How to Set-Up a Home Server

[charleychacko]

1. Requirements
For my server I had the following requirements:

It should be completely silent. It is placed in my study, which doubles as a guest bedroom. So a noisy fan is not acceptable;
It should be possible to set it up and manage from my laptop via a serial cable. I did want to place it in a left over corner, where I do not have the space available for a big monitor and a keyboard.

2. The Hardware
As hardware I have used:

VIA EPIA VE5000 Motherboard;
Kingston Low Profile 256MB PC133 SDRAM;
Seagate ST340810A 40GB Harddisk;
Teac CD224E Slim CD-ROM;
Cubid 2688R Mini-ITX Case.
This hardware can be bought at You are not allowed to view links.
Register or Login.

The VIA EPIA VE5000 Motherboard does not need a CPU fan. It provides:

533MHz VIA Eden Processor (Pentium compatible);
1 Ethernet Port;
1 Serial Port;
1 Parallel Port;
2 USB 1.1 ports;
1 Microphone, 1 Line-In and 1 Line-Out Port;
1 PS2 Mouse Port;
1 PS2 Keyboard Port;
On-Board Video Adapter.
Of these I only needed the Ethernet Port and the Serial Port.

The Cubid 2688R Mini-ITX Case is a small 30x28x6cm box. It contains a fan-less 50W power supply, which gets its power from a 12V DC input. It comes with an external 100-240V AC to 12V DC power adapter similar to the ones used with laptops.



Picture 1: My server.

To set-up the BIOS, I needed to connect a monitor and a keyboard. This is the only time the monitor and keyboard are needed. Installation of the operating system can be done using the serial port (if you already have a serial boot disk).

I configured the BIOS to boot from CD-ROM and alternatively, when no bootable CD-ROM is detected, to boot from harddisk.

Another important setting is the jumper setting which makes the system to reboot automatically after a power failure. By default the motherboard waited for somebody to press the front power switch before booting up. For a server this is not a good idea.

3. The Operating System
I not even considered Windows, since it is neither free nor well designed. Since I did want to have a free operating system, the choice was between one of the many Linux distributions and FreeBSD Unix. They are basically all variants of the same flavour.

I have chosen Red Hat Linux 8.0. This was because Red Hat Linux 8.0 is shipped with a lot of software and is well documented. Release 8.0 was the latest release when I made my choice. For more information on Red Hat Linux see You are not allowed to view links.
Register or Login.

Red Hat Linux 8.0 is downloadable for free from many internet mirror sites. (E.g. from  ftp://download.xs4all.nl/pub/mirror/redhat/linux/8.0/en/iso/i386/.)

One needs to download CD image files, which can be burned onto a CD using standard CD burning software. This can be done under Windows. Linux is not needed to create the set of CDs.

One needs to have the following 3 files / disks:

psyche-i386-disc1.iso,
psyche-i386-disc2.iso,
psyche-i386-disc3.iso.
Two more files / disks containing source code are available:

psyche-i386-disc4.iso,
psyche-i386-disc5.iso.
Disk #1 is bootable. It starts a user-friendly set-up program (Anconda), which guides the user through the installation process. This program will later prompt for disk #2 and disk #3. Even if you select a complete installation it will never prompt for disk #4 and disk #5.

There is one problem. The standard distribution of Red Hat Linux 8.0 used the video adapter and the keyboard as console. So a monitor and a keyboard must be connected to the system. To be able to use the serial port instead, I had to patch disk #1, so that it uses the serial port as console.


4. Serial Console Patch
To create a patched disk #1, a standard Linux system must be set-up first, using a monitor and a keyboard.

The original bootable disk #1 must be placed in the CD-ROM drive and mounted with the following command:

mount /dev/cdrom /mnt/cdrom
The contents must be copied to a temporary directory. Hidden files must be copied as well. This is done with the following commands:

mkdir tempcddir
cp -r /mnt/cdrom/* tempcddir
cp -r /mnt/cdrom/.discinfo tempcddir
The boot configuration file must be edited:

vi tempcddir/isolinux/isolinux.cfg
After editing it contains the following lines:

default linux
prompt 1
timeout 100
serial 0 19200
label linux
  kernel vmlinuz
  append initrd=initrd.img lang= devfs=nomount ramdisk_size=9216 text console=ttyS0,19200n8
The files containing the boot messages are removed because they mess-up the serial console:

rm tempcddir/isolinux/*.msg
The CD contains images for boot floppies. Similar changes must be made to these floppies. They can be edited by mounting the image files. First a directory is created to which the image files can be mounted:

mkdir tempfddir
Modification of the file tempcddir/isolinux/boot.img:
mount -t vfat -o loop tempcddir/images/boot.img tempfddir
cp tempcddir/isolinux/isolinux.cfg tempfddir/syslinux.cfg
rm tempfddir/*.msg
umount tempfddir
Modification of the file tempcddir/isolinux/bootnet.img:
mount -t vfat -o loop tempcddir/images/bootnet.img tempfddir
cp tempcddir/isolinux/isolinux.cfg tempfddir/syslinux.cfg
rm tempfddir/*.msg
umount tempfddir
Modification of the file tempcddir/isolinux/pcmcia.img:
mount -t vfat -o loop tempcddir/images/pcmcia.img tempfddir
cp tempcddir/isolinux/isolinux.cfg tempfddir/syslinux.cfg
rm tempfddir/*.msg
umount tempfddir
Finally a readme file is created:

vi tempcddir/README-Serial-Console-Modifications
With the following command a new CD image is created, which can be burned again onto a CD using standard CD burning software (either under Linux or under Windows):

mkisofs -o cdfile.iso -b isolinux/isolinux.bin -no-emul-boot \
-boot-load-size 4 -boot-info-table -R -J -T tempcddir
Note that I did not test the boot floppy images. In my system there are no floppy drives.


5. Serial Cable
To connect my server to my laptop a cross-over cable is needed, connecting TXD of the server to RXD of the laptop, and RXD of the server to TXD of the laptop. The hardware handshake signals are looped back. Figure 1 shows the cable pinning.
 
