5.3. Setting up servers.
5.3.1. Generic method.
To have a working server you need a program listening for client requests, called
a Disk And Execution Monitor, or daemon for short.
It may need some arguments to be passed (where to get configuration files, which
user name to run as, etc.). Since servers should come up just by turning on
your computer, distributions arrange for servers to be executed with suitable arguments
by one of the boot scripts (services); refer to section '4.3. Linux under microscope.'.
Those scripts accept 'start', 'stop', 'restart', and 'status' as their argument;
for example, if we have a service called 'foo', you may start this service
at any time using '/etc/init.d/foo start'.
When you change any service configuration, that service needs to be restarted
using something like '/etc/init.d/foo restart'.
If this service conflicts with another one and it should be turned off,
use something like '/etc/init.d/foo stop'
before you run the other one. To know whether the 'foo' server is up or down, try
'/etc/init.d/foo status'.
If some server is not on by default at some runlevels and you want it to
be there, rename its link to start with 'S' instead of 'K' in the directory
corresponding to that runlevel:
'cd /etc/rc.d/rc5.d && mv K75foo S24foo'
Usually your distribution offers a user-friendly tool to do that;
try 'main menu -> settings -> services'.
There is also a menu-driven text-based program called 'ntsysv'
that will help too.
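The S/K link convention above is easy to check by hand for one runlevel directory; the following added example (not from the original text) does it for all of them. It assumes a Red Hat style layout under '/etc/rc.d' (override with RCROOT) and builds a constructed tree in a temporary directory so it can be tried without touching the real one.

```shell
#!/bin/sh
# Added example: list the SysV runlevels in which a service has an S (start)
# or K (kill) link. Assumes RCROOT/rcN.d/{S,K}NNname links; RCROOT defaults
# to /etc/rc.d (Red Hat layout), Debian keeps them directly under /etc.

# Print "N:S" or "N:K" for every runlevel directory that has a link for $1.
service_runlevels() {
    svc=$1
    root=${RCROOT:-/etc/rc.d}
    for dir in "$root"/rc[0-6].d; do
        [ -d "$dir" ] || continue
        lvl=${dir##*/rc}; lvl=${lvl%.d}
        for link in "$dir"/S[0-9][0-9]"$svc" "$dir"/K[0-9][0-9]"$svc"; do
            # -L as well as -e: the link target (../init.d/foo) may not exist yet
            [ -e "$link" ] || [ -L "$link" ] || continue
            name=${link##*/}
            case $name in S*) kind=S ;; *) kind=K ;; esac
            printf '%s:%s\n' "$lvl" "$kind"
        done
    done
}

# "yes" if service $1 is started in runlevel $2, otherwise "no".
starts_in() {
    service_runlevels "$1" | grep -qx "$2:S" && echo yes || echo no
}

# Constructed rc tree (not a real system): foo starts in 3 and 5, is killed in 2.
make_sample_tree() {
    tmp=$(mktemp -d)
    for l in 3 5; do
        mkdir -p "$tmp/rc$l.d"
        ln -s ../init.d/foo "$tmp/rc$l.d/S24foo"
    done
    mkdir -p "$tmp/rc2.d"
    ln -s ../init.d/foo "$tmp/rc2.d/K75foo"
    echo "$tmp"
}
```

Run 'RCROOT=$(make_sample_tree) starts_in foo 5' to see the constructed case; without RCROOT it reads the real '/etc/rc.d'.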
To know how to configure 'apache httpd', the first thing you should
think of is the manual pages, but usually this won't help much
since distributions change those files (using compile-time options or patches),
so ask your package manager; see section '3.4. Installing pre-compiled software packages',
for example in RPM based distributions :
But for what to write in those files, the manual pages will be a very useful
place to start. Also, most servers install documentation and configuration
templates in a subdirectory of '/usr/share/docs';
ask your package manager, for example in RPM systems:
Those templates are heavily commented general-purpose configuration files;
all you need is to edit a few lines, and comments like
"in case of FOO uncomment next line" tell you to remove the leading '#'
of the next line.
Just copy and paste those template files to the required location.
If you try everything but nothing works, this could be because of
the firewall: try to turn it off for a while, then try to
bring it back with different rules. The reason could also be
a 'super service' like xinetd (a way to secure weak servers)
or portmap (this is used by all RPC services like NIS and NFS):
make sure that this super service is up; see subsection 5.3.8.
Or it could be because of host-based denial controlled by the 'hosts.allow' and 'hosts.deny' files.
5.3.2. HTTP Web servers.
Apache, the world's best and most omnipresent web server:
if you want to publish a web site without paying for a hosting service,
you may make your machine a web server; you only have to pay
for a normal Internet connection and a domain name (if you want one, or else
you could use the IP address given by your ISP, but it could change),
after you make sure that your ISP allows that.
Most web sites on earth depend on Apache; it works on many platforms,
and it's very fast: an old recycled Pentium I could offer a nice static site
(HTML and image files),
but dynamic sites using CGI (PHP, Perl, Python, etc.) need a better machine.
Most famous sites depend on Apache, like 'www.Amazon.com', 'lycos.co.uk', and
'www.google.com'. Apache only opens one single port,
usually 80 (could be 8080 or 8088), unlike Microsoft IIS which
opens a handful of ports, which makes it easier to break in.
Ziff-Davis has compared Apache and other web servers; see
www5.zdnet.com/products/content/pcmg/1709/305867.html.
After you install the Apache package(s) (which could be named something else, like 'http2')
and you start this service using 'service httpd start'
(on RedHat)
or '/etc/init.d/httpd start' (on all distributions)
and make it start automatically using your distribution's service manager,
for example 'chkconfig --levels 345 httpd2 on' (on RedHat),
you should put your web page files ('html' files) in the directory '/var/http/www/html'.
Now open your web browser and type 'http://127.0.0.1/' or 'http://localhost/'
in the address bar
(sure, you may use your IP address as seen in 'ifconfig' output);
usually distributions put a test page there which tells you in which directory
you should put the web files you want to publish.
If you face some problems and you can't open your page with the browser,
it's maybe the proxy or the file permissions (use 'ls -l' and 'chmod').
You may see the 'apache' documentation using the following URL:
'http://localhost/manual/index.html';
it could be in another package.
The Apache configuration file is '/etc/httpd2.conf';
it also could be '/etc/httpd/conf/httpd2.conf'.
You may configure apache easily using 'webmin': you activate this
service in 'xinetd' as we did with 'CUPS' and 'swat',
then just open your browser and type the address and the 'webmin' port number,
usually 'http://localhost:10000/'.
Tip
We talk about Apache version 2; if you are using version 1 then its file is 'httpd.conf'.
The Apache configuration file specifies on which port it should listen,
using a 'Listen' directive.
You may specify who can access each directory using a 'Directory' tag with
something like:
<Directory /var/www/html>
# Order Deny,Allow means Default is allow
Order Deny,Allow
Allow from all
</Directory>
<Directory /var/www/html/secret>
# Order Allow,Deny means Default is deny
Order Allow,Deny
Allow from 127.0.0.1
Allow from mynet.com
# Allow any 192.168.5.X
Allow from 192.168.5.0/24
# allow any 10.1.X.Y
Allow from 10.1
</Directory>
Another way is to use a '.htaccess' file in each directory;
this file could change what is specified in 'httpd2.conf'
(we call this 'override'). The content of this file is treated as if it
were inside the '<Directory >' tag of the directory
it's in. For example, to deny access to a directory except from the 'localhost',
we could create a '.htaccess' file in it, like this:
# this is .htaccess
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# add "Allow from MY_IP" here
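'Order' is the part of these rules that is most often misread, so here is an added example (not from the original text or the Apache project) that evaluates the Apache 2.2 'Order' / 'Allow from' / 'Deny from' rules of the two '<Directory>' blocks and the '.htaccess' above for a given client address. It handles the address forms the examples use ('all', full addresses, partial addresses such as '10.1', and CIDR such as '192.168.5.0/24'); host name rules such as 'mynet.com' need reverse DNS and are ignored here, which is an assumption of this script.

```shell
#!/bin/sh
# Added example: evaluate Apache 2.2 mod_authz_host rules for one client IP.
# Semantics (from the Apache 2.2 documentation):
#   Order Deny,Allow : Deny rules first, Allow rules override; default allow.
#   Order Allow,Deny : Allow rules first, Deny rules override; default deny.

# Dotted quad -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does client IP $1 match one rule argument $2 (all, a.b.c.d/n, a.b.c.d, a.b)?
ip_matches() {
    ip=$1 rule=$2
    case $rule in
        all) return 0 ;;
        */*)
            net=${rule%/*}; bits=${rule#*/}
            mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
            [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        *)
            # A partial address like '10.1' matches 10.1.x.y (octet boundary);
            # a host name like mynet.com never matches an IP here (assumption).
            case $ip in
                "$rule"|"$rule".*) return 0 ;;
                *) return 1 ;;
            esac ;;
    esac
}

# $1 = "Deny,Allow" or "Allow,Deny", $2 = Allow list, $3 = Deny list, $4 = client IP.
access_decision() {
    order=$1 allow=$2 deny=$3 ip=$4
    a=0; d=0
    for r in $allow; do ip_matches "$ip" "$r" && a=1; done
    for r in $deny;  do ip_matches "$ip" "$r" && d=1; done
    case $order in
        Deny,Allow) [ $a -eq 1 ] || [ $d -eq 0 ] && echo allow || echo deny ;;
        Allow,Deny) [ $a -eq 1 ] && [ $d -eq 0 ] && echo allow || echo deny ;;
        *) echo "unknown Order: $order" >&2; return 2 ;;
    esac
}

# The '/var/www/html/secret' block from the text, tried against a few clients.
demo() {
    for c in 127.0.0.1 192.168.5.7 10.1.2.3 172.16.0.1; do
        printf '%-12s %s\n' "$c" \
            "$(access_decision Allow,Deny "127.0.0.1 mynet.com 192.168.5.0/24 10.1" "" "$c")"
    done
}
case "${1:-}" in demo) demo ;; esac
```

Note that in Apache 2.4 these directives only work through mod_access_compat; the native form is 'Require ip 192.168.5.0/24' and friends, with the same need to test what a client actually gets.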
You may see Apache log files and reports in nice figures and charts
using the 'webalizer' package; after you run 'webalizer', see 'index.html' in
the usage directory, i.e. '/var/www/usage/index.html',
or the URL 'http://localhost/usage'. Another program
called 'analog' does the same task, and it could be enhanced with
another package called Report Magic ('rmagic' for short)
to produce better reports. Other tools analyze log files to produce
reports, like 'lire' (see 'www.logreport.org');
the raw log files could be viewed graphically using your distribution's tools
or through a specialized program like logwatch.
You may have the fastest ever known web server: first let Apache
listen on port number 8080, then install the 'tux' web server
(sometimes it's called RedHat Content Accelerator)
to listen on port number 80. 'tux' is much, much faster than any
known web server (including Apache), but we need Apache to do CGI.
'tux' breaks world records:
the reason is that it's a kernel-space module that uses atomic operations
and some helping user-space programs; they create no temporary files,
no intermediate recalculations, and no waste of memory.
There are many more (less known) web servers like 'thttpd':
tiny, light, fast, and it supports CGI! Remember that Apache
is the most famous heavyweight web server,
but it need not be the best for your needs.
5.3.3. Email servers.
To run an email server you only need to install the server packages
(and run the service);
you don't need to touch the voodoo-like configuration files
(some configurations date back to the 'UUCP' ages).
The oldest, most famous MTA (also called SMTP server) is 'sendmail'. It has a lot of features
like aliasing: for example you could have 'ahmad@mail.mynet.edu'
when Ahmad is a user on another host called 'support.mynet.edu',
and his mail should be forwarded to his host. Since it has many complex
features that date back to the UUCP era (before the existence of the Internet),
it has a very complex configuration file syntax that is not edited directly
but produced from another configuration by the m4 macro processor!
That's why distributions avoid installing it (complexity means insecurity),
but it does exist on most distribution CDs without being installed (except RedHat,
which comes with both sendmail and postfix and provides a tool to switch between them).
'postfix' is the second most used SMTP server (Mandrake's default SMTP server).
There are many substitutes like 'smail', 'courier-mta' and 'qmail';
the last one is a new secure design but it's not common,
and it's less likely to be found as a precompiled package.
All those have very complicated configuration files; thank God
we don't have to edit them. Email servers are a dangerous risk:
if you don't need an email server, don't install it.
Debian Reference recommends using 'exim' and 'postfix'
and avoiding 'sendmail' and 'qmail'.
The favorite MTA in Debian is exim4 (package name 'exim4-daemon-heavy');
it's more easily configured than others (it can also be configured using the Debian specific tool 'exim4-config'),
it supports PostgreSQL, MySQL and LDAP, and has many features like
virus scanners and SpamAssassin.
Remember that all email servers are inherently insecure.
About 'IMAP' and 'POP' remote mail boxes: those can be found in one daemon
named 'imapd' (provided by a package called 'cyrus-imapd' in Fedora)
which supports both IMAP and POP. Debian provides Courier Mail Server
in the 'courier-base' package, which
includes 'IMAP', 'POP3' and even 'ESMTP' daemons.
Courier Mail Server could be administrated and configured
through a web interface if 'courier-webadmin' is installed;
it is capable of changing the
settings of the MTA, IMAP, POP and Webmail servers and the LDAP,
MySQL and PostgreSQL authentication modules. Only the installed
parts of the Courier Mail Server show up in the web administration frontend.
Debian has a package for a POP3 mail server called 'popa3d':
light, fast and secure, it's designed for Openwall (known for security research).
You may create a self-signed certificate for SSL security like:
bash# cd /usr/share/ssl/certs && make imapd.pem
You could write a web page that enables users to read their mailbox
and send emails with a web browser (not an MUA); you could use PHP
(or any CGI) to write the web application from scratch
or use any of the following:
- sqWebMail ('sqwebmail'): a webmail server interface (for Courier Mail Server and others).
- SquirrelMail ('squirrelmail'): a webmail interface written in PHP4,
based on IMAP and SMTP;
pages are rendered in pure HTML 4.0 (with no JavaScript) for maximum
compatibility across browsers. It provides strong MIME support,
address books, and folder manipulation.
- IMP ('imp3'): a webmail system written in PHP and based on IMAP,
with nice support for non-English languages.
- Open WebMail ('openwebmail'): a webmail system written in Perl,
designed to manage very large mail folder files in a memory-efficient way.
- phpGroupWare ('phpgroupware' -email, -calendar, -todo, -addressbook, -notepad, -manual)
is a fully web-based groupware system. It includes applications
such as webmail, calendar, todo list, address book, file manager, and notepad.
- iLoHaMail ('ilohamail'): a lightweight yet full-featured multilingual web-based IMAP/POP3 webmail that is easy to use.
Its many features include activity logging, spam prevention, MySQL support,
GPG support, themes, the 'aspell' spell checker, folders, inline images,
a contacts list (address book), calendar, and message search.
- The Web Information Gateway ('twig', see www.informationgateway.org):
a web groupware system written in PHP.
The main goal was to provide an IMAP client, but it now offers an agenda, news-reader,
bookmarks, contact list and other features.
It supports either MySQL or PostgreSQL.
You could use host-based access control (or the firewall)
to allow only local access to the mail ports, so that users
could access their accounts only through the webmail system;
this is what most free mail providers do.
'fetchmail' is a client to download mail from remote boxes like IMAP and POP;
'procmail' can process, filter, etc. emails; it could be used to create
a mailing list.
Mailing lists become easier with The GNU Mailing List Manager 'mailman';
visit www.list.org.
Ecartis mailing lists ('ecartis') is another server; they both
provide a web-based interface to subscribe or browse the archive.
5.3.4. Gateway and web proxy.
If you want to connect all (or some) hosts in your LAN to the Internet
using one link, the first way is called an 'Internet gateway',
where you make a host connected to the Internet and call it the 'gateway';
its firewall should allow forwarding (see next section), and it should be the default route
of the other hosts. The other method is called a proxy web cache.
The most famous Unix proxy web cache is the 'squid' server.
This server not only allows clients to access the Internet, but also
offers a faster connection: for example, if two clients ask
for the same file it will download it once, and keep it
for the other request. The file 'squid.conf' controls
the port number it uses (by default it's 3128); you also
can specify the maximum disk space, memory, etc. to use.
If you just want to share Internet access through a proxy
and you are not interested in all those features of 'squid',
try other less famous proxy servers like 'tinyproxy',
a lightweight, non-caching, optionally anonymizing HTTP proxy.
If you just want to surf the web anonymously give 'anon-proxy'
a try; it's a local proxy that uses a client for Java Anon Proxy (JAP)
to encrypt requests several times, then they are sent through
a chain of intermediate servers (see 'http://anon.inf.tu-dresden.de').
A SOCKS proxy could work as a web proxy but it uses a protocol different from HTTP;
it works as a proxy for many services (like chatting).
'danted' is a SOCKS proxy daemon found in the 'dante-server' package.
5.3.5. Remote file sharing.
About FISH and scp, see the next subsection for how to set up the 'ssh' server,
and for Samba and Microsoft networks see subsection 5.3.7;
we have already talked about HTTP, so now we have to talk about NFS and FTP.
Sharing a directory like '/misc/export1'
on your local host with other NFS clients is called exporting.
The file that controls that is '/etc/exports';
it also controls whether to share it in read-only mode or read-and-write mode
for each host (no passwords, just who can and who can't),
for example:
/misc/export1 somename.mynet.com(rw) othernet.net(rw) (ro)
Here we specify that 'somename.mynet.com' and 'othernet.net'
can write and others can only read. Notice that there is no space
between the host and its permissions; you may add shares using KDE.
Tip
Distributions offer tools like 'system-config-nfs' in Fedora,
but all it does is edit '/etc/exports'.
You should run the NFS-related daemons like nfsd, mountd and portmap
and allow them in the firewall
(port numbers 2049, 635 and 111 respectively; run 'rpcinfo -p' to get those numbers),
and you should allow them in '/etc/hosts.allow';
see subsection 5.3.9.
Tip
There is a small NFS server; it's a very fast little kernel module,
called 'nfs-kernel-server' on Debian.
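The "no space between the host and its permissions" rule above is worth checking mechanically, because a detached option group such as ' (ro)' applies to every client, exactly like '*'. The following added example (not from the original text or from nfs-utils) reads an exports file and reports such world-reachable entries, as well as entries that carry 'no_root_squash' (which lets root on the client act as root on the exported tree). The sample file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: lint /etc/exports for entries that hand out more than intended.
# Reports WORLD for a client field that is empty (space before the options) or
# '*', and ROOT for an option group containing no_root_squash. Succeeds only
# when nothing was reported. Run in a subshell so 'set -f' (no globbing of
# '*') and the variables stay local.
exports_lint() (
    set -f
    file=$1
    problems=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # strip comments
        set -- $line                     # $1 = path, rest = client(options) entries
        [ $# -gt 0 ] || continue
        path=$1; shift
        for entry in "$@"; do
            client=${entry%%\(*}         # text before the first '('
            opts=${entry#"$client"}      # the '(...)' part, if any
            case $client in
                ''|'*') printf 'WORLD  %s  %s\n' "$path" "$entry"; problems=$((problems + 1)) ;;
            esac
            case $opts in
                *no_root_squash*) printf 'ROOT   %s  %s\n' "$path" "$entry"; problems=$((problems + 1)) ;;
            esac
        done
    done < "$file"
    [ "$problems" -eq 0 ]
)

# Constructed sample, not a real /etc/exports: the line from the text plus two more.
sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample
/misc/export1 somename.mynet.com(rw) othernet.net(rw) (ro)
/home *(rw,no_root_squash)
/pub 192.168.1.0/24(ro,root_squash)
EOF
    echo "$f"
}
```

After editing the real file, 'exportfs -v' prints the list as the kernel applies it, which is the authoritative view.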
There are many FTP servers; the best is maybe 'vsftpd', which means
Very Secure FTP Daemon, but the most famous one in Unix is 'wu-ftpd'
(the real name is 'in.ftpd' and it's run via 'xinetd').
Debian comes with a package for 'proftpd' (before others),
which supports many features like virtual hosting and an Apache-like configuration
file (besides a '.ftpaccess' file in a way like '.htaccess' in Apache).
FTP is an unencrypted protocol, so you may like to have anonymous-only access;
in this case 'Apache' and 'tux' could offer this.
There are two types of FTP: 'active FTP' and 'passive FTP',
according to which side decides the ftp-data port number (the server or the client).
In active FTP, the client's ftp-data port number is assigned to a random high port
while the server's ftp-data port number is always 20;
the opposite happens in passive FTP: the server's ftp-data port number
is assigned at run time and told to the client through the ftp-control session,
see the diagram below:
{active FTP}
client:X --->[I'm on port X give me that file]---> server:21 (ftp-control)
client:X <-->[connection est]<--> server:20 (ftp-data)
{passive FTP}
client:X --->[give me that file in passive way]---> server:21 (ftp-control)
client:X <---[call me on port Y]---< server:21 (ftp-control)
client:X <-->[connection est]<--> server:Y (ftp-passive-data)
In other words, securing an active FTP server is easy since the ftp-data
port number is known to be 20, while in a passive FTP server the ftp-data
port numbers are assigned at run time to some unknown high ports;
in both cases the ftp-control port is 21 on the server.
Tip
Securing a passive FTP server was almost impossible (because port numbers are not given),
but it's now easy using 'iptables' (Netfilter) on the 2.4 Linux kernel (or later),
since port numbers could be known by tracing the ftp-control dialog:
the newly opened ftp-data ports are marked 'RELATED' to the ftp-control connection
whose port is known (21); see next section.
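The messages "I'm on port X" and "call me on port Y" in the diagram are real FTP protocol lines, and decoding them is exactly what the firewall's FTP connection-tracking helper does before it can mark a data connection RELATED. The following added example (not from the original text, nor from any FTP or Netfilter code) decodes both: the client's 'PORT h1,h2,h3,h4,p1,p2' command (active mode) and the server's '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply (passive mode), where the port is p1*256+p2 as defined in RFC 959. It also shows the sanity check a careful helper applies: the address in the message must be the same host as the control connection's peer. The messages are constructed samples.

```shell
#!/bin/sh
# Added example: decode the ftp-data endpoint carried in the ftp-control dialog.

# Print "host:port" from a PORT command or a 227 reply; fail on anything else.
ftp_data_endpoint() {
    msg=$1
    case $msg in
        PORT\ *|227\ *) ;;
        *) echo "not a PORT command or 227 reply" >&2; return 1 ;;
    esac
    # keep only the six comma separated numbers (after a space or a '(')
    nums=$(echo "$msg" | sed -n 's/.*[( ]\([0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*,[0-9]*\).*/\1/p')
    [ -n "$nums" ] || { echo "malformed host/port tuple" >&2; return 1; }
    oldifs=$IFS; IFS=,
    set -- $nums
    IFS=$oldifs
    for n in "$@"; do
        # each field is one byte; anything larger is a malformed (or hostile) message
        [ "$n" -le 255 ] 2>/dev/null || { echo "byte out of range: $n" >&2; return 1; }
    done
    echo "$1.$2.$3.$4:$(( $5 * 256 + $6 ))"
}

# "yes" if the endpoint in message $1 is on the control-connection peer $2,
# which is the condition a strict firewall helper requires before tracking it.
same_peer() {
    ep=$(ftp_data_endpoint "$1") || return 1
    [ "${ep%:*}" = "$2" ] && echo yes || echo no
}

demo() {
    # constructed sample lines, one per direction of the diagram
    ftp_data_endpoint 'PORT 192,168,1,20,195,80'                       # active:  client's X
    ftp_data_endpoint '227 Entering Passive Mode (10,0,0,5,4,1).'      # passive: server's Y
}
case "${1:-}" in demo) demo ;; esac
```

With iptables this decoding is done by the ip_conntrack_ftp (later nf_conntrack_ftp) module; the rule that accepts '--state RELATED' is what lets the data connection through without opening the whole high port range.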
A replacement for FTP is to use the secure FTP client 'sftp'
(which is part of OpenSSH), but it needs an SSH server.
You should note that the Very Secure FTP 'vsftp' server
is your first-choice FTP server; it does not contain any buffer overflow bugs, etc.,
and it's faster, but this does not change the fact that it sends passwords unencrypted.
To run an FTP server you should make sure to check the PAM settings
and the 'ftpusers' file, which is a list of users allowed/denied
from accessing FTP.
5.3.6. Secure remote shell (ssh) server and virtual private networks (VPN).
To have a secure remote shell server, you just have to run 'sshd', and this is usually
done by the distribution. This daemon listens on port number 22; make
sure your firewall allows this port, which is also usually done by
the distribution.
To make a more secure connection between two hosts using 'ssh', it offers you
a method that sends no passwords (even encrypted),
which protects you from many risks: it uses a special authentication method
based on key pairs (two keys for each user). One is private (secret),
which only its owner has (the file mode should be '0600'),
and the other is public; you distribute copies of it on each host.
Key-based authentication is done without asking you for a password,
but by checking possession of the private key (the private key file is
the identification of its owner):
when you access a remote shell server that has your public key,
it will encrypt some random data using the public key and ask you
to decrypt it using your private key as a proof of your ID.
If someone was spying on the connection he will catch encrypted random
data and a reply with decrypted random data; no password or keys were sent.
There are two types of keys, 'rsa' and 'dsa'; you may use any one you
like. In our examples we used 'rsa'; if you want the other one,
replace each with 'dsa'. To create 'rsa' key pairs run the following as the
user you like:
You will be asked to enter a 'pass-phrase', which is a password but longer,
for double protection (you may leave it empty; then your ID will be proved
using the key only). This will generate the private file '~/.ssh/id_rsa'
and the public '~/.ssh/id_rsa.pub';
the last one should be added to the end of '~/.ssh/authorized_keys'
on the remote machine (not the one you created them on).
The next command collects the host keys of a remote host and sends them to standard output,
where HOST is the address/name of the host whose keys you want.
These keys identify the host itself (not its users), so they belong
in '~/.ssh/known_hosts', where 'ssh' checks them on every later connection
instead of asking you to confirm the fingerprint on the first login; type at your host:
bash$ ssh-keyscan HOST >> ~/.ssh/known_hosts
(Never add host keys to 'authorized_keys': that file is for user public keys only,
and anything listed there can log in to your account.)
To do the opposite, i.e. to send your public key to the other host
so that your next login will be through your private key and passphrase:
bash$ cat ~/.ssh/id_rsa.pub | ssh USER@HOST "cat - >>~/.ssh/authorized_keys"
where USER is the login name for that user on the remote SSH server named HOST.
If it succeeded (you answered the password correctly) then a password is no longer
needed for logging in to the USER account on HOST; your private key is used.
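Key-based login silently falls back to password prompts when the files it depends on have the wrong modes, so an audit of those modes is the first thing to run when "it still asks for a password". The following added example (not from the original text or from OpenSSH) checks the directory and files named above: the 'ssh' client refuses a private key that others can read, and 'sshd' (with its default StrictModes) refuses an 'authorized_keys' file that group or others can write. The sample directory is constructed with wrong modes on purpose; SSH_DIR is this script's own variable for pointing it somewhere other than '~/.ssh'.

```shell
#!/bin/sh
# Added example: audit ~/.ssh (or $SSH_DIR) for the modes key-based login needs:
# directory 0700, private key 0600, authorized_keys 0600 (0644 also accepted),
# and every authorized_keys entry starting with a known key type.
# Lines with option prefixes such as from="..." are not parsed (assumption).

mode_of() {                       # octal mode, GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one line per problem; succeed only if the directory passes.
ssh_audit() (
    set -f
    dir=${SSH_DIR:-$HOME/.ssh}
    bad=0
    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    [ "$(mode_of "$dir")" = 700 ] || { echo "dir mode $(mode_of "$dir") != 700: $dir"; bad=1; }
    for key in "$dir"/id_rsa "$dir"/id_dsa; do
        [ -f "$key" ] || continue
        [ "$(mode_of "$key")" = 600 ] || { echo "private key too open ($(mode_of "$key")): $key"; bad=1; }
    done
    ak=$dir/authorized_keys
    if [ -f "$ak" ]; then
        case $(mode_of "$ak") in
            600|644) ;;
            *) echo "authorized_keys mode $(mode_of "$ak") not 600/644: $ak"; bad=1 ;;
        esac
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case $line in ''|\#*) continue ;; esac
            set -- $line
            case $1 in
                ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
                *) echo "authorized_keys line $n: unexpected key type '$1'"; bad=1 ;;
            esac
        done < "$ak"
    fi
    [ "$bad" -eq 0 ]
)

# Apply the modes the text asks for.
fix_ssh_dir() {
    chmod 700 "$1" && chmod 600 "$1"/id_rsa "$1"/authorized_keys
}

# Constructed sample directory with deliberately wrong modes (not real keys).
make_sample_ssh_dir() {
    d=$(mktemp -d)
    mkdir "$d/ssh" && chmod 755 "$d/ssh"
    printf 'constructed placeholder, not a real key\n' > "$d/ssh/id_rsa"
    chmod 644 "$d/ssh/id_rsa"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAA_constructed_blob ali@example\n' > "$d/ssh/authorized_keys"
    chmod 600 "$d/ssh/authorized_keys"
    echo "$d/ssh"
}
```

'ssh -v USER@HOST' shows which key files the client tried and why it fell back to a password; together with this audit that usually pins down the cause.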
'ssh' can create a secure tunnel (an 'stunnel'), which means encapsulating
an insecure connection inside a secure SSH connection.
Simply say that you want to check your POP3 mail (port 110 on the server):
use your 'ssh' client to ask the 'sshd' on the mail server
to create the tunnel for 1000 seconds using something like
'ssh -C -f -L 1100:mail.somewhere.com:110 mail.somewhere.com sleep 1000'
(option 'C' to compress, 'f' to fork into the background).
If you don't like to specify a time, use something like
'ssh -C -L 1100:mail.somewhere.com:110 mail.somewhere.com'
and when you finish type 'exit' to close the tunnel.
Open your email user agent like 'kmail' and tell it to use port number 1100
on your local host, because the tunnel is created between port 1100 on your host
and 110 on the mail server host.
There is a separate program called 'stunnel' which does the same thing:
first you create SSL certificates, then you specify which local port (with the 'd' option)
is to be tunneled to which remote port (with 'r'), like this example:
bash# cd /usr/share/ssl/certs && make stunnel.pem
bash# stunnel -d 993 -r imapd
Here it searches for 'imapd' in '/etc/services' and learns its number
(not only in this tool: you may specify a port as a name, not as a number).
Virtual Private Network (VPN) means that you connect two distant networks (or a network and a host)
using an Internet link (a LAN in Tokyo and another in Paris);
although each uses LAN-reserved (private) addresses,
they will be visible to each other but not to the rest of the Internet.
There are many methods to create VPNs; one involves
'ssh' and 'ppp' to create a compressed and secure VPN.
The idea is simple: 'pppd' connects to the Internet
and converts packets to a stream, and 'ssh' sends this
stream to the Internet (public) address of the other node,
where 'sshd' there runs 'ppp' to split it back into packets,
as in this diagram; see the VPN ppp-ssh HOWTO.
ppp ssh internet ppp
(packet) --> (stream) --> (encrypted) ->-///->- sshd (stream) --> (packet)
There are many other types of VPNs, usually implemented in kernel space as well as
user-space tools.
Because creating the VPN tunnel is a very complex task which involves
editing boot scripts, which may confuse your distribution-specific tools,
you had better use your distribution-specific solutions.
Red Hat provides Crypto IP Encapsulation (CIPE) in their network configuration tool
'redhat-config-network', by adding it as a usual NIC.
Meanwhile Debian provides the following packages:
- 'cipe-source' - CIPE VPN over UDP
compile a new kernel, run 'make-kpkg --revision number modules_image'
and you will get a cipe package for your kernel.
- 'openvpn' - VPN over a single UDP port, TLS-based session authentication and SSL key exchange
- 'freeswan' - IPSEC (Internet Protocol SECurity) FreeS/WAN VPN (needs some kernel patch; Debian is ready)
- 'openswan' - IPSEC SWAN VPN
- 'webmin-freeswan' - a plugin for the webmin to configure FreeSWan IPSEC VPN.
- 'pptpd' (PoPToP daemon) - Point to Point Tunneling Server compatible with Microsoft VPN clients
the needed kernel patch is 'kernel-patch-mppe'
- 'vpnc' - Cisco-compatible VPN client
- 'tinc' - a VPN daemon to create an entire (moderately sized) VPN with only one daemon per
participating computer (SSL for security).
- 'ike-scan' - Discover and fingerprint IKE hosts (IPsec VPN Servers)
5.3.7. Samba and Microsoft networks.
The Samba service name differs from one distribution to another; it could be
smb, samba or smbd. Make sure that the service is running: '/etc/init.d/smb start'.
You should create some Samba users using 'smbpasswd'; use the 'a' option
to add a new user, and without it you change the password.
At least you should create a root user
(its password should be different from your real root password):
bash# smbpasswd -a root
password: ********
re-enter password: ********
bash# smbpasswd -a ali
password: ********
re-enter password: ********
You should make sure that Samba and your Windows speak the same language!
Open '/etc/samba/smb.conf' and in the '[global]' section
make sure you are using encrypted passwords (as Windows expects),
and if you want you may specify where to save Samba accounts.
Also you should specify the compatibility level by changing the value
of 'os level': the larger the better; 1 means Windows 98, 17 means up to Windows NT Workstation 4.0,
33 reaches Windows NT Server 4.0, and 255 means all the power of Samba.
A segment of the file could look like:
[global]
# ...
encrypt passwords=yes
smb passwd file=/etc/smbpasswd
os level = 34
# ...
A more detailed portion of the file (here more and more options are used to make
Samba a 'Domain controller', i.e. a user accounts server, and to keep it updated with
the Unix user database):
[global]
workgroup=MYGROUPNAME
netbios name = LINUXBOX
server string = Linux BOX
encrypt passwords = Yes
map to guest = Bad Password
passwd program = /usr/bin/passwd
unix password sync = Yes
max log size = 50
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
domain logons = Yes
os level = 64
lm announce = True
preferred master = True
domain master = True
dns proxy = No
To share a directory like '/home/ali/share'
add to end of that file something like:
# ...
[anyname]
comment = Shared stuff
path=/home/ali/share
public=yes
writeable=yes
printable=no
# writelist= @mygroup
Where '[anyname]' is any name you want to call this share;
the 'printable' option should be 'no' for directories.
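The share above is both 'public = yes' and 'writeable = yes', which means anyone who can reach the Samba port can write into '/home/ali/share' without a password. That combination is worth listing across the whole file, so here is an added example (not from the original text or the Samba project): a small parser for the smb.conf format that prints every share which is guest-accessible ('public' or 'guest ok') and writable ('writeable'/'writable' = yes, or 'read only' = no). The sample file is constructed from the fragments in the text plus two harmless shares.

```shell
#!/bin/sh
# Added example: list shares in an smb.conf that are writable without a password.
# Assumes the ini-like layout shown in the text: [section] headers, "key = value"
# lines, '#' or ';' comments. Samba's own 'testparm' checks the syntax; this only
# looks at the one risk described above. Prints one share name per line.
smb_risky_shares() {
    awk '
        function flush() {
            if (sect != "" && sect != "global" && guest && writable) print sect
            guest = 0; writable = 0
        }
        { sub(/[;#].*/, "") }                        # strip comments
        /^[ \t]*\[/ {                                 # section header
            flush()
            sect = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sect)
            sect = tolower(sect)
            next
        }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            k = tolower(k); gsub(/[ \t]+/, " ", k); v = tolower(v)
            if (k == "public" || k == "guest ok") guest = (v == "yes" || v == "true")
            if (k == "writeable" || k == "writable") writable = (v == "yes" || v == "true")
            if (k == "read only") writable = (v == "no" || v == "false")
        }
        END { flush() }
    ' "$1"
}

# Constructed sample, not a real smb.conf: the share from the text plus two others.
sample_smb_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample
[global]
   workgroup = MYGROUPNAME
   encrypt passwords = Yes
[anyname]
   comment = Shared stuff
   path=/home/ali/share
   public=yes
   writeable=yes
   printable=no
   # writelist= @mygroup
[docs]
   path = /srv/docs
   guest ok = yes
   read only = yes
[team]
   path = /srv/team
   guest ok = no
   writable = yes
   valid users = @mygroup
EOF
    echo "$f"
}
```

If a share must stay writable, the usual fix is 'public = no' together with 'valid users = @mygroup' (as in the '[team]' sample), so only accounts created with 'smbpasswd' can write to it.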
You may administer Samba using the 'swat' web tool; first
you should enable this service behind a super service.
In old distributions that use 'inetd' you add
this line to the '/etc/services' file (you need to be root)
and this to '/etc/inetd.conf':
swat stream tcp nowait.400 root /usr/sbin/swat swat
where '/usr/sbin/swat' is the full filename of
the 'swat' program; it could be '/usr/local/samba/bin/swat'.
Then restart the 'inetd' daemon by typing '/etc/init.d/inetd restart'.
In recent distributions that use the 'xinetd' super service,
edit/create the file '/etc/xinetd.d/swat' and enable it with 'disable = no';
it should look like:
#/etc/xinetd.d/swat
service swat
{
port = 901
socket_type = stream
wait = no
only_from = 127.0.0.1
user = root
server = /usr/sbin/swat
log_on_failure += USERID
disable = no
}
then restart 'xinetd' by typing '/etc/init.d/xinetd restart'.
Open any web browser and type the URL 'http://localhost:901/';
this will open the 'swat' manager (we assume it's working on the default port number 901).
This page could be used to configure anything related to Samba.
To add a Windows 2000 client to a Samba domain do the following:
- Right click 'My Computer'
- Select 'Properties'
- Click on 'Network Identification notebook' tab
- Click 'Properties'
- Next to 'Computer Name' type 'WIN2KBOX'
- Next to 'Domain:' type the domain name you gave Samba, then click 'OK'
- You will be asked for the user name and password of Samba
- click 'OK' and restart your computer.
5.3.8. 'xinetd' Super service.
This super service (so called because it's used by other
services/daemons) is a replacement for inetd (the Internet daemon).
You should run dangerous, risky servers behind it: not only
could it allow only specific hosts to access those services,
it also could control the number of requests. We have used it with
web-based administration tools like 'cups-lpd' for printers, 'webmin'
for Apache and 'swat' for Samba. You need xinetd when
you need a service to be allowed only for the local host
127.0.0.1 (or the LAN), while for other hosts
this service port will be closed, so no one could use it to try buffer overflow
attacks. This is especially useful for ports less than 1024, which only root can open:
the super service opens this port (as root) but the sub-service runs
as a regular user. That's why we say the 'xinetd' super service is designed with
security in mind; it also controls service load and creates log files.
That is why FTP ('in.ftpd' to be more specific) is run as a sub-service
of xinetd.
The old 'inetd' is configured using two files; one is '/etc/services',
which specifies the port number and service name, as in 'swat 901/tcp' for example.
The other file is '/etc/inetd.conf',
which specifies the server and some options in the form:
swat stream tcp nowait.400 root /usr/sbin/swat swat
The new 'xinetd' is configured using a file for each service, put in the directory
'/etc/xinetd.d', like '/etc/xinetd.d/swat',
to make package management easier.
The format of this file is like this example:
# this is a comment
service foo
{
# disable = yes mean it's OFF
disable = no
# you may put the port here
port = 901
# hosts or nets that this server is visible like 172.19.0.0/16
# everywhere is 0.0.0.0/0
only_from = 127.0.0.1
# the user to run it and the path to it
user = root
server = /usr/sbin/foo
server_args = -f
# what to log += mean add to default
log_on_failure += USERID
# at most 30 new connections per second; above that the service is
# disabled for 10 seconds ('cps' takes both numbers)
cps = 30 10
socket_type = stream
wait = no
}
After 'service' we put the name of the service, 'foo', then braces '{}',
and between them we enable it with 'disable = no';
we specify which hosts to allow using 'only_from';
we can add options for log files; 'xinetd' can also restrict access to certain times and much more,
see its manual pages.
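The two attributes that decide exposure are 'disable' and 'only_from': an enabled service with no 'only_from' line is reachable from every host, which is the opposite of what this section uses xinetd for. The following added example (not from the original text or from xinetd) reads every file in an xinetd.d style directory and prints, for each enabled service, its port, the user it runs as, and its 'only_from' value ('ANY' when the attribute is missing). XINETD_D is this script's own variable for pointing it at a directory other than '/etc/xinetd.d'; the sample directory is constructed. Defaults inherited from 'xinetd.conf' and 'includedir' nesting are not followed, so a value reported here is only what that one file sets.

```shell
#!/bin/sh
# Added example: summarise enabled xinetd services and who may reach them.
xinetd_summary() {
    dir=${XINETD_D:-/etc/xinetd.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk '
            function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
            { sub(/#.*/, "") }                                   # strip comments
            /^[ \t]*service[ \t]+/ { svc = $2; dis = "no"; from = "ANY"; usr = "?"; port = "-" }
            /^[ \t]*disable[ \t]*=/   { dis = tolower(val($0)) }
            /^[ \t]*only_from[ \t]*[+]?=/ { from = val($0) }
            /^[ \t]*user[ \t]*=/      { usr = val($0) }
            /^[ \t]*port[ \t]*=/      { port = val($0) }
            /^[ \t]*}/ {
                if (svc != "" && dis != "yes")
                    printf "%s port=%s user=%s only_from=%s\n", svc, port, usr, from
                svc = ""
            }
        ' "$f"
    done
}

# Names of enabled services that any host may reach.
xinetd_exposed() {
    xinetd_summary | grep ' only_from=ANY$' | cut -d' ' -f1
}

# Constructed sample directory: the swat file from the text, an ftp service with
# no only_from, and a disabled finger service.
sample_xinetd_dir() {
    d=$(mktemp -d)
    cat > "$d/swat" <<'EOF'
# constructed sample
service swat
{
    port = 901
    socket_type = stream
    wait = no
    only_from = 127.0.0.1
    user = root
    server = /usr/sbin/swat
    log_on_failure += USERID
    disable = no
}
EOF
    cat > "$d/ftp" <<'EOF'
service ftp
{
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/in.ftpd
    disable = no
}
EOF
    cat > "$d/finger" <<'EOF'
service finger
{
    socket_type = stream
    wait = no
    user = nobody
    server = /usr/sbin/in.fingerd
    disable = yes
}
EOF
    echo "$d"
}
```

'XINETD_D=$(sample_xinetd_dir) xinetd_exposed' prints 'ftp' for the constructed set; on a real system, run it without XINETD_D and compare the list with 'netstat -ltnp' to confirm which of those ports are actually bound.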
5.3.9. Host based denial of services.
As in 'xinetd' and any server linked with libwrap, the so-called TCP wrapper,
we allow or deny a service not based on a password but based on the
host asking for this service
(if you have an old server that does not support TCP wrappers,
you don't need to rewrite it; just run it behind 'xinetd').
All those services are controlled with two files,
'hosts.allow' and 'hosts.deny',
which allow or deny that service for some hosts;
they use the following syntax:
daemons... : hosts... : [ spawn shell_command ]
where 'daemons' is the name of the service you want to allow/deny and
'hosts' is the hosts you want to allow/deny.
As the paranoid administrator you should be, you should deny
everything with some exceptions; the file 'hosts.deny'
should look like this:
A less secure configuration is to deny everything except your LAN:
ALL : ALL EXCEPT 10.0.0.0/8
You may use the 'hosts.allow' file to allow all services
except 'in.ftpd' (the name of the 'wu-ftpd' server) from all hosts
of the form '192.168.0.X':
ALL EXCEPT in.ftpd : 192.168.0.
We may use more than one line, and you may specify more than one
daemon and host in one line (with spaces in between);
you may use ALL, LOCAL, KNOWN, UNKNOWN or PARANOID
as a host or daemon, you may use the '*' and '?' wildcards,
and you may use EXCEPT to make exceptions. An incomplete host address
that ends with '.' means any suffix,
and one that starts with '.' means any prefix; for more information
see the hosts_access(5) manual page: type 'man 5 hosts_access'.
Tip
Changes in 'hosts.allow' or 'hosts.deny' take effect when you save the file; there is no
need to restart any service, including 'xinetd'.
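Because the files take effect the moment they are saved, it pays to know what a given client will get before saving. The following added example (not from the original text or from the TCP wrappers library) is a deliberately small evaluator of the rules described above: daemon lists, ALL, EXCEPT, exact addresses or names, the 'net.' prefix and '.domain' suffix forms, net/mask pairs such as '10.0.0.0/255.0.0.0' (the IPv4 form hosts_access(5) defines) and the '10.0.0.0/8' form used in the text (check your own manual page to confirm your libwrap accepts it). It applies the library's order: a matching 'hosts.allow' line grants, then a matching 'hosts.deny' line refuses, otherwise access is granted. LOCAL, KNOWN, UNKNOWN and PARANOID need DNS lookups and are not handled; nested EXCEPT is handled one level deep. The sample files are constructed from the lines in this section.

```shell
#!/bin/sh
# Added example: evaluate hosts.allow / hosts.deny for one daemon and client.

# Dotted quad -> 32-bit integer (for net/mask comparison).
ip2int() { oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs; echo $(( ($1<<24)|($2<<16)|($3<<8)|$4 )); }

# Does client $1 (address or host name) match one pattern $2?
client_matches() {
    c=$1 p=$2
    case $p in
        ALL) return 0 ;;
        */*)                                        # net/mask or net/bits
            net=${p%/*} m=${p#*/}
            case $m in
                *.*) mask=$(ip2int "$m") ;;
                *)   mask=$(( (0xFFFFFFFF << (32 - m)) & 0xFFFFFFFF )) ;;
            esac
            case $c in *[!0-9.]*) return 1 ;; esac  # only addresses match nets
            [ $(( $(ip2int "$c") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        .*) case $c in *"$p") return 0 ;; *) return 1 ;; esac ;;   # .domain suffix
        *.) case $c in "$p"*) return 0 ;; *) return 1 ;; esac ;;   # net. prefix
        *)  [ "$c" = "$p" ] ;;
    esac
}

daemon_matches() { [ "$2" = ALL ] || [ "$1" = "$2" ]; }

# $1 = matcher function, $2 = item, $3.. = list words; "a b EXCEPT c" means (a or b) and not c.
list_matches() {
    fn=$1 item=$2; shift 2
    inc=""; exc=""; side=inc
    for w in "$@"; do
        [ "$w" = EXCEPT ] && { side=exc; continue; }
        if [ $side = inc ]; then inc="$inc $w"; else exc="$exc $w"; fi
    done
    hit=0
    for w in $inc; do "$fn" "$item" "$w" && { hit=1; break; }; done
    [ $hit -eq 1 ] || return 1
    for w in $exc; do "$fn" "$item" "$w" && return 1; done
    return 0
}

# Does any line "daemons : clients [: option]" in file $1 match daemon $2 and client $3?
file_matches() (
    set -f
    file=$1 daemon=$2 client=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in *:*) ;; *) continue ;; esac
        dlist=$(echo "${line%%:*}" | tr ',' ' ')
        rest=${line#*:}
        clist=$(echo "${rest%%:*}" | tr ',' ' ')
        list_matches daemon_matches "$daemon" $dlist &&
        list_matches client_matches "$client" $clist && return 0
    done < "$file"
    return 1
)

# Decision for daemon $1 and client $2 given hosts.allow $3 and hosts.deny $4.
hosts_access() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow; fi
}

# Constructed sample files built from the lines in this section.
sample_hosts_allow() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' 'ALL EXCEPT in.ftpd : 192.168.0.' 'sshd : .mynet.com, 127.0.0.1' > "$f"
    echo "$f"
}
sample_hosts_deny() {
    f=$(mktemp); printf '%s\n' 'ALL : ALL EXCEPT 10.0.0.0/8' > "$f"; echo "$f"
}
```

The real library ships 'tcpdmatch' (e.g. 'tcpdmatch in.ftpd 192.168.0.5') which evaluates the installed files with full DNS handling; this script is only for reasoning about a rule set offline.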
5.3.10. User accounts server.
In places where each user should be able to use any machine,
using his own login name and password on each, like in universities,
we can accomplish that by copying the 'passwd' and 'shadow' files manually to each
host, so that we have the exact same accounts on each machine, but problems
could happen when a user changes his password: it should be updated
on all hosts. We could use 'rsync' but this is not efficient.
So we keep the users database on a server (a user accounts server);
in Windows terminology we call it a 'Domain controller' and in Unix
we call it an Information/Directory server.
There are many protocols for this mission.
Tip
After you install Fedora and boot for the first time, it will ask you
whether you want this machine to be a client of some user account servers,
and which protocol each uses.
The least secure is the Network Information Service (NIS),
which should be behind the firewall and a paranoid 'hosts.allow' configuration
to make sure that this sensitive information does not go out of your LAN.
Use NIS only when you are forced to
(for example you have an old UNIX that does not support anything else),
because it uses no encryption and gives the password (hash)
to anyone who asks for it.
Another way is 'Kerberos', which does some encryption, but it does not
support PAM completely; this means we have to rewrite some programs
to use 'Kerberos'. Samba is another good one that
enables Linux (and Unix) to be a client or a server (Domain controller),
as we discussed before; you may need to edit your PAM configurations.
The best known one is LDAP (OpenLDAP to be specific); it's compatible with
PAM. You have to create/edit PAM configuration files for each program
(or just the system-wide authentication PAM file, if any).
LDAP has many graphical configuration tools for clients and servers:
in KDE we have 'kldap' and 'kdiradm', and for GNOME 'gq', 'directory-administrator' and 'diradmin'.
For command line lovers, we have the 'ldaptor-utils' package (name from Debian)
which provides tools just like the usual Unix tools prefixed with 'ldaptor-',
for example 'ldaptor-passwd'.
Another set of command line tools is called 'migrationtools',
which provides migration tools from existing information services
(Unix files, NIS, NetInfo, etc.) to LDAP.
LDAP means Lightweight Directory Access Protocol, where 'directory'
means a database that is read frequently but only rarely gets new records,
and like a phone directory it has specific fixed, unrelated fields;
it can be used for other purposes too.
LDAP supports clusters, which means having multiple synchronized servers,
so if any one goes down the network is not affected.
The LDAP daemon is called 'slapd' and it is configured with 'slapd.conf'.
In some distributions (like RedHat) it is enough to run 'authconfig'
on each client and then select and configure which method you use
(NIS, LDAP, ...etc). To do that manually, edit '/etc/nsswitch.conf'
to be like this (this example is for LDAP; the commented lines are for NIS):
#/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
# for nis uncomment these
#hosts: files nis dns
#passwd: files nis
#shadow: files nis
#group: files nis
Then you set which LDAP server to use by editing '/etc/ldap.conf' or '/etc/openldap/ldap.conf'.
Then you edit the PAM files; for example, on clients of a Samba domain controller,
the system-wide authentication PAM configuration should contain:
auth sufficient pam_smbpass.so nullok use_authtok try_first_pass
Put this line after the 'auth' line of 'pam_unix.so', and make that line 'sufficient', not 'required'.
With LDAP, the PAM authentication configuration should contain:
auth sufficient pam_ldap.so try_first_pass
You set the PAM 'account' and 'password' lines the same way, but in 'account'
we don't use 'try_first_pass', and 'password' takes 'use_first_pass' instead.
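Why the control flag on the 'pam_unix.so' line matters can be seen by walking an 'auth' stack by hand. The script below is an added teaching model written for this page, not Linux-PAM's dispatch code: it applies the pam.d(5) rules for 'required', 'requisite' and 'sufficient' (the '[value=action]' syntax is not handled) to two constructed stacks, one that leaves 'pam_unix.so' as 'required' and one that makes it 'sufficient' and closes the stack with 'pam_deny.so'. Module results are supplied as booleans, standing in for whether the password checked against the local files or against the directory.

```python
"""Added example (teaching model, not Linux-PAM code): how 'auth' control flags
combine, and why pam_unix.so must become 'sufficient' once pam_ldap.so or
pam_smbpass.so is placed after it."""

# Constructed stacks.  WEAK leaves pam_unix.so 'required'; FIXED makes it 'sufficient'
# and ends with pam_deny.so so that nothing falls through when every module fails.
WEAK_STACK = """\
auth required   pam_unix.so nullok
auth sufficient pam_ldap.so try_first_pass
"""
FIXED_STACK = """\
auth sufficient pam_unix.so nullok
auth sufficient pam_ldap.so use_first_pass
auth required   pam_deny.so
"""


def parse_stack(text, service_type="auth"):
    """[(control, module), ...] for the lines of one service type."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == service_type:
            stack.append((fields[1], fields[2]))
    return stack


def run_stack(stack, outcomes):
    """Walk the stack with pam.d(5) semantics; outcomes maps module -> True/False.

    requisite failure: return failure at once.  required failure: remember it but
    keep going (so the caller cannot tell which module refused).  sufficient
    success: return success unless a required module already failed.  sufficient
    failure: ignored.  End of stack: success only if something succeeded and no
    required module failed.
    """
    required_failed = any_success = False
    for control, module in stack:
        ok = outcomes.get(module, False)          # an unknown module counts as failure
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            required_failed = True
            continue
        if control == "sufficient" and ok and not required_failed:
            return True
        any_success = any_success or ok
    return any_success and not required_failed


def login(stack_text, local_ok, ldap_ok):
    """Result for a user whose password verifies locally (local_ok) and/or in LDAP (ldap_ok)."""
    outcomes = {"pam_unix.so": local_ok, "pam_ldap.so": ldap_ok, "pam_deny.so": False}
    return run_stack(parse_stack(stack_text), outcomes)


if __name__ == "__main__":
    for who, local_ok, ldap_ok in [("local user", True, False),
                                    ("LDAP-only user", False, True),
                                    ("wrong password", False, False)]:
        print(f"{who:15} weak={login(WEAK_STACK, local_ok, ldap_ok)} "
              f"fixed={login(FIXED_STACK, local_ok, ldap_ok)}")
```

With the weak stack a user who exists only in LDAP is refused: 'pam_unix.so' fails as 'required', and that failure is remembered even though 'pam_ldap.so' succeeds afterwards. With the fixed stack the same user logs in, a local user still logs in through the first line, and a wrong password is stopped by 'pam_deny.so'.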
To have a NIS client, tell it which server to use in '/etc/yp.conf'
and add '+:::::::' at the end of '/etc/passwd'.
5.3.11. 'DHCP' and 'DNS' server.
The oldest way to assign IP addresses to clients dynamically is RARP
and its ARP tables. To do that you run the 'rarpd' daemon,
which reads the file '/etc/ethers';
this file contains the hardware MAC address of each ethernet card and what IP address to give it,
one host per line. To edit this table at run time you use the 'arp' tool like this:
'arp -s 192.168.1.90 AB:89:01:23:45:67'
and to reload the 'ethers' file you just type 'arp -f'.
The Dynamic Host Configuration Protocol (DHCP) server
is the newest way to automatically assign addresses and configure hosts,
with no need to enter values manually. It is a newer but compatible implementation of the older
BOOTP protocol, with more features.
Tip
There is a tiny DHCP client called 'pump', from RedHat; it is used
on installation boot floppies.
The DHCP server gives IP addresses to its clients: first
a client sends a broadcast request to port 67 and waits for the answer
on port 68, using UDP; it uses 0.0.0.0 as its own address and
255.255.255.255 as the broadcast destination,
since it has no address yet and does not know where the DHCP server is.
The configuration file of the DHCP server is '/etc/dhcpd.conf' or
'/etc/dhcp3/dhcpd.conf', in which we specify which class
of address to give (A, B or C), what range to use, the address of the gateway (router)
and the name server; you may also want to give a special host
a fixed address based on its MAC.
This is an example of this file:
# dhcpd.conf - long sample, many lines are optional.
option domain-name "myfoo.net";
option domain-name-servers ns1.myfoo.net;
option subnet-mask 255.255.255.0;
default-lease-time 600;
max-lease-time 7200;
server-name "fooserver";
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.200 192.168.1.253;
    option routers 192.168.1.1;
}
host fooclient {
    server-name "fooserver";
    next-server fooserver;
    hardware ethernet AB:89:01:23:45:67;
    fixed-address 192.168.1.90;
}
To start this server, as usual, type '/etc/init.d/dhcpd start',
and make it start in some runlevel.
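The broadcast exchange described above (client to port 67 from 0.0.0.0, server answer to port 68 at 255.255.255.255) can be made concrete by building the two packets. The following is an added example written for this page, not ISC dhcpd code: it serialises a DHCPDISCOVER the way a client would and a DHCPOFFER the way the server would, following the RFC 2131 header layout and RFC 2132 option numbers, then parses the offer back. Nothing is sent on the wire; the packets are bytes in memory. The addresses are constructed to fit the 'dhcpd.conf' sample above (subnet 192.168.1.0/24, router 192.168.1.1, lease 600 s); the server address 192.168.1.2 and the MAC 02:00:00:12:34:56 are assumptions.

```python
"""Added example (not ISC dhcpd code): the DHCPDISCOVER / DHCPOFFER pair that
starts a lease, built and parsed with the standard library per RFC 2131/2132."""
import random
import socket
import struct

# Fixed BOOTP header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr[16], sname[64], file[128].
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"           # marks the start of the DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2                       # option 53 message types
SERVER_PORT, CLIENT_PORT = 67, 68            # UDP: client sends to 67, listens on 68
BROADCAST_FLAG = 0x8000                      # "reply to 255.255.255.255, I have no address"
OPT_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAMS, OPT_END = 51, 53, 54, 55, 255


def build(op, xid, mac, yiaddr, siaddr, flags, options):
    """Serialise one message; options is a list of (code, value bytes)."""
    zero = socket.inet_aton("0.0.0.0")
    head = HEADER.pack(op, 1, 6, 0, xid, 0, flags, zero, socket.inet_aton(yiaddr),
                       socket.inet_aton(siaddr), zero, mac, b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return head + MAGIC_COOKIE + body + bytes([OPT_END])


def build_discover(mac, xid):
    """Client side: no address yet, so ciaddr/yiaddr stay 0.0.0.0, the broadcast
    flag is set, and option 55 lists the parameters the client wants."""
    return build(BOOTREQUEST, xid, mac, "0.0.0.0", "0.0.0.0", BROADCAST_FLAG,
                 [(OPT_MSG_TYPE, bytes([DISCOVER])),
                  (OPT_PARAMS, bytes([OPT_MASK, OPT_ROUTER, OPT_DNS]))])


def build_offer(discover, server_ip, offered_ip, mask, router, dns, lease_secs):
    """Server side: echo xid and MAC from the request, propose yiaddr and attach
    the values a 'subnet' block of dhcpd.conf supplies."""
    req = parse(discover)
    options = [(OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, socket.inet_aton(server_ip)),
               (OPT_LEASE, struct.pack("!I", lease_secs)), (OPT_MASK, socket.inet_aton(mask)),
               (OPT_ROUTER, socket.inet_aton(router)), (OPT_DNS, socket.inet_aton(dns))]
    return build(BOOTREPLY, req["xid"], req["chaddr"], offered_ip, server_ip, req["flags"], options)


def parse(packet):
    """Decode header and options into a dict; ValueError on malformed input."""
    end = HEADER.size + len(MAGIC_COOKIE)
    if len(packet) < end or packet[HEADER.size:end] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = HEADER.unpack_from(packet)
    msg = {"op": f[0], "xid": f[4], "flags": f[6], "yiaddr": socket.inet_ntoa(f[8]),
           "siaddr": socket.inet_ntoa(f[9]), "chaddr": f[11][:f[2]], "options": {}}
    i = end
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        msg["options"][code] = value
        i += 2 + length
    return msg


def lease_exchange(mac=bytes.fromhex("020000123456")):   # constructed, locally administered MAC
    """One DISCOVER -> OFFER round trip; returns what the client learns from the offer."""
    discover = build_discover(mac, xid=random.getrandbits(32))
    offer = build_offer(discover, "192.168.1.2", "192.168.1.200", "255.255.255.0",
                        "192.168.1.1", "192.168.1.2", 600)
    reply = parse(offer)
    return {"type": reply["options"][OPT_MSG_TYPE][0],
            "ip": reply["yiaddr"],
            "mask": socket.inet_ntoa(reply["options"][OPT_MASK]),
            "router": socket.inet_ntoa(reply["options"][OPT_ROUTER]),
            "lease": struct.unpack("!I", reply["options"][OPT_LEASE])[0],
            "same_xid": reply["xid"] == parse(discover)["xid"],
            "same_mac": reply["chaddr"] == mac}


if __name__ == "__main__":
    print(lease_exchange())
```

The transaction id and MAC are what tie the offer to the request on a medium where every client hears every broadcast, which is also why a packet capture on port 67/68 shows the whole negotiation in clear text.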
A Domain Name Server (DNS) is a server
that resolves name-to-address (or the opposite) conversion requests.
It keeps two tables, one for looking up names and the other for
addresses. When you type 'www.google.com' in your browser
it sends the request "What is 'www.google.com' in numbers?" to the DNS of your LAN (or ISP),
which forwards the request to the nearest world DNS server
(each DNS keeps a list of the other world DNS servers in a table called hints).
To diagnose DNS servers with the 'dig' tool type 'dig foo.mynet.com';
it will ask the DNS to resolve 'foo.mynet.com' to an address and
print each DNS reply and the time it took to reply.
To do the opposite type 'dig -x 192.168.20.1'.
You may use 'dig' to create an up-to-date 'hints' file containing
the world Internet DNS servers using something like
'dig @a.root-servers.net . ns >root.hints'
Its output is redirected to create the 'root.hints' file;
it asks one of the Internet DNS servers, called 'a.root-servers.net',
for the others. I think you may use it by address like this:
'dig @198.41.0.4 . ns >root.hints'
The file looks like this:
; <<>> DiG 8.1 <<>> @A.ROOT-SERVERS.NET.
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;; ., type = NS, class = IN
;; ANSWER SECTION:
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4
J.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.10
K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129
L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12
M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33
A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4
H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53
B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107
C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12
D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90
E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10
I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17
F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241
;; Total query time: 215 msec
;; FROM: foobar.com to SERVER: A.ROOT-SERVERS.NET. 198.41.0.4
;; WHEN: Fri Oct 15 01:22:51 2004
;; MSG SIZE sent: 17 rcvd: 436
We will need this file later.
Tip
Host names are not case sensitive: 'A.ROOT-SERVERS.NET' is the same as 'A.Root-Servers.NeT',
but when you type a URL, the directory names after the host name are case sensitive.
The DNS server on GNU/Linux systems is BIND; it came from BSD and
its full name is Berkeley Internet Name Domain. The daemon name is 'named'.
The world's largest companies and organizations, and I could say the army, were involved in
developing this server; see the 'README' under '/usr/share/doc'.
There is a lesser known server called Dents which we will not talk about.
The configuration file of BIND's 'named' daemon is '/etc/named.conf',
though it could be somewhere else in your distribution.
This file looks like this:
#/etc/named.conf
options {
    directory "/var/named";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
    algorithm hmac-md5;
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
    // generated with:
    // dnssec-keygen -a hmac-md5 -b bitsno -n HOST keyfile
};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "zone/127.0.0";
};
zone "mydomain.com" {
    type master;
    file "zone/mydomain.com";
};
zone "0.168.192.in-addr.arpa" {
    type master;
    file "zone/192.168.0";
};
The 'options' section specifies some options; in the example we
use it to specify that all relative (not absolute) filenames are in the directory '/var/named'.
In the 'controls' section we specify some security options.
The most important sections are those that specify each domain;
we call the domain a zone. Each zone has a master DNS, and it could
have a slave DNS which works in case the master DNS is down or busy;
one DNS could be a server for more than one zone.
The '.' zone is the hints table, which contains the other DNS servers
used to resolve external addresses; we have used 'dig' to generate an up-to-date
hints file of Internet DNS servers and named it 'root.hints'.
The 'file' statement specifies that it is loaded from '/var/named/root.hints',
where you should copy the file
(we specify a relative filename and it is appended to the directory specified in the 'options' section);
notice how we specify that with 'type hint; file "root.hints";'.
We will talk later about '0.0.127.in-addr.arpa';
let's talk about the 'mydomain.com' zone.
We have 'type master; file "zone/mydomain.com";',
which specifies that our 'named' is a master DNS for 'mydomain.com',
and that the file '/var/named/zone/mydomain.com'
is the name-to-address database. It should look like this:
$TTL 3D
@       IN SOA  mydomain.com. root.mydomain.com. (
                2004101506  ; serial, today's date + today's serial #
                8H          ; refresh, seconds
                2H          ; retry, seconds
                4W          ; expire, seconds
                1D )        ; minimum, seconds
                ; ^----- time in H,W,D are hour,week,day
        IN NS   mydomain.com.
        IN NS   ns.otherdomain.net.
        IN MX   10 mydomain.com.  ; Primary Mail Exchanger
        IN TXT  "MyDomain(tm) Inc limited"
localhost   IN A    127.0.0.1
router      IN A    192.168.0.1
            IN TXT  "Our proxy and firewall"
mydomain.com.   IN A    192.168.0.2
ns          IN A    192.168.0.3
            IN TXT  "me The DNS"
www         IN A    192.168.0.4
            IN TXT  "Our apache server"
ftp         IN CNAME mydomain.com.
mail        IN CNAME mydomain.com.
news        IN CNAME mydomain.com.
funn        IN A    192.168.0.5
;
; Workstations
;
lab1pc1     IN A    192.168.0.101
            IN MX   10 mydomain.com.  ; Primary Mail Host
lab1pc2     IN A    192.168.0.102
            IN MX   10 mydomain.com.  ; Primary Mail Host
lab2pc1     IN A    192.168.0.151
            IN MX   10 mydomain.com.  ; Primary Mail Host
Here is what all those abbreviations mean:
| SOA | Start of authority. |
| A | Address. |
| TXT | Text, a comment. |
| CNAME | Canonical name, an alias. |
| MX | Mail exchange, where to deliver mail; a smaller number means higher priority. |
| NS | Name server, this host is a DNS server. |
| PTR | Pointer, used in reverse resolving. |
Note the '.' at the end of names, which means it is an absolute name;
if there is no '.' at the end, as in 'ftp.mydomain.com', then the name is relative, which means
it is equivalent to 'ftp.mydomain.com.mydomain.com.'!
To add more host names use A records like the last lines, which mean
that 'lab2pc1', or absolutely 'lab2pc1.mydomain.com.',
is '192.168.0.151'.
The next zone, '0.168.192.in-addr.arpa', and the zone we left,
'0.0.127.in-addr.arpa', are both for reverse resolving;
they are for addresses of the form
'192.168.0.X' and '127.0.0.X'
(written backwards); ARPA is the Advanced Research Projects Agency, the mother of the Internet.
The option 'file "zone/192.168.0"'
specifies that the file '/var/named/zone/192.168.0'
is the reverse resolving table; in this table we put the values
of X in '192.168.0.X' and the host name each one refers to, like this:
$TTL 3D
@       IN SOA  mydomain.com. root.mydomain.com. (
                2004101506  ; serial
                28800       ; Refresh, seconds
                7200        ; Retry
                604800      ; Expire
                86400 )     ; Minimum TTL
                ; ^----- time in seconds
        IN NS   mydomain.com.
        IN NS   ns.otherdomain.net.
; Servers
1       IN PTR  router.mydomain.com.
2       IN PTR  mydomain.com.
2       IN PTR  ftp.mydomain.com.
2       IN PTR  mail.mydomain.com.
2       IN PTR  news.mydomain.com.
3       IN PTR  ns.mydomain.com.
4       IN PTR  www.mydomain.com.
5       IN PTR  funn.mydomain.com.
; Workstations
101     IN PTR  lab1pc1.mydomain.com.
102     IN PTR  lab1pc2.mydomain.com.
151     IN PTR  lab2pc1.mydomain.com.
Now start the DNS server with '/etc/init.d/named start'.
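The two zone files above have to agree with each other, and the relative-name rule (a name without a trailing '.' gets the origin appended) is the usual way they stop agreeing. The script below is an added example written for this page, not BIND's code: it reads zone data the way 'named' does (origin appended to relative names, '@' for the origin, an indented line reusing the previous owner, parentheses spanning lines, ';' comments), converts in-addr.arpa owners back to addresses, and lists every A record without a matching PTR and every PTR without a matching A (CNAME chains are followed, so a PTR to 'ftp.mydomain.com.' is accepted). The embedded zone data is a constructed, abridged copy of the 'mydomain.com' and '0.168.192.in-addr.arpa' files above.

```python
"""Added example (not BIND's code): parse zone files with named's name rules and
check that the forward zone and the in-addr.arpa zone agree."""

# Constructed, abridged copies of the text's two zone files.
FORWARD = """\
$TTL 3D
@       IN SOA mydomain.com. root.mydomain.com. (
                2004101506 ; serial
                8H 2H 4W 1D )
        IN NS   mydomain.com.
        IN MX   10 mydomain.com.
router  IN A    192.168.0.1
        IN TXT  "Our proxy and firewall"
mydomain.com. IN A 192.168.0.2
ns      IN A    192.168.0.3
www     IN A    192.168.0.4
ftp     IN CNAME mydomain.com.
lab1pc1 IN A    192.168.0.101
"""
REVERSE = """\
$TTL 3D
@   IN SOA mydomain.com. root.mydomain.com. ( 2004101506 28800 7200 604800 86400 )
    IN NS  mydomain.com.
1   IN PTR router.mydomain.com.
2   IN PTR mydomain.com.
2   IN PTR ftp.mydomain.com.
3   IN PTR ns.mydomain.com.
4   IN PTR www.mydomain.com.
101 IN PTR lab1pc1.mydomain.com.
"""
NAME_RDATA = {"NS", "CNAME", "PTR", "MX"}       # types whose last rdata field is a name


def qualify(name, origin):
    """'@' is the origin; 'ftp' becomes 'ftp.mydomain.com.'; a name ending in '.' is kept."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, type, rdata_fields)] with every name absolute.
    ';' starts a comment (this simplification ignores ';' inside quoted TXT strings)."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner, pending = [], origin, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        pending = f"{pending} {line}" if pending else line
        if pending.count("(") > pending.count(")"):
            continue                                   # still inside a ( ... ) group
        line, pending = pending, ""
        if line.startswith("$"):
            if line.split()[0] == "$ORIGIN":
                origin = qualify(line.split()[1], origin)
            continue                                   # $TTL needs no action here
        fields = line.split()
        if not line[0].isspace():                      # an unindented line names a new owner
            owner = qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                              # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in NAME_RDATA:
            rdata[-1] = qualify(rdata[-1], origin)
        records.append((owner, rtype, rdata))
    return records


def reverse_zone_ip(name):
    """'1.0.168.192.in-addr.arpa.' -> '192.168.0.1' (the octets are written backwards)."""
    suffix = ".in-addr.arpa."
    if not name.endswith(suffix):
        raise ValueError(f"not a reverse name: {name}")
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def resolve_a(records, name, depth=8):
    """Addresses of a name in the forward zone, following CNAME chains."""
    addrs = {r[0] for o, t, r in records if o == name and t == "A"}
    for o, t, r in records:
        if o == name and t == "CNAME" and depth > 0:
            addrs |= resolve_a(records, r[0], depth - 1)
    return addrs


def check(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return (a_without_ptr, ptr_without_a); both lists are empty for consistent zones."""
    fwd = parse_zone(forward_text, forward_origin)
    rev = parse_zone(reverse_text, reverse_origin)
    prefix = reverse_zone_ip(reverse_origin.rstrip(".") + ".") + "."   # e.g. '192.168.0.'
    a_recs = {(o, r[0]) for o, t, r in fwd if t == "A" and r[0].startswith(prefix)}
    ptrs = {(reverse_zone_ip(o), r[0]) for o, t, r in rev if t == "PTR"}
    a_without_ptr = sorted((o, ip) for o, ip in a_recs if (ip, o) not in ptrs)
    ptr_without_a = sorted((ip, n) for ip, n in ptrs if ip not in resolve_a(fwd, n))
    return a_without_ptr, ptr_without_a


if __name__ == "__main__":
    print(check(FORWARD, "mydomain.com", REVERSE, "0.168.192.in-addr.arpa"))
```

Run on the sample data both lists are empty. Misspell one owner name in the forward zone and the check reports that name as having no PTR, and every PTR that pointed at the correct spelling (directly or through a CNAME) as having no A record, which is exactly what a mail server doing forward-confirmed reverse lookups would trip over.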
5.3.12. 'ppp' server, like ISPs
In this subsection we will learn how to set up your machine for
dial-in; this means other hosts could dial your phone number
the same way they connect to a dialup ISP, then send a user name and password,
get an IP address and use your host as a router. How to be an ISP?
This is what we are going to learn.
This is not common, but in rare cases you may like to dial your office from home
(if a local phone call costs less than Internet calls plus the subscription cost).
You should install a 'getty' that supports 'AutoPPP', like 'mgetty',
and make sure that this 'getty', and not any other 'getty' like 'mingetty', is used:
look at your 'inittab' file and check that it is configured with your serial modem.
Make sure the 'AutoPPP' option is there in 'login.config',
that the file '/etc/ppp/options' contains the 'auth' and 'lock' lines,
and that you specify your two DNS servers for Windows clients like this:
# /etc/ppp/options
# Specify which DNS Servers the incoming Win95 or WinNT Connection should use
# Two Servers can be remotely configured
ms-dns 192.168.1.1
ms-dns 192.168.1.2
# ...
You may use some more advanced authentication methods, like the
Password Authentication Protocol (PAP), which sends the user
name and password (unencrypted). It is configured using the file '/etc/ppp/pap-secrets',
which contains the user name, then the server (your host), then the password
(if you do not specify a password then '/etc/passwd' and '/etc/shadow'
will be used), followed by the address to give the client; put '*' to give any address.
If you put '*' in the first column (user name) then all users in '/etc/passwd'
will be able to dial in. This is an example of a 'pap-secrets' file,
in which we allow all regular users in '/etc/passwd', and disable
a user called 'guest' by giving him the '-' address.
# /etc/ppp/pap-secrets
# Every regular user can use PPP and has to use passwords from /etc/passwd
* hostname "" *
# other accounts that should not be able to use pppd, we give no address '-'.
guest hostname "*" -
The other method is called the Challenge Handshake Authentication Protocol (CHAP),
which sends a hashed (encrypted) challenge (a question) and waits for a hashed reply.
If the clients are using Windows then you can't use standard CHAP
(Microsoft's CHAP implementation is called CHAP80, which is neither standard nor secure).
The CHAP configuration file is '/etc/ppp/chap-secrets',
which has a format similar to PAP: the first column is the name of the
one to be authenticated, followed by the host which asks for it,
then the message that it should use as a proof of its identity,
then the address. You need two lines: one is the challenge and the other
is its reply. This is an example of our server's 'chap-secrets':
# /etc/ppp/chap-secrets
clientname servername "secret challenge" 28.30.120.1 *
servername clientname "answer" -
and this is it for clients:
# /etc/ppp/chap-secrets
clientname servername "secret challenge" -
servername clientname "answer" *
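The difference between the two methods is what crosses the serial line. The script below is an added example written for this page, not pppd's code: it parses the 'chap-secrets' layout from the text (client, server, secret, addresses), builds a PAP Authenticate-Request as RFC 1334 describes it, and runs the three CHAP steps of RFC 1994 (server sends a random challenge and identifier, client answers with MD5 over identifier, secret and challenge, server recomputes from its own copy of the secret and compares). The secrets file content is the server line from the text; the challenge is random each run.

```python
"""Added example (not pppd code): what PAP and CHAP put on the line, using the
secrets-file layout from the text.  PAP per RFC 1334, CHAP per RFC 1994 (MD5)."""
import hashlib
import hmac
import os
import shlex

# Constructed copy of the text's server-side chap-secrets: client, server, secret, addresses.
SERVER_CHAP_SECRETS = """\
# /etc/ppp/chap-secrets
clientname servername "secret challenge" 28.30.120.1 *
"""


def parse_secrets(text):
    """{(client, server): (secret, [addresses...])} from a pap-/chap-secrets file."""
    table = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)     # handles "quoted secrets" and # comments
        if len(fields) >= 3:
            table[(fields[0], fields[1])] = (fields[2], fields[3:])
    return table


def pap_request(user, password):
    """PAP Authenticate-Request: the password itself is the message."""
    return {"user": user, "password": password}


def chap_challenge(identifier=1):
    """CHAP step 1 (server -> client): a fresh random challenge plus an identifier."""
    return {"id": identifier, "challenge": os.urandom(16)}


def _chap_digest(identifier, secret, challenge):
    # RFC 1994: Response Value = MD5(Identifier || Secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_response(challenge, name, secret):
    """CHAP step 2 (client -> server): the hash travels, the secret never does."""
    return {"id": challenge["id"], "name": name,
            "value": _chap_digest(challenge["id"], secret, challenge["challenge"])}


def chap_verify(response, challenge, secrets, server_name):
    """CHAP step 3 (server): recompute from its own copy of the secret.
    Returns (authenticated, addresses the client may be given)."""
    entry = secrets.get((response["name"], server_name))
    if entry is None or response["id"] != challenge["id"]:
        return False, []
    secret, addresses = entry
    expected = _chap_digest(challenge["id"], secret, challenge["challenge"])
    ok = hmac.compare_digest(expected, response["value"])     # constant-time comparison
    return ok, addresses if ok else []


def chap_login(client_secret, client="clientname", server="servername",
               secrets_text=SERVER_CHAP_SECRETS):
    """The whole three-step exchange between one client and our server."""
    secrets = parse_secrets(secrets_text)
    challenge = chap_challenge()
    response = chap_response(challenge, client, client_secret)
    return chap_verify(response, challenge, secrets, server)


def secret_visible(message, secret):
    """Naive check a line monitor could do: does the secret appear verbatim in the message?"""
    blob = b"".join(v if isinstance(v, bytes) else str(v).encode() for v in message.values())
    return secret.encode() in blob


if __name__ == "__main__":
    print("PAP shows secret:", secret_visible(pap_request("clientname", "secret challenge"), "secret challenge"))
    print("CHAP login:", chap_login("secret challenge"))
```

Because the challenge changes every time, a recorded CHAP response is useless for a later connection, while a recorded PAP request is the password itself. Note that the server still needs the secret in clear in 'chap-secrets', which is why that file must stay readable by root only.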
5.3.13. Supercomputer and cluster networks.
With Linux one could form a supercomputer cluster without rewriting
or even recompiling applications; if you want to try that you could
test it without even installing Linux!! Let's take a general look at
parallel processing.
Many parallel-processing supercomputer companies died, and
Intel stopped making parallel supercomputers:
they are expensive and raise the risk of a single point of failure.
Parallel processing is still alive, though: supercomputer performance
could be built from off-the-shelf components. A recent PC CPU provides
thousands of MIPS (million instructions per second), so a system of many PC CPUs
could be the answer.
When you type 'ps -ax' you will notice that most processes
are sleeping ('S', e.g. waiting for data from the hard disk).
Have you noticed that the last number in the output of the 'uptime' tool
(the load average for the past 15 minutes) is smaller than the previous
two (for the past 1 and 5 minutes)?
Type 'cat /proc/uptime' and notice how close
the whole uptime (first number) is to the second number, the idle
time (the time the CPU was doing nothing).
If you have a 1GHz CPU then each program has to slow down and
wait for RAM (the memory bus speed), and slow down again to wait for the hard drive;
that is why most processes are sleeping most of the time.
If you replace this CPU with a 2GHz CPU the performance won't
be doubled; usually you get only a bit more than the usual performance.
On real multitasking systems like Linux you get a higher gain,
because when a process sleeps waiting for something the kernel switches to another process.
If you need more and more performance, as in research, virtual reality,
some engineering fluid simulations (wind tunnels) or large databases,
the fastest CPU on earth is not the solution; a better solution is
a multiprocessor system, even if those multiple CPUs are cheap PC ones. This technology
is called Symmetric Multi Processing (SMP)
(a special motherboard and some usual Intel or AMD CPUs):
when the first CPU is waiting for the hard disk, the other CPU
is available. You need a special OS, Linux of course,
but the kernel should be compiled with the SMP option on
(distributions usually don't install it by default; it is shipped
in another package, maybe called 'kernel-smp'),
and the programs you use should support multiple threads or fork many processes
in order to gain better performance.
If your system is slow because of slow IDE hard drives then SMP is not the solution
(IDE hard drives can't handle multiple requests),
but if it is slow because you have many processes or threads then SMP will help.
Using SCSI hard disks with SMP is a very good combination:
SCSI, unlike IDE, can handle multiple requests
(SCSI is also useful in monoprocessor systems).
The file '/proc/cpuinfo' displays the CPUs as seen by the kernel:
bash# cat /proc/cpuinfo
processor : 0
cpu : 686
model : 3
vendor_id : GenuineIntel
[...]
bogomips : 267.06
processor : 1
cpu : 686
model : 3
vendor_id : GenuineIntel
[...]
bogomips : 267.06
See the 'SMP-HOWTO' by Enkh Tumenbayar.
SMP is an example of the shared memory parallel processing model.
Another model of parallel processing is called distributed memory,
like Beowulf clusters (named after the legendary hero of an ancient poem),
designed by Donald Becker at NASA.
Unlike SMP, the CPUs need not share the same memory; in this model we
have a fast, small local network of PCs, each PC with its own CPU and memory.
This network is called a cluster and each host is called a node;
the aim of the cluster is to combine the power of its nodes
in a Parallel Virtual Machine (PVM), for example
a cluster of four PIV 1.2GHz machines with 256 MB of RAM each is called a 4.8GHz 1GB RAM cluster!
(It won't reach that limit; this is just a name.)
This is implemented through the Message Passing Interface (MPI),
where nodes send messages containing instructions and data to other nodes
to be executed there. In the same way that some people call a calculator
or a mobile phone a computer while others don't, some people call a simple
NIS and NFS cluster a Beowulf while others don't, and some only
give that name to clusters based on NASA's original Beowulf design.
Programs have to be designed or rewritten to use special libraries
like PVM (libpvm3) and MPI;
for example a parallel version of the PovRay 3D renderer called 'pvmpov'
does the same complex high quality rendering much faster by distributing
the task over the many nodes of a PVM cluster.
Those libraries are for the C language, where the programmer redesigns his
code; sometimes it is easier to use other languages like a parallelized version
of FORTRAN or 'python-mpi' (which uses 'mpich').
There are two ways of arranging such networks. The first is called a
Parallel Virtual Machine, where the nodes are put in one box,
having no keyboards, no monitors and maybe no hard drives (disk-less);
they are called dumb nodes, except for one node (called the master node)
which accesses the other nodes through remote shells (e.g. 'rsh', since
encryption is not needed if all the wires are inside the same box),
or one keyboard, one mouse and one monitor are used for all nodes
through a KVM (Keyboard, Video, Mouse) switch;
all this to leave all the power of the cluster to the master node.
See the accompanying picture of a home-built cluster, taken from Wikipedia, the free encyclopedia.
Picture: Home-built cluster
The second is called a Cluster of Workstations (COW) or Network of Workstations (NOW),
where each node works independently, with the ability to run
processes on other nodes. The simplest COW uses NIS and NFS, where users
are shared using NIS and files with NFS (at least '/home' and '/usr/local',
or the whole root file system); more complex clusters use the MPI or PVM
libraries. The Berkeley NOW project, which can be found at http://now.cs.berkeley.edu,
is an example of such clusters.
Another way to classify clusters is into the following levels:
- Fail-over Clusters:
when some process on a node fails, another node tries to take over (just like a backup battery or a spare wheel).
- Load-balancing Clusters:
distribute the load over many nodes, sending the next instructions, requests or process
to the least busy node (this could also act as a fail-over cluster); a process
could also migrate from an overloaded busy node to a less
busy one to balance the load.
- High Performance Computing (HPC) Clusters (e.g. Beowulf Clusters):
independent routines are spread over many nodes instead of waiting
in a queue for the next least busy one; here programs have to be rewritten
with the MPI or PVM libraries, and you have to analyze the code into
independent parallelized parts, aggregation points, ...etc.
The dream of having parallel computing without rewriting programs
has become a reality with the OpenMosix project, a Linux kernel patch
that uses message passing, process migration and an optimized network
file system (oMFS) to build a load-balancing, high performance computing
Beowulf cluster which takes many computers and gives users and applications the
illusion of a single computer with many CPUs. This means you have to get a
kernel source and the patch corresponding to it, then recompile the kernel,
install some user-space tools and reboot, then edit configuration
files to add nodes. There are precompiled patched kernel packages
(e.g. RPM files), so all you have to do is install those packages on each node.
The Cluster Knoppix live-CD distribution combines the power of OpenMosix with the
flexibility and ease of Knoppix, where you don't have to install or configure
anything: make some copies of it, boot them on each computer
and they all become a super cluster, that simple! Cluster Knoppix
uses the OpenMosix auto-discovery daemon ('omdiscd') to scale
the cluster by adding new nodes.
Once you have a running OpenMosix Linux kernel you get
the usual GNU/Linux, but because of the transparent process-migration
feature, when you run an application on a busy node it migrates
to run on a less busy node so that the system runs more smoothly.
Because of the OpenMosix file system, the files of any node are reachable through
'/mfs/N/' (where 'mfs' is its mount point
and 'N' is the ID number of the node);
for example '/mfs/3/home/ahmad/myfile.txt' is
'/home/ahmad/myfile.txt' on node 3.
The configuration is simple: create or edit '/etc/openmosix.map'
(on each host) to specify a node ID number for each host that forms the cluster.
The syntax of each line is ID HOST COUNT,
where ID is a unique number for that node, HOST is a host name or address
of the node and COUNT (called range-size in the documentation) should be 1 unless
you want to add more than one node in a single line by specifying their
starting ID, starting address and their number, for example
#/etc/openmosix.map
1 192.168.1.1 1
2 192.168.1.12 3
means 4 nodes with the addresses '192.168.1.1'
and '192.168.1.12-14'. Another example:
a cluster of 7 nodes, 10.0.0.1-10.0.0.7, could be configured
with the one line '1 10.0.0.1 7'.
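Because every node reads its own copy of the map, a COUNT that silently overlaps another line gives two hosts the same node ID, and the mistake is hard to spot by eye. The script below is an added example written for this page, not one of the openMosix tools: it expands a map into one (ID, address) pair per node the way the COUNT column is meant to be read (consecutive IDs, consecutive addresses) and reports any ID or address claimed twice. The sample map is the one from the text.

```python
"""Added example (not an openMosix tool): expand '/etc/openmosix.map' into one
(node id, address) pair per node and report ids or addresses claimed twice."""
import ipaddress

# Constructed copy of the text's sample map.
SAMPLE_MAP = """\
#/etc/openmosix.map
1 192.168.1.1 1
2 192.168.1.12 3
"""


def expand_map(text):
    """[(id, address), ...]; COUNT n means n consecutive ids and n consecutive addresses."""
    nodes = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"expected 'ID HOST COUNT': {line!r}")
        first_id, host, count = int(fields[0]), fields[1], int(fields[2])
        if count < 1:
            raise ValueError(f"COUNT must be at least 1: {line!r}")
        if count == 1:
            nodes.append((first_id, host))      # a host name is fine for a single node
        else:
            base = ipaddress.ip_address(host)   # a range needs a numeric address to count from
            nodes.extend((first_id + i, str(base + i)) for i in range(count))
    return nodes


def conflicts(nodes):
    """(duplicate ids, duplicate addresses) across the expanded map."""
    ids = [n for n, _ in nodes]
    addrs = [a for _, a in nodes]
    return (sorted({n for n in ids if ids.count(n) > 1}),
            sorted({a for a in addrs if addrs.count(a) > 1}))


if __name__ == "__main__":
    nodes = expand_map(SAMPLE_MAP)
    print(nodes)
    print("conflicts:", conflicts(nodes))
```

Run it over each node's copy of the file before 'setpe'; a non-empty result from 'conflicts' means two lines of the map disagree about who owns an ID or an address.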
A newer method is to use the OpenMosix discovery daemon ('omdiscd'),
which adds and removes nodes automatically.
One last step is to add an entry for the OpenMosix file system
to the '/etc/fstab' file of each node;
the line looks like this (you could do that with 'echo' and '>>'):
mfs_mnt /mfs mfs dfsa=1 0 0
We are ready now to start our Beowulf cluster, our supercomputer!
Just type 'setpe -w -f /etc/openmosix.map'
(or '/etc/init.d/openmosix start' if you have that service)
on each node; if it fails to start, check '/etc/hosts'
to make sure that the host names (if used) are resolvable.
Use 'mon' to monitor how it works, and use the parallelized
versions of user-space tools like 'pkill' and 'pmake' for better performance.
You could have the same user configuration on all
nodes by linking '/home' to point to something like
'/mfs/1/home' on all nodes (except node 1 of course).
Another tip is to link '/usr/local' similarly,
to have some programs in common (those installed outside the package
manager's control).
OpenMosix won't succeed if there is a firewall blocking its ports;
those are 4660/tcp (for process migration), 5428/udp (the information port)
and 723/tcp.
Adding up all the CPUs and RAM is an idealized assumption;
in reality message-passing communication imposes overhead because of network
latency and bandwidth limitations. Another aspect that reduces cluster
performance is the short lifetime of a process which ends before it is efficient
to migrate it. A process that does not fork subprocesses or threads
and consumes a lot of memory and CPU time will gain nothing from the cluster.
A fact quoted from the Linux Parallel Processing HOWTO by Hank Dietz:
"A standard single CPU application will run no faster than a single CPU application on multiple processors".
Single Instruction Multiple Data (SIMD) types of programs,
like programs that process arrays, bitmap images, sound, ...etc.,
will run faster if rewritten using a language or library that
supports parallel processing.
References:
- Linux Parallel Processing HOWTO by Hank Dietz
- openMosix HOWTO by Kris Buytaert
- Beowulf HOWTO by Jacek Radajewski and Douglas Eadline.