HENRY SETUP
***********

Computer Hardware
+++++++++++++++++

Motherboard:          P133, ASUSTEK P/I-P55TP4XEG Motherboard, Intel 82430FX chipset, 32MB RAM.
Video Controller:     Diamond Stealth 64, S3 764, 2 MB RAM.
Ethernet Controller:  Genius GE2500II PCI (N2K Compatible)
    ne2k-pci.c:v0.99L 2/7/98 D. Becker/P. Gortmaker
      http://cesdis.gsfc.nasa.gov/linux/drivers/ne2k-pci.html
    ne2k-pci.c: PCI NE2000 clone 'RealTek RTL-8029' at I/O 0xe400, IRQ 12.
    eth0: PCI NE2000 found at 0xe400, IRQ 12, 00:C0:DF:A8:25:A7.
Sound Card:           Sound Blaster 16  IO 0x220  MIDI IO 0x330  IRQ 5  Low DMA 1  High DMA 5
Serial Ports:
    ttyS0   0x3f8   4    16550   spare
    ttyS1   0x2f8   3    16550   gpm -t MouseSystems
    ttyS2   0x3e8   9    16551   spare
    ttyS3   0x2e8   11   16551   spare
Parallel Port:        Enhanced, IO 0x3f8, IRQ 7
IDE Controller / HDD:
    ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
    ide1 at 0x170-0x177,0x376 on irq 15
    hda: WDC AC31600H, 1549MB w/128kB Cache, CHS=787/64/63
    hdb: FUJITSU MPC3064AT, 6187MB w/0kB Cache, CHS=788/255/63
    hdc: ATAPI 8X CD-ROM drive, 256kB Cache

Hard Disk partitioning
________________________________________

root@henry:~>fdisk -l /dev/hdb

Disk /dev/hdb: 255 heads, 63 sectors, 788 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot   Start      End    Blocks   Id  System
/dev/hdb1            1       17    136521   82  Linux swap
/dev/hdb2           18      788  6193057+   83  Linux

------------------------------------------
>>>>>>>>>>>>>>>>>>>>>>/etc/fstab
/dev/hdb2       /                 ext2    defaults        1 1
/dev/hdb1       swap              swap    defaults        0 0
/dev/fd0        /mnt/floppy       ext2    noauto,owner    0 0
gateway:/       /nfsmnts/gateway  nfs     defaults        0 0
none            /proc             proc    defaults        0 0
none            /dev/pts          devpts  gid=5,mode=620  0 0
<<<<<<<<<<<<<<<<<<<<<

rqd
prompt                  # display boot prompt
timeout=50              # default timeout 5 secs
image=/boot/bzImage
    label=l
    root=/dev/hdb2
    append="mem=96m"
    read-only
image=/boot/vmlinuz
    label=o
    root=/dev/hdb2
    read-only
image=/usr/src/linux/arch/i386/boot/bzImage
    label=n
    root=/dev/hdb2
    append="mem=96m"
    read-only
other=/dev/hda1
    label=w
    table=/dev/hda
----------------------------------------------------

NOTES:

1.
If this is the first build of the kernel you will need to copy bzImage to /boot for things to work.
    cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage

2. Besides booting to the DOS partition labeled 'w', there are 2 Linux boot options:
    'l'  The default Linux boot.
    'n'  The new boot option, which points to the location that 'make bzImage' writes the image to.
    'o'  The original kernel - just in case!
    'w'  That other OS.
   Therefore, to test a new image without destroying the previous working image, after running lilo we can boot to 'l-new', and if there are problems we can reboot back to 'l'. You may need to move the original modules back. If everything works well, then
    cp /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage
   and rerun lilo.

3. It is always necessary to rerun lilo after any changes to any of the boot images.

4. 'reboot' the system - remember to sync a few times first. I've actually done aliases in root's .bashrc file for both init and reboot, putting a few syncs in front.

5. Note the appending of "mem=96m", because that's the amount of memory in henry, but Linux on its own sees 64M by default. The kernel should examine the memory directly rather than trying to find its value from the BIOS.

SETTING THE SERIAL PORTS UP CORRECTLY
*************************************

This box has four serial ports, the latter two operating off interrupts 9 and 11. The autoprobing function in the kernel does not probe for interrupts, as this could create problems. Anyway, I think autoprobing is a bad idea. Those responsible for looking after boxes should know where everything (peripherals included) is and how to access it.

As the kernel boots, it throws up the following info, as seen in dmesg:
----------------------------------------------------------
Serial driver version 4.27 with SHARE_IRQ enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
ttyS02 at 0x03e8 (irq = 4) is a 16550A
ttyS03 at 0x02e8 (irq = 3) is a 16550A
----------------------------------------------------------

Which is great in terms of I/O addresses, but makes totally the wrong assumptions about the interrupt vectors of the last two serial ports. RedHat Linux has a fix for this, and that is to create a file /etc/rc.d/rc.serial that uses the setserial command to specify the addresses and IRQs to the kernel. setserial is called from rc.local.

This is what I have written:

/etc/rc.d/rc.serial
------------------------------------------------------------
#!/bin/sh
echo "Serial port reconfiguration:"
/bin/setserial /dev/ttyS0 port 0x3f8 irq 4  uart 16550A spd_vhi
/bin/setserial /dev/ttyS1 port 0x2f8 irq 3  uart 16550A spd_vhi
/bin/setserial /dev/ttyS2 port 0x3e8 irq 9  uart 16550A spd_vhi
/bin/setserial /dev/ttyS3 port 0x2e8 irq 11 uart 16550A spd_vhi
action "`/bin/setserial -b /dev/ttyS0`" /bin/true
action "`/bin/setserial -b /dev/ttyS1`" /bin/true
action "`/bin/setserial -b /dev/ttyS2`" /bin/true
action "`/bin/setserial -b /dev/ttyS3`" /bin/true
-------------------------------------------------------------

The last four statements are used to print out the status on the screen, showing the [ OK ] on the RHS. Also note that ttyS2 irq 9 shows up as irq 2, which is the hardware reassignment of irq 9 in the cascaded interrupt controllers on PCs.

While we are about it, we should ensure that all files in /etc/rc.d have 750 permissions. Use 'chmod 750 rc rc.*' in /etc/rc.d.

While we are sorting out the /etc/sysconfig/ that RedHat uses, use chkconfig to enable and disable the requisite daemons.
henry's configuration is:

---------------------------------------------------------
root@henry:~>chkconfig --list
keytable        0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:on    2:on    3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:on    3:off   4:on    5:off   6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:off   5:on    6:off
named           0:off   1:off   2:off   3:on    4:off   5:on    6:off
dhcpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
innd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
pcmcia          0:off   1:off   2:on    3:off   4:on    5:off   6:off
nfs             0:off   1:off   2:off   3:on    4:off   5:on    6:off
nfslock         0:off   1:off   2:off   3:on    4:off   5:on    6:off
kudzu           0:off   1:off   2:off   3:off   4:on    5:off   6:off
linuxconf       0:off   1:off   2:on    3:on    4:on    5:on    6:off
lpd             0:off   1:off   2:on    3:on    4:on    5:on    6:off
inet            0:off   1:off   2:off   3:on    4:on    5:on    6:off
identd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
pulse           0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
postgresql      0:off   1:off   2:off   3:on    4:on    5:on    6:off
pxe             0:off   1:off   2:off   3:off   4:off   5:off   6:off
rstatd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rusersd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
rwhod           0:off   1:off   2:off   3:off   4:off   5:off   6:off
smb             0:off   1:off   2:off   3:on    4:off   5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
squid           0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
xntpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ldap            0:off   1:off   2:off   3:off   4:off   5:off   6:off
mcserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
yppasswdd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
-------------------------------------------------------

Your results may vary depending on the rpm packages you selected to install or have installed, and on which options you want selected.

GETTING NETWORK INTERFACE AND TCP/IP WORKING
********************************************

Okay, we now have a successful build of the kernel. We first check our ethernet interface. Using 'dmesg | less' we should see somewhere in the listing the following:

---------------------------------------------------------------
ne2k-pci.c:vpre-1.00e 5/27/99 D. Becker/P. Gortmaker
  http://cesdis.gsfc.nasa.gov/linux/drivers/ne2k-pci.html
ne2k-pci.c: PCI NE2000 clone 'RealTek RTL-8029' at I/O 0xe400, IRQ 12.
eth0: RealTek RTL-8029 found at 0xe400, IRQ 12, 00:C0:DF:A8:25:A7.
---------------------------------------------------------------

This lets us know we can see the ethernet card. Now we can get TCP/IP configured. I prefer to edit the files manually rather than use netcfg or other gui/fancy tools. Good refs are the Net-HOWTO, the LDP Network Administration Guide, and the RedHat Installation Manual Ch 11.3.

/etc/HOSTNAME
-----------------------------
henry.novatek.co.nz
----------------------------

/etc/hosts
#NOTE There are two options here. The first option is if we have not
#     configured our local name server, and depend on our ISP's
#     name server.
-------------------------------------------------------------------
127.0.0.1       localhost       localhost.localdomain
24.113.94.87    cr324145-a      cr324145-a.rchmd1.bc.wave.home.com
192.168.0.254   gateway         gateway.novatek.co.nz
192.168.0.1     hercules        hercules.novatek.co.nz
192.168.0.2     spare1          spare1.novatek.co.nz
192.168.0.3     henry           henry.novatek.co.nz
192.168.0.4     spare2          spare2.novatek.co.nz
192.168.0.5     beatroot        beatroot.novatek.co.nz
192.168.0.6     hershel         hershel.novatek.co.nz
---------------------------------------------------------

Alternatively, if we have configured a name server (named), then it is only necessary to include the local host in /etc/hosts.
There are some exceptions to this, as is noted in the DNS description below.

/etc/networks
-------------------------------
loopback        127.0.0.0
localnet        192.168.0.0
-------------------------------

/etc/host.conf
------------------------
order hosts,bind
multi on
----------------------

/etc/resolv.conf
If we do not use a local nameserver (caching or otherwise), then use the following file.
-----------------------------------------
domain novatek.co.nz
search novatek.co.nz
nameserver 24.113.94.87
nameserver 199.239.20.4
nameserver 140.200.128.13
----------------------------------------

# Alternative /resolv.conf - used when we have our own local name
# server set up on this host.
----------------------------------------
domain novatek.co.nz
search henry.novatek.co.nz novatek.co.nz
nameserver 127.0.0.1
---------------------------------------

I recommend keeping two files, /etc/resolv.conf.dns and /etc/resolv.conf.nodns, and depending on what we are configuring, copying the appropriate file to /etc/resolv.conf.

/etc/sysconfig/network
-------------------------------
NETWORKING=yes
FORWARD_IPV4=false
HOSTNAME=`cat /etc/HOSTNAME`
GATEWAY=192.168.0.254
GATEWAYDEV=eth0
#NISDOMAIN=
-------------------------------

Note this host is on the private network 192.168.0.0, which has gateway.novatek.co.nz (192.168.0.254) as the gateway to the internet.

/etc/sysconfig/network-scripts/ifcfg-eth0
-------------------------------------------
DEVICE=eth0
IPADDR=192.168.0.3
NETMASK=255.255.255.0
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
------------------------------------------

We can optimize the IP window size per TrinityOS Ch16.

Original /etc/sysconfig/network-scripts/ifup from line 105
--------------------------------------------------------------------
ifconfig ${DEVICE} ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}

# don't re-add subnet route on 2.2 kernels, but add a route
# to a non-local subnet.
# stupid hack, but it should work
if [ "$ISALIAS" = no ] && [ -z "`route -n | sed "s/ .*//" | grep ${NETWORK}`" ]; then
    route add -net ${NETWORK} netmask ${NETMASK} ${DEVICE}
else
    route add -host ${IPADDR} ${DEVICE}
fi

# this is broken! it's only here for compatibility with old RH systems
if [ "${GATEWAY}" != "" -a "${GATEWAY}" != "none" ]; then
    route add default gw ${GATEWAY} metric 1 ${DEVICE}
fi

. /etc/sysconfig/network

if [ "${GATEWAY}" != "" ]; then
    if [ "${GATEWAYDEV}" = "" -o "${GATEWAYDEV}" = "${DEVICE}" ]; then
        # set up default gateway
        route add default gw ${GATEWAY} ${DEVICE}
        DEFGW=${GATEWAY}
    fi
fi

if [ "$BOOTPROTO" = bootp -a "$ISALIAS" = no ]; then
    if [ -n "$GATEWAYS" ]; then
        for gw in $GATEWAYS; do
            if [ $gw != "${DEFGW}" ]; then
                route add default gw $gw ${DEVICE}
            fi
        done
    fi
--------------------------------------------------------------------

changed to

--------------------------------------------------------------------
ifconfig ${DEVICE} ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}

# don't re-add subnet route on 2.2 kernels, but add a route
# to a non-local subnet.
# stupid hack, but it should work
if [ "$ISALIAS" = no ] && [ -z "`route -n | sed "s/ .*//" | grep ${NETWORK}`" ]; then
    route add -net ${NETWORK} netmask ${NETMASK} window 8192 ${DEVICE}
else
    route add -host ${IPADDR} window 8192 ${DEVICE}
fi

# this is broken! it's only here for compatibility with old RH systems
if [ "${GATEWAY}" != "" -a "${GATEWAY}" != "none" ]; then
    route add default gw ${GATEWAY} window 8192 metric 1 ${DEVICE}
fi

. /etc/sysconfig/network

if [ "${GATEWAY}" != "" ]; then
    if [ "${GATEWAYDEV}" = "" -o "${GATEWAYDEV}" = "${DEVICE}" ]; then
        # set up default gateway
        route add default gw ${GATEWAY} window 8192 ${DEVICE}
        DEFGW=${GATEWAY}
    fi
fi

if [ "$BOOTPROTO" = bootp -a "$ISALIAS" = no ]; then
    if [ -n "$GATEWAYS" ]; then
        for gw in $GATEWAYS; do
            if [ $gw != "${DEFGW}" ]; then
                route add default gw $gw window 8192 ${DEVICE}
            fi
        done
    fi
-------------------------------------------------------------------

Now restart networking:
    /etc/rc.d/init.d/network restart

NOTE: it might be a good idea to reboot if the HOSTNAME has changed.

Check that everything is working with ifconfig and netstat -rn.

-------------------------------------------------------------------
eth0      Link encap:Ethernet  HWaddr 00:C0:DF:A8:25:A7
          inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:46429 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32301 errors:0 dropped:0 overruns:0 carrier:0
          collisions:84 txqueuelen:100
          Interrupt:12 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:245 errors:0 dropped:0 overruns:0 frame:0
          TX packets:245 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
-------------------------------------------------------------------

netstat -rn
-------------------------------------------------------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.3     0.0.0.0         255.255.255.255 UH        0 8192       0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 8192       0 lo
0.0.0.0         192.168.0.254   0.0.0.0         UG        0 8192       0 eth0
-------------------------------------------------------------------

Check that things are working okay: ping the gateway, then ping beyond the gateway to the outside network.
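A mismatched NETMASK or BROADCAST in ifcfg-eth0 only shows up later as odd routes, so it is worth checking the values against each other before the restart. The following sh script is an added example, not part of the original notes: it recomputes NETWORK and BROADCAST from IPADDR/NETMASK, checks that the GATEWAY from /etc/sysconfig/network lies inside that network, parses the file instead of sourcing it, and writes a constructed copy of henry's ifcfg-eth0 (with the netmask as a parameter) to try the check on offline.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check an
# ifcfg-eth0 file of the form shown above before running
# /etc/rc.d/init.d/network restart.  NETWORK and BROADCAST are
# recomputed from IPADDR/NETMASK, and the GATEWAY from
# /etc/sysconfig/network must lie inside that network.
# Octets are read as plain decimal; a leading 0 would be taken as
# octal by shell arithmetic, so do not write 010 for 10.

# ip2int A.B.C.D -> decimal 32-bit value; fails on a malformed address
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cfg_get FILE KEY -> value of the first KEY=value line.  The file is
# parsed, not sourced, so a stray command in it is never executed.
cfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_ifcfg FILE GATEWAY -> 0 if consistent, 1 plus a report otherwise
check_ifcfg() {
    f=$1; gw=$2; rc=0
    ip=$(cfg_get "$f" IPADDR);   mask=$(cfg_get "$f" NETMASK)
    net=$(cfg_get "$f" NETWORK); bcast=$(cfg_get "$f" BROADCAST)
    ipn=$(ip2int "$ip")     || { echo "bad IPADDR '$ip'";    return 1; }
    maskn=$(ip2int "$mask") || { echo "bad NETMASK '$mask'"; return 1; }
    gwn=$(ip2int "$gw")     || { echo "bad GATEWAY '$gw'";   return 1; }
    netn=$(( ipn & maskn ))
    want_net=$(int2ip "$netn")
    # broadcast = network with all host bits set (mask inverted within 32 bits)
    want_bcast=$(int2ip $(( netn | (~maskn & 4294967295) )))
    [ "$net" = "$want_net" ]     || { echo "NETWORK=$net, expected $want_net"; rc=1; }
    [ "$bcast" = "$want_bcast" ] || { echo "BROADCAST=$bcast, expected $want_bcast"; rc=1; }
    [ $(( gwn & maskn )) -eq "$netn" ] || { echo "GATEWAY=$gw is not on $want_net"; rc=1; }
    [ "$gwn" -ne "$ipn" ] || { echo "GATEWAY=$gw is this host's own address"; rc=1; }
    [ $rc -eq 0 ] && echo "$f: ok"
    return $rc
}

# write_sample_ifcfg FILE NETMASK: constructed copy of henry's
# ifcfg-eth0 with the netmask made a parameter, for trying the check
write_sample_ifcfg() {
    cat > "$1" <<EOF
DEVICE=eth0
IPADDR=192.168.0.3
NETMASK=$2
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
EOF
}
```

Run as `check_ifcfg /etc/sysconfig/network-scripts/ifcfg-eth0 192.168.0.254`; a non-zero exit means at least one of the reported values needs fixing before the restart.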
SETTING UP THE REMOTE PRINTER
*****************************

We have a printer on our gateway box and want to connect to it. The printer on gateway has also been set up for Samba access, to be able to print from the Windows boxes. For this Linux box we choose to use remote Unix printing rather than Samba. The reason for this is that we have a minimal Samba install on gateway, which is likely to be tweaked in the future. Such tweaking could disrupt smb services, whereas using remote Unix printing is only dependent on Unix.

I use printtool to set up the printer, and here is the resulting output in /etc/printcap:

----------------------------------------------
#
# Please don't edit this file directly unless you know what you are doing!
# Be warned that the control-panel printtool requires a very strict format!
# Look at the printcap(5) man page for more info.
#
# This file can be edited with the printtool in the control-panel.

##PRINTTOOL3## REMOTE cdj550 300x300 letter {} DeskJet550 24 1
hp850c-high:\
        :sd=/var/spool/lpd/hp850c-high:\
        :mx#0:\
        :sh:\
        :rm=gateway:\
        :rp=hp850c:\
        :if=/var/spool/lpd/hp850c-high/filter:
##PRINTTOOL3## REMOTE cdj550 300x300 letter {} DeskJet550 3 1
hp850c:\
        :sd=/var/spool/lpd/hp850c:\
        :mx#0:\
        :sh:\
        :rm=gateway:\
        :rp=hp850c:\
        :if=/var/spool/lpd/hp950c/filter:
##PRINTTOOL3## REMOTE cdj550 300x300 letter {} DeskJet550 3 1
hp850c-2up:\
        :sd=/var/spool/lpd/hp850c-2up:\
        :mx#0:\
        :sh:\
        :rm=gateway:\
        :rp=hp850c:\
        :if=/var/spool/lpd/hp850c-2up/filter:
----------------------------------------------

Note: I have not got the different printer filters to work. They all behave the same way. This is an exercise for the future.

Next we need to open up the printer server to this host. So we go to gateway and update its /etc/hosts.lpd file to include 'hal-9000' on a separate line. We also need to ensure that the PRINTER environment variable is set to hp850c. More about this later in the setting up of /etc/profile.
GETTING A CACHING NAMESERVER WORKING
************************************

using bind-8.2.1-3.rpm

Refs:   DNS Howto V2.2, Feb 99.
        DNS and Bind, Second Ed, ORA.
        Redhat Linux Unleashed 3rd Ed.
        Bind documentation in ifconfig http://www.isc.org/view.cgi?/products/BIND/docs/config/index.phtml
        TrinityOS Ch.24 "http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS.wri"

As root install the rpm.

There is a lot of variation in terms of naming zone db files. The convention that I will adopt is to:
    1) Use the /var/named directory as default,
    2) prefix all files with "db.",
    3) call the topmost file db.root (aka root.hints / named.ca / etc.),
    4) keep primary zone db files in /var/named/primary and secondary zone db files in /var/named/secondary - per the ORA book pg 142.

All a caching name server does is find IP addresses for name queries and cache them. This makes following lookups much faster.

Ensure things are correctly configured to use bind as our resolver.

a. /etc/host.conf
--------------------------------------------
order hosts,bind
multi on
--------------------------------------------

What does this mean:
This is a standard file that tells the DNS resolver (bind (named) in our case) that it should first look in the hosts file to look up an IP address for a name, and only if it is not there, then use the bind nameserver. 'multi on' means that this host can have more than one IP address - ie it can be multihomed. This statement is necessary for every configuration except a stand-alone machine, as any machine connected to a network has a minimum of two addresses, 127.0.0.1 and the network address.

b. /etc/resolv.conf
-------------------------------------------
domain novatek.co.nz
search henry.novatek.co.nz novatek.co.nz
nameserver 127.0.0.1
-------------------------------------------

What does this mean:
Tells the resolver that the domain is novatek.co.nz. The 'domain' statement is redundant when the domain name is also present in the 'search' statement.
(I include it for completeness.) The purpose of the 'search' statement is to provide the nameserver with a list of postfix options to append to hostnames that do not end with a period "." in the zone database files (the /var/named/db.* files, for example - see below). The 'nameserver' statement in this case points to our localhost nameserver. See the comment on setting up the network above.

c. /etc/nsswitch.conf
----------------------
In this file ensure that there is a 'hosts:' statement that specifies files ahead of dns. The statement in my file is:

    hosts:      files nisplus nis dns

This file is an integral part of NIS, and it appears as if it is required by the glib6 library. I wonder if host.conf is still required if we are using nsswitch.conf. A chocolate fish for the first person to let me know, and why. Also, info on the Name Service Switch in glib6 can be found in `info libc "NSS Configuration File"'.

d. /etc/hosts
------------------------------------------------
127.0.0.1       localhost localhost.localdomain
192.168.0.254   gateway gateway.novatek.co.nz
192.168.0.3     ftp www ftp.novatek.co.nz www.novatek.co.nz
------------------------------------------------

The reason for forcing gateway to look at 192.168.0.254 is that, since gateway is dual-homed, DNS will provide both addresses, and many programs pick up the external interface address. From the inside network, using a protocol to the external interface of gateway that is being port forwarded to an internal host does not work (www and ftp protocols).

The reason for the third line in /etc/hosts is that in the DNS, ftp and www are directed to 24.113.94.87, and gateway port forwards them to 192.168.0.3. However, on gateway without this setting, if we attempt to connect to www or ftp we will connect to the external port of gateway. For the ftp protocol we will get gateway instead of being forwarded to 192.168.0.3, and the www protocol will fail, there being no httpd running on gateway.
First edit /etc/named.conf
--------------------------------------------
# /etc/named.conf
options {
        // Root directory for master (db) files.
        directory "/var/named";

        // If a lookup is not in our cache, query these nameservers
        // (usually our ISP's nameservers) before attempting to resolve.
        forward first;
        forwarders {
                192.168.0.254;
        };

        // may be required if this name server is behind a firewall
        // query-source address * port 53;
};

// The next two zones are the minimum required for a caching nameserver.
zone "." {
        type hint;
        file "db.root";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        notify no;
        file "db.127.0.0";
};
------------------------------------------------

What does this all mean:
+++++++++++++++++++++++

options { directory "/var/named"; . . .
makes /var/named the top level directory for all zone database files. These are the files referred to with the 'file' directive in the zone statements.

The "forward first; forwarders . . ." options instruct the nameserver to interrogate the caches of the nameservers listed in 'forwarders' for entries not found in this cache. Only if entries are not found in all these caches will the nameserver search from the root. This reduces overall DNS traffic.

The root zone "." is where all name lookups commence. It is the only zone where the type is "hint". The meaning of hint is (from http://www.isc.org/view.cgi?/products/BIND/docs/config/zone.phtml):
"The initial set of root nameservers is specified using a hint zone. When the server starts up, it uses the root hints to find a root nameserver and get the most recent list of root nameservers."
The information on how to find the root nameservers and get the desired info from them is specified in the file 'db.root', which is kept in /var/named/db.root.

The "0.0.127.in-addr.arpa" zone is required to achieve reverse lookups (ie. derive "localhost" when "127.0.0.1" is specified).
It is a "master" type as this DNS server is the only one that has access to the "localhost" and 127.0.0.0 network (anything else wouldn't make sense). The information required to do the reverse lookups is found in /var/named/db.127.0.0.

NOTE: Be extra cautious about editing the zone db files - the location of periods is crucial to correct operation.

Next we create the /var/named/db.root file.
++++++++++++++++++++++++++++++++++++++++++

This is done by getting it from a credible name server on the internet, by doing the following (as root of course):
    'dig @a.root-servers.net . ns > /var/named/db.root'
This process should be repeated every month or so to ensure we are up to date - see maintenance below.

/var/named/db.root
------------------------------------------------------
; <<>> DiG 8.2 <<>> @a.root-servers.net . ns
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
.                       6D IN NS        J.ROOT-SERVERS.NET.
.                       6D IN NS        K.ROOT-SERVERS.NET.
.                       6D IN NS        L.ROOT-SERVERS.NET.
.                       6D IN NS        M.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90

;; Total query time: 131 msec
;; FROM: henry.novatek.co.nz to SERVER: a.root-servers.net  198.41.0.4
;; WHEN: Mon Aug 16 22:36:43 1999
;; MSG SIZE  sent: 17  rcvd: 436
-----------------------------------------------------------------

What does this mean:
Looking at the first 13 entries following ";; ANSWER SECTION": this tells us that there are 13 nameservers that can answer for the root domain "." (that is where the .com, .edu, .nz, .ca, and so on servers are). The ttl of 6 days behaves slightly differently to other cached data. Here, instead of the data being discarded after its ttl expires, it initiates a new request to refresh its data.

Looking at the following 13 "A" records: these assign the specific IP addresses to the designated name servers. These records have a ttl (refresh - not discard - only in this instance) of 41 days 16 hours, somewhat longer than the "NS" records. I guess this means that these nameservers have less likelihood of changing their IP addresses than the root topology of the internet has of changing. Makes sense - doesn't it?

In addition to this file behaving differently to other db zones, it is the only db file that does not have a SOA (Start of Authority) RR (Resource Record). That is because a SOA RR is used to indicate that this nameserver is the best (authoritative) server for the zone defined in the zone db file. Any server other than the root servers cannot be authoritative for the root zone.

Finally onto the last file, /var/named/db.127.0.0
----------------------------------------------------
$TTL 1D
@       IN SOA  henry.novatek.co.nz. hostmaster.novatek.co.nz. (
                1999022700      ; Serial
                8H              ; Refresh
                2H              ; Retry
                1W              ; Expire
                1D )            ; Minimum
        IN NS   henry.novatek.co.nz.
1       IN PTR  localhost.
--------------------------------------------------------

What this means:
The "$TTL 1D" at the start sets the default time to live for all RRs when they are cached in other (non-authoritative) nameservers. We select 1 day.

The purpose of a SOA record is to indicate to the nameserver that it is the best (authoritative) nameserver for the zone (127.0.0.x in this case). The first name after 'SOA' is the hostname, the second is the mail address (substitute @ for the first .). The serial number is a unique counter yyyymmddnn comprising a date followed by two digits. Each time this file is updated the date should be updated, and nn represents the nth update on that day. Refresh is the time between slave refreshes. If the refresh fails, retry is the period between further attempts to update. Expire is the time since the last refresh that the info cached at the slave will be kept before discarding it. TTL is the minimum time to live value given with each DNS request. The requestor will cache the DNS request for this period before discarding it.

The NS RR indicates that this host is the nameserver. The PTR record indicates that "1" (127.0.0.1) points back to the local host.

Now we are ready to test our caching name server configuration. In one window do a 'tail -f /var/log/messages', and in another window, simply as root, '/etc/rc.d/init.d/named restart'. In the logging window you should see:

------------------------------------------------------------
Aug 16 23:05:55 henry named[1307]: starting.  named 8.2.1 Fri Jul 9 13:48:52 CST 1999 ^Iroot@nickpc.tyee.vtc.edu.hk:/usr/lib/src/redhat/BUILD/bind-8.2.1/src/bin/named
Aug 16 23:05:55 henry named[1307]: hint zone "" (IN) loaded (serial 0)
Aug 16 23:05:55 henry named[1307]: master zone "0.0.127.in-addr.arpa" (IN) loaded (serial 1999022700)
Aug 16 23:05:55 henry named[1307]: listening on [127.0.0.1].53 (lo)
Aug 16 23:05:55 henry named[1307]: listening on [192.168.0.3].53 (eth0)
Aug 16 23:05:55 henry named[1307]: Forwarding source address is [0.0.0.0].1028
Aug 16 23:05:55 henry named[1308]: Ready to answer queries.
---------------------------------------------------------------

Now continuing with the testing. The documentation suggests just running 'nslookup'. However, if there was perhaps a 'named' running previously (perhaps even configured incorrectly), it could have picked up and cached another nameserver (likely your ISP's, from resolv.conf), and it will take time to flush that out of the cache. The following sequence of commands demonstrates it is working.

-----------------------------------------------
root@gateway:/etc>nslookup
Default Server:  proxy1.rdc1.bc.wave.home.com
Address:  24.2.10.33

> ^d
root@gateway:/etc>nslookup - localhost.
Default Server:  localhost
Address:  127.0.0.1

> ora.com
Server:  localhost
Address:  127.0.0.1

Name:    ora.com
Address:  204.148.40.9

> ora.com
Server:  localhost
Address:  127.0.0.1

Non-authoritative answer:
Name:    ora.com
Address:  204.148.40.9

> 127.0.0.1
Server:  localhost
Address:  127.0.0.1

Name:    localhost
Address:  127.0.0.1

> ^d
---------------------------------------------

Note that the second time ora.com is queried, we get the localhost nameserver's cached result. Also, the reverse lookup for localhost works.

d. DNS Periodic Maintenance
++++++++++++++++++++++++++++

Once DNS is running, we need to periodically (say, once a month) update the hints database. The following script is plagiarised from the DNS HOWTO and TrinityOS.
/var/named/update-db.root
------------------------------------------------------------------
#!/bin/sh
#
# Update the nameserver cache information file once per month.
# This is run automatically by a cron entry.
#
# No trailing ':' on PATH: that would add the current directory
# (/var/named after the cd) to the search path.
export PATH=/sbin:/usr/sbin:/bin:/usr/bin
cd /var/named
dig @c.root-servers.net . ns > root.hints 2> result
DIG_OUTCOME=FAIL
if [ `grep -c SERVFAIL root.hints` = 0 ] && [ `grep -c ROOT-SERVERS root.hints` -gt 0 ]
then
    DIG_OUTCOME=SUCCESS
    mv -f db.root db.root.old
    cp -f root.hints db.root
    chown root:root db.root
    chmod 444 db.root
    echo -n "Restarting named: " >> result
    /etc/rc.d/init.d/named restart >> result
fi
(
    echo "To: hostmaster "
    echo "From: system "
    echo "Subject: DNS monthly hints.db update status: $DIG_OUTCOME."
    echo
    cat root.hints result
    echo
) | /usr/sbin/sendmail -t
rm -f result root.hints
exit 0
---------------------------------------------------------------

Now make the file rwx only by root: 'chmod 700 /var/named/update-db.root'
And put it in the monthly cron job: 'ln -s /var/named/update-db.root /etc/cron.monthly/update-db.root'

SOME BASIC SECURITY
*******************

Most of this is from TrinityOS Section 8, the Security-HOWTO, what I have written for gateway, etc.

New release updates - Policy Suggestion
+++++++++++++++++++++++++++++++++++++++

See notes for Gateway.

Disable CTRL ALT DEL
++++++++++++++++++++

Do this as root. Comment out
    #ca::ctrlaltdel:/sbin/shutdown -t3 -r now
in /etc/inittab, then do a 'telinit q' to re-initialise.

TCP WRAPPERS
++++++++++++

One can never be safe enough. TCP Wrappers provide an additional level of security on all inetd services using tcpd. This is my tcp configuration. Look at the man pages for tcpd, hosts.deny and hosts.allow, as well as TrinityOS.

Firstly, comment out those services in /etc/inetd that you do not want to support.
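Before HUPing inetd it helps to know what tcpd will decide for a given daemon and client under the hosts.allow and hosts.deny pair that follows. The sh script below is an added example, not part of the original notes: it embeds a constructed copy of those two files (comments stripped), applies tcpd's order (a hosts.allow match grants, else a hosts.deny match refuses, else access is granted), and handles the patterns used in them plus the leading-dot domain and trailing-dot network forms; the client name is assumed to be what tcpd would obtain from reverse DNS, and option fields after a second ':' are not parsed.

```shell
#!/bin/sh
# Added example (not from the original notes): dry-run tcpd's access
# decision for the hosts.allow / hosts.deny pair used on henry, so a
# rule change can be checked before 'killall -HUP inetd'.
# Order is tcpd's: hosts.allow match -> allow; else hosts.deny match
# -> deny; else allow.  Client patterns handled: ALL, LOCAL, an exact
# host name or address, a leading-dot domain suffix and a trailing-dot
# network prefix.  The name is what tcpd gets from reverse DNS, so a
# client without a usable PTR can only ever match by address.

# The two files as listed in the notes, minus comments (constructed copy).
HOSTS_ALLOW='ALL: 127.0.0.1, 192.168.0.3
ALL: hershel.novatek.co.nz, 24.113.94.87, 192.168.0.254
in.ftpd: ALL
in.httpd: ALL'
HOSTS_DENY='ALL: ALL'

# match_token PATTERN NAME ADDR -> 0 if the client matches one list element
match_token() {
    pat=$1; name=$2; addr=$3
    case $pat in
        ALL)   return 0 ;;
        LOCAL) case $name in *.*) return 1 ;; *) return 0 ;; esac ;;  # name without a dot
        .*)    case $name in *"$pat") return 0 ;; esac ;;              # domain suffix
        *.)    case $addr in "$pat"*) return 0 ;; esac ;;              # network prefix
        *)     [ "$pat" = "$name" ] || [ "$pat" = "$addr" ] && return 0 ;;
    esac
    return 1
}

# rule_matches "DAEMONS: CLIENTS" DAEMON NAME ADDR -> 0 if the line applies
rule_matches() {
    line=$1; daemon=$2; name=$3; addr=$4; hit=1
    for d in $(printf '%s' "${line%%:*}" | tr ',' ' '); do
        [ "$d" = ALL ] || [ "$d" = "$daemon" ] && hit=0
    done
    [ $hit -eq 0 ] || return 1
    for c in $(printf '%s' "${line#*:}" | tr ',' ' '); do
        match_token "$c" "$name" "$addr" && return 0
    done
    return 1
}

# rules_match RULES DAEMON NAME ADDR -> 0 if any non-comment line applies
rules_match() {
    rules=$1; shift
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        rule_matches "$line" "$@" && return 0
    done <<EOF
$rules
EOF
    return 1
}

# tcpd_decision DAEMON NAME ADDR -> prints allow or deny
tcpd_decision() {
    if rules_match "$HOSTS_ALLOW" "$@"; then echo allow
    elif rules_match "$HOSTS_DENY" "$@"; then echo deny
    else echo allow
    fi
}
```

Note that tcpd only sees services started from inetd; httpd on henry runs as a standalone daemon (see the chkconfig list), so the in.httpd line never applies to it.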
/etc/hosts.deny
-----------------------------------------------------------------------
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!

# Opt for a mostly closed policy. - More secure
ALL: ALL
-----------------------------------------------------------------------

/etc/hosts.allow
-----------------------------------------------------------------------
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Give complete access for all to the local host
ALL: 127.0.0.1, 192.168.0.3

# Define access rules for hosts on the local network.
# hershel and both interfaces of gateway are trusted to access this host.
ALL: hershel.novatek.co.nz, 24.113.94.87, 192.168.0.254

# Give ftp (port 21) and http (port 80) to all.
in.ftpd: ALL
in.httpd: ALL
----------------------------------------------------------------------

Notes: Even though we have a trusted private network, it is wise to only permit access on an as-required basis.

To get the new settings activated, 'killall -HUP inetd' as root.

Root Access to the Following Files
++++++++++++++++++++++++++++++++++

Courtesy of TrinityOS.wri Section 8, with some changes that I have commented. I pasted these commands into a file, made it executable and ran it.
./secure
--------------------------------------------------------
# Files in /bin
chmod 750 /bin/bru
chmod 750 /bin/linuxconf
chmod 750 /bin/mount
chmod 750 /bin/mt
chmod 750 /bin/setserial
chmod 750 /bin/umount
# Files in /sbin
chmod 750 /sbin/accton
chmod 750 /sbin/badblocks
chmod 750 /sbin/ctrlaltdel
chmod 750 /sbin/chkconfig
chmod 750 /sbin/chkraid
chmod 750 /sbin/debugfs
chmod 750 /sbin/depmod
chmod 750 /sbin/dhcpcd
chmod 750 /sbin/dump*
chmod 750 /sbin/fdisk
chmod 750 /sbin/fsck*
chmod 750 /sbin/ftl*
chmod 750 /sbin/getty
chmod 750 /sbin/halt
chmod 750 /sbin/hdparm
chmod 750 /sbin/hwclock
chmod 750 /sbin/ide_info
chmod 750 /sbin/if*
chmod 750 /sbin/init
chmod 750 /sbin/insmod
chmod 750 /sbin/ipfwadm
chmod 750 /sbin/ipx*
chmod 750 /sbin/isapnp
chmod 750 /sbin/kerneld
chmod 750 /sbin/killall*
chmod 750 /sbin/lilo
chmod 750 /sbin/mgetty
chmod 750 /sbin/mingetty
chmod 750 /sbin/mk*
chmod 750 /sbin/mod*
chmod 750 /sbin/netreport
chmod 750 /sbin/pam*
chmod 750 /sbin/pcinitrd
chmod 750 /sbin/pnpdump
chmod 750 /sbin/portmap
chmod 750 /sbin/quotaon
chmod 750 /sbin/raidadd
chmod 750 /sbin/restore
chmod 750 /sbin/runlevel
chmod 750 /sbin/stinit
chmod 750 /sbin/swapon
chmod 750 /sbin/tune2fs
chmod 750 /sbin/uugetty
chmod 750 /sbin/vgetty
# Files in /usr/bin
chmod 750 /usr/bin/control-panel
chmod 750 /usr/bin/comanche
chmod 750 /usr/bin/eject
chmod 750 /usr/bin/glint
# Lets not be too zealous with the gnome files!
chmod 755 /usr/bin/gnome*
chmod 750 /usr/bin/gpasswd
chmod 750 /usr/bin/ipx*
chmod 750 /usr/bin/kernelcfg
chmod 755 /usr/bin/lp*
chmod 4751 /usr/bin/lpr
# I changed lpr to have other xeq perms because
# altho' suid root, all users require printing.
chmod 750 /usr/bin/mformat
chmod 750 /usr/bin/minicom
chmod 750 /usr/bin/mtools
chmod 750 /usr/bin/netcfg
chmod 750 /usr/bin/rusers
chmod 750 /usr/bin/rwall
chmod 750 /usr/bin/uucp
# Files in /usr/sbin
chmod 750 /usr/sbin/am*
chmod 750 /usr/sbin/at*
chmod 750 /usr/sbin/automount
chmod 750 /usr/sbin/bootp*
chmod 750 /usr/sbin/crond
chmod 750 /usr/sbin/dhc*
chmod 750 /usr/sbin/dip
chmod 750 /usr/sbin/dump*
chmod 750 /usr/sbin/edquota
chmod 750 /usr/sbin/exportfs
chmod 750 /usr/sbin/fixmount
chmod 750 /usr/sbin/ftpshut
chmod 750 /usr/sbin/gated
chmod 750 /usr/sbin/group*
chmod 750 /usr/sbin/grp*
chmod 750 /usr/sbin/imapd
chmod 750 /usr/sbin/in.*
# give in.identd other xeq access
chmod 751 /usr/sbin/in.identd
chmod 750 /usr/sbin/inetd
chmod 750 /usr/sbin/ipop*
chmod 750 /usr/sbin/klogd
chmod 750 /usr/sbin/logrotate
chmod 750 /usr/sbin/lp*
chmod 755 /usr/sbin/lsof
chmod 750 /usr/sbin/makemap
chmod 750 /usr/sbin/mk-amd-map
chmod 750 /usr/sbin/mouseconfig
chmod 750 /usr/sbin/named*
chmod 750 /usr/sbin/nmbd
chmod 750 /usr/sbin/newusers
chmod 750 /usr/sbin/ntp*
chmod 750 /usr/sbin/ntsysv
chmod 750 /usr/sbin/pppd
chmod 750 /usr/sbin/pnpprobe
chmod 750 /usr/sbin/pw*
chmod 750 /usr/sbin/quota*
chmod 750 /usr/sbin/rdev
chmod 750 /usr/sbin/rdist
chmod 750 /usr/sbin/repquota
chmod 750 /usr/sbin/rhbackup
chmod 750 /usr/sbin/rotatelogs
chmod 750 /usr/sbin/rpc*
chmod 750 /usr/sbin/rwhod
chmod 750 /usr/sbin/samba
chmod 750 /usr/sbin/setup
chmod 750 /usr/sbin/showmount
chmod 750 /usr/sbin/smb*
chmod 750 /usr/sbin/sndconfig
chmod 750 /usr/sbin/snmp*
chmod 750 /usr/sbin/squid
chmod 750 /usr/sbin/syslogd
chmod 750 /usr/sbin/taper
chmod 750 /usr/sbin/tcpd*
chmod 750 /usr/sbin/time*
chmod 750 /usr/sbin/tmpwatch
chmod 750 /usr/sbin/tunelp
chmod 750 /usr/sbin/user*
chmod 750 /usr/sbin/uu*
chmod 750 /usr/sbin/vi*
chmod 750 /usr/sbin/wire-test
chmod 750 /usr/sbin/xntp*
chmod 750 /etc/rc.d/rc
chmod 750 /etc/rc.d/rc.*
-----------------------------------------------
It does not hurt to run this script occasionally, especially after upgrades and changes, since a package upgrade can silently restore the distribution's modes.

Some Changes to rc.local
++++++++++++++++++++++++
/etc/rc.d/rc.local
------------------------------------------------------------
#!/bin/sh
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

if [ -f /etc/redhat-release ]; then
    R=$(cat /etc/redhat-release)
    arch=$(uname -m)
    a="a"
    case "_$arch" in
        _a*) a="an";;
        _i*) a="an";;
    esac

    # This will overwrite /etc/issue at every boot.  So, make any changes you
    # want to make to /etc/issue here or you will lose them when you reboot.
    # NOTE: we do not want users on the net with bad intent to know the OS and
    # version at the log in prompt.
    echo "" > /etc/issue
    echo "Novatek Electronics Limited" >> /etc/issue
    echo "***************************" >> /etc/issue
    echo "" >> /etc/issue
    cp -f /etc/issue /etc/issue.net
    echo "$R" >> /etc/issue
    echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
    echo "" >> /etc/issue
    echo "\l@$(uname -n)" >> /etc/issue
    echo "telnet@$(uname -n)" >> /etc/issue.net
    echo "" >> /etc/issue
    echo "" >> /etc/issue.net
fi
---------------------------------------------------------------------
Notes on rc.local
1. Heed the security advice not to let any telnet users know the package, release and version that they are logging into; this further limits exploitation of package/release/version-specific holes. The release and kernel lines go only to /etc/issue (the console), never to /etc/issue.net.

FTP SERVER
**********
1. Use the latest version of wu-ftp. The other files /etc/ftp* are okay; only update /etc/ftpaccess for better security and control.
2.
/etc/ftpaccess
------------------------------------
class   all   real,guest,anonymous   *
email ftpmaster@novatek.co.nz
loginfails 3
banner /etc/msgs/ftpbanner
greeting brief
readme  README*    login
readme  README*    cwd=*
message /welcome.msg            login
message .message                cwd=*
limit   all   20   Any   /etc/msgs/ftptoomany
compress        yes             all
tar             yes             all
chmod           no              guest,anonymous
delete          no              guest,anonymous
overwrite       no              guest,anonymous
rename          no              guest,anonymous
upload  /home/ftp   *           no
upload  /home/ftp   /incoming   yes   ftp   ftp   0666
log commands real
log transfers anonymous,real inbound,outbound
passwd-check rfc822 enforce
-----------------------------------------------------
So, what have I done? Look at "man ftpaccess".
We only define one class, 'all', for all three types of accessors: real, guest and anonymous.
We give ourselves a reasonable email address.
Limit to three unsuccessful logins before being disconnected.
The greeting is brief, so as not to identify which ftp software is in use, or its version.
The banner (shown before the login message) is short, sweet and welcoming. See below. It lets the remote user know his credentials are being logged.
The readme and message lines: we do not need too much messaging. This is only an ftp site.
After limiting to a maximum of 20 users we set up privileges such that all can tar and compress, and only real users can chmod, delete, overwrite and rename; guests and anonymous users cannot.
For guest and anonymous, uploads are only to incoming.
For security we want to log all login attempts and transfers.
We also want to enforce password checking, for what it is worth.
The message files are:

WWW SERVER
**********
Note that all external www accesses to the external gateway interface are being port forwarded to this www server.
Using apache version 1.3.11-3. Out of the box the set up is adequate for startup. I did the following too:
created a group 'www' of gid '60' in /etc/group. I then added the users who are permitted to update this 'www' group to this line.
The line in /etc/group is:
-----------------------
www::60:jon,vanessa
-----------------------
I then changed the group ID of the /home/httpd directory to www:
chgrp -R www /home/httpd/*
chmod -R g+w /home/httpd/*
So now users jon and vanessa have group access to the httpd directory, which conveniently gives them write access to update files / pages using ftp.

I made some changes in /etc/httpd/conf/httpd.conf, they are:
------------------------------------------
ServerAdmin webkeeper@novatek.co.nz
ServerName www.novatek.co.nz
------------------------------------------
For the security aware (and shouldn't we all be), we want to hide the identity and version of the server. We do this with:
-----------------------
ServerSignature Off
----------------------
This is not totally robust security, as the server identity is still exchanged in the client/server connection: the "Server:" header in the trace below gives away Apache 1.3.11 on Red Hat Linux. That header is controlled by ServerTokens rather than ServerSignature; in Apache 1.3, 'ServerTokens Min' cuts it back to the product and version, which hides the OS and modules but still reveals the version.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
15:36:58.994725 eth0 < 24.113.94.163.19529 > 192.168.0.3.www: S 2522918840:2522918840(0) win 512
15:36:58.994849 eth0 > 192.168.0.3.www > 24.113.94.163.19529: S 2533346150:2533346150(0) ack 2522918841 win 7300 (DF)
15:36:59.038991 eth0 < 24.113.94.163.19529 > 192.168.0.3.www: . 1:1(0) ack 1 win 32120 (DF)
15:36:59.039987 eth0 < 24.113.94.163.19529 > 192.168.0.3.www: P 1:332(331) ack 1 win 32120 (DF)
GET / HTTP/1.0
Host: www.cmex.org
Accept: text/html, text/plain, text/sgml, video/mpeg, image/jpeg, image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm, image/gif, application/postscript, */*;q=0.01
Accept-Encoding: gzip, compress
Accept-Language: en
Negotiate: trans
User-Agent: Lynx/2.8rel.2 libwww-FM/2.14

15:36:59.040105 eth0 > 192.168.0.3.www > 24.113.94.163.19529: . 1:1(0) ack 332 win 7300 (DF)
15:36:59.045489 eth0 > 192.168.0.3.www > 24.113.94.163.19529: P 1:1461(1460) ack 332 win 7300 (DF)
HTTP/1.1 200 OK
Date: Sat, 19 Feb 2000 23:36:59 GMT
Server: Apache/1.3.11 (Unix) (Red Hat/Linux)
Last-Modified: Sat, 19 Feb 2000 05:54:24 GMT
ETag: "1421e-c98-38ae3010"
Accept-Ranges: bytes
Content-Length: 3224
Connection: close
Content-Type: text/html
. . . . . . .
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Virtual Hosting
***************
Note: have a look at the virtual configuration sheet. It has a more comprehensive virtual hosting approach. This writeup was done first, then I did the virtual hosting sheet, which builds on this.

Choose a location on the disk to house the virtual hosts. I'm using "/usr/local/www/" (created as root). All the virtual hosts are in subdirectories off this directory root. I also have added users with the same names as the virtual host subdirectories. I've made the ownership of the subdirectory belong to the added user. eg:
mkdir /usr/local/www/cmex            # need to be root to do this.
mkdir /usr/local/www/cmex/cgi-bin
adduser cmex
passwd cmex
chown cmex:www /usr/local/www/cmex
chown cmex:www /usr/local/www/cmex/cgi-bin
chmod 755 /usr/local/www/cmex
chmod 755 /usr/local/www/cmex/cgi-bin
User cmex can put and edit its html files in this directory. With that explained, we need to make the corresponding changes in the config file. Look at www.apache.org's documentation on virtual hosting to further understand this.
>>>>>>>>>>>>>>>>>>>>>>>>>>/etc/httpd/conf/httpd.conf
. . . . .
# Comment out ServerAdmin and ServerName
#ServerAdmin webkeeper@novatek.co.nz
#ServerName novatek.co.nz
#DocumentRoot "/usr/local/www/"
#
# Include UserDir and Directory as follows.  UserDir permits
# /~ to get to the appropriate directory.
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
#
UserDir /usr/local/www
<Directory /usr/local/www>
    Options MultiViews Includes FollowSymLinks ExecCGI
    AllowOverride All
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>
#
# Ensure UseCanonicalName On
UseCanonicalName On
#
. . . . . . . .
#
# Add a LogFormat that includes the virtual host in the record. This
# is my preference rather than separate log files. Also the logrotate's
# default setup only sees a default access_log and error_log
LogFormat "%V %h %l %u %t \"%r\" %>s %b" vcommon
CustomLog /var/log/httpd/access_log vcommon
#
. . . . . . .
#
NameVirtualHost 192.168.0.3:80

<VirtualHost 192.168.0.3:80>
    DocumentRoot "/usr/local/www/novatek"
    ServerName www.novatek.co.nz
    ServerPath "/usr/local/www/novatek"
    ServerAdmin webkeeper@novatek.co.nz
    ScriptAlias /cgi-bin/ /usr/local/www/novatek/cgi-bin/
</VirtualHost>

<VirtualHost 192.168.0.3:80>
    DocumentRoot "/usr/local/www/cmex"
    ServerName www.cmex.org
    ServerPath "/usr/local/www/cmex"
    ServerAdmin webkeeper@cmex.org
    ScriptAlias /cgi-bin/ /usr/local/www/cmex/cgi-bin/
</VirtualHost>

<VirtualHost 192.168.0.3:80>
    DocumentRoot "/usr/local/www/jon"
    ServerName jon.novatek.co.nz
    ServerPath "/usr/local/www/jon"
    ServerAdmin jon@novatek.co.nz
    ScriptAlias /cgi-bin/ /usr/local/www/jon/cgi-bin/
</VirtualHost>
<<<<<<<<<<<<<<<<<<<<<<<<<
(ScriptAlias does a plain prefix replacement, so the target directory needs the trailing slash to match the one in /cgi-bin/.)

>>>>>>>>>>>>>>>>>>/etc/fstab
/dev/hdb2   /           ext2    defaults        1 1
/dev/hdb1   swap        swap    defaults        0 0
/dev/hda1   /c          vfat    defaults        0 0
none        /proc       proc    defaults        0 0
none        /dev/pts    devpts  gid=5,mode=620  0 0
<<<<<<<<<<<<<<<
>>>>>>>>>>>>>>/etc/auto.master
/mnt    /etc/auto.misc    -t 60
<<<<<<<<<<<<<<
>>>>>>>>>>>>>>/etc/auto.misc
cd          -fstype=iso9660,ro,nosuid,nodev   :/dev/cdrom
fd          -fstype=auto                      :/dev/fd0
gateway     -ro,soft,intr                     gateway:/
hal-9000    -ro,soft,intr                     hal-9000:/
hercules    -ro,soft,intr                     hercules:/
<<<<<<<<<<<<<<
. . .
------------------------
Check hosts.allow on the hosts to ensure that they permit portmap access from hal-9000.
-------------------------
portmap: 192.168.0.3
-------------------------
Then stop and restart the following daemons on the host.
/etc/rc.d/init.d/nfs stop
/etc/rc.d/init.d/portmap stop
/etc/rc.d/init.d/nfslock stop
/etc/rc.d/init.d/portmap start
/etc/rc.d/init.d/nfs start
/etc/rc.d/init.d/nfslock start
killall -HUP inetd
Now check that it works by changing to any of the automounted nfs directories. One of the reasons for making the nfs mounts automounts is that the hosts may not always be present.

SOME BASIC SETUP COSMETICS
**************************
Look at:
Config-HOWTO
HOWTO/mini/Colour-ls
Keyboard-and-Console-HOWTO
Remember current version of X 3.3.3.1-52

1. Not used
----------------------------------
2.
Taming bash
---------------
Look at the color ls mini howto, and the Config-HOWTO.

/etc/profile
------------------------------------------------
# /etc/profile
# System wide environment and startup programs
# Functions and aliases go in /etc/bashrc
# Users can override these settings and/or add others in their
# $HOME/.bash_profile

PATH="$PATH:/usr/X11R6/bin:/usr/local/bin"
PS1="\u@\h:\w>"
PS2=". . .>"

ulimit -c 1000000
if [ `id -gn` = `id -un` -a `id -u` -gt 14 ]; then
    umask 002
else
    umask 022
fi

USER=`id -un`
LOGNAME=$USER
MAIL="/var/spool/mail/$USER"
NNTPSERVER=news.rchmd1.bc.wave.home.com
VISUAL=vi
EDITOR=vi
HOSTNAME=`/bin/hostname`
HISTSIZE=1000
HISTFILESIZE=1000
INPUTRC=/etc/inputrc
PRINTER=hp850c

export PATH PS1 HOSTNAME HISTSIZE HISTFILESIZE USER LOGNAME MAIL INPUTRC
export NNTPSERVER VISUAL EDITOR PRINTER

# enable colour ls
eval `dircolors /etc/DIR_COLORS -b`
#export LS_OPTIONS='-s -F -T 0 --color=yes'
#LS_COLORS="di=33;1" ; export LS_COLORS

# customize less
LESS='-M-Q'
LESSEDIT="%E ?lt+%lt. %f"
LESSOPEN="| lesspipe.sh %s"
LESSCHARSET=latin1
LESSCHARDEF=8bcccbcc13b.4b95.33b.     # show colours in ls -l | less
export LESS LESSEDIT LESSOPEN LESSCHARSET LESSCHARDEF

for i in /etc/profile.d/*.sh ; do
    if [ -x $i ]; then
        . $i
    fi
done
unset i

# call fortune, if available
if [ -x /usr/games/fortune ] ; then
    echo ; /usr/games/fortune ; echo
fi
----------------------------------------------------

/etc/bashrc
-------------------------------------------------
# /etc/bashrc
# System wide functions and aliases
# Environment stuff goes in /etc/profile

# For some unknown reason bash refuses to inherit
# PS1 in some circumstances that I can't figure out.
# Putting PS1 here ensures that it gets loaded every time.
PS1="\u@\h:\w>"
PS2=". . .>"

alias ls="ls --color=auto -s -F -T 0"
alias dir="dir --full-time --color=auto -a -l -F -T 0"
alias lo="logout"
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias md='mkdir'

# The following line gets backspace and delete to behave like backspace
# used with "xterm*ttyModes: erase ^?" in ~/.Xdefaults.  Pipe stdout
# and stderr to /dev/null to avoid showing error messages when
xmodmap -e "keysym BackSpace = Delete" > /dev/null 2> /dev/null
------------------------------------------------

/etc/inputrc
-------------------------------------------------
set meta-flag on
set input-meta on
set convert-meta off
set output-meta on
"\e0d": backward-word
"\e0c": forward-word
"\e[h": beginning-of-line
"\e[f": end-of-line
"\e[1~": beginning-of-line
"\e[4~": end-of-line
"\e[5~": beginning-of-history
"\e[6~": end-of-history
"\e[3~": delete-char
"\e[2~": quoted-insert
------------------------------------------------

/etc/skel/.bashrc
------------------------------------------------
# .bashrc
# User specific aliases and functions
# Source global definitions
if [ -f /etc/bashrc ]; then
    . /etc/bashrc
fi
-------------------------------------------------

/etc/skel/.bash_profile
--------------------------------------------------
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
# User specific environment and startup programs
PATH=$PATH:$HOME/bin
BASH_ENV=$HOME/.bashrc
USERNAME=""
export USERNAME BASH_ENV PATH
--------------------------------------------------

Using lesspipe.sh as a frontend processor to list .tar, .gzip, rpm contents, etc. etc. It works in conjunction with the LESSOPEN env var defined in profile above. Ensure /usr/local/bin is in the $PATH. (File name arguments are quoted below so that names containing spaces are handled.)
-------------------------------------------------------------
#!/bin/sh
# This is a preprocessor for 'less'.  It is used when this environment
# variable is set:  LESSOPEN="|lesspipe.sh %s"

lesspipe() {
    case "$1" in
    *.tar) tar tf "$1" 2>/dev/null ;;                     # View contents of .tar and .tgz files
    *.tgz|*.tar.gz|*.tar.Z|*.tar.z) tar ztf "$1" 2>/dev/null ;;
    *.Z|*.z|*.gz) gzip -dc "$1" 2>/dev/null ;;            # View compressed files correctly
    *.zip) unzip -l "$1" 2>/dev/null ;;                   # View archives
    *.arj) unarj -l "$1" 2>/dev/null ;;
    *.rpm) rpm -qpil "$1" 2>/dev/null ;;
    *.cpio) cpio --list -F "$1" 2>/dev/null ;;
    *.1|*.2|*.3|*.4|*.5|*.6|*.7|*.8|*.9|*.n|*.man)
        FILE=`file -L "$1"`
        FILE=`echo $FILE | cut -d ' ' -f 2`
        if [ "$FILE" = "troff" ]; then
            groff -s -p -t -e -Tascii -mandoc "$1"
        fi ;;
    *) file "$1" | grep text > /dev/null ;
        if [ $? = 1 ] ; then
            # it's not some kind of text
            strings "$1"
        fi ;;
    esac
}

lesspipe "$1"
----------------------------------------------------------

3. Taming xterm and other X packages
-------------------------------------
I normally telnet to a host and 'su -' to root, and configure remotely. Often I lose track of which xterm belongs to which host, especially inside vi. A simple way of keeping track is to have the root xterms in different colors, set up in /root/.Xdefaults for the respective host. Run 'showrgb | less' to select colors; I am not putting the output here, it is over 750 lines long.
Tip: have a look at /usr/X11R6/man/whatis to find out about X related commands.

/etc/skel/.Xdefaults
--------------------------------------------------
! Parts (C) 1996 By Greg J. Badros
! You may use this file as specified under the GNU General Public License
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! emacs, xemacs
emacs*Background: DarkSlateGray
emacs*Foreground: Wheat
emacs*pointerColor: Orchid
emacs*cursorColor: Orchid
emacs*bitmapIcon: on
emacs*font: fixed
emacs.geometry: 80x25
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! xterm (and friends)
XTerm*highlightSelection: true
! Uncomment this to use color for the bold attribute
XTerm*VT100*colorBDMode: on
XTerm*VT100*colorBD: blue
! Uncomment this to use color for underline attribute
XTerm.VT100*colorULMode: on
XTerm.VT100*underLine: off
XTerm*VT100*colorUL: magenta
! Uncomment this to display the scrollbar
XTerm*scrollBar: true
! This resource specifies whether or not to ignore the 'alternate screen'
! of applications such as vi.  When it is on, these applications will restore
! the contents of the screen when they are exited to what they were before
! they were started.  When it is off, the contents of vi will remain on the
! screen after the program is quit.
XTerm.VT100.titeInhibit: true
! Uncomment this to turn off color mode in your xterms
!XTerm.VT100*colorMode: off
XTerm.VT100*dynamicColors: on
! Number of lines of scrollback to save
XTerm*saveLines: 1500
xterm*reverseWrap: true
*visualBell: true
*scrollTtyOutput: False
*scrollKey: True
Scrollbar.JumpCursor: True
------------------------------------------------------

root/.Xdefaults (for root)
------------------------------------------------------
#ifd
ef COLOR
*customization: -color
#endif
emacs*Background: DarkSlateGray
emacs*Foreground: Wheat
emacs*pointerColor: Orchid
emacs*cursorColor: Orchid
emacs*bitmapIcon: on
emacs*font: fixed
emacs.geometry: 80x25
Seyon.modems: /dev/modem
xterm*background: Black
xterm*foreground: Wheat
xterm*cursorColor: Orchid
xterm*reverseVideo: false
xterm*scrollBar: true
xterm*saveLines: 5000
xterm*reverseWrap: true
xterm*font: fixed
xterm*fullCursor: true
xterm*scrollTtyOutput: off
xterm*scrollKey: on
#xterm*VT100.Translations: #override\n\
#    Prior : scroll-back(1,page)\n\
#    Next : scroll-forw(1,page)
xterm*titleBar: true
--------------------------------------------------
Note that I've changed the color of the root screen from the defaults. This is because I am often logged in as root to two or more private hosts, and differing colors are a great way to identify which xterms belong to which hosts.
Unresolved Stuff with Console and Keyboard
++++++++++++++++++++++++++++++++++++++++++
I have not got a satisfactory answer for delete and backspace. The current config makes the delete and backspace keys work like the backspace key on xterms. Then in programs like Netscape, both keys behave like delete???? If Linux wants to get workstation market share, it will need to clean this one up.

MAIL SETUP
**********

SAMBA SETUP

PRINTING CLIENT

FAX CLIENT TO HYLAFAX

NIS
***
Note that NIS, NFS and adding-users configuration are all interrelated. It's a good idea to familiarise yourself with all of them to appreciate the interaction.
Refs: NIS Howto

Why would we want NIS
+++++++++++++++++++++
NIS provides a centralised generic client / server database system. This system has found favour for sharing passwd and group files across hosts on a network. Practically this means a user can use the same login on the (NIS client) hosts, and this information only needs to be maintained in one place (the NIS server).
Our NIS requirements are modest, a few users, therefore not requiring the security of NIS+. Also we can get by with one master server; we do not need slave servers (just yet).
Where NIS becomes attractive is when working in conjunction with NFS. Irrespective of which host a NIS'd user logs in to, the login lands in that user's home directory via an NFS mount. Thus a user has access to his or her files on the 'home' host.

Setting up the server
+++++++++++++++++++++
We need to edit /etc/sysconfig/network and add the following line to it:
----------------------------
NISDOMAIN=nis.novatek.co.nz
------------------------------
It is not necessary for the NIS domain name to be the same as our actual domain name. Sun recommends it for simplicity of configuration; Linux recommends against it for security. My "effective" compromise is to prefix the dns domain name with nis.
Instead of restarting networking (/etc/rc.d/init.d/network restart) with this change, the same effect is achieved by executing 'ypdomainname nis.novatek.co.nz'.
The next step was to run /usr/lib/yp/ypinit -m. It took a couple of tries before it would build. I needed to change some of the settings in /var/yp/Makefile:
-------------------------------
. . . . . .
#MERGE_GROUP=true
MERGE_GROUP=false
. . . . . . .
#all: passwd group hosts rpc services netid protocols netgrp mail \
#    #shadow publickey # networks ethers bootparams amd.home \
#    auto.master auto.home passwd.adjunct
all: passwd group hosts rpc services netid protocols mail \
    #shadow publickey # networks ethers bootparams amd.home \
    auto.master auto.home passwd.adjunct
. . . . . .
------------------------------
The commented lines are the originals, and the uncommented lines are the replacements that make things work, i.e. not merging shadow groups and no database for netgrp.

change /etc/hosts
nsswitch.conf

DHCP

XNTP

Software updated since Redhat 6.0 Release
*****************************************

TIPS AND TRICKS
***************

CONFIGURING GNOME / ENLIGHTENMENT
*********************************
/etc/skel/.Xclients
------------------------
#!/bin/bash
/usr/X11R6/bin/xearth -proj merc -pos 'fixed 0 -123' -day 55 -night 29 -term 100 -nomarkers &
exec /usr/bin/gnome-session
------------------------
As you can see, I use gnome and add xearth as a background. The reason for putting this file in /etc/skel is that this is the default window manager that is called when startx is issued.
For .Xclients in the root directory, I added 'xhost +localhost' just beneath '#!/bin/sh'. This is to get the screensaver to run. It runs as nobody:nobody, which does not have root privileges.

INSTALLING XEMACS
*****************
Got the RH 6.1 RPMs from xemacs; in fact I got the most recent ones from ftp.rpmfind.com/rawhide . . . xemacs-21.1.4-2.
I installed it and got a strange warning concerning lock-directories whenever I fired up xemacs. Searched the comp.emacs.xemacs archive at www.xemacs.org and found:

To: xemacs@xemacs.org
Subject: Re: RH rpm problems
From: Jeff Hutchison
Date: 03 Nov 1999 09:48:56 -0500
Newsgroups: comp.emacs.xemacs
Organization: http://extra.newsguy.com
References:
Xref: wodc7nx0 comp.emacs.xemacs:3165

Graham Gough writes:
[snip]
> I thought I'd try the rpm from the 6.1 distribution to see if that
> worked any better and indeed my mail problem no longer occurred, but
> this time I got
>
> WARNING:
> Couldn't find obvious defaults for:
> lock-directory
> Perhaps some directories don't exist, or the XEmacs executable,
> /usr/bin/xemacs
> is in a strange place?
>
> There does appear to be a problem with the xemacs rpms, has anyone else
> had similar experiences? I've looked on Deja, but couldn't find anything.

I created a directory called /var/lock/xemacs and gave it the same permissions as /tmp (1777). Stopped the message, but I never see anything in the directory.

Getting Remote XDM serving working
**********************************
Redhat's Gnome does not use xdm, they use a program called gdm. Using the out of the box configuration (RH6.1), the last line of /etc/inittab will be:
>>>>>>>>>>>>>>>>>
x:5:respawn:/etc/X11/prefdm -nodaemon
<<<<<<<<<<<<<<<<<
prefdm calls gdm if the standard Gnome configuration is used. Make the following changes to inittab:
1. Remove the -nodaemon on 'x:5:respawn:/etc/X11/prefdm'
2. Change the default level to 5: 'id:5:initdefault:'
Then make the following changes to /etc/X11/gdm/gdm.conf to make sure the [xdmcp] section looks like:
[xdmcp]
Enable=1
HonorIndirect=0
MaxPending=4
MaxPendingIndirect=4
MaxSessions=16
MaxWait=30
MaxWaitIndirect=30
Port=177
Note that XDMCP (udp port 177) carries no authentication of its own, so it should stay reachable only from the private network.

Getting autorpm working
***********************
I wanted a tool that could look at the latest rpms in rawhide (Redhat's bleeding edge), advise me of which rpms have been updated since the last check, and download the changed files. In effect I am mirroring rawhide's bleeding edge installation image, plus getting a periodic email advising me of the changes.
I got the latest autorpm from http://www.kaybee.org/~kirk/html/linux.html and installed it. I then went to /etc/autorpm.d/ and edited autorpm.conf as follows:
>>>>>>>>>>>>>>>>>>>>>>>/etc/autorpm.d/autorpm.conf
# `man autorpm.conf` for details
# Try connecting to FTP sites 10 times with 20-500 seconds delay between each try.
FTP_Retries ("10");
FTP_Retry_Delay ("20", "500");
Report_Queues_To ("");

ftp ("ftp://rpmfind.net/linux/rawhide/1.0/i386/") {
    Report_To ("root");
    Recursive (Yes);
    Recursive_Compare_To_Dir ("/usr/local/ftp/novatek/pub/redhat/latest/i386");
    action (updated) {
        Report (Yes);
        Delete_Old_Version (Yes);
        Recursive_Store ("/usr/local/ftp/novatek/pub/redhat/latest/i386");
    }
    action (new) {
        Report (Yes);
        Recursive_Store ("/usr/local/ftp/novatek/pub/redhat/latest/i386");
    }
}
<<<<<<<<<<<<<<<<<<<<<<<<