6. My Network Configuration
I got a single public IP address 213.84.70.99 from my internet provider. My internet provider (forward and reverse) maps this IP address to the name ipd5544663.xs4all.nl.

My home network is connected to the internet via an Alcatel Speedtouch 510 ADSL modem. This modem provides Network Address Translation (NAT), Dynamic Host Configuration (DHCP) and a name server (DNS). It can connect to up to 4 ethernet devices via it's build-in hub.

My home network uses internal IP addresses, which can not be reached directly from the internet:

10.0.0.138 is the internal IP address of my ADSL modem. The name server in the ADSL modem (forward and reverse) maps this to fwiarda-adsl.fwiarda-lan;
10.0.0.201 is the internal IP address of my laptop. The name server in my ADSL modem (forward and reverse) maps this to fwiarda-pc.fwiarda-lan;
10.0.0.254 is the internal IP address op my server. The name server in my ADSL modem (forward and reverse) maps this to fwiarda-server.fwiarda-lan.
When IP packages pass through the ADSL modem, these internal IP addresses are translated into my public IP address and back. For traffic originating from my home network, the network address translator knows from which internal IP address the session originates. That way it is later able to send the response back to the right internal IP address.

For traffic originating from the internet, the network address translator has a table telling which protocols are handled by which internal IP address. If it receives an IP package of which the protocol is not listed in the table, they are discarded. By doing so it provides firewall functionality as a by-product of the network address translation. The network address translation table in my ADSL modem is configuered to forward the  following protocols to my server (IP address 10.0.0.254):

FTP (TCP port 21);
Secure telnet (TCP port 22);
Telnet (TCP port 23);
SMTP (TCP port 25);
DNS (TCP and UDP port 53);
HTTP (TCP port 80);
POP3 (TCP port 110);
IMAP (TCP port 143).
For more information about Network Address Translation see "RFC3022" ([1]).

 
7. Installing Red Had Linux 8.0
To install Red Hat Linux 8.0 I connect my laptop with the serial cross-over cable to the serial port of the server. At my laptop run a VT100 terminal emulator (Kermit 95). The serial port settings are 19200 baud, no-parity and 8 data bits.

NOTE: Unless indicated otherwise, the remainder of this description is valid as well when you want a standard installation which uses the monitor and keyboard as console. Just, use the original disk #1 instead of the patched disk #1.

The patched disk #1 is placed in the CD-ROM drive, and the server is reset. Linux boots and the Red Hat installation program Anaconda starts automatically. Choose the following configuration options:

Installation language set to English;
Generic 2 button mouse (PS/2) which emulates 3 buttons. This does not really matter since we use the serial port as console, but it is handy if for some reason we do connect a monitor, a keyboard and a mouse;
Server installation;
With disk druid 2 partitions are created. The first with mount point /, file system type ext3, 37000 Mb fixed size, forced to be primary partition. The second with the mount point not applicable, file system type swap, filling all available size, not forced to be primary partition;
Boot loader LILO;
Boot loader configuration console=ttyS0,19200n8. (NOTE: This field must be left empty for a standard installation using the monitor and keyboard as console instead of the serial port.) Do not force use of IBA32;
Boot loader configuration * linux /dev/hda1;
Boot loader configuration /dev/hda Master Boot Record;
Ethernet configured not to use BOOTP/DHCP and to activate on boot. IP address set to 10.0.0.254, net mask set to 255.0.0.0, default gateway set to 10.0.0.138 and primary DNS set to 10.0.0.254.
Hostname set to server.fwiarda.com;
No firewall;
Language support English (USA) only;
Hardware clock set to GMT. Time zone set to Europe/Amsterdam;
Root password set;
All fields for an additional user left empty;
All packages selected;
Defaults for video card;
Defaults for monitor;
Accept defaults for X customisation, except the default login type, which is changed to text.
Now we can reboot the system. After reboot it starts up with a login prompt. Further configuration must be done while logged in as root.


8. Making a Backup First
In the remainder of this page we do edit a lot of files. It is a good practice to make a backup copy of the original file with a .old extension before editing.

The system configuration is basically determined by the files in the /etc tree. The whole tree can be backed up to a file /root/etc.tar with the command:

tar -xf /root/etc.tar /etc


9. Fixing the LILO Boot Loader
The first thing one has to do is editing the file /etc/lilo.conf to make a minor fix to the LILO boot loader. (NOTE: For a standard installation using the monitor and keyboard as console instead of the serial port this changs shall not be made.)

Before booting the system the LILO boot loader prompts the user for boot parameters. During this very first phase of the boot, the baud rate has not yet been set correctly, causing the initial prompt to be garbled. We fix this by changing the line serial=0 into serial=0,19200n8.

Now the file /etc/lilo.conf contains the following lines:

prompt
timeout=50
default=linux
boot=/dev/hda
map=/boot/map
install=/boot/boot.b
serial=0,19200n8
lba32

image=/boot/vmlinuz-2.4.18-14
   label=linux
   initrd=/boot/initrd-2.4.18-14.img
   read-only
   append="root=LABEL=/ console=ttyS0,19200n8"
The command lilo is executed to write the changes we made to the master boot record.

10. Personal Fine Tuning of Red Hat Linux 8.0
The changes in this section are fine tunings which are a matter of personal taste. The system will work fine without them.

