1. Set up a Dial-in Server using Redhat Linux.
2. Configuring Apache for Server Side Includes. 
3. Configure ipchains, firewall.
4. LDAP in Solaris 2.6
5. Sendmail Configuration
6. Configuring XDMCP
7. Root Raid1
8. OpenBSD console install floppy

I have never really tried to set up a dial-in server using internal modem, so follow at your own risk. This has worked for me and still works for me beautifully.

Step 1:  Install mgetty if you haven't done that already. If you have the RedHat cdrom or an iso image, use those, if not get it from here.

1. After installing it using rpm or compiling the binary edit /etc/mgetty+sendfax/mgetty.config file, and add the following three lines for each serial port that you plan on using for dialing in. In my case I am configuring port ttyS0 for dialing in purposes.

# for your modem
port ttyS0
init-chat "" ATZ  OK  AT&F1MOE1Q0S0=0  OK
ANSWER-CHAT ""  ATA  CONNECT \C \R

The above lines are most probably already in the config file, just make sure that they are not commented out. The above lines are generic and should work for any modem.

2. Edit /etc/mgetty+sendfax/login.config file. Search for the line that starts with AutoPPP and make sure that it is not commented and change it according to the your specifications.

If you want user's to have a predefined login name then it should be
 

/AutoPPP/

-

a_ppp

/etc/ppp/ppplogin

and if you want to use users login name as mentioned in /etc/passwd then it should be
 

/AutoPPP/

-

-

/etc/ppp/ppplogin

3. In /etc/inittab file, add the following lines after 6:2345:respawn:/sbin/mingetty tty6 for each modem port that you configure your mgetty.conf file. In my case I added the following line:

7:2345:respawn:/sbin/mgetty -x 3 ttyS0

4. Connect the modem to the serial ports, and then initialize mgetty with "init q" command. Just make sure that your modem is turned ON before you enter the init command or you will get a lot of error in your /var filesystem. I know because I did that and my 100Mb /var filesystem was soon out of space because of that. Another thing that you can do to avoid this is to make sure that you have commented out any ports that you are not using in /etc/inittab and in /etc/mgetty+sendfax/mgetty.config files.

Step 2:  Install PPP

1. Install PPP, again either from the cdrom or the iso image that you have. If you don't have either of them, download it from any of the RedHat mirrors.

2.  Edit /etc/ppp/options file to be something like the following. If the file does not exist create it.

-detach
crtscts
netmask 255.255.255.192
asyncmap 0
modem
proxyarp

Use appropriate netmask for your network.

3. Now edit /etc/ppp/ppplogin file, again, if it does not exist create it.

#!/bin/sh
mesg n
stty -echo
/usr/sbin/pppd silent auth -chap +pap login

Save it and make the file executable.

We are going to be using pap authentication but will be using the /etc/passwd file.

4. For each serial port that is going to be used, create a corresponding file. ie /etc/ppp/options.ttyXX file.
In my case this file would be /etc/ppp/options.ttyS0 In each such file put the following line:

acesrwild:ppp_user

where acesrwild is the hostname of your dial-in server and ppp_user is some name that you have invented for the virtual host that will be dialing in. This virtual host will be added to the /etc/hosts file along with its ipaddress. Just make sure that you are not using the same virtual hosts more than once for the same serial port.

5. Edit /etc/ppp/pap-secrets file and add a line for each user that will be dialing-in. Since I am doing this at my own network, I can assign Class A ipaddresses. If you don't plan on using Class A ipaddresses then you need to have some free ipaddresses and permission for their use. The file is made up of client, server, secret and IP addresses format. This file is used to restrict who can dial in and from where.

In my case I have the following entries:
 

#client	server	secret	IP
foulplay	*	""	10.0.0.45
vegan	*	""	10.0.0.47

Or if you want you can have it so that anybody can dial-in and get authenticated using the passwd file from anywhere and will serve you no matter what IP address you come from.

In this case the above file would look like:
 

#client	server	secret	IP
*	*	""	*

6. Set setuid to root for /usr/sbin/pppd program by
#chmod u+s /usr/sbin/pppd

7. Edit /etc/hosts file to include the ip addresses assigned to your PPP hostnames that you created. Use the ip addresses that you assigned above.

10.0.0.45            ppp_user
10.0.0.47            ppp_user2

Step 3: User configuration
Add users to your /etc/passwd that you wish by using the following command:

#useradd foulplay

If you want foulplay to have both "ppp" and "shell" account give them "/home/foulplay" home directory, and "/usr/bin/bash" as their shell. If you want them to have only ppp access then change shell to be "/etc/ppp/ppplogin".

That's it.

If you are into web design or support a web server of your own, I strongly suggest enabling it, and here's the how.

Use these steps if you want to use SSI globally.

