четверг, августа 31, 2006

Nagios

поставил систему мониторинга серверов Nagios. http://nagios.org
весчь =) сижу счаааастливый =))))) теперь при падении одного из серверов или сервиса на сервере мне тут же приходит смс'ка =)

четверг, августа 24, 2006

Postfix, Cyrus, Mysql, Amavisd-new, Spamassassin

Установка Postfix под Trustix как почтовый сервак.
http://www.trustix.org/wiki/index.php/Postfix%2C_Cyrus%2C_Mysql%2C_Amavisd-new%2C_Spamassassin


Install following packages from Trustix distro and Community contrib:
amavisd-new
amavisd-new-config
apache
clamav
cyrus-imapd
cyrus-sasl
cyrus-sasl-plain
mysql
mysql-client
mysql-devel
mysql-libs
mysql-shared
openssl-devel
perl-mail-spamassassin
php
php-mysql
postfix
postfix-conf
postfix-mysql
spamassassin
squirrelmail
zlib-devel
pam_mysql (TSL 3.0 community or from http://sf.net/projects/pam-mysql/)

Make changes in /etc/pam.d/pop

#%PAM-1.0
# Both the auth and the account step are answered by pam_mysql against the
# cyrup_accounts table; where=enabled=1 keeps disabled accounts from logging in.
# crypt=4 selects one of pam_mysql's non-plaintext comparison modes (see its
# documentation for which); the plain-text variant later on this page uses
# crypt=0 on the same two lines.
# NOTE(review): the DB password is embedded in clear (passwd=pass) and files in
# /etc/pam.d are usually world-readable -- restrict the file mode and give the
# "postfix" DB account only the privileges it needs; confirm on the target host.
auth sufficient /lib/security/pam_mysql.so host=localhost user=postfix passwd=pass db=mail table=cyrup_accounts usercolumn=account passwdcolumn=password where=enabled=1 crypt=4 sqlLog=0
account required /lib/security/pam_mysql.so host=localhost user=postfix passwd=pass db=mail table=cyrup_accounts usercolumn=account passwdcolumn=password where=enabled=1 crypt=4 sqlLog=0

Make soft links from /etc/pam.d/pop to /etc/pam.d/imap /etc/pam.d/postfix /etc/pam.d/sieve

Set up MySQL and add these lines to its config:
/etc/my.cnf

[mysqld]
# Listen on the local Unix socket only; the PAM and SASL lines on this page
# all use localhost, so nothing needs TCP access to MySQL.
skip-networking
# Postfix, PAM/saslauthd, Cyrus and the web interface each open their own
# connections, hence the raised limit.
max_connections = 300

Setup Cyrus and adjust following lines:
/etc/cyrus-imapd/cyrus.conf

# Mail is delivered to Cyrus over LMTP on a Unix socket; Postfix's
# virtual_transport on this page points at the same path (/var/run/lmtp).
# prefork=0: no idle lmtpd processes are started ahead of demand.
lmtpunix cmd="lmtpd" listen="/var/run/lmtp" prefork=0
/etc/cyrus-imapd/imapd.conf

# server conf
# File-creation mask for everything Cyrus writes (spool, sieve scripts).
umask: 077
autocreatequota: 0
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
singleinstancestore: yes
sieve_maxscriptsize: 64
sieve_maxscripts: 5
# NOTE(review): lmtp_over_quota_perm_failure, virtdomains and defaultdomain
# below carry a comment after the value; Cyrus' config parser may not strip
# it -- confirm, or move those comments onto their own lines.
lmtp_over_quota_perm_failure: 1 # 550 on quota overrun if run over LMTP
# user conf
virtdomains: userid # for accounts like user@domai.tld
defaultdomain: domain.tld # for accounts like user@domai.tld
servername: host.domain.tld
postmaster: postmaster
# Administrative user (cyradm); mailboxes are created/deleted as this user.
admins: cyrus
# directory and file locations
configdirectory: /var/spool/cyrus-imap
partition-default: /var/spool/cyrus-imap
sievedir: /var/spool/cyrus-imap/sieve
sendmail: /usr/sbin/sendmail
# authentication
allowanonymouslogin: no
# NOTE(review): allowplaintext: yes together with sasl_minimum_layer: 0 permits
# PLAIN logins on an unencrypted connection. Postfix on this page forces TLS
# before AUTH (smtpd_tls_auth_only = yes); Cyrus here does not -- confirm that
# is intended for IMAP/POP clients.
allowplaintext: yes
sasl_mech_list: plain
sasl_minimum_layer: 0
# Passwords are checked by saslauthd -> PAM -> pam_mysql (see /etc/pam.d/pop).
sasl_pwcheck_method: saslauthd
# Presumably a placeholder: only the sql auxprop plugin reads this.
sasl_sql_select: dummy
# One PEM file serves as CA, certificate and key.
# NOTE(review): tls_ca_file is normally the CA bundle used to verify client
# certificates; pointing it at the server's own PEM only matters if client
# certificates are ever required -- verify.
tls_ca_file: /etc/ssl/certs/imap.pem
tls_cert_file: /etc/ssl/certs/imap.pem
tls_key_file: /etc/ssl/certs/imap.pem

Download and set up Cyrup from http://cyrup.sf.net as the web interface
copy scripts/mysql-* from cyrup to /etc/postfix/

Setup Postfix and adjust following lines:
/etc/sasl/postfix.conf

# use the sasl authentication daemon, for e.g. pam
# Authentication is delegated to saslauthd (configured on this page with
# SASL_AUTHMECH=pam), so only mechanisms that hand over the clear password
# (plain, login) can be offered. They are acceptable only because main.cf sets
# smtpd_tls_auth_only = yes, i.e. AUTH is announced after STARTTLS only.
pwcheck_method: saslauthd
mech_list: plain login
# Presumably a placeholder: only the sql auxprop plugin reads this value.
sql_select: dummy

Create directory for local accounts (from /etc/passwd)

mkdir /var/mail/
/etc/postfix/master.cf

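# master.cf: continuation lines (-o ...) must start with whitespace; in the
# listing as it was shown they sat at column 0, which master.cf would read as
# new (broken) service entries.
#
# Public SMTP listener (port 25). Address rewriting is held back until the
# mail returns from the content filter (no_address_mappings), so it is done
# once, on the re-injection path below.
smtp      inet  n       -       n       -       -       smtpd
  -o receive_override_options=no_address_mappings
# Re-injection listener for amavisd ($forward_method = smtp:[127.0.0.1]:10025
# in amavisd.conf on this page). Bound to localhost; the restrictions are
# emptied because the mail already passed them on port 25, and the filter is
# switched off (content_filter=) so scanned mail is not sent round again.
# Only 127.0.0.0/8 may submit here (mynetworks + permit_mynetworks,reject).
localhost:10025 inet n  -       n       -       -       smtpd
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

# Transport named by content_filter in main.cf: Postfix speaks LMTP to amavisd
# on 127.0.0.1:10024 (amavisd must accept LMTP there -- confirm) and forwards
# the original client via XFORWARD, which the 10025 listener above accepts.
# maxproc 2 caps parallel scans; keep it in step with amavisd's $max_servers.
smtp-amavis unix -      -       n       -       2       lmtp
  -o lmtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
  -o lmtp_send_xforward_command=yes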
/etc/postfix/main.cf

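# main.cf: continuation lines of a multi-value parameter must start with
# whitespace (restored below; the listing as shown had them at column 0).
myhostname = hostname.domain.tld
myorigin = $mydomain
inet_interfaces = all
# Only the host itself is a local destination; the real domains are
# presumably all virtual (virtual_mailbox_domains below) and go to Cyrus.
mydestination = $myhostname, localhost
# mynetworks is given explicitly, so mynetworks_style is not consulted.
mynetworks = $config_directory/mynetworks
mynetworks_style = host
relay_domains = $mydestination
mail_spool_directory = /var/mail
# Server-side TLS (incoming SMTP).
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
# Client-side TLS (outgoing SMTP). This line used to repeat
# smtpd_tls_cert_file, which left $smtp_tls_cert_file on the next line
# undefined.
smtp_tls_cert_file = /etc/ssl/certs/smtpd.pem
smtp_tls_key_file = $smtp_tls_cert_file
smtp_use_tls = yes
# NOTE(review): smtpd_use_tls/smtp_use_tls are the older switches; on Postfix
# 2.3 and later smtpd_tls_security_level / smtp_tls_security_level are the
# documented form -- check the installed version.
message_size_limit = 10000000
# No address probing via VRFY, and no sessions without HELO.
disable_vrfy_command = yes
smtpd_client_restrictions =
smtpd_helo_required = yes
mail_name = mailer
smtpd_banner = $myhostname ESMTP $mail_name
show_user_unknown_table_name = no
unknown_local_recipient_reject_code = 550
# Recipient-time policy, evaluated top to bottom: syntax checks first, then
# our own clients (mynetworks / SASL) are permitted, then everything else must
# be addressed to a domain we accept (reject_unauth_destination) and must not
# be listed on a DNSBL.
# NOTE(review): several of these DNSBLs have been retired since this was
# written; a retired list that answers positively for every query would reject
# all inbound mail, so verify each one is still operational.
smtpd_recipient_restrictions = reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_non_fqdn_sender,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    reject_rbl_client zombie.dnsbl.sorbs.net,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    hash:/etc/postfix/access
smtpd_sender_restrictions = hash:/etc/postfix/access,
    reject_unlisted_sender,
    reject_unknown_sender_domain
# Virtual domains/accounts live in MySQL (Cyrup's tables, via the mysql-*.cf
# files copied from Cyrup); delivery is LMTP over the socket cyrus.conf opens.
virtual_transport = lmtp:unix:/var/run/lmtp
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.cf
# NOTE(review): this names the same aliases file as virtual_alias_maps; a
# mailbox map was presumably intended -- verify against Cyrup's scripts/mysql-*.
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-aliases.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-aliases.cf,
    mysql:/etc/postfix/mysql-virtual-maillists.cf,
    mysql:/etc/postfix/mysql-virtual-default_rcpt.cf,
    $alias_maps
virtual_alias_recursion_limit = 100
alias_maps = hash:/etc/postfix/aliases
local_recipient_maps = unix:passwd.byname, $alias_maps
# SMTP AUTH via Cyrus SASL (/etc/sasl/postfix.conf): anonymous is refused and
# AUTH is only announced after STARTTLS, so the plain/login credentials do not
# cross the wire in clear.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
# Hand every message to amavisd; it re-injects on localhost:10025 (master.cf).
content_filter=smtp-amavis:[127.0.0.1]:10024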

Setup amavisd-new and adjust following lines:
/etc/amavisd.conf

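# /etc/amavisd.conf is Perl: every statement must end in ';'. Two statements
# in the original listing did not (fixed below).
$myproduct_name = "virus/spam checker";
$mydomain = 'domain.tld';
# After scanning, hand mail back to Postfix's localhost:10025 re-injection
# listener (see master.cf on this page).
$forward_method = 'smtp:[127.0.0.1]:10025';
# read_hash() is provided by amavisd itself.
@local_domains_maps = ( read_hash("/etc/postfix/local.domains") );
$insert_received_line = 0;   # was missing its ';' -- a syntax error
@mynetworks = qw( 127.0.0.0/8 ::1 ); # Add Your local network IPs here
$log_level = 0;
# Infected mail is dropped outright (D_DISCARD is an amavisd constant).
$final_virus_destiny = D_DISCARD;
# NOTE(review): sender notifications go to the envelope sender, which is
# usually forged for virus/spam mail -- they produce backscatter; consider 0.
$warnvirussender = 1;
$warnspamsender = 1;
$warnbannedsender = 1;
$warnbadhsender = 1;
$virus_admin = 'admin@domain.tld';
$spam_admin = 'admin@domain.tld';
# Quarantine destinations; names without '@' are handled by amavisd's local
# quarantine (presumably files under its quarantine directory -- confirm).
$virus_quarantine_to = 'virus-quarantine';
$banned_quarantine_to = 'banned-quarantine';
$bad_header_quarantine_to = 'bad-header-quarantine';
$spam_quarantine_to = 'spam-quarantine';
$sa_spam_subject_tag = '[SPAM] ';
# Archive extensions are explicitly *not* banned (=> 0).
# NOTE(review): the original ended this statement in ',' (a comma operator,
# so it only worked by accident) and assigns a plain array ref; the stock
# amavisd.conf builds $banned_filename_re with new_RE(...) -- confirm against
# the installed amavisd version.
$banned_filename_re =
  [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ];
$sa_spam_level_char = '*';
# SpamAssassin score thresholds (per amavisd's documentation): add X-Spam
# headers from 1.0, tag the subject from 3.0, treat as spam from 6.31, and
# send no DSN for anything scoring 8.0 or more.
$sa_tag_level_deflt = 1.0;
$sa_tag2_level_deflt = 3.0;
$sa_kill_level_deflt = 6.31;
$sa_dsn_cutoff_level = 8.0;
$first_infected_stops_scan = 1;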
/etc/spamassassin/local.cf

# DNSBL checks are already done by Postfix at SMTP time (see
# smtpd_recipient_restrictions on this page), so SpamAssassin skips its own.
skip_rbl_checks 1
use_bayes 1
# NOTE(review): SpamAssassin 3.x names this option bayes_auto_learn; under the
# old name the line may be ignored on such versions (spamassassin --lint will
# tell) -- confirm.
auto_learn 1

Create certificates and put them in /etc/ssl/certs/imap.pem and /etc/ssl/certs/smtpd.pem

Adjust system startup by running these commands

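# Enable the services at boot (the duplicate "chkconfig freshclam on" from the
# original listing is dropped; it was harmless but misleading).
chkconfig mysql on
chkconfig httpd on
chkconfig saslauthd on
chkconfig cyrus on
chkconfig freshclam on
chkconfig clamd on
chkconfig amavisd on
# NOTE(review): nothing on this page enables postfix at boot; check whether the
# postfix package does so itself, otherwise "chkconfig postfix on" is missing.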

Setup and configure apache web server

Adjust apache to run with SSL
/etc/sysconfig/httpd

# Start httpd with the SSL define (presumably enabling the <IfDefine SSL>
# sections of the Trustix apache config). The web interface handles mailbox
# passwords (Cyrup, squirrelmail), so it should not be served in clear.
HTTPDARGS=" -DSSL"

Adjust PHP to support MySql
/etc/httpd/php.ini:

; Load the MySQL client extension that Cyrup's web interface needs to reach
; the mail database.
extension=mysql.so

Adjust saslauthd
/etc/sysconfig/saslauthd

# saslauthd checks passwords through PAM, i.e. the pam_mysql stack in
# /etc/pam.d/{pop,imap,postfix,sieve} from this page.
SASL_AUTHMECH=pam
# -r passes user@realm as the login name (needed for the user@domain.tld
# accounts, virtdomains: userid in imapd.conf); -n 0 selects the worker
# process model -- see saslauthd(8) on the installed version for both.
SASLAUTHD_OPTS=" -n 0 -r "

Adjust sysctl:
/etc/sysctl.conf

# Allowed local port range
# Ephemeral ports for outbound TCP; every message makes several loopback
# connections here (Postfix -> amavisd:10024 -> Postfix:10025).
# NOTE(review): 32768-61000 is the usual kernel default, so this line likely
# changes nothing -- verify with: sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768 61000

Add to root's crontab this line:

# System-crontab format (the sixth field "root" is the user to run as): this
# line belongs in /etc/crontab or /etc/cron.d/, not in "crontab -e" for root,
# where "root" would be taken as the command to execute.
# Expires quarantined mail not touched for 960 hours (tmpwatch's default unit;
# about 40 days) so the quarantine does not grow without bound.
02 1 * * * root /usr/sbin/tmpwatch --nodirs 960 /var/spool/amavis/virusmails/

Download and install avelsieve plugin from http://www.squirrelmail.org/

If plain-text passwords are to be used, the following changes are needed:

Packages to be additionally installed:

cyrus-sasl-sql
cyrus-sasl-md5

Saslauthd isn't needed anymore

Comment out "smtpd_tls_auth_only = yes" in /etc/postfix/main.cf
cyrup/includes/config.inc.php

// Cyrup stores account passwords unhashed (0). The crypt=0 pam_mysql lines
// and the CRAM-MD5/DIGEST-MD5 mechanisms on this page rely on that, and it
// means anyone who can read the mail DB can read every password.
define( "PASSWORD_CRYPT", 0 );
/etc/pam.d/pop

#%PAM-1.0
# Same stack as the hashed variant earlier on this page, but crypt=0 compares
# against the password column as stored, i.e. in plain text.
# NOTE(review): the DB password (passwd=pass) is embedded in clear in a file
# that is usually world-readable -- restrict the file mode.
auth sufficient /lib/security/pam_mysql.so host=localhost user=postfix passwd=pass db=mail table=cyrup_accounts usercolumn=account passwdcolumn=password where=enabled=1 crypt=0 sqlLog=0
account required /lib/security/pam_mysql.so host=localhost user=postfix passwd=pass db=mail table=cyrup_accounts usercolumn=account passwdcolumn=password where=enabled=1 crypt=0 sqlLog=0
/etc/cyrus-imapd/imapd.conf

# Passwords are now read by the sql auxprop plugin (/usr/lib/sasl2/Cyrus.conf
# on this page) instead of being verified by saslauthd. The shared-secret
# mechanisms (CRAM-MD5, DIGEST-MD5) only work because the DB stores the
# password unhashed (PASSWORD_CRYPT 0 in Cyrup).
sasl_pwcheck_method: auxprop
sasl_mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

/etc/sasl/postfix.conf

# Postfix SMTP AUTH now looks the password up directly in MySQL through the
# sql auxprop plugin; saslauthd and its PAM stack are no longer involved.
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
# NOTE(review): the DB password sits in clear here and in three more files on
# this page; make sure each is readable by its daemon user only.
sql_user: postfix
sql_passwd: pass
sql_hostnames: localhost
sql_database: mail
# %u is expanded by the plugin to the login name; the plugin, not this
# statement, is responsible for quoting it -- worth verifying on the installed
# cyrus-sasl version. enabled = '1' mirrors where=enabled=1 of the PAM setup.
sql_statement: SELECT password FROM cyrup_accounts WHERE account = '%u' AND enabled = '1'
# No TLS to MySQL: the connection stays on the local host.
sql_usessl: no
/usr/lib/sasl2/smtpd.conf

# Same settings as /etc/sasl/postfix.conf on this page; which of the two
# files libsasl reads depends on how this Postfix build was configured, so
# keep them in step.
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
# NOTE(review): DB password in clear -- restrict the file mode.
sql_user: postfix
sql_passwd: pass
sql_hostnames: localhost
sql_database: mail
# %u is substituted by the sql plugin, which must also quote it -- verify on
# the installed cyrus-sasl version.
sql_statement: SELECT password FROM cyrup_accounts WHERE account = '%u' AND enabled = '1'
sql_usessl: no
/usr/lib/sasl2/Cyrus.conf

# Password lookup for Cyrus imapd; the pwcheck method itself is set in
# imapd.conf (sasl_pwcheck_method: auxprop), which is presumably why there is
# no pwcheck_method line here.
auxprop_plugin: sql
sql_engine: mysql
# NOTE(review): DB password in clear -- restrict the file mode.
sql_user: postfix
sql_passwd: pass
sql_hostnames: localhost
sql_database: mail
# %u is substituted by the sql plugin, which must also quote it -- verify on
# the installed cyrus-sasl version.
sql_statement: SELECT password FROM cyrup_accounts WHERE account = '%u' AND enabled = '1'
sql_usessl: no

This text is written by Deniss Gaplevsky (slim at msh.lv)

Unix/Linux

если выбирать между Unix и Linux в качестве сервера, то я выберу или
Freebsd(http://Freebsd.org), или trustix(http://www.trustix.net/)

Unix/Linux

если выбирать между Unix и Linux в качестве сервера, то я выберу или
Freebsd(http://Freebsd.org), или trustix(http://www.trustix.net/)

FreeBSD & portupgrade

FreeBSD & portupgrade

Установка
# cd /usr/ports/sysutils/portupgrade
# make install

Подготовка БД (длится долго)
# cd /usr/ports/
# portsdb -Uu

Проверка, что устарело:
# portversion -l "<"

Обновить все устаревшие (длительный на самом деле процесс):
# portupgrade -arR

Обновить только один порт:
# portupgrade -rR

Ремонт БД (иногда случается)
# pkgdb -fu

скрипт для получения информации о размере файлов для закачки

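#!/bin/sh
# getsize.sh - report the size of the files to be downloaded
#
# Usage: ./getsize.sh [sum] [file with links|URL ...]
#
# With the "sum" argument the total size is printed as well.
# The links file may contain direct links to files as well as masks of
# the form ftp://ftp.freebsd.org/pub/FreeBSD/tools/*
# (sizes of files in subdirectories are not counted).
# wget is required for masks, fetch(1) for direct links.
#
# Examples:
# ./getsize.sh sum http://some.com/some.file.tgz http://some2.com/file.xxx
# ./getsize.sh links.txt
#
if [ -z "$1" ]; then
    exit
fi
# "sum" is only recognised as the first argument.
WANT_SUM=0
if [ "$1" = "sum" ]; then
    WANT_SUM=1
    shift
fi
SUM=0
TMPFILE=`mktemp -q /tmp/getsize.XXXXXX` || exit 1
TMPFILE1=`mktemp -q /tmp/getsize.XXXXXX` || exit 1
# Temporary files are removed on any exit, not only on the normal path.
trap 'rm -f "${TMPFILE}" "${TMPFILE1}"' EXIT
# Either a file with links, or the links themselves on the command line; the
# latter are written to a temporary file so both cases are read the same way.
# printf's format is fixed: the old printf "$*" interpreted '%' in URLs.
IN=$1
case "${IN}" in
    *://*)
        IN="${TMPFILE}"
        printf '%s\n' "$@" > "${IN}"
        ;;
esac
# Links are whitespace separated, so the file may hold several per line.
for i in `cat "${IN}"`
do
    case "${i}" in
        *\**)
            # A mask: fetch the FTP directory listing. -R "*" rejects every
            # file and -nr keeps the .listing that wget writes.
            wget -nr -R "*" "${i}" > /dev/null 2>&1
            # Skip directory entries; column 9 is the name, column 5 the size
            # (assumes the usual "ls -l" style FTP listing -- TODO confirm).
            awk '!/^d/ && /-/ { print $9, $5 }' ./.listing > "${TMPFILE1}"
            prefix=`echo "${i}" | sed "s/\*//g"`
            while read -r name size
            do
                echo "${prefix}${name} ${size}"
                SUM=`expr "${SUM}" + "${size}"`
            done < "${TMPFILE1}"
            rm -f ./.listing
            ;;
        *)
            # A plain link: fetch -s prints the size without downloading.
            # An empty result used to break every later expr; skip it instead.
            s=`fetch -s "${i}"`
            if [ -z "${s}" ]; then
                echo "${i}: size unknown" >&2
                continue
            fi
            echo "${i} ${s}"
            SUM=`expr "${SUM}" + "${s}"`
            ;;
    esac
done
if [ "${WANT_SUM}" = "1" ]; then
    echo "Total ${SUM}"
fi
exit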

скрипт для завершения ssh-сессий

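#!/bin/sh
# logoff.sh - terminate all ssh sessions of a user
# Usage: ./logoff.sh username
# Without an argument the old "ps -U $1" form listed nothing useful and
# "kill -9" with no pids printed its usage; refuse that case explicitly.
if [ -z "$1" ]; then
    echo "usage: $0 username" >&2
    exit 1
fi
# pkill selects by real user id (-U) and process name, which replaces the
# ps | grep | grep -v grep | awk pipeline (and its self-match on "grep sshd").
pkill -9 -U "$1" sshd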

пара полезных скриптов

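#!/bin/sh
# portopts - list the names a port's Makefiles test with defined()
# Copy the script to /usr/local/bin, make it executable
# (chmod a+x portopts), then change into the port's directory and run
# "portopts".
#
# The port can also be given on the command line: portopts www/apache13
#
if [ -z "$1" ]; then
    P="."
else
    P="/usr/ports/$1"
fi
# A typo in the port name used to surface only as a "cat: No such file"
# error from the pipeline; check the directory up front instead.
if [ ! -d "${P}" ]; then
    echo "portopts: ${P}: no such directory" >&2
    exit 1
fi
# Pull every "defined(X)" / "!defined(X)" out of the Makefiles: drop the
# "(!" of the negated form so both spell the same name, keep what is between
# the parentheses, and print each name once.
grep -h "defined(" "${P}"/Makefile* | sed "s/(\!//g" | awk -F"(" '{print $2}' | awk -F")" '{print $1}' | sort -u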

Первая заметка

make fetch-recursive-list # view the dependencies that would be needed when fetching

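# Set the permissions of every directory below the current one.
# The explicit "." is required by BSD find; -print0/-0 keep names containing
# whitespace intact through xargs.
# NOTE(review): mode 444 clears the execute (search) bit, which makes the
# directories untraversable -- presumably 755 or 555 was intended; confirm.
find . -type d -print0 | xargs -0 chmod 444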