The following lines are added to /etc/bashrc:

# Make sure newly created files are writable only by the file's owner.
# The Red Hat default is that they are writable for everyone in the
# same group as the owner.
umask 022

# These changes reflect my personal taste.
alias info="info --vi-keys"
alias l.="ls --color=never -p -a"
alias ll="ls --color=never -p -l"
alias ls="ls --color=never -p"
alias vi="/bin/vi"

# Make DOS commands work under Linux as well.
alias copy="cp"
alias del="rm"
alias dir="ls -l"
alias md="mkdir"
alias ren="mv"
alias rd="rmdir"
alias cls="clear"
The following lines are added to /etc/profile:

# Define keys for command line editing.
bind -f /etc/inputrc

# Get rid of stange characters in man pages.
LANG=en_US
export LANG

# Define the prompt to be "user@host:directory $".
PS1='\u@\h:\w \$ '
export PS1

# A VT100 is a subset of of the ansi definition and more reliable.
if [ $TERM = ansi ] ; then TERM=vt100 ; fi
export TERM

# I like vi to use autoindent mode.
EXINIT='set autoindent'
export EXINIT

# Man shall look for man pages in /usr/local/share/man as well.
MANPATH=/usr/share/man:/usr/local/share/man
export MANPATH


I like to have Windows style command line editing. To enable this the file /etc/inputrc must contain the following lines:

# Enable Windows style command line editing.
set completion-ignore-case on
set mark-directories off
set match-hidden-files off
TAB: menu-complete

# Mapping of some keys that where not mapped well.
"\C-?": delete-char
"\e[5~": beginning-of-history
"\e[6~": end-of-history

# A VT100 does not have a Home, End, PgUp and PgDn key. In my
# terminal emulator I programmed the vi key sequences for these
# actions under the these keys.
"\e0": beginning-of-line
"\e$": end-of-line
"\e\C-u": beginning-of-history
"\e\C-d": end-of-history
The file /etc/mail.rc has been edited to contain the following lines:

# Ask for the mail subject when accepting mail from a terminal.
set asksub

# Terminate mail input with a line containing a single dot.
set dot

# Retain read messages in the system mailbox instead of moving them
# to the mbox file.
set hold

# Don't save a message to the file dead.letter when input of the message
# is aborted with ctrl-C.
set nosave

# Don't display Received headers.
ignore Received

[charleychacko]

11. Creating Additional User Accounts
Two additional user accounts are created.

The account server is used for administrative purposes, like storing the web pages with usage statistics.

The account fwiarda is my personal account. My personal web site is stored under this account. I do receive my personal e-mail on this account. I mount the home directory of this account as an additional drive on my PC.

Creating the additional accounts is done by issuing the following comands:

useradd server -c "Server Administration"
useradd fwiarda -c "Frits Wiarda"
chmod 755 /home/server
chmod 755 /home/fwiarda
passwd server
passwd fwiarda
Note that with the chmod commands I make users home directories readable for all. The default for Red hat Linux 8.0 is that users home directories are strictly private. I consider this not handy since my users are myself in different roles, and now and then perhaps a well trusted friend.

I create a link /home/root as an alias to the root's home directory. I make the root's home directory world readable as well. Issuing the following commands does this:

ln -s /root /home/root
chmod 755 /root

12. Crontab
After installation the root mail is flooded with mail containing all kind of periodic reports. So I consider it desirable to clean all crontabs, and then add the things I consider useful.

Crontab is a feature which periodically executes certain tasks. There are two types of crontabs, user crontabs and system crontabs.

User crontabs are managed with the command crontab. After installation a crontab exists for the user mailman. This crontab is removed with the command:

crontab -u mailman -r
System crontabs are managed by editing the file /etc/crontab. By default this file contains 4 entries which periodically executes all executable files in the directories /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly. A 5th entry exists which calls the Multi Router Traphic Grapher, which we do not need. The file /etc/crontab is edited to contain the following lines:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/root

0 * * * * root run-parts /etc/cron.hourly
10 0 * * * root run-parts /etc/cron.daily
20 0 * * 0 root run-parts /etc/cron.weekly
30 0 1 * * root run-parts /etc/cron.monthly
The directories containing the files to be executed periodically are cleaned with the following commands:

mv /etc/cron.hourly /etc/cron.hourly.old
mv /etc/cron.daily /etc/cron.daily.old
mv /etc/cron.weekly /etc/cron.weekly.old
mv /etc/cron.monthly /etc/cron.monthly.old
mkdir /etc/cron.hourly
mkdir /etc/cron.daily
mkdir /etc/cron.weekly
mkdir /etc/cron.monthly
A file /etc/cron.daily/cleanup has been created containing the following
lines:

#!/bin/bash
/usr/sbin/tmpwatch 24 /tmp
/usr/sbin/tmpwatch 24 /var/spool/squirrelmail/attach
After editing the permissions for this file have been changed with the
command:
chmod 755 /etc/cron.daily/cleanup


13. Telnet
By default telnet is disabled on Red Hat Linux 8.0. To enable it edit the file /etc/xinetd.d/telnet and change disable = yes into disable = no. The change becomes effective after the xinet-daemon has been restarted, or after a system reboot.

By default Red Hat Linux 8.0 disallows root login via telnet, since it is considered insecure because telnet uses unencrypted password verification. However on a home network behind a firewall security is not an issue. To enable root login via telnet add the following lines to the file /etc/securetty:

pts/0
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9
pts/10
pts/11

14. FTP
By default FTP is disabled on Red Hat Linux 8.0. To enable it edit the file /etc/xinetd.d/wu-ftpd and change disable = yes into disable = no. The change becomes effective after the xinet-daemon has been restarted, or after a system reboot.

To configure FTP the file /etc/ftpaccess is edited and shall contain the following lines:

class all real,guest,anonymous *
email fwiarda@fwiarda.com
hostname server.fwiarda.com
log transfers anonymous,guest,real inbound,outbound
By default Red Hat Linux 8.0 disallows root login via FTP, since it is considered insecure because FTP uses unencrypted password verification. On the other hand it allows by default anonymous login, which is of no use to a personal web server. To change this the file /etc/ftpusers is. The entry root is removed. An en entry ftp is added.


15. DNS
By default DNS is disabled on Red Hat Linux 8.0. To enable it the following commands must be executed:

mv /etc/rc.d/rc2.d/K45named /etc/rc.d/rc2.d/S45named
mv /etc/rc.d/rc3.d/K45named /etc/rc.d/rc3.d/S45named
mv /etc/rc.d/rc4.d/K45named /etc/rc.d/rc4.d/S45named
mv /etc/rc.d/rc5.d/K45named /etc/rc.d/rc5.d/S45named
The renaming of these files makes that the DNS server is started during system boot.