1. Edit your srm.conf file located either at /etc/httpd/conf/ or at /usr/local/apache/conf/ depending on how you installed Apache. In the newer versions of Apache (>=1.3.6 I believe) all the configurations are done via a single file called httpd.conf again located in either of the above two locations.

If you are using srm.conf or httpd.conf, search and uncomment the following two lines:

AddType test/html .shtml
AddHandler server-parsed .shtml

2. Now edit access.conf file. Again if you have installed a newer version of Apache, you will need to edit httpd.conf file only. Search for Document Root and modify the OPTIONS line to be as follows:

Options Indexes FollowSymLinks Includes

3. Again either in your srm.conf or httpd.conf search for DirectoryIndex and make it look like:

DirectoryIndex index.html index.shtml index.php3
 

Use these steps to configure only a particular directory for SSI.

Create a file called .htaccess in the chosen directory and add the following lines:

AddType test/html .shtml
AddHandler server-parsed .shtml
Options Indexes FollowSymLinks Includes

Now restart Apache either by /etc/rc.d/init.d/httpd restart or /usr/local/apache/bin/apachectl restart.

That's it, you have enabled SSI in Apache. Enjoy.

Step 1: Installing required files ie: ipchains, ipmasqdm (for port forwarding), identd (for irc) and kernel configure for ip forwarding. Install ipchains using your cdrom, iso image or downloading off the various internet sites. One good place would be off a RedHat mirror. You can get ipmasqadm from here. Follow the directions to install it by doing a "make install" as root. Then if you plan on using irc you will also need a identd server.

Step 2: Configuring ipchains
Ipchains is a firewall administration program much like the ipfwadm back couple of years ago. Its basically used to administer the traffic that will be allowed through the firewall. Its also a great program for masquerade a bunch of computers as a single IP address on the internet.

I would suggest creating a file that will be called during bootup process that would setup your ipchains rule during the computer boot-up process. Create a file called firewall or anything that you want and save it at /etc/rc.d/init.d with the following lines:

#!/bin/sh
ipchains -A forward -j MASQ -s 0.0.0.0/0 -d 0.0.0.0/0

Save it and make it executable.

In the above line of command we are creating a rule called "forward" which would also "masquerade" and allow traffic to and from any network. "-s" would allow any source ip addresses to get to the internet and "-d" would allow it to get to any destination addresses.

If you are paranoid about security you can set it up to be more restricted by changing the 0's to your network ie 10.0.0.0/255.0.0.0

Now that you have this file, create a link in /etc/rc.d/rc3.d to the above newly created file. You could also add the ipchains line to rc.local file, but by saving it in a separate file would allow you to restart ipchains with newer rules whenever you want without disturbing the rest of the system.

#ln -s ../init.d/firewall S92firewall

You have configured your firewall for masquerading and now the rest of your network can get on the internet through your firewall/router.

Step 3: Configuring ipmasqadm
If you plan to have a web, ftp, email, and other servers that you want the public to access you will need this program. It is a transparent port forwarding program that can forward any incoming requests on a particular port to any other computer on the same or different port.

To install this, though you need to install your kernel source. It needs the source. Once you have the kernel source, untar the file and then do "make install" in the corresponding directory. 'make install' will create a file called ipmasqadm under /usr/sbin. Make sure that this file exists.

Now go back to /etc/rc.d/init.d and create another file called ports or something like that to start the 'port forwarding' process during boot-up. Add the following lines to this file:

#!/bin/sh
CURRENTIP=`/sbin/ifconfig eth0 | grep inet | cut -c 21-33 | cut -f 1 -d P`
/usr/sbin/ipmasqadm portfw -f
/usr/sbin/ipmasqadm portfw -a -P tcp -L $CURRENTIP 80 -R 10.0.1.2 80
/usr/sbin/ipmasqadm portfw -a -P tcp -L $CURRENTIP 21 -R 10.0.1.2 21

Save it and make it executable.

I am assigned a dynamic ipaddress through my ISP so I get my "CURRENTIP". If you are not assigned a dynamic IP, then you don't need to add that line. If you do have a static IP address then remove the "CURRENTIP" line and replace all instances of $CURRENTIP with your static IP.

The next line flushes any old portforwarding rules that might be still lingering around.

In the following two lines you are actually creating the two rules of forwarding any incoming traffics on ports 80 and 21 to the computer with IP address of 10.0.1.2 on its respective ports.

The rule is as follows. Using the ipmasqadm program I am setting up a portforwarding rule to allow any connections using the tcp protocol from my $CURRENTIP and redirect it to an IP address inside my computer on the same port.

If you want to add your email port to the list follow the same syntax:
/usr/sbin/ipmasqadm portfw -a -P tcp -L <your external IP> 110 -R <your internal IP> 110

Now check if the rules are in place by:

#/usr/sbin/ipmasqadm portfw -l (lower case L)

The above command will show you all the rules that are in place.

If you wish to remove a particular rule, replace the "-a" with "-d" and leave the rest of the line the way it is.

