Daily Archives: 20 February 2012

How To Set Up A DHCP Server For Your LAN

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 09/20/2006

This tutorial describes how to set up a DHCP server (ISC-DHCP) for your local network. DHCP is short for “Dynamic Host Configuration Protocol”; it is a protocol that handles the assignment of IP addresses, subnet masks, default routers, and other IP parameters to client PCs that don’t have a static IP address. Such computers try to find a DHCP server in their local network, which in turn assigns them an IP address, gateway, etc. so that they can connect to the internet or to other computers on the local network.

In this short guide I will show how to set up a simple DHCP server (ISC-DHCP) on a Debian Sarge (3.1) system whose sole purpose is to assign IP addresses, a gateway, DNS servers, etc. to client computers from the local network that don’t have a static IP address. You can use such a DHCP server in your home network, your office, etc., for example if your router doesn’t come with a built-in DHCP server. If you set up such a DHCP server, please make sure you don’t already have another one in your LAN, as this might result in conflicts.

Of course, one can imagine much more complicated DHCP setups, but these are outside the scope of this document.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!


1 Preliminary Note

This is the current situation:

  • I’m using the network 192.168.0.0, subnet mask 255.255.255.0, broadcast address 192.168.0.255.
  • My gateway to the internet is 192.168.0.1; on the gateway there’s no DHCP server.
  • My ISP told me the DNS servers I can use are 145.253.2.75 and 193.174.32.18.
  • I have a pool of 30 IP addresses (192.168.0.200 - 192.168.0.229) that can be dynamically assigned to client PCs and that are not already in use.
  • I have an unused Debian Sarge server with the hostname server1.example.com on the IP address 192.168.0.100 which will act as my DHCP server.


2 Installing The DHCP Server

Now let’s install our DHCP server on our Debian Sarge system:

apt-get install dhcp3-server

You will be asked a few questions:

On what network interfaces should the DHCP server listen? <– eth0

Please configure the DHCP server as soon as the installation finishes. <– Ok

The version 3 DHCP server is now non-authoritative by default <– Ok

At the end of the installation you will see errors like these:

Generating /etc/default/dhcp3-server…
Starting DHCP server: dhcpd3 failed to start – check syslog for diagnostics.
invoke-rc.d: initscript dhcp3-server, action “start” failed.

That’s ok because we did not have the chance yet to configure our DHCP server.


3 Configuring The DHCP Server

Now we must configure our DHCP server. We must tell it from which IP range it should assign IP addresses to requesting clients, which gateway it should assign, which DNS servers, etc.

The configuration file for our DHCP server is /etc/dhcp3/dhcpd.conf. Currently it contains a sample configuration which we copy to /etc/dhcp3/dhcpd.conf_orig for future reference:

cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf_orig
cat /dev/null > /etc/dhcp3/dhcpd.conf

With the last command we have emptied /etc/dhcp3/dhcpd.conf so that we can place our own configuration in it which we do now:

vi /etc/dhcp3/dhcpd.conf

The file should look like this:

ddns-update-style none;

option domain-name-servers 145.253.2.75, 193.174.32.18;

default-lease-time 86400;
max-lease-time 604800;

authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.200 192.168.0.229;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.0.255;
        option routers 192.168.0.1;
}

I explain the configuration options here:

  • ddns-update-style: You can tell the DHCP server to update a DNS server if the IP address of a server in your LAN has changed (because it has been assigned a different IP by DHCP). As we do not run servers in our LAN or always give them static IP addresses (which is a good idea for servers…) we don’t want to update DNS records so we set this to none.
  • option domain-name-servers: This tells the DHCP server which DNS servers it should assign to a client. You can specify more than one DNS server here, separated by commas.
  • default-lease-time, max-lease-time: A client can tell the DHCP server for how long it would like to get an IP address. If it doesn’t do this, the server assigns an IP address for default-lease-time seconds; if it does, the server grants the requested time, but only up to max-lease-time seconds.
  • authoritative: If this is not set and a client requests an address that the server knows nothing about and that is incorrect for that network segment, the server will _not_ send a DHCPNAK (which tells the client it should stop using the address). We don’t want this, so we set authoritative.
  • subnet: The subnet to use.
  • netmask: The netmask to use.
  • range: Tells the DHCP server from which range it can assign IP addresses to clients. In our example it’s from 192.168.0.200 to 192.168.0.229 (30 IP addresses).
  • option broadcast-address: The broadcast address to use.
  • option routers: Tells the DHCP server the gateway address it should assign to requesting clients. In our case the gateway is 192.168.0.1.

If you are not sure about your personal network settings (network, netmask, broadcast address, etc.), visit www.subnetmask.info where you can calculate your settings.

You see, this is a very simple and basic configuration, but it’s enough to make our DHCP server functional. Now let’s start it:

/etc/init.d/dhcp3-server restart

Afterwards you can check the output of

ps aux

to see if DHCP is running. You should also see it in the output of

netstat -uap

which should resemble this one:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 *:bootps                *:*                                2185/dhcpd3
udp        0      0 *:868                   *:*                                1964/rpc.statd
udp        0      0 *:871                   *:*                                1964/rpc.statd
udp        0      0 *:sunrpc                *:*                                1553/portmap

You can see that DHCP is running on the bootps UDP port which translates to port 67 UDP (run

grep bootps /etc/services

and you will see that bootps means port 67).

Finally you can check /var/log/syslog if any errors occurred during the DHCP server start. To see the last 100 lines of /var/log/syslog, for example, run

tail -n 100 /var/log/syslog


4 How Can I See That My DHCP Server Is Working OK?

To see if your DHCP server is working as expected, boot another PC (Windows, Linux, Mac, …) in your LAN that doesn’t have a static IP address. Wait a few seconds; in /var/log/syslog on the DHCP server you should then see that the DHCP server assigns an IP address to your PC. For example, in this excerpt of /var/log/syslog, a client PC named matze has been assigned the IP address 192.168.0.229:

Sep 19 16:01:26 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 via eth0
Sep 19 16:01:26 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:27 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:27 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: Wrote 1 leases to leases file.
Sep 19 16:01:31 server1 dhcpd: DHCPREQUEST for 192.168.0.229 (192.168.0.100) from 00:0c:76:8b:c4:16 (matze) via eth0
Sep 19 16:01:31 server1 dhcpd: DHCPACK on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0

The DHCP server writes all current IP address “leases” to the file /var/lib/dhcp3/dhcpd.leases so you should also find the lease there:

vi /var/lib/dhcp3/dhcpd.leases

# All times in this file are in UTC (GMT), not your local timezone.   This is
# not a bug, so please don't ask about it.   There is no portable way to
# store leases in the local timezone, so please don't request this as a
# feature.   If this is inconvenient or confusing to you, we sincerely
# apologize.   Seriously, though - don't ask.
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-V3.0.1

lease 192.168.0.229 {
  starts 2 2006/09/19 14:01:31;
  ends 3 2006/09/20 14:01:31;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:76:8b:c4:16;
  uid "010014v\213\30426";
  client-hostname "matze";
}
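As an added example (not part of the original tutorial), here is a small Python audit of the two artefacts shown above, the dhcpd syslog exchange and the dhcpd.leases file: it parses both, reports the leases active in the 192.168.0.200-229 pool, flags active leases outside the configured range, and notes any DHCPACK in syslog that has no matching lease record. The sample lease file and syslog lines are constructed from the page’s excerpts plus two extra records to exercise the checks.

```python
"""Audit ISC dhcpd state for the setup configured above (added example, not
part of the original tutorial). Parses the dhcpd.leases format and the dhcpd
syslog lines shown on this page and reports: which addresses of the
192.168.0.200-192.168.0.229 pool are held and by which MAC/hostname, active
leases outside the pool, and DHCPACKs in syslog with no matching lease record
(a truncated or stale leases file, or another server answering).
Sample data is constructed from the page's excerpts."""
import ipaddress
import re
from datetime import datetime, timezone

POOL_START = ipaddress.IPv4Address("192.168.0.200")  # range from dhcpd.conf
POOL_END = ipaddress.IPv4Address("192.168.0.229")
NOW = datetime(2006, 9, 19, 15, 0, tzinfo=timezone.utc)  # shortly after the page's ACK (UTC)

# Constructed: the page's lease plus an active lease outside the pool that never ends.
SAMPLE_LEASES = """# This lease file was written by isc-dhcp-V3.0.1
lease 192.168.0.229 {
  starts 2 2006/09/19 14:01:31;
  ends 3 2006/09/20 14:01:31;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:76:8b:c4:16;
  uid "010014v\\213\\30426";
  client-hostname "matze";
}
lease 192.168.0.50 {
  starts 2 2006/09/19 12:00:00;
  ends never;
  binding state active;
  hardware ethernet 00:de:ad:be:ef:01;
  client-hostname "stray";
}
"""
# Constructed: the page's DORA exchange plus an ACK that has no lease record.
SAMPLE_SYSLOG = [
    "Sep 19 16:01:26 server1 dhcpd: DHCPDISCOVER from 00:0c:76:8b:c4:16 via eth0",
    "Sep 19 16:01:26 server1 dhcpd: DHCPOFFER on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0",
    "Sep 19 16:01:31 server1 dhcpd: Wrote 1 leases to leases file.",
    "Sep 19 16:01:31 server1 dhcpd: DHCPREQUEST for 192.168.0.229 (192.168.0.100) from 00:0c:76:8b:c4:16 (matze) via eth0",
    "Sep 19 16:01:31 server1 dhcpd: DHCPACK on 192.168.0.229 to 00:0c:76:8b:c4:16 (matze) via eth0",
    "Sep 19 16:05:02 server1 dhcpd: DHCPACK on 192.168.0.210 to 00:aa:bb:cc:dd:ee (ghost) via eth0",
]

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
SYSLOG_RE = re.compile(
    r"dhcpd: (DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK|DHCPNAK)"
    r"(?: on (\S+))?(?: for (\S+)(?: \((\S+)\))?)? (?:from|to) ([0-9a-f:]{17})"
    r"(?: \(([^)]*)\))? via (\S+)")


def parse_lease_time(value):
    """'2 2006/09/19 14:01:31' -> aware UTC datetime; 'never' -> None.
    dhcpd writes lease times in UTC (the file header says so), not local time."""
    if value == "never":
        return None
    _weekday, date, clock = value.split()
    return datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return {ip: record}. A later record for the same IP supersedes an earlier
    one, which is how dhcpd itself reads its append-only leases file."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        rec = {"ip": m.group(1), "state": None, "mac": None, "hostname": None,
               "starts": None, "ends": None}
        for stmt in (s.strip() for s in m.group(2).split(";")):
            if stmt.startswith("starts "):
                rec["starts"] = parse_lease_time(stmt[7:])
            elif stmt.startswith("ends "):
                rec["ends"] = parse_lease_time(stmt[5:])
            elif stmt.startswith("binding state "):
                rec["state"] = stmt[14:]
            elif stmt.startswith("hardware ethernet "):
                rec["mac"] = stmt[18:].lower()
            elif stmt.startswith("client-hostname "):
                rec["hostname"] = stmt[16:].strip('"')
        leases[rec["ip"]] = rec
    return leases


def in_pool(ip):
    return POOL_START <= ipaddress.IPv4Address(ip) <= POOL_END


def active_leases(leases, now=NOW):
    """Leases bound at `now`: binding state active and not yet ended."""
    return [r for r in leases.values()
            if r["state"] == "active" and (r["ends"] is None or r["ends"] > now)]


def audit(leases, syslog_lines, now=NOW):
    active = active_leases(leases, now)
    by_ip = lambda t: ipaddress.IPv4Address(t[0] if isinstance(t, tuple) else t)
    report = {
        "active": sorted(((r["ip"], r["mac"], r["hostname"]) for r in active), key=by_ip),
        "utilization": f"{sum(in_pool(r['ip']) for r in active)}/{int(POOL_END) - int(POOL_START) + 1}",
        "outside_pool": sorted((r["ip"] for r in active if not in_pool(r["ip"])), key=by_ip),
        "ack_without_lease": [],
    }
    for line in syslog_lines:
        m = SYSLOG_RE.search(line)
        if m and m.group(1) == "DHCPACK":   # only the final step of the exchange binds an address
            rec = leases.get(m.group(2))
            if rec is None or rec["mac"] != m.group(5):
                report["ack_without_lease"].append((m.group(2), m.group(5)))
    return report


if __name__ == "__main__":
    for key, value in audit(parse_leases(SAMPLE_LEASES), SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
```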

Have Fun!


5 Links

  • ISC-DHCP: http://www.isc.org/index.pl?/sw/dhcp/
  • dhcpd.conf configuration options: http://www.bind9.net/dhcpd.conf.5
  • Network Calculators: http://www.subnetmask.info

Copyright © 2006 Falko Timme
All Rights Reserved.

[Debian-Sarge] Tunneling NFS over SSH

Last Update: 27-09-2006 @ ~21:40
Reason: Added fixed ports for nfs server to make life easy :)

Welcome

The goal of this howto is building an NFS server that works over an SSH tunnel. This way all traffic between your hosts and the file server is encrypted and thus more secure :)
Normally you have to enter a password every time you try to establish an SSH connection, but since we could be mounting at boot time we will use ssh-keygen to create a key pair so we can log in without entering a password. We will, however, limit that login session to executing just one command ;)
We will use a new clean Debian Sarge install to begin with.

In this howto I will use the fictional domain “linux.lan”.


Installing Software

We will start with the NFS server.

apt-get -y install nfs-kernel-server

First, configure it to run on fixed ports. This will make building a firewall much easier and, equally important, it makes client mounts simpler.

echo "STATDOPTS=--port 2231" > /etc/default/nfs-common
echo "options lockd nlm_udpport=2232 nlm_tcpport=2232" >> /etc/modules.conf
echo "RPCNFSDCOUNT=8" > /etc/default/nfs-kernel-server
echo "RPCMOUNTDOPTS='-p 2233'" >> /etc/default/nfs-kernel-server

That’s it, now we can use port 2233 later on when we mount the shares :) Check whether it worked with rpcinfo -p.
If nlockmgr still uses random ports, the port is a compiled-in setting. Configure it in grub/lilo as kernel parameters:
"lockd.udpport=2232 lockd.tcpport=2232".

Create a new user called sleeper to use for setting up the ssh tunnel from other hosts. We will generate a key for this account so you can log in with a key file instead of typing your password every time. Through this, the account will also be restricted to executing ‘sleep’; other commands will simply fail.

adduser sleeper
su sleeper

Now switch over to a client that will use our fileserver.
First we need a key:

ssh-keygen -t rsa -b 2048

(use defaults and NO passphrase!)

Now copy the .pub file to the homedir of sleeper on the server:

scp -P 12345 ~/.ssh/id_rsa.pub sleeper@10.0.0.241:~/

Now back to the server:
As the ‘sleeper’ user we need to configure/install the key:

mkdir ~/.ssh
cd ~/.ssh
mv ../id_rsa.pub ./id_rsa.pub
cat id_rsa.pub >> authorized_keys
chmod 600 authorized_keys

Add this to the beginning of the key line in authorized_keys (before ssh-rsa [...]):

from="client.linux.lan",command="/bin/sleep 600d"

Substitute “client” with the correct hostname of your client, or use IP addresses. The OpenSSH option is called from= (sshd rejects a key line whose options it does not recognise), and make sure every entry stays on one line!

Every client that needs access to the file server needs to have its public key (from its id_rsa.pub file) in the authorized_keys file, so you should repeat this for every host.

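As an added example (not the howto’s own code), the following Python script audits the restricted authorized_keys entries on the server: it parses OpenSSH’s option syntax (quoted values, commas, escapes), checks that each key carries from= and a /bin/sleep forced command, and reports hardening the howto does not use (no-pty, no-agent-forwarding, no-X11-forwarding, permitopen= limited to the NFS ports) as well as option names sshd does not recognise. The sample lines and hostnames are constructed; the key material is a placeholder.

```python
"""Check the restricted authorized_keys entries for the 'sleeper' tunnel account
(added example, not part of the original howto). Parses OpenSSH authorized_keys
lines (optional options, key type, base64 key, comment) and verifies what this
setup relies on: a from= host pattern and a forced command of /bin/sleep. It
also flags hardening the howto does not mention (no-pty, no-agent-forwarding,
no-X11-forwarding, permitopen= to confine the forward to the NFS ports) and
option names sshd does not know, which make it refuse the key.
Sample lines are constructed; the key material is a placeholder."""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")
KNOWN_OPTIONS = {"command", "environment", "from", "no-agent-forwarding",
                 "no-port-forwarding", "no-pty", "no-user-rc", "no-X11-forwarding",
                 "permitopen", "port-forwarding", "restrict", "tunnel"}
RECOMMENDED_FLAGS = ("no-pty", "no-agent-forwarding", "no-X11-forwarding")

SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; AAAAB3Nz... stands for the real base64 key
from="client.linux.lan",command="/bin/sleep 600d" ssh-rsa AAAAB3Nz... root@client
from="client2.linux.lan",command="/bin/sleep 600d",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="10.0.0.241:2049",permitopen="10.0.0.241:2233" ssh-rsa AAAAB3Nz... root@client2
client="client3.linux.lan",command="/bin/sleep 600d" ssh-rsa AAAAB3Nz... root@client3
ssh-rsa AAAAB3Nz... root@client4
"""


def parse_options(text):
    """Parse the leading option list of an authorized_keys line.
    Returns ({name: [values]}, rest_of_line). Commas inside double quotes do not
    split, quotes are dropped, and a backslash escapes the next char in quotes."""
    opts, cur, quoted, i = {}, [], False, 0

    def flush():
        if cur:
            name, eq, value = "".join(cur).partition("=")
            opts.setdefault(name, []).append(value if eq else True)
            cur.clear()

    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            flush()
        elif ch.isspace() and not quoted:   # first unquoted blank ends the option list
            flush()
            return opts, text[i:].lstrip()
        else:
            cur.append(ch)
        i += 1
    flush()
    return opts, ""


def parse_entry(line):
    """None for blank/comment lines, else {options, key_type, key, comment}."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = ({}, line) if line.split(None, 1)[0] in KEY_TYPES else parse_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"not an authorized_keys entry: {line!r}")
    return {"options": options, "key_type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


def check_entry(entry, expected_command="/bin/sleep"):
    """Return the list of problems with one entry (empty list == acceptable)."""
    opts, problems = entry["options"], []
    for name in opts:
        if name not in KNOWN_OPTIONS:
            problems.append(f"unknown option {name!r}: sshd refuses the key")
    if "from" not in opts:
        problems.append("no from=: key usable from any host")
    cmd = str(opts.get("command", [""])[0])
    if not cmd.startswith(expected_command):
        problems.append(f"command= is {cmd!r}, expected {expected_command}")
    if "no-port-forwarding" in opts or ("restrict" in opts and "port-forwarding" not in opts):
        problems.append("port forwarding disabled: the -L tunnel would be refused")
    problems += [f"missing {flag}" for flag in RECOMMENDED_FLAGS if flag not in opts]
    if "permitopen" not in opts:
        problems.append("no permitopen=: tunnel may reach any host:port from the server")
    return problems


def audit(text):
    """Map each entry's comment (or key prefix) to its list of problems."""
    results = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            results[entry["comment"] or entry["key"][:12]] = check_entry(entry)
    return results


if __name__ == "__main__":
    for who, problems in audit(SAMPLE_AUTHORIZED_KEYS).items():
        print(who, "->", problems or "OK")
```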
Mounting NFS over SSH on your clients

Issue these commands to start the tunnels for nfs and mountd:
(syntax: ssh -f -c encryption -L localport:nfsserver:nfsport -l username nfsserver remotecommand)
Also note that without the fixed-port configuration above, the port number for mountd would be different with every restart of the NFS server… Keep that in mind.

ssh -f -i /root/.ssh/id_rsa -c blowfish -L 61001:10.0.0.241:2049 -l sleeper 10.0.0.241 sleep 600d
ssh -f -i /root/.ssh/id_rsa -c blowfish -L 62001:10.0.0.241:2233 -l sleeper 10.0.0.241 sleep 600d

This creates a connection that will stay alive for almost 2 years… :)
Now edit your fstab and mount:

echo "localhost:/export/data /mnt nfs tcp,rsize=8192,wsize=8192,intr,rw,bg,nosuid,port=61001,mountport=62001,noauto" >> /etc/fstab
mount /mnt

Of course we need some mountable folders (shares) defined on the NFS server:

mkdir /export
mkdir /export/data
mkdir /export/www-virtual
mkdir /export/www-conf
mkdir /export/mail-virtual
mkdir /export/mail-conf

Add them to /etc/exports:

/export/data 10.0.0.241(rw,root_squash,sync)

Notice that the IP address is the NFS server itself? That’s because you’ll mount the shares from localhost once you have established the SSH tunnel.

Some security settings, since we don’t want anyone from outside our network to access the server:

echo "portmap: ALL" > /etc/hosts.deny
echo "portmap: 10.0.0.0/255.255.255.0" > /etc/hosts.allow

Restart NFS:

/etc/init.d/nfs-kernel-server restart

That’s it! You can now mount the filesystem on your clients without the need to supply a password. And of course all traffic will be encrypted :)

Copyright © 2006 harm
All Rights Reserved.

MySQL Backup And Recovery With mysql-zrm On Debian Sarge

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 09/27/2006

This guide describes how to back up and recover your MySQL databases with mysql-zrm on a Debian Sarge system. mysql-zrm is short for Zmanda Recovery Manager for MySQL; it is a new tool that lets you create full logical or raw backups of your databases (regardless of your storage engine and MySQL configuration), generate reports about the backups, verify the integrity of the backups, and recover your databases. It can also send email notifications about the backup status, and you can implement multiple backup policies (based on your applications and based on time, e.g. daily, weekly, etc.).

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!


1 Preliminary Note

mysql-zrm works on MySQL 4.1 and above, so I assume you already have a MySQL server installed on your Debian Sarge system, e.g. like this:

apt-get install mysql-client-4.1 mysql-common-4.1 mysql-server-4.1

This also installs the package libdbd-mysql-perl which is needed by mysql-zrm as mysql-zrm is written in Perl.


2 Installation

Zmanda has released an rpm package of mysql-zrm for rpm-based distributions like Fedora, RedHat, SuSE, CentOS, etc., but no package for Debian Sarge. So we must download the mysql-zrm source package from http://www.zmanda.com/downloads.html. Select the stable release (at the time of this writing it was 1.0.3) and download it to your /tmp directory:

cd /tmp
wget http://www.zmanda.com/downloads/community/ZRM-MySQL/1.0.3/Source/MySQL-zrm-1.0.3.tar.gz

Next we unpack the sources and go to the source directory:

tar xvfz MySQL-zrm-1.0.3.tar.gz
cd MySQL-zrm-1.0.3

Unfortunately the installation instructions in the INSTALL file only say that you can install the mysql-zrm rpm package if you are on an rpm-based distribution, but nothing more. Also, there’s no installation script and no installation instructions for the source package on the Zmanda web site, so I had to find out myself how to get mysql-zrm installed on my Debian Sarge system. This is how I did it:

chown root:root *
mv mysql-zrm /usr/bin
mv mysql-zrm-reporter /usr/bin
mv mysql-zrm-scheduler /usr/bin
gzip mysql-zrm.1
mv mysql-zrm.1.gz /usr/share/man/man1
gzip mysql-zrm.conf.5
mv mysql-zrm.conf.5.gz /usr/share/man/man5
gzip mysql-zrm-reporter.1
mv mysql-zrm-reporter.1.gz /usr/share/man/man1
gzip mysql-zrm-reporter.conf.5
mv mysql-zrm-reporter.conf.5.gz /usr/share/man/man5
gzip mysql-zrm-scheduler.1
mv mysql-zrm-scheduler.1.gz /usr/share/man/man1
mkdir /etc/mysql-zrm
mv *.conf /etc/mysql-zrm
mkdir -p /usr/lib/mysql-zrm/Data/Report/Plugin
mv Report.pm /usr/lib/mysql-zrm/Data
mv Base.pm /usr/lib/mysql-zrm/Data/Report
mv *.pm /usr/lib/mysql-zrm/Data/Report/Plugin
mkdir /var/log/mysql-zrm
gzip AUTHORS
gzip COPYING
gzip INSTALL
gzip README
mkdir /usr/share/doc/MySQL-zrm
mv * /usr/share/doc/MySQL-zrm
mkdir /var/lib/mysql-zrm
touch /etc/mysql-zrm/mysql-zrm-release

That’s it. The executable files have been moved to /usr/bin, the configuration files are in /etc/mysql-zrm, and we even have man pages for our executables (mysql-zrm, mysql-zrm-reporter, and mysql-zrm-scheduler), so if you are not sure about the usage of the executables, you can run

man mysql-zrm

man mysql-zrm-reporter

man mysql-zrm-scheduler

Copyright © 2006 Falko Timme
All Rights Reserved.

Securing Your Server With A Host-based Intrusion Detection System

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 09/18/2006

This article shows how to install and run OSSEC HIDS, an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. It helps you detect attacks, software misuse, policy violations and other forms of inappropriate activities.

With OSSEC HIDS you can monitor multiple systems, with one system being the OSSEC HIDS server and the others the OSSEC HIDS agents that report back to the server. However, in this tutorial I want to monitor just one system, so I perform a “local” installation so that OSSEC HIDS will do its work locally on that system.

In the following I use a Debian Sarge (3.1) system to install OSSEC HIDS on.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!


1 Installing OSSEC HIDS

Installing OSSEC HIDS is very easy; it’s just a matter of downloading the sources, running the installation script and answering its questions. First, we download and unpack the OSSEC HIDS sources:

cd /tmp
wget http://www.ossec.net/files/ossec-hids-0.9-1a.tar.gz
tar xvfz ossec-hids-0.9-1a.tar.gz

Then we run the installation script:

cd ossec-hids-0.9-1a
./install.sh

The installation script will ask you a few questions:

** Para instalação em português, escolha [br].
** Fur eine deutsche Installation wohlen Sie [de].
** For installation in English, choose [en].
** Para instalar en Español , eliga [es].
** Pour une installation en français, choisissez [fr]
** Per l’installazione in Italiano, scegli [it].
** 日本語でインストールします．選択して下さい．[jp].
** Aby instalować w języku Polskim, wybierz [pl].
** Для инструкций по установке на русском ,введите [ru].
** Türkçe kurulum için seçin [tr].
(en/br/de/es/fr/it/jp/pl/ru/tr) [en]: <– en (or one of the other options, if you don’t want to use English)

OSSEC HIDS v0.9-1 Installation Script – http://www.ossec.net

You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).

– System: Linux server1.example.com 2.6.8-2-386
– User: root
– Host: server1.example.com

— Press ENTER to continue or Ctrl-C to abort. – <– [ENTER]

1- What kind of installation do you want (server, agent, local or help)? <– local

- Choose where to install the OSSEC HIDS [/var/ossec]: <– /var/ossec

3.1- Do you want e-mail notification? (y/n) [y]: <– y

- What’s your e-mail address? <– example@example.com (please enter your own email address here)

- We found your SMTP server as: mail.example.com.
- Do you want to use it? (y/n) [y]:
<– y (normally you can accept the installer’s proposal, unless you want to use another SMTP server)

3.2- Do you want to run the integrity check daemon? (y/n) [y]: <– y

3.3- Do you want to run the rootkit detection engine? (y/n) [y]: <– y

- Do you want to enable active response? (y/n) [y]: <– y

- Do you want to enable the firewall-drop response? (y/n) [y]: <– y

- Do you want to add more IPs to the white list? (y/n)? [n]: <– n (unless you want to whitelist more IP addresses)

3.6- Setting the configuration to analyze the following logs:
– /var/log/messages
– /var/log/auth.log
– /var/log/syslog
– /var/log/mail.info

– If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .

— Press ENTER to continue — <– [ENTER]

- System is Linux (SysV).
- Init script modified to start OSSEC HIDS during boot.
Adding system startup for /etc/init.d/ossec …
/etc/rc0.d/K20ossec -> ../init.d/ossec
/etc/rc1.d/K20ossec -> ../init.d/ossec
/etc/rc6.d/K20ossec -> ../init.d/ossec
/etc/rc2.d/S20ossec -> ../init.d/ossec
/etc/rc3.d/S20ossec -> ../init.d/ossec
/etc/rc4.d/S20ossec -> ../init.d/ossec
/etc/rc5.d/S20ossec -> ../init.d/ossec

– Configuration finished properly.

– To start OSSEC HIDS:
/var/ossec/bin/ossec-control start

– To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop

– The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
(http://mailman.underlinux.com.br/mailman/listinfo/ossec-list).

More information can be found at http://www.ossec.net

— Press ENTER to finish (maybe more information below). — <– [ENTER]

That’s it, OSSEC HIDS is now installed and ready to be started.


2 Starting And Running OSSEC HIDS

In order to start OSSEC HIDS, we run this command:

/etc/init.d/ossec start

The output should look like this:

server1:/etc/init.d# /etc/init.d/ossec start
Starting OSSEC HIDS v0.9-1 (by Daniel B. Cid)…
Started ossec-maild…
Started ossec-execd…
Started ossec-analysisd…
Started ossec-logcollector…
Started ossec-syscheckd…
Completed.
server1:/etc/init.d#

As you might have seen during OSSEC HIDS installation, the installer also created the necessary system startup links for OSSEC HIDS, so that OSSEC HIDS will be started automatically whenever you boot/reboot your system.

After OSSEC HIDS has been started, it will run silently in the background, performing log analysis, integrity checking, rootkit detection, etc. You can check that it’s running by executing

ps aux

In the output you should find something like this:

ossecm    2038  0.0  0.4  1860  792 ?        S    12:40   0:00 /var/ossec/bin/ossec-maild
root      2042  0.0  0.3  1736  648 ?        S    12:40   0:00 /var/ossec/bin/ossec-execd
ossec     2046  0.2  0.5  2192 1136 ?        S    12:40   0:00 /var/ossec/bin/ossec-analysisd
root      2050  0.0  0.2  1592  556 ?        S    12:40   0:00 /var/ossec/bin/ossec-logcollector
root      2054 12.2  0.3  1756  616 ?        S    12:40   0:05 /var/ossec/bin/ossec-syscheckd

The OSSEC HIDS log file is /var/ossec/logs/ossec.log, so you can check it to see what’s going on, e.g. with the tail command.

tail -f /var/ossec/logs/ossec.log

shows what’s happening in real-time. Press CTRL-C to leave it.

tail -n 100 /var/ossec/logs/ossec.log

shows you the last 100 lines of the OSSEC HIDS log.

Whenever OSSEC HIDS detects something suspicious, it sends an email with a report about the activity to the email address you specified during installation.

If you want to change OSSEC HIDS’ settings (e.g. change the email address, add custom rulesets, etc.), you can do this by editing the configuration file /var/ossec/etc/ossec.conf (which is in XML format). You can do this by using a command-line editor such as vi:

vi /var/ossec/etc/ossec.conf

The file looks like this:

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>example@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>ossecm@example.com</email_from>
  </global>
[...]

If you change the file, make sure to restart OSSEC HIDS afterwards:

/etc/init.d/ossec restart

In order to learn how to add custom rulesets, etc. to the OSSEC HIDS configuration, please refer to the OSSEC HIDS manual: http://www.ossec.net/en/manual.html
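As an added example (not part of the original article), here is a Python helper for the edit the installer mentions, adding a <localfile> entry to ossec.conf, done idempotently and tolerating the multiple top-level <ossec_config> blocks such a file may contain. The sample configuration is constructed from the snippet above and the installer’s log list; the extra log path is a placeholder.

```python
"""Add a <localfile> entry to ossec.conf without duplicating an existing one
(added example, not part of the original article). The installer output above
lists the four logs a local install monitors and says other files are added as
<localfile> entries in ossec.conf; this does that edit programmatically.
Caveat handled: ossec.conf may hold several top-level <ossec_config> blocks, so
it is not a single-root XML document and is wrapped in a synthetic root before
parsing. The sample is constructed from the page's snippet plus the installer's
log list; the extra log path is a placeholder."""
import xml.etree.ElementTree as ET

SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>example@example.com</email_to>
    <smtp_server>mail.example.com.</smtp_server>
    <email_from>ossecm@example.com</email_from>
  </global>
</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/mail.info</location>
  </localfile>
</ossec_config>
"""


def parse_blocks(text):
    """Return every top-level <ossec_config> element of a config file."""
    return ET.fromstring("<root>" + text + "</root>").findall("ossec_config")


def monitored_files(text):
    """Locations of all <localfile> entries, in file order."""
    return [lf.findtext("location")
            for block in parse_blocks(text) for lf in block.findall("localfile")]


def add_localfile(text, location, log_format="syslog"):
    """Return (new_text, changed). Adds the entry to the block that already holds
    <localfile> elements (or to the last block) unless it is already present."""
    if location in monitored_files(text):
        return text, False
    blocks = parse_blocks(text)
    target = next((b for b in blocks if b.find("localfile") is not None), blocks[-1])
    lf = ET.SubElement(target, "localfile")
    ET.SubElement(lf, "log_format").text = log_format
    ET.SubElement(lf, "location").text = location
    out = []
    for block in blocks:
        block.tail = None               # tostring() would otherwise emit the tail too
        if hasattr(ET, "indent"):       # Python 3.9+: re-indent the block we changed
            ET.indent(block, space="  ")
        out.append(ET.tostring(block, encoding="unicode"))
    return "\n\n".join(out) + "\n", True


if __name__ == "__main__":
    new_conf, changed = add_localfile(SAMPLE_OSSEC_CONF, "/var/log/apache2/access.log", "apache")
    print("changed:", changed)
    print(new_conf)
```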


3 Links

  • OSSEC HIDS: http://www.ossec.net

Copyright © 2006 Falko Timme
All Rights Reserved.

Setting up Subversion and websvn on Debian 

Purpose of this howto

This howto will illustrate a way to install and configure Subversion and websvn on a Debian server with the following features:

  • multiple repository Subversion
  • access to the repositories via WebDAV (http, https) and ssh
  • Linux system account access control and/or Apache level access control
  • a secured websvn (php web application for easy code browsing)
  • configured syntax coloring in websvn with gnu enscript

I will not specifically configure inetd with svnserve in this howto. Rest assured that Subversion will be totally functional without it.
You can copy/paste most of the howto to get it working.

Packages that are assumed to already be installed

This howto assumes PHP and apache2 are installed and configured. Configuring apache2 with SSL is optional.

Setting up Subversion

Subversion packages

As root you can enter the following commands to install the packages required for our Subversion setup:

# apt-get update
# apt-get install subversion
# apt-get install libapache2-svn

The package libapache2-svn will install the subversion WebDAV apache module.

Creating and populating repositories

To work with in this howto we’ll create two repos:

# mkdir /var/svn-repos/
# svnadmin create --fs-type fsfs /var/svn-repos/project_zen
# svnadmin create --fs-type fsfs /var/svn-repos/project_wombat

The repository directories need the proper permissions for apache and the other users. I’ll make a group and add users to it (don’t just copy/paste here). The apache user won’t be put in the group because I find it less secure.

# groupadd subversion
# addgroup john subversion
# addgroup bert subversion
# addgroup you subversion

# chown -R www-data:subversion /var/svn-repos/*
# chmod -R 770 /var/svn-repos/*

Let’s set up easy ssh connectivity. On a user machine, enter the following commands:

$ mkdir ~/.ssh/
$ cd ~/.ssh/
$ ssh-keygen -t dsa
$ cat ~/.ssh/id_dsa.pub | ssh you@example.com "cat - >> ~/.ssh/authorized_keys"

The server example.com is the server we installed Subversion on. For easy ssh use you can choose not to use a passphrase with your key, or use an agent to stay authenticated. Otherwise each transaction between the user machine and Subversion will require the user to enter a password (very inconvenient). Using an agent can be done like this:

$ ssh-agent
$ ssh-add
$ ssh you@example.com

All should be set now to use a repository. You may test it like this; it shows an import and a checkout:

$ mkdir ~/TEMP/
$ echo "testing svn" > ~/TEMP/testing.txt
$ svn import -m "importing test over ssh+svn" ~/TEMP/ svn+ssh://example.com/var/svn-repos/project_zen/trunk
$ svn co svn+ssh://example.com/var/svn-repos/project_zen/trunk testcheckout

As a result the testing.txt file should be in a directory called testcheckout. On the serverside you can check the repositories with svnlook.

# svnlook tree /var/svn-repos/project_zen/

Configuring Subversion WebDAV

Normally the apache modules will be enabled by default; to make sure, enter the following commands:

# a2enmod dav
# a2enmod dav_svn

Configuration is done in the file /etc/apache2/mods-available/dav_svn.conf, but first we’ll make an access file.

# htpasswd2 -c /etc/apache2/dav_svn.passwd you
# htpasswd2 /etc/apache2/dav_svn.passwd john
# htpasswd2 /etc/apache2/dav_svn.passwd sten

This is the content of my /etc/apache2/mods-available/dav_svn.conf file:

<Location /svn_zen>
  DAV svn
  SVNPath /var/svn-repos/project_zen
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  Require valid-user
  SSLRequireSSL
</Location>

<Location /svn_wombat>
  DAV svn
  SVNPath /var/svn-repos/project_wombat
  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  Require valid-user
  SSLRequireSSL
</Location>

You can comment out the SSLRequireSSL line if you don’t want to use SSL, but then you need to use http instead of https in the commands that follow. Apache should be restarted, and then we can test from a user machine. We’ll import the same test file into the wombat project.

# /etc/init.d/apache2 restart
$ svn import -m "testing over https" ~/TEMP/ https://example.com/svn_wombat

Using a web browser you can visit your URL https://example.com/svn_wombat and see what was just committed. This is a basic on-line view of the repository, but using a web front-end like websvn will offer a better repository browsing experience.

Setting up websvn

Required packages

To get rolling with websvn we’ll need to install the following packages; both will show you configuration screens (explained in the next paragraph):

# apt-get install enscript
# apt-get install websvn

Enscript isn’t mandatory but we’ll need it for syntax coloring in websvn.

Configuration

Enscript will ask for a paper size; this might seem awkward, but that’s because enscript is also used for converting ASCII files to PostScript. We need it for its syntax coloring features.

Websvn will first ask for which kind of server to configure, go ahead and just press enter.


The next screens ask for a parent repository folder (/var/svn-repos/ in this case) and for specific repository folders; this determines which repositories will show up in websvn. We will only enter a parent repository; all repositories created in this folder will show up in websvn for users to browse. If you want to show only specific repositories, enter their full paths in the second screen and leave the parent path blank.
As a result the file /etc/websvn/svn_deb_conf.inc will be written. You can rerun debian package configuration screens with dpkg-reconfigure. Further websvn configuration is done in the file /etc/websvn/config.inc. This is the content of my file with some extension mappings for the syntax coloring.

<?php
// --- LOOK AND FEEL ---
//
// Uncomment ONLY the display file that you want.
$config->setTemplatePath("$locwebsvnreal/templates/Standard/");
// $config->setTemplatePath("$locwebsvnreal/templates/BlueGrey/");
// $config->setTemplatePath("$locwebsvnreal/templates/Zinn/");

// $contentType[".c"] = "plain/text"; // Create a new association
// $contentType[".doc"] = "plain/text"; // Modify an existing one
unset($contentType[".sh"]); // Remove a default association -> .sh is regarded as a binary file by default, needs to be unset

// --- COLOURISATION ---
// Uncomment this line if you want to use Enscript to colourise your file listings
//
// You'll need Enscript version 1.6 or higher AND Sed installed to use this feature.
// Set the path above.
//
$config->useEnscript();

// Enscript need to be told what the contents of a file are so that it can be colourised
// correctly.  WebSVN includes a predefined list of mappings from file extension to Enscript
// file type (viewable in setup.inc).
//
// Here you should add and other extensions not already listed or redefine the default ones. eg:
//
// php is default correctly colourized
$extEnscript[".java"] = "java";
$extEnscript[".pl"] = "perl";
$extEnscript[".py"] = "python";
$extEnscript[".sql"] = "sql";
$extEnscript[".html"] = "html";
$extEnscript[".xml"] = "html";
$extEnscript[".thtml"] = "html";
$extEnscript[".tpl"] = "html";
$extEnscript[".sh"] = "bash";

// --- MISCELLANOUS ---
// Uncomment this if you don't have the right to use it.  Be warned that you may need it however!
set_time_limit(0);

// Comment this line to turn off caching of repo information.  This will slow down your browsing.
$config->setCachingOn();

// Number of spaces to expand tabs to in diff/listing view across all repositories
$config->expandTabsBy(8);

// To change the global option for individual repositories, uncomment and replicate
// the required line below (replacing 'myrep' for the name of the repository to be changed).
// $config->findRepository("myrep")->expandTabsBy(3); // Expand Tabs by 3 for repository 'myrep'
?>
<?php
if ( file_exists("/etc/websvn/svn_deb_conf.inc") ) {
  include("/etc/websvn/svn_deb_conf.inc");
}
?>

Next up is configuring the apache virtualhost for websvn.
Example using SSL:

<VirtualHost *:443>
    ServerAdmin webmaster@example.com
    ServerName svn.example.com
    DocumentRoot /var/www/websvn/
    <Location />
        Options FollowSymLinks
        order allow,deny
        allow from all
        AuthType Basic
        AuthName "Subversion Repository"
        Require valid-user
        AuthUserFile /etc/apache2/dav_svn.passwd
        <IfModule mod_php4.c>
            php_flag magic_quotes_gpc Off
            php_flag track_vars On
        </IfModule>
    </Location>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
</VirtualHost>

Example without SSL:

<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    ServerName svn.example.com
    DocumentRoot /var/www/websvn/
    <Location />
        Options FollowSymLinks
        AllowOverride None
        order allow,deny
        allow from all
        AuthType Basic
        AuthName "Subversion Repository"
        Require valid-user
        AuthUserFile /etc/apache2/dav_svn.passwd
        <IfModule mod_php4.c>
            php_flag magic_quotes_gpc Off
            php_flag track_vars On
        </IfModule>
    </Location>
</VirtualHost>

Restart apache and have a look at the result at your https://svn.example.com/.

Useful Subversion references

Getting more information

  • official subversion site
  • Version Control with Subversion, free on-line book
  • websvn

Subversion clients

  • Subclipse
  • RapidSVN
  • kdesvn
  • Zigversion (Mac OS X)
  • Quicksilver plugin (Mac OS X)
  • svnX (Mac OS X)
  • TortoiseSVN (Windows)

I hope you find this howto useful. This isn’t a perfect setup, but hopefully it will help you in using Subversion. Please feel free to add comments or corrections.

This page is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.0 License.