A directory /etc/named is created to store our zone files. I do not like the Red Hat Linux 8.0 default /var/named. Having all configuration files in the /etc tree makes it easier to backup the servers configuration.

The root hints file /var/named/named.ca is copied to /etc/named/named.root. This file contains references to the internet's master name servers. It is advisable to check yearly for updates of this file at You are not allowed to view links.
Register or Login.

For each domain for which we have the authority, we have to create a zone file resolving that domain.

Since my server is connected to the internet via a network address translating (NAT) ADSL modem, different IP addresses are needed to approach my server from the internet and from my home network. From the internet my server has to be approached with the public IP address 213.84.70.99 provided by my internet service provider. The ADSL modem translates this address into the internal IP address 10.0.0.254. If I approach my server from my internal home network, I have to use the internal IP address 10.0.0.254 directly.

Since my DNS has to return an internal IP address to clients locally on my home network (e.g. my laptop), different views are created. My DNS will return different information to request from local clients compared  to requests from clients on the internet. 

Ofcause the above requires that I specify my own DNS server 10.0.0.254 as the prefered DNS in the network configuration of all my local clients. That can be done either by editing the network settings for each client, or by editing the settings for the DHCP server in the ADSL modem (not possible on older Alcatel SpeedTouch 510 models).

My DNS has to do the following:

The domain fwiarda.com must be resolved for requests from both local clients and from the internet;
The sub-domain ipd5544663.xs4all.nl must be resolved for requests from local clients. Requests from the internet are handled by my internet service provider XS4ALL. They are not willing to delegate authority for this sub-domain. Neither is it necessary for me to have that authority. After all I do not use any sub-sub-domains to this sub-domain;
Requests for the top-level domain fwiarda-lan from local clients must be forwarded to the name server in my ADSL modem. On the internet the top-level domain fwiarda-lan does not exist, neither are my internal hosts somebody else's business;
Requests for the reverse domain 10.in-addr.arpa from local clients must be forwarded to the name server in my ADSL modem. This way the IP addresses of my internal hosts can be reverse mapped to hostnames like fwiarda-pc.fwiarda-lan. On the internet I do not have authority for the reverse domain 10.in-addr.arpa (the IP addresses 10.x.x.x are reserved for private networks not visible on the internet), neither are my internal IP addresses somebody else's business.
To cater for the above, the file /etc/named.conf must contain the following lines:

options {
   directory "/etc/named";
   max-cache-size 1m;
};

view "local" IN {
   match-clients { localnets; };
   recursion yes;
   zone "fwiarda.com." IN {
      type master;
      file "fwiarda.com.lzone";
   };
   zone "ipd5544663.xs4all.nl." IN {
      type master;
      file "ipd5544663.xs4all.nl.lzone";
   };
   zone "fwiarda-lan." IN {
      type forward;
      forwarders { 10.0.0.138; };
   };
   zone "10.in-addr.arpa." IN {
      type forward;
      forwarders { 10.0.0.138; };
   };
   zone "." IN {
      type hint;
      file "named.root";
   };
};

view "world" IN {
   match-clients { any; };
   recursion yes;
   zone "fwiarda.com." IN {
      type master;
      file "fwiarda.com.zone";
   };
   zone "." IN {
      type hint;
      file "named.root";
   };
};
The zone file fwiarda.com.lzone resolving local requests for the fwiarda.com  domain contains the following lines:
$TTL 12h

@  IN  SOA   ns.fwiarda.com.   fwiarda.xs4all.nl. (
                                  2003032901 ; serial
                                  1h ; refresh
                                  20m ; retry
                                  10d ; expire
                                  12h ) ; time to live

@ IN  NS    ns.fwiarda.com.

@ IN  A     10.0.0.254

@ IN  MX    0    mail.fwiarda.com.

ftp.fwiarda.com.               IN  A   10.0.0.254
mail.fwiarda.com.              IN  A   10.0.0.254
ns.fwiarda.com.                IN  A   10.0.0.254
pc.fwiarda.com.                IN  A   10.0.0.201
telnet.fwiarda.com.            IN  A   10.0.0.254
server.fwiarda.com.            IN  A   10.0.0.254
You are not allowed to view links.
Register or Login

www.fwiarda.com

.               IN  A   10.0.0.254

mail.fwiarda.com.       IN  MX  0    mail.fwiarda.com.
The zone file ipd5544663.xs4all.nl.lzone resolving local requests for the ipd5544663.xs4all.nl sub-domain contains the following lines:

$TTL 12h

@  IN  SOA   ns.fwiarda.com.   fwiarda.xs4all.nl. (
                                  2003032901 ; serial
                                  1h ; refresh
                                  20m ; retry
                                  10d ; expire
                                  12h ) ; time to live

@  IN  NS    ns.fwiarda.com.

@  IN  A     10.0.0.254
The zone file fwiarda.com.zone resolving requests from the internet for the fwiarda.com domain contains the following lines:
$TTL 12h

@  IN  SOA   ns.fwiarda.com.   fwiarda.xs4all.nl. (
                                  2003032901 ; serial
                                  1h ; refresh
                                  20m ; retry
                                  10d ; expire
                                  12h ) ; time to live

@ IN  NS    ns.fwiarda.com.

@ IN  A     213.84.70.99

@ IN  MX    0    mail.fwiarda.com.

ftp.fwiarda.com.               IN  A   213.84.70.99
mail.fwiarda.com.              IN  A   213.84.70.99
ns.fwiarda.com.                IN  A   213.84.70.99
pc.fwiarda.com.                IN  A   213.84.70.99
telnet.fwiarda.com.            IN  A   213.84.70.99
server.fwiarda.com.            IN  A   213.84.70.99
You are not allowed to view links.
Register or Login

www.fwiarda.com

.               IN  A   213.84.70.99

mail.fwiarda.com.       IN  MX  0    mail.fwiarda.com.
Note that I have not used my regular e-mail address fwiarda@fwiarda.com in the SOA record , but the e-mail address fwiarda@xs4a11.n1 (which is written in SOA format as fwiarda.xs4all.nl), which I got from my internet service provider XS4ALL. If there are problems with my name server or my domain, it is likely that my e-mail address is experiencing problems as well. Therefore I use my e-mail address fwiarda@xs4a11.n1 for things like domain registration and maintenance. Normally this address is forwarded to my regular e-mail address fwiarda@fwiarda.com, but when I am experiencing problems I can cancel this forward and use the fwiarda@xs4a11.n1 address to communicate with the helpdesk.

