
Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway For Your Small Business Environment

Submitted by tycho on Wed, 2006-12-06 16:02. :: Anti-Spam/Virus | Ubuntu | Apache | Control Panels | Postfix


This tutorial shows how to set up a Ubuntu 6.06 LTS server ("Dapper Drake") as a firewall and gateway for small/medium networks. The article covers the installation/configuration of services such as Shorewall, NAT, caching nameserver, DHCP server, VPN server, Webmin, Munin, Apache, Squirrelmail, Postfix, Courier IMAP and POP3, SpamAssassin, ClamAV, and many more.

Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway For Your Small Business Environment - Page 2

Submitted by tycho on Wed, 2006-12-06 16:06.

Now do:

apt-get install libnet-ssleay-perl libauthen-pam-perl libio-pty-perl shorewall dnsmasq openssl

wget http://surfnet.dl.sourceforge.net/sourceforge/webadmin/webmin_1.300_all.deb

"surfnet" is the Dutch mirror. Change it to "heanet" (for Ireland), "belnet" (for Belgium), "mesh" (for Germany) and so on.

dpkg -i webmin_1.300_all.deb

cp /usr/share/doc/shorewall/examples/two-interfaces/* /etc/shorewall/

cd /etc/shorewall

gunzip interfaces.gz masq.gz rules.gz

Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway For Your Small Business Environment - Page 3

Submitted by tycho on Wed, 2006-12-06 16:08.

So now we need some packages. Do (all in one line!):

apt-get install razor pyzor mailscanner spamc libsys-hostname-long-perl libnet-ident-perl libdb-file-lock-perl libio-socket-ssl-perl libdbi-perl spamassassin postfix postfix-doc courier-authmysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-modules-sql sasl2-bin libpam-mysql build-essential dpkg-dev fakeroot debhelper libdb4.2-dev libgdbm-dev libldap2-dev libpcre3-dev libmysqlclient12-dev libssl-dev libsasl2-dev postgresql-dev po-debconf dpatch zoo unzip arj rdate fetchmail unzip zip ncftp zlib1g-dev libpopt-dev nmap lynx fileutils curl imagemagick squirrelmail squirrelmail-locales munin munin-node ntp samba unzoo mysql-server mysql-client libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl php-pear mailx libzzip-dev libgmp3c2 libgmp3-dev dhcp3-server pptpd

Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway For Your Small Business Environment - Page 4

Submitted by tycho on Wed, 2006-12-06 16:10.

Next edit /etc/courier/imapd-ssl and change the following:

TLS_CERTFILE=/etc/apache2/ssl/apache.pem

Now do the same with your /etc/courier/pop3d-ssl.
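
The apache.pem file that Courier's TLS_CERTFILE and Apache's SSLCertificateFile both point at has to contain the private key and the certificate in one file, and because it holds a private key it must not be world-readable. The script below is an added example, not code from the tutorial: it checks a PEM file for both conditions. The PEM files it creates are constructed placeholders in a temporary directory, not /etc/apache2/ssl/apache.pem, and contain no real key material.

```sh
#!/bin/sh
# Added example, not part of the tutorial: sanity-check the combined PEM file
# that Courier (TLS_CERTFILE) and Apache (SSLCertificateFile) share.
# Courier expects private key and certificate in ONE file, and a file holding
# a private key must not be readable by everyone.

check_tls_pem() {
    # $1 = path of the PEM file. Returns 0 when it contains at least one
    # private-key block and one certificate block and is not world-readable;
    # otherwise prints what is wrong and returns 1.
    f="$1"
    rc=0
    [ -f "$f" ] || { echo "FAIL $f: no such file"; return 1; }
    # grep -c prints 0 (and exits 1) when nothing matches; "|| true" keeps
    # that from aborting a caller that runs under "set -e".
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -ge 1 ] || { echo "FAIL $f: no private key block (Courier needs key and certificate in one file)"; rc=1; }
    [ "$certs" -ge 1 ] || { echo "FAIL $f: no certificate block"; rc=1; }
    # -perm -004: the "other" read bit is set
    if find "$f" -perm -004 | grep -q .; then
        echo "FAIL $f: world-readable but contains private key material"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok   $f: key and certificate present, not world-readable"
    return "$rc"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed file in the shape the Apache/Courier helpers produce (key first,
# then certificate); the bodies are placeholders, not real base64 material.
cat > "$tmp/good.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYMATERIAL
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATE
-----END CERTIFICATE-----
EOF
chmod 600 "$tmp/good.pem"

# Certificate only: fine for a trust store, unusable as TLS_CERTFILE.
cat > "$tmp/certonly.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATE
-----END CERTIFICATE-----
EOF
chmod 600 "$tmp/certonly.pem"

# Complete, but left at the default 0644 mode.
cp "$tmp/good.pem" "$tmp/world.pem"
chmod 644 "$tmp/world.pem"

for f in good certonly world; do
    check_tls_pem "$tmp/$f.pem" || true
done
```

On the gateway, run check_tls_pem /etc/apache2/ssl/apache.pem after creating the certificate and again whenever it is renewed, since a renewal script that writes only the certificate silently breaks Courier's TLS.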

Now edit /etc/apache2/sites-available/default. The top has to be changed so that it reads:

NameVirtualHost *:80
<VirtualHost *:80>

Edit /etc/apache2/sites-available/https as well; the top of the file should read:

NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

Edit /etc/squirrelmail/apache.conf. It should look like this:

Alias /webmail /usr/share/squirrelmail

<Directory /usr/share/squirrelmail>
php_flag register_globals off
Options Indexes FollowSymLinks
<IfModule mod_dir.c>
DirectoryIndex index.php
</IfModule>

# access to configtest is limited by default to prevent information leak
<Files configtest.php>
order deny,allow
deny from all
allow from 127.0.0.1
</Files>
</Directory>
# users will prefer a simple URL like http://webmail.example.com
#<VirtualHost 1.2.3.4>
# DocumentRoot /usr/share/squirrelmail
# ServerName webmail.example.com
#</VirtualHost>
# redirect to https when available (thanks omen@descolada.dartmouth.edu)
#
# Note: There are multiple ways to do this, and which one is suitable for
# your site's configuration depends. Consult the apache documentation if
# you're unsure, as this example might not work everywhere.
#
<IfModule mod_rewrite.c>
<IfModule mod_ssl.c>
<Location /webmail>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
</Location>
</IfModule>
</IfModule>

Now make sure that the DirectoryIndex line in /etc/apache2/apache2.conf reads:

Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway For Your Small Business Environment - Page 5

Submitted by tycho on Wed, 2006-12-06 16:13.

Now make squirrelmail talk your language. If you only use English you can skip the last line in the file of course.

Edit /var/lib/locales/supported.d/local.

It should look like this (if you are Dutch; otherwise adjust as desired). The main thing is to enable your locale with the ISO-8859-1 charset.

en_US.UTF-8 UTF-8
en_US.ISO-8859-1	ISO-8859-1
nl_NL.ISO-8859-1	ISO-8859-1

dpkg-reconfigure locales

Now we configure postfix.

postconf -e 'mynetworks = 127.0.0.0/8, 192.168.1.0/24'

postconf -e 'smtpd_sasl_local_domain ='

Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway For Your Small Business Environment - Page 6

Submitted by tycho on Wed, 2006-12-06 16:15.

Now edit /etc/postfix/header_checks.

It should look like this:

/^Received:/ HOLD

cd /root

Now install ClamAV from source. The version numbers in the following commands apply to the latest stable release at the time of writing; adjust as needed.

wget http://surfnet.dl.sourceforge.net/sourceforge/clamav/clamav-0.88.6.tar.gz

Like before, pick a mirror close to you.

groupadd clamav

useradd -g clamav -s /bin/false -c "Clam Antivirus" clamav

Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway For Your Small Business Environment - Page 7

Submitted by tycho on Wed, 2006-12-06 16:18.

Now configure sasl authentication.

mkdir -p /var/spool/postfix/var/run/saslauthd

Now we have to edit /etc/default/saslauthd. It should look like this:

# This needs to be uncommented before saslauthd will be run automatically
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"
MECHANISMS="pam"

Next edit /etc/init.d/saslauthd and change the location of saslauthd's PID file. Set PIDFILE to /var/spool/postfix/var/run/${NAME}/saslauthd.pid, so that the line reads:

PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"
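
Why the socket directory moves under /var/spool/postfix: on Debian/Ubuntu, Postfix's smtpd runs chrooted in its queue directory, so it can only reach a saslauthd socket that lives inside that tree, and the PIDFILE edit has to point into the same directory. The script below is an added example, not from the tutorial; it checks the mkdir, PARAMS and PIDFILE edits for consistency with each other. The chroot path /var/spool/postfix and the sample default/init files are assumptions modelled on Debian/Ubuntu, written to a temporary directory rather than read from /etc.

```sh
#!/bin/sh
# Added example, not part of the tutorial: check that the saslauthd edits
# (PARAMS in /etc/default/saslauthd, PIDFILE in /etc/init.d/saslauthd) agree
# with each other and with the Postfix chroot. The chroot path and the sample
# files below are constructed, modelled on Debian/Ubuntu.

POSTFIX_CHROOT=/var/spool/postfix   # Postfix queue_directory (assumed)

saslauthd_mux_dir() {
    # Print the argument of -m from the PARAMS="..." line of file $1;
    # print nothing if PARAMS or -m is missing.
    sed -n 's/^PARAMS="\(.*\)"$/\1/p' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "-m") { print $(i + 1); exit } }'
}

saslauthd_params_has() {
    # True if flag $2 appears as a separate word in the PARAMS line of $1.
    sed -n 's/^PARAMS="\(.*\)"$/\1/p' "$1" | tr ' ' '\n' | grep -qx -- "$2"
}

initscript_pidfile() {
    # Print PIDFILE from init script $1 with ${NAME} expanded to saslauthd.
    sed -n 's/^PIDFILE="\(.*\)"$/\1/p' "$1" | sed 's/[$]{NAME}/saslauthd/g'
}

check_saslauthd_chroot() {
    # $1 = /etc/default/saslauthd, $2 = /etc/init.d/saslauthd. Returns 0 when
    # the socket directory is inside the Postfix chroot and PIDFILE lives in
    # that same directory.
    rc=0
    mux=$(saslauthd_mux_dir "$1")
    case "$mux" in
        "$POSTFIX_CHROOT"/*)
            echo "ok   socket directory $mux is inside $POSTFIX_CHROOT" ;;
        "")
            echo "FAIL PARAMS sets no -m: the socket stays in /var/run/saslauthd, which a chrooted smtpd cannot see"
            rc=1 ;;
        *)
            echo "FAIL socket directory $mux is outside $POSTFIX_CHROOT"
            rc=1 ;;
    esac
    if saslauthd_params_has "$1" -r; then
        echo "ok   -r present (realm is combined with the login name, as in the tutorial)"
    else
        echo "note -r not present"
    fi
    pid=$(initscript_pidfile "$2")
    if [ -n "$mux" ] && [ "$pid" = "$mux/saslauthd.pid" ]; then
        echo "ok   PIDFILE $pid matches the socket directory"
    else
        echo "FAIL PIDFILE is '${pid:-unset}', expected ${mux:-<-m directory>}/saslauthd.pid"
        rc=1
    fi
    return "$rc"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# After the tutorial's edits (constructed sample):
cat > "$tmp/default.tutorial" <<'EOF'
START=yes
PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
MECHANISMS="pam"
EOF
cat > "$tmp/init.tutorial" <<'EOF'
NAME=saslauthd
PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"
EOF

# Package defaults left untouched (constructed sample):
cat > "$tmp/default.stock" <<'EOF'
START=no
MECHANISMS="pam"
EOF
cat > "$tmp/init.stock" <<'EOF'
NAME=saslauthd
PIDFILE="/var/run/${NAME}/saslauthd.pid"
EOF

check_saslauthd_chroot "$tmp/default.tutorial" "$tmp/init.tutorial" || true
check_saslauthd_chroot "$tmp/default.stock" "$tmp/init.stock" || true
```

Run check_saslauthd_chroot /etc/default/saslauthd /etc/init.d/saslauthd on the gateway after the edits; a FAIL on the socket directory is the usual cause of "SASL authentication failure: cannot connect to saslauthd server" in the Postfix log.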

Now populate your system with real users. Set the users' shell to /bin/false so that the mail accounts cannot be used for interactive logins.

Set Up Ubuntu-Server 6.06 LTS As A Firewall/Gateway For Your Small Business Environment - Page 8

Submitted by tycho on Wed, 2006-12-06 16:20.

Now you have to send each real user a welcome message; this creates the Maildir structure in their home directories, which is needed before they can log in to their accounts. You can use Webmin's Postfix module for this. There is no need to send anything to their aliases.

Your Webmail Server is located at https://your.domain/webmail (first send those messages!)

Munin is at http://your.domain/munin

Webmin is at https://your.domain:10000

If you haven't set any domains, use https://192.168.1.1/webmail etc.

Key-Based SSH Logins With PuTTY

Submitted by falko on Wed, 2006-12-06 22:55. :: Security


This guide describes how to generate and use a private/public key pair to log in to a remote system with SSH using PuTTY. PuTTY is an SSH client that is available for Windows and Linux (although it is more common on Windows systems). With key-based SSH logins you can disable the normal username/password login procedure, which means that only people with a valid private/public key pair can log in. That way password brute-force attacks cannot succeed, so your system is more secure.

Key-Based SSH Logins With PuTTY - Page 2

Submitted by falko on Wed, 2006-12-06 22:59.

4 Connect To The SSH Server

Now we can connect to our SSH server simply by clicking on Open.

If you connect to the server for the first time, a security warning pops up. This is because PuTTY doesn't know the server's host key yet, so it is safe to click on Yes once you have compared the fingerprint it shows with the one on the server. (If this happens again later on, it can mean that another server is now running under the same IP address, or that someone has broken in and changed the key.)

Key-Based SSH Logins With PuTTY - Page 3

Submitted by falko on Wed, 2006-12-06 23:03.

7 Attach The Private Key To The PuTTY Profile

Now launch PuTTY again and load the profile of your SSH server (192.168.0.100):

Then go to SSH -> Auth and click on Browse:

Browse your file system and select your previously created private key:

Key-Based SSH Logins With PuTTY - Page 4

Submitted by falko on Wed, 2006-12-06 23:04.

9 Disable Username/Password Logins

Up to now you can log in with your private/public key pair, but username/password logins still work as well, so anyone who doesn't attach a private key to his PuTTY session is simply asked for a username and password. For better security we must therefore disable username/password logins (do this only once you know that your key-based logins are working; if they aren't and you disable username/password logins, you have locked yourself out...).

To disable username/password logins, we must modify the sshd configuration file; on Debian/Ubuntu systems it's /etc/ssh/sshd_config. Set Protocol to 2 (protocol 1 is insecure and should not be used!), PasswordAuthentication to no, and UsePAM to no (or comment out the UsePAM line), e.g. like this:
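
As an added example (not part of this guide), the POSIX-shell script below audits an sshd_config for exactly those three settings and writes a hardened copy. It relies on sshd's rule that the first uncommented value of a keyword wins, it does not look inside Match blocks, and the configuration it reads is a constructed sample in a temporary directory rather than the real /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example, not part of the guide: audit an sshd_config for Protocol 2,
# PasswordAuthentication no and UsePAM no, and produce a hardened copy.
# sshd uses the FIRST uncommented value it finds for a keyword, so the audit
# reads the first occurrence and the hardening step writes the directives at
# the top of the file. Keywords inside "Match" blocks are not handled.

sshd_value() {
    # Print the first uncommented value of keyword $2 in file $1 (sshd
    # semantics); print nothing when the keyword is absent.
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_sshd_config() {
    # Returns 0 when $1 has Protocol 2, PasswordAuthentication no and UsePAM
    # either "no" or absent (absent means the compiled-in default, no).
    rc=0
    v=$(sshd_value "$1" Protocol)
    if [ "$v" = "2" ]; then
        echo "ok   Protocol 2"
    else
        echo "FAIL Protocol is '${v:-unset}', want 2"; rc=1
    fi
    v=$(sshd_value "$1" PasswordAuthentication)
    if [ "$v" = "no" ]; then
        echo "ok   PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication is '${v:-unset, default yes}', want no"; rc=1
    fi
    v=$(sshd_value "$1" UsePAM)
    if [ -z "$v" ] || [ "$v" = "no" ]; then
        echo "ok   UsePAM ${v:-unset, default no}"
    else
        echo "FAIL UsePAM is '$v', want no or commented out"; rc=1
    fi
    return "$rc"
}

harden_sshd_config() {
    # Write $2 = $1 with the three directives placed first and any existing
    # uncommented copies commented out, so the file reads unambiguously.
    {
        echo "Protocol 2"
        echo "PasswordAuthentication no"
        echo "UsePAM no"
        awk 'tolower($1) ~ /^(protocol|passwordauthentication|usepam)$/ { print "#" $0; next } { print }' "$1"
    } > "$2"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed sample resembling a stock Debian/Ubuntu sshd_config of the time.
cat > "$tmp/sshd_config" <<'EOF'
Port 22
Protocol 2
ListenAddress 0.0.0.0
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication yes
UsePAM yes
EOF

echo "--- before"
audit_sshd_config "$tmp/sshd_config" || true
harden_sshd_config "$tmp/sshd_config" "$tmp/sshd_config.hardened"
echo "--- after"
audit_sshd_config "$tmp/sshd_config.hardened" || true
```

On a real host, check the hardened file with sshd -t before restarting the daemon, keep the PuTTY session you are working in open, and confirm a fresh key-based login from a second window before closing it, exactly as the text advises.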