Before we begin, I am assuming that you have *not* attempted to install anything! If you haven't installed anything, skip this little section, but if you have, here are the steps you should follow:
If anything comes up here (besides "package not installed"), you might have problems with the following steps (package dependencies failing, etc.), so you might want to use the rpm -U command when continuing through the next steps, INSTEAD of rpm -ivh.
Go here (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/) to get the RPMs needed for sshd. You will probably want to get "openssh-2.3.0p1-1.i386.rpm", "openssh-server-2.3.0p1-1.i386", and "openssl-0.9.5a-3.i386.rpm" (current as of 11/25/2000). You need all three, or rpm complains about missing dependencies (a server rpm, an openssl rpm, and then the openssh-p1 rpm).
Let's unpack the files first... go to where you downloaded them. It is VERY IMPORTANT to install them in this order!
If you get the error:
error: failed dependencies:
rpmlib(VersionedDependencies) <= 3.0.3-1 is needed by openssh-2.3.0pl-1
You will need to grab this file and install it (rpm -U rpm-3*). It will give you an error about not being able to remove a directory; don't worry about it, and continue.
Congratulate yourself, you have just installed an SSH server! Now to configure it.
Your ssh-keygen file should be located in /usr/bin upon install.
Let's go ahead and make ourselves the keys. Some people have had questions about this, so to clarify (thanks Ron): after the -N it is apostrophe [space] apostrophe (i.e. ' ').
/usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ' '
/usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N ' '
Output:
Okay, we have now created our keys. Now let's configure our /etc/ssh/sshd_config file. A sample file (what my file looks like.. the important things are in red):
Once you think you have your config file setup, let's make it load from tcp wrappers (this is done so that you can use hosts.allow/deny to block telnet, ftp, ssh, and all other services invoked from inetd):
pico /etc/inetd.conf
Add a line in there that says:
ssh stream tcp nowait root /usr/sbin/tcpd sshd -i
Let's restart inetd with the following (after -HUP it is *not* an apostrophe; it is a back-tick, and the same at the very end; thanks Michael):
kill -HUP `cat /var/run/inetd.pid`
You should just get another command line. If you want to make sure it's running, try:
netstat -vat | grep ssh
And it should read something like:
tcp 0 0 *:ssh *:* LISTEN
Well, you have now set up your secure shell server! The next section will be a way to test it from your Windows (or Linux) computer.
Note: For clarification (thanks Ron), when sshd is initialized (either through inetd or if you decide to put it in your rc.local file), it *automatically* "opens" port 22 (ssh) unless otherwise specified. If you have chosen my method of starting it from inetd, that port *will* be open to anyone listed in /etc/hosts.allow and denied to everyone else (hopefully you have taken my advice and put ALL : ALL in /etc/hosts.deny). If you haven't, then port 22 will be open to the general public *as is*, so I suggest you implement some firewall rules; you can find examples in my pmfirewall.rules.local file.
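To show why that ALL : ALL line in hosts.deny matters, here is an added example (not from this tutorial) that models the decision tcpd makes for the "sshd -i" inetd line above: hosts.allow is checked first, then hosts.deny, and a connection that matches neither file is let through. The rule sets in it are constructed samples, and only the ALL, exact-address and trailing-dot prefix forms are modelled.

```shell
#!/bin/sh
# Added example (not from the tutorial): a simplified model of how tcpd
# decides whether to pass a connection to "sshd -i" for the inetd line
# above. tcpd reads /etc/hosts.allow first, then /etc/hosts.deny; the
# first matching "daemon : client" line wins, and if NEITHER file matches,
# the connection is ALLOWED. That default is why the tutorial insists on
# "ALL : ALL" in hosts.deny. Only ALL, an exact address and a trailing-dot
# network prefix (e.g. 192.168.0.) are modelled here; real tcpd does more.

# Constructed sample rule sets standing in for the two files.
ALLOW_RULES='sshd : 192.168.0.
sshd : 10.1.1.5'
DENY_RULES='ALL : ALL'

# match_field PATTERN VALUE -> succeeds if PATTERN covers VALUE
match_field() {
    pat=$(printf '%s' "$1" | sed 's/^ *//;s/ *$//')
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$2" in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$2" ] && return 0 ;;
    esac
    return 1
}

# rules_match RULES DAEMON CLIENT -> succeeds on the first matching line
rules_match() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if match_field "${line%%:*}" "$2" && match_field "${line#*:}" "$3"
        then echo match; break
        fi
    done | grep -q match
}

# wrap_decision ALLOW_RULES DENY_RULES DAEMON CLIENT -> prints allow/deny
wrap_decision() {
    if rules_match "$1" "$3" "$4"; then echo allow
    elif rules_match "$2" "$3" "$4"; then echo deny
    else echo allow     # no rule matched: tcpd's default is to allow
    fi
}

for client in 192.168.0.7 10.1.1.5 10.1.1.6; do
    printf 'sshd from %-12s ALL:ALL deny -> %s, empty deny -> %s\n' \
        "$client" "$(wrap_decision "$ALLOW_RULES" "$DENY_RULES" sshd "$client")" \
        "$(wrap_decision "$ALLOW_RULES" '' sshd "$client")"
done
```

The third line of output is the point: with hosts.deny empty, a client that matches nothing in hosts.allow still gets through.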
It's all based on preference. I like two, ZOC and Tera Term. I will explain ZOC.
You can get ZOC here, but you will need to get the SSH encryption part here.
Alternatively, you can get Tera Term here with the extra SSH encryption here.
Okay, back to ZOC. As for all windows apps, just double click on it, and go through the setup process. You will need WinZip to unzip devssh_win_english.zip - when you do, copy the 170k (round-about) file into ZOC's main directory (usually C:\Program Files\Zoc\). Open ZOC up, and hit alt + d to bring up the dialing box.
Click on New.. on the right-hand side, and create a new entry. The main tabs you should be concerned about are Connect to and Device under the Call tab, and Username and Password (enter in *actual* system usernames and passwords) under the Login tab. Go ahead and try to connect once you have specified the information. The output should be something like:
And you know it worked! Note: if it doesn't work, make sure you are allowing the correct user access! Check /var/log/messages to make sure! (a common problem if you are still in as root (su'd))
Note: For linux users, ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/ offers an OpenSSH client, called "open-ssh-clients-2.3.0p1-1.i386.rpm" (as of 11/25/2000)
Go ahead and grab the file and move into the directory where you downloaded it.
If someone would like to take a few minutes and write a little section about how to configure (and optimize/secure) openssh clients, I would really love it, and would give you mucho credit for it.
If you want, there is a tutorial here (http://www.linuxguruz.org/z.php?id=31) that is excellent; I might end up just deleting what I have and include great webserver links that have already been written :) Oh, and if you want to install it with SSL you can find it here (http://www.linuxguruz.org/z.php?id=32). Enjoy
I want to take a moment to thank Sweede for all of his help in making this document come out a lot faster than it would have normally.
Okay, first, grab the files to install:
download apache (latest is 1.3.14 here),
download php modules here (latest is php-4.0.4),
download mod_perl here (mod_perl-1.24_01.tar.gz as of 12/1/00),
MySQL rpms (select the latest .i386 (NOT the .src) rpm!),
mod_auth_mysql (latest 2.20-1),
GD (this will allow you to create .gif files, latest is 1.8.3).
Now, I'm assuming you have nothing webserver-based (apache, php, etc.) installed.
Installing Apache
Alright, let's go ahead and install it from the source we downloaded:
cp apache* /usr/local/
tar -zxvf apache*
cd apache_1.3.14
./configure \
--enable-module=most \
--enable-shared=max \
--enable-suexec \
--suexec-caller=httpd \
--server-uid=httpd \
--server-gid=users \
--with-layout=RedHat
(hit enter, and it will go through the configure script)
make
make install
This will install Apache exactly like the RPMs. Now to install MySQL Server:
If you don't have perl5 module, get the latest version here (latest is perl-5.6.0.tar.gz) and issue a tar -zxvf perl*, cd into the directory, run ./Configure, make and then make install.
Now for MySQL:
rpm -ivh MySQL*
This will install MYSQL, but you will need to set the root password now by typing:
mysqladmin -u root password 'newpassword123'
I was told there was a default user named test that has no password; this document does not cover securing mysql, I'm sorry.
Now for PHP: (go to where you downloaded the source. tar -zxvf php*, cd into the directory, then:)
lynx -dump -source http://www.php.net/extra/number4.tar.gz | gzip -d | tar xvf -
Then run:
./configure \
--with-apache=../apache \
--with-gd=../gd \
--enable-track-vars \
--with-ftp \
--enable-bcmath \
--with-ttf \
--with-apxs=/usr/sbin/apxs \
--with-zlib \
--with-gd \
--enable-transparent-sid \
--with-mysql \
--with-config-file-path=/etc/httpd/conf
(hit enter, and it will go through the configure script)
make
make install
Now for mod_perl support:
tar -zxvf mod_perl*
cd into the directory
perl Makefile.PL
make
make install
Now we'll compile and install mod_perl into Apache
perl Makefile.PL \
USE_APXS=1 \
WITH_APXS=/usr/sbin/apxs \
EVERYTHING=1
(hit enter, and it will go through the configure script)
make
make install
Installing mod_auth_mysql
mod_auth_mysql lets the Apache web-server authorize against a MySQL user database. Installation of the module as a DSO isn't exactly documented in the README file, but it can be done.
First, change to the directory you extracted mod_auth_mysql to. I assume that you have MySQL installed somewhere (along with the headers, etc). Make sure you know the location of the MySQL libraries and header files. If in doubt, check /usr/lib/mysql and /usr/include/mysql.
In order to compile mod_auth_mysql, we'll first have to rename the 'config.h' file to 'auth_mysql_config.h'. I'm not sure why this file wasn't named correctly, but simply execute the following command:
cp config.h auth_mysql_config.h
Now for the final step:
/usr/sbin/apxs -i -a -I/usr/include/mysql -L/usr/lib/mysql \
-lmysqlclient -c mod_auth_mysql.c
Now go back into apache's directory and execute:
./configure \
--with-layout=RedHat \
--enable-module=rewrite \
--enable-suexec \
--suexec-caller=httpd \
--activate-module=modules/auth_mysql/libauth_mysql.a \
--activate-module=modules/php3/libphp3.a
(hit enter)
then run make and make install
Now, open up your apache config file in your favorite editor
pico /etc/httpd/conf/httpd.conf
Go to around line 750.. and uncomment these lines (feel free to add more lines if you need more extensions)
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
The easiest way is to do a search to find anything in bold I list here and change appropriately:
ServerAdmin, ServerName, AddType, and anything around line 340 (if you want www.domain.com/~username)
Nothing to come as of yet, check back later.
If you want to check out www.linuxnewbie.org's NHF on it: click here
Go to the directory where you downloaded the latest version of squid (if you have squid installed already, don't worry about getting this RPM, skip the first step).
rpm -i squid*
Go here to get squid's rpm: Squid rpm (2.3 is the most recent upon writing this.. ftp://rpmfind.net/linux/redhat/redhat-6.2/i386/RedHat/RPMS//squid-2.3.STABLE1-5.i386.rpm)
To spare you a lot of headaches, go get this squid.conf file (you may need to hold down shift while clicking.. http://www.fandelem.com/configfiles/squid.conf); it is very basic, but will get you started.
New: Okay, to create less confusion (because some of the things I set in my squid.conf file are not what everyone else wants) I'm going to specify the fields I change (that way you can do a search for these particular fields and see if they are needed for you). click here to view it.
cp squid.conf /etc/squid/
squid -z
Next type:
tail -f /var/log/messages &
squid
See if there were any error messages. If there weren't, then pat yourself on your back, the hard part is over with.
Next, go into your Windows browser, whether it be Internet Explorer (preferable) or Netscape.
Go into: tools -> internet options.. -> connections
Make sure you have "Never dial a connection"
Next, click on Lan Settings..
The *ONLY* thing that should be checked is: Use a proxy server. Fill in the following:
Address: 192.168.0.1 Port: 3128
Click okay all the way back until you're back to just Internet explorer, you're done.
Go into: edit -> preferences -> advanced -> proxies. Select manual proxy, and enter in the IP address of your Linux Server (ours is 192.168.0.1) for every type of service. In the PORT field, enter 3128. Click Ok all the way back until you're back to just Netscape Navigator, you're done.
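Since the squid.conf link above may not be reachable any more, here is a minimal one as an added example (constructed, not the author's file): it listens on the 3128 port the browser settings use and only admits the 192.168.0.x LAN behind the server, because a proxy that answers the whole Internet gets found and abused. The cache_dir path is an assumption about the rpm's defaults, and the syntax is the 2.x series form.

```conf
# Constructed example squid.conf, not the tutorial's own file.
# Port the browsers above point at (192.168.0.1:3128).
http_port 3128

# Assumed rpm default; "squid -z" creates the directory tree here.
cache_dir ufs /var/spool/squid 100 16 256

# Squid 2.x does not predefine "all"; declare it before using it.
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.255.0
acl SSL_ports port 443
acl Safe_ports port 80 21 443 1025-65535
acl CONNECT method CONNECT

# Order matters: first match wins, so the LAN allow comes before deny all.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

After copying it into /etc/squid/ and starting squid as described above, the tail of /var/log/messages should show no ACL parse errors.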
Nothing to come as of yet, check back later.
tar -zxvf tcpdfilter*
cd tcpdfilter_2.0
make
make install
Okay, now here is the tricky part to remember (I suggest putting it into your .bashrc file as an alias):
type: tcpdump -n -l -x -i ppp0 -s 1500 -w /test | tcpdfilter -d
Explanation: this will listen on ppp0 and log its results to a file located at /test; tcpdfilter will then decode it. You can either run this in the background (but don't forget about it, hehe) by putting an & at the end of the command, or run it for a few minutes during high activity and then check your results.
Keep in mind: this *will* slow down your overall network performance and you must be logged in as root (to enable promiscuous mode on the specified adapter). Your results may vary. Most websites use some form of encryption, so it will look somewhat garbled at parts of the file (tcpdfilter does not decode encryption, hehe). This will monitor *everything* that passes through that adapter though. You will be able to get (sniff) ftp sessions, telnet sessions, etc. But remember, if they are ftp'ing large amounts of data, guess what: your file will record that data as well (which results in very large files!). It's fun to play around with, and fun to see who's going to what site (I've caught my brother at some porn sites before, lol).
New: I have found a really small, real-time, bandwidth monitoring program! You should be able to download it from the author's website here and if that doesn't work, you can get it off my site, here. (to install it, run "make" and then make sure you are in ansi/vt100.. standard win95 telnet will make it look all funky)