The changes in this section become effective after the named-daemon is started manually or after a system reboot.

For more information about DNS see "DNS and BIND" ([2]);


16. E-Mail
By default POP3 and IMAP are disabled on Red Hat Linux 8.0. To enable it edit the files /etc/xinetd.d/ipop3 and /etc/xinetd.d/imap and change in both files disable = yes into disable = no. The change becomes effective after the xinet-daemon has been restarted, or after a system reboot.

To mail delivery I have edited the file /etc/sysconfig/sendmail, and changed QUEUE=1h into QUEUE=10m. This change makes that the mail queue is processed every 10 minutes instead of every hour.

I have edited the file /etc/mail/sendmail.mc. to contain the following
lines:

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
OSTYPE(`linux')dnl
VERSIONID(`linux setup for Red Hat Linux')dnl
define(`confAUTH_MECHANISMS',`GSSAPI LOGIN PLAIN')dnl
define(`confCW_FILE',`/etc/mail/local-host-names')dnl
define(`confDOMAIN_NAME',`mail.fwiarda.com')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupWritableDirPathFile')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupWritableDirPathFileSafe')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupWritableForwardFile')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupWritableForwardFileSafe')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupWritableIncludeFile')dnl
define(`confDONT_BLAME_SENDMAIL',`GroupWritableIncludeFileSafe')dnl
define(`confDOUBLE_BOUNCE_ADDRESS',`null')dnl
define(`confFORWARD_PATH',`$z/.forward')dnl
define(`confMAX_MESSAGE_SIZE',`0')dnl
define(`confTO_QUEUERETURN',`12h')dnl
define(`confTO_QUEUEWARN',`30m')dnl
define(`ALIAS_FILE',`/etc/mail/aliases')dnl
TRUST_AUTH_MECH(`GSSAPI LOGIN PLAIN')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`limited_masquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`virtusertable',`hash /etc/mail/virtusertable.db')dnl
MASQUERADE_AS(`mail.fwiarda.com')dnl
MASQUERADE_DOMAIN(`server.fwiarda.com')dnl
MAILER(`smtp')dnl
After editing the file the following command must be executed:

m4 /etc/mail/sendmail.mc >/etc/mail/sendmail.cf
I have edited the file /etc/mail/submit.mc to contain the following
lines:

include(`/usr/share/sendmail-cf/m4/cf.m4')
OSTYPE(`linux')dnl
VERSIONID(`linux setup for Red Hat Linux')dnl
define(`confCF_VERSION',`Submit')dnl
define(`confPID_FILE',`/var/run/sm-client.pid')dnl
define(`confTIME_ZONE',`USE_TZ')dnl
dnl define(`confDIRECT_SUBMISSION_MODIFIERS',`C')
FEATURE(`msp')dnl
After editing the file the following command has been executed:

m4 /etc/mail/submit.mc >/etc/mail/submit.cf
I have edited the file /etc/mail/local-host-names to contain the following lines:

server.fwiarda.com
mail.fwiarda.com
ipd5544663.xs4all.nl
[213.84.70.99]
fwiarda-server.fwiarda-lan
[10.0.0.254]
fwiarda.com
I have edited the file /etc/mail/aliases to contain the following lines:

adm:          bounce
amanda:       bounce
apache:       bounce
bin:          bounce
canna:          bounce
desktop:       bounce
ftp:          bounce
games:          bounce
gdm:          bounce
gopher:       bounce
halt:          bounce
ident:          bounce
ldap:          bounce
lp:          bounce
mail:          bounce
mailman:       bounce
mailnull:       bounce
mysql:          bounce
named:          bounce
netdump:       bounce
news:          bounce
nfsnobody:       bounce
nobody:       bounce
nscd:          bounce
ntp:          bounce
pcap:          bounce
postfix:       bounce
postgres:       bounce
privoxy:       bounce
pvm:          bounce
radvd:          bounce
rpc:          bounce
rpcuser:       bounce
rpm:          bounce
shutdown:       bounce
smmsp:          bounce
squid:          bounce
sshd:          bounce
sync:          bounce
uucp:          bounce
vcsa:          bounce
webalizer:       bounce
wnn:          bounce
xfs:          bounce

mailer-daemon:       /dev/null
null:          /dev/null
root:          fwiarda

abuse:          fwiarda
administrator:       fwiarda
hostmaster:       fwiarda
postmaster:       fwiarda
webmaster:       fwiarda

server               bounce
I have edited the file /etc/mail/virtusertable to contain the following lines:

bounce@fwiarda.com      bounce
fwiarda@fwiarda.com      fwiarda
null@fwiarda.com      null

abuse@fwiarda.com      fwiarda
administrator@fwiarda.com   fwiarda
hostmaster@fwiarda.com      fwiarda
postmaster@fwiarda.com      fwiarda
webmaster@fwiarda.com      fwiarda
@fwiarda.com         error:5.1.6:550 Mail to fwiarda@fwiarda.com instead

When hosting additional e-mail domains, a tab-separated list of e-mail addresses and the local mailboxes or aliases on which they must be mapped must be added to the file /etc/mail/virtusertable. Leaving the part of the e-mail address before the @ sign away maps the entire domain. Note that all domains for which e-mail can be received must be listed in the file /etc/mail/local-host-names.

For more information about e-mail see the book titled "Sendmail" ([3]).

[charleychacko]

17. Filtering Spam
I use spamassassin to tag spam for mail send to my personal mail account. My spamassassin configuration file /etc/mail/spamassassin/local.cf contains the following lines:

report_header 1
rewrite_subject 0
defang_mime 0

Besides the lines above, I have added some personal rules to the file /etc/mail/spamassassin/local.cf . These rules are outside the scope of this document.

