Archive for category Walkthroughs

Ubuntu 9.04 BIND DNS Caching server

BIND, for Berkeley Internet Name Domain, or named, is the most commonly used DNS server on the Internet, especially on Unix-like systems, where it is a de facto standard. I have found many reasons to run a BIND DNS caching server: on email servers and Apache web servers, to keep lookup load from spilling onto your authoritative DNS servers, and on my internal home server, simply so I can clear the cache whenever I want. I especially like having my own BIND DNS caching server when I am working on a client's DNS: once I make the changes I can flush the cache on my server and test the change. Let's get started on how to install a BIND DNS caching server on Ubuntu 9.04.

1.) Install BIND 9 and the BIND 9 utils using apt-get for our BIND DNS caching server.

sudo apt-get update
sudo apt-get install bind9 bind9utils

2.) Point your /etc/resolv.conf at the new server's IP address.

vi /etc/resolv.conf
add "nameserver xxx.xxx.xxx.xxx" to the file

3.) Test your BIND DNS caching server.
dig www.wantlinux.net

You should notice a line such as "Query time: 18 msec" in the output of the dig command. Make a note of that response time, then repeat the dig command: the second response time should drop drastically, which means your BIND DNS caching server is working. For example, my second output was "Query time: 2 msec". Saving 16 ms per DNS query might not seem like a lot, but when you use SpamAssassin with its DNS checks turned on you can make 10-30 DNS queries per email. It adds up quickly when your email server receives 4 messages a second.

Another option for your BIND DNS caching server is to use your ISP's DNS servers as forwarders, but this does not give you the flexibility of clearing your cache whenever you want: flushing your own cache does not flush your ISP's cache, so you will keep getting the same DNS response.

Note that BIND caches DNS information in RAM, not on disk. In most cases this is not a problem, since most machines have plenty of memory and old records are purged from memory after a period of time. However, if you expect your server to get a lot of traffic, you may want to periodically flush the cache with the following command.

sudo rndc -s localhost flush

Alternatively, set the maximum amount of memory to use (in essence forcing overflow data to be deleted before it expires) with the max-cache-size option in the configuration file.
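As an added example (not the post's own configuration), here is a named.conf.options for the caching server that sets max-cache-size and, more importantly, limits recursion to your own networks so the box is not an open resolver that anyone on the Internet can use. The 192.168.1.0/24 network and the 192.168.1.5 listen address are assumptions; substitute your own.

```conf
// /etc/bind/named.conf.options -- added example, not the post's file.
// The 192.168.1.0/24 network and 192.168.1.5 address are assumptions.
acl "trusted" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/cache/bind";

    // Answer queries, and recurse, only for local clients. Without these
    // two lines the server is an open resolver reachable from anywhere.
    allow-query { trusted; };
    allow-recursion { trusted; };
    listen-on { 127.0.0.1; 192.168.1.5; };

    // Cap the in-memory cache at 64 MB; once the limit is reached BIND
    // evicts entries before their TTL expires.
    max-cache-size 64M;

    // Optional: forward to the ISP's resolvers instead of doing full
    // recursion. Flushing this cache still does not flush theirs.
    // forwarders { 203.0.113.1; };

    auth-nxdomain no;    # conform to RFC1035
};
```

After editing, check the syntax with named-checkconf and reload with sudo rndc reload; sudo rndc -s localhost flush still clears the cache on demand.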


Ubuntu Iptables Firewall Script for /etc/init.d

I have used a lot of different firewall scripts over the years, and I have fallen in love with the following script written by Tero Karvinen. It is a simple iptables firewall script and it is easy to maintain: not a lot of variables, and totally customizable. Why would I want anything else? Below is my mail server's iptables firewall configuration, with a state hitcount rule to slow down potential spammers; I have it set for a mail server that accepts 16 messages a second. That is 1.3 million emails a day, so the iptables firewall script works. Here is how to install it.

1.) Copy the following lines.
——————————————————————
#!/bin/sh
# Cleanup old rules
# All the time firewall is in a secure, closed state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush # Flush all rules, but keep policies
iptables --delete-chain
## Workstation Minimal firewall ###
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
####### HOLES ####### Edit holes below, then run this script again
# munin
iptables -A INPUT -p TCP -s 192.168.1.16/32 --destination-port 4949 -j ACCEPT
# mysql
iptables -A INPUT -p TCP -s 192.168.1.0/24 --destination-port 3306 -j ACCEPT
# nagios
iptables -A INPUT -p TCP -s 192.168.1.16/32 --destination-port 5666 -j ACCEPT
# sshd
iptables -A INPUT -p TCP -s 192.168.1.0/24 --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -s 10.0.0.0/24 --destination-port 22 -j ACCEPT
# smtp
iptables -A INPUT -p TCP --dport 25 -j ACCEPT
# Rate limit new SMTP connections per source address: more than 45 new
# connections from one address within 600 seconds are dropped. Both rules
# are inserted (-I) at the top of INPUT so they run before the ACCEPT above.
iptables -I INPUT -p TCP --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p TCP --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 45 -j DROP
# pop
iptables -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
# imap
iptables -A INPUT -p TCP -s 0/0 --destination-port 143 -j ACCEPT
# 587
iptables -A INPUT -p TCP -s 0/0 --destination-port 587 -j ACCEPT
##################### Edit above
# iptables -A INPUT -j LOG -m limit --limit 40/minute
iptables -A INPUT -j DROP
# Save
# iptables-save > /etc/sysconfig/iptables
echo ": Done."
————————————————————————
2.) Open /etc/init.d/firewall.sh with your favorite editor.

$ sudo vi /etc/init.d/firewall.sh

3.) Paste the script into your editor, and edit the ports to your liking. Make sure you are in insert mode in vi before you paste.

4.) Change the permissions so the file is executable.

$ sudo chmod 744 /etc/init.d/firewall.sh

5.) Start the script

$ sudo /etc/init.d/firewall.sh

6.) Add the script to start-up

$ sudo update-rc.d firewall.sh defaults

Please let me know if you have any questions about this really easy and nice Ubuntu iptables firewall script. Like I said, I have tried a bunch and this is the best iptables firewall script I have found.


Ubuntu Subinterfaces

I have found myself searching the internet for the correct configuration for Linux subinterfaces. A subinterface is a division of one physical interface into multiple logical interfaces. So why would we do that? I use subinterfaces for hosting multiple SSL sites, for DSR (direct server return) addresses on localhost behind my load balancers, and for anything else that needs multiple IPs on the same physical interface. In Ubuntu it is easy to add subinterfaces. I have never had to add a temporary subinterface in Ubuntu; I figure it is easier to just add it to the system and restart networking. Here is how to add an Ubuntu subinterface with ifconfig.

Adding an Ubuntu subinterface without restarting networking.

1. Add the interface and IP address in one step

$ sudo ifconfig eth0:0 192.168.1.253 netmask 255.255.255.0

2. Bring the subinterface up

$ sudo ifconfig eth0:0 up

3. Check that it appears in ifconfig

$ ifconfig -a

eth0      Link encap:Ethernet  HWaddr 00:30:48:28:65:2b
inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
inet6 addr: fe80::230:48ff:fe28:652b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:101278725 errors:10 dropped:0 overruns:0 frame:10
TX packets:96594294 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3734515707 (3.7 GB)  TX bytes:1773845088 (1.7 GB)

eth0:0    Link encap:Ethernet  HWaddr 00:30:48:28:65:2b
inet addr:192.168.1.253  Bcast:192.168.1.255  Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

4. Remember that the subinterface is gone after a reboot unless you add it to /etc/network/interfaces.

Adding an Ubuntu subinterface permanently.

Now that you have added the subinterface without restarting networking or rebooting, we need to add the IP address to the configuration file on Ubuntu, so the new IP address is still on the system when you do some upgrades and need to reboot.

1.  Open the /etc/network/interfaces file with your favorite editor

$ sudo vi /etc/network/interfaces

2. Add the following lines below your physical interface to create the subinterface on reboot.

auto eth0:0
iface eth0:0 inet static
address 192.168.1.253
netmask 255.255.255.0

3. You can always add more Ubuntu subinterfaces by changing eth0:0 to eth0:1, eth0:2 and so on.

Here is an example of my complete /etc/network/interfaces file with Ubuntu subinterfaces.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.5
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

auto eth0:0
iface eth0:0 inet static
address 66.37.141.237
netmask 255.255.255.0


Create your own RBL

I have always thought that RBLs are a cost-effective way to get rid of spam. The more email I can drop at the RBL level with Postfix, the less SpamAssassin processing I have to do. Since running SpamAssassin at a business scale requires a lot of horsepower and memory, I like to clean up the known offenders at the Postfix level with an RBL blacklist.

The first thing you have to do is set up a blackhole (spam trap) email address and get it out on the internet: hide it in websites owned by your company, in policy statements or wherever else you need to in order to sleep at night. Make sure the address has never been used before on your domain, and that it actually receives mail. In this case I am using Postfix Maildirs, because they keep each message in a separate file, which makes processing and filing cleaner.

Next install rbldnsd on Ubuntu. I am testing on Jaunty Jackalope right now, but it will work on 7.04 and forward.

sudo apt-get install rbldnsd

sudo vi /etc/default/rbldnsd

If everything in the file is commented out, add the following to the bottom. The first word (dsbl) is the name of this rbldnsd instance, -r is the directory holding the zone files, -c60 rechecks the files every 60 seconds and -b is the address to listen on; the last argument is zone:dataset type:file.

RBLDNSD="dsbl -r/var/lib/rbldnsd/ -c60 -b10.0.0.1 \
  rbl.example.com:ip4set:rbl.example.com.db"

Create the db file. Its first line sets the default A record value returned for listed addresses (127.0.0.2) and the TXT text, in which rbldnsd replaces $ with the queried IP.

echo ':127.0.0.2:http://www.example.com/removal.php?ip=$' | sudo tee /var/lib/rbldnsd/rbl.example.com.db

You can put a URL or whatever you like in the http section I have above. Next add an IP address or two to the file, one per line. I assume you have a couple if you have gotten this far.

echo '10.0.0.1' | sudo tee -a /var/lib/rbldnsd/rbl.example.com.db

and so on and so on.

Restart rbldnsd

sudo /etc/init.d/rbldnsd restart

Test the RBL server. The queried name is the IP address with its octets reversed, under the zone name.

dig 1.0.0.10.rbl.example.com

It should respond with something like the following.

$ dig 1.0.0.10.rbl.example.com

; <<>> DiG 9.5.1-P1 <<>> 1.0.0.10.rbl.example.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62354
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.0.10.rbl.example.com. IN A

;; ANSWER SECTION:
1.0.0.10.rbl.example.com. 2100 IN A 127.0.0.2

;; AUTHORITY SECTION:
rbl.example.com. 600 IN NS rbl.example.com.

;; Query time: 588 msec
;; SERVER: 10.0.0.55#53(10.0.0.55)
;; WHEN: Wed Mar 18 09:53:14 2009
;; MSG SIZE rcvd: 80

Yay, you have a working rbldnsd install. Now what? Well, remember that email address you set up; I bet it has received an email by now. Maybe? Now you just have to extract the sending IP address from each message and put it in the /var/lib/rbldnsd/rbl.example.com.db file.

I have a script that automatically extracts the IPs and adds them to the file, but my RBL server can't access my mail directory, so it is overcomplicated. I will give you the main part of the script. It pulls every IPv4 address out of the new messages in the spam-trap Maildir, drops localhost and my own netblocks (66.37 and 66.7.175), and appends the unique results to the db file.

sudo grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' /home/test.example.com/Maildir/new/* | grep -v 127.0.0.1 | awk -F'[' '{print $2}' | sed 's/])//' | grep -v 66.37 | grep -v 66.7.175 | awk '{print $1}' | sed 's/]//' | grep -v '^$' | sed 's/>//' | sort -u | sudo tee -a /var/lib/rbldnsd/rbl.example.com.db

I have a few scripts to clean that up some, but you get the point. I am going to test sa2dnsbl, but I have the feeling it will block too much.
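As an added example (not code from the original post), the same extraction as the pipeline above written as reusable shell functions: pull the sending IPs out of a spam-trap message, skip your own relays so you never list yourself, write them in rbldnsd's ip4set format, and build the reversed query name used to test a listing. The OWN_NETS prefixes, the zone name rbl.example.com and the sample message are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not code from the original post. OWN_NETS, the zone name
# rbl.example.com and SAMPLE_MAIL are assumptions / constructed data.

# Constructed spam-trap message: the Received: headers carry the sending
# IPs; the body also contains an address that must not be picked up.
SAMPLE_MAIL='Received: from mail.example.org (mail.example.org [192.168.1.5])
    by mx.example.com (Postfix) with ESMTP id 7A1B2C
Received: from unknown (HELO spamhost) (198.51.100.23)
    by mail.example.org with SMTP
Received: from zzz.example.net (zzz.example.net [203.0.113.77])
    by mx.example.com (Postfix) with ESMTP id 7A1B2D
From: someone@example.net
Subject: buy now

Call 10.0.0.1 today'

# Loopback and your own relays (assumed prefixes): listing these would
# block your own mail, so they are always skipped.
OWN_NETS='^127\.|^192\.168\.1\.|^66\.37\.'

# Read a message on stdin; print the unique external IPv4 addresses that
# appear on Received: header lines (folded continuation lines are not scanned).
extract_sender_ips() {
    grep -E '^Received:' |
    grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
    grep -vE "$OWN_NETS" |
    sort -u
}

# rbldnsd answers queries for the reversed address under the zone name:
# 10.0.0.1 is looked up as 1.0.0.10.rbl.example.com
reverse_ip() {
    echo "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

rbl_query_name() {
    echo "$(reverse_ip "$1").rbl.example.com"
}

# Produce a complete ip4set file on stdout: the first line is the default
# A value and TXT text (rbldnsd replaces $ with the listed IP), followed by
# one address per line.
build_db() {
    echo ':127.0.0.2:http://www.example.com/removal.php?ip=$'
    extract_sender_ips
}

printf '%s\n' "$SAMPLE_MAIL" | build_db
rbl_query_name 198.51.100.23
```

Pipe a real message from the Maildir into build_db (or extract_sender_ips, with sudo tee -a onto the existing db file) and rbldnsd picks the change up on its next -c recheck; dig the name printed by rbl_query_name to confirm the listing.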


One line command to find Sasl Authenticated users

Today I ran into an issue with a hacked email account, and of course I use Postfix and SASL, so I started writing a grep command for my mail.log. I needed to find how many times each SASL user had logged into the system, and from what IP address. The command below reports, from the standard Postfix logs, how many times each account has logged in today and from which IP address (the output is count, IP, username).

sudo grep sasl /var/log/mail.log | awk -F'[' '{print $3}' | sed 's/],//' | awk '{print $1 " " $3}' | awk -F= '{print $1 " " $2}' | awk '{print $1 " " $3}' | sort | uniq -c | sort -n


One Liners for troubleshooting email issues

Over the years of trying to keep denial of service attacks, and a bunch of other people out there trying to take my server down, away from my servers, I have developed some one-liners that I would like to share with you. These Ubuntu Linux one-liners show the incoming connections to your server, count them per IP address, and order them from lowest to highest.

$ netstat -an | grep SERVER_IP:25 | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -n

Example output:
1 192.168.0.1
2 172.31.31.2
3 10.0.0.1
4 10.10.1.5

Here is a one-liner that shows the number of client connections (client= lines, i.e. messages received) your Postfix server has accepted since the last log rotation. Like the previous one, it sorts the IPs from the lowest number of connections to the highest.

$ sudo grep client= /var/log/mail.log | grep -v 127.0.0.1 | grep -v sasl | awk -F'[' '{print $3}' | sed 's/]//g' | sort | uniq -c | sort -n

Example output:

1 192.168.0.1
2 172.31.31.2
3 10.0.0.1
4 10.10.1.5

Here is another one-liner to count the connections to your Postfix server. It is different from the one above: these are all connections, whether or not they went on to send an email. I like to check this to see whether an IP address is abusing my server without sending email. Like the last two, the output is ordered from lowest to highest.

$ sudo grep "connect from" /var/log/mail.log | grep -v 127.0.0.1 | grep -v disconnect | awk -F'[' '{print $3}' | sed 's/]//' | sort | uniq -c | sort -n

Example output:

1 192.168.0.1
2 172.31.31.2
3 10.0.0.1
4 10.10.1.5
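As an added example (not code from the original posts), the SASL login count from the previous post and the two mail.log one-liners above as shell functions, run over a constructed sample of Postfix mail.log lines so the output can be checked offline. Hostnames, IPs and usernames in the sample are made up.

```shell
#!/bin/sh
# Added example, not code from the original posts. SAMPLE_LOG is
# constructed data in the shape of Postfix smtpd log lines.
SAMPLE_LOG='Mar 18 09:53:14 mx postfix/smtpd[2101]: connect from unknown[10.0.0.1]
Mar 18 09:53:14 mx postfix/smtpd[2101]: 7A1B2C: client=unknown[10.0.0.1], sasl_method=PLAIN, sasl_username=alice@example.com
Mar 18 09:53:15 mx postfix/smtpd[2101]: disconnect from unknown[10.0.0.1]
Mar 18 09:54:02 mx postfix/smtpd[2102]: connect from mail.example.net[172.31.31.2]
Mar 18 09:54:03 mx postfix/smtpd[2102]: 7A1B2D: client=mail.example.net[172.31.31.2]
Mar 18 09:54:03 mx postfix/smtpd[2102]: disconnect from mail.example.net[172.31.31.2]
Mar 18 09:55:10 mx postfix/smtpd[2103]: connect from unknown[10.0.0.1]
Mar 18 09:55:11 mx postfix/smtpd[2103]: 7A1B2E: client=unknown[10.0.0.1], sasl_method=LOGIN, sasl_username=alice@example.com
Mar 18 09:55:12 mx postfix/smtpd[2103]: disconnect from unknown[10.0.0.1]
Mar 18 09:56:00 mx postfix/smtpd[2104]: connect from unknown[192.168.0.1]
Mar 18 09:56:00 mx postfix/smtpd[2104]: lost connection after CONNECT from unknown[192.168.0.1]
Mar 18 09:56:00 mx postfix/smtpd[2104]: disconnect from unknown[192.168.0.1]
Mar 18 09:57:30 mx postfix/smtpd[2105]: connect from unknown[10.0.0.1]
Mar 18 09:57:31 mx postfix/smtpd[2105]: 7A1B2F: client=unknown[10.0.0.1], sasl_method=PLAIN, sasl_username=bob@example.com
Mar 18 09:57:32 mx postfix/smtpd[2105]: disconnect from unknown[10.0.0.1]
Mar 18 09:58:00 mx postfix/smtpd[2106]: connect from localhost[127.0.0.1]
Mar 18 09:58:00 mx postfix/smtpd[2106]: 7A1B30: client=localhost[127.0.0.1]
Mar 18 09:58:01 mx postfix/smtpd[2106]: disconnect from localhost[127.0.0.1]'

# Logins per (client IP, SASL user), read from stdin. One account
# authenticating from many addresses, or far more often than usual, is
# the hacked-account signal. Splitting on "[" puts "ip]..." in field 3.
sasl_logins() {
    awk -F'[' '/sasl_username=/ {
        ip = $3; sub(/].*/, "", ip)
        user = $0; sub(/.*sasl_username=/, "", user); sub(/[, ].*/, "", user)
        count[ip " " user]++
    }
    END { for (k in count) print count[k], k }' | sort -n
}

# Connections per IP: every "connect from", whether or not mail followed.
connections_by_ip() {
    awk -F'[' '/connect from/ && !/disconnect/ && !/127\.0\.0\.1/ {
        ip = $3; sub(/].*/, "", ip); count[ip]++
    }
    END { for (k in count) print count[k], k }' | sort -n
}

# Messages accepted per IP ("client=" lines), excluding authenticated
# submissions and localhost, as in the one-liner above.
clients_by_ip() {
    awk -F'[' '/client=/ && !/sasl/ && !/127\.0\.0\.1/ {
        ip = $3; sub(/].*/, "", ip); count[ip]++
    }
    END { for (k in count) print count[k], k }' | sort -n
}

echo "SASL logins (count ip user):"
printf '%s\n' "$SAMPLE_LOG" | sasl_logins
echo "Connections per IP:"
printf '%s\n' "$SAMPLE_LOG" | connections_by_ip
echo "Messages per client IP:"
printf '%s\n' "$SAMPLE_LOG" | clients_by_ip
```

On a live box replace the printf with sudo cat /var/log/mail.log. Counting inside awk instead of sort | uniq -c gives the same numbers without the leading padding, which makes the output easier to feed into a threshold check.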


Basic Ubuntu Samba server for the home.

Over the years I have had many Samba shares for the house, for TV shows I am unable to watch on TV, and I have them all stored on a Linux server with 4 500GB drives in a RAID 5 configuration. I always use 3ware controllers for RAID on Linux, because they are hardware RAID, which lets me move the data from one machine to another easily, and the kernel driver is built into most Linux kernels. Install Ubuntu Server with 20 GB for root (/) and 100 MB for /boot, and the rest of the space in /home. You can change this, but to keep it simple I put the 1480 GB in /home. The next step after installing Ubuntu Server on the machine is to upgrade the server and install Samba and SSH. Log in locally on the Ubuntu server and type the following to set up Samba.

$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo apt-get install samba openssh-server

If this is your first time using Samba, you might also want to install Samba SWAT. SWAT is a web interface on your machine that lets you manage Samba through a browser on port 901.

$ sudo apt-get install swat xinetd

Now that you have everything installed, you just have to get the configuration correct. I have a basic setup that will get you going, and then I will show you how to configure Samba SWAT. You should be able to get it all working from there. Make sure your /etc/samba/smb.conf file contains only the following config.

$ vi /etc/samba/smb.conf
# Global parameters
[global]
workgroup = WORKGROUP
server string = Samba
security = SHARE
encrypt passwords = true

[shared]
path = /home/shared
read only = No
guest only = Yes
guest ok = Yes

Save the file, and make the directory in /home.
$ sudo mkdir /home/shared

This configuration will allow everyone to view and edit files on the Ubuntu server, but only the files in /home/shared.
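The share above answers to any address that can reach port 445, so as an added example (not the post's own config) here is the same guest share restricted to the home LAN with hosts allow and bound only to the internal interface. The 192.168.1.0/24 network and the eth0 interface name are assumptions.

```ini
# /etc/samba/smb.conf -- added example, not the post's own configuration.
# 192.168.1.0/24 and eth0 are assumptions; substitute your own LAN.
[global]
workgroup = WORKGROUP
server string = Samba
security = SHARE
encrypt passwords = true
# Only answer clients on the LAN and loopback; everyone else is refused
# before any share is evaluated.
hosts allow = 127. 192.168.1.
hosts deny = ALL
# Listen only on the internal interface, so the guest share is never
# reachable through a public-facing address.
interfaces = lo eth0
bind interfaces only = yes

[shared]
path = /home/shared
read only = No
guest only = Yes
guest ok = Yes
```

Run testparm after editing to check the file for syntax errors before restarting Samba.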

To change your configuration using SWAT open a browser, and access the machine in a browser using the following url.

http://IPADDRESS:901

It will ask you to log in, and I like to use root, just so I don't have any permission issues.


Ubuntu change sysctl options

I sometimes forget which options I need to change to raise the maximum number of open files and the like. This is a simple page to help me, and hopefully it helps you. To change sysctl options at boot you edit /etc/sysctl.conf and add whatever options you want to the file. To see your current sysctl options, just use sysctl -a like so.

$ sysctl -a

$ vi /etc/sysctl.conf

Here is what you add to raise the maximum number of open files, threads, and inodes on your system.
fs.file-max=16384
fs.inode-max = 65536
kernel.threads-max=2048

Here are some sysctl options that I have used before to help the networking on a Linux server. I have never really been able to see the difference, but some admins swear by them. Well, we know some people are crazy. Like Windows administrators.

net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_syncookies = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

After editing your sysctl.conf file you will have to run the following command to update the machine so the options take effect immediately.

$ /sbin/sysctl -p

Well feel free to add comments, and other helpful hints.


Set speed and duplex on Ubuntu, and Debian

So I was building a server the other day and had to set the duplex and speed on the machine, because I was getting errors on the switch port for eth0. On Linux I use mii-tool or ethtool, which let me view and change the negotiated speed of eth0 and are very useful for forcing specific Ethernet speed and duplex settings.

Your Ethernet card might not work with one of the tools, so I suggest you install both ethtool and mii-tool. There are three tasks to get this set up when your machine boots: install mii-tool and ethtool, change the speed and duplex settings, and finally add a script in /etc/init.d to run at boot.

Install mii-tool and ethtool tools

If you are using Debian or Ubuntu Linux you can install both of these packages with the following command (mii-tool is part of net-tools):

# apt-get install ethtool net-tools

Task: Get speed and other information for eth0

Type the following command as root:
$ ethtool eth0
Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 32
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: pumbg
Wake-on: d
Current message level: 0x00000007 (7)
Link detected: yes

Or use the mii-tool command as follows:
$ mii-tool eth0
eth0: negotiated 100baseTx-FD flow-control, link ok

Change the speed and duplex settings

Set the eth0 speed with mii-tool
Disable autonegotiation and force the MII to 100baseTx-FD, 100baseTx-HD, 10baseT-FD, or 10baseT-HD. The -F option takes the media type, followed by the interface name:
$ sudo mii-tool -F 10baseT-HD eth0
$ sudo mii-tool -F 10baseT-FD eth0
$ sudo mii-tool -F 100baseTx-HD eth0
$ sudo mii-tool -F 100baseTx-FD eth0

Set the eth0 speed with ethtool (autoneg off keeps the forced setting from being renegotiated)
$ sudo ethtool -s eth0 speed 100 duplex full autoneg off
$ sudo ethtool -s eth0 speed 10 duplex half autoneg off

To make these settings permanent you need to create a script in the /etc/init.d/ directory and run update-rc.d to install it.

Install script to make changes permanent

$ vi /etc/init.d/100Mbs
or
$ sudo vi /etc/init.d/100Mbs

#!/bin/sh
# Force eth0 to 100 Mb/s full duplex at boot (autoneg off so the setting sticks)
ETHTOOL="/usr/sbin/ethtool"
DEV="eth0"
SPEED="100 duplex full autoneg off"
case "$1" in
start)
echo -n "Setting eth0 speed 100 duplex full...";
$ETHTOOL -s $DEV speed $SPEED;
echo " done.";;
stop)
;;
esac
exit 0

Save and close the file. Setup executable permission:
$ chmod +x /etc/init.d/100Mbs
or
$ sudo chmod +x /etc/init.d/100Mbs

Now run the script when Debian or Ubuntu Linux boots up. Use update-rc.d to install the System-V style init script links:
$ update-rc.d 100Mbs defaults
or
$ sudo update-rc.d 100Mbs defaults

Output:

Adding system startup for /etc/init.d/100Mbs …
/etc/rc0.d/K20100Mbs -> ../init.d/100Mbs
/etc/rc1.d/K20100Mbs -> ../init.d/100Mbs
/etc/rc6.d/K20100Mbs -> ../init.d/100Mbs
/etc/rc2.d/S20100Mbs -> ../init.d/100Mbs
/etc/rc3.d/S20100Mbs -> ../init.d/100Mbs
/etc/rc4.d/S20100Mbs -> ../init.d/100Mbs
/etc/rc5.d/S20100Mbs -> ../init.d/100Mbs

Reboot the system for the change to take effect, or just run the script by name:
$ /etc/init.d/100Mbs start
or
$ sudo /etc/init.d/100Mbs start

Read man page of mii-tool and ethtool for more information.


Sending an email via telnet

I like to test all my new mail servers with telnet, making sure they are not open relays and that the amavis and clamav processes are working correctly. After I send a message I just check the logs.

$ telnet 192.168.0.4 25
RESPONSE 220 192.168.0.4 is a mail server
helo wantlinux.net
RESPONSE 250 mail.example.com
mail from:<webmaster@wantlinux.net>
RESPONSE 250 2.1.0 Ok
rcpt to:<webmaster@example.com>
RESPONSE 250 2.1.5 Ok
data
RESPONSE 354 End data with <CR><LF>.<CR><LF>
Hello webmaster@example.com. How are you?
sincerely,
webmaster@wantlinux.net
.
RESPONSE 250 2.0.0 Ok: queued as ##########
quit

I thought it was hard to remember all that, but once you use it a few times you will not be looking this information up anymore. I telnet to email servers all the time for testing purposes and have never had an issue. If you use Windows, just open a command prompt and try the commands. If it doesn't work, download an Ubuntu or other Linux image and install it. As always, leave a comment if you have questions.
