward instantly:

echo 1 > /proc/sys/net/ipv4/ip_forward

6. Create a routing rule to allow the VPN clients to route network traffic through the server.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Read this tutorial to learn how to create iptables rules on startup:
Loading iptables rules on startup

Install XCache

aip — Fri, 29 Jan 2010 23:08:53 +0000

XCache is a fast, stable PHP opcode cacher that has been tested and is now running on production servers under high load. It overcomes a lot of problems that has been with other competing opcachers such as being able to be used with new PHP versions.

1. Installing the XCache package

apt-get install php5-xcache

2. Restart Apache

/etc/init.d/apache2 restart

That's it. XCache is now installed.

Blacklisting e-mail addresses using MailScanner

aip — Sat, 16 Jan 2010 21:53:30 +0000

1. Create a new file containing the blacklisted e-mail addresses (pico /etc/MailScanner/rules/spam.blacklist.rules)

FromOrTo: user1@domain.com yes FromOrTo: user2@domain.net yes FromOrTo: default no

2. Configure MailScanner to handle all messages in the blacklist as spam (pico /etc/MailScanner/MailScanner.conf)

Replace this line: Is Definitely Spam = no with this: Is Definitely Spam = %rules-dir%/spam.blacklist.rules

3. Restart MailScanner

/etc/init.d/mailscanner restart

Installing suPHP

aip — Fri, 01 Jan 2010 22:05:02 +0000

suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter.

1. Install suPHP

apt-get install libapache2-mod-suphp

2. Disable the php5 apache module

a2dismod php5

3. Restart Apache

/etc/init.d/apache2 restart

4. You can test if suPHP is working correctly by creating a php file containing the following lines:

system('id'); ?>

The script will return user/group id and name. Make sure you set the file owner to a user/group with id greater than 99.

Scan your web server for vulnerabilities with Nikto

aip — Mon, 28 Dec 2009 09:49:56 +0000

Nikto is a web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers.

1. Install Nikto

apt-get install nikto

2. Test the local web server

nikto -h localhost

Nikto also supports testing on different ports. Click here for Nikto usage information.

Installing and configuring Squid proxy server

aip — Fri, 25 Dec 2009 23:05:25 +0000

Squid is a caching proxy supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.

1. Install the Squid package

apt-get install squid

2. Allow your ip network to use the proxy server (pico /etc/squid/squid.conf). Append lines similar to these to your config

file:

acl mynetwork src 192.168.1.0/255.255.255.0 http_access allow mynetwork

Replace 192.168.1.0/255.255.255.0 with the network that should be able to use the proxy.

3. Don't forward client ip information (optional)

forwarded_for off

4. Restart the daemon

/etc/init.d/squid restart

5. Configure your web browser or application your would like to use the proxy server to connect to serverip at port 3128.

Simple load balancing using Pound

aip — Mon, 21 Dec 2009 20:30:47 +0000

The Pound program is a reverse proxy, load balancer and HTTPS front-end for Web server(s). Pound was developed to enable distributing the load among several Web-servers and to allow for a convenient SSL wrapper for those Web servers that do not offer it natively.

1. Install the pound package

apt-get install pound

2. Configure the load balancing. Replace everything below and including ListenHTTP with something like this: (pico /etc/pound/pound.cfg)

ListenHTTP Address 0.0.0.0 Port 80 xHTTP 0 Service HeadRequire "Host: .*www.google.com.*" BackEnd Address 209.85.227.103 Port 80 End BackEnd Address 209.85.227.104 Port 80 End BackEnd Address 209.85.227.105 Port 80 End BackEnd Address 209.85.227.106 Port 80 End End End

In this example we'll be listening for www.google.com and forward requests to 4 of Google's web servers/clusters. You can of course replace the domain with one of your own and point it to any servers. The servers can be on different networks, using different platforms and you can even forward different paths to different servers. Ex. www.google.com/apps could be forwarded to 1.2.3.4 while www.google.com is forwarded to 2.3.4.5. Click here for more details about Pound

3. Enable the Pound service (pico /etc/default/pound)

startup=1

4. Restart Pound

/etc/init.d/pound start

You must point the dns record for www.google.com to your server's IP address. You could use the hosts file to do this or use another domain.

Installing and configuring MailScanner for virus and spam filtering (Postfix, ClamAV, SpamAssassin, Razor)

aip — Thu, 19 Nov 2009 20:57:29 +0000

MailScanner is an e-mail security and anti-spam package for e-mail gateway systems. MailScanner is highly configurable using a very easy-to-use system of rulesets. Virtually every configuration option can, for example, be controlled on a per-user, per-domain or per-IP basis.

It's assumed that you have already installed and configured Postfix according to this tutorial:
Installing Postfix with MySql backend and SASL for SMTP authentication

1. Install required packages (ClamAV, SpamAssassin, Razor and required libs for MailScanner)

apt-get install clamav clamav-base clamav-freshclam libclamav6 spamassassin razor unzip libarchive-zip-perl libconvert-tnef-perl libhtml-parser-perl libmime-tools-perl libmime-perl libcompress-zlib-perl libconvert-binhex-perl libdbd-sqlite3-perl libfilesys-df-perl libsys-syslog-perl libsys-hostname-long-perl libmailtools-perl libole-storage-lite-perl

2. Download MailScanner

wget http://ftp.us.debian.org/debian/pool/main/m/mailscanner/mailscanner_4.74.16-1_all.deb

3. Install MailScanner

dpkg -i mailscanner_4.74.16-1_all.deb

4. Enable MailScanner (pico /etc/default/mailscanner)

run_mailscanner=1

5. Edit MailScanner configuration (pico /etc/MailScanner/MailScanner.conf)

Run As User = postfix Run As Group = postfix Incoming Queue Dir = /var/spool/postfix/hold Outgoing Queue Dir = /var/spool/postfix/incoming MTA = postfix Always Include SpamAssassin Report = yes Send Notices = no Spam List = RFC-IGNORANT-DSN SORBS-SMTP spamhaus-ZEN spamcop.net CBL Spam Lists To Reach High Score = 2 High SpamAssassin Score = 8 Rebuild Bayes Every = 86400 Wait During Bayes Rebuild = yes High Scoring Spam Actions = delete

6. Create razorhome, discover razor servers and register for identify

razor-admin -create razor-admin -register

7. Make Postfix put all messages on hold to allow MailScanner to scan the messages (pico /etc/postfix/main.cf)

header_checks = regexp:/etc/postfix/header_checks

8. Create the header checks file referenced by previous line (pico /etc/postfix/header_checks)

/^Received:/ HOLD

9. Restart MailScanner and Postfix

/etc/init.d/mailscanner restart postfix reload

Disable root login to SSH

aip — Mon, 09 Nov 2009 20:44:31 +0000

Allowing root logins to your SSH damon is a big security threat. If the SSH port is open, hackers will probably at some time attempt to brute force your root password. It's a good idea to disable root logins to SSH and instead use a normal user to login and type "su -" to enter the super user shell or sudo to perform tasks that require root privileges.

1. Open the SSH daemon config file and change this line: (pico /etc/ssh/sshd_config)

PermitRootLogin no

2. Restart the SSH daemon

/etc/init.d/ssh restart