I have created a file /etc/mail/spamassassin/whitelist.cf  containing the e-mail addresses of my contacts in lines like:

whitelist_from user@domain

I have created a file /etc/mail/spamassassin/blacklist.cf  containing the e-mail addresses of people from who I do not want to receive e-mail in lines like:

blacklist_from user@domain

I have written a procmail script which moves spam to a seperate mailbox ~/mail/Spam. The suspected spammer will receive a mail that his e-mail has been deleted. In this mail he is informed that he can bypass the spam filter by starting the subject field with the keyword NOSPAM. Real spammers do not read bounced messages. But legitimate senders whose mail is accidentally tagged as spam will do.

The procmail script is self documenting. It is available at You are not allowed to view links.
Register or Login. Beware DOS to Unix text file conversion (CR-LF to LF) when downloading it. Copy it to /usr/local/bin/spamfilter. The file must be executable for everybody. This can be done with the command:

chmod 755 /usr/local/bin/spamfilter
To have all my e-mail filtered, I have created a /home/fwiarda/.forward containing the following line:

"|/usr/local/bin/spamfilter email=fwiarda@fwiarda.com"
Note that sendmail requires the /home/fwiarda/.forward file to be owned by fwiarda and not being world readable. When the file has been created by root, the following commands fix this:

chmod 644 /home/fwiarda/.forward
chown fwiarda /home/fwiarda/.forward
chgrp fwiarda /home/fwiarda/.forward

18. Auto-Replying to E-Mail

Red Hat Linux 8.0 does not come with a vacation program, to auto-reply to your mail. I have written a perl script myself, which mimics the Unix vacation program.

In most aspects this script is stripped down in functionality compared to the Unix vacation program. However, with the handling of .forward files it is more advanced. If a .forward file already exists and contains forwards to something else then vacation, it adds a line to the original .forward file instead of overwriting it. Later, when vacation is disabled, this line is deleted again. This behaviour leaves other forwards intact.

The script is self documenting. It is available at You are not allowed to view links.
Register or Login. Beware DOS to Unix text file conversion (CR-LF to LF) when downloading it. Copy it to /usr/local/bin/vacation. The file must be executable for everybody. This can be done with the command:

chmod 755 /usr/local/bin/vacation


19. Web Server
By default the Apache web server is disabled at Red Hat Linux 8.0. To enable it the following commands must be executed:

mv /etc/rc.d/rc1.d/K15httpd /etc/rc.d/rc1.d/K86httpd
mv /etc/rc.d/rc2.d/K15httpd /etc/rc.d/rc2.d/S86httpd
mv /etc/rc.d/rc3.d/K15httpd /etc/rc.d/rc3.d/S86httpd
mv /etc/rc.d/rc4.d/K15httpd /etc/rc.d/rc4.d/S86httpd
mv /etc/rc.d/rc5.d/K15httpd /etc/rc.d/rc5.d/S86httpd
mv /etc/rc.d/rc6.d/K15httpd /etc/rc.d/rc6.d/K86httpd
The renaming of these files makes that the Apache web server is started during system boot. Note that we also rename the files from *15* into *86* This ensures the Apache web server is started after the name server has been started. In that case it is not able to resolve the host names used in it's configuration file.

The following lines must be added to or changed in the main server configuration section of /etc/httpd/conf/httpd.conf:

# Set my e-mail address as the server administrators e-mail.
ServerAdmin "fwiarda@fwiarda.com"
# Set the name of the server.
ServerName "server.fwiarda.com"
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# We configure the default to be a very relaxed set of features,
# so we do not have to switch them on seperately for each virtual
# server.
<Directory "/">
   Options All
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

# We set the documents defining a directory index.
DirectoryIndex "index.htm" "index.html" "index.txt" "index.cgi" "index.php"

# The default is to present a test page if there is no index file in
# the document root directory. We like Apache to display the directory
# contents instead, by commenting the corresponding directives out.
#<LocationMatch "^/$>
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>

# We define the format of directory listings.
IndexOptions FancyIndexing NameWidth=* FoldersFirst SuppressDescription

# We disable headers and readme files in directory listings by commenting
# the corresponding directives out.
#ReadmeName README.html
#HeaderName HEADER.html

# All files ending with .cgi are scripts, even if they are not placed
# in a special directory for cgi-scripts.
AddHandler cgi-script .cgi

# We set .htaccess to be the file from which access permission can be
# overriden.
AccessFileName ".htaccess"

# We do not want .htaccess, .htpasswd and .htgroup files to be displayed.
<Files ~ "^\.ht">
   Order allow,deny
   Deny from all
</Files>

# We lookup the hostnames for the IP addresses to which
# we provide pages. This makes our log files more readable.
HostnameLookups On

# We set the error log file.
ErrorLog "/var/log/httpd/error_log"

# We set the access log file.
CustomLog "/var/log/httpd/access_log" combined

# We don't want to have the server name below directory indexes generated
# by Apache.
ServerSignature Off

# Disable You are not allowed to view links.
Register or Login to be the Apache
# manual, by commenting the corresponding directives out.
#Alias /manual "/var/www/manual"
#
#<Directory "/var/www/manual">
#   Options Indexes FollowSymLinks MultiViews
#    AllowOverride None
#    Order allow,deny
#    Allow from all
#</Directory>
# Disable You are not allowed to view links.
Register or Login to be a server # wide script directory. #ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
These settings are valid for all virtual hosts. The following lines have been added to or changed in the virtual host section of /etc/httpd/conf/httpd.conf:

# We define we are going to use name based virtual hosting.
NameVirtualHost "10.0.0.254"

# This entry is the default entry. It is used when the hostname in the
# URL is not known to us. Hackers just trying our IP address end-up here.
# We will always return an empty page with mime-type text/plain. All
# settings for this entry are taken form the main server configuration
# section above.
<VirtualHost "10.0.0.254">
   <Directory "/dev">
      ForceType text/plain
   </Directory>
   AliasMatch .* "/dev/null"
</VirtualHost>

