The Perfect Setup - Debian Woody (3.0) - Page 4

2 Installing and Configuring the Rest of the System

Configure additional IP Addresses

If you have more than one IP address you can add your additional IP addresses by editing /etc/network/interfaces. It will look similar to this:

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

If you want to add the IP address 192.168.0.101 to the interface eth0 you should change the file to look like this:

# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth0
iface eth0 inet static
address 192.168.0.100
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

auto eth0:0
iface eth0:0 inet static
address 192.168.0.101
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

Then restart your network:

/etc/init.d/networking restart


Setting the Hostname

echo server1.example.com > /etc/hostname
/bin/hostname -F /etc/hostname


Install/Remove some Software

Add

deb http://backports.debian.skynet.be woody cyrus-sasl2

to /etc/apt/sources.list and run

apt-get update
apt-get install wget bzip2 rdate fetchmail libdb3++-dev unzip zip ncftp xlispstat libarchive-zip-perl zlib1g-dev libpopt-dev nmap openssl (1 line!)
apt-get remove lpr nfs-common portmap pidentd pcmcia-cs pppoe pppoeconf ppp pppconfig

update-rc.d -f exim remove
update-inetd --remove daytime
update-inetd --remove telnet
update-inetd --remove time
update-inetd --remove finger
update-inetd --remove talk
update-inetd --remove ntalk
update-inetd --remove ftp
update-inetd --remove discard
<- Yes [y]

/etc/init.d/inetd reload


Quota

apt-get install quota quotatool

Edit /etc/fstab to look like this (I added ,usrquota,grpquota to partition /dev/hda6):

# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda1 /boot ext3 errors=remount-ro 0 1
/dev/hda5 none swap sw 0 0
proc /proc proc defaults 0 0
/dev/fd0 /floppy auto user,noauto 0 0
/dev/cdrom /cdrom iso9660 ro,user,noauto 0 0
/dev/hda6 / ext3 defaults,usrquota,grpquota 0 2

Then run:

touch /quota.user /quota.group
chmod 600 /quota.*
mount -o remount /
quotacheck -avugm

quotaon -avug


DNS-Server

apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the startup script /etc/init.d/bind9 so that the daemon will run as the unprivileged user 'nobody', chrooted to /var/lib/named. Modify the line: OPTS="" so that it reads OPTS="-u nobody -t /var/lib/named":

#!/bin/sh

PATH=/sbin:/bin:/usr/sbin:/usr/bin

# for a chrooted server: "-u nobody -t /var/lib/named"
OPTS="-u nobody -t /var/lib/named"

test -x /usr/sbin/named || exit 0

case "$1" in
start)
echo -n "Starting domain name service: named"
start-stop-daemon --start --quiet \
--pidfile /var/run/named.pid --exec /usr/sbin/named -- $OPTS
echo "."
;;

stop)
echo -n "Stopping domain name service: named"
/usr/sbin/rndc stop
echo "."
;;

reload)
/usr/sbin/rndc reload
;;

restart|force-reload)
$0 stop
sleep 2
$0 start
;;

*)
echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
exit 1
;;
esac

exit 0

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir /var/lib/named/var/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R nobody:nogroup /var/lib/named/var/*
chown -R nobody:nogroup /var/lib/named/etc/bind

We need to modify the startup script /etc/init.d/sysklogd of sysklogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log":

#! /bin/sh
# /etc/init.d/sysklogd: start the system log daemon.

PATH=/bin:/usr/bin:/sbin:/usr/sbin

pidfile=/var/run/syslogd.pid
binpath=/sbin/syslogd

test -x $binpath || exit 0

# Options for start/restart the daemons
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"

create_xconsole()
{
if [ ! -e /dev/xconsole ]; then
mknod -m 640 /dev/xconsole p
else
chmod 0640 /dev/xconsole
fi
chown root.adm /dev/xconsole
}

running()
{
# No pidfile, probably no daemon present
#
if [ ! -f $pidfile ]
then
return 1
fi

pid=`cat $pidfile`

# No pid, probably no daemon present
#
if [ -z "$pid" ]
then
return 1
fi

cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -1`

# No syslogd?
#
if [ "$cmd" != "$binpath" ]
then
return 1
fi

return 0
}

case "$1" in
start)
echo -n "Starting system log daemon: syslogd"
create_xconsole
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
echo "."
;;
stop)
echo -n "Stopping system log daemon: syslogd"
start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
echo "."
;;
reload|force-reload)
start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
;;
restart)
echo -n "Stopping system log daemon: syslogd"
start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
echo "."
sleep 1
echo -n "Starting system log daemon: syslogd"
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
echo "."
;;
reload-or-restart)
if running
then
start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
else
start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
fi
;;
*)
echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
exit 1
esac

exit 0

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for any errors:

/etc/init.d/bind9 start

Share this page:

6 Comment(s)

Add comment

Comments

From: tado at: 2005-04-07 10:33:50

Hi,

are there any advantages using maildir and not mailbox format?

Thanks, Tado

From: at: 2005-04-08 09:22:21

Yes, Maildir stores each email in a separate file whereas mbox uses on big file to store all messages. That means if an email is corrupted you lose all your mails if you use mbox.

And if you use mbox each time a user fetches his mails over POP3, the whole mbox is copied to another file from which the mails are retrieved. This means that if a user has a quota limit, this limit has to be at least twive the size of his mbox file. This does not happen if you use Maildir because then no files are copied.

Thomas

From: Anonymous at: 2006-01-24 04:28:24

apt-cache search mb2md

From: Anonymous at: 2006-03-22 23:22:50

If you get:


couldn't open pid file '/var/run/bind/run/named.pid': No such file or directory


then you might try something like:


chown -R nobody:nogroup /var/run/bind


From: Anonymous at: 2006-03-22 23:29:43

My version of /etc/mysql/my.cnf seems to read like this:


# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1


The article should probably be updated accordingly. I am ignoring the entry and continuing with the article.

From: dan at: 2009-05-30 17:30:53

That would almost certainly be the more practical approach, though at 7 CDs I wouldn't be keen to do it, and I'm a notorious Debian pusher. Of course I'm also pretty lazy... There's rather a gap between fetching packages over the wire (works great if you have the bandwidth for it!) and getting the whole distro on CDs (or DVD - wasn't there an unoffical jigdo setup for Woody DVDs?).