How to Configure Samba in Debian / Ubuntu
What is Samba?
Samba is a suite of Unix applications that speak the SMB (Server Message Block) protocol. Many operating systems, including Windows and OS/2, use SMB to perform client-server networking. By supporting this protocol, Samba allows Unix servers to get in on the action, communicating with the same networking protocol as Microsoft Windows Products.
Samba Debian Package
This package contains all the components necessary to turn your Debian GNU/Linux box into a powerful file and printer server.
Currently, the Samba Debian packages consist of the following:
samba - LanManager-like file and printer server for Unix.
samba-common - Samba common files used by both the server and the client.
smbclient - LanManager-like simple client for Unix.
swat - Samba Web Administration Tool
samba-doc - Samba documentation.
smbfs - Mount and umount commands for the smbfs (kernels 2.2.x and above).
libpam-smbpass - pluggable authentication module for SMB password database
libsmbclient - Shared library that allows applications to talk to SMB servers
libsmbclient-dev - libsmbclient shared libraries
winbind - Service to resolve user and group information from Windows NT servers
python2.3-samba - Python bindings that allow access to various aspects of Samba
It is possible to install a subset of these packages depending on your particular needs. For example, to access other SMB servers you should only need the smbclient and samba-common packages.
Install Samba in Debian
#apt-get install samba smbclient
The installer will now ask some basic questions about the Samba configuration, such as the workgroup or domain name you want. Enter the information that suits your needs.
Preparing directories and users
Create the directory that Samba will share with Windows
#mkdir /samba
Now we need to create a user to access this directory
#useradd ruchi
Now create a password for this user
#smbpasswd -a ruchi
Configure the Samba configuration file
The Samba configuration file is located at /etc/samba/smb.conf
The main section in this file is [global], where you can define all parameters. An example follows
[global]
workgroup = debian
netbios name = debianserver
server string = %h server (Samba %v)
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
Now you need to configure the shared directory (for example /samba) for users. An example follows.
[SAMBA]
path=/samba
browseable=yes
writeable=yes
valid users = ruchi
admin users = debain
To check that your configuration file is correct, run the following command
#testparm
Now restart Samba for the new changes to take effect
#/etc/init.d/samba restart
For more configuration options, check the smb.conf man page
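testparm checks syntax only. The sketch below is an added example (not part of the original page or of Samba) that reads the same smb.conf text and reports which access-control settings each share relies on; the [SAMBA-TIGHT] share, the finding names and the function names are assumptions made for illustration.

```python
import configparser

# Constructed input: the [global] and [SAMBA] sections shown above, plus a
# hypothetical tightened share ([SAMBA-TIGHT]) added here for comparison.
SMB_CONF = """\
[global]
workgroup = debian
netbios name = debianserver
server string = %h server (Samba %v)
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0

[SAMBA]
path=/samba
browseable=yes
writeable=yes
valid users = ruchi
admin users = debain

[SAMBA-TIGHT]
path=/samba
browseable=no
writeable=yes
valid users = ruchi
hosts allow = 192.168.1.
"""

TRUE = {"yes", "true", "1"}
SPECIAL = {"global", "homes", "printers"}   # not ordinary file shares


def _norm(key):
    # smb.conf parameter names ignore case and embedded whitespace.
    return "".join(key.lower().split())


def load(text):
    """Return (global_options, {share_name: options}) from smb.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = _norm
    cp.read_string(text)
    glob, shares = {}, {}
    for section in cp.sections():
        if section.lower() == "global":
            glob = dict(cp[section])
        elif section.lower() not in SPECIAL:
            shares[section] = dict(cp[section])
    return glob, shares


def _flag(opts, *names, default="no"):
    # First synonym present decides; otherwise fall back to the default.
    for name in names:
        if name in opts:
            return opts[name].strip().lower() in TRUE
    return default in TRUE


def audit(text):
    """Map each share name to the list of findings that apply to it."""
    glob, shares = load(text)
    report = {}
    for name, own in shares.items():
        opts = {**glob, **own}          # share settings override [global]
        findings = []
        if opts.get("adminusers", "").strip():
            # Users listed here perform all file operations as root.
            findings.append("admin-users")
        if _flag(opts, "guestok", "public"):
            findings.append("guest-access")
        writable = (_flag(opts, "writeable", "writable", "writeok")
                    or not _flag(opts, "readonly", default="yes"))
        if writable and not opts.get("validusers", "").strip():
            findings.append("writable-for-any-user")
        if not (opts.get("hostsallow") or opts.get("allowhosts")):
            findings.append("no-hosts-allow")
        report[name] = findings
    return report


if __name__ == "__main__":
    for share, findings in audit(SMB_CONF).items():
        print(share, findings or "no findings")
```

For the share defined on this page the report lists `admin users` (the named account acts as root inside /samba) and the absence of any `hosts allow` restriction.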
Testing your Samba configuration
To test your Samba configuration for the user ruchi, run the following command
#smbclient -L //debianserver -U ruchi
Configuring the Windows workstation
Authenticate each workstation
- Log on to the Windows workstation as any user with administrative privileges
- [Windows 2000] Start -> Settings -> Control Panel -> System -> Network Identification -> Properties -> Member of -> Domain -> type the domain name as specified in the 'workgroup' section of smb.conf -> ok
- Enter the root username and password for the Samba file server
- If you simply wish to transfer existing users from a workstation, then if a user exists on the Samba file server and on the workstation, at this point you could log them into the Samba file server and their profile from the workstation would be copied to the Samba file server when they log out
References
http://www.samba.org
END
===================================================================================
How to Configure Shorewall in Debian/Ubuntu
What is Shorewall?
The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.
Download, Features and Documentation Shorewall
http://www.shorewall.net/
Note:
Before installing Shorewall, uninstall "ipchains" if it is installed on your machine by running this command
# apt-get remove ipchains
Install shorewall in Debian
#apt-get install shorewall
At this point apt may tell you it has to install a couple of extra supporting packages along with Shorewall. This is normal and you should accept the prompt to allow it to install everything.
You probably noticed a warning message at the end of the Shorewall installation telling you the program will not start unless you change the /etc/default/shorewall file. You can do this in the following way
# vi /etc/default/shorewall
Now simply change
startup=0
to
startup=1
save, and exit.
Shorewall configuration files are stored in two separate places
/etc/shorewall stores all the program configuration files.
/usr/share/shorewall stores supporting files and action files.
Configuring Shorewall in Debian
To configure Shorewall, copy the sample configuration files from /usr/share/doc/shorewall/default-config. You can do this with the following command
#cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
Now you have configuration files located at /etc/shorewall
Zones Configuration
First edit the zones file to specify the different network zones. These are just labels that you will use in the other files. Consider the Internet as one zone, and a private network as another zone. With that layout, the zones file would look like this:
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Private net
There is another zone that is not put in this zones file, called the "firewall zone" or "fw". This is already defined in /etc/shorewall.conf
If you want more information about Zones check here
Interfaces Configuration
The next file to edit is the interfaces file, which specifies the interfaces on your machine. Here you connect the zones that you defined in the previous step with an actual interface. The third field is the broadcast address for the network attached to the interface ("detect" will figure this out for you). The last field holds the options for the interface. The options listed below are a good starting point:
net   eth0   detect   routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
loc   eth1   detect   tcpflags
If you want more information about interfaces check here
Policy Configuration
The next file defines your firewall's default policy. The default policy is used if no other rules apply. Often you will set the default policy to REJECT or DROP, then configure specifically which ports/services are allowed in the next step; any that you do not configure are rejected or dropped according to this policy. An example policy (based on the zones and interfaces we used above) would be:
fw net ACCEPT
fw loc ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
This policy says: by default accept any traffic originating from the machine (fw) to the internet and to the local network. Anything that comes in from the internet destined to either the machine or the local network should be dropped and logged at the syslog level "info". The last line closes everything else off, and probably won't ever be touched. Note: DROP discards packets quietly, while REJECT sends something back letting the originator know they've been rejected.
If you want more information about policy check here
Rules Configuration
The most important file is the rules file. This is where you set what is allowed or not. Any new connection that comes into your firewall passes over these rules; if none of them apply, the default policy applies. Note: This is only for new connections, existing connections are automatically accepted. The comments in the file give you a good idea of how things work, but the following example can give you a head start:
#ACTION  SOURCE               DEST  PROTO  DEST   SOURCE   ORIGINAL  RATE   USER/
#                                          PORT   PORT(S)  DEST      LIMIT  GROUP
ACCEPT   net                  fw    icmp   8
ACCEPT   fw                   net   icmp
ACCEPT   net                  fw    tcp    ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT   net                  fw    udp    https
ACCEPT   net:216.162.217.194  fw    tcp    munin
This example can be written in long-hand as: "Accept any pings (icmp) from the internet to the machine, accept any tcp connections from the internet that are on any of the ports referenced in /etc/services for the services ssh(22), www(80), https(443), etc. Also accept from the internet the udp connections to https(443). While you are at it, accept only tcp connections from the IP 216.162.217.194 coming from the internet to the munin port (1040)."
If you want more information about rules check here
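A small model of the evaluation order described in the Policy and Rules sections, added here as an example (it is not Shorewall's own code and not from the original page): it reads the policy and rules lines shown above and resolves a new connection to the first matching rule, otherwise to the first matching policy line. Services are compared by name instead of being looked up in /etc/services, and the function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# The policy and rules lines from this page, embedded as sample input.
POLICY = """
fw net ACCEPT
fw loc ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
"""

RULES = """
ACCEPT net fw icmp 8
ACCEPT fw net icmp
ACCEPT net fw tcp ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT net fw udp https
ACCEPT net:216.162.217.194 fw tcp munin
"""


def _rows(text):
    """Yield the whitespace-separated columns of each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def _zone_match(spec, zone, addr):
    """spec is 'zone' or 'zone:address'; 'all' matches any zone."""
    name, _, host = spec.partition(":")
    if name not in ("all", zone):
        return False
    if not host:
        return True
    return addr is not None and ip_address(addr) in ip_network(host, strict=False)


def decide(src_zone, dst_zone, proto, port=None, src_ip=None):
    """Return (action, origin) for a NEW connection; origin is 'rule' or 'policy'."""
    # 1. Rules are checked top to bottom; the first match wins.
    for action, src, dst, *rest in _rows(RULES):
        rule_proto = rest[0] if rest else "all"
        rule_ports = rest[1].split(",") if len(rest) > 1 else []
        if (_zone_match(src, src_zone, src_ip)
                and _zone_match(dst, dst_zone, None)
                and rule_proto in ("all", proto)
                and (not rule_ports or str(port) in rule_ports)):
            return action, "rule"
    # 2. No rule applied: fall back to the first matching policy line.
    for src, dst, action, *_log in _rows(POLICY):
        if src in ("all", src_zone) and dst in ("all", dst_zone):
            return action, "policy"
    raise ValueError("no policy matched; the all/all line must be last")


if __name__ == "__main__":
    samples = [
        ("net", "fw", "tcp", "ssh", None),
        ("net", "fw", "tcp", "telnet", None),
        ("net", "fw", "tcp", "munin", "216.162.217.194"),
        ("net", "fw", "tcp", "munin", "203.0.113.7"),   # constructed address
        ("loc", "net", "tcp", "www", None),
        ("fw", "net", "udp", "domain", None),
    ]
    for s in samples:
        print(s, "->", decide(*s))
```

With the policy exactly as shown, connections from loc to net or from loc to fw fall through to the final all/all line and are rejected, so the private network needs its own policy line or rules before it can reach anything.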
Now you need to restart Shorewall for your new changes to take effect, by running this command
#/etc/init.d/shorewall start
If there is a syntax error in your configuration, you will get an error saying so, and you should read /var/log/shorewall-init.log to figure out why.
If everything does start up, make sure that you aren't blocking something that you don't mean to. You can do that by looking at your firewall logs.
If you want to know more about the shorewall log files click here
Shorewall Web interface or GUI tool
There is a Webmin module for configuring Shorewall through a GUI. You can download it from here.
http://www.webmin.com/download/modules/shorewall.wbm.gz
If you want to configure shorewall through webmin interface click here
References
http://www.cyberdogtech.com/firewalls/firewall/
END
================================================
How to Configure Proftp Server in Debian/Ubuntu
What is ProFTPD?
ProFTPD is an FTP server written for use on Unix and Unix-a-like operating systems; there is no support for native use under Microsoft Windows.
Proftp Server Features
ProFTPD offers the following features:
- Single main configuration file, with directives and directive groups which are intuitive to any administrator who has ever used the Apache web server.
- Per directory ".ftpaccess" configuration similar to Apache's ".htaccess".
- Easy to configure multiple virtual FTP servers and anonymous FTP services.
- Designed to run either as a stand-alone server or from inetd/xinetd, depending on system load.
- Anonymous FTP root directories do not require any specific directory structure, system binaries or other system files.
- No SITE EXEC command. In modern Internet environments, such commands are a security nightmare. ProFTPD does not execute any external programs at any time. The source is available (and must always be available) for administrators to audit.
- Hidden directories and files, based on Unix-style permissions or user/group ownership.
- Runs as a configurable non-privileged user in stand-alone mode in order to decrease chances of attacks which might exploit its "root" abilities. Note: This feature is dependent on the capabilities of the host Unix system.
- Logging and utmp/wtmp support. Logging is compatible with the wu-ftpd standard, with extended logging available.
- Shadow password suite support, including support for expired accounts.
- Modular design, allowing server to be extended easily with modules. Modules have been written for SQL databases, LDAP servers, SSL/TLS encryption, RADIUS support, etc.
- IPv6 support.
Proftp Supported Platforms
ProFTPD is known to compile and run on the following platforms.
- AIX
- BSD/OS
- Cygwin
- Digital Unix
- DG/UX
- HP/UX
- IRIX
- Linux
- Mac OS X
- SCO
- FreeBSD
- NetBSD
- OpenBSD
- Solaris
- SunOS
- Linux for IBM S/390, zSeries
Proftpd Installation in Debian
apt-get install proftpd
It will ask you whether you want to run it from inetd or standalone. inetd is for occasional use (the server is loaded on demand). Select standalone and click the OK button.
For security reasons you can add the following lines to /etc/proftpd.conf:
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
For more security configuration click here
Then restart Proftpd:
/etc/init.d/proftpd restart
For more configuration examples click here
Permitting Anonymous Access
To permit anonymous access to your server you will need to uncomment the configuration options which are already present in the standard /etc/proftpd.conf file.
<Anonymous ~ftp>
  User ftp
  Group nogroup
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  # Cosmetic changes, all files belongs to ftp user
  DirFakeUser on ftp
  DirFakeGroup on ftp
  RequireValidShell off
  # Limit the maximum number of anonymous logins
  MaxClients 10
  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  # Limit WRITE everywhere in the anonymous chroot
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
This configuration setting allows users to log in with either anonymous or ftp as the username, and they will be able to read from /home/ftp.
They will be unable to upload new content or delete existing files. They will be given only read-only access to the server.
For the full list of Proftp server configuration directives click here
Proftpd server log files are located at /var/log/xferlog
If you want a Proftp server web interface or GUI tools click here
Configuring Proftp Server Security
Securing ftp servers
Proftpd provides some additional security through its use of chroot(), user and IP access limits, command and path filters to limit what and where files can be uploaded, and its attention to when root privileges are needed and when they are not. However, a buffer overflow in the wrong place could still leave the server compromised beyond hope. Simple steps which can be taken to tighten security include
- Log to a separate machine
- Traffic filtering upstream of the server
- chroot() all sessions
- Don't give a valid shell where it's not needed
- Run an intrusion detection system
- If possible place the OS itself on a bootable CDrom
- Tripwire
- Decent backups
Daemon security
Recently (between versions 1.2.0pre3 - 1.2.0pre7) there have been a number of buffer overflow type security problems with ProFTPD; with the coming release of pre7 these should be under control, though no absolute statement can be given on the security of the software (this is true for every piece of software out there). A significant amount of effort has been put into removing the more 'dangerous' system calls which are prone to overflow attacks.
There is a known security problem with ALL unix FTP daemons, which requires the daemon to retain root privileges even after a client has fully authenticated. In ProFTPD versions 1.0.x, a decision was made to ignore RFC959's port 20 requirements in the interests of security. This approach has now been abandoned in favour of a more RFC compliant approach.
ProFTPD takes a middle road in terms of security. It only uses root privileges where required and drops to the UID defined in the config file at all other times. Times when root is required include binding to ports < 1024, setting resource limits, reading configuration information and some network code.
Password Issues
One of the biggest security problems with the whole FTP protocol is the need to have the password transmitted in clear text across the network. In effect the username and password pair are available at all times during the authentication sequence, resulting in this information being available to crackers and sniffers alike.
Encrypted passwords
Currently (as of 1.2.0pre9) Proftpd does not support encrypted passwords for authentication. Development for this feature is scheduled for post 1.2.0rel1, and it will remove the absolute need to send the password in clear text over the network. There are some additional approaches involving ssh (secure shell) which I will not cover in detail in this text which can be used to secure a ftp session without encrypted keys.
FTP as root
This is a bad idea simply because it's a major security risk to send the root password in clear text over any network. If there is a need to get files onto a server there are always better ways of achieving it than connecting via ftp as root.
Other approaches
- rcp
- ssh/scp
- ftp as a safe user and change the ownership later.
If you really must ftp as root then our thoughts go with you on this dangerous journey as you add "RootLogin on" to your proftpd configuration and may your god go with you.
Server attacks
As with all server processes the primary method of cracking remains the buffer overflow. Due to the nature of the protocol and the requirement for root level privileges this leaves ftp daemons open to attack. Buffer overflows are the result of weak programming where boundary condition checks have been skipped or "unsafe" system calls have been used. These allow a fixed length storage area to be overflowed; this overflow can then be used as the transport to allow the execution of arbitrary commands as the root user. In combination this is known as a "root exploit".
Stack smashing protection
What about using Stackguard?
Stackguard is a gcc variant which can protect programs from stack-smashing attacks; programs compiled using Stackguard die without executing the stack code. While this approach is a good first line of defense against future problems it's not a complete cure-all. Some of the buffer overflows were found on static variables, which are not protected by stack protection mechanisms.
Libsafe
Libsafe implements a 'middleware' layer which sits between the OS and the daemon process and protects against buffer overflows. This is achieved by intercepting all calls known to be vulnerable to overflow. http://www.bell-labs.com/org/11356/html/security.html
Running Proftpd as non-root
Running ProFTPD as a non-root user gives only a marginal security improvement on the normal case and adds some functional problems, such as not being able to bind to ports 20 or 21 unless it's spawned from inetd. The inability to bind to ports 20 and 21 makes this approach useless for commercial hosting environments where the customers are expecting the connection to be on a "standard" port.
Firewall issues
Generally ftp and firewalls are quite capable of co-existing on the same or separate networks with the minimum of fuss. The source of problems stems from the fundamental design of ftp and its twin socket approach to data transfer. Firewalls, good ones at least, approach security by assuming everything is hostile and then starting to open up holes to trusted ports and destinations.
FTP, as has been mentioned in an earlier chapter, has two main methods of operation, passive and active. Passive mode support is difficult in the extreme to support within a firewall, it requires the tracking of port 21 connections in and outbound and opening up complete tcp holes for that connection on the fly and tearing down once the control socket is closed. Active support is brainlessly simple by comparison, opening ports 20 and 21 is sufficient, nothing more complex is required.
ProFTPD behind a firewall
Because of the multiple-socket and semi-random port assignment nature of the ftp protocol, additional care must be taken when setting up ProFTPD behind a firewall. Setting the firewall to allow the control socket through is easy enough: allow tcp packets destined for port 21 on the target server. However, the data socket in passive mode may be targeted on a random port number on the server side, resulting in either a highly complex or very weak firewall. The PassivePorts directive allows the admin to specify the range of ports the server will use to service ftp-data connections; this range can then be configured on the firewall.
Security by obscurity and warnings
Good security practice works on a combination of locking down all the holes as tightly as possible and letting as little information about the network out as possible. Additionally some legal systems require that explicit warnings are put up letting the casual connecting host know that unauthorised access is not permitted. To provide these features Proftpd supplies a number of directives which control the message presented to the user.
How can I prevent the server version from being displayed
Setting ServerIdent to "off" should turn off the information about what type of server is running. To have maximum effect this directive should either be in the Global context or included in every virtual host block and the default block.
ServerIdent on "test.co.uk server"
ServerIdent off
ServerIdent on ""
I want to show a message prior to login
Use the DisplayConnect directive to specify a file containing a message to be displayed prior to login.
DisplayConnect /ftp/ftp.virtualhost/login.msg
I want to display a message after login
Use the DisplayLogin directive, this sends a specified ASCII file to the connected user.
DisplayLogin /etc/proftp.msg
Can I have a custom welcome response?
Use the AccessGrantMsg directive, this sends a simple single line message back to the user after a successful authentication. Magic cookies appear to be honoured in this directive.
AccessGrantMsg "Guest access granted for %u."
Note, this directive has an overriding default and needs to be specified in both VirtualHost and Anonymous blocks.
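Returning to "ProFTPD behind a firewall" above: the sketch below is an added example (not ProFTPD's or Shorewall's own code and not from the original page) that reads a proftpd.conf, checks the hardening directives this page names, and turns the PassivePorts range into rules-file lines in the Shorewall format shown earlier. The sample configurations, the port range, the finding names and the function names are constructed for illustration.

```python
import shlex

# Constructed proftpd.conf fragments. The PassivePorts range is a sample value.
HARDENED = '''\
ServerName "files"
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
PassivePorts 49152 49252
'''

WEAK = '''\
ServerName "files"
RootLogin on
'''


def parse_directives(text):
    """Return {directive name in lower case: [arguments]}; last one wins."""
    found = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)      # drops '#' comments
        if parts and not parts[0].startswith("<"):   # skip <Block> tags
            found[parts[0].lower()] = parts[1:]
    return found


def passive_range(directives):
    """Return (low, high) from PassivePorts, or None when it is not set."""
    args = directives.get("passiveports")
    if args is None:
        return None
    if len(args) != 2:
        raise ValueError("PassivePorts takes a minimum and a maximum port")
    low, high = int(args[0]), int(args[1])
    if not 1024 <= low <= high <= 65535:
        raise ValueError(f"PassivePorts range {low}-{high} is not usable")
    return low, high


def audit(conf_text):
    """List which of the page's hardening points the config misses."""
    d = parse_directives(conf_text)
    findings = []
    if "defaultroot" not in d:
        findings.append("no-chroot")            # sessions are not chroot()ed
    if d.get("rootlogin", ["off"])[0].lower() == "on":
        findings.append("root-login")           # root password in clear text
    if passive_range(d) is None:
        findings.append("passive-ports-unset")  # data port cannot be filtered
    return findings


def shorewall_rules(conf_text, src="net", dst="fw"):
    """Rules-file lines for the control port and the passive data range."""
    rules = [f"ACCEPT {src} {dst} tcp 21"]
    rng = passive_range(parse_directives(conf_text))
    if rng is not None:
        rules.append(f"ACCEPT {src} {dst} tcp {rng[0]}:{rng[1]}")
    return rules


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit(conf))
        for line in shorewall_rules(conf):
            print("  ", line)
```

When PassivePorts is missing only the port 21 rule is produced, so passive data connections would fall to the DROP policy shown in the Shorewall section.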
END
================================================
How to Configure Webmin & Quota in Debian / Ubuntu
What is Webmin?
Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can set up user accounts, Apache, DNS, file sharing and so on.
Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5, and use no non-standard Perl modules.
Installing Webmin in Debian
#apt-get install webmin webmin-core
After installation, if you want to access Webmin from any machine in your network, edit the /etc/webmin/miniserv.conf file and change the “allow” option from
allow=127.0.0.1
to
allow=0.0.0.0
Note that 0.0.0.0 matches every client address, so Webmin will then answer any host that can reach port 10000, not only machines on your own network.
Once you have changed this, save the file and restart Webmin using the following command:
/etc/init.d/webmin restart
Go to your browser and type https://ipaddress:10000. You can log in using root as the username and the root password of the Debian system.
If you need any Webmin modules for your software, check here
Update Webmin online from your machine
Click on Webmin Configuration under the Webmin tab, then click on Upgrade Webmin and select the "Latest version from www.webmin.com" option. Now click on the Upgrade Webmin button; this will start the Webmin upgrade from the Webmin site.
Downloading http://www.webmin.com/download/webmin-1.290.tar.gz ..
Downloading http://easynews.dl.sourceforge.net/sourceforge/webadmin/webmin-1.290.tar.gz (10324511 bytes) ..
Received 1024 bytes (0 %)
Received 1033216 bytes (10 %)
Received 2065408 bytes (20 %)
Received 3097600 bytes (30 %)
Received 4130816 bytes (40 %)
Received 5163008 bytes (50 %)
Received 6195200 bytes (60 %)
Received 7227392 bytes (70 %)
Received 8260608 bytes (80 %)
Received 9292800 bytes (90 %)
Received 10324511 bytes (100 %)
.. Download complete.
No package signature verification done.
Running setup.sh script to upgrade Webmin .. Please wait a minute until it is complete before continuing.
Other available options
- From local file
- From uploaded file
- From ftp or http URL
Quota configuration in Debian
When you run a multi-user system it's possible for a single user to monopolise the system by filling their home directory with a lot of files, filling a disk so that other users have no space of their own. Quotas are a system for preventing this. It's possible to set up limits on the amount of space a single user, or a single group, can use.
Using quotas on Debian is very easy, as the Debian kernel packages all have quota support compiled in.
There are two ways to use quotas:
- Per user
- Per group
When using per-user quotas you are effectively giving a limit on how much disk space the specific user may consume. In the case of per-group quotas you're giving a limit on the total disk usage of all members in that group combined.
Generally I find it much more useful to apply quotas on a per-user basis, as this way you don't have to work out which member of a group is consuming all the space.
To set up quota usage on your system you'll need to do three things:
- Mount your filesystems with quota support
- Install the quota software
- Configure your limits
Installing Quota in Debian
#apt-get install quota quotatool
As you installed the software you will have been prompted to see if you wish to email your users when their quotas are exceeded; this is their soft limit.
Edit /etc/fstab to look like this (I added ,usrquota,grpquota to the partition with the mount point /):
# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/sda1 / ext3 defaults,errors=remount-ro,usrquota,grpquota 0 1
/dev/sda5 none swap sw 0 0
/dev/hdc /media/cdrom0 iso9660 ro,user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
Then run:
touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm
quotaon -avug
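A check to run between the remount and quotacheck steps, written here as an added example (not part of the original article or of the quota package): it compares the quota options requested in fstab with those in the live mount table and lists any that the remount has not picked up. It assumes the options appear as plain usrquota and grpquota in both files, as in the fstab above; the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example: confirm the quota mount options are live before quotacheck.

# Print "<mount point> <option>" for every usrquota/grpquota option found in
# a file laid out like /etc/fstab or /proc/mounts (options in column 4).
quota_opts() {
    awk '$1 ~ /^#/ || NF < 4 { next }
         { n = split($4, opt, ",")
           for (i = 1; i <= n; i++)
               if (opt[i] == "usrquota" || opt[i] == "grpquota")
                   print $2, opt[i] }' "$1"
}

# Print the options requested in fstab ($1) that are missing from the live
# mount table ($2). Empty output means the remount took effect.
quota_pending() {
    live=$(quota_opts "$2")
    quota_opts "$1" | while IFS= read -r entry; do
        printf '%s\n' "$live" | grep -qxF -- "$entry" || printf '%s\n' "$entry"
    done
}

# Constructed sample data: the fstab line from this page, and a mount table
# as it would look before "mount -o remount /" has been run.
dir=$(mktemp -d)
cat > "$dir/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 / ext3 defaults,errors=remount-ro,usrquota,grpquota 0 1
/dev/sda5 none swap sw 0 0
EOF
cat > "$dir/mounts" <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
EOF
quota_pending "$dir/fstab" "$dir/mounts"   # lists "/ usrquota" and "/ grpquota"
rm -rf "$dir"
```

On a real system the call is quota_pending /etc/fstab /proc/mounts; any output means quotacheck and quotaon would run against a filesystem that is not yet mounted with the requested options.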
If you want to manage quotas with a graphical web interface you need to install the quota Webmin module.
To install the Webmin module for quotas:
#apt-get install webmin-quota
Now log in to Webmin and you can see the quota configuration.
How to check whether warnquota is configured
- email warnings are triggered by warnquota
- warnquota takes its configuration from /etc/warnquota.conf
- warnquota is run daily by default: /etc/cron.daily/quota
Here is my /etc/warnquota.conf
MAIL_CMD = "/usr/sbin/sendmail -t"
FROM = "your.address@your.domain.com"
SUBJECT = You have exceeded your quota
CC_TO = "your.address@your.domain.com"
SUPPORT = "support.address@your.domain.com"
PHONE = "01 02 03 04 05"
MESSAGE = "quota exceed for this user"
SIGNATURE = "Your signature"
Try dpkg-reconfigure -plow quota, it should ask you questions
about warnquota configuration.
BTW, if your use of quota is critical, test it before production
or with a test account by lowering quota to a very small level
and by running manually /etc/cron.daily/quota.
END
================================================
good Stuff