That's it for port forwarding.

Step 4: Configuring identd
Installing identd is the simplest of all. There are no searching the internet for relevant documents required. Just follow the instructions to the point as mentioned in the install file. Once you have done as mentioned in the install file you will need to do just one more thing before you can fire up your irc client. For some reason this affects only Linux machines and not windows. My guess is because the built in identd server in Micro$oft based clients, namely mirc.

While editing your /etc/inetd.conf file make sure that you add the "-r" option along with -i and -y.
This is what mine looks like:

auth    stream  tcp     nowait  root    /usr/local/sbin/ident2  ident2 -i -r -y .ident

Told you this was the easiest.

Now you have a working firewall and a router. Just leave it on and forget about it. From my experience I would suggest rebooting the machine every three months or so. This not because of Linux needs it, but it just to clean up and to keep it running smoothly, especially if you site gets a high number of hits.  Just think of it like changing oil in your car.

My setup involves Solaris 2.6 on a Sparcstation 4 with 75Mb of RAM. I am using Netscapes LDAP server version 4.0. I would suggest using the Netscape document located on their site. Just because they have done a wonderful job of writing the document. And also because I don't think by writing something of my own is going to come close to the Netscape's and also I am not sure it would serve a lot of people, if any at all.

By default sendmail will not cater for any other domains other than itself. By removing the filter you are inviting the public to use your email server to send their emails to others. And you don't want to do that, especially of people plan to use to crack into your site or if they plan to send out spam email.

The main configuration file is called sendmail.cf and is usually located in /etc. Just go through it and use your commonsense and don't forget to read the comments within the file.

In this file just make sure that the following line is not commented out.

Kaccess hash -o /etc/mail/access

Now open /etc/mail/access and edit it to include domains or IP addresses for whom sendmail should relay the emails, and for whom it should not. The syntax of this file is:

domain or ip address                rule

In my case it will look something like this:
 

foulplay.org	RELAY
left.foulplay.org	RELAY
right.foulplay.org	RELAY

If you do not have too many machines or if you want only a few of the machines of the network to be allowed to relay then edit the file to look like:
 

127.0.0.1	RELAY
10.0.0.1	RELAY
10.0.0.3	RELAY
10.0.1.4	RELAY

If you feel uncomfortable for whatever reason, there is an excellent program called webadmin with which you will be able to configure sendmail and server via your browser.

Become root and open /etc/X11/xdm/xdm-config in your favourite editor. Comment out the line containing DisplayManager.requestPort: 0 by putting a "!" in front of it.

Now edit /etc/X11/gdm/gdm.conf and under "[xdmcp]" and "[debug]" change Enable from "0" to "1".

If you are using kde then you need to edit /usr/share/config/kdm/kdmrc. Under the [Xdmcp] heading change to and/or uncomment Enable = true and Port = 177.

Finally boot into init level 5 and you are all set.

Step 2: You know the drive that will be used as the secondory, lets label it as /dev/hdg. For the sake of performance on ide systems, it is sugessted to have one drive on one channel. One drive per channel is the rule. Format your drive to replicate the partitions on your primary drive, lets label the primary as /dev/hda. I suggest using sectors to partition it rather than the default cylinders.

Here's an output of my partitions. NOTICE that my boot device (/dev/hda1 and /dev/hdg1) are of type fd. You need this if your /boot is not on a separate partition.

Step 4: In this step you will actually create the md device. Create the device by executing mkraid -f /dev/md2. Executing it will prompt you to pass option --really-force. I would suggest reading the warning as an FYI.

This command will create a degraded raid1. As this is only a device entry, nothing is actually being written to either of the two devices.

Step 5: Create a filesystem on the newly created /dev/md2. Since, your root device is not part of the raid yet, your data is still safe. The primary disk is unused as its marked as a failed-disk. Run mkfs.ext2 /dev/md2 to format your raid1 device.

Step 6: Now we mount /dev/md2 as /altroot (or any other mount point of your choice). Just make sure you mount it from / and not from within a folder.

Step 7: Before we copy our data across we need to edit our lilo.conf and make it point to the new raid device. The two lines that need to change are highlighted.

Step 8: Here we phsycally copy data from primary to secondary device. Do NOT use dd. Using dd will screw up your raid device causing you to run fsck on each and every boot sequence. Here's the command to use cpio. find . -xdev | cpio -pm /altroot

Step 9: Edit your /etc/fstab to reflect your new raid devices. Reboot the system to boot into using your secondary device. In this case /dev/hdg. After a succussful reboot add the old primary drive to the raid. Edit /etc/raidtab and remove the failed-disk line. Then use the raidhotadd tool to enable the drive.

Syntax to do this is raidhotadd /dev/md2 /dev/hda7.

You can check the process by doing a cat /proc/mdstat. You should see something like this.

Thats it. You can go and get some sleep now. Hope this was helpful to you. If you have any questions email me.