# The entry for calls to You are not allowed to view links.
Register or Login . It accesses
# SquirrelMail, a web based mail client which is part of the Red Hat
# Linux 8.0 distribution. Since it is a web site on it's own,
# it has it's own error log and access log files.
<VirtualHost "10.0.0.254">
   ServerName "mail.fwiarda.com"
   DocumentRoot "/usr/share/squirrelmail"
   ErrorLog "/var/log/httpd/mail.fwiarda.com.error_log"
   CustomLog "/var/log/httpd/mail.fwiarda.com.access_log" combined
</VirtualHost>

# The entry for calls to You are not allowed to view links.
Register or Login .
# It has it's own error log and access log files.
<VirtualHost "10.0.0.254">
   ServerName "server.fwiarda.com"
   DocumentRoot "/home/server/www"
   ErrorLog "/var/log/httpd/server.fwiarda.com.error_log"
   CustomLog "/var/log/httpd/server.fwiarda.com.access_log" combined
</VirtualHost>

# The entry for calls to my personal web site
# You are not allowed to view links.
Register or Login . It has it's own document root, and it's
# own, error log and access log files.
<VirtualHost "10.0.0.254">
   ServerName "You are not allowed to view links.
Register or Login

www.fwiarda.com

"
   ServerAlias "You are not allowed to view links.
Register or Login

www.fwiarda.com

"
   DocumentRoot "/home/fwiarda/www"
   ErrorLog "/var/log/httpd/www.fwiarda.com.error_log"
   CustomLog "/var/log/httpd/www.fwiarda.com.access_log" combined
</VirtualHost>
Since we have defined You are not allowed to view links.
Register or Login to access SquirrelMail, I considered it not necessary that You are not allowed to view links.
Register or Login accesses SquirrelMail as well. The /etc/httpd/conf.d/squirrelmail.conf has been edited to delete the line:

Alias /webmail /usr/share/squirrelmail
The document root directory, the directory containing the log files, and all the directories above them, must be searchable and readable for the user apache. To be able to test this, it practical to login as user apache. However, by default no login shell is assigned to the user apache. We fix this editing the file /etc/passwd and changing the line:

apache:x:48:48:Apache:/var/www:/sbin/nologin
into:

apache:x:48:48:Apache:/var/www:/bin/bash
When logged-in as root, we can now log-in as apache by issuing the following command:

su - apache
If there is any flaw in file access permission settings, they will become clearly noticeable.

The web site You are not allowed to view links.
Register or Login is used for accessing the access and error logs, and the usage statistics of my server. The directory /home/server/www is the document root for this web site. It must be created, as well as sub-directories for usage statistics and a link to the directory containing the servers log files:

mkdir /home/server/www
mkdir /home/server/www/usage
mkdir /home/server/www/usage/mail.fwiarda.com
mkdir /home/server/www/usage/server.fwiarda.com
ln -s /var/log/httpd /home/server/www/log
chmod 755 /var/log/httpd
I do not want everybody to have access to my logs and usage statistics. Therefore  a file /home/server/www/.htaccess is created, containing the following lines:

AuthUserFile /home/server/www/.htpasswd
AuthName "Server Administrator"
AuthType Basic
<Limit GET POST>
   require valid-user
</Limit>
A file /home/server/www/.htpasswd is created by issuing the following commands:

htpasswd /home/server/www/.htpasswd root
htpasswd /home/server/www/.htpasswd fwiarda
The htpasswd program prompts for the appropriate passwords.

The ownership of the /home/server/www tree shall belong to the user server. If this directory tree has been created while being logged-in as root, the ownership must be transferred with the following command:

chown -R server:server /home/server/www
For more information about the Apache web server see "Apache; The Definitive Guide" ([4]).

20. Web Usage Statistics
 Webalizer is a tool for generating usage statistics for web pages.

The file /etc/webalizer.conf is edited, to ensure the following parameters are defined or commented out:

# We will specify the log file at the command line.
# The entry LogFile is commented out.
#LogFile /var/log/httpd/access_log
# We will specify the output directory at the command line.
# The entry OutputDir is commented out.
#OutputDir .
# The file webalizer.hist in the output directory will
# contain the data for previous months.
HistoryName webalizer.hist
# We only process entries not yet processed before. We
# retrieve the old usage information form the files
# webalizer.hist and webalizer.current
Incremental yes
# The file webalizer.current in the output directory will
# contain the data for the current month.
IncrementalName webalizer.current
# For debugging purposes we enable log messages. When
# webalizer is called from a script, we suppres all messages
# by adding the -Q option at the command line.
Quiet no
A file /etc/cron.daily/webalizer is created. This file is executed daily since it resides in the /etc/cron.daily directory. It must contain the following lines:

#!/bin/bash
if [ -s /var/log/httpd/server.fwiarda.com.access_log ] ; then
   /usr/bin/webalizer -Q \
      -n server.fwiarda.com \
      -r server.fwiarda.com \
      -o /home/server/www/usage/server.fwiarda.com \
      /var/log/httpd/server.fwiarda.com.access_log
fi
if [ -s /var/log/httpd/mail.fwiarda.com.access_log ] ; then
   /usr/bin/webalizer -Q \
      -n mail.fwiarda.com \
      -r mail.fwiarda.com \
      -o /home/server/www/usage/mail.fwiarda.com \
      /var/log/httpd/mail.fwiarda.com.access_log
fi
if [ -s /var/log/httpd/www.fwiarda.com.access_log ] ; then
   /usr/bin/webalizer -Q \
      -n You are not allowed to view links.
Register or Login

www.fwiarda.com

\
      -r You are not allowed to view links.
Register or Login

www.fwiarda.com

\
      -r fwiarda.com \
      -o /home/server/www/usage/www.fwiarda.com \
      /var/log/httpd/www.fwiarda.com.access_log
fi
exit 0
After editing this file must be made executable with the command:

chmod 755 /etc/cron.daily/webalizer

21. Samba
By default samba is disabled at Red Hat Linux 8.0. To enable it the following commands must be executed:

mv /etc/rc.d/rc2.d/K35smb /etc/rc.d/rc2.d/S35smb
mv /etc/rc.d/rc3.d/K35smb /etc/rc.d/rc3.d/S35smb
mv /etc/rc.d/rc4.d/K35smb /etc/rc.d/rc4.d/S35smb
mv /etc/rc.d/rc5.d/K35smb /etc/rc.d/rc5.d/S35smb
The file /etc/samba/smb.conf is edited and shall contain the following lines:

