
Rootserver

From CrazyLinux

The server is mainly intended to serve as a web and mail server.

Contents

1 Basic configuration

1.1 HDParm

1.2 Software RAID

1.3 HDDTemp

1.4 NTP-Date

1.5 smartmontools

Current hard disks support SMART, which lets you query their 'health status':

/etc/smartd.conf

...
#DEVICESCAN
# First two SCSI disks.  This will monitor everything that smartd can
# monitor.  Do extended self-tests Wednesdays at 6pm and Sundays at 1 am
/dev/sda -d ata -s L/../../3/18
/dev/sdb -d ata -s L/../../7/01
...

1.6 cron-apt

The package lists are updated via cron, and a syslog entry is written if new updates are available.

2 Services

2.1 Cron

root crontab:

30      07      *       *       *       /home/www/_server/bin/webtraffic.pl
30      05      *       *       *       /home/www/_server/bin/webalizer.sh
01      08      *       *       *       /usr/bin/graphdefang.pl -quiet
04      06      *       *       *       /home/backup/bin/packagelist.sh

2.2 Webserver

2.2.1 PHP4

2.2.2 Mod-Security

2.2.3 Web statistics

2.2.4 Mod-PAM

2.3 Mail server

2.3.1 Sendmail

Sendmail configuration including:

    • Spam protection with SpamAssassin
    • Virus scanning with ClamAV
    • Razor
    • SMTP AUTH
    • MIMEDefang, a Sendmail filter used to plug in the spam/virus protection
    • SSL/TLS


2.4 Sendmail

2.4.1 Config

The file /etc/mail/sendmail.mc must be adapted accordingly:

divert(-1)dnl
#-----------------------------------------------------------------------------
# $Sendmail: debproto.mc,v 8.13.4 2005-06-03 16:49:22 cowboy Exp $
#
# Copyright (c) 1998-2005 Richard Nelson.  All Rights Reserved.
#
# cf/debian/sendmail.mc.  Generated from sendmail.mc.in by configure.
#
# sendmail.mc prototype config file for building Sendmail 8.13.4
#
# Note: the .in file supports 8.7.6 - 9.0.0, but the generated
#       file is customized to the version noted above.
#
# This file is used to configure Sendmail for use with Debian systems.
#
# If you modify this file, you will have to regenerate /etc/mail/sendmail.cf
# by running this file through the m4 preprocessor via one of the following:
#       * `sendmailconfig`
#       * `make`
#       * `m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf`
# The first two options are preferred as they will also update other files
# that depend upon the contents of this file.
#
# The best documentation for this .mc file is:
# /usr/share/doc/sendmail-doc/cf.README.gz
#
#-----------------------------------------------------------------------------
divert(0)dnl
#
#   Copyright (c) 1998-2005 Richard Nelson.  All Rights Reserved.
#
#  This file is used to configure Sendmail for use with Debian systems.
#
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl
include(`/etc/mail/sasl/sasl.m4')dnl
define(`confAUTH_OPTIONS', `A p')dnl
VERSIONID(`$Id: sendmail.mc, v 8.13.4-3 2005-06-03 16:49:22 cowboy Exp $')
define(`confSMTP_LOGIN_MSG', `gretchen.dyndns.info Mailserver; $b')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
dnl undefine(`confHOST_STATUS_DIRECTORY')dnl        #DAEMON_HOSTSTATS=
dnl # Items controlled by /etc/mail/sendmail.conf - DO NOT TOUCH HERE
dnl #
dnl # General defines
dnl #
dnl # SAFE_FILE_ENV: [undefined] If set, sendmail will do a chroot()
dnl #   into this directory before writing files.
dnl #   If *all* your user accounts are under /home then use that
dnl #   instead - it will prevent any writes outside of /home !
dnl #   define(`confSAFE_FILE_ENV',             `')dnl
dnl #
dnl # Daemon options - restrict to servicing LOCALHOST ONLY !!!
dnl # Remove `, Addr=' clauses to receive from any interface
dnl # If you want to support IPv6, switch the commented/uncommentd lines
FEATURE(`no_default_msa')dnl
dnl DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MTA-v4, Port=smtp')dnl
dnl DAEMON_OPTIONS(`Family=inet6, Name=MSP-v6, Port=submission, Addr=::1')dnl
DAEMON_OPTIONS(`Family=inet,  Name=MSP-v4, Port=submission')dnl
dnl DAEMON_OPTIONS(`Family=inet, Port=465, Name=MTA-SSL, M=s')dnl
dnl #
dnl # Be somewhat anal in what we allow
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
dnl #
dnl # Define connection throttling and window length
define(`confCONNECTION_RATE_THROTTLE', `50')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
define(`confDOMAIN_NAME', `gretchen.dyndns.info')dnl
FEATURE(`use_cw_file')dnl
# Anti Spam

FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see http://www.ordb.org/faq/\#why_rejected"')dnl
FEATURE(`dnsbl',`sbl.spamhaus.org',`Rejected - see http://spamhaus.org/')dnl
FEATURE(`dnsbl',`list.dsbl.org',`"550 Rejected - see http://dsbl.org/listing?"$&{client_addr}')dnl
FEATURE(`dnsbl',`multihop.dsbl.org',`"550 Rejected - see http://dsbl.org/listing?"$&{client_addr}')dnl
FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"')dnl
dnl #FEATURE(`dnsbl', `blacklist.spambag.org', `"571 SPAM MAIL REJECTED from "$&{client_name}" by blacklist.spambag.org! Please see http://www.spambag.org for details."')dnl
FEATURE(`dnsbl', `ix.dnsbl.manitu.net', `"571 SPAM MAIL REJECTED from "$&{client_name}" by ix.dnsbl.manitu.net! Please see http://ix.dnsbl.manitu.net for details."')dnl
dnl #FEATURE(`dnsbl', `countries.blackholes.us', `"Spam blocked! See http://www.blackholes.us/"')dnl
FEATURE(`dnsbl',`rsbl.aupads.org',`"550 Mail from " $&{client_addr} " refused: spam site. See http://www.aupads.org/cgi-bin/rsbl-lookup?host_to_find="$&{client_addr}""')dnl
FEATURE(`dnsbl',`orvedb.aupads.org',`"550 Mail from " $&{client_addr} " refused: open relay. See: http://www.aupads.org/cgi-bin/ordb-lookup?host_to_find="$&{client_addr}""')dnl
FEATURE(`dnsbl',`duinv.aupads.org',`"550 Mail from host " $&{client_addr} " refused: We do not accept deliveries direct from remote dialups. Use your ISPs local SMTP server or authenticate via POP3 first. See http://www.aupads.org/cgi-bin/duinv-lookup?host_to_find="$&{client_addr}""')dnl
dnl #FEATURE(rhsbl,`dsn.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain do not accept bounces. This violates RFC 821/2505/2821 - see http://www.rfc-ignorant.org/"')
dnl #FEATURE(rhsbl,`postmaster.rfc-ignorant.org',`"550 Mail from domain " $`'&{RHS} " refused. MX of domain does not have a working postmaster address - see http://www.rfc-ignorant.org/"')

FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')dnl
dnl # The access db is the basis for most of sendmail's checking
dnl #FEATURE(`access_db', , `skip')dnl
FEATURE(`access_db')dnl
FEATURE(blacklist_recipients)dnl
dnl #
dnl # The greet_pause feature stops some automail bots - but check the
dnl # provided access db for details on excluding localhosts...
FEATURE(`greet_pause', `1000')dnl 1 second (value is in milliseconds)
dnl #
dnl # Delay_checks allows sender<->recipient checking
FEATURE(`delay_checks', `friend', `n')dnl
dnl #
dnl # If we get too many bad recipients, slow things down...
define(`confBAD_RCPT_THROTTLE',`3')dnl
dnl #
dnl # Stop connections that overflow our concurrent and time connection rates
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:1m;R:1m')dnl
dnl  specify the sender email address for all outgoing mail from the local
dnl  machine. most people also want to use "masquerade_envelope" to also
dnl  change the envelope addresses.
dnl  use "allmasquerade" to also change the recipient addresse. don't use
dnl  this feature, if you don't have the full /etc/aliases and the full
dnl  /etc/passwd on your host.
FEATURE(`masquerade_envelope')dnl
dnl #MASQUERADE_AS(`gretchen.dyndns.info')dnl
FEATURE(`always_add_domain')dnl
dnl #
dnl # If you're on a dialup link, you should enable this - so sendmail
dnl # will not bring up the link (it will queue mail for later)
dnl define(`confCON_EXPENSIVE',`True')dnl
dnl #
dnl # Default Mailer setup
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl

Generate sendmail.cf and restart sendmail:

hostname:/etc/mail# sendmailconfig

2.4.2 sasl

SASL is required for SMTP AUTH. Install the package libsasl2-modules, otherwise it will not work!

/etc/default/saslauthd

# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"

/etc/mail/sasl/sasl.m4

...
dnl # Define the REALM passed to sasl (8.13.0+)
ifelse(eval(sm_version_math >= 527616), `1', `dnl
define(`confAUTH_REALM', `mygretchen.de')dnl   # <= EDIT
')dnl
dnl # Available Authentication methods
dnl #
define(`confAUTH_MECHANISMS',dnl
`LOGIN PLAIN')dnl   # <= EDIT
define(`confAUTH_REALM', `mygretchen.de')dnl   # <= EDIT
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl   # <= EDIT (must match confAUTH_MECHANISMS)
...

/etc/mail/sasl/Sendmail.conf.2

auto_transition: true
pwcheck_method: saslauthd
allowanonymouslogin: 0
allowplaintext: 1
mech_list: EXTERNAL LOGIN PLAIN

2.4.3 Antispam

Ready-made filter rule sets are available at http://www.rulesemporium.com/

Exit0

Further rules

Howtos_Spam_Assassin_Rules_Du_Jour_Configuration

Installation of DCC and integration into SpamAssassin

2.4.4 Testing

Check that delivery to root works with sendmail -bv root:

hostname:/etc/mail# sendmail -bv root
sadmin... deliverable: mailer local, user xy

2.4.5 Backup mail exchanger

Simply add the domain to /etc/mail/relay-domains. Further information can be found at:

http://www.sendmail.org/%7Eca/email/chk-89f.html#RELAYING
http://www.sendmail.org/tips/relaying.html

2.4.6 Statistics

http://www.enderunix.org/isoqlog/

2.4.7 Whitelisting

If a provider has accidentally ended up on a blacklist, that sender can be whitelisted in /etc/mail/access:

connect:returns.groups.yahoo.com OK
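Every FEATURE(`dnsbl', ...) line in the sendmail.mc above works the same way: sendmail reverses the octets of the connecting client's address, appends the zone name and does an A lookup; any answer means "listed". The following Python script is added here as an example and is not part of the original page: it performs that lookup for a sender IP against the configured zones (worth doing before adding a whitelist entry) and also checks each zone against the RFC 5782 test addresses, so that a dead zone, or one that answers for every query, is noticed before it rejects all incoming mail. The injectable `resolve` parameter and the `dead.example` style test data are my own assumptions; the zone names are taken from the configuration above.

```python
import socket

# Zones taken from the FEATURE(`dnsbl', ...) lines in the sendmail.mc above.
ZONES = ["bl.spamcop.net", "sbl.spamhaus.org", "dnsbl.sorbs.net",
         "ix.dnsbl.manitu.net"]


def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, exactly as sendmail does."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Real resolver: the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(ip, zones=ZONES, resolve=resolve_a):
    """Return {zone: answer} for every configured zone that lists ip.
    'resolve' is injectable (assumption) so the logic can be tested offline."""
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer is not None:
            hits[zone] = answer
    return hits


def zone_health(zone, resolve=resolve_a):
    """RFC 5782 sanity check: 127.0.0.2 must be listed, 127.0.0.1 must not be.
    A zone failing this is dead or lists everything and should be removed from
    sendmail.mc, otherwise every connection would be rejected."""
    listed = resolve(dnsbl_name("127.0.0.2", zone))
    clean = resolve(dnsbl_name("127.0.0.1", zone))
    return listed is not None and clean is None


if __name__ == "__main__":
    import sys
    for zone in ZONES:
        print("%-25s %s" % (zone, "ok" if zone_health(zone) else "BROKEN"))
    for ip in sys.argv[1:]:
        print(ip, lookup(ip) or "not listed")
```

Run it with the sender's IP as argument; a zone reported as BROKEN should be commented out in sendmail.mc rather than worked around with whitelist entries.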

2.5 Tools

2.6 graphdefang

http://www.bl.org/~jpk/graphdefang/ is a web-based solution (Perl/PHP) for generating statistics from the MIMEDefang/mail log. Run as a cron job:

01      08      *       *       *       /usr/bin/graphdefang.pl -quiet


The images are stored in /var/lib/graphdefang/. To match the corporate design, index.php can be customised:

...
<?php
# CONFIGURE ME!!!
$OUTPUT_DIR = '/var/lib/graphdefang';
include "/home/www/mygretchen.de/htdocs/inc/header.php";

?>

<center>
...

2.7 Links

http://www.sendmail.org/m4/features.html
http://www.sendmail.org/m4/anti_spam.html
http://www.completewhois.com/rbl_lookup.htm
http://www.linux-fuer-alle.de/doc_show.php?docid=239&catid=15
http://www.nl.sorbs.net/mailsystems/sendmail.shtml
http://www.heise.de/ix/nixspam/dnsbl/
http://www.rfc-ignorant.org/how_to_domain.php
http://www.sendmail.org/tips/virtual-hosting.html

2.7.1 Mimedefang

2.7.2 Courier IMAP/POP3

2.7.3 Webmail

2.7.3.1 Horde

2.7.4 Virus scanner

2.7.4.1 ClamAV

2.7.5 Spam protection

2.7.5.1 SpamAssassin

2.7.5.2 DCC (Distributed Checksum Clearinghouse)

2.7.5.3 Blacklists

2.7.5.4 Pyzor

2.7.5.5 Razor

2.7.6 Statistics

2.8 MySQL server

2.8.1 PHPMyAdmin

2.8.2 mysqldumper

2.9 File access

2.9.1 PureFTP

3 Monitoring

3.1 Cacti

3.2 Munin

3.3 SNMP

/etc/snmp/snmpd.conf

...
smuxsocket 127.0.0.1

# Check the / partition and make sure it contains at least 10 megs.
disk / 10000

# Check for loads:
load 12 14 14
...

Integration of Qmail stats is available for Cacti.

3.4 IP accounting

3.5 graphdefang

4 Security

4.1 Chkrootkit

4.2 Checksecurity

4.3 John

John is a password cracker; it tries to crack weak local passwords and, on success, sends the user a mail. /etc/cron.d/john:

00 1    * * *   root    [ -x /usr/share/john/cronjob ] && nice /usr/share/john/cronjob start
00 7    * * *   root    [ -x /usr/share/john/cronjob ] && /usr/share/john/cronjob stop

4.4 Logcheck

4.5 Firewall

4.5.1 Shorewall

4.6 Tiger

5 Backup

Backups are of course necessary too. Even though the system sits on a mirrored RAID, that does not protect against data loss, only against hardware failure. Therefore the following things must be backed up. The backup directory is /home/backup. The (cron) scripts are located under /home/backup/bin/.

6 rsnapshot

6.1 Server configuration

  • /etc (via the rsnapshot cron job). The config is /etc/rsnapshot.conf, all default values apart from these changes. The backups of the last week are then located in the root dir:
# All snapshots will be stored under this root directory.
snapshot_root   /home/backup/rsnapshot/
interval        daily   7
backup  /etc/           gretchen/
backup  /home/          gretchen/

and the corresponding cron script /etc/cron.d/rsnapshot:

30 3    * * *           root    /usr/bin/rsnapshot daily
  • The partition table is located under /home/backup/server (created manually with fdisk)
  • The list of installed packages is in /home/backup/server/package.list (cron, /home/backup/bin/packagelist.sh):
#!/bin/sh
/usr/bin/dpkg -l > /home/backup/server/package.list

6.2 User homes and other user data

  • /home: home directories including www via rsnapshot, retention time 1 week
  • /var: among others the MySQL data files and e-mails, TODO
  • /usr: among others cacti/horde, TODO

7 SQL export

The export is performed daily via cron using SQLDumper (in the admin area under Administration). Each DB has its own file. The files are located under /home/backup/mysql and are kept for 10 days.


8 Tools

8.1 rsnapshot

This page was last modified on 14 December 2006 at 00:12.