[global]
workgroup = fwiarda-group
netbios name = fwiarda-server
server string = Frits Wiarda's Server
encrypt passwords = yes
security = user
time service = yes

[fwiarda]
path = /home/fwiarda
comment = /home/fwiarda
read only = no
guest ok = no
create mask = 644
force create mode = 644
directory mask = 755
force directory mode = 755
Samba uses the passwords from file /etc/smbpasswd instead of /etc/passwd or /etc/shadow. That means separate passwords for samba must be created. This is done with the following comand:

smbpasswd -a fwiarda
The smbpasswd program prompts for the appropriate password.

For more information on samba see "Using Samba" ([5]).

22. Disabling Start-Up of Unused Services
 Linux knows different run levels:

Run level 0. Halt the system;
Run level 1. Single user mode;
Run level 2. Multi user mode without NFS;
Run level 3. Multi user mode with NFS;
Run level 4. Unused;
Run level 5. X11 graphical user interface;
Run level 6 . Reboot the system.
When the system boots, it reads from the file /etc/inittab to which run level it should switch. It will then run the startup scripts for this run level (see /etc/rc.d/rc?.d).

We will use the unused run level 4. To have the system boot in run level 4, we edit /etc/inittab changing the initdefault line into:

id:4:initdefault:
With the following rename we make that only the services we need are started:

mv /etc/rc.d/rc4.d/S05kudzu      /etc/rc.d/rc4.d/K05kudzu
mv /etc/rc.d/rc4.d/S08ip6tables  /etc/rc.d/rc4.d/K08ip6tables
mv /etc/rc.d/rc4.d/S08ipchains   /etc/rc.d/rc4.d/K08ipchains
mv /etc/rc.d/rc4.d/S08iptables   /etc/rc.d/rc4.d/K08iptables
mv /etc/rc.d/rc4.d/S09isdn       /etc/rc.d/rc4.d/K09isdn
mv /etc/rc.d/rc4.d/S13portmap    /etc/rc.d/rc4.d/K13portmap
mv /etc/rc.d/rc4.d/S14nfslock    /etc/rc.d/rc4.d/K14nfslock
mv /etc/rc.d/rc4.d/S17keytable   /etc/rc.d/rc4.d/K17keytable
mv /etc/rc.d/rc4.d/S24pcmcia     /etc/rc.d/rc4.d/K24pcmcia
mv /etc/rc.d/rc4.d/S25netfs      /etc/rc.d/rc4.d/K25netfs
mv /etc/rc.d/rc4.d/S26apmd       /etc/rc.d/rc4.d/K26apmd
mv /etc/rc.d/rc4.d/S28autofs     /etc/rc.d/rc4.d/K28autofs
mv /etc/rc.d/rc4.d/S56rawdevices /etc/rc.d/rc4.d/K56rawdevices
mv /etc/rc.d/rc4.d/S84privoxy    /etc/rc.d/rc4.d/K84privxy
mv /etc/rc.d/rc4.d/S85gpm        /etc/rc.d/rc4.d/K85gpm
mv /etc/rc.d/rc4.d/S90canna      /etc/rc.d/rc4.d/K90canna
mv /etc/rc.d/rc4.d/S90xfs        /etc/rc.d/rc4.d/K90xfs
mv /etc/rc.d/rc4.d/S95anacron    /etc/rc.d/rc4.d/K95anacron
mv /etc/rc.d/rc4.d/S95atd        /etc/rc.d/rc4.d/K95atd
mv /etc/rc.d/rc4.d/S97rhnsd      /etc/rc.d/rc4.d/K97rhnsd
mv /etc/rc.d/rc4.d/S98wine       /etc/rc.d/rc4.d/K98wine
mv /etc/rc.d/rc4.d/S99mdmonitor  /etc/rc.d/rc4.d/K99mdmonitor
The command ls /etc/rc.d/rc4.d/S* will list all the services that will be started at run level 4:

S00microcode_ctl
S10network
S12syslog
S20random
S35smb
S45named
S55sshd
S56xinetd
S60lpd
S80sendmail
S86httpd
S90crond
S99local

23. NAT Settings ADSL Modem
To be able to reach my server from the internet, the some NAT settings must me made in the ADSL modem. 

The easiest option is to set  the default  address to which IP packages from the internet must be routed to the servers internal IP address 10.0.0.254. Now  all IP packages from the internet are send to the server.

The best option is to list explicitly for which TCP and UDP ports IP packages must be routed to the servers internal IP address 10.0.0.254. Other IP packages can be discarded, making life for hackers more difficult. The ports which must be opened are:

TCP port 21 for FTP;
TCP port 22 for secure telnet (SSH);
TCP port 23 for telnet;
TCP port 25 for SMTP;
Both UDP and TCP port 53 for DNS;
TCP port 80 for HTTP;
TCP port 110 for POP3;
TCP port 143 for IMAP.


Glossary and Abbreviations
BOOTP BOOTstrap Protocol.
   
DHCP Dynamic Host Configuration Protocol.
   
DNS Domain Name System.
   
FTP File Transfer Protocol.
   
HTML HyperText Mark-up Language.
   
HTTP HyperText Transfer Protocol.
   
IMAP Internet Mail Access Protocol.
   
IP Internet Protocol.
   
LPD Line Printer Daemon.
   
POP3 Post Office Protocol version 3.
   
NAT Network Address Translation.
   
RFC Request For Comment.
   
SMTP Simple Mail Transfer Protocol.